Make stack depth check work with asan's use-after-return

With address sanitizer's stack-use-after-return check, stack variables are moved to heap allocations, to allow to detect references to the memory at a later time. That broke our stack-depth check, which is why we had to disable detect_stack_use_after_return in CI. Luckily __builtin_frame_address() works correctly, even under asan, so use that. We started using __builtin_frame_address() with de447bb8e6, however as of that commit we just used it for the stack base address, not for the value to compare to the base address. Now we use it for both. When building without __builtin_frame_address() support, we continue to use stack variables for the stack depth determination. Reviewed-by: Tom Lane <tgl@sss.pgh.pa.us> Discussion: https://postgr.es/m/2kk4z4odvuyrg7qlwjd7ft4eron4cle4btb33v4qatgsdkayir@gj6e62rgsel4 Backpatch-through: 14
2026-06-11 17:50:22 -04:00 · 2026-05-28 11:34:13 -04:00 · 2026-05-28 11:34:13 -04:00 · 970ac13791
commit 970ac13791
parent cdb9b2830d
2 changed files with 20 additions and 4 deletions
--- a/.cirrus.tasks.yml
+++ b/.cirrus.tasks.yml
@ -271,7 +271,7 @@ task:
    # print_stacktraces=1,verbosity=2, duh
    # detect_leaks=0: too many uninteresting leak errors in short-lived binaries
    UBSAN_OPTIONS: print_stacktrace=1:disable_coredump=0:abort_on_error=1:verbosity=2
-    ASAN_OPTIONS: print_stacktrace=1:disable_coredump=0:abort_on_error=1:detect_leaks=0:detect_stack_use_after_return=0
+    ASAN_OPTIONS: print_stacktrace=1:disable_coredump=0:abort_on_error=1:detect_leaks=0

    # SANITIZER_FLAGS is set in the tasks below
    CFLAGS: -Og -ggdb -fno-sanitize-recover=all $SANITIZER_FLAGS
--- a/src/backend/tcop/postgres.c
+++ b/src/backend/tcop/postgres.c
@ -3495,7 +3495,8 @@ set_stack_base(void)
 	/*
 	 * Set up reference point for stack depth checking.  On recent gcc we use
 	 * __builtin_frame_address() to avoid a warning about storing a local
-	 * variable's address in a long-lived variable.
+	 * variable's address in a long-lived variable.  This is also important
+	 * with address sanitizer, see comment in stack_is_too_deep().
 	 */
 #ifdef HAVE__BUILTIN_FRAME_ADDRESS
 	stack_base_ptr = __builtin_frame_address(0);
@ -3549,13 +3550,28 @@ check_stack_depth(void)
 bool
 stack_is_too_deep(void)
 {
+#ifndef HAVE__BUILTIN_FRAME_ADDRESS
 	char		stack_top_loc;
+#endif
 	long		stack_depth;
+	char	   *stack_address;

 	/*
-	 * Compute distance from reference point to my local variables
+	 * With address sanitizer's stack-use-after-return check, stack variables
+	 * are moved to heap allocations, to allow to detect references to the
+	 * memory at a later time. That would break our stack-depth check. Luckily
+	 * __builtin_frame_address() works correctly, even under asan.
 	 */
-	stack_depth = (long) (stack_base_ptr - &stack_top_loc);
+#ifndef HAVE__BUILTIN_FRAME_ADDRESS
+	stack_address = &stack_top_loc;
+#else
+	stack_address = (char *) __builtin_frame_address(0);
+#endif
+
+	/*
+	 * Compute distance from reference point to my stack frame.
+	 */
+	stack_depth = (long) (stack_base_ptr - stack_address);

 	/*
 	 * Take abs value, since stacks grow up on some machines, down on others