Commit Graph

22323 Commits

Author SHA1 Message Date
Marc G. Fournier
b196a71d88 Tag 8.1.23. 2010-12-13 23:52:30 -04:00
Marc G. Fournier
6de5df1f87 Tag 8.1.23. 2010-12-13 23:06:55 -04:00
Tom Lane
e8b1dd7a67 Update release notes for releases 9.0.2, 8.4.6, 8.3.13, 8.2.19, and 8.1.23. 2010-12-13 20:23:51 -05:00
Peter Eisentraut
f512575500 Translation updates for release 8.1.23 2010-12-13 22:29:08 +02:00
Tom Lane
3d574824fe Update time zone data files to tzdata release 2010o: DST law changes in
Fiji and Samoa.  Historical corrections for Hong Kong.
2010-12-13 12:43:41 -05:00
Tom Lane
6b2c0eab1f Force default wal_sync_method to be fdatasync on Linux.
Recent versions of the Linux system header files cause xlogdefs.h to
believe that open_datasync should be the default sync method, whereas
formerly fdatasync was the default on Linux.  open_datasync is a bad
choice, first because it doesn't actually outperform fdatasync (in fact
the reverse), and second because we try to use O_DIRECT with it, causing
failures on certain filesystems (e.g., ext4 with data=journal option).
This part of the patch is largely per a proposal from Marti Raudsepp.
More extensive changes are likely to follow in HEAD, but this is as much
change as we want to back-patch.

Also clean up confusing code and incorrect documentation surrounding the
fsync_writethrough option.  Those changes shouldn't result in any actual
behavioral change, but I chose to back-patch them anyway to keep the
branches looking similar in this area.

In 9.0 and HEAD, also do some copy-editing on the WAL Reliability
documentation section.

Back-patch to all supported branches, since any of them might get used
on modern Linux versions.
2010-12-08 20:01:33 -05:00
Tom Lane
0ae63a4fb2 Add a stack overflow check to copyObject().
There are some code paths, such as SPI_execute(), where we invoke
copyObject() on raw parse trees before doing parse analysis on them.  Since
the bison grammar is capable of building heavily nested parsetrees while
itself using only minimal stack depth, this means that copyObject() can be
the front-line function that hits stack overflow before anything else does.
Accordingly, it had better have a check_stack_depth() call.  I did a bit of
performance testing and found that this slows down copyObject() by only a
few percent, so the hit ought to be negligible in the context of complete
processing of a query.

Per off-list report from Toshihide Katayama.  Back-patch to all supported
branches.
2010-12-06 22:56:12 -05:00
Tom Lane
8a6eb2ee98 Prevent inlining a SQL function with multiple OUT parameters.
There were corner cases in which the planner would attempt to inline such
a function, which would result in a failure at runtime due to loss of
information about exactly what the result record type is.  Fix by disabling
inlining when the function's recorded result type is RECORD.  There might
be some sub-cases where inlining could still be allowed, but this is a
simple and backpatchable fix, so leave refinements for another day.
Per bug #5777 from Nate Carson.

Back-patch to all supported branches.  8.1 happens to avoid a core-dump
here, but it still does the wrong thing.
2010-12-01 00:53:44 -05:00
Tom Lane
35a3def7b2 Fix significant memory leak in contrib/xml2 functions.
Most of the functions that execute XPath queries leaked the data structures
created by libxml2.  This memory would not be recovered until end of
session, so it mounts up pretty quickly in any serious use of the feature.
Per report from Pavel Stehule, though this isn't his patch.

Back-patch to all supported branches.
2010-11-26 15:21:12 -05:00
Itagaki Takahiro
268da29219 Don't raise "identifier will be truncated" messages in dblink
except creating new connections.
2010-11-26 18:10:00 +09:00
Heikki Linnakangas
acbffaa77d The GiST scan algorithm uses LSNs to detect concurrent pages splits, but
temporary indexes are not WAL-logged. We used a constant LSN for temporary
indexes, on the assumption that we don't need to worry about concurrent page
splits in temporary indexes because they're only visible to the current
session. But that assumption is wrong, it's possible to insert rows and
split pages in the same session, while a scan is in progress. For example,
by opening a cursor and fetching some rows, and INSERTing new rows before
fetching some more.

