VEF extensions shouldn't share symbols (#435)

malone-at-work · dbentley-vsql · commit b96ccff5cb68 · 2026-02-06T18:09:55.000-05:00
If two VEBs are installed with similar methods this could cause:
1. The wrong function called
2. After uninstalling one extension, calling the other could crash.
3. After uninstalling one extension, unregistering the other could crash.

Changes included:
* RTLD_LOCAL is not the default on mac, so we should set it in dlopen().
* Mark materialize_func_desc as hidden so the dynamic linker doesn't coallesce it across .so files..
* Add a test that reproduces this behavior (at least on mac).

GitOrigin-RevId: 09375fc42938f751d0f22c471bcc9b1019c0e944
diff --git a/mysql-test/suite/villagesql/extension/r/vdf_multi_extension_crash.result b/mysql-test/suite/villagesql/extension/r/vdf_multi_extension_crash.result
@@ -0,0 +1,25 @@
+# Test: VDF crash when two extensions share func_desc pointers
+call mtr.add_suppression("Orphaned expansion directory found but not removed");
+# restart: --veb-dir=MYSQLTEST_VARDIR/veb
+Creating extension test_vdf_ext using SDK...
+Created test_vdf_ext.veb
+Creating extension test_vdf_alt using SDK...
+Created test_vdf_alt.veb
+# Install both extensions
+INSTALL EXTENSION test_vdf_ext;
+INSTALL EXTENSION test_vdf_alt;
+# Qualified calls work with both extensions loaded
+SELECT test_vdf_ext.simple_int_func() AS result;
+result
+42
+SELECT test_vdf_alt.simple_int_func() AS result;
+result
+99
+# Uninstall second extension only
+UNINSTALL EXTENSION test_vdf_alt;
+# Qualified call to first extension should still work
+SELECT test_vdf_ext.simple_int_func() AS result;
+result
+42
+# Cleanup
+UNINSTALL EXTENSION test_vdf_ext;
diff --git a/mysql-test/suite/villagesql/extension/t/vdf_multi_extension_crash.test b/mysql-test/suite/villagesql/extension/t/vdf_multi_extension_crash.test
@@ -0,0 +1,47 @@
+# Reproduction test: loading two extensions with similar VDF signatures
+# causes func_desc pointer sharing due to COMDAT/ICF merging of static
+# variables in materialize_func_desc<>. Uninstalling one extension
+# invalidates the other extension's func_desc pointers.
+#
+# This test uses only qualified VDF calls (extension.function syntax).
+
+--echo # Test: VDF crash when two extensions share func_desc pointers
+
+# Setup VEB directory for testing
+--let $veb_dir = $MYSQLTEST_VARDIR/veb
+--exec mkdir -p $veb_dir
+
+# Restart server with --veb-dir option
+call mtr.add_suppression("Orphaned expansion directory found but not removed");
+--replace_result $MYSQLTEST_VARDIR MYSQLTEST_VARDIR
+--let $restart_parameters = restart: --veb-dir=$veb_dir
+--source include/restart_mysqld.inc
+
+# Create first extension
+--let $extension_name = test_vdf_ext
+--let $extension_version = 1.0.0
+--let $extension_source = $MYSQL_TEST_DIR/suite/villagesql/std_data/simple_vdf.cc
+--source include/villagesql/create_extension_sdk.inc
+
+# Create second extension (has overlapping function name: simple_int_func)
+--let $extension_name = test_vdf_alt
+--let $extension_version = 1.0.0
+--let $extension_source = $MYSQL_TEST_DIR/suite/villagesql/std_data/simple_vdf_alt.cc
+--source include/villagesql/create_extension_sdk.inc
+
+--echo # Install both extensions
+INSTALL EXTENSION test_vdf_ext;
+INSTALL EXTENSION test_vdf_alt;
+
+--echo # Qualified calls work with both extensions loaded
+SELECT test_vdf_ext.simple_int_func() AS result;
+SELECT test_vdf_alt.simple_int_func() AS result;
+
+--echo # Uninstall second extension only
+UNINSTALL EXTENSION test_vdf_alt;
+
+--echo # Qualified call to first extension should still work
+SELECT test_vdf_ext.simple_int_func() AS result;
+
+--echo # Cleanup
+UNINSTALL EXTENSION test_vdf_ext;
diff --git a/mysql-test/suite/villagesql/std_data/simple_vdf_alt.cc b/mysql-test/suite/villagesql/std_data/simple_vdf_alt.cc
@@ -0,0 +1,48 @@
+/* Copyright (c) 2026 VillageSQL Contributors
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, see <https://www.gnu.org/licenses/>.
+ */
+
+// Alternative simple test UDFs for extension testing.
+// Used to test ambiguous function name resolution when multiple extensions
+// provide the same function name.
+
+#include <villagesql/extension.h>
+
+#include <cstring>
+
+// Returns a different constant integer value (99)
+void simple_int_func_impl(vef_context_t *ctx, vef_vdf_result_t *out) {
+  out->int_value = 99;
+  out->type = VEF_RESULT_VALUE;
+}
+
+// Returns a different constant string value
+void alt_string_func_impl(vef_context_t *ctx, vef_vdf_result_t *out) {
+  const char *msg = "Hello from alt extension";
+  size_t len = strlen(msg);
+  memcpy(out->str_buf, msg, len);
+  out->actual_len = len;
+  out->type = VEF_RESULT_VALUE;
+}
+
+VEF_GENERATE_ENTRY_POINTS(
+    make_extension("simple_udf_alt", "0.0.1-devtest")
+        .func(make_func<&simple_int_func_impl>("simple_int_func")
+                  .returns(INT)
+                  .build())
+        .func(make_func<&alt_string_func_impl>("alt_string_func")
+                  .returns(STRING)
+                  .buffer_size(100)
+                  .build()))
diff --git a/villagesql/sdk/include/villagesql/func_builder.h b/villagesql/sdk/include/villagesql/func_builder.h
@@ -258,8 +258,15 @@ struct StaticFuncDesc {
 // Materializes the ABI descriptor structures at registration time.
 // Uses template parameters to ensure each function gets unique static storage.
 // FuncData is the StaticFuncDesc type, Index ensures uniqueness per function.
+//
+// Hidden visibility prevents the dynamic linker from coalescing identical
+// template instantiations across different extension .so files. Without this,
+// two extensions with functions of the same signature and index would share
+// the same static desc/signature objects, causing use-after-free when one
+// extension is unloaded.
 template <typename FuncData, size_t Index>
-vef_func_desc_t *materialize_func_desc(const FuncData &func_data) {
+__attribute__((visibility("hidden"))) vef_func_desc_t *materialize_func_desc(
+    const FuncData &func_data) {
   static vef_signature_t signature;
   static vef_func_desc_t desc;
 
diff --git a/villagesql/veb/veb_file.cc b/villagesql/veb/veb_file.cc
@@ -915,7 +915,11 @@ bool load_vef_extension(const std::string &so_path,
   registration.registration = nullptr;
   registration.unregister_func = nullptr;
 
-  void *handle = dlopen(so_path.c_str(), RTLD_NOW);
+  // RTLD_LOCAL ensures each extension's symbols are isolated. Without it,
+  // macOS defaults to RTLD_GLOBAL, allowing the dynamic linker to coalesce
+  // weak symbols (e.g. C++ template instantiations) across extensions, causing
+  // one extension to call another's function implementations.
+  void *handle = dlopen(so_path.c_str(), RTLD_NOW | RTLD_LOCAL);
   if (handle == nullptr) {
     const char *errmsg;
     int error_number = dlopen_errno;
