1. 14 May, 2009 1 commit
    • Heikki Linnakangas's avatar
      Add recovery_end_command option to recovery.conf. recovery_end_command · 9e403c25
      Heikki Linnakangas authored
      is run at the end of archive recovery, providing a chance to do external
      cleanup. Modify pg_standby so that it no longer removes the trigger file,
      that is to be done using the recovery_end_command now.
      
      Provide a "smart" failover mode in pg_standby, where we don't fail over
      immediately, but only after recovering all unapplied WAL from the archive.
      That gives you zero data loss assuming all WAL was archived before
      failover, which is what most users of pg_standby actually want.
      
      recovery_end_command by Simon Riggs, pg_standby changes by Fujii Masao and
      myself.
      9e403c25
  2. 13 May, 2009 3 commits
    • Tom Lane's avatar
      Add checks to DefineQueryRewrite() to prohibit attaching rules to relations · a7107136
      Tom Lane authored
      that aren't RELKIND_RELATION or RELKIND_VIEW, and to disallow attaching rules
      to system relations unless allowSystemTableMods is on.  This is to make the
      behavior of CREATE RULE more like CREATE TRIGGER, which disallows the
      comparable cases.  Per discussion of bug #4808.
      a7107136
    • Tom Lane's avatar
    • Tom Lane's avatar
      Rewrite xml.c's memory management (yet again). Give up on the idea of · 23543c73
      Tom Lane authored
      redirecting libxml's allocations into a Postgres context.  Instead, just let
      it use malloc directly, and add PG_TRY blocks as needed to be sure we release
      libxml data structures in error recovery code paths.  This is ugly but seems
      much more likely to play nicely with third-party uses of libxml, as seen in
      recent trouble reports about using Perl XML facilities in pl/perl and bug
      #4774 about contrib/xml2.
      
      I left the code for allocation redirection in place, but it's only
      built/used if you #define USE_LIBXMLCONTEXT.  This is because I found it
      useful to corral libxml's allocations in a palloc context when hunting
      for libxml memory leaks, and we're surely going to have more of those
      in the future with this type of approach.  But we don't want it turned on
      in a normal build because it breaks exactly what we need to fix.
      
      I have not re-indented most of the code sections that are now wrapped
      by PG_TRY(); that's for ease of review.  pg_indent will fix it.
      
      This is a pre-existing bug in 8.3, but I don't dare back-patch this change
      until it's gotten a reasonable amount of field testing.
      23543c73
  3. 12 May, 2009 5 commits
    • Tom Lane's avatar
      Update release notes for changes through 2009-05-11. Also some minor · db6e0b2d
      Tom Lane authored
      copy-editing and reordering of items.
      db6e0b2d
    • Tom Lane's avatar
      Fix intratransaction memory leaks in xml_recv, xmlconcat, xmlroot, and · 546454f8
      Tom Lane authored
      xml_parse, all arising from the same sloppy usage of parse_xml_decl.
      The original coding had that function returning its output string
      parameters in the libxml context, which is long-lived, and all but one
      of its callers neglected to free the strings afterwards.  The easiest
      and most bulletproof fix is to return the strings in the local palloc
      context instead, since that's short-lived.  This was only costing a
      dozen or two bytes per function call, but that adds up fast if the
      function is called repeatedly ...
      
      Noted while poking at the more general problem of what to do with our
      libxml memory allocation hooks.  Back-patch to 8.3, which has the
      identical coding.
      546454f8
    • Tom Lane's avatar
      Fix LOCK TABLE to eliminate the race condition that could make it give weird · f23bdda3
      Tom Lane authored
      errors when tables are concurrently dropped.  To do this we must take lock
      on each relation before we check its privileges.  The old code was trying
      to do that the other way around, which is a bit pointless when there are lots
      of other commands that lock relations before checking privileges.  I did keep
      it checking each relation's privilege before locking the next relation, which
      is a detail that ALTER TABLE isn't too picky about.
      f23bdda3
    • Tom Lane's avatar
      Modify find_inheritance_children() and find_all_inheritors() to add the · d4a363cd
      Tom Lane authored
      ability to lock relations as they scan pg_inherits, and to ignore any
      relations that have disappeared by the time we get lock on them.  This
      makes uses of these functions safe against concurrent DROP operations
      on child tables: we will effectively ignore any just-dropped child,
      rather than possibly throwing an error as in recent bug report from
      Thomas Johansson (and similar past complaints).  The behavior should
      not change otherwise, since the code was acquiring those same locks
      anyway, just a little bit later.
      
