Commit Graph

24435 Commits

Author SHA1 Message Date
Tom Lane
2759410380 Work around a subtle portability problem in use of printf %s format.
Depending on which spec you read, field widths and precisions in %s may be
counted either in bytes or characters.  Our code was assuming bytes, which
is wrong at least for glibc's implementation, and in any case libc might
have a different idea of the prevailing encoding than we do.  Hence, for
portable results we must avoid using anything more complex than just "%s"
unless the string to be printed is known to be all-ASCII.

This patch fixes the cases I could find, including the psql formatting
failure reported by Hernan Gonzalez.  In HEAD only, I also added comments
to some places where it appears safe to continue using "%.*s".
2010-05-08 16:40:31 +00:00
Tom Lane
e7a03793d8 Fix psql to not go into infinite recursion when expanding a variable that
refers to itself (directly or indirectly).  Instead, print a message when
recursion is detected, and don't expand the repeated reference.  Per bug
#5448 from Francis Markham.

Back-patch to 8.0.  Although the issue exists in 7.4 as well, it seems
impractical to fix there because of the lack of any state stack that
could be used to track active expansions.
2010-05-05 22:19:18 +00:00
Tom Lane
7bab4d1764 Add code to InternalIpcMemoryCreate() to handle the case where shmget()
returns EINVAL for an existing shared memory segment.  Although it's not
terribly sensible, that behavior does meet the POSIX spec because EINVAL
is the appropriate error code when the existing segment is smaller than the
requested size, and the spec explicitly disclaims any particular ordering of
error checks.  Moreover, it does in fact happen on OS X and probably other
BSD-derived kernels.  (We were able to talk NetBSD into changing their code,
but purging that behavior from the wild completely seems unlikely to happen.)
We need to distinguish collision with a pre-existing segment from invalid size
request in order to behave sensibly, so it's worth some extra code here to get
it right.  Per report from Gavin Kistner and subsequent investigation.

Back-patch to all supported versions, since any of them could get used
with a kernel having the debatable behavior.
2010-05-01 22:46:50 +00:00
Tom Lane
d20f503a28 Fix multiple memory leaks in PLy_spi_execute_fetch_result: it would leak
memory if the result had zero rows, and also if there was any sort of error
while converting the result tuples into Python data.  Reported and partially
fixed by Andres Freund.

Back-patch to all supported versions.  Note: I haven't tested the 7.4 fix.
7.4's configure check for python is so obsolete it doesn't work on my
current machines :-(.  The logic change is pretty straightforward though.
2010-04-30 19:16:04 +00:00
Heikki Linnakangas
345c2c5e76 On Windows, syslogger runs in two threads. The main thread processes config
reload and rotation signals, and a helper thread reads messages from the
pipe and writes them to the log file. However, server code isn't generally
thread-safe, so if both try to do e.g palloc()/pfree() at the same time,
bad things will happen. To fix that, use a critical section (which is like
a mutex) to enforce that only one the threads are active at a time.
2010-04-16 09:52:15 +00:00
Tom Lane
06464ef972 Fix psql's \copy to not insert spaces around dots and commas in the text of
the SELECT query in \copy (SELECT ...) commands.  This is unnecessary and
breaks numeric literals, as seen in bug #5411 from Vitalii Tymchyshyn.

This change has already been made in passing in HEAD; backpatch to 8.2
through 8.4 (earlier releases don't have COPY (SELECT ...) at all).
2010-04-15 21:05:23 +00:00
Peter Eisentraut
b1954e95cb IP port -> TCP port
backpatched to 8.1, where this first appeared
2010-04-15 20:46:24 +00:00
Tom Lane
3efd14b9df Fix a problem introduced by my patch of 2010-01-12 that revised the way
relcache reload works.  In the patched code, a relcache entry in process of
being rebuilt doesn't get unhooked from the relcache hash table; which means
that if a cache flush occurs due to sinval queue overrun while we're
rebuilding it, the entry could get blown away by RelationCacheInvalidate,
resulting in crash or misbehavior.  Fix by ensuring that an entry being
rebuilt has positive refcount, so it won't be seen as a target for removal
if a cache flush occurs.  (This will mean that the entry gets rebuilt twice
in such a scenario, but that's okay.)  It appears that the problem can only
arise within a transaction that has previously reassigned the relfilenode of
a pre-existing table, via TRUNCATE or a similar operation.  Per bug #5412
from Rusty Conover.

Back-patch to 8.2, same as the patch that introduced the problem.
I think that the failure can't actually occur in 8.2, since it lacks the
rd_newRelfilenodeSubid optimization, but let's make it work like the later
branches anyway.

