afterTriggerInvokeEvents() may repalloc afterTriggers.query_stack
while firing trigger events, leaving any precomputed entry pointer
dangling. The loop body in AfterTriggerEndQuery() recomputes qs
after each afterTriggerInvokeEvents() call for that reason, but the
"all fired" break path exits without the recompute, and the
subsequent FireAfterTriggerBatchCallbacks(qs->batch_callbacks)
dereferences the freed pointer.
Fix by recomputing qs immediately before
FireAfterTriggerBatchCallbacks(), as the loop body already does
after each afterTriggerInvokeEvents() call.
The hazard was introduced in
34a30786293, which added the
qs->batch_callbacks dereference at this site.
Reported-by: Amul Sul <sulamul@gmail.com>
Author: Amul Sul <sulamul@gmail.com>
Reviewed-by: Anthonin Bonnefoy <anthonin.bonnefoy@datadoghq.com>
Reviewed-by: Amit Langote <amitlangote09@gmail.com>
Discussion: https://postgr.es/m/CAAJ_b95p6-qiVpE2Gpr=bUsNAqTcejD_rPgLnfjx9m=fo3Rf3Q@mail.gmail.com
* Fire batch callbacks before releasing query-level storage and before
* decrementing query_depth. Callbacks may do real work (index probes,
* error reporting).
+ *
+ * Recompute qs first: the loop above refreshes it after each
+ * afterTriggerInvokeEvents() call (see comment there), but the "all
+ * fired" break exits without doing so, leaving qs potentially stale here.
*/
+ qs = &afterTriggers.query_stack[afterTriggers.query_depth];
FireAfterTriggerBatchCallbacks(qs->batch_callbacks);
/* Release query-level-local storage, including tuplestores if any */
drop function whoami();
drop role regress_fn_owner;
drop role regress_caller;
+--
+-- Test a recursive AFTER ROW trigger that nests after-trigger query levels
+-- deeply enough to grow query_stack mid-fire. Outer levels then resume their
+-- post-loop cleanup against the relocated stack.
+--
+create table trigger_recursive (id int);
+create function trigger_recursive_fn() returns trigger language plpgsql as $$
+begin
+ if new.id < 10 then
+ insert into trigger_recursive values (new.id + 1);
+ end if;
+ return new;
+end$$;
+create trigger trigger_recursive after insert on trigger_recursive
+ for each row execute function trigger_recursive_fn();
+insert into trigger_recursive values (1);
+select count(*) from trigger_recursive;
+ count
+-------
+ 10
+(1 row)
+
+drop table trigger_recursive;
+drop function trigger_recursive_fn();
drop function whoami();
drop role regress_fn_owner;
drop role regress_caller;
+
+--
+-- Test a recursive AFTER ROW trigger that nests after-trigger query levels
+-- deeply enough to grow query_stack mid-fire. Outer levels then resume their
+-- post-loop cleanup against the relocated stack.
+--
+create table trigger_recursive (id int);
+create function trigger_recursive_fn() returns trigger language plpgsql as $$
+begin
+ if new.id < 10 then
+ insert into trigger_recursive values (new.id + 1);
+ end if;
+ return new;
+end$$;
+
+create trigger trigger_recursive after insert on trigger_recursive
+ for each row execute function trigger_recursive_fn();
+
+insert into trigger_recursive values (1);
+select count(*) from trigger_recursive;
+
+drop table trigger_recursive;
+drop function trigger_recursive_fn();
projects / thirdparty / postgresql.git / commitdiff
