NotificationsYou must be signed in to change notification settings
Fork28
Star151

Commit8899a2a

committed

Replace max_expr_depth parameter with a max_stack_depth parameter that

is measured in kilobytes and checked against actual physical executionstack depth, as per my proposal of 30-Dec. This gives us a fairlybulletproof defense against crashing due to runaway recursive functions.

1 parenta09b9a3 commit8899a2aCopy full SHA for 8899a2a

File tree

13 files changed

+157

-79

lines changed

doc/src/sgml
- runtime.sgml
src
- backend
  - executor
    - execQual.c
  - optimizer/util
    - clauses.c
  - parser
    - parse_expr.c
    - parser.c
  - tcop
    - postgres.c
  - utils/misc
    - guc.c
    - postgresql.conf.sample
- bin/psql
  - tab-complete.c
- include
  - miscadmin.h
  - parser
    - parse_expr.h
  - pg_config_manual.h
  - tcop
    - tcopprot.h

13 files changed

+157

-79

lines changed

`‎doc/src/sgml/runtime.sgml`

Lines changed: 21 additions & 13 deletions

Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,5 @@`
`1`	`1`	`<!--`
`2`		`-$PostgreSQL: pgsql/doc/src/sgml/runtime.sgml,v 1.253 2004/03/2403:48:41 neilc Exp $`
	`2`	`+$PostgreSQL: pgsql/doc/src/sgml/runtime.sgml,v 1.254 2004/03/2422:40:28 tgl Exp $`
`3`	`3`	`-->`
`4`	`4`
`5`	`5`	`<Chapter Id="runtime">`
`@@ -889,6 +889,26 @@ SET ENABLE_SEQSCAN TO OFF;`
`889`	`889`	`</listitem>`
`890`	`890`	`</varlistentry>`
`891`	`891`
	`892`	`+ <varlistentry id="guc-max-stack-depth" xreflabel="max_stack_depth">`
	`893`	`+ <term><varname>max_stack_depth</varname> (<type>integer</type>)</term>`
	`894`	`+ <listitem>`
	`895`	`+ <para>`
	`896`	`+ Specifies the maximum safe depth of the server's execution stack.`
	`897`	`+ The ideal setting for this parameter is the actual stack size limit`
	`898`	`+ enforced by the kernel (as set by <literal>ulimit -s</> or local`
	`899`	`+ equivalent), less a safety margin of a megabyte or so. The safety`
	`900`	`+ margin is needed because the stack depth is not checked in every`
	`901`	`+ routine in the server, but only in key potentially-recursive routines`
	`902`	`+ such as expression evaluation. Setting the parameter higher than`
	`903`	`+ the actual kernel limit will mean that a runaway recursive function`
	`904`	`+ can crash an individual backend process. The default setting is`
	`905`	`+ 2048 KB (two megabytes), which is conservatively small and unlikely`
	`906`	`+ to risk crashes. However, it may be too small to allow execution`
	`907`	`+ of complex functions.`
	`908`	`+ </para>`
	`909`	`+ </listitem>`
	`910`	`+ </varlistentry>`
	`911`	`+`
`892`	`912`	`</variablelist>`
`893`	`913`	`</sect3>`
`894`	`914`	`<sect3 id="runtime-config-resource-fsm">`
`@@ -2573,18 +2593,6 @@ dynamic_library_path = '/usr/local/lib/postgresql:/home/my_project/lib:$libdir'`
`2573`	`2593`	`</listitem>`
`2574`	`2594`	`</varlistentry>`
`2575`	`2595`
`2576`		`- <varlistentry id="guc-max-expr-depth" xreflabel="max_expr_depth">`
`2577`		`- <term><varname>max_expr_depth</varname> (<type>integer</type>)</term>`
`2578`		`- <listitem>`
`2579`		`- <para>`
`2580`		`- Sets the maximum expression nesting depth of the parser. The`
`2581`		`- default value of 10000 is high enough for any normal query,`
`2582`		`- but you can raise it if needed. (But if you raise it too high,`
`2583`		`- you run the risk of server crashes due to stack overflow.)`
`2584`		`- </para>`
`2585`		`- </listitem>`
`2586`		`- </varlistentry>`
`2587`		`-`
`2588`	`2596`	`</variablelist>`
`2589`	`2597`	`</sect3>`
`2590`	`2598`	`</sect2>`

