1. 10 Jun, 2012 5 commits
  2. 09 Jun, 2012 1 commit
  3. 08 Jun, 2012 3 commits
  4. 07 Jun, 2012 6 commits
    • Scan the buffer pool just once, not once per fork, during relation drop. · ece01aae
      Tom Lane authored
      This provides a speedup of about 4X when NBuffers is large enough.
      There is also a useful reduction in sinval traffic, since we
      only do CacheInvalidateSmgr() once, not once per fork.

      Simon Riggs, reviewed and somewhat revised by Tom Lane
    • Documentation spell and markup checking · 5baf6da7
      Peter Eisentraut authored
    • Message style improvements · 5d0109bd
      Peter Eisentraut authored
    • Do unlocked prechecks in bufmgr.c loops that scan the whole buffer pool. · e8d029a3
      Tom Lane authored
      DropRelFileNodeBuffers, DropDatabaseBuffers, FlushRelationBuffers, and
      FlushDatabaseBuffers have to scan the whole shared_buffers pool because
      we have no index structure that would find the target buffers any more
      efficiently than that.  This gets expensive with large NBuffers.  We can
      shave some cycles from these loops by prechecking to see if the current
      buffer is interesting before we acquire the buffer header lock.
      Ordinarily such a test would be unsafe, but in these cases it should be
      safe because we are already assuming that the caller holds a lock that
      prevents any new target pages from being loaded into the buffer pool
      concurrently.  Therefore, no buffer tag should be changing to a value of
      interest, only away from a value of interest.  So a false negative match
      is impossible, while a false positive is safe because we'll recheck after
      acquiring the buffer lock.  Initial testing says that this speeds these
      loops by a factor of 2X to 3X on common Intel hardware.

      Patch for DropRelFileNodeBuffers by Jeff Janes (based on an idea of
      Heikki's); extended to the remaining sequential scans by Tom Lane
    • Wake WALSender to reduce data loss at failover for async commit. · 2c8a4e9b
      Simon Riggs authored
      WALSender is now woken up after each background flush by WALwriter, avoiding
      multi-second replication delay for an all-async commit workload.
      Replication delay reduced from 7s with default settings to 200ms and often
      much less, allowing significantly reduced data loss at failover.

      Andres Freund and Simon Riggs
    • Fix more crash-safe visibility map bugs, and improve comments. · b50991ee
      Robert Haas authored
      In lazy_scan_heap, we could issue bogus warnings about incorrect
      information in the visibility map, because we checked the visibility
      map bit before locking the heap page, creating a race condition.  Fix
      by rechecking the visibility map bit before we complain.  Rejigger
      some related logic so that we rely on the possibly-outdated
      all_visible_according_to_vm value as little as possible.

      In heap_multi_insert, it's not safe to clear the visibility map bit
      before beginning the critical section.  The visibility map is not
      crash-safe unless we treat clearing the bit as a critical operation.
      Specifically, if the transaction were to error out after we set the
      bit and before entering the critical section, we could end up writing
      the heap page to disk (with the bit cleared) and crashing before the
      visibility map page made it to disk.  That would be bad.  heap_insert
      has this correct, but somehow the order of operations got rearranged
      when heap_multi_insert was added.

      Also, add some more comments to visibilitymap_test, lazy_scan_heap,
      and IndexOnlyNext, expounding on concurrency issues.

      Per extensive code review by Andres Freund, and further review by Tom
      Lane, who also made the original report about the bogus warnings.
  5. 05 Jun, 2012 5 commits
    • Use strerror(errno) instead of %m · 92135ea0
      Magnus Hagander authored
      Found by Fujii Masao
    • Fix typo · 1e57c2c5
      Magnus Hagander authored
      Noted by Erik Rijkers
    • Fix bogus handling of control characters in json_lex_string(). · 3dd8e596
      Tom Lane authored
      The original coding misbehaved if "char" is signed, and also made the
      extremely poor decision to print control characters literally when trying
      to complain about them.  Report and patch by Shigeru Hanada.

      In passing, also fix core dump risk in report_parse_error() should the
      parse state be something other than what it expects.
    • Fix some more bugs in contrib/xml2's xslt_process(). · d9b31e48
      Tom Lane authored
      It failed to check for error return from xsltApplyStylesheet(), as reported
      by Peter Gagarinov.  (So far as I can tell, libxslt provides no convenient
      way to get a useful error message in failure cases.  There might be some
      inconvenient way, but considering that this code is deprecated it's hard to
      get enthusiastic about putting lots of work into it.  So I just made it say
      "failed to apply stylesheet", in line with the existing error checks.)

      While looking at the code I also noticed that the string returned by
      xsltSaveResultToString was never freed, resulting in a session-lifespan
      memory leak.

      Back-patch to all supported versions.
  6. 03 Jun, 2012 1 commit
    • Fix memory leaks in failure paths in buildACLCommands and parseAclItem. · d73b7f97
      Tom Lane authored
      This is currently only cosmetic, since all the call sites just curl up
      and die in event of a failure return.  It might be important for some
      future use-case, though, and in any case it quiets warnings from the
      clang static analyzer (as reported by Anna Zaks).

