BUG #19366: heap-use-after-free in pgaio_io_reclaim() detected with RELCACHE_FORCE_RELEASE - Mailing list pgsql-bugs
| From | PG Bug reporting form |
|---|---|
| Subject | BUG #19366: heap-use-after-free in pgaio_io_reclaim() detected with RELCACHE_FORCE_RELEASE |
| Date | |
| Msg-id | 19366-4a38d4dd8e5deac9@postgresql.org |
| List | pgsql-bugs |
The following bug has been logged on the website:
Bug reference: 19366
Logged by: Alexander Lakhin
Email address: exclusion@gmail.com
PostgreSQL version: 18.1
Operating system: Ubuntu 24.04
Description:
The following build:
```
CC=gcc-14 CFLAGS='-O0 -fsanitize=address -fsanitize=undefined -fno-sanitize-recover -static-libasan -static-libubsan -DRELCACHE_FORCE_RELEASE' ./configure -q --enable-debug --enable-cassert --enable-tap-tests --with-liburing && make -s -j12
```
fails on 027_stream_regress.pl when executed as below:
```
echo "io_method = io_uring" >/tmp/temp.config
PROVE_TESTS="t/027*" TEMP_CONFIG=/tmp/temp.config make -s check -C src/test/recovery/
# +++ tap check in src/test/recovery +++
t/027_stream_regress.pl .. 2/?
# Failed test 'regression tests pass'
# at t/027_stream_regress.pl line 112.
# got: '256'
# expected: '0'
```
=================================================================
==1414701==ERROR: AddressSanitizer: heap-use-after-free on address
0x52d000160a10 at pc 0x6315765530f4 bp 0x7fff3a67b6d0 sp 0x7fff3a67b6c0
WRITE of size 8 at 0x52d000160a10 thread T0
#0 0x6315765530f3 in pgaio_io_reclaim
.../src/backend/storage/aio/aio.c:698
#1 0x6315765523dd in pgaio_io_process_completion
.../src/backend/storage/aio/aio.c:549
#2 0x631576565329 in pgaio_uring_drain_locked
.../src/backend/storage/aio/method_io_uring.c:568
#3 0x631576565c83 in pgaio_uring_wait_one
.../src/backend/storage/aio/method_io_uring.c:647
#4 0x631576552a68 in pgaio_io_wait .../src/backend/storage/aio/aio.c:622
#5 0x6315765568ad in pgaio_closing_fd
.../src/backend/storage/aio/aio.c:1279
#6 0x6315765bf4dc in FileClose .../src/backend/storage/file/fd.c:1975
#7 0x6315766d8285 in mdclose .../src/backend/storage/smgr/md.c:726
#8 0x6315766e3264 in smgrrelease .../src/backend/storage/smgr/smgr.c:356
#9 0x6315766e34af in smgrclose .../src/backend/storage/smgr/smgr.c:376
#10 0x631576ee2edb in RelationCloseSmgr
../../../../src/include/utils/rel.h:597
#11 0x631576efae6e in RelationInvalidateRelation
.../src/backend/utils/cache/relcache.c:2527
#12 0x631576efb3f8 in RelationClearRelation
.../src/backend/utils/cache/relcache.c:2560
#13 0x631576ef7582 in RelationCloseCleanup
.../src/backend/utils/cache/relcache.c:2251
#14 0x631576f247bf in ResOwnerReleaseRelation
.../src/backend/utils/cache/relcache.c:6994
#15 0x63157709849e in ResourceOwnerReleaseAll
.../src/backend/utils/resowner/resowner.c:395
#16 0x63157709b177 in ResourceOwnerReleaseInternal
.../src/backend/utils/resowner/resowner.c:734
#17 0x63157709ad9d in ResourceOwnerReleaseInternal
.../src/backend/utils/resowner/resowner.c:687
#18 0x63157709ace5 in ResourceOwnerRelease
.../src/backend/utils/resowner/resowner.c:661
