PostgreSQL 11.7 (upcoming) commit log

Fix edge case leading to agg transitions skipping ExecAggTransReparent() calls.

commit   : c8e0e560e7c6106340ac5f8eab83e4569acea278    
  
author   : Andres Freund <andres@anarazel.de>    
date     : Mon, 20 Jan 2020 23:26:51 -0800    
  
committer: Andres Freund <andres@anarazel.de>    
date     : Mon, 20 Jan 2020 23:26:51 -0800    

Click here for diff

The code checking whether an aggregate transition value needs to be  
reparented into the current context has always only compared the  
transition return value with the previous transition value by datum,  
i.e. without regard for NULLness.  This normally works, because when  
the transition function returns NULL (via fcinfo->isnull), it'll  
return a value that won't be the same as its input value.  
  
But there's no hard requirement that that's the case. And it turns  
out, it's possible to hit this case (see discussion or reproducers),  
leading to a non-null transition value not being reparented, followed  
by a crash caused by that.  
  
Instead of adding another comparison of NULLness, instead have  
ExecAggTransReparent() ensure that pergroup->transValue ends up as 0  
when the new transition value is NULL. That avoids having to add an  
additional branch to the much more common cases of the transition  
function returning the old transition value (which is a pointer in  
this case), and when the new value is different, but not NULL.  
  
In branches since 69c3936a149, also deduplicate the reparenting code  
between the expression evaluation based transitions, and the path for  
ordered aggregates.  
  
Reported-By: Teodor Sigaev, Nikita Glukhov  
Author: Andres Freund  
Discussion: https://postgr.es/m/bd34e930-cfec-ea9b-3827-a8bc50891393@sigaev.ru  
Backpatch: 9.4-, this issue has existed since at least 7.4  

M src/backend/executor/execExprInterp.c
M src/backend/executor/nodeAgg.c

Add GUC variables for stat tracking and timeout as PGDLLIMPORT

commit   : 7c7026bb7aa57663766ee28e7b18c394d3b6d7fb    
  
author   : Michael Paquier <michael@paquier.xyz>    
date     : Tue, 21 Jan 2020 13:47:01 +0900    
  
committer: Michael Paquier <michael@paquier.xyz>    
date     : Tue, 21 Jan 2020 13:47:01 +0900    

Click here for diff

This helps integration of extensions with Windows.  The following  
parameters are changed:  
- idle_in_transaction_session_timeout (9.6 and newer versions)  
- lock_timeout  
- statement_timeout  
- track_activities  
- track_counts  
- track_functions  
  
Author: Pascal Legrand  
Reviewed-by: Amit Kamila, Julien Rouhaud, Michael Paquier  
Discussion: https://postgr.es/m/1579298868581-0.post@n3.nabble.com  
Backpatch-through: 9.4  

M src/include/pgstat.h
M src/include/storage/proc.h

Fix pg_dump's sigTermHandler() to use _exit() not exit().

commit   : 4ea5cf403824e98932aa17c1c00f9c5241daf89d    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Mon, 20 Jan 2020 12:57:17 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Mon, 20 Jan 2020 12:57:17 -0500    

Click here for diff

sigTermHandler() tried to be careful to invoke only operations that  
are safe to do in a signal handler.  But for some reason we forgot  
that exit(3) is not among those, because it calls atexit handlers  
that might do various random things.  (pg_dump itself installs no  
atexit handlers, but e.g. OpenSSL does.)  That led to crashes or  
lockups when attempting to terminate a parallel dump or restore  
via a signal.  
  
Fix by calling _exit() instead.  
  
Per bug #16199 from Raúl Marín.  Back-patch to all supported branches.  
  
Discussion: https://postgr.es/m/16199-cb2f121146a96f9b@postgresql.org  

M src/bin/pg_dump/parallel.c

Fix crash in BRIN inclusion op functions, due to missing datum copy.

commit   : da7abcf0f475bfacc064210d15be9e6e31e873f9    
  
author   : Heikki Linnakangas <heikki.linnakangas@iki.fi>    
date     : Mon, 20 Jan 2020 10:36:35 +0200    
  
committer: Heikki Linnakangas <heikki.linnakangas@iki.fi>    
date     : Mon, 20 Jan 2020 10:36:35 +0200    

Click here for diff

The BRIN add_value() and union() functions need to make a longer-lived  
copy of the argument, if they want to store it in the BrinValues struct  
also passed as argument. The functions for the "inclusion operator  
classes" used with box, range and inet types didn't take into account  
that the union helper function might return its argument as is, without  
making a copy. Check for that case, and make a copy if necessary. That  
case arises at least with the range_union() function, when one of the  
arguments is an 'empty' range:  
  
CREATE TABLE brintest (n numrange);  
CREATE INDEX brinidx ON brintest USING brin (n);  
INSERT INTO brintest VALUES ('empty');  
INSERT INTO brintest VALUES (numrange(0, 2^1000::numeric));  
INSERT INTO brintest VALUES ('(-1, 0)');  
  
SELECT brin_desummarize_range('brinidx', 0);  
SELECT brin_summarize_range('brinidx', 0);  
  
Backpatch down to 9.5, where BRIN was introduced.  
  
Discussion: https://www.postgresql.org/message-id/e6e1d6eb-0a67-36aa-e779-bcca59167c14%40iki.fi  
Reviewed-by: Emre Hasegeli, Tom Lane, Alvaro Herrera  

M src/backend/access/brin/brin_inclusion.c

Repair more failures with SubPlans in multi-row VALUES lists.

commit   : d8e877b869cb5dc33a8d96218115fc12e66b73d4    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Fri, 17 Jan 2020 16:17:17 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Fri, 17 Jan 2020 16:17:17 -0500    

Click here for diff

Commit 9b63c13f0 turns out to have been fundamentally misguided:  
the parent node's subPlan list is by no means the only way in which  
a child SubPlan node can be hooked into the outer execution state.  
As shown in bug #16213 from Matt Jibson, we can also get short-lived  
tuple table slots added to the outer es_tupleTable list.  At this point  
I have little faith that there aren't other possible connections as  
well; the long time it took to notice this problem shows that this  
isn't a heavily-exercised situation.  
  
Therefore, revert that fix, returning to the coding that passed a  
NULL parent plan pointer down to the transiently-built subexpressions.  
That gives us a pretty good guarantee that they won't hook into the  
outer executor state in any way.  But then we need some other solution  
to make SubPlans work.  Adopt the solution speculated about in the  
previous commit's log message: do expression initialization at plan  
startup for just those VALUES rows containing SubPlans, abandoning the  
goal of reclaiming memory intra-query for those rows.  In practice it  
seems unlikely that queries containing a vast number of VALUES rows  
would be using SubPlans in them, so this should not give up much.  
  
(BTW, this test case also refutes my claim in connection with the prior  
commit that the issue only arises with use of LATERAL.  That was just  
wrong: some variants of SubLink always produce SubPlans.)  
  
As with previous patch, back-patch to all supported branches.  
  
Discussion: https://postgr.es/m/16213-871ac3bc208ecf23@postgresql.org  

M src/backend/executor/nodeValuesscan.c
M src/include/nodes/execnodes.h
M src/test/regress/expected/subselect.out
M src/test/regress/sql/subselect.sql

Set ReorderBufferTXN->final_lsn more eagerly

commit   : fe955ebee0f206117634521778efe10608cb6552    
  
author   : Alvaro Herrera <alvherre@alvh.no-ip.org>    
date     : Fri, 17 Jan 2020 18:00:39 -0300    
  
committer: Alvaro Herrera <alvherre@alvh.no-ip.org>    
date     : Fri, 17 Jan 2020 18:00:39 -0300    

Click here for diff

... specifically, set it incrementally as each individual change is  
spilled down to disk.  This way, it is set correctly when the  
transaction disappears without trace, ie. without leaving an XACT_ABORT  
wal record.  (This happens when the server crashes midway through a  
transaction.)  
  
Failing to have final_lsn prevents ReorderBufferRestoreCleanup() from  
working, since it needs the final_lsn in order to know the endpoint of  
its iteration through spilled files.  
  
Commit df9f682c7bf8 already tried to fix the problem, but it didn't set  
the final_lsn in all cases.  Revert that, since it's no longer needed.  
  
Author: Vignesh C  
Reviewed-by: Amit Kapila, Dilip Kumar  
Discussion: https://postgr.es/m/CALDaNm2CLk+K9JDwjYST0sPbGg5AQdvhUt0jbKyX_HdAE0jk3A@mail.gmail.com  

M src/backend/replication/logical/reorderbuffer.c
M src/include/replication/reorderbuffer.h

Allocate freechunks bitmap as part of SlabContext

commit   : 8c37e4469d13e34d80b6f561f617bd4bfe339c6c    
  
author   : Tomas Vondra <tomas.vondra@postgresql.org>    
date     : Fri, 17 Jan 2020 14:06:28 +0100    
  
committer: Tomas Vondra <tomas.vondra@postgresql.org>    
date     : Fri, 17 Jan 2020 14:06:28 +0100    

Click here for diff

The bitmap used by SlabCheck to cross-check free chunks in a block used  
to be allocated for each SlabCheck call, and was never freed. The memory  
leak could be fixed by simply adding a pfree call, but it's actually a  
bad idea to do any allocations in SlabCheck at all as it assumes the  
state of the memory management as a whole is sane.  
  
So instead we allocate the bitmap as part of SlabContext, which means  
we don't need to do any allocations in SlabCheck and the bitmap goes  
away together with the SlabContext.  
  
Backpatch to 10, where the Slab context was introduced.  
  
Author: Tomas Vondra  
Reported-by: Andres Freund  
Reviewed-by: Tom Lane  
Backpatch-through: 10  
Discussion: https://www.postgresql.org/message-id/20200116044119.g45f7pmgz4jmodxj%40alap3.anarazel.de  

M src/backend/utils/mmgr/slab.c

Fix buggy logic in isTempNamespaceInUse()

commit   : 5ec7bd819c5081d46a7e3bde60dcf7c01d7b8af9    
  
author   : Michael Paquier <michael@paquier.xyz>    
date     : Wed, 15 Jan 2020 13:58:46 +0900    
  
committer: Michael Paquier <michael@paquier.xyz>    
date     : Wed, 15 Jan 2020 13:58:46 +0900    

Click here for diff

The logic introduced in this routine as of 246a6c8 would report an  
incorrect result when a session calls it to check if the temporary  
namespace owned by the session is in use or not.  It is possible to  
optimize more the routine in this case to avoid a PGPROC lookup, but  
let's keep the logic simple.  As this routine is used only by autovacuum  
for now, there were no live bugs, still let's be correct for any future  
code involving it.  
  
Author: Michael Paquier  
Reviewed-by: Julien Rouhaud  
Discussion: https://postgr.es/m/20200113093703.GA41902@paquier.xyz  
Backpatch-through: 11  

M src/backend/catalog/namespace.c

docs: change "default role" wording to "predefined role"

commit   : 749f702d13de750b0adaf0aedbcc3c01f078c0c2    
  
author   : Bruce Momjian <bruce@momjian.us>    
date     : Tue, 14 Jan 2020 13:13:04 -0500    
  
committer: Bruce Momjian <bruce@momjian.us>    
date     : Tue, 14 Jan 2020 13:13:04 -0500    

Click here for diff

The new wording was determined to be more accurate.  Also, update  
release note links that reference these sections.  
  
