Commit Graph

27005 Commits

Author SHA1 Message Date
Tom Lane
f014211849 Make decompilation of optimized CASE constructs more robust.
We had some hacks in ruleutils.c to cope with various odd transformations
that the optimizer could do on a CASE foo WHEN "CaseTestExpr = RHS" clause.
However, the fundamental impossibility of covering all cases was exposed
by Heikki, who pointed out that the "=" operator could get replaced by an
inlined SQL function, which could contain nearly anything at all.  So give
up on the hacks and just print the expression as-is if we fail to recognize
it as "CaseTestExpr = RHS".  (We must cover that case so that decompiled
rules print correctly; but we are not under any obligation to make EXPLAIN
output be 100% valid SQL in all cases, and already could not do so in some
other cases.)  This approach requires that we have some printable
representation of the CaseTestExpr node type; I used "CASE_TEST_EXPR".

Back-patch to all supported branches, since the problem case fails in all.
2011-05-26 19:26:04 -04:00
Tom Lane
9a57eafe9d Avoid uninitialized bits in the result of QTN2QT().
Found with additional valgrind testing.

Noah Misch
2011-05-24 14:22:05 -04:00
Tom Lane
18afe429a4 Install defenses against overflow in BuildTupleHashTable().
The planner can sometimes compute very large values for numGroups, and in
cases where we have no alternative to building a hashtable, such a value
will get fed directly to BuildTupleHashTable as its nbuckets parameter.
There were two ways in which that could go bad.  First, BuildTupleHashTable
declared the parameter as "int" but most callers were passing "long"s,
so on 64-bit machines undetected overflow could occur leading to a bogus
negative value.  The obvious fix for that is to change the parameter to
"long", which is what I've done in HEAD.  In the back branches that seems a
bit risky, though, since third-party code might be calling this function.
So for them, just put in a kluge to treat negative inputs as INT_MAX.
Second, hash_create can go nuts with extremely large requested table sizes
(notably, my_log2 becomes an infinite loop for inputs larger than
LONG_MAX/2).  What seems most appropriate to avoid that is to bound the
initial table size request to work_mem.

This fixes bug #6035 reported by Daniel Schreiber.  Although the reported
case only occurs back to 8.4 since it involves WITH RECURSIVE, I think
it's a good idea to install the defenses in all supported branches.
2011-05-23 12:53:00 -04:00
Heikki Linnakangas
4919a20c33 Replace strdup() with pstrdup(), to avoid leaking memory.
It's been like this since the seg module was introduced, so backpatch to
8.2 which is the oldest supported version.
2011-05-18 22:36:14 -04:00
Tom Lane
3b65ffa2bf Fix write-past-buffer-end in ldapServiceLookup().
The code to assemble ldap_get_values_len's output into a single string
wrote the terminating null one byte past where it should.  Fix that,
and make some other cosmetic adjustments to make the code a trifle more
readable and more in line with usual Postgres coding style.

Also, free the "result" string when done with it, to avoid a permanent
memory leak.

Bug report and patch by Albe Laurenz, cosmetic adjustments by me.
2011-05-12 11:57:21 -04:00
Peter Eisentraut
c01da31713 Add missing gitignore file 2011-05-02 01:05:01 +03:00
Peter Eisentraut
9c52bad398 Catch errors in for loop in makefile
Add "|| exit" so that the rule aborts when a command fails.

This is the minimal backpatch version.  The fix in head is more
elaborate.
2011-05-02 01:05:01 +03:00
Tom Lane
fd384cfc34 Make CLUSTER lock the old table's toast table before copying data.
We must lock out autovacuuming of the old toast table before computing the
OldestXmin horizon we will use.  Otherwise, autovacuum could start on the
toast table later, compute a later OldestXmin horizon, and remove as DEAD
toast tuples that we still need (because we think their parent tuples are
only RECENTLY_DEAD).  Per further thought about bug #5998.
2011-05-01 17:57:55 -04:00
Tom Lane
735d88e60e Remove special case for xmin == xmax in HeapTupleSatisfiesVacuum().
VACUUM was willing to remove a committed-dead tuple immediately if it was
deleted by the same transaction that inserted it.  The idea is that such a
tuple could never have been visible to any other transaction, so we don't
need to keep it around to satisfy MVCC snapshots.  However, there was
already an exception for tuples that are part of an update chain, and this
exception created a problem: we might remove TOAST tuples (which are never
part of an update chain) while their parent tuple stayed around (if it was
part of an update chain).  This didn't pose a problem for most things,
since the parent tuple is indeed dead: no snapshot will ever consider it
visible.  But MVCC-safe CLUSTER had a problem, since it will try to copy
RECENTLY_DEAD tuples to the new table.  It then has to copy their TOAST
data too, and would fail if VACUUM had already removed the toast tuples.

