Skip to main content

Browse the archive

https://github.com/postgres/postgres
07 April 2024, 13:56:23 UTC
sort by:
Revision Author Date Message Commit Date
f250131 Marc G. Fournier 10 December 2009, 03:02:07 UTC tag 8.3.9 10 December 2009, 03:02:07 UTC
8e692a9 Tom Lane 10 December 2009, 00:31:34 UTC Update release notes for releases 8.4.2, 8.3.9, 8.2.15, 8.1.19, 8.0.23, 7.4.27. 10 December 2009, 00:31:34 UTC
e3b01bc Tom Lane 09 December 2009, 21:58:17 UTC Prevent indirect security attacks via changing session-local state within an allegedly immutable index function. It was previously recognized that we had to prevent such a function from executing SET/RESET ROLE/SESSION AUTHORIZATION, or it could trivially obtain the privileges of the session user. However, since there is in general no privilege checking for changes of session-local state, it is also possible for such a function to change settings in a way that might subvert later operations in the same session. Examples include changing search_path to cause an unexpected function to be called, or replacing an existing prepared statement with another one that will execute a function of the attacker's choosing. The present patch secures VACUUM, ANALYZE, and CREATE INDEX/REINDEX against these threats, which are the same places previously deemed to need protection against the SET ROLE issue. GUC changes are still allowed, since there are many useful cases for that, but we prevent security problems by forcing a rollback of any GUC change after completing the operation. Other cases are handled by throwing an error if any change is attempted; these include temp table creation, closing a cursor, and creating or deleting a prepared statement. (In 7.4, the infrastructure to roll back GUC changes doesn't exist, so we settle for rejecting changes of "search_path" in these contexts.) Original report and patch by Gurjeet Singh, additional analysis by Tom Lane. Security: CVE-2009-4136 09 December 2009, 21:58:17 UTC
d724237 Magnus Hagander 09 December 2009, 06:37:25 UTC Reject certificates with embedded NULLs in the commonName field. This stops attacks where an attacker would put <attack>\0<propername> in the field and trick the validation code that the certificate was for <attack>. This is a very low risk attack since it reuqires the attacker to trick the CA into issuing a certificate with an incorrect field, and the common PostgreSQL deployments are with private CAs, and not external ones. Also, default mode in 8.4 does not do any name validation, and is thus also not vulnerable - but the higher security modes are. Backpatch all the way. Even though versions 8.3.x and before didn't have certificate name validation support, they still exposed this field for the user to perform the validation in the application code, and there is no way to detect this problem through that API. Security: CVE-2009-4034 09 December 2009, 06:37:25 UTC
d01b2e4 Tom Lane 09 December 2009, 00:36:08 UTC Update time zone data files to tzdata release 2009s: DST law changes in Antarctica, Argentina, Bangladesh, Fiji, Novokuznetsk, Pakistan, Palestine, Samoa, Syria. Also historical corrections for Hong Kong. 09 December 2009, 00:36:08 UTC
d549d3e Peter Eisentraut 08 December 2009, 22:15:48 UTC Translation updates 08 December 2009, 22:15:48 UTC
dd7321f Heikki Linnakangas 03 December 2009, 11:03:44 UTC Fix bug in temporary file management with subtransactions. A cursor opened in a subtransaction stays open even if the subtransaction is aborted, so any temporary files related to it must stay alive as well. With the patch, we use ResourceOwners to track open temporary files and don't automatically close them at subtransaction end (though in the normal case temporary files are registered with the subtransaction resource owner and will therefore be closed). At end of top transaction, we still check that there's no temporary files marked as close-at-end-of-transaction open, but that's now just a debugging cross-check as the resource owner cleanup should've closed them already. 03 December 2009, 11:03:44 UTC
3c77fbd Tom Lane 02 December 2009, 17:41:31 UTC Ignore attempts to set "application_name" in the connection startup packet. This avoids a useless connection retry and complaint in the postmaster log when receiving a connection from 8.5 or later libpq. Backpatch in all supported branches, but of course *not* HEAD. 02 December 2009, 17:41:31 UTC
e6bfe55 Tom Lane 30 November 2009, 16:38:46 UTC Avoid core dump on empty thesaurus dictionary. Per report from Robert Gravsjö. 30 November 2009, 16:38:46 UTC
b50e026 Tom Lane 29 November 2009, 21:02:28 UTC Fix session-lifespan memory leak when a plperl function is redefined: we have to tell Perl it can release its compiled copy of the function text. Noted by Alexey Klyukin. Back-patch to 8.2 --- the problem exists further back, but this patch won't work without modification, and it's probably not worth the trouble. 29 November 2009, 21:02:28 UTC
602878d Peter Eisentraut 24 November 2009, 19:20:53 UTC Fix syntax in extract() examples Author: Erik Rijkers <er@xs4all.nl> 24 November 2009, 19:20:53 UTC
0852c4d Heikki Linnakangas 23 November 2009, 09:59:00 UTC Fix an old bug in multixact and two-phase commit. Prepared transactions can be part of multixacts, so allocate a slot for each prepared transaction in the "oldest member" array in multixact.c. On PREPARE TRANSACTION, transfer the oldest member value from the current backends slot to the prepared xact slot. Also save and recover the value from the 2pc state file. The symptom of the bug was that after a transaction prepared, a shared lock still held by the prepared transaction was sometimes ignored by other transactions. Fix back to 8.1, where both 2PC and multixact were introduced. 23 November 2009, 09:59:00 UTC
