1. 21 Mar, 2021 8 commits
    • Peter Geoghegan's avatar
      Recycle nbtree pages deleted during same VACUUM. · 9dd963ae
      Peter Geoghegan authored
      Maintain a simple array of metadata about pages that were deleted during
      nbtree VACUUM's current btvacuumscan() call.  Use this metadata at the
      end of btvacuumscan() to attempt to place newly deleted pages in the FSM
      without further delay.  It might not yet be safe to place any of the
      pages in the FSM by then (they may not be deemed recyclable), but we
      have little to lose and plenty to gain by trying.  In practice there is
      a very good chance that this will work out when vacuuming larger
      indexes, where scanning the index naturally takes quite a while.
      
      This commit doesn't change the page recycling invariants; it merely
      improves the efficiency of page recycling within the confines of the
      existing design.  Recycle safety is a part of nbtree's implementation of
      what Lanin & Shasha call "the drain technique".  The design happens to
      use transaction IDs (they're stored in deleted pages), but that in
      itself doesn't align the cutoff for recycle safety to any of the
      XID-based cutoffs used by VACUUM (e.g., OldestXmin).  All that matters
      is whether or not _other_ backends might be able to observe various
      inconsistencies in the tree structure (that they cannot just detect and
      recover from by moving right).  Recycle safety is purely a question of
      maintaining the consistency (or the apparent consistency) of a physical
      data structure.
      
      Note that running a simple serial test case involving a large range
      DELETE followed by a VACUUM VERBOSE will probably show that any newly
      deleted nbtree pages are not yet reusable/recyclable.  This is expected
      in the absence of even one concurrent XID assignment.  It is an old
      implementation restriction.  In practice it's unlikely to be the thing
      that makes recycling remain unsafe, at least with larger indexes, where
      recycling newly deleted pages during the same VACUUM actually matters.
      
      An important high-level goal of this commit (as well as related recent
      commits e5d8a999 and 9f3665fb) is to make expensive deferred cleanup
      operations in index AMs rare in general.  If index vacuuming frequently
      depends on the next VACUUM operation finishing off work that the current
      operation started, then the general behavior of index vacuuming is hard
      to predict.  This is relevant to ongoing work that adds a vacuumlazy.c
      mechanism to skip index vacuuming in certain cases.  Anything that makes
      the real world behavior of index vacuuming simpler and more linear will
      also make top-down modeling in vacuumlazy.c more robust.
      
      Author: Peter Geoghegan <pg@bowt.ie>
      Reviewed-By: default avatarMasahiko Sawada <sawada.mshk@gmail.com>
      Discussion: https://postgr.es/m/CAH2-Wzk76_P=67iUscb1UN44-gyZL-KgpsXbSxq_bdcMa7Q+wQ@mail.gmail.com
      9dd963ae
    • Tom Lane's avatar
      Bring configure support for LZ4 up to snuff. · 4d399a6f
      Tom Lane authored
      It's not okay to just shove the pkg_config results right into our
      build flags, for a couple different reasons:
      
      * This fails to maintain the separation between CPPFLAGS and CFLAGS,
      as well as that between LDFLAGS and LIBS.  (The CPPFLAGS angle is,
      I believe, the reason for warning messages reported when building
      with MacPorts' liblz4.)
      
      * If pkg_config emits anything other than -I/-D/-L/-l switches,
      it's highly unlikely that we want to absorb those.  That'd be more
      likely to break the build than do anything helpful.  (Even the -D
      case is questionable; but we're doing that for libxml2, so I kept it.)
      
      Also, it's not okay to skip doing an AC_CHECK_LIB probe, as
      evidenced by recent build failure on topminnow; that should
      have been caught at configure time.
      
      Model fixes for this on configure's libxml2 support.
      
      It appears that somebody overlooked an autoheader run, too.
      
      Discussion: https://postgr.es/m/20210119190720.GL8560@telsasoft.com
      4d399a6f
    • Tom Lane's avatar
      Make compression.sql regression test independent of default. · fd1ac9a5
      Tom Lane authored
      This test will fail in "make installcheck" if the installation's
      default_toast_compression setting is not 'pglz'.  Make it robust
      against that situation.
      
