[PATCH] Prevent replacement of a function if it's used in an index expression and is not IMMUTABLE

Hi hackers,

The purpose of this patch is to prevent replacing a function via `CREATE OR REPLACE FUNCTION` with a new definition that is not marked as `IMMUTABLE`, if the existing function is referenced by an index expression.

Replacing such functions may lead to index corruption or runtime semantic inconsistencies, especially when the function’s output is not stable for the same input.

This patch is motivated by our analysis of both recent and earlier PostgreSQL security vulnerabilities, notably:

- CVE-2020-25695: A privilege escalation issue caused by non-IMMUTABLE expressions.
- CVE-2024-1713: A similar privilege escalation issue related to the `plv8` extension, akin to CVE-2020-25695.

Although these CVE vulnerabilities have been fixed, we believe this patch enforces a stricter rule that further enhances PostgreSQL’s robustness:

If a function is used in an index, it can only be replaced if it is declared as `IMMUTABLE`.

This strategy aligns with PostgreSQL’s established assumption that `IMMUTABLE` functions are safe to use in indexes and their behavior should remain consistent after updates.

We hope this contribution benefits the community, and we welcome your valuable feedback.

Sincerely, 
xiaojiluo (Tencent Yunding Lab)