Stamp 10.12.
commit : 95d2576d023ec2a8b984472191b4e4be4205516e
author : Tom Lane <[email protected]>
date : Mon, 10 Feb 2020 17:19:45 -0500
committer: Tom Lane <[email protected]>
date : Mon, 10 Feb 2020 17:19:45 -0500
M configure
M configure.in
M doc/bug.template
M src/include/pg_config.h.win32
M src/interfaces/libpq/libpq.rc.in
M src/port/win32ver.rc
Last-minute updates for release notes.
commit : 27cfad5c8630428f7a2f63fd53b2e4a4fb248a90
author : Tom Lane <[email protected]>
date : Mon, 10 Feb 2020 12:51:07 -0500
committer: Tom Lane <[email protected]>
date : Mon, 10 Feb 2020 12:51:07 -0500
Security: CVE-2020-1720
M doc/src/sgml/release-10.sgml
createuser: fix parsing of --connection-limit argument
commit : 16316172361ce8fcbae4a9bd653bfbc9f96d1ab8
author : Alvaro Herrera <[email protected]>
date : Mon, 10 Feb 2020 12:14:58 -0300
committer: Alvaro Herrera <[email protected]>
date : Mon, 10 Feb 2020 12:14:58 -0300
The original coding failed to quote the argument properly.
Reported-by: Daniel Gustafsson
Discussion: [email protected]
M src/bin/scripts/createuser.c
Fix priv checks for ALTER <object> DEPENDS ON EXTENSION
commit : ac1a998ed8c535a165e7f95179ee954df075f920
author : Alvaro Herrera <[email protected]>
date : Mon, 10 Feb 2020 11:47:09 -0300
committer: Alvaro Herrera <[email protected]>
date : Mon, 10 Feb 2020 11:47:09 -0300
Marking an object as dependant on an extension did not have any
privilege check whatsoever; this allowed any user to mark objects as
droppable by anyone able to DROP EXTENSION, which could be used to cause
system-wide havoc. Disallow by checking that the calling user owns the
mentioned object.
(No constraints are placed on the extension.)
Security: CVE-2020-1720
Reported-by: Tom Lane
Discussion: [email protected]
M src/backend/commands/alter.c
Translation updates
commit : 7f97b5e891d23db0e44f3292177c62fcb57bd766
author : Peter Eisentraut <[email protected]>
date : Mon, 10 Feb 2020 13:00:18 +0100
committer: Peter Eisentraut <[email protected]>
date : Mon, 10 Feb 2020 13:00:18 +0100
Source-Git-URL: https://git.postgresql.org/git/pgtranslation/messages.git
Source-Git-Hash: fc4d6b13b6a369c443a8f573f3836c5759d1a919
M src/backend/po/de.po
M src/backend/po/fr.po
M src/backend/po/ru.po
M src/backend/po/sv.po
M src/bin/pg_ctl/po/de.po
M src/bin/pg_ctl/po/ru.po
M src/bin/pg_dump/po/fr.po
M src/bin/pg_dump/po/ru.po
M src/bin/pg_dump/po/sv.po
M src/bin/pg_upgrade/po/ru.po
M src/bin/pg_waldump/po/ru.po
M src/interfaces/libpq/po/ru.po
Revert "pg_upgrade: Fix quoting of some arguments in pg_ctl command"
commit : 885177b954ccd3afad5382a68eeef367a39266a6
author : Michael Paquier <[email protected]>
date : Mon, 10 Feb 2020 15:48:46 +0900
committer: Michael Paquier <[email protected]>
date : Mon, 10 Feb 2020 15:48:46 +0900
This reverts commit d1c0b61. The patch has some downsides that require
more attention, as discussed with Noah Misch.
Backpatch-through: 9.5
M src/bin/pg_upgrade/server.c
doc: Spell checking
commit : c55863539c8cd6adf61b0f1287562a49f10bbbef
author : Amit Kapila <[email protected]>
date : Mon, 10 Feb 2020 09:01:41 +0530
committer: Amit Kapila <[email protected]>
date : Mon, 10 Feb 2020 09:01:41 +0530
Reported-by: Justin Pryzby
Author: Justin Pryzby
Backpatch-through: 9.6
Discussion: https://postgr.es/m/[email protected]
M doc/src/sgml/bloom.sgml
pg_upgrade: Fix quoting of some arguments in pg_ctl command
commit : a2687d0bdc6c9250d1b7710fe43cf10af4beb895
author : Michael Paquier <[email protected]>
date : Mon, 10 Feb 2020 10:49:47 +0900
committer: Michael Paquier <[email protected]>
date : Mon, 10 Feb 2020 10:49:47 +0900
The previous coding forgot to apply shell quoting to the socket
directory and the data folder, leading to failures when running
pg_upgrade. This refactors the code generating the pg_ctl command
starting clusters to use a more correct shell quoting. Failures are
easier to trigger in 12 and newer versions by using a value of
--socketdir that includes quotes, but it is also possible to cause
failures with quotes included in the default socket directory used by
pg_upgrade or the data folders of the clusters involved in the
upgrade.
As 9.4 is going to be EOL'd with the next minor release, nobody is
likely going to upgrade to it now so this branch is not included in the
set of branches fixed.
Author: Michael Paquier
Reviewed-by: Álvaro Herrera, Noah Misch
Backpatch-through: 9.5
M src/bin/pg_upgrade/server.c
Revert "docs: change "default role" wording to "predefined role""
commit : 994f9a71f8262f332a5d8414d581f0c49d8ce41b
author : Tom Lane <[email protected]>
date : Sun, 9 Feb 2020 14:21:37 -0500
committer: Tom Lane <[email protected]>
date : Sun, 9 Feb 2020 14:21:37 -0500
This reverts commit 920c6add70c803ae1dcaab9358330320a60de470.
Per discussion, we can't change the section title without some
web-site work, so revert this change temporarily.
Discussion: https://postgr.es/m/[email protected]
M doc/src/sgml/user-manag.sgml
Release notes for 12.2, 11.7, 10.12, 9.6.17, 9.5.21, 9.4.26.
commit : 65106a10f9c5bc9e4622b3616cdf31f74aa58cc2
author : Tom Lane <[email protected]>
date : Sun, 9 Feb 2020 14:14:18 -0500
committer: Tom Lane <[email protected]>
date : Sun, 9 Feb 2020 14:14:18 -0500
M doc/src/sgml/release-10.sgml
Add note about access permission checks by inherited TRUNCATE and LOCK TABLE.
commit : 87f738dafbe1e41a3315bf1157eca8eba63a3fa1
author : Fujii Masao <[email protected]>
date : Fri, 7 Feb 2020 00:33:11 +0900
committer: Fujii Masao <[email protected]>
date : Fri, 7 Feb 2020 00:33:11 +0900
Inherited queries perform access permission checks on the parent
table only. But there are two exceptions to this rule in v12 or before;
TRUNCATE and LOCK TABLE commands through a parent table check
the permissions on not only the parent table but also the children
tables. Previously these exceptions were not documented.
This commit adds the note about these exceptions, into the document.
Back-patch to v9.4. But we don't apply this commit to the master
because commit e6f1e560e4 already got rid of the exception about
inherited TRUNCATE and upcoming commit will do for the exception
about inherited LOCK TABLE.
Author: Amit Langote
Reviewed-by: Fujii Masao
Discussion: https://postgr.es/m/CA+HiwqHfTnMU6SUkyHxCmpHUKk7ERLHCR3vZVq19ZOQBjPBLmQ@mail.gmail.com
M doc/src/sgml/ddl.sgml
Fix typo.
commit : 699700b3626fa6e332ae94be5383e0bbf5bd8555
author : Amit Kapila <[email protected]>
date : Thu, 6 Feb 2020 16:00:54 +0530
committer: Amit Kapila <[email protected]>
date : Thu, 6 Feb 2020 16:00:54 +0530
Reported-by: Amit Langote
Author: Amit Langote
Backpatch-through: 9.6, where it was introduced
Discussion: https://postgr.es/m/CA+HiwqFNADeukaaGRmTqANbed9Fd81gLi08AWe_F86_942Gspw@mail.gmail.com
M src/backend/optimizer/path/allpaths.c
Fix bug in LWLock statistics mechanism.
commit : c17abac60eb23f0441cbf481ac5ea58905877084
author : Fujii Masao <[email protected]>
date : Thu, 6 Feb 2020 14:43:21 +0900
committer: Fujii Masao <[email protected]>
date : Thu, 6 Feb 2020 14:43:21 +0900
Previously PostgreSQL built with -DLWLOCK_STATS could report
more than one LWLock statistics entries for the same backend
process and the same LWLock. This is strange and only one
statistics should be output in that case, instead.
The cause of this issue is that the key variable used for
LWLock stats hash table was not fully initialized. The key
consists of two fields and they were initialized. But
the following 4 bytes allocated in the key variable for
the alignment was not initialized. So even if the same key
was specified, hash_search(HASH_ENTER) could not find
the existing entry for that key and created new one.
This commit fixes this issue by initializing the key
variable with zero. As the side effect of this commit,
the volume of LWLock statistics output would be reduced
very much.
Back-patch to v10, where commit 3761fe3c20 introduced the issue.
Author: Fujii Masao
Reviewed-by: Julien Rouhaud, Kyotaro Horiguchi
Discussion: https://postgr.es/m/[email protected]
M src/backend/storage/lmgr/lwlock.c
ALTER SUBSCRIPTION / REFRESH docs: explain copy_data
commit : c2ef3ab838323e9b5d1e6b49ffbf3db64370f8fe
author : Alvaro Herrera <[email protected]>
date : Wed, 5 Feb 2020 15:06:11 -0300
committer: Alvaro Herrera <[email protected]>
date : Wed, 5 Feb 2020 15:06:11 -0300
The docs are ambiguous as to which tables would be copied over when the
copy_data parameter is true in ALTER SUBSCRIPTION ... REFRESH PUBLICATION.
Make it clear that it only applies to tables which are new in the
publication.
Author: David Christensen (reword by Álvaro Herrera)
Discussion: https://postgr.es/m/[email protected]
M doc/src/sgml/ref/alter_subscription.sgml
When a TAP file has non-zero exit status, retain temporary directories.
commit : d8efc5900f7c0a952b7ff3f6e8d8ea2e77fe2986
author : Noah Misch <[email protected]>
date : Wed, 5 Feb 2020 08:26:41 -0800
committer: Noah Misch <[email protected]>
date : Wed, 5 Feb 2020 08:26:41 -0800
PostgresNode already retained base directories in such cases. Stop
using $SIG{__DIE__}, which is redundant with the exit status check, in
lieu of proliferating it to TestLib. Back-patch to 9.6, where commit
88802e068017bee8cea7a5502a712794e761c7b5 introduced retention on
failure.
Reviewed by Daniel Gustafsson.
Discussion: https://postgr.es/m/[email protected]
M src/test/perl/TestLib.pm
Add note about how each partition's default value is treated, into the doc.
commit : 80dece684f863862d68ba3cc726a4bde9d2ce568
author : Fujii Masao <[email protected]>
date : Thu, 26 Dec 2019 15:07:43 +0900
committer: Fujii Masao <[email protected]>
date : Thu, 26 Dec 2019 15:07:43 +0900
Column defaults may be specified separately for each partition.
But INSERT via a partitioned table ignores those partition's default values.
The former is documented, but the latter restriction not.
This commit adds the note about that restriction into the document.
Back-patch to v10 where partitioning was introduced.
Author: Fujii Masao
Reviewed-by: Amit Langote
Discussion: https://postgr.es/m/CAHGQGwEs-59omrfGF7hOHz9iMME3RbKy5ny+iftDx3LHTEn9sA@mail.gmail.com
M doc/src/sgml/ref/create_table.sgml
Add missing break out seqscan loop in logical replication
commit : 380bc8829594b27d0924e617ae705422ec53eca1
author : Alvaro Herrera <[email protected]>
date : Mon, 3 Feb 2020 18:59:12 -0300
committer: Alvaro Herrera <[email protected]>
date : Mon, 3 Feb 2020 18:59:12 -0300
When replica identity is FULL (an admittedly unusual case), the loop
that searches for tuples in execReplication.c didn't stop scanning the
table when once a matching tuple was found. Add the missing 'break'.
