PostgreSQL 9.6.1 commit log

Stamp 9.6.1.

commit   : 16e7c02c423449697b78ca857e5847981785e9ed    
  
author   : Tom Lane <[email protected]>    
date     : Mon, 24 Oct 2016 16:08:51 -0400    
  
committer: Tom Lane <[email protected]>    
date     : Mon, 24 Oct 2016 16:08:51 -0400    

Click here for diff

M configure
M configure.in
M doc/bug.template
M src/include/pg_config.h.win32
M src/interfaces/libpq/libpq.rc.in
M src/port/win32ver.rc

Translation updates

commit   : 681fdbbff1cd44963883c27007f10e1a8c4e65de    
  
author   : Peter Eisentraut <[email protected]>    
date     : Mon, 24 Oct 2016 12:00:00 -0400    
  
committer: Peter Eisentraut <[email protected]>    
date     : Mon, 24 Oct 2016 12:00:00 -0400    

Click here for diff

Source-Git-URL: git://git.postgresql.org/git/pgtranslation/messages.git  
Source-Git-Hash: e4e428572533133cac4ecefd69d251a0b5674fa3  

M src/backend/po/de.po
M src/backend/po/ru.po
M src/bin/initdb/po/ko.po
M src/bin/pg_basebackup/po/ko.po
M src/bin/pg_basebackup/po/ru.po
M src/bin/pg_config/po/ko.po
M src/bin/pg_controldata/po/ko.po
M src/bin/pg_ctl/po/ko.po
M src/bin/pg_dump/po/ko.po
M src/bin/pg_dump/po/ru.po
M src/bin/pg_resetxlog/po/ko.po
M src/bin/pg_rewind/po/de.po
M src/bin/pg_rewind/po/ko.po
M src/bin/pg_rewind/po/ru.po
M src/bin/psql/nls.mk
A src/bin/psql/po/ko.po
M src/bin/psql/po/ru.po
M src/bin/scripts/po/ja.po
M src/bin/scripts/po/ko.po
M src/bin/scripts/po/ru.po
M src/interfaces/ecpg/ecpglib/po/ko.po
M src/interfaces/ecpg/preproc/po/ko.po
M src/interfaces/ecpg/preproc/po/ru.po
M src/interfaces/libpq/po/ko.po
M src/interfaces/libpq/po/ru.po
M src/pl/plperl/po/ko.po
M src/pl/plpgsql/src/po/ko.po
M src/pl/plpython/po/ko.po

Update release notes for last-minute commit timestamp fix.

commit   : b9a728ef45fcfd93aa2efafb6876d2a946793f95    
  
author   : Tom Lane <[email protected]>    
date     : Mon, 24 Oct 2016 09:37:23 -0400    
  
committer: Tom Lane <[email protected]>    
date     : Mon, 24 Oct 2016 09:37:23 -0400    

Click here for diff

M doc/src/sgml/release-9.5.sgml
M doc/src/sgml/release-9.6.sgml

Preserve commit timestamps across clean restart

commit   : c8329f934e1bce2a47ca9127cb7cf704e070c278    
  
author   : Alvaro Herrera <[email protected]>    
date     : Mon, 24 Oct 2016 09:27:24 -0300    
  
committer: Alvaro Herrera <[email protected]>    
date     : Mon, 24 Oct 2016 09:27:24 -0300    

Click here for diff

An oversight in setting the boundaries of known commit timestamps during  
startup caused old commit timestamps to become inaccessible after a  
server restart.  
  
Author and reporter: Julien Rouhaud  
Review, test code: Craig Ringer  

M src/backend/access/transam/commit_ts.c
A src/test/modules/commit_ts/t/004_restart.pl

Release notes for 9.6.1, 9.5.5, 9.4.10, 9.3.15, 9.2.19, 9.1.24.

commit   : 6beb8c75ceed610a8e5d416882aad75fe722249e    
  
author   : Tom Lane <[email protected]>    
date     : Sun, 23 Oct 2016 22:13:28 -0400    
  
committer: Tom Lane <[email protected]>    
date     : Sun, 23 Oct 2016 22:13:28 -0400    

Click here for diff

M doc/src/sgml/release-9.1.sgml
M doc/src/sgml/release-9.2.sgml
M doc/src/sgml/release-9.3.sgml
M doc/src/sgml/release-9.4.sgml
M doc/src/sgml/release-9.5.sgml
M doc/src/sgml/release-9.6.sgml

Avoid testing tuple visibility without buffer lock.

commit   : fdcee9f1fc12d6d2c20da8da632b2062d2ed6289    
  
author   : Tom Lane <[email protected]>    
date     : Sun, 23 Oct 2016 19:14:32 -0400    
  
committer: Tom Lane <[email protected]>    
date     : Sun, 23 Oct 2016 19:14:32 -0400    

Click here for diff

INSERT ... ON CONFLICT (specifically ExecCheckHeapTupleVisible) contains  
another example of this unsafe coding practice.  It is much harder to get  
a failure out of it than the case fixed in commit 6292c2339, because in  
most scenarios any hint bits that could be set would have already been set  
earlier in the command.  However, Konstantin Knizhnik reported a failure  
with a custom transaction manager, and it's clearly possible to get a  
failure via a race condition in async-commit mode.  
  
For lack of a reproducible example, no regression test case in this  
commit.  
  
I did some testing with Asserts added to tqual.c's functions, and can say  
that running "make check-world" exposed these two bugs and no others.  
The Asserts are messy enough that I've not added them to the code for now.  
  
Report: <[email protected]>  
Related-Discussion: <CAO3NbwOycQjt2Oqy2VW-eLTq2M5uGMyHnGm=RNga4mjqcYD7gQ@mail.gmail.com>  

M src/backend/executor/nodeModifyTable.c

Don't throw serialization errors for self-conflicts in INSERT ON CONFLICT.

commit   : c4016fcb1fd2a20ef589a3a616b59381256a985a    
  
author   : Tom Lane <[email protected]>    
date     : Sun, 23 Oct 2016 18:36:13 -0400    
  
committer: Tom Lane <[email protected]>    
date     : Sun, 23 Oct 2016 18:36:13 -0400    

Click here for diff

A transaction that conflicts against itself, for example  
	INSERT INTO t(pk) VALUES (1),(1) ON CONFLICT DO NOTHING;  
should behave the same regardless of isolation level.  It certainly  
shouldn't throw a serialization error, as retrying will not help.  
We got this wrong due to the ON CONFLICT logic not considering the case,  
as reported by Jason Dusek.  
  
Core of this patch is by Peter Geoghegan (based on an earlier patch by  
Thomas Munro), though I didn't take his proposed code refactoring for fear  
that it might have unexpected side-effects.  Test cases by Thomas Munro  
and myself.  
  
Report: <CAO3NbwOycQjt2Oqy2VW-eLTq2M5uGMyHnGm=RNga4mjqcYD7gQ@mail.gmail.com>  
Related-Discussion: <[email protected]>  

M src/backend/executor/nodeModifyTable.c
A src/test/isolation/expected/insert-conflict-do-nothing-2.out
M src/test/isolation/isolation_schedule
A src/test/isolation/specs/insert-conflict-do-nothing-2.spec
M src/test/regress/expected/insert_conflict.out
M src/test/regress/sql/insert_conflict.sql

Avoid testing tuple visibility without buffer lock in RI_FKey_check().

commit   : 5beb73b49598ff255c3d085d27d72bf28c8551b0    
  
author   : Tom Lane <[email protected]>    
date     : Sun, 23 Oct 2016 15:01:24 -0400    
  
committer: Tom Lane <[email protected]>    
date     : Sun, 23 Oct 2016 15:01:24 -0400    

Click here for diff

Despite the argumentation I wrote in commit 7a2fe85b0, it's unsafe to do  
this, because in corner cases it's possible for HeapTupleSatisfiesSelf  
to try to set hint bits on the target tuple; and at least since 8.2 we  
have required the buffer content lock to be held while setting hint bits.  
  
The added regression test exercises one such corner case.  Unpatched, it  
causes an assertion failure in assert-enabled builds, or otherwise would  
cause a hint bit change in a buffer we don't hold lock on, which given  
the right race condition could result in checksum failures or other data  
consistency problems.  The odds of a problem in the field are probably  
pretty small, but nonetheless back-patch to all supported branches.  
  
