1. 11 Feb, 2018 1 commit
    • Tom Lane's avatar
      Fix assorted errors in pg_dump's handling of extended statistics objects. · 5c9f2564
      Tom Lane authored
      pg_dump supposed that a stats object necessarily shares the same schema
      as its underlying table, and that it doesn't have a separate owner.
      These things may have been true during early development of the feature,
      but they are not true as of v10 release.
      
      Failure to track the object's schema separately turns out to have only
      limited consequences, because pg_get_statisticsobjdef() always schema-
      qualifies the target object name in the generated CREATE STATISTICS command
      (a decision out of step with the rest of ruleutils.c, but I digress).
      Therefore the restored object would be in the right schema, so that the
      only problem is that the TOC entry would be mislabeled as to schema.  That
      could lead to wrong decisions for schema-selective restores, for example.
      
      The ownership issue is a bit more serious: not only was the TOC entry
      potentially mislabeled as to owner, but pg_dump didn't bother to issue an
      ALTER OWNER command at all, so that after restore the stats object would
      continue to be owned by the restoring superuser.
      
      A final point is that decisions as to whether to dump a stats object or
      not were driven by whether the underlying table was dumped or not.  While
      that's not wrong on its face, it won't scale nicely to the planned future
      extension to cross-table statistics.  Moreover, that design decision comes
      out of the view of stats objects as being auxiliary to a particular table,
      like a rule or trigger, which is exactly where the above problems came
      from.  Since we're now treating stats objects more like independent objects
      in their own right, they ought to behave like standalone objects for this
      purpose too.  So change to using the generic selectDumpableObject() logic
      for them (which presently amounts to "dump if containing schema is to be
      dumped").
      
      Along the way to fixing this, restructure so that getExtendedStatistics
      collects the identity info (only) for all extended stats objects in one
      query, and then for each object actually being dumped, we retrieve the
      definition in dumpStatisticsExt.  This is necessary to ensure that
      schema-qualification in the generated CREATE STATISTICS command happens
      with respect to the search path that pg_dump will now be using at restore
      time (ie, the schema the stats object is in, not that of the underlying
      table).  It's probably also significantly faster in the typical scenario
      where only a minority of tables have extended stats.
      
      Back-patch to v10 where extended stats were introduced.
      
      Discussion: https://postgr.es/m/18272.1518328606@sss.pgh.pa.us
      5c9f2564
  2. 10 Feb, 2018 3 commits
    • Tom Lane's avatar
      Avoid premature free of pass-by-reference CALL arguments. · d02d4a6d
      Tom Lane authored
      Prematurely freeing the EState used to evaluate CALL arguments led, in some
      cases, to passing dangling pointers to the procedure.  This was masked in
      trivial cases because the argument pointers would point to Const nodes in
      the original expression tree, and in some other cases because the result
      value would end up in the standalone ExprContext rather than in memory
      belonging to the EState --- but that wasn't exactly high quality
      programming either, because the standalone ExprContext was never
      explicitly freed, breaking assorted API contracts.
      
      In addition, using a separate EState for each argument was just silly.
      
      So let's use just one EState, and one ExprContext, and make the latter
      belong to the former rather than be standalone, and clean up the EState
      (and hence the ExprContext) post-call.
      
      While at it, improve the function's commentary a bit.
      
      Discussion: https://postgr.es/m/29173.1518282748@sss.pgh.pa.us
      d02d4a6d
    • Tom Lane's avatar
      Fix oversight in CALL argument handling, and do some minor cleanup. · 65b1d767
      Tom Lane authored
      CALL statements cannot support sub-SELECTs in the arguments of the called
      procedure, since they just use ExecEvalExpr to evaluate such arguments.
      Teach transformSubLink() to reject the case, as it already does for other
      contexts in which subqueries are not supported.
      
      In passing, s/EXPR_KIND_CALL/EXPR_KIND_CALL_ARGUMENT/ to make that enum
      symbol line up more closely with the phrasing of the error messages it is
      associated with.  And fix someone's weak grasp of English grammar in the
      preceding EXPR_KIND_PARTITION_EXPRESSION addition.  Also update an
      incorrect comment in resolve_unique_index_expr (possibly it was correct
      when written, but nowadays transformExpr definitely does reject SRFs here).
      
