PostgreSQL 9.5 Open Items

Open Issues

(none as of 27 Dec 2015)

Resolved Issues

resolved after 9.5RC1

brin_summarize_new_values does not check that it was called on a brin index, nor check permissions.

resolved after 9.5beta2

• Fix issues in multixact truncation rework
  • Bug fixed
  • Comment fixes remain
• Incorrect UPDATE trigger invocation in the UPDATE clause of an UPSERT statement. Peter has posted a fix.
• vacuumdb -j and password handling
• Documentation tweaks for UPSERT - patch for all issues has been posted
• psql extended wrapped format off by one error in line wrapping
• Foreign join pushdown vs EvalPlanQual
  • committed patch
• another strange behavior with track_commit_timestamp
  • committed patch
• Relation files of unlogged relation for btree and spgist indexes not initialized after promotion (not a 9.5 issue)
  • committed patch
• ALTER TABLE SET TABLESPACE ignores unlogged relations (not a 9.5 issue)
• Mention policies in role-removal procedure *or* alter/drop them in DROP OWNED
  • alter/dropping them in DROP OWNED has been committed
• pg_rewind exiting with error code 1 when source and target are on the same timeline
• Arguable RLS security bug, EvalPlanQual() paranoia
  • Due to how locking is done in combination with updates and snapshots and RLS, it's possible, with the right timing and in the absence of any additional independent locking, to lock a row and then to see the updated results of that row where the access to that row has been removed. Discussed by Peter with Heikki and Andres where the agreement was that it was not a serious issue but documentation should be added to explain it.
  • Stephen proposed initial wording to take care of this and will provide a docpatch.
  • Fix committed
• Update CREATE POLICY reference page
  • Fix committed

resolved after 9.5beta1

• UPSERT on partition - The consensus is to treat the problem as a limitation and document it.
• Queries including simple UNION ALL against tables which have RLS policies could fail with an ERROR
• Crash with recursive call of jsonb_object_agg in plpgsql
• Strange behavior on track_commit_timestamp
• Oversize item computation needs more testing (c.f. ereport(ERROR) calls in brin_getinsertbuffer)
• Document the `inclusion` framework

resolved after 9.5alpha2

• Various issues with EXCLUDED.* targetlist
• report of issue with dropped columns.
• pg_receivexlog --if-not-exists plays with pointer dereference, pointed out by Coverity.
• Deadlock in LWLock
  • interaction between LWLockWaitForVar and the introduction of atomic locking.
• BRIN regression test fails with default_transaction_isolation = 'repeatable read'. (Actually the problem is effective index corruption; see 20150731194524 for details)
• 9.5 release notes may need ON CONFLICT DO NOTHING compatibility notice for FDW authors - release note patch committed.
• 9.5 release notes item for change to LEAKPROOF semantics
• Link $(WIN32RES) into single-file modules only when PGFILEDESC is set.
• Reconcile nodes/*funcs.c
• An all-zeros page might get added to FSM and not initialized
• brin_page_items() is unsafe against cache flushes
• Crash in planner code with 9.5 alpha 1
  • Report mentions that a query on pg_stat_activity when using pg_hero leads to a crash of server.
  • Some tests and analysis (playing with extended query protocol, pghero itself and analysis of planner code by Tom) are though showing up that the back trace and information provided do not show enough information to have a reproducible test case yet. And attempts to reproduce the failure with pgbench failed as of now.
  • This now appears to have been a false alarm caused by local code changes, and perhaps an inconsistent build.
• commit_ts and its dereferenced pointers
• PL/Python docs still describe pre-9.5 float conversion semantics
• CancelBackup() and tablespace_map file
• Remove row_security=force [Noah]
• Remove SECURITY_ROW_LEVEL_DISABLED; make ri_triggers.c subject to policies [Noah]
• Make BYPASSRLS more like table-owner bypass? [Noah]
• Dean's latest round of RLS refactoring.
  • Dean posted a rebased patch on July 30th.
  • Needs further rebasing following changes to restrictive policies from extensions
  • Not a behavioral change, code cleanup, need to determine if it should be done for 9.5 or just in master.
• PGXS "check" target forcing an install
• ON CONFLICT ... UPDATE on tables with oids didn't work
• [RLS] Leave one or more policies in the regression database, so that the pg_upgrade test suite exercises pg_dump support
• Can't connect with PGSSLMODE=require on Windows
• track_commit_timestamp tracks COMMIT PREPARED in standby server, but not in master server.
• The behavior of the standby when track_commit_timestamp is flipped in the master is weird.
• CREATE POLICY and RETURNING
  • lots of discussion of what the behavior should be, but no patches yet.
  • Questions have been raised about how UPDATE, DELETE, etc, USING clauses are independent of the SELECT USING clause; specifically, if the SELECT USING clause should always be applied first and then the UPDATE and DELETE USING clauses be combined with the SELECT USING clause. The current approach, where they are independent, means that it's possible to set up policies to allow "blind" UPDATEs or DELETEs, where a row could be updated or deleted even though it can't be "seen" through the SELECT USING policy. While the consensus was not overwhelming, the prevailing opinion appears to be that the current approach is very easy to explain, reason about, and flexible even if it does allow such 'blind' changes.
  • There was further discussion about modifying UPDATE policies, specifically, to allow the WITH CHECK policy to reference both the 'old' and 'new' versions of the row. That looks like it may be a useful future enhancement but not to be addressed at this time.
  • The last discussion ended here, which pointed out that it doesn't make sense to try and limit the rows returned based on the SELECT policy because those rows have already been transformed by the statement and might now pass whatever SELECT policy is defined.
  • Next steps are either additional documentation or review and comment of the existing approach and/or the proposals suggested.
  • Additional documentation is being worked on to better explain RETURNING, the blind updates/deletes, etc.
• Hash joins try to allocate too much memory
• jsonb_set bug when using string value for path to array element
• more RLS oversights
  • Add DDL-controlled, per-table policy forcing

