Thread: ParseTzFile doesn't FreeFile on error

ParseTzFile doesn't FreeFile on error

From
Kyotaro Horiguchi
Date:
While working on some patch, I saw the following error message when a
transaction ended successfully after a failed call to
parse_and_validate_value().

The cause is ParseTzFile() returns leaving an open file descriptor
unfreed in some error cases.

This happens only in a special case when the errors are ignored, but
in principle the file descriptor should be released before exiting the
function.

I'm not sure it's worth fixing but the attached fixes that.

regards.

-- 
Kyotaro Horiguchi
NTT Open Source Software Center

Re: ParseTzFile doesn't FreeFile on error

From
Tom Lane
Date:
Kyotaro Horiguchi <horikyota.ntt@gmail.com> writes:
> The cause is ParseTzFile() returns leaving an open file descriptor
> unfreed in some error cases.
> This happens only in a special case when the errors are ignored, but
> in principle the file descriptor should be released before exiting the
> function.
> I'm not sure it's worth fixing but the attached fixes that.

I agree this is worth fixing, but adding all these gotos seems a bit
inelegant.  What do you think of the attached version?

BTW, my first thought about it was "what if one of the callees throws
elog(ERROR), eg palloc out-of-memory"?  But I think that's all right
since then we'll reach transaction abort cleanup, which won't whine
about open files.  The problem is limited to the case where no error
gets thrown.

            regards, tom lane

diff --git a/src/backend/utils/misc/tzparser.c b/src/backend/utils/misc/tzparser.c
index a69cb2d268..8f2c95f055 100644
--- a/src/backend/utils/misc/tzparser.c
+++ b/src/backend/utils/misc/tzparser.c
@@ -364,7 +364,8 @@ ParseTzFile(const char *filename, int depth,
             {
                 GUC_check_errmsg("could not read time zone file \"%s\": %m",
                                  filename);
-                return -1;
+                n = -1;
+                break;
             }
             /* else we're at EOF after all */
             break;
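Review bot: the new `n = -1; break;` in the ferror branch exits the `while` loop directly (there is no enclosing switch here), so the error branch and the "EOF after all" branch now leave the loop through the same path and only differ in whether n was set first. A short comment at the loop head saying that error sites set n = -1 and break so the cleanup below the loop always runs would document the convention that the other four sites in this patch follow.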
@@ -374,7 +375,8 @@ ParseTzFile(const char *filename, int depth,
             /* the line is too long for tzbuf */
             GUC_check_errmsg("line is too long in time zone file \"%s\", line %d",
                              filename, lineno);
-            return -1;
+            n = -1;
+            break;
         }

         /* skip over whitespace */
@@ -397,12 +399,13 @@ ParseTzFile(const char *filename, int depth,
             {
                 GUC_check_errmsg("@INCLUDE without file name in time zone file \"%s\", line %d",
                                  filename, lineno);
-                return -1;
+                n = -1;
+                break;
             }
             n = ParseTzFile(includeFile, depth + 1,
                             base, arraysize, n);
             if (n < 0)
-                return -1;
+                break;
             continue;
         }

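Review bot: `if (n < 0) break;` after the recursive ParseTzFile call keeps the negative value the nested call returned rather than forcing -1, which is fine since callers only test `< 0`; this is also the site where the fix matters most, because before the change a failure inside an @INCLUDE'd file leaked the inner file (via the inner `return -1`) and then the outer file as well.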
@@ -413,12 +416,18 @@ ParseTzFile(const char *filename, int depth,
         }

         if (!splitTzLine(filename, lineno, line, &tzentry))
-            return -1;
+        {
+            n = -1;
+            break;
+        }
         if (!validateTzEntry(&tzentry))
-            return -1;
+        {
+            n = -1;
+            break;
+        }
         n = addToArray(base, arraysize, n, &tzentry, override);
         if (n < 0)
-            return -1;
+            break;
     }

     FreeFile(tzFile);
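Review bot: the `break` after `addToArray` carries whatever negative value addToArray returned, while the splitTzLine and validateTzEntry sites above it set -1 explicitly; that is consistent as long as the function's final return (just past the visible context) hands back n unchanged. Consider a one-line comment above `FreeFile(tzFile);` stating that error paths arrive here with n < 0, so a later edit does not reintroduce an early `return -1` ahead of the cleanup.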

Re: ParseTzFile doesn't FreeFile on error

From
Kyotaro Horiguchi
Date:
At Mon, 30 May 2022 13:11:04 -0400, Tom Lane <tgl@sss.pgh.pa.us> wrote in 
> Kyotaro Horiguchi <horikyota.ntt@gmail.com> writes:
> > The cause is ParseTzFile() returns leaving an open file descriptor
> > unfreed in some error cases.
> > This happens only in a special case when the errors are ignored, but
> > in principle the file descriptor should be released before exiting the
> > function.
> > I'm not sure it's worth fixing but the attached fixes that.
> 
> I agree this is worth fixing, but adding all these gotos seems a bit
> inelegant.  What do you think of the attached version?

It is what came to my mind first. It is natural, so I'm fine with
it. The point of the "goto"s was that the repeated "n = -1; break;" looked
somewhat noisy to me in the loop.

> BTW, my first thought about it was "what if one of the callees throws
> elog(ERROR), eg palloc out-of-memory"?  But I think that's all right
> since then we'll reach transaction abort cleanup, which won't whine
> about open files.  The problem is limited to the case where no error
> gets thrown.

Right. This "issue" is not a problem unless the caller continues
without throwing an exception after the function errors out, which is
not done by the current code.

regards.

-- 
Kyotaro Horiguchi
NTT Open Source Software Center



Re: ParseTzFile doesn't FreeFile on error

From
Tom Lane
Date:
Kyotaro Horiguchi <horikyota.ntt@gmail.com> writes:
> At Mon, 30 May 2022 13:11:04 -0400, Tom Lane <tgl@sss.pgh.pa.us> wrote in 
>> BTW, my first thought about it was "what if one of the callees throws
>> elog(ERROR), eg palloc out-of-memory"?  But I think that's all right
>> since then we'll reach transaction abort cleanup, which won't whine
>> about open files.  The problem is limited to the case where no error
>> gets thrown.

> Right. This "issue" is not a problem unless the caller continues
> without throwing an exception after the function errors out, which is
> not done by the current code.

Actually the problem *is* reachable, if you intentionally break the
already-active timezone abbreviation file: newly started sessions
produce file-leak warnings after failing to apply the setting.
I concede that's not a likely scenario, but that's why I think it's
worth fixing.

            regards, tom lane
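As an added illustration of the two shapes discussed in this thread (not code from the thread or from PostgreSQL's tzparser.c), the following C sketch contrasts the early-return loop that leaks the file with the set-n-and-break form of Tom Lane's patch. tracked_open/tracked_close and the open-file counter are hypothetical stand-ins for AllocateFile/FreeFile, and the input lines are constructed.

```c
#include <stdio.h>
#include <string.h>
/* Constructed stand-in for PostgreSQL's AllocateFile/FreeFile bookkeeping:
 * counting open files makes the leak the thread describes observable. */
static int open_files = 0;
static FILE *tracked_open(const char *text)      /* hypothetical helper */
{
    FILE *f = tmpfile();                         /* ISO C temp file */
    if (!f) return NULL;
    fputs(text, f); rewind(f);                   /* load constructed text */
    open_files++;
    return f;
}
static void tracked_close(FILE *f) { fclose(f); open_files--; }
/* Before the fix: each failure path returns with the file still open. */
static int parse_leaky(const char *text)
{
    char line[64]; int n = 0;
    FILE *f = tracked_open(text);
    if (!f) return -1;
    while (fgets(line, sizeof line, f) != NULL)
    {
        if (strchr(line, ' ') == NULL)   /* "ABBREV OFFSET" expected */
            return -1;                   /* leaks f */
        n++;
    }
    tracked_close(f);
    return n;
}
/* After the fix, in the shape of the patch: set n = -1 and break, so the
 * single close after the loop runs on every path. */
static int parse_fixed(const char *text)
{
    char line[64]; int n = 0;
    FILE *f = tracked_open(text);
    if (!f) return -1;
    while (fgets(line, sizeof line, f) != NULL)
    {
        if (strchr(line, ' ') == NULL) { n = -1; break; }
        n++;
    }
    tracked_close(f);
    return n;
}
/* Number of files still open after parsing a deliberately broken file. */
static int leaked_after(int (*parse)(const char *))
{
    int before = open_files;
    parse("EST -18000\nBROKENLINE\n");   /* constructed bad input */
    return open_files - before;
}
```

The counter plays the role of the leak check that fires at transaction end in the scenario Tom describes: after the broken file is parsed once, the leaky form leaves one file open and the fixed form leaves none.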



Re: ParseTzFile doesn't FreeFile on error

From
Kyotaro Horiguchi
Date:
At Tue, 31 May 2022 14:21:28 -0400, Tom Lane <tgl@sss.pgh.pa.us> wrote in 
> Actually the problem *is* reachable, if you intentionally break the
> already-active timezone abbreviation file: newly started sessions
> produce file-leak warnings after failing to apply the setting.
> I concede that's not a likely scenario, but that's why I think it's
> worth fixing.

Ah, I see. Thanks!

regards.

-- 
Kyotaro Horiguchi
NTT Open Source Software Center