PostgreSQL 9.6.17 commit log

Stamp 9.6.17.

commit   : d48d8ba2361c93378d49050ff9526c8a7f289e34    
  
author   : Tom Lane <[email protected]>    
date     : Mon, 10 Feb 2020 17:21:38 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Mon, 10 Feb 2020 17:21:38 -0500    

Click here for diff

M configure
M configure.in
M doc/bug.template
M src/include/pg_config.h.win32
M src/interfaces/libpq/libpq.rc.in
M src/port/win32ver.rc

Last-minute updates for release notes.

commit   : 3ede4280bce9ce567834cb79e9dfe66344526b18    
  
author   : Tom Lane <[email protected]>    
date     : Mon, 10 Feb 2020 12:51:07 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Mon, 10 Feb 2020 12:51:07 -0500    

Click here for diff

Security: CVE-2020-1720  

M doc/src/sgml/release-9.6.sgml

createuser: fix parsing of --connection-limit argument

commit   : 5575fc20817497a29732198c20b9364583407599    
  
author   : Alvaro Herrera <[email protected]>    
date     : Mon, 10 Feb 2020 12:14:58 -0300    
  
committer: Alvaro Herrera <[email protected]>    
date     : Mon, 10 Feb 2020 12:14:58 -0300    

Click here for diff

The original coding failed to quote the argument properly.  
  
Reported-by: Daniel Gustafsson  
Discussion: [email protected]  

M src/bin/scripts/createuser.c

Fix priv checks for ALTER <object> DEPENDS ON EXTENSION

commit   : e8b8eb937642f56725d4bc025ea7fa57caf6992c    
  
author   : Alvaro Herrera <[email protected]>    
date     : Mon, 10 Feb 2020 11:47:09 -0300    
  
committer: Alvaro Herrera <[email protected]>    
date     : Mon, 10 Feb 2020 11:47:09 -0300    

Click here for diff

Marking an object as dependant on an extension did not have any  
privilege check whatsoever; this allowed any user to mark objects as  
droppable by anyone able to DROP EXTENSION, which could be used to cause  
system-wide havoc.  Disallow by checking that the calling user owns the  
mentioned object.  
  
(No constraints are placed on the extension.)  
  
Security: CVE-2020-1720  
Reported-by: Tom Lane  
Discussion: [email protected]  

M src/backend/commands/alter.c

Translation updates

commit   : 384ecd6efed809fecce08224c7cd37241cc0c602    
  
author   : Peter Eisentraut <[email protected]>    
date     : Mon, 10 Feb 2020 12:57:12 +0100    
  
committer: Peter Eisentraut <[email protected]>    
date     : Mon, 10 Feb 2020 12:57:12 +0100    

Click here for diff

Source-Git-URL: https://git.postgresql.org/git/pgtranslation/messages.git  
Source-Git-Hash: f6ff77b5adca07948a26a4d512ba339243ecacab  

M src/backend/po/de.po
M src/backend/po/fr.po
M src/backend/po/ru.po
M src/backend/po/sv.po
M src/bin/pg_ctl/po/ru.po
M src/bin/pg_dump/po/fr.po
M src/bin/pg_dump/po/ru.po
M src/bin/pg_dump/po/sv.po
M src/interfaces/libpq/po/ru.po

Revert "pg_upgrade: Fix quoting of some arguments in pg_ctl command"

commit   : ff8c6fe95b81a36f0e81e879e41eb43d54282862    
  
author   : Michael Paquier <[email protected]>    
date     : Mon, 10 Feb 2020 15:48:52 +0900    
  
committer: Michael Paquier <[email protected]>    
date     : Mon, 10 Feb 2020 15:48:52 +0900    

Click here for diff

This reverts commit d1c0b61.  The patch has some downsides that require  
more attention, as discussed with Noah Misch.  
  
Backpatch-through: 9.5  

M src/bin/pg_upgrade/server.c

doc: Spell checking

commit   : 812bfe89a2798b96fd60c24b4c2bfed436f3e29e    
  
author   : Amit Kapila <[email protected]>    
date     : Mon, 10 Feb 2020 09:09:56 +0530    
  
committer: Amit Kapila <[email protected]>    
date     : Mon, 10 Feb 2020 09:09:56 +0530    

Click here for diff

Reported-by: Justin Pryzby  
Author: Justin Pryzby  
Backpatch-through: 9.6  
Discussion: https://postgr.es/m/[email protected]  

M doc/src/sgml/bloom.sgml

pg_upgrade: Fix quoting of some arguments in pg_ctl command

commit   : 2f2c3e62757d227635873939240f87daa836d380    
  
author   : Michael Paquier <[email protected]>    
date     : Mon, 10 Feb 2020 10:49:53 +0900    
  
committer: Michael Paquier <[email protected]>    
date     : Mon, 10 Feb 2020 10:49:53 +0900    

Click here for diff

The previous coding forgot to apply shell quoting to the socket  
directory and the data folder, leading to failures when running  
pg_upgrade.  This refactors the code generating the pg_ctl command  
starting clusters to use a more correct shell quoting.  Failures are  
easier to trigger in 12 and newer versions by using a value of  
--socketdir that includes quotes, but it is also possible to cause  
failures with quotes included in the default socket directory used by  
pg_upgrade or the data folders of the clusters involved in the  
upgrade.  
  
As 9.4 is going to be EOL'd with the next minor release, nobody is  
likely going to upgrade to it now so this branch is not included in the  
set of branches fixed.  
  
Author: Michael Paquier  
Reviewed-by: Álvaro Herrera, Noah Misch  
Backpatch-through: 9.5  

M src/bin/pg_upgrade/server.c

Revert "docs: change "default role" wording to "predefined role""

commit   : 608006c1b9c328ccb4ccd730cc2161a77eb6c3d7    
  
author   : Tom Lane <[email protected]>    
date     : Sun, 9 Feb 2020 14:22:08 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Sun, 9 Feb 2020 14:22:08 -0500    

Click here for diff

This reverts commit 90d553dd96106ab278550e85d95a5663d77d7db7.  
  
Per discussion, we can't change the section title without some  
web-site work, so revert this change temporarily.  
  
Discussion: https://postgr.es/m/[email protected]  

M doc/src/sgml/release-9.6.sgml
M doc/src/sgml/user-manag.sgml

Release notes for 12.2, 11.7, 10.12, 9.6.17, 9.5.21, 9.4.26.

commit   : 02836497c91b215266422b99809055267c263e57    
  
author   : Tom Lane <[email protected]>    
date     : Sun, 9 Feb 2020 14:14:19 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Sun, 9 Feb 2020 14:14:19 -0500    

Click here for diff

M doc/src/sgml/release-9.6.sgml

Add note about access permission checks by inherited TRUNCATE and LOCK TABLE.

commit   : ebf273000a5735fd35c58d851ba765e885f343c5    
  
author   : Fujii Masao <[email protected]>    
date     : Fri, 7 Feb 2020 00:33:11 +0900    
  
committer: Fujii Masao <[email protected]>    
date     : Fri, 7 Feb 2020 00:33:11 +0900    

Click here for diff

Inherited queries perform access permission checks on the parent  
table only. But there are two exceptions to this rule in v12 or before;  
TRUNCATE and LOCK TABLE commands through a parent table check  
the permissions on not only the parent table but also the children  
tables. Previously these exceptions were not documented.  
  
This commit adds the note about these exceptions, into the document.  
  
Back-patch to v9.4. But we don't apply this commit to the master  
because commit e6f1e560e4 already got rid of the exception about  
inherited TRUNCATE and upcoming commit will do for the exception  
about inherited LOCK TABLE.  
  
Author: Amit Langote  
Reviewed-by: Fujii Masao  
Discussion: https://postgr.es/m/CA+HiwqHfTnMU6SUkyHxCmpHUKk7ERLHCR3vZVq19ZOQBjPBLmQ@mail.gmail.com  

M doc/src/sgml/ddl.sgml

Fix typo.

commit   : 18e1233fce85472b6cfea229d3815fc6c7f0d107    
  
author   : Amit Kapila <[email protected]>    
date     : Thu, 6 Feb 2020 16:00:54 +0530    
  
committer: Amit Kapila <[email protected]>    
date     : Thu, 6 Feb 2020 16:00:54 +0530    

Click here for diff

Reported-by: Amit Langote  
Author: Amit Langote  
Backpatch-through: 9.6, where it was introduced  
Discussion: https://postgr.es/m/CA+HiwqFNADeukaaGRmTqANbed9Fd81gLi08AWe_F86_942Gspw@mail.gmail.com  

M src/backend/optimizer/path/allpaths.c

When a TAP file has non-zero exit status, retain temporary directories.

commit   : 048c7ccd7d6d65cfc51e1f89270275222e49895f    
  
author   : Noah Misch <[email protected]>    
date     : Wed, 5 Feb 2020 08:26:41 -0800    
  
committer: Noah Misch <[email protected]>    
date     : Wed, 5 Feb 2020 08:26:41 -0800    

Click here for diff

PostgresNode already retained base directories in such cases.  Stop  
using $SIG{__DIE__}, which is redundant with the exit status check, in  
lieu of proliferating it to TestLib.  Back-patch to 9.6, where commit  
88802e068017bee8cea7a5502a712794e761c7b5 introduced retention on  
failure.  
  
Reviewed by Daniel Gustafsson.  
  
Discussion: https://postgr.es/m/[email protected]  

M src/test/perl/TestLib.pm

Revert commit 928e755d22.

commit   : c15b17f9276ef9a870775c7ed5e53ab4c91b2444    
  
author   : Fujii Masao <[email protected]>    
date     : Mon, 3 Feb 2020 12:42:45 +0900    
  
committer: Fujii Masao <[email protected]>    
date     : Mon, 3 Feb 2020 12:42:45 +0900    

Click here for diff

This commit reverts the fix "Make inherited TRUNCATE perform access  
permission checks on parent table only" only in the back branches.  
  