Patch by Heikki, slightly editorialized on by me.
2010-04-14 21:31:33 +00:00
Magnus Hagander
1fc8cef48d Clean up inconsistent commas 2010-04-09 11:49:56 +00:00
Magnus Hagander
4fdc9f2150 Update list of Windows timezones we try to match localized names against
to one that's up to date with Windows 2003R2.
2010-04-09 11:46:08 +00:00
Magnus Hagander
266bf09a16 Proceed to look for the next timezone when matching a localized
Windows timezone name where the information in the registry is
incomplete, instead of aborting.

This fixes cases when the registry information is incomplete for
a timezone that is alphabetically before the one that is in use.

Per report from Alexander Forschner
2010-04-08 11:26:00 +00:00
Magnus Hagander
346dd12c9f Log the actual timezone name that we fail to look up the values for in
case the registry data doesn't follow the format we expect, to facilitate
debugging.
2010-04-06 20:35:13 +00:00
Andrew Dunstan
cefc04c24f Sync perl's ppport.h on all branches back to 7.4 with recent update on HEAD, ensuring we can build older branches with modern Perl installations. 2010-04-03 17:54:26 +00:00
Tom Lane
4e1b7c8656 Ensure that contrib/pgstattuple functions respond to cancel interrupts
reasonably promptly, by adding CHECK_FOR_INTERRUPTS in the per-page loops.

Tatsuhito Kasahara
2010-04-02 16:17:12 +00:00
Heikki Linnakangas
311984fabc Don't pass an invalid file handle to dup2(). That causes a crash on
Windows, thanks to a feature in CRT called Parameter Validation.

Backpatch to 8.2, which is the oldest version supported on Windows. In
8.2 and 8.3 also backpatch the earlier change to use DEVNULL instead of
NULL_DEV #define for a /dev/null-like device. NULL_DEV was hard-coded to
"/dev/null" regardless of platform, which didn't work on Windows, while
DEVNULL works on all platforms. Restarting syslogger didn't work on
Windows on versions 8.3 and below because of that.
2010-04-01 20:12:43 +00:00
Alvaro Herrera
9a77104a26 Prevent ALTER USER f RESET ALL from removing the settings that were put there
by a superuser -- "ALTER USER f RESET setting" already disallows removing such a
setting.

Apply the same treatment to ALTER DATABASE d RESET ALL when run by a database
owner that's not superuser.
2010-03-25 14:45:21 +00:00
Tom Lane
cb8bd60aa4 Clear error_context_stack and debug_query_string at the beginning of proc_exit,
so that we won't try to attach any context printouts to messages that get
emitted while exiting.  Per report from Dennis Koegel, the context functions
won't necessarily work after we've started shutting down the backend, and it
seems possible that debug_query_string could be pointing at freed storage
as well.  The context information doesn't seem particularly relevant to
such messages anyway, so there's little lost by suppressing it.

Back-patch to all supported branches.  I can only demonstrate a crash with
log_disconnections messages back to 8.1, but the risk seems real in 8.0 and
before anyway.
2010-03-20 00:58:26 +00:00
Magnus Hagander
3f060dfa3b Typo fixes.
Fujii Masao
2010-03-17 18:04:21 +00:00
Marc G. Fournier
9fbbb5e21e tag 8.2.16 2010-03-12 03:44:14 +00:00
Tom Lane
d66486b89a Preliminary release notes for releases 8.4.3, 8.3.10, 8.2.16, 8.1.20, 8.0.24,
7.4.28.
2010-03-10 01:58:51 +00:00
Tom Lane
62513c3e55 Use SvROK(sv) rather than directly checking SvTYPE(sv) == SVt_RV in plperl.
The latter is considered unwarranted chumminess with the implementation,
and can lead to crashes with recent Perl versions.

Report and fix by Tim Bunce.  Back-patch to all versions containing the
questionable coding pattern.
2010-03-09 22:35:07 +00:00
Alvaro Herrera
d08f0d861d Update time zone data files to tzdata release 2010d: DST law changes in Fiji,
Samoa, Chile; corrections to recent changes in Paraguay and Bangladesh.
2010-03-09 14:30:41 +00:00
Bruce Momjian
d70d411461 Return proper exit code (3) from psql when ON_ERROR_STOP=on and
--single-transaction are both used and the failure happens in commit,
e.g. failed deferred trigger.  Also properly free BEGIN/COMMIT result
structures from --single-transaction.

