Re: Use-after-free in expand_partitioned_rtentry

On Fri, 29 Aug 2025 at 23:45, Bernd Reiß <bd_reiss@gmx.at> wrote:
> Thanks for the quick response and the review.

Thanks for the report, investigation and patch.

I've pushed and backpatched this to 15. v14 doesn't have the
RelOptInfo.live_parts field, so it didn't suffer from the issue.
Technically, 15 isn't broken either as the bms_del_member() function
in that version wouldn't pfree the set. I decided to patch 15 anyway
to keep the code the same and to avoid assuming it's ok to ignore the
return value of bms_del_member().

> This is admittedly a pretty remote edge case, but still, better safe
> than sorry.

Did you find it through code analysis or from a crash?

It would just have been a matter of time before someone hit this.

David