31f38e3 Tom Lane 19 November 2009, 02:45:50 UTC Fix memory leak in syslogger: logfile_rotate() would leak a copy of the output filename if CSV logging was enabled and only one of the two possible output files got rotated during a particular call (which would, in fact, typically be the case during a size-based rotation). This would amount to about MAXPGPATH (1KB) per rotation, and it's been there since the CSV code was put in, so it's surprising that nobody noticed it before. Per bug #5196 from Thomas Poindessous. 19 November 2009, 02:45:50 UTC
87021e7 Peter Eisentraut 15 November 2009, 13:54:22 UTC Make text search parser accept underscores in XML attributes (bug #5075) 15 November 2009, 13:54:22 UTC
d509347 Magnus Hagander 14 November 2009, 15:39:41 UTC Add inheritable ACE when creating a restricted token for execution on Win32. Also refactor the code around it to be more clear. Jesse Morris 14 November 2009, 15:39:41 UTC
3b0d57e Tom Lane 10 November 2009, 23:12:29 UTC Do not build psql's flex module on its own, but instead include it in mainloop.c. This ensures that postgres_fe.h is read before including any system headers, which is necessary to avoid problems on some platforms where we make nondefault selections of feature macros for stdio.h or other headers. We have had this policy for flex modules in the backend for many years, but for some reason it was not applied to psql. Per trouble report from Alexandra Roy and diagnosis by Albe Laurenz. 10 November 2009, 23:12:29 UTC
fa40685 Alvaro Herrera 10 November 2009, 18:00:44 UTC Fix longstanding problems in VACUUM caused by untimely interruptions In VACUUM FULL, an interrupt after the initial transaction has been recorded as committed can cause postmaster to restart with the following error message: PANIC: cannot abort transaction NNNN, it was already committed This problem has been reported many times. In lazy VACUUM, an interrupt after the table has been truncated by lazy_truncate_heap causes other backends' relcache to still point to the removed pages; this can cause future INSERT and UPDATE queries to error out with the following error message: could not read block XX of relation 1663/NNN/MMMM: read only 0 of 8192 bytes The window to this race condition is extremely narrow, but it has been seen in the wild involving a cancelled autovacuum process. The solution for both problems is to inhibit interrupts in both operations until after the respective transactions have been committed. It's not a complete solution, because the transaction could theoretically be aborted by some other error, but at least fixes the most common causes of both problems. 10 November 2009, 18:00:44 UTC
862f5db Heikki Linnakangas 04 November 2009, 12:51:42 UTC Disable triggering failover with a signal in pg_standby on Windows, because Windows doesn't do signal processing like other platforms do. It never really worked, but recent changes to the signal handling made it crash. This fixes bug #4961. Patch by Fujii Masao. 04 November 2009, 12:51:42 UTC
9250485 Peter Eisentraut 03 November 2009, 08:44:52 UTC Fix obscure segfault condition in PL/Python In PLy_output(), when the elog() call in the TRY branch throws an exception (this can happen when a statement timeout kicks in, for example), the PyErr_SetString() call in the CATCH branch can cause a segfault, because the Py_XDECREF(so) call before it releases memory that is still used by the sv variable that PyErr_SetString() uses as argument, because sv points into memory owned by so. Backpatched back to 8.0, where this code was introduced. I also threw in a couple of volatile declarations for variables that are used before and after the TRY. I don't think they caused the crash that I observed, but they could become issues. 03 November 2009, 08:44:52 UTC
2a47208 Tom Lane 31 October 2009, 18:12:12 UTC Ensure the previous Perl interpreter selection is restored upon exit from plperl_call_handler, in both the normal and error-exit paths. Per report from Alexey Klyukin. 31 October 2009, 18:12:12 UTC
15b406f Tom Lane 30 October 2009, 20:58:57 UTC Make the overflow guards in ExecChooseHashTableSize be more protective. The original coding ensured nbuckets and nbatch didn't exceed INT_MAX, which while not insane on its own terms did nothing to protect subsequent code like "palloc(nbatch * sizeof(BufFile *))". Since enormous join size estimates might well be planner error rather than reality, it seems best to constrain the initial sizes to be not more than work_mem/sizeof(pointer), thus ensuring the allocated arrays don't exceed work_mem. We will allow nbatch to get bigger than that during subsequent ExecHashIncreaseNumBatches calls, but we should still guard against integer overflow in those palloc requests. Per bug #5145 from Bernt Marius Johnsen. Although the given test case only seems to fail back to 8.2, previous releases have variants of this issue, so patch all supported branches. 30 October 2009, 20:58:57 UTC
972dd13 Tom Lane 27 October 2009, 20:14:39 UTC Fix AfterTriggerSaveEvent to use a test and elog, not just Assert, to check that it's called within an AfterTriggerBeginQuery/AfterTriggerEndQuery pair. The RI cascade triggers suppress that overhead on the assumption that they are always run non-deferred, so it's possible to violate the condition if someone mistakenly changes pg_trigger to mark such a trigger deferred. We don't really care about supporting that, but throwing an error instead of crashing seems desirable. Per report from Marcelo Costa. 27 October 2009, 20:14:39 UTC
e0066c6 Tom Lane 16 October 2009, 22:08:48 UTC Rewrite pam_passwd_conv_proc to be more robust: avoid assuming that the pam_message array contains exactly one PAM_PROMPT_ECHO_OFF message. Instead, deal with however many messages there are, and don't throw error for PAM_ERROR_MSG and PAM_TEXT_INFO messages. This logic is borrowed from openssh 5.2p1, which hopefully has seen more real-world PAM usage than we have. Per bug #5121 from Ryan Douglas, which turned out to be caused by the conv_proc being called with zero messages. Apparently that is normal behavior given the combination of Linux pam_krb5 with MS Active Directory as the domain controller. Patch all the way back, since this code has been essentially untouched since 7.4. (Surprising we've not heard complaints before.) 16 October 2009, 22:08:48 UTC
