Commit Graph

23945 Commits

Author SHA1 Message Date
Magnus Hagander
9c6cfdc239 Fix for early log messages during postmaster startup getting lost when
running as a service on Win32.

Per report from Harald Armin Massa.

Backpatch to 8.2.
2007-02-11 15:12:21 +00:00
Bruce Momjian
d6c1e1682c Fix bug when localized to_char() day or month names were incorectly
trnasformed to lower or upper string.

Backpatch to 8.2.X.

Pavel Stehule
2007-02-08 20:33:54 +00:00
Tom Lane
d1be38cc7d Fix an ancient logic error in plpgsql's exec_stmt_block: it thought it could
get away with not (re)initializing a local variable if the variable is marked
"isconst" and not "isnull".  Unfortunately it makes this decision after having
already freed the old value, meaning that something like

   for i in 1..10 loop
     declare c constant text := 'hi there';

leads to subsequent accesses to freed memory, and hence probably crashes.
(In particular, this is why Asif Ali Rehman's bug leads to crash and not
just an unexpectedly-NULL value for SQLERRM: SQLERRM is marked CONSTANT
and so triggers this error.)

The whole thing seems wrong on its face anyway: CONSTANT means that you can't
change the variable inside the block, not that the initializer expression is
guaranteed not to change value across successive block entries.  Hence,
remove the "optimization" instead of trying to fix it.
2007-02-08 18:37:43 +00:00
Tom Lane
799290b1c5 Rearrange use of plpgsql_add_initdatums() so that only the parsing of a
DECLARE section needs to know about it.  Formerly, everyplace besides DECLARE
that created variables needed to do "plpgsql_add_initdatums(NULL)" to prevent
those variables from being sucked up as part of a subsequent DECLARE block.
This is obviously error-prone, and in fact the SQLSTATE/SQLERRM patch had
failed to do it for those two variables, leading to the bug recently exhibited
by Asif Ali Rehman: a DECLARE within an exception handler tried to reinitialize
SQLERRM.

Although the SQLSTATE/SQLERRM patch isn't in any pre-8.1 branches, and so
I can't point to a demonstrable failure there, it seems wise to back-patch
this into the older branches anyway, just to keep the logic similar to HEAD.
2007-02-08 18:37:38 +00:00
Bruce Momjian
760f4823e6 This patch fixes shared_preload_libraries on Windows hosts. It forces
each backend to re-load all shared_preload_libraries.

Backpatch to 8.2.X.

Korry Douglas
2007-02-08 17:04:48 +00:00
Bruce Momjian
e1c266493c Update URL for "Generalized Partial Indexes" paper to point to a cached
version.

Backpatch to 8.2.X.
2007-02-08 04:31:41 +00:00
Bruce Momjian
76f46f5cf6 Document that wal_sync_method open_* methods use O_DIRECT, if available.
Backpatch to 8.2.X.
2007-02-08 03:57:52 +00:00
Bruce Momjian
d015e14880 Stamp releases notes for 8.2.3, 8.1.8, 8.0.12. 2007-02-07 04:23:01 +00:00
Tom Lane
18b0d7de09 Fix PG_VERSION_NUM too. 2007-02-07 03:59:30 +00:00
Bruce Momjian
98e08d1aa0 Stamp releases 8.2.3, 8.1.8, 8.0.12. No release notes yet. 2007-02-07 03:48:58 +00:00
Bruce Momjian
0b36bbf8f2 Update FAQ for 8.2.3. 2007-02-07 03:16:59 +00:00
Tom Lane
04dc48b528 Fix an error in the original coding of holdable cursors: PersistHoldablePortal
thought that it didn't have to reposition the underlying tuplestore if the
portal is atEnd.  But this is not so, because tuplestores have separate read
and write cursors ... and the read cursor hasn't moved from the start.
This mistake explains bug #2970 from William Zhang.

Note: the coding here is pretty inefficient, but given that no one has noticed
this bug until now, I'd say hardly anyone uses the case where the cursor has
been advanced before being persisted.  So maybe it's not worth worrying about.
2007-02-06 22:49:30 +00:00
Bruce Momjian
b93d4a75a0 Backpatch FAQs to 8.2.X branch. 2007-02-06 18:38:04 +00:00
Tom Lane
8d24b8bd7a Remove typmod checking from the recent security-related patches. It turns
out that ExecEvalVar and friends don't necessarily have access to a tuple
descriptor with correct typmod: it definitely can contain -1, and possibly
might contain other values that are different from the Var's value.
Arguably this should be cleaned up someday, but it's not a simple change,
and in any case typmod discrepancies don't pose a security hazard.
Per reports from numerous people :-(

