PostgreSQL 12.2 commit log

commit   : 45b88269a353ad93744772791feb6d01bc7e1e42    
  
author   : Tom Lane <[email protected]>    
date     : Mon, 10 Feb 2020 17:14:51 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Mon, 10 Feb 2020 17:14:51 -0500    

commit   : ce5a2d2c3e8e1353d1cb31ab143730accbb1ac75    
  
author   : Tom Lane <[email protected]>    
date     : Mon, 10 Feb 2020 12:51:07 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Mon, 10 Feb 2020 12:51:07 -0500    

Security: CVE-2020-1720  

commit   : 87d014da99bf7613ce76938a9d58e99ef984737a    
  
author   : Alvaro Herrera <[email protected]>    
date     : Mon, 10 Feb 2020 12:14:58 -0300    
  
committer: Alvaro Herrera <[email protected]>    
date     : Mon, 10 Feb 2020 12:14:58 -0300    

The original coding failed to quote the argument properly.  
  
Reported-by: Daniel Gustafsson  
Discussion: [email protected]  

commit   : 2ad125322d5be8b264f2b0945d7dd23ba3ace60e    
  
author   : Alvaro Herrera <[email protected]>    
date     : Mon, 10 Feb 2020 11:47:09 -0300    
  
committer: Alvaro Herrera <[email protected]>    
date     : Mon, 10 Feb 2020 11:47:09 -0300    

Marking an object as dependant on an extension did not have any  
privilege check whatsoever; this allowed any user to mark objects as  
droppable by anyone able to DROP EXTENSION, which could be used to cause  
system-wide havoc.  Disallow by checking that the calling user owns the  
mentioned object.  
  
(No constraints are placed on the extension.)  
  
Security: CVE-2020-1720  
Reported-by: Tom Lane  
Discussion: [email protected]  

commit   : 326431670a876925d699e2be7a216a23ee2d32bf    
  
author   : Peter Eisentraut <[email protected]>    
date     : Mon, 10 Feb 2020 13:15:42 +0100    
  
committer: Peter Eisentraut <[email protected]>    
date     : Mon, 10 Feb 2020 13:15:42 +0100    

Source-Git-URL: https://git.postgresql.org/git/pgtranslation/messages.git  
Source-Git-Hash: bcdfb83b81a7aa3c3948c0a5221f9c68d7010ac5  

commit   : 198f0ba8bd0733e253a50b47c1dff33112542c1c    
  
author   : Michael Paquier <[email protected]>    
date     : Mon, 10 Feb 2020 15:48:35 +0900    
  
committer: Michael Paquier <[email protected]>    
date     : Mon, 10 Feb 2020 15:48:35 +0900    

This reverts commit d1c0b61.  The patch has some downsides that require  
more attention, as discussed with Noah Misch.  
  
Backpatch-through: 9.5  

commit   : a6a8616dad9faa824401a3c420775a8f400df432    
  
author   : Amit Kapila <[email protected]>    
date     : Mon, 10 Feb 2020 08:34:43 +0530    
  
committer: Amit Kapila <[email protected]>    
date     : Mon, 10 Feb 2020 08:34:43 +0530    

Reported-by: Justin Pryzby  
Author: Justin Pryzby  
Backpatch-through: 9.6  
Discussion: https://postgr.es/m/[email protected]  

commit   : 770eca3adfe49bb531bfcba39e8061ce7f8fc534    
  
author   : Michael Paquier <[email protected]>    
date     : Mon, 10 Feb 2020 10:49:38 +0900    
  
committer: Michael Paquier <[email protected]>    
date     : Mon, 10 Feb 2020 10:49:38 +0900    

The previous coding forgot to apply shell quoting to the socket  
directory and the data folder, leading to failures when running  
pg_upgrade.  This refactors the code generating the pg_ctl command  
starting clusters to use a more correct shell quoting.  Failures are  
easier to trigger in 12 and newer versions by using a value of  
--socketdir that includes quotes, but it is also possible to cause  
failures with quotes included in the default socket directory used by  
pg_upgrade or the data folders of the clusters involved in the  
upgrade.  
  
As 9.4 is going to be EOL'd with the next minor release, nobody is  
likely going to upgrade to it now so this branch is not included in the  
set of branches fixed.  
  
Author: Michael Paquier  
Reviewed-by: Álvaro Herrera, Noah Misch  
Backpatch-through: 9.5  

commit   : 2db27ff4eb3afde142554e51675c82469f15ce71    
  
author   : Tom Lane <[email protected]>    
date     : Sun, 9 Feb 2020 14:20:26 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Sun, 9 Feb 2020 14:20:26 -0500    

This reverts commit 29af9c542f6cdc9a6456b175fdcdfe7a28b77d6c.  
  
Per discussion, we can't change the section title without some  
web-site work, so revert this change temporarily.  
  
Discussion: https://postgr.es/m/[email protected]  

commit   : 0522d6f8f0d08b17f55b1e93e4a67e5f82e6bdaf    
  
author   : Tom Lane <[email protected]>    
date     : Sun, 9 Feb 2020 14:14:18 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Sun, 9 Feb 2020 14:14:18 -0500    

commit   : baf487123ac5e4990cf17a67c90bc4c8adf6e8f1    
  
author   : Tom Lane <[email protected]>    
date     : Sun, 9 Feb 2020 12:02:57 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Sun, 9 Feb 2020 12:02:57 -0500    

Commit b10714080 moved the GinPageSetDeleteXid() call to a spot where  
the "page" variable was pointing to the wrong page, causing the XID  
to be inserted on a page that's not being deleted, thus allowing later  
GinPageIsRecyclable tests to recycle the deleted page too soon.  
  
It might be a good idea to stop using the single "page" variable for  
multiple purposes in this function.  But for the moment I just moved  
the GinPageSetDeleteXid() call down beside the GinPageSetDeleted()  
call, which seems like a more logical place for it anyway.  
  
Back-patch to v11, as the faulty patch was.  (Fortunately, the bug  
hasn't made it into any release yet.)  
  
Discussion: https://postgr.es/m/[email protected]  

commit   : 4faea7fdf1768c65af744b5cbeaf201cdd345547    
  
author   : Fujii Masao <[email protected]>    
date     : Sat, 8 Feb 2020 12:29:38 +0900    
  
committer: Fujii Masao <[email protected]>    
date     : Sat, 8 Feb 2020 12:29:38 +0900    

Commit 598b466e80 in v12 renumbered ScanOption enum values to add  
the option for Tid scan. But the change of the codes assigned to  
the existing values caused an ABI break and may break some extensions  
depending on them. This should be avoided in minor version.  
  
This commit reverts the renumbering of ScanOption enum values made by  
commit 598b466e80 in v12 and put the ScanOption for Tid scan with new value.  
This is applied only to v12.  
  
Per complaint from Tom Lane.  
  
Discussion: https://postgr.es/m/[email protected]  

commit   : 388d4351f78dfa6082922074127d496e6f525033    
  
author   : Tom Lane <[email protected]>    
date     : Fri, 7 Feb 2020 16:52:55 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Fri, 7 Feb 2020 16:52:55 -0500    

As usual, the release notes for other branches will be made by cutting  
these down, but put them up for community review first.  

commit   : 2c80a656c2b5a2731e5df3c9398a66ffc18cbcf3    
  
author   : Alvaro Herrera <[email protected]>    
date     : Fri, 7 Feb 2020 18:27:18 -0300    
  
committer: Alvaro Herrera <[email protected]>    
date     : Fri, 7 Feb 2020 18:27:18 -0300    

On a multi-level partioned table, when adding a partition not directly  
connected to the root table, foreign key constraints referencing the  
root were not cloned to the new partition, leading to the FK being  
possibly inadvertently violated later on.  
  
This was caused by fuzzy thinking in CloneFkReferenced (commit  
f56f8f8da6af): it was skipping constraints marked as having parents on  
the theory that cloning those would create duplicates; but that's only  
correct for the top level of the partitioning hierarchy.  For levels  
below that one, such constraints must still be considered and only  
skipped if later on we see that we'd create duplicates.  Apparently, I  
(Álvaro) wrote the comments right but the code implemented something  
slightly different.  
  
Author: Jehan-Guillaume de Rorthais  
Discussion: https://postgr.es/m/20200206004948.238352db@firost  

commit   : ce054a8cd4f4faf3479050feb5d8fa08545f4c5c    
  
author   : Alvaro Herrera <[email protected]>    
date     : Fri, 7 Feb 2020 17:09:36 -0300    
  
committer: Alvaro Herrera <[email protected]>    
date     : Fri, 7 Feb 2020 17:09:36 -0300    

When running TRUNCATE CASCADE on a child of a partitioned table  
referenced by another partitioned table, the truncate was not applied to  
partitions of the referencing table; this could leave rows violating the  
constraint in the referencing partitioned table.  Repair by walking the  
pg_constraint chain all the way up to the topmost referencing table.  
  
Note: any partitioned tables containing FKs that reference other  
partitioned tables should be checked for possible violating rows, if  
TRUNCATE has occurred in partitions of the referenced table.  
  
Reported-by: Christophe Courtois  
Author: Jehan-Guillaume de Rorthais  
Discussion: https://postgr.es/m/20200204183906.115f693e@firost  

commit   : 598b466e80d9f46aa1472d4f1adb1df90be8c260    
  
author   : Fujii Masao <[email protected]>    
date     : Fri, 7 Feb 2020 22:00:21 +0900    
  
committer: Fujii Masao <[email protected]>    
date     : Fri, 7 Feb 2020 22:00:21 +0900    

Commit 147e3722f7 changed Tid scan so that it calls table_beginscan()  
and uses the scan option for seq scan. This change caused two issues.  
  
(1) The change caused Tid scan to take a predicate lock on the entire  
       relation in serializable transaction even when relation-level  
       lock is not necessary. This could lead to an unexpected  
       serialization error.  
  
(2) The change caused Tid scan to increment the number of seq_scan  
       in pg_stat_*_tables views even though it's not seq scan. This  
       could confuse the users.  
  
This commit adds the scan option for Tid scan and makes Tid scan  
use it, to avoid those issues.  
  
Back-patch to v12, where the bug was introduced.  
  
Author: Tatsuhito Kasahara  
Reviewed-by: Kyotaro Horiguchi, Masahiko Sawada, Fujii Masao  
Discussion: https://postgr.es/m/CAP0=ZVKy+gTbFmB6X_UW0pP3WaeJ-fkUWHoD-pExS=at3CY76g@mail.gmail.com  

commit   : 2f4733993a967ce7f89d1a02c9f12988e9b7ff6f    
  
author   : Michael Paquier <[email protected]>    
date     : Fri, 7 Feb 2020 08:11:01 +0900    
  
committer: Michael Paquier <[email protected]>    
date     : Fri, 7 Feb 2020 08:11:01 +0900    

This reverts commit 41aadee, as the GUC checks could run on older values  
with the new values used, and result in incorrect errors if both  
parameters are changed at the same time.  
  
Per complaint from Tom Lane.  
  
Discussion: https://postgr.es/m/[email protected]  
Backpatch-through: 12  

commit   : 4988d7e96953ac858563e225079b6992810aab22    
  
author   : Fujii Masao <[email protected]>    
date     : Fri, 7 Feb 2020 00:33:11 +0900    
  
committer: Fujii Masao <[email protected]>    
date     : Fri, 7 Feb 2020 00:33:11 +0900    

Inherited queries perform access permission checks on the parent  
table only. But there are two exceptions to this rule in v12 or before;  
TRUNCATE and LOCK TABLE commands through a parent table check  
the permissions on not only the parent table but also the children  
tables. Previously these exceptions were not documented.  
  
This commit adds the note about these exceptions, into the document.  
  
Back-patch to v9.4. But we don't apply this commit to the master  
because commit e6f1e560e4 already got rid of the exception about  
inherited TRUNCATE and upcoming commit will do for the exception  
about inherited LOCK TABLE.  
  
Author: Amit Langote  
Reviewed-by: Fujii Masao  
Discussion: https://postgr.es/m/CA+HiwqHfTnMU6SUkyHxCmpHUKk7ERLHCR3vZVq19ZOQBjPBLmQ@mail.gmail.com  

commit   : c5060c15037e1d45fab78a341cff28f139f2163d    
  
author   : Amit Kapila <[email protected]>    
date     : Thu, 6 Feb 2020 16:00:54 +0530    
  
committer: Amit Kapila <[email protected]>    
date     : Thu, 6 Feb 2020 16:00:54 +0530    

Reported-by: Amit Langote  
Author: Amit Langote  
Backpatch-through: 9.6, where it was introduced  
Discussion: https://postgr.es/m/CA+HiwqFNADeukaaGRmTqANbed9Fd81gLi08AWe_F86_942Gspw@mail.gmail.com  

commit   : 3d214a8e5b7c21a46760b4480227e07977348ebb    
  
author   : Fujii Masao <[email protected]>    
date     : Thu, 6 Feb 2020 14:43:21 +0900    
  
committer: Fujii Masao <[email protected]>    
date     : Thu, 6 Feb 2020 14:43:21 +0900    

Previously PostgreSQL built with -DLWLOCK_STATS could report  
more than one LWLock statistics entries for the same backend  
process and the same LWLock. This is strange and only one  
statistics should be output in that case, instead.  
  
The cause of this issue is that the key variable used for  
LWLock stats hash table was not fully initialized. The key  
consists of two fields and they were initialized. But  
the following 4 bytes allocated in the key variable for  
the alignment was not initialized. So even if the same key  
was specified, hash_search(HASH_ENTER) could not find  
the existing entry for that key and created new one.  
  
This commit fixes this issue by initializing the key  
variable with zero. As the side effect of this commit,  
the volume of LWLock statistics output would be reduced  
very much.  
  
Back-patch to v10, where commit 3761fe3c20 introduced the issue.  
  
Author: Fujii Masao  
Reviewed-by: Julien Rouhaud, Kyotaro Horiguchi  
Discussion: https://postgr.es/m/[email protected]  

commit   : 0e37489ed682d29e8e010abbb1b28fa91237539a    
  
author   : Andrew Gierth <[email protected]>    
date     : Wed, 5 Feb 2020 19:49:47 +0000    
  
committer: Andrew Gierth <[email protected]>    
date     : Wed, 5 Feb 2020 19:49:47 +0000    

Tuple conversion incorrectly concluded that no conversion was needed  
as long as all the attributes lined up. But if the source tuple has a  
missing attribute (from addition of a column with default), then the  
destination tupdesc might not reflect the same default. The typical  
symptom was that the affected columns would be unexpectedly NULL.  
  
Repair by always forcing conversion if the source has missing  
attributes, which will be filled in by the deform operation. (In  
theory we could optimize for when the destination has the same  
default, but that seemed overkill.)  
  
Backpatch to 11 where missing attributes were added.  
  
Per bug #16242.  
  
Vik Fearing (discovery, code, testing) and me (analysis, testcase).  
  
Discussion: https://postgr.es/m/[email protected]  

commit   : 308724bcc3b9c1aeb33ce04e232e5199518fa06a    
  
author   : Alvaro Herrera <[email protected]>    
date     : Wed, 5 Feb 2020 15:06:11 -0300    
  
committer: Alvaro Herrera <[email protected]>    
date     : Wed, 5 Feb 2020 15:06:11 -0300    

The docs are ambiguous as to which tables would be copied over when the  
copy_data parameter is true in ALTER SUBSCRIPTION ... REFRESH PUBLICATION.  
Make it clear that it only applies to tables which are new in the  
publication.  
  
Author: David Christensen (reword by Álvaro Herrera)  
Discussion: https://postgr.es/m/[email protected]  

commit   : 78a26c3edd85b439265c067c45f04ce017c2eaff    
  
author   : Noah Misch <[email protected]>    
date     : Wed, 5 Feb 2020 08:26:41 -0800    
  
committer: Noah Misch <[email protected]>    
date     : Wed, 5 Feb 2020 08:26:41 -0800    

PostgresNode already retained base directories in such cases.  Stop  
using $SIG{__DIE__}, which is redundant with the exit status check, in  
lieu of proliferating it to TestLib.  Back-patch to 9.6, where commit  
88802e068017bee8cea7a5502a712794e761c7b5 introduced retention on  
failure.  
  
Reviewed by Daniel Gustafsson.  
  
Discussion: https://postgr.es/m/[email protected]  

commit   : 1fb8976b9cdd28f2986d63118fe64c00f600c531    
  
author   : Fujii Masao <[email protected]>    
date     : Thu, 26 Dec 2019 15:07:43 +0900    
  
committer: Fujii Masao <[email protected]>    
date     : Thu, 26 Dec 2019 15:07:43 +0900    

Column defaults may be specified separately for each partition.  
But INSERT via a partitioned table ignores those partition's default values.  
The former is documented, but the latter restriction not.  
This commit adds the note about that restriction into the document.  
  