1b198db Heikki Linnakangas 14 October 2009, 22:10:17 UTC Rename the new MAX_AUTH_TOKEN_LENGTH #define to PG_MAX_AUTH_MAX_TOKEN_LENGTH, to make it more obvious that it's a PostgreSQL internal limit, not something that comes from system header files. 14 October 2009, 22:10:17 UTC
c6b4d4f Heikki Linnakangas 14 October 2009, 07:27:44 UTC Raise the maximum authentication token (Kerberos ticket) size in GSSAPI and SSPI athentication methods. While the old 2000 byte limit was more than enough for Unix Kerberos implementations, tickets issued by Windows Domain Controllers can be much larger. Ian Turner 14 October 2009, 07:27:44 UTC
c2c86e4 Heikki Linnakangas 08 October 2009, 04:46:37 UTC Fix off-by-one bug in bitncmp(): When comparing a number of bits divisible by 8, bitncmp() may dereference a pointer one byte out of bounds. Chris Mikkelson (bug #5101) 08 October 2009, 04:46:37 UTC
895a3fb Tom Lane 02 October 2009, 22:50:03 UTC Fix an oversight in an 8.3-era patch: pgstat_initstats should allow stats to be collected for sequences. Report and fix by Akira Kurosawa 02 October 2009, 22:50:03 UTC
81f7305 Tom Lane 02 October 2009, 18:13:19 UTC Fix erroneous handling of shared dependencies (ie dependencies on roles) in CREATE OR REPLACE FUNCTION. The original code would update pg_shdepend as if a new function was being created, even if it wasn't, with two bad consequences: pg_shdepend might record the wrong owner for the function, and any dependencies for roles mentioned in the function's ACL would be lost. The fix is very easy: just don't touch pg_shdepend at all when doing a function replacement. Also update the CREATE FUNCTION reference page, which never explained exactly what changes and doesn't change in a function replacement. In passing, fix the CREATE VIEW reference page similarly; there's no code bug there, but the docs didn't say what happens. 02 October 2009, 18:13:19 UTC
9cfc3d2 Tom Lane 29 September 2009, 01:21:02 UTC Fix equivclass.c's not-quite-right strategy for handling X=X clauses. The original coding correctly noted that these aren't just redundancies (they're effectively X IS NOT NULL, assuming = is strict). However, they got treated that way if X happened to be in a single-member EquivalenceClass already, which could happen if there was an ORDER BY X clause, for instance. The simplest and most reliable solution seems to be to not try to process such clauses through the EquivalenceClass machinery; just throw them back for traditional processing. The amount of work that'd be needed to be smarter than that seems out of proportion to the benefit. Per bug #5084 from Bernt Marius Johnsen, and analysis by Andrew Gierth. 29 September 2009, 01:21:02 UTC
eff805b Andrew Dunstan 28 September 2009, 17:30:41 UTC Convert a perl array to a postgres array when returned by Set Returning Functions as well as non SRFs. Backpatch to 8.1 where these facilities were introduced. with a little help from Abhijit Menon-Sen. 28 September 2009, 17:30:41 UTC
8b720b5 Tom Lane 26 September 2009, 18:25:03 UTC Fix RelationCacheInitializePhase2 (Phase3, in HEAD) to cope with the possibility of shared-inval messages causing a relcache flush while it tries to fill in missing data in preloaded relcache entries. There are actually two distinct failure modes here: 1. The flush could delete the next-to-be-processed cache entry, causing the subsequent hash_seq_search calls to go off into the weeds. This is the problem reported by Michael Brown, and I believe it also accounts for bug #5074. The simplest fix is to restart the hashtable scan after we've read any new data from the catalogs. It appears that pre-8.4 branches have not suffered from this failure, because by chance there were no other catalogs sharing the same hash chains with the catalogs that RelationCacheInitializePhase2 had work to do for. However that's obviously pretty fragile, and it seems possible that derivative versions with additional system catalogs might be vulnerable, so I'm back-patching this part of the fix anyway. 2. The flush could delete the *current* cache entry, in which case the pointer to the newly-loaded data would end up being stored into an already-deleted Relation struct. As long as it was still deleted, the only consequence would be some leaked space in CacheMemoryContext. But it seems possible that the Relation struct could already have been recycled, in which case this represents a hard-to-reproduce clobber of cached data structures, with unforeseeable consequences. The fix here is to pin the entry while we work on it. In passing, also change RelationCacheInitializePhase2 to Assert that formrdesc() set up the relation's cached TupleDesc (rd_att) with the correct type OID and hasoids values. This is more appropriate than silently updating the values, because the original tupdesc might already have been copied into the catcache. However this part of the patch is not in HEAD because it fails due to some questionable recent changes in formrdesc :-(. That will be cleaned up in a subsequent patch. 26 September 2009, 18:25:03 UTC
13b67eb Teodor Sigaev 18 September 2009, 14:03:12 UTC Fix incorrect arguments for gist_box_penalty call. The bug could be observed only for secondary page split (i.e. for non-first columns of index) Patch by Paul Ramsey <pramsey@opengeo.org> 18 September 2009, 14:03:12 UTC
