1. 09 Oct, 2015 3 commits
    • Remove set_latch_on_sigusr1 flag. · db0f6cad
      Robert Haas authored
      This flag has proven to be a recipe for bugs, and it doesn't seem like
      it can really buy anything in terms of performance.  So let's just
      *always* set the process latch when we receive SIGUSR1 instead of
      trying to do it only when needed.
      
      Per my recent proposal on pgsql-hackers.
    • Handle append_rel_list in expand_security_qual · b7aac362
      Stephen Frost authored
      During expand_security_quals, we take the security barrier quals on an
      RTE and create a subquery which evaluates the quals.  During this, we
      have to replace any variables in the outer query which refer to the
      original RTE with references to the columns from the subquery.
      
      We need to also perform that replacement for any Vars in the
      append_rel_list.
      
      Only backpatching to 9.5 as we only go through this process in 9.4 for
      auto-updatable security barrier views, which UNION ALL queries aren't.
      
      Discovered by Haribabu Kommi
      
      Patch by Dean Rasheed
    • Fix uninitialized-variable bug. · 94f5246c
      Tom Lane authored
      For some reason, neither of the compilers I usually use noticed the
      uninitialized-variable problem I introduced in commit 7e2a18a9.
      That's hardly a good enough excuse though.  Committing with brown paper bag
      on head.
      
      In addition to putting the operations in the right order, move the
      declaration of "now" inside the loop; there's no need for it to be
      outside, and that does wake up older gcc enough to notice any similar
      future problem.
      
      Back-patch to 9.4; earlier versions lack the time-to-SIGKILL stanza
      so there's no bug.
  2. 08 Oct, 2015 5 commits
  3. 07 Oct, 2015 4 commits
  4. 06 Oct, 2015 6 commits
    • Perform an immediate shutdown if the postmaster.pid file is removed. · 7e2a18a9
      Tom Lane authored
      The postmaster now checks every minute or so (worst case, at most two
      minutes) that postmaster.pid is still there and still contains its own PID.
      If not, it performs an immediate shutdown, as though it had received
      SIGQUIT.
      
      The original goal behind this change was to ensure that failed buildfarm
      runs would get fully cleaned up, even if the test scripts had left a
      postmaster running, which is not an infrequent occurrence.  When the
      buildfarm script removes a test postmaster's $PGDATA directory, its next
      check on postmaster.pid will fail and cause it to exit.  Previously, manual
      intervention was often needed to get rid of such orphaned postmasters,
      since they'd block new test postmasters from obtaining the expected socket
      address.
      
      However, by checking postmaster.pid and not something else, we can provide
      additional robustness: manual removal of postmaster.pid is a frequent DBA
      mistake, and now we can at least limit the damage that will ensue if a new
      postmaster is started while the old one is still alive.
      
      Back-patch to all supported branches, since we won't get the desired
      improvement in buildfarm reliability otherwise.
    • Remove more volatile qualifiers. · 8f6bb851
      Robert Haas authored
      Prior to commit 0709b7ee, access to
      variables within a spinlock-protected critical section had to be done
      through a volatile pointer, but that should no longer be necessary.
      This continues work begun in df4077cd
      and 6ba4ecbf.
      
      Thomas Munro and Michael Paquier
    • Have CREATE TABLE LIKE add OID column if any LIKEd table has one · b943f502
      Bruce Momjian authored
      Also, process constraints for LIKEd tables at the end so an OID column
      can be referenced in a constraint.
      
      Report by Tom Lane
    • to_number(): allow 'V' to divide by 10^(the number of digits) · 28b3a3d4
      Bruce Momjian authored
      to_char('V') already multiplied in a similar manner.
      
      Report by Jeremy Lowery
    • psql: allow \pset C in setting the title, matches \C · 2145a766
      Bruce Momjian authored
      Report by David G. Johnston
    • to_char(): Do not count negative sign as a digit for time values · 2d87eedc
      Bruce Momjian authored
      For time masks, like HH24, MI, SS, CC, MM, do not count the negative
      sign as part of the zero-padding length specified by the mask, e.g. have
      to_char('-4 years'::interval, 'YY') return '-04', not '-4'.
      
      Report by Craig Ringer
  5. 05 Oct, 2015 14 commits
    • docs: update guidelines on when to use GIN and GiST indexes · 6d8b2aa8
      Bruce Momjian authored
      Report by Tomas Vondra
      
      Backpatch through 9.5
    • Docs: explain contrib/pg_stat_statements' handling of GC failure. · f8a5e579
      Tom Lane authored
      Failure to perform garbage collection now has a user-visible effect, so
      explain that and explain that reducing pgss_max is the way to prevent it.
      Per gripe from Andrew Dunstan.
    • Fix insufficiently-portable regression test case. · 9e36c91b
      Tom Lane authored
      Some of the buildfarm members are evidently miserly enough of stack space
      to pass the originally-committed form of this test.  Increase the
      requirement 10X to hopefully ensure that it fails as-expected everywhere.
      
