printf %s with NULL pointer (was Re: BUG #17098: Assert failed on composing an error message when adding a type to an extension being dropped)
Tom Lane <tgl@sss.pgh.pa.us>
From: Tom Lane <tgl@sss.pgh.pa.us>
To: pgsql-hackers@lists.postgresql.org
Date: 2021-07-12T17:20:56Z
Lists: pgsql-bugs, pgsql-hackers
[ moved from -bugs list for more visibility ]
I wrote:
> However, that root issue is converted from a relatively minor bug into
> a server crash because snprintf.c treats a NULL pointer passed to %s
> as a crash-worthy error. I have advocated for that behavior in the
> past, but I'm starting to wonder if it wouldn't be wiser to change
> over to the glibc-ish behavior of printing "(null)" or the like.
> It seems like we've long since found all the interesting bugs that
> the assert-or-crash behavior could reveal, and now we're down to
> weird corner cases where its main effect is to weaken our robustness.
I did a little more thinking about this. I believe the strongest
argument for having snprintf.c crash on NULL is that it keeps us
from relying on having more-forgiving behavior in case we're using
platform-supplied *printf functions (cf commit 0c62356cc). However,
that is only relevant for code that's meant to go into pre-v12 branches,
since we stopped using libc's versions of these functions in v12.
So one plausible way to approach this is to say that we should wait
until v11 is EOL and then change it.
However, that feels overly conservative to me. I doubt that anyone
is *intentionally* relying on *printf not crashing on a NULL pointer.
For example, in the case that started this thread:
if (OidIsValid(oldExtension))
ereport(ERROR,
(errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
errmsg("%s is already a member of extension \"%s\"",
getObjectDescription(&object, false),
get_extension_name(oldExtension))));
the problem is failure to consider the possibility that
get_extension_name could return NULL due to a just-committed
concurrent DROP EXTENSION. I'm afraid there are a lot of
corner cases like that still lurking.
So my feeling about this is that switching snprintf.c's behavior
would produce some net gain in robustness for v12 and up, while
not making things any worse for the older branches. I still hold
to the opinion that we've already flushed out all the cases of
passing NULL that we're likely to find via ordinary testing.
Thoughts?
regards, tom lane
Commits
-
Make printf("%s", NULL) print "(null)" instead of crashing.
- c0a6f83deba9 13.4 landed
- 9329b923542f 11.13 landed
- 89ad14cd7870 14.0 landed
- 7e09b504d023 9.6.23 landed
- 5a435289d1a8 10.18 landed
- 4c8a14e8d993 12.8 landed
- 3779ac62d709 15.0 landed
-
Lock the extension during ALTER EXTENSION ADD/DROP.
- 92340ba5a795 12.8 landed
- 734be249d2c8 9.6.23 landed
- 6bd9ae173d37 11.13 landed
- 69dfc36fd54d 14.0 landed
- 626731db26ae 15.0 landed
- 1d49c888755b 10.18 landed
- 1c612bc98ec3 13.4 landed
-
Add an assertion that we don't pass NULL to snprintf("%s").
- 0c62356cc877 11.0 cited
-
Fix broken logic for reporting PL/Python function names in errcontext.
- e748e902def4 11.0 cited