resolved after 9.5alpha1

• Missing reference to TransformRelationId and OCLASS_TRANSFORM in object_classes
• PANIC in GIN code (the second issue, with metapage-update record)
• Trivial bug in bttext_abbrev_convert()
• WAL-related tools and .partial WAL file
  • WAL-related tools, i.e., pg_archivecleanup, pg_resetxlog and pg_xlogdump don't seem to properly handle .paritial WAL file.
• Revoke support for strxfrm() implementations that write past the specified array length.
• Finish XLC atomics implementation.
• Fix AIX build (0689cfc, bcd7c41, 7193436)
• Final jsonb semantics patch, concerning adding negative subscripting everywhere
  • Patch also concerns adding additional minor input sanitization
• crash with plpgsql caused by CAST. Test case available.
• RLS fails to work with UPDATE ... WHERE CURRENT OF
  • Patch committed.
• Issue with ON CONFLICT DO UPDATE assignment expressions containing indirection
• Check the relevant index element in ON CONFLICT unique index inference
• XLOG reader facility leaks memory when decoding records, nodes in recovery can fail with OOM after recovering many records.
  • Actually not that critical, the problem is in XLogReaderFree which should control a bit more blocks to be freed.
  • patch committed
• Memory leaks of pg_rewind, patch committed
• copy.c handling for RLS is insecure, patch committed
• pg_stats leaks information on relations with RLS enabled
• more RLS oversights
  • Items 1 - 4, 6, 7 fixed/committed/pushed.
• Suggested improvement/clarification for CREATE FUNCTION docs
• Dean's latest round of RLS refactoring. Includes notable bugfix.
  • DML queries with additional non-target (FROM/USING) relations cared about UPDATE/DELETE applicable policies, not SELECT applicable policies. This is clearly a bug.
    • Joe extracted this part of the overall patch and committed it here
• TABLESAMPLE feature needs a lot of work
• TABLESAMPLE doesn't actually satisfy the SQL spec, does it?
• A NULL search key causes segfault
• spgist recovery assertion failure
• Revert most 9.5 changes to pre-9.5 vcregress.pl tests.
• Ignore tablespace_map file when backup_label is not present
  • Decision whether the error level should be LOG or WARNING is under discussion.
• pg_rewind fails when pg_xlog is defined as a soft link in PGDATA.
  • Heikki has mentioned one solution: ignore the content on pg_xlog. We may as well consider later a new option to allow the user to set up a soft link with pg_rewind after a rewind.
  • Michael has mentioned another solution: use an implementation of pg_readlink and fetch its content from source to target. This needs as well to modify pg_stat_file such as lstat() is used instead of stat() to detect if a path is a soft link (or junction point on Windows) or not. Perhaps this solution is not worth the backward-incompatibility issues as stat() reports the information of the linked target when meeting up with a soft link/junction point.
  • Decision has been taken to make pg_xlog behave as a repository even if it is detected as a soft link. Switched as such by 0e42397.
• Removal of SSL renegotiation code, perhaps not directly an issue with 9.5, but we may want to get a good outcome here instead of waiting 1 extra year with 9.6. Fixed as 426746b.
• FPW compression leaks information Make wal_compression SUSET and document potential security risks?
  • Parameter has been switched to SUSET.

