Received: from malur.postgresql.org ([217.196.149.56])
	by arkaria.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.96)
	(envelope-from <pgsql-bugs-owner+archive@lists.postgresql.org>)
	id 1wFzDl-005lna-0y
	for pgsql-bugs@arkaria.postgresql.org;
	Thu, 23 Apr 2026 18:56:18 +0000
Received: from localhost ([127.0.0.1] helo=malur.postgresql.org)
	by malur.postgresql.org with esmtp (Exim 4.96)
	(envelope-from <pgsql-bugs-owner+archive@lists.postgresql.org>)
	id 1wFzDk-002zqz-1R
	for pgsql-bugs@arkaria.postgresql.org;
	Thu, 23 Apr 2026 18:56:16 +0000
Received: from makus.postgresql.org ([2001:4800:3e1:1::229])
	by malur.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.96)
	(envelope-from <x4mmm@yandex-team.ru>)
	id 1wFzDk-002zqT-08
	for pgsql-bugs@lists.postgresql.org;
	Thu, 23 Apr 2026 18:56:16 +0000
Received: from forwardcorp1a.mail.yandex.net ([2a02:6b8:c0e:500:1:45:d181:df01])
	by makus.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.98.2)
	(envelope-from <x4mmm@yandex-team.ru>)
	id 1wFzDg-00000002ScX-0zkE
	for pgsql-bugs@lists.postgresql.org;
	Thu, 23 Apr 2026 18:56:15 +0000
Received: from mail-nwsmtp-smtp-corp-main-66.iva.yp-c.yandex.net (mail-nwsmtp-smtp-corp-main-66.iva.yp-c.yandex.net [IPv6:2a02:6b8:c0c:bf1f:0:640:c739:0])
	by forwardcorp1a.mail.yandex.net (Yandex) with ESMTPS id 9659EC01EA;
	Thu, 23 Apr 2026 21:56:07 +0300 (MSK)
Received: from smtpclient.apple (unknown [2a02:6bf:8080:438::1:10])
	by mail-nwsmtp-smtp-corp-main-66.iva.yp-c.yandex.net (smtpcorp) with ESMTPSA id 6uZDY20L14Y0-XRo1V1rI;
	Thu, 23 Apr 2026 21:56:07 +0300
X-Yandex-Fwd: 1
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yandex-team.ru;
	s=default; t=1776970567;
	bh=BSLhTe5JlZSzbbrx7deKuaUcrH1LiPShmZXqu5Gsm3w=;
	h=Message-Id:To:Date:References:Cc:In-Reply-To:From:Subject;
	b=Gk6fV0dK9WdrvFw9SAOMuxUAQ0cCKbPoblLqO7Qi/w8cgUIEBCZRvxxE/S9xTyWce
	 d8sUj4k6E7tIfPxcZ4cfmLgNroU827AfVMe1I5UFTJRUWO9nFVE8lyia2CEeAchcPp
	 PTGCjT1fxvC8GQxtmJ5uSob4zXcN9PRe0BlnFpPA=
Authentication-Results: mail-nwsmtp-smtp-corp-main-66.iva.yp-c.yandex.net; dkim=pass header.i=@yandex-team.ru
Content-Type: text/plain;
	charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3864.400.21\))
Subject: Re: BUG #19458: OOM killer in jsonb_path_exists_opr (@?) with
 malformed JSONPath containing non-existent variables
From: Andrey Borodin <x4mmm@yandex-team.ru>
In-Reply-To: <CAB8bMit1HvJsAasUYwmq+82Oa3zQhJyvsHNS4PGF_S_BCMnuVA@mail.gmail.com>
Date: Thu, 23 Apr 2026 23:55:56 +0500
Cc: pgsql-bugs@lists.postgresql.org,
 dhyan@nataraj.su
Content-Transfer-Encoding: quoted-printable
Message-Id: <AE0E8193-85BD-4A10-BE23-582D92DA281D@yandex-team.ru>
References: <19458-a69c98bc498333ba@postgresql.org>
 <CAB8bMit1HvJsAasUYwmq+82Oa3zQhJyvsHNS4PGF_S_BCMnuVA@mail.gmail.com>
To: Andrey Rachitskiy <pl0h0yp1@gmail.com>
X-Mailer: Apple Mail (2.3864.400.21)
List-Id: <pgsql-bugs.lists.postgresql.org>
List-Help: <https://lists.postgresql.org/manage/>
List-Subscribe: <https://lists.postgresql.org/manage/>
List-Post: <mailto:pgsql-bugs@lists.postgresql.org>
List-Owner: <mailto:pgsql-bugs-owner@lists.postgresql.org>
List-Archive: <https://www.postgresql.org/list/pgsql-bugs>
Archived-At: <https://www.postgresql.org/message-id/AE0E8193-85BD-4A10-BE23-582D92DA281D%40yandex-team.ru>
Precedence: bulk



> On 20 Apr 2026, at 18:38, Andrey Rachitskiy <pl0h0yp1@gmail.com> =
wrote:
>=20
> I propose a targeted backpatch for REL_14/15/16 in jsonpath_exec.c to =
align missing variable handling with newer branches and prevent =
pathological memory growth on malformed/hostile jsonpath expressions.

Hi! Thank you for the report and proposed fix. I've took a look into the
patch.

So we can use vars like this:

# SELECT jsonb_path_exists(
'{"x": 42}'::jsonb,
'$ ? ($"threshold" < 50)'::jsonpath,
'{"threshold": 10}'::jsonb -- HERE go vars
);

Operator @? is doing the same, but without supplied vars. And this =
thread
essentially points to buggy handling of vars:

# SELECT j @? '$"no_such_var"'
FROM (VALUES
  ('{"important": "data"}'::jsonb),
  ('42'::jsonb),
  ('null'::jsonb),
  ('false'::jsonb)
) AS t(j);
 ?column? =20
----------
 t
 t
 t
 t
(4 rows)

It basically says that path with value of var "no_such_var" exists =
everywhere.

I think it's a bug, but we would need a JSON Path expert here.

17+ throws an error, which seems suspicious to me too. @? is expected to
operate in silent mode. Perhaps, we should just return NULL instead of =
t.
By using RETURN_ERROR macro. But it might sound overly invasive for back
branches.

Even if we are going to throw an error, we can give mode details. I'd =
suggest
instead of "could not find jsonpath variable \"%s\"" throwing something =
like
"no variables supplied to reference by variable \"%s\"" or something =
along
those lines.


Besides this, the direction of the fix looks good to me. Thank you!


Best regards, Andrey Borodin.=