1. 09 May, 2019 12 commits
    • Bruce Momjian's avatar
      doc: more PG 12 release note adjustments · 79697d03
      Bruce Momjian authored
      This adds two more items that should have been included in the
      beginning.
      
      Reported-by: Justin Pryzby
      
      Discussion: https://postgr.es/m/20190508203204.GA25482@telsasoft.com
      79697d03
    • Bruce Momjian's avatar
      docs: update release notes with fixes · 81ddfa2e
      Bruce Momjian authored
      Reported-by: Justin Pryzby
      
      Discussion: https://postgr.es/m/20190508203204.GA25482@telsasoft.com
      81ddfa2e
    • Michael Paquier's avatar
      Improve and fix some error handling for REINDEX INDEX/TABLE CONCURRENTLY · 508300e2
      Michael Paquier authored
      This improves the user experience when it comes to restrict several
      flavors of REINDEX CONCURRENTLY.  First, for INDEX, remove a restriction
      on shared relations as we already check after catalog relations.  Then,
      for TABLE, add a proper error message when attempting to run the command
      on system catalogs.  The code path of CREATE INDEX CONCURRENTLY already
      complains about that, but if a REINDEX is issued then then the error
      generated is confusing.
      
      While on it, add more tests to check restrictions on catalog indexes and
      on toast table/index for catalogs.  Some error messages are improved,
      with wording suggestion coming from Tom Lane.
      
      Reported-by: Tom Lane
      Author: Michael Paquier
      Reviewed-by: Tom Lane
      Discussion: https://postgr.es/m/23694.1556806002@sss.pgh.pa.us
      508300e2
    • Tom Lane's avatar
      Repair issues with faulty generation of merge-append plans. · 24c19e9f
      Tom Lane authored
      create_merge_append_plan failed to honor the CP_EXACT_TLIST flag:
      it would generate the expected targetlist but then it felt free to
      add resjunk sort targets to it.  This demonstrably leads to assertion
      failures in v11 and HEAD, and it's probably just accidental that we
      don't see the same in older branches.  I've not looked into whether
      there would be any real-world consequences in non-assert builds.
      In HEAD, create_append_plan has sprouted the same problem, so fix
      that too (although we do not have any test cases that seem able to
      reach that bug).  This is an oversight in commit 3fc6e2d7 which
      invented the CP_EXACT_TLIST flag, so back-patch to 9.6 where that
      came in.
      
      convert_subquery_pathkeys would create pathkeys for subquery output
      values if they match any EquivalenceClass known in the outer query
      and are available in the subquery's syntactic targetlist.  However,
      the second part of that condition is wrong, because such values might
      not appear in the subquery relation's reltarget list, which would
      mean that they couldn't be accessed above the level of the subquery
      scan.  We must check that they appear in the reltarget list, instead.
      This can lead to dropping knowledge about the subquery's sort
      ordering, but I believe it's okay, because any sort key that the
      outer query actually has any interest in would appear in the
      reltarget list.
      
      This second issue is of very long standing, but right now there's no
      evidence that it causes observable problems before 9.6, so I refrained
      from back-patching further than that.  We can revisit that choice if
      somebody finds a way to make it cause problems in older branches.
      (Developing useful test cases for these issues is really problematic;
      fixing convert_subquery_pathkeys removes the only known way to exhibit
      the create_merge_append_plan bug, and neither of the test cases added
      by this patch causes a problem in all branches, even when considering
      the issues separately.)
      
      The second issue explains bug #15795 from Suresh Kumar R ("could not
      find pathkey item to sort" with nested DISTINCT queries).  I stumbled
      across the first issue while investigating that.
      
      Discussion: https://postgr.es/m/15795-fadb56c8e44ee73c@postgresql.org
      24c19e9f
    • Bruce Momjian's avatar
      doc: update PG 12 release notes, v2 · 64084d68
      Bruce Momjian authored
      Adjustments requested by reviewers.
      
      Reported-by: Amit Kapila, Thomas Munro, Andrew Gierth, Amit Langote, Oleg Bartunov, Michael Paquier, Alvaro Herrera, Tatsuo Ishii
      
      Discussion: https://postgr.es/m/20190506233029.ozwged67i7s4qd6c@momjian.us
      64084d68
    • Etsuro Fujita's avatar
      Doc: Update FDW documentation about GetForeignUpperPaths(). · a0be05ba
      Etsuro Fujita authored
      In commit d50d172e, which added support for LIMIT/OFFSET pushdown in
      postgres_fdw, a new struct was introduced as the extra parameter of
      GetForeignUpperPaths() set for UPPERREL_FINAL, but I forgot to update
      the documentation to mention that.
      
