PostgreSQL 11.11 commit log

commit   : db5b64b978290e2c2bb0a18edbf2447c1405ccad    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Mon, 8 Feb 2021 16:57:36 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Mon, 8 Feb 2021 16:57:36 -0500    

commit   : 790567a741cfec6663193084a18890bd05c9e4be    
  
author   : Peter Eisentraut <peter@eisentraut.org>    
date     : Mon, 8 Feb 2021 18:00:20 +0100    
  
committer: Peter Eisentraut <peter@eisentraut.org>    
date     : Mon, 8 Feb 2021 18:00:20 +0100    

Source-Git-URL: https://git.postgresql.org/git/pgtranslation/messages.git  
Source-Git-Hash: 4ddd4dc891ebc9345b4e4542726750189fa3b2d9  

commit   : 934b8508472a6b7175fd49bb2a8e719cb5560be8    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Mon, 8 Feb 2021 11:10:40 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Mon, 8 Feb 2021 11:10:40 -0500    

Security: CVE-2021-3393, CVE-2021-20229  

commit   : cb5868cc1bd77b9b2f0f62b28d15a62b97ba3e94    
  
author   : Heikki Linnakangas <heikki.linnakangas@iki.fi>    
date     : Mon, 8 Feb 2021 11:01:51 +0200    
  
committer: Heikki Linnakangas <heikki.linnakangas@iki.fi>    
date     : Mon, 8 Feb 2021 11:01:51 +0200    

If a cross-partition UPDATE violates a constraint on the target partition,  
and the columns in the new partition are in different physical order than  
in the parent, the error message can reveal columns that the user does not  
have SELECT permission on. A similar bug was fixed earlier in commit  
804b6b6db4.  
  
The cause of the bug is that the callers of the  
ExecBuildSlotValueDescription() function got confused when constructing  
the list of modified columns. If the tuple was routed from a parent, we  
converted the tuple to the parent's format, but the list of modified  
columns was grabbed directly from the child's RTE entry.  
  
ExecUpdateLockMode() had a similar issue. That lead to confusion on which  
columns are key columns, leading to wrong tuple lock being taken on tables  
referenced by foreign keys, when a row is updated with INSERT ON CONFLICT  
UPDATE. A new isolation test is added for that corner case.  
  
With this patch, the ri_RangeTableIndex field is no longer set for  
partitions that don't have an entry in the range table. Previously, it was  
set to the RTE entry of the parent relation, but that was confusing.  
  
NOTE: This modifies the ResultRelInfo struct, replacing the  
ri_PartitionRoot field with ri_RootResultRelInfo. That's a bit risky to  
backpatch, because it breaks any extensions accessing the field. The  
change that ri_RangeTableIndex is not set for partitions could potentially  
break extensions, too. The ResultRelInfos are visible to FDWs at least,  
and this patch required small changes to postgres_fdw. Nevertheless, this  
seem like the least bad option. I don't think these fields widely used in  
extensions; I don't think there are FDWs out there that uses the FDW  
"direct update" API, other than postgres_fdw. If there is, you will get a  
compilation error, so hopefully it is caught quickly.  
  
Backpatch to 11, where support for both cross-partition UPDATEs, and unique  
indexes on partitioned tables, were added.  
  
Reviewed-by: Amit Langote  
Security: CVE-2021-3393  

commit   : 1c91af9b26a0252f43dc581cb0e607206fbebe4a    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Sun, 7 Feb 2021 15:46:38 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Sun, 7 Feb 2021 15:46:38 -0500    

commit   : f94924f01e48b08c677eeeab20108bbbc0be52e6    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Sun, 7 Feb 2021 12:54:08 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Sun, 7 Feb 2021 12:54:08 -0500    

This reverts commit ed290896335414c6c069b9ccae1f3dcdd2fac6ba and  
equivalent back-branch commits.  The issue is subtler than I thought,  
and it's far from new, so just before a release deadline is no time  
to be fooling with it.  We'll consider what to do at a bit more  
leisure.  
  
Discussion: https://postgr.es/m/CAJcOf-fAdj=nDKMsRhQzndm-O13NY4dL6xGcEvdX5Xvbbi0V7g@mail.gmail.com  

commit   : ce5f27fcae61526603915a266f36a3b2c6f6c6de    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Sat, 6 Feb 2021 19:28:39 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Sat, 6 Feb 2021 19:28:39 -0500    

rewriteRuleAction() neglected this step, although it was careful to  
propagate other similar flags such as hasSubLinks or hasRowSecurity.  
Omitting to transfer hasRecursive is just cosmetic at the moment,  
but omitting hasModifyingCTE is a live bug, since the executor  
certainly looks at that.  
  
The proposed test case only fails back to v10, but since the executor  
examines hasModifyingCTE in 9.x as well, I suspect that a test case  
could be devised that fails in older branches.  Given the nearness  
of the release deadline, though, I'm not going to spend time looking  
for a better test.  
  
Report and patch by Greg Nancarrow, cosmetic changes by me  
  
Discussion: https://postgr.es/m/CAJcOf-fAdj=nDKMsRhQzndm-O13NY4dL6xGcEvdX5Xvbbi0V7g@mail.gmail.com  

commit   : 580069037cec005ed3b61d233ae87462be91c6d0    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Sat, 6 Feb 2021 15:17:02 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Sat, 6 Feb 2021 15:17:02 -0500    

Generally, members of inheritance trees must be plain tables (or,  
in more recent versions, foreign tables).  ALTER TABLE INHERIT  
rejects creating an inheritance relationship that has a view at  
either end.  When DefineQueryRewrite attempts to convert a relation  
to a view, it already had checks prohibiting doing so for partitioning  
parents or children as well as traditional-inheritance parents ...  
but it neglected to check that a traditional-inheritance child wasn't  
being converted.  Since the planner assumes that any inheritance  
child is a table, this led to making plans that tried to do a physical  
scan on a view, causing failures (or even crashes, in recent versions).  
  
One could imagine trying to support such a case by expanding the view  
normally, but since the rewriter runs before the planner does  
inheritance expansion, it would take some very fundamental refactoring  
to make that possible.  There are probably a lot of other parts of the  
system that don't cope well with such a situation, too.  For now,  
just forbid it.  
  
Per bug #16856 from Yang Lin.  Back-patch to all supported branches.  
(In versions before v10, this includes back-patching the portion of  
commit 501ed02cf that added has_superclass().  Perhaps the lack of  
that infrastructure partially explains the missing check.)  
  
Discussion: https://postgr.es/m/16856-0363e05c6e1612fd@postgresql.org  

commit   : d9b4163c553eb8ae47034946c11efb04e9498f6f    
  
author   : Heikki Linnakangas <heikki.linnakangas@iki.fi>    
date     : Fri, 5 Feb 2021 11:14:56 +0200    
  
committer: Heikki Linnakangas <heikki.linnakangas@iki.fi>    
date     : Fri, 5 Feb 2021 11:14:56 +0200    

If a multi-byte character is escaped with a backslash in TEXT mode input,  
and the encoding is one of the client-only encodings where the bytes after  
the first one can have an ASCII byte "embedded" in the char, we didn't  
skip the character correctly. After a backslash, we only skipped the first  
byte of the next character, so if it was a multi-byte character, we would  
try to process its second byte as if it was a separate character. If it  
was one of the characters with special meaning, like '\n', '\r', or  
another '\\', that would cause trouble.  
  
One such exmple is the byte sequence '\x5ca45c2e666f6f' in Big5 encoding.  
That's supposed to be [backslash][two-byte character][.][f][o][o], but  
because the second byte of the two-byte character is 0x5c, we incorrectly  
treat it as another backslash. And because the next character is a dot, we  
parse it as end-of-copy marker, and throw an "end-of-copy marker corrupt"  
error.  
  
Backpatch to all supported versions.  
  
Reviewed-by: John Naylor, Kyotaro Horiguchi  
Discussion: https://www.postgresql.org/message-id/a897f84f-8dca-8798-3139-07da5bb38728%40iki.fi  

commit   : 1c3a877469a93ae2e753da026bd1b939d8cf7f11    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Wed, 3 Feb 2021 19:38:29 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Wed, 3 Feb 2021 19:38:29 -0500    

If a portal is used to run a prepared CALL or DO statement that  
contains a ROLLBACK, PortalRunMulti fails because the portal's  
statement list gets cleared by the rollback.  (Since the grammar  
doesn't allow CALL/DO in PREPARE, the only easy way to get to this is  
via extended query protocol, which treats all inputs as prepared  
statements.)  It's difficult to avoid resetting the portal early  
because of resource-management issues, so work around this by teaching  
PortalRunMulti to be wary of portal->stmts having suddenly become NIL.  
  
The crash has only been seen to occur in v13 and HEAD (as a  
consequence of commit 1cff1b95a having added an extra touch of  
portal->stmts).  But even before that, the code involved touching a  
List that the portal no longer has any claim on.  In the test case at  
hand, the List will still exist because of another refcount on the  
cached plan; but I'm far from convinced that it's impossible for the  
cached plan to have been dropped by the time control gets back to  
PortalRunMulti.  Hence, backpatch to v11 where nested transactions  
were added.  
  
Thomas Munro and Tom Lane, per bug #16811 from James Inform  
  
Discussion: https://postgr.es/m/16811-c1b599b2c6c2d622@postgresql.org  

commit   : 5fc5ff61ce4903ea2cc925691089de02969840c9    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Tue, 2 Feb 2021 13:49:08 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Tue, 2 Feb 2021 13:49:08 -0500    

The ExecutorEnd hook is invoked in a context that could be quite  
long-lived, not the executor's own per-query context as I think  
we were sort of assuming.  Thus, any cruft generated while producing  
the EXPLAIN output could accumulate over multiple queries.  This can  
result in spectacular leakage if log_nested_statements is on, and  
even without that I'm surprised nobody complained before.  
  
To fix, just switch into the executor's context so that anything we  
allocate will be released when standard_ExecutorEnd frees the executor  
state.  We might as well nuke the code's retail pfree of the explain  
output string, too; that's laughably inadequate to the need.  
  
Japin Li, per report from Jeff Janes.  This bug is old, so  
back-patch to all supported branches.  
  
Discussion: https://postgr.es/m/CAMkU=1wCVtbeRn0s9gt12KwQ7PLXovbpM8eg25SYocKW3BT4hg@mail.gmail.com  

commit   : d1ab4bf6ed2d5d5026e13af510d0d3b025fa6ac9    
  
author   : Noah Misch <noah@leadboat.com>    
date     : Sat, 30 Jan 2021 00:00:27 -0800    
  
committer: Noah Misch <noah@leadboat.com>    
date     : Sat, 30 Jan 2021 00:00:27 -0800    

In a cluster having used CREATE INDEX CONCURRENTLY while having enabled  
prepared transactions, queries that use the resulting index can silently  
fail to find rows.  Fix this for future CREATE INDEX CONCURRENTLY by  
making it wait for prepared transactions like it waits for ordinary  
transactions.  This expands the VirtualTransactionId structure domain to  
admit prepared transactions.  It may be necessary to reindex to recover  
from past occurrences.  Back-patch to 9.5 (all supported versions).  
  
Andrey Borodin, reviewed (in earlier versions) by Tom Lane and Michael  
Paquier.  
  
Discussion: https://postgr.es/m/2E712143-97F7-4890-B470-4A35142ABC82@yandex-team.ru  

commit   : 289ef386dff6662b1c1cf90d0666a3863bcf5ba8    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Thu, 28 Jan 2021 17:18:23 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Thu, 28 Jan 2021 17:18:23 -0500    

Per buildfarm and local experimentation, bleeding-edge gcc isn't  
convinced that the MemSet in reorder_function_arguments() is safe.  
Shut it up by adding an explicit check that pronargs isn't negative,  
and by changing MemSet to memset.  (It appears that either change is  
enough to quiet the warning at -O2, but let's do both to be sure.)  

commit   : 6f94531b0cf83b1401aca31c71412e633c566a63    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Thu, 28 Jan 2021 13:41:55 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Thu, 28 Jan 2021 13:41:55 -0500    

perform_pruning_combine_step() was not taught about the number of  
partition indexes used in hash partitioning; more embarrassingly,  
get_matching_hash_bounds() also had it wrong.  These errors are masked  
in the common case where all the partitions have the same modulus  
and no partition is missing.  However, with missing or unequal-size  
partitions, we could erroneously prune some partitions that need  
to be scanned, leading to silently wrong query answers.  
  
While a minimal-footprint fix for this could be to export  
get_partition_bound_num_indexes and make the incorrect functions use it,  
I'm of the opinion that that function should never have existed in the  
first place.  It's not reasonable data structure design that  
PartitionBoundInfoData lacks any explicit record of the length of  
its indexes[] array.  Perhaps that was all right when it could always  
be assumed equal to ndatums, but something should have been done about  
it as soon as that stopped being true.  Putting in an explicit  
"nindexes" field makes both partition_bounds_equal() and  
partition_bounds_copy() simpler, safer, and faster than before,  
and removes explicit knowledge of the number-of-partition-indexes  
rules from some other places too.  
  
This change also makes get_hash_partition_greatest_modulus obsolete.  
I left that in place in case any external code uses it, but no core  
code does anymore.  
  
Per bug #16840 from Michał Albrycht.  Back-patch to v11 where the  
hash partitioning code came in.  (In the back branches, add the new  
field at the end of PartitionBoundInfoData to minimize ABI risks.)  
  
Discussion: https://postgr.es/m/16840-571a22976f829ad4@postgresql.org  

commit   : ee62fcaf38944633cc6d30c3ba910aee196fb726    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Thu, 28 Jan 2021 11:17:13 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Thu, 28 Jan 2021 11:17:13 -0500    

We had "short *mdy" in the extern declarations, but "short mdy[3]"  
in the actual function definitions.  Per C99 these are equivalent,  
but recent versions of gcc have started to issue warnings about  
the inconsistency.  Clean it up before the warnings get any more  
widespread.  
  
