Postgres Changelog - All Versions

This is a complete, one-page listing of changes across all Postgres versions. All versions 10 and older are EOL (end of life) and unsupported. This page was generated on November 30, 2023 by a script (version 1.34) by Greg Sabino Mullane, and contains information for 490 versions of Postgres.

Postgres version 16.1

Release date: 2023-11-09

This release contains a variety of fixes from 16.0. For information about new features in major release 16, see Version 16.0.

 Migration to Version 16.1

A dump/restore is not required for those running 16.X.

However, several mistakes have been discovered that could lead to certain types of indexes yielding wrong search results or being unnecessarily inefficient. It is advisable to REINDEX potentially-affected indexes after installing this update. See the fourth through seventh changelog entries below.

 Changes

• Fix handling of unknown-type arguments in DISTINCT "any" aggregate functions (Tom Lane)

  This error led to a text-type value being interpreted as an unknown-type value (that is, a zero-terminated string) at runtime. This could result in disclosure of server memory following the text value.

  The PostgreSQL Project thanks Jingzhou Fu for reporting this problem. (CVE-2023-5868 or CVE-2023-5868)

• Detect integer overflow while computing new array dimensions (Tom Lane)

  When assigning new elements to array subscripts that are outside the current array bounds, an undetected integer overflow could occur in edge cases. Memory stomps that are potentially exploitable for arbitrary code execution are possible, and so is disclosure of server memory.

  The PostgreSQL Project thanks Pedro Gallegos for reporting this problem. (CVE-2023-5869 or CVE-2023-5869)

• Prevent the pg_signal_backend role from signalling background workers and autovacuum processes (Noah Misch, Jelte Fennema-Nio)

  The documentation says that pg_signal_backend cannot issue signals to superuser-owned processes. It was able to signal these background processes, though, because they advertise a role OID of zero. Treat that as indicating superuser ownership. The security implications of cancelling one of these process types are fairly small so far as the core code goes (we'll just start another one), but extensions might add background workers that are more vulnerable.

  Also ensure that the is_superuser parameter is set correctly in such processes. No specific security consequences are known for that oversight, but it might be significant for some extensions.

  The PostgreSQL Project thanks Hemanth Sandrana and Mahendrakar Srinivasarao for reporting this problem. (CVE-2023-5870 or CVE-2023-5870)

• Fix misbehavior during recursive page split in GiST index build (Heikki Linnakangas)

  Fix a case where the location of a page downlink was incorrectly tracked, and introduce some logic to allow recovering from such situations rather than silently doing the wrong thing. This error could result in incorrect answers from subsequent index searches. It may be advisable to reindex all GiST indexes after installing this update.

• Prevent de-duplication of btree index entries for interval columns (Noah Misch)

  There are interval values that are distinguishable but compare equal, for example 24:00:00 and 1 day. This breaks assumptions made by btree de-duplication, so interval columns need to be excluded from de-duplication. This oversight can cause incorrect results from index-only scans. Moreover, after updating amcheck will report an error for almost all such indexes. Users should reindex any btree indexes on interval columns.

• Process date values more sanely in BRIN datetime_minmax_multi_ops indexes (Tomas Vondra)

  The distance calculation for dates was backward, causing poor decisions about which entries to merge. The index still produces correct results, but is much less efficient than it should be. Reindexing BRIN minmax_multi indexes on date columns is advisable.

• Process large timestamp and timestamptz values more sanely in BRIN datetime_minmax_multi_ops indexes (Tomas Vondra)

  Infinities were mistakenly treated as having distance zero rather than a large distance from other values, causing poor decisions about which entries to merge. Also, finite-but-very-large values (near the endpoints of the representable timestamp range) could result in internal overflows, again causing poor decisions. The index still produces correct results, but is much less efficient than it should be. Reindexing BRIN minmax_multi indexes on timestamp and timestamptz columns is advisable if the column contains, or has contained, infinities or large finite values.

• Avoid calculation overflows in BRIN interval_minmax_multi_ops indexes with extreme interval values (Tomas Vondra)

  This bug might have caused unexpected failures while trying to insert large interval values into such an index.

• Fix partition step generation and runtime partition pruning for hash-partitioned tables with multiple partition keys (David Rowley)

  Some cases involving an IS NULL condition on one of the partition keys could result in a crash.

• Fix inconsistent rechecking of concurrently-updated rows during MERGE (Dean Rasheed)

  In READ COMMITTED mode, an update that finds that its target row was just updated by a concurrent transaction will recheck the query's WHERE conditions on the updated row. MERGE failed to ensure that the proper rows of other joined tables were used during this recheck, possibly resulting in incorrect decisions about whether the newly-updated row should be updated again by MERGE.

• Correctly identify the target table in an inherited UPDATE/DELETE/MERGE even when the parent table is excluded by constraints (Amit Langote, Tom Lane)

  If the initially-named table is excluded by constraints, but not all its inheritance descendants are, the first non-excluded descendant was identified as the primary target table. This would lead to firing statement-level triggers associated with that table, rather than the initially-named table as should happen. In v16, the same oversight could also lead to “invalid perminfoindex 0 in RTE with relid NNNN” errors.

• Fix edge case in btree mark/restore processing of ScalarArrayOpExpr clauses (Peter Geoghegan)

  When restoring an indexscan to a previously marked position, the code could miss required setup steps if the scan had advanced exactly to the end of the matches for a ScalarArrayOpExpr (that is, an indexcol = ANY (ARRAY[])) clause. This could result in missing some rows that should have been fetched.

• Fix intra-query memory leak in Memoize execution (Orlov Aleksej, David Rowley)

• Fix intra-query memory leak when a set-returning function repeatedly returns zero rows (Tom Lane)

• Don't crash if cursor_to_xmlschema() is applied to a non-data-returning Portal (Boyu Yang)

• Fix improper sharing of origin filter condition across successive pg_logical_slot_get_changes() calls (Hou Zhijie)

  The origin condition set by one call of this function would be re-used by later calls that did not specify the origin argument. This was not intended.

• Throw the intended error if pgrowlocks() is applied to a partitioned table (David Rowley)

  Previously, a not-on-point complaint “only heap AM is supported” would be raised.

• Handle invalid indexes more cleanly in assorted SQL functions (Noah Misch)

  Report an error if pgstatindex(), pgstatginindex(), pgstathashindex(), or pgstattuple() is applied to an invalid index. If brin_desummarize_range(), brin_summarize_new_values(), brin_summarize_range(), or gin_clean_pending_list() is applied to an invalid index, do nothing except to report a debug-level message. Formerly these functions attempted to process the index, and might fail in strange ways depending on what the failed CREATE INDEX had left behind.

• Avoid premature memory allocation failure with long inputs to to_tsvector() (Tom Lane)

• Fix over-allocation of the constructed tsvector in tsvectorrecv() (Denis Erokhin)

  If the incoming vector includes position data, the binary receive function left wasted space (roughly equal to the size of the position data) in the finished tsvector. In extreme cases this could lead to “maximum total lexeme length exceeded” failures for vectors that were under the length limit when emitted. In any case it could lead to wasted space on-disk.

• Improve checks for corrupt PGLZ compressed data (Flavien Guedez)

• Fix ALTER SUBSCRIPTION so that a commanded change in the run_as_owner option is actually applied (Hou Zhijie)

• Fix bulk table insertion into partitioned tables (Andres Freund)

  Improper sharing of insertion state across partitions could result in failures during COPY FROM, typically manifesting as “could not read block NNNN in file XXXX: read only 0 of 8192 bytes” errors.

• In COPY FROM, avoid evaluating column default values that will not be needed by the command (Laurenz Albe)

  This avoids a possible error if the default value isn't actually valid for the column, or if the default's expression would fail in the current execution context. Such edge cases sometimes arise while restoring dumps, for example. Previous releases did not fail in this situation, so prevent v16 from doing so.

• In COPY FROM, fail cleanly when an unsupported encoding conversion is needed (Tom Lane)

  Recent refactoring accidentally removed the intended error check for this, such that it ended in “cache lookup failed for function 0” instead of a useful error message.

• Avoid crash in EXPLAIN if a parameter marked to be displayed by EXPLAIN has a NULL boot-time value (Xing Guo, Aleksander Alekseev, Tom Lane)

  No built-in parameter fits this description, but an extension could define such a parameter.

• Ensure we have a snapshot while dropping ON COMMIT DROP temp tables (Tom Lane)

  This prevents possible misbehavior if any catalog entries for the temp tables have fields wide enough to require toasting (such as a very complex CHECK condition).

• Avoid improper response to shutdown signals in child processes just forked by system() (Nathan Bossart)

  This fix avoids a race condition in which a child process that has been forked off by system(), but hasn't yet exec'd the intended child program, might receive and act on a signal intended for the parent server process. That would lead to duplicate cleanup actions being performed, which will not end well.

• Cope with torn reads of pg_control in frontend programs (Thomas Munro)

  On some file systems, reading pg_control may not be an atomic action when the server concurrently writes that file. This is detectable via a bad CRC. Retry a few times to see if the file becomes valid before we report error.

• Avoid torn reads of pg_control in relevant SQL functions (Thomas Munro)

  Acquire the appropriate lock before reading pg_control, to ensure we get a consistent view of that file.

• Fix “could not find pathkey item to sort” errors occurring while planning aggregate functions with ORDER BY or DISTINCT options (David Rowley)

• Avoid integer overflow when computing size of backend activity string array (Jakub Wartak)

  On 64-bit machines we will allow values of track_activity_query_size large enough to cause 32-bit overflow when multiplied by the allowed number of connections. The code actually allocating the per-backend local array was careless about this though, and allocated the array incorrectly.

• Fix briefly showing inconsistent progress statistics for ANALYZE on inherited tables (Heikki Linnakangas)

  The block-level counters should be reset to zero at the same time we update the current-relation field.

• Fix the background writer to report any WAL writes it makes to the statistics counters (Nazir Bilal Yavuz)

• Fix confusion about forced-flush behavior in pgstat_report_wal() (Ryoga Yoshida, Michael Paquier)

  This could result in some statistics about WAL I/O being forgotten in a shutdown.

• Fix statistics tracking of temporary-table extensions (Karina Litskevich, Andres Freund)

  These were counted as normal-table writes when they should be counted as temp-table writes.

• When track_io_timing is enabled, include the time taken by relation extension operations as write time (Nazir Bilal Yavuz)

• Track the dependencies of cached CALL statements, and re-plan them when needed (Tom Lane)

  DDL commands, such as replacement of a function that has been inlined into a CALL argument, can create the need to re-plan a CALL that has been cached by PL/pgSQL. That was not happening, leading to misbehavior or strange errors such as “cache lookup failed”.

• Avoid a possible pfree-a-NULL-pointer crash after an error in OpenSSL connection setup (Sergey Shinderuk)

• Track nesting depth correctly when inspecting RECORD-type Vars from outer query levels (Richard Guo)

  This oversight could lead to assertion failures, core dumps, or “bogus varno” errors.

• Track hash function and negator function dependencies of ScalarArrayOpExpr plan nodes (David Rowley)

  In most cases this oversight was harmless, since these functions would be unlikely to disappear while the node's original operator remains present.

• Fix error-handling bug in RECORD type cache management (Thomas Munro)

  An out-of-memory error occurring at just the wrong point could leave behind inconsistent state that would lead to an infinite loop.

• Treat out-of-memory failures as fatal while reading WAL (Michael Paquier)

  Previously this would be treated as a bogus-data condition, leading to the conclusion that we'd reached the end of WAL, which is incorrect and could lead to inconsistent WAL replay.

• Fix possible recovery failure due to trying to allocate memory based on a bogus WAL record length field (Thomas Munro, Michael Paquier)

• Fix “could not duplicate handle” error occurring on Windows when min_dynamic_shared_memory is set above zero (Thomas Munro)

• Fix order of operations in GenericXLogFinish (Jeff Davis)

  This code violated the conditions required for crash safety by writing WAL before marking changed buffers dirty. No core code uses this function, but extensions do (contrib/bloom does, for example).

• Remove incorrect assertion in PL/Python exception handling (Alexander Lakhin)

• Fix pg_dump to dump the new run_as_owner option of subscriptions (Philip Warner)

  Due to this oversight, subscriptions would always be restored with run_as_owner set to false, which is not equivalent to their behavior in pre-v16 releases.

• Fix pg_restore so that selective restores will include both table-level and column-level ACLs for selected tables (Euler Taveira, Tom Lane)

  Formerly, only the table-level ACL would get restored if both types were present.

• Add logic to pg_upgrade to check for use of abstime, reltime, and tinterval data types (Álvaro Herrera)

  These obsolete data types were removed in PostgreSQL version 12, so check to make sure they aren't present in an older database before claiming it can be upgraded.

• Avoid false “too many client connections” errors in pgbench on Windows (Noah Misch)

• Fix vacuumdb's handling of multiple -N switches (Nathan Bossart, Kuwamura Masaki)

  Multiple -N switches should exclude tables in multiple schemas, but in fact excluded nothing due to faulty construction of a generated query.

• Fix vacuumdb to honor its --buffer-usage-limit option in analyze-only mode (Ryoga Yoshida, David Rowley)

• In contrib/amcheck, do not report interrupted page deletion as corruption (Noah Misch)

  This fix prevents false-positive reports of “the first child of leftmost target page is not leftmost of its level”, “block NNNN is not leftmost” or “left link/right link pair in index XXXX not in agreement”. They appeared if amcheck ran after an unfinished btree index page deletion and before VACUUM had cleaned things up.

• Fix failure of contrib/btree_gin indexes on interval columns, when an indexscan using the < or <= operator is performed (Dean Rasheed)

  Such an indexscan failed to return all the entries it should.

• Add support for LLVM 16 and 17 (Thomas Munro, Dmitry Dolgov)

• Suppress assorted build-time warnings on recent macOS (Tom Lane)

  Xcode 15 (released with macOS Sonoma) changed the linker's behavior in a way that causes many duplicate-library warnings while building PostgreSQL. These were harmless, but they're annoying so avoid citing the same libraries twice. Also remove use of the -multiply_defined suppress linker switch, which apparently has been a no-op for a long time, and is now actively complained of.

• When building contrib/unaccent's rules file, fall back to using python if --with-python was not given and make variable PYTHON was not set (Japin Li)

• Remove PHOT (Phoenix Islands Time) from the default timezone abbreviations list (Tom Lane)

  Presence of this abbreviation in the default list can cause failures on recent Debian and Ubuntu releases, as they no longer install the underlying tzdb entry by default. Since this is a made-up abbreviation for a zone with a total human population of about two dozen, it seems unlikely that anyone will miss it. If someone does, they can put it back via a custom abbreviations file.

Postgres version 16.0

Release date: 2023-09-14

 Overview

PostgreSQL 16 contains many new features and enhancements, including:

• Allow parallelization of FULL and internal right OUTER hash joins

• Allow logical replication from standby servers

• Allow logical replication subscribers to apply large transactions in parallel

• Allow monitoring of I/O statistics using the new pg_stat_io view

• Add SQL/JSON constructors and identity functions

• Improve performance of vacuum freezing

• Add support for regular expression matching of user and database names in pg_hba.conf, and user names in pg_ident.conf

The above items and other new features of PostgreSQL 16 are explained in more detail in the sections below.

 Migration to Version 16

A dump/restore using pg_dumpall or use of pg_upgrade or logical replication is required for those wishing to migrate data from any previous release. See Section 19.6 for general information on migrating to new major releases.

Version 16 contains a number of changes that may affect compatibility with previous releases. Observe the following incompatibilities:

• Change assignment rules for PL/pgSQL bound cursor variables (Tom Lane)

  Previously, the string value of such variables was set to match the variable name during cursor assignment; now it will be assigned during OPEN, and will not match the variable name. To restore the previous behavior, assign the desired portal name to the cursor variable before OPEN.

• Disallow NULLS NOT DISTINCT indexes for primary keys (Daniel Gustafsson)

• Change REINDEX DATABASE and reindexdb to not process indexes on system catalogs (Simon Riggs)

  Processing such indexes is still possible using REINDEX SYSTEM and reindexdb --system.

• Tighten GENERATED expression restrictions on inherited and partitioned tables (Amit Langote, Tom Lane)

  Columns of parent/partitioned and child/partition tables must all have the same generation status, though now the actual generation expressions can be different.

• Remove pg_walinspect functions pg_get_wal_records_info_till_end_of_wal() and pg_get_wal_stats_till_end_of_wal() (Bharath Rupireddy)

• Rename server variable force_parallel_mode to debug_parallel_query (David Rowley)

• Remove the ability to create views manually with ON SELECT rules (Tom Lane)

• Remove the server variable vacuum_defer_cleanup_age (Andres Freund)

  This has been unnecessary since hot_standby_feedback and replication slots were added.

• Remove server variable promote_trigger_file (Simon Riggs)

  This was used to promote a standby to primary, but is now easier accomplished with pg_ctl promote or pg_promote().

• Remove read-only server variables lc_collate and lc_ctype (Peter Eisentraut)

  Collations and locales can vary between databases so having them as read-only server variables was unhelpful.

• Role inheritance now controls the default inheritance status of member roles added during GRANT (Robert Haas)

  The role's default inheritance behavior can be overridden with the new GRANT ... WITH INHERIT clause. This allows inheritance of some roles and not others because the members' inheritance status is set at GRANT time. Previously the inheritance status of member roles was controlled only by the role's inheritance status, and changes to a role's inheritance status affected all previous and future member roles.

• Restrict the privileges of CREATEROLE and its ability to modify other roles (Robert Haas)

  Previously roles with CREATEROLE privileges could change many aspects of any non-superuser role. Such changes, including adding members, now require the role requesting the change to have ADMIN OPTION permission. For example, they can now change the CREATEDB, REPLICATION, and BYPASSRLS properties only if they also have those permissions.

• Remove symbolic links for the postmaster binary (Peter Eisentraut)

 Changes

Below you will find a detailed account of the changes between PostgreSQL 16 and the previous major release.

 Server (PG 16.0)

 Optimizer (PG 16.0)

• Allow incremental sorts in more cases, including DISTINCT (David Rowley)

• Add the ability for aggregates having ORDER BY or DISTINCT to use pre-sorted data (David Rowley)

  The new server variable enable_presorted_aggregate can be used to disable this.

• Allow memoize atop a UNION ALL (Richard Guo)

• Allow anti-joins to be performed with the non-nullable input as the inner relation (Richard Guo)

• Allow parallelization of FULL and internal right OUTER hash joins (Melanie Plageman, Thomas Munro)

• Improve the accuracy of GIN index access optimizer costs (Ronan Dunklau)

 General Performance (PG 16.0)

• Allow more efficient addition of heap and index pages (Andres Freund)

• During non-freeze operations, perform page freezing where appropriate (Peter Geoghegan)

  This makes full-table freeze vacuums less necessary.

• Allow window functions to use the faster ROWS mode internally when RANGE mode is active but unnecessary (David Rowley)

• Allow optimization of always-increasing window functions ntile(), cume_dist() and percent_rank() (David Rowley)

• Allow aggregate functions string_agg() and array_agg() to be parallelized (David Rowley)

• Improve performance by caching RANGE and LIST partition lookups (Amit Langote, Hou Zhijie, David Rowley)

• Allow control of the shared buffer usage by vacuum and analyze (Melanie Plageman)

  The VACUUM/ANALYZE option is BUFFER_USAGE_LIMIT, and the vacuumdb option is --buffer-usage-limit. The default value is set by server variable vacuum_buffer_usage_limit, which also controls autovacuum.

• Support wal_sync_method=fdatasync on Windows (Thomas Munro)

• Allow HOT updates if only BRIN-indexed columns are updated (Matthias van de Meent, Josef Simanek, Tomas Vondra)

• Improve the speed of updating the process title (David Rowley)

• Allow xid/subxid searches and ASCII string detection to use vector operations (Nathan Bossart, John Naylor)

  ASCII detection is particularly useful for COPY FROM. Vector operations are also used for some C array searches.

• Reduce overhead of memory allocations (Andres Freund, David Rowley)

 Monitoring (PG 16.0)

• Add system view pg_stat_io view to track I/O statistics (Melanie Plageman)

• Record statistics on the last sequential and index scans on tables (Dave Page)

  This information appears in pg_stat_*_tables and pg_stat_*_indexes.

• Record statistics on the occurrence of updated rows moving to new pages (Corey Huinker)

  The pg_stat_*_tables column is n_tup_newpage_upd.

• Add speculative lock information to the pg_locks system view (Masahiko Sawada, Noriyoshi Shinoda)

  The transaction id is displayed in the transactionid column and the speculative insertion token is displayed in the objid column.

• Add the display of prepared statement result types to the pg_prepared_statements view (Dagfinn Ilmari Mannsåker)

• Create subscription statistics entries at subscription creation time so stats_reset is accurate (Andres Freund)

  Previously entries were created only when the first statistics were reported.

• Correct the I/O accounting for temp relation writes shown in pg_stat_database (Melanie Plageman)

• Add function pg_stat_get_backend_subxact() to report on a session's subtransaction cache (Dilip Kumar)

• Have pg_stat_get_backend_idset(), pg_stat_get_backend_activity(), and related functions use the unchanging backend id (Nathan Bossart)

  Previously the index values might change during the lifetime of the session.

• Report stand-alone backends with a special backend type (Melanie Plageman)

• Add wait event SpinDelay to report spinlock sleep delays (Andres Freund)

• Create new wait event DSMAllocate to indicate waiting for dynamic shared memory allocation (Thomas Munro)

  Previously this type of wait was reported as DSMFillZeroWrite, which was also used by mmap() allocations.

• Add the database name to the process title of logical WAL senders (Tatsuhiro Nakamori)

  Physical WAL senders do not display a database name.

• Add checkpoint and REDO LSN information to log_checkpoints messages (Bharath Rupireddy, Kyotaro Horiguchi)

• Provide additional details during client certificate failures (Jacob Champion)

 Privileges (PG 16.0)

• Add predefined role pg_create_subscription with permission to create subscriptions (Robert Haas)

• Allow subscriptions to not require passwords (Robert Haas)

  This is accomplished with the option password_required=false.

• Simplify permissions for LOCK TABLE (Jeff Davis)

  Previously a user's ability to perform LOCK TABLE at various lock levels was limited to the lock levels required by the commands they had permission to execute on the table. For example, someone with UPDATE permission could perform all lock levels except ACCESS SHARE, even though it was a lesser lock level. Now users can issue lesser lock levels if they already have permission for greater lock levels.

• Allow GRANT group_name TO user_name to be performed with ADMIN OPTION (Robert Haas)

  Previously CREATEROLE permission was required.

• Allow GRANT to use WITH ADMIN TRUE/FALSE syntax (Robert Haas)

  Previously only the WITH ADMIN OPTION syntax was supported.

• Allow roles that create other roles to automatically inherit the new role's rights or the ability to SET ROLE to the new role (Robert Haas, Shi Yu)

  This is controlled by server variable createrole_self_grant.

• Prevent users from changing the default privileges of non-inherited roles (Robert Haas)

  This is now only allowed for inherited roles.

• When granting role membership, require the granted-by role to be a role that has appropriate permissions (Robert Haas)

  This is a requirement even when a non-bootstrap superuser is granting role membership.

• Allow non-superusers to grant permissions using a granted-by user that is not the current user (Robert Haas)

  The current user still must have sufficient permissions given by the specified granted-by user.

• Add GRANT to control permission to use SET ROLE (Robert Haas)

  This is controlled by a new GRANT ... SET option.

• Add dependency tracking to roles which have granted privileges (Robert Haas)

  For example, removing ADMIN OPTION will fail if there are privileges using that option; CASCADE must be used to revoke dependent permissions.

• Add dependency tracking of grantors for GRANT records (Robert Haas)

  This guarantees that pg_auth_members.grantor values are always valid.

• Allow multiple role membership records (Robert Haas)

  Previously a new membership grant would remove a previous matching membership grant, even if other aspects of the grant did not match.

• Prevent removal of superuser privileges for the bootstrap user (Robert Haas)

  Restoring such users could lead to errors.

• Allow makeaclitem() to accept multiple privilege names (Robins Tharakan)

  Previously only a single privilege name, like SELECT, was accepted.

 Server Configuration (PG 16.0)

• Add support for Kerberos credential delegation (Stephen Frost)

  This is enabled with server variable gss_accept_delegation and libpq connection parameter gssdelegation.

• Allow the SCRAM iteration count to be set with server variable scram_iterations (Daniel Gustafsson)

• Improve performance of server variable management (Tom Lane)

• Tighten restrictions on which server variables can be reset (Masahiko Sawada)

  Previously, while certain variables, like transaction_isolation, were not affected by RESET ALL, they could be individually reset in inappropriate situations.

• Move various postgresql.conf items into new categories (Shinya Kato)

  This also affects the categories displayed in the pg_settings view.

• Prevent configuration file recursion beyond 10 levels (Julien Rouhaud)

• Allow autovacuum to more frequently honor changes to delay settings (Melanie Plageman)

  Rather than honor changes only at the start of each relation, honor them at the start of each block.

• Remove restrictions that archive files be durably renamed (Nathan Bossart)

  The archive_command command is now more likely to be called with already-archived files after a crash.

• Prevent archive_library and archive_command from being set at the same time (Nathan Bossart)

  Previously archive_library would override archive_command.

• Allow the postmaster to terminate children with an abort signal (Tom Lane)

  This allows collection of a core dump for a stuck child process. This is controlled by send_abort_for_crash and send_abort_for_kill. The postmaster's -T switch is now the same as setting send_abort_for_crash.

• Remove the non-functional postmaster -n option (Tom Lane)

• Allow the server to reserve backend slots for roles with pg_use_reserved_connections membership (Nathan Bossart)

  The number of reserved slots is set by server variable reserved_connections.

• Allow huge pages to work on newer versions of Windows 10 (Thomas Munro)

  This adds the special handling required to enable huge pages on newer versions of Windows 10.

• Add debug_io_direct setting for developer usage (Thomas Munro, Andres Freund, Bharath Rupireddy)

  While primarily for developers, wal_sync_method=open_sync/open_datasync has been modified to not use direct I/O with wal_level=minimal; this is now enabled with debug_io_direct=wal.

• Add function pg_split_walfile_name() to report the segment and timeline values of WAL file names (Bharath Rupireddy)

 pg_hba.conf (PG 16.0)

• Add support for regular expression matching on database and role entries in pg_hba.conf (Bertrand Drouvot)

  Regular expression patterns are prefixed with a slash. Database and role names that begin with slashes need to be double-quoted if referenced in pg_hba.conf.

• Improve user-column handling of pg_ident.conf to match pg_hba.conf (Jelte Fennema)

  Specifically, add support for all, role membership with +, and regular expressions with a leading slash. Any user name that matches these patterns must be double-quoted.

• Allow include files in pg_hba.conf and pg_ident.conf (Julien Rouhaud)

  These are controlled by include, include_if_exists, and include_dir. System views pg_hba_file_rules and pg_ident_file_mappings now display the file name.

• Allow pg_hba.conf tokens to be of unlimited length (Tom Lane)

• Add rule and map numbers to the system view pg_hba_file_rules (Julien Rouhaud)

 Localization (PG 16.0)

• Determine the default encoding from the locale when using ICU (Jeff Davis)

  Previously the default was always UTF-8.

• Have CREATE DATABASE and CREATE COLLATION's LOCALE options, and initdb and createdb --locale options, control non-libc collation providers (Jeff Davis)

  Previously they only controlled libc providers.

• Add predefined collations unicode and ucs_basic (Peter Eisentraut)

  This only works if ICU support is enabled.

• Allow custom ICU collation rules to be created (Peter Eisentraut)

  This is done using CREATE COLLATION's new RULES clause, as well as new options for CREATE DATABASE, createdb, and initdb.

• Allow Windows to import system locales automatically (Juan José Santamaría Flecha)

  Previously, only ICU locales could be imported on Windows.

 Logical Replication (PG 16.0)

• Allow logical decoding on standbys (Bertrand Drouvot, Andres Freund, Amit Khandekar)

  Snapshot WAL records are required for logical slot creation but cannot be created on standbys. To avoid delays, the new function pg_log_standby_snapshot() allows creation of such records.

• Add server variable to control how logical decoding publishers transfer changes and how subscribers apply them (Shi Yu)

  The variable is debug_logical_replication_streaming.

• Allow logical replication initial table synchronization to copy rows in binary format (Melih Mutlu)

  This is only possible for subscriptions marked as binary.

• Allow parallel application of logical replication (Hou Zhijie, Wang Wei, Amit Kapila)

  The CREATE SUBSCRIPTION STREAMING option now supports parallel to enable application of large transactions by parallel workers. The number of parallel workers is controlled by the new server variable max_parallel_apply_workers_per_subscription. Wait events LogicalParallelApplyMain, LogicalParallelApplyStateChange, and LogicalApplySendData were also added. Column leader_pid was added to system view pg_stat_subscription to track parallel activity.

• Improve performance for logical replication apply without a primary key (Onder Kalaci, Amit Kapila)

  Specifically, REPLICA IDENTITY FULL can now use btree indexes rather than sequentially scanning the table to find matches.

• Allow logical replication subscribers to process only changes that have no origin (Vignesh C, Amit Kapila)

  This can be used to avoid replication loops. This is controlled by the new CREATE SUBSCRIPTION ... ORIGIN option.

• Perform logical replication SELECT and DML actions as the table owner (Robert Haas)

  This improves security and now requires subscription owners to be either superusers or to have SET ROLE permission on all roles owning tables in the replication set. The previous behavior of performing all operations as the subscription owner can be enabled with the subscription run_as_owner option.

• Have wal_retrieve_retry_interval operate on a per-subscription basis (Nathan Bossart)

  Previously the retry time was applied globally. This also adds wait events >LogicalRepLauncherDSA and LogicalRepLauncherHash.

 Utility Commands (PG 16.0)

• Add EXPLAIN option GENERIC_PLAN to display the generic plan for a parameterized query (Laurenz Albe)

• Allow a COPY FROM value to map to a column's DEFAULT (Israel Barth Rubio)

• Allow COPY into foreign tables to add rows in batches (Andrey Lepikhov, Etsuro Fujita)

  This is controlled by the postgres_fdw option batch_size.

• Allow the STORAGE type to be specified by CREATE TABLE (Teodor Sigaev, Aleksander Alekseev)

  Previously only ALTER TABLE could control this.

• Allow truncate triggers on foreign tables (Yugo Nagata)

• Allow VACUUM and vacuumdb to only process TOAST tables (Nathan Bossart)

  This is accomplished by having VACUUM turn off PROCESS_MAIN or by vacuumdb using the --no-process-main option.

• Add VACUUM options to skip or update all frozen statistics (Tom Lane, Nathan Bossart)

  The options are SKIP_DATABASE_STATS and ONLY_DATABASE_STATS.

• Change REINDEX DATABASE and REINDEX SYSTEM to no longer require an argument (Simon Riggs)

  Previously the database name had to be specified.

• Allow CREATE STATISTICS to generate a statistics name if none is specified (Simon Riggs)

 Data Types (PG 16.0)

• Allow non-decimal integer literals (Peter Eisentraut)

  For example, 0x42F, 0o273, and 0b100101.

• Allow NUMERIC to process hexadecimal, octal, and binary integers of any size (Dean Rasheed)

  Previously only unquoted eight-byte integers were supported with these non-decimal bases.

• Allow underscores in integer and numeric constants (Peter Eisentraut, Dean Rasheed)

  This can improve readability for long strings of digits.

• Accept the spelling +infinity in datetime input (Vik Fearing)

• Prevent the specification of epoch and infinity together with other fields in datetime strings (Joseph Koshakow)

• Remove undocumented support for date input in the form YyearMmonthDday (Joseph Koshakow)

• Add functions pg_input_is_valid() and pg_input_error_info() to check for type conversion errors (Tom Lane)

 General Queries (PG 16.0)

• Allow subqueries in the FROM clause to omit aliases (Dean Rasheed)

• Add support for enhanced numeric literals in SQL/JSON paths (Peter Eisentraut)

  For example, allow hexadecimal, octal, and binary integers and underscores between digits.

 Functions (PG 16.0)

• Add SQL/JSON constructors (Nikita Glukhov, Teodor Sigaev, Oleg Bartunov, Alexander Korotkov, Amit Langote)

  The new functions JSON_ARRAY(), JSON_ARRAYAGG(), JSON_OBJECT(), and JSON_OBJECTAGG() are part of the SQL standard.

• Add SQL/JSON object checks (Nikita Glukhov, Teodor Sigaev, Oleg Bartunov, Alexander Korotkov, Amit Langote, Andrew Dunstan)

  The IS JSON checks include checks for values, arrays, objects, scalars, and unique keys.

• Allow JSON string parsing to use vector operations (John Naylor)

• Improve the handling of full text highlighting function ts_headline() for OR and NOT expressions (Tom Lane)

• Add functions to add, subtract, and generate timestamptz values in a specified time zone (Przemyslaw Sztoch, Gurjeet Singh)

  The functions are date_add(), date_subtract(), and generate_series().

• Change date_trunc(unit, timestamptz, time_zone) to be an immutable function (Przemyslaw Sztoch)

  This allows the creation of expression indexes using this function.

• Add server variable SYSTEM_USER (Bertrand Drouvot)

  This reports the authentication method and its authenticated user.

• Add functions array_sample() and array_shuffle() (Martin Kalcher)

• Add aggregate function ANY_VALUE() which returns any value from a set (Vik Fearing)

• Add function random_normal() to supply normally-distributed random numbers (Paul Ramsey)

• Add error function erf() and its complement erfc() (Dean Rasheed)

• Improve the accuracy of numeric power() for integer exponents (Dean Rasheed)

• Add XMLSERIALIZE() option INDENT to pretty-print its output (Jim Jones)

• Change pg_collation_actual_version() to return a reasonable value for the default collation (Jeff Davis)

  Previously it returned NULL.

• Allow pg_read_file() and pg_read_binary_file() to ignore missing files (Kyotaro Horiguchi)

• Add byte specification (B) to pg_size_bytes() (Peter Eisentraut)

• Allow to_reg* functions to accept numeric OIDs as input (Tom Lane)

 PL/pgSQL (PG 16.0)

• Add the ability to get the current function's OID in PL/pgSQL (Pavel Stehule)

  This is accomplished with GET DIAGNOSTICS variable = PG_ROUTINE_OID.

 libpq (PG 16.0)

• Add libpq connection option require_auth to specify a list of acceptable authentication methods (Jacob Champion)

  This can also be used to disallow certain authentication methods.

• Allow multiple libpq-specified hosts to be randomly selected (Jelte Fennema)

  This is enabled with load_balance_hosts=random and can be used for load balancing.

• Add libpq option sslcertmode to control transmission of the client certificate (Jacob Champion)

  The option values are disable, allow, and require.

• Allow libpq to use the system certificate pool for certificate verification (Jacob Champion, Thomas Habets)

  This is enabled with sslrootcert=system, which also enables sslmode=verify-full.

 Client Applications (PG 16.0)

• Allow ECPG variable declarations to use typedef names that match unreserved SQL keywords (Tom Lane)

  This change does prevent keywords which match C typedef names from being processed as keywords in later EXEC SQL blocks.

 psql (PG 16.0)

• Allow psql to control the maximum width of header lines in expanded format (Platon Pronko)

  This is controlled by xheader_width.