I'm not entirely sure whether the failure can occur in 8.0 --- the simple
test cases reported so far don't trigger it there.  But back-patch the
change all the way anyway.
2007-02-06 17:35:27 +00:00
Michael Meskes
33623b51b6 Backported regression test changes from HEAD so the buildfarm hopefully gets green again. 2007-02-06 10:48:28 +00:00
Michael Meskes
b8dd3a8604 Backported va_list handling cleanup 2007-02-06 09:41:44 +00:00
Tom Lane
a95abdf856 Fix a performance regression in 8.2: optimization of MIN/MAX into indexscans
had stopped working for tables buried inside views or sub-selects.  This is
because I had gotten rid of the simplify_jointree() preprocessing step, and
optimize_minmax_aggregates() wasn't smart enough to deal with a non-canonical
FromExpr.  Per gripe from Bill Howe.
2007-02-06 06:50:33 +00:00
Tom Lane
5338847fcd Not only did we agree that this 'hint' doesn't belong here, but the
markup's broken.  So just remove it...
2007-02-06 03:05:00 +00:00
Bruce Momjian
de9acc94f1 Trim down environment variable instructions for Win32, backpatch to 8.2.X. 2007-02-05 22:18:18 +00:00
Andrew Dunstan
e7c63e522c Pass modern COPY syntax to backend, since copy (query) does not accept old syntax. Per complaint from Michael Fuhr. 2007-02-05 15:23:24 +00:00
Tom Lane
54111e9511 Don't MAXALIGN in the checks to decide whether a tuple is over TOAST's
threshold for tuple length.  On 4-byte-MAXALIGN machines, the toast code
creates tuples that have t_len exactly TOAST_TUPLE_THRESHOLD ... but this
number is not itself maxaligned, so if heap_insert maxaligns t_len before
comparing to TOAST_TUPLE_THRESHOLD, it'll uselessly recurse back to
tuptoaster.c, wasting cycles.  (It turns out that this does not happen on
8-byte-MAXALIGN machines, because for them the outer MAXALIGN in the
TOAST_MAX_CHUNK_SIZE macro reduces TOAST_MAX_CHUNK_SIZE so that toast tuples
will be less than TOAST_TUPLE_THRESHOLD in size.  That MAXALIGN is really
incorrect, but we can't remove it now, see below.)  There isn't any particular
value in maxaligning before comparing to the thresholds, so just don't do
that, which saves a small number of cycles in itself.

These numbers should be rejiggered to minimize wasted space on toast-relation
pages, but we can't do that in the back branches because changing
TOAST_MAX_CHUNK_SIZE would force an initdb (by changing the contents of toast
tables).  We can move the toast decision thresholds a bit, though, which is
what this patch effectively does.

Thanks to Pavan Deolasee for discovering the unintended recursion.

Back-patch into 8.2, but not further, pending more testing.  (HEAD is about
to get a further patch modifying the thresholds, so it won't help much
for testing this form of the patch.)
2007-02-04 20:00:49 +00:00
Bruce Momjian
e5352a2556 Update wording. 2007-02-04 04:00:33 +00:00
Bruce Momjian
1015fd53b6 Add documentation for Windows on how to set an environment variable.
Backpatch to 8.2.X.
2007-02-04 03:58:58 +00:00
Bruce Momjian
d68f1ecbe2 Document that a client-only install using:
gmake -C src/bin install

does install a few server-only binaries.
2007-02-03 23:01:13 +00:00
Bruce Momjian
554d3a683c Fix configure detection code when --with-ldap and --enable-thread-safety
are both used.

Backpatch to 8.2.X.

Albe Laurenz
2007-02-03 02:47:35 +00:00
Neil Conway
3714d82f76 Reword suggestion that libpq.dll be installed in WINNT\SYSTEM32 under
Windows. Per Magnus Hagander, this is not recommended.
2007-02-02 16:10:10 +00:00
Tom Lane
d06a16c589 Stamp release 8.2.2.
Security: CVE-2007-0555, CVE-2007-0556
2007-02-02 00:14:22 +00:00
Tom Lane
40cf433eb6 Update release notes for security-related releases in all active branches.
Security: CVE-2007-0555, CVE-2007-0556
2007-02-02 00:10:33 +00:00
Tom Lane
23326cd18b Repair failure to check that a table is still compatible with a previously
made query plan.  Use of ALTER COLUMN TYPE creates a hazard for cached
query plans: they could contain Vars that claim a column has a different
type than it now has.  Fix this by checking during plan startup that Vars
at relation scan level match the current relation tuple descriptor.  Since
at that point we already have at least AccessShareLock, we can be sure the
column type will not change underneath us later in the query.  However,
since a backend's locks do not conflict against itself, there is still a
hole for an attacker to exploit: he could try to execute ALTER COLUMN TYPE
while a query is in progress in the current backend.  Seal that hole by
rejecting ALTER TABLE whenever the target relation is already open in
the current backend.