#19 0x631574fd4ac1 in AbortTransaction
.../src/backend/access/transam/xact.c:2987
#20 0x631574fd7da2 in AbortCurrentTransactionInternal
.../src/backend/access/transam/xact.c:3524
#21 0x631574fd7b75 in AbortCurrentTransaction
.../src/backend/access/transam/xact.c:3478
#22 0x63157670bd59 in PostgresMain .../src/backend/tcop/postgres.c:4458
#23 0x6315766edc9a in BackendMain
.../src/backend/tcop/backend_startup.c:124
#24 0x63157626c165 in postmaster_child_launch
.../src/backend/postmaster/launch_backend.c:268
#25 0x63157627db5b in BackendStartup
.../src/backend/postmaster/postmaster.c:3598
#26 0x631576277dc9 in ServerLoop
.../src/backend/postmaster/postmaster.c:1713
#27 0x631576276827 in PostmasterMain
.../src/backend/postmaster/postmaster.c:1403
#28 0x631575b643ef in main .../src/backend/main/main.c:231
#29 0x7a0f4722a1c9 in __libc_start_call_main
../sysdeps/nptl/libc_start_call_main.h:58
#30 0x7a0f4722a28a in __libc_start_main_impl ../csu/libc-start.c:360
#31 0x6315749f5cf4 in _start
(.../tmp_install/usr/local/pgsql/bin/postgres+0x3437cf4) (BuildId:
fb9da6221fd034ea4004b34de480b536444e54b6)
0x52d000160a10 is located 9744 bytes inside of 32768-byte region
[0x52d00015e400,0x52d000166400)
freed by thread T0 here:
#0 0x631574ab6aa8 in free.part.0
(.../tmp_install/usr/local/pgsql/bin/postgres+0x34f8aa8) (BuildId:
fb9da6221fd034ea4004b34de480b536444e54b6)
#1 0x63157703cd29 in AllocSetReset .../src/backend/utils/mmgr/aset.c:607
#2 0x631577078a30 in MemoryContextResetOnly
.../src/backend/utils/mmgr/mcxt.c:439
#3 0x63157703d2dd in AllocSetDelete
.../src/backend/utils/mmgr/aset.c:663
#4 0x631577079396 in MemoryContextDeleteOnly
.../src/backend/utils/mmgr/mcxt.c:546
#5 0x631577078fa4 in MemoryContextDelete
.../src/backend/utils/mmgr/mcxt.c:500
#6 0x631577079573 in MemoryContextDeleteChildren
.../src/backend/utils/mmgr/mcxt.c:564
#7 0x631577087a28 in AtAbort_Portals
.../src/backend/utils/mmgr/portalmem.c:849
#8 0x631574fd496f in AbortTransaction
.../src/backend/access/transam/xact.c:2939
#9 0x631574fd7da2 in AbortCurrentTransactionInternal
.../src/backend/access/transam/xact.c:3524
#10 0x631574fd7b75 in AbortCurrentTransaction
.../src/backend/access/transam/xact.c:3478
#11 0x63157670bd59 in PostgresMain .../src/backend/tcop/postgres.c:4458
#12 0x6315766edc9a in BackendMain
.../src/backend/tcop/backend_startup.c:124
#13 0x63157626c165 in postmaster_child_launch
.../src/backend/postmaster/launch_backend.c:268
#14 0x63157627db5b in BackendStartup
.../src/backend/postmaster/postmaster.c:3598
#15 0x631576277dc9 in ServerLoop
.../src/backend/postmaster/postmaster.c:1713
#16 0x631576276827 in PostmasterMain
.../src/backend/postmaster/postmaster.c:1403
#17 0x631575b643ef in main .../src/backend/main/main.c:231
#18 0x7a0f4722a1c9 in __libc_start_call_main
../sysdeps/nptl/libc_start_call_main.h:58
#19 0x7a0f4722a28a in __libc_start_main_impl ../csu/libc-start.c:360
#20 0x6315749f5cf4 in _start
(.../tmp_install/usr/local/pgsql/bin/postgres+0x3437cf4) (BuildId:
