Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1wOwrw-000Iuv-1z for pgsql-hackers@arkaria.postgresql.org; Mon, 18 May 2026 12:14:49 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.96) (envelope-from ) id 1wOwrt-002FaR-1y for pgsql-hackers@arkaria.postgresql.org; Mon, 18 May 2026 12:14:46 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1wOwrt-002FaH-0g for pgsql-hackers@lists.postgresql.org; Mon, 18 May 2026 12:14:46 +0000 Received: from mail-wm1-x333.google.com ([2a00:1450:4864:20::333]) by magus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.98.2) (envelope-from ) id 1wOwrm-00000000BRo-26Ly for pgsql-hackers@lists.postgresql.org; Mon, 18 May 2026 12:14:40 +0000 Received: by mail-wm1-x333.google.com with SMTP id 5b1f17b1804b1-48984d29fe3so24039435e9.0 for ; Mon, 18 May 2026 05:14:37 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1779106477; x=1779711277; darn=lists.postgresql.org; h=in-reply-to:content-transfer-encoding:content-disposition :mime-version:references:message-id:subject:cc:to:from:date:from:to :cc:subject:date:message-id:reply-to; bh=QVXPHr2f5N7np+EPE2UWPCp7pSoIeAnA2YVUrvlp9fA=; b=ICPtWFTSydUdVGtfkC0wt/P26hxG98l6FETN57GBuhff0Q/l8K1u+6NziBDGkSFmz1 AxkcxQ5TCVkR6k4vSoDY2CUGLe/5XUGAYNbd1CT3pM3BPRgepFWH8FyMP6GteoLKfCYE Odef6NKgB1rpyWRXxqtharLCkseoo4POkWkhwXjoYb6fVG7KNwLNH36HwIXm3fplb3je bIqfT/dVzVyTU1li128+MTWnX0yb8Ey4eitMzPeH3tEXs0XWj4DjUrxs3rzFiJ7KHuTu cNY11yKCzfaf7zCs9+jbdsKyK6J8Ntd9P01Y1R/PzyPjrpEtkgEG2Cpvz6xWz4W4kiS8 GenA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1779106477; x=1779711277; h=in-reply-to:content-transfer-encoding:content-disposition :mime-version:references:message-id:subject:cc:to:from:date:x-gm-gg :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=QVXPHr2f5N7np+EPE2UWPCp7pSoIeAnA2YVUrvlp9fA=; b=H800Vn8YQuc19R4e229KdFvx0n8XLC/2BSU//l4W0+vKqeUkXg0q1hH/hZ7qsEvZkO coo+Oq832pcC1sxFbqgOeHUYLjqEO5++WEMs7JiamIYrJcmNFcjSPFXadfrFv7hT7J/v F4LBalPamYaqQkZ5v9vK1FGlsyu/XtwxmY16TWtwlmnrO9AXkizD3N/QvvvQSfHEoCAn kGstJ92yX5FYiPmVZsOuo4helMFoGwOBXCJik0a6xCz+7RtnWW5Ybohpzi3kLlxmEyPl PUqmFa5MJMiA9fv8LBXxkR4hhzPQQdAJ8P9O4CBOvM5HDFv9vJwif/TA4aGHFemwiFGF YHmg== X-Forwarded-Encrypted: i=1; AFNElJ+wL3dk9qnBcA0xXIkEvcaRAp5gZDTR2eq352kM6MogrzznnhxTatSN6/1P4bjJenYr3yLgicvpsxQp0A3R@lists.postgresql.org X-Gm-Message-State: AOJu0Yy1drOKJVE53Y6P2iukKo5ff+9tUYOMUYHsflNAwUUStjuLOqJU lyPw7et/YDRpAWU8LVIjvThfQMnj+cVcnAQZPOlIC19wo+AoW8yGcHmgUhTSJ4KZmUc= X-Gm-Gg: Acq92OEzpqaJUvnMx+6UKKdURh/V/gA4O3ZcEZ1hGbabznmWXEsg62Xo3BGPIdmq+Nb 4pe49CR8a3BWHFNW1P9/y5RofbxoXelEwUpAhzskFZ+HNfEwd8CUgOZc4c61dWohBcIZz3fd1Hh 5DQq8MBkIL9DLRK02xe2qIGjGAtMgLiY0/H/Aeyp38EnXY8iYPVZEvBTNH9I7tq1aa5Junj5uuw ZAaOnKhGfwiX8mX4Q3VmODxKJNJkhnMhztXcKIuL7Q0CfHQIhDhvwJcdS2LpjBMkCk4xpJq/zNI cuInrkcqiZ7mro45ZW0TcNlWeooEzjq6wnEtdhSqg2tePIAXc2V71Yt/fCdOlXjFcEmHqdaUrqe H+iMos4iP6C07FDbFwyJvu2Lsjss+zjDvI0ToldUgyHErw/Wox9TZZcL91q5rz0SHYEkOP+3XuS IV4W0ktCO/ax137U8k426nDmfo9A7oKfwZ0qbsva5T4vcIqPvXnx7EuOUK5a55EMF7GlGpvEJ4R LXqk8qyha6BVU3T5tnilZD456WQvk0A X-Received: by 2002:a05:600c:c167:b0:48f:d410:6065 with SMTP id 5b1f17b1804b1-48fe66138dfmr231286135e9.29.1779106476602; Mon, 18 May 2026 05:14:36 -0700 (PDT) Received: from bdtpg (ec2-15-237-197-144.eu-west-3.compute.amazonaws.com. [15.237.197.144]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-48feab2896bsm84300865e9.4.2026.05.18.05.14.35 