Confine RI fast-path batching to the top transaction level

The FK fast-path batching added in b7b27eb41a5 buffers rows in a
transaction-lived cache (ri_fastpath_cache) keyed by constraint OID.
Running user-defined cast and equality functions during a batch flush,
together with the cache's lifetime and iteration, exposed two defects
reachable by an unprivileged table owner.

First, on subtransaction abort ri_FastPathSubXactCallback discarded the
entire cache.  An entry's batch holds rows buffered by the enclosing
transaction, not just the aborting subxact -- the cache is keyed by
constraint, so a single entry can mix rows from multiple subxact levels.
An internal subxact abort during after-trigger firing (e.g. a PL/pgSQL
BEGIN ... EXCEPTION block) therefore dropped buffered rows of the outer
transaction without running their FK checks, letting orphan rows commit
behind a constraint that still reported itself valid.  The discard also
left relations opened by the batch unclosed, producing "resource was not
closed" warnings.

Second, ri_FastPathEndBatch flushes by iterating the cache with
hash_seq_search.  If flush-time user code inserts into a different
fast-path FK table, a new entry is added to the cache mid-scan; it may
land in a bucket the scan has already passed and never be reached, and
ri_FastPathTeardown then destroys the cache without flushing it,
silently dropping that check.

Cleanly unwinding the cache on subxact abort would require tracking the
originating subxact of each buffered row, since rows from different
levels share an entry (the cache is keyed by constraint) and deferred
constraints cannot be flushed early at a subxact boundary.  Rather than
add that bookkeeping, confine batching to the top transaction level: in
RI_FKey_check, when GetCurrentTransactionNestLevel() > 1, use the
per-row fast path (ri_FastPathCheck) instead of buffering.  Rows checked
inside a subtransaction are then verified immediately and roll back
cleanly with their subtransaction, and the cache only ever holds
top-level rows.  With the cache confined to the top level, a
subtransaction abort has nothing of its own to discard, so
ri_FastPathSubXactCallback is removed along with its registration.

For the second defect, add a cache-wide flag (ri_fastpath_flushing) set
while ri_FastPathEndBatch iterates the cache.  A re-entrant FK check
arriving while the flag is set takes the per-row path rather than adding
an entry to the cache being scanned, so no entry can be missed and torn
down unflushed.  The flag is cleared in a PG_FINALLY so a flush that
throws (a reported violation or an error from user code) does not leave
it stuck.  As defensive insurance it is also cleared in
ri_FastPathXactCallback() at transaction end.

The per-row fast path still bypasses SPI and stays well ahead of the
pre-19 SPI-based check.  A fuller fix that preserves batching across
subtransactions -- whether by tracking the originating subxact of each
buffered row or by per-subxact cache stacks merged into the parent on
commit -- is left for a future release.

The subtransaction-abort case is covered by a new regression test.  The
mid-scan cross-table case depends on hash bucket placement and so is not
reliably reproducible in a portable test, but the flag prevents it by
construction.

Reported-by: Nikolay Samokhvalov <nik@postgres.ai>
Reviewed-by: Nikolay Samokhvalov <nik@postgres.ai>
Reviewed-by: Ayush Tiwari <ayushtiwari.slg01@gmail.com>
Reviewed-by: Junwang Zhao <zhjwpku@gmail.com>
Discussion: https://postgr.es/m/CAM527d9exRCdWrhJOnAxk_vACg7sr_yPoaJp_+uCFY0qP8v=aw@mail.gmail.com

diff --git a/src/backend/utils/adt/ri_triggers.c b/src/backend/utils/adt/ri_triggers.c
index 917a544c32b7a2f8647d018cb42f2b4cefcb8e17..06e7728c45d34f8ea473411d4669290d418f8081 100644 (file)
--- a/src/backend/utils/adt/ri_triggers.c
+++ b/src/backend/utils/adt/ri_triggers.c
@@ -228,8 +228,8 @@ typedef struct RI_CompareHashEntry
  * relations are held open with locks for the transaction duration, preventing
  * relcache invalidation.  The entry itself is torn down at batch end by
  * ri_FastPathEndBatch(); on abort, ResourceOwner releases the cached
- * relations and the XactCallback/SubXactCallback NULL the static cache pointer
- * to prevent any subsequent access.
+ * relations and the XactCallback NULLs the static cache pointer to prevent
+ * any subsequent access.
  */
 typedef struct RI_FastPathEntry
 {
@@ -267,6 +267,7 @@ static dclist_head ri_constraint_cache_valid_list;
 
 static HTAB *ri_fastpath_cache = NULL;
 static bool ri_fastpath_callback_registered = false;
+static bool ri_fastpath_flushing = false;
 