Report: <[email protected]>  

M src/backend/utils/adt/ri_triggers.c
M src/test/regress/expected/foreign_key.out
M src/test/regress/sql/foreign_key.sql

Improve documentation about use of Linux huge pages.

commit   : dc04be21d655c06ead19247c0240c684ce03b9d1    
  
author   : Tom Lane <[email protected]>    
date     : Sat, 22 Oct 2016 14:04:51 -0400    
  
committer: Tom Lane <[email protected]>    
date     : Sat, 22 Oct 2016 14:04:51 -0400    

Click here for diff

Show how to get the system's huge page size, rather than misleadingly  
referring to PAGE_SIZE (which is usually understood to be the regular  
page size).  Show how to confirm whether huge pages have been allocated.  
Minor wordsmithing.  Back-patch to 9.4 where this section appeared.  

M doc/src/sgml/runtime.sgml

Doc: wording tweak for PERL, PYTHON, TCLSH configuration variables.

commit   : a92c0f695bdf4e38218e918bf0474c0d45b6ebd0    
  
author   : Tom Lane <[email protected]>    
date     : Fri, 21 Oct 2016 11:01:35 -0400    
  
committer: Tom Lane <[email protected]>    
date     : Fri, 21 Oct 2016 11:01:35 -0400    

Click here for diff

Replace "Full path to ..." with "Full path name of ...".  At least one  
user has misinterpreted the existing wording as meaning "Directory  
containing ...".  

M doc/src/sgml/installation.sgml

Fix EXPLAIN so that it doesn't emit invalid XML in corner cases.

commit   : 0336665151f346737102cf27dbb682d6a526c8e4    
  
author   : Tom Lane <[email protected]>    
date     : Thu, 20 Oct 2016 17:17:50 -0400    
  
committer: Tom Lane <[email protected]>    
date     : Thu, 20 Oct 2016 17:17:50 -0400    

Click here for diff

With track_io_timing = on, EXPLAIN (ANALYZE, BUFFERS) will emit fields  
named like "I/O Read Time".  The slash makes that invalid as an XML  
element name, so that adding FORMAT XML would produce invalid XML.  
  
We already have code in there to translate spaces to dashes, so let's  
generalize that to convert anything that isn't a valid XML name character,  
viz letters, digits, hyphens, underscores, and periods.  We could just  
reject slashes, which would run a bit faster.  But the fact that this went  
unnoticed for so long doesn't give me a warm feeling that we'd notice the  
next creative violation, so let's make it a permanent fix.  
  
Reported by Markus Winand, though this isn't his initial patch proposal.  
  
Back-patch to 9.2 where track_io_timing was added.  The problem is only  
latent in 9.1, so I don't feel a need to fix it there.  
  
Discussion: <[email protected]>  

M src/backend/commands/explain.c

Sync our copy of the timezone library with IANA release tzcode2016h.

commit   : 845a8ea3e144c3a9ca2c95fd70de89c26422fb35    
  
author   : Tom Lane <[email protected]>    
date     : Thu, 20 Oct 2016 15:40:07 -0400    
  
committer: Tom Lane <[email protected]>    
date     : Thu, 20 Oct 2016 15:40:07 -0400    

Click here for diff

This absorbs a fix for a symlink-manipulation bug in zic that was  
introduced in 2016g.  It probably isn't interesting for our use-case,  
but I'm not quite sure, so let's update while we're at it.  

M src/timezone/zic.c

Update time zone data files to tzdata release 2016h.

commit   : 80ba149b057418b61d123d9428144406d2d6d238    
  
author   : Tom Lane <[email protected]>    
date     : Thu, 20 Oct 2016 15:20:11 -0400    
  
committer: Tom Lane <[email protected]>    
date     : Thu, 20 Oct 2016 15:20:11 -0400    

Click here for diff

(Didn't I just do this?  Oh well.)  
  
DST law changes in Palestine.  Historical corrections for Turkey.  
Switch to numeric abbreviations for Asia/Colombo.  

M src/timezone/data/asia
M src/timezone/data/australasia
M src/timezone/data/europe
M src/timezone/data/northamerica
M src/timezone/known_abbrevs.txt

Another portability fix for tzcode2016g update.

commit   : 9937088b26eef7bbe27a9bb5f497aa6307fded5c    
  
author   : Tom Lane <[email protected]>    
date     : Wed, 19 Oct 2016 23:32:08 -0400    
  
committer: Tom Lane <[email protected]>    
date     : Wed, 19 Oct 2016 23:32:08 -0400    

Click here for diff

clang points out that SIZE_MAX wouldn't fit into an int, which means  
this comparison is pretty useless.  Per report from Thomas Munro.  

M src/timezone/zic.c

Windows portability fix.

commit   : 9ee22f1ff66ae3632a4cd0391c487a327ef401ca    
  
author   : Tom Lane <[email protected]>    
date     : Wed, 19 Oct 2016 19:28:11 -0400    
  
committer: Tom Lane <[email protected]>    
date     : Wed, 19 Oct 2016 19:28:11 -0400    

Click here for diff

Per buildfarm.  

M src/timezone/zic.c

Sync our copy of the timezone library with IANA release tzcode2016g.

commit   : 7fec5e101a12acbabea6ecef3e7101c5de81e609    
  
author   : Tom Lane <[email protected]>    
date     : Wed, 19 Oct 2016 18:55:52 -0400    
  
committer: Tom Lane <[email protected]>    
date     : Wed, 19 Oct 2016 18:55:52 -0400    

Click here for diff

This is mostly to absorb some corner-case fixes in zic for year-2037  
timestamps.  The other changes that have been made are unlikely to affect  
our usage, but nonetheless we may as well take 'em.  

M src/timezone/localtime.c
M src/timezone/private.h
M src/timezone/strftime.c
M src/timezone/zic.c

Suppress "Factory" zone in pg_timezone_names view for tzdata >= 2016g.

commit   : 1b145a700158ab48c387d38f4830136d307a0e87    
  
author   : Tom Lane <[email protected]>    
date     : Wed, 19 Oct 2016 18:11:49 -0400    
  
committer: Tom Lane <[email protected]>    
date     : Wed, 19 Oct 2016 18:11:49 -0400    

Click here for diff

IANA got rid of the really silly "abbreviation" and replaced it with one  
that's only moderately silly.  But it's still pointless, so keep on not  
showing it.  

M src/backend/utils/adt/datetime.c

Update time zone data files to tzdata release 2016g.

commit   : 0c2f4c54c57cbc7283606137dba5c658511e6c1b    
  
author   : Tom Lane <[email protected]>    
date     : Wed, 19 Oct 2016 17:56:38 -0400    
  
committer: Tom Lane <[email protected]>    
date     : Wed, 19 Oct 2016 17:56:38 -0400    

Click here for diff

DST law changes in Turkey.  Historical corrections for America/Los_Angeles,  
Europe/Kirov, Europe/Moscow, Europe/Samara, and Europe/Ulyanovsk.  
Rename Asia/Rangoon to Asia/Yangon, with a backward compatibility link.  
  
The IANA crew continue their campaign to replace invented time zone  
abbrevations with numeric GMT offsets.  This update changes numerous zones  
in Antarctica and the former Soviet Union, for instance Antarctica/Casey  
now reports "+08" not "AWST" in the pg_timezone_names view.  I kept these  
abbreviations in the tznames/ data files, however, so that we will still  
accept them for input.  (We may want to start trimming those files someday,  
but today is not that day.)  
  
An exception is that since IANA no longer claims that "AMT" is in use  
in Armenia for GMT+4, I replaced it in the Default file with GMT-4,  
corresponding to Amazon Time which is in use in South America.  It may be  
that that meaning is also invented and IANA will drop it in a future  
update; but for now, it seems silly to give pride of place to a meaning  
not traceable to IANA over one that is.  

M src/timezone/data/africa
M src/timezone/data/antarctica
M src/timezone/data/asia
M src/timezone/data/australasia
M src/timezone/data/backward
M src/timezone/data/backzone
M src/timezone/data/etcetera
M src/timezone/data/europe
M src/timezone/data/factory
M src/timezone/data/northamerica
M src/timezone/data/southamerica
M src/timezone/known_abbrevs.txt
M src/timezone/tznames/Antarctica.txt
M src/timezone/tznames/Asia.txt
M src/timezone/tznames/Default
M src/timezone/tznames/Europe.txt
M src/timezone/tznames/Indian.txt

Fix WAL-logging of FSM and VM truncation.

commit   : 142530ef0e683af4f063e4efd3b322cd3e9ea87e    
  
author   : Heikki Linnakangas <[email protected]>    
date     : Wed, 19 Oct 2016 14:43:34 +0300    
  
committer: Heikki Linnakangas <[email protected]>    
date     : Wed, 19 Oct 2016 14:43:34 +0300    

Click here for diff

When a relation is truncated, it is important that the FSM is truncated as  
well. Otherwise, after recovery, the FSM can return a page that has been  
truncated away, leading to errors like:  
  
ERROR:  could not read block 28991 in file "base/16390/572026": read only 0  
of 8192 bytes  
  
We were using MarkBufferDirtyHint() to dirty the buffer holding the last  
remaining page of the FSM, but during recovery, that might in fact not  
dirty the page, and the FSM update might be lost.  
  