This is a significant security hole: not only can one trivially crash the
backend, but with appropriate misuse of pass-by-reference datatypes it is
possible to read out arbitrary locations in the server process's memory,
which could allow retrieving database content the user should not be able
to see.  Our thanks to Jeff Trout for the initial report.

Security: CVE-2007-0556
2007-02-02 00:07:28 +00:00
Tom Lane
78e039cc2c Repair insufficiently careful type checking for SQL-language functions:
we should check that the function code returns the claimed result datatype
every time we parse the function for execution.  Formerly, for simple
scalar result types we assumed the creation-time check was sufficient, but
this fails if the function selects from a table that's been redefined since
then, and even more obviously fails if check_function_bodies had been OFF.

This is a significant security hole: not only can one trivially crash the
backend, but with appropriate misuse of pass-by-reference datatypes it is
possible to read out arbitrary locations in the server process's memory,
which could allow retrieving database content the user should not be able
to see.  Our thanks to Jeff Trout for the initial report.

Security: CVE-2007-0555
2007-02-02 00:03:17 +00:00
Bruce Momjian
14a866b18d Mention file system replication as a high availability solution in the
shared hardware section, and mention DRBD as a popular solution.
2007-02-01 21:03:00 +00:00
Tom Lane
b7c9821146 Fix plpgsql so that when a local variable has no initial-value expression,
an error will be thrown correctly if the variable is of a NOT NULL domain.
Report and almost-correct fix from Sergiy Vyshnevetskiy (bug #2948).
2007-02-01 19:23:00 +00:00
Neil Conway
3c7d9add71 Backpatch last night's fix for broken markup to the 8.2 branch. 2007-02-01 19:18:14 +00:00
Bruce Momjian
e3b12f76af Add 8.2.0 "Incomatibilities" documentation that pg_dump's -n and -t
behavior has changed.
2007-02-01 05:12:46 +00:00
Bruce Momjian
da45866c42 Backpatch FAQs to stable branch. 2007-02-01 04:56:41 +00:00
Peter Eisentraut
1762c4316e Translation updates 2007-01-31 08:33:34 +00:00
Bruce Momjian
8c14912cc1 Document need for periodic REINDEX in VACUUM FULL cases. 2007-01-31 04:13:28 +00:00
Bruce Momjian
e2d6898827 Update documentation for backslashes to mention escape string syntax
more, and standard_conforming_strings less, because in the future non-E
strings will not treat backslashes specially.

Also use E'' strings where backslashes are used in examples. (The
existing examples would have drawn warnings.)

Backpatch to 8.2.X.
2007-01-30 22:29:40 +00:00
Tom Lane
08c17d6e56 Repair oversights in the mechanism used to store compiled plpgsql functions.
The original coding failed (tried to access deallocated memory) if there were
two active call sites (fn_extra pointers) for the same function and the
function definition was updated.  Also, if an update of a recursive function
was detected upon nested entry to the function, the existing compiled version
was summarily deallocated, resulting in crash upon return to the outer
instance.  Problem observed while studying a bug report from Sergiy
Vyshnevetskiy.

Bug does not exist before 8.1 since older versions just leaked the memory of
obsoleted compiled functions, rather than trying to reclaim it.
2007-01-30 22:05:20 +00:00
Tom Lane
971230dfbb Add SPI_push/SPI_pop calls so that datatype input and output functions called
by plpgsql can themselves use SPI --- possibly indirectly, as in the case
of domain_in() invoking plpgsql functions in a domain check constraint.
Per bug #2945 from Sergiy Vyshnevetskiy.

Somewhat arbitrarily, I've chosen to back-patch this as far as 8.0.  Given
the lack of prior complaints, it doesn't seem critical for 7.x.
2007-01-30 18:02:28 +00:00
Bruce Momjian
c22f642f2f Clarify paramater handling for pg_get_serial_sequence(). 2007-01-30 02:32:05 +00:00
Tom Lane
01d9754bd9 Repair oversight in creation of "append relations": we should set up
rel->tuples as well as rel->rows, since some estimation functions expect both
to be valid in every baserel.  Per report from Dave Dutcher.
2007-01-28 18:50:48 +00:00
Tom Lane
8a114e0031 Fix up plpgsql's "simple expression" evaluation mechanism so that it behaves
safely in the presence of subtransactions.  To ensure that any ExprContext
shutdown callbacks are called at the right times, we have to have a separate
EState for each level of subtransaction.  Per "TupleDesc reference leak" bug
report from Stefan Kaltenbrunner.