Back-patch, in case anyone wants to build older PG versions with  
bleeding-edge compilers.  
  
Discussion: https://postgr.es/m/2401575.1611764534@sss.pgh.pa.us  

commit   : 3055e8d0f1e79ac6487c7421e70dd987aca4c4cf    
  
author   : Alvaro Herrera <alvherre@alvh.no-ip.org>    
date     : Thu, 28 Jan 2021 12:50:40 -0300    
  
committer: Alvaro Herrera <alvherre@alvh.no-ip.org>    
date     : Thu, 28 Jan 2021 12:50:40 -0300    

doConnect() never returns connections in state CONNECTION_BAD, so  
checking for that is pointless.  Remove the code that does.  
  
This code has been dead since ba708ea3dc84, 20 years ago.  
  
Discussion: https://postgr.es/m/20210126195224.GA20361@alvherre.pgsql  
Reviewed-by: Tom Lane <tgl@sss.pgh.pa.us>  

commit   : f7f2a28d4350daeeb60f72e97e463528da0f47a7    
  
author   : Andrew Gierth <rhodiumtoad@postgresql.org>    
date     : Thu, 28 Jan 2021 10:53:10 +0000    
  
committer: Andrew Gierth <rhodiumtoad@postgresql.org>    
date     : Thu, 28 Jan 2021 10:53:10 +0000    

When building aggregate expression steps, strict checks need a bailout  
jump for when a null value is encountered, so there is a list of steps  
that require later adjustment. Adding entries to that list for steps  
that aren't actually strict would be harmless, except that there is an  
Assert which catches them. This leads to spurious errors on asserts  
builds, for data sets that trigger parallel aggregation of an  
aggregate with a non-strict deserialization function (no such  
aggregates exist in the core system).  
  
Repair by not adding the adjustment entry when it's not needed.  
  
Backpatch back to 11 where the code was introduced.  
  
Per a report from Darafei (Komzpa) of the PostGIS project; analysis  
and patch by me.  
  
Discussion: https://postgr.es/m/87mty7peb3.fsf@news-spur.riddles.org.uk  

commit   : fdd405c63fff4e3d0215f1d41b1ef58361dc81dc    
  
author   : Alvaro Herrera <alvherre@alvh.no-ip.org>    
date     : Tue, 26 Jan 2021 16:42:13 -0300    
  
committer: Alvaro Herrera <alvherre@alvh.no-ip.org>    
date     : Tue, 26 Jan 2021 16:42:13 -0300    

When reporting connection errors, we might show a database name in the  
message that's not the one we actually tried to connect to, if the  
database was taken from libpq defaults instead of from user parameters.  
Fix such error messages to use PQdb(), which reports the correct name.  
  
(But, per commit 2930c05634bc, make sure not to try to print NULL.)  
  
Apply to branches 9.5 through 13.  Branch master has already been  
changed differently by commit 58cd8dca3de0.  
  
Reported-by: Robert Haas <robertmhaas@gmail.com>  
Discussion: https://postgr.es/m/CA+TgmobssJ6rS22dspWnu-oDxXevGmhMD8VcRBjmj-b9UDqRjw@mail.gmail.com  

commit   : 3fa7b9078f284f6e0f06befeaaf0499b0a096211    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Tue, 26 Jan 2021 13:04:52 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Tue, 26 Jan 2021 13:04:52 -0500    

The loops to identify word boundaries could access past the end of  
the input string.  Likely that would never result in an actual  
crash, but it makes valgrind unhappy.  
  
The logic to try different numbers of words didn't work when the  
input has two words but we only have a match to the first, eg  
"\h with select".  (We must "continue" the pass loop, not "break".)  
  
The logic to compute nl_count was bizarrely managed, and in at  
least two code paths could end up calling PageOutput with  
nl_count = 0, resulting in failing to paginate output that should  
have been fed to the pager.  Also, in v12 and up, the nl_count  
calculation hadn't been updated to account for the addition of a URL.  
  
The PQExpBuffer holding the command syntax details wasn't freed,  
resulting in a session-lifespan memory leak.  
  
While here, improve some comments, choose a more descriptive name  
for a variable, fix inconsistent datatype choice for another variable.  
  
Per bug #16837 from Alexander Lakhin.  This code is very old,  
so back-patch to all supported branches.  
  
Kyotaro Horiguchi and Tom Lane  
  
Discussion: https://postgr.es/m/16837-479bcd56040c71b3@postgresql.org  

commit   : b8894a3661d4951ebde539f918e98f0d84afacb7    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Mon, 25 Jan 2021 14:53:13 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Mon, 25 Jan 2021 14:53:13 -0500    

Embarrassing oversight in this test script, which fortunately is not  
run by default.  
  
Report and patch by Jacob Champion.  
  
Discussion: https://postgr.es/m/1fcb175bafef6560f47a8c31229fa7c938486b8d.camel@vmware.com  

commit   : a7cdd3f7124d234414ab0a9c6172ef38982b4256    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Mon, 25 Jan 2021 13:03:11 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Mon, 25 Jan 2021 13:03:11 -0500    

I chanced to notice that this dumped core due to a faulty Assert.  
To add insult to injury, the output has been misformatted since v11.  
Obviously we need some regression testing here.  
  
Discussion: https://postgr.es/m/d1cc628c-3953-4209-957b-29427acc38c8@www.fastmail.com  

commit   : 34eeebbb03037e60606e5f6748c46a789eecd308    
  
author   : David Rowley <drowley@postgresql.org>    
date     : Mon, 25 Jan 2021 19:54:02 +1300    
  
committer: David Rowley <drowley@postgresql.org>    
date     : Mon, 25 Jan 2021 19:54:02 +1300    

Both heapgettup() and heapgettup_pagemode() incorrectly set the first page  
to scan in a backward scan in which the number of pages to scan was  
specified by heap_setscanlimits().  The code incorrectly started the scan  
at the end of the relation when startBlk was 0, or otherwise at  
startBlk - 1, neither of which is correct when only scanning a subset of  
pages.  
  
The fix here checks if heap_setscanlimits() has changed the number of  
pages to scan and if so we set the first page to scan as the final page in  
the specified range during backward scans.  
  
Proper adjustment of this code was forgotten when heap_setscanlimits() was  
added in 7516f5259 back in 9.5.  However, practice, nowhere in core code  
performs backward scans after having used heap_setscanlimits(), yet, it is  
possible an extension uses the heap functions in this way, hence  
backpatch.  
  
An upcoming patch does use heap_setscanlimits() with backward scans, so  
this must be fixed before that can go in.  
  
Author: David Rowley  
Discussion: https://postgr.es/m/CAApHDvpGc9h0_oVD2CtgBcxCS1N-qDYZSeBRnUh+0CWJA9cMaA@mail.gmail.com  
Backpatch-through: 9.5, all supported versions  

commit   : c82c015b53223216203aa41991caedde6bbf7fc6    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Sun, 24 Jan 2021 16:29:47 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Sun, 24 Jan 2021 16:29:47 -0500    

DST law changes in Russia (Volgograd zone) and South Sudan.  
Historical corrections for Australia, Bahamas, Belize, Bermuda,  
Ghana, Israel, Kenya, Nigeria, Palestine, Seychelles, and Vanuatu.  
Notably, the Australia/Currie zone has been corrected to the point  
where it is identical to Australia/Hobart.  

commit   : baf9fc46ec0a9ed424c630ef58582c1a2906b934    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Fri, 22 Jan 2021 18:58:25 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Fri, 22 Jan 2021 18:58:25 -0500    

In light of recent discussions, we should instruct people to  
install Apple's command line tools; installing Xcode is secondary.  
  
Also, fix sample command for finding out the default sysroot,  
as we now know that the command originally recommended can give  
a result that doesn't match your OS version.  
  
Also document the workaround to use if you really don't want  
configure to select a sysroot at all.  
  
Discussion: https://postgr.es/m/20210119111625.20435-1-james.hilliard1@gmail.com  

commit   : a5f7b837f3478ffb0362156452b2ff07c86a47e3    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Fri, 22 Jan 2021 11:29:43 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Fri, 22 Jan 2021 11:29:43 -0500    

This text claimed that the reconnection would occur "to the same  
server", but there is no such guarantee in the code, nor would  
insisting on that be an improvement.  
  
Back-patch to v10 where multi-host connection strings were added.  
  
Discussion: https://postgr.es/m/1095901.1611268376@sss.pgh.pa.us  

commit   : cbcff1729ff27a7fb28d3339e448f90ca0a70dac    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Wed, 20 Jan 2021 12:07:23 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Wed, 20 Jan 2021 12:07:23 -0500    

It emerges that in some phases of the moon (perhaps to do with  
directory entry order?), xcrun will report that the SDK path is  
  /Library/Developer/CommandLineTools/SDKs/MacOSX.sdk  
which is normally a symlink to a version-numbered sibling directory.  
Our heuristic to skip non-version-numbered pathnames was rejecting  
that, which is the wrong thing to do.  We'd still like to end up  
with a version-numbered PG_SYSROOT value, but we can have that by  
dereferencing the symlink.  
  
Like the previous fix, back-patch to all supported versions.  
  
Discussion: https://postgr.es/m/522433.1611089678@sss.pgh.pa.us  

commit   : 6a97ca31288d0fceff10a6c2c8dd3293de7c845c    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Wed, 20 Jan 2021 11:49:29 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Wed, 20 Jan 2021 11:49:29 -0500    

By default VACUUM will skip pages that it can't immediately get  
exclusive access to, which means that even activities as harmless  
and unpredictable as checkpoint buffer writes might prevent a page  
from being processed.  Ordinarily this is no big deal, but we have  
a small number of test cases that examine the results of VACUUM's  
processing and therefore will fail if the page of interest is skipped.  
This seems to be the explanation for some rare buildfarm failures.  
To fix, add the DISABLE_PAGE_SKIPPING option to the VACUUM commands  
in tests where this could be an issue.  
  
In passing, remove a duplicated query in pageinspect/sql/page.sql.  
  
Back-patch as necessary (some of these cases are as old as v10).  
  
Discussion: https://postgr.es/m/413923.1611006484@sss.pgh.pa.us  

commit   : 1c3a4d44d84437b40e8311a0810d2a189e54e291    
  
author   : Michael Paquier <michael@paquier.xyz>    
date     : Wed, 20 Jan 2021 11:39:21 +0900    
  
committer: Michael Paquier <michael@paquier.xyz>    
date     : Wed, 20 Jan 2021 11:39:21 +0900    

Specifying duplicated objects in this command would lead to unique  
constraint violations in pg_default_acl or "tuple already updated by  
self" errors.  Similarly to GRANT/REVOKE, increment the command ID after  
each subcommand processing to allow this case to work transparently.  
  
A regression test is added by tweaking one of the existing queries of  
privileges.sql to stress this case.  
  
Reported-by: Andrus  
Author: Michael Paquier  
Reviewed-by: Álvaro Herrera  
Discussion: https://postgr.es/m/ae2a7dc1-9d71-8cba-3bb9-e4cb7eb1f44e@hot.ee  
Backpatch-through: 9.5  

commit   : 794562d0770ae0ba4096c57c116e80a2be043fbf    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Tue, 19 Jan 2021 13:25:33 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Tue, 19 Jan 2021 13:25:33 -0500    

Somebody extended search_plan_tree() to treat MergeAppend exactly  
like Append, which is 100% wrong, because unlike Append we can't  
assume that only one input node is actively returning tuples.  
Hence a cursor using a MergeAppend across a UNION ALL or inheritance  
tree could falsely match a WHERE CURRENT OF query at a row that  
isn't actually the cursor's current output row, but coincidentally  
has the same TID (in a different table) as the current output row.  
  
Delete the faulty code; this means that such a case will now return  
an error like 'cursor "foo" is not a simply updatable scan of table  
"bar"', instead of silently misbehaving.  Users should not find that  
surprising though, as the same cursor query could have failed that way  
already depending on the chosen plan.  (It would fail like that if the  
sort were done with an explicit Sort node instead of MergeAppend.)  
  
Expand the clearly-inadequate commentary to be more explicit about  
what this code is doing, in hopes of forestalling future mistakes.  
  
It's been like this for awhile, so back-patch to all supported  
branches.  
  
Discussion: https://postgr.es/m/482865.1611075182@sss.pgh.pa.us  

commit   : 777bf92e33515bb6be2f73b6df4096496385bf55    
  
author   : Bruce Momjian <bruce@momjian.us>    
date     : Mon, 18 Jan 2021 18:48:25 -0500    
  
committer: Bruce Momjian <bruce@momjian.us>    
date     : Mon, 18 Jan 2021 18:48:25 -0500    

Backpatch-through: 10  

commit   : de622e677cfd3b547a47db2ae1957798bb8df480    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Mon, 18 Jan 2021 18:32:30 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Mon, 18 Jan 2021 18:32:30 -0500    

execCurrent.c's search_plan_tree() assumed that ForeignScanStates  
and CustomScanStates necessarily have a valid ss_currentRelation.  
This is demonstrably untrue for postgres_fdw's remote join and  
remote aggregation plans, and non-leaf custom scans might not have  
an identifiable scan relation either.  Avoid crashing by ignoring  
such nodes when the field is null.  
  
This solution will lead to errors like 'cursor "foo" is not a  
simply updatable scan of table "bar"' in cases where maybe we  
could have allowed WHERE CURRENT OF to work.  That's not an issue  
for postgres_fdw's usages, since joins or aggregations would render  
WHERE CURRENT OF invalid anyway.  But an otherwise-transparent  
upper level custom scan node might find this annoying.  When and if  
someone cares to expend work on such a scenario, we could invent a  
custom-scan-provider callback to determine what's safe.  
  
Report and patch by David Geier, commentary by me.  It's been like  
this for awhile, so back-patch to all supported branches.  
  
