NotificationsYou must be signed in to change notification settings
Fork6
Star31

Commit8e5eef5

committed

Fix dereference of dangling pointer in GiST index buffering build.

gistBuildCallback tried to fetch the size of an index tuple thatmight have already been freed by gistProcessEmptyingQueue.While this seems to usually be harmless in production builds,in principle it could result in a SIGSEGV, or more likely a bogusvalue for indtuplesSize leading to poor page-split decisions laterin the build.The memory management here is confusing and could stand to berefactored, but for the moment it seems to be enough to fetchthe tuple size sooner. AFAICT the indtuples[Size] totals aren'tused in between these places; even if they were, the updatedvalues shouldn't be any worse to use. So just move theincrementing of the totals up.It's not very clear why our valgrind-using buildfarm animalshaven't noticed this problem, because the relevant code pathdoes seem to be exercised according to the code coverage report.I think the reason that we didn't fix this bug after the firstreport is that I'd wanted to try to understand that better.However, now that it's been re-discovered let's just be pragmaticand fix it already.Original report by Alexander Lakhin (bug #16329),later rediscovered by Egor Chindyaskin (bug #17874).Patch by Alexander Lakhin (commentary by Pavel Borisov and me).Back-patch to all supported branches.Discussion:https://postgr.es/m/16329-7a6aa9b6fa1118a1@postgresql.orgDiscussion:https://postgr.es/m/17874-63ca6c7ce42d2103@postgresql.org

1 parent3aa9613 commit8e5eef5Copy full SHA for 8e5eef5

File tree

1 file changed

+13

-4

lines changed

src/backend/access/gist
- gistbuild.c

1 file changed

+13

-4

lines changed

`‎src/backend/access/gist/gistbuild.c`

Lines changed: 13 additions & 4 deletions

Original file line number	Diff line number	Diff line change
`@@ -901,6 +901,19 @@ gistBuildCallback(Relation index,`
`901`	`901`	`true);`
`902`	`902`	`itup->t_tid=*tid;`
`903`	`903`
	`904`	`+/* Update tuple count and total size. */`
	`905`	`+buildstate->indtuples+=1;`
	`906`	`+buildstate->indtuplesSize+=IndexTupleSize(itup);`
	`907`	`+`
	`908`	`+/*`
	`909`	`+ * XXX In buffering builds, the tempCxt is also reset down inside`
	`910`	`+ * gistProcessEmptyingQueue(). This is not great because it risks`
	`911`	`+ * confusion and possible use of dangling pointers (for example, itup`
	`912`	`+ * might be already freed when control returns here). It's generally`
	`913`	`+ * better that a memory context be "owned" by only one function. However,`
	`914`	`+ * currently this isn't causing issues so it doesn't seem worth the amount`
	`915`	`+ * of refactoring that would be needed to avoid it.`
	`916`	`+ */`
`904`	`917`	`if (buildstate->buildMode==GIST_BUFFERING_ACTIVE)`
`905`	`918`	`{`
`906`	`919`	`/* We have buffers, so use them. */`
`@@ -916,10 +929,6 @@ gistBuildCallback(Relation index,`
`916`	`929`	`buildstate->giststate,buildstate->heaprel, true);`
`917`	`930`	`}`
`918`	`931`
`919`		`-/* Update tuple count and total size. */`
`920`		`-buildstate->indtuples+=1;`
`921`		`-buildstate->indtuplesSize+=IndexTupleSize(itup);`
`922`		`-`
`923`	`932`	`MemoryContextSwitchTo(oldCtx);`
`924`	`933`	`MemoryContextReset(buildstate->giststate->tempCxt);`
`925`	`934`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit8e5eef5

File tree

1 file changed

1 file changed

`‎src/backend/access/gist/gistbuild.c`

0 commit comments