[pgpool-committers: 5315] pgpool: Fix segfault in extended query + query cache case.
ishii at sraoss.co.jp
Sat Nov 3 22:38:07 JST 2018
Fix segfault in extended query + query cache case.
If extended query is used when query cache enabled, Pgpool-II could
crash in certain case.
- parse before bind fires.
- a bind message is sent with previously parsed named statement and
- an explicit transaction is used.
When parse before bind fires, a new sent message corresponding to the
re-parsed message was not created.
When a bind message is sent from frontend using previously parsed
message and unnamed portal, Pgpool-II tries to add the unnamed portal
to the sent message list by calling
pool_add_sent_message(). pool_add_sent_message() removes the old
unnamed portal and add the new unnamed portal. Also it tries to remove
corresponding query context if it's not used by 2 or more sent
messages. Usually a query context is used by a named statement and an
unnamed portal and the query context will not moved.
However because when parse before bind fires a new sent message
corresponding to the re-parsed message was not created, the reference
count is 1, which cause the query context gets removed.
When the transaction ends, temporary buffer for query cache needed to
be removed. Unfortunately since the pointer to the temporary buffer
for query cache is stored in the query context which was just removed,
the pointer to the buffer points to a random address, and segfault
Because of the the reason if query cache is not enabled, the segfalt
does not occurs.
Note that this bug is easily reproduced by using "pgbench -M
prepared". ("pgbench -M extended" does not trigger the bug because it
does not use named statements.)
Fix is, When parse before bind fires, add a new sent message
corresponding to the re-parsed message.
src/protocol/pool_proto_modules.c | 7 +++++++
1 file changed, 7 insertions(+)
More information about the pgpool-committers