Re: Is MinMaxExpr really leakproof?
Andrew Gierth <andrew@tao11.riddles.org.uk>
From: Andrew Gierth <andrew@tao11.riddles.org.uk>
To: Tom Lane <tgl@sss.pgh.pa.us>
Cc: Noah Misch <noah@leadboat.com>, pgsql-hackers@lists.postgresql.org,
Stephen Frost <sfrost@snowman.net>
Date: 2018-12-31T18:22:02Z
Lists: pgsql-hackers
>>>>> "Tom" == Tom Lane <tgl@sss.pgh.pa.us> writes: >> bttextcmp() and other varstr_cmp() callers fall afoul of the same >> restriction with their "could not convert string to UTF-16" errors >> (https://postgr.es/m/CADyhKSXPwrUv%2B9LtqPAQ_gyZTv4hYbr2KwqBxcs6a3Vee1jBLQ%40mail.gmail.com). >> Leaking the binary fact that an unspecified string contains an >> unspecified rare Unicode character is not a serious leak, however. >> Also, those errors would be a substantial usability impediment if >> they happened much in practice; you couldn't index affected values. Tom> Yeah. I think that there might be a usability argument for marking Tom> textcmp and related operators as leakproof despite this Tom> theoretical leak condition, because not marking them puts a large Tom> practical constraint on what conditions we can optimize. However, Tom> that discussion just applies narrowly to the string data types; it Tom> is independent of what we want to say the general policy is. I think that's not even a theoretical leak; the documentation for MultiByteToWideChar does not indicate any way in which it can return an error for the specific parameters we pass to it. In particular we do not tell it to return errors for invalid input characters. -- Andrew (irc:RhodiumToad)
Commits
-
Don't believe MinMaxExpr is leakproof without checking.
- 68a13f28bebc 12.0 landed
- f8b9b8097292 9.5.16 landed
- d6b37cdb6ec9 9.4.21 landed
- c27c3993ef6d 9.6.12 landed
- 64edc788b4a5 10.7 landed
- 099063340bb1 11.2 landed
-
Update leakproofness markings on some btree comparison functions.
- d01e75d68eb2 12.0 landed