BUG #19438: segfault with temp_file_limit inside cursor

The following bug has been logged on the website:

Bug reference: 19438
Logged by: Dmitriy Kuzmin
Email address: kuzmin(dot)db4(at)gmail(dot)com
PostgreSQL version: 14.22
Operating system: Rocky Linux 8.10 (Green Obsidian)
Description:

Greetings

I experimented with setting temp_file_limit within a cursor and discovered a
segmentation fault under certain circumstances.
The issue exist in the current minors of 14 and 15 (14.22 and 15.17), but I
was unable to reproduce it in version 16 or higher.

To reproduce, simply run the following code.

begin;
declare cur1 cursor for select c, c c2 from generate_series(0, 1000000)
x(c) order by c;
\o /dev/null
fetch all from cur1;
set temp_file_limit TO '1MB';
fetch backward all from cur1;
rollback ;

Logs:
2026-03-25 16:24:58.264 MSK [3321241] ERROR: temporary file size exceeds
temp_file_limit (1024kB)
2026-03-25 16:24:58.264 MSK [3321241] STATEMENT: fetch backward all from
cur1;
2026-03-25 16:24:58.338 MSK [3320934] LOG: server process (PID 3321241) was
terminated by signal 11: Segmentation fault
2026-03-25 16:24:58.338 MSK [3320934] DETAIL: Failed process was running:
rollback ;
2026-03-25 16:24:58.338 MSK [3320934] LOG: terminating any other active
server processes

Backtrace on pastebin(postgresql 14.22): https://pastebin.com/2srPbzhN
Backtrace(postgresql 14.22)

[New LWP 3320966]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Core was generated by `postgres: postgres postgres [local]'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 pfree (pointer=0x2d81538) at mcxt.c:1202
1202 context->methods->free_p(context, pointer);
#0 pfree (pointer=0x2d81538) at mcxt.c:1202
context = 0x0
#1 0x000000000095399f in tuplestore_end (state=0x2d81318) at
tuplestore.c:462
i = 0
#2 0x0000000000946920 in PortalDrop (portal=0x2ccf7f8,
isTopCommit=<optimized out>) at portalmem.c:585
oldcontext = 0x2c6c930
__func__ = "PortalDrop"
#3 0x0000000000946a50 in CreatePortal (name=name(at)entry=0xaa970d "",
allowDup=allowDup(at)entry=true, dupSilent=dupSilent(at)entry=true) at
portalmem.c:193
portal = 0x2ccf7f8
__func__ = "CreatePortal"
#4 0x0000000000801116 in exec_simple_query (query_string=0x2c6ca48
"rollback ;") at postgres.c:1124
snapshot_set = false
per_parsetree_context = 0x0
plantree_list = 0x2c6d7d0
parsetree = 0x2c6d450
commandTag = CMDTAG_ROLLBACK
qc = {commandTag = CMDTAG_UNKNOWN, nprocessed = 1064392740122972416}
querytree_list = <optimized out>
portal = <optimized out>
receiver = <optimized out>
format = 0
parsetree_item__state = {l = 0x2c6d480, i = 0}
dest = DestRemote
oldcontext = 0x2d22810
parsetree_list = 0x2c6d480
parsetree_item = <optimized out>
save_log_statement_stats = false
was_logged = false
use_implicit_block = false
msec_str =
"Z\000\000\000\000\000\000\000Q\000\000\000\000\000\000\000\370\227\311\002\000\000\000\000\267\360\222\000\000\000\000"
__func__ = "exec_simple_query"
#5 0x0000000000802a6d in PostgresMain (argc=argc(at)entry=1,
argv=argv(at)entry=0x7ffcd5351a90, dbname=<optimized out>, username=<optimized
out>) at postgres.c:4571
query_string = 0x2c6ca48 "rollback ;"
firstchar = <optimized out>
input_message = {data = 0x2c6ca48 "rollback ;", len = 11, maxlen =
1024, cursor = 11}
local_sigjmp_buf = {{__jmpbuf = {140723885512688,
7291976700258799160, 46766072, 0, 3, 582, -7292484179921744328,
7291977799450480184}, __mask_was_saved = 1, __saved_mask = {__val =
{4194304, 140723885518811, 0, 0, 140723885513328, 140321394626256,
1064392740122972416, 206158430232, 9872339, 206158430240, 140723885513248,
140723885513056, 1064392740122972416, 46728512, 0, 11180896}}}}
send_ready_for_query = false
idle_in_transaction_timeout_enabled = false
idle_session_timeout_enabled = false
__func__ = "PostgresMain"
#6 0x00000000007816ca in BackendRun (port=<optimized out>, port=<optimized
out>) at postmaster.c:4543
av = {0x972bd4 "postgres", 0x0}
ac = 1
av = <optimized out>
ac = <optimized out>
#7 BackendStartup (port=<optimized out>) at postmaster.c:4265
bn = <optimized out>
pid = <optimized out>
bn = <optimized out>
pid = <optimized out>
__func__ = "BackendStartup"
__errno_location = <optimized out>
__errno_location = <optimized out>
save_errno = <optimized out>
__errno_location = <optimized out>
__errno_location = <optimized out>
#8 ServerLoop () at postmaster.c:1752
port = <optimized out>
i = <optimized out>
rmask = {fds_bits = {256, 0 <repeats 15 times>}}
selres = <optimized out>
now = <optimized out>
readmask = {fds_bits = {960, 0 <repeats 15 times>}}
nSockets = <optimized out>
last_lockfile_recheck_time = 1774444257
last_touch_time = 1774444257
__func__ = "ServerLoop"
#9 0x0000000000782539 in PostmasterMain (argc=argc(at)entry=3,
argv=argv(at)entry=0x2c65120) at postmaster.c:1424
opt = <optimized out>
status = <optimized out>
userDoption = <optimized out>
listen_addr_saved = true
i = <optimized out>
output_config_variable = <optimized out>
__func__ = "PostmasterMain"
#10 0x0000000000500bde in main (argc=3, argv=0x2c65120) at main.c:211
No locals.