Reported-by: rirans@comcast.net  
  
Discussion: https://postgr.es/m/157742545062.1149.11052653770497832538@wrigleys.postgresql.org  
  
Backpatch-through: 9.6  

M doc/src/sgml/release-11.sgml
M doc/src/sgml/user-manag.sgml

Make rewriter prevent auto-updates on views with conditional INSTEAD rules.

commit   : 9bdb1f0e37d4f65cdc32cec1563744dc92213d71    
  
author   : Dean Rasheed <dean.a.rasheed@gmail.com>    
date     : Tue, 14 Jan 2020 09:50:51 +0000    
  
committer: Dean Rasheed <dean.a.rasheed@gmail.com>    
date     : Tue, 14 Jan 2020 09:50:51 +0000    

Click here for diff

A view with conditional INSTEAD rules and no unconditional INSTEAD  
rules or INSTEAD OF triggers is not auto-updatable. Previously we  
relied on a check in the executor to catch this, but that's  
problematic since the planner may fail to properly handle such a query  
and thus return a particularly unhelpful error to the user, before  
reaching the executor check.  
  
Instead, trap this in the rewriter and report the correct error there.  
Doing so also allows us to include more useful error detail than the  
executor check can provide. This doesn't change the existing behaviour  
of updatable views; it merely ensures that useful error messages are  
reported when a view isn't updatable.  
  
Per report from Pengzhou Tang, though not adopting that suggested fix.  
Back-patch to all supported branches.  
  
Discussion: https://postgr.es/m/CAG4reAQn+4xB6xHJqWdtE0ve_WqJkdyCV4P=trYr4Kn8_3_PEA@mail.gmail.com  

M src/backend/executor/execMain.c
M src/backend/rewrite/rewriteHandler.c
M src/test/regress/expected/updatable_views.out
M src/test/regress/sql/updatable_views.sql

Revert test added by commit d207038053.

commit   : 17869eca785350f213d74e46fdd2a2c0f23f2757    
  
author   : Amit Kapila <akapila@postgresql.org>    
date     : Sat, 11 Jan 2020 10:44:39 +0530    
  
committer: Amit Kapila <akapila@postgresql.org>    
date     : Sat, 11 Jan 2020 10:44:39 +0530    

Click here for diff

This test was trying to test the mechanism to release kernel FDs as needed  
to get us under the max_safe_fds limit in case of spill files.  To do that,  
it needs to set max_files_per_process to a very low value which doesn't  
even permit starting of the server in the case when there are a few already  
opened files.  This test also won't work on platforms where we use one FD  
per semaphore.  
  
Backpatch-through: 10, till where this test was added  
Discussion:  
https://postgr.es/m/CAA4eK1LHhERi06Q+MmP9qBXBBboi+7WV3910J0aUgz71LcnKAw@mail.gmail.com  
https://postgr.es/m/6485.1578583522@sss.pgh.pa.us  

M src/test/recovery/t/006_logical_decoding.pl

Fix typo.

commit   : dea88c9be27813894081d14a8160c7d2196f4415    
  
author   : Amit Kapila <akapila@postgresql.org>    
date     : Mon, 13 Jan 2020 14:44:55 +0530    
  
committer: Amit Kapila <akapila@postgresql.org>    
date     : Mon, 13 Jan 2020 14:44:55 +0530    

Click here for diff

Reported-by: Antonin Houska  
Author: Antonin Houska  
Backpatch-through: 11, where it was introduced  
Discussion: https://postgr.es/m/2246.1578900133@antos  

M src/include/access/session.h

Fix edge-case crashes and misestimation in range containment selectivity.

commit   : 5832be6ca4d7d408dcda3746db378c524aef7b87    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Sun, 12 Jan 2020 14:37:00 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Sun, 12 Jan 2020 14:37:00 -0500    

Click here for diff

When estimating the selectivity of "range_var <@ range_constant" or  
"range_var @> range_constant", if the upper (or respectively lower)  
bound of the range_constant was above the last bin of the range_var's  
histogram, the code would access uninitialized memory and potentially  
crash (though it seems the probability of a crash is quite low).  
Handle the endpoint cases explicitly to fix that.  
  
While at it, be more paranoid about the possibility of getting NaN  
or other silly results from the range type's subdiff function.  
And improve some comments.  
  
Ordinarily we'd probably add a regression test case demonstrating  
the bug in unpatched code.  But it's too hard to get it to crash  
reliably because of the uninitialized-memory dependence, so skip that.  
  
Per bug #16122 from Adam Scott.  It's been broken from the beginning,  
apparently, so backpatch to all supported branches.  
  
Diagnosis by Michael Paquier, patch by Andrey Borodin and Tom Lane.  
  
Discussion: https://postgr.es/m/16122-eb35bc248c806c15@postgresql.org  

M src/backend/utils/adt/rangetypes_selfuncs.c

Remove incorrect assertion for INSERT in logical replication's publisher

commit   : 7eb6217db9ed46745b5cf999febc9641c626c270    
  
author   : Michael Paquier <michael@paquier.xyz>    
date     : Sun, 12 Jan 2020 22:45:10 +0900    
  
committer: Michael Paquier <michael@paquier.xyz>    
date     : Sun, 12 Jan 2020 22:45:10 +0900    

Click here for diff

On the publisher, it was assumed that an INSERT change cannot happen for  
a relation with no replica identity.  However this is true only for a  
change that needs references to old rows, aka UPDATE or DELETE, so  
trying to use logical replication with a relation that has no replica  
identity led to an assertion failure in the publisher when issuing an  
INSERT.  This commit removes the incorrect assertion, and adds more  
regression tests to provide coverage for relations without replica  
identity.  
  
Reported-by: Neha Sharma  
Author: Dilip Kumar, Michael Paquier  
Reviewed-by: Andres Freund  
Discussion: https://postgr.es/m/CANiYTQsL1Hb8_Km08qd32svrqNumXLJeoGo014O7VZymgOhZEA@mail.gmail.com  
Backpatch-through: 10  

M src/backend/replication/logical/proto.c
M src/test/subscription/t/001_rep_changes.pl

Maintain valid md.c state when FileClose() fails.

commit   : 2e86e154da23b3067fa579b530a8f057be6a391e    
  
author   : Noah Misch <noah@leadboat.com>    
date     : Fri, 10 Jan 2020 18:31:22 -0800    
  
committer: Noah Misch <noah@leadboat.com>    
date     : Fri, 10 Jan 2020 18:31:22 -0800    

Click here for diff

FileClose() failure ordinarily causes a PANIC.  Suppose the user  
disables that PANIC via data_sync_retry=on.  After mdclose() issued a  
FileClose() that failed, calls into md.c raised SIGSEGV.  This fix adds  
repalloc() calls during mdclose(); update a comment about ignoring  
repalloc() cost.  The rate of relation segment count change is a minor  
factor; more relevant to overall performance is the rate of mdclose()  
and subsequent re-opening of segments.  Back-patch to v10, where commit  
45e191e3aa62d47a8bc1a33f784286b2051f45cb introduced the bug.  
  
Reviewed by Kyotaro Horiguchi.  
  
Discussion: https://postgr.es/m/20191222091930.GA1280238@rfd.leadboat.com  

M src/backend/storage/smgr/md.c

doc: Fix naming of SELinux

commit   : 2696434b7f6b38799e338ac66962ee75f97d3eba    
  
author   : Michael Paquier <michael@paquier.xyz>    
date     : Fri, 10 Jan 2020 09:37:21 +0900    
  
committer: Michael Paquier <michael@paquier.xyz>    
date     : Fri, 10 Jan 2020 09:37:21 +0900    

Click here for diff

Reported-by: Tham Nguyen  
Discussion: https://postgr.es/m/157851402876.29175.12977878383183540468@wrigleys.postgresql.org  
Backpatch-through: 9.4  

M doc/src/sgml/ref/security_label.sgml
M src/test/modules/dummy_seclabel/README

commit   : 676c9156bbc8edb2f5249835d511c25ff7c2d126    
  
author   : Peter Eisentraut <peter@eisentraut.org>    
date     : Thu, 9 Jan 2020 16:02:23 +0100    
  
committer: Peter Eisentraut <peter@eisentraut.org>    
date     : Thu, 9 Jan 2020 16:02:23 +0100    

Click here for diff

Author: Vik Fearing <vik.fearing@2ndquadrant.com>  
Discussion: https://www.postgresql.org/message-id/flat/54c208b9-7e2c-6211-0ba0-ffb0429cf20b@2ndquadrant.com  

M doc/src/sgml/release-11.sgml

Reimplement nullification of walsender timestamp

commit   : af43581e8b297b2527e0b1716b616b7ea1fc496f    
  
author   : Alvaro Herrera <alvherre@alvh.no-ip.org>    
date     : Wed, 8 Jan 2020 14:33:49 -0300    
  
committer: Alvaro Herrera <alvherre@alvh.no-ip.org>    
date     : Wed, 8 Jan 2020 14:33:49 -0300    

Click here for diff

Make the value null only at pg_stat_activity-output time, as suggested  
by Tom Lane, instead of messing with the internal state.  This should  
appease buildfarm members with force_parallel_mode=regress, which are  
running parallel queries on logical replication walsenders.  
  
The fact that walsenders can run parallel queries should perhaps be  
studied more carefully, but for the moment let's get rid of the red  
blots in buildfarm.  
  
Backpatch to pg10, like the previous commit.  
  
Discussion: https://postgr.es/m/30804.1578438763@sss.pgh.pa.us  

M src/backend/access/transam/xact.c
M src/backend/utils/adt/pgstatfuncs.c

Revert "Forbid DROP SCHEMA on temporary namespaces"

commit   : 789bc293b3419cd4437dc6a7e99ec47882f91d04    
  
author   : Michael Paquier <michael@paquier.xyz>    
date     : Wed, 8 Jan 2020 10:36:27 +0900    
  
committer: Michael Paquier <michael@paquier.xyz>    
date     : Wed, 8 Jan 2020 10:36:27 +0900    

Click here for diff

This reverts commit a052f6c, following complains from Robert Haas and  
Tom Lane.  Backpatch down to 9.4, like the previous commit.  
  
Discussion: https://postgr.es/m/CA+TgmobL4npEX5=E5h=5Jm_9mZun3MT39Kq2suJFVeamc9skSQ@mail.gmail.com  
Backpatch-through: 9.4  

M src/backend/commands/dropcmds.c

pg_stat_activity: show NULL stmt start time for walsenders

commit   : 896db774e5b0a851792f02c8a19ea9b07c9dcc23    
  
author   : Alvaro Herrera <alvherre@alvh.no-ip.org>    
date     : Tue, 7 Jan 2020 17:38:48 -0300    
  
committer: Alvaro Herrera <alvherre@alvh.no-ip.org>    
date     : Tue, 7 Jan 2020 17:38:48 -0300    

Click here for diff

Returning a non-NULL time is pointless, sinc a walsender is not a  
process that would be running normal transactions anyway, but the code  
was unintentionally exposing the process start time intermittently,  
which was not only bogus but it also confused monitoring systems looking  
for idle transactions.  Fix by avoiding all updates in walsenders.  
  
Backpatch to 11, where walsenders started appearing in pg_stat_activity.  
  
Reported-by: Tomas Vondra  
Discussion: https://postgr.es/m/20191209234409.exe7osmyalwkt5j4@development  

M src/backend/access/transam/xact.c

Have logical replication subscriber fire column triggers

commit   : 7474393e0b98971c7779cbb23c2d7d17e38a944c    
  
author   : Peter Eisentraut <peter@eisentraut.org>    
date     : Mon, 6 Jan 2020 08:21:14 +0100    
  
committer: Peter Eisentraut <peter@eisentraut.org>    
date     : Mon, 6 Jan 2020 08:21:14 +0100    

Click here for diff

The logical replication apply worker did not fire per-column update  
triggers because the updatedCols bitmap in the RTE was not populated.  
This fixes that.  
  
