Tom Lane [Mon, 27 Aug 2007 03:36:08 +0000 (03:36 +0000)]
Fix a couple of misbehaviors rooted in the fact that the default creation
namespace isn't necessarily first in the search path (there could be implicit
schemas ahead of it). Examples are
test=# set search_path TO s1;
test=# create view pg_timezone_names as select * from pg_timezone_names();
ERROR: "pg_timezone_names" is already a view
test=# create table pg_class (f1 int primary key);
ERROR: permission denied: "pg_class" is a system catalog
You'd expect these commands to create the requested objects in s1, since
names beginning with pg_ aren't supposed to be reserved anymore. What is
happening is that we create the requested base table and then execute
additional commands (here, CREATE RULE or CREATE INDEX), and that code is
passed the same RangeVar that was in the original command. Since that
RangeVar has schemaname = NULL, the secondary commands think they should do a
path search, and that means they find system catalogs that are implicitly in
front of s1 in the search path.
This is perilously close to being a security hole: if the secondary command
failed to apply a permission check then it'd be possible for unprivileged
users to make schema modifications to system catalogs. But as far as I can
find, there is no code path in which a check doesn't occur. Which makes it
just a weird corner-case bug for people who are silly enough to want to
name their tables the same as a system catalog.
The relevant code has changed quite a bit since 8.2, which means this patch
wouldn't work as-is in the back branches. Since it's a corner case no one
has reported from the field, I'm not going to bother trying to back-patch.
Tom Lane [Mon, 27 Aug 2007 01:39:25 +0000 (01:39 +0000)]
Remove the 'not in' operator (!!=). This was a hangover from Berkeley
days that was obsolete the moment we had IN (SELECT ...) capability.
It's arguably a security hole since it applied no permissions check to
the table it searched, and since it was never documented anywhere,
removing it seems more appropriate than fixing it.
Tom Lane [Mon, 27 Aug 2007 01:24:50 +0000 (01:24 +0000)]
Require SELECT privilege on a table to do dblink_get_pkey(). This is
not all that exciting when the system catalogs are readable by all,
but some people try to lock them down, and would not like this sort of
end run ...
Tom Lane [Mon, 27 Aug 2007 01:19:14 +0000 (01:19 +0000)]
Restrict pg_relation_size to relation owner, pg_database_size to DB owner,
and pg_tablespace_size to superusers. Perhaps we could weaken the first
case to just require SELECT privilege, but that doesn't work for the
other cases, so use ownership as the common concept.
Tom Lane [Mon, 27 Aug 2007 00:57:36 +0000 (00:57 +0000)]
Make currtid() functions require SELECT privileges on the target table.
While it's not clear that TID linkage info is of any great use to a
nefarious user, it's certainly unexpected that these functions wouldn't
insist on read privileges.
Tom Lane [Mon, 27 Aug 2007 00:13:51 +0000 (00:13 +0000)]
Restrict pgrowlocks function to superusers. (This might be too strict,
but no permissions check at all is certainly no good.) Clean up usage
of some deprecated APIs.
Tom Lane [Sun, 26 Aug 2007 23:59:50 +0000 (23:59 +0000)]
Restrict pgstattuple functions to superusers. (This might be too strict,
but no permissions check at all is certainly no good.) Clean up usage
of some deprecated APIs.
Tom Lane [Sun, 26 Aug 2007 21:44:25 +0000 (21:44 +0000)]
Make ARRAY(SELECT ...) return an empty array, rather than a NULL, when the
sub-select returns zero rows. Per complaint from Jens Schicke. Since this
is more in the nature of a definition change than a bug, not back-patched.
Tom Lane [Sat, 25 Aug 2007 20:29:25 +0000 (20:29 +0000)]
Adjust with-system-tzdata patch to not attempt to install a symlink,
but just hardwire the specified timezone database path into the executable.
Per discussion, this avoids some packaging disadvantages of using a
symlink.
Tom Lane [Sat, 25 Aug 2007 19:08:19 +0000 (19:08 +0000)]
Fix brain fade in DefineIndex(): it was continuing to access the table's
relcache entry after having heap_close'd it. This could lead to misbehavior
if a relcache flush wiped out the cache entry meanwhile. In 8.2 there is a
very real risk of CREATE INDEX CONCURRENTLY using the wrong relid for locking
and waiting purposes. I think the bug is only cosmetic in 8.0 and 8.1,
because their transgression is limited to using RelationGetRelationName(rel)
in an ereport message immediately after heap_close, and there's no way (except
with special debugging options) for a cache flush to occur in that interval.