Discussion: https://postgr.es/m/0253344d-9bdd-11c4-7f0d-d88c02cd7991@swarm64.com  

commit   : c6ff165f99a7ecc4420b513ab7ea3c2dd72927a3    
  
author   : Noah Misch <noah@leadboat.com>    
date     : Sat, 16 Jan 2021 12:21:35 -0800    
  
committer: Noah Misch <noah@leadboat.com>    
date     : Sat, 16 Jan 2021 12:21:35 -0800    

The context is an object that no longer bears some aclitem that it bore  
initially.  (A user issued REVOKE or GRANT statements upon the object.)  
pg_dump is forming SQL to reproduce the object ACL.  Since initdb  
creates no ACL bearing GRANT OPTION, reaching this bug requires an  
extension where the creation script establishes such an ACL.  No PGXN  
extension does that.  If an installation did reach the bug, pg_dump  
would have omitted a semicolon, causing a REVOKE and the next SQL  
statement to fail.  Separately, since the affected code exists to  
eliminate an entire aclitem, it wants plain REVOKE, not REVOKE GRANT  
OPTION FOR.  Back-patch to 9.6, where commit  
23f34fa4ba358671adab16773e79c17c92cbc870 first appeared.  
  
Discussion: https://postgr.es/m/20210109102423.GA160022@rfd.leadboat.com  

commit   : 677f6cb1d9875e9d4bbc7d3acde39b52bcbfdf11    
  
author   : Noah Misch <noah@leadboat.com>    
date     : Sat, 16 Jan 2021 12:21:35 -0800    
  
committer: Noah Misch <noah@leadboat.com>    
date     : Sat, 16 Jan 2021 12:21:35 -0800    

Every core SLRU wraps around.  With the exception of pg_notify, the wrap  
point can fall in the middle of a page.  Account for this in the  
PagePrecedes callback specification and in SimpleLruTruncate()'s use of  
said callback.  Update each callback implementation to fit the new  
specification.  This changes SerialPagePrecedesLogically() from the  
style of asyncQueuePagePrecedes() to the style of CLOGPagePrecedes().  
(Whereas pg_clog and pg_serial share a key space, pg_serial is nothing  
like pg_notify.)  The bug fixed here has the same symptoms and user  
followup steps as 592a589a04bd456410b853d86bd05faa9432cbbb.  Back-patch  
to 9.5 (all supported versions).  
  
Reviewed by Andrey Borodin and (in earlier versions) by Tom Lane.  
  
Discussion: https://postgr.es/m/20190202083822.GC32531@gust.leadboat.com  

commit   : f52db969440bbbf6c9c46c9c98c1eb7a5619354f    
  
author   : Tomas Vondra <tomas.vondra@postgresql.org>    
date     : Fri, 15 Jan 2021 23:24:19 +0100    
  
committer: Tomas Vondra <tomas.vondra@postgresql.org>    
date     : Fri, 15 Jan 2021 23:24:19 +0100    

Add a check that CREATE STATISTICS does not add extended statistics on  
system catalogs, similarly to indexes etc.  It can be overriden using  
the allow_system_table_mods GUC.  
  
This bug exists since 7b504eb282c, adding the extended statistics, so  
backpatch all the way back to PostgreSQL 10.  
  
Author: Tomas Vondra  
Reported-by: Dean Rasheed  
Backpatch-through: 10  
Discussion: https://postgr.es/m/CAEZATCXAPrrOKwEsyZKQ4uzzJQWBCt6QAvOcgqRGdWwT1zb%2BrQ%40mail.gmail.com  

commit   : 046c8facecee083c34246fd2d6b06ba2769ff0b2    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Fri, 15 Jan 2021 11:28:51 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Fri, 15 Jan 2021 11:28:51 -0500    

In cases where Xcode is newer than the underlying macOS version,  
asking xcodebuild for the SDK path will produce a pointer to the  
SDK shipped with Xcode, which may end up building code that does  
not work on the underlying macOS version.  It appears that in  
such cases, xcodebuild's answer also fails to match the default  
behavior of Apple's compiler: assuming one has installed Xcode's  
"command line tools", there will be an SDK for the OS's own version  
in /Library/Developer/CommandLineTools, and the compiler will  
default to using that.  This is all pretty poorly documented,  
but experimentation suggests that "xcrun --show-sdk-path" gives  
the sysroot path that the compiler is actually using, at least  
in some cases.  Hence, try that first, but revert to xcodebuild  
if xcrun fails (in very old Xcode, it is missing or lacks the  
--show-sdk-path switch).  
  
Also, "xcrun --show-sdk-path" may give a path that is valid but lacks  
any OS version identifier.  We don't really want that, since most  
of the motivation for wiring -isysroot into the build flags at all  
is to ensure that all parts of a PG installation are built against  
the same SDK, even when considering extensions built later and/or on  
a different machine.  Insist on finding "N.N" in the directory name  
before accepting the result.  (Adding "--sdk macosx" to the xcrun  
call seems to produce the same answer as xcodebuild, but usually  
more quickly because it's cached, so we also try that as a fallback.)  
  
The core reason why we don't want to use Xcode's default SDK in cases  
like this is that Apple's technology for introducing new syscalls  
does not play nice with Autoconf: for example, configure will think  
that preadv/pwritev exist when using a Big Sur SDK, even when building  
on an older macOS version where they don't exist.  It'd be nice to  
have a better solution to that problem, but this patch doesn't attempt  
to fix that.  
  
Per report from Sergey Shinderuk.  Back-patch to all supported versions.  
  
Discussion: https://postgr.es/m/ed3b8e5d-0da8-6ebd-fd1c-e0ac80a4b204@postgrespro.ru  

commit   : 97b025ebe6733c69a1569fd662391ad58d0616a6    
  
author   : Fujii Masao <fujii@postgresql.org>    
date     : Fri, 15 Jan 2021 12:44:17 +0900    
  
committer: Fujii Masao <fujii@postgresql.org>    
date     : Fri, 15 Jan 2021 12:44:17 +0900    

Commit ac883ac453 refactored shm_toc_estimate() but changed its calculation  
of shared memory size for TOC incorrectly. Previously this could cause too  
large memory to be allocated.  
  
Back-patch to v11 where the bug was introduced.  
  
Author: Takayuki Tsunakawa  
Discussion: https://postgr.es/m/TYAPR01MB2990BFB73170E2C4921E2C4DFEA80@TYAPR01MB2990.jpnprd01.prod.outlook.com  

commit   : bb12a7f429ca1b10aebc469d9379837fa3d09220    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Thu, 14 Jan 2021 16:19:38 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Thu, 14 Jan 2021 16:19:38 -0500    

This is the same fix as commit 9eabfe300 applied to INDEX ATTACH  
entries, but for table-to-publication attachments.  As in that  
case, even though the backend doesn't record "ownership" of the  
attachment, we still ought to label it in the dump archive with  
the role name that should run the ALTER PUBLICATION command.  
The existing behavior causes the ALTER to be done by the original  
role that started the restore; that will usually work fine, but  
there may be corner cases where it fails.  
  
The bulk of the patch is concerned with changing struct  
PublicationRelInfo to include a pointer to the associated  
PublicationInfo object, so that we can get the owner's name  
out of that when the time comes.  While at it, I rewrote  
getPublicationTables() to do just one query of pg_publication_rel,  
not one per table.  
  
Back-patch to v10 where this code was introduced.  
  
Discussion: https://postgr.es/m/1165710.1610473242@sss.pgh.pa.us  

commit   : c442b32c2e6de06e8e2c9a6b98612145ac87f0ff    
  
author   : Alvaro Herrera <alvherre@alvh.no-ip.org>    
date     : Thu, 14 Jan 2021 15:32:14 -0300    
  
committer: Alvaro Herrera <alvherre@alvh.no-ip.org>    
date     : Thu, 14 Jan 2021 15:32:14 -0300    

When a tablespace is used in a partitioned relation (per commits  
ca4103025dfe in pg12 for tables and 33e6c34c3267 in pg11 for indexes),  
it is possible to drop the tablespace, potentially causing various  
problems.  One such was reported in bug #16577, where a rewriting ALTER  
TABLE causes a server crash.  
  
Protect against this by using pg_shdepend to keep track of tablespaces  
when used for relations that don't keep physical files; we now abort a  
tablespace if we see that the tablespace is referenced from any  
partitioned relations.  
  
Backpatch this to 11, where this problem has been latent all along.  We  
don't try to create pg_shdepend entries for existing partitioned  
indexes/tables, but any ones that are modified going forward will be  
protected.  
  
Note slight behavior change: when trying to drop a tablespace that  
contains both regular tables as well as partitioned ones, you'd  
previously get ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE and now you'll  
get ERRCODE_DEPENDENT_OBJECTS_STILL_EXIST.  Arguably, the latter is more  
correct.  
  
It is possible to add protecting pg_shdepend entries for existing  
tables/indexes, by doing  
  ALTER TABLE ONLY some_partitioned_table SET TABLESPACE pg_default;  
  ALTER TABLE ONLY some_partitioned_table SET TABLESPACE original_tablespace;  
for each partitioned table/index that is not in the database default  
tablespace.  Because these partitioned objects do not have storage, no  
file needs to be actually moved, so it shouldn't take more time than  
what's required to acquire locks.  
  
This query can be used to search for such relations:  
SELECT ... FROM pg_class WHERE relkind IN ('p', 'I') AND reltablespace <> 0  
  
Reported-by: Alexander Lakhin <exclusion@gmail.com>  
Discussion: https://postgr.es/m/16577-881633a9f9894fd5@postgresql.org  
Author: Álvaro Herrera <alvherre@alvh.no-ip.org>  
Reviewed-by: Michael Paquier <michael@paquier.xyz>  

commit   : d8bb22ab3c9982aeb2b7cb1df964c9fec56fde39    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Wed, 13 Jan 2021 14:52:49 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Wed, 13 Jan 2021 14:52:49 -0500    

The point of this restriction is to avoid trying to substitute variables  
into timestamp literal values, which may contain strings like '12:34'.  
  
There is a good deal more that should be done to reduce pgbench's  
tendency to substitute where it shouldn't.  But this is sufficient to  
solve the case complained of by Jaime Soler, and it's simple enough  
to back-patch.  
  
Back-patch to v11; before commit 9d36a3866, pgbench had a slightly  
different definition of what a variable name is, and anyway it seems  
unwise to change long-stable branches for this.  
  
Fabien Coelho  
  
Discussion: https://postgr.es/m/alpine.DEB.2.22.394.2006291740420.805678@pseudo  

commit   : bcdff449145aaf210e48da988a453e78fa55f88f    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Wed, 13 Jan 2021 13:30:04 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Wed, 13 Jan 2021 13:30:04 -0500    

Options that change how the archive data is converted to SQL text  
are ignored when dumping to archive formats.  The documentation  
previously said "not meaningful", which is not helpful.  
  
Discussion: https://postgr.es/m/161052021249.12228.9598689907884726185@wrigleys.postgresql.org  

commit   : 7adc408f4b64db1c9244dc48d40b87ba8be9df9a    
  
author   : Amit Kapila <akapila@postgresql.org>    
date     : Wed, 13 Jan 2021 08:31:45 +0530    
  
committer: Amit Kapila <akapila@postgresql.org>    
date     : Wed, 13 Jan 2021 08:31:45 +0530    

The memory for the snapshot was leaked while serializing it to disk during  
logical decoding. This memory will be freed only once walsender stops  
streaming the changes. This can lead to a huge memory increase when master  
logs Standby Snapshot too frequently say when the user is trying to create  
many replication slots.  
  
Reported-by: funnyxj.fxj@alibaba-inc.com  
Diagnosed-by: funnyxj.fxj@alibaba-inc.com  
Author: Amit Kapila  
Backpatch-through: 9.5  
Discussion: https://postgr.es/m/033ab54c-6393-42ee-8ec9-2b399b5d8cde.funnyxj.fxj@alibaba-inc.com  

commit   : 9f15188a1b822fafa59ca2b022a876fde0a175b8    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Tue, 12 Jan 2021 13:37:38 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Tue, 12 Jan 2021 13:37:38 -0500    

Although a partitioned index's attachment to its parent doesn't  
have separate ownership, the ArchiveEntry for it needs to be  
marked with an owner anyway, to ensure that the ALTER command  
is run by the appropriate role when restoring with  
--use-set-session-authorization.  Without this, the ALTER will  
be run by the role that started the restore session, which will  
usually work but it's formally the wrong thing.  
  
Back-patch to v11 where this type of ArchiveEntry was added.  
In HEAD, add equivalent commentary to the just-added TABLE ATTACH  
case, which I'd made do the right thing already.  
  
Discussion: https://postgr.es/m/1094034.1610418498@sss.pgh.pa.us  

commit   : 57404fe9e1e1b34bec2945bb9d1992995cd75439    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Tue, 12 Jan 2021 12:52:14 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Tue, 12 Jan 2021 12:52:14 -0500    

Adding a table to a publication requires ownership of the table  
(in addition to ownership of the publication).  This was mentioned  
nowhere.  

commit   : ce501627ceb42322ebcebaef24ce3a72e593b724    
  
author   : Alvaro Herrera <alvherre@alvh.no-ip.org>    
date     : Tue, 12 Jan 2021 11:48:45 -0300    
  
committer: Alvaro Herrera <alvherre@alvh.no-ip.org>    
date     : Tue, 12 Jan 2021 11:48:45 -0300    

This comment has been wrong since its introduction in commit  
2c03216d8311.  
  
Author: Masahiko Sawada <sawada.mshk@gmail.com>  
Discussion: https://postgr.es/m/CAD21AoAzz6qipFJBbGEaHmyWxvvNDp8httbwLR9tUQWaTjUs2Q@mail.gmail.com  

commit   : 21c9decc6b0e825b8327b51d35333b8b2694dd6d    
  
author   : Bruce Momjian <bruce@momjian.us>    
date     : Sat, 9 Jan 2021 12:11:15 -0500    
  
committer: Bruce Momjian <bruce@momjian.us>    
date     : Sat, 9 Jan 2021 12:11:15 -0500    

The previous description of how the executor processes non-SELECT  
queries was very dense, causing lack of clarity.  This expanded text  
spells it out more simply.  
  