Fix by generating fake increasing LSNs, used in place of real LSNs in
temporary GiST indexes.
2010-11-16 11:25:17 +02:00
Robert Haas
0e27a73191 Fix bug in cube picksplit algorithm.
Alexander Korotkov
2010-11-14 21:29:29 -05:00
Tom Lane
40da2c778c Add missing outfuncs.c support for struct InhRelation.
This is needed to support debug_print_parse, per report from Jon Nelson.
Cursory testing via the regression tests suggests we aren't missing
anything else.
2010-11-13 00:35:13 -05:00
Tom Lane
faea083531 Fix old oversight in const-simplification of COALESCE() expressions.
Once we have found a non-null constant argument, there is no need to
examine additional arguments of the COALESCE.  The previous coding got it
right only if the constant was in the first argument position; otherwise
it tried to simplify following arguments too, leading to unexpected
behavior like this:

regression=# select coalesce(f1, 42, 1/0) from int4_tbl;
ERROR:  division by zero

It's a minor corner case, but a bug is a bug, so back-patch all the way.
2010-11-12 15:19:08 -05:00
Heikki Linnakangas
f5cf3ce7a4 Fix bug introduced by the recent patch to check that the checkpoint redo
location read from backup label file can be found: wasShutdown was set
incorrectly when a backup label file was found.

Jeff Davis, with a little tweaking by me.
2010-11-11 19:31:47 +02:00
Tom Lane
5154ebad98 Fix line_construct_pm() for the case of "infinite" (DBL_MAX) slope.
This code was just plain wrong: what you got was not a line through the
given point but a line almost indistinguishable from the Y-axis, although
not truly vertical.  The only caller that tries to use this function with
m == DBL_MAX is dist_ps_internal for the case where the lseg is horizontal;
it would end up producing the distance from the given point to the place
where the lseg's line crosses the Y-axis.  That function is used by other
operators too, so there are several operators that could compute wrong
distances from a line segment to something else.  Per bug #5745 from
jindiax.

Back-patch to all supported branches.
2010-11-10 16:55:07 -05:00
Tom Lane
1d5edff1b0 Repair memory leakage while ANALYZE-ing complex index expressions.
The general design of memory management in Postgres is that intermediate
results computed by an expression are not freed until the end of the tuple
cycle.  For expression indexes, ANALYZE has to re-evaluate each expression
for each of its sample rows, and it wasn't bothering to free intermediate
results until the end of processing of that index.  This could lead to very
substantial leakage if the intermediate results were large, as in a recent
example from Jakub Ouhrabka.  Fix by doing ResetExprContext for each sample
row.  This necessitates adding a datumCopy step to ensure that the final
expression value isn't recycled too.  Some quick testing suggests that this
change adds at worst about 10% to the time needed to analyze a table with
an expression index; which is annoying, but seems a tolerable price to pay
to avoid unexpected out-of-memory problems.

Back-patch to all supported branches.
2010-11-09 11:51:19 -05:00
Tom Lane
17b38fae86 Add support for detecting register-stack overrun on IA64.
Per recent investigation, the register stack can grow faster than the
regular stack depending on compiler and choice of options.  To avoid
crashes we must check both stacks in check_stack_depth().

