Re: BUG #19458: OOM killer in jsonb_path_exists_opr (@?) with malformed JSONPath containing non-existent variables

Hi!

According to the Jsonpath standard, malformed expression should return an
error,
but not all cases of malformation are thoroughly described.

When this functionality was developed (Jsonpath and SQL/JSON) the absence
of the variable was considered as malformation and was decided to throw an
error
in threads long time ago. In case this behavior to be a subject for change
it surely
should not be backported, but the error-throwing code has to.
I agree that sometimes Json (-path) functionality provides very little info
on errors,
and it could be extended.

Changing this behavior is subject for Hackers and should be approved by Tom
Lane,
Adres Freund and other people responsible for including Jsonpath and
SQL/JSON
into Postgres.

On Tue, Apr 28, 2026 at 7:51 PM Andrey Borodin <x4mmm(at)yandex-team(dot)ru> wrote:

>
>
> > On 20 Apr 2026, at 18:38, Andrey Rachitskiy <pl0h0yp1(at)gmail(dot)com> wrote:
> >
> > I propose a targeted backpatch for REL_14/15/16 in jsonpath_exec.c to
> align missing variable handling with newer branches and prevent
> pathological memory growth on malformed/hostile jsonpath expressions.
>
> Hi! Thank you for the report and proposed fix. I've took a look into the
> patch.
>
> So we can use vars like this:
>
> # SELECT jsonb_path_exists(
> '{"x": 42}'::jsonb,
> '$ ? ($"threshold" < 50)'::jsonpath,
> '{"threshold": 10}'::jsonb -- HERE go vars
> );
>
> Operator @? is doing the same, but without supplied vars. And this thread
> essentially points to buggy handling of vars:
>
> # SELECT j @? '$"no_such_var"'
> FROM (VALUES
> ('{"important": "data"}'::jsonb),
> ('42'::jsonb),
> ('null'::jsonb),
> ('false'::jsonb)
> ) AS t(j);
> ?column?
> ----------
> t
> t
> t
> t
> (4 rows)
>
> It basically says that path with value of var "no_such_var" exists
> everywhere.
>
> I think it's a bug, but we would need a JSON Path expert here.
>
> 17+ throws an error, which seems suspicious to me too. @? is expected to
> operate in silent mode. Perhaps, we should just return NULL instead of t.
> By using RETURN_ERROR macro. But it might sound overly invasive for back
> branches.
>
> Even if we are going to throw an error, we can give mode details. I'd
> suggest
> instead of "could not find jsonpath variable \"%s\"" throwing something
> like
> "no variables supplied to reference by variable \"%s\"" or something along
> those lines.
>
>
> Besides this, the direction of the fix looks good to me. Thank you!
>
>
> Best regards, Andrey Borodin.
>
>
>
>

--
Regards,
Nikita Malakhov
Postgres Professional
The Russian Postgres Company
https://postgrespro.ru/