Note slight behavior change: we now return the first matching tuple
rather than the last one. They are supposed to be indistinguishable
anyway, so this shouldn't matter.
Author: Konstantin Knizhnik
Discussion: https://postgr.es/m/[email protected]
M src/backend/executor/execReplication.c
Revert commit 4b96c03a0a.
commit : 8b1a6499d055f6f222e200fd6410073537d11f31
author : Fujii Masao <[email protected]>
date : Mon, 3 Feb 2020 12:41:40 +0900
committer: Fujii Masao <[email protected]>
date : Mon, 3 Feb 2020 12:41:40 +0900
This commit reverts the fix "Make inherited TRUNCATE perform access
permission checks on parent table only" only in the back branches.
It's not hard to imagine that there are some applications expecting
the old behavior and the fix breaks their security. To avoid this
compatibility problem, we decided to apply the fix only in HEAD and
revert it in all supported back branches.
Discussion: https://postgr.es/m/[email protected]
M src/backend/commands/tablecmds.c
M src/test/regress/expected/privileges.out
M src/test/regress/sql/privileges.sql
Fix memory leak on DSM slot exhaustion.
commit : aab30cd4eddaa7e2b028a009d3ee11be42ce6f1e
author : Thomas Munro <[email protected]>
date : Sat, 1 Feb 2020 14:29:13 +1300
committer: Thomas Munro <[email protected]>
date : Sat, 1 Feb 2020 14:29:13 +1300
If we attempt to create a DSM segment when no slots are available,
we should return the memory to the operating system. Previously
we did that if the DSM_CREATE_NULL_IF_MAXSEGMENTS flag was
passed in, but we didn't do it if an error was raised. Repair.
Back-patch to 9.4, where DSM segments arrived.
Author: Thomas Munro
Reviewed-by: Robert Haas
Reported-by: Julian Backes
Discussion: https://postgr.es/m/CA%2BhUKGKAAoEw-R4om0d2YM4eqT1eGEi6%3DQot-3ceDR-SLiWVDw%40mail.gmail.com
M src/backend/storage/ipc/dsm.c
Fix CheckAttributeType's handling of collations for ranges.
commit : de3d2df75169c54e7471575fe741391a32c6dbae
author : Tom Lane <[email protected]>
date : Fri, 31 Jan 2020 17:03:55 -0500
committer: Tom Lane <[email protected]>
date : Fri, 31 Jan 2020 17:03:55 -0500
Commit fc7695891 changed CheckAttributeType to recurse into ranges,
but made it pass down the wrong collation (always InvalidOid, since
ranges as such have no collation). This would result in guaranteed
failure when considering a range type whose subtype is collatable.
Embarrassingly, we lack any regression tests that would expose such
a problem (but fortunately, somebody noticed before we shipped this
bug in any release).
Fix it to pass down the range's subtype collation property instead,
and add some regression test cases to exercise collatable-subtype
ranges a bit more. Back-patch to all supported branches, as the
previous patch was.
Report and patch by Julien Rouhaud, test cases tweaked by me
Discussion: https://postgr.es/m/CAOBaU_aBWqNweiGUFX0guzBKkcfJ8mnnyyGC_KBQmO12Mj5f_A@mail.gmail.com
M src/backend/catalog/heap.c
M src/backend/utils/cache/lsyscache.c
M src/include/utils/lsyscache.h
M src/test/regress/expected/rangetypes.out
M src/test/regress/expected/sanity_check.out
M src/test/regress/sql/rangetypes.sql
Fix parallel pg_dump/pg_restore for failure to create worker processes.
commit : 8b1d447a7160857ba952264879636cd02a72cf73
author : Tom Lane <[email protected]>
date : Fri, 31 Jan 2020 14:41:49 -0500
committer: Tom Lane <[email protected]>
date : Fri, 31 Jan 2020 14:41:49 -0500
If we failed to fork a worker process, or create a communication pipe
for one, WaitForTerminatingWorkers would suffer an assertion failure
if assert-enabled, otherwise crash or go into an infinite loop. This
was a consequence of not accounting for the startup condition where
we've not yet forked all the workers.
The original bug was that ParallelBackupStart would set workerStatus to
WRKR_IDLE before it had successfully forked a worker. I made things
worse in commit b7b8cc0cf by not understanding the undocumented fact
that the WRKR_TERMINATED state was also meant to represent the case
where a worker hadn't been started yet: I changed enum T_WorkerStatus
so that *all* the worker slots were initially in WRKR_IDLE state. But
this wasn't any more broken in practice, since even one slot in the
wrong state would keep WaitForTerminatingWorkers from terminating.
In v10 and later, introduce an explicit T_WorkerStatus value for
worker-not-started, in hopes of preventing future oversights of the
same ilk. Before that, just document that WRKR_TERMINATED is supposed
to cover that case (partly because it wasn't actively broken, and
partly because the enum is exposed outside parallel.c in those branches,
so there's microscopically more risk involved in changing it).
In all branches, introduce a WORKER_IS_RUNNING status test macro
to hide which T_WorkerStatus values mean that, and be more careful
not to access ParallelSlot fields till we're sure they're valid.
Per report from Vignesh C, though this is my patch not his.
Back-patch to all supported branches.
Discussion: https://postgr.es/m/CALDaNm1Luv-E3sarR+-unz-BjchquHHyfP+YC+2FS2pt_J+wxg@mail.gmail.com
M src/bin/pg_dump/parallel.c
Make inherited TRUNCATE perform access permission checks on parent table only.
commit : 4b96c03a0a2a6bdf685a0bef9fff1fb5f04516aa
author : Fujii Masao <[email protected]>
date : Fri, 31 Jan 2020 00:44:50 +0900
committer: Fujii Masao <[email protected]>
date : Fri, 31 Jan 2020 00:44:50 +0900
Previously, TRUNCATE command through a parent table checked the
permissions on not only the parent table but also the children tables
inherited from it. This was a bug and inherited queries should perform
access permission checks on the parent table only. This commit fixes
that bug.
Back-patch to all supported branches.
Author: Amit Langote
Reviewed-by: Fujii Masao
Discussion: https://postgr.es/m/CAHGQGwFHdSvifhJE+-GSNqUHSfbiKxaeQQ7HGcYz6SC2n_oDcg@mail.gmail.com
M src/backend/commands/tablecmds.c
M src/test/regress/expected/privileges.out
M src/test/regress/sql/privileges.sql
In postgres_fdw, don't try to ship MULTIEXPR updates to remote server.
commit : 603e03b4c9e8f853ab15da45e6e72df718ec335c
author : Tom Lane <[email protected]>
date : Sun, 26 Jan 2020 14:31:08 -0500
committer: Tom Lane <[email protected]>
date : Sun, 26 Jan 2020 14:31:08 -0500
In a statement like "UPDATE remote_tab SET (x,y) = (SELECT ...)",
we'd conclude that the statement could be directly executed remotely,
because the sub-SELECT is in a resjunk tlist item that's not examined
for shippability. Currently that ends up crashing if the sub-SELECT
contains any remote Vars. Prevent the crash by deeming MULTIEXEC
Params to be unshippable.
This is a bit of a brute-force solution, since if the sub-SELECT
*doesn't* contain any remote Vars, the current execution technology
would work; but that's not a terribly common use-case for this syntax,
I think. In any case, we generally don't try to ship sub-SELECTs, so
it won't surprise anybody that this doesn't end up as a remote direct
update. I'd be inclined to see if that general limitation can be fixed
before worrying about this case further.
Per report from Lukáš Sobotka.
Back-patch to 9.6. 9.5 had MULTIEXPR, but we didn't try to perform
remote direct updates then, so the case didn't arise anyway.
Discussion: https://postgr.es/m/CAJif3k+iA_ekBB5Zw2hDBaE1wtiQa4LH4_JUXrrMGwTrH0J01Q@mail.gmail.com
M contrib/postgres_fdw/deparse.c
M contrib/postgres_fdw/expected/postgres_fdw.out
M contrib/postgres_fdw/sql/postgres_fdw.sql
Doc: Fix list of storage parameters available for ALTER TABLE
commit : b9a9cb1bfd6eb6a5526f2a6b21b5865dac46bd8b
author : Michael Paquier <[email protected]>
date : Fri, 24 Jan 2020 09:56:12 +0900
committer: Michael Paquier <[email protected]>
date : Fri, 24 Jan 2020 09:56:12 +0900
Only the parameter parallel_workers can be used directly with ALTER
TABLE.
Issue introduced in 6f3a13f, so backpatch down to 10.
Author: Justin Pryzby
Discussion: https://postgr.es/m/[email protected]
Backpatch-through: 10
M doc/src/sgml/ref/alter_table.sgml
Fix an oversight in commit 4c70098ff.
commit : d6a9548b2fdc402bf818cab3d7a621fb5c3ced58
author : Tom Lane <[email protected]>
date : Thu, 23 Jan 2020 16:15:32 -0500
committer: Tom Lane <[email protected]>
date : Thu, 23 Jan 2020 16:15:32 -0500
I had supposed that the from_char_seq_search() call sites were
all passing the constant arrays you'd expect them to pass ...
but on looking closer, the one for DY format was passing the
days[] array not days_short[]. This accidentally worked because
the day abbreviations in English are all the same as the first
three letters of the full day names. However, once we took out
the "maximum comparison length" logic, it stopped working.
As penance for that oversight, add regression test cases covering
this, as well as every other switch case in DCH_from_char() that
was not reached according to the code coverage report.
Also, fold the DCH_RM and DCH_rm cases into one --- now that
seq_search is case independent, there's no need to pass different
comparison arrays for those cases.
Back-patch, as the previous commit was.
M src/backend/utils/adt/formatting.c
M src/test/regress/expected/horology.out
M src/test/regress/sql/horology.sql
Clean up formatting.c's logic for matching constant strings.
commit : 212b870d6743814db3df3a9cd80a8eefcd9f7b2f
author : Tom Lane <[email protected]>
date : Thu, 23 Jan 2020 13:42:10 -0500
committer: Tom Lane <[email protected]>
date : Thu, 23 Jan 2020 13:42:10 -0500
seq_search(), which is used to match input substrings to constants
such as month and day names, had a lot of bizarre and unnecessary
behaviors. It was mostly possible to avert our eyes from that before,
but we don't want to duplicate those behaviors in the upcoming patch
to allow recognition of non-English month and day names. So it's time
to clean this up. In particular:
* seq_search scribbled on the input string, which is a pretty dangerous
thing to do, especially in the badly underdocumented way it was done here.
Fortunately the input string is a temporary copy, but that was being made
three subroutine levels away, making it something easy to break
accidentally. The behavior is externally visible nonetheless, in the form
of odd case-folding in error reports about unrecognized month/day names.
The scribbling is evidently being done to save a few calls to pg_tolower,
but that's such a cheap function (at least for ASCII data) that it's
pretty pointless to worry about. In HEAD I switched it to be
pg_ascii_tolower to ensure it is cheap in all cases; but there are corner
cases in Turkish where this'd change behavior, so leave it as pg_tolower
in the back branches.
* seq_search insisted on knowing the case form (all-upper, all-lower,
or initcap) of the constant strings, so that it didn't have to case-fold
them to perform case-insensitive comparisons. This likewise seems like
excessive micro-optimization, given that pg_tolower is certainly very
cheap for ASCII data. It seems unsafe to assume that we know the case
form that will come out of pg_locale.c for localized month/day names, so
it's better just to define the comparison rule as "downcase all strings
before comparing". (The choice between downcasing and upcasing is
arbitrary so far as English is concerned, but it might not be in other
locales, so follow citext's lead here.)
* seq_search also had a parameter that'd cause it to report a match
after a maximum number of characters, even if the constant string were
longer than that. This was not actually used because no caller passed
a value small enough to cut off a comparison. Replicating that behavior
for localized month/day names seems expensive as well as useless, so
let's get rid of that too.
* from_char_seq_search used the maximum-length parameter to truncate
the input string in error reports about not finding a matching name.
This leads to rather confusing reports in many cases. Worse, it is
outright dangerous if the input string isn't all-ASCII, because we
risk truncating the string in the middle of a multibyte character.
