PostgreSQL Bugs

Collected from the PG bugs email list.

Bug ID:      15540
PG Version:  11.1
OS:          Linux
Opened:      2018-12-07 10:34:28+00
Reported by: Pan Bian
Status:      Open

Body of first available message related to this bug follows.

The following bug has been logged on the website:

Bug reference:      15540
Logged by:          Pan Bian
Email address:      (redacted)
PostgreSQL version: 11.1
Operating system:   Linux
Description:        

File: src/backend/commands/tablecmds.c
Function: ExecuteTruncateGuts
Issue details:
The function ExecuteTruncateGuts drops the reference to rel via
relation_close when toast_relid is valid. However, after that, rel is passed
to pgstat_count_truncate. This may result in a use-after-release bug. Maybe
rel should be re-declared on the branch where toast_relid is valid.

For your convenience, I copy-and-paste related code as follows:

void
ExecuteTruncateGuts(List *explicit_rels, List *relids, List *relids_logged,
                    DropBehavior behavior, bool restart_seqs)
{
    ...
    foreach(cell, rels)
    {
        Relation    rel = (Relation) lfirst(cell);
        ...
        if (rel->rd_createSubid == mySubid ||
            rel->rd_newRelfilenodeSubid == mySubid)
        {
            /* Immediate, non-rollbackable truncation is OK */
            heap_truncate_one_rel(rel);
        }
        else
        {
            Oid         heap_relid;
            Oid         toast_relid;
            ...
            toast_relid = rel->rd_rel->reltoastrelid;

            /*
             * The same for the toast table, if any.
             */
            if (OidIsValid(toast_relid))
            {
                rel = relation_open(toast_relid, AccessExclusiveLock);  //### open a relation
                RelationSetNewRelfilenode(rel, rel->rd_rel->relpersistence,
                                          RecentXmin, minmulti);
                if (rel->rd_rel->relpersistence == RELPERSISTENCE_UNLOGGED)
                    heap_create_init_fork(rel);
                heap_close(rel, NoLock);   //### release the relation
            }

            /*
             * Reconstruct the indexes to match, and we're done.
             */
            reindex_relation(heap_relid, REINDEX_REL_PROCESS_TOAST, 0);
        }

        pgstat_count_truncate(rel);   //### the released relation is used again
    }
}

Thank you,
Pan Bian
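
The pattern described in the report above, as an added example that is not part of the original message and is not PostgreSQL code: a toy reference-counted cache in which reusing the loop variable for the toast handle makes the later statistics call operate on a released entry, next to the variant that keeps the toast handle in its own variable. Rel, rel_open, rel_close, count_truncate and the sample OIDs are hypothetical stand-ins.

```c
#include <stddef.h>
#include <stdio.h>

/* Toy stand-in for a relation cache entry; all names here are hypothetical. */
typedef struct Rel {
    unsigned id, toast_id;   /* relation OID; OID of its toast relation, 0 if none */
    int refcnt, truncates;   /* references held by callers; statistics counter */
} Rel;
static Rel cache[] = { {100, 200, 0, 0}, {200, 0, 0, 0} };   /* constructed sample */

static Rel *rel_open(unsigned id) {      /* callers below pass only known ids */
    for (size_t i = 0; i < sizeof cache / sizeof cache[0]; i++)
        if (cache[i].id == id) { cache[i].refcnt++; return &cache[i]; }
    return NULL;
}
static void rel_close(Rel *r) { r->refcnt--; }

/* Returns 0 on success, -1 if the handle is used without a reference held. */
static int count_truncate(Rel *r) {
    return r->refcnt > 0 ? (r->truncates++, 0) : -1;
}

/* Pattern from the report: rel is overwritten with the toast handle. */
int truncate_reusing_rel(unsigned id) {
    Rel *rel = rel_open(id), *heap = rel;
    if (rel->toast_id != 0) {
        rel = rel_open(rel->toast_id);
        rel_close(rel);                  /* toast reference dropped here */
    }
    int rc = count_truncate(rel);        /* rel names the released toast entry */
    rel_close(heap);
    return rc;
}

/* Separate variable for the toast handle, along the lines the reporter suggests. */
int truncate_separate_var(unsigned id) {
    Rel *rel = rel_open(id);
    if (rel->toast_id != 0) {
        Rel *toastrel = rel_open(rel->toast_id);
        rel_close(toastrel);
    }
    int rc = count_truncate(rel);        /* still the referenced heap relation */
    rel_close(rel);
    return rc;
}
int main(void) {
    int bad = truncate_reusing_rel(100), good = truncate_separate_var(100);
    return printf("%d %d\n", bad, good) < 0;
}
```

In the first variant the counter is also aimed at the wrong entry: even if the released handle were still usable, the truncation would be attributed to the toast relation rather than the heap.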

Messages

Date                    Author                 Subject
2018-12-07 10:34:28+00  PG Bug reporting form  BUG #15540: Use after release in ExecuteTruncateGuts
2018-12-07 16:09:05+00  Tom Lane               Re: BUG #15540: Use after release in ExecuteTruncateGuts
2018-12-07 17:22:46+00  Alvaro Herrera         Re: BUG #15540: Use after release in ExecuteTruncateGuts
2018-12-09 00:56:17+00  PanBian                Re: BUG #15540: Use after release in ExecuteTruncateGuts
2018-12-09 02:20:24+00  Michael Paquier        Re: BUG #15540: Use after release in ExecuteTruncateGuts