Subject: BUG #19508: pg_buffercache_pages() crashes the backend with an incompatible caller-supplied record definition
To: pgsql-bugs@lists.postgresql.org
From: PG Bug reporting form
Cc: n.kalinin@postgrespro.ru
Reply-To: n.kalinin@postgrespro.ru, pgsql-bugs@lists.postgresql.org
Date: Thu, 04 Jun 2026 14:35:10 +0000
Message-ID: <19508-e5f188183279219b@postgresql.org>

The following bug has been logged on the website:

Bug reference:      19508
Logged by:          Nikita Kalinin
Email address:      n.kalinin@postgrespro.ru
PostgreSQL version: 19beta1
Operating system:   Fedora 44
Description:

Hello,

It appears that pg_buffercache_pages() trusts a caller-supplied record
descriptor without verifying that the declared column types match the actual
values returned by the function.

The crash is reproducible on the current master branch with a fresh cluster
after installing the extension:

CREATE EXTENSION pg_buffercache;

SELECT *
FROM pg_buffercache_pages() AS p(
  bufferid integer,
  relfilenode oid,
  reltablespace oid,
  reldatabase oid,
  relforknumber smallint,
  relblocknumber bigint,
  isdirty text,
  usagecount smallint
)
LIMIT 1;

postgres=# select version();
                                                   version
-------------------------------------------------------------------------------------------------------------
 PostgreSQL 19beta1 on x86_64-pc-linux-gnu, compiled by gcc (GCC) 16.1.1 20260515 (Red Hat 16.1.1-2), 64-bit
(1 row)

The only difference from the types documented for pg_buffercache_pages() is
that isdirty is declared as text instead of boolean.

git blame points to the following commit:

commit 257c8231bf97a77378f6fedb826b1243f0a41612 (HEAD)
Author: Heikki Linnakangas
Date:   Tue Apr 7 16:04:48 2026 +0300

    Modernize and optimize pg_buffercache_pages()

Backtrace:

#0  0x00000000004b2565 in VARATT_CAN_MAKE_SHORT (PTR=)
    at ../../../../src/include/varatt.h:419
#1  heap_compute_data_size (tupleDesc=tupleDesc@entry=0x3e5ba110,
    values=values@entry=0x7ffd0dc219c0, isnull=isnull@entry=0x7ffd0dc219b4)
    at heaptuple.c:239
#2  0x00000000004b3bff in heap_form_minimal_tuple (tupleDescriptor=0x3e5ba110,
    values=values@entry=0x7ffd0dc219c0, isnull=isnull@entry=0x7ffd0dc219b4,
    extra=extra@entry=0) at heaptuple.c:1434
#3  0x0000000000a6fa09 in tuplestore_putvalues (state=0x3e5cc0d8, tdesc=,
    values=values@entry=0x7ffd0dc219c0, isnull=isnull@entry=0x7ffd0dc219b4)
    at tuplestore.c:791
#4  0x00007f180fa0447e in pg_buffercache_pages (fcinfo=)
    at pg_buffercache_pages.c:202
#5  0x00000000006b7e35 in ExecMakeTableFunctionResult (setexpr=0x3e5b9e98,
    econtext=0x3e5b9d38, argContext=, expectedDesc=0x3e5ba110,
    randomAccess=false) at execSRF.c:235
#6  0x00000000006ccc57 in FunctionNext (node=0x3e5b9b28)
    at nodeFunctionscan.c:95
#7  0x00000000006daf22 in ExecProcNode (node=0x3e5b9b28)
    at ../../../src/include/executor/executor.h:327
#8  ExecLimit (pstate=0x3e5b97b8) at nodeLimit.c:95
#9  0x00000000006ac39a in ExecProcNode (node=0x3e5b97b8)
    at ../../../src/include/executor/executor.h:327
#10 ExecutePlan (queryDesc=0x3e5d7d80, operation=CMD_SELECT, sendTuples=true,
    numberTuples=0, direction=, dest=0x3e5e11f8) at execMain.c:1736
#11 standard_ExecutorRun (queryDesc=0x3e5d7d80, direction=, count=0)
    at execMain.c:377
#12 0x00000000008c61d8 in PortalRunSelect (portal=portal@entry=0x3e52f130,
    forward=forward@entry=true, count=0, count@entry=9223372036854775807,
    dest=dest@entry=0x3e5e11f8) at pquery.c:917
#13 0x00000000008c78be in PortalRun (portal=portal@entry=0x3e52f130,
    count=count@entry=9223372036854775807,
    isTopLevel=isTopLevel@entry=true, dest=dest@entry=0x3e5e11f8,
    altdest=altdest@entry=0x3e5e11f8, qc=qc@entry=0x7ffd0dc21e20)
    at pquery.c:761
#14 0x00000000008c3548 in exec_simple_query (
    query_string=0x3e48b800 "SELECT *\nFROM pg_buffercache_pages() AS p(\n bufferid integer,\n relfilenode oid,\n reltablespace oid,\n reldatabase oid,\n relforknumber smallint,\n relblocknumber bigint,\n isdirty text,\n usagecoun"...)
    at postgres.c:1290
#15 0x00000000008c5021 in PostgresMain (dbname=, username=)
    at postgres.c:4856
#16 0x00000000008bf01d in BackendMain (startup_data=, startup_data_len=)
    at backend_startup.c:124
#17 0x00000000007fefae in postmaster_child_launch (child_type=, child_slot=1,
    startup_data=startup_data@entry=0x7ffd0dc22270,
    startup_data_len=startup_data_len@entry=24,
    client_sock=client_sock@entry=0x7ffd0dc22290) at launch_backend.c:268
#18 0x00000000008029b6 in BackendStartup (client_sock=0x7ffd0dc22290)
    at postmaster.c:3627
#19 ServerLoop () at postmaster.c:1728
#20 0x0000000000804479 in PostmasterMain (argc=argc@entry=3,
    argv=argv@entry=0x3e434fe0) at postmaster.c:1415
#21 0x00000000004a1c18 in main (argc=3, argv=0x3e434fe0) at main.c:231

For comparison, the same query executed on REL_18_STABLE is rejected with a
regular error:

ERROR:  function return row and query-specified return row do not match
DETAIL:  Returned type boolean at ordinal position 7, but query expects text.
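
Added example, not part of the original report and not PostgreSQL source code: a minimal C model of the check the report describes as missing, comparing the caller-declared column types with the types the function produces before any value is stored. RowDesc, first_mismatch and check_row are hypothetical names, the two column lists are constructed from the query in the report, and the type OIDs are PostgreSQL's built-in ones.

```c
#include <stdio.h>
#include <string.h>

/* Built-in PostgreSQL type OIDs. */
enum { BOOLOID = 16, INT8OID = 20, INT2OID = 21, INT4OID = 23, TEXTOID = 25, OIDOID = 26 };

/* Hypothetical stand-in for a tuple descriptor: one type OID per column. */
typedef struct { int natts; const unsigned *types; } RowDesc;

/* Constructed from the report's query: isdirty is produced as boolean, declared as text. */
static const unsigned produced_cols[] = { INT4OID, OIDOID, OIDOID, OIDOID, INT2OID, INT8OID, BOOLOID, INT2OID };
static const unsigned report_cols[]   = { INT4OID, OIDOID, OIDOID, OIDOID, INT2OID, INT8OID, TEXTOID, INT2OID };
static const RowDesc produced = { 8, produced_cols }, from_report = { 8, report_cols };
static char detail[128];

static const char *type_name(unsigned oid)
{
    return oid == BOOLOID ? "boolean"  : oid == TEXTOID ? "text" :
           oid == INT2OID ? "smallint" : oid == INT4OID ? "integer" :
           oid == INT8OID ? "bigint"   : oid == OIDOID  ? "oid" : "unknown";
}

/* 0 if the rows agree, -1 if the column counts differ, else the 1-based ordinal of the first mismatch. */
int first_mismatch(const RowDesc *expected, const RowDesc *actual)
{
    if (expected->natts != actual->natts)
        return -1;
    for (int i = 0; i < expected->natts; i++)
        if (expected->types[i] != actual->types[i])
            return i + 1;
    return 0;
}

/* Run the check before any value is stored; on a type mismatch, write the DETAIL text into buf. */
int check_row(const RowDesc *expected, const RowDesc *actual, char *buf, size_t len)
{
    int pos = first_mismatch(expected, actual);
    if (pos > 0)
        snprintf(buf, len, "Returned type %s at ordinal position %d, but query expects %s.",
                 type_name(actual->types[pos - 1]), pos, type_name(expected->types[pos - 1]));
    return pos;
}

int main(void)
{
    check_row(&from_report, &produced, detail, sizeof detail);
    puts(detail);
    return strlen(detail) == 0; /* non-zero exit if nothing was rejected */
}
```

For the query in the report the model stops at column 7 and yields the same DETAIL text that REL_18_STABLE prints.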