Skip to main content

Browse the archive

https://github.com/postgres/postgres
02 May 2024, 11:03:54 UTC
sort by:
Revision Author Date Message Commit Date
5cc7c13 Marc G. Fournier 10 December 2009, 02:56:56 UTC tag for 8.4.2 10 December 2009, 02:56:56 UTC
743ffa5 Robert Haas 10 December 2009, 01:54:21 UTC Fix levenshtein with costs. The previous code multiplied by the cost in only 3 of the 7 relevant locations. Marcin Mank, slightly adjusted by me. 10 December 2009, 01:54:21 UTC
e8df357 Tom Lane 10 December 2009, 00:31:24 UTC Update release notes for releases 8.4.2, 8.3.9, 8.2.15, 8.1.19, 8.0.23, 7.4.27. 10 December 2009, 00:31:24 UTC
42ba393 Tom Lane 09 December 2009, 21:58:04 UTC Prevent indirect security attacks via changing session-local state within an allegedly immutable index function. It was previously recognized that we had to prevent such a function from executing SET/RESET ROLE/SESSION AUTHORIZATION, or it could trivially obtain the privileges of the session user. However, since there is in general no privilege checking for changes of session-local state, it is also possible for such a function to change settings in a way that might subvert later operations in the same session. Examples include changing search_path to cause an unexpected function to be called, or replacing an existing prepared statement with another one that will execute a function of the attacker's choosing. The present patch secures VACUUM, ANALYZE, and CREATE INDEX/REINDEX against these threats, which are the same places previously deemed to need protection against the SET ROLE issue. GUC changes are still allowed, since there are many useful cases for that, but we prevent security problems by forcing a rollback of any GUC change after completing the operation. Other cases are handled by throwing an error if any change is attempted; these include temp table creation, closing a cursor, and creating or deleting a prepared statement. (In 7.4, the infrastructure to roll back GUC changes doesn't exist, so we settle for rejecting changes of "search_path" in these contexts.) Original report and patch by Gurjeet Singh, additional analysis by Tom Lane. Security: CVE-2009-4136 09 December 2009, 21:58:04 UTC
a493b42 Magnus Hagander 09 December 2009, 16:16:45 UTC Update size references in installation instructions to be a bit more up-to-date with current versions. 09 December 2009, 16:16:45 UTC
1ac3651 Magnus Hagander 09 December 2009, 06:37:29 UTC Reject certificates with embedded NULLs in the commonName field. This stops attacks where an attacker would put <attack>\0<propername> in the field and trick the validation code that the certificate was for <attack>. This is a very low risk attack since it reuqires the attacker to trick the CA into issuing a certificate with an incorrect field, and the common PostgreSQL deployments are with private CAs, and not external ones. Also, default mode in 8.4 does not do any name validation, and is thus also not vulnerable - but the higher security modes are. Backpatch all the way. Even though versions 8.3.x and before didn't have certificate name validation support, they still exposed this field for the user to perform the validation in the application code, and there is no way to detect this problem through that API. Security: CVE-2009-4034 09 December 2009, 06:37:29 UTC
e37487d Tom Lane 09 December 2009, 00:35:59 UTC Update time zone data files to tzdata release 2009s: DST law changes in Antarctica, Argentina, Bangladesh, Fiji, Novokuznetsk, Pakistan, Palestine, Samoa, Syria. Also historical corrections for Hong Kong. 09 December 2009, 00:35:59 UTC
7a2afa1 Peter Eisentraut 08 December 2009, 22:22:17 UTC Translation updates 08 December 2009, 22:22:17 UTC
fd1b31f Magnus Hagander 08 December 2009, 20:08:37 UTC Fix a couple of broken links to third-party sites. 08 December 2009, 20:08:37 UTC
652dad6 Magnus Hagander 08 December 2009, 19:22:49 UTC Replace broken link to custom local gettext package with one to the main GNU site for gettext. 08 December 2009, 19:22:49 UTC
8c5a1d9 Magnus Hagander 07 December 2009, 19:20:01 UTC Update CVS documentation to be more current and add documentation about git mirror. Remove information about cvsup and documentation that's more about cvs than our use of cvs. Backpatch to 8.4 so we get the git information up on the website as soon as possible. 07 December 2009, 19:20:01 UTC
d1c5bdf Heikki Linnakangas 03 December 2009, 11:03:35 UTC Fix bug in temporary file management with subtransactions. A cursor opened in a subtransaction stays open even if the subtransaction is aborted, so any temporary files related to it must stay alive as well. With the patch, we use ResourceOwners to track open temporary files and don't automatically close them at subtransaction end (though in the normal case temporary files are registered with the subtransaction resource owner and will therefore be closed). At end of top transaction, we still check that there's no temporary files marked as close-at-end-of-transaction open, but that's now just a debugging cross-check as the resource owner cleanup should've closed them already. 03 December 2009, 11:03:35 UTC
e461436 Tom Lane 02 December 2009, 17:41:07 UTC Ignore attempts to set "application_name" in the connection startup packet. This avoids a useless connection retry and complaint in the postmaster log when receiving a connection from 8.5 or later libpq. Backpatch in all supported branches, but of course *not* HEAD. 02 December 2009, 17:41:07 UTC
b382cbb Tom Lane 30 November 2009, 16:38:40 UTC Avoid core dump on empty thesaurus dictionary. Per report from Robert Gravsjö. 30 November 2009, 16:38:40 UTC
1962ec6 Tom Lane 29 November 2009, 21:02:22 UTC Fix session-lifespan memory leak when a plperl function is redefined: we have to tell Perl it can release its compiled copy of the function text. Noted by Alexey Klyukin. Back-patch to 8.2 --- the problem exists further back, but this patch won't work without modification, and it's probably not worth the trouble. 29 November 2009, 21:02:22 UTC
2164a24 Michael Meskes 27 November 2009, 16:11:50 UTC Remove */ characters from declare cursor statements before putting them into a comment. 27 November 2009, 16:11:50 UTC
7c605d5 Peter Eisentraut 24 November 2009, 19:21:04 UTC Fix syntax in extract() examples Author: Erik Rijkers <er@xs4all.nl> 24 November 2009, 19:21:04 UTC
