1. 23 Apr, 2019 6 commits
    • Tom Lane's avatar
      Repair assorted issues in locale data extraction. · 7ad1cd31
      Tom Lane authored
      cache_locale_time (extraction of LC_TIME-related info) had never been
      taught the lessons we previously learned about extraction of info related
      to LC_MONETARY and LC_NUMERIC.  Specifically, commit 95a777c6 taught
      PGLC_localeconv() that data coming out of localeconv() was in an encoding
      determined by the relevant locale, but we didn't realize that there's a
      similar issue with strftime().  And commit a4930e7c hardened
      PGLC_localeconv() against errors occurring partway through, but failed
      to do likewise for cache_locale_time().  So, rearrange the latter
      function to perform encoding conversion and not risk failure while
      it's got the locales set to temporary values.
      
      This time around I also changed PGLC_localeconv() to treat it as FATAL
      if it can't restore the previous settings of the locale values.  There
      is no reason (except possibly OOM) for that to fail, and proceeding with
      the wrong locale values seems like a seriously bad idea --- especially
      on Windows where we have to also temporarily change LC_CTYPE.  Also,
      protect against the possibility that we can't identify the codeset
      reported for LC_MONETARY or LC_NUMERIC; rather than just failing,
      try to validate the data without conversion.
      
      The user-visible symptom this fixes is that if LC_TIME is set to a locale
      name that implies an encoding different from the database encoding,
      non-ASCII localized day and month names would be retrieved in the wrong
      encoding, leading to either unexpected encoding-conversion error reports
      or wrong output from to_char().  The other possible failure modes are
      unlikely enough that we've not seen reports of them, AFAIK.
      
      The encoding conversion problems do not manifest on Windows, since
      we'd already created special-case code to handle that issue there.
      
      Per report from Juan José Santamaría Flecha.  Back-patch to all
      supported versions.
      
      Juan José Santamaría Flecha and Tom Lane
      
      Discussion: https://postgr.es/m/CAC+AXB22So5aZm2vZe+MChYXec7gWfr-n-SK-iO091R0P_1Tew@mail.gmail.com
      7ad1cd31
    • Tom Lane's avatar
      Remove useless comment. · e0fb4c9d
      Tom Lane authored
      Commit e439c6f0 removed IndexStmt.relationId, but not the comment
      that had been added to explain it.  Said comment was therefore
      very confusing.
      e0fb4c9d
    • Peter Geoghegan's avatar
      Prevent O(N^2) unique index insertion edge case. · 9b109262
      Peter Geoghegan authored
      Commit dd299df8 made nbtree treat heap TID as a tiebreaker column,
      establishing the principle that there is only one correct location (page
      and page offset number) for every index tuple, no matter what.
      Insertions of tuples into non-unique indexes proceed as if heap TID
      (scan key's scantid) is just another user-attribute value, but
      insertions into unique indexes are more delicate.  The TID value in
      scantid must initially be omitted to ensure that the unique index
      insertion visits every leaf page that duplicates could be on.  The
      scantid is set once again after unique checking finishes successfully,
      which can force _bt_findinsertloc() to step right one or more times, to
      locate the leaf page that the new tuple must be inserted on.
      
      Stepping right within _bt_findinsertloc() was assumed to occur no more
      frequently than stepping right within _bt_check_unique(), but there was
      one important case where that assumption was incorrect: inserting a
      "duplicate" with NULL values.  Since _bt_check_unique() didn't do any
      real work in this case, it wasn't appropriate for _bt_findinsertloc() to
      behave as if it was finishing off a conventional unique insertion, where
      any existing physical duplicate must be dead or recently dead.
      _bt_findinsertloc() might have to grovel through a substantial portion
      of all of the leaf pages in the index to insert a single tuple, even
      when there were no dead tuples.
      
      To fix, treat insertions of tuples with NULLs into a unique index as if
      they were insertions into a non-unique index: never unset scantid before
      calling _bt_search() to descend the tree, and bypass _bt_check_unique()
      entirely.  _bt_check_unique() is no longer responsible for incoming
      tuples with NULL values.
      
      Discussion: https://postgr.es/m/CAH2-Wzm08nr+JPx4jMOa9CGqxWYDQ-_D4wtPBiKghXAUiUy-nQ@mail.gmail.com
      9b109262
    • Tom Lane's avatar
      Avoid order-of-execution problems with ALTER TABLE ADD PRIMARY KEY. · f4a3fdfb
      Tom Lane authored
      Up to now, DefineIndex() was responsible for adding attnotnull constraints
      to the columns of a primary key, in any case where it hadn't been
      convenient for transformIndexConstraint() to mark those columns as
      is_not_null.  It (or rather its minion index_check_primary_key) did this
      by executing an ALTER TABLE SET NOT NULL command for the target table.
      