That'd lead either to delivering an illegible error message to the
client, or to encoding-conversion failures that obscure the actual
data problem. Get rid of that in favor of truncating at whitespace
if any (a suggestion due to Alvaro Herrera).
In addition to fixing these things, I const-ified the input string
pointers of DCH_from_char and its subroutines, to make sure there
aren't any other scribbling-on-input problems.
The risk of generating a badly-encoded error message seems like
enough of a bug to justify back-patching, so patch all supported
branches.
Discussion: https://postgr.es/m/[email protected]
M src/backend/utils/adt/formatting.c
M src/test/regress/expected/horology.out
Fix concurrent indexing operations with temporary tables
commit : 9055344b495f7015205658741734be9d67cf4f4a
author : Michael Paquier <[email protected]>
date : Wed, 22 Jan 2020 09:49:33 +0900
committer: Michael Paquier <[email protected]>
date : Wed, 22 Jan 2020 09:49:33 +0900
Attempting to use CREATE INDEX, DROP INDEX or REINDEX with CONCURRENTLY
on a temporary relation with ON COMMIT actions triggered unexpected
errors because those operations use multiple transactions internally to
complete their work. Here is for example one confusing error when using
ON COMMIT DELETE ROWS:
ERROR: index "foo" already contains data
Issues related to temporary relations and concurrent indexing are fixed
in this commit by enforcing the non-concurrent path to be taken for
temporary relations even if using CONCURRENTLY, transparently to the
user. Using a non-concurrent path does not matter in practice as locks
cannot be taken on a temporary relation by a session different than the
one owning the relation, and the non-concurrent operation is more
effective.
The problem exists with REINDEX since v12 with the introduction of
CONCURRENTLY, and with CREATE/DROP INDEX since CONCURRENTLY exists for
those commands. In all supported versions, this caused only confusing
error messages to be generated. Note that with REINDEX, it was also
possible to issue a REINDEX CONCURRENTLY for a temporary relation owned
by a different session, leading to a server crash.
The idea to enforce transparently the non-concurrent code path for
temporary relations comes originally from Andres Freund.
Reported-by: Manuel Rigger
Author: Michael Paquier, Heikki Linnakangas
Reviewed-by: Andres Freund, Álvaro Herrera, Heikki Linnakangas
Discussion: https://postgr.es/m/CA+u7OA6gP7YAeCguyseusYcc=uR8+ypjCcgDDCTzjQ+k6S9ksQ@mail.gmail.com
Backpatch-through: 9.4
M doc/src/sgml/ref/create_index.sgml
M doc/src/sgml/ref/drop_index.sgml
M src/backend/catalog/index.c
M src/backend/commands/indexcmds.c
M src/backend/commands/tablecmds.c
M src/test/regress/expected/create_index.out
M src/test/regress/sql/create_index.sql
Fix edge case leading to agg transitions skipping ExecAggTransReparent() calls.
commit : 8bb006a412e4022f60cf7a71ebdc45a12d6c61c4
author : Andres Freund <[email protected]>
date : Mon, 20 Jan 2020 23:26:51 -0800
committer: Andres Freund <[email protected]>
date : Mon, 20 Jan 2020 23:26:51 -0800
The code checking whether an aggregate transition value needs to be
reparented into the current context has always only compared the
transition return value with the previous transition value by datum,
i.e. without regard for NULLness. This normally works, because when
the transition function returns NULL (via fcinfo->isnull), it'll
return a value that won't be the same as its input value.
But there's no hard requirement that that's the case. And it turns
out, it's possible to hit this case (see discussion or reproducers),
leading to a non-null transition value not being reparented, followed
by a crash caused by that.
Instead of adding another comparison of NULLness, instead have
ExecAggTransReparent() ensure that pergroup->transValue ends up as 0
when the new transition value is NULL. That avoids having to add an
additional branch to the much more common cases of the transition
function returning the old transition value (which is a pointer in
this case), and when the new value is different, but not NULL.
In branches since 69c3936a149, also deduplicate the reparenting code
between the expression evaluation based transitions, and the path for
ordered aggregates.
Reported-By: Teodor Sigaev, Nikita Glukhov
Author: Andres Freund
Discussion: https://postgr.es/m/[email protected]
Backpatch: 9.4-, this issue has existed since at least 7.4
M src/backend/executor/nodeAgg.c
Add GUC variables for stat tracking and timeout as PGDLLIMPORT
commit : 1ef7332b78f55f0503a8c882886d2979c2f94c62
author : Michael Paquier <[email protected]>
date : Tue, 21 Jan 2020 13:47:05 +0900
committer: Michael Paquier <[email protected]>
date : Tue, 21 Jan 2020 13:47:05 +0900
This helps integration of extensions with Windows. The following
parameters are changed:
- idle_in_transaction_session_timeout (9.6 and newer versions)
- lock_timeout
- statement_timeout
- track_activities
- track_counts
- track_functions
Author: Pascal Legrand
Reviewed-by: Amit Kamila, Julien Rouhaud, Michael Paquier
Discussion: https://postgr.es/m/[email protected]
Backpatch-through: 9.4
M src/include/pgstat.h
M src/include/storage/proc.h
Fix pg_dump's sigTermHandler() to use _exit() not exit().
commit : 6f6daa1be78503ee3d171d28ed9f6843cc53d129
author : Tom Lane <[email protected]>
date : Mon, 20 Jan 2020 12:57:17 -0500
committer: Tom Lane <[email protected]>
date : Mon, 20 Jan 2020 12:57:17 -0500
sigTermHandler() tried to be careful to invoke only operations that
are safe to do in a signal handler. But for some reason we forgot
that exit(3) is not among those, because it calls atexit handlers
that might do various random things. (pg_dump itself installs no
atexit handlers, but e.g. OpenSSL does.) That led to crashes or
lockups when attempting to terminate a parallel dump or restore
via a signal.
Fix by calling _exit() instead.
Per bug #16199 from Raúl Marín. Back-patch to all supported branches.
Discussion: https://postgr.es/m/[email protected]
M src/bin/pg_dump/parallel.c
Fix crash in BRIN inclusion op functions, due to missing datum copy.
commit : ff0c567cbfb7aeca479f5c087d17c85ffb5b2bf7
author : Heikki Linnakangas <[email protected]>
date : Mon, 20 Jan 2020 10:36:35 +0200
committer: Heikki Linnakangas <[email protected]>
date : Mon, 20 Jan 2020 10:36:35 +0200
The BRIN add_value() and union() functions need to make a longer-lived
copy of the argument, if they want to store it in the BrinValues struct
also passed as argument. The functions for the "inclusion operator
classes" used with box, range and inet types didn't take into account
that the union helper function might return its argument as is, without
making a copy. Check for that case, and make a copy if necessary. That
case arises at least with the range_union() function, when one of the
arguments is an 'empty' range:
CREATE TABLE brintest (n numrange);
CREATE INDEX brinidx ON brintest USING brin (n);
INSERT INTO brintest VALUES ('empty');
INSERT INTO brintest VALUES (numrange(0, 2^1000::numeric));
INSERT INTO brintest VALUES ('(-1, 0)');
SELECT brin_desummarize_range('brinidx', 0);
SELECT brin_summarize_range('brinidx', 0);
Backpatch down to 9.5, where BRIN was introduced.
Discussion: https://www.postgresql.org/message-id/e6e1d6eb-0a67-36aa-e779-bcca59167c14%40iki.fi
Reviewed-by: Emre Hasegeli, Tom Lane, Alvaro Herrera
M src/backend/access/brin/brin_inclusion.c
Repair more failures with SubPlans in multi-row VALUES lists.
commit : 167fd022ff3377f18b84de194ee728c91921dc3f
author : Tom Lane <[email protected]>
date : Fri, 17 Jan 2020 16:17:17 -0500
committer: Tom Lane <[email protected]>
date : Fri, 17 Jan 2020 16:17:17 -0500
Commit 9b63c13f0 turns out to have been fundamentally misguided:
the parent node's subPlan list is by no means the only way in which
a child SubPlan node can be hooked into the outer execution state.
As shown in bug #16213 from Matt Jibson, we can also get short-lived
tuple table slots added to the outer es_tupleTable list. At this point
I have little faith that there aren't other possible connections as
well; the long time it took to notice this problem shows that this
isn't a heavily-exercised situation.
Therefore, revert that fix, returning to the coding that passed a
NULL parent plan pointer down to the transiently-built subexpressions.
That gives us a pretty good guarantee that they won't hook into the
outer executor state in any way. But then we need some other solution
to make SubPlans work. Adopt the solution speculated about in the
previous commit's log message: do expression initialization at plan
startup for just those VALUES rows containing SubPlans, abandoning the
goal of reclaiming memory intra-query for those rows. In practice it
seems unlikely that queries containing a vast number of VALUES rows
would be using SubPlans in them, so this should not give up much.
(BTW, this test case also refutes my claim in connection with the prior
commit that the issue only arises with use of LATERAL. That was just
wrong: some variants of SubLink always produce SubPlans.)
As with previous patch, back-patch to all supported branches.
Discussion: https://postgr.es/m/[email protected]
M src/backend/executor/nodeValuesscan.c
M src/include/nodes/execnodes.h
M src/test/regress/expected/subselect.out
M src/test/regress/sql/subselect.sql
Set ReorderBufferTXN->final_lsn more eagerly
commit : e3154aae3c2604633a4ce8ffedf542999565c787
author : Alvaro Herrera <[email protected]>
date : Fri, 17 Jan 2020 18:00:39 -0300
committer: Alvaro Herrera <[email protected]>
date : Fri, 17 Jan 2020 18:00:39 -0300
... specifically, set it incrementally as each individual change is
spilled down to disk. This way, it is set correctly when the
transaction disappears without trace, ie. without leaving an XACT_ABORT
wal record. (This happens when the server crashes midway through a
transaction.)
Failing to have final_lsn prevents ReorderBufferRestoreCleanup() from
working, since it needs the final_lsn in order to know the endpoint of
its iteration through spilled files.
Commit df9f682c7bf8 already tried to fix the problem, but it didn't set
the final_lsn in all cases. Revert that, since it's no longer needed.
Author: Vignesh C
Reviewed-by: Amit Kapila, Dilip Kumar
Discussion: https://postgr.es/m/CALDaNm2CLk+K9JDwjYST0sPbGg5AQdvhUt0jbKyX_HdAE0jk3A@mail.gmail.com
M src/backend/replication/logical/reorderbuffer.c
M src/include/replication/reorderbuffer.h
Allocate freechunks bitmap as part of SlabContext
commit : a801452c9e3008b473265cc690077244b65635dc
author : Tomas Vondra <[email protected]>
date : Fri, 17 Jan 2020 14:06:28 +0100
committer: Tomas Vondra <[email protected]>
date : Fri, 17 Jan 2020 14:06:28 +0100
The bitmap used by SlabCheck to cross-check free chunks in a block used
to be allocated for each SlabCheck call, and was never freed. The memory
leak could be fixed by simply adding a pfree call, but it's actually a
bad idea to do any allocations in SlabCheck at all as it assumes the
state of the memory management as a whole is sane.
So instead we allocate the bitmap as part of SlabContext, which means
we don't need to do any allocations in SlabCheck and the bitmap goes
away together with the SlabContext.
Backpatch to 10, where the Slab context was introduced.
Author: Tomas Vondra
Reported-by: Andres Freund
Reviewed-by: Tom Lane
Backpatch-through: 10
Discussion: https://www.postgresql.org/message-id/20200116044119.g45f7pmgz4jmodxj%40alap3.anarazel.de
M src/backend/utils/mmgr/slab.c
docs: change "default role" wording to "predefined role"
commit : 920c6add70c803ae1dcaab9358330320a60de470
author : Bruce Momjian <[email protected]>
date : Tue, 14 Jan 2020 13:13:04 -0500
committer: Bruce Momjian <[email protected]>
date : Tue, 14 Jan 2020 13:13:04 -0500
The new wording was determined to be more accurate. Also, update
release note links that reference these sections.
