PostgreSQL 13.0 (upcoming) commit log

commit   : 5139db55636bc39c06232ada1b195f7d5d6950e0    
  
author   : Alvaro Herrera <alvherre@alvh.no-ip.org>    
date     : Wed, 18 May 2022 23:19:53 +0200    
  
committer: Alvaro Herrera <alvherre@alvh.no-ip.org>    
date     : Wed, 18 May 2022 23:19:53 +0200    

Commit 0fbf01120023 should have updated them but didn't.  

commit   : 80656f00f85668bb828c1eb878876e5bedcbf4c4    
  
author   : Alvaro Herrera <alvherre@alvh.no-ip.org>    
date     : Wed, 18 May 2022 20:28:31 +0200    
  
committer: Alvaro Herrera <alvherre@alvh.no-ip.org>    
date     : Wed, 18 May 2022 20:28:31 +0200    

We weren't checking the length of the column list in the alias clause of  
an XMLTABLE or JSON_TABLE function (a "tablefunc" RTE), and it was  
possible to make the server crash by passing an overly long one.  Fix it  
by throwing an error in that case, like the other places that deal with  
alias lists.  
  
In passing, modify the equivalent test used for join RTEs to look like  
the other ones, which was different for no apparent reason.  
  
This bug came in when XMLTABLE was born in version 10; backpatch to all  
stable versions.  
  
Reported-by: Wang Ke <krking@zju.edu.cn>  
Discussion: https://postgr.es/m/17480-1c9d73565bb28e90@postgresql.org  

commit   : 2e9559b30239ce3cf69383ced208a72a7eb99335    
  
author   : Michael Paquier <michael@paquier.xyz>    
date     : Mon, 16 May 2022 11:26:26 +0900    
  
committer: Michael Paquier <michael@paquier.xyz>    
date     : Mon, 16 May 2022 11:26:26 +0900    

If a cluster is promoted (aka the control file shows a state different  
than DB_IN_ARCHIVE_RECOVERY) while CreateRestartPoint() is still  
processing, this function could miss an update of the control file for  
"checkPoint" and "checkPointCopy" but still do the recycling and/or  
removal of the past WAL segments, assuming that the to-be-updated LSN  
values should be used as reference points for the cleanup.  This causes  
a follow-up restart attempting crash recovery to fail with a PANIC on a  
missing checkpoint record if the end-of-recovery checkpoint triggered by  
the promotion did not complete while the cluster abruptly stopped or  
crashed before the completion of this checkpoint.  The PANIC would be  
caused by the redo LSN referred in the control file as located in a  
segment already gone, recycled by the previous restartpoint with  
"checkPoint" out-of-sync in the control file.  
  
This commit fixes the update of the control file during restartpoints so  
as "checkPoint" and "checkPointCopy" are updated even if the cluster has  
been promoted while a restartpoint is running, to be on par with the set  
of WAL segments actually recycled in the end of CreateRestartPoint().  
  
7863ee4 has fixed this problem already on master, but the release timing  
of the latest point versions did not let me enough time to study and fix  
that on all the stable branches.  
  
Reported-by: Fujii Masao, Rui Zhao  
Author: Kyotaro Horiguchi  
Reviewed-by: Nathan Bossart, Michael Paquier  
Discussion: https://postgr.es/m/20220316.102444.2193181487576617583.horikyota.ntt@gmail.com  
Backpatch-through: 10  

commit   : b7579b25c8159bfda7b70c9ec005aae243017563    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Thu, 12 May 2022 11:31:46 -0400    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Thu, 12 May 2022 11:31:46 -0400    

This follows in the footsteps of commit 2591ee8ec by removing one more  
ill-advised shortcut from planning of GroupingFuncs.  It's true that  
we don't intend to execute the argument expression(s) at runtime, but  
we still have to process any Vars appearing within them, or we risk  
failure at setrefs.c time (or more fundamentally, in EXPLAIN trying  
to print such an expression).  Vars in upper plan nodes have to have  
referents in the next plan level, whether we ever execute 'em or not.  
  
Per bug #17479 from Michael J. Sullivan.  Back-patch to all supported  
branches.  
  
Richard Guo  
  
Discussion: https://postgr.es/m/17479-6260deceaf0ad304@postgresql.org  

commit   : 55558df2374167af38534df988ec3b9d0b0019f0    
  
author   : Amit Kapila <akapila@postgresql.org>    
date     : Wed, 11 May 2022 10:41:24 +0530    
  
committer: Amit Kapila <akapila@postgresql.org>    
date     : Wed, 11 May 2022 10:41:24 +0530    

The problem is that we don't send keep-alive messages for a long time  
while processing large transactions during logical replication where we  
don't send any data of such transactions. This can happen when the table  
modified in the transaction is not published or because all the changes  
got filtered. We do try to send the keep_alive if necessary at the end of  
the transaction (via WalSndWriteData()) but by that time the  
subscriber-side can timeout and exit.  
  
To fix this we try to send the keepalive message if required after  
processing certain threshold of changes.  
  
Reported-by: Fabrice Chapuis  
Author: Wang wei and Amit Kapila  
Reviewed By: Masahiko Sawada, Euler Taveira, Hou Zhijie, Hayato Kuroda  
Backpatch-through: 10  
Discussion: https://postgr.es/m/CAA5-nLARN7-3SLU_QUxfy510pmrYK6JJb=bk3hcgemAM_pAv+w@mail.gmail.com  

commit   : b9d70ef34b833fd63e3ff9f049dbbcdfda9dc9fe    
  
author   : Michael Paquier <michael@paquier.xyz>    
date     : Wed, 11 May 2022 10:22:34 +0900    
  
committer: Michael Paquier <michael@paquier.xyz>    
date     : Wed, 11 May 2022 10:22:34 +0900    

The current setup assumes that commands for lz4, zstd and gzip always  
exist by default if not enforced by a user's environment.  However,  
vcpkg, as one example, installs libraries but no binaries, so this  
default setup to assume that a command should always be present would  
cause failures.  This commit improves the detection of such external  
commands as follows:  
* If a ENV value is available, trust the environment/user and use it.  
* If a ENV value is not available, check its execution by looking in the  
current PATH, by launching a simple "$command --version" (that should be  
portable enough).  
** On execution failure, ignore ENV{command}.  
** On execution success, set ENV{command} = "$command".  
  
Note that this new rule applies to gzip, lz4 and zstd but not tar that  
we assume will always exist.  Those commands are set up in the  
environment only when using bincheck and taptest.  The CI includes all  
those commands and I have checked that their setup is correct there.  I  
have also tested this change in a MSVC environment where we have none of  
those commands.  
  
While on it, remove the references to lz4 from the documentation and  
vcregress.pl in ~v13.  --with-lz4 has been added in v14~ so there is no  
point to have this information in these older branches.  
  
Reported-by: Andrew Dunstan  
Reviewed-by: Andrew Dunstan  
Discussion: https://postgr.es/m/14402151-376b-a57a-6d0c-10ad12608e12@dunslane.net  
Backpatch-through: 10  

commit   : af9b967671533965debc9caf3e20fd65a3c71ae4    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Tue, 10 May 2022 18:42:02 -0400    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Tue, 10 May 2022 18:42:02 -0400    

In OpenLDAP 2.5 and later, libldap itself is always thread-safe and  
there's never a libldap_r.  Our existing coding dealt with that  
by assuming it wouldn't find libldap_r if libldap is thread-safe.  
But that rule fails to cope if there are multiple OpenLDAP versions  
visible, as is likely to be the case on macOS in particular.  We'd  
end up using shiny new libldap in the backend and a hoary libldap_r  
in libpq.  
  
Instead, once we've found libldap, check if it's >= 2.5 (by  
probing for a function introduced then) and don't bother looking  
for libldap_r if so.  While one can imagine library setups that  
this'd still give the wrong answer for, they seem unlikely to  
occur in practice.  
  
Per report from Peter Eisentraut.  Back-patch to all supported branches.  
  
Discussion: https://postgr.es/m/fedacd7c-2a38-25c9-e7ff-dea549d0e979@enterprisedb.com  

commit   : 4695fdb40fbb1e977e7e62f7d9af1fa948230d6a    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Mon, 9 May 2022 17:16:30 -0400    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Mon, 9 May 2022 17:16:30 -0400    

commit   : 0c8215c7b6bdf528edab88943438f0db9afad49b    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Mon, 9 May 2022 14:29:53 -0400    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Mon, 9 May 2022 14:29:53 -0400    

Security: CVE-2022-1552  

commit   : 91a3a74c65f4094420b28c393ac1d38af8ae4c4a    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Mon, 9 May 2022 14:15:37 -0400    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Mon, 9 May 2022 14:15:37 -0400    

The parser code that transformed VALUES from row-oriented to  
column-oriented lists failed if there were zero columns.  
You can't write that straightforwardly (though probably you  
should be able to), but the case can be reached by expanding  
a "tab.*" reference to a zero-column table.  
  
Per bug #17477 from Wang Ke.  Back-patch to all supported branches.  
  
Discussion: https://postgr.es/m/17477-0af3c6ac6b0a6ae0@postgresql.org  

commit   : 7f0754bc4c0a0abadcbe02e886e31305c37a7053    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Mon, 9 May 2022 11:02:37 -0400    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Mon, 9 May 2022 11:02:37 -0400    

This reverts commit eafdf9de06e9b60168f5e47cedcfceecdc6d4b5f  
and its back-branch counterparts.  Corey Huinker pointed out that  
we'd discussed this exact change back in 2016 and rejected it,  
on the grounds that there's at least one usage pattern with LIMIT  
where an infinite endpoint can usefully be used.  Perhaps that  
argument needs to be re-litigated, but there's no time left before  
our back-branch releases.  To keep our options open, restore the  
status quo ante; if we do end up deciding to change things, waiting  
one more quarter won't hurt anything.  
  
Rather than just doing a straight revert, I added a new test case  
demonstrating the usage with LIMIT.  That'll at least remind us of  
the issue if we forget again.  
  
Discussion: https://postgr.es/m/3603504.1652068977@sss.pgh.pa.us  
Discussion: https://postgr.es/m/CADkLM=dzw0Pvdqp5yWKxMd+VmNkAMhG=4ku7GnCZxebWnzmz3Q@mail.gmail.com  

commit   : 88743d581e1bdedc13e4ca33c5a6597a5d2dbdc4    
  
author   : Noah Misch <noah@leadboat.com>    
date     : Mon, 9 May 2022 08:35:08 -0700    
  
committer: Noah Misch <noah@leadboat.com>    
date     : Mon, 9 May 2022 08:35:08 -0700    

It intended to, but did not, achieve this.  Adopt the new standard of  
setting user ID just after locking the relation.  Back-patch to v10 (all  
supported versions).  
  
Reviewed by Simon Riggs.  Reported by Alvaro Herrera.  
  
Security: CVE-2022-1552  

commit   : 35edcc0cee7bf7d4746e3e5b7966b1f0ec509560    
  
author   : Noah Misch <noah@leadboat.com>    
date     : Mon, 9 May 2022 08:35:08 -0700    
  
committer: Noah Misch <noah@leadboat.com>    
date     : Mon, 9 May 2022 08:35:08 -0700    

When a feature enumerates relations and runs functions associated with  
all found relations, the feature's user shall not need to trust every  
user having permission to create objects.  BRIN-specific functionality  
in autovacuum neglected to account for this, as did pg_amcheck and  
CLUSTER.  An attacker having permission to create non-temp objects in at  
least one schema could execute arbitrary SQL functions under the  
identity of the bootstrap superuser.  CREATE INDEX (not a  
relation-enumerating operation) and REINDEX protected themselves too  
late.  This change extends to the non-enumerating amcheck interface.  
Back-patch to v10 (all supported versions).  
  
Sergey Shinderuk, reviewed (in earlier versions) by Alexander Lakhin.  
Reported by Alexander Lakhin.  
  
Security: CVE-2022-1552  

commit   : 916463773c9b873c3537a735bd09183bb8488d0f    
  
author   : Peter Eisentraut <peter@eisentraut.org>    
date     : Mon, 9 May 2022 12:27:22 +0200    
  
committer: Peter Eisentraut <peter@eisentraut.org>    
date     : Mon, 9 May 2022 12:27:22 +0200    

Source-Git-URL: https://git.postgresql.org/git/pgtranslation/messages.git  
Source-Git-Hash: 7c8dcb6669ccc6ae33090d02ed92f0bad6ada742  

commit   : 6348e46850681daf1e648fd11cafabbe4aba8597    
  
author   : Andres Freund <andres@anarazel.de>    
date     : Sun, 8 May 2022 17:59:30 -0700    
  
committer: Andres Freund <andres@anarazel.de>    
date     : Sun, 8 May 2022 17:59:30 -0700    

f40d362a667 disabled part of 031_recovery_conflict.pl due to instability  
that's not trivial to fix in the back branches. That fixed most of the  
issues. But there was one more failure (on lapwing / REL_10_STABLE).  
  
That failure looks like it might be caused by a genuine problem. Disable the  
test until after the set of releases, to avoid packagers etc potentially  
having to fight with a test failure they can't do anything about.  
  
Discussion: https://postgr.es/m/3447060.1652032749@sss.pgh.pa.us  
Backpatch: 10-14  

commit   : fdaaba15397a71786a8ddcd987e067ab94e2b45c    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Sun, 8 May 2022 12:36:38 -0400    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Sun, 8 May 2022 12:36:38 -0400    

commit   : 4caa85e4f358c8c442fd5855fbc2d80237d3e857    
  
author   : Noah Misch <noah@leadboat.com>    
date     : Sat, 7 May 2022 09:12:56 -0700    
  
committer: Noah Misch <noah@leadboat.com>    
date     : Sat, 7 May 2022 09:12:56 -0700    

Per buildfarm members tadarida, snapper, and kittiwake.  Back-patch to  
v10 (all supported versions).  

commit   : 23213f53ba206f8104ccbac9934190fdbfbfc082    
  
author   : Noah Misch <noah@leadboat.com>    
date     : Sat, 7 May 2022 00:33:15 -0700    
  
committer: Noah Misch <noah@leadboat.com>    
date     : Sat, 7 May 2022 00:33:15 -0700    

Per buildfarm members snapper and kittiwake.  Back-patch to v10 (all  
supported versions).  
  
Discussion: https://postgr.es/m/20220116210241.GC756210@rfd.leadboat.com  

commit   : 4e39957e6eb52887c2d631e9edf08a07c306ec9f    
  
author   : Andres Freund <andres@anarazel.de>    
date     : Fri, 6 May 2022 09:01:08 -0700    
  
committer: Andres Freund <andres@anarazel.de>    
date     : Fri, 6 May 2022 09:01:08 -0700    

The recovery deadlock test has a timing issue that was fixed in 5136967f1eb in  
HEAD. Unfortunately the same fix doesn't quite work in the back branches: 1)  
adjust_conf() doesn't exist, which is easy enough to work around 2) a restart  
cleares the recovery conflict stats < 15.  
  
These issues can be worked around, but given the upcoming set of minor  
releases, skip the problematic test for now. The buildfarm doesn't show  
failures in other parts of 031_recovery_conflict.pl.  
  
Discussion: https://postgr.es/m/20220506155827.dfnaheq6ufylwrqf@alap3.anarazel.de  
Backpatch: 10-14  

commit   : 6ab90d215afcec4c8d6583cb359ee0c1c1530a20    
  
author   : Andres Freund <andres@anarazel.de>    
date     : Fri, 6 May 2022 08:39:07 -0700    
  
committer: Andres Freund <andres@anarazel.de>    
date     : Fri, 6 May 2022 08:39:07 -0700    

In a2ab9c06ea1 I just backpatched the introduction of pump_until(), without  
changing the existing local definitions (as 6da65a3f9a9). The necessary  
changes seemed more verbose than desirable. However, that leads to warnings,  
as I failed to realize...  
  
Backpatch to all versions containing pump_until() calls before  
f74496dd611 (there's none in 10).  
  
Discussion: https://postgr.es/m/2808491.1651802860@sss.pgh.pa.us  
Discussion: https://postgr.es/m/18b37361-b482-b9d8-f30d-6115cd5ce25c@enterprisedb.com  
Backpatch: 11-14  

commit   : e9735d1af176e73158931a14b5f304a42f94f7d6    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Thu, 5 May 2022 14:54:53 -0400    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Thu, 5 May 2022 14:54:53 -0400    

DST law changes in Palestine.  Historical corrections for  
Chile and Ukraine.  

commit   : 27e97d0747ad0b615fd05b468bf09b12de196e44    
  
author   : Andres Freund <andres@anarazel.de>    
date     : Wed, 4 May 2022 14:16:41 -0700    
  
committer: Andres Freund <andres@anarazel.de>    
date     : Wed, 4 May 2022 14:16:41 -0700    

This reverts commit 8a3a8d9f103e360fffc02089810a520e22521ae2.  

commit   : 8a3a8d9f103e360fffc02089810a520e22521ae2    
  
author   : Andres Freund <andres@anarazel.de>    
date     : Wed, 4 May 2022 12:50:38 -0700    
  
committer: Andres Freund <andres@anarazel.de>    
date     : Wed, 4 May 2022 12:50:38 -0700    

Per buildfarm members longfin and skink.  
  