Reviewed-by: Euler Taveira <euler@timbira.com.br>  
Discussion: https://www.postgresql.org/message-id/flat/21673e2d-597c-6afe-637e-e8b10425b240%402ndquadrant.com  

M src/backend/replication/logical/worker.c
M src/test/subscription/t/003_constraints.pl

Fix typos in parallel query docs.

commit   : a8474d863074cc97f49702b4cff4c69613f30b96    
  
author   : Amit Kapila <akapila@postgresql.org>    
date     : Fri, 3 Jan 2020 10:52:46 +0530    
  
committer: Amit Kapila <akapila@postgresql.org>    
date     : Fri, 3 Jan 2020 10:52:46 +0530    

Click here for diff

Reported-by: Jon Jensen  
Author: Jon Jensen  
Reviewed-by: Amit Kapila and Robert Haas  
Backpatch-through: 10  
Discussion: https://postgr.es/m/nycvar.YSQ.7.76.1912301807510.9899@ybpnyubfg  

M doc/src/sgml/parallel.sgml

Fix cloning of row triggers to sub-partitions

commit   : adc9cb6f26f785d1e62a0bd86d69974aab1bf6e5    
  
author   : Alvaro Herrera <alvherre@alvh.no-ip.org>    
date     : Thu, 2 Jan 2020 17:04:24 -0300    
  
committer: Alvaro Herrera <alvherre@alvh.no-ip.org>    
date     : Thu, 2 Jan 2020 17:04:24 -0300    

Click here for diff

When row triggers exist in partitioned partitions that are not either  
part of FKs or deferred unique constraints, they are not correctly  
cloned to their partitions.  That's because they are marked "internal",  
and those are purposefully skipped when doing the clone triggers dance.  
Fix by relaxing the condition on which internal triggers are skipped.  
  
Amit Langote initially diagnosed the problem and proposed a fix, but I  
used a different approach.  
  
Reported-by: Petr Fedorov  
Discussion: https://postgr.es/m/6b3f0646-ba8c-b3a9-c62d-1c6651a1920f@phystech.edu  

M src/backend/commands/tablecmds.c
M src/test/regress/expected/triggers.out
M src/test/regress/sql/triggers.sql

Fix comment in test

commit   : f565f530edcc4728ed004b7c75b876168df2daa0    
  
author   : Peter Eisentraut <peter@eisentraut.org>    
date     : Thu, 2 Jan 2020 14:40:18 +0100    
  
committer: Peter Eisentraut <peter@eisentraut.org>    
date     : Thu, 2 Jan 2020 14:40:18 +0100    

Click here for diff

The comment was apparently copy-and-pasted and did not reflect the  
actual test outcome.  

M src/test/regress/expected/alter_generic.out
M src/test/regress/sql/alter_generic.sql

Fix running out of file descriptors for spill files.

commit   : 3e3a7973523570089fa69533dcb3aa0122636d8c    
  
author   : Amit Kapila <akapila@postgresql.org>    
date     : Thu, 2 Jan 2020 10:55:54 +0530    
  
committer: Amit Kapila <akapila@postgresql.org>    
date     : Thu, 2 Jan 2020 10:55:54 +0530    

Click here for diff

Currently while decoding changes, if the number of changes exceeds a  
certain threshold, we spill those to disk.  And this happens for each  
(sub)transaction.  Now, while reading all these files, we don't close them  
until we read all the files.  While reading these files, if the number of  
such files exceeds the maximum number of file descriptors, the operation  
errors out.  
  
Use PathNameOpenFile interface to open these files as that internally has  
the mechanism to release kernel FDs as needed to get us under the  
max_safe_fds limit.  
  
Reported-by: Amit Khandekar  
Author: Amit Khandekar  
Reviewed-by: Amit Kapila  
Backpatch-through: 9.4  
Discussion: https://postgr.es/m/CAJ3gD9c-sECEn79zXw4yBnBdOttacoE-6gAyP0oy60nfs_sabQ@mail.gmail.com  

M src/backend/replication/logical/reorderbuffer.c
M src/test/recovery/t/006_logical_decoding.pl

Update copyrights for 2020

commit   : 9776feb0e9ccb5bd05eb02c1296f0a78a50b766b    
  
author   : Bruce Momjian <bruce@momjian.us>    
date     : Wed, 1 Jan 2020 12:21:44 -0500    
  
committer: Bruce Momjian <bruce@momjian.us>    
date     : Wed, 1 Jan 2020 12:21:44 -0500    

Click here for diff

Backpatch-through: update all files in master, backpatch legal files through 9.4  

M COPYRIGHT
M doc/src/sgml/legal.sgml

Add pg_dump test for triggers on partitioned tables

commit   : 0a40f33b8768f065692aeda5b84eb1ec91aa03f0    
  
author   : Alvaro Herrera <alvherre@alvh.no-ip.org>    
date     : Fri, 27 Dec 2019 18:34:30 -0300    
  
committer: Alvaro Herrera <alvherre@alvh.no-ip.org>    
date     : Fri, 27 Dec 2019 18:34:30 -0300    

Click here for diff

This currently works, but add this test to ensure it continues to work.  
Lack of this test became evident after a recent bugfix submission that  
would have inadvertently broken it, in  
https://postgr.es/m/CA+HiwqFM2=i+uHB9o4OkLbE2S3sjPHoVe2wXuAD1GLJ4+Pk9eg@mail.gmail.com  

M src/bin/pg_dump/t/002_pg_dump.pl

doc: add examples of creative use of unique expression indexes

commit   : e6cf1724d8cdf81b4ec7e613e1b41357834261f9    
  
author   : Bruce Momjian <bruce@momjian.us>    
date     : Fri, 27 Dec 2019 14:49:08 -0500    
  
committer: Bruce Momjian <bruce@momjian.us>    
date     : Fri, 27 Dec 2019 14:49:08 -0500    

Click here for diff

Unique expression indexes can constrain data in creative ways, so show  
two examples.  
  
Reported-by: Tuomas Leikola  
  
Discussion: https://postgr.es/m/156760275564.1127.12321702656456074572@wrigleys.postgresql.org  
  
Backpatch-through: 9.4  

M doc/src/sgml/indices.sgml

docs: clarify infinite range values from data-type infinities

commit   : 4666da12d02eef0cacf278e9422ea90906ec2f65    
  
author   : Bruce Momjian <bruce@momjian.us>    
date     : Fri, 27 Dec 2019 14:33:30 -0500    
  
committer: Bruce Momjian <bruce@momjian.us>    
date     : Fri, 27 Dec 2019 14:33:30 -0500    

Click here for diff

The previous docs referenced these distinct ideas confusingly.  
  
Reported-by: Eugen Konkov  
  
Discussion: https://postgr.es/m/376945611.20191026161529@yandex.ru  
  
Backpatch-through: 9.4  

M doc/src/sgml/rangetypes.sgml

Forbid DROP SCHEMA on temporary namespaces

commit   : 786540085dbd5bccb5d8bfb9b519c4ffbf07ec28    
  
author   : Michael Paquier <michael@paquier.xyz>    
date     : Fri, 27 Dec 2019 17:59:16 +0900    
  
committer: Michael Paquier <michael@paquier.xyz>    
date     : Fri, 27 Dec 2019 17:59:16 +0900    

Click here for diff

This operation was possible for the owner of the schema or a superuser.  
Down to 9.4, doing this operation would cause inconsistencies in a  
session whose temporary schema was dropped, particularly if trying to  
create new temporary objects after the drop.  A more annoying  
consequence is a crash of autovacuum on an assertion failure when  
logging information about an orphaned temp table dropped.  Note that  
because of 246a6c8 (present in v11~), which has made the removal of  
orphaned temporary tables more aggressive, the failure could be  
triggered more easily, but it is possible to reproduce down to 9.4.  
  
Reported-by: Mahendra Singh, Prabhat Sahu  
Author: Michael Paquier  
Reviewed-by: Kyotaro Horiguchi, Mahendra Singh  
Discussion: https://postgr.es/m/CAKYtNAr9Zq=1-ww4etHo-VCC-k120YxZy5OS01VkaLPaDbv2tg@mail.gmail.com  
Backpatch-through: 9.4  

M src/backend/commands/dropcmds.c

Fix possible loss of sync between rectypeid and underlying PLpgSQL_type.

commit   : ee206cb830eff45179afde06c93643210b52b196    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Thu, 26 Dec 2019 15:19:39 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Thu, 26 Dec 2019 15:19:39 -0500    

Click here for diff

When revalidate_rectypeid() acts to update a stale record type OID  
in plpgsql's data structures, it fixes the active PLpgSQL_rec struct  
as well as the PLpgSQL_type struct it references.  However, the latter  
is shared across function executions while the former is not.  In a  
later function execution, the PLpgSQL_rec struct would be reinitialized  
by copy_plpgsql_datums and would then contain a stale type OID,  
typically leading to "could not open relation with OID NNNN" errors.  
revalidate_rectypeid() can easily fix this, fortunately, just by  
treating typ->typoid as authoritative.  
  
Per report and diagnosis from Ashutosh Sharma, though this is not his  
suggested fix.  Back-patch to v11 where this code came in.  
  
Discussion: https://postgr.es/m/CAE9k0Pkd4dZwt9J5pS9xhJFWpUtqs05C9xk_GEwPzYdV=GxwWg@mail.gmail.com  

M src/pl/plpgsql/src/expected/plpgsql_record.out
M src/pl/plpgsql/src/pl_exec.c
M src/pl/plpgsql/src/sql/plpgsql_record.sql

commit   : 1b2356a2911ca84eefdf5dcb7f574677b8879c80    
  
author   : Michael Paquier <michael@paquier.xyz>    
date     : Thu, 26 Dec 2019 22:26:31 +0900    
  
committer: Michael Paquier <michael@paquier.xyz>    
date     : Thu, 26 Dec 2019 22:26:31 +0900    

Click here for diff

confirmed_flush is part of a replication slot's information, but not  
confirmed_lsn.  
  
Author: Kyotaro Horiguchi  
Discussion: https://postgr.es/m/20191226.175919.17237335658671970.horikyota.ntt@gmail.com  
Backpatch-through: 11  

M src/backend/replication/slotfuncs.c

Rotate instead of shifting hash join batch number.

commit   : 9e551a14cb45e1240af4978b44d2b7c1c649482e    
  
author   : Thomas Munro <tmunro@postgresql.org>    
date     : Tue, 24 Dec 2019 11:31:24 +1300    
  
committer: Thomas Munro <tmunro@postgresql.org>    
date     : Tue, 24 Dec 2019 11:31:24 +1300    

Click here for diff

Our algorithm for choosing batch numbers turned out not to work  
effectively for multi-billion key inner relations.  We would use  
more hash bits than we have, and effectively concentrate all tuples  
into a smaller number of batches than we intended.  While ideally  
we should switch to wider hashes, for now, change the algorithm to  
one that effectively gives up bits from the bucket number when we  
don't have enough bits.  That means we'll finish up with longer  
bucket chains than would be ideal, but that's better than having  
batches that don't fit in work_mem and can't be divided.  
  
Batch-patch to all supported releases.  
  
Author: Thomas Munro  
Reviewed-by: Tom Lane, thanks also to Tomas Vondra, Alvaro Herrera, Andres Freund for testing and discussion  
Reported-by: James Coleman  
Discussion: https://postgr.es/m/16104-dc11ed911f1ab9df%40postgresql.org  

M src/backend/executor/nodeHash.c

Disallow null category in crosstab_hash

commit   : f49e5efbc29af0d7d58a9bdffbd314b85a1cf6af    
  
author   : Joe Conway <mail@joeconway.com>    
date     : Mon, 23 Dec 2019 13:33:42 -0500    
  
committer: Joe Conway <mail@joeconway.com>    
date     : Mon, 23 Dec 2019 13:33:42 -0500    

Click here for diff

While building a hash map of categories in load_categories_hash,  
resulting category names have not thus far been checked to ensure  
they are not null. Prior to pg12 null category names worked to the  
extent that they did not crash on some platforms. This is because  
those system libraries have an snprintf which can deal with being  
passed a null pointer argument for a string. But even in those cases  
null categories did nothing useful. And on some platforms it crashed.  
As of pg12, our own version of snprintf gets called, and it does  
not deal with null pointer arguments at all, and crashes consistently.  
  