1bb8236 Heikki Linnakangas 13 September 2009, 18:32:27 UTC Don't error out if recycling or removing an old WAL segment fails at the end of checkpoint. Although the checkpoint has been written to WAL at that point already, so that all data is safe, and we'll retry removing the WAL segment at the next checkpoint, if such a failure persists we won't be able to remove any other old WAL segments either and will eventually run out of disk space. It's better to treat the failure as non-fatal, and move on to clean any other WAL segment and continue with any other end-of-checkpoint cleanup. We don't normally expect any such failures, but on Windows it can happen with some anti-virus or backup software that lock files without FILE_SHARE_DELETE flag. Also, the loop in pgrename() to retry when the file is locked was broken. If a file is locked on Windows, you get ERROR_SHARE_VIOLATION, not ERROR_ACCESS_DENIED, at least on modern versions. Fix that, although I left the check for ERROR_ACCESS_DENIED in there as well (presumably it was correct in some environment), and added ERROR_LOCK_VIOLATION to be consistent with similar checks in pgwin32_open(). Reduce the timeout on the loop from 30s to 10s, on the grounds that since it's been broken, we've effectively had a timeout of 0s and no-one has complained, so a smaller timeout is actually closer to the old behavior. A longer timeout would mean that if recycling a WAL file fails because it's locked for some reason, InstallXLogFileSegment() will hold ControlFileLock for longer, potentially blocking other backends, so a long timeout isn't totally harmless. While we're at it, set errno correctly in pgrename(). Backpatch to 8.2, which is the oldest version supported on Windows. The xlog.c changes would make sense on other platforms and thus on older versions as well, but since there's no such locking issues on other platforms, it's not worth it. 13 September 2009, 18:32:27 UTC
103be09 Heikki Linnakangas 10 September 2009, 09:43:17 UTC On Windows, when a file is deleted and another process still has an open file handle on it, the file goes into "pending deletion" state where it still shows up in directory listing, but isn't accessible otherwise. That confuses RemoveOldXLogFiles(), making it think that the file hasn't been archived yet, while it actually was, and it was deleted along with the .done file. Fix that by renaming the file with ".deleted" extension before deleting it. Also check the return value of rename() and unlink(), so that if the removal fails for any reason (e.g another process is holding the file locked), we don't delete the .done file until the WAL file is really gone. Backpatch to 8.2, which is the oldest version supported on Windows. 10 September 2009, 09:43:17 UTC
a15cb06 Tom Lane 08 September 2009, 04:25:25 UTC Remove outside-the-scanner references to "yyleng". It seems the flex developers have decided to change yyleng from int to size_t. This has already happened in the latest release of OS X, and will start happening elsewhere once the next release of flex appears. Rather than trying to divine how it's declared in any particular build, let's just remove the one existing not-very-necessary external usage. Back-patch to all supported branches; not so much because users in the field are likely to care about building old branches with cutting-edge flex, as to keep OSX-based buildfarm members from having problems with old branches. 08 September 2009, 04:25:25 UTC
dfd5282 Tom Lane 06 September 2009, 15:25:39 UTC Update the tznames reference files, and add IDT (Israel Daylight Time) to the Default timezone abbreviation set. Back-port the the current file set to all branches that contain tznames. This includes adding SGT to the Default set in pre-8.4 releases. Joachim Wieland 06 September 2009, 15:25:39 UTC
691efa1 Heikki Linnakangas 04 September 2009, 10:49:50 UTC Fix encoding handling in xml binary input function. If the XML header didn't specify an encoding explicitly, we used to treat it as being in database encoding when we parsed it, but then perform a UTF-8 -> database encoding conversion on it, which was completely bogus. It's now consistently treated as UTF-8. 04 September 2009, 10:49:50 UTC
e01fdca Marc G. Fournier 04 September 2009, 00:53:29 UTC Tag 8.3.8 04 September 2009, 00:53:29 UTC
7e2024b Tom Lane 03 September 2009, 22:14:07 UTC Final updates of release notes for 8.4.1, 8.3.8, 8.2.14, 8.1.18, 8.0.22, 7.4.26. 03 September 2009, 22:14:07 UTC
5927d9f Tom Lane 03 September 2009, 22:11:22 UTC Make LOAD of an already-loaded library into a no-op, instead of attempting to unload and re-load the library. The difficulty with unloading a library is that we haven't defined safe protocols for doing so. In particular, there's no safe mechanism for getting out of a "hook" function pointer unless libraries are unloaded in reverse order of loading. And there's no mechanism at all for undefining a custom GUC variable, so GUC would be left with a pointer to an old value that might or might not still be valid, and very possibly wouldn't be in the same place anymore. While the unload and reload behavior had some usefulness in easing development of new loadable libraries, it's of no use whatever to normal users, so just disabling it isn't giving up that much. Someday we might care to expend the effort to develop safe unload protocols; but even if we did, there'd be little certainty that every third-party loadable module was following them, so some security restrictions would still be needed. Back-patch to 8.2; before that, LOAD was superuser-only anyway. Security: unprivileged users could crash backend. CVE not assigned yet 03 September 2009, 22:11:22 UTC
fe8170d Tom Lane 03 September 2009, 22:08:23 UTC Disallow RESET ROLE and RESET SESSION AUTHORIZATION inside security-definer functions. This extends the previous patch that forbade SETting these variables inside security-definer functions. RESET is equally a security hole, since it would allow regaining privileges of the caller; furthermore it can trigger Assert failures and perhaps other internal errors, since the code is not expecting these variables to change in such contexts. The previous patch did not cover this case because assign hooks don't really have enough information, so move the responsibility for preventing this into guc.c. Problem discovered by Heikki Linnakangas. Security: no CVE assigned yet, extends CVE-2007-6600 03 September 2009, 22:08:23 UTC
