Movatterモバイル変換

Tighten security restrictions withinREFRESH MATERIALIZED VIEW CONCURRENTLY (Heikki Linnakangas)§§

One step of a concurrent refresh command was run under weak security restrictions. If a materialized view's owner could persuade a superuser or other high-privileged user to perform a concurrent refresh on that view, the view's owner could control code executed with the privileges of the user runningREFRESH. Fix things so that all user-determined code is run as the view's owner, as expected.

The only known exploit for this error does not work inPostgreSQL 16.0 and later, so it may be that v16 is not vulnerable in practice.

ThePostgreSQL Project thanks Pedro Gallegos for reporting this problem. (CVE-2024-0985)

Fix memory leak when performing JIT inlining (Andres Freund, Daniel Gustafsson)§

There have been multiple reports of backend processes suffering out-of-memory conditions after sufficiently many JIT compilations. This fix should resolve that.

When dequeueing from an LWLock, avoid needing to search the list of waiting processes (Andres Freund)§

This fixes O(N^2) behavior when the list of waiters is long. In some use-cases this results in substantial throughput improvements.

Avoid generating incorrect partitioned-join plans (Richard Guo)§

Some uncommon situations involving lateral references could create incorrect plans. Affected queries could produce wrong answers, or odd failures such as“variable not found in subplan target list”, or executor crashes.

Fix incorrect wrapping of subquery output expressions in PlaceHolderVars (Tom Lane)§

This fixes incorrect results when a subquery is underneath an outer join and has an output column that laterally references something outside the outer join's scope. The output column might not appear as NULL when it should do so due to the action of the outer join.

Fix misprocessing of window function run conditions (Richard Guo)§

This oversight could lead to“WindowFunc not found in subplan target lists” errors.

Skip inappropriate actions whenMERGE causes a cross-partition update (Dean Rasheed)§

When executing aMERGE UPDATE action on a partitioned table, if theUPDATE is turned into aDELETE andINSERT due to changing a partition key column, skip firingAFTER UPDATE ROW triggers, as well as other post-update actions such as RLS checks. These actions would typically fail, which is why a regularUPDATE doesn't do them in such cases;MERGE shouldn't either.

Cope withBEFORE ROW DELETE triggers in cross-partitionMERGE updates (Dean Rasheed)§

If such a trigger attempted to prevent the update by returning NULL,MERGE would suffer an error or assertion failure.

Prevent access to a no-longer-pinned buffer inBEFORE ROW UPDATE triggers (Alexander Lakhin, Tom Lane)§

If the tuple being updated had just been updated and moved to another page by another session, there was a narrow window where we would attempt to fetch data from the new tuple version without any pin on its buffer. In principle this could result in garbage data appearing in non-updated columns of the proposed new tuple. The odds of problems in practice seem rather low, however.

Avoid requesting an oversize shared-memory area in parallel hash join (Thomas Munro, Andrei Lepikhov, Alexander Korotkov)§§

The limiting value was too large, allowing“invalid DSA memory alloc request size” errors to occur with sufficiently large expected hash table sizes.

Avoid assertion failures inheap_update() andheap_delete() when a tuple to be updated by a foreign-key enforcement trigger fails the extra visibility crosscheck (Alexander Lakhin)§

This error had no impact in non-assert builds.

Fix overly tight assertion aboutfalse_positive_rate parameter of BRIN bloom operator classes (Alexander Lakhin)§

This error had no impact in non-assert builds, either.

Fix possible failure duringALTER TABLE ADD COLUMN on a complex inheritance tree (Tender Wang)§

If a grandchild table would inherit the new column via multiple intermediate parents, the command failed with“tuple already updated by self”.

Fix problems with duplicate token names inALTER TEXT SEARCH CONFIGURATION ... MAPPING commands (Tender Wang, Michael Paquier)§

Properly lock the associated table duringDROP STATISTICS (Tomas Vondra)§

Failure to acquire the lock could result in“tuple concurrently deleted” errors if theDROP executes concurrently withANALYZE.

Fix function volatility checking forGENERATED andDEFAULT expressions (Tom Lane)§

These places could fail to detect insertion of a volatile function default-argument expression, or decide that a polymorphic function is volatile although it is actually immutable on the datatype of interest. This could lead to improperly rejecting or accepting aGENERATED clause, or to mistakenly applying the constant-default-value optimization inALTER TABLE ADD COLUMN.

Detect that a new catalog cache entry became stale while detoasting its fields (Tom Lane)§§

We expand any out-of-line fields in a catalog tuple before inserting it into the catalog caches. That involves database access which might cause invalidation of catalog cache entries — but the new entry isn't in the cache yet, so we would miss noticing that it should get invalidated. The result is a race condition in which an already-stale cache entry could get made, and then persist indefinitely. This would lead to hard-to-predict misbehavior. Fix by rechecking the tuple's visibility after detoasting.