It's not hard to imagine that there are some applications expecting  
the old behavior and the fix breaks their security. To avoid this  
compatibility problem, we decided to apply the fix only in HEAD and  
revert it in all supported back branches.  
  
Discussion: https://postgr.es/m/[email protected]  

M src/backend/commands/tablecmds.c
M src/test/regress/expected/privileges.out
M src/test/regress/sql/privileges.sql

Fix memory leak on DSM slot exhaustion.

commit   : 93be45245272fc9f59caecc3db949b49b464a2a1    
  
author   : Thomas Munro <[email protected]>    
date     : Sat, 1 Feb 2020 14:29:13 +1300    
  
committer: Thomas Munro <[email protected]>    
date     : Sat, 1 Feb 2020 14:29:13 +1300    

Click here for diff

If we attempt to create a DSM segment when no slots are available,  
we should return the memory to the operating system.  Previously  
we did that if the DSM_CREATE_NULL_IF_MAXSEGMENTS flag was  
passed in, but we didn't do it if an error was raised.  Repair.  
  
Back-patch to 9.4, where DSM segments arrived.  
  
Author: Thomas Munro  
Reviewed-by: Robert Haas  
Reported-by: Julian Backes  
Discussion: https://postgr.es/m/CA%2BhUKGKAAoEw-R4om0d2YM4eqT1eGEi6%3DQot-3ceDR-SLiWVDw%40mail.gmail.com  

M src/backend/storage/ipc/dsm.c

Fix CheckAttributeType's handling of collations for ranges.

commit   : 742c646c198756ffb3fbe36c3c36715ca8048d77    
  
author   : Tom Lane <[email protected]>    
date     : Fri, 31 Jan 2020 17:03:55 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Fri, 31 Jan 2020 17:03:55 -0500    

Click here for diff

Commit fc7695891 changed CheckAttributeType to recurse into ranges,  
but made it pass down the wrong collation (always InvalidOid, since  
ranges as such have no collation).  This would result in guaranteed  
failure when considering a range type whose subtype is collatable.  
  
Embarrassingly, we lack any regression tests that would expose such  
a problem (but fortunately, somebody noticed before we shipped this  
bug in any release).  
  
Fix it to pass down the range's subtype collation property instead,  
and add some regression test cases to exercise collatable-subtype  
ranges a bit more.  Back-patch to all supported branches, as the  
previous patch was.  
  
Report and patch by Julien Rouhaud, test cases tweaked by me  
  
Discussion: https://postgr.es/m/CAOBaU_aBWqNweiGUFX0guzBKkcfJ8mnnyyGC_KBQmO12Mj5f_A@mail.gmail.com  

M src/backend/catalog/heap.c
M src/backend/utils/cache/lsyscache.c
M src/include/utils/lsyscache.h
M src/test/regress/expected/rangetypes.out
M src/test/regress/expected/sanity_check.out
M src/test/regress/sql/rangetypes.sql

Fix parallel pg_dump/pg_restore for failure to create worker processes.

commit   : cb4c04a4e6a5226446fdb60b79529549750de750    
  
author   : Tom Lane <[email protected]>    
date     : Fri, 31 Jan 2020 14:41:49 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Fri, 31 Jan 2020 14:41:49 -0500    

Click here for diff

If we failed to fork a worker process, or create a communication pipe  
for one, WaitForTerminatingWorkers would suffer an assertion failure  
if assert-enabled, otherwise crash or go into an infinite loop.  This  
was a consequence of not accounting for the startup condition where  
we've not yet forked all the workers.  
  
The original bug was that ParallelBackupStart would set workerStatus to  
WRKR_IDLE before it had successfully forked a worker.  I made things  
worse in commit b7b8cc0cf by not understanding the undocumented fact  
that the WRKR_TERMINATED state was also meant to represent the case  
where a worker hadn't been started yet: I changed enum T_WorkerStatus  
so that *all* the worker slots were initially in WRKR_IDLE state.  But  
this wasn't any more broken in practice, since even one slot in the  
wrong state would keep WaitForTerminatingWorkers from terminating.  
  
In v10 and later, introduce an explicit T_WorkerStatus value for  
worker-not-started, in hopes of preventing future oversights of the  
same ilk.  Before that, just document that WRKR_TERMINATED is supposed  
to cover that case (partly because it wasn't actively broken, and  
partly because the enum is exposed outside parallel.c in those branches,  
so there's microscopically more risk involved in changing it).  
In all branches, introduce a WORKER_IS_RUNNING status test macro  
to hide which T_WorkerStatus values mean that, and be more careful  
not to access ParallelSlot fields till we're sure they're valid.  
  
Per report from Vignesh C, though this is my patch not his.  
Back-patch to all supported branches.  
  
Discussion: https://postgr.es/m/CALDaNm1Luv-E3sarR+-unz-BjchquHHyfP+YC+2FS2pt_J+wxg@mail.gmail.com  

M src/bin/pg_dump/parallel.c
M src/bin/pg_dump/parallel.h

Make inherited TRUNCATE perform access permission checks on parent table only.

commit   : 928e755d22de56e998b0b76596ebda1941e0e323    
  
author   : Fujii Masao <[email protected]>    
date     : Fri, 31 Jan 2020 00:45:39 +0900    
  
committer: Fujii Masao <[email protected]>    
date     : Fri, 31 Jan 2020 00:45:39 +0900    

Click here for diff

Previously, TRUNCATE command through a parent table checked the  
permissions on not only the parent table but also the children tables  
inherited from it. This was a bug and inherited queries should perform  
access permission checks on the parent table only. This commit fixes  
that bug.  
  
Back-patch to all supported branches.  
  
Author: Amit Langote  
Reviewed-by: Fujii Masao  
Discussion: https://postgr.es/m/CAHGQGwFHdSvifhJE+-GSNqUHSfbiKxaeQQ7HGcYz6SC2n_oDcg@mail.gmail.com  

M src/backend/commands/tablecmds.c
M src/test/regress/expected/privileges.out
M src/test/regress/sql/privileges.sql

In postgres_fdw, don't try to ship MULTIEXPR updates to remote server.

commit   : 43a648f57ce3d45fc77b0d18b0829884d8449151    
  
author   : Tom Lane <[email protected]>    
date     : Sun, 26 Jan 2020 14:31:08 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Sun, 26 Jan 2020 14:31:08 -0500    

Click here for diff

In a statement like "UPDATE remote_tab SET (x,y) = (SELECT ...)",  
we'd conclude that the statement could be directly executed remotely,  
because the sub-SELECT is in a resjunk tlist item that's not examined  
for shippability.  Currently that ends up crashing if the sub-SELECT  
contains any remote Vars.  Prevent the crash by deeming MULTIEXEC  
Params to be unshippable.  
  
This is a bit of a brute-force solution, since if the sub-SELECT  
*doesn't* contain any remote Vars, the current execution technology  
would work; but that's not a terribly common use-case for this syntax,  
I think.  In any case, we generally don't try to ship sub-SELECTs, so  
it won't surprise anybody that this doesn't end up as a remote direct  
update.  I'd be inclined to see if that general limitation can be fixed  
before worrying about this case further.  
  
Per report from Lukáš Sobotka.  
  
Back-patch to 9.6.  9.5 had MULTIEXPR, but we didn't try to perform  
remote direct updates then, so the case didn't arise anyway.  
  
Discussion: https://postgr.es/m/CAJif3k+iA_ekBB5Zw2hDBaE1wtiQa4LH4_JUXrrMGwTrH0J01Q@mail.gmail.com  

M contrib/postgres_fdw/deparse.c
M contrib/postgres_fdw/expected/postgres_fdw.out
M contrib/postgres_fdw/sql/postgres_fdw.sql

Fix an oversight in commit 4c70098ff.

commit   : 451f50813b6f2ddda81c1f7d42976dd7ca506bd0    
  
author   : Tom Lane <[email protected]>    
date     : Thu, 23 Jan 2020 16:15:32 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Thu, 23 Jan 2020 16:15:32 -0500    

Click here for diff

I had supposed that the from_char_seq_search() call sites were  
all passing the constant arrays you'd expect them to pass ...  
but on looking closer, the one for DY format was passing the  
days[] array not days_short[].  This accidentally worked because  
the day abbreviations in English are all the same as the first  
three letters of the full day names.  However, once we took out  
the "maximum comparison length" logic, it stopped working.  
  
As penance for that oversight, add regression test cases covering  
this, as well as every other switch case in DCH_from_char() that  
was not reached according to the code coverage report.  
  
Also, fold the DCH_RM and DCH_rm cases into one --- now that  
seq_search is case independent, there's no need to pass different  
comparison arrays for those cases.  
  
Back-patch, as the previous commit was.  

