Hello Peter!
There is code in vci_ros.c that initializes xl_heap_inplace xlrec.
The comment says this code was taken from src/backend/access/heap/heapam.c.
It was fine for Postgres 17 and earlier; however, struct xl_heap_inplace
has 6 fields, not one, since commit 243e9b40f1b2. So the nmsgs field of
xlrec has some random uninitialized value from the stack. It goes to WAL
and, in the case of a big nmsgs, it can cause a segfault during server startup.
Here is a backtrace of a segfault while applying WAL on server startup
and a patch that initializes all necessary fields of xlrec to avoid bad
WAL records.
--
Regards,
Timur Magomedov
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x000063acade950a0 in SIInsertDataEntries (data=0x7d8558d4dff4,
n=<optimized out>) at sinvaladt.c:417
417 segP->buffer[max % MAXNUMMESSAGES] = *data++;
(gdb) bt
#0 0x000063acade950a0 in SIInsertDataEntries (data=0x7d8558d4dff4,
n=<optimized out>) at sinvaladt.c:417
#1 0x000063acae000c0a in ProcessCommittedInvalidationMessages
(msgs=msgs@entry=0x7d855891fd74, nmsgs=339482369, RelcacheInitFileInval=248,
dbid=0, tsid=<optimized out>)
at inval.c:1168
#2 0x000063acadaef06c in heap_xlog_inplace (record=<optimized out>) at
heapam_xlog.c:1172
#3 heap_redo (record=<optimized out>) at heapam_xlog.c:1218
#4 0x000063acadb654ee in ApplyWalRecord (xlogreader=0x63acb952ed10,
record=0x7d855891dcf0, replayTLI=<optimized out>) at xlogrecovery.c:2001
#5 PerformWalRecovery () at xlogrecovery.c:1831
#6 0x000063acadb53113 in StartupXLOG () at xlog.c:5891
#7 0x000063acade0409b in StartupProcessMain (startup_data=<optimized out>,
startup_data_len=<optimized out>) at startup.c:258
#8 0x000063acaddfdaeb in postmaster_child_launch
(child_type=child_type@entry=B_STARTUP, child_slot=294,
startup_data=startup_data@entry=0x0,
startup_data_len=startup_data_len@entry=0,
client_sock=client_sock@entry=0x0) at launch_backend.c:292
#9 0x000063acade00907 in StartChildProcess (type=type@entry=B_STARTUP) at
postmaster.c:3983
#10 0x000063acade0020f in PostmasterMain (argc=argc@entry=1,
argv=argv@entry=0x63acb952d870) at postmaster.c:1396
#11 0x000063acadd12c25 in main (argc=1, argv=0x63acb952d870) at main.c:231
From c9e2625802c9683240b8f80d36594bab22963660 Mon Sep 17 00:00:00 2001
From: Timur Magomedov <[email protected]>
Date: Thu, 25 Sep 2025 17:20:17 +0300
Subject: [PATCH] Initialize in-place update struct
Random number of messages in WAL can fail server start otherwise
---
contrib/vci/storage/vci_ros.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/contrib/vci/storage/vci_ros.c b/contrib/vci/storage/vci_ros.c
index bf316fab543..869491c62ba 100644
--- a/contrib/vci/storage/vci_ros.c
+++ b/contrib/vci/storage/vci_ros.c
@@ -688,6 +688,10 @@ vci_WriteItem(Relation rel,
uint32 newlen;
xlrec.offnum = offsetNumber;
+ xlrec.dbId = MyDatabaseId;
+ xlrec.tsId = MyDatabaseTableSpace;
+ xlrec.relcacheInitFileInval = false;
+ xlrec.nmsgs = 0;
/*
* originally taken from heap_inplace_update() in
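Review bot: the four assignments cover the members named in the cover letter, but the hunk does not show how many bytes of xlrec are registered for the WAL record; if the XLogRegisterData call below still uses a size derived from the old one-field layout, redo will read nmsgs from beyond the registered bytes and the fix is incomplete, so please confirm the registration length matches the new struct in the same patch (heapam.c registers MinSizeOfHeapInplace for the fixed part). A style point: declaring `xl_heap_inplace xlrec = {0};` (or a designated initializer) at the declaration site would zero every member, so a future field added to the struct cannot reintroduce the stack-garbage problem silently; the explicit `xlrec.nmsgs = 0;` then documents intent rather than being the only thing preventing it.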
--
2.43.0
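The failure mode in this report is a count field that came from uninitialized stack memory and was then trusted by redo. The following is an added illustration, not part of Timur's email or of the vci or PostgreSQL sources: it uses a hypothetical record layout (`demo_inplace_hdr`, `demo_msg`, `demo_redo_inplace`, all invented names, not PostgreSQL's real `xl_heap_inplace`) to show both halves of the defence: the writer fully initializes the header with a designated initializer, and the redo side checks `nmsgs` against a sane upper bound and against the record's actual length before walking the message array. The garbage value 339482369 is taken from the backtrace above; here it is written deliberately to stand in for what the unpatched code emitted.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical record layout standing in for xl_heap_inplace: a fixed header
 * followed by nmsgs fixed-size messages. Member names mirror the patch, but
 * this is NOT PostgreSQL's real layout. */
typedef struct
{
    uint16_t offnum;
    uint32_t dbId;
    uint32_t tsId;
    bool     relcacheInitFileInval;
    int32_t  nmsgs;          /* number of demo_msg entries that follow */
} demo_inplace_hdr;

typedef struct
{
    uint32_t id;
    uint32_t val;
} demo_msg;

#define DEMO_MAX_MSGS 64     /* largest count redo is willing to believe */

typedef enum
{
    DEMO_REDO_OK = 0,
    DEMO_REDO_SHORT_RECORD,  /* record shorter than the fixed header */
    DEMO_REDO_BAD_COUNT      /* nmsgs negative, oversized, or past the end */
} demo_redo_status;

/* Writer side: serialize header + messages into buf. Returns bytes written,
 * or 0 if buf is too small. */
static size_t
demo_build_record(uint8_t *buf, size_t cap, const demo_inplace_hdr *hdr,
                  const demo_msg *msgs, int nmsgs_present)
{
    size_t need = sizeof *hdr + (size_t) nmsgs_present * sizeof(demo_msg);

    if (nmsgs_present < 0 || need > cap)
        return 0;
    memcpy(buf, hdr, sizeof *hdr);
    if (nmsgs_present > 0)
        memcpy(buf + sizeof *hdr, msgs, (size_t) nmsgs_present * sizeof(demo_msg));
    return need;
}

/* Redo side: validate nmsgs against the record length BEFORE walking the
 * message array, so a garbage count is rejected instead of dereferenced. */
static demo_redo_status
demo_redo_inplace(const uint8_t *rec, size_t len, int *applied_out)
{
    demo_inplace_hdr hdr;
    size_t need;
    int i;

    *applied_out = 0;
    if (len < sizeof hdr)
        return DEMO_REDO_SHORT_RECORD;
    memcpy(&hdr, rec, sizeof hdr);   /* memcpy: rec may be unaligned */

    if (hdr.nmsgs < 0 || hdr.nmsgs > DEMO_MAX_MSGS)
        return DEMO_REDO_BAD_COUNT;
    need = sizeof hdr + (size_t) hdr.nmsgs * sizeof(demo_msg);
    if (need > len)
        return DEMO_REDO_BAD_COUNT;

    for (i = 0; i < hdr.nmsgs; i++)
    {
        demo_msg m;

        memcpy(&m, rec + sizeof hdr + (size_t) i * sizeof m, sizeof m);
        (void) m;   /* a real redo routine would apply the message here */
    }
    *applied_out = hdr.nmsgs;
    return DEMO_REDO_OK;
}

/* Both cases return the applied count on success, or the negated status
 * code when redo rejects the record. */

/* Designated initializer: every member set, two messages follow. */
static int
demo_good_case(void)
{
    demo_inplace_hdr hdr = {.offnum = 3, .dbId = 5, .tsId = 1663,
                            .relcacheInitFileInval = false, .nmsgs = 2};
    demo_msg msgs[2] = {{1, 10}, {2, 20}};
    uint8_t buf[256];
    size_t len = demo_build_record(buf, sizeof buf, &hdr, msgs, 2);
    int applied;
    demo_redo_status st = demo_redo_inplace(buf, len, &applied);

    return st == DEMO_REDO_OK ? applied : -(int) st;
}

/* nmsgs deliberately set to the backtrace's garbage value (constructed
 * stand-in for the uninitialized stack value); no messages follow. */
static int
demo_garbage_case(void)
{
    demo_inplace_hdr hdr = {.offnum = 3, .nmsgs = 339482369};
    uint8_t buf[256];
    size_t len = demo_build_record(buf, sizeof buf, &hdr, NULL, 0);
    int applied;
    demo_redo_status st = demo_redo_inplace(buf, len, &applied);

    return st == DEMO_REDO_OK ? applied : -(int) st;
}

int
main(void)
{
    printf("good case: %d\n", demo_good_case());       /* 2 */
    printf("garbage case: %d\n", demo_garbage_case()); /* -2 (BAD_COUNT) */
    return 0;
}
```

The length check is the part that would have turned the crash in the backtrace into a logged rejection: with the real record carrying no messages, `need` exceeds `len` as soon as `nmsgs` is anything but 0, so the loop never runs. The writer-side designated initializer is the cheaper fix and the one the patch effectively applies by hand; a `= {0}` at the declaration covers members added later as well.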