• Add psql command \drg to show role membership details (Pavel Luzanov)

  The Member of output column has been removed from \du and \dg because this new command displays this informaion in more detail.

• Allow psql's access privilege commands to show system objects (Nathan Bossart)

  The options are \dpS and \zS.

• Add FOREIGN designation to psql \d+ for foreign table children and partitions (Ian Lawrence Barwick)

• Prevent \df+ from showing function source code (Isaac Morland)

  Function bodies are more easily viewed with \sf.

• Allow psql to submit queries using the extended query protocol (Peter Eisentraut)

  Passing arguments to such queries is done using the new psql \bind command.

• Allow psql \watch to limit the number of executions (Andrey Borodin)

  The \watch options can now be named when specified.

• Detect invalid values for psql \watch, and allow zero to specify no delay (Andrey Borodin)

• Allow psql scripts to obtain the exit status of shell commands and queries (Corey Huinker, Tom Lane)

  The new psql control variables are SHELL_ERROR and SHELL_EXIT_CODE.

• Various psql tab completion improvements (Vignesh C, Aleksander Alekseev, Dagfinn Ilmari Mannsåker, Shi Yu, Michael Paquier, Ken Kato, Peter Smith)

 pg_dump (PG 16.0)

• Add pg_dump control of dumping child tables and partitions (Gilles Darold)

  The new options are --table-and-children, --exclude-table-and-children, and --exclude-table-data-and-children.

• Add LZ4 and Zstandard compression to pg_dump (Georgios Kokolatos, Justin Pryzby)

• Allow pg_dump and pg_basebackup to use long mode for compression (Justin Pryzby)

• Improve pg_dump to accept a more consistent compression syntax (Georgios Kokolatos)

  Options like --compress=gzip:5.

 Server Applications (PG 16.0)

• Add initdb option to set server variables for the duration of initdb and all future server starts (Tom Lane)

  The option is -c name=value.

• Add options to createuser to control more user options (Shinya Kato)

  Specifically, the new options control the valid-until date, bypassing of row-level security, and role membership.

• Deprecate createuser option --role (Nathan Bossart)

  This option could be easily confused with new createuser role membership options, so option --member-of has been added with the same functionality. The --role option can still be used.

• Allow control of vacuumdb schema processing (Gilles Darold)

  These are controlled by options --schema and --exclude-schema.

• Use new VACUUM options to improve the performance of vacuumdb (Tom Lane, Nathan Bossart)

• Have pg_upgrade set the new cluster's locale and encoding (Jeff Davis)

  This removes the requirement that the new cluster be created with the same locale and encoding settings.

• Add pg_upgrade option to specify the default transfer mode (Peter Eisentraut)

  The option is --copy.

• Improve pg_basebackup to accept numeric compression options (Georgios Kokolatos, Michael Paquier)

  Options like --compress=server-5 are now supported.

• Fix pg_basebackup to handle tablespaces stored in the PGDATA directory (Robert Haas)

• Add pg_waldump option --save-fullpage to dump full page images (David Christensen)

• Allow pg_waldump options -t/--timeline to accept hexadecimal values (Peter Eisentraut)

• Add support for progress reporting to pg_verifybackup (Masahiko Sawada)

• Allow pg_rewind to properly track timeline changes (Heikki Linnakangas)

  Previously if pg_rewind was run after a timeline switch but before a checkpoint was issued, it might incorrectly determine that a rewind was unnecessary.

• Have pg_receivewal and pg_recvlogical cleanly exit on SIGTERM (Christoph Berg)

  This signal is often used by systemd.

 Source Code (PG 16.0)

• Build ICU support by default (Jeff Davis)

  This removes build flag --with-icu and adds flag --without-icu.

• Add support for SSE2 (Streaming SIMD Extensions 2) vector operations on x86-64 architectures (John Naylor)

• Add support for Advanced SIMD (Single Instruction Multiple Data) (NEON) instructions on ARM architectures (Nathan Bossart)

• Have Windows binaries built with MSVC use RandomizedBaseAddress (ASLR) (Michael Paquier)

  This was already enabled on MinGW builds.

• Prevent extension libraries from exporting their symbols by default (Andres Freund, Tom Lane)

  Functions that need to be called from the core backend or other extensions must now be explicitly marked PGDLLEXPORT.

• Require Windows 10 or newer versions (Michael Paquier, Juan José Santamaría Flecha)

  Previously Windows Vista and Windows XP were supported.

• Require Perl version 5.14 or later (John Naylor)

• Require Bison version 2.3 or later (John Naylor)

• Require Flex version 2.5.35 or later (John Naylor)

• Require MIT Kerberos for GSSAPI support (Stephen Frost)

• Remove support for Visual Studio 2013 (Michael Paquier)

• Remove support for HP-UX (Thomas Munro)

• Remove support for HP/Intel Itanium (Thomas Munro)

• Remove support for M68K, M88K, M32R, and SuperH CPU architectures (Thomas Munro)

• Remove libpq support for SCM credential authentication (Michael Paquier)

  Backend support for this authentication method was removed in PostgresSQL 9.1.

• Add meson build system (Andres Freund, Nazir Bilal Yavuz, Peter Eisentraut)

  This eventually will replace the Autoconf and Windows-based MSVC build systems.

• Allow control of the location of the openssl binary used by the build system (Peter Eisentraut)

  Make finding openssl program a configure or meson option

• Add build option to allow testing of small WAL segment sizes (Andres Freund)

  The build options are --with-segsize-blocks and -Dsegsize_blocks.

• Add pgindent options (Andrew Dunstan)

  The new options are --show-diff, --silent-diff, --commit, and --help, and allow multiple --exclude options. Also require the typedef file to be explicitly specified. Options --code-base and --build were also removed.

• Add pg_bsd_indent source code to the main tree (Tom Lane)

• Improve make_ctags and make_etags (Yugo Nagata)

• Adjust pg_attribute columns for efficiency (Peter Eisentraut)

 Additional Modules (PG 16.0)

• Improve use of extension-based indexes on boolean columns (Zongliang Quan, Tom Lane)

• Add support for Daitch-Mokotoff Soundex to fuzzystrmatch (Dag Lem)

• Allow auto_explain to log values passed to parameterized statements (Dagfinn Ilmari Mannsåker)

  This affects queries using server-side PREPARE/EXECUTE and client-side parse/bind. Logging is controlled by auto_explain.log_parameter_max_length; by default query parameters will be logged with no length restriction.

• Have auto_explain's log_verbose mode honor the value of compute_query_id (Atsushi Torikoshi)

  Previously even if compute_query_id was enabled, log_verbose was not showing the query identifier.

• Change the maximum length of ltree labels from 256 to 1000 and allow hyphens (Garen Torikian)

• Have pg_stat_statements normalize constants used in utility commands (Michael Paquier)

  Previously constants appeared instead of placeholders, e.g., $1.

• Add pg_walinspect function pg_get_wal_block_info() to report WAL block information (Michael Paquier, Melanie Plageman, Bharath Rupireddy)

• Change how pg_walinspect functions pg_get_wal_records_info() and pg_get_wal_stats() interpret ending LSNs (Bharath Rupireddy)

  Previously ending LSNs which represent nonexistent WAL locations would generate an error, while they will now be interpreted as the end of the WAL.

• Add detailed descriptions of WAL records in pg_walinspect and pg_waldump (Melanie Plageman, Peter Geoghegan)

• Add pageinspect function bt_multi_page_stats() to report statistics on multiple pages (Hamid Akhtar)

  This is similar to bt_page_stats() except it can report on a range of pages.

• Add empty range output column to pageinspect function brin_page_items() (Tomas Vondra)

• Redesign archive modules to be more flexible (Nathan Bossart)

  Initialization changes will require modules written for older versions of Postgres to be updated.

• Correct inaccurate pg_stat_statements row tracking extended query protocol statements (Sami Imseih)

• Add pg_buffercache function pg_buffercache_usage_counts() to report usage totals (Nathan Bossart)

• Add pg_buffercache function pg_buffercache_summary() to report summarized buffer statistics (Melih Mutlu)

• Allow the schemas of required extensions to be referenced in extension scripts using the new syntax @extschema:referenced_extension_name@ (Regina Obe)

• Allow required extensions to be marked as non-relocatable using no_relocate (Regina Obe)

  This allows @extschema:referenced_extension_name@ to be treated as a constant for the lifetime of the extension.

 postgres_fdw (PG 16.0)

• Allow postgres_fdw to do aborts in parallel (Etsuro Fujita)

  This is enabled with postgres_fdw option parallel_abort.

• Make ANALYZE on foreign postgres_fdw tables more efficient (Tomas Vondra)

  The postgres_fdw option analyze_sampling controls the sampling method.

• Restrict shipment of reg* type constants in postgres_fdw to those referencing built-in objects or extensions marked as shippable (Tom Lane)

• Have postgres_fdw and dblink handle interrupts during connection establishment (Andres Freund)

 Acknowledgments

The following individuals (in alphabetical order) have contributed to this release as patch authors, committers, reviewers, testers, or reporters of issues.

• Abhijit Menon-Sen
• Adam Mackler
• Adrian Klaver
• Ahsan Hadi
• Ajin Cherian
• Ajit Awekar
• Alan Hodgson
• Aleksander Alekseev
• Alex Denman
• Alex Kozhemyakin
• Alexander Korolev
• Alexander Korotkov
• Alexander Lakhin
• Alexander Pyhalov
• Alexey Borzov
• Alexey Ermakov
• Alexey Makhmutov
• Álvaro Herrera
• Amit Kapila
• Amit Khandekar
• Amit Langote
• Amul Sul
• Anastasia Lubennikova
• Anban Company
• Andreas Dijkman
• Andreas Karlsson
• Andreas Scherbaum
• Andrei Zubkov
• Andres Freund
• Andrew Alsup
• Andrew Bille
• Andrew Dunstan
• Andrew Gierth
• Andrew Kesper
• Andrey Borodin
• Andrey Lepikhov
• Andrey Sokolov
• Ankit Kumar Pandey
• Ante Kresic
• Anton Melnikov
• Anton Sidyakin
• Anton Voloshin
• Antonin Houska
• Arne Roland
• Artem Anisimov
• Arthur Zakirov
• Ashutosh Bapat
• Ashutosh Sharma
• Asim Praveen
• Atsushi Torikoshi
• Ayaki Tachikake
• Balazs Szilfai
• Benoit Lobréau
• Bernd Helmle
• Bertrand Drouvot
• Bharath Rupireddy
• Bilva Sanaba
• Bob Krier
• Boris Zentner
• Brad Nicholson
• Brar Piening
• Bruce Momjian
• Bruno da Silva
• Carl Sopchak
• Cary Huang
• Changhong Fei
• Chris Travers
• Christoph Berg
• Christophe Pettus
• Corey Huinker
• Craig Ringer
• Curt Kolovson
• Dag Lem
• Dagfinn Ilmari Mannsåker
• Daniel Gustafsson
• Daniel Vérité
• Daniel Watzinger
• Daniel Westermann
• Daniele Varrazzo
• Daniil Anisimov
• Danny Shemesh
• Dave Page
• David Christensen
• David G. Johnston
• David Geier
• David Gilman
• David Kimura
• David Rowley
• David Steele
• David Turon
• David Zhang
• Davinder Singh
• Dean Rasheed
• Denis Laxalde
• Dilip Kumar
• Dimos Stamatakis
• Dmitriy Kuzmin
• Dmitry Astapov
• Dmitry Dolgov
• Dmitry Koval
• Dong Wook Lee
• Dongming Liu
• Drew DeVault
• Duncan Sands
• Ed Maste
• Egor Chindyaskin
• Ekaterina Kiryanova
• Elena Indrupskaya
• Emmanuel Quincerot
• Eric Mutta
• Erik Rijkers
• Erki Eessaar
• Erwin Brandstetter
• Etsuro Fujita
• Eugeny Zhuzhnev
• Euler Taveira
• Evan Jones
• Evgeny Morozov
• Fabrízio de Royes Mello
• Farias de Oliveira
• Florin Irion
• Franz-Josef Färber
• Garen Torikian
• Georgios Kokolatos
• Gilles Darold
• Greg Stark
• Guillaume Lelarge
• Gunnar Bluth
• Gunnar Morling
• Gurjeet Singh
• Haiyang Wang
• Haiying Tang
• Hamid Akhtar
• Hans Buschmann
• Hao Wu
• Hayato Kuroda
• Heath Lord
• Heikki Linnakangas
• Himanshu Upadhyaya
• Hisahiro Kauchi
• Hongyu Song
• Hubert Lubaczewski
• Hung Nguyen
• Ian Barwick
• Ibrar Ahmed
• Ilya Gladyshev
• Ilya Nenashev
• Isaac Morland
• Israel Barth Rubio
• Jacob Champion
• Jacob Speidel
• Jaime Casanova
• Jakub Wartak
• James Coleman
• James Inform
• James Vanns
• Jan Wieck
• Japin Li
• Jeevan Ladhe
• Jeff Davis
• Jeff Janes
• Jehan-Guillaume de Rorthais
• Jelte Fennema
• Jian He
• Jim Jones
• Jinbao Chen
• Joe Conway
• Joel Jacobson
• John Naylor
• Jonathan Katz
• Josef Simanek
• Joseph Koshakow
• Juan José Santamaría Flecha
• Julien Rouhaud
• Julien Roze
• Junwang Zhao
• Justin Pryzby
• Justin Zhang
• Karina Litskevich
• Karl O. Pinc
• Keisuke Kuroda
• Ken Kato
• Kevin McKibbin
• Kieran McCusker
• Kirk Wolak
• Konstantin Knizhnik
• Koshi Shibagaki
• Kotaro Kawamoto
• Kui Liu
• Kyotaro Horiguchi
• Lakshmi Narayanan Sreethar
• Laurence Parry
• Laurenz Albe
• Luca Ferrari
• Lukas Fittl
• Maciek Sakrejda
• Magnus Hagander
• Maja Zaloznik
• Marcel Hofstetter
• Marina Polyakova
• Mark Dilger
• Marko Tiikkaja
• Markus Winand
• Martijn van Oosterhout
• Martin Jurca
• Martin Kalcher
• Mary Xu
• Masahiko Sawada
• Masahiro Ikeda
• Masao Fujii
• Mason Sharp
• Matheus Alcantara
• Mats Kindahl
• Matthias van de Meent
• Matthijs van der Vleuten
• Maxim Orlov
• Maxim Yablokov
• Mehmet Emin Karakas
• Melanie Plageman
• Melih Mutlu
• Micah Gate
• Michael Banck
• Michael Paquier
• Michail Nikolaev
• Michel Pelletier
• Mike Oh
• Mikhail Gribkov
• Mingli Zhang
• Miroslav Bendik
• Mitsuru Hinata
• Myo Wai Thant
• Naeem Akhter
• Naoki Okano
• Nathan Bossart
• Nazir Bilal Yavuz
• Neha Sharma
• Nick Babadzhanian
• Nicola Contu
• Nikhil Shetty
• Nikita Glukhov
• Nikolay Samokhvalov
• Nikolay Shaplov
• Nishant Sharma
• Nitin Jadhav
• Noah Misch
• Noboru Saito
• Noriyoshi Shinoda
• Nuko Yokohama
• Oleg Bartunov
• Oleg Tselebrovskiy
• Olly Betts
• Onder Kalaci
• Onur Tirtir
• Pablo Federico
• Palle Girgensohn
• Paul Guo
• Paul Jungwirth
• Paul Ramsey
• Pavel Borisov
• Pavel Kulakov
• Pavel Luzanov
• Pavel Stehule
• Peifeng Qiu
• Peter Eisentraut
• Peter Geoghegan
• Peter Smith
• Phil Florent
• Philippe Godfrin
• Platon Pronko
• Przemyslaw Sztoch
• Rachel Heaton
• Ranier Vilela
• Regina Obe
• Reid Thompson
• Reiner Peterke
• Richard Guo
• Riivo Kolka
• Rishu Bagga
• Robert Haas
• Robert Sjöblom
• Robert Treat
• Roberto Mello
• Robins Tharakan
• Roman Zharkov
• Ronan Dunklau
• Rushabh Lathia
• Ryo Matsumura
• Samay Sharma
• Sami Imseih
• Sandeep Thakkar
• Sandro Santilli
• Sebastien Flaesch
• Sébastien Lardière
• Sehrope Sarkuni
• Sergey Belyashov
• Sergey Pankov
• Sergey Shinderuk
• Shi Yu
• Shinya Kato
• Sho Kato
• Shruthi Gowda
• Shveta Mallik
• Simon Riggs
• Sindy Senorita
• Sirisha Chamarthi
• Sravan Kumar
• Stéphane Tachoires
• Stephen Frost
• Steve Chavez
• Stone Tickle
• Sven Klemm
• Takamichi Osumi
• Takeshi Ideriha
• Tatsuhiro Nakamori
• Tatsuo Ishii
• Ted Yu
• Teja Mupparti
• Tender Wang
• Teodor Sigaev
• Thiago Nunes
• Thom Brown
• Thomas Habets
• Thomas Mc Kay
• Thomas Munro
• Tim Carey-Smith
• Tim Field
• Timo Stolz
• Tom Lane
• Tomas Vondra
• Tor Erik Linnerud
• Torsten Förtsch
• Tristan Partin
• Troy Frericks
• Tushar Ahuja
• Valerie Woolard
• Vibhor Kumar
• Victor Spirin
• Victoria Shepard
• Vignesh C
• Vik Fearing
• Vitaly Burovoy
• Vitaly Davydov
• Wang Wei
• Wenjing Zeng
• Whale Song
• Will Mortensen
• Wolfgang Walther
• Xin Wen
• Xing Guo
• Xingwang Xu
• XueJing Zhao
• Yanliang Lei
• Youmiu Mo
• Yugo Nagata
• Yura Sokolov
• Yuta Katsuragi
• Zhen Mingyang
• Zheng Li
• Zhihong Yu
• Zhijie Hou
• Zongliang Quan
• Zuming Jiang

Postgres version 15.5

Release date: 2023-11-09

This release contains a variety of fixes from 15.4. For information about new features in major release 15, see Version 15.0.

 Migration to Version 15.5

A dump/restore is not required for those running 15.X.

However, several mistakes have been discovered that could lead to certain types of indexes yielding wrong search results or being unnecessarily inefficient. It is advisable to REINDEX potentially-affected indexes after installing this update. See the fourth through seventh changelog entries below.

Also, if you are upgrading from a version earlier than 15.4, see Version 15.4.

 Changes

• Fix handling of unknown-type arguments in DISTINCT "any" aggregate functions (Tom Lane)

  This error led to a text-type value being interpreted as an unknown-type value (that is, a zero-terminated string) at runtime. This could result in disclosure of server memory following the text value.

  The PostgreSQL Project thanks Jingzhou Fu for reporting this problem. (CVE-2023-5868 or CVE-2023-5868)

• Detect integer overflow while computing new array dimensions (Tom Lane)

  When assigning new elements to array subscripts that are outside the current array bounds, an undetected integer overflow could occur in edge cases. Memory stomps that are potentially exploitable for arbitrary code execution are possible, and so is disclosure of server memory.

  The PostgreSQL Project thanks Pedro Gallegos for reporting this problem. (CVE-2023-5869 or CVE-2023-5869)

• Prevent the pg_signal_backend role from signalling background workers and autovacuum processes (Noah Misch, Jelte Fennema-Nio)

  The documentation says that pg_signal_backend cannot issue signals to superuser-owned processes. It was able to signal these background processes, though, because they advertise a role OID of zero. Treat that as indicating superuser ownership. The security implications of cancelling one of these process types are fairly small so far as the core code goes (we'll just start another one), but extensions might add background workers that are more vulnerable.

  Also ensure that the is_superuser parameter is set correctly in such processes. No specific security consequences are known for that oversight, but it might be significant for some extensions.

  The PostgreSQL Project thanks Hemanth Sandrana and Mahendrakar Srinivasarao for reporting this problem. (CVE-2023-5870 or CVE-2023-5870)

• Fix misbehavior during recursive page split in GiST index build (Heikki Linnakangas)

  Fix a case where the location of a page downlink was incorrectly tracked, and introduce some logic to allow recovering from such situations rather than silently doing the wrong thing. This error could result in incorrect answers from subsequent index searches. It may be advisable to reindex all GiST indexes after installing this update.

• Prevent de-duplication of btree index entries for interval columns (Noah Misch)

  There are interval values that are distinguishable but compare equal, for example 24:00:00 and 1 day. This breaks assumptions made by btree de-duplication, so interval columns need to be excluded from de-duplication. This oversight can cause incorrect results from index-only scans. Moreover, after updating amcheck will report an error for almost all such indexes. Users should reindex any btree indexes on interval columns.

• Process date values more sanely in BRIN datetime_minmax_multi_ops indexes (Tomas Vondra)

  The distance calculation for dates was backward, causing poor decisions about which entries to merge. The index still produces correct results, but is much less efficient than it should be. Reindexing BRIN minmax_multi indexes on date columns is advisable.

• Process large timestamp and timestamptz values more sanely in BRIN datetime_minmax_multi_ops indexes (Tomas Vondra)

  Infinities were mistakenly treated as having distance zero rather than a large distance from other values, causing poor decisions about which entries to merge. Also, finite-but-very-large values (near the endpoints of the representable timestamp range) could result in internal overflows, again causing poor decisions. The index still produces correct results, but is much less efficient than it should be. Reindexing BRIN minmax_multi indexes on timestamp and timestamptz columns is advisable if the column contains, or has contained, infinities or large finite values.

• Avoid calculation overflows in BRIN interval_minmax_multi_ops indexes with extreme interval values (Tomas Vondra)

  This bug might have caused unexpected failures while trying to insert large interval values into such an index.

• Fix partition step generation and runtime partition pruning for hash-partitioned tables with multiple partition keys (David Rowley)

  Some cases involving an IS NULL condition on one of the partition keys could result in a crash.

• Fix inconsistent rechecking of concurrently-updated rows during MERGE (Dean Rasheed)

  In READ COMMITTED mode, an update that finds that its target row was just updated by a concurrent transaction will recheck the query's WHERE conditions on the updated row. MERGE failed to ensure that the proper rows of other joined tables were used during this recheck, possibly resulting in incorrect decisions about whether the newly-updated row should be updated again by MERGE.

• Correctly identify the target table in an inherited UPDATE/DELETE/MERGE even when the parent table is excluded by constraints (Amit Langote, Tom Lane)

  If the initially-named table is excluded by constraints, but not all its inheritance descendants are, the first non-excluded descendant was identified as the primary target table. This would lead to firing statement-level triggers associated with that table, rather than the initially-named table as should happen. In v16, the same oversight could also lead to “invalid perminfoindex 0 in RTE with relid NNNN” errors.

• Fix edge case in btree mark/restore processing of ScalarArrayOpExpr clauses (Peter Geoghegan)

  When restoring an indexscan to a previously marked position, the code could miss required setup steps if the scan had advanced exactly to the end of the matches for a ScalarArrayOpExpr (that is, an indexcol = ANY (ARRAY[])) clause. This could result in missing some rows that should have been fetched.

• Fix intra-query memory leak in Memoize execution (Orlov Aleksej, David Rowley)

• Fix intra-query memory leak when a set-returning function repeatedly returns zero rows (Tom Lane)

• Don't crash if cursor_to_xmlschema() is applied to a non-data-returning Portal (Boyu Yang)

• Throw the intended error if pgrowlocks() is applied to a partitioned table (David Rowley)

  Previously, a not-on-point complaint “only heap AM is supported” would be raised.

• Handle invalid indexes more cleanly in assorted SQL functions (Noah Misch)

  Report an error if pgstatindex(), pgstatginindex(), pgstathashindex(), or pgstattuple() is applied to an invalid index. If brin_desummarize_range(), brin_summarize_new_values(), brin_summarize_range(), or gin_clean_pending_list() is applied to an invalid index, do nothing except to report a debug-level message. Formerly these functions attempted to process the index, and might fail in strange ways depending on what the failed CREATE INDEX had left behind.

• Fix pg_stat_reset_single_table_counters() to do the right thing for a shared catalog (Masahiro Ikeda)

  Previously the reset would be ineffective.

• Avoid premature memory allocation failure with long inputs to to_tsvector() (Tom Lane)

• Fix over-allocation of the constructed tsvector in tsvectorrecv() (Denis Erokhin)

  If the incoming vector includes position data, the binary receive function left wasted space (roughly equal to the size of the position data) in the finished tsvector. In extreme cases this could lead to “maximum total lexeme length exceeded” failures for vectors that were under the length limit when emitted. In any case it could lead to wasted space on-disk.

• Fix incorrect coding in gtsvector_picksplit() (Alexander Lakhin)

  This could lead to poor page-split decisions in GiST indexes on tsvector columns.

• Improve checks for corrupt PGLZ compressed data (Flavien Guedez)

• In COPY FROM, fail cleanly when an unsupported encoding conversion is needed (Tom Lane)

  Recent refactoring accidentally removed the intended error check for this, such that it ended in “cache lookup failed for function 0” instead of a useful error message.

• Avoid crash in EXPLAIN if a parameter marked to be displayed by EXPLAIN has a NULL boot-time value (Xing Guo, Aleksander Alekseev, Tom Lane)

  No built-in parameter fits this description, but an extension could define such a parameter.

• Ensure we have a snapshot while dropping ON COMMIT DROP temp tables (Tom Lane)

  This prevents possible misbehavior if any catalog entries for the temp tables have fields wide enough to require toasting (such as a very complex CHECK condition).

• Avoid improper response to shutdown signals in child processes just forked by system() (Nathan Bossart)

  This fix avoids a race condition in which a child process that has been forked off by system(), but hasn't yet exec'd the intended child program, might receive and act on a signal intended for the parent server process. That would lead to duplicate cleanup actions being performed, which will not end well.

• Cope with torn reads of pg_control in frontend programs (Thomas Munro)

  On some file systems, reading pg_control may not be an atomic action when the server concurrently writes that file. This is detectable via a bad CRC. Retry a few times to see if the file becomes valid before we report error.

• Avoid torn reads of pg_control in relevant SQL functions (Thomas Munro)

  Acquire the appropriate lock before reading pg_control, to ensure we get a consistent view of that file.

• Avoid integer overflow when computing size of backend activity string array (Jakub Wartak)

  On 64-bit machines we will allow values of track_activity_query_size large enough to cause 32-bit overflow when multiplied by the allowed number of connections. The code actually allocating the per-backend local array was careless about this though, and allocated the array incorrectly.

• Fix briefly showing inconsistent progress statistics for ANALYZE on inherited tables (Heikki Linnakangas)

  The block-level counters should be reset to zero at the same time we update the current-relation field.

• Fix the background writer to report any WAL writes it makes to the statistics counters (Nazir Bilal Yavuz)

• Fix confusion about forced-flush behavior in pgstat_report_wal() (Ryoga Yoshida, Michael Paquier)

  This could result in some statistics about WAL I/O being forgotten in a shutdown.

• Track the dependencies of cached CALL statements, and re-plan them when needed (Tom Lane)

  DDL commands, such as replacement of a function that has been inlined into a CALL argument, can create the need to re-plan a CALL that has been cached by PL/pgSQL. That was not happening, leading to misbehavior or strange errors such as “cache lookup failed”.

• Avoid a possible pfree-a-NULL-pointer crash after an error in OpenSSL connection setup (Sergey Shinderuk)

• Track nesting depth correctly when inspecting RECORD-type Vars from outer query levels (Richard Guo)

  This oversight could lead to assertion failures, core dumps, or “bogus varno” errors.

• Track hash function and negator function dependencies of ScalarArrayOpExpr plan nodes (David Rowley)

  In most cases this oversight was harmless, since these functions would be unlikely to disappear while the node's original operator remains present.

• Fix error-handling bug in RECORD type cache management (Thomas Munro)

  An out-of-memory error occurring at just the wrong point could leave behind inconsistent state that would lead to an infinite loop.

• Fix assertion failure when logical decoding is retried in the same session after an error (Hou Zhijie)

• Treat out-of-memory failures as fatal while reading WAL (Michael Paquier)

  Previously this would be treated as a bogus-data condition, leading to the conclusion that we'd reached the end of WAL, which is incorrect and could lead to inconsistent WAL replay.

• Fix possible recovery failure due to trying to allocate memory based on a bogus WAL record length field (Thomas Munro, Michael Paquier)

• Fix race condition in database dropping that could lead to the autovacuum launcher getting stuck (Andres Freund, Will Mortensen, Jacob Speidel)

  The race could lead to a statistics entry for the removed database remaining present, confusing the launcher's selection of which database to process.

• Fix datatype size confusion in logical tape management (Ranier Vilela)

  Integer overflow was possible on platforms where long is wider than int, although it would take a multiple-terabyte temporary file to cause a problem.

• Avoid unintended close of syslogger process's stdin (Heikki Linnakangas)

• Avoid doing plan cache revalidation of utility statements that do not receive interesting processing during parse analysis (Tom Lane)

  Aside from saving a few cycles, this prevents failure after a cache invalidation for statements that must not set a snapshot, such as SET TRANSACTION ISOLATION LEVEL.

• Keep by-reference attmissingval values in a long-lived context while they are being used (Andrew Dunstan)

  This avoids possible use of dangling pointers when a tuple slot outlives the tuple descriptor with which its value was constructed.

• Recalculate the effective value of search_path after ALTER ROLE (Jeff Davis)

  This ensures that after renaming a role, the meaning of the special string $user is re-determined.

• Fix “could not duplicate handle” error occurring on Windows when min_dynamic_shared_memory is set above zero (Thomas Munro)

• Fix order of operations in GenericXLogFinish (Jeff Davis)

  This code violated the conditions required for crash safety by writing WAL before marking changed buffers dirty. No core code uses this function, but extensions do (contrib/bloom does, for example).

• Remove incorrect assertion in PL/Python exception handling (Alexander Lakhin)

• Fix assertion failure in pg_dump when it's asked to dump the pg_catalog schema (Peter Eisentraut)

• Fix pg_restore so that selective restores will include both table-level and column-level ACLs for selected tables (Euler Taveira, Tom Lane)

  Formerly, only the table-level ACL would get restored if both types were present.

• Add logic to pg_upgrade to check for use of abstime, reltime, and tinterval data types (Álvaro Herrera)

  These obsolete data types were removed in PostgreSQL version 12, so check to make sure they aren't present in an older database before claiming it can be upgraded.

• Avoid generating invalid temporary slot names in pg_basebackup (Jelte Fennema)

  This has only been seen to occur when the server connection runs through pgbouncer.

• Avoid false “too many client connections” errors in pgbench on Windows (Noah Misch)

• In contrib/amcheck, do not report interrupted page deletion as corruption (Noah Misch)

  This fix prevents false-positive reports of “the first child of leftmost target page is not leftmost of its level”, “block NNNN is not leftmost” or “left link/right link pair in index XXXX not in agreement”. They appeared if amcheck ran after an unfinished btree index page deletion and before VACUUM had cleaned things up.

• Fix failure of contrib/btree_gin indexes on interval columns, when an indexscan using the < or <= operator is performed (Dean Rasheed)

  Such an indexscan failed to return all the entries it should.

• Add support for LLVM 16 and 17 (Thomas Munro, Dmitry Dolgov)

• Suppress assorted build-time warnings on recent macOS (Tom Lane)

  Xcode 15 (released with macOS Sonoma) changed the linker's behavior in a way that causes many duplicate-library warnings while building PostgreSQL. These were harmless, but they're annoying so avoid citing the same libraries twice. Also remove use of the -multiply_defined suppress linker switch, which apparently has been a no-op for a long time, and is now actively complained of.

• When building contrib/unaccent's rules file, fall back to using python if --with-python was not given and make variable PYTHON was not set (Japin Li)

• Remove PHOT (Phoenix Islands Time) from the default timezone abbreviations list (Tom Lane)

  Presence of this abbreviation in the default list can cause failures on recent Debian and Ubuntu releases, as they no longer install the underlying tzdb entry by default. Since this is a made-up abbreviation for a zone with a total human population of about two dozen, it seems unlikely that anyone will miss it. If someone does, they can put it back via a custom abbreviations file.

Postgres version 15.4

Release date: 2023-08-10

This release contains a variety of fixes from 15.3. For information about new features in major release 15, see Version 15.0.

 Migration to Version 15.4

A dump/restore is not required for those running 15.X.

However, if you use BRIN indexes, it may be advisable to reindex them; see the third changelog entry below.

Also, if you are upgrading from a version earlier than 15.1, see Version 15.1.

 Changes

• Disallow substituting a schema or owner name into an extension script if the name contains a quote, backslash, or dollar sign (Noah Misch)

  This restriction guards against SQL-injection hazards for trusted extensions.

  The PostgreSQL Project thanks Micah Gate, Valerie Woolard, Tim Carey-Smith, and Christoph Berg for reporting this problem. (CVE-2023-39417 or CVE-2023-39417)

• Fix MERGE to enforce row security policies properly (Dean Rasheed)

  When MERGE performs an UPDATE action, it should enforce any UPDATE or SELECT RLS policies defined on the target table, to be consistent with the way that a plain UPDATE with a WHERE clause works. Instead it was enforcing INSERT RLS policies for both INSERT and UPDATE actions.

  In addition, when MERGE performs a DO NOTHING action, it applied the target table's DELETE RLS policies to existing rows, even though those rows are not being deleted. While it's not a security problem, this could result in unwanted errors.

  The PostgreSQL Project thanks Dean Rasheed for reporting this problem. (CVE-2023-39418 or CVE-2023-39418)

• Fix confusion between empty (no rows) ranges and all-NULL ranges in BRIN indexes, as well as incorrect merging of all-NULL summaries (Tomas Vondra)

  Each of these oversights could result in forgetting that a BRIN index range contains any NULL values, potentially allowing subsequent queries that should return NULL values to miss doing so.

  This fix will not in itself correct faulty BRIN entries. It's recommended to REINDEX any BRIN indexes that may be used to search for nulls.

• Avoid leaving a corrupted database behind when DROP DATABASE is interrupted (Andres Freund)

  If DROP DATABASE was interrupted after it had already begun taking irreversible steps, the target database remained accessible (because the removal of its pg_database row would roll back), but it would have corrupt contents. Fix by marking the database as inaccessible before we begin to perform irreversible operations. A failure after that will leave the database still partially present, but nothing can be done with it except to issue another DROP DATABASE.

• Ensure that partitioned indexes are correctly marked as valid or not at creation (Michael Paquier)

  If a new partitioned index matches an existing but invalid index on one of the partitions, the partitioned index could end up being marked valid prematurely. This could lead to misbehavior or assertion failures in subsequent queries on the partitioned table.

• Ignore invalid child indexes when matching partitioned indexes to child indexes during ALTER TABLE ATTACH PARTITION (Michael Paquier)

  Such an index will now be ignored, and a new child index created instead.

• Fix possible failure when marking a partitioned index valid after all of its partitions have been attached (Michael Paquier)

  The update of the index's pg_index entry could use stale data for other columns. One reported symptom is an “attempted to update invisible tuple” error.