To fix, use the stronger MarkBufferDirty() function. MarkBufferDirty()  
requires us to do WAL-logging ourselves, to protect from a torn page, if  
checksumming is enabled.  
  
Also fix an oversight in visibilitymap_truncate: it also needs to WAL-log  
when checksumming is enabled.  
  
Analysis by Pavan Deolasee.  
  
Discussion: <CABOikdNr5vKucqyZH9s1Mh0XebLs_jRhKv6eJfNnD2wxTn=_9A@mail.gmail.com>  
  
Backpatch to 9.3, where we got data checksums.  

M src/backend/access/heap/visibilitymap.c
M src/backend/storage/freespace/freespace.c
A src/test/recovery/t/008_fsm_truncation.pl

Fix cidin() to handle values above 2^31 platform-independently.

commit   : cb6ab91797b98d1498adcea906fbddffec8c8f9c    
  
author   : Tom Lane <[email protected]>    
date     : Tue, 18 Oct 2016 12:24:46 -0400    
  
committer: Tom Lane <[email protected]>    
date     : Tue, 18 Oct 2016 12:24:46 -0400    

Click here for diff

CommandId is declared as uint32, and values up to 4G are indeed legal.  
cidout() handles them properly by treating the value as unsigned int.  
But cidin() was just using atoi(), which has platform-dependent behavior  
for values outside the range of signed int, as reported by Bart Lengkeek  
in bug #14379.  Use strtoul() instead, as xidin() does.  
  
In passing, make some purely cosmetic changes to make xidin/xidout  
look more like cidin/cidout; the former didn't have a monopoly on  
best practice IMO.  
  
Neither xidin nor cidin make any attempt to throw error for invalid input.  
I didn't change that here, and am not sure it's worth worrying about  
since neither is really a user-facing type.  The point is just to ensure  
that indubitably-valid inputs work as expected.  
  
It's been like this for a long time, so back-patch to all supported  
branches.  
  
Report: <[email protected]>  

M src/backend/utils/adt/xid.c

Fix use-after-free around DISTINCT transition function calls.

commit   : a5f0bd77a2fab60a52dc335a63efc21abc806aa7    
  
author   : Heikki Linnakangas <[email protected]>    
date     : Mon, 17 Oct 2016 12:13:16 +0300    
  
committer: Heikki Linnakangas <[email protected]>    
date     : Mon, 17 Oct 2016 12:13:16 +0300    

Click here for diff

Have tuplesort_gettupleslot() copy the contents of its current table slot  
as needed. This is based on an approach taken by tuplestore_gettupleslot().  
In the future, tuplesort_gettupleslot() may also be taught to avoid copying  
the tuple where caller can determine that that is safe (the  
tuplestore_gettupleslot() interface already offers this option to callers).  
  
Patch by Peter Geoghegan. Fixes bug #14344, reported by Regina Obe.  
  
Report: <[email protected]>  
  
Backpatch-through: 9.6  

M src/backend/utils/sort/tuplesort.c

Remove spurious word.

commit   : db4b54f1550aa830890ce190e5d196de8d17db33    
  
author   : Robert Haas <[email protected]>    
date     : Wed, 12 Oct 2016 17:01:19 -0700    
  
committer: Tatsuo Ishii <[email protected]>    
date     : Wed, 12 Oct 2016 17:01:19 -0700    

Click here for diff

Tatsuo Ishii  

M doc/src/sgml/parallel.sgml

Fix assorted integer-overflow hazards in varbit.c.

commit   : 4338ac8e78e95dcc327e86fc9944bdae8c551c27    
  
author   : Tom Lane <[email protected]>    
date     : Fri, 14 Oct 2016 16:28:34 -0400    
  
committer: Tom Lane <[email protected]>    
date     : Fri, 14 Oct 2016 16:28:34 -0400    

Click here for diff

bitshiftright() and bitshiftleft() would recursively call each other  
infinitely if the user passed INT_MIN for the shift amount, due to integer  
overflow in negating the shift amount.  To fix, clamp to -VARBITMAXLEN.  
That doesn't change the results since any shift distance larger than the  
input bit string's length produces an all-zeroes result.  
  
Also fix some places that seemed inadequately paranoid about input typmods  
exceeding VARBITMAXLEN.  While a typmod accepted by anybit_typmodin() will  
certainly be much less than that, at least some of these spots are  
reachable with user-chosen integer values.  
  
Andreas Seltenreich and Tom Lane  
  
Discussion: <[email protected]>  

M src/backend/utils/adt/varbit.c

Fix typo.

commit   : a209d6dc8cce69bf4d305486816845be3febacba    
  
author   : Tatsuo Ishii <[email protected]>    
date     : Fri, 14 Oct 2016 09:03:25 +0900    
  
committer: Tatsuo Ishii <[email protected]>    
date     : Fri, 14 Oct 2016 09:03:25 +0900    

Click here for diff

Confirmed by Michael Paquier.  

M doc/src/sgml/parallel.sgml

Fix handling of pgstat counters for TRUNCATE in a prepared transaction.

commit   : 03f2bf70a3e6fb57f29e41a86cf8f9a14b082616    
  
author   : Tom Lane <[email protected]>    
date     : Thu, 13 Oct 2016 19:45:58 -0400    
  
committer: Tom Lane <[email protected]>    
date     : Thu, 13 Oct 2016 19:45:58 -0400    

Click here for diff

pgstat_twophase_postcommit is supposed to duplicate the math in  
AtEOXact_PgStat, but it had missed out the bit about clearing  
t_delta_live_tuples/t_delta_dead_tuples for a TRUNCATE.  
  
It's harder than you might think to replicate the issue here, because  
those counters would only be nonzero when a previous transaction in  
the same backend had added/deleted tuples in the truncated table,  
and those counts hadn't been sent to the stats collector yet.  
  
Evident oversight in commit d42358efb.  I've not added a regression  
test for this; we tried to add one in d42358efb, and had to revert it  
because it was too timing-sensitive for the buildfarm.  
  
Back-patch to 9.5 where d42358efb came in.  
  
Stas Kelvich  
  
Discussion: <[email protected]>  

M src/backend/postmaster/pgstat.c

Fix typo.

commit   : b8850031ccc51401c256203b7dc9029a1160479e    
  
author   : Tatsuo Ishii <[email protected]>    
date     : Fri, 14 Oct 2016 07:45:25 +0900    
  
committer: Tatsuo Ishii <[email protected]>    
date     : Fri, 14 Oct 2016 07:45:25 +0900    

Click here for diff

Confirmed by Tom Lane.  

M doc/src/sgml/parallel.sgml

Fix another bug in merging of inherited CHECK constraints.

commit   : f9e8b05e5f1c5eeaa963a9550ba6a592bdcb9a97    
  
author   : Tom Lane <[email protected]>    
date     : Thu, 13 Oct 2016 17:05:14 -0400    
  
committer: Tom Lane <[email protected]>    
date     : Thu, 13 Oct 2016 17:05:14 -0400    

Click here for diff

It's not good for an inherited child constraint to be marked connoinherit;  
that would result in the constraint not propagating to grandchild tables,  
if any are created later.  The code mostly prevented this from happening  
but there was one case that was missed.  
  
This is somewhat related to commit e55a946a8, which also tightened checks  
on constraint merging.  Hence, back-patch to 9.2 like that one.  This isn't  
so much because there's a concrete feature-related reason to stop there,  
as to avoid having more distinct behaviors than we have to in this area.  
  
Amit Langote  
  
Discussion: <[email protected]>  

M src/backend/catalog/heap.c
M src/test/regress/expected/inherit.out
M src/test/regress/sql/inherit.sql

Try to find out the actual hugepage size when making a MAP_HUGETLB request.

commit   : 2dd9e315d461b81258f4a575c916aba69c1d69c9    
  
author   : Tom Lane <[email protected]>    
date     : Thu, 13 Oct 2016 15:06:46 -0400    
  
committer: Tom Lane <[email protected]>    
date     : Thu, 13 Oct 2016 15:06:46 -0400    

Click here for diff

Even if Linux's mmap() is okay with a partial-hugepage request, munmap()  
is not, as reported by Chris Richards.  Therefore it behooves us to try  
a bit harder to find out the actual hugepage size, instead of assuming  
that we can skate by with a guess.  
  