 /*
  * Local function prototypes
@@ -469,14 +470,30 @@ RI_FKey_check(TriggerData *trigdata)
         */
        if (ri_fastpath_is_applicable(riinfo))
        {
-               if (AfterTriggerIsActive())
+               if (AfterTriggerIsActive() &&
+                       GetCurrentTransactionNestLevel() == 1 &&
+                       !ri_fastpath_flushing)
                {
                        /* Batched path: buffer and probe in groups */
                        ri_FastPathBatchAdd(riinfo, fk_rel, newslot);
                }
                else
                {
-                       /* ALTER TABLE validation: per-row, no cache */
+                       /*
+                        * Per-row path, used when batching is not safe or not applicable:
+                        *
+                        * - ALTER TABLE validation, where no after-trigger firing is
+                        * active;
+                        *
+                        * - any FK check inside a subtransaction, since the batch cache
+                        * is confined to the top transaction level (it cannot be cleanly
+                        * unwound on subxact abort);
+                        *
+                        * - a re-entrant check from user cast/operator code running
+                        * during a batch flush, since adding a cache entry while
+                        * ri_FastPathEndBatch is iterating the cache could leave it
+                        * unflushed.
+                        */
                        ri_FastPathCheck(riinfo, fk_rel, newslot);
                }
                return PointerGetDatum(NULL);
@@ -4181,19 +4198,41 @@ ri_FastPathEndBatch(void *arg)
        if (ri_fastpath_cache == NULL)
                return;
 
-       /* Flush any partial batches -- can throw ERROR */
-       hash_seq_init(&status, ri_fastpath_cache);
-       while ((entry = hash_seq_search(&status)) != NULL)
+       /*
+        * Set a flag for the duration of the scan so that any FK check triggered
+        * by user cast or operator code during a flush takes the per-row path
+        * instead of adding a new entry to the cache we are iterating.  A new
+        * entry could land in an already-scanned bucket and then be torn down
+        * unflushed below.
+        *
+        * The flush can throw ERROR (a reported constraint violation, or an error
+        * from the user code it runs).  In that case ri_FastPathTeardown below is
+        * skipped; the ResourceOwner and the transaction-end callback handle
+        * resource cleanup on the abort path.  The PG_FINALLY only resets the
+        * flag and deliberately does not attempt teardown.
+        */
+       Assert(!ri_fastpath_flushing);
+       ri_fastpath_flushing = true;
+       PG_TRY();
        {
-               if (entry->batch_count > 0)
+               hash_seq_init(&status, ri_fastpath_cache);
+               while ((entry = hash_seq_search(&status)) != NULL)
                {
-                       Relation        fk_rel = table_open(entry->fk_relid, AccessShareLock);
-                       RI_ConstraintInfo *riinfo = ri_LoadConstraintInfo(entry->conoid);
+                       if (entry->batch_count > 0)
+                       {
+                               Relation        fk_rel = table_open(entry->fk_relid, AccessShareLock);
+                               RI_ConstraintInfo *riinfo = ri_LoadConstraintInfo(entry->conoid);
 
-                       ri_FastPathBatchFlush(entry, fk_rel, riinfo);
-                       table_close(fk_rel, NoLock);
+                               ri_FastPathBatchFlush(entry, fk_rel, riinfo);
+                               table_close(fk_rel, NoLock);
+                       }
                }
        }
+       PG_FINALLY();
+       {
+               ri_fastpath_flushing = false;
+       }
+       PG_END_TRY();
 
        ri_FastPathTeardown();
 }
@@ -4245,22 +4284,14 @@ ri_FastPathXactCallback(XactEvent event, void *arg)
         */
        ri_fastpath_cache = NULL;
        ri_fastpath_callback_registered = false;
-}
 
-static void
-ri_FastPathSubXactCallback(SubXactEvent event, SubTransactionId mySubid,
-                                                  SubTransactionId parentSubid, void *arg)
-{
-       if (event == SUBXACT_EVENT_ABORT_SUB)
-       {
-               /*
-                * ResourceOwner already released relations.  NULL the static pointers
-                * so the still-registered batch callback becomes a no-op for the rest
-                * of this transaction.
-                */
-               ri_fastpath_cache = NULL;
-               ri_fastpath_callback_registered = false;
-       }
+       /*
+        * Also clear the in-flush flag.  ri_FastPathEndBatch() already clears it
+        * via PG_FINALLY, so this is just defensive: it keeps a stale flag from
+        * surviving into the next transaction should any future path leave it
+        * set.
+        */
+       ri_fastpath_flushing = false;
 }
 
