| 038f7e4 | Tom Lane | 16 September 2007, 03:03:40 UTC | Update release notes for last-minute fix. | 16 September 2007, 03:03:40 UTC |
| 60e3aaf | Tom Lane | 16 September 2007, 02:38:14 UTC | Fix aboriginal mistake in lazy VACUUM's code for truncating away no-longer-needed pages at the end of a table. We thought we could throw away pages containing HEAPTUPLE_DEAD tuples; but this is not so, because such tuples very likely have index entries pointing at them, and we wouldn't have removed the index entries. The problem only emerges in a somewhat unlikely race condition: the dead tuples have to have been inserted by a transaction that later aborted, and this has to have happened between VACUUM's initial scan of the page and then rechecking it for empty in count_nondeletable_pages. But that timespan will include an index-cleaning pass, so it's not all that hard to hit. This seems to explain a couple of previously unsolved bug reports. | 16 September 2007, 02:38:14 UTC |
| b2f6211 | Marc G. Fournier | 14 September 2007, 21:34:29 UTC | tag configure for 8.0.14 | 14 September 2007, 21:34:29 UTC |
| d620f2d | Tom Lane | 14 September 2007, 16:04:35 UTC | Fix markup that doesn't work in back branches. | 14 September 2007, 16:04:35 UTC |
| 42765a2 | Tom Lane | 14 September 2007, 15:51:31 UTC | Minor editorialization on release notes. | 14 September 2007, 15:51:31 UTC |
| 7feaeb8 | Peter Eisentraut | 13 September 2007, 21:04:12 UTC | Translation updates | 13 September 2007, 21:04:12 UTC |
| bf476b9 | Alvaro Herrera | 12 September 2007, 15:16:23 UTC | Fix the database-wide version of CLUSTER to silently skip temp tables of remote sessions, instead of erroring out in the middle of the operation. This is a backpatch of a previous fix applied to CLUSTER to HEAD and 8.2, all the way back that it is relevant to. | 12 September 2007, 15:16:23 UTC |
| d48f8ab | Alvaro Herrera | 12 September 2007, 02:05:53 UTC | Add a CHECK_FOR_INTERRUPTS call in the site where the vacuum delay point was removed. | 12 September 2007, 02:05:53 UTC |
| 6f3727c | Tom Lane | 11 September 2007, 17:44:01 UTC | Sync timezone data with 2007g zic release. | 11 September 2007, 17:44:01 UTC |
| 37ac2f6 | Bruce Momjian | 11 September 2007, 17:36:57 UTC | Stamp releases 8.2.5, 8.1.10, 8.0.14, 7.4.18, 7.3.20. Update FAQs for 8.2.5. | 11 September 2007, 17:36:57 UTC |
| 30099c2 | Bruce Momjian | 11 September 2007, 17:19:25 UTC | Stamp | 11 September 2007, 17:19:25 UTC |
| 371b213 | Tom Lane | 11 September 2007, 17:15:55 UTC | Make sure that open hash table scans are cleaned up when bgwriter tries to recover from elog(ERROR). Problem was created by introduction of hash seq search tracking awhile back, and affects all branches that have bgwriter; in HEAD the disease has snuck into autovacuum and walwriter too. (Not sure that the latter two use hash_seq_search at the moment, but surely they might someday.) Per report from Sergey Koposov. | 11 September 2007, 17:15:55 UTC |
| 13ad48e | Teodor Sigaev | 11 September 2007, 13:15:41 UTC | Fix header's size of structs defines in ispell. | 11 September 2007, 13:15:41 UTC |
| a441035 | Alvaro Herrera | 10 September 2007, 17:59:03 UTC | Remove the vacuum_delay_point call in count_nondeletable_pages, because we hold an exclusive lock on the table at this point, which we want to release as soon as possible. This is called in the phase of lazy vacuum where we truncate the empty pages at the end of the table. An alternative solution would be to lower the vacuum delay settings before starting the truncating phase, but this doesn't work very well in autovacuum due to the autobalancing code (which can cause other processes to change our cost delay settings). This case could be considered in the balancing code, but it is simpler this way. | 10 September 2007, 17:59:03 UTC |
| 43e3989 | Tom Lane | 29 August 2007, 16:31:57 UTC | Fix aboriginal bug in _tarAddFile(): when complaining that the amount of data read from the temp file didn't match the file length reported by ftello(), the wrong variable's value was printed, and so the message made no sense. Clean up a couple other coding infelicities while at it. | 29 August 2007, 16:31:57 UTC |
| 1798444 | Michael Meskes | 29 August 2007, 13:59:04 UTC | Fixed bug in Informix define handling. | 29 August 2007, 13:59:04 UTC |
| 28b1770 | Tom Lane | 25 August 2007, 19:08:37 UTC | Fix brain fade in DefineIndex(): it was continuing to access the table's relcache entry after having heap_close'd it. This could lead to misbehavior if a relcache flush wiped out the cache entry meanwhile. In 8.2 there is a very real risk of CREATE INDEX CONCURRENTLY using the wrong relid for locking and waiting purposes. I think the bug is only cosmetic in 8.0 and 8.1, because their transgression is limited to using RelationGetRelationName(rel) in an ereport message immediately after heap_close, and there's no way (except with special debugging options) for a cache flush to occur in that interval. Not quite sure that it's cosmetic in 7.4, but seems best to patch anyway. Found by trying to run the regression tests with CLOBBER_CACHE_ALWAYS enabled. Maybe we should try to do that on a regular basis --- it's awfully slow, but perhaps some fast buildfarm machine could do it once in awhile. | 25 August 2007, 19:08:37 UTC |