Reported-by: [email protected]
Discussion: https://postgr.es/m/[email protected]
Backpatch-through: 9.6
M doc/src/sgml/user-manag.sgml
Make rewriter prevent auto-updates on views with conditional INSTEAD rules.
commit : 353cd826f44537871063c6525dc0e108c974a68c
author : Dean Rasheed <[email protected]>
date : Tue, 14 Jan 2020 09:50:13 +0000
committer: Dean Rasheed <[email protected]>
date : Tue, 14 Jan 2020 09:50:13 +0000
A view with conditional INSTEAD rules and no unconditional INSTEAD
rules or INSTEAD OF triggers is not auto-updatable. Previously we
relied on a check in the executor to catch this, but that's
problematic since the planner may fail to properly handle such a query
and thus return a particularly unhelpful error to the user, before
reaching the executor check.
Instead, trap this in the rewriter and report the correct error there.
Doing so also allows us to include more useful error detail than the
executor check can provide. This doesn't change the existing behaviour
of updatable views; it merely ensures that useful error messages are
reported when a view isn't updatable.
Per report from Pengzhou Tang, though not adopting that suggested fix.
Back-patch to all supported branches.
Discussion: https://postgr.es/m/CAG4reAQn+4xB6xHJqWdtE0ve_WqJkdyCV4P=trYr4Kn8_3_PEA@mail.gmail.com
M src/backend/executor/execMain.c
M src/backend/rewrite/rewriteHandler.c
M src/test/regress/expected/updatable_views.out
M src/test/regress/sql/updatable_views.sql
Revert test added by commit d207038053.
commit : f9e95252a311b65e3e5aa9cb56cec2736e2b1cfa
author : Amit Kapila <[email protected]>
date : Sat, 11 Jan 2020 10:44:39 +0530
committer: Amit Kapila <[email protected]>
date : Sat, 11 Jan 2020 10:44:39 +0530
This test was trying to test the mechanism to release kernel FDs as needed
to get us under the max_safe_fds limit in case of spill files. To do that,
it needs to set max_files_per_process to a very low value which doesn't
even permit starting of the server in the case when there are a few already
opened files. This test also won't work on platforms where we use one FD
per semaphore.
Backpatch-through: 10, till where this test was added
Discussion:
https://postgr.es/m/CAA4eK1LHhERi06Q+MmP9qBXBBboi+7WV3910J0aUgz71LcnKAw@mail.gmail.com
https://postgr.es/m/[email protected]
M src/test/recovery/t/006_logical_decoding.pl
Fix edge-case crashes and misestimation in range containment selectivity.
commit : 8c8b456b5116f4adb44d05d23a10ccc909b73b69
author : Tom Lane <[email protected]>
date : Sun, 12 Jan 2020 14:37:00 -0500
committer: Tom Lane <[email protected]>
date : Sun, 12 Jan 2020 14:37:00 -0500
When estimating the selectivity of "range_var <@ range_constant" or
"range_var @> range_constant", if the upper (or respectively lower)
bound of the range_constant was above the last bin of the range_var's
histogram, the code would access uninitialized memory and potentially
crash (though it seems the probability of a crash is quite low).
Handle the endpoint cases explicitly to fix that.
While at it, be more paranoid about the possibility of getting NaN
or other silly results from the range type's subdiff function.
And improve some comments.
Ordinarily we'd probably add a regression test case demonstrating
the bug in unpatched code. But it's too hard to get it to crash
reliably because of the uninitialized-memory dependence, so skip that.
Per bug #16122 from Adam Scott. It's been broken from the beginning,
apparently, so backpatch to all supported branches.
Diagnosis by Michael Paquier, patch by Andrey Borodin and Tom Lane.
Discussion: https://postgr.es/m/[email protected]
M src/backend/utils/adt/rangetypes_selfuncs.c
Remove incorrect assertion for INSERT in logical replication's publisher
commit : 30104eca885637ecce1b48c958cf6ec733b93a3d
author : Michael Paquier <[email protected]>
date : Sun, 12 Jan 2020 22:45:17 +0900
committer: Michael Paquier <[email protected]>
date : Sun, 12 Jan 2020 22:45:17 +0900
On the publisher, it was assumed that an INSERT change cannot happen for
a relation with no replica identity. However this is true only for a
change that needs references to old rows, aka UPDATE or DELETE, so
trying to use logical replication with a relation that has no replica
identity led to an assertion failure in the publisher when issuing an
INSERT. This commit removes the incorrect assertion, and adds more
regression tests to provide coverage for relations without replica
identity.
Reported-by: Neha Sharma
Author: Dilip Kumar, Michael Paquier
Reviewed-by: Andres Freund
Discussion: https://postgr.es/m/CANiYTQsL1Hb8_Km08qd32svrqNumXLJeoGo014O7VZymgOhZEA@mail.gmail.com
Backpatch-through: 10
M src/backend/replication/logical/proto.c
M src/test/subscription/t/001_rep_changes.pl
Maintain valid md.c state when FileClose() fails.
commit : cb977424532f20fae65f2e58ac901286a2482b24
author : Noah Misch <[email protected]>
date : Fri, 10 Jan 2020 18:31:22 -0800
committer: Noah Misch <[email protected]>
date : Fri, 10 Jan 2020 18:31:22 -0800
FileClose() failure ordinarily causes a PANIC. Suppose the user
disables that PANIC via data_sync_retry=on. After mdclose() issued a
FileClose() that failed, calls into md.c raised SIGSEGV. This fix adds
repalloc() calls during mdclose(); update a comment about ignoring
repalloc() cost. The rate of relation segment count change is a minor
factor; more relevant to overall performance is the rate of mdclose()
and subsequent re-opening of segments. Back-patch to v10, where commit
45e191e3aa62d47a8bc1a33f784286b2051f45cb introduced the bug.
Reviewed by Kyotaro Horiguchi.
Discussion: https://postgr.es/m/[email protected]
M src/backend/storage/smgr/md.c
doc: Fix naming of SELinux
commit : 7b84ff33a14095b6252edbee686edf93ac9c8d1b
author : Michael Paquier <[email protected]>
date : Fri, 10 Jan 2020 09:37:27 +0900
committer: Michael Paquier <[email protected]>
date : Fri, 10 Jan 2020 09:37:27 +0900
Reported-by: Tham Nguyen
Discussion: https://postgr.es/m/[email protected]
Backpatch-through: 9.4
M doc/src/sgml/ref/security_label.sgml
M src/test/modules/dummy_seclabel/README
doc: Add link to upgrading chapter to release notes
commit : 4c6f541a0affb44b2f0e5e3d99f75636054c9d89
author : Peter Eisentraut <[email protected]>
date : Thu, 9 Jan 2020 16:02:23 +0100
committer: Peter Eisentraut <[email protected]>
date : Thu, 9 Jan 2020 16:02:23 +0100
Author: Vik Fearing <[email protected]>
Discussion: https://www.postgresql.org/message-id/flat/[email protected]
M doc/src/sgml/release-10.sgml
Reimplement nullification of walsender timestamp
commit : da42b9f3ff4375972e535368e875ca0dbbdf322a
author : Alvaro Herrera <[email protected]>
date : Wed, 8 Jan 2020 14:33:49 -0300
committer: Alvaro Herrera <[email protected]>
date : Wed, 8 Jan 2020 14:33:49 -0300
Make the value null only at pg_stat_activity-output time, as suggested
by Tom Lane, instead of messing with the internal state. This should
appease buildfarm members with force_parallel_mode=regress, which are
running parallel queries on logical replication walsenders.
The fact that walsenders can run parallel queries should perhaps be
studied more carefully, but for the moment let's get rid of the red
blots in buildfarm.
Backpatch to pg10, like the previous commit.
Discussion: https://postgr.es/m/[email protected]
M src/backend/access/transam/xact.c
M src/backend/utils/adt/pgstatfuncs.c
Revert "Forbid DROP SCHEMA on temporary namespaces"
commit : 0c046f816902a61d32df37e214cf6f0e40088530
author : Michael Paquier <[email protected]>
date : Wed, 8 Jan 2020 10:36:33 +0900
committer: Michael Paquier <[email protected]>
date : Wed, 8 Jan 2020 10:36:33 +0900
This reverts commit a052f6c, following complains from Robert Haas and
Tom Lane. Backpatch down to 9.4, like the previous commit.
Discussion: https://postgr.es/m/CA+TgmobL4npEX5=E5h=5Jm_9mZun3MT39Kq2suJFVeamc9skSQ@mail.gmail.com
Backpatch-through: 9.4
M src/backend/commands/dropcmds.c
pg_stat_activity: show NULL stmt start time for walsenders
commit : 8de3b68faffcb5898244bd8af3abfb6edb11543f
author : Alvaro Herrera <[email protected]>
date : Tue, 7 Jan 2020 17:38:48 -0300
committer: Alvaro Herrera <[email protected]>
date : Tue, 7 Jan 2020 17:38:48 -0300
Returning a non-NULL time is pointless, sinc a walsender is not a
process that would be running normal transactions anyway, but the code
was unintentionally exposing the process start time intermittently,
which was not only bogus but it also confused monitoring systems looking
for idle transactions. Fix by avoiding all updates in walsenders.
Backpatch to pg10: previously I misidentified the branches that show
auxiliary processes in pg_stat_activity.
Reported-by: Tomas Vondra
Discussion: https://postgr.es/m/20191209234409.exe7osmyalwkt5j4@development
M src/backend/access/transam/xact.c
Have logical replication subscriber fire column triggers
commit : 66fd0adc73a8d3b0c43423c7d263cba37edaa36b
author : Peter Eisentraut <[email protected]>
date : Mon, 6 Jan 2020 08:21:14 +0100
committer: Peter Eisentraut <[email protected]>
date : Mon, 6 Jan 2020 08:21:14 +0100
The logical replication apply worker did not fire per-column update
triggers because the updatedCols bitmap in the RTE was not populated.
This fixes that.
Reviewed-by: Euler Taveira <[email protected]>
Discussion: https://www.postgresql.org/message-id/flat/21673e2d-597c-6afe-637e-e8b10425b240%402ndquadrant.com
M src/backend/replication/logical/worker.c
M src/test/subscription/t/003_constraints.pl
Fix typos in parallel query docs.
commit : 91595d181707e1ebfb37f7334ad89f24f677c8a7
author : Amit Kapila <[email protected]>
date : Fri, 3 Jan 2020 11:27:50 +0530
committer: Amit Kapila <[email protected]>
date : Fri, 3 Jan 2020 11:27:50 +0530
Reported-by: Jon Jensen
Author: Jon Jensen
Reviewed-by: Amit Kapila and Robert Haas
Backpatch-through: 10
Discussion: https://postgr.es/m/nycvar.YSQ.7.76.1912301807510.9899@ybpnyubfg
M doc/src/sgml/parallel.sgml
Fix comment in test
commit : f5cdf4629f7862ae081cb0357a014a3af2643bf1
author : Peter Eisentraut <[email protected]>
date : Thu, 2 Jan 2020 14:40:18 +0100
committer: Peter Eisentraut <[email protected]>
date : Thu, 2 Jan 2020 14:40:18 +0100
The comment was apparently copy-and-pasted and did not reflect the
actual test outcome.
M src/test/regress/expected/alter_generic.out
M src/test/regress/sql/alter_generic.sql
Fix running out of file descriptors for spill files.
commit : 27b5f48c79f76f61d074849640513d855cb22c2a
author : Amit Kapila <[email protected]>
date : Thu, 2 Jan 2020 11:08:07 +0530
committer: Amit Kapila <[email protected]>
date : Thu, 2 Jan 2020 11:08:07 +0530
Currently while decoding changes, if the number of changes exceeds a
certain threshold, we spill those to disk. And this happens for each
(sub)transaction. Now, while reading all these files, we don't close them
until we read all the files. While reading these files, if the number of
such files exceeds the maximum number of file descriptors, the operation
errors out.
Use PathNameOpenFile interface to open these files as that internally has
the mechanism to release kernel FDs as needed to get us under the
max_safe_fds limit.