      Author: Etsuro Fujita
      Discussion: https://postgr.es/m/CAPmGK17uSXQDe31oRb-z1nYyT6vVzkstZkA3_Wbq38U92b9BmQ%40mail.gmail.com
      a0be05ba
    • Etsuro Fujita's avatar
      postgres_fdw: Fix cost estimation for aggregate pushdown. · edbcbe27
      Etsuro Fujita authored
      In commit 7012b132, which added support for aggregate pushdown in
      postgres_fdw, the expense of evaluating the final scan/join target
      computed by make_group_input_target() was not accounted for at all in
      costing aggregate pushdown paths with local statistics.  The right fix
      for this would be to have a separate upper stage to adjust the final
      scan/join relation (see comments for apply_scanjoin_target_to_paths());
      but for now, fix by adding the tlist eval cost when costing aggregate
      pushdown paths with local statistics.
      
      Apply this to HEAD only to avoid destabilizing existing plan choices.
      
      Author: Etsuro Fujita
      Reviewed-By: Antonin Houska
      Discussion: https://postgr.es/m/5C66A056.60007%40lab.ntt.co.jp
      edbcbe27
    • Thomas Munro's avatar
      Fix SxactGlobalXmin tracking. · 47a338cf
      Thomas Munro authored
      Commit bb16aba5 broke the code that maintains SxactGlobalXmin.  It
      could get stuck when a well-timed READ ONLY transaction runs.  If
      SxactGlobalXmin stops advancing, transactions on the
      FinishedSerializableTransactions queue are never cleaned up, so
      resources are effectively leaked.  Revert that hunk of the commit.
      
      Also revert another similar hunk that was probably harmless, but
      unnecessary and unjustified, relating to the DOOMED flag in case of
      RO_SAFE early release.
      
      Author: Thomas Munro
      Reported-by: Tom Lane
      Discussion: https://postgr.es/m/16170.1557251214%40sss.pgh.pa.us
      47a338cf
    • Peter Eisentraut's avatar
      pg_controldata: Add common gettext flags · cd805f46
      Peter Eisentraut authored
      So it picks up strings in pg_log_* calls.  This was forgotten when it
      was added to all other relevant subdirectories.
      cd805f46
    • Peter Eisentraut's avatar
      Fix grammar in error message · 02daece4
      Peter Eisentraut authored
      02daece4
    • Tom Lane's avatar
      Clean up the behavior and API of catalog.c's is-catalog-relation tests. · 2d7d946c
      Tom Lane authored
      The right way for IsCatalogRelation/Class to behave is to return true
      for OIDs less than FirstBootstrapObjectId (not FirstNormalObjectId),
      without any of the ad-hoc fooling around with schema membership.
      
      The previous code was wrong because (1) it claimed that
      information_schema tables were not catalog relations but their toast
      tables were, which is silly; and (2) if you dropped and recreated
      information_schema, which is a supported operation, the behavior
      changed.  That's even sillier.  With this definition, "catalog
      relations" are exactly the ones traceable to the postgres.bki data,
      which seems like what we want.
      
      With this simplification, we don't actually need access to the pg_class
      tuple to identify a catalog relation; we only need its OID.  Hence,
      replace IsCatalogClass with "IsCatalogRelationOid(oid)".  But keep
      IsCatalogRelation as a convenience function.
      
      This allows fixing some arguably-wrong semantics in contrib/sepgsql and
      ReindexRelationConcurrently, which were using an IsSystemNamespace test
      where what they really should be using is IsCatalogRelationOid.  The
      previous coding failed to protect toast tables of system catalogs, and
      also was not on board with the general principle that user-created tables
      do not become catalogs just by virtue of being renamed into pg_catalog.
      We can also get rid of a messy hack in ReindexMultipleTables.
      
      While we're at it, also rename IsSystemNamespace to IsCatalogNamespace,
      because the previous name invited confusion with the more expansive
      semantics used by IsSystemRelation/Class.
      
      Also improve the comments in catalog.c.
      
      There are a few remaining places in replication-related code that are
      special-casing OIDs below FirstNormalObjectId.  I'm inclined to think
      those are wrong too, and if there should be any special case it should
      just extend to FirstBootstrapObjectId.  But first we need to debate
      whether a FOR ALL TABLES publication should include information_schema.
      
      Discussion: https://postgr.es/m/21697.1557092753@sss.pgh.pa.us
      Discussion: https://postgr.es/m/15150.1557257111@sss.pgh.pa.us
      2d7d946c
    • Michael Paquier's avatar
      Fix error status of vacuumdb when multiple jobs are used · 3ae3c18b
      Michael Paquier authored
      When running a batch of VACUUM or ANALYZE commands on a given database,
      there were cases where it is possible to have vacuumdb not report an
      error where it actually should, leading to incorrect status results.
      
      Author: Julien Rouhaud
      Reviewed-by: Amit Kapila, Michael Paquier
      Discussion: https://postgr.es/m/CAOBaU_ZuTwz7CtqLYJ1Ouuh272bTQPLN8b1bAPk0bCBm4PDMTQ@mail.gmail.com
      Backpatch-through: 9.5
      3ae3c18b
  2. 08 May, 2019 9 commits
  3. 07 May, 2019 9 commits
  4. 06 May, 2019 5 commits
    • Bruce Momjian's avatar
      docs: fist draft version of the PG 12 release notes · bdf595ad
      Bruce Momjian authored
      Still needs text markup, links, word wrap, and indenting.
      bdf595ad
    • Alvaro Herrera's avatar
      Revert "Make pg_dump emit ATTACH PARTITION instead of PARTITION OF" · a1ec7402
      Alvaro Herrera authored
      ... and fallout (from branches 10, 11 and master).  The change was
      ill-considered, and it broke a few normal use cases; since we don't have
      time to fix it, we'll try again after this week's minor releases.
      