Fix that by disallowing null categories. They never worked usefully,  
and no one has ever asked for them to work previously. Back-patch to  
all supported branches.  
  
Reported-By: Ireneusz Pluta  
Discussion: https://postgr.es/m/16176-7489719b05e4303c@postgresql.org  

M contrib/tablefunc/tablefunc.c

Disallow partition key expressions that return pseudo-types.

commit   : 281dd22ac0150603ab82c052a9b5995cc2c5fb8f    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Mon, 23 Dec 2019 12:53:13 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Mon, 23 Dec 2019 12:53:13 -0500    

Click here for diff

This wasn't checked originally, but it should have been, because  
in general pseudo-types can't be stored to and retrieved from disk.  
Notably, partition bound values of type "record" would not be  
interpretable by another session.  
  
In v12 and HEAD, add another flag to CheckAttributeType's repertoire  
so that it can produce a specific error message for this case.  That's  
infeasible in older branches without an ABI break, so fall back to  
a slightly-less-nicely-worded error message in v10 and v11.  
  
Problem noted by Amit Langote, though this patch is not his initial  
solution.  Back-patch to v10 where partitioning was introduced.  
  
Discussion: https://postgr.es/m/CA+HiwqFUzjfj9HEsJtYWcr1SgQ_=iCAvQ=O2Sx6aQxoDu4OiHw@mail.gmail.com  

M src/backend/commands/tablecmds.c
M src/test/regress/expected/create_table.out
M src/test/regress/sql/create_table.sql

Prevent a rowtype from being included in itself via a range.

commit   : 31dfa40a834177b8e989a59252ee3ce1a3309075    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Mon, 23 Dec 2019 12:08:24 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Mon, 23 Dec 2019 12:08:24 -0500    

Click here for diff

We probably should have thought of this case when ranges were added,  
but we didn't.  (It's not the fault of commit eb51af71f, because  
ranges didn't exist then.)  
  
It's an old bug, so back-patch to all supported branches.  
  
Discussion: https://postgr.es/m/7782.1577051475@sss.pgh.pa.us  

M src/backend/catalog/heap.c
M src/test/regress/expected/rangetypes.out
M src/test/regress/sql/rangetypes.sql

Avoid low-probability regression test failures in timestamp[tz] tests.

commit   : fd06985cb9e780237c87cef9c27f134eb0abb4d3    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Sun, 22 Dec 2019 18:00:17 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Sun, 22 Dec 2019 18:00:17 -0500    

Click here for diff

If the first transaction block in these tests were entered exactly  
at midnight (California time), they'd report a bogus failure due  
to 'now' and 'midnight' having the same values.  Commit 8c2ac75c5  
had dismissed this as being of negligible probability, but we've  
now seen it happen in the buildfarm, so let's prevent it.  We can  
get pretty much the same test coverage without an it's-not-midnight  
assumption by moving the does-'now'-work cases into their own test step.  
  
While here, apply commit 47169c255's s/DELETE/TRUNCATE/ change to  
timestamptz as well as timestamp (not sure why that didn't  
occur to me at the time; the risk of failure is the same).  
  
Back-patch to all supported branches, since the main point is  
to get rid of potential buildfarm failures.  
  
Discussion: https://postgr.es/m/14821.1577031117@sss.pgh.pa.us  

M src/test/regress/expected/timestamp.out
M src/test/regress/expected/timestamptz.out
M src/test/regress/sql/timestamp.sql
M src/test/regress/sql/timestamptz.sql

In pgwin32_open, loop after ERROR_ACCESS_DENIED only if we can't stat.

commit   : b3c4e2418835f01ace9c19d4b17d3a0974f97206    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Sat, 21 Dec 2019 17:39:36 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Sat, 21 Dec 2019 17:39:36 -0500    

Click here for diff

This fixes a performance problem introduced by commit 6d7547c21.  
ERROR_ACCESS_DENIED is returned in some other cases besides the  
delete-pending case considered by that commit; notably, if the  
given path names a directory instead of a plain file.  In that  
case we'll uselessly loop for 1 second before returning the  
failure condition.  That slows down some usage scenarios enough  
to cause test timeout failures on our Windows buildfarm critters.  
  
To fix, try to stat() the file, and sleep/loop only if that fails.  
It will fail in the delete-pending case, and also in the case where  
the deletion completed before we could stat(), so we have the cases  
where we want to loop covered.  In the directory case, the stat()  
should succeed, letting us exit without a wait.  
  
One case where we'll still wait uselessly is if the access-denied  
problem pertains to a directory in the given pathname.  But we don't  
expect that to happen in any performance-critical code path.  
  
There might be room to refine this further, but I'll push it now  
in hopes of making the buildfarm green again.  
  
Back-patch, like the preceding commit.  
  
Alexander Lakhin and Tom Lane  
  
Discussion: https://postgr.es/m/23073.1576626626@sss.pgh.pa.us  

M src/port/open.c

docs: clarify handling of column lists in COPY TO/FROM

commit   : 7b94a0b389e2686e08fc839b55cc010c16fabad8    
  
author   : Bruce Momjian <bruce@momjian.us>    
date     : Sat, 21 Dec 2019 12:44:38 -0500    
  
committer: Bruce Momjian <bruce@momjian.us>    
date     : Sat, 21 Dec 2019 12:44:38 -0500    

Click here for diff

Previously it was unclear how COPY FROM handled cases where not all  
columns were specified, or if the order didn't match.  
  
Reported-by: pavlo.golub@gmail.com  
  
Discussion: https://postgr.es/m/157487729344.7213.14245726713444755296@wrigleys.postgresql.org  
  
Backpatch-through: 9.4  

M doc/src/sgml/ref/copy.sgml

commit   : 1a77ea02dca5b5f08c3b789b2390ef8544bee8a3    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Fri, 20 Dec 2019 15:34:08 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Fri, 20 Dec 2019 15:34:08 -0500    

Click here for diff

We realized years ago that it's better for libpq to accept all  
connection parameters syntactically, even if some are ignored or  
restricted due to lack of the feature in a particular build.  
However, that lesson from the SSL support was for some reason never  
applied to the GSSAPI support.  This is causing various buildfarm  
members to have problems with a test case added by commit 6136e94dc,  
and it's just a bad idea from a user-experience standpoint anyway,  
so fix it.  
  
While at it, fix some places where parameter-related infrastructure  
was added with the aid of a dartboard, or perhaps with the aid of  
the anti-pattern "add new stuff at the end".  It should be safe  
to rearrange the contents of struct pg_conn even in released  
branches, since that's private to libpq (and we'd have to move  
some fields in some builds to fix this, anyway).  
  
Back-patch to all supported branches.  
  
Discussion: https://postgr.es/m/11297.1576868677@sss.pgh.pa.us  

M contrib/postgres_fdw/expected/postgres_fdw.out
M contrib/postgres_fdw/sql/postgres_fdw.sql
M doc/src/sgml/libpq.sgml
M src/interfaces/libpq/fe-connect.c
M src/interfaces/libpq/libpq-int.h

Doc: add a short summary of available authentication methods.

commit   : 0f8571b5d5523618572d7913817ba35040ffd771    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Thu, 19 Dec 2019 09:42:47 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Thu, 19 Dec 2019 09:42:47 -0500    

Click here for diff

The "auth-methods" <sect1> used to include descriptions of all our  
authentication methods.  Commit 56811e573 promoted its child <sect2>'s  
to <sect1>'s, which has advantages but also created some issues:  
* The auth-methods page itself is essentially empty/useless.  
* Links that pointed to "auth-methods" as a placeholder for all  
auth methods were rendered a bit nonsensical.  
* DocBook no longer provides a subsection table-of-contents here,  
which formerly was a useful if terse summary of available auth methods.  
  
To improve matters, add a handwritten list of all the auth methods.  
  
Per gripe from Dave Cramer.  Back-patch to v11 where the previous  
commit came in.  
  
Discussion: https://postgr.es/m/CADK3HH+xQLhcPgg=kWqfogtXGGZr-JdSo=x=WQC0PkAVyxUWyQ@mail.gmail.com  

M doc/src/sgml/client-auth.sgml

Fix subscriber invalid memory access on DDL.

commit   : 046830164ee4064623c34930a41c351106338041    
  
author   : Amit Kapila <akapila@postgresql.org>    
date     : Wed, 18 Dec 2019 08:16:31 +0530    
  
committer: Amit Kapila <akapila@postgresql.org>    
date     : Wed, 18 Dec 2019 08:16:31 +0530    

Click here for diff

This patch allows building the local relmap cache for a subscribed  
relation after processing pending invalidation messages and potential  
relcache updates.  Without this, the attributes in the local cache don't  
tally with the updated relcache entry leading to invalid memory access.  
  
Reported-by Jehan-Guillaume de Rorthais  
Author: Jehan-Guillaume de Rorthais and Vignesh C  
Reviewed-by: Amit Kapila  
Backpatch-through: 10  
Discussion: https://postgr.es/m/20191025175929.7e90dbf5@firost  

M src/backend/replication/logical/relation.c

Remove shadow variables linked to RedoRecPtr in xlog.c

commit   : 668365014d7b330fa828826ff94653d446971a86    
  
author   : Michael Paquier <michael@paquier.xyz>    
date     : Wed, 18 Dec 2019 10:11:36 +0900    
  
committer: Michael Paquier <michael@paquier.xyz>    
date     : Wed, 18 Dec 2019 10:11:36 +0900    

Click here for diff

This changes the routines in charge of recycling WAL segments past the  
last redo LSN to not use anymore "RedoRecPtr" as a local variable, which  
is also available in the context of the session as a static declaration,  
replacing it with "lastredoptr".  This confusion has been introduced by  
d9fadbf, so backpatch down to v11 like the other commit.  
  
Thanks to Tom Lane, Robert Haas, Alvaro Herrera, Mark Dilger and Kyotaro  
Horiguchi for the input provided.  
  
Author: Ranier Vilela  
Discussion: https://postgr.es/m/MN2PR18MB2927F7B5F690065E1194B258E35D0@MN2PR18MB2927.namprd18.prod.outlook.com  
Backpatch-through: 11  

M src/backend/access/transam/xlog.c

Fix error reporting for index expressions of prohibited types.

commit   : fc449abc3dccc06b01783bcdb2c348c8ef670ccd    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Tue, 17 Dec 2019 17:44:28 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Tue, 17 Dec 2019 17:44:28 -0500    

Click here for diff

If CheckAttributeType() threw an error about the datatype of an  
index expression column, it would report an empty column name,  
which is pretty unhelpful and certainly not the intended behavior.  
I (tgl) evidently broke this in commit cfc5008a5, by not noticing  
that the column's attname was used above where I'd placed the  
assignment of it.  
  
In HEAD and v12, this is trivially fixable by moving up the  
assignment of attname.  Before v12 the code is a bit more messy;  
to avoid doing substantial refactoring, I took the lazy way out  
and just put in two copies of the assignment code.  
  
Report and patch by Amit Langote.  Back-patch to all supported  
branches.  
  