M src/backend/utils/adt/formatting.c
M src/test/regress/expected/horology.out
M src/test/regress/sql/horology.sql

Clean up formatting.c's logic for matching constant strings.

commit   : 9e24575f6f1bdf013fcd343e1163c72d4316888f    
  
author   : Tom Lane <[email protected]>    
date     : Thu, 23 Jan 2020 13:42:10 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Thu, 23 Jan 2020 13:42:10 -0500    

Click here for diff

seq_search(), which is used to match input substrings to constants  
such as month and day names, had a lot of bizarre and unnecessary  
behaviors.  It was mostly possible to avert our eyes from that before,  
but we don't want to duplicate those behaviors in the upcoming patch  
to allow recognition of non-English month and day names.  So it's time  
to clean this up.  In particular:  
  
* seq_search scribbled on the input string, which is a pretty dangerous  
thing to do, especially in the badly underdocumented way it was done here.  
Fortunately the input string is a temporary copy, but that was being made  
three subroutine levels away, making it something easy to break  
accidentally.  The behavior is externally visible nonetheless, in the form  
of odd case-folding in error reports about unrecognized month/day names.  
The scribbling is evidently being done to save a few calls to pg_tolower,  
but that's such a cheap function (at least for ASCII data) that it's  
pretty pointless to worry about.  In HEAD I switched it to be  
pg_ascii_tolower to ensure it is cheap in all cases; but there are corner  
cases in Turkish where this'd change behavior, so leave it as pg_tolower  
in the back branches.  
  
* seq_search insisted on knowing the case form (all-upper, all-lower,  
or initcap) of the constant strings, so that it didn't have to case-fold  
them to perform case-insensitive comparisons.  This likewise seems like  
excessive micro-optimization, given that pg_tolower is certainly very  
cheap for ASCII data.  It seems unsafe to assume that we know the case  
form that will come out of pg_locale.c for localized month/day names, so  
it's better just to define the comparison rule as "downcase all strings  
before comparing".  (The choice between downcasing and upcasing is  
arbitrary so far as English is concerned, but it might not be in other  
locales, so follow citext's lead here.)  
  
* seq_search also had a parameter that'd cause it to report a match  
after a maximum number of characters, even if the constant string were  
longer than that.  This was not actually used because no caller passed  
a value small enough to cut off a comparison.  Replicating that behavior  
for localized month/day names seems expensive as well as useless, so  
let's get rid of that too.  
  
* from_char_seq_search used the maximum-length parameter to truncate  
the input string in error reports about not finding a matching name.  
This leads to rather confusing reports in many cases.  Worse, it is  
outright dangerous if the input string isn't all-ASCII, because we  
risk truncating the string in the middle of a multibyte character.  
That'd lead either to delivering an illegible error message to the  
client, or to encoding-conversion failures that obscure the actual  
data problem.  Get rid of that in favor of truncating at whitespace  
if any (a suggestion due to Alvaro Herrera).  
  
In addition to fixing these things, I const-ified the input string  
pointers of DCH_from_char and its subroutines, to make sure there  
aren't any other scribbling-on-input problems.  
  
The risk of generating a badly-encoded error message seems like  
enough of a bug to justify back-patching, so patch all supported  
branches.  
  
Discussion: https://postgr.es/m/[email protected]  

M src/backend/utils/adt/formatting.c
M src/test/regress/expected/horology.out

Fix concurrent indexing operations with temporary tables

commit   : ef33edeb58350afde74a9b28e34efce0e3119063    
  
author   : Michael Paquier <[email protected]>    
date     : Wed, 22 Jan 2020 09:49:39 +0900    
  
committer: Michael Paquier <[email protected]>    
date     : Wed, 22 Jan 2020 09:49:39 +0900    

Click here for diff

Attempting to use CREATE INDEX, DROP INDEX or REINDEX with CONCURRENTLY  
on a temporary relation with ON COMMIT actions triggered unexpected  
errors because those operations use multiple transactions internally to  
complete their work.  Here is for example one confusing error when using  
ON COMMIT DELETE ROWS:  
ERROR:  index "foo" already contains data  
  
Issues related to temporary relations and concurrent indexing are fixed  
in this commit by enforcing the non-concurrent path to be taken for  
temporary relations even if using CONCURRENTLY, transparently to the  
user.  Using a non-concurrent path does not matter in practice as locks  
cannot be taken on a temporary relation by a session different than the  
one owning the relation, and the non-concurrent operation is more  
effective.  
  
The problem exists with REINDEX since v12 with the introduction of  
CONCURRENTLY, and with CREATE/DROP INDEX since CONCURRENTLY exists for  
those commands.  In all supported versions, this caused only confusing  
error messages to be generated.  Note that with REINDEX, it was also  
possible to issue a REINDEX CONCURRENTLY for a temporary relation owned  
by a different session, leading to a server crash.  
  
The idea to enforce transparently the non-concurrent code path for  
temporary relations comes originally from Andres Freund.  
  
Reported-by: Manuel Rigger  
Author: Michael Paquier, Heikki Linnakangas  
Reviewed-by: Andres Freund, Álvaro Herrera, Heikki Linnakangas  
Discussion: https://postgr.es/m/CA+u7OA6gP7YAeCguyseusYcc=uR8+ypjCcgDDCTzjQ+k6S9ksQ@mail.gmail.com  
Backpatch-through: 9.4  

M doc/src/sgml/ref/create_index.sgml
M doc/src/sgml/ref/drop_index.sgml
M src/backend/catalog/index.c
M src/backend/commands/indexcmds.c
M src/backend/commands/tablecmds.c
M src/test/regress/expected/create_index.out
M src/test/regress/sql/create_index.sql

Fix edge case leading to agg transitions skipping ExecAggTransReparent() calls.

commit   : d4c339924cf7d258c569d48381aa3c90ee5d8695    
  
author   : Andres Freund <[email protected]>    
date     : Mon, 20 Jan 2020 23:26:51 -0800    
  
committer: Andres Freund <[email protected]>    
date     : Mon, 20 Jan 2020 23:26:51 -0800    

Click here for diff

The code checking whether an aggregate transition value needs to be  
reparented into the current context has always only compared the  
transition return value with the previous transition value by datum,  
i.e. without regard for NULLness.  This normally works, because when  
the transition function returns NULL (via fcinfo->isnull), it'll  
return a value that won't be the same as its input value.  
  
But there's no hard requirement that that's the case. And it turns  
out, it's possible to hit this case (see discussion or reproducers),  
leading to a non-null transition value not being reparented, followed  
by a crash caused by that.  
  
Instead of adding another comparison of NULLness, instead have  
ExecAggTransReparent() ensure that pergroup->transValue ends up as 0  
when the new transition value is NULL. That avoids having to add an  
additional branch to the much more common cases of the transition  
function returning the old transition value (which is a pointer in  
this case), and when the new value is different, but not NULL.  
  
In branches since 69c3936a149, also deduplicate the reparenting code  
between the expression evaluation based transitions, and the path for  
ordered aggregates.  
  
Reported-By: Teodor Sigaev, Nikita Glukhov  
Author: Andres Freund  
Discussion: https://postgr.es/m/[email protected]  
Backpatch: 9.4-, this issue has existed since at least 7.4  

M src/backend/executor/nodeAgg.c

Add GUC variables for stat tracking and timeout as PGDLLIMPORT

commit   : 9740cdbe5e35c57abba1d3cfe082d8dd35118ca5    
  
author   : Michael Paquier <[email protected]>    
date     : Tue, 21 Jan 2020 13:47:10 +0900    
  
committer: Michael Paquier <[email protected]>    
date     : Tue, 21 Jan 2020 13:47:10 +0900    

Click here for diff

This helps integration of extensions with Windows.  The following  
parameters are changed:  
- idle_in_transaction_session_timeout (9.6 and newer versions)  
- lock_timeout  
- statement_timeout  
- track_activities  
- track_counts  
- track_functions  
  
Author: Pascal Legrand  
Reviewed-by: Amit Kamila, Julien Rouhaud, Michael Paquier  
Discussion: https://postgr.es/m/[email protected]  
Backpatch-through: 9.4  

M src/include/pgstat.h
M src/include/storage/proc.h

Fix pg_dump's sigTermHandler() to use _exit() not exit().

commit   : 208e262f9246df9050aee63a933bb8b7fe265163    
  
author   : Tom Lane <[email protected]>    
date     : Mon, 20 Jan 2020 12:57:17 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Mon, 20 Jan 2020 12:57:17 -0500    

Click here for diff

sigTermHandler() tried to be careful to invoke only operations that  
are safe to do in a signal handler.  But for some reason we forgot  
that exit(3) is not among those, because it calls atexit handlers  
that might do various random things.  (pg_dump itself installs no  
atexit handlers, but e.g. OpenSSL does.)  That led to crashes or  
lockups when attempting to terminate a parallel dump or restore  
via a signal.  
  
Fix by calling _exit() instead.  
  
Per bug #16199 from Raúl Marín.  Back-patch to all supported branches.  
  
Discussion: https://postgr.es/m/[email protected]  

M src/bin/pg_dump/parallel.c

Fix crash in BRIN inclusion op functions, due to missing datum copy.

commit   : e96f30d898d8c8cde44e625b888e839f707dcc60    
  
author   : Heikki Linnakangas <[email protected]>    
date     : Mon, 20 Jan 2020 10:36:35 +0200    
  
committer: Heikki Linnakangas <[email protected]>    
date     : Mon, 20 Jan 2020 10:36:35 +0200    

Click here for diff

The BRIN add_value() and union() functions need to make a longer-lived  
copy of the argument, if they want to store it in the BrinValues struct  
also passed as argument. The functions for the "inclusion operator  
classes" used with box, range and inet types didn't take into account  
that the union helper function might return its argument as is, without  
making a copy. Check for that case, and make a copy if necessary. That  
case arises at least with the range_union() function, when one of the  
arguments is an 'empty' range:  
  
CREATE TABLE brintest (n numrange);  
CREATE INDEX brinidx ON brintest USING brin (n);  
INSERT INTO brintest VALUES ('empty');  
INSERT INTO brintest VALUES (numrange(0, 2^1000::numeric));  
INSERT INTO brintest VALUES ('(-1, 0)');  
  
SELECT brin_desummarize_range('brinidx', 0);  
SELECT brin_summarize_range('brinidx', 0);  
  
Backpatch down to 9.5, where BRIN was introduced.  
  