5e4b869 Heikki Linnakangas 23 November 2009, 09:58:51 UTC Fix an old bug in multixact and two-phase commit. Prepared transactions can be part of multixacts, so allocate a slot for each prepared transaction in the "oldest member" array in multixact.c. On PREPARE TRANSACTION, transfer the oldest member value from the current backends slot to the prepared xact slot. Also save and recover the value from the 2pc state file. The symptom of the bug was that after a transaction prepared, a shared lock still held by the prepared transaction was sometimes ignored by other transactions. Fix back to 8.1, where both 2PC and multixact were introduced. 23 November 2009, 09:58:51 UTC
1e925f4 Tom Lane 21 November 2009, 05:44:12 UTC Refactor ecpg grammar so that it uses the core grammar's unreserved_keyword list, minus a few specific words that have to be treated specially. This replaces a hard-wired list of keywords that would have needed manual maintenance, and was not getting it. The 8.4 coding was already missing these words, causing ecpg to incorrectly treat them as reserved words: CALLED, CATALOG, DEFINER, ENUM, FOLLOWING, INVOKER, OPTIONS, PARTITION, PRECEDING, RANGE, SECURITY, SERVER, UNBOUNDED, WRAPPER. In HEAD we were additionally missing COMMENTS, FUNCTIONS, SEQUENCES, TABLES. Per gripe from Bosco Rama. 21 November 2009, 05:44:12 UTC
00d144d Tom Lane 20 November 2009, 20:54:20 UTC Fix display and dumping of UPDATE OR TRUNCATE triggers (a bizarre combination maybe, but we should get it right). Bug noted while reviewing TRIGGER WHEN patch. Already fixed in HEAD. 20 November 2009, 20:54:20 UTC
cd5c42d Peter Eisentraut 19 November 2009, 22:05:49 UTC Typo: dump -> restore fixed in 8.4 and 8.5 Author: Guillaume Lelarge <guillaume@lelarge.info> 19 November 2009, 22:05:49 UTC
2951f8f Tom Lane 19 November 2009, 02:45:40 UTC Fix memory leak in syslogger: logfile_rotate() would leak a copy of the output filename if CSV logging was enabled and only one of the two possible output files got rotated during a particular call (which would, in fact, typically be the case during a size-based rotation). This would amount to about MAXPGPATH (1KB) per rotation, and it's been there since the CSV code was put in, so it's surprising that nobody noticed it before. Per bug #5196 from Thomas Poindessous. 19 November 2009, 02:45:40 UTC
1ec6548 Tom Lane 16 November 2009, 18:04:47 UTC While doing the final setrefs.c pass over a plan tree, try to match up non-Var sort/group expressions using ressortgroupref labels instead of depending entirely on equal()-ity of the upper node's tlist expressions to the lower node's. This avoids emitting the wrong outputs in cases where there are textually identical volatile sort/group expressions, as for example select distinct random(),random() from generate_series(1,10); Per report from Andrew Gierth. Backpatch to 8.4. Arguably this is wrong all the way back, but the only known case where there's an observable problem is when using hash aggregation to implement DISTINCT, which is new as of 8.4. So for the moment I'll refrain from backpatching further. 16 November 2009, 18:04:47 UTC
4272c87 Peter Eisentraut 15 November 2009, 13:55:42 UTC Make text search parser accept underscores in XML attributes (bug #5075) 15 November 2009, 13:55:42 UTC
8467f3c Magnus Hagander 14 November 2009, 15:39:45 UTC Add inheritable ACE when creating a restricted token for execution on Win32. Also refactor the code around it to be more clear. Jesse Morris 14 November 2009, 15:39:45 UTC
30137bd Heikki Linnakangas 13 November 2009, 19:48:26 UTC A better fix for the "ARRAY[...]::domain" problem. The previous patch worked, but the transformed ArrayExpr claimed to have a return type of "domain", even though the domain constraint was only checked by the enclosing CoerceToDomain node. With this fix, the ArrayExpr is correctly labeled with the base type of the domain. Per gripe by Tom Lane. 13 November 2009, 19:48:26 UTC
959af88 Heikki Linnakangas 13 November 2009, 16:09:20 UTC When you do "ARRAY[...]::domain", where domain is a domain over an array type, we need to check domain constraints. We used to do it correctly, but 8.4 introduced a separate code path for the "ARRAY[]::arraytype" case to infer the type of an empty ARRAY construct from the cast target, and forgot to take domains into account. Per report from Florian G. Pflug. 13 November 2009, 16:09:20 UTC
66ad0b3 Teodor Sigaev 13 November 2009, 11:17:22 UTC Fix multicolumn GIN's wrong results with fastupdate enabled. User-defined consistent functions believes the check array contains at least one true element which was not a true for scanning pending list. Per report from Yury Don <yura@vpcit.ru> 13 November 2009, 11:17:22 UTC
7a6aa85 Tom Lane 10 November 2009, 23:12:21 UTC Do not build psql's flex module on its own, but instead include it in mainloop.c. This ensures that postgres_fe.h is read before including any system headers, which is necessary to avoid problems on some platforms where we make nondefault selections of feature macros for stdio.h or other headers. We have had this policy for flex modules in the backend for many years, but for some reason it was not applied to psql. Per trouble report from Alexandra Roy and diagnosis by Albe Laurenz. 10 November 2009, 23:12:21 UTC
83d4698 Alvaro Herrera 10 November 2009, 18:00:30 UTC Fix longstanding problems in VACUUM caused by untimely interruptions In VACUUM FULL, an interrupt after the initial transaction has been recorded as committed can cause postmaster to restart with the following error message: PANIC: cannot abort transaction NNNN, it was already committed This problem has been reported many times. In lazy VACUUM, an interrupt after the table has been truncated by lazy_truncate_heap causes other backends' relcache to still point to the removed pages; this can cause future INSERT and UPDATE queries to error out with the following error message: could not read block XX of relation 1663/NNN/MMMM: read only 0 of 8192 bytes The window to this race condition is extremely narrow, but it has been seen in the wild involving a cancelled autovacuum process. The solution for both problems is to inhibit interrupts in both operations until after the respective transactions have been committed. It's not a complete solution, because the transaction could theoretically be aborted by some other error, but at least fixes the most common causes of both problems. 10 November 2009, 18:00:30 UTC