Discussion: https://postgr.es/m/20220413002626.udl7lll7f3o7nre7@alap3.anarazel.de  
Backpatch: 10-  

commit   : 0446d3bf3909247f06de9b8f08a739caf7cc72ca    
  
author   : Andres Freund <andres@anarazel.de>    
date     : Mon, 2 May 2022 18:29:35 -0700    
  
committer: Andres Freund <andres@anarazel.de>    
date     : Mon, 2 May 2022 18:29:35 -0700    

The prior commit showed that the introduction of recovery conflict tests was a  
good idea. Without these tests it's hard to know that the fix didn't break  
something...  
  
031_recovery_conflict.pl was introduced in 9f8a050f68d and extended in  
21e184403bf.  
  
Discussion: https://postgr.es/m/20220413002626.udl7lll7f3o7nre7@alap3.anarazel.de  
Backpatch: 10-14  

commit   : 57c5ad168be1ce9a5e91adb4c576996921cd8627    
  
author   : Andres Freund <andres@anarazel.de>    
date     : Mon, 2 May 2022 18:25:00 -0700    
  
committer: Andres Freund <andres@anarazel.de>    
date     : Mon, 2 May 2022 18:25:00 -0700    

The tests added in 9f8a050f68d failed nearly reliably on FreeBSD in CI, and  
occasionally on the buildfarm. That turns out to be caused not by a bug in the  
test, but by a longstanding bug in recovery conflict handling.  
  
The standby timeout handler, used by ResolveRecoveryConflictWithBufferPin(),  
executed SendRecoveryConflictWithBufferPin() inside a signal handler. A bad  
idea, because the deadlock timeout handler (or a spurious latch set) could  
have interrupted ProcWaitForSignal(). If unlucky that could cause a  
self-deadlock on ProcArrayLock, if the deadlock check is in  
SendRecoveryConflictWithBufferPin()->CancelDBBackends().  
  
To fix, set a flag in StandbyTimeoutHandler(), and check the flag in  
ResolveRecoveryConflictWithBufferPin().  
  
Subsequently the recovery conflict tests will be backpatched.  
  
Discussion: https://postgr.es/m/20220413002626.udl7lll7f3o7nre7@alap3.anarazel.de  
Backpatch: 10-  

commit   : 90abe1e17f9d3f725cf92a3ef43593ec56eaf671    
  
author   : Andres Freund <andres@anarazel.de>    
date     : Mon, 2 May 2022 18:09:43 -0700    
  
committer: Andres Freund <andres@anarazel.de>    
date     : Mon, 2 May 2022 18:09:43 -0700    

These were originally introduced in a2ab9c06ea1 and a2ab9c06ea1, as they are  
needed by a about-to-be-backpatched test.  
  
Discussion: https://postgr.es/m/20220413002626.udl7lll7f3o7nre7@alap3.anarazel.de  
Backpatch: 10-14  

commit   : d85f2bfa09f64e52436e8f05a9e112e160bace65    
  
author   : Etsuro Fujita <efujita@postgresql.org>    
date     : Mon, 2 May 2022 16:45:04 +0900    
  
committer: Etsuro Fujita <efujita@postgresql.org>    
date     : Mon, 2 May 2022 16:45:04 +0900    

commit   : d9cede2c3bfd0739acf294e4e83b36ea9de36b83    
  
author   : Andrew Dunstan <andrew@dunslane.net>    
date     : Mon, 25 Apr 2022 15:02:13 -0400    
  
committer: Andrew Dunstan <andrew@dunslane.net>    
date     : Mon, 25 Apr 2022 15:02:13 -0400    

For some reason by default the mingw C Runtime takes it upon itself to  
expand program arguments that look like shell globbing characters. That  
has caused much scratching of heads and mis-attribution of the causes of  
some TAP test failures, so stop doing that.  
  
This removes an inconsistency with Windows binaries built with MSVC,  
which have no such behaviour.  
  
Per suggestion from Noah Misch.  
  
Backpatch to all live branches.  
  
Discussion: https://postgr.es/m/20220423025927.GA1274057@rfd.leadboat.com  

commit   : e6440d5007aaa33f946ab63f2c1dfd1ee99e2050    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Thu, 21 Apr 2022 17:58:52 -0400    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Thu, 21 Apr 2022 17:58:52 -0400    

inline_cte() expected to find exactly as many references to the  
target CTE as its cterefcount indicates.  While that should be  
accurate for the tree as emitted by the parser, there are some  
optimizations that occur upstream of here that could falsify it,  
notably removal of unused subquery output expressions.  
  
Trying to make the accounting 100% accurate seems expensive and  
doomed to future breakage.  It's not really worth it, because  
all this code is protecting is downstream assumptions that every  
referenced CTE has a plan.  Let's convert those assertions to  
regular test-and-elog just in case there's some actual problem,  
and then drop the failing assertion.  
  
Per report from Tomas Vondra (thanks also to Richard Guo for  
analysis).  Back-patch to v12 where the faulty code came in.  
  
Discussion: https://postgr.es/m/29196a1e-ed47-c7ca-9be2-b1c636816183@enterprisedb.com  

commit   : 1c60a99dd9a2064125d503227d8f8b17d33dc4ed    
  
author   : Andrew Dunstan <andrew@dunslane.net>    
date     : Thu, 21 Apr 2022 09:20:00 -0400    
  
committer: Andrew Dunstan <andrew@dunslane.net>    
date     : Thu, 21 Apr 2022 09:20:00 -0400    

Commit b3b4d8e68a moved our perl test modules to a better namespace  
structure, but this has made life hard for people wishing to backpatch  
improvements in the TAP tests. Here we alleviate much of that difficulty  
by implementing the new module names on top of the old modules, mostly  
by using a little perl typeglob aliasing magic, so that we don't have a  
dual maintenance burden. This should work both for the case where a new  
test is backpatched and the case where a fix to an existing test that  
uses the new namespace is backpatched.  
  
Reviewed by Michael Paquier  
  
Per complaint from Andres Freund  
  
Discussion: https://postgr.es/m/20220418141530.nfxtkohefvwnzncl@alap3.anarazel.de  
  
Applied to branches 10 through 14  

commit   : 1272630a249798a0fce6a00383c78f8129434523    
  
author   : Peter Geoghegan <pg@bowt.ie>    
date     : Wed, 20 Apr 2022 17:17:39 -0700    
  
committer: Peter Geoghegan <pg@bowt.ie>    
date     : Wed, 20 Apr 2022 17:17:39 -0700    

CLUSTER sort won't use the datum1 SortTuple field when clustering  
against an index whose leading key is an expression.  This makes it  
unsafe to use the abbreviated keys optimization, which was missed by the  
logic that sets up SortSupport state.  Affected tuplesorts output tuples  
in a completely bogus order as a result (the wrong SortSupport based  
comparator was used for the leading attribute).  
  
This issue is similar to the bug fixed on the master branch by recent  
commit cc58eecc5d.  But it's a far older issue, that dates back to the  
introduction of the abbreviated keys optimization by commit 4ea51cdfe8.  
  
Backpatch to all supported versions.  
  
Author: Peter Geoghegan <pg@bowt.ie>  
Author: Thomas Munro <thomas.munro@gmail.com>  
Discussion: https://postgr.es/m/CA+hUKG+bA+bmwD36_oDxAoLrCwZjVtST2fqe=b4=qZcmU7u89A@mail.gmail.com  
Backpatch: 10-  

commit   : 8275ba773dfe3168115bb3d32728111d9c4becb6    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Wed, 20 Apr 2022 18:08:15 -0400    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Wed, 20 Apr 2022 18:08:15 -0400    

Such cases will lead to infinite loops, so they're of no practical  
value.  The numeric variant of generate_series() already threw error  
for this, so borrow its message wording.  
  
Per report from Richard Wesley.  Back-patch to all supported branches.  
  
Discussion: https://postgr.es/m/91B44E7B-68D5-448F-95C8-B4B3B0F5DEAF@duckdblabs.com  

commit   : f583633bc130e8a572e5d29b9c8b2cc48885ecbf    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Tue, 19 Apr 2022 23:03:59 -0400    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Tue, 19 Apr 2022 23:03:59 -0400    

An ALTER FUNCTION command that tried to update both the function's  
proparallel property and its proconfig list failed to do the former,  
because it stored the new proparallel value into a tuple that was  
no longer the interesting one.  Carelessness in 7aea8e4f2.  
  
(I did not bother with a regression test, because the only likely  
future breakage would be for someone to ignore the comment I added  
and add some other field update after the heap_modify_tuple step.  
A test using existing function properties could not catch that.)  
  
Per report from Bryn Llewellyn.  Back-patch to all supported branches.  
  
Discussion: https://postgr.es/m/8AC9A37F-99BD-446F-A2F7-B89AD0022774@yugabyte.com  

commit   : 82d4a17a17508a4e6ff9038d81a7dfb9f19e104a    
  
author   : Amit Kapila <akapila@postgresql.org>    
date     : Tue, 19 Apr 2022 09:08:05 +0530    
  
committer: Amit Kapila <akapila@postgresql.org>    
date     : Tue, 19 Apr 2022 09:08:05 +0530    

We don't allow to invoke more sync workers once we have reached the sync  
worker limit per subscription. But the check to enforce this also doesn't  
allow to launch an apply worker if it gets restarted.  
  
This code was introduced by commit de43897122 but we caught the problem  
only with the test added by recent commit c91f71b9dc which started failing  
occasionally in the buildfarm.  
  
As per buildfarm.  
Diagnosed-by: Amit Kapila, Masahiko Sawada, Tomas Vondra  
Author: Amit Kapila  
Backpatch-through: 10  
Discussion: https://postgr.es/m/CAH2L28vddB_NFdRVpuyRBJEBWjz4BSyTB=_ektNRH8NJ1jf95g@mail.gmail.com  
	    https://postgr.es/m/f90d2b03-4462-ce95-a524-d91464e797c8@enterprisedb.com  

commit   : 69cefb3fb8377992bd2ad0dce1b33570b3e5244a    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Mon, 18 Apr 2022 12:16:45 -0400    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Mon, 18 Apr 2022 12:16:45 -0400    

Don't try to look at the attidentity field of system attributes,  
because they're not there in the TupleDescAttr array.  Sometimes  
this is harmless because we accidentally pick up a zero, but  
otherwise we'll report "no owned sequence found" from an attempt  
to alter a system attribute.  (It seems possible that a SIGSEGV  
could occur, too, though I've not seen it in testing.)  
  
It's not in this function's charter to complain that you can't  
alter a system column, so instead just hard-wire an assumption  
that system attributes aren't identities.  I didn't bother with  
a regression test because the appearance of the bug is very  
erratic.  
  
Per bug #17465 from Roman Zharkov.  Back-patch to all supported  
branches.  (There's not actually a live bug before v12, because  
before that get_attidentity() did the right thing anyway.  
But for consistency I changed the test in the older branches too.)  
  
Discussion: https://postgr.es/m/17465-f2a554a6cb5740d3@postgresql.org  

commit   : a6fc64b9a85e279c5a284c21374edeb857df5252    
  
author   : Michael Paquier <michael@paquier.xyz>    
date     : Mon, 18 Apr 2022 11:40:18 +0900    
  
committer: Michael Paquier <michael@paquier.xyz>    
date     : Mon, 18 Apr 2022 11:40:18 +0900    

This test, introduced in df86e52, uses a second standby to check that  
it is able to remove correctly RECOVERYHISTORY and RECOVERYXLOG at the  
end of recovery.  This standby uses the archives of the primary to  
restore its contents, with some of the archive's contents coming from  
the first standby previously promoted.  In slow environments, it was  
possible that the test did not check what it should, as the history file  
generated by the promotion of the first standby may not be stored yet on  
the archives the second standby feeds on.  So, it could be possible that  
the second standby selects an incorrect timeline, without restoring a  
history file at all.  
  
This commits adds a wait phase to make sure that the history file  
required by the second standby is archived before this cluster is  
created.  This relies on poll_query_until() with pg_stat_file() and an  
absolute path, something not supported in REL_10_STABLE.  
  
While on it, this adds a new test to check that the history file has  
been restored by looking at the logs of the second standby.  This  
ensures that a RECOVERYHISTORY, whose removal needs to be checked,  
is created in the first place.  This should make the test more robust.  
  
This test has been introduced by df86e52, but it came in light as an  
effect of the bug fixed by acf1dd42, where the extra restore_command  
calls made the test much slower.  
  
Reported-by: Andres Freund  
Discussion: https://postgr.es/m/YlT23IvsXkGuLzFi@paquier.xyz  
Backpatch-through: 11  

commit   : b404513de8579ce29ccb7becbb6e83587352263f    
  
author   : Noah Misch <noah@leadboat.com>    
date     : Sat, 16 Apr 2022 17:43:54 -0700    
  
committer: Noah Misch <noah@leadboat.com>    
date     : Sat, 16 Apr 2022 17:43:54 -0700    

The target failed, tested $PATH binaries, or tested a stale temporary  
installation.  Commit c66b438db62748000700c9b90b585e756dd54141 missed  
this.  Back-patch to v10 (all supported versions).  

commit   : d18c913b786c5ea82f7372c88cf2055050e5176a    
  
author   : Robert Haas <rhaas@postgresql.org>    
date     : Thu, 14 Apr 2022 11:10:11 -0400    
  
committer: Robert Haas <rhaas@postgresql.org>    
date     : Thu, 14 Apr 2022 11:10:11 -0400    

The back-patch of commit bbace5697df12398e87ffd9879171c39d27f5b33 had  
the unfortunate effect of changing the layout of PGPROC in the  
back-branches, which could break extensions. This happened because it  
changed the delayChkpt from type bool to type int. So, change it back,  
and add a new bool delayChkptEnd field instead. The new field should  
fall within what used to be padding space within the struct, and so  
hopefully won't cause any extensions to break.  
  
Per report from Markus Wanner and discussion with Tom Lane and others.  
  
Patch originally by me, somewhat revised by Markus Wanner per a  
suggestion from Michael Paquier. A very similar patch was developed  
by Kyotaro Horiguchi, but I failed to see the email in which that was  
posted before writing one of my own.  
  
Discussion: http://postgr.es/m/CA+Tgmoao-kUD9c5nG5sub3F7tbo39+cdr8jKaOVEs_1aBWcJ3Q@mail.gmail.com  
Discussion: http://postgr.es/m/20220406.164521.17171257901083417.horikyota.ntt@gmail.com  

commit   : 2275d044d0849251c5e0fa10ee16c73124731f5c    
  
author   : Michael Paquier <michael@paquier.xyz>    
date     : Thu, 14 Apr 2022 15:09:36 +0900    
  
committer: Michael Paquier <michael@paquier.xyz>    
date     : Thu, 14 Apr 2022 15:09:36 +0900    

Getting from get_raw_page() an all-zero page is considered as a valid  
case by the buffer manager and it can happen for example when finding a  
corrupted page with zero_damaged_pages enabled (using zero_damaged_pages  
to look at corrupted pages happens), or after a crash when a relation  
file is extended before any WAL for its new data is generated (before a  
vacuum or autovacuum job comes in to do some cleanup).  
  
However, all the functions of pageinspect, as of the index AMs (except  
hash that has its own idea of new pages), heap, the FSM or the page  
header have never worked with all-zero pages, causing various crashes  
when going through the page internals.  
  
This commit changes all the pageinspect functions to be compliant with  
all-zero pages, where the choice is made to return NULL or no rows for  
SRFs when finding a new page.  get_raw_page() still works the same way,  
returning a batch of zeros in the bytea of the page retrieved.  A hard  
error could be used but NULL, while more invasive, is useful when  
scanning relation files in full to get a batch of results for a single  
relation in one query.  Tests are added for all the code paths  
impacted.  
  
Reported-by: Daria Lepikhova  
Author: Michael Paquier  
Discussion: https://postgr.es/m/561e187b-3549-c8d5-03f5-525c14e65bd0@postgrespro.ru  
Backpatch-through: 10  

commit   : 44096c31eaf0e9d86053434de8fdce418609c01e    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Wed, 13 Apr 2022 13:35:02 -0400    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Wed, 13 Apr 2022 13:35:02 -0400    

heap_fetch() used to have a "keep_buf" parameter that told it to return  
ownership of the buffer pin to the caller after finding that the  
requested tuple TID exists but is invisible to the specified snapshot.  
This was thoughtlessly removed in commit 5db6df0c0, which broke  
heapam_tuple_lock() (formerly EvalPlanQualFetch) because that function  
needs to do more accesses to the tuple even if it's invisible.  The net  
effect is that we would continue to touch the page for a microsecond or  
two after releasing pin on the buffer.  Usually no harm would result;  
but if a different session decided to defragment the page concurrently,  
we could see garbage data and mistakenly conclude that there's no newer  
tuple version to chain up to.  (It's hard to say whether this has  
happened in the field.  The bug was actually found thanks to a later  
change that allowed valgrind to detect accesses to non-pinned buffers.)  
  
The most reasonable way to fix this is to reintroduce keep_buf,  
although I made it behave slightly differently: buffer ownership  
is passed back only if there is a valid tuple at the requested TID.  
In HEAD, we can just add the parameter back to heap_fetch().  
To avoid an API break in the back branches, introduce an additional  
function heap_fetch_extended() in those branches.  
  
In HEAD there is an additional, less obvious API change: tuple->t_data  
will be set to NULL in all cases where buffer ownership is not returned,  
in particular when the tuple exists but fails the time qual (and  
!keep_buf).  This is to defend against any other callers attempting to  
access non-pinned buffers.  We concluded that making that change in back  
branches would be more likely to introduce problems than cure any.  
  