Back-patch to all supported versions.
2010-11-06 22:59:31 -04:00
Tom Lane
9f22a3f091 Reduce recursion depth in recently-added regression test.
Some buildfarm members fail the test with the original depth of 10 levels,
apparently because they are running at the minimum max_stack_depth setting
of 100kB and using ~ 10k per recursion level.  While it might be
interesting to try to figure out why they're eating so much stack, it isn't
likely that any fix for that would be back-patchable.  So just change the
test to recurse only 5 levels.  The extra levels don't prove anything
correctness-wise anyway.
2010-11-03 13:42:24 -04:00
Tom Lane
2868b0cbe0 Ensure an index that uses a whole-row Var still depends on its table.
We failed to record any dependency on the underlying table for an index
declared like "create index i on t (foo(t.*))".  This would create trouble
if the table were dropped without previously dropping the index.  To fix,
simplify some overly-cute code in index_create(), accepting the possibility
that sometimes the whole-table dependency will be redundant.  Also document
this hazard in dependency.c.  Per report from Kevin Grittner.

In passing, prevent a core dump in pg_get_indexdef() if the index's table
can't be found.  I came across this while experimenting with Kevin's
example.  Not sure it's a real issue when the catalogs aren't corrupt, but
might as well be cautious.

Back-patch to all supported versions.
2010-11-02 17:15:35 -04:00
Tom Lane
c0486e9dea Fix plpgsql's handling of "simple" expression evaluation.
In general, expression execution state trees aren't re-entrantly usable,
since functions can store private state information in them.
For efficiency reasons, plpgsql tries to cache and reuse state trees for
"simple" expressions.  It can get away with that most of the time, but it
can fail if the state tree is dirty from a previous failed execution (as
in an example from Alvaro) or is being used recursively (as noted by me).

Fix by tracking whether a state tree is in use, and falling back to the
"non-simple" code path if so.  This results in a pretty considerable speed
hit when the non-simple path is taken, but the available alternatives seem
even more unpleasant because they add overhead in the simple path.  Per
idea from Heikki.

Back-patch to all supported branches.
2010-10-28 13:01:28 -04:00
Heikki Linnakangas
35b66df6e7 Before removing backup_label and irrevocably changing pg_control file, check
that WAL file containing the checkpoint redo-location can be found. This
avoids making the cluster irrecoverable if the redo location is in an earlie
WAL file than the checkpoint record.

Report, analysis and patch by Jeff Davis, with small changes by me.
2010-10-26 21:41:21 +03:00
Heikki Linnakangas
62f86b32ea If pk is NULL, the backend would segfault when accessing ->algo and the
following NULL check was never reached.

This problem was found by Coccinelle (null_ref.cocci from coccicheck).

Marti Raudsepp
2010-10-20 22:28:34 +03:00
Robert Haas
04daad28c8 Warn that views can be safely used to hide columns, but not rows. 2010-10-08 09:19:22 -04:00
Marc G. Fournier
d6d7926cd1 Tag 8.1.22 2010-10-01 10:37:59 -03:00
Tom Lane
329d7554a6 Use a separate interpreter for each calling SQL userid in plperl and pltcl.
There are numerous methods by which a Perl or Tcl function can subvert
the behavior of another such function executed later; for example, by
redefining standard functions or operators called by the target function.
If the target function is SECURITY DEFINER, or is called by such a
function, this means that any ordinary SQL user with Perl or Tcl language
usage rights can do essentially anything with the privileges of the target
function's owner.

To close this security hole, create a separate Perl or Tcl interpreter for
each SQL userid under which plperl or pltcl functions are executed within
a session.  However, all plperlu or pltclu functions run within a session
still share a single interpreter, since they all execute at the trust
level of a database superuser anyway.

Note: this change results in a functionality loss when libperl has been
built without the "multiplicity" option: it's no longer possible to call
plperl functions under different userids in one session, since such a
libperl can't support multiple interpreters in one process.  However, such
a libperl already failed to support concurrent use of plperl and plperlu,
so it's likely that few people use such versions with Postgres.

