1. 12 Jun, 2015 9 commits
    • Andrew Dunstan's avatar
      Fix "path" infrastructure bug affecting jsonb_set() · 2271d002
      Andrew Dunstan authored
      jsonb_set() and other clients of the setPathArray() utility function
      could get spurious results when an array integer subscript is provided
      that is not within the range of int.
      
      To fix, ensure that the value returned by strtol() within setPathArray()
      is within the range of int;  when it isn't, assume an invalid input in
      line with existing, similar cases.  The path-orientated operators that
      appeared in PostgreSQL 9.3 and 9.4 do not call setPathArray(), and
      already independently take this precaution, so no change there.
      
      Peter Geoghegan
      2271d002
    • Tom Lane's avatar
      Fix failure to cover scalar-vs-rowtype cases in exec_stmt_return(). · ae58f143
      Tom Lane authored
      In commit 9e3ad1aa I modified plpgsql
      to use exec_stmt_return's simple-variables fast path in more cases.
      However, I overlooked that there are really two different return
      conventions in use here, depending on whether estate->retistuple is true,
      and the existing fast-path code had only bothered to handle one of them.
      So trying to return a scalar in a function returning composite, or vice
      versa, could lead to unexpected error messages (typically "cache lookup
      failed for type 0") or to a null-pointer-dereference crash.
      
      In the DTYPE_VAR case, we can just throw error if retistuple is true,
      corresponding to what happens in the general-expression code path that was
      being used previously.  (Perhaps someday both of these code paths should
      attempt a coercion, but today is not that day.)
      
      In the REC and ROW cases, just hand the problem to exec_eval_datum()
      when not retistuple.  Also clean up the ROW coding slightly so it looks
      more like exec_eval_datum().
      
      The previous commit also caused exec_stmt_return_next() to be used in
      more cases, but that code seems to be OK as-is.
      
      Per off-list report from Serge Rielau.  This bug is new in 9.5 so no need
      to back-patch.
      ae58f143
    • Tom Lane's avatar
      Improve error message and hint for ALTER COLUMN TYPE can't-cast failure. · b0098234
      Tom Lane authored
      We already tried to improve this once, but the "improved" text was rather
      off-target if you had provided a USING clause.  Also, it seems helpful
      to provide the exact text of a suggested USING clause, so users can just
      copy-and-paste it when needed.  Per complaint from Keith Rarick and a
      suggestion from Merlin Moncure.
      
      Back-patch to 9.2 where the current wording was adopted.
      b0098234
    • Fujii Masao's avatar
      Make postmaster restart archiver soon after it dies, even during recovery. · b5fe6203
      Fujii Masao authored
      After the archiver dies, postmaster tries to start a new one immediately.
      But previously this could happen only while server was running normally
      even though archiving was enabled always (i.e., archive_mode was set to
      always). So the archiver running during recovery could not restart soon
      after it died. This is an oversight in commit ffd37740.
      
      This commit changes reaper(), postmaster's signal handler to cleanup
      after a child process dies, so that it tries to a new archiver even during
      recovery if necessary.
      
      Patch by me. Review by Alvaro Herrera.
      b5fe6203
    • Michael Meskes's avatar
      Fixed some memory leaks in ECPG. · 96ad72d1
      Michael Meskes authored
      Patch by Michael Paquier
      96ad72d1
    • Michael Meskes's avatar
      Fix intoasc() in Informix compat lib. This function used to be a noop. · 82be1bf5
      Michael Meskes authored
      Patch by Michael Paquier
      82be1bf5
    • Fujii Masao's avatar
      Fix alphabetization in catalogs.sgml. · 091c02a9
      Fujii Masao authored
      System catalogs and views should be listed alphabetically
      in catalog.sgml, but only pg_file_settings view not.
      
      This patch also fixes typos in pg_file_settings comments.
      091c02a9
    • Fujii Masao's avatar
      Clean up useless mention of RMGRDESCSOURCES in pg_rewind Makefile. · cd3cff47
      Fujii Masao authored
      RMGRDESCSOURCES is defined and used only in pg_xlogdump Makefile,
      but pg_rewind Makefile mentioned it as extra files to remove in "make clean".
      This patch removes that useless mention from pg_rewind Makefile.
      
      Michael Paquier
      cd3cff47
    • Bruce Momjian's avatar
      release notes: add links to doc sections · 66447916
      Bruce Momjian authored
      66447916
  2. 11 Jun, 2015 11 commits
  3. 10 Jun, 2015 4 commits
  4. 09 Jun, 2015 3 commits
  5. 08 Jun, 2015 6 commits
    • Alvaro Herrera's avatar
      Fix typos · 94232c90
      Alvaro Herrera authored
      tablesapce -> tablespace
      there -> their
      
      These were introduced in 72d422a5, so no need to backpatch.
      94232c90
    • Fujii Masao's avatar
      Refactor WAL segment copying code. · 7abc6859
      Fujii Masao authored
      * Remove unused argument "dstfname" and related code from XLogFileCopy().
      
