| From: | Nikita Malakhov <hukutoc(at)gmail(dot)com> |
|---|---|
| To: | Andrey Rachitskiy <pl0h0yp1(at)gmail(dot)com> |
| Cc: | Amit Langote <amitlangote09(at)gmail(dot)com>, Andrey Borodin <x4mmm(at)yandex-team(dot)ru>, PostgreSQL mailing lists <pgsql-bugs(at)lists(dot)postgresql(dot)org>, Nikolay Shaplov <dhyan(at)nataraj(dot)su> |
| Subject: | Re: BUG #19458: OOM killer in jsonb_path_exists_opr (@?) with malformed JSONPath containing non-existent variables |
| Date: | 2026-06-05 10:57:27 |
| Message-ID: | CAN-LCVP7dxvrvRTpRhZbfL8Obh_d4dvcQOfuOQC5aKukZ7+xRw@mail.gmail.com |
| Views: | Whole Thread | Raw Message | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-bugs |
Hi!
Thank you very much for this investigation! I'd take a look into the patch
after the weekend.
On Fri, Jun 5, 2026 at 1:03 PM Andrey Rachitskiy <pl0h0yp1(at)gmail(dot)com> wrote:
> The growing allocation is leaked temporary JsonValueLists in
> executePredicate() (local lseq/rseq, ~1482–1547) and the arithmetic helpers
> executeBinaryArithmExpr() / executeUnaryArithmExpr() (~1561–1684). Each
> nested comparison or arithmetic subexpression materializes operands via
> executeItemOptUnwrapResult[NoThrow]() → executeNextItem() →
> JsonValueListAppend() (~1165, ~2451), but the interim lists are never freed
> before return. For @? specifically, executeJsonPath() also leaks a local
> vals list in strict exists mode (~579–586).
>
> Missing vars make the AFL case worse by returning null instead of error,
> so evaluation continues deep into nested $?()/comparisons instead of
> stopping at the first $"…" reference. The same leak mechanism is reachable
> without missing vars — Tom Lane demonstrated this on master (5a2043bf713)
> with $[*] ? (@ < $) on a large array.
>
> Our missing-variable patch fixes the reported OOM and the @? semantics bug
> by aborting early. Whether REL_14/15/16 also need a broader fix for interim
> JsonValueList cleanup is beyond what I can confidently propose; I've tried
> to pin down where the growth happens for that discussion.
>
> пт, 5 июн. 2026 г. в 13:58, Amit Langote <amitlangote09(at)gmail(dot)com>:
>
>> Hi,
>>
>> Before I dig into the patch properly after the weekend, one question
>> on the report itself: has anyone traced why the old path runs away on
>> memory? We've characterized it as missing-var, then null, then
>> evaluation continues, then OOM, but I don't think the actual growing
>> allocation has been pinned down. Mostly want to understand whether the
>> same runaway is reachable without a missing variable, since raising
>> the error early wouldn't catch those cases.
>>
>> - Thanks, Amit
>>
>
--
Regards,
Nikita Malakhov
Postgres Professional
The Russian Postgres Company
https://postgrespro.ru/
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Dag Lem | 2026-06-05 11:25:52 | REINDEX (CONCURRENTLY) TABLE handles DEFERRED constraints as IMMEDIATE while processing |
| Previous Message | Amjad Shahzad | 2026-06-05 10:55:39 | Re: BUG #19511: contrib/dblink: NULL dereference in dblink_get_notify() when called without a prior connection |