Participants
Andres Freund
Andres Freund
PG Bug reporting form
PG Bug reporting form
Tom Lane
Tom Lane
Attachments
Show all attachments
Thread Outline
#1PG Bug reporting formPG Bug reporting form
Jan 28, 2025
#2Andres FreundAndres Freundto PG Bug reporting form (#1)
Jan 28, 2025
#3Tom LaneTom Laneto Andres Freund (#2)
Jan 28, 2025
#4Andres FreundAndres Freundto Tom Lane (#3)
Jan 28, 2025

BUG #18785: Pointer bmr.rel, dereferenced by passing as 1st parameter to function is checked for NULL later

Started by PG Bug reporting formabout 1 year ago4 messagesbugs
Jump to latest
#1PG Bug reporting form
PG Bug reporting form
noreply@postgresql.org

The following bug has been logged on the website:

Bug reference: 18785
Logged by: Daniel Elishakov
Email address: dan-eli@mail.ru
PostgreSQL version: 16.6
Operating system: ubuntu 20.04
Description:

Hello, I suggest the following patch for this issue.

@@ -905,6 +905,8 @@ ExtendBufferedRelTo(BufferManagerRelation bmr,
bmr.smgr->smgr_cached_nblocks[fork] == InvalidBlockNumber)
&&
!smgrexists(bmr.smgr, fork))
{
+
+ Assert(bmr.rel != NULL);
LockRelationForExtension(bmr.rel, ExclusiveLock);

/* could have been closed while waiting for lock */

I think we need to check bmr.rel for NULL, because Asserts above do not
suggest bmr.rel != NULL. Moreover, it is being checked for NULL later after
being passed into function LockRelationForExtension(bmr.rel, ExclusiveLock);

#2Andres Freund
Andres Freund
andres@anarazel.de
In reply to: PG Bug reporting form (#1)
Re: BUG #18785: Pointer bmr.rel, dereferenced by passing as 1st parameter to function is checked for NULL later

Hi,

On 2025-01-28 13:58:13 +0000, PG Bug reporting form wrote:

The following bug has been logged on the website:

Bug reference: 18785
Logged by: Daniel Elishakov
Email address: dan-eli@mail.ru
PostgreSQL version: 16.6
Operating system: ubuntu 20.04
Description:

I don't think it's particularly useful to report missing assertions as bugs,
particularly not multiple bugs for basically the same issue.

Hello, I suggest the following patch for this issue.

@@ -905,6 +905,8 @@ ExtendBufferedRelTo(BufferManagerRelation bmr,
bmr.smgr->smgr_cached_nblocks[fork] == InvalidBlockNumber)
&&
!smgrexists(bmr.smgr, fork))
{
+
+ Assert(bmr.rel != NULL);
LockRelationForExtension(bmr.rel, ExclusiveLock);

/* could have been closed while waiting for lock */

I think we need to check bmr.rel for NULL, because Asserts above do not
suggest bmr.rel != NULL. Moreover, it is being checked for NULL later after
being passed into function LockRelationForExtension(bmr.rel, ExclusiveLock);

I guess it couldn't hurt to add them. It's fine for existing callers...

The specific suggested assertion seems not great, because it'll often not even
be reached, due to the file not being empty.

I think it'd be better to assert something like

/* EB_CREATE_FORK_IF_NEEDED is currently only needed with extension lock */
Assert(!(flags & EB_CREATE_FORK_IF_NEEDED) || !(flags & EB_SKIP_EXTENSION_LOCK));

/* can only acquire extension lock if rel is passed in */
Assert(bmr.rel != NULL || (flags & EB_SKIP_EXTENSION_LOCK));

Greetings,

Andres Freund

#3Tom Lane
Tom Lane
tgl@sss.pgh.pa.us
In reply to: Andres Freund (#2)
Re: BUG #18785: Pointer bmr.rel, dereferenced by passing as 1st parameter to function is checked for NULL later

Andres Freund <andres@anarazel.de> writes:

On 2025-01-28 13:58:13 +0000, PG Bug reporting form wrote:

Hello, I suggest the following patch for this issue.

@@ -905,6 +905,8 @@ ExtendBufferedRelTo(BufferManagerRelation bmr,
bmr.smgr->smgr_cached_nblocks[fork] == InvalidBlockNumber)
&&
!smgrexists(bmr.smgr, fork))
{
+
+ Assert(bmr.rel != NULL);
LockRelationForExtension(bmr.rel, ExclusiveLock);

I guess it couldn't hurt to add them. It's fine for existing callers...

Seems quite pointless really. If bmr.rel is NULL, the
LockRelationForExtension call will SIGSEGV all by itself.
Transforming that into a SIGABRT isn't moving the football much.

The actually interesting question is whether it's possible to
reach there with bmr.rel being NULL, and if so what we have to do
to avoid such a crash. Adding an Assert still doesn't help.

regards, tom lane

#4Andres Freund
Andres Freund
andres@anarazel.de
In reply to: Tom Lane (#3)
Re: BUG #18785: Pointer bmr.rel, dereferenced by passing as 1st parameter to function is checked for NULL later

Hi,

On 2025-01-28 15:04:35 -0500, Tom Lane wrote:

Andres Freund <andres@anarazel.de> writes:

On 2025-01-28 13:58:13 +0000, PG Bug reporting form wrote:

Hello, I suggest the following patch for this issue.

@@ -905,6 +905,8 @@ ExtendBufferedRelTo(BufferManagerRelation bmr,
bmr.smgr->smgr_cached_nblocks[fork] == InvalidBlockNumber)
&&
!smgrexists(bmr.smgr, fork))
{
+
+ Assert(bmr.rel != NULL);
LockRelationForExtension(bmr.rel, ExclusiveLock);

I guess it couldn't hurt to add them. It's fine for existing callers...

Seems quite pointless really. If bmr.rel is NULL, the
LockRelationForExtension call will SIGSEGV all by itself.
Transforming that into a SIGABRT isn't moving the football much.

Well, the assertions I suggested would catch the buggy code even if, for the
current call, the relation fork *does* exist. For LockRelationForExtension()
to crash would require actually reaching the block...

The actually interesting question is whether it's possible to
reach there with bmr.rel being NULL, and if so what we have to do
to avoid such a crash. Adding an Assert still doesn't help.

Pretty sure it can't be reached. The current user of bmr.rel == NULL is
recovery, where we normally don't have a relcache. That doesn't use
EB_CREATE_FORK_IF_NEEDED. The users (freespacemap, visibilitymap) of
EB_CREATE_FORK_IF_NEEDED all pass the relation in and would crash themselves
if called with a NULL rel.

Greetings,

Andres Freund

← Back to Topics