Per report from Dominic Bevacqua
2010-03-09 01:09:54 +00:00
Magnus Hagander
452419a6f0 Add missing space in example.
Tim Landscheidt
2010-03-08 12:39:37 +00:00
Tom Lane
df96e128f8 Update time zone data files to tzdata release 2010c: DST law changes in
Bangladesh, Mexico, Paraguay.
2010-03-08 01:18:39 +00:00
Tom Lane
b00c0a6001 When reading pg_hba.conf and similar files, do not treat @file as an inclusion
unless (1) the @ isn't quoted and (2) the filename isn't empty.  This guards
against unexpectedly treating usernames or other strings in "flat files"
as inclusion requests, as seen in a recent trouble report from Ed L.
The empty-filename case would be guaranteed to misbehave anyway, because our
subsequent path-munging behavior results in trying to read the directory
containing the current input file.

I think this might finally explain the report at
http://archives.postgresql.org/pgsql-bugs/2004-05/msg00132.php
of a crash after printing "authentication file token too long, skipping",
since I was able to duplicate that message (though not a crash) on a
platform where stdio doesn't refuse to read directories.  We never got
far in investigating that problem, but now I'm suspicious that the trigger
condition was an @ in the flat password file.

Back-patch to all active branches since the problem can be demonstrated in all
branches except HEAD.  The test case, creating a user named "@", doesn't cause
a problem in HEAD since we got rid of the flat password file.  Nonetheless it
seems like a good idea to not consider quoted @ as a file inclusion spec,
so I changed HEAD too.
2010-03-06 00:46:07 +00:00
Tom Lane
48fcbb803b Fix a couple of places that would loop forever if attempts to read a stdio file
set ferror() but never set feof().  This is known to be the case for recent
glibc when trying to read a directory as a file, and might be true for other
platforms/cases too.  Per report from Ed L.  (There is more that we ought to
do about his report, but this is one easily identifiable issue.)
2010-03-03 20:31:29 +00:00
Tom Lane
c4810d9ae0 Make contrib/xml2 use core xml.c's error handler, when available (that is,
in versions >= 8.3).  The core code is more robust and efficient than what
was there before, and this also reduces risks involved in swapping different
libxml error handler settings.

Before 8.3, there is still some risk of problems if add-on modules such as
Perl invoke libxml without setting their own error handler.  Given the lack
of reports I'm not sure there's a risk in practice, so I didn't take the
step of actually duplicating the core code into older contrib/xml2 branches.
Instead I just tweaked the existing code to ensure it didn't leave a dangling
pointer to short-lived memory when throwing an error.
2010-03-03 19:10:40 +00:00
Andrew Dunstan
57e9e01ecd Backpatch MSVC build fix for XSLT 2010-03-02 15:43:11 +00:00
Heikki Linnakangas
58128f7de0 Fix numericlocale psql option when used with a null string and latex and troff
formats; a null string must not be formatted as a numeric. The more exotic
formats latex and troff also incorrectly formatted all strings as numerics
when numericlocale was on.

Backpatch to 8.1 where numericlocale option was added.

This fixes bug #5355 reported by Andy Lester.
2010-03-01 20:56:06 +00:00
Tom Lane
7af8e8d671 Fix contrib/xml2 so regression test still works when it's built without libxslt.
This involves modifying the module to have a stable ABI, that is, the
xslt_process() function still exists even without libxslt.  It throws a
runtime error if called, but doesn't prevent executing the CREATE FUNCTION
call.  This is a good thing anyway to simplify cross-version upgrades.
2010-03-01 18:08:27 +00:00
Tom Lane
057b5485e6 Remove xmlCleanupParser calls from contrib/xml2.
These are unnecessary and probably dangerous.  I don't see any immediate
risk situations in the core XML support or contrib/xml2 itself, but there
could be issues with external uses of libxml2, and in any case it's an
accident waiting to happen.
2010-03-01 05:16:54 +00:00
Tom Lane
2502898d73 Back-patch today's memory management fixups in contrib/xml2.
Prior to 8.3, these changes are not critical for compatibility with core
Postgres, since core had no libxml2 calls then.  However there is still
a risk if contrib/xml2 is used along with libxml2 functionality in Perl
or other loadable modules.  So back-patch to all versions.

Also back-patch addition of regression tests.  I'm not sure how many of
the cases are interesting without the interaction with core xml code,
but a silly regression test is still better than none at all.
2010-03-01 03:41:17 +00:00
Tom Lane
a68bdfbcaa Allow predicate_refuted_by() to deduce that NOT A refutes A.
We had originally made the stronger assumption that NOT A refutes any B
if B implies A, but this fails in three-valued logic, because we need to
prove B is false not just that it's not true.  However the logic does
go through if B is equal to A.