Reported-by: fotis.koutoupas@gmail.com  
  
Discussion: https://postgr.es/m/160912275508.676.17469511338925622905@wrigleys.postgresql.org  
  
Backpatch-through: 9.5  

commit   : 769908811b8b7ea7a087d5a016b9e94042f89481    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Fri, 8 Jan 2021 12:16:00 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Fri, 8 Jan 2021 12:16:00 -0500    

brenext(), when parsing a '*' quantifier, forgot to return any "value"  
for the token; per the equivalent case in next(), it should return  
value 1 to indicate that greedy rather than non-greedy behavior is  
wanted.  The result is that the compiled regexp could behave like 'x*?'  
rather than the intended 'x*', if we were unlucky enough to have  
a zero in v->nextvalue at this point.  That seems to happen with some  
reliability if we have '.*' at the beginning of a BRE-mode regexp,  
although that depends on the initial contents of a stack-allocated  
struct, so it's not guaranteed to fail.  
  
Found by Alexander Lakhin using valgrind testing.  This bug seems  
to be aboriginal in Spencer's code, so back-patch all the way.  
  
Discussion: https://postgr.es/m/16814-6c5e3edd2bdf0d50@postgresql.org  

commit   : c67fea09da25463b6f6fc73fa2676ffd53e9a8e5    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Thu, 7 Jan 2021 20:36:09 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Thu, 7 Jan 2021 20:36:09 -0500    

We found last February that the error-case tests added by commit  
008cf0409 failed on OpenBSD, because that platform doesn't really  
check locale names.  At the time it seemed that that was only an issue  
for LC_CTYPE, but testing on a more recent version of OpenBSD shows  
that it's now equally lax about LC_COLLATE.  
  
Rather than dropping the LC_COLLATE test too, put back LC_CTYPE  
(reverting c4b0edb07), and adjust these tests to accept the different  
error message that we get if setlocale() doesn't reject a bogus locale  
name.  The point of these tests is not really what the backend does  
with the locale name, but to show that createdb quotes funny locale  
names safely; so we're not losing test reliability this way.  
  
Back-patch as appropriate.  
  
Discussion: https://postgr.es/m/231373.1610058324@sss.pgh.pa.us  

commit   : a112efa6a015cc3e0e752e36ece4ed10ede1d714    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Thu, 7 Jan 2021 11:45:09 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Thu, 7 Jan 2021 11:45:09 -0500    

On reflection, the order of operations in PostgresMain() is wrong.  
These timeouts ought to be shut down before, not after, we do the  
post-command-read CHECK_FOR_INTERRUPTS, to guarantee that any  
timeout error will be detected there rather than at some ill-defined  
later point (possibly after having wasted a lot of work).  
  
This is really an error in the original idle_in_transaction_timeout  
patch, so back-patch to 9.6 where that was introduced.  

commit   : a46f32e3bf9d986d3c870696a417157c7ba47dae    
  
author   : Michael Paquier <michael@paquier.xyz>    
date     : Thu, 7 Jan 2021 20:50:44 +0900    
  
committer: Michael Paquier <michael@paquier.xyz>    
date     : Thu, 7 Jan 2021 20:50:44 +0900    

The documentation of pg_rewind mentioned the use of restore_command and  
primary_conninfo as options available at startup to fetch missing WAL  
segments that could be used to find the point of divergence for the  
rewind.  This is confusing because when finding the point of divergence  
the target cluster is offline, so this option is not available.  
  
Issue introduced by 878bd9a, so backpatch down to 9.6.  The  
documentation of 13 and HEAD was already right as this sentence has been  
changed by a7e8ece when introducing -c/--restore-target-wal.  
  
Reported-by: Amine Tengilimoglu  
Discussion: https://postgr.es/m/CADTdw-w_0MP=iQrfizeU4QU5fcZb+w8P_oPeLL+WznWf0kbn3w@mail.gmail.com  
Backpatch-through: 9.6  

commit   : e83771880402f9b2b0feefa10ae842ad8ef82b03    
  
author   : Fujii Masao <fujii@postgresql.org>    
date     : Wed, 6 Jan 2021 12:31:55 +0900    
  
committer: Fujii Masao <fujii@postgresql.org>    
date     : Wed, 6 Jan 2021 12:31:55 +0900    

The deadlocks that the recovery conflict on lock is involved in can  
happen between hot-standby backends and the startup process.  
If a backend takes an access exclusive lock on the table and which  
finally triggers the deadlock, that deadlock can be detected  
as expected. On the other hand, previously, if the startup process  
took an access exclusive lock and which finally triggered the deadlock,  
that deadlock could not be detected and could remain even after  
deadlock_timeout passed. This is a bug.  
  
The cause of this bug was that the code for handling the recovery  
conflict on lock didn't take care of deadlock case at all. It assumed  
that deadlocks involving the startup process and backends were able  
to be detected by the deadlock detector invoked within backends.  
But this assumption was incorrect. The startup process also should  
have invoked the deadlock detector if necessary.  
  
To fix this bug, this commit makes the startup process invoke  
the deadlock detector if deadlock_timeout is reached while handling  
the recovery conflict on lock. Specifically, in that case, the startup  
process requests all the backends holding the conflicting locks to  
check themselves for deadlocks.  
  
Back-patch to v9.6. v9.5 has also this bug, but per discussion we decided  
not to back-patch the fix to v9.5. Because v9.5 doesn't have some  
infrastructure codes (e.g., 37c54863cf) that this bug fix patch depends on.  
We can apply those codes for the back-patch, but since the next minor  
version release is the final one for v9.5, it's risky to do that. If we  
unexpectedly introduce new bug to v9.5 by the back-patch, there is no  
chance to fix that. We determined that the back-patch to v9.5 would give  
more risk than gain.  
  
Author: Fujii Masao  
Reviewed-by: Bertrand Drouvot, Masahiko Sawada, Kyotaro Horiguchi  
Discussion: https://postgr.es/m/4041d6b6-cf24-a120-36fa-1294220f8243@oss.nttdata.com  

commit   : 636d5ee26fb49c72412d22ab7a2516815e568a8f    
  
author   : Bruce Momjian <bruce@momjian.us>    
date     : Tue, 5 Jan 2021 14:26:37 -0500    
  
committer: Bruce Momjian <bruce@momjian.us>    
date     : Tue, 5 Jan 2021 14:26:37 -0500    

Reported-by: "Tang, Haiying"  
  
Discussion: https://postgr.es/m/bbbccf7a3c2d436e85d45869d612fd6b@G08CNEXMBPEKD05.g08.fujitsu.local  
  
Author: "Tang, Haiying"  
  
Backpatch-through: 9.5  

commit   : ab042d0108232d4b8b6a2b104a466a4bb2f6b9f1    
  
author   : Dean Rasheed <dean.a.rasheed@gmail.com>    
date     : Tue, 5 Jan 2021 11:48:45 +0000    
  
committer: Dean Rasheed <dean.a.rasheed@gmail.com>    
date     : Tue, 5 Jan 2021 11:48:45 +0000    

Commit bc43b7c2c0 used fabs() directly on an int variable, which  
apparently requires an explicit cast on some platforms.  
  
Per buildfarm.  

commit   : 160a9e425f18b248c87130fec9f04b77dceb60a3    
  
author   : Dean Rasheed <dean.a.rasheed@gmail.com>    
date     : Tue, 5 Jan 2021 11:05:58 +0000    
  
committer: Dean Rasheed <dean.a.rasheed@gmail.com>    
date     : Tue, 5 Jan 2021 11:05:58 +0000    

In power_var_int(), the computation of the number of significant  
digits to use in the computation used log(Abs(exp)), which isn't safe  
because Abs(exp) returns INT_MIN when exp is INT_MIN. Use fabs()  
instead of Abs(), so that the exponent is cast to a double before the  
absolute value is taken.  
  
Back-patch to 9.6, where this was introduced (by 7d9a4737c2).  
  
Discussion: https://postgr.es/m/CAEZATCVd6pMkz=BrZEgBKyqqJrt2xghr=fNc8+Z=5xC6cgWrWA@mail.gmail.com  

commit   : 50a420bee0c28595974a07a0f2175d677fb6a642    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Mon, 4 Jan 2021 18:32:40 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Mon, 4 Jan 2021 18:32:40 -0500    

If the substring start index and length overflow when added together,  
substring() misbehaved, either throwing a bogus "negative substring  
length" error on a case that should succeed, or failing to complain that  
a negative length is negative (and instead returning the whole string,  
in most cases).  Unsurprisingly, the text, bytea, and bit variants of  
the function all had this issue.  Rearrange the logic to ensure that  
negative lengths are always rejected, and add an overflow check to  
handle the other case.  
  
Also install similar guards into detoast_attr_slice() (nee  
heap_tuple_untoast_attr_slice()), since it's far from clear that  
no other code paths leading to that function could pass it values  
that would overflow.  
  
Patch by myself and Pavel Stehule, per bug #16804 from Rafi Shamim.  
  
Back-patch to v11.  While these bugs are old, the common/int.h  
infrastructure for overflow-detecting arithmetic didn't exist before  
commit 4d6ad3125, and it doesn't seem like these misbehaviors are bad  
enough to justify developing a standalone fix for the older branches.  
  
Discussion: https://postgr.es/m/16804-f4eeeb6c11ba71d4@postgresql.org  

commit   : f6704ac83e49b94a66fd7393cb19915447a5ad24    
  
author   : Bruce Momjian <bruce@momjian.us>    
date     : Sat, 2 Jan 2021 13:06:24 -0500    
  
committer: Bruce Momjian <bruce@momjian.us>    
date     : Sat, 2 Jan 2021 13:06:24 -0500    

Backpatch-through: 9.5  

commit   : ae58189540bdf8bace05925d3f3e94da7a1fc5a0    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Fri, 1 Jan 2021 15:51:09 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Fri, 1 Jan 2021 15:51:09 -0500    

Try to be clearer about what computation is actually happening here.  
  
Per bug #16797 from Dana Burd.  
  
Discussion: https://postgr.es/m/16797-f264b0b980b53b8b@postgresql.org  

commit   : abb208bfa5f7f41d58aba11ddedc6ca469db23b3    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Wed, 30 Dec 2020 17:48:43 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Wed, 30 Dec 2020 17:48:43 -0500    

The behavior of cross-type comparisons among date/time data types was  
not really explained anywhere.  You could probably infer it if you  
recognized the applicability of comments elsewhere about datatype  
conversions, but it seems worthy of explicit documentation.  
  
Per bug #16797 from Dana Burd.  
  
Discussion: https://postgr.es/m/16797-f264b0b980b53b8b@postgresql.org  

commit   : 5c3444e31384def202c1e2b9333fcc823b8d36a7    
  
author   : Noah Misch <noah@leadboat.com>    
date     : Wed, 30 Dec 2020 01:43:43 -0800    
  
committer: Noah Misch <noah@leadboat.com>    
date     : Wed, 30 Dec 2020 01:43:43 -0800    

This suffices for testing v12 -> v13; some other version pairs need more  
changes.  Back-patch to v10, which removed the function.  

commit   : e06713ab6eaca9e74f405de1195a9c020f886dd9    
  
author   : Michael Paquier <michael@paquier.xyz>    
date     : Tue, 29 Dec 2020 18:19:15 +0900    
  
committer: Michael Paquier <michael@paquier.xyz>    
date     : Tue, 29 Dec 2020 18:19:15 +0900    

90fbf7c has taken care of that for HEAD.  This includes the portion of  
the fixes that applies to the documentation, where needed depending on  
the branch.  
  
Author: Justin Pryzby  
Discussion: https://postgr.es/m/20201227202604.GC26311@telsasoft.com  
Backpatch-through: 9.5  

commit   : 7966b41ded75c9c5f19b827d6d36f9408ca121a2    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Mon, 28 Dec 2020 11:55:23 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Mon, 28 Dec 2020 11:55:23 -0500    

There's a second call of get_eval_mcontext() that should also be  
get_stmt_mcontext().  This is actually dead code, since no  
interesting allocations happen before switching back to the  
original context, but we should keep it in sync with the other  
call to forestall possible future bugs.  
  
Discussion: https://postgr.es/m/f075f7be-c654-9aa8-3ffc-e9214622f02a@enterprisedb.com  

commit   : 2e15f48d97271ce4ee6707f172494a1ebd0bc8e2    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Mon, 28 Dec 2020 11:41:25 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Mon, 28 Dec 2020 11:41:25 -0500    

Commit a6b1f5365 intended to place the transient "target" list of  
a CALL statement in the function's statement-lifespan context,  
but I fat-fingered that and used get_eval_mcontext() instead of  
get_stmt_mcontext().  The eval_mcontext belongs to the "simple  
expression" infrastructure, which is destroyed at transaction end.  
The net effect is that a CALL in a procedure to another procedure  
that has OUT or INOUT parameters would fail if the called procedure  
did a COMMIT.  
  
Per report from Peter Eisentraut.  Back-patch to v11, like the  
prior patch.  
  
Discussion: https://postgr.es/m/f075f7be-c654-9aa8-3ffc-e9214622f02a@enterprisedb.com  

commit   : 6819380dd2655f1790d760b13a81f3d27dbe685a    
  
author   : Michael Paquier <michael@paquier.xyz>    
date     : Mon, 28 Dec 2020 22:17:06 +0900    
  
committer: Michael Paquier <michael@paquier.xyz>    
date     : Mon, 28 Dec 2020 22:17:06 +0900    

The code in charge of processing a single invalidation message has been  
using since 568d413 the structure for relation mapping messages.  This  
had fortunately no consequence as both locate the database ID at the  
same location, but it could become a problem in the future if this area  
of the code changes.  
  