      * Previously XLogFileCopy() returned a pstrdup'd string so that
      InstallXLogFileSegment() used it later. Since the pstrdup'd string was never
      free'd, there could be a risk of memory leak. It was almost harmless because
      the startup process exited just after calling XLogFileCopy(), it existed.
      This commit changes XLogFileCopy() so that it directly calls
      InstallXLogFileSegment() and doesn't call pstrdup() at all. Which fixes that
      memory leak problem.
      
      * Extend InstallXLogFileSegment() so that the caller can specify the log level.
      Which allows us to emit an error when InstallXLogFileSegment() fails a disk
      file access like link() and rename(). Previously it was always logged with
      LOG level and additionally needed to be logged with ERROR when we wanted
      to treat it as an error.
      
      Michael Paquier
      7abc6859
    • Andres Freund's avatar
      Allow HotStandbyActiveInReplay() to be called in single user mode. · d1b95821
      Andres Freund authored
      HotStandbyActiveInReplay, introduced in 061b079f, only allowed WAL
      replay to happen in the startup process, missing the single user case.
      
      This buglet is fairly harmless as it only causes problems when single
      user mode in an assertion enabled build is used to replay a btree vacuum
      record.
      
      Backpatch to 9.2. 061b079f was backpatched further, but the assertion
      was not.
      d1b95821
    • Andrew Dunstan's avatar
      Clarify documentation of jsonb - text · 94d6727d
      Andrew Dunstan authored
      Peter Geoghegan
      94d6727d
    • Andrew Dunstan's avatar
      Desupport jsonb subscript deletion on objects · b81c7b40
      Andrew Dunstan authored
      Supporting deletion of JSON pairs within jsonb objects using an
      array-style integer subscript allowed for surprising outcomes.  This was
      mostly due to the implementation-defined ordering of pairs within
      objects for jsonb.
      
      It also seems desirable to make jsonb integer subscript deletion
      consistent with the 9.4 era general purpose integer subscripting
      operator for jsonb (although that operator returns NULL when an object
      is encountered, while we prefer here to throw an error).
      
      Peter Geoghegan, following discussion on -hackers.
      b81c7b40
    • Peter Eisentraut's avatar
      doc: Fix broken links in FOP build · d23a3a60
      Peter Eisentraut authored
      FOP doesn't handle links to table rows, so put the link to a cell
      instead.
      d23a3a60
  6. 07 Jun, 2015 1 commit
    • Tom Lane's avatar
      Use a safer method for determining whether relcache init file is stale. · f3b5565d
      Tom Lane authored
      When we invalidate the relcache entry for a system catalog or index, we
      must also delete the relcache "init file" if the init file contains a copy
      of that rel's entry.  The old way of doing this relied on a specially
      maintained list of the OIDs of relations present in the init file: we made
      the list either when reading the file in, or when writing the file out.
      The problem is that when writing the file out, we included only rels
      present in our local relcache, which might have already suffered some
      deletions due to relcache inval events.  In such cases we correctly decided
      not to overwrite the real init file with incomplete data --- but we still
      used the incomplete initFileRelationIds list for the rest of the current
      session.  This could result in wrong decisions about whether the session's
      own actions require deletion of the init file, potentially allowing an init
      file created by some other concurrent session to be left around even though
      it's been made stale.
      
      Since we don't support changing the schema of a system catalog at runtime,
      the only likely scenario in which this would cause a problem in the field
      involves a "vacuum full" on a catalog concurrently with other activity, and
      even then it's far from easy to provoke.  Remarkably, this has been broken
      since 2002 (in commit 78634044), but we had
      never seen a reproducible test case until recently.  If it did happen in
      the field, the symptoms would probably involve unexpected "cache lookup
      failed" errors to begin with, then "could not open file" failures after the
      next checkpoint, as all accesses to the affected catalog stopped working.
      Recovery would require manually removing the stale "pg_internal.init" file.
      
      To fix, get rid of the initFileRelationIds list, and instead consult
      syscache.c's list of relations used in catalog caches to decide whether a
      relation is included in the init file.  This should be a tad more efficient
      anyway, since we're replacing linear search of a list with ~100 entries
      with a binary search.  It's a bit ugly that the init file contents are now
      so directly tied to the catalog caches, but in practice that won't make
      much difference.
      
      Back-patch to all supported branches.
      f3b5565d
  7. 05 Jun, 2015 3 commits
    • Tom Lane's avatar
      Get rid of a //-style comment. · 1497369e
      Tom Lane authored
      Not sure how "//XXX" got into a committed patch in the first place,
      as it's both content-free and against project style.  pgindent made a
      bit of a hash of it, too.
      