Although I'm convinced the code is wrong as far back as 8.0, it doesn't seem
that there are any ways for the problem to really manifest before 8.2: AFAICS,
8.0 and 8.1 only use the ExprContextCallback mechanism to handle set-returning
functions, which cannot usefully be executed in a "simple expression" anyway.
Hence, no backpatch before 8.2 --- the risk of unforeseen breakage seems
to outweigh the chance of fixing something.
2007-01-28 16:15:58 +00:00
Tom Lane
e96164dd71 Dept of second thoughts: the IQ of estimate_array_length() needs to be
kept on par with that of scalararraysel(), else estimates that should
track might not.  Hence teach it about binary-compatible cases, too.
2007-01-28 02:53:42 +00:00
Tom Lane
ff3c2e4e46 Fix scalararraysel() to cope with binary-compatible cases, such as text[]
versus varchar[].  This oversight probably explains Ryan Holmes' recent
complaint --- he was getting a generic selectivity estimate instead of
anything intelligent.
2007-01-28 01:37:45 +00:00
Tom Lane
223cd82c1d Correct an old logic error in btree page splitting: when considering a split
exactly at the point where we need to insert a new item, the calculation used
the wrong size for the "high key" of the new left page.  This could lead to
choosing an unworkable split, resulting in "PANIC: failed to add item to the
left sibling" (or "right sibling") failure.  Although this bug has been there
a long time, it's very difficult to trigger a failure before 8.2, since there
was generally a lot of free space on both sides of a chosen split.  In 8.2,
where the user-selected fill factor determines how much free space the code
tries to leave, an unworkable split is much more likely.  Report by Joe
Conway, diagnosis and fix by Heikki Linnakangas.
2007-01-27 20:53:36 +00:00
Tom Lane
cb476c1ec3 Back-port changes of Jan 16 and 17 to "revoke" pending fsync requests during
DROP TABLE and DROP DATABASE.  Should prevent unexpected "permission denied"
failures on Windows, and is cleaner on other platforms too since we no longer
have to take it on faith that ENOENT is okay during an fsync attempt.

Patched as far back as 8.1; per recent discussion I think we are not going
to worry about Windows-specific issues in 8.0 anymore.
2007-01-27 20:15:47 +00:00
Tom Lane
043fcd6616 On Windows, use pgwin32_waitforsinglesocket() instead of select() to wait for
input in the stats collector.  Our select() emulation is apparently buggy
for UDP sockets :-(.  This should resolve problems with stats collection
(and hence autovacuum) failing under more than minimal load.  Diagnosis
and patch by Magnus Hagander.

Patch probably needs to be back-ported to 8.1 and 8.0, but first let's
see if it makes the buildfarm happy...
2007-01-26 20:07:01 +00:00
Bruce Momjian
ebe2830613 Properly detoast access to bytea field pg_trigger.tgargs. Old code
might cause server crash.

Backpatch to 8.2.X.
2007-01-25 04:17:56 +00:00
Tom Lane
4e978c4e27 Get pg_utf_mblen(), pg_utf2wchar_with_len(), and utf2ucs() all on the same
page about the maximum UTF8 sequence length we support (4 bytes since 8.1,
3 before that).  pg_utf2wchar_with_len never got updated to support 4-byte
characters at all, and in any case had a buffer-overrun risk in that it
could produce multiple pg_wchars from what mblen claims to be just one UTF8
character.  The only reason we don't have a major security hole is that most
callers allocate worst-case output buffers; the sole exception in released
versions appears to be pre-8.2 iwchareq() (ie, ILIKE), which can be crashed
due to zeroing out its return address --- but AFAICS that can't be exploited
for anything more than a crash, due to inability to control what gets written
there.  Per report from James Russell and Michael Fuhr.

Pre-8.1 the risk is much less, but I still think pg_utf2wchar_with_len's
behavior given an incomplete final character risks buffer overrun, so
back-patch that logic change anyway.

This patch also makes sure that UTF8 sequences exceeding the supported
length (whichever it is) are consistently treated as error cases, rather
than being treated like a valid shorter sequence in some places.
2007-01-24 17:12:23 +00:00