Re: BUG #16041: Error shows up both in pgAdmin and in Ruby (pg gem) -Segmentation fault

From: Chris Bandy
Subject: Re: BUG #16041: Error shows up both in pgAdmin and in Ruby (pg gem) -Segmentation fault
Msg-id: 93f7379b-2e2f-db0c-980e-07ebd5de92ff@crunchydata.com
In response to: BUG #16041: Error shows up both in pgAdmin and in Ruby (pg gem) - Segmentation fault  (PG Bug reporting form <noreply@postgresql.org>)
Responses: Re: BUG #16041: Error shows up both in pgAdmin and in Ruby (pg gem) -Segmentation fault  (Chris Bandy <chris.bandy@crunchydata.com>)
Re: BUG #16041: Error shows up both in pgAdmin and in Ruby (pg gem)- Segmentation fault  (Stephen Frost <sfrost@snowman.net>)
List: pgsql-bugs

Hello,

I am able to reproduce this on macOS 10.14 (Mojave) in multiple versions 
of Ruby and in a minimal C program.

Steps to reproduce:

1. Install libpq for PostgreSQL 12:
    brew install postgresql@12

2. Install the pg gem:
    gem install pg

3. Start a PostgreSQL server:
    docker run --rm -d -p 127.0.0.1:5432:5432 postgres:12

4. Execute some GSS path before and after fork:
    ruby -r pg -e '
      PG.connect(host: "localhost")
      Process.fork { PG.connect(host: "localhost") }
      Process.wait
    '

Notice that host must be a TCP address (not Unix) and gssencmode must be 
"prefer" (default is "prefer".) The version of the server doesn't appear 
to matter; I tested 10, 11, and 12.

This can also happen in `rails console` if an application initializer 
interacts with ActiveRecord or a descendant (i.e. opens a database 
connection.) Any further interaction with ActiveRecord on the console 
segfaults.

This has been reported in a variety of Ruby projects and often dismissed 
as "a PostgreSQL issue."


I found a similar trace in a Python package that interacts with the 
macOS keychain.[1] There they narrowed it to a single call, raised the 
issue upstream, and were told, in short, "you can't use keychain after fork."

Based on that report, I crafted a minimal C program to make the same GSS 
call as libpq. I compiled (with deprecation warnings) and tested with 
the following:

    gcc macos-gss-crash.c -o macos-gss-crash -lgssapi_krb5
    ./macos-gss-crash

It prints:

    before gss_acquire_cred in main
    after gss_acquire_cred in main
    gss complete: true
    before gss_acquire_cred in child
    child signalled: 11

I've attached the C program and crash reports for it and the above Ruby 
snippet.

Thanks!

Chris

[1]: https://github.com/jaraco/keyring/issues/281


On 10/4/19 5:43 PM, PG Bug reporting form wrote:
> The following bug has been logged on the website:
> 
> Bug reference:      16041
> Logged by:          Mark Siemers
> Email address:      mark.siemers@gmail.com
> PostgreSQL version: 12.0
> Operating system:   Mac OS X Mojave 10.14.6
> Description:
> 
> For further details (including crash report) see bugs filed with
> third-parties:
> Ruby - https://bugs.ruby-lang.org/issues/16239
> pgAdmin 4 - https://redmine.postgresql.org/issues/4813
> 
> The speculation from a ruby maintainer is there is an issue with GSS
> authentication on OS X.
> 
> Snippet of stack trace below:
> 7   ???                             0x0000000200000000 0 + 8589934592
> 8   com.apple.security              0x00007fff3f57c059 invocation function
> for block in
> Security::KeychainCore::StorageManager::tickleKeychain(Security::KeychainCore::KeychainImpl*)
> + 287
> 9   libdispatch.dylib               0x00007fff5fd6d63d
> _dispatch_client_callout + 8
> 10  libdispatch.dylib               0x00007fff5fd79129
> _dispatch_lane_barrier_sync_invoke_and_complete + 60
> 11  com.apple.security              0x00007fff3f57be47
> Security::KeychainCore::StorageManager::tickleKeychain(Security::KeychainCore::KeychainImpl*)
> + 441
> 12  com.apple.security              0x00007fff3f37cae2
> Security::KeychainCore::KCCursorImpl::next(Security::KeychainCore::Item&) +
> 230
> 13  com.apple.security              0x00007fff3f523c98
> Security::KeychainCore::IdentityCursor::next(Security::SecPointer<Security::KeychainCore::Identity>&)
> + 192
> 14  com.apple.security              0x00007fff3f545f2f
> SecIdentitySearchCopyNext + 145
> 15  com.apple.security              0x00007fff3f550956
> SecItemCopyMatching_osx(__CFDictionary const*, void const**) + 238
> 16  com.apple.security              0x00007fff3f553fc5 SecItemCopyMatching +
> 316
> 17  com.apple.Heimdal               0x00007fff4feae830 0x7fff4fe5c000 +
> 337968
> 18  com.apple.Heimdal               0x00007fff4fead35e hx509_certs_find +
> 67
> 19  com.apple.Heimdal               0x00007fff4fe88a6c _krb5_pk_find_cert +
> 246
> 20  com.apple.GSS                   0x00007fff364dbd8e
> _gsspku2u_acquire_cred + 386
> 21  com.apple.GSS                   0x00007fff364cb0d8 gss_acquire_cred +
> 523
> 22  libpq.5.dylib                   0x0000000112b4b77d
> pg_GSS_have_cred_cache + 54
> 23  libpq.5.dylib                   0x0000000112b39edf PQconnectPoll +
> 6377
> 24  libpq.5.dylib                   0x0000000112b36f8b connectDBComplete +
> 232
> 25  libpq.5.dylib                   0x0000000112b37112 PQconnectdb + 36
> 26  pg_ext.bundle                   0x000000011157ab01
> gvl_PQconnectdb_skeleton + 17
> 27  ruby                            0x000000010f1dfff9 call_without_gvl +
> 185
> 28  pg_ext.bundle                   0x000000011157aadd gvl_PQconnectdb +
> 45
> 29  pg_ext.bundle                   0x000000011157fcb9 pgconn_init + 121
> 30  ruby                            0x000000010f221b1c vm_call0_body + 604
>
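
Added example, not the program attached to the message above and not PostgreSQL code: a C harness for the test the message describes, which makes a call once in the parent, repeats it in a forked child, and reports the signal that ended the child. With `-DWITH_GSS` the probe is the `gss_acquire_cred` lookup that the quoted trace shows libpq reaching. The function names, the `WITH_GSS` switch and the `<gssapi/gssapi.h>` header path are assumptions; without `-DWITH_GSS -lgssapi_krb5` the probe is a stand-in that makes no GSS call.

```c
/* Added example. Build with -DWITH_GSS -lgssapi_krb5 to probe the real call. */
#include <signal.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

#ifdef WITH_GSS
#include <gssapi/gssapi.h>   /* assumed header path */
static int probe(void)
{
    OM_uint32 major, minor;
    gss_cred_id_t cred = GSS_C_NO_CREDENTIAL;
    major = gss_acquire_cred(&minor, GSS_C_NO_NAME, 0, GSS_C_NO_OID_SET,
                             GSS_C_INITIATE, &cred, NULL, NULL);
    if (major == GSS_S_COMPLETE)
        gss_release_cred(&minor, &cred);
    return major == GSS_S_COMPLETE;
}
#else
static int probe(void) { return 0; }  /* stand-in: makes no GSS call */
#endif

/* Run fn in a forked child; return the signal that killed it,
 * 0 if it exited normally, or -1 if fork/waitpid failed. */
int signal_after_fork(int (*fn)(void))
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        fn();
        _exit(0);          /* skip atexit handlers and stdio flush */
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFSIGNALED(status) ? WTERMSIG(status) : 0;
}
/* Constructed crasher: confirms the harness reports a SIGSEGV child. */
int crash(void) { signal(SIGSEGV, SIG_DFL); return raise(SIGSEGV); }
/* The sequence from the message: once in the parent, then in a child. */
int probe_parent_then_child(void)
{
    printf("gss complete: %s\n", probe() ? "true" : "false");
    return signal_after_fork(probe);
}
int main(void)
{
    int sig = probe_parent_then_child();
    if (sig > 0) printf("child signalled: %d\n", sig);
    return sig != 0;
}
```

The exit status is non-zero when the child was killed by a signal, so the harness can be run unattended against a given OS and library version.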
