Document issue with heapam line pointer truncation.

Checking that an offset number isn't past the end of a heap page's line
pointer array was just a defensive sanity check for HOT-chain traversal
code before commit 3c3b8a4b.  It's etrictly necessary now, though.  Add
comments that reference the issue to code in heapam that needs to get it
right.

Per suggestion from Alexander Lakhin.

Discussion: https://postgr.es/m/f76a292c-9170-1aef-91a0-59d9443b99a3@gmail.com

1 files changed, 18 insertions, 4 deletions

diff --git a/src/backend/access/heap/pruneheap.c b/src/backend/access/heap/pruneheap.c
index 15ca1b304a0..db6912e9fa5 100644
--- a/src/backend/access/heap/pruneheap.c
+++ b/src/backend/access/heap/pruneheap.c
@@ -581,8 +581,15 @@ heap_prune_chain(Buffer buffer, OffsetNumber rootoffnum, PruneState *prstate)
 		bool		tupdead,
 					recent_dead;
 
-		/* Some sanity checks */
-		if (offnum < FirstOffsetNumber || offnum > maxoff)
+		/* Sanity check (pure paranoia) */
+		if (offnum < FirstOffsetNumber)
+			break;
+
+		/*
+		 * An offset past the end of page's line pointer array is possible
+		 * when the array was truncated (original item must have been unused)
+		 */
+		if (offnum > maxoff)
 			break;
 
 		/* If item is already processed, stop --- it must not be same chain */
@@ -962,8 +969,15 @@ heap_get_root_tuples(Page page, OffsetNumber *root_offsets)
 		 */
 		for (;;)
 		{
-			/* Sanity check */
-			if (nextoffnum < FirstOffsetNumber || nextoffnum > maxoff)
+			/* Sanity check (pure paranoia) */
+			if (offnum < FirstOffsetNumber)
+				break;
+
+			/*
+			 * An offset past the end of page's line pointer array is possible
+			 * when the array was truncated
+			 */
+			if (offnum > maxoff)
 				break;
 
 			lp = PageGetItemId(page, nextoffnum);