| fa87632 | Tom Lane | 23 August 2007, 16:16:11 UTC | Fix combo_decrypt() to throw an error for zero-length input when using a padded encryption scheme. Formerly it would try to access res[(unsigned) -1], which resulted in core dumps on 64-bit machines, and was certainly trouble waiting to happen on 32-bit machines (though in at least the known case it was harmless because that byte would be overwritten after return). Per report from Ken Colson; fix by Marko Kreen. | 23 August 2007, 16:16:11 UTC |
| c2e2ad7 | Tom Lane | 21 August 2007, 02:40:26 UTC | Fix potential access-off-the-end-of-memory in varbit_out(): it fetched the byte after the last full byte of the bit array, regardless of whether that byte was part of the valid data or not. Found by buildfarm testing. Thanks to Stefan Kaltenbrunner for nailing down the cause. | 21 August 2007, 02:40:26 UTC |
| 5a3ec02 | Tom Lane | 15 August 2007, 19:16:12 UTC | Repair problems occurring when multiple RI updates have to be done to the same row within one query: we were firing check triggers before all the updates were done, leading to bogus failures. Fix by making the triggers queued by an RI update go at the end of the outer query's trigger event list, thereby effectively making the processing "breadth-first". This was indeed how it worked pre-8.0, so the bug does not occur in the 7.x branches. Per report from Pavel Stehule. | 15 August 2007, 19:16:12 UTC |
| c5e8671 | Neil Conway | 08 August 2007, 18:06:58 UTC | Fix a gradual memory leak in ExecReScanAgg(). Because the aggregation hash table is allocated in a child context of the agg node's memory context, MemoryContextReset() will reset but *not* delete the child context. Since ExecReScanAgg() proceeds to build a new hash table from scratch (in a new sub-context), this results in leaking the header for the previous memory context. Therefore, use MemoryContextResetAndDeleteChildren() instead. Credit: My colleague Sailesh Krishnamurthy at Truviso for isolating the cause of the leak. | 08 August 2007, 18:06:58 UTC |
| fbf9179 | Tom Lane | 06 August 2007, 01:38:40 UTC | Fix pg_restore to guard against unexpected EOF while reading an archive file. Per report and partial patch from Chad Wagner. | 06 August 2007, 01:38:40 UTC |
| 2e24f4a | Tom Lane | 04 August 2007, 01:42:44 UTC | Suppress time zone name (%Z) when logging timestamps in xlog.c startup on Windows. This is yet another manifestation of the problem that Windows returns time zone names that may be in a different encoding than we are using. I've put a better solution in HEAD, but the back branches need a simple patch. Per report from Hiroshi Saito. | 04 August 2007, 01:42:44 UTC |
| db97262 | Andrew Dunstan | 02 August 2007, 23:20:22 UTC | Make sure syslogPipe runs in binary mode on Windows to avoid corrupting the pipe chunking protocol. Backport to 8.0 | 02 August 2007, 23:20:22 UTC |
| 314a201 | Neil Conway | 02 August 2007, 17:48:59 UTC | Fix a memory leak in tuplestore_end(). Unlikely to be significant during normal operation, but tuplestore_end() ought to do what it claims to do. | 02 August 2007, 17:48:59 UTC |
| e938544 | Tom Lane | 31 July 2007, 19:54:11 UTC | Fix a bug in the original implementation of redundant-join-clause removal: clauses in which one side or the other references both sides of the join cannot be removed as redundant, because that expression won't have been constrained below the join. Per report from Sergey Burladyan. | 31 July 2007, 19:54:11 UTC |
| 59bb028 | Tom Lane | 31 July 2007, 15:50:07 UTC | Fix security definer functions with polymorphic arguments. This case has never worked because fmgr_security_definer() neglected to pass the fn_expr information through. Per report from Viatcheslav Kalinin. | 31 July 2007, 15:50:07 UTC |
| 5fd6d0f | Magnus Hagander | 23 July 2007, 18:12:56 UTC | The correct min buffer size is INITIAL_EXPBUFFER_SIZE, not PQERRORMSG_LENGTH. Backpatch only, the proper fix in HEAD is to use PQExpBuffers everywhere. | 23 July 2007, 18:12:56 UTC |
| 680a261 | Tom Lane | 21 July 2007, 22:12:24 UTC | Fix elog.c to avoid infinite recursion (leading to backend crash) when log_min_error_statement is active and there is some problem in logging the current query string; for example, that it's too long to include in the log message without running out of memory. This problem has existed since the log_min_error_statement feature was introduced. No doubt the reason it wasn't detected long ago is that 8.2 is the first release that defaults log_min_error_statement to less than PANIC level. Per report from Bill Moran. | 21 July 2007, 22:12:24 UTC |