Easiest fix is to get rid of the special case for xmin == xmax.  This may
delay reclaiming dead space for a little bit in some cases, but it's by far
the most reliable way to fix the issue.

Per bug #5998 from Mark Reid.  Back-patch to 8.3, which is the oldest
version with MVCC-safe CLUSTER.
2011-04-29 16:30:02 -04:00
Tom Lane
67abb9598f Rewrite pg_size_pretty() to avoid compiler bug.
Convert it to use successive shifts right instead of increasing a divisor.
This is probably a tad more efficient than the original coding, and it's
nicer-looking than the previous patch because we don't need a special case
to avoid overflow in the last branch.  But the real reason to do it is to
avoid a Solaris compiler bug, as per results from buildfarm member moa.
2011-04-29 01:45:21 -04:00
Heikki Linnakangas
9c46b7a14d The arguments to pg_ctl kill are not optional - remove brackets in the docs.
Fujii Masao
2011-04-28 12:57:24 +03:00
Tom Lane
1391f1fbd1 Fix array- and path-creating functions to ensure padding bytes are zeroes.
Per recent discussion, it's important for all computed datums (not only the
results of input functions) to not contain any ill-defined (uninitialized)
bits.  Failing to ensure that can result in equal() reporting that
semantically indistinguishable Consts are not equal, which in turn leads to
bizarre and undesirable planner behavior, such as in a recent example from
David Johnston.  We might eventually try to fix this in a general manner by
allowing datatypes to define identity-testing functions, but for now the
path of least resistance is to expect datatypes to force all unused bits
into consistent states.

Per some testing by Noah Misch, array and path functions seem to be the
only ones presenting risks at the moment, so I looked through all the
functions in adt/array*.c and geo_ops.c and fixed them as necessary.  In
the array functions, the easiest/safest fix is to allocate result arrays
with palloc0 instead of palloc.  Possibly in future someone will want to
look into whether we can just zero the padding bytes, but that looks too
complex for a back-patchable fix.  In the path functions, we already had a
precedent in path_in for just zeroing the one known pad field, so duplicate
that code as needed.

Back-patch to all supported branches.
2011-04-27 13:58:54 -04:00
Tom Lane
049e8b07fa Fix pg_size_pretty() to avoid overflow for inputs close to INT64_MAX.
The expression that tried to round the value to the nearest TB could
overflow, leading to bogus output as reported in bug #5993 from Nicola
Cossu.  This isn't likely to ever happen in the intended usage of the
function (if it could, we'd be needing to use a wider datatype instead);
but it's not hard to give the expected output, so let's do so.
2011-04-25 16:22:24 -04:00
Tom Lane
3c34d7ee8e Fix bugs in indexing of in-doubt HOT-updated tuples.
If we find a DELETE_IN_PROGRESS HOT-updated tuple, it is impossible to know
whether to index it or not except by waiting to see if the deleting
transaction commits.  If it doesn't, the tuple might again be LIVE, meaning
we have to index it.  So wait and recheck in that case.

Also, we must not rely on ii_BrokenHotChain to decide that it's possible to
omit tuples from the index.  That could result in omitting tuples that we
need, particularly in view of yesterday's fixes to not necessarily set
indcheckxmin (but it's broken even without that, as per my analysis today).
Since this is just an extremely marginal performance optimization, dropping
the test shouldn't hurt.

These cases are only expected to happen in system catalogs (they're
possible there due to early release of RowExclusiveLock in most
catalog-update code paths).  Since reindexing of a system catalog isn't a
particularly performance-critical operation anyway, there's no real need to
be concerned about possible performance degradation from these changes.

The worst aspects of this bug were introduced in 9.0 --- 8.x will always
wait out a DELETE_IN_PROGRESS tuple.  But I think dropping index entries
on the strength of ii_BrokenHotChain is dangerous even without that, so
back-patch removal of that optimization to 8.3 and 8.4.
2011-04-20 20:34:27 -04:00
Tom Lane
8cf0208b70 Avoid changing an index's indcheckxmin horizon during REINDEX.
There can never be a need to push the indcheckxmin horizon forward, since
any HOT chains that are actually broken with respect to the index must
pre-date its original creation.  So we can just avoid changing pg_index
altogether during a REINDEX operation.