Discussion: https://www.postgresql.org/message-id/e6e1d6eb-0a67-36aa-e779-bcca59167c14%40iki.fi  
Reviewed-by: Emre Hasegeli, Tom Lane, Alvaro Herrera  

M src/backend/access/brin/brin_inclusion.c

Repair more failures with SubPlans in multi-row VALUES lists.

commit   : 45f03cfa56c88a3c662436027f076ad2b667287e    
  
author   : Tom Lane <[email protected]>    
date     : Fri, 17 Jan 2020 16:17:17 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Fri, 17 Jan 2020 16:17:17 -0500    

Click here for diff

Commit 9b63c13f0 turns out to have been fundamentally misguided:  
the parent node's subPlan list is by no means the only way in which  
a child SubPlan node can be hooked into the outer execution state.  
As shown in bug #16213 from Matt Jibson, we can also get short-lived  
tuple table slots added to the outer es_tupleTable list.  At this point  
I have little faith that there aren't other possible connections as  
well; the long time it took to notice this problem shows that this  
isn't a heavily-exercised situation.  
  
Therefore, revert that fix, returning to the coding that passed a  
NULL parent plan pointer down to the transiently-built subexpressions.  
That gives us a pretty good guarantee that they won't hook into the  
outer executor state in any way.  But then we need some other solution  
to make SubPlans work.  Adopt the solution speculated about in the  
previous commit's log message: do expression initialization at plan  
startup for just those VALUES rows containing SubPlans, abandoning the  
goal of reclaiming memory intra-query for those rows.  In practice it  
seems unlikely that queries containing a vast number of VALUES rows  
would be using SubPlans in them, so this should not give up much.  
  
(BTW, this test case also refutes my claim in connection with the prior  
commit that the issue only arises with use of LATERAL.  That was just  
wrong: some variants of SubLink always produce SubPlans.)  
  
As with previous patch, back-patch to all supported branches.  
  
Discussion: https://postgr.es/m/[email protected]  

M src/backend/executor/nodeValuesscan.c
M src/include/nodes/execnodes.h
M src/test/regress/expected/subselect.out
M src/test/regress/sql/subselect.sql

Set ReorderBufferTXN->final_lsn more eagerly

commit   : cdb14154bb00e711152f4011417b3e44ea85adea    
  
author   : Alvaro Herrera <[email protected]>    
date     : Fri, 17 Jan 2020 18:00:39 -0300    
  
committer: Alvaro Herrera <[email protected]>    
date     : Fri, 17 Jan 2020 18:00:39 -0300    

Click here for diff

... specifically, set it incrementally as each individual change is  
spilled down to disk.  This way, it is set correctly when the  
transaction disappears without trace, ie. without leaving an XACT_ABORT  
wal record.  (This happens when the server crashes midway through a  
transaction.)  
  
Failing to have final_lsn prevents ReorderBufferRestoreCleanup() from  
working, since it needs the final_lsn in order to know the endpoint of  
its iteration through spilled files.  
  
Commit df9f682c7bf8 already tried to fix the problem, but it didn't set  
the final_lsn in all cases.  Revert that, since it's no longer needed.  
  
Author: Vignesh C  
Reviewed-by: Amit Kapila, Dilip Kumar  
Discussion: https://postgr.es/m/CALDaNm2CLk+K9JDwjYST0sPbGg5AQdvhUt0jbKyX_HdAE0jk3A@mail.gmail.com  

M src/backend/replication/logical/reorderbuffer.c
M src/include/replication/reorderbuffer.h

docs: change "default role" wording to "predefined role"

commit   : 90d553dd96106ab278550e85d95a5663d77d7db7    
  
author   : Bruce Momjian <[email protected]>    
date     : Tue, 14 Jan 2020 13:13:04 -0500    
  
committer: Bruce Momjian <[email protected]>    
date     : Tue, 14 Jan 2020 13:13:04 -0500    

Click here for diff

The new wording was determined to be more accurate.  Also, update  
release note links that reference these sections.  
  
Reported-by: [email protected]  
  
Discussion: https://postgr.es/m/[email protected]  
  
Backpatch-through: 9.6  

M doc/src/sgml/release-9.6.sgml
M doc/src/sgml/user-manag.sgml

Make rewriter prevent auto-updates on views with conditional INSTEAD rules.

commit   : fd87262de55e402c72d4bdacee830838735b1f27    
  
author   : Dean Rasheed <[email protected]>    
date     : Tue, 14 Jan 2020 09:49:23 +0000    
  
committer: Dean Rasheed <[email protected]>    
date     : Tue, 14 Jan 2020 09:49:23 +0000    

Click here for diff

A view with conditional INSTEAD rules and no unconditional INSTEAD  
rules or INSTEAD OF triggers is not auto-updatable. Previously we  
relied on a check in the executor to catch this, but that's  
problematic since the planner may fail to properly handle such a query  
and thus return a particularly unhelpful error to the user, before  
reaching the executor check.  
  
Instead, trap this in the rewriter and report the correct error there.  
Doing so also allows us to include more useful error detail than the  
executor check can provide. This doesn't change the existing behaviour  
of updatable views; it merely ensures that useful error messages are  
reported when a view isn't updatable.  
  
Per report from Pengzhou Tang, though not adopting that suggested fix.  
Back-patch to all supported branches.  
  
Discussion: https://postgr.es/m/CAG4reAQn+4xB6xHJqWdtE0ve_WqJkdyCV4P=trYr4Kn8_3_PEA@mail.gmail.com  

M src/backend/executor/execMain.c
M src/backend/rewrite/rewriteHandler.c
M src/test/regress/expected/updatable_views.out
M src/test/regress/sql/updatable_views.sql

Fix edge-case crashes and misestimation in range containment selectivity.

commit   : 2dd10477cbfcf4d54725e9fd2cb3af84aa644fe5    
  
author   : Tom Lane <[email protected]>    
date     : Sun, 12 Jan 2020 14:37:00 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Sun, 12 Jan 2020 14:37:00 -0500    

Click here for diff

When estimating the selectivity of "range_var <@ range_constant" or  
"range_var @> range_constant", if the upper (or respectively lower)  
bound of the range_constant was above the last bin of the range_var's  
histogram, the code would access uninitialized memory and potentially  
crash (though it seems the probability of a crash is quite low).  
Handle the endpoint cases explicitly to fix that.  
  
While at it, be more paranoid about the possibility of getting NaN  
or other silly results from the range type's subdiff function.  
And improve some comments.  
  
Ordinarily we'd probably add a regression test case demonstrating  
the bug in unpatched code.  But it's too hard to get it to crash  
reliably because of the uninitialized-memory dependence, so skip that.  
  
Per bug #16122 from Adam Scott.  It's been broken from the beginning,  
apparently, so backpatch to all supported branches.  
  
Diagnosis by Michael Paquier, patch by Andrey Borodin and Tom Lane.  
  
Discussion: https://postgr.es/m/[email protected]  

M src/backend/utils/adt/rangetypes_selfuncs.c

doc: Fix naming of SELinux

commit   : 24d559db92faf8695cb285364c7cf6fe5c576681    
  
author   : Michael Paquier <[email protected]>    
date     : Fri, 10 Jan 2020 09:37:33 +0900    
  
committer: Michael Paquier <[email protected]>    
date     : Fri, 10 Jan 2020 09:37:33 +0900    

Click here for diff

Reported-by: Tham Nguyen  
Discussion: https://postgr.es/m/[email protected]  
Backpatch-through: 9.4  

M doc/src/sgml/ref/security_label.sgml
M src/test/modules/dummy_seclabel/README

Revert "Forbid DROP SCHEMA on temporary namespaces"

commit   : 50174b70e779613479006bab944340706de51795    
  
author   : Michael Paquier <[email protected]>    
date     : Wed, 8 Jan 2020 10:36:40 +0900    
  
committer: Michael Paquier <[email protected]>    
date     : Wed, 8 Jan 2020 10:36:40 +0900    

Click here for diff

This reverts commit a052f6c, following complains from Robert Haas and  
Tom Lane.  Backpatch down to 9.4, like the previous commit.  
  
Discussion: https://postgr.es/m/CA+TgmobL4npEX5=E5h=5Jm_9mZun3MT39Kq2suJFVeamc9skSQ@mail.gmail.com  
Backpatch-through: 9.4  

M src/backend/commands/dropcmds.c

Fix running out of file descriptors for spill files.

commit   : ba5b4e506489b1f2c66c47134a5bd7404104b80b    
  
author   : Amit Kapila <[email protected]>    
date     : Thu, 2 Jan 2020 11:29:50 +0530    
  
committer: Amit Kapila <[email protected]>    
date     : Thu, 2 Jan 2020 11:29:50 +0530    

Click here for diff

Currently while decoding changes, if the number of changes exceeds a  
certain threshold, we spill those to disk.  And this happens for each  
(sub)transaction.  Now, while reading all these files, we don't close them  
until we read all the files.  While reading these files, if the number of  
such files exceeds the maximum number of file descriptors, the operation  
errors out.  
  
Use PathNameOpenFile interface to open these files as that internally has  
the mechanism to release kernel FDs as needed to get us under the  
max_safe_fds limit.  
  