`‎src/backend/executor/execQual.c`

Lines changed: 16 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -8,7 +8,7 @@`
`8`	`8`	`*`
`9`	`9`	`*`
`10`	`10`	`* IDENTIFICATION`
`11`		`- * $PostgreSQL: pgsql/src/backend/executor/execQual.c,v 1.156 2004/03/17 20:48:42 tgl Exp $`
	`11`	`+ * $PostgreSQL: pgsql/src/backend/executor/execQual.c,v 1.157 2004/03/24 22:40:28 tgl Exp $`
`12`	`12`	`*`
`13`	`13`	`*-------------------------------------------------------------------------`
`14`	`14`	`*/`
`@@ -27,6 +27,11 @@`
`27`	`27`	`*trying to speed it up, the execution plan should be pre-processed`
`28`	`28`	`*to facilitate attribute sharing between nodes wherever possible,`
`29`	`29`	`*instead of doing needless copying.-cim 5/31/91`
	`30`	`+ *`
	`31`	`+ *During expression evaluation, we check_stack_depth only in`
	`32`	`+ *ExecMakeFunctionResult rather than at every single node. This`
	`33`	`+ *is a compromise that trades off precision of the stack limit setting`
	`34`	`+ *to gain speed.`
`30`	`35`	`*/`
`31`	`36`
`32`	`37`	`#include"postgres.h"`
`@@ -840,6 +845,9 @@ ExecMakeFunctionResult(FuncExprState *fcache,`
`840`	`845`	`boolhasSetArg;`
`841`	`846`	`inti;`
`842`	`847`
	`848`	`+/* Guard against stack overflow due to overly complex expressions */`
	`849`	`+check_stack_depth();`
	`850`	`+`
`843`	`851`	`/*`
`844`	`852`	`* arguments is a list of expressions to evaluate before passing to`
`845`	`853`	`* the function manager. We skip the evaluation if it was already`
`@@ -1058,6 +1066,9 @@ ExecMakeFunctionResultNoSets(FuncExprState *fcache,`
`1058`	`1066`	`FunctionCallInfoDatafcinfo;`
`1059`	`1067`	`inti;`
`1060`	`1068`
	`1069`	`+/* Guard against stack overflow due to overly complex expressions */`
	`1070`	`+check_stack_depth();`
	`1071`	`+`
`1061`	`1072`	`if (isDone)`
`1062`	`1073`	`*isDone=ExprSingleResult;`
`1063`	`1074`
`@@ -2503,6 +2514,10 @@ ExecInitExpr(Expr node, PlanState parent)`
`2503`	`2514`
`2504`	`2515`	`if (node==NULL)`
`2505`	`2516`	`returnNULL;`
	`2517`	`+`
	`2518`	`+/* Guard against stack overflow due to overly complex expressions */`
	`2519`	`+check_stack_depth();`
	`2520`	`+`
`2506`	`2521`	`switch (nodeTag(node))`
`2507`	`2522`	`{`
`2508`	`2523`	`caseT_Var:`