This offers a cleaner solution than my previous patch for the problem
found a few days ago that we mustn't try to update pg_index while we are
reindexing it.  System catalog indexes will always be created with
indcheckxmin = false during initdb, and with this modified code we should
never try to change their pg_index entries.  This avoids special-casing
system catalogs as the former patch did, and should provide a performance
benefit for many cases where REINDEX formerly caused an index to be
considered unusable for a short time.

Back-patch to 8.3 to cover all versions containing HOT.  Note that this
patch changes the API for index_build(), but I believe it is unlikely that
any add-on code is calling that directly.
2011-04-19 18:51:12 -04:00
Tom Lane
6c0635d7a4 Revert "Prevent incorrect updates of pg_index while reindexing pg_index itself."
This reverts commit 2c69fc0596 of 2011-04-15.
There's a better way to do it, which will follow shortly.
2011-04-19 16:59:34 -04:00
Tom Lane
2c69fc0596 Prevent incorrect updates of pg_index while reindexing pg_index itself.
The places that attempt to change pg_index.indcheckxmin during a reindexing
operation cannot be executed safely if pg_index itself is the subject of
the operation.  This is the explanation for a couple of recent reports of
VACUUM FULL failing with
	ERROR:  duplicate key value violates unique constraint "pg_index_indexrelid_index"
	DETAIL:  Key (indexrelid)=(2678) already exists.

However, there isn't any real need to update indcheckxmin in such a
situation, if we assume that pg_index can never contain a truly broken HOT
chain.  This assumption holds if new indexes are never created on it during
concurrent operations, which is something we don't consider safe for any
system catalog, not just pg_index.  Accordingly, modify the code to not
manipulate indcheckxmin when reindexing any system catalog.

Back-patch to 8.3, where HOT was introduced.  The known failure scenarios
involve 9.0-style VACUUM FULL, so there might not be any real risk before
9.0, but let's not assume that.
2011-04-15 20:19:16 -04:00
Marc G. Fournier
0844f42d41 Tag 8.3.15. 2011-04-15 00:18:15 -03:00
Peter Eisentraut
c481b87eb3 Translation updates 2011-04-14 23:30:43 +03:00
Tom Lane
a330793001 Update release notes for releases 9.0.4, 8.4.8, 8.3.15, and 8.2.21. 2011-04-14 15:51:50 -04:00
Tom Lane
193dc638a5 Update time zone data files to tzdata release 2011f.
DST law changes in Chile, Cuba, Falkland Islands, Morocco, Samoa, Turkey.
Historical corrections for South Australia, Alaska, Hawaii.
2011-04-13 18:05:09 -04:00
Heikki Linnakangas
cbb8c36c8d On IA64 architecture, we check the depth of the register stack in addition
to the regular stack. The code to do that is platform and compiler specific,
add support for the HP-UX native compiler.
2011-04-13 11:53:19 +03:00
Andrew Dunstan
502ff05209 Avoid use of mixed slash style paths in arguments to xcopy in MSVC builds.
Some versions of xcopy, notably on Windows 7 don't like it. Backpatch
to 8.3, where we first used xcopy.
2011-04-07 22:16:16 -04:00
Tom Lane
ec31cdeb88 Modernize dlopen interface code for FreeBSD and OpenBSD.
Remove the hard-wired assumption that __mips__ (and only __mips__) lacks
dlopen in FreeBSD and OpenBSD.  This assumption is outdated at least for
OpenBSD, as per report from an anonymous 9.1 tester.  We can perfectly well
use HAVE_DLOPEN instead to decide which code to use.

Some other cosmetic adjustments to make freebsd.c, netbsd.c, and openbsd.c
exactly alike.
2011-04-07 15:14:56 -04:00
Tom Lane
9a9c7c2eb1 Fix SortTocFromFile() to cope with lines that are too long for its buffer.
The original coding supposed that a dump TOC file could never contain lines
longer than 1K.  The folly of that was exposed by a recent report from
Per-Olov Esgard.  We only really need to see the first dozen or two bytes
of each line, since we're just trying to read off the numeric ID at the
start of the line; so there's no need for a particularly huge buffer.
What there is a need for is logic to not process continuation bufferloads.

Back-patch to all supported branches, since it's always been like this.
2011-04-07 11:40:39 -04:00
Tom Lane
cfce572ace Prevent a rowtype from being included in itself.
Eventually we might be able to allow that, but it's not clear how many
places need to be fixed to prevent infinite recursion when there's a direct
or indirect inclusion of a rowtype in itself.  One such place is
CheckAttributeType(), which will recurse to stack overflow in cases such as
those exhibited in bug #5950 from Alex Perepelica.  If we were sure it was
the only such place, we could easily modify the code added by this patch to
stop the recursion without a complaint ... but it probably isn't the only
such place.  Hence, throw error until such time as someone is excited
enough about this type of usage to put work into making it safe.

