On Fri, Dec 07, 2018 at 11:09:05AM -0500, Tom Lane wrote:
> PG Bug reporting form <noreply@postgresql.org> writes:
> > The function ExecuteTruncateGuts drops the reference to rel via
> > relation_close when toast_relid is valid. However, after that, rel is passed
> > to pgstat_count_truncate. This may result in a use-after-release bug.
>
> ... and, even more to the point, the truncation stats count is incorrectly
> applied to the toast table not its parent.
>
> > Maybe,
> > rel should be re-declared on the branch that toast_relid is valid.
>
> Yeah, seems like the right way. Will fix.
>
> Are you using a static analyzer to find these? I'm curious how
> you noticed them.
Yes. I write a static analysis tool. It can find functions that release
memory or other resources. Let's call them free-like functions. With such
free-like functions, the tool then performs data flow analysis to find
use-after-free bugs. Of course, we can feed those free-like functions to
other static analyzers such as Coverity. I believe it will work too.
Best regards,
Pan Bian
>
> regards, tom lane
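The bug shape discussed in the quoted report, as an added C example that is not PostgreSQL's own code: a constructed reference-counted stand-in for the relcache shows the buggy pattern (`rel` rebound to the toast relation, closed, then passed to the stats call, so the stale pointer is used and the count lands on the toast table) beside the fix Tom Lane describes (a separate variable for the toast relation). The names relation_open, relation_close, truncate_storage and TruncateOutcome are simplified stand-ins, not the real API.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-in for relcache entries: a parent heap table and its TOAST table. */
typedef unsigned int Oid;
typedef struct { Oid oid; Oid toast_relid; int refcnt; } RelationData;
typedef RelationData *Relation;
static RelationData rels[2] = { { 1000, 1001, 0 },   /* parent table      */
                                { 1001, 0, 0 } };    /* its TOAST table   */

/* open pins the entry (refcnt++); close releases it; refcnt 0 means "released". */
static Relation relation_open(Oid oid) { Relation r = (oid == rels[0].oid) ? &rels[0] : &rels[1]; r->refcnt++; return r; }
static void relation_close(Relation r) { assert(r->refcnt > 0); r->refcnt--; }
static void truncate_storage(Relation r) { (void)r; }   /* placeholder for the actual truncation */

typedef struct { bool stale_rel; Oid counted_against; } TruncateOutcome;

/* Stats hook: reports whether it was handed an already-released relation, and which table it counted. */
static TruncateOutcome pgstat_count_truncate(Relation r) {
    TruncateOutcome o = { r->refcnt == 0, r->oid };
    return o;
}

/* Buggy shape: `rel` is rebound to the toast relation, released, then still used. */
TruncateOutcome truncate_buggy(Oid relid) {
    Relation rel = relation_open(relid);
    Oid toast_relid = rel->toast_relid;
    truncate_storage(rel);
    if (toast_relid != 0) {
        rel = relation_open(toast_relid);   /* parent pointer is lost (and its pin leaked) */
        truncate_storage(rel);
        relation_close(rel);                /* toast entry released ... */
    }
    return pgstat_count_truncate(rel);      /* ... but used here, and it is the wrong table */
}

/* Fixed shape: the toast relation gets its own variable, so `rel` stays the pinned parent. */
TruncateOutcome truncate_fixed(Oid relid) {
    Relation rel = relation_open(relid);
    Oid toast_relid = rel->toast_relid;
    truncate_storage(rel);
    if (toast_relid != 0) {
        Relation toastrel = relation_open(toast_relid);
        truncate_storage(toastrel);
        relation_close(toastrel);
    }
    TruncateOutcome o = pgstat_count_truncate(rel);   /* parent, still pinned */
    relation_close(rel);
    return o;
}

int main(void) {
    TruncateOutcome bad = truncate_buggy(1000), good = truncate_fixed(1000);
    printf("buggy: stale=%d oid=%u\nfixed: stale=%d oid=%u\n",
           bad.stale_rel, bad.counted_against, good.stale_rel, good.counted_against);
    return 0;
}
```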