      Security: CVE-2015-5289
    • Last-minute updates for release notes. · 272ede71
      Tom Lane authored
      Add entries for security and not-quite-security issues.
      
      Security: CVE-2015-5288, CVE-2015-5289
    • Remove outdated comment about relation level autovacuum freeze limits. · 10cfd6f8
      Andres Freund authored
      The documentation for the autovacuum_multixact_freeze_max_age and
      autovacuum_freeze_max_age relation level parameters contained:
      "Note that while you can set autovacuum_multixact_freeze_max_age very
      small, or even zero, this is usually unwise since it will force frequent
      vacuuming."
      which hasn't been true since these options were made relation options,
      instead of residing in the pg_autovacuum table (834a6da4).
      
      Remove the outdated sentence. Even the lowered limits from 2596d705 are
      high enough that this doesn't warrant calling out the risk in the CREATE
      TABLE docs.
      
      Per discussion with Tom Lane and Alvaro Herrera
      
      Discussion: 26377.1443105453@sss.pgh.pa.us
      Backpatch: 9.0- (in parts)
    • Add regression tests for INSERT/UPDATE+RETURNING · be400cd2
      Stephen Frost authored
      This adds regression tests which are specific to INSERT+RETURNING and
      UPDATE+RETURNING to ensure that the SELECT policies are added as
      WithCheckOptions (and should therefore throw an error when the policy is
      violated).
      
      Per suggestion from Andres.
      
      Back-patch to 9.5 as the prior commit was.
    • Prevent stack overflow in query-type functions. · 5976097c
      Noah Misch authored
      The tsquery, ltxtquery and query_int data types have a common ancestor.
      Having acquired check_stack_depth() calls independently, each was
      missing at least one call.  Back-patch to 9.0 (all supported versions).
    • Prevent stack overflow in container-type functions. · 30cb1288
      Noah Misch authored
      A range type can name another range type as its subtype, and a record
      type can bear a column of another record type.  Consequently, functions
      like range_cmp() and record_recv() are recursive.  Functions at risk
      include operator family members and referents of pg_type regproc
      columns.  Treat as recursive any such function that looks up and calls
      the same-purpose function for a record column type or the range subtype.
      Back-patch to 9.0 (all supported versions).
      
      An array type's element type is never itself an array type, so array
      functions are unaffected.  Recursion depth proportional to array
      dimensionality, found in array_dim_to_jsonb(), is fine thanks to MAXDIM.
    • Prevent stack overflow in json-related functions. · 08fa47c4
      Noah Misch authored
      Sufficiently-deep recursion heretofore elicited a SIGSEGV.  If an
      application constructs PostgreSQL json or jsonb values from arbitrary
      user input, application users could have exploited this to terminate all
      active database connections.  That applies to 9.3, where the json parser
      adopted recursive descent, and later versions.  Only row_to_json() and
      array_to_json() were at risk in 9.2, both in a non-security capacity.
      Back-patch to 9.2, where the json type was introduced.
      
      Oskari Saarenmaa, reviewed by Michael Paquier.
      
      Security: CVE-2015-5289
    • pgcrypto: Detect and report too-short crypt() salts. · 1d812c8b
      Noah Misch authored
      Certain short salts crashed the backend or disclosed a few bytes of
      backend memory.  For existing salt-induced error conditions, emit a
      message saying as much.  Back-patch to 9.0 (all supported versions).
      
      Josh Kupershmidt
      
      Security: CVE-2015-5288
    • Apply SELECT policies in INSERT/UPDATE+RETURNING · 2ca9d544
      Stephen Frost authored
      Similar to 7d8db3e8, given that INSERT+RETURNING requires SELECT rights
      on the table, apply the SELECT policies as WCOs to the tuples being
      inserted.  Apply the same logic to UPDATE+RETURNING.
      
      Back-patch to 9.5 where RLS was added.
    • Do not write out WCOs in Query · 4158cc37
      Stephen Frost authored
      The WithCheckOptions list in Query is only populated during rewrite and
      does not need to be written out or read in as part of a Query structure.
      
      Further, move WithCheckOptions to the bottom and add comments to clarify
      that it is only populated during rewrite.
      
      Back-patch to 9.5 with a catversion bump, as we are still in alpha.
    • Re-Align *_freeze_max_age reloption limits with corresponding GUC limits. · 2596d705
      Andres Freund authored
      In 020235a5 I lowered the autovacuum_*freeze_max_age minimums to
      allow for easier testing of wraparounds. I did not touch the
      corresponding per-table limits. While those don't matter for the purpose
      of wraparound, it seems more consistent to lower them as well.
      
