I've been tasked with a quick acceptance check of Postgres for an
upcoming project. It's a quick check, so its limited to Clang's
analyzer and sanitizers.
The analyzer is reporting some findings, and some of the findings look
legitimate.
For example, it looks like there's a double `free` occurring in
streamutil.c (around line 115). Here's a screen capture of it under
scan-view: http://postimg.org/image/3ph4hkyav/. From the capture, it
looks like `password` should be set to NULL after `free` because Clang
found a path to get back to the top of the loop (which will free
`password` again`).
There's some others of interest, too. For example, Divide by Zero and
Buffer Overflows. Here's the index.html from the scan-view report:
http://postimg.org/image/tn2ovjout/.
The scan-view tar ball is a 5.5 megabytes in size (its HTML based with
a lot of mouse over markup to help understand flows), and I'm not sure
the bug reporter will take it. Plus the developers may not want it
added to the bug reporter.
Would someone know the best way to get this to the right folks?
Thanks in advance. (And sorry reporting to pgsql-general - the
developer list states emails must go elsewhere first).
Jeff