2c61405 Tom Lane 05 November 2009, 04:38:35 UTC Allow binary-coercible cases in ri_HashCompareOp; there are some such cases that are not handled by find_coercion_pathway, notably composite->RECORD. Now that 8.4 supports composites as primary keys, it's worth dealing with this case. 05 November 2009, 04:38:35 UTC
7433359 Heikki Linnakangas 04 November 2009, 12:51:36 UTC Disable triggering failover with a signal in pg_standby on Windows, because Windows doesn't do signal processing like other platforms do. It never really worked, but recent changes to the signal handling made it crash. This fixes bug #4961. Patch by Fujii Masao. 04 November 2009, 12:51:36 UTC
59052a5 Peter Eisentraut 03 November 2009, 08:59:16 UTC Fix obscure segfault condition in PL/Python In PLy_output(), when the elog() call in the TRY branch throws an exception (this can happen when a statement timeout kicks in, for example), the PyErr_SetString() call in the CATCH branch can cause a segfault, because the Py_XDECREF(so) call before it releases memory that is still used by the sv variable that PyErr_SetString() uses as argument, because sv points into memory owned by so. Backpatched back to 8.0, where this code was introduced. I also threw in a couple of volatile declarations for variables that are used before and after the TRY. I don't think they caused the crash that I observed, but they could become issues. 03 November 2009, 08:59:16 UTC
01adc8a Tom Lane 01 November 2009, 22:31:02 UTC Dept of second thoughts: after studying index_getnext() a bit more I realize that it can scribble on scan->xs_ctup.t_self while following HOT chains, so we can't rely on that to stay valid between hashgettuple() calls. Introduce a private variable in HashScanOpaque, instead. 01 November 2009, 22:31:02 UTC
891e225 Tom Lane 01 November 2009, 21:25:33 UTC Fix two serious bugs introduced into hash indexes by the 8.4 patch that made hash indexes keep entries sorted by hash value. First, the original plans for concurrency assumed that insertions would happen only at the end of a page, which is no longer true; this could cause scans to transiently fail to find index entries in the presence of concurrent insertions. We can compensate by teaching scans to re-find their position after re-acquiring read locks. Second, neither the bucket split nor the bucket compaction logic had been fixed to preserve hashvalue ordering, so application of either of those processes could lead to permanent corruption of an index, in the sense that searches might fail to find entries that are present. This patch fixes the split and compaction logic to preserve hashvalue ordering, but it cannot do anything about pre-existing corruption. We will need to recommend reindexing all hash indexes in the 8.4.2 release notes. To buy back the performance loss hereby induced in split and compaction, fix them to use PageIndexMultiDelete instead of retail PageIndexDelete operations. We might later want to do something with qsort'ing the page contents rather than doing a binary search for each insertion, but that seemed more invasive than I cared to risk in a back-patch. Per bug #5157 from Jeff Janes and subsequent investigation. 01 November 2009, 21:25:33 UTC
f175aed Tom Lane 31 October 2009, 18:12:05 UTC Ensure the previous Perl interpreter selection is restored upon exit from plperl_call_handler, in both the normal and error-exit paths. Per report from Alexey Klyukin. 31 October 2009, 18:12:05 UTC
3f5a482 Tom Lane 30 October 2009, 20:58:51 UTC Make the overflow guards in ExecChooseHashTableSize be more protective. The original coding ensured nbuckets and nbatch didn't exceed INT_MAX, which while not insane on its own terms did nothing to protect subsequent code like "palloc(nbatch * sizeof(BufFile *))". Since enormous join size estimates might well be planner error rather than reality, it seems best to constrain the initial sizes to be not more than work_mem/sizeof(pointer), thus ensuring the allocated arrays don't exceed work_mem. We will allow nbatch to get bigger than that during subsequent ExecHashIncreaseNumBatches calls, but we should still guard against integer overflow in those palloc requests. Per bug #5145 from Bernt Marius Johnsen. Although the given test case only seems to fail back to 8.2, previous releases have variants of this issue, so patch all supported branches. 30 October 2009, 20:58:51 UTC
4b53f16 Tom Lane 28 October 2009, 18:10:00 UTC Fix \df to re-allow regexp special characters in the function name pattern. This has always worked, up until somebody's thinko here: http://archives.postgresql.org/pgsql-committers/2009-04/msg00233.php Per bug #5143 from Piotr Wolinski. 28 October 2009, 18:10:00 UTC
f18a77a Tom Lane 27 October 2009, 20:14:33 UTC Fix AfterTriggerSaveEvent to use a test and elog, not just Assert, to check that it's called within an AfterTriggerBeginQuery/AfterTriggerEndQuery pair. The RI cascade triggers suppress that overhead on the assumption that they are always run non-deferred, so it's possible to violate the condition if someone mistakenly changes pg_trigger to mark such a trigger deferred. We don't really care about supporting that, but throwing an error instead of crashing seems desirable. Per report from Marcelo Costa. 27 October 2009, 20:14:33 UTC
bd02b48 Tom Lane 27 October 2009, 17:11:30 UTC Make FOR UPDATE/SHARE in the primary query not propagate into WITH queries; for example in WITH w AS (SELECT * FROM foo) SELECT * FROM w, bar ... FOR UPDATE the FOR UPDATE will now affect bar but not foo. This is more useful and consistent than the original 8.4 behavior, which tried to propagate FOR UPDATE into the WITH query but always failed due to assorted implementation restrictions. Even though we are in process of removing those restrictions, it seems correct on philosophical grounds to not let the outer query's FOR UPDATE affect the WITH query. In passing, fix isLockedRel which frequently got things wrong in nested-subquery cases: "FOR UPDATE OF foo" applies to an alias foo in the current query level, not subqueries. This has been broken for a long time, but it doesn't seem worth back-patching further than 8.4 because the actual consequences are minimal. At worst the parser would sometimes get RowShareLock on a relation when it should be AccessShareLock or vice versa. That would only make a difference if someone were using ExclusiveLock concurrently, which no standard operation does, and anyway FOR UPDATE doesn't result in visible changes so it's not clear that the someone would notice any problem. Between that and the fact that FOR UPDATE barely works with subqueries at all in existing releases, I'm not excited about worrying about it. 27 October 2009, 17:11:30 UTC