Reported-by: Amit Khandekar  
Author: Amit Khandekar  
Reviewed-by: Amit Kapila  
Backpatch-through: 9.4  
Discussion: https://postgr.es/m/CAJ3gD9c-sECEn79zXw4yBnBdOttacoE-6gAyP0oy60nfs_sabQ@mail.gmail.com  

M src/backend/replication/logical/reorderbuffer.c

Update copyrights for 2020

commit   : 15eb1b66a4e5a9236f5a4a53f1def5ebca81768b    
  
author   : Bruce Momjian <[email protected]>    
date     : Wed, 1 Jan 2020 12:21:44 -0500    
  
committer: Bruce Momjian <[email protected]>    
date     : Wed, 1 Jan 2020 12:21:44 -0500    

Click here for diff

Backpatch-through: update all files in master, backpatch legal files through 9.4  

M COPYRIGHT
M doc/src/sgml/legal.sgml

doc: add examples of creative use of unique expression indexes

commit   : 6f53e66bec7087b615cd5a5e94d10a83d301ba10    
  
author   : Bruce Momjian <[email protected]>    
date     : Fri, 27 Dec 2019 14:49:08 -0500    
  
committer: Bruce Momjian <[email protected]>    
date     : Fri, 27 Dec 2019 14:49:08 -0500    

Click here for diff

Unique expression indexes can constrain data in creative ways, so show  
two examples.  
  
Reported-by: Tuomas Leikola  
  
Discussion: https://postgr.es/m/[email protected]  
  
Backpatch-through: 9.4  

M doc/src/sgml/indices.sgml

docs: clarify infinite range values from data-type infinities

commit   : df189f353f8f2077287de7e66a467db2593290e1    
  
author   : Bruce Momjian <[email protected]>    
date     : Fri, 27 Dec 2019 14:33:30 -0500    
  
committer: Bruce Momjian <[email protected]>    
date     : Fri, 27 Dec 2019 14:33:30 -0500    

Click here for diff

The previous docs referenced these distinct ideas confusingly.  
  
Reported-by: Eugen Konkov  
  
Discussion: https://postgr.es/m/[email protected]  
  
Backpatch-through: 9.4  

M doc/src/sgml/rangetypes.sgml

Forbid DROP SCHEMA on temporary namespaces

commit   : cb6f94a5219d3a42df376919e0d77578d8ff2121    
  
author   : Michael Paquier <[email protected]>    
date     : Fri, 27 Dec 2019 17:59:27 +0900    
  
committer: Michael Paquier <[email protected]>    
date     : Fri, 27 Dec 2019 17:59:27 +0900    

Click here for diff

This operation was possible for the owner of the schema or a superuser.  
Down to 9.4, doing this operation would cause inconsistencies in a  
session whose temporary schema was dropped, particularly if trying to  
create new temporary objects after the drop.  A more annoying  
consequence is a crash of autovacuum on an assertion failure when  
logging information about an orphaned temp table dropped.  Note that  
because of 246a6c8 (present in v11~), which has made the removal of  
orphaned temporary tables more aggressive, the failure could be  
triggered more easily, but it is possible to reproduce down to 9.4.  
  
Reported-by: Mahendra Singh, Prabhat Sahu  
Author: Michael Paquier  
Reviewed-by: Kyotaro Horiguchi, Mahendra Singh  
Discussion: https://postgr.es/m/CAKYtNAr9Zq=1-ww4etHo-VCC-k120YxZy5OS01VkaLPaDbv2tg@mail.gmail.com  
Backpatch-through: 9.4  

M src/backend/commands/dropcmds.c

Rotate instead of shifting hash join batch number.

commit   : 15861deb65cdd900ed2608ef2de64f9b915c7baf    
  
author   : Thomas Munro <[email protected]>    
date     : Tue, 24 Dec 2019 11:31:24 +1300    
  
committer: Thomas Munro <[email protected]>    
date     : Tue, 24 Dec 2019 11:31:24 +1300    

Click here for diff

Our algorithm for choosing batch numbers turned out not to work  
effectively for multi-billion key inner relations.  We would use  
more hash bits than we have, and effectively concentrate all tuples  
into a smaller number of batches than we intended.  While ideally  
we should switch to wider hashes, for now, change the algorithm to  
one that effectively gives up bits from the bucket number when we  
don't have enough bits.  That means we'll finish up with longer  
bucket chains than would be ideal, but that's better than having  
batches that don't fit in work_mem and can't be divided.  
  
Batch-patch to all supported releases.  
  
Author: Thomas Munro  
Reviewed-by: Tom Lane, thanks also to Tomas Vondra, Alvaro Herrera, Andres Freund for testing and discussion  
Reported-by: James Coleman  
Discussion: https://postgr.es/m/16104-dc11ed911f1ab9df%40postgresql.org  

M src/backend/executor/nodeHash.c

Disallow null category in crosstab_hash

commit   : 3757c164008c2659ff5b28ab97854c3f5d919de4    
  
author   : Joe Conway <[email protected]>    
date     : Mon, 23 Dec 2019 13:33:57 -0500    
  
committer: Joe Conway <[email protected]>    
date     : Mon, 23 Dec 2019 13:33:57 -0500    

Click here for diff

While building a hash map of categories in load_categories_hash,  
resulting category names have not thus far been checked to ensure  
they are not null. Prior to pg12 null category names worked to the  
extent that they did not crash on some platforms. This is because  
those system libraries have an snprintf which can deal with being  
passed a null pointer argument for a string. But even in those cases  
null categories did nothing useful. And on some platforms it crashed.  
As of pg12, our own version of snprintf gets called, and it does  
not deal with null pointer arguments at all, and crashes consistently.  
  
Fix that by disallowing null categories. They never worked usefully,  
and no one has ever asked for them to work previously. Back-patch to  
all supported branches.  
  
Reported-By: Ireneusz Pluta  
Discussion: https://postgr.es/m/[email protected]  

M contrib/tablefunc/tablefunc.c

Prevent a rowtype from being included in itself via a range.

commit   : 354d913f9745c4ce39c891d9a73b0b2535fd9c4c    
  
author   : Tom Lane <[email protected]>    
date     : Mon, 23 Dec 2019 12:08:24 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Mon, 23 Dec 2019 12:08:24 -0500    

Click here for diff

We probably should have thought of this case when ranges were added,  
but we didn't.  (It's not the fault of commit eb51af71f, because  
ranges didn't exist then.)  
  
It's an old bug, so back-patch to all supported branches.  
  
Discussion: https://postgr.es/m/[email protected]  

M src/backend/catalog/heap.c
M src/test/regress/expected/rangetypes.out
M src/test/regress/sql/rangetypes.sql

Avoid low-probability regression test failures in timestamp[tz] tests.

commit   : b399d01fd7bb5d3f056e9b65933b9e3d89fb2d45    
  
author   : Tom Lane <[email protected]>    
date     : Sun, 22 Dec 2019 18:00:18 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Sun, 22 Dec 2019 18:00:18 -0500    

Click here for diff

If the first transaction block in these tests were entered exactly  
at midnight (California time), they'd report a bogus failure due  
to 'now' and 'midnight' having the same values.  Commit 8c2ac75c5  
had dismissed this as being of negligible probability, but we've  
now seen it happen in the buildfarm, so let's prevent it.  We can  
get pretty much the same test coverage without an it's-not-midnight  
assumption by moving the does-'now'-work cases into their own test step.  
  
While here, apply commit 47169c255's s/DELETE/TRUNCATE/ change to  
timestamptz as well as timestamp (not sure why that didn't  
occur to me at the time; the risk of failure is the same).  
  
Back-patch to all supported branches, since the main point is  
to get rid of potential buildfarm failures.  
  
Discussion: https://postgr.es/m/[email protected]  

M src/test/regress/expected/timestamp.out
M src/test/regress/expected/timestamptz.out
M src/test/regress/sql/timestamp.sql
M src/test/regress/sql/timestamptz.sql

In pgwin32_open, loop after ERROR_ACCESS_DENIED only if we can't stat.

commit   : 739201b0e62ddb6dc8f4c9ae3b43bf5b6e4393d1    
  
author   : Tom Lane <[email protected]>    
date     : Sat, 21 Dec 2019 17:39:36 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Sat, 21 Dec 2019 17:39:36 -0500    

Click here for diff

This fixes a performance problem introduced by commit 6d7547c21.  
ERROR_ACCESS_DENIED is returned in some other cases besides the  
delete-pending case considered by that commit; notably, if the  
given path names a directory instead of a plain file.  In that  
case we'll uselessly loop for 1 second before returning the  
failure condition.  That slows down some usage scenarios enough  
to cause test timeout failures on our Windows buildfarm critters.  
  
To fix, try to stat() the file, and sleep/loop only if that fails.  
It will fail in the delete-pending case, and also in the case where  
the deletion completed before we could stat(), so we have the cases  
where we want to loop covered.  In the directory case, the stat()  
should succeed, letting us exit without a wait.  
  
One case where we'll still wait uselessly is if the access-denied  
problem pertains to a directory in the given pathname.  But we don't  
expect that to happen in any performance-critical code path.  
  
There might be room to refine this further, but I'll push it now  
in hopes of making the buildfarm green again.  
  
Back-patch, like the preceding commit.  
  
Alexander Lakhin and Tom Lane  
  
Discussion: https://postgr.es/m/[email protected]  

M src/port/open.c

docs: clarify handling of column lists in COPY TO/FROM

commit   : 586f4ffd6de3be0f0566d23a2deeb2628b9f036e    
  
author   : Bruce Momjian <[email protected]>    
date     : Sat, 21 Dec 2019 12:44:38 -0500    
  
committer: Bruce Momjian <[email protected]>    
date     : Sat, 21 Dec 2019 12:44:38 -0500    

Click here for diff

Previously it was unclear how COPY FROM handled cases where not all  
columns were specified, or if the order didn't match.  
  
