This is a complete, one-page listing of changes across all Postgres versions. All versions 10 and older are EOL (end of life) and unsupported. This page was generated on May 11, 2023 by a script (version 1.33) by Greg Sabino Mullane, and contains information for 478 versions of Postgres.
Postgres 15 (end of life: Nov 11, 2027) 15.3 (2023-05-11) 15.2 (2023-02-09) 15.1 (2022-11-10) 15.0 (2022-10-13) |
Postgres 14 (end of life: Nov 12, 2026) 14.8 (2023-05-11) 14.7 (2023-02-09) 14.6 (2022-11-10) 14.5 (2022-08-11) 14.4 (2022-06-16) 14.3 (2022-05-12) 14.2 (2022-02-10) 14.1 (2021-11-11) 14.0 (2021-09-30) |
Postgres 13 (end of life: Nov 13, 2025) 13.11 (2023-05-11) 13.10 (2023-02-09) 13.9 (2022-11-10) 13.8 (2022-08-11) 13.7 (2022-05-12) 13.6 (2022-02-10) 13.5 (2021-11-11) 13.4 (2021-08-12) 13.3 (2021-05-13) 13.2 (2021-02-11) 13.1 (2020-11-12) 13.0 (2020-09-24) |
Postgres 12 (end of life: Nov 14, 2024) 12.15 (2023-05-11) 12.14 (2023-02-09) 12.13 (2022-11-10) 12.12 (2022-08-11) 12.11 (2022-05-12) 12.10 (2022-02-10) 12.9 (2021-11-11) 12.8 (2021-08-12) 12.7 (2021-05-13) 12.6 (2021-02-11) 12.5 (2020-11-12) 12.4 (2020-08-13) 12.3 (2020-05-14) 12.2 (2020-02-13) 12.1 (2019-11-14) 12.0 (2019-10-03) |
Postgres 11 (end of life: Nov 9, 2023) 11.20 (2023-05-11) 11.19 (2023-02-09) 11.18 (2022-11-10) 11.17 (2022-08-11) 11.16 (2022-05-12) 11.15 (2022-02-10) 11.14 (2021-11-11) 11.13 (2021-08-12) 11.12 (2021-05-13) 11.11 (2021-02-11) 11.10 (2020-11-12) 11.9 (2020-08-13) 11.8 (2020-05-14) 11.7 (2020-02-13) 11.6 (2019-11-14) 11.5 (2019-08-08) 11.4 (2019-06-20) 11.3 (2019-05-09) 11.2 (2019-02-14) 11.1 (2018-11-08) 11.0 (2018-10-18) | |
Postgres 10 (end of life: Nov 10, 2022) 10.23 (2022-11-10) 10.22 (2022-08-11) 10.21 (2022-05-12) 10.20 (2022-02-10) 10.19 (2021-11-11) 10.18 (2021-08-12) 10.17 (2021-05-13) 10.16 (2021-02-11) 10.15 (2020-11-12) 10.14 (2020-08-13) 10.13 (2020-05-14) 10.12 (2020-02-13) 10.11 (2019-11-14) 10.10 (2019-08-08) 10.9 (2019-06-20) 10.8 (2019-05-09) 10.7 (2019-02-14) 10.6 (2018-11-08) 10.5 (2018-08-09) 10.4 (2018-05-10) 10.3 (2018-03-01) 10.2 (2018-02-08) 10.1 (2017-11-09) 10.0 (2017-10-05) |
Postgres 9.6 (end of life: Nov 11, 2021) 9.6.24 (2021-11-11) 9.6.23 (2021-08-12) 9.6.22 (2021-05-13) 9.6.21 (2021-02-11) 9.6.20 (2020-11-12) 9.6.19 (2020-08-13) 9.6.18 (2020-05-14) 9.6.17 (2020-02-13) 9.6.16 (2019-11-14) 9.6.15 (2019-08-08) 9.6.14 (2019-06-20) 9.6.13 (2019-05-09) 9.6.12 (2019-02-14) 9.6.11 (2018-11-08) 9.6.10 (2018-08-09) 9.6.9 (2018-05-10) 9.6.8 (2018-03-01) 9.6.7 (2018-02-08) 9.6.6 (2017-11-09) 9.6.5 (2017-08-31) 9.6.4 (2017-08-10) 9.6.3 (2017-05-11) 9.6.2 (2017-02-09) 9.6.1 (2016-10-27) 9.6.0 (2016-09-29) |
Postgres 9.5 (end of life: Feb 11, 2021) 9.5.25 (2021-02-11) 9.5.24 (2020-11-12) 9.5.23 (2020-08-13) 9.5.22 (2020-05-14) 9.5.21 (2020-02-13) 9.5.20 (2019-11-14) 9.5.19 (2019-08-08) 9.5.18 (2019-06-20) 9.5.17 (2019-05-09) 9.5.16 (2019-02-14) 9.5.15 (2018-11-08) 9.5.14 (2018-08-09) 9.5.13 (2018-05-10) 9.5.12 (2018-03-01) 9.5.11 (2018-02-08) 9.5.10 (2017-11-09) 9.5.9 (2017-08-31) 9.5.8 (2017-08-10) 9.5.7 (2017-05-11) 9.5.6 (2017-02-09) 9.5.5 (2016-10-27) 9.5.4 (2016-08-11) 9.5.3 (2016-05-12) 9.5.2 (2016-03-31) 9.5.1 (2016-02-11) 9.5.0 (2016-01-07) |
Postgres 9.4 (end of life: Feb 13, 2020) 9.4.26 (2020-02-13) 9.4.25 (2019-11-14) 9.4.24 (2019-08-08) 9.4.23 (2019-06-20) 9.4.22 (2019-05-09) 9.4.21 (2019-02-14) 9.4.20 (2018-11-08) 9.4.19 (2018-08-09) 9.4.18 (2018-05-10) 9.4.17 (2018-03-01) 9.4.16 (2018-02-08) 9.4.15 (2017-11-09) 9.4.14 (2017-08-31) 9.4.13 (2017-08-10) 9.4.12 (2017-05-11) 9.4.11 (2017-02-09) 9.4.10 (2016-10-27) 9.4.9 (2016-08-11) 9.4.8 (2016-05-12) 9.4.7 (2016-03-31) 9.4.6 (2016-02-11) 9.4.5 (2015-10-08) 9.4.4 (2015-06-12) 9.4.3 (2015-06-04) 9.4.2 (2015-05-22) 9.4.1 (2015-02-05) 9.4.0 (2014-12-18) |
Postgres 9.3 (end of life: Nov 8, 2018) 9.3.25 (2018-11-08) 9.3.24 (2018-08-09) 9.3.23 (2018-05-10) 9.3.22 (2018-03-01) 9.3.21 (2018-02-08) 9.3.20 (2017-11-09) 9.3.19 (2017-08-31) 9.3.18 (2017-08-10) 9.3.17 (2017-05-11) 9.3.16 (2017-02-09) 9.3.15 (2016-10-27) 9.3.14 (2016-08-11) 9.3.13 (2016-05-12) 9.3.12 (2016-03-31) 9.3.11 (2016-02-11) 9.3.10 (2015-10-08) 9.3.9 (2015-06-12) 9.3.8 (2015-06-04) 9.3.7 (2015-05-22) 9.3.6 (2015-02-05) 9.3.5 (2014-07-24) 9.3.4 (2014-03-20) 9.3.3 (2014-02-20) 9.3.2 (2013-12-05) 9.3.1 (2013-10-10) 9.3.0 (2013-09-09) |
Postgres 9.2 (end of life: Nov 9, 2017) 9.2.24 (2017-11-09) 9.2.23 (2017-08-31) 9.2.22 (2017-08-10) 9.2.21 (2017-05-11) 9.2.20 (2017-02-09) 9.2.19 (2016-10-27) 9.2.18 (2016-08-11) 9.2.17 (2016-05-12) 9.2.16 (2016-03-31) 9.2.15 (2016-02-11) 9.2.14 (2015-10-08) 9.2.13 (2015-06-12) 9.2.12 (2015-06-04) 9.2.11 (2015-05-22) 9.2.10 (2015-02-05) 9.2.9 (2014-07-24) 9.2.8 (2014-03-20) 9.2.7 (2014-02-20) 9.2.6 (2013-12-05) 9.2.5 (2013-10-10) 9.2.4 (2013-04-04) 9.2.3 (2013-02-07) 9.2.2 (2012-12-06) 9.2.1 (2012-09-24) 9.2.0 (2012-09-10) |
Postgres 9.1 (end of life: Oct 27, 2016) 9.1.24 (2016-10-27) 9.1.23 (2016-08-11) 9.1.22 (2016-05-12) 9.1.21 (2016-03-31) 9.1.20 (2016-02-11) 9.1.19 (2015-10-08) 9.1.18 (2015-06-12) 9.1.17 (2015-06-04) 9.1.16 (2015-05-22) 9.1.15 (2015-02-05) 9.1.14 (2014-07-24) 9.1.13 (2014-03-20) 9.1.12 (2014-02-20) 9.1.11 (2013-12-05) 9.1.10 (2013-10-10) 9.1.9 (2013-04-04) 9.1.8 (2013-02-07) 9.1.7 (2012-12-06) 9.1.6 (2012-09-24) 9.1.5 (2012-08-17) 9.1.4 (2012-06-04) 9.1.3 (2012-02-27) 9.1.2 (2011-12-05) 9.1.1 (2011-09-26) 9.1.0 (2011-09-12) |
Postgres 9.0 (end of life: Oct 8, 2015) 9.0.23 (2015-10-08) 9.0.22 (2015-06-12) 9.0.21 (2015-06-04) 9.0.20 (2015-05-22) 9.0.19 (2015-02-05) 9.0.18 (2014-07-24) 9.0.17 (2014-03-20) 9.0.16 (2014-02-20) 9.0.15 (2013-12-05) 9.0.14 (2013-10-10) 9.0.13 (2013-04-04) 9.0.12 (2013-02-07) 9.0.11 (2012-12-06) 9.0.10 (2012-09-24) 9.0.9 (2012-08-17) 9.0.8 (2012-06-04) 9.0.7 (2012-02-27) 9.0.6 (2011-12-05) 9.0.5 (2011-09-26) 9.0.4 (2011-04-18) 9.0.3 (2011-01-31) 9.0.2 (2010-12-16) 9.0.1 (2010-10-04) 9.0.0 (2010-09-20) |
Postgres 8.4 (end of life: Jul 24, 2014) 8.4.22 (2014-07-24) 8.4.21 (2014-03-20) 8.4.20 (2014-02-20) 8.4.19 (2013-12-05) 8.4.18 (2013-10-10) 8.4.17 (2013-04-04) 8.4.16 (2013-02-07) 8.4.15 (2012-12-06) 8.4.14 (2012-09-24) 8.4.13 (2012-08-17) 8.4.12 (2012-06-04) 8.4.11 (2012-02-27) 8.4.10 (2011-12-05) 8.4.9 (2011-09-26) 8.4.8 (2011-04-18) 8.4.7 (2011-01-31) 8.4.6 (2010-12-16) 8.4.5 (2010-10-04) 8.4.4 (2010-05-17) 8.4.3 (2010-03-15) 8.4.2 (2009-12-14) 8.4.1 (2009-09-09) 8.4.0 (2009-07-01) |
Postgres 8.3 (end of life: Feb 7, 2013) 8.3.23 (2013-02-07) 8.3.22 (2012-12-06) 8.3.21 (2012-09-24) 8.3.20 (2012-08-17) 8.3.19 (2012-06-04) 8.3.18 (2012-02-27) 8.3.17 (2011-12-05) 8.3.16 (2011-09-26) 8.3.15 (2011-04-18) 8.3.14 (2011-01-31) 8.3.13 (2010-12-16) 8.3.12 (2010-10-04) 8.3.11 (2010-05-17) 8.3.10 (2010-03-15) 8.3.9 (2009-12-14) 8.3.8 (2009-09-09) 8.3.7 (2009-03-16) 8.3.6 (2009-02-02) 8.3.5 (2008-11-03) 8.3.4 (2008-09-22) 8.3.3 (2008-06-12) 8.3.2 (never released!) 8.3.1 (2008-03-17) 8.3.0 (2008-02-04) |
Postgres 8.2 (end of life: Dec 5, 2011) 8.2.23 (2011-12-05) 8.2.22 (2011-09-26) 8.2.21 (2011-04-18) 8.2.20 (2011-01-31) 8.2.19 (2010-12-16) 8.2.18 (2010-10-04) 8.2.17 (2010-05-17) 8.2.16 (2010-03-15) 8.2.15 (2009-12-14) 8.2.14 (2009-09-09) 8.2.13 (2009-03-16) 8.2.12 (2009-02-02) 8.2.11 (2008-11-03) 8.2.10 (2008-09-22) 8.2.9 (2008-06-12) 8.2.8 (never released!) 8.2.7 (2008-03-17) 8.2.6 (2008-01-07) 8.2.5 (2007-09-17) 8.2.4 (2007-04-23) 8.2.3 (2007-02-07) 8.2.2 (2007-02-05) 8.2.1 (2007-01-08) 8.2.0 (2006-12-05) |
Postgres 8.1 (end of life: Nov 8, 2010) 8.1.23 (2010-12-16) 8.1.22 (2010-10-04) 8.1.21 (2010-05-17) 8.1.20 (2010-03-15) 8.1.19 (2009-12-14) 8.1.18 (2009-09-09) 8.1.17 (2009-03-16) 8.1.16 (2009-02-02) 8.1.15 (2008-11-03) 8.1.14 (2008-09-22) 8.1.13 (2008-06-12) 8.1.12 (never released!) 8.1.11 (2008-01-07) 8.1.10 (2007-09-17) 8.1.9 (2007-04-23) 8.1.8 (2007-02-07) 8.1.7 (2007-02-05) 8.1.6 (2007-01-08) 8.1.5 (2006-10-16) 8.1.4 (2006-05-23) 8.1.3 (2006-02-14) 8.1.2 (2006-01-09) 8.1.1 (2005-12-12) 8.1.0 (2005-11-08) |
Postgres 8.0 (end of life: Oct 1, 2010) 8.0.26 (2010-10-04) 8.0.25 (2010-05-17) 8.0.24 (2010-03-15) 8.0.23 (2009-12-14) 8.0.22 (2009-09-09) 8.0.21 (2009-03-16) 8.0.20 (2009-02-02) 8.0.19 (2008-11-03) 8.0.18 (2008-09-22) 8.0.17 (2008-06-12) 8.0.16 (never released!) 8.0.15 (2008-01-07) 8.0.14 (2007-09-17) 8.0.13 (2007-04-23) 8.0.12 (2007-02-07) 8.0.11 (2007-02-05) 8.0.10 (2007-01-08) 8.0.9 (2006-10-16) 8.0.8 (2006-05-23) 8.0.7 (2006-02-14) 8.0.6 (2006-01-09) 8.0.5 (2005-12-12) 8.0.4 (2005-10-04) 8.0.3 (2005-05-09) 8.0.2 (2005-04-07) 8.0.1 (2005-01-31) 8.0.0 (2005-01-19) |
Postgres 7.4 (end of life: Oct 1, 2010) 7.4.30 (2010-10-04) 7.4.29 (2010-05-17) 7.4.28 (2010-03-15) 7.4.27 (2009-12-14) 7.4.26 (2009-09-09) 7.4.25 (2009-03-16) 7.4.24 (2009-02-02) 7.4.23 (2008-11-03) 7.4.22 (2008-09-22) 7.4.21 (2008-06-12) 7.4.20 (never released!) 7.4.19 (2008-01-07) 7.4.18 (2007-09-17) 7.4.17 (2007-04-23) 7.4.16 (2007-02-05) 7.4.15 (2007-01-08) 7.4.14 (2006-10-16) 7.4.13 (2006-05-23) 7.4.12 (2006-02-14) 7.4.11 (2006-01-09) 7.4.10 (2005-12-12) 7.4.9 (2005-10-04) 7.4.8 (2005-05-09) 7.4.7 (2005-01-31) 7.4.6 (2004-10-22) 7.4.5 (2004-08-18) 7.4.4 (2004-08-16) 7.4.3 (2004-06-14) 7.4.2 (2004-03-08) 7.4.1 (2003-12-22) 7.4.0 (2003-11-17) |
Postgres 7.3 (end of life: Nov 27, 2007) 7.3.21 (2008-01-07) 7.3.20 (2007-09-17) 7.3.19 (2007-04-23) 7.3.18 (2007-02-05) 7.3.17 (2007-01-08) 7.3.16 (2006-10-16) 7.3.15 (2006-05-23) 7.3.14 (2006-02-14) 7.3.13 (2006-01-09) 7.3.12 (2005-12-12) 7.3.11 (2005-10-04) 7.3.10 (2005-05-09) 7.3.9 (2005-01-31) 7.3.8 (2004-10-22) 7.3.7 (2004-08-16) 7.3.6 (2004-03-02) 7.3.5 (2003-12-03) 7.3.4 (2003-07-24) 7.3.3 (2003-05-22) 7.3.2 (2003-02-04) 7.3.1 (2002-12-18) 7.3.0 (2002-11-27) |
Postgres 7.2 (end of life: Feb 4, 2007) 7.2.8 (2005-05-09) 7.2.7 (2005-01-31) 7.2.6 (2004-10-22) 7.2.5 (2004-08-16) 7.2.4 (2003-01-30) 7.2.3 (2002-10-01) 7.2.2 (2002-08-23) 7.2.1 (2002-03-21) 7.2.0 (2002-02-04) |
Postgres 7.1 (end of life: Apr 13, 2006) 7.1.3 (2001-08-15) 7.1.2 (2001-05-11) 7.1.1 (2001-05-05) 7.1.0 (2001-04-13) Postgres 7.0 (end of life: May 8, 2005) 7.0.3 (2000-11-11) 7.0.2 (2000-06-05) 7.0.1 (2000-06-01) 7.0.0 (2000-05-08) |
Postgres 6.5 (end of life: Jun 9, 2004) 6.5.3 (1999-10-13) 6.5.2 (1999-09-15) 6.5.1 (1999-07-15) 6.5.0 (1999-06-09) Postgres 6.4 (end of life: Oct 30, 2003) 6.4.2 (1998-12-20) 6.4.1 (1998-12-18) 6.4.0 (1998-10-30) Postgres 6.3 (end of life: Mar 1, 2003) 6.3.2 (1998-04-07) 6.3.1 (1998-03-23) 6.3.0 (1998-03-01) Postgres 6.2 (end of life) 6.2.1 (1997-10-17) 6.2.0 (1997-10-02) Postgres 6.1 (end of life) 6.1.1 (1997-07-22) 6.1.0 (1997-06-08) Postgres 6.0 and earlier... (end of life) 6.0.0 (1997-01-29) 1.09 (1996-11-04) 1.02 (1996-08-01) 1.01 (1996-02-23) 1.0 (1995-09-05) 0.03 (1995-07-21) 0.02 (1995-05-25) 0.01 (1995-05-01) |
Release date: 2023-05-11
This release contains a variety of fixes from 15.2. For information about new features in major release 15, see Version 15.0.
A dump/restore is not required for those running 15.X.
However, if you are upgrading from a version earlier than 15.1, see Version 15.1.
Prevent CREATE SCHEMA
from defeating changes in search_path
(Alexander Lakhin)
Within a CREATE SCHEMA
command, objects in the prevailing search_path
, as well as those in the newly-created schema, would be visible even within a called function or script that attempted to set a secure search_path
. This could allow any user having permission to create a schema to hijack the privileges of a security definer function or extension script.
The PostgreSQL Project thanks Alexander Lakhin for reporting this problem. (CVE-2023-2454 or CVE-2023-2454)
Enforce row-level security policies correctly after inlining a set-returning function (Stephen Frost, Tom Lane)
If a set-returning SQL-language function refers to a table having row-level security policies, and it can be inlined into a calling query, those RLS policies would not get enforced properly in some cases involving re-using a cached plan under a different role. This could allow a user to see or modify rows that should have been invisible.
The PostgreSQL Project thanks Wolfgang Walther for reporting this problem. (CVE-2023-2455 or CVE-2023-2455)
Fix potential corruption of the template (source) database after CREATE DATABASE
with the STRATEGY WAL_LOG
option (Nathan Bossart, Ryo Matsumura)
Improper buffer handling created a risk that any later modification of the template's pg_class
catalog would be lost.
Fix memory leakage and unnecessary disk reads during CREATE DATABASE
with the STRATEGY WAL_LOG
option (Andres Freund)
Avoid crash when the new schema name is omitted in CREATE SCHEMA
(Michael Paquier)
The SQL standard allows writing CREATE SCHEMA AUTHORIZATION
, with the schema name defaulting to owner_name
owner_name
. However some code paths expected the schema name to be present and would fail.
Fix various planner failures with MERGE
commands (Tom Lane)
Planning could fail with errors like “variable not found in subplan target list” or “PlaceHolderVar found where not expected”.
Fix the row count reported by MERGE
for some corner cases (Dean Rasheed)
The row count reported in the command tag counted rows that actually hadn't been modified due to a BEFORE ROW
trigger returning NULL. This is inconsistent with what happens in plain UPDATE
or DELETE
, so change it to not count such rows. Also, avoid counting a row twice when MERGE
moves it into a different partition of a partitioned table.
Fix MERGE
problems with concurrent updates (Dean Rasheed, Álvaro Herrera)
Some cases misbehaved if a row to be updated or deleted by MERGE
had just been updated by a concurrent transaction. This could lead to a crash, or the wrong merge action being executed, or no action at all.
Add support for decompiling MERGE
commands (Álvaro Herrera)
This was overlooked when MERGE
was added, but it's essential support for MERGE
in new-style SQL functions.
Fix enabling/disabling of foreign-key triggers in partitioned tables (Tom Lane)
ALTER TABLE ... ENABLE/DISABLE TRIGGER
failed if applied to a partitioned table's foreign-key enforcement triggers, because it tried to locate the clone triggers for the partitions by name, and they do not have the same name. Locate them by parent-trigger OID instead.
Disallow altering composite types that are stored in indexes (Tom Lane)
ALTER TYPE
disallows non-binary-compatible modifications of composite types if they are stored in any table columns. (Perhaps that will be allowed someday, but it hasn't happened yet; the locking implications of rewriting many tables are daunting.) We overlooked the possibility that an index might contain a composite type that doesn't also appear in its table.
Disallow system columns as elements of foreign keys (Tom Lane)
Since the removal of OID as a system column, there is no plausible use-case for this, and various bits of code no longer support it. Disallow it rather than trying to fix all the cases.
Ensure that COPY TO
from an RLS-enabled parent table does not copy any rows from child tables (Antonin Houska)
The documentation is quite clear that COPY TO
copies rows from only the named table, not any inheritance children it may have. However, if row-level security was enabled on the table then this stopped being true.
Avoid possible crash when array_position()
or array_positions()
is passed an empty array (Tom Lane)
Fix possible out-of-bounds fetch in to_char()
(Tom Lane)
With bad luck this could have resulted in a server crash.
Avoid buffer overread in translate()
function (Daniil Anisimov)
When using the deletion feature, the function might fetch the byte just after the input string, creating a small risk of crash.
Adjust text-search-related character classification logic to correctly detect whether the prevailing locale is C
(Jeff Davis)
This code got confused if the database's default collation uses ICU.
Avoid possible crash on empty input for type interval
(Tom Lane)
Re-allow exponential notation in ISO-8601 interval fields (Tom Lane)
Interval input like P0.1e10D
isn't officially sanctioned by ISO-8601, but we accepted it for a long time before version 15, so re-allow it.
Fix error cursor setting for parse errors in JSON string literals (Tom Lane)
Most cases in which a syntax error is detected in a string literal within a JSON value failed to set the error cursor appropriately. This led at least to an unhelpful error message (pointing to the token before the string, rather than the actual trouble spot), and could even result in a crash in v14 and later.
Fix data corruption due to vacuum_defer_cleanup_age
being larger than the current 64-bit xid (Andres Freund)
In v14 and later with non-default settings of vacuum_defer_cleanup_age
, it was possible to compute a very large vacuum cleanup horizon xid, leading to vacuum removing rows that are still live. v12 and v13 have a lesser form of the same problem affecting only GiST indexes, which could lead to index pages getting recycled too early.
Fix parser's failure to detect some cases of improperly-nested aggregates (Tom Lane)
This oversight could lead to executor failures for queries that should have been rejected as invalid.
Fix data structure corruption during parsing of serial SEQUENCE NAME
options (David Rowley)
This can lead to trouble if an event trigger captures the corrupted parse tree.
Correctly update plan nodes' parallel-safety markings when moving initplans from one node to another (Tom Lane)
This planner oversight could lead to “subplan was not initialized” errors at runtime.
Avoid failure with PlaceHolderVars in extended-statistics code (Tom Lane)
Use of dependency-type extended statistics could fail with “PlaceHolderVar found where not expected”.
Fix incorrect tests for whether a qual clause applied to a subquery can be transformed into a window aggregate “run condition” within the subquery (David Rowley)
A SubPlan within such a clause would cause assertion failures or incorrect answers, as would some other unusual cases.
Disable the inverse-transition optimization for window aggregates when the call contains sub-SELECTs (David Rowley)
This optimization requires that the aggregate's argument expressions have repeatable results, which might not hold for a sub-SELECT.
Fix oversights in execution of nested ARRAY[]
constructs (Alexander Lakhin, Tom Lane)
Correctly detect overflow of the total space needed for the result array, avoiding a possible crash due to undersized output allocation. Also ensure that any trailing padding space in the result array is zeroed; while leaving garbage there is harmless for most purposes, it can result in odd behavior later.
Prevent crash when updating a field within an array-of-domain-over-composite-type column (Dmitry Dolgov)
Fix partition pruning logic for partitioning on boolean columns (David Rowley)
Pruning with a condition like boolcol IS NOT TRUE
was done incorrectly, leading to possibly not returning rows in which boolcol
is NULL. Also, the rather unlikely case of partitioning on NOT boolcol
was handled incorrectly.
Fix race condition in per-batch cleanup during parallel hash join (Thomas Munro, Melanie Plageman)
A crash was possible given unlucky timing and parallel_leader_participation
= off
(which is not the default).
Recalculate GENERATED
columns after an EvalPlanQual check (Tom Lane)
In READ COMMITTED
isolation mode, the effects of a row update might need to get reapplied to a newer version of the row than the query found originally. If so, we need to recompute any GENERATED
columns, in case they depend on columns that were changed by the concurrent update.
Fix memory leak in Memoize plan execution (David Rowley)
Fix buffer refcount leak when using batched inserts for a foreign table included in a partitioned tree (Alexander Pyhalov)
Restore support for sub-millisecond vacuum_cost_delay
settings (Thomas Munro)
Don't balance vacuum cost delay when a table has a per-relation vacuum_cost_delay
setting of zero (Masahiko Sawada)
Delay balancing is supposed to be disabled whenever autovacuum is processing a table with a per-relation vacuum_cost_delay
setting, but this was done only for positive settings, not zero.
Fix corner-case crashes when columns have been added to the end of a view (Tom Lane)
Repair rare failure of MULTIEXPR_SUBLINK subplans in partitioned updates (Andres Freund, Tom Lane)
Use of the syntax INSERT ... ON CONFLICT DO UPDATE SET (c1, ...) = (SELECT ...)
with a partitioned target table could result in failure if any child table is dissimilar from the parent (for example, different physical column order). This typically manifested as failure of consistency checks in the executor; but a crash or incorrect data updates are also possible.
Fix handling of DEFAULT
markers within a multi-row INSERT ... VALUES
query on a view that has a DO ALSO INSERT ... SELECT
rule (Dean Rasheed)
Such cases typically failed with “unrecognized node type” errors or assertion failures.
Support references to OLD
and NEW
within subqueries in rule actions (Dean Rasheed, Tom Lane)
Such references are really lateral references, but the server could crash if the subquery wasn't explicitly marked with LATERAL
. Arrange to do that implicitly when necessary.
When decompiling a rule or SQL function body containing INSERT
/UPDATE
/DELETE
within WITH
, take care to print the correct alias for the target table (Tom Lane)
Fix glitches in SERIALIZABLE READ ONLY
optimization (Thomas Munro)
Transactions already marked as “doomed” confused the safe-snapshot optimization for SERIALIZABLE READ ONLY
transactions. The optimization was unnecessarily skipped in some cases. In other cases an assertion failure occurred (but there was no problem in non-assert builds).
Avoid leaking cache callback slots in the pgoutput
logical decoding plugin (Shi Yu)
Multiple cycles of starting up and shutting down the plugin within a single session would eventually lead to an “out of relcache_callback_list slots” error.
Avoid unnecessary calls to custom validators for index operator class options (Alexander Korotkov)
This change fixes some cases where an unexpected error was thrown.
Avoid useless work while scanning a multi-column BRIN index with multiple scan keys (Tomas Vondra)
The existing code effectively considered only the last scan key while deciding whether a range matched, thus usually scanning more of the index than it needed to.
Fix netmask handling in BRIN inet_minmax_multi_ops opclass (Tomas Vondra)
This error triggered an assertion failure in assert-enabled builds, but is mostly harmless in production builds.
Fix dereference of dangling pointer during buffering build of a GiST index (Alexander Lakhin)
This error seems to usually be harmless in production builds, as the fetched value is noncritical; but in principle it could cause a server crash.
Ignore dropped columns and generated columns during logical replication of an update or delete action (Onder Kalaci, Shi Yu)
Replication with the REPLICA IDENTITY FULL
option failed if the table contained such columns.
Correct the name of the wait event for SLRU buffer I/O for commit timestamps (Alexander Lakhin)
This wait event is named CommitTsBuffer
according to the documentation, but the code had it as CommitTSBuffer
. Change the code to match the documentation, as that way is more consistent with the naming of related wait events.
Re-activate reporting of wait event SLRUFlushSync
(Thomas Munro)
Reporting of this type of wait was accidentally removed in code refactoring.
Avoid possible underflow when calculating how many WAL segments to keep (Kyotaro Horiguchi)
This could result in not honoring wal_keep_size
accurately.
Disable startup progress reporting overhead in standby mode (Bharath Rupireddy)
In standby mode, we don't actually report progress of recovery, but we were doing work to track it anyway.
Support RSA-PSS certificates with SCRAM-SHA-256 channel binding (Jacob Champion, Heikki Linnakangas)
This feature requires building with OpenSSL 1.1.1 or newer. Both the server and libpq are affected.
Avoid race condition with process ID tracking on Windows (Thomas Munro)
The operating system could recycle a PID before the postmaster observed that that child process was gone. This could lead to tracking more than one child with the same PID, resulting in confusion.
Fix list_copy_head()
to work correctly on an empty List (David Rowley)
This case is not known to be reached by any core PostgreSQL code, but extensions might rely on it working.
Add missing cases to SPI_result_code_string()
(Dean Rasheed)
Fix erroneous Valgrind markings in AllocSetRealloc()
(Karina Litskevich)
In the unusual case where the size of a large (>8kB) palloc chunk is decreased, a Valgrind-aware build would mismark the defined-ness state of the memory released from the chunk, possibly causing incorrect results during Valgrind testing.
Fix assertion failure for MERGE
into a partitioned table with row-level security enabled (Dean Rasheed)
Avoid assertion failure when decoding a transactional logical replication message (Tomas Vondra)
Avoid locale sensitivity when processing regular expression escapes (Jeff Davis)
A backslash followed by a non-ASCII character could sometimes cause an assertion failure, depending on the prevailing locale.
Avoid trying to write an empty WAL record in log_newpage_range()
when the last few pages in the specified range are empty (Matthias van de Meent)
It is not entirely clear whether this case is reachable in released branches, but if it is then an assertion failure could occur.
Fix session-lifespan memory leakage in plpgsql DO
blocks that use cast expressions (Ajit Awekar, Tom Lane)
Tighten array dimensionality checks when converting Perl list structures to multi-dimensional SQL arrays (Tom Lane)
plperl could misbehave when the nesting of sub-lists is inconsistent so that the data does not represent a rectangular array of values. Such cases now produce errors, but previously they could result in a crash or garbage output.
Tighten array dimensionality checks when converting Python list structures to multi-dimensional SQL arrays (Tom Lane)
plpython could misbehave when dealing with empty sub-lists, or when the nesting of sub-lists is inconsistent so that the data does not represent a rectangular array of values. The former should result in an empty output array, and the latter in an error. But some cases resulted in a crash, and others in unexpected output.
Fix unwinding of exception stack in plpython (Xing Guo)
Some rare failure cases could return without cleaning up the PG_TRY exception stack, risking a crash if another error was raised before the next stack level was unwound.
Fix inconsistent GSS-encryption error handling in libpq's PQconnectPoll()
(Michael Paquier)
With gssencmode
set to require
, the connection was not marked dead after a GSS initialization failure. Make it fail immediately, as the equivalent case for TLS encryption has long done.
Fix possible data corruption in ecpg programs built with the -C ORACLE
option (Kyotaro Horiguchi)
When ecpg_get_data()
is called with varcharsize
set to zero, it could write a terminating zero character into the last byte of the preceding field, truncating the data in that field.
Fix pg_dump so that partitioned tables that are hash-partitioned on an enum-type column can be restored successfully (Tom Lane)
Since the hash codes for enum values depend on the OIDs assigned to the enum, they are typically different after a dump and restore, meaning that rows often need to go into a different partition than they were in originally. Users can work around that by specifying the --load-via-partition-root
option; but since there is very little chance of success without that, teach pg_dump to apply it automatically to such tables.
Also, fix pg_restore to not try to TRUNCATE
target tables before restoring into them when --load-via-partition-root
mode is used. This avoids a hazard of deadlocks and lost data.
Correctly detect non-seekable files on Windows (Juan José Santamaría Flecha, Michael Paquier, Daniel Watzinger)
This bug led to misbehavior when pg_dump writes to a pipe or pg_restore reads from one.
In pgbench's “prepared” mode, prepare all the commands in a pipeline before starting the pipeline (Álvaro Herrera)
This avoids a failure when a pgbench script tries to start a serializable transaction inside a pipeline.
In contrib/amcheck
's heap checking code, deal correctly with tuples having zero xmin or xmax (Robert Haas)
In contrib/amcheck
, deal sanely with xids that appear to be before epoch zero (Andres Freund)
In cases of corruption we might see a wrapped-around 32-bit xid that appears to be before the first xid epoch. Promoting such a value to 64-bit form produced a value far in the future, resulting in wrong reports. Return FirstNormalFullTransactionId in such cases so that things work reasonably sanely.
In contrib/basebackup_to_shell
, properly detect failure to open a pipe (Robert Haas)
In contrib/hstore_plpython
, avoid crashing if the Python value to be transformed isn't a mapping (Dmitry Dolgov, Tom Lane)
This should give an error, but Python 3 changed some APIs in a way that caused the check to misbehave, allowing a crash to ensue.
Require the siglen
option of a GiST index on an ltree
column, if specified, to be a multiple of 4 (Alexander Korotkov)
Other values result in misaligned accesses to index content, which is harmless on Intel-compatible hardware but can cause a crash on some other architectures.
In contrib/pageinspect
, add defenses against incorrect input for the gist_page_items()
function (Dmitry Koval)
Fix misbehavior in contrib/pg_trgm
with an unsatisfiable regular expression (Tom Lane)
A regex such as $foo
is legal but unsatisfiable; the regex compiler recognizes that and produces an empty NFA graph. Attempting to optimize such a graph into a pg_trgm GIN or GiST index qualification resulted in accessing off the end of a work array, possibly leading to crashes.
Fix handling of escape sequences in contrib/postgres_fdw
's application_name
parameter (Kyotaro Horiguchi, Michael Paquier)
The code to expand these could fail if executed in a background process, as for example during auto-analyze of a foreign table.
In contrib/pg_walinspect
, limit memory usage of pg_get_wal_records_info()
(Bharath Rupireddy)
Use the --strip-unneeded
option when stripping static libraries with GNU-compatible strip (Tom Lane)
Previously, make install-strip
used the -x
option in this case. This change avoids misbehavior of llvm-strip, and gives slightly smaller output as well.
Stop recommending auto-download of DTD files for building the documentation, and indeed disable it (Aleksander Alekseev, Peter Eisentraut, Tom Lane)
It appears no longer possible to build the SGML documentation without a local installation of the DocBook DTD files. Formerly xsltproc could download those files on-the-fly from sourceforge.net; but sourceforge.net now permits only HTTPS access, and no common version of xsltproc supports that. Hence, remove the bits of our documentation suggesting that that's possible or useful, and instead add xsltproc's --nonet
option to the build recipes.
When running TAP tests in PGXS builds, use a saner location for the temporary portlock
directory (Peter Eisentraut)
Place it under tmp_check
in the build directory. With the previous coding, a PGXS build would try to place it in the installation directory, which is not necessarily writable.
Update time zone data files to tzdata release 2023c for DST law changes in Egypt, Greenland, Morocco, and Palestine.
When observing Moscow time, Europe/Kirov and Europe/Volgograd now use the abbreviations MSK/MSD instead of numeric abbreviations, for consistency with other timezones observing Moscow time. Also, America/Yellowknife is no longer distinct from America/Edmonton; this affects some pre-1948 timestamps in that area.
Release date: 2023-02-09
This release contains a variety of fixes from 15.1. For information about new features in major release 15, see Version 15.0.
A dump/restore is not required for those running 15.X.
However, if you are upgrading from a version earlier than 15.1, see Version 15.1.
libpq can leak memory contents after GSSAPI transport encryption initiation fails (Jacob Champion)
A modified server, or an unauthenticated man-in-the-middle, can send a not-zero-terminated error message during setup of GSSAPI (Kerberos) transport encryption. libpq will then copy that string, as well as following bytes in application memory up to the next zero byte, to its error report. Depending on what the calling application does with the error report, this could result in disclosure of application memory contents. There is also a small probability of a crash due to reading beyond the end of memory. Fix by properly zero-terminating the server message. (CVE-2022-41862 or CVE-2022-41862)
Fix calculation of which GENERATED
columns need to be updated in child tables during an UPDATE
on a partitioned table or inheritance tree (Amit Langote, Tom Lane)
This fixes failure to update GENERATED
columns that do not exist in the parent table, or that have different dependencies than are in the parent column's generation expression.
Fix possible failure of MERGE
to compute GENERATED
columns (Dean Rasheed)
When the first row-level action of the MERGE
was an UPDATE
, any subsequent INSERT
actions would fail to compute GENERATED
columns that were deemed unnecessary to compute for the UPDATE
action (due to not depending on any of the UPDATE
target columns).
Fix MERGE
's check for unreachable WHEN
clauses (Dean Rasheed)
A WHEN
clause following an unconditional WHEN
clause should be rejected as unreachable, but this case was not always detected.
Fix MERGE
's rule-detection test (Dean Rasheed)
MERGE
is not supported on tables with rules; but it also failed on tables that once had rules but no longer do.
In MERGE
, don't count a DO NOTHING
action as a processed tuple (Álvaro Herrera)
This makes the code's behavior match the documentation.
Allow a WITH RECURSIVE ... CYCLE
CTE to access its output column (Tom Lane)
A reference to the SET
column from within the CTE would fail with “cache lookup failed for type 0”.
Fix handling of pending inserts when doing a bulk insertion to a foreign table (Etsuro Fujita)
In some cases pending insertions were not flushed to the FDW soon enough, leading to logical inconsistencies, for example BEFORE ROW
triggers not seeing rows they should be able to see.
Allow REPLICA IDENTITY
to be set on an index that's not (yet) valid (Tom Lane)
When pg_dump dumps a partitioned index that's marked REPLICA IDENTITY
, it generates a command sequence that applies REPLICA IDENTITY
before the partitioned index has been marked valid, causing restore to fail. There seems no very good reason to prohibit doing it in that order, so allow it. The marking will have no effect anyway until the index becomes valid.
Fix handling of DEFAULT
markers in rules that perform an INSERT
from a multi-row VALUES
list (Dean Rasheed)
In some cases a DEFAULT
marker would not get replaced with the proper default-value expression, leading to an “unrecognized node type” error.
Reject uses of undefined variables in jsonpath
existence checks (Alexander Korotkov, David G. Johnston)
While jsonpath
match operators threw an error for an undefined variable in the path pattern, the existence operators silently treated it as a match.
Fix jsonb
subscripting to cope with toasted subscript values (Tom Lane, David G. Johnston)
Using a text value fetched directly from a table as a jsonb
subscript was likely to fail. Fetches would usually not find any matching element. Assignments could store the value with a garbage key, although keys long enough to cause that problem are probably rare in the field.
Fix edge-case data corruption in parallel hash joins (Dmitry Astapov)
If the final chunk of a large tuple being written out to a temporary file was exactly 32760 bytes, it would be corrupted due to a fencepost bug. The query would typically fail later with corrupted-data symptoms.
Honor non-default settings of checkpoint_completion_target
(Bharath Rupireddy)
Internal state was not updated after a change in checkpoint_completion_target
, possibly resulting in performing checkpoint I/O faster or slower than desired, especially if that setting was changed on-the-fly.
Log the correct ending timestamp in recovery_target_xid
mode (Tom Lane)
When ending recovery based on the recovery_target_xid
setting with recovery_target_inclusive
= off
, we printed an incorrect timestamp (always 2000-01-01) in the “recovery stopping before ... transaction” log message.
Improve error reporting for some buffered file read failures (Peter Eisentraut)
Correctly report a short read, giving the numbers of bytes desired and actually read, instead of reporting an irrelevant error code. Most places got this right already, but some recently-written replication logic did not.
Remove arbitrary limit on number of elements in int2vector
and oidvector
(Tom Lane)
The input functions for these types previously rejected more than 100 elements. With the introduction of the logical replication column list feature, it's necessary to accept int2vector
s having up to 1600 columns, otherwise long column lists cause logical-replication failures.
In extended query protocol, avoid an immediate commit after ANALYZE
if we're running a pipeline (Tom Lane)
If there's not been an explicit BEGIN TRANSACTION
, ANALYZE
would take it on itself to commit, which should not happen within a pipelined series of commands.
Reject cancel request packets having the wrong length (Andrey Borodin)
The server would process a cancel request even if its length word was too small. This led to reading beyond the end of the allocated buffer. In theory that could cause a segfault, but it seems quite unlikely to happen in practice, since the buffer would have to be very close to the end of memory. The more likely outcome was a bogus log message about wrong backend PID or cancel code. Complain about the wrong length, instead.
Fix planner preprocessing oversights for window function run-condition expressions (Richard Guo, David Rowley)
This could lead to planner errors such as “WindowFunc not found in subplan target lists”.
Fix possible dangling-pointer access during execution of window function run-condition expressions (David Rowley)
In practice, because the run-condition optimization is only applied to certain window functions that happen to all return int8
, this only manifested as a problem on 32-bit builds.
Add recursion and looping defenses in subquery pullup (Tom Lane)
A contrived query can result in deep recursion and unreasonable amounts of time spent trying to flatten subqueries. A proper fix for that seems unduly invasive for a back-patch, but we can at least add stack depth checks and an interrupt check to allow the query to be cancelled.
Fix planner issues when combining Memoize nodes with partitionwise joins or parameterized nestloops (Richard Guo)
These errors could lead to not using Memoize in contexts where it would be useful, or possibly to wrong query plans.
Fix partitionwise-join code to tolerate failure to produce a plan for each partition (Tom Lane)
This could result in “could not devise a query plan for the given query” errors.
Limit the amount of cleanup work done by get_actual_variable_range
(Simon Riggs)
Planner runs occurring just after deletion of a large number of tuples appearing at the end of an index could expend significant amounts of work setting the “killed” bits for those index entries. Limit the amount of work done in any one query by giving up on this process after examining 100 heap pages. All the cleanup will still happen eventually, but without so large a performance hiccup.
Prevent the statistics machinery from getting confused when a relation's relkind changes (Andres Freund)
Converting a table to a view could lead to crashes or assertion failures.
Fix under-parenthesized display of AT TIME ZONE
constructs (Tom Lane)
This could result in dump/restore failures for rules or views in which an argument of AT TIME ZONE
is itself an expression.
Prevent clobbering of cached parsetrees for utility statements in SQL functions (Tom Lane, Daniel Gustafsson)
If a SQL-language function executes the same utility command more than once within a single calling query, it could crash or report strange errors such as “unrecognized node type”.
Ensure that execution of full-text-search queries can be cancelled while they are performing phrase matches (Tom Lane)
Fix memory leak in hashing strings with nondeterministic collations (Jeff Davis)
Fix deadlock between DROP DATABASE
and logical replication worker process (Hou Zhijie)
This was caused by an ill-advised choice to block interrupts while creating a logical replication slot in the worker. In version 15 that could lead to an undetected deadlock. In version 14, no deadlock has been observed, but it's still a bad idea to block interrupts while waiting for network I/O.
Clean up the libpq connection object after a failed replication connection attempt (Andres Freund)
The previous coding leaked the connection object. In background code paths that's pretty harmless because the calling process will give up and exit. But in commands such as CREATE SUBSCRIPTION
, such a failure resulted in a small session-lifespan memory leak.
In hot-standby servers, reduce processing effort for tracking XIDs known to be active on the primary (Simon Riggs, Michail Nikolaev)
Insufficiently-aggressive cleanup of the KnownAssignedXids array could lead to poor performance, particularly when max_connections
is set to a large value on the standby.
Ignore invalidated logical-replication slots while determining oldest catalog xmin (Sirisha Chamarthi)
A replication slot could prevent cleanup of dead tuples in the system catalogs even after it becomes invalidated due to exceeding max_slot_wal_keep_size
. Thus, failure of a replication consumer could lead to indefinitely-large catalog bloat.
In logical decoding, notify the remote node when a transaction is detected to have crashed (Hou Zhijie)
After a server restart, we'll re-stream the changes for transactions occurring shortly before the restart. Some of these transactions probably never completed; when we realize that one didn't we throw away the relevant decoding state locally, but we neglected to tell the subscriber about it. That led to the subscriber keeping useless streaming files until it's next restarted.
Fix uninitialized-memory usage in logical decoding (Masahiko Sawada)
In certain cases, resumption of logical decoding could try to re-use XID data that had already been freed, leading to unpredictable behavior.
Acquire spinlock while updating shared state during logical decoding context creation (Masahiko Sawada)
We neglected to acquire the appropriate lock while updating data about two-phase transactions, potentially allowing other processes to see inconsistent data.
Fix pgoutput replication plug-in to not send columns not listed in a table's replication column list (Hou Zhijie)
UPDATE
and DELETE
events did not pay attention to the configured column list, thus sending more data than expected. This did not cause a problem when the receiver is our built-in logical replication code, but it might confuse other receivers, and in any case it wasted network bandwidth.
Avoid rare “failed to acquire cleanup lock” panic during WAL replay of hash-index page split operations (Robert Haas)
Advance a heap page's LSN when setting its all-visible bit during WAL replay (Jeff Davis)
Failure to do this left the page possibly different on standby servers than the primary, and violated some other expectations about when the LSN changes. This seems only a theoretical hazard so far as PostgreSQL itself is concerned, but it could upset third-party tools.
Fix int64_div_fast_to_numeric()
to work for a wider range of inputs (Dean Rasheed)
This function misbehaved with some values of its second argument. No such usages exist in core PostgreSQL, but it's clearly a hazard for external modules, so repair.
Fix latent buffer-overrun problem in WaitEventSet
logic (Thomas Munro)
The epoll
-based and kqueue
-based implementations could ask the kernel for too many events if the size of their internal buffer was different from the size of the caller's output buffer. That case is not known to occur in released PostgreSQL versions, but this error is a hazard for external modules and future bug fixes.
Avoid nominally-undefined behavior when accessing shared memory in 32-bit builds (Andres Freund)
clang's undefined-behavior sanitizer complained about use of a pointer that was less aligned than it should be. It's very unlikely that this would cause a problem in non-debug builds, but it's worth fixing for testing purposes.
Fix assertion failure in BRIN minmax-multi opclasses (Tomas Vondra)
The assertion was overly strict, so this mistake was harmless in non-assert builds.
Remove faulty assertion in useless-RESULT-RTE optimization logic (Tom Lane)
Fix copy-and-paste errors in cache-lookup-failure messages for ACL checks (Justin Pryzby)
In principle these errors should never be reached. But if they are, some of them reported the wrong type of object.
Fix possible corruption of very large tablespace map files in pg_basebackup (Antonin Houska)
Avoid harmless warning from pg_dump in --if-exists
mode (Tom Lane)
If the public
schema has a non-default owner then use of pg_dump's --if-exists
option resulted in a warning message “warning: could not find where to insert IF EXISTS in statement "-- *not* dropping schema, since initdb creates it"”. The dump output was okay, though.
Fix psql's \sf
and \ef
commands to handle SQL-language functions that have SQL-standard function bodies (Tom Lane)
These commands misidentified the start of the function body when it used new-style syntax.
Fix tab completion of ALTER FUNCTION/PROCEDURE/ROUTINE
... SET SCHEMA
(Dean Rasheed)
Update contrib/pageinspect
to mark its disk-accessing functions as PARALLEL RESTRICTED
(Tom Lane)
This avoids possible failure if one of these functions is used to examine a temporary table, since a session's temporary tables are not accessible from parallel workers.
Fix contrib/seg
to not crash or print garbage if an input number has more than 127 digits (Tom Lane)
Fix build on Microsoft Visual Studio 2013 (Tom Lane)
A previous patch supposed that all platforms of interest have snprintf()
, but MSVC 2013 isn't quite there yet. Revert to using sprintf()
on that platform.
Fix compile failure in building PL/Perl with MSVC when using Strawberry Perl (Andrew Dunstan)
Fix mismatch of PL/Perl built with MSVC versus a Perl library built with gcc (Andrew Dunstan)
Such combinations could previously fail with “loadable library and perl binaries are mismatched” errors.
Suppress compiler warnings from Perl's header files (Andres Freund)
Our preferred compiler options provoke warnings about constructs appearing in recent versions of Perl's header files. When using gcc, we can suppress these warnings with a pragma.
Fix pg_waldump to build on compilers that don't discard unused static-inline functions (Tom Lane)
Update time zone data files to tzdata release 2022g for DST law changes in Greenland and Mexico, plus historical corrections for northern Canada, Colombia, and Singapore.
Notably, a new timezone America/Ciudad_Juarez has been split off from America/Ojinaga.
Release date: 2022-11-10
This release contains a variety of fixes from 15.0. For information about new features in major release 15, see Version 15.0.
A dump/restore is not required for those running 15.X.
However, if you regularly create and drop tables exceeding 1GB, see the first changelog entry below.
Fix failure to remove non-first segments of large tables (Tom Lane)
PostgreSQL splits large tables into multiple files (normally with 1GB per file). The logic for dropping a table was broken and would miss removing all but the first such file, in two cases: drops of temporary tables and WAL replay of drops of regular tables. Applications that routinely create multi-gigabyte temporary tables could suffer significant disk space leakage.
Orphaned temporary-table files are removed during postmaster start, so the mere act of updating to 15.1 is sufficient to clear any leaked temporary-table storage. However, if you suffered any database crashes while using 15.0, and there might have been large tables dropped just before such crashes, it's advisable to check the database directories for files named according to the pattern
. If there is no matching file named just NNNN
.NN
(without the NNNN
.
suffix), these files should be removed manually.NN
Fix handling of DEFAULT
tokens that appear in a multi-row VALUES
clause of an INSERT
on an updatable view (Tom Lane)
This oversight could lead to “cache lookup failed for type” errors, or in older branches even to crashes.
Disallow rules named _RETURN
that are not ON SELECT
(Tom Lane)
This avoids confusion between a view's ON SELECT
rule and any other rules it may have.
Avoid failure in EXPLAIN VERBOSE
for a query using SEARCH BREADTH FIRST
with constant initial values (Tom Lane)
Prevent use of MERGE
on a partitioned table with foreign-table partitions (Álvaro Herrera)
The case isn't supported, and previously threw an incomprehensible error.
Fix construction of per-partition foreign key constraints while doing ALTER TABLE ATTACH PARTITION
(Jehan-Guillaume de Rorthais, Álvaro Herrera)
Previously, incorrect or duplicate constraints could be constructed for the newly-added partition.
Fix planner failure with extended statistics on partitioned or inherited tables (Richard Guo, Justin Pryzby)
Some cases failed with “cache lookup failed for statistics object”.
Fix mis-ordering of WAL operations in fast insert path for GIN indexes (Matthias van de Meent, Zhang Mingli)
This mistake is not known to have any negative consequences within core PostgreSQL, but it did cause issues for some extensions.
Fix bugs in logical decoding when replay starts from a point between the beginning of a transaction and the beginning of its subtransaction (Masahiko Sawada, Kuroda Hayato)
These errors could lead to assertion failures in debug builds, and otherwise to memory leaks.
Accept interrupts in more places during logical decoding (Amit Kapila, Masahiko Sawada)
This ameliorates problems with slow shutdown of replication workers.
Prevent attempts to replicate into a foreign-table partition in replication workers (Shi Yu, Tom Lane)
Although partitioned tables can have foreign tables as partitions, replicating into such a partition isn't currently supported. The logical replication worker process would crash if it was attempted. Now, an error is thrown.
Avoid crash after function syntax error in replication workers (Maxim Orlov, Anton Melnikov, Masahiko Sawada, Tom Lane)
If a syntax error occurred in a SQL-language or PL/pgSQL-language CREATE FUNCTION
or DO
command executed in a logical replication worker, the worker process would crash with a null pointer dereference or assertion failure.
Avoid double call of the shutdown callback of an archiver module (Nathan Bossart, Bharath Rupireddy)
Add plan-time check for attempted access to a table that has no table access method (Tom Lane)
This prevents a crash in some catalog-corruption scenarios, for example use of a view whose ON SELECT
rule is missing.
Prevent postmaster crash when shared-memory state is corrupted (Tom Lane)
The postmaster process is supposed to survive and initiate a database restart if shared memory becomes corrupted, but one bit of code was being insufficiently cautious about that.
In libpq, handle single-row mode correctly when pipelining (Denis Laxalde)
The single-row flag was not reset at the correct time if pipeline mode was also active.
Fix psql's exit status when a command-line query is canceled (Peter Eisentraut)
psql -c
would exit successfully if the query was canceled. Fix it to exit with nonzero status, as in other error cases.query
Allow cross-platform tablespace relocation in pg_basebackup (Robert Haas)
Allow the remote path in --tablespace-mapping
to be either a Unix-style or Windows-style absolute path, since the source server could be on a different OS than the local system.
Fix pg_dump's failure to dump comments attached to some CHECK
constraints (Tom Lane)
Fix CREATE DATABASE
to allow its oid
parameter to exceed 231 (Tom Lane)
This oversight prevented pg_upgrade from succeeding when the source installation contained databases with OIDs larger than that.
In pg_stat_statements, fix access to already-freed memory (zhaoqigui)
This occurred if pg_stat_statements tracked a ROLLBACK
command issued via extended query protocol. In debug builds it consistently led to an assertion failure. In production builds there would often be no visible ill effect; but if the freed memory had already been reused, the likely result would be to store garbage for the query string.
Fix incompatibilities with LLVM 15 (Thomas Munro, Andres Freund)
Allow use of __sync_lock_test_and_set()
for spinlocks on any machine (Tom Lane)
This eases porting to new machine architectures, at least if you're using a compiler that supports this GCC builtin function.
Rename symbol REF
to REF_P
to avoid compile failure on recent macOS (Tom Lane)
Avoid using sprintf
, to avoid compile-time deprecation warnings (Tom Lane)
Update time zone data files to tzdata release 2022f for DST law changes in Chile, Fiji, Iran, Jordan, Mexico, Palestine, and Syria, plus historical corrections for Chile, Crimea, Iran, and Mexico.
Also, the Europe/Kiev zone has been renamed to Europe/Kyiv. Also, the following zones have been merged into nearby, more-populous zones whose clocks have agreed with them since 1970: Antarctica/Vostok, Asia/Brunei, Asia/Kuala_Lumpur, Atlantic/Reykjavik, Europe/Amsterdam, Europe/Copenhagen, Europe/Luxembourg, Europe/Monaco, Europe/Oslo, Europe/Stockholm, Indian/Christmas, Indian/Cocos, Indian/Kerguelen, Indian/Mahe, Indian/Reunion, Pacific/Chuuk, Pacific/Funafuti, Pacific/Majuro, Pacific/Pohnpei, Pacific/Wake and Pacific/Wallis. (This indirectly affects zones that were already links to one of these: Arctic/Longyearbyen, Atlantic/Jan_Mayen, Iceland, Pacific/Ponape, Pacific/Truk, and Pacific/Yap.) America/Nipigon, America/Rainy_River, America/Thunder_Bay, Europe/Uzhgorod, and Europe/Zaporozhye were also merged into nearby zones after discovering that their claimed post-1970 differences from those zones seem to have been errors. In all these cases, the previous zone name remains as an alias; but the actual data is that of the zone that was merged into.
