1. 21 Sep, 2015 3 commits
    • Noah Misch's avatar
      Remove the SECURITY_ROW_LEVEL_DISABLED security context bit. · 7f11724b
      Noah Misch authored
      This commit's parent made superfluous the bit's sole usage.  Referential
      integrity checks have long run as the subject table's owner, and that
      now implies RLS bypass.  Safe use of the bit was tricky, requiring
      strict control over the SQL expressions evaluating therein.  Back-patch
      to 9.5, where the bit was introduced.
      
      Based on a patch by Stephen Frost.
      7f11724b
    • Noah Misch's avatar
      Remove the row_security=force GUC value. · 537bd178
      Noah Misch authored
      Every query of a single ENABLE ROW SECURITY table has two meanings, with
      the row_security GUC selecting between them.  With row_security=force
      available, every function author would have been advised to either set
      the GUC locally or test both meanings.  Non-compliance would have
      threatened reliability and, for SECURITY DEFINER functions, security.
      Authors already face an obligation to account for search_path, and we
      should not mimic that example.  With this change, only BYPASSRLS roles
      need exercise the aforementioned care.  Back-patch to 9.5, where the
      row_security GUC was introduced.
      
      Since this narrows the domain of pg_db_role_setting.setconfig and
      pg_proc.proconfig, one might bump catversion.  A row_security=force
      setting in one of those columns will elicit a clear message, so don't.
      537bd178
    • Noah Misch's avatar
      Restrict file mode creation mask during tmpfile(). · 8346218c
      Noah Misch authored
      Per Coverity.  Back-patch to 9.0 (all supported versions).
      
      Michael Paquier, reviewed (in earlier versions) by Heikki Linnakangas.
      8346218c
  2. 20 Sep, 2015 1 commit
    • Tom Lane's avatar
      Be more wary about partially-valid LOCALLOCK data in RemoveLocalLock(). · ba51774d
      Tom Lane authored
      RemoveLocalLock() must consider the possibility that LockAcquireExtended()
      failed to palloc the initial space for a locallock's lockOwners array.
      I had evidently meant to cope with this hazard when the code was originally
      written (commit 1785aceb), but missed that
      the pfree needed to be protected with an if-test.  Just to make sure things
      are left in a clean state, reset numLockOwners as well.
      
      Per low-memory testing by Andreas Seltenreich.  Back-patch to all supported
      branches.
      ba51774d
  3. 19 Sep, 2015 4 commits
    • Peter Eisentraut's avatar
      Simplify GETTEXT_FILES list · 85eda7e9
      Peter Eisentraut authored
      85eda7e9
    • Peter Eisentraut's avatar
      Add missing serial comma · 4a1e15e4
      Peter Eisentraut authored
      4a1e15e4
    • Peter Eisentraut's avatar
      Remove trailing slashes from directories in find command · f2dd1061
      Peter Eisentraut authored
      BSD find is not very smart and ends up writing double slashes into the
      output in those cases.  Also, xgettext is not very smart and splits the
      file names incorrectly in those cases, resulting in slightly incorrect
      file names being written into the POT file.
      f2dd1061
    • Robert Haas's avatar
      Glue layer to connect the executor to the shm_mq mechanism. · 4a4e6893
      Robert Haas authored
      The shm_mq mechanism was built to send error (and notice) messages and
      tuples between backends.  However, shm_mq itself only deals in raw
      bytes.  Since commit 2bd9e412, we have
      had infrastructure for one message to redirect protocol messages to a
      queue and for another backend to parse them and do useful things with
      them.  This commit introduces a somewhat analogous facility for tuples
      by adding a new type of DestReceiver, DestTupleQueue, which writes
      each tuple generated by a query into a shm_mq, and a new
      TupleQueueFunnel facility which reads raw tuples out of the queue and
      reconstructs the HeapTuple format expected by the executor.
      