Author: Konstantin Knizhnik  
Discussion: https://postgr.es/m/8044c223-4d3a-2cdb-42bf-29940840ce94@postgrespro.ru  
Backpatch-through: 9.5  

commit   : 294cdd7d0fffbaadf0f35202a30aab2863e6106a    
  
author   : Fujii Masao <fujii@postgresql.org>    
date     : Mon, 28 Dec 2020 19:59:00 +0900    
  
committer: Fujii Masao <fujii@postgresql.org>    
date     : Mon, 28 Dec 2020 19:59:00 +0900    

In postgres_fdw, the cached connections to foreign servers will not be  
closed until the local session exits if the user mappings or foreign servers  
that those connections depend on are dropped. Those connections can be  
leaked.  
  
To fix that connection leak issue, after a change to a pg_foreign_server  
or pg_user_mapping catalog entry, this commit makes postgres_fdw close  
the connections depending on that entry immediately if current  
transaction has not used those connections yet. Otherwise, mark those  
connections as invalid and then close them at the end of current transaction,  
since they cannot be closed in the midst of the transaction using them.  
Closed connections will be remade at the next opportunity if necessary.  
  
Back-patch to all supported branches.  
  
Author: Bharath Rupireddy  
Reviewed-by: Zhihong Yu, Zhijie Hou, Fujii Masao  
Discussion: https://postgr.es/m/CALj2ACVNcGH_6qLY-4_tXz8JLvA+4yeBThRfxMz7Oxbk1aHcpQ@mail.gmail.com  

commit   : e83e8509b0c83813e7c70fb121cbf67c343a4dbd    
  
author   : Noah Misch <noah@leadboat.com>    
date     : Fri, 25 Dec 2020 10:41:59 -0800    
  
committer: Noah Misch <noah@leadboat.com>    
date     : Fri, 25 Dec 2020 10:41:59 -0800    

This makes existing sessions reflect "ALTER ROLE ... [NO]INHERIT" as  
quickly as they have been reflecting "GRANT role_name".  Back-patch to  
9.5 (all supported versions).  
  
Reviewed by Nathan Bossart.  
  
Discussion: https://postgr.es/m/20201221095028.GB3777719@rfd.leadboat.com  

commit   : b99b6b9d6cac6d45e8652a3f15f0823ab91d51d1    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Thu, 24 Dec 2020 17:00:43 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Thu, 24 Dec 2020 17:00:43 -0500    

If a database shutdown (smart or fast) is commanded between the time  
some process decides to request a new background worker and the time  
that the postmaster can launch that worker, then nothing happens  
because the postmaster won't launch any bgworkers once it's exited  
PM_RUN state.  This is fine ... unless the requesting process is  
waiting for that worker to finish (or even for it to start); in that  
case the requestor is stuck, and only manual intervention will get us  
to the point of being able to shut down.  
  
To fix, cancel pending requests for workers when the postmaster sends  
shutdown (SIGTERM) signals, and similarly cancel any new requests that  
arrive after that point.  (We can optimize things slightly by only  
doing the cancellation for workers that have waiters.)  To fit within  
the existing bgworker APIs, the "cancel" is made to look like the  
worker was started and immediately stopped, causing deregistration of  
the bgworker entry.  Waiting processes would have to deal with  
premature worker exit anyway, so this should introduce no bugs that  
weren't there before.  We do have a side effect that registration  
records for restartable bgworkers might disappear when theoretically  
they should have remained in place; but since we're shutting down,  
that shouldn't matter.  
  
Back-patch to v10.  There might be value in putting this into 9.6  
as well, but the management of bgworkers is a bit different there  
(notably see 8ff518699) and I'm not convinced it's worth the effort  
to validate the patch for that branch.  
  
Discussion: https://postgr.es/m/661570.1608673226@sss.pgh.pa.us  

commit   : 0eaaeabed7c5798260c2ca20c711527acd4f0ce2    
  
author   : Bruce Momjian <bruce@momjian.us>    
date     : Wed, 23 Dec 2020 09:37:37 -0500    
  
committer: Bruce Momjian <bruce@momjian.us>    
date     : Wed, 23 Dec 2020 09:37:37 -0500    

This was missed when the feature was added.  
  
Reported-by: Daniel Westermann  
  
Discussion: https://postgr.es/m/160624532969.25818.4767632047905006142@wrigleys.postgresql.org  
  
Backpatch-through: 11  

commit   : 35ad5c7c7eed04e0cc5ea0e59defd5e929e5debc    
  
author   : Michael Paquier <michael@paquier.xyz>    
date     : Wed, 23 Dec 2020 12:51:42 +0900    
  
committer: Michael Paquier <michael@paquier.xyz>    
date     : Wed, 23 Dec 2020 12:51:42 +0900    

The parsing of this parameter has been using strtoul(), which is not  
portable across platforms.  On most Unix platforms, unsigned long has a  
size of 64 bits, while on Windows it is 32 bits.  It is common in  
recovery scenarios to rely on the output of txid_current() or even the  
newer pg_current_xact_id() to get a transaction ID for setting up  
recovery_target_xid.  The value returned by those functions includes the  
epoch in the computed result, which would cause strtoul() to fail where  
unsigned long has a size of 32 bits once the epoch is incremented.  
  
WAL records and 2PC data include only information about 32-bit XIDs and  
it is not possible to have XIDs across more than one epoch, so  
discarding the high bits from the transaction ID set has no impact on  
recovery.  On the contrary, the use of strtoul() prevents a consistent  
behavior across platforms depending on the size of unsigned long.  
  
This commit changes the parsing of recovery_target_xid to use  
pg_strtouint64() instead, available down to 9.6.  There is one TAP test  
stressing recovery with recovery_target_xid, where a tweak based on  
pg_reset{xlog,wal} is added to bump the XID epoch so as this change gets  
tested, as per an idea from Alexander Lakhin.  
  
Reported-by: Alexander Lakhin  
Discussion: https://postgr.es/m/16780-107fd0c0385b1035@postgresql.org  
Backpatch-through: 9.6  

commit   : a1bd14d54e525bc6dfac95f6f76e107e53f1f621    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Tue, 22 Dec 2020 13:23:49 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Tue, 22 Dec 2020 13:23:49 -0500    

Bad things happen if the DBA issues "pg_ctl stop -m fast" before  
autoprewarm finishes loading its list of blocks to prewarm.  
The current worker process successfully terminates early, but  
(if this wasn't the last database with blocks to prewarm) the  
leader process will just try to launch another worker for the  
next database.  Since the postmaster is now in PM_WAIT_BACKENDS  
state, it ignores the launch request, and the leader just sits  
until it's killed manually.  
  
This is mostly the fault of our half-baked design for launching  
background workers, but a proper fix for that is likely to be  
too invasive to be back-patchable.  To ameliorate the situation,  
fix apw_load_buffers() to check whether SIGTERM has arrived  
just before trying to launch another worker.  That leaves us with  
only a very narrow window in each worker launch where SIGTERM  
could occur between the launch request and successful worker start.  
  
Another issue is that if the leader process does manage to exit,  
it unconditionally rewrites autoprewarm.blocks with only the  
blocks currently in shared buffers, thus forgetting any blocks  
that we hadn't reached yet while prewarming.  This seems quite  
unhelpful, since the next database start will then not have the  
expected prewarming benefit.  Fix it to not modify the file if  
we shut down before the initial load attempt is complete.  
  
Per bug #16785 from John Thompson.  Back-patch to v11 where  
the autoprewarm code was introduced.  
  
Discussion: https://postgr.es/m/16785-c0207d8c67fb5f25@postgresql.org  

commit   : 75c8ef5ae56c5d9fad594b65eaa3bb8024f7f24f    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Mon, 21 Dec 2020 13:11:29 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Mon, 21 Dec 2020 13:11:29 -0500    

The jsonb || jsonb operator arbitrarily rejected certain combinations  
of scalar and non-scalar inputs, while being willing to concatenate  
other combinations.  This was of course quite undocumented.  Rather  
than trying to document it, let's just remove the restriction,  
creating a uniform rule that unless we are handling an object-to-object  
concatenation, non-array inputs are converted to one-element arrays,  
resulting in an array-to-array concatenation.  (This does not change  
the behavior for any case that didn't throw an error before.)  
  
Per complaint from Joel Jacobson.  Back-patch to all supported branches.  
  
Discussion: https://postgr.es/m/163099.1608312033@sss.pgh.pa.us  

commit   : b6efd8a6daa54b3f94af83767aeaaaeff7c27879    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Sun, 20 Dec 2020 15:28:22 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Sun, 20 Dec 2020 15:28:22 -0500    

The separate "cd" command before invoking psql made sense (or at least  
I thought so) when it was added in commit ed1939332.  But 4e3a61635  
removed the supporting text that explained when to use it, making it  
just confusing.  So drop it.  
  
Also switch from four-dot to three-dot filler for the unsupplied  
part of the path, since at least one person has read the four-dot  
filler as a typo for "../..".  And fix these/those inconsistency.  
  
Discussion: https://postgr.es/m/160837647714.673.5195186835607800484@wrigleys.postgresql.org  

commit   : 14c6afbbb3086c109163df25fad4ac7c5835c513    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Sun, 20 Dec 2020 13:37:25 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Sun, 20 Dec 2020 13:37:25 -0500    

Point out the workaround to be used if you want to write a script  
file name that includes "@".  Clean up the text a little.  
  
Fabien Coelho, additional wordsmithing by me  
  
Discussion: https://postgr.es/m/1c4e81550d214741827a03292222db8d@G08CNEXMBPEKD06.g08.fujitsu.local  

commit   : 21b2ee6ee376c0c9d05dd1edfa8d68c87ffcbd0a    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Fri, 18 Dec 2020 15:46:44 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Fri, 18 Dec 2020 15:46:44 -0500    

A narrow reading of the C standard says that memcpy(x,x,n) is undefined,  
although it's hard to envision an implementation that would really  
misbehave.  However, analysis tools such as valgrind might whine about  
this; accordingly, let's band-aid relmapper.c to not do it.  
  
See also 5b630501e, d3f4e8a8a, ad7b48ea0, and other similar fixes.  
Apparently, none of those folk tried valgrinding initdb?  This has been  
like this for long enough that I'm surprised it hasn't been reported  
before.  
  
Back-patch, just in case anybody wants to use a back branch on a platform  
that complains about this; we back-patched those earlier fixes too.  
  
Discussion: https://postgr.es/m/161790.1608310142@sss.pgh.pa.us  

commit   : 48cbed8821120b378e22be1f0d3cfcf61ef0d1e4    
  
author   : Bruce Momjian <bruce@momjian.us>    
date     : Tue, 15 Dec 2020 19:20:15 -0500    
  
committer: Bruce Momjian <bruce@momjian.us>    
date     : Tue, 15 Dec 2020 19:20:15 -0500    

It was not clear how COPY TO behaved with partitioning/inheritance  
because the paragraphs were so far apart.  Also reword to simplify.  
  
Discussion: https://postgr.es/m/20201203211723.GR24052@telsasoft.com  
  
Author: Justin Pryzby  
  
Backpatch-through: 10  

commit   : 355f9d2452dc93563fd89cac4b858d9e3f8e5960    
  
author   : Andrew Dunstan <andrew@dunslane.net>    
date     : Tue, 15 Dec 2020 10:00:18 -0500    
  
committer: Andrew Dunstan <andrew@dunslane.net>    
date     : Tue, 15 Dec 2020 10:00:18 -0500    

This is a backport of commits 114541d58e and 6f59826f0 to the remaining  
live branches.  

commit   : 4ee058a3bd9b939d940b8621f66a5c09163cc295    
  
author   : Jeff Davis <jdavis@postgresql.org>    
date     : Mon, 14 Dec 2020 23:49:06 -0800    
  
committer: Jeff Davis <jdavis@postgresql.org>    
date     : Mon, 14 Dec 2020 23:49:06 -0800    

This reverts commit 3a9e64aa0d96c8ffb6c682b082d0f72b1d373327.  
  
Commit 4bad60e3 fixed the root of the problem that 3a9e64aa worked  
around.  
  
This enables proper pipelining of commands after terminating  
replication, eliminating an undocumented limitation.  
  
Discussion: https://postgr.es/m/3d57bc29-4459-578b-79cb-7641baf53c57%40iki.fi  
Backpatch-through: 9.5  

commit   : 970761f15f4a866728a472a44e332a7011631feb    
  
author   : Bruce Momjian <bruce@momjian.us>    
date     : Sat, 12 Dec 2020 12:59:09 -0500    
  
committer: Bruce Momjian <bruce@momjian.us>    
date     : Sat, 12 Dec 2020 12:59:09 -0500    

Backpatch-through: 9.5  

commit   : add6b13be91f412a11a5be6d91888be9f16c7b1d    
  
author   : Bruce Momjian <bruce@momjian.us>    
date     : Sat, 12 Dec 2020 12:51:16 -0500    
  
committer: Bruce Momjian <bruce@momjian.us>    
date     : Sat, 12 Dec 2020 12:51:16 -0500    

Backpatch-through: 9.5  

commit   : 1f229f4fdcf88d8fe7cb0b7442a4894cd4d1c47c    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Tue, 8 Dec 2020 17:50:54 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Tue, 8 Dec 2020 17:50:54 -0500    

array_get_element and array_get_slice qualify as leakproof, since  
they will silently return NULL for bogus subscripts.  But  
array_set_element and array_set_slice throw errors for such cases,  
making them clearly not leakproof.  contain_leaked_vars was evidently  
written with only the former case in mind, as it gave the wrong answer  
for assignment SubscriptingRefs (nee ArrayRefs).  
  
This would be a live security bug, were it not that assignment  
SubscriptingRefs can only occur in INSERT and UPDATE target lists,  
while we only care about leakproofness for qual expressions; so the  
wrong answer can't occur in practice.  Still, that's a rather shaky  
answer for a security-related question; and maybe in future somebody  
will want to ask about leakproofness of a tlist.  So it seems wise to  
fix and even back-patch this correction.  
  