095f7ba Peter Eisentraut 03 September 2009, 19:25:46 UTC Translation updates 03 September 2009, 19:25:46 UTC
1e4a3cf Tom Lane 03 September 2009, 04:44:50 UTC Update time zone data files to tzdata release 2009l: DST law changes in Egypt, Mauritius, Bangladesh. 03 September 2009, 04:44:50 UTC
bcdb578 Tom Lane 02 September 2009, 02:41:07 UTC Fix pg_ctl's readfile() to not go into infinite loop on an empty file (could happen if either postgresql.conf or postmaster.opts is empty). It's been broken since the C version was written for 8.0, so patch all the way back. initdb's copy of the function is broken in the same way, but it's less important there since the input files should never be empty. Patch that in HEAD only, and also fix some cosmetic differences that crept into that copy of the function. Per report from Corry Haines and Jeff Davis. 02 September 2009, 02:41:07 UTC
d40ef0d Tom Lane 30 August 2009, 16:53:45 UTC Remove duplicate variable initializations identified by clang static checker. One of these represents a nontrivial bug (a promptly-leaked palloc), so backpatch. Greg Stark 30 August 2009, 16:53:45 UTC
143373b Bruce Momjian 27 August 2009, 01:27:24 UTC Update release notes for 7.4.26, 8.0.22, 8.1.18, 8.2.14, 8.3.8, 8.4.1. 27 August 2009, 01:27:24 UTC
fa837ad Alvaro Herrera 24 August 2009, 17:23:28 UTC Avoid calling kill() in a postmaster signal handler. This causes problems when the system load is high, per report from Zdenek Kotala in <1250860954.1239.114.camel@localhost>; instead of calling kill directly, have the signal handler set a flag which is checked in ServerLoop. This way, the handler can return before being called again by a subsequent signal sent from the autovacuum launcher. Also, increase the sleep in the launcher in this failure path to 1 second. Backpatch to 8.3, which is when the signalling between autovacuum launcher/postmaster was introduced. Also, add a couple of ReleasePostmasterChildSlot calls in error paths; this part backpatched to 8.4 which is when the child slot stuff was introduced. 24 August 2009, 17:23:28 UTC
b040178 Tom Lane 24 August 2009, 16:18:25 UTC Fix inclusions of readline/editline header files so that we only attempt to #include the version of history.h that is in the same directory as the readline.h we are using. This avoids problems in some scenarios where both readline and editline are installed. Report and patch by Zdenek Kotala. 24 August 2009, 16:18:25 UTC
f57d5b7 Tom Lane 18 August 2009, 21:23:28 UTC Fix overflow for INTERVAL 'x ms' where x is more than a couple million, and integer datetimes are in use. Per bug report from Hubert Depesz Lubaczewski. Alex Hunsaker 18 August 2009, 21:23:28 UTC
2792c59 Tom Lane 16 August 2009, 19:55:38 UTC Fix imprecise documentation of random(): it never returns 1.0. This was changed in 8.2 but the documentation was not corrected. Per gripe from Sam Mason. 16 August 2009, 19:55:38 UTC
51bc461 Tom Lane 16 August 2009, 18:14:46 UTC Fix incorrect encoding-aware name truncation in makeArrayTypeName(). truncate_identifier won't do anything if the passed-in strlen is already less than NAMEDATALEN, which it always would be given the strlcpy usage. This has been broken since the arrays-of-composite-types code went in. Arguably truncate_identifier is suffering from excessive optimization and should always process the string, but for the moment I'll take the more localized patch. Per bug #4987. 16 August 2009, 18:14:46 UTC
29e6ced Bruce Momjian 15 August 2009, 20:23:20 UTC Remove tabs from SGML. 15 August 2009, 20:23:20 UTC
355e7ef Tom Lane 12 August 2009, 18:24:03 UTC Fix old bug in log_autovacuum_min_duration code: it was relying on being able to access a Relation entry it had just closed. I happened to be testing with CLOBBER_CACHE_ALWAYS, which made this a guaranteed core dump (at least on machines where sprintf %s isn't forgiving of a NULL pointer). It's probably quite unlikely that it would fail in the field, but a bug is a bug. Fix by moving the relation_close call down past the logging action. 12 August 2009, 18:24:03 UTC
0a427ab Magnus Hagander 11 August 2009, 11:51:20 UTC Reserve the shared memory region during backend startup on Windows, so that memory allocated by starting third party DLLs doesn't end up conflicting with it. Hopefully this solves the long-time issue with "could not reattach to shared memory" errors on Win32. Patch from Tsutomu Yamada and me, based on idea from Trevor Talbot. 11 August 2009, 11:51:20 UTC
1d6ddeb Magnus Hagander 10 August 2009, 11:48:50 UTC Enable the use of multiple CPUs/cores when building on MSVC. This only affects the C compiler step - we still only build one target at a time. 10 August 2009, 11:48:50 UTC
bbe2168 Andrew Dunstan 10 August 2009, 02:39:24 UTC Re-add documentation for --no-readline option of psql, mistakenly removed a decade ago. Backpatch to release 7.4. 10 August 2009, 02:39:24 UTC
d9a00eb Tom Lane 07 August 2009, 20:16:22 UTC Try to defend against the possibility that libpq is still in COPY_IN state when we reach the post-COPY "pump it dry" error recovery code that was added 2006-11-24. Per a report from Neil Best, there is at least one code path in which this occurs, leading to an infinite loop in code that's supposed to be making it more robust not less so. A reasonable response seems to be to call PQputCopyEnd() again, so let's try that. Back-patch to all versions that contain the cleanup loop. 07 August 2009, 20:16:22 UTC