      Dilip Kumar
      
      Discussion: https://postgr.es/m/CAFiTN-t0w+Rc2U3S+y=7KWcLuOYNB5MfWeGdNa7+pg0UovVdcQ@mail.gmail.com
      fd1ac9a5
    • Andrew Dunstan's avatar
      Don't run recover crash_temp_files test in Windows perl · ef823873
      Andrew Dunstan authored
      This reverts commit 677271a3.
      "Unbreak recovery test on Windows"
      
      The test hangs on Windows, and attempts to remedy the problem have
      proved fragile at best. So we simply disable the test on Windows perl.
      (Msys perl seems perfectly happy).
      
      Discussion: https://postgr.es/m/5b748470-7335-5439-e876-6a88c951e1c5@dunslane.net
      ef823873
    • Alvaro Herrera's avatar
      Fix new memory leaks in libpq · 2b526ed2
      Alvaro Herrera authored
      My oversight in commit 9aa491ab.
      
      Per coverity.
      2b526ed2
    • Andrew Dunstan's avatar
      Unbreak recovery test on Windows · 677271a3
      Andrew Dunstan authored
      On Windows we need to send explicit quit messages to psql or the TAP tests
      can hang.
      677271a3
    • Tom Lane's avatar
      Suppress various new compiler warnings. · 9fb9691a
      Tom Lane authored
      Compilers that don't understand that elog(ERROR) doesn't return
      issued warnings here.  In the cases in libpq_pipeline.c, we were
      not exactly helping things by failing to mark pg_fatal() as noreturn.
      
      Per buildfarm.
      9fb9691a
    • Peter Eisentraut's avatar
      Move lwlock-release probe back where it belongs · 96ae658e
      Peter Eisentraut authored
      The documentation specifically states that lwlock-release fires before
      any released waiters have been awakened.  It worked that way until
      ab5194e6, where is seems to have been
      misplaced accidentally.  Move it back where it belongs.
      
      Author: Craig Ringer <craig.ringer@enterprisedb.com>
      Discussion: https://www.postgresql.org/message-id/CAGRY4nwxKUS_RvXFW-ugrZBYxPFFM5kjwKT5O+0+Stuga5b4+Q@mail.gmail.com
      96ae658e
  2. 20 Mar, 2021 4 commits
    • Tomas Vondra's avatar
      Use valid compression method in brin_form_tuple · 882b2cdc
      Tomas Vondra authored
      When compressing the BRIN summary, we can't simply use the compression
      method from the indexed attribute.  The summary may use a different data
      type, e.g. fixed-length attribute may have varlena summary, leading to
      compression failures.  For the built-in BRIN opclasses this happens to
      work, because the summary uses the same data type as the attribute.
      
      When the data types match, we can inherit use the compression method
      specified for the attribute (it's copied into the index descriptor).
      Otherwise we don't have much choice and have to use the default one.
      
      Author: Tomas Vondra
      Reviewed-by: default avatarJustin Pryzby <pryzby@telsasoft.com>
      Discussion: https://postgr.es/m/e0367f27-392c-321a-7411-a58e1a7e4817%40enterprisedb.com
      882b2cdc
    • Tom Lane's avatar
      Fix up pg_dump's handling of per-attribute compression options. · aa25d108
      Tom Lane authored
      The approach used in commit bbe0a81d would've been disastrous for
      portability of dumps.  Instead handle non-default compression options
      in separate ALTER TABLE commands.  This reduces chatter for the
      common case where most columns are compressed the same way, and it
      makes it possible to restore the dump to a server that lacks any
      knowledge of per-attribute compression options (so long as you're
      willing to ignore syntax errors from the ALTER TABLE commands).
      
      There's a whole lot left to do to mop up after bbe0a81d, but
      I'm fast-tracking this part because we need to see if it's
      enough to make the buildfarm's cross-version-upgrade tests happy.
      
      Justin Pryzby and Tom Lane
      
      Discussion: https://postgr.es/m/20210119190720.GL8560@telsasoft.com
      aa25d108
    • Tom Lane's avatar
      Fix memory leak when rejecting bogus DH parameters. · e835e89a
      Tom Lane authored
      While back-patching e0e569e1, I noted that there were some other
      places where we ought to be applying DH_free(); namely, where we
      load some DH parameters from a file and then reject them as not
      being sufficiently secure.  While it seems really unlikely that
      anybody would hit these code paths in production, let alone do
      so repeatedly, let's fix it for consistency.
      
