public inbox for [email protected]
help / color / mirror / Atom feedFrom: Andrey Rachitskiy <[email protected]>
To: Amit Langote <[email protected]>
Cc: Andrey Borodin <[email protected]>
Cc: Nikita Malakhov <[email protected]>
Cc: PostgreSQL mailing lists <[email protected]>
Cc: Nikolay Shaplov <[email protected]>
Subject: Re: BUG #19458: OOM killer in jsonb_path_exists_opr (@?) with malformed JSONPath containing non-existent variables
Date: Fri, 5 Jun 2026 15:03:11 +0500
Message-ID: <CAB8bMivkf5X73X6LOSxt4r4tx_PN6DnGKVcBa3BtYX=eOKwHaw@mail.gmail.com> (raw)
In-Reply-To: <CA+HiwqG5pP8g0oGkz8x6X80XJyZqGiS16F9DhvJ3Ukejkd8MbQ@mail.gmail.com>
References: <[email protected]>
<CAB8bMit1HvJsAasUYwmq+82Oa3zQhJyvsHNS4PGF_S_BCMnuVA@mail.gmail.com>
<[email protected]>
<CAN-LCVNh2z4EE+F21XPe7XRSWfPFtZx1WYAswpU5qs+RdR=jjg@mail.gmail.com>
<[email protected]>
<CAN-LCVPiBi9XXW__RorX=dH2_fANAMXhdbULmHFFg97F_0ubRw@mail.gmail.com>
<[email protected]>
<CA+HiwqG5pP8g0oGkz8x6X80XJyZqGiS16F9DhvJ3Ukejkd8MbQ@mail.gmail.com>
The growing allocation is leaked temporary JsonValueLists in
executePredicate() (local lseq/rseq, ~1482–1547) and the arithmetic helpers
executeBinaryArithmExpr() / executeUnaryArithmExpr() (~1561–1684). Each
nested comparison or arithmetic subexpression materializes operands via
executeItemOptUnwrapResult[NoThrow]() → executeNextItem() →
JsonValueListAppend() (~1165, ~2451), but the interim lists are never freed
before return. For @? specifically, executeJsonPath() also leaks a local
vals list in strict exists mode (~579–586).
Missing vars make the AFL case worse by returning null instead of error, so
evaluation continues deep into nested $?()/comparisons instead of stopping
at the first $"…" reference. The same leak mechanism is reachable without
missing vars — Tom Lane demonstrated this on master (5a2043bf713) with $[*]
? (@ < $) on a large array.
Our missing-variable patch fixes the reported OOM and the @? semantics bug
by aborting early. Whether REL_14/15/16 also need a broader fix for interim
JsonValueList cleanup is beyond what I can confidently propose; I've tried
to pin down where the growth happens for that discussion.
пт, 5 июн. 2026 г. в 13:58, Amit Langote <[email protected]>:
> Hi,
>
> Before I dig into the patch properly after the weekend, one question
> on the report itself: has anyone traced why the old path runs away on
> memory? We've characterized it as missing-var, then null, then
> evaluation continues, then OOM, but I don't think the actual growing
> allocation has been pinned down. Mostly want to understand whether the
> same runaway is reachable without a missing variable, since raising
> the error early wouldn't catch those cases.
>
> - Thanks, Amit
>
view thread (10+ messages) latest in thread
reply
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Reply to all the recipients using the --to and --cc options:
reply via email
To: [email protected]
Cc: [email protected], [email protected], [email protected], [email protected], [email protected], [email protected]
Subject: Re: BUG #19458: OOM killer in jsonb_path_exists_opr (@?) with malformed JSONPath containing non-existent variables
In-Reply-To: <CAB8bMivkf5X73X6LOSxt4r4tx_PN6DnGKVcBa3BtYX=eOKwHaw@mail.gmail.com>
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox