Re: BUG #15540: Use after release in ExecuteTruncateGuts

On Fri, Dec 07, 2018 at 11:09:05AM -0500, Tom Lane wrote:
> =?utf-8?q?PG_Bug_reporting_form?= <noreply@postgresql.org> writes:
> > The function ExecuteTruncateGuts drops the reference to rel via
> > relation_close when toast_relid is valid. However, after that, rel is passed
> > to pgstat_count_truncate. This may result in a use-after-release bug.
> 
> ... and, even more to the point, the truncation stats count is incorrectly
> applied to the toast table not its parent.
> 
> > Maybe,
> > rel should be re-declared on the branch that toast_relid is valid.
> 
> Yeah, seems like the right way.  Will fix.
> 
> Are you using a static analyzer to find these?  I'm curious how
> you noticed them.

Yes. I write a static analysis tool. It can find functions that release
memory or other resources. Let's call them free-like functions. With such
free-like functions, the tool then performs data flow analysis to find 
use-after-free bugs. Of course, we can feed those free-like functions to
other static analyzers such as Coverity. I believe it will work too.

Best regards,
Pan Bian

> 
>             regards, tom lane