Reported-by: [email protected]  
  
Discussion: https://postgr.es/m/[email protected]  
  
Backpatch-through: 9.4  

M doc/src/sgml/ref/copy.sgml

commit   : c11bd6c10fe56b627a5ecb3263bbbcde60a06091    
  
author   : Tom Lane <[email protected]>    
date     : Fri, 20 Dec 2019 15:34:08 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Fri, 20 Dec 2019 15:34:08 -0500    

Click here for diff

We realized years ago that it's better for libpq to accept all  
connection parameters syntactically, even if some are ignored or  
restricted due to lack of the feature in a particular build.  
However, that lesson from the SSL support was for some reason never  
applied to the GSSAPI support.  This is causing various buildfarm  
members to have problems with a test case added by commit 6136e94dc,  
and it's just a bad idea from a user-experience standpoint anyway,  
so fix it.  
  
While at it, fix some places where parameter-related infrastructure  
was added with the aid of a dartboard, or perhaps with the aid of  
the anti-pattern "add new stuff at the end".  It should be safe  
to rearrange the contents of struct pg_conn even in released  
branches, since that's private to libpq (and we'd have to move  
some fields in some builds to fix this, anyway).  
  
Back-patch to all supported branches.  
  
Discussion: https://postgr.es/m/[email protected]  

M contrib/postgres_fdw/expected/postgres_fdw.out
M contrib/postgres_fdw/sql/postgres_fdw.sql
M doc/src/sgml/libpq.sgml
M src/interfaces/libpq/fe-connect.c
M src/interfaces/libpq/libpq-int.h

Fix error reporting for index expressions of prohibited types.

commit   : 275a8ac4f75ccfa73e0baa7c71ad59f4fe89367c    
  
author   : Tom Lane <[email protected]>    
date     : Tue, 17 Dec 2019 17:44:28 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Tue, 17 Dec 2019 17:44:28 -0500    

Click here for diff

If CheckAttributeType() threw an error about the datatype of an  
index expression column, it would report an empty column name,  
which is pretty unhelpful and certainly not the intended behavior.  
I (tgl) evidently broke this in commit cfc5008a5, by not noticing  
that the column's attname was used above where I'd placed the  
assignment of it.  
  
In HEAD and v12, this is trivially fixable by moving up the  
assignment of attname.  Before v12 the code is a bit more messy;  
to avoid doing substantial refactoring, I took the lazy way out  
and just put in two copies of the assignment code.  
  
Report and patch by Amit Langote.  Back-patch to all supported  
branches.  
  
Discussion: https://postgr.es/m/CA+HiwqFA+BGyBFimjiYXXMa2Hc3fcL0+OJOyzUNjhU4NCa_XXw@mail.gmail.com  

M src/backend/catalog/index.c
M src/test/regress/expected/create_index.out
M src/test/regress/sql/create_index.sql

On Windows, wait a little to see if ERROR_ACCESS_DENIED goes away.

commit   : 65cb25e4fb5025ee6dcbcee0c15602f556945f8d    
  
author   : Tom Lane <[email protected]>    
date     : Mon, 16 Dec 2019 15:10:55 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Mon, 16 Dec 2019 15:10:55 -0500    

Click here for diff

Attempting to open a file fails with ERROR_ACCESS_DENIED if the file  
is flagged for deletion but not yet actually gone (another in a long  
list of reasons why Windows is broken, if you ask me).  This seems  
likely to explain a lot of irreproducible failures we see in the  
buildfarm.  This state generally persists for only a millisecond or so,  
so just wait a bit and retry.  If it's a real permissions problem,  
we'll eventually give up and report it as such.  If it's the pending  
deletion case, we'll see file-not-found and report that after the  
deletion completes, and the caller will treat that in an appropriate  
way.  
  
In passing, rejigger the existing retry logic for some other error  
cases so that we don't uselessly wait an extra time when we're  
not going to retry anymore.  
  
Alexander Lakhin (with cosmetic tweaks by me).  Back-patch to all  
supported branches, since this seems like a pretty safe change and  
the problem is definitely real.  
  
Discussion: https://postgr.es/m/[email protected]  

M src/port/open.c

Fix EXTRACT(ISOYEAR FROM timestamp) for years BC.

commit   : 6e2ac8d66d58ccdda4dcccc52f8b6b7911db0ad2    
  
author   : Tom Lane <[email protected]>    
date     : Thu, 12 Dec 2019 12:30:44 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Thu, 12 Dec 2019 12:30:44 -0500    

Click here for diff

The test cases added by commit 26ae3aa80 exposed an old oversight in  
timestamp[tz]_part: they didn't correct the result of date2isoyear()  
for BC years, so that we produced an off-by-one answer for such years.  
Fix that, and back-patch to all supported branches.  
  
Discussion: https://postgr.es/m/SG2PR06MB37762CAE45DB0F6CA7001EA9B6550@SG2PR06MB3776.apcprd06.prod.outlook.com  

M src/backend/utils/adt/timestamp.c
M src/test/regress/expected/timestamp.out
M src/test/regress/expected/timestamptz.out

Remove redundant function calls in timestamp[tz]_part().

commit   : 6bed9b4f6ea5703a68246a3e335181c658d5dd5e    
  
author   : Tom Lane <[email protected]>    
date     : Thu, 12 Dec 2019 12:12:35 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Thu, 12 Dec 2019 12:12:35 -0500    

Click here for diff

The DTK_DOW/DTK_ISODOW and DTK_DOY switch cases in timestamp_part() and  
timestamptz_part() contained calls of timestamp2tm() that were fully  
redundant with the ones done just above the switch.  This evidently crept  
in during commit 258ee1b63, which relocated that code from another place  
where the calls were indeed needed.  Just delete the redundant calls.  
  
I (tgl) noted that our test coverage of these functions left quite a  
bit to be desired, so extend timestamp.sql and timestamptz.sql to  
cover all the branches.  
  
Back-patch to all supported branches, as the previous commit was.  
There's no real issue here other than some wasted cycles in some  
not-too-heavily-used code paths, but the test coverage seems valuable.  
  
Report and patch by Li Japin; test case adjustments by me.  
  
Discussion: https://postgr.es/m/SG2PR06MB37762CAE45DB0F6CA7001EA9B6550@SG2PR06MB3776.apcprd06.prod.outlook.com  

M src/backend/utils/adt/timestamp.c
M src/test/regress/expected/timestamp.out
M src/test/regress/expected/timestamptz.out
M src/test/regress/sql/timestamp.sql
M src/test/regress/sql/timestamptz.sql

Doc: back-patch documentation about limitations of CHECK constraints.

commit   : 7ef59c9b183955e841c39c227e9ebc5c49eb9f18    
  
author   : Tom Lane <[email protected]>    
date     : Wed, 11 Dec 2019 15:53:36 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Wed, 11 Dec 2019 15:53:36 -0500    

Click here for diff

Back-patch commits 36d442a25 and 1f66c657f into all supported  
branches.  I'd considered doing this when putting in the latter  
commit, but failed to pull the trigger.  Now that we've had an  
actual field complaint about the lack of such docs, let's do it.  
  
Per bug #16158 from Piotr Jander.  Original patches by Lætitia Avrot,  
Patrick Francelle, and me.  
  
Discussion: https://postgr.es/m/[email protected]  

M doc/src/sgml/ddl.sgml
M doc/src/sgml/ref/alter_domain.sgml
M doc/src/sgml/ref/alter_table.sgml
M doc/src/sgml/ref/create_domain.sgml
M doc/src/sgml/ref/create_table.sgml

Fix race condition in our Windows signal emulation.

commit   : df44e411c00878210baea3dd3363268f2760f793    
  
author   : Tom Lane <[email protected]>    
date     : Mon, 9 Dec 2019 15:03:52 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Mon, 9 Dec 2019 15:03:52 -0500    

Click here for diff

pg_signal_dispatch_thread() responded to the client (signal sender)  
and disconnected the pipe before actually setting the shared variables  
that make the signal visible to the backend process's main thread.  
In the worst case, it seems, effective delivery of the signal could be  
postponed for as long as the machine has any other work to do.  
  
To fix, just move the pg_queue_signal() call so that we do it before  
responding to the client.  This essentially makes pgkill() synchronous,  
which is a stronger guarantee than we have on Unix.  That may be  
overkill, but on the other hand we have not seen comparable timing bugs  
on any Unix platform.  
  
While at it, add some comments to this sadly underdocumented code.  
  
Problem diagnosis and fix by Amit Kapila; I just added the comments.  
  
Back-patch to all supported versions, as it appears that this can cause  
visible NOTIFY timing oddities on all of them, and there might be  
other misbehavior due to slow delivery of other signals.  
  
Discussion: https://postgr.es/m/[email protected]  

M src/backend/port/win32/signal.c

Improve isolationtester's timeout management.

commit   : 999c72b4dc2e0e67869f698af32b24ed14d9edc3    
  
author   : Tom Lane <[email protected]>    
date     : Mon, 9 Dec 2019 14:31:57 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Mon, 9 Dec 2019 14:31:57 -0500    

Click here for diff

isolationtester.c had a hard-wired limit of 3 minutes per test step.  
It now emerges that this isn't quite enough for some of the slowest  
buildfarm animals.  This isn't the first time we've had to raise  
this limit (cf. 1db439ad4), so let's make it configurable.  This  
patch raises the default to 5 minutes, and introduces an environment  
variable PGISOLATIONTIMEOUT that can be set if more time is needed,  
following the precedent of PGCTLTIMEOUT.  
  
Also, modify isolationtester so that when the timeout is hit,  
it explicitly reports having sent a cancel.  This makes the regression  
failure log considerably more intelligible.  (In the worst case, a  
timed-out test might actually be reported as "passing" without this  
extra output, so arguably this is a bug fix in itself.)  
  
In passing, update the README file, which had apparently not gotten  
touched when we added "make check" support here.  
  
Back-patch to 9.6; older versions don't have comparable timeout logic.  
  
