Make LOAD of an already-loaded library into a no-op, instead of attempting

tglsfdc · tglsfdc · commit 602a9ef5a7c6 · 2009-09-03T22:11:07.000Z
to unload and re-load the library.

The difficulty with unloading a library is that we haven't defined safe
protocols for doing so.  In particular, there's no safe mechanism for
getting out of a "hook" function pointer unless libraries are unloaded
in reverse order of loading.  And there's no mechanism at all for undefining
a custom GUC variable, so GUC would be left with a pointer to an old value
that might or might not still be valid, and very possibly wouldn't be in
the same place anymore.

While the unload and reload behavior had some usefulness in easing
development of new loadable libraries, it's of no use whatever to normal
users, so just disabling it isn't giving up that much.  Someday we might
care to expend the effort to develop safe unload protocols; but even if
we did, there'd be little certainty that every third-party loadable module
was following them, so some security restrictions would still be needed.

Back-patch to 8.2; before that, LOAD was superuser-only anyway.

Security: unprivileged users could crash backend.  CVE not assigned yet
diff --git a/doc/src/sgml/ref/create_function.sgml b/doc/src/sgml/ref/create_function.sgml
@@ -1,5 +1,5 @@
 <!--
-$PostgreSQL: pgsql/doc/src/sgml/ref/create_function.sgml,v 1.84 2008/12/31 02:25:03 tgl Exp $
+$PostgreSQL: pgsql/doc/src/sgml/ref/create_function.sgml,v 1.85 2009/09/03 22:11:07 tgl Exp $
 -->
 
 <refentry id="SQL-CREATEFUNCTION">
@@ -528,8 +528,7 @@ CREATE FUNCTION foo(int, int default 42) ...
     When repeated <command>CREATE FUNCTION</command> calls refer to
     the same object file, the file is only loaded once per session.
     To unload and
-    reload the file (perhaps during development), use the <xref
-    linkend="sql-load" endterm="sql-load-title"> command.
+    reload the file (perhaps during development), start a new session.
    </para>
 
    <para>
diff --git a/doc/src/sgml/ref/load.sgml b/doc/src/sgml/ref/load.sgml
@@ -1,5 +1,5 @@
 <!--
-$PostgreSQL: pgsql/doc/src/sgml/ref/load.sgml,v 1.25 2008/11/14 10:22:47 petere Exp $
+$PostgreSQL: pgsql/doc/src/sgml/ref/load.sgml,v 1.26 2009/09/03 22:11:07 tgl Exp $
 -->
 
 <refentry id="SQL-LOAD">
@@ -11,7 +11,7 @@ $PostgreSQL: pgsql/doc/src/sgml/ref/load.sgml,v 1.25 2008/11/14 10:22:47 petere
 
  <refnamediv>
   <refname>LOAD</refname>
-  <refpurpose>load or reload a shared library file</refpurpose>
+  <refpurpose>load a shared library file</refpurpose>
  </refnamediv>
 
  <indexterm zone="sql-load">
@@ -29,13 +29,12 @@ LOAD '<replaceable class="PARAMETER">filename</replaceable>'
 
   <para>
    This command loads a shared library file into the <productname>PostgreSQL</>
-   server's address space.  If the file had been loaded previously,
-   it is first unloaded.  This command is primarily useful to unload
-   and reload a shared library file that has been changed since the
-   server first loaded it.  To make use of the shared library,
-   function(s) in it need to be declared using the <xref
-   linkend="sql-createfunction" endterm="sql-createfunction-title">
-   command.
+   server's address space.  If the file has been loaded already,
+   the command does nothing.  Shared library files that contain C functions
+   are automatically loaded whenever one of their functions is called.
+   Therefore, an explicit <command>LOAD</> is usually only needed to
+   load a library that modifies the server's behavior through <quote>hooks</>
+   rather than providing a set of functions.
   </para>
 
   <para>
diff --git a/doc/src/sgml/xfunc.sgml b/doc/src/sgml/xfunc.sgml
@@ -1,4 +1,4 @@
-<!-- $PostgreSQL: pgsql/doc/src/sgml/xfunc.sgml,v 1.138 2009/05/27 01:18:06 tgl Exp $ -->
+<!-- $PostgreSQL: pgsql/doc/src/sgml/xfunc.sgml,v 1.139 2009/09/03 22:11:07 tgl Exp $ -->
 
