1. 02 Dec, 2019 2 commits
  2. 01 Dec, 2019 2 commits
    • Andrew Dunstan's avatar
      Add dummy versions of new SSL functions for non-SSL builds · c01ac6dc
      Andrew Dunstan authored
      This rectifies an oversight in commit 4dc63552, which caused certain
      builds to fail, especially on Windows.
      c01ac6dc
    • Tom Lane's avatar
      Fix misbehavior with expression indexes on ON COMMIT DELETE ROWS tables. · c35b714c
      Tom Lane authored
      We implement ON COMMIT DELETE ROWS by truncating tables marked that
      way, which requires also truncating/rebuilding their indexes.  But
      RelationTruncateIndexes asks the relcache for up-to-date copies of any
      index expressions, which may cause execution of eval_const_expressions
      on them, which can result in actual execution of subexpressions.
      This is a bad thing to have happening during ON COMMIT.  Manuel Rigger
      reported that use of a SQL function resulted in crashes due to
      expectations that ActiveSnapshot would be set, which it isn't.
      The most obvious fix perhaps would be to push a snapshot during
      PreCommit_on_commit_actions, but I think that would just open the door
      to more problems: CommitTransaction explicitly expects that no
      user-defined code can be running at this point.
      
      Fortunately, since we know that no tuples exist to be indexed, there
      seems no need to use the real index expressions or predicates during
      RelationTruncateIndexes.  We can set up dummy index expressions
      instead (we do need something that will expose the right data type,
      as there are places that build index tupdescs based on this), and
      just ignore predicates and exclusion constraints.
      
      In a green field it'd likely be better to reimplement ON COMMIT DELETE
      ROWS using the same "init fork" infrastructure used for unlogged
      relations.  That seems impractical without catalog changes though,
      and even without that it'd be too big a change to back-patch.
      So for now do it like this.
      
      Per private report from Manuel Rigger.  This has been broken forever,
      so back-patch to all supported branches.
      c35b714c
  3. 30 Nov, 2019 3 commits
    • Andrew Dunstan's avatar
      libq support for sslpassword connection param, DER format keys · 4dc63552
      Andrew Dunstan authored
      This patch providies for support for password protected SSL client
      keys in libpq, and for DER format keys, both encrypted and unencrypted.
      There is a new connection parameter sslpassword, which is supplied to
      the OpenSSL libraries via a callback function. The callback function can
      also be set by an application by calling PQgetSSLKeyPassHook(). There is
      also a function to retreive the connection setting, PQsslpassword().
      
      Craig Ringer and Andrew Dunstan
      
      Reviewed by: Greg Nancarrow
      
      Discussion: https://postgr.es/m/f7ee88ed-95c4-95c1-d4bf-7b415363ab62@2ndQuadrant.com
      4dc63552
    • Tomas Vondra's avatar
      Fix off-by-one error in PGTYPEStimestamp_fmt_asc · 3ff660bb
      Tomas Vondra authored
      When using %b or %B patterns to format a date, the code was simply using
      tm_mon as an index into array of month names. But that is wrong, because
      tm_mon is 1-based, while array indexes are 0-based. The result is we
      either use name of the next month, or a segfault (for December).
      
      Fix by subtracting 1 from tm_mon for both patterns, and add a regression
      test triggering the issue. Backpatch to all supported versions (the bug
      is there far longer, since at least 2003).
      
      Reported-by: Paul Spencer
      Backpatch-through: 9.4
      Discussion: https://postgr.es/m/16143-0d861eb8688d3fef%40postgresql.org
      3ff660bb
    • Amit Kapila's avatar
      Revert commits 290acac9 and 8a7e9e9d. · 98a9b37b
      Amit Kapila authored
      This commit revert the commits to add a test case that tests the 'force'
      option when there is an active backend connected to the database being
      dropped.
      
      This feature internally sends SIGTERM to all the backends connected to the
      database being dropped and then the same is reported to the client.  We
      found that on Windows, the client end of the socket is not able to read
      the data once we close the socket in the server which leads to loss of
      error message which is not what we expect.  We also observed  similar
      behavior in other cases like pg_terminate_backend(),
      pg_ctl kill TERM <pid>.  There are probably a few others like that.  The
      fix for this requires further study.
      
