Ensure result of an aggregate's finalfunc is made read-only.

tglsfdc · tglsfdc · commit 78d5952dd0e6 · 2023-04-16T14:16:40.000-04:00
The finalfunc might return a read-write expanded object. If we de-duplicate multiple call sites for the aggregate, any function(s) receiving the aggregate result earlier could alter or destroy the value that reaches the ones called later. This is a brown-paper-bag bug in commit 42b746d, because we actually considered the need for read-only-ness but failed to realize that it applied to the case with a finalfunc as well as the case without. Per report from Justin Pryzby. New error in HEAD, no need for back-patch. Discussion: https://postgr.es/m/ZDm5TuKsh3tzoEjz@telsasoft.com
diff --git a/src/backend/executor/nodeAgg.c b/src/backend/executor/nodeAgg.c
@@ -1040,9 +1040,10 @@ process_ordered_aggregate_multi(AggState *aggstate,
  * (But note that in some cases, such as when there is no finalfn, the
  * result might be a pointer to or into the agg's transition value.)
  *
- * The finalfn uses the state as set in the transno. This also might be
+ * The finalfn uses the state as set in the transno.  This also might be
  * being used by another aggregate function, so it's important that we do
- * nothing destructive here.
+ * nothing destructive here.  Moreover, the aggregate's final value might
+ * get used in multiple places, so we mustn't return a R/W expanded datum.
  */
 static void
 finalize_aggregate(AggState *aggstate,
@@ -1116,8 +1117,13 @@ finalize_aggregate(AggState *aggstate,
 		}
 		else
 		{
-			*resultVal = FunctionCallInvoke(fcinfo);
+			Datum		result;
+
+			result = FunctionCallInvoke(fcinfo);
 			*resultIsNull = fcinfo->isnull;
+			*resultVal = MakeExpandedObjectReadOnly(result,
+													fcinfo->isnull,
+													peragg->resulttypeLen);
 		}
 		aggstate->curperagg = NULL;
 	}
@@ -1165,6 +1171,7 @@ finalize_partialaggregate(AggState *aggstate,
 		else
 		{
 			FunctionCallInfo fcinfo = pertrans->serialfn_fcinfo;
+			Datum		result;
 
 			fcinfo->args[0].value =
 				MakeExpandedObjectReadOnly(pergroupstate->transValue,
@@ -1173,8 +1180,11 @@ finalize_partialaggregate(AggState *aggstate,
 			fcinfo->args[0].isnull = pergroupstate->transValueIsNull;
 			fcinfo->isnull = false;
 
-			*resultVal = FunctionCallInvoke(fcinfo);
+			result = FunctionCallInvoke(fcinfo);
 			*resultIsNull = fcinfo->isnull;
+			*resultVal = MakeExpandedObjectReadOnly(result,
+													fcinfo->isnull,
+													peragg->resulttypeLen);
 		}
 	}
 	else
diff --git a/src/backend/executor/nodeWindowAgg.c b/src/backend/executor/nodeWindowAgg.c
@@ -623,10 +623,15 @@ finalize_windowaggregate(WindowAggState *winstate,
 		}
 		else
 		{
+			Datum		res;
+
 			winstate->curaggcontext = peraggstate->aggcontext;
-			*result = FunctionCallInvoke(fcinfo);
+			res = FunctionCallInvoke(fcinfo);
 			winstate->curaggcontext = NULL;
 			*isnull = fcinfo->isnull;
+			*result = MakeExpandedObjectReadOnly(res,
+												 fcinfo->isnull,
+												 peraggstate->resulttypeLen);
 		}
 	}
 	else
diff --git a/src/test/regress/expected/aggregates.out b/src/test/regress/expected/aggregates.out
@@ -2758,6 +2758,43 @@ SELECT balk(hundred) FROM tenk1;
      
 (1 row)
 
+ROLLBACK;
+-- test multiple usage of an aggregate whose finalfn returns a R/W datum
+BEGIN;
+CREATE FUNCTION rwagg_sfunc(x anyarray, y anyarray) RETURNS anyarray
+LANGUAGE plpgsql IMMUTABLE AS $$
+BEGIN
+    RETURN array_fill(y[1], ARRAY[4]);
+END;
+$$;
+CREATE FUNCTION rwagg_finalfunc(x anyarray) RETURNS anyarray
+LANGUAGE plpgsql STRICT IMMUTABLE AS $$
+DECLARE
+    res x%TYPE;
+BEGIN
+    -- assignment is essential for this test, it expands the array to R/W
+    res := array_fill(x[1], ARRAY[4]);
+    RETURN res;
+END;
+$$;
+CREATE AGGREGATE rwagg(anyarray) (
+    STYPE = anyarray,
+    SFUNC = rwagg_sfunc,
+    FINALFUNC = rwagg_finalfunc
+);
+CREATE FUNCTION eatarray(x real[]) RETURNS real[]
+LANGUAGE plpgsql STRICT IMMUTABLE AS $$
+BEGIN
+    x[1] := x[1] + 1;
+    RETURN x;
+END;
+$$;
+SELECT eatarray(rwagg(ARRAY[1.0::real])), eatarray(rwagg(ARRAY[1.0::real]));
+ eatarray  | eatarray  
+-----------+-----------
+ {2,1,1,1} | {2,1,1,1}
+(1 row)
+
 ROLLBACK;
 -- test coverage for aggregate combine/serial/deserial functions
 BEGIN;
diff --git a/src/test/regress/sql/aggregates.sql b/src/test/regress/sql/aggregates.sql
@@ -1207,6 +1207,45 @@ SELECT balk(hundred) FROM tenk1;
 