(We would need some change here anyway for the upcoming  
generic-subscripting patch, since extensions might make different  
tradeoffs about whether to throw errors.  Commit 558d77f20 attempted  
to lay groundwork for that by asking check_functions_in_node whether a  
SubscriptingRef contains leaky functions; but that idea fails now that  
the implementation methods of a SubscriptingRef are not SQL-visible  
functions that could be marked leakproof or not.)  
  
Back-patch to 9.6.  While 9.5 has the same issue, the code's a bit  
different.  It seems quite unlikely that we'd introduce any actual bug  
in the short time 9.5 has left to live, so the work/risk/reward balance  
isn't attractive for changing 9.5.  
  
Discussion: https://postgr.es/m/3143742.1607368115@sss.pgh.pa.us  

commit   : 5303706b320864332abd99b666a466863ffece22    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Tue, 8 Dec 2020 13:09:48 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Tue, 8 Dec 2020 13:09:48 -0500    

The SQL standard says that redundant unique constraints are disallowed,  
but we long ago decided that throwing an error would be too  
user-unfriendly, so we just drop redundant ones.  The docs weren't very  
clear about that though, as this behavior was only explained for PRIMARY  
KEY vs UNIQUE, not UNIQUE vs UNIQUE.  
  
While here, I couldn't resist doing some copy-editing and markup-fixing  
on the adjacent text about INCLUDE options.  
  
Per bug #16767 from Matthias vd Meent.  
  
Discussion: https://postgr.es/m/16767-1714a2056ca516d0@postgresql.org  

commit   : 10c601578a25a1811e68c30d2775952858672a15    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Tue, 8 Dec 2020 12:06:19 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Tue, 8 Dec 2020 12:06:19 -0500    

This restriction was mentioned in connection with string literals,  
but it wasn't made clear that it's a general restriction not just  
a syntactic limitation in query strings.  
  
Per unsigned documentation comment.  
  
Discussion: https://postgr.es/m/160720552914.710.16625261471128631268@wrigleys.postgresql.org  

commit   : b88afd8b6124270a4eead676a5dd56ee7d32a74d    
  
author   : Michael Paquier <michael@paquier.xyz>    
date     : Tue, 8 Dec 2020 15:22:48 +0900    
  
committer: Michael Paquier <michael@paquier.xyz>    
date     : Tue, 8 Dec 2020 15:22:48 +0900    

The following routines are called within pgcrypto when handling digests  
but there were no checks for failures:  
- EVP_MD_CTX_size (can fail with -1 as of 3.0.0)  
- EVP_MD_CTX_block_size (can fail with -1 as of 3.0.0)  
- EVP_DigestInit_ex  
- EVP_DigestUpdate  
- EVP_DigestFinal_ex  
  
A set of elog(ERROR) is added by this commit to detect such failures,  
that should never happen except in the event of a processing failure  
internal to OpenSSL.  
  
Note that it would be possible to use ERR_reason_error_string() to get  
more context about such errors, but these refer mainly to the internals  
of OpenSSL, so it is not really obvious how useful that would be.  This  
is left out for simplicity.  
  
Per report from Coverity.  Thanks to Tom Lane for the discussion.  
  
Backpatch-through: 9.5  

commit   : 1e16ad101459432418d61a0faf2c7692ad76459b    
  
author   : Andres Freund <andres@anarazel.de>    
date     : Mon, 7 Dec 2020 18:21:06 -0800    
  
committer: Andres Freund <andres@anarazel.de>    
date     : Mon, 7 Dec 2020 18:21:06 -0800    

clang only uses the 'i1' type for scalar booleans, not for pointers to  
booleans (as the pointer might be pointing into a larger memory  
allocation). Therefore a pointer-to-bool needs to the "storage" boolean.  
  
There's no known case of wrong code generation due to this, but it seems quite  
possible that it could cause problems (see e.g. 72559438f92).  
  
Author: Andres Freund  
Discussion: https://postgr.es/m/20201207212142.wz5tnbk2jsaqzogb@alap3.anarazel.de  
Backpatch: 11-, where jit support was added  

commit   : f4f924b3ed77ff8b3a6901a545e7c2943edcf9a1    
  
author   : Andres Freund <andres@anarazel.de>    
date     : Mon, 7 Dec 2020 18:12:23 -0800    
  
committer: Andres Freund <andres@anarazel.de>    
date     : Mon, 7 Dec 2020 18:12:23 -0800    

Until recently 'native' was implicitly included via 'orcjit', but a change  
included in LLVM 11 (not yet released) removed a number of such indirect  
component references.  
  
Reported-By: Fabien COELHO <coelho@cri.ensmp.fr>  
Reported-By: Andres Freund <andres@anarazel.de>  
Reported-By: Thomas Munro <thomas.munro@gmail.com>  
Author: Andres Freund <andres@anarazel.de>  
Discussion: https://postgr.es/m/20201201064949.mex6kvi2kygby3ni@alap3.anarazel.de  
Backpatch: 11-, where jit support was added  

commit   : 90eb343ef3929a0cce5b6940781680cd4f7801f2    
  
author   : Andres Freund <andres@anarazel.de>    
date     : Mon, 9 Nov 2020 20:01:33 -0800    
  
committer: Andres Freund <andres@anarazel.de>    
date     : Mon, 9 Nov 2020 20:01:33 -0800    

As there haven't been problem on the buildfarm due to this change,  
backpatch 6c57f2ed16e now.  
  
Author: Andres Freund  
Discussion: https://postgr.es/m/20201016011244.pmyvr3ee2gbzplq4@alap3.anarazel.de  
Backpatch: 11-, where jit support was added  

commit   : 10d9c9d03cfeadf872b57bae8847624afac87d5e    
  
author   : Heikki Linnakangas <heikki.linnakangas@iki.fi>    
date     : Mon, 7 Dec 2020 14:44:34 +0200    
  
committer: Heikki Linnakangas <heikki.linnakangas@iki.fi>    
date     : Mon, 7 Dec 2020 14:44:34 +0200    

pg_rewind looks at the control file to check what timeline a server is on.  
But promotion doesn't immediately write a checkpoint, it merely writes  
an end-of-recovery WAL record. If pg_rewind runs immediately after  
promotion, before the checkpoint has completed, it will think think that  
the server is still on the earlier timeline. We ran into this issue a long  
time ago already, see commit 484a848a73f.  
  
It's a bit bogus that pg_rewind doesn't determine the timeline correctly  
until the end-of-recovery checkpoint has completed. We probably should  
fix that. But for now work around it by waiting for the checkpoint  
to complete before running pg_rewind, like we did in commit 484a848a73f.  
  
In the passing, tidy up the new test a little bit. Rerder the INSERTs so  
that the comments make more sense, remove a spurious CHECKPOINT call after  
pg_rewind has already run, and add --debug option, so that if this fails  
again, we'll have more data.  
  
Per buildfarm failure at https://buildfarm.postgresql.org/cgi-bin/show_stage_log.pl?nm=rorqual&dt=2020-12-06%2018%3A32%3A19&stg=pg_rewind-check.  
Backpatch to all supported versions.  
  
Discussion: https://www.postgresql.org/message-id/1713707e-e318-761c-d287-5b6a4aa807e8@iki.fi  

commit   : cda50f2112f29eb4bca148b1dd7f06efa559acdf    
  
author   : Heikki Linnakangas <heikki.linnakangas@iki.fi>    
date     : Fri, 4 Dec 2020 18:20:18 +0200    
  
committer: Heikki Linnakangas <heikki.linnakangas@iki.fi>    
date     : Fri, 4 Dec 2020 18:20:18 +0200    

Buildfarm has been failing sporadically on the new test.  I was able to  
reproduce this by adding a random 0-10 s delay in the walreceiver, just  
before it connects to the primary. There's a race condition where node_3  
is promoted before it has fully caught up with node_1, leading to diverged  
timelines. When node_1 is later reconfigured as standby following node_3,  
it fails to catch up:  
  
LOG:  primary server contains no more WAL on requested timeline 1  
LOG:  new timeline 2 forked off current database system timeline 1 before current recovery point 0/30000A0  
  
That's the situation where you'd need to use pg_rewind, but in this case  
it happens already when we are just setting up the actual pg_rewind  
scenario we want to test, so change the test so that it waits until  
node_3 is connected and fully caught up before promoting it, so that you  
get a clean, controlled failover.  
  
Also rewrite some of the comments, for clarity. The existing comments  
detailed what each step in the test did, but didn't give a good overview  
of the situation the steps were trying to create.  
  
For reasons I don't understand, the test setup had to be written slightly  
differently in 9.6 and 9.5 than in later versions. The 9.5/9.6 version  
needed node 1 to be reinitialized from backup, whereas in later versions  
it could be shut down and reconfigured to be a standby. But even 9.5 should  
support "clean switchover", where primary makes sure that pending WAL is  
replicated to standby on shutdown. It would be nice to figure out what's  
going on there, but that's independent of pg_rewind and the scenario that  
this test tests.  
  
Discussion: https://www.postgresql.org/message-id/b0a3b95b-82d2-6089-6892-40570f8c5e60%40iki.fi  

commit   : aee1f7496113bfe5e7ea6acdef49b86405507a83    
  
author   : Bruce Momjian <bruce@momjian.us>    
date     : Thu, 3 Dec 2020 11:33:24 -0500    
  
committer: Bruce Momjian <bruce@momjian.us>    
date     : Thu, 3 Dec 2020 11:33:24 -0500    

Backpatch-through: 11  

commit   : 792d000e53b398f88c1e4bb22826a408b1cc0b8c    
  
author   : Bruce Momjian <bruce@momjian.us>    
date     : Thu, 3 Dec 2020 10:28:58 -0500    
  
committer: Bruce Momjian <bruce@momjian.us>    
date     : Thu, 3 Dec 2020 10:28:58 -0500    

In a few places, the long-version options were listed before the  
single-letter ones in the command summary of a few commands.  This  
didn't match other commands, and didn't match the option ordering later  
in the same reference page.  
  
Backpatch-through: 9.5  

commit   : 63e316f0bc1d73276b94283ab482513892c5ee75    
  
author   : Heikki Linnakangas <heikki.linnakangas@iki.fi>    
date     : Thu, 3 Dec 2020 15:57:48 +0200    
  
committer: Heikki Linnakangas <heikki.linnakangas@iki.fi>    
date     : Thu, 3 Dec 2020 15:57:48 +0200    

If the target is a standby server, its WAL doesn't end at the last  
checkpoint record, but at minRecoveryPoint. We must scan all the  
WAL from the last common checkpoint all the way up to minRecoveryPoint  
for modified pages, and also consider that portion when determining  
whether the server needs rewinding.  
  
Backpatch to all supported versions.  
  
Author: Ian Barwick and me  
Discussion: https://www.postgresql.org/message-id/CABvVfJU-LDWvoz4-Yow3Ay5LZYTuPD7eSjjE4kGyNZpXC6FrVQ%40mail.gmail.com  

commit   : 28bb8c496691e0fb60f49eac08b4dc1d8bdd6b4a    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Tue, 1 Dec 2020 14:02:28 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Tue, 1 Dec 2020 14:02:28 -0500    

As it stood, expandTableLikeClause() re-did the same relation_openrv  
call that transformTableLikeClause() had done.  However there are  
scenarios where this would not find the same table as expected.  
We hold lock on the LIKE source table, so it can't be renamed or  
dropped, but another table could appear before it in the search path.  
This explains the odd behavior reported in bug #16758 when cloning a  
table as a temp table of the same name.  This case worked as expected  
before commit 502898192 introduced the need to open the source table  
twice, so we should fix it.  
  
To make really sure we get the same table, let's re-open it by OID not  
name.  That requires adding an OID field to struct TableLikeClause,  
which is a little nervous-making from an ABI standpoint, but as long  
as it's at the end I don't think there's any serious risk.  
  
Per bug #16758 from Marc Boeren.  Like the previous patch,  
back-patch to all supported branches.  
  
Discussion: https://postgr.es/m/16758-840e84a6cfab276d@postgresql.org  

commit   : 49aaabdf8d0b85cbf19537bb8bc12856f2e9dc4d    
  
author   : Alvaro Herrera <alvherre@alvh.no-ip.org>    
date     : Tue, 1 Dec 2020 11:46:56 -0300    
  
committer: Alvaro Herrera <alvherre@alvh.no-ip.org>    
date     : Tue, 1 Dec 2020 11:46:56 -0300    

When memcpy() is called on a pointer, the compiler is entitled to assume  
that the pointer is not null, which can lead to optimizing nearby code  
in potentially undesirable ways.  We still want such optimizations  
(gcc's -fdelete-null-pointer-checks) in cases where they're valid.  
  
Related: commit 13bba02271dc.  
  
Backpatch to pg11, where this particular instance appeared.  
  
Reported-by: Ranier Vilela <ranier.vf@gmail.com>  
Reported-by: Zhihong Yu <zyu@yugabyte.com>  
Discussion: https://postgr.es/m/CAEudQApUndmQkr5fLrCKXQ7+ib44i7S+Kk93pyVThS85PnG3bQ@mail.gmail.com  
Discussion: https://postgr.es/m/CALNJ-vSdhwSM5f4tnNn1cdLHvXMVe_S+V3nR5GwNrmCPNB2VtQ@mail.gmail.com  

commit   : d5706ad7b70a03c53d06abff019d4cc56342ab09    
  
author   : Thomas Munro <tmunro@postgresql.org>    
date     : Tue, 1 Dec 2020 13:46:27 +1300    
  
committer: Thomas Munro <tmunro@postgresql.org>    
date     : Tue, 1 Dec 2020 13:46:27 +1300    

When committing a transaction that dropped a relation, we previously  
truncated only the first segment file to free up disk space (the one  
that won't be unlinked until the next checkpoint).  
  
