Received: from malur.postgresql.org ([217.196.149.56])
	by arkaria.postgresql.org with esmtps  (TLS1.3) tls
 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.96)
	(envelope-from <pgsql-bugs-owner+archive@lists.postgresql.org>)
	id 1wRdkg-002XvM-1S
	for pgsql-bugs@arkaria.postgresql.org;
	Mon, 25 May 2026 22:26:26 +0000
Received: from localhost ([127.0.0.1] helo=malur.postgresql.org)
	by malur.postgresql.org with esmtp (Exim 4.96)
	(envelope-from <pgsql-bugs-owner+archive@lists.postgresql.org>)
	id 1wRdke-002JxC-17
	for pgsql-bugs@arkaria.postgresql.org;
	Mon, 25 May 2026 22:26:25 +0000
Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29])
	by malur.postgresql.org with esmtps  (TLS1.3) tls
 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.96)
	(envelope-from <matheusssilv97@gmail.com>)
	id 1wRdkd-002Jx4-3B
	for pgsql-bugs@lists.postgresql.org;
	Mon, 25 May 2026 22:26:25 +0000
Received: from mail-vk1-xa35.google.com ([2607:f8b0:4864:20::a35])
	by magus.postgresql.org with esmtps  (TLS1.3) tls
 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
	(Exim 4.98.2)
	(envelope-from <matheusssilv97@gmail.com>)
	id 1wRdkc-00000001QA5-2xRS
	for pgsql-bugs@lists.postgresql.org;
	Mon, 25 May 2026 22:26:24 +0000
Received: by mail-vk1-xa35.google.com with SMTP id
 71dfb90a1353d-5751136c561so8528537e0c.1
        for <pgsql-bugs@lists.postgresql.org>;
 Mon, 25 May 2026 15:26:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20251104; t=1779747980; x=1780352780;
 darn=lists.postgresql.org;
        h=in-reply-to:references:mime-version:to:from:subject:message-id:date
         :from:to:cc:subject:date:message-id:reply-to;
        bh=kNZ0PJQsGDFv+O8BSlkGLuu5TMuWte7/KydOvNSL/M8=;
        b=LNqLYhpH1lo39fjjSeBxsJLlijJ0UHeukWgcyZrOLSUAkZjZHnJ3rZ6wvquKQ++68T
         UN105B/D7Kf0EI+s5lKjTKEuGgINw0AlWsY5rwljJdINJuRiYSpJNiPb3dV9DXmA3c88
         lugTGpnYDl93+718RLCcwC9Qhj1/UM1XFeirKgSCggvp92tpzA5ZMi4Qkf0Z1HbuuOGk
         daaYnecqoRddes0SY/8MS1GLWnMg/9Wm+pv73+Sm0VdYL5L6JBncLNHwBHBikBiX8/Xu
         r5IMdesrAhBdQ4lfV1hXKENrfq0R12DzJdwnPHJvvBg5uI2EBT4jF/z3a2hOZdLP+Lmb
         R/6g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20251104; t=1779747980; x=1780352780;
        h=in-reply-to:references:mime-version:to:from:subject:message-id:date
         :x-gm-gg:x-gm-message-state:from:to:cc:subject:date:message-id
         :reply-to;
        bh=kNZ0PJQsGDFv+O8BSlkGLuu5TMuWte7/KydOvNSL/M8=;
        b=NQYq/gb38uWF2vDU9f077Dv+UD2fc6blgmNmdbce67fSMkuBV+qVydS1bHuvZ42Ojd
         a5roIARhOSTxAJNNOxsXH5jtgp4uxqDIDKxZSCsAr4raThch1UT8SFRc0tS/soD7QSxa
         sAFwo2axd/BKETKZVk1YuNEQTb/xP1WMLQ+bNzutKiIxo4aeZJ2FNFzAcKJsJOGxY6v/
         x7QTQ25p4KaAwjJxb8l3oY7gWxbn0P5D97JurgvfzocYPykRdbUxDPUxrBLV0JKuQNlp
         6a9MlNaCmM4imJYIcE0D4SSnohlXF17d3Myy/9OsNYLvSYwzRYhsg2aaTLFma+a1oLdy
         bKcQ==
X-Forwarded-Encrypted: i=1;
 AFNElJ+wkKO4ggt8Is0rIQRjzkWIybgk9Wo992dvMhJPSeTSuVYrRHLSiWWMxmd/mJGFtzo4Wqbq81PZhLqB@lists.postgresql.org
X-Gm-Message-State: AOJu0Yziq9xGC16zp82KglLa4gC1jnItj0QtvtiuJphXXQ+6cWndb9Ad
	Pdh2/C8ZbBWDiyiM1K5c6+ztq6adO4ibkk7fr7i9txoYEfGdJ7VlSbBW
X-Gm-Gg: Acq92OFaQupqw47yhhhqzCmCg7mfwXeWngk5Sy+t7LEFEjGbwnIw73MQ0vEdpGBVGXt
	ggHbUVIRGS+qQQY/8qhDlQcyS9HlM81lv0kF4YrkvS+JZ40VkcSg14CwaXwmBhV9kWxTR9u7Rvq
	9zbtOpE4dTqpXEiCWnnDOz+86byRFqbjjFZWjlvnA84/kNKGSGnqwGHaeDG7DqqRYsZqrsu+W6H
	dYYJce8lupsRzTqKmc2+UdclrcCneXqxqEDVg2jge4y3uO5VWsGP88/M41VSRfsJJ4DJ4KTjK8/
	mqtbtSk80Ifv5wduoq2KmyeOTwibcSm+rVNLWydbZykenUiI1pe1S/uY7DJJpFQA/wb1dhPMs81
	lsaPSV51v6S3I0M93egslzGmd1nBQqYWpnR9J4ZQKxhR+pP1yKcQn815NG3eJ7DyoNlYyeMbH6l
	SfKR9FECXlzUbu1/MQlqpMMkzrAjN9dwPuqVoujIderrMLKw==
X-Received: by 2002:a05:6122:4b0b:b0:575:9f5:ac57 with SMTP id
 71dfb90a1353d-5868da99739mr3308273e0c.4.1779747980514;
        Mon, 25 May 2026 15:26:20 -0700 (PDT)
Received: from localhost ([2804:14d:328a:a59c:1166:2b6a:3001:a372])
        by smtp.gmail.com with ESMTPSA id
 71dfb90a1353d-586f889e7e3sm13722630e0c.15.2026.05.25.15.26.19
        (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
        Mon, 25 May 2026 15:26:20 -0700 (PDT)
Content-Type: multipart/mixed;
 boundary=18194a22b89a91d7b090efef74f2024bf9c4ccb73bc848c42352b739eba4
Date: Mon, 25 May 2026 19:26:17 -0300
Message-Id: <DIS405H05GE0.1OPMN9BEKKMS1@gmail.com>
Subject: Re: BUG #19480: PL/Python SRF crashes (SIGSEGV) when function is
 replaced mid-iteration: use-after-free in PLy_funct
From: "Matheus Alcantara" <matheusssilv97@gmail.com>
To: <adoros@starfishstorage.com>, <pgsql-bugs@lists.postgresql.org>
Mime-Version: 1.0
X-Mailer: aerc 0.21.0
References: <19480-f1f9fdce30462fc4@postgresql.org>
In-Reply-To: <19480-f1f9fdce30462fc4@postgresql.org>
List-Id: <pgsql-bugs.lists.postgresql.org>
List-Help: <https://lists.postgresql.org/manage/>
List-Subscribe: <https://lists.postgresql.org/manage/>
List-Post: <mailto:pgsql-bugs@lists.postgresql.org>
List-Owner: <mailto:pgsql-bugs-owner@lists.postgresql.org>
List-Archive: <https://www.postgresql.org/list/pgsql-bugs>
Archived-At: 
 <https://www.postgresql.org/message-id/DIS405H05GE0.1OPMN9BEKKMS1%40gmail.com>
Precedence: bulk