Not quite sure that it's cosmetic in 7.4, but seems best to patch anyway.
Found by trying to run the regression tests with CLOBBER_CACHE_ALWAYS enabled.
Maybe we should try to do that on a regular basis --- it's awfully slow,
but perhaps some fast buildfarm machine could do it once in awhile.
Tom Lane [Sat, 25 Aug 2007 17:47:44 +0000 (17:47 +0000)]
Simplify implementation of ts_debug() function --- use a join instead
of redundant sub-selects. initdb not forced, since this is just a
cosmetic change, but the new code won't show up till you do one.
Tom Lane [Sat, 25 Aug 2007 00:03:59 +0000 (00:03 +0000)]
Cleanup for some problems in tsearch patch:
- ispell initialization crashed on empty dictionary file
- ispell initialization crashed on affix file with prefixes but no suffixes
- stop words file was run through pg_verify_mbstr, with database
encoding, but it's supposed to be UTF-8; similar bug for synonym files
- bunch of comments added, typos fixed, and other cleanup
Introduced consistent encoding checking/conversion of data read from tsearch
configuration files, by doing this in a single t_readline() subroutine
(replacing direct usages of fgets). Cleaned up API for readstopwords too.
Tom Lane [Thu, 23 Aug 2007 16:15:51 +0000 (16:15 +0000)]
Fix combo_decrypt() to throw an error for zero-length input when using a
padded encryption scheme. Formerly it would try to access res[(unsigned) -1],
which resulted in core dumps on 64-bit machines, and was certainly trouble
waiting to happen on 32-bit machines (though in at least the known case
it was harmless because that byte would be overwritten after return).
Per report from Ken Colson; fix by Marko Kreen.
Tom Lane [Wed, 22 Aug 2007 22:30:20 +0000 (22:30 +0000)]
Suppress testing the options of CREATE TEXT SEARCH DICTIONARY during
initdb. We should create all the standard dictionaries even though
some of them may not work in template1's encoding. Per Teodor.
Tom Lane [Wed, 22 Aug 2007 05:13:50 +0000 (05:13 +0000)]
Remove option to change parser of an existing text search configuration.
This prevents needing to do complex and poorly-defined updates of the
mapping table if the new parser has different token types than the old.
Per discussion.
Tom Lane [Wed, 22 Aug 2007 02:25:34 +0000 (02:25 +0000)]
Make \dFt and \dFt+ do something different --- omitting the function
names in the former case seems more consistent with the behavior of
other \dF commands.
Tom Lane [Wed, 22 Aug 2007 01:39:46 +0000 (01:39 +0000)]
Simplify the syntax of CREATE/ALTER TEXT SEARCH DICTIONARY by treating the
init options of the template as top-level options in the syntax. This also
makes ALTER a bit easier to use, since options can be replaced individually.
I also made these statements verify that the tmplinit method will accept
the new settings before they get stored; in the original coding you didn't
find out about mistakes until the dictionary got invoked.
Under the hood, init methods now get options as a List of DefElem instead
of a raw text string --- that lets tsearch use existing options-pushing code
instead of duplicating functionality.
Tom Lane [Tue, 21 Aug 2007 21:24:00 +0000 (21:24 +0000)]
Simplify CREATE TEXT SEARCH CONFIGURATION by eliminating the separate
'with map' parameter; as things now stand there's really not much point
in specifying a config-to-copy if you don't copy its map. Also, use
COPY instead of TEMPLATE as the key word for a config-to-copy, so as
to avoid confusion with text search templates. Per discussion; the
just-committed reference page for the command already describes it
this way.
Tom Lane [Tue, 21 Aug 2007 21:08:47 +0000 (21:08 +0000)]
First rough cut at text search documentation: bare bones reference
pages for the new SQL commands. I also committed Bruce's text search
introductory chapter, as-is except for fixing some markup errors,
so that there would be a place for the reference pages to link to.
Tom Lane [Tue, 21 Aug 2007 16:08:23 +0000 (16:08 +0000)]
Exclude snowball/libstemmer/ files from the set processed by pgindent.
There's not much point in prettifying machine-generated code, and it
seems best to keep these files exactly like upstream anyway. Also add
some notes about why various files are excluded.
Tom Lane [Tue, 21 Aug 2007 02:40:06 +0000 (02:40 +0000)]
Fix potential access-off-the-end-of-memory in varbit_out(): it fetched the
byte after the last full byte of the bit array, regardless of whether that
byte was part of the valid data or not. Found by buildfarm testing.