In passing, remove a comment about heap_fetch that was obsoleted by  
9a8ee1dc6.  
  
Per bug #17462 from Daniil Anisimov.  Back-patch to v12 where the bug  
was introduced.  
  
Discussion: https://postgr.es/m/17462-9c98a0f00df9bd36@postgresql.org  

commit   : 9144fa27dd7f0ad3a5ef818adb819c5375519115    
  
author   : David Rowley <drowley@postgresql.org>    
date     : Wed, 13 Apr 2022 11:20:06 +1200    
  
committer: David Rowley <drowley@postgresql.org>    
date     : Wed, 13 Apr 2022 11:20:06 +1200    

This was made optional in 959f6d6a1.  
  
Author: Justin Pryzby  
Discussion: https://postgr.es/m/20220411020336.GB26620@telsasoft.com  
Backpatch-through: 13, where -B was made optional  

commit   : 71e0736b6577962874ef3becd09cd74a43ffd92f    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Tue, 12 Apr 2022 18:21:04 -0400    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Tue, 12 Apr 2022 18:21:04 -0400    

Google seems to like to return textsearch.html for queries about  
GIN and GiST indexes, even though it's not a primary reference  
for either.  It seems likely that that's because those keywords  
appear in the page title.  Since "GIN and GiST Index Types" is  
not a very apposite title for this material anyway, rename the  
section in hopes of stopping that.  
  
Also provide explicit links to the GIN and GiST chapters, to help  
anyone who finds their way to this page regardless.  
  
Per gripe from Jan Piotrowski.  Back-patch to supported branches.  
(Unfortunately Google is likely to continue returning the 9.1  
version of this page, but improving that situation is a matter  
for the www team.)  
  
Discussion: https://postgr.es/m/164978902252.1276550.9330175733459697101@wrigleys.postgresql.org  

commit   : e22fd217ec5b5b454febd5c1a1cc3c3f1c4e3a63    
  
author   : David Rowley <drowley@postgresql.org>    
date     : Wed, 13 Apr 2022 09:17:17 +1200    
  
committer: David Rowley <drowley@postgresql.org>    
date     : Wed, 13 Apr 2022 09:17:17 +1200    

It's misleading to call the data directory the "synchronized data  
directory" when discussing a crash scenario when using pg_rewind's  
--no-sync option.  Here we just remove the word "synchronized" to avoid  
any possible confusion.  
  
Author: Justin Pryzby  
Discussion: https://postgr.es/m/20220411020336.GB26620@telsasoft.com  
Backpatch-through: 12, where --no-sync was added  

commit   : 87166d25a4569ac06dc3dcf44fa8c12f0263f836    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Wed, 6 Apr 2022 17:03:35 -0400    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Wed, 6 Apr 2022 17:03:35 -0400    

With asserts disabled, late-model clang notices that this variable  
is incremented but never otherwise read.  
  
Discussion: https://postgr.es/m/3171401.1649275153@sss.pgh.pa.us  

commit   : 8f4b5b09096ae5e470c6410312c24581da319733    
  
author   : Peter Eisentraut <peter@eisentraut.org>    
date     : Sat, 2 Apr 2022 07:27:26 +0200    
  
committer: Peter Eisentraut <peter@eisentraut.org>    
date     : Sat, 2 Apr 2022 07:27:26 +0200    

accidentally left behind by 4cb658af70027c3544fb843d77b2e84028762747  

commit   : 79df1d20c59c7fa21326f85be90f875fbe229ec6    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Thu, 31 Mar 2022 14:29:24 -0400    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Thu, 31 Mar 2022 14:29:24 -0400    

postgres_fdw would push ORDER BY clauses to the remote side without  
verifying that the sort operator is safe to ship.  Moreover, it failed  
to print a suitable USING clause if the sort operator isn't default  
for the sort expression's type.  The net result of this is that the  
remote sort might not have anywhere near the semantics we expect,  
which'd be disastrous for locally-performed merge joins in particular.  
  
We addressed similar issues in the context of ORDER BY within an  
aggregate function call in commit 7012b132d, but failed to notice  
that query-level ORDER BY was broken.  Thus, much of the necessary  
logic already existed, but it requires refactoring to be usable  
in both cases.  
  
Back-patch to all supported branches.  In HEAD only, remove the  
core code's copy of find_em_expr_for_rel, which is no longer used  
and really should never have been pushed into equivclass.c in the  
first place.  
  
Ronan Dunklau, per report from David Rowley;  
reviews by David Rowley, Ranier Vilela, and myself  
  
Discussion: https://postgr.es/m/CAApHDvr4OeC2DBVY--zVP83-K=bYrTD7F8SZDhN4g+pj2f2S-A@mail.gmail.com  

commit   : fb1d7f4519665f0a6a15a8fd6acc4bb5f86f5697    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Thu, 31 Mar 2022 11:24:26 -0400    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Thu, 31 Mar 2022 11:24:26 -0400    

Oversight in commit a59c79564.  Back-patch, as that was.  
Noted by Peter Eisentraut.  
  
Discussion: https://postgr.es/m/7f85ef6d-250b-f5ec-9867-89f0b16d019f@enterprisedb.com  

commit   : 8421a99ca189120af67df08a6308a0c97ab115ec    
  
author   : Daniel Gustafsson <dgustafsson@postgresql.org>    
date     : Thu, 31 Mar 2022 12:03:33 +0200    
  
committer: Daniel Gustafsson <dgustafsson@postgresql.org>    
date     : Thu, 31 Mar 2022 12:03:33 +0200    

Commit 61fa6ca79b3 accidentally wrote constrast instead of contrast.  
  
Backpatch-through: 10  
Discussion: https://postgr.es/m/88903179-5ce2-3d4d-af43-7830372bdcb6@enterprisedb.com  

commit   : f042dc6a415decc4e2a9707de5f3fc737e42e1ed    
  
author   : Etsuro Fujita <efujita@postgresql.org>    
date     : Wed, 30 Mar 2022 19:00:04 +0900    
  
committer: Etsuro Fujita <efujita@postgresql.org>    
date     : Wed, 30 Mar 2022 19:00:04 +0900    

commit   : a54ed2de80ec844e578e26f93ab008c814f56090    
  
author   : Alvaro Herrera <alvherre@alvh.no-ip.org>    
date     : Tue, 29 Mar 2022 15:36:21 +0200    
  
committer: Alvaro Herrera <alvherre@alvh.no-ip.org>    
date     : Tue, 29 Mar 2022 15:36:21 +0200    

This reverts commit 49d9cfc68bf4.  The approach taken by this patch has  
problems, so we'll come up with a radically different fix.  
  
Discussion: https://postgr.es/m/CA+TgmoYcUPL+WOJL2ZzhH=zmrhj0iOQ=iCFM0SuYqBbqZEamEg@mail.gmail.com  

commit   : 78ebfd885be563191d659d7a4ae230e199792e3f    
  
author   : Tomas Vondra <tomas.vondra@postgresql.org>    
date     : Mon, 28 Mar 2022 14:27:36 +0200    
  
committer: Tomas Vondra <tomas.vondra@postgresql.org>    
date     : Mon, 28 Mar 2022 14:27:36 +0200    

When dealing with partitioned tables, counters for partitioned tables  
are not updated when modifying child tables. This means autoanalyze may  
not update optimizer statistics for the parent relations, which can  
result in poor plans for some queries.  
  
It's worth documenting this limitation, so that people are aware of it  
and can take steps to mitigate it (e.g. by setting up a script executing  
ANALYZE regularly).  
  
Backpatch to v10. Older branches are affected too, of couse, but we no  
longer maintain those.  
  
Author: Justin Pryzby  
Reviewed-by: Zhihong Yu, Tomas Vondra  
Backpatch-through: 10  
Discussion: https://postgr.es/m/20210913035409.GA10647%40telsasoft.com  

commit   : 344d89abf36b9ea559a4b25543bbc7d4206988f5    
  
author   : Andres Freund <andres@anarazel.de>    
date     : Wed, 23 Mar 2022 16:38:43 -0700    
  
committer: Andres Freund <andres@anarazel.de>    
date     : Wed, 23 Mar 2022 16:38:43 -0700    

After closedir() dirent->d_name is not valid anymore. As there alerady are a  
few places relying on the limited lifetime of pg_waldump, do so here as well,  
and just pg_strdup() the string.  
  
The bug was introduced in fc49e24fa69a.  
  
Found by UBSan, run locally.  
  
Backpatch: 11-, like fc49e24fa69 itself.  

commit   : 9016a2a3dc4ee7e41ecda5a8b3a3d3481de94964    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Sun, 27 Mar 2022 12:57:46 -0400    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Sun, 27 Mar 2022 12:57:46 -0400    

Commit 8c6d30f21 caused this function to fail to set *displen  
in the PS_USE_NONE code path.  If the variable's previous value  
had been negative, that'd lead to a memory clobber at some call  
sites.  We'd managed not to notice due to very thin test coverage  
of such configurations, but this appears to explain buildfarm member  
lorikeet's recent struggles.  
  
Credit to Andrew Dunstan for spotting the problem.  Back-patch  
to v13 where the bug was introduced.  
  
Discussion: https://postgr.es/m/136102.1648320427@sss.pgh.pa.us  

commit   : 3d4d6dee07777ed2a0f0f7e5938879e07ad02a82    
  
author   : Michael Paquier <michael@paquier.xyz>    
date     : Sun, 27 Mar 2022 17:53:55 +0900    
  
committer: Michael Paquier <michael@paquier.xyz>    
date     : Sun, 27 Mar 2022 17:53:55 +0900    

A couple of code paths use the special area on the page passed by the  
function caller, expecting to find some data in it.  However, feeding  
an incorrect page can lead to out-of-bound reads when trying to access  
the page special area (like a heap page that has no special area,  
leading PageGetSpecialPointer() to grab a pointer outside the allocated  
page).  
  
The functions used for hash and btree indexes have some protection  
already against that, while some other functions using a relation OID  
as argument would make sure that the access method involved is correct,  
but functions taking in input a raw page without knowing the relation  
the page is attached to would run into problems.  
  
This commit improves the set of checks used in the code paths of BRIN,  
btree (including one check if a leaf page is found with a non-zero  
level), GIN and GiST to verify that the page given in input has a  
special area size that fits with each access method, which is done  
though PageGetSpecialSize(), becore calling PageGetSpecialPointer().  
  
The scope of the checks done is limited to work with pages that one  
would pass after getting a block with get_raw_page(), as it is possible  
to craft byteas that could bypass existing code paths.  Having too many  
checks would also impact the usability of pageinspect, as the existing  
code is very useful to look at the content details in a corrupted page,  
so the focus is really to avoid out-of-bound reads as this is never a  
good thing even with functions whose execution is limited to  
superusers.  
  
The safest approach could be to rework the functions so as these fetch a  
block using a relation OID and a block number, but there are also cases  
where using a raw page is useful.  
  
Tests are added to cover all the code paths that needed such checks, and  
an error message for hash indexes is reworded to fit better with what  
this commit adds.  
  
Reported-By: Alexander Lakhin  
Author: Julien Rouhaud, Michael Paquier  
Discussion: https://postgr.es/m/16527-ef7606186f0610a1@postgresql.org  
Discussion: https://postgr.es/m/561e187b-3549-c8d5-03f5-525c14e65bd0@postgrespro.ru  
Backpatch-through: 10  

commit   : 4fbbea2c1934092581662553fd4be9e84630fc5c    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Sat, 26 Mar 2022 14:29:29 -0400    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Sat, 26 Mar 2022 14:29:29 -0400    

clang 13 with -Wextra warns that "performing pointer subtraction with  
a null pointer has undefined behavior" in the places where freepage.c  
tries to set a relptr variable to constant NULL.  This appears to be  
a compiler bug, but it's unlikely to get fixed instantly.  Fortunately,  
we can work around it by introducing an inline support function, which  
seems like a good change anyway because it removes the macro's existing  
double-evaluation hazard.  
  
Backpatch to v10 where this code was introduced.  
  
Patch by me, based on an idea of Andres Freund's.  
  
Discussion: https://postgr.es/m/48826.1648310694@sss.pgh.pa.us  

commit   : 6e9ffcf13a4a0d56f03b4048231066cb5d061299    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Fri, 25 Mar 2022 14:23:26 -0400    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Fri, 25 Mar 2022 14:23:26 -0400    

The previous method for doing that was to write zeroes into a  
predetermined set of page locations.  However, there's a roughly  
1-in-64K chance that the existing checksum will match by chance,  
and yesterday several buildfarm animals started to reproducibly  
see that, resulting in test failures because no checksum mismatch  
was reported.  
  
Since the checksum includes the page LSN, test success depends on  
the length of the installation's WAL history, which is affected by  
(at least) the initial catalog contents, the set of locales installed  
on the system, and the length of the pathname of the test directory.  
Sooner or later we were going to hit a chance match, and today is  
that day.  
  
Harden these tests by specifically inverting the checksum field and  
leaving all else alone, thereby guaranteeing that the checksum is  
incorrect.  
  
In passing, fix places that were using seek() to set up for syswrite(),  
a combination that the Perl docs very explicitly warn against.  We've  
probably escaped problems because no regular buffered I/O is done on  
these filehandles; but if it ever breaks, we wouldn't deserve or get  
much sympathy.  
  
Although we've only seen problems in HEAD, now that we recognize the  
environmental dependencies it seems like it might be just a matter  
of time until someone manages to hit this in back-branch testing.  
Hence, back-patch to v11 where we started doing this kind of test.  
  
Discussion: https://postgr.es/m/3192026.1648185780@sss.pgh.pa.us  

commit   : 50e3ed8e9172fe3cb9bc20899acaa4a8a0fd2388    
  
author   : Alvaro Herrera <alvherre@alvh.no-ip.org>    
date     : Fri, 25 Mar 2022 13:16:21 +0100    
  
committer: Alvaro Herrera <alvherre@alvh.no-ip.org>    
date     : Fri, 25 Mar 2022 13:16:21 +0100    

Crash recovery on standby may encounter missing directories when  
replaying create database WAL records.  Prior to this patch, the standby  
would fail to recover in such a case.  However, the directories could be  
legitimately missing.  Consider a sequence of WAL records as follows:  
  
    CREATE DATABASE  
    DROP DATABASE  
    DROP TABLESPACE  
  
If, after replaying the last WAL record and removing the tablespace  
directory, the standby crashes and has to replay the create database  
record again, the crash recovery must be able to move on.  
  
This patch adds a mechanism similar to invalid-page tracking, to keep a  
tally of missing directories during crash recovery.  If all the missing  
directory references are matched with corresponding drop records at the  
end of crash recovery, the standby can safely continue following the  
primary.  
  
Backpatch to 13, at least for now.  The bug is older, but fixing it in  
older branches requires more careful study of the interactions with  
commit e6d8069522c8, which appeared in 13.  
  
A new TAP test file is added to verify the condition.  However, because  
it depends on commit d6d317dbf615, it can only be added to branch  
master.  I (Álvaro) manually verified that the code behaves as expected  
in branch 14.  It's a bit nervous-making to leave the code uncovered by  
tests in older branches, but leaving the bug unfixed is even worse.  
Also, the main reason this fix took so long is precisely that we  
couldn't agree on a good strategy to approach testing for the bug, so  
perhaps this is the best we can do.  
  
Diagnosed-by: Paul Guo <paulguo@gmail.com>  
Author: Paul Guo <paulguo@gmail.com>  
Author: Kyotaro Horiguchi <horikyota.ntt@gmail.com>  
Author: Asim R Praveen <apraveen@pivotal.io>  
Discussion: https://postgr.es/m/CAEET0ZGx9AvioViLf7nbR_8tH9-=27DN5xWJ2P9-ROH16e4JUA@mail.gmail.com  

commit   : 1ce14b6b2fe4af9ac7d7f90eb46c77b2e6deb2de    
  
author   : Robert Haas <rhaas@postgresql.org>    
date     : Thu, 24 Mar 2022 14:36:06 -0400    
  
committer: Robert Haas <rhaas@postgresql.org>    
date     : Thu, 24 Mar 2022 14:36:06 -0400    

If TRUNCATE causes some buffers to be invalidated and thus the  
checkpoint does not flush them, TRUNCATE must also ensure that the  
corresponding files are truncated on disk. Otherwise, a replay  
from the checkpoint might find that the buffers exist but have  
the wrong contents, which may cause replay to fail.  
  
Report by Teja Mupparti. Patch by Kyotaro Horiguchi, per a design  
suggestion from Heikki Linnakangas, with some changes to the  
comments by me. Review of this and a prior patch that approached  
the issue differently by Heikki Linnakangas, Andres Freund, Álvaro  
Herrera, Masahiko Sawada, and Tom Lane.  
  
Discussion: http://postgr.es/m/BYAPR06MB6373BF50B469CA393C614257ABF00@BYAPR06MB6373.namprd06.prod.outlook.com  

commit   : c0f99bb520da577f34cf7c10e1ea4aab727f08c7    
  
author   : Andres Freund <andres@anarazel.de>    
date     : Wed, 23 Mar 2022 13:05:59 -0700    
  
committer: Andres Freund <andres@anarazel.de>    
date     : Wed, 23 Mar 2022 13:05:59 -0700    

Noticed via -fsanitize=undefined. Introduced when a few columns in  
GetConfigOptionByNum() / pg_settings started to be translated in 72be8c29a /  
PG 12.  
  
