Don't believe MinMaxExpr is leakproof without checking.

MinMaxExpr invokes the btree comparison function for its input datatype,
so it's only leakproof if that function is.  Many such functions are
indeed leakproof, but others are not, and we should not just assume that
they are.  Hence, adjust contain_leaked_vars to verify the leakproofness
of the referenced function explicitly.

I didn't add a regression test because it would need to depend on
some particular comparison function being leaky, and that's a moving
target, per discussion.

This has been wrong all along, so back-patch to supported branches.

Discussion: https://postgr.es/m/31042.1546194242@sss.pgh.pa.us

diff --git a/src/backend/optimizer/util/clauses.c b/src/backend/optimizer/util/clauses.c
index 21bf5dea9c35034ee4013c219dae6fb08e8be53b..df56569c502f325717ef85ee847a2c8db2c4fcd2 100644 (file)
--- a/src/backend/optimizer/util/clauses.c
+++ b/src/backend/optimizer/util/clauses.c
@@ -1579,7 +1579,6 @@ contain_leaked_vars_walker(Node *node, void *context)
                case T_CaseExpr:
                case T_CaseTestExpr:
                case T_RowExpr:
-               case T_MinMaxExpr:
                case T_SQLValueFunction:
                case T_NullTest:
                case T_BooleanTest:
@@ -1636,6 +1635,36 @@ contain_leaked_vars_walker(Node *node, void *context)
                        }
                        break;
 
+               case T_MinMaxExpr:
+                       {
+                               /*
+                                * MinMaxExpr is leakproof if the comparison function it calls
+                                * is leakproof.
+                                */
+                               MinMaxExpr *minmaxexpr = (MinMaxExpr *) node;
+                               TypeCacheEntry *typentry;
+                               bool            leakproof;
+
+                               /* Look up the btree comparison function for the datatype */
+                               typentry = lookup_type_cache(minmaxexpr->minmaxtype,
+                                                                                        TYPECACHE_CMP_PROC);
+                               if (OidIsValid(typentry->cmp_proc))
+                                       leakproof = get_func_leakproof(typentry->cmp_proc);
+                               else
+                               {
+                                       /*
+                                        * The executor will throw an error, but here we just
+                                        * treat the missing function as leaky.
+                                        */
+                                       leakproof = false;
+                               }
+
+                               if (!leakproof &&
+                                       contain_var_clause((Node *) minmaxexpr->args))
+                                       return true;
+                       }
+                       break;
+
                case T_CurrentOfExpr:
 
                        /*