  <sect1 id="xfunc">
   <title>User-Defined Functions</title>
@@ -1481,9 +1481,7 @@ PG_MODULE_MAGIC;
     file is retained in memory.  Future calls in the same session to
     the function(s) in that file will only incur the small overhead of
     a symbol table lookup.  If you need to force a reload of an object
-    file, for example after recompiling it, use the <xref
-    linkend="sql-load" endterm="sql-load-title"> command or begin a
-    fresh session.
+    file, for example after recompiling it, begin a fresh session.
    </para>
 
    <indexterm zone="xfunc-c-dynload">
@@ -1509,8 +1507,8 @@ PG_MODULE_MAGIC;
     unloading the file.  Likewise, the function receives no parameters and
     should return void.  Note that <function>_PG_fini</> will only be called
     during an unload of the file, not during process termination.
-    (Presently, an unload only happens in the context of re-loading
-    the file due to an explicit <command>LOAD</> command.)
+    (Presently, unloads are disabled and will never occur, but this may
+    change in the future.)
    </para>
 
   </sect2>
diff --git a/src/backend/utils/fmgr/dfmgr.c b/src/backend/utils/fmgr/dfmgr.c
@@ -8,7 +8,7 @@
  *
  *
  * IDENTIFICATION
- *	  $PostgreSQL: pgsql/src/backend/utils/fmgr/dfmgr.c,v 1.99 2009/06/11 14:49:05 momjian Exp $
+ *	  $PostgreSQL: pgsql/src/backend/utils/fmgr/dfmgr.c,v 1.100 2009/09/03 22:11:07 tgl Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -385,10 +385,17 @@ incompatible_module_error(const char *libname,
  * Unload the specified dynamic-link library file, if it is loaded.
  *
  * Note: libname is expected to be an exact name for the library file.
+ *
+ * XXX for the moment, this is disabled, resulting in LOAD of an already-loaded
+ * library always being a no-op.  We might re-enable it someday if we can
+ * convince ourselves we have safe protocols for un-hooking from hook function
+ * pointers, releasing custom GUC variables, and perhaps other things that
+ * are definitely unsafe currently.
  */
 static void
 internal_unload_library(const char *libname)
 {
+#ifdef NOT_USED
 	DynamicFileList *file_scanner,
 			   *prv,
 			   *nxt;
@@ -436,6 +443,7 @@ internal_unload_library(const char *libname)
 		else
 			prv = file_scanner;
 	}
+#endif /* NOT_USED */
 }
 
 static bool

Original file line number	Diff line number	Diff line change
`@@ -8,7 +8,7 @@`
`8`	`8`	`*`
`9`	`9`	`*`
`10`	`10`	`* IDENTIFICATION`
`11`		`- * $PostgreSQL: pgsql/src/backend/utils/fmgr/dfmgr.c,v 1.99 2009/06/11 14:49:05 momjian Exp $`
	`11`	`+ * $PostgreSQL: pgsql/src/backend/utils/fmgr/dfmgr.c,v 1.100 2009/09/03 22:11:07 tgl Exp $`
`12`	`12`	`*`
`13`	`13`	`*-------------------------------------------------------------------------`
`14`	`14`	`*/`
`@@ -385,10 +385,17 @@ incompatible_module_error(const char *libname,`
`385`	`385`	`* Unload the specified dynamic-link library file, if it is loaded.`
`386`	`386`	`*`
`387`	`387`	`* Note: libname is expected to be an exact name for the library file.`
	`388`	`+ *`
	`389`	`+ * XXX for the moment, this is disabled, resulting in LOAD of an already-loaded`
	`390`	`+ * library always being a no-op. We might re-enable it someday if we can`
	`391`	`+ * convince ourselves we have safe protocols for un-hooking from hook function`
	`392`	`+ * pointers, releasing custom GUC variables, and perhaps other things that`
	`393`	`+ * are definitely unsafe currently.`
`388`	`394`	`*/`
`389`	`395`	`static void`
`390`	`396`	`internal_unload_library(const char *libname)`
`391`	`397`	`{`
	`398`	`+#ifdef NOT_USED`
`392`	`399`	`DynamicFileList *file_scanner,`
`393`	`400`	`*prv,`
`394`	`401`	`*nxt;`
`@@ -436,6 +443,7 @@ internal_unload_library(const char *libname)`
`436`	`443`	`else`
`437`	`444`	`prv = file_scanner;`
`438`	`445`	`}`
	`446`	`+#endif /* NOT_USED */`
`439`	`447`	`}`
`440`	`448`
`441`	`449`	`static bool`