Merge #148531

148531: sql/rls: push join through permeable Barriers when ON filters are leakproof r=spilchen a=spilchen

Adds normalization rules to push InnerJoin and InnerJoinApply operators below a permeable Barrier when all ON clause filters are leakproof. The Barrier is rewrapped above the join to preserve its semantics while allowing better plan shapes.

This change helps optimize queries affected by RLS, which typically involve barriers around injected RLS predicates.

Note: A similar rule for semi-joins was considered, but no test scenario was found where a barrier incorrectly appears below a semi-join. Existing optgen rules seem to avoid that situation. The semi-join query remains in the join test I added.

Closes #146952

Epic: CRDB-48807
Release note: none

Co-authored-by: Matt Spilchen <[email protected]>

Author: craig[bot]

pkg/sql/opt/exec/explain/testdata/row_level_security

@@ -174,13 +174,10 @@ select t1.c1 from t1, t2 where t1.c1 = t2.c1 and t1.c1 = 1;
 ----
 • cross join
 │
-├── • index join
-│   │ table: t1@t1_pkey
-│   │
-│   └── • scan
-│         table: t1@t1_idx
-│         spans: 1+ spans
-│         policies: policy 1, p2, p3, r1, r2
+├── • scan
+│     table: t1@t1_idx
+│     spans: 1+ spans
+│     policies: policy 1, p2, p3, r1, r2
 │
 └── • filter
     │ filter: c1 = _

pkg/sql/opt/norm/general_funcs.go

@@ -635,6 +635,11 @@ func (c *CustomFuncs) FuncDeps(expr memo.RelExpr) *props.FuncDepSet {
 	return &expr.Relational().FuncDeps
 }
 
+// IsLeakproof returns true if the given expression is leakproof.
+func (c *CustomFuncs) IsLeakproof(expr memo.RelExpr) bool {
+	return expr.Relational().VolatilitySet.IsLeakproof()
+}
+
 // ----------------------------------------------------------------------
 //
 // Ordering functions
@@ -1605,3 +1610,13 @@ func (c *CustomFuncs) SplitLeakproofFilters(
 	}
 	return leakproofFilters, remainingFilters, true
 }
+
+// HasAllLeakProofFilters returns true if every filter given is leakproof.
+func (c *CustomFuncs) HasAllLeakProofFilters(filters memo.FiltersExpr) bool {
+	for i := range filters {
+		if !filters[i].ScalarProps().VolatilitySet.IsLeakproof() {
+			return false
+		}
+	}
+	return true
+}

pkg/sql/opt/norm/rules/join.opt

@@ -845,3 +845,47 @@ $left
     )
     $on
 )
+
+# PushLeakproofJoinIntoPermeableBarrierLeft moves a join below a permeable
+# Barrier on its left input when all ON filters are leakproof. The Barrier is
+# then placed above the join. This is safe because leakproof filters can be
+# reordered freely, and the Barrier allows such movement when marked as
+# LeakproofPermeable. This rule is effectively pushing the left input into the
+# Barrier, so the left input must be leakproof as well.
+[PushLeakproofJoinIntoPermeableBarrierLeft, Normalize]
+(InnerJoin | InnerJoinApply
+    (Barrier
+        $left:*
+        $leakproofPermeable:* & (If $leakproofPermeable)
+    )
+    $right:* & (IsLeakproof $right)
+    $on:* & (HasAllLeakProofFilters $on)
+    $private:*
+)
+=>
+(Barrier
+    ((OpName) $left $right $on $private)
+    $leakproofPermeable
+)
+
+# PushLeakproofJoinIntoPermeableBarrierRight is the right-side variant.
+# It moves a join below a permeable Barrier on its right input when all ON
+# filters are leakproof, then rewraps the join in the Barrier to preserve its
+# blocking behavior for non-leakproof expressions higher in the plan. This rule
+# is effectively pushing the right input into the Barrier, so the right input
+# must be leakproof as well.
+[PushLeakproofJoinIntoPermeableBarrierRight, Normalize]
+(InnerJoin | InnerJoinApply
+    $left:* & (IsLeakproof $left)
+    (Barrier
+        $right:*
+        $leakproofPermeable:* & (If $leakproofPermeable)
+    )
+    $on:* & (HasAllLeakProofFilters $on)
+    $private:*
+)
+=>
+(Barrier
+    ((OpName) $left $right $on $private)
+    $leakproofPermeable
+)