b1fc543 Heikki Linnakangas 07 August 2009, 06:00:09 UTC Fast shutdown stop should forcibly disconnect any active backends, even if a smart shutdown is already in progress. Backpatch to 8.3, this was broken in the patch that introduced "dead-end backends". Per report by Itagaki Takahiro, patch by Fujii Masao. 07 August 2009, 06:00:09 UTC
4f9bb27 Magnus Hagander 30 July 2009, 09:28:03 UTC Make sure FD_SETSIZE is set before we include any Windows header files. Josh Williams 30 July 2009, 09:28:03 UTC
e9d2f68 Tom Lane 29 July 2009, 15:57:23 UTC Fix a thinko introduced into CountActiveBackends by a recent patch: we should ignore NULL array entries, not non-NULL ones. This had the effect of disabling commit_delay, and could have caused a crash in the rare race condition the patch was intended to fix. Bug report and diagnosis by Jeff Janes, in bug #4952. 29 July 2009, 15:57:23 UTC
fe37cbb Teodor Sigaev 28 July 2009, 09:32:45 UTC Fix incorrect cleanup of tsquery in ts_rewrite(). Per bug #4933 by Aaron Marcuse-Kubitza <aaronmk@blackducksoftware.com> 28 July 2009, 09:32:45 UTC
def9d5f Peter Eisentraut 24 July 2009, 19:54:36 UTC Fix the fix for the gist error message 24 July 2009, 19:54:36 UTC
a88b390 Alvaro Herrera 20 July 2009, 20:38:58 UTC Install src/include/utils/fmgroids.h on VPATH builds too. The original coding was not dealing specially with this file being a symlink, with the end result that it was not installed in VPATH builds. Oddly enough, the clean target does know about it ... 20 July 2009, 20:38:58 UTC
d7bc5e3 Tom Lane 17 July 2009, 23:20:15 UTC Repair bug #4926 "too few pathkeys for mergeclauses". This example shows that the sanity checking I added to create_mergejoin_plan() in 8.3 was a few bricks shy of a load: the mergeclauses could reference pathkeys in a noncanonical order such as x,y,x, not only cases like x,x,y which is all that the code had allowed for. The odd cases only turn up when using redundant clauses in an outer join condition, which is why no one had noticed before. 17 July 2009, 23:20:15 UTC
b5f32d8 Tom Lane 14 July 2009, 15:38:03 UTC Do a conditional SPI_push/SPI_pop when replanning a query in RevalidateCachedPlan. This is to avoid a "SPI_ERROR_CONNECT" failure when the planner calls a SPI-using function and we are already inside one. The alternative fix is to expect callers of RevalidateCachedPlan to do this, which seems likely to result in additional hard-to-detect bugs of omission. Per reports from Frank van Vugt and Marek Lewczuk. Back-patch to 8.3. It's much harder to trigger the bug in 8.3, due to a smaller set of cases in which plans can be invalidated, but it could happen. (I think perhaps only a SI reset event could make 8.3 fail here, but that's certainly within the realm of possibility.) 14 July 2009, 15:38:03 UTC
1201008 Tom Lane 10 July 2009, 00:32:12 UTC Fix xslt_process() to ensure that it inserts a NULL terminator after the last pair of parameter name/value strings, even when there are MAXPARAMS of them. Aboriginal bug in contrib/xml2, noted while studying bug #4912 (though I'm not sure whether there's something else involved in that report). This might be thought a security issue, since it's a potential backend crash; but considering that untrustworthy users shouldn't be allowed to get their hands on xslt_process() anyway, it's probably not worth getting excited about. 10 July 2009, 00:32:12 UTC
96ee4c9 Heikki Linnakangas 06 July 2009, 19:11:53 UTC Fix ancient bug in handling of to_char modifier 'TH', when used with HH. In what seems like an oversight, we used to treat 'TH' the same as lowercase 'th', but only with HH/HH12. 06 July 2009, 19:11:53 UTC
e3eb8f6 Magnus Hagander 25 June 2009, 11:30:12 UTC Disallow empty passwords in LDAP authentication, the same way we already do it for PAM. 25 June 2009, 11:30:12 UTC
462c280 Tom Lane 23 June 2009, 16:25:09 UTC Fix an ancient error in dist_ps (distance from point to line segment), which a number of other geometric operators also depend on. It miscalculated the slope of the perpendicular to the given line segment anytime that slope was other than 0, infinite, or +/-1. In some cases the error would be masked because the true closest point on the line segment was one of its endpoints rather than the intersection point, but in other cases it could give an arbitrarily bad answer. Per bug #4872 from Nick Roosevelt. Bug goes clear back to Berkeley days, so patch all supported branches. Make a couple of cosmetic adjustments while at it. 23 June 2009, 16:25:09 UTC
d353864 Heikki Linnakangas 18 June 2009, 10:09:34 UTC Fix error in comment. Fujii Masao 18 June 2009, 10:09:34 UTC
5b2e5fe Tom Lane 14 June 2009, 00:00:30 UTC Change test tables in copy2 regression test to be temporary tables. This prevents autovacuum from reclaiming free space in them and causing the test's output row order to change, which is causing intermittent bogus failure reports in the buildfarm. Backpatch to 8.3. The issue exists further back, but since autovacuum was not on by default before 8.3, it's not a problem for buildfarm testing. 14 June 2009, 00:00:30 UTC
aebb4ed Tom Lane 11 June 2009, 17:45:45 UTC Update time zone data files to tzdata release 2009i: DST law changes in Bangladesh, Egypt, Jordan, Pakistan. 11 June 2009, 17:45:45 UTC
2b2a333 Peter Eisentraut 10 June 2009, 20:01:48 UTC Improve capitalization and punctuation in recently added GiST message. 10 June 2009, 20:01:48 UTC
8882a46 Tom Lane 10 June 2009, 18:54:23 UTC Keep rs_startblock the same during heap_rescan, so that a rescan of a SeqScan node starts from the same place as the first scan did. This avoids surprising behavior of scrollable and WITH HOLD cursors, as seen in Mark Kirkwood's bug report of yesterday. It's not entirely clear whether a rescan should be forced to drop out of the syncscan mode, but for the moment I left the code behaving the same on that point. Any change there would only be a performance and not a correctness issue, anyway. Back-patch to 8.3, since the unstable behavior was created by the syncscan patch. 10 June 2009, 18:54:23 UTC
