From bf3ebfd93f0a6351042669e04d192f4245e45c3e Mon Sep 17 00:00:00 2001
From: Robert Haas <rhaas@postgresql.org>
Date: Thu, 29 Sep 2011 14:26:03 -0400
Subject: [PATCH] Bug fixes and additional assertions.

---
 src/backend/storage/ipc/snaparray.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/src/backend/storage/ipc/snaparray.c b/src/backend/storage/ipc/snaparray.c
index a5c8198225..24a4adf249 100644
--- a/src/backend/storage/ipc/snaparray.c
+++ b/src/backend/storage/ipc/snaparray.c
@@ -957,13 +957,13 @@ SnapArrayUpdateCache(bool have_lock)
 	uint64		buffer_space_needed;
 	uint32		num_running_xids;
 	uint32		num_removed_xids;
+	uint32		buffer_offset;
 	uint32		n;
 	uint32		m;
 	uint32		r;
 	TransactionId	xmax;
 	TransactionId	new_xmax;
 	TransactionId	highest_removed_subxid;
-	TransactionId  *buffer;
 	TransactionId  *running_xids;
 	TransactionId  *removed_xids;
 	uint32		xids_added;
@@ -997,14 +997,14 @@ SnapArrayUpdateCache(bool have_lock)
 	if (start_pointer == SnapArrayCache.last_start_pointer)
 	{
 		read_starts_at = SnapArrayCache.last_stop_pointer;
-		buffer = &SnapArrayCache.buffer[SnapArrayCache.size];
+		buffer_offset = SnapArrayCache.size;
 		buffer_space_needed = SnapArrayCache.size
 			+ (stop_pointer - read_starts_at);
 	}
 	else
 	{
 		read_starts_at = start_pointer;
-		buffer = SnapArrayCache.buffer;
+		buffer_offset = 0;
 		buffer_space_needed = stop_pointer - read_starts_at;
 	}
 
@@ -1027,7 +1027,8 @@ SnapArrayUpdateCache(bool have_lock)
 	SnapArrayCache.last_stop_pointer = 0;
 
 	/* Copy the data. */
-	SnapArrayReadData(read_starts_at, stop_pointer, buffer);
+	SnapArrayReadData(read_starts_at, stop_pointer,
+					  &SnapArrayCache.buffer[buffer_offset]);
 
 	/* Check for wraparound (unless we have the lock). */
 	if (!have_lock)
@@ -1053,9 +1054,11 @@ SnapArrayUpdateCache(bool have_lock)
 	/* Data must begin with a snapshot summary. */
 	Assert(SnapArrayCache.size >= SNAPARRAY_SUMMARY_ITEMS);
 	Assert(SnapArrayCache.buffer[0] == InvalidTransactionId);
+	Assert(SnapArrayCache.size <= SnapArrayCache.entries);
 	xmax = SnapArrayCache.buffer[1];
 	highest_removed_subxid = SnapArrayCache.buffer[2];
 	num_running_xids = (uint32) SnapArrayCache.buffer[3];
+	Assert(SNAPARRAY_SUMMARY_ITEMS + num_running_xids <= SnapArrayCache.size);
 	num_removed_xids =
 		SnapArrayCache.size - (num_running_xids + SNAPARRAY_SUMMARY_ITEMS);
 
-- 
2.39.5