| c216584 | Tom Lane | 20 July 2007, 16:30:12 UTC | Fix WAL replay of truncate operations to cope with the possibility that the truncated relation was deleted later in the WAL sequence. Since replay normally auto-creates a relation upon its first reference by a WAL log entry, failure is seen only if the truncate entry happens to be the first reference after the checkpoint we're restarting from; which is a pretty unusual case but of course not impossible. Fix by making truncate entries auto-create like the other ones do. Per report and test case from Dharmendra Goyal. | 20 July 2007, 16:30:12 UTC |
| a741047 | Tom Lane | 19 July 2007, 20:34:41 UTC | Make replace(), split_part(), and string_to_array() behave somewhat sanely when handed an invalidly-encoded pattern. The previous coding could get into an infinite loop if pg_mb2wchar_with_len() returned a zero-length string after we'd tested for nonempty pattern; which is exactly what it will do if the string consists only of an incomplete multibyte character. This led to either an out-of-memory error or a backend crash depending on platform. Per report from Wiktor Wodecki. | 19 July 2007, 20:34:41 UTC |
| 19c9660 | Andrew Dunstan | 19 July 2007, 19:15:25 UTC | Only use the pipe chunking protocol if we know the syslogger should be catching stderr output, and we are not ourselves the syslogger. Otherwise, go directly to stderr. Bug noticed by Tom Lane. Backpatch as far as 8.0. | 19 July 2007, 19:15:25 UTC |
| a41c4b2 | Tom Lane | 17 July 2007, 17:45:57 UTC | Fix incorrect optimization of foreign-key checks. When an UPDATE on the referencing table does not change the tuple's FK column(s), we don't bother to check the PK table since the constraint was presumably already valid. However, the check is still necessary if the tuple was inserted by our own transaction, since in that case the INSERT trigger will conclude it need not make the check (since its version of the tuple has been deleted). We got this right for simple cases, but not when the insert and update are in different subtransactions of the current top-level transaction; in such cases the FK check would never be made at all. (Hence, problem dates back to 8.0 when subtransactions were added --- it's actually the subtransaction version of a bug fixed in 7.3.5.) Fix, and add regression test cases. Report and fix by Affan Salman. | 17 July 2007, 17:45:57 UTC |
| ba56b48 | Tom Lane | 17 July 2007, 01:22:11 UTC | Fix outfuncs.c to dump A_Const nodes representing NULLs correctly. This has been broken since forever, but was not noticed because people seldom look at raw parse trees. AFAIK, no impact on users except that debug_print_parse might fail; but patch it all the way back anyway. Per report from Jeff Ross. | 17 July 2007, 01:22:11 UTC |
| 9b5efb8 | Joe Conway | 09 July 2007, 01:32:58 UTC | Restrict non-superusers to password authenticated connections to prevent possible escalation of privilege. Provide new SECURITY DEFINER functions with old behavior, but initially REVOKE ALL from public for these functions. Per list discussion and design proposed by Tom Lane. | 09 July 2007, 01:32:58 UTC |
| 54faed3 | Tom Lane | 02 July 2007, 20:12:11 UTC | Fix failure to restart Postgres when Linux kernel returns EIDRM for shmctl(). This is a Linux kernel bug that apparently exists in every extant kernel version: sometimes shmctl() will fail with EIDRM when EINVAL is correct. We were assuming that EIDRM indicates a possible conflict with pre-existing backends, and refusing to start the postmaster when this happens. Fortunately, there does not seem to be any case where Linux can legitimately return EIDRM (it doesn't track shmem segments in a way that would allow that), so we can get away with just assuming that EIDRM means EINVAL on this platform. Per reports from Michael Fuhr and Jon Lapham --- it's a bit surprising we have not seen more reports, actually. | 02 July 2007, 20:12:11 UTC |
| 2f5c37e | Tom Lane | 29 June 2007, 01:52:04 UTC | Fix a passel of ancient bugs in to_char(), including two distinct buffer overruns (neither of which seem likely to be exploitable as security holes, fortunately, since the provoker can't control the data written). One of these is due to choosing to stomp on the output of a called function, which is bad news in any case; make it treat the called functions' results as read-only. Avoid some unnecessary palloc/pfree traffic too; it's not really helpful to free small temporary objects, and again this is presuming more than it ought to about the nature of the results of called functions. Per report from Patrick Welche and additional code-reading by Imad. | 29 June 2007, 01:52:04 UTC |
| 71db4c7 | Tom Lane | 28 June 2007, 17:50:24 UTC | Fix incorrect tests for undef Perl values in some places in plperl.c. The correct test for defined-ness is SvOK(sv), not anything involving SvTYPE. Per bug #3415 from Matt Taylor. Back-patch as far as 8.0; no apparent problem in 7.x. | 28 June 2007, 17:50:24 UTC |