--18194a22b89a91d7b090efef74f2024bf9c4ccb73bc848c42352b739eba4
Content-Type: multipart/alternative;
 boundary=4f5f8659150cc68dade710fef0b0499c5ec5f2a353154a85eb87df62d891

--4f5f8659150cc68dade710fef0b0499c5ec5f2a353154a85eb87df62d891
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline
Content-Type: text/plain; charset=UTF-8

On Fri May 15, 2026 at 8:11 AM -03, PG Bug reporting form wrote:
> The root cause is that srfstate->savedargs is tied to proc->mcxt (which c=
an
> be deleted at any per-call boundary) rather than to
> funcctx->multi_call_memory_ctx (which lives for the entire SRF lifetime).
>
> Option A =E2=80=94 allocate savedargs in funcctx->multi_call_memory_ctx:
> Change PLy_function_save_args to accept a MemoryContext parameter and pas=
s
> funcctx->multi_call_memory_ctx from PLy_exec_function. The saved PyObject=
*
> references are valid regardless of which MemoryContext holds the struct.
>
> Option B =E2=80=94 detect proc rebuild and discard stale savedargs:
> After PLy_procedure_get returns a new proc, check whether it differs from
> the
> proc that created srfstate->savedargs. If so, discard savedargs
> (PLy_function_drop_args or simply set to NULL) and skip the restore.
>

Hi, thank you for the very detailed bug report. I've managed to
reproduce the issue on master.