Discussion: https://postgr.es/m/CA+HiwqFA+BGyBFimjiYXXMa2Hc3fcL0+OJOyzUNjhU4NCa_XXw@mail.gmail.com  

M src/backend/catalog/index.c
M src/test/regress/expected/create_index.out
M src/test/regress/sql/create_index.sql

Change overly strict Assert in TransactionGroupUpdateXidStatus.

commit   : fc68a10b573faababd3a7d2b3f1f703a8ae76a44    
  
author   : Amit Kapila <akapila@postgresql.org>    
date     : Thu, 12 Dec 2019 11:51:30 +0530    
  
committer: Amit Kapila <akapila@postgresql.org>    
date     : Thu, 12 Dec 2019 11:51:30 +0530    

Click here for diff

This Assert thought that an overflowed transaction can never get registered  
for the group update.  But that is not true, because even when the number  
of children for a transaction got reduced, the overflow flag is not  
changed.  And, for group update, we only care about the current number of  
children for a transaction that is being committed.  
  
Based on comments by Andres Freund, remove a redundant Assert in  
TransactionIdSetPageStatus as we already had a static Assert for the same  
condition a few lines earlier.  
  
Reported-by: Vignesh C  
Author: Dilip Kumar  
Reviewed-by: Amit Kapila  
Backpatch-through: 11  
Discussion: https://postgr.es/m/CAFiTN-s5=uJw-Z6JC9gcqtBSjXsrHnU63PXBrA=pnBjqnkm5UA@mail.gmail.com  

M src/backend/access/transam/clog.c

On Windows, wait a little to see if ERROR_ACCESS_DENIED goes away.

commit   : 2cf51809b1ae072d2f086286456e1e29e234a2a8    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Mon, 16 Dec 2019 15:10:55 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Mon, 16 Dec 2019 15:10:55 -0500    

Click here for diff

Attempting to open a file fails with ERROR_ACCESS_DENIED if the file  
is flagged for deletion but not yet actually gone (another in a long  
list of reasons why Windows is broken, if you ask me).  This seems  
likely to explain a lot of irreproducible failures we see in the  
buildfarm.  This state generally persists for only a millisecond or so,  
so just wait a bit and retry.  If it's a real permissions problem,  
we'll eventually give up and report it as such.  If it's the pending  
deletion case, we'll see file-not-found and report that after the  
deletion completes, and the caller will treat that in an appropriate  
way.  
  
In passing, rejigger the existing retry logic for some other error  
cases so that we don't uselessly wait an extra time when we're  
not going to retry anymore.  
  
Alexander Lakhin (with cosmetic tweaks by me).  Back-patch to all  
supported branches, since this seems like a pretty safe change and  
the problem is definitely real.  
  
Discussion: https://postgr.es/m/16161-7a985d2f1bbe8f71@postgresql.org  

M src/port/open.c

Clean up some misplaced comments in partition_join.sql regression test.

commit   : 06b9f38d35d1426d91101c16ed9717118ebcec66    
  
author   : Etsuro Fujita <efujita@postgresql.org>    
date     : Mon, 16 Dec 2019 17:00:17 +0900    
  
committer: Etsuro Fujita <efujita@postgresql.org>    
date     : Mon, 16 Dec 2019 17:00:17 +0900    

Click here for diff

Also, add a comment explaining a test case.  
  
Back-patch to 11 where the regression test was added.  
  
Discussion: https://postgr.es/m/CAPmGK15adZPh2B%2BmGUjSOMH%2BH39ogDRWfCfm4G6jncZCAs9V_Q%40mail.gmail.com  

M src/test/regress/expected/partition_join.out
M src/test/regress/sql/partition_join.sql

Fix EXTRACT(ISOYEAR FROM timestamp) for years BC.

commit   : 332584da9cfdbe91a651427a9fc3ed76dffaa529    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Thu, 12 Dec 2019 12:30:44 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Thu, 12 Dec 2019 12:30:44 -0500    

Click here for diff

The test cases added by commit 26ae3aa80 exposed an old oversight in  
timestamp[tz]_part: they didn't correct the result of date2isoyear()  
for BC years, so that we produced an off-by-one answer for such years.  
Fix that, and back-patch to all supported branches.  
  
Discussion: https://postgr.es/m/SG2PR06MB37762CAE45DB0F6CA7001EA9B6550@SG2PR06MB3776.apcprd06.prod.outlook.com  

M src/backend/utils/adt/timestamp.c
M src/test/regress/expected/timestamp.out
M src/test/regress/expected/timestamptz.out

Remove redundant function calls in timestamp[tz]_part().

commit   : 7d233810a3a3b20460639253f5e38d4186cd350d    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Thu, 12 Dec 2019 12:12:35 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Thu, 12 Dec 2019 12:12:35 -0500    

Click here for diff

The DTK_DOW/DTK_ISODOW and DTK_DOY switch cases in timestamp_part() and  
timestamptz_part() contained calls of timestamp2tm() that were fully  
redundant with the ones done just above the switch.  This evidently crept  
in during commit 258ee1b63, which relocated that code from another place  
where the calls were indeed needed.  Just delete the redundant calls.  
  
I (tgl) noted that our test coverage of these functions left quite a  
bit to be desired, so extend timestamp.sql and timestamptz.sql to  
cover all the branches.  
  
Back-patch to all supported branches, as the previous commit was.  
There's no real issue here other than some wasted cycles in some  
not-too-heavily-used code paths, but the test coverage seems valuable.  
  
Report and patch by Li Japin; test case adjustments by me.  
  
Discussion: https://postgr.es/m/SG2PR06MB37762CAE45DB0F6CA7001EA9B6550@SG2PR06MB3776.apcprd06.prod.outlook.com  

M src/backend/utils/adt/timestamp.c
M src/test/regress/expected/timestamp.out
M src/test/regress/expected/timestamptz.out
M src/test/regress/sql/timestamp.sql
M src/test/regress/sql/timestamptz.sql

Remove extra parenthesis from comment.

commit   : d94766a65a6012ccf9926bd154b087a0afb15068    
  
author   : Etsuro Fujita <efujita@postgresql.org>    
date     : Thu, 12 Dec 2019 15:45:02 +0900    
  
committer: Etsuro Fujita <efujita@postgresql.org>    
date     : Thu, 12 Dec 2019 15:45:02 +0900    

Click here for diff

M src/backend/partitioning/partbounds.c

Doc: back-patch documentation about limitations of CHECK constraints.

commit   : 49b83f6474349ecc756348f422003f447a5058bf    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Wed, 11 Dec 2019 15:53:36 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Wed, 11 Dec 2019 15:53:36 -0500    

Click here for diff

Back-patch commits 36d442a25 and 1f66c657f into all supported  
branches.  I'd considered doing this when putting in the latter  
commit, but failed to pull the trigger.  Now that we've had an  
actual field complaint about the lack of such docs, let's do it.  
  
Per bug #16158 from Piotr Jander.  Original patches by Lætitia Avrot,  
Patrick Francelle, and me.  
  
Discussion: https://postgr.es/m/16158-7ccf2f74b3d655db@postgresql.org  

M doc/src/sgml/ddl.sgml
M doc/src/sgml/ref/alter_domain.sgml
M doc/src/sgml/ref/alter_table.sgml
M doc/src/sgml/ref/create_domain.sgml
M doc/src/sgml/ref/create_table.sgml

Fix race condition in our Windows signal emulation.

commit   : 2ed302ab97034a683816a3d6610e03345e6aef3b    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Mon, 9 Dec 2019 15:03:51 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Mon, 9 Dec 2019 15:03:51 -0500    

Click here for diff

pg_signal_dispatch_thread() responded to the client (signal sender)  
and disconnected the pipe before actually setting the shared variables  
that make the signal visible to the backend process's main thread.  
In the worst case, it seems, effective delivery of the signal could be  
postponed for as long as the machine has any other work to do.  
  
To fix, just move the pg_queue_signal() call so that we do it before  
responding to the client.  This essentially makes pgkill() synchronous,  
which is a stronger guarantee than we have on Unix.  That may be  
overkill, but on the other hand we have not seen comparable timing bugs  
on any Unix platform.  
  
While at it, add some comments to this sadly underdocumented code.  
  
Problem diagnosis and fix by Amit Kapila; I just added the comments.  
  
Back-patch to all supported versions, as it appears that this can cause  
visible NOTIFY timing oddities on all of them, and there might be  
other misbehavior due to slow delivery of other signals.  
  
Discussion: https://postgr.es/m/32745.1575303812@sss.pgh.pa.us  

M src/backend/port/win32/signal.c

Improve isolationtester's timeout management.

commit   : 235eab52c059b07d57e8f18aaa17d7528bb523e9    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Mon, 9 Dec 2019 14:31:57 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Mon, 9 Dec 2019 14:31:57 -0500    

Click here for diff

isolationtester.c had a hard-wired limit of 3 minutes per test step.  
It now emerges that this isn't quite enough for some of the slowest  
buildfarm animals.  This isn't the first time we've had to raise  
this limit (cf. 1db439ad4), so let's make it configurable.  This  
patch raises the default to 5 minutes, and introduces an environment  
variable PGISOLATIONTIMEOUT that can be set if more time is needed,  
following the precedent of PGCTLTIMEOUT.  
  
Also, modify isolationtester so that when the timeout is hit,  
it explicitly reports having sent a cancel.  This makes the regression  
failure log considerably more intelligible.  (In the worst case, a  
timed-out test might actually be reported as "passing" without this  
extra output, so arguably this is a bug fix in itself.)  
  
In passing, update the README file, which had apparently not gotten  
touched when we added "make check" support here.  
  
Back-patch to 9.6; older versions don't have comparable timeout logic.  
  
Discussion: https://postgr.es/m/22964.1575842935@sss.pgh.pa.us  

M src/test/isolation/README
M src/test/isolation/isolationtester.c

Fix typos in miscinit.c.

commit   : 469a274229143eba0940b7c116ecd1032d959af1    
  
author   : Amit Kapila <akapila@postgresql.org>    
date     : Mon, 9 Dec 2019 08:39:34 +0530    
  
committer: Amit Kapila <akapila@postgresql.org>    
date     : Mon, 9 Dec 2019 08:39:34 +0530    

Click here for diff

Commit f13ea95f9e moved the description of postmaster.pid file contents  
from miscadmin.h to pidfile.h, but missed to update the comments in  
miscinit.c.  
  
Author: Hadi Moshayedi  
Reviewed-by: Amit Kapila  
Backpatch-through: 10  
Discussion: https://postgr.es/m/CAK=1=WpYEM9x3LGkaxgXaxeYQjnkdW8XLsxrYRTE2Gq-H83FMw@mail.gmail.com  

M src/backend/utils/init/miscinit.c

Document search_path security with untrusted dbowner or CREATEROLE.

commit   : b97857b67659afda917bef87ac03bb99781db878    
  
author   : Noah Misch <noah@leadboat.com>    
date     : Sun, 8 Dec 2019 11:06:26 -0800    
  
committer: Noah Misch <noah@leadboat.com>    
date     : Sun, 8 Dec 2019 11:06:26 -0800    

Click here for diff

Commit 5770172cb0c9df9e6ce27c507b449557e5b45124 wrote, incorrectly, that  
certain schema usage patterns are secure against CREATEROLE users and  
database owners.  When an untrusted user is the database owner or holds  
CREATEROLE privilege, a query is secure only if its session started with  
SELECT pg_catalog.set_config('search_path', '', false) or equivalent.  
Back-patch to 9.4 (all supported versions).  
  
Discussion: https://postgr.es/m/20191013013512.GC4131753@rfd.leadboat.com  

M doc/src/sgml/ddl.sgml

Doc: improve documentation about run-time pruning's effects on EXPLAIN.

commit   : 731ab0a284f43048f66516d5b3b642819035ba1a    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Sun, 8 Dec 2019 10:36:29 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Sun, 8 Dec 2019 10:36:29 -0500    

Click here for diff

Tatsuo Ishii complained that this para wasn't very intelligible.  
Try to make it better.  
  
