| From: | Ashutosh Sharma <ashu(dot)coek88(at)gmail(dot)com> |
|---|---|
| To: | Fujii Masao <masao(dot)fujii(at)gmail(dot)com> |
| Cc: | n(dot)kalinin(at)postgrespro(dot)ru, pgsql-bugs(at)lists(dot)postgresql(dot)org |
| Subject: | Re: BUG #19508: pg_buffercache_pages() crashes the backend with an incompatible caller-supplied record definition |
| Date: | 2026-06-05 15:29:23 |
| Message-ID: | CAE9k0Pkr+KKSx4UVmrLp-ZgF1BtwoVCOHOL99MeXr81D8JnX1w@mail.gmail.com |
| Views: | Whole Thread | Raw Message | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-bugs |
Hi Fujii-san,
On Fri, Jun 5, 2026 at 8:49 AM Fujii Masao <masao(dot)fujii(at)gmail(dot)com> wrote:
>
> On Fri, Jun 5, 2026 at 12:49 AM PG Bug reporting form
> <noreply(at)postgresql(dot)org> wrote:
> >
> > The following bug has been logged on the website:
> >
> > Bug reference: 19508
> > Logged by: Nikita Kalinin
> > Email address: n(dot)kalinin(at)postgrespro(dot)ru
> > PostgreSQL version: 19beta1
> > Operating system: Fedora 44
> > Description:
> >
> > Hello,
> >
> > It appears that pg_buffercache_pages() trusts a caller-supplied record
> > descriptor without verifying that the declared column types match the actual
> > values returned by the function.
> >
> > The crash is reproducible on the current master branch with a fresh cluster
> > after installing the extension:
>
> Thanks for the report! I could reproduce this as well.
>
>
> > git blame points to the following commit:
> >
> > commit 257c8231bf97a77378f6fedb826b1243f0a41612 (HEAD)
> > Author: Heikki Linnakangas <heikki(dot)linnakangas(at)iki(dot)fi>
> > Date: Tue Apr 7 16:04:48 2026 +0300
> >
> > Modernize and optimize pg_buffercache_pages()
>
> Commit 257c8231bf9 changed pg_buffercache_pages() to materialize rows directly
> into a tuplestore. As a result, the function started using the caller-supplied
> RECORD descriptor as rsinfo->setDesc, so a mismatched column definition list
> could cause tuplestore_putvalues() to interpret returned Datums with incorrect
> types.
>
> Before that change, pg_buffercache_pages() exposed its actual tuple descriptor
> to the executor, allowing the executor's existing rowtype checks to reject
> incompatible definitions with a normal error.
>
> The attached patch restores that behavior while keeping the materialized-SRF
> implementation. Thoughts?
>
pg_buffercache_pages uses RETURNS SETOF RECORD whereas other
extensions like pgstattuple define explicit IN/OUT parameters at the
SQL level. Is there a specific reason this pattern was kept, or is it
simply a legacy design that hasn't been modernized? Had we followed
the IN/OUT parameter style, this sort of issue could have been
avoided, no?
--
With Regards,
Ashutosh Sharma.
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Fujii Masao | 2026-06-05 15:38:15 | Re: BUG #19508: pg_buffercache_pages() crashes the backend with an incompatible caller-supplied record definition |
| Previous Message | Fujii Masao | 2026-06-05 15:15:57 | Re: BUG #19511: contrib/dblink: NULL dereference in dblink_get_notify() when called without a prior connection |