      Going forward, we should have at least one buildfarm member using
      "gcc -ansi" to catch such things, at least till such time as we
      decide the project target language isn't C90 any more.  I've turned
      this option on on dromedary.
      1497369e
    • Tom Lane's avatar
      Fix incorrect order of database-locking operations in InitPostgres(). · ac23b711
      Tom Lane authored
      We should set MyProc->databaseId after acquiring the per-database lock,
      not beforehand.  The old way risked deadlock against processes trying to
      copy or delete the target database, since they would first acquire the lock
      and then wait for processes with matching databaseId to exit; that left a
      window wherein an incoming process could set its databaseId and then block
      on the lock, while the other process had the lock and waited in vain for
      the incoming process to exit.
      
      CountOtherDBBackends() would time out and fail after 5 seconds, so this
      just resulted in an unexpected failure not a permanent lockup, but it's
      still annoying when it happens.  A real-world example of a use-case is that
      short-duration connections to a template database should not cause CREATE
      DATABASE to fail.
      
      Doing it in the other order should be fine since the contract has always
      been that processes searching the ProcArray for a database ID must hold the
      relevant per-database lock while searching.  Thus, this actually removes
      the former race condition that required an assumption that storing to
      MyProc->databaseId is atomic.
      
      It's been like this for a long time, so back-patch to all active branches.
      ac23b711
    • Robert Haas's avatar
      Cope with possible failure of the oldest MultiXact to exist. · 068cfadf
      Robert Haas authored
      Recent commits, mainly b69bf30b and
      53bb309d, introduced mechanisms to
      protect against wraparound of the MultiXact member space: the number
      of multixacts that can exist at one time is limited to 2^32, but the
      total number of members in those multixacts is also limited to 2^32,
      and older code did not take care to enforce the second limit,
      potentially allowing old data to be overwritten while it was still
      needed.
      
      Unfortunately, these new mechanisms failed to account for the fact
      that the code paths in which they run might be executed during
      recovery or while the cluster was in an inconsistent state.  Also,
      they failed to account for the fact that users who used pg_upgrade
      to upgrade a PostgreSQL version between 9.3.0 and 9.3.4 might have
      might oldestMultiXid = 1 in the control file despite the true value
      being larger.
      
      To fix these problems, first, avoid unnecessarily examining the
      mmembers of MultiXacts when the cluster is not known to be consistent.
      TruncateMultiXact has done this for a long time, and this patch does
      not fix that.  But the new calls used to prevent member wraparound
      are not needed until we reach normal running, so avoid calling them
      earlier.  (SetMultiXactIdLimit is actually called before InRecovery
      is set, so we can't rely on that; we invent our own multixact-specific
      flag instead.)
      
      Second, make failure to look up the members of a MultiXact a non-fatal
      error.  Instead, if we're unable to determine the member offset at
      which wraparound would occur, postpone arming the member wraparound
      defenses until we are able to do so.  If we're unable to determine the
      member offset that should force autovacuum, force it continuously
      until we are able to do so.  If we're unable to deterine the member
      offset at which we should truncate the members SLRU, log a message and
      skip truncation.
      
      An important consequence of these changes is that anyone who does have
      a bogus oldestMultiXid = 1 value in pg_control will experience
      immediate emergency autovacuuming when upgrading to a release that
      contains this fix.  The release notes should highlight this fact.  If
      a user has no pg_multixact/offsets/0000 file, but has oldestMultiXid = 1
      in the control file, they may wish to vacuum any tables with
      relminmxid = 1 prior to upgrading in order to avoid an immediate
      emergency autovacuum after the upgrade.  This must be done with a
      PostgreSQL version 9.3.5 or newer and with vacuum_multixact_freeze_min_age
      and vacuum_multixact_freeze_table_age set to 0.
      
      This patch also adds an additional log message at each database server
      startup, indicating either that protections against member wraparound
      have been engaged, or that they have not.  In the latter case, once
      autovacuum has advanced oldestMultiXid to a sane value, the message
      indicating that the guards have been engaged will appear at the next
      checkpoint.  A few additional messages have also been added at the DEBUG1
      level so that the correct operation of this code can be properly audited.
      
      Along the way, this patch fixes another, related bug in TruncateMultiXact
      that has existed since PostgreSQL 9.3.0: when no MultiXacts exist at
      all, the truncation code looks up NextMultiXactId, which doesn't exist
      yet.  This can lead to TruncateMultiXact removing every file in
      pg_multixact/offsets instead of keeping one around, as it should.
      This in turn will cause the database server to refuse to start
      afterwards.
      
      Patch by me.  Review by Álvaro Herrera, Andres Freund, Noah Misch, and
      Thomas Munro.
      068cfadf
  8. 04 Jun, 2015 3 commits