Security: CVE-2010-3433
2010-09-30 17:21:59 -04:00
Peter Eisentraut
51b69efc28 Translation updates for 8.1.22 2010-09-30 22:15:37 +03:00
Tom Lane
10fbaf0f94 Update release notes for releases 9.0.1, 8.4.5, 8.3.12, 8.2.18, 8.1.22,
8.0.26, and 7.4.30.
2010-09-30 14:27:51 -04:00
Tom Lane
3c2da80df6 Further fixes to the pg_get_expr() security fix in back branches.
It now emerges that the JDBC driver expects to be able to use pg_get_expr()
on an output of a sub-SELECT.  So extend the check logic to be able to recurse
into a sub-SELECT to see if the argument is ultimately coming from an
appropriate column.  Per report from Thomas Kellerer.
2010-09-25 16:39:44 -04:00
Tom Lane
5efa1444e6 Still more .gitignore cleanup.
Fix overly-enthusiastic ignores, as identified by
git ls-files -i --exclude-standard
2010-09-24 13:48:37 -04:00
Robert Haas
cf497cbdf2 Add contrib/xml2/pgxml.sql to .gitignore
Kevin Grittner
2010-09-23 22:08:30 -04:00
Tom Lane
511449d40f Prevent show_session_authorization from crashing when session_authorization
hasn't been set.

The only known case where this can happen is when show_session_authorization
is invoked in an autovacuum process, which is possible if an index function
calls it, as for example in bug #5669 from Andrew Geery.  We could perhaps
try to return a sensible value, such as the name of the cluster-owning
superuser; but that seems like much more trouble than the case is worth,
and in any case it could create new possible failure modes.  Simply
returning an empty string seems like the most appropriate fix.

Back-patch to all supported versions, even those before autovacuum, just
in case there's another way to provoke this crash.
2010-09-23 16:53:42 -04:00
Tom Lane
4e2e9f27dd More fixes for libpq's .gitignore file.
The previous patches failed to cover a lot of symlinks that are only
added in platform-specific cases.  Make the lists match what's in the
Makefile for each branch.
2010-09-22 22:32:54 -04:00
Tom Lane
7c192c9193 Do some copy-editing on the Git usage docs. 2010-09-22 20:22:55 -04:00
Tom Lane
2e75e7082d Fix documentation gitignore for pre-9.0 doc build methods. 2010-09-22 18:26:29 -04:00
Tom Lane
f02f7c4c93 Some more gitignore cleanups: cover contrib and PL regression test outputs.
Also do some further work in the back branches, where quite a bit wasn't
covered by Magnus' original back-patch.
2010-09-22 17:22:18 -04:00
Magnus Hagander
706a5809b9 Remove anonymous cvs instructions, and replace them with instructions
for git. Change other references from cvs to git as well.
2010-09-22 20:48:47 +02:00
Magnus Hagander
3fb50a7288 Convert cvsignore to gitignore, and add .gitignore for build targets. 2010-09-22 12:57:17 +02:00
Tom Lane
a17e0e1f2d Back-patch replacement of README.CVS with README.git.
In older branches, also git-ify the "make distdir" rule.
2010-09-21 14:43:20 -04:00
Tom Lane
deb8a22cac Update time zone data files to tzdata release 2010l: DST law changes in
Egypt and Palestine.  Added new names for two Micronesian timezones:
Pacific/Chuuk is now preferred over Pacific/Truk (and the preferred
abbreviation is CHUT not TRUT) and Pacific/Pohnpei is preferred over
Pacific/Ponape.  Historical corrections for Finland.
2010-08-26 19:59:22 +00:00
Tom Lane
c2c90a5430 Fix ExecMakeTableFunctionResult to verify that all rows returned by a SRF
returning "record" actually do have the same rowtype.  This is needed because
the parser can't realistically enforce that they will all have the same typmod,
as seen in a recent example from David Wheeler.

