Re: Fix mismatched deallocation functions
Tristan Partin <tristan@partin.io>
From: "Tristan Partin" <tristan@partin.io>
To: "Zsolt Parragi" <zsolt.parragi@percona.com>
Cc: "pgsql-hackers" <pgsql-hackers@postgresql.org>
Date: 2026-05-28T20:21:40Z
Lists: pgsql-hackers
Attachments
- v2-0001-Fix-mismatched-deallocation-functions.patch (text/x-patch)
- allocators.cocci (text/plain)
On Thu May 7, 2026 at 10:01 PM UTC, Zsolt Parragi wrote: > Hello! > > There are many cases missed by the script, for example: > > tab-complete.in.c:7089: > > `previous_words = pg_malloc_array(char *, point);` > > tab-complete.in.c:6364: > > `completion_ref_object = pg_strdup(word);` > > tab-complete.in.c:7090: > > `*buffer = (char *) pg_malloc(point * 2);` > > There's also completion_ref_schema, which is an out parameter of > parse_identifier, still freed in the patch. Thanks. I have adjusted the script to cover these instances, and fixed the patch in v2. > The strtokx change in stringutils.c is also strange - the patch > converts one free at line 96, and leaves the same free a few lines > above at line 73 as is. Thanks. Fixed this as well in the script. Fixed in v2. >> I generated the patch with the help of Coccinelle[0]. I'm no expert with >> Coccinelle, but it seemed like a good candidate to get this refactor >> done. You can run the attached script in your tree with the following >> command: > > If I had to do it, I would try to approach this with static analysis > tools instead: a custom rule that enforces attribute declarations for > return values / output parameters allocated by pg_malloc and similar > functions. Without attributes everywhere, these checks will never be > complete because tools won't be able to fully reason about cross > source file call paths. > For example clang-tidy even has an auto fix mode that could apply > these attributes automatically. > > With the attributes in place, we would automatically receive warnings > for every incorrect free attribute, which a tool could then > automatically fix. This would be nice. GCC already has some of this functionality: __attribute__((malloc(pfree))). When you add the deallocator, GCC will warn: -Wmismatched-dealloc. Perhaps there was some confusion in my initial proposal. I cannot confirm if this patch fixes every instance, but what it does do is get all my __attribute__((malloc)) additions added to the codebase without causing additional compiler warning noise, which would be a prerequisite to committing the __attribute__((malloc)) additions. I would think that as GCC continues to evolve, we could get even more warnings generated to help us find further issues with mismatched deallocation functions. > If we want to avoid generating noise by placing attributes everywhere > in the source (I'm not sure how noisy that would be), that part could > be a specialized CI run instead, since the transformation itself can > be automated. The current size of my attribute patch is not very noisy at all: src/include/c.h | 12 ++++++++++++ src/include/common/fe_memutils.h | 36 ++++++++++++++++++------------------ src/include/utils/palloc.h | 30 +++++++++++++++--------------- 3 files changed, 45 insertions(+), 33 deletions(-) I would advocate for adding the attributes, which is why I have submitted this preliminary patch. In addition to -Wmismatched-dealloc, GCC also can use -Wfree-nonheap-object, when the attributes are present. Attached you will find v2 of the patch and v2 of the Coccinelle script. For more reading on __attribute__((malloc)), see the GCC documentation: https://gcc.gnu.org/onlinedocs/gcc/Common-Attributes.html#index-malloc. -- Tristan Partin PostgreSQL Contributors Team AWS (https://aws.amazon.com)