Discussion: https://postgr.es/m/[email protected]  

M src/test/isolation/README
M src/test/isolation/isolationtester.c

Document search_path security with untrusted dbowner or CREATEROLE.

commit   : 0c1008dd455a5b0a9b12e7337fd031dcd6f61cdb    
  
author   : Noah Misch <[email protected]>    
date     : Sun, 8 Dec 2019 11:06:26 -0800    
  
committer: Noah Misch <[email protected]>    
date     : Sun, 8 Dec 2019 11:06:26 -0800    

Click here for diff

Commit 5770172cb0c9df9e6ce27c507b449557e5b45124 wrote, incorrectly, that  
certain schema usage patterns are secure against CREATEROLE users and  
database owners.  When an untrusted user is the database owner or holds  
CREATEROLE privilege, a query is secure only if its session started with  
SELECT pg_catalog.set_config('search_path', '', false) or equivalent.  
Back-patch to 9.4 (all supported versions).  
  
Discussion: https://postgr.es/m/[email protected]  

M doc/src/sgml/ddl.sgml

Ensure maxlen is at leat 1 in dict_int

commit   : fabdad822287d6aac6a80fc57a97d38bd7456958    
  
author   : Tomas Vondra <[email protected]>    
date     : Tue, 3 Dec 2019 16:55:51 +0100    
  
committer: Tomas Vondra <[email protected]>    
date     : Tue, 3 Dec 2019 16:55:51 +0100    

Click here for diff

The dict_int text search dictionary template accepts maxlen parameter,  
which is then used to cap the length of input strings. The value was  
not properly checked, and the code simply does  
  
    txt[d->maxlen] = '\0';  
  
to insert a terminator, leading to segfaults with negative values.  
  
This commit simply rejects values less than 1. The issue was there since  
dct_int was introduced in 9.3, so backpatch all the way back to 9.4  
which is the oldest supported version.  
  
Reported-by: cili  
Discussion: https://postgr.es/m/[email protected]  
Backpatch-through: 9.4  

M contrib/dict_int/dict_int.c
M contrib/dict_int/expected/dict_int.out
M contrib/dict_int/sql/dict_int.sql

Fix misbehavior with expression indexes on ON COMMIT DELETE ROWS tables.

commit   : 283f095d0bff349682985bfa84c36e86c282a055    
  
author   : Tom Lane <[email protected]>    
date     : Sun, 1 Dec 2019 13:09:27 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Sun, 1 Dec 2019 13:09:27 -0500    

Click here for diff

We implement ON COMMIT DELETE ROWS by truncating tables marked that  
way, which requires also truncating/rebuilding their indexes.  But  
RelationTruncateIndexes asks the relcache for up-to-date copies of any  
index expressions, which may cause execution of eval_const_expressions  
on them, which can result in actual execution of subexpressions.  
This is a bad thing to have happening during ON COMMIT.  Manuel Rigger  
reported that use of a SQL function resulted in crashes due to  
expectations that ActiveSnapshot would be set, which it isn't.  
The most obvious fix perhaps would be to push a snapshot during  
PreCommit_on_commit_actions, but I think that would just open the door  
to more problems: CommitTransaction explicitly expects that no  
user-defined code can be running at this point.  
  
Fortunately, since we know that no tuples exist to be indexed, there  
seems no need to use the real index expressions or predicates during  
RelationTruncateIndexes.  We can set up dummy index expressions  
instead (we do need something that will expose the right data type,  
as there are places that build index tupdescs based on this), and  
just ignore predicates and exclusion constraints.  
  
In a green field it'd likely be better to reimplement ON COMMIT DELETE  
ROWS using the same "init fork" infrastructure used for unlogged  
relations.  That seems impractical without catalog changes though,  
and even without that it'd be too big a change to back-patch.  
So for now do it like this.  
  
Per private report from Manuel Rigger.  This has been broken forever,  
so back-patch to all supported branches.  

M src/backend/catalog/heap.c
M src/backend/catalog/index.c
M src/backend/utils/cache/relcache.c
M src/include/catalog/index.h
M src/include/utils/relcache.h
M src/test/regress/expected/temp.out
M src/test/regress/sql/temp.sql

Fix off-by-one error in PGTYPEStimestamp_fmt_asc

commit   : c59414da7bd3be9f80e7585fc173d21942468d3b    
  
author   : Tomas Vondra <[email protected]>    
date     : Sat, 30 Nov 2019 14:51:27 +0100    
  
committer: Tomas Vondra <[email protected]>    
date     : Sat, 30 Nov 2019 14:51:27 +0100    

Click here for diff

When using %b or %B patterns to format a date, the code was simply using  
tm_mon as an index into array of month names. But that is wrong, because  
tm_mon is 1-based, while array indexes are 0-based. The result is we  
either use name of the next month, or a segfault (for December).  
  
Fix by subtracting 1 from tm_mon for both patterns, and add a regression  
test triggering the issue. Backpatch to all supported versions (the bug  
is there far longer, since at least 2003).  
  
Reported-by: Paul Spencer  
Backpatch-through: 9.4  
Discussion: https://postgr.es/m/16143-0d861eb8688d3fef%40postgresql.org  

M src/interfaces/ecpg/pgtypeslib/timestamp.c
M src/interfaces/ecpg/test/expected/pgtypeslib-dt_test.c
M src/interfaces/ecpg/test/expected/pgtypeslib-dt_test.stderr
M src/interfaces/ecpg/test/expected/pgtypeslib-dt_test.stdout
M src/interfaces/ecpg/test/pgtypeslib/dt_test.pgc

Fix typo in comment.

commit   : 474cd0931b758f4ee353fbc8cfc38a762b997be1    
  
author   : Etsuro Fujita <[email protected]>    
date     : Wed, 27 Nov 2019 16:00:51 +0900    
  
committer: Etsuro Fujita <[email protected]>    
date     : Wed, 27 Nov 2019 16:00:51 +0900    

Click here for diff

M src/backend/optimizer/util/relnode.c

Don't shut down Gather[Merge] early under Limit.

commit   : 1ad0df67c7904ff64166d7a453c53943f069ee52    
  
author   : Amit Kapila <[email protected]>    
date     : Tue, 26 Nov 2019 09:41:41 +0530    
  
committer: Amit Kapila <[email protected]>    
date     : Tue, 26 Nov 2019 09:41:41 +0530    

Click here for diff

Revert part of commit 19df1702f5.  
  
Early shutdown was added by that commit so that we could collect  
statistics from workers, but unfortunately, it interacted badly with  
rescans.  The problem is that we ended up destroying the parallel context  
which is required for rescans.  This leads to rescans of a Limit node over  
a Gather node to produce unpredictable results as it tries to access  
destroyed parallel context.  By reverting the early shutdown code, we  
might lose statistics in some cases of Limit over Gather [Merge], but that  
will require further study to fix.  
  
Reported-by: Jerry Sievers  
Diagnosed-by: Thomas Munro  
Author: Amit Kapila  
Backpatch-through: 9.6  
Discussion: https://postgr.es/m/[email protected]  

M src/backend/executor/nodeLimit.c

Avoid assertion failure with LISTEN in a serializable transaction.

commit   : cdba85eb01ed378d8c2d713f3df62a96c3daabd4    
  
author   : Tom Lane <[email protected]>    
date     : Sun, 24 Nov 2019 15:57:31 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Sun, 24 Nov 2019 15:57:31 -0500    

Click here for diff

If LISTEN is the only action in a serializable-mode transaction,  
and the session was not previously listening, and the notify queue  
is not empty, predicate.c reported an assertion failure.  That  
happened because we'd acquire the transaction's initial snapshot  
during PreCommit_Notify, which was called *after* predicate.c  
expects any such snapshot to have been established.  
  
To fix, just swap the order of the PreCommit_Notify and  
PreCommit_CheckForSerializationFailure calls during CommitTransaction.  
This will imply holding the notify-insertion lock slightly longer,  
but the difference could only be meaningful in serializable mode,  
which is an expensive option anyway.  
  
It appears that this is just an assertion failure, with no  
consequences in non-assert builds.  A snapshot used only to scan  
the notify queue could not have been involved in any serialization  
conflicts, so there would be nothing for  
PreCommit_CheckForSerializationFailure to do except assign it a  
prepareSeqNo and set the SXACT_FLAG_PREPARED flag.  And given no  
conflicts, neither of those omissions affect the behavior of  
ReleasePredicateLocks.  This admittedly once-over-lightly analysis  
is backed up by the lack of field reports of trouble.  
  
Per report from Mark Dilger.  The bug is old, so back-patch to all  
supported branches; but the new test case only goes back to 9.6,  
for lack of adequate isolationtester infrastructure before that.  
  
Discussion: https://postgr.es/m/[email protected]  
Discussion: https://postgr.es/m/[email protected]  

M src/backend/access/transam/xact.c
M src/test/isolation/expected/async-notify.out
M src/test/isolation/specs/async-notify.spec

Stabilize NOTIFY behavior by transmitting notifies before ReadyForQuery.

commit   : 111298aa65339a91c513c42ac2ea3eb6d343d0ea    
  
author   : Tom Lane <[email protected]>    
date     : Sun, 24 Nov 2019 14:42:59 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Sun, 24 Nov 2019 14:42:59 -0500    

Click here for diff

This patch ensures that, if any notify messages were received during  
a just-finished transaction, they get sent to the frontend just before  
not just after the ReadyForQuery message.  With libpq and other client  
libraries that act similarly, this guarantees that the client will see  
the notify messages as available as soon as it thinks the transaction  
is done.  
  
