MIME-Version: 1.0
References: 
 <CACeKOO2QqpnML1OkQqqCCc+xG1d2M+sS7y7zE9vw5W-DXu+xKQ@mail.gmail.com>
 <20260211.192845.1888610184173239311.ishii@postgresql.org>
 <CACeKOO21jgrafj6RzO+ibLjBDUdDeQ0Tuu3tatkmGUdQi+GAAQ@mail.gmail.com>
 <20260219.085121.1424536813757196179.ishii@postgresql.org>
In-Reply-To: <20260219.085121.1424536813757196179.ishii@postgresql.org>
From: Nadav Shatz <nadav@tailorbrands.com>
Date: Thu, 19 Feb 2026 06:40:21 +0200
Message-ID: 
 <CACeKOO14e4h1na+J5TEPkHGuSVKA8YzL6gUaoCqgCqyoffCjHA@mail.gmail.com>
Subject: Re: Proposal: Recent mutated table tracking in memory
To: Tatsuo Ishii <ishii@postgresql.org>
Cc: pgpool-hackers@lists.postgresql.org
Content-Type: multipart/alternative; boundary="000000000000ab0a4f064b25e75a"
Archived-At: 
 <https://www.postgresql.org/message-id/CACeKOO14e4h1na%2BJ5TEPkHGuSVKA8YzL6gUaoCqgCqyoffCjHA%40mail.gmail.com>
Precedence: bulk

--000000000000ab0a4f064b25e75a
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Thanks! I=E2=80=99ll look into it and share an updated patch

Nadav Shatz
Tailor Brands | CTO


On Thu, Feb 19, 2026 at 1:51=E2=80=AFAM Tatsuo Ishii <ishii@postgresql.org>=
 wrote:

> >  Hi Tatsuo,
> >
> >   Thank you for the careful review. You raised an important concern. I'=
ve
> > addressed it in the updated patch =E2=80=95 here's the explanation:
> >
> >   The attack scenario you describe is now handled. In the updated patch=
,
> > writes inside explicit transactions are only flushed to the shared-memo=
ry
> > table map at COMMIT time. If the transaction is rolled back, the table =
is
> > never marked as stale. So the attack pattern:
> >
> >   BEGIN;
> >   UPDATE t1 SET i =3D 1 WHERE FALSE;
> >   ROLLBACK;
> >
> >   has zero effect on the shared-memory table map. The dml_adaptive_glob=
al
> > mode piggybacks on the existing dml_adaptive per-transaction write list
> > (transaction_temp_write_list). On COMMIT, the accumulated table names a=
re
> > resolved to OIDs and flushed to shared memory. On ROLLBACK,
> >   the list is simply discarded (the existing dml_adaptive behavior).
> >
> >   For autocommit statements (outside explicit transactions), tables are
> > marked immediately =E2=80=95 but in that case the write is committed, s=
o this is
> > correct.
> >
> >   Regression test included. Test 042 now includes:
> >   - Test 10: verifies that BEGIN; INSERT; ROLLBACK; SELECT does NOT rou=
te
> > the SELECT to primary
> >   - Test 11: verifies that BEGIN; INSERT; COMMIT; SELECT DOES route the
> > SELECT to primary
> >
> >   Additional context on the threat model:
> >
> >   1. This feature requires disable_load_balance_on_write =3D
> > 'dml_adaptive_global' =E2=80=95 it is opt-in, not enabled by default. O=
perators
> who
> > enable it accept documented trade-offs (additional shared memory,
> TTL-based
> > staleness window).
> >   2. An attacker who can connect and execute SQL against pgpool already
> has
> > the ability to cause far more damage (DROP TABLE, mass DELETEs, resourc=
e
> > exhaustion via expensive queries, connection flooding, etc.). The
> > table-marking via committed writes is a minor concern compared to
> >   those vectors. Authentication, connection limits, and network securit=
y
> > are the appropriate defenses at that layer.
> >   3. Even in the worst case (an attacker commits real writes in a loop)=
,
> > the impact is bounded: the stale marking is temporary (TTL-based,
> typically
> > a few seconds), and only affects load-balancing decisions =E2=80=95 it =
doesn't
> > cause data loss or correctness issues.
> >   4. The existing dml_adaptive mode has analogous behavior: within a
> > transaction, a write to table T causes all reads of T to go to primary
> for
> > the remainder of that transaction. The only difference is scope =E2=80=
=95
> > dml_adaptive_global extends this across sessions with a TTL.
> >
> > Thanks!
>
> Thank you for the patch. While I am looking into it, I noticed a
> regression test failure.
>
> t-ishii$ ./regress.sh 04[12]
> creating pgpool-II temporary installation ...
> :
> :
> testing 041.external_replication_delay...ok.
> testing 042.track_table_mutation...failed.
> out of 2 ok:1 failed:1 timeout:0
>
> However if I run 042 only, it succeeds.
>
> t-ishii$ ./regress.sh 042
> :
> :
> testing 042.track_table_mutation...ok.
> out of 1 ok:1 failed:0 timeout:0
>
> Can you please take a look at this? log/042.track_table_mutation
> attached.
>
> Best regards,
> --
> Tatsuo Ishii
> SRA OSS K.K.
> English: http://www.sraoss.co.jp/index_en/
> Japanese:http://www.sraoss.co.jp
>