Back-patch to v10 where partitioning was introduced.  
  
Author: Fujii Masao  
Reviewed-by: Amit Langote  
Discussion: https://postgr.es/m/CAHGQGwEs-59omrfGF7hOHz9iMME3RbKy5ny+iftDx3LHTEn9sA@mail.gmail.com  

commit   : 2e2351bd6c45a77b6462bf73102b5735a4e21379    
  
author   : Thomas Munro <[email protected]>    
date     : Wed, 5 Feb 2020 12:21:03 +1300    
  
committer: Thomas Munro <[email protected]>    
date     : Wed, 5 Feb 2020 12:21:03 +1300    

Commit 74618e77 added a new check intended to fix a bug, but put  
it in the wrong place so that parallel btree build was always  
disabled.  Do the check after we've actually tried to create  
a DSM segment.  Back-patch to 11, like the earlier commit.  
  
Reviewed-by: Peter Geoghegan  
Discussion: https://postgr.es/m/CAH2-WzmDABkJzrNnvf%2BOULK-_A_j9gkYg_Dz-H62jzNv4eKQTw%40mail.gmail.com  

commit   : 9a85860e12aa218731637d76f043199a0e7a4493    
  
author   : Tom Lane <[email protected]>    
date     : Tue, 4 Feb 2020 13:07:13 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Tue, 4 Feb 2020 13:07:13 -0500    

Commit 499be013d added this field in a rather poorly-thought-through  
manner, with the result being that rather than being a field of the  
Append or MergeAppend plan node as intended (and as it seems to be,  
in text format), it was actually an element of the "Plans" subgroup.  
At least in JSON format, that's flat out invalid syntax, because  
"Plans" is an array not an object.  
  
While it's not hard to move the generation of the field so that it  
appears where it's supposed to, this does result in a visible change  
in field order in text format, in cases where a Append or MergeAppend  
plan node has any InitPlans attached.  That's slightly annoying to  
do in stable branches; but the alternative of continuing to emit  
broken non-text formats seems worse.  
  
Also, since the set of fields emitted is not supposed to be  
data-dependent in non-text formats, make sure that "Subplans Removed"  
appears in Append and MergeAppend nodes even when it's zero, in those  
formats.  (The previous coding made it look like it could appear in  
some other node types such as BitmapAnd, but we don't actually support  
runtime pruning there, so don't emit it in those cases.)  
  
Per bug #16171 from Mahadevan Ramachandran.  Fix by Daniel Gustafsson  
and Tom Lane, reviewed by Hamid Akhtar.  Back-patch to v11 where this  
code came in.  
  
Discussion: https://postgr.es/m/[email protected]  

commit   : 42e3187a8204486823efe70a3ad6db6404047a02    
  
author   : Alvaro Herrera <[email protected]>    
date     : Mon, 3 Feb 2020 18:59:12 -0300    
  
committer: Alvaro Herrera <[email protected]>    
date     : Mon, 3 Feb 2020 18:59:12 -0300    

When replica identity is FULL (an admittedly unusual case), the loop  
that searches for tuples in execReplication.c didn't stop scanning the  
table when once a matching tuple was found.  Add the missing 'break'.  
  
Note slight behavior change: we now return the first matching tuple  
rather than the last one.  They are supposed to be indistinguishable  
anyway, so this shouldn't matter.  
  
Author: Konstantin Knizhnik  
Discussion: https://postgr.es/m/[email protected]  

commit   : 0d9f307cf82a96bc7945c9eb86328abc14e55736    
  
author   : Fujii Masao <[email protected]>    
date     : Mon, 3 Feb 2020 12:37:59 +0900    
  
committer: Fujii Masao <[email protected]>    
date     : Mon, 3 Feb 2020 12:37:59 +0900    

This commit reverts the fix "Make inherited TRUNCATE perform access  
permission checks on parent table only" only in the back branches.  
  
It's not hard to imagine that there are some applications expecting  
the old behavior and the fix breaks their security. To avoid this  
compatibility problem, we decided to apply the fix only in HEAD and  
revert it in all supported back branches.  
  
Discussion: https://postgr.es/m/[email protected]  

commit   : 24dd34af1435a2a97e8b67d82328e45d0ac51413    
  
author   : Thomas Munro <[email protected]>    
date     : Sat, 1 Feb 2020 14:29:13 +1300    
  
committer: Thomas Munro <[email protected]>    
date     : Sat, 1 Feb 2020 14:29:13 +1300    

If we attempt to create a DSM segment when no slots are available,  
we should return the memory to the operating system.  Previously  
we did that if the DSM_CREATE_NULL_IF_MAXSEGMENTS flag was  
passed in, but we didn't do it if an error was raised.  Repair.  
  
Back-patch to 9.4, where DSM segments arrived.  
  
Author: Thomas Munro  
Reviewed-by: Robert Haas  
Reported-by: Julian Backes  
Discussion: https://postgr.es/m/CA%2BhUKGKAAoEw-R4om0d2YM4eqT1eGEi6%3DQot-3ceDR-SLiWVDw%40mail.gmail.com  

commit   : 65aa155135a5c7c913bcb042c51d72eaad53582f    
  
author   : Tom Lane <[email protected]>    
date     : Fri, 31 Jan 2020 17:03:55 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Fri, 31 Jan 2020 17:03:55 -0500    

Commit fc7695891 changed CheckAttributeType to recurse into ranges,  
but made it pass down the wrong collation (always InvalidOid, since  
ranges as such have no collation).  This would result in guaranteed  
failure when considering a range type whose subtype is collatable.  
  
Embarrassingly, we lack any regression tests that would expose such  
a problem (but fortunately, somebody noticed before we shipped this  
bug in any release).  
  
Fix it to pass down the range's subtype collation property instead,  
and add some regression test cases to exercise collatable-subtype  
ranges a bit more.  Back-patch to all supported branches, as the  
previous patch was.  
  
Report and patch by Julien Rouhaud, test cases tweaked by me  
  
Discussion: https://postgr.es/m/CAOBaU_aBWqNweiGUFX0guzBKkcfJ8mnnyyGC_KBQmO12Mj5f_A@mail.gmail.com  

commit   : 0c84199f71e0bf2c192f6ec666e041fd7d9099c9    
  
author   : Tom Lane <[email protected]>    
date     : Fri, 31 Jan 2020 14:41:49 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Fri, 31 Jan 2020 14:41:49 -0500    

If we failed to fork a worker process, or create a communication pipe  
for one, WaitForTerminatingWorkers would suffer an assertion failure  
if assert-enabled, otherwise crash or go into an infinite loop.  This  
was a consequence of not accounting for the startup condition where  
we've not yet forked all the workers.  
  
The original bug was that ParallelBackupStart would set workerStatus to  
WRKR_IDLE before it had successfully forked a worker.  I made things  
worse in commit b7b8cc0cf by not understanding the undocumented fact  
that the WRKR_TERMINATED state was also meant to represent the case  
where a worker hadn't been started yet: I changed enum T_WorkerStatus  
so that *all* the worker slots were initially in WRKR_IDLE state.  But  
this wasn't any more broken in practice, since even one slot in the  
wrong state would keep WaitForTerminatingWorkers from terminating.  
  
In v10 and later, introduce an explicit T_WorkerStatus value for  
worker-not-started, in hopes of preventing future oversights of the  
same ilk.  Before that, just document that WRKR_TERMINATED is supposed  
to cover that case (partly because it wasn't actively broken, and  
partly because the enum is exposed outside parallel.c in those branches,  
so there's microscopically more risk involved in changing it).  
In all branches, introduce a WORKER_IS_RUNNING status test macro  
to hide which T_WorkerStatus values mean that, and be more careful  
not to access ParallelSlot fields till we're sure they're valid.  
  
Per report from Vignesh C, though this is my patch not his.  
Back-patch to all supported branches.  
  
Discussion: https://postgr.es/m/CALDaNm1Luv-E3sarR+-unz-BjchquHHyfP+YC+2FS2pt_J+wxg@mail.gmail.com  

commit   : 706ad6a4df3aa04a83fea07d907057d379f04d40    
  
author   : Michael Paquier <[email protected]>    
date     : Fri, 31 Jan 2020 13:58:05 +0900    
  
committer: Michael Paquier <[email protected]>    
date     : Fri, 31 Jan 2020 13:58:05 +0900    

Oversight in commit b0afdca.  

commit   : a4484a6489291d3160767d57ab538f1de6698c21    
  
author   : Tom Lane <[email protected]>    
date     : Thu, 30 Jan 2020 18:25:55 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Thu, 30 Jan 2020 18:25:55 -0500    

Very recent gcc complains that PLyObject_ToJsonbValue could return  
a pointer to a local variable.  I think it's wrong; but the coding  
is fragile enough, and the savings of one palloc() minimal enough,  
that it seems better to just do a palloc() all the time.  (My other  
idea of tweaking the if-condition doesn't suppress the warning.)  
  
Back-patch to v11 where this code was introduced.  
  
Discussion: https://postgr.es/m/[email protected]  

commit   : 1fcf62e0b837c1b814a86f3abf92ad4d36ca30e6    
  
author   : Thomas Munro <[email protected]>    
date     : Fri, 31 Jan 2020 10:25:34 +1300    
  
committer: Thomas Munro <[email protected]>    
date     : Fri, 31 Jan 2020 10:25:34 +1300    

If no DSM slots are available, a ParallelContext can still be  
created, but its seg pointer is NULL.  Teach parallel btree build  
to cope with that by falling back to a regular non-parallel build,  
to avoid crashing with a segmentation fault.  
  
Back-patch to 11, where parallel CREATE INDEX landed.  
  
Reported-by: Nicola Contu  
Reviewed-by: Peter Geoghegan  
Discussion: https://postgr.es/m/CA%2BhUKGJgJEBnkuODBVomyK3MWFvDBbMVj%3Dgdt6DnRPU-5sQ6UQ%40mail.gmail.com  

commit   : de0177788bf3f0531af32cd5143a73e1234862d3    
  
author   : Fujii Masao <[email protected]>    
date     : Fri, 31 Jan 2020 00:42:06 +0900    
  
committer: Fujii Masao <[email protected]>    
date     : Fri, 31 Jan 2020 00:42:06 +0900    

Previously, TRUNCATE command through a parent table checked the  
permissions on not only the parent table but also the children tables  
inherited from it. This was a bug and inherited queries should perform  
access permission checks on the parent table only. This commit fixes  
that bug.  
  
Back-patch to all supported branches.  
  
Author: Amit Langote  
Reviewed-by: Fujii Masao  
Discussion: https://postgr.es/m/CAHGQGwFHdSvifhJE+-GSNqUHSfbiKxaeQQ7HGcYz6SC2n_oDcg@mail.gmail.com  

commit   : 3228512b7b2b6767b5f34768a958ed812118aa4d    
  
author   : Michael Paquier <[email protected]>    
date     : Thu, 30 Jan 2020 11:15:28 +0900    
  
committer: Michael Paquier <[email protected]>    
date     : Thu, 30 Jan 2020 11:15:28 +0900    

Advancing a physical replication slot with pg_replication_slot_advance()  
did not mark the slot as dirty if any advancing was done, preventing the  
follow-up checkpoint to flush the slot data to disk.  This caused the  
advancing to be lost even on clean restarts.  This does not happen for  
logical slots as any advancing marked the slot as dirty.  Per  
discussion, the original feature has been implemented so as in the event  
of a crash the slot may move backwards to a past LSN.  This property is  
kept and more documentation is added about that.  
  
This commit adds some new TAP tests to check the persistency of physical  
and logical slots after advancing across clean restarts.  
  
Author: Alexey Kondratov, Michael Paquier  
Reviewed-by: Andres Freund, Kyotaro Horiguchi, Craig Ringer  
Discussion: https://postgr.es/m/[email protected]  
Backpatch-through: 11  

commit   : b558f6da61c47b2be270dfbeed210c418601be82    
  
author   : Michael Paquier <[email protected]>    
date     : Wed, 29 Jan 2020 15:08:26 +0900    
  
committer: Michael Paquier <[email protected]>    
date     : Wed, 29 Jan 2020 15:08:26 +0900    

channel_binding's longest allowed value is not "7", it is actually "8".  
gssencmode also got that wrong.  
  
A similar mistake has been fixed as of f4051e3.  
  
Backpatch down to v12, where gssencmode has been introduced.  
  
Reviewed-by: Daniel Gustafsson  
Discussion: https://postgr.es/m/[email protected]  
Backpatch-through: 12  

commit   : 87fed2a197abc1397b63ee74b3fa7eb20471fff5    
  
author   : Tom Lane <[email protected]>    
date     : Tue, 28 Jan 2020 17:26:37 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Tue, 28 Jan 2020 17:26:37 -0500    

EvalPlanQualStart() supposed that it could re-use the relsubs_rowmark  
and relsubs_done arrays from a prior instantiation.  But since they are  
allocated in the es_query_cxt of the recheckestate, that's just wrong;  
EvalPlanQualEnd() will blow away that storage.  Therefore we were using  
storage that could have been reallocated to something else, causing all  
sorts of havoc.  
  
I think this was modeled on the old code's handling of es_epqTupleSlot,  
but since the code was anyway clearing the arrays at re-use, there's  
clearly no expectation of importing any outside state.  So it's just  
a dubious savings of a couple of pallocs, which is negligible compared  
to setting up a new planstate tree.  Therefore, just allocate the  
arrays always.  (I moved the allocations slightly for readability.)  
  
In principle this bug could cause a problem whenever EPQ rechecks are  
needed in more than one target table of a ModifyTable plan node.  
In practice it seems not quite so easy to trigger as that; I couldn't  
readily duplicate a crash with a partitioned target table, for instance.  
That's probably down to incidental choices about when to free or  
reallocate stuff.  The added isolation test case does seem to reliably  
show an assertion failure, though.  
  
Per report from Oleksii Kliukin.  Back-patch to v12 where the bug was  
introduced (evidently by commit 3fb307bc4).  
  
Discussion: https://postgr.es/m/[email protected]  

commit   : f9d0be241aacc4913302080594f5a342b8b9dc15    
  
author   : Thomas Munro <[email protected]>    
date     : Mon, 27 Jan 2020 12:52:08 +1300    
  
committer: Thomas Munro <[email protected]>    
date     : Mon, 27 Jan 2020 12:52:08 +1300    

Currently, Parallel Hash Join cannot be used for full/right joins,  
so there is no point in setting the match flag.  It turns out that  
the cache coherence traffic generated by those writes slows down  
large systems running many-core joins, so let's stop doing that.  
In future, if we need to use match bits in parallel joins, we might  
want to consider setting them only if not already set.  
  
Back-patch to 11, where Parallel Hash Join arrived.  
  
Reported-by: Deng, Gang  
Discussion: https://postgr.es/m/0F44E799048C4849BAE4B91012DB910462E9897A%40SHSMSX103.ccr.corp.intel.com  

commit   : bad494380210a76071485c5d8624334c4389dd88    
  
author   : Tom Lane <[email protected]>    
date     : Sun, 26 Jan 2020 16:31:48 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Sun, 26 Jan 2020 16:31:48 -0500    

In non-TEXT output formats, the "Settings" field should appear when  
requested, even if it would be empty.  
  
Also, get rid of the premature optimization of counting all the  
GUC_EXPLAIN variables at startup.  Since there was no provision for  
adjusting that count later, all it'd take would be some extension marking  
a parameter as GUC_EXPLAIN to risk an assertion failure or memory stomp.  
We could make get_explain_guc_options() count those variables on-the-fly,  
or dynamically resize its array ... but TBH I do not think that making a  
transient array of pointers a bit smaller is worth any extra complication,  
especially when you consider all the other transient space EXPLAIN eats.  
So just allocate that array at the max possible size.  
  
In HEAD, also add some regression test coverage for this feature.  
  
Because of the memory-stomp hazard, back-patch to v12 where this  
feature was added.  
  
Discussion: https://postgr.es/m/[email protected]  

commit   : 7294f99a0b2043cf9b34a9a59ecb3dfbfae94f85    
  
author   : Tom Lane <[email protected]>    
date     : Sun, 26 Jan 2020 14:31:08 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Sun, 26 Jan 2020 14:31:08 -0500    

In a statement like "UPDATE remote_tab SET (x,y) = (SELECT ...)",  
we'd conclude that the statement could be directly executed remotely,  
because the sub-SELECT is in a resjunk tlist item that's not examined  
for shippability.  Currently that ends up crashing if the sub-SELECT  
contains any remote Vars.  Prevent the crash by deeming MULTIEXEC  
Params to be unshippable.  
  