• Fix ALTER EXTENSION SET SCHEMA to complain if the extension contains any objects outside the extension's schema (Michael Paquier, Heikki Linnakangas)

  Erroring out if the extension contains objects in multiple schemas was always intended; but the check was mis-coded so that it would fail to detect some cases, leading to surprising behavior.

• Fix tracking of tables' access method dependencies (Michael Paquier)

  ALTER TABLE ... SET ACCESS METHOD failed to update relevant pg_depend entries when changing a table's access method. When using non-built-in access methods, this creates a risk that an access method could be dropped even though tables still depend on it. This fix corrects the logic in ALTER TABLE, but it will not adjust any already-missing pg_depend entries.

• Don't use partial unique indexes for uniqueness proofs in the planner (David Rowley)

  This could give rise to incorrect plans, since the presumed uniqueness of rows read from a table might not hold if the index in question isn't used to scan the table.

• Don't Memoize lateral joins with volatile join conditions (Richard Guo)

  Applying Memoize to a sub-plan that contains volatile filter conditions is likely to lead to wrong answers. The check to avoid doing this missed some cases that can arise when using LATERAL.

• Avoid producing incorrect plans for foreign joins with pseudoconstant join clauses (Etsuro Fujita)

  The planner currently lacks support for attaching pseudoconstant join clauses to a pushed-down remote join, so disable generation of remote joins in such cases. (A better solution will require ABI-breaking changes of planner data structures, so it will have to wait for a future major release.)

• Correctly handle sub-SELECTs in RLS policy expressions and security-barrier views when expanding rule actions (Tom Lane)

• Fix race conditions in conflict detection for SERIALIZABLE isolation mode (Thomas Munro)

  Conflicts could be missed when using bitmap heap scans, when using GIN indexes, and when examining an initially-empty btree index. All these cases could lead to serializability failures due to improperly allowing conflicting transactions to commit.

• Fix misbehavior of EvalPlanQual checks with inherited or partitioned target tables (Tom Lane)

  This oversight could lead to update or delete actions in READ COMMITTED isolation mode getting performed when they should have been skipped because of a conflicting concurrent update.

• Fix hash join with an inner-side hash key that contains Params coming from an outer nested loop (Tom Lane)

  When rescanning the join after the values of such Params have changed, we must rebuild the hash table, but neglected to do so. This could result in missing join output rows.

• Fix intermittent failures when trying to update a field of a composite column (Tom Lane)

  If the overall value of the composite column is wide enough to require out-of-line toasting, then an unluckily-timed cache flush could cause errors or server crashes.

• Prevent query-lifespan memory leaks in some UPDATE queries with triggers (Tomas Vondra)

• Prevent query-lifespan memory leaks when an Incremental Sort plan node is rescanned (James Coleman, Laurenz Albe, Tom Lane)

• Accept fractional seconds in the input to jsonpath's datetime() method (Tom Lane)

• Prevent stack-overflow crashes with very complex text search patterns (Tom Lane)

• Allow tokens up to 10240 bytes long in pg_hba.conf and pg_ident.conf (Tom Lane)

  The previous limit of 256 bytes has been found insufficient for some use-cases.

• Ensure that all existing placeholders are checked for matches when an extension declares its GUC prefix to be reserved (Karina Litskevich, Ekaterina Sokolova)

  Faulty loop logic could cause some entries to be skipped.

• Fix mishandling of C++ out-of-memory conditions (Heikki Linnakangas)

  If JIT is in use, running out of memory in a C++ new call would lead to a PostgreSQL FATAL error, instead of the expected C++ exception.

• Fix rare null-pointer crash in plancache.c (Tom Lane)

• Avoid leaking a stats entry for a subscription when it is dropped (Masahiko Sawada)

• Avoid losing track of possibly-useful shared memory segments when a page free results in coalescing ranges of free space (Dongming Liu)

  Ensure that the segment is moved into the appropriate “bin” for its new amount of free space, so that it will be found by subsequent searches.

• Allow VACUUM to continue after detecting certain types of b-tree index corruption (Peter Geoghegan)

  If an invalid sibling-page link is detected, log the issue and press on, rather than throwing an error as before. Nothing short of REINDEX will fix the broken index, but preventing VACUUM from completing until that is done risks making matters far worse.

• Ensure that WrapLimitsVacuumLock is released after VACUUM detects invalid data in pg_database.datfrozenxid or pg_database.datminmxid (Andres Freund)

  Failure to release this lock could lead to a deadlock later, although the lock would be cleaned up if the session exits or encounters some other error.

• Avoid double replay of prepared transactions during crash recovery (suyu.cmj, Michael Paquier)

  After a crash partway through a checkpoint with some two-phase transaction state data already flushed to disk by this checkpoint, crash recovery could attempt to replay the prepared transaction(s) twice, leading to a fatal error such as “lock is already held” in the startup process.

• Ensure that a newly created, but still empty table is fsync'ed at the next checkpoint (Heikki Linnakangas)

  Without this, if there is an operating system crash causing the empty file to disappear, subsequent operations on the table might fail with “could not open file” errors.

• Ensure that creation of the init fork of an unlogged index is WAL-logged (Heikki Linnakangas)

  While an unlogged index's main data fork is not WAL-logged, its init fork should be, to ensure that we have a consistent state to restore the index to after a crash. This step was missed if the init fork contains no data, which is a case not used by any standard index AM; but perhaps some extension behaves that way.

• Silence bogus “missing contrecord” errors (Thomas Munro)

  Treat this case as plain end-of-WAL to avoid logging inaccurate complaints from pg_waldump and walsender.

• Fix overly strict assertion in jsonpath code (David Rowley)

  This assertion failed if a query applied the .type() operator to a like_regex result. There was no bug in non-assert builds.

• Avoid assertion failure when processing an empty statement via the extended query protocol in an already-aborted transaction (Tom Lane)

• Avoid assertion failure when the stats_fetch_consistency setting is changed intra-transaction (Kyotaro Horiguchi)

• Fix contrib/fuzzystrmatch's Soundex difference() function to handle empty input sanely (Alexander Lakhin, Tom Lane)

  An input string containing no alphabetic characters resulted in unpredictable output.

• Tighten whitespace checks in contrib/hstore input (Evan Jones)

  In some cases, characters would be falsely recognized as whitespace and hence discarded.

• Disallow oversize input arrays with contrib/intarray's gist__int_ops index opclass (Ankit Kumar Pandey, Alexander Lakhin)

  Previously this code would report a NOTICE but press on anyway, creating an invalid index entry that presents a risk of crashes when the index is read.

• Avoid useless double decompression of GiST index entries in contrib/intarray (Konstantin Knizhnik, Matthias van de Meent, Tom Lane)

• Fix contrib/pageinspect's gist_page_items() function to work when there are included index columns (Alexander Lakhin, Michael Paquier)

  Previously, if the index has included columns, gist_page_items() would fail to display those values on index leaf pages, or crash outright on non-leaf pages.

• In psql, ignore the PSQL_WATCH_PAGER environment variable when stdin/stdout are not a terminal (Tom Lane)

  This corresponds to the treatment of PSQL_PAGER in commands besides \watch.

• Fix pg_dump to correctly handle new-style SQL-language functions whose bodies require parse-time dependencies on unique indexes (Tom Lane)

  Such cases can arise from GROUP BY and ON CONFLICT clauses, for example. The function must then be postponed until after the unique index in the dump output, but pg_dump did not do that and instead printed a warning about “could not resolve dependency loop”.

• Improve pg_dump's display of details about dependency-loop problems (Tom Lane)

• Avoid crash in pgbench with an empty pipeline and prepared mode (Álvaro Herrera)

• Ensure that pg_index.indisreplident is kept up-to-date in relation cache entries (Shruthi Gowda)

  This value could be stale in some cases. There is no core code that relies on the relation cache's copy, so this is only a latent bug as far as Postgres itself is concerned; but there may be extensions for which it is a live bug.

• Fix make_etags script to work with non-Exuberant ctags (Masahiko Sawada)

Postgres version 15.3

Release date: 2023-05-11

This release contains a variety of fixes from 15.2. For information about new features in major release 15, see Version 15.0.

 Migration to Version 15.3

A dump/restore is not required for those running 15.X.

However, if you are upgrading from a version earlier than 15.1, see Version 15.1.

 Changes

• Prevent CREATE SCHEMA from defeating changes in search_path (Alexander Lakhin)

  Within a CREATE SCHEMA command, objects in the prevailing search_path, as well as those in the newly-created schema, would be visible even within a called function or script that attempted to set a secure search_path. This could allow any user having permission to create a schema to hijack the privileges of a security definer function or extension script.

  The PostgreSQL Project thanks Alexander Lakhin for reporting this problem. (CVE-2023-2454 or CVE-2023-2454)

• Enforce row-level security policies correctly after inlining a set-returning function (Stephen Frost, Tom Lane)

  If a set-returning SQL-language function refers to a table having row-level security policies, and it can be inlined into a calling query, those RLS policies would not get enforced properly in some cases involving re-using a cached plan under a different role. This could allow a user to see or modify rows that should have been invisible.

  The PostgreSQL Project thanks Wolfgang Walther for reporting this problem. (CVE-2023-2455 or CVE-2023-2455)

• Fix potential corruption of the template (source) database after CREATE DATABASE with the STRATEGY WAL_LOG option (Nathan Bossart, Ryo Matsumura)

  Improper buffer handling created a risk that any later modification of the template's pg_class catalog would be lost.

• Fix memory leakage and unnecessary disk reads during CREATE DATABASE with the STRATEGY WAL_LOG option (Andres Freund)

• Avoid crash when the new schema name is omitted in CREATE SCHEMA (Michael Paquier)

  The SQL standard allows writing CREATE SCHEMA AUTHORIZATION owner_name, with the schema name defaulting to owner_name. However some code paths expected the schema name to be present and would fail.

• Fix various planner failures with MERGE commands (Tom Lane)

  Planning could fail with errors like “variable not found in subplan target list” or “PlaceHolderVar found where not expected”.

• Fix the row count reported by MERGE for some corner cases (Dean Rasheed)

  The row count reported in the command tag counted rows that actually hadn't been modified due to a BEFORE ROW trigger returning NULL. This is inconsistent with what happens in plain UPDATE or DELETE, so change it to not count such rows. Also, avoid counting a row twice when MERGE moves it into a different partition of a partitioned table.

• Fix MERGE problems with concurrent updates (Dean Rasheed, Álvaro Herrera)

  Some cases misbehaved if a row to be updated or deleted by MERGE had just been updated by a concurrent transaction. This could lead to a crash, or the wrong merge action being executed, or no action at all.

• Add support for decompiling MERGE commands (Álvaro Herrera)

  This was overlooked when MERGE was added, but it's essential support for MERGE in new-style SQL functions.

• Fix enabling/disabling of foreign-key triggers in partitioned tables (Tom Lane)

  ALTER TABLE ... ENABLE/DISABLE TRIGGER failed if applied to a partitioned table's foreign-key enforcement triggers, because it tried to locate the clone triggers for the partitions by name, and they do not have the same name. Locate them by parent-trigger OID instead.

• Disallow altering composite types that are stored in indexes (Tom Lane)

  ALTER TYPE disallows non-binary-compatible modifications of composite types if they are stored in any table columns. (Perhaps that will be allowed someday, but it hasn't happened yet; the locking implications of rewriting many tables are daunting.) We overlooked the possibility that an index might contain a composite type that doesn't also appear in its table.

• Disallow system columns as elements of foreign keys (Tom Lane)

  Since the removal of OID as a system column, there is no plausible use-case for this, and various bits of code no longer support it. Disallow it rather than trying to fix all the cases.

• Ensure that COPY TO from an RLS-enabled parent table does not copy any rows from child tables (Antonin Houska)

  The documentation is quite clear that COPY TO copies rows from only the named table, not any inheritance children it may have. However, if row-level security was enabled on the table then this stopped being true.

• Avoid possible crash when array_position() or array_positions() is passed an empty array (Tom Lane)

• Fix possible out-of-bounds fetch in to_char() (Tom Lane)

  With bad luck this could have resulted in a server crash.

• Avoid buffer overread in translate() function (Daniil Anisimov)

  When using the deletion feature, the function might fetch the byte just after the input string, creating a small risk of crash.

• Adjust text-search-related character classification logic to correctly detect whether the prevailing locale is C (Jeff Davis)

  This code got confused if the database's default collation uses ICU.

• Avoid possible crash on empty input for type interval (Tom Lane)

• Re-allow exponential notation in ISO-8601 interval fields (Tom Lane)

  Interval input like P0.1e10D isn't officially sanctioned by ISO-8601, but we accepted it for a long time before version 15, so re-allow it.

• Fix error cursor setting for parse errors in JSON string literals (Tom Lane)

  Most cases in which a syntax error is detected in a string literal within a JSON value failed to set the error cursor appropriately. This led at least to an unhelpful error message (pointing to the token before the string, rather than the actual trouble spot), and could even result in a crash in v14 and later.

• Fix data corruption due to vacuum_defer_cleanup_age being larger than the current 64-bit xid (Andres Freund)

  In v14 and later with non-default settings of vacuum_defer_cleanup_age, it was possible to compute a very large vacuum cleanup horizon xid, leading to vacuum removing rows that are still live. v12 and v13 have a lesser form of the same problem affecting only GiST indexes, which could lead to index pages getting recycled too early.

• Fix parser's failure to detect some cases of improperly-nested aggregates (Tom Lane)

  This oversight could lead to executor failures for queries that should have been rejected as invalid.

• Fix data structure corruption during parsing of serial SEQUENCE NAME options (David Rowley)

  This can lead to trouble if an event trigger captures the corrupted parse tree.

• Correctly update plan nodes' parallel-safety markings when moving initplans from one node to another (Tom Lane)

  This planner oversight could lead to “subplan was not initialized” errors at runtime.

• Avoid failure with PlaceHolderVars in extended-statistics code (Tom Lane)

  Use of dependency-type extended statistics could fail with “PlaceHolderVar found where not expected”.

• Fix incorrect tests for whether a qual clause applied to a subquery can be transformed into a window aggregate “run condition” within the subquery (David Rowley)

  A SubPlan within such a clause would cause assertion failures or incorrect answers, as would some other unusual cases.

• Disable the inverse-transition optimization for window aggregates when the call contains sub-SELECTs (David Rowley)

  This optimization requires that the aggregate's argument expressions have repeatable results, which might not hold for a sub-SELECT.

• Fix oversights in execution of nested ARRAY[] constructs (Alexander Lakhin, Tom Lane)

  Correctly detect overflow of the total space needed for the result array, avoiding a possible crash due to undersized output allocation. Also ensure that any trailing padding space in the result array is zeroed; while leaving garbage there is harmless for most purposes, it can result in odd behavior later.

• Prevent crash when updating a field within an array-of-domain-over-composite-type column (Dmitry Dolgov)

• Fix partition pruning logic for partitioning on boolean columns (David Rowley)

  Pruning with a condition like boolcol IS NOT TRUE was done incorrectly, leading to possibly not returning rows in which boolcol is NULL. Also, the rather unlikely case of partitioning on NOT boolcol was handled incorrectly.

• Fix race condition in per-batch cleanup during parallel hash join (Thomas Munro, Melanie Plageman)

  A crash was possible given unlucky timing and parallel_leader_participation = off (which is not the default).

• Recalculate GENERATED columns after an EvalPlanQual check (Tom Lane)

  In READ COMMITTED isolation mode, the effects of a row update might need to get reapplied to a newer version of the row than the query found originally. If so, we need to recompute any GENERATED columns, in case they depend on columns that were changed by the concurrent update.

• Fix memory leak in Memoize plan execution (David Rowley)

• Fix buffer refcount leak when using batched inserts for a foreign table included in a partitioned tree (Alexander Pyhalov)

• Restore support for sub-millisecond vacuum_cost_delay settings (Thomas Munro)

• Don't balance vacuum cost delay when a table has a per-relation vacuum_cost_delay setting of zero (Masahiko Sawada)

  Delay balancing is supposed to be disabled whenever autovacuum is processing a table with a per-relation vacuum_cost_delay setting, but this was done only for positive settings, not zero.

• Fix corner-case crashes when columns have been added to the end of a view (Tom Lane)

• Repair rare failure of MULTIEXPR_SUBLINK subplans in partitioned updates (Andres Freund, Tom Lane)

  Use of the syntax INSERT ... ON CONFLICT DO UPDATE SET (c1, ...) = (SELECT ...) with a partitioned target table could result in failure if any child table is dissimilar from the parent (for example, different physical column order). This typically manifested as failure of consistency checks in the executor; but a crash or incorrect data updates are also possible.

• Fix handling of DEFAULT markers within a multi-row INSERT ... VALUES query on a view that has a DO ALSO INSERT ... SELECT rule (Dean Rasheed)

  Such cases typically failed with “unrecognized node type” errors or assertion failures.

• Support references to OLD and NEW within subqueries in rule actions (Dean Rasheed, Tom Lane)

  Such references are really lateral references, but the server could crash if the subquery wasn't explicitly marked with LATERAL. Arrange to do that implicitly when necessary.

• When decompiling a rule or SQL function body containing INSERT/UPDATE/DELETE within WITH, take care to print the correct alias for the target table (Tom Lane)

• Fix glitches in SERIALIZABLE READ ONLY optimization (Thomas Munro)

  Transactions already marked as “doomed” confused the safe-snapshot optimization for SERIALIZABLE READ ONLY transactions. The optimization was unnecessarily skipped in some cases. In other cases an assertion failure occurred (but there was no problem in non-assert builds).

• Avoid leaking cache callback slots in the pgoutput logical decoding plugin (Shi Yu)

  Multiple cycles of starting up and shutting down the plugin within a single session would eventually lead to an “out of relcache_callback_list slots” error.

• Avoid unnecessary calls to custom validators for index operator class options (Alexander Korotkov)

  This change fixes some cases where an unexpected error was thrown.

• Avoid useless work while scanning a multi-column BRIN index with multiple scan keys (Tomas Vondra)

  The existing code effectively considered only the last scan key while deciding whether a range matched, thus usually scanning more of the index than it needed to.

• Fix netmask handling in BRIN inet_minmax_multi_ops opclass (Tomas Vondra)

  This error triggered an assertion failure in assert-enabled builds, but is mostly harmless in production builds.

• Fix dereference of dangling pointer during buffering build of a GiST index (Alexander Lakhin)

  This error seems to usually be harmless in production builds, as the fetched value is noncritical; but in principle it could cause a server crash.

• Ignore dropped columns and generated columns during logical replication of an update or delete action (Onder Kalaci, Shi Yu)

  Replication with the REPLICA IDENTITY FULL option failed if the table contained such columns.

• Correct the name of the wait event for SLRU buffer I/O for commit timestamps (Alexander Lakhin)

  This wait event is named CommitTsBuffer according to the documentation, but the code had it as CommitTSBuffer. Change the code to match the documentation, as that way is more consistent with the naming of related wait events.

• Re-activate reporting of wait event SLRUFlushSync (Thomas Munro)

  Reporting of this type of wait was accidentally removed in code refactoring.

• Avoid possible underflow when calculating how many WAL segments to keep (Kyotaro Horiguchi)

  This could result in not honoring wal_keep_size accurately.

• Disable startup progress reporting overhead in standby mode (Bharath Rupireddy)

  In standby mode, we don't actually report progress of recovery, but we were doing work to track it anyway.

• Support RSA-PSS certificates with SCRAM-SHA-256 channel binding (Jacob Champion, Heikki Linnakangas)

  This feature requires building with OpenSSL 1.1.1 or newer. Both the server and libpq are affected.

• Avoid race condition with process ID tracking on Windows (Thomas Munro)

  The operating system could recycle a PID before the postmaster observed that that child process was gone. This could lead to tracking more than one child with the same PID, resulting in confusion.

• Fix list_copy_head() to work correctly on an empty List (David Rowley)

  This case is not known to be reached by any core PostgreSQL code, but extensions might rely on it working.

• Add missing cases to SPI_result_code_string() (Dean Rasheed)

• Fix erroneous Valgrind markings in AllocSetRealloc() (Karina Litskevich)

  In the unusual case where the size of a large (>8kB) palloc chunk is decreased, a Valgrind-aware build would mismark the defined-ness state of the memory released from the chunk, possibly causing incorrect results during Valgrind testing.

• Fix assertion failure for MERGE into a partitioned table with row-level security enabled (Dean Rasheed)

• Avoid assertion failure when decoding a transactional logical replication message (Tomas Vondra)

• Avoid locale sensitivity when processing regular expression escapes (Jeff Davis)

  A backslash followed by a non-ASCII character could sometimes cause an assertion failure, depending on the prevailing locale.

• Avoid trying to write an empty WAL record in log_newpage_range() when the last few pages in the specified range are empty (Matthias van de Meent)

  It is not entirely clear whether this case is reachable in released branches, but if it is then an assertion failure could occur.

• Fix session-lifespan memory leakage in plpgsql DO blocks that use cast expressions (Ajit Awekar, Tom Lane)

• Tighten array dimensionality checks when converting Perl list structures to multi-dimensional SQL arrays (Tom Lane)

  plperl could misbehave when the nesting of sub-lists is inconsistent so that the data does not represent a rectangular array of values. Such cases now produce errors, but previously they could result in a crash or garbage output.

• Tighten array dimensionality checks when converting Python list structures to multi-dimensional SQL arrays (Tom Lane)

  plpython could misbehave when dealing with empty sub-lists, or when the nesting of sub-lists is inconsistent so that the data does not represent a rectangular array of values. The former should result in an empty output array, and the latter in an error. But some cases resulted in a crash, and others in unexpected output.

• Fix unwinding of exception stack in plpython (Xing Guo)

  Some rare failure cases could return without cleaning up the PG_TRY exception stack, risking a crash if another error was raised before the next stack level was unwound.

• Fix inconsistent GSS-encryption error handling in libpq's PQconnectPoll() (Michael Paquier)

  With gssencmode set to require, the connection was not marked dead after a GSS initialization failure. Make it fail immediately, as the equivalent case for TLS encryption has long done.

• Fix possible data corruption in ecpg programs built with the -C ORACLE option (Kyotaro Horiguchi)

  When ecpg_get_data() is called with varcharsize set to zero, it could write a terminating zero character into the last byte of the preceding field, truncating the data in that field.

• Fix pg_dump so that partitioned tables that are hash-partitioned on an enum-type column can be restored successfully (Tom Lane)

  Since the hash codes for enum values depend on the OIDs assigned to the enum, they are typically different after a dump and restore, meaning that rows often need to go into a different partition than they were in originally. Users can work around that by specifying the --load-via-partition-root option; but since there is very little chance of success without that, teach pg_dump to apply it automatically to such tables.

  Also, fix pg_restore to not try to TRUNCATE target tables before restoring into them when --load-via-partition-root mode is used. This avoids a hazard of deadlocks and lost data.

• Correctly detect non-seekable files on Windows (Juan José Santamaría Flecha, Michael Paquier, Daniel Watzinger)

  This bug led to misbehavior when pg_dump writes to a pipe or pg_restore reads from one.

• In pgbench's “prepared” mode, prepare all the commands in a pipeline before starting the pipeline (Álvaro Herrera)

  This avoids a failure when a pgbench script tries to start a serializable transaction inside a pipeline.

• In contrib/amcheck's heap checking code, deal correctly with tuples having zero xmin or xmax (Robert Haas)

• In contrib/amcheck, deal sanely with xids that appear to be before epoch zero (Andres Freund)

  In cases of corruption we might see a wrapped-around 32-bit xid that appears to be before the first xid epoch. Promoting such a value to 64-bit form produced a value far in the future, resulting in wrong reports. Return FirstNormalFullTransactionId in such cases so that things work reasonably sanely.

• In contrib/basebackup_to_shell, properly detect failure to open a pipe (Robert Haas)

• In contrib/hstore_plpython, avoid crashing if the Python value to be transformed isn't a mapping (Dmitry Dolgov, Tom Lane)

  This should give an error, but Python 3 changed some APIs in a way that caused the check to misbehave, allowing a crash to ensue.

• Require the siglen option of a GiST index on an ltree column, if specified, to be a multiple of 4 (Alexander Korotkov)

  Other values result in misaligned accesses to index content, which is harmless on Intel-compatible hardware but can cause a crash on some other architectures.

• In contrib/pageinspect, add defenses against incorrect input for the gist_page_items() function (Dmitry Koval)

• Fix misbehavior in contrib/pg_trgm with an unsatisfiable regular expression (Tom Lane)

  A regex such as $foo is legal but unsatisfiable; the regex compiler recognizes that and produces an empty NFA graph. Attempting to optimize such a graph into a pg_trgm GIN or GiST index qualification resulted in accessing off the end of a work array, possibly leading to crashes.

• Fix handling of escape sequences in contrib/postgres_fdw's application_name parameter (Kyotaro Horiguchi, Michael Paquier)

  The code to expand these could fail if executed in a background process, as for example during auto-analyze of a foreign table.

• In contrib/pg_walinspect, limit memory usage of pg_get_wal_records_info() (Bharath Rupireddy)

• Use the --strip-unneeded option when stripping static libraries with GNU-compatible strip (Tom Lane)

  Previously, make install-strip used the -x option in this case. This change avoids misbehavior of llvm-strip, and gives slightly smaller output as well.

• Stop recommending auto-download of DTD files for building the documentation, and indeed disable it (Aleksander Alekseev, Peter Eisentraut, Tom Lane)

  It appears no longer possible to build the SGML documentation without a local installation of the DocBook DTD files. Formerly xsltproc could download those files on-the-fly from sourceforge.net; but sourceforge.net now permits only HTTPS access, and no common version of xsltproc supports that. Hence, remove the bits of our documentation suggesting that that's possible or useful, and instead add xsltproc's --nonet option to the build recipes.

• When running TAP tests in PGXS builds, use a saner location for the temporary portlock directory (Peter Eisentraut)

  Place it under tmp_check in the build directory. With the previous coding, a PGXS build would try to place it in the installation directory, which is not necessarily writable.

• Update time zone data files to tzdata release 2023c for DST law changes in Egypt, Greenland, Morocco, and Palestine.

  When observing Moscow time, Europe/Kirov and Europe/Volgograd now use the abbreviations MSK/MSD instead of numeric abbreviations, for consistency with other timezones observing Moscow time. Also, America/Yellowknife is no longer distinct from America/Edmonton; this affects some pre-1948 timestamps in that area.

Postgres version 15.2

Release date: 2023-02-09

This release contains a variety of fixes from 15.1. For information about new features in major release 15, see Version 15.0.

 Migration to Version 15.2

A dump/restore is not required for those running 15.X.

However, if you are upgrading from a version earlier than 15.1, see Version 15.1.

 Changes

• libpq can leak memory contents after GSSAPI transport encryption initiation fails (Jacob Champion)

  A modified server, or an unauthenticated man-in-the-middle, can send a not-zero-terminated error message during setup of GSSAPI (Kerberos) transport encryption. libpq will then copy that string, as well as following bytes in application memory up to the next zero byte, to its error report. Depending on what the calling application does with the error report, this could result in disclosure of application memory contents. There is also a small probability of a crash due to reading beyond the end of memory. Fix by properly zero-terminating the server message. (CVE-2022-41862 or CVE-2022-41862)

• Fix calculation of which GENERATED columns need to be updated in child tables during an UPDATE on a partitioned table or inheritance tree (Amit Langote, Tom Lane)

  This fixes failure to update GENERATED columns that do not exist in the parent table, or that have different dependencies than are in the parent column's generation expression.

• Fix possible failure of MERGE to compute GENERATED columns (Dean Rasheed)

  When the first row-level action of the MERGE was an UPDATE, any subsequent INSERT actions would fail to compute GENERATED columns that were deemed unnecessary to compute for the UPDATE action (due to not depending on any of the UPDATE target columns).

• Fix MERGE's check for unreachable WHEN clauses (Dean Rasheed)

  A WHEN clause following an unconditional WHEN clause should be rejected as unreachable, but this case was not always detected.

• Fix MERGE's rule-detection test (Dean Rasheed)

  MERGE is not supported on tables with rules; but it also failed on tables that once had rules but no longer do.

• In MERGE, don't count a DO NOTHING action as a processed tuple (Álvaro Herrera)

  This makes the code's behavior match the documentation.

• Allow a WITH RECURSIVE ... CYCLE CTE to access its output column (Tom Lane)

  A reference to the SET column from within the CTE would fail with “cache lookup failed for type 0”.

• Fix handling of pending inserts when doing a bulk insertion to a foreign table (Etsuro Fujita)

  In some cases pending insertions were not flushed to the FDW soon enough, leading to logical inconsistencies, for example BEFORE ROW triggers not seeing rows they should be able to see.

• Allow REPLICA IDENTITY to be set on an index that's not (yet) valid (Tom Lane)

  When pg_dump dumps a partitioned index that's marked REPLICA IDENTITY, it generates a command sequence that applies REPLICA IDENTITY before the partitioned index has been marked valid, causing restore to fail. There seems no very good reason to prohibit doing it in that order, so allow it. The marking will have no effect anyway until the index becomes valid.

• Fix handling of DEFAULT markers in rules that perform an INSERT from a multi-row VALUES list (Dean Rasheed)

  In some cases a DEFAULT marker would not get replaced with the proper default-value expression, leading to an “unrecognized node type” error.

• Reject uses of undefined variables in jsonpath existence checks (Alexander Korotkov, David G. Johnston)

  While jsonpath match operators threw an error for an undefined variable in the path pattern, the existence operators silently treated it as a match.

• Fix jsonb subscripting to cope with toasted subscript values (Tom Lane, David G. Johnston)

  Using a text value fetched directly from a table as a jsonb subscript was likely to fail. Fetches would usually not find any matching element. Assignments could store the value with a garbage key, although keys long enough to cause that problem are probably rare in the field.

• Fix edge-case data corruption in parallel hash joins (Dmitry Astapov)

  If the final chunk of a large tuple being written out to a temporary file was exactly 32760 bytes, it would be corrupted due to a fencepost bug. The query would typically fail later with corrupted-data symptoms.

• Honor non-default settings of checkpoint_completion_target (Bharath Rupireddy)

  Internal state was not updated after a change in checkpoint_completion_target, possibly resulting in performing checkpoint I/O faster or slower than desired, especially if that setting was changed on-the-fly.

• Log the correct ending timestamp in recovery_target_xid mode (Tom Lane)

  When ending recovery based on the recovery_target_xid setting with recovery_target_inclusive = off, we printed an incorrect timestamp (always 2000-01-01) in the “recovery stopping before ... transaction” log message.

• Improve error reporting for some buffered file read failures (Peter Eisentraut)

  Correctly report a short read, giving the numbers of bytes desired and actually read, instead of reporting an irrelevant error code. Most places got this right already, but some recently-written replication logic did not.

• Remove arbitrary limit on number of elements in int2vector and oidvector (Tom Lane)

  The input functions for these types previously rejected more than 100 elements. With the introduction of the logical replication column list feature, it's necessary to accept int2vectors having up to 1600 columns, otherwise long column lists cause logical-replication failures.

• In extended query protocol, avoid an immediate commit after ANALYZE if we're running a pipeline (Tom Lane)

  If there's not been an explicit BEGIN TRANSACTION, ANALYZE would take it on itself to commit, which should not happen within a pipelined series of commands.

• Reject cancel request packets having the wrong length (Andrey Borodin)

  The server would process a cancel request even if its length word was too small. This led to reading beyond the end of the allocated buffer. In theory that could cause a segfault, but it seems quite unlikely to happen in practice, since the buffer would have to be very close to the end of memory. The more likely outcome was a bogus log message about wrong backend PID or cancel code. Complain about the wrong length, instead.

• Fix planner preprocessing oversights for window function run-condition expressions (Richard Guo, David Rowley)

  This could lead to planner errors such as “WindowFunc not found in subplan target lists”.

• Fix possible dangling-pointer access during execution of window function run-condition expressions (David Rowley)

  In practice, because the run-condition optimization is only applied to certain window functions that happen to all return int8, this only manifested as a problem on 32-bit builds.

• Add recursion and looping defenses in subquery pullup (Tom Lane)

  A contrived query can result in deep recursion and unreasonable amounts of time spent trying to flatten subqueries. A proper fix for that seems unduly invasive for a back-patch, but we can at least add stack depth checks and an interrupt check to allow the query to be cancelled.

• Fix planner issues when combining Memoize nodes with partitionwise joins or parameterized nestloops (Richard Guo)

  These errors could lead to not using Memoize in contexts where it would be useful, or possibly to wrong query plans.

• Fix partitionwise-join code to tolerate failure to produce a plan for each partition (Tom Lane)

  This could result in “could not devise a query plan for the given query” errors.

• Limit the amount of cleanup work done by get_actual_variable_range (Simon Riggs)

  Planner runs occurring just after deletion of a large number of tuples appearing at the end of an index could expend significant amounts of work setting the “killed” bits for those index entries. Limit the amount of work done in any one query by giving up on this process after examining 100 heap pages. All the cleanup will still happen eventually, but without so large a performance hiccup.

• Prevent the statistics machinery from getting confused when a relation's relkind changes (Andres Freund)

  Converting a table to a view could lead to crashes or assertion failures.

• Fix under-parenthesized display of AT TIME ZONE constructs (Tom Lane)

  This could result in dump/restore failures for rules or views in which an argument of AT TIME ZONE is itself an expression.

• Prevent clobbering of cached parsetrees for utility statements in SQL functions (Tom Lane, Daniel Gustafsson)

  If a SQL-language function executes the same utility command more than once within a single calling query, it could crash or report strange errors such as “unrecognized node type”.

• Ensure that execution of full-text-search queries can be cancelled while they are performing phrase matches (Tom Lane)

• Fix memory leak in hashing strings with nondeterministic collations (Jeff Davis)

• Fix deadlock between DROP DATABASE and logical replication worker process (Hou Zhijie)

  This was caused by an ill-advised choice to block interrupts while creating a logical replication slot in the worker. In version 15 that could lead to an undetected deadlock. In version 14, no deadlock has been observed, but it's still a bad idea to block interrupts while waiting for network I/O.

• Clean up the libpq connection object after a failed replication connection attempt (Andres Freund)

  The previous coding leaked the connection object. In background code paths that's pretty harmless because the calling process will give up and exit. But in commands such as CREATE SUBSCRIPTION, such a failure resulted in a small session-lifespan memory leak.

• In hot-standby servers, reduce processing effort for tracking XIDs known to be active on the primary (Simon Riggs, Michail Nikolaev)

  Insufficiently-aggressive cleanup of the KnownAssignedXids array could lead to poor performance, particularly when max_connections is set to a large value on the standby.

• Ignore invalidated logical-replication slots while determining oldest catalog xmin (Sirisha Chamarthi)

  A replication slot could prevent cleanup of dead tuples in the system catalogs even after it becomes invalidated due to exceeding max_slot_wal_keep_size. Thus, failure of a replication consumer could lead to indefinitely-large catalog bloat.

• In logical decoding, notify the remote node when a transaction is detected to have crashed (Hou Zhijie)

  After a server restart, we'll re-stream the changes for transactions occurring shortly before the restart. Some of these transactions probably never completed; when we realize that one didn't we throw away the relevant decoding state locally, but we neglected to tell the subscriber about it. That led to the subscriber keeping useless streaming files until it's next restarted.