--000000000000ab0a4f064b25e75a
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"auto">Thanks! I=E2=80=99ll look into it and share an updated pa=
tch<br clear=3D"all"><br clear=3D"all"><div><div dir=3D"rtl" class=3D"gmail=
_signature" data-smartmail=3D"gmail_signature"><div dir=3D"ltr"><div><div d=
ir=3D"ltr"><div dir=3D"rtl"><div dir=3D"ltr"><font style=3D"color:rgb(0,0,0=
)">Nadav Shatz</font></div><div dir=3D"ltr"><font style=3D"color:rgb(0,0,0)=
">Tailor Brands=C2=A0| CTO</font></div></div></div></div></div></div></div>=
</div><div><br></div><div><br><div class=3D"gmail_quote gmail_quote_contain=
er"><div dir=3D"ltr" class=3D"gmail_attr">On Thu, Feb 19, 2026 at 1:51=E2=
=80=AFAM Tatsuo Ishii &lt;<a href=3D"mailto:ishii@postgresql.org">ishii@pos=
tgresql.org</a>&gt; wrote:<br></div><blockquote class=3D"gmail_quote" style=
=3D"margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;=
padding-left:1ex;border-left-color:rgb(204,204,204)">&gt;=C2=A0 Hi Tatsuo,<=
br>
&gt; <br>
&gt;=C2=A0 =C2=A0Thank you for the careful review. You raised an important =
concern. I&#39;ve<br>
&gt; addressed it in the updated patch =E2=80=95 here&#39;s the explanation=
:<br>
&gt; <br>
&gt;=C2=A0 =C2=A0The attack scenario you describe is now handled. In the up=
dated patch,<br>
&gt; writes inside explicit transactions are only flushed to the shared-mem=
ory<br>
&gt; table map at COMMIT time. If the transaction is rolled back, the table=
 is<br>
&gt; never marked as stale. So the attack pattern:<br>
&gt; <br>
&gt;=C2=A0 =C2=A0BEGIN;<br>
&gt;=C2=A0 =C2=A0UPDATE t1 SET i =3D 1 WHERE FALSE;<br>
&gt;=C2=A0 =C2=A0ROLLBACK;<br>
&gt; <br>
&gt;=C2=A0 =C2=A0has zero effect on the shared-memory table map. The dml_ad=
aptive_global<br>
&gt; mode piggybacks on the existing dml_adaptive per-transaction write lis=
t<br>
&gt; (transaction_temp_write_list). On COMMIT, the accumulated table names =
are<br>
&gt; resolved to OIDs and flushed to shared memory. On ROLLBACK,<br>
&gt;=C2=A0 =C2=A0the list is simply discarded (the existing dml_adaptive be=
havior).<br>
&gt; <br>
&gt;=C2=A0 =C2=A0For autocommit statements (outside explicit transactions),=
 tables are<br>
&gt; marked immediately =E2=80=95 but in that case the write is committed, =
so this is<br>
&gt; correct.<br>
&gt; <br>
&gt;=C2=A0 =C2=A0Regression test included. Test 042 now includes:<br>
&gt;=C2=A0 =C2=A0- Test 10: verifies that BEGIN; INSERT; ROLLBACK; SELECT d=
oes NOT route<br>
&gt; the SELECT to primary<br>
&gt;=C2=A0 =C2=A0- Test 11: verifies that BEGIN; INSERT; COMMIT; SELECT DOE=