      Discussion: https://postgr.es/m/E1iaD8h-0004us-K9@gemulon.postgresql.org
      98a9b37b
  4. 29 Nov, 2019 5 commits
  5. 28 Nov, 2019 8 commits
  6. 27 Nov, 2019 4 commits
  7. 26 Nov, 2019 4 commits
    • Andrew Dunstan's avatar
      Fix closing stdin in TestLib.pm · 792dba73
      Andrew Dunstan authored
      Commit 9af34f3c naively assumed that all non-windows platforms would
      have pseudoterminals and that perl would have IO::Pty. Such is not the
      case. Instead of assumung anything, test for the presence of IO::Pty and
      only use code that might depend on it if it's present. The test result is
      exposed in $TestLib::have_io_pty so that it can be conveniently used in
      SKIP tests.
      
      Discussion: https://postgr.es/m/20191126044110.GB5435@paquier.xyz
      792dba73
    • Tom Lane's avatar
      Allow access to child table statistics if user can read parent table. · 553d2ec2
      Tom Lane authored
      The fix for CVE-2017-7484 disallowed use of pg_statistic data for
      planning purposes if the user would not be able to select the associated
      column and a non-leakproof function is to be applied to the statistics
      values.  That turns out to disable use of pg_statistic data in some
      common cases involving inheritance/partitioning, where the user does
      have permission to select from the parent table that was actually named
      in the query, but not from a child table whose stats are needed.  Since,
      in non-corner cases, the user *can* select the child table's data via
      the parent, this restriction is not actually useful from a security
      standpoint.  Improve the logic so that we also check the permissions of
      the originally-named table, and allow access if select permission exists
      for that.
      
      When checking access to stats for a simple child column, we can map
      the child column number back to the parent, and perform this test
      exactly (including not allowing access if the child column isn't
      exposed by the parent).  For expression indexes, the current logic
      just insists on whole-table select access, and this patch allows
      access if the user can select the whole parent table.  In principle,
      if the child table has extra columns, this might allow access to
      stats on columns the user can't read.  In practice, it's unlikely
      that the planner is going to do any stats calculations involving
      expressions that are not visible to the query, so we'll ignore that
      fine point for now.  Perhaps someday we'll improve that logic to
      detect exactly which columns are used by an expression index ...
      but today is not that day.
      
      Back-patch to v11.  The issue was created in 9.2 and up by the
      CVE-2017-7484 fix, but this patch depends on the append_rel_array[]
      planner data structure which only exists in v11 and up.  In
      practice the issue is most urgent with partitioned tables, so
      fixing v11 and later should satisfy much of the practical need.
      
      Dilip Kumar and Amit Langote, with some kibitzing by me
      
      Discussion: https://postgr.es/m/3876.1531261875@sss.pgh.pa.us
      553d2ec2
    • Michael Paquier's avatar
      Add safeguards for pg_fsync() called with incorrectly-opened fds · 12198239
      Michael Paquier authored
      On some platforms, fsync() returns EBADFD when opening a file descriptor
      with O_RDONLY (read-only), leading ultimately now to a PANIC to prevent
      data corruption.
      
      This commit adds a new sanity check in pg_fsync() based on fcntl() to
      make sure that we don't repeat again mistakes with incorrectly-set file
      descriptors so as problems are detected at an early stage.  Without
      that, such errors could only be detected after running Postgres on a
      specific supported platform for the culprit code path, which could take
      some time before being found.  b8e19b93 was a fix for such a problem,
      which got undetected for more than 5 years, and a586cc4b fixed another
      similar issue.
      
      Note that the new check added works as well when fsync=off is
      configured, so as all regression tests would detect problems as long as
      assertions are enabled.  fcntl() being not available on Windows, the
      new checks do not happen there.
      
      Author: Michael Paquier
      Reviewed-by: Mark Dilger
      Discussion: https://postgr.es/m/20191009062640.GB21379@paquier.xyz
      12198239
    • Amit Kapila's avatar
      Don't shut down Gather[Merge] early under Limit. · 080313f8
      Amit Kapila authored
      Revert part of commit 19df1702f5.
      
      Early shutdown was added by that commit so that we could collect
      statistics from workers, but unfortunately, it interacted badly with
      rescans.  The problem is that we ended up destroying the parallel context
      which is required for rescans.  This leads to rescans of a Limit node over
      a Gather node to produce unpredictable results as it tries to access
      destroyed parallel context.  By reverting the early shutdown code, we
      might lose statistics in some cases of Limit over Gather [Merge], but that
      will require further study to fix.
      
