| From: | Alexander Kuznetsov <kuznetsovam(at)altlinux(dot)org> |
|---|---|
| To: | Daniel Gustafsson <daniel(at)yesql(dot)se> |
| Cc: | PostgreSQL Developers <pgsql-hackers(at)lists(dot)postgresql(dot)org>, egori(at)altlinux(dot)org, nickel(at)altlinux(dot)org |
| Subject: | Re: [PATCH] Check for TupleTableSlot nullness before dereferencing |
| Date: | 2024-10-09 15:23:40 |
| Message-ID: | ba1926b5-74c6-42c8-8f65-f3de9cbac026@altlinux.org |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
03.10.2024 12:48, Daniel Gustafsson wrote:
> From a quick reading we can only reach there after evaluating an expression, so
> can it really be null though? This code hasn't changed all that much since
> 2009, if there was a reachable segfault on a null pointer deref I have a
> feeling we'd heard about it by now so some extra care seems warranted to ensure
> it's not a static analyzer false positive.
Thanks for your response!
It seems to me that dereferencing is possible under the following scenario:
1. slot2 is NULL at line 968,
2. The while loop at line 971 executes once, filling slot1 (slot2 still remains NULL),
3. No changes occur to slot2 thereafter, up to line 1003,
4. At line 1003, slot2 is swapped with slot1 (assuming numDistinctCols > 0),
5. At line 1016, slot1 is dereferenced with conent of slot2 (NULL).
This entire reasoning is based on the assumption that slot2 can theoretically be NULL, as there is such a check at line 968.
Is it possible that no errors have occurred because this condition has always been satisfied and is, perhaps, redundant, or maybe I'm misunderstanding something?
--
Best regards,
Alexander Kuznetsov
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Junwang Zhao | 2024-10-09 15:46:19 | Re: general purpose array_sort |
| Previous Message | Tom Lane | 2024-10-09 15:03:03 | Re: \watch 0 or \watch 0.00001 doesn't do what I want |