Discussion: https://postgr.es/m/20191207.200500.989741087350666720.t-ishii@sraoss.co.jp  

M doc/src/sgml/perform.sgml

Fix handling of OpenSSL's SSL_clear_options

commit   : 7ad544fd8e4528e920f994098a587c7ffd8ea595    
  
author   : Michael Paquier <michael@paquier.xyz>    
date     : Fri, 6 Dec 2019 15:14:31 +0900    
  
committer: Michael Paquier <michael@paquier.xyz>    
date     : Fri, 6 Dec 2019 15:14:31 +0900    

Click here for diff

This function is supported down to OpenSSL 0.9.8, which is the oldest  
version supported since 593d4e4 (from Postgres 10 onwards), and is used  
since e3bdb2d (from 11 onwards).  It is defined as a macro from OpenSSL  
0.9.8 to 1.0.2, and as a function in 1.1.0 and newer versions.  However,  
the configure check present is only adapted for functions.  So, even if  
the code would be able to compile, configure fails to detect the macro,  
causing it to be ignored when compiling the code with OpenSSL from 0.9.8  
to 1.0.2.  
  
The code needs a configure check as per a364dfa, which has fixed a  
compilation issue with a past version of LibreSSL in NetBSD 5.1.  On  
HEAD, just remove the configure check as the last release of NetBSD 5 is  
from 2014 (and we have no more buildfarm members for it).  In 11 and 12,  
improve the configure logic so as both macros and functions are  
correctly detected.  This makes NetBSD 5 still work on already-released  
branches, but not for 13 onwards.  
  
The patch for HEAD is from me, and Daniel has written the version to use  
for the back-branches.  
  
Author: Michael Paquier, Daniel Gustaffson  
Reviewed-by: Tom Lane  
Discussion: https://postgr.es/m/20191205083252.GE5064@paquier.xyz  
Discussion: https://postgr.es/m/98F7F99E-1129-41D8-B86B-FE3B1E286881@yesql.se  
Backpatch-through: 11  

M configure
M configure.in

Ensure maxlen is at leat 1 in dict_int

commit   : 267eb954cc96210985426aa31142ead37bfdc62c    
  
author   : Tomas Vondra <tomas.vondra@postgresql.org>    
date     : Tue, 3 Dec 2019 16:55:51 +0100    
  
committer: Tomas Vondra <tomas.vondra@postgresql.org>    
date     : Tue, 3 Dec 2019 16:55:51 +0100    

Click here for diff

The dict_int text search dictionary template accepts maxlen parameter,  
which is then used to cap the length of input strings. The value was  
not properly checked, and the code simply does  
  
    txt[d->maxlen] = '\0';  
  
to insert a terminator, leading to segfaults with negative values.  
  
This commit simply rejects values less than 1. The issue was there since  
dct_int was introduced in 9.3, so backpatch all the way back to 9.4  
which is the oldest supported version.  
  
Reported-by: cili  
Discussion: https://postgr.es/m/16144-a36a5bef7657047d@postgresql.org  
Backpatch-through: 9.4  

M contrib/dict_int/dict_int.c
M contrib/dict_int/expected/dict_int.out
M contrib/dict_int/sql/dict_int.sql

Fix failures with TAP tests of pg_ctl on Windows

commit   : 8fd28a7baaccaba89987f9628632e9c39235c6b5    
  
author   : Michael Paquier <michael@paquier.xyz>    
date     : Tue, 3 Dec 2019 13:01:43 +0900    
  
committer: Michael Paquier <michael@paquier.xyz>    
date     : Tue, 3 Dec 2019 13:01:43 +0900    

Click here for diff

On Windows, all the hosts spawned by the TAP tests bind to 127.0.0.1.  
Hence, if there is a port conflict, starting a cluster would immediately  
fail.  One of the test scripts of pg_ctl initializes a node without  
PostgresNode.pm, using the default port 5432.  This could cause  
unexpected startup failures in the tests if an independent server was up  
and running on the same host (the reverse is also possible, though more  
unlikely).  Fix this issue by assigning properly a free port to the node  
configured, in the same range used as for the other nodes part of the  
tests.  
  
Author: Michael Paquier  
Reviewed-by: Andrew Dunstan  
Discussion: https://postgr.es/m/20191202031444.GC1696@paquier.xyz  
Backpatch-through: 11  

M src/bin/pg_ctl/t/001_start_stop.pl

Fix misbehavior with expression indexes on ON COMMIT DELETE ROWS tables.

commit   : 768a401e242de18f22d2d0d3b810fce7b3d5e612    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Sun, 1 Dec 2019 13:09:26 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Sun, 1 Dec 2019 13:09:26 -0500    

Click here for diff

We implement ON COMMIT DELETE ROWS by truncating tables marked that  
way, which requires also truncating/rebuilding their indexes.  But  
RelationTruncateIndexes asks the relcache for up-to-date copies of any  
index expressions, which may cause execution of eval_const_expressions  
on them, which can result in actual execution of subexpressions.  
This is a bad thing to have happening during ON COMMIT.  Manuel Rigger  
reported that use of a SQL function resulted in crashes due to  
expectations that ActiveSnapshot would be set, which it isn't.  
The most obvious fix perhaps would be to push a snapshot during  
PreCommit_on_commit_actions, but I think that would just open the door  
to more problems: CommitTransaction explicitly expects that no  
user-defined code can be running at this point.  
  
Fortunately, since we know that no tuples exist to be indexed, there  
seems no need to use the real index expressions or predicates during  
RelationTruncateIndexes.  We can set up dummy index expressions  
instead (we do need something that will expose the right data type,  
as there are places that build index tupdescs based on this), and  
just ignore predicates and exclusion constraints.  
  
In a green field it'd likely be better to reimplement ON COMMIT DELETE  
ROWS using the same "init fork" infrastructure used for unlogged  
relations.  That seems impractical without catalog changes though,  
and even without that it'd be too big a change to back-patch.  
So for now do it like this.  
  
Per private report from Manuel Rigger.  This has been broken forever,  
so back-patch to all supported branches.  

M src/backend/catalog/heap.c
M src/backend/catalog/index.c
M src/backend/utils/cache/relcache.c
M src/include/catalog/index.h
M src/include/utils/relcache.h
M src/test/regress/expected/temp.out
M src/test/regress/sql/temp.sql

Fix off-by-one error in PGTYPEStimestamp_fmt_asc

commit   : 9668bf5d5215cd4510c6cc9d1d07561b839b6a30    
  
author   : Tomas Vondra <tomas.vondra@postgresql.org>    
date     : Sat, 30 Nov 2019 14:51:27 +0100    
  
committer: Tomas Vondra <tomas.vondra@postgresql.org>    
date     : Sat, 30 Nov 2019 14:51:27 +0100    

Click here for diff

When using %b or %B patterns to format a date, the code was simply using  
tm_mon as an index into array of month names. But that is wrong, because  
tm_mon is 1-based, while array indexes are 0-based. The result is we  
either use name of the next month, or a segfault (for December).  
  
Fix by subtracting 1 from tm_mon for both patterns, and add a regression  
test triggering the issue. Backpatch to all supported versions (the bug  
is there far longer, since at least 2003).  
  
Reported-by: Paul Spencer  
Backpatch-through: 9.4  
Discussion: https://postgr.es/m/16143-0d861eb8688d3fef%40postgresql.org  

M src/interfaces/ecpg/pgtypeslib/timestamp.c
M src/interfaces/ecpg/test/expected/pgtypeslib-dt_test.c
M src/interfaces/ecpg/test/expected/pgtypeslib-dt_test.stderr
M src/interfaces/ecpg/test/expected/pgtypeslib-dt_test.stdout
M src/interfaces/ecpg/test/pgtypeslib/dt_test.pgc

Fix typo in comment.

commit   : c41824c152aba5019cc58b72d6ad5f6761743fab    
  
author   : Etsuro Fujita <efujita@postgresql.org>    
date     : Wed, 27 Nov 2019 16:00:48 +0900    
  
committer: Etsuro Fujita <efujita@postgresql.org>    
date     : Wed, 27 Nov 2019 16:00:48 +0900    

Click here for diff

M src/backend/optimizer/util/relnode.c

Allow access to child table statistics if user can read parent table.

commit   : 1d9056f563f3dcef6296e252b60c1d5831e43be6    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Tue, 26 Nov 2019 14:41:48 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Tue, 26 Nov 2019 14:41:48 -0500    

Click here for diff

The fix for CVE-2017-7484 disallowed use of pg_statistic data for  
planning purposes if the user would not be able to select the associated  
column and a non-leakproof function is to be applied to the statistics  
values.  That turns out to disable use of pg_statistic data in some  
common cases involving inheritance/partitioning, where the user does  
have permission to select from the parent table that was actually named  
in the query, but not from a child table whose stats are needed.  Since,  
in non-corner cases, the user *can* select the child table's data via  
the parent, this restriction is not actually useful from a security  
standpoint.  Improve the logic so that we also check the permissions of  
the originally-named table, and allow access if select permission exists  
for that.  
  
When checking access to stats for a simple child column, we can map  
the child column number back to the parent, and perform this test  
exactly (including not allowing access if the child column isn't  
exposed by the parent).  For expression indexes, the current logic  
just insists on whole-table select access, and this patch allows  
access if the user can select the whole parent table.  In principle,  
if the child table has extra columns, this might allow access to  
stats on columns the user can't read.  In practice, it's unlikely  
that the planner is going to do any stats calculations involving  
expressions that are not visible to the query, so we'll ignore that  
fine point for now.  Perhaps someday we'll improve that logic to  
detect exactly which columns are used by an expression index ...  
but today is not that day.  
  
Back-patch to v11.  The issue was created in 9.2 and up by the  
CVE-2017-7484 fix, but this patch depends on the append_rel_array[]  
planner data structure which only exists in v11 and up.  In  
practice the issue is most urgent with partitioned tables, so  
fixing v11 and later should satisfy much of the practical need.  
  
Dilip Kumar and Amit Langote, with some kibitzing by me  
  
Discussion: https://postgr.es/m/3876.1531261875@sss.pgh.pa.us  

M src/backend/utils/adt/selfuncs.c
M src/test/regress/expected/inherit.out
M src/test/regress/sql/inherit.sql

Don't shut down Gather[Merge] early under Limit.

commit   : d0ccfa9d6a3da0a47ee02947f54dd36f9f90972c    
  
author   : Amit Kapila <akapila@postgresql.org>    
date     : Mon, 18 Nov 2019 14:17:41 +0530    
  
committer: Amit Kapila <akapila@postgresql.org>    
date     : Mon, 18 Nov 2019 14:17:41 +0530    

Click here for diff

Revert part of commit 19df1702f5.  
  
Early shutdown was added by that commit so that we could collect  
statistics from workers, but unfortunately, it interacted badly with  
rescans.  The problem is that we ended up destroying the parallel context  
which is required for rescans.  This leads to rescans of a Limit node over  
a Gather node to produce unpredictable results as it tries to access  
destroyed parallel context.  By reverting the early shutdown code, we  
might lose statistics in some cases of Limit over Gather [Merge], but that  
will require further study to fix.  
  