469a487 Tom Lane 10 June 2009, 16:31:38 UTC Fix cash_in() to behave properly in locales where frac_digits is zero, eg Japan. Report and fix by Itagaki Takahiro. Also fix CASHDEBUG printout format for branches with 64-bit money type, and some minor comment cleanup. Back-patch to 7.4, because it's broken all the way back. 10 June 2009, 16:31:38 UTC
96c6b33 Tom Lane 10 June 2009, 03:44:42 UTC Ensure xmlFree(NULL) is a no-op instead of a core dump. Per report from Sergey Burladyan, there are at least some dank corners of libxml2 that assume this behavior, even though their published documentation suggests they shouldn't. This is only really a live problem in 8.3, but the code is still there for possible debugging use in HEAD, so patch both branches. 10 June 2009, 03:44:42 UTC
84814ef Alvaro Herrera 09 June 2009, 19:36:42 UTC Fix typo, per Tom 09 June 2009, 19:36:42 UTC
2be1e5c Alvaro Herrera 09 June 2009, 16:41:38 UTC Dynamically set a lower bound on autovacuum nap time so that we don't rebuild the database list too often. Per bug report from Łukasz Jagiełło and ensuing discussion on pgsql-performance. 09 June 2009, 16:41:38 UTC
c31c81c Peter Eisentraut 08 June 2009, 21:32:50 UTC Fix map_sql_table_to_xmlschema() with dropped attributes. 08 June 2009, 21:32:50 UTC
abf4b00 Andrew Dunstan 05 June 2009, 20:32:15 UTC Adjust recent PERL_SYS_INIT3 call to avoid platforms where it might fail, and to remove compilation warning. Backpatch the release 7.4 05 June 2009, 20:32:15 UTC
b2ec4f2 Tom Lane 05 June 2009, 18:50:52 UTC GIN's ItemPointerIsMin, ItemPointerIsMax, and ItemPointerIsLossyPage macros should use GinItemPointerGetBlockNumber/GinItemPointerGetOffsetNumber, not ItemPointerGetBlockNumber/ItemPointerGetOffsetNumber, because the latter will Assert() on ip_posid == 0, ie a "Min" pointer. (Thus, ItemPointerIsMin has never worked at all, but it seems unused at present.) I'm not certain that the case can occur in normal functioning, but it's blowing up on me while investigating Tatsuo-san's data corruption problem. In any case it seems like a problem waiting to bite someone. Back-patch just in case this really is a problem for somebody in the field. 05 June 2009, 18:50:52 UTC
101430d Andrew Dunstan 05 June 2009, 18:31:48 UTC Search for versioned perl library instead of using hardcoded name on Windows. Backpatch to release 8.3 05 June 2009, 18:31:48 UTC
16f4994 Andrew Dunstan 04 June 2009, 16:00:11 UTC Initialise perl library as documented in perl API. Backpatch to release 7.4. 04 June 2009, 16:00:11 UTC
c0dd9f7 Heikki Linnakangas 02 June 2009, 06:19:41 UTC Only recycle normal files in pg_xlog as WAL segments. pg_standby creates symbolic links with the -l option, and as Fujii Masao pointed out we ended up overwriting files in the archive directory before this patch. Patch by Aidan Van Dyk, Fujii Masao and me. Backpatch to 8.3, where pg_standby was introduced. 02 June 2009, 06:19:41 UTC
6b4a3a7 Tom Lane 24 May 2009, 18:10:47 UTC Fix LIKE's special-case code for % followed by _. I'm not entirely sure that this case is worth a special code path, but a special code path that gets the boundary condition wrong is definitely no good. Per bug #4821 from Andrew Gierth. In passing, clean up some minor code formatting issues (excess parentheses and blank lines in odd places). Back-patch to 8.3, where the bug was introduced. 24 May 2009, 18:10:47 UTC
8e4862b Heikki Linnakangas 19 May 2009, 08:30:12 UTC Update relpages and reltuples estimates in stand-alone ANALYZE, even if there's no analyzable attributes or indexes. We also used to report 0 live and dead tuples for such tables, which messed with autovacuum threshold calculations. This fixes bug #4812 reported by George Su. Backpatch back to 8.1. 19 May 2009, 08:30:12 UTC
9497c7a Tom Lane 12 May 2009, 20:17:46 UTC Fix intratransaction memory leaks in xml_recv, xmlconcat, xmlroot, and xml_parse, all arising from the same sloppy usage of parse_xml_decl. The original coding had that function returning its output string parameters in the libxml context, which is long-lived, and all but one of its callers neglected to free the strings afterwards. The easiest and most bulletproof fix is to return the strings in the local palloc context instead, since that's short-lived. This was only costing a dozen or two bytes per function call, but that adds up fast if the function is called repeatedly ... Noted while poking at the more general problem of what to do with our libxml memory allocation hooks. Back-patch to 8.3, which has the identical coding. 12 May 2009, 20:17:46 UTC
dd60bca Tom Lane 11 May 2009, 17:56:14 UTC Partially revert my patch of 2008-11-12 that installed a limit on the number of AND/OR clause branches that predtest.c would attempt to deal with. As noted in bug #4721, that change disabled proof attempts for sizes of problems that people are actually expecting it to work for. The original complaint it was trying to solve was O(N^2) behavior for long IN-lists, so let's try applying the limit to just ScalarArrayOpExprs rather than everything. Another case of "foolish consistency" I fear. Back-patch to 8.2, same as the previous patch was. 11 May 2009, 17:56:14 UTC
b6ecee2 Heikki Linnakangas 07 May 2009, 11:25:28 UTC Request XLOG switch before writing checkpoint in pg_start_backup(). Otherwise you can end up with an unrecoverable backup if you start a new base backup right after finishing archive recovery. In that scenario, the redo pointer of the checkpoint that pg_start_backup() writes points to the XLOG segment where the timeline-changing end-of-archive-recovery checkpoint is. The beginning of that segment contains pages with the old timeline ID, and we don't accept that in recovery unless we find a history file covering the old timeline ID. If you omit pg_xlog from the base backup and clear the archive directory before starting the backup, there will be no such history file available. The bug is present in all versions since PITR was introduced in 8.0, but I'm back-patching only back to 8.2. Earlier versions didn't have XLOG switch records, making this fix unfeasible. Given the lack of reports until now, it doesn't seem worthwhile to spend more effort to fix 8.0 and 8.1. Per report and suggestion by Mikael Krantz 07 May 2009, 11:25:28 UTC
