Fix SkipScan crash due to pruned unique path

When SkipScan paths are added it can result in a crash if the new SkipScan dominates the PostgreSQL planned unique path. In that case, the previous unique path is pruned and freed, leading to a potential memory corruption since a pointer to the original unique path is used when looping over all subpaths to try to apply SkipScan. Thus, if the original unique path is pruned, and there are multiple subpaths, a crash will occur in the next iteration over the subpaths. The crash is fixed by making a shallow copy of the original unique path while iterating the subpaths.
timescale · Dec 2, 2021 · 095991a · 095991a
1 parent 210886e
commit 095991a
Showing 1 changed file with 10 additions and 0 deletions.
diff --git a/tsl/src/nodes/skip_scan/planner.c b/tsl/src/nodes/skip_scan/planner.c
@@ -211,12 +211,22 @@ tsl_skip_scan_paths_add(PlannerInfo *root, RelOptInfo *input_rel, RelOptInfo *ou
 			break;
 		}
 	}
+
 	/* no UniquePath found so this query might not be
 	 * elegible for sort-based DISTINCT and therefore
 	 * not elegible for SkipScan either */
 	if (!unique)
 		return;
 
+	/* Need to make a copy of the unique path here because add_path() in the
+	 * pathlist loop below might prune it if the new unique path
+	 * (SkipScanPath) dominates the old one. When the unique path is pruned,
+	 * the pointer will no longer be valid in the next iteration of the
+	 * pathlist loop. Fortunately, the Path object is not deeply freed, so a
+	 * shallow copy is enough. */
+	unique = makeNode(UpperUniquePath);
+	memcpy(unique, lfirst_node(UpperUniquePath, lc), sizeof(UpperUniquePath));
+
 	foreach (lc, input_rel->pathlist)
 	{
 		bool project = false;