Thanks to Stefan Kaltenbrunner for nailing down the cause.
Tom Lane [Tue, 21 Aug 2007 01:12:28 +0000 (01:12 +0000)]
contrib/tsearch2 now fails its regression test because of conflicts with
the core additions. For the moment I diked it out of contrib/Makefile.
We should look at turning it into a backward-compatibility package.
Tom Lane [Tue, 21 Aug 2007 01:11:32 +0000 (01:11 +0000)]
Tsearch2 functionality migrates to core. The bulk of this work is by
Oleg Bartunov and Teodor Sigaev, but I did a lot of editorializing,
so anything that's broken is probably my fault.
Documentation is nonexistent as yet, but let's land the patch so we can
get some portability testing done.
Andrew Dunstan [Sun, 19 Aug 2007 01:41:25 +0000 (01:41 +0000)]
Provide for logfiles in machine readable CSV format. In consequence, rename
redirect_stderr to logging_collector.
Original patch from Arul Shaji, subsequently modified by Greg Smith, and then
heavily modified by me.
Tom Lane [Wed, 15 Aug 2007 21:39:50 +0000 (21:39 +0000)]
Arrange to cache a ResultRelInfo in the executor's EState for relations that
are not one of the query's defined result relations, but nonetheless have
triggers fired against them while the query is active. This was formerly
impossible but can now occur because of my recent patch to fix the firing
order for RI triggers. Caching a ResultRelInfo avoids duplicating work by
repeatedly opening and closing the same relation, and also allows EXPLAIN
ANALYZE to "see" and report on these extra triggers. Use the same mechanism
to cache open relations when firing deferred triggers at transaction shutdown;
this replaces the former one-element-cache strategy used in that case, and
should improve performance a bit when there are deferred triggers on a number
of relations.
Tom Lane [Wed, 15 Aug 2007 19:15:47 +0000 (19:15 +0000)]
Repair problems occurring when multiple RI updates have to be done to the same
row within one query: we were firing check triggers before all the updates
were done, leading to bogus failures. Fix by making the triggers queued by
an RI update go at the end of the outer query's trigger event list, thereby
effectively making the processing "breadth-first". This was indeed how it
worked pre-8.0, so the bug does not occur in the 7.x branches.
Per report from Pavel Stehule.
Bruce Momjian [Wed, 15 Aug 2007 15:53:30 +0000 (15:53 +0000)]
Add third idea about pulling data from indexes.
> A third idea would be for a heap scan to check if all rows are visible
> and if so set a per-table flag which can be checked by index scans.
> Any change to the table would have to clear the flag. To detect
> changes during the heap scan a counter could be set at the start and
> checked at the end --- if it is the same, the table has not been
> modified --- any table change would increment the counter.
Tom Lane [Tue, 14 Aug 2007 17:35:18 +0000 (17:35 +0000)]
Fix oversight in async-commit patch: there were some places in heapam.c
that still thought they could set HEAP_XMAX_COMMITTED immediately after
seeing the other transaction commit. Make them use the same logic as
tqual.c does to determine if the hint bit can be set yet.
Michael Meskes [Tue, 14 Aug 2007 10:01:54 +0000 (10:01 +0000)]
- Finished major rewrite to use new protocol version
- Really prepare statements
- Added more regression tests
- Added auto-prepare mode
- Use '$n' for positional variables, '?' is still possible via ecpg option
- Cleaned up the sources a little bit
Tom Lane [Mon, 13 Aug 2007 19:27:12 +0000 (19:27 +0000)]
TEMPORARILY make synchronous_commit default to OFF, so that we can get more
thorough testing of async-commit mode from the buildfarm. This patch MUST
get reverted before 8.3 release!
Tom Lane [Mon, 13 Aug 2007 19:08:26 +0000 (19:08 +0000)]
Fix two bugs induced in VACUUM FULL by async-commit patch.
First, we cannot assume that XLogAsyncCommitFlush guarantees hint bits will be
settable, because clog.c's inexact LSN bookkeeping results in windows where a
previously flushed transaction is considered unhintable because it shares an
LSN slot with a later unflushed transaction. But repair_frag requires
XMIN_COMMITTED to be correct so that it can distinguish tuples moved by the
current vacuum. Since not being able to set the bit is an uncommon corner
case, the most practical way of dealing with it seems to be to abandon
shrinking (ie, don't invoke repair_frag) when we find a non-dead tuple whose
XMIN_COMMITTED bit couldn't be set.