      Per report from Pavel Stehule --- but this resolves only one of the bugs
      he mentions.
      
      Discussion: https://postgr.es/m/CAFj8pRDxOwPPzpA8i+AQeDQFj7bhVw-dR2==rfWZ3zMGkm568Q@mail.gmail.com
      65b1d767
    • Alvaro Herrera's avatar
      Mention partitioned indexes in "Data Definition" chapter · fad15f4a
      Alvaro Herrera authored
      We can now create indexes more easily than before, so update this
      chapter to use the simpler instructions.
      
      After an idea of Amit Langote.  I (Álvaro) opted to do more invasive
      surgery and remove the previous suggestion to create per-partition
      indexes, which his patch left in place.
      
      Discussion: https://postgr.es/m/eafaaeb1-f0fd-d010-dd45-07db0300f645@lab.ntt.co.jp
      Author: Amit Langote, Álvaro Herrera
      fad15f4a
  3. 09 Feb, 2018 3 commits
  4. 08 Feb, 2018 5 commits
  5. 07 Feb, 2018 7 commits
    • Robert Haas's avatar
      postgres_fdw: Push down UPDATE/DELETE joins to remote servers. · 1bc0100d
      Robert Haas authored
      Commit 0bf3ae88 allowed direct
      foreign table modification; instead of fetching each row, updating
      it locally, and then pushing the modification back to the remote
      side, we would instead do all the work on the remote server via a
      single remote UPDATE or DELETE command.  However, that commit only
      enabled this optimization when join tree consisted only of the
      target table.
      
      This change allows the same optimization when an UPDATE statement
      has a FROM clause or a DELETE statement has a USING clause.  This
      works much like ordinary foreign join pushdown, in that the tables
      must be on the same remote server, relevant parts of the query
      must be pushdown-safe, and so forth.
      
      Etsuro Fujita, reviewed by Ashutosh Bapat, Rushabh Lathia, and me.
      Some formatting corrections by me.
      
      Discussion: http://postgr.es/m/5A57193A.2080003@lab.ntt.co.jp
      Discussion: http://postgr.es/m/b9cee735-62f8-6c07-7528-6364ce9347d0@lab.ntt.co.jp
      1bc0100d
    • Peter Eisentraut's avatar
      Make new triggers tests more robust · 7c44b75a
      Peter Eisentraut authored
      Add explicit collation on the trigger name to avoid locale dependencies.
      Also restrict the tables selected, to avoid interference from
      concurrently running tests.
      7c44b75a
    • Peter Eisentraut's avatar
      Add more information_schema columns · 32ff2691
      Peter Eisentraut authored
      - table_constraints.enforced
      - triggers.action_order
      - triggers.action_reference_old_table
      - triggers.action_reference_new_table
      Reviewed-by: default avatarMichael Paquier <michael.paquier@gmail.com>
      32ff2691
    • Robert Haas's avatar
      Update out-of-date comment in StartupXLOG. · b98a7cd5
      Robert Haas authored
      Commit 4b0d28de should have updated
      this comment, but did not.
      
      Thomas Munro
      
      Discussion: http://postgr.es/m/CAEepm=0iJ8aqQcF9ij2KerAkuHF3SwrVTzjMdm1H4w++nfBf9A@mail.gmail.com
      b98a7cd5
    • Robert Haas's avatar
      Remove prototype for fmgr() function, which no longer exists. · 4815dfa1
      Robert Haas authored
      Commit 5ded4bd2 removed the code
      for this function, but neglected to remove the prototype and
      associated comments.
      
      Dagfinn Ilmari Mannsåker
      
      Discussion: http://postgr.es/m/d8j4lmuxjzk.fsf@dalvik.ping.uio.no
      4815dfa1
    • Magnus Hagander's avatar
      Change default git repo URL to https · 9e039015
      Magnus Hagander authored
      Since we now support the server side handler for git over https (so
      we're no longer using the "dumb protocol"), make https the primary
      choice for cloning the repository, and the git protocol the secondary
      choice.
      