      Back-patch to v10 where this code was introduced.
      
      Discussion: https://postgr.es/m/16160-18367e56e9a28264@postgresql.org
      e835e89a
    • Tom Lane's avatar
      Avoid leaking memory in RestoreGUCState(), and improve comments. · f0c2a5bb
      Tom Lane authored
      RestoreGUCState applied InitializeOneGUCOption to already-live
      GUC entries, causing any malloc'd subsidiary data to be forgotten.
      We do want the effect of resetting the GUC to its compiled-in
      default, and InitializeOneGUCOption seems like the best way to do
      that, so add code to free any existing subsidiary data beforehand.
      
      The interaction between can_skip_gucvar, SerializeGUCState, and
      RestoreGUCState is way more subtle than their opaque comments
      would suggest to an unwary reader.  Rewrite and enlarge the
      comments to try to make it clearer what's happening.
      
      Remove a long-obsolete assertion in read_nondefault_variables: the
      behavior of set_config_option hasn't depended on IsInitProcessingMode
      since f5d9698a installed a better way of controlling it.
      
      Although this is fixing a clear memory leak, the leak is quite unlikely
      to involve any large amount of data, and it can only happen once in the
      lifetime of a worker process.  So it seems unnecessary to take any
      risk of back-patching.
      
      Discussion: https://postgr.es/m/4105247.1616174862@sss.pgh.pa.us
      f0c2a5bb
  3. 19 Mar, 2021 14 commits
    • Thomas Munro's avatar
      Provide recovery_init_sync_method=syncfs. · 61752afb
      Thomas Munro authored
      Since commit 2ce439f3 we have opened every file in the data directory
      and called fsync() at the start of crash recovery.  This can be very
      slow if there are many files, leading to field complaints of systems
      taking minutes or even hours to begin crash recovery.
      
      Provide an alternative method, for Linux only, where we call syncfs() on
      every possibly different filesystem under the data directory.  This is
      equivalent, but avoids faulting in potentially many inodes from
      potentially slow storage.
      
      The new mode comes with some caveats, described in the documentation, so
      the default value for the new setting is "fsync", preserving the older
      behavior.
      Reported-by: default avatarMichael Brown <michael.brown@discourse.org>
      Reviewed-by: default avatarFujii Masao <masao.fujii@oss.nttdata.com>
      Reviewed-by: default avatarPaul Guo <guopa@vmware.com>
      Reviewed-by: default avatarBruce Momjian <bruce@momjian.us>
      Reviewed-by: default avatarJustin Pryzby <pryzby@telsasoft.com>
      Reviewed-by: default avatarDavid Steele <david@pgmasters.net>
      Discussion: https://postgr.es/m/11bc2bb7-ecb5-3ad0-b39f-df632734cd81%40discourse.org
      Discussion: https://postgr.es/m/CAEET0ZHGnbXmi8yF3ywsDZvb3m9CbdsGZgfTXscQ6agcbzcZAw%40mail.gmail.com
      61752afb
    • Tomas Vondra's avatar
      Use lfirst_int in cmp_list_len_contents_asc · b822ae13
      Tomas Vondra authored
      The function added in be45be9c is comparing integer lists (IntList) by
      length and contents, but there were two bugs.  Firstly, it used intVal()
      to extract the value, but that's for Value nodes, not for extracting int
      values from IntList.  Secondly, it called it directly on the ListCell,
      without doing lfirst().  So just do lfirst_int() instead.
      
      Interestingly enough, this did not cause any crashes on the buildfarm,
      but valgrind rightfully complained about it.
      
      Discussion: https://postgr.es/m/bf3805a8-d7d1-ae61-fece-761b7ff41ecc@postgresfriends.org
      b822ae13
    • Robert Haas's avatar
      Fix use-after-ReleaseSysCache problem in ATExecAlterColumnType. · d00fbdc4
      Robert Haas authored
      Introduced by commit bbe0a81d.
      