`‎src/backend/optimizer/util/clauses.c`

Lines changed: 9 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -8,7 +8,7 @@`
`8`	`8`	`*`
`9`	`9`	`*`
`10`	`10`	`* IDENTIFICATION`
`11`		`- * $PostgreSQL: pgsql/src/backend/optimizer/util/clauses.c,v 1.166 2004/03/21 22:29:11 tgl Exp $`
	`11`	`+ * $PostgreSQL: pgsql/src/backend/optimizer/util/clauses.c,v 1.167 2004/03/24 22:40:28 tgl Exp $`
`12`	`12`	`*`
`13`	`13`	`* HISTORY`
`14`	`14`	`* AUTHORDATEMAJOR EVENT`
`@@ -2347,6 +2347,10 @@ expression_tree_walker(Node *node,`
`2347`	`2347`	`*/`
`2348`	`2348`	`if (node==NULL)`
`2349`	`2349`	`return false;`
	`2350`	`+`
	`2351`	`+/* Guard against stack overflow due to overly complex expressions */`
	`2352`	`+check_stack_depth();`
	`2353`	`+`
`2350`	`2354`	`switch (nodeTag(node))`
`2351`	`2355`	`{`
`2352`	`2356`	`caseT_Var:`
`@@ -2720,6 +2724,10 @@ expression_tree_mutator(Node *node,`
`2720`	`2724`
`2721`	`2725`	`if (node==NULL)`
`2722`	`2726`	`returnNULL;`
	`2727`	`+`
	`2728`	`+/* Guard against stack overflow due to overly complex expressions */`
	`2729`	`+check_stack_depth();`
	`2730`	`+`
`2723`	`2731`	`switch (nodeTag(node))`
`2724`	`2732`	`{`
`2725`	`2733`	`caseT_Var:`

`‎src/backend/parser/parse_expr.c`

Lines changed: 3 additions & 33 deletions

Original file line number	Diff line number	Diff line change
`@@ -8,7 +8,7 @@`
`8`	`8`	`*`
`9`	`9`	`*`
`10`	`10`	`* IDENTIFICATION`
`11`		`- * $PostgreSQL: pgsql/src/backend/parser/parse_expr.c,v 1.166 2004/03/17 20:48:42 tgl Exp $`
	`11`	`+ * $PostgreSQL: pgsql/src/backend/parser/parse_expr.c,v 1.167 2004/03/24 22:40:29 tgl Exp $`
`12`	`12`	`*`
`13`	`13`	`*-------------------------------------------------------------------------`
`14`	`14`	`*/`
`@@ -35,9 +35,6 @@`
`35`	`35`	`#include"utils/syscache.h"`
`36`	`36`
`37`	`37`
`38`		`-intmax_expr_depth=DEFAULT_MAX_EXPR_DEPTH;`
`39`		`-staticintexpr_depth_counter=0;`
`40`		`-`
`41`	`38`	`boolTransform_null_equals= false;`
`42`	`39`
`43`	`40`	`staticNodetypecast_expression(ParseStatepstate,Node*expr,`
`@@ -47,19 +44,6 @@ static Node transformIndirection(ParseState pstate, Node *basenode,`
`47`	`44`	`List*indirection);`
`48`	`45`
`49`	`46`
`50`		`-/*`
`51`		`- * Initialize for parsing a new query.`
`52`		`- *`
`53`		`- * We reset the expression depth counter here, in case it was left nonzero`
`54`		`- * due to ereport()'ing out of the last parsing operation.`
`55`		`- */`
`56`		`-void`
`57`		`-parse_expr_init(void)`
`58`		`-{`
`59`		`-expr_depth_counter=0;`
`60`		`-}`
`61`		`-`
`62`		`-`
`63`	`47`	`/*`
`64`	`48`	`* transformExpr -`
`65`	`49`	`* Analyze and transform expressions. Type checking and type casting is`
`@@ -92,20 +76,8 @@ transformExpr(ParseState pstate, Node expr)`
`92`	`76`	`if (expr==NULL)`
`93`	`77`	`returnNULL;`
`94`	`78`
`95`		`-/*`
`96`		`- * Guard against an overly complex expression leading to coredump due`
`97`		`- * to stack overflow here, or in later recursive routines that`
`98`		`- * traverse expression trees. Note that this is very unlikely to`
`99`		`- * happen except with pathological queries; but we don't want someone`
`100`		`- * to be able to crash the backend quite that easily...`
`101`		`- */`
`102`		`-if (++expr_depth_counter>max_expr_depth)`
`103`		`-ereport(ERROR,`
`104`		`-(errcode(ERRCODE_STATEMENT_TOO_COMPLEX),`
`105`		`-errmsg("expression too complex"),`
`106`		`-errdetail("Nesting depth exceeds maximum expression depth %d.",`
`107`		`-max_expr_depth),`
`108`		`-errhint("Increase the configuration parameter \"max_expr_depth\".")));`
	`79`	`+/* Guard against stack overflow due to overly complex expressions */`
	`80`	`+check_stack_depth();`
`109`	`81`
`110`	`82`	`switch (nodeTag(expr))`
`111`	`83`	`{`
`@@ -938,8 +910,6 @@ transformExpr(ParseState pstate, Node expr)`
`938`	`910`	`break;`
`939`	`911`	`}`
`940`	`912`
`941`		`-expr_depth_counter--;`
`942`		`-`
`943`	`913`	`returnresult;`
`944`	`914`	`}`
`945`	`915`

