PostgreSQL 15.6 commit log

Stamp 15.6.

commit   : 496a1dc44bf1261053da9b3f7e430769754298b4    
  
author   : Tom Lane <[email protected]>    
date     : Mon, 5 Feb 2024 16:43:21 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Mon, 5 Feb 2024 16:43:21 -0500    

Click here for diff

M configure
M configure.ac

Last-minute updates for release notes.

commit   : cb620968b6f7339113b7873b9abf5885cb4aa1ee    
  
author   : Tom Lane <[email protected]>    
date     : Mon, 5 Feb 2024 11:51:11 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Mon, 5 Feb 2024 11:51:11 -0500    

Click here for diff

Security: CVE-2024-0985 (not CVE-2023-5869 as claimed in prior commit msg)  

M doc/src/sgml/release-15.sgml

Translation updates

commit   : 5b5483f1fd85dd0c6af7908ac442c6f0f2f60382    
  
author   : Peter Eisentraut <[email protected]>    
date     : Mon, 5 Feb 2024 14:47:58 +0100    
  
committer: Peter Eisentraut <[email protected]>    
date     : Mon, 5 Feb 2024 14:47:58 +0100    

Click here for diff

Source-Git-URL: https://git.postgresql.org/git/pgtranslation/messages.git  
Source-Git-Hash: b00179c98c571c2c717c2d9aff0fb4becbb9d298  

M src/backend/po/de.po
M src/backend/po/es.po
M src/backend/po/fr.po
M src/backend/po/it.po
M src/backend/po/ja.po
M src/backend/po/ko.po
M src/backend/po/ru.po
M src/backend/po/sv.po
M src/backend/po/uk.po
M src/backend/po/zh_CN.po
M src/bin/pg_dump/po/ru.po
M src/bin/pg_rewind/po/ru.po
M src/bin/pg_upgrade/po/ru.po
M src/bin/pg_upgrade/po/uk.po
M src/bin/pg_waldump/po/de.po
M src/bin/pg_waldump/po/ru.po
M src/bin/psql/po/ja.po
M src/bin/psql/po/ru.po
M src/bin/scripts/po/uk.po
M src/interfaces/libpq/po/ru.po
M src/pl/plpgsql/src/po/ru.po

Fix assertion if index is dropped during REFRESH CONCURRENTLY

commit   : 06f36bc01bf69f888896eb16025db8265b4df9be    
  
author   : Heikki Linnakangas <[email protected]>    
date     : Mon, 5 Feb 2024 11:01:30 +0200    
  
committer: Heikki Linnakangas <[email protected]>    
date     : Mon, 5 Feb 2024 11:01:30 +0200    

Click here for diff

When assertions are disabled, the built SQL statement is invalid and  
you get a "syntax error". So this isn't a serious problem, but let's  
avoid the assertion failure.  
  
Backpatch to all supported versions.  
  
Reviewed-by: Noah Misch  

M src/backend/commands/matview.c
M src/test/regress/expected/matview.out
M src/test/regress/sql/matview.sql

Run REFRESH MATERIALIZED VIEW CONCURRENTLY in right security context

commit   : f2fdea198b3d0ab30b9e8478a762488ecebabd88    
  
author   : Heikki Linnakangas <[email protected]>    
date     : Mon, 5 Feb 2024 11:01:23 +0200    
  
committer: Heikki Linnakangas <[email protected]>    
date     : Mon, 5 Feb 2024 11:01:23 +0200    

Click here for diff

The internal commands in REFRESH MATERIALIZED VIEW CONCURRENTLY are  
correctly executed in SECURITY_RESTRICTED_OPERATION mode, except for  
creating the temporary "diff" table, because you cannot create  
temporary tables in SRO mode. But creating the temporary "diff" table  
is a pretty complex CTAS command that selects from another temporary  
table created earlier in the command. If you can cajole that CTAS  
command to execute code defined by the table owner, the table owner  
can run code with the privileges of the user running the REFRESH  
command.  
  
The proof-of-concept reported to the security team relied on CREATE  
RULE to convert the internally-built temp table to a view. That's not  
possible since commit b23cd185fd, and I was not able to find a  
different way to turn the SELECT on the temp table into code  
execution, so as far as I know this is only exploitable in v15 and  
below. That's a fiddly assumption though, so apply this patch to  
master and all stable versions.  
  
Thanks to Pedro Gallegos for the report.  
  
Security: CVE-2023-5869  
Reviewed-by: Noah Misch  

M src/backend/commands/matview.c

Release notes for 16.2, 15.6, 14.11, 13.14, 12.18.

commit   : 9a3cf3477617d8f4e296bc0b9f69d956dc601a74    
  
author   : Tom Lane <[email protected]>    
date     : Sun, 4 Feb 2024 14:17:14 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Sun, 4 Feb 2024 14:17:14 -0500    

Click here for diff

M doc/src/sgml/release-15.sgml

Translate ENOMEM to ERRCODE_OUT_OF_MEMORY in errcode_for_file_access().

commit   : 3766b8b64e1c6e2798accd321b1d027553ca7ae3    
  
author   : Tom Lane <[email protected]>    
date     : Fri, 2 Feb 2024 15:34:29 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Fri, 2 Feb 2024 15:34:29 -0500    

Click here for diff

Previously you got ERRCODE_INTERNAL_ERROR, which seems inappropriate,  
especially given that we're trying to avoid emitting that in reachable  
cases.  
  
Alexander Kuzmenkov  
  
Discussion: https://postgr.es/m/CALzhyqzgQph0BY8-hFRRGdHhF8CoqmmDHW9S=hMZ-HMzLxRqDQ@mail.gmail.com  

M src/backend/utils/error/elog.c

Sync PG_VERSION file in CREATE DATABASE.

commit   : 8fa4a1ac61189efffb8b851ee77e1bc87360c445    
  
author   : Noah Misch <[email protected]>    
date     : Thu, 1 Feb 2024 13:44:19 -0800    
  
committer: Noah Misch <[email protected]>    
date     : Thu, 1 Feb 2024 13:44:19 -0800    

Click here for diff

An OS crash could leave PG_VERSION empty or missing.  The same symptom  
appeared in a backup by block device snapshot, taken after the next  
checkpoint and before the OS flushes the PG_VERSION blocks.  Device  
snapshots are not a documented backup method, however.  Back-patch to  
v15, where commit 9c08aea6a3090a396be334cc58c511edab05776a introduced  
STRATEGY=WAL_LOG and made it the default.  
  
Discussion: https://postgr.es/m/[email protected]  

M doc/src/sgml/monitoring.sgml
M src/backend/commands/dbcommands.c
M src/backend/utils/activity/wait_event.c
M src/include/utils/wait_event.h

Handle interleavings between CREATE DATABASE steps and base backup.

commit   : d493bed28f7f6c77051bba3dde383e0ff78d3a19    
  
author   : Noah Misch <[email protected]>    
date     : Thu, 1 Feb 2024 13:44:19 -0800    
  
committer: Noah Misch <[email protected]>    
date     : Thu, 1 Feb 2024 13:44:19 -0800    

Click here for diff

Restoring a base backup taken in the middle of CreateDirAndVersionFile()  
or write_relmap_file() would lose the function's effects.  The symptom  
was absence of the database directory, PG_VERSION file, or  
pg_filenode.map.  If missing the directory, recovery would fail.  Either  
missing file would not fail recovery but would render the new database  
unusable.  Fix CreateDirAndVersionFile() with the transam/README "action  
first and then write a WAL entry" strategy.  That has a side benefit of  
moving filesystem mutations out of a critical section, reducing the ways  
to PANIC.  Fix the write_relmap_file() call with a lock acquisition, so  
it interacts with checkpoints like non-CREATE DATABASE calls do.  
Back-patch to v15, where commit 9c08aea6a3090a396be334cc58c511edab05776a  
introduced STRATEGY=WAL_LOG and made it the default.  
  
Discussion: https://postgr.es/m/[email protected]  

M src/backend/commands/dbcommands.c
M src/backend/utils/cache/relmapper.c

Update time zone data files to tzdata release 2024a.

commit   : 970b1aeeba78ad609455f7b55c9d81d06f2a75a5    
  
author   : Tom Lane <[email protected]>    
date     : Thu, 1 Feb 2024 15:57:53 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Thu, 1 Feb 2024 15:57:53 -0500    

Click here for diff

DST law changes in Ittoqqortoormiit, Greenland (America/Scoresbysund),  
Kazakhstan (Asia/Almaty and Asia/Qostanay) and Palestine; as well as  
updates for the Antarctic stations Casey and Vostok.  
  
Historical corrections for Vietnam, Toronto, and Miquelon.  

M src/timezone/data/tzdata.zi

Avoid package qualification of $windows_os

commit   : 13330b45a1a315bed31c4017e032fcbd06361459    
  
author   : Andrew Dunstan <[email protected]>    
date     : Thu, 1 Feb 2024 15:17:41 -0500    
  
committer: Andrew Dunstan <[email protected]>    
date     : Thu, 1 Feb 2024 15:17:41 -0500    

Click here for diff

Further fallout from commit 6ee26c6a4b. To keep code in sync and avoid  
issues on older releases with different package names, simply use the  
unqualified name like many other places in our code.  

M src/bin/pg_rewind/t/003_extrafiles.pl

Apply band-aid fix for an oversight in reparameterize_path_by_child.

commit   : 12ec16d11c8bd75624a77ae7a456ceec8332c9d9    
  
author   : Tom Lane <[email protected]>    
date     : Thu, 1 Feb 2024 12:34:21 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Thu, 1 Feb 2024 12:34:21 -0500    

Click here for diff

The path we wish to reparameterize is not a standalone object:  
in particular, it implicitly references baserestrictinfo clauses  
in the associated RelOptInfo, and if it's a SampleScan path then  
there is also the TableSampleClause in the RTE to worry about.  
Both of those could contain lateral references to the join partner  
relation, which would need to be modified to refer to its child.  
Since we aren't doing that, affected queries can give wrong answers,  
or odd failures such as "variable not found in subplan target list",  
or executor crashes.  But we can't just summarily modify those  
expressions, because they are shared with other paths for the rel.  
We'd break things if we modify them and then end up using some  
non-partitioned-join path.  
  
In HEAD, we plan to fix this by postponing reparameterization  
until create_plan(), when we know that those other paths are  
no longer of interest, and then adjusting those expressions along  
with the ones in the path itself.  That seems like too big a change  
for stable branches however.  In the back branches, let's just detect  
whether any troublesome lateral references actually exist in those  
expressions, and fail reparameterization if so.  This will result in  
not performing a partitioned join in such cases.  Given the lack of  
field complaints, nobody's likely to miss the optimization.  
  
Report and patch by Richard Guo.  Apply to 12-16 only, since  
the intended fix for HEAD looks quite different.  We're not quite  
ready to push the HEAD fix, but with back-branch releases coming  
up soon, it seems wise to get this stopgap fix in place there.  
  
Discussion: https://postgr.es/m/CAMbWs496+N=UAjOc=rcD3P7B6oJe4rZw08e_TZRUsWbPxZW3Tw@mail.gmail.com  

M src/backend/optimizer/util/pathnode.c
M src/test/regress/expected/partition_join.out
M src/test/regress/sql/partition_join.sql

doc: remove incorrect grammar for ALTER EVENT TRIGGER

commit   : 76fd779dbdd5a37f761ad033b7f71c70244793f9    
  
author   : Daniel Gustafsson <[email protected]>    
date     : Thu, 1 Feb 2024 10:45:37 +0100    
  
committer: Daniel Gustafsson <[email protected]>    
date     : Thu, 1 Feb 2024 10:45:37 +0100    

Click here for diff

The Parameters subsection had an extra TRIGGER in the grammar  
for DISABLE/ENABLE which is incorrect.  Backpatch down to all  
supported versions since it's been like this all along.  
  
Discussion: https://postgr.es/m/[email protected]  
Backpatch-through: v12  

M doc/src/sgml/ref/alter_event_trigger.sgml

doc: Fix incorrect openssl option

commit   : da9cb249575229cbdebd27a3ba398efd072aa84b    
  
author   : Daniel Gustafsson <[email protected]>    
date     : Thu, 1 Feb 2024 09:36:34 +0100    
  
committer: Daniel Gustafsson <[email protected]>    
date     : Thu, 1 Feb 2024 09:36:34 +0100    

Click here for diff

The openssl command for displaying the DN of a client certificate was  
using --subject and not the single-dash option -subject. While recent  
versions of openssl handles double dash options,  earlier does not so  
fix by using just -subject  (which is per the openssl documentation).  
  
Backpatch to v14 where this was introduced.  
  
Reported-by: [email protected]  
Discussion: https://postgr.es/m/[email protected]  
Backpatch-through: v14  

M doc/src/sgml/client-auth.sgml

Fix stats_fetch_consistency with stats for fixed-numbered objects

commit   : 171d21f50c3ee3f17911daa3d91eb75363669a11    
  
author   : Michael Paquier <[email protected]>    
date     : Thu, 1 Feb 2024 17:13:11 +0900    
  
committer: Michael Paquier <[email protected]>    
date     : Thu, 1 Feb 2024 17:13:11 +0900    

Click here for diff

This impacts the statistics retrieved in transactions for the following  
views when updating the value of stats_fetch_consistency, leading to  
behaviors contrary to what is documented since 605994651b6a as an update  
of this parameter should discard all statistics snapshot data:  
- pg_stat_archiver  
- pg_stat_bgwriter  
- pg_stat_checkpointer  
- pg_stat_io  
- pg_stat_slru  
- pg_stat_wal  
  
For example, updating stats_fetch_consistency from "snapshot" to "cache"  
in a transaction did not re-fetch any fresh data, using data cached from  
the time when "snapshot" was in use.  
  
Author: Shinya Kato  
Discussion: https://postgr.es/m/[email protected]  
Backpatch-through: 15  

M src/backend/utils/activity/pgstat.c

Fix various issues with ALTER TEXT SEARCH CONFIGURATION

commit   : 41fa4b31c12f4affc5d0ed1e257dacaf2bbe0731    
  
author   : Michael Paquier <[email protected]>    
date     : Wed, 31 Jan 2024 13:16:46 +0900    
  
committer: Michael Paquier <[email protected]>    
date     : Wed, 31 Jan 2024 13:16:46 +0900    

Click here for diff

This commit addresses a set of issues when changing token type mappings  
in a text search configuration when using duplicated token names:  
- ADD MAPPING would fail on insertion because of a constraint failure  
after inserting the same mapping.  
- ALTER MAPPING with an "overridden" configuration failed with "tuple  
already updated by self" when the token mappings are removed.  
- DROP MAPPING failed with "tuple already updated by self", like  
previously, but in a different code path.  
  
The code is refactored so the token names (with their numbers) are  
handled as a List with unique members rather than an array with numbers,  
ensuring that no duplicates mess up with the catalog inserts, updates  
and deletes.  The list is generated by getTokenTypes(), with the same  
error handling as previously while duplicated tokens are discarded from  
the list used to work on the catalogs.  
  