Reported-by: Jerry Sievers  
Diagnosed-by: Thomas Munro  
Author: Amit Kapila, testcase by Vignesh C  
Backpatch-through: 9.6  
Discussion: https://postgr.es/m/87ims2amh6.fsf@jsievers.enova.com  

M src/backend/executor/nodeLimit.c
M src/test/regress/expected/select_parallel.out
M src/test/regress/sql/select_parallel.sql

Avoid assertion failure with LISTEN in a serializable transaction.

commit   : d9bb71947949b79f72a555e6d1d7d17ec8580455    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Sun, 24 Nov 2019 15:57:31 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Sun, 24 Nov 2019 15:57:31 -0500    

Click here for diff

If LISTEN is the only action in a serializable-mode transaction,  
and the session was not previously listening, and the notify queue  
is not empty, predicate.c reported an assertion failure.  That  
happened because we'd acquire the transaction's initial snapshot  
during PreCommit_Notify, which was called *after* predicate.c  
expects any such snapshot to have been established.  
  
To fix, just swap the order of the PreCommit_Notify and  
PreCommit_CheckForSerializationFailure calls during CommitTransaction.  
This will imply holding the notify-insertion lock slightly longer,  
but the difference could only be meaningful in serializable mode,  
which is an expensive option anyway.  
  
It appears that this is just an assertion failure, with no  
consequences in non-assert builds.  A snapshot used only to scan  
the notify queue could not have been involved in any serialization  
conflicts, so there would be nothing for  
PreCommit_CheckForSerializationFailure to do except assign it a  
prepareSeqNo and set the SXACT_FLAG_PREPARED flag.  And given no  
conflicts, neither of those omissions affect the behavior of  
ReleasePredicateLocks.  This admittedly once-over-lightly analysis  
is backed up by the lack of field reports of trouble.  
  
Per report from Mark Dilger.  The bug is old, so back-patch to all  
supported branches; but the new test case only goes back to 9.6,  
for lack of adequate isolationtester infrastructure before that.  
  
Discussion: https://postgr.es/m/3ac7f397-4d5f-be8e-f354-440020675694@gmail.com  
Discussion: https://postgr.es/m/13881.1574557302@sss.pgh.pa.us  

M src/backend/access/transam/xact.c
M src/test/isolation/expected/async-notify.out
M src/test/isolation/specs/async-notify.spec

doc: Fix whitespace in syntax.

commit   : 14512879364144e6c6b4762902e6a551d709280d    
  
author   : Thomas Munro <tmunro@postgresql.org>    
date     : Mon, 25 Nov 2019 09:20:28 +1300    
  
committer: Thomas Munro <tmunro@postgresql.org>    
date     : Mon, 25 Nov 2019 09:20:28 +1300    

Click here for diff

Back-patch to 10.  
  
Author: Andreas Karlsson  
Discussion: https://postgr.es/m/043acae2-a369-b7fa-be48-1933aa2e82d1%40proxel.se  

M doc/src/sgml/ref/insert.sgml

Stabilize NOTIFY behavior by transmitting notifies before ReadyForQuery.

commit   : 377d1b95bfeb969c0525f4949868005051dcd511    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Sun, 24 Nov 2019 14:42:59 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Sun, 24 Nov 2019 14:42:59 -0500    

Click here for diff

This patch ensures that, if any notify messages were received during  
a just-finished transaction, they get sent to the frontend just before  
not just after the ReadyForQuery message.  With libpq and other client  
libraries that act similarly, this guarantees that the client will see  
the notify messages as available as soon as it thinks the transaction  
is done.  
  
This probably makes no difference in practice, since in realistic  
use-cases the application would have to cope with asynchronous  
arrival of notify events anyhow.  However, it makes it a lot easier  
to build cross-session-notify test cases with stable behavior.  
I'm a bit surprised now that we've not seen any buildfarm instability  
with the test cases added by commit b10f40bf0.  Tests that I intend  
to add in an upcoming bug fix are definitely unstable without this.  
  
Back-patch to 9.6, which is as far back as we can do NOTIFY testing  
with the isolationtester infrastructure.  
  
Discussion: https://postgr.es/m/13881.1574557302@sss.pgh.pa.us  

M src/backend/commands/async.c
M src/backend/tcop/postgres.c

Improve test coverage for LISTEN/NOTIFY.

commit   : 295054411ebbff7ecfcc801ddfbdbadc1bac9f72    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Sat, 23 Nov 2019 17:30:00 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Sat, 23 Nov 2019 17:30:00 -0500    

Click here for diff

Back-patch commit b10f40bf0 into older branches.  This adds reporting  
of NOTIFY messages to isolationtester.c, and extends the async-notify  
test to include direct tests of basic NOTIFY functionality.  
  
This provides useful infrastructure for testing a bug fix I'm about  
to back-patch, and there seems no good reason not to have better tests  
of LISTEN/NOTIFY in the back branches.  The commit's survived long  
enough in HEAD to make it unlikely that it will cause problems.  
  
Back-patch as far as 9.6.  isolationtester.c changed too much in 9.6  
to make it sane to try to fix older branches this way, and I don't  
really want to back-patch those changes too.  
  
Discussion: https://postgr.es/m/31304.1564246011@sss.pgh.pa.us  

M src/test/isolation/expected/async-notify.out
M src/test/isolation/isolationtester.c
M src/test/isolation/specs/async-notify.spec

Add test coverage for "unchanged toast column" replication code path.

commit   : 785206afdf1fed6358ed3893cdb1e7b581dde40d    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Fri, 22 Nov 2019 12:52:26 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Fri, 22 Nov 2019 12:52:26 -0500    

Click here for diff

It seems pretty unacceptable to have no regression test coverage  
for this aspect of the logical replication protocol, especially  
given the bugs we've found in related code.  
  
Discussion: https://postgr.es/m/16129-a0c0f48e71741e5f@postgresql.org  

M src/test/subscription/t/001_rep_changes.pl

Fix bogus tuple-slot management in logical replication UPDATE handling.

commit   : b72a44c51ad6a75d078ef919a498f6c12b93c309    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Fri, 22 Nov 2019 11:31:19 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Fri, 22 Nov 2019 11:31:19 -0500    

Click here for diff

slot_modify_cstrings seriously abused the TupleTableSlot API by relying  
on a slot's underlying data to stay valid across ExecClearTuple.  Since  
this abuse was also quite undocumented, it's little surprise that the  
case got broken during the v12 slot rewrites.  As reported in bug #16129  
from Ondřej Jirman, this could lead to crashes or data corruption when  
a logical replication subscriber processes a row update.  Problems would  
only arise if the subscriber's table contained columns of pass-by-ref  
types that were not being copied from the publisher.  
  
Fix by explicitly copying the datum/isnull arrays from the source slot  
that the old row was in already.  This ends up being about the same  
thing that happened pre-v12, but hopefully in a less opaque and  
fragile way.  
  
We might've caught the problem sooner if there were any test cases  
dealing with updates involving non-replicated or dropped columns.  
Now there are.  
  
Back-patch to v10 where this code came in.  Even though the failure  
does not manifest before v12, IMO this code is too fragile to leave  
as-is.  In any case we certainly want the additional test coverage.  
  
Patch by me; thanks to Tomas Vondra for initial investigation.  
  
Discussion: https://postgr.es/m/16129-a0c0f48e71741e5f@postgresql.org  

M src/backend/replication/logical/worker.c
M src/test/subscription/t/001_rep_changes.pl

Defend against self-referential views in relation_is_updatable().

commit   : 669138ebd1465944119340397bcf31bab3050404    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Thu, 21 Nov 2019 16:21:44 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Thu, 21 Nov 2019 16:21:44 -0500    

Click here for diff

While a self-referential view doesn't actually work, it's possible  
to create one, and it turns out that this breaks some of the  
information_schema views.  Those views call relation_is_updatable(),  
which neglected to consider the hazards of being recursive.  In  
older PG versions you get a "stack depth limit exceeded" error,  
but since v10 it'd recurse to the point of stack overrun and crash,  
because commit a4c35ea1c took out the expression_returns_set() call  
that was incidentally checking the stack depth.  
  
Since this function is only used by information_schema views, it  
seems like it'd be better to return "not updatable" than suffer  
an error.  Hence, add tracking of what views we're examining,  
in just the same way that the nearby fireRIRrules() code detects  
self-referential views.  I added a check_stack_depth() call too,  
just to be defensive.  
  
Per private report from Manuel Rigger.  Back-patch to all  
supported versions.  

M src/backend/rewrite/rewriteHandler.c
M src/backend/utils/adt/misc.c
M src/include/rewrite/rewriteHandler.h

Provide statistics for hypothetical BRIN indexes

commit   : 62074a34360b7a2b05f30087c9fe83da1c8bb6c8    
  
author   : Michael Paquier <michael@paquier.xyz>    
date     : Thu, 21 Nov 2019 10:23:43 +0900    
  
committer: Michael Paquier <michael@paquier.xyz>    
date     : Thu, 21 Nov 2019 10:23:43 +0900    

Click here for diff

Trying to use hypothetical indexes with BRIN currently fails when trying  
to access a relation that does not exist when looking for the  
statistics.  With the current API, it is not possible to easily pass  
a value for pages_per_range down to the hypothetical index, so this  
makes use of the default value of BRIN_DEFAULT_PAGES_PER_RANGE, which  
should be fine enough in most cases.  
  
Being able to refine or enforce the hypothetical costs in more  
optimistic ways would require more refactoring by filling in the  
statistics when building IndexOptInfo in plancat.c.  This would involve  
ABI breakages around the costing routines, something not fit for stable  
branches.  
  
This is broken since 7e534ad, so backpatch down to v10.  
  
Author: Julien Rouhaud, Heikki Linnakangas  
Reviewed-by: Álvaro Herrera, Tom Lane, Michael Paquier  
Discussion: https://postgr.es/m/CAOBaU_ZH0LKEA8VFCocr6Lpte1ab0b6FpvgS0y4way+RPSXfYg@mail.gmail.com  
Backpatch-through: 10  

M src/backend/utils/adt/selfuncs.c

Remove incorrect markup

commit   : d40efd2b4d592a2144d5d4edd70424f6bef2cf17    
  
author   : Magnus Hagander <magnus@hagander.net>    
date     : Wed, 20 Nov 2019 17:03:07 +0100    
  
committer: Magnus Hagander <magnus@hagander.net>    
date     : Wed, 20 Nov 2019 17:03:07 +0100    

Click here for diff

Author: Daniel Gustafsson <daniel@yesql.se>  

M doc/src/sgml/libpq.sgml

Fix page modification outside of critical section in GIN

commit   : 7d467dee0831728de107ad15c5625bf97698d790    
  
author   : Alexander Korotkov <akorotkov@postgresql.org>    
date     : Wed, 20 Nov 2019 00:12:33 +0300    
  
committer: Alexander Korotkov <akorotkov@postgresql.org>    
date     : Wed, 20 Nov 2019 00:12:33 +0300    

Click here for diff

By oversight 52ac6cd2d0 makes ginDeletePage() sets pd_prune_xid of page to be  
deleted before entering the critical section.  It appears that only versions 11  
and later were affected by this oversight.  
  
Backpatch-through: 11  

M src/backend/access/gin/ginvacuum.c

Revise GIN README

commit   : 287192bda245cbb7b7577d4c351822772b7e7373    
  
author   : Alexander Korotkov <akorotkov@postgresql.org>    
date     : Tue, 19 Nov 2019 23:11:24 +0300    
  
committer: Alexander Korotkov <akorotkov@postgresql.org>    
date     : Tue, 19 Nov 2019 23:11:24 +0300    

Click here for diff

We find GIN concurrency bugs from time to time.  One of the problems here is  
that concurrency of GIN isn't well-documented in README.  So, it might be even  
hard to distinguish design bugs from implementation bugs.  
  
This commit revised concurrency section in GIN README providing more details.  
Some examples are illustrated in ASCII art.  
  
Also, this commit add the explanation of how is tuple layout in internal GIN  
B-tree page different in comparison with nbtree.  
  