These zone mergers result in loss of pre-1970 timezone history for the merged zones, which may be troublesome for applications expecting consistency of timestamptz
display. As an example, the stored value 1944-06-01 12:00 UTC
would previously display as 1944-06-01 13:00:00+01
if the Europe/Stockholm zone is selected, but now it will read out as 1944-06-01 14:00:00+02
.
It is possible to build the time zone data files with options that will restore the older zone data, but that choice also inserts a lot of other old (and typically poorly-attested) zone data, resulting in more total changes from the previous release than accepting these upstream changes does. PostgreSQL has chosen to ship the tzdb data as-recommended, and so far as we are aware most major operating system distributions are doing likewise. However, if these changes cause significant problems for your application, a possible solution is to install a local build of the time zone data files using tzdb's backwards-compatibility options (see their PACKRATDATA
and PACKRATLIST
options).
Release date: 2022-10-13
PostgreSQL 15 contains many new features and enhancements, including:
Support for the SQL MERGE
command.
Selective publication of tables' contents within logical replication publications, through the ability to specify column lists and row filter conditions.
More options for compression, including support for Zstandard (zstd) compression. This includes support for performing compression on the server side during pg_basebackup.
Support for structured server log output using the JSON format.
Performance improvements, particularly for in-memory and on-disk sorting.
The above items and other new features of PostgreSQL 15 are explained in more detail in the sections below.
A dump/restore using pg_dumpall or use of pg_upgrade or logical replication is required for those wishing to migrate data from any previous release. See Section 19.6 for general information on migrating to new major releases.
Version 15 contains a number of changes that may affect compatibility with previous releases. Observe the following incompatibilities:
Remove PUBLIC
creation permission on the public
schema (Noah Misch)
The new default is one of the secure schema usage patterns that Section 5.9.6 has recommended since the security release for CVE-2018-1058 or CVE-2018-1058. The change applies to new database clusters and to newly-created databases in existing clusters. Upgrading a cluster or restoring a database dump will preserve public
's existing permissions.
For existing databases, especially those having multiple users, consider revoking CREATE
permission on the public
schema to adopt this new default. For new databases having no need to defend against insider threats, granting CREATE
permission will yield the behavior of prior releases.
Change the owner of the public
schema to be the new pg_database_owner
role (Noah Misch)
This allows each database's owner to have ownership privileges on the public
schema within their database. Previously it was owned by the bootstrap superuser, so that non-superuser database owners could not do anything with it.
This change applies to new database clusters and to newly-created databases in existing clusters. Upgrading a cluster or restoring a database dump will preserve public
's existing ownership specification.
Remove long-deprecated exclusive backup mode (David Steele, Nathan Bossart)
If the database server stops abruptly while in this mode, the server could fail to start. The non-exclusive backup mode is considered superior for all purposes. Functions pg_start_backup()
/pg_stop_backup()
have been renamed to pg_backup_start()
/pg_backup_stop()
, and the functions pg_backup_start_time()
and pg_is_in_backup()
have been removed.
Increase hash_mem_multiplier
default to 2.0 (Peter Geoghegan)
This allows query hash operations to use more work_mem
memory than other operations.
Remove server-side language plpython2u
and generic Python language plpythonu
(Andres Freund)
Python 2.x is no longer supported. While the original intent of plpythonu
was that it could eventually refer to plpython3u
, changing it now seems more likely to cause problems than solve them, so it's just been removed.
Generate an error if array_to_tsvector()
is passed an empty-string array element (Jean-Christophe Arnu)
This is prohibited because lexemes should never be empty. Users of previous Postgres releases should verify that no empty lexemes are stored because they can lead to dump/restore failures and inconsistent results.
Generate an error when chr()
is supplied with a negative argument (Peter Eisentraut)
Prevent CREATE OR REPLACE VIEW
from changing the collation of an output column (Tom Lane)
Disallow zero-length Unicode identifiers, e.g., U&""
(Peter Eisentraut)
Non-Unicode zero-length identifiers were already disallowed.
Prevent numeric literals from having non-numeric trailing characters (Peter Eisentraut)
Previously, query text like 123abc
would be interpreted as 123
followed by a separate token abc
.
Adjust JSON numeric literal processing to match the SQL/JSON-standard (Peter Eisentraut)
This accepts numeric formats like .1
and 1.
, and disallows trailing junk after numeric literals, like 1.type()
.
When interval
input provides a fractional value for a unit greater than months, round to the nearest month (Bruce Momjian)
For example, convert 1.99 years
to 2 years
, not 1 year 11 months
as before.
Improve consistency of interval
parsing with trailing periods (Tom Lane)
Numbers with trailing periods were rejected on some platforms.
Mark the interval
output function as stable, not immutable, since it depends on IntervalStyle
(Tom Lane)
This will, for example, cause creation of indexes relying on the text output of interval
values to fail.
Detect integer overflow in interval justification functions (Joe Koshakow)
The affected functions are justify_interval()
, justify_hours()
, and justify_days()
.
Change the I/O format of type "char"
for non-ASCII characters (Tom Lane)
Bytes with the high bit set are now output as a backslash and three octal digits, to avoid encoding issues.
Remove the default ADMIN OPTION
privilege a login role has on its own role membership (Robert Haas)
Previously, a login role could add/remove members of its own role, even without ADMIN OPTION
privilege.
Allow logical replication to run as the owner of the subscription (Mark Dilger)
Because row-level security policies are not checked, only superusers, roles with bypassrls
, and table owners can replicate into tables with row-level security policies.
Prevent UPDATE
and DELETE
logical replication operations on tables where the subscription owner does not have SELECT
permission on the table (Jeff Davis)
UPDATE
and DELETE
commands typically involve reading the table as well, so require the subscription owner to have table SELECT
permission.
When EXPLAIN
references the session's temporary object schema, refer to it as pg_temp
(Amul Sul)
Previously the actual schema name was reported, leading to inconsistencies across sessions.
Fix pg_statio_all_tables
to sum values for the rare case of TOAST tables with multiple indexes (Andrei Zubkov)
Previously such cases would show one row for each index.
Disallow setting custom options that match the name of an installed extension, but are not one of the extension's declared variables (Florin Irion, Tom Lane)
This change causes any such pre-existing variables to be deleted during extension load, and then prevents new ones from being created later in the session. The intent is to prevent confusion about whether a variable is associated with an extension or not.
Remove obsolete server variable stats_temp_directory
(Andres Freund, Kyotaro Horiguchi)
Improve the algorithm used to compute random()
(Fabien Coelho)
This will cause random()
's results to differ from what was emitted by prior versions, even for the same seed value.
libpq's PQsendQuery()
function is no longer supported in pipeline mode (Álvaro Herrera)
Applications that are using that combination will need to be modified to use PQsendQueryParams()
instead.
On non-Windows platforms, consult the HOME
environment variable to find the user's home directory (Anders Kaseorg)
If HOME
is empty or unset, fall back to the previous method of checking the <pwd.h>
database. This change affects libpq (for example, while looking up ~/.pgpass
) as well as various client application programs.
Remove pg_dump's --no-synchronized-snapshots
option (Tom Lane)
All still-supported server versions support synchronized snapshots, so there's no longer a need for this option.
After an error is detected in psql's --single-transaction
mode, change the final COMMIT
command to ROLLBACK
only if ON_ERROR_STOP
is set (Michael Paquier)
Avoid unnecessary casting of constants in queries sent by postgres_fdw (Dian Fay)
When column types are intentionally different between local and remote databases, such casts could cause errors.
Remove xml2's xml_is_well_formed()
function (Tom Lane)
This function has been implemented in the core backend since Postgres 9.1.
Allow custom scan providers to indicate if they support projections (Sven Klemm)
The default is now that custom scan providers are assumed to not support projections; those that do will need to be updated for this release.
Below you will find a detailed account of the changes between PostgreSQL 15 and the previous major release.
Record and check the collation version of each database (Peter Eisentraut)
This feature is designed to detect collation version changes to avoid index corruption. Function pg_database_collation_actual_version()
reports the underlying operating system collation version, and ALTER DATABASE ... REFRESH
sets the recorded database collation version to match the operating system collation version.
Allow ICU collations to be set as the default for clusters and databases (Peter Eisentraut)
Previously, only libc-based collations could be selected at the cluster and database levels. ICU collations could only be used via explicit COLLATE
clauses.
Add system view pg_ident_file_mappings
to report pg_ident.conf
information (Julien Rouhaud)
Improve planning time for queries referencing partitioned tables (David Rowley)
This change helps when only a few of many partitions are relevant.
Allow ordered scans of partitions to avoid sorting in more cases (David Rowley)
Previously, a partitioned table with a DEFAULT
partition or a LIST
partition containing multiple values could not be used for ordered partition scans. Now they can be used if such partitions are pruned during planning.
Improve foreign key behavior of updates on partitioned tables that move rows between partitions (Amit Langote)
Previously, such updates ran a delete action on the source partition and an insert action on the target partition. PostgreSQL will now run an update action on the partition root, providing cleaner semantics.
Allow CLUSTER
on partitioned tables (Justin Pryzby)
Fix ALTER TRIGGER RENAME
on partitioned tables to properly rename triggers on all partitions (Arne Roland, Álvaro Herrera)
Also prohibit cloned triggers from being renamed.
Allow btree indexes on system and TOAST tables to efficiently store duplicates (Peter Geoghegan)
Previously de-duplication was disabled for these types of indexes.
Improve lookup performance of GiST indexes that were built using sorting (Aliaksandr Kalenik, Sergei Shoulbakov, Andrey Borodin)
Allow unique constraints and indexes to treat NULL
values as not distinct (Peter Eisentraut)
Previously NULL
entries were always treated as distinct values, but this can now be changed by creating constraints and indexes using UNIQUE NULLS NOT DISTINCT
.
Allow the ^@
starts-with operator and the starts_with()
function to use btree indexes if using the C collation (Tom Lane)
Previously these could only use SP-GiST indexes.
Allow extended statistics to record statistics for a parent with all its children (Tomas Vondra, Justin Pryzby)
Regular statistics already tracked parent and parent-plus-all-children statistics separately.
Add server variable recursive_worktable_factor
to allow the user to specify the expected size of the working table of a recursive query (Simon Riggs)
Allow hash lookup for NOT IN
clauses with many constants (David Rowley, James Coleman)
Previously the code always sequentially scanned the list of values.
Allow SELECT DISTINCT
to be parallelized (David Rowley)
Speed up encoding validation of UTF-8 text by processing 16 bytes at a time (John Naylor, Heikki Linnakangas)
This will improve text-heavy operations like COPY FROM
.
Improve performance for sorts that exceed work_mem
(Heikki Linnakangas)
When the sort data no longer fits in work_mem
, switch to a batch sorting algorithm that uses more output streams than before.
Improve performance and reduce memory consumption of in-memory sorts (Ronan Dunklau, David Rowley, Thomas Munro, John Naylor)
Allow WAL full page writes to use LZ4 and Zstandard compression (Andrey Borodin, Justin Pryzby)
This is controlled by the wal_compression
server setting.
Add support for writing WAL using direct I/O on macOS (Thomas Munro)
This only works if max_wal_senders = 0
and wal_level = minimal
.
Allow vacuum to be more aggressive in setting the oldest frozen and multi transaction id (Peter Geoghegan)
Allow a query referencing multiple foreign tables to perform parallel foreign table scans in more cases (Andrey Lepikhov, Etsuro Fujita)
Improve the performance of window functions that use row_number()
, rank()
, dense_rank()
and count()
(David Rowley)
Improve the performance of spinlocks on high-core-count ARM64 systems (Geoffrey Blake)
Enable default logging of checkpoints and slow autovacuum operations (Bharath Rupireddy)
This changes the default of log_checkpoints
to on
and that of log_autovacuum_min_duration
to 10 minutes. This will cause even an idle server to generate some log output, which might cause problems on resource-constrained servers without log file rotation. These defaults should be changed in such cases.
Generate progress messages in the server log during slow server starts (Nitin Jadhav, Robert Haas)
The messages report the cause of the delay. The time interval for notification is controlled by the new server variable log_startup_progress_interval
.
Store cumulative statistics system data in shared memory (Kyotaro Horiguchi, Andres Freund, Melanie Plageman)
Previously this data was sent to a statistics collector process via UDP packets, and could only be read by sessions after transferring it via the file system. There is no longer a separate statistics collector process.
Add additional information to VACUUM VERBOSE
and autovacuum logging messages (Peter Geoghegan)
Add EXPLAIN (BUFFERS)
output for temporary file block I/O (Masahiko Sawada)
Allow log output in JSON format (Sehrope Sarkuni, Michael Paquier)
The new setting is log_destination = jsonlog
.
Allow pg_stat_reset_single_table_counters()
to reset the counters of relations shared across all databases (Sadhuprasad Patro)
Add wait events for local shell commands (Fujii Masao)
The new wait events are used when calling archive_command
, archive_cleanup_command
, restore_command
and recovery_end_command
.
Allow table accesses done by a view to optionally be controlled by privileges of the view's caller (Christoph Heiss)
Previously, view accesses were always treated as being done by the view's owner. That's still the default.
Allow members of the pg_write_server_files
predefined role to perform server-side base backups (Dagfinn Ilmari Mannsåker)
Previously only superusers could perform such backups.
Allow GRANT
to grant permissions to change individual server variables via SET
and ALTER SYSTEM
(Mark Dilger)
The new function has_parameter_privilege()
reports on this privilege.
Add predefined role pg_checkpoint
that allows members to run CHECKPOINT
(Jeff Davis)
Previously checkpoints could only be run by superusers.
Allow members of the pg_read_all_stats
predefined role to access the views pg_backend_memory_contexts
and pg_shmem_allocations
(Bharath Rupireddy)
Previously these views could only be accessed by superusers.
Allow GRANT
to grant permissions on pg_log_backend_memory_contexts()
(Jeff Davis)
Previously this function could only be run by superusers.
Add server variable shared_memory_size
to report the size of allocated shared memory (Nathan Bossart)
Add server variable shared_memory_size_in_huge_pages
to report the number of huge memory pages required (Nathan Bossart)
This is only supported on Linux.
Honor server variable shared_preload_libraries
in single-user mode (Jeff Davis)
This change supports use of shared_preload_libraries
to load custom access methods and WAL resource managers, which would be essential for database access even in single-user mode.
On Solaris, make the default setting of dynamic_shared_memory_type
be sysv
(Thomas Munro)
The previous default choice, posix
, can result in spurious failures on this platform.
Allow postgres -C
to properly report runtime-computed values (Nathan Bossart)
Previously runtime-computed values data_checksums
, wal_segment_size
, and data_directory_mode
would report values that would not be accurate on the running server. However, this does not work on a running server.
Add support for LZ4 and Zstandard compression of server-side base backups (Jeevan Ladhe, Robert Haas)
Run the checkpointer and bgwriter processes during crash recovery (Thomas Munro)
This helps to speed up long crash recoveries.
Allow WAL processing to pre-fetch needed file contents (Thomas Munro)
This is controlled by the server variable recovery_prefetch
.
Allow archiving via loadable modules (Nathan Bossart)
Previously, archiving was only done by calling shell commands. The new server variable archive_library
can be set to specify a library to be called for archiving.
No longer require IDENTIFY_SYSTEM
to be run before START_REPLICATION
(Jeff Davis)
Allow publication of all tables in a schema (Vignesh C, Hou Zhijie, Amit Kapila)
For example, this syntax is now supported: CREATE PUBLICATION pub1 FOR TABLES IN SCHEMA s1,s2
. ALTER PUBLICATION
supports a similar syntax. Tables added later to the listed schemas will also be replicated.
Allow publication content to be filtered using a WHERE
clause (Hou Zhijie, Euler Taveira, Peter Smith, Ajin Cherian, Tomas Vondra, Amit Kapila)
Rows not satisfying the WHERE
clause are not published.
Allow publication content to be restricted to specific columns (Tomas Vondra, Álvaro Herrera, Rahila Syed)
Allow skipping of transactions on a subscriber using ALTER SUBSCRIPTION ... SKIP
(Masahiko Sawada)
Add support for prepared (two-phase) transactions to logical replication (Peter Smith, Ajin Cherian, Amit Kapila, Nikhil Sontakke, Stas Kelvich)
The new CREATE_REPLICATION_SLOT
option is called TWO_PHASE
. pg_recvlogical now supports a new --two-phase
option during slot creation.
Prevent logical replication of empty transactions (Ajin Cherian, Hou Zhijie, Euler Taveira)
Previously, publishers would send empty transactions to subscribers if subscribed tables were not modified.
Add SQL functions to monitor the directory contents of logical replication slots (Bharath Rupireddy)
The new functions are pg_ls_logicalsnapdir()
, pg_ls_logicalmapdir()
, and pg_ls_replslotdir()
. They can be run by members of the predefined pg_monitor
role.
Allow subscribers to stop the application of logical replication changes on error (Osumi Takamichi, Mark Dilger)
This is enabled with the subscriber option disable_on_error
and avoids possible infinite error loops during stream application.
Adjust subscriber server variables to match the publisher so datetime and float8 values are interpreted consistently (Japin Li)
Some publishers might be relying on inconsistent behavior.
Add system view pg_stat_subscription_stats
to report on subscriber activity (Masahiko Sawada)
The new function pg_stat_reset_subscription_stats()
allows resetting these statistics counters.
Suppress duplicate entries in the pg_publication_tables
system view (Hou Zhijie)
In some cases a partition could appear more than once.
Add SQL MERGE
command to adjust one table to match another (Simon Riggs, Pavan Deolasee, Álvaro Herrera, Amit Langote)
This is similar to INSERT ... ON CONFLICT
but more batch-oriented.
Add support for HEADER
option in COPY
text format (Rémi Lapeyre)
The new option causes the column names to be output, and optionally verified on input.
Add new WAL-logged method for database creation (Dilip Kumar)
This is the new default method for copying the template database, as it avoids the need for checkpoints during database creation. However, it might be slow if the template database is large, so the old method is still available.
Allow CREATE DATABASE
to set the database OID (Shruthi Gowda, Antonin Houska)
Prevent DROP DATABASE
, DROP TABLESPACE
, and ALTER DATABASE SET TABLESPACE
from occasionally failing during concurrent use on Windows (Thomas Munro)
Allow foreign key ON DELETE SET
actions to affect only specified columns (Paul Martinez)
Previously, all of the columns in the foreign key were always affected.
Allow ALTER TABLE
to modify a table's ACCESS METHOD
(Justin Pryzby, Jeff Davis)
Properly call object access hooks when ALTER TABLE
causes table rewrites (Michael Paquier)
Allow creation of unlogged sequences (Peter Eisentraut)
Track dependencies on individual columns in the results of functions returning composite types (Tom Lane)
Previously, if a view or rule contained a reference to a specific column within the result of a composite-returning function, that was not noted as a dependency; the view or rule was only considered to depend on the composite type as a whole. This meant that dropping the individual column would be allowed, causing problems in later use of the view or rule. The column-level dependency is now also noted, so that dropping such a column will be rejected unless the view is changed or dropped.
Allow the scale of a numeric
value to be negative, or greater than its precision (Dean Rasheed, Tom Lane)
This allows rounding of values to the left of the decimal point, e.g., '1234'::numeric(4, -2)
returns 1200.
Improve overflow detection when casting values to interval (Joe Koshakow)
Change the I/O format of type "char"
for non-ASCII characters (Tom Lane)
Update the display width information of modern Unicode characters, like emojis (Jacob Champion)
Also update from Unicode 5.0 to 14.0.0. There is now an automated way to keep Postgres updated with Unicode releases.
Add multirange input to range_agg()
(Paul Jungwirth)
Add MIN()
and MAX()
aggregates for the xid8
data type (Ken Kato)
Add regular expression functions for compatibility with other relational systems (Gilles Darold, Tom Lane)
The new functions are regexp_count()
, regexp_instr()
, regexp_like()
, and regexp_substr()
. Some new optional arguments were also added to regexp_replace()
.
Add the ability to compute the distance between polygons
(Tom Lane)
Add to_char()
format codes of
, tzh
, and tzm
(Nitin Jadhav)
The upper-case equivalents of these were already supported.
When applying AT TIME ZONE
to a time with time zone
value, use the transaction start time rather than wall clock time to determine whether DST applies (Aleksander Alekseev, Tom Lane)
This allows the conversion to be considered stable rather than volatile, and it saves a kernel call per invocation.
Ignore NULL array elements in ts_delete()
and setweight()
functions with array arguments (Jean-Christophe Arnu)
These functions effectively ignore empty-string array elements (since those could never match a valid lexeme). It seems consistent to let them ignore NULL elements too, instead of failing.
Add support for petabyte units to pg_size_pretty()
and pg_size_bytes()
(David Christensen)
Change pg_event_trigger_ddl_commands()
to output references to other sessions' temporary schemas using the actual schema name (Tom Lane)
Previously this function reported all temporary schemas as pg_temp
, but it's misleading to use that for any but the current session's temporary schema.
Fix enforcement of PL/pgSQL variable CONSTANT
markings (Tom Lane)
Previously, a variable could be used as a CALL
output parameter or refcursor OPEN
variable despite being marked CONSTANT
.
Allow IP address matching against a server certificate's Subject Alternative Name (Jacob Champion)
Allow PQsslAttribute()
to report the SSL library type without requiring a libpq connection (Jacob Champion)
Change query cancellations sent by the client to use the same TCP settings as normal client connections (Jelte Fennema)
This allows configured TCP timeouts to apply to query cancel connections.
Prevent libpq event callback failures from forcing an error result (Tom Lane)
Allow pgbench to retry after serialization and deadlock failures (Yugo Nagata, Marina Polyakova)
Improve performance of psql's \copy
command, by sending data in larger chunks (Heikki Linnakangas)
Add \dconfig
command to report server variables (Mark Dilger, Tom Lane)
This is similar to the server-side SHOW
command, but it can process patterns to show multiple variables conveniently.
Add \getenv
command to assign the value of an environment variable to a psql variable (Tom Lane)
Add +
option to the \lo_list
and \dl
commands to show large-object privileges (Pavel Luzanov)
Add a pager option for the \watch
command (Pavel Stehule, Thomas Munro)
This is only supported on Unix and is controlled by the PSQL_WATCH_PAGER
environment variable.
Make psql include intra-query double-hyphen comments in queries sent to the server (Tom Lane, Greg Nancarrow)
Previously such comments were removed from the query before being sent. Double-hyphen comments that are before any query text are not sent, and are not recorded as separate psql history entries.
Adjust psql so that Readline's meta-#
command will insert a double-hyphen comment marker (Tom Lane)
Previously a pound marker was inserted, unless the user had taken the trouble to configure a non-default comment marker.
Make psql output all results when multiple queries are passed to the server at once (Fabien Coelho)
Previously, only the last query result was displayed. The old behavior can be restored by setting the SHOW_ALL_RESULTS
psql variable to off
.
After an error is detected in --single-transaction
mode, change the final COMMIT
command to ROLLBACK
only if ON_ERROR_STOP
is set (Michael Paquier)
Previously, detection of an error in a -c
command or -f
script file would lead to issuing ROLLBACK
at the end, regardless of the value of ON_ERROR_STOP
.
Improve psql's tab completion (Shinya Kato, Dagfinn Ilmari Mannsåker, Peter Smith, Koyu Tanigawa, Ken Kato, David Fetter, Haiying Tang, Peter Eisentraut, Álvaro Herrera, Tom Lane, Masahiko Sawada)
Limit support of psql's backslash commands to servers running PostgreSQL 9.2 or later (Tom Lane)
Remove code that was only used when running with an older server. Commands that do not require any version-specific adjustments compared to 9.2 will still work.
Make pg_dump dump public
schema ownership changes and security labels (Noah Misch)
Improve performance of dumping databases with many objects (Tom Lane)
This will also improve the performance of pg_upgrade.
Improve parallel pg_dump's performance for tables with large TOAST tables (Tom Lane)
Add dump/restore option --no-table-access-method
to force restore to only use the default table access method (Justin Pryzby)
Limit support of pg_dump and pg_dumpall to servers running PostgreSQL 9.2 or later (Tom Lane)
Add new pg_basebackup option --target
to control the base backup location (Robert Haas)
The new options are server
to write the backup locally and blackhole
to discard the backup (for testing).
Allow pg_basebackup to do server-side gzip, LZ4, and Zstandard compression and client-side LZ4 and Zstandard compression of base backup files (Dipesh Pandit, Jeevan Ladhe)
Client-side gzip
compression was already supported.
Allow pg_basebackup to compress on the server side and decompress on the client side before storage (Dipesh Pandit)
This is accomplished by specifying compression on the server side and plain output format.
Allow pg_basebackup's --compress
option to control the compression location (server or client), compression method, and compression options (Michael Paquier, Robert Haas)
Add the LZ4 compression method to pg_receivewal (Georgios Kokolatos)
This is enabled via --compress=lz4
and requires binaries to be built using --with-lz4
.
Add additional capabilities to pg_receivewal's --compress
option (Georgios Kokolatos)
Improve pg_receivewal's ability to restart at the proper WAL location (Ronan Dunklau)
Previously, pg_receivewal would start based on the WAL file stored in the local archive directory, or at the sending server's current WAL flush location. With this change, if the sending server is running Postgres 15 or later, the local archive directory is empty, and a replication slot is specified, the replication slot's restart point will be used.
Add pg_rewind option --config-file
to simplify use when server configuration files are stored outside the data directory (Gunnar Bluth)
Store pg_upgrade's log and temporary files in a subdirectory of the new cluster called pg_upgrade_output.d
(Justin Pryzby)
Previously such files were left in the current directory, requiring manual cleanup. Now they are automatically removed on successful completion of pg_upgrade.
Disable default status reporting during pg_upgrade operation if the output is not a terminal (Andres Freund)
The status reporting output can be enabled for non-tty usage by using --verbose
.
Make pg_upgrade report all databases with invalid connection settings (Jeevan Ladhe)
Previously only the first database with an invalid connection setting was reported.
Make pg_upgrade preserve tablespace and database OIDs, as well as relation relfilenode numbers (Shruthi Gowda, Antonin Houska)
Add a --no-sync
option to pg_upgrade (Michael Paquier)
This is recommended only for testing.
Limit support of pg_upgrade to old servers running PostgreSQL 9.2 or later (Tom Lane)
Allow pg_waldump output to be filtered by relation file node, block number, fork number, and full page images (David Christensen, Thomas Munro)
Make pg_waldump report statistics before an interrupted exit (Bharath Rupireddy)
For example, issuing a control-C in a terminal running pg_waldump --stats --follow
will report the current statistics before exiting. This does not work on Windows.
Improve descriptions of some transaction WAL records reported by pg_waldump (Masahiko Sawada, Michael Paquier)
Allow pg_waldump to dump information about multiple resource managers (Heikki Linnakangas)
This is enabled by specifying the --rmgr
option multiple times.
Add documentation for pg_encoding_to_char()
and pg_char_to_encoding()
(Ian Lawrence Barwick)
Document the ^@
starts-with operator (Tom Lane)
Add support for continuous integration testing using cirrus-ci (Andres Freund, Thomas Munro, Melanie Plageman)
Add configure option --with-zstd
to enable Zstandard builds (Jeevan Ladhe, Robert Haas, Michael Paquier)
Add an ABI identifier field to the magic block in loadable libraries, allowing non-community PostgreSQL distributions to identify libraries that are not compatible with other builds (Peter Eisentraut)
An ABI field mismatch will generate an error at load time.
Create a new pg_type.typcategory
value for "char"
(Tom Lane)
Some other internal-use-only types have also been assigned to this category.
Add new protocol message TARGET
to specify a new COPY
method to be used for base backups (Robert Haas)
pg_basebackup now uses this method.
Add new protocol message COMPRESSION
and COMPRESSION_DETAIL
to specify the compression method and options (Robert Haas)
Remove server support for old BASE_BACKUP
command syntax and base backup protocol (Robert Haas)
Add support for extensions to set custom backup targets (Robert Haas)
Allow extensions to define custom WAL resource managers (Jeff Davis)
Add function pg_settings_get_flags()
to get the flags of server variables (Justin Pryzby)
On Windows, export all the server's global variables using PGDLLIMPORT
markers (Robert Haas)
Previously, only specific variables were accessible to extensions on Windows.
Require GNU make version 3.81 or later to build PostgreSQL (Tom Lane)
Require OpenSSL to build the pgcrypto extension (Peter Eisentraut)
Require Perl version 5.8.3 or later (Dagfinn Ilmari Mannsåker)
Require Python version 3.2 or later (Andres Freund)
Allow amcheck to check sequences (Mark Dilger)
Improve amcheck sanity checks for TOAST tables (Mark Dilger)
Add new module basebackup_to_shell as an example of a custom backup target (Robert Haas)
Add new module basic_archive as an example of performing archiving via a library (Nathan Bossart)
Allow btree_gist indexes on boolean columns (Emre Hasegeli)
These can be used for exclusion constraints.
Fix pageinspect's page_header()
to handle 32-kilobyte page sizes (Quan Zongliang)
Previously, improper negative values could be returned in certain cases.
Add counters for temporary file block I/O to pg_stat_statements (Masahiko Sawada)
Add JIT counters to pg_stat_statements (Magnus Hagander)
Add new module pg_walinspect (Bharath Rupireddy)
This gives SQL-level output similar to pg_waldump.
Indicate the permissive/enforcing state in sepgsql log messages (Dave Page)
Allow postgres_fdw to push down CASE
expressions (Alexander Pyhalov)
Add server variable postgres_fdw.application_name
to control the application name of postgres_fdw connections (Hayato Kuroda)
Previously the remote session's application_name
could only be set on the remote server or via a postgres_fdw connection specification. postgres_fdw.application_name
supports some escape sequences for customization, making it easier to tell such connections apart on the remote server.
Allow parallel commit on postgres_fdw servers (Etsuro Fujita)
This is enabled with the CREATE SERVER
option parallel_commit
.
The following individuals (in alphabetical order) have contributed to this release as patch authors, committers, reviewers, testers, or reporters of issues.
Release date: 2023-05-11
This release contains a variety of fixes from 14.7. For information about new features in major release 14, see Version 14.0.
A dump/restore is not required for those running 14.X.
However, if you are upgrading from a version earlier than 14.4, see Version 14.4.
Prevent CREATE SCHEMA
from defeating changes in search_path
(Alexander Lakhin)
Within a CREATE SCHEMA
command, objects in the prevailing search_path
, as well as those in the newly-created schema, would be visible even within a called function or script that attempted to set a secure search_path
. This could allow any user having permission to create a schema to hijack the privileges of a security definer function or extension script.
The PostgreSQL Project thanks Alexander Lakhin for reporting this problem. (CVE-2023-2454 or CVE-2023-2454)
Enforce row-level security policies correctly after inlining a set-returning function (Stephen Frost, Tom Lane)
If a set-returning SQL-language function refers to a table having row-level security policies, and it can be inlined into a calling query, those RLS policies would not get enforced properly in some cases involving re-using a cached plan under a different role. This could allow a user to see or modify rows that should have been invisible.
The PostgreSQL Project thanks Wolfgang Walther for reporting this problem. (CVE-2023-2455 or CVE-2023-2455)
Avoid crash when the new schema name is omitted in CREATE SCHEMA
(Michael Paquier)
The SQL standard allows writing CREATE SCHEMA AUTHORIZATION
, with the schema name defaulting to owner_name
owner_name
. However some code paths expected the schema name to be present and would fail.
Fix enabling/disabling of cloned triggers in partitioned tables (Tom Lane)
ALTER TABLE ... ENABLE/DISABLE TRIGGER USER
skipped cloned triggers, mistaking them for system triggers. Other variants of ENABLE/DISABLE TRIGGER
would process them, but only after improperly enforcing a superuserness check.
Disallow altering composite types that are stored in indexes (Tom Lane)
ALTER TYPE
disallows non-binary-compatible modifications of composite types if they are stored in any table columns. (Perhaps that will be allowed someday, but it hasn't happened yet; the locking implications of rewriting many tables are daunting.) We overlooked the possibility that an index might contain a composite type that doesn't also appear in its table.
Disallow system columns as elements of foreign keys (Tom Lane)
Since the removal of OID as a system column, there is no plausible use-case for this, and various bits of code no longer support it. Disallow it rather than trying to fix all the cases.
Ensure that COPY TO
from an RLS-enabled parent table does not copy any rows from child tables (Antonin Houska)
The documentation is quite clear that COPY TO
copies rows from only the named table, not any inheritance children it may have. However, if row-level security was enabled on the table then this stopped being true.
Avoid possible crash when array_position()
or array_positions()
is passed an empty array (Tom Lane)
Fix possible out-of-bounds fetch in to_char()
(Tom Lane)
With bad luck this could have resulted in a server crash.
Avoid buffer overread in translate()
function (Daniil Anisimov)
When using the deletion feature, the function might fetch the byte just after the input string, creating a small risk of crash.
Fix error cursor setting for parse errors in JSON string literals (Tom Lane)
Most cases in which a syntax error is detected in a string literal within a JSON value failed to set the error cursor appropriately. This led at least to an unhelpful error message (pointing to the token before the string, rather than the actual trouble spot), and could even result in a crash in v14 and later.
Fix data corruption due to vacuum_defer_cleanup_age
being larger than the current 64-bit xid (Andres Freund)
In v14 and later with non-default settings of vacuum_defer_cleanup_age
, it was possible to compute a very large vacuum cleanup horizon xid, leading to vacuum removing rows that are still live. v12 and v13 have a lesser form of the same problem affecting only GiST indexes, which could lead to index pages getting recycled too early.
Fix parser's failure to detect some cases of improperly-nested aggregates (Tom Lane)
This oversight could lead to executor failures for queries that should have been rejected as invalid.
Fix data structure corruption during parsing of serial SEQUENCE NAME
options (David Rowley)
This can lead to trouble if an event trigger captures the corrupted parse tree.
Correctly update plan nodes' parallel-safety markings when moving initplans from one node to another (Tom Lane)
This planner oversight could lead to “subplan was not initialized” errors at runtime.
Avoid failure with PlaceHolderVars in extended-statistics code (Tom Lane)
Use of dependency-type extended statistics could fail with “PlaceHolderVar found where not expected”.
Disable the inverse-transition optimization for window aggregates when the call contains sub-SELECTs (David Rowley)
This optimization requires that the aggregate's argument expressions have repeatable results, which might not hold for a sub-SELECT.
Fix oversights in execution of nested ARRAY[]
constructs (Alexander Lakhin, Tom Lane)
Correctly detect overflow of the total space needed for the result array, avoiding a possible crash due to undersized output allocation. Also ensure that any trailing padding space in the result array is zeroed; while leaving garbage there is harmless for most purposes, it can result in odd behavior later.
Prevent crash when updating a field within an array-of-domain-over-composite-type column (Dmitry Dolgov)
Fix partition pruning logic for partitioning on boolean columns (David Rowley)
Pruning with a condition like boolcol IS NOT TRUE
was done incorrectly, leading to possibly not returning rows in which boolcol
is NULL. Also, the rather unlikely case of partitioning on NOT boolcol
was handled incorrectly.
Fix race condition in per-batch cleanup during parallel hash join (Thomas Munro, Melanie Plageman)
A crash was possible given unlucky timing and parallel_leader_participation
= off
(which is not the default).
Recalculate GENERATED
columns after an EvalPlanQual check (Tom Lane)
In READ COMMITTED
isolation mode, the effects of a row update might need to get reapplied to a newer version of the row than the query found originally. If so, we need to recompute any GENERATED
columns, in case they depend on columns that were changed by the concurrent update.
Fix memory leak in Memoize plan execution (David Rowley)
Fix buffer refcount leak when using batched inserts for a foreign table included in a partitioned tree (Alexander Pyhalov)
Restore support for sub-millisecond vacuum_cost_delay
settings (Thomas Munro)
Don't balance vacuum cost delay when a table has a per-relation vacuum_cost_delay
setting of zero (Masahiko Sawada)
Delay balancing is supposed to be disabled whenever autovacuum is processing a table with a per-relation vacuum_cost_delay
setting, but this was done only for positive settings, not zero.
Fix corner-case crashes when columns have been added to the end of a view (Tom Lane)
Repair rare failure of MULTIEXPR_SUBLINK subplans in partitioned updates (Andres Freund, Tom Lane)
Use of the syntax INSERT ... ON CONFLICT DO UPDATE SET (c1, ...) = (SELECT ...)
with a partitioned target table could result in failure if any child table is dissimilar from the parent (for example, different physical column order). This typically manifested as failure of consistency checks in the executor; but a crash or incorrect data updates are also possible.
Fix handling of DEFAULT
markers within a multi-row INSERT ... VALUES
query on a view that has a DO ALSO INSERT ... SELECT
rule (Dean Rasheed)
Such cases typically failed with “unrecognized node type” errors or assertion failures.
Support references to OLD
and NEW
within subqueries in rule actions (Dean Rasheed, Tom Lane)
Such references are really lateral references, but the server could crash if the subquery wasn't explicitly marked with LATERAL
. Arrange to do that implicitly when necessary.
When decompiling a rule or SQL function body containing INSERT
/UPDATE
/DELETE
within WITH
, take care to print the correct alias for the target table (Tom Lane)
Fix glitches in SERIALIZABLE READ ONLY
optimization (Thomas Munro)
Transactions already marked as “doomed” confused the safe-snapshot optimization for SERIALIZABLE READ ONLY
transactions. The optimization was unnecessarily skipped in some cases. In other cases an assertion failure occurred (but there was no problem in non-assert builds).
Avoid leaking cache callback slots in the pgoutput
logical decoding plugin (Shi Yu)
Multiple cycles of starting up and shutting down the plugin within a single session would eventually lead to an “out of relcache_callback_list slots” error.
Avoid unnecessary calls to custom validators for index operator class options (Alexander Korotkov)
This change fixes some cases where an unexpected error was thrown.
Avoid useless work while scanning a multi-column BRIN index with multiple scan keys (Tomas Vondra)
The existing code effectively considered only the last scan key while deciding whether a range matched, thus usually scanning more of the index than it needed to.
Fix netmask handling in BRIN inet_minmax_multi_ops opclass (Tomas Vondra)
This error triggered an assertion failure in assert-enabled builds, but is mostly harmless in production builds.
Fix dereference of dangling pointer during buffering build of a GiST index (Alexander Lakhin)
This error seems to usually be harmless in production builds, as the fetched value is noncritical; but in principle it could cause a server crash.
Ignore dropped columns and generated columns during logical replication of an update or delete action (Onder Kalaci, Shi Yu)
Replication with the REPLICA IDENTITY FULL
option failed if the table contained such columns.
Correct the name of the wait event for SLRU buffer I/O for commit timestamps (Alexander Lakhin)
This wait event is named CommitTsBuffer
according to the documentation, but the code had it as CommitTSBuffer
. Change the code to match the documentation, as that way is more consistent with the naming of related wait events.
Re-activate reporting of wait event SLRUFlushSync
(Thomas Munro)
Reporting of this type of wait was accidentally removed in code refactoring.
Avoid possible underflow when calculating how many WAL segments to keep (Kyotaro Horiguchi)
This could result in not honoring wal_keep_size
accurately.
Support RSA-PSS certificates with SCRAM-SHA-256 channel binding (Jacob Champion, Heikki Linnakangas)
This feature requires building with OpenSSL 1.1.1 or newer. Both the server and libpq are affected.
Avoid race condition with process ID tracking on Windows (Thomas Munro)
The operating system could recycle a PID before the postmaster observed that that child process was gone. This could lead to tracking more than one child with the same PID, resulting in confusion.
Add missing cases to SPI_result_code_string()
(Dean Rasheed)
Fix erroneous Valgrind markings in AllocSetRealloc()
(Karina Litskevich)
In the unusual case where the size of a large (>8kB) palloc chunk is decreased, a Valgrind-aware build would mismark the defined-ness state of the memory released from the chunk, possibly causing incorrect results during Valgrind testing.
Avoid assertion failure when decoding a transactional logical replication message (Tomas Vondra)
Avoid locale sensitivity when processing regular expression escapes (Jeff Davis)
A backslash followed by a non-ASCII character could sometimes cause an assertion failure, depending on the prevailing locale.
Avoid trying to write an empty WAL record in log_newpage_range()
when the last few pages in the specified range are empty (Matthias van de Meent)
It is not entirely clear whether this case is reachable in released branches, but if it is then an assertion failure could occur.
Fix session-lifespan memory leakage in plpgsql DO
blocks that use cast expressions (Ajit Awekar, Tom Lane)
Tighten array dimensionality checks when converting Perl list structures to multi-dimensional SQL arrays (Tom Lane)
plperl could misbehave when the nesting of sub-lists is inconsistent so that the data does not represent a rectangular array of values. Such cases now produce errors, but previously they could result in a crash or garbage output.
Tighten array dimensionality checks when converting Python list structures to multi-dimensional SQL arrays (Tom Lane)
plpython could misbehave when dealing with empty sub-lists, or when the nesting of sub-lists is inconsistent so that the data does not represent a rectangular array of values. The former should result in an empty output array, and the latter in an error. But some cases resulted in a crash, and others in unexpected output.
Fix unwinding of exception stack in plpython (Xing Guo)
Some rare failure cases could return without cleaning up the PG_TRY exception stack, risking a crash if another error was raised before the next stack level was unwound.
Fix inconsistent GSS-encryption error handling in libpq's PQconnectPoll()
(Michael Paquier)
With gssencmode
set to require
, the connection was not marked dead after a GSS initialization failure. Make it fail immediately, as the equivalent case for TLS encryption has long done.
Fix possible data corruption in ecpg programs built with the -C ORACLE
option (Kyotaro Horiguchi)
When ecpg_get_data()
is called with varcharsize
set to zero, it could write a terminating zero character into the last byte of the preceding field, truncating the data in that field.
Fix pg_dump so that partitioned tables that are hash-partitioned on an enum-type column can be restored successfully (Tom Lane)
Since the hash codes for enum values depend on the OIDs assigned to the enum, they are typically different after a dump and restore, meaning that rows often need to go into a different partition than they were in originally. Users can work around that by specifying the --load-via-partition-root
option; but since there is very little chance of success without that, teach pg_dump to apply it automatically to such tables.
Also, fix pg_restore to not try to TRUNCATE
target tables before restoring into them when --load-via-partition-root
mode is used. This avoids a hazard of deadlocks and lost data.
Correctly detect non-seekable files on Windows (Juan José Santamaría Flecha, Michael Paquier, Daniel Watzinger)
This bug led to misbehavior when pg_dump writes to a pipe or pg_restore reads from one.
In pgbench's “prepared” mode, prepare all the commands in a pipeline before starting the pipeline (Álvaro Herrera)
This avoids a failure when a pgbench script tries to start a serializable transaction inside a pipeline.
In contrib/amcheck
's heap checking code, deal correctly with tuples having zero xmin or xmax (Robert Haas)
In contrib/amcheck
, deal sanely with xids that appear to be before epoch zero (Andres Freund)
In cases of corruption we might see a wrapped-around 32-bit xid that appears to be before the first xid epoch. Promoting such a value to 64-bit form produced a value far in the future, resulting in wrong reports. Return FirstNormalFullTransactionId in such cases so that things work reasonably sanely.
In contrib/hstore_plpython
, avoid crashing if the Python value to be transformed isn't a mapping (Dmitry Dolgov, Tom Lane)
This should give an error, but Python 3 changed some APIs in a way that caused the check to misbehave, allowing a crash to ensue.
Require the siglen
option of a GiST index on an ltree
column, if specified, to be a multiple of 4 (Alexander Korotkov)
Other values result in misaligned accesses to index content, which is harmless on Intel-compatible hardware but can cause a crash on some other architectures.
In contrib/pageinspect
, add defenses against incorrect input for the gist_page_items()
function (Dmitry Koval)
Fix misbehavior in contrib/pg_trgm
with an unsatisfiable regular expression (Tom Lane)
A regex such as $foo
is legal but unsatisfiable; the regex compiler recognizes that and produces an empty NFA graph. Attempting to optimize such a graph into a pg_trgm GIN or GiST index qualification resulted in accessing off the end of a work array, possibly leading to crashes.
Use the --strip-unneeded
option when stripping static libraries with GNU-compatible strip (Tom Lane)
Previously, make install-strip
used the -x
option in this case. This change avoids misbehavior of llvm-strip, and gives slightly smaller output as well.
Stop recommending auto-download of DTD files for building the documentation, and indeed disable it (Aleksander Alekseev, Peter Eisentraut, Tom Lane)
It appears no longer possible to build the SGML documentation without a local installation of the DocBook DTD files. Formerly xsltproc could download those files on-the-fly from sourceforge.net; but sourceforge.net now permits only HTTPS access, and no common version of xsltproc supports that. Hence, remove the bits of our documentation suggesting that that's possible or useful, and instead add xsltproc's --nonet
option to the build recipes.
When running TAP tests in PGXS builds, use a saner location for the temporary portlock
directory (Peter Eisentraut)
Place it under tmp_check
in the build directory. With the previous coding, a PGXS build would try to place it in the installation directory, which is not necessarily writable.
Update time zone data files to tzdata release 2023c for DST law changes in Egypt, Greenland, Morocco, and Palestine.
When observing Moscow time, Europe/Kirov and Europe/Volgograd now use the abbreviations MSK/MSD instead of numeric abbreviations, for consistency with other timezones observing Moscow time. Also, America/Yellowknife is no longer distinct from America/Edmonton; this affects some pre-1948 timestamps in that area.
Release date: 2023-02-09
This release contains a variety of fixes from 14.6. For information about new features in major release 14, see Version 14.0.
A dump/restore is not required for those running 14.X.
However, if you are upgrading from a version earlier than 14.4, see Version 14.4.
libpq can leak memory contents after GSSAPI transport encryption initiation fails (Jacob Champion)
A modified server, or an unauthenticated man-in-the-middle, can send a not-zero-terminated error message during setup of GSSAPI (Kerberos) transport encryption. libpq will then copy that string, as well as following bytes in application memory up to the next zero byte, to its error report. Depending on what the calling application does with the error report, this could result in disclosure of application memory contents. There is also a small probability of a crash due to reading beyond the end of memory. Fix by properly zero-terminating the server message. (CVE-2022-41862 or CVE-2022-41862)
Fix calculation of which GENERATED
columns need to be updated in child tables during an UPDATE
on a partitioned table or inheritance tree (Amit Langote, Tom Lane)
This fixes failure to update GENERATED
columns that do not exist in the parent table, or that have different dependencies than are in the parent column's generation expression.
Allow a WITH RECURSIVE ... CYCLE
CTE to access its output column (Tom Lane)
A reference to the SET
column from within the CTE would fail with “cache lookup failed for type 0”.
Fix handling of pending inserts when doing a bulk insertion to a foreign table (Etsuro Fujita)
In some cases pending insertions were not flushed to the FDW soon enough, leading to logical inconsistencies, for example BEFORE ROW
triggers not seeing rows they should be able to see.
Allow REPLICA IDENTITY
to be set on an index that's not (yet) valid (Tom Lane)
When pg_dump dumps a partitioned index that's marked REPLICA IDENTITY
, it generates a command sequence that applies REPLICA IDENTITY
before the partitioned index has been marked valid, causing restore to fail. There seems no very good reason to prohibit doing it in that order, so allow it. The marking will have no effect anyway until the index becomes valid.
Fix handling of DEFAULT
markers in rules that perform an INSERT
from a multi-row VALUES
list (Dean Rasheed)
In some cases a DEFAULT
marker would not get replaced with the proper default-value expression, leading to an “unrecognized node type” error.
Reject uses of undefined variables in jsonpath
existence checks (Alexander Korotkov, David G. Johnston)
While jsonpath
match operators threw an error for an undefined variable in the path pattern, the existence operators silently treated it as a match.
Fix jsonb
subscripting to cope with toasted subscript values (Tom Lane, David G. Johnston)
Using a text value fetched directly from a table as a jsonb
subscript was likely to fail. Fetches would usually not find any matching element. Assignments could store the value with a garbage key, although keys long enough to cause that problem are probably rare in the field.
Fix edge-case data corruption in parallel hash joins (Dmitry Astapov)
If the final chunk of a large tuple being written out to a temporary file was exactly 32760 bytes, it would be corrupted due to a fencepost bug. The query would typically fail later with corrupted-data symptoms.
Honor non-default settings of checkpoint_completion_target
(Bharath Rupireddy)
Internal state was not updated after a change in checkpoint_completion_target
, possibly resulting in performing checkpoint I/O faster or slower than desired, especially if that setting was changed on-the-fly.
Log the correct ending timestamp in recovery_target_xid
mode (Tom Lane)
When ending recovery based on the recovery_target_xid
setting with recovery_target_inclusive
= off
, we printed an incorrect timestamp (always 2000-01-01) in the “recovery stopping before ... transaction” log message.
Improve error reporting for some buffered file read failures (Peter Eisentraut)
Correctly report a short read, giving the numbers of bytes desired and actually read, instead of reporting an irrelevant error code. Most places got this right already, but some recently-written replication logic did not.
In extended query protocol, avoid an immediate commit after ANALYZE
if we're running a pipeline (Tom Lane)
If there's not been an explicit BEGIN TRANSACTION
, ANALYZE
would take it on itself to commit, which should not happen within a pipelined series of commands.
Reject cancel request packets having the wrong length (Andrey Borodin)
The server would process a cancel request even if its length word was too small. This led to reading beyond the end of the allocated buffer. In theory that could cause a segfault, but it seems quite unlikely to happen in practice, since the buffer would have to be very close to the end of memory. The more likely outcome was a bogus log message about wrong backend PID or cancel code. Complain about the wrong length, instead.
Add recursion and looping defenses in subquery pullup (Tom Lane)
A contrived query can result in deep recursion and unreasonable amounts of time spent trying to flatten subqueries. A proper fix for that seems unduly invasive for a back-patch, but we can at least add stack depth checks and an interrupt check to allow the query to be cancelled.
Fix planner issues when combining Memoize nodes with partitionwise joins or parameterized nestloops (Richard Guo)
These errors could lead to not using Memoize in contexts where it would be useful, or possibly to wrong query plans.
Fix partitionwise-join code to tolerate failure to produce a plan for each partition (Tom Lane)
This could result in “could not devise a query plan for the given query” errors.
Limit the amount of cleanup work done by get_actual_variable_range
(Simon Riggs)
Planner runs occurring just after deletion of a large number of tuples appearing at the end of an index could expend significant amounts of work setting the “killed” bits for those index entries. Limit the amount of work done in any one query by giving up on this process after examining 100 heap pages. All the cleanup will still happen eventually, but without so large a performance hiccup.
Fix under-parenthesized display of AT TIME ZONE
constructs (Tom Lane)
This could result in dump/restore failures for rules or views in which an argument of AT TIME ZONE
is itself an expression.
Prevent clobbering of cached parsetrees for utility statements in SQL functions (Tom Lane, Daniel Gustafsson)
If a SQL-language function executes the same utility command more than once within a single calling query, it could crash or report strange errors such as “unrecognized node type”.
Ensure that execution of full-text-search queries can be cancelled while they are performing phrase matches (Tom Lane)
Fix memory leak in hashing strings with nondeterministic collations (Jeff Davis)
Fix deadlock between DROP DATABASE
and logical replication worker process (Hou Zhijie)
This was caused by an ill-advised choice to block interrupts while creating a logical replication slot in the worker. In version 15 that could lead to an undetected deadlock. In version 14, no deadlock has been observed, but it's still a bad idea to block interrupts while waiting for network I/O.
Clean up the libpq connection object after a failed replication connection attempt (Andres Freund)
The previous coding leaked the connection object. In background code paths that's pretty harmless because the calling process will give up and exit. But in commands such as CREATE SUBSCRIPTION
, such a failure resulted in a small session-lifespan memory leak.
In hot-standby servers, reduce processing effort for tracking XIDs known to be active on the primary (Simon Riggs, Michail Nikolaev)
Insufficiently-aggressive cleanup of the KnownAssignedXids array could lead to poor performance, particularly when max_connections
is set to a large value on the standby.
Ignore invalidated logical-replication slots while determining oldest catalog xmin (Sirisha Chamarthi)
A replication slot could prevent cleanup of dead tuples in the system catalogs even after it becomes invalidated due to exceeding max_slot_wal_keep_size
. Thus, failure of a replication consumer could lead to indefinitely-large catalog bloat.
In logical decoding, notify the remote node when a transaction is detected to have crashed (Hou Zhijie)
After a server restart, we'll re-stream the changes for transactions occurring shortly before the restart. Some of these transactions probably never completed; when we realize that one didn't we throw away the relevant decoding state locally, but we neglected to tell the subscriber about it. That led to the subscriber keeping useless streaming files until it's next restarted.
Fix uninitialized-memory usage in logical decoding (Masahiko Sawada)
In certain cases, resumption of logical decoding could try to re-use XID data that had already been freed, leading to unpredictable behavior.
Avoid rare “failed to acquire cleanup lock” panic during WAL replay of hash-index page split operations (Robert Haas)
Advance a heap page's LSN when setting its all-visible bit during WAL replay (Jeff Davis)
Failure to do this left the page possibly different on standby servers than the primary, and violated some other expectations about when the LSN changes. This seems only a theoretical hazard so far as PostgreSQL itself is concerned, but it could upset third-party tools.
Prevent unsafe usage of a relation cache entry's rd_smgr
pointer (Amul Sul)
Remove various assumptions that rd_smgr
would stay valid over a series of operations, by wrapping all uses of it in a function that will recompute it if needed. This prevents bugs occurring when an unexpected cache flush occurs partway through such a series.
Fix int64_div_fast_to_numeric()
to work for a wider range of inputs (Dean Rasheed)
This function misbehaved with some values of its second argument. No such usages exist in core PostgreSQL, but it's clearly a hazard for external modules, so repair.
Fix latent buffer-overrun problem in WaitEventSet
logic (Thomas Munro)
The epoll
-based and kqueue
-based implementations could ask the kernel for too many events if the size of their internal buffer was different from the size of the caller's output buffer. That case is not known to occur in released PostgreSQL versions, but this error is a hazard for external modules and future bug fixes.
Avoid nominally-undefined behavior when accessing shared memory in 32-bit builds (Andres Freund)
clang's undefined-behavior sanitizer complained about use of a pointer that was less aligned than it should be. It's very unlikely that this would cause a problem in non-debug builds, but it's worth fixing for testing purposes.
Fix assertion failure in BRIN minmax-multi opclasses (Tomas Vondra)
The assertion was overly strict, so this mistake was harmless in non-assert builds.
Remove faulty assertion in useless-RESULT-RTE optimization logic (Tom Lane)
Fix copy-and-paste errors in cache-lookup-failure messages for ACL checks (Justin Pryzby)
In principle these errors should never be reached. But if they are, some of them reported the wrong type of object.
In pg_dump, avoid calling unsafe server functions before we have locks on the tables to be examined (Tom Lane, Gilles Darold)
pg_dump uses certain server functions that can fail if examining a table that gets dropped concurrently. Avoid this type of failure by ensuring that we obtain access share lock before inquiring too deeply into a table's properties, and that we don't apply such functions to tables we don't intend to dump at all.
Fix psql's \sf
and \ef
commands to handle SQL-language functions that have SQL-standard function bodies (Tom Lane)
These commands misidentified the start of the function body when it used new-style syntax.
Fix tab completion of ALTER FUNCTION/PROCEDURE/ROUTINE
... SET SCHEMA
(Dean Rasheed)
Fix contrib/seg
to not crash or print garbage if an input number has more than 127 digits (Tom Lane)
Fix build on Microsoft Visual Studio 2013 (Tom Lane)
A previous patch supposed that all platforms of interest have snprintf()
, but MSVC 2013 isn't quite there yet. Revert to using sprintf()
on that platform.
