Fix crash when a special var points to another special var

rjuju · rjuju · commit a3811025041a · 2025-10-15T12:47:14.000+08:00
When a var has a special varno (ie a negative varno), we need to resolve the
actual underlying Var, as we would otherwise end up reading random memory when
trying to access the associated RangeTblEntry.  The previous code was correctly
resolving such Var, but didn't consider the possibility that the resolved Var
could itself have a special varno which needs to be resolved again.

Thanks to Kenny Chen for the report.
diff --git a/CONTRIBUTORS.md b/CONTRIBUTORS.md
@@ -17,3 +17,4 @@
   * github user RekGRpth
   * Zhihong Yu
   * github user romanstingler
+  * Kenny Chen
diff --git a/pg_qualstats.c b/pg_qualstats.c
@@ -2391,6 +2391,17 @@ pgqs_resolve_var(Var *var, pgqsWalkerContext *context)
 	List	   *tlist = NULL;
 	PlanState  *planstate = context->planstate;
 
+	/*
+	 * This function can recurse, so this can prevent infinite loop in case of
+	 * any problem.
+	 */
+	CHECK_FOR_INTERRUPTS();
+
+#if PG_VERSION_NUM >= 140000
+	/* ROWID_VAR is only used during planning, so we shouldn't see it. */
+	Assert(var->varno != ROWID_VAR);
+#endif
+
 	pgqs_set_planstates(context->planstate, context);
 	switch (var->varno)
 	{
@@ -2437,6 +2448,13 @@ pgqs_resolve_var(Var *var, pgqsWalkerContext *context)
 
 	pgqs_set_planstates(planstate, context);
 
+	/*
+	 * If the resolved var is still a var with a special varno, we need to
+	 * resolve it again.
+	 */
+	if (IsA(var, Var) && IS_SPECIAL_VARNO(var->varno))
+		return pgqs_resolve_var(var, context);
+
 	return (Expr *) var;
 }
 