      An exception is LockTableCommand(), which is still behaving unsafely;
      but that seems to require some more discussion before we change it.
      d4a363cd
    • Tom Lane's avatar
      Do some minor code refactoring in preparation for changing the APIs of · 0ada5591
      Tom Lane authored
      find_inheritance_children() and find_all_inheritors().  I got annoyed that
      these are buried inside the planner but mostly used elsewhere.  So, create
      a new file catalog/pg_inherits.c and put them there, along with a couple
      of other functions that search pg_inherits.
      
      The code that modifies pg_inherits is (still) in tablecmds.c --- it's
      kind of entangled with unrelated code that modifies pg_depend and other
      stuff, so pulling it out seemed like a bigger change than I wanted to make
      right now.  But this file provides a natural home for it if anyone ever
      gets around to that.
      
      This commit just moves code around; it doesn't change anything, except
      I succumbed to the temptation to make a couple of trivial optimizations
      in typeInheritsFrom().
      0ada5591
  4. 11 May, 2009 4 commits
  5. 10 May, 2009 2 commits
    • Tom Lane's avatar
      Make a marginal performance improvement in predicate_implied_by and · 723476c7
      Tom Lane authored
      predicate_refuted_by: if either top-level input is a single-element list,
      reduce it to its lone member before proceeding.  This avoids
      a useless level of AND-recursion within the recursive proof routines.
      It's worth doing because, for example, if the clause is a 100-element
      list and the predicate is a 1-element list then we'd otherwise strip
      the predicate's list structure 100 times as we iterate through the clause.
      It's only needed at top level because there won't be any trivial ANDs below
      that --- this situation is an artifact of the decision to represent even
      single-item conditions as Lists in the "implicit AND" format, and that format
      is only used at the top level of any predicate or restriction condition.
      723476c7
    • Tom Lane's avatar
      Adjust pg_dumpall so that it emits ENCODING, LC_COLLATE, and LC_CTYPE options · 4db44b43
      Tom Lane authored
      in its CREATE DATABASE commands only for databases that have settings
      different from the installation defaults.  This is a low-tech method of
      avoiding unnecessary platform dependencies in dump files.  Eventually we ought
      to have a platform-independent way of specifying LC_COLLATE and LC_CTYPE, but
      that's not going to happen for 8.4, and this patch at least avoids the issue
      for people who aren't setting up per-database locales.  ENCODING doesn't have
      the platform dependency problem, but it seems consistent to make it act the
      same as the locale settings.
      4db44b43
  6. 09 May, 2009 1 commit
  7. 08 May, 2009 3 commits
  8. 07 May, 2009 4 commits
    • Tom Lane's avatar
      Add an option to AlterTableCreateToastTable() to allow its caller to force · 1e06ed1a
      Tom Lane authored
      a toast table to be built, even if the sum-of-column-widths calculation
      indicates one isn't needed.  This is needed by pg_migrator because if the
      old table has a toast table, we have to migrate over the toast table since
      it might contain some live data, even though subsequent column drops could
      mean that no recently-added rows could require toasting.
      1e06ed1a
    • Tom Lane's avatar
      Change pgbench to use the table names pgbench_accounts, pgbench_branches, · 48caf91b
      Tom Lane authored
      pgbench_history, and pgbench_tellers, rather than just accounts, branches,
      history, and tellers.  This is to prevent accidental conflicts with real
      application tables, as has been reported to happen at least once.  Also
      remove the automatic "SET search_path = public" that it did at startup,
      as this seems to restrict testing flexibility without actually buying much.
      Per proposal by Joshua Drake and ensuing discussion.
      
