catalog: spin off and adopt back-reference validation level

[postamar]

Previously, forward- and backward-reference-checking was done in one
same validation phase, identified by the
catalog.ValidationLevelCrossReferences constant and a similarly named
method on catalog.Descriptor. This validation phase was exercised both
when reading and when writing descriptors.

The problem with this was that a corrupt back-reference would make
a table unusable until descriptor surgery was performed. While this
might be warranted in the context of schema changes, that's not the case
when it comes to queries, which don't really care about these
back-references. For this reason, we want to bypass back-reference
validation when reading descriptors for the purpose of serving queries.
These reads are characterized by the flag AvoidLeased being unset.

To do this, this commit splits the cross-reference validation level into
two. The back-reference level now exists to check the integrity of
back-references directly, as well as to check that forward references
also have matching back-references in the referenced descriptors.

Fixes #85263.

Release justification: low-risk, high benefit change
Release note: None

---

This PR is based on #87067 which is the product of what made sense for me to take action on right now regarding #86420 (comment) .

[cockroach-teamcity]

This change is 

[postamar]

The descriptors collection is way too self-referential for this to work reliably. It calls itself for validation and hydration in ways which are impossible to reason about. I think the way to go here is to tighten the self-referential parts into an inner core object of sorts:

• this object contains the layers (virtual, temporary, synthetic, stored and leased);
• it serves getByIDs queries, along with getByName and getAllDescriptors and other similar endpoints;
• it handles validation and type hydration, along with memory management and caching;
• the lease manager, the kv layer etc. can be dependency-injected so that we can do some kind of tracing, have data-driven tests, etc.

[postamar]

This is ready for review now, it's correct enough.

[ajwerner]

nice!

Reviewed 28 of 28 files at r2, 1 of 1 files at r3, all commit messages.
Reviewable status: complete! 1 of 0 LGTMs obtained (waiting on @postamar)

---

pkg/sql/schemachanger/scbuild/internal/scbuildstmt/alter_table_alter_primary_key.go line 397 at r2 (raw file):

	if _, _, inboundFKElem := scpb.FindForeignKeyConstraint(b.BackReferences(tableID)); inboundFKElem != nil {
		panic(scerrors.NotImplementedErrorf(t.n,
			fmt.Sprintf(`foreign keys to table with TTL %q are not permitted`, ns.Name)))

why fmt.Sprintf? It's already a formatting method, no? This is going to lead to redaction in a bad way

---

pkg/sql/schemachanger/scbuild/internal/scbuildstmt/alter_table_alter_primary_key.go line 400 at r2 (raw file):

	}
	if _, _, outboundFKElem := scpb.FindForeignKeyConstraint(b.QueryByID(tableID)); outboundFKElem != nil {
		panic(scerrors.NotImplementedErrorf(t.n,

why fmt.Sprintf? It's already a formatting method, no? This is going to lead to redaction in a bad way

[postamar]

Thanks for the review! No good reason why fmt.Sprintf is being used there. Fixing.

[postamar]

bors r+

[craig]

Build failed (retrying...):

• Bazel Essential CI (Cockroach)

[craig]

Build failed (retrying...):

• Bazel Essential CI (Cockroach)

[craig]

Build succeeded:

• Bazel Essential CI (Cockroach)