Option A seems to fix the issue (see attached patch) but I've found
another issue while playing with this that I think it's related:

CREATE OR REPLACE FUNCTION trigger_stack_overflow(x BIGINT)
RETURNS TABLE(i BIGINT) AS $$
    import time
    plpy.execute(f"CREATE TEMP TABLE _rt_{x} (x int)")
    plpy.execute(f"DROP TABLE _rt_{x}")
    time.sleep(0.3)
    plpy.execute("SELECT trigger_stack_overflow(1)")
    yield x
$$ LANGUAGE plpython3u VOLATILE;

Run SELECT trigger_stack_overflow(1) and on another session execute the
CREATE OR REPLACE and wait for the first session to crash with this
stacktrace:
frame #3: 0x000000010554a694 postgres`ExceptionalCondition(conditionName=3D=
"proc->calldepth > 0", fileName=3D"../src/pl/plpython/plpy_exec.c", lineNum=
ber=3D701) at assert.c:65:2
frame #4: 0x0000000105e41984 plpython3.dylib`PLy_global_args_pop(proc=3D0x0=
00000014b03cf00) at plpy_exec.c:701:2
frame #5: 0x0000000105e40d94 plpython3.dylib`PLy_exec_function(fcinfo=3D0x0=
00000011e077738, proc=3D0x000000014b03cf00) at plpy_exec.c:264:3

The expected output from the first session should be something like
this:

ERROR:  54001: error fetching next item from iterator
DETAIL:  spiexceptions.StatementTooComplex: error fetching next item from i=
terator
HINT:  Increase the configuration parameter "max_stack_depth" (currently 20=
48kB), after ensuring the platform's stack depth limit is adequate.

This is because when PLy_procedure_delete() is executed on
PLy_procedure_get() it also destroy information related with recursive
functions, such as "calldepth", "argstack" and "globals" which cause the
assert failure Assert(proc->calldepth > 0) on PLy_global_args_pop() when
it's executed on PG_CATCH block on PLy_exec_function() or EXC_BAD_ACCESS
when accessing "argstack" or "globals".

Althrought changing the memory context where savedargs is allocated fix
the reported issue I think that the long term fix is to preserve such
necessary execution information during PLyProcedure re-creation. I'm
still studying the code to see if and how this can implemented.

--
Matheus Alcantara
EDB: https://www.enterprisedb.com

--4f5f8659150cc68dade710fef0b0499c5ec5f2a353154a85eb87df62d891--

--18194a22b89a91d7b090efef74f2024bf9c4ccb73bc848c42352b739eba4
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
 filename=0001-plpython-Use-correct-memory-context-for-savedargs.patch
Content-Type: text/plain; charset=utf-8;
 name=0001-plpython-Use-correct-memory-context-for-savedargs.patch