 /*
@@ -4287,7 +4318,6 @@ ri_FastPathGetEntry(const RI_ConstraintInfo *riinfo, Relation fk_rel)
                if (!ri_fastpath_xact_callback_registered)
                {
                        RegisterXactCallback(ri_FastPathXactCallback, NULL);
-                       RegisterSubXactCallback(ri_FastPathSubXactCallback, NULL);
                        ri_fastpath_xact_callback_registered = true;
                }
 

diff --git a/src/test/regress/expected/foreign_key.out b/src/test/regress/expected/foreign_key.out
index e08dff99f03992ad2c9a40bd74134519c947ce4a..e1563144d4c85f6e1e04d416a597895e32e0c728 100644 (file)
--- a/src/test/regress/expected/foreign_key.out
+++ b/src/test/regress/expected/foreign_key.out
@@ -3768,3 +3768,27 @@ SELECT count(*), max(a) FROM fp_reentry_fk2;  -- 64 rows, max 1
 (1 row)
 
 DROP TABLE fp_reentry_fk2, fp_reentry_pk2;
+-- Subtransaction abort during after-trigger firing must not drop FK checks
+-- for rows buffered earlier in the same statement.  Batching is confined to
+-- the top transaction level and the buffered batch is no longer discarded on
+-- subxact abort, so the violating rows are detected.
+CREATE TABLE fp_subxact_pk (id int PRIMARY KEY);
+INSERT INTO fp_subxact_pk SELECT g FROM generate_series(1, 10) g;
+CREATE TABLE fp_subxact_fk (a int, tag text);
+ALTER TABLE fp_subxact_fk ADD CONSTRAINT fp_subxact_fk_fkey
+    FOREIGN KEY (a) REFERENCES fp_subxact_pk (id);
+CREATE FUNCTION fp_abort_subxact() RETURNS trigger LANGUAGE plpgsql AS $$
+BEGIN
+    IF NEW.tag = 'boom' THEN
+        BEGIN PERFORM 1/0; EXCEPTION WHEN division_by_zero THEN NULL; END;
+    END IF;
+    RETURN NEW;
+END$$;
+CREATE TRIGGER fp_subxact_trg AFTER INSERT ON fp_subxact_fk
+    FOR EACH ROW EXECUTE FUNCTION fp_abort_subxact();
+INSERT INTO fp_subxact_fk VALUES (999, 'bad'), (0, 'boom'), (1, 'ok');
+ERROR:  insert or update on table "fp_subxact_fk" violates foreign key constraint "fp_subxact_fk_fkey"
+DETAIL:  Key (a)=(999) is not present in table "fp_subxact_pk".
+DROP TRIGGER fp_subxact_trg ON fp_subxact_fk;
+DROP FUNCTION fp_abort_subxact();
+DROP TABLE fp_subxact_fk, fp_subxact_pk;

diff --git a/src/test/regress/sql/foreign_key.sql b/src/test/regress/sql/foreign_key.sql
index 87381194f416cab6db173a96e2bbc860548b6229..abeb85965b9975472a1321c5a837251c94e086c5 100644 (file)
--- a/src/test/regress/sql/foreign_key.sql
+++ b/src/test/regress/sql/foreign_key.sql
@@ -2726,3 +2726,26 @@ BEGIN
 END$$;
 SELECT count(*), max(a) FROM fp_reentry_fk2;  -- 64 rows, max 1
 DROP TABLE fp_reentry_fk2, fp_reentry_pk2;
+
+-- Subtransaction abort during after-trigger firing must not drop FK checks
+-- for rows buffered earlier in the same statement.  Batching is confined to
+-- the top transaction level and the buffered batch is no longer discarded on
+-- subxact abort, so the violating rows are detected.
+CREATE TABLE fp_subxact_pk (id int PRIMARY KEY);
+INSERT INTO fp_subxact_pk SELECT g FROM generate_series(1, 10) g;
+CREATE TABLE fp_subxact_fk (a int, tag text);
+ALTER TABLE fp_subxact_fk ADD CONSTRAINT fp_subxact_fk_fkey
+    FOREIGN KEY (a) REFERENCES fp_subxact_pk (id);
+CREATE FUNCTION fp_abort_subxact() RETURNS trigger LANGUAGE plpgsql AS $$
+BEGIN
+    IF NEW.tag = 'boom' THEN
+        BEGIN PERFORM 1/0; EXCEPTION WHEN division_by_zero THEN NULL; END;
+    END IF;
+    RETURN NEW;
+END$$;
+CREATE TRIGGER fp_subxact_trg AFTER INSERT ON fp_subxact_fk
+    FOR EACH ROW EXECUTE FUNCTION fp_abort_subxact();
+INSERT INTO fp_subxact_fk VALUES (999, 'bad'), (0, 'boom'), (1, 'ok');
+DROP TRIGGER fp_subxact_trg ON fp_subxact_fk;
+DROP FUNCTION fp_abort_subxact();
+DROP TABLE fp_subxact_fk, fp_subxact_pk;