| From: | Amit Langote <amitlangote09(at)gmail(dot)com> |
|---|---|
| To: | Amul Sul <sulamul(at)gmail(dot)com> |
| Cc: | PostgreSQL Hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org> |
| Subject: | Re: Server crash: Use-after-free in AfterTriggerEndQuery() |
| Date: | 2026-05-05 07:45:26 |
| Message-ID: | CA+HiwqGBy7ED8+drGY1j6GYKoi0vXZgoBSaH5GsBgiBY3Qd1xg@mail.gmail.com |
| Lists: | pgsql-hackers |
On Tue, May 5, 2026 at 15:37 Amul Sul <sulamul(at)gmail(dot)com> wrote:
> Hi,
>
> The crash occurs when the per-query firing loop in
> AfterTriggerEndQuery() exits via the "all fired" path. If
> afterTriggerInvokeEvents() reallocated query_stack while firing, the
> loop's local qs pointer is left dangling, and the subsequent
> FireAfterTriggerBatchCallbacks(qs->batch_callbacks) reads
> batch_callbacks from the freed memory and crashes.
>
> Here is the reproducible test that has an AFTER INSERT trigger on a
> referenced table that recursively inserts rows into itself:
>
> --
> create table trigger_recursive_pk (id int primary key);
> create table trigger_recursive_fk (id int references trigger_recursive_pk(id));
> insert into trigger_recursive_pk select g from generate_series(1, 15) g;
>
> create function trigger_recursive_fn() returns trigger language plpgsql as
> $$
> begin
>     if new.id < 10 then
>         insert into trigger_recursive_fk values (new.id + 1);
>     end if;
>     return new;
> end$$;
>
> create trigger trigger_recursive after insert on trigger_recursive_fk
>     for each row execute function trigger_recursive_fn();
>
> insert into trigger_recursive_fk values (1);
> --
>
> The attached patch fixes the reported issue by recomputing qs
> immediately before calling FireAfterTriggerBatchCallbacks().
Thanks Amul for the report. I'll look at this on Thursday when I'm back at
work.
- Amit
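
The failure mode described in the quoted report, as a minimal C model added here (not PostgreSQL source and not the attached patch): a pointer into a growable array goes stale when the array moves during a call, so it is recomputed from its index before use. `QueryState`, `init_stack`, `fire_events` and `end_query` are hypothetical names; only `query_stack`, `qs` and `batch_callbacks` echo the report.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of a per-query state entry; not PostgreSQL's struct. */
typedef struct { int batch_callbacks; } QueryState;

static QueryState *query_stack;  /* growable array; its base address can change */
static int maxdepth;             /* number of allocated entries */

void init_stack(int n)
{
    query_stack = calloc((size_t) n, sizeof *query_stack);
    maxdepth = n;
}

/* Models firing: nested work may need deeper entries, which moves the array. */
static void fire_events(int depth, int nested)
{
    int needed = depth + nested + 1;
    if (needed > maxdepth) {
        /* Allocate before freeing, so the new block is always elsewhere. */
        QueryState *n = calloc((size_t) needed * 2, sizeof *n);
        if (!n) abort();
        memcpy(n, query_stack, (size_t) maxdepth * sizeof *n);
        free(query_stack);       /* any pointer taken earlier now dangles */
        query_stack = n;
        maxdepth = needed * 2;
    }
    query_stack[depth].batch_callbacks = 42;  /* state set while firing */
}

/* Reads batch_callbacks through a pointer recomputed after firing; *moved
 * reports whether the pointer taken before firing went stale. */
int end_query(int depth, int nested, int *moved)
{
    QueryState *qs = &query_stack[depth];
    uintptr_t before = (uintptr_t) qs;  /* keep the address only, never deref */
    fire_events(depth, nested);
    qs = &query_stack[depth];           /* recompute from the current base */
    *moved = ((uintptr_t) qs != before);
    return qs->batch_callbacks;
}

int main(void)
{
    int moved, v;
    init_stack(4);
    v = end_query(1, 8, &moved);
    printf("batch_callbacks=%d moved=%d\n", v, moved);
}
```

Holding an index and deriving the pointer at each use keeps the read valid whether or not the array moved.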