      In passing, also change the links to git-scm.com from http to https.
      
      Reviewed by Stefan Kaltenbrunner and David G. Johnston
      9e039015
    • Tom Lane's avatar
      Support all SQL:2011 options for window frame clauses. · 0a459cec
      Tom Lane authored
      This patch adds the ability to use "RANGE offset PRECEDING/FOLLOWING"
      frame boundaries in window functions.  We'd punted on that back in the
      original patch to add window functions, because it was not clear how to
      do it in a reasonably data-type-extensible fashion.  That problem is
      resolved here by adding the ability for btree operator classes to provide
      an "in_range" support function that defines how to add or subtract the
      RANGE offset value.  Factoring it this way also allows the operator class
      to avoid overflow problems near the ends of the datatype's range, if it
      wishes to expend effort on that.  (In the committed patch, the integer
      opclasses handle that issue, but it did not seem worth the trouble to
      avoid overflow failures for datetime types.)
      
      The patch includes in_range support for the integer_ops opfamily
      (int2/int4/int8) as well as the standard datetime types.  Support for
      other numeric types has been requested, but that seems like suitable
      material for a follow-on patch.
      
      In addition, the patch adds GROUPS mode which counts the offset in
      ORDER-BY peer groups rather than rows, and it adds the frame_exclusion
      options specified by SQL:2011.  As far as I can see, we are now fully
      up to spec on window framing options.
      
      Existing behaviors remain unchanged, except that I changed the errcode
      for a couple of existing error reports to meet the SQL spec's expectation
      that negative "offset" values should be reported as SQLSTATE 22013.
      
      Internally and in relevant parts of the documentation, we now consistently
      use the terminology "offset PRECEDING/FOLLOWING" rather than "value
      PRECEDING/FOLLOWING", since the term "value" is confusingly vague.
      
      Oliver Ford, reviewed and whacked around some by me
      
      Discussion: https://postgr.es/m/CAGMVOdu9sivPAxbNN0X+q19Sfv9edEPv=HibOJhB14TJv_RCQg@mail.gmail.com
      0a459cec
  6. 06 Feb, 2018 3 commits
    • Robert Haas's avatar
      Fix incorrect grammar. · 23209457
      Robert Haas authored
      Etsuro Fujita
      
      Discussion: http://postgr.es/m/5A7981EA.8020201@lab.ntt.co.jp
      23209457
    • Robert Haas's avatar
      Avoid valgrind complaint about write() of uninitalized bytes. · 9fafa413
      Robert Haas authored
      LogicalTapeFreeze() may write out its first block when it is dirty but
      not full, and then immediately read the first block back in from its
      BufFile as a BLCKSZ-width block.  This can only occur in rare cases
      where very few tuples were written out, which is currently only
      possible with parallel external tuplesorts.  To avoid valgrind
      complaints, tell it to treat the tail of logtape.c's buffer as
      defined.
      
      Commit 9da0cc35 exposed this problem
      but did not create it.  LogicalTapeFreeze() has always tended to write
      out some amount of garbage bytes, but previously never wrote less than
      one block of data in total, so the problem was masked.
      
      Per buildfarm members lousyjack and skink.
      
      Peter Geoghegan, based on a suggestion from Tom Lane and me.  Some
      comment revisions by me.
      9fafa413
    • Tom Lane's avatar
      Doc: move info for btree opclass implementors into main documentation. · 3785f7ee
      Tom Lane authored
      Up to now, useful info for writing a new btree opclass has been buried
      in the backend's nbtree/README file.  Let's move it into the SGML docs,
      in preparation for extending it with info about "in_range" functions
      in the upcoming window RANGE patch.
      
      To do this, I chose to create a new chapter for btree indexes in Part VII
      (Internals), parallel to the chapters that exist for the newer index AMs.
      This is a pretty short chapter as-is.  At some point somebody might care
      to flesh it out with more detail about btree internals, but that is
      beyond the scope of my ambition for today.
      