For the moment, just look into /proc/meminfo to find out the default  
hugepage size, and use that.  Later, on kernels that support requests  
for nondefault sizes, we might try to consider other alternatives.  
But that smells more like a new feature than a bug fix, especially if  
we want to provide any way for the DBA to control it, so leave it for  
another day.  
  
I set this up to allow easy addition of platform-specific code for  
non-Linux platforms, if needed; but right now there are no reports  
suggesting that we need to work harder on other platforms.  
  
Back-patch to 9.4 where hugepage support was introduced.  
  
Discussion: <[email protected]>  

M src/backend/port/sysv_shmem.c

Clean up handling of anonymous mmap'd shared-memory segment.

commit   : 9a9771c50e8100deb31058fcbb35a5bfd9e1e064    
  
author   : Tom Lane <[email protected]>    
date     : Thu, 13 Oct 2016 13:59:56 -0400    
  
committer: Tom Lane <[email protected]>    
date     : Thu, 13 Oct 2016 13:59:56 -0400    

Click here for diff

Fix detaching of the mmap'd segment to have its own on_shmem_exit callback,  
rather than piggybacking on the one for detaching from the SysV segment.  
That was confusing, and given the distance between the two attach calls,  
it was trouble waiting to happen.  
  
Make the detaching calls idempotent by clearing AnonymousShmem to show  
we've already unmapped.  I spent quite a bit of time yesterday trying  
to find a path that would allow the munmap()'s to be done twice, and  
while I did not succeed, it seems silly that there's even a question.  
  
Make the #ifdef logic less confusing by separating "do we want to use  
anonymous shmem" from EXEC_BACKEND.  Even though there's no current  
scenario where those conditions are different, it is not helpful for  
different places in the same file to be testing EXEC_BACKEND for what  
are fundamentally different reasons.  
  
Don't do on_exit_reset() in StartBackgroundWorker().  At best that's  
useless (InitPostmasterChild would have done it already) and at worst  
it could zap some callback that's unrelated to shared memory.  
  
Improve comments, and simplify the huge_pages enablement logic slightly.  
  
Back-patch to 9.4 where hugepage support was introduced.  
Arguably this should go into 9.3 as well, but the code looks  
significantly different there, and I doubt it's worth the  
trouble of adapting the patch given I can't show a live bug.  

M src/backend/port/sysv_shmem.c
M src/backend/postmaster/bgworker.c

Fix broken jsonb_set() logic for replacing array elements.

commit   : 0e9e64c07ed93fb2be4583adaea28205d3188a0e    
  
author   : Tom Lane <[email protected]>    
date     : Thu, 13 Oct 2016 00:25:28 -0400    
  
committer: Tom Lane <[email protected]>    
date     : Thu, 13 Oct 2016 00:25:28 -0400    

Click here for diff

Commit 0b62fd036 did a fairly sloppy job of refactoring setPath()  
to support jsonb_insert() along with jsonb_set().  In its defense,  
though, there was no regression test case exercising the case of  
replacing an existing element in a jsonb array.  
  
Per bug #14366 from Peng Sun.  Back-patch to 9.6 where bug was introduced.  
  
Report: <[email protected]>  

M src/backend/utils/adt/jsonfuncs.c
M src/test/regress/expected/jsonb.out
M src/test/regress/sql/jsonb.sql

Revert addition of PGDLLEXPORT in PG_FUNCTION_INFO_V1 macro.

commit   : 490734c588c4e70d46950c4f6c64dfd6e592cdcc    
  
author   : Tom Lane <[email protected]>    
date     : Wed, 12 Oct 2016 18:01:43 -0400    
  
committer: Tom Lane <[email protected]>    
date     : Wed, 12 Oct 2016 18:01:43 -0400    

Click here for diff

This turns out not to be as harmless as I thought: MSVC will complain  
if it sees an "extern" declaration without PGDLLEXPORT and then one with.  
(Seems fairly silly, given that this can be changed after the fact by the  
linker, but there you have it.)  Therefore, contrib modules that have  
extern's for V1 functions in header files are falling over in the  
buildfarm, since none of those externs are marked PGDLLEXPORT.  
  
We might or might not conclude that we're willing to plaster those  
declarations with PGDLLEXPORT in HEAD, but in any case there's no way we're  
going to ship this change in the back branches.  Third-party authors would  
not thank us for breaking their code in a minor release.  Hence, revert  
the addition of PGDLLEXPORT (but let's keep the extra info in the comment).  
If we do the other changes we can revert this commit in HEAD.  
  
Per buildfarm.  

M src/include/fmgr.h

Provide DLLEXPORT markers for C functions via PG_FUNCTION_INFO_V1 macro.

commit   : c4a2ffefbf74bae049c95339fb733955d2b12c55    
  
author   : Tom Lane <[email protected]>    
date     : Wed, 12 Oct 2016 12:45:50 -0400    
  
committer: Tom Lane <[email protected]>    
date     : Wed, 12 Oct 2016 12:45:50 -0400    

Click here for diff

This isn't really necessary for our own code, because we use a .DEF file  
in MSVC builds (see gendef.pl), or --export-all-symbols in MinGW and  
Cygwin builds, to ensure that all global symbols in loadable modules  
will be exported on Windows.  However, third-party authors might use  
different build processes that need this marker, and it's harmless  
enough for our own builds.  
  
To some extent, this is an oversight in commit e7128e8db, so back-patch  
to 9.4 where that was added.  
  
Laurenz Albe  
  
Discussion: <A737B7A37273E048B164557ADEF4A58B539300BD@ntex2010a.host.magwien.gv.at>  

M src/include/fmgr.h

Fix copy-pasto in comment.

commit   : 3ccc15312b23fe283c7b63b3109229c16166745e    
  
author   : Heikki Linnakangas <[email protected]>    
date     : Wed, 12 Oct 2016 12:07:54 +0300    
  
committer: Heikki Linnakangas <[email protected]>    
date     : Wed, 12 Oct 2016 12:07:54 +0300    

Click here for diff

Amit Langote  

M src/include/catalog/pg_cast.h

Docs: grammatical fix.

commit   : 1fd64a9277439c94b8e102da6ced534f91807e57    
  
author   : Tom Lane <[email protected]>    
date     : Tue, 11 Oct 2016 10:33:59 -0400    
  
committer: Tom Lane <[email protected]>    
date     : Tue, 11 Oct 2016 10:33:59 -0400    

Click here for diff

Fix poor grammar introduced in 741ccd501.  

M doc/src/sgml/client-auth.sgml

Improve documentation for CREATE RECURSIVE VIEW.

commit   : cdc9d712f56bd3a7f40dbb9135992eb6a7a65e2f    
  
author   : Tom Lane <[email protected]>    
date     : Tue, 11 Oct 2016 10:08:45 -0400    
  
committer: Tom Lane <[email protected]>    
date     : Tue, 11 Oct 2016 10:08:45 -0400    

Click here for diff

It was perhaps not entirely clear that internal self-references shouldn't  
be schema-qualified even if the view name is written with a schema.  
Spell it out.  
  
Discussion: <[email protected]>  

M doc/src/sgml/ref/create_view.sgml

In PQsendQueryStart(), avoid leaking any left-over async result.

commit   : bb211b66f2934fbfe85c091dbff8db9ac520ceb5    
  
author   : Tom Lane <[email protected]>    
date     : Mon, 10 Oct 2016 10:35:58 -0400    
  
committer: Tom Lane <[email protected]>    
date     : Mon, 10 Oct 2016 10:35:58 -0400    

Click here for diff

Ordinarily there would not be an async result sitting around at this  
point, but it appears that in corner cases there can be.  Considering  
all the work we're about to launch, it's hardly going to cost anything  
noticeable to check.  
  
It's been like this forever, so back-patch to all supported branches.  
  
Report: <CAD-Qf1eLUtBOTPXyFQGW-4eEsop31tVVdZPu4kL9pbQ6tJPO8g@mail.gmail.com>  

M src/interfaces/libpq/fe-exec.c

Fix incorrect handling of polymorphic aggregates used as window functions.

commit   : dca25c2562199ce1e7e26367613912a8eadbbde8    
  
author   : Tom Lane <[email protected]>    
date     : Sun, 9 Oct 2016 12:49:37 -0400    
  
committer: Tom Lane <[email protected]>    
date     : Sun, 9 Oct 2016 12:49:37 -0400    

Click here for diff

The transfunction was told that its first argument and result were  
of the window function output type, not the aggregate state type.  
This'd only matter if the transfunction consults get_fn_expr_argtype,  
which typically only polymorphic functions would do.  
  