This is a bit of a brute-force solution, since if the sub-SELECT  
*doesn't* contain any remote Vars, the current execution technology  
would work; but that's not a terribly common use-case for this syntax,  
I think.  In any case, we generally don't try to ship sub-SELECTs, so  
it won't surprise anybody that this doesn't end up as a remote direct  
update.  I'd be inclined to see if that general limitation can be fixed  
before worrying about this case further.  
  
Per report from Lukáš Sobotka.  
  
Back-patch to 9.6.  9.5 had MULTIEXPR, but we didn't try to perform  
remote direct updates then, so the case didn't arise anyway.  
  
Discussion: https://postgr.es/m/CAJif3k+iA_ekBB5Zw2hDBaE1wtiQa4LH4_JUXrrMGwTrH0J01Q@mail.gmail.com  

commit   : c4c76d198e3db48ac390a46eab66bcaf1d734a2c    
  
author   : Michael Paquier <[email protected]>    
date     : Fri, 24 Jan 2020 09:55:51 +0900    
  
committer: Michael Paquier <[email protected]>    
date     : Fri, 24 Jan 2020 09:55:51 +0900    

Only the parameter parallel_workers can be used directly with ALTER  
TABLE.  
  
Issue introduced in 6f3a13f, so backpatch down to 10.  
  
Author: Justin Pryzby  
Discussion: https://postgr.es/m/[email protected]  
Backpatch-through: 10  

commit   : f309c812ed3106def62e940ca54718c7eeda8694    
  
author   : Tom Lane <[email protected]>    
date     : Thu, 23 Jan 2020 16:15:32 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Thu, 23 Jan 2020 16:15:32 -0500    

I had supposed that the from_char_seq_search() call sites were  
all passing the constant arrays you'd expect them to pass ...  
but on looking closer, the one for DY format was passing the  
days[] array not days_short[].  This accidentally worked because  
the day abbreviations in English are all the same as the first  
three letters of the full day names.  However, once we took out  
the "maximum comparison length" logic, it stopped working.  
  
As penance for that oversight, add regression test cases covering  
this, as well as every other switch case in DCH_from_char() that  
was not reached according to the code coverage report.  
  
Also, fold the DCH_RM and DCH_rm cases into one --- now that  
seq_search is case independent, there's no need to pass different  
comparison arrays for those cases.  
  
Back-patch, as the previous commit was.  

commit   : be13f227febc386a892c8beedc2eb00938a57d2c    
  
author   : Tom Lane <[email protected]>    
date     : Thu, 23 Jan 2020 13:42:10 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Thu, 23 Jan 2020 13:42:10 -0500    

seq_search(), which is used to match input substrings to constants  
such as month and day names, had a lot of bizarre and unnecessary  
behaviors.  It was mostly possible to avert our eyes from that before,  
but we don't want to duplicate those behaviors in the upcoming patch  
to allow recognition of non-English month and day names.  So it's time  
to clean this up.  In particular:  
  
* seq_search scribbled on the input string, which is a pretty dangerous  
thing to do, especially in the badly underdocumented way it was done here.  
Fortunately the input string is a temporary copy, but that was being made  
three subroutine levels away, making it something easy to break  
accidentally.  The behavior is externally visible nonetheless, in the form  
of odd case-folding in error reports about unrecognized month/day names.  
The scribbling is evidently being done to save a few calls to pg_tolower,  
but that's such a cheap function (at least for ASCII data) that it's  
pretty pointless to worry about.  In HEAD I switched it to be  
pg_ascii_tolower to ensure it is cheap in all cases; but there are corner  
cases in Turkish where this'd change behavior, so leave it as pg_tolower  
in the back branches.  
  
* seq_search insisted on knowing the case form (all-upper, all-lower,  
or initcap) of the constant strings, so that it didn't have to case-fold  
them to perform case-insensitive comparisons.  This likewise seems like  
excessive micro-optimization, given that pg_tolower is certainly very  
cheap for ASCII data.  It seems unsafe to assume that we know the case  
form that will come out of pg_locale.c for localized month/day names, so  
it's better just to define the comparison rule as "downcase all strings  
before comparing".  (The choice between downcasing and upcasing is  
arbitrary so far as English is concerned, but it might not be in other  
locales, so follow citext's lead here.)  
  
* seq_search also had a parameter that'd cause it to report a match  
after a maximum number of characters, even if the constant string were  
longer than that.  This was not actually used because no caller passed  
a value small enough to cut off a comparison.  Replicating that behavior  
for localized month/day names seems expensive as well as useless, so  
let's get rid of that too.  
  
* from_char_seq_search used the maximum-length parameter to truncate  
the input string in error reports about not finding a matching name.  
This leads to rather confusing reports in many cases.  Worse, it is  
outright dangerous if the input string isn't all-ASCII, because we  
risk truncating the string in the middle of a multibyte character.  
That'd lead either to delivering an illegible error message to the  
client, or to encoding-conversion failures that obscure the actual  
data problem.  Get rid of that in favor of truncating at whitespace  
if any (a suggestion due to Alvaro Herrera).  
  
In addition to fixing these things, I const-ified the input string  
pointers of DCH_from_char and its subroutines, to make sure there  
aren't any other scribbling-on-input problems.  
  
The risk of generating a badly-encoded error message seems like  
enough of a bug to justify back-patching, so patch all supported  
branches.  
  
Discussion: https://postgr.es/m/[email protected]  

commit   : 817a1b88ac669a71b5f0f78cbfe84a73ae8abfd3    
  
author   : Michael Paquier <[email protected]>    
date     : Wed, 22 Jan 2020 09:49:24 +0900    
  
committer: Michael Paquier <[email protected]>    
date     : Wed, 22 Jan 2020 09:49:24 +0900    

Attempting to use CREATE INDEX, DROP INDEX or REINDEX with CONCURRENTLY  
on a temporary relation with ON COMMIT actions triggered unexpected  
errors because those operations use multiple transactions internally to  
complete their work.  Here is for example one confusing error when using  
ON COMMIT DELETE ROWS:  
ERROR:  index "foo" already contains data  
  
Issues related to temporary relations and concurrent indexing are fixed  
in this commit by enforcing the non-concurrent path to be taken for  
temporary relations even if using CONCURRENTLY, transparently to the  
user.  Using a non-concurrent path does not matter in practice as locks  
cannot be taken on a temporary relation by a session different than the  
one owning the relation, and the non-concurrent operation is more  
effective.  
  
The problem exists with REINDEX since v12 with the introduction of  
CONCURRENTLY, and with CREATE/DROP INDEX since CONCURRENTLY exists for  
those commands.  In all supported versions, this caused only confusing  
error messages to be generated.  Note that with REINDEX, it was also  
possible to issue a REINDEX CONCURRENTLY for a temporary relation owned  
by a different session, leading to a server crash.  
  
The idea to enforce transparently the non-concurrent code path for  
temporary relations comes originally from Andres Freund.  
  
Reported-by: Manuel Rigger  
Author: Michael Paquier, Heikki Linnakangas  
Reviewed-by: Andres Freund, Álvaro Herrera, Heikki Linnakangas  
Discussion: https://postgr.es/m/CA+u7OA6gP7YAeCguyseusYcc=uR8+ypjCcgDDCTzjQ+k6S9ksQ@mail.gmail.com  
Backpatch-through: 9.4  

commit   : 21fdfd0e8d223a31aeed2b167e6ce4f653e9c51c    
  
author   : Andres Freund <[email protected]>    
date     : Mon, 20 Jan 2020 23:26:51 -0800    
  
committer: Andres Freund <[email protected]>    
date     : Mon, 20 Jan 2020 23:26:51 -0800    

The code checking whether an aggregate transition value needs to be  
reparented into the current context has always only compared the  
transition return value with the previous transition value by datum,  
i.e. without regard for NULLness.  This normally works, because when  
the transition function returns NULL (via fcinfo->isnull), it'll  
return a value that won't be the same as its input value.  
  
But there's no hard requirement that that's the case. And it turns  
out, it's possible to hit this case (see discussion or reproducers),  
leading to a non-null transition value not being reparented, followed  
by a crash caused by that.  
  
Instead of adding another comparison of NULLness, instead have  
ExecAggTransReparent() ensure that pergroup->transValue ends up as 0  
when the new transition value is NULL. That avoids having to add an  
additional branch to the much more common cases of the transition  
function returning the old transition value (which is a pointer in  
this case), and when the new value is different, but not NULL.  
  
In branches since 69c3936a149, also deduplicate the reparenting code  
between the expression evaluation based transitions, and the path for  
ordered aggregates.  
  
Reported-By: Teodor Sigaev, Nikita Glukhov  
Author: Andres Freund  
Discussion: https://postgr.es/m/[email protected]  
Backpatch: 9.4-, this issue has existed since at least 7.4  

commit   : ef8e6b2c2ba05f27b7bbfcb1a180db07d1c274ee    
  
author   : Michael Paquier <[email protected]>    
date     : Tue, 21 Jan 2020 13:46:55 +0900    
  
committer: Michael Paquier <[email protected]>    
date     : Tue, 21 Jan 2020 13:46:55 +0900    

This helps integration of extensions with Windows.  The following  
parameters are changed:  
- idle_in_transaction_session_timeout (9.6 and newer versions)  
- lock_timeout  
- statement_timeout  
- track_activities  
- track_counts  
- track_functions  
  
Author: Pascal Legrand  
Reviewed-by: Amit Kamila, Julien Rouhaud, Michael Paquier  
Discussion: https://postgr.es/m/[email protected]  
Backpatch-through: 9.4  

commit   : 71b121f425486c2a02f88f90e2a7c852182b5af0    
  
author   : Tom Lane <[email protected]>    
date     : Mon, 20 Jan 2020 12:57:17 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Mon, 20 Jan 2020 12:57:17 -0500    

sigTermHandler() tried to be careful to invoke only operations that  
are safe to do in a signal handler.  But for some reason we forgot  
that exit(3) is not among those, because it calls atexit handlers  
that might do various random things.  (pg_dump itself installs no  
atexit handlers, but e.g. OpenSSL does.)  That led to crashes or  
lockups when attempting to terminate a parallel dump or restore  
via a signal.  
  
Fix by calling _exit() instead.  
  
Per bug #16199 from Raúl Marín.  Back-patch to all supported branches.  
  
Discussion: https://postgr.es/m/[email protected]  

commit   : fd436bba01f6df843a9f421669c02e2b970fdc7a    
  
author   : Heikki Linnakangas <[email protected]>    
date     : Mon, 20 Jan 2020 10:36:35 +0200    
  
committer: Heikki Linnakangas <[email protected]>    
date     : Mon, 20 Jan 2020 10:36:35 +0200    

The BRIN add_value() and union() functions need to make a longer-lived  
copy of the argument, if they want to store it in the BrinValues struct  
also passed as argument. The functions for the "inclusion operator  
classes" used with box, range and inet types didn't take into account  
that the union helper function might return its argument as is, without  
making a copy. Check for that case, and make a copy if necessary. That  
case arises at least with the range_union() function, when one of the  
arguments is an 'empty' range:  
  
CREATE TABLE brintest (n numrange);  
CREATE INDEX brinidx ON brintest USING brin (n);  
INSERT INTO brintest VALUES ('empty');  
INSERT INTO brintest VALUES (numrange(0, 2^1000::numeric));  
INSERT INTO brintest VALUES ('(-1, 0)');  
  
SELECT brin_desummarize_range('brinidx', 0);  
SELECT brin_summarize_range('brinidx', 0);  
  
Backpatch down to 9.5, where BRIN was introduced.  
  
Discussion: https://www.postgresql.org/message-id/e6e1d6eb-0a67-36aa-e779-bcca59167c14%40iki.fi  
Reviewed-by: Emre Hasegeli, Tom Lane, Alvaro Herrera  

commit   : c7c2cc67007741338a36a8d7aa86e23600aa5e18    
  
author   : Tom Lane <[email protected]>    
date     : Sun, 19 Jan 2020 19:15:15 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Sun, 19 Jan 2020 19:15:15 -0500    

ecpg_build_params() would crash on a null pointer dereference if  
realloc() failed, due to updating the persistent "stmt" struct  
too aggressively.  (Even without the crash, this would've leaked  
the old storage that we were trying to realloc.)  
  
Per Coverity.  This seems to have been broken in commit 0cc050794,  
so back-patch into v12.  

commit   : ac2dcca5dfe62177fd871a8f4f71430a1c92382c    
  
author   : Michael Paquier <[email protected]>    
date     : Sat, 18 Jan 2020 12:32:55 +0900    
  
committer: Michael Paquier <[email protected]>    
date     : Sat, 18 Jan 2020 12:32:55 +0900    

Mixing incorrect bounds set in the SSL context leads to confusing error  
messages generated by OpenSSL which are hard to act on.  New checks are  
added within the GUC machinery to improve the user experience as they  
apply to any SSL implementation, not only OpenSSL, and doing the checks  
beforehand avoids the creation of a SSL during a reload (or startup)  
which we know will never be used anyway.  
  
Backpatch down to 12, as those parameters have been introduced by  
e73e67c.  
  
Author: Michael Paquier  
Reviewed-by: Daniel Gustafsson  
Discussion: https://postgr.es/m/[email protected]  
Backpatch-through: 12  

commit   : 2e2646060e18461de24e3585344095664dc7727b    
  
author   : Tom Lane <[email protected]>    
date     : Fri, 17 Jan 2020 16:17:17 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Fri, 17 Jan 2020 16:17:17 -0500    

Commit 9b63c13f0 turns out to have been fundamentally misguided:  
the parent node's subPlan list is by no means the only way in which  
a child SubPlan node can be hooked into the outer execution state.  
As shown in bug #16213 from Matt Jibson, we can also get short-lived  
tuple table slots added to the outer es_tupleTable list.  At this point  
I have little faith that there aren't other possible connections as  
well; the long time it took to notice this problem shows that this  
isn't a heavily-exercised situation.  
  
Therefore, revert that fix, returning to the coding that passed a  
NULL parent plan pointer down to the transiently-built subexpressions.  
That gives us a pretty good guarantee that they won't hook into the  
outer executor state in any way.  But then we need some other solution  
to make SubPlans work.  Adopt the solution speculated about in the  
previous commit's log message: do expression initialization at plan  
startup for just those VALUES rows containing SubPlans, abandoning the  
goal of reclaiming memory intra-query for those rows.  In practice it  
seems unlikely that queries containing a vast number of VALUES rows  
would be using SubPlans in them, so this should not give up much.  
  
(BTW, this test case also refutes my claim in connection with the prior  
commit that the issue only arises with use of LATERAL.  That was just  
wrong: some variants of SubLink always produce SubPlans.)  
  
As with previous patch, back-patch to all supported branches.  
  
Discussion: https://postgr.es/m/[email protected]  

commit   : bc2140627ff14c207a0af990b8ea3860e188e6b1    
  
author   : Alvaro Herrera <[email protected]>    
date     : Fri, 17 Jan 2020 18:00:39 -0300    
  
committer: Alvaro Herrera <[email protected]>    
date     : Fri, 17 Jan 2020 18:00:39 -0300    

... specifically, set it incrementally as each individual change is  
spilled down to disk.  This way, it is set correctly when the  
transaction disappears without trace, ie. without leaving an XACT_ABORT  
wal record.  (This happens when the server crashes midway through a  
transaction.)  
  
Failing to have final_lsn prevents ReorderBufferRestoreCleanup() from  
working, since it needs the final_lsn in order to know the endpoint of  
its iteration through spilled files.  
  
Commit df9f682c7bf8 already tried to fix the problem, but it didn't set  
the final_lsn in all cases.  Revert that, since it's no longer needed.  
  
Author: Vignesh C  
Reviewed-by: Amit Kapila, Dilip Kumar  
Discussion: https://postgr.es/m/CALDaNm2CLk+K9JDwjYST0sPbGg5AQdvhUt0jbKyX_HdAE0jk3A@mail.gmail.com  

commit   : 162c951dfe8f0a894f2832e04aacfc3a0a7bf50c    
  
author   : Tomas Vondra <[email protected]>    
date     : Fri, 17 Jan 2020 14:06:28 +0100    
  
committer: Tomas Vondra <[email protected]>    
date     : Fri, 17 Jan 2020 14:06:28 +0100    

The bitmap used by SlabCheck to cross-check free chunks in a block used  
to be allocated for each SlabCheck call, and was never freed. The memory  
leak could be fixed by simply adding a pfree call, but it's actually a  
bad idea to do any allocations in SlabCheck at all as it assumes the  
state of the memory management as a whole is sane.  
  