resolved before 9.5alpha1

• BRIN page type identifier BRIN special space needs reshuffling
• proposal: searching in array function - array_position array_offset(s) do not consider arrays not starting from 1
• Assertion failure when streaming logical changes (crash in walsender replaying from a logical decoding slot)
• no test programs in contrib fix src/test/modules to work on MSVC
• Improve GB18030 <-> UTF8 encoding conversions
• alter user/role CURRENT_USER CURRENT_USER needs some fixes
• transforms vs CLOBBER_CACHE_ALWAYS
• Re: collations in shared catalogs?
• CREATE EXTENSION pg_audit can fail (pg_audit has been reverted)
• intermittent "cache lookup failed for access method 403" failure at session start
• custom-join has no way to construct Plan nodes of child Path nodes (commit)
• brin regression test intermittent failures
  • This is probably fixed as of 4-June, but it would be a good idea to watch chipmunk for a week or two before declaring the issue closed.
  • No more failures, so far anyway. -rhaas, 2015-06-26
• less log level for success dynamic background workers for 9.5 (commit)
• Memory leak with XLogFileCopy since de768844 (WAL file with .partial) (commit)
  • committed by Fujii Masao
• Remove symlinks in pg_tblspc during archive recovery and error for non-symlink paths (commit)
• DDL deparsing does not support CREATE/ALTER TRANSFORM
  • Patch for support of CREATE/DROP TRANSFORM in DDL deparsing, one bug found with DROP TRANSFORM
  • Alvaro committed part of this and, as of 2015-06-22, says he will look at the rest next
  • second commit
• PANIC in GIN code
• max_wal_size and restartpoints
• pg_file_settings patch needs some rework
  • current implementation blocks a fix for a 9.4.1 regression concerning unwanted complaints about multiple entries for PGC_POSTMASTER variables
• pg_file_settings view does not work properly on Windows
• pg_rewind failure by file deletion in source server
  • Similar issue with xlogtemp files, can be fixed by ignoring them in process_remote_files().
  • Window triggering failure cannot be reduced to zero, but significantly reduced by scanning files still present in source server with pg_stat_file and a if_not_exists mode (just an idea). Fixed by generalizing the missing_ok logic in system file functions present in core.
• Potential log(0) and division by 0 in ANALYZE and TABLESAMPLE
  • partial patch from Michael Paquier is attached to the thread, but Michael says it doesn't cover everything
  • Correct fix by Petr Jelinek
  • Fix done by making sampler recall again pg_erand48 when finding out 0.0. Idea by Tom.

Older bugs

• basebackups during ALTER DATABASE ... SET TABLESPACE ... not safe
  • this is not a 9.5 regression, although it is a bug
• recovery_target_action = pause & hot_standby = off
  • per this post from Andres, the remaining issue here is not 9.5 material
• pg_rewind tests are unstable
  • Patch committed as 582fbff, which should fix the reported symptom.
  • pg_ctl timeouts remain a potential source of pg_rewind test suite instability, but the pg_ctl suite is also affected, back to 9.4.

Non-bugs

• All information of pg_stat_ssl visible to every users
  • seems like this is OK, unless more people weigh in and say it isn't.
• pg_rewind failure when target path contains non-writable files.
  • Heikki and Robert have agreed that pg_rewind should fail in this case. Hence users should remove such files from PGDATA before performing a rewind.
• Refactoring speculative insertion with unique indexes a little - Idea formally proposed, patch posted
  • Feels like the contract that the executor has with speculative insertion + amcanunique AMs should be made explicit, and be documented under "51.5. Index Uniqueness Checks".
  • this would be good to fix up, but not a release blocker and subsequent discussion
• DDL deparsing testing module should have detected that transforms were not supported, but it failed to notice that
  • This is a clear testing deficiency, which should be fixed going forward to prevent future errors of omission. But there is no reason to hold up 9.5 for it.