Backpatch to all affected branches, for the same reasons as 46ab07ffda9.  
  
Discussion: https://postgr.es/m/20220323173537.ll7klrglnp4gn2um@alap3.anarazel.de  
Backpatch: 12-  

commit   : 8014c61ebda10d39ef8855b4826aeba5cacd36e1    
  
author   : Andres Freund <andres@anarazel.de>    
date     : Wed, 23 Mar 2022 13:05:25 -0700    
  
committer: Andres Freund <andres@anarazel.de>    
date     : Wed, 23 Mar 2022 13:05:25 -0700    

Noticed via -fsanitize=undefined.  
  
Backpatch to all branches, for the same reasons as 46ab07ffda9.  
  
Discussion: https://postgr.es/m/20220323173537.ll7klrglnp4gn2um@alap3.anarazel.de  
Backpatch: 10-  

commit   : 7c163aa93fe6e37f231cef9ac08d5041855228fa    
  
author   : Andres Freund <andres@anarazel.de>    
date     : Wed, 23 Mar 2022 12:43:14 -0700    
  
committer: Andres Freund <andres@anarazel.de>    
date     : Wed, 23 Mar 2022 12:43:14 -0700    

When building with sanitizers the sanitizer library provides dlopen, but not  
dlsym(), making configure think that -ldl isn't needed. Just checking for  
dlsym() ought to suffice, hard to see dlsym() being provided without dlopen()  
also being provided.  
  
Backpatch to all branches, for the same reasons as 46ab07ffda9.  
  
Reviewed-By: Tom Lane <tgl@sss.pgh.pa.us>  
Discussion: https://postgr.es/m/20220323173537.ll7klrglnp4gn2um@alap3.anarazel.de  
Backpatch: 10-  

commit   : ca26c64581b529b2191757dbb27b94c6b0c101be    
  
author   : Alvaro Herrera <alvherre@alvh.no-ip.org>    
date     : Wed, 23 Mar 2022 19:23:51 +0100    
  
committer: Alvaro Herrera <alvherre@alvh.no-ip.org>    
date     : Wed, 23 Mar 2022 19:23:51 +0100    

It seems possible for the condition being tested to be true in  
production, and nobody would never know (except when some data  
eventually becomes corrupt?).  
  
Author: Álvaro Herrera <alvherre@alvh.no-ip.org>  
Discussion: https://postgr.es/m//202109040001.zky3wgv2qeqg@alvherre.pgsql  

commit   : 98eb3e06ce3a628adabeb90584c002a3c4bcec8e    
  
author   : Alvaro Herrera <alvherre@alvh.no-ip.org>    
date     : Wed, 23 Mar 2022 18:22:10 +0100    
  
committer: Alvaro Herrera <alvherre@alvh.no-ip.org>    
date     : Wed, 23 Mar 2022 18:22:10 +0100    

Invalidate abortedRecPtr and missingContrecPtr after a missing  
continuation record is successfully skipped on a standby. This fixes a  
PANIC caused when a recently promoted standby attempts to write an  
OVERWRITE_RECORD with an LSN of the previously read aborted record.  
  
Backpatch to 10 (all stable versions).  
  
Author: Sami Imseih <simseih@amazon.com>  
Reviewed-by: Kyotaro Horiguchi <horikyota.ntt@gmail.com>  
Reviewed-by: Álvaro Herrera <alvherre@alvh.no-ip.org>  
Discussion: https://postgr.es/m/44D259DE-7542-49C4-8A52-2AB01534DCA9@amazon.com  

commit   : f784fcdc44435597c52b41f97bfbdf082a783c82    
  
author   : Thomas Munro <tmunro@postgresql.org>    
date     : Wed, 23 Mar 2022 14:31:18 +1300    
  
committer: Thomas Munro <tmunro@postgresql.org>    
date     : Wed, 23 Mar 2022 14:31:18 +1300    

As commits b700f96c and 3414099c did for the reloptions test, make  
sure VACUUM can always truncate the table as expected.  
  
Back-patch to 12, where vacuum_truncate arrived.  
  
Discussion: https://postgr.es/m/CAD21AoCNoWjYkdEtr%2BVDoF9v__V905AedKZ9iF%3DArgCtrbxZqw%40mail.gmail.com  

commit   : f183e23cc8a9107b6a8ddc7f16b97da926fddf94    
  
author   : Andres Freund <andres@anarazel.de>    
date     : Tue, 22 Mar 2022 08:22:02 -0700    
  
committer: Andres Freund <andres@anarazel.de>    
date     : Tue, 22 Mar 2022 08:22:02 -0700    

When cross-building to windows, or building with mingw on windows, the build  
could fail with  
  x86_64-w64-mingw32-gcc: error: win32ver.o: No such file or director  
because pg_dumpall didn't depend on WIN32RES, but it's recipe references  
it. The build nevertheless succeeded most of the time, due to  
pg_dump/pg_restore having the required dependency, causing win32ver.o to be  
built.  
  
Reported-By: Thomas Munro <thomas.munro@gmail.com>  
Discussion: https://postgr.es/m/CA+hUKGJeekpUPWW6yCVdf9=oBAcCp86RrBivo4Y4cwazAzGPng@mail.gmail.com  
Backpatch: 10-, omission present on all live branches  

commit   : f32be9938ca48d9658eaf29a30c78f855d36e97a    
  
author   : Michael Paquier <michael@paquier.xyz>    
date     : Tue, 22 Mar 2022 13:21:39 +0900    
  
committer: Michael Paquier <michael@paquier.xyz>    
date     : Tue, 22 Mar 2022 13:21:39 +0900    

This issue is environment-sensitive, where the SSL tests could fail in  
various way by feeding on defaults provided by sslcert, sslkey,  
sslrootkey, sslrootcert, sslcrl and sslcrldir coming from a local setup,  
as of ~/.postgresql/ by default.  Horiguchi-san has reported two  
failures, but more advanced testing from me (aka inclusion of garbage  
SSL configuration in ~/.postgresql/ for all the configuration  
parameters) has showed dozens of failures that can be triggered in the  
whole test suite.  
  
History has showed that we are not good when it comes to address such  
issues, fixing them locally like in dd87799, and such problems keep  
appearing.  This commit strengthens the entire test suite to put an end  
to this set of problems by embedding invalid default values in all the  
connection strings used in the tests.  The invalid values are prefixed  
in each connection string, relying on the follow-up values passed in the  
connection string to enforce any invalid value previously set.  Note  
that two tests related to CRLs are required to fail with certain pre-set  
configurations, but we can rely on enforcing an empty value instead  
after the invalid set of values.  
  
Reported-by: Kyotaro Horiguchi  
Reviewed-by: Andrew Dunstan, Daniel Gustafsson, Kyotaro Horiguchi  
Discussion: https://postgr.es/m/20220316.163658.1122740600489097632.horikyota.ntt@gmail.com  
backpatch-through: 10  

commit   : dfefe38fbea4c6f003319a9921f3fd6ded5e70aa    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Mon, 21 Mar 2022 17:44:29 -0400    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Mon, 21 Mar 2022 17:44:29 -0400    

The planner needs to treat GroupingFunc like Aggref for many purposes,  
in particular with respect to processing of the argument expressions,  
which are not to be evaluated at runtime.  A few places hadn't gotten  
that memo, notably including subselect.c's processing of outer-level  
aggregates.  This resulted in assertion failures or wrong plans for  
cases in which a GROUPING() construct references an outer aggregation  
level.  
  
Also fix missing special cases for GroupingFunc in cost_qual_eval  
(resulting in wrong cost estimates for GROUPING(), although it's  
not clear that that would affect plan shapes in practice) and in  
ruleutils.c (resulting in excess parentheses in pretty-print mode).  
  
Per bug #17088 from Yaoguang Chen.  Back-patch to all supported  
branches.  
  
Richard Guo, Tom Lane  
  
Discussion: https://postgr.es/m/17088-e33882b387de7f5c@postgresql.org  

commit   : 2241e5ceda2febd90b06e6cbc02a8b51e9e070e4    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Mon, 21 Mar 2022 12:22:13 -0400    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Mon, 21 Mar 2022 12:22:13 -0400    

DROP INDEX needs to lock the index's table before the index itself,  
else it will deadlock against ordinary queries that acquire the  
relation locks in that order.  This is correctly mechanized for  
plain indexes by RangeVarCallbackForDropRelation; but in the case of  
a partitioned index, we neglected to lock the child tables in advance  
of locking the child indexes.  We can fix that by traversing the  
inheritance tree and acquiring the needed locks in RemoveRelations,  
after we have acquired our locks on the parent partitioned table and  
index.  
  
While at it, do some refactoring to eliminate confusion between  
the actual and expected relkind in RangeVarCallbackForDropRelation.  
We can save a couple of syscache lookups too, by having that function  
pass back info that RemoveRelations will need.  
  
Back-patch to v11 where partitioned indexes were added.  
  
Jimmy Yih, Gaurab Dey, Tom Lane  
  
Discussion: https://postgr.es/m/BYAPR05MB645402330042E17D91A70C12BD5F9@BYAPR05MB6454.namprd05.prod.outlook.com  

commit   : 36c3acb397e15ee7f7d5545b4775eecc2ded917f    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Sun, 20 Mar 2022 12:39:40 -0400    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Sun, 20 Mar 2022 12:39:40 -0400    

The example used "TimeoutSec=0", but systemd's documented way to get  
the desired effect is "TimeoutSec=infinity".  
  
Discussion: https://postgr.es/m/164770078557.670.5467111518383664377@wrigleys.postgresql.org  

commit   : fe14b0dd45a8d028d7ae49b68e445f78e8535015    
  
author   : Michael Paquier <michael@paquier.xyz>    
date     : Sat, 19 Mar 2022 16:37:43 +0900    
  
committer: Michael Paquier <michael@paquier.xyz>    
date     : Sat, 19 Mar 2022 16:37:43 +0900    

This command flavor is supported, but there was nothing in the  
documentation about it.  
  
Author: Yugo Nagata  
Discussion: https://postgr.es/m/20220316133337.5dc9740abfa24c25ec9f67f5@sraoss.co.jp  
Backpatch-through: 10  

commit   : 88ae77588d9a891c492f8ba543b3c1064c7a8ef3    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Fri, 18 Mar 2022 16:01:42 -0400    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Fri, 18 Mar 2022 16:01:42 -0400    

The output of table_to_xmlschema() and allied functions includes  
a regex describing valid values for these types ... but the regex  
was itself invalid, as it failed to escape a literal "+" sign.  
  
Report and fix by Renan Soares Lopes.  Back-patch to all  
supported branches.  
  
Discussion: https://postgr.es/m/7f6fabaa-3f8f-49ab-89ca-59fbfe633105@me.com  

commit   : 5e144cc89b468d845a2dbd7bdd1786c6efcdfd83    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Thu, 17 Mar 2022 18:18:05 -0400    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Thu, 17 Mar 2022 18:18:05 -0400    

In commit bf7ca1587, I had the bright idea that we could make the  
result of a whole-row Var (that is, foo.*) track any column aliases  
that had been applied to the FROM entry the Var refers to.  However,  
that's not terribly logically consistent, because now the output of  
the Var is no longer of the named composite type that the Var claims  
to emit.  bf7ca1587 tried to handle that by changing the output  
tuple values to be labeled with a blessed RECORD type, but that's  
really pretty disastrous: we can wind up storing such tuples onto  
disk, whereupon they're not readable by other sessions.  
  
The only practical fix I can see is to give up on what bf7ca1587  
tried to do, and say that the column names of tuples produced by  
a whole-row Var are always those of the underlying named composite  
type, query aliases or no.  While this introduces some inconsistencies,  
it removes others, so it's not that awful in the abstract.  What *is*  
kind of awful is to make such a behavioral change in a back-patched  
bug fix.  But corrupt data is worse, so back-patched it will be.  
  
(A workaround available to anyone who's unhappy about this is to  
introduce an extra level of sub-SELECT, so that the whole-row Var is  
referring to the sub-SELECT's output and not to a named table type.  
Then the Var is of type RECORD to begin with and there's no issue.)  
  
Per report from Miles Delahunty.  The faulty commit dates to 9.5,  
so back-patch to all supported branches.  
  
Discussion: https://postgr.es/m/2950001.1638729947@sss.pgh.pa.us  

commit   : 27fafee72d1749cc530fc76220db400db2634fde    
  
author   : Tomas Vondra <tomas.vondra@postgresql.org>    
date     : Wed, 16 Mar 2022 16:42:47 +0100    
  
committer: Tomas Vondra <tomas.vondra@postgresql.org>    
date     : Wed, 16 Mar 2022 16:42:47 +0100    

Commit 83fd4532a7 allowed publishing of changes via ancestors, for  
publications defined with publish_via_partition_root. But the way  
the ancestor was determined in get_rel_sync_entry() was incorrect,  
simply updating the same variable. So with multiple publications,  
replicating different ancestors, the outcome depended on the order  
of publications in the list - the value from the last loop was used,  
even if it wasn't the top-most ancestor.  
  
This is a probably rare situation, as in most cases publications do  
not overlap, so each partition has exactly one candidate ancestor  
to replicate as and there's no ambiguity.  
  
Fixed by tracking the "ancestor level" for each publication, and  
picking the top-most ancestor. Adds a test case, verifying the  
correct ancestor is used for publishing the changes and that this  
does not depend on order of publications in the list.  
  
Older releases have another bug in this loop - once all actions are  
replicated, the loop is terminated, on the assumption that inspecting  
additional publications is unecessary. But that misses the fact that  
those additional applications may replicate different ancestors.  
  
Fixed by removal of this break condition. We might still terminate the  
loop in some cases (e.g. when replicating all actions and the ancestor  
is the partition root).  
  
Backpatch to 13, where publish_via_partition_root was introduced.  
  
Initial report and fix by me, test added by Hou zj. Reviews and  
improvements by Amit Kapila.  
  
Author: Tomas Vondra, Hou zj, Amit Kapila  
Reviewed-by: Amit Kapila, Hou zj  
Discussion: https://postgr.es/m/d26d24dd-2fab-3c48-0162-2b7f84a9c893%40enterprisedb.com  

commit   : bad202c615c9f4ad41be18aa7d9ffe41ebfb86fa    
  
author   : Alexander Korotkov <akorotkov@postgresql.org>    
date     : Wed, 16 Mar 2022 11:41:18 +0300    
  
committer: Alexander Korotkov <akorotkov@postgresql.org>    
date     : Wed, 16 Mar 2022 11:41:18 +0300    

911e702077 implemented operator class parameters including the signature length  
in ltree.  Previously, the signature length for gist_ltree_ops was 8.  Because  
of bug 911e702077 the default signature length for gist_ltree_ops became 28 for  
ltree 1.1 (where options method is NOT provided) and 8 for ltree 1.2 (where  
options method is provided).  This commit changes the default signature length  
for ltree 1.1 to 8.  
  
Existing gist_ltree_ops indexes might be corrupted in various scenarios.  
Thus, we have to recommend reindexing all the gist_ltree_ops indexes after  
the upgrade.  
  
Reported-by: Victor Yegorov  
Reviewed-by: Tomas Vondra, Tom Lane, Andres Freund, Nikita Glukhov  
Reviewed-by: Andrew Dunstan  
Author: Tomas Vondra, Alexander Korotkov  
Discussion: https://postgr.es/m/17406-71e02820ae79bb40%40postgresql.org  
Discussion: https://postgr.es/m/d80e0a55-6c3e-5b26-53e3-3c4f973f737c%40enterprisedb.com  

commit   : 51e760e5a667e7fcc1660756d657121b778861bf    
  
author   : Thomas Munro <tmunro@postgresql.org>    
date     : Wed, 16 Mar 2022 17:20:24 +1300    
  
committer: Thomas Munro <tmunro@postgresql.org>    
date     : Wed, 16 Mar 2022 17:20:24 +1300    

Commands like ALTER TABLE SET TABLESPACE may leave files for the next  
checkpoint to clean up.  If such files are not removed by the time DROP  
TABLESPACE is called, we request a checkpoint so that they are deleted.  
However, there is presently a window before checkpoint start where new  
unlink requests won't be scheduled until the following checkpoint.  This  
means that the checkpoint forced by DROP TABLESPACE might not remove the  
files we expect it to remove, and the following ERROR will be emitted:  
  
	ERROR:  tablespace "mytblspc" is not empty  
  
To fix, add a call to AbsorbSyncRequests() just before advancing the  
unlink cycle counter.  This ensures that any unlink requests forwarded  
prior to checkpoint start (i.e., when ckpt_started is incremented) will  
be processed by the current checkpoint.  Since AbsorbSyncRequests()  
performs memory allocations, it cannot be called within a critical  
section, so we also need to move SyncPreCheckpoint() to before  
CreateCheckPoint()'s critical section.  
  
This is an old bug, so back-patch to all supported versions.  
  