So instead we allocate the bitmap as part of SlabContext, which means  
we don't need to do any allocations in SlabCheck and the bitmap goes  
away together with the SlabContext.  
  
Backpatch to 10, where the Slab context was introduced.  
  
Author: Tomas Vondra  
Reported-by: Andres Freund  
Reviewed-by: Tom Lane  
Backpatch-through: 10  
Discussion: https://www.postgresql.org/message-id/20200116044119.g45f7pmgz4jmodxj%40alap3.anarazel.de  

commit   : 0fca3d0a4ec297bff5a5cb01dfe345e0f63d7d63    
  
author   : Michael Paquier <[email protected]>    
date     : Wed, 15 Jan 2020 13:58:41 +0900    
  
committer: Michael Paquier <[email protected]>    
date     : Wed, 15 Jan 2020 13:58:41 +0900    

The logic introduced in this routine as of 246a6c8 would report an  
incorrect result when a session calls it to check if the temporary  
namespace owned by the session is in use or not.  It is possible to  
optimize more the routine in this case to avoid a PGPROC lookup, but  
let's keep the logic simple.  As this routine is used only by autovacuum  
for now, there were no live bugs, still let's be correct for any future  
code involving it.  
  
Author: Michael Paquier  
Reviewed-by: Julien Rouhaud  
Discussion: https://postgr.es/m/[email protected]  
Backpatch-through: 11  

commit   : 29af9c542f6cdc9a6456b175fdcdfe7a28b77d6c    
  
author   : Bruce Momjian <[email protected]>    
date     : Tue, 14 Jan 2020 13:13:04 -0500    
  
committer: Bruce Momjian <[email protected]>    
date     : Tue, 14 Jan 2020 13:13:04 -0500    

The new wording was determined to be more accurate.  Also, update  
release note links that reference these sections.  
  
Reported-by: [email protected]  
  
Discussion: https://postgr.es/m/[email protected]  
  
Backpatch-through: 9.6  

commit   : fd5476b79c2ff63dd32e154198f8201553180e58    
  
author   : Dean Rasheed <[email protected]>    
date     : Tue, 14 Jan 2020 09:51:28 +0000    
  
committer: Dean Rasheed <[email protected]>    
date     : Tue, 14 Jan 2020 09:51:28 +0000    

A view with conditional INSTEAD rules and no unconditional INSTEAD  
rules or INSTEAD OF triggers is not auto-updatable. Previously we  
relied on a check in the executor to catch this, but that's  
problematic since the planner may fail to properly handle such a query  
and thus return a particularly unhelpful error to the user, before  
reaching the executor check.  
  
Instead, trap this in the rewriter and report the correct error there.  
Doing so also allows us to include more useful error detail than the  
executor check can provide. This doesn't change the existing behaviour  
of updatable views; it merely ensures that useful error messages are  
reported when a view isn't updatable.  
  
Per report from Pengzhou Tang, though not adopting that suggested fix.  
Back-patch to all supported branches.  
  
Discussion: https://postgr.es/m/CAG4reAQn+4xB6xHJqWdtE0ve_WqJkdyCV4P=trYr4Kn8_3_PEA@mail.gmail.com  

commit   : fa1eaebfad436f58a8e6d0201f334edd2553b3d2    
  
author   : Amit Kapila <[email protected]>    
date     : Sat, 11 Jan 2020 10:44:39 +0530    
  
committer: Amit Kapila <[email protected]>    
date     : Sat, 11 Jan 2020 10:44:39 +0530    

This test was trying to test the mechanism to release kernel FDs as needed  
to get us under the max_safe_fds limit in case of spill files.  To do that,  
it needs to set max_files_per_process to a very low value which doesn't  
even permit starting of the server in the case when there are a few already  
opened files.  This test also won't work on platforms where we use one FD  
per semaphore.  
  
Backpatch-through: 10, till where this test was added  
Discussion:  
https://postgr.es/m/CAA4eK1LHhERi06Q+MmP9qBXBBboi+7WV3910J0aUgz71LcnKAw@mail.gmail.com  
https://postgr.es/m/[email protected]  

commit   : bf65f3c8871bcc95a3b4d5bcb5409d3df05c8273    
  
author   : Peter Eisentraut <[email protected]>    
date     : Mon, 13 Jan 2020 13:27:39 +0100    
  
committer: Peter Eisentraut <[email protected]>    
date     : Mon, 13 Jan 2020 13:27:39 +0100    

The use of pg_atoi() for parsing a string into an Oid fails for values  
larger than INT32_MAX, since OIDs are unsigned.  Instead, use  
atooid().  While this has less error checking, the contents of the  
data directory are expected to be trustworthy, so we don't need to go  
out of our way to do full error checking.  
  
Discussion: https://www.postgresql.org/message-id/flat/dea47fc8-6c89-a2b1-07e3-754ff1ab094b%402ndquadrant.com  

commit   : 52bc730381420a8fd9a92e633e217c8ca8c3a54b    
  
author   : Amit Kapila <[email protected]>    
date     : Mon, 13 Jan 2020 14:44:55 +0530    
  
committer: Amit Kapila <[email protected]>    
date     : Mon, 13 Jan 2020 14:44:55 +0530    

Reported-by: Antonin Houska  
Author: Antonin Houska  
Backpatch-through: 11, where it was introduced  
Discussion: https://postgr.es/m/2246.1578900133@antos  

commit   : 70c17a81278c7d727ae5096fbb561bdd58eaadd0    
  
author   : Tom Lane <[email protected]>    
date     : Sun, 12 Jan 2020 14:37:00 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Sun, 12 Jan 2020 14:37:00 -0500    

When estimating the selectivity of "range_var <@ range_constant" or  
"range_var @> range_constant", if the upper (or respectively lower)  
bound of the range_constant was above the last bin of the range_var's  
histogram, the code would access uninitialized memory and potentially  
crash (though it seems the probability of a crash is quite low).  
Handle the endpoint cases explicitly to fix that.  
  
While at it, be more paranoid about the possibility of getting NaN  
or other silly results from the range type's subdiff function.  
And improve some comments.  
  
Ordinarily we'd probably add a regression test case demonstrating  
the bug in unpatched code.  But it's too hard to get it to crash  
reliably because of the uninitialized-memory dependence, so skip that.  
  
Per bug #16122 from Adam Scott.  It's been broken from the beginning,  
apparently, so backpatch to all supported branches.  
  
Diagnosis by Michael Paquier, patch by Andrey Borodin and Tom Lane.  
  
Discussion: https://postgr.es/m/[email protected]  

commit   : 7c21a964ef8a3b51f1fe0571054343ac0941008e    
  
author   : Michael Paquier <[email protected]>    
date     : Sun, 12 Jan 2020 22:44:59 +0900    
  
committer: Michael Paquier <[email protected]>    
date     : Sun, 12 Jan 2020 22:44:59 +0900    

On the publisher, it was assumed that an INSERT change cannot happen for  
a relation with no replica identity.  However this is true only for a  
change that needs references to old rows, aka UPDATE or DELETE, so  
trying to use logical replication with a relation that has no replica  
identity led to an assertion failure in the publisher when issuing an  
INSERT.  This commit removes the incorrect assertion, and adds more  
regression tests to provide coverage for relations without replica  
identity.  
  
Reported-by: Neha Sharma  
Author: Dilip Kumar, Michael Paquier  
Reviewed-by: Andres Freund  
Discussion: https://postgr.es/m/CANiYTQsL1Hb8_Km08qd32svrqNumXLJeoGo014O7VZymgOhZEA@mail.gmail.com  
Backpatch-through: 10  

commit   : fde155424f6779b009f8f01a71af8dd6176a0c81    
  
author   : Tom Lane <[email protected]>    
date     : Sat, 11 Jan 2020 17:14:08 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Sat, 11 Jan 2020 17:14:08 -0500    

Fix assorted bugs in handling of non-blocking I/O when using GSSAPI  
encryption.  The encryption layer could return the wrong status  
information to its caller, resulting in effectively dropping some data  
(or possibly in aborting a not-broken connection), or in a "livelock"  
situation where data remains to be sent but the upper layers think  
transmission is done and just go to sleep.  There were multiple small  
thinkos contributing to that, as well as one big one (failure to think  
through what to do when a send fails after having already transmitted  
data).  Note that these errors could cause failures whether the client  
application asked for non-blocking I/O or not, since both libpq and  
the backend always run things in non-block mode at this level.  
  
Also get rid of use of static variables for GSSAPI inside libpq;  
that's entirely not okay given that multiple connections could be  
open at once inside a single client process.  
  
Also adjust a bunch of random small discrepancies between the frontend  
and backend versions of the send/receive functions -- except for error  
handling, they should be identical, and now they are.  
  
Also extend the Kerberos TAP tests to exercise cases where nontrivial  
amounts of data need to be pushed through encryption.  Before, those  
tests didn't provide any useful coverage at all for the cases of  
interest here.  (They still might not, depending on timing, but at  
least there's a chance.)  
  
Per complaint from pmc@citylink and subsequent investigation.  
Back-patch to v12 where this code was introduced.  
  
Discussion: https://postgr.es/m/[email protected]  

commit   : 93078e63f77979df3752e8ef5392dd384117e0ef    
  
author   : Noah Misch <[email protected]>    
date     : Fri, 10 Jan 2020 18:31:22 -0800    
  
committer: Noah Misch <[email protected]>    
date     : Fri, 10 Jan 2020 18:31:22 -0800    

FileClose() failure ordinarily causes a PANIC.  Suppose the user  
disables that PANIC via data_sync_retry=on.  After mdclose() issued a  
FileClose() that failed, calls into md.c raised SIGSEGV.  This fix adds  
repalloc() calls during mdclose(); update a comment about ignoring  
repalloc() cost.  The rate of relation segment count change is a minor  
factor; more relevant to overall performance is the rate of mdclose()  
and subsequent re-opening of segments.  Back-patch to v10, where commit  
45e191e3aa62d47a8bc1a33f784286b2051f45cb introduced the bug.  
  
Reviewed by Kyotaro Horiguchi.  
  
Discussion: https://postgr.es/m/[email protected]  

commit   : 2e89a1248db51bebd01f41011d439cdf9832eca8    
  
author   : Michael Paquier <[email protected]>    
date     : Fri, 10 Jan 2020 09:37:16 +0900    
  
committer: Michael Paquier <[email protected]>    
date     : Fri, 10 Jan 2020 09:37:16 +0900    

Reported-by: Tham Nguyen  
Discussion: https://postgr.es/m/[email protected]  
Backpatch-through: 9.4  

commit   : e05a3b490a258293c017bd107813c2d78813fab0    
  
author   : Peter Eisentraut <[email protected]>    
date     : Thu, 9 Jan 2020 16:02:23 +0100    
  
committer: Peter Eisentraut <[email protected]>    
date     : Thu, 9 Jan 2020 16:02:23 +0100    

Author: Vik Fearing <[email protected]>  
Discussion: https://www.postgresql.org/message-id/flat/[email protected]  

commit   : 20c4df8c8d7c54e34e921e770b594582d276f19e    
  
author   : Alvaro Herrera <[email protected]>    
date     : Wed, 8 Jan 2020 14:33:49 -0300    
  
committer: Alvaro Herrera <[email protected]>    
date     : Wed, 8 Jan 2020 14:33:49 -0300    

Make the value null only at pg_stat_activity-output time, as suggested  
by Tom Lane, instead of messing with the internal state.  This should  
appease buildfarm members with force_parallel_mode=regress, which are  
running parallel queries on logical replication walsenders.  
  
The fact that walsenders can run parallel queries should perhaps be  
studied more carefully, but for the moment let's get rid of the red  
blots in buildfarm.  
  
Backpatch to pg10, like the previous commit.  
  
Discussion: https://postgr.es/m/[email protected]  

commit   : c24f3b70efc243bb44a6a4121032f19e2d6e813e    
  
author   : Tom Lane <[email protected]>    
date     : Wed, 8 Jan 2020 09:42:53 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Wed, 8 Jan 2020 09:42:53 -0500    

ALTER TABLE failed if a column referenced in a GENERATED expression  
had been added or changed in type earlier in the ALTER command.  
That's because the GENERATED expression needs to be evaluated  
against the table's updated tuples, but it was being evaluated  
against the original tuples.  (Fortunately the executor has adequate  
cross-checks to notice the mismatch, so we just got an obscure error  
message and not anything more dangerous.)  
  
Per report from Andreas Joseph Krogh.  Back-patch to v12 where  
GENERATED was added.  
  
Discussion: https://postgr.es/m/VisenaEmail.200.231b0a41523275d0.16ea7f800c7@tc7-visena  

commit   : a1c003e5ff82f3dc9fc4bf7a32706e53ae6373bf    
  
author   : Michael Paquier <[email protected]>    
date     : Wed, 8 Jan 2020 10:36:22 +0900    
  
committer: Michael Paquier <[email protected]>    
date     : Wed, 8 Jan 2020 10:36:22 +0900    

This reverts commit a052f6c, following complains from Robert Haas and  
Tom Lane.  Backpatch down to 9.4, like the previous commit.  
  
Discussion: https://postgr.es/m/CA+TgmobL4npEX5=E5h=5Jm_9mZun3MT39Kq2suJFVeamc9skSQ@mail.gmail.com  
Backpatch-through: 9.4  

commit   : fce9ba8192b48d7b4a57a19d92044c4f378a41a0    
  
author   : Alvaro Herrera <[email protected]>    
date     : Tue, 7 Jan 2020 17:38:48 -0300    
  
committer: Alvaro Herrera <[email protected]>    
date     : Tue, 7 Jan 2020 17:38:48 -0300    

Returning a non-NULL time is pointless, sinc a walsender is not a  
process that would be running normal transactions anyway, but the code  
was unintentionally exposing the process start time intermittently,  
which was not only bogus but it also confused monitoring systems looking  
for idle transactions.  Fix by avoiding all updates in walsenders.  
  
Backpatch to 11, where walsenders started appearing in pg_stat_activity.  
  
Reported-by: Tomas Vondra  
Discussion: https://postgr.es/m/20191209234409.exe7osmyalwkt5j4@development  

commit   : b89845267a6b0197e86b5a189d26f90f6a45c05f    
  
author   : Tom Lane <[email protected]>    
date     : Mon, 6 Jan 2020 16:42:20 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Mon, 6 Jan 2020 16:42:20 -0500    

Since the WAL flush position only moves forward, it's safe to cache  
its previous value within each walsender process, and update from  
shared memory only once we've caught up to the previously-seen value.  
When there are many active walsenders, this makes for a very significant  
reduction in the amount of contention on the XLogCtl->info_lck spinlock.  
  
This patch also adjusts the logic so that we update our idea of the  
flush position after processing a WAL record, rather than beforehand.  
This may cause us to realize we're not caught up when the preceding  
coding would've thought that we were, but that seems all to the good;  
it may avoid a useless sleep-and-wakeup cycle.  
  
Back-patch to v12.  The contention problem exists in prior branches,  
but it's much less severe (due to inefficiencies elsewhere) so there  
seems no need to take any risk of back-patching further.  
  
Pierre Ducroquet, reviewed by Julien Rouhaud  
  
Discussion: https://postgr.es/m/2931018.Vxl9zapr77@pierred-pdoc  

commit   : 8c2bfd9f9b5da06a60ef7d46565bff2eaf5ceb2c    
  
author   : Peter Eisentraut <[email protected]>    
date     : Mon, 6 Jan 2020 08:21:14 +0100    
  
committer: Peter Eisentraut <[email protected]>    
date     : Mon, 6 Jan 2020 08:21:14 +0100    

The logical replication apply worker did not fire per-column update  
triggers because the updatedCols bitmap in the RTE was not populated.  
This fixes that.  
  