Recognizing this limited case is enough to handle examples that arise when
we have simplified "bool_var = true" or "bool_var = false" to just "bool_var"
or "NOT bool_var".  If we had not done that simplification then the
btree-operator proof logic would have been able to prove that the expressions
were contradictory, but only for identical expressions being compared to the
constants; so handling identical A and B covers all the same cases.

The motivation for doing this is to avoid unexpected asymmetrical behavior
when a partitioned table uses a boolean partitioning column, as in today's
gripe from Dominik Sander.

Back-patch to 8.2, which is as far back as predicate_refuted_by attempts to
do anything at all with NOTs.
2010-02-25 21:00:15 +00:00
Magnus Hagander
f8bd81b4cb Add configuration parameter ssl_renegotiation_limit to control
how often we do SSL session key renegotiation. Can be set to
0 to disable renegotiation completely, which is required if
a broken SSL library is used (broken patches to CVE-2009-3555
a known cause) or when using a client library that can't do
renegotiation.
2010-02-25 13:26:19 +00:00
Itagaki Takahiro
2c0914be73 Fix STOP WAL LOCATION in backup history files no to return the next
segment of XLOG_BACKUP_END record even if the the record is placed
at a segment boundary. Furthermore the previous implementation could
return nonexistent segment file name when the boundary is in segments
that has "FE" suffix; We never use segments with "FF" suffix.

Backpatch to 8.0, where hot backup was introduced.

Reported by Fujii Masao.
2010-02-19 01:07:57 +00:00
Tom Lane
aff66ef113 Volatile-ize all five places where we expect a PG_TRY block to restore
old memory context in plpython.  Before only one of them was marked
volatile, but per report from Zdenek Kotala, some compilers do the
wrong thing here.
2010-02-18 23:50:27 +00:00
Greg Stark
f9aa8763e2 revert prior patch to fsync directories until portability problems exposed by build farm can be sorted out 2010-02-16 00:01:11 +00:00
Greg Stark
1534023ff0 Make CREATE DATABASE safe against losing whole files by fsyncing the
directory and not just the individual files.

Back-patch to 8.1 -- before that we just called "cp -r" and never
fsynced anything anyways.
2010-02-14 17:50:39 +00:00
Tom Lane
c53917dc66 Don't choke when exec_move_row assigns a synthesized null to a column
that happens to be composite itself.  Per bug #5314 from Oleg Serov.

Backpatch to 8.0 --- 7.4 has got too many other shortcomings in
composite-type support to make this worth worrying about in that branch.
2010-02-12 19:38:00 +00:00
Andrew Dunstan
51e24cc249 Free reference in correct Perl context. Backpatch to release 8.2. Patch from Tim Bunce. 2010-02-12 04:33:22 +00:00
Joe Conway
ff6a12b3f3 Check to ensure the number of primary key fields supplied does not
exceed the total number of non-dropped source table fields for
dblink_build_sql_*(). Addresses bug report from Rushabh Lathia.

Backpatch all the way to the 7.3 branch.
2010-02-03 23:01:47 +00:00
Tom Lane
46b6fbc9b4 Change regexp engine's ccondissect/crevdissect routines to perform DFA
matching before recursing instead of after.  The DFA match eliminates
unworkable midpoint choices a lot faster than the recursive check, in most
cases, so doing it first can speed things up; particularly in pathological
cases such as recently exhibited by Michael Glaesemann.

In addition, apply some cosmetic changes that were applied upstream (in the
Tcl project) at the same time, in order to sync with upstream version 1.15
of regexec.c.

Upstream apparently intends to backpatch this, so I will too.  The
pathological behavior could be unpleasant if encountered in the field,
which seems to justify any risk of introducing new bugs.

Tom Lane, reviewed by Donal K. Fellows of Tcl project
2010-02-01 02:45:46 +00:00
Magnus Hagander
27554860c0 Fix race condition in win32 signal handling.
There was a race condition where the receiving pipe could be closed by the
child thread if the main thread was pre-empted before it got a chance to
create a new one, and the dispatch thread ran to completion during that time.

One symptom of this is that rows in pg_listener could be dropped under
heavy load.