Author: Nathan Bossart <nathandbossart@gmail.com>  
Reported-by: Nathan Bossart <nathandbossart@gmail.com>  
Reviewed-by: Thomas Munro <thomas.munro@gmail.com>  
Reviewed-by: Andres Freund <andres@anarazel.de>  
Discussion: https://postgr.es/m/20220215235845.GA2665318%40nathanxps13  

commit   : 028a3c6b1cb1933a17bab5bdf22d7431357763b7    
  
author   : Michael Paquier <michael@paquier.xyz>    
date     : Wed, 16 Mar 2022 12:29:55 +0900    
  
committer: Michael Paquier <michael@paquier.xyz>    
date     : Wed, 16 Mar 2022 12:29:55 +0900    

This caused the function to fail, as the aligned copy of the raw page  
given by the function caller was not saved in the correct memory  
context, which needs to be multi_call_memory_ctx in this case.  
  
Issue introduced by 076f4d9.  
  
Per buildfarm members sifika, mylodon and longfin.  I have reproduced  
that locally with macos.  
  
Discussion: https://postgr.es/m/YjFPOtfCW6yLXUeM@paquier.xyz  
Backpatch-through: 10  

commit   : cfdb303be756d846031ba1c1d1ff2cae39a62c15    
  
author   : Thomas Munro <tmunro@postgresql.org>    
date     : Wed, 16 Mar 2022 15:37:15 +1300    
  
committer: Thomas Munro <tmunro@postgresql.org>    
date     : Wed, 16 Mar 2022 15:37:15 +1300    

If we run out of space in the checkpointer sync request queue (which is  
hopefully rare on real systems, but common with very small buffer pool),  
we wait for it to drain.  While waiting, we should report that as a wait  
event so that users know what is going on, and also handle postmaster  
death, since otherwise the loop might never terminate if the  
checkpointer has exited.  
  
Back-patch to 12.  Although the problem exists in earlier releases too,  
the code is structured differently before 12 so I haven't gone any  
further for now, in the absence of field complaints.  
  
Reported-by: Andres Freund <andres@anarazel.de>  
Reviewed-by: Andres Freund <andres@anarazel.de>  
Discussion: https://postgr.es/m/20220226213942.nb7uvb2pamyu26dj%40alap3.anarazel.de  

commit   : d3a9b83c30b62898f6823d127c6b6ddef98f7cba    
  
author   : Michael Paquier <michael@paquier.xyz>    
date     : Wed, 16 Mar 2022 11:20:51 +0900    
  
committer: Michael Paquier <michael@paquier.xyz>    
date     : Wed, 16 Mar 2022 11:20:51 +0900    

This commit fixes a set of issues related to the use of the SQL  
functions in this module when the caller is able to pass down raw page  
data as input argument:  
- The page size check was fuzzy in a couple of places, sometimes  
looking after only a sub-range, but what we are looking for is an exact  
match on BLCKSZ.  After considering a few options here, I have settled  
down to do a generalization of get_page_from_raw().  Most of the SQL  
functions already used that, and this is not strictly required if not  
accessing an 8-byte-wide value from a raw page, but this feels safer in  
the long run for alignment-picky environment, particularly if a code  
path begins to access such values.  This also reduces the number of  
strings that need to be translated.  
- The BRIN function brin_page_items() uses a Relation but it did not  
check the access method of the opened index, potentially leading to  
crashes.  All the other functions in need of a Relation already did  
that.  
- Some code paths could fail on elog(), but we should to use ereport()  
for failures that can be triggered by the user.  
  
Tests are added to stress all the cases that are fixed as of this  
commit, with some junk raw pages (\set VERBOSITY ensures that this works  
across all page sizes) and unexpected index types when functions open  
relations.  
  
Author: Michael Paquier, Justin Prysby  
Discussion: https://postgr.es/m/20220218030020.GA1137@telsasoft.com  
Backpatch-through: 10  

commit   : 5610411ac7b7d86b781aaaeed7f02b0e1005f8bb    
  
author   : Thomas Munro <tmunro@postgresql.org>    
date     : Wed, 16 Mar 2022 11:35:00 +1300    
  
committer: Thomas Munro <tmunro@postgresql.org>    
date     : Wed, 16 Mar 2022 11:35:00 +1300    

Since LLVM 14 has stopped changing and is about to be released,  
back-patch the following changes from the master branch:  
  
  e6a7600202105919bffd62b3dfd941f4a94e082b  
  807fee1a39de6bb8184082012e643951abb9ad1d  
  a56e7b66010f330782243de9e25ac2a6596be0e1  
  
Back-patch to 11, where LLVM JIT support came in.  

commit   : ef00502a5a0a41ae2cab3dc9b06bd2278d29d5fd    
  
author   : Michael Paquier <michael@paquier.xyz>    
date     : Wed, 9 Mar 2022 14:59:22 +0900    
  
committer: Michael Paquier <michael@paquier.xyz>    
date     : Wed, 9 Mar 2022 14:59:22 +0900    

ALTER ROUTINE triggers the events ddl_command_start and ddl_command_end,  
and DROP ROUTINE triggers sql_drop, ddl_command_start and  
ddl_command_end, but this was not mention on the matrix table.  
  
Reported-by: Leslie Lemaire  
Discussion: https://postgr.es/m/164647533363.646.5802968483136493025@wrigleys.postgresql.org  
Backpatch-through: 11  

commit   : 29ec94efd08b0b3f863db13f5978cdeab4f1c8dc    
  
author   : Noah Misch <noah@leadboat.com>    
date     : Fri, 4 Mar 2022 18:53:13 -0800    
  
committer: Noah Misch <noah@leadboat.com>    
date     : Fri, 4 Mar 2022 18:53:13 -0800    

Slow hosts may avoid load-induced, spurious failures by setting  
environment variable PG_TEST_TIMEOUT_DEFAULT to some number of seconds  
greater than 180.  Developers may see faster failures by setting that  
environment variable to some lesser number of seconds.  In tests, write  
$PostgreSQL::Test::Utils::timeout_default wherever the convention has  
been to write 180.  This change raises the default for some briefer  
timeouts.  Back-patch to v10 (all supported versions).  
  
Discussion: https://postgr.es/m/20220218052842.GA3627003@rfd.leadboat.com  

commit   : 59392746cb3fd3c23b5f7bfa9568a71705ca30d1    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Fri, 4 Mar 2022 13:23:58 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Fri, 4 Mar 2022 13:23:58 -0500    

pg_regress reported "Unix socket" as the default location whenever  
HAVE_UNIX_SOCKETS is defined.  However, that's not been accurate  
on Windows since 8f3ec75de.  Update this logic to match what libpq  
actually does now.  
  
This is just cosmetic, but still it's potentially misleading.  
Back-patch to v13 where 8f3ec75de came in.  
  
Discussion: https://postgr.es/m/3894060.1646415641@sss.pgh.pa.us  

commit   : 97031f440485a01627cb1cc442c0fb10d27b97bd    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Thu, 3 Mar 2022 19:03:17 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Thu, 3 Mar 2022 19:03:17 -0500    

This macro cast the result to BlockNumber after shifting, not before,  
which is the wrong thing.  Per the C spec, the uint16 fields would  
promote to int not unsigned int, so that (for 32-bit int) the shift  
potentially shifts a nonzero bit into the sign position.  I doubt  
there are any production systems where this would actually end with  
the wrong answer, but it is undefined behavior per the C spec, and  
clang's -fsanitize=undefined option reputedly warns about it on some  
platforms.  (I can't reproduce that right now, but the code is  
undeniably wrong per spec.)  It's easy to fix by casting to  
BlockNumber (uint32) in the proper places.  
  
It's been wrong for ages, so back-patch to all supported branches.  
  
Report and patch by Zhihong Yu (cosmetic tweaking by me)  
  
Discussion: https://postgr.es/m/CALNJ-vT9r0DSsAOw9OXVJFxLENoVS_68kJ5x0p44atoYH+H4dg@mail.gmail.com  

commit   : 1a027e6b7bdf06dc3bfe1e63a2493f13629cf44a    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Thu, 3 Mar 2022 18:13:24 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Thu, 3 Mar 2022 18:13:24 -0500    

Most of these are cases where we could call memcpy() or other libc  
functions with a NULL pointer and a zero count, which is forbidden  
by POSIX even though every production version of libc allows it.  
We've fixed such things before in a piecemeal way, but apparently  
never made an effort to try to get them all.  I don't claim that  
this patch does so either, but it gets every failure I observe in  
check-world, using clang 12.0.1 on current RHEL8.  
  
numeric.c has a different issue that the sanitizer doesn't like:  
"ln(-1.0)" will compute log10(0) and then try to assign the  
resulting -Inf to an integer variable.  We don't actually use the  
result in such a case, so there's no live bug.  
  
Back-patch to all supported branches, with the idea that we might  
start running a buildfarm member that tests this case.  This includes  
back-patching c1132aae3 (Check the size in COPY_POINTER_FIELD),  
which previously silenced some of these issues in copyfuncs.c.  
  
Discussion: https://postgr.es/m/CALNJ-vT9r0DSsAOw9OXVJFxLENoVS_68kJ5x0p44atoYH+H4dg@mail.gmail.com  

commit   : 6599d8f1264299ee595f2eaf4dc6a9aa2d7940d2    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Wed, 2 Mar 2022 11:57:02 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Wed, 2 Mar 2022 11:57:02 -0500    

This change makes libpq apply the same private-key-file ownership  
and permissions checks that we have used in the backend since commit  
9a83564c5.  Namely, that the private key can be owned by either the  
current user or root (with different file permissions allowed in the  
two cases).  This allows system-wide management of key files, which  
is just as sensible on the client side as the server, particularly  
when the client is itself some application daemon.  
  
Sync the comments about this between libpq and the backend, too.  
  
Back-patch of a59c79564 and 50f03473e into all supported branches.  
  
David Steele  
  
Discussion: https://postgr.es/m/f4b7bc55-97ac-9e69-7398-335e212f7743@pgmasters.net  

commit   : 9b2d762a283dc65b2168c3555302e7a23bc377e1    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Fri, 25 Feb 2022 17:40:21 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Fri, 25 Feb 2022 17:40:21 -0500    

Perl can be convinced to execute user-defined code during compilation  
of a plperl function (or at least a plperlu function).  That's not  
such a big problem as long as the activity is confined within the  
Perl interpreter, and it's not clear we could do anything about that  
anyway.  However, if such code tries to use plperl's SPI functions,  
we have a bigger problem.  In the first place, those functions are  
likely to crash because current_call_data->prodesc isn't set up yet.  
In the second place, because it isn't set up, we lack critical info  
such as whether the function is supposed to be read-only.  And in  
the third place, this path allows code execution during function  
validation, which is strongly discouraged because of the potential  
for security exploits.  Hence, reject execution of the SPI functions  
until compilation is finished.  
  
While here, add check_spi_usage_allowed() calls to various functions  
that hadn't gotten the memo about checking that.  I think that perhaps  
plperl_sv_to_literal may have been intentionally omitted on the grounds  
that it was safe at the time; but if so, the addition of transforms  
functionality changed that.  The others are more recently added and  
seem to be flat-out oversights.  
  
Per report from Mark Murawski.  Back-patch to all supported branches.  
  
Discussion: https://postgr.es/m/9acdf918-7fff-4f40-f750-2ffa84f083d2@intellasoft.net  

commit   : 0b1020a96d8e14ba5c5fe22f825c3093160aa83b    
  
author   : Andres Freund <andres@anarazel.de>    
date     : Fri, 25 Feb 2022 10:30:05 -0800    
  
committer: Andres Freund <andres@anarazel.de>    
date     : Fri, 25 Feb 2022 10:30:05 -0800    

When opening a WAL file smaller than XLOG_BLCKSZ (e.g. 0 bytes long) while  
determining the wal_segment_size, pg_waldump checked errno, despite errno not  
being set by the short read. Resulting in a bogus error message.  
  
Author: Kyotaro Horiguchi <horikyota.ntt@gmail.com>  
Discussion: https://postgr.es/m/20220214.181847.775024684568733277.horikyota.ntt@gmail.com  
Backpatch: 11-, the bug was introducedin fc49e24fa  

commit   : c2551483e0f6855183ae43a74abb3e434803b907    
  
author   : Andres Freund <andres@anarazel.de>    
date     : Sat, 19 Feb 2022 12:27:20 -0800    
  
committer: Andres Freund <andres@anarazel.de>    
date     : Sat, 19 Feb 2022 12:27:20 -0800    

When cleaning up temporary objects during process exit the cleanup could fail  
with:  
  FATAL: cannot fetch toast data without an active snapshot  
  
The bug is caused by RemoveTempRelationsCallback() not setting up a  
snapshot. If an object with toasted catalog data needs to be cleaned up,  
init_toast_snapshot() could fail with the above error.  
  
Most of the time however the the problem is masked due to cached catalog  
snapshots being returned by GetOldestSnapshot(). But dropping an object can  
cause catalog invalidations to be emitted. If no further catalog accesses are  
necessary between the invalidation processing and the next toast datum  
deletion, the bug becomes visible.  
  
It's easy to miss this bug because it typically happens after clients  
disconnect and the FATAL error just ends up in the log.  
  
Luckily temporary table cleanup at the next use of the same temporary schema  
or during DISCARD ALL does not have the same problem.  
  
Fix the bug by pushing a snapshot in RemoveTempRelationsCallback(). Also add  
isolation tests for temporary object cleanup, including objects with toasted  
catalog data.  
  
A future HEAD only commit will add more assertions.  
  
Reported-By: Miles Delahunty  
Author: Andres Freund  
Discussion: https://postgr.es/m/CAOFAq3BU5Mf2TTvu8D9n_ZOoFAeQswuzk7yziAb7xuw_qyw5gw@mail.gmail.com  
Backpatch: 10-  

commit   : a5716baac00b68e6cf0720047dddfe8892c8033e    
  
author   : Andrew Dunstan <andrew@dunslane.net>    
date     : Sun, 20 Feb 2022 11:49:33 -0500    
  
committer: Andrew Dunstan <andrew@dunslane.net>    
date     : Sun, 20 Feb 2022 11:49:33 -0500    

Following migration of Windows buildfarm members running TAP tests to  
use of ucrt64 perl for those tests, special processing for msys perl is  
no longer necessary and so is removed.  
  
Backpatch to release 10  
  
Discussion: https://postgr.es/m/c65a8781-77ac-ea95-d185-6db291e1baeb@dunslane.net  

commit   : c27aa21e0dc89484fec38cd4e2189c6c1a5cf251    
  
author   : Andrew Dunstan <andrew@dunslane.net>    
date     : Sun, 20 Feb 2022 08:55:06 -0500    
  
committer: Andrew Dunstan <andrew@dunslane.net>    
date     : Sun, 20 Feb 2022 08:55:06 -0500    

Commit f1ac4a74de disabled this processing, and as nothing has broken (as  
expected) here we proceed to remove the routine and adjust all the call  
sites.  
  
Backpatch to release 10  
  
Discussion: https://postgr.es/m/0ba775a2-8aa0-0d56-d780-69427cf6f33d@dunslane.net  
Discussion: https://postgr.es/m/20220125023609.5ohu3nslxgoygihl@alap3.anarazel.de  

commit   : 46b738ffc2bf27c1c0bf0492f8c646c4496819dc    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Thu, 17 Feb 2022 22:45:34 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Thu, 17 Feb 2022 22:45:34 -0500    

GCC 12 complains that set_stack_base is storing the address of  
a local variable in a long-lived pointer.  This is an entirely  
reasonable warning (indeed, it just helped us find a bug);  
but that behavior is intentional here.  We can work around it  
by using __builtin_frame_address(0) instead of a specific local  
variable; that produces an address a dozen or so bytes different,  
in my testing, but we don't care about such a small difference.  
Maybe someday a compiler lacking that function will start to issue  
a similar warning, but we'll worry about that when it happens.  
  
Patch by me, per a suggestion from Andres Freund.  Back-patch to  
v12, which is as far back as the patch will go without some pain.  
(Recently-established project policy would permit a back-patch as  
far as 9.2, but I'm disinclined to expend the work until GCC 12  
is much more widespread.)  
  
Discussion: https://postgr.es/m/3773792.1645141467@sss.pgh.pa.us  

commit   : 0dc0284ade4ade315982d1300cb87006b42e72c3    
  
author   : Etsuro Fujita <efujita@postgresql.org>    
date     : Wed, 16 Feb 2022 15:15:04 +0900    
  
committer: Etsuro Fujita <efujita@postgresql.org>    
date     : Wed, 16 Feb 2022 15:15:04 +0900    

Document that they can be modified using COPY as well.  
  
Back-patch to v11 where commit 3d956d956 added support for COPY in  
postgres_fdw.  

commit   : caa231be97df3e4cb2667ea355562d5a5faa60c9    
  
author   : Amit Kapila <akapila@postgresql.org>    
date     : Mon, 14 Feb 2022 08:24:44 +0530    
  
committer: Amit Kapila <akapila@postgresql.org>    
date     : Mon, 14 Feb 2022 08:24:44 +0530    

Currently, during UPDATE, the unchanged replica identity key attributes  
are not logged separately because they are getting logged as part of the  
new tuple. But if they are stored externally then the untoasted values are  
not getting logged as part of the new tuple and logical replication won't  
be able to replicate such UPDATEs. So we need to log such attributes as  
part of the old_key_tuple during UPDATE.  
  