Fix compile failure in building PL/Perl with MSVC when using Strawberry Perl (Andrew Dunstan)
Fix mismatch of PL/Perl built with MSVC versus a Perl library built with gcc (Andrew Dunstan)
Such combinations could previously fail with “loadable library and perl binaries are mismatched” errors.
Suppress compiler warnings from Perl's header files (Andres Freund)
Our preferred compiler options provoke warnings about constructs appearing in recent versions of Perl's header files. When using gcc, we can suppress these warnings with a pragma.
Fix pg_waldump to build on compilers that don't discard unused static-inline functions (Tom Lane)
Update time zone data files to tzdata release 2022g for DST law changes in Greenland and Mexico, plus historical corrections for northern Canada, Colombia, and Singapore.
Notably, a new timezone America/Ciudad_Juarez has been split off from America/Ojinaga.
Release date: 2022-11-10
This release contains a variety of fixes from 14.5. For information about new features in major release 14, see Version 14.0.
A dump/restore is not required for those running 14.X.
However, if you are upgrading from a version earlier than 14.4, see Version 14.4.
Avoid rare PANIC during updates occurring concurrently with VACUUM
(Tom Lane, Jeff Davis)
If a concurrent VACUUM
sets the all-visible flag bit in a page that UPDATE
or DELETE
is in process of modifying, the updating command needs to clear that bit again; but some code paths failed to do so, ending in a PANIC exit and database restart.
This is known to be possible in versions 14 and 15. It may be only latent in previous branches.
Fix handling of DEFAULT
tokens that appear in a multi-row VALUES
clause of an INSERT
on an updatable view (Tom Lane)
This oversight could lead to “cache lookup failed for type” errors, or in older branches even to crashes.
Disallow rules named _RETURN
that are not ON SELECT
(Tom Lane)
This avoids confusion between a view's ON SELECT
rule and any other rules it may have.
Fix resource management bug in saving tuples for AFTER
triggers (Tom Lane)
Given the right circumstances, this manifested as a “tupdesc reference NNNN
is not owned by resource owner” error followed by a PANIC exit.
Avoid failure in EXPLAIN VERBOSE
for a query using SEARCH BREADTH FIRST
with constant initial values (Tom Lane)
Fix construction of per-partition foreign key constraints while doing ALTER TABLE ATTACH PARTITION
(Jehan-Guillaume de Rorthais, Álvaro Herrera)
Previously, incorrect or duplicate constraints could be constructed for the newly-added partition.
Fix generation of constraint names for per-partition foreign key constraints (Jehan-Guillaume de Rorthais)
If the initially-given name is already in use for some constraint of the partition, a new one is selected; but it wasn't being spelled as intended.
Fix incorrect matching of index expressions and predicates when creating a partitioned index (Richard Guo, Tom Lane)
While creating a partitioned index, we try to identify any existing indexes on the partitions that match the partitioned index, so that we can absorb those as child indexes instead of building new ones. Matching of expressions was not done right, so that a usable child index might be ignored, leading to creation of a duplicative index.
Prevent WAL corruption after a standby promotion (Dilip Kumar, Robert Haas)
When a PostgreSQL instance performing archive recovery (but not using standby mode) is promoted, and the last WAL segment that it attempted to read ended in a partial record, the instance would write an invalid WAL segment on the new timeline.
Fix mis-ordering of WAL operations in fast insert path for GIN indexes (Matthias van de Meent, Zhang Mingli)
This mistake is not known to have any negative consequences within core PostgreSQL, but it did cause issues for some extensions.
Fix bugs in logical decoding when replay starts from a point between the beginning of a transaction and the beginning of its subtransaction (Masahiko Sawada, Kuroda Hayato)
These errors could lead to assertion failures in debug builds, and otherwise to memory leaks.
Prevent examining system catalogs with the wrong snapshot during logical decoding (Masahiko Sawada)
If decoding begins partway through a transaction that modifies system catalogs, the decoder may not recognize that, causing it to fail to treat that transaction as in-progress for catalog lookups.
Accept interrupts in more places during logical decoding (Amit Kapila, Masahiko Sawada)
This ameliorates problems with slow shutdown of replication workers.
Prevent attempts to replicate into a foreign-table partition in replication workers (Shi Yu, Tom Lane)
Although partitioned tables can have foreign tables as partitions, replicating into such a partition isn't currently supported. The logical replication worker process would crash if it was attempted. Now, an error is thrown.
Remove pointless check on replica identity setting of partitioned tables (Hou Zhijie)
What matters is the replica identity setting of the leaf partitions, so there's no need to throw error if it's not set on the parent.
Avoid crash after function syntax error in replication workers (Maxim Orlov, Anton Melnikov, Masahiko Sawada, Tom Lane)
If a syntax error occurred in a SQL-language or PL/pgSQL-language CREATE FUNCTION
or DO
command executed in a logical replication worker, the worker process would crash with a null pointer dereference or assertion failure.
Fix handling of read-write expanded datums that are passed to SQL functions (Tom Lane)
If a non-inlined SQL function uses a parameter in more than one place, and one of those functions expects to be able to modify read-write datums in place, then later uses of the parameter would observe the wrong value. (Within core PostgreSQL, the expanded-datum mechanism is only used for array and composite-type values; but extensions might use it for other structured types.)
Fix type circle
's equality comparator to handle NaNs properly (Ranier Vilela)
If the left-hand circle had a floating-point NaN for its radius, it would be considered equal to a circle with the same center and any radius.
In Snowball dictionaries, don't try to stem excessively-long words (Olly Betts, Tom Lane)
If the input word exceeds 1000 bytes, return it as-is after case folding, rather than trying to run it through the Snowball code. This restriction protects against a known recursion-to-stack-overflow problem in the Turkish stemmer, and it seems like good insurance against any other safety or performance issues that may exist in the Snowball stemmers. Such a long string is surely not a word in any human language, so it's doubtful that the stemmer would have done anything desirable with it anyway.
Fix use-after-free hazard in string comparisons (Tom Lane)
Improper memory management in the string comparison functions could result in scribbling on no-longer-allocated buffers, potentially breaking things for whatever is using that memory now. This would only happen with fairly long strings (more than 1kB), and only if an ICU collation is in use.
Add plan-time check for attempted access to a table that has no table access method (Tom Lane)
This prevents a crash in some catalog-corruption scenarios, for example use of a view whose ON SELECT
rule is missing.
Prevent postmaster crash when shared-memory state is corrupted (Tom Lane)
The postmaster process is supposed to survive and initiate a database restart if shared memory becomes corrupted, but one bit of code was being insufficiently cautious about that.
Add some more defenses against recursion till stack overrun (Richard Guo, Tom Lane)
Avoid misbehavior when choosing hash table size with very small work_mem
and large tuples (Zhang Mingli)
Avoid long-term memory leakage in the autovacuum launcher process (Reid Thompson)
The lack of field reports suggests that this problem is only latent in pre-v15 branches; but it's not very clear why, so back-patch the fix anyway.
Improve PL/pgSQL's ability to handle parameters declared as RECORD
(Tom Lane)
Build a separate function cache entry for each concrete type passed to the RECORD
parameter during a session, much as we do for polymorphic parameters. This allows some usages to work that previously failed with errors such as “type of parameter does not match that when preparing the plan”.
In libpq, handle single-row mode correctly when pipelining (Denis Laxalde)
The single-row flag was not reset at the correct time if pipeline mode was also active.
Add missing guards for NULL
connection pointer in libpq (Daniele Varrazzo, Tom Lane)
There's a convention that libpq functions should check for a NULL PGconn argument, and fail gracefully instead of crashing. PQflush()
and PQisnonblocking()
didn't get that memo, so fix them.
In ecpg, fix omission of variable storage classes when multiple varchar
or bytea
variables are declared in the same declaration (Andrey Sokolov)
For example, ecpg translated static varchar str1[10], str2[20], str3[30];
in such a way that only str1
was marked static
.
Allow cross-platform tablespace relocation in pg_basebackup (Robert Haas)
Allow the remote path in --tablespace-mapping
to be either a Unix-style or Windows-style absolute path, since the source server could be on a different OS than the local system.
In pg_stat_statements, fix access to already-freed memory (zhaoqigui)
This occurred if pg_stat_statements tracked a ROLLBACK
command issued via extended query protocol. In debug builds it consistently led to an assertion failure. In production builds there would often be no visible ill effect; but if the freed memory had already been reused, the likely result would be to store garbage for the query string.
In postgres_fdw, ensure that target lists constructed for EvalPlanQual plans will have all required columns (Richard Guo, Etsuro Fujita)
This avoids “variable not found in subplan target list” errors in rare cases.
Reject unwanted output from the platform's uuid_create()
function (Nazir Bilal Yavuz)
The uuid-ossp module expects libc's uuid_create()
to produce a version-1 UUID, but recent NetBSD releases produce a version-4 (random) UUID instead. Check for that, and complain if so. Drop the documentation's claim that the NetBSD implementation is usable for uuid-ossp. (If a version-4 UUID is okay for your purposes, you don't need uuid-ossp at all; just use gen_random_uuid()
.)
Include new Perl test modules in standard installations (Álvaro Herrera)
Add PostgreSQL/Test/Cluster.pm
and PostgreSQL/Test/Utils.pm
to the standard installation file set in pre-version-15 branches. This is for the benefit of extensions that want to use newly-written test code in older branches.
On NetBSD, force dynamic symbol resolution at postmaster start (Andres Freund, Tom Lane)
This avoids a risk of deadlock in the dynamic linker on NetBSD 10.
Fix incompatibilities with LLVM 15 (Thomas Munro, Andres Freund)
Allow use of __sync_lock_test_and_set()
for spinlocks on any machine (Tom Lane)
This eases porting to new machine architectures, at least if you're using a compiler that supports this GCC builtin function.
Rename symbol REF
to REF_P
to avoid compile failure on recent macOS (Tom Lane)
Avoid using sprintf
, to avoid compile-time deprecation warnings (Tom Lane)
Silence assorted compiler warnings from clang 15 and later (Tom Lane)
Update time zone data files to tzdata release 2022f for DST law changes in Chile, Fiji, Iran, Jordan, Mexico, Palestine, and Syria, plus historical corrections for Chile, Crimea, Iran, and Mexico.
Also, the Europe/Kiev zone has been renamed to Europe/Kyiv. Also, the following zones have been merged into nearby, more-populous zones whose clocks have agreed with them since 1970: Antarctica/Vostok, Asia/Brunei, Asia/Kuala_Lumpur, Atlantic/Reykjavik, Europe/Amsterdam, Europe/Copenhagen, Europe/Luxembourg, Europe/Monaco, Europe/Oslo, Europe/Stockholm, Indian/Christmas, Indian/Cocos, Indian/Kerguelen, Indian/Mahe, Indian/Reunion, Pacific/Chuuk, Pacific/Funafuti, Pacific/Majuro, Pacific/Pohnpei, Pacific/Wake and Pacific/Wallis. (This indirectly affects zones that were already links to one of these: Arctic/Longyearbyen, Atlantic/Jan_Mayen, Iceland, Pacific/Ponape, Pacific/Truk, and Pacific/Yap.) America/Nipigon, America/Rainy_River, America/Thunder_Bay, Europe/Uzhgorod, and Europe/Zaporozhye were also merged into nearby zones after discovering that their claimed post-1970 differences from those zones seem to have been errors. In all these cases, the previous zone name remains as an alias; but the actual data is that of the zone that was merged into.
These zone mergers result in loss of pre-1970 timezone history for the merged zones, which may be troublesome for applications expecting consistency of timestamptz
display. As an example, the stored value 1944-06-01 12:00 UTC
would previously display as 1944-06-01 13:00:00+01
if the Europe/Stockholm zone is selected, but now it will read out as 1944-06-01 14:00:00+02
.
It is possible to build the time zone data files with options that will restore the older zone data, but that choice also inserts a lot of other old (and typically poorly-attested) zone data, resulting in more total changes from the previous release than accepting these upstream changes does. PostgreSQL has chosen to ship the tzdb data as-recommended, and so far as we are aware most major operating system distributions are doing likewise. However, if these changes cause significant problems for your application, a possible solution is to install a local build of the time zone data files using tzdb's backwards-compatibility options (see their PACKRATDATA
and PACKRATLIST
options).
Release date: 2022-08-11
This release contains a variety of fixes from 14.4. For information about new features in major release 14, see Version 14.0.
A dump/restore is not required for those running 14.X.
However, if you are upgrading from a version earlier than 14.4, see Version 14.4.
Do not let extension scripts replace objects not already belonging to the extension (Tom Lane)
This change prevents extension scripts from doing CREATE OR REPLACE
if there is an existing object that does not belong to the extension. It also prevents CREATE IF NOT EXISTS
in the same situation. This prevents a form of trojan-horse attack in which a hostile database user could become the owner of an extension object and then modify it to compromise future uses of the object by other users. As a side benefit, it also reduces the risk of accidentally replacing objects one did not mean to.
The PostgreSQL Project thanks Sven Klemm for reporting this problem. (CVE-2022-2625 or CVE-2022-2625)
Fix replay of CREATE DATABASE
WAL records on standby servers (Kyotaro Horiguchi, Asim R Praveen, Paul Guo)
Standby servers may encounter missing tablespace directories when replaying database-creation WAL records. Prior to this patch, a standby would fail to recover in such a case; however, such directories could be legitimately missing. Create the tablespace (as a plain directory), then check that it has been dropped again once replay reaches a consistent state.
Support “in place” tablespaces (Thomas Munro, Michael Paquier, Álvaro Herrera)
Normally a Postgres tablespace is a symbolic link to a directory on some other filesystem. This change allows it to just be a plain directory. While this has no use for separating tables onto different filesystems, it is a convenient setup for testing. Moreover, it is necessary to support the CREATE DATABASE
replay fix, which transiently creates a missing tablespace as an “in place” tablespace.
Fix permissions checks in CREATE INDEX
(Nathan Bossart, Noah Misch)
The fix for CVE-2022-1552 or CVE-2022-1552 caused CREATE INDEX
to apply the table owner's permissions while performing lookups of operator classes and other objects, where formerly the calling user's permissions were used. This broke dump/restore scenarios, because pg_dump issues CREATE INDEX
before re-granting permissions.
In extended query protocol, force an immediate commit after CREATE DATABASE
and other commands that can't run in a transaction block (Tom Lane)
If the client does not send a Sync message immediately after such a command, but instead sends another command, any failure in that command would lead to rolling back the preceding command, typically leaving inconsistent state on-disk (such as a missing or extra database directory). The mechanisms intended to prevent that situation turn out to work for multiple commands in a simple-Query message, but not for a series of extended-protocol messages. To prevent inconsistency without breaking use-cases that work today, force an implicit commit after such commands.
Fix race condition when checking transaction visibility (Simon Riggs)
TransactionIdIsInProgress
could report false
before the subject transaction is considered visible, leading to various misbehaviors. The race condition window is normally very narrow, but use of synchronous replication makes it much wider, because the wait for a synchronous replica happens in that window.
Fix incorrect plans when sorting by an expression that contains a non-top-level set-returning function (Richard Guo, Tom Lane)
Fix incorrect permissions-checking code for extended statistics (Richard Guo)
If there are extended statistics on a table that the user has only partial SELECT
permissions on, some queries would fail with “unrecognized node type” errors.
Fix extended statistics machinery to handle MCV-type statistics on boolean-valued expressions (Tom Lane)
Statistics collection worked fine, but a query containing such an expression in WHERE
would fail with “unknown clause type”.
Avoid planner core dump with
clauses when there are MCV-type extended statistics on the constant
= ANY(array
)array
variable (Tom Lane)
Fix ALTER TABLE ... ENABLE/DISABLE TRIGGER
to handle recursion correctly for triggers on partitioned tables (Álvaro Herrera, Amit Langote)
In certain cases, a “trigger does not exist” failure would occur because the command would try to adjust the trigger on a child partition that doesn't have it.
Allow cancellation of ANALYZE
while it is computing extended statistics (Tom Lane, Justin Pryzby)
In some scenarios with high statistics targets, it was possible to spend many seconds in an un-cancellable sort operation.
Improve syntax error messages for type jsonpath
(Andrew Dunstan)
Ensure that pg_stop_backup()
cleans up session state properly (Fujii Masao)
This omission could lead to assertion failures or crashes later in the session.
Fix trim_array()
to handle a zero-dimensional array argument sanely (Martin Kalcher)
Fix join alias matching in FOR [KEY] UPDATE/SHARE
clauses (Dean Rasheed)
In corner cases, a misleading error could be reported.
Reject ROW()
expressions and functions in FROM
that have too many columns (Tom Lane)
Cases with more than about 1600 columns are unsupported, and have always failed at execution. However, it emerges that some earlier code could be driven to assertion failures or crashes by queries with more than 32K columns. Add a parse-time check to prevent that.
Fix dumping of a view using a function in FROM
that returns a composite type, when column(s) of the composite type have been dropped since the view was made (Tom Lane)
This oversight could lead to dump/reload or pg_upgrade failures, as the dumped view would have too many column aliases for the function.
Disallow nested backup operations in logical replication walsenders (Fujii Masao)
Fix memory leak in logical replication subscribers (Hou Zhijie)
Fix logical replication's checking of replica identity when the target table is partitioned (Shi Yu, Hou Zhijie)
The replica identity columns have to be re-identified for the child partition.
Fix failures to update cached schema data in a logical replication subscriber after a schema change on the publisher (Shi Yu, Hou Zhijie)
Fix WAL consistency checking logic to correctly handle BRIN_EVACUATE_PAGE
flags (Haiyang Wang)
Fix erroneous assertion checks in shared hashtable management (Thomas Munro)
Avoid assertion failure when min_dynamic_shared_memory
is set to a non-default value (Thomas Munro)
Arrange to clean up after commit-time errors within SPI_commit()
, rather than expecting callers to do that (Peter Eisentraut, Tom Lane)
Proper cleanup is complicated and requires use of low-level facilities, so it's not surprising that no known caller got it right. This led to misbehaviors when a PL procedure issued COMMIT
but a failure occurred (such as a deferred constraint check). To improve matters, redefine SPI_commit()
as starting a new transaction, so that it becomes equivalent to SPI_commit_and_chain()
except that you get default transaction characteristics instead of preserving the prior transaction's characteristics. To make this somewhat transparent API-wise, redefine SPI_start_transaction()
as a no-op. All known callers of SPI_commit()
immediately call SPI_start_transaction()
, so they will not notice any change. Similar remarks apply to SPI_rollback()
.
Also fix PL/Python, which omitted any handling of such errors at all, resulting in jumping out of the Python interpreter. This is reported to crash Python 3.11. Older Python releases leak some memory but seem okay with it otherwise.
Improve libpq's handling of idle states in pipeline mode (Álvaro Herrera, Kyotaro Horiguchi)
This fixes “message type 0x33 arrived from server while idle” warnings, as well as possible loss of end-of-query NULL results from PQgetResult()
.
Avoid core dump in ecpglib with unexpected orders of operations (Tom Lane)
Certain operations such as EXEC SQL PREPARE
would crash (rather than reporting an error as expected) if called before establishing any database connection.
In ecpglib, avoid redundant newlocale()
calls (Noah Misch)
Allocate a C locale object once per process when first connecting, rather than creating and freeing locale objects once per query. This mitigates a libc memory leak on AIX, and may offer some performance benefit everywhere.
In psql's \watch
command, echo a newline after cancellation with control-C (Pavel Stehule)
This prevents libedit (and possibly also libreadline) from becoming confused about which column the cursor is in.
Fix pg_upgrade to detect non-upgradable usages of functions taking anyarray
(Justin Pryzby)
Version 14 changed some built-in functions to take type anycompatiblearray
instead of anyarray
. While this is mostly transparent, user-defined aggregates and operators built atop these functions have to be declared with exactly matching types. The presence of an object referencing the old signature will cause pg_upgrade to fail, so change it to detect and report such cases before beginning the upgrade.
Fix possible report of wrong error condition after clone()
failure in pg_upgrade with --clone
option (Justin Pryzby)
Fix contrib/pg_stat_statements
to avoid problems with very large query-text files on 32-bit platforms (Tom Lane)
In contrib/postgres_fdw
, prevent batch insertion when there are WITH CHECK OPTION
constraints (Etsuro Fujita)
Such constraints cannot be checked properly if more than one row is inserted at a time.
Fix contrib/postgres_fdw
to detect failure to send an asynchronous data fetch query (Fujii Masao)
Ensure that contrib/postgres_fdw
sends constants of regconfig
and other reg*
types with proper schema qualification (Tom Lane)
Block signals while allocating dynamic shared memory on Linux (Thomas Munro)
This avoids problems when a signal interrupts posix_fallocate()
.
Detect unexpected EEXIST
error from shm_open()
(Thomas Munro)
This avoids a possible crash on Solaris.
Avoid using signalfd()
on illumos systems (Thomas Munro)
This appears to trigger hangs and kernel panics, so avoid the function until a fix is available.
Release date: 2022-06-16
This release contains a variety of fixes from 14.3. For information about new features in major release 14, see Version 14.0.
A dump/restore is not required for those running 14.X.
However, if you have any indexes that were created using the CONCURRENTLY
option under 14.X, you should re-index them after updating. See the first changelog entry below.
Also, if you are upgrading from a version earlier than 14.3, see Version 14.3.
Prevent possible corruption of indexes created or rebuilt with the CONCURRENTLY
option (Álvaro Herrera)
An optimization added in v14 caused CREATE INDEX ... CONCURRENTLY
and REINDEX ... CONCURRENTLY
to sometimes miss indexing rows that were updated during the index build. Revert that optimization. It is recommended that any indexes made with the CONCURRENTLY
option be rebuilt after installing this update. (Alternatively, rebuild them without CONCURRENTLY
.)
Harden Memoize plan node against non-deterministic equality functions (David Rowley)
Memoize could crash if a data type's equality or hash functions gave inconsistent results across different calls. Throw a runtime error instead.
Fix incorrect cost estimates for Memoize plans (David Rowley)
This mistake could lead to Memoize being used when it isn't really the best plan, or to very long executor startup times due to initializing an overly-large hash table for a Memoize node.
Fix queries in which a “whole-row variable” references the result of a function that returns a domain over composite type (Tom Lane)
Fix “variable not found in subplan target list” planner error when pulling up a sub-SELECT
that's referenced in a GROUPING
function (Richard Guo)
Prevent pg_stat_get_subscription()
from possibly returning an extra row containing garbage values (Kuntal Ghosh)
Fix COPY FROM
's error checking in the case where the database encoding is SQL_ASCII
while the client's encoding is a multi-byte encoding (Heikki Linnakangas)
This mistake could lead to false complaints of invalidly-encoded input data.
Avoid crashing if too many column aliases are attached to an XMLTABLE
or JSON_TABLE
construct (Álvaro Herrera)
When decompiling a view or rule, show a SELECT
output column's AS "?column?"
alias clause if it could be referenced elsewhere (Tom Lane)
Previously, this auto-generated alias was always hidden; but there are corner cases where doing so results in a non-restorable view or rule definition.
Report implicitly-created operator families to event triggers (Masahiko Sawada)
If CREATE OPERATOR CLASS
results in the implicit creation of an operator family, that object was not reported to event triggers that should capture such events.
Fix control file updates made when a restartpoint is running during promotion of a standby server (Kyotaro Horiguchi)
Previously, when the restartpoint completed it could incorrectly update the last-checkpoint fields of the control file, potentially leading to PANIC and failure to restart if the server crashes before the next normal checkpoint completes.
Prevent triggering of standby's wal_receiver_timeout
during logical replication of large transactions (Wang Wei, Amit Kapila)
If a large transaction on the primary server sends no data to the standby (perhaps because no table it changes is published), it was possible for the standby to timeout. Fix that by ensuring we send keepalive messages periodically in such situations.
Prevent open-file leak when reading an invalid timezone abbreviation file (Kyotaro Horiguchi)
Such cases could result in harmless warning messages.
Allow custom server parameters to have short descriptions that are NULL (Steve Chavez)
Previously, although extensions could choose to create such settings, some code paths would crash while processing them.
Remove misguided SSL key file ownership check in libpq (Tom Lane)
In the previous minor releases, we copied the server's permission checking rules for SSL private key files into libpq. But we should not have also copied the server's file-ownership check. While that works in normal use-cases, it can result in an unexpected failure for clients running as root, and perhaps in other cases.
Ensure ecpg reports server connection loss sanely (Tom Lane)
Misprocessing of a libpq-generated error result, such as a report of lost connection, would lead to printing “(null)” instead of a useful error message; or in older releases it would lead to a crash.
Prevent crash after server connection loss in pg_amcheck (Tom Lane)
Misprocessing of a libpq-generated error result, such as a report of lost connection, would lead to a crash.
Adjust PL/Perl test case so it will work under Perl 5.36 (Dagfinn Ilmari Mannsåker)
Avoid incorrectly using an out-of-date libldap_r library when multiple OpenLDAP installations are present while building PostgreSQL (Tom Lane)
Release date: 2022-05-12
This release contains a variety of fixes from 14.2. For information about new features in major release 14, see Version 14.0.
A dump/restore is not required for those running 14.X.
However, if you have any GiST indexes on columns of type ltree
(supplied by the contrib/ltree
extension), you should re-index them after updating. See the second changelog entry below.
Also, if you are upgrading from a version earlier than 14.2, see Version 14.2.
Confine additional operations within “security restricted operation” sandboxes (Sergey Shinderuk, Noah Misch)
Autovacuum, CLUSTER
, CREATE INDEX
, REINDEX
, REFRESH MATERIALIZED VIEW
, and pg_amcheck activated the “security restricted operation” protection mechanism too late, or even not at all in some code paths. A user having permission to create non-temporary objects within a database could define an object that would execute arbitrary SQL code with superuser permissions the next time that autovacuum processed the object, or that some superuser ran one of the affected commands against it.
The PostgreSQL Project thanks Alexander Lakhin for reporting this problem. (CVE-2022-1552 or CVE-2022-1552)
Fix default signature length for gist_ltree_ops
indexes (Tomas Vondra, Alexander Korotkov)
The default signature length (hash size) for GiST indexes on ltree
columns was accidentally changed while upgrading that operator class to support operator class parameters. If any operations had been done on such an index without first upgrading the ltree
extension to version 1.2, they were done assuming that the signature length was 28 bytes rather than the intended 8. This means it is very likely that such indexes are now corrupt. For safety we recommend re-indexing all GiST indexes on ltree
columns after installing this update. (Note that GiST indexes on ltree[]
columns, that is arrays of ltree
, are not affected.)
Stop using query-provided column aliases for the columns of whole-row variables that refer to plain tables (Tom Lane)
The column names in tuples produced by a whole-row variable (such as tbl.*
in contexts other than the top level of a SELECT
list) are now always those of the associated named composite type, if there is one. We'd previously attempted to make them track any column aliases that had been applied to the FROM
entry the variable refers to. But that's semantically dubious, because really then the output of the variable is not at all of the composite type it claims to be. Previous attempts to deal with that inconsistency had bad results up to and including storing unreadable data on disk, so just give up on the whole idea.
In cases where it's important to be able to relabel such columns, a workaround is to introduce an extra level of sub-SELECT
, so that the whole-row variable is referring to the sub-SELECT
's output and not to a plain table. Then the variable is of type record
to begin with and there's no issue.
Fix incorrect roundoff when extracting epoch values from intervals (Peter Eisentraut)
The new numeric
-based code for EXTRACT()
failed to yield results equivalent to the old float
-based code, as a result of accidentally truncating the DAYS_PER_YEAR
value to an integer.
Defend against pg_stat_get_replication_slot (NULL)
(Andres Freund)
This function should be marked strict in the catalog data, but it was not in v14, so add a run-time check instead.
Fix incorrect output for types timestamptz
and timetz
in table_to_xmlschema()
and allied functions (Renan Soares Lopes)
The xmlschema output for these types included a malformed regular expression.
Avoid core dump in parser for a VALUES
clause with zero columns (Tom Lane)
Fix planner failure when a Result plan node appears immediately underneath an Append node (Etsuro Fujita)
Recently-added code to support asynchronous remote queries failed to handle this case, leading to crashes or errors about unrecognized node types.
Fix planner failure if a query using SEARCH
or CYCLE
features contains a duplicate CTE name (Tom Lane, Kyotaro Horiguchi)
When the name of the recursive WITH
query is re-used within itself, the planner could crash or report odd errors such as “could not find attribute 2 in subquery targetlist”.
Fix planner errors for GROUPING()
constructs that reference outer query levels (Richard Guo, Tom Lane)
Fix plan generation for index-only scans on indexes with both returnable and non-returnable columns (Tom Lane)
The previous coding could try to read non-returnable columns in addition to the returnable ones. This was fairly harmless because it didn't actually do anything with the bogus values, but it fell foul of a recently-added error check that rejected such a plan.
Avoid accessing a no-longer-pinned shared buffer while attempting to lock an outdated tuple during EvalPlanQual (Tom Lane)
The code would touch the buffer a couple more times after releasing its pin. In theory another process could recycle the buffer (or more likely, try to defragment its free space) as soon as the pin is gone, probably leading to failure to find the newer version of the tuple.
Fix query-lifespan memory leak in an IndexScan node that is performing reordering (Aliaksandr Kalenik)
Fix ALTER FUNCTION
to support changing a function's parallelism property and its SET
-variable list in the same command (Tom Lane)
The parallelism property change was lost if the same command also updated the function's SET
clause.
Tighten lookup of the index “owned by” a constraint (Tom Lane, Japin Li)
Some code paths mistook the index depended on by a foreign key constraint for one owned by a unique or primary key constraint, resulting in odd errors during certain ALTER TABLE
operations on tables having foreign key constraints.
Fix bogus errors from attempts to alter system columns of tables (Tom Lane)
The system should just tell you that you can't do it, but sometimes it would report “no owned sequence found” instead.
Fix mis-sorting of table rows when CLUSTER
ing using an index whose leading key is an expression (Peter Geoghegan, Thomas Munro)
The table would be rebuilt with the correct data, but in an order having little to do with the index order.
Prevent data loss if a system crash occurs shortly after a sorted GiST index build (Heikki Linnakangas)
The code path for building GiST indexes using sorting neglected to fsync
the file upon completion. This could result in a corrupted index if the operating system crashed shortly later.
Fix risk of deadlock failures while dropping a partitioned index (Jimmy Yih, Gaurab Dey, Tom Lane)
Ensure that the required table and index locks are taken in the standard order (parents before children, tables before indexes). The previous coding for DROP INDEX
did it differently, and so could deadlock against concurrent queries taking these locks in the standard order.
Fix race condition between DROP TABLESPACE
and checkpointing (Nathan Bossart)
The checkpoint forced by DROP TABLESPACE
could sometimes fail to remove all dead files from the tablespace's directory, leading to a bogus “tablespace is not empty” error.
Fix possible trouble in crash recovery after a TRUNCATE
command that overlaps a checkpoint (Kyotaro Horiguchi, Heikki Linnakangas, Robert Haas)
TRUNCATE
must ensure that the table's disk file is truncated before the checkpoint is allowed to complete. Otherwise, replay starting from that checkpoint might find unexpected data in the supposedly-removed pages, possibly causing replay failure.
Fix unsafe toast-data accesses during temporary object cleanup (Andres Freund)
Temporary-object deletion during server process exit could fail with “FATAL: cannot fetch toast data without an active snapshot”. This was usually harmless since the next use of that temporary schema would clean up successfully.
Re-allow underscore as the first character in a custom parameter name (Japin Li)
Such names were unintentionally disallowed in v14.
Add regress
option for the compute_query_id
parameter (Michael Paquier)
This is intended to facilitate testing, by allowing query IDs to be computed but not shown in EXPLAIN
output.
Improve wait logic in RegisterSyncRequest (Thomas Munro)
If we run out of space in the checkpointer sync request queue (which is hopefully rare on real systems, but is common when testing with a very small buffer pool), we wait for it to drain. While waiting, we should report that as a wait event so that users know what is going on, and also watch for postmaster death, since otherwise the loop might never terminate if the checkpointer has already exited.
Wake up for latch events when the checkpointer is waiting between writes (Thomas Munro)
This improves responsiveness to backends sending sync requests. The change also creates a proper wait event class for these waits.
Fix “PANIC: xlog flush request is not satisfied” failure during standby promotion when there is a missing WAL continuation record (Sami Imseih)
Fix possibility of self-deadlock in hot standby conflict handling (Andres Freund)
With unlucky timing, the WAL-applying process could get stuck while waiting for some other process to release a buffer lock.
Fix possible mis-identification of the correct ancestor relation to publish logical replication changes through (Tomas Vondra, Hou zj, Amit Kapila)
If publish_via_partition_root
is enabled, and there are multiple publications naming different ancestors of the currently-modified relation, the wrong ancestor might be chosen for reporting the change.
Ensure that logical replication apply workers can be restarted even when we're up against the max_sync_workers_per_subscription
limit (Amit Kapila)
Faulty coding of the limit check caused a restarted worker to exit immediately, leaving fewer workers than there should be.
Include unchanged replica identity key columns in the WAL log for an update, if they are stored out-of-line (Dilip Kumar, Amit Kapila)
Otherwise subscribers cannot see the values and will fail to replicate the update.
Cope correctly with platforms that have no support for altering the server process's display in ps(1) (Andrew Dunstan)
Few platforms are like this (the only supported one is Cygwin), so we'd managed not to notice that refactoring introduced a potential memory clobber.
Make the server more robust against missed timer interrupts (Michael Harris, Tom Lane)
An optimization added in v14 meant that if a server process somehow missed a timer interrupt, it would never again ask the kernel for another one, thus breaking timeout detection for the remainder of the session. This seems unduly fragile, so add a recovery path.
Disallow execution of SPI functions during PL/Perl function compilation (Tom Lane)
Perl can be convinced to execute user-defined code during compilation of a PL/Perl function. However, it's not okay for such code to try to invoke SQL operations via SPI. That results in a crash, and if it didn't crash it would be a security hazard, because we really don't want code execution during function validation. Put in a check to give a friendlier error message instead.
Make libpq accept root-owned SSL private key files (David Steele)
This change synchronizes libpq's rules for safe ownership and permissions of SSL key files with the rules the server has used since release 9.6. Namely, in addition to the current rules, allow the case where the key file is owned by root and has permissions rw-r-----
or less. This is helpful for system-wide management of key files.
Fix behavior of libpq's PQisBusy()
function after a connection failure (Tom Lane)
If we'd detected a write failure, PQisBusy()
would always return true, which is the wrong thing: we want input processing to carry on normally until we've read whatever is available from the server. The practical effect of this error is that applications using libpq's async-query API would typically detect connection loss only when PQconsumeInput()
returns a hard failure. With this fix, a connection loss will normally be reported via an error PGresult
object, which is a much cleaner behavior for most applications.
Re-allow database
.schema
.table
patterns in psql, pg_dump, and pg_amcheck (Mark Dilger)
Versions before v14 silently ignored all but the schema
and table
fragments of a pattern containing more than one dot. Refactoring in v14 accidentally broke that use-case. Reinstate it, but now complain if the first fragment is not the name of the current database.
Make pg_ctl recheck postmaster aliveness while waiting for stop/restart/promote actions (Tom Lane)
pg_ctl would verify that the postmaster is alive as a side-effect of sending the stop or promote signal, but then it just naively waited to see the on-disk state change. If the postmaster died uncleanly without having removed its PID file or updated the control file, pg_ctl would wait until timeout. Instead make it recheck every so often that the postmaster process is still there.
Fix error handling in pg_waldump (Kyotaro Horiguchi, Andres Freund)
While trying to read a WAL file to determine the WAL segment size, pg_waldump would report an incorrect error for the case of a too-short file. In addition, the file name reported in this and related error messages could be garbage.
Ensure that contrib/pageinspect
functions cope with all-zero pages (Michael Paquier)
This is a legitimate edge case, but the module was mostly unprepared for it. Arrange to return nulls, or no rows, as appropriate; that seems more useful than raising an error.
In contrib/pageinspect
, add defenses against incorrect page “special space” contents, tighten checks for correct page size, and add some missing checks that an index is of the expected type (Michael Paquier, Justin Pryzby, Julien Rouhaud)
These changes make it less likely that the module will crash on bad data.
In contrib/postgres_fdw
, disable batch insertion when BEFORE INSERT ... FOR EACH ROW
triggers exist on the foreign table (Etsuro Fujita)
Such a trigger might query the table it's on and expect to see previously-inserted rows. With batch insertion, those rows might not be visible yet, so disable the feature to avoid unexpected behavior.
In contrib/postgres_fdw
, verify that ORDER BY
clauses are safe to ship before requesting a remotely-ordered query, and include a USING
clause if necessary (Ronan Dunklau)
This fix prevents situations where the remote server might sort in a different order than we intend. While sometimes that would be only cosmetic, it could produce thoroughly wrong results if the remote data is used as input for a locally-performed merge join.
Fix configure to handle platforms that have sys/epoll.h
but not sys/signalfd.h
(Tom Lane)
Update JIT code to work with LLVM 14 (Thomas Munro)
Clean up assorted failures under clang's -fsanitize=undefined
checks (Tom Lane, Andres Freund, Zhihong Yu)
Most of these changes are just for pro-forma compliance with the letter of the C and POSIX standards, and are unlikely to have any effect on production builds.
Do not add OpenSSL dependencies to libpq's pkg-config
file when building without OpenSSL (Fabrice Fontaine)
Fix PL/Perl so it builds on C compilers that don't support statements nested within expressions (Tom Lane)
Fix possible build failure of pg_dumpall on Windows, when not using MSVC to build (Andres Freund)
In Windows builds, use gendef instead of pexports to build DEF files (Andrew Dunstan)
This adapts the build process to work on recent MSys tool chains.
Prevent extra expansion of shell wildcard patterns in programs built under MinGW (Andrew Dunstan)
For some reason the C library provided by MinGW will expand shell wildcard characters in a program's command-line arguments by default. This is confusing, not least because it doesn't happen under MSVC, so turn it off.
Update time zone data files to tzdata release 2022a for DST law changes in Palestine, plus historical corrections for Chile and Ukraine.
Release date: 2022-02-10
This release contains a variety of fixes from 14.1. For information about new features in major release 14, see Version 14.0.
A dump/restore is not required for those running 14.X.
However, some bugs have been found that may have resulted in corrupted indexes, as explained in the first two changelog entries. If any of those cases apply to you, it's recommended to reindex possibly-affected indexes after updating.
Also, if you are upgrading from a version earlier than 14.1, see Version 14.1.
Enforce standard locking protocol for TOAST table updates, to prevent problems with REINDEX CONCURRENTLY
(Michael Paquier)
If applied to a TOAST table or TOAST table's index, REINDEX CONCURRENTLY
tended to produce a corrupted index. This happened because sessions updating TOAST entries released their ROW EXCLUSIVE
locks immediately, rather than holding them until transaction commit as all other updates do. The fix is to make TOAST updates hold the table lock according to the normal rule. Any existing corrupted indexes can be repaired by reindexing again.
Fix corruption of HOT chains when a RECENTLY_DEAD tuple changes state to fully DEAD during page pruning (Andres Freund)
It was possible for VACUUM
to remove a recently-dead tuple while leaving behind a redirect item that pointed to it. When the tuple's item slot is later re-used by some new tuple, that tuple would be seen as part of the pre-existing HOT chain, creating a form of index corruption. If this has happened, reindexing the table should repair the damage. However, this is an extremely low-probability scenario, so we do not recommend reindexing just on the chance that it might have happened.
Fix crash in EvalPlanQual rechecks for tables with a mix of local and foreign partitions (Etsuro Fujita)
Fix dangling pointer in COPY TO
(Bharath Rupireddy)
This oversight could cause an incorrect error message or a crash after an error in COPY
.
Avoid null-pointer crash in ALTER STATISTICS
when the statistics object is dropped concurrently (Tomas Vondra)
Correctly handle alignment padding when extracting a range from a multirange (Alexander Korotkov)
This error could cause crashes when handling multiranges over variable-length data types.
Fix over-optimistic use of hashing for anonymous RECORD
data types (Tom Lane)
This prevents some cases of “could not identify a hash function for type record” errors.
Fix incorrect plan creation for parallel single-child Append nodes (David Rowley)
In some cases the Append would be simplified away when it should not be, leading to wrong query results (duplicated rows).
Fix index-only scan plans for cases where not all index columns can be returned (Tom Lane)
If an index has both returnable and non-returnable columns, and one of the non-returnable columns is an expression using a table column that appears in a returnable index column, then a query using that expression could result in an index-only scan plan that attempts to read the non-returnable column, instead of recomputing the expression from the returnable column as intended. The non-returnable column would read as NULL, resulting in wrong query results.
Fix Memoize plan nodes to handle subplans that use parameters coming from above the Memoize (David Rowley)
Fix Memoize plan nodes to work correctly with non-hashable join operators (David Rowley)
Ensure that casting to an unspecified typmod generates a RelabelType node rather than a length-coercion function call (Tom Lane)
While the coercion function should do the right thing (nothing), this translation is undesirably inefficient.
Fix checking of anycompatible
-family data type matches (Tom Lane)
In some cases the parser would think that a function or operator with anycompatible
-family polymorphic parameters matches a set of arguments that it really shouldn't match. In reported cases, that led to matching more than one operator to a call, leading to ambiguous-operator errors; but a failure later on is also possible.
Fix WAL replay failure when database consistency is reached exactly at a WAL page boundary (Álvaro Herrera)
Fix startup of a physical replica to tolerate transaction ID wraparound (Abhijit Menon-Sen, Tomas Vondra)
If a replica server is started while the set of active transactions on the primary crosses a wraparound boundary (so that there are some newer transactions with smaller XIDs than older ones), the replica would fail with “out-of-order XID insertion in KnownAssignedXids”. The replica would retry, but could never get past that error.
In logical replication, avoid double transmission of a child table's data (Hou Zhijie)
If a publication includes both child and parent tables, and has the publish_via_partition_root
option set, subscribers uselessly initiated synchronization on both child and parent tables. Ensure that only the parent table is synchronized in such cases.
Remove lexical limitations for SQL commands issued on a logical replication connection (Tom Lane)
The walsender process would fail for a SQL command containing an unquoted semicolon, or with dollar-quoted literals containing odd numbers of single or double quote marks, or when the SQL command starts with a comment. Moreover, faulty error recovery could lead to unexpected errors in later commands too.
Ensure that replication origin timestamp is set while replicating a ROLLBACK PREPARED
operation (Masahiko Sawada)
Fix possible loss of the commit timestamp for the last subtransaction of a transaction (Alex Kingsborough, Kyotaro Horiguchi)
Be sure to fsync
the pg_logical/mappings
subdirectory during checkpoints (Nathan Bossart)
On some filesystems this oversight could lead to losing logical rewrite status files after a system crash.
Build extended statistics for partitioned tables (Justin Pryzby)
A previous bug fix disabled building of extended statistics for old-style inheritance trees, but it also prevented building them for partitioned tables, which was an unnecessary restriction. This change allows ANALYZE
to compute values for statistics objects for partitioned tables. (But note that autovacuum does not process partitioned tables as such, so you must periodically issue manual ANALYZE
on the partitioned table if you want to maintain such statistics.)
Ignore extended statistics for inheritance trees (Justin Pryzby)
Currently, extended statistics values are only computed locally for each table, not for entire inheritance trees. However the values were mistakenly consulted when planning queries across inheritance trees, possibly resulting in worse-than-default estimates.
Disallow altering data type of a partitioned table's columns when the partitioned table's row type is used as a composite type elsewhere (Tom Lane)
This restriction has long existed for regular tables, but through an oversight it was not checked for partitioned tables.
Disallow ALTER TABLE ... DROP NOT NULL
for a column that is part of a replica identity index (Haiying Tang, Hou Zhijie)
The same prohibition already existed for primary key indexes.
Correctly update cached table state during ALTER TABLE ADD PRIMARY KEY USING INDEX
(Hou Zhijie)
Concurrent sessions failed to update their opinion of whether the table has a primary key, possibly causing incorrect logical replication behavior.
Correctly update cached table state when switching REPLICA IDENTITY
index (Tang Haiying, Hou Zhijie)
Concurrent sessions failed to update their opinion of which index is the replica identity one, possibly causing incorrect logical replication behavior.
Fix failure of SP-GiST indexes when the indexed column's data type is binary-compatible with the declared input type of the operator class (Tom Lane)
Such cases should work, but failed with “compress method must be defined when leaf type is different from input type”.
Allow parallel vacuuming and concurrent index building to be ignored while computing oldest xmin (Masahiko Sawada)
Non-parallelized instances of these operations were already ignored, but the logic did not work for parallelized cases. Holding back the xmin horizon has undesirable effects such as delaying vacuum cleanup.
Fix memory leak when updating expression indexes (Peter Geoghegan)
An UPDATE
affecting many rows could consume significant amounts of memory.
Avoid leaking memory during REASSIGN OWNED BY
operations that reassign ownership of many objects (Justin Pryzby)
Improve performance of walsenders sending logical changes by avoiding unnecessary cache accesses (Hou Zhijie)
Fix display of cert
authentication method's options in pg_hba_file_rules
view (Magnus Hagander)
The cert
authentication method implies clientcert=verify-full
, but the pg_hba_file_rules
view incorrectly reported clientcert=verify-ca
.
Ensure that the session targeted by pg_log_backend_memory_contexts()
sends its results only to the server's log (Fujii Masao)
Previously, a sufficiently high setting of client_min_messages
could result in the log message also being sent to the connected client. Since that client hadn't requested it, that would be surprising (and possibly a wire protocol violation).
Fix display of whole-row variables appearing in INSERT ... VALUES
rules (Tom Lane)
A whole-row variable would be printed as “var.*”, but that allows it to be expanded to individual columns when the rule is reloaded, resulting in different semantics. Attach an explicit cast to prevent that, as we do elsewhere.
When reverse-listing a SQL-standard function body, display function parameters appropriately within INSERT ... SELECT
(Tom Lane)
Previously, they'd come out as $
even when the parameter had a name.N
Fix one-byte buffer overrun when applying Unicode string normalization to an empty string (Michael Paquier)
The practical impact of this is limited thanks to alignment considerations; but in debug builds, a warning was raised.
Fix or remove some incorrect assertions (Simon Riggs, Michael Paquier, Alexander Lakhin)
These errors should affect only debug builds, not production.
Fix race condition that could lead to failure to localize error messages that are reported early in multi-threaded use of libpq or ecpglib (Tom Lane)
Avoid calling strerror
from libpq's PQcancel
function (Tom Lane)
PQcancel
is supposed to be safe to call from a signal handler, but strerror
is not safe. The faulty usage only occurred in the unlikely event of failure to send the cancel message to the server, perhaps explaining the lack of reports.
Make psql's \password
command default to setting the password for CURRENT_USER
, not the connection's original user name (Tom Lane)
This agrees with the documented behavior, and avoids probable permissions failure if SET ROLE
or SET SESSION AUTHORIZATION
has been done since the session began. To prevent confusion, the role name to be acted on is now included in the password prompt.
Fix psql \d
command's query for identifying parent triggers (Justin Pryzby)
The previous coding failed with “more than one row returned by a subquery used as an expression” if a partition had triggers and there were unrelated statement-level triggers of the same name on some parent partitioned table.
Make psql's \d
command sort a table's extended statistics objects by name not OID (Justin Pryzby)
Fix psql's tab-completion of label values for enum types (Tom Lane)
Fix failures on Windows when using the terminal as data source or destination (Dmitry Koval, Juan José Santamaría Flecha, Michael Paquier)
This affects psql's \copy
command, as well as pg_recvlogical with -f -
.
In psql and some other client programs, avoid trying to invoke gettext()
from a control-C signal handler (Tom Lane)
While no reported failures have been traced to this mistake, it seems highly unlikely to be a safe thing to do.
Allow canceling the initial password prompt in pg_receivewal and pg_recvlogical (Tom Lane, Nathan Bossart)
Previously it was impossible to terminate these programs via control-C while they were prompting for a password.
Fix pg_dump's dump ordering for user-defined casts (Tom Lane)
In rare cases, the output script might refer to a user-defined cast before it had been created.
Fix pg_dump's --inserts
and --column-inserts
modes to handle tables containing both generated columns and dropped columns (Tom Lane)
Fix possible mis-reporting of errors in pg_dump and pg_basebackup (Tom Lane)
The previous code failed to check for errors from some kernel calls, and could report the wrong errno values in other cases.
Fix results of index-only scans on contrib/btree_gist
indexes on char(
columns (Tom Lane)N
)
Index-only scans returned column values with trailing spaces removed, which is not the expected behavior. That happened because that's how the data was stored in the index. This fix changes the code to store char(
values with the expected amount of space padding. The behavior of such an index will not change immediately unless you N
)REINDEX
it; otherwise space-stripped values will be gradually replaced over time during updates. Queries that do not use index-only scan plans will be unaffected in any case.
Fix edge cases in postgres_fdw
's handling of asynchronous queries (Etsuro Fujita)
These errors could lead to crashes or incorrect results when attempting to parallelize scans of foreign tables.
Change configure to use Python's sysconfig module, rather than the deprecated distutils module, to determine how to build PL/Python (Peter Eisentraut, Tom Lane, Andres Freund)
With Python 3.10, this avoids configure-time warnings about distutils being deprecated and scheduled for removal in Python 3.12. Presumably, once 3.12 is out, configure --with-python
would fail altogether. This future-proofing does come at a cost: sysconfig did not exist before Python 2.7, nor before 3.2 in the Python 3 branch, so it is no longer possible to build PL/Python against long-dead Python versions.
Re-allow cross-compilation without OpenSSL (Tom Lane)
configure should assume that /dev/urandom
will be available on the target system, but it failed instead.
Fix PL/Perl compile failure on Windows with Perl 5.28 and later (Victor Wagner)
Fix PL/Python compile failure with Python 3.11 and later (Peter Eisentraut)
Add support for building with Visual Studio 2022 (Hans Buschmann)
Allow the .bat
wrapper scripts in our MSVC build system to be called without first changing into their directory (Anton Voloshin, Andrew Dunstan)
Release date: 2021-11-11
This release contains a variety of fixes from 14.0. For information about new features in major release 14, see Version 14.0.
A dump/restore is not required for those running 14.X.
However, note that installations using physical replication should update standby servers before the primary server, as explained in the third changelog entry below.
Also, several bugs have been found that may have resulted in corrupted indexes, as explained in the next several changelog entries. If any of those cases apply to you, it's recommended to reindex possibly-affected indexes after updating.
Make the server reject extraneous data after an SSL or GSS encryption handshake (Tom Lane)
A man-in-the-middle with the ability to inject data into the TCP connection could stuff some cleartext data into the start of a supposedly encryption-protected database session. This could be abused to send faked SQL commands to the server, although that would only work if the server did not demand any authentication data. (However, a server relying on SSL certificate authentication might well not do so.)
The PostgreSQL Project thanks Jacob Champion for reporting this problem. (CVE-2021-23214 or CVE-2021-23214)
Make libpq reject extraneous data after an SSL or GSS encryption handshake (Tom Lane)
A man-in-the-middle with the ability to inject data into the TCP connection could stuff some cleartext data into the start of a supposedly encryption-protected database session. This could probably be abused to inject faked responses to the client's first few queries, although other details of libpq's behavior make that harder than it sounds. A different line of attack is to exfiltrate the client's password, or other sensitive data that might be sent early in the session. That has been shown to be possible with a server vulnerable to CVE-2021-23214 or CVE-2021-23214.
The PostgreSQL Project thanks Jacob Champion for reporting this problem. (CVE-2021-23222 or CVE-2021-23222)
Fix physical replication for cases where the primary crashes after shipping a WAL segment that ends with a partial WAL record (Álvaro Herrera)
If the primary did not survive long enough to finish writing the rest of the incomplete WAL record, then the previous crash-recovery logic had it back up and overwrite WAL starting from the beginning of the incomplete WAL record. This is problematic since standby servers may already have copies of that WAL segment. They will then see an inconsistent next segment, and will not be able to recover without manual intervention. To fix, do not back up over a WAL segment boundary when restarting after a crash. Instead write a new type of WAL record at the start of the next WAL segment, informing readers that the incomplete WAL record will never be finished and must be disregarded.
When applying this update, it's best to update standby servers before the primary, so that they will be ready to handle this new WAL record type if the primary happens to crash.
Ensure that parallel VACUUM
doesn't miss any indexes (Peter Geoghegan, Masahiko Sawada)
A parallel VACUUM
would fail to process indexes that are below the min_parallel_index_scan_size
cutoff, if the table also has at least two indexes that are above that size. This could result in those indexes becoming corrupt, since they'd still contain references to any heap entries removed by the VACUUM
; subsequent queries using such indexes would be likely to return rows they shouldn't. This problem does not affect autovacuum, since it doesn't use parallel vacuuming. However, it is advisable to reindex any manually-vacuumed tables that have the right mix of index sizes.
Fix CREATE INDEX CONCURRENTLY
to wait for the latest prepared transactions (Andrey Borodin)
Rows inserted by just-prepared transactions might be omitted from the new index, causing queries relying on the index to miss such rows. The previous fix for this type of problem failed to account for PREPARE TRANSACTION
commands that were still in progress when CREATE INDEX CONCURRENTLY
checked for them. As before, in installations that have enabled prepared transactions (max_prepared_transactions
> 0), it's recommended to reindex any concurrently-built indexes in case this problem occurred when they were built.
Avoid race condition that can cause backends to fail to add entries for new rows to an index being built concurrently (Noah Misch, Andrey Borodin)
While it's apparently rare in the field, this case could potentially affect any index built or reindexed with the CONCURRENTLY
option. It is recommended to reindex any such indexes to make sure they are correct.
Fix REINDEX CONCURRENTLY
to preserve operator class parameters that were attached to the target index (Michael Paquier)
Fix incorrect creation of shared dependencies when cloning a database that contains non-builtin objects (Aleksander Alekseev)
The effects of this error are probably limited in practice. In principle, it could allow a role to be dropped while it still owns objects; but most installations would never want to drop a role that had been used for objects they'd added to template1
.
Ensure that the relation cache is invalidated for a table being attached to or detached from a partitioned table (Amit Langote, Álvaro Herrera)
This oversight could allow misbehavior of subsequent inserts/updates addressed directly to the partition, but only in currently-existing sessions.
Fix corruption of parse tree while creating a range type (Alex Kozhemyakin, Sergey Shinderuk)
CREATE TYPE
incorrectly freed an element of the parse tree, which could cause problems for a later event trigger, or if the CREATE TYPE
command was stored in the plan cache and used again later.
Fix updates of element fields in arrays of domain over composite (Tom Lane)
A command such as UPDATE tab SET fld[1].subfld = val
failed if the array's elements were domains rather than plain composites.
Disallow the combination of FETCH FIRST WITH TIES
and FOR UPDATE SKIP LOCKED
(David Christensen)
FETCH FIRST WITH TIES
necessarily fetches one more row than requested, since it cannot stop until it finds a row that is not a tie. In our current implementation, if FOR UPDATE
is used then that row will also get locked even though it is not returned. That results in undesirable behavior if the SKIP LOCKED
option is specified. It's difficult to change this without introducing a different set of undesirable behaviors, so for now, forbid the combination.
Disallow ALTER INDEX index ALTER COLUMN col SET (options)
(Nathan Bossart, Michael Paquier)
While the parser accepted this, it's undocumented and doesn't actually work.
Fix corner-case loss of precision in numeric power()
(Dean Rasheed)
The result could be inaccurate when the first argument is very close to 1.
Avoid choosing the wrong hash equality operator for Memoize plans (David Rowley)
This error could result in crashes or incorrect query results.
Fix planner error with pulling up subquery expressions into function rangetable entries (Tom Lane)
If a function in FROM
laterally references the output of some sub-SELECT
earlier in the FROM
clause, and we are able to flatten that sub-SELECT
into the outer query, the expression(s) copied into the function expression were not fully processed. This could lead to crashes at execution.
Avoid using MCV-only statistics to estimate the range of a column (Tom Lane)
There are corner cases in which ANALYZE
will build a most-common-values (MCV) list but not a histogram, even though the MCV list does not account for all the observed values. In such cases, keep the planner from using the MCV list alone to estimate the range of column values.