• Fix uninitialized-memory usage in logical decoding (Masahiko Sawada)

  In certain cases, resumption of logical decoding could try to re-use XID data that had already been freed, leading to unpredictable behavior.

• Acquire spinlock while updating shared state during logical decoding context creation (Masahiko Sawada)

  We neglected to acquire the appropriate lock while updating data about two-phase transactions, potentially allowing other processes to see inconsistent data.

• Fix pgoutput replication plug-in to not send columns not listed in a table's replication column list (Hou Zhijie)

  UPDATE and DELETE events did not pay attention to the configured column list, thus sending more data than expected. This did not cause a problem when the receiver is our built-in logical replication code, but it might confuse other receivers, and in any case it wasted network bandwidth.

• Avoid rare “failed to acquire cleanup lock” panic during WAL replay of hash-index page split operations (Robert Haas)

• Advance a heap page's LSN when setting its all-visible bit during WAL replay (Jeff Davis)

  Failure to do this left the page possibly different on standby servers than the primary, and violated some other expectations about when the LSN changes. This seems only a theoretical hazard so far as PostgreSQL itself is concerned, but it could upset third-party tools.

• Fix int64_div_fast_to_numeric() to work for a wider range of inputs (Dean Rasheed)

  This function misbehaved with some values of its second argument. No such usages exist in core PostgreSQL, but it's clearly a hazard for external modules, so repair.

• Fix latent buffer-overrun problem in WaitEventSet logic (Thomas Munro)

  The epoll-based and kqueue-based implementations could ask the kernel for too many events if the size of their internal buffer was different from the size of the caller's output buffer. That case is not known to occur in released PostgreSQL versions, but this error is a hazard for external modules and future bug fixes.

• Avoid nominally-undefined behavior when accessing shared memory in 32-bit builds (Andres Freund)

  clang's undefined-behavior sanitizer complained about use of a pointer that was less aligned than it should be. It's very unlikely that this would cause a problem in non-debug builds, but it's worth fixing for testing purposes.

• Fix assertion failure in BRIN minmax-multi opclasses (Tomas Vondra)

  The assertion was overly strict, so this mistake was harmless in non-assert builds.

• Remove faulty assertion in useless-RESULT-RTE optimization logic (Tom Lane)

• Fix copy-and-paste errors in cache-lookup-failure messages for ACL checks (Justin Pryzby)

  In principle these errors should never be reached. But if they are, some of them reported the wrong type of object.

• Fix possible corruption of very large tablespace map files in pg_basebackup (Antonin Houska)

• Avoid harmless warning from pg_dump in --if-exists mode (Tom Lane)

  If the public schema has a non-default owner then use of pg_dump's --if-exists option resulted in a warning message “warning: could not find where to insert IF EXISTS in statement "-- *not* dropping schema, since initdb creates it"”. The dump output was okay, though.

• Fix psql's \sf and \ef commands to handle SQL-language functions that have SQL-standard function bodies (Tom Lane)

  These commands misidentified the start of the function body when it used new-style syntax.

• Fix tab completion of ALTER FUNCTION/PROCEDURE/ROUTINE ... SET SCHEMA (Dean Rasheed)

• Update contrib/pageinspect to mark its disk-accessing functions as PARALLEL RESTRICTED (Tom Lane)

  This avoids possible failure if one of these functions is used to examine a temporary table, since a session's temporary tables are not accessible from parallel workers.

• Fix contrib/seg to not crash or print garbage if an input number has more than 127 digits (Tom Lane)

• Fix build on Microsoft Visual Studio 2013 (Tom Lane)

  A previous patch supposed that all platforms of interest have snprintf(), but MSVC 2013 isn't quite there yet. Revert to using sprintf() on that platform.

• Fix compile failure in building PL/Perl with MSVC when using Strawberry Perl (Andrew Dunstan)

• Fix mismatch of PL/Perl built with MSVC versus a Perl library built with gcc (Andrew Dunstan)

  Such combinations could previously fail with “loadable library and perl binaries are mismatched” errors.

• Suppress compiler warnings from Perl's header files (Andres Freund)

  Our preferred compiler options provoke warnings about constructs appearing in recent versions of Perl's header files. When using gcc, we can suppress these warnings with a pragma.

• Fix pg_waldump to build on compilers that don't discard unused static-inline functions (Tom Lane)

• Update time zone data files to tzdata release 2022g for DST law changes in Greenland and Mexico, plus historical corrections for northern Canada, Colombia, and Singapore.

  Notably, a new timezone America/Ciudad_Juarez has been split off from America/Ojinaga.

Postgres version 15.1

Release date: 2022-11-10

This release contains a variety of fixes from 15.0. For information about new features in major release 15, see Version 15.0.

 Migration to Version 15.1

A dump/restore is not required for those running 15.X.

However, if you regularly create and drop tables exceeding 1GB, see the first changelog entry below.

 Changes

• Fix failure to remove non-first segments of large tables (Tom Lane)

  PostgreSQL splits large tables into multiple files (normally with 1GB per file). The logic for dropping a table was broken and would miss removing all but the first such file, in two cases: drops of temporary tables and WAL replay of drops of regular tables. Applications that routinely create multi-gigabyte temporary tables could suffer significant disk space leakage.

  Orphaned temporary-table files are removed during postmaster start, so the mere act of updating to 15.1 is sufficient to clear any leaked temporary-table storage. However, if you suffered any database crashes while using 15.0, and there might have been large tables dropped just before such crashes, it's advisable to check the database directories for files named according to the pattern NNNN.NN. If there is no matching file named just NNNN (without the .NN suffix), these files should be removed manually.

• Fix handling of DEFAULT tokens that appear in a multi-row VALUES clause of an INSERT on an updatable view (Tom Lane)

  This oversight could lead to “cache lookup failed for type” errors, or in older branches even to crashes.

• Disallow rules named _RETURN that are not ON SELECT (Tom Lane)

  This avoids confusion between a view's ON SELECT rule and any other rules it may have.

• Avoid failure in EXPLAIN VERBOSE for a query using SEARCH BREADTH FIRST with constant initial values (Tom Lane)

• Prevent use of MERGE on a partitioned table with foreign-table partitions (Álvaro Herrera)

  The case isn't supported, and previously threw an incomprehensible error.

• Fix construction of per-partition foreign key constraints while doing ALTER TABLE ATTACH PARTITION (Jehan-Guillaume de Rorthais, Álvaro Herrera)

  Previously, incorrect or duplicate constraints could be constructed for the newly-added partition.

• Fix planner failure with extended statistics on partitioned or inherited tables (Richard Guo, Justin Pryzby)

  Some cases failed with “cache lookup failed for statistics object”.

• Fix mis-ordering of WAL operations in fast insert path for GIN indexes (Matthias van de Meent, Zhang Mingli)

  This mistake is not known to have any negative consequences within core PostgreSQL, but it did cause issues for some extensions.

• Fix bugs in logical decoding when replay starts from a point between the beginning of a transaction and the beginning of its subtransaction (Masahiko Sawada, Kuroda Hayato)

  These errors could lead to assertion failures in debug builds, and otherwise to memory leaks.

• Accept interrupts in more places during logical decoding (Amit Kapila, Masahiko Sawada)

  This ameliorates problems with slow shutdown of replication workers.

• Prevent attempts to replicate into a foreign-table partition in replication workers (Shi Yu, Tom Lane)

  Although partitioned tables can have foreign tables as partitions, replicating into such a partition isn't currently supported. The logical replication worker process would crash if it was attempted. Now, an error is thrown.

• Avoid crash after function syntax error in replication workers (Maxim Orlov, Anton Melnikov, Masahiko Sawada, Tom Lane)

  If a syntax error occurred in a SQL-language or PL/pgSQL-language CREATE FUNCTION or DO command executed in a logical replication worker, the worker process would crash with a null pointer dereference or assertion failure.

• Avoid double call of the shutdown callback of an archiver module (Nathan Bossart, Bharath Rupireddy)

• Add plan-time check for attempted access to a table that has no table access method (Tom Lane)

  This prevents a crash in some catalog-corruption scenarios, for example use of a view whose ON SELECT rule is missing.

• Prevent postmaster crash when shared-memory state is corrupted (Tom Lane)

  The postmaster process is supposed to survive and initiate a database restart if shared memory becomes corrupted, but one bit of code was being insufficiently cautious about that.

• In libpq, handle single-row mode correctly when pipelining (Denis Laxalde)

  The single-row flag was not reset at the correct time if pipeline mode was also active.

• Fix psql's exit status when a command-line query is canceled (Peter Eisentraut)

  psql -c query would exit successfully if the query was canceled. Fix it to exit with nonzero status, as in other error cases.

• Allow cross-platform tablespace relocation in pg_basebackup (Robert Haas)

  Allow the remote path in --tablespace-mapping to be either a Unix-style or Windows-style absolute path, since the source server could be on a different OS than the local system.

• Fix pg_dump's failure to dump comments attached to some CHECK constraints (Tom Lane)

• Fix CREATE DATABASE to allow its oid parameter to exceed 2³¹ (Tom Lane)

  This oversight prevented pg_upgrade from succeeding when the source installation contained databases with OIDs larger than that.

• In pg_stat_statements, fix access to already-freed memory (zhaoqigui)

  This occurred if pg_stat_statements tracked a ROLLBACK command issued via extended query protocol. In debug builds it consistently led to an assertion failure. In production builds there would often be no visible ill effect; but if the freed memory had already been reused, the likely result would be to store garbage for the query string.

• Fix incompatibilities with LLVM 15 (Thomas Munro, Andres Freund)

• Allow use of __sync_lock_test_and_set() for spinlocks on any machine (Tom Lane)

  This eases porting to new machine architectures, at least if you're using a compiler that supports this GCC builtin function.

• Rename symbol REF to REF_P to avoid compile failure on recent macOS (Tom Lane)

• Avoid using sprintf, to avoid compile-time deprecation warnings (Tom Lane)

• Update time zone data files to tzdata release 2022f for DST law changes in Chile, Fiji, Iran, Jordan, Mexico, Palestine, and Syria, plus historical corrections for Chile, Crimea, Iran, and Mexico.

  Also, the Europe/Kiev zone has been renamed to Europe/Kyiv. Also, the following zones have been merged into nearby, more-populous zones whose clocks have agreed with them since 1970: Antarctica/Vostok, Asia/Brunei, Asia/Kuala_Lumpur, Atlantic/Reykjavik, Europe/Amsterdam, Europe/Copenhagen, Europe/Luxembourg, Europe/Monaco, Europe/Oslo, Europe/Stockholm, Indian/Christmas, Indian/Cocos, Indian/Kerguelen, Indian/Mahe, Indian/Reunion, Pacific/Chuuk, Pacific/Funafuti, Pacific/Majuro, Pacific/Pohnpei, Pacific/Wake and Pacific/Wallis. (This indirectly affects zones that were already links to one of these: Arctic/Longyearbyen, Atlantic/Jan_Mayen, Iceland, Pacific/Ponape, Pacific/Truk, and Pacific/Yap.) America/Nipigon, America/Rainy_River, America/Thunder_Bay, Europe/Uzhgorod, and Europe/Zaporozhye were also merged into nearby zones after discovering that their claimed post-1970 differences from those zones seem to have been errors. In all these cases, the previous zone name remains as an alias; but the actual data is that of the zone that was merged into.

  These zone mergers result in loss of pre-1970 timezone history for the merged zones, which may be troublesome for applications expecting consistency of timestamptz display. As an example, the stored value 1944-06-01 12:00 UTC would previously display as 1944-06-01 13:00:00+01 if the Europe/Stockholm zone is selected, but now it will read out as 1944-06-01 14:00:00+02.

  It is possible to build the time zone data files with options that will restore the older zone data, but that choice also inserts a lot of other old (and typically poorly-attested) zone data, resulting in more total changes from the previous release than accepting these upstream changes does. PostgreSQL has chosen to ship the tzdb data as-recommended, and so far as we are aware most major operating system distributions are doing likewise. However, if these changes cause significant problems for your application, a possible solution is to install a local build of the time zone data files using tzdb's backwards-compatibility options (see their PACKRATDATA and PACKRATLIST options).

Postgres version 15.0

Release date: 2022-10-13

 Overview

PostgreSQL 15 contains many new features and enhancements, including:

• Support for the SQL MERGE command.

• Selective publication of tables' contents within logical replication publications, through the ability to specify column lists and row filter conditions.

• More options for compression, including support for Zstandard (zstd) compression. This includes support for performing compression on the server side during pg_basebackup.

• Support for structured server log output using the JSON format.

• Performance improvements, particularly for in-memory and on-disk sorting.

The above items and other new features of PostgreSQL 15 are explained in more detail in the sections below.

 Migration to Version 15

A dump/restore using pg_dumpall or use of pg_upgrade or logical replication is required for those wishing to migrate data from any previous release. See Section 19.6 for general information on migrating to new major releases.

Version 15 contains a number of changes that may affect compatibility with previous releases. Observe the following incompatibilities:

• Remove PUBLIC creation permission on the public schema (Noah Misch)

  The new default is one of the secure schema usage patterns that Section 5.9.6 has recommended since the security release for CVE-2018-1058 or CVE-2018-1058. The change applies to new database clusters and to newly-created databases in existing clusters. Upgrading a cluster or restoring a database dump will preserve public's existing permissions.

  For existing databases, especially those having multiple users, consider revoking CREATE permission on the public schema to adopt this new default. For new databases having no need to defend against insider threats, granting CREATE permission will yield the behavior of prior releases.

• Change the owner of the public schema to be the new pg_database_owner role (Noah Misch)

  This allows each database's owner to have ownership privileges on the public schema within their database. Previously it was owned by the bootstrap superuser, so that non-superuser database owners could not do anything with it.

  This change applies to new database clusters and to newly-created databases in existing clusters. Upgrading a cluster or restoring a database dump will preserve public's existing ownership specification.

• Remove long-deprecated exclusive backup mode (David Steele, Nathan Bossart)

  If the database server stops abruptly while in this mode, the server could fail to start. The non-exclusive backup mode is considered superior for all purposes. Functions pg_start_backup()/pg_stop_backup() have been renamed to pg_backup_start()/pg_backup_stop(), and the functions pg_backup_start_time() and pg_is_in_backup() have been removed.

• Increase hash_mem_multiplier default to 2.0 (Peter Geoghegan)

  This allows query hash operations to use more work_mem memory than other operations.

• Remove server-side language plpython2u and generic Python language plpythonu (Andres Freund)

  Python 2.x is no longer supported. While the original intent of plpythonu was that it could eventually refer to plpython3u, changing it now seems more likely to cause problems than solve them, so it's just been removed.

• Generate an error if array_to_tsvector() is passed an empty-string array element (Jean-Christophe Arnu)

  This is prohibited because lexemes should never be empty. Users of previous Postgres releases should verify that no empty lexemes are stored because they can lead to dump/restore failures and inconsistent results.

• Generate an error when chr() is supplied with a negative argument (Peter Eisentraut)

• Prevent CREATE OR REPLACE VIEW from changing the collation of an output column (Tom Lane)

• Disallow zero-length Unicode identifiers, e.g., U&"" (Peter Eisentraut)

  Non-Unicode zero-length identifiers were already disallowed.

• Prevent numeric literals from having non-numeric trailing characters (Peter Eisentraut)

  Previously, query text like 123abc would be interpreted as 123 followed by a separate token abc.

• Adjust JSON numeric literal processing to match the SQL/JSON-standard (Peter Eisentraut)

  This accepts numeric formats like .1 and 1., and disallows trailing junk after numeric literals, like 1.type().

• When interval input provides a fractional value for a unit greater than months, round to the nearest month (Bruce Momjian)

  For example, convert 1.99 years to 2 years, not 1 year 11 months as before.

• Improve consistency of interval parsing with trailing periods (Tom Lane)

  Numbers with trailing periods were rejected on some platforms.

• Mark the interval output function as stable, not immutable, since it depends on IntervalStyle (Tom Lane)

  This will, for example, cause creation of indexes relying on the text output of interval values to fail.

• Detect integer overflow in interval justification functions (Joe Koshakow)

  The affected functions are justify_interval(), justify_hours(), and justify_days().

• Change the I/O format of type "char" for non-ASCII characters (Tom Lane)

  Bytes with the high bit set are now output as a backslash and three octal digits, to avoid encoding issues.

• Remove the default ADMIN OPTION privilege a login role has on its own role membership (Robert Haas)

  Previously, a login role could add/remove members of its own role, even without ADMIN OPTION privilege.

• Allow logical replication to run as the owner of the subscription (Mark Dilger)

  Because row-level security policies are not checked, only superusers, roles with bypassrls, and table owners can replicate into tables with row-level security policies.

• Prevent UPDATE and DELETE logical replication operations on tables where the subscription owner does not have SELECT permission on the table (Jeff Davis)

  UPDATE and DELETE commands typically involve reading the table as well, so require the subscription owner to have table SELECT permission.

• When EXPLAIN references the session's temporary object schema, refer to it as pg_temp (Amul Sul)

  Previously the actual schema name was reported, leading to inconsistencies across sessions.

• Fix pg_statio_all_tables to sum values for the rare case of TOAST tables with multiple indexes (Andrei Zubkov)

  Previously such cases would show one row for each index.

• Disallow setting custom options that match the name of an installed extension, but are not one of the extension's declared variables (Florin Irion, Tom Lane)

  This change causes any such pre-existing variables to be deleted during extension load, and then prevents new ones from being created later in the session. The intent is to prevent confusion about whether a variable is associated with an extension or not.

• Remove obsolete server variable stats_temp_directory (Andres Freund, Kyotaro Horiguchi)

• Improve the algorithm used to compute random() (Fabien Coelho)

  This will cause random()'s results to differ from what was emitted by prior versions, even for the same seed value.

• libpq's PQsendQuery() function is no longer supported in pipeline mode (Álvaro Herrera)

  Applications that are using that combination will need to be modified to use PQsendQueryParams() instead.

• On non-Windows platforms, consult the HOME environment variable to find the user's home directory (Anders Kaseorg)

  If HOME is empty or unset, fall back to the previous method of checking the <pwd.h> database. This change affects libpq (for example, while looking up ~/.pgpass) as well as various client application programs.

• Remove pg_dump's --no-synchronized-snapshots option (Tom Lane)

  All still-supported server versions support synchronized snapshots, so there's no longer a need for this option.

• After an error is detected in psql's --single-transaction mode, change the final COMMIT command to ROLLBACK only if ON_ERROR_STOP is set (Michael Paquier)

• Avoid unnecessary casting of constants in queries sent by postgres_fdw (Dian Fay)

  When column types are intentionally different between local and remote databases, such casts could cause errors.

• Remove xml2's xml_is_well_formed() function (Tom Lane)

  This function has been implemented in the core backend since Postgres 9.1.

• Allow custom scan providers to indicate if they support projections (Sven Klemm)

  The default is now that custom scan providers are assumed to not support projections; those that do will need to be updated for this release.

 Changes

Below you will find a detailed account of the changes between PostgreSQL 15 and the previous major release.

 Server (PG 15.0)

• Record and check the collation version of each database (Peter Eisentraut)

  This feature is designed to detect collation version changes to avoid index corruption. Function pg_database_collation_actual_version() reports the underlying operating system collation version, and ALTER DATABASE ... REFRESH sets the recorded database collation version to match the operating system collation version.

• Allow ICU collations to be set as the default for clusters and databases (Peter Eisentraut)

  Previously, only libc-based collations could be selected at the cluster and database levels. ICU collations could only be used via explicit COLLATE clauses.

• Add system view pg_ident_file_mappings to report pg_ident.conf information (Julien Rouhaud)

 Partitioning (PG 15.0)

• Improve planning time for queries referencing partitioned tables (David Rowley)

  This change helps when only a few of many partitions are relevant.

• Allow ordered scans of partitions to avoid sorting in more cases (David Rowley)

  Previously, a partitioned table with a DEFAULT partition or a LIST partition containing multiple values could not be used for ordered partition scans. Now they can be used if such partitions are pruned during planning.

• Improve foreign key behavior of updates on partitioned tables that move rows between partitions (Amit Langote)

  Previously, such updates ran a delete action on the source partition and an insert action on the target partition. PostgreSQL will now run an update action on the partition root, providing cleaner semantics.

• Allow CLUSTER on partitioned tables (Justin Pryzby)

• Fix ALTER TRIGGER RENAME on partitioned tables to properly rename triggers on all partitions (Arne Roland, Álvaro Herrera)

  Also prohibit cloned triggers from being renamed.

 Indexes (PG 15.0)

• Allow btree indexes on system and TOAST tables to efficiently store duplicates (Peter Geoghegan)

  Previously de-duplication was disabled for these types of indexes.

• Improve lookup performance of GiST indexes that were built using sorting (Aliaksandr Kalenik, Sergei Shoulbakov, Andrey Borodin)

• Allow unique constraints and indexes to treat NULL values as not distinct (Peter Eisentraut)

  Previously NULL entries were always treated as distinct values, but this can now be changed by creating constraints and indexes using UNIQUE NULLS NOT DISTINCT.

• Allow the ^@ starts-with operator and the starts_with() function to use btree indexes if using the C collation (Tom Lane)

  Previously these could only use SP-GiST indexes.

 Optimizer (PG 15.0)

• Allow extended statistics to record statistics for a parent with all its children (Tomas Vondra, Justin Pryzby)

  Regular statistics already tracked parent and parent-plus-all-children statistics separately.

• Add server variable recursive_worktable_factor to allow the user to specify the expected size of the working table of a recursive query (Simon Riggs)

 General Performance (PG 15.0)

• Allow hash lookup for NOT IN clauses with many constants (David Rowley, James Coleman)

  Previously the code always sequentially scanned the list of values.

• Allow SELECT DISTINCT to be parallelized (David Rowley)

• Speed up encoding validation of UTF-8 text by processing 16 bytes at a time (John Naylor, Heikki Linnakangas)

  This will improve text-heavy operations like COPY FROM.

• Improve performance for sorts that exceed work_mem (Heikki Linnakangas)

  When the sort data no longer fits in work_mem, switch to a batch sorting algorithm that uses more output streams than before.

• Improve performance and reduce memory consumption of in-memory sorts (Ronan Dunklau, David Rowley, Thomas Munro, John Naylor)

• Allow WAL full page writes to use LZ4 and Zstandard compression (Andrey Borodin, Justin Pryzby)

  This is controlled by the wal_compression server setting.

• Add support for writing WAL using direct I/O on macOS (Thomas Munro)

  This only works if max_wal_senders = 0 and wal_level = minimal.

• Allow vacuum to be more aggressive in setting the oldest frozen and multi transaction id (Peter Geoghegan)

• Allow a query referencing multiple foreign tables to perform parallel foreign table scans in more cases (Andrey Lepikhov, Etsuro Fujita)

• Improve the performance of window functions that use row_number(), rank(), dense_rank() and count() (David Rowley)

• Improve the performance of spinlocks on high-core-count ARM64 systems (Geoffrey Blake)

 Monitoring (PG 15.0)

• Enable default logging of checkpoints and slow autovacuum operations (Bharath Rupireddy)

  This changes the default of log_checkpoints to on and that of log_autovacuum_min_duration to 10 minutes. This will cause even an idle server to generate some log output, which might cause problems on resource-constrained servers without log file rotation. These defaults should be changed in such cases.

• Generate progress messages in the server log during slow server starts (Nitin Jadhav, Robert Haas)

  The messages report the cause of the delay. The time interval for notification is controlled by the new server variable log_startup_progress_interval.

• Store cumulative statistics system data in shared memory (Kyotaro Horiguchi, Andres Freund, Melanie Plageman)

  Previously this data was sent to a statistics collector process via UDP packets, and could only be read by sessions after transferring it via the file system. There is no longer a separate statistics collector process.

• Add additional information to VACUUM VERBOSE and autovacuum logging messages (Peter Geoghegan)

• Add EXPLAIN (BUFFERS) output for temporary file block I/O (Masahiko Sawada)

• Allow log output in JSON format (Sehrope Sarkuni, Michael Paquier)

  The new setting is log_destination = jsonlog.

• Allow pg_stat_reset_single_table_counters() to reset the counters of relations shared across all databases (Sadhuprasad Patro)

• Add wait events for local shell commands (Fujii Masao)

  The new wait events are used when calling archive_command, archive_cleanup_command, restore_command and recovery_end_command.

 Privileges (PG 15.0)

• Allow table accesses done by a view to optionally be controlled by privileges of the view's caller (Christoph Heiss)

  Previously, view accesses were always treated as being done by the view's owner. That's still the default.

• Allow members of the pg_write_server_files predefined role to perform server-side base backups (Dagfinn Ilmari Mannsåker)

  Previously only superusers could perform such backups.

• Allow GRANT to grant permissions to change individual server variables via SET and ALTER SYSTEM (Mark Dilger)

  The new function has_parameter_privilege() reports on this privilege.

• Add predefined role pg_checkpoint that allows members to run CHECKPOINT (Jeff Davis)

  Previously checkpoints could only be run by superusers.

• Allow members of the pg_read_all_stats predefined role to access the views pg_backend_memory_contexts and pg_shmem_allocations (Bharath Rupireddy)

  Previously these views could only be accessed by superusers.

• Allow GRANT to grant permissions on pg_log_backend_memory_contexts() (Jeff Davis)

  Previously this function could only be run by superusers.

 Server Configuration (PG 15.0)

• Add server variable shared_memory_size to report the size of allocated shared memory (Nathan Bossart)

• Add server variable shared_memory_size_in_huge_pages to report the number of huge memory pages required (Nathan Bossart)

  This is only supported on Linux.

• Honor server variable shared_preload_libraries in single-user mode (Jeff Davis)

  This change supports use of shared_preload_libraries to load custom access methods and WAL resource managers, which would be essential for database access even in single-user mode.

• On Solaris, make the default setting of dynamic_shared_memory_type be sysv (Thomas Munro)

  The previous default choice, posix, can result in spurious failures on this platform.

• Allow postgres -C to properly report runtime-computed values (Nathan Bossart)

  Previously runtime-computed values data_checksums, wal_segment_size, and data_directory_mode would report values that would not be accurate on the running server. However, this does not work on a running server.

 Streaming Replication and Recovery (PG 15.0)

• Add support for LZ4 and Zstandard compression of server-side base backups (Jeevan Ladhe, Robert Haas)

• Run the checkpointer and bgwriter processes during crash recovery (Thomas Munro)

  This helps to speed up long crash recoveries.

• Allow WAL processing to pre-fetch needed file contents (Thomas Munro)

  This is controlled by the server variable recovery_prefetch.

• Allow archiving via loadable modules (Nathan Bossart)

  Previously, archiving was only done by calling shell commands. The new server variable archive_library can be set to specify a library to be called for archiving.

• No longer require IDENTIFY_SYSTEM to be run before START_REPLICATION (Jeff Davis)

 Logical Replication (PG 15.0)

• Allow publication of all tables in a schema (Vignesh C, Hou Zhijie, Amit Kapila)

  For example, this syntax is now supported: CREATE PUBLICATION pub1 FOR TABLES IN SCHEMA s1,s2. ALTER PUBLICATION supports a similar syntax. Tables added later to the listed schemas will also be replicated.

• Allow publication content to be filtered using a WHERE clause (Hou Zhijie, Euler Taveira, Peter Smith, Ajin Cherian, Tomas Vondra, Amit Kapila)

  Rows not satisfying the WHERE clause are not published.

• Allow publication content to be restricted to specific columns (Tomas Vondra, Álvaro Herrera, Rahila Syed)

• Allow skipping of transactions on a subscriber using ALTER SUBSCRIPTION ... SKIP (Masahiko Sawada)

• Add support for prepared (two-phase) transactions to logical replication (Peter Smith, Ajin Cherian, Amit Kapila, Nikhil Sontakke, Stas Kelvich)

  The new CREATE_REPLICATION_SLOT option is called TWO_PHASE. pg_recvlogical now supports a new --two-phase option during slot creation.

• Prevent logical replication of empty transactions (Ajin Cherian, Hou Zhijie, Euler Taveira)

  Previously, publishers would send empty transactions to subscribers if subscribed tables were not modified.

• Add SQL functions to monitor the directory contents of logical replication slots (Bharath Rupireddy)

  The new functions are pg_ls_logicalsnapdir(), pg_ls_logicalmapdir(), and pg_ls_replslotdir(). They can be run by members of the predefined pg_monitor role.

• Allow subscribers to stop the application of logical replication changes on error (Osumi Takamichi, Mark Dilger)

  This is enabled with the subscriber option disable_on_error and avoids possible infinite error loops during stream application.

• Adjust subscriber server variables to match the publisher so datetime and float8 values are interpreted consistently (Japin Li)

  Some publishers might be relying on inconsistent behavior.

• Add system view pg_stat_subscription_stats to report on subscriber activity (Masahiko Sawada)

  The new function pg_stat_reset_subscription_stats() allows resetting these statistics counters.

• Suppress duplicate entries in the pg_publication_tables system view (Hou Zhijie)

  In some cases a partition could appear more than once.

 Utility Commands (PG 15.0)

• Add SQL MERGE command to adjust one table to match another (Simon Riggs, Pavan Deolasee, Álvaro Herrera, Amit Langote)

  This is similar to INSERT ... ON CONFLICT but more batch-oriented.

• Add support for HEADER option in COPY text format (Rémi Lapeyre)

  The new option causes the column names to be output, and optionally verified on input.

• Add new WAL-logged method for database creation (Dilip Kumar)

  This is the new default method for copying the template database, as it avoids the need for checkpoints during database creation. However, it might be slow if the template database is large, so the old method is still available.

• Allow CREATE DATABASE to set the database OID (Shruthi Gowda, Antonin Houska)

• Prevent DROP DATABASE, DROP TABLESPACE, and ALTER DATABASE SET TABLESPACE from occasionally failing during concurrent use on Windows (Thomas Munro)

• Allow foreign key ON DELETE SET actions to affect only specified columns (Paul Martinez)

  Previously, all of the columns in the foreign key were always affected.

• Allow ALTER TABLE to modify a table's ACCESS METHOD (Justin Pryzby, Jeff Davis)

• Properly call object access hooks when ALTER TABLE causes table rewrites (Michael Paquier)

• Allow creation of unlogged sequences (Peter Eisentraut)

• Track dependencies on individual columns in the results of functions returning composite types (Tom Lane)

  Previously, if a view or rule contained a reference to a specific column within the result of a composite-returning function, that was not noted as a dependency; the view or rule was only considered to depend on the composite type as a whole. This meant that dropping the individual column would be allowed, causing problems in later use of the view or rule. The column-level dependency is now also noted, so that dropping such a column will be rejected unless the view is changed or dropped.

 Data Types (PG 15.0)

• Allow the scale of a numeric value to be negative, or greater than its precision (Dean Rasheed, Tom Lane)

  This allows rounding of values to the left of the decimal point, e.g., '1234'::numeric(4, -2) returns 1200.

• Improve overflow detection when casting values to interval (Joe Koshakow)

• Change the I/O format of type "char" for non-ASCII characters (Tom Lane)

• Update the display width information of modern Unicode characters, like emojis (Jacob Champion)

  Also update from Unicode 5.0 to 14.0.0. There is now an automated way to keep Postgres updated with Unicode releases.

 Functions (PG 15.0)

• Add multirange input to range_agg() (Paul Jungwirth)

• Add MIN() and MAX() aggregates for the xid8 data type (Ken Kato)

• Add regular expression functions for compatibility with other relational systems (Gilles Darold, Tom Lane)

  The new functions are regexp_count(), regexp_instr(), regexp_like(), and regexp_substr(). Some new optional arguments were also added to regexp_replace().

• Add the ability to compute the distance between polygons (Tom Lane)

• Add to_char() format codes of, tzh, and tzm (Nitin Jadhav)

  The upper-case equivalents of these were already supported.

• When applying AT TIME ZONE to a time with time zone value, use the transaction start time rather than wall clock time to determine whether DST applies (Aleksander Alekseev, Tom Lane)

  This allows the conversion to be considered stable rather than volatile, and it saves a kernel call per invocation.

• Ignore NULL array elements in ts_delete() and setweight() functions with array arguments (Jean-Christophe Arnu)

  These functions effectively ignore empty-string array elements (since those could never match a valid lexeme). It seems consistent to let them ignore NULL elements too, instead of failing.

• Add support for petabyte units to pg_size_pretty() and pg_size_bytes() (David Christensen)

• Change pg_event_trigger_ddl_commands() to output references to other sessions' temporary schemas using the actual schema name (Tom Lane)

  Previously this function reported all temporary schemas as pg_temp, but it's misleading to use that for any but the current session's temporary schema.

 PL/pgSQL (PG 15.0)

• Fix enforcement of PL/pgSQL variable CONSTANT markings (Tom Lane)

  Previously, a variable could be used as a CALL output parameter or refcursor OPEN variable despite being marked CONSTANT.

 libpq (PG 15.0)

• Allow IP address matching against a server certificate's Subject Alternative Name (Jacob Champion)

• Allow PQsslAttribute() to report the SSL library type without requiring a libpq connection (Jacob Champion)

• Change query cancellations sent by the client to use the same TCP settings as normal client connections (Jelte Fennema)

  This allows configured TCP timeouts to apply to query cancel connections.

• Prevent libpq event callback failures from forcing an error result (Tom Lane)

 Client Applications (PG 15.0)

• Allow pgbench to retry after serialization and deadlock failures (Yugo Nagata, Marina Polyakova)

 psql (PG 15.0)

• Improve performance of psql's \copy command, by sending data in larger chunks (Heikki Linnakangas)

• Add \dconfig command to report server variables (Mark Dilger, Tom Lane)

  This is similar to the server-side SHOW command, but it can process patterns to show multiple variables conveniently.

• Add \getenv command to assign the value of an environment variable to a psql variable (Tom Lane)

• Add + option to the \lo_list and \dl commands to show large-object privileges (Pavel Luzanov)

• Add a pager option for the \watch command (Pavel Stehule, Thomas Munro)

  This is only supported on Unix and is controlled by the PSQL_WATCH_PAGER environment variable.

• Make psql include intra-query double-hyphen comments in queries sent to the server (Tom Lane, Greg Nancarrow)

  Previously such comments were removed from the query before being sent. Double-hyphen comments that are before any query text are not sent, and are not recorded as separate psql history entries.

• Adjust psql so that Readline's meta-# command will insert a double-hyphen comment marker (Tom Lane)

  Previously a pound marker was inserted, unless the user had taken the trouble to configure a non-default comment marker.

• Make psql output all results when multiple queries are passed to the server at once (Fabien Coelho)

  Previously, only the last query result was displayed. The old behavior can be restored by setting the SHOW_ALL_RESULTS psql variable to off.

• After an error is detected in --single-transaction mode, change the final COMMIT command to ROLLBACK only if ON_ERROR_STOP is set (Michael Paquier)

  Previously, detection of an error in a -c command or -f script file would lead to issuing ROLLBACK at the end, regardless of the value of ON_ERROR_STOP.