      The trouble with this solution is that if we're creating the index due
      to ALTER TABLE ADD PRIMARY KEY, and the outer ALTER TABLE has additional
      sub-commands, the inner ALTER TABLE's operations executed at the wrong
      time with respect to the outer ALTER TABLE's operations.  In particular,
      the inner ALTER would perform a validation scan at a point where the
      table's storage might be inconsistent with its catalog entries.  (This is
      on the hairy edge of being a security problem, but AFAICS it isn't one
      because the inner scan would only be interested in the tuples' null
      bitmaps.)  This can result in unexpected failures, such as the one seen
      in bug #15580 from Allison Kaptur.
      
      To fix, let's remove the attempt to do SET NOT NULL from DefineIndex(),
      reducing index_check_primary_key's role to verifying that the columns are
      already not null.  (It shouldn't ever see such a case, but it seems wise
      to keep the check for safety.)  Instead, make transformIndexConstraint()
      generate ALTER TABLE SET NOT NULL subcommands to be executed ahead of
      the ADD PRIMARY KEY operation in every case where it can't force the
      column to be created already-not-null.  This requires only minor surgery
      in parse_utilcmd.c, and it makes for a much more satisfying spec for
      transformIndexConstraint(): it's no longer having to take it on faith
      that someone else will handle addition of NOT NULL constraints.
      
      To make that work, we have to move the execution of AT_SetNotNull into
      an ALTER pass that executes ahead of AT_PASS_ADD_INDEX.  I moved it to
      AT_PASS_COL_ATTRS, and put that after AT_PASS_ADD_COL to avoid failure
      when the column is being added in the same command.  This incidentally
      fixes a bug in the only previous usage of AT_PASS_COL_ATTRS, for
      AT_SetIdentity: it didn't work either for a newly-added column.
      
      Playing around with this exposed a separate bug in ALTER TABLE ONLY ...
      ADD PRIMARY KEY for partitioned tables.  The intent of the ONLY modifier
      in that context is to prevent doing anything that would require holding
      lock for a long time --- but the implied SET NOT NULL would recurse to
      the child partitions, and do an expensive validation scan for any child
      where the column(s) were not already NOT NULL.  To fix that, invent a
      new ALTER subcommand AT_CheckNotNull that just insists that a child
      column be already NOT NULL, and apply that, not AT_SetNotNull, when
      recursing to children in this scenario.  This results in a slightly laxer
      definition of ALTER TABLE ONLY ... SET NOT NULL for partitioned tables,
      too: that command will now work as long as all children are already NOT
      NULL, whereas before it just threw up its hands if there were any
      partitions.
      
      In passing, clean up the API of generateClonedIndexStmt(): remove a
      useless argument, ensure that the output argument is not left undefined,
      update the header comment.
      
      A small side effect of this change is that no-such-column errors in ALTER
      TABLE ADD PRIMARY KEY now produce a different message that includes the
      table name, because they are now detected by the SET NOT NULL step which
      has historically worded its error that way.  That seems fine to me, so
      I didn't make any effort to avoid the wording change.
      
      The basic bug #15580 is of very long standing, and these other bugs
      aren't new in v12 either.  However, this is a pretty significant change
      in the way ALTER TABLE ADD PRIMARY KEY works.  On balance it seems best
      not to back-patch, at least not till we get some more confidence that
      this patch has no new bugs.
      
      Patch by me, but thanks to Jie Zhang for a preliminary version.
      
      Discussion: https://postgr.es/m/15580-d1a6de5a3d65da51@postgresql.org
      Discussion: https://postgr.es/m/1396E95157071C4EBBA51892C5368521017F2E6E63@G08CNEXMBPEKD02.g08.fujitsu.local
      f4a3fdfb
    • Tom Lane's avatar
      Don't request pretty-printed output from xmlNodeDump(). · c06e3550
      Tom Lane authored
      xml.c passed format = 1 to xmlNodeDump(), resulting in sometimes getting
      extra whitespace (newlines + spaces) in the output.  We don't really want
      that, first because whitespace might be semantically significant in some
      XML uses, and second because it happens only very inconsistently.  Only
      one case in our regression tests is affected.
      
      This potentially affects the results of xpath() and the XMLTABLE construct,
      when emitting nodeset values.
      