Second, it is possible for the same reason that a RECENTLY_DEAD tuple does not
get its XMAX_COMMITTED bit set during scan_heap. But by the time repair_frag
examines the tuple it might be possible to set the bit. We therefore must
take buffer content lock when calling HeapTupleSatisfiesVacuum a second time,
else we can get an Assert failure in SetBufferCommitInfoNeedsSave. This
latter bug is latent in existing releases, but I think it cannot actually
occur without async commit, since the first HeapTupleSatisfiesVacuum call
should always have set the bit. So I'm not going to back-patch it.
In passing, reduce the existing "cannot shrink relation" messages from NOTICE
to LOG level. The new message must be no higher than LOG if we don't want
unpredictable regression test failures, and consistency seems like a good
idea. Also arrange that only one such message is reported per VACUUM FULL;
in typical scenarios you could get spammed with many such messages, which
seems a bit useless.
Tom Lane [Mon, 13 Aug 2007 01:18:47 +0000 (01:18 +0000)]
Document that the regexp split functions ignore zero-length matches in
certain corner cases. Per discussion, the code does what we want, but
it really needs to be documented that these functions act differently
from regexp_matches.
Tom Lane [Sun, 12 Aug 2007 20:39:14 +0000 (20:39 +0000)]
Remove an "optimization" I installed in 2001, to make repalloc() attempt to
enlarge the memory chunk in-place when it was feasible to do so. This turns
out to not work well at all for scenarios involving repeated cycles of
palloc/repalloc/pfree: the eventually freed chunks go into the wrong freelist
for the next initial palloc request, and so we consume memory indefinitely.
While that could be defended against, the number of cases where the
optimization can still be applied drops significantly, and adjusting the
initial sizes of StringInfo buffers makes it drop to almost nothing.
Seems better to just remove the extra complexity.
Per recent discussion and testing.
Tom Lane [Sun, 12 Aug 2007 20:18:06 +0000 (20:18 +0000)]
Increase the initial size of StringInfo buffers to 1024 bytes (from 256);
likewise increase the initial size of the scanner's literal buffer to 1024
(from 128). Instrumentation of the regression tests suggests that this
saves a useful amount of repalloc() traffic --- the number of calls occurring
during one set of tests drops from about 6900 to about 3900. The old sizes
were chosen in the late 90's with an eye to machines much smaller than
are common today.
Tom Lane [Sat, 11 Aug 2007 19:16:41 +0000 (19:16 +0000)]
Avoid memory leakage across successive calls of regexp_matches() or
regexp_split_to_table() within a single query. This is only a partial
solution, as it turns out that with enough matches per string these
functions can also tickle a repalloc() misbehavior. But fixing that
is a topic for a separate patch.
Tom Lane [Sat, 11 Aug 2007 03:56:24 +0000 (03:56 +0000)]
Code review for regexp_matches/regexp_split patch. Refactor to avoid assuming
that cached compiled patterns will still be there when the function is next
called. Clean up looping logic, thereby fixing bug identified by Pavel
Stehule. Share setup code between the two functions, add some comments, and
avoid risky mixing of int and size_t variables. Clean up the documentation a
tad, and accept all the flag characters mentioned in table 9-19 rather than
just a subset.
Tom Lane [Fri, 10 Aug 2007 00:39:31 +0000 (00:39 +0000)]
Fix unintended change of output format for createlang/droplang -l. Missed
these uses of printQuery() in FETCH_COUNT patch a year ago :-(. Per report
from Tomoaki Sato.
Tom Lane [Thu, 9 Aug 2007 01:18:43 +0000 (01:18 +0000)]
Revise postmaster startup/shutdown logic to eliminate the problem that a
constant flow of new connection requests could prevent the postmaster from
completing a shutdown or crash restart. This is done by labeling child
processes that are "dead ends", that is, we know that they were launched only
to tell a client that it can't connect. These processes are managed
separately so that they don't confuse us into thinking that we can't advance
to the next stage of a shutdown or restart sequence, until the very end
where we must wait for them to drain out so we can delete the shmem segment.
Per discussion of a misbehavior reported by Keaton Adams.
Since this code was baroque already, and my first attempt at fixing the
problem made it entirely impenetrable, I took the opportunity to rewrite it
in a state-machine style. That eliminates some duplicated code sections and
hopefully makes everything a bit clearer.
