Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1wScPR-003ISm-0d for pgsql-bugs@arkaria.postgresql.org; Thu, 28 May 2026 15:12:33 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.96) (envelope-from ) id 1wScPP-00CYz1-0p for pgsql-bugs@arkaria.postgresql.org; Thu, 28 May 2026 15:12:32 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1wScPO-00CYyl-3D for pgsql-bugs@lists.postgresql.org; Thu, 28 May 2026 15:12:31 +0000 Received: from sss.pgh.pa.us ([68.162.161.243]) by makus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.98.2) (envelope-from ) id 1wScPN-00000001BQw-3VgA for pgsql-bugs@lists.postgresql.org; Thu, 28 May 2026 15:12:31 +0000 Received: from sss1.sss.pgh.pa.us (localhost [127.0.0.1]) by sss.pgh.pa.us (8.18.1/8.18.1) with ESMTP id 64SFCRCq982976; Thu, 28 May 2026 11:12:27 -0400 From: Tom Lane To: "Matheus Alcantara" cc: adoros@starfishstorage.com, pgsql-bugs@lists.postgresql.org Subject: Re: BUG #19480: PL/Python SRF crashes (SIGSEGV) when function is replaced mid-iteration: use-after-free in PLy_funct In-reply-to: References: <19480-f1f9fdce30462fc4@postgresql.org> Comments: In-reply-to "Matheus Alcantara" message dated "Mon, 25 May 2026 19:26:17 -0300" MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-ID: <982974.1779981146.1@sss.pgh.pa.us> Date: Thu, 28 May 2026 11:12:26 -0400 Message-ID: <982975.1779981146@sss.pgh.pa.us> List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk "Matheus Alcantara" writes: > On Fri May 15, 2026 at 8:11 AM -03, PG Bug reporting form wrote: >> The root cause is that srfstate->savedargs is tied to proc->mcxt (which can >> be deleted at any per-call boundary) rather than to >> funcctx->multi_call_memory_ctx (which lives for the entire SRF lifetime). > Option A seems to fix the issue (see attached patch) but I've found > another issue while playing with this that I think it's related: > ... > This is because when PLy_procedure_delete() is executed on > PLy_procedure_get() it also destroy information related with recursive > functions, such as "calldepth", "argstack" and "globals" which cause the > assert failure Assert(proc->calldepth > 0) on PLy_global_args_pop() when > it's executed on PG_CATCH block on PLy_exec_function() or EXC_BAD_ACCESS > when accessing "argstack" or "globals". Yeah. The bigger picture though is: if we are re-entrantly calling either a recursive function or a SRF, we should not destroy any of the existing state, nor do we want to replace the function body. The only way to have sane behavior is to keep executing the same function body until the execution instance (recursion level or continued SRF) is done. So these concerns about associated state are only part of the problem. plpgsql ran into this years ago, and its solution has been to maintain a reference count on each function parsetree and not destroy an obsoleted parsetree till the reference count goes to zero. I've had in the back of my head that the other PLs need to do likewise, but it hasn't gotten to the front of the to-do list, mainly because the other PLs are much less used and so field complaints about this have been rare. I had hoped also that the language interpreters underlying the other PLs might solve some of this for us, but it's unclear to what extent they help. Certainly it's not cool to be clobbering our own execution state that's outside the language interpreter. We might want to go as far as converting the other PLs to use the utils/cache/funccache.c infrastructure, but perhaps there is a less invasive fix. Certainly, a fix based on funccache.c could not be back-patched. (On the other hand, given the rarity of complaints, perhaps a HEAD-only fix is acceptable.) regards, tom lane