Fix edge-case integer overflow detection bug on some platforms (Dean Rasheed)§

Computing0 - INT64_MIN should result in an overflow error, and did on most platforms. However, platforms with neither integer overflow builtins nor 128-bit integers would fail to spot the overflow, instead returningINT64_MIN.

Detect Julian-date overflow when adding or subtracting aninterval to/from atimestamp (Tom Lane)§

Some cases that should cause an out-of-range error produced an incorrect result instead.

Add more checks for overflow ininterval_mul() andinterval_div() (Dean Rasheed)§

Some cases that should cause an out-of-range error produced an incorrect result instead.

Ensure cached statistics are discarded after a change tostats_fetch_consistency (Shinya Kato)§

In some code paths, it was possible for stale statistics to be returned.

Make thepg_file_settings view check validity of unapplied values for settings withbackend orsuperuser-backend context (Tom Lane)§

Invalid values were not noted in the view as intended. This escaped detection because there are very few settings in these groups.

Match collation too when matching an existing index to a new partitioned index (Peter Eisentraut)§

Previously we could accept an index that has a different collation from the corresponding element of the partition key, possibly leading to misbehavior.

Avoid failure if a child index is dropped concurrently withREINDEX INDEX on a partitioned index (Fei Changhong)§§

Fix insufficient locking when cleaning up an incomplete split of a GIN index's internal page (Fei Changhong, Heikki Linnakangas)§

The code tried to do this with shared rather than exclusive lock on the buffer. This could lead to index corruption if two processes attempted the cleanup concurrently.

Avoid premature release of buffer pin in GIN index insertion (Tom Lane)§

If an index root page split occurs concurrently with our own insertion, the code could fail with“buffer NNNN is not owned by resource owner”.

Avoid failure with partitioned SP-GiST indexes (Tom Lane)§

Trying to use an index of this kind could lead to“No such file or directory” errors.

Fix ownership change reporting for large objects (Tom Lane)§

A no-opALTER LARGE OBJECT OWNER command (that is, one selecting the existing owner) passed the wrong class ID to thePostAlterHook, probably confusing any extension using that hook.

Fix reporting of I/O timing data inEXPLAIN (BUFFERS) (Michael Paquier)§

The numbers labeled as“shared/local” actually refer only to shared buffers, so change that label to“shared”.

Ensure durability ofCREATE DATABASE (Noah Misch)§§

If an operating system crash occurred during or shortly afterCREATE DATABASE, recovery could fail, or subsequent connections to the new database could fail. If a base backup was taken in that window, similar problems could be observed when trying to use the backup. The symptom would be that the database directory,PG_VERSION file, orpg_filenode.map file was missing or empty.

Add moreLOG messages when starting and ending recovery from a backup (Andres Freund)§

This change provides additional information in the postmaster log that may be useful for diagnosing recovery problems.

Prevent standby servers from incorrectly processing dead index tuples during subtransactions (Fei Changhong)§

ThestartedInRecovery flag was not correctly set for a subtransaction. This affects only processing of dead index tuples. It could allow a query in a subtransaction to ignore index entries that it should return (if they are already dead on the primary server, but not dead to the standby transaction), or to prematurely mark index entries as dead that are not yet dead on the primary. It is not clear that the latter case has any serious consequences, but it's not the intended behavior.

Fix integer overflow hazard in checking whether a record will fit into the WAL decoding buffer (Thomas Munro)§

This bug appears to be only latent except when running a 32-bitPostgreSQL build on a 64-bit platform.

Fix deadlock between a logical replication apply worker, its tablesync worker, and a session process trying to alter the subscription (Shlok Kyal)§

One edge of the deadlock loop did not involve a lock wait, so the deadlock went undetected and would persist until manual intervention.

Ensure that column default values are correctly transmitted by thepgoutput logical replication plugin (Nikhil Benesch)§

ALTER TABLE ADD COLUMN with a constant default value for the new column avoids rewriting existing tuples, instead expecting that reading code will insert the correct default into a tuple that lacks that column. If replication was subsequently initiated on the table,pgoutput would transmit NULL instead of the correct default for such a column, causing incorrect replication on the subscriber.

Fix failure of logical replication's initial sync for a table with no columns (Vignesh C)§

This case generated an improperly-formattedCOPY command.

Prevent examining system catalogs with the wrong snapshot during logical decoding (Fei Changhong)§

If decoding begins partway through a transaction that modifies system catalogs, the decoder may not recognize that, causing it to fail to treat that transaction as in-progress for catalog lookups. This fix deals with the case that a top-level transaction is already marked as containing catalog changes, but its subtransaction(s) are not.