Regression tests are expanded to cover much more ground for the cases  
fixed by this commit, as there was no coverage for the code touched in  
this commit.  A bit more is done regarding the fact that a token name  
not supported by a configuration's parser should result in an error even  
if IF EXISTS is used in a DROP MAPPING clause.  This is implied in the  
code but there was no coverage for that, and it was very easy to miss.  
  
These issues exist since at least their introduction in core with  
140d4ebcb46e, so backpatch all the way down.  
  
Reported-by: Alexander Lakhin  
Author: Tender Wang, Michael Paquier  
Discussion: https://postgr.es/m/[email protected]  
Backpatch-through: 12  

M src/backend/commands/tsearchcmds.c
M src/test/regress/expected/tsdicts.out
M src/test/regress/sql/tsdicts.sql
M src/tools/pgindent/typedefs.list

Fix 003_extrafiles.pl test for the Windows

commit   : c7cc528a345066b8b542eacef6dc4d9f72552e46    
  
author   : Andrew Dunstan <[email protected]>    
date     : Tue, 30 Jan 2024 17:09:44 -0500    
  
committer: Andrew Dunstan <[email protected]>    
date     : Tue, 30 Jan 2024 17:09:44 -0500    

Click here for diff

File::Find converts backslashes to slashes in the newer Perl versions.  
See: https://github.com/Perl/perl5/commit/414f14df98cb1c9a20f92c5c54948b67c09f072d  
  
So, do the same conversion for Windows before comparing paths. To  
support all Perl versions, always convert them on Windows regardless of  
the Perl's version.  
  
Author: Nazir Bilal Yavuz <[email protected]>  
  
Backpatch to all live branches  

M src/bin/pg_rewind/t/003_extrafiles.pl

pgcrypto: Fix check for buffer size

commit   : f74b5c5bc67c3c1df799e5dd073a441984953b44    
  
author   : Daniel Gustafsson <[email protected]>    
date     : Tue, 30 Jan 2024 11:15:46 +0100    
  
committer: Daniel Gustafsson <[email protected]>    
date     : Tue, 30 Jan 2024 11:15:46 +0100    

Click here for diff

The code copying the PGP block into the temp buffer failed to  
account for the extra 2 bytes in the buffer which are needed  
for the prefix. If the block was oversized, subsequent checks  
of the prefix would have exceeded the buffer size.  Since the  
block sizes are hardcoded in the list of supported ciphers it  
can be verified that there is no live bug here. Backpatch all  
the way for consistency though, as this bug is old.  
  
Author: Mikhail Gribkov <[email protected]>  
Discussion: https://postgr.es/m/CAMEv5_uWvcMCMdRFDsJLz2Q8g16HEa9xWyfrkr+FYMMFJhawOw@mail.gmail.com  
Backpatch-through: v12  

M contrib/pgcrypto/pgp-decrypt.c

Doc: mention foreign keys can reference unique indexes

commit   : 6fc8a7b2b03bfcb26e2e7440251b6f17e01210c8    
  
author   : David Rowley <[email protected]>    
date     : Tue, 30 Jan 2024 10:16:17 +1300    
  
committer: David Rowley <[email protected]>    
date     : Tue, 30 Jan 2024 10:16:17 +1300    

Click here for diff

We seem to have only documented a foreign key can reference the columns of  
a primary key or unique constraint.  Here we adjust the documentation  
to mention columns in a non-partial unique index can be mentioned too.  
  
The header comment for transformFkeyCheckAttrs() also didn't mention  
unique indexes, so fix that too.  In passing make that header comment  
reflect reality in the various other aspects where it deviated from it.  
  
Bug: 18295  
Reported-by: Gilles PARC  
Author: Laurenz Albe, David Rowley  
Discussion: https://www.postgresql.org/message-id/18295-0ed0fac5c9f7b17b%40postgresql.org  
Backpatch-through: 12  

M doc/src/sgml/ddl.sgml
M doc/src/sgml/ref/create_table.sgml
M src/backend/commands/tablecmds.c

Move is_valid_ascii() to ascii.h.

commit   : 3726c1cb0e3bd18d8916978e18d95251d07360c3    
  
author   : Nathan Bossart <[email protected]>    
date     : Mon, 29 Jan 2024 12:09:08 -0600    
  
committer: Nathan Bossart <[email protected]>    
date     : Mon, 29 Jan 2024 12:09:08 -0600    

Click here for diff

This function requires simd.h, which is a rather large dependency  
for a widely-used header file like pg_wchar.h.  Furthermore, there  
is a report of a third-party tool that is struggling to use  
pg_wchar.h due to its dependence on simd.h (presumably because  
simd.h uses several intrinsics).  Moving the function to the much  
less popular ascii.h resolves these issues for now.  
  
This commit is back-patched for the benefit of the aforementioned  
third-party tool.  The simd.h dependency was only added in v16,  
but we've opted to back-patch to v15 so that is_valid_ascii() lives  
in the same file for all versions where it exists.  This could  
break existing third-party code that uses the function, but we  
couldn't find any examples of such code.  It should be possible to  
fix any code that this commit breaks by including ascii.h in the  
file that uses is_valid_ascii().  
  
Author: Jubilee Young  
Reviewed-by: Tom Lane, John Naylor, Andres Freund, Eric Ridge  
Discussion: https://postgr.es/m/CAPNHn3oKJJxMsYq%2BqLYzVJOFrUcOr4OF1EC-KtFT-qh8nOOOtQ%40mail.gmail.com  
Backpatch-through: 15  

M src/common/wchar.c
M src/include/mb/pg_wchar.h
M src/include/utils/ascii.h

Fix incompatibilities with libxml2 >= 2.12.0.

commit   : 3f8ac13b19764e3a485772d3cbb3ae6c4047eef2    
  
author   : Tom Lane <[email protected]>    
date     : Mon, 29 Jan 2024 12:06:07 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Mon, 29 Jan 2024 12:06:07 -0500    

Click here for diff

libxml2 changed the required signature of error handler callbacks  
to make the passed xmlError struct "const".  This is causing build  
failures on buildfarm member caiman, and no doubt will start showing  
up in the field quite soon.  Add a version check to adjust the  
declaration of xml_errorHandler() according to LIBXML_VERSION.  
  
2.12.x also produces deprecation warnings for contrib/xml2/xpath.c's  
assignment to xmlLoadExtDtdDefaultValue.  I see no good reason for  
that to still be there, seeing that we disabled external DTDs (at a  
lower level) years ago for security reasons.  Let's just remove it.  
  
Back-patch to all supported branches, since they might all get built  
with newer libxml2 once it gets a bit more popular.  (The back  
branches produce another deprecation warning about xpath.c's use of  
xmlSubstituteEntitiesDefault().  We ought to consider whether to  
back-patch all or part of commit 65c5864d7 to silence that.  It's  
less urgent though, since it won't break the buildfarm.)  
  
Discussion: https://postgr.es/m/[email protected]  

M contrib/xml2/xpath.c
M src/backend/utils/adt/xml.c

Fix locking when fixing an incomplete split of a GIN internal page

commit   : e43425f481542e4d5ef9c8fbdfe1759159b9f183    
  
author   : Heikki Linnakangas <[email protected]>    
date     : Mon, 29 Jan 2024 13:46:22 +0200    
  
committer: Heikki Linnakangas <[email protected]>    
date     : Mon, 29 Jan 2024 13:46:22 +0200    

Click here for diff

ginFinishSplit() expects the caller to hold an exclusive lock on the  
buffer, but when finishing an earlier "leftover" incomplete split of  
an internal page, the caller held a shared lock. That caused an  
assertion failure in MarkBufferDirty(). Without assertions, it could  
lead to corruption if two backends tried to complete the split at the  
same time.  
  
On master, add a test case using the new injection point facility.  
  
Report and analysis by Fei Changhong. Backpatch the fix to all  
supported versions.  
  
Reviewed-by: Fei Changhong, Michael Paquier  
Discussion: https://www.postgresql.org/message-id/[email protected]  

M src/backend/access/gin/ginbtree.c

Fix catalog lookup due to wrong snapshot for subtransactions during decoding.

commit   : b793a416bfa8448a6be6deeb3b962c1173efa613    
  
author   : Amit Kapila <[email protected]>    
date     : Mon, 29 Jan 2024 10:42:41 +0530    
  
committer: Amit Kapila <[email protected]>    
date     : Mon, 29 Jan 2024 10:42:41 +0530    

Click here for diff

In commit 272248a0c, we fixed the catalog lookup due to the wrong snapshot  
for transactions and subtransactions during decoding. We failed to  
consider the case where top-level xact is already marked as containing  
catalog change but its subtransaction is not yet marked as containing  
catalog change even though it contained such a change.  
  
This can happen when during decoding, none of the WAL records from the  
subtransaction was decoded and top-level xact contains a DDL.  
  
We fix it by marking the transaction and all its subtransactions as  
containing catalog changes if the top-level xact contains any catalog  
change and it is present in the initial running xacts array.  
  
This fix is required only for 14 and 15 because in prior branches we  
already always mark the transaction and all its subtransactions as  
containing catalog changes in the same case. In 16 and above, we preserve  
the list of transaction IDs and sub-transaction IDs, that have modified  
catalogs and are running during snapshot serialization, to the serialized  
snapshot (see commit 7f13ac8123).  
  
Author: Fei Changhong  
Reviewed-by: Amit Kapila, Hayato Kuroda, Andy Fan  
Discussion: https://postgr.es/m/[email protected]  

M contrib/test_decoding/expected/catalog_change_snapshot.out
M contrib/test_decoding/specs/catalog_change_snapshot.spec
M src/backend/replication/logical/snapbuild.c

Add more LOG messages when starting and ending recovery from a backup

commit   : 8b34cff3381a6a1d3c3d97141d468d468d2a2551    
  
author   : Michael Paquier <[email protected]>    
date     : Thu, 25 Jan 2024 17:07:56 +0900    
  
committer: Michael Paquier <[email protected]>    
date     : Thu, 25 Jan 2024 17:07:56 +0900    

Click here for diff

Three LOG messages are added in the recovery code paths, providing  
information that can be useful to track corruption issues depending on  
the state of the cluster, telling that:  
- Recovery has started from a backup_label.  
- Recovery is restarting from a backup start LSN, without a  
backup_label.  
- Recovery has completed from a backup.  
  
This was originally applied on HEAD as of 1d35f705e191, and there is  
consensus that this can be useful for older versions.  This applies  
cleanly down to 15, so do it down to this version for now (older  
versions have heavily refactored the WAL recovery paths, making the  
change less straight-forward to do).  
  
Author: Andres Freund  
Reviewed-by: David Steele, Laurenz Albe, Michael Paquier  
Discussion: https://postgr.es/m/[email protected]  
Backpatch-through: 15  

M src/backend/access/transam/xlogrecovery.c

Detect Julian-date overflow in timestamp[tz]_pl_interval.

commit   : 86b6243a8ea92760679b6d9a8bbaab562b27a9db    
  
author   : Tom Lane <[email protected]>    
date     : Fri, 26 Jan 2024 13:39:37 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Fri, 26 Jan 2024 13:39:37 -0500    

Click here for diff

We perform addition of the days field of an interval via  
arithmetic on the Julian-date representation of the timestamp's date.  
This step is subject to int32 overflow, and we also should not let  
the Julian date become very negative, for fear of weird results from  
j2date.  (In the timestamptz case, allow a Julian date of -1 to pass,  
since it might convert back to zero after timezone rotation.)  
  
The additions of the months and microseconds fields could also  
overflow, of course.  However, I believe we need no additional  
checks there; the existing range checks should catch such cases.  
The difficulty here is that j2date's magic modular arithmetic could  
produce something that looks like it's in-range.  
  
Per bug #18313 from Christian Maurer.  This has been wrong for  
a long time, so back-patch to all supported branches.  
  
Discussion: https://postgr.es/m/[email protected]  

M src/backend/utils/adt/timestamp.c
M src/test/regress/expected/horology.out
M src/test/regress/sql/horology.sql

Track LLVM 18 changes.

commit   : 67f7aaa38172155ab2d8a2248e87b5d0b7dc6444    
  
author   : Thomas Munro <[email protected]>    
date     : Thu, 25 Jan 2024 10:37:35 +1300    
  
committer: Thomas Munro <[email protected]>    
date     : Thu, 25 Jan 2024 10:37:35 +1300    

Click here for diff

A function was given a newly standard name from C++20 in LLVM 16.  Then  
LLVM 18 added a deprecation warning for the old name, and it is about to  
ship, so it's time to adjust that.  
  
Back-patch to all supported releases.  
  
Discussion: https://www.postgresql.org/message-id/CA+hUKGLbuVhH6mqS8z+FwAn4=5dHs0bAWmEMZ3B+iYHWKC4-ZA@mail.gmail.com  

M src/backend/jit/llvm/llvmjit_inline.cpp

Fix ALTER TABLE .. ADD COLUMN with complex inheritance trees

commit   : ad6fbbeeb07aa40dd3a90b417c0820543d8626eb    
  
author   : Michael Paquier <[email protected]>    
date     : Wed, 24 Jan 2024 14:20:10 +0900    
  
committer: Michael Paquier <[email protected]>    
date     : Wed, 24 Jan 2024 14:20:10 +0900    

Click here for diff

This command, when used to add a column on a parent table with a complex  
inheritance tree, tried to update multiple times the same tuple in  
pg_attribute for a child table when incrementing attinhcount, causing  
failures with "tuple already updated by self" because of a missing  
CommandCounterIncrement() between two updates.  
  
This exists for a rather long time, so backpatch all the way down.  
  
Reported-by: Alexander Lakhin  
Author: Tender Wang  
Reviewed-by: Richard Guo  
Discussion: https://postgr.es/m/[email protected]  
Backpatch-through: 12  

M src/backend/commands/tablecmds.c
M src/test/regress/expected/inherit.out
M src/test/regress/sql/inherit.sql

Abort pgbench if script end is reached with an open pipeline

commit   : 3fd36be52b70b95eea6fe7d296ce871f49eedb50    
  
author   : Alvaro Herrera <[email protected]>    
date     : Mon, 22 Jan 2024 17:48:30 +0100    
  
committer: Alvaro Herrera <[email protected]>    
date     : Mon, 22 Jan 2024 17:48:30 +0100    

Click here for diff

When a pipeline is opened with \startpipeline and not closed, pgbench  
will either error on the next transaction with a "already in pipeline  
mode" error or successfully end if this was the last transaction --  
despite not sending anything that was piped in the pipeline.  
  
Make it an error to reach end of script is reached while there's an  
open pipeline.  
  
Backpatch to 14, where pgbench got support for pipelines.  
  