Reviewed-by: Euler Taveira <[email protected]>  
Discussion: https://www.postgresql.org/message-id/flat/21673e2d-597c-6afe-637e-e8b10425b240%402ndquadrant.com  

commit   : 6c1860b4d32082c411dd012bda4dfde35c41e942    
  
author   : Tatsuo Ishii <[email protected]>    
date     : Sun, 5 Jan 2020 19:50:27 +0900    
  
committer: Tatsuo Ishii <[email protected]>    
date     : Sun, 5 Jan 2020 19:50:27 +0900    

Per suggestion from Tom Lane.  
Discussion: https://postgr.es/m/flat/20191230.093451.1762483750956466101.t-ishii%40sraoss.co.jp  

commit   : 0c8836ab49b17c493dd4344f582935f04acea326    
  
author   : Amit Kapila <[email protected]>    
date     : Fri, 3 Jan 2020 10:52:46 +0530    
  
committer: Amit Kapila <[email protected]>    
date     : Fri, 3 Jan 2020 10:52:46 +0530    

Reported-by: Jon Jensen  
Author: Jon Jensen  
Reviewed-by: Amit Kapila and Robert Haas  
Backpatch-through: 10  
Discussion: https://postgr.es/m/nycvar.YSQ.7.76.1912301807510.9899@ybpnyubfg  

commit   : d732148398a6e406170383ab21960ac373cd1316    
  
author   : Alvaro Herrera <[email protected]>    
date     : Thu, 2 Jan 2020 17:04:24 -0300    
  
committer: Alvaro Herrera <[email protected]>    
date     : Thu, 2 Jan 2020 17:04:24 -0300    

When row triggers exist in partitioned partitions that are not either  
part of FKs or deferred unique constraints, they are not correctly  
cloned to their partitions.  That's because they are marked "internal",  
and those are purposefully skipped when doing the clone triggers dance.  
Fix by relaxing the condition on which internal triggers are skipped.  
  
Amit Langote initially diagnosed the problem and proposed a fix, but I  
used a different approach.  
  
Reported-by: Petr Fedorov  
Discussion: https://postgr.es/m/[email protected]  

commit   : 98b75c38c6ed2701c278316daac744222a1d56dd    
  
author   : Peter Eisentraut <[email protected]>    
date     : Thu, 2 Jan 2020 14:40:18 +0100    
  
committer: Peter Eisentraut <[email protected]>    
date     : Thu, 2 Jan 2020 14:40:18 +0100    

The comment was apparently copy-and-pasted and did not reflect the  
actual test outcome.  

commit   : f8a6d8e71b177578c4dce78dcf66293c71917844    
  
author   : Amit Kapila <[email protected]>    
date     : Thu, 2 Jan 2020 10:40:32 +0530    
  
committer: Amit Kapila <[email protected]>    
date     : Thu, 2 Jan 2020 10:40:32 +0530    

Currently while decoding changes, if the number of changes exceeds a  
certain threshold, we spill those to disk.  And this happens for each  
(sub)transaction.  Now, while reading all these files, we don't close them  
until we read all the files.  While reading these files, if the number of  
such files exceeds the maximum number of file descriptors, the operation  
errors out.  
  
Use PathNameOpenFile interface to open these files as that internally has  
the mechanism to release kernel FDs as needed to get us under the  
max_safe_fds limit.  
  
Reported-by: Amit Khandekar  
Author: Amit Khandekar  
Reviewed-by: Amit Kapila  
Backpatch-through: 9.4  
Discussion: https://postgr.es/m/CAJ3gD9c-sECEn79zXw4yBnBdOttacoE-6gAyP0oy60nfs_sabQ@mail.gmail.com  

commit   : 8f3e44a1649e79718da65cd8883d481b329a02a7    
  
author   : Bruce Momjian <[email protected]>    
date     : Wed, 1 Jan 2020 12:21:45 -0500    
  
committer: Bruce Momjian <[email protected]>    
date     : Wed, 1 Jan 2020 12:21:45 -0500    

Backpatch-through: update all files in master, backpatch legal files through 9.4  

commit   : b4507a22fed9c2398895d1d4b94815ad1a053bb0    
  
author   : Alvaro Herrera <[email protected]>    
date     : Fri, 27 Dec 2019 18:34:30 -0300    
  
committer: Alvaro Herrera <[email protected]>    
date     : Fri, 27 Dec 2019 18:34:30 -0300    

This currently works, but add this test to ensure it continues to work.  
Lack of this test became evident after a recent bugfix submission that  
would have inadvertently broken it, in  
https://postgr.es/m/CA+HiwqFM2=i+uHB9o4OkLbE2S3sjPHoVe2wXuAD1GLJ4+Pk9eg@mail.gmail.com  

commit   : 2034bcc845f228c675c218e1928cf5337e74381d    
  
author   : Bruce Momjian <[email protected]>    
date     : Fri, 27 Dec 2019 14:49:08 -0500    
  
committer: Bruce Momjian <[email protected]>    
date     : Fri, 27 Dec 2019 14:49:08 -0500    

Unique expression indexes can constrain data in creative ways, so show  
two examples.  
  
Reported-by: Tuomas Leikola  
  
Discussion: https://postgr.es/m/[email protected]  
  
Backpatch-through: 9.4  

commit   : 5d72f85d4ca8e0a56836ea48576ff8f684f7dce7    
  
author   : Bruce Momjian <[email protected]>    
date     : Fri, 27 Dec 2019 14:33:30 -0500    
  
committer: Bruce Momjian <[email protected]>    
date     : Fri, 27 Dec 2019 14:33:30 -0500    

The previous docs referenced these distinct ideas confusingly.  
  
Reported-by: Eugen Konkov  
  
Discussion: https://postgr.es/m/[email protected]  
  
Backpatch-through: 9.4  

commit   : 1dd88201ad6e7eea9c9fff9077f3577dbe7458cd    
  
author   : Michael Paquier <[email protected]>    
date     : Fri, 27 Dec 2019 17:59:12 +0900    
  
committer: Michael Paquier <[email protected]>    
date     : Fri, 27 Dec 2019 17:59:12 +0900    

This operation was possible for the owner of the schema or a superuser.  
Down to 9.4, doing this operation would cause inconsistencies in a  
session whose temporary schema was dropped, particularly if trying to  
create new temporary objects after the drop.  A more annoying  
consequence is a crash of autovacuum on an assertion failure when  
logging information about an orphaned temp table dropped.  Note that  
because of 246a6c8 (present in v11~), which has made the removal of  
orphaned temporary tables more aggressive, the failure could be  
triggered more easily, but it is possible to reproduce down to 9.4.  
  
Reported-by: Mahendra Singh, Prabhat Sahu  
Author: Michael Paquier  
Reviewed-by: Kyotaro Horiguchi, Mahendra Singh  
Discussion: https://postgr.es/m/CAKYtNAr9Zq=1-ww4etHo-VCC-k120YxZy5OS01VkaLPaDbv2tg@mail.gmail.com  
Backpatch-through: 9.4  

commit   : 883c27a1cf9b80d9a1cf13f527ad21024fa1849d    
  
author   : Tom Lane <[email protected]>    
date     : Thu, 26 Dec 2019 15:19:39 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Thu, 26 Dec 2019 15:19:39 -0500    

When revalidate_rectypeid() acts to update a stale record type OID  
in plpgsql's data structures, it fixes the active PLpgSQL_rec struct  
as well as the PLpgSQL_type struct it references.  However, the latter  
is shared across function executions while the former is not.  In a  
later function execution, the PLpgSQL_rec struct would be reinitialized  
by copy_plpgsql_datums and would then contain a stale type OID,  
typically leading to "could not open relation with OID NNNN" errors.  
revalidate_rectypeid() can easily fix this, fortunately, just by  
treating typ->typoid as authoritative.  
  
Per report and diagnosis from Ashutosh Sharma, though this is not his  
suggested fix.  Back-patch to v11 where this code came in.  
  
Discussion: https://postgr.es/m/CAE9k0Pkd4dZwt9J5pS9xhJFWpUtqs05C9xk_GEwPzYdV=GxwWg@mail.gmail.com  

commit   : 50fa688f303024447fa8b2419a733b551f752769    
  
author   : Michael Paquier <[email protected]>    
date     : Thu, 26 Dec 2019 22:26:26 +0900    
  
committer: Michael Paquier <[email protected]>    
date     : Thu, 26 Dec 2019 22:26:26 +0900    

confirmed_flush is part of a replication slot's information, but not  
confirmed_lsn.  
  
Author: Kyotaro Horiguchi  
Discussion: https://postgr.es/m/[email protected]  
Backpatch-through: 11  

commit   : 8052aaf521e4885477bd1af100edcf21031e6d11    
  
author   : Thomas Munro <[email protected]>    
date     : Tue, 24 Dec 2019 11:31:24 +1300    
  
committer: Thomas Munro <[email protected]>    
date     : Tue, 24 Dec 2019 11:31:24 +1300    

Our algorithm for choosing batch numbers turned out not to work  
effectively for multi-billion key inner relations.  We would use  
more hash bits than we have, and effectively concentrate all tuples  
into a smaller number of batches than we intended.  While ideally  
we should switch to wider hashes, for now, change the algorithm to  
one that effectively gives up bits from the bucket number when we  
don't have enough bits.  That means we'll finish up with longer  
bucket chains than would be ideal, but that's better than having  
batches that don't fit in work_mem and can't be divided.  
  
Batch-patch to all supported releases.  
  
Author: Thomas Munro  
Reviewed-by: Tom Lane, thanks also to Tomas Vondra, Alvaro Herrera, Andres Freund for testing and discussion  
Reported-by: James Coleman  
Discussion: https://postgr.es/m/16104-dc11ed911f1ab9df%40postgresql.org  

commit   : b5e7569dddd2ef8b3d84b528be916647e7465c12    
  
author   : Joe Conway <[email protected]>    
date     : Mon, 23 Dec 2019 13:33:34 -0500    
  
committer: Joe Conway <[email protected]>    
date     : Mon, 23 Dec 2019 13:33:34 -0500    

While building a hash map of categories in load_categories_hash,  
resulting category names have not thus far been checked to ensure  
they are not null. Prior to pg12 null category names worked to the  
extent that they did not crash on some platforms. This is because  
those system libraries have an snprintf which can deal with being  
passed a null pointer argument for a string. But even in those cases  
null categories did nothing useful. And on some platforms it crashed.  
As of pg12, our own version of snprintf gets called, and it does  
not deal with null pointer arguments at all, and crashes consistently.  
  
Fix that by disallowing null categories. They never worked usefully,  
and no one has ever asked for them to work previously. Back-patch to  
all supported branches.  
  
Reported-By: Ireneusz Pluta  
Discussion: https://postgr.es/m/[email protected]  

commit   : 7fbb39a967ea7fa32915407ea87eee1d5f38d9e7    
  
author   : Tom Lane <[email protected]>    
date     : Mon, 23 Dec 2019 12:53:13 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Mon, 23 Dec 2019 12:53:13 -0500    

This wasn't checked originally, but it should have been, because  
in general pseudo-types can't be stored to and retrieved from disk.  
Notably, partition bound values of type "record" would not be  
interpretable by another session.  
  
In v12 and HEAD, add another flag to CheckAttributeType's repertoire  
so that it can produce a specific error message for this case.  That's  
infeasible in older branches without an ABI break, so fall back to  
a slightly-less-nicely-worded error message in v10 and v11.  
  
Problem noted by Amit Langote, though this patch is not his initial  
solution.  Back-patch to v10 where partitioning was introduced.  
  
Discussion: https://postgr.es/m/CA+HiwqFUzjfj9HEsJtYWcr1SgQ_=iCAvQ=O2Sx6aQxoDu4OiHw@mail.gmail.com  

commit   : 976cb11f6c58b8807455982ae7344b72ea2cd1ab    
  
author   : Tom Lane <[email protected]>    
date     : Mon, 23 Dec 2019 12:08:23 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Mon, 23 Dec 2019 12:08:23 -0500    

We probably should have thought of this case when ranges were added,  
but we didn't.  (It's not the fault of commit eb51af71f, because  
ranges didn't exist then.)  
  
It's an old bug, so back-patch to all supported branches.  
  
Discussion: https://postgr.es/m/[email protected]  

commit   : e1c056cc4d7bcc0dfe8a3808550e7b7f73b64643    
  
author   : Tom Lane <[email protected]>    
date     : Sun, 22 Dec 2019 18:00:17 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Sun, 22 Dec 2019 18:00:17 -0500    

If the first transaction block in these tests were entered exactly  
at midnight (California time), they'd report a bogus failure due  
to 'now' and 'midnight' having the same values.  Commit 8c2ac75c5  
had dismissed this as being of negligible probability, but we've  
now seen it happen in the buildfarm, so let's prevent it.  We can  
get pretty much the same test coverage without an it's-not-midnight  
assumption by moving the does-'now'-work cases into their own test step.  
  
While here, apply commit 47169c255's s/DELETE/TRUNCATE/ change to  
timestamptz as well as timestamp (not sure why that didn't  
occur to me at the time; the risk of failure is the same).  
  
Back-patch to all supported branches, since the main point is  
to get rid of potential buildfarm failures.  
  
Discussion: https://postgr.es/m/[email protected]  

commit   : 90281a3a28a7ab9fcf83f471c1ef714f8d96fd1c    
  
author   : Tom Lane <[email protected]>    
date     : Sat, 21 Dec 2019 17:39:36 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Sat, 21 Dec 2019 17:39:36 -0500    

This fixes a performance problem introduced by commit 6d7547c21.  
ERROR_ACCESS_DENIED is returned in some other cases besides the  
delete-pending case considered by that commit; notably, if the  
given path names a directory instead of a plain file.  In that  
case we'll uselessly loop for 1 second before returning the  
failure condition.  That slows down some usage scenarios enough  
to cause test timeout failures on our Windows buildfarm critters.  
  
To fix, try to stat() the file, and sleep/loop only if that fails.  
It will fail in the delete-pending case, and also in the case where  
the deletion completed before we could stat(), so we have the cases  
where we want to loop covered.  In the directory case, the stat()  
should succeed, letting us exit without a wait.  
  
One case where we'll still wait uselessly is if the access-denied  
problem pertains to a directory in the given pathname.  But we don't  
expect that to happen in any performance-critical code path.  
  
There might be room to refine this further, but I'll push it now  
in hopes of making the buildfarm green again.  
  
Back-patch, like the preceding commit.  
  
Alexander Lakhin and Tom Lane  
  
Discussion: https://postgr.es/m/[email protected]  

commit   : 96aa9b60896def1e6c2a1dd127498e58c53361cf    
  
author   : Bruce Momjian <[email protected]>    
date     : Sat, 21 Dec 2019 12:44:38 -0500    
  
committer: Bruce Momjian <[email protected]>    
date     : Sat, 21 Dec 2019 12:44:38 -0500    

Previously it was unclear how COPY FROM handled cases where not all  
columns were specified, or if the order didn't match.  
  
Reported-by: [email protected]  
  
Discussion: https://postgr.es/m/[email protected]  
  
Backpatch-through: 9.4  

commit   : e8f60e6fe206b4877c5b0d0b70015e672de04f60    
  
author   : Tom Lane <[email protected]>    
date     : Fri, 20 Dec 2019 15:34:07 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Fri, 20 Dec 2019 15:34:07 -0500    

We realized years ago that it's better for libpq to accept all  
connection parameters syntactically, even if some are ignored or  
restricted due to lack of the feature in a particular build.  
However, that lesson from the SSL support was for some reason never  
applied to the GSSAPI support.  This is causing various buildfarm  
members to have problems with a test case added by commit 6136e94dc,  
and it's just a bad idea from a user-experience standpoint anyway,  
so fix it.  
  
While at it, fix some places where parameter-related infrastructure  
was added with the aid of a dartboard, or perhaps with the aid of  
the anti-pattern "add new stuff at the end".  It should be safe  
to rearrange the contents of struct pg_conn even in released  
branches, since that's private to libpq (and we'd have to move  
some fields in some builds to fix this, anyway).  
  
Back-patch to all supported branches.  
  
Discussion: https://postgr.es/m/[email protected]  

commit   : e5a37d958decfbc9dc650e66775db5896b7486ff    
  
author   : Tom Lane <[email protected]>    
date     : Thu, 19 Dec 2019 09:42:46 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Thu, 19 Dec 2019 09:42:46 -0500    

The "auth-methods" <sect1> used to include descriptions of all our  
authentication methods.  Commit 56811e573 promoted its child <sect2>'s  
to <sect1>'s, which has advantages but also created some issues:  
* The auth-methods page itself is essentially empty/useless.  
* Links that pointed to "auth-methods" as a placeholder for all  
auth methods were rendered a bit nonsensical.  
* DocBook no longer provides a subsection table-of-contents here,  
which formerly was a useful if terse summary of available auth methods.  
  
To improve matters, add a handwritten list of all the auth methods.  
  
Per gripe from Dave Cramer.  Back-patch to v11 where the previous  
commit came in.  
  
Discussion: https://postgr.es/m/CADK3HH+xQLhcPgg=kWqfogtXGGZr-JdSo=x=WQC0PkAVyxUWyQ@mail.gmail.com  

commit   : a9f304f5362f18b88fab04f342c99bd3d2c37944    
  
author   : Robert Haas <[email protected]>    
date     : Thu, 19 Dec 2019 09:24:44 -0500    
  
committer: Robert Haas <[email protected]>    
date     : Thu, 19 Dec 2019 09:24:44 -0500    

Commit d986d4e87f61c68f52c68ebc274960dc664b7b4e renamed a variable  
but neglected to update the corresponding comment.  
  