Although we have several regression tests around polymorphic aggs,  
none of them detected this mistake --- in fact, they still didn't  
fail when I injected the same mistake into nodeAgg.c.  So add some  
more tests covering both plain agg and window-function-agg cases.  
  
Per report from Sebastian Luque.  Back-patch to 9.6 where the error  
was introduced (by sloppy refactoring in commit 804163bc2, looks like).  
  
Report: <[email protected]>  

M src/backend/executor/nodeWindowAgg.c
M src/test/regress/expected/polymorphism.out
M src/test/regress/sql/polymorphism.sql

Fix two bugs in merging of inherited CHECK constraints.

commit   : b605aeba0e117e4b8087fc95eba4cce07bb185ef    
  
author   : Tom Lane <[email protected]>    
date     : Sat, 8 Oct 2016 19:29:27 -0400    
  
committer: Tom Lane <[email protected]>    
date     : Sat, 8 Oct 2016 19:29:27 -0400    

Click here for diff

Historically, we've allowed users to add a CHECK constraint to a child  
table and then add an identical CHECK constraint to the parent.  This  
results in "merging" the two constraints so that the pre-existing  
child constraint ends up with both conislocal = true and coninhcount > 0.  
However, if you tried to do it in the other order, you got a duplicate  
constraint error.  This is problematic for pg_dump, which needs to issue  
separated ADD CONSTRAINT commands in some cases, but has no good way to  
ensure that the constraints will be added in the required order.  
And it's more than a bit arbitrary, too.  The goal of complaining about  
duplicated ADD CONSTRAINT commands can be served if we reject the case of  
adding a constraint when the existing one already has conislocal = true;  
but if it has conislocal = false, let's just make the ADD CONSTRAINT set  
conislocal = true.  In this way, either order of adding the constraints  
has the same end result.  
  
Another problem was that the code allowed creation of a parent constraint  
marked convalidated that is merged with a child constraint that is  
!convalidated.  In this case, an inheritance scan of the parent table could  
emit some rows violating the constraint condition, which would be an  
unexpected result given the marking of the parent constraint as validated.  
Hence, forbid merging of constraints in this case.  (Note: valid child and  
not-valid parent seems fine, so continue to allow that.)  
  
Per report from Benedikt Grundmann.  Back-patch to 9.2 where we introduced  
possibly-not-valid check constraints.  The second bug obviously doesn't  
apply before that, and I think the first doesn't either, because pg_dump  
only gets into this situation when dealing with not-valid constraints.  
  
Report: <CADbMkNPT-Jz5PRSQ4RbUASYAjocV_KHUWapR%2Bg8fNvhUAyRpxA%40mail.gmail.com>  
Discussion: <[email protected]>  

M src/backend/catalog/heap.c
M src/backend/commands/tablecmds.c
M src/test/regress/expected/inherit.out
M src/test/regress/expected/sanity_check.out
M src/test/regress/sql/inherit.sql

Remove user_relns() SRF from regression tests.

commit   : b89f07b592210be3906d8201f03f0cf569f0dd83    
  
author   : Tom Lane <[email protected]>    
date     : Sat, 8 Oct 2016 18:43:01 -0400    
  
committer: Tom Lane <[email protected]>    
date     : Sat, 8 Oct 2016 18:43:01 -0400    

Click here for diff

Back-patch commit 0dba54f1666ead71c54ce100b39efda67596d297 into the older  
branches.  This test is almost as much of a patching hazard there as it is  
in HEAD, and it has no more reason to be needed than it does in HEAD.  
  
I went back as far as 9.2; I judged 9.1 not worth the trouble since  
it's on the verge of being EOL'd.  

M src/test/regress/input/create_function_2.source
M src/test/regress/input/misc.source
M src/test/regress/output/create_function_2.source
M src/test/regress/output/misc.source

commit   : f812b20ba57cd753a5290967db3496790a2dff0f    
  
author   : Tom Lane <[email protected]>    
date     : Fri, 7 Oct 2016 21:12:25 -0400    
  
committer: Tom Lane <[email protected]>    
date     : Fri, 7 Oct 2016 21:12:25 -0400    

Click here for diff

The need for this was previously obscured even on picky platforms  
by the hack we used to support direct cross-module references in  
the transforms contrib modules.  Now that that hack is gone, the  
undefined symbol is exposed, as reported by Robert Haas.  
  
Back-patch to 9.5 where we started to use -Wl,-undefined,dynamic_lookup.  
I'm a bit surprised that the older branches don't seem to contain  
any gettext references in this module, but since they don't fail  
at build time, they must not.  (We might be able to get away with  
leaving this alone in 9.5/9.6, but I think it's cleaner if the  
reference gets resolved at link time.)  
  
Report: <CA+TgmoaHJKU5kcWZcYduATYVT7Mnx+8jUnycaYYL7OtCwCigug@mail.gmail.com>  

M src/backend/replication/libpqwalreceiver/Makefile

Fix fallback implementation of pg_atomic_write_u32().

commit   : a4b25cd9cba99b2bf1363f6b4fb9ced84b46d796    
  
author   : Andres Freund <[email protected]>    
date     : Fri, 7 Oct 2016 16:55:15 -0700    
  
committer: Andres Freund <[email protected]>    
date     : Fri, 7 Oct 2016 16:55:15 -0700    

Click here for diff

I somehow had assumed that in the spinlock (in turn possibly using  
semaphores) based fallback atomics implementation 32 bit writes could be  
done without a lock. As far as the write goes that's correct, since  
postgres supports only platforms with single-copy atomicity for aligned  
32bit writes.  But writing without holding the spinlock breaks  
read-modify-write operations like pg_atomic_compare_exchange_u32(),  
since they'll potentially "miss" a concurrent write, which can't happen  
in actual hardware implementations.  
  
In 9.6+ when using the fallback atomics implementation this could lead  
to buffer header locks not being properly marked as released, and  
potentially some related state corruption.  I don't see a related danger  
in 9.5 (earliest release with the API), because pg_atomic_write_u32()  
wasn't used in a concurrent manner there.  
  
The state variable of local buffers, before this change, were  
manipulated using pg_atomic_write_u32(), to avoid unnecessary  
synchronization overhead. As that'd not be the case anymore, introduce  
and use pg_atomic_unlocked_write_u32(), which does not correctly  
interact with RMW operations.  
  
This bug only caused issues when postgres is compiled on platforms  
without atomics support (i.e. no common new platform), or when compiled  
with --disable-atomics, which explains why this wasn't noticed in  
testing.  
  
Reported-By: Tom Lane  
Discussion: <[email protected]>  
Backpatch: 9.5-, where the atomic operations API was introduced.  

M src/backend/port/atomics.c
M src/backend/storage/buffer/bufmgr.c
M src/backend/storage/buffer/localbuf.c
M src/include/port/atomics.h
M src/include/port/atomics/fallback.h
M src/include/port/atomics/generic.h
M src/include/storage/buf_internals.h

Make TAP test suites to work, when @INC does not contain current dir.

commit   : 2efed55db1cc8e40d74242e61d7c741cccb4a50d    
  
author   : Heikki Linnakangas <[email protected]>    
date     : Fri, 7 Oct 2016 21:48:21 +0300    
  
committer: Heikki Linnakangas <[email protected]>    
date     : Fri, 7 Oct 2016 21:48:21 +0300    

Click here for diff

Recent Perl and/or new Linux distributions are starting to remove "." from  
the @INC list by default. That breaks pg_rewind and ssl test suites, which  
use helper perl modules that reside in the same directory. To fix, add the  
current source directory explicitly to prove's include dir.  
  
The vcregress.pl script probably also needs something like this, but I  
wasn't able to remove '.' from @INC on Windows to test this, and don't want  
to try doing that blindly.  
  
Discussion: <[email protected]>  

M src/Makefile.global.in

Fix pg_dump to work against pre-9.0 servers again.

commit   : 1749332ec9e5017ca7ebfa245597cc765b4553fd    
  
author   : Tom Lane <[email protected]>    
date     : Fri, 7 Oct 2016 09:51:18 -0400    
  
committer: Tom Lane <[email protected]>    
date     : Fri, 7 Oct 2016 09:51:18 -0400    

Click here for diff

getBlobs' queries for pre-9.0 servers were broken in two ways:  
the 7.x/8.x query uses DISTINCT so it can't have unspecified-type  
NULLs in the target list, and both that query and the 7.0 one  
failed to provide the correct output column labels, so that the  
subsequent code to extract data from the PGresult would fail.  
  