Discussion: https://postgr.es/m/CAPpHfduXR_ywyaVN4%2BOYEGaw%3DcPLzWX6RxYLBncKw8de9vOkqw%40mail.gmail.com  
Author: Alexander Korotkov  
Reviewed-by: Peter Geoghegan  
Backpatch-through: 9.4  

M src/backend/access/gin/README

Fix traversing to the deleted GIN page via downlink

commit   : c0bf35421529ab210479ea0e828270e6626adff6    
  
author   : Alexander Korotkov <akorotkov@postgresql.org>    
date     : Tue, 19 Nov 2019 23:08:14 +0300    
  
committer: Alexander Korotkov <akorotkov@postgresql.org>    
date     : Tue, 19 Nov 2019 23:08:14 +0300    

Click here for diff

Current GIN code appears to don't handle traversing to the deleted page via  
downlink.  This commit fixes that by stepping right from the delete page like  
we do in nbtree.  
  
This commit also fixes setting 'deleted' flag to the GIN pages.  Now other page  
flags are not erased once page is deleted.  That helps to keep our assertions  
true if we arrive deleted page via downlink.  
  
Discussion: https://postgr.es/m/CAPpHfdvMvsw-NcE5bRS7R1BbvA4BxoDnVVjkXC5W0Czvy9LVrg%40mail.gmail.com  
Author: Alexander Korotkov  
Reviewed-by: Peter Geoghegan  
Backpatch-through: 9.4  

M src/backend/access/gin/ginbtree.c
M src/backend/access/gin/gindatapage.c
M src/backend/access/gin/ginvacuum.c
M src/backend/access/gin/ginxlog.c

Fix deadlock between ginDeletePage() and ginStepRight()

commit   : 9f292798992ee8efe3281ba61db3c53ea7007b1a    
  
author   : Alexander Korotkov <akorotkov@postgresql.org>    
date     : Tue, 19 Nov 2019 23:07:36 +0300    
  
committer: Alexander Korotkov <akorotkov@postgresql.org>    
date     : Tue, 19 Nov 2019 23:07:36 +0300    

Click here for diff

When ginDeletePage() is about to delete page it locks its left sibling to revise  
the rightlink.  So, it locks pages in right to left manner.  Int he same time  
ginStepRight() locks pages in left to right manner, and that could cause a  
deadlock.  
  
This commit makes ginScanToDelete() keep exclusive lock on left siblings of  
currently investigated path.  That elimites need to relock left sibling in  
ginDeletePage().  Thus, deadlock with ginStepRight() can't happen anymore.  
  
Reported-by: Chen Huajun  
Discussion: https://postgr.es/m/5c332bd1.87b6.16d7c17aa98.Coremail.chjischj%40163.com  
Author: Alexander Korotkov  
Reviewed-by: Peter Geoghegan  
Backpatch-through: 10  

M src/backend/access/gin/README
M src/backend/access/gin/ginvacuum.c

Doc: clarify use of RECURSIVE in WITH.

commit   : e0457665ccf8052a3ec6d6c37002b81d3b29e235    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Tue, 19 Nov 2019 14:43:37 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Tue, 19 Nov 2019 14:43:37 -0500    

Click here for diff

Apparently some people misinterpreted the syntax as being that  
RECURSIVE is a prefix of individual WITH queries.  It's a modifier  
for the WITH clause as a whole, so state that more clearly.  
  
Discussion: https://postgr.es/m/ca53c6ce-a0c6-b14a-a8e3-162f0b2cc119@a-kretschmer.de  

M doc/src/sgml/ref/select.sgml

Doc: clarify behavior of ALTER DEFAULT PRIVILEGES ... IN SCHEMA.

commit   : ff6de57750828030488901aa19fa1580f0f087d8    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Tue, 19 Nov 2019 14:21:41 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Tue, 19 Nov 2019 14:21:41 -0500    

Click here for diff

The existing text stated that "Default privileges that are specified  
per-schema are added to whatever the global default privileges are for  
the particular object type".  However, that bare-bones observation is  
not quite clear enough, as demonstrated by the complaint in bug #16124.  
Flesh it out by stating explicitly that you can't revoke built-in  
default privileges this way, and by providing an example to drive  
the point home.  
  
Back-patch to all supported branches, since it's been like this  
from the beginning.  
  
Discussion: https://postgr.es/m/16124-423d8ee4358421bc@postgresql.org  

M doc/src/sgml/ref/alter_default_privileges.sgml

Further fix dumping of views that contain just VALUES(...).

commit   : d898edf4f233a3ffe6a0da64179fc268a1d46200    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Sat, 16 Nov 2019 20:00:19 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Sat, 16 Nov 2019 20:00:19 -0500    

Click here for diff

It turns out that commit e9f1c01b7 missed a case: we must print a  
VALUES clause in long format if get_query_def is given a resultDesc  
that would require the query's output column name(s) to be different  
from what the bare VALUES clause would produce.  
  
This applies in case an ALTER ... RENAME COLUMN has been done to  
a view that formerly could be printed in simple format, as shown  
in the added regression test case.  It also explains bug #16119  
from Dmitry Telpt, because it turns out that (unlike CREATE VIEW)  
CREATE MATERIALIZED VIEW fails to apply any column aliases it's  
given to the stored ON SELECT rule.  So to get them to be printed,  
we have to account for the resultDesc renaming.  It might be worth  
changing the matview code so that it creates the ON SELECT rule  
with the correct aliases; but we'd still need these messy checks in  
get_simple_values_rte to handle the case of a subsequent column  
rename, so any such change would be just neatnik-ism not a bug fix.  
  
Like the previous patch, back-patch to all supported branches.  
  
Discussion: https://postgr.es/m/16119-e64823f30a45a754@postgresql.org  

M src/backend/utils/adt/ruleutils.c
M src/test/regress/expected/rules.out
M src/test/regress/sql/rules.sql

Skip system attributes when applying mvdistinct stats

commit   : 25a9ff6cadbb2099a5f53876d9e29f35a080df43    
  
author   : Tomas Vondra <tomas.vondra@postgresql.org>    
date     : Sat, 16 Nov 2019 01:17:15 +0100    
  
committer: Tomas Vondra <tomas.vondra@postgresql.org>    
date     : Sat, 16 Nov 2019 01:17:15 +0100    

Click here for diff

When estimating number of distinct groups, we failed to ignore system  
attributes when matching the group expressions to mvdistinct stats,  
causing failures like  
  
  ERROR: negative bitmapset member not allowed  
  
Fix that by simply skipping anything that is not a regular attribute.  
Backpatch to PostgreSQL 10, where the extended stats were introduced.  
  
Bug: #16111  
Reported-by: Tuomas Leikola  
Author: Tomas Vondra  
Backpatch-through: 10  
Discussion: https://postgr.es/m/16111-687799584c3a7e73@postgresql.org  

M src/backend/utils/adt/selfuncs.c
M src/test/regress/expected/stats_ext.out
M src/test/regress/sql/stats_ext.sql

Always call ExecShutdownNode() if appropriate.

commit   : bc049d0d460aead528ace909a3477bc701ab2e9a    
  
author   : Thomas Munro <tmunro@postgresql.org>    
date     : Sat, 16 Nov 2019 10:04:52 +1300    
  
committer: Thomas Munro <tmunro@postgresql.org>    
date     : Sat, 16 Nov 2019 10:04:52 +1300    

Click here for diff

Call ExecShutdownNode() after ExecutePlan()'s loop, rather than at each  
break.  We had forgotten to do that in one case.  The omission caused  
intermittent "temporary file leak" warnings from multi-batch parallel  
hash joins with a LIMIT clause.  
  
Back-patch to 11.  Though the problem exists in theory in earlier  
parallel query releases, nothing really depended on it.  
  
Author: Kyotaro Horiguchi  
Reviewed-by: Thomas Munro, Amit Kapila  
Discussion: https://postgr.es/m/20191111.212418.2222262873417235945.horikyota.ntt%40gmail.com  

M src/backend/executor/execMain.c

Avoid downcasing/truncation of RADIUS authentication parameters.

commit   : d66e68207e998c9b6180bee5fb55019f35fdacf4    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Wed, 13 Nov 2019 13:41:04 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Wed, 13 Nov 2019 13:41:04 -0500    

Click here for diff

Commit 6b76f1bb5 changed all the RADIUS auth parameters to be lists  
rather than single values.  But its use of SplitIdentifierString  
to parse the list format was not very carefully thought through,  
because that function thinks it's parsing SQL identifiers, which  
means it will (a) downcase the strings and (b) truncate them to  
be shorter than NAMEDATALEN.  While downcasing should be harmless  
for the server names and ports, it's just wrong for the shared  
secrets, and probably for the NAS Identifier strings as well.  
The truncation aspect is at least potentially a problem too,  
though typical values for these parameters would fit in 63 bytes.  
  
Fortunately, we now have a function SplitGUCList that is exactly  
the same except for not doing the two unwanted things, so fixing  
this is a trivial matter of calling that function instead.  
  
While here, improve the documentation to show how to double-quote  
the parameter values.  I failed to resist the temptation to do  
some copy-editing as well.  
  
Report and patch from Marcos David (bug #16106); doc changes by me.  
Back-patch to v10 where the aforesaid commit came in, since this is  
arguably a regression from our previous behavior with RADIUS auth.  
  
Discussion: https://postgr.es/m/16106-7d319e4295d08e70@postgresql.org  

M doc/src/sgml/client-auth.sgml
M src/backend/libpq/hba.c

Include TableFunc references when computing expression dependencies.

commit   : 94a9cb43ff5a84b25a3e7d5226c8e02d55fe69c3    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Wed, 13 Nov 2019 12:11:49 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Wed, 13 Nov 2019 12:11:49 -0500    

Click here for diff

The TableFunc node (i.e., XMLTABLE) includes type and collation OIDs  
that might not be referenced anywhere else in the expression tree,  
so they need to be accounted for when extracting dependencies.  
  
Fortunately, the practical effects of this are limited, since  
(a) it's somewhat unlikely that people would be extracting  
columns of non-builtin types from an XML document, and (b)  
in many scenarios, the query would contain other references  
to such types, or functions depending on them.  However, it's  
not hard to construct examples wherein the existing code lets  
one drop a type used in XMLTABLE and thereby break a view.  
  
This is evidently an original oversight in the XMLTABLE patch,  
so back-patch to v10 where that came in.  
  
Discussion: https://postgr.es/m/18427.1573508501@sss.pgh.pa.us  

M src/backend/catalog/dependency.c

Handle arrays and ranges in pg_upgrade's test for non-upgradable types.

commit   : 8e4ef328738f7c865736ef36346461e687c9e45c    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Wed, 13 Nov 2019 11:35:37 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Wed, 13 Nov 2019 11:35:37 -0500    

Click here for diff

pg_upgrade needs to check whether certain non-upgradable data types  
appear anywhere on-disk in the source cluster.  It knew that it has  
to check for these types being contained inside domains and composite  
types; but it somehow overlooked that they could be contained in  
arrays and ranges, too.  Extend the existing recursive-containment  
query to handle those cases.  
  
We probably should have noticed this oversight while working on  
commit 0ccfc2822 and follow-ups, but we failed to :-(.  The whole  
thing's possibly a bit overdesigned, since we don't really expect  
that any of these types will appear on disk; but if we're going to  
the effort of doing a recursive search then it's silly not to cover  
all the possibilities.  
  
While at it, refactor so that we have only one copy of the search  
logic, not three-and-counting.  Also, to keep the branches looking  
more alike, back-patch the output wording change of commit 1634d3615.  
  
Back-patch to all supported branches.  
  
Discussion: https://postgr.es/m/31473.1573412838@sss.pgh.pa.us  

M src/bin/pg_upgrade/version.c