      It's noteworthy that the previous reloption lower limit for
      autovacuum_multixact_freeze_max_age was too high by one magnitude, even
      before 020235a5.
      
      Discussion: 26377.1443105453@sss.pgh.pa.us
      Backpatch: back to 9.0 (in parts), like the prior patch
    • ALTER TABLE .. FORCE ROW LEVEL SECURITY · 088c8336
      Stephen Frost authored
      To allow users to force RLS to always be applied, even for table owners,
      add ALTER TABLE .. FORCE ROW LEVEL SECURITY.
      
      row_security=off overrides FORCE ROW LEVEL SECURITY, to ensure pg_dump
      output is complete (by default).
      
      Also add SECURITY_NOFORCE_RLS context to avoid data corruption when
      ALTER TABLE .. FORCE ROW SECURITY is being used. The
      SECURITY_NOFORCE_RLS security context is used only during referential
      integrity checks and is only considered in check_enable_rls() after we
      have already checked that the current user is the owner of the relation
      (which should always be the case during referential integrity checks).
      
      Back-patch to 9.5 where RLS was added.
  6. 04 Oct, 2015 8 commits
    • Improve contrib/pg_stat_statements' handling of garbage collection failure. · 8bbe4cbd
      Tom Lane authored
      If we can't read the query texts file (whether because out-of-memory, or
      for some other reason), give up and reset the file to empty, discarding all
      stored query texts, though not the statistics per se.  We used to leave
      things alone and hope for better luck next time, but the problem is that
      the file is only going to get bigger and even harder to slurp into memory.
      Better to do something that will get us out of trouble.
      
      Likewise reset the file to empty for any other failure within gc_qtexts().
      The previous behavior after a write error was to discard query texts but
      not do anything to truncate the file, which is just weird.
      
      Also, increase the maximum supported file size from MaxAllocSize to
      MaxAllocHugeSize; this makes it more likely we'll be able to do a garbage
      collection successfully.
      
      Also, fix recalculation of mean_query_len within entry_dealloc() to match
      the calculation in gc_qtexts().  The previous coding overlooked the
      possibility of dropped texts (query_len == -1) and would underestimate the
      mean of the remaining entries in such cases, thus possibly causing excess
      garbage collection cycles.
      
      In passing, add some errdetail to the log entry that complains about
      insufficient memory to read the query texts file, which after all was
      Jim Nasby's original complaint.
      
      Back-patch to 9.4 where the current handling of query texts was
      introduced.
      
      Peter Geoghegan, rather editorialized upon by me
    • Fix hstore_plpython test when python3 is used. · 86b1e678
      Andres Freund authored
      Due to b67aaf21 / CREATE EXTENSION ... CASCADE the test output
      contains the extension name in yet another place. Since that's variable
      depending on the python version...
      
      Add yet another name mangling stanza to regress-python3-mangle.mk.
      
      Author: Petr Jelinek
    • Further twiddling of nodeHash.c hashtable sizing calculation. · f2fc98fb
      Tom Lane authored
      On reflection, the submitted patch didn't really work to prevent the
      request size from exceeding MaxAllocSize, because of the fact that we'd
      happily round nbuckets up to the next power of 2 after we'd limited it to
      max_pointers.  The simplest way to enforce the limit correctly is to
      round max_pointers down to a power of 2 when it isn't one already.
      
      (Note that the constraint to INT_MAX / 2, if it were doing anything useful
      at all, is properly applied after that.)
    • Fix some issues in new hashtable size calculations in nodeHash.c. · a31e64d0
      Tom Lane authored
      Limit the size of the hashtable pointer array to not more than
      MaxAllocSize, per reports from Kouhei Kaigai and others of "invalid memory
      alloc request size" failures.  There was discussion of allowing the array
      to get larger than that by using the "huge" palloc API, but so far no proof
      that that is actually a good idea, and at this point in the 9.5 cycle major
      changes from old behavior don't seem like the way to go.
      
      Fix a rather serious secondary bug in the new code, which was that it
      didn't ensure nbuckets remained a power of 2 when recomputing it for the
      multiple-batch case.
      
      Clean up sloppy division of labor between ExecHashIncreaseNumBuckets and
      its sole call site.
    • Disallow invalid path elements in jsonb_set · 1edd4ec8
      Andrew Dunstan authored
      Null path elements and, where the object is an array, invalid integer
      elements now cause an error.
      
      Incorrect behaviour noted by Thom Brown, patch from Dmitry Dolgov.
      
      Backpatch to 9.5 where jsonb_set was introduced
    • Update 9.5 release notes through today. · cf007a4b
      Tom Lane authored