Back-patch to 9.6 where the breakage was introduced (by commit 23f34fa4b).  
  
Amit Langote and Tom Lane  
  
Discussion: <[email protected]>  

M src/bin/pg_dump/pg_dump.c

Don't allow both --source-server and --source-target args to pg_rewind.

commit   : 2933ed0362ae5fbc9e0c28035286318b4d299492    
  
author   : Heikki Linnakangas <[email protected]>    
date     : Fri, 7 Oct 2016 14:35:17 +0300    
  
committer: Heikki Linnakangas <[email protected]>    
date     : Fri, 7 Oct 2016 14:35:17 +0300    

Click here for diff

They are supposed to be mutually exclusive, but there was no check for  
that.  
  
Michael Banck  
  
Discussion: <[email protected]>  

M src/bin/pg_rewind/pg_rewind.c

Clear OpenSSL error queue after failed X509_STORE_load_locations() call.

commit   : 4d3ecbfee9dbe34fe20991a5a402b1f949814928    
  
author   : Heikki Linnakangas <[email protected]>    
date     : Fri, 7 Oct 2016 12:53:40 +0300    
  
committer: Heikki Linnakangas <[email protected]>    
date     : Fri, 7 Oct 2016 12:53:40 +0300    

Click here for diff

Leaving the error in the error queue used to be harmless, because the  
X509_STORE_load_locations() call used to be the last step in  
initialize_SSL(), and we would clear the queue before the next  
SSL_connect() call. But previous commit moved things around. The symptom  
was that if a CRL file was not found, and one of the subsequent  
initialization steps, like loading the client certificate or private key,  
failed, we would incorrectly print the "no such file" error message from  
the earlier X509_STORE_load_locations() call as the reason.  
  
Backpatch to all supported versions, like the previous patch.  

M src/interfaces/libpq/fe-secure-openssl.c

Don't share SSL_CTX between libpq connections.

commit   : 341acf235943c15aa56103ef7b66ecec625b4af0    
  
author   : Heikki Linnakangas <[email protected]>    
date     : Fri, 7 Oct 2016 12:20:39 +0300    
  
committer: Heikki Linnakangas <[email protected]>    
date     : Fri, 7 Oct 2016 12:20:39 +0300    

Click here for diff

There were several issues with the old coding:  
  
1. There was a race condition, if two threads opened a connection at the  
   same time. We used a mutex around SSL_CTX_* calls, but that was not  
   enough, e.g. if one thread SSL_CTX_load_verify_locations() with one  
   path, and another thread set it with a different path, before the first  
   thread got to establish the connection.  
  
2. Opening two different connections, with different sslrootcert settings,  
   seemed to fail outright with "SSL error: block type is not 01". Not sure  
   why.  
  
3. We created the SSL object, before calling SSL_CTX_load_verify_locations  
   and SSL_CTX_use_certificate_chain_file on the SSL context. That was  
   wrong, because the options set on the SSL context are propagated to the  
   SSL object, when the SSL object is created. If they are set after the  
   SSL object has already been created, they won't take effect until the  
   next connection. (This is bug #14329)  
  
At least some of these could've been fixed while still using a shared  
context, but it would've been more complicated and error-prone. To keep  
things simple, let's just use a separate SSL context for each connection,  
and accept the overhead.  
  
Backpatch to all supported versions.  
  
Report, analysis and test case by Kacper Zuk.  
  
Discussion: <[email protected]>  

M src/interfaces/libpq/fe-secure-openssl.c
M src/test/ssl/Makefile
M src/test/ssl/README
M src/test/ssl/ServerSetup.pm
A src/test/ssl/ssl/client+client_ca.crt
M src/test/ssl/t/001_ssltests.pl

Disable synchronous commits in pg_rewind.

commit   : aab809664813380b3cd6c94a2791ffddc656b1f1    
  
author   : Heikki Linnakangas <[email protected]>    
date     : Thu, 6 Oct 2016 13:24:46 +0300    
  
committer: Heikki Linnakangas <[email protected]>    
date     : Thu, 6 Oct 2016 13:24:46 +0300    

Click here for diff

If you point pg_rewind to a server that is using synchronous replication,  
with "pg_rewind --source-server=...", and the replication is not working  
for some reason, pg_rewind will get stuck because it creates a temporary  
table, which needs to be replicated. You could call broken replication a  
pilot error, but pg_rewind is often used in special circumstances, when  
there are changes to the replication setup.  
  
We don't do any "real" updates, and we don't care about fsyncing or  
replicating the operations on the temporary tables, so fix that by  
setting synchronous_commit off.  
  
Michael Banck, Michael Paquier. Backpatch to 9.5, where pg_rewind was  
introduced.  
  
Discussion: <[email protected]>  

M src/bin/pg_rewind/libpq_fetch.c

Update obsolete comments and perldoc.

commit   : bfcd07b4444d8fdf1ddaba375aa5b3aea419a898    
  
author   : Robert Haas <[email protected]>    
date     : Wed, 5 Oct 2016 13:08:48 -0400    
  
committer: Robert Haas <[email protected]>    
date     : Wed, 5 Oct 2016 13:08:48 -0400    

Click here for diff

Loose ends from commit 2a0f89cd717ce6d49cdc47850577823682167e87.  
  
Daniel Gustafsson  

M src/test/perl/PostgresNode.pm

Correct logical decoding restore behaviour for subtransactions.

commit   : 76c0b73df6c481a29cf6e45bebeafd6d71957f08    
  
author   : Andres Freund <[email protected]>    
date     : Mon, 3 Oct 2016 22:11:36 -0700    
  
committer: Andres Freund <[email protected]>    
date     : Mon, 3 Oct 2016 22:11:36 -0700    

Click here for diff

Before initializing iteration over a subtransaction's changes, the last  
few changes were not spilled to disk. That's correct if the transaction  
didn't spill to disk, but otherwise... This bug can lead to missed or  
misorderd subtransaction contents when they were spilled to disk.  
  
Move spilling of the remaining in-memory changes to  
ReorderBufferIterTXNInit(), where it can easily be applied to the top  
transaction and, if present, subtransactions.  
  
Since this code had too many bugs already, noticeably increase test  
coverage.  
  
Fixes: #14319  
Reported-By: Huan Ruan  
Discussion: <[email protected]>  
Backport: 9,4-, where logical decoding was added  

M contrib/test_decoding/Makefile
A contrib/test_decoding/expected/spill.out
A contrib/test_decoding/sql/spill.sql
M src/backend/replication/logical/reorderbuffer.c

Show a sensible value in pg_settings.unit for GUC_UNIT_XSEGS variables.

commit   : 993d94c59038fb80068a2b7780a1062dcaa2bb4f    
  
author   : Tom Lane <[email protected]>    
date     : Mon, 3 Oct 2016 16:40:06 -0400    
  
committer: Tom Lane <[email protected]>    
date     : Mon, 3 Oct 2016 16:40:06 -0400    

Click here for diff

Commit 88e982302 invented GUC_UNIT_XSEGS for min_wal_size and max_wal_size,  
but neglected to make it display sensibly in pg_settings.unit (by adding a  
case to the switch in GetConfigOptionByNum).  Fix that, and adjust said  
switch to throw a run-time error the next time somebody forgets.  
  
In passing, avoid using a static buffer for the output string --- the rest  
of this function pstrdup's from a local buffer, and I see no very good  
reason why the units code should do it differently and less safely.  
  
Per report from Otar Shavadze.  Back-patch to 9.5 where the new unit type  
was added.  
  
Report: <CAG-jOyA=iNFhN+yB4vfvqh688B7Tr5SArbYcFUAjZi=0Exp-Lg@mail.gmail.com>  

M src/backend/utils/misc/guc.c
M src/include/utils/guc.h

Fix RLS with COPY (col1, col2) FROM tab

commit   : 190765a059cc5e8226cdb18b9715741b32b12255    
  
author   : Stephen Frost <[email protected]>    
date     : Mon, 3 Oct 2016 16:23:02 -0400    
  
committer: Stephen Frost <[email protected]>    
date     : Mon, 3 Oct 2016 16:23:02 -0400    

Click here for diff

Attempting to COPY a subset of columns from a table with RLS enabled  
would fail due to an invalid query being constructed (using a single  
ColumnRef with the list of fields to exact in 'fields', but that's for  
the different levels of an indirection for a single column, not for  
specifying multiple columns).  
  