| b0bbcbe | Tom Lane | 20 June 2007, 18:21:25 UTC | transformColumnDefinition failed to complain about create table foo (bar int default null default 3); due to not thinking about the special-case handling of DEFAULT NULL. Problem noticed while investigating bug #3396. | 20 June 2007, 18:21:25 UTC |
| db6159b | Tom Lane | 20 June 2007, 18:16:10 UTC | CREATE DOMAIN ... DEFAULT NULL failed because gram.y special-cases DEFAULT NULL and DefineDomain didn't. Bug goes all the way back to original coding of domains. Per bug #3396 from Sergey Burladyan. | 20 June 2007, 18:16:10 UTC |
| ffa8396 | Andrew Dunstan | 14 June 2007, 01:50:35 UTC | Implement a chunking protocol for writes to the syslogger pipe, with messages reassembled in the syslogger before writing to the log file. This prevents partial messages from being written, which mucks up log rotation, and messages from different backends being interleaved, which causes garbled logs. Backport as far as 8.0, where the syslogger was introduced. Tom Lane and Andrew Dunstan | 14 June 2007, 01:50:35 UTC |
| 6222d86 | Tom Lane | 09 June 2007, 15:52:54 UTC | Allow numeric_fac() to be interrupted, since it can take quite a while for large inputs. Also cause it to error out immediately if the result will overflow, instead of grinding through a lot of calculation first. Per gripe from Jim Nasby. | 09 June 2007, 15:52:54 UTC |
| 94dc2d8 | Tom Lane | 07 June 2007, 14:50:18 UTC | Fix array_dims() example to be consistent with the data previously shown. Christian Rossow | 07 June 2007, 14:50:18 UTC |
| 083094f | Magnus Hagander | 04 June 2007, 11:59:27 UTC | On win32, don't use SO_REUSEADDR for TCP sockets. Per failure on buildfarm member baiji and subsequent discussion. | 04 June 2007, 11:59:27 UTC |
| 5f32030 | Tom Lane | 02 June 2007, 16:41:31 UTC | Fix erroneous error reporting for overlength input in text_date(), text_time(), and text_timetz(). 7.4-vintage bug found by Greg Stark. | 02 June 2007, 16:41:31 UTC |
| bc7ccdf | Tom Lane | 01 June 2007, 23:43:28 UTC | Fix aboriginal bug in BufFileDumpBuffer that would cause it to write the wrong data when dumping a bufferload that crosses a component-file boundary. This probably has not been seen in the wild because (a) component files are normally 1GB apiece and (b) non-block-aligned buffer usage is relatively rare. But it's fairly easy to reproduce a problem if one reduces RELSEG_SIZE in a test build. Kudos to Kurt Harriman for spotting the bug. | 01 June 2007, 23:43:28 UTC |
| 962cd23 | Tom Lane | 30 May 2007, 21:02:02 UTC | Fix overly-strict sanity check in BeginInternalSubTransaction that made it fail when used in a deferred trigger. Bug goes back to 8.0; no doubt the reason it hadn't been noticed is that we've been discouraging use of user-defined constraint triggers. Per report from Frank van Vugt. | 30 May 2007, 21:02:02 UTC |
| e793358 | Peter Eisentraut | 21 May 2007, 15:06:44 UTC | Fix spurious German index entry | 21 May 2007, 15:06:44 UTC |
| 52b18de | Tom Lane | 18 May 2007, 01:20:40 UTC | Remove redundant logging of send failures when SSL is in use. While pqcomm.c had been taught not to do that ages ago, the SSL code was helpfully bleating anyway. Resolves some recent reports such as bug #3266; however the underlying cause of the related bug #2829 is still unclear. | 18 May 2007, 01:20:40 UTC |
| 8e0bcdc | Magnus Hagander | 13 May 2007, 16:04:28 UTC | Document that CLUSTER breaks MVCC visibility rules. (Not needed in cvs head, because CLUSTER itself is fixed there) Heikki Linnakangas | 13 May 2007, 16:04:28 UTC |
| 3afb834 | Tom Lane | 01 May 2007, 18:54:17 UTC | Fix a thinko in my patch of a couple months ago for bug #3116: it did the wrong thing when inlining polymorphic SQL functions, because it was using the function's declared return type where it should have used the actual result type of the current call. In 8.1 and 8.2 this causes obvious failures even if you don't have assertions turned on; in 8.0 and 7.4 it would only be a problem if the inlined expression were used as an input to a function that did run-time type determination on its inputs. Add a regression test, since this is evidently an under-tested area. | 01 May 2007, 18:54:17 UTC |
| 2e8a8ea | Tom Lane | 26 April 2007, 23:25:30 UTC | Fix dynahash.c to suppress hash bucket splits while a hash_seq_search() scan is in progress on the same hashtable. This seems the least invasive way to fix the recently-recognized problem that a split could cause the scan to visit entries twice or (with much lower probability) miss them entirely. The only field-reported problem caused by this is the "failed to re-find shared lock object" PANIC in COMMIT PREPARED reported by Michel Dorochevsky, which was caused by multiply visited entries. However, it seems certain that mdsync() is vulnerable to missing required fsync's due to missed entries, and I am fearful that RelationCacheInitializePhase2() might be at risk as well. Because of that and the generalized hazard presented by this bug, back-patch all the supported branches. Along the way, fix pg_prepared_statement() and pg_cursor() to not assume that the hashtables they are examining will stay static between calls. This is risky regardless of the newly noted dynahash problem, because hash_seq_search() has never promised to cope with deletion of table entries other than the just-returned one. There may be no bug here because the only supported way to call these functions is via ExecMakeTableFunctionResult() which will cycle them to completion before doing anything very interesting, but it seems best to get rid of the assumption. This affects 8.2 and HEAD only, since those functions weren't there earlier. | 26 April 2007, 23:25:30 UTC |