`‎src/backend/parser/parser.c`

Lines changed: 1 addition & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -14,7 +14,7 @@`
`14`	`14`	`* Portions Copyright (c) 1994, Regents of the University of California`
`15`	`15`	`*`
`16`	`16`	`* IDENTIFICATION`
`17`		`- * $PostgreSQL: pgsql/src/backend/parser/parser.c,v 1.60 2003/11/29 19:51:52 pgsql Exp $`
	`17`	`+ * $PostgreSQL: pgsql/src/backend/parser/parser.c,v 1.61 2004/03/24 22:40:29 tgl Exp $`
`18`	`18`	`*`
`19`	`19`	`*-------------------------------------------------------------------------`
`20`	`20`	`*/`
`@@ -50,7 +50,6 @@ raw_parser(const char *str)`
`50`	`50`
`51`	`51`	`scanner_init(str);`
`52`	`52`	`parser_init();`
`53`		`-parse_expr_init();`
`54`	`53`
`55`	`54`	`yyresult=yyparse();`
`56`	`55`

`‎src/backend/tcop/postgres.c`

Lines changed: 74 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -8,7 +8,7 @@`
`8`	`8`	`*`
`9`	`9`	`*`
`10`	`10`	`* IDENTIFICATION`
`11`		`- * $PostgreSQL: pgsql/src/backend/tcop/postgres.c,v 1.396 2004/03/21 22:29:11 tgl Exp $`
	`11`	`+ * $PostgreSQL: pgsql/src/backend/tcop/postgres.c,v 1.397 2004/03/24 22:40:29 tgl Exp $`
`12`	`12`	`*`
`13`	`13`	`* NOTES`
`14`	`14`	`* this is the "main" module of the postgres backend and`
`@@ -92,11 +92,22 @@ bool Log_disconnections = false;`
`92`	`92`	`*/`
`93`	`93`	`intXfuncMode=0;`
`94`	`94`
	`95`	`+/* GUC variable for maximum stack depth (measured in kilobytes) */`
	`96`	`+intmax_stack_depth=2048;`
	`97`	`+`
	`98`	`+`
`95`	`99`	`/* ----------------`
`96`	`100`	`*private variables`
`97`	`101`	`* ----------------`
`98`	`102`	`*/`
`99`	`103`
	`104`	`+/* max_stack_depth converted to bytes for speed of checking */`
	`105`	`+staticintmax_stack_depth_bytes=2048*1024;`
	`106`	`+`
	`107`	`+/* stack base pointer (initialized by PostgresMain) */`
	`108`	`+staticchar*stack_base_ptr=NULL;`
	`109`	`+`
	`110`	`+`
`100`	`111`	`/*`
`101`	`112`	`* Flag to mark SIGHUP. Whenever the main loop comes around it`
`102`	`113`	`* will reread the configuration file. (Better than doing the`
`@@ -1970,6 +1981,64 @@ ProcessInterrupts(void)`
`1970`	`1981`	`}`
`1971`	`1982`
`1972`	`1983`
	`1984`	`+/*`
	`1985`	`+ * check_stack_depth: check for excessively deep recursion`
	`1986`	`+ *`
	`1987`	`+ * This should be called someplace in any recursive routine that might possibly`
	`1988`	`+ * recurse deep enough to overflow the stack. Most Unixen treat stack`
	`1989`	`+ * overflow as an unrecoverable SIGSEGV, so we want to error out ourselves`
	`1990`	`+ * before hitting the hardware limit. Unfortunately we have no direct way`
	`1991`	`+ * to detect the hardware limit, so we have to rely on the admin to set a`