      Per buildfarm member prion.
      d00fbdc4
    • Robert Haas's avatar
      Allow configurable LZ4 TOAST compression. · bbe0a81d
      Robert Haas authored
      There is now a per-column COMPRESSION option which can be set to pglz
      (the default, and the only option in up until now) or lz4. Or, if you
      like, you can set the new default_toast_compression GUC to lz4, and
      then that will be the default for new table columns for which no value
      is specified. We don't have lz4 support in the PostgreSQL code, so
      to use lz4 compression, PostgreSQL must be built --with-lz4.
      
      In general, TOAST compression means compression of individual column
      values, not the whole tuple, and those values can either be compressed
      inline within the tuple or compressed and then stored externally in
      the TOAST table, so those properties also apply to this feature.
      
      Prior to this commit, a TOAST pointer has two unused bits as part of
      the va_extsize field, and a compessed datum has two unused bits as
      part of the va_rawsize field. These bits are unused because the length
      of a varlena is limited to 1GB; we now use them to indicate the
      compression type that was used. This means we only have bit space for
      2 more built-in compresison types, but we could work around that
      problem, if necessary, by introducing a new vartag_external value for
      any further types we end up wanting to add. Hopefully, it won't be
      too important to offer a wide selection of algorithms here, since
      each one we add not only takes more coding but also adds a build
      dependency for every packager. Nevertheless, it seems worth doing
      at least this much, because LZ4 gets better compression than PGLZ
      with less CPU usage.
      
      It's possible for LZ4-compressed datums to leak into composite type
      values stored on disk, just as it is for PGLZ. It's also possible for
      LZ4-compressed attributes to be copied into a different table via SQL
      commands such as CREATE TABLE AS or INSERT .. SELECT.  It would be
      expensive to force such values to be decompressed, so PostgreSQL has
      never done so. For the same reasons, we also don't force recompression
      of already-compressed values even if the target table prefers a
      different compression method than was used for the source data.  These
      architectural decisions are perhaps arguable but revisiting them is
      well beyond the scope of what seemed possible to do as part of this
      project.  However, it's relatively cheap to recompress as part of
      VACUUM FULL or CLUSTER, so this commit adjusts those commands to do
      so, if the configured compression method of the table happens not to
      match what was used for some column value stored therein.
      
      Dilip Kumar. The original patches on which this work was based were
      written by Ildus Kurbangaliev, and those were patches were based on
      even earlier work by Nikita Glukhov, but the design has since changed
      very substantially, since allow a potentially large number of
      compression methods that could be added and dropped on a running
      system proved too problematic given some of the architectural issues
      mentioned above; the choice of which specific compression method to
      add first is now different; and a lot of the code has been heavily
      refactored.  More recently, Justin Przyby helped quite a bit with
      testing and reviewing and this version also includes some code
      contributions from him. Other design input and review from Tomas
      Vondra, Álvaro Herrera, Andres Freund, Oleg Bartunov, Alexander
      Korotkov, and me.
      
      Discussion: http://postgr.es/m/20170907194236.4cefce96%40wp.localdomain
      Discussion: http://postgr.es/m/CAFiTN-uUpX3ck%3DK0mLEk-G_kUQY%3DSNOTeqdaNRR9FMdQrHKebw%40mail.gmail.com
      bbe0a81d
    • Tomas Vondra's avatar
      Fix race condition in remove_temp_files_after_crash TAP test · e589c489
      Tomas Vondra authored
      The TAP test was written so that it was not waiting for the correct SQL
      command, but for output from the preceding one.  This resulted in race
      conditions, allowing the commands to run in a different order, not block
      as expected and so on.  This fixes it by inverting the order of commands
      where possible, so that observing the output guarantees the data was
      inserted properly, and waiting for a lock to appear in pg_locks.
      