Fix restoration of a Portal's snapshot inside a subtransaction (Bertrand Drouvot)
If a procedure commits or rolls back a transaction, and then its next significant action is inside a new subtransaction, snapshot management went wrong, leading to a dangling pointer and probable crash. A typical example in PL/pgSQL is a COMMIT
immediately followed by a BEGIN ... EXCEPTION
block that performs a query.
Clean up correctly if a transaction fails after exporting its snapshot (Dilip Kumar)
This oversight would only cause a problem if the same session attempted to export a snapshot again. The most likely scenario for that is creation of a replication slot (followed by rollback) and then creation of another replication slot.
Prevent wraparound of overflowed-subtransaction tracking on standby servers (Kyotaro Horiguchi, Alexander Korotkov)
This oversight could cause significant performance degradation (manifesting as excessive SubtransSLRU traffic) on standby servers.
Ensure that prepared transactions are properly accounted for during promotion of a standby server (Michael Paquier, Andres Freund)
There was a narrow window where a prepared transaction could be omitted from a snapshot taken by a concurrently-running session. If that session then used the snapshot to perform data updates, erroneous results or data corruption could occur.
Fix “could not find RecursiveUnion” error when EXPLAIN
tries to print a filter condition attached to a WorkTableScan node (Tom Lane)
Ensure that the correct lock level is used when renaming a table (Nathan Bossart, Álvaro Herrera)
For historical reasons, ALTER INDEX ... RENAME
can be applied to any sort of relation. The lock level required to rename an index is lower than that required to rename a table or other kind of relation, but the code got this wrong and would use the weaker lock level whenever the command is spelled ALTER INDEX
.
Avoid null-pointer-dereference crash when dropping a role that owns objects being dropped concurrently (Álvaro Herrera)
Prevent “snapshot reference leak” warning when lo_export()
or a related function fails (Heikki Linnakangas)
Fix inefficient code generation for CoerceToDomain expression nodes (Ranier Vilela)
Avoid O (N^2) behavior in some list-manipulation operations (Nathan Bossart, Tom Lane)
These changes fix slow processing in several scenarios, including: when a standby replays a transaction that held many exclusive locks on the primary; when many files are due to be unlinked after a checkpoint; when hash aggregation involves many batches; and when pg_trgm
extracts indexable conditions from a complex regular expression. Only the first of these scenarios has actually been reported from the field, but they all seem like plausible consequences of inefficient list deletions.
Add more defensive checks around B-tree posting list splits (Peter Geoghegan)
This change should help detect index corruption involving duplicate table TIDs.
Avoid assertion failure when inserting NaN into a BRIN float8 or float4 minmax_multi_ops index (Tomas Vondra)
In production builds, such cases would result in a somewhat inefficient, but not actually incorrect, index.
Allow the autovacuum launcher process to respond to pg_log_backend_memory_contexts()
requests more quickly (Koyu Tanigawa)
Fix memory leak in HMAC hash calculations (Sergey Shinderuk)
Disallow setting huge_pages
to on
when shared_memory_type
is sysv
(Thomas Munro)
Previously, this setting was accepted, but it did nothing for lack of any implementation.
Fix checking of query type in PL/pgSQL's RETURN QUERY
statement (Tom Lane)
RETURN QUERY
should accept any query that can return tuples, e.g. UPDATE RETURNING
. v14 accidentally disallowed anything but SELECT
; moreover, the RETURN QUERY EXECUTE
variant failed to apply any query-type check at all.
Fix pg_dump to dump non-global default privileges correctly (Neil Chen, Masahiko Sawada)
If a global (unrestricted) ALTER DEFAULT PRIVILEGES
command revoked some present-by-default privilege, for example EXECUTE
for functions, and then a restricted ALTER DEFAULT PRIVILEGES
command granted that privilege again for a selected role or schema, pg_dump failed to dump the restricted privilege grant correctly.
Make pg_dump acquire shared lock on partitioned tables that are to be dumped (Tom Lane)
This oversight was usually pretty harmless, since once pg_dump has locked any of the leaf partitions, that would suffice to prevent significant DDL on the partitioned table itself. However problems could ensue when dumping a childless partitioned table, since no relevant lock would be held.
Fix crash in pg_dump when attempting to dump trigger definitions from a pre-8.3 server (Tom Lane)
Fix incorrect filename in pg_restore's error message about an invalid large object TOC file (Daniel Gustafsson)
Ensure that pgbench exits with non-zero status after a socket-level failure (Yugo Nagata, Fabien Coelho)
The desired behavior is to finish out the run but then exit with status 2. Also, fix the reporting of such errors.
Prevent pg_amcheck from checking temporary relations, as well as indexes that are invalid or not ready (Mark Dilger)
This avoids unhelpful checks of relations that will almost certainly appear inconsistent.
Make contrib/amcheck
skip unlogged tables when running on a standby server (Mark Dilger)
It's appropriate to do this since such tables will be empty, and unlogged indexes were already handled similarly.
Change contrib/pg_stat_statements
to read its “query texts” file in units of at most 1GB (Tom Lane)
Such large query text files are very unusual, but if they do occur, the previous coding would fail on Windows 64 (which rejects individual read requests of more than 2GB).
Fix null-pointer crash when contrib/postgres_fdw
tries to report a data conversion error (Tom Lane)
Ensure that GetSharedSecurityLabel()
can be used in a newly-started session that has not yet built its critical relation cache entries (Jeff Davis)
When running a TAP test, include the module's own directory in PATH
(Andrew Dunstan)
This allows tests to find built programs that are not installed, such as custom test drivers.
Use the CLDR project's data to map Windows time zone names to IANA time zones (Tom Lane)
When running on Windows, initdb attempts to set the new cluster's timezone
parameter to the IANA time zone matching the system's prevailing time zone. We were using a mapping table that we'd generated years ago and updated only fitfully; unsurprisingly, it contained a number of errors as well as omissions of recently-added zones. It turns out that CLDR has been tracking the most appropriate mappings, so start using their data. This change will not affect any existing installation, only newly-initialized clusters.
Update time zone data files to tzdata release 2021e for DST law changes in Fiji, Jordan, Palestine, and Samoa, plus historical corrections for Barbados, Cook Islands, Guyana, Niue, Portugal, and Tonga.
Also, the Pacific/Enderbury zone has been renamed to Pacific/Kanton. Also, the following zones have been merged into nearby, more-populous zones whose clocks have agreed with them since 1970: Africa/Accra, America/Atikokan, America/Blanc-Sablon, America/Creston, America/Curacao, America/Nassau, America/Port_of_Spain, Antarctica/DumontDUrville, and Antarctica/Syowa. In all these cases, the previous zone name remains as an alias.
Release date: 2021-09-30
PostgreSQL 14 contains many new features and enhancements, including:
Stored procedures can now return data via OUT
parameters.
The SQL-standard SEARCH
and CYCLE
options for common table expressions have been implemented.
Subscripting can now be applied to any data type for which it is a useful notation, not only arrays. In this release, the jsonb
and hstore
types have gained subscripting operators.
Range types have been extended by adding multiranges, allowing representation of noncontiguous data ranges.
Numerous performance improvements have been made for parallel queries, heavily-concurrent workloads, partitioned tables, logical replication, and vacuuming.
B-tree index updates are managed more efficiently, reducing index bloat.
VACUUM
automatically becomes more aggressive, and skips inessential cleanup, if the database starts to approach a transaction ID wraparound condition.
Extended statistics can now be collected on expressions, allowing better planning results for complex queries.
libpq now has the ability to pipeline multiple queries, which can boost throughput over high-latency connections.
The above items and other new features of PostgreSQL 14 are explained in more detail in the sections below.
A dump/restore using pg_dumpall or use of pg_upgrade or logical replication is required for those wishing to migrate data from any previous release. See Section 19.6 for general information on migrating to new major releases.
Version 14 contains a number of changes that may affect compatibility with previous releases. Observe the following incompatibilities:
User-defined objects that reference certain built-in array functions along with their argument types must be recreated (Tom Lane)
Specifically, array_append()
, array_prepend()
, array_cat()
, array_position()
, array_positions()
, array_remove()
, array_replace()
, and width_bucket()
used to take anyarray
arguments but now take anycompatiblearray
. Therefore, user-defined objects like aggregates and operators that reference those array function signatures must be dropped before upgrading, and recreated once the upgrade completes.
Remove deprecated containment operators @
and ~
for built-in geometric data types and contrib modules cube, hstore, intarray, and seg (Justin Pryzby)
The more consistently named <@
and @>
have been recommended for many years.
Fix to_tsquery()
and websearch_to_tsquery()
to properly parse query text containing discarded tokens (Alexander Korotkov)
Certain discarded tokens, like underscore, caused the output of these functions to produce incorrect tsquery output, e.g., both websearch_to_tsquery('"pg_class pg"')
and to_tsquery('pg_class <-> pg')
used to output ( 'pg' & 'class' ) <-> 'pg'
, but now both output 'pg' <-> 'class' <-> 'pg'
.
Fix websearch_to_tsquery()
to properly parse multiple adjacent discarded tokens in quotes (Alexander Korotkov)
Previously, quoted text that contained multiple adjacent discarded tokens was treated as multiple tokens, causing incorrect tsquery output, e.g., websearch_to_tsquery('"aaa: bbb"')
used to output 'aaa' <2> 'bbb'
, but now outputs 'aaa' <-> 'bbb'
.
Change EXTRACT()
to return type numeric
instead of float8
(Peter Eisentraut)
This avoids loss-of-precision issues in some usages. The old behavior can still be obtained by using the old underlying function date_part()
.
Also, EXTRACT(date)
now throws an error for units that are not part of the date
data type.
Change var_samp()
and stddev_samp()
with numeric parameters to return NULL when the input is a single NaN value (Tom Lane)
Previously NaN
was returned.
Return false for has_column_privilege()
checks on non-existent or dropped columns when using attribute numbers (Joe Conway)
Previously such attribute numbers returned an invalid-column error.
Fix handling of infinite window function ranges (Tom Lane)
Previously window frame clauses like 'inf' PRECEDING AND 'inf' FOLLOWING
returned incorrect results.
Remove factorial operators !
and !!
, as well as function numeric_fac()
(Mark Dilger)
The factorial()
function is still supported.
Disallow factorial()
of negative numbers (Peter Eisentraut)
Previously such cases returned 1.
Remove support for postfix (right-unary) operators (Mark Dilger)
pg_dump and pg_upgrade will warn if postfix operators are being dumped.
Allow \D
and \W
shorthands to match newlines in regular expression newline-sensitive mode (Tom Lane)
Previously they did not match newlines in this mode, but that disagrees with the behavior of other common regular expression engines. [^[:digit:]]
or [^[:word:]]
can be used to get the old behavior.
Disregard constraints when matching regular expression back-references (Tom Lane)
For example, in (^\d+).*\1
, the ^
constraint should be applied at the start of the string, but not when matching \1
.
Disallow \w
as a range start or end in regular expression character classes (Tom Lane)
This previously was allowed but produced unexpected results.
Require custom server parameter names to use only characters that are valid in unquoted SQL identifiers (Tom Lane)
Change the default of the password_encryption server parameter to scram-sha-256
(Peter Eisentraut)
Previously it was md5
. All new passwords will be stored as SHA256 unless this server setting is changed or the password is specified in MD5 format. Also, the legacy (and undocumented) Boolean-like values which were previously synonyms for md5
are no longer accepted.
Remove server parameter vacuum_cleanup_index_scale_factor
(Peter Geoghegan)
This setting was ignored starting in PostgreSQL version 13.3.
Remove server parameter operator_precedence_warning
(Tom Lane)
This setting was used for warning applications about PostgreSQL 9.5 changes.
Overhaul the specification of clientcert
in pg_hba.conf
(Kyotaro Horiguchi)
Values 1
/0
/no-verify
are no longer supported; only the strings verify-ca
and verify-full
can be used. Also, disallow verify-ca
if cert authentication is enabled since cert requires verify-full
checking.
Remove support for SSL compression (Daniel Gustafsson, Michael Paquier)
This was already disabled by default in previous PostgreSQL releases, and most modern OpenSSL and TLS versions no longer support it.
Remove server and libpq support for the version 2 wire protocol (Heikki Linnakangas)
This was last used as the default in PostgreSQL 7.3 (released in 2002).
Disallow single-quoting of the language name in the CREATE/DROP LANGUAGE
command (Peter Eisentraut)
Remove the composite types that were formerly created for sequences and toast tables (Tom Lane)
Process doubled quote marks in ecpg SQL command strings correctly (Tom Lane)
Previously 'abc''def'
was passed to the server as 'abc'def'
, and "abc""def"
was passed as "abc"def"
, causing syntax errors.
Prevent the containment operators (<@
and @>
) for intarray from using GiST indexes (Tom Lane)
Previously a full GiST index scan was required, so just avoid that and scan the heap, which is faster. Indexes created for this purpose should be removed.
Remove contrib program pg_standby (Justin Pryzby)
Prevent tablefunc's function normal_rand()
from accepting negative values (Ashutosh Bapat)
Negative values produced undesirable results.
Below you will find a detailed account of the changes between PostgreSQL 14 and the previous major release.
Add predefined roles pg_read_all_data
and pg_write_all_data
(Stephen Frost)
These non-login roles can be used to give read or write permission to all tables, views, and sequences.
Add predefined role pg_database_owner
that contains only the current database's owner (Noah Misch)
This is especially useful in template databases.
Remove temporary files after backend crashes (Euler Taveira)
Previously, such files were retained for debugging purposes. If necessary, deletion can be disabled with the new server parameter remove_temp_files_after_crash.
Allow long-running queries to be canceled if the client disconnects (Sergey Cherkashin, Thomas Munro)
The server parameter client_connection_check_interval allows control over whether loss of connection is checked for intra-query. (This is supported on Linux and a few other operating systems.)
Add an optional timeout parameter to pg_terminate_backend()
(Magnus Hagander)
Allow wide tuples to be always added to almost-empty heap pages (John Naylor, Floris van Nee)
Previously tuples whose insertion would have exceeded the page's fill factor were instead added to new pages.
Add Server Name Indication (SNI) in SSL connection packets (Peter Eisentraut)
This can be disabled by turning off client connection option sslsni
.
Allow vacuum to skip index vacuuming when the number of removable index entries is insignificant (Masahiko Sawada, Peter Geoghegan)
The vacuum parameter INDEX_CLEANUP
has a new default of auto
that enables this optimization.
Allow vacuum to more eagerly add deleted btree pages to the free space map (Peter Geoghegan)
Previously vacuum could only add pages to the free space map that were marked as deleted by previous vacuums.
Allow vacuum to reclaim space used by unused trailing heap line pointers (Matthias van de Meent, Peter Geoghegan)
Allow vacuum to be more aggressive in removing dead rows during minimal-locking index operations (Álvaro Herrera)
Specifically, CREATE INDEX CONCURRENTLY
and REINDEX CONCURRENTLY
no longer limit the dead row removal of other relations.
Speed up vacuuming of databases with many relations (Tatsuhito Kasahara)
Reduce the default value of vacuum_cost_page_miss to better reflect current hardware capabilities (Peter Geoghegan)
Add ability to skip vacuuming of TOAST tables (Nathan Bossart)
VACUUM
now has a PROCESS_TOAST
option which can be set to false to disable TOAST processing, and vacuumdb has a --no-process-toast
option.
Have COPY FREEZE
appropriately update page visibility bits (Anastasia Lubennikova, Pavan Deolasee, Jeff Janes)
Cause vacuum operations to be more aggressive if the table is near xid or multixact wraparound (Masahiko Sawada, Peter Geoghegan)
This is controlled by vacuum_failsafe_age and vacuum_multixact_failsafe_age.
Increase warning time and hard limit before transaction id and multi-transaction wraparound (Noah Misch)
This should reduce the possibility of failures that occur without having issued warnings about wraparound.
Add per-index information to autovacuum logging output (Masahiko Sawada)
Improve the performance of updates and deletes on partitioned tables with many partitions (Amit Langote, Tom Lane)
This change greatly reduces the planner's overhead for such cases, and also allows updates/deletes on partitioned tables to use execution-time partition pruning.
Allow partitions to be detached in a non-blocking manner (Álvaro Herrera)
The syntax is ALTER TABLE ... DETACH PARTITION ... CONCURRENTLY
, and FINALIZE
.
Ignore COLLATE
clauses in partition boundary values (Tom Lane)
Previously any such clause had to match the collation of the partition key; but it's more consistent to consider that it's automatically coerced to the collation of the partition key.
Allow btree index additions to remove expired index entries to prevent page splits (Peter Geoghegan)
This is particularly helpful for reducing index bloat on tables whose indexed columns are frequently updated.
Allow BRIN indexes to record multiple min/max values per range (Tomas Vondra)
This is useful if there are groups of values in each page range.
Allow BRIN indexes to use bloom filters (Tomas Vondra)
This allows BRIN indexes to be used effectively with data that is not well-localized in the heap.
Allow some GiST indexes to be built by presorting the data (Andrey Borodin)
Presorting happens automatically and allows for faster index creation and smaller indexes.
Allow SP-GiST indexes to contain INCLUDE
'd columns (Pavel Borisov)
Allow hash lookup for IN
clauses with many constants (James Coleman, David Rowley)
Previously the code always sequentially scanned the list of values.
Increase the number of places extended statistics can be used for OR
clause estimation (Tomas Vondra, Dean Rasheed)
Allow extended statistics on expressions (Tomas Vondra)
This allows statistics on a group of expressions and columns, rather than only columns like previously. System view pg_stats_ext_exprs
reports such statistics.
Allow efficient heap scanning of a range of TIDs
(Edmund Horner, David Rowley)
Previously a sequential scan was required for non-equality TID
specifications.
Fix EXPLAIN CREATE TABLE AS
and EXPLAIN CREATE MATERIALIZED VIEW
to honor IF NOT EXISTS
(Bharath Rupireddy)
Previously, if the object already existed, EXPLAIN
would fail.
Improve the speed of computing MVCC visibility snapshots on systems with many CPUs and high session counts (Andres Freund)
This also improves performance when there are many idle sessions.
Add executor method to memoize results from the inner side of a nested-loop join (David Rowley)
This is useful if only a small percentage of rows is checked on the inner side. It can be disabled via server parameter enable_memoize.
Allow window functions to perform incremental sorts (David Rowley)
Improve the I/O performance of parallel sequential scans (Thomas Munro, David Rowley)
This was done by allocating blocks in groups to parallel workers.
Allow a query referencing multiple foreign tables to perform foreign table scans in parallel (Robert Haas, Kyotaro Horiguchi, Thomas Munro, Etsuro Fujita)
postgres_fdw supports this type of scan if async_capable
is set.
Allow analyze to do page prefetching (Stephen Frost)
This is controlled by maintenance_io_concurrency.
Improve performance of regular expression searches (Tom Lane)
Dramatically improve Unicode normalization performance (John Naylor)
This speeds normalize()
and IS NORMALIZED
.
Add ability to use LZ4 compression on TOAST data (Dilip Kumar)
This can be set at the column level, or set as a default via server parameter default_toast_compression. The server must be compiled with --with-lz4
to support this feature. The default setting is still pglz.
If server parameter compute_query_id is enabled, display the query id in pg_stat_activity
, EXPLAIN VERBOSE
, csvlog, and optionally in log_line_prefix (Julien Rouhaud)
A query id computed by an extension will also be displayed.
Improve logging of auto-vacuum and auto-analyze (Stephen Frost, Jakub Wartak)
This reports I/O timings for auto-vacuum and auto-analyze if track_io_timing is enabled. Also, report buffer read and dirty rates for auto-analyze.
Add information about the original user name supplied by the client to the output of log_connections (Jacob Champion)
Add system view pg_stat_progress_copy
to report COPY
progress (Josef Šimánek, Matthias van de Meent)
Add system view pg_stat_wal
to report WAL activity (Masahiro Ikeda)
Add system view pg_stat_replication_slots
to report replication slot activity (Masahiko Sawada, Amit Kapila, Vignesh C)
The function pg_stat_reset_replication_slot()
resets slot statistics.
Add system view pg_backend_memory_contexts
to report session memory usage (Atsushi Torikoshi, Fujii Masao)
Add function pg_log_backend_memory_contexts()
to output the memory contexts of arbitrary backends (Atsushi Torikoshi)
Add session statistics to the pg_stat_database
system view (Laurenz Albe)
Add columns to pg_prepared_statements
to report generic and custom plan counts (Atsushi Torikoshi, Kyotaro Horiguchi)
Add lock wait start time to pg_locks
(Atsushi Torikoshi)
Make the archiver process visible in pg_stat_activity
(Kyotaro Horiguchi)
Add wait event WalReceiverExit
to report WAL receiver exit wait time (Fujii Masao)
Implement information schema view routine_column_usage
to track columns referenced by function and procedure default expressions (Peter Eisentraut)
Allow an SSL certificate's distinguished name (DN) to be matched for client certificate authentication (Andrew Dunstan)
The new pg_hba.conf
option clientname=DN
allows comparison with certificate attributes beyond the CN
and can be combined with ident maps.
Allow pg_hba.conf
and pg_ident.conf
records to span multiple lines (Fabien Coelho)
A backslash at the end of a line allows record contents to be continued on the next line.
Allow the specification of a certificate revocation list (CRL) directory (Kyotaro Horiguchi)
This is controlled by server parameter ssl_crl_dir and libpq connection option sslcrldir. Previously only single CRL files could be specified.
Allow passwords of an arbitrary length (Tom Lane, Nathan Bossart)
Add server parameter idle_session_timeout to close idle sessions (Li Japin)
This is similar to idle_in_transaction_session_timeout.
Change checkpoint_completion_target default to 0.9 (Stephen Frost)
The previous default was 0.5.
Allow %P
in log_line_prefix to report the parallel group leader's PID for a parallel worker (Justin Pryzby)
Allow unix_socket_directories to specify paths as individual, comma-separated quoted strings (Ian Lawrence Barwick)
Previously all the paths had to be in a single quoted string.
Allow startup allocation of dynamic shared memory (Thomas Munro)
This is controlled by min_dynamic_shared_memory. This allows more use of huge pages.
Add server parameter huge_page_size to control the size of huge pages used on Linux (Odin Ugedal)
Allow standby servers to be rewound via pg_rewind (Heikki Linnakangas)
Allow the restore_command setting to be changed during a server reload (Sergei Kornilov)
You can also set restore_command
to an empty string and reload to force recovery to only read from the pg_wal
directory.
Add server parameter log_recovery_conflict_waits to report long recovery conflict wait times (Bertrand Drouvot, Masahiko Sawada)
Pause recovery on a hot standby server if the primary changes its parameters in a way that prevents replay on the standby (Peter Eisentraut)
Previously the standby would shut down immediately.
Add function pg_get_wal_replay_pause_state()
to report the recovery state (Dilip Kumar)
It gives more detailed information than pg_is_wal_replay_paused()
, which still exists.
Add new read-only server parameter in_hot_standby (Haribabu Kommi, Greg Nancarrow, Tom Lane)
This allows clients to easily detect whether they are connected to a hot standby server.
Speed truncation of small tables during recovery on clusters with a large number of shared buffers (Kirk Jamison)
Allow file system sync at the start of crash recovery on Linux (Thomas Munro)
By default, PostgreSQL opens and fsyncs each data file in the database cluster at the start of crash recovery. A new setting, recovery_init_sync_method=syncfs
, instead syncs each filesystem used by the cluster. This allows for faster recovery on systems with many database files.
Add function pg_xact_commit_timestamp_origin()
to return the commit timestamp and replication origin of the specified transaction (Movead Li)
Add the replication origin to the record returned by pg_last_committed_xact()
(Movead Li)
Allow replication origin functions to be controlled using standard function permission controls (Martín Marqués)
Previously these functions could only be executed by superusers, and this is still the default.
Allow logical replication to stream long in-progress transactions to subscribers (Dilip Kumar, Amit Kapila, Ajin Cherian, Tomas Vondra, Nikhil Sontakke, Stas Kelvich)
Previously transactions that exceeded logical_decoding_work_mem were written to disk until the transaction completed.
Enhance the logical replication API to allow streaming large in-progress transactions (Tomas Vondra, Dilip Kumar, Amit Kapila)
The output functions begin with stream
. test_decoding also supports these.
Allow multiple transactions during table sync in logical replication (Peter Smith, Amit Kapila, Takamichi Osumi)
Immediately WAL-log subtransaction and top-level XID
association (Tomas Vondra, Dilip Kumar, Amit Kapila)
This is useful for logical decoding.
Enhance logical decoding APIs to handle two-phase commits (Ajin Cherian, Amit Kapila, Nikhil Sontakke, Stas Kelvich)
This is controlled via pg_create_logical_replication_slot()
.
Add cache invalidation messages to the WAL during command completion when using logical replication (Dilip Kumar, Tomas Vondra, Amit Kapila)
This allows logical streaming of in-progress transactions. When logical replication is disabled, invalidation messages are generated only at transaction completion.
Allow logical decoding to more efficiently process cache invalidation messages (Dilip Kumar)
This allows logical decoding to work efficiently in presence of a large amount of DDL.
Allow control over whether logical decoding messages are sent to the replication stream (David Pirotte, Euler Taveira)
Allow logical replication subscriptions to use binary transfer mode (Dave Cramer)
This is faster than text mode, but slightly less robust.
Allow logical decoding to be filtered by xid (Markus Wanner)
SELECT
, INSERT
(PG 14.0)Reduce the number of keywords that can't be used as column labels without AS
(Mark Dilger)
There are now 90% fewer restricted keywords.
Allow an alias to be specified for JOIN
's USING
clause (Peter Eisentraut)
The alias is created by writing AS
after the USING
clause. It can be used as a table qualification for the merged USING
columns.
Allow DISTINCT
to be added to GROUP BY
to remove duplicate GROUPING SET
combinations (Vik Fearing)
For example, GROUP BY CUBE (a,b), CUBE (b,c)
will generate duplicate grouping combinations without DISTINCT
.
Properly handle DEFAULT
entries in multi-row VALUES
lists in INSERT
(Dean Rasheed)
Such cases used to throw an error.
Add SQL-standard SEARCH
and CYCLE
clauses for common table expressions (Peter Eisentraut)
The same results could be accomplished using existing syntax, but much less conveniently.
Allow column names in the WHERE
clause of ON CONFLICT
to be table-qualified (Tom Lane)
Only the target table can be referenced, however.
Allow REFRESH MATERIALIZED VIEW
to use parallelism (Bharath Rupireddy)
Allow REINDEX
to change the tablespace of the new index (Alexey Kondratov, Michael Paquier, Justin Pryzby)
This is done by specifying a TABLESPACE
clause. A --tablespace
option was also added to reindexdb to control this.
Allow REINDEX
to process all child tables or indexes of a partitioned relation (Justin Pryzby, Michael Paquier)
Allow index commands using CONCURRENTLY
to avoid waiting for the completion of other operations using CONCURRENTLY
(Álvaro Herrera)
Improve the performance of COPY FROM
in binary mode (Bharath Rupireddy, Amit Langote)
Preserve SQL standard syntax for SQL-defined functions in view definitions (Tom Lane)
Previously, calls to SQL-standard functions such as EXTRACT()
were shown in plain function-call syntax. The original syntax is now preserved when displaying a view or rule.
Add the SQL-standard clause GRANTED BY
to GRANT
and REVOKE
(Peter Eisentraut)
Add OR REPLACE
option for CREATE TRIGGER
(Takamichi Osumi)
This allows pre-existing triggers to be conditionally replaced.
Allow TRUNCATE
to operate on foreign tables (Kazutaka Onishi, Kohei KaiGai)
The postgres_fdw module also now supports this.
Allow publications to be more easily added to and removed from a subscription (Japin Li)
The new syntax is ALTER SUBSCRIPTION ... ADD/DROP PUBLICATION
. This avoids having to specify all publications to add/remove entries.
Add primary keys, unique constraints, and foreign keys to system catalogs (Peter Eisentraut)
These changes help GUI tools analyze the system catalogs. The existing unique indexes of catalogs now have associated UNIQUE
or PRIMARY KEY
constraints. Foreign key relationships are not actually stored or implemented as constraints, but can be obtained for display from the function pg_get_catalog_foreign_keys().
Allow CURRENT_ROLE
every place CURRENT_USER
is accepted (Peter Eisentraut)
Allow extensions and built-in data types to implement subscripting (Dmitry Dolgov)
Previously subscript handling was hard-coded into the server, so that subscripting could only be applied to array types. This change allows subscript notation to be used to extract or assign portions of a value of any type for which the concept makes sense.
Allow subscripting of JSONB
(Dmitry Dolgov)
JSONB
subscripting can be used to extract and assign to portions of JSONB
documents.
Add support for multirange data types (Paul Jungwirth, Alexander Korotkov)
These are like range data types, but they allow the specification of multiple, ordered, non-overlapping ranges. An associated multirange type is automatically created for every range type.
Add support for the stemming of languages Armenian, Basque, Catalan, Hindi, Serbian, and Yiddish (Peter Eisentraut)
Allow tsearch data files to have unlimited line lengths (Tom Lane)
The previous limit was 4K bytes. Also remove function t_readline()
.
Add support for Infinity
and -Infinity
values in the numeric data type (Tom Lane)
Floating-point data types already supported these.
Add point operators <<|
and |>>
representing strictly above/below tests (Emre Hasegeli)
Previously these were called >^
and <^
, but that naming is inconsistent with other geometric data types. The old names remain available, but may someday be removed.
Add operators to add and subtract LSN
and numeric (byte) values (Fujii Masao)
Allow binary data transfer to be more forgiving of array and record OID
mismatches (Tom Lane)
Create composite array types for system catalogs (Wenjing Zeng)
User-defined relations have long had composite types associated with them, and also array types over those composite types. System catalogs now do as well. This change also fixes an inconsistency that creating a user-defined table in single-user mode would fail to create a composite array type.
Allow SQL-language functions and procedures to use SQL-standard function bodies (Peter Eisentraut)
Previously only string-literal function bodies were supported. When writing a function or procedure in SQL-standard syntax, the body is parsed immediately and stored as a parse tree. This allows better tracking of function dependencies, and can have security benefits.
Allow procedures to have OUT
parameters (Peter Eisentraut)
Allow some array functions to operate on a mix of compatible data types (Tom Lane)
The functions array_append()
, array_prepend()
, array_cat()
, array_position()
, array_positions()
, array_remove()
, array_replace()
, and width_bucket()
now take anycompatiblearray
instead of anyarray
arguments. This makes them less fussy about exact matches of argument types.
Add SQL-standard trim_array()
function (Vik Fearing)
This could already be done with array slices, but less easily.
Add bytea
equivalents of ltrim()
and rtrim()
(Joel Jacobson)
Support negative indexes in split_part()
(Nikhil Benesch)
Negative values start from the last field and count backward.
Add string_to_table()
function to split a string on delimiters (Pavel Stehule)
This is similar to the regexp_split_to_table()
function.
Add unistr()
function to allow Unicode characters to be specified as backslash-hex escapes in strings (Pavel Stehule)
This is similar to how Unicode can be specified in literal strings.
Add bit_xor()
XOR aggregate function (Alexey Bashtanov)
Add function bit_count()
to return the number of bits set in a bit or byte string (David Fetter)
Add date_bin()
function (John Naylor)
This function “bins” input timestamps, grouping them into intervals of a uniform length aligned with a specified origin.
Allow make_timestamp()
/make_timestamptz()
to accept negative years (Peter Eisentraut)
Negative values are interpreted as BC
years.
Add newer regular expression substring()
syntax (Peter Eisentraut)
The new SQL-standard syntax is SUBSTRING(text SIMILAR pattern ESCAPE escapechar)
. The previous standard syntax was SUBSTRING(text FROM pattern FOR escapechar)
, which is still accepted by PostgreSQL.
Allow complemented character class escapes \D, \S
, and \W
within regular expression brackets (Tom Lane)
Add [[:word:]]
as a regular expression character class, equivalent to \w
(Tom Lane)
Allow more flexible data types for default values of lead()
and lag()
window functions (Vik Fearing)
Make non-zero floating-point values divided by infinity return zero (Kyotaro Horiguchi)
Previously such operations produced underflow errors.
Make floating-point division of NaN by zero return NaN (Tom Lane)
Previously this returned an error.
Cause exp()
and power()
for negative-infinity exponents to return zero (Tom Lane)
Previously they often returned underflow errors.
Improve the accuracy of geometric computations involving infinity (Tom Lane)
Mark built-in type coercion functions as leakproof where possible (Tom Lane)
This allows more use of functions that require type conversion in security-sensitive situations.
Change pg_describe_object()
, pg_identify_object()
, and pg_identify_object_as_address()
to always report helpful error messages for non-existent objects (Michael Paquier)
Improve PL/pgSQL's expression and assignment parsing (Tom Lane)
This change allows assignment to array slices and nested record fields.
Allow plpgsql's RETURN QUERY
to execute its query using parallelism (Tom Lane)
Improve performance of repeated CALLs within plpgsql procedures (Pavel Stehule, Tom Lane)
Add pipeline mode to libpq (Craig Ringer, Matthieu Garrigues, Álvaro Herrera)
This allows multiple queries to be sent, only waiting for completion when a specific synchronization message is sent.
Enhance libpq's target_session_attrs
parameter options (Haribabu Kommi, Greg Nancarrow, Vignesh C, Tom Lane)
The new options are read-only
, primary
, standby
, and prefer-standby
.
Improve the output format of libpq's PQtrace()
(Aya Iwata, Álvaro Herrera)
Allow an ECPG SQL identifier to be linked to a specific connection (Hayato Kuroda)
This is done via DECLARE ... STATEMENT
.
Allow vacuumdb to skip index cleanup and truncation (Nathan Bossart)
The options are --no-index-cleanup
and --no-truncate
.
Allow pg_dump to dump only certain extensions (Guillaume Lelarge)
This is controlled by option --extension
.
Add pgbench permute()
function to randomly shuffle values (Fabien Coelho, Hironobu Suzuki, Dean Rasheed)
Include disconnection times in the reconnection overhead measured by pgbench with -C
(Yugo Nagata)
Allow multiple verbose option specifications (-v
) to increase the logging verbosity (Tom Lane)
This behavior is supported by pg_dump, pg_dumpall, and pg_restore.
Allow psql's \df
and \do
commands to specify function and operator argument types (Greg Sabino Mullane, Tom Lane)
This helps reduce the number of matches printed for overloaded names.
Add an access method column to psql's \d[i|m|t]+
output (Georgios Kokolatos)
Allow psql's \dt
and \di
to show TOAST tables and their indexes (Justin Pryzby)
Add psql command \dX
to list extended statistics objects (Tatsuro Yamada)
Fix psql's \dT
to understand array syntax and backend grammar aliases, like int
for integer
(Greg Sabino Mullane, Tom Lane)
When editing the previous query or a file with psql's \e
, or using \ef
and \ev
, ignore the results if the editor exits without saving (Laurenz Albe)
Previously, such edits would load the previous query into the query buffer, and typically execute it immediately. This was deemed to be probably not what the user wants.
Improve tab completion (Vignesh C, Michael Paquier, Justin Pryzby, Georgios Kokolatos, Julien Rouhaud)
Add command-line utility pg_amcheck to simplify running contrib/amcheck
tests on many relations (Mark Dilger)
Add --no-instructions
option to initdb (Magnus Hagander)
This suppresses the server startup instructions that are normally printed.
Stop pg_upgrade from creating analyze_new_cluster
script (Magnus Hagander)
Instead, give comparable vacuumdb instructions.
Remove support for the postmaster -o
option (Magnus Hagander)
This option was unnecessary since all passed options could already be specified directly.
Rename "Default Roles" to "Predefined Roles" (Bruce Momjian, Stephen Frost)
Add documentation for the factorial()
function (Peter Eisentraut)
With the removal of the ! operator in this release, factorial()
is the only built-in way to compute a factorial.
Add configure option --with-ssl={openssl}
to allow future choice of the SSL library to use (Daniel Gustafsson, Michael Paquier)
The spelling --with-openssl
is kept for compatibility.
Add support for abstract Unix-domain sockets (Peter Eisentraut)
This is currently supported on Linux and Windows.
Allow Windows to properly handle files larger than four gigabytes (Juan José Santamaría Flecha)
For example this allows COPY,
WAL files, and relation segment files to be larger than four gigabytes.
Add server parameter debug_discard_caches to control cache flushing for test purposes (Craig Ringer)
Previously this behavior could only be set at compile time. To invoke it during initdb, use the new option --discard-caches
.
Various improvements in valgrind error detection ability (Álvaro Herrera, Peter Geoghegan)
Add a test module for the regular expression package (Tom Lane)
Add support for LLVM version 12 (Andres Freund)
Change SHA1, SHA2, and MD5 hash computations to use the OpenSSL EVP API (Michael Paquier)
This is more modern and supports FIPS mode.
Remove separate build-time control over the choice of random number generator (Daniel Gustafsson)
This is now always determined by the choice of SSL library.
Add direct conversion routines between EUC_TW and Big5 encodings (Heikki Linnakangas)
Add collation version support for FreeBSD (Thomas Munro)
Add amadjustmembers
to the index access method API (Tom Lane)
This allows an index access method to provide validity checking during creation of a new operator class or family.
Provide feature-test macros in libpq-fe.h
for recently-added libpq features (Tom Lane, Álvaro Herrera)
Historically, applications have usually used compile-time checks of PG_VERSION_NUM
to test whether a feature is available. But that's normally the server version, which might not be a good guide to libpq's version. libpq-fe.h
now offers #define
symbols denoting application-visible features added in v14; the intent is to keep adding symbols for such features in future versions.
Allow subscripting of hstore values (Tom Lane, Dmitry Dolgov)
Allow GiST/GIN pg_trgm indexes to do equality lookups (Julien Rouhaud)
This is similar to LIKE
except no wildcards are honored.
Allow the cube data type to be transferred in binary mode (KaiGai Kohei)
Allow pgstattuple_approx()
to report on TOAST tables (Peter Eisentraut)
Add contrib module pg_surgery which allows changes to row visibility (Ashutosh Sharma)
This is useful for correcting database corruption.
Add contrib module old_snapshot to report the XID
/time mapping used by an active old_snapshot_threshold (Robert Haas)
Allow amcheck to also check heap pages (Mark Dilger)
Previously it only checked B-Tree index pages.
Allow pageinspect to inspect GiST indexes (Andrey Borodin, Heikki Linnakangas)
Change pageinspect block numbers to be bigints
(Peter Eisentraut)
Mark btree_gist functions as parallel safe (Steven Winfield)
Move query hash computation from pg_stat_statements to the core server (Julien Rouhaud)
The new server parameter compute_query_id's default of auto
will automatically enable query id computation when this extension is loaded.
Cause pg_stat_statements to track top and nested statements separately (Julien Rohaud)
Previously, when tracking all statements, identical top and nested statements were tracked as a single entry; but it seems more useful to separate such usages.
Add row counts for utility commands to pg_stat_statements (Fujii Masao, Katsuragi Yuta, Seino Yuki)
Add pg_stat_statements_info
system view to show pg_stat_statements activity (Katsuragi Yuta, Yuki Seino, Naoki Nakamichi)
Allow postgres_fdw to INSERT
rows in bulk (Takayuki Tsunakawa, Tomas Vondra, Amit Langote)
Allow postgres_fdw to import table partitions if specified by IMPORT FOREIGN SCHEMA ... LIMIT TO
(Matthias van de Meent)
By default, only the root of a partitioned table is imported.
Add postgres_fdw function postgres_fdw_get_connections()
to report open foreign server connections (Bharath Rupireddy)
Allow control over whether foreign servers keep connections open after transaction completion (Bharath Rupireddy)
This is controlled by keep_connections
and defaults to on.
Allow postgres_fdw to reestablish foreign server connections if necessary (Bharath Rupireddy)
Previously foreign server restarts could cause foreign table access errors.
Add postgres_fdw functions to discard cached connections (Bharath Rupireddy)
The following individuals (in alphabetical order) have contributed to this release as patch authors, committers, reviewers, testers, or reporters of issues.
Release date: 2023-05-11
This release contains a variety of fixes from 13.10. For information about new features in major release 13, see Version 13.0.
A dump/restore is not required for those running 13.X.
However, if you are upgrading from a version earlier than 13.7, see Version 13.7.
Prevent CREATE SCHEMA
from defeating changes in search_path
(Alexander Lakhin)
Within a CREATE SCHEMA
command, objects in the prevailing search_path
, as well as those in the newly-created schema, would be visible even within a called function or script that attempted to set a secure search_path
. This could allow any user having permission to create a schema to hijack the privileges of a security definer function or extension script.
The PostgreSQL Project thanks Alexander Lakhin for reporting this problem. (CVE-2023-2454 or CVE-2023-2454)
Enforce row-level security policies correctly after inlining a set-returning function (Stephen Frost, Tom Lane)
If a set-returning SQL-language function refers to a table having row-level security policies, and it can be inlined into a calling query, those RLS policies would not get enforced properly in some cases involving re-using a cached plan under a different role. This could allow a user to see or modify rows that should have been invisible.
The PostgreSQL Project thanks Wolfgang Walther for reporting this problem. (CVE-2023-2455 or CVE-2023-2455)
Avoid crash when the new schema name is omitted in CREATE SCHEMA
(Michael Paquier)
The SQL standard allows writing CREATE SCHEMA AUTHORIZATION
, with the schema name defaulting to owner_name
owner_name
. However some code paths expected the schema name to be present and would fail.
Fix enabling/disabling of cloned triggers in partitioned tables (Tom Lane)
ALTER TABLE ... ENABLE/DISABLE TRIGGER USER
skipped cloned triggers, mistaking them for system triggers. Other variants of ENABLE/DISABLE TRIGGER
would process them, but only after improperly enforcing a superuserness check.
Disallow altering composite types that are stored in indexes (Tom Lane)
ALTER TYPE
disallows non-binary-compatible modifications of composite types if they are stored in any table columns. (Perhaps that will be allowed someday, but it hasn't happened yet; the locking implications of rewriting many tables are daunting.) We overlooked the possibility that an index might contain a composite type that doesn't also appear in its table.
Disallow system columns as elements of foreign keys (Tom Lane)
Since the removal of OID as a system column, there is no plausible use-case for this, and various bits of code no longer support it. Disallow it rather than trying to fix all the cases.
Ensure that COPY TO
from an RLS-enabled parent table does not copy any rows from child tables (Antonin Houska)
The documentation is quite clear that COPY TO
copies rows from only the named table, not any inheritance children it may have. However, if row-level security was enabled on the table then this stopped being true.
Avoid possible crash when array_position()
or array_positions()
is passed an empty array (Tom Lane)
Fix possible out-of-bounds fetch in to_char()
(Tom Lane)
With bad luck this could have resulted in a server crash.
Avoid buffer overread in translate()
function (Daniil Anisimov)
When using the deletion feature, the function might fetch the byte just after the input string, creating a small risk of crash.
Fix error cursor setting for parse errors in JSON string literals (Tom Lane)
Most cases in which a syntax error is detected in a string literal within a JSON value failed to set the error cursor appropriately. This led at least to an unhelpful error message (pointing to the token before the string, rather than the actual trouble spot), and could even result in a crash in v14 and later.
Fix data corruption due to vacuum_defer_cleanup_age
being larger than the current 64-bit xid (Andres Freund)
In v14 and later with non-default settings of vacuum_defer_cleanup_age
, it was possible to compute a very large vacuum cleanup horizon xid, leading to vacuum removing rows that are still live. v12 and v13 have a lesser form of the same problem affecting only GiST indexes, which could lead to index pages getting recycled too early.
Fix parser's failure to detect some cases of improperly-nested aggregates (Tom Lane)
This oversight could lead to executor failures for queries that should have been rejected as invalid.
Fix data structure corruption during parsing of serial SEQUENCE NAME
options (David Rowley)
This can lead to trouble if an event trigger captures the corrupted parse tree.
Correctly update plan nodes' parallel-safety markings when moving initplans from one node to another (Tom Lane)
This planner oversight could lead to “subplan was not initialized” errors at runtime.
Disable the inverse-transition optimization for window aggregates when the call contains sub-SELECTs (David Rowley)
This optimization requires that the aggregate's argument expressions have repeatable results, which might not hold for a sub-SELECT.
Fix oversights in execution of nested ARRAY[]
constructs (Alexander Lakhin, Tom Lane)
Correctly detect overflow of the total space needed for the result array, avoiding a possible crash due to undersized output allocation. Also ensure that any trailing padding space in the result array is zeroed; while leaving garbage there is harmless for most purposes, it can result in odd behavior later.
Prevent crash when updating a field within an array-of-domain-over-composite-type column (Dmitry Dolgov)
Fix partition pruning logic for partitioning on boolean columns (David Rowley)
Pruning with a condition like boolcol IS NOT TRUE
was done incorrectly, leading to possibly not returning rows in which boolcol
is NULL. Also, the rather unlikely case of partitioning on NOT boolcol
was handled incorrectly.
Fix race condition in per-batch cleanup during parallel hash join (Thomas Munro, Melanie Plageman)
A crash was possible given unlucky timing and parallel_leader_participation
= off
(which is not the default).
Recalculate GENERATED
columns after an EvalPlanQual check (Tom Lane)
In READ COMMITTED
isolation mode, the effects of a row update might need to get reapplied to a newer version of the row than the query found originally. If so, we need to recompute any GENERATED
columns, in case they depend on columns that were changed by the concurrent update.
Don't balance vacuum cost delay when a table has a per-relation vacuum_cost_delay
setting of zero (Masahiko Sawada)
Delay balancing is supposed to be disabled whenever autovacuum is processing a table with a per-relation vacuum_cost_delay
setting, but this was done only for positive settings, not zero.
Fix corner-case crashes when columns have been added to the end of a view (Tom Lane)
Repair rare failure of MULTIEXPR_SUBLINK subplans in partitioned updates (Andres Freund, Tom Lane)
Use of the syntax INSERT ... ON CONFLICT DO UPDATE SET (c1, ...) = (SELECT ...)
with a partitioned target table could result in failure if any child table is dissimilar from the parent (for example, different physical column order). This typically manifested as failure of consistency checks in the executor; but a crash or incorrect data updates are also possible.
Fix handling of DEFAULT
markers within a multi-row INSERT ... VALUES
query on a view that has a DO ALSO INSERT ... SELECT
rule (Dean Rasheed)
Such cases typically failed with “unrecognized node type” errors or assertion failures.
Support references to OLD
and NEW
within subqueries in rule actions (Dean Rasheed, Tom Lane)
Such references are really lateral references, but the server could crash if the subquery wasn't explicitly marked with LATERAL
. Arrange to do that implicitly when necessary.
When decompiling a rule or SQL function body containing INSERT
/UPDATE
/DELETE
within WITH
, take care to print the correct alias for the target table (Tom Lane)
Fix glitches in SERIALIZABLE READ ONLY
optimization (Thomas Munro)
Transactions already marked as “doomed” confused the safe-snapshot optimization for SERIALIZABLE READ ONLY
transactions. The optimization was unnecessarily skipped in some cases. In other cases an assertion failure occurred (but there was no problem in non-assert builds).
Avoid leaking cache callback slots in the pgoutput
logical decoding plugin (Shi Yu)
Multiple cycles of starting up and shutting down the plugin within a single session would eventually lead to an “out of relcache_callback_list slots” error.
Avoid unnecessary calls to custom validators for index operator class options (Alexander Korotkov)
This change fixes some cases where an unexpected error was thrown.
Fix dereference of dangling pointer during buffering build of a GiST index (Alexander Lakhin)
This error seems to usually be harmless in production builds, as the fetched value is noncritical; but in principle it could cause a server crash.
Ignore dropped columns and generated columns during logical replication of an update or delete action (Onder Kalaci, Shi Yu)
Replication with the REPLICA IDENTITY FULL
option failed if the table contained such columns.
Correct the name of the wait event for SLRU buffer I/O for commit timestamps (Alexander Lakhin)
This wait event is named CommitTsBuffer
according to the documentation, but the code had it as CommitTSBuffer
. Change the code to match the documentation, as that way is more consistent with the naming of related wait events.
Avoid possible underflow when calculating how many WAL segments to keep (Kyotaro Horiguchi)
This could result in not honoring wal_keep_size
accurately.
Support RSA-PSS certificates with SCRAM-SHA-256 channel binding (Jacob Champion, Heikki Linnakangas)
This feature requires building with OpenSSL 1.1.1 or newer. Both the server and libpq are affected.
Avoid race condition with process ID tracking on Windows (Thomas Munro)
The operating system could recycle a PID before the postmaster observed that that child process was gone. This could lead to tracking more than one child with the same PID, resulting in confusion.
Add missing cases to SPI_result_code_string()
(Dean Rasheed)
Fix erroneous Valgrind markings in AllocSetRealloc()
(Karina Litskevich)
In the unusual case where the size of a large (>8kB) palloc chunk is decreased, a Valgrind-aware build would mismark the defined-ness state of the memory released from the chunk, possibly causing incorrect results during Valgrind testing.
Avoid assertion failure when decoding a transactional logical replication message (Tomas Vondra)
Avoid locale sensitivity when processing regular expression escapes (Jeff Davis)
A backslash followed by a non-ASCII character could sometimes cause an assertion failure, depending on the prevailing locale.
Avoid trying to write an empty WAL record in log_newpage_range()
when the last few pages in the specified range are empty (Matthias van de Meent)
It is not entirely clear whether this case is reachable in released branches, but if it is then an assertion failure could occur.
Fix session-lifespan memory leakage in plpgsql DO
blocks that use cast expressions (Ajit Awekar, Tom Lane)
Tighten array dimensionality checks when converting Perl list structures to multi-dimensional SQL arrays (Tom Lane)
plperl could misbehave when the nesting of sub-lists is inconsistent so that the data does not represent a rectangular array of values. Such cases now produce errors, but previously they could result in a crash or garbage output.
Tighten array dimensionality checks when converting Python list structures to multi-dimensional SQL arrays (Tom Lane)
plpython could misbehave when dealing with empty sub-lists, or when the nesting of sub-lists is inconsistent so that the data does not represent a rectangular array of values. The former should result in an empty output array, and the latter in an error. But some cases resulted in a crash, and others in unexpected output.
Fix unwinding of exception stack in plpython (Xing Guo)
Some rare failure cases could return without cleaning up the PG_TRY exception stack, risking a crash if another error was raised before the next stack level was unwound.
Fix inconsistent GSS-encryption error handling in libpq's PQconnectPoll()
(Michael Paquier)
With gssencmode
set to require
, the connection was not marked dead after a GSS initialization failure. Make it fail immediately, as the equivalent case for TLS encryption has long done.
Fix possible data corruption in ecpg programs built with the -C ORACLE
option (Kyotaro Horiguchi)
When ecpg_get_data()
is called with varcharsize
set to zero, it could write a terminating zero character into the last byte of the preceding field, truncating the data in that field.
Fix pg_dump so that partitioned tables that are hash-partitioned on an enum-type column can be restored successfully (Tom Lane)
Since the hash codes for enum values depend on the OIDs assigned to the enum, they are typically different after a dump and restore, meaning that rows often need to go into a different partition than they were in originally. Users can work around that by specifying the --load-via-partition-root
option; but since there is very little chance of success without that, teach pg_dump to apply it automatically to such tables.
Also, fix pg_restore to not try to TRUNCATE
target tables before restoring into them when --load-via-partition-root
mode is used. This avoids a hazard of deadlocks and lost data.
In contrib/hstore_plpython
, avoid crashing if the Python value to be transformed isn't a mapping (Dmitry Dolgov, Tom Lane)
This should give an error, but Python 3 changed some APIs in a way that caused the check to misbehave, allowing a crash to ensue.
Require the siglen
option of a GiST index on an ltree
column, if specified, to be a multiple of 4 (Alexander Korotkov)
Other values result in misaligned accesses to index content, which is harmless on Intel-compatible hardware but can cause a crash on some other architectures.
Fix misbehavior in contrib/pg_trgm
with an unsatisfiable regular expression (Tom Lane)
A regex such as $foo
is legal but unsatisfiable; the regex compiler recognizes that and produces an empty NFA graph. Attempting to optimize such a graph into a pg_trgm GIN or GiST index qualification resulted in accessing off the end of a work array, possibly leading to crashes.
Use the --strip-unneeded
option when stripping static libraries with GNU-compatible strip (Tom Lane)
Previously, make install-strip
used the -x
option in this case. This change avoids misbehavior of llvm-strip, and gives slightly smaller output as well.
Stop recommending auto-download of DTD files for building the documentation, and indeed disable it (Aleksander Alekseev, Peter Eisentraut, Tom Lane)
It appears no longer possible to build the SGML documentation without a local installation of the DocBook DTD files. Formerly xsltproc could download those files on-the-fly from sourceforge.net; but sourceforge.net now permits only HTTPS access, and no common version of xsltproc supports that. Hence, remove the bits of our documentation suggesting that that's possible or useful, and instead add xsltproc's --nonet
option to the build recipes.
When running TAP tests in PGXS builds, use a saner location for the temporary portlock
directory (Peter Eisentraut)
Place it under tmp_check
in the build directory. With the previous coding, a PGXS build would try to place it in the installation directory, which is not necessarily writable.
Update time zone data files to tzdata release 2023c for DST law changes in Egypt, Greenland, Morocco, and Palestine.
When observing Moscow time, Europe/Kirov and Europe/Volgograd now use the abbreviations MSK/MSD instead of numeric abbreviations, for consistency with other timezones observing Moscow time. Also, America/Yellowknife is no longer distinct from America/Edmonton; this affects some pre-1948 timestamps in that area.
Release date: 2023-02-09
This release contains a variety of fixes from 13.9. For information about new features in major release 13, see Version 13.0.
A dump/restore is not required for those running 13.X.
However, if you are upgrading from a version earlier than 13.7, see Version 13.7.
libpq can leak memory contents after GSSAPI transport encryption initiation fails (Jacob Champion)
A modified server, or an unauthenticated man-in-the-middle, can send a not-zero-terminated error message during setup of GSSAPI (Kerberos) transport encryption. libpq will then copy that string, as well as following bytes in application memory up to the next zero byte, to its error report. Depending on what the calling application does with the error report, this could result in disclosure of application memory contents. There is also a small probability of a crash due to reading beyond the end of memory. Fix by properly zero-terminating the server message. (CVE-2022-41862 or CVE-2022-41862)
Fix calculation of which GENERATED
columns need to be updated in child tables during an UPDATE
on a partitioned table or inheritance tree (Amit Langote, Tom Lane)
This fixes failure to update GENERATED
columns that do not exist in the parent table, or that have different dependencies than are in the parent column's generation expression.
Allow REPLICA IDENTITY
to be set on an index that's not (yet) valid (Tom Lane)
When pg_dump dumps a partitioned index that's marked REPLICA IDENTITY
, it generates a command sequence that applies REPLICA IDENTITY
before the partitioned index has been marked valid, causing restore to fail. There seems no very good reason to prohibit doing it in that order, so allow it. The marking will have no effect anyway until the index becomes valid.
Fix handling of DEFAULT
markers in rules that perform an INSERT
from a multi-row VALUES
list (Dean Rasheed)
In some cases a DEFAULT
marker would not get replaced with the proper default-value expression, leading to an “unrecognized node type” error.
Reject uses of undefined variables in jsonpath
existence checks (Alexander Korotkov, David G. Johnston)
While jsonpath
match operators threw an error for an undefined variable in the path pattern, the existence operators silently treated it as a match.
Fix edge-case data corruption in parallel hash joins (Dmitry Astapov)
If the final chunk of a large tuple being written out to a temporary file was exactly 32760 bytes, it would be corrupted due to a fencepost bug. The query would typically fail later with corrupted-data symptoms.
Honor non-default settings of checkpoint_completion_target
(Bharath Rupireddy)
Internal state was not updated after a change in checkpoint_completion_target
, possibly resulting in performing checkpoint I/O faster or slower than desired, especially if that setting was changed on-the-fly.
Log the correct ending timestamp in recovery_target_xid
mode (Tom Lane)
When ending recovery based on the recovery_target_xid
setting with recovery_target_inclusive
= off
, we printed an incorrect timestamp (always 2000-01-01) in the “recovery stopping before ... transaction” log message.
Improve error reporting for some buffered file read failures (Peter Eisentraut)
Correctly report a short read, giving the numbers of bytes desired and actually read, instead of reporting an irrelevant error code. Most places got this right already, but some recently-written replication logic did not.