Amit Langote  

commit   : c74111d8bd6853b9944d004706dcc0cea2f2a25a    
  
author   : Amit Kapila <[email protected]>    
date     : Mon, 16 Dec 2019 15:23:46 +0530    
  
committer: Amit Kapila <[email protected]>    
date     : Mon, 16 Dec 2019 15:23:46 +0530    

This patch allows building the local relmap cache for a subscribed  
relation after processing pending invalidation messages and potential  
relcache updates.  Without this, the attributes in the local cache don't  
tally with the updated relcache entry leading to invalid memory access.  
  
Reported-by Jehan-Guillaume de Rorthais  
Author: Jehan-Guillaume de Rorthais and Vignesh C  
Reviewed-by: Amit Kapila  
Backpatch-through: 10  
Discussion: https://postgr.es/m/20191025175929.7e90dbf5@firost  

commit   : 35c01529b8c9d8f168379639b4f37227d768d313    
  
author   : Michael Paquier <[email protected]>    
date     : Wed, 18 Dec 2019 10:11:31 +0900    
  
committer: Michael Paquier <[email protected]>    
date     : Wed, 18 Dec 2019 10:11:31 +0900    

This changes the routines in charge of recycling WAL segments past the  
last redo LSN to not use anymore "RedoRecPtr" as a local variable, which  
is also available in the context of the session as a static declaration,  
replacing it with "lastredoptr".  This confusion has been introduced by  
d9fadbf, so backpatch down to v11 like the other commit.  
  
Thanks to Tom Lane, Robert Haas, Alvaro Herrera, Mark Dilger and Kyotaro  
Horiguchi for the input provided.  
  
Author: Ranier Vilela  
Discussion: https://postgr.es/m/MN2PR18MB2927F7B5F690065E1194B258E35D0@MN2PR18MB2927.namprd18.prod.outlook.com  
Backpatch-through: 11  

commit   : 97ba30fab51a19e06ae1cf74abed3ce748b2fa95    
  
author   : Tom Lane <[email protected]>    
date     : Tue, 17 Dec 2019 17:44:28 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Tue, 17 Dec 2019 17:44:28 -0500    

If CheckAttributeType() threw an error about the datatype of an  
index expression column, it would report an empty column name,  
which is pretty unhelpful and certainly not the intended behavior.  
I (tgl) evidently broke this in commit cfc5008a5, by not noticing  
that the column's attname was used above where I'd placed the  
assignment of it.  
  
In HEAD and v12, this is trivially fixable by moving up the  
assignment of attname.  Before v12 the code is a bit more messy;  
to avoid doing substantial refactoring, I took the lazy way out  
and just put in two copies of the assignment code.  
  
Report and patch by Amit Langote.  Back-patch to all supported  
branches.  
  
Discussion: https://postgr.es/m/CA+HiwqFA+BGyBFimjiYXXMa2Hc3fcL0+OJOyzUNjhU4NCa_XXw@mail.gmail.com  

commit   : 0eac283bfc8b893d91a1ecf184d2c8373a1ed906    
  
author   : Amit Kapila <[email protected]>    
date     : Thu, 12 Dec 2019 11:51:30 +0530    
  
committer: Amit Kapila <[email protected]>    
date     : Thu, 12 Dec 2019 11:51:30 +0530    

This Assert thought that an overflowed transaction can never get registered  
for the group update.  But that is not true, because even when the number  
of children for a transaction got reduced, the overflow flag is not  
changed.  And, for group update, we only care about the current number of  
children for a transaction that is being committed.  
  
Based on comments by Andres Freund, remove a redundant Assert in  
TransactionIdSetPageStatus as we already had a static Assert for the same  
condition a few lines earlier.  
  
Reported-by: Vignesh C  
Author: Dilip Kumar  
Reviewed-by: Amit Kapila  
Backpatch-through: 11  
Discussion: https://postgr.es/m/CAFiTN-s5=uJw-Z6JC9gcqtBSjXsrHnU63PXBrA=pnBjqnkm5UA@mail.gmail.com  

commit   : 95f43fee91793cbcfaf13636a5936a5184fdafe3    
  
author   : Tom Lane <[email protected]>    
date     : Mon, 16 Dec 2019 15:10:55 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Mon, 16 Dec 2019 15:10:55 -0500    

Attempting to open a file fails with ERROR_ACCESS_DENIED if the file  
is flagged for deletion but not yet actually gone (another in a long  
list of reasons why Windows is broken, if you ask me).  This seems  
likely to explain a lot of irreproducible failures we see in the  
buildfarm.  This state generally persists for only a millisecond or so,  
so just wait a bit and retry.  If it's a real permissions problem,  
we'll eventually give up and report it as such.  If it's the pending  
deletion case, we'll see file-not-found and report that after the  
deletion completes, and the caller will treat that in an appropriate  
way.  
  
In passing, rejigger the existing retry logic for some other error  
cases so that we don't uselessly wait an extra time when we're  
not going to retry anymore.  
  
Alexander Lakhin (with cosmetic tweaks by me).  Back-patch to all  
supported branches, since this seems like a pretty safe change and  
the problem is definitely real.  
  
Discussion: https://postgr.es/m/[email protected]  

commit   : 42d1acd2edc4a02de63c7b3d2a18056d393e373d    
  
author   : Heikki Linnakangas <[email protected]>    
date     : Mon, 16 Dec 2019 13:57:41 +0200    
  
committer: Heikki Linnakangas <[email protected]>    
date     : Mon, 16 Dec 2019 13:57:41 +0200    

Commit a7ee7c8513 fixed a bug in GiST page split during index creation,  
where we failed to re-find the position of a downlink after the page  
containing it was split. However, that fix was incomplete; the other call  
to gistinserttuples() in the same function needs to also clear  
'downlinkoffnum'.  
  
Fixes bug #16134 reported by Alexander Lakhin, for real this time. The  
previous fix was enough to fix the crash with the reproducer script for  
bug #16162, but the original script for #16134 was still crashing.  
  
Backpatch to v12, like the previous incomplete fix.  
  
Discussion: https://www.postgresql.org/message-id/d869f537-abe4-d2ea-0510-38cd053f5152%40gmail.com  

commit   : e3ac8939324d73c35e2fd0f846001eb02e3a7858    
  
author   : Etsuro Fujita <[email protected]>    
date     : Mon, 16 Dec 2019 17:00:16 +0900    
  
committer: Etsuro Fujita <[email protected]>    
date     : Mon, 16 Dec 2019 17:00:16 +0900    

Also, add a comment explaining a test case.  
  
Back-patch to 11 where the regression test was added.  
  
Discussion: https://postgr.es/m/CAPmGK15adZPh2B%2BmGUjSOMH%2BH39ogDRWfCfm4G6jncZCAs9V_Q%40mail.gmail.com  

commit   : d04e2553d49d7478f6e869fcecea7d6ca9c6bd50    
  
author   : Tom Lane <[email protected]>    
date     : Sat, 14 Dec 2019 13:49:15 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Sat, 14 Dec 2019 13:49:15 -0500    

The RTE_RESULT simplification logic added by commit 4be058fe9 had a  
flaw: it would collapse out a RTE_RESULT that is due to compute a  
PlaceHolderVar, and reassign the PHV to the parent join level, even if  
another input relation of the join contained a lateral reference to  
the PHV.  That can't work because the PHV would be computed too late.  
In practice it led to failures of internal sanity checks later in  
planning (either assertion failures or errors such as "failed to  
construct the join relation").  
  
To fix, add code to check for the presence of such PHVs in relevant  
portions of the query tree.  Notably, this required refactoring  
range_table_walker so that a caller could ask to walk individual RTEs  
not the whole list.  (It might be a good idea to refactor  
range_table_mutator in the same way, if only to keep those functions  
looking similar; but I didn't do so here as it wasn't necessary for  
the bug fix.)  
  
This exercise also taught me that find_dependent_phvs(), as it stood,  
could only safely be used on the entire Query, not on subtrees.  
Adjust its API to reflect that; which in passing allows it to have  
a fast path for the common case of no PHVs anywhere.  
  
Per report from Will Leinweber.  Back-patch to v12 where the bug  
was introduced.  
  
Discussion: https://postgr.es/m/CALLb-4xJMd4GZt2YCecMC95H-PafuWNKcmps4HLRx2NHNBfB4g@mail.gmail.com  

commit   : fd005e1a87446ad61a6c950841b0a6f93bdfb594    
  
author   : Thomas Munro <[email protected]>    
date     : Sat, 14 Dec 2019 17:38:09 +1300    
  
committer: Thomas Munro <[email protected]>    
date     : Sat, 14 Dec 2019 17:38:09 +1300    

The previous commit failed to consider that FileGetRawDesc() might  
not return a valid fd, as discovered on the build farm.  Switch to  
using the File interface only.  
  
Back-patch to 12, like the previous commit.  

commit   : c3dc0cdd6b58f6d4a632364554c9aec5b4f83f69    
  
author   : Thomas Munro <[email protected]>    
date     : Sat, 14 Dec 2019 15:54:31 +1300    
  
committer: Thomas Munro <[email protected]>    
date     : Sat, 14 Dec 2019 15:54:31 +1300    

_mdfd_getseg() opens all segments up to the requested one.  That  
causes problems for mdsyncfiletag(), if mdunlinkfork() has  
already unlinked other segment files.  Open the file we want  
directly by name instead, if it's not already open.  
  
The consequence of this bug was a rare panic in the checkpointer,  
made more likely if you saturated the sync request queue so that  
the SYNC_FORGET_REQUEST messages for a given relation were more  
likely to be absorbed in separate cycles by the checkpointer.  
  
Back-patch to 12.  Defect in commit 3eb77eba.  
  
Author: Thomas Munro  
Reported-by: Justin Pryzby  
Discussion: https://postgr.es/m/20191119115759.GI30362%40telsasoft.com  

commit   : 70c4f500eaeb2ccc3ed49764ee925482bd5c33e0    
  
author   : Heikki Linnakangas <[email protected]>    
date     : Fri, 13 Dec 2019 23:58:10 +0200    
  
committer: Heikki Linnakangas <[email protected]>    
date     : Fri, 13 Dec 2019 23:58:10 +0200    

The bug was similar to the one that was fixed in commit 22251686f0. When  
we split page X and insert the downlink for the new page, the parent page  
might also need to be split. When that happens, the downlink offset number  
we remembered for X is no longer valid. We correctly called  
gistFindCorrectParent() to re-find it, but gistFindCorrectParent() doesn't  
do anything if the LSN of the page hasn't changed, and we stopped updating  
LSNs during index build in commit 9155580fd5. The buggy codepath was taken  
if the page was split into three or more pages, and inserting the downlink  
caused the parent page to split. To fix, explicitly mark the downlink  
offset number as invalid, to force gistFindCorrectParent() to re-find it.  
  
Fixes bug #16134 reported by Alexander Lakhin, reported again as #16162 by  
Andreas Kunert. Thanks to Jeff Janes, Tom Lane and Tomas Vondra for  
debugging. Backpatch to v12, where we stopped WAL-logging during index  
build.  
  
Discussion: https://www.postgresql.org/message-id/16134-0423f729671dec64%40postgresql.org  
Discussion: https://www.postgresql.org/message-id/16162-45d21b7b6c1a3105%40postgresql.org  

commit   : 07c4b6ac7d6e467f9db681772b5d5101144fcfe7    
  
author   : Tom Lane <[email protected]>    
date     : Thu, 12 Dec 2019 12:30:44 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Thu, 12 Dec 2019 12:30:44 -0500    

The test cases added by commit 26ae3aa80 exposed an old oversight in  
timestamp[tz]_part: they didn't correct the result of date2isoyear()  
for BC years, so that we produced an off-by-one answer for such years.  
Fix that, and back-patch to all supported branches.  
  
Discussion: https://postgr.es/m/SG2PR06MB37762CAE45DB0F6CA7001EA9B6550@SG2PR06MB3776.apcprd06.prod.outlook.com  

commit   : 73355634959bc011508a24f0e344c6f6fddf419e    
  
author   : Tom Lane <[email protected]>    
date     : Thu, 12 Dec 2019 12:12:35 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Thu, 12 Dec 2019 12:12:35 -0500    

The DTK_DOW/DTK_ISODOW and DTK_DOY switch cases in timestamp_part() and  
timestamptz_part() contained calls of timestamp2tm() that were fully  
redundant with the ones done just above the switch.  This evidently crept  
in during commit 258ee1b63, which relocated that code from another place  
where the calls were indeed needed.  Just delete the redundant calls.  
  
I (tgl) noted that our test coverage of these functions left quite a  
bit to be desired, so extend timestamp.sql and timestamptz.sql to  
cover all the branches.  
  
Back-patch to all supported branches, as the previous commit was.  
There's no real issue here other than some wasted cycles in some  
not-too-heavily-used code paths, but the test coverage seems valuable.  
  
Report and patch by Li Japin; test case adjustments by me.  
  
Discussion: https://postgr.es/m/SG2PR06MB37762CAE45DB0F6CA7001EA9B6550@SG2PR06MB3776.apcprd06.prod.outlook.com  

commit   : 6a9b5a2f82cb8f7267d9e25093a643d47fd3fbb6    
  
author   : Etsuro Fujita <[email protected]>    
date     : Thu, 12 Dec 2019 15:45:01 +0900    
  
committer: Etsuro Fujita <[email protected]>    
date     : Thu, 12 Dec 2019 15:45:01 +0900    

commit   : be9d4b9280606a0b0984ba46c452a48961cf92d4    
  
author   : Tom Lane <[email protected]>    
date     : Tue, 10 Dec 2019 13:17:08 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Tue, 10 Dec 2019 13:17:08 -0500    

On Windows, we use CMD.EXE to redirect the postmaster's stdout/stderr  
into a log file.  CMD.EXE will open that file with non-sharing-friendly  
parameters, and the file will remain open for a short time after the  
postmaster has removed postmaster.pid.  This can result in an  
ERROR_SHARING_VIOLATION failure if we attempt to start a new postmaster  
immediately with the same log file (e.g. during "pg_ctl restart").  
This seems to explain intermittent buildfarm failures we've been seeing  
on Windows machines.  
  
To fix, just open and close the log file using our own pgwin32_open(),  
which will wait if necessary to avoid the failure.  (Perhaps someday  
we should stop using CMD.EXE, but that would be a far more complex  
patch, and it doesn't seem worth the trouble ... yet.)  
  
Back-patch to v12.  This only solves the problem when frontend fopen()  
is redirected to pgwin32_fopen(), which has only been true since commit  
0ba06e0bf.  Hence, no point in back-patching further, unless we care  
to back-patch that change too.  
  
Diagnosis and patch by Alexander Lakhin (bug #16154).  
  
Discussion: https://postgr.es/m/[email protected]  

commit   : 547e454cbc8f8896b535cf2debd61b2c5701d8c0    
  
author   : Etsuro Fujita <[email protected]>    
date     : Tue, 10 Dec 2019 18:00:31 +0900    
  
committer: Etsuro Fujita <[email protected]>    
date     : Tue, 10 Dec 2019 18:00:31 +0900    

AfterTriggerExecute() retrieves a fresh tuple or pair of tuples from a  
tuplestore and then stores the tuple(s) in the passed-in slot(s) if  
AFTER_TRIGGER_FDW_FETCH, while it uses the most-recently-retrieved  
tuple(s) stored in the slot(s) if AFTER_TRIGGER_FDW_REUSE.  This was  
done correctly before 12, but commit ff11e7f4b broke it by mistakenly  
clearing the tuple(s) stored in the slot(s) in that function, leading to  
an assertion failure as reported in bug #16139 from Alexander Lakhin.  
  
Also, fix some other issues with the aforementioned commit in passing:  
  
* For tg_newslot, which is a slot added to the TriggerData struct by the  
  commit to store new updated tuples, it didn't ensure the slot was NULL  
  if there was no such tuple.  
* The commit failed to update the documentation about the trigger  
  interface.  
  
Author: Etsuro Fujita  
Backpatch-through: 12  
Discussion: https://postgr.es/m/16139-94f9ccf0db6119ec%40postgresql.org  

commit   : 001362cfdc94f992ff92df9353394160d7c5e13c    
  
author   : Tom Lane <[email protected]>    
date     : Mon, 9 Dec 2019 15:03:51 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Mon, 9 Dec 2019 15:03:51 -0500    

pg_signal_dispatch_thread() responded to the client (signal sender)  
and disconnected the pipe before actually setting the shared variables  
that make the signal visible to the backend process's main thread.  
In the worst case, it seems, effective delivery of the signal could be  
postponed for as long as the machine has any other work to do.  
  