S route the<br>
&gt; SELECT to primary<br>
&gt; <br>
&gt;=C2=A0 =C2=A0Additional context on the threat model:<br>
&gt; <br>
&gt;=C2=A0 =C2=A01. This feature requires disable_load_balance_on_write =3D=
<br>
&gt; &#39;dml_adaptive_global&#39; =E2=80=95 it is opt-in, not enabled by d=
efault. Operators who<br>
&gt; enable it accept documented trade-offs (additional shared memory, TTL-=
based<br>
&gt; staleness window).<br>
&gt;=C2=A0 =C2=A02. An attacker who can connect and execute SQL against pgp=
ool already has<br>
&gt; the ability to cause far more damage (DROP TABLE, mass DELETEs, resour=
ce<br>
&gt; exhaustion via expensive queries, connection flooding, etc.). The<br>
&gt; table-marking via committed writes is a minor concern compared to<br>
&gt;=C2=A0 =C2=A0those vectors. Authentication, connection limits, and netw=
ork security<br>
&gt; are the appropriate defenses at that layer.<br>
&gt;=C2=A0 =C2=A03. Even in the worst case (an attacker commits real writes=
 in a loop),<br>
&gt; the impact is bounded: the stale marking is temporary (TTL-based, typi=
cally<br>
&gt; a few seconds), and only affects load-balancing decisions =E2=80=95 it=
 doesn&#39;t<br>
&gt; cause data loss or correctness issues.<br>
&gt;=C2=A0 =C2=A04. The existing dml_adaptive mode has analogous behavior: =
within a<br>
&gt; transaction, a write to table T causes all reads of T to go to primary=
 for<br>
&gt; the remainder of that transaction. The only difference is scope =E2=80=
=95<br>
&gt; dml_adaptive_global extends this across sessions with a TTL.<br>
&gt; <br>
&gt; Thanks!<br>
<br>
Thank you for the patch. While I am looking into it, I noticed a<br>
regression test failure.<br>
<br>
t-ishii$ ./regress.sh 04[12]<br>
creating pgpool-II temporary installation ...<br>
:<br>
:<br>
testing 041.external_replication_delay...ok.<br>
testing 042.track_table_mutation...failed.<br>
out of 2 ok:1 failed:1 timeout:0<br>
<br>
However if I run 042 only, it succeeds.<br>
<br>
t-ishii$ ./regress.sh 042<br>
:<br>
:<br>
testing 042.track_table_mutation...ok.<br>
out of 1 ok:1 failed:0 timeout:0<br>
<br>
Can you please take a look at this? log/042.track_table_mutation<br>
attached.<br>
<br>
Best regards,<br>
--<br>
Tatsuo Ishii<br>
SRA OSS K.K.<br>
English: <a href=3D"http://www.sraoss.co.jp/index_en/" rel=3D"noreferrer" t=
arget=3D"_blank">http://www.sraoss.co.jp/index_en/</a><br>
Japanese:<a href=3D"http://www.sraoss.co.jp" rel=3D"noreferrer" target=3D"_=
blank">http://www.sraoss.co.jp</a><br>
</blockquote></div></div>

--000000000000ab0a4f064b25e75a--