Refactor replay queue entry lifecycle and fix use-after-free

Refactor apply_replay_queue_append_entry() to return a bool indicating
whether the caller must free the entry, instead of requiring the caller
to compare pointers and track an entry_spilled flag. The function now
updates entry and msg pointers through out-parameters.

This fixes a use-after-free: on a COMMIT message, replication_handler()
calls handle_commit → apply_replay_queue_reset → MemoryContextReset,
which destroys in-memory entries. The old code then accessed
entry->from_pq on the freed memory. The new design captures the free
decision before replication_handler runs.

Also update spill_transaction regression test: move TRUNCATE before
subscriber configuration in SUB_DISABLE section to avoid replicating
TRUNCATE while exception_behaviour is active, drop command_counter
from exception_log queries for stable output, and add sanity checks.

Author: danolivo

src/spock_apply.c

@@ -254,8 +254,8 @@ static void get_feedback_position(XLogRecPtr *recvpos, XLogRecPtr *writepos,
 static void UpdateWorkerStats(XLogRecPtr last_received, XLogRecPtr last_inserted);
 static void maybe_advance_forwarded_origin(XLogRecPtr end_lsn, bool xact_had_exception);
 static ApplyReplayEntry *apply_replay_queue_next_entry(void);
-static ApplyReplayEntry *apply_replay_queue_append_entry(ApplyReplayEntry *entry,
-							StringInfo msg);
+static bool apply_replay_queue_append_entry(ApplyReplayEntry **entry_p,
+							StringInfo *msg_p);
 static void apply_replay_queue_start_replay(void);
 static void apply_replay_spill_write_entry(int len, char *data);
 static ApplyReplayEntry *apply_replay_spill_read_entry(void);
@@ -2910,7 +2910,7 @@ apply_work(PGconn *streamConn)
 			{
 				ApplyReplayEntry *entry;
 				bool		queue_append;
-				bool		entry_spilled = false;
+				bool		need_free = false;
 				StringInfo	msg;
 				int			c;
 
@@ -3013,19 +3013,17 @@ apply_work(PGconn *streamConn)
 
 					/* Append the entry to the replay queue if from stream */
 					if (queue_append)
+						need_free = apply_replay_queue_append_entry(&entry,
+																   &msg);
+					else
 					{
-						ApplyReplayEntry *orig = entry;
-
-						entry = apply_replay_queue_append_entry(entry, msg);
-						entry_spilled = (entry != orig);
-
 						/*
-						 * Spilling relocates the entry from ApplyReplayContext
-						 * to TopMemoryContext, freeing the original.  Update msg
-						 * to point to the new copy's copydata.
+						 * Replay path: spill-read entries live in
+						 * TopMemoryContext and must be freed explicitly.
+						 * Capture this before replication_handler, which
+						 * may reset ApplyReplayContext and free the entry.
 						 */
-						if (entry_spilled)
-							msg = &entry->copydata;
+						need_free = !entry->from_pq;
 					}
 
 					/*
@@ -3045,19 +3043,7 @@ apply_work(PGconn *streamConn)
 
 					replication_handler(msg);
 
-					/*
-					 * Free spilled entries explicitly: their structs live in
-					 * TopMemoryContext (not ApplyReplayContext), so they are
-					 * not cleaned up by apply_replay_queue_reset.
-					 *
-					 * In-memory entries (both first-pass and replay) live in
-					 * ApplyReplayContext and are freed by
-					 * MemoryContextReset inside apply_replay_queue_reset,
-					 * called on applying a COMMIT.
-					 *
-					 * !from_pq catches spill-read entries during replay.
-					 */
-					if (entry_spilled || !entry->from_pq)
+					if (need_free)
 						apply_replay_entry_free(entry);
 				}
 				else if (c == 'k')
@@ -4159,15 +4145,20 @@ apply_replay_queue_next_entry(void)
  * If spock_replay_queue_size is configured and the in-memory limit is
  * exceeded, spill subsequent entries to a temporary file on disk.
  *
- * Returns the entry to use after the call.  When spilled, the original
- * entry (in ApplyReplayContext) is freed and replaced by a copy in
- * TopMemoryContext that survives MemoryContextReset(ApplyReplayContext)
- * in handle_commit.  The caller can detect spilling by comparing the
- * returned pointer to the original.
+ * When spilled, the original entry (in ApplyReplayContext) is freed and
+ * replaced by a copy in TopMemoryContext that survives
+ * MemoryContextReset(ApplyReplayContext) in handle_commit.  The updated
+ * entry and msg pointers are written back through entry_p and msg_p.
+ *
+ * Returns true if the caller must free the entry after processing
+ * (i.e. it lives in TopMemoryContext), false if it will be cleaned up
+ * automatically by MemoryContextReset(ApplyReplayContext).
  */
-static ApplyReplayEntry *
-apply_replay_queue_append_entry(ApplyReplayEntry *entry, StringInfo msg)
+static bool
+apply_replay_queue_append_entry(ApplyReplayEntry **entry_p, StringInfo *msg_p)
 {
+	ApplyReplayEntry *entry = *entry_p;
+	StringInfo	msg = *msg_p;
 	MemoryContext	oldctx;
 
