"Dave Chapeskie" <pgsql@ddm.wox.org> writes:
> array_cat() has a bug when passed an empty array. The
> code attempts to optimise/short-circuit this case and
> returns a pointer to the non-empty argument. This is
> bad/wrong. Especially when used in a construct like:
> foo := foo || <some_array>
> since after array_cat() returns exec_assign_value()
> will pfree() 'foo' and then attempt to assign the now
> invalid result that points to 'foo'.

Actually, I would say the bug is exec_assign_value's. There is nothing
at all wrong with a function returning one of its input values; for
example the smaller/larger functions all do that. Let's see...

regression=# create or replace function smal(text,text) returns text as $$
regression$# declare tmp text;
regression$# begin
regression$# tmp := $1;
regression$# tmp := text_smaller(tmp, $2);
regression$# return tmp;
regression$# end$$ language plpgsql stable;
CREATE FUNCTION
regression=# select smal('abc', '123');
smal
------
123
(1 row)
regression=# select smal('123', 'abc');
ERROR: out of memory
DETAIL: Failed on request of size 1065320319.
CONTEXT: PL/pgSQL function "smal" line 4 at assignment
regression=#

It's very surprising no one noticed this before. Thanks for the report!

regards, tom lane
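
An added example, not part of the original message and not PostgreSQL source: a toy C model of the assignment order discussed above, showing why freeing the old value before copying the new one fails when a function returns its own input. The slot pool, the 0x7F clobber on free, the 30-bit length header and all function names are assumptions of the model.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Toy model (not PostgreSQL source): fixed slots, a free() that clobbers
 * with 0x7F, and values carrying a 4-byte length header (30 bits used). */
#define SLOT 32
static unsigned char pool[4 * SLOT];
static int used[4];
static void toy_free(unsigned char *p) {
    memset(p, 0x7F, SLOT);                  /* clobber, then release */
    used[(p - pool) / SLOT] = 0;
}
static uint32_t val_len(const unsigned char *v) {
    uint32_t h; memcpy(&h, v, 4); return h & 0x3FFFFFFF;
}
/* Allocate a value of n bytes; NULL models "out of memory". */
static unsigned char *new_val(const void *data, uint32_t n) {
    if (n > SLOT - 4) return NULL;
    for (int i = 0; i < 4; i++) {
        if (used[i]) continue;
        used[i] = 1;
        memcpy(pool + i * SLOT, &n, 4);
        memcpy(pool + i * SLOT + 4, data, n);
        return pool + i * SLOT;
    }
    return NULL;
}
/* Like text_smaller: hands back one of its inputs, not a copy. */
static unsigned char *smaller(unsigned char *a, unsigned char *b) {
    uint32_t la = val_len(a), lb = val_len(b);
    int c = memcmp(a + 4, b + 4, la < lb ? la : lb);
    return (c < 0 || (c == 0 && la <= lb)) ? a : b;
}
/* tmp := a; tmp := smaller(tmp, b). Returns the size the copy asked for. */
uint32_t smal(const char *a, const char *b, int copy_first) {
    memset(used, 0, sizeof used);
    unsigned char *tmp = new_val(a, (uint32_t)strlen(a));
    unsigned char *arg2 = new_val(b, (uint32_t)strlen(b));
    unsigned char *res = smaller(tmp, arg2);   /* may alias tmp */
    if (!copy_first) toy_free(tmp);            /* buggy order: free, then copy */
    uint32_t req = val_len(res);               /* clobbered header if res was tmp */
    new_val(res + 4, req);                     /* NULL here is the failed request */
    if (copy_first) toy_free(tmp);             /* safe order: copy, then free */
    return req;
}
int main(void) {
    printf("buggy: %u  safe: %u\n", (unsigned)smal("123", "abc", 0), (unsigned)smal("123", "abc", 1));
    return 0;
}
```

In the free-then-copy order the copy reads its length from the clobbered slot, so the request size is 0x7F7F7F7F masked to 30 bits; the failure only appears when the first argument is the one returned.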