      Josh Kupershmidt
  7. 01 Jun, 2012 8 commits
  8. 31 May, 2012 7 commits
    • Stamp 9.2beta2. · 4bec93ac
      Tom Lane authored
    • 51ecf52c
      Tom Lane authored
    • a04dc87d
      Tom Lane authored
    • Only throw recovery conflicts when InHotStandby. Bug fix to recent patch to allow Index Only Scans on Hot Standby. · a2b516da
      Simon Riggs authored

      Bug report from Jaime Casanova
    • Update time zone data files to tzdata release 2012c. · c8105e62
      Tom Lane authored
      DST law changes in Antarctica, Armenia, Chile, Cuba, Falkland Islands,
      Gaza, Haiti, Hebron, Morocco, Syria, Tokelau Islands.
      Historical corrections for Canada.
    • Force PL and range-type support functions to be owned by a superuser. · ad0009e7
      Tom Lane authored
      We allow non-superusers to create procedural languages (with restrictions)
      and range datatypes.  Previously, the automatically-created support
      functions for these objects ended up owned by the creating user.  This
      represents a rather considerable security hazard, because the owning user
      might be able to alter a support function's definition in such a way as to
      crash the server, inject trojan-horse SQL code, or even execute arbitrary
      C code directly.  It appears that right now the only actually exploitable
      problem is the infinite-recursion bug fixed in the previous patch for
      CVE-2012-2655.  However, it's not hard to imagine that future additions of
      more ALTER FUNCTION capability might unintentionally open up new hazards.
      To forestall future problems, cause these support functions to be owned by
      the bootstrap superuser, not the user creating the parent object.
    • Ignore SECURITY DEFINER and SET attributes for a PL's call handler. · 33c6eaf7
      Tom Lane authored
      It's not very sensible to set such attributes on a handler function;
      but if one were to do so, fmgr.c went into infinite recursion because
      it would call fmgr_security_definer instead of the handler function proper.
      There is no way for fmgr_security_definer to know that it ought to call the
      handler and not the original function referenced by the FmgrInfo's fn_oid,
      so it tries to do the latter, causing the whole process to start over
      again.

      Ordinarily such misconfiguration of a procedural language's handler could
      be written off as superuser error.  However, because we allow non-superuser
      database owners to create procedural languages and the handler for such a
      language becomes owned by the database owner, it is possible for a database
      owner to crash the backend, which ideally shouldn't be possible without
      superuser privileges.  In 9.2 and up we will adjust things so that the
      handler functions are always owned by superusers, but in existing branches
      this is a minor security fix.

      Problem noted by Noah Misch (after several of us had failed to detect
      it :-().  This is CVE-2012-2655.
  9. 30 May, 2012 4 commits
    • Expand the allowed range of timezone offsets to +/-15:59:59 from Greenwich. · cd0ff9c0
      Tom Lane authored
      We used to only allow offsets less than +/-13 hours, then it was +/-14,
      then it was +/-15.  That's still not good enough though, as per today's bug
      report from Patric Bechtel.  This time I actually looked through the Olson
      timezone database to find the largest offsets used anywhere.  The winners
      are Asia/Manila, at -15:56:00 until 1844, and America/Metlakatla, at
      +15:13:42 until 1867.  So we'd better allow offsets less than +/-16 hours.

      Given the history, we are way overdue to have some greppable #define
      symbols controlling this, so make some ... and also remove an obsolete
      comment that didn't get fixed the last time.

      Back-patch to all supported branches.
    • Fix two more bugs in fast-path relation locking. · 07ab1383
      Robert Haas authored
      First, the previous code failed to account for the fact that, during Hot
      Standby operation, the startup process takes AccessExclusiveLocks on
      relations without setting MyDatabaseId.  This resulted in fast path
      strong lock counts failing to be incremented when the startup process
      took locks, which in turn allowed conflicting lock requests to succeed
      when they should not have.  Report by Erik Rijkers, diagnosis by Heikki
      Linnakangas.

      Second, LockReleaseAll() failed to honor the allLocks and lockmethodid
      restrictions with respect to fast-path locks.  It's not clear to me
      whether this produces any user-visible breakage at the moment, but it's
      certainly wrong.  Rearrange order of operations in LockReleaseAll to fix.
      Noted by Tom Lane.
    • Fix incorrect password transformation in contrib/pgcrypto's DES crypt(). · 932ded2e
      Tom Lane authored
      Overly tight coding caused the password transformation loop to stop
      examining input once it had processed a byte equal to 0x80.  Thus, if the
      given password string contained such a byte (which is possible though not
      highly likely in UTF8, and perhaps also in other non-ASCII encodings), all
      subsequent characters would not contribute to the hash, making the password
      much weaker than it appears on the surface.

      This would only affect cases where applications used DES crypt() to encode
      passwords before storing them in the database.  If a weak password has been
      created in this fashion, the hash will stop matching after this update has
      been applied, so it will be easy to tell if any passwords were unexpectedly
      weak.  Changing to a different password would be a good idea in such a case.
      (Since DES has been considered inadequately secure for some time, changing
      to a different encryption algorithm can also be recommended.)

      This code, and the bug, are shared with at least PHP, FreeBSD, and OpenBSD.
      Since the other projects have already published their fixes, there is no
      point in trying to keep this commit private.

      This bug has been assigned CVE-2012-2143, and credit for its discovery goes
      to Rubin Xu and Joseph Bonneau.
    • Change the way parent pages are tracked during buffered GiST build. · d1996ed5
      Heikki Linnakangas authored
      We used to mimic the way a stack is constructed when descending the tree
      during normal GiST inserts, but that was quite complicated during a buffered
      build. It was also wrong: in GiST, the left-to-right relationships on
      different levels might not match each other, so that when you know the
      parent of a child page, you won't necessarily find the parent of the page to
      the right of the child page by following the rightlinks at the parent level.
      This sometimes led to "could not re-find parent" errors while building a
      GiST index.

      We now use a simple hash table to track the parent of every internal page.
      Whenever a page is split, and downlinks are moved from one page to another,
      we update the hash table accordingly. This is also better for performance
      than the old method, as we never need to move right to re-find the parent
      page, which could take a significant amount of time for buffers that were
      created much earlier in the index build.