Correct by building a ColumnRef and then RestTarget for each column  
being requested and then adding those to the targetList for the select  
query.  Include regression tests to hopefully catch if this is broken  
again in the future.  
  
Patch-By: Adam Brightwell  
Reviewed-By: Michael Paquier  

M src/backend/commands/copy.c
M src/test/regress/expected/copy2.out
M src/test/regress/sql/copy2.sql

Enforce a specific order for probing library loadability in pg_upgrade.

commit   : bac56dbe090670408551bd68690e91f7b0207ccf    
  
author   : Tom Lane <[email protected]>    
date     : Mon, 3 Oct 2016 10:07:39 -0400    
  
committer: Tom Lane <[email protected]>    
date     : Mon, 3 Oct 2016 10:07:39 -0400    

Click here for diff

pg_upgrade checks whether all the shared libraries used in the old cluster  
are also available in the new one by issuing LOAD for each library name.  
Previously, it cared not what order it did the LOADs in.  Ideally it  
should not have to care, but currently the transform modules in contrib  
fail unless both the language and datatype modules they depend on are  
loaded first.  A backend-side solution for that looks possible but  
probably not back-patchable, so as a stopgap measure, let's do the LOAD  
tests in order by library name length.  That should fix the problem for  
reasonably-named transform modules, eg "hstore_plpython" will be loaded  
after both "hstore" and "plpython".  (Yeah, it's a hack.)  
  
In a larger sense, having a predictable order of these probes is a good  
thing, since it will make upgrades predictably work or not work in the  
face of inter-library dependencies.  Also, this patch replaces O(N^2)  
de-duplication logic with O(N log N) logic, which could matter in  
installations with very many databases.  So I don't foresee reverting this  
even after we have a proper fix for the library-dependency problem.  
  
In passing, improve a couple of SQL queries used here.  
  
Per complaint from Andrew Dunstan that pg_upgrade'ing the transform contrib  
modules failed.  Back-patch to 9.5 where transform modules were introduced.  
  
Discussion: <[email protected]>  

M src/bin/pg_upgrade/function.c

Add ALTER EXTENSION ADD/DROP ACCESS METHOD, and use it in pg_upgrade.

commit   : f40334b85cf89f1eafd04d31665704fd173e317c    
  
author   : Tom Lane <[email protected]>    
date     : Sun, 2 Oct 2016 14:31:28 -0400    
  
committer: Tom Lane <[email protected]>    
date     : Sun, 2 Oct 2016 14:31:28 -0400    

Click here for diff

Without this, an extension containing an access method is not properly  
dumped/restored during pg_upgrade --- the AM ends up not being a member  
of the extension after upgrading.  
  
Another oversight in commit 473b93287, reported by Andrew Dunstan.  
  
Report: <[email protected]>  

M doc/src/sgml/ref/alter_extension.sgml
M src/backend/parser/gram.y
M src/bin/pg_dump/pg_dump.c

Do ClosePostmasterPorts() earlier in SubPostmasterMain().

commit   : 4677fe9fb0aa534b8611c29075fb57b3573612eb    
  
author   : Tom Lane <[email protected]>    
date     : Sat, 1 Oct 2016 17:15:10 -0400    
  
committer: Tom Lane <[email protected]>    
date     : Sat, 1 Oct 2016 17:15:10 -0400    

Click here for diff

In standard Unix builds, postmaster child processes do ClosePostmasterPorts  
immediately after InitPostmasterChild, that is almost immediately after  
being spawned.  This is important because we don't want children holding  
open the postmaster's end of the postmaster death watch pipe.  
  
However, in EXEC_BACKEND builds, SubPostmasterMain was postponing this  
responsibility significantly, in order to make it slightly more convenient  
to pass the right flag value to ClosePostmasterPorts.  This is bad,  
particularly seeing that process_shared_preload_libraries() might invoke  
nearly-arbitrary code.  Rearrange so that we do it as soon as we've  
fetched the socket FDs via read_backend_variables().  
  
Also move the comment explaining about randomize_va_space to before the  
call of PGSharedMemoryReAttach, which is where it's relevant.  The old  
placement was appropriate when the reattach happened inside  
CreateSharedMemoryAndSemaphores, but that was a long time ago.  
  
Back-patch to 9.3; the patch doesn't apply cleanly before that, and  
it doesn't seem worth a lot of effort given that we've had no actual  
field complaints traceable to this.  
  
Discussion: <[email protected]>  

M src/backend/postmaster/postmaster.c

Fix bugs in contrib/pg_visibility.

commit   : f4e787c826446102eb38ffb5f398bea43b44cacf    
  
author   : Tom Lane <[email protected]>    
date     : Sat, 1 Oct 2016 16:32:55 -0400    
  
committer: Tom Lane <[email protected]>    
date     : Sat, 1 Oct 2016 16:32:55 -0400    

Click here for diff

collect_corrupt_items() failed to initialize tuple.t_self.  While  
HeapTupleSatisfiesVacuum() doesn't actually use that value, it does  
Assert that it's valid, so that the code would dump core if ip_posid  
chanced to be zero.  (That's somewhat unlikely, which probably explains  
how this got missed.  In any case it wouldn't matter for field use.)  
  
Also, collect_corrupt_items was returning the wrong TIDs, that is the  
contents of t_ctid rather than the tuple's own location.  This would  
be the same thing in simple cases, but it could be wrong if, for  
example, a past update attempt had been rolled back, leaving a live  
tuple whose t_ctid doesn't point at itself.  
  
Also, in pg_visibility(), guard against trying to read a page past  
the end of the rel.  The VM code handles inquiries beyond the end  
of the map by silently returning zeroes, and it seems like we should  
do the same thing here.  
  
I ran into the assertion failure while using pg_visibility to check  
pg_upgrade's behavior, and then noted the other problems while  
reading the code.  
  
Report: <[email protected]>  

M contrib/pg_visibility/pg_visibility.c

Copy-editing for contrib/pg_visibility documentation.

commit   : b01f9ed25950f26f85c44e31b2a97d6f1ba3534e    
  
author   : Tom Lane <[email protected]>    
date     : Sat, 1 Oct 2016 15:32:53 -0400    
  
committer: Tom Lane <[email protected]>    
date     : Sat, 1 Oct 2016 15:32:53 -0400    

Click here for diff

Add omitted names for some function parameters.  
Fix some minor grammatical issues.  

M doc/src/sgml/pgvisibility.sgml

Fix misstatement in comment in Makefile.shlib.

commit   : 581f431f7be3c335f11dfd29a2498ad96d8a08ce    
  
author   : Tom Lane <[email protected]>    
date     : Sat, 1 Oct 2016 13:45:16 -0400    
  
committer: Tom Lane <[email protected]>    
date     : Sat, 1 Oct 2016 13:45:16 -0400    

Click here for diff

There is no need for "all: all-lib" to be placed before inclusion of  
Makefile.shlib.  Makefile.global is what ensures that "all" is the  
default target, and we already document that that has to be included  
first.  Per comment from Pavel Raiskup.  
  
Discussion: <[email protected]>  

M src/Makefile.shlib

Fix misplacement of submake-generated-headers prerequisites.

commit   : 68fb75e103e78478ef45a71e1a25055751e789f2    
  
author   : Tom Lane <[email protected]>    
date     : Sat, 1 Oct 2016 13:35:13 -0400    
  
committer: Tom Lane <[email protected]>    
date     : Sat, 1 Oct 2016 13:35:13 -0400    

Click here for diff

The sequence "configure; cd src/pl/plpython; make -j" failed due to  
trying to compile plpython's .o files before the generated headers  
finished building.  (This is an important real-world case, since it's  
the typical second step when building both plpython2 and plpython3.)  
This happens because the submake-generated-headers target is not  
placed in a way to make it a prerequisite to compiling the .o files.  
Fix that.  
  
Checking other uses of submake-generated-headers, I noted that the one  
attached to pg_regress was similarly misplaced; but it's actually not  
needed at all for pg_regress.o, rather regress.o, so move it to be a  
prerequisite of that.  
  
Back-patch to 9.6 where submake-generated-headers was introduced  
(by commit 548af97fc).  It's not immediately clear to me why the  
previous coding didn't have the same issue; but since we've not  
had field reports of plpython make failing, leave it alone in the  
older branches.  
  
