| From: | Andres Freund <andres(at)anarazel(dot)de> |
|---|---|
| To: | pgsql-hackers(at)postgresql(dot)org |
| Subject: | hash_create(nelem = 0) does invalid memory accesses |
| Date: | 2016-09-27 23:24:49 |
| Message-ID: | 20160927232449.m4xm4kvkgyiqmx53@alap3.anarazel.de |
| Lists: | pgsql-hackers |
Hi,

debugging a citus valgrind bleat, I noticed that hash_create() accesses
the result of palloc(0) as a hash element:

    HTAB *
    hash_create(const char *tabname, long nelem, HASHCTL *info, int flags)
    {
        ...
        if ((flags & HASH_SHARED_MEM) ||
            nelem < hctl->nelem_alloc)
        {
            if (!element_alloc(hashp, (int) nelem))
                ereport(ERROR,
                        (errcode(ERRCODE_OUT_OF_MEMORY),
                         errmsg("out of memory")));
        }
        ...
    }

I.e. we call element_alloc with nelem = 0. There we then do:

    static bool
    element_alloc(HTAB *hashp, int nelem)
    {
        ...
        firstElement = (HASHELEMENT *) hashp->alloc(nelem * elementSize);
        ...
        firstElement->link = hctlv->freeList;
    }

which means we'll write to the result of palloc(0).

Do we consider this an API usage error that we want to fix?

Greetings,
Andres Freund
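
The following is an added example, not part of the original message and not PostgreSQL's code: a simplified model of the free-list threading that shows why the store through firstElement is out of bounds when nelem = 0, next to a variant that returns early for an empty request. Element, Table, link_store_fits, element_alloc_guarded and freelist_length are hypothetical names, and malloc stands in for hashp->alloc.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

/* Simplified stand-ins for the dynahash structures (assumed layout). */
typedef struct Element { struct Element *link; } Element;
typedef struct Table { Element *freeList; size_t elementSize; } Table;

/* Does the "firstElement->link = freeList" store fit in the bytes requested? */
bool link_store_fits(int nelem, size_t elementSize)
{
    size_t requested = nelem > 0 ? (size_t) nelem * elementSize : 0;
    return requested >= offsetof(Element, link) + sizeof(Element *);
}

/* Guarded variant: nothing is allocated or written for nelem <= 0. */
bool element_alloc_guarded(Table *t, int nelem)
{
    if (nelem <= 0)
        return true;            /* nothing to add; free list left untouched */

    /* elementSize is assumed to be a multiple of the pointer alignment */
    char *chunk = malloc((size_t) nelem * t->elementSize);
    if (chunk == NULL)
        return false;

    /* Thread the new elements: each one links to the previous one. */
    Element *first = (Element *) chunk;
    Element *prev = NULL;
    for (int i = 0; i < nelem; i++)
    {
        Element *cur = (Element *) (chunk + (size_t) i * t->elementSize);
        cur->link = prev;
        prev = cur;
    }
    /* In bounds now: first points at >= elementSize valid bytes. */
    first->link = t->freeList;
    t->freeList = prev;
    return true;
}

/* Walk the free list and count its entries. */
size_t freelist_length(const Table *t)
{
    size_t n = 0;
    for (Element *e = t->freeList; e != NULL; e = e->link)
        n++;
    return n;
}
```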