Reported-by: Amit Khandekar
Author: Amit Khandekar
Reviewed-by: Amit Kapila
Backpatch-through: 9.4
Discussion: https://postgr.es/m/CAJ3gD9c-sECEn79zXw4yBnBdOttacoE-6gAyP0oy60nfs_sabQ@mail.gmail.com
M src/backend/replication/logical/reorderbuffer.c
M src/test/recovery/t/006_logical_decoding.pl
Update copyrights for 2020
commit : f512479c23e02ecd49aeb569064517b07de5cc2e
author : Bruce Momjian <[email protected]>
date : Wed, 1 Jan 2020 12:21:44 -0500
committer: Bruce Momjian <[email protected]>
date : Wed, 1 Jan 2020 12:21:44 -0500
Backpatch-through: update all files in master, backpatch legal files through 9.4
M COPYRIGHT
M doc/src/sgml/legal.sgml
doc: add examples of creative use of unique expression indexes
commit : 2fc7fc48863e963516f47508468fd37aa8d2713a
author : Bruce Momjian <[email protected]>
date : Fri, 27 Dec 2019 14:49:08 -0500
committer: Bruce Momjian <[email protected]>
date : Fri, 27 Dec 2019 14:49:08 -0500
Unique expression indexes can constrain data in creative ways, so show
two examples.
Reported-by: Tuomas Leikola
Discussion: https://postgr.es/m/[email protected]
Backpatch-through: 9.4
M doc/src/sgml/indices.sgml
docs: clarify infinite range values from data-type infinities
commit : baecea566880175c30847ef96b19b02325d7e7a1
author : Bruce Momjian <[email protected]>
date : Fri, 27 Dec 2019 14:33:30 -0500
committer: Bruce Momjian <[email protected]>
date : Fri, 27 Dec 2019 14:33:30 -0500
The previous docs referenced these distinct ideas confusingly.
Reported-by: Eugen Konkov
Discussion: https://postgr.es/m/[email protected]
Backpatch-through: 9.4
M doc/src/sgml/rangetypes.sgml
Forbid DROP SCHEMA on temporary namespaces
commit : f1958351eae2c9ef820825c3f50f905cff13ccaf
author : Michael Paquier <[email protected]>
date : Fri, 27 Dec 2019 17:59:21 +0900
committer: Michael Paquier <[email protected]>
date : Fri, 27 Dec 2019 17:59:21 +0900
This operation was possible for the owner of the schema or a superuser.
Down to 9.4, doing this operation would cause inconsistencies in a
session whose temporary schema was dropped, particularly if trying to
create new temporary objects after the drop. A more annoying
consequence is a crash of autovacuum on an assertion failure when
logging information about an orphaned temp table dropped. Note that
because of 246a6c8 (present in v11~), which has made the removal of
orphaned temporary tables more aggressive, the failure could be
triggered more easily, but it is possible to reproduce down to 9.4.
Reported-by: Mahendra Singh, Prabhat Sahu
Author: Michael Paquier
Reviewed-by: Kyotaro Horiguchi, Mahendra Singh
Discussion: https://postgr.es/m/CAKYtNAr9Zq=1-ww4etHo-VCC-k120YxZy5OS01VkaLPaDbv2tg@mail.gmail.com
Backpatch-through: 9.4
M src/backend/commands/dropcmds.c
Rotate instead of shifting hash join batch number.
commit : 8e89bc6dfd3dbd3637d67ad4391805a6e6b2e4cd
author : Thomas Munro <[email protected]>
date : Tue, 24 Dec 2019 11:31:24 +1300
committer: Thomas Munro <[email protected]>
date : Tue, 24 Dec 2019 11:31:24 +1300
Our algorithm for choosing batch numbers turned out not to work
effectively for multi-billion key inner relations. We would use
more hash bits than we have, and effectively concentrate all tuples
into a smaller number of batches than we intended. While ideally
we should switch to wider hashes, for now, change the algorithm to
one that effectively gives up bits from the bucket number when we
don't have enough bits. That means we'll finish up with longer
bucket chains than would be ideal, but that's better than having
batches that don't fit in work_mem and can't be divided.
Batch-patch to all supported releases.
Author: Thomas Munro
Reviewed-by: Tom Lane, thanks also to Tomas Vondra, Alvaro Herrera, Andres Freund for testing and discussion
Reported-by: James Coleman
Discussion: https://postgr.es/m/16104-dc11ed911f1ab9df%40postgresql.org
M src/backend/executor/nodeHash.c
Disallow null category in crosstab_hash
commit : 81be0c57e2908667acbf7595744d045a4bec1df7
author : Joe Conway <[email protected]>
date : Mon, 23 Dec 2019 13:33:50 -0500
committer: Joe Conway <[email protected]>
date : Mon, 23 Dec 2019 13:33:50 -0500
While building a hash map of categories in load_categories_hash,
resulting category names have not thus far been checked to ensure
they are not null. Prior to pg12 null category names worked to the
extent that they did not crash on some platforms. This is because
those system libraries have an snprintf which can deal with being
passed a null pointer argument for a string. But even in those cases
null categories did nothing useful. And on some platforms it crashed.
As of pg12, our own version of snprintf gets called, and it does
not deal with null pointer arguments at all, and crashes consistently.
Fix that by disallowing null categories. They never worked usefully,
and no one has ever asked for them to work previously. Back-patch to
all supported branches.
Reported-By: Ireneusz Pluta
Discussion: https://postgr.es/m/[email protected]
M contrib/tablefunc/tablefunc.c
Disallow partition key expressions that return pseudo-types.
commit : ea1205a02a030562e41353bc39fcf621e11b45c0
author : Tom Lane <[email protected]>
date : Mon, 23 Dec 2019 12:53:13 -0500
committer: Tom Lane <[email protected]>
date : Mon, 23 Dec 2019 12:53:13 -0500
This wasn't checked originally, but it should have been, because
in general pseudo-types can't be stored to and retrieved from disk.
Notably, partition bound values of type "record" would not be
interpretable by another session.
In v12 and HEAD, add another flag to CheckAttributeType's repertoire
so that it can produce a specific error message for this case. That's
infeasible in older branches without an ABI break, so fall back to
a slightly-less-nicely-worded error message in v10 and v11.
Problem noted by Amit Langote, though this patch is not his initial
solution. Back-patch to v10 where partitioning was introduced.
Discussion: https://postgr.es/m/CA+HiwqFUzjfj9HEsJtYWcr1SgQ_=iCAvQ=O2Sx6aQxoDu4OiHw@mail.gmail.com
M src/backend/commands/tablecmds.c
M src/test/regress/expected/create_table.out
M src/test/regress/sql/create_table.sql
Prevent a rowtype from being included in itself via a range.
commit : 4af2531d03930c1fa1aa7ffc9b7cda9e23d7c03a
author : Tom Lane <[email protected]>
date : Mon, 23 Dec 2019 12:08:24 -0500
committer: Tom Lane <[email protected]>
date : Mon, 23 Dec 2019 12:08:24 -0500
We probably should have thought of this case when ranges were added,
but we didn't. (It's not the fault of commit eb51af71f, because
ranges didn't exist then.)
It's an old bug, so back-patch to all supported branches.
Discussion: https://postgr.es/m/[email protected]
M src/backend/catalog/heap.c
M src/test/regress/expected/rangetypes.out
M src/test/regress/sql/rangetypes.sql
Avoid low-probability regression test failures in timestamp[tz] tests.
commit : 37ae8640ed9b96267da0b05fd09f60bdffe58482
author : Tom Lane <[email protected]>
date : Sun, 22 Dec 2019 18:00:17 -0500
committer: Tom Lane <[email protected]>
date : Sun, 22 Dec 2019 18:00:17 -0500
If the first transaction block in these tests were entered exactly
at midnight (California time), they'd report a bogus failure due
to 'now' and 'midnight' having the same values. Commit 8c2ac75c5
had dismissed this as being of negligible probability, but we've
now seen it happen in the buildfarm, so let's prevent it. We can
get pretty much the same test coverage without an it's-not-midnight
assumption by moving the does-'now'-work cases into their own test step.
While here, apply commit 47169c255's s/DELETE/TRUNCATE/ change to
timestamptz as well as timestamp (not sure why that didn't
occur to me at the time; the risk of failure is the same).
Back-patch to all supported branches, since the main point is
to get rid of potential buildfarm failures.
Discussion: https://postgr.es/m/[email protected]
M src/test/regress/expected/timestamp.out
M src/test/regress/expected/timestamptz.out
M src/test/regress/sql/timestamp.sql
M src/test/regress/sql/timestamptz.sql
In pgwin32_open, loop after ERROR_ACCESS_DENIED only if we can't stat.
commit : a69f5697ae13f92a3407647a5c419cccd541676a
author : Tom Lane <[email protected]>
date : Sat, 21 Dec 2019 17:39:36 -0500
committer: Tom Lane <[email protected]>
date : Sat, 21 Dec 2019 17:39:36 -0500
This fixes a performance problem introduced by commit 6d7547c21.
ERROR_ACCESS_DENIED is returned in some other cases besides the
delete-pending case considered by that commit; notably, if the
given path names a directory instead of a plain file. In that
case we'll uselessly loop for 1 second before returning the
failure condition. That slows down some usage scenarios enough
to cause test timeout failures on our Windows buildfarm critters.
To fix, try to stat() the file, and sleep/loop only if that fails.
It will fail in the delete-pending case, and also in the case where
the deletion completed before we could stat(), so we have the cases
where we want to loop covered. In the directory case, the stat()
should succeed, letting us exit without a wait.
One case where we'll still wait uselessly is if the access-denied
problem pertains to a directory in the given pathname. But we don't
expect that to happen in any performance-critical code path.
There might be room to refine this further, but I'll push it now
in hopes of making the buildfarm green again.
Back-patch, like the preceding commit.
Alexander Lakhin and Tom Lane
Discussion: https://postgr.es/m/[email protected]
M src/port/open.c
docs: clarify handling of column lists in COPY TO/FROM
commit : 075129276ed66c9ac19198ec8aa108a538086d82
author : Bruce Momjian <[email protected]>
date : Sat, 21 Dec 2019 12:44:38 -0500
committer: Bruce Momjian <[email protected]>
date : Sat, 21 Dec 2019 12:44:38 -0500
Previously it was unclear how COPY FROM handled cases where not all
columns were specified, or if the order didn't match.
Reported-by: [email protected]
Discussion: https://postgr.es/m/[email protected]
Backpatch-through: 9.4
M doc/src/sgml/ref/copy.sgml
libpq should expose GSS-related parameters even when not implemented.
commit : d09cfa3e2874fb5ca5db046bff574d77e335049a
author : Tom Lane <[email protected]>
date : Fri, 20 Dec 2019 15:34:08 -0500
committer: Tom Lane <[email protected]>
date : Fri, 20 Dec 2019 15:34:08 -0500
We realized years ago that it's better for libpq to accept all
connection parameters syntactically, even if some are ignored or
restricted due to lack of the feature in a particular build.
However, that lesson from the SSL support was for some reason never
applied to the GSSAPI support. This is causing various buildfarm
members to have problems with a test case added by commit 6136e94dc,
and it's just a bad idea from a user-experience standpoint anyway,
so fix it.
While at it, fix some places where parameter-related infrastructure
was added with the aid of a dartboard, or perhaps with the aid of
the anti-pattern "add new stuff at the end". It should be safe
to rearrange the contents of struct pg_conn even in released
branches, since that's private to libpq (and we'd have to move
some fields in some builds to fix this, anyway).
Back-patch to all supported branches.
Discussion: https://postgr.es/m/[email protected]
M contrib/postgres_fdw/expected/postgres_fdw.out
M contrib/postgres_fdw/sql/postgres_fdw.sql
M doc/src/sgml/libpq.sgml
M src/interfaces/libpq/fe-connect.c
M src/interfaces/libpq/libpq-int.h
Fix subscriber invalid memory access on DDL.
commit : d6eca4958d78499b66aad9cf4b595b871c177e02
author : Amit Kapila <[email protected]>
date : Wed, 18 Dec 2019 08:27:41 +0530
committer: Amit Kapila <[email protected]>
date : Wed, 18 Dec 2019 08:27:41 +0530
This patch allows building the local relmap cache for a subscribed
relation after processing pending invalidation messages and potential
relcache updates. Without this, the attributes in the local cache don't
tally with the updated relcache entry leading to invalid memory access.
