Re: Report a potential bug caused by a improper call to pfree()
| From | Julien Rouhaud |
|---|---|
| Subject | Re: Report a potential bug caused by a improper call to pfree() |
| Date | |
| Msg-id | 20220130133624.gmxsaxfvkbg4rz7y@jrouhaud |
| In reply to | Report a potential bug caused by a improper call to pfree() (wliang@stu.xidian.edu.cn) |
| Responses | Re: Report a potential bug caused by a improper call to pfree() |
| List | pgsql-bugs |
Hi,

On Sun, Jan 30, 2022 at 10:47:18AM +0800, wliang@stu.xidian.edu.cn wrote:
>
> I find a potential bug caused by an improper call to pfree in PostgreSQL 14.1, which is in backend/utils/adt/jsonb_gin.c
>
> Specifically, at line 1116, the pointer 'stack' is assigned with the address of a local variable 'tail'.
> At line 1163, pfree() is called to free 'stack'. However, pfree is designed to free the memory in heap rather than stack.
>
> 1158 case WJB_END_ARRAY:
> 1159 case WJB_END_OBJECT:
> 1160 /* Pop the stack */
> 1161 parent = stack->parent;
> 1162 pfree(stack);
>
> I think it may be a potential bug and can be fixed without any side-effect as:
>
>
> ++ if (stack != &tail)
> 1162 pfree(stack);

I don't think it's necessary, it should be guaranteed that something has been pushed on the tail, ie. there shouldn't be a WJB_END_* before a corresponding begin.

Note that the tail also can't have a parent, so even if that scenario could happen, it would crash in the previous instruction anyway, trying to dereference a NULL pointer.
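As an added illustration of the invariant discussed in this exchange (this is not PostgreSQL's code and not code from either poster): a constructed C model of the push/pop loop in which the bottom of the stack is a local `tail`, every BEGIN event pushes a heap-allocated node and every END event pops and frees one. The event names, `replay_stack` and `balanced_demo` are assumptions of the model; `malloc`/`free` stand in for `palloc`/`pfree`. The pop path carries the guard proposed in the report and reports when it fires, so one can check on constructed event streams that a balanced stream never reaches it.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-ins for the iterator tokens (WJB_BEGIN_*, WJB_END_*). */
typedef enum { EV_BEGIN, EV_VALUE, EV_END, EV_DONE } Event;

/* Same shape as the stack node discussed in the report: a parent link
 * plus a per-level hash. */
typedef struct PathHashStack {
    unsigned hash;
    struct PathHashStack *parent;
} PathHashStack;

/* Replay a constructed event stream against a stack whose bottom node
 * `tail` lives on the C stack, as in the reported code. Returns the number
 * of heap nodes freed; -1 if an END arrives while only `tail` is left
 * (the case the proposed `if (stack != &tail)` guard protects against);
 * -2 if the stream ends with levels still pushed. */
int replay_stack(const Event *events, int n, int *max_depth)
{
    PathHashStack tail;
    PathHashStack *stack = &tail;
    PathHashStack *parent;
    int depth = 0, freed = 0;

    tail.parent = NULL;
    tail.hash = 0;
    if (max_depth) *max_depth = 0;

    for (int i = 0; i < n; i++) {
        switch (events[i]) {
        case EV_BEGIN:
            /* Push a stack level: the pushed node is always heap memory. */
            parent = stack;
            stack = malloc(sizeof(PathHashStack));      /* palloc() in PostgreSQL */
            if (!stack) abort();
            stack->parent = parent;
            stack->hash = parent->hash * 31u + (unsigned) depth;
            depth++;
            if (max_depth && depth > *max_depth) *max_depth = depth;
            break;
        case EV_VALUE:
            /* Leaf: nothing is pushed or popped. */
            break;
        case EV_END:
            /* Pop the stack. Without the guard this would be free(&tail). */
            if (stack == &tail)
                return -1;
            parent = stack->parent;
            free(stack);                                /* pfree() in PostgreSQL */
            stack = parent;
            depth--;
            freed++;
            break;
        case EV_DONE:
            goto done;
        }
    }
done:
    /* Release anything still pushed so the model does not leak, and report it. */
    if (stack != &tail) {
        while (stack != &tail) {
            parent = stack->parent;
            free(stack);
            stack = parent;
        }
        return -2;
    }
    return freed;
}

/* A balanced stream, as an iterator yields for nested containers such as
 * {"a":[1,{"b":2}]}: every END is preceded by its own BEGIN. */
int balanced_demo(int *max_depth)
{
    static const Event ev[] = {
        EV_BEGIN, EV_BEGIN, EV_VALUE, EV_BEGIN, EV_VALUE,
        EV_END, EV_END, EV_END, EV_DONE
    };
    return replay_stack(ev, (int) (sizeof ev / sizeof ev[0]), max_depth);
}

int main(void)
{
    int depth = 0;
    int freed = balanced_demo(&depth);
    printf("balanced stream: freed %d heap nodes, max depth %d\n", freed, depth);

    Event unbalanced[] = { EV_BEGIN, EV_END, EV_END };
    printf("extra END: replay returned %d\n", replay_stack(unbalanced, 3, NULL));
    return 0;
}
```

Under the invariant stated in the reply (no WJB_END_* before its corresponding begin) the `stack == &tail` branch is unreachable, which is why the guard changes nothing for well-formed iterator output; the model only lets you confirm that on streams you construct, including a deliberately unbalanced one.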