Re: Re: [COMMITTERS] pgsql: Fix permission tests for views/tables proven empty by constraint

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Greg Stark <stark(at)mit(dot)edu>
Cc: Robert Haas <robertmhaas(at)gmail(dot)com>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: Re: [COMMITTERS] pgsql: Fix permission tests for views/tables proven empty by constraint
Date: 2013-05-08 16:30:31
Message-ID: 1245.1368030631@sss.pgh.pa.us
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-committers pgsql-hackers

Greg Stark <stark(at)mit(dot)edu> writes:
> That's kind of dismaying. ORMs have a tendency to create queries like
> this and people may have even written such queries by hand and tested
> them to determine that postgres was able to exclude the useless
> relation. To have them install a security update and discover that
> something they had previously tested no longer worked would be
> annoying.

Turns out to be more to this than I realized before. In an example
such as the one I showed

select * from
((select f1 as x from t1 offset 0)
union all
(select f2 as x from t2 offset 0)) ss
where false;

where an appendrel subselect member can be proven empty on the basis
of outer-query clauses alone, *we don't even plan that subquery*.
The fix I had in mind for this fails to capture table references from
such a subquery.

We could extend setrefs.c to dig into unplanned subqueries and grab RTEs
out of them, but that would not be a complete fix. In particular, RTEs
would not get made for inheritance children of parent tables mentioned
in the query, since inheritance expansion is done by the planner. Now,
that wouldn't affect permissions checks because no extra permissions
checks are done on inheritance children, but it would affect the locking
behavior that Andres was worried about.

I think the only reliable way to make this optimization fully
transparent would be to go ahead and plan every subquery, even when we
know we'll discard the planning results immediately. That seems like
quite a lot of overkill. I'm not really sure I buy Greg's argument
that people might be depending on the performance benefits of not
planning such subqueries, but I guess it's not impossible either.

My inclination is to go ahead and write the extra code to dig RTEs out
of unplanned subqueries, and not worry about failing to lock inheritance
children in them.

I'm also now pretty firmly in the camp of "let's not try at all to fix
this in the back branches".

Thoughts?

regards, tom lane

In response to

Responses

Browse pgsql-committers by date

  From Date Subject
Next Message Heikki Linnakangas 2013-05-08 17:31:00 pgsql: Fix walsender failure at promotion.
Previous Message Tom Lane 2013-05-08 12:59:54 Re: [COMMITTERS] pgsql: Fix permission tests for views/tables proven empty by constraint

Browse pgsql-hackers by date

  From Date Subject
Next Message Peter Eisentraut 2013-05-08 16:34:29 Re: improving PL/Python builds on OS X
Previous Message Jeff Janes 2013-05-08 16:27:33 Re: XLogFlush invoked about twice as much after 9.2 group commit enhancement