Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1wTyqB-000sDk-14 for pgsql-hackers@arkaria.postgresql.org; Mon, 01 Jun 2026 09:21:47 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.96) (envelope-from ) id 1wTyqA-009cTi-0I for pgsql-hackers@arkaria.postgresql.org; Mon, 01 Jun 2026 09:21:46 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1wTyq9-009cTa-2A for pgsql-hackers@lists.postgresql.org; Mon, 01 Jun 2026 09:21:45 +0000 Received: from mail-wm1-x330.google.com ([2a00:1450:4864:20::330]) by magus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.98.2) (envelope-from ) id 1wTyq7-00000000dE7-1MFD for pgsql-hackers@lists.postgresql.org; Mon, 01 Jun 2026 09:21:45 +0000 Received: by mail-wm1-x330.google.com with SMTP id 5b1f17b1804b1-4909e3fa4b2so27387645e9.0 for ; Mon, 01 Jun 2026 02:21:42 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1780305701; x=1780910501; darn=lists.postgresql.org; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:from:to:cc:subject:date:message-id:reply-to; bh=RyKYWgIG6j49BUYprFSpzelpqEy6BqWQI30LHClqPyU=; b=a+2il2FBgv/GprcD3AyQ9aGxDxDHS4YHrVOH6CJdOSNlr9xREQKLHJghP6Boq3//Cz gyiB7oKg2j70+NZg/Gcr/kbAYUOOz9cVGkmemhlUte4atw+e/vTHMidn9IwiywTGfIcI E6APIbwVGCYUgFLB7Pb3Qjpt75UKMzg+v9mlY9+AdXJ7b2MvU5+WjlwWw3/roFtDGsPD +wNPx9j+vz2SuDdJ6t5aOhCFBetxF8rjj6cItUMfjxifQct2SI7VVMLUNETWWhO13CZW BtzZisAgEaGsP+gTXNCog2oZ6Qd97rknF/lhdwx3JMtiOs/3Q8pWglgo7gANvxAsvSDE BJ3Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1780305701; x=1780910501; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:x-gm-gg:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=RyKYWgIG6j49BUYprFSpzelpqEy6BqWQI30LHClqPyU=; b=sFXXN8UkAoCDgJo05ke43qr/Ej+vNcZbqtWgRWoO4lU6NsW+ANWKtcHVirg3FDnQ5y mo8+xeu/XWBEQuJ/wmr5VQC6hVheWtfC/YvnmFeTlOYYGfoPxGP7iE3KAOe7YsjUyEtW Gs5zOcvr63n+yPLnPlHIvCpGjs6ZqjeYveMvrvR8Rwa3S1xN3wLIMnUSEnLEJMuP44YW IyOE5QIIgRfY0SWwS/lbMTjuVWBkKcBdE95xHQQOmSj2dSXJwDfZekKzwlW4pZdquJXS EIfMYglhSWUFsVcG2yRAhQa/RsshpuqSV1NOgliOXzH16vMotCu3KJ81fVRF7Jdg6Lg7 PZ1A== X-Forwarded-Encrypted: i=1; AFNElJ+uaZvRl9sFwWVjwLUQNOExjJfV1RhLrnE6nk8YMfH+SvJOAYJ5fXsroqIQ/ahlJ+rQ5u9TE5dQGPVt1a6I@lists.postgresql.org X-Gm-Message-State: AOJu0YzaOnXdkm8Ve+qyR0NzcIcXhX/yCszOrXGAxc4tTYqpxTTm2sbF V5WkQ4tWLHjQanHPOdT/XgT2Jm/f/muA0ntifmHevYBa6QdcCoalNDDs X-Gm-Gg: Acq92OGnWroh+v6zMY90k69JVUv0G1H+8UuqkoetUTeXmBFtr/jK86hnUeGTE9N0N2n p/ZaUkEYaJcwhvtnxZAeRyD556C73xAiH1krRx7jOTtnDPlxm6DzksXD9TgzdbISSiBEhkK0Nel MhtGLZ+M45Lm1FbiSJupWXOPnGNUlWaE0uz13uNsFWIrolSmtVWjLD4Xov76Dr/TyMBCZnvMz1Z TTaiSKCZvPGiF2O33Ej2Hx36cmpPy1QQU6jsMdTB/01NNi7zWEknDWPn/IqBrisYQt6AO/49cnJ xPI+/XvbR8i0UkCxlX3WbkBMzllyaZz0bVhkT+/MOnvJU6UMawLBP0KeYrBhE1/7rhv/kBNoc67 Tf6OoQIR6nTTLM0PG5H42lAXs1c0TNvKrmryaHFQUKW+4rJfSbrRcGvOs6A0C23ckQNSyStz54c 32LwlCDbsMI0znEtRri0AWmeHKgL1di6mQDDvw3wgeabQlJROOnFbDWKaWQUZospuz0gyjRP5RU Xpiomwbr/J7Wg3kKrFOAw== X-Received: by 2002:a05:600c:378b:b0:488:78f2:6b0 with SMTP id 5b1f17b1804b1-490a2961ac8mr126730525e9.29.1780305701228; Mon, 01 Jun 2026 02:21:41 -0700 (PDT) Received: from bdtpg (ec2-15-237-197-144.eu-west-3.compute.amazonaws.com. [15.237.197.144]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-4909c1035ebsm107164945e9.5.2026.06.01.02.21.40 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 01 Jun 2026 02:21:40 -0700 (PDT) Date: Mon, 1 Jun 2026 09:21:39 +0000 From: Bertrand Drouvot To: Heikki Linnakangas Cc: Robert Haas , Jeff Davis , Roman Eskin , Michael Paquier , Alexander Lakhin , pgsql-hackers@lists.postgresql.org, Tom Lane Subject: Re: Avoid orphaned objects dependencies, take 3 Message-ID: References: <9f5f0dd4-96d5-4d90-9436-62d96e0298f9@arenadata.io> <3963e573-4852-4d25-b741-7c5c7e1f9140@iki.fi> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="qDVpkCoSYWu3RcCv" Content-Disposition: inline In-Reply-To: <3963e573-4852-4d25-b741-7c5c7e1f9140@iki.fi> List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk --qDVpkCoSYWu3RcCv Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Hi, On Wed, May 27, 2026 at 06:53:35PM +0300, Heikki Linnakangas wrote: > Fixed these, and did some more copy-editing on the comments. With that, > committed and backpatched. Thanks! Now that we avoid orphaned objects dependencies, I resumed working on Robert's concern about the TOCTOU window where a REVOKE could land between the original permission check and the dependency recording. Based on our discussion during PGConf.dev, PFA a new patch that uses the same approach as RangeVarGetRelidExtended(): record SharedInvalidMessageCounter at the time of the original aclcheck, then before locking compare the current counter to the saved value. If it changed, recheck permission before acquiring the lock. After the lock wait, if more invalidations arrived, release and retry. Remarks: The tracking array lives in a dedicated AclCheckTrackContext memory context (child of TopMemoryContext). The context is reset at the start of each top-level utility statement, which frees all prior allocations and provides clean lifetime management. Recording is gated by aclcheck_tracking_active, which is set to true only during top-level utility statement execution. This ensures DML and queries pay no cost. The flag is cleared both at normal completion of ProcessUtility and in AbortTransaction to handle the error path. The patch adds a test that would fail without the TOCTOU protection in place. Alternatives considered: - To avoid allocating memory for each statement, keep the array in TopMemoryContext and never free it (only resetting the count). But that left the high-water mark allocated for the lifetime of the backend. - Passing privilege info (roleId, mode) as extra arguments through the dependency recording APIs (recordDependencyOn, recordMultipleDependencies, etc.). It was discarded because expression-based dependencies (recordDependencyOnExpr, find_expr_references_walker) discover objects by walking expression trees: the caller never sees individual objects and cannot attach privilege info to them. That's why I believe the tracking approach that is in the attached sounds like a right approach. Bonus point, it would also help if we want to "ensure" that we always do the acl check prior the dependency recording: that would avoid cases like the one mentioned in [1] (for example, when we can create a view and then record a dependency based on a function we don't have exec privilege on). [1]: https://postgr.es/m/agsCqlLTytZCudMv%40bdtpg Regards, -- Bertrand Drouvot PostgreSQL Contributors Team RDS Open Source Databases Amazon Web Services: https://aws.amazon.com --qDVpkCoSYWu3RcCv Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="v23-0001-Recheck-permissions-after-lock-acquisition-in-de.patch"