BUG #19458: OOM killer in jsonb_path_exists_opr (@?) with malformed JSONPath containing non-existent variables

I propose a targeted backpatch for REL_14/15/16 in jsonpath_exec.c to align
missing variable handling with newer branches and prevent pathological
memory growth on malformed/hostile jsonpath expressions.

Why this is not a full backport
This is intentionally not a full backport of the REL_17 jsonpath executor
refactoring (callbacks for variable access, broader executor integration,
etc.).

Why this still fixes the reported issue
On REL_14/15/16, with current behavior (missing vars -> null), some crafted
jsonpath expressions continue deep evaluation and can consume very large
memory, leading to OOM.
With this patch, execution fails early on undefined variable, matching
REL_17 behavior for this case and avoiding runaway memory use.

—
Regards,
Andrey Rachitskiy
Postgres Professional

пт, 17 апр. 2026 г. в 16:21, PG Bug reporting form <noreply@postgresql.org>:

On 20 Apr 2026, at 18:38, Andrey Rachitskiy <pl0h0yp1@gmail.com> wrote:

I propose a targeted backpatch for REL_14/15/16 in jsonpath_exec.c to align missing variable handling with newer branches and prevent pathological memory growth on malformed/hostile jsonpath expressions.

Hi! Thank you for the report and proposed fix. I've took a look into the
patch.

So we can use vars like this:

# SELECT jsonb_path_exists(
'{"x": 42}'::jsonb,
'$ ? ($"threshold" < 50)'::jsonpath,
'{"threshold": 10}'::jsonb -- HERE go vars
);

Operator @? is doing the same, but without supplied vars. And this thread
essentially points to buggy handling of vars:

# SELECT j @? '$"no_such_var"'
FROM (VALUES
('{"important": "data"}'::jsonb),
('42'::jsonb),
('null'::jsonb),
('false'::jsonb)
) AS t(j);
?column?
----------
t
t
t
t
(4 rows)

It basically says that path with value of var "no_such_var" exists everywhere.

I think it's a bug, but we would need a JSON Path expert here.

17+ throws an error, which seems suspicious to me too. @? is expected to
operate in silent mode. Perhaps, we should just return NULL instead of t.
By using RETURN_ERROR macro. But it might sound overly invasive for back
branches.

Even if we are going to throw an error, we can give mode details. I'd suggest
instead of "could not find jsonpath variable \"%s\"" throwing something like
"no variables supplied to reference by variable \"%s\"" or something along
those lines.

Besides this, the direction of the fix looks good to me. Thank you!

Best regards, Andrey Borodin.

Hi!

According to the Jsonpath standard, malformed expression should return an
error,
but not all cases of malformation are thoroughly described.

When this functionality was developed (Jsonpath and SQL/JSON) the absence
of the variable was considered as malformation and was decided to throw an
error
in threads long time ago. In case this behavior to be a subject for change
it surely
should not be backported, but the error-throwing code has to.
I agree that sometimes Json (-path) functionality provides very little info
on errors,
and it could be extended.

Changing this behavior is subject for Hackers and should be approved by Tom
Lane,
Adres Freund and other people responsible for including Jsonpath and
SQL/JSON
into Postgres.

On Tue, Apr 28, 2026 at 7:51 PM Andrey Borodin <x4mmm@yandex-team.ru> wrote:

On 20 Apr 2026, at 18:38, Andrey Rachitskiy <pl0h0yp1@gmail.com> wrote:

I propose a targeted backpatch for REL_14/15/16 in jsonpath_exec.c to

align missing variable handling with newer branches and prevent
pathological memory growth on malformed/hostile jsonpath expressions.

Hi! Thank you for the report and proposed fix. I've took a look into the
patch.

So we can use vars like this:

# SELECT jsonb_path_exists(
'{"x": 42}'::jsonb,
'$ ? ($"threshold" < 50)'::jsonpath,
'{"threshold": 10}'::jsonb -- HERE go vars
);

Operator @? is doing the same, but without supplied vars. And this thread
essentially points to buggy handling of vars:

# SELECT j @? '$"no_such_var"'
FROM (VALUES
('{"important": "data"}'::jsonb),
('42'::jsonb),
('null'::jsonb),
('false'::jsonb)
) AS t(j);
?column?
----------
t
t
t
t
(4 rows)

It basically says that path with value of var "no_such_var" exists
everywhere.

I think it's a bug, but we would need a JSON Path expert here.

17+ throws an error, which seems suspicious to me too. @? is expected to
operate in silent mode. Perhaps, we should just return NULL instead of t.
By using RETURN_ERROR macro. But it might sound overly invasive for back
branches.

Even if we are going to throw an error, we can give mode details. I'd
suggest
instead of "could not find jsonpath variable \"%s\"" throwing something
like
"no variables supplied to reference by variable \"%s\"" or something along
those lines.

Besides this, the direction of the fix looks good to me. Thank you!

Best regards, Andrey Borodin.

--
Regards,
Nikita Malakhov
Postgres Professional
The Russian Postgres Company
https://postgrespro.ru/