      Joshua Drake and Tom Lane
      48caf91b
    • Tom Lane's avatar
      Ooops ... make_outerjoininfo wasn't actually enforcing the join order · fdd48b18
      Tom Lane authored
      restrictions specified for semijoins in optimizer/README, to wit that
      you can't reassociate outer joins into or out of the RHS of a semijoin.
      Per report from Heikki.
      fdd48b18
    • Heikki Linnakangas's avatar
      Request XLOG switch before writing checkpoint in pg_start_backup(). Otherwise · 223431cb
      Heikki Linnakangas authored
      you can end up with an unrecoverable backup if you start a new base backup
      right after finishing archive recovery. In that scenario, the redo pointer of
      the checkpoint that pg_start_backup() writes points to the XLOG segment where
      the timeline-changing end-of-archive-recovery checkpoint is. The beginning
      of that segment contains pages with the old timeline ID, and we don't accept
      that in recovery unless we find a history file covering the old timeline ID.
      If you omit pg_xlog from the base backup and clear the archive directory
      before starting the backup, there will be no such history file available.
      
      The bug is present in all versions since PITR was introduced in 8.0, but I'm
      back-patching only back to 8.2. Earlier versions didn't have XLOG switch
      records, making this fix unfeasible. Given the lack of reports until now,
      it doesn't seem worthwhile to spend more effort to fix 8.0 and 8.1.
      
      Per report and suggestion by Mikael Krantz
      223431cb
  9. 06 May, 2009 3 commits
    • Tom Lane's avatar
      Tweak distribute_qual_to_rels so that when we decide a pseudoconstant qual · 1f36fece
      Tom Lane authored
      can be pushed to the top of the join tree, we update both the relids and
      qualscope variables to keep them in sync.  This prevents a possible later
      failure of an Assert clause, and affects nothing else since qualscope isn't
      used later except for that Assert.  At the moment the Assert shouldn't be
      reachable when we've pushed the qual up; but this is cheap insurance, and
      it's more sensible anyway in terms of the overall logic of the routine.
      Per analysis of a bug report from Stefan Huehner.
      
      I'm not back-patching this since it's just future-proofing; but if anyone
      gets tempted to change check_outerjoin_delay again in the back branches,
      this might be needed.
      1f36fece
    • Tom Lane's avatar
      Modify CREATE DATABASE to enforce that the source database's encoding setting · 421c66b7
      Tom Lane authored
      must be used for the new database, except when copying from template0.
      This is the same rule that we now enforce for locale settings, and it has
      the same motivation: databases other than template0 might contain data that
      would be invalid according to a different setting.  This represents another
      step in a continuing process of locking down ways in which encoding violations
      could occur inside the backend.  Per discussion of a few days ago.
      
      In passing, fix pre-existing breakage of mbregress.sh, and fix up a couple
      of ereport() calls in dbcommands.c that failed to specify sqlstate codes.
      421c66b7
    • Tom Lane's avatar
      Fix ecpg tests for change that disallowed Unicode literals unless · ab4e386a
      Tom Lane authored
      standard_conforming_strings is on.
      ab4e386a
  10. 05 May, 2009 11 commits
    • Tom Lane's avatar
      Tweak a comment to agree a bit better with the new dispensation that · d7ee3355
      Tom Lane authored
      locales are database-wide, not server-wide.
      d7ee3355
    • Tom Lane's avatar
      Minor improvement: avoid assuming that GetLastError value cannot be · 2fe0f296
      Tom Lane authored
      affected by CloseHandle() or Sleep().
      2fe0f296
    • Tom Lane's avatar
      Make new complaint about unsafe Unicode literals include an error location. · 1bbbcb04
      Tom Lane authored
      Every other ereport in scan.l has one, this should too.
      1bbbcb04
    • Tom Lane's avatar
      Install an atexit(2) callback that ensures that proc_exit's cleanup processing · 249a899f
      Tom Lane authored
      will still be performed if something in a backend process calls exit()
      directly, instead of going through proc_exit() as we prefer.  This is a second
      response to the issue that we might load third-party code that doesn't know it
      should not call exit().  Such a call will now cause a reasonably graceful
      backend shutdown, if possible.  (Of course, if the reason for the exit() call
      is out-of-memory or some such, we might not be able to recover, but at least
      we will try.)
      249a899f
    • Tom Lane's avatar
      Install a "dead man switch" to allow the postmaster to detect cases where · 969d7cd4
      Tom Lane authored
      a backend has done exit(0) or exit(1) without having disengaged itself
      from shared memory.  We are at risk for this whenever third-party code is
      loaded into a backend, since such code might not know it's supposed to go
      through proc_exit() instead.  Also, it is reported that under Windows
      there are ways to externally kill a process that cause the status code
      returned to the postmaster to be indistinguishable from a voluntary exit
      (thank you, Microsoft).  If this does happen then the system is probably
      hosed --- for instance, the dead session might still be holding locks.
      So the best recovery method is to treat this like a backend crash.
      