Reported-by: Haiying Tang  
Author: Dilip Kumar and Amit Kapila  
Reviewed-by: Alvaro Herrera, Haiying Tang, Andres Freund  
Backpatch-through: 10  
Discussion: https://postgr.es/m/OS0PR01MB611342D0A92D4F4BF26C0F47FB229@OS0PR01MB6113.jpnprd01.prod.outlook.com  

commit   : ac2303aa0386d2fa26cc3e237076b49827b39d6a    
  
author   : Alexander Korotkov <akorotkov@postgresql.org>    
date     : Mon, 14 Feb 2022 03:26:55 +0300    
  
committer: Alexander Korotkov <akorotkov@postgresql.org>    
date     : Mon, 14 Feb 2022 03:26:55 +0300    

Fix ExecReScanIndexScan() to free the referenced tuples while emptying the  
priority queue.  Backpatch to all supported versions.  
  
Discussion: https://postgr.es/m/CAHqSB9gECMENBQmpbv5rvmT3HTaORmMK3Ukg73DsX5H7EJV7jw%40mail.gmail.com  
Author: Aliaksandr Kalenik  
Reviewed-by: Tom Lane, Alexander Korotkov  
Backpatch-through: 10  

commit   : 51ee561f5671cd92f6dcaacf043985c497a82fc1    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Sat, 12 Feb 2022 13:23:20 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Sat, 12 Feb 2022 13:23:20 -0500    

In commit 1f39a1c06 I made PQisBusy consider conn->write_failed, but  
that is now looking like complete brain fade.  In the first place, the  
logic is quite wrong: it ought to be like "and not" rather than "or".  
This meant that once we'd gotten into a write_failed state, PQisBusy  
would always return true, probably causing the calling application to  
iterate its loop until PQconsumeInput returns a hard failure thanks  
to connection loss.  That's not what we want: the intended behavior  
is to return an error PGresult, which the application probably has  
much cleaner support for.  
  
But in the second place, checking write_failed here seems like the  
wrong thing anyway.  The idea of the write_failed mechanism is to  
postpone handling of a write failure until we've read all we can from  
the server; so that flag should not interfere with input-processing  
behavior.  (Compare 7247e243a.)  What we *should* check for is  
status = CONNECTION_BAD, ie, socket already closed.  (Most places that  
close the socket don't touch asyncStatus, but they do reset status.)  
This primarily ensures that if PQisBusy() returns true then there is  
an open socket, which is assumed by several call sites in our own  
code, and probably other applications too.  
  
While at it, fix a nearby thinko in libpq's my_sock_write: we should  
only consult errno for res < 0, not res == 0.  This is harmless since  
pqsecure_raw_write would force errno to zero in such a case, but it  
still could confuse readers.  
  
Noted by Andres Freund.  Backpatch to v12 where 1f39a1c06 came in.  
  
Discussion: https://postgr.es/m/20220211011025.ek7exh6owpzjyudn@alap3.anarazel.de  

commit   : 0778b24ced8a873b432641001d046d1dde602466    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Fri, 11 Feb 2022 15:23:52 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Fri, 11 Feb 2022 15:23:52 -0500    

createplan.c tries to save a runtime projection step by specifying  
a scan plan node's output as being exactly the table's columns, or  
index's columns in the case of an index-only scan, if there is not a  
reason to do otherwise.  This logic did not previously pay attention  
to whether an index's columns are returnable.  That worked, sort of  
accidentally, until commit 9a3ddeb51 taught setrefs.c to reject plans  
that try to read a non-returnable column.  I have no desire to loosen  
setrefs.c's new check, so instead adjust use_physical_tlist() to not  
try to optimize this way when there are non-returnable column(s).  
  
Per report from Ryan Kelly.  Like the previous patch, back-patch  
to all supported branches.  
  
Discussion: https://postgr.es/m/CAHUie24ddN+pDNw7fkhNrjrwAX=fXXfGZZEHhRuofV_N_ftaSg@mail.gmail.com  

commit   : d0e1fd9587b3445904076fb7ba11b37138f0ac94    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Thu, 10 Feb 2022 16:49:39 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Thu, 10 Feb 2022 16:49:39 -0500    

"pg_ctl stop/restart" checked that the postmaster PID is valid just  
once, as a side-effect of sending the stop signal, and then would  
wait-till-timeout for the postmaster.pid file to go away.  This  
neglects the case wherein the postmaster dies uncleanly after we  
signal it.  Similarly, once "pg_ctl promote" has sent the signal,  
it'd wait for the corresponding on-disk state change to occur  
even if the postmaster dies.  
  
I'm not sure how we've managed not to notice this problem, but it  
seems to explain slow execution of the 017_shm.pl test script on AIX  
since commit 4fdbf9af5, which added a speculative "pg_ctl stop" with  
the idea of making real sure that the postmaster isn't there.  In the  
test steps that kill-9 and then restart the postmaster, it's possible  
to get past the initial signal attempt before kill() stops working  
for the doomed postmaster.  If that happens, pg_ctl waited till  
PGCTLTIMEOUT before giving up ... and the buildfarm's AIX members  
have that set very high.  
  
To fix, include a "kill(pid, 0)" test (similar to what  
postmaster_is_alive uses) in these wait loops, so that we'll  
give up immediately if the postmaster PID disappears.  
  
While here, I chose to refactor those loops out of where they were.  
do_stop() and do_restart() can perfectly well share one copy of the  
wait-for-stop loop, and it seems desirable to put a similar function  
beside that for wait-for-promote.  
  
Back-patch to all supported versions, since pg_ctl's wait logic  
is substantially identical in all, and we're seeing the slow test  
behavior in all branches.  
  
Discussion: https://postgr.es/m/20220210023537.GA3222837@rfd.leadboat.com  

commit   : eec7c640fe5022b19b2dd82f739dc0c2c54cdbb8    
  
author   : Andrew Dunstan <andrew@dunslane.net>    
date     : Thu, 10 Feb 2022 13:44:05 -0500    
  
committer: Andrew Dunstan <andrew@dunslane.net>    
date     : Thu, 10 Feb 2022 13:44:05 -0500    

Modern msys systems lack pexports but have gendef instead, so use that.  
  
Discussion: https://postgr.es/m/3ccde7a9-e4f9-e194-30e0-0936e6ad68ba@dunslane.net  
  
Backpatch to release 9.4 to enable building with perl on older branches.  
Before that pexports is not used for plperl.  

commit   : b3558cc96cd9714d879774d13c5bab12ef027864    
  
author   : Noah Misch <noah@leadboat.com>    
date     : Wed, 9 Feb 2022 18:16:59 -0800    
  
committer: Noah Misch <noah@leadboat.com>    
date     : Wed, 9 Feb 2022 18:16:59 -0800    

Some pre-2017 Test::More versions need perfect $Test::Builder::Level  
maintenance to find the variable.  Buildfarm member snapper reported an  
overall failure that the file intended to hide via the TODO construct.  
That trouble was reachable in v11 and v10.  For later branches, this  
serves as defense in depth.  Back-patch to v10 (all supported versions).  
  
Discussion: https://postgr.es/m/20220202055556.GB2745933@rfd.leadboat.com  

commit   : 1b8462bf1d097dfff2014b61d5d1ff6ca99d785d    
  
author   : Noah Misch <noah@leadboat.com>    
date     : Wed, 9 Feb 2022 18:16:56 -0800    
  
committer: Noah Misch <noah@leadboat.com>    
date     : Wed, 9 Feb 2022 18:16:56 -0800    

The back-patch of commit fdd965d074d46765c295223b119ca437dbcac973 broke  
CLOBBER_CACHE_ALWAYS for v9.6 through v13.  It updated the  
InvalidateSystemCaches() call for CLOBBER_CACHE_RECURSIVELY, neglecting  
the one for CLOBBER_CACHE_ALWAYS.  Back-patch to v13, v12, v11, and v10.  
  
Reviewed by Tomas Vondra.  Reported by Tomas Vondra.  
  
Discussion: https://postgr.es/m/df7b4c0b-7d92-f03f-75c4-9e08b269a716@enterprisedb.com  

commit   : 5ea3b99de07bd1c1757effc9664d0786cb21c963    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Tue, 8 Feb 2022 19:25:56 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Tue, 8 Feb 2022 19:25:56 -0500    

Recent versions of Devel::PPPort try to redefine eval_pv() to  
dodge a bug in pre-5.31 Perl versions.  Unfortunately the redefinition  
fails on compilers that don't support statements nested within  
expressions.  However, we aren't actually interested in this bug fix,  
since we always call eval_pv() with croak_on_error = FALSE.  
So, until there's an upstream fix for this breakage, just comment  
out the macro to revert to the older behavior.  
  
Per report from Wei Sun, as well as previous buildfarm failure  
on pademelon (which I'd unfortunately not looked at carefully  
enough to understand the cause).  Back-patch to all supported  
versions, since we're using the same ppport.h in all.  
  
Discussion: https://postgr.es/m/tencent_2EFCC8BA0107B6EC0F97179E019A8A43C806@qq.com  
Report: https://buildfarm.postgresql.org/cgi-bin/show_log.pl?nm=pademelon&dt=2022-02-02%2001%3A22%3A58  

commit   : d7db9572070a627bae9919fd1b4e16c8208d4fca    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Mon, 7 Feb 2022 16:17:41 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Mon, 7 Feb 2022 16:17:41 -0500    

commit   : 7f7148b72e2b63274d93da6ea43f1493f4e92aa8    
  
author   : Peter Eisentraut <peter@eisentraut.org>    
date     : Mon, 7 Feb 2022 13:36:22 +0100    
  
committer: Peter Eisentraut <peter@eisentraut.org>    
date     : Mon, 7 Feb 2022 13:36:22 +0100    

Source-Git-URL: git://git.postgresql.org/git/pgtranslation/messages.git  
Source-Git-Hash: 9aa8bc576f9af5c61de4a6fc8119abfa36493d01  

commit   : 763c7aac575101cb4d3b3a37bb9811a66ef052c8    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Sun, 6 Feb 2022 14:24:55 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Sun, 6 Feb 2022 14:24:55 -0500    

commit   : 7d74ff82431ba8836f92ac33ed3f1ab276f51a92    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Sat, 5 Feb 2022 12:55:44 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Sat, 5 Feb 2022 12:55:44 -0500    

A very well-informed user might deduce this from what we said already,  
but I'd bet against it.  Lay it out explicitly.  
  
While here, rewrite the comment about tuple routing to be more  
intelligible to an average SQL user.  
  
Per bug #17395 from Alexander Lakhin.  Back-patch to v11.  (The text  
in this area is different in v10 and I'm not sufficiently excited  
about this point to adapt the patch.)  
  
Discussion: https://postgr.es/m/17395-8c326292078d1a57@postgresql.org  

commit   : 9c7cf083f26e183e200395b3514061bb9d71cc7e    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Sat, 5 Feb 2022 11:59:30 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Sat, 5 Feb 2022 11:59:30 -0500    

There are two Asserts in nodeMergejoin.c that are reachable if  
the input data is not in the expected order.  This seems way too  
fragile.  Alexander Lakhin reported a case where the assertions  
could be triggered with misconfigured foreign-table partitions,  
and bitter experience with unstable operating system collation  
definitions suggests another easy route to hitting them.  Neither  
Assert is in a place where we can't afford one more test-and-branch,  
so replace 'em with plain test-and-elog logic.  
  
Per bug #17395.  While the reported symptom is relatively recent,  
collation changes could happen anytime, so back-patch to all  
supported branches.  
  
Discussion: https://postgr.es/m/17395-8c326292078d1a57@postgresql.org  

commit   : 58e9d28091e76bfd4a2670bc9ca8ba44d958e57d    
  
author   : Bruce Momjian <bruce@momjian.us>    
date     : Wed, 2 Feb 2022 21:53:51 -0500    
  
committer: Bruce Momjian <bruce@momjian.us>    
date     : Wed, 2 Feb 2022 21:53:51 -0500    

Also move TCL syntax to the PL/tcl section.  
  
Reported-by: davs2rt@gmail.com  
  
Discussion: https://postgr.es/m/164308146320.12460.3590769444508751574@wrigleys.postgresql.org  
  
Backpatch-through: 10  

commit   : 31c9712610c7eec1b2f376fd3bbf5839e4234d64    
  
author   : Peter Eisentraut <peter@eisentraut.org>    
date     : Wed, 2 Feb 2022 09:14:26 +0100    
  
committer: Peter Eisentraut <peter@eisentraut.org>    
date     : Wed, 2 Feb 2022 09:14:26 +0100    

Small thinko introduced by 94aceed317730953476bec490ce0148b2af3c383  
  
Reported-by: nassehk@gmail.com  

commit   : 4d7d196ff69365041579024848f34ee57ac75223    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Tue, 1 Feb 2022 19:03:41 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Tue, 1 Feb 2022 19:03:41 -0500    

With Python 3.10, configure spits out warnings about the module  
distutils.sysconfig being deprecated and scheduled for removal in  
Python 3.12.  Change the uses in configure to use the module sysconfig  
instead.  The logic stays largely the same, although we have to  
rely on INCLUDEPY instead of the deprecated get_python_inc function.  
  
Note that sysconfig exists since Python 2.7, so this moves the  
minimum required version up from Python 2.6 (or 2.4, before v13).  
Also, sysconfig didn't exist in Python 3.1, so the minimum 3.x  
version is now 3.2.  
  
Back-patch of commit bd233bdd8 into all supported branches.  
  
In v10, this also includes back-patching v11's beff4bb9c, primarily  
because this opinion is clearly out-of-date:  
  
    While at it, get rid of the code's assumption that both the major and  
    minor numbers contain exactly one digit.  That will foreseeably be  
    broken by Python 3.10 in perhaps four or five years.  That's far enough  
    out that we probably don't need to back-patch this.  
  
Peter Eisentraut, Tom Lane, Andres Freund  
  
Discussion: https://postgr.es/m/c74add3c-09c4-a9dd-1a03-a846e5b2fc52@enterprisedb.com  

commit   : ff86ee3d2175d0e53e114bdb24137f5dc2dbb73b    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Mon, 31 Jan 2022 15:07:39 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Mon, 31 Jan 2022 15:07:39 -0500    

This reverts commits d81cac47a et al.  We shouldn't need that  
hack after the preceding commits.  
  
Discussion: https://postgr.es/m/20220131015130.shn6wr2fzuymerf6@alap3.anarazel.de  

commit   : bc89af248e04fc07c1c15eb2d3c743a22691c667    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Mon, 31 Jan 2022 15:01:05 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Mon, 31 Jan 2022 15:01:05 -0500    

Also apply the changes suggested by running  
perl ppport.h --compat-version=5.8.0  
  
And remove some no-longer-required NEED_foo declarations.  
  
Dagfinn Ilmari Mannsåker  
  
Back-patch of commit 05798c9f7 into all supported branches.  
At the time we thought this update was mostly cosmetic, but the  
lack of it has caused trouble, while the patch itself hasn't.  
  
Discussion: https://postgr.es/m/87y278s6iq.fsf@wibble.ilmari.org  
Discussion: https://postgr.es/m/20220131015130.shn6wr2fzuymerf6@alap3.anarazel.de  

commit   : 4afb5aeb9f1285bd3ff2b370671c7ad5a91445c9    
  
author   : Andres Freund <andres@anarazel.de>    
date     : Sun, 30 Jan 2022 17:53:53 -0800    
  
committer: Andres Freund <andres@anarazel.de>    
date     : Sun, 30 Jan 2022 17:53:53 -0800    

ppport.h was only updated in 05798c9f7f0 (master). Unfortunately my commit  
c89f409749c uses PERL_VERSION_LT which came in with that update. Breaking most  
buildfarm animals.  
  
I should have noticed that...  
  
We might want to backpatch the ppport update instead, but for now lets get the  
buildfarm green again.  
  
Discussion: https://postgr.es/m/20220131015130.shn6wr2fzuymerf6@alap3.anarazel.de  
Backpatch: 10-14, master doesn't need it  

commit   : 0dc0fe7b6c4583955f643c3ba7ea625767f300bb    
  
author   : Andres Freund <andres@anarazel.de>    
date     : Sun, 30 Jan 2022 14:29:04 -0800    
  
committer: Andres Freund <andres@anarazel.de>    
date     : Sun, 30 Jan 2022 14:29:04 -0800    

For older versions we need our own copy of perl's setlocale(), because it was  
not exposed (why we need the setlocale in the first place is explained in  
plperl_init_interp) . The copy stopped working in 5.28, as some of the used  
macros are not public anymore.  But Perl_setlocale is available in 5.28, so  
use that.  
  
Author: Victor Wagner <vitus@wagner.pp.ru>  
Reviewed-By: Dagfinn Ilmari Mannsåker <ilmari@ilmari.org>  
Discussion: https://postgr.es/m/20200501134711.08750c5f@antares.wagner.home  
Backpatch: all versions  

commit   : 5ad70564f46a5fc782191eb8010d90aaca9a762e    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Sat, 29 Jan 2022 11:41:12 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Sat, 29 Jan 2022 11:41:12 -0500    

Although select_common_type() has a failure-return convention, an  
apparent successful return just provides a type OID that *might* work  
as a common supertype; we've not validated that the required casts  
actually exist.  In the mainstream use-cases that doesn't matter,  
because we'll proceed to invoke coerce_to_common_type() on each input,  
which will fail appropriately if the proposed common type doesn't  
actually work.  However, a few callers didn't read the (nonexistent)  
fine print, and thought that if they got back a nonzero OID then the  
coercions were sure to work.  
  