0dfba4e Alvaro Herrera 27 October 2009, 14:00:15 UTC Fix documentation on the toast.fillfactor reloption: it doesn't exist. Per note from Zoltan Boszormenyi. 27 October 2009, 14:00:15 UTC
8842800 Tom Lane 16 October 2009, 22:08:42 UTC Rewrite pam_passwd_conv_proc to be more robust: avoid assuming that the pam_message array contains exactly one PAM_PROMPT_ECHO_OFF message. Instead, deal with however many messages there are, and don't throw error for PAM_ERROR_MSG and PAM_TEXT_INFO messages. This logic is borrowed from openssh 5.2p1, which hopefully has seen more real-world PAM usage than we have. Per bug #5121 from Ryan Douglas, which turned out to be caused by the conv_proc being called with zero messages. Apparently that is normal behavior given the combination of Linux pam_krb5 with MS Active Directory as the domain controller. Patch all the way back, since this code has been essentially untouched since 7.4. (Surprising we've not heard complaints before.) 16 October 2009, 22:08:42 UTC
a04cb27 Heikki Linnakangas 16 October 2009, 10:38:55 UTC FREEZE and VERBOSE options were in wrong order in the VACUUM command that vacuumdb produces. Per report by Thom Brown. 16 October 2009, 10:38:55 UTC
3db362e Heikki Linnakangas 14 October 2009, 22:10:01 UTC Rename the new MAX_AUTH_TOKEN_LENGTH #define to PG_MAX_AUTH_MAX_TOKEN_LENGTH, to make it more obvious that it's a PostgreSQL internal limit, not something that comes from system header files. 14 October 2009, 22:10:01 UTC
bd62a21 Heikki Linnakangas 14 October 2009, 07:27:27 UTC Raise the maximum authentication token (Kerberos ticket) size in GSSAPI and SSPI athentication methods. While the old 2000 byte limit was more than enough for Unix Kerberos implementations, tickets issued by Windows Domain Controllers can be much larger. Ian Turner 14 October 2009, 07:27:27 UTC
3d70b5d Tom Lane 13 October 2009, 14:33:21 UTC Fix ts_stat's failure on empty tsvector. Also insert a couple of Asserts that check for stack overflow. Bogus coding appears to be new in 8.4 --- older releases had a much simpler algorithm here. Per bug #5111. 13 October 2009, 14:33:21 UTC
09a12ef Heikki Linnakangas 08 October 2009, 04:46:30 UTC Fix off-by-one bug in bitncmp(): When comparing a number of bits divisible by 8, bitncmp() may dereference a pointer one byte out of bounds. Chris Mikkelson (bug #5101) 08 October 2009, 04:46:30 UTC
4c7ac1a Alvaro Herrera 07 October 2009, 16:27:29 UTC Fix snapshot management, take two. Partially revert the previous patch I installed and replace it with a more general fix: any time a snapshot is pushed as Active, we need to ensure that it will not be modified in the future. This means that if the same snapshot is used as CurrentSnapshot, it needs to be copied separately. This affects serializable transactions only, because CurrentSnapshot has already been copied by RegisterSnapshot and so PushActiveSnapshot does not think it needs another copy. However, CommandCounterIncrement would modify CurrentSnapshot, whereas ActiveSnapshots must not have their command counters incremented. I say "partially" because the regression test I added for the previous bug has been kept. (This restores 8.3 behavior, because before snapmgr.c existed, any snapshot set as Active was copied.) Per bug report from Stuart Bishop in 6bc73d4c0910042358k3d1adff3qa36f8df75198ecea@mail.gmail.com 07 October 2009, 16:27:29 UTC
8e3384e Tom Lane 06 October 2009, 00:55:35 UTC Change CREATE TABLE so that column default expressions coming from different inheritance parent tables are compared using equal(), instead of doing strcmp() on the nodeToString representation. The old implementation was always a tad cheesy, and it finally fails completely as of 8.4, now that the node tree might contain syntax location information. equal() knows it's supposed to ignore those fields, but strcmp() hardly can. Per recent report from Scott Ribe. 06 October 2009, 00:55:35 UTC
83a6738 Tom Lane 03 October 2009, 20:04:45 UTC Fix assorted memory leaks in pg_hba.conf parsing. Over a sufficiently large number of SIGHUP cycles, these would have run the postmaster out of memory. Noted while testing memory-leak scenario in postgresql.conf configuration-change-printing patch. 03 October 2009, 20:04:45 UTC
70b533e Tom Lane 02 October 2009, 22:49:56 UTC Fix an oversight in an 8.3-era patch: pgstat_initstats should allow stats to be collected for sequences. Report and fix by Akira Kurosawa 02 October 2009, 22:49:56 UTC
c3110e4 Tom Lane 02 October 2009, 21:14:11 UTC Make sure that GIN fast-insert and regular code paths enforce the same tuple size limit. Improve the error message for index-tuple-too-large so that it includes the actual size, the limit, and the index name. Sync with the btree occurrences of the same error. Back-patch to 8.4 because it appears that the out-of-sync problem is occurring in the field. Teodor and Tom 02 October 2009, 21:14:11 UTC
ac317a8 Tom Lane 02 October 2009, 18:13:10 UTC Fix erroneous handling of shared dependencies (ie dependencies on roles) in CREATE OR REPLACE FUNCTION. The original code would update pg_shdepend as if a new function was being created, even if it wasn't, with two bad consequences: pg_shdepend might record the wrong owner for the function, and any dependencies for roles mentioned in the function's ACL would be lost. The fix is very easy: just don't touch pg_shdepend at all when doing a function replacement. Also update the CREATE FUNCTION reference page, which never explained exactly what changes and doesn't change in a function replacement. In passing, fix the CREATE VIEW reference page similarly; there's no code bug there, but the docs didn't say what happens. 02 October 2009, 18:13:10 UTC