Author: Anthonin Bonnefoy <[email protected]>  
Reported-by: Michael Paquier <[email protected]>  
Discussion: https://postgr.es/m/[email protected]  

M src/bin/pgbench/pgbench.c
M src/bin/pgbench/t/001_pgbench_with_server.pl

Fix plpgsql to allow new-style SQL CREATE FUNCTION as a SQL command.

commit   : de2d393a8a870750f4d03ad771541f4600b9f23b    
  
author   : Tom Lane <[email protected]>    
date     : Thu, 18 Jan 2024 16:10:57 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Thu, 18 Jan 2024 16:10:57 -0500    

Click here for diff

plpgsql fails on new-style CREATE FUNCTION/PROCEDURE commands within  
a routine or DO block, because make_execsql_stmt believes that a  
semicolon token always terminates a SQL command.  Now, that's actually  
been wrong since the day it was written, because CREATE RULE has long  
allowed multiple rule actions separated by semicolons.  But there are  
few enough people using multi-action rules that there was never an  
attempt to fix it.  New-style SQL functions, though, are popular.  
  
psql has this same problem of "does this semicolon really terminate  
the command?".  It deals with CREATE RULE by counting parenthesis  
nesting depth: a semicolon within parens doesn't end a command.  
Commits e717a9a18 and 029c5ac03 created a similar heuristic to count  
matching BEGIN/END pairs (but only within CREATEs, so as not to be  
fooled by plain BEGIN).  That's survived several releases now without  
trouble reports, so let's just absorb those heuristics into plpgsql.  
  
Per report from Samuel Dussault.  Back-patch to v14 where new-style  
SQL function syntax came in.  
  
Discussion: https://postgr.es/m/YT2PR01MB88552C3E9AD40A6C038774A781722@YT2PR01MB8855.CANPRD01.PROD.OUTLOOK.COM  

M src/pl/plpgsql/src/Makefile
A src/pl/plpgsql/src/expected/plpgsql_misc.out
M src/pl/plpgsql/src/pl_gram.y
A src/pl/plpgsql/src/sql/plpgsql_misc.sql

Improve handling of dropped partitioned indexes for REINDEX INDEX

commit   : a0c19de115661a9c10553291bc5c384f326140af    
  
author   : Michael Paquier <[email protected]>    
date     : Thu, 18 Jan 2024 16:31:46 +0900    
  
committer: Michael Paquier <[email protected]>    
date     : Thu, 18 Jan 2024 16:31:46 +0900    

Click here for diff

A REINDEX INDEX done on a partitioned index builds a list of the indexes  
to work on before processing its partitions in individual transactions.  
When combined with a DROP of the partitioned index, there was a window  
where it was possible to see some unexpected "could not open relation  
with OID", synonym of relation lookup error.  The code was robust enough  
to handle the case where the parent relation is missing, but not the  
case where an index would be gone missing.  
  
This is similar to 1d65416661bb.  
  
Support for REINDEX on partitioned relations has been introduced in  
a6642b3ae060, so backpatch down to 14.  
  
Author: Fei Changhong  
Discussion: https://postgr.es/m/[email protected]  
Backpatch-through: 14  

M src/backend/catalog/index.c

Add try_index_open(), conditional variant of index_open()

commit   : 1cf2dba84b189ef08df7b029ca5f99d85b6ce7aa    
  
author   : Michael Paquier <[email protected]>    
date     : Thu, 18 Jan 2024 15:04:35 +0900    
  
committer: Michael Paquier <[email protected]>    
date     : Thu, 18 Jan 2024 15:04:35 +0900    

Click here for diff

try_index_open() is able to open an index if its relkind fits, except  
that it would return NULL instead of generated an error if the relation  
does not exist.  This new routine will be used by an upcoming patch to  
make REINDEX on partitioned relations more robust when an index in a  
partition tree is dropped.  
  
Extracted from a larger patch by the same author.  
  
Author: Fei Changhong  
Discussion: https://postgr.es/m/[email protected]  
Backpatch-through: 14  

M src/backend/access/index/indexam.c
M src/include/access/genam.h

lwlock: Fix quadratic behavior with very long wait lists

commit   : f374fb4aab3efd37c4c522bce68ca96c7550e8af    
  
author   : Andres Freund <[email protected]>    
date     : Sun, 20 Nov 2022 11:56:32 -0800    
  
committer: Michael Paquier <[email protected]>    
date     : Sun, 20 Nov 2022 11:56:32 -0800    

Click here for diff

Until now LWLockDequeueSelf() sequentially searched the list of waiters to see  
if the current proc is still is on the list of waiters, or has already been  
removed. In extreme workloads, where the wait lists are very long, this leads  
to a quadratic behavior. #backends iterating over a list #backends  
long. Additionally, the likelihood of needing to call LWLockDequeueSelf() in  
the first place also increases with the increased length of the wait queue, as  
it becomes more likely that a lock is released while waiting for the wait list  
lock, which is held for longer during lock release.  
  
Due to the exponential back-off in perform_spin_delay() this is surprisingly  
hard to detect. We should make that easier, e.g. by adding a wait event around  
the pg_usleep() - but that's a separate patch.  
  
The fix is simple - track whether a proc is currently waiting in the wait list  
or already removed but waiting to be woken up in PGPROC->lwWaiting.  
  
In some workloads with a lot of clients contending for a small number of  
lwlocks (e.g. WALWriteLock), the fix can substantially increase throughput.  
  
This has been originally fixed for 16~ with a4adc31f6902 without a  
backpatch, and we have heard complaints from users impacted by this  
quadratic behavior in older versions as well.  
  
Author: Andres Freund <[email protected]>  
Reviewed-by: Bharath Rupireddy <[email protected]>  
Discussion: https://postgr.es/m/[email protected]  
Discussion: https://postgr.es/m/CALj2ACXktNbG=K8Xi7PSqbofTZozavhaxjatVc14iYaLu4Maag@mail.gmail.com  
Backpatch-through: 12  

M src/backend/access/transam/twophase.c
M src/backend/storage/lmgr/lwlock.c
M src/backend/storage/lmgr/proc.c
M src/include/storage/lwlock.h
M src/include/storage/proc.h

Fix incorrect comment on how BackendStatusArray is indexed

commit   : 90ccc9bf90a917037f9cd451ce4c10fb9704924e    
  
author   : Heikki Linnakangas <[email protected]>    
date     : Wed, 17 Jan 2024 15:44:10 +0200    
  
committer: Heikki Linnakangas <[email protected]>    
date     : Wed, 17 Jan 2024 15:44:10 +0200    

Click here for diff

The comment was copy-pasted from the call to ProcSignalInit() in  
AuxiliaryProcessMain(), which uses a similar scheme of having reserved  
slots for aux processes after MaxBackends slots for backends. However,  
ProcSignalInit() indexing starts from 1, whereas BackendStatusArray  
starts from 0. The code is correct, but the comment was wrong.  
  
Discussion: https://www.postgresql.org/message-id/[email protected]  
Backpatch-through: v14  

M src/backend/utils/activity/backend_status.c

Close socket in case of errors in setting non-blocking

commit   : 551c0b7bda3e147494bb9858035427d918b885a2    
  
author   : Daniel Gustafsson <[email protected]>    
date     : Wed, 17 Jan 2024 11:24:11 +0100    
  
committer: Daniel Gustafsson <[email protected]>    
date     : Wed, 17 Jan 2024 11:24:11 +0100    

Click here for diff

If configuring the newly created socket non-blocking fails we  
error out and return INVALID_SOCKET, but the socket that had  
been created wasn't closed. Fix by issuing closesocket in the  
errorpath.  
  
Backpatch to all supported branches.  
  
Author: Ranier Vilela <[email protected]>  
Discussion: https://postgr.es/m/CAEudQApmU5CrKefH85VbNYE2y8H=-qqEJbg6RAPU65+vCe+89A@mail.gmail.com  
Backpatch-through: v12  

M src/backend/port/win32/socket.c

Decorate WITH with literal markup tags

commit   : 25e5663b8cd3a63008b9bea790d9a41e569103fe    
  
author   : Daniel Gustafsson <[email protected]>    
date     : Tue, 16 Jan 2024 13:51:15 +0100    
  
committer: Daniel Gustafsson <[email protected]>    
date     : Tue, 16 Jan 2024 13:51:15 +0100    

Click here for diff

One instance of "WITH clause" was not using <literal> tags around  
WITH, while others were, so add markup to the last one to ensure  
consistency.  Backpatch to v15 where MERGE was added.  
  
Reported-by: jian he <[email protected]>  
Discussion: https://postgr.es/m/CACJufxGJKY9ZCPV2WDM6xFsXq9C8r7r3vU6AkScN+p9k6CEpMw@mail.gmail.com  
Backpatch-through: v15  

M doc/src/sgml/ref/merge.sgml

Don't test already-referenced pointer for nullness

commit   : 2b656cbd2f24edb7e2964fa3f71ca253ee9d81d8    
  
author   : Alvaro Herrera <[email protected]>    
date     : Tue, 16 Jan 2024 12:27:52 +0100    
  
committer: Alvaro Herrera <[email protected]>    
date     : Tue, 16 Jan 2024 12:27:52 +0100    

Click here for diff

Commit b8ba7344e9eb added in PQgetResult a derefence to a pointer  
returned by pqPrepareAsyncResult(), before some other code that was  
already testing that pointer for nullness.  But since commit  
618c16707a6d (in Postgres 15), pqPrepareAsyncResult() doesn't ever  
return NULL (a statically-allocated result is returned if OOM).  So in  
branches 15 and up, we can remove the redundant pointer check with no  
harm done.  
  
However, in branch 14, pqPrepareAsyncResult() can indeed return NULL if  
it runs out of memory.  Fix things there by adding a null pointer check  
before dereferencing the pointer.  This should hint Coverity that the  
preexisting check is not redundant but necessary.  
  
Backpatch to 14, like b8ba7344e9eb.  
  
Per Coverity.  

M src/interfaces/libpq/fe-exec.c

Prevent access to an unpinned buffer in BEFORE ROW UPDATE triggers.

commit   : 1a4e54617398ff916ddebe69d1197b795f693c65    
  
author   : Tom Lane <[email protected]>    
date     : Sun, 14 Jan 2024 12:38:41 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Sun, 14 Jan 2024 12:38:41 -0500    

Click here for diff

When ExecBRUpdateTriggers switches to a new target tuple as a result  
of the EvalPlanQual logic, it must form a new proposed update tuple.  
Since commit 86dc90056, that tuple (the result of  
ExecGetUpdateNewTuple) has been a virtual tuple that might contain  
pointers to by-ref fields of the new target tuple (in "oldslot").  
However, immediately after that we materialize oldslot, causing it to  
drop its buffer pin, whereupon the by-ref pointers are unsafe to use.  
This is a live bug only when the new target tuple is in a different  
page than the original target tuple, since we do still hold a pin on  
the original one.  (Before 86dc90056, there was no bug because the  
EPQ plantree would hold a pin on the new target tuple; but now that's  
not assured.)  To fix, forcibly materialize the new tuple before we  
materialize oldslot.  This costs nothing since we would have done that  
shortly anyway.  
  
The real-world impact of this is probably minimal.  A visible failure  
could occur if the new target tuple's buffer were recycled for some  
other page in the short interval before we materialize newslot within  
the trigger-calling loop; but that's quite unlikely given that we'd  
just touched that page.  There's a larger hazard that some other  
process could prune and repack that page within the window.  We have  
lock on the new target tuple, but that wouldn't prevent it being moved  
on the page.  
  
Alexander Lakhin and Tom Lane, per bug #17798 from Alexander Lakhin.  
Back-patch to v14 where 86dc90056 came in.  
  
Discussion: https://postgr.es/m/[email protected]  

M src/backend/commands/trigger.c

Re-pgindent catcache.c after previous commit.

commit   : d41358f4bbc87ecc82231cac637b9e347ac35d5c    
  
author   : Tom Lane <[email protected]>    
date     : Sat, 13 Jan 2024 13:54:11 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Sat, 13 Jan 2024 13:54:11 -0500    

Click here for diff

Discussion: https://postgr.es/m/[email protected]  
Discussion: https://postgr.es/m/CAGjhLkOoBEC9mLsnB42d3CO1vcMx71MLSEuigeABbQ8oRdA6gw@mail.gmail.com  

M src/backend/utils/cache/catcache.c

Cope with catcache entries becoming stale during detoasting.

commit   : 2a46a0df479321d00d01e09270d794a800af6c25    
  
author   : Tom Lane <[email protected]>    
date     : Sat, 13 Jan 2024 13:46:27 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Sat, 13 Jan 2024 13:46:27 -0500    

Click here for diff

We've long had a policy that any toasted fields in a catalog tuple  
should be pulled in-line before entering the tuple in a catalog cache.  
However, that requires access to the catalog's toast table, and we'll  
typically do AcceptInvalidationMessages while opening the toast table.  
So it's possible that the catalog tuple is outdated by the time we  
finish detoasting it.  Since no cache entry exists yet, we can't  
mark the entry stale during AcceptInvalidationMessages, and instead  
we'll press forward and build an apparently-valid cache entry.  The  
upshot is that we have a race condition whereby an out-of-date entry  
could be made in a backend's catalog cache, and persist there  
indefinitely causing indeterminate misbehavior.  
  
To fix, use the existing systable_recheck_tuple code to recheck  
whether the catalog tuple is still up-to-date after we finish  
detoasting it.  If not, loop around and restart the process of  
searching the catalog and constructing cache entries from the top.  
The case is rare enough that this shouldn't create any meaningful  
performance penalty, even in the SearchCatCacheList case where  
we need to tear down and reconstruct the whole list.  
  
Indeed, the case is so rare that AFAICT it doesn't occur during  
our regression tests, and there doesn't seem to be any easy way  
to build a test that would exercise it reliably.  To allow  
testing of the retry code paths, add logic (in USE_ASSERT_CHECKING  
builds only) that randomly pretends that the recheck failed about  
one time out of a thousand.  This is enough to ensure that we'll  
pass through the retry paths during most regression test runs.  
  
By adding an extra level of looping, this commit creates a need  
to reindent most of SearchCatCacheMiss and SearchCatCacheList.  
I'll do that separately, to allow putting those changes in  
.git-blame-ignore-revs.  
  
Patch by me; thanks to Alexander Lakhin for having built a test  
case to prove the bug is real, and to Xiaoran Wang for review.  
Back-patch to all supported branches.  
  
Discussion: https://postgr.es/m/[email protected]  
Discussion: https://postgr.es/m/CAGjhLkOoBEC9mLsnB42d3CO1vcMx71MLSEuigeABbQ8oRdA6gw@mail.gmail.com  

M src/backend/utils/cache/catcache.c

Added literal tag for RETURNING

commit   : 076530887a587968947a6d1854d6f44f61c586be    
  
author   : Alvaro Herrera <[email protected]>    
date     : Fri, 12 Jan 2024 12:44:20 +0100    
  
committer: Alvaro Herrera <[email protected]>    
date     : Fri, 12 Jan 2024 12:44:20 +0100    

Click here for diff

This is an old mistake (92e38182d7c8); backpatch all the way back.  
  
Author: Atsushi Torikoshi <[email protected]>  
Reviewed-by: Ashutosh Bapat <[email protected]>  
Discussion: https://postgr.es/m/[email protected]  

M doc/src/sgml/ref/copy.sgml

pg_regress: Disable autoruns for cmd.exe on Windows

commit   : 7e7d827f57b982f1c68ef5852a2c16a6be28cc33    
  
author   : Michael Paquier <[email protected]>    
date     : Fri, 12 Jan 2024 13:59:58 +0900    
  
committer: Michael Paquier <[email protected]>    
date     : Fri, 12 Jan 2024 13:59:58 +0900    

Click here for diff

This is similar to 9886744a361b, to prevent the execution of other  
programs due to autorun configurations which could influence the  
postmaster startup.  
  