Prevent “wrong tuple length” failure at the end of VACUUM
(Ashwin Agrawal, Junfeng Yang)
This occurred if VACUUM
needed to update the current database's datfrozenxid
value and the database has so many granted privileges that its datacl
value has been pushed out-of-line.
In extended query protocol, avoid an immediate commit after ANALYZE
if we're running a pipeline (Tom Lane)
If there's not been an explicit BEGIN TRANSACTION
, ANALYZE
would take it on itself to commit, which should not happen within a pipelined series of commands.
Reject cancel request packets having the wrong length (Andrey Borodin)
The server would process a cancel request even if its length word was too small. This led to reading beyond the end of the allocated buffer. In theory that could cause a segfault, but it seems quite unlikely to happen in practice, since the buffer would have to be very close to the end of memory. The more likely outcome was a bogus log message about wrong backend PID or cancel code. Complain about the wrong length, instead.
Add recursion and looping defenses in subquery pullup (Tom Lane)
A contrived query can result in deep recursion and unreasonable amounts of time spent trying to flatten subqueries. A proper fix for that seems unduly invasive for a back-patch, but we can at least add stack depth checks and an interrupt check to allow the query to be cancelled.
Fix partitionwise-join code to tolerate failure to produce a plan for each partition (Tom Lane)
This could result in “could not devise a query plan for the given query” errors.
Limit the amount of cleanup work done by get_actual_variable_range
(Simon Riggs)
Planner runs occurring just after deletion of a large number of tuples appearing at the end of an index could expend significant amounts of work setting the “killed” bits for those index entries. Limit the amount of work done in any one query by giving up on this process after examining 100 heap pages. All the cleanup will still happen eventually, but without so large a performance hiccup.
Ensure that execution of full-text-search queries can be cancelled while they are performing phrase matches (Tom Lane)
Fix memory leak in hashing strings with nondeterministic collations (Jeff Davis)
Clean up the libpq connection object after a failed replication connection attempt (Andres Freund)
The previous coding leaked the connection object. In background code paths that's pretty harmless because the calling process will give up and exit. But in commands such as CREATE SUBSCRIPTION
, such a failure resulted in a small session-lifespan memory leak.
In hot-standby servers, reduce processing effort for tracking XIDs known to be active on the primary (Simon Riggs, Michail Nikolaev)
Insufficiently-aggressive cleanup of the KnownAssignedXids array could lead to poor performance, particularly when max_connections
is set to a large value on the standby.
Ignore invalidated logical-replication slots while determining oldest catalog xmin (Sirisha Chamarthi)
A replication slot could prevent cleanup of dead tuples in the system catalogs even after it becomes invalidated due to exceeding max_slot_wal_keep_size
. Thus, failure of a replication consumer could lead to indefinitely-large catalog bloat.
Fix uninitialized-memory usage in logical decoding (Masahiko Sawada)
In certain cases, resumption of logical decoding could try to re-use XID data that had already been freed, leading to unpredictable behavior.
Avoid rare “failed to acquire cleanup lock” panic during WAL replay of hash-index page split operations (Robert Haas)
Advance a heap page's LSN when setting its all-visible bit during WAL replay (Jeff Davis)
Failure to do this left the page possibly different on standby servers than the primary, and violated some other expectations about when the LSN changes. This seems only a theoretical hazard so far as PostgreSQL itself is concerned, but it could upset third-party tools.
Prevent unsafe usage of a relation cache entry's rd_smgr
pointer (Amul Sul)
Remove various assumptions that rd_smgr
would stay valid over a series of operations, by wrapping all uses of it in a function that will recompute it if needed. This prevents bugs occurring when an unexpected cache flush occurs partway through such a series.
Fix latent buffer-overrun problem in WaitEventSet
logic (Thomas Munro)
The epoll
-based and kqueue
-based implementations could ask the kernel for too many events if the size of their internal buffer was different from the size of the caller's output buffer. That case is not known to occur in released PostgreSQL versions, but this error is a hazard for external modules and future bug fixes.
Avoid nominally-undefined behavior when accessing shared memory in 32-bit builds (Andres Freund)
clang's undefined-behavior sanitizer complained about use of a pointer that was less aligned than it should be. It's very unlikely that this would cause a problem in non-debug builds, but it's worth fixing for testing purposes.
Remove faulty assertion in useless-RESULT-RTE optimization logic (Tom Lane)
Fix copy-and-paste errors in cache-lookup-failure messages for ACL checks (Justin Pryzby)
In principle these errors should never be reached. But if they are, some of them reported the wrong type of object.
In pg_dump, avoid calling unsafe server functions before we have locks on the tables to be examined (Tom Lane, Gilles Darold)
pg_dump uses certain server functions that can fail if examining a table that gets dropped concurrently. Avoid this type of failure by ensuring that we obtain access share lock before inquiring too deeply into a table's properties, and that we don't apply such functions to tables we don't intend to dump at all.
Fix tab completion of ALTER FUNCTION/PROCEDURE/ROUTINE
... SET SCHEMA
(Dean Rasheed)
Fix contrib/seg
to not crash or print garbage if an input number has more than 127 digits (Tom Lane)
In contrib/sepgsql
, avoid deprecation warnings with recent libselinux (Michael Paquier)
Fix build on Microsoft Visual Studio 2013 (Tom Lane)
A previous patch supposed that all platforms of interest have snprintf()
, but MSVC 2013 isn't quite there yet. Revert to using sprintf()
on that platform.
Fix compile failure in building PL/Perl with MSVC when using Strawberry Perl (Andrew Dunstan)
Fix mismatch of PL/Perl built with MSVC versus a Perl library built with gcc (Andrew Dunstan)
Such combinations could previously fail with “loadable library and perl binaries are mismatched” errors.
Suppress compiler warnings from Perl's header files (Andres Freund)
Our preferred compiler options provoke warnings about constructs appearing in recent versions of Perl's header files. When using gcc, we can suppress these warnings with a pragma.
Fix pg_waldump to build on compilers that don't discard unused static-inline functions (Tom Lane)
Update time zone data files to tzdata release 2022g for DST law changes in Greenland and Mexico, plus historical corrections for northern Canada, Colombia, and Singapore.
Notably, a new timezone America/Ciudad_Juarez has been split off from America/Ojinaga.
Release date: 2022-11-10
This release contains a variety of fixes from 13.8. For information about new features in major release 13, see Version 13.0.
A dump/restore is not required for those running 13.X.
However, if you are upgrading from a version earlier than 13.7, see Version 13.7.
Avoid rare PANIC during updates occurring concurrently with VACUUM
(Tom Lane, Jeff Davis)
If a concurrent VACUUM
sets the all-visible flag bit in a page that UPDATE
or DELETE
is in process of modifying, the updating command needs to clear that bit again; but some code paths failed to do so, ending in a PANIC exit and database restart.
This is known to be possible in versions 14 and 15. It may be only latent in previous branches.
Fix VACUUM
to press on if an attempted page deletion in a btree index fails to find the page's parent downlink (Peter Geoghegan)
Rather than throwing an error, just log the issue and continue without deleting the empty page. Previously, a buggy operator class or corrupted index could indefinitely prevent completion of vacuuming of the index, eventually leading to transaction wraparound problems.
Fix handling of DEFAULT
tokens that appear in a multi-row VALUES
clause of an INSERT
on an updatable view (Tom Lane)
This oversight could lead to “cache lookup failed for type” errors, or in older branches even to crashes.
Disallow rules named _RETURN
that are not ON SELECT
(Tom Lane)
This avoids confusion between a view's ON SELECT
rule and any other rules it may have.
Fix resource management bug in saving tuples for AFTER
triggers (Tom Lane)
Given the right circumstances, this manifested as a “tupdesc reference NNNN
is not owned by resource owner” error followed by a PANIC exit.
Repair rare failure of MULTIEXPR_SUBLINK subplans in inherited updates (Tom Lane)
Use of the syntax UPDATE tab SET (c1, ...) = (SELECT ...)
with an inherited or partitioned target table could result in failure if the child tables are sufficiently dissimilar. This typically manifested as failure of consistency checks in the executor; but a crash or incorrect data updates are also possible.
Fix construction of per-partition foreign key constraints while doing ALTER TABLE ATTACH PARTITION
(Jehan-Guillaume de Rorthais, Álvaro Herrera)
Previously, incorrect or duplicate constraints could be constructed for the newly-added partition.
Fix generation of constraint names for per-partition foreign key constraints (Jehan-Guillaume de Rorthais)
If the initially-given name is already in use for some constraint of the partition, a new one is selected; but it wasn't being spelled as intended.
Fix incorrect matching of index expressions and predicates when creating a partitioned index (Richard Guo, Tom Lane)
While creating a partitioned index, we try to identify any existing indexes on the partitions that match the partitioned index, so that we can absorb those as child indexes instead of building new ones. Matching of expressions was not done right, so that a usable child index might be ignored, leading to creation of a duplicative index.
Prevent WAL corruption after a standby promotion (Dilip Kumar, Robert Haas)
When a PostgreSQL instance performing archive recovery (but not using standby mode) is promoted, and the last WAL segment that it attempted to read ended in a partial record, the instance would write an invalid WAL segment on the new timeline.
Fix mis-ordering of WAL operations in fast insert path for GIN indexes (Matthias van de Meent, Zhang Mingli)
This mistake is not known to have any negative consequences within core PostgreSQL, but it did cause issues for some extensions.
Fix bugs in logical decoding when replay starts from a point between the beginning of a transaction and the beginning of its subtransaction (Masahiko Sawada, Kuroda Hayato)
These errors could lead to assertion failures in debug builds, and otherwise to memory leaks.
Prevent examining system catalogs with the wrong snapshot during logical decoding (Masahiko Sawada)
If decoding begins partway through a transaction that modifies system catalogs, the decoder may not recognize that, causing it to fail to treat that transaction as in-progress for catalog lookups.
Accept interrupts in more places during logical decoding (Amit Kapila, Masahiko Sawada)
This ameliorates problems with slow shutdown of replication workers.
Prevent attempts to replicate into a foreign-table partition in replication workers (Shi Yu, Tom Lane)
Although partitioned tables can have foreign tables as partitions, replicating into such a partition isn't currently supported. The logical replication worker process would crash if it was attempted. Now, an error is thrown.
Remove pointless check on replica identity setting of partitioned tables (Hou Zhijie)
What matters is the replica identity setting of the leaf partitions, so there's no need to throw error if it's not set on the parent.
Avoid crash after function syntax error in replication workers (Maxim Orlov, Anton Melnikov, Masahiko Sawada, Tom Lane)
If a syntax error occurred in a SQL-language or PL/pgSQL-language CREATE FUNCTION
or DO
command executed in a logical replication worker, the worker process would crash with a null pointer dereference or assertion failure.
Fix handling of read-write expanded datums that are passed to SQL functions (Tom Lane)
If a non-inlined SQL function uses a parameter in more than one place, and one of those functions expects to be able to modify read-write datums in place, then later uses of the parameter would observe the wrong value. (Within core PostgreSQL, the expanded-datum mechanism is only used for array and composite-type values; but extensions might use it for other structured types.)
Fix type circle
's equality comparator to handle NaNs properly (Ranier Vilela)
If the left-hand circle had a floating-point NaN for its radius, it would be considered equal to a circle with the same center and any radius.
In Snowball dictionaries, don't try to stem excessively-long words (Olly Betts, Tom Lane)
If the input word exceeds 1000 bytes, return it as-is after case folding, rather than trying to run it through the Snowball code. This restriction protects against a known recursion-to-stack-overflow problem in the Turkish stemmer, and it seems like good insurance against any other safety or performance issues that may exist in the Snowball stemmers. Such a long string is surely not a word in any human language, so it's doubtful that the stemmer would have done anything desirable with it anyway.
Fix use-after-free hazard in string comparisons (Tom Lane)
Improper memory management in the string comparison functions could result in scribbling on no-longer-allocated buffers, potentially breaking things for whatever is using that memory now. This would only happen with fairly long strings (more than 1kB), and only if an ICU collation is in use.
Add plan-time check for attempted access to a table that has no table access method (Tom Lane)
This prevents a crash in some catalog-corruption scenarios, for example use of a view whose ON SELECT
rule is missing.
Prevent postmaster crash when shared-memory state is corrupted (Tom Lane)
The postmaster process is supposed to survive and initiate a database restart if shared memory becomes corrupted, but one bit of code was being insufficiently cautious about that.
Add some more defenses against recursion till stack overrun (Richard Guo, Tom Lane)
Avoid misbehavior when choosing hash table size with very small work_mem
and large tuples (Zhang Mingli)
Avoid long-term memory leakage in the autovacuum launcher process (Reid Thompson)
The lack of field reports suggests that this problem is only latent in pre-v15 branches; but it's not very clear why, so back-patch the fix anyway.
Improve PL/pgSQL's ability to handle parameters declared as RECORD
(Tom Lane)
Build a separate function cache entry for each concrete type passed to the RECORD
parameter during a session, much as we do for polymorphic parameters. This allows some usages to work that previously failed with errors such as “type of parameter does not match that when preparing the plan”.
Add missing guards for NULL
connection pointer in libpq (Daniele Varrazzo, Tom Lane)
There's a convention that libpq functions should check for a NULL PGconn argument, and fail gracefully instead of crashing. PQflush()
and PQisnonblocking()
didn't get that memo, so fix them.
In ecpg, fix omission of variable storage classes when multiple varchar
or bytea
variables are declared in the same declaration (Andrey Sokolov)
For example, ecpg translated static varchar str1[10], str2[20], str3[30];
in such a way that only str1
was marked static
.
Allow cross-platform tablespace relocation in pg_basebackup (Robert Haas)
Allow the remote path in --tablespace-mapping
to be either a Unix-style or Windows-style absolute path, since the source server could be on a different OS than the local system.
In pg_stat_statements, fix access to already-freed memory (zhaoqigui)
This occurred if pg_stat_statements tracked a ROLLBACK
command issued via extended query protocol. In debug builds it consistently led to an assertion failure. In production builds there would often be no visible ill effect; but if the freed memory had already been reused, the likely result would be to store garbage for the query string.
In postgres_fdw, ensure that target lists constructed for EvalPlanQual plans will have all required columns (Richard Guo, Etsuro Fujita)
This avoids “variable not found in subplan target list” errors in rare cases.
Reject unwanted output from the platform's uuid_create()
function (Nazir Bilal Yavuz)
The uuid-ossp module expects libc's uuid_create()
to produce a version-1 UUID, but recent NetBSD releases produce a version-4 (random) UUID instead. Check for that, and complain if so. Drop the documentation's claim that the NetBSD implementation is usable for uuid-ossp. (If a version-4 UUID is okay for your purposes, you don't need uuid-ossp at all; just use gen_random_uuid()
.)
Include new Perl test modules in standard installations (Álvaro Herrera)
Add PostgreSQL/Test/Cluster.pm
and PostgreSQL/Test/Utils.pm
to the standard installation file set in pre-version-15 branches. This is for the benefit of extensions that want to use newly-written test code in older branches.
On NetBSD, force dynamic symbol resolution at postmaster start (Andres Freund, Tom Lane)
This avoids a risk of deadlock in the dynamic linker on NetBSD 10.
Fix incompatibilities with LLVM 15 (Thomas Munro, Andres Freund)
Allow use of __sync_lock_test_and_set()
for spinlocks on any machine (Tom Lane)
This eases porting to new machine architectures, at least if you're using a compiler that supports this GCC builtin function.
Rename symbol REF
to REF_P
to avoid compile failure on recent macOS (Tom Lane)
Avoid using sprintf
, to avoid compile-time deprecation warnings (Tom Lane)
Silence assorted compiler warnings from clang 15 and later (Tom Lane)
Update time zone data files to tzdata release 2022f for DST law changes in Chile, Fiji, Iran, Jordan, Mexico, Palestine, and Syria, plus historical corrections for Chile, Crimea, Iran, and Mexico.
Also, the Europe/Kiev zone has been renamed to Europe/Kyiv. Also, the following zones have been merged into nearby, more-populous zones whose clocks have agreed with them since 1970: Antarctica/Vostok, Asia/Brunei, Asia/Kuala_Lumpur, Atlantic/Reykjavik, Europe/Amsterdam, Europe/Copenhagen, Europe/Luxembourg, Europe/Monaco, Europe/Oslo, Europe/Stockholm, Indian/Christmas, Indian/Cocos, Indian/Kerguelen, Indian/Mahe, Indian/Reunion, Pacific/Chuuk, Pacific/Funafuti, Pacific/Majuro, Pacific/Pohnpei, Pacific/Wake and Pacific/Wallis. (This indirectly affects zones that were already links to one of these: Arctic/Longyearbyen, Atlantic/Jan_Mayen, Iceland, Pacific/Ponape, Pacific/Truk, and Pacific/Yap.) America/Nipigon, America/Rainy_River, America/Thunder_Bay, Europe/Uzhgorod, and Europe/Zaporozhye were also merged into nearby zones after discovering that their claimed post-1970 differences from those zones seem to have been errors. In all these cases, the previous zone name remains as an alias; but the actual data is that of the zone that was merged into.
These zone mergers result in loss of pre-1970 timezone history for the merged zones, which may be troublesome for applications expecting consistency of timestamptz
display. As an example, the stored value 1944-06-01 12:00 UTC
would previously display as 1944-06-01 13:00:00+01
if the Europe/Stockholm zone is selected, but now it will read out as 1944-06-01 14:00:00+02
.
It is possible to build the time zone data files with options that will restore the older zone data, but that choice also inserts a lot of other old (and typically poorly-attested) zone data, resulting in more total changes from the previous release than accepting these upstream changes does. PostgreSQL has chosen to ship the tzdb data as-recommended, and so far as we are aware most major operating system distributions are doing likewise. However, if these changes cause significant problems for your application, a possible solution is to install a local build of the time zone data files using tzdb's backwards-compatibility options (see their PACKRATDATA
and PACKRATLIST
options).
Release date: 2022-08-11
This release contains a variety of fixes from 13.7. For information about new features in major release 13, see Version 13.0.
A dump/restore is not required for those running 13.X.
However, if you are upgrading from a version earlier than 13.7, see Version 13.7.
Do not let extension scripts replace objects not already belonging to the extension (Tom Lane)
This change prevents extension scripts from doing CREATE OR REPLACE
if there is an existing object that does not belong to the extension. It also prevents CREATE IF NOT EXISTS
in the same situation. This prevents a form of trojan-horse attack in which a hostile database user could become the owner of an extension object and then modify it to compromise future uses of the object by other users. As a side benefit, it also reduces the risk of accidentally replacing objects one did not mean to.
The PostgreSQL Project thanks Sven Klemm for reporting this problem. (CVE-2022-2625 or CVE-2022-2625)
Fix replay of CREATE DATABASE
WAL records on standby servers (Kyotaro Horiguchi, Asim R Praveen, Paul Guo)
Standby servers may encounter missing tablespace directories when replaying database-creation WAL records. Prior to this patch, a standby would fail to recover in such a case; however, such directories could be legitimately missing. Create the tablespace (as a plain directory), then check that it has been dropped again once replay reaches a consistent state.
Support “in place” tablespaces (Thomas Munro, Michael Paquier, Álvaro Herrera)
Normally a Postgres tablespace is a symbolic link to a directory on some other filesystem. This change allows it to just be a plain directory. While this has no use for separating tables onto different filesystems, it is a convenient setup for testing. Moreover, it is necessary to support the CREATE DATABASE
replay fix, which transiently creates a missing tablespace as an “in place” tablespace.
Fix permissions checks in CREATE INDEX
(Nathan Bossart, Noah Misch)
The fix for CVE-2022-1552 or CVE-2022-1552 caused CREATE INDEX
to apply the table owner's permissions while performing lookups of operator classes and other objects, where formerly the calling user's permissions were used. This broke dump/restore scenarios, because pg_dump issues CREATE INDEX
before re-granting permissions.
In extended query protocol, force an immediate commit after CREATE DATABASE
and other commands that can't run in a transaction block (Tom Lane)
If the client does not send a Sync message immediately after such a command, but instead sends another command, any failure in that command would lead to rolling back the preceding command, typically leaving inconsistent state on-disk (such as a missing or extra database directory). The mechanisms intended to prevent that situation turn out to work for multiple commands in a simple-Query message, but not for a series of extended-protocol messages. To prevent inconsistency without breaking use-cases that work today, force an implicit commit after such commands.
Fix race condition when checking transaction visibility (Simon Riggs)
TransactionIdIsInProgress
could report false
before the subject transaction is considered visible, leading to various misbehaviors. The race condition window is normally very narrow, but use of synchronous replication makes it much wider, because the wait for a synchronous replica happens in that window.
Fix queries in which a “whole-row variable” references the result of a function that returns a domain over composite type (Tom Lane)
Fix “variable not found in subplan target list” planner error when pulling up a sub-SELECT
that's referenced in a GROUPING
function (Richard Guo)
Fix incorrect plans when sorting by an expression that contains a non-top-level set-returning function (Richard Guo, Tom Lane)
Avoid planner core dump with
clauses when there are MCV-type extended statistics on the constant
= ANY(array
)array
variable (Tom Lane)
Fix ALTER TABLE ... ENABLE/DISABLE TRIGGER
to handle recursion correctly for triggers on partitioned tables (Álvaro Herrera, Amit Langote)
In certain cases, a “trigger does not exist” failure would occur because the command would try to adjust the trigger on a child partition that doesn't have it.
Improve syntax error messages for type jsonpath
(Andrew Dunstan)
Prevent pg_stat_get_subscription()
from possibly returning an extra row containing garbage values (Kuntal Ghosh)
Ensure that pg_stop_backup()
cleans up session state properly (Fujii Masao)
This omission could lead to assertion failures or crashes later in the session.
Fix join alias matching in FOR [KEY] UPDATE/SHARE
clauses (Dean Rasheed)
In corner cases, a misleading error could be reported.
Avoid crashing if too many column aliases are attached to an XMLTABLE
or JSON_TABLE
construct (Álvaro Herrera)
Reject ROW()
expressions and functions in FROM
that have too many columns (Tom Lane)
Cases with more than about 1600 columns are unsupported, and have always failed at execution. However, it emerges that some earlier code could be driven to assertion failures or crashes by queries with more than 32K columns. Add a parse-time check to prevent that.
When decompiling a view or rule, show a SELECT
output column's AS "?column?"
alias clause if it could be referenced elsewhere (Tom Lane)
Previously, this auto-generated alias was always hidden; but there are corner cases where doing so results in a non-restorable view or rule definition.
Fix dumping of a view using a function in FROM
that returns a composite type, when column(s) of the composite type have been dropped since the view was made (Tom Lane)
This oversight could lead to dump/reload or pg_upgrade failures, as the dumped view would have too many column aliases for the function.
Report implicitly-created operator families to event triggers (Masahiko Sawada)
If CREATE OPERATOR CLASS
results in the implicit creation of an operator family, that object was not reported to event triggers that should capture such events.
Fix control file updates made when a restartpoint is running during promotion of a standby server (Kyotaro Horiguchi)
Previously, when the restartpoint completed it could incorrectly update the last-checkpoint fields of the control file, potentially leading to PANIC and failure to restart if the server crashes before the next normal checkpoint completes.
Prevent triggering of standby's wal_receiver_timeout
during logical replication of large transactions (Wang Wei, Amit Kapila)
If a large transaction on the primary server sends no data to the standby (perhaps because no table it changes is published), it was possible for the standby to timeout. Fix that by ensuring we send keepalive messages periodically in such situations.
Disallow nested backup operations in logical replication walsenders (Fujii Masao)
Fix memory leak in logical replication subscribers (Hou Zhijie)
Fix logical replication's checking of replica identity when the target table is partitioned (Shi Yu, Hou Zhijie)
The replica identity columns have to be re-identified for the child partition.
Fix failures to update cached schema data in a logical replication subscriber after a schema change on the publisher (Shi Yu, Hou Zhijie)
Prevent open-file leak when reading an invalid timezone abbreviation file (Kyotaro Horiguchi)
Such cases could result in harmless warning messages.
Allow custom server parameters to have short descriptions that are NULL (Steve Chavez)
Previously, although extensions could choose to create such settings, some code paths would crash while processing them.
Fix WAL consistency checking logic to correctly handle BRIN_EVACUATE_PAGE
flags (Haiyang Wang)
Fix erroneous assertion checks in shared hashtable management (Thomas Munro)
Arrange to clean up after commit-time errors within SPI_commit()
, rather than expecting callers to do that (Peter Eisentraut, Tom Lane)
Proper cleanup is complicated and requires use of low-level facilities, so it's not surprising that no known caller got it right. This led to misbehaviors when a PL procedure issued COMMIT
but a failure occurred (such as a deferred constraint check). To improve matters, redefine SPI_commit()
as starting a new transaction, so that it becomes equivalent to SPI_commit_and_chain()
except that you get default transaction characteristics instead of preserving the prior transaction's characteristics. To make this somewhat transparent API-wise, redefine SPI_start_transaction()
as a no-op. All known callers of SPI_commit()
immediately call SPI_start_transaction()
, so they will not notice any change. Similar remarks apply to SPI_rollback()
.
Also fix PL/Python, which omitted any handling of such errors at all, resulting in jumping out of the Python interpreter. This is reported to crash Python 3.11. Older Python releases leak some memory but seem okay with it otherwise.
Remove misguided SSL key file ownership check in libpq (Tom Lane)
In the previous minor releases, we copied the server's permission checking rules for SSL private key files into libpq. But we should not have also copied the server's file-ownership check. While that works in normal use-cases, it can result in an unexpected failure for clients running as root, and perhaps in other cases.
Ensure ecpg reports server connection loss sanely (Tom Lane)
Misprocessing of a libpq-generated error result, such as a report of lost connection, would lead to printing “(null)” instead of a useful error message; or in older releases it would lead to a crash.
Avoid core dump in ecpglib with unexpected orders of operations (Tom Lane)
Certain operations such as EXEC SQL PREPARE
would crash (rather than reporting an error as expected) if called before establishing any database connection.
In ecpglib, avoid redundant newlocale()
calls (Noah Misch)
Allocate a C locale object once per process when first connecting, rather than creating and freeing locale objects once per query. This mitigates a libc memory leak on AIX, and may offer some performance benefit everywhere.
In psql's \watch
command, echo a newline after cancellation with control-C (Pavel Stehule)
This prevents libedit (and possibly also libreadline) from becoming confused about which column the cursor is in.
Fix possible report of wrong error condition after clone()
failure in pg_upgrade with --clone
option (Justin Pryzby)
Fix contrib/pg_stat_statements
to avoid problems with very large query-text files on 32-bit platforms (Tom Lane)
Ensure that contrib/postgres_fdw
sends constants of regconfig
and other reg*
types with proper schema qualification (Tom Lane)
Block signals while allocating dynamic shared memory on Linux (Thomas Munro)
This avoids problems when a signal interrupts posix_fallocate()
.
Detect unexpected EEXIST
error from shm_open()
(Thomas Munro)
This avoids a possible crash on Solaris.
Adjust PL/Perl test case so it will work under Perl 5.36 (Dagfinn Ilmari Mannsåker)
Avoid incorrectly using an out-of-date libldap_r library when multiple OpenLDAP installations are present while building PostgreSQL (Tom Lane)
Release date: 2022-05-12
This release contains a variety of fixes from 13.6. For information about new features in major release 13, see Version 13.0.
A dump/restore is not required for those running 13.X.
However, if you have any GiST indexes on columns of type ltree
(supplied by the contrib/ltree
extension), you should re-index them after updating. See the second changelog entry below.
Also, if you are upgrading from a version earlier than 13.6, see Version 13.6.
Confine additional operations within “security restricted operation” sandboxes (Sergey Shinderuk, Noah Misch)
Autovacuum, CLUSTER
, CREATE INDEX
, REINDEX
, REFRESH MATERIALIZED VIEW
, and pg_amcheck activated the “security restricted operation” protection mechanism too late, or even not at all in some code paths. A user having permission to create non-temporary objects within a database could define an object that would execute arbitrary SQL code with superuser permissions the next time that autovacuum processed the object, or that some superuser ran one of the affected commands against it.
The PostgreSQL Project thanks Alexander Lakhin for reporting this problem. (CVE-2022-1552 or CVE-2022-1552)
Fix default signature length for gist_ltree_ops
indexes (Tomas Vondra, Alexander Korotkov)
The default signature length (hash size) for GiST indexes on ltree
columns was accidentally changed while upgrading that operator class to support operator class parameters. If any operations had been done on such an index without first upgrading the ltree
extension to version 1.2, they were done assuming that the signature length was 28 bytes rather than the intended 8. This means it is very likely that such indexes are now corrupt. For safety we recommend re-indexing all GiST indexes on ltree
columns after installing this update. (Note that GiST indexes on ltree[]
columns, that is arrays of ltree
, are not affected.)
Stop using query-provided column aliases for the columns of whole-row variables that refer to plain tables (Tom Lane)
The column names in tuples produced by a whole-row variable (such as tbl.*
in contexts other than the top level of a SELECT
list) are now always those of the associated named composite type, if there is one. We'd previously attempted to make them track any column aliases that had been applied to the FROM
entry the variable refers to. But that's semantically dubious, because really then the output of the variable is not at all of the composite type it claims to be. Previous attempts to deal with that inconsistency had bad results up to and including storing unreadable data on disk, so just give up on the whole idea.
In cases where it's important to be able to relabel such columns, a workaround is to introduce an extra level of sub-SELECT
, so that the whole-row variable is referring to the sub-SELECT
's output and not to a plain table. Then the variable is of type record
to begin with and there's no issue.
Fix incorrect output for types timestamptz
and timetz
in table_to_xmlschema()
and allied functions (Renan Soares Lopes)
The xmlschema output for these types included a malformed regular expression.
Avoid core dump in parser for a VALUES
clause with zero columns (Tom Lane)
Fix planner errors for GROUPING()
constructs that reference outer query levels (Richard Guo, Tom Lane)
Fix plan generation for index-only scans on indexes with both returnable and non-returnable columns (Tom Lane)
The previous coding could try to read non-returnable columns in addition to the returnable ones. This was fairly harmless because it didn't actually do anything with the bogus values, but it fell foul of a recently-added error check that rejected such a plan.
Avoid accessing a no-longer-pinned shared buffer while attempting to lock an outdated tuple during EvalPlanQual (Tom Lane)
The code would touch the buffer a couple more times after releasing its pin. In theory another process could recycle the buffer (or more likely, try to defragment its free space) as soon as the pin is gone, probably leading to failure to find the newer version of the tuple.
Fix query-lifespan memory leak in an IndexScan node that is performing reordering (Aliaksandr Kalenik)
Fix ALTER FUNCTION
to support changing a function's parallelism property and its SET
-variable list in the same command (Tom Lane)
The parallelism property change was lost if the same command also updated the function's SET
clause.
Fix bogus errors from attempts to alter system columns of tables (Tom Lane)
The system should just tell you that you can't do it, but sometimes it would report “no owned sequence found” instead.
Fix mis-sorting of table rows when CLUSTER
ing using an index whose leading key is an expression (Peter Geoghegan, Thomas Munro)
The table would be rebuilt with the correct data, but in an order having little to do with the index order.
Fix risk of deadlock failures while dropping a partitioned index (Jimmy Yih, Gaurab Dey, Tom Lane)
Ensure that the required table and index locks are taken in the standard order (parents before children, tables before indexes). The previous coding for DROP INDEX
did it differently, and so could deadlock against concurrent queries taking these locks in the standard order.
Fix race condition between DROP TABLESPACE
and checkpointing (Nathan Bossart)
The checkpoint forced by DROP TABLESPACE
could sometimes fail to remove all dead files from the tablespace's directory, leading to a bogus “tablespace is not empty” error.
Fix possible trouble in crash recovery after a TRUNCATE
command that overlaps a checkpoint (Kyotaro Horiguchi, Heikki Linnakangas, Robert Haas)
TRUNCATE
must ensure that the table's disk file is truncated before the checkpoint is allowed to complete. Otherwise, replay starting from that checkpoint might find unexpected data in the supposedly-removed pages, possibly causing replay failure.
Fix unsafe toast-data accesses during temporary object cleanup (Andres Freund)
Temporary-object deletion during server process exit could fail with “FATAL: cannot fetch toast data without an active snapshot”. This was usually harmless since the next use of that temporary schema would clean up successfully.
Improve wait logic in RegisterSyncRequest (Thomas Munro)
If we run out of space in the checkpointer sync request queue (which is hopefully rare on real systems, but is common when testing with a very small buffer pool), we wait for it to drain. While waiting, we should report that as a wait event so that users know what is going on, and also watch for postmaster death, since otherwise the loop might never terminate if the checkpointer has already exited.
Fix “PANIC: xlog flush request is not satisfied” failure during standby promotion when there is a missing WAL continuation record (Sami Imseih)
Fix possibility of self-deadlock in hot standby conflict handling (Andres Freund)
With unlucky timing, the WAL-applying process could get stuck while waiting for some other process to release a buffer lock.
Fix possible mis-identification of the correct ancestor relation to publish logical replication changes through (Tomas Vondra, Hou zj, Amit Kapila)
If publish_via_partition_root
is enabled, and there are multiple publications naming different ancestors of the currently-modified relation, the wrong ancestor might be chosen for reporting the change.
Ensure that logical replication apply workers can be restarted even when we're up against the max_sync_workers_per_subscription
limit (Amit Kapila)
Faulty coding of the limit check caused a restarted worker to exit immediately, leaving fewer workers than there should be.
Include unchanged replica identity key columns in the WAL log for an update, if they are stored out-of-line (Dilip Kumar, Amit Kapila)
Otherwise subscribers cannot see the values and will fail to replicate the update.
Cope correctly with platforms that have no support for altering the server process's display in ps(1) (Andrew Dunstan)
Few platforms are like this (the only supported one is Cygwin), so we'd managed not to notice that refactoring introduced a potential memory clobber.
Disallow execution of SPI functions during PL/Perl function compilation (Tom Lane)
Perl can be convinced to execute user-defined code during compilation of a PL/Perl function. However, it's not okay for such code to try to invoke SQL operations via SPI. That results in a crash, and if it didn't crash it would be a security hazard, because we really don't want code execution during function validation. Put in a check to give a friendlier error message instead.
Make libpq accept root-owned SSL private key files (David Steele)
This change synchronizes libpq's rules for safe ownership and permissions of SSL key files with the rules the server has used since release 9.6. Namely, in addition to the current rules, allow the case where the key file is owned by root and has permissions rw-r-----
or less. This is helpful for system-wide management of key files.
Fix behavior of libpq's PQisBusy()
function after a connection failure (Tom Lane)
If we'd detected a write failure, PQisBusy()
would always return true, which is the wrong thing: we want input processing to carry on normally until we've read whatever is available from the server. The practical effect of this error is that applications using libpq's async-query API would typically detect connection loss only when PQconsumeInput()
returns a hard failure. With this fix, a connection loss will normally be reported via an error PGresult
object, which is a much cleaner behavior for most applications.
Make pg_ctl recheck postmaster aliveness while waiting for stop/restart/promote actions (Tom Lane)
pg_ctl would verify that the postmaster is alive as a side-effect of sending the stop or promote signal, but then it just naively waited to see the on-disk state change. If the postmaster died uncleanly without having removed its PID file or updated the control file, pg_ctl would wait until timeout. Instead make it recheck every so often that the postmaster process is still there.
Fix error handling in pg_waldump (Kyotaro Horiguchi, Andres Freund)
While trying to read a WAL file to determine the WAL segment size, pg_waldump would report an incorrect error for the case of a too-short file. In addition, the file name reported in this and related error messages could be garbage.
Ensure that contrib/pageinspect
functions cope with all-zero pages (Michael Paquier)
This is a legitimate edge case, but the module was mostly unprepared for it. Arrange to return nulls, or no rows, as appropriate; that seems more useful than raising an error.
In contrib/pageinspect
, add defenses against incorrect page “special space” contents, tighten checks for correct page size, and add some missing checks that an index is of the expected type (Michael Paquier, Justin Pryzby, Julien Rouhaud)
These changes make it less likely that the module will crash on bad data.
In contrib/postgres_fdw
, verify that ORDER BY
clauses are safe to ship before requesting a remotely-ordered query, and include a USING
clause if necessary (Ronan Dunklau)
This fix prevents situations where the remote server might sort in a different order than we intend. While sometimes that would be only cosmetic, it could produce thoroughly wrong results if the remote data is used as input for a locally-performed merge join.
Update JIT code to work with LLVM 14 (Thomas Munro)
Clean up assorted failures under clang's -fsanitize=undefined
checks (Tom Lane, Andres Freund, Zhihong Yu)
Most of these changes are just for pro-forma compliance with the letter of the C and POSIX standards, and are unlikely to have any effect on production builds.
Fix PL/Perl so it builds on C compilers that don't support statements nested within expressions (Tom Lane)
Fix possible build failure of pg_dumpall on Windows, when not using MSVC to build (Andres Freund)
In Windows builds, use gendef instead of pexports to build DEF files (Andrew Dunstan)
This adapts the build process to work on recent MSys tool chains.
Prevent extra expansion of shell wildcard patterns in programs built under MinGW (Andrew Dunstan)
For some reason the C library provided by MinGW will expand shell wildcard characters in a program's command-line arguments by default. This is confusing, not least because it doesn't happen under MSVC, so turn it off.
Update time zone data files to tzdata release 2022a for DST law changes in Palestine, plus historical corrections for Chile and Ukraine.
Release date: 2022-02-10
This release contains a variety of fixes from 13.5. For information about new features in major release 13, see Version 13.0.
A dump/restore is not required for those running 13.X.
However, if you have applied REINDEX CONCURRENTLY
to a TOAST table's index, or observe failures to access TOAST datums, see the first changelog entry below.
Also, if you are upgrading from a version earlier than 13.5, see Version 13.5.
Enforce standard locking protocol for TOAST table updates, to prevent problems with REINDEX CONCURRENTLY
(Michael Paquier)
If applied to a TOAST table or TOAST table's index, REINDEX CONCURRENTLY
tended to produce a corrupted index. This happened because sessions updating TOAST entries released their ROW EXCLUSIVE
locks immediately, rather than holding them until transaction commit as all other updates do. The fix is to make TOAST updates hold the table lock according to the normal rule. Any existing corrupted indexes can be repaired by reindexing again.
Avoid null-pointer crash in ALTER STATISTICS
when the statistics object is dropped concurrently (Tomas Vondra)
Fix incorrect plan creation for parallel single-child Append nodes (David Rowley)
In some cases the Append would be simplified away when it should not be, leading to wrong query results (duplicated rows).
Fix index-only scan plans for cases where not all index columns can be returned (Tom Lane)
If an index has both returnable and non-returnable columns, and one of the non-returnable columns is an expression using a table column that appears in a returnable index column, then a query using that expression could result in an index-only scan plan that attempts to read the non-returnable column, instead of recomputing the expression from the returnable column as intended. The non-returnable column would read as NULL, resulting in wrong query results.
Ensure that casting to an unspecified typmod generates a RelabelType node rather than a length-coercion function call (Tom Lane)
While the coercion function should do the right thing (nothing), this translation is undesirably inefficient.
Fix checking of anycompatible
-family data type matches (Tom Lane)
In some cases the parser would think that a function or operator with anycompatible
-family polymorphic parameters matches a set of arguments that it really shouldn't match. In reported cases, that led to matching more than one operator to a call, leading to ambiguous-operator errors; but a failure later on is also possible.
Fix WAL replay failure when database consistency is reached exactly at a WAL page boundary (Álvaro Herrera)
Fix startup of a physical replica to tolerate transaction ID wraparound (Abhijit Menon-Sen, Tomas Vondra)
If a replica server is started while the set of active transactions on the primary crosses a wraparound boundary (so that there are some newer transactions with smaller XIDs than older ones), the replica would fail with “out-of-order XID insertion in KnownAssignedXids”. The replica would retry, but could never get past that error.
In logical replication, avoid double transmission of a child table's data (Hou Zhijie)
If a publication includes both child and parent tables, and has the publish_via_partition_root
option set, subscribers uselessly initiated synchronization on both child and parent tables. Ensure that only the parent table is synchronized in such cases.
Remove lexical limitations for SQL commands issued on a logical replication connection (Tom Lane)
The walsender process would fail for a SQL command containing an unquoted semicolon, or with dollar-quoted literals containing odd numbers of single or double quote marks, or when the SQL command starts with a comment. Moreover, faulty error recovery could lead to unexpected errors in later commands too.
Fix possible loss of the commit timestamp for the last subtransaction of a transaction (Alex Kingsborough, Kyotaro Horiguchi)
Be sure to fsync
the pg_logical/mappings
subdirectory during checkpoints (Nathan Bossart)
On some filesystems this oversight could lead to losing logical rewrite status files after a system crash.
Build extended statistics for partitioned tables (Justin Pryzby)
A previous bug fix disabled building of extended statistics for old-style inheritance trees, but it also prevented building them for partitioned tables, which was an unnecessary restriction. This change allows ANALYZE
to compute values for statistics objects for partitioned tables. (But note that autovacuum does not process partitioned tables as such, so you must periodically issue manual ANALYZE
on the partitioned table if you want to maintain such statistics.)
Ignore extended statistics for inheritance trees (Justin Pryzby)
Currently, extended statistics values are only computed locally for each table, not for entire inheritance trees. However the values were mistakenly consulted when planning queries across inheritance trees, possibly resulting in worse-than-default estimates.
Disallow altering data type of a partitioned table's columns when the partitioned table's row type is used as a composite type elsewhere (Tom Lane)
This restriction has long existed for regular tables, but through an oversight it was not checked for partitioned tables.
Disallow ALTER TABLE ... DROP NOT NULL
for a column that is part of a replica identity index (Haiying Tang, Hou Zhijie)
The same prohibition already existed for primary key indexes.
Correctly update cached table state during ALTER TABLE ADD PRIMARY KEY USING INDEX
(Hou Zhijie)
Concurrent sessions failed to update their opinion of whether the table has a primary key, possibly causing incorrect logical replication behavior.
Correctly update cached table state when switching REPLICA IDENTITY
index (Tang Haiying, Hou Zhijie)
Concurrent sessions failed to update their opinion of which index is the replica identity one, possibly causing incorrect logical replication behavior.
Allow parallel vacuuming and concurrent index building to be ignored while computing oldest xmin (Masahiko Sawada)
Non-parallelized instances of these operations were already ignored, but the logic did not work for parallelized cases. Holding back the xmin horizon has undesirable effects such as delaying vacuum cleanup.
Avoid leaking memory during REASSIGN OWNED BY
operations that reassign ownership of many objects (Justin Pryzby)
Improve performance of walsenders sending logical changes by avoiding unnecessary cache accesses (Hou Zhijie)
Fix display of cert
authentication method's options in pg_hba_file_rules
view (Magnus Hagander)
The cert
authentication method implies clientcert=verify-full
, but the pg_hba_file_rules
view incorrectly reported clientcert=verify-ca
.
Fix display of whole-row variables appearing in INSERT ... VALUES
rules (Tom Lane)
A whole-row variable would be printed as “var.*”, but that allows it to be expanded to individual columns when the rule is reloaded, resulting in different semantics. Attach an explicit cast to prevent that, as we do elsewhere.
Fix one-byte buffer overrun when applying Unicode string normalization to an empty string (Michael Paquier)
The practical impact of this is limited thanks to alignment considerations; but in debug builds, a warning was raised.
Fix or remove some incorrect assertions (Simon Riggs, Michael Paquier, Alexander Lakhin)
These errors should affect only debug builds, not production.
Fix race condition that could lead to failure to localize error messages that are reported early in multi-threaded use of libpq or ecpglib (Tom Lane)
Avoid calling strerror
from libpq's PQcancel
function (Tom Lane)
PQcancel
is supposed to be safe to call from a signal handler, but strerror
is not safe. The faulty usage only occurred in the unlikely event of failure to send the cancel message to the server, perhaps explaining the lack of reports.
Make psql's \password
command default to setting the password for CURRENT_USER
, not the connection's original user name (Tom Lane)
This agrees with the documented behavior, and avoids probable permissions failure if SET ROLE
or SET SESSION AUTHORIZATION
has been done since the session began. To prevent confusion, the role name to be acted on is now included in the password prompt.
Fix psql \d
command's query for identifying parent triggers (Justin Pryzby)
The previous coding failed with “more than one row returned by a subquery used as an expression” if a partition had triggers and there were unrelated statement-level triggers of the same name on some parent partitioned table.
Fix psql's tab-completion of label values for enum types (Tom Lane)
In psql and some other client programs, avoid trying to invoke gettext()
from a control-C signal handler (Tom Lane)
While no reported failures have been traced to this mistake, it seems highly unlikely to be a safe thing to do.
Allow canceling the initial password prompt in pg_receivewal and pg_recvlogical (Tom Lane, Nathan Bossart)
Previously it was impossible to terminate these programs via control-C while they were prompting for a password.
Fix pg_dump's dump ordering for user-defined casts (Tom Lane)
In rare cases, the output script might refer to a user-defined cast before it had been created.
Fix pg_dump's --inserts
and --column-inserts
modes to handle tables containing both generated columns and dropped columns (Tom Lane)
Fix possible mis-reporting of errors in pg_dump and pg_basebackup (Tom Lane)
The previous code failed to check for errors from some kernel calls, and could report the wrong errno values in other cases.
Fix results of index-only scans on contrib/btree_gist
indexes on char(
columns (Tom Lane)N
)
Index-only scans returned column values with trailing spaces removed, which is not the expected behavior. That happened because that's how the data was stored in the index. This fix changes the code to store char(
values with the expected amount of space padding. The behavior of such an index will not change immediately unless you N
)REINDEX
it; otherwise space-stripped values will be gradually replaced over time during updates. Queries that do not use index-only scan plans will be unaffected in any case.
Change configure to use Python's sysconfig module, rather than the deprecated distutils module, to determine how to build PL/Python (Peter Eisentraut, Tom Lane, Andres Freund)
With Python 3.10, this avoids configure-time warnings about distutils being deprecated and scheduled for removal in Python 3.12. Presumably, once 3.12 is out, configure --with-python
would fail altogether. This future-proofing does come at a cost: sysconfig did not exist before Python 2.7, nor before 3.2 in the Python 3 branch, so it is no longer possible to build PL/Python against long-dead Python versions.
Fix PL/Perl compile failure on Windows with Perl 5.28 and later (Victor Wagner)
Fix PL/Python compile failure with Python 3.11 and later (Peter Eisentraut)
Add support for building with Visual Studio 2022 (Hans Buschmann)
Allow the .bat
wrapper scripts in our MSVC build system to be called without first changing into their directory (Anton Voloshin, Andrew Dunstan)
Release date: 2021-11-11
This release contains a variety of fixes from 13.4. For information about new features in major release 13, see Version 13.0.
A dump/restore is not required for those running 13.X.
However, note that installations using physical replication should update standby servers before the primary server, as explained in the third changelog entry below.
Also, several bugs have been found that may have resulted in corrupted indexes, as explained in the next several changelog entries. If any of those cases apply to you, it's recommended to reindex possibly-affected indexes after updating.
Also, if you are upgrading from a version earlier than 13.2, see Version 13.2.
Make the server reject extraneous data after an SSL or GSS encryption handshake (Tom Lane)
A man-in-the-middle with the ability to inject data into the TCP connection could stuff some cleartext data into the start of a supposedly encryption-protected database session. This could be abused to send faked SQL commands to the server, although that would only work if the server did not demand any authentication data. (However, a server relying on SSL certificate authentication might well not do so.)
The PostgreSQL Project thanks Jacob Champion for reporting this problem. (CVE-2021-23214 or CVE-2021-23214)
Make libpq reject extraneous data after an SSL or GSS encryption handshake (Tom Lane)
A man-in-the-middle with the ability to inject data into the TCP connection could stuff some cleartext data into the start of a supposedly encryption-protected database session. This could probably be abused to inject faked responses to the client's first few queries, although other details of libpq's behavior make that harder than it sounds. A different line of attack is to exfiltrate the client's password, or other sensitive data that might be sent early in the session. That has been shown to be possible with a server vulnerable to CVE-2021-23214 or CVE-2021-23214.
The PostgreSQL Project thanks Jacob Champion for reporting this problem. (CVE-2021-23222 or CVE-2021-23222)
Fix physical replication for cases where the primary crashes after shipping a WAL segment that ends with a partial WAL record (Álvaro Herrera)
If the primary did not survive long enough to finish writing the rest of the incomplete WAL record, then the previous crash-recovery logic had it back up and overwrite WAL starting from the beginning of the incomplete WAL record. This is problematic since standby servers may already have copies of that WAL segment. They will then see an inconsistent next segment, and will not be able to recover without manual intervention. To fix, do not back up over a WAL segment boundary when restarting after a crash. Instead write a new type of WAL record at the start of the next WAL segment, informing readers that the incomplete WAL record will never be finished and must be disregarded.
When applying this update, it's best to update standby servers before the primary, so that they will be ready to handle this new WAL record type if the primary happens to crash.
Fix CREATE INDEX CONCURRENTLY
to wait for the latest prepared transactions (Andrey Borodin)
Rows inserted by just-prepared transactions might be omitted from the new index, causing queries relying on the index to miss such rows. The previous fix for this type of problem failed to account for PREPARE TRANSACTION
commands that were still in progress when CREATE INDEX CONCURRENTLY
checked for them. As before, in installations that have enabled prepared transactions (max_prepared_transactions
> 0), it's recommended to reindex any concurrently-built indexes in case this problem occurred when they were built.
Avoid race condition that can cause backends to fail to add entries for new rows to an index being built concurrently (Noah Misch, Andrey Borodin)
While it's apparently rare in the field, this case could potentially affect any index built or reindexed with the CONCURRENTLY
option. It is recommended to reindex any such indexes to make sure they are correct.
Fix float4
and float8
hash functions to produce uniform results for NaNs (Tom Lane)
Since PostgreSQL's floating-point types deem all NaNs to be equal, it's important for the hash functions to produce the same hash code for all bit-patterns that are NaNs according to the IEEE 754 standard. This failed to happen before, meaning that hash indexes and hash-based query plans might produce incorrect results for non-canonical NaN values. ('-NaN'::float8
is one way to produce such a value on most machines.) It is advisable to reindex hash indexes on floating-point columns, if there is any possibility that they might contain such values.
Fix REINDEX CONCURRENTLY
to preserve operator class parameters that were attached to the target index (Michael Paquier)
Prevent data loss during crash recovery of CREATE TABLESPACE
, when wal_level
= minimal
(Noah Misch)
If the server crashed between CREATE TABLESPACE
and the next checkpoint, replay would fully remove the contents of the new tablespace's directory, relying on subsequent WAL replay to restore everything within that directory. This interacts badly with optimizations that skip writing WAL (one example is COPY
into a just-created table). Such optimizations are applied only when wal_level
is minimal
, which is not the default in v10 and later.
Ensure that the relation cache is invalidated for a table being attached to or detached from a partitioned table (Amit Langote, Álvaro Herrera)
This oversight could allow misbehavior of subsequent inserts/updates addressed directly to the partition, but only in currently-existing sessions.
Ensure that the relation cache is invalidated for all partitions of a partitioned table that is being added to or removed from a publication (Hou Zhijie, Vignesh C)
This oversight could lead to improper replication behavior until all currently-existing sessions have exited.
Ensure that the relation cache is invalidated when creating or dropping a FOR ALL TABLES
publication (Hou Zhijie, Vignesh C)
This oversight could lead to improper replication behavior until all currently-existing sessions have exited.
Don't discard a cast to the same type with unspecified type modifier (Tom Lane)
For example, if column f1
is of type numeric(18,3)
, the parser used to simply discard a cast like f1::numeric
, on the grounds that it would have no run-time effect. That's true, but the exposed type of the expression should still be considered to be plain numeric
, not numeric(18,3)
. This is important for correctly resolving the type of larger constructs, such as recursive UNION
s.
Fix updates of element fields in arrays of domain over composite (Tom Lane)
A command such as UPDATE tab SET fld[1].subfld = val
failed if the array's elements were domains rather than plain composites.
Disallow the combination of FETCH FIRST WITH TIES
and FOR UPDATE SKIP LOCKED
(David Christensen)
FETCH FIRST WITH TIES
necessarily fetches one more row than requested, since it cannot stop until it finds a row that is not a tie. In our current implementation, if FOR UPDATE
is used then that row will also get locked even though it is not returned. That results in undesirable behavior if the SKIP LOCKED
option is specified. It's difficult to change this without introducing a different set of undesirable behaviors, so for now, forbid the combination.
Disallow creating an ICU collation if the current database's encoding won't support it (Tom Lane)
Previously this was allowed, but then the collation could not be referenced because of the way collation lookup works; you could not use the collation, nor even drop it.
Disallow ALTER INDEX index ALTER COLUMN col SET (options)
(Nathan Bossart, Michael Paquier)
While the parser accepted this, it's undocumented and doesn't actually work.
Fix corner-case loss of precision in numeric power()
(Dean Rasheed)
The result could be inaccurate when the first argument is very close to 1.
Avoid regular expression errors with capturing parentheses inside {0}
(Tom Lane)
Regular expressions like (.){0}...\1
drew “invalid backreference number”. Other regexp engines such as Perl don't complain, though, and for that matter ours doesn't either in some closely related cases. Worse, it could throw an assertion failure instead. Fix it so that no error is thrown and instead the back-reference is silently deemed to never match.
Prevent regular expression back-references from sometimes matching when they shouldn't (Tom Lane)
The regexp engine was careless about clearing match data for capturing parentheses after rejecting a partial match. This could allow a later back-reference to match in places where it should fail for lack of a defined referent.
Fix regular expression performance bug with back-references inside iteration nodes (Tom Lane)
Incorrect back-tracking logic could result in exponential time spent looking for a match. Fortunately the problem is masked in most cases by other optimizations.
Fix incorrect results from AT TIME ZONE
applied to a time with time zone
value (Tom Lane)
The results were incorrect if the target time zone was specified by a dynamic timezone abbreviation (that is, one that is defined as equivalent to a full time zone name, rather than a fixed UTC offset).
Fix planner error with pulling up subquery expressions into function rangetable entries (Tom Lane)
If a function in FROM
laterally references the output of some sub-SELECT
earlier in the FROM
clause, and we are able to flatten that sub-SELECT
into the outer query, the expression(s) copied into the function expression were not fully processed. This could lead to crashes at execution.
Fix mistranslation of PlaceHolderVars to inheritance child relations (Tom Lane)
This error could result in assertion failures, or in mis-planning of queries having partitioned or inherited tables on the nullable side of an outer join.
Avoid using MCV-only statistics to estimate the range of a column (Tom Lane)
There are corner cases in which ANALYZE
will build a most-common-values (MCV) list but not a histogram, even though the MCV list does not account for all the observed values. In such cases, keep the planner from using the MCV list alone to estimate the range of column values.
Fix restoration of a Portal's snapshot inside a subtransaction (Bertrand Drouvot)
If a procedure commits or rolls back a transaction, and then its next significant action is inside a new subtransaction, snapshot management went wrong, leading to a dangling pointer and probable crash. A typical example in PL/pgSQL is a COMMIT
immediately followed by a BEGIN ... EXCEPTION
block that performs a query.
Clean up correctly if a transaction fails after exporting its snapshot (Dilip Kumar)
This oversight would only cause a problem if the same session attempted to export a snapshot again. The most likely scenario for that is creation of a replication slot (followed by rollback) and then creation of another replication slot.
Prevent wraparound of overflowed-subtransaction tracking on standby servers (Kyotaro Horiguchi, Alexander Korotkov)
This oversight could cause significant performance degradation (manifesting as excessive SubtransSLRU traffic) on standby servers.
Ensure that prepared transactions are properly accounted for during promotion of a standby server (Michael Paquier, Andres Freund)
There was a narrow window where a prepared transaction could be omitted from a snapshot taken by a concurrently-running session. If that session then used the snapshot to perform data updates, erroneous results or data corruption could occur.
Disallow LISTEN
in background workers (Tom Lane)
There's no infrastructure to support this, so if someone did it, it would only result in preventing cleanup of the NOTIFY
queue.
Send NOTIFY
signals to other backends during transaction commit, not in the server's idle loop (Artur Zakirov, Tom Lane)
This change allows notifications to be delivered immediately after an intra-procedure COMMIT
. It also allows logical replication workers to send notifications.