Pavel Raiskup and Tom Lane  
  
Discussion: <[email protected]>  

M src/pl/plpython/Makefile
M src/test/regress/GNUmakefile

Improve error reporting in pg_upgrade's file copying/linking/rewriting.

commit   : 53fbeed40702e49c02a85a31f52a1683abe57a4e    
  
author   : Tom Lane <[email protected]>    
date     : Fri, 30 Sep 2016 20:40:27 -0400    
  
committer: Tom Lane <[email protected]>    
date     : Fri, 30 Sep 2016 20:40:27 -0400    

Click here for diff

The previous design for this had copyFile(), linkFile(), and  
rewriteVisibilityMap() returning strerror strings, with the caller  
producing one-size-fits-all error messages based on that.  This made it  
impossible to produce messages that described the failures with any degree  
of precision, especially not short-read problems since those don't set  
errno at all.  
  
Since pg_upgrade has no intention of continuing after any error in this  
area, let's fix this by just letting these functions call pg_fatal() for  
themselves, making it easy for each point of failure to have a suitable  
error message.  Taking this approach also allows dropping cleanup code  
that was unnecessary and was often rather sloppy about preserving errno.  
To not lose relevant info that was reported before, pass in the schema name  
and table name of the current table so that they can be included in the  
error reports.  
  
An additional problem was the use of getErrorText(), which was flat out  
wrong for all but a couple of call sites, because it unconditionally did  
"_dosmaperr(GetLastError())" on Windows.  That's only appropriate when  
reporting an error from a Windows-native API, which only a couple of  
the callers were actually doing.  Thus, even the reported strerror string  
would be unrelated to the actual failure in many cases on Windows.  
To fix, get rid of getErrorText() altogether, and just have call sites  
do strerror(errno) instead, since that's the way all the rest of our  
frontend programs do it.  Add back the _dosmaperr() calls in the two  
places where that's actually appropriate.  
  
In passing, make assorted messages hew more closely to project style  
guidelines, notably by removing initial capitals in not-complete-sentence  
primary error messages.  (I didn't make any effort to clean up places  
I didn't have another reason to touch, though.)  
  
Per discussion of a report from Thomas Kellerer.  Back-patch to 9.6,  
but no further; given the relative infrequency of reports of problems  
here, it's not clear it's worth adapting the patch to older branches.  
  
Patch by me, but with credit to Alvaro Herrera for spotting the issue  
with getErrorText's misuse of _dosmaperr().  
  
Discussion: <[email protected]>  

M src/bin/pg_upgrade/check.c
M src/bin/pg_upgrade/controldata.c
M src/bin/pg_upgrade/exec.c
M src/bin/pg_upgrade/file.c
M src/bin/pg_upgrade/function.c
M src/bin/pg_upgrade/option.c
M src/bin/pg_upgrade/pg_upgrade.c
M src/bin/pg_upgrade/pg_upgrade.h
M src/bin/pg_upgrade/relfilenode.c
M src/bin/pg_upgrade/tablespace.c
M src/bin/pg_upgrade/util.c
M src/bin/pg_upgrade/version.c

Fix multiple portability issues in pg_upgrade's rewriteVisibilityMap().

commit   : b6d90607364c4ad9315e28f76c836de4751beca5    
  
author   : Tom Lane <[email protected]>    
date     : Fri, 30 Sep 2016 20:39:06 -0400    
  
committer: Tom Lane <[email protected]>    
date     : Fri, 30 Sep 2016 20:39:06 -0400    

Click here for diff

This is new code in 9.6, and evidently we missed out testing it as  
thoroughly as it should have been.  Bugs fixed here:  
  
1. Use binary not text mode to open the files on Windows.  Before, if  
the visibility map chanced to contain two bytes that looked like \r\n,  
Windows' read() would convert that to \n, which both corrupts the map  
data and causes the file to look shorter than it should.  Unless you  
were *very* unlucky and had an exact multiple of 8K such occurrences  
in each VM file, this would cause pg_upgrade to report a failure,  
though with a rather obscure error message.  
  
2. The code for copying rebuilt bytes into the output was simply wrong.  
It chanced to work okay on little-endian machines but would emit the  
bytes in the wrong order on big-endian, leading to silent corruption  
of the visibility map data.  
  
3. The code was careless about alignment of the working buffers.  Given  
all three of an alignment-picky architecture, a compiler that chooses  
to put the new_vmbuf[] local variable at an odd starting address, and  
a checksum-enabled database, pg_upgrade would dump core.  
  
Point one was reported by Thomas Kellerer, the other two detected by  
code-reading.  
  
Point two is much the nastiest of these issues from an impact standpoint,  
though fortunately it affects only a minority of users.  The Windows issue  
will definitely bite people, but it seems quite unlikely that there would  
be undetected corruption from that.  
  
In addition, I failed to resist the temptation to do some minor cosmetic  
adjustments, mostly improving the comments.  
  
It would be a good idea to try to improve the error reporting here, but  
that seems like material for a separate patch.  
  
Discussion: <[email protected]>  

M src/bin/pg_upgrade/file.c

Retry opening new segments in pg_xlogdump --folllow

commit   : 41d58e97afe4c24398a5469f79468a50895b3ab0    
  
author   : Magnus Hagander <[email protected]>    
date     : Fri, 30 Sep 2016 11:19:30 +0200    
  
committer: Magnus Hagander <[email protected]>    
date     : Fri, 30 Sep 2016 11:19:30 +0200    

Click here for diff

There is a small window between when the server closes out the existing  
segment and the new one is created. Put a loop around the open call in  
this case to make sure we wait for the new file to actually appear.  

M src/bin/pg_xlogdump/pg_xlogdump.c

Silence compiler warnings

commit   : 7341c2830cf3d06a96d97f0e6a2e85bf808faae4    
  
author   : Alvaro Herrera <[email protected]>    
date     : Wed, 28 Sep 2016 19:31:58 -0300    
  
committer: Alvaro Herrera <[email protected]>    
date     : Wed, 28 Sep 2016 19:31:58 -0300    

Click here for diff

Reported by Peter Eisentraut.  Coding suggested by Tom Lane.  

M src/backend/catalog/objectaddress.c

worker_spi: Call pgstat_report_stat.

commit   : f0476e226f1bc3aaaa4185ace3a09bc586b42cde    
  
author   : Robert Haas <[email protected]>    
date     : Wed, 28 Sep 2016 12:38:33 -0400    
  
committer: Robert Haas <[email protected]>    
date     : Wed, 28 Sep 2016 12:38:33 -0400    

Click here for diff

Without this, statistics changes accumulated by the worker never get  
reported to the stats collector, which is bad.  
  
Julien Rouhaud  

M src/test/modules/worker_spi/worker_spi.c

Fix dangling pointer problem in ReorderBufferSerializeChange.

commit   : 32841fa325de298e0bad771c588354fd59866e42    
  
author   : Robert Haas <[email protected]>    
date     : Wed, 28 Sep 2016 11:19:46 -0400    
  
committer: Robert Haas <[email protected]>    
date     : Wed, 28 Sep 2016 11:19:46 -0400    

Click here for diff

Commit 3fe3511d05127cc024b221040db2eeb352e7d716 introduced a new  
case into this function, but neglected to ensure that the "ondisk"  
pointer got updated after a possible reallocation as the code does  
in other cases.  
  
Stas Kelvich, per diagnosis by Konstantin Knizhnik.  

M src/backend/replication/logical/reorderbuffer.c

Include <sys/select.h> where needed

commit   : f0631bda9bf729161490da76414648dafcc0adbe    
  
author   : Alvaro Herrera <[email protected]>    
date     : Tue, 27 Sep 2016 01:05:21 -0300    
  
committer: Alvaro Herrera <[email protected]>    
date     : Tue, 27 Sep 2016 01:05:21 -0300    

Click here for diff

<sys/select.h> is required by POSIX.1-2001 to get the prototype of  
select(2), but nearly no systems enforce that because older standards  
let you get away with including some other headers.  Recent OpenBSD  
hacking has removed that frail touch of friendliness, however, which  
broke some compiles; fix all the way back to 9.1 by adding the required  
standard.  Only vacuumdb.c was reported to fail, but it seems easier to  
fix the whole lot in a fell swoop.  
  
Per bug #14334 by Sean Farrell.  

M src/backend/libpq/auth.c
M src/backend/postmaster/pgstat.c
M src/bin/pg_basebackup/pg_basebackup.c
M src/bin/pg_basebackup/pg_recvlogical.c
M src/bin/pg_basebackup/receivelog.c
M src/bin/pg_dump/parallel.c
M src/bin/scripts/vacuumdb.c
M src/port/pgsleep.c
M src/test/examples/testlibpq2.c