This was originally applied on HEAD as of 83c75ac7fb69 without a  
backpatch, but the patch has survived CI and buildfarm cycles.  I have  
checked that cmd /d exists down to Windows XP, which should make this  
change work correctly in the oldest branches still supported.  
  
Discussion: https://postgr.es/m/[email protected]  
Backpatch-through: 12  

M src/test/regress/pg_regress.c

pg_ctl: Disable autoruns for cmd.exe on Windows

commit   : 33d1be06aee08e60fa5017c4a6c64c520d047c36    
  
author   : Michael Paquier <[email protected]>    
date     : Fri, 12 Jan 2024 13:53:10 +0900    
  
committer: Michael Paquier <[email protected]>    
date     : Fri, 12 Jan 2024 13:53:10 +0900    

Click here for diff

On Windows, cmd.exe is used to launch the postmaster process to ease its  
redirection setup.  However, cmd.exe may execute other programs at  
startup due to autorun configurations, which could influence the  
postmaster startup.  This patch adds /D flag to the launcher cmd.exe  
command line to disable autorun settings written in the registry.  
  
This was originally applied on HEAD as of 9886744a361b without a  
backpatch, but the patch has survived CI and buildfarm cycles.  I have  
checked that cmd /d exists down to Windows XP, which should make this  
change work correctly in the oldest branches still supported.  
  
Reported-by: Hayato Kuroda  
Author: Kyotaro Horiguchi  
Reviewed-by: Robert Haas, Michael Paquier  
Discussion: https://postgr.es/m/[email protected]  
Backpatch-through: 12  

M src/bin/pg_ctl/pg_ctl.c

Allow subquery pullup to wrap a PlaceHolderVar in another one.

commit   : a0b4fda442a7acf31d919f5a8988d230fa4db6cb    
  
author   : Tom Lane <[email protected]>    
date     : Thu, 11 Jan 2024 15:28:13 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Thu, 11 Jan 2024 15:28:13 -0500    

Click here for diff

The code for wrapping subquery output expressions in PlaceHolderVars  
believed that if the expression already was a PlaceHolderVar, it was  
never necessary to wrap that in another one.  That's wrong if the  
expression is underneath an outer join and involves a lateral  
reference to outside that scope: failing to add an additional PHV  
risks evaluating the expression at the wrong place and hence not  
forcing it to null when the outer join should do so.  This is an  
oversight in commit 9e7e29c75, which added logic to forcibly wrap  
lateral-reference Vars in PlaceHolderVars, but didn't see that the  
adjacent case for PlaceHolderVars needed the same treatment.  
  
The test case we have for this doesn't fail before 4be058fe9, but now  
that I see the problem I wonder if it is possible to demonstrate  
related errors before that.  That's moot though, since all such  
branches are out of support.  
  
Per bug #18284 from Holger Reise.  Back-patch to all supported  
branches.  
  
Discussion: https://postgr.es/m/[email protected]  

M src/backend/optimizer/prep/prepjointree.c
M src/test/regress/expected/join.out
M src/test/regress/sql/join.sql

Fix omission in partitioning limitation documentation

commit   : bcaf41c608b1b7b462d6ff13c0e4fa80a8847f66    
  
author   : Magnus Hagander <[email protected]>    
date     : Thu, 11 Jan 2024 14:27:10 +0100    
  
committer: Magnus Hagander <[email protected]>    
date     : Thu, 11 Jan 2024 14:27:10 +0100    

Click here for diff

UNIQUE and PRIMARY KEY constraints can be created on ONLY the  
partitioned table.  We already had an example demonstrating that,  
but forgot to mention it in the documentation of the limits of  
partitioning.  
  
Author: Laurenz Albe  
Reviewed-By: shihao zhong, Shubham Khanna, Ashutosh Bapat  
Backpatch-through: 12  
Discussion: https://postgr.es/m/[email protected]  

M doc/src/sgml/ddl.sgml

Handle WindowClause.runCondition in tree walker/mutator functions.

commit   : c3f52fd5d7160733e6b78fc8957e8990a3341bda    
  
author   : Tom Lane <[email protected]>    
date     : Wed, 10 Jan 2024 13:36:34 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Wed, 10 Jan 2024 13:36:34 -0500    

Click here for diff

Commit 9d9c02ccd, which added the notion of a "run condition" for  
window functions, neglected to teach nodeFuncs.c to process the new  
field.  Remarkably, that doesn't seem to have had any ill effects  
before we invented Var.varnullingrels, but now it can cause visible  
failures in join-removal scenarios.  
  
I have no faith that there's not reachable problems in v15 too,  
so back-patch the code change to v15 where 9d9c02ccd came in.  
The test case seems irrelevant to v15, though.  
  
Per bug #18277 from Zuming Jiang.  Diagnosis and patch by  
Richard Guo.  
  
Discussion: https://postgr.es/m/[email protected]  

M src/backend/nodes/nodeFuncs.c

Doc: fix character_sets view.

commit   : c74aad093d096fdec6d39eb2cad544274b919a93    
  
author   : Tatsuo Ishii <[email protected]>    
date     : Tue, 9 Jan 2024 19:52:13 +0900    
  
committer: Tatsuo Ishii <[email protected]>    
date     : Tue, 9 Jan 2024 19:52:13 +0900    

Click here for diff

The note regarding character encoding form in "The Information Schema"  
said that LATIN1 character repertoires only use one encoding form  
LATIN1. This is not correct because LATIN1 has another encoding form  
ISO-2022-JP-2. To fix this, replace LATIN1 with LATIN2, which is not  
supported by ISO-2022-JP-2, thus it can be said that LATIN2 only uses  
one encoding form.  
  
Back-patch to supported branches.  
  
Author: Tatsuo Ishii  
Reviewed-by: Daniel Gustafsson  
Discussion: https://postgr.es/m/flat/20240102.153925.1147403616414525145.t-ishii%40sranhm.sra.co.jp  

M doc/src/sgml/information_schema.sgml

Fix indentation in ExecParallelHashIncreaseNumBatches()

commit   : 6eecc3a622b2db39417e5457735420468b89897e    
  
author   : Alexander Korotkov <[email protected]>    
date     : Mon, 8 Jan 2024 19:43:05 +0200    
  
committer: Alexander Korotkov <[email protected]>    
date     : Mon, 8 Jan 2024 19:43:05 +0200    

Click here for diff

Backpatch-through: 12  

M src/backend/executor/nodeHash.c

Fix integer-overflow problem in intarray's g_int_decompress().

commit   : 940ab02b53eb3a3babc9dd4dea261f5a6d8aa334    
  
author   : Tom Lane <[email protected]>    
date     : Sun, 7 Jan 2024 15:19:50 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Sun, 7 Jan 2024 15:19:50 -0500    

Click here for diff

An array element equal to INT_MAX gave this code indigestion,  
causing an infinite loop that surely ended in SIGSEGV.  We fixed  
some nearby problems awhile ago (cf 757c5182f) but missed this.  
  
Report and diagnosis by Alexander Lakhin (bug #18273); patch by me  
  
Discussion: https://postgr.es/m/[email protected]  

M contrib/intarray/_int_gist.c
M contrib/intarray/data/test__int.data
M contrib/intarray/expected/_int.out
M contrib/intarray/sql/_int.sql

Fix oversized memory allocation in Parallel Hash Join

commit   : 1a7c03e6fc75d2a5ee4893252d47f0549f078494    
  
author   : Alexander Korotkov <[email protected]>    
date     : Sun, 7 Jan 2024 09:03:55 +0200    
  
committer: Alexander Korotkov <[email protected]>    
date     : Sun, 7 Jan 2024 09:03:55 +0200    

Click here for diff

During the calculations of the maximum for the number of buckets, take into  
account that later we round that to the next power of 2.  
  
Reported-by: Karen Talarico  
Bug: #16925  
Discussion: https://postgr.es/m/16925-ec96d83529d0d629%40postgresql.org  
Author: Thomas Munro, Andrei Lepikhov, Alexander Korotkov  
Reviewed-by: Alena Rybakina  
Backpatch-through: 12  

M src/backend/executor/nodeHash.c

commit   : 596eeb10972b30d3c3d6f8368b33378837bcd261    
  
author   : Bruce Momjian <[email protected]>    
date     : Wed, 3 Jan 2024 20:49:04 -0500    
  
committer: Bruce Momjian <[email protected]>    
date     : Wed, 3 Jan 2024 20:49:04 -0500    

Click here for diff

Reported-by: Michael Paquier  
  
Discussion: https://postgr.es/m/[email protected]  
  
Backpatch-through: 12  

M COPYRIGHT
M doc/src/sgml/legal.sgml

Avoid masking EOF (no-password-supplied) conditions in auth.c.

commit   : a0d016393be5732f4422268050db2f111bb84674    
  
author   : Tom Lane <[email protected]>    
date     : Wed, 3 Jan 2024 17:40:38 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Wed, 3 Jan 2024 17:40:38 -0500    

Click here for diff

CheckPWChallengeAuth() would return STATUS_ERROR if the user does not  
exist or has no password assigned, even if the client disconnected  
without responding to the password challenge (as libpq often will,  
for example).  We should return STATUS_EOF in that case, and the  
lower-level functions do, but this code level got it wrong since the  
refactoring done in 7ac955b34.  This breaks the intent of not logging  
anything for EOF cases (cf. comments in auth_failed()) and might  
also confuse users of ClientAuthentication_hook.  
  
Per report from Liu Lang.  Back-patch to all supported versions.  
  
Discussion: https://postgr.es/m/[email protected]  

M src/backend/libpq/auth.c

Doc: Python's control flow construct is try/except not try/catch.

commit   : 272f857aed43a662f8f93df3d3b6d5798a05df61    
  
author   : Tom Lane <[email protected]>    
date     : Wed, 3 Jan 2024 12:22:00 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Wed, 3 Jan 2024 12:22:00 -0500    

Click here for diff

Very ancient thinko, dating evidently to 22690719e.  
Spotted by gweatherby.  
  
Discussion: https://postgr.es/m/170423637139.1288848.11840082988774620003@wrigleys.postgresql.org  

M doc/src/sgml/plpython.sgml

In pg_dump, don't dump a stats object unless dumping underlying table.

commit   : 1e0841426e968f184277e7638227b16fb3cdca7a    
  
author   : Tom Lane <[email protected]>    
date     : Fri, 29 Dec 2023 10:57:11 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Fri, 29 Dec 2023 10:57:11 -0500    

Click here for diff

If the underlying table isn't being dumped, it's useless to dump  
an extended statistics object; it'll just cause errors at restore.  
We have always applied similar policies to, say, indexes.  
  
(When and if we get cross-table stats objects, it might be profitable  
to think a little harder about what to do with them.  But for now  
there seems no point in considering a stats object as anything but  
an appendage of its table.)  
  
Rian McGuire and Tom Lane, per report from Rian McGuire.  
Back-patch to supported branches.  
  
Discussion: https://postgr.es/m/[email protected]  

M src/bin/pg_dump/pg_dump.c
M src/bin/pg_dump/pg_dump.h
M src/bin/pg_dump/t/002_pg_dump.pl

doc: Mention AttributeRelationId in FDW validator function description

commit   : 296128a53646126fc33394ca859df5ab000c4798    
  
author   : Michael Paquier <[email protected]>    
date     : Thu, 28 Dec 2023 20:09:27 +0900    
  
committer: Michael Paquier <[email protected]>    
date     : Thu, 28 Dec 2023 20:09:27 +0900    

Click here for diff

The documentation has been missing one value in the list of catalog OIDs  
that can be given to the validator function of a FDW, as of  
AttributeRelationId, when changing the attribute options of a foreign  
table.  
  
Author: Ian Lawrence Barwick  
Discussion: https://postgr.es/m/CAB8KJ=i16t2yJU_Pq2Z+hnNGWFhagp_bJmzxHZu3ZkOjZm-+rQ@mail.gmail.com  
Backpatch-through: 12  

M doc/src/sgml/fdwhandler.sgml

Doc: specify aclitem syntax more clearly.

commit   : 2ad96ebbfd10896c6d4a16bf9f64a09f426244bf    
  
author   : Tom Lane <[email protected]>    
date     : Wed, 27 Dec 2023 13:52:01 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Wed, 27 Dec 2023 13:52:01 -0500    

Click here for diff

The previous wording here relied solely on an example to explain  
aclitem output format.  Add an actual syntax synopsis and  
explanation of the elements to make it clearer.  
  
David Johnston and Tom Lane, per gripe from Eugen Konkov.  
  
Discussion: https://postgr.es/m/170326116972.1876499.18357820037829248593@wrigleys.postgresql.org  

M doc/src/sgml/ddl.sgml

Fix failure to verify PGC_[SU_]BACKEND GUCs in pg_file_settings view.

commit   : 76dd3d94a50435f57efc4da29e27a1bf69862726    
  
author   : Tom Lane <[email protected]>    
date     : Tue, 26 Dec 2023 17:57:48 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Tue, 26 Dec 2023 17:57:48 -0500    

Click here for diff

set_config_option() bails out early if it detects that the option to  
be set is PGC_BACKEND or PGC_SU_BACKEND class and we're reading the  
config file in a postmaster child; we don't want to apply any new  
value in such a case.  That's fine as far as it goes, but it fails  
to consider the requirements of the pg_file_settings view: for that,  
we need to check validity of the value even though we have no  
intention to apply it.  Because we didn't, even very silly values  
for affected GUCs would be reported as valid by the view.  There  
are only half a dozen such GUCs, which perhaps explains why this  
got overlooked for so long.  
  
Fix by continuing when changeVal is false; this parallels the logic  
in some other early-exit paths.  
  
Also, the check added by commit 924bcf4f1 to prevent GUC changes in  
parallel workers seems a few bricks shy of a load: it's evidently  
assuming that ereport(elevel, ...) won't return.  Make sure we  
bail out if it does.  The lack of trouble reports suggests that  
this is only a latent bug, i.e. parallel workers don't actually  
reach here with elevel < ERROR.  (Per the code coverage report,  
we never reach here at all in the regression suite.)  But we clearly  
don't want to risk proceeding if that does happen.  
  
Per report from Rıdvan Korkmaz.  These are ancient bugs, so back-patch  
to all supported branches.  
  
Discussion: https://postgr.es/m/[email protected]  

M src/backend/utils/misc/guc.c

Hide warnings from Python headers when using gcc-compatible compiler.

commit   : 5f8d6d7097fee4aa3a6da056489e03b7b1a98871    
  
author   : Tom Lane <[email protected]>    
date     : Tue, 26 Dec 2023 16:16:29 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Tue, 26 Dec 2023 16:16:29 -0500    

Click here for diff

Like commit 388e80132, use "#pragma GCC system_header" to silence  
warnings appearing within the Python headers, since newer Python  
versions no longer worry about some restrictions we still use like  
-Wdeclaration-after-statement.  
  
