Thread

  1. BUG #19366: heap-use-after-free in pgaio_io_reclaim() detected with RELCACHE_FORCE_RELEASE

    PG Bug reporting form <noreply@postgresql.org> — 2025-12-29T06:00:01Z

    The following bug has been logged on the website:
    
    Bug reference:      19366
    Logged by:          Alexander Lakhin
    Email address:      exclusion@gmail.com
    PostgreSQL version: 18.1
    Operating system:   Ubuntu 24.04
    Description:        
    
    The following build:
    CC=gcc-14 CFLAGS='-O0  -fsanitize=address -fsanitize=undefined -fno-sanitize-recover -static-libasan -static-libubsan -DRELCACHE_FORCE_RELEASE' ./configure -q --enable-debug --enable-cassert --enable-tap-tests --with-liburing && make -s -j12
    
    fails on 027_stream_regress.pl when executed as below:
    echo "io_method = io_uring" >/tmp/temp.config
    PROVE_TESTS="t/027*" TEMP_CONFIG=/tmp/temp.config make -s check -C src/test/recovery/
    
    # +++ tap check in src/test/recovery +++
    t/027_stream_regress.pl .. 2/?
    #   Failed test 'regression tests pass'
    #   at t/027_stream_regress.pl line 112.
    #          got: '256'
    #     expected: '0'
    
    =================================================================
    ==1414701==ERROR: AddressSanitizer: heap-use-after-free on address 0x52d000160a10 at pc 0x6315765530f4 bp 0x7fff3a67b6d0 sp 0x7fff3a67b6c0
    WRITE of size 8 at 0x52d000160a10 thread T0
        #0 0x6315765530f3 in pgaio_io_reclaim .../src/backend/storage/aio/aio.c:698
        #1 0x6315765523dd in pgaio_io_process_completion .../src/backend/storage/aio/aio.c:549
        #2 0x631576565329 in pgaio_uring_drain_locked .../src/backend/storage/aio/method_io_uring.c:568
        #3 0x631576565c83 in pgaio_uring_wait_one .../src/backend/storage/aio/method_io_uring.c:647
        #4 0x631576552a68 in pgaio_io_wait .../src/backend/storage/aio/aio.c:622
        #5 0x6315765568ad in pgaio_closing_fd .../src/backend/storage/aio/aio.c:1279
        #6 0x6315765bf4dc in FileClose .../src/backend/storage/file/fd.c:1975
        #7 0x6315766d8285 in mdclose .../src/backend/storage/smgr/md.c:726
        #8 0x6315766e3264 in smgrrelease .../src/backend/storage/smgr/smgr.c:356
        #9 0x6315766e34af in smgrclose .../src/backend/storage/smgr/smgr.c:376
        #10 0x631576ee2edb in RelationCloseSmgr ../../../../src/include/utils/rel.h:597
        #11 0x631576efae6e in RelationInvalidateRelation .../src/backend/utils/cache/relcache.c:2527
        #12 0x631576efb3f8 in RelationClearRelation .../src/backend/utils/cache/relcache.c:2560
        #13 0x631576ef7582 in RelationCloseCleanup .../src/backend/utils/cache/relcache.c:2251
        #14 0x631576f247bf in ResOwnerReleaseRelation .../src/backend/utils/cache/relcache.c:6994
        #15 0x63157709849e in ResourceOwnerReleaseAll .../src/backend/utils/resowner/resowner.c:395
        #16 0x63157709b177 in ResourceOwnerReleaseInternal .../src/backend/utils/resowner/resowner.c:734
        #17 0x63157709ad9d in ResourceOwnerReleaseInternal .../src/backend/utils/resowner/resowner.c:687
        #18 0x63157709ace5 in ResourceOwnerRelease .../src/backend/utils/resowner/resowner.c:661
        #19 0x631574fd4ac1 in AbortTransaction .../src/backend/access/transam/xact.c:2987
        #20 0x631574fd7da2 in AbortCurrentTransactionInternal .../src/backend/access/transam/xact.c:3524
        #21 0x631574fd7b75 in AbortCurrentTransaction .../src/backend/access/transam/xact.c:3478
        #22 0x63157670bd59 in PostgresMain .../src/backend/tcop/postgres.c:4458
        #23 0x6315766edc9a in BackendMain .../src/backend/tcop/backend_startup.c:124
        #24 0x63157626c165 in postmaster_child_launch .../src/backend/postmaster/launch_backend.c:268
        #25 0x63157627db5b in BackendStartup .../src/backend/postmaster/postmaster.c:3598
        #26 0x631576277dc9 in ServerLoop .../src/backend/postmaster/postmaster.c:1713
        #27 0x631576276827 in PostmasterMain .../src/backend/postmaster/postmaster.c:1403
        #28 0x631575b643ef in main .../src/backend/main/main.c:231
        #29 0x7a0f4722a1c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
        #30 0x7a0f4722a28a in __libc_start_main_impl ../csu/libc-start.c:360
        #31 0x6315749f5cf4 in _start (.../tmp_install/usr/local/pgsql/bin/postgres+0x3437cf4) (BuildId: fb9da6221fd034ea4004b34de480b536444e54b6)
    
    0x52d000160a10 is located 9744 bytes inside of 32768-byte region [0x52d00015e400,0x52d000166400)
    freed by thread T0 here:
        #0 0x631574ab6aa8 in free.part.0 (.../tmp_install/usr/local/pgsql/bin/postgres+0x34f8aa8) (BuildId: fb9da6221fd034ea4004b34de480b536444e54b6)
        #1 0x63157703cd29 in AllocSetReset .../src/backend/utils/mmgr/aset.c:607
        #2 0x631577078a30 in MemoryContextResetOnly .../src/backend/utils/mmgr/mcxt.c:439
        #3 0x63157703d2dd in AllocSetDelete .../src/backend/utils/mmgr/aset.c:663
        #4 0x631577079396 in MemoryContextDeleteOnly .../src/backend/utils/mmgr/mcxt.c:546
        #5 0x631577078fa4 in MemoryContextDelete .../src/backend/utils/mmgr/mcxt.c:500
        #6 0x631577079573 in MemoryContextDeleteChildren .../src/backend/utils/mmgr/mcxt.c:564
        #7 0x631577087a28 in AtAbort_Portals .../src/backend/utils/mmgr/portalmem.c:849
        #8 0x631574fd496f in AbortTransaction .../src/backend/access/transam/xact.c:2939
        #9 0x631574fd7da2 in AbortCurrentTransactionInternal .../src/backend/access/transam/xact.c:3524
        #10 0x631574fd7b75 in AbortCurrentTransaction .../src/backend/access/transam/xact.c:3478
        #11 0x63157670bd59 in PostgresMain .../src/backend/tcop/postgres.c:4458
        #12 0x6315766edc9a in BackendMain .../src/backend/tcop/backend_startup.c:124
        #13 0x63157626c165 in postmaster_child_launch .../src/backend/postmaster/launch_backend.c:268
        #14 0x63157627db5b in BackendStartup .../src/backend/postmaster/postmaster.c:3598
        #15 0x631576277dc9 in ServerLoop .../src/backend/postmaster/postmaster.c:1713
        #16 0x631576276827 in PostmasterMain .../src/backend/postmaster/postmaster.c:1403
        #17 0x631575b643ef in main .../src/backend/main/main.c:231
        #18 0x7a0f4722a1c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
        #19 0x7a0f4722a28a in __libc_start_main_impl ../csu/libc-start.c:360
        #20 0x6315749f5cf4 in _start (.../tmp_install/usr/local/pgsql/bin/postgres+0x3437cf4) (BuildId: fb9da6221fd034ea4004b34de480b536444e54b6)
    
    previously allocated by thread T0 here:
        #0 0x631574ab7f97 in malloc (.../tmp_install/usr/local/pgsql/bin/postgres+0x34f9f97) (BuildId: fb9da6221fd034ea4004b34de480b536444e54b6)
        #1 0x63157703f3fe in AllocSetAllocFromNewBlock .../src/backend/utils/mmgr/aset.c:952
        #2 0x63157704019e in AllocSetAlloc .../src/backend/utils/mmgr/aset.c:1098
        #3 0x63157708047b in palloc .../src/backend/utils/mmgr/mcxt.c:1408
        #4 0x6315757f4265 in ExprEvalPushStep .../src/backend/executor/execExpr.c:2676
        #5 0x6315757f76a6 in ExecPushExprSetupSteps .../src/backend/executor/execExpr.c:2930
        #6 0x6315757f6e7b in ExecCreateExprSetupSteps .../src/backend/executor/execExpr.c:2882
        #7 0x6315757db00e in ExecInitQual .../src/backend/executor/execExpr.c:250
        #8 0x6315759e7d9c in ExecInitIndexScan .../src/backend/executor/nodeIndexscan.c:960
        #9 0x6315758c4c1d in ExecInitNode .../src/backend/executor/execProcnode.c:220
        #10 0x631575a56682 in ExecInitNestLoop .../src/backend/executor/nodeNestloop.c:301
        #11 0x6315758c4ea2 in ExecInitNode .../src/backend/executor/execProcnode.c:298
        #12 0x631575941611 in ExecInitAgg .../src/backend/executor/nodeAgg.c:3410
        #13 0x6315758c4ffa in ExecInitNode .../src/backend/executor/execProcnode.c:341
        #14 0x631575881130 in InitPlan .../src/backend/executor/execMain.c:987
        #15 0x63157587b573 in standard_ExecutorStart .../src/backend/executor/execMain.c:261
        #16 0x7a0f422d5cc4 in pgss_ExecutorStart .../contrib/pg_stat_statements/pg_stat_statements.c:1007
        #17 0x63157587a137 in ExecutorStart .../src/backend/executor/execMain.c:135
        #18 0x631576712c58 in PortalStart .../src/backend/tcop/pquery.c:513
        #19 0x6315766fcfff in exec_simple_query .../src/backend/tcop/postgres.c:1240
        #20 0x63157670ce7f in PostgresMain .../src/backend/tcop/postgres.c:4775
        #21 0x6315766edc9a in BackendMain .../src/backend/tcop/backend_startup.c:124
        #22 0x63157626c165 in postmaster_child_launch .../src/backend/postmaster/launch_backend.c:268
        #23 0x63157627db5b in BackendStartup .../src/backend/postmaster/postmaster.c:3598
        #24 0x631576277dc9 in ServerLoop .../src/backend/postmaster/postmaster.c:1713
        #25 0x631576276827 in PostmasterMain .../src/backend/postmaster/postmaster.c:1403
        #26 0x631575b643ef in main .../src/backend/main/main.c:231
        #27 0x7a0f4722a1c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
        #28 0x7a0f4722a28a in __libc_start_main_impl ../csu/libc-start.c:360
        #29 0x6315749f5cf4 in _start (.../tmp_install/usr/local/pgsql/bin/postgres+0x3437cf4) (BuildId: fb9da6221fd034ea4004b34de480b536444e54b6)
    
    SUMMARY: AddressSanitizer: heap-use-after-free .../src/backend/storage/aio/aio.c:698 in pgaio_io_reclaim
    ...
    ==1414701==ABORTING
    
    2025-12-29 07:26:28.626 EET postmaster[1406872] LOG:  client backend (PID 1414701) was terminated by signal 6: Aborted
    2025-12-29 07:26:28.626 EET postmaster[1406872] DETAIL:  Failed process was running: select max(histogram_bounds) from pg_stats where tablename = 'pg_am';
    (this stacktrace is from the master branch)
    
    Reproduced starting from 12ce89fd0.
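The two stacks in the report show the ordering at fault: the block is freed by AtAbort_Portals (MemoryContextDelete) at xact.c:2939, and only afterwards does ResourceOwnerRelease at xact.c:2987 close the relation's file, which waits on an in-flight I/O whose completion path (pgaio_io_reclaim) writes into that freed block. The model below is added here and is not code from the report or from PostgreSQL; it assumes, as the trace suggests but does not prove, that the I/O handle keeps a pointer to a completion slot allocated in the deleted context, and all types and function names in it are constructed stand-ins. It reproduces both orderings and shows the quarantine check ASan is doing for the reporter: the context is poisoned rather than freed, so the stale write is detected instead of corrupting memory.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Constructed stand-ins; none of these are PostgreSQL's real types. */
typedef struct Arena { void *mem; bool live; } Arena;    /* a memory context */
typedef struct IoReturn { int result; } IoReturn;       /* completion slot in the arena */
typedef struct IoHandle {
    bool      in_flight;
    Arena    *owner;          /* context that owns report_return */
    IoReturn *report_return;  /* written by the completion path */
} IoHandle;

static IoReturn *arena_alloc_return(Arena *a)
{
    a->mem = calloc(1, sizeof(IoReturn));
    a->live = true;
    return (IoReturn *) a->mem;
}
/* Quarantine instead of free(): the chunk stays mapped so a stale write is
 * reported rather than made. ASan does this on the real heap; here it is
 * done by hand so the model runs without a sanitizer. */
static void arena_delete(Arena *a) { a->live = false; }
static void arena_release(Arena *a) { free(a->mem); a->mem = NULL; }

/* Completion path (the role pgaio_io_reclaim plays in the trace).
 * Returns true when the write would have landed in deleted memory. */
static bool io_reclaim(IoHandle *h, int result)
{
    h->in_flight = false;
    if (!h->owner->live)
        return true;                      /* heap-use-after-free */
    h->report_return->result = result;
    return false;
}
/* Drain an in-flight I/O; the owning context must still be alive here. */
static bool io_wait(IoHandle *h) { return h->in_flight ? io_reclaim(h, 0) : false; }

/* Abort sequence: drain_first=false reproduces the trace's ordering
 * (context deleted by portal cleanup, then resource cleanup waits on the I/O). */
bool abort_has_uaf(bool drain_first)
{
    Arena    ctx = {0};
    IoHandle h = { .in_flight = true, .owner = &ctx,
                   .report_return = arena_alloc_return(&ctx) };
    bool     uaf;
    if (drain_first) { uaf = io_wait(&h); arena_delete(&ctx); }
    else             { arena_delete(&ctx); uaf = io_wait(&h); }
    arena_release(&ctx);
    return uaf;
}
```

The invariant the model enforces is the one the report's build flags are checking: memory an in-flight I/O will write on completion must outlive the I/O, so every in-flight I/O has to be drained before the context that owns its completion slot is deleted.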