Thread: [PATCH] Windows port, fix some resources leaks

On Tue, Jan 21, 2020 at 11:01:07AM -0300, Ranier Vilela wrote:
> Done.

I would recommend that you also run all the regression tests present
in the source before sending a patch.  If you don't know how to do
that, there is some documentation on the matter:
https://www.postgresql.org/docs/current/regress-run.html

If you send any patches, it is always important to make sure that
nothing you change breaks the existing coverage (on top of reading the
surrounding code and understanding its context, of course)

Hint: this crashes at initdb time.
--
Michael

On Wed, Jan 22, 2020 at 05:51:51PM -0300, Ranier Vilela wrote:
> After review the patches and build all and run regress checks for each
> patch, those are the ones that don't break.

There is some progress.  You should be careful about your patches,
as they generate compiler warnings.  Here is one quote from gcc-9:
logging.c:87:13: warning: passing argument 1 of ‘free’ discards
‘const’ qualifier from pointer target type [-Wdiscarded-qualifiers]
   87 |        free(sgr_warning);
But there are others.

    if (strcmp(name, "error") == 0)
+   {
+       free(sgr_error);
        sgr_error = strdup(value);
+   }
I don't see the point of doing that in logging.c.  pg_logging_init()
is called only once per tools, so this cannot happen.  Another point
that may matter here though is that we do not complain about OOMs.
That's really unlikely to happen, and if it happens it leads to
partially colored output.

-   NOERR();
+   if (ISERR())
+   {
+       freedfa(s);
+       return v->err;
+   }
Can you design a query where this is a problem?

    pg_log_error("could not allocate SIDs: error code %lu",
    GetLastError());
+   CloseHandle(origToken);
+   FreeLibrary(Advapi32Handle);
[...]
    pg_log_error("could not open process token: error code %lu",
    GetLastError());
+   FreeLibrary(Advapi32Handle);
    return 0;
For those two ones, it looks that you are right.  However, I think
that it would be safer to check if Advapi32Handle is NULL for both.

@@ -187,6 +190,7 @@ get_restricted_token(void)
        }
        exit(x);
    }
+   free(cmdline);
Anything allocated with pg_strdup() should be free'd with pg_free(),
that's a matter of consistency.

+++ b/src/backend/postmaster/postmaster.c
@@ -4719,6 +4719,8 @@ retry:
    if (cmdLine[sizeof(cmdLine) - 2] != '\0')
    {
        elog(LOG, "subprocess command line too long");
+       UnmapViewOfFile(param);
+       CloseHandle(paramHandle);
The three ones in postmaster.c are correct guesses.

+       if (sspictx != NULL)
+       {
+           DeleteSecurityContext(sspictx);
+           free(sspictx);
+       }
+       FreeCredentialsHandle(&sspicred);
This stuff is correctly free'd after calling AcceptSecurityContext()
in the SSPI code, but not the two other code paths.  Looks right.
Actually, for the first one, wouldn't it be better to free those
resources *before* ereport(ERROR) on ERRCODE_PROTOCOL_VIOLATION?
That's an authentication path so it does not really matter but..

    ldap_unbind(*ldap);
+   FreeLibrary(ldaphandle);
    return STATUS_ERROR;
Yep.  That's consistent to clean up.

+       if (VirtualFree(ShmemProtectiveRegion, 0, MEM_RELEASE) == 0)
+           elog(FATAL, "failed to release reserved memory region
(addr=%p): error code %lu",
+               ShmemProtectiveRegion, GetLastError());
        return false;
No, that's not right.  I think that it is possible to loop over
ShmemProtectiveRegion in some cases.  And actually, your patch is dead
wrong because this is some code called by the postmaster and it cannot
use FATAL.

> Not all leaks detected by Coverity are fixed.

Coverity is a static analyzer, it misses a lot of things tied to the
context of the code, so you need to take its suggestions with a pinch
of salt.
--
Michael

On Fri, Jan 24, 2020 at 09:37:25AM -0300, Ranier Vilela wrote:
> Em sex., 24 de jan. de 2020 às 04:13, Michael Paquier <michael@paquier.xyz>
> escreveu:
>> There is some progress.  You should be careful about your patches,
>> as they generate compiler warnings.  Here is one quote from gcc-9:
>> logging.c:87:13: warning: passing argument 1 of ‘free’ discards
>> ‘const’ qualifier from pointer target type [-Wdiscarded-qualifiers]
>>    87 |        free(sgr_warning);
>
> Well, in this cases, the solution is cast.
> free((char *) sgr_warning);

Applying blindly a cast is never a good practice.

