BUG #19366: heap-use-after-free in pgaio_io_reclaim() detected with RELCACHE_FORCE_RELEASE
PG Bug reporting form <noreply@postgresql.org> — 2025-12-29T06:00:01Z
The following bug has been logged on the website:

Bug reference:      19366
Logged by:          Alexander Lakhin
Email address:      exclusion@gmail.com
PostgreSQL version: 18.1
Operating system:   Ubuntu 24.04
Description:

The following build:
CC=gcc-14 CFLAGS='-O0 -fsanitize=address -fsanitize=undefined -fno-sanitize-recover -static-libasan -static-libubsan -DRELCACHE_FORCE_RELEASE' ./configure -q --enable-debug --enable-cassert --enable-tap-tests --with-liburing && make -s -j12

fails on 027_stream_regress.pl when executed as below:
echo "io_method = io_uring" >/tmp/temp.config
PROVE_TESTS="t/027*" TEMP_CONFIG=/tmp/temp.config make -s check -C src/test/recovery/

# +++ tap check in src/test/recovery +++
t/027_stream_regress.pl .. 2/?
#   Failed test 'regression tests pass'
#   at t/027_stream_regress.pl line 112.
#          got: '256'
#     expected: '0'

=================================================================
==1414701==ERROR: AddressSanitizer: heap-use-after-free on address 0x52d000160a10 at pc 0x6315765530f4 bp 0x7fff3a67b6d0 sp 0x7fff3a67b6c0
WRITE of size 8 at 0x52d000160a10 thread T0
    #0 0x6315765530f3 in pgaio_io_reclaim .../src/backend/storage/aio/aio.c:698
    #1 0x6315765523dd in pgaio_io_process_completion .../src/backend/storage/aio/aio.c:549
    #2 0x631576565329 in pgaio_uring_drain_locked .../src/backend/storage/aio/method_io_uring.c:568
    #3 0x631576565c83 in pgaio_uring_wait_one .../src/backend/storage/aio/method_io_uring.c:647
    #4 0x631576552a68 in pgaio_io_wait .../src/backend/storage/aio/aio.c:622
    #5 0x6315765568ad in pgaio_closing_fd .../src/backend/storage/aio/aio.c:1279
    #6 0x6315765bf4dc in FileClose .../src/backend/storage/file/fd.c:1975
    #7 0x6315766d8285 in mdclose .../src/backend/storage/smgr/md.c:726
    #8 0x6315766e3264 in smgrrelease .../src/backend/storage/smgr/smgr.c:356
    #9 0x6315766e34af in smgrclose .../src/backend/storage/smgr/smgr.c:376
    #10 0x631576ee2edb in RelationCloseSmgr ../../../../src/include/utils/rel.h:597
    #11 0x631576efae6e in RelationInvalidateRelation .../src/backend/utils/cache/relcache.c:2527
    #12 0x631576efb3f8 in RelationClearRelation .../src/backend/utils/cache/relcache.c:2560
    #13 0x631576ef7582 in RelationCloseCleanup .../src/backend/utils/cache/relcache.c:2251
    #14 0x631576f247bf in ResOwnerReleaseRelation .../src/backend/utils/cache/relcache.c:6994
    #15 0x63157709849e in ResourceOwnerReleaseAll .../src/backend/utils/resowner/resowner.c:395
    #16 0x63157709b177 in ResourceOwnerReleaseInternal .../src/backend/utils/resowner/resowner.c:734
    #17 0x63157709ad9d in ResourceOwnerReleaseInternal .../src/backend/utils/resowner/resowner.c:687
    #18 0x63157709ace5 in ResourceOwnerRelease .../src/backend/utils/resowner/resowner.c:661
    #19 0x631574fd4ac1 in AbortTransaction .../src/backend/access/transam/xact.c:2987
    #20 0x631574fd7da2 in AbortCurrentTransactionInternal .../src/backend/access/transam/xact.c:3524
    #21 0x631574fd7b75 in AbortCurrentTransaction .../src/backend/access/transam/xact.c:3478
    #22 0x63157670bd59 in PostgresMain .../src/backend/tcop/postgres.c:4458
    #23 0x6315766edc9a in BackendMain .../src/backend/tcop/backend_startup.c:124
    #24 0x63157626c165 in postmaster_child_launch .../src/backend/postmaster/launch_backend.c:268
    #25 0x63157627db5b in BackendStartup .../src/backend/postmaster/postmaster.c:3598
    #26 0x631576277dc9 in ServerLoop .../src/backend/postmaster/postmaster.c:1713
    #27 0x631576276827 in PostmasterMain .../src/backend/postmaster/postmaster.c:1403
    #28 0x631575b643ef in main .../src/backend/main/main.c:231
    #29 0x7a0f4722a1c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #30 0x7a0f4722a28a in __libc_start_main_impl ../csu/libc-start.c:360
    #31 0x6315749f5cf4 in _start (.../tmp_install/usr/local/pgsql/bin/postgres+0x3437cf4) (BuildId: fb9da6221fd034ea4004b34de480b536444e54b6)

0x52d000160a10 is located 9744 bytes inside of 32768-byte region [0x52d00015e400,0x52d000166400)
freed by thread T0 here:
    #0 0x631574ab6aa8 in free.part.0 (.../tmp_install/usr/local/pgsql/bin/postgres+0x34f8aa8) (BuildId: fb9da6221fd034ea4004b34de480b536444e54b6)
    #1 0x63157703cd29 in AllocSetReset .../src/backend/utils/mmgr/aset.c:607
    #2 0x631577078a30 in MemoryContextResetOnly .../src/backend/utils/mmgr/mcxt.c:439
    #3 0x63157703d2dd in AllocSetDelete .../src/backend/utils/mmgr/aset.c:663
    #4 0x631577079396 in MemoryContextDeleteOnly .../src/backend/utils/mmgr/mcxt.c:546
    #5 0x631577078fa4 in MemoryContextDelete .../src/backend/utils/mmgr/mcxt.c:500
    #6 0x631577079573 in MemoryContextDeleteChildren .../src/backend/utils/mmgr/mcxt.c:564
    #7 0x631577087a28 in AtAbort_Portals .../src/backend/utils/mmgr/portalmem.c:849
    #8 0x631574fd496f in AbortTransaction .../src/backend/access/transam/xact.c:2939
    #9 0x631574fd7da2 in AbortCurrentTransactionInternal .../src/backend/access/transam/xact.c:3524
    #10 0x631574fd7b75 in AbortCurrentTransaction .../src/backend/access/transam/xact.c:3478
    #11 0x63157670bd59 in PostgresMain .../src/backend/tcop/postgres.c:4458
    #12 0x6315766edc9a in BackendMain .../src/backend/tcop/backend_startup.c:124
    #13 0x63157626c165 in postmaster_child_launch .../src/backend/postmaster/launch_backend.c:268
    #14 0x63157627db5b in BackendStartup .../src/backend/postmaster/postmaster.c:3598
    #15 0x631576277dc9 in ServerLoop .../src/backend/postmaster/postmaster.c:1713
    #16 0x631576276827 in PostmasterMain .../src/backend/postmaster/postmaster.c:1403
    #17 0x631575b643ef in main .../src/backend/main/main.c:231
    #18 0x7a0f4722a1c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #19 0x7a0f4722a28a in __libc_start_main_impl ../csu/libc-start.c:360
    #20 0x6315749f5cf4 in _start (.../tmp_install/usr/local/pgsql/bin/postgres+0x3437cf4) (BuildId: fb9da6221fd034ea4004b34de480b536444e54b6)

previously allocated by thread T0 here:
    #0 0x631574ab7f97 in malloc (.../tmp_install/usr/local/pgsql/bin/postgres+0x34f9f97) (BuildId: fb9da6221fd034ea4004b34de480b536444e54b6)
    #1 0x63157703f3fe in AllocSetAllocFromNewBlock .../src/backend/utils/mmgr/aset.c:952
    #2 0x63157704019e in AllocSetAlloc .../src/backend/utils/mmgr/aset.c:1098
    #3 0x63157708047b in palloc .../src/backend/utils/mmgr/mcxt.c:1408
    #4 0x6315757f4265 in ExprEvalPushStep .../src/backend/executor/execExpr.c:2676
    #5 0x6315757f76a6 in ExecPushExprSetupSteps .../src/backend/executor/execExpr.c:2930
    #6 0x6315757f6e7b in ExecCreateExprSetupSteps .../src/backend/executor/execExpr.c:2882
    #7 0x6315757db00e in ExecInitQual .../src/backend/executor/execExpr.c:250
    #8 0x6315759e7d9c in ExecInitIndexScan .../src/backend/executor/nodeIndexscan.c:960
    #9 0x6315758c4c1d in ExecInitNode .../src/backend/executor/execProcnode.c:220
    #10 0x631575a56682 in ExecInitNestLoop .../src/backend/executor/nodeNestloop.c:301
    #11 0x6315758c4ea2 in ExecInitNode .../src/backend/executor/execProcnode.c:298
    #12 0x631575941611 in ExecInitAgg .../src/backend/executor/nodeAgg.c:3410
    #13 0x6315758c4ffa in ExecInitNode .../src/backend/executor/execProcnode.c:341
    #14 0x631575881130 in InitPlan .../src/backend/executor/execMain.c:987
    #15 0x63157587b573 in standard_ExecutorStart .../src/backend/executor/execMain.c:261
    #16 0x7a0f422d5cc4 in pgss_ExecutorStart .../contrib/pg_stat_statements/pg_stat_statements.c:1007
    #17 0x63157587a137 in ExecutorStart .../src/backend/executor/execMain.c:135
    #18 0x631576712c58 in PortalStart .../src/backend/tcop/pquery.c:513
    #19 0x6315766fcfff in exec_simple_query .../src/backend/tcop/postgres.c:1240
    #20 0x63157670ce7f in PostgresMain .../src/backend/tcop/postgres.c:4775
    #21 0x6315766edc9a in BackendMain .../src/backend/tcop/backend_startup.c:124
    #22 0x63157626c165 in postmaster_child_launch .../src/backend/postmaster/launch_backend.c:268
    #23 0x63157627db5b in BackendStartup .../src/backend/postmaster/postmaster.c:3598
    #24 0x631576277dc9 in ServerLoop .../src/backend/postmaster/postmaster.c:1713
    #25 0x631576276827 in PostmasterMain .../src/backend/postmaster/postmaster.c:1403
    #26 0x631575b643ef in main .../src/backend/main/main.c:231
    #27 0x7a0f4722a1c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #28 0x7a0f4722a28a in __libc_start_main_impl ../csu/libc-start.c:360
    #29 0x6315749f5cf4 in _start (.../tmp_install/usr/local/pgsql/bin/postgres+0x3437cf4) (BuildId: fb9da6221fd034ea4004b34de480b536444e54b6)

SUMMARY: AddressSanitizer: heap-use-after-free .../src/backend/storage/aio/aio.c:698 in pgaio_io_reclaim
...
==1414701==ABORTING
2025-12-29 07:26:28.626 EET postmaster[1406872] LOG:  client backend (PID 1414701) was terminated by signal 6: Aborted
2025-12-29 07:26:28.626 EET postmaster[1406872] DETAIL:  Failed process was running: select max(histogram_bounds) from pg_stats where tablename = 'pg_am';

(this stacktrace is from the master branch)

Reproduced starting from 12ce89fd0.
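The ordering the two stack traces show (the portal memory context deleted in AtAbort_Portals at xact.c:2939, the I/O waited on and reclaimed later from ResourceOwnerRelease at xact.c:2987) as a constructed C model, added here and not the reporter's or PostgreSQL's own code. The Context, AioHandle and aio_reclaim names are simplified stand-ins, and the model assumes, which the page does not establish, that the flagged 8-byte write is a completion result stored through a pointer the handle keeps into the deleted context.

```c
#include <stdint.h>
#include <stdlib.h>
/* Constructed model of the lifetime bug in the trace above, not PostgreSQL code.
 * An in-flight I/O handle keeps a raw pointer to an 8-byte result slot that lives
 * in a memory context; deleting the context before the I/O is reclaimed makes the
 * completion write land in freed memory. Assumption, not shown on the page: that
 * the flagged 8-byte write is a result being stored through such a pointer. */
typedef struct { uint64_t result; } AioReturn;                  /* caller-owned slot */
typedef struct { char *block; size_t used; int live; } Context; /* one-block context */
typedef struct { AioReturn *report_return; } AioHandle;         /* in-flight I/O */

static void ctx_init(Context *c) { c->block = malloc(32768); c->used = 0; c->live = 1; }
static void *ctx_alloc(Context *c, size_t n) { void *p = c->block + c->used; c->used += n; return p; }
static void ctx_delete(Context *c) { free(c->block); c->live = 0; }   /* the AllocSetReset step */

/* Completion path. It refuses the store when the slot's context is gone and
 * returns -1; an unguarded store here is what ASAN reported at aio.c:698. */
static int aio_reclaim(AioHandle *h, const Context *slot_owner, uint64_t result)
{
    if (h->report_return == NULL) return 0;
    if (!slot_owner->live) return -1;   /* would be a heap-use-after-free */
    h->report_return->result = result;
    return 0;
}

/* Ordering from the trace: AtAbort_Portals deletes the context (xact.c:2939),
 * then ResourceOwnerRelease (xact.c:2987) closes the file and waits on the I/O. */
int abort_buggy_order(void)
{
    Context ctx; AioHandle h;
    ctx_init(&ctx);
    h.report_return = ctx_alloc(&ctx, sizeof(AioReturn));
    ctx_delete(&ctx);                   /* slot freed while the I/O is in flight */
    return aio_reclaim(&h, &ctx, 0x2a); /* returns -1 */
}

/* Defensive ordering: reclaim every I/O that reports into the context, and
 * detach its pointer, before the context is deleted. Returns the delivered result. */
long abort_safe_order(void)
{
    Context ctx; AioHandle h;
    ctx_init(&ctx);
    h.report_return = ctx_alloc(&ctx, sizeof(AioReturn));
    if (aio_reclaim(&h, &ctx, 0x2a) != 0) return -1;
    long delivered = (long) h.report_return->result;
    h.report_return = NULL;             /* nothing dangling afterwards */
    ctx_delete(&ctx);
    return delivered;                   /* returns 0x2a */
}
```

The guard in aio_reclaim only makes the stale pointer visible; the actual fix is the ordering in abort_safe_order, where nothing that can still complete points into memory the abort path is about to free.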