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 18 May 2026 05:14:35 -0700 (PDT) Date: Mon, 18 May 2026 12:14:34 +0000 From: Bertrand Drouvot To: Robert Haas Cc: Jeff Davis , Roman Eskin , Michael Paquier , Alexander Lakhin , pgsql-hackers@lists.postgresql.org, Tom Lane Subject: Re: Avoid orphaned objects dependencies, take 3 Message-ID: References: <298d95b5570b91a7d0ee42895e79890feefc67d6.camel@j-davis.com> <9f5f0dd4-96d5-4d90-9436-62d96e0298f9@arenadata.io> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="FjYZKkuBdH+F20sI" Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk --FjYZKkuBdH+F20sI Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit Hi, On Wed, May 13, 2026 at 04:20:21PM -0400, Robert Haas wrote: > On Tue, Apr 28, 2026 at 7:17 AM Bertrand Drouvot > wrote: > > 0003: Add Assert guard to detect permission check before lock regressions > > > > Add instrumentation under USE_ASSERT_CHECKING to detect cases where object_aclcheck() > > is called on a referenced object before a lock is held on it, which would widen > > the TOCTOU window between the permission check and the dependency recording. > > I really like the idea of having some kind of cross-check system that > can detect future (or current) coding mistakes. Thanks for the feedback! BTW, it detected a new one due to 4793fc41f82, so v21 attached does fix it to make the CI green. > But what I wonder > about this mechanism is: should we instead be insisting that we take a > lock and check permissions on every dependency? Is it an error to > record a dependency on an object without any sort of permissions > check? I'm not sure. For example, currently, without execute privilege on myfunc(), one could create a view like: CREATE VIEW v1 AS SELECT myfunc(a) FROM t1; so that the dependency is recorded. The execution permission is checked when the view is queried. I don't think this example is a bug, so that I'm doubtful about insisting that we take a lock and check permissions on every dependency. > Also, I think the mechanism might not be entirely safe. ProcessUtility > can result in executing user-defined functions which could > theoretically run other DDL and then it seems like this code would get > confused. The assert fires when an aclcheck was tracked and the lock is not held. Since the locks are transaction-scoped, any lock acquired during the statement persists, so the assert passes regardless of nesting. So that looks not possible to get false positives (assert fires) due to user-defined functions running other DDL. The concern would be false negatives (missed detection) due to the reset wiping the outer DDL's entries. I believe, that's theoretically possible only if: - The outer DDL has a P1 bug (aclcheck without lock on object X) - A user-defined function happens to run DDL that also aclchecks and locks the same object X - The user-defined function DDL's lock satisfies the assert for the outer DDL But then, the bug would be caught in normal testing without the user-defined function being present. So I'm not sure how this code could get confused. Do you have an example of what you have in mind? Regards, -- Bertrand Drouvot PostgreSQL Contributors Team RDS Open Source Databases Amazon Web Services: https://aws.amazon.com --FjYZKkuBdH+F20sI Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v21-0001-Avoid-orphaned-objects-dependencies.patch"