| d221ef7 | Neil Conway | 23 April 2007, 16:53:09 UTC | Fix newly-introduced documentation typo. | 23 April 2007, 16:53:09 UTC |
| 13e2223 | PostgreSQL Daemon | 20 April 2007, 03:44:17 UTC | Update configure for release Security: hold for release | 20 April 2007, 03:44:17 UTC |
| cfe1b04 | Tom Lane | 20 April 2007, 03:27:54 UTC | Fix markup. Security: CVE-2007-2138 | 20 April 2007, 03:27:54 UTC |
| 566331a | Tom Lane | 20 April 2007, 02:38:33 UTC | Support explicit placement of the temporary-table schema within search_path. This is needed to allow a security-definer function to set a truly secure value of search_path. Without it, a malicious user can use temporary objects to execute code with the privileges of the security-definer function. Even pushing the temp schema to the back of the search path is not quite good enough, because a function or operator at the back of the path might still capture control from one nearer the front due to having a more exact datatype match. Hence, disable searching the temp schema altogether for functions and operators. Security: CVE-2007-2138 | 20 April 2007, 02:38:33 UTC |
| c6f3c24 | Tom Lane | 19 April 2007, 22:44:51 UTC | Sync timezone data with 2007e zic release. | 19 April 2007, 22:44:51 UTC |
| 0f93ebd | Tom Lane | 19 April 2007, 20:24:28 UTC | Repair PANIC condition in hash indexes when a previous index extension attempt failed (due to lock conflicts or out-of-space). We might have already extended the index's filesystem EOF before failing, causing the EOF to be beyond what the metapage says is the last used page. Hence the invariant maintained by the code needs to be "EOF is at or beyond last used page", not "EOF is exactly the last used page". Problem was created by my patch of 2006-11-19 that attempted to repair bug #2737. Since that was back-patched to 7.4, this needs to be as well. Per report and test case from Vlastimil Krejcir. | 19 April 2007, 20:24:28 UTC |
| 77be1e8 | Bruce Momjian | 19 April 2007, 13:02:15 UTC | Release wording updates for releases 8.2.4, 8.1.9, 8.0.13, 7.4.17, 7.3.19. | 19 April 2007, 13:02:15 UTC |
| 447b2b9 | Bruce Momjian | 19 April 2007, 04:04:41 UTC | Update FAQ to mention most recent release for releases 8.2.4, 8.1.9, 8.0.13, 7.4.17, 7.3.19. | 19 April 2007, 04:04:41 UTC |
| 416dcc4 | Bruce Momjian | 19 April 2007, 03:06:46 UTC | Stamp releases 8.2.4, 8.1.9, 8.0.13, 7.4.17, 7.3.19. | 19 April 2007, 03:06:46 UTC |
| a7ce947 | Bruce Momjian | 19 April 2007, 02:47:01 UTC | Release note updates for 8.2.4, 8.1.9, 8.0.13, 7.4.17, 7.3.19. | 19 April 2007, 02:47:01 UTC |
| fdfc58e | Peter Eisentraut | 18 April 2007, 20:57:58 UTC | Translation updates | 18 April 2007, 20:57:58 UTC |
| 0fd9735 | Magnus Hagander | 16 April 2007, 20:15:53 UTC | Don't write timing output in quiet mode. Merlin Moncure | 16 April 2007, 20:15:53 UTC |
| 47d61a5 | Tom Lane | 02 April 2007, 18:49:49 UTC | Fix check_sql_fn_retval to allow the case where a SQL function declared to return void ends with a SELECT, if that SELECT has a single result that is also of type void. Without this, it's hard to write a void function that calls another void function. Per gripe from Peter. Back-patch as far as 8.0. | 02 April 2007, 18:49:49 UTC |
| 51fb910 | Teodor Sigaev | 02 April 2007, 11:43:11 UTC | Fix caching of unsuccessful initialization of parser or configuration. Per report from Listmail <lists@peufeu.com> | 02 April 2007, 11:43:11 UTC |
| 6a3bacf | Tatsuo Ishii | 26 March 2007, 11:46:25 UTC | Fix pg_wchar_table's maxmblen field of EUC_CN, EUC_TW, MULE_INTERNAL and GB18030. patches from ITAGAKI Takahiro. | 26 March 2007, 11:46:25 UTC |
| adf06f6 | Tom Lane | 17 March 2007, 03:16:03 UTC | SPI_cursor_open failed to enforce that only read-only queries could be executed in read_only mode. This could lead to various relatively-subtle failures, such as an allegedly stable function returning non-stable results. Bug goes all the way back to the introduction of read-only mode in 8.0. Per report from Gaetano Mendola. | 17 March 2007, 03:16:03 UTC |
