ORCA: Fix use-after-free in flatten_join_alias_var_optimizer

yjhjstz · yjhjstz · commit 224f15320c74 · 2026-03-18T09:35:30.000-07:00
Guard pfree/list_free calls with pointer-equality checks to avoid freeing live nodes when flatten_join_alias_vars returns the same pointer unchanged (e.g., outer-reference Vars with varlevelsup > 0). The unconditional pfree(havingQual) freed the Var node, whose memory was later reused by palloc for a T_List. copyObjectImpl then copied the wrong node type into havingQual, causing ORCA to encounter an unexpected RangeTblEntry and fall back to the Postgres planner. Applies the same guard pattern to all six fields: targetList, returningList, havingQual, scatterClause, limitOffset, limitCount. Reported-in: #1618
diff --git a/src/backend/optimizer/util/clauses.c b/src/backend/optimizer/util/clauses.c
@@ -5522,35 +5522,40 @@ flatten_join_alias_var_optimizer(Query *query, int queryLevel)
 	if (NIL != targetList)
 	{
 		queryNew->targetList = (List *) flatten_join_alias_vars(queryNew, (Node *) targetList);
-		list_free(targetList);
+		if (targetList != queryNew->targetList)
+			list_free(targetList);
 	}
 
-	List * returningList = queryNew->returningList;
+	List *returningList = queryNew->returningList;
 	if (NIL != returningList)
 	{
 		queryNew->returningList = (List *) flatten_join_alias_vars(queryNew, (Node *) returningList);
-		list_free(returningList);
+		if (returningList != queryNew->returningList)
+			list_free(returningList);
 	}
 
 	Node *havingQual = queryNew->havingQual;
 	if (NULL != havingQual)
 	{
 		queryNew->havingQual = flatten_join_alias_vars(queryNew, havingQual);
-		pfree(havingQual);
+		if (havingQual != queryNew->havingQual)
+			pfree(havingQual);
 	}
 
 	List *scatterClause = queryNew->scatterClause;
 	if (NIL != scatterClause)
 	{
 		queryNew->scatterClause = (List *) flatten_join_alias_vars(queryNew, (Node *) scatterClause);
-		list_free(scatterClause);
+		if (scatterClause != queryNew->scatterClause)
+			list_free(scatterClause);
 	}
 
 	Node *limitOffset = queryNew->limitOffset;
 	if (NULL != limitOffset)
 	{
 		queryNew->limitOffset = flatten_join_alias_vars(queryNew, limitOffset);
-		pfree(limitOffset);
+		if (limitOffset != queryNew->limitOffset)
+			pfree(limitOffset);
 	}
 
 	List *windowClause = queryNew->windowClause;
@@ -5577,7 +5582,8 @@ flatten_join_alias_var_optimizer(Query *query, int queryLevel)
 	if (NULL != limitCount)
 	{
 		queryNew->limitCount = flatten_join_alias_vars(queryNew, limitCount);
-		pfree(limitCount);
+		if (limitCount != queryNew->limitCount)
+			pfree(limitCount);
 	}
 
     return queryNew;

Original file line number	Diff line number	Diff line change
`@@ -5522,35 +5522,40 @@ flatten_join_alias_var_optimizer(Query *query, int queryLevel)`
`5522`	`5522`	`if (NIL != targetList)`
`5523`	`5523`	`{`
`5524`	`5524`	`queryNew->targetList = (List ) flatten_join_alias_vars(queryNew, (Node ) targetList);`
`5525`		`- list_free(targetList);`
	`5525`	`+ if (targetList != queryNew->targetList)`
	`5526`	`+ list_free(targetList);`
`5526`	`5527`	`}`
`5527`	`5528`
`5528`		`- List * returningList = queryNew->returningList;`
	`5529`	`+ List *returningList = queryNew->returningList;`
`5529`	`5530`	`if (NIL != returningList)`
`5530`	`5531`	`{`
`5531`	`5532`	`queryNew->returningList = (List ) flatten_join_alias_vars(queryNew, (Node ) returningList);`
`5532`		`- list_free(returningList);`
	`5533`	`+ if (returningList != queryNew->returningList)`
	`5534`	`+ list_free(returningList);`
`5533`	`5535`	`}`
`5534`	`5536`
`5535`	`5537`	`Node *havingQual = queryNew->havingQual;`
`5536`	`5538`	`if (NULL != havingQual)`
`5537`	`5539`	`{`
`5538`	`5540`	`queryNew->havingQual = flatten_join_alias_vars(queryNew, havingQual);`
`5539`		`- pfree(havingQual);`
	`5541`	`+ if (havingQual != queryNew->havingQual)`
	`5542`	`+ pfree(havingQual);`
`5540`	`5543`	`}`
`5541`	`5544`
`5542`	`5545`	`List *scatterClause = queryNew->scatterClause;`
`5543`	`5546`	`if (NIL != scatterClause)`
`5544`	`5547`	`{`
`5545`	`5548`	`queryNew->scatterClause = (List ) flatten_join_alias_vars(queryNew, (Node ) scatterClause);`
`5546`		`- list_free(scatterClause);`
	`5549`	`+ if (scatterClause != queryNew->scatterClause)`
	`5550`	`+ list_free(scatterClause);`
`5547`	`5551`	`}`
`5548`	`5552`
`5549`	`5553`	`Node *limitOffset = queryNew->limitOffset;`
`5550`	`5554`	`if (NULL != limitOffset)`
`5551`	`5555`	`{`
`5552`	`5556`	`queryNew->limitOffset = flatten_join_alias_vars(queryNew, limitOffset);`
`5553`		`- pfree(limitOffset);`
	`5557`	`+ if (limitOffset != queryNew->limitOffset)`
	`5558`	`+ pfree(limitOffset);`
`5554`	`5559`	`}`
`5555`	`5560`
`5556`	`5561`	`List *windowClause = queryNew->windowClause;`
`@@ -5577,7 +5582,8 @@ flatten_join_alias_var_optimizer(Query *query, int queryLevel)`
`5577`	`5582`	`if (NULL != limitCount)`
`5578`	`5583`	`{`
`5579`	`5584`	`queryNew->limitCount = flatten_join_alias_vars(queryNew, limitCount);`
`5580`		`- pfree(limitCount);`
	`5585`	`+ if (limitCount != queryNew->limitCount)`
	`5586`	`+ pfree(limitCount);`
`5581`	`5587`	`}`
`5582`	`5588`
`5583`	`5589`	`return queryNew;`