Reported-by Jehan-Guillaume de Rorthais
Author: Jehan-Guillaume de Rorthais and Vignesh C
Reviewed-by: Amit Kapila
Backpatch-through: 10
Discussion: https://postgr.es/m/20191025175929.7e90dbf5@firost
M src/backend/replication/logical/relation.c
Fix error reporting for index expressions of prohibited types.
commit : 5c5a268c605b9040206a3174667c20056d8e6603
author : Tom Lane <[email protected]>
date : Tue, 17 Dec 2019 17:44:28 -0500
committer: Tom Lane <[email protected]>
date : Tue, 17 Dec 2019 17:44:28 -0500
If CheckAttributeType() threw an error about the datatype of an
index expression column, it would report an empty column name,
which is pretty unhelpful and certainly not the intended behavior.
I (tgl) evidently broke this in commit cfc5008a5, by not noticing
that the column's attname was used above where I'd placed the
assignment of it.
In HEAD and v12, this is trivially fixable by moving up the
assignment of attname. Before v12 the code is a bit more messy;
to avoid doing substantial refactoring, I took the lazy way out
and just put in two copies of the assignment code.
Report and patch by Amit Langote. Back-patch to all supported
branches.
Discussion: https://postgr.es/m/CA+HiwqFA+BGyBFimjiYXXMa2Hc3fcL0+OJOyzUNjhU4NCa_XXw@mail.gmail.com
M src/backend/catalog/index.c
M src/test/regress/expected/create_index.out
M src/test/regress/sql/create_index.sql
On Windows, wait a little to see if ERROR_ACCESS_DENIED goes away.
commit : 81b052c3173afc998f7235707e6ffbe33e1bbd01
author : Tom Lane <[email protected]>
date : Mon, 16 Dec 2019 15:10:55 -0500
committer: Tom Lane <[email protected]>
date : Mon, 16 Dec 2019 15:10:55 -0500
Attempting to open a file fails with ERROR_ACCESS_DENIED if the file
is flagged for deletion but not yet actually gone (another in a long
list of reasons why Windows is broken, if you ask me). This seems
likely to explain a lot of irreproducible failures we see in the
buildfarm. This state generally persists for only a millisecond or so,
so just wait a bit and retry. If it's a real permissions problem,
we'll eventually give up and report it as such. If it's the pending
deletion case, we'll see file-not-found and report that after the
deletion completes, and the caller will treat that in an appropriate
way.
In passing, rejigger the existing retry logic for some other error
cases so that we don't uselessly wait an extra time when we're
not going to retry anymore.
Alexander Lakhin (with cosmetic tweaks by me). Back-patch to all
supported branches, since this seems like a pretty safe change and
the problem is definitely real.
Discussion: https://postgr.es/m/[email protected]
M src/port/open.c
Fix EXTRACT(ISOYEAR FROM timestamp) for years BC.
commit : c965c42a53e998c1744e355291eff1975155ac7d
author : Tom Lane <[email protected]>
date : Thu, 12 Dec 2019 12:30:44 -0500
committer: Tom Lane <[email protected]>
date : Thu, 12 Dec 2019 12:30:44 -0500
The test cases added by commit 26ae3aa80 exposed an old oversight in
timestamp[tz]_part: they didn't correct the result of date2isoyear()
for BC years, so that we produced an off-by-one answer for such years.
Fix that, and back-patch to all supported branches.
Discussion: https://postgr.es/m/SG2PR06MB37762CAE45DB0F6CA7001EA9B6550@SG2PR06MB3776.apcprd06.prod.outlook.com
M src/backend/utils/adt/timestamp.c
M src/test/regress/expected/timestamp.out
M src/test/regress/expected/timestamptz.out
Remove redundant function calls in timestamp[tz]_part().
commit : f3cf330532f476942cfa09c991e96fff6b199a91
author : Tom Lane <[email protected]>
date : Thu, 12 Dec 2019 12:12:35 -0500
committer: Tom Lane <[email protected]>
date : Thu, 12 Dec 2019 12:12:35 -0500
The DTK_DOW/DTK_ISODOW and DTK_DOY switch cases in timestamp_part() and
timestamptz_part() contained calls of timestamp2tm() that were fully
redundant with the ones done just above the switch. This evidently crept
in during commit 258ee1b63, which relocated that code from another place
where the calls were indeed needed. Just delete the redundant calls.
I (tgl) noted that our test coverage of these functions left quite a
bit to be desired, so extend timestamp.sql and timestamptz.sql to
cover all the branches.
Back-patch to all supported branches, as the previous commit was.
There's no real issue here other than some wasted cycles in some
not-too-heavily-used code paths, but the test coverage seems valuable.
Report and patch by Li Japin; test case adjustments by me.
Discussion: https://postgr.es/m/SG2PR06MB37762CAE45DB0F6CA7001EA9B6550@SG2PR06MB3776.apcprd06.prod.outlook.com
M src/backend/utils/adt/timestamp.c
M src/test/regress/expected/timestamp.out
M src/test/regress/expected/timestamptz.out
M src/test/regress/sql/timestamp.sql
M src/test/regress/sql/timestamptz.sql
Remove extra parenthesis from comment.
commit : eecc150000c9f50dba53d18ed4cc2cbe7ffc9068
author : Etsuro Fujita <[email protected]>
date : Thu, 12 Dec 2019 15:45:04 +0900
committer: Etsuro Fujita <[email protected]>
date : Thu, 12 Dec 2019 15:45:04 +0900
M src/backend/catalog/partition.c
Doc: back-patch documentation about limitations of CHECK constraints.
commit : af4006f0097acbf758859eff965818c6fddceb4b
author : Tom Lane <[email protected]>
date : Wed, 11 Dec 2019 15:53:36 -0500
committer: Tom Lane <[email protected]>
date : Wed, 11 Dec 2019 15:53:36 -0500
Back-patch commits 36d442a25 and 1f66c657f into all supported
branches. I'd considered doing this when putting in the latter
commit, but failed to pull the trigger. Now that we've had an
actual field complaint about the lack of such docs, let's do it.
Per bug #16158 from Piotr Jander. Original patches by Lætitia Avrot,
Patrick Francelle, and me.
Discussion: https://postgr.es/m/[email protected]
M doc/src/sgml/ddl.sgml
M doc/src/sgml/ref/alter_domain.sgml
M doc/src/sgml/ref/alter_table.sgml
M doc/src/sgml/ref/create_domain.sgml
M doc/src/sgml/ref/create_table.sgml
Fix race condition in our Windows signal emulation.
commit : 096ea540e1e98913d3e8ed419450bbee8d83335f
author : Tom Lane <[email protected]>
date : Mon, 9 Dec 2019 15:03:52 -0500
committer: Tom Lane <[email protected]>
date : Mon, 9 Dec 2019 15:03:52 -0500
pg_signal_dispatch_thread() responded to the client (signal sender)
and disconnected the pipe before actually setting the shared variables
that make the signal visible to the backend process's main thread.
In the worst case, it seems, effective delivery of the signal could be
postponed for as long as the machine has any other work to do.
To fix, just move the pg_queue_signal() call so that we do it before
responding to the client. This essentially makes pgkill() synchronous,
which is a stronger guarantee than we have on Unix. That may be
overkill, but on the other hand we have not seen comparable timing bugs
on any Unix platform.
While at it, add some comments to this sadly underdocumented code.
Problem diagnosis and fix by Amit Kapila; I just added the comments.
Back-patch to all supported versions, as it appears that this can cause
visible NOTIFY timing oddities on all of them, and there might be
other misbehavior due to slow delivery of other signals.
Discussion: https://postgr.es/m/[email protected]
M src/backend/port/win32/signal.c
Improve isolationtester's timeout management.
commit : bd0c44bdf477766f3ae6de295687390c69a857a9
author : Tom Lane <[email protected]>
date : Mon, 9 Dec 2019 14:31:57 -0500
committer: Tom Lane <[email protected]>
date : Mon, 9 Dec 2019 14:31:57 -0500
isolationtester.c had a hard-wired limit of 3 minutes per test step.
It now emerges that this isn't quite enough for some of the slowest
buildfarm animals. This isn't the first time we've had to raise
this limit (cf. 1db439ad4), so let's make it configurable. This
patch raises the default to 5 minutes, and introduces an environment
variable PGISOLATIONTIMEOUT that can be set if more time is needed,
following the precedent of PGCTLTIMEOUT.
Also, modify isolationtester so that when the timeout is hit,
it explicitly reports having sent a cancel. This makes the regression
failure log considerably more intelligible. (In the worst case, a
timed-out test might actually be reported as "passing" without this
extra output, so arguably this is a bug fix in itself.)
In passing, update the README file, which had apparently not gotten
touched when we added "make check" support here.
Back-patch to 9.6; older versions don't have comparable timeout logic.
Discussion: https://postgr.es/m/[email protected]
M src/test/isolation/README
M src/test/isolation/isolationtester.c
Fix typos in miscinit.c.
commit : 2ab5c03dc16a8ee029d79a5813c9163d4c1b1ace
author : Amit Kapila <[email protected]>
date : Mon, 9 Dec 2019 08:39:34 +0530
committer: Amit Kapila <[email protected]>
date : Mon, 9 Dec 2019 08:39:34 +0530
Commit f13ea95f9e moved the description of postmaster.pid file contents
from miscadmin.h to pidfile.h, but missed to update the comments in
miscinit.c.
Author: Hadi Moshayedi
Reviewed-by: Amit Kapila
Backpatch-through: 10
Discussion: https://postgr.es/m/CAK=1=WpYEM9x3LGkaxgXaxeYQjnkdW8XLsxrYRTE2Gq-H83FMw@mail.gmail.com
M src/backend/utils/init/miscinit.c
Document search_path security with untrusted dbowner or CREATEROLE.
commit : 6909742976612e45a68e765618bb88dacd6da758
author : Noah Misch <[email protected]>
date : Sun, 8 Dec 2019 11:06:26 -0800
committer: Noah Misch <[email protected]>
date : Sun, 8 Dec 2019 11:06:26 -0800
Commit 5770172cb0c9df9e6ce27c507b449557e5b45124 wrote, incorrectly, that
certain schema usage patterns are secure against CREATEROLE users and
database owners. When an untrusted user is the database owner or holds
CREATEROLE privilege, a query is secure only if its session started with
SELECT pg_catalog.set_config('search_path', '', false) or equivalent.
Back-patch to 9.4 (all supported versions).
Discussion: https://postgr.es/m/[email protected]
M doc/src/sgml/ddl.sgml
Ensure maxlen is at leat 1 in dict_int
commit : 46ce37b67a5144458adb0789eb4e9169a61881fd
author : Tomas Vondra <[email protected]>
date : Tue, 3 Dec 2019 16:55:51 +0100
committer: Tomas Vondra <[email protected]>
date : Tue, 3 Dec 2019 16:55:51 +0100
The dict_int text search dictionary template accepts maxlen parameter,
which is then used to cap the length of input strings. The value was
not properly checked, and the code simply does
txt[d->maxlen] = '\0';
to insert a terminator, leading to segfaults with negative values.
This commit simply rejects values less than 1. The issue was there since
dct_int was introduced in 9.3, so backpatch all the way back to 9.4
which is the oldest supported version.
Reported-by: cili
Discussion: https://postgr.es/m/[email protected]
Backpatch-through: 9.4
M contrib/dict_int/dict_int.c
M contrib/dict_int/expected/dict_int.out
M contrib/dict_int/sql/dict_int.sql
Fix misbehavior with expression indexes on ON COMMIT DELETE ROWS tables.
commit : 25c7183c06271b44ad2f13fc6ffe435544bee970
author : Tom Lane <[email protected]>
date : Sun, 1 Dec 2019 13:09:27 -0500
committer: Tom Lane <[email protected]>
date : Sun, 1 Dec 2019 13:09:27 -0500
We implement ON COMMIT DELETE ROWS by truncating tables marked that
way, which requires also truncating/rebuilding their indexes. But
RelationTruncateIndexes asks the relcache for up-to-date copies of any
index expressions, which may cause execution of eval_const_expressions
on them, which can result in actual execution of subexpressions.
This is a bad thing to have happening during ON COMMIT. Manuel Rigger
reported that use of a SQL function resulted in crashes due to
expectations that ActiveSnapshot would be set, which it isn't.