| 328df52 | Tom Lane | 14 March 2007, 18:49:18 UTC | Fix a longstanding bug in VACUUM FULL's handling of update chains. The code did not expect that a DEAD tuple could follow a RECENTLY_DEAD tuple in an update chain, but because the OldestXmin rule for determining deadness is a simplification of reality, it is possible for this situation to occur (implying that the RECENTLY_DEAD tuple is in fact dead to all observers, but this patch does not attempt to exploit that). The code would follow a chain forward all the way, but then stop before a DEAD tuple when backing up, meaning that not all of the chain got moved. This could lead to copying the chain multiple times (resulting in duplicate copies of the live tuple at its end), or leaving dangling index entries behind (which, aside from generating warnings from later vacuums, creates a risk of wrong query results or bogus duplicate-key errors once the heap slot the index entry points to is repopulated). The fix is to recheck HeapTupleSatisfiesVacuum while following a chain forward, and to stop if a DEAD tuple is reached. Each contiguous group of RECENTLY_DEAD tuples will therefore be copied as a separate chain. The patch also adds a couple of extra sanity checks to verify correct behavior. Per report and test case from Pavan Deolasee. | 14 March 2007, 18:49:18 UTC |
| 967d6ad | Tom Lane | 14 March 2007, 17:38:29 UTC | Arrange to install a "posixrules" entry in our timezone database, so that POSIX-style timezone specs that don't exactly match any database entry will be treated as having correct USA DST rules. Also, document that this can be changed if you want to use some other DST rules with a POSIX zone spec. We could consider changing localtime.c's TZDEFRULESTRING, but since that facility can only deal with one DST transition rule, it seems fairly useless now; might as well just plan to override it using a "posixrules" entry. Backpatch as far as 8.0. There isn't much we can do in 7.x ... either your libc gets it right, or it doesn't. | 14 March 2007, 17:38:29 UTC |
| 14686de | Tom Lane | 06 March 2007, 22:45:35 UTC | Fix oversight in original coding of inline_function(): since check_sql_fn_retval allows binary-compatibility cases, the expression extracted from an inline-able SQL function might have a type that is only binary-compatible with the declared function result type. To avoid possibly changing the semantics of the expression, we should insert a RelabelType node in such cases. This has only been shown to have bad consequences in recent 8.1 and up releases, but I suspect there may be failure cases in the older branches too, so patch it all the way back. Per bug #3116 from Greg Mullane. Along the way, fix an omission in eval_const_expressions_mutator: it failed to copy the relabelformat field when processing a RelabelType. No known observable failures from this, but it definitely isn't intended behavior. | 06 March 2007, 22:45:35 UTC |
| 45c8465 | Tom Lane | 01 March 2007, 18:50:49 UTC | Fix markQueryForLocking() to work correctly in the presence of nested views. It has been wrong for this case since it was first written for 7.1 :-( Per report from Pavel Hanák. | 01 March 2007, 18:50:49 UTC |
| 278ed7c | Michael Meskes | 27 February 2007, 13:26:59 UTC | Backported bug fix for #2956. | 27 February 2007, 13:26:59 UTC |
| 34f92d2 | Tom Lane | 18 February 2007, 19:49:42 UTC | Fix portal management code to support non-default command completion tags for portals using PORTAL_UTIL_SELECT strategy. This is currently significant only for FETCH queries, which are supposed to include a count in the tag. Seems it's been broken since 7.4, but nobody noticed before Knut Lehre. | 18 February 2007, 19:49:42 UTC |
| 0652254 | Teodor Sigaev | 12 February 2007, 14:18:43 UTC | Fix backend crash in parsing incorrect tsquery. Per report from Jon Rosebaugh <jon@inklesspen.com> | 12 February 2007, 14:18:43 UTC |
| 36149aa | Tom Lane | 08 February 2007, 18:38:08 UTC | Fix an ancient logic error in plpgsql's exec_stmt_block: it thought it could get away with not (re)initializing a local variable if the variable is marked "isconst" and not "isnull". Unfortunately it makes this decision after having already freed the old value, meaning that something like for i in 1..10 loop declare c constant text := 'hi there'; leads to subsequent accesses to freed memory, and hence probably crashes. (In particular, this is why Asif Ali Rehman's bug leads to crash and not just an unexpectedly-NULL value for SQLERRM: SQLERRM is marked CONSTANT and so triggers this error.) The whole thing seems wrong on its face anyway: CONSTANT means that you can't change the variable inside the block, not that the initializer expression is guaranteed not to change value across successive block entries. Hence, remove the "optimization" instead of trying to fix it. | 08 February 2007, 18:38:08 UTC |