	`1992`	`+ * GUC variable for it ...`
	`1993`	`+ */`
	`1994`	`+void`
	`1995`	`+check_stack_depth(void)`
	`1996`	`+{`
	`1997`	`+charstack_top_loc;`
	`1998`	`+intstack_depth;`
	`1999`	`+`
	`2000`	`+/*`
	`2001`	`+ * Compute distance from PostgresMain's local variables to my own`
	`2002`	`+ *`
	`2003`	`+ * Note: in theory stack_depth should be ptrdiff_t or some such, but`
	`2004`	`+ * since the whole point of this code is to bound the value to something`
	`2005`	`+ * much less than integer-sized, int should work fine.`
	`2006`	`+ */`
	`2007`	`+stack_depth= (int) (stack_base_ptr-&stack_top_loc);`
	`2008`	`+/*`
	`2009`	`+ * Take abs value, since stacks grow up on some machines, down on others`
	`2010`	`+ */`
	`2011`	`+if (stack_depth<0)`
	`2012`	`+stack_depth=-stack_depth;`
	`2013`	`+/*`
	`2014`	`+ * Trouble?`
	`2015`	`+ *`
	`2016`	`+ * The test on stack_base_ptr prevents us from erroring out if called`
	`2017`	`+ * during process setup or in a non-backend process. Logically it should`
	`2018`	`+ * be done first, but putting it here avoids wasting cycles during normal`
	`2019`	`+ * cases.`
	`2020`	`+ */`
	`2021`	`+if (stack_depth>max_stack_depth_bytes&&`
	`2022`	`+stack_base_ptr!=NULL)`
	`2023`	`+{`
	`2024`	`+ereport(ERROR,`
	`2025`	`+(errcode(ERRCODE_STATEMENT_TOO_COMPLEX),`
	`2026`	`+errmsg("stack depth limit exceeded"),`
	`2027`	`+errhint("Increase the configuration parameter \"max_stack_depth\".")));`
	`2028`	`+}`
	`2029`	`+}`
	`2030`	`+`
	`2031`	`+/* GUC assign hook to update max_stack_depth_bytes from max_stack_depth */`
	`2032`	`+bool`
	`2033`	`+assign_max_stack_depth(intnewval,booldoit,GucSourcesource)`
	`2034`	`+{`
	`2035`	`+/* Range check was already handled by guc.c */`
	`2036`	`+if (doit)`
	`2037`	`+max_stack_depth_bytes=newval*1024;`
	`2038`	`+return true;`
	`2039`	`+}`
	`2040`	`+`
	`2041`	`+`
`1973`	`2042`	`staticvoid`
`1974`	`2043`	`usage(char*progname)`
`1975`	`2044`	`{`
`@@ -2030,6 +2099,7 @@ PostgresMain(int argc, char argv[], const char username)`
`2030`	`2099`	`GucSourcegucsource;`
`2031`	`2100`	`char*tmp;`
`2032`	`2101`	`intfirstchar;`
	`2102`	`+charstack_base;`
`2033`	`2103`	`StringInfoDatainput_message;`
`2034`	`2104`	`volatileboolsend_rfq= true;`
`2035`	`2105`
`@@ -2069,6 +2139,9 @@ PostgresMain(int argc, char argv[], const char username)`
`2069`	`2139`
`2070`	`2140`	`SetProcessingMode(InitProcessing);`
`2071`	`2141`
	`2142`	`+/* Set up reference point for stack depth checking */`
	`2143`	`+stack_base_ptr=&stack_base;`
	`2144`	`+`
`2072`	`2145`	`/*`
`2073`	`2146`	`* Set default values for command-line options.`
`2074`	`2147`	`*/`