To fix, just move the pg_queue_signal() call so that we do it before  
responding to the client.  This essentially makes pgkill() synchronous,  
which is a stronger guarantee than we have on Unix.  That may be  
overkill, but on the other hand we have not seen comparable timing bugs  
on any Unix platform.  
  
While at it, add some comments to this sadly underdocumented code.  
  
Problem diagnosis and fix by Amit Kapila; I just added the comments.  
  
Back-patch to all supported versions, as it appears that this can cause  
visible NOTIFY timing oddities on all of them, and there might be  
other misbehavior due to slow delivery of other signals.  
  
Discussion: https://postgr.es/m/[email protected]  

commit   : eadfafda049e3081f8078aa30ea33f538c45aecd    
  
author   : Tom Lane <[email protected]>    
date     : Mon, 9 Dec 2019 14:31:57 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Mon, 9 Dec 2019 14:31:57 -0500    

isolationtester.c had a hard-wired limit of 3 minutes per test step.  
It now emerges that this isn't quite enough for some of the slowest  
buildfarm animals.  This isn't the first time we've had to raise  
this limit (cf. 1db439ad4), so let's make it configurable.  This  
patch raises the default to 5 minutes, and introduces an environment  
variable PGISOLATIONTIMEOUT that can be set if more time is needed,  
following the precedent of PGCTLTIMEOUT.  
  
Also, modify isolationtester so that when the timeout is hit,  
it explicitly reports having sent a cancel.  This makes the regression  
failure log considerably more intelligible.  (In the worst case, a  
timed-out test might actually be reported as "passing" without this  
extra output, so arguably this is a bug fix in itself.)  
  
In passing, update the README file, which had apparently not gotten  
touched when we added "make check" support here.  
  
Back-patch to 9.6; older versions don't have comparable timeout logic.  
  
Discussion: https://postgr.es/m/[email protected]  

commit   : a7472d2b7a36deb3474d3a21f5aba0b643da3065    
  
author   : Amit Kapila <[email protected]>    
date     : Mon, 9 Dec 2019 08:39:34 +0530    
  
committer: Amit Kapila <[email protected]>    
date     : Mon, 9 Dec 2019 08:39:34 +0530    

Commit f13ea95f9e moved the description of postmaster.pid file contents  
from miscadmin.h to pidfile.h, but missed to update the comments in  
miscinit.c.  
  
Author: Hadi Moshayedi  
Reviewed-by: Amit Kapila  
Backpatch-through: 10  
Discussion: https://postgr.es/m/CAK=1=WpYEM9x3LGkaxgXaxeYQjnkdW8XLsxrYRTE2Gq-H83FMw@mail.gmail.com  

commit   : cc4371dc345392777aa419ca872b28c4169a797b    
  
author   : Noah Misch <[email protected]>    
date     : Sun, 8 Dec 2019 11:06:26 -0800    
  
committer: Noah Misch <[email protected]>    
date     : Sun, 8 Dec 2019 11:06:26 -0800    

Commit 5770172cb0c9df9e6ce27c507b449557e5b45124 wrote, incorrectly, that  
certain schema usage patterns are secure against CREATEROLE users and  
database owners.  When an untrusted user is the database owner or holds  
CREATEROLE privilege, a query is secure only if its session started with  
SELECT pg_catalog.set_config('search_path', '', false) or equivalent.  
Back-patch to 9.4 (all supported versions).  
  
Discussion: https://postgr.es/m/[email protected]  

commit   : ba62bb63b399dcd6e80817b1c73ead9d87ecc311    
  
author   : Tom Lane <[email protected]>    
date     : Sun, 8 Dec 2019 10:36:29 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Sun, 8 Dec 2019 10:36:29 -0500    

Tatsuo Ishii complained that this para wasn't very intelligible.  
Try to make it better.  
  
Discussion: https://postgr.es/m/[email protected]  

commit   : 902276ff1309ce30522d2b1bc343898c786ca02d    
  
author   : Michael Paquier <[email protected]>    
date     : Fri, 6 Dec 2019 15:14:26 +0900    
  
committer: Michael Paquier <[email protected]>    
date     : Fri, 6 Dec 2019 15:14:26 +0900    

This function is supported down to OpenSSL 0.9.8, which is the oldest  
version supported since 593d4e4 (from Postgres 10 onwards), and is used  
since e3bdb2d (from 11 onwards).  It is defined as a macro from OpenSSL  
0.9.8 to 1.0.2, and as a function in 1.1.0 and newer versions.  However,  
the configure check present is only adapted for functions.  So, even if  
the code would be able to compile, configure fails to detect the macro,  
causing it to be ignored when compiling the code with OpenSSL from 0.9.8  
to 1.0.2.  
  
The code needs a configure check as per a364dfa, which has fixed a  
compilation issue with a past version of LibreSSL in NetBSD 5.1.  On  
HEAD, just remove the configure check as the last release of NetBSD 5 is  
from 2014 (and we have no more buildfarm members for it).  In 11 and 12,  
improve the configure logic so as both macros and functions are  
correctly detected.  This makes NetBSD 5 still work on already-released  
branches, but not for 13 onwards.  
  
The patch for HEAD is from me, and Daniel has written the version to use  
for the back-branches.  
  
Author: Michael Paquier, Daniel Gustaffson  
Reviewed-by: Tom Lane  
Discussion: https://postgr.es/m/[email protected]  
Discussion: https://postgr.es/m/[email protected]  
Backpatch-through: 11  

commit   : 0e5baa095176cbb77f8ea30054ab4c3a59409da7    
  
author   : Etsuro Fujita <[email protected]>    
date     : Wed, 4 Dec 2019 12:45:01 +0900    
  
committer: Etsuro Fujita <[email protected]>    
date     : Wed, 4 Dec 2019 12:45:01 +0900    

commit   : a8a8c6b296406bbf30948768939c08457bd468a4    
  
author   : Tomas Vondra <[email protected]>    
date     : Tue, 3 Dec 2019 16:55:51 +0100    
  
committer: Tomas Vondra <[email protected]>    
date     : Tue, 3 Dec 2019 16:55:51 +0100    

The dict_int text search dictionary template accepts maxlen parameter,  
which is then used to cap the length of input strings. The value was  
not properly checked, and the code simply does  
  
    txt[d->maxlen] = '\0';  
  
to insert a terminator, leading to segfaults with negative values.  
  
This commit simply rejects values less than 1. The issue was there since  
dct_int was introduced in 9.3, so backpatch all the way back to 9.4  
which is the oldest supported version.  
  
Reported-by: cili  
Discussion: https://postgr.es/m/[email protected]  
Backpatch-through: 9.4  

commit   : ef30975b49702f9f8aaed7b1cd8f78470ed1b22d    
  
author   : Michael Paquier <[email protected]>    
date     : Tue, 3 Dec 2019 13:01:40 +0900    
  
committer: Michael Paquier <[email protected]>    
date     : Tue, 3 Dec 2019 13:01:40 +0900    

On Windows, all the hosts spawned by the TAP tests bind to 127.0.0.1.  
Hence, if there is a port conflict, starting a cluster would immediately  
fail.  One of the test scripts of pg_ctl initializes a node without  
PostgresNode.pm, using the default port 5432.  This could cause  
unexpected startup failures in the tests if an independent server was up  
and running on the same host (the reverse is also possible, though more  
unlikely).  Fix this issue by assigning properly a free port to the node  
configured, in the same range used as for the other nodes part of the  
tests.  
  
Author: Michael Paquier  
Reviewed-by: Andrew Dunstan  
Discussion: https://postgr.es/m/[email protected]  
Backpatch-through: 11  

commit   : b154d70f743039452f2cadee9566d754e79e3653    
  
author   : Tom Lane <[email protected]>    
date     : Sun, 1 Dec 2019 13:09:26 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Sun, 1 Dec 2019 13:09:26 -0500    

We implement ON COMMIT DELETE ROWS by truncating tables marked that  
way, which requires also truncating/rebuilding their indexes.  But  
RelationTruncateIndexes asks the relcache for up-to-date copies of any  
index expressions, which may cause execution of eval_const_expressions  
on them, which can result in actual execution of subexpressions.  
This is a bad thing to have happening during ON COMMIT.  Manuel Rigger  
reported that use of a SQL function resulted in crashes due to  
expectations that ActiveSnapshot would be set, which it isn't.  
The most obvious fix perhaps would be to push a snapshot during  
PreCommit_on_commit_actions, but I think that would just open the door  
to more problems: CommitTransaction explicitly expects that no  
user-defined code can be running at this point.  
  
Fortunately, since we know that no tuples exist to be indexed, there  
seems no need to use the real index expressions or predicates during  
RelationTruncateIndexes.  We can set up dummy index expressions  
instead (we do need something that will expose the right data type,  
as there are places that build index tupdescs based on this), and  
just ignore predicates and exclusion constraints.  
  
In a green field it'd likely be better to reimplement ON COMMIT DELETE  
ROWS using the same "init fork" infrastructure used for unlogged  
relations.  That seems impractical without catalog changes though,  
and even without that it'd be too big a change to back-patch.  
So for now do it like this.  
  
Per private report from Manuel Rigger.  This has been broken forever,  
so back-patch to all supported branches.  

commit   : 0dafed6fedf4da0e0e38c5961ae4b1540b4a8a5c    
  
author   : Tomas Vondra <[email protected]>    
date     : Sat, 30 Nov 2019 14:51:27 +0100    
  
committer: Tomas Vondra <[email protected]>    
date     : Sat, 30 Nov 2019 14:51:27 +0100    

When using %b or %B patterns to format a date, the code was simply using  
tm_mon as an index into array of month names. But that is wrong, because  
tm_mon is 1-based, while array indexes are 0-based. The result is we  
either use name of the next month, or a segfault (for December).  
  
Fix by subtracting 1 from tm_mon for both patterns, and add a regression  
test triggering the issue. Backpatch to all supported versions (the bug  
is there far longer, since at least 2003).  
  
Reported-by: Paul Spencer  
Backpatch-through: 9.4  
Discussion: https://postgr.es/m/16143-0d861eb8688d3fef%40postgresql.org  

commit   : 79d6e6afabcb3766ea4d21e3e26d25a5f2f69553    
  
author   : Tomas Vondra <[email protected]>    
date     : Thu, 28 Nov 2019 23:25:14 +0100    
  
committer: Tomas Vondra <[email protected]>    
date     : Thu, 28 Nov 2019 23:25:14 +0100    

Commit c676e659b2 reworked how choose_best_statistics() picks the best  
extended statistics, but failed to remove clauses_attnums which is now  
unnecessary. So get rid of it and backpatch to 12, same as c676e659b2.  
  
Author: Tomas Vondra  
Discussion: https://postgr.es/m/CA+u7OA7H5rcE2=8f263w4NZD6ipO_XOrYB816nuLXbmSTH9pQQ@mail.gmail.com  
Backpatch-through: 12  

commit   : ef3fed2ce4a3018a992ef913a3333bb682b702ae    
  
author   : Tomas Vondra <[email protected]>    
date     : Thu, 28 Nov 2019 22:20:28 +0100    
  
committer: Tomas Vondra <[email protected]>    
date     : Thu, 28 Nov 2019 22:20:28 +0100    

When picking the best extended statistics object for a list of clauses,  
it's not enough to look at attnums extracted from the clause list as a  
whole. Consider for example this query with OR clauses:  
  
   SELECT * FROM t WHERE (t.a = 1) OR (t.b = 1) OR (t.c = 1)  
  
with a statistics defined on columns (a,b). Relying on attnums extracted  
from the whole OR clause, we'd consider the statistics usable. That does  
not work, as we see the conditions as a single OR-clause, referencing an  
attribute not covered by the statistic, leading to empty list of clauses  
to be estimated using the statistics and an assert failure.  
  
This changes choose_best_statistics to check which clauses are actually  
covered, and only using attributes from the fully covered ones. For the  
previous example this means the statistics object will not be considered  
as compatible with the OR-clause.  
  
Backpatch to 12, where MCVs were introduced. The issue does not affect  
older versions because functional dependencies don't handle OR clauses.  
  
Author: Tomas Vondra  
Reviewed-by: Dean Rasheed  
Reported-By: Manuel Rigger  
Discussion: https://postgr.es/m/CA+u7OA7H5rcE2=8f263w4NZD6ipO_XOrYB816nuLXbmSTH9pQQ@mail.gmail.com  
Backpatch-through: 12  

commit   : bf3cef24a31966686dfaae3085ce7c545c0019a4    
  
author   : Etsuro Fujita <[email protected]>    
date     : Wed, 27 Nov 2019 16:00:46 +0900    
  
committer: Etsuro Fujita <[email protected]>    
date     : Wed, 27 Nov 2019 16:00:46 +0900    

commit   : 21a4edd1281de5efd09f1cf5c6073af14a2de409    
  
author   : Tom Lane <[email protected]>    
date     : Tue, 26 Nov 2019 14:41:48 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Tue, 26 Nov 2019 14:41:48 -0500    

The fix for CVE-2017-7484 disallowed use of pg_statistic data for  
planning purposes if the user would not be able to select the associated  
column and a non-leakproof function is to be applied to the statistics  
values.  That turns out to disable use of pg_statistic data in some  
common cases involving inheritance/partitioning, where the user does  
have permission to select from the parent table that was actually named  
in the query, but not from a child table whose stats are needed.  Since,  
in non-corner cases, the user *can* select the child table's data via  
the parent, this restriction is not actually useful from a security  
standpoint.  Improve the logic so that we also check the permissions of  
the originally-named table, and allow access if select permission exists  
for that.  
  
When checking access to stats for a simple child column, we can map  
the child column number back to the parent, and perform this test  
exactly (including not allowing access if the child column isn't  
exposed by the parent).  For expression indexes, the current logic  
just insists on whole-table select access, and this patch allows  
access if the user can select the whole parent table.  In principle,  
if the child table has extra columns, this might allow access to  
stats on columns the user can't read.  In practice, it's unlikely  
that the planner is going to do any stats calculations involving  
expressions that are not visible to the query, so we'll ignore that  
fine point for now.  Perhaps someday we'll improve that logic to  
detect exactly which columns are used by an expression index ...  
but today is not that day.  
  
Back-patch to v11.  The issue was created in 9.2 and up by the  
CVE-2017-7484 fix, but this patch depends on the append_rel_array[]  
planner data structure which only exists in v11 and up.  In  
practice the issue is most urgent with partitioned tables, so  
fixing v11 and later should satisfy much of the practical need.  
  
Dilip Kumar and Amit Langote, with some kibitzing by me  
  
Discussion: https://postgr.es/m/[email protected]  

commit   : 1cc3a90c7551cf1f33611152eba2bca56e0b721e    
  
author   : Amit Kapila <[email protected]>    
date     : Mon, 18 Nov 2019 14:17:41 +0530    
  
committer: Amit Kapila <[email protected]>    
date     : Mon, 18 Nov 2019 14:17:41 +0530    

Revert part of commit 19df1702f5.  
  
Early shutdown was added by that commit so that we could collect  
statistics from workers, but unfortunately, it interacted badly with  
rescans.  The problem is that we ended up destroying the parallel context  
which is required for rescans.  This leads to rescans of a Limit node over  
a Gather node to produce unpredictable results as it tries to access  
destroyed parallel context.  By reverting the early shutdown code, we  
might lose statistics in some cases of Limit over Gather [Merge], but that  
will require further study to fix.  
  
Reported-by: Jerry Sievers  
Diagnosed-by: Thomas Munro  
Author: Amit Kapila, testcase by Vignesh C  
Backpatch-through: 9.6  
Discussion: https://postgr.es/m/[email protected]  

commit   : a24a4167aa3889d26c425d38a8c67cc39df35fbd    
  
author   : Tom Lane <[email protected]>    
date     : Sun, 24 Nov 2019 15:57:31 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Sun, 24 Nov 2019 15:57:31 -0500    

If LISTEN is the only action in a serializable-mode transaction,  
and the session was not previously listening, and the notify queue  
is not empty, predicate.c reported an assertion failure.  That  
happened because we'd acquire the transaction's initial snapshot  
during PreCommit_Notify, which was called *after* predicate.c  
expects any such snapshot to have been established.  
  
To fix, just swap the order of the PreCommit_Notify and  
PreCommit_CheckForSerializationFailure calls during CommitTransaction.  
This will imply holding the notify-insertion lock slightly longer,  
but the difference could only be meaningful in serializable mode,  
which is an expensive option anyway.  
  
