Segfault in PL/Python
|
View:
New views
2 Messages
—
Rating Filter:
Alert me
|
 |
Segfault in PL/Python
by Peter Eisentraut-2
::
Rate this Message:
I have discovered an obscure segfault condition in PL/Python. In
PLy_output(), when the elog() call in the TRY branch throws an exception (this can happen when a statement timeout kicks in, for example), the PyErr_SetString() call in the CATCH branch can cause a segfault, because the Py_XDECREF(so) call before it releases memory that is still used by the sv variable that PyErr_SetString() uses as argument, because sv points into memory owned by so. Patch is attached. This should be backpatched back to 8.0, where this code was introduced. I also threw in a couple of volatile declarations for variables that are used before and after the TRY. I don't think they caused the crash that I observed, but they could become issues. [plpython-crash-fix.patch] Index: src/pl/plpython/plpython.c =================================================================== RCS file: /cvsroot/pgsql/src/pl/plpython/plpython.c,v retrieving revision 1.106 diff -u -3 -p -r1.106 plpython.c --- src/pl/plpython/plpython.c 2 Jan 2008 03:10:27 -0000 1.106 +++ src/pl/plpython/plpython.c 27 Oct 2009 14:13:00 -0000 @@ -2840,9 +2840,9 @@ PLy_fatal(PyObject * self, PyObject * ar static PyObject * PLy_output(volatile int level, PyObject * self, PyObject * args) { - PyObject *so; + PyObject *volatile so; char *volatile sv; - MemoryContext oldcontext; + volatile MemoryContext oldcontext; so = PyObject_Str(args); if (so == NULL || ((sv = PyString_AsString(so)) == NULL)) @@ -2861,6 +2861,10 @@ PLy_output(volatile int level, PyObject MemoryContextSwitchTo(oldcontext); PLy_error_in_progress = CopyErrorData(); FlushErrorState(); + + PyErr_SetString(PLy_exc_error, sv); + /* Note: If sv came from PyString_AsString(), it points into + * storage owned by so. So free so after using sv. */ Py_XDECREF(so); /* @@ -2868,7 +2872,6 @@ PLy_output(volatile int level, PyObject * control passes back to PLy_procedure_call, we check for PG * exceptions and re-throw the error. */ - PyErr_SetString(PLy_exc_error, sv); return NULL; } PG_END_TRY(); -- Sent via pgsql-hackers mailing list (pgsql-hackers@...) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers |
|
|
Re: Segfault in PL/Python
by Peter Eisentraut-2
::
Rate this Message:
On Sat, 2009-10-31 at 14:24 +0200, Peter Eisentraut wrote:
> I have discovered an obscure segfault condition in PL/Python. In > PLy_output(), when the elog() call in the TRY branch throws an exception > (this can happen when a statement timeout kicks in, for example), the > PyErr_SetString() call in the CATCH branch can cause a segfault, because > the Py_XDECREF(so) call before it releases memory that is still used by > the sv variable that PyErr_SetString() uses as argument, because sv > points into memory owned by so. > > Patch is attached. This should be backpatched back to 8.0, where this > code was introduced. > > I also threw in a couple of volatile declarations for variables that are > used before and after the TRY. I don't think they caused the crash that > I observed, but they could become issues. This patch has been applied to 8.0 - 8.5. -- Sent via pgsql-hackers mailing list (pgsql-hackers@...) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers |
| Free embeddable forum powered by Nabble | Forum Help |