 	Assert(entry != NULL);
@@ -4218,7 +4209,9 @@ apply_replay_queue_append_entry(ApplyReplayEntry *entry, StringInfo msg)
 		MemoryContextSwitchTo(oldctx);
 
 		pfree(entry);
-		return mc_entry;
+		*entry_p = mc_entry;
+		*msg_p = &mc_entry->copydata;
+		return true;	/* caller must free */
 	}
 	else
 	{
@@ -4242,7 +4235,7 @@ apply_replay_queue_append_entry(ApplyReplayEntry *entry, StringInfo msg)
 			elog(DEBUG1, "SPOCK %s: replay queue keep in-memory entry %u: ",
 				 MySubscription->name, xact_action_counter);
 
-		return entry;
+		return false;	/* freed by MemoryContextReset */
 	}
 }
 
@@ -4264,7 +4257,9 @@ apply_replay_queue_start_replay(void)
 	if (apply_replay_spilling)
 	{
 		Assert(apply_replay_spill_file != NULL);
-		BufFileSeek(apply_replay_spill_file, 0, 0, SEEK_SET);
+		if (BufFileSeek(apply_replay_spill_file, 0, 0, SEEK_SET) != 0)
+			elog(ERROR, "SPOCK %s: could not seek replay spill file to start",
+				 MySubscription->name);
 		apply_replay_spill_read = 0;
 	}
 

tests/regress/expected/spill_transaction.out

@@ -167,16 +167,15 @@ SELECT id, payload FROM test_spill;
  -1 |   50000
 (1 row)
 
-SELECT command_counter AS cnt,operation AS opt,
-  remote_new_tup FROM spock.exception_log
+SELECT operation AS opt, remote_new_tup FROM spock.exception_log
 ORDER BY command_counter DESC LIMIT 5;
-  cnt  |  opt   |                                                  remote_new_tup                                                   
--------+--------+-------------------------------------------------------------------------------------------------------------------
- 50013 | INSERT | [{"value": 50000, "attname": "id", "atttype": "int4"}, {"value": 50000, "attname": "payload", "atttype": "int4"}]
- 50012 | INSERT | [{"value": 49999, "attname": "id", "atttype": "int4"}, {"value": 49999, "attname": "payload", "atttype": "int4"}]
- 50011 | INSERT | [{"value": 49998, "attname": "id", "atttype": "int4"}, {"value": 49998, "attname": "payload", "atttype": "int4"}]
- 50010 | INSERT | [{"value": 49997, "attname": "id", "atttype": "int4"}, {"value": 49997, "attname": "payload", "atttype": "int4"}]
- 50009 | INSERT | [{"value": 49996, "attname": "id", "atttype": "int4"}, {"value": 49996, "attname": "payload", "atttype": "int4"}]
+  opt   |                                                  remote_new_tup                                                   
+--------+-------------------------------------------------------------------------------------------------------------------
+ INSERT | [{"value": 50000, "attname": "id", "atttype": "int4"}, {"value": 50000, "attname": "payload", "atttype": "int4"}]
+ INSERT | [{"value": 49999, "attname": "id", "atttype": "int4"}, {"value": 49999, "attname": "payload", "atttype": "int4"}]
+ INSERT | [{"value": 49998, "attname": "id", "atttype": "int4"}, {"value": 49998, "attname": "payload", "atttype": "int4"}]
+ INSERT | [{"value": 49997, "attname": "id", "atttype": "int4"}, {"value": 49997, "attname": "payload", "atttype": "int4"}]
+ INSERT | [{"value": 49996, "attname": "id", "atttype": "int4"}, {"value": 49996, "attname": "payload", "atttype": "int4"}]
 (5 rows)
 
 -- ============================================================
@@ -221,16 +220,15 @@ SELECT count(*), sum(id), sum(payload) FROM test_spill;
  50000 | 1249974999 | 1250025000
 (1 row)
 