      Reported-by: Rushabh Lathia
      Discussion: https://postgr.es/m/CAGPqQf0iQV=PPOv2Btog9J9AwOQp6HmuVd6SbGTR_v3Zp2XT1w@mail.gmail.com
      a1ec7402
    • Michael Paquier's avatar
      Add tests for error message generation in partition tuple routing · 91248608
      Michael Paquier authored
      This adds extra tests for the error message generated for partition
      tuple routing in the executor, using more than three levels of
      partitioning including partitioned tables with no partitions.  These
      tests have been added to fix CVE-2019-10129 on REL_11_STABLE.  HEAD has
      no active bugs in this area, but it lacked coverage.
      
      Author: Michael Paquier
      Reviewed-by: Noah Misch
      Security: CVE-2019-10129
      91248608
    • Dean Rasheed's avatar
      Use checkAsUser for selectivity estimator checks, if it's set. · a0905056
      Dean Rasheed authored
      In examine_variable() and examine_simple_variable(), when checking the
      user's table and column privileges to determine whether to grant
      access to the pg_statistic data, use checkAsUser for the privilege
      checks, if it's set. This will be the case if we're accessing the
      table via a view, to indicate that we should perform privilege checks
      as the view owner rather than the current user.
      
      This change makes this planner check consistent with the check in the
      executor, so the planner will be able to make use of statistics if the
      table is accessible via the view. This fixes a performance regression
      introduced by commit e2d4ef8d, which affects queries against
      non-security barrier views in the case where the user doesn't have
      privileges on the underlying table, but the view owner does.
      
      Note that it continues to provide the same safeguards controlling
      access to pg_statistic for direct table access (in which case
      checkAsUser won't be set) and for security barrier views, because of
      the nearby checks on rte->security_barrier and rte->securityQuals.
      
      Back-patch to all supported branches because e2d4ef8d was.
      
      Dean Rasheed, reviewed by Jonathan Katz and Stephen Frost.
      a0905056
    • Dean Rasheed's avatar
      Fix security checks for selectivity estimation functions with RLS. · 1aebfbea
      Dean Rasheed authored
      In commit e2d4ef8d, security checks were added to prevent
      user-supplied operators from running over data from pg_statistic
      unless the user has table or column privileges on the table, or the
      operator is leakproof. For a table with RLS, however, checking for
      table or column privileges is insufficient, since that does not
      guarantee that the user has permission to view all of the column's
      data.
      
      Fix this by also checking for securityQuals on the RTE, and insisting
      that the operator be leakproof if there are any. Thus the
      leakproofness check will only be skipped if there are no securityQuals
      and the user has table or column privileges on the table -- i.e., only
      if we know that the user has access to all the data in the column.
      
      Back-patch to 9.5 where RLS was added.
      
      Dean Rasheed, reviewed by Jonathan Katz and Stephen Frost.
      
      Security: CVE-2019-10130
      1aebfbea
  5. 05 May, 2019 3 commits
    • Tom Lane's avatar
      Bring pg_nextoid()'s error messages into line with message style guide. · bd5e8b62
      Tom Lane authored
      Noticed while reviewing nearby code.  Given all the disclaimers about
      this not being meant as user-facing code, I wonder whether we should
      make these non-translatable?  But in any case there's little excuse
      for them not to be good English.
      bd5e8b62
    • Tom Lane's avatar
      Fix style violations in syscache lookups. · 9691aa72
      Tom Lane authored
      Project style is to check the success of SearchSysCacheN and friends
      by applying HeapTupleIsValid to the result.  A tiny minority of calls
      creatively did it differently.  Bring them into line with the rest.
      
      This is just cosmetic, since HeapTupleIsValid is indeed just a null
      check at the moment ... but that may not be true forever, and in any
      case it puts a mental burden on readers who may wonder why these
      call sites are not like the rest.
      
      Back-patch to v11 just to keep the branches in sync.  (The bulk of these
      errors seem to have originated in v11 or v12, though a few are old.)
      
      Per searching to see if anyplace else had made the same error
      repaired in 62148c35.
      9691aa72
    • Tom Lane's avatar
      Add check for syscache lookup failure in update_relispartition(). · 62148c35
      Tom Lane authored
      Omitted in commit 05b38c7e (though it looks like the original blame
      belongs to 9e9befac).  A failure is admittedly unlikely, but if it
      did happen, SIGSEGV is not the approved method of reporting it.
      
      Per Coverity.  Back-patch to v11 where the broken code originated.
      62148c35
  6. 04 May, 2019 2 commits