      Discussion: https://postgr.es/m/CAH503wDKdYzyq7U-QJqGn%3DGm6XmoK%2B6_6xTJ-Yn5WSvoHLY1Ww%40mail.gmail.com
      e589c489
    • Tom Lane's avatar
      Blindly try to fix test script's tar invocation for MSYS. · 27ab1981
      Tom Lane authored
      Buildfarm member fairywren doesn't like the test case I added
      in commit 081876d7.  I'm guessing the reason is that I shouldn't
      be using a perl2host-ified path in the tar command line.
      27ab1981
    • Fujii Masao's avatar
      Fix comments in postmaster.c. · fd312140
      Fujii Masao authored
      Commit 86c23a6e changed the option to specify that postgres will
      stop all other server processes by sending the signal SIGSTOP,
      from -s to -T. But previously there were comments incorrectly
      explaining that SIGSTOP behavior is set by -s option. This commit
      fixes them.
      
      Author: Kyotaro Horiguchi
      Reviewed-by: Fujii Masao
      Discussion: https://postgr.es/m/20210316.165141.1400441966284654043.horikyota.ntt@gmail.com
      fd312140
    • Tom Lane's avatar
      Don't leak malloc'd error string in libpqrcv_check_conninfo(). · 9bacdf9f
      Tom Lane authored
      We leaked the error report from PQconninfoParse, when there was
      one.  It seems unlikely that real usage patterns would repeat
      the failure often enough to create serious bloat, but let's
      back-patch anyway to keep the code similar in all branches.
      
      Found via valgrind testing.
      Back-patch to v10 where this code was added.
      
      Discussion: https://postgr.es/m/3816764.1616104288@sss.pgh.pa.us
      9bacdf9f
    • Tom Lane's avatar
      Don't leak malloc'd strings when a GUC setting is rejected. · 377b7a83
      Tom Lane authored
      Because guc.c prefers to keep all its string values in malloc'd
      not palloc'd storage, it has to be more careful than usual to
      avoid leaks.  Error exits out of string GUC hook checks failed
      to clear the proposed value string, and error exits out of
      ProcessGUCArray() failed to clear the malloc'd results of
      ParseLongOption().
      
      Found via valgrind testing.
      This problem is ancient, so back-patch to all supported branches.
      
      Discussion: https://postgr.es/m/3816764.1616104288@sss.pgh.pa.us
      377b7a83
    • Tom Lane's avatar
      Don't leak compiled regex(es) when an ispell cache entry is dropped. · d303849b
      Tom Lane authored
      The text search cache mechanisms assume that we can clean up
      an invalidated dictionary cache entry simply by resetting the
      associated long-lived memory context.  However, that does not work
      for ispell affixes that make use of regular expressions, because
      the regex library deals in plain old malloc.  Hence, we leaked
      compiled regex(es) any time we dropped such a cache entry.  That
      could quickly add up, since even a fairly trivial regex can use up
      tens of kB, and a large one can eat megabytes.  Add a memory context
      callback to ensure that a regex gets freed when its owning cache
      entry is cleared.
      
      Found via valgrind testing.
      This problem is ancient, so back-patch to all supported branches.
      
      Discussion: https://postgr.es/m/3816764.1616104288@sss.pgh.pa.us
      d303849b
    • Tom Lane's avatar
      Don't run RelationInitTableAccessMethod in a long-lived context. · 415ffdc2
      Tom Lane authored
      Some code paths in this function perform syscache lookups, which
      can lead to table accesses and possibly leakage of cruft into
      the caller's context.  If said context is CacheMemoryContext,
      we eventually will have visible bloat.  But fixing this is no
      harder than moving one memory context switch step.  (The other
      callers don't have a problem.)
      
      Andres Freund and I independently found this via valgrind testing.
      Back-patch to v12 where this code was added.
      
      Discussion: https://postgr.es/m/20210317023101.anvejcfotwka6gaa@alap3.anarazel.de
      Discussion: https://postgr.es/m/3816764.1616104288@sss.pgh.pa.us
      415ffdc2
    • Tom Lane's avatar
      Don't leak rd_statlist when a relcache entry is dropped. · 28644fac
      Tom Lane authored
      Although these lists are usually NIL, and even when not empty
      are unlikely to be large, constant relcache update traffic could
      eventually result in visible bloat of CacheMemoryContext.
      
      Found via valgrind testing.
      Back-patch to v10 where this field was added.
      
      Discussion: https://postgr.es/m/3816764.1616104288@sss.pgh.pa.us
      28644fac
    • Tomas Vondra's avatar
      Fix TAP test for remove_temp_files_after_crash · a16b2b96
      Tomas Vondra authored
      The test included in cd91de0d had two simple flaws.
      