      Reported-by: Jerry Sievers
      Diagnosed-by: Thomas Munro
      Author: Amit Kapila, testcase by Vignesh C
      Backpatch-through: 9.6
      Discussion: https://postgr.es/m/87ims2amh6.fsf@jsievers.enova.com
      080313f8
  8. 25 Nov, 2019 7 commits
  9. 24 Nov, 2019 5 commits
    • Andrew Dunstan's avatar
      Use native methods to open input in TestLib::slurp_file on Windows. · 114541d5
      Andrew Dunstan authored
      It is hoped that this will avoid some errors that we have seen before,
      but lately with greater frequency, in buildfarm animals.
      
      For now apply only to master. If this proves effective it can be
      backpatched.
      
      Discussion: https://postgr.es/m/13900.1572839580@sss.pgh.pa.us
      
      Author: Juan José Santamaría Flecha
      114541d5
    • Tom Lane's avatar
      Doc: improve discussion of race conditions involved in LISTEN. · d3aa114a
      Tom Lane authored
      The user docs didn't really explain how to use LISTEN safely,
      so clarify that.  Also clean up some fuzzy-headed explanations
      in comments.  No code changes.
      
      Discussion: https://postgr.es/m/3ac7f397-4d5f-be8e-f354-440020675694@gmail.com
      d3aa114a
    • Tom Lane's avatar
      Avoid assertion failure with LISTEN in a serializable transaction. · 6b802cfc
      Tom Lane authored
      If LISTEN is the only action in a serializable-mode transaction,
      and the session was not previously listening, and the notify queue
      is not empty, predicate.c reported an assertion failure.  That
      happened because we'd acquire the transaction's initial snapshot
      during PreCommit_Notify, which was called *after* predicate.c
      expects any such snapshot to have been established.
      
      To fix, just swap the order of the PreCommit_Notify and
      PreCommit_CheckForSerializationFailure calls during CommitTransaction.
      This will imply holding the notify-insertion lock slightly longer,
      but the difference could only be meaningful in serializable mode,
      which is an expensive option anyway.
      
      It appears that this is just an assertion failure, with no
      consequences in non-assert builds.  A snapshot used only to scan
      the notify queue could not have been involved in any serialization
      conflicts, so there would be nothing for
      PreCommit_CheckForSerializationFailure to do except assign it a
      prepareSeqNo and set the SXACT_FLAG_PREPARED flag.  And given no
      conflicts, neither of those omissions affect the behavior of
      ReleasePredicateLocks.  This admittedly once-over-lightly analysis
      is backed up by the lack of field reports of trouble.
      
      Per report from Mark Dilger.  The bug is old, so back-patch to all
      supported branches; but the new test case only goes back to 9.6,
      for lack of adequate isolationtester infrastructure before that.
      
      Discussion: https://postgr.es/m/3ac7f397-4d5f-be8e-f354-440020675694@gmail.com
      Discussion: https://postgr.es/m/13881.1574557302@sss.pgh.pa.us
      6b802cfc
    • Thomas Munro's avatar
      doc: Fix whitespace in syntax. · 1974853d
      Thomas Munro authored
      Back-patch to 10.
      
      Author: Andreas Karlsson
      Discussion: https://postgr.es/m/043acae2-a369-b7fa-be48-1933aa2e82d1%40proxel.se
      1974853d
    • Tom Lane's avatar
      Stabilize NOTIFY behavior by transmitting notifies before ReadyForQuery. · 79002697
      Tom Lane authored
      This patch ensures that, if any notify messages were received during
      a just-finished transaction, they get sent to the frontend just before
      not just after the ReadyForQuery message.  With libpq and other client
      libraries that act similarly, this guarantees that the client will see
      the notify messages as available as soon as it thinks the transaction
      is done.
      
      This probably makes no difference in practice, since in realistic
      use-cases the application would have to cope with asynchronous
      arrival of notify events anyhow.  However, it makes it a lot easier
      to build cross-session-notify test cases with stable behavior.
      I'm a bit surprised now that we've not seen any buildfarm instability
      with the test cases added by commit b10f40bf.  Tests that I intend
      to add in an upcoming bug fix are definitely unstable without this.
      
      Back-patch to 9.6, which is as far back as we can do NOTIFY testing
      with the isolationtester infrastructure.
      
      Discussion: https://postgr.es/m/13881.1574557302@sss.pgh.pa.us
      79002697