      The dead man switch is armed for a particular child process when it
      acquires a regular PGPROC, and disarmed when the PGPROC is released;
      these should be the first and last touches of shared memory resources
      in a backend, or close enough anyway.  This choice means there is no
      coverage for auxiliary processes, but I doubt we need that, since they
      shouldn't be executing any user-provided code anyway.
      
      This patch also improves the management of the EXEC_BACKEND
      ShmemBackendArray array a bit, by reducing search costs.
      
      Although this problem is of long standing, the lack of field complaints
      seems to mean it's not critical enough to risk back-patching; at least
      not till we get some more testing of this mechanism.
      969d7cd4
    • Tom Lane's avatar
      Insert CHECK_FOR_INTERRUPTS() calls into btree and hash index scans at the · 8f348112
      Tom Lane authored
      points where we step right or left to the next page.  This should ensure
      reasonable response time to a query cancel request during an unsuccessful
      index scan, as seen in recent gripe from Marc Cousin.  It's a bit trickier
      than it might seem at first glance, because CHECK_FOR_INTERRUPTS() is a no-op
      if executed while holding a buffer lock.  So we have to do it just at the
      point where we've dropped one page lock and not yet acquired the next.
      
      Remove CHECK_FOR_INTERRUPTS calls at the top level of btgetbitmap and
      hashgetbitmap, since they're pointless given the added checks.
      
      I think that GIST is okay already --- at least, there's a CHECK_FOR_INTERRUPTS
      at a plausible-looking place in gistnext().  I don't claim to know GIN well
      enough to try to poke it for this, if indeed it has a problem at all.
      
      This is a pre-existing issue, but in view of the lack of prior complaints
      I'm not going to risk back-patching.
      8f348112
    • Tom Lane's avatar
      Update comment for _bt_relandgetbuf. · 2aa5ca95
      Tom Lane authored
      2aa5ca95
    • Peter Eisentraut's avatar
      Disable the use of Unicode escapes in string constants (U&'') when · 40bc4c26
      Peter Eisentraut authored
      standard_conforming_strings is not on, for security reasons.
      40bc4c26
    • Tom Lane's avatar
      Avoid integer overflow in the loop that extracts histogram entries from · 616bceb8
      Tom Lane authored
      ANALYZE's total sample.  The original coding is at risk of overflow for
      statistics targets exceeding about 2675; this was not a problem before
      8.4 but it is now.  Per bug #4793 from Dennis Noordsij.
      616bceb8
    • Magnus Hagander's avatar
      Make the win32 shared memory code try 10 times instead of one if · 5d540add
      Magnus Hagander authored
      it fails because the shared memory segment already exists. This
      means it can take up to 10 seconds before it reports the error
      if it *does* exist, but hopefully it will make the system capable
      of restarting even when the server is under high load.
      5d540add
    • Tom Lane's avatar
      Code review for \df rewrite: fix assorted bugs, make type and · 9f4e9bfa
      Tom Lane authored
      volatility columns localizable.
      9f4e9bfa
  11. 04 May, 2009 3 commits