fb9da6221fd034ea4004b34de480b536444e54b6)
previously allocated by thread T0 here:
#0 0x631574ab7f97 in malloc
(.../tmp_install/usr/local/pgsql/bin/postgres+0x34f9f97) (BuildId:
fb9da6221fd034ea4004b34de480b536444e54b6)
#1 0x63157703f3fe in AllocSetAllocFromNewBlock
.../src/backend/utils/mmgr/aset.c:952
#2 0x63157704019e in AllocSetAlloc
.../src/backend/utils/mmgr/aset.c:1098
#3 0x63157708047b in palloc .../src/backend/utils/mmgr/mcxt.c:1408
#4 0x6315757f4265 in ExprEvalPushStep
.../src/backend/executor/execExpr.c:2676
#5 0x6315757f76a6 in ExecPushExprSetupSteps
.../src/backend/executor/execExpr.c:2930
#6 0x6315757f6e7b in ExecCreateExprSetupSteps
.../src/backend/executor/execExpr.c:2882
#7 0x6315757db00e in ExecInitQual
.../src/backend/executor/execExpr.c:250
#8 0x6315759e7d9c in ExecInitIndexScan
.../src/backend/executor/nodeIndexscan.c:960
#9 0x6315758c4c1d in ExecInitNode
.../src/backend/executor/execProcnode.c:220
#10 0x631575a56682 in ExecInitNestLoop
.../src/backend/executor/nodeNestloop.c:301
#11 0x6315758c4ea2 in ExecInitNode
.../src/backend/executor/execProcnode.c:298
#12 0x631575941611 in ExecInitAgg
.../src/backend/executor/nodeAgg.c:3410
#13 0x6315758c4ffa in ExecInitNode
.../src/backend/executor/execProcnode.c:341
#14 0x631575881130 in InitPlan .../src/backend/executor/execMain.c:987
#15 0x63157587b573 in standard_ExecutorStart
.../src/backend/executor/execMain.c:261
#16 0x7a0f422d5cc4 in pgss_ExecutorStart
.../contrib/pg_stat_statements/pg_stat_statements.c:1007
#17 0x63157587a137 in ExecutorStart
.../src/backend/executor/execMain.c:135
#18 0x631576712c58 in PortalStart .../src/backend/tcop/pquery.c:513
#19 0x6315766fcfff in exec_simple_query
.../src/backend/tcop/postgres.c:1240
#20 0x63157670ce7f in PostgresMain .../src/backend/tcop/postgres.c:4775
#21 0x6315766edc9a in BackendMain
.../src/backend/tcop/backend_startup.c:124
#22 0x63157626c165 in postmaster_child_launch
.../src/backend/postmaster/launch_backend.c:268
#23 0x63157627db5b in BackendStartup
.../src/backend/postmaster/postmaster.c:3598
#24 0x631576277dc9 in ServerLoop
.../src/backend/postmaster/postmaster.c:1713
#25 0x631576276827 in PostmasterMain
.../src/backend/postmaster/postmaster.c:1403
#26 0x631575b643ef in main .../src/backend/main/main.c:231
#27 0x7a0f4722a1c9 in __libc_start_call_main
../sysdeps/nptl/libc_start_call_main.h:58
#28 0x7a0f4722a28a in __libc_start_main_impl ../csu/libc-start.c:360
#29 0x6315749f5cf4 in _start
(.../tmp_install/usr/local/pgsql/bin/postgres+0x3437cf4) (BuildId:
fb9da6221fd034ea4004b34de480b536444e54b6)
SUMMARY: AddressSanitizer: heap-use-after-free
.../src/backend/storage/aio/aio.c:698 in pgaio_io_reclaim
...
==1414701==ABORTING
2025-12-29 07:26:28.626 EET postmaster[1406872] LOG: client backend (PID
1414701) was terminated by signal 6: Aborted
2025-12-29 07:26:28.626 EET postmaster[1406872] DETAIL: Failed process was
running: select max(histogram_bounds) from pg_stats where tablename =
'pg_am';
(this stacktrace is from the master branch)
Reproduced starting from 12ce89fd0.