      The TupleQueueFunnel abstraction supports reading from multiple tuple
      streams at the same time, but only in round-robin fashion.  Someone
      could imaginably want other policies, but this should be good enough
      to meet our short-term needs related to parallel query, and we can
      always extend it later.
      
      This also makes one minor addition to the shm_mq API that didn'
      seem worth breaking out as a separate patch.
      
      Extracted from Amit Kapila's parallel sequential scan patch.  This
      code was originally written by me, and then it was revised by Amit,
      and then it was revised some more by me.
      4a4e6893
  4. 18 Sep, 2015 4 commits
    • Andrew Dunstan's avatar
      Cache argument type information in json(b) aggregate functions. · c00c3249
      Andrew Dunstan authored
      These functions have been looking up type info for every row they
      process. Instead of doing that we only look them up the first time
      through and stash the information in the aggregate state object.
      
      Affects json_agg, json_object_agg, jsonb_agg and jsonb_object_agg.
      
      There is plenty more work to do in making these more efficient,
      especially the jsonb functions, but this is a virtually cost free
      improvement that can be done right away.
      
      Backpatch to 9.5 where the jsonb variants were introduced.
      c00c3249
    • Tom Lane's avatar
      Fix low-probability memory leak in regex execution. · d9c0c728
      Tom Lane authored
      After an internal failure in shortest() or longest() while pinning down the
      exact location of a match, find() forgot to free the DFA structure before
      returning.  This is pretty unlikely to occur, since we just successfully
      ran the "search" variant of the DFA; but it could happen, and it would
      result in a session-lifespan memory leak since this code uses malloc()
      directly.  Problem seems to have been aboriginal in Spencer's library,
      so back-patch all the way.
      
      In passing, correct a thinko in a comment I added awhile back about the
      meaning of the "ntree" field.
      
      I happened across these issues while comparing our code to Tcl's version
      of the library.
      d9c0c728
    • Teodor Sigaev's avatar
      Add header forgotten in 213335c1 · d63a1720
      Teodor Sigaev authored
      Report from Peter Eisentraut
      d63a1720
    • Peter Eisentraut's avatar
  5. 17 Sep, 2015 5 commits
    • Teodor Sigaev's avatar
      Fix oversight in tsearch type check · 9acb9007
      Teodor Sigaev authored
      Use IsBinaryCoercible() method instead of custom
      is_expected_type/is_text_type functions which was introduced when tsearch2
      was moved into core.
      
      Per report by David E. Wheeler
      Analysis by Tom Lane
      Patch by me
      9acb9007
    • Andrew Dunstan's avatar
      Honour TEMP_CONFIG when testing pg_upgrade · 5f7c804b
      Andrew Dunstan authored
      This setting contains extra configuration for the temp instance, as used
      in pg_regress' --temp-config flag.
      
      Backpatch to 9.2 where test.sh was introduced.
      5f7c804b
    • Robert Haas's avatar
      Add new function planstate_tree_walker. · 8dd401aa
      Robert Haas authored
      ExplainPreScanNode knows how to iterate over a generic tree of plan
      states; factor that logic out into a separate walker function so that
      other code, such as upcoming patches for parallel query, can also use
      it.
      
      Patch by me, reviewed by Tom Lane.
      8dd401aa
    • Michael Meskes's avatar
      Let compiler handle size calculation of bool types. · 293fd7c7
      Michael Meskes authored
      Back in the day this did not work, but modern compilers should handle it themselves.
      293fd7c7
    • Teodor Sigaev's avatar
      Fix bug introduced by microvacuum for GiST · 22f519c9
      Teodor Sigaev authored
      Commit 013ebc0a introduces microvacuum for
      GiST, deletetion of tuple marked LP_DEAD uses IndexPageMultiDelete while
      recovery code uses IndexPageTupleDelete in loop. This causes a difference
      in offset numbers of tuples to delete. Patch introduces usage of
      IndexPageMultiDelete in GiST except gistplacetopage() where only one tuple is
      deleted at once. That also slightly improve performance, because
      IndexPageMultiDelete is more effective.
      