Back-patch as far as 8.3.  8.2 doesn't have the recursive call in
CheckAttributeType in the first place, so I see no need to add code there
in the absence of clear evidence of a problem elsewhere.
2011-03-28 15:45:14 -04:00
Robert Haas
9951cf8461 Correct "characters" to "bytes" in createdb docs.
Susanne Ebrecht
2011-03-27 21:29:22 -04:00
Tom Lane
5b6c27a607 Improve user-defined-aggregates documentation.
On closer inspection, that two-element initcond value seems to have been
a little white lie to avoid explaining the full behavior of float8_accum.
But if people are going to expect the examples to be exactly correct,
I suppose we'd better explain.  Per comment from Thom Brown.
2011-03-23 16:57:37 -04:00
Tom Lane
03f957fe1d Fix ancient typo in user-defined-aggregates documentation.
The description of the initcond value for the built-in avg(float8)
aggregate has been wrong since it was written.  Noted by Disc Magnet.
2011-03-23 12:34:08 -04:00
Tom Lane
cf73547075 Avoid potential deadlock in InitCatCachePhase2().
Opening a catcache's index could require reading from that cache's own
catalog, which of course would acquire AccessShareLock on the catalog.
So the original coding here risks locking index before heap, which could
deadlock against another backend trying to get exclusive locks in the
normal order.  Because InitCatCachePhase2 is only called when a backend
has to start up without a relcache init file, the deadlock was seldom seen
in the field.  (And by the same token, there's no need to worry about any
performance disadvantage; so not much point in trying to distinguish
exactly which catalogs have the risk.)

Bug report, diagnosis, and patch by Nikhil Sontakke.  Additional commentary
by me.  Back-patch to all supported branches.
2011-03-22 13:01:17 -04:00
Alvaro Herrera
4c1a9ee665 Fix PL/Python memory leak involving array slices
Report and patch from Daniel Popowich, bug #5842
(with some debugging help from Alex Hunsaker)
2011-03-17 12:49:38 -03:00
Andrew Dunstan
158e042747 Use correct PATH separator for Cygwin in pg_regress.c.
This has been broken for years, and I'm not sure why it has not been
noticed before, but now a very modern Cygwin breaks on it, and the fix
is clearly correct. Backpatching to all live branches.
2011-03-17 00:22:03 -04:00
Tom Lane
56423c143c On further reflection, we'd better do the same in int.c.
We previously heard of the same problem in int24div(), so there's not a
good reason to suppose the problem is confined to cases involving int8.
2011-03-11 19:04:14 -05:00
Tom Lane
24aad03e98 Put in some more safeguards against executing a division-by-zero.
Add dummy returns before every potential division-by-zero in int8.c,
because apparently further "improvements" in gcc's optimizer have
enabled it to break functions that weren't broken before.

Aurelien Jarno, via Martin Pitt
2011-03-11 18:19:07 -05:00
Tom Lane
e476eedd0c Fix dangling-pointer problem in before-row update trigger processing.
ExecUpdate checked for whether ExecBRUpdateTriggers had returned a new
tuple value by seeing if the returned tuple was pointer-equal to the old
one.  But the "old one" was in estate->es_junkFilter's result slot, which
would be scribbled on if we had done an EvalPlanQual update in response to
a concurrent update of the target tuple; therefore we were comparing a
dangling pointer to a live one.  Given the right set of circumstances we
could get a false match, resulting in not forcing the tuple to be stored in
the slot we thought it was stored in.  In the case reported by Maxim Boguk
in bug #5798, this led to "cannot extract system attribute from virtual
tuple" failures when trying to do "RETURNING ctid".  I believe there is a
very-low-probability chance of more serious errors, such as generating
incorrect index entries based on the original rather than the
trigger-modified version of the row.

In HEAD, change all of ExecBRInsertTriggers, ExecIRInsertTriggers,
ExecBRUpdateTriggers, and ExecIRUpdateTriggers so that they continue to
have similar APIs.  In the back branches I just changed
ExecBRUpdateTriggers, since there is no bug in the ExecBRInsertTriggers
case.
2011-02-21 21:18:25 -05:00
Tom Lane
a580bffa08 Add CheckTableNotInUse calls in DROP TABLE and DROP INDEX.
Recent releases had a check on rel->rd_refcnt in heap_drop_with_catalog,
but failed to cover the possibility of pending trigger events at DROP time.
(Before 8.4 we didn't even check the refcnt.)  When the trigger events were
eventually fired, you'd get "could not open relation with OID nnn" errors,
as in recent report from strk.  Better to throw a suitable error when the
DROP is attempted.