Back-patch to 8.0, which is as far back as we have the notion of RECORD
subtypes being distinguished by typmod.  Wheeler's example depends on
8.4-and-up features, but I suspect there may be ways to provoke similar
failures before 8.4.
2010-08-26 18:55:12 +00:00
Peter Eisentraut
703cd9c31f Catch null pointer returns from PyCObject_AsVoidPtr and PyCObject_FromVoidPtr
This is reproducibly possible in Python 2.7 if the user turned
PendingDeprecationWarning into an error, but it's theoretically also possible
in earlier versions in case of exceptional conditions.

backpatched to 8.0
2010-08-25 19:37:34 +00:00
Tom Lane
e521b3e9b5 Arrange to fsync the contents of lockfiles (both postmaster.pid and the
socket lockfile) when writing them.  The lack of an fsync here may well
explain two different reports we've seen of corrupted lockfile contents,
which doesn't particularly bother the running server but can prevent a
new server from starting if the old one crashes.  Per suggestion from
Alvaro.

Back-patch to all supported versions.
2010-08-16 17:33:17 +00:00
Tom Lane
7ded6d69d5 Fix psql's copy of utf2ucs() to match the backend's copy exactly;
in particular, propagate a fix in the test to see whether a UTF8 character has
length 4 bytes.  This is likely of little real-world consequence because
5-or-more-byte UTF8 sequences are not supported by Postgres nor seen anywhere
in the wild, but still we may as well get it right.  Problem found by Joseph
Adams.

Bug is aboriginal, so back-patch all the way.
2010-08-16 00:06:48 +00:00
Robert Haas
35f0dccb0d Fix one more incorrect errno definition in the ECPG manual.
Again, back-patch all the way to 7.4.
2010-08-11 19:04:03 +00:00
Robert Haas
19efe0489f Fix incorrect errno definitions in ECPG manual.
ecpgerrno.h hasn't materially changed since PostgreSQL 7.4, so this has
been wrong for a very long time.  Back-patch all the way.

Satoshi Nagayasu
2010-08-11 18:52:52 +00:00
Tom Lane
d0844a851f Fix incorrect logic in plpgsql for cleanup after evaluation of non-simple
expressions.  We need to deal with this when handling subscripts in an array
assignment, and also when catching an exception.  In an Assert-enabled build
these omissions led to Assert failures, but I think in a normal build the
only consequence would be short-term memory leakage; which may explain why
this wasn't reported from the field long ago.

Back-patch to all supported versions.  7.4 doesn't have exceptions, but
otherwise these bugs go all the way back.

Heikki Linnakangas and Tom Lane
2010-08-09 18:50:54 +00:00
Tom Lane
2f7cd4356b Improved version of patch to protect pg_get_expr() against misuse:
look through join alias Vars to avoid breaking join queries, and
move the test to someplace where it will catch more possible ways
of calling a function.  We still ought to throw away the whole thing
in favor of a data-type-based solution, but that's not feasible in
the back branches.

Completion of back-port of my patch of yesterday.
2010-07-30 17:57:18 +00:00
Tom Lane
9e468f94aa Fix another longstanding problem in copy_relation_data: it was blithely
assuming that a local char[] array would be aligned on at least a word
boundary.  There are architectures on which that is pretty much guaranteed to
NOT be the case ... and those arches also don't like non-aligned memory
accesses, meaning that log_newpage() would crash if it ever got invoked.
Even on Intel-ish machines there's a potential for a large performance penalty
from doing I/O to an inadequately aligned buffer.  So palloc it instead.

Backpatch to 8.0 --- 7.4 doesn't have this code.
2010-07-29 19:23:58 +00:00
Robert Haas
76a106f264 Fix possible page corruption by ALTER TABLE .. SET TABLESPACE.
If a zeroed page is present in the heap, ALTER TABLE .. SET TABLESPACE will
set the LSN and TLI while copying it, which is wrong, and heap_xlog_newpage()
will do the same thing during replay, so the corruption propagates to any
standby.  Note, however, that the bug can't be demonstrated unless archiving
is enabled, since in that case we skip WAL logging altogether, and the LSN/TLI
are not set.

Back-patch to 8.0; prior releases do not have tablespaces.

Analysis and patch by Jeff Davis.  Adjustments for back-branches and minor
wordsmithing by me.
2010-07-29 16:15:33 +00:00