This affects in particular the recently-added "anycompatible"  
polymorphic types; we might think that a function/operator using  
such types matches cases it really doesn't.  A likely end result  
of that is unexpected "ambiguous operator" errors, as for example  
in bug #17387 from James Inform.  Another, much older, case is that  
the parser might try to transform an "x IN (list)" construct to  
a ScalarArrayOpExpr even when the list elements don't actually have  
a common supertype.  
  
It doesn't seem desirable to add more checking to select_common_type  
itself, as that'd just slow down the mainstream use-cases.  Instead,  
write a separate function verify_common_type that performs the  
missing checks, and add a call to that where necessary.  Likewise add  
verify_common_type_from_oids to go with select_common_type_from_oids.  
  
Back-patch to v13 where the "anycompatible" types came in.  (The  
symptom complained of in bug #17387 doesn't appear till v14, but  
that's just because we didn't get around to converting || to use  
anycompatible till then.)  In principle the "x IN (list)" fix could  
go back all the way, but I'm not currently convinced that it makes  
much difference in real-world cases, so I won't bother for now.  
  
Discussion: https://postgr.es/m/17387-5dfe54b988444963@postgresql.org  

commit   : e90f258acaf2d78afc20842e7b63f0734c412bae    
  
author   : Tomas Vondra <tomas.vondra@postgresql.org>    
date     : Thu, 27 Jan 2022 17:53:53 +0100    
  
committer: Tomas Vondra <tomas.vondra@postgresql.org>    
date     : Thu, 27 Jan 2022 17:53:53 +0100    

Commit 8431e296ea reworked ProcArrayApplyRecoveryInfo to sort XIDs  
before adding them to KnownAssignedXids. But the XIDs are sorted using  
xidComparator, which compares the XIDs simply as uint32 values, not  
logically. KnownAssignedXidsAdd() however expects XIDs in logical order,  
and calls TransactionIdFollowsOrEquals() to enforce that. If there are  
XIDs for which the two orderings disagree, an error is raised and the  
recovery fails/restarts.  
  
Hitting this issue is fairly easy - you just need two transactions, one  
started before the 4B limit (e.g. XID 4294967290), the other sometime  
after it (e.g. XID 1000). Logically (4294967290 <= 1000) but when  
compared using xidComparator we try to add them in the opposite order.  
Which makes KnownAssignedXidsAdd() fail with an error like this:  
  
  ERROR: out-of-order XID insertion in KnownAssignedXids  
  
This only happens during replica startup, while processing RUNNING_XACTS  
records to build the snapshot. Once we reach STANDBY_SNAPSHOT_READY, we  
skip these records. So this does not affect already running replicas,  
but if you restart (or create) a replica while there are transactions  
with XIDs for which the two orderings disagree, you may hit this.  
  
Long-running transactions and frequent replica restarts increase the  
likelihood of hitting this issue. Once the replica gets into this state,  
it can't be started (even if the old transactions are terminated).  
  
Fixed by sorting the XIDs logically - this is fine because we're dealing  
with normal XIDs (because it's XIDs assigned to backends) and from the  
same wraparound epoch (otherwise the backends could not be running at  
the same time on the primary node). So there are no problems with the  
triangle inequality, which is why xidComparator compares raw values.  
  
Investigation and root cause analysis by Abhijit Menon-Sen. Patch by me.  
  
This issue is present in all releases since 9.4, however releases up to  
9.6 are EOL already so backpatch to 10 only.  
  
Reviewed-by: Abhijit Menon-Sen  
Reviewed-by: Alvaro Herrera  
Backpatch-through: 10  
Discussion: https://postgr.es/m/36b8a501-5d73-277c-4972-f58a4dce088a%40enterprisedb.com  

commit   : 785a28e422ea3fecbd38a3a49b488dc168ac3fb3    
  
author   : Noah Misch <noah@leadboat.com>    
date     : Wed, 26 Jan 2022 18:06:19 -0800    
  
committer: Noah Misch <noah@leadboat.com>    
date     : Wed, 26 Jan 2022 18:06:19 -0800    

Buildfarm members kittiwake, tadarida and snapper began to fail  
frequently when commits 3cd9c3b921977272e6650a5efbeade4203c4bca2 and  
f47ed79cc8a0cfa154dc7f01faaf59822552363f added tests of concurrency, but  
the problem was reachable before those commits.  Back-patch to v10 (all  
supported versions).  
  
Discussion: https://postgr.es/m/20220116210241.GC756210@rfd.leadboat.com  

commit   : 81596645ca2ba382918fca9e82aa3089db737e14    
  
author   : Magnus Hagander <magnus@hagander.net>    
date     : Wed, 26 Jan 2022 09:52:41 +0100    
  
committer: Magnus Hagander <magnus@hagander.net>    
date     : Wed, 26 Jan 2022 09:52:41 +0100    

For authentication method cert, clientcert=verify-full is implied. But  
the pg_hba_file_rules entry would incorrectly show clientcert=verify-ca.  
  
Per bug #17354  
  
Reported-By: Feike Steenbergen  
Reviewed-By: Jonathan Katz  
Backpatch-through: 12  

commit   : 213c5aa3bdba5783529d3c0f103dbfadf4f93f50    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Tue, 25 Jan 2022 12:17:40 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Tue, 25 Jan 2022 12:17:40 -0500    

This reverts commits 6051857fc and ed52c3707, but only in the back  
branches.  Further testing has shown that while those changes do fix  
some things, they also break others; in particular, it looks like  
walreceivers fail to detect walsender-initiated connection close  
reliably if the walsender shuts down this way.  We'll keep trying to  
improve matters in HEAD, but it now seems unwise to push these changes  
into stable releases.  
  
Discussion: https://postgr.es/m/CA+hUKG+OeoETZQ=Qw5Ub5h3tmwQhBmDA=nuNO3KG=zWfUypFAw@mail.gmail.com  

commit   : f8807e7742e5ce058b6fe05d797852e082e6d2c8    
  
author   : David Rowley <drowley@postgresql.org>    
date     : Tue, 25 Jan 2022 21:15:00 +1300    
  
committer: David Rowley <drowley@postgresql.org>    
date     : Tue, 25 Jan 2022 21:15:00 +1300    

8edd0e794 added some code to remove Append and MergeAppend nodes when they  
contained a single child node.  As it turned out, this was unsafe to do  
when the Append/MergeAppend was parallel_aware and the child node was not.  
Removing the Append/MergeAppend, in this case, could lead to the child plan  
being called multiple times by parallel workers when it was unsafe to do  
so.  
  
Here we fix this by just not removing the Append/MergeAppend when the  
parallel_aware flag of the parent and child node don't match.  
  
Reported-by: Yura Sokolov  
Bug: #17335  
Discussion: https://postgr.es/m/b59605fecb20ba9ea94e70ab60098c237c870628.camel%40postgrespro.ru  
Backpatch-through: 12, where 8edd0e794 was first introduced  

commit   : 35893cc96856ae191fbe5c639a542117c0479880    
  
author   : Michael Paquier <michael@paquier.xyz>    
date     : Tue, 25 Jan 2022 10:49:41 +0900    
  
committer: Michael Paquier <michael@paquier.xyz>    
date     : Tue, 25 Jan 2022 10:49:41 +0900    

This is an extraction of the user-visible changes done in 410aa24,  
including all the relevant documentation parts.  
  
Author: Justin Pryzby  
Discussion: https://postgr.es/m/20220124030001.GQ23027@telsasoft.com  
Backpatch-through: 10  

commit   : d67354d870bbddbde551e5b9804a42fb78af527e    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Mon, 24 Jan 2022 15:33:34 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Mon, 24 Jan 2022 15:33:34 -0500    

In logical replication mode, a WalSender is supposed to be able  
to execute any regular SQL command, as well as the special  
replication commands.  Poor design of the replication-command  
parser caused it to fail in various cases, notably:  
  
* semicolons embedded in a command, or multiple SQL commands  
sent in a single message;  
  
* dollar-quoted literals containing odd numbers of single  
or double quote marks;  
  
* commands starting with a comment.  
  
The basic problem here is that we're trying to run repl_scanner.l  
across the entire input string even when it's not a replication  
command.  Since repl_scanner.l does not understand all of the  
token types known to the core lexer, this is doomed to have  
failure modes.  
  
We certainly don't want to make repl_scanner.l as big as scan.l,  
so instead rejigger stuff so that we only lex the first token of  
a non-replication command.  That will usually look like an IDENT  
to repl_scanner.l, though a comment would end up getting reported  
as a '-' or '/' single-character token.  If the token is a replication  
command keyword, we push it back and proceed normally with repl_gram.y  
parsing.  Otherwise, we can drop out of exec_replication_command()  
without examining the rest of the string.  
  
(It's still theoretically possible for repl_scanner.l to fail on  
the first token; but that could only happen if it's an unterminated  
single- or double-quoted string, in which case you'd have gotten  
largely the same error from the core lexer too.)  
  
In this way, repl_gram.y isn't involved at all in handling general  
SQL commands, so we can get rid of the SQLCmd node type.  (In  
the back branches, we can't remove it because renumbering enum  
NodeTag would be an ABI break; so just leave it sit there unused.)  
  
I failed to resist the temptation to clean up some other sloppy  
coding in repl_scanner.l while at it.  The only externally-visible  
behavior change from that is it now accepts \r and \f as whitespace,  
same as the core lexer.  
  
Per bug #17379 from Greg Rychlewski.  Back-patch to all supported  
branches.  
  
Discussion: https://postgr.es/m/17379-6a5c6cfb3f1f5e77@postgresql.org  

commit   : c94c6612da573d2789855b77a47da45a4a19cfbd    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Mon, 24 Jan 2022 12:09:46 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Mon, 24 Jan 2022 12:09:46 -0500    

Without this, we get odd behavior when the previous cycle of  
lexing exited in a non-default exclusive state.  Every other  
copy of this code is aware that it has to do BEGIN(INITIAL),  
but repl_scanner.l did not get that memo.  
  
The real-world impact of this is probably limited, since most  
replication clients would abandon their connection after getting  
a syntax error.  Still, it's a bug.  
  
This mistake is old, so back-patch to all supported branches.  
  
Discussion: https://postgr.es/m/1874781.1643035952@sss.pgh.pa.us  

commit   : 0cbc50737864177a29430be41e5b134a29e77554    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Sun, 23 Jan 2022 11:09:00 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Sun, 23 Jan 2022 11:09:00 -0500    

In the normal configuration where GEQO_DEBUG isn't defined,  
recent clang versions have started to complain that geqo_main.c  
accumulates the edge_failures count but never does anything  
with it.  As a minimal back-patchable fix, insert a void cast  
to silence this warning.  (I'd speculated about ripping out the  
GEQO_DEBUG logic altogether, but I don't think we'd wish to  
back-patch that.)  
  
Per recently-established project policy, this is a candidate  
for back-patching into out-of-support branches: it suppresses  
an annoying compiler warning but changes no behavior.  Hence,  
back-patch all the way to 9.2.  
  
Discussion: https://postgr.es/m/CA+hUKGLTSZQwES8VNPmWO9AO0wSeLt36OCPDAZTccT1h7Q7kTQ@mail.gmail.com  

commit   : 4d8c4d2061f90db009ec834308e260fb5ca1e885    
  
author   : Tomas Vondra <tomas.vondra@postgresql.org>    
date     : Sun, 23 Jan 2022 03:36:55 +0100    
  
committer: Tomas Vondra <tomas.vondra@postgresql.org>    
date     : Sun, 23 Jan 2022 03:36:55 +0100    

In sort_inner_and_outer we iterate a list of PathKey elements, but the  
variable is declared as (List *). This mistake is benign, because we  
only pass the pointer to lcons() and never dereference it.  
  
This exists since ~2004, but it's confusing. So fix and backpatch to all  
supported branches.  
  
Backpatch-through: 10  
Discussion: https://postgr.es/m/bf3a6ea1-a7d8-7211-0669-189d5c169374%40enterprisedb.com  

commit   : 267ccc38ba6a95889d98959f183de64ceff23087    
  
author   : Tomas Vondra <tomas.vondra@postgresql.org>    
date     : Sun, 23 Jan 2022 02:49:41 +0100    
  
committer: Tomas Vondra <tomas.vondra@postgresql.org>    
date     : Sun, 23 Jan 2022 02:49:41 +0100    

The syscache lookup may return NULL even for valid OID, for example due  
to a concurrent DROP STATISTICS, so a HeapTupleIsValid is necessary.  
Without it, it may fail with a segfault.  
  
Reported by Alexander Lakhin, patch by me. Backpatch to 13, where ALTER  
STATISTICS ... SET STATISTICS was introduced.  
  
Backpatch-through: 13  
Discussion: https://postgr.es/m/17372-bf3b6e947e35ae77%40postgresql.org  

commit   : 31b7b4d26e10086d4a79d49a28fd161da52da49a    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Sat, 22 Jan 2022 13:32:40 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Sat, 22 Jan 2022 13:32:40 -0500    

Previously, unless we had to add a NOT NULL constraint to the column,  
this command resulted in updating only the index's relcache entry.  
That's problematic when replication behavior is being driven off the  
existence of a primary key: other sessions (and ours too for that  
matter) failed to recalculate their opinion of whether the table can  
be replicated.  Add a relcache invalidation to fix it.  
  
This has been broken since pg_class.relhaspkey was removed in v11.  
Before that, updating the table's relhaspkey value sufficed to cause  
a cache flush.  Hence, backpatch to v11.  
  
Report and patch by Hou Zhijie  
  
Discussion: https://postgr.es/m/OS0PR01MB5716EBE01F112C62F8F9B786947B9@OS0PR01MB5716.jpnprd01.prod.outlook.com  

commit   : 64ebb43df068e3a9c01beeaacf7842080c43e712    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Fri, 21 Jan 2022 15:36:12 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Fri, 21 Jan 2022 15:36:12 -0500    

In libpq and ecpglib, multiple threads can concurrently enter the  
initialization logic for message localization.  Since we set the  
its-done flag before actually doing the work, it'd be possible  
for some threads to reach gettext() before anyone has called  
bindtextdomain().  Barring bugs in libintl itself, this would not  
result in anything worse than failure to localize some early  
messages.  Nonetheless, it's a bug, and an easy one to fix.  
  
Noted while investigating bug #17299 from Clemens Zeidler  
(much thanks to Liam Bowen for followup investigation on that).  
It currently appears that that actually *is* a bug in libintl itself,  
but that doesn't let us off the hook for this bit.  
  
Back-patch to all supported versions.  
  
Discussion: https://postgr.es/m/17299-7270741958c0b1ab@postgresql.org  
Discussion: https://postgr.es/m/CAE7q7Eit4Eq2=bxce=Fm8HAStECjaXUE=WBQc-sDDcgJQ7s7eg@mail.gmail.com  

commit   : fd48e5f5d3a14dda804e7b74e16dac6f5ab1b781    
  
author   : Andres Freund <andres@anarazel.de>    
date     : Fri, 21 Jan 2022 11:22:55 -0800    
  
committer: Andres Freund <andres@anarazel.de>    
date     : Fri, 21 Jan 2022 11:22:55 -0800    

While individual logical rewrite files were synced to disk, the directory was  
not. On some filesystems that could lead to loosing directory entries after a  
crash.  
  
Reported-By: Tom Lane <tgl@sss.pgh.pa.us>  
Author: Nathan Bossart <bossartn@amazon.com>  
Discussion: https://postgr.es/m/867F2E29-2782-4869-970E-B984C6D35A8F@amazon.com  
Backpatch: 10-  

commit   : b5f634116e8f3e264cc06c053bd7b4e25a615665    
  
author   : Michael Paquier <michael@paquier.xyz>    
date     : Fri, 21 Jan 2022 14:54:51 +0900    
  
committer: Michael Paquier <michael@paquier.xyz>    
date     : Fri, 21 Jan 2022 14:54:51 +0900    

The logic in charge of writing commit timestamps (enabled with  
track_commit_timestamp) for subtransactions had a one-bug bug,  
where it would be possible that commit timestamps go missing for the  
last subtransaction committed.  
  
While on it, simplify a bit the iteration logic in the loop writing the  
commit timestamps, as per suggestions from Kyotaro Horiguchi and Tom  
Lane, so as some variable initializations are not part of the loop  
itself.  
  
Issue introduced in 73c986a.  
  
Analyzed-by: Alex Kingsborough  
Author: Alex Kingsborough, Kyotaro Horiguchi  
Discussion: https://postgr.es/m/73A66172-4050-4F2A-B7F1-13508EDA2144@amazon.com  
Backpatch-through: 10  

commit   : 4828a80069abc3e4b5baffe3ebffb69e6dd5bc10    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Thu, 20 Jan 2022 17:28:07 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Thu, 20 Jan 2022 17:28:07 -0500    

Commits 6c4a8903b et al. had a couple of deficiencies:  
  
* The logic I added to Cluster::start to see if a PID file is present  
could be fooled by a stale PID file left over from a previous  
postmaster.  To fix, if we're not sure whether we expect to find a  
running postmaster or not, validate the PID using "kill 0".  
  
* 017_shm.pl has a loop in which it just issues repeated Cluster::start  
calls; this will fail if some invocation fails but leaves self->_pid  
set.  Per buildfarm results, the above fix is not enough to make this  
safe: we might have "validated" a PID for a postmaster that exits  
immediately after we look.  Hence, match each failed start call with  
a stop call that will get us back to the self->_pid == undef state.  
Add a fail_ok option to Cluster::stop to make this work.  
  