      Note that the older code in contrib/xml2 doesn't do this; it seems
      to have been an aboriginal bad decision in commit ea3b212f.
      
      While this definitely seems like a bug to me, the small number of
      complaints to date argues against back-patching a behavioral change.
      Hence, fix in HEAD only, at least for now.
      
      Per report from Jean-Marc Voillequin.
      
      Discussion: https://postgr.es/m/1EC8157EB499BF459A516ADCF135ADCE3A23A9CA@LON-WGMSX712.ad.moodys.net
      c06e3550
    • Michael Paquier's avatar
      Fix detection of passwords hashed with MD5 or SCRAM-SHA-256 · ccae190b
      Michael Paquier authored
      This commit fixes a couple of issues related to the way password
      verifiers hashed with MD5 or SCRAM-SHA-256 are detected, leading to
      being able to store in catalogs passwords which do not follow the
      supported hash formats:
      - A MD5-hashed entry was checked based on if its header uses "md5" and
      if the string length matches what is expected.  Unfortunately the code
      never checked if the hash only used hexadecimal characters, as reported
      by Tom Lane.
      - A SCRAM-hashed entry was checked based on only its header, which
      should be "SCRAM-SHA-256$", but it never checked for any fields
      afterwards, as reported by Jonathan Katz.
      
      Backpatch down to v10, which is where SCRAM has been introduced, and
      where password verifiers in plain format have been removed.
      
      Author: Jonathan Katz
      Reviewed-by: Tom Lane, Michael Paquier
      Discussion: https://postgr.es/m/016deb6b-1f0a-8e9f-1833-a8675b170aa9@postgresql.org
      Backpatch-through: 10
      ccae190b
  2. 22 Apr, 2019 2 commits
  3. 21 Apr, 2019 1 commit
    • Tomas Vondra's avatar
      Fix mvdistinct and dependencies size calculations · d08c44f7
      Tomas Vondra authored
      The formulas used to calculate size while (de)serializing mvndistinct
      and functional dependencies were based on offset() of the structs. But
      that is incorrect, because the structures are not copied directly, we
      we copy the individual fields directly.
      
      At the moment this works fine, because there is no alignment padding
      on any platform we support. But it might break if we ever added some
      fields into any of the structs, for example. It's also confusing.
      
      Fixed by reworking the macros to directly sum sizes of serialized
      fields. The macros are now useful only for serialiation, so there is
      no point in keeping them in the public header file. So make them
      private by moving them to the .c files.
      
      Also adds a couple more asserts to check the serialization, and fixes
      an incorrect allocation of MVDependency instead of (MVDependency *).
      
      Reported-By: Tom Lane
      Discussion: https://postgr.es/m/29785.1555365602@sss.pgh.pa.us
      d08c44f7
  4. 20 Apr, 2019 2 commits
    • Bruce Momjian's avatar
      docs: reorder collation regression test order in paragraph · bfbc150e
      Bruce Momjian authored
      Backpatch-through: 10
      bfbc150e
    • Stephen Frost's avatar
      GSSAPI: Improve documentation and tests · eb882a1b
      Stephen Frost authored
      The GSSAPI encryption patch neglected to update the protocol
      documentation to describe how to set up a GSSAPI encrypted connection
      from a client to the server, so fix that by adding the appropriate
      documentation to protocol.sgml.
      
      The tests added for encryption support were overly long and couldn't be
      run in parallel due to race conditions; this was largely because each
      test was setting up its own KDC to perform the tests.  Instead, merge
      the authentication tests and the encryption tests into the original
      test, where we only create one KDC to run the tests with.  Also, have
      the tests check what the server's opinion is of the connection and if it
      was GSS authenticated or encrypted using the pg_stat_gssapi view.
      
      In passing, fix the libpq label for GSSENC-Mode to be consistent with
      the "PGGSSENCMODE" environment variable.
      
      Missing protocol documentation pointed out by Michael Paquier.
      Issues with the tests pointed out by Tom Lane and Peter Eisentraut.
      
      Refactored tests and added documentation by me.
      
      Reviewed by Robbie Harwood (protocol documentation) and Michael Paquier
      (rework of the tests).
      eb882a1b
  5. 19 Apr, 2019 7 commits
    • Andres Freund's avatar
      Fix slot type issue for fuzzy distance index scan over out-of-core table AM. · b8b94ea1
      Andres Freund authored
      For amcanreorderby scans the nodeIndexscan.c's reorder queue holds
      heap tuples, but the underlying table likely does not. Before this fix
      we'd return different types of slots, depending on whether the tuple
      came from the reorder queue, or from the index + table.
      