Refuse to rewind a cursor marked NO SCROLL
if it has been held over from a previous transaction due to the WITH HOLD
option (Tom Lane)
We have long forbidden fetching backwards from a NO SCROLL
cursor, but for historical reasons the prohibition didn't extend to cases in which we rewind the query altogether and then re-fetch forwards. That exception leads to inconsistencies, particularly for held-over cursors which may not have stored all the data necessary to rewind. Disallow rewinding for non-scrollable held-over cursors to block the worst inconsistencies. (v15 will remove the exception altogether.)
Fix possible failure while saving a WITH HOLD
cursor at transaction end, if it had already been read to completion (Tom Lane)
Fix detection of a relation that has grown to the maximum allowed length (Tom Lane)
An attempt to extend a table or index past the limit of 2^32-1 blocks was rejected, but not soon enough to prevent inconsistent internal state from being created.
Correctly track the presence of data-modifying CTEs when expanding a DO INSTEAD
rule (Greg Nancarrow, Tom Lane)
The previous failure to do this could lead to problems such as unsafely choosing a parallel plan.
Fix incorrect reporting of permissions failures on extended statistics objects (Tomas Vondra)
The code typically produced “cache lookup error” rather than the intended message.
Fix incorrect snapshot handling in parallel workers (Greg Nancarrow)
This oversight could lead to misbehavior in parallel queries if the transaction isolation level is less than REPEATABLE READ
.
Fix logical decoding to correctly ignore toast-table changes for transient tables (Bertrand Drouvot)
Logical decoding normally ignores changes in transient tables such as those created during an ALTER TABLE
heap rewrite. But that filtering wasn't applied to the associated toast table if any, leading to possible errors when rewriting a table that's being published.
Fix logical decoding's memory usage accounting to handle TOAST data correctly (Bertrand Drouvot)
Ensure that walreceiver processes create all required archive notification files before exiting (Fujii Masao)
If a walreceiver exited exactly at a WAL segment boundary, it failed to make a notification file for the last-received segment, thus delaying archiving of that segment on the standby.
Fix computation of the WAL range to include in a backup manifest when a timeline change is involved (Kyotaro Horiguchi)
Avoid trying to lock the OLD
and NEW
pseudo-relations in a rule that uses SELECT FOR UPDATE
(Masahiko Sawada, Tom Lane)
Fix parser's processing of aggregate FILTER
clauses (Tom Lane)
If the FILTER
expression is a plain boolean column, the semantic level of the aggregate could be mis-determined, leading to not-per-spec behavior. If the FILTER
expression is itself a boolean-returning aggregate, an error should be thrown but was not, likely resulting in a crash at execution.
Ensure that the correct lock level is used when renaming a table (Nathan Bossart, Álvaro Herrera)
For historical reasons, ALTER INDEX ... RENAME
can be applied to any sort of relation. The lock level required to rename an index is lower than that required to rename a table or other kind of relation, but the code got this wrong and would use the weaker lock level whenever the command is spelled ALTER INDEX
.
Prevent ALTER TYPE/DOMAIN/OPERATOR ... SET
from changing extension membership (Tom Lane)
ALTER ... SET
executed by an extension script would cause the target object to become a member of the extension if it was not already. In itself this isn't too troubling, since there's little reason for an extension script to touch an object not belonging to the extension. But ALTER TYPE SET
will recurse to dependent domains, thus causing them to also become extension members. This causes unwanted side-effects from extension upgrade scripts that use that command to adjust the properties of a base type belonging to the extension. Fix by redefining these ALTER
cases to never change extension membership.
Avoid trying to clean up LLVM state after an error within LLVM (Andres Freund, Justin Pryzby)
This prevents a likely crash during backend exit after a fatal LLVM error.
Avoid null-pointer-dereference crash when dropping a role that owns objects being dropped concurrently (Álvaro Herrera)
Prevent “snapshot reference leak” warning when lo_export()
or a related function fails (Heikki Linnakangas)
Ensure that scans of SP-GiST indexes are counted in the statistics views (Tom Lane)
Incrementing the number-of-index-scans counter was overlooked in the SP-GiST code, although per-tuple counters were advanced correctly.
Fix inefficient code generation for CoerceToDomain expression nodes (Ranier Vilela)
Recalculate relevant wait intervals if recovery_min_apply_delay
is changed during recovery (Soumyadeep Chakraborty, Ashwin Agrawal)
Fix infinite loop if a simplehash.h
hash table reaches 2^32 elements (Yura Sokolov)
It seems unlikely that this bug has been hit in practice, as it would require work_mem
settings of hundreds of gigabytes for existing uses of simplehash.h
.
Avoid O (N^2) behavior in some list-manipulation operations (Nathan Bossart, Tom Lane)
These changes fix slow processing in several scenarios, including: when a standby replays a transaction that held many exclusive locks on the primary; when many files are due to be unlinked after a checkpoint; when hash aggregation involves many batches; and when pg_trgm
extracts indexable conditions from a complex regular expression. Only the first of these scenarios has actually been reported from the field, but they all seem like plausible consequences of inefficient list deletions.
Reduce memory consumption during calculation of extended statistics (Justin Pryzby, Tomas Vondra)
Add more defensive checks around B-tree posting list splits (Peter Geoghegan)
This change should help detect index corruption involving duplicate table TIDs.
Disallow setting huge_pages
to on
when shared_memory_type
is sysv
(Thomas Munro)
Previously, this setting was accepted, but it did nothing for lack of any implementation.
Fix missing libpq functions on AIX (Tony Reix)
Code reorganization led to the following documented functions not being exported from libpq on AIX: pg_encoding_to_char()
, pg_utf_mblen()
, pg_char_to_encoding()
, pg_valid_server_encoding()
, and pg_valid_server_encoding_id()
. Restore them to visibility.
Fix ecpg to recover correctly after malloc()
failure while establishing a connection (Michael Paquier)
Fix misevaluation of stable functions called in the arguments of a PL/pgSQL CALL
statement (Tom Lane)
They were being called with an out-of-date snapshot, so that they would not see any database changes made since the start of the session's top-level command.
Allow EXIT
out of the outermost block in a PL/pgSQL routine (Tom Lane)
If the routine does not require an explicit RETURN
, this usage should be valid, but it was rejected.
Remove pg_ctl's hard-coded limits on the total length of generated commands (Phil Krylov)
For example, this removes a restriction on how many command-line options can be passed through to the postmaster. Individual path names that pg_ctl deals with, such as the postmaster executable's name or the data directory name, are still limited to MAXPGPATH
bytes in most cases.
Fix pg_dump to dump non-global default privileges correctly (Neil Chen, Masahiko Sawada)
If a global (unrestricted) ALTER DEFAULT PRIVILEGES
command revoked some present-by-default privilege, for example EXECUTE
for functions, and then a restricted ALTER DEFAULT PRIVILEGES
command granted that privilege again for a selected role or schema, pg_dump failed to dump the restricted privilege grant correctly.
Make pg_dump acquire shared lock on partitioned tables that are to be dumped (Tom Lane)
This oversight was usually pretty harmless, since once pg_dump has locked any of the leaf partitions, that would suffice to prevent significant DDL on the partitioned table itself. However problems could ensue when dumping a childless partitioned table, since no relevant lock would be held.
Improve pg_dump's performance by avoiding making per-table queries for RLS policies, and by avoiding repetitive calls to format_type()
(Tom Lane)
These changes provide only marginal improvement when dumping from a local server, but a dump from a remote server can benefit substantially due to fewer network round-trips.
Fix crash in pg_dump when attempting to dump trigger definitions from a pre-8.3 server (Tom Lane)
Fix incorrect filename in pg_restore's error message about an invalid large object TOC file (Daniel Gustafsson)
Ensure that pgbench exits with non-zero status after a socket-level failure (Yugo Nagata, Fabien Coelho)
The desired behavior is to finish out the run but then exit with status 2. Also, fix the reporting of such errors.
Fix failure of contrib/btree_gin
indexes on "char"
(not char(
) columns, when an indexscan using the n
)<
or <=
operator is performed (Tom Lane)
Such an indexscan failed to return all the entries it should.
Change contrib/pg_stat_statements
to read its “query texts” file in units of at most 1GB (Tom Lane)
Such large query text files are very unusual, but if they do occur, the previous coding would fail on Windows 64 (which rejects individual read requests of more than 2GB).
Fix null-pointer crash when contrib/postgres_fdw
tries to report a data conversion error (Tom Lane)
Add spinlock support for the RISC-V architecture (Marek Szuba)
This is essential for reasonable performance on that platform.
Support OpenSSL 3.0.0 (Peter Eisentraut, Daniel Gustafsson, Michael Paquier)
Set correct type identifier on OpenSSL BIO (I/O abstraction) objects created by PostgreSQL (Itamar Gafni)
This oversight probably only matters for code that is doing tasks like auditing the OpenSSL installation. But it's nominally a violation of the OpenSSL API, so fix it.
Fix our pkg-config
files to again support static linking of libpq (Peter Eisentraut)
Make pg_regexec()
robust against an out-of-range search_start
parameter (Tom Lane)
Return REG_NOMATCH
, instead of possibly crashing, when search_start
is past the end of the string. This case is probably unreachable within core PostgreSQL, but extensions might be more careless about the parameter value.
Ensure that GetSharedSecurityLabel()
can be used in a newly-started session that has not yet built its critical relation cache entries (Jeff Davis)
Use the CLDR project's data to map Windows time zone names to IANA time zones (Tom Lane)
When running on Windows, initdb attempts to set the new cluster's timezone
parameter to the IANA time zone matching the system's prevailing time zone. We were using a mapping table that we'd generated years ago and updated only fitfully; unsurprisingly, it contained a number of errors as well as omissions of recently-added zones. It turns out that CLDR has been tracking the most appropriate mappings, so start using their data. This change will not affect any existing installation, only newly-initialized clusters.
Update time zone data files to tzdata release 2021e for DST law changes in Fiji, Jordan, Palestine, and Samoa, plus historical corrections for Barbados, Cook Islands, Guyana, Niue, Portugal, and Tonga.
Also, the Pacific/Enderbury zone has been renamed to Pacific/Kanton. Also, the following zones have been merged into nearby, more-populous zones whose clocks have agreed with them since 1970: Africa/Accra, America/Atikokan, America/Blanc-Sablon, America/Creston, America/Curacao, America/Nassau, America/Port_of_Spain, Antarctica/DumontDUrville, and Antarctica/Syowa. In all these cases, the previous zone name remains as an alias.
Release date: 2021-08-12
This release contains a variety of fixes from 13.3. For information about new features in major release 13, see Version 13.0.
A dump/restore is not required for those running 13.X.
However, if you are upgrading from a version earlier than 13.2, see Version 13.2.
Fix mis-planning of repeated application of a projection step (Tom Lane)
The planner could create an incorrect plan in cases where two ProjectionPaths were stacked on top of each other. The only known way to trigger that situation involves parallel sort operations, but there may be other instances. The result would be crashes or incorrect query results. Disclosure of server memory contents is also possible. (CVE-2021-3677 or CVE-2021-3677)
Disallow SSL renegotiation more completely (Michael Paquier)
SSL renegotiation has been disabled for some time, but the server would still cooperate with a client-initiated renegotiation request. A maliciously crafted renegotiation request could result in a server crash (see OpenSSL issue CVE-2021-3449 or CVE-2021-3449). Disable the feature altogether on OpenSSL versions that permit doing so, which are 1.1.0h and newer.
Restore the Portal-level snapshot after COMMIT
or ROLLBACK
within a procedure (Tom Lane)
This change fixes cases where an attempt to fetch a toasted value immediately after COMMIT
/ROLLBACK
would fail with errors like “no known snapshots” or “missing chunk number 0 for toast value”.
Some extensions may attempt to execute SQL code outside of any Portal. They are responsible for ensuring that an outer snapshot exists before doing so. Previously, not providing a snapshot might work or it might not; now it will consistently fail with “cannot execute SQL without an outer snapshot or portal”.
Avoid misbehavior when persisting the output of a cursor that's reading a non-stable query (Tom Lane)
Previously, we'd always rewind and re-read the whole query result, possibly getting results different from the earlier execution, causing great confusion later. For a NO SCROLL cursor, we can fix this by only storing the not-yet-read portion of the query output, which is sufficient since a NO SCROLL cursor can't be backed up. Cursors with the SCROLL option remain at hazard, but that was already documented to be an unsafe option to use with a non-stable query. Make those documentation warnings stronger.
Also force NO SCROLL mode for the implicit cursor used by a PL/pgSQL FOR-over-query loop, to avoid this type of problem when persisting such a cursor during an intra-procedure commit.
Reject SELECT ... GROUP BY GROUPING SETS (()) FOR UPDATE
(Tom Lane)
This should be disallowed, just as FOR UPDATE
with a plain GROUP BY
is disallowed, but the test for that failed to handle empty grouping sets correctly. The end result would be a null-pointer dereference in the executor.
Reject cases where a query in WITH
rewrites to just NOTIFY
(Tom Lane)
Such cases previously crashed.
In numeric
multiplication, round the result rather than failing if it would have more than 16383 digits after the decimal point (Dean Rasheed)
Fix corner-case errors and loss of precision when raising numeric
values to very large powers (Dean Rasheed)
Fix division-by-zero failure in to_char()
with EEEE
format and a numeric
input value less than 10^(-1001) (Dean Rasheed)
Fix pg_size_pretty(bigint)
to round negative values consistently with the way it rounds positive ones (and consistently with the numeric
version) (Dean Rasheed, David Rowley)
Make pg_filenode_relation(0, 0)
return NULL rather than failing (Justin Pryzby)
Make ALTER EXTENSION
lock the extension when adding or removing a member object (Tom Lane)
The previous coding allowed ALTER EXTENSION ADD/DROP
to occur concurrently with DROP EXTENSION
, leading to a crash or corrupt catalog entries.
Fix ALTER SUBSCRIPTION
to reject an empty slot name (Japin Li)
When cloning a partitioned table's triggers to a new partition, ensure that their enabled status is copied (Álvaro Herrera)
Avoid alias conflicts in queries generated for REFRESH MATERIALIZED VIEW CONCURRENTLY
(Tom Lane, Bharath Rupireddy)
This command failed on materialized views containing columns with certain names, notably mv
and newdata
.
Fix PREPARE TRANSACTION
to check correctly for conflicting session-lifespan and transaction-lifespan locks (Tom Lane)
A transaction cannot be prepared if it has both session-lifespan and transaction-lifespan locks on the same advisory-lock ID value. This restriction was not fully checked, which could lead to a PANIC during PREPARE TRANSACTION
.
Fix misbehavior of DROP OWNED BY
when the target role is listed more than once in an RLS policy (Tom Lane)
Skip unnecessary error tests when removing a role from an RLS policy during DROP OWNED BY
(Tom Lane)
Notably, this fixes some cases where it was necessary to be a superuser to use DROP OWNED BY
.
Re-allow old-style Windows locale names in CREATE COLLATION
commands (Thomas Munro)
Previously we were failing because the operating system can't provide version information for such locales. At some point we may decide to require version information, but no such policy exists yet, so re-allow the case for now.
Disallow whole-row variables in GENERATED
expressions (Tom Lane)
Use of a whole-row variable clearly violates the rule that a generated column cannot depend on itself, so such cases have no well-defined behavior. The actual behavior frequently included a crash.
Fix usage of tableoid
in GENERATED
expressions (Tom Lane)
Some code paths failed to provide a valid value for this system column while evaluating a GENERATED
expression.
Don't store a “fast default” when adding a column to a foreign table (Andrew Dunstan)
The fast default is useless since no local heap storage exists for such a table, but it confused subsequent operations. In addition to suppressing creation of such catalog entries in ALTER TABLE
commands, adjust the downstream code to cope when one is incorrectly present.
Allow index state flags to be updated transactionally (Michael Paquier, Andrey Lepikhov)
This avoids failures when dealing with index predicates that aren't really immutable. While that's not considered a supported case, the original reason for using a non-transactional update here is long gone, so we may as well change it.
Avoid corrupting the plan cache entry when CREATE DOMAIN
or ALTER DOMAIN
appears in a cached plan (Tom Lane)
Make walsenders show their latest replication commands in pg_stat_activity
(Tom Lane)
Previously, a walsender would show its latest SQL command, which was confusing if it's now doing some replication operation instead. Now we show replication-protocol commands on the same footing as SQL commands.
Make pg_settings
.pending_restart
show as true when the pertinent entry in postgresql.conf
has been removed (Álvaro Herrera)
pending_restart
correctly showed the case where an entry that cannot be changed without a postmaster restart has been modified, but not where the entry had been removed altogether.
On 64-bit Windows, allow the effective value of work_mem
times hash_mem_multiplier
to exceed 2GB (Tom Lane)
This allows hash_mem_multiplier
to be used for its intended purpose of preventing large hash aggregations from spilling to disk, even when “large” means multiple gigabytes.
Fix mis-planning of queries involving regular tables that are inheritance children of foreign tables (Amit Langote)
SELECT FOR UPDATE
and related commands would fail with assertion failures or “could not find junk column” errors in such cases.
Fix pullup of constant function-in-FROM results when the FROM item is marked LATERAL
(Tom Lane)
Fix corner-case failure of a new standby to follow a new primary (Dilip Kumar, Robert Haas)
Under a narrow combination of conditions, the standby could wind up trying to follow the wrong WAL timeline.
Update minimum recovery point when WAL replay of a transaction abort record causes file truncation (Fujii Masao)
File truncation is irreversible, so it's no longer safe to stop recovery at a point earlier than that record. The corresponding case for transaction commit was fixed years ago, but this one was overlooked.
Advance oldest-required-WAL-segment horizon properly after a replication slot is invalidated (Kyotaro Horiguchi)
If all slots were invalidated, the horizon would not move again, eventually allowing the server's WAL storage to run out of space.
In walreceivers, avoid attempting catalog lookups after an error (Masahiko Sawada, Bharath Rupireddy)
Ensure that a standby server's startup process will respond to a shutdown signal promptly while waiting for WAL to arrive (Fujii Masao, Soumyadeep Chakraborty)
Correctly clear shared state after failing to become a member of a transaction commit group (Amit Kapila)
Given the right timing, this could cause an assertion failure when some later session re-uses the same PGPROC object.
Add locking to avoid reading incorrect relmapper data in the face of a concurrent write from another process (Heikki Linnakangas)
Improve progress reporting for the sort phase of a parallel btree index build (Matthias van de Meent)
Improve checks for violations of replication protocol (Tom Lane)
Logical replication workers frequently used Asserts to check for cases that could be triggered by invalid or out-of-order replication commands. This seems unwise, so promote these tests to regular error checks.
Fix assorted crash cases in logical replication of partitioned-table updates (Amit Langote, Tom Lane)
Fix potential crash when firing AFTER triggers of partitioned tables in logical replication workers (Tom Lane)
Fix deadlock when multiple logical replication workers try to truncate the same table (Peter Smith, Haiying Tang)
Fix error cases and memory leaks in logical decoding of speculative insertions (Dilip Kumar)
Fix memory leak in logical replication output (Amit Langote)
Avoid leaving an invalid record-type hash table entry behind after an error (Sait Talha Nisanci)
This could lead to later crashes or memory leakage.
Fix plan cache reference leaks in some error cases in CREATE TABLE ... AS EXECUTE
(Tom Lane)
Fix race condition in code for sharing tuple descriptors across parallel workers (Thomas Munro)
Given the right timing, a crash could result.
Fix race condition when invalidating an obsolete replication slot concurrently with an attempt to drop or update it (Andres Freund, Álvaro Herrera)
Fix possible race condition when releasing BackgroundWorkerSlots (Tom Lane)
It's likely that this doesn't fix any observable bug on Intel hardware, but machines with weaker memory ordering rules could have problems.
Fix latent crash in sorting code (Ronan Dunklau)
One code path could attempt to free a null pointer. The case appears unreachable in the core server's use of sorting, but perhaps it could be triggered by extensions.
Harden B-tree posting list split code against corrupt data (Peter Geoghegan)
Throw an error, rather than crashing, for an attempt to insert an item with a TID identical to an existing entry. While that shouldn't ever happen, it has been reported to happen when the index is inconsistent with its table.
Prevent infinite loops in SP-GiST index insertion (Tom Lane)
In the event that INCLUDE columns take up enough space to prevent a leaf index tuple from ever fitting on a page, the text_ops operator class would get into an infinite loop vainly trying to make the tuple fit. While pre-v11 versions don't have INCLUDE columns, back-patch this anti-looping fix to them anyway, as it seems like a good defense against bugs in operator classes.
Ensure that SP-GiST index insertion can be terminated by a query cancel request (Tom Lane, Álvaro Herrera)
Fix uninitialized-variable bug that could cause PL/pgSQL to act as though an INTO
clause specified STRICT
, even though it didn't (Tom Lane)
Don't abort the process for an out-of-memory failure in libpq's printing functions (Tom Lane)
In ecpg, allow the numeric
value INT_MIN (usually -2147483648) to be converted to integer (John Naylor)
In psql and other client programs, avoid overrunning the ends of strings when dealing with invalidly-encoded data (Tom Lane)
An incorrectly-encoded multibyte character near the end of a string could cause various processing loops to run past the string's terminating NUL, with results ranging from no detectable issue to a program crash, depending on what happens to be in the following memory. This is reminiscent of CVE-2006-2313 or CVE-2006-2313, although these particular cases do not appear to have interesting security consequences.
Fix pg_dump to correctly handle triggers on partitioned tables whose enabled status is different from their parent triggers' status (Justin Pryzby, Álvaro Herrera)
Avoid “invalid creation date in header” warnings observed when running pg_restore on an archive file created in a different time zone (Tom Lane)
Make pg_upgrade carry forward the old installation's oldestXID
value (Bertrand Drouvot)
Previously, the new installation's oldestXID
was set to a value old enough to (usually) force immediate anti-wraparound autovacuuming. That's not desirable from a performance standpoint; what's worse, installations using large values of autovacuum_freeze_max_age
could suffer unwanted forced shutdowns soon after an upgrade.
Extend pg_upgrade to detect and warn about extensions that should be upgraded (Bruce Momjian)
A script file is now produced containing the ALTER EXTENSION UPDATE
commands needed to bring extensions up to the versions that are considered default in the new installation.
Avoid problems when switching pg_receivewal between compressed and non-compressed WAL storage (Michael Paquier)
Fix contrib/postgres_fdw
to work usefully with generated columns (Etsuro Fujita)
postgres_fdw
will now behave reasonably with generated columns, so long as a generated column in a foreign table represents a generated column in the remote table. IMPORT FOREIGN SCHEMA
will now import generated columns that way by default.
In contrib/postgres_fdw
, avoid attempting catalog lookups after an error (Tom Lane)
While this usually worked, it's not very safe since the error might have been one that made catalog access nonfunctional. A side effect of the fix is that messages about data conversion errors will now mention the query's table and column aliases (if used) rather than the true underlying name of a foreign table or column.
Improve the isolation-test infrastructure (Tom Lane, Michael Paquier)
Allow isolation test steps to be annotated to show the expected completion order. This allows getting stable results from otherwise-racy test cases, without the long delays that we previously used (not entirely successfully) to fend off race conditions. Allow non-quoted identifiers as isolation test session/step names (formerly, all such names had to be double-quoted). Detect and warn about unused steps in isolation tests. Improve display of query results in isolation tests. Remove isolationtester's “dry-run” mode. Remove memory leaks in isolationtester itself.
Reduce overhead of cache-clobber testing (Tom Lane)
Fix PL/Python's regression tests to pass with Python 3.10 (Honza Horak)
Make printf("%s", NULL)
print (null)
instead of crashing (Tom Lane)
This should improve server robustness in corner cases, and it syncs our printf
implementation with common libraries.
Fix incorrect log message when point-in-time recovery stops at a ROLLBACK PREPARED
record (Simon Riggs)
Improve ALTER TABLE
's messages for wrong-relation-kind errors (Kyotaro Horiguchi)
Clarify error messages referring to “non-negative” values (Bharath Rupireddy)
Fix configure to work with OpenLDAP 2.5, which no longer has a separate libldap_r
library (Adrian Ho, Tom Lane)
If there is no libldap_r
library, we now silently assume that libldap
is thread-safe.
Add new make targets world-bin
and install-world-bin
(Andrew Dunstan)
These are the same as world
and install-world
respectively, except that they do not build or install the documentation.
Fix make rule for TAP tests (prove_installcheck
) to work in PGXS usage (Andrew Dunstan)
Adjust JIT code to prepare for forthcoming LLVM API change (Thomas Munro, Andres Freund)
LLVM 13 has made an incompatible API change that will cause crashing of our previous JIT compiler.
Avoid assuming that strings returned by GSSAPI libraries are null-terminated (Tom Lane)
The GSSAPI spec provides for a string pointer and length. It seems that in practice the next byte after the string is usually zero, so that our previous coding didn't actually fail; but we do have a report of AddressSanitizer complaints.
Enable building with GSSAPI on MSVC (Michael Paquier)
Fix various incompatibilities with modern Kerberos builds.
In MSVC builds, include --with-pgport
in the set of configure options reported by pg_config, if it had been specified (Andrew Dunstan)
Release date: 2021-05-13
This release contains a variety of fixes from 13.2. For information about new features in major release 13, see Version 13.0.
A dump/restore is not required for those running 13.X.
However, if you are upgrading from a version earlier than 13.2, see Version 13.2.
Prevent integer overflows in array subscripting calculations (Tom Lane)
The array code previously did not complain about cases where an array's lower bound plus length overflows an integer. This resulted in later entries in the array becoming inaccessible (since their subscripts could not be written as integers), but more importantly it confused subsequent assignment operations. This could lead to memory overwrites, with ensuing crashes or unwanted data modifications. (CVE-2021-32027 or CVE-2021-32027)
Fix mishandling of “junk” columns in INSERT ... ON CONFLICT ... UPDATE
target lists (Tom Lane)
If the UPDATE
list contains any multi-column sub-selects (which give rise to junk columns in addition to the results proper), the UPDATE
path would end up storing tuples that include the values of the extra junk columns. That's fairly harmless in the short run, but if new columns are added to the table then the values would become accessible, possibly leading to malfunctions if they don't match the datatypes of the added columns.
In addition, in versions supporting cross-partition updates, a cross-partition update triggered by such a case had the reverse problem: the junk columns were removed from the target list, typically causing an immediate crash due to malfunction of the multi-column sub-select mechanism. (CVE-2021-32028 or CVE-2021-32028)
Fix possibly-incorrect computation of UPDATE ... RETURNING
outputs for joined cross-partition updates (Amit Langote, Etsuro Fujita)
If an UPDATE
for a partitioned table caused a row to be moved to another partition with a physically different row type (for example, one with a different set of dropped columns), computation of RETURNING
results for that row could produce errors or wrong answers. No error is observed unless the UPDATE
involves other tables being joined to the target table. (CVE-2021-32029 or CVE-2021-32029)
Fix adjustment of constraint deferrability properties in partitioned tables (Álvaro Herrera)
When applied to a foreign-key constraint of a partitioned table, ALTER TABLE ... ALTER CONSTRAINT
failed to adjust the DEFERRABLE
and/or INITIALLY DEFERRED
markings of the constraints and triggers of leaf partitions. This led to unexpected behavior of such constraints. After updating to this version, any misbehaving partitioned tables can be fixed by executing a new ALTER
command to set the desired properties.
This change also disallows applying such an ALTER
directly to the constraints of leaf partitions. The only supported case is for the whole partitioning hierarchy to have identical constraint properties, so such ALTER
s must be applied at the partition root.
When attaching a child table with ALTER TABLE ... INHERIT
, insist that any generated columns in the parent be generated the same way in the child (Peter Eisentraut)
Forbid marking an identity column as nullable (Vik Fearing)
GENERATED ... AS IDENTITY
implies NOT NULL
, so don't allow it to be combined with an explicit NULL
specification.
Allow ALTER ROLE/DATABASE ... SET
to set the role
, session_authorization
, and temp_buffers
parameters (Tom Lane)
Previously, over-eager validity checks might reject these commands, even if the values would have worked when used later. This created a command ordering hazard for dump/reload and upgrade scenarios.
Ensure that REINDEX CONCURRENTLY
preserves any statistics target that's been set for the index (Michael Paquier)
Fix COMMIT AND CHAIN
to work correctly when the current transaction has live savepoints (Fujii Masao)
Fix list-manipulation bug in WITH RECURSIVE
processing (Michael Paquier, Tom Lane)
Sufficiently deep nesting of WITH
constructs (at least seven levels) triggered core dumps or incorrect complaints of faulty WITH
nesting.
Fix bug with coercing the result of a COLLATE
expression to a non-collatable type (Tom Lane)
This led to a parse tree in which the COLLATE
appears to be applied to a non-collatable value. While that normally has no real impact (since COLLATE
has no effect at runtime), it was possible to construct views that would be rejected during dump/reload.
Fix use-after-free bug in saving tuples for AFTER
triggers (Amit Langote)
This could cause crashes in some situations.
Disallow calling window functions and procedures via the “fast path” wire protocol message (Tom Lane)
Only plain functions are supported here. While trying to call an aggregate function failed already, calling a window function would crash, and calling a procedure would work only if the procedure did no transaction control.
Extend pg_identify_object_as_address()
to support event triggers (Joel Jacobson)
Fix to_char()
's handling of Roman-numeral month format codes with negative intervals (Julien Rouhaud)
Previously, such cases would usually cause a crash.
Check that the argument of pg_import_system_collations()
is a valid schema OID (Tom Lane)
Fix use of uninitialized value while parsing an \{
quantifier in a BRE-mode regular expression (Tom Lane)m
,n
\}
This error could cause the quantifier to act non-greedy, that is behave like an {
quantifier would do in full regular expressions.m
,n
}?
Fix “could not find pathkey item to sort” planner errors in some situations where the sort key involves an aggregate or window function (James Coleman, Tom Lane)
Don't ignore system columns when estimating the number of groups using extended statistics (Tomas Vondra)
This led to strange estimates for queries such as SELECT ... GROUP BY a, b, ctid
.
Avoid divide-by-zero when estimating selectivity of a regular expression with a very long fixed prefix (Tom Lane)
This typically led to a NaN
selectivity value, causing assertion failures or strange planner behavior.
Fix access-off-the-end-of-the-table error in BRIN index bitmap scans (Tomas Vondra)
If the page range size used by a BRIN index isn't a power of two, there were corner cases in which a bitmap scan could try to fetch pages past the actual end of the table, leading to “could not open file” errors.
Fix potentially wrong answers from GIN tsvector
index searches, when there are many matching tuples (Tom Lane)
If the number of index matches became large enough to make the bitmap holding them become lossy (a threshold that depends on work_mem
), the code could get confused about whether rechecks are required, allowing rows to be returned that don't actually match the query.
Fix concurrency issues with WAL segment recycling on Windows (Michael Paquier)
This reverts a change that caused intermittent “could not rename file ...: Permission denied” log messages. While there were not serious consequences, the log spam was annoying.
Avoid incorrect timeline change while recovering uncommitted two-phase transactions from WAL (Soumyadeep Chakraborty, Jimmy Yih, Kevin Yeap)
This error could lead to subsequent WAL records being written under the wrong timeline ID, leading to consistency problems, or even complete failure to be able to restart the server, later on.
Ensure that locks are released while shutting down a standby server's startup process (Fujii Masao)
When a standby server is shut down while still in recovery, some locks might be left held. This causes assertion failures in debug builds; it's unclear whether any serious consequence could occur in production builds.
Fix crash when a logical replication worker does ALTER SUBSCRIPTION REFRESH
(Peter Smith)
The core code won't do this, but a replica trigger could.
Ensure we default to wal_sync_method
= fdatasync
on recent FreeBSD (Thomas Munro)
FreeBSD 13 supports open_datasync
, which would normally become the default choice. However, it's unclear whether that is actually an improvement for Postgres, so preserve the existing default for now.
Disable the vacuum_cleanup_index_scale_factor
parameter and storage option (Peter Geoghegan)
The notion of tracking “stale” index statistics proved to interact badly with the autovacuum_vacuum_insert_threshold
parameter, resulting in unnecessary full-index scans and consequent degradation of autovacuum performance. The latter mechanism seems superior, so remove the stale-statistics logic. The control parameter for that, vacuum_cleanup_index_scale_factor
, will be removed entirely in v14. In v13, it remains present to avoid breaking existing configuration files, but it no longer does anything.
Pass the correct trigger OID to object post-alter hooks during ALTER CONSTRAINT
(Álvaro Herrera)
When updating trigger properties during ALTER CONSTRAINT
, the post-alter hook was told that we are updating a trigger, but the constraint's OID was passed instead of the trigger's.
Ensure we finish cleaning up when interrupted while detaching a DSM segment (Thomas Munro)
This error could result in temporary files not being cleaned up promptly after a parallel query.
Fix assorted minor memory leaks in the server (Tom Lane, Andres Freund)
Fix uninitialized variable in walreceiver's statistics in shared memory (Fujii Masao)
This error was harmless on most platforms, but could cause issues on platforms lacking atomic variables and/or spinlock support.
Reduce the overhead of dtrace probes for LWLock operations, when dtrace support is compiled in but not active (Peter Eisentraut)
Fix failure when a PL/pgSQL DO
block makes use of both composite-type variables and transaction control (Tom Lane)
Previously, such cases led to errors about leaked tuple descriptors.
Prevent infinite loop in libpq if a ParameterDescription message with a corrupt length is received (Tom Lane)
When initdb prints instructions about how to start the server, make the path shown for pg_ctl use backslash separators on Windows (Nitin Jadhav)
Fix psql to restore the previous behavior of \connect service=
(Tom Lane)something
A previous bug fix caused environment variables (such as PGPORT
) to override entries in the service file in this context. Restore the previous behavior, in which the priority is the other way around.
Fix psql's ON_ERROR_ROLLBACK
feature to handle COMMIT AND CHAIN
commands correctly (Arthur Nascimento)
Previously, this case failed with “savepoint "pg_psql_temporary_savepoint" does not exist”.
In psql, avoid repeated “could not print result table” failures after the first such error (Álvaro Herrera)
Fix race condition in detection of file modification by psql's \e
and related commands (Laurenz Albe)
A very fast typist could fool the code's file-timestamp-based detection of whether the temporary edit file was changed.
Fix pg_dump's dumping of generated columns in partitioned tables (Peter Eisentraut)
A fix introduced in the previous minor release should not be applied to partitioned tables, only traditionally-inherited tables.
Fix missed file version check in pg_restore (Tom Lane)
When reading a custom-format archive from a non-seekable source, pg_restore neglected to check the archive version. If it was fed a newer archive version than it can support, it would fail messily later on.
Add some more checks to pg_upgrade for user tables containing non-upgradable data types (Tom Lane)
Fix detection of some cases where a non-upgradable data type is embedded within a container type (such as an array or range). Also disallow upgrading when user tables contain columns of system-defined composite types, since those types' OIDs are not stable across versions.
Fix incorrect progress-reporting calculation in pg_checksums (Shinya Kato)
Fix pg_waldump to count XACT
records correctly when generating per-record statistics (Kyotaro Horiguchi)
Fix contrib/amcheck
to not complain about the tuple flags HEAP_XMAX_LOCK_ONLY
and HEAP_KEYS_UPDATED
both being set (Julien Rouhaud)
This is a valid state after SELECT FOR UPDATE
.
Adjust VPATH build rules to support recent Oracle Developer Studio compiler versions (Noah Misch)
Fix testing of PL/Python for Python 3 on Solaris (Noah Misch)
Release date: 2021-02-11
This release contains a variety of fixes from 13.1. For information about new features in major release 13, see Version 13.0.
A dump/restore is not required for those running 13.X.
However, see the first changelog item below concerning a possible need to update stored views. Also see the third and fourth changelog items, which describe cases in which reindexing indexes after the upgrade may be advisable.
Fix failure to check per-column SELECT
privileges in some join queries (Tom Lane)
In some cases involving joins, the parser failed to record all the columns read by a query in the column-usage bitmaps that are used for permissions checking. Although the executor would still insist on some sort of SELECT
privilege to run the query, this meant that a user having SELECT
privilege on only one column of a table could nonetheless read all its columns through a suitably crafted query.
A stored view that is subject to this problem will have incomplete column-usage bitmaps, and thus permissions will still not be enforced properly on the view after updating. In installations that depend on column-level permissions for security, it is recommended to CREATE OR REPLACE
all user-defined views to cause them to be re-parsed.
The PostgreSQL Project thanks Sven Klemm for reporting this problem. (CVE-2021-20229 or CVE-2021-20229)
Fix information leakage in constraint-violation error messages (Heikki Linnakangas)
If an UPDATE
command attempts to move a row to a different partition but finds that it violates some constraint on the new partition, and the columns in that partition are in different physical positions than in the parent table, the error message could reveal the contents of columns that the user does not have SELECT
privilege on. (CVE-2021-3393 or CVE-2021-3393)
Fix incorrect detection of concurrent page splits while inserting into a GiST index (Heikki Linnakangas)
Concurrent insertions could lead to a corrupt index with entries placed in the wrong pages. It's recommended to reindex any GiST index that's been subject to concurrent insertions.
Fix CREATE INDEX CONCURRENTLY
to wait for concurrent prepared transactions (Andrey Borodin)
At the point where CREATE INDEX CONCURRENTLY
waits for all concurrent transactions to complete so that it can see rows they inserted, it must also wait for all prepared transactions to complete, for the same reason. Its failure to do so meant that rows inserted by prepared transactions might be omitted from the new index, causing queries relying on the index to miss such rows. In installations that have enabled prepared transactions (max_prepared_transactions
> 0), it's recommended to reindex any concurrently-built indexes in case this problem occurred when they were built.
Avoid crash when trying to rescan an aggregation plan node that has both hashed and sorted grouping sets (Jeff Davis)
Fix possible incorrect query results when a hash aggregation node spills some tuples to disk (Tom Lane)
It was possible for aggregation grouping values to be replaced by nulls when the tuples are read back in, leading to wrong answers.
Fix edge case in incremental sort (Neil Chen)
If the last tuple of a sort batch chanced to be the first tuple of the next group of already-sorted tuples, the code did the wrong thing. This could lead to “retrieved too many tuples in a bounded sort” error messages, or to silently-wrong sorting results.
Avoid crash when a CALL
or DO
statement that performs a transaction rollback is executed via extended query protocol (Thomas Munro, Tom Lane)
In PostgreSQL 13, this case reliably caused a null-pointer dereference. In earlier versions the bug seems to have no visible symptoms, but it's not quite clear that it could never cause a problem.
Avoid unnecessary errors with BEFORE UPDATE
triggers on partitioned tables (Álvaro Herrera)
A BEFORE UPDATE FOR EACH ROW
trigger that modified the row in any way prevented UPDATE
from moving the row to another partition when needed; but there is no longer any reason for this restriction.
Fix partition pruning logic to handle asymmetric hash partition sets (Tom Lane)
If a hash-partitioned table has unequally-sized partitions (that is, varying modulus values), or it lacks partitions for some remainder values, then the planner's pruning logic could mistakenly conclude that some partitions don't need to be scanned, leading to failure to find rows that the query should find.
Avoid incorrect results when WHERE CURRENT OF
is applied to a cursor whose plan contains a MergeAppend node (Tom Lane)
This case is unsupported (in general, a cursor using ORDER BY
is not guaranteed to be simply updatable); but the code previously did not reject it, and could silently give false matches.
Fix crash when WHERE CURRENT OF
is applied to a cursor whose plan contains a custom scan node (David Geier)
Fix planner's mishandling of placeholders whose evaluation should be delayed by an outer join (Tom Lane)
This occurs in particular with trivial subqueries containing lateral references to outer-join outputs. The mistake could result in a malformed plan. The known cases trigger a “failed to assign all NestLoopParams to plan nodes” error, but other symptoms may be possible.
Fix planner's handling of placeholders during removal of useless RESULT RTEs (Tom Lane)
This oversight could lead to “no relation entry for relid N
” planner errors.
Fix planner's handling of a placeholder that is computed at some join level and used only at that same level (Tom Lane)
This oversight could lead to “failed to build any N
-way joins” planner errors.
Consider unsorted subpaths when planning a Gather Merge operation (James Coleman)
It's possible to use such a path by adding an explicit Sort node, and in some cases that gives rise to a superior plan.
Do not consider ORDER BY
expressions involving parallel-restricted functions or set-returning functions when trying to parallelize sorts (James Coleman)
Such cases cannot safely be pushed into worker processes, but the incremental sort feature accidentally made us consider them.
Be more careful about whether index AMs support mark/restore (Andrew Gierth)
This prevents errors about missing support functions in rare edge cases.
Fix overestimate of the amount of shared memory needed for parallel queries (Takayuki Tsunakawa)
Fix ALTER DEFAULT PRIVILEGES
to handle duplicated arguments safely (Michael Paquier)
Duplicate role or schema names within the same command could lead to “tuple already updated by self” errors or unique-constraint violations.
Flush ACL-related caches when pg_authid
changes (Noah Misch)
This change ensures that permissions-related decisions will promptly reflect the results of ALTER ROLE ... [NO] INHERIT
.
Fix failure to detect “snapshot too old” conditions in tables rewritten in the current transaction (Kyotaro Horiguchi, Noah Misch)
This is only a hazard when wal_level
is set to minimal
and the rewrite is performed by ALTER TABLE SET TABLESPACE
.
Fix spurious failure of CREATE PUBLICATION
when applied to a table created or rewritten in the current transaction (Kyotaro Horiguchi)
This is only a hazard when wal_level
is set to minimal
.
Prevent misprocessing of ambiguous CREATE TABLE LIKE
clauses (Tom Lane)
A LIKE
clause is re-examined after initial creation of the new table, to handle importation of indexes and such. It was possible for this re-examination to find a different table of the same name, causing unexpected behavior; one example is where the new table is a temporary table of the same name as the LIKE
target.
Rearrange order of operations in CREATE TABLE LIKE
so that indexes are cloned before building foreign key constraints (Tom Lane)
This fixes the case where a self-referential foreign key constraint declared in the outer CREATE TABLE
depends on an index that's coming from the LIKE
clause.
Disallow CREATE STATISTICS
on system catalogs (Tomas Vondra)
Disallow converting an inheritance child table to a view (Tom Lane)
Ensure that disk space allocated for a dropped relation is released promptly at commit (Thomas Munro)
Previously, if the dropped relation spanned multiple 1GB segments, only the first segment was truncated immediately. Other segments were simply unlinked, which doesn't authorize the kernel to release the storage so long as any other backends still have the files open.
Prevent dropping a tablespace that is referenced by a partitioned relation, but is not used for any actual storage (Álvaro Herrera)
Previously this was allowed, but subsequent operations on the partitioned relation would fail.
Fix progress reporting for CLUSTER
(Matthias van de Meent)
Fix handling of backslash-escaped multibyte characters in COPY FROM
(Heikki Linnakangas)
A backslash followed by a multibyte character was not handled correctly. In some client character encodings, this could lead to misinterpreting part of a multibyte character as a field separator or end-of-copy-data marker.
Avoid preallocating executor hash tables in EXPLAIN
without ANALYZE
(Alexey Bashtanov)
Fix recently-introduced race condition in LISTEN
/NOTIFY
queue handling (Tom Lane)
A newly-listening backend could attempt to read SLRU pages that were in process of being truncated, possibly causing an error.
Allow the jsonb
concatenation operator to handle all combinations of JSON data types (Tom Lane)
We can concatenate two JSON objects or two JSON arrays. Handle other cases by wrapping non-array inputs in one-element arrays, then performing an array concatenation. Previously, some combinations of inputs followed this rule but others arbitrarily threw an error.
Fix use of uninitialized value while parsing a *
quantifier in a BRE-mode regular expression (Tom Lane)
This error could cause the quantifier to act non-greedy, that is behave like a *?
quantifier would do in full regular expressions.
Fix numeric power()
for the case where the exponent is exactly INT_MIN
(-2147483648) (Dean Rasheed)
Previously, a result with no significant digits was produced.
Fix integer-overflow cases in substring()
functions (Tom Lane, Pavel Stehule)
If the specified starting index and length overflow an integer when added together, substring()
misbehaved, either throwing a bogus “negative substring length” error for a case that should succeed, or failing to complain that a negative length is negative (and instead returning the whole string, in most cases).
Prevent possible data loss from incorrect detection of the wraparound point of an SLRU log (Noah Misch)
The wraparound point typically falls in the middle of a page, which must be rounded off to a page boundary, and that was not done correctly. No issue could arise unless an installation had gotten to within one page of SLRU overflow, which is unlikely in a properly-functioning system. If this did happen, it would manifest in later “apparent wraparound” or “could not access status of transaction” errors.
Fix WAL-reading logic to handle timeline switches correctly (Kyotaro Horiguchi, Fujii Masao)
Previously, if WAL archiving is enabled, a standby could fail to follow a primary running on a newer timeline, with errors like “requested WAL segment has already been removed”.
Fix memory leak in walsender processes while sending new snapshots for logical decoding (Amit Kapila)
Fix relation cache leak in walsender processes while sending row changes via the root of a partitioned relation during logical replication (Amit Langote, Mark Zhao)
Fix walsender to accept additional commands after terminating replication (Jeff Davis)
Ensure detection of deadlocks between hot standby backends and the startup (WAL-application) process (Fujii Masao)
The startup process did not run the deadlock detection code, so that in situations where the startup process is last to join a circular wait situation, the deadlock might never be recognized.
Fix possible failure to detect recovery conflicts while deleting an index entry that references a HOT chain (Peter Geoghegan)
The code failed to traverse the HOT chain and might thus compute a too-old XID horizon, which could lead to incorrect conflict processing in hot standby. The practical impact of this bug is limited; in most cases the correct XID horizon would be found anyway from nearby operations.
Ensure that a nonempty value of krb_server_keyfile
always overrides any setting of KRB5_KTNAME
in the server's environment (Tom Lane)
Previously, which setting took precedence depended on whether the client requests GSS encryption.
In server log messages about failing to match connections to pg_hba.conf
entries, include details about whether GSS encryption has been activated (Kyotaro Horiguchi, Tom Lane)
This is relevant data if hostgssenc
or hostnogssenc
entries exist.
Fix assorted issues in server's support for GSS encryption (Tom Lane)
Remove pointless restriction that only GSS authentication can be used on a GSS-encrypted connection. Add GSS encryption information to connection-authorized log messages. Include GSS-related space when computing the required size of shared memory (this omission could have caused problems with very high max_connections
settings). Avoid possible infinite recursion when reporting an unrecoverable GSS encryption error.
Ensure that unserviced requests for background workers are cleaned up when the postmaster begins a “smart” or “fast” shutdown sequence (Tom Lane)
Previously, there was a race condition whereby a child process that had requested a background worker just before shutdown could wait indefinitely, preventing shutdown from completing.
Fix portability problem in parsing of recovery_target_xid
values (Michael Paquier)
The target XID is potentially 64 bits wide, but it was parsed with strtoul()
, causing misbehavior on platforms where long
is 32 bits (such as Windows).
Avoid trying to use parallel index build in a standalone backend (Yulin Pei)
Allow index AMs to support included columns without necessarily supporting multiple key columns (Tom Lane)
While taking a base backup, avoid executing any SHA256 code if a backup manifest is not needed (Michael Paquier)
When using OpenSSL operating in FIPS mode, SHA256 hashing is rejected, leading to an error. This change makes it possible to take a base backup on such a platform, so long as --no-manifest
is specified.
Avoid assertion failure during parallel aggregation of an aggregate with a non-strict deserialization function (Andrew Gierth)
No such aggregate functions exist in core PostgreSQL, but some extensions such as PostGIS provide some. The mistake is harmless anyway in a non-assert build.
Avoid assertion failure in pg_get_functiondef()
when examining a function with a TRANSFORM
option (Tom Lane)
Fix data structure misallocation in PL/pgSQL's CALL
statement (Tom Lane)
A CALL
in a PL/pgSQL procedure, to another procedure that has OUT parameters, would fail if the called procedure did a COMMIT
or ROLLBACK
.
In libpq, do not skip trying SSL after GSS encryption (Tom Lane)
If we successfully made a GSS-encrypted connection, but then failed during authentication, we would fall back to an unencrypted connection rather than next trying an SSL-encrypted connection. This could lead to unexpected connection failure, or to silently getting an unencrypted connection where an encrypted one is expected. Fortunately, GSS encryption could only succeed if both client and server hold valid tickets in the same Kerberos infrastructure. It seems unlikely for that to be true in an environment that requires SSL encryption instead.
Make libpq's PQconndefaults()
function report the correct default value for channel_binding
(Daniele Varrazzo)
In psql, re-allow including a password in a connection_string
argument of a \connect
command (Tom Lane)
This used to work, but a recent bug fix caused the password to be ignored (resulting in prompting for a password).
In psql's \d
commands, don't truncate the display of column default values (Tom Lane)
Formerly, they were arbitrarily truncated at 128 characters.
Fix assorted bugs in psql's \help
command (Kyotaro Horiguchi, Tom Lane)
\help
with two argument words failed to find a command description using only the first word, for example \help reset all
should show the help for RESET
but did not. Also, \help
often failed to invoke the pager when it should. It also leaked memory.
Fix pg_dump's dumping of inherited generated columns (Peter Eisentraut)
The previous behavior resulted in (harmless) errors during restore.
In pg_dump, ensure that the restore script runs ALTER PUBLICATION ADD TABLE
commands as the owner of the publication, and similarly runs ALTER INDEX ATTACH PARTITION
commands as the owner of the partitioned index (Tom Lane)
Previously, these commands would be run by the role that started the restore script; which will usually work, but in corner cases that role might not have adequate permissions.
Fix pg_dump to handle WITH GRANT OPTION
in an extension's initial privileges (Noah Misch)
If an extension's script creates an object and grants privileges on it with grant option, then later the user revokes such privileges, pg_dump would generate incorrect SQL for reproducing the situation. (Few if any extensions do this today.)
In pg_rewind, ensure that all WAL is accounted for when rewinding a standby server (Ian Barwick, Heikki Linnakangas)
In pgbench, disallow a digit as the first character of a variable name (Fabien Coelho)
This prevents trying to substitute variables into timestamp literal values, which may contain strings like 12:34
.
Report the correct database name in connection failure error messages from some client programs (Álvaro Herrera)
If the database name was defaulted rather than given on the command line, pg_dumpall, pgbench, oid2name, and vacuumlo would produce misleading error messages after a connection failure.
Fix memory leak in contrib/auto_explain
(Japin Li)
Memory consumed while producing the EXPLAIN
output was not freed until the end of the current transaction (for a top-level statement) or the end of the surrounding statement (for a nested statement). This was particularly a problem with log_nested_statements
enabled.
In contrib/postgres_fdw
, avoid leaking open connections to remote servers when a user mapping or foreign server object is dropped (Bharath Rupireddy)
Open connections that depend on a dropped user mapping or foreign server can no longer be referenced, but formerly they were kept around anyway for the duration of the local session.
Fix faulty assertion in contrib/postgres_fdw
(Etsuro Fujita)
In contrib/pgcrypto
, check for error returns from OpenSSL's EVP functions (Michael Paquier)
We do not really expect errors here, but this change silences warnings from static analysis tools.
Make contrib/pg_prewarm
more robust when the cluster is shut down before prewarming is complete (Tom Lane)
Previously, autoprewarm would rewrite its status file with only the block numbers that it had managed to load so far, thus perhaps largely disabling the prewarm functionality in the next startup. Instead, suppress status file updates until the initial loading pass is complete.
In contrib/pg_trgm
's GiST index support, avoid crash in the rare case that picksplit is called on exactly two index items (Andrew Gierth, Alexander Korotkov)
Fix miscalculation of timeouts in contrib/pg_prewarm
and contrib/postgres_fdw
(Alexey Kondratov, Tom Lane)
The main loop in contrib/pg_prewarm
's autoprewarm parent process underestimated its desired sleep time by a factor of 1000, causing it to consume much more CPU than intended. When waiting for a result from a remote server, contrib/postgres_fdw
overestimated the desired timeout by a factor of 1000 (though this error had been mitigated by imposing a clamp to 60 seconds).
Both of these errors stemmed from incorrectly converting seconds-and-microseconds to milliseconds. Introduce a new API TimestampDifferenceMilliseconds()
to make it easier to get this right in the future.
Improve configure's heuristics for selecting PG_SYSROOT
on macOS (Tom Lane)
The new method is more likely to produce desirable results when Xcode is newer than the underlying operating system. Choosing a sysroot that does not match the OS version may result in nonfunctional executables.
While building on macOS, specify -isysroot
in link steps as well as compile steps (James Hilliard)
This likewise improves the results when Xcode is out of sync with the operating system.
Fix JIT compilation to be compatible with LLVM 11 and LLVM 12 (Andres Freund)
Fix potential mishandling of references to boolean variables in JIT expression compilation (Andres Freund)
No field reports attributable to this have been seen, but it seems likely that it could cause problems on some architectures.
Fix compile failure with ICU 68 and later (Tom Lane)
Avoid memcpy()
with a NULL source pointer and zero count during partitioned index creation (Álvaro Herrera)
While such a call is not known to cause problems in itself, some compilers assume that the arguments of memcpy()
are never NULL, which could result in incorrect optimization of nearby code.
Update time zone data files to tzdata release 2021a for DST law changes in Russia (Volgograd zone) and South Sudan, plus historical corrections for Australia, Bahamas, Belize, Bermuda, Ghana, Israel, Kenya, Nigeria, Palestine, Seychelles, and Vanuatu.
Notably, the Australia/Currie zone has been corrected to the point where it is identical to Australia/Hobart.
Release date: 2020-11-12
This release contains a variety of fixes from 13.0. For information about new features in major release 13, see Version 13.0.
A dump/restore is not required for those running 13.X.
Block DECLARE CURSOR ... WITH HOLD
and firing of deferred triggers within index expressions and materialized view queries (Noah Misch)
This is essentially a leak in the “security restricted operation” sandbox mechanism. An attacker having permission to create non-temporary SQL objects could parlay this leak to execute arbitrary SQL code as a superuser.
The PostgreSQL Project thanks Etienne Stalmans for reporting this problem. (CVE-2020-25695 or CVE-2020-25695)
Fix usage of complex connection-string parameters in pg_dump, pg_restore, clusterdb, reindexdb, and vacuumdb (Tom Lane)
The -d
parameter of pg_dump and pg_restore, or the --maintenance-db
parameter of the other programs mentioned, can be a “connection string” containing multiple connection parameters rather than just a database name. In cases where these programs need to initiate additional connections, such as parallel processing or processing of multiple databases, the connection string was forgotten and just the basic connection parameters (database name, host, port, and username) were used for the additional connections. This could lead to connection failures if the connection string included any other essential information, such as non-default SSL or GSS parameters. Worse, the connection might succeed but not be encrypted as intended, or be vulnerable to man-in-the-middle attacks that the intended connection parameters would have prevented. (CVE-2020-25694 or CVE-2020-25694)
When psql's \connect
command re-uses connection parameters, ensure that all non-overridden parameters from a previous connection string are re-used (Tom Lane)
This avoids cases where reconnection might fail due to omission of relevant parameters, such as non-default SSL or GSS options. Worse, the reconnection might succeed but not be encrypted as intended, or be vulnerable to man-in-the-middle attacks that the intended connection parameters would have prevented. This is largely the same problem as just cited for pg_dump et al, although psql's behavior is more complex since the user may intentionally override some connection parameters. (CVE-2020-25694 or CVE-2020-25694)
Prevent psql's \gset
command from modifying specially-treated variables (Noah Misch)
\gset
without a prefix would overwrite whatever variables the server told it to. Thus, a compromised server could set specially-treated variables such as PROMPT1
, giving the ability to execute arbitrary shell code in the user's session.
The PostgreSQL Project thanks Nick Cleaton for reporting this problem. (CVE-2020-25696 or CVE-2020-25696)
Fix unintended breakage of the replication protocol (Álvaro Herrera)
A walsender reports two command-completion events for START_REPLICATION
. This was undocumented and apparently unintentional; so we failed to notice that a late 13.0 change removed the duplicate event. However it turns out that walreceivers require the extra event in some code paths. The most practical fix is to decree that the extra event is part of the protocol and resume generating it.
Ensure that SLRU directories are properly fsync'd during checkpoints (Thomas Munro)
This prevents possible data loss in a subsequent operating system crash.