Discussion: https://postgr.es/m/CA+hUKGKV6fOHvfiPt8=dOKzvswjAyLoFoJF1iQXMNpi7+hD1JQ@mail.gmail.com  

commit   : 31680730ef7bac82ff09efa0824c2d8e5e8840f1    
  
author   : Andrew Dunstan <andrew@dunslane.net>    
date     : Thu, 20 Jan 2022 10:13:18 -0500    
  
committer: Andrew Dunstan <andrew@dunslane.net>    
date     : Thu, 20 Jan 2022 10:13:18 -0500    

This was omitted from c3879a7b4c which modified the other msvc .bat  
files.  
  
Per request from Juan José Santamaría Flecha  
  
Discussion: https://postgr.es/m/CAC+AXB0_fxYGbQoaYjCA8um7TTbOVP4L9aXnVmHwK8WzaT4gdA@mail.gmail.com  
  
Backpatch to all live branches.  

commit   : 8e8e253a7b90d89dd9cb9d33848b55ac79958351    
  
author   : Thomas Munro <tmunro@postgresql.org>    
date     : Thu, 20 Jan 2022 22:11:48 +1300    
  
committer: Thomas Munro <tmunro@postgresql.org>    
date     : Thu, 20 Jan 2022 22:11:48 +1300    

Since the test requires reproducible behavior from VACUUM, and since  
DISABLE_PAGE_SKIPPING doesn't actually disable all forms of page  
skipping, let's use a temporary table to avoid contention.  
  
Back-patch to 12, like commit 3414099c.  
  
Discussion: https://postgr.es/m/20220120052404.sonrhq3f3qgplpzj%40alap3.anarazel.de  

commit   : 3ca40a2b18a0638994e35160dfc8d392b1aef898    
  
author   : Michael Paquier <michael@paquier.xyz>    
date     : Thu, 20 Jan 2022 16:54:58 +0900    
  
committer: Michael Paquier <michael@paquier.xyz>    
date     : Thu, 20 Jan 2022 16:54:58 +0900    

This information was nowhere to be found.  This adds one note on the  
page of COMMENT, and one note in the section dedicated to explicit  
locking, both telling that a SHARE UPDATE EXCLUSIVE lock is taken on the  
object commented.  
  
Author: Nikolai Berkoff  
Reviewed-by: Laurenz Albe  
Discussion: https://postgr.es/m/_0HDHIGcCdCsUyXn22QwI2FEuNR6Fs71rtgGX6hfyBlUh5rrnE2qMmvIFu9EY4Pijr2gUmJEAXCjuNU2Oxku9TryLp9CdHllpsCfN3gD0-Y=@pm.me  
Backpatch-through: 10  

commit   : 6eec809fbcfbd8e0ab5e1c6485c7f53020f0d0b0    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Wed, 19 Jan 2022 16:29:09 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Wed, 19 Jan 2022 16:29:09 -0500    

"pg_ctl start" might start a new postmaster and then return failure  
anyway, for example if PGCTLTIMEOUT is exceeded.  If there is a  
postmaster there, it's still incumbent on us to shut it down at  
script end, so check for the PID file even though we are about  
to fail.  
  
This has been broken all along, so back-patch to all supported branches.  
  
Discussion: https://postgr.es/m/647439.1642622744@sss.pgh.pa.us  

commit   : 3204b8a7affc7277ae4eebc3f53c566f859d1815    
  
author   : Michael Paquier <michael@paquier.xyz>    
date     : Wed, 19 Jan 2022 10:37:53 +0900    
  
committer: Michael Paquier <michael@paquier.xyz>    
date     : Wed, 19 Jan 2022 10:37:53 +0900    

This function returns NULL if the replication origin given in input  
argument does not exist, contrary to what the docs described  
previously.  
  
Author: Ian Barwick  
Discussion: https://postgr.es/m/CAB8KJ=htJjBL=103URqjOxV2mqb4rjphDpMeKdyKq_QXt6h05w@mail.gmail.com  
Backpatch-through: 10  

commit   : 639a9293d4cbf6bdfcc641f335e2c5a2359cce75    
  
author   : Thomas Munro <tmunro@postgresql.org>    
date     : Wed, 19 Jan 2022 07:03:01 +1300    
  
committer: Thomas Munro <tmunro@postgresql.org>    
date     : Wed, 19 Jan 2022 07:03:01 +1300    

Where we test vacuum_truncate's effects, sometimes this is failing to  
truncate as expected on the build farm.  That could be explained by page  
skipping, so disable it explicitly, with the theory that commit fe246d1c  
didn't go far enough.  
  
Back-patch to 12, where the vacuum_truncate tests were added.  
  
Discussion: https://postgr.es/m/CA%2BhUKGLT2UL5_JhmBzUgkdyKfc%3D5J-gJSQJLysMs4rqLUKLAzw%40mail.gmail.com  

commit   : 90e0f9fd8cae7cfb09c11534f690edde6d6ee06c    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Mon, 17 Jan 2022 21:18:49 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Mon, 17 Jan 2022 21:18:49 -0500    

The original coding (from c33869cc3) failed with "more than one row  
returned by a subquery used as an expression" if there were unrelated  
triggers of the same tgname on parent partitioned tables.  (That's  
possible because statement-level triggers don't get inherited.)  Fix  
by applying LIMIT 1 after sorting the candidates by inheritance level.  
  
Also, wrap the subquery in a CASE so that we don't have to execute it at  
all when the trigger is visibly non-inherited.  Aside from saving some  
cycles, this avoids the need for a confusing and undocumented NULLIF().  
  
While here, tweak the format of the emitted query to look a bit  
nicer for "psql -E", and add some explanation of this subquery,  
because it badly needs it.  
  
Report and patch by Justin Pryzby (with some editing by me).  
Back-patch to v13 where the faulty code came in.  
  
Discussion: https://postgr.es/m/20211217154356.GJ17618@telsasoft.com  

commit   : d18ec312f9f36c220aa1a1497d3173729c862d66    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Mon, 17 Jan 2022 13:30:04 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Mon, 17 Jan 2022 13:30:04 -0500    

It seems highly unlikely that gettext() can be relied on to be  
async-signal-safe.  psql used to understand that, but someone got  
it wrong long ago in the src/bin/scripts/ version of handle_sigint,  
and then the bad idea was perpetuated when those two versions were  
unified into src/fe_utils/cancel.c.  
  
I'm unsure why there have not been field complaints about this  
... maybe gettext() is signal-safe once it's translated at least  
one message?  But we have no business assuming any such thing.  
  
In cancel.c (v13 and up), I preserved our ability to localize  
"Cancel request sent" messages by invoking gettext() before  
the signal handler is set up.  In earlier branches I just made  
src/bin/scripts/ not localize those messages, as psql did then.  
  
(Just for extra unsafety, the src/bin/scripts/ version was  
invoking fprintf() from a signal handler.  Sigh.)  
  
Noted while fixing signal-safety issues in PQcancel() itself.  
Back-patch to all supported branches.  
  
Discussion: https://postgr.es/m/2937814.1641960929@sss.pgh.pa.us  

commit   : f27af7b880de97cccd24e37a62692f294bba5bba    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Mon, 17 Jan 2022 12:52:44 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Mon, 17 Jan 2022 12:52:44 -0500    

PQcancel() is supposed to be safe to call from a signal handler,  
and indeed psql uses it that way.  All of the library functions  
it uses are specified to be async-signal-safe by POSIX ...  
except for strerror.  Neither plain strerror nor strerror_r  
are considered safe.  When this code was written, back in the  
dark ages, we probably figured "oh, strerror will just index  
into a constant array of strings" ... but in any locale except C,  
that's unlikely to be true.  Probably the reason we've not heard  
complaints is that (a) this error-handling code is unlikely to be  
reached in normal use, and (b) in many scenarios, localized error  
strings would already have been loaded, after which maybe it's  
safe to call strerror here.  Still, this is clearly unacceptable.  
  
The best we can do without relying on strerror is to print the  
decimal value of errno, so make it do that instead.  (This is  
probably not much loss of user-friendliness, given that it is  
hard to get a failure here.)  
  
Back-patch to all supported branches.  
  
Discussion: https://postgr.es/m/2937814.1641960929@sss.pgh.pa.us  

commit   : 90a847e6dcc8fcf8d6f0eaf7b8022153d3b0f184    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Sun, 16 Jan 2022 14:59:20 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Sun, 16 Jan 2022 14:59:20 -0500    

Since enum labels have to be single-quoted, this part of the  
tab completion machinery got side-swiped by commit cd69ec66c.  
A side-effect of that commit is that (at least with some versions  
of Readline) the text string passed for completion will omit the  
leading quote mark of the enum label literal.  Libedit still acts  
the same as before, though, so adapt COMPLETE_WITH_ENUM_VALUE so  
that it can cope with either convention.  
  
Also, when we fail to find any valid completion, set  
rl_completion_suppress_quote = 1.  Otherwise readline will  
go ahead and append a closing quote, which is unwanted.  
  
Per report from Peter Eisentraut.  Back-patch to v13 where  
cd69ec66c came in.  
  
Discussion: https://postgr.es/m/8ca82d89-ec3d-8b28-8291-500efaf23b25@enterprisedb.com  

commit   : d6817032d26becd3c49f11d16efd6012e2139fc4    
  
author   : Tomas Vondra <tomas.vondra@postgresql.org>    
date     : Sat, 15 Jan 2022 18:17:20 +0100    
  
committer: Tomas Vondra <tomas.vondra@postgresql.org>    
date     : Sat, 15 Jan 2022 18:17:20 +0100    

Commit 859b3003de disabled building of extended stats for inheritance  
trees, to prevent updating the same catalog row twice. While that  
resolved the issue, it also means there are no extended stats for  
declaratively partitioned tables, because there are no data in the  
non-leaf relations.  
  
That also means declaratively partitioned tables were not affected by  
the issue 859b3003de addressed, which means this is a regression  
affecting queries that calculate estimates for the whole inheritance  
tree as a whole (which includes e.g. GROUP BY queries).  
  
But because partitioned tables are empty, we can invert the condition  
and build statistics only for the case with inheritance, without losing  
anything. And we can consider them when calculating estimates.  
  
It may be necessary to run ANALYZE on partitioned tables, to collect  
proper statistics. For declarative partitioning there should no prior  
statistics, and it might take time before autoanalyze is triggered. For  
tables partitioned by inheritance the statistics may include data from  
child relations (if built 859b3003de), contradicting the current code.  
  
Report and patch by Justin Pryzby, minor fixes and cleanup by me.  
Backpatch all the way back to PostgreSQL 10, where extended statistics  
were introduced (same as 859b3003de).  
  
Author: Justin Pryzby  
Reported-by: Justin Pryzby  
Backpatch-through: 10  
Discussion: https://postgr.es/m/20210923212624.GI831%40telsasoft.com  

commit   : acfde7c5837dd3c2a40ff9cc639ba5d914e8e8ea    
  
author   : Tomas Vondra <tomas.vondra@postgresql.org>    
date     : Sat, 15 Jan 2022 02:15:23 +0100    
  
committer: Tomas Vondra <tomas.vondra@postgresql.org>    
date     : Sat, 15 Jan 2022 02:15:23 +0100    

Since commit 859b3003de we only build extended statistics for individual  
relations, ignoring the child relations. This resolved the issue with  
updating catalog tuple twice, but we still tried to use the statistics  
when calculating estimates for the whole inheritance tree. When the  
relations contain very distinct data, it may produce bogus estimates.  
  
This is roughly the same issue 427c6b5b9 addressed ~15 years ago, and we  
fix it the same way - by ignoring extended statistics when calculating  
estimates for the inheritance tree as a whole. We still consider  
extended statistics when calculating estimates for individual child  
relations, of course.  
  
This may result in plan changes due to different estimates, but if the  
old statistics were not describing the inheritance tree particularly  
well it's quite likely the new plans is actually better.  
  
Report and patch by Justin Pryzby, minor fixes and cleanup by me.  
Backpatch all the way back to PostgreSQL 10, where extended statistics  
were introduced (same as 859b3003de).  
  
Author: Justin Pryzby  
Reported-by: Justin Pryzby  
Backpatch-through: 10  
Discussion: https://postgr.es/m/20210923212624.GI831%40telsasoft.com  

commit   : ca14c4184b55cbe2fa79c87174b8064fc5f90874    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Thu, 13 Jan 2022 17:49:26 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Thu, 13 Jan 2022 17:49:26 -0500    

Commit 7745bc352 intended to ensure that whole-row Vars would be  
printed with "::type" decoration in all contexts where plain  
"var.*" notation would result in star-expansion, notably in  
ROW() and VALUES() constructs.  However, it missed the case of  
INSERT with a single-row VALUES, as reported by Timur Khanjanov.  
  
Nosing around ruleutils.c, I found a second oversight: the  
code for RowCompareExpr generates ROW() notation without benefit  
of an actual RowExpr, and naturally it wasn't in sync :-(.  
(The code for FieldStore also does this, but we don't expect that  
to generate strictly parsable SQL anyway, so I left it alone.)  
  
Back-patch to all supported branches.  
  
Discussion: https://postgr.es/m/efaba6f9-4190-56be-8ff2-7a1674f9194f@intrans.baku.az  

commit   : 2180833ba90e9657a7e622b419194763890c8a6d    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Mon, 10 Jan 2022 11:46:16 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Mon, 10 Jan 2022 11:46:16 -0500    

I had a brain fade in commit d32899157, and used 2:30AM as the  
example timestamp for both spring-forward and fall-back cases.  
But it's not actually ambiguous at all in the fall-back case,  
because that transition is from 2AM to 1AM under USA rules.  
Fix the example to use 1:30AM, which *is* ambiguous.  
  
Noted while answering a question from Aleksander Alekseev.  
Back-patch to all supported branches.  
  
Discussion: https://postgr.es/m/2191355.1641828552@sss.pgh.pa.us  

commit   : 32cd4264ccfc00234c6500913800983ca1073729    
  
author   : Andrew Dunstan <andrew@dunslane.net>    
date     : Mon, 10 Jan 2022 10:08:44 -0500    
  
committer: Andrew Dunstan <andrew@dunslane.net>    
date     : Mon, 10 Jan 2022 10:08:44 -0500    

Juan José Santamaría Flecha  
  
Backpatch to all live branches  

commit   : 823d4c7e25383cb4056c21615130b2abde17efba    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Sat, 8 Jan 2022 14:54:39 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Sat, 8 Jan 2022 14:54:39 -0500    

If contrib/btree_gist is used to make a GIST index on a char(N)  
(bpchar) column, and that column is retrieved via an index-only  
scan, what came out had all trailing spaces removed.  Since  
that doesn't happen in any other kind of table scan, this is  
clearly a bug.  The cause is that gbt_bpchar_compress() strips  
trailing spaces (using rtrim1) before a new index entry is made.  
That was probably a good idea when this code was first written,  
but since we invented index-only scans, it's not so good.  
  
One answer could be to mark this opclass as incapable of index-only  
scans.  But to do so, we'd need an extension module version bump,  
followed by manual action by DBAs to install the updated version  
of btree_gist.  And it's not really a desirable place to end up,  
anyway.  
  
Instead, let's fix the code by removing the unwanted space-stripping  
action and adjusting the opclass's comparison logic to ignore  
trailing spaces as bpchar normally does.  This will not hinder  
cases that work today, since index searches with this logic will  
act the same whether trailing spaces are stored or not.  It will  
not by itself fix the problem of getting space-stripped results  
from index-only scans, of course.  Users who care about that can  
REINDEX affected indexes after installing this update, to immediately  
replace all improperly-truncated index entries.  Otherwise, it can  
be expected that the index's behavior will change incrementally as  
old entries are replaced by new ones.  
  
Per report from Alexander Lakhin.  Back-patch to all supported branches.  
  
Discussion: https://postgr.es/m/696c995b-b37f-5526-f45d-04abe713179f@gmail.com  

commit   : 410567177cd418569f1acac5e8073a1c407943ee    
  
author   : Bruce Momjian <bruce@momjian.us>    
date     : Fri, 7 Jan 2022 19:04:56 -0500    
  
committer: Bruce Momjian <bruce@momjian.us>    
date     : Fri, 7 Jan 2022 19:04:56 -0500    

Backpatch-through: 10  

commit   : f3ded9c4600c000cdd7e0eb307bdfccd39a0e90e    
  
author   : Andrew Dunstan <andrew@dunslane.net>    
date     : Fri, 7 Jan 2022 16:07:45 -0500    
  
committer: Andrew Dunstan <andrew@dunslane.net>    
date     : Fri, 7 Jan 2022 16:07:45 -0500    

Instead of using a hardcoded or default path to the perl file the .bat  
file is a wrapper for, we use a path that means the file is found in  
the same directory as the .bat file.  
  
Patch by Anton Voloshin, slightly tweaked by me.  
  
Backpatch to all live branches  
  
Discussion: https://postgr.es/m/2b7a674b-5fb0-d264-75ef-ecc7a31e54f8@postgrespro.ru  

commit   : 86d4bbb56a8aa94e8926067a5bf86a5a74b8c933    
  
author   : Tom Lane <tgl@sss.pgh.pa.us>    
date     : Thu, 6 Jan 2022 16:46:46 -0500    
  
committer: Tom Lane <tgl@sss.pgh.pa.us>    
date     : Thu, 6 Jan 2022 16:46:46 -0500