      While that could be fixed by signalling that the node doesn't return a
      fixed type of slot, it seems better to instead remove the separate
      slot for the reorder queue, and use ExecForceStoreHeapTuple() to store
      tuples from the queue. It's not particularly common to need
      reordering, after all.
      
      This reverts most of the iss_ReorderQueueSlot related changes to
      nodeIndexscan.c made in 1a0586de, except that now
      ExecForceStoreHeapTuple() is used instead of ExecStoreHeapTuple().
      
      Noticed when testing zheap against the in-core version of tableam.
      
      Author: Andres Freund
      b8b94ea1
    • Andres Freund's avatar
      Fix two memory leaks around force-storing tuples in slots. · 88e6ad30
      Andres Freund authored
      As reported by Tom, when ExecStoreMinimalTuple() had to perform a
      conversion to store the minimal tuple in the slot, it forgot to
      respect the shouldFree flag, and leaked the tuple into the current
      memory context if true.  Fix that by freeing the tuple in that case.
      
      Looking at the relevant code made me (Andres) realize that not having
      the shouldFree parameter to ExecForceStoreHeapTuple() was a bad
      idea. Some callers had to locally implement the necessary logic, and
      in one case it was missing, creating a potential per-group leak in
      non-hashed aggregation.
      
      The choice to not free the tuple in ExecComputeStoredGenerated() is
      not pretty, but not introduced by this commit - I'll start a separate
      discussion about it.
      
      Reported-By: Tom Lane
      Discussion: https://postgr.es/m/366.1555382816@sss.pgh.pa.us
      88e6ad30
    • Tom Lane's avatar
      Fix problems with auto-held portals. · 4d5840ce
      Tom Lane authored
      HoldPinnedPortals() did things in the wrong order: it must not mark
      a portal autoHeld until it's been successfully held.  Otherwise,
      a failure while persisting the portal results in a server crash
      because we think the portal is in a good state when it's not.
      
      Also add a check that portal->status is READY before attempting to
      hold a pinned portal.  We have such a check before the only other
      use of HoldPortal(), so it seems unwise not to check it here.
      
      Lastly, rethink the responsibility for where to call HoldPinnedPortals.
      The comment for it imagined that it was optional for any individual PL
      to call it or not, but that cannot be the case: if some outer level of
      procedure has a pinned portal, failing to persist it when an inner
      procedure commits is going to be trouble.  Let's have SPI do it instead
      of the individual PLs.  That's not a complete solution, since in theory
      a PL might not be using SPI to perform commit/rollback, but such a PL
      is going to have to be aware of lots of related requirements anyway.
      (This change doesn't cause an API break for any external PLs that might
      be calling HoldPinnedPortals per the old regime, because calling it
      twice during a commit or rollback sequence won't hurt.)
      
      Per bug #15703 from Julian Schauder.  Back-patch to v11 where this code
      came in.
      
      Discussion: https://postgr.es/m/15703-c12c5bc0ea34ba26@postgresql.org
      4d5840ce
    • Michael Paquier's avatar
    • Michael Paquier's avatar
      bc540f98
    • Michael Paquier's avatar
      Remove dependency to pageinspect in recovery tests · 5a9323ea
      Michael Paquier authored
      If contrib/pageinspect is not installed, this causes the test checking
      the minimum recovery point to fail.  The point is that the dependency
      with pageinspect is not really necessary as the test does also all
      checks with an offline cluster by scanning directly the on-disk pages,
      which is enough for the purpose of the test.
      
      Per complaint from Tom Lane.
      
      Author: Michael Paquier
      Discussion: https://postgr.es/m/17806.1555566345@sss.pgh.pa.us
      5a9323ea
    • Andres Freund's avatar
      Fix potential use-after-free for BEFORE UPDATE row triggers on non-core AMs. · 75e03eab
      Andres Freund authored
      When such a trigger returns the old row version, it naturally get
      stored in the slot for the trigger result. When a table AMs doesn't
      store HeapTuples internally, ExecBRUpdateTriggers() frees the old row
      version passed to triggers - but before this fix it might still be
      referenced by the slot holding the new tuple.
      
      Noticed when running the out-of-core zheap AM against the in-core
      version of tableam.
      
      Author: Andres Freund
      75e03eab
  6. 18 Apr, 2019 4 commits
  7. 17 Apr, 2019 11 commits
  8. 16 Apr, 2019 4 commits
  9. 15 Apr, 2019 3 commits