On Mon, 2026-06-01 at 09:21 +0000, Bertrand Drouvot wrote:
> Now that we avoid orphaned objects dependencies, I resumed working on
> Robert's concern about the TOCTOU window where a REVOKE could land
> between the original permission check and the dependency recording.
> 
> Based on our discussion during PGConf.dev, PFA a new patch that uses
> the same approach as RangeVarGetRelidExtended(): record
> SharedInvalidMessageCounter at the time of the original aclcheck, then
> before locking compare the current counter to the saved value. If it
> changed, recheck permission before acquiring the lock. After the lock
> wait, if more invalidations arrived, release and retry.

RangeVarGetRelidExtended() coordinates three things:

  - name lookup
  - lock
  - ACL check

whereas recheckAclAndLock() only coordinates the latter two. That means
there can still be some strange failures, like:

  -- Session 1
  BEGIN;
  DROP SCHEMA s2;

  -- Session 2
  SET search_path=s2, s1;
  CREATE FUNCTION f() RETURNS INT LANGUAGE plpgsql AS
    $$ BEGIN RETURN 42; END; $$;

  -- Session 1
  COMMIT;

  -- Session 2
  ERROR:  referenced schema was concurrently dropped

even though no schema was actually referenced in the query, and a retry
of the transaction successfully creates the function in s1. Is that
expected?

Regards,
        Jeff Davis
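The counter-based recheck that the quoted message describes (save the invalidation counter at the original aclcheck, recheck permission if it moved before locking, and release-and-retry if more invalidations arrive during the lock wait) is easier to reason about against a naive check-then-lock. The following is an added simulation written for this thread, not code from the patch or from PostgreSQL: the counter, ACL state and lock are constructed stand-ins for SharedInvalidMessageCounter, the catalog ACL and the heavyweight lock, and the `Scenario` hooks are a hypothetical way of injecting what a concurrent session does at each point of the window.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for backend state (not PostgreSQL's own globals). */
static uint64_t shared_inval_counter;   /* mimics SharedInvalidMessageCounter */
static bool     role_has_privilege;     /* the ACL that aclcheck() consults */
static bool     object_locked;

/* Hypothetical scenario hooks: what a concurrent session does
 *  (a) between the original aclcheck and the lock attempt, and
 *  (b) while this backend is blocked waiting for the lock.
 * NULL means nothing happens at that point. */
typedef struct {
    void (*between_check_and_lock)(void);
    void (*during_lock_wait)(void);
} Scenario;

/* A REVOKE changes the ACL and sends an invalidation. */
static void ev_revoke(void)    { role_has_privilege = false; shared_inval_counter++; }
/* Some unrelated DDL only bumps the counter. */
static void ev_unrelated(void) { shared_inval_counter++; }

typedef enum { RES_OK, RES_DENIED, RES_GAVE_UP } Result;

static void reset(void)
{
    shared_inval_counter = 0;
    role_has_privilege = true;
    object_locked = false;
}

static bool aclcheck(void) { return role_has_privilege; }

/* Simulated lock acquisition: the wait hook fires once, on the first wait. */
static void lock_acquire(void (**wait_hook)(void))
{
    if (*wait_hook) { (*wait_hook)(); *wait_hook = NULL; }
    object_locked = true;
}
static void lock_release(void) { object_locked = false; }

/* The recheck loop from the thread: compare the counter saved at the original
 * aclcheck, recheck permission if it moved, lock, and retry if the wait let
 * further invalidations in. */
static Result recheck_acl_and_lock(uint64_t saved_counter, Scenario sc,
                                   int max_retries, int *retries)
{
    *retries = 0;
    for (;;) {
        if (shared_inval_counter != saved_counter) {
            if (!aclcheck())            /* privilege gone since the check */
                return RES_DENIED;
            saved_counter = shared_inval_counter;
        }
        lock_acquire(&sc.during_lock_wait);
        if (shared_inval_counter == saved_counter)
            return RES_OK;              /* nothing changed while we waited */
        lock_release();                 /* invalidations arrived: go around */
        if (++*retries > max_retries)
            return RES_GAVE_UP;
    }
}

/* Driver: original aclcheck, then the injected event, then recheck-and-lock. */
static Result run_scenario(Scenario sc, int *retries)
{
    reset();
    if (!aclcheck())
        return RES_DENIED;
    uint64_t saved = shared_inval_counter;
    if (sc.between_check_and_lock)
        sc.between_check_and_lock();
    return recheck_acl_and_lock(saved, sc, 3, retries);
}

/* The TOCTOU-prone form for contrast: check once, then lock unconditionally. */
static Result naive_check_then_lock(Scenario sc)
{
    reset();
    if (!aclcheck())
        return RES_DENIED;
    if (sc.between_check_and_lock)
        sc.between_check_and_lock();
    lock_acquire(&sc.during_lock_wait);
    return RES_OK;                      /* proceeds even after a REVOKE landed */
}

int main(void)
{
    int retries;
    Scenario revoke_between = { ev_revoke, NULL };
    Scenario revoke_in_wait = { NULL, ev_revoke };
    printf("naive, REVOKE after check: %d (0 = allowed)\n",
           naive_check_then_lock(revoke_between));
    printf("recheck, REVOKE after check: %d (1 = denied)\n",
           run_scenario(revoke_between, &retries));
    printf("recheck, REVOKE during wait: %d after %d retry\n",
           run_scenario(revoke_in_wait, &retries), retries);
    return 0;
}
```

Note that the simulation only models the check/lock pair, which is exactly the pair recheckAclAndLock() coordinates; the name lookup that RangeVarGetRelidExtended() additionally ties in is not modelled, so the schema-drop case shown in the SQL transcript above is outside what this loop can catch.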