ae35363 Alvaro Herrera 02 October 2009, 17:58:21 UTC Ensure that a cursor has an immutable snapshot throughout its lifespan. The old coding was using a regular snapshot, referenced elsewhere, that was subject to having its command counter updated. Fix by creating a private copy of the snapshot exclusively for the cursor. Backpatch to 8.4, which is when the bug was introduced during the snapshot management rewrite. 02 October 2009, 17:58:21 UTC
d4bd842 Tom Lane 29 September 2009, 01:20:55 UTC Fix equivclass.c's not-quite-right strategy for handling X=X clauses. The original coding correctly noted that these aren't just redundancies (they're effectively X IS NOT NULL, assuming = is strict). However, they got treated that way if X happened to be in a single-member EquivalenceClass already, which could happen if there was an ORDER BY X clause, for instance. The simplest and most reliable solution seems to be to not try to process such clauses through the EquivalenceClass machinery; just throw them back for traditional processing. The amount of work that'd be needed to be smarter than that seems out of proportion to the benefit. Per bug #5084 from Bernt Marius Johnsen, and analysis by Andrew Gierth. 29 September 2009, 01:20:55 UTC
38da75e Andrew Dunstan 28 September 2009, 17:30:56 UTC Convert a perl array to a postgres array when returned by Set Returning Functions as well as non SRFs. Backpatch to 8.1 where these facilities were introduced. with a little help from Abhijit Menon-Sen. 28 September 2009, 17:30:56 UTC
5136541 Tom Lane 26 September 2009, 18:24:55 UTC Fix RelationCacheInitializePhase2 (Phase3, in HEAD) to cope with the possibility of shared-inval messages causing a relcache flush while it tries to fill in missing data in preloaded relcache entries. There are actually two distinct failure modes here: 1. The flush could delete the next-to-be-processed cache entry, causing the subsequent hash_seq_search calls to go off into the weeds. This is the problem reported by Michael Brown, and I believe it also accounts for bug #5074. The simplest fix is to restart the hashtable scan after we've read any new data from the catalogs. It appears that pre-8.4 branches have not suffered from this failure, because by chance there were no other catalogs sharing the same hash chains with the catalogs that RelationCacheInitializePhase2 had work to do for. However that's obviously pretty fragile, and it seems possible that derivative versions with additional system catalogs might be vulnerable, so I'm back-patching this part of the fix anyway. 2. The flush could delete the *current* cache entry, in which case the pointer to the newly-loaded data would end up being stored into an already-deleted Relation struct. As long as it was still deleted, the only consequence would be some leaked space in CacheMemoryContext. But it seems possible that the Relation struct could already have been recycled, in which case this represents a hard-to-reproduce clobber of cached data structures, with unforeseeable consequences. The fix here is to pin the entry while we work on it. In passing, also change RelationCacheInitializePhase2 to Assert that formrdesc() set up the relation's cached TupleDesc (rd_att) with the correct type OID and hasoids values. This is more appropriate than silently updating the values, because the original tupdesc might already have been copied into the catcache. However this part of the patch is not in HEAD because it fails due to some questionable recent changes in formrdesc :-(. That will be cleaned up in a subsequent patch. 26 September 2009, 18:24:55 UTC
ddf8b77 Tom Lane 22 September 2009, 15:46:43 UTC Fix crash if a DROP is attempted on an internally-dependent object. Introduced in 8.4 rewrite of dependency.c. Per bug #5072 from Amit Khandekar. 22 September 2009, 15:46:43 UTC
3141a43 Bruce Momjian 21 September 2009, 20:21:02 UTC fsync test files Prevent creation of 16GB files during fsync testing; only create 16MB files; backpatch to 8.4.X. 21 September 2009, 20:21:02 UTC
4853c1e Tom Lane 18 September 2009, 20:01:18 UTC A bit more wordsmithing on the COPY CSV NULL business. 18 September 2009, 20:01:18 UTC
8cc1c8c Teodor Sigaev 18 September 2009, 14:02:40 UTC Fix incorrect arguments for gist_box_penalty call. The bug could be observed only for secondary page split (i.e. for non-first columns of index) Patch by Paul Ramsey <pramsey@opengeo.org> 18 September 2009, 14:02:40 UTC
541569c Bruce Momjian 17 September 2009, 21:49:22 UTC CSV NULL Documentation Update docs to clearly explain NULL value matching behavior, per Andrew. Backpatch to 8.4.X. 17 September 2009, 21:49:22 UTC
77b2388 Bruce Momjian 17 September 2009, 21:28:30 UTC CVS NULL Documentation Clearify documentation of CVS's output of NULL values, per suggestion from Magnus. Backpatch to 8.4.X. 17 September 2009, 21:28:30 UTC
010394d Tom Lane 15 September 2009, 20:31:35 UTC Fix two distinct errors in creation of GIN_INSERT_LISTPAGE xlog records. In practice these mistakes were always masked when full_page_writes was on, because XLogInsert would always choose to log the full page, and then ginRedoInsertListPage wouldn't try to do anything. But with full_page_writes off a WAL replay failure was certain. The GIN_INSERT_LISTPAGE record type could probably be eliminated entirely in favor of using XLOG_HEAP_NEWPAGE, but I refrained from doing that now since it would have required a significantly more invasive patch. In passing do a little bit of code cleanup, including making the accounting for free space on GIN list pages more precise. (This wasn't a bug as the errors were always in the conservative direction.) Per report from Simon. Back-patch to 8.4 which contains the identical code. 15 September 2009, 20:31:35 UTC
