1. 08 Jun, 2012 3 commits
  2. 07 Jun, 2012 6 commits
    • Scan the buffer pool just once, not once per fork, during relation drop. · ece01aae
      Tom Lane authored
      This provides a speedup of about 4X when NBuffers is large enough.
      There is also a useful reduction in sinval traffic, since we
      only do CacheInvalidateSmgr() once not once per fork.
      
      Simon Riggs, reviewed and somewhat revised by Tom Lane
    • Documentation spell and markup checking · 5baf6da7
      Peter Eisentraut authored
    • Message style improvements · 5d0109bd
      Peter Eisentraut authored
    • Do unlocked prechecks in bufmgr.c loops that scan the whole buffer pool. · e8d029a3
      Tom Lane authored
      DropRelFileNodeBuffers, DropDatabaseBuffers, FlushRelationBuffers, and
      FlushDatabaseBuffers have to scan the whole shared_buffers pool because
      we have no index structure that would find the target buffers any more
      efficiently than that.  This gets expensive with large NBuffers.  We can
      shave some cycles from these loops by prechecking to see if the current
      buffer is interesting before we acquire the buffer header lock.
      Ordinarily such a test would be unsafe, but in these cases it should be
      safe because we are already assuming that the caller holds a lock that
      prevents any new target pages from being loaded into the buffer pool
      concurrently.  Therefore, no buffer tag should be changing to a value of
      interest, only away from a value of interest.  So a false negative match
      is impossible, while a false positive is safe because we'll recheck after
      acquiring the buffer lock.  Initial testing says that this speeds these
      loops by a factor of 2X to 3X on common Intel hardware.
      
      Patch for DropRelFileNodeBuffers by Jeff Janes (based on an idea of
      Heikki's); extended to the remaining sequential scans by Tom Lane
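The precheck described above, as an added illustration rather than PostgreSQL's bufmgr.c: the BufTag/BufHdr types, the `locked` flag standing in for the buffer header spinlock, and the relation numbers are made up. The only thing that makes the unlocked read of the tag safe is the caller-side lock that forbids new pages of the target relation from being loaded during the scan; the comment on drop_rel_buffers spells that out, and the `precheck` flag lets the two variants be compared by how many header locks they take.

```c
#include <stdbool.h>
#include <string.h>

#define NBUFFERS 8

/* Illustrative stand-ins for PostgreSQL's BufferTag / BufferDesc. */
typedef struct { unsigned relnode; unsigned fork; unsigned block; } BufTag;

typedef struct {
    BufTag tag;        /* page identity; may only be changed while `locked` */
    bool   valid;
    int    locked;     /* stands in for the buffer header spinlock */
} BufHdr;

static BufHdr pool[NBUFFERS];
static unsigned long header_locks_taken;   /* instrumentation for the example */

static void hdr_lock(BufHdr *b)   { b->locked = 1; header_locks_taken++; }
static void hdr_unlock(BufHdr *b) { b->locked = 0; }

static void pool_init(void)
{
    memset(pool, 0, sizeof pool);
    header_locks_taken = 0;
}

/* Setup only: pretend a page of (relnode, fork, block) was read into `slot`.
 * A real pool would do this under the header lock via the pin/IO path. */
static void pool_load(int slot, unsigned relnode, unsigned fork, unsigned block)
{
    pool[slot].tag.relnode = relnode;
    pool[slot].tag.fork = fork;
    pool[slot].tag.block = block;
    pool[slot].valid = true;
}

static int count_rel_buffers(unsigned relnode)
{
    int n = 0;
    for (int i = 0; i < NBUFFERS; i++)
        if (pool[i].valid && pool[i].tag.relnode == relnode)
            n++;
    return n;
}

/*
 * Drop every buffer of `relnode`; returns how many were invalidated.
 *
 * Precondition, exactly as the commit message states: the caller holds a
 * lock that stops any new page of `relnode` from being loaded into the pool
 * while we scan. Under that precondition a buffer's tag can only change
 * *away* from `relnode` (when it is evicted), never toward it, so an
 * unlocked read of tag.relnode cannot give a false negative. A stale false
 * positive is harmless because we recheck after taking the header lock.
 * Without that caller-side lock the precheck would be unsafe.
 */
static int drop_rel_buffers(unsigned relnode, bool precheck)
{
    int dropped = 0;
    for (int i = 0; i < NBUFFERS; i++) {
        BufHdr *b = &pool[i];
        if (precheck && b->tag.relnode != relnode)
            continue;                    /* unlocked precheck: cheap skip */
        hdr_lock(b);
        if (b->valid && b->tag.relnode == relnode) {   /* locked recheck */
            b->valid = false;
            memset(&b->tag, 0, sizeof b->tag);
            dropped++;
        }
        hdr_unlock(b);
    }
    return dropped;
}

static unsigned long locks_taken(void) { return header_locks_taken; }

int main(void)
{
    pool_init();
    pool_load(0, 16384, 0, 0);
    pool_load(1, 16384, 0, 1);
    pool_load(2, 16385, 0, 0);
    pool_load(3, 16384, 1, 0);       /* another fork of the same relation */
    drop_rel_buffers(16384, true);   /* takes 3 header locks, not NBUFFERS */
    return 0;
}
```

With `precheck` false every header lock in the pool is taken; with it true only the three candidate buffers are locked, which is where the 2X to 3X the message reports comes from.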
    • Wake WALSender to reduce data loss at failover for async commit. · 2c8a4e9b
      Simon Riggs authored
      WALSender now woken up after each background flush by WALwriter, avoiding
      multi-second replication delay for an all-async commit workload.
      Replication delay reduced from 7s with default settings to 200ms and often
      much less, allowing significantly reduced data loss at failover.
      
      Andres Freund and Simon Riggs
    • Fix more crash-safe visibility map bugs, and improve comments. · b50991ee
      Robert Haas authored
      In lazy_scan_heap, we could issue bogus warnings about incorrect
      information in the visibility map, because we checked the visibility
      map bit before locking the heap page, creating a race condition.  Fix
      by rechecking the visibility map bit before we complain.  Rejigger
      some related logic so that we rely on the possibly-outdated
      all_visible_according_to_vm value as little as possible.
      
      In heap_multi_insert, it's not safe to clear the visibility map bit
      before beginning the critical section.  The visibility map is not
      crash-safe unless we treat clearing the bit as a critical operation.
      Specifically, if the transaction were to error out after we set the
      bit and before entering the critical section, we could end up writing
      the heap page to disk (with the bit cleared) and crashing before the
      visibility map page made it to disk.  That would be bad.  heap_insert
      has this correct, but somehow the order of operations got rearranged
      when heap_multi_insert was added.
      
      Also, add some more comments to visibilitymap_test, lazy_scan_heap,
      and IndexOnlyNext, expounding on concurrency issues.
      
      Per extensive code review by Andres Freund, and further review by Tom
      Lane, who also made the original report about the bogus warnings.
  3. 05 Jun, 2012 5 commits
    • Use strerror(errno) instead of %m · 92135ea0
      Magnus Hagander authored
      Found by Fujii Masao
    • Fix typo · 1e57c2c5
      Magnus Hagander authored
      Noted by Erik Rijkers
    • Fix bogus handling of control characters in json_lex_string(). · 3dd8e596
      Tom Lane authored
      The original coding misbehaved if "char" is signed, and also made the
      extremely poor decision to print control characters literally when trying
      to complain about them.  Report and patch by Shigeru Hanada.
      
      In passing, also fix core dump risk in report_parse_error() should the
      parse state be something other than what it expects.
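Added example, not the json.c code itself: the two mistakes the message describes, each beside a corrected form. The signedness problem is written with an explicit `signed char` so it reproduces even on platforms where plain `char` is unsigned, and `format_for_error` is a hypothetical helper showing the escaping an error path should apply before echoing attacker-supplied input into a log or an error message.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/*
 * Buggy classification. A JSON lexer only needs to reject the bytes
 * 0x00-0x1F inside a string, but when `char` is a signed type every byte
 * >= 0x80 (the lead and continuation bytes of any non-ASCII UTF-8
 * character) is negative and so also compares below 0x20. Declared with
 * `signed char` here so the bug is reproducible everywhere.
 */
static bool is_control_buggy(signed char c)
{
    return c < 0x20;
}

/* Fixed: compare the unsigned byte value. */
static bool is_control_fixed(char c)
{
    return (unsigned char) c < 0x20;
}

/* Index of the first raw control character in s[0..n), or -1 if none. */
static int find_bad_control(const char *s, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (is_control_fixed(s[i]))
            return (int) i;
    return -1;
}

/*
 * Render input for an error message. Anything outside printable ASCII is
 * shown as \xNN, so a control byte in bad JSON cannot inject terminal escape
 * sequences or line breaks into the server log or the client's error text.
 * Returns the bytes written (excluding the NUL); stops early if `out` fills.
 */
static size_t format_for_error(const char *s, size_t n, char *out, size_t outsz)
{
    size_t w = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char) s[i];
        if (c >= 0x20 && c < 0x7f) {
            if (w + 1 >= outsz)
                break;
            out[w++] = (char) c;
        } else {
            if (w + 4 >= outsz)
                break;
            w += (size_t) snprintf(out + w, outsz - w, "\\x%02x", c);
        }
    }
    out[w] = '\0';
    return w;
}

int main(void)
{
    char buf[64];
    /* constructed input: an ANSI colour escape and a newline inside a string */
    format_for_error("a\x1b[31mX\n", 8, buf, sizeof buf);
    return find_bad_control("caf\xC3\xA9", 5) == -1 ? 0 : 1;
}
```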
    • Fix some more bugs in contrib/xml2's xslt_process(). · d9b31e48
      Tom Lane authored
      It failed to check for error return from xsltApplyStylesheet(), as reported
      by Peter Gagarinov.  (So far as I can tell, libxslt provides no convenient
      way to get a useful error message in failure cases.  There might be some
      inconvenient way, but considering that this code is deprecated it's hard to
      get enthusiastic about putting lots of work into it.  So I just made it say
      "failed to apply stylesheet", in line with the existing error checks.)
      
      While looking at the code I also noticed that the string returned by
      xsltSaveResultToString was never freed, resulting in a session-lifespan
      memory leak.
      
      Back-patch to all supported versions.
  4. 03 Jun, 2012 1 commit
    • Fix memory leaks in failure paths in buildACLCommands and parseAclItem. · d73b7f97
      Tom Lane authored
      This is currently only cosmetic, since all the call sites just curl up
      and die in event of a failure return.  It might be important for some
      future use-case, though, and in any case it quiets warnings from the
      clang static analyzer (as reported by Anna Zaks).
      
      Josh Kupershmidt
  5. 01 Jun, 2012 8 commits
  6. 31 May, 2012 7 commits
    • Stamp 9.2beta2. · 4bec93ac
      Tom Lane authored
    • 51ecf52c
      Tom Lane authored
    • a04dc87d
      Tom Lane authored
    • Only throw recovery conflicts when InHotStandby. Bug fix to recent · a2b516da
      Simon Riggs authored
      patch to allow Index Only Scans on Hot Standby.
      
      Bug report from Jaime Casanova
    • Update time zone data files to tzdata release 2012c. · c8105e62
      Tom Lane authored
      DST law changes in Antarctica, Armenia, Chile, Cuba, Falkland Islands,
      Gaza, Haiti, Hebron, Morocco, Syria, Tokelau Islands.
      Historical corrections for Canada.
    • Force PL and range-type support functions to be owned by a superuser. · ad0009e7
      Tom Lane authored
      We allow non-superusers to create procedural languages (with restrictions)
      and range datatypes.  Previously, the automatically-created support
      functions for these objects ended up owned by the creating user.  This
      represents a rather considerable security hazard, because the owning user
      might be able to alter a support function's definition in such a way as to
      crash the server, inject trojan-horse SQL code, or even execute arbitrary
      C code directly.  It appears that right now the only actually exploitable
      problem is the infinite-recursion bug fixed in the previous patch for
      CVE-2012-2655.  However, it's not hard to imagine that future additions of
      more ALTER FUNCTION capability might unintentionally open up new hazards.
      To forestall future problems, cause these support functions to be owned by
      the bootstrap superuser, not the user creating the parent object.
    • Ignore SECURITY DEFINER and SET attributes for a PL's call handler. · 33c6eaf7
      Tom Lane authored
      It's not very sensible to set such attributes on a handler function;
      but if one were to do so, fmgr.c went into infinite recursion because
      it would call fmgr_security_definer instead of the handler function proper.
      There is no way for fmgr_security_definer to know that it ought to call the
      handler and not the original function referenced by the FmgrInfo's fn_oid,
      so it tries to do the latter, causing the whole process to start over
      again.
      
      Ordinarily such misconfiguration of a procedural language's handler could
      be written off as superuser error.  However, because we allow non-superuser
      database owners to create procedural languages and the handler for such a
      language becomes owned by the database owner, it is possible for a database
      owner to crash the backend, which ideally shouldn't be possible without
      superuser privileges.  In 9.2 and up we will adjust things so that the
      handler functions are always owned by superusers, but in existing branches
      this is a minor security fix.
      
      Problem noted by Noah Misch (after several of us had failed to detect
      it :-().  This is CVE-2012-2655.
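A toy model of the recursion, as an added example rather than fmgr.c itself: the catalog rows, oids and function names are invented, and a depth counter stands in for the real stack overflow. With `fix_enabled` false the handler's SECURITY DEFINER attribute is honoured and the wrapper re-resolves the PL function forever; with it true the handler is resolved with ignore_security = true, as the message describes, while SECURITY DEFINER on the PL function itself still works.

```c
#include <stdbool.h>
#include <stddef.h>

typedef unsigned Oid;
struct FmgrInfo;
typedef int (*PGFunction)(struct FmgrInfo *finfo);

typedef struct FmgrInfo {
    Oid        fn_oid;   /* the function the caller asked for */
    PGFunction fn_addr;  /* what fmgr actually calls for it */
} FmgrInfo;

/* Made-up language and function oids for the toy catalog. */
enum { LANG_INTERNAL = 1, LANG_PLTOY = 2 };
enum { OID_HANDLER = 100, OID_PLFUNC = 200, OID_SECDEF_PLFUNC = 201 };

typedef struct {
    Oid        oid;
    Oid        lang;
    bool       secdef;   /* SECURITY DEFINER (or SET ...) attribute */
    PGFunction addr;     /* C entry point; only for LANG_INTERNAL */
} ProcEntry;

typedef struct { Oid oid; Oid handler; } LangEntry;

static int toy_handler(FmgrInfo *finfo);
static int fmgr_security_definer(FmgrInfo *finfo);

/* Toy pg_proc / pg_language: the PL's handler has been given SECURITY DEFINER. */
static const ProcEntry procs[] = {
    { OID_HANDLER,       LANG_INTERNAL, true,  toy_handler },
    { OID_PLFUNC,        LANG_PLTOY,    false, NULL },
    { OID_SECDEF_PLFUNC, LANG_PLTOY,    true,  NULL },
};
static const LangEntry langs[] = { { LANG_PLTOY, OID_HANDLER } };

static bool fix_enabled;   /* false = pre-fix behaviour */
static int  depth;         /* recursion guard standing in for a stack overflow */
#define MAX_DEPTH 64

static const ProcEntry *lookup_proc(Oid oid)
{
    for (size_t i = 0; i < sizeof procs / sizeof procs[0]; i++)
        if (procs[i].oid == oid)
            return &procs[i];
    return NULL;
}

static const LangEntry *lookup_lang(Oid oid)
{
    for (size_t i = 0; i < sizeof langs / sizeof langs[0]; i++)
        if (langs[i].oid == oid)
            return &langs[i];
    return NULL;
}

/* Decide what to call for `oid`; `ignore_security` says whether a SECURITY
 * DEFINER/SET attribute routes the call through fmgr_security_definer. */
static void fmgr_info_cxt_security(Oid oid, FmgrInfo *finfo, bool ignore_security)
{
    const ProcEntry *p = lookup_proc(oid);
    finfo->fn_oid = oid;
    if (p->secdef && !ignore_security) {
        finfo->fn_addr = fmgr_security_definer;
        return;
    }
    if (p->lang == LANG_INTERNAL) {
        finfo->fn_addr = p->addr;
    } else {
        /* A PL function runs via its language's call handler. The fix is to
         * resolve the handler with ignore_security = true: its own SECURITY
         * DEFINER/SET attributes are meaningless and, if honoured, send us
         * back through fmgr_security_definer without end. */
        FmgrInfo hinfo;
        fmgr_info_cxt_security(lookup_lang(p->lang)->handler, &hinfo, fix_enabled);
        finfo->fn_addr = hinfo.fn_addr;
    }
}

static int call_function(FmgrInfo *finfo)
{
    if (++depth > MAX_DEPTH) { depth--; return -1; }   /* "stack depth exceeded" */
    int r = finfo->fn_addr(finfo);
    depth--;
    return r;
}

/* Wrapper: would switch user id / apply SET, then call the real fn_oid. It
 * cannot know it should call the handler, so it re-resolves fn_oid. */
static int fmgr_security_definer(FmgrInfo *finfo)
{
    FmgrInfo inner;
    fmgr_info_cxt_security(finfo->fn_oid, &inner, true);
    return call_function(&inner);
}

static int toy_handler(FmgrInfo *finfo)   /* "execute the PL function body" */
{
    if (finfo->fn_oid == OID_PLFUNC) return 42;
    if (finfo->fn_oid == OID_SECDEF_PLFUNC) return 43;
    return 0;
}

/* Call a PL function; -1 means the recursion guard tripped. */
static int run_pl_function(Oid oid, bool fixed)
{
    FmgrInfo f;
    fix_enabled = fixed;
    depth = 0;
    fmgr_info_cxt_security(oid, &f, false);
    return call_function(&f);
}
```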
  7. 30 May, 2012 6 commits
    • Expand the allowed range of timezone offsets to +/-15:59:59 from Greenwich. · cd0ff9c0
      Tom Lane authored
      We used to only allow offsets less than +/-13 hours, then it was +/-14,
      then it was +/-15.  That's still not good enough though, as per today's bug
      report from Patric Bechtel.  This time I actually looked through the Olson
      timezone database to find the largest offsets used anywhere.  The winners
      are Asia/Manila, at -15:56:00 until 1844, and America/Metlakatla, at
      +15:13:42 until 1867.  So we'd better allow offsets less than +/-16 hours.
      
      Given the history, we are way overdue to have some greppable #define
      symbols controlling this, so make some ... and also remove an obsolete
      comment that didn't get fixed the last time.
      
      Back-patch to all supported branches.
    • Fix two more bugs in fast-path relation locking. · 07ab1383
      Robert Haas authored
      First, the previous code failed to account for the fact that, during Hot
      Standby operation, the startup process takes AccessExclusiveLocks on
      relations without setting MyDatabaseId.  This resulted in fast path
      strong lock counts failing to be incremented when the startup process
      took locks, which in turn allowed conflicting lock requests to succeed
      when they should not have.  Report by Erik Rijkers, diagnosis by Heikki
      Linnakangas.
      
      Second, LockReleaseAll() failed to honor the allLocks and lockmethodid
      restrictions with respect to fast-path locks.  It's not clear to me
      whether this produces any user-visible breakage at the moment, but it's
      certainly wrong.  Rearrange order of operations in LockReleaseAll to fix.
      Noted by Tom Lane.
    • Fix incorrect password transformation in contrib/pgcrypto's DES crypt(). · 932ded2e
      Tom Lane authored
      Overly tight coding caused the password transformation loop to stop
      examining input once it had processed a byte equal to 0x80.  Thus, if the
      given password string contained such a byte (which is possible though not
      highly likely in UTF8, and perhaps also in other non-ASCII encodings), all
      subsequent characters would not contribute to the hash, making the password
      much weaker than it appears on the surface.
      
      This would only affect cases where applications used DES crypt() to encode
      passwords before storing them in the database.  If a weak password has been
      created in this fashion, the hash will stop matching after this update has
      been applied, so it will be easy to tell if any passwords were unexpectedly
      weak.  Changing to a different password would be a good idea in such a case.
      (Since DES has been considered inadequately secure for some time, changing
      to a different encryption algorithm can also be recommended.)
      
      This code, and the bug, are shared with at least PHP, FreeBSD, and OpenBSD.
      Since the other projects have already published their fixes, there is no
      point in trying to keep this commit private.
      
      This bug has been assigned CVE-2012-2143, and credit for its discovery goes
      to Rubin Xu and Joseph Bonneau.
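Added example, not pgcrypto's crypt-des.c, though it follows the key-setup loop shape shared by the BSD-derived DES crypt() family: the loop before and after the fix, and a helper that checks whether two passwords yield the same DES key. The input byte is cast to unsigned before shifting so the example is well defined C; the truncation of 0x100 to 0 that causes the bug is unaffected by that cast.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

typedef void (*SetKeyFn)(const char *, uint8_t *);

/*
 * Pre-fix loop. The value of the assignment (the shifted byte, truncated to
 * uint8) doubles as the "any input left?" test. For the byte 0x80,
 * 0x80 << 1 == 0x100, which truncates to 0: the loop never advances `key`
 * again and pads the rest of the DES key with zeros, exactly as if the
 * password had ended at that byte. (Only the first 8 bytes ever reach the
 * key; that limit is inherent to DES crypt(), not part of this bug.)
 */
static void des_setkey_buggy(const char *key, uint8_t keybuf[8])
{
    uint8_t *q = keybuf;
    while (q - keybuf - 8)
    {
        if ((*q++ = (uint8_t) ((unsigned char) *key << 1)))
            key++;
    }
}

/* Post-fix loop: test the input byte for NUL, independent of what was stored. */
static void des_setkey_fixed(const char *key, uint8_t keybuf[8])
{
    uint8_t *q = keybuf;
    while (q - keybuf - 8)
    {
        *q++ = (uint8_t) ((unsigned char) *key << 1);
        if (*key != '\0')
            key++;
    }
}

/* True if two passwords yield the same DES key under the given setup routine. */
static bool keys_collide(const char *a, const char *b, SetKeyFn setkey)
{
    uint8_t ka[8], kb[8];
    setkey(a, ka);
    setkey(b, kb);
    return memcmp(ka, kb, 8) == 0;
}

int main(void)
{
    /* Constructed passwords: "k" + U+0100 (UTF-8 C4 80) + four ASCII chars.
     * Under the buggy loop both collapse to the same key. */
    return keys_collide("k\xC4\x80left", "k\xC4\x80righ", des_setkey_buggy)
        && !keys_collide("k\xC4\x80left", "k\xC4\x80righ", des_setkey_fixed) ? 0 : 1;
}
```

Because the fixed loop produces a different key for any password containing 0x80, stored DES crypt() hashes of such passwords stop verifying after the fix, which is the detection signal the message describes.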
    • Change the way parent pages are tracked during buffered GiST build. · d1996ed5
      Heikki Linnakangas authored
      We used to mimic the way a stack is constructed when descending the tree
      during normal GiST inserts, but that was quite complicated during a buffered
      build. It was also wrong: in GiST, the left-to-right relationships on
      different levels might not match each other, so that when you know the
      parent of a child page, you won't necessarily find the parent of the page to
      the right of the child page by following the rightlinks at the parent level.
      This sometimes led to "could not re-find parent" errors while building a
      GiST index.
      
      We now use a simple hash table to track the parent of every internal page.
      Whenever a page is split, and downlinks are moved from one page to another,
      we update the hash table accordingly. This is also better for performance
      than the old method, as we never need to move right to re-find the parent
      page, which could take a significant amount of time for buffers that were
      created much earlier in the index build.
    • Delete the temporary file used in buffered GiST build, after the build. · be02b168
      Heikki Linnakangas authored
      There were two bugs here: We forgot to call gistFreeBuildBuffers() function
      at the end of build, and we passed interXact == true to BufFileCreateTemp,
      so the file wasn't automatically cleaned up at end-of-transaction either.
    • Rewrite --section option to decouple it from --schema-only/--data-only. · 4317e024
      Tom Lane authored
      The initial implementation of pg_dump's --section option supposed that the
      existing --schema-only and --data-only options could be made equivalent to
      --section settings.  This is wrong, though, due to dubious but long since
      set-in-stone decisions about where to dump SEQUENCE SET items, as seen in
      bug report from Martin Pitt.  (And I'm not totally convinced there weren't
      other bugs, either.)  Undo that coupling and instead drive --section
      filtering off current-section state tracked as we scan through the TOC
      list to call _tocEntryRequired().
      
      To make sure those decisions don't shift around and hopefully save a few
      cycles, run _tocEntryRequired() only once per TOC entry and save the result
      in a new TOC field.  This required minor rejiggering of ACL handling but
      also allows a far cleaner implementation of inhibit_data_for_failed_table.
      
      Also, to ensure that pg_dump and pg_restore have the same behavior with
      respect to the --section switches, add _tocEntryRequired() filtering to
      WriteToc() and WriteDataChunks(), rather than trying to implement section
      filtering in an entirely orthogonal way in dumpDumpableObject().  This
      required adjusting the handling of the special ENCODING and STDSTRINGS
      items, but they were pretty weird before anyway.
      
      Minor other code review for the patch, too.
  8. 29 May, 2012 3 commits
    • Fix integer overflow bug in GiST buffering build calculations. · 4bc6fb57
      Heikki Linnakangas authored
      The result of (maintenance_work_mem * 1024) / BLCKSZ doesn't fit in a signed
      32-bit integer, if maintenance_work_mem >= 2GB. Use double instead. And
      while we're at it, write the calculations in an easier to understand form,
      with the intermediary steps written out and commented.
    • Teach AbortOutOfAnyTransaction to clean up partially-started transactions. · 2755abf3
      Tom Lane authored
      AbortOutOfAnyTransaction failed to do anything if the state it saw on
      entry corresponded to failing partway through StartTransaction.  I fixed
      AbortCurrentTransaction to cope with that case way back in commit
      60b2444c, but evidently overlooked that
      AbortOutOfAnyTransaction should do likewise.
      
      Back-patch to all supported branches.  It's not clear that this omission
      has any more-than-cosmetic consequences, but it's also not clear that it
      doesn't, so back-patching seems the least risky choice.
    • Eliminate some more O(N^2) behaviors in pg_dump/pg_restore. · c89bdf76
      Tom Lane authored
      This patch fixes three places (which AFAICT is all of them) where runtime
      was O(N^2) in the number of TOC entries, by using an index array to replace
      linear searches of the TOC list.  This performance issue is a bit less bad
      than those recently fixed, because it depends on the number of items dumped
      not the number in the source database, so the problem can be dodged by
      doing partial dumps.
      
      The previous coding already had an instance of one of the two index arrays
      needed, but it was only calculated in parallel-restore cases; now we need
      it all the time.  I also chose to move the arrays into the ArchiveHandle
      data structure, to make this code a bit more ready for the day that we
      try to sling multiple ArchiveHandles around in pg_dump or pg_restore.
      
      Since we still need some server-side work before pg_dump can really cope
      nicely with tens of thousands of tables, there's probably little point in
      back-patching.
  9. 28 May, 2012 1 commit
    • libpq: URI parsing fixes · 2d612abd
      Peter Eisentraut authored
      Drop special handling of host component with slashes to mean
      Unix-domain socket.  Specify it as separate parameter or using
      percent-encoding now.
      
      Allow omitting username, password, and port even if the corresponding
      designators are present in URI.
      
      Handle percent-encoding in query parameter keywords.
      
      Alex Shulgin
      
      some documentation improvements by myself
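Added example, not libpq's URI parser: a strict percent-decoder and query-string splitter of the kind the fixes above call for, exercised on a constructed socket-directory host (`%2Fvar%2Frun%2Fpostgresql`, the form a host with slashes must now take) and a percent-encoded keyword. Rejecting truncated or non-hex escapes and a decoded NUL byte are this example's choices, not claims about libpq's behaviour.

```c
#include <string.h>

static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/*
 * Decode %XX escapes in s[0..n) into `out`. Returns the decoded length, or
 * -1 for a truncated escape ("%" or "%2" at end of input), a non-hex escape
 * ("%zz"), a decoded NUL (which would silently truncate the C string the
 * value becomes), or an output buffer that is too small.
 */
static int percent_decode(const char *s, size_t n, char *out, size_t outsz)
{
    size_t w = 0;
    for (size_t i = 0; i < n; i++) {
        if (w + 1 >= outsz)
            return -1;
        if (s[i] != '%') {
            out[w++] = s[i];
            continue;
        }
        if (i + 2 >= n)
            return -1;
        int hi = hexval(s[i + 1]), lo = hexval(s[i + 2]);
        if (hi < 0 || lo < 0 || (hi == 0 && lo == 0))
            return -1;
        out[w++] = (char) (hi * 16 + lo);
        i += 2;
    }
    out[w] = '\0';
    return (int) w;
}

typedef struct { char key[32]; char value[64]; } KV;

/*
 * Split "k1=v1&k2=v2" into decoded pairs. Keywords are percent-decoded too,
 * so "application%5Fname" is recognised as application_name. Returns the
 * number of pairs, or -1 on a malformed segment or too many pairs.
 */
static int parse_query(const char *q, KV *kv, int max)
{
    int count = 0;
    while (*q) {
        const char *amp = strchr(q, '&');
        size_t len = amp ? (size_t) (amp - q) : strlen(q);
        const char *eq = memchr(q, '=', len);
        if (!eq || count == max)
            return -1;
        size_t klen = (size_t) (eq - q);
        if (percent_decode(q, klen, kv[count].key, sizeof kv[count].key) < 0)
            return -1;
        if (percent_decode(eq + 1, len - klen - 1, kv[count].value, sizeof kv[count].value) < 0)
            return -1;
        count++;
        q += len;
        if (*q == '&')
            q++;
    }
    return count;
}

int main(void)
{
    char host[64];
    KV kv[4];
    /* constructed inputs: the socket directory as a URI host, and two options */
    if (percent_decode("%2Fvar%2Frun%2Fpostgresql", 25, host, sizeof host) < 0)
        return 1;
    return parse_query("application%5Fname=my%20app&sslmode=require", kv, 4) == 2 ? 0 : 1;
}
```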