The most obvious fix perhaps would be to push a snapshot during
PreCommit_on_commit_actions, but I think that would just open the door
to more problems: CommitTransaction explicitly expects that no
user-defined code can be running at this point.
Fortunately, since we know that no tuples exist to be indexed, there
seems no need to use the real index expressions or predicates during
RelationTruncateIndexes. We can set up dummy index expressions
instead (we do need something that will expose the right data type,
as there are places that build index tupdescs based on this), and
just ignore predicates and exclusion constraints.
In a green field it'd likely be better to reimplement ON COMMIT DELETE
ROWS using the same "init fork" infrastructure used for unlogged
relations. That seems impractical without catalog changes though,
and even without that it'd be too big a change to back-patch.
So for now do it like this.
Per private report from Manuel Rigger. This has been broken forever,
so back-patch to all supported branches.
M src/backend/catalog/heap.c
M src/backend/catalog/index.c
M src/backend/utils/cache/relcache.c
M src/include/catalog/index.h
M src/include/utils/relcache.h
M src/test/regress/expected/temp.out
M src/test/regress/sql/temp.sql
Fix off-by-one error in PGTYPEStimestamp_fmt_asc
commit : f71b22f537b987f6f4b04f889bbd955c548d7d72
author : Tomas Vondra <[email protected]>
date : Sat, 30 Nov 2019 14:51:27 +0100
committer: Tomas Vondra <[email protected]>
date : Sat, 30 Nov 2019 14:51:27 +0100
When using %b or %B patterns to format a date, the code was simply using
tm_mon as an index into array of month names. But that is wrong, because
tm_mon is 1-based, while array indexes are 0-based. The result is we
either use name of the next month, or a segfault (for December).
Fix by subtracting 1 from tm_mon for both patterns, and add a regression
test triggering the issue. Backpatch to all supported versions (the bug
is there far longer, since at least 2003).
Reported-by: Paul Spencer
Backpatch-through: 9.4
Discussion: https://postgr.es/m/16143-0d861eb8688d3fef%40postgresql.org
M src/interfaces/ecpg/pgtypeslib/timestamp.c
M src/interfaces/ecpg/test/expected/pgtypeslib-dt_test.c
M src/interfaces/ecpg/test/expected/pgtypeslib-dt_test.stderr
M src/interfaces/ecpg/test/expected/pgtypeslib-dt_test.stdout
M src/interfaces/ecpg/test/pgtypeslib/dt_test.pgc
Fix typo in comment.
commit : e429b03cc63b5879b87be6dd96c49c7868febeb1
author : Etsuro Fujita <[email protected]>
date : Wed, 27 Nov 2019 16:00:49 +0900
committer: Etsuro Fujita <[email protected]>
date : Wed, 27 Nov 2019 16:00:49 +0900
M src/backend/optimizer/util/relnode.c
Don't shut down Gather[Merge] early under Limit.
commit : f7ae68aacd9d9cd18a62575b927491d56e57a555
author : Amit Kapila <[email protected]>
date : Mon, 18 Nov 2019 14:17:41 +0530
committer: Amit Kapila <[email protected]>
date : Mon, 18 Nov 2019 14:17:41 +0530
Revert part of commit 19df1702f5.
Early shutdown was added by that commit so that we could collect
statistics from workers, but unfortunately, it interacted badly with
rescans. The problem is that we ended up destroying the parallel context
which is required for rescans. This leads to rescans of a Limit node over
a Gather node to produce unpredictable results as it tries to access
destroyed parallel context. By reverting the early shutdown code, we
might lose statistics in some cases of Limit over Gather [Merge], but that
will require further study to fix.
Reported-by: Jerry Sievers
Diagnosed-by: Thomas Munro
Author: Amit Kapila, testcase by Vignesh C
Backpatch-through: 9.6
Discussion: https://postgr.es/m/[email protected]
M src/backend/executor/nodeLimit.c
M src/test/regress/expected/select_parallel.out
M src/test/regress/sql/select_parallel.sql
Avoid assertion failure with LISTEN in a serializable transaction.
commit : bd743b6006191796d08d4a1836e539626f01f50d
author : Tom Lane <[email protected]>
date : Sun, 24 Nov 2019 15:57:31 -0500
committer: Tom Lane <[email protected]>
date : Sun, 24 Nov 2019 15:57:31 -0500
If LISTEN is the only action in a serializable-mode transaction,
and the session was not previously listening, and the notify queue
is not empty, predicate.c reported an assertion failure. That
happened because we'd acquire the transaction's initial snapshot
during PreCommit_Notify, which was called *after* predicate.c
expects any such snapshot to have been established.
To fix, just swap the order of the PreCommit_Notify and
PreCommit_CheckForSerializationFailure calls during CommitTransaction.
This will imply holding the notify-insertion lock slightly longer,
but the difference could only be meaningful in serializable mode,
which is an expensive option anyway.
It appears that this is just an assertion failure, with no
consequences in non-assert builds. A snapshot used only to scan
the notify queue could not have been involved in any serialization
conflicts, so there would be nothing for
PreCommit_CheckForSerializationFailure to do except assign it a
prepareSeqNo and set the SXACT_FLAG_PREPARED flag. And given no
conflicts, neither of those omissions affect the behavior of
ReleasePredicateLocks. This admittedly once-over-lightly analysis
is backed up by the lack of field reports of trouble.
Per report from Mark Dilger. The bug is old, so back-patch to all
supported branches; but the new test case only goes back to 9.6,
for lack of adequate isolationtester infrastructure before that.
Discussion: https://postgr.es/m/[email protected]
Discussion: https://postgr.es/m/[email protected]
M src/backend/access/transam/xact.c
M src/test/isolation/expected/async-notify.out
M src/test/isolation/specs/async-notify.spec
doc: Fix whitespace in syntax.
commit : c08ac67f47a3e3e8ca7889178f1f12fe993ca7d2
author : Thomas Munro <[email protected]>
date : Mon, 25 Nov 2019 09:20:28 +1300
committer: Thomas Munro <[email protected]>
date : Mon, 25 Nov 2019 09:20:28 +1300
Back-patch to 10.
Author: Andreas Karlsson
Discussion: https://postgr.es/m/043acae2-a369-b7fa-be48-1933aa2e82d1%40proxel.se
M doc/src/sgml/ref/insert.sgml
Stabilize NOTIFY behavior by transmitting notifies before ReadyForQuery.
commit : dbe15524becb0d1366e9421aabdf85f538001942
author : Tom Lane <[email protected]>
date : Sun, 24 Nov 2019 14:42:59 -0500
committer: Tom Lane <[email protected]>
date : Sun, 24 Nov 2019 14:42:59 -0500
This patch ensures that, if any notify messages were received during
a just-finished transaction, they get sent to the frontend just before
not just after the ReadyForQuery message. With libpq and other client
libraries that act similarly, this guarantees that the client will see
the notify messages as available as soon as it thinks the transaction
is done.
This probably makes no difference in practice, since in realistic
use-cases the application would have to cope with asynchronous
arrival of notify events anyhow. However, it makes it a lot easier
to build cross-session-notify test cases with stable behavior.
I'm a bit surprised now that we've not seen any buildfarm instability
with the test cases added by commit b10f40bf0. Tests that I intend
to add in an upcoming bug fix are definitely unstable without this.
Back-patch to 9.6, which is as far back as we can do NOTIFY testing
with the isolationtester infrastructure.
Discussion: https://postgr.es/m/[email protected]
M src/backend/commands/async.c
M src/backend/tcop/postgres.c
Improve test coverage for LISTEN/NOTIFY.
commit : 34f66c0ed800f50ffa75d57c7769f07d0adb5e29
author : Tom Lane <[email protected]>
date : Sat, 23 Nov 2019 17:30:01 -0500
committer: Tom Lane <[email protected]>
date : Sat, 23 Nov 2019 17:30:01 -0500
Back-patch commit b10f40bf0 into older branches. This adds reporting
of NOTIFY messages to isolationtester.c, and extends the async-notify
test to include direct tests of basic NOTIFY functionality.
This provides useful infrastructure for testing a bug fix I'm about
to back-patch, and there seems no good reason not to have better tests
of LISTEN/NOTIFY in the back branches. The commit's survived long
enough in HEAD to make it unlikely that it will cause problems.
Back-patch as far as 9.6. isolationtester.c changed too much in 9.6
to make it sane to try to fix older branches this way, and I don't
really want to back-patch those changes too.
Discussion: https://postgr.es/m/[email protected]
M src/test/isolation/expected/async-notify.out
M src/test/isolation/isolationtester.c
M src/test/isolation/specs/async-notify.spec
Add test coverage for "unchanged toast column" replication code path.
commit : 8b46acf7c423128439423f6677e9d85e286e1806
author : Tom Lane <[email protected]>
date : Fri, 22 Nov 2019 12:52:26 -0500
committer: Tom Lane <[email protected]>
date : Fri, 22 Nov 2019 12:52:26 -0500
It seems pretty unacceptable to have no regression test coverage
for this aspect of the logical replication protocol, especially
given the bugs we've found in related code.
Discussion: https://postgr.es/m/[email protected]
M src/test/subscription/t/001_rep_changes.pl
Fix bogus tuple-slot management in logical replication UPDATE handling.
commit : 5d3fcb53a6a81a75457a3afef6aff91629705f2b
author : Tom Lane <[email protected]>
date : Fri, 22 Nov 2019 11:31:19 -0500
committer: Tom Lane <[email protected]>
date : Fri, 22 Nov 2019 11:31:19 -0500
slot_modify_cstrings seriously abused the TupleTableSlot API by relying
on a slot's underlying data to stay valid across ExecClearTuple. Since
this abuse was also quite undocumented, it's little surprise that the
case got broken during the v12 slot rewrites. As reported in bug #16129
from Ondřej Jirman, this could lead to crashes or data corruption when
a logical replication subscriber processes a row update. Problems would
only arise if the subscriber's table contained columns of pass-by-ref
types that were not being copied from the publisher.
Fix by explicitly copying the datum/isnull arrays from the source slot
that the old row was in already. This ends up being about the same
thing that happened pre-v12, but hopefully in a less opaque and
fragile way.
We might've caught the problem sooner if there were any test cases
dealing with updates involving non-replicated or dropped columns.
Now there are.
Back-patch to v10 where this code came in. Even though the failure
does not manifest before v12, IMO this code is too fragile to leave
as-is. In any case we certainly want the additional test coverage.
Patch by me; thanks to Tomas Vondra for initial investigation.
Discussion: https://postgr.es/m/[email protected]
M src/backend/replication/logical/worker.c
M src/test/subscription/t/001_rep_changes.pl
Defend against self-referential views in relation_is_updatable().
commit : b9f3d7a5317bbafb0cef1921c2e777bb327fdaee
author : Tom Lane <[email protected]>
date : Thu, 21 Nov 2019 16:21:44 -0500
committer: Tom Lane <[email protected]>
date : Thu, 21 Nov 2019 16:21:44 -0500
While a self-referential view doesn't actually work, it's possible
to create one, and it turns out that this breaks some of the
information_schema views. Those views call relation_is_updatable(),
which neglected to consider the hazards of being recursive. In
older PG versions you get a "stack depth limit exceeded" error,
but since v10 it'd recurse to the point of stack overrun and crash,
because commit a4c35ea1c took out the expression_returns_set() call
that was incidentally checking the stack depth.
Since this function is only used by information_schema views, it
seems like it'd be better to return "not updatable" than suffer
an error. Hence, add tracking of what views we're examining,
in just the same way that the nearby fireRIRrules() code detects
self-referential views. I added a check_stack_depth() call too,
just to be defensive.
Per private report from Manuel Rigger. Back-patch to all
supported versions.
M src/backend/rewrite/rewriteHandler.c
M src/backend/utils/adt/misc.c
M src/include/rewrite/rewriteHandler.h
Provide statistics for hypothetical BRIN indexes
commit : f4095026cf174f9993920b8fce227db9c128bd5c
author : Michael Paquier <[email protected]>
date : Thu, 21 Nov 2019 10:23:49 +0900
committer: Michael Paquier <[email protected]>
date : Thu, 21 Nov 2019 10:23:49 +0900
Trying to use hypothetical indexes with BRIN currently fails when trying
to access a relation that does not exist when looking for the
statistics. With the current API, it is not possible to easily pass
a value for pages_per_range down to the hypothetical index, so this
makes use of the default value of BRIN_DEFAULT_PAGES_PER_RANGE, which
should be fine enough in most cases.