      Patch changes WAL format, so bump wal page magic.
      
      Bug report from Jeff Janes
      Diagnostic and patch by Anastasia Lubennikova and me
      22f519c9
  6. 16 Sep, 2015 7 commits
    • Robert Haas's avatar
      Determine whether it's safe to attempt a parallel plan for a query. · 7aea8e4f
      Robert Haas authored
      Commit 924bcf4f introduced a framework
      for parallel computation in PostgreSQL that makes most but not all
      built-in functions safe to execute in parallel mode.  In order to have
      parallel query, we'll need to be able to determine whether that query
      contains functions (either built-in or user-defined) that cannot be
      safely executed in parallel mode.  This requires those functions to be
      labeled, so this patch introduces an infrastructure for that.  Some
      functions currently labeled as safe may need to be revised depending on
      how pending issues related to heavyweight locking under paralllelism
      are resolved.
      
      Parallel plans can't be used except for the case where the query will
      run to completion.  If portal execution were suspended, the parallel
      mode restrictions would need to remain in effect during that time, but
      that might make other queries fail.  Therefore, this patch introduces
      a framework that enables consideration of parallel plans only when it
      is known that the plan will be run to completion.  This probably needs
      some refinement; for example, at bind time, we do not know whether a
      query run via the extended protocol will be execution to completion or
      run with a limited fetch count.  Having the client indicate its
      intentions at bind time would constitute a wire protocol break.  Some
      contexts in which parallel mode would be safe are not adjusted by this
      patch; the default is not to try parallel plans except from call sites
      that have been updated to say that such plans are OK.
      
      This commit doesn't introduce any parallel paths or plans; it just
      provides a way to determine whether they could potentially be used.
      I'm committing it on the theory that the remaining parallel sequential
      scan patches will also get committed to this release, hopefully in the
      not-too-distant future.
      
      Robert Haas and Amit Kapila.  Reviewed (in earlier versions) by Noah
      Misch.
      7aea8e4f
    • Tom Lane's avatar
      Sync regex code with Tcl 8.6.4. · b44d92b6
      Tom Lane authored
      Sync our regex code with upstream changes since last time we did this,
      which was Tcl 8.5.11 (see commit 08fd6ff3).
      
      The only functional change here is to disbelieve that an octal escape is
      three digits long if it would exceed \377.  That's a bug fix, but it's
      a minor one and could change the interpretation of working regexes, so
      don't back-patch.
      
      In addition to that, s/INFINITY/DUPINF/ to eliminate the risk of collisions
      with <math.h>'s macro, and s/LOCAL/NOPROP/ because that also seems like
      an unnecessarily collision-prone macro name.
      
      There were some other cosmetic changes in their copy that I did not adopt,
      notably a rather half-hearted attempt at renaming some of the C functions
      in a more verbose style.  (I'm not necessarily against the concept, but
      renaming just a few functions in the package is not an improvement.)
      b44d92b6
    • Tom Lane's avatar
      Fix documentation of regular expression character-entry escapes. · d0f18cde
      Tom Lane authored
      The docs claimed that \uhhhh would be interpreted as a Unicode value
      regardless of the database encoding, but it's never been implemented
      that way: \uhhhh and \xhhhh actually mean exactly the same thing, namely
      the character that pg_mb2wchar translates to 0xhhhh.  Moreover we were
      falsely dismissive of the usefulness of Unicode code points above FFFF.
      Fix that.
      
      It's been like this for ages, so back-patch to all supported branches.
      d0f18cde
    • Tom Lane's avatar
      Don't use "#" as an abbreviation for "number" in PL/Tcl error messages. · 4d0fc1d5
      Tom Lane authored
      Also, rewrite one error message to make it follow our message style
      guidelines better.
      