524f701 Heikki Linnakangas 13 September 2009, 18:32:17 UTC Don't error out if recycling or removing an old WAL segment fails at the end of checkpoint. Although the checkpoint has been written to WAL at that point already, so that all data is safe, and we'll retry removing the WAL segment at the next checkpoint, if such a failure persists we won't be able to remove any other old WAL segments either and will eventually run out of disk space. It's better to treat the failure as non-fatal, and move on to clean any other WAL segment and continue with any other end-of-checkpoint cleanup. We don't normally expect any such failures, but on Windows it can happen with some anti-virus or backup software that lock files without FILE_SHARE_DELETE flag. Also, the loop in pgrename() to retry when the file is locked was broken. If a file is locked on Windows, you get ERROR_SHARE_VIOLATION, not ERROR_ACCESS_DENIED, at least on modern versions. Fix that, although I left the check for ERROR_ACCESS_DENIED in there as well (presumably it was correct in some environment), and added ERROR_LOCK_VIOLATION to be consistent with similar checks in pgwin32_open(). Reduce the timeout on the loop from 30s to 10s, on the grounds that since it's been broken, we've effectively had a timeout of 0s and no-one has complained, so a smaller timeout is actually closer to the old behavior. A longer timeout would mean that if recycling a WAL file fails because it's locked for some reason, InstallXLogFileSegment() will hold ControlFileLock for longer, potentially blocking other backends, so a long timeout isn't totally harmless. While we're at it, set errno correctly in pgrename(). Backpatch to 8.2, which is the oldest version supported on Windows. The xlog.c changes would make sense on other platforms and thus on older versions as well, but since there's no such locking issues on other platforms, it's not worth it. 13 September 2009, 18:32:17 UTC
0daae1a Joe Conway 12 September 2009, 23:21:13 UTC plug dblink resource leak dblink generates orphaned connections when called with a connection string, fail_on_error = true, and an ERROR occurs. Discovery and patch by Tatsuhito Kasahara. Introduced in 8.4. 12 September 2009, 23:21:13 UTC
3a3c2cd Tom Lane 12 September 2009, 00:05:07 UTC Fix assertion failure when a SELECT DISTINCT ON expression is volatile. In this case we generate two PathKey references to the expression (one for DISTINCT and one for ORDER BY) and they really need to refer to the same EquivalenceClass. However get_eclass_for_sort_expr was being overly paranoid and creating two different EC's. Correct behavior is to use the SortGroupRef index to decide whether two references to volatile expressions that are equal() (ie textually equivalent) should be considered the same. Backpatch to 8.4. Possibly this should be changed in 8.3 as well, but I'll refrain in the absence of evidence of a visible failure in that branch. Per bug #5049. 12 September 2009, 00:05:07 UTC
96ca52d Heikki Linnakangas 10 September 2009, 09:42:29 UTC On Windows, when a file is deleted and another process still has an open file handle on it, the file goes into "pending deletion" state where it still shows up in directory listing, but isn't accessible otherwise. That confuses RemoveOldXLogFiles(), making it think that the file hasn't been archived yet, while it actually was, and it was deleted along with the .done file. Fix that by renaming the file with ".deleted" extension before deleting it. Also check the return value of rename() and unlink(), so that if the removal fails for any reason (e.g another process is holding the file locked), we don't delete the .done file until the WAL file is really gone. Backpatch to 8.2, which is the oldest version supported on Windows. 10 September 2009, 09:42:29 UTC
9ed9ac5 Tom Lane 09 September 2009, 03:33:01 UTC Fix bug with WITH RECURSIVE immediately inside WITH RECURSIVE. 99% of the code was already okay with this, but the hack that obtained the output column types of a recursive union in advance of doing real parse analysis of the recursive union forgot to handle the case where there was an inner WITH clause available to the non-recursive term. Best fix seems to be to refactor so that we don't need the "throwaway" parse analysis step at all. Instead, teach the transformSetOperationStmt code to set up the CTE's output column information after it's processed the non-recursive term normally. Per report from David Fetter. 09 September 2009, 03:33:01 UTC
3385dcc Tom Lane 08 September 2009, 04:25:14 UTC Remove outside-the-scanner references to "yyleng". It seems the flex developers have decided to change yyleng from int to size_t. This has already happened in the latest release of OS X, and will start happening elsewhere once the next release of flex appears. Rather than trying to divine how it's declared in any particular build, let's just remove the one existing not-very-necessary external usage. Back-patch to all supported branches; not so much because users in the field are likely to care about building old branches with cutting-edge flex, as to keep OSX-based buildfarm members from having problems with old branches. 08 September 2009, 04:25:14 UTC
2b893f6 Tom Lane 06 September 2009, 15:25:31 UTC Update the tznames reference files, and add IDT (Israel Daylight Time) to the Default timezone abbreviation set. Back-port the the current file set to all branches that contain tznames. This includes adding SGT to the Default set in pre-8.4 releases. Joachim Wieland 06 September 2009, 15:25:31 UTC
d53bbbc Tom Lane 05 September 2009, 21:14:13 UTC Put back "ifeq ($(PORTNAME), solaris)", this time with some documentation of why it's not as broken as it appears on first glance. 05 September 2009, 21:14:13 UTC
71c4a7b Tom Lane 04 September 2009, 23:11:10 UTC Revert ill-considered restriction of dtrace support to Solaris only. 04 September 2009, 23:11:10 UTC
a3cd02e Heikki Linnakangas 04 September 2009, 10:49:43 UTC Fix encoding handling in xml binary input function. If the XML header didn't specify an encoding explicitly, we used to treat it as being in database encoding when we parsed it, but then perform a UTF-8 -> database encoding conversion on it, which was completely bogus. It's now consistently treated as UTF-8. 04 September 2009, 10:49:43 UTC
6883b7d Marc G. Fournier 04 September 2009, 00:36:51 UTC Tag 8.4.1 04 September 2009, 00:36:51 UTC
b58a4b2 Tom Lane 03 September 2009, 22:13:58 UTC Final updates of release notes for 8.4.1, 8.3.8, 8.2.14, 8.1.18, 8.0.22, 7.4.26. 03 September 2009, 22:13:58 UTC