| 3e94cf5 | Tom Lane | 08 February 2007, 18:38:03 UTC | Rearrange use of plpgsql_add_initdatums() so that only the parsing of a DECLARE section needs to know about it. Formerly, everyplace besides DECLARE that created variables needed to do "plpgsql_add_initdatums(NULL)" to prevent those variables from being sucked up as part of a subsequent DECLARE block. This is obviously error-prone, and in fact the SQLSTATE/SQLERRM patch had failed to do it for those two variables, leading to the bug recently exhibited by Asif Ali Rehman: a DECLARE within an exception handler tried to reinitialize SQLERRM. Although the SQLSTATE/SQLERRM patch isn't in any pre-8.1 branches, and so I can't point to a demonstrable failure there, it seems wise to back-patch this into the older branches anyway, just to keep the logic similar to HEAD. | 08 February 2007, 18:38:03 UTC |
| dc80902 | Bruce Momjian | 07 February 2007, 04:22:08 UTC | Stamp releases notes for 8.2.3, 8.1.8, 8.0.12. | 07 February 2007, 04:22:08 UTC |
| 8cbd1c3 | Bruce Momjian | 07 February 2007, 03:48:21 UTC | Stamp releases 8.2.3, 8.1.8, 8.0.12. No release notes yet. | 07 February 2007, 03:48:21 UTC |
| bb65d51 | Tom Lane | 06 February 2007, 22:49:42 UTC | Fix an error in the original coding of holdable cursors: PersistHoldablePortal thought that it didn't have to reposition the underlying tuplestore if the portal is atEnd. But this is not so, because tuplestores have separate read and write cursors ... and the read cursor hasn't moved from the start. This mistake explains bug #2970 from William Zhang. Note: the coding here is pretty inefficient, but given that no one has noticed this bug until now, I'd say hardly anyone uses the case where the cursor has been advanced before being persisted. So maybe it's not worth worrying about. | 06 February 2007, 22:49:42 UTC |
| 122680c | Tom Lane | 06 February 2007, 17:35:41 UTC | Remove typmod checking from the recent security-related patches. It turns out that ExecEvalVar and friends don't necessarily have access to a tuple descriptor with correct typmod: it definitely can contain -1, and possibly might contain other values that are different from the Var's value. Arguably this should be cleaned up someday, but it's not a simple change, and in any case typmod discrepancies don't pose a security hazard. Per reports from numerous people :-( I'm not entirely sure whether the failure can occur in 8.0 --- the simple test cases reported so far don't trigger it there. But back-patch the change all the way anyway. | 06 February 2007, 17:35:41 UTC |
| 2d28b69 | Michael Meskes | 06 February 2007, 09:42:08 UTC | Backported va_list handling cleanup | 06 February 2007, 09:42:08 UTC |
| 2f92bea | Neil Conway | 02 February 2007, 16:10:18 UTC | Reword suggestion that libpq.dll be installed in WINNT\SYSTEM32 under Windows. Per Magnus Hagander, this is not recommended. | 02 February 2007, 16:10:18 UTC |
| d724689 | Tom Lane | 02 February 2007, 00:15:09 UTC | Stamp release 8.0.11. Security: CVE-2007-0555, CVE-2007-0556 | 02 February 2007, 00:15:09 UTC |
| 384f05d | Tom Lane | 02 February 2007, 00:10:51 UTC | Update release notes for security-related releases in all active branches. Security: CVE-2007-0555, CVE-2007-0556 | 02 February 2007, 00:10:51 UTC |
| 7fbfa4e | Tom Lane | 02 February 2007, 00:08:01 UTC | Repair failure to check that a table is still compatible with a previously made query plan. Use of ALTER COLUMN TYPE creates a hazard for cached query plans: they could contain Vars that claim a column has a different type than it now has. Fix this by checking during plan startup that Vars at relation scan level match the current relation tuple descriptor. Since at that point we already have at least AccessShareLock, we can be sure the column type will not change underneath us later in the query. However, since a backend's locks do not conflict against itself, there is still a hole for an attacker to exploit: he could try to execute ALTER COLUMN TYPE while a query is in progress in the current backend. Seal that hole by rejecting ALTER TABLE whenever the target relation is already open in the current backend. This is a significant security hole: not only can one trivially crash the backend, but with appropriate misuse of pass-by-reference datatypes it is possible to read out arbitrary locations in the server process's memory, which could allow retrieving database content the user should not be able to see. Our thanks to Jeff Trout for the initial report. Security: CVE-2007-0556 | 02 February 2007, 00:08:01 UTC |
| f674971 | Tom Lane | 02 February 2007, 00:03:44 UTC | Repair insufficiently careful type checking for SQL-language functions: we should check that the function code returns the claimed result datatype every time we parse the function for execution. Formerly, for simple scalar result types we assumed the creation-time check was sufficient, but this fails if the function selects from a table that's been redefined since then, and even more obviously fails if check_function_bodies had been OFF. This is a significant security hole: not only can one trivially crash the backend, but with appropriate misuse of pass-by-reference datatypes it is possible to read out arbitrary locations in the server process's memory, which could allow retrieving database content the user should not be able to see. Our thanks to Jeff Trout for the initial report. Security: CVE-2007-0555 | 02 February 2007, 00:03:44 UTC |
