Re: BUG #15540: Use after release in ExecuteTruncateGuts

From: PanBian <bianpan2016(at)163(dot)com>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: pgsql-bugs(at)lists(dot)postgresql(dot)org
Subject: Re: BUG #15540: Use after release in ExecuteTruncateGuts
Date: 2018-12-09 00:56:17
Message-ID: 20181209005617.GA65607@bp
Lists: pgsql-bugs

On Fri, Dec 07, 2018 at 11:09:05AM -0500, Tom Lane wrote:
> PG Bug reporting form <noreply(at)postgresql(dot)org> writes:
> > The function ExecuteTruncateGuts drops the reference to rel via
> > relation_close when toast_relid is valid. However, after that, rel is passed
> > to pgstat_count_truncate. This may result in a use-after-release bug.
>
> ... and, even more to the point, the truncation stats count is incorrectly
> applied to the toast table not its parent.
>
> > Maybe,
> > rel should be re-declared on the branch that toast_relid is valid.
>
> Yeah, seems like the right way. Will fix.
>
> Are you using a static analyzer to find these? I'm curious how
> you noticed them.

Yes. I wrote a static analysis tool. It can find functions that release
memory or other resources. Let's call them free-like functions. With such
free-like functions, the tool then performs data flow analysis to find
use-after-free bugs. Of course, we can feed those free-like functions to
other static analyzers such as Coverity. I believe it will work too.

Best regards,
Pan Bian

>
> regards, tom lane
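The bug shape described in the report, reproduced as an added example that is not PostgreSQL's code: a constructed mock of a relation cache in which each relation carries a reference count, so a stats call made after relation_close() is observable, and a per-table truncate counter, so it is visible which table the count lands on. The OIDs, the refcount field, the boolean return from pgstat_count_truncate(), and the names truncate_guts_buggy/truncate_guts_fixed are assumptions of the mock; in the mock the stale pointer still points at valid memory, which says nothing about how PostgreSQL's relcache behaves. The buggy routine reuses the parent's variable for the TOAST table, as the report describes; the fixed one gives the TOAST table its own variable scoped to the branch.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed mock of a relation cache, NOT PostgreSQL code: two fixed
 * "relations", each with a reference count (>0 while open), a per-table
 * truncate counter, and the OID of its TOAST table if it has one. */
typedef unsigned int Oid;
#define InvalidOid ((Oid) 0)

typedef struct Relation {
    Oid  oid;
    Oid  toast_relid;   /* InvalidOid when there is no TOAST table */
    int  refcount;      /* open handles on this relation */
    long n_truncates;   /* what pgstat_count_truncate() records */
} Relation;

/* OIDs are made up for the example: rels[0] is the parent, rels[1] its TOAST table. */
static Relation rels[2];

static void reset_rels(void) {
    rels[0] = (Relation) { 16384, 16387, 0, 0 };
    rels[1] = (Relation) { 16387, InvalidOid, 0, 0 };
}

static Relation *relation_open(Oid oid) {
    for (size_t i = 0; i < sizeof rels / sizeof rels[0]; i++)
        if (rels[i].oid == oid) { rels[i].refcount++; return &rels[i]; }
    return NULL;
}

static void relation_close(Relation *rel) {
    assert(rel->refcount > 0);
    rel->refcount--;
}

static void heap_truncate_one_rel(Relation *rel) { (void) rel; /* no-op in the mock */ }

/* Records a truncate against rel and returns whether rel was still open, so a
 * use after relation_close() shows up. The stale pointer still points at valid
 * memory here; that is a property of this mock only. */
static bool pgstat_count_truncate(Relation *rel) {
    rel->n_truncates++;
    return rel->refcount > 0;
}

/* Buggy shape from the report: the TOAST table is opened into the SAME
 * variable, closed, and the now-stale variable is passed on. */
static void truncate_guts_buggy(Relation *rel, bool *counted_on_open_rel) {
    Oid toast_relid = rel->toast_relid;
    heap_truncate_one_rel(rel);
    if (toast_relid != InvalidOid) {
        rel = relation_open(toast_relid);   /* overwrites the parent pointer */
        heap_truncate_one_rel(rel);
        relation_close(rel);                /* rel now names a closed relation */
    }
    *counted_on_open_rel = pgstat_count_truncate(rel); /* wrong table, after close */
}

/* Fixed shape: a separate variable scoped to the branch, so rel still
 * names the open parent when the stats call is made. */
static void truncate_guts_fixed(Relation *rel, bool *counted_on_open_rel) {
    Oid toast_relid = rel->toast_relid;
    heap_truncate_one_rel(rel);
    if (toast_relid != InvalidOid) {
        Relation *toastrel = relation_open(toast_relid);
        heap_truncate_one_rel(toastrel);
        relation_close(toastrel);
    }
    *counted_on_open_rel = pgstat_count_truncate(rel);
}

typedef struct {
    bool counted_on_open_rel;  /* false: the stats call used a closed relation */
    long parent_truncates;
    long toast_truncates;
} TruncResult;

/* Driver: the caller opens the parent, hands it to the guts routine, and closes
 * it afterwards, since the parent is closed outside the TOAST branch. */
static TruncResult run_truncate(Oid relid, void (*guts)(Relation *, bool *)) {
    TruncResult r;
    reset_rels();
    Relation *rel = relation_open(relid);
    guts(rel, &r.counted_on_open_rel);
    relation_close(rel);
    r.parent_truncates = rels[0].n_truncates;
    r.toast_truncates  = rels[1].n_truncates;
    return r;
}

int main(void) {
    TruncResult b = run_truncate(16384, truncate_guts_buggy);
    TruncResult f = run_truncate(16384, truncate_guts_fixed);
    printf("buggy: open=%d parent=%ld toast=%ld\n", b.counted_on_open_rel, b.parent_truncates, b.toast_truncates);
    printf("fixed: open=%d parent=%ld toast=%ld\n", f.counted_on_open_rel, f.parent_truncates, f.toast_truncates);
    return 0;
}
```

With the buggy routine the count lands on the closed TOAST table and the parent's counter stays at zero, which is the second point Tom Lane raises; with the fixed routine the parent is counted while still open. A free-like function list of the kind described in the reply would contain relation_close() here, and a data-flow pass would flag the reaching definition of rel at the pgstat_count_truncate() call in the buggy variant.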
