| From: | Tatsuo Ishii <ishii(at)postgresql(dot)org> |
|---|---|
| To: | emond(dot)papegaaij(at)gmail(dot)com |
| Cc: | pgpool-hackers(at)lists(dot)postgresql(dot)org |
| Subject: | Re: Use-after-free crash |
| Date: | 2026-06-15 10:07:07 |
| Message-ID: | 20260615.190707.2000036222659388260.ishii@postgresql.org |
| Lists: | pgpool-hackers |
Hi Emond,
>> Hi,
>>
>> Yesterday one of our tests detected a segmentation fault in pgpool,
>> caused by a use-after-free. It is triggered during the shutdown of the
>> process, so it probably isn't too harmful, but still I think it should
>> be fixed. I've worked with Claude Code to build a patch (against 4.7)
>> and a reproducer of the problem. The patch also contains a detailed
>> explanation of how this crashes in the commit message. To run the
>> reproducer:
>> tar xzf pgpool-uaf-repro.tar.gz
>> cd pgpool-uaf-repro
>> PGPOOL=/path/to/their/pgpool ./reproduce.sh
>>
>> Best regards,
>> Emond
>
> Thanks for the report. I will look into this.
After reading README.md, I tried to build ASan enabled pgpool but failed:
LANG=C make -C src CFLAGS="-g -O1 -fsanitize=address -fno-omit-frame-pointer \
-Wno-format-truncation -Wno-stringop-truncation -fno-strict-aliasing" \
LIBS="-lcrypt -lm" pgpool
:
:
gcc -DHAVE_CONFIG_H -DDEFAULT_CONFIGDIR=\"/usr/local/etc\" -DPGSQL_BIN_DIR=\"/usr/local/pgsql/bin\" -I. -I../src/include -D_GNU_SOURCE -I /usr/local/pgsql/include -g -O1 -fsanitize=address -fno-omit-frame-pointer -Wno-format-truncation -Wno-stringop-truncation -fno-strict-aliasing -c -o utils/pg_prng.o utils/pg_prng.c
make: *** No rule to make target 'parser/libsql-parser.a', needed by 'pgpool'. Stop.
make: Leaving directory '/home/t-ishii/work/Pgpool-II/current/pgpool2/src'
So I modified the src/Makefile
#CFLAGS = -g -O2 -Wall -Wmissing-prototypes -Wmissing-declarations -Wno-format-truncation -Wno-stringop-truncation -fno-strict-aliasing
CFLAGS = -g -O1 -fsanitize=address -fno-omit-frame-pointer \
-Wmissing-prototypes -Wmissing-declarations \
-Wno-format-truncation -Wno-stringop-truncation -fno-strict-aliasing
and succeeded in building ASan enabled pgpool.
Then run the reproducer (pgpool was installed as /usr/local/bin/pgpool)
$ ./reproduce.sh
pgpool : /usr/local/bin/pgpool
pgpool-II version 4.8devel (mitsukakeboshi)
pgbin : /usr/local/pgsql/bin
postgres (PostgreSQL) 18.4
workdir: /tmp/pgpool-uaf-kYI6hy
--- running client ---
session ready; firing trigger
client done
--- result ---
RESULT: CRASH REPRODUCED (use-after-free / signal)
268:==434672==ERROR: AddressSanitizer: heap-use-after-free on address 0x51d0000215a0 at pc 0x5cdb1e84b6ab bp 0x7ffc54297120 sp 0x7ffc54297110
270: #0 0x5cdb1e84b6aa in pool_query_context_destroy context/pool_query_context.c:106
274: #4 0x5cdb1e8447e8 in pool_clear_sent_message_list context/pool_session_context.c:500
275: #5 0x5cdb1e7fa679 in reset_connection protocol/pool_process_query.c:1041
300:SUMMARY: AddressSanitizer: heap-use-after-free context/pool_query_context.c:106 in pool_query_context_destroy
334:2026-06-15 10:21:53.476: main pid 434668: DEBUG: child process with pid: 434672 exits with status 134 by signal 6
ASan detected heap-use-after-free as expected.
After the patch, no crash occurred.
./reproduce.sh
pgpool : /usr/local/bin/pgpool
pgpool-II version 4.8devel (mitsukakeboshi)
pgbin : /usr/local/pgsql/bin
postgres (PostgreSQL) 18.4
workdir: /tmp/pgpool-uaf-XvNAWK
--- running client ---
session ready; firing trigger
client done
--- result ---
RESULT: no crash (this is the expected outcome on a FIXED pgpool)
253:2026-06-15 11:59:49.821: [unknown] pid 530619: LOG: reading and processing packets
254:2026-06-15 11:59:49.821: [unknown] pid 530619: DETAIL: postmaster on DB node 0 was shutdown by administrative command
262:2026-06-15 11:59:51.319: [unknown] pid 530619: WARNING: write on backend 0 failed with error :"Connection reset by peer"
268:2026-06-15 11:59:51.319: [unknown] pid 530619: WARNING: write on backend 0 failed with error :"Broken pipe"
270:2026-06-15 11:59:51.319: [unknown] pid 530619: WARNING: write on backend 0 failed with error :"Broken pipe"
Also I ran our regression test with the patch and all the tests
passed. I read README.md and the patch, and the explanation and the
patch look correct to me. I am going to push the patch.
Regards,
--
Tatsuo Ishii
SRA OSS K.K.
English: http://www.sraoss.co.jp/index_en/
Japanese:http://www.sraoss.co.jp
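The ASan report above names the teardown path (reset_connection → pool_clear_sent_message_list → pool_query_context_destroy) but the actual mechanism lives in the patch's commit message, which is not on this page. As an added illustration, not pgpool's code and not the patch, the following C program models the general shape of that class of bug: a list of "sent message" entries whose several entries may point at the same query context, torn down on connection reset. The assumption that entries can share a context is a hypothetical for the example only. With reference-counted ownership the context is freed exactly once, with the last holder; a variant that freed the context from the first entry and then touched it again from the second is precisely what an ASan build (CFLAGS like those shown above) reports as heap-use-after-free.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model (not pgpool's code) of a query context that several
 * "sent message" entries may share, and of tearing the list down on
 * connection reset without touching freed memory. */
typedef struct QueryContext
{
    char *query;            /* statement text owned by the context */
    int refcount;           /* live references held by sent-message entries */
    int *destroyed_counter; /* incremented exactly once, when really freed */
} QueryContext;

typedef struct SentMessage
{
    QueryContext *ctx;        /* reference counted, may be shared between entries */
    struct SentMessage *next;
} SentMessage;

static QueryContext *
query_context_create(const char *sql, int *destroyed_counter)
{
    QueryContext *c = calloc(1, sizeof(*c));
    size_t n = strlen(sql) + 1;
    if (c == NULL)
        abort();
    c->query = malloc(n);
    if (c->query == NULL)
        abort();
    memcpy(c->query, sql, n);
    c->refcount = 0;
    c->destroyed_counter = destroyed_counter;
    return c;
}

/* Every holder of the pointer takes a reference... */
static QueryContext *
query_context_ref(QueryContext *c)
{
    c->refcount++;
    return c;
}

/* ...and drops it here. Memory goes away only with the last reference, so a
 * second list entry pointing at the same context never reaches freed memory. */
static void
query_context_destroy(QueryContext *c)
{
    if (c == NULL)
        return;
    if (--c->refcount > 0)
        return;
    (*c->destroyed_counter)++;
    free(c->query);
    free(c);
}

static SentMessage *
sent_message_push(SentMessage *head, QueryContext *ctx)
{
    SentMessage *m = calloc(1, sizeof(*m));
    if (m == NULL)
        abort();
    m->ctx = query_context_ref(ctx);
    m->next = head;
    return m;
}

/* Release each entry's reference, free the entry, and null the head so a
 * repeated clear is a no-op. Returns the number of entries freed. */
static int
clear_sent_message_list(SentMessage **head)
{
    int freed = 0;
    SentMessage *m = *head;
    while (m != NULL)
    {
        SentMessage *next = m->next;
        query_context_destroy(m->ctx);
        m->ctx = NULL;  /* no dangling pointer survives the release */
        free(m);
        m = next;
        freed++;
    }
    *head = NULL;
    return freed;
}

/* Constructed scenario: two statements, the first referenced by two sent
 * messages (hypothetically a Parse and a Bind for the same statement), then a
 * connection reset. Returns entries freed; *contexts_destroyed receives the
 * number of contexts actually freed (expected 3 and 2). */
int
simulate_reset_connection(int *contexts_destroyed)
{
    SentMessage *list = NULL;
    QueryContext *a, *b;
    int freed;

    *contexts_destroyed = 0;
    a = query_context_create("SELECT 1", contexts_destroyed);
    b = query_context_create("SELECT 2", contexts_destroyed);

    list = sent_message_push(list, a);
    list = sent_message_push(list, a);
    list = sent_message_push(list, b);

    freed = clear_sent_message_list(&list);
    freed += clear_sent_message_list(&list); /* second clear must add nothing */
    return freed;
}

int
main(void)
{
    int destroyed = 0;
    int freed = simulate_reset_connection(&destroyed);
    printf("entries freed: %d, contexts destroyed: %d\n", freed, destroyed);
    return (freed == 3 && destroyed == 2) ? 0 : 1;
}
```

Build it the same way the mail builds pgpool (gcc -g -O1 -fsanitize=address -fno-omit-frame-pointer) and ASan stays silent; drop the refcount check in query_context_destroy and the second entry's release becomes the heap-use-after-free / double-free pattern the reproducer catches.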