      Discussion: https://postgr.es/m/23141.1517874668@sss.pgh.pa.us
      3785f7ee
  7. 05 Feb, 2018 5 commits
    • Robert Haas's avatar
      Fix possible crash in partition-wise join. · f069c91a
      Robert Haas authored
      The previous code assumed that we'd always succeed in creating
      child-joins for a joinrel for which partition-wise join was considered,
      but that's not guaranteed, at least in the case where dummy rels
      are involved.
      
      Ashutosh Bapat, with some wordsmithing by me.
      
      Discussion: http://postgr.es/m/CAFjFpRf8=uyMYYfeTBjWDMs1tR5t--FgOe2vKZPULxxdYQ4RNw@mail.gmail.com
      f069c91a
    • Tom Lane's avatar
      Last-minute updates for release notes. · 1eb5d43b
      Tom Lane authored
      Security: CVE-2018-1052, CVE-2018-1053
      1eb5d43b
    • Tom Lane's avatar
      Ensure that all temp files made during pg_upgrade are non-world-readable. · a926eb84
      Tom Lane authored
      pg_upgrade has always attempted to ensure that the transient dump files
      it creates are inaccessible except to the owner.  However, refactoring
      in commit 76a7650c broke that for the file containing "pg_dumpall -g"
      output; since then, that file was protected according to the process's
      default umask.  Since that file may contain role passwords (hopefully
      encrypted, but passwords nonetheless), this is a particularly unfortunate
      oversight.  Prudent users of pg_upgrade on multiuser systems would
      probably run it under a umask tight enough that the issue is moot, but
      perhaps some users are depending only on pg_upgrade's umask changes to
      protect their data.
      
      To fix this in a future-proof way, let's just tighten the umask at
      process start.  There are no files pg_upgrade needs to write at a
      weaker security level; and if there were, transiently relaxing the
      umask around where they're created would be a safer approach.
      
      Report and patch by Tom Lane; the idea for the fix is due to Noah Misch.
      Back-patch to all supported branches.
      
      Security: CVE-2018-1053
      a926eb84
    • Tom Lane's avatar
      Fix RelationBuildPartitionKey's processing of partition key expressions. · 3492a0af
      Tom Lane authored
      Failure to advance the list pointer while reading partition expressions
      from a list results in invoking an input function with inappropriate data,
      possibly leading to crashes or, with carefully crafted input, disclosure
      of arbitrary backend memory.
      
      Bug discovered independently by Álvaro Herrera and David Rowley.
      This patch is by Álvaro but owes something to David's proposed fix.
      Back-patch to v10 where the issue was introduced.
      
      Security: CVE-2018-1052
      3492a0af
    • Tom Lane's avatar
      Skip setting up shared instrumentation for Hash node if not needed. · 05d0f13f
      Tom Lane authored
      We don't need to set up the shared space for hash join instrumentation data
      if instrumentation hasn't been requested.  Let's follow the example of the
      similar Sort node code and save a few cycles by skipping that when we can.
      
      This reverts commit d59ff4ab and instead allows us to use the safer choice
      of passing noError = false to shm_toc_lookup in ExecHashInitializeWorker,
      since if we reach that call there should be a TOC entry to be found.
      
      Thomas Munro
      
      Discussion: https://postgr.es/m/E1ehkoZ-0005uW-43%40gemulon.postgresql.org
      05d0f13f
  8. 04 Feb, 2018 3 commits
  9. 03 Feb, 2018 4 commits
  10. 02 Feb, 2018 6 commits
    • Tom Lane's avatar
      Fix another instance of unsafe coding for shm_toc_lookup failure. · d59ff4ab
      Tom Lane authored
      One or another author of commit 5bcf389e seems to have thought that
      computing an offset from a NULL pointer would yield another NULL pointer.
      There may possibly be architectures where that works, but common machines
      don't work like that.  Per a quick code review of places calling
      shm_toc_lookup and not using noError = false.
      d59ff4ab
    • Tom Lane's avatar
      Be more wary about shm_toc_lookup failure. · 957ff087
      Tom Lane authored
      Commit 445dbd82 basically missed the point of commit d4663350,
      which was that we shouldn't allow shm_toc_lookup() failure to lead
      to a core dump or assertion crash, because the odds of such a
      failure should never be considered negligible.  It's correct that
      we can't expect the PARALLEL_KEY_ERROR_QUEUE TOC entry to be there
      if we have no workers.  But if we have no workers, we're not going
      to do anything in this function with the lookup result anyway,
      so let's just skip it.  That lets the code use the easy-to-prove-safe
      noError=false case, rather than anything requiring effort to review.
      