Fix ALTER ROLE
for users with the BYPASSRLS
attribute (Tom Lane, Stephen Frost)
The BYPASSRLS
attribute is only allowed to be changed by superusers, but other ALTER ROLE
operations, such as password changes, should be allowed with only ordinary permission checks. The previous coding erroneously restricted all changes on such a role to superusers.
Disallow ALTER TABLE ONLY ... DROP EXPRESSION
when there are child tables (Peter Eisentraut)
The current implementation cannot handle this case correctly, so just forbid it for now.
Ensure that ALTER TABLE ONLY ... ENABLE/DISABLE TRIGGER
does not recurse to child tables (Álvaro Herrera)
Previously the ONLY
flag was ignored.
Allow LOCK TABLE
to succeed on a self-referential view (Tom Lane)
It previously threw an error complaining about infinite recursion, but there seems no need to disallow the case.
Retain statistics about an index across REINDEX CONCURRENTLY
(Michael Paquier, Fabrízio de Royes Mello)
Non-concurrent reindexing has always preserved such statistics.
Fix incorrect progress reporting from REINDEX CONCURRENTLY
(Matthias van de Meent, Michael Paquier)
Ensure that GENERATED
columns are updated when the column(s) they depend on are updated via a rule or an updatable view (Tom Lane)
This fix also takes care of possible failure to fire a column-specific trigger in such cases.
Fix failures with collation-dependent partition bound expressions (Tom Lane)
Support hashing of text arrays (Peter Eisentraut)
Array hashing failed if the array element type is collatable. Notably, this prevented using hash partitioning with a text array column as partition key.
Prevent internal overflows in cross-type datetime comparisons (Nikita Glukhov, Alexander Korotkov, Tom Lane)
Previously, comparing a date to a timestamp would fail if the date is past the valid range for timestamps. There were also corner cases involving overflow of close-to-the-limit timestamp values during timezone rotation.
Fix off-by-one conversion of negative years to BC dates in to_date()
and to_timestamp()
(Dar Alathar-Yemen, Tom Lane)
Also, arrange for the combination of a negative year and an explicit “BC” marker to cancel out and produce AD.
Allow the jsonpath
.datetime()
method to accept ISO 8601-format timestamps (Nikita Glukhov)
This is not required by SQL, but it seems appropriate since our to_json()
functions generate that timestamp format for Javascript compatibility.
Ensure that standby servers will archive WAL timeline history files when archive_mode
is set to always
(Grigory Smolkin, Fujii Masao)
This oversight could lead to failure of subsequent PITR recovery attempts.
Fix edge cases in detecting premature death of the postmaster on platforms that use kqueue()
(Thomas Munro)
Avoid generating an incorrect incremental-sort plan when the sort key is a volatile expression (James Coleman)
Fix possible crash when considering partition-wise joins during GEQO planning (Tom Lane)
Fix possible infinite loop or corrupted output data in TOAST decompression (Tom Lane)
Fix counting of the number of entries in B-tree indexes during cleanup-only VACUUM
s (Peter Geoghegan)
Ensure that data is detoasted before being inserted into a BRIN index (Tomas Vondra)
Index entries are not supposed to contain out-of-line TOAST pointers, but BRIN didn't get that memo. This could lead to errors like “missing chunk number 0 for toast value NNN”. (If you are faced with such an error from an existing index, REINDEX
should be enough to fix it.)
Fix buffered GiST index builds to work when the index has included columns (Pavel Borisov)
Fix unportable use of getnameinfo()
in pg_hba_file_rules
view (Tom Lane)
On FreeBSD 11, and possibly other platforms, the view's address
and netmask
columns were always null due to this error.
Avoid crash if debug_query_string
is NULL when starting a parallel worker (Noah Misch)
Avoid failures when a BEFORE ROW UPDATE
trigger returns the “old” row of a table having dropped or “missing” columns (Amit Langote, Tom Lane)
This method of suppressing an update could result in crashes, unexpected CHECK
constraint failures, or incorrect RETURNING
output, because “missing” columns would read as NULLs for those purposes. (A column is “missing” for this purpose if it was added by ALTER TABLE ADD COLUMN
with a non-NULL, but constant, default value.) Dropped columns could cause trouble as well.
Fix EXPLAIN
's output for incremental sort plans to have correct tag nesting in XML output mode (Daniel Gustafsson)
Avoid unnecessary failure when transferring very large payloads through shared memory queues (Markus Wanner)
Fix omission of result data type coercion in some cases in SQL-language functions (Tom Lane)
This could lead to wrong results or crashes, depending on the data types involved.
Fix incorrect handling of template function attributes in JIT code generation (Andres Freund)
This has been shown to cause crashes on s390x
, and very possibly there are other cases on other platforms.
Improve code generated for compare_exchange and fetch_add operations on PPC (Noah Misch)
Fix relation cache memory leaks with RLS policies (Tom Lane)
Fix edge-case memory leak in index_get_partition()
(Justin Pryzby)
Fix small memory leak when SIGHUP processing decides that a new GUC variable value cannot be applied without a restart (Tom Lane)
Fix memory leaks in PL/pgsql's CALL
processing (Pavel Stehule, Tom Lane)
In libpq for Windows, call WSAStartup()
once per process and WSACleanup()
not at all (Tom Lane, Alexander Lakhin)
Previously, libpq invoked WSAStartup()
at connection start and WSACleanup()
at connection cleanup. However, it appears that calling WSACleanup()
can interfere with other program operations; notably, we have observed rare failures to emit expected output to stdout. There appear to be no ill effects from omitting the call, so do that. (This also eliminates a performance issue from repeated DLL loads and unloads when a program performs a series of database connections.)
Fix ecpg library's per-thread initialization logic for Windows (Tom Lane, Alexander Lakhin)
Multi-threaded ecpg applications could suffer rare misbehavior due to incorrect locking.
Fix ecpg's mis-processing of B'...'
and X'...'
literals (Shenhao Wang)
On Windows, make psql read the output of a backtick command in text mode, not binary mode (Tom Lane)
This ensures proper handling of newlines.
Ensure that pg_dump collects per-column information about extension configuration tables (Fabrízio de Royes Mello, Tom Lane)
Failure to do this led to crashes when specifying --inserts
, or underspecified (though usually correct) COPY
commands when using COPY
to reload the tables' data.
Make pg_upgrade check for pre-existence of tablespace directories in the target cluster (Bruce Momjian)
Fix potential memory leak in contrib/pgcrypto
(Michael Paquier)
Add check for an unlikely failure case in contrib/pgcrypto
(Daniel Gustafsson)
Fix recently-added timetz
test case so it works when the USA is not observing daylight savings time (Tom Lane)
Update time zone data files to tzdata release 2020d for DST law changes in Fiji, Morocco, Palestine, the Canadian Yukon, Macquarie Island, and Casey Station (Antarctica); plus historical corrections for France, Hungary, Monaco, and Palestine.
Sync our copy of the timezone library with IANA tzcode release 2020d (Tom Lane)
This absorbs upstream's change of zic's default output option from “fat” to “slim”. That's just cosmetic for our purposes, as we continue to select the “fat” mode in pre-v13 branches. This change also ensures that strftime()
does not change errno
unless it fails.
Release date: 2020-09-24
PostgreSQL 13 contains many new features and enhancements, including:
Space savings and performance gains from de-duplication of B-tree index entries
Improved performance for queries that use aggregates or partitioned tables
Better query planning when using extended statistics
Parallelized vacuuming of indexes
Incremental sorting
The above items and other new features of PostgreSQL 13 are explained in more detail in the sections below.
A dump/restore using pg_dumpall or use of pg_upgrade or logical replication is required for those wishing to migrate data from any previous release. See Section 18.6 for general information on migrating to new major releases.
Version 13 contains a number of changes that may affect compatibility with previous releases. Observe the following incompatibilities:
Change SIMILAR TO ... ESCAPE NULL
to return NULL
(Tom Lane)
This new behavior matches the SQL specification. Previously a null ESCAPE
value was taken to mean using the default escape string (a backslash character). This also applies to substring(
. The previous behavior has been retained in old views by keeping the original function unchanged.text
FROM pattern
ESCAPE text
)
Make json[b]_to_tsvector()
fully check the spelling of its string
option (Dominik Czarnota)
Change the way non-default effective_io_concurrency values affect concurrency (Thomas Munro)
Previously, this value was adjusted before setting the number of concurrent requests. The value is now used directly. Conversion of old values to new ones can be done using:
SELECT round(sum(OLDVALUE
/ n::float)) AS newvalue FROM generate_series(1,OLDVALUE
) s(n);
Prevent display of auxiliary processes in pg_stat_ssl and pg_stat_gssapi system views (Euler Taveira)
Queries that join these views to pg_stat_activity and wish to see auxiliary processes will need to use left joins.
Rename various wait events to improve consistency (Fujii Masao, Tom Lane)
Fix ALTER FOREIGN TABLE ... RENAME COLUMN
to return a more appropriate command tag (Fujii Masao)
Previously it returned ALTER TABLE
; now it returns ALTER FOREIGN TABLE
.
Fix ALTER MATERIALIZED VIEW ... RENAME COLUMN
to return a more appropriate command tag (Fujii Masao)
Previously it returned ALTER TABLE
; now it returns ALTER MATERIALIZED VIEW
.
Rename configuration parameter wal_keep_segments
to wal_keep_size (Fujii Masao)
This determines how much WAL to retain for standby servers. It is specified in megabytes, rather than number of files as with the old parameter. If you previously used wal_keep_segments
, the following formula will give you an approximately equivalent setting:
wal_keep_size = wal_keep_segments * wal_segment_size (typically 16MB)
Remove support for defining operator classes using pre-PostgreSQL 8.0 syntax (Daniel Gustafsson)
Remove support for defining foreign key constraints using pre-PostgreSQL 7.3 syntax (Daniel Gustafsson)
Remove support for "opaque" pseudo-types used by pre-PostgreSQL 7.3 servers (Daniel Gustafsson)
Remove support for upgrading unpackaged (pre-9.1) extensions (Tom Lane)
The FROM
option of CREATE EXTENSION
is no longer supported. Any installations still using unpackaged extensions should upgrade them to a packaged version before updating to PostgreSQL 13.
Remove support for posixrules
files in the timezone database (Tom Lane)
IANA's timezone group has deprecated this feature, meaning that it will gradually disappear from systems' timezone databases over the next few years. Rather than have a behavioral change appear unexpectedly with a timezone data update, we have removed PostgreSQL's support for this feature as of version 13. This affects only the behavior of POSIX-style time zone specifications that lack an explicit daylight savings transition rule; formerly the transition rule could be determined by installing a custom posixrules
file, but now it is hard-wired. The recommended fix for any affected installations is to start using a geographical time zone name.
In ltree, when an lquery
pattern contains adjacent asterisks with braces, e.g., *{2}.*{3}
, properly interpret that as *{5}
(Nikita Glukhov)
Fix pageinspect's bt_metap()
to return more appropriate data types that are less likely to overflow (Peter Geoghegan)
Below you will find a detailed account of the changes between PostgreSQL 13 and the previous major release.
Allow pruning of partitions to happen in more cases (Yuzuko Hosoya, Amit Langote, Álvaro Herrera)
Allow partitionwise joins to happen in more cases (Ashutosh Bapat, Etsuro Fujita, Amit Langote, Tom Lane)
For example, partitionwise joins can now happen between partitioned tables even when their partition bounds do not match exactly.
Support row-level BEFORE
triggers on partitioned tables (Álvaro Herrera)
However, such a trigger is not allowed to change which partition is the destination.
Allow partitioned tables to be logically replicated via publications (Amit Langote)
Previously, partitions had to be replicated individually. Now a partitioned table can be published explicitly, causing all its partitions to be published automatically. Addition/removal of a partition causes it to be likewise added to or removed from the publication. The CREATE PUBLICATION
option publish_via_partition_root
controls whether changes to partitions are published as their own changes or their parent's.
Allow logical replication into partitioned tables on subscribers (Amit Langote)
Previously, subscribers could only receive rows into non-partitioned tables.
Allow whole-row variables (that is, table
.*
) to be used in partitioning expressions (Amit Langote)
More efficiently store duplicates in B-tree indexes (Anastasia Lubennikova, Peter Geoghegan)
This allows efficient B-tree indexing of low-cardinality columns by storing duplicate keys only once. Users upgrading with pg_upgrade will need to use REINDEX
to make an existing index use this feature.
Allow GiST and SP-GiST indexes on box
columns to support ORDER BY
queries (Nikita Glukhov)box
<-> point
Allow GIN indexes to more efficiently handle !
(NOT) clauses in tsquery
searches (Nikita Glukhov, Alexander Korotkov, Tom Lane, Julien Rouhaud)
Allow index operator classes to take parameters (Nikita Glukhov)
Allow CREATE INDEX
to specify the GiST signature length and maximum number of integer ranges (Nikita Glukhov)
Indexes created on four and eight-byte integer array, tsvector, pg_trgm, ltree, and hstore columns can now control these GiST index parameters, rather than using the defaults.
Prevent indexes that use non-default collations from being added as a table's unique or primary key constraint (Tom Lane)
The index's collation must match that of the underlying column, but ALTER TABLE
previously failed to check this.
Improve the optimizer's selectivity estimation for containment/match operators (Tom Lane)
Allow setting the statistics target for extended statistics (Tomas Vondra)
This is controlled with the new command option ALTER STATISTICS ... SET STATISTICS
. Previously this was computed based on more general statistics target settings.
Allow use of multiple extended statistics objects in a single query (Tomas Vondra)
Allow use of extended statistics objects for OR clauses and IN/ANY
constant lists (Pierre Ducroquet, Tomas Vondra)
Allow functions in FROM
clauses to be pulled up (inlined) if they evaluate to constants (Alexander Kuzmenkov, Aleksandr Parfenov)
Implement incremental sorting (James Coleman, Alexander Korotkov, Tomas Vondra)
If an intermediate query result is known to be sorted by one or more leading keys of a required sort ordering, the additional sorting can be done considering only the remaining keys, if the rows are sorted in batches that have equal leading keys.
If necessary, this can be controlled using enable_incremental_sort.
Improve the performance of sorting inet values (Brandur Leach)
Allow hash aggregation to use disk storage for large aggregation result sets (Jeff Davis)
Previously, hash aggregation was avoided if it was expected to use more than work_mem memory. Now, a hash aggregation plan can be chosen despite that. The hash table will be spilled to disk if it exceeds work_mem
times hash_mem_multiplier.
This behavior is normally preferable to the old behavior, in which once hash aggregation had been chosen, the hash table would be kept in memory no matter how large it got — which could be very large if the planner had misestimated. If necessary, behavior similar to that can be obtained by increasing hash_mem_multiplier
.
Allow inserts, not only updates and deletes, to trigger vacuuming activity in autovacuum (Laurenz Albe, Darafei Praliaskouski)
Previously, insert-only activity would trigger auto-analyze but not auto-vacuum, on the grounds that there could not be any dead tuples to remove. However, a vacuum scan has other useful side-effects such as setting page-all-visible bits, which improves the efficiency of index-only scans. Also, allowing an insert-only table to receive periodic vacuuming helps to spread out the work of “freezing” old tuples, so that there is not suddenly a large amount of freezing work to do when the entire table reaches the anti-wraparound threshold all at once.
If necessary, this behavior can be adjusted with the new parameters autovacuum_vacuum_insert_threshold and autovacuum_vacuum_insert_scale_factor, or the equivalent table storage options.
Add maintenance_io_concurrency parameter to control I/O concurrency for maintenance operations (Thomas Munro)
Allow WAL writes to be skipped during a transaction that creates or rewrites a relation, if wal_level is minimal
(Kyotaro Horiguchi)
Relations larger than wal_skip_threshold will have their files fsync'ed rather than generating WAL. Previously this was done only for COPY
operations, but the implementation had a bug that could cause data loss during crash recovery.
Improve performance when replaying DROP DATABASE
commands when many tablespaces are in use (Fujii Masao)
Improve performance for truncation of very large relations (Kirk Jamison)
Improve retrieval of the leading bytes of TOAST'ed values (Binguo Bao, Andrey Borodin)
Previously, compressed out-of-line TOAST values were fully fetched even when it's known that only some leading bytes are needed. Now, only enough data to produce the result is fetched.
Improve performance of LISTEN
/NOTIFY
(Martijn van Oosterhout, Tom Lane)
Speed up conversions of integers to text (David Fetter)
Reduce memory usage for query strings and extension scripts that contain many SQL statements (Amit Langote)
Allow EXPLAIN
, auto_explain, autovacuum, and pg_stat_statements to track WAL usage statistics (Kirill Bychik, Julien Rouhaud)
Allow a sample of SQL statements, rather than all statements, to be logged (Adrien Nayrat)
A log_statement_sample_rate fraction of those statements taking more than log_min_duration_sample duration will be logged.
Add the backend type to csvlog and optionally log_line_prefix log output (Peter Eisentraut)
Improve control of prepared statement parameter logging (Alexey Bashtanov, Álvaro Herrera)
The GUC setting log_parameter_max_length controls the maximum length of parameter values output during logging of non-error statements, while log_parameter_max_length_on_error does the same for logging of statements with errors. Previously, prepared statement parameters were never logged during errors.
Allow function call backtraces to be logged after errors (Peter Eisentraut, Álvaro Herrera)
The new parameter backtrace_functions specifies which C functions should generate backtraces on error.
Make vacuum buffer counters 64-bits wide to avoid overflow (Álvaro Herrera)
Add leader_pid
to pg_stat_activity to report a parallel worker's leader process (Julien Rouhaud)
Add system view pg_stat_progress_basebackup
to report the progress of streaming base backups (Fujii Masao)
Add system view pg_stat_progress_analyze
to report ANALYZE progress (Álvaro Herrera, Tatsuro Yamada, Vinayak Pokale)
Add system view pg_shmem_allocations
to display shared memory usage (Andres Freund, Robert Haas)
Add system view pg_stat_slru
to monitor internal SLRU caches (Tomas Vondra)
Allow track_activity_query_size to be set as high as 1MB (Vyacheslav Makarov)
The previous maximum was 100kB.
Report a wait event while creating a DSM segment with posix_fallocate()
(Thomas Munro)
Add wait event VacuumDelay to report on cost-based vacuum delay (Justin Pryzby)
Add wait events for WAL archive and recovery pause (Fujii Masao)
The new events are BackupWaitWalArchive and RecoveryPause.
Add wait events RecoveryConflictSnapshot and RecoveryConflictTablespace to monitor recovery conflicts (Masahiko Sawada)
Improve performance of wait events on BSD-based systems (Thomas Munro)
Allow only superusers to view the ssl_passphrase_command setting (Insung Moon)
This was changed as a security precaution.
Change the server's default minimum TLS version for encrypted connections from 1.0 to 1.2 (Peter Eisentraut)
This choice can be controlled by ssl_min_protocol_version.
Tighten rules on which utility commands are allowed in read-only transaction mode (Robert Haas)
This change also increases the number of utility commands that can run in parallel queries.
Allow allow_system_table_mods to be changed after server start (Peter Eisentraut)
Disallow non-superusers from modifying system tables when allow_system_table_mods is set (Peter Eisentraut)
Previously, if allow_system_table_mods was set at server start, non-superusers could issue INSERT
/UPDATE
/DELETE
commands on system tables.
Enable support for Unix-domain sockets on Windows (Peter Eisentraut)
Allow streaming replication configuration settings to be changed by reload (Sergei Kornilov)
Previously, a server restart was required to change primary_conninfo and primary_slot_name.
Allow WAL receivers to use a temporary replication slot when a permanent one is not specified (Peter Eisentraut, Sergei Kornilov)
This behavior can be enabled using wal_receiver_create_temp_slot.
Allow WAL storage for replication slots to be limited by max_slot_wal_keep_size (Kyotaro Horiguchi)
Replication slots that would require exceeding this value are marked invalid.
Allow standby promotion to cancel any requested pause (Fujii Masao)
Previously, promotion could not happen while the standby was in paused state.
Generate an error if recovery does not reach the specified recovery target (Leif Gunnar Erlandsen, Peter Eisentraut)
Previously, a standby would promote itself upon reaching the end of WAL, even if the target was not reached.
Allow control over how much memory is used by logical decoding before it is spilled to disk (Tomas Vondra, Dilip Kumar, Amit Kapila)
This is controlled by logical_decoding_work_mem.
Allow recovery to continue even if invalid pages are referenced by WAL (Fujii Masao)
This is enabled using ignore_invalid_pages.
Allow VACUUM
to process a table's indexes in parallel (Masahiko Sawada, Amit Kapila)
The new PARALLEL
option controls this.
Allow FETCH FIRST
to use WITH TIES
to return any additional rows that match the last result row (Surafel Temesgen)
Report planning-time buffer usage in EXPLAIN
's BUFFER
output (Julien Rouhaud)
Make CREATE TABLE LIKE
propagate a CHECK
constraint's NO INHERIT
property to the created table (Ildar Musin, Chris Travers)
When using LOCK TABLE
on a partitioned table, do not check permissions on the child tables (Amit Langote)
Allow OVERRIDING USER VALUE
on inserts into identity columns (Dean Rasheed)
Add ALTER TABLE ... DROP EXPRESSION
to allow removing the GENERATED
property from a column (Peter Eisentraut)
Fix bugs in multi-step ALTER TABLE
commands (Tom Lane)
IF NOT EXISTS
clauses now work as expected, in that derived actions (such as index creation) do not execute if the column already exists. Also, certain cases of combining related actions into one ALTER TABLE
now work when they did not before.
Add ALTER VIEW
syntax to rename view columns (Fujii Masao)
Renaming view columns was already possible, but one had to write ALTER TABLE RENAME COLUMN
, which is confusing.
Add ALTER TYPE
options to modify a base type's TOAST properties and support functions (Tomas Vondra, Tom Lane)
Add CREATE DATABASE
LOCALE
option (Peter Eisentraut)
This combines the existing options LC_COLLATE
and LC_CTYPE
into a single option.
Allow DROP DATABASE
to disconnect sessions using the target database, allowing the drop to succeed (Pavel Stehule, Amit Kapila)
This is enabled by the FORCE
option.
Add structure member tg_updatedcols
to allow C-language update triggers to know which column(s) were updated (Peter Eisentraut)
Add polymorphic data types for use by functions requiring compatible arguments (Pavel Stehule)
The new data types are anycompatible
, anycompatiblearray
, anycompatiblenonarray
, and anycompatiblerange
.
Add SQL data type xid8
to expose FullTransactionId (Thomas Munro)
The existing xid
data type is only four bytes so it does not provide the transaction epoch.
Add data type regcollation
and associated functions, to represent OIDs of collation objects (Julien Rouhaud)
Use the glibc version in some cases as a collation version identifier (Thomas Munro)
If the glibc version changes, a warning will be issued about possible corruption of collation-dependent indexes.
Add support for collation versions on Windows (Thomas Munro)
Allow ROW
expressions to have their members extracted with suffix notation (Tom Lane)
For example, (ROW(4, 5.0)).f1
now returns 4.
Add alternate version of jsonb_set()
with improved NULL
handling (Andrew Dunstan)
The new function, jsonb_set_lax()
, handles a NULL
new value by either setting the specified key to a JSON null, deleting the key, raising an exception, or returning the jsonb
value unmodified, as requested.
Add jsonpath .datetime()
method (Nikita Glukhov, Teodor Sigaev, Oleg Bartunov, Alexander Korotkov)
This function allows JSON values to be converted to timestamps, which can then be processed in jsonpath
expressions. This change also adds jsonpath
functions that support time-zone-aware output.
Add SQL functions NORMALIZE
() to normalize Unicode strings, and IS NORMALIZED
to check for normalization (Peter Eisentraut)
Add min()
and max()
aggregates for pg_lsn
(Fabrízio de Royes Mello)
These are particularly useful in monitoring queries.
Allow Unicode escapes, e.g., E'\u
or nnnn
'U&'\
, to specify any character available in the database encoding, even when the database encoding is not UTF-8 (Tom Lane)nnnn
'
Allow to_date()
and to_timestamp()
to recognize non-English month/day names (Juan José Santamaría Flecha, Tom Lane)
The names recognized are the same as those output by to_char()
with the same format patterns.
Add datetime format patterns FF1
– FF6
to specify input or output of 1 to 6 fractional-second digits (Alexander Korotkov, Nikita Glukhov, Teodor Sigaev, Oleg Bartunov)
These patterns can be used by to_char()
, to_timestamp()
, and jsonpath's .datetime()
.
Add SSSSS
datetime format pattern as an SQL-standard alias for SSSS
(Nikita Glukhov, Alexander Korotkov)
Add function gen_random_uuid()
to generate version-4 UUIDs (Peter Eisentraut)
Previously UUID generation functions were only available in the external modules uuid-ossp and pgcrypto.
Add greatest-common-denominator (gcd
) and least-common-multiple (lcm
) functions (Vik Fearing)
Improve the performance and accuracy of the numeric
type's square root (sqrt
) and natural log (ln
) functions (Dean Rasheed)
Add function min_scale()
that returns the number of digits to the right of the decimal point that are required to represent a numeric
value with full accuracy (Pavel Stehule)
Add function trim_scale()
to reduce the scale of a numeric
value by removing trailing zeros (Pavel Stehule)
Add commutators of distance operators (Nikita Glukhov)
For example, previously only point
<->
line
was supported, now line
<->
point
works too.
Create xid8
versions of all transaction ID functions (Thomas Munro)
The old xid
-based functions still exist, for backward compatibility.
Allow get_bit()
and set_bit()
to set bits beyond the first 256MB of a bytea
value (Movead Li)
Allow advisory-lock functions to be used in some parallel operations (Tom Lane)
Add the ability to remove an object's dependency on an extension (Álvaro Herrera)
The object can be a function, materialized view, index, or trigger. The syntax is ALTER .. NO DEPENDS ON
.
Improve performance of simple PL/pgSQL expressions (Tom Lane, Amit Langote)
Improve performance of PL/pgSQL functions that use immutable expressions (Konstantin Knizhnik)
Allow libpq clients to require channel binding for encrypted connections (Jeff Davis)
Using the libpq connection parameter channel_binding
forces the other end of the TLS connection to prove it knows the user's password. This prevents man-in-the-middle attacks.
Add libpq connection parameters to control the minimum and maximum TLS version allowed for an encrypted connection (Daniel Gustafsson)
The settings are ssl_min_protocol_version and ssl_max_protocol_version. By default, the minimum TLS version is 1.2 (this represents a behavioral change from previous releases).
Allow use of passwords to unlock client certificates (Craig Ringer, Andrew Dunstan)
This is enabled by libpq's sslpassword connection parameter.
Allow libpq to use DER-encoded client certificates (Craig Ringer, Andrew Dunstan)
Fix ecpg's EXEC SQL elif
directive to work correctly (Tom Lane)
Previously it behaved the same as endif
followed by ifdef
, so that a successful previous branch of the same if
construct did not prevent expansion of the elif
branch or following branches.
Add transaction status (%x
) to psql's default prompts (Vik Fearing)
Allow the secondary psql prompt to be blank but the same width as the primary prompt (Thomas Munro)
This is accomplished by setting PROMPT2
to %w
.
Allow psql's \g
and \gx
commands to change \pset output options for the duration of that single command (Tom Lane)
This feature allows syntax like \g (expand=on)
, which is equivalent to \gx
.
Add psql commands to display operator classes and operator families (Sergey Cherkashin, Nikita Glukhov, Alexander Korotkov)
The new commands are \dAc
, \dAf
, \dAo
, and \dAp
.
Show table persistence in psql's \dt+
and related commands (David Fetter)
In verbose mode, the table/index/view shows if the object is permanent, temporary, or unlogged.
Improve output of psql's \d
for TOAST tables (Justin Pryzby)
Fix redisplay after psql's \e
command (Tom Lane)
When exiting the editor, if the query doesn't end with a semicolon or \g
, the query buffer contents will now be displayed.
Add \warn
command to psql (David Fetter)
This is like \echo
except that the text is sent to stderr instead of stdout.
Add the PostgreSQL home page to command-line --help
output (Peter Eisentraut)
Allow pgbench to partition its “accounts” table (Fabien Coelho)
This allows performance testing of partitioning.
Add pgbench command \aset
, which behaves like \gset
, but for multiple queries (Fabien Coelho)
Allow pgbench to generate its initial data server-side, rather than client-side (Fabien Coelho)
Allow pgbench to show script contents using option --show-script
(Fabien Coelho)
Generate backup manifests for base backups, and verify them (Robert Haas)
A new tool pg_verifybackup can verify backups.
Have pg_basebackup estimate the total backup size by default (Fujii Masao)
This computation allows pg_stat_progress_basebackup
to show progress. If that is not needed, it can be disabled by using the --no-estimate-size
option. Previously, this computation happened only if the --progress
option was used.
Add an option to pg_rewind to configure standbys (Paul Guo, Jimmy Yih, Ashwin Agrawal)
This matches pg_basebackup's --write-recovery-conf
option.
Allow pg_rewind to use the target cluster's restore_command to retrieve needed WAL (Alexey Kondratov)
This is enabled using the -c
/--restore-target-wal
option.
Have pg_rewind automatically run crash recovery before rewinding (Paul Guo, Jimmy Yih, Ashwin Agrawal)
This can be disabled by using --no-ensure-shutdown
.
Increase the PREPARE TRANSACTION
-related information reported by pg_waldump (Fujii Masao)
Add pg_waldump option --quiet
to suppress non-error output (Andres Freund, Robert Haas)
Add pg_dump option --include-foreign-data
to dump data from foreign servers (Luis Carril)
Allow vacuum commands run by vacuumdb to operate in parallel mode (Masahiko Sawada)
This is enabled with the new --parallel
option.
Allow reindexdb to operate in parallel (Julien Rouhaud)
Parallel mode is enabled with the new --jobs
option.
Allow dropdb to disconnect sessions using the target database, allowing the drop to succeed (Pavel Stehule)
This is enabled with the -f
option.
Remove --adduser
and --no-adduser
from createuser (Alexander Lakhin)
The long-supported preferred options for this are called --superuser
and --no-superuser
.
Use the directory of the pg_upgrade program as the default --new-bindir
setting when running pg_upgrade (Daniel Gustafsson)
Add a glossary to the documentation (Corey Huinker, Jürgen Purtz, Roger Harkavy, Álvaro Herrera)
Reformat tables containing function and operator information for better clarity (Tom Lane)
Upgrade to use DocBook 4.5 (Peter Eisentraut)
Add support for building on Visual Studio 2019 (Haribabu Kommi)
Add build support for MSYS2 (Peter Eisentraut)
Add compare_exchange and fetch_add assembly language code for Power PC compilers (Noah Misch)
Update Snowball stemmer dictionaries used by full text search (Panagiotis Mavrogiorgos)
This adds Greek stemming and improves Danish and French stemming.
Remove support for Windows 2000 (Michael Paquier)
Remove support for non-ELF BSD systems (Peter Eisentraut)
Remove support for Python versions 2.5.X and earlier (Peter Eisentraut)
Remove support for OpenSSL 0.9.8 and 1.0.0 (Michael Paquier)
Remove configure options --disable-float8-byval
and --disable-float4-byval
(Peter Eisentraut)
These were needed for compatibility with some version-zero C functions, but those are no longer supported.
Pass the query string to planner hook functions (Pascal Legrand, Julien Rouhaud)
Add TRUNCATE
command hook (Yuli Khodorkovskiy)
Add TLS init hook (Andrew Dunstan)
Allow building with no predefined Unix-domain socket directory (Peter Eisentraut)
Reduce the probability of SysV resource key collision on Unix platforms (Tom Lane)
Use operating system functions to reliably erase memory that contains sensitive information (Peter Eisentraut)
For example, this is used for clearing passwords stored in memory.
Add headerscheck
script to test C header-file compatibility (Tom Lane)
Implement internal lists as arrays, rather than a chain of cells (Tom Lane)
This improves performance for queries that access many objects.
Change the API for TS_execute()
(Tom Lane, Pavel Borisov)
TS_execute
callbacks must now provide ternary (yes/no/maybe) logic. Calculating NOT queries accurately is now the default.
Allow extensions to be specified as trusted (Tom Lane)
Such extensions can be installed in a database by users with database-level CREATE
privileges, even if they are not superusers. This change also removes the pg_pltemplate
system catalog.
Allow non-superusers to connect to postgres_fdw foreign servers without using a password (Craig Ringer)
Specifically, allow a superuser to set password_required
to false for a user mapping. Care must still be taken to prevent non-superusers from using superuser credentials to connect to the foreign server.
Allow postgres_fdw to use certificate authentication (Craig Ringer)
Different users can use different certificates.
Allow sepgsql to control access to the TRUNCATE
command (Yuli Khodorkovskiy)
Add extension bool_plperl which transforms SQL booleans to/from PL/Perl booleans (Ivan Panchenko)
Have pg_stat_statements treat SELECT ... FOR UPDATE
commands as distinct from those without FOR UPDATE
(Andrew Gierth, Vik Fearing)
Allow pg_stat_statements to optionally track the planning time of statements (Julien Rouhaud, Pascal Legrand, Thomas Munro, Fujii Masao)
Previously only execution time was tracked.
Overhaul ltree's lquery syntax to treat NOT
(!) more logically (Filip Rembialkowski, Tom Lane, Nikita Glukhov)
Also allow non-* queries to use a numeric range ({}) of matches.
Add support for binary I/O of ltree, lquery, and ltxtquery types (Nino Floris)
Add an option to dict_int to ignore the sign of integers (Jeff Janes)
Add adminpack function pg_file_sync()
to allow fsync'ing a file (Fujii Masao)
Add pageinspect functions to output t_infomask
/t_infomask2
values in human-readable format (Craig Ringer, Sawada Masahiko, Michael Paquier)
Add B-tree index de-duplication processing columns to pageinspect output (Peter Geoghegan)
The following individuals (in alphabetical order) have contributed to this release as patch authors, committers, reviewers, testers, or reporters of issues.
Release date: 2023-05-11
This release contains a variety of fixes from 12.14. For information about new features in major release 12, see Version 12.0.
A dump/restore is not required for those running 12.X.
However, if you are upgrading from a version earlier than 12.10, see Version 12.10.
Prevent CREATE SCHEMA
from defeating changes in search_path
(Alexander Lakhin)
Within a CREATE SCHEMA
command, objects in the prevailing search_path
, as well as those in the newly-created schema, would be visible even within a called function or script that attempted to set a secure search_path
. This could allow any user having permission to create a schema to hijack the privileges of a security definer function or extension script.
The PostgreSQL Project thanks Alexander Lakhin for reporting this problem. (CVE-2023-2454 or CVE-2023-2454)
Enforce row-level security policies correctly after inlining a set-returning function (Stephen Frost, Tom Lane)
If a set-returning SQL-language function refers to a table having row-level security policies, and it can be inlined into a calling query, those RLS policies would not get enforced properly in some cases involving re-using a cached plan under a different role. This could allow a user to see or modify rows that should have been invisible.
The PostgreSQL Project thanks Wolfgang Walther for reporting this problem. (CVE-2023-2455 or CVE-2023-2455)
Avoid crash when the new schema name is omitted in CREATE SCHEMA
(Michael Paquier)
The SQL standard allows writing CREATE SCHEMA AUTHORIZATION
, with the schema name defaulting to owner_name
owner_name
. However some code paths expected the schema name to be present and would fail.
Disallow altering composite types that are stored in indexes (Tom Lane)
ALTER TYPE
disallows non-binary-compatible modifications of composite types if they are stored in any table columns. (Perhaps that will be allowed someday, but it hasn't happened yet; the locking implications of rewriting many tables are daunting.) We overlooked the possibility that an index might contain a composite type that doesn't also appear in its table.
Disallow system columns as elements of foreign keys (Tom Lane)
Since the removal of OID as a system column, there is no plausible use-case for this, and various bits of code no longer support it. Disallow it rather than trying to fix all the cases.
Ensure that COPY TO
from an RLS-enabled parent table does not copy any rows from child tables (Antonin Houska)
The documentation is quite clear that COPY TO
copies rows from only the named table, not any inheritance children it may have. However, if row-level security was enabled on the table then this stopped being true.
Avoid possible crash when array_position()
or array_positions()
is passed an empty array (Tom Lane)
Fix possible out-of-bounds fetch in to_char()
(Tom Lane)
With bad luck this could have resulted in a server crash.
Avoid buffer overread in translate()
function (Daniil Anisimov)
When using the deletion feature, the function might fetch the byte just after the input string, creating a small risk of crash.
Fix error cursor setting for parse errors in JSON string literals (Tom Lane)
Most cases in which a syntax error is detected in a string literal within a JSON value failed to set the error cursor appropriately. This led at least to an unhelpful error message (pointing to the token before the string, rather than the actual trouble spot), and could even result in a crash in v14 and later.
Fix data corruption due to vacuum_defer_cleanup_age
being larger than the current 64-bit xid (Andres Freund)
In v14 and later with non-default settings of vacuum_defer_cleanup_age
, it was possible to compute a very large vacuum cleanup horizon xid, leading to vacuum removing rows that are still live. v12 and v13 have a lesser form of the same problem affecting only GiST indexes, which could lead to index pages getting recycled too early.
Fix parser's failure to detect some cases of improperly-nested aggregates (Tom Lane)
This oversight could lead to executor failures for queries that should have been rejected as invalid.
Fix data structure corruption during parsing of serial SEQUENCE NAME
options (David Rowley)
This can lead to trouble if an event trigger captures the corrupted parse tree.
Correctly update plan nodes' parallel-safety markings when moving initplans from one node to another (Tom Lane)
This planner oversight could lead to “subplan was not initialized” errors at runtime.
Disable the inverse-transition optimization for window aggregates when the call contains sub-SELECTs (David Rowley)
This optimization requires that the aggregate's argument expressions have repeatable results, which might not hold for a sub-SELECT.
Fix oversights in execution of nested ARRAY[]
constructs (Alexander Lakhin, Tom Lane)
Correctly detect overflow of the total space needed for the result array, avoiding a possible crash due to undersized output allocation. Also ensure that any trailing padding space in the result array is zeroed; while leaving garbage there is harmless for most purposes, it can result in odd behavior later.
Prevent crash when updating a field within an array-of-domain-over-composite-type column (Dmitry Dolgov)
Fix partition pruning logic for partitioning on boolean columns (David Rowley)
Pruning with a condition like boolcol IS NOT TRUE
was done incorrectly, leading to possibly not returning rows in which boolcol
is NULL. Also, the rather unlikely case of partitioning on NOT boolcol
was handled incorrectly.
Fix race condition in per-batch cleanup during parallel hash join (Thomas Munro, Melanie Plageman)
A crash was possible given unlucky timing and parallel_leader_participation
= off
(which is not the default).
Recalculate GENERATED
columns after an EvalPlanQual check (Tom Lane)
In READ COMMITTED
isolation mode, the effects of a row update might need to get reapplied to a newer version of the row than the query found originally. If so, we need to recompute any GENERATED
columns, in case they depend on columns that were changed by the concurrent update.
Don't balance vacuum cost delay when a table has a per-relation vacuum_cost_delay
setting of zero (Masahiko Sawada)
Delay balancing is supposed to be disabled whenever autovacuum is processing a table with a per-relation vacuum_cost_delay
setting, but this was done only for positive settings, not zero.
Fix corner-case crashes when columns have been added to the end of a view (Tom Lane)
Repair rare failure of MULTIEXPR_SUBLINK subplans in partitioned updates (Andres Freund, Tom Lane)
Use of the syntax INSERT ... ON CONFLICT DO UPDATE SET (c1, ...) = (SELECT ...)
with a partitioned target table could result in failure if any child table is dissimilar from the parent (for example, different physical column order). This typically manifested as failure of consistency checks in the executor; but a crash or incorrect data updates are also possible.
Fix handling of DEFAULT
markers within a multi-row INSERT ... VALUES
query on a view that has a DO ALSO INSERT ... SELECT
rule (Dean Rasheed)
Such cases typically failed with “unrecognized node type” errors or assertion failures.
Support references to OLD
and NEW
within subqueries in rule actions (Dean Rasheed, Tom Lane)
Such references are really lateral references, but the server could crash if the subquery wasn't explicitly marked with LATERAL
. Arrange to do that implicitly when necessary.
When decompiling a rule or SQL function body containing INSERT
/UPDATE
/DELETE
within WITH
, take care to print the correct alias for the target table (Tom Lane)
Fix glitches in SERIALIZABLE READ ONLY
optimization (Thomas Munro)
Transactions already marked as “doomed” confused the safe-snapshot optimization for SERIALIZABLE READ ONLY
transactions. The optimization was unnecessarily skipped in some cases. In other cases an assertion failure occurred (but there was no problem in non-assert builds).
Avoid leaking cache callback slots in the pgoutput
logical decoding plugin (Shi Yu)
Multiple cycles of starting up and shutting down the plugin within a single session would eventually lead to an “out of relcache_callback_list slots” error.
Fix dereference of dangling pointer during buffering build of a GiST index (Alexander Lakhin)
This error seems to usually be harmless in production builds, as the fetched value is noncritical; but in principle it could cause a server crash.
Ignore dropped columns and generated columns during logical replication of an update or delete action (Onder Kalaci, Shi Yu)
Replication with the REPLICA IDENTITY FULL
option failed if the table contained such columns.
Support RSA-PSS certificates with SCRAM-SHA-256 channel binding (Jacob Champion, Heikki Linnakangas)
This feature requires building with OpenSSL 1.1.1 or newer. Both the server and libpq are affected.
Avoid race condition with process ID tracking on Windows (Thomas Munro)
The operating system could recycle a PID before the postmaster observed that that child process was gone. This could lead to tracking more than one child with the same PID, resulting in confusion.
Add missing cases to SPI_result_code_string()
(Dean Rasheed)
Fix erroneous Valgrind markings in AllocSetRealloc()
(Karina Litskevich)
In the unusual case where the size of a large (>8kB) palloc chunk is decreased, a Valgrind-aware build would mismark the defined-ness state of the memory released from the chunk, possibly causing incorrect results during Valgrind testing.
Avoid assertion failure when decoding a transactional logical replication message (Tomas Vondra)
Avoid locale sensitivity when processing regular expression escapes (Jeff Davis)
A backslash followed by a non-ASCII character could sometimes cause an assertion failure, depending on the prevailing locale.
Avoid trying to write an empty WAL record in log_newpage_range()
when the last few pages in the specified range are empty (Matthias van de Meent)
It is not entirely clear whether this case is reachable in released branches, but if it is then an assertion failure could occur.
Fix session-lifespan memory leakage in plpgsql DO
blocks that use cast expressions (Ajit Awekar, Tom Lane)
Tighten array dimensionality checks when converting Perl list structures to multi-dimensional SQL arrays (Tom Lane)
plperl could misbehave when the nesting of sub-lists is inconsistent so that the data does not represent a rectangular array of values. Such cases now produce errors, but previously they could result in a crash or garbage output.
Tighten array dimensionality checks when converting Python list structures to multi-dimensional SQL arrays (Tom Lane)
plpython could misbehave when dealing with empty sub-lists, or when the nesting of sub-lists is inconsistent so that the data does not represent a rectangular array of values. The former should result in an empty output array, and the latter in an error. But some cases resulted in a crash, and others in unexpected output.
Fix unwinding of exception stack in plpython (Xing Guo)
Some rare failure cases could return without cleaning up the PG_TRY exception stack, risking a crash if another error was raised before the next stack level was unwound.
Fix inconsistent GSS-encryption error handling in libpq's PQconnectPoll()
(Michael Paquier)
With gssencmode
set to require
, the connection was not marked dead after a GSS initialization failure. Make it fail immediately, as the equivalent case for TLS encryption has long done.
Fix possible data corruption in ecpg programs built with the -C ORACLE
option (Kyotaro Horiguchi)
When ecpg_get_data()
is called with varcharsize
set to zero, it could write a terminating zero character into the last byte of the preceding field, truncating the data in that field.
Fix pg_dump so that partitioned tables that are hash-partitioned on an enum-type column can be restored successfully (Tom Lane)
Since the hash codes for enum values depend on the OIDs assigned to the enum, they are typically different after a dump and restore, meaning that rows often need to go into a different partition than they were in originally. Users can work around that by specifying the --load-via-partition-root
option; but since there is very little chance of success without that, teach pg_dump to apply it automatically to such tables.
Also, fix pg_restore to not try to TRUNCATE
target tables before restoring into them when --load-via-partition-root
mode is used. This avoids a hazard of deadlocks and lost data.
In contrib/hstore_plpython
, avoid crashing if the Python value to be transformed isn't a mapping (Dmitry Dolgov, Tom Lane)
This should give an error, but Python 3 changed some APIs in a way that caused the check to misbehave, allowing a crash to ensue.
Fix misbehavior in contrib/pg_trgm
with an unsatisfiable regular expression (Tom Lane)
A regex such as $foo
is legal but unsatisfiable; the regex compiler recognizes that and produces an empty NFA graph. Attempting to optimize such a graph into a pg_trgm GIN or GiST index qualification resulted in accessing off the end of a work array, possibly leading to crashes.
Use the --strip-unneeded
option when stripping static libraries with GNU-compatible strip (Tom Lane)
Previously, make install-strip
used the -x
option in this case. This change avoids misbehavior of llvm-strip, and gives slightly smaller output as well.
Stop recommending auto-download of DTD files for building the documentation, and indeed disable it (Aleksander Alekseev, Peter Eisentraut, Tom Lane)
It appears no longer possible to build the SGML documentation without a local installation of the DocBook DTD files. Formerly xsltproc could download those files on-the-fly from sourceforge.net; but sourceforge.net now permits only HTTPS access, and no common version of xsltproc supports that. Hence, remove the bits of our documentation suggesting that that's possible or useful, and instead add xsltproc's --nonet
option to the build recipes.
When running TAP tests in PGXS builds, use a saner location for the temporary portlock
directory (Peter Eisentraut)
Place it under tmp_check
in the build directory. With the previous coding, a PGXS build would try to place it in the installation directory, which is not necessarily writable.
Update time zone data files to tzdata release 2023c for DST law changes in Egypt, Greenland, Morocco, and Palestine.
When observing Moscow time, Europe/Kirov and Europe/Volgograd now use the abbreviations MSK/MSD instead of numeric abbreviations, for consistency with other timezones observing Moscow time. Also, America/Yellowknife is no longer distinct from America/Edmonton; this affects some pre-1948 timestamps in that area.
Release date: 2023-02-09
This release contains a variety of fixes from 12.13. For information about new features in major release 12, see Version 12.0.
A dump/restore is not required for those running 12.X.
However, if you are upgrading from a version earlier than 12.10, see Version 12.10.
libpq can leak memory contents after GSSAPI transport encryption initiation fails (Jacob Champion)
A modified server, or an unauthenticated man-in-the-middle, can send a not-zero-terminated error message during setup of GSSAPI (Kerberos) transport encryption. libpq will then copy that string, as well as following bytes in application memory up to the next zero byte, to its error report. Depending on what the calling application does with the error report, this could result in disclosure of application memory contents. There is also a small probability of a crash due to reading beyond the end of memory. Fix by properly zero-terminating the server message. (CVE-2022-41862 or CVE-2022-41862)
Allow REPLICA IDENTITY
to be set on an index that's not (yet) valid (Tom Lane)
When pg_dump dumps a partitioned index that's marked REPLICA IDENTITY
, it generates a command sequence that applies REPLICA IDENTITY
before the partitioned index has been marked valid, causing restore to fail. There seems no very good reason to prohibit doing it in that order, so allow it. The marking will have no effect anyway until the index becomes valid.
Fix handling of DEFAULT
markers in rules that perform an INSERT
from a multi-row VALUES
list (Dean Rasheed)
In some cases a DEFAULT
marker would not get replaced with the proper default-value expression, leading to an “unrecognized node type” error.
Reject uses of undefined variables in jsonpath
existence checks (Alexander Korotkov, David G. Johnston)
While jsonpath
match operators threw an error for an undefined variable in the path pattern, the existence operators silently treated it as a match.
Fix edge-case data corruption in parallel hash joins (Dmitry Astapov)
If the final chunk of a large tuple being written out to a temporary file was exactly 32760 bytes, it would be corrupted due to a fencepost bug. The query would typically fail later with corrupted-data symptoms.
Honor non-default settings of checkpoint_completion_target
(Bharath Rupireddy)
Internal state was not updated after a change in checkpoint_completion_target
, possibly resulting in performing checkpoint I/O faster or slower than desired, especially if that setting was changed on-the-fly.
Log the correct ending timestamp in recovery_target_xid
mode (Tom Lane)
When ending recovery based on the recovery_target_xid
setting with recovery_target_inclusive
= off
, we printed an incorrect timestamp (always 2000-01-01) in the “recovery stopping before ... transaction” log message.
Prevent “wrong tuple length” failure at the end of VACUUM
(Ashwin Agrawal, Junfeng Yang)
This occurred if VACUUM
needed to update the current database's datfrozenxid
value and the database has so many granted privileges that its datacl
value has been pushed out-of-line.
In extended query protocol, avoid an immediate commit after ANALYZE
if we're running a pipeline (Tom Lane)
If there's not been an explicit BEGIN TRANSACTION
, ANALYZE
would take it on itself to commit, which should not happen within a pipelined series of commands.
Reject cancel request packets having the wrong length (Andrey Borodin)
The server would process a cancel request even if its length word was too small. This led to reading beyond the end of the allocated buffer. In theory that could cause a segfault, but it seems quite unlikely to happen in practice, since the buffer would have to be very close to the end of memory. The more likely outcome was a bogus log message about wrong backend PID or cancel code. Complain about the wrong length, instead.
Add recursion and looping defenses in subquery pullup (Tom Lane)
A contrived query can result in deep recursion and unreasonable amounts of time spent trying to flatten subqueries. A proper fix for that seems unduly invasive for a back-patch, but we can at least add stack depth checks and an interrupt check to allow the query to be cancelled.
Fix partitionwise-join code to tolerate failure to produce a plan for each partition (Tom Lane)
This could result in “could not devise a query plan for the given query” errors.
Limit the amount of cleanup work done by get_actual_variable_range
(Simon Riggs)
Planner runs occurring just after deletion of a large number of tuples appearing at the end of an index could expend significant amounts of work setting the “killed” bits for those index entries. Limit the amount of work done in any one query by giving up on this process after examining 100 heap pages. All the cleanup will still happen eventually, but without so large a performance hiccup.
Ensure that execution of full-text-search queries can be cancelled while they are performing phrase matches (Tom Lane)
Fix memory leak in hashing strings with nondeterministic collations (Jeff Davis)
Clean up the libpq connection object after a failed replication connection attempt (Andres Freund)
The previous coding leaked the connection object. In background code paths that's pretty harmless because the calling process will give up and exit. But in commands such as CREATE SUBSCRIPTION
, such a failure resulted in a small session-lifespan memory leak.
In hot-standby servers, reduce processing effort for tracking XIDs known to be active on the primary (Simon Riggs, Michail Nikolaev)
Insufficiently-aggressive cleanup of the KnownAssignedXids array could lead to poor performance, particularly when max_connections
is set to a large value on the standby.
Fix uninitialized-memory usage in logical decoding (Masahiko Sawada)
In certain cases, resumption of logical decoding could try to re-use XID data that had already been freed, leading to unpredictable behavior.
Avoid rare “failed to acquire cleanup lock” panic during WAL replay of hash-index page split operations (Robert Haas)
Advance a heap page's LSN when setting its all-visible bit during WAL replay (Jeff Davis)
Failure to do this left the page possibly different on standby servers than the primary, and violated some other expectations about when the LSN changes. This seems only a theoretical hazard so far as PostgreSQL itself is concerned, but it could upset third-party tools.
Prevent unsafe usage of a relation cache entry's rd_smgr
pointer (Amul Sul)
Remove various assumptions that rd_smgr
would stay valid over a series of operations, by wrapping all uses of it in a function that will recompute it if needed. This prevents bugs occurring when an unexpected cache flush occurs partway through such a series.
Fix latent buffer-overrun problem in WaitEventSet
logic (Thomas Munro)
The epoll
-based and kqueue
-based implementations could ask the kernel for too many events if the size of their internal buffer was different from the size of the caller's output buffer. That case is not known to occur in released PostgreSQL versions, but this error is a hazard for external modules and future bug fixes.
Avoid nominally-undefined behavior when accessing shared memory in 32-bit builds (Andres Freund)
clang's undefined-behavior sanitizer complained about use of a pointer that was less aligned than it should be. It's very unlikely that this would cause a problem in non-debug builds, but it's worth fixing for testing purposes.
Remove faulty assertion in useless-RESULT-RTE optimization logic (Tom Lane)
Fix copy-and-paste errors in cache-lookup-failure messages for ACL checks (Justin Pryzby)
In principle these errors should never be reached. But if they are, some of them reported the wrong type of object.
In pg_dump, avoid calling unsafe server functions before we have locks on the tables to be examined (Tom Lane, Gilles Darold)
pg_dump uses certain server functions that can fail if examining a table that gets dropped concurrently. Avoid this type of failure by ensuring that we obtain access share lock before inquiring too deeply into a table's properties, and that we don't apply such functions to tables we don't intend to dump at all.
Fix tab completion of ALTER FUNCTION/PROCEDURE/ROUTINE
... SET SCHEMA
(Dean Rasheed)
Fix faulty assertion in contrib/postgres_fdw
(Etsuro Fujita)
Fix contrib/seg
to not crash or print garbage if an input number has more than 127 digits (Tom Lane)
In contrib/sepgsql
, avoid deprecation warnings with recent libselinux (Michael Paquier)
Fix build on Microsoft Visual Studio 2013 (Tom Lane)
A previous patch supposed that all platforms of interest have snprintf()
, but MSVC 2013 isn't quite there yet. Revert to using sprintf()
on that platform.
Fix compile failure in building PL/Perl with MSVC when using Strawberry Perl (Andrew Dunstan)
Fix mismatch of PL/Perl built with MSVC versus a Perl library built with gcc (Andrew Dunstan)
Such combinations could previously fail with “loadable library and perl binaries are mismatched” errors.
Suppress compiler warnings from Perl's header files (Andres Freund)
Our preferred compiler options provoke warnings about constructs appearing in recent versions of Perl's header files. When using gcc, we can suppress these warnings with a pragma.
Fix pg_waldump to build on compilers that don't discard unused static-inline functions (Tom Lane)
Update time zone data files to tzdata release 2022g for DST law changes in Greenland and Mexico, plus historical corrections for northern Canada, Colombia, and Singapore.
Notably, a new timezone America/Ciudad_Juarez has been split off from America/Ojinaga.
Release date: 2022-11-10
This release contains a variety of fixes from 12.12. For information about new features in major release 12, see Version 12.0.
A dump/restore is not required for those running 12.X.
However, if you are upgrading from a version earlier than 12.10, see Version 12.10.
Avoid rare PANIC during updates occurring concurrently with VACUUM
(Tom Lane, Jeff Davis)
If a concurrent VACUUM
sets the all-visible flag bit in a page that UPDATE
or DELETE
is in process of modifying, the updating command needs to clear that bit again; but some code paths failed to do so, ending in a PANIC exit and database restart.
This is known to be possible in versions 14 and 15. It may be only latent in previous branches.
Fix VACUUM
to press on if an attempted page deletion in a btree index fails to find the page's parent downlink (Peter Geoghegan)
Rather than throwing an error, just log the issue and continue without deleting the empty page. Previously, a buggy operator class or corrupted index could indefinitely prevent completion of vacuuming of the index, eventually leading to transaction wraparound problems.
Fix handling of DEFAULT
tokens that appear in a multi-row VALUES
clause of an INSERT
on an updatable view (Tom Lane)
This oversight could lead to “cache lookup failed for type” errors, or in older branches even to crashes.
Disallow rules named _RETURN
that are not ON SELECT
(Tom Lane)
This avoids confusion between a view's ON SELECT
rule and any other rules it may have.
Fix resource management bug in saving tuples for AFTER
triggers (Tom Lane)
Given the right circumstances, this manifested as a “tupdesc reference NNNN
is not owned by resource owner” error followed by a PANIC exit.
