Re: Bitmap index scans use of filters on available columns - Mailing list pgsql-hackers

From Tomas Vondra
Subject Re: Bitmap index scans use of filters on available columns
Date
Msg-id 563B9FF0.8030402@2ndquadrant.com
Whole thread Raw
In response to Re: Bitmap index scans use of filters on available columns  (Robert Haas <robertmhaas@gmail.com>)
Responses Re: Bitmap index scans use of filters on available columns
List pgsql-hackers
Hi,

On 11/05/2015 06:51 PM, Robert Haas wrote:
> On Wed, Nov 4, 2015 at 9:15 PM, Tomas Vondra
> <tomas.vondra@2ndquadrant.com> wrote:
>> I certainly understand there are cases that require care - like the
>> leakproof thing pointed out by Robert for example. I don't immediately see
>> why evaluation against dead rows would be a problem.
>
> Well, one thing is that you might leak information about
> already-deleted rows, which could be a security vulnerability, or more
> mundanely cause a function to error out when there are no actually
> visible rows that could trigger such an error.  It would be surprising
> if you could add a CHECK(b != 0) constraint to a table, query it for
> rows where a/b>1, and get a division by zero error.

Yes, I guess we don't have this problem when evaluating the expression 
on heap because we get to check visibility first, and after moving the 
expression to the index we can't do that.

But then again, can we come up with a way to distinguish operators that 
are safe to evaluate on indexes - either automatic or manual? We already 
do that with the indexable operators with explicitly listing them in the 
opclass, and we also explicitly use the LEAKPROOF for a similar thing. I 
don't think extending the opclass is a really good solution, but why not 
to invent another *PROOF flag?


> But I think it's even worse: I believe there can be dead rows in the
> heap whose tuple descriptor doesn't even match the current
> pg_attribute contents.  Consider BEGIN; ALTER TABLE ... ADD COLUMN ...
> int8; INSERT ...; ROLLBACK; ALTER TABLE .. ADD COLUMN .. text; SELECT
> ...  If the SELECT tries to decode one of the tuples added by the
> failed transaction considering the new column as text when the dead
> tuples in question had it as an int8, I suspect that you can crash the
> server.  Nothing good will happen, anyway.

But that is about heap, and we're discussing indexes here, right? I 
don't think you can break the index descriptor like this, because 
otherwise we'd already have problems with that.

regards

--
Tomas Vondra                  http://www.2ndQuadrant.com
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services



pgsql-hackers by date:

Previous
From: Robert Haas
Date:
Subject: Re: Parallel Seq Scan
Next
From: Joe Conway
Date:
Subject: Re: Request: pg_cancel_backend variant that handles 'idle in transaction' sessions