Received: from malur.postgresql.org ([217.196.149.56])
	by arkaria.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.96)
	(envelope-from <pgsql-bugs-owner+archive@lists.postgresql.org>)
	id 1vwQEs-005qwj-0d
	for pgsql-bugs@arkaria.postgresql.org;
	Sat, 28 Feb 2026 19:44:34 +0000
Received: from localhost ([127.0.0.1] helo=malur.postgresql.org)
	by malur.postgresql.org with esmtp (Exim 4.96)
	(envelope-from <pgsql-bugs-owner+archive@lists.postgresql.org>)
	id 1vwQEr-00BNwv-0D
	for pgsql-bugs@arkaria.postgresql.org;
	Sat, 28 Feb 2026 19:44:33 +0000
Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29])
	by malur.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.96)
	(envelope-from <noreply@postgresql.org>)
	id 1vw96w-008m9q-0R
	for pgsql-bugs@lists.postgresql.org;
	Sat, 28 Feb 2026 01:27:14 +0000
Received: from mahout.postgresql.org ([2001:4800:3e1:1::227])
	by magus.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.98.2)
	(envelope-from <noreply@postgresql.org>)
	id 1vw96o-00000001evr-2ghv
	for pgsql-bugs@lists.postgresql.org;
	Sat, 28 Feb 2026 01:27:13 +0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
	d=postgresql.org; s=20171124; h=Message-ID:Date:Reply-To:Cc:From:To:Subject:
	Content-Transfer-Encoding:MIME-Version:Content-Type:Sender:Content-ID:
	Content-Description:In-Reply-To:References;
	bh=W03FqskYIeJbARY3a19KDJlphV+fBnDjlxPKTx0GcV8=; b=Hrz4/m7Gnt/16aAlxG2h++tk3K
	0UiGvkoZzU0NFpmgVW4evyu3REkWOvTLIIaAFUhkgm6EE5lB3m1D94t7lOTCgemPl4MoNJS5O+jHI
	jMoiNdgij0K97iQETFT2reDJ7pMh1pp42uMNQjYJxKxQ5ImEoagx1iuY6Ch+v2a7Q9PwR0QI/XeFu
	V2WVpGLDOjZuGMxs9MHKAhUNtPpZWBYg6Wng+kf09fzwP+AdO8BVOxrlQup36FA3PIG7sfJczkrsh
	zUx0TYX/qgKn8Dy0tsXyc+WZi2k4AZSDPUN2uqpzmWVoV1Wx8AVTa1A4nenNngtiMdq6qfsb43fXN
	kg8Z4Sig==;
Received: from wrigleys.postgresql.org ([2a02:16a8:dc51::60])
	by mahout.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.96)
	(envelope-from <noreply@postgresql.org>)
	id 1vw96m-004cJH-03
	for pgsql-bugs@lists.postgresql.org;
	Sat, 28 Feb 2026 01:27:06 +0000
Received: from localhost ([127.0.0.1] helo=wrigleys.postgresql.org)
	by wrigleys.postgresql.org with esmtp (Exim 4.96)
	(envelope-from <noreply@postgresql.org>)
	id 1vw96k-00DeEm-2e
	for pgsql-bugs@lists.postgresql.org;
	Sat, 28 Feb 2026 01:27:02 +0000
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Subject: BUG #19421: PostgreSQL MERGE Crash: heap_compute_data_size() at heaptuple.c:236
To: pgsql-bugs@lists.postgresql.org
From: PG Bug reporting form <noreply@postgresql.org>
Cc: 303677365@qq.com
Reply-To: 303677365@qq.com, pgsql-bugs@lists.postgresql.org
Date: Sat, 28 Feb 2026 01:26:07 +0000
Message-ID: <19421-3d118fd489810af1@postgresql.org>
X-Auto-Response-Suppress: All
Auto-Submitted: auto-generated
List-Id: <pgsql-bugs.lists.postgresql.org>
List-Help: <https://lists.postgresql.org/manage/>
List-Subscribe: <https://lists.postgresql.org/manage/>
List-Post: <mailto:pgsql-bugs@lists.postgresql.org>
List-Owner: <mailto:pgsql-bugs-owner@lists.postgresql.org>
List-Archive: <https://www.postgresql.org/list/pgsql-bugs>
Archived-At: <https://www.postgresql.org/message-id/19421-3d118fd489810af1%40postgresql.org>
Precedence: bulk

The following bug has been logged on the website:

Bug reference:      19421
Logged by:          chunling qin
Email address:      303677365@qq.com
PostgreSQL version: 15.5
Operating system:   centos
Description:       =20

