Re: BUG #15540: Use after release in ExecuteTruncateGuts - Mailing list pgsql-bugs

From PanBian
Subject Re: BUG #15540: Use after release in ExecuteTruncateGuts
Date
Msg-id 20181209005617.GA65607@bp
In response to Re: BUG #15540: Use after release in ExecuteTruncateGuts  (Tom Lane <tgl@sss.pgh.pa.us>)
Responses Re: BUG #15540: Use after release in ExecuteTruncateGuts  (Michael Paquier <michael@paquier.xyz>)
List pgsql-bugs
On Fri, Dec 07, 2018 at 11:09:05AM -0500, Tom Lane wrote:
> PG Bug reporting form <noreply@postgresql.org> writes:
> > The function ExecuteTruncateGuts drops the reference to rel via
> > relation_close when toast_relid is valid. However, after that, rel is passed
> > to pgstat_count_truncate. This may result in a use-after-release bug.
> 
> ... and, even more to the point, the truncation stats count is incorrectly
> applied to the toast table not its parent.
> 
> > Maybe,
> > rel should be re-declared on the branch that toast_relid is valid.
> 
> Yeah, seems like the right way.  Will fix.
> 
> Are you using a static analyzer to find these?  I'm curious how
> you noticed them.

Yes. I write a static analysis tool. It can find functions that release
memory or other resources. Let's call them free-like functions. With such
free-like functions, the tool then performs data flow analysis to find 
use-after-free bugs. Of course, we can feed those free-like functions to
other static analyzers such as Coverity. I believe it will work too.

Best regards,
Pan Bian

> 
>             regards, tom lane
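
The approach Pan Bian describes (a list of free-like functions, then data flow analysis for uses after release) is sketched below as an added toy example; it is neither the tool's code nor PostgreSQL's source. The statement lists are a constructed approximation of the reported path in ExecuteTruncateGuts, and the names relation_open, heap_close and the `toastrel` variable are assumptions; only pgstat_count_truncate and relation_close appear in the report itself.

```python
import re

# Free-like functions fed to the checker (constructed list; heap_close is
# assumed to be the closer used for the toast relation on the buggy path).
FREE_LIKE = {"relation_close", "heap_close"}
ASSIGN = re.compile(r"^(\w+)\s*=\s*(\w+)\((.*)\)$")   # var = fn(args)
CALL = re.compile(r"^(\w+)\((.*)\)$")                  # fn(args)

def _walk(stmts, released, findings):
    """Flow-sensitive walk; returns the set of released variables on exit.
    A nested list is a conditional block, merged as a may-analysis."""
    released = set(released)
    for s in stmts:
        if isinstance(s, list):
            released |= _walk(s, released, findings)   # either path may run
            continue
        m = ASSIGN.match(s) or CALL.match(s)
        if not m:
            continue                                   # statement not modelled
        target, fn, args = m.groups() if m.re is ASSIGN else (None, *m.groups())
        argv = [a.strip() for a in args.split(",") if a.strip()]
        for a in argv:
            if a in released:                          # read after release
                findings.append(f"use of released '{a}' in: {s}")
        if target is not None:
            released.discard(target)                   # fresh value kills the state
        elif fn in FREE_LIKE and argv:
            released.add(argv[0])                      # first argument is the resource
    return released

def find_use_after_release(stmts):
    findings = []
    _walk(stmts, set(), findings)
    return findings

# Constructed sketches of the reported control flow, not the real source.
BUGGY = [
    "rel = relation_open(relid, AccessExclusiveLock)",
    ["rel = relation_open(toast_relid, AccessExclusiveLock)",   # if toast table:
     "heap_close(rel, NoLock)"],                                # 'rel' is reused
    "pgstat_count_truncate(rel)",   # flagged: 'rel' now names the closed toast rel
]
FIXED = [
    "rel = relation_open(relid, AccessExclusiveLock)",
    ["toastrel = relation_open(toast_relid, AccessExclusiveLock)",  # own variable
     "heap_close(toastrel, NoLock)"],
    "pgstat_count_truncate(rel)",   # parent relation, still open
]
```

Because the conditional block is merged as a may-analysis, the checker reports the use even though the close happens on only one path, which is what the bug report relies on.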