-SELECT command_counter AS cnt,operation AS opt,
-  remote_new_tup FROM spock.exception_log
+SELECT operation AS opt,remote_new_tup FROM spock.exception_log
 ORDER BY command_counter DESC LIMIT 5;
-  cnt   |  opt   |                                                  remote_new_tup                                                   
---------+--------+-------------------------------------------------------------------------------------------------------------------
- 100013 | INSERT | [{"value": 50000, "attname": "id", "atttype": "int4"}, {"value": 50000, "attname": "payload", "atttype": "int4"}]
- 100012 | INSERT | [{"value": 49999, "attname": "id", "atttype": "int4"}, {"value": 49999, "attname": "payload", "atttype": "int4"}]
- 100011 | INSERT | [{"value": 49998, "attname": "id", "atttype": "int4"}, {"value": 49998, "attname": "payload", "atttype": "int4"}]
- 100010 | INSERT | [{"value": 49997, "attname": "id", "atttype": "int4"}, {"value": 49997, "attname": "payload", "atttype": "int4"}]
- 100009 | INSERT | [{"value": 49996, "attname": "id", "atttype": "int4"}, {"value": 49996, "attname": "payload", "atttype": "int4"}]
+  opt   |                                                  remote_new_tup                                                   
+--------+-------------------------------------------------------------------------------------------------------------------
+ INSERT | [{"value": 50000, "attname": "id", "atttype": "int4"}, {"value": 50000, "attname": "payload", "atttype": "int4"}]
+ INSERT | [{"value": 49999, "attname": "id", "atttype": "int4"}, {"value": 49999, "attname": "payload", "atttype": "int4"}]
+ INSERT | [{"value": 49998, "attname": "id", "atttype": "int4"}, {"value": 49998, "attname": "payload", "atttype": "int4"}]
+ INSERT | [{"value": 49997, "attname": "id", "atttype": "int4"}, {"value": 49997, "attname": "payload", "atttype": "int4"}]
+ INSERT | [{"value": 49996, "attname": "id", "atttype": "int4"}, {"value": 49996, "attname": "payload", "atttype": "int4"}]
 (5 rows)
 
 -- ============================================================
@@ -239,25 +237,35 @@ ORDER BY command_counter DESC LIMIT 5;
 -- conflicting row, re-enable, and verify the transaction
 -- is applied successfully.
 -- ============================================================
+\c :provider_dsn
+TRUNCATE test_spill RESTART IDENTITY;
+SELECT spock.sync_event() as sync_lsn \gset
 \c :subscriber_dsn
+CALL spock.wait_for_sync_event(NULL, 'test_provider', :'sync_lsn', 30);
+ result 
+--------
+ t
+(1 row)
+
 ALTER SYSTEM SET spock.exception_behaviour = 'sub_disable';
 SELECT pg_reload_conf();
  pg_reload_conf 
 ----------------
  t
 (1 row)
 
-\c :provider_dsn
-TRUNCATE test_spill RESTART IDENTITY;
-SELECT spock.sync_event() as sync_lsn
-\gset
-\c :subscriber_dsn
-CALL spock.wait_for_sync_event(NULL, 'test_provider', :'sync_lsn', 30);
- result 
---------
- t
+-- Check that all works and clean on subscriber
+SELECT status FROM spock.sub_show_status('test_subscription');
+   status    
+-------------
+ replicating
 (1 row)
 
+SELECT * FROM test_spill; -- empty
+ id | payload 
+----+---------
+(0 rows)
+
 INSERT INTO test_spill (id, payload) VALUES (-1, 50000); -- Add conflicting record
 \c :provider_dsn
 COPY test_spill (id) FROM PROGRAM 'seq 1 50000' WITH (FORMAT text);
@@ -304,16 +312,15 @@ SELECT node_name,relname,idxname,conflict_type,conflict_resolution,
 -----------+---------+---------+---------------+---------------------+-------------+--------------
 (0 rows)
 