57710f3 Tom Lane 03 September 2009, 22:11:13 UTC Make LOAD of an already-loaded library into a no-op, instead of attempting to unload and re-load the library. The difficulty with unloading a library is that we haven't defined safe protocols for doing so. In particular, there's no safe mechanism for getting out of a "hook" function pointer unless libraries are unloaded in reverse order of loading. And there's no mechanism at all for undefining a custom GUC variable, so GUC would be left with a pointer to an old value that might or might not still be valid, and very possibly wouldn't be in the same place anymore. While the unload and reload behavior had some usefulness in easing development of new loadable libraries, it's of no use whatever to normal users, so just disabling it isn't giving up that much. Someday we might care to expend the effort to develop safe unload protocols; but even if we did, there'd be little certainty that every third-party loadable module was following them, so some security restrictions would still be needed. Back-patch to 8.2; before that, LOAD was superuser-only anyway. Security: unprivileged users could crash backend. CVE not assigned yet 03 September 2009, 22:11:13 UTC
4fd4bf4 Tom Lane 03 September 2009, 22:08:14 UTC Disallow RESET ROLE and RESET SESSION AUTHORIZATION inside security-definer functions. This extends the previous patch that forbade SETting these variables inside security-definer functions. RESET is equally a security hole, since it would allow regaining privileges of the caller; furthermore it can trigger Assert failures and perhaps other internal errors, since the code is not expecting these variables to change in such contexts. The previous patch did not cover this case because assign hooks don't really have enough information, so move the responsibility for preventing this into guc.c. Problem discovered by Heikki Linnakangas. Security: no CVE assigned yet, extends CVE-2007-6600 03 September 2009, 22:08:14 UTC
3e24409 Peter Eisentraut 03 September 2009, 21:01:26 UTC Translation updates 03 September 2009, 21:01:26 UTC
828fc43 Tom Lane 03 September 2009, 18:48:21 UTC Install a workaround for a longstanding gcc bug that allows SIGFPE traps to occur for division by zero, even though the code is carefully avoiding that. All available evidence is that the only functions affected are int24div, int48div, and int28div, so patch just those three functions to include a "return" after the ereport() call. Backpatch to 8.4 so that the fix can be tested in production builds. For older branches our recommendation will continue to be to use -O1 on affected platforms (which are mostly non-mainstream anyway). 03 September 2009, 18:48:21 UTC
0f240ce Tom Lane 03 September 2009, 04:44:43 UTC Update time zone data files to tzdata release 2009l: DST law changes in Egypt, Mauritius, Bangladesh. 03 September 2009, 04:44:43 UTC
2bdd765 Tom Lane 02 September 2009, 17:52:33 UTC Fix subquery pullup to wrap a PlaceHolderVar around the entire RowExpr that's generated for a whole-row Var referencing the subquery, when the subquery is in the nullable side of an outer join. The previous coding instead put PlaceHolderVars around the elements of the RowExpr. The effect was that when the outer join made the subquery outputs go to null, the whole-row Var produced ROW(NULL,NULL,...) rather than just NULL. There are arguments afoot about whether those things ought to be semantically indistinguishable, but for the moment they are not entirely so, and the planner needs to take care that its machinations preserve the difference. Per bug #5025. Making this feasible required refactoring ResolveNew() to allow more caller control over what is substituted for a Var. I chose to make ResolveNew() a wrapper around a new general-purpose function replace_rte_variables(). I also fixed the ancient bogosity that ResolveNew might fail to set a query's hasSubLinks field after inserting a SubLink in it. Although all current callers make sure that happens anyway, we've had bugs of that sort before, and it seemed like a good time to install a proper solution. Back-patch to 8.4. The problem can be demonstrated clear back to 8.0, but the fix would be too invasive in earlier branches; not to mention that people may be depending on the subtly-incorrect behavior. The 8.4 series is new enough that fixing this probably won't cause complaints, but it might in older branches. Also, 8.4 shows the incorrect behavior in more cases than older branches do, because it is able to flatten subqueries in more cases. 02 September 2009, 17:52:33 UTC
9a6313f Tom Lane 02 September 2009, 02:40:59 UTC Fix pg_ctl's readfile() to not go into infinite loop on an empty file (could happen if either postgresql.conf or postmaster.opts is empty). It's been broken since the C version was written for 8.0, so patch all the way back. initdb's copy of the function is broken in the same way, but it's less important there since the input files should never be empty. Patch that in HEAD only, and also fix some cosmetic differences that crept into that copy of the function. Per report from Corry Haines and Jeff Davis. 02 September 2009, 02:40:59 UTC
ba53172 Tom Lane 30 August 2009, 16:53:37 UTC Remove duplicate variable initializations identified by clang static checker. One of these represents a nontrivial bug (a promptly-leaked palloc), so backpatch. Greg Stark 30 August 2009, 16:53:37 UTC
3f2fa30 Tom Lane 27 August 2009, 20:08:12 UTC Modify the definition of window-function PARTITION BY and ORDER BY clauses so that their elements are always taken as simple expressions over the query's input columns. It originally seemed like a good idea to make them act exactly like GROUP BY and ORDER BY, right down to the SQL92-era behavior of accepting output column names or numbers. However, that was not such a great idea, for two reasons: 1. It permits circular references, as exhibited in bug #5018: the output column could be the one containing the window function itself. (We actually had a regression test case illustrating this, but nobody thought twice about how confusing that would be.) 2. It doesn't seem like a good idea for, eg, "lead(foo) OVER (ORDER BY foo)" to potentially use two completely different meanings for "foo". Accordingly, narrow down the behavior of window clauses to use only the SQL99-compliant interpretation that the expressions are simple expressions. 27 August 2009, 20:08:12 UTC
6c593b9 Alvaro Herrera 27 August 2009, 20:05:46 UTC Fix broken markup Jan Urbański 27 August 2009, 20:05:46 UTC
b78b4d5 Alvaro Herrera 27 August 2009, 17:19:31 UTC Fix handling of autovacuum reloptions. In the original coding, setting a single reloption would cause default values to be used for all the other reloptions. This is a problem particularly for autovacuum reloptions. Itagaki Takahiro 27 August 2009, 17:19:31 UTC