Return the correct status code when a new client disconnects without responding to the server's password challenge (Liu Lang, Tom Lane)§

In some cases we'd treat this as a loggable error, which was not the intention and tends to create log spam, since common clients likepsql frequently do this. It may also confuse extensions that useClientAuthentication_hook.

Fix incompatibility withOpenSSL 3.2 (Tristan Partin, Bo Andreson)§

Use the BIO“app_data” field for our private storage, instead of assuming it's okay to use the“data” field. This mistake didn't cause problems before, but with 3.2 it leads to crashes and complaints about double frees.

Be more wary aboutOpenSSL not settingerrno on error (Tom Lane)§

Iferrno isn't set, assume the cause of the reported failure is read EOF. This fixes rare cases of strange error reports like“could not accept SSL connection: Success”.

Fix file descriptor leakage when a foreign data wrapper'sForeignAsyncRequest function fails (Heikki Linnakangas)§

ReportENOMEM errors from file-related system calls asERRCODE_OUT_OF_MEMORY, notERRCODE_INTERNAL_ERROR (Alexander Kuzmenkov)§

InPL/pgSQL, support SQL commands that areCREATE FUNCTION/CREATE PROCEDURE with SQL-standard bodies (Tom Lane)§

Previously, such cases failed with parsing errors due to the semicolon(s) appearing in the function body.

Fixlibpq's handling of errors in pipelines (Álvaro Herrera)§§

The pipeline state could get out of sync if an error is returned for reasons other than a query problem (for example, if the connection is lost). Potentially this would lead to a busy-loop in the calling application.

Makelibpq'sPQsendFlushRequest() function flush the client output buffer under the same rules as otherPQsend functions (Jelte Fennema-Nio)§

In pipeline mode, it may still be necessary to callPQflush() as well; but this change removes some inconsistency.

Avoid race condition whenlibpq initializes OpenSSL support concurrently in two different threads (Willi Mann, Michael Paquier)§

Fix timing-dependent failure in GSSAPI data transmission (Tom Lane)§

When using GSSAPI encryption in non-blocking mode,libpq sometimes failed with“GSSAPI caller failed to retransmit all data needing to be retried”.

Inpg_dump, don't dump RLS policies or security labels for extension member objects (Tom Lane, Jacob Champion)§§

Previously, commands would be included in the dump to set these properties, which is really incorrect since they should be considered as internal affairs of the extension. Moreover, the restoring user might not have adequate privilege to set them, and indeed the dumping user might not have enough privilege to dump them (since dumping RLS policies requires acquiring lock on their table).

Inpg_dump, don't dump an extended statistics object if its underlying table isn't being dumped (Rian McGuire, Tom Lane)§

This conforms to the behavior for other dependent objects such as indexes.

Make it an error for apgbench script to end with an open pipeline (Anthonin Bonnefoy)§

Previously,pgbench would behave oddly if a\startpipeline command lacked a matching\endpipeline. This seems like a scripting mistake rather than a case thatpgbench needs to handle nicely, so throw an error.

Fix crash incontrib/intarray if an array with an element equal toINT_MAX is inserted into agist__int_ops index (Alexander Lakhin, Tom Lane)§

Report a better error whencontrib/pageinspect'shash_bitmap_info() function is applied to a partitioned hash index (Alexander Lakhin, Michael Paquier)§

Report a better error whencontrib/pgstattuple'spgstathashindex() function is applied to a partitioned hash index (Alexander Lakhin)§

On Windows, suppress autorun options when launching subprocesses inpg_ctl andpg_regress (Kyotaro Horiguchi)§§

When launching a child process viacmd.exe, pass the/D flag to prevent executing any autorun commands specified in the registry. This avoids possibly-surprising side effects.

Moveis_valid_ascii() frommb/pg_wchar.h toutils/ascii.h (Jubilee Young)§

This change avoids the need to include<simd.h> inpg_wchar.h, which was causing problems for some third-party code.

Fix compilation failures withlibxml2 version 2.12.0 and later (Tom Lane)§

Fix compilation failure ofWAL_DEBUG code on Windows (Bharath Rupireddy)§

Suppress compiler warnings from Python's header files (Peter Eisentraut, Tom Lane)§

Our preferred compiler options provoke warnings about constructs appearing in recent versions of Python's header files. When usinggcc, we can suppress these warnings with a pragma.

Avoid deprecation warning when compiling with LLVM 18 (Thomas Munro)§

Update time zone data files totzdata release 2024a for DST law changes in Greenland, Kazakhstan, and Palestine, plus corrections for the Antarctic stations Casey and Vostok. Also historical corrections for Vietnam, Toronto, and Miquelon. (Tom Lane)§