`‎src/backend/utils/misc/guc.c`

Lines changed: 11 additions & 10 deletions

Original file line number	Diff line number	Diff line change
`@@ -10,7 +10,7 @@`
`10`	`10`	`* Written by Peter Eisentraut <peter_e@gmx.net>.`
`11`	`11`	`*`
`12`	`12`	`* IDENTIFICATION`
`13`		`- * $PostgreSQL: pgsql/src/backend/utils/misc/guc.c,v 1.192 2004/03/23 01:23:48 tgl Exp $`
	`13`	`+ * $PostgreSQL: pgsql/src/backend/utils/misc/guc.c,v 1.193 2004/03/24 22:40:29 tgl Exp $`
`14`	`14`	`*`
`15`	`15`	`*--------------------------------------------------------------------`
`16`	`16`	`*/`
`@@ -1023,6 +1023,15 @@ static struct config_int ConfigureNamesInt[] =`
`1023`	`1023`	`16384,1024,INT_MAX /1024,NULL,NULL`
`1024`	`1024`	`},`
`1025`	`1025`
	`1026`	`+{`
	`1027`	`+{"max_stack_depth",PGC_SUSET,RESOURCES_MEM,`
	`1028`	`+gettext_noop("Sets the maximum stack depth, in kilobytes."),`
	`1029`	`+NULL`
	`1030`	`+},`
	`1031`	`+&max_stack_depth,`
	`1032`	`+2048,100,INT_MAX /1024,assign_max_stack_depth,NULL`
	`1033`	`+},`
	`1034`	`+`
`1026`	`1035`	`{`
`1027`	`1036`	`{"vacuum_cost_page_hit",PGC_USERSET,RESOURCES,`
`1028`	`1037`	`gettext_noop("Vacuum cost for a page found in the buffer cache."),`
`@@ -1097,14 +1106,6 @@ static struct config_int ConfigureNamesInt[] =`
`1097`	`1106`	`0,0,INT_MAX,NULL,NULL`
`1098`	`1107`	`},`
`1099`	`1108`	`#endif`
`1100`		`-{`
`1101`		`-{"max_expr_depth",PGC_USERSET,CLIENT_CONN_OTHER,`
`1102`		`-gettext_noop("Sets the maximum expression nesting depth."),`
`1103`		`-NULL`
`1104`		`-},`
`1105`		`-&max_expr_depth,`
`1106`		`-DEFAULT_MAX_EXPR_DEPTH,10,INT_MAX,NULL,NULL`
`1107`		`-},`
`1108`	`1109`
`1109`	`1110`	`{`
`1110`	`1111`	`{"statement_timeout",PGC_USERSET,CLIENT_CONN_STATEMENT,`
`@@ -1246,7 +1247,7 @@ static struct config_int ConfigureNamesInt[] =`
`1246`	`1247`	`},`
`1247`	`1248`
`1248`	`1249`	`{`
`1249`		`-{"debug_shared_buffers",PGC_POSTMASTER,RESOURCES_MEM,`
	`1250`	`+{"debug_shared_buffers",PGC_POSTMASTER,STATS_MONITORING,`
`1250`	`1251`	`gettext_noop("Interval to report shared buffer status in seconds"),`
`1251`	`1252`	`NULL`
`1252`	`1253`	`},`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit8899a2a

File tree

13 files changed

13 files changed

`‎doc/src/sgml/runtime.sgml`

`‎src/backend/executor/execQual.c`

`‎src/backend/optimizer/util/clauses.c`

`‎src/backend/parser/parse_expr.c`

`‎src/backend/parser/parser.c`

`‎src/backend/tcop/postgres.c`

`‎src/backend/utils/misc/guc.c`

0 commit comments