      Firstly, the number of rows was low and on some platforms (e.g. 32-bit)
      the sort did not require on-disk sort, so on those machines it was not
      testing the automatic removal.  The test was however failing, because
      without any temporary files the base/pgsql_tmp directory was not even
      created.  Fixed by increasing the rowcount to 5000, which should be high
      engough on any platform.
      
      Secondly, the test used a simple sleep to wait for the temporary file to
      be created.  This is obviously problematic, because on slow machines (or
      with valgrind, CLOBBER_CACHE_ALWAYS etc.) it may take a while to create
      the temporary file.  But we also want the tests run reasonably fast.
      Fixed by instead relying on a UNIQUE constraint, blocking the query that
      created the temporary file.
      
      Author: Euler Taveira
      Reviewed-by: Tomas Vondra
      Discussion: https://postgr.es/m/CAH503wDKdYzyq7U-QJqGn%3DGm6XmoK%2B6_6xTJ-Yn5WSvoHLY1Ww%40mail.gmail.com
      a16b2b96
    • Michael Paquier's avatar
      Improve tab completion of IMPORT FOREIGN SCHEMA with \h in psql · 5b2266e3
      Michael Paquier authored
      Only "IMPORT" was showing as result of the completion, while IMPORT
      FOREIGN SCHEMA is the only command using this keyword in first
      position.  This changes the completion to show the full command name
      instead of just "IMPORT".
      
      Reviewed-by: Georgios Kokolatos, Julien Rouhaud
      Discussion: https://postgr.es/m/YFL6JneBiuMWYyoh@paquier.xyz
      5b2266e3
  4. 18 Mar, 2021 6 commits
  5. 17 Mar, 2021 8 commits
    • Andres Freund's avatar
      Fix memory lifetime issues of replication slot stats. · 5f79580a
      Andres Freund authored
      When accessing replication slot stats, introduced in 98681675,
      pgstat_read_statsfiles() reads the data into newly allocated
      memory. Unfortunately the current memory context at that point is the
      callers, leading to leaks and use-after-free dangers.
      
      The fix is trivial, explicitly use pgStatLocalContext. There's some
      potential for further improvements, but that's outside of the scope of
      this bugfix.
      
      No backpatch necessary, feature is only in HEAD.
      
      Author: Andres Freund <andres@anarazel.de>
      Discussion: https://postgr.es/m/20210317230447.c7uc4g3vbs4wi32i@alap3.anarazel.de
      5f79580a
    • Tom Lane's avatar
      Doc: remove duplicated step in RLS example. · 70945649
      Tom Lane authored
      Seems to have been a copy-and-paste mistake in 093129c9.
      Per report from max1@inbox.ru.
      
      Discussion: https://postgr.es/m/161591740692.24273.4202054598867879464@wrigleys.postgresql.org
      70945649
    • Tom Lane's avatar
      Code review for server's handling of "tablespace map" files. · 8620a7f6
      Tom Lane authored
      While looking at Robert Foggia's report, I noticed a passel of
      other issues in the same area:
      
      * The scheme for backslash-quoting newlines in pathnames is just
      wrong; it will misbehave if the last ordinary character in a pathname
      is a backslash.  I'm not sure why we're bothering to allow newlines
      in tablespace paths, but if we're going to do it we should do it
      without introducing other problems.  Hence, backslashes themselves
      have to be backslashed too.
      
      * The author hadn't read the sscanf man page very carefully, because
      this code would drop any leading whitespace from the path.  (I doubt
      that a tablespace path with leading whitespace could happen in
      practice; but if we're bothering to allow newlines in the path, it
      sure seems like leading whitespace is little less implausible.)  Using
      sscanf for the task of finding the first space is overkill anyway.
      
      * While I'm not 100% sure what the rationale for escaping both \r and
      \n is, if the idea is to allow Windows newlines in the file then this
      code failed, because it'd throw an error if it saw \r followed by \n.
      
      * There's no cross-check for an incomplete final line in the map file,
      which would be a likely apparent symptom of the improper-escaping
      bug.
      
