Fix cache flush hazard in cache_record_field_properties().

We need to increment the refcount on the composite type's cached tuple
descriptor while we do lookups of its column types.  Otherwise a cache
flush could occur and release the tuple descriptor before we're done with
it.  This fails reliably with -DCLOBBER_CACHE_ALWAYS, but the odds of a
failure in a production build seem rather low (since the pfree'd descriptor
typically wouldn't get scribbled on immediately).  That may explain the
lack of any previous reports.  Buildfarm issue noted by Christian Ullrich.

Back-patch to 9.1 where the bogus code was added.

Author: tglsfdc

src/backend/utils/cache/typcache.c

@@ -648,6 +648,9 @@ cache_record_field_properties(TypeCacheEntry *typentry)
 			load_typcache_tupdesc(typentry);
 		tupdesc = typentry->tupDesc;
 
+		/* Must bump the refcount while we do additional catalog lookups */
+		IncrTupleDescRefCount(tupdesc);
+
 		/* Have each property if all non-dropped fields have the property */
 		newflags = (TCFLAGS_HAVE_FIELD_EQUALITY |
 					TCFLAGS_HAVE_FIELD_COMPARE);
@@ -671,6 +674,8 @@ cache_record_field_properties(TypeCacheEntry *typentry)
 				break;
 		}
 		typentry->flags |= newflags;
+
+		DecrTupleDescRefCount(tupdesc);
 	}
 	typentry->flags |= TCFLAGS_CHECKED_FIELD_PROPERTIES;
 }