• Improve psql's tab completion (Shinya Kato, Dagfinn Ilmari Mannsåker, Peter Smith, Koyu Tanigawa, Ken Kato, David Fetter, Haiying Tang, Peter Eisentraut, Álvaro Herrera, Tom Lane, Masahiko Sawada)

• Limit support of psql's backslash commands to servers running PostgreSQL 9.2 or later (Tom Lane)

  Remove code that was only used when running with an older server. Commands that do not require any version-specific adjustments compared to 9.2 will still work.

 pg_dump (PG 15.0)

• Make pg_dump dump public schema ownership changes and security labels (Noah Misch)

• Improve performance of dumping databases with many objects (Tom Lane)

  This will also improve the performance of pg_upgrade.

• Improve parallel pg_dump's performance for tables with large TOAST tables (Tom Lane)

• Add dump/restore option --no-table-access-method to force restore to only use the default table access method (Justin Pryzby)

• Limit support of pg_dump and pg_dumpall to servers running PostgreSQL 9.2 or later (Tom Lane)

 Server Applications (PG 15.0)

• Add new pg_basebackup option --target to control the base backup location (Robert Haas)

  The new options are server to write the backup locally and blackhole to discard the backup (for testing).

• Allow pg_basebackup to do server-side gzip, LZ4, and Zstandard compression and client-side LZ4 and Zstandard compression of base backup files (Dipesh Pandit, Jeevan Ladhe)

  Client-side gzip compression was already supported.

• Allow pg_basebackup to compress on the server side and decompress on the client side before storage (Dipesh Pandit)

  This is accomplished by specifying compression on the server side and plain output format.

• Allow pg_basebackup's --compress option to control the compression location (server or client), compression method, and compression options (Michael Paquier, Robert Haas)

• Add the LZ4 compression method to pg_receivewal (Georgios Kokolatos)

  This is enabled via --compress=lz4 and requires binaries to be built using --with-lz4.

• Add additional capabilities to pg_receivewal's --compress option (Georgios Kokolatos)

• Improve pg_receivewal's ability to restart at the proper WAL location (Ronan Dunklau)

  Previously, pg_receivewal would start based on the WAL file stored in the local archive directory, or at the sending server's current WAL flush location. With this change, if the sending server is running Postgres 15 or later, the local archive directory is empty, and a replication slot is specified, the replication slot's restart point will be used.

• Add pg_rewind option --config-file to simplify use when server configuration files are stored outside the data directory (Gunnar Bluth)

 pg_upgrade (PG 15.0)

• Store pg_upgrade's log and temporary files in a subdirectory of the new cluster called pg_upgrade_output.d (Justin Pryzby)

  Previously such files were left in the current directory, requiring manual cleanup. Now they are automatically removed on successful completion of pg_upgrade.

• Disable default status reporting during pg_upgrade operation if the output is not a terminal (Andres Freund)

  The status reporting output can be enabled for non-tty usage by using --verbose.

• Make pg_upgrade report all databases with invalid connection settings (Jeevan Ladhe)

  Previously only the first database with an invalid connection setting was reported.

• Make pg_upgrade preserve tablespace and database OIDs, as well as relation relfilenode numbers (Shruthi Gowda, Antonin Houska)

• Add a --no-sync option to pg_upgrade (Michael Paquier)

  This is recommended only for testing.

• Limit support of pg_upgrade to old servers running PostgreSQL 9.2 or later (Tom Lane)

 pg_waldump (PG 15.0)

• Allow pg_waldump output to be filtered by relation file node, block number, fork number, and full page images (David Christensen, Thomas Munro)

• Make pg_waldump report statistics before an interrupted exit (Bharath Rupireddy)

  For example, issuing a control-C in a terminal running pg_waldump --stats --follow will report the current statistics before exiting. This does not work on Windows.

• Improve descriptions of some transaction WAL records reported by pg_waldump (Masahiko Sawada, Michael Paquier)

• Allow pg_waldump to dump information about multiple resource managers (Heikki Linnakangas)

  This is enabled by specifying the --rmgr option multiple times.

 Documentation (PG 15.0)

• Add documentation for pg_encoding_to_char() and pg_char_to_encoding() (Ian Lawrence Barwick)

• Document the ^@ starts-with operator (Tom Lane)

 Source Code (PG 15.0)

• Add support for continuous integration testing using cirrus-ci (Andres Freund, Thomas Munro, Melanie Plageman)

• Add configure option --with-zstd to enable Zstandard builds (Jeevan Ladhe, Robert Haas, Michael Paquier)

• Add an ABI identifier field to the magic block in loadable libraries, allowing non-community PostgreSQL distributions to identify libraries that are not compatible with other builds (Peter Eisentraut)

  An ABI field mismatch will generate an error at load time.

• Create a new pg_type.typcategory value for "char" (Tom Lane)

  Some other internal-use-only types have also been assigned to this category.

• Add new protocol message TARGET to specify a new COPY method to be used for base backups (Robert Haas)

  pg_basebackup now uses this method.

• Add new protocol message COMPRESSION and COMPRESSION_DETAIL to specify the compression method and options (Robert Haas)

• Remove server support for old BASE_BACKUP command syntax and base backup protocol (Robert Haas)

• Add support for extensions to set custom backup targets (Robert Haas)

• Allow extensions to define custom WAL resource managers (Jeff Davis)

• Add function pg_settings_get_flags() to get the flags of server variables (Justin Pryzby)

• On Windows, export all the server's global variables using PGDLLIMPORT markers (Robert Haas)

  Previously, only specific variables were accessible to extensions on Windows.

• Require GNU make version 3.81 or later to build PostgreSQL (Tom Lane)

• Require OpenSSL to build the pgcrypto extension (Peter Eisentraut)

• Require Perl version 5.8.3 or later (Dagfinn Ilmari Mannsåker)

• Require Python version 3.2 or later (Andres Freund)

 Additional Modules (PG 15.0)

• Allow amcheck to check sequences (Mark Dilger)

• Improve amcheck sanity checks for TOAST tables (Mark Dilger)

• Add new module basebackup_to_shell as an example of a custom backup target (Robert Haas)

• Add new module basic_archive as an example of performing archiving via a library (Nathan Bossart)

• Allow btree_gist indexes on boolean columns (Emre Hasegeli)

  These can be used for exclusion constraints.

• Fix pageinspect's page_header() to handle 32-kilobyte page sizes (Quan Zongliang)

  Previously, improper negative values could be returned in certain cases.

• Add counters for temporary file block I/O to pg_stat_statements (Masahiko Sawada)

• Add JIT counters to pg_stat_statements (Magnus Hagander)

• Add new module pg_walinspect (Bharath Rupireddy)

  This gives SQL-level output similar to pg_waldump.

• Indicate the permissive/enforcing state in sepgsql log messages (Dave Page)

 postgres_fdw (PG 15.0)

• Allow postgres_fdw to push down CASE expressions (Alexander Pyhalov)

• Add server variable postgres_fdw.application_name to control the application name of postgres_fdw connections (Hayato Kuroda)

  Previously the remote session's application_name could only be set on the remote server or via a postgres_fdw connection specification. postgres_fdw.application_name supports some escape sequences for customization, making it easier to tell such connections apart on the remote server.

• Allow parallel commit on postgres_fdw servers (Etsuro Fujita)

  This is enabled with the CREATE SERVER option parallel_commit.

 Acknowledgments

The following individuals (in alphabetical order) have contributed to this release as patch authors, committers, reviewers, testers, or reporters of issues.

• Abhijit Menon-Sen
• Adam Brusselback
• Adam Mackler
• Adrian Ho
• Ahsan Hadi
• Ajin Cherian
• Alastair McKinley
• Aleksander Alekseev
• Ales Zeleny
• Alex Kingsborough
• Alex Kozhemyakin
• Alexander Korotkov
• Alexander Kukushkin
• Alexander Lakhin
• Alexander Nawratil
• Alexander Pyhalov
• Alexey Borzov
• Alexey Ermakov
• Aliaksandr Kalenik
• Álvaro Herrera
• Amit Kapila
• Amit Khandekar
• Amit Langote
• Amul Sul
• Anastasia Lubennikova
• Anders Kaseorg
• Andreas Dijkman
• Andreas Grob
• Andreas Seltenreich
• Andrei Zubkov
• Andres Freund
• Andrew Alsup
• Andrew Bille
• Andrew Dunstan
• Andrew Gierth
• Andrew Kesper
• Andrey Borodin
• Andrey Lepikhov
• Andrey Sokolov
• Andy Fan
• Anton Melnikov
• Anton Voloshin
• Antonin Houska
• Arjan van de Ven
• Arne Roland
• Arthur Zakirov
• Ashutosh Bapat
• Ashutosh Sharma
• Ashwin Agrawal
• Asif Rehman
• Asim Praveen
• Atsushi Torikoshi
• Aya Iwata
• Bauyrzhan Sakhariyev
• Benoit Lobréau
• Bernd Dorn
• Bertrand Drouvot
• Bharath Rupireddy
• Björn Harrtell
• Boris Kolpackov
• Boris Korzun
• Brad Nicholson
• Brar Piening
• Bruce Momjian
• Bruno da Silva
• Bryn Llewellyn
• Carl Sopchak
• Cary Huang
• Chapman Flack
• Chen Jiaoqian
• Chris Bandy
• Chris Lowder
• Christian Quest
• Christoph Berg
• Christoph Heiss
• Christophe Pettus
• Christopher Painter-Wakefield
• Claudio Freire
• Clemens Zeidler
• Corey Huinker
• Dag Lem
• Dagfinn Ilmari Mannsåker
• Dan Kubb
• Daniel Cherniy
• Daniel Gustafsson
• Daniel Polski
• Daniel Vérité
• Daniel Westermann
• Daniele Varrazzo
• Daniil Anisimov
• Danny Shemesh
• Darafei Praliaskouski
• Daria Lepikhova
• Dave Cramer
• Dave Page
• David Christensen
• David Fetter
• David G. Johnston
• David Rowley
• David Steele
• David Zhang
• Dean Rasheed
• Dian Fay
• Dilip Kumar
• Dipesh Pandit
• Dmitry Dolgov
• Dmitry Koval
• Dmitry Marakasov
• Dominique Devienne
• Dong Wook
• Drew DeVault
• Eduard Català
• Egor Chindyaskin
• Egor Rogov
• Ekaterina Kiryanova
• Elena Indrupskaya
• Elvis Pranskevichus
• Emmanuel Quincerot
• Emre Hasegeli
• Eric Mutta
• Erica Zhang
• Erik Rijkers
• Erki Eessaar
• Etsuro Fujita
• Euler Taveira
• Fabien Coelho
• Fabrice Chapuis
• Fabrice Fontaine
• Fabrízio de Royes Mello
• Feike Steenbergen
• Filip Gospodinov
• Florin Irion
• Floris Van Nee
• Frédéric Yhuel
• Gabriela Serventi
• Gabriele Varrazzo
• Gaurab Dey
• Geoff Winkless
• Geoffrey Blake
• Georgios Kokolatos
• Gilles Darold
• Greg Nancarrow
• Greg Rychlewski
• Greg Sabino Mullane
• Greg Stark
• Gregory Smith
• Guillaume Lelarge
• Gunnar Bluth
• Gurjeet Singh
• Haiyang Wang
• Haiying Tang
• Hannu Krosing
• Hans Buschmann
• Hayato Kuroda
• Heath Lord
• Heikki Linnakangas
• Herwig Goemans
• Himanshu Upadhyaya
• Holly Roberts
• Hou Zhijie
• Hubert Lubaczewski
• Ian Barwick
• Ian Campbell
• Ibrar Ahmed
• Ildus Kurbangaliev
• Ilya Anfimov
• Itamar Gafni
• Jacob Champion
• Jaime Casanova
• Jakub Wartak
• James Coleman
• James Hilliard
• James Inform
• Jan Piotrowski
• Japin Li
• Jason Harvey
• Jason Kim
• Jean-Christophe Arnu
• Jeevan Ladhe
• Jeff Davis
• Jeff Janes
• Jehan-Guillaume de Rorthais
• Jelte Fennema
• Jeremy Evans
• Jeremy Schneider
• Jian Guo
• Jian He
• Jimmy Yih
• Jiri Fejfar
• Jitka Plesníková
• Joe Conway
• Joe Wildish
• Joel Jacobson
• Joey Bodoia
• John Naylor
• Jonathan Katz
• Josef Simanek
• Joseph Koshakow
• Josh Soref
• Joshua Brindle
• Juan José Santamaría Flecha
• Julien Rouhaud
• Julien Roze
• Junwang Zhao
• Jürgen Purtz
• Justin Pryzby
• Ken Kato
• Kevin Burke
• Kevin Grittner
• Kevin Humphreys
• Kevin McKibbin
• Kevin Sweet
• Kevin Zheng
• Klaudie Willis
• Konstantin Knizhnik
• Konstantina Skovola
• Kosei Masumura
• Kotaro Kawamoto
• Koyu Tanigawa
• Kuntal Ghosh
• Kyotaro Horiguchi
• Lars Kanis
• Lauren Fliksteen
• Laurent Hasson
• Laurenz Albe
• Leslie Lemaire
• Liam Bowen
• Lingjie Qiang
• Liu Huailing
• Louis Jachiet
• Lukas Fittl
• Ma Liangzhu
• Maciek Sakrejda
• Magnus Hagander
• Mahendra Singh Thalor
• Maksim Milyutin
• Marc Bachmann
• Marcin Krupowicz
• Marcus Gartner
• Marek Szuba
• Marina Polyakova
• Mario Emmenlauer
• Mark Dilger
• Mark Murawski
• Mark Wong
• Markus Wanner
• Markus Winand
• Martijn van Oosterhout
• Martin Jurca
• Martin Kalcher
• Martín Marqués
• Masahiko Sawada
• Masahiro Ikeda
• Masao Fujii
• Masaya Kawamoto
• Masayuki Hirose
• Matthias van de Meent
• Matthijs van der Vleuten
• Maxim Orlov
• Maxim Yablokov
• Melanie Plageman
• Michael Banck
• Michael Harris
• Michael J. Sullivan
• Michael Meskes
• Michael Mühlbeyer
• Michael Paquier
• Michael Powers
• Mike Fiedler
• Mike Oh
• Mikhail Kulagin
• Miles Delahunty
• Naoki Okano
• Nathan Bossart
• Nathan Long
• Nazir Bilal Yavuz
• Neha Sharma
• Neil Chen
• Nicola Contu
• Nicolas Lutic
• Nikhil Benesch
• Nikhil Shetty
• Nikhil Sontakke
• Nikita Glukhov
• Nikolai Berkoff
• Nikolay Samokhvalov
• Nikolay Shaplov
• Nitin Jadhav
• Noah Misch
• Noboru Saito
• Noriyoshi Shinoda
• Olaf Bohlen
• Olly Betts
• Onder Kalaci
• Oskar Stenberg
• Otto Kekalainen
• Paul Guo
• Paul Jungwirth
• Paul Martinez
• Pavan Deolasee
• Pavel Borisov
• Pavel Luzanov
• Pavel Stehule
• Peter Eisentraut
• Peter Geoghegan
• Peter Slavov
• Peter Smith
• Petr Jelínek
• Phil Florent
• Phil Krylov
• Pierre-Aurélien Georges
• Prabhat Sahu
• Quan Zongliang
• Rachel Heaton
• Rahila Syed
• Rajakavitha Kodhandapani
• Rajkumar Raghuwanshi
• Ranier Vilela
• Rei Kamigishi
• Reid Thompson
• Rémi Lapeyre
• Renan Soares Lopes
• Richard Guo
• Richard Wesley
• RKN Sai Krishna
• Robert Haas
• Robert Treat
• Roberto Mello
• Robins Tharakan
• Roger Mason
• Roman Zharkov
• Ronan Dunklau
• Rui Zhao
• Ryan Kelly
• Ryo Matsumura
• Ryohei Takahashi
• Sadhuprasad Patro
• Sait Talha Nisanci
• Sami Imseih
• Sandeep Thakkar
• Sebastian Kemper
• Sehrope Sarkuni
• Sergei Kornilov
• Sergei Shoulbakov
• Sergey Shinderuk
• Shay Rojansky
• Shenhao Wang
• Shi Yu
• Shinya Kato
• Shruthi Gowda
• Simon Perepelitsa
• Simon Riggs
• Sirisha Chamarthi
• Soumyadeep Chakraborty
• Stan Hu
• Stas Kelvich
• Stefen Hillman
• Stephen Frost
• Steve Chavez
• Sumanta Mukherjee
• Suraj Khamkar
• Suraj Kharage
• Sven Klemm
• Takamichi Osumi
• Takayuki Tsunakawa
• Takeshi Ideriha
• Tatsuhiro Nakamori
• Tatsuhito Kasahara
• Tatsuo Ishii
• Tatsuro Yamada
• Teja Mupparti
• Teodor Sigaev
• Thibaud Walkowiak
• Thom Brown
• Thomas McKay
• Thomas Munro
• Tim McNamara
• Timo Stolz
• Timur Khanjanov
• Tom Lane
• Tomas Barton
• Tomas Vondra
• Tony Reix
• Troy Frericks
• Tushar Ahuja
• Victor Wagner
• Victor Yegorov
• Vignesh C
• Vik Fearing
• Vincas Dargis
• Vitaly Burovoy
• Vitaly Voronov
• Vladimir Sitnikov
• Wang Ke
• Wei Sun
• Wei Wang
• Whale Song
• Will Mortensen
• Wolfgang Walther
• Yanliang Lei
• Yaoguang Chen
• Yogendra Suralkar
• YoungHwan Joo
• Yugo Nagata
• Yukun Wang
• Yura Sokolov
• Yusuke Egashira
• Yuzuko Hosoya
• Zhang Mingli
• Zhang Wenjie
• Zhihong Yu
• Zhiyong Wu

Postgres version 14.10

Release date: 2023-11-09

This release contains a variety of fixes from 14.9. For information about new features in major release 14, see Version 14.0.

 Migration to Version 14.10

A dump/restore is not required for those running 14.X.

However, several mistakes have been discovered that could lead to certain types of indexes yielding wrong search results or being unnecessarily inefficient. It is advisable to REINDEX potentially-affected indexes after installing this update. See the fourth through seventh changelog entries below.

Also, if you are upgrading from a version earlier than 14.9, see Version 14.9.

 Changes

• Fix handling of unknown-type arguments in DISTINCT "any" aggregate functions (Tom Lane)

  This error led to a text-type value being interpreted as an unknown-type value (that is, a zero-terminated string) at runtime. This could result in disclosure of server memory following the text value.

  The PostgreSQL Project thanks Jingzhou Fu for reporting this problem. (CVE-2023-5868 or CVE-2023-5868)

• Detect integer overflow while computing new array dimensions (Tom Lane)

  When assigning new elements to array subscripts that are outside the current array bounds, an undetected integer overflow could occur in edge cases. Memory stomps that are potentially exploitable for arbitrary code execution are possible, and so is disclosure of server memory.

  The PostgreSQL Project thanks Pedro Gallegos for reporting this problem. (CVE-2023-5869 or CVE-2023-5869)

• Prevent the pg_signal_backend role from signalling background workers and autovacuum processes (Noah Misch, Jelte Fennema-Nio)

  The documentation says that pg_signal_backend cannot issue signals to superuser-owned processes. It was able to signal these background processes, though, because they advertise a role OID of zero. Treat that as indicating superuser ownership. The security implications of cancelling one of these process types are fairly small so far as the core code goes (we'll just start another one), but extensions might add background workers that are more vulnerable.

  Also ensure that the is_superuser parameter is set correctly in such processes. No specific security consequences are known for that oversight, but it might be significant for some extensions.

  The PostgreSQL Project thanks Hemanth Sandrana and Mahendrakar Srinivasarao for reporting this problem. (CVE-2023-5870 or CVE-2023-5870)

• Fix misbehavior during recursive page split in GiST index build (Heikki Linnakangas)

  Fix a case where the location of a page downlink was incorrectly tracked, and introduce some logic to allow recovering from such situations rather than silently doing the wrong thing. This error could result in incorrect answers from subsequent index searches. It may be advisable to reindex all GiST indexes after installing this update.

• Prevent de-duplication of btree index entries for interval columns (Noah Misch)

  There are interval values that are distinguishable but compare equal, for example 24:00:00 and 1 day. This breaks assumptions made by btree de-duplication, so interval columns need to be excluded from de-duplication. This oversight can cause incorrect results from index-only scans. Moreover, after updating amcheck will report an error for almost all such indexes. Users should reindex any btree indexes on interval columns.

• Process date values more sanely in BRIN datetime_minmax_multi_ops indexes (Tomas Vondra)

  The distance calculation for dates was backward, causing poor decisions about which entries to merge. The index still produces correct results, but is much less efficient than it should be. Reindexing BRIN minmax_multi indexes on date columns is advisable.

• Process large timestamp and timestamptz values more sanely in BRIN datetime_minmax_multi_ops indexes (Tomas Vondra)

  Infinities were mistakenly treated as having distance zero rather than a large distance from other values, causing poor decisions about which entries to merge. Also, finite-but-very-large values (near the endpoints of the representable timestamp range) could result in internal overflows, again causing poor decisions. The index still produces correct results, but is much less efficient than it should be. Reindexing BRIN minmax_multi indexes on timestamp and timestamptz columns is advisable if the column contains, or has contained, infinities or large finite values.

• Avoid calculation overflows in BRIN interval_minmax_multi_ops indexes with extreme interval values (Tomas Vondra)

  This bug might have caused unexpected failures while trying to insert large interval values into such an index.

• Fix partition step generation and runtime partition pruning for hash-partitioned tables with multiple partition keys (David Rowley)

  Some cases involving an IS NULL condition on one of the partition keys could result in a crash.

• Correctly identify the target table in an inherited UPDATE/DELETE/MERGE even when the parent table is excluded by constraints (Amit Langote, Tom Lane)

  If the initially-named table is excluded by constraints, but not all its inheritance descendants are, the first non-excluded descendant was identified as the primary target table. This would lead to firing statement-level triggers associated with that table, rather than the initially-named table as should happen. In v16, the same oversight could also lead to “invalid perminfoindex 0 in RTE with relid NNNN” errors.

• Fix edge case in btree mark/restore processing of ScalarArrayOpExpr clauses (Peter Geoghegan)

  When restoring an indexscan to a previously marked position, the code could miss required setup steps if the scan had advanced exactly to the end of the matches for a ScalarArrayOpExpr (that is, an indexcol = ANY (ARRAY[])) clause. This could result in missing some rows that should have been fetched.

• Fix intra-query memory leak in Memoize execution (Orlov Aleksej, David Rowley)

• Fix intra-query memory leak when a set-returning function repeatedly returns zero rows (Tom Lane)

• Don't crash if cursor_to_xmlschema() is applied to a non-data-returning Portal (Boyu Yang)

• Throw the intended error if pgrowlocks() is applied to a partitioned table (David Rowley)

  Previously, a not-on-point complaint “only heap AM is supported” would be raised.

• Handle invalid indexes more cleanly in assorted SQL functions (Noah Misch)

  Report an error if pgstatindex(), pgstatginindex(), pgstathashindex(), or pgstattuple() is applied to an invalid index. If brin_desummarize_range(), brin_summarize_new_values(), brin_summarize_range(), or gin_clean_pending_list() is applied to an invalid index, do nothing except to report a debug-level message. Formerly these functions attempted to process the index, and might fail in strange ways depending on what the failed CREATE INDEX had left behind.

• Avoid premature memory allocation failure with long inputs to to_tsvector() (Tom Lane)

• Fix over-allocation of the constructed tsvector in tsvectorrecv() (Denis Erokhin)

  If the incoming vector includes position data, the binary receive function left wasted space (roughly equal to the size of the position data) in the finished tsvector. In extreme cases this could lead to “maximum total lexeme length exceeded” failures for vectors that were under the length limit when emitted. In any case it could lead to wasted space on-disk.

• Fix incorrect coding in gtsvector_picksplit() (Alexander Lakhin)

  This could lead to poor page-split decisions in GiST indexes on tsvector columns.

• Improve checks for corrupt PGLZ compressed data (Flavien Guedez)

• Fix COMMIT AND CHAIN/ROLLBACK AND CHAIN to work properly when there is an unreleased savepoint (Liu Xiang, Tom Lane)

  Instead of propagating the current transaction's properties to the new transaction, they propagated some previous transaction's properties.

• In COPY FROM, fail cleanly when an unsupported encoding conversion is needed (Tom Lane)

  Recent refactoring accidentally removed the intended error check for this, such that it ended in “cache lookup failed for function 0” instead of a useful error message.

• Avoid crash in EXPLAIN if a parameter marked to be displayed by EXPLAIN has a NULL boot-time value (Xing Guo, Aleksander Alekseev, Tom Lane)

  No built-in parameter fits this description, but an extension could define such a parameter.

• Ensure we have a snapshot while dropping ON COMMIT DROP temp tables (Tom Lane)

  This prevents possible misbehavior if any catalog entries for the temp tables have fields wide enough to require toasting (such as a very complex CHECK condition).

• Avoid improper response to shutdown signals in child processes just forked by system() (Nathan Bossart)

  This fix avoids a race condition in which a child process that has been forked off by system(), but hasn't yet exec'd the intended child program, might receive and act on a signal intended for the parent server process. That would lead to duplicate cleanup actions being performed, which will not end well.

• Cope with torn reads of pg_control in frontend programs (Thomas Munro)

  On some file systems, reading pg_control may not be an atomic action when the server concurrently writes that file. This is detectable via a bad CRC. Retry a few times to see if the file becomes valid before we report error.

• Avoid torn reads of pg_control in relevant SQL functions (Thomas Munro)

  Acquire the appropriate lock before reading pg_control, to ensure we get a consistent view of that file.

• Avoid integer overflow when computing size of backend activity string array (Jakub Wartak)

  On 64-bit machines we will allow values of track_activity_query_size large enough to cause 32-bit overflow when multiplied by the allowed number of connections. The code actually allocating the per-backend local array was careless about this though, and allocated the array incorrectly.

• Fix briefly showing inconsistent progress statistics for ANALYZE on inherited tables (Heikki Linnakangas)

  The block-level counters should be reset to zero at the same time we update the current-relation field.

• Fix the background writer to report any WAL writes it makes to the statistics counters (Nazir Bilal Yavuz)

• Track the dependencies of cached CALL statements, and re-plan them when needed (Tom Lane)

  DDL commands, such as replacement of a function that has been inlined into a CALL argument, can create the need to re-plan a CALL that has been cached by PL/pgSQL. That was not happening, leading to misbehavior or strange errors such as “cache lookup failed”.

• Track nesting depth correctly when inspecting RECORD-type Vars from outer query levels (Richard Guo)

  This oversight could lead to assertion failures, core dumps, or “bogus varno” errors.

• Track hash function and negator function dependencies of ScalarArrayOpExpr plan nodes (David Rowley)

  In most cases this oversight was harmless, since these functions would be unlikely to disappear while the node's original operator remains present.

• Fix error-handling bug in RECORD type cache management (Thomas Munro)

  An out-of-memory error occurring at just the wrong point could leave behind inconsistent state that would lead to an infinite loop.

• Fix assertion failure when logical decoding is retried in the same session after an error (Hou Zhijie)

• Treat out-of-memory failures as fatal while reading WAL (Michael Paquier)

  Previously this would be treated as a bogus-data condition, leading to the conclusion that we'd reached the end of WAL, which is incorrect and could lead to inconsistent WAL replay.

• Fix possible recovery failure due to trying to allocate memory based on a bogus WAL record length field (Thomas Munro, Michael Paquier)

• Ensure that standby-mode WAL recovery reports an error when an invalid page header is found (Yugo Nagata, Kyotaro Horiguchi)

• Fix datatype size confusion in logical tape management (Ranier Vilela)

  Integer overflow was possible on platforms where long is wider than int, although it would take a multiple-terabyte temporary file to cause a problem.

• Avoid unintended close of syslogger process's stdin (Heikki Linnakangas)

• Avoid doing plan cache revalidation of utility statements that do not receive interesting processing during parse analysis (Tom Lane)

  Aside from saving a few cycles, this prevents failure after a cache invalidation for statements that must not set a snapshot, such as SET TRANSACTION ISOLATION LEVEL.

• Keep by-reference attmissingval values in a long-lived context while they are being used (Andrew Dunstan)

  This avoids possible use of dangling pointers when a tuple slot outlives the tuple descriptor with which its value was constructed.

• Recalculate the effective value of search_path after ALTER ROLE (Jeff Davis)

  This ensures that after renaming a role, the meaning of the special string $user is re-determined.

• Fix “could not duplicate handle” error occurring on Windows when min_dynamic_shared_memory is set above zero (Thomas Munro)

• Fix order of operations in GenericXLogFinish (Jeff Davis)

  This code violated the conditions required for crash safety by writing WAL before marking changed buffers dirty. No core code uses this function, but extensions do (contrib/bloom does, for example).

• Remove incorrect assertion in PL/Python exception handling (Alexander Lakhin)

• Fix pg_restore so that selective restores will include both table-level and column-level ACLs for selected tables (Euler Taveira, Tom Lane)

  Formerly, only the table-level ACL would get restored if both types were present.

• Add logic to pg_upgrade to check for use of abstime, reltime, and tinterval data types (Álvaro Herrera)

  These obsolete data types were removed in PostgreSQL version 12, so check to make sure they aren't present in an older database before claiming it can be upgraded.

• Avoid generating invalid temporary slot names in pg_basebackup (Jelte Fennema)

  This has only been seen to occur when the server connection runs through pgbouncer.

• Avoid false “too many client connections” errors in pgbench on Windows (Noah Misch)

• In contrib/amcheck, do not report interrupted page deletion as corruption (Noah Misch)

  This fix prevents false-positive reports of “the first child of leftmost target page is not leftmost of its level”, “block NNNN is not leftmost” or “left link/right link pair in index XXXX not in agreement”. They appeared if amcheck ran after an unfinished btree index page deletion and before VACUUM had cleaned things up.

• Fix failure of contrib/btree_gin indexes on interval columns, when an indexscan using the < or <= operator is performed (Dean Rasheed)

  Such an indexscan failed to return all the entries it should.

• Add support for LLVM 16 and 17 (Thomas Munro, Dmitry Dolgov)

• Suppress assorted build-time warnings on recent macOS (Tom Lane)

  Xcode 15 (released with macOS Sonoma) changed the linker's behavior in a way that causes many duplicate-library warnings while building PostgreSQL. These were harmless, but they're annoying so avoid citing the same libraries twice. Also remove use of the -multiply_defined suppress linker switch, which apparently has been a no-op for a long time, and is now actively complained of.

• When building contrib/unaccent's rules file, fall back to using python if --with-python was not given and make variable PYTHON was not set (Japin Li)

• Remove PHOT (Phoenix Islands Time) from the default timezone abbreviations list (Tom Lane)

  Presence of this abbreviation in the default list can cause failures on recent Debian and Ubuntu releases, as they no longer install the underlying tzdb entry by default. Since this is a made-up abbreviation for a zone with a total human population of about two dozen, it seems unlikely that anyone will miss it. If someone does, they can put it back via a custom abbreviations file.

Postgres version 14.9

Release date: 2023-08-10

This release contains a variety of fixes from 14.8. For information about new features in major release 14, see Version 14.0.

 Migration to Version 14.9

A dump/restore is not required for those running 14.X.

However, if you use BRIN indexes, it may be advisable to reindex them; see the second changelog entry below.

Also, if you are upgrading from a version earlier than 14.4, see Version 14.4.

 Changes

• Disallow substituting a schema or owner name into an extension script if the name contains a quote, backslash, or dollar sign (Noah Misch)

  This restriction guards against SQL-injection hazards for trusted extensions.

  The PostgreSQL Project thanks Micah Gate, Valerie Woolard, Tim Carey-Smith, and Christoph Berg for reporting this problem. (CVE-2023-39417 or CVE-2023-39417)

• Fix confusion between empty (no rows) ranges and all-NULL ranges in BRIN indexes, as well as incorrect merging of all-NULL summaries (Tomas Vondra)

  Each of these oversights could result in forgetting that a BRIN index range contains any NULL values, potentially allowing subsequent queries that should return NULL values to miss doing so.

  This fix will not in itself correct faulty BRIN entries. It's recommended to REINDEX any BRIN indexes that may be used to search for nulls.

• Avoid leaving a corrupted database behind when DROP DATABASE is interrupted (Andres Freund)

  If DROP DATABASE was interrupted after it had already begun taking irreversible steps, the target database remained accessible (because the removal of its pg_database row would roll back), but it would have corrupt contents. Fix by marking the database as inaccessible before we begin to perform irreversible operations. A failure after that will leave the database still partially present, but nothing can be done with it except to issue another DROP DATABASE.

• Ensure that partitioned indexes are correctly marked as valid or not at creation (Michael Paquier)

  If a new partitioned index matches an existing but invalid index on one of the partitions, the partitioned index could end up being marked valid prematurely. This could lead to misbehavior or assertion failures in subsequent queries on the partitioned table.

• Ignore invalid child indexes when matching partitioned indexes to child indexes during ALTER TABLE ATTACH PARTITION (Michael Paquier)

  Such an index will now be ignored, and a new child index created instead.

• Fix possible failure when marking a partitioned index valid after all of its partitions have been attached (Michael Paquier)

  The update of the index's pg_index entry could use stale data for other columns. One reported symptom is an “attempted to update invisible tuple” error.

• Fix ALTER EXTENSION SET SCHEMA to complain if the extension contains any objects outside the extension's schema (Michael Paquier, Heikki Linnakangas)

  Erroring out if the extension contains objects in multiple schemas was always intended; but the check was mis-coded so that it would fail to detect some cases, leading to surprising behavior.

• Don't use partial unique indexes for uniqueness proofs in the planner (David Rowley)

  This could give rise to incorrect plans, since the presumed uniqueness of rows read from a table might not hold if the index in question isn't used to scan the table.

• Don't Memoize lateral joins with volatile join conditions (Richard Guo)

  Applying Memoize to a sub-plan that contains volatile filter conditions is likely to lead to wrong answers. The check to avoid doing this missed some cases that can arise when using LATERAL.

• Avoid producing incorrect plans for foreign joins with pseudoconstant join clauses (Etsuro Fujita)

  The planner currently lacks support for attaching pseudoconstant join clauses to a pushed-down remote join, so disable generation of remote joins in such cases. (A better solution will require ABI-breaking changes of planner data structures, so it will have to wait for a future major release.)

• Correctly handle sub-SELECTs in RLS policy expressions and security-barrier views when expanding rule actions (Tom Lane)

• Fix race conditions in conflict detection for SERIALIZABLE isolation mode (Thomas Munro)

  Conflicts could be missed when using bitmap heap scans, when using GIN indexes, and when examining an initially-empty btree index. All these cases could lead to serializability failures due to improperly allowing conflicting transactions to commit.

• Fix misbehavior of EvalPlanQual checks with inherited or partitioned target tables (Tom Lane)

  This oversight could lead to update or delete actions in READ COMMITTED isolation mode getting performed when they should have been skipped because of a conflicting concurrent update.

• Fix hash join with an inner-side hash key that contains Params coming from an outer nested loop (Tom Lane)

  When rescanning the join after the values of such Params have changed, we must rebuild the hash table, but neglected to do so. This could result in missing join output rows.

