AddressSanitizer (
(also available through gcc, but I used clang), reports one bug, which
I traced down to this code in ruleutils.c:

    #define ViewSelectRuleName "_RETURN"

     * Get the pg_rewrite tuple for the view's SELECT rule
    args[0] = ObjectIdGetDatum(viewoid);
    args[1] = PointerGetDatum(ViewSelectRuleName);
    nulls[0] = ' ';
    nulls[1] = ' ';
    spirc = SPI_execute_plan(plan_getviewrule, args, nulls, true, 2);

[I also think that the 2 here is wrong, probably thinking it means 2
arguments, but it means 2 result rows, but only one is needed.  But
that's unrelated to the bug.]

The datums end up in datumCopy(), which tries to copy 64 bytes of
"name" data, overrunning the end of the string.

I think the correct code is something like

    args[1] = DirectFunctionCall1(namein, CStringGetDatum(ViewSelectRuleName));

which indeed makes the crash go away.  (A more explicit string-to-name
function might be useful and could also be used in other places.)

This is the only remaining issue found by AddressSanitizer that is
clearly attributable to the PostgreSQL source code (after the recently
fixed issue with memcpy with identical arguments).  There are crashes
in PL/Perl and PL/Python, but it's not clear to me yet whose fault
they are.

Sent via pgsql-hackers mailing list (
To make changes to your subscription:

Reply via email to