This patch improves on 388e80132 by inventing a separate wrapper  
header file, allowing the pragma to be tightly scoped to just  
the Python headers and not other stuff we have laying about in  
plpython.h.  I applied the same technique to plperl for the same  
reason: the original patch suppressed warnings for a good deal  
of our own code, not only the Perl headers.  
  
Like the previous commit, back-patch to supported branches.  
  
Peter Eisentraut and Tom Lane  
  
Discussion: https://postgr.es/m/[email protected]  

M src/pl/plperl/GNUmakefile
M src/pl/plperl/plperl.h
A src/pl/plperl/plperl_system.h
M src/pl/plpython/Makefile
M src/pl/plpython/plpython.h
A src/pl/plpython/plpython_system.h

Doc: Add missing pgoutput options.

commit   : ad4a9f1f73e97f5ef7469df506e920c459f5361d    
  
author   : Amit Kapila <[email protected]>    
date     : Tue, 26 Dec 2023 11:06:59 +0530    
  
committer: Amit Kapila <[email protected]>    
date     : Tue, 26 Dec 2023 11:06:59 +0530    

Click here for diff

We forgot to update the docs while adding new options in pgoutput.  
  
Author: Emre Hasegeli  
Reviewed-by: Peter Smith, Amit Kapila  
Backpatch-through: 12  
Discussion: https://postgr.es/m/CAE2gYzwdwtUbs-tPSV-QBwgTubiyGD2ZGsSnAVsDfAGGLDrGOA%40mail.gmail.com  

M doc/src/sgml/logical-replication.sgml
M doc/src/sgml/protocol.sgml

Avoid trying to fetch metapage of an SPGist partitioned index.

commit   : ab04c1901d0d55039330bc02f9f4e1024b2a95dc    
  
author   : Tom Lane <[email protected]>    
date     : Thu, 21 Dec 2023 12:43:36 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Thu, 21 Dec 2023 12:43:36 -0500    

Click here for diff

This is necessary when spgcanreturn() is invoked on a partitioned  
index, and the failure might be reachable in other scenarios as  
well.  The rest of what spgGetCache() does is perfectly sensible  
for a partitioned index, so we should allow it to go through.  
  
I think the main takeaway from this is that we lack sufficient test  
coverage for non-btree partitioned indexes.  Therefore, I added  
simple test cases for brin and gin as well as spgist (hash and  
gist AMs were covered already in indexing.sql).  
  
Per bug #18256 from Alexander Lakhin.  Although the known test case  
only fails since v16 (3c569049b), I've got no faith at all that there  
aren't other ways to reach this problem; so back-patch to all  
supported branches.  
  
Discussion: https://postgr.es/m/[email protected]  

M src/backend/access/spgist/spgutils.c
M src/test/regress/expected/indexing.out
M src/test/regress/sql/indexing.sql

Fix BEFORE ROW trigger handling in cross-partition MERGE update.

commit   : 7e8c6d7af6588b8a7249cc3e1eb195cc32d120a2    
  
author   : Dean Rasheed <[email protected]>    
date     : Thu, 21 Dec 2023 12:51:55 +0000    
  
committer: Dean Rasheed <[email protected]>    
date     : Thu, 21 Dec 2023 12:51:55 +0000    

Click here for diff

Fix a bug during MERGE if a cross-partition update is attempted on a  
partitioned table with a BEFORE DELETE ROW trigger that returns NULL,  
to prevent the update. This would cause an error to be thrown, or an  
assert failure in an assert-enabled build.  
  
This was an oversight in 9321c79c86, which failed to properly  
distinguish a DELETE prevented by a trigger from one prevented by a  
concurrent update. Fix by having ExecDelete() return the TM_Result  
status to ExecCrossPartitionUpdate(), so that it can distinguish the  
two cases, and make ExecCrossPartitionUpdate() return the TM_Result  
status to ExecUpdateAct(), so that it can return the correct status  
from a concurrent update.  
  
In addition, ensure that the command tag is correctly updated by  
having ExecMergeMatched() pass canSetTag to ExecUpdateAct(), rather  
than passing false, so that it updates the command tag if it does a  
cross-partition update, making this code path in ExecMergeMatched()  
consistent with ExecUpdate().  
  
Per bug #18238 from Alexander Lakhin. Back-patch to v15, where MERGE  
was introduced.  
  
Dean Rasheed, reviewed by Richard Guo and Jian He.  
  
Discussion: https://postgr.es/m/18238-2f2bdc7f720180b9%40postgresql.org  

M src/backend/executor/nodeModifyTable.c
M src/test/regress/expected/merge.out
M src/test/regress/sql/merge.sql

doc: Fix syntax in ALTER FOREIGN DATA WRAPPER example

commit   : 3e8379afffe3654de853096687bf3b5b39e534b4    
  
author   : Daniel Gustafsson <[email protected]>    
date     : Tue, 19 Dec 2023 14:13:50 +0100    
  
committer: Daniel Gustafsson <[email protected]>    
date     : Tue, 19 Dec 2023 14:13:50 +0100    

Click here for diff

The example for dropping an option was incorrectly quoting the  
option key thus making it a value turning the command into an  
unqualified ADD operation. The result of dropping became adding  
a new key/value pair instead:  
  
 d=# alter foreign data wrapper f options (drop 'b');  
 ALTER FOREIGN DATA WRAPPER  
 d=# select fdwoptions from pg_foreign_data_wrapper where fdwname='f';  
  fdwoptions  
 ------------  
  {drop=b}  
 (1 row)  
  
This has been incorrect for a long time so backpatch to all  
supported branches.  
  
Author: Tim <[email protected]>  
Discussion: https://postgr.es/m/[email protected]  

M doc/src/sgml/ref/alter_foreign_data_wrapper.sgml

pageinspect: Fix failure with hash_bitmap_info() for partitioned indexes

commit   : 2e08440d61ea1a783d98c05a834bb52736de5dd9    
  
author   : Michael Paquier <[email protected]>    
date     : Tue, 19 Dec 2023 18:19:16 +0900    
  
committer: Michael Paquier <[email protected]>    
date     : Tue, 19 Dec 2023 18:19:16 +0900    

Click here for diff

This function reads directly a page from a relation, relying on  
index_open() to open the index to read from.  Unfortunately, this would  
crash when using partitioned indexes, as these can be opened with  
index_open() but they have no physical pages.  
  
Alexander has fixed the module, while I have written the test.  
  
Author: Alexander Lakhin, Michael Paquier  
Discussion: https://postgr.es/m/[email protected]  
Backpatch-through: 12  

M contrib/pageinspect/expected/hash.out
M contrib/pageinspect/hashfuncs.c
M contrib/pageinspect/sql/hash.sql

pgstattuple: Fix failure with pgstathashindex() for partitioned indexes

commit   : b745f168042e253e92a71bb4d4554789d72c21c5    
  
author   : Michael Paquier <[email protected]>    
date     : Tue, 19 Dec 2023 15:20:50 +0900    
  
committer: Michael Paquier <[email protected]>    
date     : Tue, 19 Dec 2023 15:20:50 +0900    

Click here for diff

As coded, the function relied on index_open() when opening an index  
relation, allowing partitioned indexes to be processed by  
pgstathashindex().  This was leading to a "could not open file" error  
because partitioned indexes have no physical files, or to a crash with  
an assertion failure (like on HEAD).  
  
This issue is fixed by applying the same checks as the other stat  
functions for indexes, with a lookup at both RELKIND_INDEX and the index  
AM expected.  
  
Author: Alexander Lakhin  
Discussion: https://postgr.es/m/[email protected]  
Backpatch-through: 12  

M contrib/pgstattuple/expected/pgstattuple.out
M contrib/pgstattuple/pgstatindex.c
M contrib/pgstattuple/sql/pgstattuple.sql

Doc: add a bit to indices.sgml about what is an indexable clause.

commit   : afc987e196107b0887314838256a885af05b8714    
  
author   : Tom Lane <[email protected]>    
date     : Sun, 17 Dec 2023 16:49:44 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Sun, 17 Dec 2023 16:49:44 -0500    

Click here for diff

We didn't explain this clearly until somewhere deep in the  
"Extending SQL" chapter, but really it ought to be mentioned  
in the introductory material too.  
  
Discussion: https://postgr.es/m/[email protected]  

M doc/src/sgml/indices.sgml

Fix bugs in manipulation of large objects.

commit   : 7a99fb6e1377e86afb7c19eb58a1b02d49dc9294    
  
author   : Tom Lane <[email protected]>    
date     : Fri, 15 Dec 2023 13:55:05 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Fri, 15 Dec 2023 13:55:05 -0500    

Click here for diff

In v16 and up (since commit afbfc0298), large object ownership  
checking has been broken because object_ownercheck() didn't take care  
of the discrepancy between our object-address representation of large  
objects (classId == LargeObjectRelationId) and the catalog where their  
ownership info is actually stored (LargeObjectMetadataRelationId).  
This resulted in failures such as "unrecognized class ID: 2613"  
when trying to update blob properties as a non-superuser.  
  
Poking around for related bugs, I found that AlterObjectOwner_internal  
would pass the wrong classId to the PostAlterHook in the no-op code  
path where the large object already has the desired owner.  Also,  
recordExtObjInitPriv checked for the wrong classId; that bug is only  
latent because the stanza is dead code anyway, but as long as we're  
carrying it around it should be less wrong.  These bugs are quite old.  
  
In HEAD, we can reduce the scope for future bugs of this ilk by  
changing AlterObjectOwner_internal's API to let the translation happen  
inside that function, rather than requiring callers to know about it.  
  
A more bulletproof fix, perhaps, would be to start using  
LargeObjectMetadataRelationId as the dependency and object-address  
classId for blobs.  However that has substantial risk of breaking  
third-party code; even within our own code, it'd create hassles  
for pg_dump which would have to cope with a version-dependent  
representation.  For now, keep the status quo.  
  
Discussion: https://postgr.es/m/[email protected]  

M src/backend/catalog/aclchk.c
M src/backend/commands/alter.c

Fix description of I/O timing info for shared buffers in EXPLAIN (BUFFERS)

commit   : 8dd70828b460b76f756d75c86cd454518ae224dc    
  
author   : Michael Paquier <[email protected]>    
date     : Thu, 14 Dec 2023 09:59:52 +0100    
  
committer: Michael Paquier <[email protected]>    
date     : Thu, 14 Dec 2023 09:59:52 +0100    

Click here for diff

This fixes an error introduced by efb0ef909f60, that changed the  
description of this field to "shared/local" while these I/O timings  
relate to shared buffers.  This information is available when  
track_io_timing is enabled.  Note that HEAD has added new counters for  
local buffers in 295c36c0c1fa, so there is no need to touch it.  The  
description is updated to "shared" to be compatible with HEAD.  
  
Per discussion with Nazir Bilal Yavuz and Hubert Depesz Lubaczewski,  
whose EXPLAIN analyzer tool was not actually able to parse the previous  
term because of the slash character.  
  
Discussion: https://postgr.es/m/[email protected]  
Backpatch-through: 15  

M src/backend/commands/explain.c

Prevent tuples to be marked as dead in subtransactions on standbys

commit   : f5d8f59cae3e0befda51a97cc3715fa6caf7105d    
  
author   : Michael Paquier <[email protected]>    
date     : Tue, 12 Dec 2023 17:05:29 +0100    
  
committer: Michael Paquier <[email protected]>    
date     : Tue, 12 Dec 2023 17:05:29 +0100    

Click here for diff

Dead tuples are ignored and are not marked as dead during recovery, as  
it can lead to MVCC issues on a standby because its xmin may not match  
with the primary.  This information is tracked by a field called  
"xactStartedInRecovery" in the transaction state data, switched on when  
starting a transaction in recovery.  
  
Unfortunately, this information was not correctly tracked when starting  
a subtransaction, because the transaction state used for the  
subtransaction did not update "xactStartedInRecovery" based on the state  
of its parent.  This would cause index scans done in subtransactions to  
return inconsistent data, depending on how the xmin of the primary  
and/or the standby evolved.  
  
This is broken since the introduction of hot standby in efc16ea52067, so  
backpatch all the way down.  
  
Author: Fei Changhong  
Reviewed-by: Kyotaro Horiguchi  
Discussion: https://postgr.es/m/[email protected]  
Backpatch-through: 12  

M src/backend/access/transam/xact.c

Fix typo in comment

commit   : 419b6cb885a5fcb215ce86dcda441bd7dbfac202    
  
author   : Daniel Gustafsson <[email protected]>    
date     : Tue, 12 Dec 2023 12:16:38 +0100    
  
committer: Daniel Gustafsson <[email protected]>    
date     : Tue, 12 Dec 2023 12:16:38 +0100    

Click here for diff

Commit 98e675ed7af accidentally mistyped IDENTIFY_SYSTEM as  
IDENTIFY_SERVER. Backpatch to all supported branches.  
  
Reported-by: Alexander Lakhin <[email protected]>  
Discussion: https://postgr.es/m/[email protected]  

M src/backend/replication/libpqwalreceiver/libpqwalreceiver.c

Be more wary about OpenSSL not setting errno on error.

commit   : 551d4b28e4453fce5890c0df7121bae44b417ec2    
  
author   : Tom Lane <[email protected]>    
date     : Mon, 11 Dec 2023 11:51:56 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Mon, 11 Dec 2023 11:51:56 -0500    

Click here for diff

OpenSSL will sometimes return SSL_ERROR_SYSCALL without having set  
errno; this is apparently a reflection of recv(2)'s habit of not  
setting errno when reporting EOF.  Ensure that we treat such cases  
the same as read EOF.  Previously, we'd frequently report them like  
"could not accept SSL connection: Success" which is confusing, or  
worse report them with an unrelated errno left over from some  
previous syscall.  
  
To fix, ensure that errno is zeroed immediately before the call,  
and report its value only when it's not zero afterwards; otherwise  
report EOF.  
  
For consistency, I've applied the same coding pattern in libpq's  
pqsecure_raw_read().  Bare recv(2) shouldn't really return -1 without  
setting errno, but in case it does we might as well cope.  
  
Per report from Andres Freund.  Back-patch to all supported versions.  
  
Discussion: https://postgr.es/m/[email protected]  

M src/backend/libpq/be-secure-openssl.c
M src/backend/libpq/pqcomm.c
M src/interfaces/libpq/fe-secure-openssl.c
M src/interfaces/libpq/fe-secure.c

Fix an undetected deadlock due to apply worker.

commit   : 332b43063351758055f68c6227444e6003dba769    
  
author   : Amit Kapila <[email protected]>    
date     : Mon, 11 Dec 2023 08:23:33 +0530    
  
committer: Amit Kapila <[email protected]>    
date     : Mon, 11 Dec 2023 08:23:33 +0530    

Click here for diff

The apply worker needs to update the state of the subscription tables to  
'READY' during the synchronization phase which requires locking the  
corresponding subscription. The apply worker also waits for the  
subscription tables to reach the 'SYNCDONE' state after holding the locks  
on the subscription and the wait is done using WaitLatch. The 'SYNCDONE'  
state is changed by tablesync workers again by locking the corresponding  
subscription. Both the state updates use AccessShareLock mode to lock the  
subscription, so they can't block each other. However, a backend can  
simultaneously try to acquire a lock on the same subscription using  
AccessExclusiveLock mode to alter the subscription. Now, the backend's  
wait on a lock can sneak in between the apply worker and table sync worker  
causing deadlock.  
  