-- PostgreSQL MERGE SIGSEGV Minimal Reproduction
-- Crash location: heap_compute_data_size() at heaptuple.c:236

-- Cleanup
DROP TABLE IF EXISTS child_tbl CASCADE;
DROP TABLE IF EXISTS parent_tbl CASCADE;

-- 1. Create parent table
CREATE TABLE parent_tbl (
    id      int not null,
    val     int
);

-- 2. Create child table with variable-length column and different column
order
CREATE TABLE child_tbl (
    filler  text,           -- variable-length column, will be dropped
    val     int,
    id      int not null,
    CHECK (id > 0)
);

-- 3. Drop variable-length column to create dropped column
ALTER TABLE child_tbl DROP COLUMN filler;

-- 4. Establish inheritance
ALTER TABLE child_tbl INHERIT parent_tbl;

-- 5. Add NO INHERIT constraint so only child table is selected for INSERT
ALTER TABLE parent_tbl ADD CONSTRAINT pcheck CHECK (id < 0) NO INHERIT;

-- 6. Execute MERGE - crashes here
MERGE INTO parent_tbl p
USING (VALUES (1)) AS src(id) ON p.id =3D src.id
WHEN NOT MATCHED THEN INSERT (id, val) VALUES (src.id, 100);
[root@VM-253-35-tencentos pgdata]#
[root@VM-253-35-tencentos pgdata]#
[root@VM-253-35-tencentos pgdata]#
[root@VM-253-35-tencentos pgdata]#
[root@VM-253-35-tencentos pgdata]#
[root@VM-253-35-tencentos pgdata]#  cat /data/pgdata/BUG_REPORT.md
# Bug Report: SIGSEGV in MERGE INTO inheritance table with dropped column

## Summary

PostgreSQL server crashes with SIGSEGV when executing `MERGE ... WHEN NOT
MATCHED THEN INSERT` on an inheritance parent table, where the child table
has a dropped variable-length column and a different column order than the
parent.

## PostgreSQL Version

PostgreSQL 15.5

## Minimal Reproduction

```sql
-- 1. Create parent table
CREATE TABLE parent_tbl (
    id      int not null,
    val     int
);

-- 2. Create child table with variable-length column and different column
order
CREATE TABLE child_tbl (
    filler  text,           -- variable-length column, will be dropped
    val     int,
    id      int not null,
    CHECK (id > 0)
);

-- 3. Drop variable-length column (creates dropped column with attlen=3D-1)
ALTER TABLE child_tbl DROP COLUMN filler;

-- 4. Establish inheritance
ALTER TABLE child_tbl INHERIT parent_tbl;

-- 5. Add NO INHERIT constraint so only child table is selected for INSERT
ALTER TABLE parent_tbl ADD CONSTRAINT pcheck CHECK (id < 0) NO INHERIT;

-- 6. Execute MERGE - crashes here
MERGE INTO parent_tbl p
USING (VALUES (1)) AS src(id) ON p.id =3D src.id
WHEN NOT MATCHED THEN INSERT (id, val) VALUES (src.id, 100);
```

## Crash Location

```
#0  heap_compute_data_size() at heaptuple.c:236
#1  heap_form_tuple()
#2  tts_buffer_heap_materialize()
#3  ExecMaterializeSlot()
#4  ExecInsert()
#5  ExecMergeNotMatched() at nodeModifyTable.c:3172
```

## Root Cause Analysis

The crash occurs due to improper handling of dropped columns in the tuple
slot during MERGE INSERT:

1. The child table has 3 attributes: `[dropped(attlen=3D-1), val, id]`
2. Due to constraint exclusion (NO INHERIT constraint on parent), only the
child table is selected as the result relation (`mt_nrels=3D1`)
3. The `ri_newTupleSlot` uses the child table's TupleDescriptor (3 columns)
4. The projection only fills values for the 2 valid columns
5. **Bug**: The dropped column's `isnull[0]` is `false` but `values[0]` is
`0` (null pointer)
6. `heap_compute_data_size()` attempts to call
`VARATT_CAN_MAKE_SHORT(DatumGetPointer(0))` on the variable-length dropped
column, causing SIGSEGV

## Key Conditions

- Child table must have a **dropped variable-length column** (attlen =3D -1)
- Child table must have **different column order** than parent (created
independently, then inherited)
- Constraint exclusion must result in **only child table** being selected as
result relation
- Execute `MERGE ... WHEN NOT MATCHED THEN INSERT`

## Expected Behavior

The MERGE statement should either:
1. Properly set `isnull[i] =3D true` for dropped columns in the projection
slot, or
2. Skip dropped columns when computing data size in
`heap_compute_data_size()`

## Actual Behavior

Server crashes with SIGSEGV (signal 11).