RnJvbSA2MWY0NmFiZDQ1MDljYzUxOWRlM2U0M2FkZmQ5ZTBiNGZhMGY2ZmNiIE1vbiBTZXAgMTcg
MDA6MDA6MDAgMjAwMQpGcm9tOiBNYXRoZXVzIEFsY2FudGFyYSA8bXRocy5kZXZAcG0ubWU+CkRh
dGU6IE1vbiwgMjUgTWF5IDIwMjYgMTk6MjI6MDkgLTAzMDAKU3ViamVjdDogW1BBVENIXSBwbHB5
dGhvbjogVXNlIGNvcnJlY3QgbWVtb3J5IGNvbnRleHQgZm9yIHNhdmVkYXJncwoKLS0tCiBzcmMv
cGwvcGxweXRob24vcGxweV9leGVjLmMgfCAyNyArKysrKysrKysrKysrKysrKysrKy0tLS0tLS0K
IDEgZmlsZSBjaGFuZ2VkLCAyMCBpbnNlcnRpb25zKCspLCA3IGRlbGV0aW9ucygtKQoKZGlmZiAt
LWdpdCBhL3NyYy9wbC9wbHB5dGhvbi9wbHB5X2V4ZWMuYyBiL3NyYy9wbC9wbHB5dGhvbi9wbHB5
X2V4ZWMuYwppbmRleCBkZTBkYWQxZjUzMy4uZDkzZTgwMGUwYmUgMTAwNjQ0Ci0tLSBhL3NyYy9w
bC9wbHB5dGhvbi9wbHB5X2V4ZWMuYworKysgYi9zcmMvcGwvcGxweXRob24vcGxweV9leGVjLmMK
QEAgLTMxLDcgKzMxLDcgQEAgdHlwZWRlZiBzdHJ1Y3QgUEx5U1JGU3RhdGUKIH0gUEx5U1JGU3Rh
dGU7CiAKIHN0YXRpYyBQeU9iamVjdCAqUEx5X2Z1bmN0aW9uX2J1aWxkX2FyZ3MoRnVuY3Rpb25D
YWxsSW5mbyBmY2luZm8sIFBMeVByb2NlZHVyZSAqcHJvYyk7Ci1zdGF0aWMgUEx5U2F2ZWRBcmdz
ICpQTHlfZnVuY3Rpb25fc2F2ZV9hcmdzKFBMeVByb2NlZHVyZSAqcHJvYyk7CitzdGF0aWMgUEx5
U2F2ZWRBcmdzICpQTHlfZnVuY3Rpb25fc2F2ZV9hcmdzKE1lbW9yeUNvbnRleHQgbWN0eCwgUEx5
UHJvY2VkdXJlICpwcm9jKTsKIHN0YXRpYyB2b2lkIFBMeV9mdW5jdGlvbl9yZXN0b3JlX2FyZ3Mo
UEx5UHJvY2VkdXJlICpwcm9jLCBQTHlTYXZlZEFyZ3MgKnNhdmVkYXJncyk7CiBzdGF0aWMgdm9p
ZCBQTHlfZnVuY3Rpb25fZHJvcF9hcmdzKFBMeVNhdmVkQXJncyAqc2F2ZWRhcmdzKTsKIHN0YXRp
YyB2b2lkIFBMeV9nbG9iYWxfYXJnc19wdXNoKFBMeVByb2NlZHVyZSAqcHJvYyk7CkBAIC0xNzYs
OCArMTc2LDE1IEBAIFBMeV9leGVjX2Z1bmN0aW9uKEZ1bmN0aW9uQ2FsbEluZm8gZmNpbmZvLCBQ
THlQcm9jZWR1cmUgKnByb2MpCiAJCQkJICogVGhpcyB3b24ndCBiZSBsYXN0IGNhbGwsIHNvIHNh
dmUgYXJndW1lbnQgdmFsdWVzLiAgV2UgZG8KIAkJCQkgKiB0aGlzIGFnYWluIGVhY2ggdGltZSBp
biBjYXNlIHRoZSBpdGVyYXRvciBpcyBjaGFuZ2luZyB0aG9zZQogCQkJCSAqIHZhbHVlcy4KKwkJ
CQkgKgorCQkJCSAqIFdlIHVzZSBmdW5jY3R4LT5tdWx0aV9jYWxsX21lbW9yeV9jdHggdG8gZW5z
dXJlIHNhdmVkYXJncworCQkJCSAqIHN1cnZpdmVzIGFjcm9zcyBWYWx1ZVBlckNhbGwgaW52b2Nh
dGlvbnMsIGJ1dCBpcyBjbGVhbmVkIHVwCisJCQkJICogd2hlbiB0aGUgU1JGIGNvbXBsZXRlcy4g
IFRoaXMgYWxzbyBwcm90ZWN0cyBhZ2FpbnN0IHRoZQorCQkJCSAqIGNhc2Ugd2hlcmUgdGhlIHBy
b2NlZHVyZSBpcyBkZWxhdGVkICh2aWEKKwkJCQkgKiBQTHlfcHJvY2VkdXJlX2RlbGV0ZSApIHdo
aWxlIHRoZSBTUkYgaXMgcnVubmluZy4KIAkJCQkgKi8KLQkJCQlzcmZzdGF0ZS0+c2F2ZWRhcmdz