• Fix intermittent failures when trying to update a field of a composite column (Tom Lane)

  If the overall value of the composite column is wide enough to require out-of-line toasting, then an unluckily-timed cache flush could cause errors or server crashes.

• Prevent query-lifespan memory leaks in some UPDATE queries with triggers (Tomas Vondra)

• Prevent query-lifespan memory leaks when an Incremental Sort plan node is rescanned (James Coleman, Laurenz Albe, Tom Lane)

• Accept fractional seconds in the input to jsonpath's datetime() method (Tom Lane)

• Prevent stack-overflow crashes with very complex text search patterns (Tom Lane)

• Allow tokens up to 10240 bytes long in pg_hba.conf and pg_ident.conf (Tom Lane)

  The previous limit of 256 bytes has been found insufficient for some use-cases.

• Fix mishandling of C++ out-of-memory conditions (Heikki Linnakangas)

  If JIT is in use, running out of memory in a C++ new call would lead to a PostgreSQL FATAL error, instead of the expected C++ exception.

• Fix rare null-pointer crash in plancache.c (Tom Lane)

• Avoid losing track of possibly-useful shared memory segments when a page free results in coalescing ranges of free space (Dongming Liu)

  Ensure that the segment is moved into the appropriate “bin” for its new amount of free space, so that it will be found by subsequent searches.

• Allow VACUUM to continue after detecting certain types of b-tree index corruption (Peter Geoghegan)

  If an invalid sibling-page link is detected, log the issue and press on, rather than throwing an error as before. Nothing short of REINDEX will fix the broken index, but preventing VACUUM from completing until that is done risks making matters far worse.

• Ensure that WrapLimitsVacuumLock is released after VACUUM detects invalid data in pg_database.datfrozenxid or pg_database.datminmxid (Andres Freund)

  Failure to release this lock could lead to a deadlock later, although the lock would be cleaned up if the session exits or encounters some other error.

• Avoid double replay of prepared transactions during crash recovery (suyu.cmj, Michael Paquier)

  After a crash partway through a checkpoint with some two-phase transaction state data already flushed to disk by this checkpoint, crash recovery could attempt to replay the prepared transaction(s) twice, leading to a fatal error such as “lock is already held” in the startup process.

• Fix possible failure while promoting a standby server, if archiving is enabled and two-phase transactions need to be recovered (Julian Markwort)

  If any required two-phase transactions were logged in the most recent (partial) log segment, promotion would fail with an incorrect complaint about “requested WAL segment has already been removed”.

• Ensure that a newly created, but still empty table is fsync'ed at the next checkpoint (Heikki Linnakangas)

  Without this, if there is an operating system crash causing the empty file to disappear, subsequent operations on the table might fail with “could not open file” errors.

• Ensure that creation of the init fork of an unlogged index is WAL-logged (Heikki Linnakangas)

  While an unlogged index's main data fork is not WAL-logged, its init fork should be, to ensure that we have a consistent state to restore the index to after a crash. This step was missed if the init fork contains no data, which is a case not used by any standard index AM; but perhaps some extension behaves that way.

• Fix missing reinitializations of delay-checkpoint-end flags (suyu.cmj)

  This could result in unnecessary delays of checkpoints, or in assertion failures in assert-enabled builds.

• Fix overly strict assertion in jsonpath code (David Rowley)

  This assertion failed if a query applied the .type() operator to a like_regex result. There was no bug in non-assert builds.

• Avoid assertion failure when processing an empty statement via the extended query protocol in an already-aborted transaction (Tom Lane)

• Fix contrib/fuzzystrmatch's Soundex difference() function to handle empty input sanely (Alexander Lakhin, Tom Lane)

  An input string containing no alphabetic characters resulted in unpredictable output.

• Tighten whitespace checks in contrib/hstore input (Evan Jones)

  In some cases, characters would be falsely recognized as whitespace and hence discarded.

• Disallow oversize input arrays with contrib/intarray's gist__int_ops index opclass (Ankit Kumar Pandey, Alexander Lakhin)

  Previously this code would report a NOTICE but press on anyway, creating an invalid index entry that presents a risk of crashes when the index is read.

• Avoid useless double decompression of GiST index entries in contrib/intarray (Konstantin Knizhnik, Matthias van de Meent, Tom Lane)

• Fix contrib/pageinspect's gist_page_items() function to work when there are included index columns (Alexander Lakhin, Michael Paquier)

  Previously, if the index has included columns, gist_page_items() would fail to display those values on index leaf pages, or crash outright on non-leaf pages.

• Fix pg_dump to correctly handle new-style SQL-language functions whose bodies require parse-time dependencies on unique indexes (Tom Lane)

  Such cases can arise from GROUP BY and ON CONFLICT clauses, for example. The function must then be postponed until after the unique index in the dump output, but pg_dump did not do that and instead printed a warning about “could not resolve dependency loop”.

• Ensure that pg_index.indisreplident is kept up-to-date in relation cache entries (Shruthi Gowda)

  This value could be stale in some cases. There is no core code that relies on the relation cache's copy, so this is only a latent bug as far as Postgres itself is concerned; but there may be extensions for which it is a live bug.

Postgres version 14.8

Release date: 2023-05-11

This release contains a variety of fixes from 14.7. For information about new features in major release 14, see Version 14.0.

 Migration to Version 14.8

A dump/restore is not required for those running 14.X.

However, if you are upgrading from a version earlier than 14.4, see Version 14.4.

 Changes

• Prevent CREATE SCHEMA from defeating changes in search_path (Alexander Lakhin)

  Within a CREATE SCHEMA command, objects in the prevailing search_path, as well as those in the newly-created schema, would be visible even within a called function or script that attempted to set a secure search_path. This could allow any user having permission to create a schema to hijack the privileges of a security definer function or extension script.

  The PostgreSQL Project thanks Alexander Lakhin for reporting this problem. (CVE-2023-2454 or CVE-2023-2454)

• Enforce row-level security policies correctly after inlining a set-returning function (Stephen Frost, Tom Lane)

  If a set-returning SQL-language function refers to a table having row-level security policies, and it can be inlined into a calling query, those RLS policies would not get enforced properly in some cases involving re-using a cached plan under a different role. This could allow a user to see or modify rows that should have been invisible.

  The PostgreSQL Project thanks Wolfgang Walther for reporting this problem. (CVE-2023-2455 or CVE-2023-2455)

• Avoid crash when the new schema name is omitted in CREATE SCHEMA (Michael Paquier)

  The SQL standard allows writing CREATE SCHEMA AUTHORIZATION owner_name, with the schema name defaulting to owner_name. However some code paths expected the schema name to be present and would fail.

• Fix enabling/disabling of cloned triggers in partitioned tables (Tom Lane)

  ALTER TABLE ... ENABLE/DISABLE TRIGGER USER skipped cloned triggers, mistaking them for system triggers. Other variants of ENABLE/DISABLE TRIGGER would process them, but only after improperly enforcing a superuserness check.

• Disallow altering composite types that are stored in indexes (Tom Lane)

  ALTER TYPE disallows non-binary-compatible modifications of composite types if they are stored in any table columns. (Perhaps that will be allowed someday, but it hasn't happened yet; the locking implications of rewriting many tables are daunting.) We overlooked the possibility that an index might contain a composite type that doesn't also appear in its table.

• Disallow system columns as elements of foreign keys (Tom Lane)

  Since the removal of OID as a system column, there is no plausible use-case for this, and various bits of code no longer support it. Disallow it rather than trying to fix all the cases.

• Ensure that COPY TO from an RLS-enabled parent table does not copy any rows from child tables (Antonin Houska)

  The documentation is quite clear that COPY TO copies rows from only the named table, not any inheritance children it may have. However, if row-level security was enabled on the table then this stopped being true.

• Avoid possible crash when array_position() or array_positions() is passed an empty array (Tom Lane)

• Fix possible out-of-bounds fetch in to_char() (Tom Lane)

  With bad luck this could have resulted in a server crash.

• Avoid buffer overread in translate() function (Daniil Anisimov)

  When using the deletion feature, the function might fetch the byte just after the input string, creating a small risk of crash.

• Fix error cursor setting for parse errors in JSON string literals (Tom Lane)

  Most cases in which a syntax error is detected in a string literal within a JSON value failed to set the error cursor appropriately. This led at least to an unhelpful error message (pointing to the token before the string, rather than the actual trouble spot), and could even result in a crash in v14 and later.

• Fix data corruption due to vacuum_defer_cleanup_age being larger than the current 64-bit xid (Andres Freund)

  In v14 and later with non-default settings of vacuum_defer_cleanup_age, it was possible to compute a very large vacuum cleanup horizon xid, leading to vacuum removing rows that are still live. v12 and v13 have a lesser form of the same problem affecting only GiST indexes, which could lead to index pages getting recycled too early.

• Fix parser's failure to detect some cases of improperly-nested aggregates (Tom Lane)

  This oversight could lead to executor failures for queries that should have been rejected as invalid.

• Fix data structure corruption during parsing of serial SEQUENCE NAME options (David Rowley)

  This can lead to trouble if an event trigger captures the corrupted parse tree.

• Correctly update plan nodes' parallel-safety markings when moving initplans from one node to another (Tom Lane)

  This planner oversight could lead to “subplan was not initialized” errors at runtime.

• Avoid failure with PlaceHolderVars in extended-statistics code (Tom Lane)

  Use of dependency-type extended statistics could fail with “PlaceHolderVar found where not expected”.

• Disable the inverse-transition optimization for window aggregates when the call contains sub-SELECTs (David Rowley)

  This optimization requires that the aggregate's argument expressions have repeatable results, which might not hold for a sub-SELECT.

• Fix oversights in execution of nested ARRAY[] constructs (Alexander Lakhin, Tom Lane)

  Correctly detect overflow of the total space needed for the result array, avoiding a possible crash due to undersized output allocation. Also ensure that any trailing padding space in the result array is zeroed; while leaving garbage there is harmless for most purposes, it can result in odd behavior later.

• Prevent crash when updating a field within an array-of-domain-over-composite-type column (Dmitry Dolgov)

• Fix partition pruning logic for partitioning on boolean columns (David Rowley)

  Pruning with a condition like boolcol IS NOT TRUE was done incorrectly, leading to possibly not returning rows in which boolcol is NULL. Also, the rather unlikely case of partitioning on NOT boolcol was handled incorrectly.

• Fix race condition in per-batch cleanup during parallel hash join (Thomas Munro, Melanie Plageman)

  A crash was possible given unlucky timing and parallel_leader_participation = off (which is not the default).

• Recalculate GENERATED columns after an EvalPlanQual check (Tom Lane)

  In READ COMMITTED isolation mode, the effects of a row update might need to get reapplied to a newer version of the row than the query found originally. If so, we need to recompute any GENERATED columns, in case they depend on columns that were changed by the concurrent update.

• Fix memory leak in Memoize plan execution (David Rowley)

• Fix buffer refcount leak when using batched inserts for a foreign table included in a partitioned tree (Alexander Pyhalov)

• Restore support for sub-millisecond vacuum_cost_delay settings (Thomas Munro)

• Don't balance vacuum cost delay when a table has a per-relation vacuum_cost_delay setting of zero (Masahiko Sawada)

  Delay balancing is supposed to be disabled whenever autovacuum is processing a table with a per-relation vacuum_cost_delay setting, but this was done only for positive settings, not zero.

• Fix corner-case crashes when columns have been added to the end of a view (Tom Lane)

• Repair rare failure of MULTIEXPR_SUBLINK subplans in partitioned updates (Andres Freund, Tom Lane)

  Use of the syntax INSERT ... ON CONFLICT DO UPDATE SET (c1, ...) = (SELECT ...) with a partitioned target table could result in failure if any child table is dissimilar from the parent (for example, different physical column order). This typically manifested as failure of consistency checks in the executor; but a crash or incorrect data updates are also possible.

• Fix handling of DEFAULT markers within a multi-row INSERT ... VALUES query on a view that has a DO ALSO INSERT ... SELECT rule (Dean Rasheed)

  Such cases typically failed with “unrecognized node type” errors or assertion failures.

• Support references to OLD and NEW within subqueries in rule actions (Dean Rasheed, Tom Lane)

  Such references are really lateral references, but the server could crash if the subquery wasn't explicitly marked with LATERAL. Arrange to do that implicitly when necessary.

• When decompiling a rule or SQL function body containing INSERT/UPDATE/DELETE within WITH, take care to print the correct alias for the target table (Tom Lane)

• Fix glitches in SERIALIZABLE READ ONLY optimization (Thomas Munro)

  Transactions already marked as “doomed” confused the safe-snapshot optimization for SERIALIZABLE READ ONLY transactions. The optimization was unnecessarily skipped in some cases. In other cases an assertion failure occurred (but there was no problem in non-assert builds).

• Avoid leaking cache callback slots in the pgoutput logical decoding plugin (Shi Yu)

  Multiple cycles of starting up and shutting down the plugin within a single session would eventually lead to an “out of relcache_callback_list slots” error.

• Avoid unnecessary calls to custom validators for index operator class options (Alexander Korotkov)

  This change fixes some cases where an unexpected error was thrown.

• Avoid useless work while scanning a multi-column BRIN index with multiple scan keys (Tomas Vondra)

  The existing code effectively considered only the last scan key while deciding whether a range matched, thus usually scanning more of the index than it needed to.

• Fix netmask handling in BRIN inet_minmax_multi_ops opclass (Tomas Vondra)

  This error triggered an assertion failure in assert-enabled builds, but is mostly harmless in production builds.

• Fix dereference of dangling pointer during buffering build of a GiST index (Alexander Lakhin)

  This error seems to usually be harmless in production builds, as the fetched value is noncritical; but in principle it could cause a server crash.

• Ignore dropped columns and generated columns during logical replication of an update or delete action (Onder Kalaci, Shi Yu)

  Replication with the REPLICA IDENTITY FULL option failed if the table contained such columns.

• Correct the name of the wait event for SLRU buffer I/O for commit timestamps (Alexander Lakhin)

  This wait event is named CommitTsBuffer according to the documentation, but the code had it as CommitTSBuffer. Change the code to match the documentation, as that way is more consistent with the naming of related wait events.

• Re-activate reporting of wait event SLRUFlushSync (Thomas Munro)

  Reporting of this type of wait was accidentally removed in code refactoring.

• Avoid possible underflow when calculating how many WAL segments to keep (Kyotaro Horiguchi)

  This could result in not honoring wal_keep_size accurately.

• Support RSA-PSS certificates with SCRAM-SHA-256 channel binding (Jacob Champion, Heikki Linnakangas)

  This feature requires building with OpenSSL 1.1.1 or newer. Both the server and libpq are affected.

• Avoid race condition with process ID tracking on Windows (Thomas Munro)

  The operating system could recycle a PID before the postmaster observed that that child process was gone. This could lead to tracking more than one child with the same PID, resulting in confusion.

• Add missing cases to SPI_result_code_string() (Dean Rasheed)

• Fix erroneous Valgrind markings in AllocSetRealloc() (Karina Litskevich)

  In the unusual case where the size of a large (>8kB) palloc chunk is decreased, a Valgrind-aware build would mismark the defined-ness state of the memory released from the chunk, possibly causing incorrect results during Valgrind testing.

• Avoid assertion failure when decoding a transactional logical replication message (Tomas Vondra)

• Avoid locale sensitivity when processing regular expression escapes (Jeff Davis)

  A backslash followed by a non-ASCII character could sometimes cause an assertion failure, depending on the prevailing locale.

• Avoid trying to write an empty WAL record in log_newpage_range() when the last few pages in the specified range are empty (Matthias van de Meent)

  It is not entirely clear whether this case is reachable in released branches, but if it is then an assertion failure could occur.

• Fix session-lifespan memory leakage in plpgsql DO blocks that use cast expressions (Ajit Awekar, Tom Lane)

• Tighten array dimensionality checks when converting Perl list structures to multi-dimensional SQL arrays (Tom Lane)

  plperl could misbehave when the nesting of sub-lists is inconsistent so that the data does not represent a rectangular array of values. Such cases now produce errors, but previously they could result in a crash or garbage output.

• Tighten array dimensionality checks when converting Python list structures to multi-dimensional SQL arrays (Tom Lane)

  plpython could misbehave when dealing with empty sub-lists, or when the nesting of sub-lists is inconsistent so that the data does not represent a rectangular array of values. The former should result in an empty output array, and the latter in an error. But some cases resulted in a crash, and others in unexpected output.

• Fix unwinding of exception stack in plpython (Xing Guo)

  Some rare failure cases could return without cleaning up the PG_TRY exception stack, risking a crash if another error was raised before the next stack level was unwound.

• Fix inconsistent GSS-encryption error handling in libpq's PQconnectPoll() (Michael Paquier)

  With gssencmode set to require, the connection was not marked dead after a GSS initialization failure. Make it fail immediately, as the equivalent case for TLS encryption has long done.

• Fix possible data corruption in ecpg programs built with the -C ORACLE option (Kyotaro Horiguchi)

  When ecpg_get_data() is called with varcharsize set to zero, it could write a terminating zero character into the last byte of the preceding field, truncating the data in that field.

• Fix pg_dump so that partitioned tables that are hash-partitioned on an enum-type column can be restored successfully (Tom Lane)

  Since the hash codes for enum values depend on the OIDs assigned to the enum, they are typically different after a dump and restore, meaning that rows often need to go into a different partition than they were in originally. Users can work around that by specifying the --load-via-partition-root option; but since there is very little chance of success without that, teach pg_dump to apply it automatically to such tables.

  Also, fix pg_restore to not try to TRUNCATE target tables before restoring into them when --load-via-partition-root mode is used. This avoids a hazard of deadlocks and lost data.

• Correctly detect non-seekable files on Windows (Juan José Santamaría Flecha, Michael Paquier, Daniel Watzinger)

  This bug led to misbehavior when pg_dump writes to a pipe or pg_restore reads from one.

• In pgbench's “prepared” mode, prepare all the commands in a pipeline before starting the pipeline (Álvaro Herrera)

  This avoids a failure when a pgbench script tries to start a serializable transaction inside a pipeline.

• In contrib/amcheck's heap checking code, deal correctly with tuples having zero xmin or xmax (Robert Haas)

• In contrib/amcheck, deal sanely with xids that appear to be before epoch zero (Andres Freund)

  In cases of corruption we might see a wrapped-around 32-bit xid that appears to be before the first xid epoch. Promoting such a value to 64-bit form produced a value far in the future, resulting in wrong reports. Return FirstNormalFullTransactionId in such cases so that things work reasonably sanely.

• In contrib/hstore_plpython, avoid crashing if the Python value to be transformed isn't a mapping (Dmitry Dolgov, Tom Lane)

  This should give an error, but Python 3 changed some APIs in a way that caused the check to misbehave, allowing a crash to ensue.

• Require the siglen option of a GiST index on an ltree column, if specified, to be a multiple of 4 (Alexander Korotkov)

  Other values result in misaligned accesses to index content, which is harmless on Intel-compatible hardware but can cause a crash on some other architectures.

• In contrib/pageinspect, add defenses against incorrect input for the gist_page_items() function (Dmitry Koval)

• Fix misbehavior in contrib/pg_trgm with an unsatisfiable regular expression (Tom Lane)

  A regex such as $foo is legal but unsatisfiable; the regex compiler recognizes that and produces an empty NFA graph. Attempting to optimize such a graph into a pg_trgm GIN or GiST index qualification resulted in accessing off the end of a work array, possibly leading to crashes.

• Use the --strip-unneeded option when stripping static libraries with GNU-compatible strip (Tom Lane)

  Previously, make install-strip used the -x option in this case. This change avoids misbehavior of llvm-strip, and gives slightly smaller output as well.

• Stop recommending auto-download of DTD files for building the documentation, and indeed disable it (Aleksander Alekseev, Peter Eisentraut, Tom Lane)

  It appears no longer possible to build the SGML documentation without a local installation of the DocBook DTD files. Formerly xsltproc could download those files on-the-fly from sourceforge.net; but sourceforge.net now permits only HTTPS access, and no common version of xsltproc supports that. Hence, remove the bits of our documentation suggesting that that's possible or useful, and instead add xsltproc's --nonet option to the build recipes.

• When running TAP tests in PGXS builds, use a saner location for the temporary portlock directory (Peter Eisentraut)

  Place it under tmp_check in the build directory. With the previous coding, a PGXS build would try to place it in the installation directory, which is not necessarily writable.

• Update time zone data files to tzdata release 2023c for DST law changes in Egypt, Greenland, Morocco, and Palestine.

  When observing Moscow time, Europe/Kirov and Europe/Volgograd now use the abbreviations MSK/MSD instead of numeric abbreviations, for consistency with other timezones observing Moscow time. Also, America/Yellowknife is no longer distinct from America/Edmonton; this affects some pre-1948 timestamps in that area.

Postgres version 14.7

Release date: 2023-02-09

This release contains a variety of fixes from 14.6. For information about new features in major release 14, see Version 14.0.

 Migration to Version 14.7

A dump/restore is not required for those running 14.X.

However, if you are upgrading from a version earlier than 14.4, see Version 14.4.

 Changes

• libpq can leak memory contents after GSSAPI transport encryption initiation fails (Jacob Champion)

  A modified server, or an unauthenticated man-in-the-middle, can send a not-zero-terminated error message during setup of GSSAPI (Kerberos) transport encryption. libpq will then copy that string, as well as following bytes in application memory up to the next zero byte, to its error report. Depending on what the calling application does with the error report, this could result in disclosure of application memory contents. There is also a small probability of a crash due to reading beyond the end of memory. Fix by properly zero-terminating the server message. (CVE-2022-41862 or CVE-2022-41862)

• Fix calculation of which GENERATED columns need to be updated in child tables during an UPDATE on a partitioned table or inheritance tree (Amit Langote, Tom Lane)

  This fixes failure to update GENERATED columns that do not exist in the parent table, or that have different dependencies than are in the parent column's generation expression.

• Allow a WITH RECURSIVE ... CYCLE CTE to access its output column (Tom Lane)

  A reference to the SET column from within the CTE would fail with “cache lookup failed for type 0”.

• Fix handling of pending inserts when doing a bulk insertion to a foreign table (Etsuro Fujita)

  In some cases pending insertions were not flushed to the FDW soon enough, leading to logical inconsistencies, for example BEFORE ROW triggers not seeing rows they should be able to see.

• Allow REPLICA IDENTITY to be set on an index that's not (yet) valid (Tom Lane)

  When pg_dump dumps a partitioned index that's marked REPLICA IDENTITY, it generates a command sequence that applies REPLICA IDENTITY before the partitioned index has been marked valid, causing restore to fail. There seems no very good reason to prohibit doing it in that order, so allow it. The marking will have no effect anyway until the index becomes valid.

• Fix handling of DEFAULT markers in rules that perform an INSERT from a multi-row VALUES list (Dean Rasheed)

  In some cases a DEFAULT marker would not get replaced with the proper default-value expression, leading to an “unrecognized node type” error.

• Reject uses of undefined variables in jsonpath existence checks (Alexander Korotkov, David G. Johnston)

  While jsonpath match operators threw an error for an undefined variable in the path pattern, the existence operators silently treated it as a match.

• Fix jsonb subscripting to cope with toasted subscript values (Tom Lane, David G. Johnston)

  Using a text value fetched directly from a table as a jsonb subscript was likely to fail. Fetches would usually not find any matching element. Assignments could store the value with a garbage key, although keys long enough to cause that problem are probably rare in the field.

• Fix edge-case data corruption in parallel hash joins (Dmitry Astapov)

  If the final chunk of a large tuple being written out to a temporary file was exactly 32760 bytes, it would be corrupted due to a fencepost bug. The query would typically fail later with corrupted-data symptoms.

• Honor non-default settings of checkpoint_completion_target (Bharath Rupireddy)

  Internal state was not updated after a change in checkpoint_completion_target, possibly resulting in performing checkpoint I/O faster or slower than desired, especially if that setting was changed on-the-fly.

• Log the correct ending timestamp in recovery_target_xid mode (Tom Lane)

  When ending recovery based on the recovery_target_xid setting with recovery_target_inclusive = off, we printed an incorrect timestamp (always 2000-01-01) in the “recovery stopping before ... transaction” log message.

• Improve error reporting for some buffered file read failures (Peter Eisentraut)

  Correctly report a short read, giving the numbers of bytes desired and actually read, instead of reporting an irrelevant error code. Most places got this right already, but some recently-written replication logic did not.

• In extended query protocol, avoid an immediate commit after ANALYZE if we're running a pipeline (Tom Lane)

  If there's not been an explicit BEGIN TRANSACTION, ANALYZE would take it on itself to commit, which should not happen within a pipelined series of commands.

• Reject cancel request packets having the wrong length (Andrey Borodin)

  The server would process a cancel request even if its length word was too small. This led to reading beyond the end of the allocated buffer. In theory that could cause a segfault, but it seems quite unlikely to happen in practice, since the buffer would have to be very close to the end of memory. The more likely outcome was a bogus log message about wrong backend PID or cancel code. Complain about the wrong length, instead.

• Add recursion and looping defenses in subquery pullup (Tom Lane)

  A contrived query can result in deep recursion and unreasonable amounts of time spent trying to flatten subqueries. A proper fix for that seems unduly invasive for a back-patch, but we can at least add stack depth checks and an interrupt check to allow the query to be cancelled.

• Fix planner issues when combining Memoize nodes with partitionwise joins or parameterized nestloops (Richard Guo)

  These errors could lead to not using Memoize in contexts where it would be useful, or possibly to wrong query plans.

• Fix partitionwise-join code to tolerate failure to produce a plan for each partition (Tom Lane)

  This could result in “could not devise a query plan for the given query” errors.

• Limit the amount of cleanup work done by get_actual_variable_range (Simon Riggs)

  Planner runs occurring just after deletion of a large number of tuples appearing at the end of an index could expend significant amounts of work setting the “killed” bits for those index entries. Limit the amount of work done in any one query by giving up on this process after examining 100 heap pages. All the cleanup will still happen eventually, but without so large a performance hiccup.

• Fix under-parenthesized display of AT TIME ZONE constructs (Tom Lane)

  This could result in dump/restore failures for rules or views in which an argument of AT TIME ZONE is itself an expression.

• Prevent clobbering of cached parsetrees for utility statements in SQL functions (Tom Lane, Daniel Gustafsson)

  If a SQL-language function executes the same utility command more than once within a single calling query, it could crash or report strange errors such as “unrecognized node type”.

• Ensure that execution of full-text-search queries can be cancelled while they are performing phrase matches (Tom Lane)

• Fix memory leak in hashing strings with nondeterministic collations (Jeff Davis)

• Fix deadlock between DROP DATABASE and logical replication worker process (Hou Zhijie)

  This was caused by an ill-advised choice to block interrupts while creating a logical replication slot in the worker. In version 15 that could lead to an undetected deadlock. In version 14, no deadlock has been observed, but it's still a bad idea to block interrupts while waiting for network I/O.

• Clean up the libpq connection object after a failed replication connection attempt (Andres Freund)

  The previous coding leaked the connection object. In background code paths that's pretty harmless because the calling process will give up and exit. But in commands such as CREATE SUBSCRIPTION, such a failure resulted in a small session-lifespan memory leak.

• In hot-standby servers, reduce processing effort for tracking XIDs known to be active on the primary (Simon Riggs, Michail Nikolaev)

  Insufficiently-aggressive cleanup of the KnownAssignedXids array could lead to poor performance, particularly when max_connections is set to a large value on the standby.

• Ignore invalidated logical-replication slots while determining oldest catalog xmin (Sirisha Chamarthi)

  A replication slot could prevent cleanup of dead tuples in the system catalogs even after it becomes invalidated due to exceeding max_slot_wal_keep_size. Thus, failure of a replication consumer could lead to indefinitely-large catalog bloat.

• In logical decoding, notify the remote node when a transaction is detected to have crashed (Hou Zhijie)

  After a server restart, we'll re-stream the changes for transactions occurring shortly before the restart. Some of these transactions probably never completed; when we realize that one didn't we throw away the relevant decoding state locally, but we neglected to tell the subscriber about it. That led to the subscriber keeping useless streaming files until it's next restarted.

• Fix uninitialized-memory usage in logical decoding (Masahiko Sawada)

  In certain cases, resumption of logical decoding could try to re-use XID data that had already been freed, leading to unpredictable behavior.

• Avoid rare “failed to acquire cleanup lock” panic during WAL replay of hash-index page split operations (Robert Haas)

• Advance a heap page's LSN when setting its all-visible bit during WAL replay (Jeff Davis)

  Failure to do this left the page possibly different on standby servers than the primary, and violated some other expectations about when the LSN changes. This seems only a theoretical hazard so far as PostgreSQL itself is concerned, but it could upset third-party tools.

• Prevent unsafe usage of a relation cache entry's rd_smgr pointer (Amul Sul)

  Remove various assumptions that rd_smgr would stay valid over a series of operations, by wrapping all uses of it in a function that will recompute it if needed. This prevents bugs occurring when an unexpected cache flush occurs partway through such a series.

• Fix int64_div_fast_to_numeric() to work for a wider range of inputs (Dean Rasheed)

  This function misbehaved with some values of its second argument. No such usages exist in core PostgreSQL, but it's clearly a hazard for external modules, so repair.

• Fix latent buffer-overrun problem in WaitEventSet logic (Thomas Munro)

  The epoll-based and kqueue-based implementations could ask the kernel for too many events if the size of their internal buffer was different from the size of the caller's output buffer. That case is not known to occur in released PostgreSQL versions, but this error is a hazard for external modules and future bug fixes.

• Avoid nominally-undefined behavior when accessing shared memory in 32-bit builds (Andres Freund)

  clang's undefined-behavior sanitizer complained about use of a pointer that was less aligned than it should be. It's very unlikely that this would cause a problem in non-debug builds, but it's worth fixing for testing purposes.

• Fix assertion failure in BRIN minmax-multi opclasses (Tomas Vondra)

  The assertion was overly strict, so this mistake was harmless in non-assert builds.

• Remove faulty assertion in useless-RESULT-RTE optimization logic (Tom Lane)

• Fix copy-and-paste errors in cache-lookup-failure messages for ACL checks (Justin Pryzby)

  In principle these errors should never be reached. But if they are, some of them reported the wrong type of object.

• In pg_dump, avoid calling unsafe server functions before we have locks on the tables to be examined (Tom Lane, Gilles Darold)

  pg_dump uses certain server functions that can fail if examining a table that gets dropped concurrently. Avoid this type of failure by ensuring that we obtain access share lock before inquiring too deeply into a table's properties, and that we don't apply such functions to tables we don't intend to dump at all.

• Fix psql's \sf and \ef commands to handle SQL-language functions that have SQL-standard function bodies (Tom Lane)

  These commands misidentified the start of the function body when it used new-style syntax.

• Fix tab completion of ALTER FUNCTION/PROCEDURE/ROUTINE ... SET SCHEMA (Dean Rasheed)

• Fix contrib/seg to not crash or print garbage if an input number has more than 127 digits (Tom Lane)

• Fix build on Microsoft Visual Studio 2013 (Tom Lane)

  A previous patch supposed that all platforms of interest have snprintf(), but MSVC 2013 isn't quite there yet. Revert to using sprintf() on that platform.

• Fix compile failure in building PL/Perl with MSVC when using Strawberry Perl (Andrew Dunstan)

• Fix mismatch of PL/Perl built with MSVC versus a Perl library built with gcc (Andrew Dunstan)

  Such combinations could previously fail with “loadable library and perl binaries are mismatched” errors.

• Suppress compiler warnings from Perl's header files (Andres Freund)

  Our preferred compiler options provoke warnings about constructs appearing in recent versions of Perl's header files. When using gcc, we can suppress these warnings with a pragma.

• Fix pg_waldump to build on compilers that don't discard unused static-inline functions (Tom Lane)

• Update time zone data files to tzdata release 2022g for DST law changes in Greenland and Mexico, plus historical corrections for northern Canada, Colombia, and Singapore.

  Notably, a new timezone America/Ciudad_Juarez has been split off from America/Ojinaga.

Postgres version 14.6

Release date: 2022-11-10

This release contains a variety of fixes from 14.5. For information about new features in major release 14, see Version 14.0.

 Migration to Version 14.6

A dump/restore is not required for those running 14.X.

However, if you are upgrading from a version earlier than 14.4, see Version 14.4.

 Changes

• Avoid rare PANIC during updates occurring concurrently with VACUUM (Tom Lane, Jeff Davis)

  If a concurrent VACUUM sets the all-visible flag bit in a page that UPDATE or DELETE is in process of modifying, the updating command needs to clear that bit again; but some code paths failed to do so, ending in a PANIC exit and database restart.

  This is known to be possible in versions 14 and 15. It may be only latent in previous branches.

• Fix handling of DEFAULT tokens that appear in a multi-row VALUES clause of an INSERT on an updatable view (Tom Lane)

  This oversight could lead to “cache lookup failed for type” errors, or in older branches even to crashes.

• Disallow rules named _RETURN that are not ON SELECT (Tom Lane)

  This avoids confusion between a view's ON SELECT rule and any other rules it may have.

• Fix resource management bug in saving tuples for AFTER triggers (Tom Lane)

  Given the right circumstances, this manifested as a “tupdesc reference NNNN is not owned by resource owner” error followed by a PANIC exit.

• Avoid failure in EXPLAIN VERBOSE for a query using SEARCH BREADTH FIRST with constant initial values (Tom Lane)

• Fix construction of per-partition foreign key constraints while doing ALTER TABLE ATTACH PARTITION (Jehan-Guillaume de Rorthais, Álvaro Herrera)

  Previously, incorrect or duplicate constraints could be constructed for the newly-added partition.

• Fix generation of constraint names for per-partition foreign key constraints (Jehan-Guillaume de Rorthais)

  If the initially-given name is already in use for some constraint of the partition, a new one is selected; but it wasn't being spelled as intended.

• Fix incorrect matching of index expressions and predicates when creating a partitioned index (Richard Guo, Tom Lane)

  While creating a partitioned index, we try to identify any existing indexes on the partitions that match the partitioned index, so that we can absorb those as child indexes instead of building new ones. Matching of expressions was not done right, so that a usable child index might be ignored, leading to creation of a duplicative index.

• Prevent WAL corruption after a standby promotion (Dilip Kumar, Robert Haas)

  When a PostgreSQL instance performing archive recovery (but not using standby mode) is promoted, and the last WAL segment that it attempted to read ended in a partial record, the instance would write an invalid WAL segment on the new timeline.

• Fix mis-ordering of WAL operations in fast insert path for GIN indexes (Matthias van de Meent, Zhang Mingli)

  This mistake is not known to have any negative consequences within core PostgreSQL, but it did cause issues for some extensions.

• Fix bugs in logical decoding when replay starts from a point between the beginning of a transaction and the beginning of its subtransaction (Masahiko Sawada, Kuroda Hayato)

  These errors could lead to assertion failures in debug builds, and otherwise to memory leaks.

• Prevent examining system catalogs with the wrong snapshot during logical decoding (Masahiko Sawada)

  If decoding begins partway through a transaction that modifies system catalogs, the decoder may not recognize that, causing it to fail to treat that transaction as in-progress for catalog lookups.

• Accept interrupts in more places during logical decoding (Amit Kapila, Masahiko Sawada)

  This ameliorates problems with slow shutdown of replication workers.