In other words, apply_worker waits for tablesync worker which waits for  
backend, and backend waits for apply worker. This is not detected by the  
deadlock detector because apply worker uses WaitLatch.  
  
The fix is to release existing locks in apply worker before it starts to  
wait for tablesync worker to change the state.  
  
Reported-by: Tomas Vondra  
Author: Shlok Kyal  
Reviewed-by: Amit Kapila, Peter Smith  
Backpatch-through: 12  
Discussion: https://postgr.es/m/[email protected]  

M src/backend/replication/logical/tablesync.c

Fix potential pointer overflow in xlogreader.c.

commit   : b9f687f5abaf40c13fed59fe08014116a8344102    
  
author   : Thomas Munro <[email protected]>    
date     : Fri, 8 Dec 2023 15:10:48 +1300    
  
committer: Thomas Munro <[email protected]>    
date     : Fri, 8 Dec 2023 15:10:48 +1300    

Click here for diff

While checking if a record could fit in the circular WAL decoding  
buffer, the coding from commit 3f1ce973 used arithmetic that could  
overflow.  64 bit systems were unaffected for various technical reasons,  
which probably explains the lack of problem reports.  Likewise for 32  
bit systems running known 32 bit kernels.  The systems at risk of  
problems appear to be 32 bit processes running on 64 bit kernels, with  
unlucky placement in memory.  
  
Per complaint from GCC -fsanitize=undefined -m32, while testing  
variations of 039_end_of_wal.pl.  
  
Back-patch to 15.  
  
Reviewed-by: Nathan Bossart <[email protected]>  
Reviewed-by: Robert Haas <[email protected]>  
Discussion: https://postgr.es/m/CA%2BhUKGKH0oRPOX7DhiQ_b51sM8HqcPp2J3WA-Oen%3DdXog%2BAGGQ%40mail.gmail.com  

M src/backend/access/transam/xlogreader.c

Fix path of regress shared library in pg_upgrade test

commit   : 24482838c2c4bf251896e7ace837d48ba1fdc036    
  
author   : Michael Paquier <[email protected]>    
date     : Fri, 8 Dec 2023 10:37:37 +0900    
  
committer: Michael Paquier <[email protected]>    
date     : Fri, 8 Dec 2023 10:37:37 +0900    

Click here for diff

During a pg_upgrade test using an old dump, all references to the old  
regress shared library path (so, dylib or dll) are updated to point to  
the library path used by the new build, to ensure a consistent  
comparison between the old and new dumps.  
  
The test previously relied on a hardcoded value of "src/test/regress/"  
to build the new path value, which would point to an incorrect location  
for the meson and vpath builds.  This is replaced by REGRESS_SHLIB, able  
to point to the correct location of the regress shared library.  
  
Author: Alexander Lakhin  
Discussion: https://postgr.es/m/[email protected]  
Backpatch-through: 15  

M src/bin/pg_upgrade/t/002_pg_upgrade.pl

Fix compilation on Windows with WAL_DEBUG

commit   : 87ed81a8739b2419ceb4818c469ce1c5d1ae98d2    
  
author   : Michael Paquier <[email protected]>    
date     : Wed, 6 Dec 2023 14:11:44 +0900    
  
committer: Michael Paquier <[email protected]>    
date     : Wed, 6 Dec 2023 14:11:44 +0900    

Click here for diff

This has been broken since b060dbe0001a that has reworked the callback  
mechanism of XLogReader, most likely unnoticed because any form of  
development involving WAL happens on platforms where this compiles fine.  
  
Author: Bharath Rupireddy  
Discussion: https://postgr.es/m/CALj2ACVF14WKQMFwcJ=3okVDhiXpuK5f7YdT+BdYXbbypMHqWA@mail.gmail.com  
Backpatch-through: 13  

M src/backend/access/transam/xlog.c

Apply filters to dump files all the time in 002_pg_upgrade.pl

commit   : f0b53daa2c761e5349a91ebe1162c1ce87a8b33f    
  
author   : Michael Paquier <[email protected]>    
date     : Wed, 6 Dec 2023 09:55:05 +0900    
  
committer: Michael Paquier <[email protected]>    
date     : Wed, 6 Dec 2023 09:55:05 +0900    

Click here for diff

This commit removes the restriction that would not apply filters to the  
dumps used for comparison in the TAP test of pg_upgrade when using the  
same base version for the old and new nodes.  
  
The previous logic would fail on Windows if loading a dump while using  
the same set of binaries for the old and new nodes, as the library  
dependencies updated in the old dump would append CRLFs to the dump  
file as it is treated as a text file.  The dump filtering logic replaces  
all CRLFs (\r\n) by LFs (\n), which is able to prevent this issue.  
  
When the old and new versions of the binaries are the same,  
AdjustUpgrade removes all blank lines, removes version-based comments  
generated by pg_dump and replaces CRLFs by LFs.  
  
Reported-by: Alexander Lakhin  
Discussion: https://postgr.es/m/[email protected]  
Backpatch-through: 15  

M src/bin/pg_upgrade/t/002_pg_upgrade.pl

Fix incorrect error message for IDENTIFY_SYSTEM

commit   : bc0a368dc5bc2bef957ede025e7f81f74c7aa58f    
  
author   : Daniel Gustafsson <[email protected]>    
date     : Tue, 5 Dec 2023 14:30:56 +0100    
  
committer: Daniel Gustafsson <[email protected]>    
date     : Tue, 5 Dec 2023 14:30:56 +0100    

Click here for diff

Commit 5a991ef8692e accidentally reversed the order of the tuples  
and fields parameters, making the error message incorrectly refer  
to 3 tuples with 1 field when IDENTIFY_SYSTEM returns 1 tuple and  
3 or 4 fields. Fix by changing the order of the parameters.  This  
also adds a comment describing why we check for < 3 when postgres  
since 9.4 has been sending 4 fields.  
  
Backpatch all the way since the bug is almost a decade old.  
  
Author: Tomonari Katsumata <[email protected]>  
Reviewed-by: Tom Lane <[email protected]>  
Bug: #18224  
Backpatch-through: v12  

M src/backend/replication/libpqwalreceiver/libpqwalreceiver.c

Fix handling of errors in libpq pipelines

commit   : 1171c6e7418564296e9023859f68225b247427a7    
  
author   : Alvaro Herrera <[email protected]>    
date     : Tue, 5 Dec 2023 12:43:24 +0100    
  
committer: Alvaro Herrera <[email protected]>    
date     : Tue, 5 Dec 2023 12:43:24 +0100    

Click here for diff

The logic to keep the libpq command queue in sync with queries that have  
been processed had a bug when errors were returned for reasons other  
than problems in queries -- for example, when a connection is lost.  We  
incorrectly consumed an element from the command queue every time, but  
this is wrong and can lead to the queue becoming empty ahead of time,  
leading to later malfunction: PQgetResult would return nothing,  
potentially causing the calling application to enter a busy loop.  
  
Fix by making the SYNC queue element a barrier that can only be consumed  
when a SYNC message is received.  
  
Backpatch to 14.  
  
Reported by: Иван Трофимов (Ivan Trofimov) <[email protected]>  
Discussion: https://postgr.es/m/[email protected]  

M src/interfaces/libpq/fe-exec.c
M src/interfaces/libpq/fe-protocol3.c
M src/interfaces/libpq/libpq-int.h

Don't use pgbench -j in tests

commit   : 25f2a43756443031239a5d212a63ae9b183e4502    
  
author   : Alvaro Herrera <[email protected]>    
date     : Mon, 4 Dec 2023 14:00:51 +0100    
  
committer: Alvaro Herrera <[email protected]>    
date     : Mon, 4 Dec 2023 14:00:51 +0100    

Click here for diff

It draws an unnecessary error in builds compiled without thread support.  
  
Added by commit 038f586d5f1d, which was backpatched to 14; though in  
branch master we no longer support such builds, there's no reason to  
have this there, so remove it in all branches since 14.  
  
Reported-by: Michael Paquier <[email protected]>  
Discussion: https://postgr.es/m/[email protected]  

M src/bin/pgbench/t/001_pgbench_with_server.pl

doc: Remove reference to trigger file regarding promotion

commit   : 0e4674a697d5bdb9f3136005f0467c874b28e6d7    
  
author   : Michael Paquier <[email protected]>    
date     : Mon, 4 Dec 2023 08:10:27 +0900    
  
committer: Michael Paquier <[email protected]>    
date     : Mon, 4 Dec 2023 08:10:27 +0900    

Click here for diff

The wording changed here comes from 991bfe11d28a, when the only way to  
trigger a promotion was with a trigger file.  There are more options to  
achieve this operation these days, like the SQL function pg_promote() or  
the command `pg_ctl promote`, so it is confusing to assume that only a  
trigger file is able to do the work.  
  
Note also that promote_trigger_file has been removed as of cd4329d9393f  
in 16~.  
  
Author: Shinya Kato  
Discussion: https://postgr.es/m/[email protected]  
Backpatch-through: 12  

M doc/src/sgml/high-availability.sgml

Check collation when creating partitioned index

commit   : 15d485921b1c2125d551e87a1f04be9d5c124b15    
  
author   : Peter Eisentraut <[email protected]>    
date     : Fri, 1 Dec 2023 15:48:06 +0100    
  
committer: Peter Eisentraut <[email protected]>    
date     : Fri, 1 Dec 2023 15:48:06 +0100    

Click here for diff

When creating a partitioned index, the partition key must be a subset  
of the index's columns.  But this currently doesn't check that the  
collations between the partition key and the index definition match.  
So you can construct a unique index that fails to enforce uniqueness.  
(This would most likely involve a nondeterministic collation, so it  
would have to be crafted explicitly and is not something that would  
just happen by accident.)  
  
This patch adds the required collation check.  As a result, any  
previously allowed unique index that has a collation mismatch would no  
longer be allowed to be created.  
  
Reviewed-by: Tom Lane <[email protected]>  
Discussion: https://www.postgresql.org/message-id/flat/3327cb54-f7f1-413b-8fdb-7a9dceebb938%40eisentraut.org  

M src/backend/commands/indexcmds.c

doc: Update info on information schema usage tables

commit   : 74a1bb168dd5fafe17e0f901543b286d9b15d3e4    
  
author   : Peter Eisentraut <[email protected]>    
date     : Fri, 1 Dec 2023 08:40:45 +0100    
  
committer: Peter Eisentraut <[email protected]>    
date     : Fri, 1 Dec 2023 08:40:45 +0100    

Click here for diff

Commit f40c6969d0 added the information schema usage tables but added  
documentation that they did not fully work yet.  Commit e717a9a18b  
then added SQL-standard function bodies, which made the information  
schema views fully functional, but it neglected to update the  
documentation.  This is now done here.  
  
Reported-by: Erki Eessaar <[email protected]>  
Reviewed-by: Erki Eessaar <[email protected]>  
Discussion: https://www.postgresql.org/message-id/flat/AM9PR01MB8268EC7B696F9FE346CA5B93FEB8A%40AM9PR01MB8268.eurprd01.prod.exchangelabs.com  

M doc/src/sgml/information_schema.sgml

Use BIO_{get,set}_app_data instead of BIO_{get,set}_data.

commit   : 5dd30bb54bfec14e5677aff3e306edec79c204ef    
  
author   : Tom Lane <[email protected]>    
date     : Tue, 28 Nov 2023 12:34:03 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Tue, 28 Nov 2023 12:34:03 -0500    

Click here for diff

We should have done it this way all along, but we accidentally got  
away with using the wrong BIO field up until OpenSSL 3.2.  There,  
the library's BIO routines that we rely on use the "data" field  
for their own purposes, and our conflicting use causes assorted  
weird behaviors up to and including core dumps when SSL connections  
are attempted.  Switch to using the approved field for the purpose,  
i.e. app_data.  
  
While at it, remove our configure probes for BIO_get_data as well  
as the fallback implementation.  BIO_{get,set}_app_data have been  
there since long before any OpenSSL version that we still support,  
even in the back branches.  
  
Also, update src/test/ssl/t/001_ssltests.pl to allow for a minor  
change in an error message spelling that evidently came in with 3.2.  
  
Tristan Partin and Bo Andreson.  Back-patch to all supported branches.  
  
Discussion: https://postgr.es/m/CAN55FZ1eDDYsYaL7mv+oSLUij2h_u6hvD4Qmv-7PK7jkji0uyQ@mail.gmail.com  

M configure
M configure.ac
M src/backend/libpq/be-secure-openssl.c
M src/include/pg_config.h.in
M src/interfaces/libpq/fe-secure-openssl.c
M src/test/ssl/t/001_ssltests.pl
M src/tools/msvc/Solution.pm

Fix assertions with RI triggers in heap_update and heap_delete.

commit   : 2873fbfe0d6500a45a316d2d42414a432a96e9f1    
  
author   : Heikki Linnakangas <[email protected]>    
date     : Tue, 28 Nov 2023 11:59:09 +0200    
  
committer: Heikki Linnakangas <[email protected]>    
date     : Tue, 28 Nov 2023 11:59:09 +0200    

Click here for diff

If the tuple being updated is not visible to the crosscheck snapshot,  
we return TM_Updated but the assertions would not hold in that case.  
Move them to before the cross-check.  
  
Fixes bug #17893. Backpatch to all supported versions.  
  
Author: Alexander Lakhin  
Backpatch-through: 12  
Discussion: https://www.postgresql.org/message-id/17893-35847009eec517b5%40postgresql.org  

M src/backend/access/heap/heapam.c
M src/include/access/tableam.h
M src/test/isolation/expected/fk-snapshot.out
M src/test/isolation/specs/fk-snapshot.spec

Fix CREATE INDEX CONCURRENTLY example

commit   : fef92f9ba10175bab6af4307c54ce450a592a2e7    
  
author   : Alvaro Herrera <[email protected]>    
date     : Mon, 27 Nov 2023 19:18:03 +0100    
  
committer: Alvaro Herrera <[email protected]>    
date     : Mon, 27 Nov 2023 19:18:03 +0100    

Click here for diff

It fails to use the CONCURRENTLY keyword where it was necessary, so add  
it.  This text was added to pg11 in commit 5efd604ec0a3; backpatch to pg12.  
  
Author: Nikolay Samokhvalov <[email protected]>  
Discussion: https://postgr.es/m/CAM527d9iz6+=_c7EqSKaGzjqWvSeCeRVVvHZ1v3gDgjTtvgsbw@mail.gmail.com  

M doc/src/sgml/ddl.sgml

Avoid unconditionally filling in missing values with NULL in pgoutput.

commit   : a77fb8c685495ba100e5fbe3ac78d9cd289bd48a    
  
author   : Amit Kapila <[email protected]>    
date     : Mon, 27 Nov 2023 09:14:17 +0530    
  
committer: Amit Kapila <[email protected]>    
date     : Mon, 27 Nov 2023 09:14:17 +0530    

Click here for diff

52e4f0cd4 introduced a bug in pgoutput in which missing values in tuples  
were incorrectly filled in with NULL. The problem was the use of  
CreateTupleDescCopy where CreateTupleDescCopyConstr was required, as the  
former drops the constraints in the tuple description (specifically, the  
default value constraint) on the floor.  
  