593810f Heikki Linnakangas 27 August 2009, 07:18:04 UTC In the checkpoint written at the end of archive recovery, the WAL page header was incorrectly initialized with timeline ID 0. That rendered the WAL page unrecoverable, making a subsequent archive recovery stop at that point. ThisTimeLineID needs to be initialized before calling AdvanceXLInsertBuffer(). This fixes bug #5011 reported by James Bardin. Backpatch to 8.4, as the bug was introduced by the changes to use of bgwriter for writing the end-of-archive-recovery checkpoint. Patch by Tom Lane. 27 August 2009, 07:18:04 UTC
95ac06c Bruce Momjian 27 August 2009, 01:27:43 UTC Update release notes for 7.4.26, 8.0.22, 8.1.18, 8.2.14, 8.3.8, 8.4.1. 27 August 2009, 01:27:43 UTC
824e0e4 Tom Lane 24 August 2009, 20:08:40 UTC Try to make silent_mode behave somewhat reasonably. Instead of sending stdout/stderr to /dev/null after forking away from the terminal, send them to postmaster.log within the data directory. Since this opens the door to indefinite logfile bloat, recommend even more strongly that log output be redirected when using silent_mode. Move the postmaster's initial calls of load_hba() and load_ident() down to after we have started the log collector, if we are going to. This is so that errors reported by them will appear in the "usual" place. Reclassify silent_mode as a LOGGING_WHERE, not LOGGING_WHEN, parameter, since it's got absolutely nothing to do with the latter category. In passing, fix some obsolete references to -S ... this option hasn't had that switch letter for a long time. Back-patch to 8.4, since as of 8.4 load_hba() and load_ident() are more picky (and thus more likely to fail) than they used to be. This entire change was driven by a complaint about those errors disappearing into the bit bucket. 24 August 2009, 20:08:40 UTC
1651dfc Tom Lane 24 August 2009, 18:09:54 UTC Small correction to previous patch: we shouldn't ReleasePostmasterChildSlot for a dead_end child, because we didn't AssignPostmasterChildSlot. 24 August 2009, 18:09:54 UTC
6887067 Alvaro Herrera 24 August 2009, 17:23:17 UTC Avoid calling kill() in a postmaster signal handler. This causes problems when the system load is high, per report from Zdenek Kotala in <1250860954.1239.114.camel@localhost>; instead of calling kill directly, have the signal handler set a flag which is checked in ServerLoop. This way, the handler can return before being called again by a subsequent signal sent from the autovacuum launcher. Also, increase the sleep in the launcher in this failure path to 1 second. Backpatch to 8.3, which is when the signalling between autovacuum launcher/postmaster was introduced. Also, add a couple of ReleasePostmasterChildSlot calls in error paths; this part backpatched to 8.4 which is when the child slot stuff was introduced. 24 August 2009, 17:23:17 UTC
3600e4c Tom Lane 24 August 2009, 16:18:19 UTC Fix inclusions of readline/editline header files so that we only attempt to #include the version of history.h that is in the same directory as the readline.h we are using. This avoids problems in some scenarios where both readline and editline are installed. Report and patch by Zdenek Kotala. 24 August 2009, 16:18:19 UTC
fedb166 Tom Lane 24 August 2009, 02:18:40 UTC Fix a violation of WAL coding rules in the recent patch to include an "all tuples visible" flag in heap page headers. The flag update *must* be applied before calling XLogInsert, but heap_update and the tuple moving routines in VACUUM FULL were ignoring this rule. A crash and replay could therefore leave the flag incorrectly set, causing rows to appear visible in seqscans when they should not be. This might explain recent reports of data corruption from Jeff Ross and others. In passing, do a bit of editorialization on comments in visibilitymap.c. 24 August 2009, 02:18:40 UTC
2acb2bc Tom Lane 23 August 2009, 18:26:15 UTC Tweak ExecIndexEvalRuntimeKeys to forcibly detoast any toasted comparison values before they get passed to the index access method. This avoids repeated detoastings that will otherwise ensue as the comparison value is examined by various index support functions. We have seen a couple of reports of cases where repeated detoastings result in an order-of-magnitude slowdown, so it seems worth adding a bit of extra logic to prevent this. I had previously proposed trying to avoid duplicate detoastings in general, but this fix takes care of what seems the most important case in practice with very little effort or risk. Back-patch to 8.4 so that the PostGIS folk won't have to wait a year to have this fix in a production release. (The issue exists further back, of course, but the code's diverged enough to make backpatching further a higher-risk action. Also it appears that the possible gains may be limited in prior releases because of different handling of lossy operators.) 23 August 2009, 18:26:15 UTC
977c777 Tom Lane 18 August 2009, 21:23:21 UTC Fix overflow for INTERVAL 'x ms' where x is more than a couple million, and integer datetimes are in use. Per bug report from Hubert Depesz Lubaczewski. Alex Hunsaker 18 August 2009, 21:23:21 UTC
55ea948 Tom Lane 16 August 2009, 19:55:28 UTC Fix imprecise documentation of random(): it never returns 1.0. This was changed in 8.2 but the documentation was not corrected. Per gripe from Sam Mason. 16 August 2009, 19:55:28 UTC
ef75f74 Tom Lane 16 August 2009, 18:14:39 UTC Fix incorrect encoding-aware name truncation in makeArrayTypeName(). truncate_identifier won't do anything if the passed-in strlen is already less than NAMEDATALEN, which it always would be given the strlcpy usage. This has been broken since the arrays-of-composite-types code went in. Arguably truncate_identifier is suffering from excessive optimization and should always process the string, but for the moment I'll take the more localized patch. Per bug #4987. 16 August 2009, 18:14:39 UTC
08d1d61 Bruce Momjian 15 August 2009, 19:33:29 UTC Remove tab in SGML. 15 August 2009, 19:33:29 UTC
69eab4e Tom Lane 13 August 2009, 16:53:15 UTC Put back adjust_appendrel_attrs()'s code for dealing with RestrictInfo. I mistakenly removed it last month, thinking it was no longer needed --- but it is still needed for dealing with joininfo lists. Fortunately this bit of brain fade hadn't made it into any released versions yet. 13 August 2009, 16:53:15 UTC
back to top