      Euler Taveira and Tom Lane
      4d0fc1d5
    • Tom Lane's avatar
      Remove no-longer-used T_PrivGrantee node tag. · ad584a08
      Tom Lane authored
      Oversight in commit 31eae602, which
      replaced PrivGrantee nodes with RoleSpec nodes.  Spotted by Yugo Nagata.
      ad584a08
    • Teodor Sigaev's avatar
      pgbench progress with timestamp · 1def9063
      Teodor Sigaev authored
      This patch adds an option to replace the "time since pgbench run
      started" with a Unix epoch timestamp in the progress report so that,
      for instance, it is easier to compare timelines with pgsql log
      
      Fabien COELHO <coelho@cri.ensmp.fr>
      1def9063
    • Peter Eisentraut's avatar
      5878a377
  7. 15 Sep, 2015 8 commits
    • Stephen Frost's avatar
      Enforce ALL/SELECT policies in RETURNING for RLS · 4f3b2a88
      Stephen Frost authored
      For the UPDATE/DELETE RETURNING case, filter the records which are not
      visible to the user through ALL or SELECT policies from those considered
      for the UPDATE or DELETE.  This is similar to how the GRANT system
      works, which prevents RETURNING unless the caller has SELECT rights on
      the relation.
      
      Per discussion with Robert, Dean, Tom, and Kevin.
      
      Back-patch to 9.5 where RLS was introduced.
      4f3b2a88
    • Stephen Frost's avatar
      RLS refactoring · 22eaf35c
      Stephen Frost authored
      This refactors rewrite/rowsecurity.c to simplify the handling of the
      default deny case (reducing the number of places where we check for and
      add the default deny policy from three to one) by splitting up the
      retrival of the policies from the application of them.
      
      This also allowed us to do away with the policy_id field.  A policy_name
      field was added for WithCheckOption policies and is used in error
      reporting, when available.
      
      Patch by Dean Rasheed, with various mostly cosmetic changes by me.
      
      Back-patch to 9.5 where RLS was introduced to avoid unnecessary
      differences, since we're still in alpha, per discussion with Robert.
      22eaf35c
    • Peter Eisentraut's avatar
      Fix whitespace · 000a2133
      Peter Eisentraut authored
      000a2133
    • Tom Lane's avatar
      Revert "Fix an O(N^2) problem in foreign key references". · 3d9e8db9
      Tom Lane authored
      Commit 5ddc7288 does not actually work
      because it will happily blow away ri_constraint_cache entries that are
      in active use in outer call levels.  In any case, it's a very ugly,
      brute-force solution to the problem of limiting the cache size.
      Revert until it can be redesigned.
      3d9e8db9
    • Stephen Frost's avatar
      Add POLICY to COMMENT documentation · 6820094d
      Stephen Frost authored
      COMMENT supports POLICY but the documentation hadn't caught up with
      that fact.
      
      Patch by Charles Clavadetscher
      
      Back-patch to 9.5 where POLICY was added.
      6820094d
    • Fujii Masao's avatar
      05ec71ee
    • Fujii Masao's avatar
      Improve log messages related to tablespace_map file · 10fbb79f
      Fujii Masao authored
      This patch changes the log message which is logged when the server
      successfully renames backup_label file to *.old but fails to rename
      tablespace_map file during the shutdown. Previously the WARNING
      message "online backup mode was not canceled" was logged in that case.
      However this message is confusing because the backup mode is treated
      as canceled whenever backup_label is successfully renamed. So this
      commit makes the server log the message "online backup mode canceled"
      in that case.
      
      Also this commit changes errdetail messages so that they follow the
      error message style guide.
      
      Back-patch to 9.5 where tablespace_map file is introduced.
      
      Original patch by Amit Kapila, heavily modified by me.
      10fbb79f
    • Teodor Sigaev's avatar
      Fix wrong comment in commit d0242602 · 0f759285
      Teodor Sigaev authored
      Per gripe from Robert Haas
      0f759285
  8. 14 Sep, 2015 1 commit
  9. 13 Sep, 2015 3 commits
  10. 12 Sep, 2015 2 commits
  11. 11 Sep, 2015 2 commits