• Prevent attempts to replicate into a foreign-table partition in replication workers (Shi Yu, Tom Lane)

  Although partitioned tables can have foreign tables as partitions, replicating into such a partition isn't currently supported. The logical replication worker process would crash if it was attempted. Now, an error is thrown.

• Remove pointless check on replica identity setting of partitioned tables (Hou Zhijie)

  What matters is the replica identity setting of the leaf partitions, so there's no need to throw error if it's not set on the parent.

• Avoid crash after function syntax error in replication workers (Maxim Orlov, Anton Melnikov, Masahiko Sawada, Tom Lane)

  If a syntax error occurred in a SQL-language or PL/pgSQL-language CREATE FUNCTION or DO command executed in a logical replication worker, the worker process would crash with a null pointer dereference or assertion failure.

• Fix handling of read-write expanded datums that are passed to SQL functions (Tom Lane)

  If a non-inlined SQL function uses a parameter in more than one place, and one of those functions expects to be able to modify read-write datums in place, then later uses of the parameter would observe the wrong value. (Within core PostgreSQL, the expanded-datum mechanism is only used for array and composite-type values; but extensions might use it for other structured types.)

• Fix type circle's equality comparator to handle NaNs properly (Ranier Vilela)

  If the left-hand circle had a floating-point NaN for its radius, it would be considered equal to a circle with the same center and any radius.

• In Snowball dictionaries, don't try to stem excessively-long words (Olly Betts, Tom Lane)

  If the input word exceeds 1000 bytes, return it as-is after case folding, rather than trying to run it through the Snowball code. This restriction protects against a known recursion-to-stack-overflow problem in the Turkish stemmer, and it seems like good insurance against any other safety or performance issues that may exist in the Snowball stemmers. Such a long string is surely not a word in any human language, so it's doubtful that the stemmer would have done anything desirable with it anyway.

• Fix use-after-free hazard in string comparisons (Tom Lane)

  Improper memory management in the string comparison functions could result in scribbling on no-longer-allocated buffers, potentially breaking things for whatever is using that memory now. This would only happen with fairly long strings (more than 1kB), and only if an ICU collation is in use.

• Add plan-time check for attempted access to a table that has no table access method (Tom Lane)

  This prevents a crash in some catalog-corruption scenarios, for example use of a view whose ON SELECT rule is missing.

• Prevent postmaster crash when shared-memory state is corrupted (Tom Lane)

  The postmaster process is supposed to survive and initiate a database restart if shared memory becomes corrupted, but one bit of code was being insufficiently cautious about that.

• Add some more defenses against recursion till stack overrun (Richard Guo, Tom Lane)

• Avoid misbehavior when choosing hash table size with very small work_mem and large tuples (Zhang Mingli)

• Avoid long-term memory leakage in the autovacuum launcher process (Reid Thompson)

  The lack of field reports suggests that this problem is only latent in pre-v15 branches; but it's not very clear why, so back-patch the fix anyway.

• Improve PL/pgSQL's ability to handle parameters declared as RECORD (Tom Lane)

  Build a separate function cache entry for each concrete type passed to the RECORD parameter during a session, much as we do for polymorphic parameters. This allows some usages to work that previously failed with errors such as “type of parameter does not match that when preparing the plan”.

• In libpq, handle single-row mode correctly when pipelining (Denis Laxalde)

  The single-row flag was not reset at the correct time if pipeline mode was also active.

• Add missing guards for NULL connection pointer in libpq (Daniele Varrazzo, Tom Lane)

  There's a convention that libpq functions should check for a NULL PGconn argument, and fail gracefully instead of crashing. PQflush() and PQisnonblocking() didn't get that memo, so fix them.

• In ecpg, fix omission of variable storage classes when multiple varchar or bytea variables are declared in the same declaration (Andrey Sokolov)

  For example, ecpg translated static varchar str1[10], str2[20], str3[30]; in such a way that only str1 was marked static.

• Allow cross-platform tablespace relocation in pg_basebackup (Robert Haas)

  Allow the remote path in --tablespace-mapping to be either a Unix-style or Windows-style absolute path, since the source server could be on a different OS than the local system.

• In pg_stat_statements, fix access to already-freed memory (zhaoqigui)

  This occurred if pg_stat_statements tracked a ROLLBACK command issued via extended query protocol. In debug builds it consistently led to an assertion failure. In production builds there would often be no visible ill effect; but if the freed memory had already been reused, the likely result would be to store garbage for the query string.

• In postgres_fdw, ensure that target lists constructed for EvalPlanQual plans will have all required columns (Richard Guo, Etsuro Fujita)

  This avoids “variable not found in subplan target list” errors in rare cases.

• Reject unwanted output from the platform's uuid_create() function (Nazir Bilal Yavuz)

  The uuid-ossp module expects libc's uuid_create() to produce a version-1 UUID, but recent NetBSD releases produce a version-4 (random) UUID instead. Check for that, and complain if so. Drop the documentation's claim that the NetBSD implementation is usable for uuid-ossp. (If a version-4 UUID is okay for your purposes, you don't need uuid-ossp at all; just use gen_random_uuid().)

• Include new Perl test modules in standard installations (Álvaro Herrera)

  Add PostgreSQL/Test/Cluster.pm and PostgreSQL/Test/Utils.pm to the standard installation file set in pre-version-15 branches. This is for the benefit of extensions that want to use newly-written test code in older branches.

• On NetBSD, force dynamic symbol resolution at postmaster start (Andres Freund, Tom Lane)

  This avoids a risk of deadlock in the dynamic linker on NetBSD 10.

• Fix incompatibilities with LLVM 15 (Thomas Munro, Andres Freund)

• Allow use of __sync_lock_test_and_set() for spinlocks on any machine (Tom Lane)

  This eases porting to new machine architectures, at least if you're using a compiler that supports this GCC builtin function.

• Rename symbol REF to REF_P to avoid compile failure on recent macOS (Tom Lane)

• Avoid using sprintf, to avoid compile-time deprecation warnings (Tom Lane)

• Silence assorted compiler warnings from clang 15 and later (Tom Lane)

• Update time zone data files to tzdata release 2022f for DST law changes in Chile, Fiji, Iran, Jordan, Mexico, Palestine, and Syria, plus historical corrections for Chile, Crimea, Iran, and Mexico.

  Also, the Europe/Kiev zone has been renamed to Europe/Kyiv. Also, the following zones have been merged into nearby, more-populous zones whose clocks have agreed with them since 1970: Antarctica/Vostok, Asia/Brunei, Asia/Kuala_Lumpur, Atlantic/Reykjavik, Europe/Amsterdam, Europe/Copenhagen, Europe/Luxembourg, Europe/Monaco, Europe/Oslo, Europe/Stockholm, Indian/Christmas, Indian/Cocos, Indian/Kerguelen, Indian/Mahe, Indian/Reunion, Pacific/Chuuk, Pacific/Funafuti, Pacific/Majuro, Pacific/Pohnpei, Pacific/Wake and Pacific/Wallis. (This indirectly affects zones that were already links to one of these: Arctic/Longyearbyen, Atlantic/Jan_Mayen, Iceland, Pacific/Ponape, Pacific/Truk, and Pacific/Yap.) America/Nipigon, America/Rainy_River, America/Thunder_Bay, Europe/Uzhgorod, and Europe/Zaporozhye were also merged into nearby zones after discovering that their claimed post-1970 differences from those zones seem to have been errors. In all these cases, the previous zone name remains as an alias; but the actual data is that of the zone that was merged into.

  These zone mergers result in loss of pre-1970 timezone history for the merged zones, which may be troublesome for applications expecting consistency of timestamptz display. As an example, the stored value 1944-06-01 12:00 UTC would previously display as 1944-06-01 13:00:00+01 if the Europe/Stockholm zone is selected, but now it will read out as 1944-06-01 14:00:00+02.

  It is possible to build the time zone data files with options that will restore the older zone data, but that choice also inserts a lot of other old (and typically poorly-attested) zone data, resulting in more total changes from the previous release than accepting these upstream changes does. PostgreSQL has chosen to ship the tzdb data as-recommended, and so far as we are aware most major operating system distributions are doing likewise. However, if these changes cause significant problems for your application, a possible solution is to install a local build of the time zone data files using tzdb's backwards-compatibility options (see their PACKRATDATA and PACKRATLIST options).

Postgres version 14.5

Release date: 2022-08-11

This release contains a variety of fixes from 14.4. For information about new features in major release 14, see Version 14.0.

 Migration to Version 14.5

A dump/restore is not required for those running 14.X.

However, if you are upgrading from a version earlier than 14.4, see Version 14.4.

 Changes

• Do not let extension scripts replace objects not already belonging to the extension (Tom Lane)

  This change prevents extension scripts from doing CREATE OR REPLACE if there is an existing object that does not belong to the extension. It also prevents CREATE IF NOT EXISTS in the same situation. This prevents a form of trojan-horse attack in which a hostile database user could become the owner of an extension object and then modify it to compromise future uses of the object by other users. As a side benefit, it also reduces the risk of accidentally replacing objects one did not mean to.

  The PostgreSQL Project thanks Sven Klemm for reporting this problem. (CVE-2022-2625 or CVE-2022-2625)

• Fix replay of CREATE DATABASE WAL records on standby servers (Kyotaro Horiguchi, Asim R Praveen, Paul Guo)

  Standby servers may encounter missing tablespace directories when replaying database-creation WAL records. Prior to this patch, a standby would fail to recover in such a case; however, such directories could be legitimately missing. Create the tablespace (as a plain directory), then check that it has been dropped again once replay reaches a consistent state.

• Support “in place” tablespaces (Thomas Munro, Michael Paquier, Álvaro Herrera)

  Normally a Postgres tablespace is a symbolic link to a directory on some other filesystem. This change allows it to just be a plain directory. While this has no use for separating tables onto different filesystems, it is a convenient setup for testing. Moreover, it is necessary to support the CREATE DATABASE replay fix, which transiently creates a missing tablespace as an “in place” tablespace.

• Fix permissions checks in CREATE INDEX (Nathan Bossart, Noah Misch)

  The fix for CVE-2022-1552 or CVE-2022-1552 caused CREATE INDEX to apply the table owner's permissions while performing lookups of operator classes and other objects, where formerly the calling user's permissions were used. This broke dump/restore scenarios, because pg_dump issues CREATE INDEX before re-granting permissions.

• In extended query protocol, force an immediate commit after CREATE DATABASE and other commands that can't run in a transaction block (Tom Lane)

  If the client does not send a Sync message immediately after such a command, but instead sends another command, any failure in that command would lead to rolling back the preceding command, typically leaving inconsistent state on-disk (such as a missing or extra database directory). The mechanisms intended to prevent that situation turn out to work for multiple commands in a simple-Query message, but not for a series of extended-protocol messages. To prevent inconsistency without breaking use-cases that work today, force an implicit commit after such commands.

• Fix race condition when checking transaction visibility (Simon Riggs)

  TransactionIdIsInProgress could report false before the subject transaction is considered visible, leading to various misbehaviors. The race condition window is normally very narrow, but use of synchronous replication makes it much wider, because the wait for a synchronous replica happens in that window.

• Fix incorrect plans when sorting by an expression that contains a non-top-level set-returning function (Richard Guo, Tom Lane)

• Fix incorrect permissions-checking code for extended statistics (Richard Guo)

  If there are extended statistics on a table that the user has only partial SELECT permissions on, some queries would fail with “unrecognized node type” errors.

• Fix extended statistics machinery to handle MCV-type statistics on boolean-valued expressions (Tom Lane)

  Statistics collection worked fine, but a query containing such an expression in WHERE would fail with “unknown clause type”.

• Avoid planner core dump with constant = ANY(array) clauses when there are MCV-type extended statistics on the array variable (Tom Lane)

• Fix ALTER TABLE ... ENABLE/DISABLE TRIGGER to handle recursion correctly for triggers on partitioned tables (Álvaro Herrera, Amit Langote)

  In certain cases, a “trigger does not exist” failure would occur because the command would try to adjust the trigger on a child partition that doesn't have it.

• Allow cancellation of ANALYZE while it is computing extended statistics (Tom Lane, Justin Pryzby)

  In some scenarios with high statistics targets, it was possible to spend many seconds in an un-cancellable sort operation.

• Improve syntax error messages for type jsonpath (Andrew Dunstan)

• Ensure that pg_stop_backup() cleans up session state properly (Fujii Masao)

  This omission could lead to assertion failures or crashes later in the session.

• Fix trim_array() to handle a zero-dimensional array argument sanely (Martin Kalcher)

• Fix join alias matching in FOR [KEY] UPDATE/SHARE clauses (Dean Rasheed)

  In corner cases, a misleading error could be reported.

• Reject ROW() expressions and functions in FROM that have too many columns (Tom Lane)

  Cases with more than about 1600 columns are unsupported, and have always failed at execution. However, it emerges that some earlier code could be driven to assertion failures or crashes by queries with more than 32K columns. Add a parse-time check to prevent that.

• Fix dumping of a view using a function in FROM that returns a composite type, when column(s) of the composite type have been dropped since the view was made (Tom Lane)

  This oversight could lead to dump/reload or pg_upgrade failures, as the dumped view would have too many column aliases for the function.

• Disallow nested backup operations in logical replication walsenders (Fujii Masao)

• Fix memory leak in logical replication subscribers (Hou Zhijie)

• Fix logical replication's checking of replica identity when the target table is partitioned (Shi Yu, Hou Zhijie)

  The replica identity columns have to be re-identified for the child partition.

• Fix failures to update cached schema data in a logical replication subscriber after a schema change on the publisher (Shi Yu, Hou Zhijie)

• Fix WAL consistency checking logic to correctly handle BRIN_EVACUATE_PAGE flags (Haiyang Wang)

• Fix erroneous assertion checks in shared hashtable management (Thomas Munro)

• Avoid assertion failure when min_dynamic_shared_memory is set to a non-default value (Thomas Munro)

• Arrange to clean up after commit-time errors within SPI_commit(), rather than expecting callers to do that (Peter Eisentraut, Tom Lane)

  Proper cleanup is complicated and requires use of low-level facilities, so it's not surprising that no known caller got it right. This led to misbehaviors when a PL procedure issued COMMIT but a failure occurred (such as a deferred constraint check). To improve matters, redefine SPI_commit() as starting a new transaction, so that it becomes equivalent to SPI_commit_and_chain() except that you get default transaction characteristics instead of preserving the prior transaction's characteristics. To make this somewhat transparent API-wise, redefine SPI_start_transaction() as a no-op. All known callers of SPI_commit() immediately call SPI_start_transaction(), so they will not notice any change. Similar remarks apply to SPI_rollback().

  Also fix PL/Python, which omitted any handling of such errors at all, resulting in jumping out of the Python interpreter. This is reported to crash Python 3.11. Older Python releases leak some memory but seem okay with it otherwise.

• Improve libpq's handling of idle states in pipeline mode (Álvaro Herrera, Kyotaro Horiguchi)

  This fixes “message type 0x33 arrived from server while idle” warnings, as well as possible loss of end-of-query NULL results from PQgetResult().

• Avoid core dump in ecpglib with unexpected orders of operations (Tom Lane)

  Certain operations such as EXEC SQL PREPARE would crash (rather than reporting an error as expected) if called before establishing any database connection.

• In ecpglib, avoid redundant newlocale() calls (Noah Misch)

  Allocate a C locale object once per process when first connecting, rather than creating and freeing locale objects once per query. This mitigates a libc memory leak on AIX, and may offer some performance benefit everywhere.

• In psql's \watch command, echo a newline after cancellation with control-C (Pavel Stehule)

  This prevents libedit (and possibly also libreadline) from becoming confused about which column the cursor is in.

• Fix pg_upgrade to detect non-upgradable usages of functions taking anyarray (Justin Pryzby)

  Version 14 changed some built-in functions to take type anycompatiblearray instead of anyarray. While this is mostly transparent, user-defined aggregates and operators built atop these functions have to be declared with exactly matching types. The presence of an object referencing the old signature will cause pg_upgrade to fail, so change it to detect and report such cases before beginning the upgrade.

• Fix possible report of wrong error condition after clone() failure in pg_upgrade with --clone option (Justin Pryzby)

• Fix contrib/pg_stat_statements to avoid problems with very large query-text files on 32-bit platforms (Tom Lane)

• In contrib/postgres_fdw, prevent batch insertion when there are WITH CHECK OPTION constraints (Etsuro Fujita)

  Such constraints cannot be checked properly if more than one row is inserted at a time.

• Fix contrib/postgres_fdw to detect failure to send an asynchronous data fetch query (Fujii Masao)

• Ensure that contrib/postgres_fdw sends constants of regconfig and other reg* types with proper schema qualification (Tom Lane)

• Block signals while allocating dynamic shared memory on Linux (Thomas Munro)

  This avoids problems when a signal interrupts posix_fallocate().

• Detect unexpected EEXIST error from shm_open() (Thomas Munro)

  This avoids a possible crash on Solaris.

• Avoid using signalfd() on illumos systems (Thomas Munro)

  This appears to trigger hangs and kernel panics, so avoid the function until a fix is available.

Postgres version 14.4

Release date: 2022-06-16

This release contains a variety of fixes from 14.3. For information about new features in major release 14, see Version 14.0.

 Migration to Version 14.4

A dump/restore is not required for those running 14.X.

However, if you have any indexes that were created using the CONCURRENTLY option under 14.X, you should re-index them after updating. See the first changelog entry below.

Also, if you are upgrading from a version earlier than 14.3, see Version 14.3.

 Changes

• Prevent possible corruption of indexes created or rebuilt with the CONCURRENTLY option (Álvaro Herrera)

  An optimization added in v14 caused CREATE INDEX ... CONCURRENTLY and REINDEX ... CONCURRENTLY to sometimes miss indexing rows that were updated during the index build. Revert that optimization. It is recommended that any indexes made with the CONCURRENTLY option be rebuilt after installing this update. (Alternatively, rebuild them without CONCURRENTLY.)

• Harden Memoize plan node against non-deterministic equality functions (David Rowley)

  Memoize could crash if a data type's equality or hash functions gave inconsistent results across different calls. Throw a runtime error instead.

• Fix incorrect cost estimates for Memoize plans (David Rowley)

  This mistake could lead to Memoize being used when it isn't really the best plan, or to very long executor startup times due to initializing an overly-large hash table for a Memoize node.

• Fix queries in which a “whole-row variable” references the result of a function that returns a domain over composite type (Tom Lane)

• Fix “variable not found in subplan target list” planner error when pulling up a sub-SELECT that's referenced in a GROUPING function (Richard Guo)

• Prevent pg_stat_get_subscription() from possibly returning an extra row containing garbage values (Kuntal Ghosh)

• Fix COPY FROM's error checking in the case where the database encoding is SQL_ASCII while the client's encoding is a multi-byte encoding (Heikki Linnakangas)

  This mistake could lead to false complaints of invalidly-encoded input data.

• Avoid crashing if too many column aliases are attached to an XMLTABLE or JSON_TABLE construct (Álvaro Herrera)

• When decompiling a view or rule, show a SELECT output column's AS "?column?" alias clause if it could be referenced elsewhere (Tom Lane)

  Previously, this auto-generated alias was always hidden; but there are corner cases where doing so results in a non-restorable view or rule definition.

• Report implicitly-created operator families to event triggers (Masahiko Sawada)

  If CREATE OPERATOR CLASS results in the implicit creation of an operator family, that object was not reported to event triggers that should capture such events.

• Fix control file updates made when a restartpoint is running during promotion of a standby server (Kyotaro Horiguchi)

  Previously, when the restartpoint completed it could incorrectly update the last-checkpoint fields of the control file, potentially leading to PANIC and failure to restart if the server crashes before the next normal checkpoint completes.

• Prevent triggering of standby's wal_receiver_timeout during logical replication of large transactions (Wang Wei, Amit Kapila)

  If a large transaction on the primary server sends no data to the standby (perhaps because no table it changes is published), it was possible for the standby to timeout. Fix that by ensuring we send keepalive messages periodically in such situations.

• Prevent open-file leak when reading an invalid timezone abbreviation file (Kyotaro Horiguchi)

  Such cases could result in harmless warning messages.

• Allow custom server parameters to have short descriptions that are NULL (Steve Chavez)

  Previously, although extensions could choose to create such settings, some code paths would crash while processing them.

• Remove misguided SSL key file ownership check in libpq (Tom Lane)

  In the previous minor releases, we copied the server's permission checking rules for SSL private key files into libpq. But we should not have also copied the server's file-ownership check. While that works in normal use-cases, it can result in an unexpected failure for clients running as root, and perhaps in other cases.

• Ensure ecpg reports server connection loss sanely (Tom Lane)

  Misprocessing of a libpq-generated error result, such as a report of lost connection, would lead to printing “(null)” instead of a useful error message; or in older releases it would lead to a crash.

• Prevent crash after server connection loss in pg_amcheck (Tom Lane)

  Misprocessing of a libpq-generated error result, such as a report of lost connection, would lead to a crash.

• Adjust PL/Perl test case so it will work under Perl 5.36 (Dagfinn Ilmari Mannsåker)

• Avoid incorrectly using an out-of-date libldap_r library when multiple OpenLDAP installations are present while building PostgreSQL (Tom Lane)

Postgres version 14.3

Release date: 2022-05-12

This release contains a variety of fixes from 14.2. For information about new features in major release 14, see Version 14.0.

 Migration to Version 14.3

A dump/restore is not required for those running 14.X.

However, if you have any GiST indexes on columns of type ltree (supplied by the contrib/ltree extension), you should re-index them after updating. See the second changelog entry below.

Also, if you are upgrading from a version earlier than 14.2, see Version 14.2.

 Changes

• Confine additional operations within “security restricted operation” sandboxes (Sergey Shinderuk, Noah Misch)

  Autovacuum, CLUSTER, CREATE INDEX, REINDEX, REFRESH MATERIALIZED VIEW, and pg_amcheck activated the “security restricted operation” protection mechanism too late, or even not at all in some code paths. A user having permission to create non-temporary objects within a database could define an object that would execute arbitrary SQL code with superuser permissions the next time that autovacuum processed the object, or that some superuser ran one of the affected commands against it.

  The PostgreSQL Project thanks Alexander Lakhin for reporting this problem. (CVE-2022-1552 or CVE-2022-1552)

• Fix default signature length for gist_ltree_ops indexes (Tomas Vondra, Alexander Korotkov)

  The default signature length (hash size) for GiST indexes on ltree columns was accidentally changed while upgrading that operator class to support operator class parameters. If any operations had been done on such an index without first upgrading the ltree extension to version 1.2, they were done assuming that the signature length was 28 bytes rather than the intended 8. This means it is very likely that such indexes are now corrupt. For safety we recommend re-indexing all GiST indexes on ltree columns after installing this update. (Note that GiST indexes on ltree[] columns, that is arrays of ltree, are not affected.)

• Stop using query-provided column aliases for the columns of whole-row variables that refer to plain tables (Tom Lane)

  The column names in tuples produced by a whole-row variable (such as tbl.* in contexts other than the top level of a SELECT list) are now always those of the associated named composite type, if there is one. We'd previously attempted to make them track any column aliases that had been applied to the FROM entry the variable refers to. But that's semantically dubious, because really then the output of the variable is not at all of the composite type it claims to be. Previous attempts to deal with that inconsistency had bad results up to and including storing unreadable data on disk, so just give up on the whole idea.

  In cases where it's important to be able to relabel such columns, a workaround is to introduce an extra level of sub-SELECT, so that the whole-row variable is referring to the sub-SELECT's output and not to a plain table. Then the variable is of type record to begin with and there's no issue.

• Fix incorrect roundoff when extracting epoch values from intervals (Peter Eisentraut)

  The new numeric-based code for EXTRACT() failed to yield results equivalent to the old float-based code, as a result of accidentally truncating the DAYS_PER_YEAR value to an integer.

• Defend against pg_stat_get_replication_slot (NULL) (Andres Freund)

  This function should be marked strict in the catalog data, but it was not in v14, so add a run-time check instead.

• Fix incorrect output for types timestamptz and timetz in table_to_xmlschema() and allied functions (Renan Soares Lopes)

  The xmlschema output for these types included a malformed regular expression.

• Avoid core dump in parser for a VALUES clause with zero columns (Tom Lane)

• Fix planner failure when a Result plan node appears immediately underneath an Append node (Etsuro Fujita)

  Recently-added code to support asynchronous remote queries failed to handle this case, leading to crashes or errors about unrecognized node types.

• Fix planner failure if a query using SEARCH or CYCLE features contains a duplicate CTE name (Tom Lane, Kyotaro Horiguchi)

  When the name of the recursive WITH query is re-used within itself, the planner could crash or report odd errors such as “could not find attribute 2 in subquery targetlist”.

• Fix planner errors for GROUPING() constructs that reference outer query levels (Richard Guo, Tom Lane)

• Fix plan generation for index-only scans on indexes with both returnable and non-returnable columns (Tom Lane)

  The previous coding could try to read non-returnable columns in addition to the returnable ones. This was fairly harmless because it didn't actually do anything with the bogus values, but it fell foul of a recently-added error check that rejected such a plan.

• Avoid accessing a no-longer-pinned shared buffer while attempting to lock an outdated tuple during EvalPlanQual (Tom Lane)

  The code would touch the buffer a couple more times after releasing its pin. In theory another process could recycle the buffer (or more likely, try to defragment its free space) as soon as the pin is gone, probably leading to failure to find the newer version of the tuple.

• Fix query-lifespan memory leak in an IndexScan node that is performing reordering (Aliaksandr Kalenik)

• Fix ALTER FUNCTION to support changing a function's parallelism property and its SET-variable list in the same command (Tom Lane)

  The parallelism property change was lost if the same command also updated the function's SET clause.

• Tighten lookup of the index “owned by” a constraint (Tom Lane, Japin Li)

  Some code paths mistook the index depended on by a foreign key constraint for one owned by a unique or primary key constraint, resulting in odd errors during certain ALTER TABLE operations on tables having foreign key constraints.

• Fix bogus errors from attempts to alter system columns of tables (Tom Lane)

  The system should just tell you that you can't do it, but sometimes it would report “no owned sequence found” instead.

• Fix mis-sorting of table rows when CLUSTERing using an index whose leading key is an expression (Peter Geoghegan, Thomas Munro)

  The table would be rebuilt with the correct data, but in an order having little to do with the index order.

• Prevent data loss if a system crash occurs shortly after a sorted GiST index build (Heikki Linnakangas)

  The code path for building GiST indexes using sorting neglected to fsync the file upon completion. This could result in a corrupted index if the operating system crashed shortly later.

• Fix risk of deadlock failures while dropping a partitioned index (Jimmy Yih, Gaurab Dey, Tom Lane)

  Ensure that the required table and index locks are taken in the standard order (parents before children, tables before indexes). The previous coding for DROP INDEX did it differently, and so could deadlock against concurrent queries taking these locks in the standard order.

• Fix race condition between DROP TABLESPACE and checkpointing (Nathan Bossart)

  The checkpoint forced by DROP TABLESPACE could sometimes fail to remove all dead files from the tablespace's directory, leading to a bogus “tablespace is not empty” error.

• Fix possible trouble in crash recovery after a TRUNCATE command that overlaps a checkpoint (Kyotaro Horiguchi, Heikki Linnakangas, Robert Haas)

  TRUNCATE must ensure that the table's disk file is truncated before the checkpoint is allowed to complete. Otherwise, replay starting from that checkpoint might find unexpected data in the supposedly-removed pages, possibly causing replay failure.

• Fix unsafe toast-data accesses during temporary object cleanup (Andres Freund)

  Temporary-object deletion during server process exit could fail with “FATAL: cannot fetch toast data without an active snapshot”. This was usually harmless since the next use of that temporary schema would clean up successfully.

• Re-allow underscore as the first character in a custom parameter name (Japin Li)

  Such names were unintentionally disallowed in v14.

• Add regress option for the compute_query_id parameter (Michael Paquier)

  This is intended to facilitate testing, by allowing query IDs to be computed but not shown in EXPLAIN output.

• Improve wait logic in RegisterSyncRequest (Thomas Munro)

  If we run out of space in the checkpointer sync request queue (which is hopefully rare on real systems, but is common when testing with a very small buffer pool), we wait for it to drain. While waiting, we should report that as a wait event so that users know what is going on, and also watch for postmaster death, since otherwise the loop might never terminate if the checkpointer has already exited.

• Wake up for latch events when the checkpointer is waiting between writes (Thomas Munro)

  This improves responsiveness to backends sending sync requests. The change also creates a proper wait event class for these waits.

• Fix “PANIC: xlog flush request is not satisfied” failure during standby promotion when there is a missing WAL continuation record (Sami Imseih)

• Fix possibility of self-deadlock in hot standby conflict handling (Andres Freund)

  With unlucky timing, the WAL-applying process could get stuck while waiting for some other process to release a buffer lock.

• Fix possible mis-identification of the correct ancestor relation to publish logical replication changes through (Tomas Vondra, Hou zj, Amit Kapila)

  If publish_via_partition_root is enabled, and there are multiple publications naming different ancestors of the currently-modified relation, the wrong ancestor might be chosen for reporting the change.

• Ensure that logical replication apply workers can be restarted even when we're up against the max_sync_workers_per_subscription limit (Amit Kapila)

  Faulty coding of the limit check caused a restarted worker to exit immediately, leaving fewer workers than there should be.

• Include unchanged replica identity key columns in the WAL log for an update, if they are stored out-of-line (Dilip Kumar, Amit Kapila)

  Otherwise subscribers cannot see the values and will fail to replicate the update.

• Cope correctly with platforms that have no support for altering the server process's display in ps(1) (Andrew Dunstan)

  Few platforms are like this (the only supported one is Cygwin), so we'd managed not to notice that refactoring introduced a potential memory clobber.

• Make the server more robust against missed timer interrupts (Michael Harris, Tom Lane)

  An optimization added in v14 meant that if a server process somehow missed a timer interrupt, it would never again ask the kernel for another one, thus breaking timeout detection for the remainder of the session. This seems unduly fragile, so add a recovery path.

• Disallow execution of SPI functions during PL/Perl function compilation (Tom Lane)

  Perl can be convinced to execute user-defined code during compilation of a PL/Perl function. However, it's not okay for such code to try to invoke SQL operations via SPI. That results in a crash, and if it didn't crash it would be a security hazard, because we really don't want code execution during function validation. Put in a check to give a friendlier error message instead.

• Make libpq accept root-owned SSL private key files (David Steele)

  This change synchronizes libpq's rules for safe ownership and permissions of SSL key files with the rules the server has used since release 9.6. Namely, in addition to the current rules, allow the case where the key file is owned by root and has permissions rw-r----- or less. This is helpful for system-wide management of key files.

• Fix behavior of libpq's PQisBusy() function after a connection failure (Tom Lane)

  If we'd detected a write failure, PQisBusy() would always return true, which is the wrong thing: we want input processing to carry on normally until we've read whatever is available from the server. The practical effect of this error is that applications using libpq's async-query API would typically detect connection loss only when PQconsumeInput() returns a hard failure. With this fix, a connection loss will normally be reported via an error PGresult object, which is a much cleaner behavior for most applications.

• Re-allow database.schema.table patterns in psql, pg_dump, and pg_amcheck (Mark Dilger)

  Versions before v14 silently ignored all but the schema and table fragments of a pattern containing more than one dot. Refactoring in v14 accidentally broke that use-case. Reinstate it, but now complain if the first fragment is not the name of the current database.

• Make pg_ctl recheck postmaster aliveness while waiting for stop/restart/promote actions (Tom Lane)

  pg_ctl would verify that the postmaster is alive as a side-effect of sending the stop or promote signal, but then it just naively waited to see the on-disk state change. If the postmaster died uncleanly without having removed its PID file or updated the control file, pg_ctl would wait until timeout. Instead make it recheck every so often that the postmaster process is still there.

• Fix error handling in pg_waldump (Kyotaro Horiguchi, Andres Freund)

  While trying to read a WAL file to determine the WAL segment size, pg_waldump would report an incorrect error for the case of a too-short file. In addition, the file name reported in this and related error messages could be garbage.

• Ensure that contrib/pageinspect functions cope with all-zero pages (Michael Paquier)

  This is a legitimate edge case, but the module was mostly unprepared for it. Arrange to return nulls, or no rows, as appropriate; that seems more useful than raising an error.

• In contrib/pageinspect, add defenses against incorrect page “special space” contents, tighten checks for correct page size, and add some missing checks that an index is of the expected type (Michael Paquier, Justin Pryzby, Julien Rouhaud)

  These changes make it less likely that the module will crash on bad data.

• In contrib/postgres_fdw, disable batch insertion when BEFORE INSERT ... FOR EACH ROW triggers exist on the foreign table (Etsuro Fujita)

  Such a trigger might query the table it's on and expect to see previously-inserted rows. With batch insertion, those rows might not be visible yet, so disable the feature to avoid unexpected behavior.

• In contrib/postgres_fdw, verify that ORDER BY clauses are safe to ship before requesting a remotely-ordered query, and include a USING clause if necessary (Ronan Dunklau)

  This fix prevents situations where the remote server might sort in a different order than we intend. While sometimes that would be only cosmetic, it could produce thoroughly wrong results if the remote data is used as input for a locally-performed merge join.

• Fix configure to handle platforms that have sys/epoll.h but not sys/signalfd.h (Tom Lane)

• Update JIT code to work with LLVM 14 (Thomas Munro)

• Clean up assorted failures under clang's -fsanitize=undefined checks (Tom Lane, Andres Freund, Zhihong Yu)

  Most of these changes are just for pro-forma compliance with the letter of the C and POSIX standards, and are unlikely to have any effect on production builds.

• Do not add OpenSSL dependencies to libpq's pkg-config file when building without OpenSSL (Fabrice Fontaine)

• Fix PL/Perl so it builds on C compilers that don't support statements nested within expressions (Tom Lane)

• Fix possible build failure of pg_dumpall on Windows, when not using MSVC to build (Andres Freund)

• In Windows builds, use gendef instead of pexports to build DEF files (Andrew Dunstan)

  This adapts the build process to work on recent MSys tool chains.

• Prevent extra expansion of shell wildcard patterns in programs built under MinGW (Andrew Dunstan)

  For some reason the C library provided by MinGW will expand shell wildcard characters in a program's command-line arguments by default. This is confusing, not least because it doesn't happen under MSVC, so turn it off.

• Update time zone data files to tzdata release 2022a for DST law changes in Palestine, plus historical corrections for Chile and Ukraine.

Postgres version 14.2

Release date: 2022-02-10

This release contains a variety of fixes from 14.1. For information about new features in major release 14, see Version 14.0.

 Migration to Version 14.2

A dump/restore is not required for those running 14.X.

However, some bugs have been found that may have resulted in corrupted indexes, as explained in the first two changelog entries. If any of those cases apply to you, it's recommended to reindex possibly-affected indexes after updating.

Also, if you are upgrading from a version earlier than 14.1, see Version 14.1.