>>     if (strcmp(name, "error") == 0)
>> +   {
>> +       free(sgr_error);
>>         sgr_error = strdup(value);
>> +   }
>> I don't see the point of doing that in logging.c.  pg_logging_init()
>> is called only once per tools, so this cannot happen.  Another point
>> that may matter here though is that we do not complain about OOMs.
>> That's really unlikely to happen, and if it happens it leads to
>> partially colored output.
>
> Coverity show the alert, because he tries all the possibilites.Is
> inside a loop.  It seems to me that the only way to happen is by the
> user, by introducing a repeated and wrong sequence.

Again, Coverity may say something that does not apply to the reality,
and sometimes it misses some spots.  Here we should be looking at
query patterns which involve a memory leak.  So I'd rather look at
that separately, and actually on a separate thread because that's not
a Windows-only code path.  If you'd look at the rest of the regex
code, I suspect that there could a couple of ramifications which have
similar problems (I haven't looked at that myself).

>> For those two ones, it looks that you are right.  However, I think
>> that it would be safer to check if Advapi32Handle is NULL for both.
>
> Michael, I did it differently and modified the function to not need to test
> NULL, I think it was better.

advapi32.dll should be present in any modern Windows platform, so
logging an error is actually fine by me instead of a warning.

I have shaved from the patch the parts which are not completely
relevant to this thread, and committed a version addressing the most
obvious leaks after doing more tests, including the changes for
restricted_token.c as of 10a5252.  Thanks.
--
Michael

On Fri, Jan 24, 2020 at 2:13 AM Michael Paquier <michael@paquier.xyz> wrote:
> No, that's not right.  I think that it is possible to loop over
> ShmemProtectiveRegion in some cases.  And actually, your patch is dead
> wrong because this is some code called by the postmaster and it cannot
> use FATAL.

Uh, really? I am not aware of such a rule.

-- 
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company

On 2020-Jan-28, Robert Haas wrote:

> On Fri, Jan 24, 2020 at 2:13 AM Michael Paquier <michael@paquier.xyz> wrote:
> > No, that's not right.  I think that it is possible to loop over
> > ShmemProtectiveRegion in some cases.  And actually, your patch is dead
> > wrong because this is some code called by the postmaster and it cannot
> > use FATAL.
> 
> Uh, really? I am not aware of such a rule.

I don't think we have ever expressed it as such, but certainly we prefer
postmaster to be super robust ... rather live with a some hundred bytes
leak rather than have it die and take the whole database service down
for what's essentially a fringe bug that has bothered no one in a decade
and a half.

-- 
Álvaro Herrera                https://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services

On Tue, Jan 28, 2020 at 4:06 PM Alvaro Herrera <alvherre@2ndquadrant.com> wrote:
> I don't think we have ever expressed it as such, but certainly we prefer
> postmaster to be super robust ... rather live with a some hundred bytes
> leak rather than have it die and take the whole database service down
> for what's essentially a fringe bug that has bothered no one in a decade
> and a half.

Well, yeah. I mean, I'm not saying it's a good idea in this instance
to FATAL here. I'm just saying that I don't think there is a general
rule that code which does FATAL in the postmaster is automatically
wrong, which is what I took Michael to be suggesting.

-- 
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company

On Tue, Jan 28, 2020 at 04:11:47PM -0500, Robert Haas wrote:
> On Tue, Jan 28, 2020 at 4:06 PM Alvaro Herrera <alvherre@2ndquadrant.com> wrote:
>> I don't think we have ever expressed it as such, but certainly we prefer
>> postmaster to be super robust ... rather live with a some hundred bytes
>> leak rather than have it die and take the whole database service down
>> for what's essentially a fringe bug that has bothered no one in a decade
>> and a half.
>
> Well, yeah. I mean, I'm not saying it's a good idea in this instance
> to FATAL here. I'm just saying that I don't think there is a general
> rule that code which does FATAL in the postmaster is automatically
> wrong, which is what I took Michael to be suggesting.

Re-reading the thread, I can see your point that my previous email may
read like a rule applying to the postmaster, so sorry for the
confusion.

Anyway, I was referring to the point mentioned in three places of
pgwin32_ReserveSharedMemoryRegion() to not use FATAL for this
routine.  The issue with the order of DLL loading is hard to miss..
--
Michael