6225c80 Magnus Hagander 05 May 2009, 09:48:53 UTC Make the win32 shared memory code try 10 times instead of one if it fails because the shared memory segment already exists. This means it can take up to 10 seconds before it reports the error if it *does* exist, but hopefully it will make the system capable of restarting even when the server is under high load. 05 May 2009, 09:48:53 UTC
8f1555e Magnus Hagander 04 May 2009, 08:36:44 UTC Call SetLastError(0) before calling the file mapping functions to make sure that the error code is reset, as a precaution in case the API doesn't properly reset it on success. This could be necessary, since we check the error value even if the function doesn't fail for specific success cases. 04 May 2009, 08:36:44 UTC
4df4ffe Tom Lane 03 May 2009, 23:13:44 UTC Fix pg_resetxlog to remove archive status files along with WAL segment files. Fujii Masao 03 May 2009, 23:13:44 UTC
252d2b1 Tom Lane 02 May 2009, 20:17:33 UTC Split the release notes into a separate file for each (active) major branch, as per my recent proposal. release.sgml itself is now just a stub that should change rarely; ideally, only once per major release to add a new include line. Most editing work will occur in the release-N.N.sgml files. To update a back branch for a minor release, just copy the appropriate release-N.N.sgml file(s) into the back branch. This commit doesn't change the end-product documentation at all, only the source layout. However, it makes it easy to start omitting ancient information from newer branches' documentation, should we ever decide to do that. 02 May 2009, 20:17:33 UTC
d4f9678 Tom Lane 01 May 2009, 19:29:13 UTC When checking for datetime field overflow, we should allow a fractional-second part that rounds up to exactly 1.0 second. The previous coding rejected input like "00:12:57.9999999999999999999999999999", with the exact number of nines needed to cause failure varying depending on float-timestamp option and possibly on platform. Obviously this should round up to the next integral second, if we don't have enough precision to distinguish the value from that. Per bug #4789 from Robert Kruus. In passing, fix a missed check for fractional seconds in one copy of the "is it greater than 24:00:00" code. Broken all the way back, so patch all the way back. 01 May 2009, 19:29:13 UTC
8f61f0b Tom Lane 25 April 2009, 16:45:03 UTC Fix the handling of sub-SELECTs appearing in the arguments of an outer-level aggregate function. By definition, such a sub-SELECT cannot reference any variables of query levels between itself and the aggregate's semantic level (else the aggregate would've been assigned to that lower level instead). So the correct, most efficient implementation is to treat the sub-SELECT as being a sub-select of that outer query level, not the level the aggregate syntactically appears in. Not doing so also confuses the heck out of our parameter-passing logic, as illustrated in bug report from Daniel Grace. Fortunately, we were already copying the whole Aggref expression up to the outer query level, so all that's needed is to delay SS_process_sublinks processing of the sub-SELECT until control returns to the outer level. This has been broken since we introduced spec-compliant treatment of outer aggregates in 7.4; so patch all the way back. 25 April 2009, 16:45:03 UTC
0fca584 Bruce Momjian 25 April 2009, 15:54:02 UTC Remove HELIOS Software GmbH name and copyright from AIX dynloader files, per approval from Helmut Tschemernjak, President. Only back branches; files removed from CVS HEAD. 25 April 2009, 15:54:02 UTC
f3676bc Tom Lane 19 April 2009, 20:36:13 UTC Fix textsearch documentation examples to not recommend concatenating separate fields without putting a space between. Per gripe from Rick Schumeyer. 19 April 2009, 20:36:13 UTC
57af05a Tom Lane 16 April 2009, 20:42:28 UTC Fix planner to restore its previous level of intelligence about pushing constants through full joins, as in select * from tenk1 a full join tenk1 b using (unique1) where unique1 = 42; which should generate a fairly cheap plan where we apply the constraint unique1 = 42 in each relation scan. This had been broken by my patch of 2008-06-27, which is now reverted in favor of a more invasive but hopefully less incorrect approach. That patch was meant to prevent incorrect extraction of OR'd indexclauses from OR conditions above an outer join. To do that correctly we need more information than the outerjoin_delay flag can provide, so add a nullable_relids field to RestrictInfo that records exactly which relations are nulled by outer joins that are underneath a particular qual clause. A side benefit is that we can make the test in create_or_index_quals more specific: it is now smart enough to extract an OR'd indexclause into the outer side of an outer join, even though it must not do so in the inner side. The old coding couldn't distinguish these cases so it could not do either. 16 April 2009, 20:42:28 UTC
e43d79b Magnus Hagander 15 April 2009, 18:58:34 UTC Remove beer-ware license from crypt-md5.c, per approval from Poul-Henning Kamp. This makes the file the same standard 2-clause BSD as the rest of PostgreSQL. 15 April 2009, 18:58:34 UTC
88e0883 Tom Lane 09 April 2009, 20:50:51 UTC Update time zone data files to tzdata release 2009e: DST law changes in Argentina/San_Luis, Cuba, Jordan (historical correction only), Morocco, Palestine, Syria, Tunisia. 09 April 2009, 20:50:51 UTC
back to top