Also add a similar check in DROP INDEX.

Back-patch to all supported branches.
2011-02-15 15:50:11 -05:00
Magnus Hagander
666407566d Undefine setlocale() macro on Win32
New versions of libintl redefine setlocale() to a macro
which causes problems when the backend and libintl are
linked against different versions of the runtime, which
is often the case in msvc builds.

Hiroshi Inoue, slightly updated comment by me
2011-02-01 13:28:06 +01:00
Itagaki Takahiro
9f37a76a1c Fix wrong error reports in 'number of array dimensions exceeds the
maximum allowed' messages, that have reported one-less dimensions.

Alexey Klyukin
2011-02-01 15:48:08 +09:00
Marc G. Fournier
5370e1a001 Tag 8.3.14 2011-01-27 22:24:47 -04:00
Tom Lane
da61f86011 Update release notes.
Security: CVE-2010-4015
2011-01-27 17:47:27 -05:00
Tom Lane
23f2e93aff Prevent buffer overrun while parsing an integer in a "query_int" value.
contrib/intarray's gettoken() uses a fixed-size buffer to collect an
integer's digits, and did not guard against overrunning the buffer.
This is at least a backend crash risk, and in principle might allow
arbitrary code execution.  The code didn't check for overflow of the
integer value either, which while not presenting a crash risk was still
bad.

Thanks to Apple Inc's security team for reporting this issue and supplying
the fix.

Security: CVE-2010-4015
2011-01-27 17:43:34 -05:00
Tom Lane
9ca6020111 Don't include <asm/ia64regs.h> unnecessarily.
We only need that header when compiling with icc, since the gcc variant of
ia64_get_bsp() uses in-line assembly code.  Per report from Frank Brendel,
the header doesn't exist on all IA64 platforms; so don't include it unless
we need it.
2011-01-27 16:29:59 -05:00
Peter Eisentraut
e7a1793f55 Translation updates for release 8.3.14 2011-01-27 23:13:12 +02:00
Tom Lane
a84c4eee2f Update release notes for releases 9.0.3, 8.4.7, 8.3.14, and 8.2.20. 2011-01-27 16:10:08 -05:00
Tom Lane
1a1167a172 Fix pg_restore to do the right thing when escaping large objects.
Specifically, this makes the workflow pg_dump -Fc -> pg_restore -> file
produce correct output for BLOBs when the source database has
standard_conforming_strings turned on.  It was already okay when that was
off, or if pg_restore was told to restore directly into a database.

This is a back-port of commit b1732111f2 of
2009-08-04, with additional changes to emit old-style escaped bytea data
instead of hex-style.  At the time, we had not heard of anyone encountering
the problem in the field, so I judged it not worth the risk of changing
back branches.  Now we do have a report, from Bosco Rama, so back-patch
into 8.2 through 8.4.  9.0 and up are okay already.
2011-01-21 16:22:27 -05:00
Tom Lane
b414dde44c Fix miscalculation of itemsafter in array_set_slice().
If the slice to be assigned to was before the existing array lower bound
(requiring at least one null element to spring into existence to fill the
gap), the code miscalculated how many entries needed to be copied from
the old array's null bitmap.  This could result in trashing the array's
data area (as seen in bug #5840 from Karsten Loesing), or worse.

This has been broken since we first allowed the behavior of assigning to
non-adjacent slices, in 8.2.  Back-patch to all affected versions.
2011-01-17 12:40:51 -05:00
Magnus Hagander
c1bcb1fb61 Revert installation of gram.h in 8.3
To make the buildfarm green again, since there is no file to
copy on msvc, and also given discussion about the necessity
of the file at all...
2011-01-11 11:31:42 +01:00
Magnus Hagander
e6cc57f1fb Ensure the directory for gram.h is created on win32
Result of bad testing of my last commit.
2011-01-09 17:04:09 +01:00
Magnus Hagander
afa5584b25 Properly install gram.h on MSVC builds
This file is now needed by pgAdmin builds, which started
failing since it was missing in the installer builds.
2011-01-09 15:38:54 +01:00
Andrew Dunstan
d61d3c39dd Allow older branches to be built with Visual Studio 2008. This is a backport of commit df0cdd53 to the 8.2, 8.3 and 8.4 branches. 2011-01-04 16:06:51 -05:00