Re: Use-after-free crash

From: Emond Papegaaij <emond(dot)papegaaij(at)gmail(dot)com>
To: Tatsuo Ishii <ishii(at)postgresql(dot)org>
Cc: pgpool-hackers(at)lists(dot)postgresql(dot)org
Subject: Re: Use-after-free crash
Date: 2026-06-15 18:51:31
Message-ID: CAGXsc+YoUN4kUp05w7iCMJq=zbuxkaOsW-bjprLEvZP_0C4sNw@mail.gmail.com
Lists: pgpool-hackers

Hi Tatsuo,

Thanks for including this. I think Claude made a mistake cleaning up
the build files to produce a clean tarball that was not linked to my
local system. I'm glad you got it to work. I must admit Claude Code is
really impressive with its ability to troubleshoot issues like these.
In this case, all it had was a single core dump and the test scenario.
From there, it managed to find the issue, create a fix and build the
reproducer.

Best regards,
Emond

On Mon, 15 Jun 2026 at 12:07, Tatsuo Ishii <ishii(at)postgresql(dot)org> wrote:
>
> Hi Emond,
>
> >> Hi,
> >>
> >> Yesterday one of our tests detected a segmentation fault in pgpool,
> >> caused by a use-after-free. It is triggered during the shutdown of the
> >> process, so it probably isn't too harmful, but still I think it should
> >> be fixed. I've worked with Claude Code to build a patch (against 4.7)
> >> and a reproducer of the problem. The patch also contains a detailed
> >> explanation of how this crashes in the commit message. To run the
> >> reproducer:
> >> tar xzf pgpool-uaf-repro.tar.gz
> >> cd pgpool-uaf-repro
> >> PGPOOL=/path/to/their/pgpool ./reproduce.sh
> >>
> >> Best regards,
> >> Emond
> >
> > Thanks for the report. I will look into this.
>
> After reading README.md, I tried to build ASan enabled pgpool but failed:
>
> LANG=C make -C src CFLAGS="-g -O1 -fsanitize=address -fno-omit-frame-pointer \
> -Wno-format-truncation -Wno-stringop-truncation -fno-strict-aliasing" \
> LIBS="-lcrypt -lm" pgpool
> :
> :
> gcc -DHAVE_CONFIG_H -DDEFAULT_CONFIGDIR=\"/usr/local/etc\" -DPGSQL_BIN_DIR=\"/usr/local/pgsql/bin\" -I. -I../src/include -D_GNU_SOURCE -I /usr/local/pgsql/include -g -O1 -fsanitize=address -fno-omit-frame-pointer -Wno-format-truncation -Wno-stringop-truncation -fno-strict-aliasing -c -o utils/pg_prng.o utils/pg_prng.c
> make: *** No rule to make target 'parser/libsql-parser.a', needed by 'pgpool'. Stop.
> make: Leaving directory '/home/t-ishii/work/Pgpool-II/current/pgpool2/src'
>
> So I modified the src/Makefile
>
> #CFLAGS = -g -O2 -Wall -Wmissing-prototypes -Wmissing-declarations -Wno-format-truncation -Wno-stringop-truncation -fno-strict-aliasing
> CFLAGS = -g -O1 -fsanitize=address -fno-omit-frame-pointer \
> -Wmissing-prototypes -Wmissing-declarations \
> -Wno-format-truncation -Wno-stringop-truncation -fno-strict-aliasing
>
> and succeeded in building ASan enabled pgpool.
> Then run the reproducer (pgpool was installed as /usr/local/bin/pgpool)
>
> $ ./reproduce.sh
> pgpool : /usr/local/bin/pgpool
> pgpool-II version 4.8devel (mitsukakeboshi)
> pgbin : /usr/local/pgsql/bin
> postgres (PostgreSQL) 18.4
> workdir: /tmp/pgpool-uaf-kYI6hy
> --- running client ---
> session ready; firing trigger
> client done
> --- result ---
> RESULT: CRASH REPRODUCED (use-after-free / signal)
> 268:==434672==ERROR: AddressSanitizer: heap-use-after-free on address 0x51d0000215a0 at pc 0x5cdb1e84b6ab bp 0x7ffc54297120 sp 0x7ffc54297110
> 270: #0 0x5cdb1e84b6aa in pool_query_context_destroy context/pool_query_context.c:106
> 274: #4 0x5cdb1e8447e8 in pool_clear_sent_message_list context/pool_session_context.c:500
> 275: #5 0x5cdb1e7fa679 in reset_connection protocol/pool_process_query.c:1041
> 300:SUMMARY: AddressSanitizer: heap-use-after-free context/pool_query_context.c:106 in pool_query_context_destroy
> 334:2026-06-15 10:21:53.476: main pid 434668: DEBUG: child process with pid: 434672 exits with status 134 by signal 6
>
> ASan detected heap-use-after-free as expected.
>
> After the patch, no crash occurred.
>
> ./reproduce.sh
> pgpool : /usr/local/bin/pgpool
> pgpool-II version 4.8devel (mitsukakeboshi)
> pgbin : /usr/local/pgsql/bin
> postgres (PostgreSQL) 18.4
> workdir: /tmp/pgpool-uaf-XvNAWK
> --- running client ---
> session ready; firing trigger
> client done
> --- result ---
> RESULT: no crash (this is the expected outcome on a FIXED pgpool)
> 253:2026-06-15 11:59:49.821: [unknown] pid 530619: LOG: reading and processing packets
> 254:2026-06-15 11:59:49.821: [unknown] pid 530619: DETAIL: postmaster on DB node 0 was shutdown by administrative command
> 262:2026-06-15 11:59:51.319: [unknown] pid 530619: WARNING: write on backend 0 failed with error :"Connection reset by peer"
> 268:2026-06-15 11:59:51.319: [unknown] pid 530619: WARNING: write on backend 0 failed with error :"Broken pipe"
> 270:2026-06-15 11:59:51.319: [unknown] pid 530619: WARNING: write on backend 0 failed with error :"Broken pipe"
>
> Also I ran our regression test with the patch and all the tests
> passed. I read README.md and the patch, and the explanation and the
> patch look correct to me. I am going to push the patch.
>
> Regards,
> --
> Tatsuo Ishii
> SRA OSS K.K.
> English: http://www.sraoss.co.jp/index_en/
> Japanese: http://www.sraoss.co.jp
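Added illustration, not code from this thread, from pgpool or from the patch Emond posted, and not a claim about how the pgpool bug itself arises (the patch is not on this page): one common way a list-teardown use-after-free of the shape in the ASan trace above comes about, and why a quarantining allocator such as ASan's can report it instead of letting it pass. A list of sent messages shares one query context; a naive teardown destroys the context once per entry, so the second destroy touches freed memory, while a reference-counted teardown releases it exactly once. The names QueryContext, SentMessage, ctx_alloc, ctx_destroy, push_msg, build_session, teardown_naive and teardown_refcounted are hypothetical, and the session is a constructed sample. Instead of malloc/free the block uses a small static pool that marks freed slots and never reuses them, the same idea that lets ASan's quarantine and poisoned shadow memory flag a heap-use-after-free rather than silently hand the block out again; it also keeps the buggy path free of real undefined behaviour so the demo runs anywhere:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define MAX_CTX 8

/* Hypothetical analogues (illustrative names, not pgpool's) of a query context
 * and of a sent-message list entry; every message of one extended-query round
 * trip (parse, bind, execute) points at the same context. */
typedef struct QueryContext {
    char query[64];
    int  refcount;                  /* used only by the fixed teardown */
} QueryContext;
typedef struct SentMessage {
    QueryContext       *ctx;
    struct SentMessage *next;
} SentMessage;

/* Tiny quarantining pool standing in for the heap: a freed slot is marked and
 * never reused, so a later touch is detectable (the spirit of ASan's quarantine
 * and poisoned shadow). Slots are static, so reading a "freed" slot is defined
 * here; on a real heap it is not. */
static QueryContext ctx_slots[MAX_CTX];
static int ctx_state[MAX_CTX];      /* 0 = unused, 1 = live, 2 = freed */
static int uaf_reports;             /* reset by each teardown */

static QueryContext *ctx_alloc(const char *query)
{
    int i = 0;
    while (i < MAX_CTX && ctx_state[i] != 0) i++;
    if (i == MAX_CTX) abort();      /* pool exhausted; plenty for this demo */
    ctx_state[i] = 1;
    memset(&ctx_slots[i], 0, sizeof ctx_slots[i]);
    snprintf(ctx_slots[i].query, sizeof ctx_slots[i].query, "%s", query);
    return &ctx_slots[i];
}

/* Analogue of pool_query_context_destroy(): destroying an already-freed
 * context is the use-after-free, reported instead of corrupting memory. */
static void ctx_destroy(QueryContext *ctx)
{
    int i = (int)(ctx - ctx_slots);
    if (ctx_state[i] == 2) {
        uaf_reports++;
        fprintf(stderr, "ERROR: use-after-free on context %d (%s)\n", i, ctx->query);
        return;
    }
    ctx_state[i] = 2;
}

static SentMessage *push_msg(SentMessage *head, QueryContext *ctx)
{
    SentMessage *m = calloc(1, sizeof *m);
    if (!m) abort();
    m->ctx = ctx;
    m->next = head;
    ctx->refcount++;
    return m;
}

static SentMessage *build_session(void)
{
    QueryContext *ctx = ctx_alloc("SELECT 1");   /* constructed sample */
    SentMessage *head = NULL;
    for (int n = 0; n < 3; n++)
        head = push_msg(head, ctx);
    return head;
}

/* Buggy teardown: treats every message as owner of its context, so a shared
 * context is destroyed once per message. Returns the number of reports (2). */
static int teardown_naive(SentMessage *head)
{
    uaf_reports = 0;
    while (head) {
        SentMessage *next = head->next;
        ctx_destroy(head->ctx);
        free(head);
        head = next;
    }
    return uaf_reports;
}

/* Fixed teardown: release the context only with its last reference and null
 * the pointer so nothing can dereference it afterwards. Returns 0. */
static int teardown_refcounted(SentMessage *head)
{
    uaf_reports = 0;
    while (head) {
        SentMessage *next = head->next;
        if (--head->ctx->refcount == 0)
            ctx_destroy(head->ctx);
        head->ctx = NULL;
        free(head);
        head = next;
    }
    return uaf_reports;
}

int main(void)
{
    printf("naive: %d report(s)\n", teardown_naive(build_session()));
    printf("refcounted: %d report(s)\n", teardown_refcounted(build_session()));
    return 0;
}
```

Build it with the flags Tatsuo used (cc -g -O1 -fno-omit-frame-pointer -fsanitize=address) and the naive teardown reports twice while the reference-counted one stays silent; ASan itself says nothing here because the pool never really frees, so the detection is the pool's own. Swap the pool for malloc/free and the naive path becomes what ASan does catch: a second free is reported as a double-free, a read of the freed block as a heap-use-after-free with a stack of the same shape as the one quoted above.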