Neil Conway [Wed, 8 Aug 2007 18:07:05 +0000 (18:07 +0000)]
Fix a gradual memory leak in ExecReScanAgg(). Because the aggregation
hash table is allocated in a child context of the agg node's memory
context, MemoryContextReset() will reset but *not* delete the child
context. Since ExecReScanAgg() proceeds to build a new hash table
from scratch (in a new sub-context), this results in leaking the
header for the previous memory context. Therefore, use
MemoryContextResetAndDeleteChildren() instead.
Credit: My colleague Sailesh Krishnamurthy at Truviso for isolating
the cause of the leak.
Neil Conway [Tue, 7 Aug 2007 06:25:14 +0000 (06:25 +0000)]
Adjust the output of MemoryContextStats() so that the stats for a
child memory contexts is indented two spaces to the right of its
parent context. This should make it easier to deduce the memory
context hierarchy from the output of MemoryContextStats().
Tom Lane [Sun, 5 Aug 2007 15:43:00 +0000 (15:43 +0000)]
Adjust configure so that it sets CFLAGS properly for Intel's icc
even if the compiler is not defining __GNUC__. Per report from
Dirk Tilger that it is possible for icc to not do that.
Tom Lane [Sun, 5 Aug 2007 15:11:40 +0000 (15:11 +0000)]
Apparently icc doesn't always define __ICC, and it's more correct to
check for __INTEL_COMPILER. Per report from Dirk Tilger.
Not back-patched since I don't fully trust it yet ...
Neil Conway [Sat, 4 Aug 2007 21:01:09 +0000 (21:01 +0000)]
Tweak for initdb: if more command-line arguments were specified than
expected, exit with an error, rather than complaining about the error
on stderr but continuing onward.
Tom Lane [Sat, 4 Aug 2007 19:29:25 +0000 (19:29 +0000)]
Fix crash caused by log_timezone patch if we attempt to emit any elog messages
between the setting of log_line_prefix and the setting of log_timezone. We
can't realistically set log_timezone any earlier than we do now, so the best
behavior seems to be to use GMT zone if any timestamps are to be logged during
early startup. Create a dummy zone variable with a minimal definition of GMT
(in particular it will never know about leap seconds), so that we can set it
up without reference to any external files.
Tom Lane [Sat, 4 Aug 2007 03:15:49 +0000 (03:15 +0000)]
Fix a problem in my recent patch to initialize cancel_key for autovac workers
as well as regular backends: if no regular backend launches before the autovac
launcher tries to start an autovac worker, the postmaster would get an Assert
fault due to calling PostmasterRandom before random_seed was initialized.
Cleanest solution seems to be to take the initialization of random_seed out
of ServerLoop and let PostmasterRandom do it for itself.
Tom Lane [Sat, 4 Aug 2007 01:26:54 +0000 (01:26 +0000)]
Switch over to using the src/timezone functions for formatting timestamps
displayed in the postmaster log. This avoids Windows-specific problems with
localized time zone names that are in the wrong encoding, and generally seems
like a good idea to forestall other potential platform-dependent issues.
To preserve the existing behavior that all backends will log in the same time
zone, create a new GUC variable log_timezone that can only be changed on a
system-wide basis, and reference log-related calculations to that zone instead
of the TimeZone variable.
This fixes the issue reported by Hiroshi Saito that timestamps printed by
xlog.c startup could be improperly localized on Windows. We still need a
simpler patch for that problem in the back branches, however.
Tom Lane [Fri, 3 Aug 2007 20:06:50 +0000 (20:06 +0000)]
Fix some sloppiness in the recent multiple-autovacuum-worker patch. It was
not bothering to initialize is_autovacuum for regular backends, meaning there
was a significant chance of the postmaster prematurely sending them SIGTERM
during database shutdown. Also, leaving the cancel key unset for an autovac
worker meant that any client could send it SIGINT, which doesn't sound
especially good either.
Andrew Dunstan [Thu, 2 Aug 2007 23:39:45 +0000 (23:39 +0000)]
Move session_start out of MyProcPort stucture and make it a global called MyStartTime,
so that we will be able to create a cookie for all processes for CSVlogs.
It is set wherever MyProcPid is set. Take the opportunity to remove the now
unnecessary session-only restriction on the %s and %c escapes in log_line_prefix.
Tom Lane [Wed, 1 Aug 2007 22:45:09 +0000 (22:45 +0000)]
Support an optional asynchronous commit mode, in which we don't flush WAL
before reporting a transaction committed. Data consistency is still
guaranteed (unlike setting fsync = off), but a crash may lose the effects
of the last few transactions. Patch by Simon, some editorialization by Tom.