ID0gUEx5X2Z1bmN0aW9uX3NhdmVfYXJncyhwcm9jKTsKKwkJCQlzcmZzdGF0ZS0+c2F2ZWRhcmdz
ID0gUEx5X2Z1bmN0aW9uX3NhdmVfYXJncyhmdW5jY3R4LT5tdWx0aV9jYWxsX21lbW9yeV9jdHgs
CisJCQkJCQkJCQkJCQkJCQkgcHJvYyk7CiAJCQl9CiAJCX0KIApAQCAtNTM2LDEzICs1NDMsMTMg
QEAgUEx5X2Z1bmN0aW9uX2J1aWxkX2FyZ3MoRnVuY3Rpb25DYWxsSW5mbyBmY2luZm8sIFBMeVBy
b2NlZHVyZSAqcHJvYykKICAqIGF2YWlsYWJsZSB2aWEgdGhlIHByb2MncyBnbG9iYWxzIDotKCAu
Li4gYnV0IHdlJ3JlIHN0dWNrIHdpdGggdGhhdCBub3cuCiAgKi8KIHN0YXRpYyBQTHlTYXZlZEFy
Z3MgKgotUEx5X2Z1bmN0aW9uX3NhdmVfYXJncyhQTHlQcm9jZWR1cmUgKnByb2MpCitQTHlfZnVu
Y3Rpb25fc2F2ZV9hcmdzKE1lbW9yeUNvbnRleHQgbWN0eCwgUEx5UHJvY2VkdXJlICpwcm9jKQog
ewogCVBMeVNhdmVkQXJncyAqcmVzdWx0OwogCi0JLyogc2F2ZWQgYXJncyBhcmUgYWx3YXlzIGFs
bG9jYXRlZCBpbiBwcm9jZWR1cmUncyBjb250ZXh0ICovCisJLyogQWxsb2NhdGUgaW4gdGhlIGNh
bGxlci1zcGVjaWZpZWQgbWVtb3J5IGNvbnRleHQgKi8KIAlyZXN1bHQgPSAoUEx5U2F2ZWRBcmdz
ICopCi0JCU1lbW9yeUNvbnRleHRBbGxvY1plcm8ocHJvYy0+bWN4dCwKKwkJTWVtb3J5Q29udGV4
dEFsbG9jWmVybyhtY3R4LAogCQkJCQkJCSAgIG9mZnNldG9mKFBMeVNhdmVkQXJncywgbmFtZWRh
cmdzKSArCiAJCQkJCQkJICAgcHJvYy0+bmFyZ3MgKiBzaXplb2YoUHlPYmplY3QgKikpOwogCXJl
c3VsdC0+bmFyZ3MgPSBwcm9jLT5uYXJnczsKQEAgLTY1OCw4ICs2NjUsMTQgQEAgUEx5X2dsb2Jh
bF9hcmdzX3B1c2goUEx5UHJvY2VkdXJlICpwcm9jKQogCXsKIAkJUEx5U2F2ZWRBcmdzICpub2Rl
OwogCi0JCS8qIEJ1aWxkIGEgc3RydWN0IGNvbnRhaW5pbmcgY3VycmVudCBhcmd1bWVudCB2YWx1
ZXMgKi8KLQkJbm9kZSA9IFBMeV9mdW5jdGlvbl9zYXZlX2FyZ3MocHJvYyk7CisJCS8qCisJCSAq
IEJ1aWxkIGEgc3RydWN0IGNvbnRhaW5pbmcgY3VycmVudCBhcmd1bWVudCB2YWx1ZXMuICBXZSB1
c2UKKwkJICogcHJvYy0+bWN4dCBiZWNhdXNlIHRoZSBzYXZlZCBhcmdzIG11c3QgcGVyc2lzdCBh
Y3Jvc3MgdGhlIGVudGlyZQorCQkgKiByZWN1cnNpdmUgY2FsbCBzdGFjaywgd2hpY2ggY2FuIHNw
YW4gbXVsdGlwbGUgZnVuY3Rpb24gaW52b2NhdGlvbnMuCisJCSAqIFRoZSBwcm9jZWR1cmUncyBt
ZW1vcnkgY29udGV4dCBoYXMgdGhlIGFwcHJvcHJpYXRlIGxpZmV0aW1lIGZvcgorCQkgKiB0aGlz
LCBhbmQgd2UgZXhwbGljaXRseSBmcmVlIHRoZSBzdHJ1Y3Qgd2hlbiBwb3BwaW5nLgorCQkgKi8K
KwkJbm9kZSA9IFBMeV9mdW5jdGlvbl9zYXZlX2FyZ3MocHJvYy0+bWN4dCwgcHJvYyk7CiAKIAkJ
LyoKIAkJICogUHVzaCB0aGUgc2F2ZWQgYXJndW1lbnQgdmFsdWVzIGludG8gdGhlIHByb2NlZHVy
ZSdzIHN0YWNrLiAgT25jZSB3ZQotLSAKMi41MC4xIChBcHBsZSBHaXQtMTU1KQoK
--18194a22b89a91d7b090efef74f2024bf9c4ccb73bc848c42352b739eba4--