The bug could result in incorrectness when a table replicated via  
`REPLICA IDENTITY FULL` underwent a schema change that added a column  
with a default value. The problem is that in such cases updates fill NULL  
values in old tuples for missing columns for default values. Then on the  
subscriber, we failed to find a matching tuple and missed updating the  
required row.  
  
Author: Nikhil Benesch  
Reviewed-by: Hou Zhijie, Amit Kapila  
Backpatch-through: 15  
Discussion: http://postgr.es/m/CAPWqQZTEpZQamYsGMn6ZDRvVywwpVPiKH6OY4KSgA+NmeqFNzA@mail.gmail.com  

M src/backend/replication/pgoutput/pgoutput.c
M src/test/subscription/t/100_bugs.pl

Fix race condition with BIO methods initialization in libpq with threads

commit   : b97226815030be274f13a114cf8ebf0063899c41    
  
author   : Michael Paquier <[email protected]>    
date     : Mon, 27 Nov 2023 09:40:50 +0900    
  
committer: Michael Paquier <[email protected]>    
date     : Mon, 27 Nov 2023 09:40:50 +0900    

Click here for diff

The libpq code in charge of creating per-connection SSL objects was  
prone to a race condition when loading the custom BIO methods needed by  
my_SSL_set_fd().  As BIO methods are stored as a static variable, the  
initialization of a connection could fail because it could be possible  
to have one thread refer to my_bio_methods while it is being manipulated  
by a second concurrent thread.  
  
This error has been introduced by 8bb14cdd33de, that has removed  
ssl_config_mutex around the call of my_SSL_set_fd(), that itself sets  
the custom BIO methods used in libpq.  Like previously, the BIO method  
initialization is now protected by the existing ssl_config_mutex, itself  
initialized earlier for WIN32.  
  
While on it, document that my_bio_methods is protected by  
ssl_config_mutex, as this can be easy to miss.  
  
Reported-by: Willi Mann  
Author: Willi Mann, Michael Paquier  
Discussion: https://postgr.es/m/[email protected]  
Backpatch-through: 12  

M src/interfaces/libpq/fe-secure-openssl.c

Doc: list AT TIME ZONE and COLLATE in operator precedence table.

commit   : c7bd476049ca43ed86faae02c7c1cc3553ebe93c    
  
author   : Tom Lane <[email protected]>    
date     : Sun, 26 Nov 2023 16:40:22 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Sun, 26 Nov 2023 16:40:22 -0500    

Click here for diff

These constructs have precedence, but we forgot to list them.  
In HEAD, mention AT LOCAL as well as AT TIME ZONE.  
  
Per gripe from Shay Rojansky.  
  
Discussion: https://postgr.es/m/CADT4RqBPdbsZW7HS1jJP319TMRHs1hzUiP=iRJYR6UqgHCrgNQ@mail.gmail.com  

M doc/src/sgml/syntax.sgml

Fix timing-dependent failure in GSSAPI data transmission.

commit   : a50053777e95b077b2d8a43d8adfa9d396dd3994    
  
author   : Tom Lane <[email protected]>    
date     : Thu, 23 Nov 2023 13:30:18 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Thu, 23 Nov 2023 13:30:18 -0500    

Click here for diff

When using GSSAPI encryption in non-blocking mode, libpq sometimes  
failed with "GSSAPI caller failed to retransmit all data needing  
to be retried".  The cause is that pqPutMsgEnd rounds its transmit  
request down to an even multiple of 8K, and sometimes that can lead  
to not requesting a write of data that was requested to be written  
(but reported as not written) earlier.  That can upset pg_GSS_write's  
logic for dealing with not-yet-written data, since it's possible  
the data in question had already been incorporated into an encrypted  
packet that we weren't able to send during the previous call.  
  
We could fix this with a one-or-two-line hack to disable pqPutMsgEnd's  
round-down behavior, but that seems like making the caller work around  
a behavior that pg_GSS_write shouldn't expose in this way.  Instead,  
adjust pg_GSS_write to never report a partial write: it either  
reports a complete write, or reflects the failure of the lower-level  
pqsecure_raw_write call.  The requirement still exists for the caller  
to present at least as much data as on the previous call, but with  
the caller-visible write start point not moving there is no temptation  
for it to present less.  We lose some ability to reclaim buffer space  
early, but I doubt that that will make much difference in practice.  
  
This also gets rid of a rather dubious assumption that "any  
interesting failure condition (from pqsecure_raw_write) will recur  
on the next try".  We've not seen failure reports traceable to that,  
but I've never trusted it particularly and am glad to remove it.  
  
Make the same adjustments to the equivalent backend routine  
be_gssapi_write().  It is probable that there's no bug on the backend  
side, since we don't have a notion of nonblock mode there; but we  
should keep the logic the same to ease future maintenance.  
  
Per bug #18210 from Lars Kanis.  Back-patch to all supported branches.  
  
Discussion: https://postgr.es/m/[email protected]  

M src/backend/libpq/be-secure-gssapi.c
M src/interfaces/libpq/fe-secure-gssapi.c
M src/interfaces/libpq/libpq-int.h

Fix resource leak when a FDW's ForeignAsyncRequest function fails

commit   : 481d7d1c01c6335661dd2ccf505298e4b91ee12a    
  
author   : Heikki Linnakangas <[email protected]>    
date     : Thu, 23 Nov 2023 13:30:13 +0200    
  
committer: Heikki Linnakangas <[email protected]>    
date     : Thu, 23 Nov 2023 13:30:13 +0200    

Click here for diff

If an error is thrown after calling CreateWaitEventSet(), the memory  
of a WaitEventSet is free'd as it's allocated in the short-lived  
memory context, but the file descriptor (on epoll- or kqueue-based  
systems) or handles (on Windows) that it contains are leaked.  
  
Use PG_TRY-FINALLY to ensure it gets freed. (On master, I will apply a  
better fix, using ResourceOwners to track the WaitEventSet, but that's  
not backpatchable.)  
  
The added test doesn't check for leaking resources, so it passed even  
before this commit. But at least it covers the code path.  
  
In the passing, fix misleading comment on what the 'nevents' argument  
to WaitEventSetWait means.  
  
Report by Alexander Lakhin, analysis and suggestion for the fix by Tom  
Lane. Fixes bug #17828. Backpatch to v14 where async execution was  
introduced, but master gets a different fix.  
  
Discussion: https://www.postgresql.org/message-id/[email protected]  
Discussion: https://www.postgresql.org/message-id/[email protected]  

M contrib/postgres_fdw/expected/postgres_fdw.out
M contrib/postgres_fdw/sql/postgres_fdw.sql
M src/backend/executor/nodeAppend.c

Fix the initial sync tables with no columns.

commit   : 57aae65aee2626143055349954024b678c92bb11    
  
author   : Amit Kapila <[email protected]>    
date     : Wed, 22 Nov 2023 11:14:35 +0530    
  
committer: Amit Kapila <[email protected]>    
date     : Wed, 22 Nov 2023 11:14:35 +0530    

Click here for diff

The copy command formed for initial sync was using parenthesis for tables  
with no columns leading to syntax error. This patch avoids adding  
parenthesis for such tables.  
  
Reported-by: Justin G  
Author: Vignesh C  
Reviewed-by: Peter Smith, Amit Kapila  
Backpatch-through: 15  
Discussion: http://postgr.es/m/[email protected]  

M src/backend/replication/logical/tablesync.c
M src/test/subscription/t/001_rep_changes.pl

doc: FreeBSD uses camcontrol identify, not atacontrol, for cache

commit   : 4e64be6520dbc67febbf8ecd8fe28bad06c0255c    
  
author   : Bruce Momjian <[email protected]>    
date     : Tue, 21 Nov 2023 20:09:20 -0500    
  
committer: Bruce Momjian <[email protected]>    
date     : Tue, 21 Nov 2023 20:09:20 -0500    

Click here for diff

This is for IDE drive cache control, same as SCSI (already documented  
properly).  
  
Reported-by: John Ekins  
  
Discussion: https://postgr.es/m/[email protected]  
  
Author: John Ekins  
  
Backpatch-through: 12  

M doc/src/sgml/wal.sgml

Fix query checking consistency of table amhandlers in opr_sanity.sql

commit   : 63e045c2dcf53eb56d2851acc1236c31f3098a95    
  
author   : Michael Paquier <[email protected]>    
date     : Wed, 22 Nov 2023 09:32:34 +0900    
  
committer: Michael Paquier <[email protected]>    
date     : Wed, 22 Nov 2023 09:32:34 +0900    

Click here for diff

As written, the query checked for an access method of type 's', which is  
not an AM type supported in the core code.  
  
Error introduced by 8586bf7ed888.  As this query is not checking what it  
should, backpatch all the way down.  
  
Reviewed-by: Aleksander Alekseev  
Discussion: https://postgr.es/m/[email protected]  
Backpatch-through: 12  

M src/test/regress/expected/opr_sanity.out
M src/test/regress/sql/opr_sanity.sql

Lock table in DROP STATISTICS

commit   : 0177fc773e3c6cfafbcfc8e447c013bd2dfe3672    
  
author   : Tomas Vondra <[email protected]>    
date     : Sun, 19 Nov 2023 21:03:29 +0100    
  
committer: Tomas Vondra <[email protected]>    
date     : Sun, 19 Nov 2023 21:03:29 +0100    

Click here for diff

The DROP STATISTICS code failed to properly lock the table, leading to  
  
  ERROR:  tuple concurrently deleted  
  
when executed concurrently with ANALYZE.  
  
Fixed by modifying RemoveStatisticsById() to acquire the same lock as  
ANALYZE. This function is called only by DROP STATISTICS, as ANALYZE  
calls RemoveStatisticsDataById() directly.  
  
Reported by Justin Pryzby, fix by me. Backpatch through 12. The code was  
like this since it was introduced in 10, but older releases are EOL.  
  
Reported-by: Justin Pryzby  
Reviewed-by: Tom Lane  
Backpatch-through: 12  
  
Discussion: https://postgr.es/m/ZUuk-8CfbYeq6g_u@pryzbyj2023  

M src/backend/commands/statscmds.c

Fix typo in person's name.

commit   : 1816ecd3858999cc18f3994d29942bfeb0a60944    
  
author   : Noah Misch <[email protected]>    
date     : Sat, 18 Nov 2023 17:31:18 -0800    
  
committer: Noah Misch <[email protected]>    
date     : Sat, 18 Nov 2023 17:31:18 -0800    

Click here for diff

Back-patch v16..v12 (all supported versions); master is unaffected.  

M doc/src/sgml/release-15.sgml

Guard against overflow in interval_mul() and interval_div().

commit   : 2851aa7d1fc3bd3dfac00ff2250a7e029ed6499f    
  
author   : Dean Rasheed <[email protected]>    
date     : Sat, 18 Nov 2023 14:47:04 +0000    
  
committer: Dean Rasheed <[email protected]>    
date     : Sat, 18 Nov 2023 14:47:04 +0000    

Click here for diff

Commits 146604ec43 and a898b409f6 added overflow checks to  
interval_mul(), but not to interval_div(), which contains almost  
identical code, and so is susceptible to the same kinds of  
overflows. In addition, those checks did not catch all possible  
overflow conditions.  
  
Add additional checks to the "cascade down" code in interval_mul(),  
and copy all the overflow checks over to the corresponding code in  
interval_div(), so that they both generate "interval out of range"  
errors, rather than returning bogus results.  
  
Given that these errors are relatively easy to hit, back-patch to all  
supported branches.  
  
Per bug #18200 from Alexander Lakhin, and subsequent investigation.  
  
Discussion: https://postgr.es/m/18200-5ea288c7b2d504b1%40postgresql.org  

M src/backend/utils/adt/timestamp.c
M src/test/regress/expected/interval.out
M src/test/regress/sql/interval.sql

doc: improve description of privileges for MERGE and update glossary.

commit   : ff772853d02e274684567620fba56dd1f10f2489    
  
author   : Dean Rasheed <[email protected]>    
date     : Sat, 18 Nov 2023 12:37:40 +0000    
  
committer: Dean Rasheed <[email protected]>    
date     : Sat, 18 Nov 2023 12:37:40 +0000    

Click here for diff

On the MERGE page, the description of the privileges required could be  
taken to imply that the SELECT privilege is required on all columns of  
the data source, whereas actually it is only required on the columns  
referred to by conditions or expressions in the MERGE command. Re-word  
it to make that a little clearer, and mention expressions as well as  
conditions.  
  
Also, add a glossary entry for MERGE, and nearby on the glossary page,  
mention MERGE in the list of commands that cannot update a  
materialized view.  
  
Noted by Jian He. Patch by me, reviewed by Jian He.  
  
Discussion: https://postgr.es/m/CACJufxHuSoRXKwr0MtSFLXuT2nFVWcVfEWhxg7qdP9h%2Bs3a%2BUw%40mail.gmail.com  

M doc/src/sgml/glossary.sgml
M doc/src/sgml/ref/merge.sgml

llvmjit: Use explicit LLVMContextRef for inlining

commit   : aef521849b68d1eeb63c3dfbc4e92d66dc94a636    
  
author   : Daniel Gustafsson <[email protected]>    
date     : Fri, 17 Nov 2023 10:20:51 +0100    
  
committer: Daniel Gustafsson <[email protected]>    
date     : Fri, 17 Nov 2023 10:20:51 +0100    

Click here for diff

When performing inlining LLVM unfortunately "leaks" types (the  
types survive and are usable, but a new round of inlining will  
recreate new structurally equivalent types). This accumulation  
will over time amount to a memory leak which for some queries  
can be large enough to trigger the OOM process killer.  
  
To avoid accumulation of types, all IR related data is stored  
in an LLVMContextRef which is dropped and recreated in order  
to release all types.  Dropping and recreating incurs overhead,  
so it will be done only after 100 queries. This is a heuristic  
which might be revisited, but until we can get the size of the  
context from LLVM we are flying a bit blind.  
  
This issue has been reported several times, there may be more  
references to it in the archives on top of the threads linked  
below.  
  
This is a backpatch of 9dce22033d5 to all supported branches.  
  