Analysis and original patch by Radu Ilie, with some small
modifications by Magnus Hagander.
2010-01-31 17:16:25 +00:00
Tom Lane
0c969e1fec Avoid performing encoding conversion on command tag strings during EndCommand.
Since all current and foreseeable future command tags will be pure ASCII,
there is no need to do conversion on them.  This saves a few cycles and also
avoids polluting otherwise-pristine subtransaction memory contexts, which
is the cause of the backend memory leak exhibited in bug #5302.  (Someday
we'll probably want to have a better method of determining whether
subtransaction contexts need to be kept around, but today is not that day.)

Backpatch to 8.0.  The cycle-shaving aspect of this would work in 7.4
too, but without subtransactions the memory-leak aspect doesn't apply,
so it doesn't seem worth touching 7.4.
2010-01-30 20:10:11 +00:00
Tom Lane
04cec1a95b Apply Tcl_Init() to the "hold" interpreter created by pltcl.
You might think this is unnecessary since that interpreter is never used
to run code --- but it turns out that's wrong.  As of Tcl 8.5, the "clock"
command (alone among builtin Tcl commands) is partially implemented by
loaded-on-demand Tcl code, which means that it fails if there's not
unknown-command support, and also that it's impossible to run it directly
in a safe interpreter.  The way they get around the latter is that
Tcl_CreateSlave() automatically sets up an alias command that forwards any
execution of "clock" in a safe slave interpreter to its parent interpreter.
Thus, when attempting to execute "clock" in trusted pltcl, the command
actually executes in the "hold" interpreter, where it will fail if
unknown-command support hasn't been introduced by sourcing the standard
init.tcl script, which is done by Tcl_Init().  (This is a pretty dubious
design decision on the Tcl boys' part, if you ask me ... but they didn't.)

Back-patch all the way.  It's not clear that anyone would try to use ancient
versions of pltcl with a recent Tcl, but it's not clear they wouldn't, either.
Also add a regression test using "clock", in branches that have regression
test support for pltcl.

Per recent trouble report from Kyle Bateman.
2010-01-25 01:58:33 +00:00
Tom Lane
a82c3f4634 Fix assorted core dumps and Assert failures that could occur during
AbortTransaction or AbortSubTransaction, when trying to clean up after an
error that prevented (sub)transaction start from completing:
* access to TopTransactionResourceOwner that might not exist
* assert failure in AtEOXact_GUC, if AtStart_GUC not called yet
* assert failure or core dump in AfterTriggerEndSubXact, if
  AfterTriggerBeginSubXact not called yet

Per testing by injecting elog(ERROR) at successive steps in StartTransaction
and StartSubTransaction.  It's not clear whether all of these cases could
really occur in the field, but at least one of them is easily exposed by
simple stress testing, as per my accidental discovery yesterday.
2010-01-24 21:49:48 +00:00
Tom Lane
84cce31372 Insert CHECK_FOR_INTERRUPTS calls into loops in dbsize.c, to ensure that
the various disk-size-reporting functions will respond to query cancel
reasonably promptly even in very large databases.  Per report from
Kevin Grittner.
2010-01-23 21:29:17 +00:00
Tom Lane
cfac3efb2f When loading critical system indexes into the relcache, ensure we lock the
underlying catalog not only the index itself.  Otherwise, if the cache
load process touches the catalog (which will happen for many though not
all of these indexes), we are locking index before parent table, which can
result in a deadlock against processes that are trying to lock them in the
normal order.  Per today's failure on buildfarm member gothic_moth; it's
surprising the problem hadn't been identified before.

Back-patch to 8.2.  Earlier releases didn't have the issue because they
didn't try to lock these indexes during load (instead assuming that they
couldn't change schema at all during multiuser operation).
2010-01-13 23:07:28 +00:00
Tom Lane
483b17119a Fix relcache reload mechanism to be more robust in the face of errors
occurring during a reload, such as query-cancel.  Instead of zeroing out
an existing relcache entry and rebuilding it in place, build a new relcache
entry, then swap its contents with the old one, then free the new entry.
This avoids problems with code believing that a previously obtained pointer
to a cache entry must still reference a valid entry, as seen in recent
failures on buildfarm member jaguar.  (jaguar is using CLOBBER_CACHE_ALWAYS
which raises the probability of failure substantially, but the problem
could occur in the field without that.)  The previous design was okay
when it was made, but subtransactions and the ResourceOwner mechanism
make it unsafe now.

Also, make more use of the already existing rd_isvalid flag, so that we
remember that the entry requires rebuilding even if the first attempt fails.

Back-patch as far as 8.2.  Prior versions have enough issues around relcache
reload anyway (due to inadequate locking) that fixing this one doesn't seem
worthwhile.
2010-01-12 18:12:40 +00:00