 Changes

• Enforce standard locking protocol for TOAST table updates, to prevent problems with REINDEX CONCURRENTLY (Michael Paquier)

  If applied to a TOAST table or TOAST table's index, REINDEX CONCURRENTLY tended to produce a corrupted index. This happened because sessions updating TOAST entries released their ROW EXCLUSIVE locks immediately, rather than holding them until transaction commit as all other updates do. The fix is to make TOAST updates hold the table lock according to the normal rule. Any existing corrupted indexes can be repaired by reindexing again.

• Fix corruption of HOT chains when a RECENTLY_DEAD tuple changes state to fully DEAD during page pruning (Andres Freund)

  It was possible for VACUUM to remove a recently-dead tuple while leaving behind a redirect item that pointed to it. When the tuple's item slot is later re-used by some new tuple, that tuple would be seen as part of the pre-existing HOT chain, creating a form of index corruption. If this has happened, reindexing the table should repair the damage. However, this is an extremely low-probability scenario, so we do not recommend reindexing just on the chance that it might have happened.

• Fix crash in EvalPlanQual rechecks for tables with a mix of local and foreign partitions (Etsuro Fujita)

• Fix dangling pointer in COPY TO (Bharath Rupireddy)

  This oversight could cause an incorrect error message or a crash after an error in COPY.

• Avoid null-pointer crash in ALTER STATISTICS when the statistics object is dropped concurrently (Tomas Vondra)

• Correctly handle alignment padding when extracting a range from a multirange (Alexander Korotkov)

  This error could cause crashes when handling multiranges over variable-length data types.

• Fix over-optimistic use of hashing for anonymous RECORD data types (Tom Lane)

  This prevents some cases of “could not identify a hash function for type record” errors.

• Fix incorrect plan creation for parallel single-child Append nodes (David Rowley)

  In some cases the Append would be simplified away when it should not be, leading to wrong query results (duplicated rows).

• Fix index-only scan plans for cases where not all index columns can be returned (Tom Lane)

  If an index has both returnable and non-returnable columns, and one of the non-returnable columns is an expression using a table column that appears in a returnable index column, then a query using that expression could result in an index-only scan plan that attempts to read the non-returnable column, instead of recomputing the expression from the returnable column as intended. The non-returnable column would read as NULL, resulting in wrong query results.

• Fix Memoize plan nodes to handle subplans that use parameters coming from above the Memoize (David Rowley)

• Fix Memoize plan nodes to work correctly with non-hashable join operators (David Rowley)

• Ensure that casting to an unspecified typmod generates a RelabelType node rather than a length-coercion function call (Tom Lane)

  While the coercion function should do the right thing (nothing), this translation is undesirably inefficient.

• Fix checking of anycompatible-family data type matches (Tom Lane)

  In some cases the parser would think that a function or operator with anycompatible-family polymorphic parameters matches a set of arguments that it really shouldn't match. In reported cases, that led to matching more than one operator to a call, leading to ambiguous-operator errors; but a failure later on is also possible.

• Fix WAL replay failure when database consistency is reached exactly at a WAL page boundary (Álvaro Herrera)

• Fix startup of a physical replica to tolerate transaction ID wraparound (Abhijit Menon-Sen, Tomas Vondra)

  If a replica server is started while the set of active transactions on the primary crosses a wraparound boundary (so that there are some newer transactions with smaller XIDs than older ones), the replica would fail with “out-of-order XID insertion in KnownAssignedXids”. The replica would retry, but could never get past that error.

• In logical replication, avoid double transmission of a child table's data (Hou Zhijie)

  If a publication includes both child and parent tables, and has the publish_via_partition_root option set, subscribers uselessly initiated synchronization on both child and parent tables. Ensure that only the parent table is synchronized in such cases.

• Remove lexical limitations for SQL commands issued on a logical replication connection (Tom Lane)

  The walsender process would fail for a SQL command containing an unquoted semicolon, or with dollar-quoted literals containing odd numbers of single or double quote marks, or when the SQL command starts with a comment. Moreover, faulty error recovery could lead to unexpected errors in later commands too.

• Ensure that replication origin timestamp is set while replicating a ROLLBACK PREPARED operation (Masahiko Sawada)

• Fix possible loss of the commit timestamp for the last subtransaction of a transaction (Alex Kingsborough, Kyotaro Horiguchi)

• Be sure to fsync the pg_logical/mappings subdirectory during checkpoints (Nathan Bossart)

  On some filesystems this oversight could lead to losing logical rewrite status files after a system crash.

• Build extended statistics for partitioned tables (Justin Pryzby)

  A previous bug fix disabled building of extended statistics for old-style inheritance trees, but it also prevented building them for partitioned tables, which was an unnecessary restriction. This change allows ANALYZE to compute values for statistics objects for partitioned tables. (But note that autovacuum does not process partitioned tables as such, so you must periodically issue manual ANALYZE on the partitioned table if you want to maintain such statistics.)

• Ignore extended statistics for inheritance trees (Justin Pryzby)

  Currently, extended statistics values are only computed locally for each table, not for entire inheritance trees. However the values were mistakenly consulted when planning queries across inheritance trees, possibly resulting in worse-than-default estimates.

• Disallow altering data type of a partitioned table's columns when the partitioned table's row type is used as a composite type elsewhere (Tom Lane)

  This restriction has long existed for regular tables, but through an oversight it was not checked for partitioned tables.

• Disallow ALTER TABLE ... DROP NOT NULL for a column that is part of a replica identity index (Haiying Tang, Hou Zhijie)

  The same prohibition already existed for primary key indexes.

• Correctly update cached table state during ALTER TABLE ADD PRIMARY KEY USING INDEX (Hou Zhijie)

  Concurrent sessions failed to update their opinion of whether the table has a primary key, possibly causing incorrect logical replication behavior.

• Correctly update cached table state when switching REPLICA IDENTITY index (Tang Haiying, Hou Zhijie)

  Concurrent sessions failed to update their opinion of which index is the replica identity one, possibly causing incorrect logical replication behavior.

• Fix failure of SP-GiST indexes when the indexed column's data type is binary-compatible with the declared input type of the operator class (Tom Lane)

  Such cases should work, but failed with “compress method must be defined when leaf type is different from input type”.

• Allow parallel vacuuming and concurrent index building to be ignored while computing oldest xmin (Masahiko Sawada)

  Non-parallelized instances of these operations were already ignored, but the logic did not work for parallelized cases. Holding back the xmin horizon has undesirable effects such as delaying vacuum cleanup.

• Fix memory leak when updating expression indexes (Peter Geoghegan)

  An UPDATE affecting many rows could consume significant amounts of memory.

• Avoid leaking memory during REASSIGN OWNED BY operations that reassign ownership of many objects (Justin Pryzby)

• Improve performance of walsenders sending logical changes by avoiding unnecessary cache accesses (Hou Zhijie)

• Fix display of cert authentication method's options in pg_hba_file_rules view (Magnus Hagander)

  The cert authentication method implies clientcert=verify-full, but the pg_hba_file_rules view incorrectly reported clientcert=verify-ca.

• Ensure that the session targeted by pg_log_backend_memory_contexts() sends its results only to the server's log (Fujii Masao)

  Previously, a sufficiently high setting of client_min_messages could result in the log message also being sent to the connected client. Since that client hadn't requested it, that would be surprising (and possibly a wire protocol violation).

• Fix display of whole-row variables appearing in INSERT ... VALUES rules (Tom Lane)

  A whole-row variable would be printed as “var.*”, but that allows it to be expanded to individual columns when the rule is reloaded, resulting in different semantics. Attach an explicit cast to prevent that, as we do elsewhere.

• When reverse-listing a SQL-standard function body, display function parameters appropriately within INSERT ... SELECT (Tom Lane)

  Previously, they'd come out as $N even when the parameter had a name.

• Fix one-byte buffer overrun when applying Unicode string normalization to an empty string (Michael Paquier)

  The practical impact of this is limited thanks to alignment considerations; but in debug builds, a warning was raised.

• Fix or remove some incorrect assertions (Simon Riggs, Michael Paquier, Alexander Lakhin)

  These errors should affect only debug builds, not production.

• Fix race condition that could lead to failure to localize error messages that are reported early in multi-threaded use of libpq or ecpglib (Tom Lane)

• Avoid calling strerror from libpq's PQcancel function (Tom Lane)

  PQcancel is supposed to be safe to call from a signal handler, but strerror is not safe. The faulty usage only occurred in the unlikely event of failure to send the cancel message to the server, perhaps explaining the lack of reports.

• Make psql's \password command default to setting the password for CURRENT_USER, not the connection's original user name (Tom Lane)

  This agrees with the documented behavior, and avoids probable permissions failure if SET ROLE or SET SESSION AUTHORIZATION has been done since the session began. To prevent confusion, the role name to be acted on is now included in the password prompt.

• Fix psql \d command's query for identifying parent triggers (Justin Pryzby)

  The previous coding failed with “more than one row returned by a subquery used as an expression” if a partition had triggers and there were unrelated statement-level triggers of the same name on some parent partitioned table.

• Make psql's \d command sort a table's extended statistics objects by name not OID (Justin Pryzby)

• Fix psql's tab-completion of label values for enum types (Tom Lane)

• Fix failures on Windows when using the terminal as data source or destination (Dmitry Koval, Juan José Santamaría Flecha, Michael Paquier)

  This affects psql's \copy command, as well as pg_recvlogical with -f -.

• In psql and some other client programs, avoid trying to invoke gettext() from a control-C signal handler (Tom Lane)

  While no reported failures have been traced to this mistake, it seems highly unlikely to be a safe thing to do.

• Allow canceling the initial password prompt in pg_receivewal and pg_recvlogical (Tom Lane, Nathan Bossart)

  Previously it was impossible to terminate these programs via control-C while they were prompting for a password.

• Fix pg_dump's dump ordering for user-defined casts (Tom Lane)

  In rare cases, the output script might refer to a user-defined cast before it had been created.

• Fix pg_dump's --inserts and --column-inserts modes to handle tables containing both generated columns and dropped columns (Tom Lane)

• Fix possible mis-reporting of errors in pg_dump and pg_basebackup (Tom Lane)

  The previous code failed to check for errors from some kernel calls, and could report the wrong errno values in other cases.

• Fix results of index-only scans on contrib/btree_gist indexes on char(N) columns (Tom Lane)

  Index-only scans returned column values with trailing spaces removed, which is not the expected behavior. That happened because that's how the data was stored in the index. This fix changes the code to store char(N) values with the expected amount of space padding. The behavior of such an index will not change immediately unless you REINDEX it; otherwise space-stripped values will be gradually replaced over time during updates. Queries that do not use index-only scan plans will be unaffected in any case.

• Fix edge cases in postgres_fdw's handling of asynchronous queries (Etsuro Fujita)

  These errors could lead to crashes or incorrect results when attempting to parallelize scans of foreign tables.

• Change configure to use Python's sysconfig module, rather than the deprecated distutils module, to determine how to build PL/Python (Peter Eisentraut, Tom Lane, Andres Freund)

  With Python 3.10, this avoids configure-time warnings about distutils being deprecated and scheduled for removal in Python 3.12. Presumably, once 3.12 is out, configure --with-python would fail altogether. This future-proofing does come at a cost: sysconfig did not exist before Python 2.7, nor before 3.2 in the Python 3 branch, so it is no longer possible to build PL/Python against long-dead Python versions.

• Re-allow cross-compilation without OpenSSL (Tom Lane)

  configure should assume that /dev/urandom will be available on the target system, but it failed instead.

• Fix PL/Perl compile failure on Windows with Perl 5.28 and later (Victor Wagner)

• Fix PL/Python compile failure with Python 3.11 and later (Peter Eisentraut)

• Add support for building with Visual Studio 2022 (Hans Buschmann)

• Allow the .bat wrapper scripts in our MSVC build system to be called without first changing into their directory (Anton Voloshin, Andrew Dunstan)

Postgres version 14.1

Release date: 2021-11-11

This release contains a variety of fixes from 14.0. For information about new features in major release 14, see Version 14.0.

 Migration to Version 14.1

A dump/restore is not required for those running 14.X.

However, note that installations using physical replication should update standby servers before the primary server, as explained in the third changelog entry below.

Also, several bugs have been found that may have resulted in corrupted indexes, as explained in the next several changelog entries. If any of those cases apply to you, it's recommended to reindex possibly-affected indexes after updating.

 Changes

• Make the server reject extraneous data after an SSL or GSS encryption handshake (Tom Lane)

  A man-in-the-middle with the ability to inject data into the TCP connection could stuff some cleartext data into the start of a supposedly encryption-protected database session. This could be abused to send faked SQL commands to the server, although that would only work if the server did not demand any authentication data. (However, a server relying on SSL certificate authentication might well not do so.)

  The PostgreSQL Project thanks Jacob Champion for reporting this problem. (CVE-2021-23214 or CVE-2021-23214)

• Make libpq reject extraneous data after an SSL or GSS encryption handshake (Tom Lane)

  A man-in-the-middle with the ability to inject data into the TCP connection could stuff some cleartext data into the start of a supposedly encryption-protected database session. This could probably be abused to inject faked responses to the client's first few queries, although other details of libpq's behavior make that harder than it sounds. A different line of attack is to exfiltrate the client's password, or other sensitive data that might be sent early in the session. That has been shown to be possible with a server vulnerable to CVE-2021-23214 or CVE-2021-23214.

  The PostgreSQL Project thanks Jacob Champion for reporting this problem. (CVE-2021-23222 or CVE-2021-23222)

• Fix physical replication for cases where the primary crashes after shipping a WAL segment that ends with a partial WAL record (Álvaro Herrera)

  If the primary did not survive long enough to finish writing the rest of the incomplete WAL record, then the previous crash-recovery logic had it back up and overwrite WAL starting from the beginning of the incomplete WAL record. This is problematic since standby servers may already have copies of that WAL segment. They will then see an inconsistent next segment, and will not be able to recover without manual intervention. To fix, do not back up over a WAL segment boundary when restarting after a crash. Instead write a new type of WAL record at the start of the next WAL segment, informing readers that the incomplete WAL record will never be finished and must be disregarded.

  When applying this update, it's best to update standby servers before the primary, so that they will be ready to handle this new WAL record type if the primary happens to crash.

• Ensure that parallel VACUUM doesn't miss any indexes (Peter Geoghegan, Masahiko Sawada)

  A parallel VACUUM would fail to process indexes that are below the min_parallel_index_scan_size cutoff, if the table also has at least two indexes that are above that size. This could result in those indexes becoming corrupt, since they'd still contain references to any heap entries removed by the VACUUM; subsequent queries using such indexes would be likely to return rows they shouldn't. This problem does not affect autovacuum, since it doesn't use parallel vacuuming. However, it is advisable to reindex any manually-vacuumed tables that have the right mix of index sizes.

• Fix CREATE INDEX CONCURRENTLY to wait for the latest prepared transactions (Andrey Borodin)

  Rows inserted by just-prepared transactions might be omitted from the new index, causing queries relying on the index to miss such rows. The previous fix for this type of problem failed to account for PREPARE TRANSACTION commands that were still in progress when CREATE INDEX CONCURRENTLY checked for them. As before, in installations that have enabled prepared transactions (max_prepared_transactions > 0), it's recommended to reindex any concurrently-built indexes in case this problem occurred when they were built.

• Avoid race condition that can cause backends to fail to add entries for new rows to an index being built concurrently (Noah Misch, Andrey Borodin)

  While it's apparently rare in the field, this case could potentially affect any index built or reindexed with the CONCURRENTLY option. It is recommended to reindex any such indexes to make sure they are correct.

• Fix REINDEX CONCURRENTLY to preserve operator class parameters that were attached to the target index (Michael Paquier)

• Fix incorrect creation of shared dependencies when cloning a database that contains non-builtin objects (Aleksander Alekseev)

  The effects of this error are probably limited in practice. In principle, it could allow a role to be dropped while it still owns objects; but most installations would never want to drop a role that had been used for objects they'd added to template1.

• Ensure that the relation cache is invalidated for a table being attached to or detached from a partitioned table (Amit Langote, Álvaro Herrera)

  This oversight could allow misbehavior of subsequent inserts/updates addressed directly to the partition, but only in currently-existing sessions.

• Fix corruption of parse tree while creating a range type (Alex Kozhemyakin, Sergey Shinderuk)

  CREATE TYPE incorrectly freed an element of the parse tree, which could cause problems for a later event trigger, or if the CREATE TYPE command was stored in the plan cache and used again later.

• Fix updates of element fields in arrays of domain over composite (Tom Lane)

  A command such as UPDATE tab SET fld[1].subfld = val failed if the array's elements were domains rather than plain composites.

• Disallow the combination of FETCH FIRST WITH TIES and FOR UPDATE SKIP LOCKED (David Christensen)

  FETCH FIRST WITH TIES necessarily fetches one more row than requested, since it cannot stop until it finds a row that is not a tie. In our current implementation, if FOR UPDATE is used then that row will also get locked even though it is not returned. That results in undesirable behavior if the SKIP LOCKED option is specified. It's difficult to change this without introducing a different set of undesirable behaviors, so for now, forbid the combination.

• Disallow ALTER INDEX index ALTER COLUMN col SET (options) (Nathan Bossart, Michael Paquier)

  While the parser accepted this, it's undocumented and doesn't actually work.

• Fix corner-case loss of precision in numeric power() (Dean Rasheed)

  The result could be inaccurate when the first argument is very close to 1.

• Avoid choosing the wrong hash equality operator for Memoize plans (David Rowley)

  This error could result in crashes or incorrect query results.

• Fix planner error with pulling up subquery expressions into function rangetable entries (Tom Lane)

  If a function in FROM laterally references the output of some sub-SELECT earlier in the FROM clause, and we are able to flatten that sub-SELECT into the outer query, the expression(s) copied into the function expression were not fully processed. This could lead to crashes at execution.

• Avoid using MCV-only statistics to estimate the range of a column (Tom Lane)

  There are corner cases in which ANALYZE will build a most-common-values (MCV) list but not a histogram, even though the MCV list does not account for all the observed values. In such cases, keep the planner from using the MCV list alone to estimate the range of column values.

• Fix restoration of a Portal's snapshot inside a subtransaction (Bertrand Drouvot)

  If a procedure commits or rolls back a transaction, and then its next significant action is inside a new subtransaction, snapshot management went wrong, leading to a dangling pointer and probable crash. A typical example in PL/pgSQL is a COMMIT immediately followed by a BEGIN ... EXCEPTION block that performs a query.

• Clean up correctly if a transaction fails after exporting its snapshot (Dilip Kumar)

  This oversight would only cause a problem if the same session attempted to export a snapshot again. The most likely scenario for that is creation of a replication slot (followed by rollback) and then creation of another replication slot.

• Prevent wraparound of overflowed-subtransaction tracking on standby servers (Kyotaro Horiguchi, Alexander Korotkov)

  This oversight could cause significant performance degradation (manifesting as excessive SubtransSLRU traffic) on standby servers.

• Ensure that prepared transactions are properly accounted for during promotion of a standby server (Michael Paquier, Andres Freund)

  There was a narrow window where a prepared transaction could be omitted from a snapshot taken by a concurrently-running session. If that session then used the snapshot to perform data updates, erroneous results or data corruption could occur.

• Fix “could not find RecursiveUnion” error when EXPLAIN tries to print a filter condition attached to a WorkTableScan node (Tom Lane)

• Ensure that the correct lock level is used when renaming a table (Nathan Bossart, Álvaro Herrera)

  For historical reasons, ALTER INDEX ... RENAME can be applied to any sort of relation. The lock level required to rename an index is lower than that required to rename a table or other kind of relation, but the code got this wrong and would use the weaker lock level whenever the command is spelled ALTER INDEX.

• Avoid null-pointer-dereference crash when dropping a role that owns objects being dropped concurrently (Álvaro Herrera)

• Prevent “snapshot reference leak” warning when lo_export() or a related function fails (Heikki Linnakangas)

• Fix inefficient code generation for CoerceToDomain expression nodes (Ranier Vilela)

• Avoid O (N^2) behavior in some list-manipulation operations (Nathan Bossart, Tom Lane)

  These changes fix slow processing in several scenarios, including: when a standby replays a transaction that held many exclusive locks on the primary; when many files are due to be unlinked after a checkpoint; when hash aggregation involves many batches; and when pg_trgm extracts indexable conditions from a complex regular expression. Only the first of these scenarios has actually been reported from the field, but they all seem like plausible consequences of inefficient list deletions.

• Add more defensive checks around B-tree posting list splits (Peter Geoghegan)

  This change should help detect index corruption involving duplicate table TIDs.

• Avoid assertion failure when inserting NaN into a BRIN float8 or float4 minmax_multi_ops index (Tomas Vondra)

  In production builds, such cases would result in a somewhat inefficient, but not actually incorrect, index.

• Allow the autovacuum launcher process to respond to pg_log_backend_memory_contexts() requests more quickly (Koyu Tanigawa)

• Fix memory leak in HMAC hash calculations (Sergey Shinderuk)

• Disallow setting huge_pages to on when shared_memory_type is sysv (Thomas Munro)

  Previously, this setting was accepted, but it did nothing for lack of any implementation.

• Fix checking of query type in PL/pgSQL's RETURN QUERY statement (Tom Lane)

  RETURN QUERY should accept any query that can return tuples, e.g. UPDATE RETURNING. v14 accidentally disallowed anything but SELECT; moreover, the RETURN QUERY EXECUTE variant failed to apply any query-type check at all.

• Fix pg_dump to dump non-global default privileges correctly (Neil Chen, Masahiko Sawada)

  If a global (unrestricted) ALTER DEFAULT PRIVILEGES command revoked some present-by-default privilege, for example EXECUTE for functions, and then a restricted ALTER DEFAULT PRIVILEGES command granted that privilege again for a selected role or schema, pg_dump failed to dump the restricted privilege grant correctly.

• Make pg_dump acquire shared lock on partitioned tables that are to be dumped (Tom Lane)

  This oversight was usually pretty harmless, since once pg_dump has locked any of the leaf partitions, that would suffice to prevent significant DDL on the partitioned table itself. However problems could ensue when dumping a childless partitioned table, since no relevant lock would be held.

• Fix crash in pg_dump when attempting to dump trigger definitions from a pre-8.3 server (Tom Lane)

• Fix incorrect filename in pg_restore's error message about an invalid large object TOC file (Daniel Gustafsson)

• Ensure that pgbench exits with non-zero status after a socket-level failure (Yugo Nagata, Fabien Coelho)

  The desired behavior is to finish out the run but then exit with status 2. Also, fix the reporting of such errors.

• Prevent pg_amcheck from checking temporary relations, as well as indexes that are invalid or not ready (Mark Dilger)

  This avoids unhelpful checks of relations that will almost certainly appear inconsistent.

• Make contrib/amcheck skip unlogged tables when running on a standby server (Mark Dilger)

  It's appropriate to do this since such tables will be empty, and unlogged indexes were already handled similarly.

• Change contrib/pg_stat_statements to read its “query texts” file in units of at most 1GB (Tom Lane)

  Such large query text files are very unusual, but if they do occur, the previous coding would fail on Windows 64 (which rejects individual read requests of more than 2GB).

• Fix null-pointer crash when contrib/postgres_fdw tries to report a data conversion error (Tom Lane)

• Ensure that GetSharedSecurityLabel() can be used in a newly-started session that has not yet built its critical relation cache entries (Jeff Davis)

• When running a TAP test, include the module's own directory in PATH (Andrew Dunstan)

  This allows tests to find built programs that are not installed, such as custom test drivers.

• Use the CLDR project's data to map Windows time zone names to IANA time zones (Tom Lane)

  When running on Windows, initdb attempts to set the new cluster's timezone parameter to the IANA time zone matching the system's prevailing time zone. We were using a mapping table that we'd generated years ago and updated only fitfully; unsurprisingly, it contained a number of errors as well as omissions of recently-added zones. It turns out that CLDR has been tracking the most appropriate mappings, so start using their data. This change will not affect any existing installation, only newly-initialized clusters.

• Update time zone data files to tzdata release 2021e for DST law changes in Fiji, Jordan, Palestine, and Samoa, plus historical corrections for Barbados, Cook Islands, Guyana, Niue, Portugal, and Tonga.

  Also, the Pacific/Enderbury zone has been renamed to Pacific/Kanton. Also, the following zones have been merged into nearby, more-populous zones whose clocks have agreed with them since 1970: Africa/Accra, America/Atikokan, America/Blanc-Sablon, America/Creston, America/Curacao, America/Nassau, America/Port_of_Spain, Antarctica/DumontDUrville, and Antarctica/Syowa. In all these cases, the previous zone name remains as an alias.

Postgres version 14.0

Release date: 2021-09-30

 Overview

PostgreSQL 14 contains many new features and enhancements, including:

• Stored procedures can now return data via OUT parameters.

• The SQL-standard SEARCH and CYCLE options for common table expressions have been implemented.

• Subscripting can now be applied to any data type for which it is a useful notation, not only arrays. In this release, the jsonb and hstore types have gained subscripting operators.

• Range types have been extended by adding multiranges, allowing representation of noncontiguous data ranges.

• Numerous performance improvements have been made for parallel queries, heavily-concurrent workloads, partitioned tables, logical replication, and vacuuming.

• B-tree index updates are managed more efficiently, reducing index bloat.

• VACUUM automatically becomes more aggressive, and skips inessential cleanup, if the database starts to approach a transaction ID wraparound condition.

• Extended statistics can now be collected on expressions, allowing better planning results for complex queries.

• libpq now has the ability to pipeline multiple queries, which can boost throughput over high-latency connections.

The above items and other new features of PostgreSQL 14 are explained in more detail in the sections below.

 Migration to Version 14

A dump/restore using pg_dumpall or use of pg_upgrade or logical replication is required for those wishing to migrate data from any previous release. See Section 19.6 for general information on migrating to new major releases.

Version 14 contains a number of changes that may affect compatibility with previous releases. Observe the following incompatibilities:

• User-defined objects that reference certain built-in array functions along with their argument types must be recreated (Tom Lane)

  Specifically, array_append(), array_prepend(), array_cat(), array_position(), array_positions(), array_remove(), array_replace(), and width_bucket() used to take anyarray arguments but now take anycompatiblearray. Therefore, user-defined objects like aggregates and operators that reference those array function signatures must be dropped before upgrading, and recreated once the upgrade completes.

• Remove deprecated containment operators @ and ~ for built-in geometric data types and contrib modules cube, hstore, intarray, and seg (Justin Pryzby)

  The more consistently named <@ and @> have been recommended for many years.

• Fix to_tsquery() and websearch_to_tsquery() to properly parse query text containing discarded tokens (Alexander Korotkov)

  Certain discarded tokens, like underscore, caused the output of these functions to produce incorrect tsquery output, e.g., both websearch_to_tsquery('"pg_class pg"') and to_tsquery('pg_class <-> pg') used to output ( 'pg' & 'class' ) <-> 'pg', but now both output 'pg' <-> 'class' <-> 'pg'.

• Fix websearch_to_tsquery() to properly parse multiple adjacent discarded tokens in quotes (Alexander Korotkov)

  Previously, quoted text that contained multiple adjacent discarded tokens was treated as multiple tokens, causing incorrect tsquery output, e.g., websearch_to_tsquery('"aaa: bbb"') used to output 'aaa' <2> 'bbb', but now outputs 'aaa' <-> 'bbb'.

• Change EXTRACT() to return type numeric instead of float8 (Peter Eisentraut)

  This avoids loss-of-precision issues in some usages. The old behavior can still be obtained by using the old underlying function date_part().

  Also, EXTRACT(date) now throws an error for units that are not part of the date data type.

• Change var_samp() and stddev_samp() with numeric parameters to return NULL when the input is a single NaN value (Tom Lane)

  Previously NaN was returned.

• Return false for has_column_privilege() checks on non-existent or dropped columns when using attribute numbers (Joe Conway)

  Previously such attribute numbers returned an invalid-column error.

• Fix handling of infinite window function ranges (Tom Lane)

  Previously window frame clauses like 'inf' PRECEDING AND 'inf' FOLLOWING returned incorrect results.

• Remove factorial operators ! and !!, as well as function numeric_fac() (Mark Dilger)

  The factorial() function is still supported.

• Disallow factorial() of negative numbers (Peter Eisentraut)

  Previously such cases returned 1.

• Remove support for postfix (right-unary) operators (Mark Dilger)

  pg_dump and pg_upgrade will warn if postfix operators are being dumped.

• Allow \D and \W shorthands to match newlines in regular expression newline-sensitive mode (Tom Lane)

  Previously they did not match newlines in this mode, but that disagrees with the behavior of other common regular expression engines. [^[:digit:]] or [^[:word:]] can be used to get the old behavior.

• Disregard constraints when matching regular expression back-references (Tom Lane)

  For example, in (^\d+).*\1, the ^ constraint should be applied at the start of the string, but not when matching \1.

• Disallow \w as a range start or end in regular expression character classes (Tom Lane)

  This previously was allowed but produced unexpected results.

• Require custom server parameter names to use only characters that are valid in unquoted SQL identifiers (Tom Lane)

• Change the default of the password_encryption server parameter to scram-sha-256 (Peter Eisentraut)

  Previously it was md5. All new passwords will be stored as SHA256 unless this server setting is changed or the password is specified in MD5 format. Also, the legacy (and undocumented) Boolean-like values which were previously synonyms for md5 are no longer accepted.

• Remove server parameter vacuum_cleanup_index_scale_factor (Peter Geoghegan)

  This setting was ignored starting in PostgreSQL version 13.3.

• Remove server parameter operator_precedence_warning (Tom Lane)

  This setting was used for warning applications about PostgreSQL 9.5 changes.

• Overhaul the specification of clientcert in pg_hba.conf (Kyotaro Horiguchi)

  Values 1/0/no-verify are no longer supported; only the strings verify-ca and verify-full can be used. Also, disallow verify-ca if cert authentication is enabled since cert requires verify-full checking.

• Remove support for SSL compression (Daniel Gustafsson, Michael Paquier)

  This was already disabled by default in previous PostgreSQL releases, and most modern OpenSSL and TLS versions no longer support it.

• Remove server and libpq support for the version 2 wire protocol (Heikki Linnakangas)

  This was last used as the default in PostgreSQL 7.3 (released in 2002).

• Disallow single-quoting of the language name in the CREATE/DROP LANGUAGE command (Peter Eisentraut)

• Remove the composite types that were formerly created for sequences and toast tables (Tom Lane)

• Process doubled quote marks in ecpg SQL command strings correctly (Tom Lane)

  Previously 'abc''def' was passed to the server as 'abc'def', and "abc""def" was passed as "abc"def", causing syntax errors.

• Prevent the containment operators (<@ and @>) for intarray from using GiST indexes (Tom Lane)

  Previously a full GiST index scan was required, so just avoid that and scan the heap, which is faster. Indexes created for this purpose should be removed.

• Remove contrib program pg_standby (Justin Pryzby)

• Prevent tablefunc's function normal_rand() from accepting negative values (Ashutosh Bapat)

  Negative values produced undesirable results.

 Changes

Below you will find a detailed account of the changes between PostgreSQL 14 and the previous major release.

 Server (PG 14.0)

• Add predefined roles pg_read_all_data and pg_write_all_data (Stephen Frost)

  These non-login roles can be used to give read or write permission to all tables, views, and sequences.

• Add predefined role pg_database_owner that contains only the current database's owner (Noah Misch)

  This is especially useful in template databases.

• Remove temporary files after backend crashes (Euler Taveira)

  Previously, such files were retained for debugging purposes. If necessary, deletion can be disabled with the new server parameter remove_temp_files_after_crash.

• Allow long-running queries to be canceled if the client disconnects (Sergey Cherkashin, Thomas Munro)

  The server parameter client_connection_check_interval allows control over whether loss of connection is checked for intra-query. (This is supported on Linux and a few other operating systems.)

• Add an optional timeout parameter to pg_terminate_backend() (Magnus Hagander)

• Allow wide tuples to be always added to almost-empty heap pages (John Naylor, Floris van Nee)

  Previously tuples whose insertion would have exceeded the page's fill factor were instead added to new pages.

• Add Server Name Indication (SNI) in SSL connection packets (Peter Eisentraut)

  This can be disabled by turning off client connection option sslsni.

 Vacuuming (PG 14.0)

• Allow vacuum to skip index vacuuming when the number of removable index entries is insignificant (Masahiko Sawada, Peter Geoghegan)

  The vacuum parameter INDEX_CLEANUP has a new default of auto that enables this optimization.

• Allow vacuum to more eagerly add deleted btree pages to the free space map (Peter Geoghegan)

  Previously vacuum could only add pages to the free space map that were marked as deleted by previous vacuums.

• Allow vacuum to reclaim space used by unused trailing heap line pointers (Matthias van de Meent, Peter Geoghegan)

• Allow vacuum to be more aggressive in removing dead rows during minimal-locking index operations (Álvaro Herrera)

  Specifically, CREATE INDEX CONCURRENTLY and REINDEX CONCURRENTLY no longer limit the dead row removal of other relations.

• Speed up vacuuming of databases with many relations (Tatsuhito Kasahara)

• Reduce the default value of vacuum_cost_page_miss to better reflect current hardware capabilities (Peter Geoghegan)

• Add ability to skip vacuuming of TOAST tables (Nathan Bossart)

  VACUUM now has a PROCESS_TOAST option which can be set to false to disable TOAST processing, and vacuumdb has a --no-process-toast option.

• Have COPY FREEZE appropriately update page visibility bits (Anastasia Lubennikova, Pavan Deolasee, Jeff Janes)

• Cause vacuum operations to be more aggressive if the table is near xid or multixact wraparound (Masahiko Sawada, Peter Geoghegan)

  This is controlled by vacuum_failsafe_age and vacuum_multixact_failsafe_age.

• Increase warning time and hard limit before transaction id and multi-transaction wraparound (Noah Misch)

  This should reduce the possibility of failures that occur without having issued warnings about wraparound.

• Add per-index information to autovacuum logging output (Masahiko Sawada)

 Partitioning (PG 14.0)

• Improve the performance of updates and deletes on partitioned tables with many partitions (Amit Langote, Tom Lane)

  This change greatly reduces the planner's overhead for such cases, and also allows updates/deletes on partitioned tables to use execution-time partition pruning.

• Allow partitions to be detached in a non-blocking manner (Álvaro Herrera)

  The syntax is ALTER TABLE ... DETACH PARTITION ... CONCURRENTLY, and FINALIZE.

• Ignore COLLATE clauses in partition boundary values (Tom Lane)

  Previously any such clause had to match the collation of the partition key; but it's more consistent to consider that it's automatically coerced to the collation of the partition key.

 Indexes (PG 14.0)

• Allow btree index additions to remove expired index entries to prevent page splits (Peter Geoghegan)

  This is particularly helpful for reducing index bloat on tables whose indexed columns are frequently updated.

• Allow BRIN indexes to record multiple min/max values per range (Tomas Vondra)

  This is useful if there are groups of values in each page range.

• Allow BRIN indexes to use bloom filters (Tomas Vondra)

  This allows BRIN indexes to be used effectively with data that is not well-localized in the heap.

• Allow some GiST indexes to be built by presorting the data (Andrey Borodin)

  Presorting happens automatically and allows for faster index creation and smaller indexes.

• Allow SP-GiST indexes to contain INCLUDE'd columns (Pavel Borisov)