This probably makes no difference in practice, since in realistic  
use-cases the application would have to cope with asynchronous  
arrival of notify events anyhow.  However, it makes it a lot easier  
to build cross-session-notify test cases with stable behavior.  
I'm a bit surprised now that we've not seen any buildfarm instability  
with the test cases added by commit b10f40bf0.  Tests that I intend  
to add in an upcoming bug fix are definitely unstable without this.  
  
Back-patch to 9.6, which is as far back as we can do NOTIFY testing  
with the isolationtester infrastructure.  
  
Discussion: https://postgr.es/m/[email protected]  

M src/backend/commands/async.c
M src/backend/tcop/postgres.c

Improve test coverage for LISTEN/NOTIFY.

commit   : 8173fa5abb16947c6e96d774e34e50f141cbe255    
  
author   : Tom Lane <[email protected]>    
date     : Sat, 23 Nov 2019 17:30:01 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Sat, 23 Nov 2019 17:30:01 -0500    

Click here for diff

Back-patch commit b10f40bf0 into older branches.  This adds reporting  
of NOTIFY messages to isolationtester.c, and extends the async-notify  
test to include direct tests of basic NOTIFY functionality.  
  
This provides useful infrastructure for testing a bug fix I'm about  
to back-patch, and there seems no good reason not to have better tests  
of LISTEN/NOTIFY in the back branches.  The commit's survived long  
enough in HEAD to make it unlikely that it will cause problems.  
  
Back-patch as far as 9.6.  isolationtester.c changed too much in 9.6  
to make it sane to try to fix older branches this way, and I don't  
really want to back-patch those changes too.  
  
Discussion: https://postgr.es/m/[email protected]  

M src/test/isolation/expected/async-notify.out
M src/test/isolation/isolationtester.c
M src/test/isolation/specs/async-notify.spec

Defend against self-referential views in relation_is_updatable().

commit   : 52434ba73e3cab79f21b5deb921f51ea84a32e53    
  
author   : Tom Lane <[email protected]>    
date     : Thu, 21 Nov 2019 16:21:44 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Thu, 21 Nov 2019 16:21:44 -0500    

Click here for diff

While a self-referential view doesn't actually work, it's possible  
to create one, and it turns out that this breaks some of the  
information_schema views.  Those views call relation_is_updatable(),  
which neglected to consider the hazards of being recursive.  In  
older PG versions you get a "stack depth limit exceeded" error,  
but since v10 it'd recurse to the point of stack overrun and crash,  
because commit a4c35ea1c took out the expression_returns_set() call  
that was incidentally checking the stack depth.  
  
Since this function is only used by information_schema views, it  
seems like it'd be better to return "not updatable" than suffer  
an error.  Hence, add tracking of what views we're examining,  
in just the same way that the nearby fireRIRrules() code detects  
self-referential views.  I added a check_stack_depth() call too,  
just to be defensive.  
  
Per private report from Manuel Rigger.  Back-patch to all  
supported versions.  

M src/backend/rewrite/rewriteHandler.c
M src/backend/utils/adt/misc.c
M src/include/rewrite/rewriteHandler.h

Revise GIN README

commit   : 84dcf5235984f45458d13a9e0e486caf97f152ea    
  
author   : Alexander Korotkov <[email protected]>    
date     : Tue, 19 Nov 2019 23:11:24 +0300    
  
committer: Alexander Korotkov <[email protected]>    
date     : Tue, 19 Nov 2019 23:11:24 +0300    

Click here for diff

We find GIN concurrency bugs from time to time.  One of the problems here is  
that concurrency of GIN isn't well-documented in README.  So, it might be even  
hard to distinguish design bugs from implementation bugs.  
  
This commit revised concurrency section in GIN README providing more details.  
Some examples are illustrated in ASCII art.  
  
Also, this commit add the explanation of how is tuple layout in internal GIN  
B-tree page different in comparison with nbtree.  
  
Discussion: https://postgr.es/m/CAPpHfduXR_ywyaVN4%2BOYEGaw%3DcPLzWX6RxYLBncKw8de9vOkqw%40mail.gmail.com  
Author: Alexander Korotkov  
Reviewed-by: Peter Geoghegan  
Backpatch-through: 9.4  

M src/backend/access/gin/README

Fix traversing to the deleted GIN page via downlink

commit   : 99f5888d358a5db375ce0299b18fb47ccfa1646c    
  
author   : Alexander Korotkov <[email protected]>    
date     : Tue, 19 Nov 2019 23:08:14 +0300    
  
committer: Alexander Korotkov <[email protected]>    
date     : Tue, 19 Nov 2019 23:08:14 +0300    

Click here for diff

Current GIN code appears to don't handle traversing to the deleted page via  
downlink.  This commit fixes that by stepping right from the delete page like  
we do in nbtree.  
  
This commit also fixes setting 'deleted' flag to the GIN pages.  Now other page  
flags are not erased once page is deleted.  That helps to keep our assertions  
true if we arrive deleted page via downlink.  
  
Discussion: https://postgr.es/m/CAPpHfdvMvsw-NcE5bRS7R1BbvA4BxoDnVVjkXC5W0Czvy9LVrg%40mail.gmail.com  
Author: Alexander Korotkov  
Reviewed-by: Peter Geoghegan  
Backpatch-through: 9.4  

M src/backend/access/gin/ginbtree.c
M src/backend/access/gin/gindatapage.c
M src/backend/access/gin/ginvacuum.c
M src/backend/access/gin/ginxlog.c

Doc: clarify use of RECURSIVE in WITH.

commit   : 5bb9954c1cda315add1ceeeec601eadf6ee48c0c    
  
author   : Tom Lane <[email protected]>    
date     : Tue, 19 Nov 2019 14:43:37 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Tue, 19 Nov 2019 14:43:37 -0500    

Click here for diff

Apparently some people misinterpreted the syntax as being that  
RECURSIVE is a prefix of individual WITH queries.  It's a modifier  
for the WITH clause as a whole, so state that more clearly.  
  
Discussion: https://postgr.es/m/[email protected]  

M doc/src/sgml/ref/select.sgml

Doc: clarify behavior of ALTER DEFAULT PRIVILEGES ... IN SCHEMA.

commit   : 611a4aba15f0e9ef8ef710454bd0ecb4f671eb39    
  
author   : Tom Lane <[email protected]>    
date     : Tue, 19 Nov 2019 14:21:42 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Tue, 19 Nov 2019 14:21:42 -0500    

Click here for diff

The existing text stated that "Default privileges that are specified  
per-schema are added to whatever the global default privileges are for  
the particular object type".  However, that bare-bones observation is  
not quite clear enough, as demonstrated by the complaint in bug #16124.  
Flesh it out by stating explicitly that you can't revoke built-in  
default privileges this way, and by providing an example to drive  
the point home.  
  
Back-patch to all supported branches, since it's been like this  
from the beginning.  
  
Discussion: https://postgr.es/m/[email protected]  

M doc/src/sgml/ref/alter_default_privileges.sgml

Further fix dumping of views that contain just VALUES(...).

commit   : e4865bbdc72a702d09c349116ad64d0b3d8c9add    
  
author   : Tom Lane <[email protected]>    
date     : Sat, 16 Nov 2019 20:00:19 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Sat, 16 Nov 2019 20:00:19 -0500    

Click here for diff

It turns out that commit e9f1c01b7 missed a case: we must print a  
VALUES clause in long format if get_query_def is given a resultDesc  
that would require the query's output column name(s) to be different  
from what the bare VALUES clause would produce.  
  
This applies in case an ALTER ... RENAME COLUMN has been done to  
a view that formerly could be printed in simple format, as shown  
in the added regression test case.  It also explains bug #16119  
from Dmitry Telpt, because it turns out that (unlike CREATE VIEW)  
CREATE MATERIALIZED VIEW fails to apply any column aliases it's  
given to the stored ON SELECT rule.  So to get them to be printed,  
we have to account for the resultDesc renaming.  It might be worth  
changing the matview code so that it creates the ON SELECT rule  
with the correct aliases; but we'd still need these messy checks in  
get_simple_values_rte to handle the case of a subsequent column  
rename, so any such change would be just neatnik-ism not a bug fix.  
  
Like the previous patch, back-patch to all supported branches.  
  
Discussion: https://postgr.es/m/[email protected]  

M src/backend/utils/adt/ruleutils.c
M src/test/regress/expected/rules.out
M src/test/regress/sql/rules.sql

Handle arrays and ranges in pg_upgrade's test for non-upgradable types.

commit   : f378d4dac4ce80d6772ae4956cd71b10985c481c    
  
author   : Tom Lane <[email protected]>    
date     : Wed, 13 Nov 2019 11:35:37 -0500    
  
committer: Tom Lane <[email protected]>    
date     : Wed, 13 Nov 2019 11:35:37 -0500    

Click here for diff

pg_upgrade needs to check whether certain non-upgradable data types  
appear anywhere on-disk in the source cluster.  It knew that it has  
to check for these types being contained inside domains and composite  
types; but it somehow overlooked that they could be contained in  
arrays and ranges, too.  Extend the existing recursive-containment  
query to handle those cases.  
  
We probably should have noticed this oversight while working on  
commit 0ccfc2822 and follow-ups, but we failed to :-(.  The whole  
thing's possibly a bit overdesigned, since we don't really expect  
that any of these types will appear on disk; but if we're going to  
the effort of doing a recursive search then it's silly not to cover  
all the possibilities.  
  
While at it, refactor so that we have only one copy of the search  
logic, not three-and-counting.  Also, to keep the branches looking  
more alike, back-patch the output wording change of commit 1634d3615.  
  
Back-patch to all supported branches.  
  
Discussion: https://postgr.es/m/[email protected]  

M src/bin/pg_upgrade/version.c