Truncate higher numbered segments too, even though we unlink them on  
commit.  This frees the disk space immediately, even if other backends  
have open file descriptors and might take a long time to get around to  
handling shared invalidation events and closing them.  Also extend the  
same behavior to the first segment, in recovery.  
  
Back-patch to all supported releases.  
  
Bug: #16663  
Reported-by: Denis Patron <denis.patron@previnet.it>  
Reviewed-by: Pavel Borisov <pashkin.elfe@gmail.com>  
Reviewed-by: Neil Chen <carpenter.nail.cz@gmail.com>  
Reviewed-by: David Zhang <david.zhang@highgo.ca>  
Discussion: https://postgr.es/m/16663-fe97ccf9932fc800%40postgresql.org  

commit   : ed9c9b033546129daf06d4aa013f5c0e22c5947d    
  
author   : Alvaro Herrera <alvherre@alvh.no-ip.org>    
date     : Mon, 30 Nov 2020 18:24:55 -0300    
  
committer: Alvaro Herrera <alvherre@alvh.no-ip.org>    
date     : Mon, 30 Nov 2020 18:24:55 -0300    

Because regular CREATE INDEX commands are independent, and there's no  
logical data dependency, it's not immediately obvious that transactions  
held by concurrent index builds on one table will block the second phase  
of concurrent index creation on an unrelated table, so document this  
caveat.  
  
Backpatch this all the way back.  In branch master, mention that only  
some indexes are involved.  
  
Author: James Coleman <jtc331@gmail.com>  
Reviewed-by: David Johnston <david.g.johnston@gmail.com>  
Discussion: https://postgr.es/m/CAAaqYe994=PUrn8CJZ4UEo_S-FfRr_3ogERyhtdgHAb2WG_Ufg@mail.gmail.com  

commit   : 8d0155962e20c0981a4416b04857b7d997f116a5    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Mon, 30 Nov 2020 15:24:13 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Mon, 30 Nov 2020 15:24:13 -0500    

Checking for DocBook being installed was valuable when we were on the  
OpenSP docs toolchain, because that was rather hard to get installed  
fully.  Nowadays, as long as you have xmllint and xsltproc installed,  
you're good, because those programs will fetch the DocBook files off  
the net at need.  Moreover, testing this at configure time means that  
a network access may well occur whether or not you have any interest  
in building the docs later.  That can be slow (typically 2 or 3  
seconds, though much higher delays have been reported), and it seems  
not very nice to be doing an off-machine access without warning, too.  
  
Hence, drop the PGAC_CHECK_DOCBOOK probe, and adjust related  
documentation.  Without that macro, there's not much left of  
config/docbook.m4 at all, so I just removed it.  
  
Back-patch to v11, where we started to use xmllint in the  
PGAC_CHECK_DOCBOOK probe.  
  
Discussion: https://postgr.es/m/E2EE6B76-2D96-408A-B961-CAE47D1A86F0@yesql.se  
Discussion: https://postgr.es/m/A55A7FC9-FA60-47FE-98B5-139CDC57CE6E@gmail.com  

commit   : 942e441ee8f444bcc877ee7cdae00d5ecd312feb    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Mon, 30 Nov 2020 14:38:00 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Mon, 30 Nov 2020 14:38:00 -0500    

This can't work if there's no postmaster, and indeed the code got an  
assertion failure trying.  There should be a check on IsUnderPostmaster  
gating the use of parallelism, as the planner has for ordinary  
parallel queries.  
  
Commit 40d964ec9 got this right, so follow its model of checking  
IsUnderPostmaster at the same place where we check for  
max_parallel_maintenance_workers == 0.  In general, new code  
implementing parallel utility operations should do the same.  
  
Report and patch by Yulin Pei, cosmetically adjusted by me.  
Back-patch to v11 where this code came in.  
  
Discussion: https://postgr.es/m/HK0PR01MB22747D839F77142D7E76A45DF4F50@HK0PR01MB2274.apcprd01.prod.exchangelabs.com  

commit   : caecab229abdcac05bdeb8ac94e78194dfc71f5c    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Mon, 30 Nov 2020 12:22:43 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Mon, 30 Nov 2020 12:22:43 -0500    

If a PlaceHolderVar is to be evaluated at a join relation, but  
its value is only needed there and not at higher levels, we neglected  
to update the joinrel's direct_lateral_relids to include the PHV's  
source rel.  This causes problems because join_is_legal() then won't  
allow joining the joinrel to the PHV's source rel at all, leading  
to "failed to build any N-way joins" planner failures.  
  
Per report from Andreas Seltenreich.  Back-patch to 9.5  
where the problem originated.  
  
Discussion: https://postgr.es/m/87blfgqa4t.fsf@aurora.ydns.eu  

commit   : 777ac03a6823edf7dcf5a184c8a5d74f04a4c430    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Sun, 29 Nov 2020 15:22:04 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Sun, 29 Nov 2020 15:22:04 -0500    

Through my misreading of what the existing code actually did,  
commits 85c54287a et al. broke psql's behavior for the case where  
"\c connstring" provides a password in the connstring.  We should  
use that password in such a case, but as of 85c54287a we ignored it  
(and instead, prompted for a password).  
  
Commit 94929f1cf fixed that in HEAD, but since I thought it was  
cleaning up a longstanding misbehavior and not one I'd just created,  
I didn't back-patch it.  
  
Hence, back-patch the portions of 94929f1cf having to do with  
password management.  In addition to fixing the introduced bug,  
this means that "\c -reuse-previous=on connstring" will allow  
re-use of an existing connection's password if the connstring  
doesn't change user/host/port.  That didn't happen before, but  
it seems like a bug fix, and anyway I'm loath to have significant  
differences in this code across versions.  
  
Also fix an error with the same root cause about whether or not to  
override a connstring's setting of client_encoding.  As of 85c54287a  
we always did so; restore the previous behavior of overriding only  
when stdin/stdout are a terminal and there's no environment setting  
of PGCLIENTENCODING.  (I find that definition a bit surprising, but  
right now doesn't seem like the time to revisit it.)  
  
Per bug #16746 from Krzysztof Gradek.  As with the previous patch,  
back-patch to all supported branches.  
  
Discussion: https://postgr.es/m/16746-44b30e2edf4335d4@postgresql.org  

commit   : 5fe3e9333287c33da710ace62648df4531e5f307    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Sun, 29 Nov 2020 13:58:30 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Sun, 29 Nov 2020 13:58:30 -0500    

The documentation omitted the critical tidbit that a keyword-array entry  
is simply ignored if its corresponding value-array entry is NULL or an  
empty string; it will *not* override any previously-obtained value for  
the parameter.  (See conninfo_array_parse().)  I'd supposed that would  
force the setting back to default, which is what led me into bug #16746;  
but it doesn't.  
  
While here, I couldn't resist the temptation to do some copy-editing,  
both in the description of PQconnectdbParams() and in the section  
about connection URI syntax.  
  
Discussion: https://postgr.es/m/931505.1606618746@sss.pgh.pa.us  

commit   : 40f2fbe71ad615a2bcaaf5b840ccb9329e4378aa    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Sat, 28 Nov 2020 14:03:40 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Sat, 28 Nov 2020 14:03:40 -0500    

Commit 566372b3d fixed some race conditions involving concurrent  
SimpleLruTruncate calls, but it introduced new ones in async.c.  
A newly-listening backend could attempt to read Notify SLRU pages that  
were in process of being truncated, possibly causing an error.  Also,  
the QUEUE_TAIL pointer could become set to a value that's not equal to  
the queue position of any backend.  While that's fairly harmless in  
v13 and up (thanks to commit 51004c717), in older branches it resulted  
in near-permanent disabling of the queue truncation logic, so that  
continued use of NOTIFY led to queue-fill warnings and eventual  
inability to send any more notifies.  (A server restart is enough to  
make that go away, but it's still pretty unpleasant.)  
  
The core of the problem is confusion about whether QUEUE_TAIL  
represents the "logical" tail of the queue (i.e., the oldest  
still-interesting data) or the "physical" tail (the oldest data we've  
not yet truncated away).  To fix, split that into two variables.  
QUEUE_TAIL regains its definition as the logical tail, and we  
introduce a new variable to track the oldest un-truncated page.  
  
Per report from Mikael Gustavsson.  Like the previous patch,  
back-patch to all supported branches.  
  
Discussion: https://postgr.es/m/1b8561412e8a4f038d7a491c8b922788@smhi.se  

commit   : b9a027c53a2a1efbe45413c83fc89412654a0d1c    
  
author   : Peter Eisentraut <peter@eisentraut.org>    
date     : Wed, 25 Nov 2020 09:49:00 +0100    
  
committer: Peter Eisentraut <peter@eisentraut.org>    
date     : Wed, 25 Nov 2020 09:49:00 +0100    

Author: Justin Pryzby <pryzby@telsasoft.com>  
Discussion: https://www.postgresql.org/message-id/20201121194105.GO24784@telsasoft.com  

commit   : 018e7d98dc157265efc4121e2b5971c0a2afcbe1    
  
author   : Andrew Gierth <rhodiumtoad@postgresql.org>    
date     : Tue, 24 Nov 2020 20:58:32 +0000    
  
committer: Andrew Gierth <rhodiumtoad@postgresql.org>    
date     : Tue, 24 Nov 2020 20:58:32 +0000    

Previously this code assumed that all IndexScan nodes supported  
mark/restore, which is not true since it depends on optional index AM  
support functions. This could lead to errors about missing support  
functions in rare edge cases of mergejoins with no sort keys, where an  
unordered non-btree index scan was placed on the inner path without a  
protecting Materialize node. (Normally, the fact that merge join  
requires ordered input would avoid this error.)  
  
Backpatch all the way since this bug is ancient.  
  
Per report from Eugen Konkov on irc.  
  
Discussion: https://postgr.es/m/87o8jn50be.fsf@news-spur.riddles.org.uk  

commit   : 57b5d8484c8a0949c3fa8205a324ac7bf3a377fb    
  
author   : Heikki Linnakangas <heikki.linnakangas@iki.fi>    
date     : Fri, 20 Nov 2020 14:41:14 +0200    
  
committer: Heikki Linnakangas <heikki.linnakangas@iki.fi>    
date     : Fri, 20 Nov 2020 14:41:14 +0200    

This is a backpatch of commit 2cccb627f1, backpatched due to popular  
demand. Backpatch to all supported versions.  
  
Author: Alexey Bashtanov  
Discussion: https://www.postgresql.org/message-id/36823f65-050d-ae24-aa4d-a37726998240%40imap.cc  

commit   : d01e37845c2262a0b51a59c77ff8ad7b855824f8    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Fri, 20 Nov 2020 00:58:26 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Fri, 20 Nov 2020 00:58:26 -0500    

We previously put the -isysroot switch only into CPPFLAGS, theorizing  
that it was only needed to find the right copies of include files.  
However, it seems that we also need to use it while linking programs,  
to find the right stub ".tbd" files for libraries.  We got away  
without that up to now, but apparently that was mostly luck.  It may  
also be that failures are only observed when the Xcode version is  
noticeably out of sync with the host macOS version; the case that's  
prompting action right now is that builds fail when using latest Xcode  
(12.2) on macOS Catalina, even though it's fine on Big Sur.  
  
Hence, add -isysroot to LDFLAGS as well.  (It seems that the more  
common practice is to put it in CFLAGS, whence it'd be included at  
both compile and link steps.  However, we can't mess with CFLAGS in  
the platform template file without confusing configure's logic for  
choosing default CFLAGS.)  
  
Back-patch of 49407dc32 into all supported branches.  
  
Report and patch by James Hilliard (some cosmetic mods by me)  
  
Discussion: https://postgr.es/m/20201120003314.20560-1-james.hilliard1@gmail.com  

commit   : 0455f78ddbb09b6ad3bb6b582b75fd3975a24541    
  
author   : Thomas Munro <tmunro@postgresql.org>    
date     : Fri, 20 Nov 2020 10:44:09 +1300    
  
committer: Thomas Munro <tmunro@postgresql.org>    
date     : Fri, 20 Nov 2020 10:44:09 +1300    

1.  Previously, a DSA area would create up to four segments at each size  
before doubling the size.  After this commit, it will create only two at  
each size, so it ramps up faster and therefore needs fewer slots.  
  
2.  Previously, the total limit on DSM slots allowed for 2 per connection.  
Switch to 5 per connection.  
  
This back-patches commit d061ea21 from release 13 into 10-12 based on a  
field complaint.  
  
Discussion: https://postgr.es/m/CAO03teA%2BjE1qt5iWDWzHqaufqBsF6EoOgZphnazps_tr_jDPZA%40mail.gmail.com  
Discussion: https://postgr.es/m/CA%2BhUKGL6H2BpGbiF7Lj6QiTjTGyTLW_vLR%3DSn2tEBeTcYXiMKw%40mail.gmail.com  

commit   : c690ebbefa3394b67ceb1ba913590d873ad40355    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Thu, 19 Nov 2020 15:03:17 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Thu, 19 Nov 2020 15:03:17 -0500    

Commit 502898192 was too careless about the order of execution of the  
additional ALTER TABLE operations generated by expandTableLikeClause.  
It just stuck them all at the end, which seems okay for most purposes.  
But it falls down in the case where LIKE is importing a primary key  
or unique index and the outer CREATE TABLE includes a FOREIGN KEY  
constraint that needs to depend on that index.  Weird as that is,  
it used to work, so we ought to keep it working.  
  
To fix, make parse_utilcmd.c insert LIKE clauses between index-creation  
and FK-creation commands in the transformed list of commands, and change  
utility.c so that the commands generated by expandTableLikeClause are  
executed immediately not at the end.  One could imagine scenarios where  
this wouldn't work either; but currently expandTableLikeClause only  
makes column default expressions, CHECK constraints, and indexes, and  
this ordering seems fine for those.  
  
Per bug #16730 from Sofoklis Papasofokli.  Like the previous patch,  
back-patch to all supported branches.  
  
