Thread: oid2name core dump
PostgreSQL 8.0.0beta5 (CVS HEAD)
Solaris 9
gcc 3.4.2

oid2name consistently dumps core:

    % oid2name -d test -f 77199
    From database "test":
    Segmentation fault (core dumped)

    (gdb) where
    #0 0xfee473ec in realfree () from /usr/lib/libc.so.1
    #1 0xfee47cec in cleanfree () from /usr/lib/libc.so.1
    #2 0xfee46e18 in _malloc_unlocked () from /usr/lib/libc.so.1

On FreeBSD 4.10-STABLE oid2name runs but prints warnings about freeing junk pointers:

    % oid2name -d test -f 173181
    From database "test":
    oid2name in free(): warning: junk pointer, too low to make sense
    oid2name in free(): warning: junk pointer, too low to make sense
    Filenode Table Name
    ----------------------
    173181 foo

The warnings are coming from these two lines (around lines 448 and 449):

    free(comma_oids);
    free(comma_tables);

Apparently the values of comma_oids and comma_tables are bogus. I haven't looked more closely yet to see why.

--
Michael Fuhr
http://www.fuhr.org/~mfuhr/
On Wed, Dec 01, 2004 at 09:41:49PM -0700, Michael Fuhr wrote:

> The warnings are coming from these two lines (around lines 448 and 449):
>
>     free(comma_oids);
>     free(comma_tables);
>
> Apparently the values of comma_oids and comma_tables are bogus.
> I haven't looked more closely yet to see why.

main() initializes my_opts->oids->num and my_opts->tables->num to 0. sql_exec_searchtables() later sets comma_oids and comma_tables with the following code:

    comma_oids = get_comma_elts(opts->oids);
    comma_tables = get_comma_elts(opts->tables);

get_comma_elts() starts with the following:

    if (eary->num == 0)
        return "";

sql_exec_searchtables() later tries to free the pointers to "". Program fall down go boom.

--
Michael Fuhr
http://www.fuhr.org/~mfuhr/
On Wed, 2004-12-01 at 21:41 -0700, Michael Fuhr wrote:

> % oid2name -d test -f 173181
> From database "test":
> oid2name in free(): warning: junk pointer, too low to make sense
> oid2name in free(): warning: junk pointer, too low to make sense
> Filenode Table Name
> ----------------------
> 173181 foo

I checked in a fix for this to HEAD; the patch is attached. I also noticed various other brokenness in oid2name (access to uninitialized variables, malloc() + sscanf() rather than strdup(), etc.), which I fixed.

Thanks for the report.

-Neil
On Thu, Dec 02, 2004 at 05:11:22PM +1100, Neil Conway wrote:

> I checked in a fix for this to HEAD; the patch is attached. I also
> noticed various other brokenness in oid2name (access to uninitialized
> variables, malloc() + sscanf() rather than strdup(), etc.), which I
> fixed.

I think they were mostly my bugs. Thanks for fixing.

--
Alvaro Herrera (<alvherre[@]dcc.uchile.cl>)
"I suspect most samba developers are already technically insane...
Of course, since many of them are Australians, you can't tell." (L. Torvalds)
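The ownership bug diagnosed in this thread, as an added example that is not oid2name's code and not the patch that was committed: the empty case returns a string literal that the caller then passes to free(), shown next to one way to make every return path heap-allocated. The `eary` layout, the quoted join format and the names `join_elts`, `get_comma_elts_buggy`, `get_comma_elts_fixed` and `build_and_release` are assumptions made for illustration.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for oid2name's list of command-line elements. */
typedef struct { int num; const char **array; } eary;

/* Join elements as 'a', 'b' into a fresh heap buffer (NULL on OOM).
 * The quoting format is an assumption for this example. */
static char *join_elts(const eary *e)
{
    size_t len = 1;                       /* terminating NUL */
    for (int i = 0; i < e->num; i++)
        len += strlen(e->array[i]) + 4;   /* two quotes, comma, space */
    char *out = malloc(len);
    if (out == NULL)
        return NULL;
    out[0] = '\0';
    for (int i = 0; i < e->num; i++) {
        if (i > 0)
            strcat(out, ", ");
        strcat(out, "'");
        strcat(out, e->array[i]);
        strcat(out, "'");
    }
    return out;
}

/* Pattern from the thread: the empty case hands back a string literal,
 * which lives in static storage; free() on it is undefined behaviour. */
char *get_comma_elts_buggy(const eary *e)
{
    if (e->num == 0)
        return "";
    return join_elts(e);
}

/* Every return path is heap memory (or NULL), so callers may always free(). */
char *get_comma_elts_fixed(const eary *e)
{
    if (e->num == 0)
        return calloc(1, 1);              /* heap-allocated "" */
    return join_elts(e);
}

/* Caller modelled on sql_exec_searchtables(): build, use, release. */
size_t build_and_release(const eary *e)
{
    char *s = get_comma_elts_fixed(e);
    size_t n = s ? strlen(s) : 0;
    free(s);                              /* safe for empty and non-empty */
    return n;
}
```

Building a caller of `get_comma_elts_buggy` with AddressSanitizer (`-fsanitize=address`) reports the free of a non-heap address on platforms where the allocator would otherwise stay silent.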