 ROLLBACK;
 
+-- test multiple usage of an aggregate whose finalfn returns a R/W datum
+BEGIN;
+
+CREATE FUNCTION rwagg_sfunc(x anyarray, y anyarray) RETURNS anyarray
+LANGUAGE plpgsql IMMUTABLE AS $$
+BEGIN
+    RETURN array_fill(y[1], ARRAY[4]);
+END;
+$$;
+
+CREATE FUNCTION rwagg_finalfunc(x anyarray) RETURNS anyarray
+LANGUAGE plpgsql STRICT IMMUTABLE AS $$
+DECLARE
+    res x%TYPE;
+BEGIN
+    -- assignment is essential for this test, it expands the array to R/W
+    res := array_fill(x[1], ARRAY[4]);
+    RETURN res;
+END;
+$$;
+
+CREATE AGGREGATE rwagg(anyarray) (
+    STYPE = anyarray,
+    SFUNC = rwagg_sfunc,
+    FINALFUNC = rwagg_finalfunc
+);
+
+CREATE FUNCTION eatarray(x real[]) RETURNS real[]
+LANGUAGE plpgsql STRICT IMMUTABLE AS $$
+BEGIN
+    x[1] := x[1] + 1;
+    RETURN x;
+END;
+$$;
+
+SELECT eatarray(rwagg(ARRAY[1.0::real])), eatarray(rwagg(ARRAY[1.0::real]));
+
+ROLLBACK;
+
 -- test coverage for aggregate combine/serial/deserial functions
 BEGIN;
 

Original file line number	Diff line number	Diff line change
`@@ -1040,9 +1040,10 @@ process_ordered_aggregate_multi(AggState *aggstate,`
`1040`	`1040`	`* (But note that in some cases, such as when there is no finalfn, the`
`1041`	`1041`	`* result might be a pointer to or into the agg's transition value.)`
`1042`	`1042`	`*`
`1043`		`- * The finalfn uses the state as set in the transno. This also might be`
	`1043`	`+ * The finalfn uses the state as set in the transno. This also might be`
`1044`	`1044`	`* being used by another aggregate function, so it's important that we do`
`1045`		`- * nothing destructive here.`
	`1045`	`+ * nothing destructive here. Moreover, the aggregate's final value might`
	`1046`	`+ * get used in multiple places, so we mustn't return a R/W expanded datum.`
`1046`	`1047`	`*/`
`1047`	`1048`	`static void`
`1048`	`1049`	`finalize_aggregate(AggState *aggstate,`
`@@ -1116,8 +1117,13 @@ finalize_aggregate(AggState *aggstate,`
`1116`	`1117`	`}`
`1117`	`1118`	`else`
`1118`	`1119`	`{`
`1119`		`- *resultVal = FunctionCallInvoke(fcinfo);`
	`1120`	`+ Datum result;`
	`1121`	`+`
	`1122`	`+ result = FunctionCallInvoke(fcinfo);`
`1120`	`1123`	`*resultIsNull = fcinfo->isnull;`
	`1124`	`+ *resultVal = MakeExpandedObjectReadOnly(result,`
	`1125`	`+ fcinfo->isnull,`
	`1126`	`+ peragg->resulttypeLen);`
`1121`	`1127`	`}`
`1122`	`1128`	`aggstate->curperagg = NULL;`
`1123`	`1129`	`}`
`@@ -1165,6 +1171,7 @@ finalize_partialaggregate(AggState *aggstate,`
`1165`	`1171`	`else`
`1166`	`1172`	`{`
`1167`	`1173`	`FunctionCallInfo fcinfo = pertrans->serialfn_fcinfo;`
	`1174`	`+ Datum result;`
`1168`	`1175`
`1169`	`1176`	`fcinfo->args[0].value =`
`1170`	`1177`	`MakeExpandedObjectReadOnly(pergroupstate->transValue,`
`@@ -1173,8 +1180,11 @@ finalize_partialaggregate(AggState *aggstate,`
`1173`	`1180`	`fcinfo->args[0].isnull = pergroupstate->transValueIsNull;`
`1174`	`1181`	`fcinfo->isnull = false;`
`1175`	`1182`
`1176`		`- *resultVal = FunctionCallInvoke(fcinfo);`
	`1183`	`+ result = FunctionCallInvoke(fcinfo);`
`1177`	`1184`	`*resultIsNull = fcinfo->isnull;`
	`1185`	`+ *resultVal = MakeExpandedObjectReadOnly(result,`
	`1186`	`+ fcinfo->isnull,`
	`1187`	`+ peragg->resulttypeLen);`
`1178`	`1188`	`}`
`1179`	`1189`	`}`
`1180`	`1190`	`else`
Original file line number	Diff line number	Diff line change
`@@ -623,10 +623,15 @@ finalize_windowaggregate(WindowAggState *winstate,`
`623`	`623`	`}`
`624`	`624`	`else`
`625`	`625`	`{`
	`626`	`+ Datum res;`
	`627`	`+`
`626`	`628`	`winstate->curaggcontext = peraggstate->aggcontext;`
`627`		`- *result = FunctionCallInvoke(fcinfo);`
	`629`	`+ res = FunctionCallInvoke(fcinfo);`
`628`	`630`	`winstate->curaggcontext = NULL;`
`629`	`631`	`*isnull = fcinfo->isnull;`
	`632`	`+ *result = MakeExpandedObjectReadOnly(res,`
	`633`	`+ fcinfo->isnull,`
	`634`	`+ peraggstate->resulttypeLen);`
`630`	`635`	`}`
`631`	`636`	`}`
`632`	`637`	`else`