Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1wf3VB-005Edc-2A for pgsql-hackers@arkaria.postgresql.org; Wed, 01 Jul 2026 22:33:53 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.96) (envelope-from ) id 1wf3V7-00G0D7-36 for pgsql-hackers@arkaria.postgresql.org; Wed, 01 Jul 2026 22:33:49 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1wf3V7-00G0Cy-1m for pgsql-hackers@lists.postgresql.org; Wed, 01 Jul 2026 22:33:49 +0000 Received: from sss.pgh.pa.us ([68.162.161.243]) by makus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.98.2) (envelope-from ) id 1wf3V5-000000019Ns-3wfQ for pgsql-hackers@lists.postgresql.org; Wed, 01 Jul 2026 22:33:48 +0000 Received: from sss1.sss.pgh.pa.us (localhost [127.0.0.1]) by sss.pgh.pa.us (8.18.1/8.18.1) with ESMTP id 661MXjlr3652799; Wed, 1 Jul 2026 18:33:45 -0400 From: Tom Lane To: Laurenz Albe cc: pgsql-hackers@lists.postgresql.org Subject: Re: Making the ENUM operators LEAKPROOF In-reply-to: <8222d01be22d9d87ba1e7f47e398f4ce81af4aaf.camel@cybertec.at> References: <8222d01be22d9d87ba1e7f47e398f4ce81af4aaf.camel@cybertec.at> Comments: In-reply-to Laurenz Albe message dated "Wed, 29 Apr 2026 17:32:44 +0200" MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-ID: <3652797.1782945225.1@sss.pgh.pa.us> Date: Wed, 01 Jul 2026 18:33:45 -0400 Message-ID: <3652798.1782945225@sss.pgh.pa.us> List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk Laurenz Albe writes: > This is an attempt to get the operators from the "enum_ops" operator > class LEAKPROOF. I think we should reject this idea. Our standard for marking functions leakproof has always included a requirement that the amount of code involved be small enough that one can immediately confirm that there is no information leak. I don't think that enum_cmp() can meet that standard; the length of your argument already proves the point. The issue here is not really "can I convince myself that it's safe today?". It's more about "am I willing to bet that no future code change is going to unintentionally break the property?". The more code involved, the riskier that bet. I know that you are going to say "but text_cmp covers a lot of ground, including code (in libc or ICU) that isn't even ours". To my mind, we made an exception for text_cmp because the performance consequences of not making it leakproof were unacceptable. I do not think enum_cmp() can clear that bar either. FWIW, I do agree that marking enum_eq leakproof is safe. How many of the use-cases you are worried about would be satisfied with that? regards, tom lane