| a258f9c | Peter Eisentraut | 31 January 2007, 08:20:42 UTC | Translation updates | 31 January 2007, 08:20:42 UTC |
| 052e884 | Tom Lane | 30 January 2007, 18:02:40 UTC | Add SPI_push/SPI_pop calls so that datatype input and output functions called by plpgsql can themselves use SPI --- possibly indirectly, as in the case of domain_in() invoking plpgsql functions in a domain check constraint. Per bug #2945 from Sergiy Vyshnevetskiy. Somewhat arbitrarily, I've chosen to back-patch this as far as 8.0. Given the lack of prior complaints, it doesn't seem critical for 7.x. | 30 January 2007, 18:02:40 UTC |
| f109cb1 | Tom Lane | 27 January 2007, 20:53:46 UTC | Correct an old logic error in btree page splitting: when considering a split exactly at the point where we need to insert a new item, the calculation used the wrong size for the "high key" of the new left page. This could lead to choosing an unworkable split, resulting in "PANIC: failed to add item to the left sibling" (or "right sibling") failure. Although this bug has been there a long time, it's very difficult to trigger a failure before 8.2, since there was generally a lot of free space on both sides of a chosen split. In 8.2, where the user-selected fill factor determines how much free space the code tries to leave, an unworkable split is much more likely. Report by Joe Conway, diagnosis and fix by Heikki Linnakangas. | 27 January 2007, 20:53:46 UTC |
| 6b8a7cf | Tom Lane | 24 January 2007, 17:12:35 UTC | Get pg_utf_mblen(), pg_utf2wchar_with_len(), and utf2ucs() all on the same page about the maximum UTF8 sequence length we support (4 bytes since 8.1, 3 before that). pg_utf2wchar_with_len never got updated to support 4-byte characters at all, and in any case had a buffer-overrun risk in that it could produce multiple pg_wchars from what mblen claims to be just one UTF8 character. The only reason we don't have a major security hole is that most callers allocate worst-case output buffers; the sole exception in released versions appears to be pre-8.2 iwchareq() (ie, ILIKE), which can be crashed due to zeroing out its return address --- but AFAICS that can't be exploited for anything more than a crash, due to inability to control what gets written there. Per report from James Russell and Michael Fuhr. Pre-8.1 the risk is much less, but I still think pg_utf2wchar_with_len's behavior given an incomplete final character risks buffer overrun, so back-patch that logic change anyway. This patch also makes sure that UTF8 sequences exceeding the supported length (whichever it is) are consistently treated as error cases, rather than being treated like a valid shorter sequence in some places. | 24 January 2007, 17:12:35 UTC |
| 3e0b541 | Tom Lane | 24 January 2007, 01:26:02 UTC | Relax an Assert() that has been found to be too strict in some situations involving unions of types having typmods. Variants of the failure are known to occur in 8.1 and up; not sure if it's possible in 8.0 and 7.4, but since the code exists that far back, I'll just patch 'em all. Per report from Brian Hurt. | 24 January 2007, 01:26:02 UTC |
| 8147c13 | Tatsuo Ishii | 13 January 2007, 03:17:34 UTC | Back port patch. Call srandom() instead of srand(). pgbench calls random() later, so it should have called srandom(). On most platforms except Windows srandom() is actually identical to srand(), so the bug only bites Windows users. per bug report from Akio Ishida. | 13 January 2007, 03:17:34 UTC |
| a7542c3 | PostgreSQL Daemon | 06 January 2007, 06:18:46 UTC | tag it | 06 January 2007, 06:18:46 UTC |
| 3d5f286 | Tom Lane | 06 January 2007, 06:01:48 UTC | Links to GUC variables from HISTORY don't work in back branches... | 06 January 2007, 06:01:48 UTC |
| a05e93e | Bruce Momjian | 06 January 2007, 04:17:33 UTC | Fix markup because older releases couldn't link to the reference section. | 06 January 2007, 04:17:33 UTC |
| ccd743e | Tom Lane | 05 January 2007, 22:35:04 UTC | Minor copy-editing for release note updates. | 05 January 2007, 22:35:04 UTC |
| e0f20bb | Bruce Momjian | 05 January 2007, 20:53:30 UTC | Stamp release 8.0.10. | 05 January 2007, 20:53:30 UTC |
| 1f503f2 | Bruce Momjian | 05 January 2007, 20:03:19 UTC | Create release notes for 8.0.10. | 05 January 2007, 20:03:19 UTC |
| 85690a0 | Tom Lane | 03 January 2007, 22:39:49 UTC | Fix regex_fixed_prefix() to cope reasonably well with regex patterns of the form '^(foo)$'. Before, these could never be optimized into indexscans. The recent changes to make psql and pg_dump generate such patterns (for \d commands and -t and related switches, respectively) therefore represented a big performance hit for people with large pg_class catalogs, as seen in recent gripe from Erik Jones. While at it, be more paranoid about case-sensitivity checking in multibyte encodings, and fix some other corner cases in which a regex might be interpreted too liberally. | 03 January 2007, 22:39:49 UTC |