Being able to refine or enforce the hypothetical costs in more
optimistic ways would require more refactoring by filling in the
statistics when building IndexOptInfo in plancat.c. This would involve
ABI breakages around the costing routines, something not fit for stable
branches.
This is broken since 7e534ad, so backpatch down to v10.
Author: Julien Rouhaud, Heikki Linnakangas
Reviewed-by: Álvaro Herrera, Tom Lane, Michael Paquier
Discussion: https://postgr.es/m/CAOBaU_ZH0LKEA8VFCocr6Lpte1ab0b6FpvgS0y4way+RPSXfYg@mail.gmail.com
Backpatch-through: 10
M src/backend/utils/adt/selfuncs.c
Remove incorrect markup
commit : a45feb1a4fd48dad5d969d1ff010861a18b4a6b9
author : Magnus Hagander <[email protected]>
date : Wed, 20 Nov 2019 17:03:07 +0100
committer: Magnus Hagander <[email protected]>
date : Wed, 20 Nov 2019 17:03:07 +0100
Author: Daniel Gustafsson <[email protected]>
M doc/src/sgml/libpq.sgml
Revise GIN README
commit : b6f57c2d7bfc2c0ddfc33158b2c42ebd0c715959
author : Alexander Korotkov <[email protected]>
date : Tue, 19 Nov 2019 23:11:24 +0300
committer: Alexander Korotkov <[email protected]>
date : Tue, 19 Nov 2019 23:11:24 +0300
We find GIN concurrency bugs from time to time. One of the problems here is
that concurrency of GIN isn't well-documented in README. So, it might be even
hard to distinguish design bugs from implementation bugs.
This commit revised concurrency section in GIN README providing more details.
Some examples are illustrated in ASCII art.
Also, this commit add the explanation of how is tuple layout in internal GIN
B-tree page different in comparison with nbtree.
Discussion: https://postgr.es/m/CAPpHfduXR_ywyaVN4%2BOYEGaw%3DcPLzWX6RxYLBncKw8de9vOkqw%40mail.gmail.com
Author: Alexander Korotkov
Reviewed-by: Peter Geoghegan
Backpatch-through: 9.4
M src/backend/access/gin/README
Fix traversing to the deleted GIN page via downlink
commit : ab64b474d9bec8486b42e550526a121f0d81b681
author : Alexander Korotkov <[email protected]>
date : Tue, 19 Nov 2019 23:08:14 +0300
committer: Alexander Korotkov <[email protected]>
date : Tue, 19 Nov 2019 23:08:14 +0300
Current GIN code appears to don't handle traversing to the deleted page via
downlink. This commit fixes that by stepping right from the delete page like
we do in nbtree.
This commit also fixes setting 'deleted' flag to the GIN pages. Now other page
flags are not erased once page is deleted. That helps to keep our assertions
true if we arrive deleted page via downlink.
Discussion: https://postgr.es/m/CAPpHfdvMvsw-NcE5bRS7R1BbvA4BxoDnVVjkXC5W0Czvy9LVrg%40mail.gmail.com
Author: Alexander Korotkov
Reviewed-by: Peter Geoghegan
Backpatch-through: 9.4
M src/backend/access/gin/ginbtree.c
M src/backend/access/gin/gindatapage.c
M src/backend/access/gin/ginvacuum.c
M src/backend/access/gin/ginxlog.c
Fix deadlock between ginDeletePage() and ginStepRight()
commit : 21ad61ab31786128ae780feca8fcf766bbb6a579
author : Alexander Korotkov <[email protected]>
date : Tue, 19 Nov 2019 23:07:36 +0300
committer: Alexander Korotkov <[email protected]>
date : Tue, 19 Nov 2019 23:07:36 +0300
When ginDeletePage() is about to delete page it locks its left sibling to revise
the rightlink. So, it locks pages in right to left manner. Int he same time
ginStepRight() locks pages in left to right manner, and that could cause a
deadlock.
This commit makes ginScanToDelete() keep exclusive lock on left siblings of
currently investigated path. That elimites need to relock left sibling in
ginDeletePage(). Thus, deadlock with ginStepRight() can't happen anymore.
Reported-by: Chen Huajun
Discussion: https://postgr.es/m/5c332bd1.87b6.16d7c17aa98.Coremail.chjischj%40163.com
Author: Alexander Korotkov
Reviewed-by: Peter Geoghegan
Backpatch-through: 10
M src/backend/access/gin/README
M src/backend/access/gin/ginvacuum.c
Doc: clarify use of RECURSIVE in WITH.
commit : f1155901fa598f3476a489152fbfe37a5833613c
author : Tom Lane <[email protected]>
date : Tue, 19 Nov 2019 14:43:37 -0500
committer: Tom Lane <[email protected]>
date : Tue, 19 Nov 2019 14:43:37 -0500
Apparently some people misinterpreted the syntax as being that
RECURSIVE is a prefix of individual WITH queries. It's a modifier
for the WITH clause as a whole, so state that more clearly.
Discussion: https://postgr.es/m/[email protected]
M doc/src/sgml/ref/select.sgml
Doc: clarify behavior of ALTER DEFAULT PRIVILEGES ... IN SCHEMA.
commit : d30e0ed55c6bba632f491fa8db2c2bbde33330c3
author : Tom Lane <[email protected]>
date : Tue, 19 Nov 2019 14:21:41 -0500
committer: Tom Lane <[email protected]>
date : Tue, 19 Nov 2019 14:21:41 -0500
The existing text stated that "Default privileges that are specified
per-schema are added to whatever the global default privileges are for
the particular object type". However, that bare-bones observation is
not quite clear enough, as demonstrated by the complaint in bug #16124.
Flesh it out by stating explicitly that you can't revoke built-in
default privileges this way, and by providing an example to drive
the point home.
Back-patch to all supported branches, since it's been like this
from the beginning.
Discussion: https://postgr.es/m/[email protected]
M doc/src/sgml/ref/alter_default_privileges.sgml
Further fix dumping of views that contain just VALUES(...).
commit : a1b2cf0950ea464a1d95529ed4aaf727c13e463a
author : Tom Lane <[email protected]>
date : Sat, 16 Nov 2019 20:00:19 -0500
committer: Tom Lane <[email protected]>
date : Sat, 16 Nov 2019 20:00:19 -0500
It turns out that commit e9f1c01b7 missed a case: we must print a
VALUES clause in long format if get_query_def is given a resultDesc
that would require the query's output column name(s) to be different
from what the bare VALUES clause would produce.
This applies in case an ALTER ... RENAME COLUMN has been done to
a view that formerly could be printed in simple format, as shown
in the added regression test case. It also explains bug #16119
from Dmitry Telpt, because it turns out that (unlike CREATE VIEW)
CREATE MATERIALIZED VIEW fails to apply any column aliases it's
given to the stored ON SELECT rule. So to get them to be printed,
we have to account for the resultDesc renaming. It might be worth
changing the matview code so that it creates the ON SELECT rule
with the correct aliases; but we'd still need these messy checks in
get_simple_values_rte to handle the case of a subsequent column
rename, so any such change would be just neatnik-ism not a bug fix.
Like the previous patch, back-patch to all supported branches.
Discussion: https://postgr.es/m/[email protected]
M src/backend/utils/adt/ruleutils.c
M src/test/regress/expected/rules.out
M src/test/regress/sql/rules.sql
Skip system attributes when applying mvdistinct stats
commit : 0b0f281cc0fe383162b170889e79502e21e6b35a
author : Tomas Vondra <[email protected]>
date : Sat, 16 Nov 2019 01:17:15 +0100
committer: Tomas Vondra <[email protected]>
date : Sat, 16 Nov 2019 01:17:15 +0100
When estimating number of distinct groups, we failed to ignore system
attributes when matching the group expressions to mvdistinct stats,
causing failures like
ERROR: negative bitmapset member not allowed
Fix that by simply skipping anything that is not a regular attribute.
Backpatch to PostgreSQL 10, where the extended stats were introduced.
Bug: #16111
Reported-by: Tuomas Leikola
Author: Tomas Vondra
Backpatch-through: 10
Discussion: https://postgr.es/m/[email protected]
M src/backend/utils/adt/selfuncs.c
M src/test/regress/expected/stats_ext.out
M src/test/regress/sql/stats_ext.sql
Avoid downcasing/truncation of RADIUS authentication parameters.
commit : 4be69e2ea14d4f00c77a1185e68b7f9235aeb95f
author : Tom Lane <[email protected]>
date : Wed, 13 Nov 2019 13:41:04 -0500
committer: Tom Lane <[email protected]>
date : Wed, 13 Nov 2019 13:41:04 -0500
Commit 6b76f1bb5 changed all the RADIUS auth parameters to be lists
rather than single values. But its use of SplitIdentifierString
to parse the list format was not very carefully thought through,
because that function thinks it's parsing SQL identifiers, which
means it will (a) downcase the strings and (b) truncate them to
be shorter than NAMEDATALEN. While downcasing should be harmless
for the server names and ports, it's just wrong for the shared
secrets, and probably for the NAS Identifier strings as well.
The truncation aspect is at least potentially a problem too,
though typical values for these parameters would fit in 63 bytes.
Fortunately, we now have a function SplitGUCList that is exactly
the same except for not doing the two unwanted things, so fixing
this is a trivial matter of calling that function instead.
While here, improve the documentation to show how to double-quote
the parameter values. I failed to resist the temptation to do
some copy-editing as well.
Report and patch from Marcos David (bug #16106); doc changes by me.
Back-patch to v10 where the aforesaid commit came in, since this is
arguably a regression from our previous behavior with RADIUS auth.
Discussion: https://postgr.es/m/[email protected]
M doc/src/sgml/client-auth.sgml
M src/backend/libpq/hba.c
Include TableFunc references when computing expression dependencies.
commit : e25c4b3b2f678dd4fad142e494a44a59a7748904
author : Tom Lane <[email protected]>
date : Wed, 13 Nov 2019 12:11:50 -0500
committer: Tom Lane <[email protected]>
date : Wed, 13 Nov 2019 12:11:50 -0500
The TableFunc node (i.e., XMLTABLE) includes type and collation OIDs
that might not be referenced anywhere else in the expression tree,
so they need to be accounted for when extracting dependencies.
Fortunately, the practical effects of this are limited, since
(a) it's somewhat unlikely that people would be extracting
columns of non-builtin types from an XML document, and (b)
in many scenarios, the query would contain other references
to such types, or functions depending on them. However, it's
not hard to construct examples wherein the existing code lets
one drop a type used in XMLTABLE and thereby break a view.
This is evidently an original oversight in the XMLTABLE patch,
so back-patch to v10 where that came in.
Discussion: https://postgr.es/m/[email protected]
M src/backend/catalog/dependency.c
Handle arrays and ranges in pg_upgrade's test for non-upgradable types.
commit : c443e3c439273217d1e9a6e1a933ece302aa4ba1
author : Tom Lane <[email protected]>
date : Wed, 13 Nov 2019 11:35:37 -0500
committer: Tom Lane <[email protected]>
date : Wed, 13 Nov 2019 11:35:37 -0500
pg_upgrade needs to check whether certain non-upgradable data types
appear anywhere on-disk in the source cluster. It knew that it has
to check for these types being contained inside domains and composite
types; but it somehow overlooked that they could be contained in
arrays and ranges, too. Extend the existing recursive-containment
query to handle those cases.
We probably should have noticed this oversight while working on
commit 0ccfc2822 and follow-ups, but we failed to :-(. The whole
thing's possibly a bit overdesigned, since we don't really expect
that any of these types will appear on disk; but if we're going to
the effort of doing a recursive search then it's silly not to cover
all the possibilities.
While at it, refactor so that we have only one copy of the search
logic, not three-and-counting. Also, to keep the branches looking
more alike, back-patch the output wording change of commit 1634d3615.
Back-patch to all supported branches.
Discussion: https://postgr.es/m/[email protected]
M src/bin/pg_upgrade/version.c