Reported-By: Justin Pryzby <[email protected]>  
Reported-By: Kurt Roeckx <[email protected]>  
Reported-By: Jaime Casanova <[email protected]>  
Reported-By: Lauri Laanmets <[email protected]>  
Author: Andres Freund and Daniel Gustafsson  
Discussion: https://postgr.es/m/[email protected]  
Discussion: https://postgr.es/m/[email protected]  
Discussion: https://postgr.es/m/CAPH-tTxLf44s3CvUUtQpkDr1D8Hxqc2NGDzGXS1ODsfiJ6WSqA@mail.gmail.com  
Backpatch-through: v12  

M src/backend/jit/llvm/llvmjit.c
M src/backend/jit/llvm/llvmjit_deform.c
M src/backend/jit/llvm/llvmjit_expr.c
M src/backend/jit/llvm/llvmjit_inline.cpp
M src/include/jit/llvmjit.h
M src/include/jit/llvmjit_emit.h

Ensure we preprocess expressions before checking their volatility.

commit   : 9057ddbefe7e8a1aed8ea91fc0f98f31b8e693d7    
  
author   : Tom Lane <[email protected]>    
date     : Thu, 16 Nov 2023 10:05:14 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Thu, 16 Nov 2023 10:05:14 -0500    

Click here for diff

contain_mutable_functions and contain_volatile_functions give  
reliable answers only after expression preprocessing (specifically  
eval_const_expressions).  Some places understand this, but some did  
not get the memo --- which is not entirely their fault, because the  
problem is documented only in places far away from those functions.  
Introduce wrapper functions that allow doing the right thing easily,  
and add commentary in hopes of preventing future mistakes from  
copy-and-paste of code that's only conditionally safe.  
  
Two actual bugs of this ilk are fixed here.  We failed to preprocess  
column GENERATED expressions before checking mutability, so that the  
code could fail to detect the use of a volatile function  
default-argument expression, or it could reject a polymorphic function  
that is actually immutable on the datatype of interest.  Likewise,  
column DEFAULT expressions weren't preprocessed before determining if  
it's safe to apply the attmissingval mechanism.  A false negative  
would just result in an unnecessary table rewrite, but a false  
positive could allow the attmissingval mechanism to be used in a case  
where it should not be, resulting in unexpected initial values in a  
new column.  
  
In passing, re-order the steps in ComputePartitionAttrs so that its  
checks for invalid column references are done before applying  
expression_planner, rather than after.  The previous coding would  
not complain if a partition expression contains a disallowed column  
reference that gets optimized away by constant folding, which seems  
to me to be a behavior we do not want.  
  
Per bug #18097 from Jim Keener.  Back-patch to all supported versions.  
  
Discussion: https://postgr.es/m/[email protected]  

M src/backend/catalog/heap.c
M src/backend/commands/copyfrom.c
M src/backend/commands/indexcmds.c
M src/backend/commands/tablecmds.c
M src/backend/optimizer/util/clauses.c
M src/include/optimizer/optimizer.h
M src/test/regress/expected/fast_default.out
M src/test/regress/expected/generated.out
M src/test/regress/sql/fast_default.sql
M src/test/regress/sql/generated.sql

Fix fallback implementation for pg_atomic_test_set_flag().

commit   : 18f47989ecb0d63db34f8140cc335fec2543fe4a    
  
author   : Nathan Bossart <[email protected]>    
date     : Wed, 15 Nov 2023 15:04:18 -0600    
  
committer: Nathan Bossart <[email protected]>    
date     : Wed, 15 Nov 2023 15:04:18 -0600    

Click here for diff

The fallback implementation of pg_atomic_test_set_flag() that uses  
atomic-exchange gives pg_atomic_exchange_u32_impl() an extra  
argument.  This issue has been present since the introduction of  
the atomics API in commit b64d92f1a5.  
  
Reviewed-by: Andres Freund  
Discussion: https://postgr.es/m/20231114035439.GA1809032%40nathanxps13  
Backpatch-through: 12  

M src/include/port/atomics/generic.h

Allow new role 'regress_dump_login_role' to log in under SSPI.

commit   : 63c1b4d88a6fb268cd6cd3b177554257d6c40955    
  
author   : Tom Lane <[email protected]>    
date     : Tue, 14 Nov 2023 00:31:39 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Tue, 14 Nov 2023 00:31:39 -0500    

Click here for diff

Semi-blind attempt to fix a70f2a57f to work on Windows,  
along the same lines as 5253519b2.  Per buildfarm.  

M src/test/modules/test_pg_dump/t/001_base.pl

Don't try to dump RLS policies or security labels for extension objects.

commit   : f15147df625fca1466ff3488ced517c239844eef    
  
author   : Tom Lane <[email protected]>    
date     : Mon, 13 Nov 2023 17:04:10 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Mon, 13 Nov 2023 17:04:10 -0500    

Click here for diff

checkExtensionMembership() set the DUMP_COMPONENT_SECLABEL and  
DUMP_COMPONENT_POLICY flags for extension member objects, even though  
we lack any infrastructure for tracking extensions' initial settings  
of these properties.  This is not OK.  The result was that a dump  
would always include commands to set these properties for extension  
objects that have them, with at least three negative consequences:  
  
1. The restoring user might not have privilege to set these properties  
on these objects.  
  
2. The properties might be incorrect/irrelevant for the version of the  
extension that's installed in the destination database.  
  
3. The dump itself might fail, in the case of RLS properties attached  
to extension tables that the dumping user lacks privilege to LOCK.  
(That's because we must get at least AccessShareLock to ensure that  
we don't fail while trying to decompile the RLS expressions.)  
  
When and if somebody cares to invent initial-state infrastructure for  
extensions' RLS policies and security labels, we could think about  
finding another way around problem #3.  But in the absence of such  
infrastructure, this whole thing is just wrong and we shouldn't do it.  
  
(Note: this applies only to ordinary dumps; binary-upgrade dumps  
still dump and restore extension member objects separately, with  
all properties.)  
  
Tom Lane and Jacob Champion.  Back-patch to all supported branches.  
  
Discussion: https://postgr.es/m/[email protected]  

M src/bin/pg_dump/pg_dump.c
M src/test/modules/test_pg_dump/t/001_base.pl
M src/test/modules/test_pg_dump/test_pg_dump–1.0.sql

doc: correct description of libpq's PQsetnonblocking() mode

commit   : 403f4f4fa1b1fc32b6884890ba7c4242f54ec2a6    
  
author   : Bruce Momjian <[email protected]>    
date     : Mon, 13 Nov 2023 14:03:37 -0500    
  
committer: Bruce Momjian <[email protected]>    
date     : Mon, 13 Nov 2023 14:03:37 -0500    

Click here for diff

Reported-by: Yugo NAGATA  
  
Discussion: https://postgr.es/m/[email protected]  
  
Backpatch-through: 12-16, master already done  

M doc/src/sgml/libpq.sgml

Don't release index root page pin in ginFindParents().

commit   : 4c73ec604844ad2c0b496e401a339b09edd8ef3e    
  
author   : Tom Lane <[email protected]>    
date     : Mon, 13 Nov 2023 11:44:35 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Mon, 13 Nov 2023 11:44:35 -0500    

Click here for diff

It's clearly stated in the comments that ginFindParents() must keep  
the pin on the index's root page that's associated with the topmost  
GinBtreeStack item.  However, the code path for the case that the  
desired downlink has been pushed down to the next index level  
ignored this proviso, and would release the pin anyway if we were  
still examining the root level.  That led to an assertion failure  
or "buffer NNNN is not owned by resource owner" error later, when  
we try to release the pin again at the end of the insertion.  
  
This is quite hard to reproduce, since it can only happen if an  
index root page split occurs concurrently with our own insertion.  
Thanks to Jeff Janes for finding a test case that triggers it  
often enough to allow investigation.  
  
This has been there since the beginning of GIN, so back-patch  
to all supported branches.  
  
Discussion: https://postgr.es/m/CAMkU=1yCAKtv86dMrD__Ja-7KzjE=uMeKX8y__cx5W-OEWy2ow@mail.gmail.com  

M src/backend/access/gin/ginbtree.c

doc: Add missing semicolon in example

commit   : 06169ffda3b6644de7671c7d0284477da4e2d20f    
  
author   : Daniel Gustafsson <[email protected]>    
date     : Mon, 13 Nov 2023 14:13:03 +0100    
  
committer: Daniel Gustafsson <[email protected]>    
date     : Mon, 13 Nov 2023 14:13:03 +0100    

Click here for diff

One of the examples on the SELECT page was missing a semicolon from  
a listing which has the look and feel of being a psql session. This  
adds the missing semicolon and also removes the newline between the  
query and results to match the other examples nearby.  
  
Backpatch to all supported branches to avoid backpatching issues on  
this page.  
  
Reported-by: [email protected]  
Discussion: https://postgr.es/m/[email protected]  
Backpatch-through: v12  

M doc/src/sgml/ref/select.sgml

Remove incorrect file reference in comment.

commit   : c30f1fcd8abf25524120797dda3b7650231ca73c    
  
author   : Etsuro Fujita <[email protected]>    
date     : Mon, 13 Nov 2023 19:05:03 +0900    
  
committer: Etsuro Fujita <[email protected]>    
date     : Mon, 13 Nov 2023 19:05:03 +0900    

Click here for diff

Commit b7eda3e0e moved XidInMVCCSnapshot() from tqual.c into snapmgr.c,  
but follow-up commit c91560def incorrectly updated this reference.  We  
could fix it, but as pointed out by Daniel Gustafsson, 1) the reader can  
easily find the file that contains the definition of that function, e.g.  
by grepping, and 2) this kind of reference is prone to going stale; so  
let's just remove it.  
  
Back-patch to all supported branches.  
  
Reviewed by Daniel Gustafsson.  
  
Discussion: https://postgr.es/m/CAPmGK145VdKkPBLWS2urwhgsfidbSexwY-9zCL6xSUJH%2BBTUUg%40mail.gmail.com  

M src/backend/storage/ipc/procarray.c

Fix AFTER ROW trigger execution in MERGE cross-partition update.

commit   : c0bfdaf2b773d9e0de343c768dfbb89c250ae439    
  
author   : Dean Rasheed <[email protected]>    
date     : Thu, 9 Nov 2023 11:28:25 +0000    
  
committer: Dean Rasheed <[email protected]>    
date     : Thu, 9 Nov 2023 11:28:25 +0000    

Click here for diff

When executing a MERGE UPDATE action, if the UPDATE is turned into a  
cross-partition DELETE then INSERT, do not attempt to invoke AFTER  
UPDATE ROW triggers, or any of the other post-update actions in  
ExecUpdateEpilogue().  
  
For consistency with a plain UPDATE command, such triggers should not  
be fired (and typically fail anyway), and similarly, other post-update  
actions, such as WCO/RLS checks should not be executed, and might also  
lead to unexpected failures.  
  
Therefore, as with ExecUpdate(), make ExecMergeMatched() return  
immediately if ExecUpdateAct() reports that a cross-partition update  
was done, to be sure that no further processing is done for that  
tuple.  
  
Back-patch to v15, where MERGE was introduced.  
  
Discussion: https://postgr.es/m/CAEZATCWjBgagyNZs02vgDF0DvASYj-iHTFtXG2-nP3orZhmtcw%40mail.gmail.com  

M src/backend/executor/nodeModifyTable.c
M src/test/regress/expected/triggers.out
M src/test/regress/sql/triggers.sql

Ensure we use the correct spelling of "ensure"

commit   : 456d697bae081ae77ff222375cf0704316041f88    
  
author   : David Rowley <[email protected]>    
date     : Fri, 10 Nov 2023 00:17:07 +1300    
  
committer: David Rowley <[email protected]>    
date     : Fri, 10 Nov 2023 00:17:07 +1300    

Click here for diff

We seem to have accidentally used "insure" in a few places.  Correct  
that.  
  
Author: Peter Smith  
Discussion: https://postgr.es/m/CAHut+Pv0biqrhA3pMhu40aDsj343mTsD75khKnHsLqR8P04f=Q@mail.gmail.com  
Backpatch-through: 12, oldest supported version  

M src/backend/access/heap/hio.c
M src/backend/utils/misc/guc.c
M src/include/storage/buf_internals.h

Fix corner-case 64-bit integer subtraction bug on some platforms.

commit   : 308a69a9878212bc2f96279023ce16070dac9214    
  
author   : Dean Rasheed <[email protected]>    
date     : Thu, 9 Nov 2023 09:54:22 +0000    
  
committer: Dean Rasheed <[email protected]>    
date     : Thu, 9 Nov 2023 09:54:22 +0000    

Click here for diff

When computing "0 - INT64_MIN", most platforms would report an  
overflow error, which is correct. However, platforms without integer  
overflow builtins or 128-bit integers would fail to spot the overflow,  
and incorrectly return INT64_MIN.  
  
Back-patch to all supported branches.  
  
Patch be me. Thanks to Jian He for initial investigation, and Laurenz  
Albe and Tom Lane for review.  
  
Discussion: https://postgr.es/m/CAEZATCUNK-AZSD0jVdgkk0N%3DNcAXBWeAEX-QU9AnJPensikmdQ%40mail.gmail.com  

M src/include/common/int.h
M src/test/regress/expected/int8.out
M src/test/regress/sql/int8.sql

Call pqPipelineFlush from PQsendFlushRequest

commit   : 0e28091d5507bd63d5ad51e9795dd368aa4c7c4c    
  
author   : Alvaro Herrera <[email protected]>    
date     : Wed, 8 Nov 2023 16:44:08 +0100    
  
committer: Alvaro Herrera <[email protected]>    
date     : Wed, 8 Nov 2023 16:44:08 +0100    

Click here for diff

When PQsendFlushRequest() was added by commit 69cf1d5429d4, we argued  
against adding a PQflush() call in it[1].  This is still the right  
decision: if the user wants a flush to occur, they can just call that.  
However, we failed to realize that the message bytes could still be  
given to the kernel for transmitting when this can be made without  
blocking.  That's what pqPipelineFlush() does, and it is done for every  
single other message type sent by libpq, so do that.  
  
(When the socket is in blocking mode this may indeed block, but that's  
what all the other libpq message-sending routines do, too.)  
  
[1] https://www.postgresql.org/message-id/202106252352.5ca4byasfun5%40alvherre.pgsql  
  
Author: Jelte Fennema-Nio <[email protected]>  
Discussion: https://postgr.es/m/CAGECzQTxZRevRWkKodE-SnJk1Yfm4eKT+8E4Cyq3MJ9YKTnNew@mail.gmail.com  

M src/interfaces/libpq/fe-exec.c

Enlarge assertion in bloom_init() for false_positive_rate

commit   : 7e18c0bd63aecb9fc4ee2e8aaf537d4952bd0197    
  
author   : Michael Paquier <[email protected]>    
date     : Wed, 8 Nov 2023 14:06:39 +0900    
  
committer: Michael Paquier <[email protected]>    
date     : Wed, 8 Nov 2023 14:06:39 +0900    

Click here for diff

false_positive_rate is a parameter that can be set with the bloom  
opclass in BRIN, and setting it to a value of exactly 0.25 would trigger  
an assertion in the first INSERT done on the index with value set.  
  
The assertion changed here relied on BLOOM_{MIN|MAX}_FALSE_POSITIVE_RATE  
that are somewhat arbitrary values, and specifying an out-of-range value  
would also trigger a failure when defining such an index.  So, as-is,  
the assertion was just doubling on the min-max check of the reloption.  
This is now enlarged to check that it is a correct percentage value,  
instead, based on a suggestion by Tom Lane.  
  
Author: Alexander Lakhin  
Reviewed-by: Tom Lane, Shihao Zhong  
Discussion: https://postgr.es/m/[email protected]  
Backpatch-through: 14  

M src/backend/access/brin/brin_bloom.c