| From: | Robert Haas <robertmhaas(at)gmail(dot)com> |
|---|---|
| To: | Bertrand Drouvot <bertranddrouvot(dot)pg(at)gmail(dot)com> |
| Cc: | Jeff Davis <pgsql(at)j-davis(dot)com>, Roman Eskin <r(dot)eskin(at)arenadata(dot)io>, Michael Paquier <michael(at)paquier(dot)xyz>, Alexander Lakhin <exclusion(at)gmail(dot)com>, pgsql-hackers(at)lists(dot)postgresql(dot)org, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Subject: | Re: Avoid orphaned objects dependencies, take 3 |
| Date: | 2026-05-13 20:20:21 |
| Message-ID: | CA+TgmobtzkG9HzGtDXbgb3KVE46qHuSvGcuKHgAGQ1aejCoLLw@mail.gmail.com |
| Lists: | pgsql-hackers |
On Tue, Apr 28, 2026 at 7:17 AM Bertrand Drouvot
<bertranddrouvot(dot)pg(at)gmail(dot)com> wrote:
> 0003: Add Assert guard to detect permission check before lock regressions
>
> Add instrumentation under USE_ASSERT_CHECKING to detect cases where object_aclcheck()
> is called on a referenced object before a lock is held on it, which would widen
> the TOCTOU window between the permission check and the dependency recording.
I really like the idea of having some kind of cross-check system that
can detect future (or current) coding mistakes. But what I wonder
about this mechanism is: should we instead be insisting that we take a
lock and check permissions on every dependency? Is it an error to
record a dependency on an object without any sort of permissions
check?
Also, I think the mechanism might not be entirely safe. ProcessUtility
can result in executing user-defined functions which could
theoretically run other DDL and then it seems like this code would get
confused.
--
Robert Haas
EDB: http://www.enterprisedb.com
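As an added illustration that is not part of this thread and not PostgreSQL source, the following Python model shows the window the quoted patch description is talking about: a permission check on a referenced object made before that object is locked, a concurrent DROP slipping through, and a dependency recorded against an object that no longer exists. It also includes an assert-style guard of the kind described, which fires when the check happens on an unlocked object. All names here (`Catalog`, `Session`, `acl_check`, `record_dependency`, the scenario functions) are invented for the model, and "would block" is represented deterministically by a `LockConflict` exception rather than by actually waiting.

```python
# Added example (not from the thread, not PostgreSQL code): a deterministic
# model of the check-before-lock window and an assert-style guard for it.
# All names below are invented for the model.

class LockConflict(Exception):
    """Another session holds the lock; stands in for 'would block'."""

class MissingObject(Exception):
    """The object was dropped before this session could lock it."""

class Catalog:
    """Shared state: objects, recorded dependencies and held locks."""
    def __init__(self):
        self.objects = {}      # oid -> owner
        self.deps = []         # (dependent_oid, referenced_oid)
        self.locks = {}        # oid -> name of the session holding the lock
        self.next_oid = 1000

    def create(self, owner):
        oid = self.next_oid
        self.next_oid += 1
        self.objects[oid] = owner
        return oid

    def orphans(self):
        """Dependencies whose referenced object no longer exists."""
        return [d for d in self.deps if d[1] not in self.objects]

class Session:
    def __init__(self, name, user, cat, assert_checking=True):
        self.name, self.user, self.cat = name, user, cat
        self.assert_checking = assert_checking
        self.held = set()      # oids this session has locked

    def lock(self, oid):
        if oid not in self.cat.objects:
            raise MissingObject(oid)
        holder = self.cat.locks.get(oid)
        if holder not in (None, self.name):
            raise LockConflict(oid, holder)
        self.cat.locks[oid] = self.name
        self.held.add(oid)

    def release_all(self):
        for oid in self.held:
            self.cat.locks.pop(oid, None)
        self.held.clear()

    def acl_check(self, oid):
        # The guard: under assert checking, a permission check on an object
        # this session has not locked is reported as a coding mistake.
        if self.assert_checking and oid not in self.held:
            raise AssertionError(f"{self.name}: acl check on {oid} before lock")
        return self.cat.objects.get(oid) == self.user

    def record_dependency(self, dependent, referenced):
        self.cat.deps.append((dependent, referenced))

    def drop(self, oid):
        """Lock, refuse if anything depends on the object, otherwise delete."""
        self.lock(oid)
        try:
            if any(ref == oid for _, ref in self.cat.deps):
                raise RuntimeError(f"cannot drop {oid}: dependencies exist")
            del self.cat.objects[oid]
        finally:
            self.release_all()

def race_without_lock(cat):
    """Buggy ordering: A checks permission but never locks the referenced
    object, so B's DROP lands before A records the dependency."""
    a = Session("A", "alice", cat, assert_checking=False)
    b = Session("B", "alice", cat, assert_checking=False)
    ref = cat.create("alice")
    if not a.acl_check(ref):        # passes; nothing is locked
        raise RuntimeError("unexpected permission failure")
    b.drop(ref)                     # no lock, no dependency yet: succeeds
    a.record_dependency(cat.create("alice"), ref)
    return len(cat.orphans())       # 1: the dependency points at nothing

def race_with_lock(cat):
    """Fixed ordering: A locks first, so B's DROP either waits (modelled as
    LockConflict) or, after A is done, is refused because of the dependency."""
    a = Session("A", "alice", cat)
    b = Session("B", "alice", cat)
    ref = cat.create("alice")
    a.lock(ref)
    if not a.acl_check(ref):        # guard satisfied: the lock is held
        raise RuntimeError("unexpected permission failure")
    blocked = refused = False
    try:
        b.drop(ref)
    except LockConflict:
        blocked = True
    a.record_dependency(cat.create("alice"), ref)
    a.release_all()                 # A "commits"
    try:
        b.drop(ref)                 # B retries and now sees the dependency
    except RuntimeError:
        refused = True
    return blocked and refused and not cat.orphans()

def guard_catches_check_before_lock(cat):
    """The assert guard fires on a permission check made before the lock."""
    a = Session("A", "alice", cat)
    ref = cat.create("alice")
    try:
        a.acl_check(ref)            # no lock held on ref
    except AssertionError:
        return True
    return False
```

The model keeps one flat set of held locks per session, which is enough to show the race and the guard but deliberately does not model nested DDL run from a user-defined function; a guard in the real code has to decide what "the referenced object of the current statement" means when ProcessUtility re-enters for such a function, which is the concern raised above.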