-SELECT command_counter AS cnt,operation AS opt,
-  remote_new_tup FROM spock.exception_log
+SELECT operation AS opt, remote_new_tup FROM spock.exception_log
 ORDER BY command_counter DESC LIMIT 5;
-  cnt   |     opt     |                                                  remote_new_tup                                                   
---------+-------------+-------------------------------------------------------------------------------------------------------------------
- 150014 | SUB_DISABLE | 
- 150013 | INSERT      | [{"value": 50000, "attname": "id", "atttype": "int4"}, {"value": 50000, "attname": "payload", "atttype": "int4"}]
- 150012 | INSERT      | [{"value": 49999, "attname": "id", "atttype": "int4"}, {"value": 49999, "attname": "payload", "atttype": "int4"}]
- 150011 | INSERT      | [{"value": 49998, "attname": "id", "atttype": "int4"}, {"value": 49998, "attname": "payload", "atttype": "int4"}]
- 150010 | INSERT      | [{"value": 49997, "attname": "id", "atttype": "int4"}, {"value": 49997, "attname": "payload", "atttype": "int4"}]
+     opt     |                                                  remote_new_tup                                                   
+-------------+-------------------------------------------------------------------------------------------------------------------
+ SUB_DISABLE | 
+ INSERT      | [{"value": 50000, "attname": "id", "atttype": "int4"}, {"value": 50000, "attname": "payload", "atttype": "int4"}]
+ INSERT      | [{"value": 49999, "attname": "id", "atttype": "int4"}, {"value": 49999, "attname": "payload", "atttype": "int4"}]
+ INSERT      | [{"value": 49998, "attname": "id", "atttype": "int4"}, {"value": 49998, "attname": "payload", "atttype": "int4"}]
+ INSERT      | [{"value": 49997, "attname": "id", "atttype": "int4"}, {"value": 49997, "attname": "payload", "atttype": "int4"}]
 (5 rows)
 
 -- ============================================================

tests/regress/sql/spill_transaction.sql

@@ -92,7 +92,6 @@ SELECT pg_reload_conf();
 
 \c :provider_dsn
 TRUNCATE test_spill RESTART IDENTITY;
-
 SELECT spock.sync_event() as sync_lsn
 \gset
 
@@ -112,8 +111,7 @@ CALL spock.wait_for_sync_event(NULL, 'test_provider', :'sync_lsn', 30);
 -- Check: COPY transaction discarded, single record presented
 SELECT id, payload FROM test_spill;
 
-SELECT command_counter AS cnt,operation AS opt,
-  remote_new_tup FROM spock.exception_log
+SELECT operation AS opt, remote_new_tup FROM spock.exception_log
 ORDER BY command_counter DESC LIMIT 5;
 
 -- ============================================================
@@ -126,7 +124,6 @@ SELECT pg_reload_conf();
 
 \c :provider_dsn
 TRUNCATE test_spill RESTART IDENTITY;
-
 SELECT spock.sync_event() as sync_lsn
 \gset
 
@@ -145,8 +142,7 @@ CALL spock.wait_for_sync_event(NULL, 'test_provider', :'sync_lsn', 30);
 -- Check 49999 COPY records applied plus older one has been kept
 SELECT count(*), sum(id), sum(payload) FROM test_spill;
 
-SELECT command_counter AS cnt,operation AS opt,
-  remote_new_tup FROM spock.exception_log
+SELECT operation AS opt,remote_new_tup FROM spock.exception_log
 ORDER BY command_counter DESC LIMIT 5;
 
 -- ============================================================
@@ -155,18 +151,20 @@ ORDER BY command_counter DESC LIMIT 5;
 -- conflicting row, re-enable, and verify the transaction
 -- is applied successfully.
 -- ============================================================
-\c :subscriber_dsn
-ALTER SYSTEM SET spock.exception_behaviour = 'sub_disable';
-SELECT pg_reload_conf();
 
 \c :provider_dsn
 TRUNCATE test_spill RESTART IDENTITY;
-
-SELECT spock.sync_event() as sync_lsn
-\gset
+SELECT spock.sync_event() as sync_lsn \gset
 
 \c :subscriber_dsn
 CALL spock.wait_for_sync_event(NULL, 'test_provider', :'sync_lsn', 30);
+ALTER SYSTEM SET spock.exception_behaviour = 'sub_disable';
+SELECT pg_reload_conf();
+
+-- Check that all works and clean on subscriber
+SELECT status FROM spock.sub_show_status('test_subscription');
+SELECT * FROM test_spill; -- empty
+
 INSERT INTO test_spill (id, payload) VALUES (-1, 50000); -- Add conflicting record
 
 \c :provider_dsn
@@ -200,8 +198,7 @@ SELECT count(*), sum(id), sum(payload) FROM test_spill;
 -- Check how the conflict has been processed.
 SELECT node_name,relname,idxname,conflict_type,conflict_resolution,
   local_tuple,remote_tuple FROM spock.resolutions;
-SELECT command_counter AS cnt,operation AS opt,
-  remote_new_tup FROM spock.exception_log
+SELECT operation AS opt, remote_new_tup FROM spock.exception_log
 ORDER BY command_counter DESC LIMIT 5;
 
 -- ============================================================