      On the generation end, aside from the escaping issue we have:
      
      * If needtblspcmapfile is true then do_pg_start_backup will pass back
      escaped strings in tablespaceinfo->path values, which no caller wants
      or is prepared to deal with.  I'm not sure if there's a live bug from
      that, but it looks like there might be (given the dubious assumption
      that anyone actually has newlines in their tablespace paths).
      
      * It's not being very paranoid about the possibility of random stuff
      in the pg_tblspc directory.  IMO we should ignore anything without an
      OID-like name.
      
      The escaping rule change doesn't seem back-patchable: it'll require
      doubling of backslashes in the tablespace_map file, which is basically
      a basebackup format change.  The odds of that causing trouble are
      considerably more than the odds of the existing bug causing trouble.
      The rest of this seems somewhat unlikely to cause problems too,
      so no back-patch.
      8620a7f6
    • Tom Lane's avatar
      Prevent buffer overrun in read_tablespace_map(). · a50e4fd0
      Tom Lane authored
      Robert Foggia of Trustwave reported that read_tablespace_map()
      fails to prevent an overrun of its on-stack input buffer.
      Since the tablespace map file is presumed trustworthy, this does
      not seem like an interesting security vulnerability, but still
      we should fix it just in the name of robustness.
      
      While here, document that pg_basebackup's --tablespace-mapping option
      doesn't work with tar-format output, because it doesn't.  To make it
      work, we'd have to modify the tablespace_map file within the tarball
      sent by the server, which might be possible but I'm not volunteering.
      (Less-painful solutions would require changing the basebackup protocol
      so that the source server could adjust the map.  That's not very
      appetizing either.)
      a50e4fd0
    • Tom Lane's avatar
      Add end-to-end testing of pg_basebackup's tar-format output. · 081876d7
      Tom Lane authored
      The existing test script does run pg_basebackup with the -Ft option,
      but it makes no real attempt to verify the sanity of the results.
      We wouldn't know if the output is incompatible with standard "tar"
      programs, nor if the server fails to start from the restored output.
      Notably, this means that xlog.c's read_tablespace_map() is not being
      meaningfully tested, since that code is used only in the tar-format
      case.  (We do have reasonable coverage of restoring from plain-format
      output, though it's over in src/test/recovery not here.)
      
      Hence, attempt to untar the output and start a server from it,
      rather just hoping it's OK.
      
      This test assumes that the local "tar" has the "-C directory"
      switch.  Although that's not promised by POSIX, my research
      suggests that all non-extinct tar implementations have it.
      Should the buildfarm's opinion differ, we can complicate the
      test a bit to avoid requiring that.
      
      Possibly this should be back-patched, but I'm unsure about
      whether it could work on Windows before d66b23b0.
      081876d7
    • Tom Lane's avatar
      Doc: improve discussion of variable substitution in PL/pgSQL. · c783e656
      Tom Lane authored
      This was a bit disjointed, partly because of a not-well-considered
      decision to document SQL commands that don't return result rows as
      though they had nothing in common with commands that do.  Rearrange
      so that we have one discussion of variable substitution that clearly
      applies to all types of SQL commands, and then handle the question
      of processing command output separately.  Clarify that EXPLAIN,
      CREATE TABLE AS SELECT, and similar commands that incorporate an
      optimizable statement will act like optimizable statements for the
      purposes of variable substitution.  Do a bunch of minor wordsmithing
      in the same area.
      
      David Johnston and Tom Lane, reviewed by Pavel Stehule and David
      Steele
      
      Discussion: https://postgr.es/m/CAKFQuwYvMKucM5fnZvHSo-ah4S=_n9gmKeu6EAo=_fTrohunqQ@mail.gmail.com
      c783e656
    • Thomas Munro's avatar
    • Michael Paquier's avatar
      Fix comment in indexing.c · 9fd2952c
      Michael Paquier authored
      578b2297, that removed support for WITH OIDS, has changed
      CatalogTupleInsert() to not return an Oid, but one comment was still
      mentioning that.
      
      Author: Vik Fearing
      Discussion: https://postgr.es/m/fef01975-ed10-3601-7b9e-80ecef72d00b@postgresfriends.org
      9fd2952c