It appears that this is just an assertion failure, with no  
consequences in non-assert builds.  A snapshot used only to scan  
the notify queue could not have been involved in any serialization  
conflicts, so there would be nothing for  
PreCommit_CheckForSerializationFailure to do except assign it a  
prepareSeqNo and set the SXACT_FLAG_PREPARED flag.  And given no  
conflicts, neither of those omissions affect the behavior of  
ReleasePredicateLocks.  This admittedly once-over-lightly analysis  
is backed up by the lack of field reports of trouble.  
  
Per report from Mark Dilger.  The bug is old, so back-patch to all  
supported branches; but the new test case only goes back to 9.6,  
for lack of adequate isolationtester infrastructure before that.  
  
Discussion: https://postgr.es/m/[email protected]  
Discussion: https://postgr.es/m/[email protected]  

commit   : ec9f6be3b9a935864f28b9ef183a9a4d08662cc3    
  
author   : Thomas Munro <[email protected]>    
date     : Mon, 25 Nov 2019 09:20:28 +1300    
  
committer: Thomas Munro <[email protected]>    
date     : Mon, 25 Nov 2019 09:20:28 +1300    

Back-patch to 10.  
  
Author: Andreas Karlsson  
Discussion: https://postgr.es/m/043acae2-a369-b7fa-be48-1933aa2e82d1%40proxel.se  

commit   : c47f498c93f9ebbb44cd03cf82f817da15761350    
  
author   : Tom Lane <[email protected]>    
date     : Sun, 24 Nov 2019 14:42:59 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Sun, 24 Nov 2019 14:42:59 -0500    

This patch ensures that, if any notify messages were received during  
a just-finished transaction, they get sent to the frontend just before  
not just after the ReadyForQuery message.  With libpq and other client  
libraries that act similarly, this guarantees that the client will see  
the notify messages as available as soon as it thinks the transaction  
is done.  
  
This probably makes no difference in practice, since in realistic  
use-cases the application would have to cope with asynchronous  
arrival of notify events anyhow.  However, it makes it a lot easier  
to build cross-session-notify test cases with stable behavior.  
I'm a bit surprised now that we've not seen any buildfarm instability  
with the test cases added by commit b10f40bf0.  Tests that I intend  
to add in an upcoming bug fix are definitely unstable without this.  
  
Back-patch to 9.6, which is as far back as we can do NOTIFY testing  
with the isolationtester infrastructure.  
  
Discussion: https://postgr.es/m/[email protected]  

commit   : 7d4c3118137a37dddcefe28145a3a2e4bccf59fd    
  
author   : Tom Lane <[email protected]>    
date     : Sat, 23 Nov 2019 17:30:00 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Sat, 23 Nov 2019 17:30:00 -0500    

Back-patch commit b10f40bf0 into older branches.  This adds reporting  
of NOTIFY messages to isolationtester.c, and extends the async-notify  
test to include direct tests of basic NOTIFY functionality.  
  
This provides useful infrastructure for testing a bug fix I'm about  
to back-patch, and there seems no good reason not to have better tests  
of LISTEN/NOTIFY in the back branches.  The commit's survived long  
enough in HEAD to make it unlikely that it will cause problems.  
  
Back-patch as far as 9.6.  isolationtester.c changed too much in 9.6  
to make it sane to try to fix older branches this way, and I don't  
really want to back-patch those changes too.  
  
Discussion: https://postgr.es/m/[email protected]  

commit   : 8047a7b9dd454a6514ab7d0fcbe27aca3ec2e11c    
  
author   : Tom Lane <[email protected]>    
date     : Fri, 22 Nov 2019 12:52:26 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Fri, 22 Nov 2019 12:52:26 -0500    

It seems pretty unacceptable to have no regression test coverage  
for this aspect of the logical replication protocol, especially  
given the bugs we've found in related code.  
  
Discussion: https://postgr.es/m/[email protected]  

commit   : a2aa224e05dca3caf45beb6720a8b9a25e68efad    
  
author   : Tom Lane <[email protected]>    
date     : Fri, 22 Nov 2019 11:31:19 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Fri, 22 Nov 2019 11:31:19 -0500    

slot_modify_cstrings seriously abused the TupleTableSlot API by relying  
on a slot's underlying data to stay valid across ExecClearTuple.  Since  
this abuse was also quite undocumented, it's little surprise that the  
case got broken during the v12 slot rewrites.  As reported in bug #16129  
from Ondřej Jirman, this could lead to crashes or data corruption when  
a logical replication subscriber processes a row update.  Problems would  
only arise if the subscriber's table contained columns of pass-by-ref  
types that were not being copied from the publisher.  
  
Fix by explicitly copying the datum/isnull arrays from the source slot  
that the old row was in already.  This ends up being about the same  
thing that happened pre-v12, but hopefully in a less opaque and  
fragile way.  
  
We might've caught the problem sooner if there were any test cases  
dealing with updates involving non-replicated or dropped columns.  
Now there are.  
  
Back-patch to v10 where this code came in.  Even though the failure  
does not manifest before v12, IMO this code is too fragile to leave  
as-is.  In any case we certainly want the additional test coverage.  
  
Patch by me; thanks to Tomas Vondra for initial investigation.  
  
Discussion: https://postgr.es/m/[email protected]  

commit   : 5186f7625e5fc0e3ae85419099a75d6aa93d8351    
  
author   : Tom Lane <[email protected]>    
date     : Thu, 21 Nov 2019 16:21:43 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Thu, 21 Nov 2019 16:21:43 -0500    

While a self-referential view doesn't actually work, it's possible  
to create one, and it turns out that this breaks some of the  
information_schema views.  Those views call relation_is_updatable(),  
which neglected to consider the hazards of being recursive.  In  
older PG versions you get a "stack depth limit exceeded" error,  
but since v10 it'd recurse to the point of stack overrun and crash,  
because commit a4c35ea1c took out the expression_returns_set() call  
that was incidentally checking the stack depth.  
  
Since this function is only used by information_schema views, it  
seems like it'd be better to return "not updatable" than suffer  
an error.  Hence, add tracking of what views we're examining,  
in just the same way that the nearby fireRIRrules() code detects  
self-referential views.  I added a check_stack_depth() call too,  
just to be defensive.  
  
Per private report from Manuel Rigger.  Back-patch to all  
supported versions.  

commit   : c644407f757c26c9037e4dfc67f57b841489afd4    
  
author   : Michael Paquier <[email protected]>    
date     : Thu, 21 Nov 2019 10:23:38 +0900    
  
committer: Michael Paquier <[email protected]>    
date     : Thu, 21 Nov 2019 10:23:38 +0900    

Trying to use hypothetical indexes with BRIN currently fails when trying  
to access a relation that does not exist when looking for the  
statistics.  With the current API, it is not possible to easily pass  
a value for pages_per_range down to the hypothetical index, so this  
makes use of the default value of BRIN_DEFAULT_PAGES_PER_RANGE, which  
should be fine enough in most cases.  
  
Being able to refine or enforce the hypothetical costs in more  
optimistic ways would require more refactoring by filling in the  
statistics when building IndexOptInfo in plancat.c.  This would involve  
ABI breakages around the costing routines, something not fit for stable  
branches.  
  
This is broken since 7e534ad, so backpatch down to v10.  
  
Author: Julien Rouhaud, Heikki Linnakangas  
Reviewed-by: Álvaro Herrera, Tom Lane, Michael Paquier  
Discussion: https://postgr.es/m/CAOBaU_ZH0LKEA8VFCocr6Lpte1ab0b6FpvgS0y4way+RPSXfYg@mail.gmail.com  
Backpatch-through: 10  

commit   : 2c9772f5f5b4172d7332c7fbf742d773bdf44e1c    
  
author   : Magnus Hagander <[email protected]>    
date     : Wed, 20 Nov 2019 17:03:07 +0100    
  
committer: Magnus Hagander <[email protected]>    
date     : Wed, 20 Nov 2019 17:03:07 +0100    

Author: Daniel Gustafsson <[email protected]>  

commit   : 2189f49c420f2bf49dfac122f9fbae51c3565594    
  
author   : Thomas Munro <[email protected]>    
date     : Wed, 20 Nov 2019 17:52:15 +1300    
  
committer: Thomas Munro <[email protected]>    
date     : Wed, 20 Nov 2019 17:52:15 +1300    

When ReadFile() encounters the end of a file while reading from  
a synchronous handle with an offset provided via OVERLAPPED, it  
reports an error instead of returning 0.  By not handling that  
(undocumented) result correctly, we caused some noisy LOG  
messages about an unknown error code.  Repair.  
  
Back-patch to 12, where we started using pread()/ReadFile() with  
an offset.  
  
Reported-by: ZhenHua Cai, Amit Kapila  
Diagnosed-by: Juan Jose Santamaria Flecha  
Tested-by: Amit Kapila  
Discussion: https://postgr.es/m/CAA4eK1LK3%2BWRtpz68TiRdpHwxxWm%3D%2Bt1BMf-G68hhQsAQ41PZg%40mail.gmail.com  

commit   : 135026653d450c28d458576a023dffc0e3cb0bf9    
  
author   : Tatsuo Ishii <[email protected]>    
date     : Wed, 20 Nov 2019 09:13:12 +0900    
  
committer: Tatsuo Ishii <[email protected]>    
date     : Wed, 20 Nov 2019 09:13:12 +0900    

Discussion: https://postgr.es/m/20191119.222048.49467220816510881.t-ishii%40sraoss.co.jp  

commit   : bffe18e3e7dbb3c159361e62478c324ebe3041ec    
  
author   : Tom Lane <[email protected]>    
date     : Tue, 19 Nov 2019 17:03:26 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Tue, 19 Nov 2019 17:03:26 -0500    

The planner's optimization code for LIKE and regex operators could  
error out with a complaint like "no = operator for opfamily NNN"  
if someone created a binary-compatible index (for example, a  
bpchar_ops index on a text column) on the LIKE's left argument.  
  
This is a consequence of careless refactoring in commit 74dfe58a5.  
The old code in match_special_index_operator only accepted specific  
combinations of the pattern operator and the index opclass, thereby  
indirectly guaranteeing that the opclass would have a comparison  
operator with the same LHS input type as the pattern operator.  
While moving the logic out to a planner support function, I simplified  
that test in a way that no longer guarantees that.  Really though we'd  
like an altogether weaker dependency on the opclass, so rather than  
put back exactly the old code, just allow lookup failure.  I have in  
mind now to rewrite this logic completely, but this is the minimum  
change needed to fix the bug in v12.  
  
Per report from Manuel Rigger.  Back-patch to v12 where the mistake  
came in.  
  
Discussion: https://postgr.es/m/CA+u7OA7nnGYy8rY0vdTe811NuA+Frr9nbcBO9u2Z+JxqNaud+g@mail.gmail.com  

commit   : a64e7e05a418ec26a76ecbf04c80e9ba7fe8aa90    
  
author   : Alexander Korotkov <[email protected]>    
date     : Wed, 20 Nov 2019 00:12:33 +0300    
  
committer: Alexander Korotkov <[email protected]>    
date     : Wed, 20 Nov 2019 00:12:33 +0300    

By oversight 52ac6cd2d0 makes ginDeletePage() sets pd_prune_xid of page to be  
deleted before entering the critical section.  It appears that only versions 11  
and later were affected by this oversight.  
  
Backpatch-through: 11  

commit   : ca05fa5375eb3124660e24346f1bdc3990c118f2    
  
author   : Alexander Korotkov <[email protected]>    
date     : Tue, 19 Nov 2019 23:11:24 +0300    
  
committer: Alexander Korotkov <[email protected]>    
date     : Tue, 19 Nov 2019 23:11:24 +0300    

We find GIN concurrency bugs from time to time.  One of the problems here is  
that concurrency of GIN isn't well-documented in README.  So, it might be even  
hard to distinguish design bugs from implementation bugs.  
  
This commit revised concurrency section in GIN README providing more details.  
Some examples are illustrated in ASCII art.  
  
Also, this commit add the explanation of how is tuple layout in internal GIN  
B-tree page different in comparison with nbtree.  
  
Discussion: https://postgr.es/m/CAPpHfduXR_ywyaVN4%2BOYEGaw%3DcPLzWX6RxYLBncKw8de9vOkqw%40mail.gmail.com  
Author: Alexander Korotkov  
Reviewed-by: Peter Geoghegan  
Backpatch-through: 9.4  

commit   : ee437ca7408b67f2b785e4221c7e567aecf68b47    
  
author   : Alexander Korotkov <[email protected]>    
date     : Tue, 19 Nov 2019 23:08:14 +0300    
  
committer: Alexander Korotkov <[email protected]>    
date     : Tue, 19 Nov 2019 23:08:14 +0300    

Current GIN code appears to don't handle traversing to the deleted page via  
downlink.  This commit fixes that by stepping right from the delete page like  
we do in nbtree.  
  
This commit also fixes setting 'deleted' flag to the GIN pages.  Now other page  
flags are not erased once page is deleted.  That helps to keep our assertions  
true if we arrive deleted page via downlink.  
  
Discussion: https://postgr.es/m/CAPpHfdvMvsw-NcE5bRS7R1BbvA4BxoDnVVjkXC5W0Czvy9LVrg%40mail.gmail.com  
Author: Alexander Korotkov  
Reviewed-by: Peter Geoghegan  
Backpatch-through: 9.4  

commit   : 051c50c01c32ceb498d53e78f48297713744b7cb    
  
author   : Alexander Korotkov <[email protected]>    
date     : Tue, 19 Nov 2019 23:07:36 +0300    
  
committer: Alexander Korotkov <[email protected]>    
date     : Tue, 19 Nov 2019 23:07:36 +0300    

When ginDeletePage() is about to delete page it locks its left sibling to revise  
the rightlink.  So, it locks pages in right to left manner.  Int he same time  
ginStepRight() locks pages in left to right manner, and that could cause a  
deadlock.  
  
This commit makes ginScanToDelete() keep exclusive lock on left siblings of  
currently investigated path.  That elimites need to relock left sibling in  
ginDeletePage().  Thus, deadlock with ginStepRight() can't happen anymore.  
  
Reported-by: Chen Huajun  
Discussion: https://postgr.es/m/5c332bd1.87b6.16d7c17aa98.Coremail.chjischj%40163.com  
Author: Alexander Korotkov  
Reviewed-by: Peter Geoghegan  
Backpatch-through: 10  

commit   : 823a551fe0c6e732f48cb54dc60d5cfd66b0aff4    
  
author   : Tom Lane <[email protected]>    
date     : Tue, 19 Nov 2019 14:43:37 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Tue, 19 Nov 2019 14:43:37 -0500    

Apparently some people misinterpreted the syntax as being that  
RECURSIVE is a prefix of individual WITH queries.  It's a modifier  
for the WITH clause as a whole, so state that more clearly.  
  
Discussion: https://postgr.es/m/[email protected]  

commit   : 93b2bbede91b32d12d9e444e576be2efff6942b5    
  
author   : Tom Lane <[email protected]>    
date     : Tue, 19 Nov 2019 14:21:41 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Tue, 19 Nov 2019 14:21:41 -0500    

The existing text stated that "Default privileges that are specified  
per-schema are added to whatever the global default privileges are for  
the particular object type".  However, that bare-bones observation is  
not quite clear enough, as demonstrated by the complaint in bug #16124.  
Flesh it out by stating explicitly that you can't revoke built-in  
default privileges this way, and by providing an example to drive  
the point home.  
  
Back-patch to all supported branches, since it's been like this  
from the beginning.  
  
Discussion: https://postgr.es/m/[email protected]  

commit   : fcaf29d87a6ca08188fa9fe1ebba90c9654df006    
  
author   : Tom Lane <[email protected]>    
date     : Sat, 16 Nov 2019 20:00:19 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Sat, 16 Nov 2019 20:00:19 -0500    

It turns out that commit e9f1c01b7 missed a case: we must print a  
VALUES clause in long format if get_query_def is given a resultDesc  
that would require the query's output column name(s) to be different  
from what the bare VALUES clause would produce.  
  
This applies in case an ALTER ... RENAME COLUMN has been done to  
a view that formerly could be printed in simple format, as shown  
in the added regression test case.  It also explains bug #16119  
from Dmitry Telpt, because it turns out that (unlike CREATE VIEW)  
CREATE MATERIALIZED VIEW fails to apply any column aliases it's  
given to the stored ON SELECT rule.  So to get them to be printed,  
we have to account for the resultDesc renaming.  It might be worth  
changing the matview code so that it creates the ON SELECT rule  
with the correct aliases; but we'd still need these messy checks in  
get_simple_values_rte to handle the case of a subsequent column  
rename, so any such change would be just neatnik-ism not a bug fix.  
  
Like the previous patch, back-patch to all supported branches.  
  
Discussion: https://postgr.es/m/[email protected]