      Back-patch to v10, like the previous commit.
      
      Discussion: https://postgr.es/m/3647.1517601675@sss.pgh.pa.us
      957ff087
    • Tom Lane's avatar
      First-draft release notes for 10.2. · bf641d33
      Tom Lane authored
      As usual, the release notes for other branches will be made by cutting
      these down, but put them up for community review first.
      bf641d33
    • Peter Eisentraut's avatar
      Fix application of identity values in some cases · 533c5d8b
      Peter Eisentraut authored
      Investigation of 2d2d06b7 revealed that
      identity values were not applied in some further cases, including
      logical replication subscribers, VALUES RTEs, and ALTER TABLE ... ADD
      COLUMN.  To fix all that, apply the identity column expression in
      build_column_default() instead of repeating the same logic at each call
      site.
      
      For ALTER TABLE ... ADD COLUMN ... IDENTITY, the previous coding
      completely ignored that existing rows for the new column should have
      values filled in from the identity sequence.  The coding using
      build_column_default() fails for this because the sequence ownership
      isn't registered until after ALTER TABLE, and we can't do it before
      because we don't have the column in the catalog yet.  So we specially
      remember in ColumnDef the sequence name that we decided on and build a
      custom NextValueExpr using that.
      Reviewed-by: default avatarMichael Paquier <michael.paquier@gmail.com>
      533c5d8b
    • Robert Haas's avatar
      Support parallel btree index builds. · 9da0cc35
      Robert Haas authored
      To make this work, tuplesort.c and logtape.c must also support
      parallelism, so this patch adds that infrastructure and then applies
      it to the particular case of parallel btree index builds.  Testing
      to date shows that this can often be 2-3x faster than a serial
      index build.
      
      The model for deciding how many workers to use is fairly primitive
      at present, but it's better than not having the feature.  We can
      refine it as we get more experience.
      
      Peter Geoghegan with some help from Rushabh Lathia.  While Heikki
      Linnakangas is not an author of this patch, he wrote other patches
      without which this feature would not have been possible, and
      therefore the release notes should possibly credit him as an author
      of this feature.  Reviewed by Claudio Freire, Heikki Linnakangas,
      Thomas Munro, Tels, Amit Kapila, me.
      
      Discussion: http://postgr.es/m/CAM3SWZQKM=Pzc=CAHzRixKjp2eO5Q0Jg1SoFQqeXFQ647JiwqQ@mail.gmail.com
      Discussion: http://postgr.es/m/CAH2-Wz=AxWqDoVvGU7dq856S4r6sJAj6DBn7VMtigkB33N5eyg@mail.gmail.com
      9da0cc35
    • Robert Haas's avatar
      Refactor code for partition bound searching · 9aef1731
      Robert Haas authored
      Remove partition_bound_cmp() and partition_bound_bsearch(), whose
      void * argument could be, depending on the situation, of any of
      three different types: PartitionBoundSpec *, PartitionRangeBound *,
      Datum *.
      
      Instead, introduce separate bound-searching functions for each
      situation: partition_list_bsearch, partition_range_bsearch,
      partition_range_datum_bsearch, and partition_hash_bsearch.  This
      requires duplicating the code for binary search, but it makes the
      code much more type safe, involves fewer branches at runtime, and
      at least in my opinion, is much easier to understand.
      
      Along the way, add an option to partition_range_datum_bsearch
      allowing the number of keys to be specified, so that we can search
      for partitions based on a prefix of the full list of partition
      keys.  This is important for pending work to improve partition
      pruning.
      
      Amit Langote, per a suggestion from me.
      
      Discussion: http://postgr.es/m/CA+TgmoaVLDLc8=YESRwD32gPhodU_ELmXyKs77gveiYp+JE4vQ@mail.gmail.com
      9aef1731