Discussion: https://postgr.es/m/16730-b902f7e6e0276b30@postgresql.org  

commit   : 6b8235d035650d732b11c4e38f07c722496db0b9    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Mon, 16 Nov 2020 20:32:35 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Mon, 16 Nov 2020 20:32:35 -0500    

Otherwise, if FDDEBUG is enabled, the debugging output fails because  
it tries to read the fileName, which isn't set up yet (and should in  
fact always be NULL).  
  
AFAICT, this has been wrong since Berkeley.  Before 96bf88d52,  
it would accidentally fail to crash on platforms where snprintf()  
is forgiving about being passed a NULL pointer for %s; but the  
file name intended to be included in the debug output wouldn't  
ever have shown up.  
  
Report and fix by Greg Nancarrow.  Although this is only visibly  
broken in custom-made builds, it still seems worth back-patching  
to all supported branches, as the FDDEBUG code is pretty useless  
as it stands.  
  
Discussion: https://postgr.es/m/CAJcOf-cUDgm9qYtC_B6XrC6MktMPNRby2p61EtSGZKnfotMArw@mail.gmail.com  

commit   : 84e31622882358f61e9d3c16c5b4f3187f504a68    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Mon, 16 Nov 2020 16:39:59 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Mon, 16 Nov 2020 16:39:59 -0500    

Since this function is used as a CHECK constraint condition,  
returning NULL is tantamount to returning TRUE, which would have the  
effect of letting in a row that doesn't satisfy the hash condition.  
Admittedly, the cases for which this is done should be unreachable  
in practice, but that doesn't make it any less a bad idea.  It also  
seems like a dartboard was used to decide which error cases should  
throw errors as opposed to returning NULL.  
  
For the checks for NULL input values, I just switched it to returning  
false.  There's some argument that an error would be better; but the  
case really should be can't-happen in a generated hash constraint,  
so it's likely not worth more code for.  
  
For the parent-relation-open-failure case, it seems like we might  
as well let relation_open throw an error, instead of having an  
impossible-to-diagnose constraint failure.  
  
Back-patch to v11 where this code came in.  
  
Discussion: https://postgr.es/m/24067.1605134819@sss.pgh.pa.us  

commit   : 89aa30a179686d86aeccddf715f039d1a15d2b30    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Mon, 16 Nov 2020 15:16:39 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Mon, 16 Nov 2020 15:16:39 -0500    

This was evidently missed in commit 6337865f3, which generally did  
s/TRUE/true/ everywhere.  It escaped notice up to now because ICU  
versions before ICU 68 provided definitions of "TRUE" and "FALSE"  
regardless.  With ICU 68, it fails to compile.  
  
Per report from Condor.  Back-patch to v11 where 6337865f3 came in.  
(I've not tested v10, where this call originated, but I imagine  
it's fine since we defined TRUE in c.h back then.)  
  
Discussion: https://postgr.es/m/7a6f3336165bfe3ca66abcda7966f9d0@stz-bg.com  

commit   : bea246117b402e59340c9efa0bdbdbe7c1ea8554    
  
author   : Bruce Momjian <bruce@momjian.us>    
date     : Mon, 16 Nov 2020 13:13:43 -0500    
  
committer: Bruce Momjian <bruce@momjian.us>    
date     : Mon, 16 Nov 2020 13:13:43 -0500    

This clarifies exactly what the bgwriter does, which should help with  
tuning.  
  
Reported-by: Chris Wilson  
  
Discussion: https://postgr.es/m/160399562040.7809.7335281028960123489@wrigleys.postgresql.org  
  
Backpatch-through: 9.5  

commit   : 524712ceae3b443e19b54ad877d26558af7ee3d0    
  
author   : Bruce Momjian <bruce@momjian.us>    
date     : Mon, 16 Nov 2020 12:36:16 -0500    
  
committer: Bruce Momjian <bruce@momjian.us>    
date     : Mon, 16 Nov 2020 12:36:16 -0500    

Followup to patch 152ed04799.  
  
Reported-by: Alvaro Herrera  
  
Discussion: https://postgr.es/m/20201112202900.GA28098@alvherre.pgsql  
  
Backpatch-through: 9.5  

commit   : 9425c90cc3e16c2779e3e413030b53206e625508    
  
author   : Bruce Momjian <bruce@momjian.us>    
date     : Mon, 16 Nov 2020 11:14:54 -0500    
  
committer: Bruce Momjian <bruce@momjian.us>    
date     : Mon, 16 Nov 2020 11:14:54 -0500    

This applies the fix bcbd771332 to skipped branches.  
  
Reported-by: Erik Rijkers  
  
Discussion: https://postgr.es/m/e92b3fba98a0c0f7afc0a2a37e765954@xs4all.nl  
  
Backpatch-through: 9.5-11  

commit   : 2c2ab4b9cb311a314e795653bd500f10c3955566    
  
author   : Bruce Momjian <bruce@momjian.us>    
date     : Mon, 16 Nov 2020 10:26:16 -0500    
  
committer: Bruce Momjian <bruce@momjian.us>    
date     : Mon, 16 Nov 2020 10:26:16 -0500    

This is a followup commit on 3370207986.  
  
Reported-by: Justin Pryzby  
  
Discussion: https://postgr.es/m/20201112211143.GL30691@telsasoft.com  
  
Backpatch-through: 9.5  

commit   : 9cebe49524af365d48f9e63048c79f537d6b135c    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Sun, 15 Nov 2020 16:10:48 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Sun, 15 Nov 2020 16:10:48 -0500    

These flags should be independent: in particular an index AM should  
be able to say that it supports include columns without necessarily  
supporting multiple key columns.  The included-columns patch got  
this wrong, possibly aided by the fact that it didn't bother to  
update the documentation.  
  
While here, clarify some text about amcanreturn, which was a little  
vague about what should happen when amcanreturn reports that only  
some of the index columns are returnable.  
  
Noted while reviewing the SP-GiST included-columns patch, which  
quite incorrectly (and unsafely) changed SP-GiST to claim  
amcanmulticol = true as a workaround for this bug.  
  
Backpatch to v11 where included columns were introduced.  

commit   : a87d7801c24ffb3593841838ba0e3d4883d34853    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Sat, 14 Nov 2020 13:09:53 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Sat, 14 Nov 2020 13:09:53 -0500    

This started with the intent to explain that range upper bounds  
are exclusive, which previously you could only find out by reading  
the CREATE TABLE man page.  But I soon found that section 5.11  
really could stand a fair amount of editorial attention.  It's  
apparently been revised several times without much concern for  
overall flow, nor careful copy-editing.  
  
Back-patch to v11, which is as far as the patch goes easily.  
  
Per gripe from Edson Richter.  Thanks to David Johnston for review.  
  
Discussion: https://postgr.es/m/DM6PR13MB3988736CF8F5DC5720440231CFE60@DM6PR13MB3988.namprd13.prod.outlook.com  

commit   : e60f4a3fc045790d91b4aacab31b37489b697f0a    
  
author   : Bruce Momjian <bruce@momjian.us>    
date     : Thu, 12 Nov 2020 15:13:01 -0500    
  
committer: Bruce Momjian <bruce@momjian.us>    
date     : Thu, 12 Nov 2020 15:13:01 -0500    

These files are in compiled directories and install directories.  
  
Reported-by: e.indrupskaya@postgrespro.ru  
  
Discussion: https://postgr.es/m/160379609706.24746.7506163279454026608@wrigleys.postgresql.org  
  
Backpatch-through: 9.5  

commit   : b740b4a86784f40a4a473dc754525919e6abbc22    
  
author   : Bruce Momjian <bruce@momjian.us>    
date     : Thu, 12 Nov 2020 15:00:44 -0500    
  
committer: Bruce Momjian <bruce@momjian.us>    
date     : Thu, 12 Nov 2020 15:00:44 -0500    

Expression indexes can't benefit from pre-computed statistics on  
columns.  
  
Reported-by: Nikolay Samokhvalov  
  
Discussion: https://postgr.es/m/CANNMO++5rw9RDA=p40iMVbMNPaW6O=S0AFzTU=KpYHRpCd1voA@mail.gmail.com  
  
Author: Nikolay Samokhvalov, modified  
  
Backpatch-through: 9.5  

commit   : b5b7072a6725a2564c43b88feb5c7bb38862d4e8    
  
author   : Bruce Momjian <bruce@momjian.us>    
date     : Thu, 12 Nov 2020 14:33:28 -0500    
  
committer: Bruce Momjian <bruce@momjian.us>    
date     : Thu, 12 Nov 2020 14:33:28 -0500    

Document that though the history file content is marked as bytea, it is  
the same a text, and neither is btyea-escaped or encoding converted.  
  
Reported-by: Brar Piening  
  
Discussion: https://postgr.es/m/6a1b9cd9-17e3-df67-be55-86102af6bdf5@gmx.de  
  
Backpatch-through: 13 - 9.5 (not master)  

commit   : 7e3dc147d0a8364fb39f3229031cd6bf44180307    
  
author   : Andrew Gierth <rhodiumtoad@postgresql.org>    
date     : Thu, 12 Nov 2020 14:34:37 +0000    
  
committer: Andrew Gierth <rhodiumtoad@postgresql.org>    
date     : Thu, 12 Nov 2020 14:34:37 +0000    

Whether from size overflow in gistSplit or from secondary splits,  
picksplit is (rarely) called with exactly two items to split.  
  
Formerly, due to special-case handling of the last item, this would  
lead to access to an uninitialized cache entry; prior to PG 13 this  
might have been harmless or at worst led to an incorrect union datum,  
but in 13 onwards it can cause a backend crash from using an  
uninitialized pointer.  
  
Repair by removing the special case, which was deemed not to have been  
appropriate anyway. Backpatch all the way, because this bug has  
existed since pg_trgm was added.  
  
Per report on IRC from user "ftzdomino". Analysis and testing by me,  
patch from Alexander Korotkov.  
  
Discussion: https://postgr.es/m/87k0usfdxg.fsf@news-spur.riddles.org.uk  

commit   : c4424d33cca9719ae925d0cc018acf32182a6d95    
  
author   : Tomas Vondra <tomas.vondra@postgresql.org>    
date     : Wed, 11 Nov 2020 18:37:36 +0100    
  
committer: Tomas Vondra <tomas.vondra@postgresql.org>    
date     : Wed, 11 Nov 2020 18:37:36 +0100    

Commit 8bf74967dab moved some of the code from brin_new_memtuple to  
brin_memtuple_initialize, but this resulted in some of the code being  
duplicate. Fix by removing the duplicate lines and backpatch to 10.  
  
Author: Tomas Vondra  
Backpatch-through: 10  
Discussion: https://postgr.es/m/5eb50c97-9a8e-b691-8c40-1b2a55611c4c%40enterprisedb.com  

commit   : 3a89ea0eb64a1b50b27de1965fdb2173a04d5e11    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Tue, 10 Nov 2020 22:51:19 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Tue, 10 Nov 2020 22:51:19 -0500    

Introduce TimestampDifferenceMilliseconds() to simplify callers  
that would rather have the difference in milliseconds, instead of  
the select()-oriented seconds-and-microseconds format.  This gets  
rid of at least one integer division per call, and it eliminates  
some apparently-easy-to-mess-up arithmetic.  
  
Two of these call sites were in fact wrong:  
  
* pg_prewarm's autoprewarm_main() forgot to multiply the seconds  
by 1000, thus ending up with a delay 1000X shorter than intended.  
That doesn't quite make it a busy-wait, but close.  
  
* postgres_fdw's pgfdw_get_cleanup_result() thought it needed to compute  
microseconds not milliseconds, thus ending up with a delay 1000X longer  
than intended.  Somebody along the way had noticed this problem but  
misdiagnosed the cause, and imposed an ad-hoc 60-second limit rather  
than fixing the units.  This was relatively harmless in context, because  
we don't care that much about exactly how long this delay is; still,  
it's wrong.  
  
There are a few more callers of TimestampDifference() that don't  
have a direct need for seconds-and-microseconds, but can't use  
TimestampDifferenceMilliseconds() either because they do need  
microsecond precision or because they might possibly deal with  
intervals long enough to overflow 32-bit milliseconds.  It might be  
worth inventing another API to improve that, but that seems outside  
the scope of this patch; so those callers are untouched here.  
  
Given the fact that we are fixing some bugs, and the likelihood  
that future patches might want to back-patch code that uses this  
new API, back-patch to all supported branches.  
  
Alexey Kondratov and Tom Lane  
  
Discussion: https://postgr.es/m/3b1c053a21c07c1ed5e00be3b2b855ef@postgrespro.ru  

commit   : 9fed2b5b2eddba03bda7d62376186b141630ce38    
  
author   : Bruce Momjian <bruce@momjian.us>    
date     : Tue, 10 Nov 2020 19:18:35 -0500    
  
committer: Bruce Momjian <bruce@momjian.us>    
date     : Tue, 10 Nov 2020 19:18:35 -0500    

Was wrong in commit 1a9388bd0f.  
  
Reported-by: Tom Lane, Justin Pryzby  
  
Discussion: https://postgr.es/m/20201102063333.GE22691@telsasoft.com  
  
Backpatch-through: 9.5  

commit   : d3d4f7233a3e16dcbaa95f62e7559d147790b574    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Tue, 10 Nov 2020 18:32:36 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Tue, 10 Nov 2020 18:32:36 -0500    

Summarily changing the STYPE of regression-test aggregates that  
depend on array_append or array_cat is an issue for the buildfarm's  
cross-version-upgrade tests, because those aggregates (as defined  
in the back branches) now won't load into HEAD.  Although this seems  
like only a minimal risk for genuine user-defined aggregates, we  
need to do something for the buildfarm.  Hence, adjust the aggregate  
definitions, in both HEAD and the back branches.  
  
Discussion: https://postgr.es/m/1401824.1604537031@sss.pgh.pa.us  
Discussion: https://postgr.es/m/E1kaQ2c-0005lx-Eg@gemulon.postgresql.org