Repair rare failure of MULTIEXPR_SUBLINK subplans in inherited updates (Tom Lane)
Use of the syntax UPDATE tab SET (c1, ...) = (SELECT ...)
with an inherited or partitioned target table could result in failure if the child tables are sufficiently dissimilar. This typically manifested as failure of consistency checks in the executor; but a crash or incorrect data updates are also possible.
Fix construction of per-partition foreign key constraints while doing ALTER TABLE ATTACH PARTITION
(Jehan-Guillaume de Rorthais, Álvaro Herrera)
Previously, incorrect or duplicate constraints could be constructed for the newly-added partition.
Fix generation of constraint names for per-partition foreign key constraints (Jehan-Guillaume de Rorthais)
If the initially-given name is already in use for some constraint of the partition, a new one is selected; but it wasn't being spelled as intended.
Fix incorrect matching of index expressions and predicates when creating a partitioned index (Richard Guo, Tom Lane)
While creating a partitioned index, we try to identify any existing indexes on the partitions that match the partitioned index, so that we can absorb those as child indexes instead of building new ones. Matching of expressions was not done right, so that a usable child index might be ignored, leading to creation of a duplicative index.
Prevent WAL corruption after a standby promotion (Dilip Kumar, Robert Haas)
When a PostgreSQL instance performing archive recovery (but not using standby mode) is promoted, and the last WAL segment that it attempted to read ended in a partial record, the instance would write an invalid WAL segment on the new timeline.
Fix mis-ordering of WAL operations in fast insert path for GIN indexes (Matthias van de Meent, Zhang Mingli)
This mistake is not known to have any negative consequences within core PostgreSQL, but it did cause issues for some extensions.
Fix bugs in logical decoding when replay starts from a point between the beginning of a transaction and the beginning of its subtransaction (Masahiko Sawada, Kuroda Hayato)
These errors could lead to assertion failures in debug builds, and otherwise to memory leaks.
Prevent examining system catalogs with the wrong snapshot during logical decoding (Masahiko Sawada)
If decoding begins partway through a transaction that modifies system catalogs, the decoder may not recognize that, causing it to fail to treat that transaction as in-progress for catalog lookups.
Accept interrupts in more places during logical decoding (Amit Kapila, Masahiko Sawada)
This ameliorates problems with slow shutdown of replication workers.
Avoid crash after function syntax error in replication workers (Maxim Orlov, Anton Melnikov, Masahiko Sawada, Tom Lane)
If a syntax error occurred in a SQL-language or PL/pgSQL-language CREATE FUNCTION
or DO
command executed in a logical replication worker, the worker process would crash with a null pointer dereference or assertion failure.
Fix handling of read-write expanded datums that are passed to SQL functions (Tom Lane)
If a non-inlined SQL function uses a parameter in more than one place, and one of those functions expects to be able to modify read-write datums in place, then later uses of the parameter would observe the wrong value. (Within core PostgreSQL, the expanded-datum mechanism is only used for array and composite-type values; but extensions might use it for other structured types.)
Fix type circle
's equality comparator to handle NaNs properly (Ranier Vilela)
If the left-hand circle had a floating-point NaN for its radius, it would be considered equal to a circle with the same center and any radius.
In Snowball dictionaries, don't try to stem excessively-long words (Olly Betts, Tom Lane)
If the input word exceeds 1000 bytes, return it as-is after case folding, rather than trying to run it through the Snowball code. This restriction protects against a known recursion-to-stack-overflow problem in the Turkish stemmer, and it seems like good insurance against any other safety or performance issues that may exist in the Snowball stemmers. Such a long string is surely not a word in any human language, so it's doubtful that the stemmer would have done anything desirable with it anyway.
Fix use-after-free hazard in string comparisons (Tom Lane)
Improper memory management in the string comparison functions could result in scribbling on no-longer-allocated buffers, potentially breaking things for whatever is using that memory now. This would only happen with fairly long strings (more than 1kB), and only if an ICU collation is in use.
Add plan-time check for attempted access to a table that has no table access method (Tom Lane)
This prevents a crash in some catalog-corruption scenarios, for example use of a view whose ON SELECT
rule is missing.
Prevent postmaster crash when shared-memory state is corrupted (Tom Lane)
The postmaster process is supposed to survive and initiate a database restart if shared memory becomes corrupted, but one bit of code was being insufficiently cautious about that.
Add some more defenses against recursion till stack overrun (Richard Guo, Tom Lane)
Avoid long-term memory leakage in the autovacuum launcher process (Reid Thompson)
The lack of field reports suggests that this problem is only latent in pre-v15 branches; but it's not very clear why, so back-patch the fix anyway.
Improve PL/pgSQL's ability to handle parameters declared as RECORD
(Tom Lane)
Build a separate function cache entry for each concrete type passed to the RECORD
parameter during a session, much as we do for polymorphic parameters. This allows some usages to work that previously failed with errors such as “type of parameter does not match that when preparing the plan”.
Add missing guards for NULL
connection pointer in libpq (Daniele Varrazzo, Tom Lane)
There's a convention that libpq functions should check for a NULL PGconn argument, and fail gracefully instead of crashing. PQflush()
and PQisnonblocking()
didn't get that memo, so fix them.
In ecpg, fix omission of variable storage classes when multiple varchar
or bytea
variables are declared in the same declaration (Andrey Sokolov)
For example, ecpg translated static varchar str1[10], str2[20], str3[30];
in such a way that only str1
was marked static
.
Allow cross-platform tablespace relocation in pg_basebackup (Robert Haas)
Allow the remote path in --tablespace-mapping
to be either a Unix-style or Windows-style absolute path, since the source server could be on a different OS than the local system.
In pg_stat_statements, fix access to already-freed memory (zhaoqigui)
This occurred if pg_stat_statements tracked a ROLLBACK
command issued via extended query protocol. In debug builds it consistently led to an assertion failure. In production builds there would often be no visible ill effect; but if the freed memory had already been reused, the likely result would be to store garbage for the query string.
In postgres_fdw, ensure that target lists constructed for EvalPlanQual plans will have all required columns (Richard Guo, Etsuro Fujita)
This avoids “variable not found in subplan target list” errors in rare cases.
Reject unwanted output from the platform's uuid_create()
function (Nazir Bilal Yavuz)
The uuid-ossp module expects libc's uuid_create()
to produce a version-1 UUID, but recent NetBSD releases produce a version-4 (random) UUID instead. Check for that, and complain if so. Drop the documentation's claim that the NetBSD implementation is usable for uuid-ossp. (If a version-4 UUID is okay for your purposes, you don't need uuid-ossp at all; just use gen_random_uuid()
.)
Include new Perl test modules in standard installations (Álvaro Herrera)
Add PostgreSQL/Test/Cluster.pm
and PostgreSQL/Test/Utils.pm
to the standard installation file set in pre-version-15 branches. This is for the benefit of extensions that want to use newly-written test code in older branches.
On NetBSD, force dynamic symbol resolution at postmaster start (Andres Freund, Tom Lane)
This avoids a risk of deadlock in the dynamic linker on NetBSD 10.
Fix incompatibilities with LLVM 15 (Thomas Munro, Andres Freund)
Allow use of __sync_lock_test_and_set()
for spinlocks on any machine (Tom Lane)
This eases porting to new machine architectures, at least if you're using a compiler that supports this GCC builtin function.
Rename symbol REF
to REF_P
to avoid compile failure on recent macOS (Tom Lane)
Avoid using sprintf
, to avoid compile-time deprecation warnings (Tom Lane)
Silence assorted compiler warnings from clang 15 and later (Tom Lane)
Update time zone data files to tzdata release 2022f for DST law changes in Chile, Fiji, Iran, Jordan, Mexico, Palestine, and Syria, plus historical corrections for Chile, Crimea, Iran, and Mexico.
Also, the Europe/Kiev zone has been renamed to Europe/Kyiv. Also, the following zones have been merged into nearby, more-populous zones whose clocks have agreed with them since 1970: Antarctica/Vostok, Asia/Brunei, Asia/Kuala_Lumpur, Atlantic/Reykjavik, Europe/Amsterdam, Europe/Copenhagen, Europe/Luxembourg, Europe/Monaco, Europe/Oslo, Europe/Stockholm, Indian/Christmas, Indian/Cocos, Indian/Kerguelen, Indian/Mahe, Indian/Reunion, Pacific/Chuuk, Pacific/Funafuti, Pacific/Majuro, Pacific/Pohnpei, Pacific/Wake and Pacific/Wallis. (This indirectly affects zones that were already links to one of these: Arctic/Longyearbyen, Atlantic/Jan_Mayen, Iceland, Pacific/Ponape, Pacific/Truk, and Pacific/Yap.) America/Nipigon, America/Rainy_River, America/Thunder_Bay, Europe/Uzhgorod, and Europe/Zaporozhye were also merged into nearby zones after discovering that their claimed post-1970 differences from those zones seem to have been errors. In all these cases, the previous zone name remains as an alias; but the actual data is that of the zone that was merged into.
These zone mergers result in loss of pre-1970 timezone history for the merged zones, which may be troublesome for applications expecting consistency of timestamptz
display. As an example, the stored value 1944-06-01 12:00 UTC
would previously display as 1944-06-01 13:00:00+01
if the Europe/Stockholm zone is selected, but now it will read out as 1944-06-01 14:00:00+02
.
It is possible to build the time zone data files with options that will restore the older zone data, but that choice also inserts a lot of other old (and typically poorly-attested) zone data, resulting in more total changes from the previous release than accepting these upstream changes does. PostgreSQL has chosen to ship the tzdb data as-recommended, and so far as we are aware most major operating system distributions are doing likewise. However, if these changes cause significant problems for your application, a possible solution is to install a local build of the time zone data files using tzdb's backwards-compatibility options (see their PACKRATDATA
and PACKRATLIST
options).
Release date: 2022-08-11
This release contains a variety of fixes from 12.11. For information about new features in major release 12, see Version 12.0.
A dump/restore is not required for those running 12.X.
However, if you are upgrading from a version earlier than 12.10, see Version 12.10.
Do not let extension scripts replace objects not already belonging to the extension (Tom Lane)
This change prevents extension scripts from doing CREATE OR REPLACE
if there is an existing object that does not belong to the extension. It also prevents CREATE IF NOT EXISTS
in the same situation. This prevents a form of trojan-horse attack in which a hostile database user could become the owner of an extension object and then modify it to compromise future uses of the object by other users. As a side benefit, it also reduces the risk of accidentally replacing objects one did not mean to.
The PostgreSQL Project thanks Sven Klemm for reporting this problem. (CVE-2022-2625 or CVE-2022-2625)
Fix replay of CREATE DATABASE
WAL records on standby servers (Kyotaro Horiguchi, Asim R Praveen, Paul Guo)
Standby servers may encounter missing tablespace directories when replaying database-creation WAL records. Prior to this patch, a standby would fail to recover in such a case; however, such directories could be legitimately missing. Create the tablespace (as a plain directory), then check that it has been dropped again once replay reaches a consistent state.
Support “in place” tablespaces (Thomas Munro, Michael Paquier, Álvaro Herrera)
Normally a Postgres tablespace is a symbolic link to a directory on some other filesystem. This change allows it to just be a plain directory. While this has no use for separating tables onto different filesystems, it is a convenient setup for testing. Moreover, it is necessary to support the CREATE DATABASE
replay fix, which transiently creates a missing tablespace as an “in place” tablespace.
Fix permissions checks in CREATE INDEX
(Nathan Bossart, Noah Misch)
The fix for CVE-2022-1552 or CVE-2022-1552 caused CREATE INDEX
to apply the table owner's permissions while performing lookups of operator classes and other objects, where formerly the calling user's permissions were used. This broke dump/restore scenarios, because pg_dump issues CREATE INDEX
before re-granting permissions.
In extended query protocol, force an immediate commit after CREATE DATABASE
and other commands that can't run in a transaction block (Tom Lane)
If the client does not send a Sync message immediately after such a command, but instead sends another command, any failure in that command would lead to rolling back the preceding command, typically leaving inconsistent state on-disk (such as a missing or extra database directory). The mechanisms intended to prevent that situation turn out to work for multiple commands in a simple-Query message, but not for a series of extended-protocol messages. To prevent inconsistency without breaking use-cases that work today, force an implicit commit after such commands.
Fix race condition when checking transaction visibility (Simon Riggs)
TransactionIdIsInProgress
could report false
before the subject transaction is considered visible, leading to various misbehaviors. The race condition window is normally very narrow, but use of synchronous replication makes it much wider, because the wait for a synchronous replica happens in that window.
Fix queries in which a “whole-row variable” references the result of a function that returns a domain over composite type (Tom Lane)
Fix “variable not found in subplan target list” planner error when pulling up a sub-SELECT
that's referenced in a GROUPING
function (Richard Guo)
Fix ALTER TABLE ... ENABLE/DISABLE TRIGGER
to handle recursion correctly for triggers on partitioned tables (Álvaro Herrera, Amit Langote)
In certain cases, a “trigger does not exist” failure would occur because the command would try to adjust the trigger on a child partition that doesn't have it.
Improve syntax error messages for type jsonpath
(Andrew Dunstan)
Prevent pg_stat_get_subscription()
from possibly returning an extra row containing garbage values (Kuntal Ghosh)
Ensure that pg_stop_backup()
cleans up session state properly (Fujii Masao)
This omission could lead to assertion failures or crashes later in the session.
Fix join alias matching in FOR [KEY] UPDATE/SHARE
clauses (Dean Rasheed)
In corner cases, a misleading error could be reported.
Avoid crashing if too many column aliases are attached to an XMLTABLE
or JSON_TABLE
construct (Álvaro Herrera)
Reject ROW()
expressions and functions in FROM
that have too many columns (Tom Lane)
Cases with more than about 1600 columns are unsupported, and have always failed at execution. However, it emerges that some earlier code could be driven to assertion failures or crashes by queries with more than 32K columns. Add a parse-time check to prevent that.
When decompiling a view or rule, show a SELECT
output column's AS "?column?"
alias clause if it could be referenced elsewhere (Tom Lane)
Previously, this auto-generated alias was always hidden; but there are corner cases where doing so results in a non-restorable view or rule definition.
Fix dumping of a view using a function in FROM
that returns a composite type, when column(s) of the composite type have been dropped since the view was made (Tom Lane)
This oversight could lead to dump/reload or pg_upgrade failures, as the dumped view would have too many column aliases for the function.
Report implicitly-created operator families to event triggers (Masahiko Sawada)
If CREATE OPERATOR CLASS
results in the implicit creation of an operator family, that object was not reported to event triggers that should capture such events.
Fix control file updates made when a restartpoint is running during promotion of a standby server (Kyotaro Horiguchi)
Previously, when the restartpoint completed it could incorrectly update the last-checkpoint fields of the control file, potentially leading to PANIC and failure to restart if the server crashes before the next normal checkpoint completes.
Prevent triggering of standby's wal_receiver_timeout
during logical replication of large transactions (Wang Wei, Amit Kapila)
If a large transaction on the primary server sends no data to the standby (perhaps because no table it changes is published), it was possible for the standby to timeout. Fix that by ensuring we send keepalive messages periodically in such situations.
Disallow nested backup operations in logical replication walsenders (Fujii Masao)
Fix memory leak in logical replication subscribers (Hou Zhijie)
Prevent open-file leak when reading an invalid timezone abbreviation file (Kyotaro Horiguchi)
Such cases could result in harmless warning messages.
Allow custom server parameters to have short descriptions that are NULL (Steve Chavez)
Previously, although extensions could choose to create such settings, some code paths would crash while processing them.
Fix WAL consistency checking logic to correctly handle BRIN_EVACUATE_PAGE
flags (Haiyang Wang)
Fix erroneous assertion checks in shared hashtable management (Thomas Munro)
Arrange to clean up after commit-time errors within SPI_commit()
, rather than expecting callers to do that (Peter Eisentraut, Tom Lane)
Proper cleanup is complicated and requires use of low-level facilities, so it's not surprising that no known caller got it right. This led to misbehaviors when a PL procedure issued COMMIT
but a failure occurred (such as a deferred constraint check). To improve matters, redefine SPI_commit()
as starting a new transaction, so that it becomes equivalent to SPI_commit_and_chain()
except that you get default transaction characteristics instead of preserving the prior transaction's characteristics. To make this somewhat transparent API-wise, redefine SPI_start_transaction()
as a no-op. All known callers of SPI_commit()
immediately call SPI_start_transaction()
, so they will not notice any change. Similar remarks apply to SPI_rollback()
.
Also fix PL/Python, which omitted any handling of such errors at all, resulting in jumping out of the Python interpreter. This is reported to crash Python 3.11. Older Python releases leak some memory but seem okay with it otherwise.
Remove misguided SSL key file ownership check in libpq (Tom Lane)
In the previous minor releases, we copied the server's permission checking rules for SSL private key files into libpq. But we should not have also copied the server's file-ownership check. While that works in normal use-cases, it can result in an unexpected failure for clients running as root, and perhaps in other cases.
Ensure ecpg reports server connection loss sanely (Tom Lane)
Misprocessing of a libpq-generated error result, such as a report of lost connection, would lead to printing “(null)” instead of a useful error message; or in older releases it would lead to a crash.
Avoid core dump in ecpglib with unexpected orders of operations (Tom Lane)
Certain operations such as EXEC SQL PREPARE
would crash (rather than reporting an error as expected) if called before establishing any database connection.
In ecpglib, avoid redundant newlocale()
calls (Noah Misch)
Allocate a C locale object once per process when first connecting, rather than creating and freeing locale objects once per query. This mitigates a libc memory leak on AIX, and may offer some performance benefit everywhere.
In psql's \watch
command, echo a newline after cancellation with control-C (Pavel Stehule)
This prevents libedit (and possibly also libreadline) from becoming confused about which column the cursor is in.
Fix possible report of wrong error condition after clone()
failure in pg_upgrade with --clone
option (Justin Pryzby)
Fix contrib/pg_stat_statements
to avoid problems with very large query-text files on 32-bit platforms (Tom Lane)
Ensure that contrib/postgres_fdw
sends constants of regconfig
and other reg*
types with proper schema qualification (Tom Lane)
Block signals while allocating dynamic shared memory on Linux (Thomas Munro)
This avoids problems when a signal interrupts posix_fallocate()
.
Detect unexpected EEXIST
error from shm_open()
(Thomas Munro)
This avoids a possible crash on Solaris.
Adjust PL/Perl test case so it will work under Perl 5.36 (Dagfinn Ilmari Mannsåker)
Avoid incorrectly using an out-of-date libldap_r library when multiple OpenLDAP installations are present while building PostgreSQL (Tom Lane)
Release date: 2022-05-12
This release contains a variety of fixes from 12.10. For information about new features in major release 12, see Version 12.0.
A dump/restore is not required for those running 12.X.
However, if you are upgrading from a version earlier than 12.10, see Version 12.10.
Confine additional operations within “security restricted operation” sandboxes (Sergey Shinderuk, Noah Misch)
Autovacuum, CLUSTER
, CREATE INDEX
, REINDEX
, REFRESH MATERIALIZED VIEW
, and pg_amcheck activated the “security restricted operation” protection mechanism too late, or even not at all in some code paths. A user having permission to create non-temporary objects within a database could define an object that would execute arbitrary SQL code with superuser permissions the next time that autovacuum processed the object, or that some superuser ran one of the affected commands against it.
The PostgreSQL Project thanks Alexander Lakhin for reporting this problem. (CVE-2022-1552 or CVE-2022-1552)
Stop using query-provided column aliases for the columns of whole-row variables that refer to plain tables (Tom Lane)
The column names in tuples produced by a whole-row variable (such as tbl.*
in contexts other than the top level of a SELECT
list) are now always those of the associated named composite type, if there is one. We'd previously attempted to make them track any column aliases that had been applied to the FROM
entry the variable refers to. But that's semantically dubious, because really then the output of the variable is not at all of the composite type it claims to be. Previous attempts to deal with that inconsistency had bad results up to and including storing unreadable data on disk, so just give up on the whole idea.
In cases where it's important to be able to relabel such columns, a workaround is to introduce an extra level of sub-SELECT
, so that the whole-row variable is referring to the sub-SELECT
's output and not to a plain table. Then the variable is of type record
to begin with and there's no issue.
Fix incorrect output for types timestamptz
and timetz
in table_to_xmlschema()
and allied functions (Renan Soares Lopes)
The xmlschema output for these types included a malformed regular expression.
Avoid core dump in parser for a VALUES
clause with zero columns (Tom Lane)
Fix planner errors for GROUPING()
constructs that reference outer query levels (Richard Guo, Tom Lane)
Fix plan generation for index-only scans on indexes with both returnable and non-returnable columns (Tom Lane)
The previous coding could try to read non-returnable columns in addition to the returnable ones. This was fairly harmless because it didn't actually do anything with the bogus values, but it fell foul of a recently-added error check that rejected such a plan.
Avoid accessing a no-longer-pinned shared buffer while attempting to lock an outdated tuple during EvalPlanQual (Tom Lane)
The code would touch the buffer a couple more times after releasing its pin. In theory another process could recycle the buffer (or more likely, try to defragment its free space) as soon as the pin is gone, probably leading to failure to find the newer version of the tuple.
Fix query-lifespan memory leak in an IndexScan node that is performing reordering (Aliaksandr Kalenik)
Fix ALTER FUNCTION
to support changing a function's parallelism property and its SET
-variable list in the same command (Tom Lane)
The parallelism property change was lost if the same command also updated the function's SET
clause.
Fix bogus errors from attempts to alter system columns of tables (Tom Lane)
The system should just tell you that you can't do it, but sometimes it would report “no owned sequence found” instead.
Fix mis-sorting of table rows when CLUSTER
ing using an index whose leading key is an expression (Peter Geoghegan, Thomas Munro)
The table would be rebuilt with the correct data, but in an order having little to do with the index order.
Fix risk of deadlock failures while dropping a partitioned index (Jimmy Yih, Gaurab Dey, Tom Lane)
Ensure that the required table and index locks are taken in the standard order (parents before children, tables before indexes). The previous coding for DROP INDEX
did it differently, and so could deadlock against concurrent queries taking these locks in the standard order.
Fix race condition between DROP TABLESPACE
and checkpointing (Nathan Bossart)
The checkpoint forced by DROP TABLESPACE
could sometimes fail to remove all dead files from the tablespace's directory, leading to a bogus “tablespace is not empty” error.
Fix possible trouble in crash recovery after a TRUNCATE
command that overlaps a checkpoint (Kyotaro Horiguchi, Heikki Linnakangas, Robert Haas)
TRUNCATE
must ensure that the table's disk file is truncated before the checkpoint is allowed to complete. Otherwise, replay starting from that checkpoint might find unexpected data in the supposedly-removed pages, possibly causing replay failure.
Fix unsafe toast-data accesses during temporary object cleanup (Andres Freund)
Temporary-object deletion during server process exit could fail with “FATAL: cannot fetch toast data without an active snapshot”. This was usually harmless since the next use of that temporary schema would clean up successfully.
Improve wait logic in RegisterSyncRequest (Thomas Munro)
If we run out of space in the checkpointer sync request queue (which is hopefully rare on real systems, but is common when testing with a very small buffer pool), we wait for it to drain. While waiting, we should report that as a wait event so that users know what is going on, and also watch for postmaster death, since otherwise the loop might never terminate if the checkpointer has already exited.
Fix “PANIC: xlog flush request is not satisfied” failure during standby promotion when there is a missing WAL continuation record (Sami Imseih)
Fix possibility of self-deadlock in hot standby conflict handling (Andres Freund)
With unlucky timing, the WAL-applying process could get stuck while waiting for some other process to release a buffer lock.
Ensure that logical replication apply workers can be restarted even when we're up against the max_sync_workers_per_subscription
limit (Amit Kapila)
Faulty coding of the limit check caused a restarted worker to exit immediately, leaving fewer workers than there should be.
Include unchanged replica identity key columns in the WAL log for an update, if they are stored out-of-line (Dilip Kumar, Amit Kapila)
Otherwise subscribers cannot see the values and will fail to replicate the update.
Improve logical replication subscriber's error message for an unsupported relation kind (Tom Lane)
v13 and later servers support publishing partitioned tables. Older server versions cannot handle subscribing to such a table, and they gave a very misleading error message: “table XYZ not found on publisher”. Arrange to deliver a more on-point message.
Disallow execution of SPI functions during PL/Perl function compilation (Tom Lane)
Perl can be convinced to execute user-defined code during compilation of a PL/Perl function. However, it's not okay for such code to try to invoke SQL operations via SPI. That results in a crash, and if it didn't crash it would be a security hazard, because we really don't want code execution during function validation. Put in a check to give a friendlier error message instead.
Make libpq accept root-owned SSL private key files (David Steele)
This change synchronizes libpq's rules for safe ownership and permissions of SSL key files with the rules the server has used since release 9.6. Namely, in addition to the current rules, allow the case where the key file is owned by root and has permissions rw-r-----
or less. This is helpful for system-wide management of key files.
Fix behavior of libpq's PQisBusy()
function after a connection failure (Tom Lane)
If we'd detected a write failure, PQisBusy()
would always return true, which is the wrong thing: we want input processing to carry on normally until we've read whatever is available from the server. The practical effect of this error is that applications using libpq's async-query API would typically detect connection loss only when PQconsumeInput()
returns a hard failure. With this fix, a connection loss will normally be reported via an error PGresult
object, which is a much cleaner behavior for most applications.
Make pg_ctl recheck postmaster aliveness while waiting for stop/restart/promote actions (Tom Lane)
pg_ctl would verify that the postmaster is alive as a side-effect of sending the stop or promote signal, but then it just naively waited to see the on-disk state change. If the postmaster died uncleanly without having removed its PID file or updated the control file, pg_ctl would wait until timeout. Instead make it recheck every so often that the postmaster process is still there.
Fix error handling in pg_waldump (Kyotaro Horiguchi, Andres Freund)
While trying to read a WAL file to determine the WAL segment size, pg_waldump would report an incorrect error for the case of a too-short file. In addition, the file name reported in this and related error messages could be garbage.
Ensure that contrib/pageinspect
functions cope with all-zero pages (Michael Paquier)
This is a legitimate edge case, but the module was mostly unprepared for it. Arrange to return nulls, or no rows, as appropriate; that seems more useful than raising an error.
In contrib/pageinspect
, add defenses against incorrect page “special space” contents, tighten checks for correct page size, and add some missing checks that an index is of the expected type (Michael Paquier, Justin Pryzby, Julien Rouhaud)
These changes make it less likely that the module will crash on bad data.
In contrib/postgres_fdw
, verify that ORDER BY
clauses are safe to ship before requesting a remotely-ordered query, and include a USING
clause if necessary (Ronan Dunklau)
This fix prevents situations where the remote server might sort in a different order than we intend. While sometimes that would be only cosmetic, it could produce thoroughly wrong results if the remote data is used as input for a locally-performed merge join.
Update JIT code to work with LLVM 14 (Thomas Munro)
Clean up assorted failures under clang's -fsanitize=undefined
checks (Tom Lane, Andres Freund, Zhihong Yu)
Most of these changes are just for pro-forma compliance with the letter of the C and POSIX standards, and are unlikely to have any effect on production builds.
Fix PL/Perl so it builds on C compilers that don't support statements nested within expressions (Tom Lane)
Fix possible build failure of pg_dumpall on Windows, when not using MSVC to build (Andres Freund)
In Windows builds, use gendef instead of pexports to build DEF files (Andrew Dunstan)
This adapts the build process to work on recent MSys tool chains.
Prevent extra expansion of shell wildcard patterns in programs built under MinGW (Andrew Dunstan)
For some reason the C library provided by MinGW will expand shell wildcard characters in a program's command-line arguments by default. This is confusing, not least because it doesn't happen under MSVC, so turn it off.
Update time zone data files to tzdata release 2022a for DST law changes in Palestine, plus historical corrections for Chile and Ukraine.
Release date: 2022-02-10
This release contains a variety of fixes from 12.9. For information about new features in major release 12, see Version 12.0.
A dump/restore is not required for those running 12.X.
However, if you have applied REINDEX CONCURRENTLY
to a TOAST table's index, or observe failures to access TOAST datums, see the first changelog entry below.
Also, if you are upgrading from a version earlier than 12.9, see Version 12.9.
Enforce standard locking protocol for TOAST table updates, to prevent problems with REINDEX CONCURRENTLY
(Michael Paquier)
If applied to a TOAST table or TOAST table's index, REINDEX CONCURRENTLY
tended to produce a corrupted index. This happened because sessions updating TOAST entries released their ROW EXCLUSIVE
locks immediately, rather than holding them until transaction commit as all other updates do. The fix is to make TOAST updates hold the table lock according to the normal rule. Any existing corrupted indexes can be repaired by reindexing again.
Fix incorrect plan creation for parallel single-child Append nodes (David Rowley)
In some cases the Append would be simplified away when it should not be, leading to wrong query results (duplicated rows).
Fix index-only scan plans for cases where not all index columns can be returned (Tom Lane)
If an index has both returnable and non-returnable columns, and one of the non-returnable columns is an expression using a table column that appears in a returnable index column, then a query using that expression could result in an index-only scan plan that attempts to read the non-returnable column, instead of recomputing the expression from the returnable column as intended. The non-returnable column would read as NULL, resulting in wrong query results.
Ensure that casting to an unspecified typmod generates a RelabelType node rather than a length-coercion function call (Tom Lane)
While the coercion function should do the right thing (nothing), this translation is undesirably inefficient.
Fix WAL replay failure when database consistency is reached exactly at a WAL page boundary (Álvaro Herrera)
Fix startup of a physical replica to tolerate transaction ID wraparound (Abhijit Menon-Sen, Tomas Vondra)
If a replica server is started while the set of active transactions on the primary crosses a wraparound boundary (so that there are some newer transactions with smaller XIDs than older ones), the replica would fail with “out-of-order XID insertion in KnownAssignedXids”. The replica would retry, but could never get past that error.
Remove lexical limitations for SQL commands issued on a logical replication connection (Tom Lane)
The walsender process would fail for a SQL command containing an unquoted semicolon, or with dollar-quoted literals containing odd numbers of single or double quote marks, or when the SQL command starts with a comment. Moreover, faulty error recovery could lead to unexpected errors in later commands too.
Fix possible loss of the commit timestamp for the last subtransaction of a transaction (Alex Kingsborough, Kyotaro Horiguchi)
Be sure to fsync
the pg_logical/mappings
subdirectory during checkpoints (Nathan Bossart)
On some filesystems this oversight could lead to losing logical rewrite status files after a system crash.
Build extended statistics for partitioned tables (Justin Pryzby)
A previous bug fix disabled building of extended statistics for old-style inheritance trees, but it also prevented building them for partitioned tables, which was an unnecessary restriction. This change allows ANALYZE
to compute values for statistics objects for partitioned tables. (But note that autovacuum does not process partitioned tables as such, so you must periodically issue manual ANALYZE
on the partitioned table if you want to maintain such statistics.)
Ignore extended statistics for inheritance trees (Justin Pryzby)
Currently, extended statistics values are only computed locally for each table, not for entire inheritance trees. However the values were mistakenly consulted when planning queries across inheritance trees, possibly resulting in worse-than-default estimates.
Disallow altering data type of a partitioned table's columns when the partitioned table's row type is used as a composite type elsewhere (Tom Lane)
This restriction has long existed for regular tables, but through an oversight it was not checked for partitioned tables.
Disallow ALTER TABLE ... DROP NOT NULL
for a column that is part of a replica identity index (Haiying Tang, Hou Zhijie)
The same prohibition already existed for primary key indexes.
Correctly update cached table state during ALTER TABLE ADD PRIMARY KEY USING INDEX
(Hou Zhijie)
Concurrent sessions failed to update their opinion of whether the table has a primary key, possibly causing incorrect logical replication behavior.
Correctly update cached table state when switching REPLICA IDENTITY
index (Tang Haiying, Hou Zhijie)
Concurrent sessions failed to update their opinion of which index is the replica identity one, possibly causing incorrect logical replication behavior.
Avoid leaking memory during REASSIGN OWNED BY
operations that reassign ownership of many objects (Justin Pryzby)
Fix display of cert
authentication method's options in pg_hba_file_rules
view (Magnus Hagander)
The cert
authentication method implies clientcert=verify-full
, but the pg_hba_file_rules
view incorrectly reported clientcert=verify-ca
.
Fix display of whole-row variables appearing in INSERT ... VALUES
rules (Tom Lane)
A whole-row variable would be printed as “var.*”, but that allows it to be expanded to individual columns when the rule is reloaded, resulting in different semantics. Attach an explicit cast to prevent that, as we do elsewhere.
Fix or remove some incorrect assertions (Simon Riggs, Michael Paquier, Alexander Lakhin)
These errors should affect only debug builds, not production.
Fix race condition that could lead to failure to localize error messages that are reported early in multi-threaded use of libpq or ecpglib (Tom Lane)
Avoid calling strerror
from libpq's PQcancel
function (Tom Lane)
PQcancel
is supposed to be safe to call from a signal handler, but strerror
is not safe. The faulty usage only occurred in the unlikely event of failure to send the cancel message to the server, perhaps explaining the lack of reports.
Make psql's \password
command default to setting the password for CURRENT_USER
, not the connection's original user name (Tom Lane)
This agrees with the documented behavior, and avoids probable permissions failure if SET ROLE
or SET SESSION AUTHORIZATION
has been done since the session began. To prevent confusion, the role name to be acted on is now included in the password prompt.
In psql and some other client programs, avoid trying to invoke gettext()
from a control-C signal handler (Tom Lane)
While no reported failures have been traced to this mistake, it seems highly unlikely to be a safe thing to do.
Allow canceling the initial password prompt in pg_receivewal and pg_recvlogical (Tom Lane, Nathan Bossart)
Previously it was impossible to terminate these programs via control-C while they were prompting for a password.
Fix pg_dump's dump ordering for user-defined casts (Tom Lane)
In rare cases, the output script might refer to a user-defined cast before it had been created.
Fix pg_dump's --inserts
and --column-inserts
modes to handle tables containing both generated columns and dropped columns (Tom Lane)
Fix possible mis-reporting of errors in pg_dump and pg_basebackup (Tom Lane)
The previous code failed to check for errors from some kernel calls, and could report the wrong errno values in other cases.
Fix results of index-only scans on contrib/btree_gist
indexes on char(
columns (Tom Lane)N
)
Index-only scans returned column values with trailing spaces removed, which is not the expected behavior. That happened because that's how the data was stored in the index. This fix changes the code to store char(
values with the expected amount of space padding. The behavior of such an index will not change immediately unless you N
)REINDEX
it; otherwise space-stripped values will be gradually replaced over time during updates. Queries that do not use index-only scan plans will be unaffected in any case.
Change configure to use Python's sysconfig module, rather than the deprecated distutils module, to determine how to build PL/Python (Peter Eisentraut, Tom Lane, Andres Freund)
With Python 3.10, this avoids configure-time warnings about distutils being deprecated and scheduled for removal in Python 3.12. Presumably, once 3.12 is out, configure --with-python
would fail altogether. This future-proofing does come at a cost: sysconfig did not exist before Python 2.7, nor before 3.2 in the Python 3 branch, so it is no longer possible to build PL/Python against long-dead Python versions.
Fix PL/Perl compile failure on Windows with Perl 5.28 and later (Victor Wagner)
Fix PL/Python compile failure with Python 3.11 and later (Peter Eisentraut)
Add support for building with Visual Studio 2022 (Hans Buschmann)
Allow the .bat
wrapper scripts in our MSVC build system to be called without first changing into their directory (Anton Voloshin, Andrew Dunstan)
Release date: 2021-11-11
This release contains a variety of fixes from 12.8. For information about new features in major release 12, see Version 12.0.
A dump/restore is not required for those running 12.X.
However, note that installations using physical replication should update standby servers before the primary server, as explained in the third changelog entry below.
Also, several bugs have been found that may have resulted in corrupted indexes, as explained in the next several changelog entries. If any of those cases apply to you, it's recommended to reindex possibly-affected indexes after updating.
Also, if you are upgrading from a version earlier than 12.6, see Version 12.6.
Make the server reject extraneous data after an SSL or GSS encryption handshake (Tom Lane)
A man-in-the-middle with the ability to inject data into the TCP connection could stuff some cleartext data into the start of a supposedly encryption-protected database session. This could be abused to send faked SQL commands to the server, although that would only work if the server did not demand any authentication data. (However, a server relying on SSL certificate authentication might well not do so.)
The PostgreSQL Project thanks Jacob Champion for reporting this problem. (CVE-2021-23214 or CVE-2021-23214)
Make libpq reject extraneous data after an SSL or GSS encryption handshake (Tom Lane)
A man-in-the-middle with the ability to inject data into the TCP connection could stuff some cleartext data into the start of a supposedly encryption-protected database session. This could probably be abused to inject faked responses to the client's first few queries, although other details of libpq's behavior make that harder than it sounds. A different line of attack is to exfiltrate the client's password, or other sensitive data that might be sent early in the session. That has been shown to be possible with a server vulnerable to CVE-2021-23214 or CVE-2021-23214.
The PostgreSQL Project thanks Jacob Champion for reporting this problem. (CVE-2021-23222 or CVE-2021-23222)
Fix physical replication for cases where the primary crashes after shipping a WAL segment that ends with a partial WAL record (Álvaro Herrera)
If the primary did not survive long enough to finish writing the rest of the incomplete WAL record, then the previous crash-recovery logic had it back up and overwrite WAL starting from the beginning of the incomplete WAL record. This is problematic since standby servers may already have copies of that WAL segment. They will then see an inconsistent next segment, and will not be able to recover without manual intervention. To fix, do not back up over a WAL segment boundary when restarting after a crash. Instead write a new type of WAL record at the start of the next WAL segment, informing readers that the incomplete WAL record will never be finished and must be disregarded.
When applying this update, it's best to update standby servers before the primary, so that they will be ready to handle this new WAL record type if the primary happens to crash.
Fix CREATE INDEX CONCURRENTLY
to wait for the latest prepared transactions (Andrey Borodin)
Rows inserted by just-prepared transactions might be omitted from the new index, causing queries relying on the index to miss such rows. The previous fix for this type of problem failed to account for PREPARE TRANSACTION
commands that were still in progress when CREATE INDEX CONCURRENTLY
checked for them. As before, in installations that have enabled prepared transactions (max_prepared_transactions
> 0), it's recommended to reindex any concurrently-built indexes in case this problem occurred when they were built.
Avoid race condition that can cause backends to fail to add entries for new rows to an index being built concurrently (Noah Misch, Andrey Borodin)
While it's apparently rare in the field, this case could potentially affect any index built or reindexed with the CONCURRENTLY
option. It is recommended to reindex any such indexes to make sure they are correct.
Fix float4
and float8
hash functions to produce uniform results for NaNs (Tom Lane)
Since PostgreSQL's floating-point types deem all NaNs to be equal, it's important for the hash functions to produce the same hash code for all bit-patterns that are NaNs according to the IEEE 754 standard. This failed to happen before, meaning that hash indexes and hash-based query plans might produce incorrect results for non-canonical NaN values. ('-NaN'::float8
is one way to produce such a value on most machines.) It is advisable to reindex hash indexes on floating-point columns, if there is any possibility that they might contain such values.
Prevent data loss during crash recovery of CREATE TABLESPACE
, when wal_level
= minimal
(Noah Misch)
If the server crashed between CREATE TABLESPACE
and the next checkpoint, replay would fully remove the contents of the new tablespace's directory, relying on subsequent WAL replay to restore everything within that directory. This interacts badly with optimizations that skip writing WAL (one example is COPY
into a just-created table). Such optimizations are applied only when wal_level
is minimal
, which is not the default in v10 and later.
Ensure that the relation cache is invalidated for a table being attached to or detached from a partitioned table (Amit Langote, Álvaro Herrera)
This oversight could allow misbehavior of subsequent inserts/updates addressed directly to the partition, but only in currently-existing sessions.
Ensure that the relation cache is invalidated when creating or dropping a FOR ALL TABLES
publication (Hou Zhijie, Vignesh C)
This oversight could lead to improper replication behavior until all currently-existing sessions have exited.
Don't discard a cast to the same type with unspecified type modifier (Tom Lane)
For example, if column f1
is of type numeric(18,3)
, the parser used to simply discard a cast like f1::numeric
, on the grounds that it would have no run-time effect. That's true, but the exposed type of the expression should still be considered to be plain numeric
, not numeric(18,3)
. This is important for correctly resolving the type of larger constructs, such as recursive UNION
s.
Fix updates of element fields in arrays of domain over composite (Tom Lane)
A command such as UPDATE tab SET fld[1].subfld = val
failed if the array's elements were domains rather than plain composites.
Disallow creating an ICU collation if the current database's encoding won't support it (Tom Lane)
Previously this was allowed, but then the collation could not be referenced because of the way collation lookup works; you could not use the collation, nor even drop it.
Fix corner-case loss of precision in numeric power()
(Dean Rasheed)
The result could be inaccurate when the first argument is very close to 1.
Avoid regular expression errors with capturing parentheses inside {0}
(Tom Lane)
Regular expressions like (.){0}...\1
drew “invalid backreference number”. Other regexp engines such as Perl don't complain, though, and for that matter ours doesn't either in some closely related cases. Worse, it could throw an assertion failure instead. Fix it so that no error is thrown and instead the back-reference is silently deemed to never match.
Prevent regular expression back-references from sometimes matching when they shouldn't (Tom Lane)
The regexp engine was careless about clearing match data for capturing parentheses after rejecting a partial match. This could allow a later back-reference to match in places where it should fail for lack of a defined referent.
Fix regular expression performance bug with back-references inside iteration nodes (Tom Lane)
Incorrect back-tracking logic could result in exponential time spent looking for a match. Fortunately the problem is masked in most cases by other optimizations.
Fix incorrect results from AT TIME ZONE
applied to a time with time zone
value (Tom Lane)
The results were incorrect if the target time zone was specified by a dynamic timezone abbreviation (that is, one that is defined as equivalent to a full time zone name, rather than a fixed UTC offset).
Fix mistranslation of PlaceHolderVars to inheritance child relations (Tom Lane)
This error could result in assertion failures, or in mis-planning of queries having partitioned or inherited tables on the nullable side of an outer join.
Avoid using MCV-only statistics to estimate the range of a column (Tom Lane)
There are corner cases in which ANALYZE
will build a most-common-values (MCV) list but not a histogram, even though the MCV list does not account for all the observed values. In such cases, keep the planner from using the MCV list alone to estimate the range of column values.
Fix restoration of a Portal's snapshot inside a subtransaction (Bertrand Drouvot)
If a procedure commits or rolls back a transaction, and then its next significant action is inside a new subtransaction, snapshot management went wrong, leading to a dangling pointer and probable crash. A typical example in PL/pgSQL is a COMMIT
immediately followed by a BEGIN ... EXCEPTION
block that performs a query.
Clean up correctly if a transaction fails after exporting its snapshot (Dilip Kumar)
This oversight would only cause a problem if the same session attempted to export a snapshot again. The most likely scenario for that is creation of a replication slot (followed by rollback) and then creation of another replication slot.
Prevent wraparound of overflowed-subtransaction tracking on standby servers (Kyotaro Horiguchi, Alexander Korotkov)
This oversight could cause significant performance degradation (manifesting as excessive SubtransSLRU traffic) on standby servers.
Ensure that prepared transactions are properly accounted for during promotion of a standby server (Michael Paquier, Andres Freund)
There was a narrow window where a prepared transaction could be omitted from a snapshot taken by a concurrently-running session. If that session then used the snapshot to perform data updates, erroneous results or data corruption could occur.
Refuse to rewind a cursor marked NO SCROLL
if it has been held over from a previous transaction due to the WITH HOLD
option (Tom Lane)
We have long forbidden fetching backwards from a NO SCROLL
cursor, but for historical reasons the prohibition didn't extend to cases in which we rewind the query altogether and then re-fetch forwards. That exception leads to inconsistencies, particularly for held-over cursors which may not have stored all the data necessary to rewind. Disallow rewinding for non-scrollable held-over cursors to block the worst inconsistencies. (v15 will remove the exception altogether.)
Fix possible failure while saving a WITH HOLD
cursor at transaction end, if it had already been read to completion (Tom Lane)
Fix detection of a relation that has grown to the maximum allowed length (Tom Lane)
An attempt to extend a table or index past the limit of 2^32-1 blocks was rejected, but not soon enough to prevent inconsistent internal state from being created.
Correctly track the presence of data-modifying CTEs when expanding a DO INSTEAD
rule (Greg Nancarrow, Tom Lane)
The previous failure to do this could lead to problems such as unsafely choosing a parallel plan.
Fix incorrect reporting of permissions failures on extended statistics objects (Tomas Vondra)
The code typically produced “cache lookup error” rather than the intended message.
Fix incorrect snapshot handling in parallel workers (Greg Nancarrow)
This oversight could lead to misbehavior in parallel queries if the transaction isolation level is less than REPEATABLE READ
.
Fix logical decoding to correctly ignore toast-table changes for transient tables (Bertrand Drouvot)
Logical decoding normally ignores changes in transient tables such as those created during an ALTER TABLE
heap rewrite. But that filtering wasn't applied to the associated toast table if any, leading to possible errors when rewriting a table that's being published.
Ensure that walreceiver processes create all required archive notification files before exiting (Fujii Masao)
If a walreceiver exited exactly at a WAL segment boundary, it failed to make a notification file for the last-received segment, thus delaying archiving of that segment on the standby.
Avoid trying to lock the OLD
and NEW
pseudo-relations in a rule that uses SELECT FOR UPDATE
(Masahiko Sawada, Tom Lane)
Fix parser's processing of aggregate FILTER
clauses (Tom Lane)
If the FILTER
expression is a plain boolean column, the semantic level of the aggregate could be mis-determined, leading to not-per-spec behavior. If the FILTER
expression is itself a boolean-returning aggregate, an error should be thrown but was not, likely resulting in a crash at execution.
Ensure that the correct lock level is used when renaming a table (Nathan Bossart, Álvaro Herrera)
For historical reasons, ALTER INDEX ... RENAME
can be applied to any sort of relation. The lock level required to rename an index is lower than that required to rename a table or other kind of relation, but the code got this wrong and would use the weaker lock level whenever the command is spelled ALTER INDEX
.
Avoid trying to clean up LLVM state after an error within LLVM (Andres Freund, Justin Pryzby)
This prevents a likely crash during backend exit after a fatal LLVM error.
Avoid null-pointer-dereference crash when dropping a role that owns objects being dropped concurrently (Álvaro Herrera)
Prevent “snapshot reference leak” warning when lo_export()
or a related function fails (Heikki Linnakangas)
Ensure that scans of SP-GiST indexes are counted in the statistics views (Tom Lane)
Incrementing the number-of-index-scans counter was overlooked in the SP-GiST code, although per-tuple counters were advanced correctly.
Recalculate relevant wait intervals if recovery_min_apply_delay
is changed during recovery (Soumyadeep Chakraborty, Ashwin Agrawal)
Fix infinite loop if a simplehash.h
hash table reaches 2^32 elements (Yura Sokolov)
It seems unlikely that this bug has been hit in practice, as it would require work_mem
settings of hundreds of gigabytes for existing uses of simplehash.h
.
Reduce memory consumption during calculation of extended statistics (Justin Pryzby, Tomas Vondra)
Disallow setting huge_pages
to on
when shared_memory_type
is sysv
(Thomas Munro)
Previously, this setting was accepted, but it did nothing for lack of any implementation.
Fix ecpg to recover correctly after malloc()
failure while establishing a connection (Michael Paquier)
Fix misevaluation of stable functions called in the arguments of a PL/pgSQL CALL
statement (Tom Lane)
They were being called with an out-of-date snapshot, so that they would not see any database changes made since the start of the session's top-level command.
Allow EXIT
out of the outermost block in a PL/pgSQL routine (Tom Lane)
If the routine does not require an explicit RETURN
, this usage should be valid, but it was rejected.
Remove pg_ctl's hard-coded limits on the total length of generated commands (Phil Krylov)
For example, this removes a restriction on how many command-line options can be passed through to the postmaster. Individual path names that pg_ctl deals with, such as the postmaster executable's name or the data directory name, are still limited to MAXPGPATH
bytes in most cases.
Fix pg_dump to dump non-global default privileges correctly (Neil Chen, Masahiko Sawada)
If a global (unrestricted) ALTER DEFAULT PRIVILEGES
command revoked some present-by-default privilege, for example EXECUTE
for functions, and then a restricted ALTER DEFAULT PRIVILEGES
command granted that privilege again for a selected role or schema, pg_dump failed to dump the restricted privilege grant correctly.
Make pg_dump acquire shared lock on partitioned tables that are to be dumped (Tom Lane)
This oversight was usually pretty harmless, since once pg_dump has locked any of the leaf partitions, that would suffice to prevent significant DDL on the partitioned table itself. However problems could ensue when dumping a childless partitioned table, since no relevant lock would be held.
Improve pg_dump's performance by avoiding making per-table queries for RLS policies, and by avoiding repetitive calls to format_type()
(Tom Lane)
These changes provide only marginal improvement when dumping from a local server, but a dump from a remote server can benefit substantially due to fewer network round-trips.
Fix crash in pg_dump when attempting to dump trigger definitions from a pre-8.3 server (Tom Lane)
Fix incorrect filename in pg_restore's error message about an invalid large object TOC file (Daniel Gustafsson)
Ensure that pgbench exits with non-zero status after a socket-level failure (Yugo Nagata, Fabien Coelho)
The desired behavior is to finish out the run but then exit with status 2. Also, fix the reporting of such errors.
Fix failure of contrib/btree_gin
indexes on "char"
(not char(
) columns, when an indexscan using the n
)<
or <=
operator is performed (Tom Lane)
Such an indexscan failed to return all the entries it should.
Change contrib/pg_stat_statements
to read its “query texts” file in units of at most 1GB (Tom Lane)
Such large query text files are very unusual, but if they do occur, the previous coding would fail on Windows 64 (which rejects individual read requests of more than 2GB).
Fix null-pointer crash when contrib/postgres_fdw
tries to report a data conversion error (Tom Lane)
Add spinlock support for the RISC-V architecture (Marek Szuba)
This is essential for reasonable performance on that platform.
Support OpenSSL 3.0.0 (Peter Eisentraut, Daniel Gustafsson, Michael Paquier)
Set correct type identifier on OpenSSL BIO (I/O abstraction) objects created by PostgreSQL (Itamar Gafni)
This oversight probably only matters for code that is doing tasks like auditing the OpenSSL installation. But it's nominally a violation of the OpenSSL API, so fix it.
Fix our pkg-config
files to again support static linking of libpq (Peter Eisentraut)
Make pg_regexec()
robust against an out-of-range search_start
parameter (Tom Lane)
Return REG_NOMATCH
, instead of possibly crashing, when search_start
is past the end of the string. This case is probably unreachable within core PostgreSQL, but extensions might be more careless about the parameter value.
Ensure that GetSharedSecurityLabel()
can be used in a newly-started session that has not yet built its critical relation cache entries (Jeff Davis)
Use the CLDR project's data to map Windows time zone names to IANA time zones (Tom Lane)
When running on Windows, initdb attempts to set the new cluster's timezone
parameter to the IANA time zone matching the system's prevailing time zone. We were using a mapping table that we'd generated years ago and updated only fitfully; unsurprisingly, it contained a number of errors as well as omissions of recently-added zones. It turns out that CLDR has been tracking the most appropriate mappings, so start using their data. This change will not affect any existing installation, only newly-initialized clusters.
Update time zone data files to tzdata release 2021e for DST law changes in Fiji, Jordan, Palestine, and Samoa, plus historical corrections for Barbados, Cook Islands, Guyana, Niue, Portugal, and Tonga.
Also, the Pacific/Enderbury zone has been renamed to Pacific/Kanton. Also, the following zones have been merged into nearby, more-populous zones whose clocks have agreed with them since 1970: Africa/Accra, America/Atikokan, America/Blanc-Sablon, America/Creston, America/Curacao, America/Nassau, America/Port_of_Spain, Antarctica/DumontDUrville, and Antarctica/Syowa. In all these cases, the previous zone name remains as an alias.
Release date: 2021-08-12
This release contains a variety of fixes from 12.7. For information about new features in major release 12, see Version 12.0.
A dump/restore is not required for those running 12.X.
However, if you are upgrading from a version earlier than 12.6, see Version 12.6.
Fix mis-planning of repeated application of a projection step (Tom Lane)
The planner could create an incorrect plan in cases where two ProjectionPaths were stacked on top of each other. The only known way to trigger that situation involves parallel sort operations, but there may be other instances. The result would be crashes or incorrect query results. Disclosure of server memory contents is also possible. (CVE-2021-3677 or CVE-2021-3677)
Disallow SSL renegotiation more completely (Michael Paquier)
SSL renegotiation has been disabled for some time, but the server would still cooperate with a client-initiated renegotiation request. A maliciously crafted renegotiation request could result in a server crash (see OpenSSL issue CVE-2021-3449 or CVE-2021-3449). Disable the feature altogether on OpenSSL versions that permit doing so, which are 1.1.0h and newer.
Restore the Portal-level snapshot after COMMIT
or ROLLBACK
within a procedure (Tom Lane)
This change fixes cases where an attempt to fetch a toasted value immediately after COMMIT
/ROLLBACK
would fail with errors like “no known snapshots” or “missing chunk number 0 for toast value”.
Some extensions may attempt to execute SQL code outside of any Portal. They are responsible for ensuring that an outer snapshot exists before doing so. Previously, not providing a snapshot might work or it might not; now it will consistently fail with “cannot execute SQL without an outer snapshot or portal”.
Avoid misbehavior when persisting the output of a cursor that's reading a non-stable query (Tom Lane)
Previously, we'd always rewind and re-read the whole query result, possibly getting results different from the earlier execution, causing great confusion later. For a NO SCROLL cursor, we can fix this by only storing the not-yet-read portion of the query output, which is sufficient since a NO SCROLL cursor can't be backed up. Cursors with the SCROLL option remain at hazard, but that was already documented to be an unsafe option to use with a non-stable query. Make those documentation warnings stronger.
Also force NO SCROLL mode for the implicit cursor used by a PL/pgSQL FOR-over-query loop, to avoid this type of problem when persisting such a cursor during an intra-procedure commit.
Reject SELECT ... GROUP BY GROUPING SETS (()) FOR UPDATE
(Tom Lane)
This should be disallowed, just as FOR UPDATE
with a plain GROUP BY
is disallowed, but the test for that failed to handle empty grouping sets correctly. The end result would be a null-pointer dereference in the executor.
Reject cases where a query in WITH
rewrites to just NOTIFY
(Tom Lane)
Such cases previously crashed.
In numeric
multiplication, round the result rather than failing if it would have more than 16383 digits after the decimal point (Dean Rasheed)
Fix corner-case errors and loss of precision when raising numeric
values to very large powers (Dean Rasheed)
Fix division-by-zero failure in to_char()
with EEEE
format and a numeric
input value less than 10^(-1001) (Dean Rasheed)
Fix pg_size_pretty(bigint)
to round negative values consistently with the way it rounds positive ones (and consistently with the numeric
version) (Dean Rasheed, David Rowley)
Make pg_filenode_relation(0, 0)
return NULL rather than failing (Justin Pryzby)
Make ALTER EXTENSION
lock the extension when adding or removing a member object (Tom Lane)
The previous coding allowed ALTER EXTENSION ADD/DROP
to occur concurrently with DROP EXTENSION
, leading to a crash or corrupt catalog entries.
Fix ALTER SUBSCRIPTION
to reject an empty slot name (Japin Li)
When cloning a partitioned table's triggers to a new partition, ensure that their enabled status is copied (Álvaro Herrera)
Avoid alias conflicts in queries generated for REFRESH MATERIALIZED VIEW CONCURRENTLY
(Tom Lane, Bharath Rupireddy)
This command failed on materialized views containing columns with certain names, notably mv
and newdata
.
Fix PREPARE TRANSACTION
to check correctly for conflicting session-lifespan and transaction-lifespan locks (Tom Lane)
A transaction cannot be prepared if it has both session-lifespan and transaction-lifespan locks on the same advisory-lock ID value. This restriction was not fully checked, which could lead to a PANIC during PREPARE TRANSACTION
.
Fix misbehavior of DROP OWNED BY
when the target role is listed more than once in an RLS policy (Tom Lane)
Skip unnecessary error tests when removing a role from an RLS policy during DROP OWNED BY
(Tom Lane)
Notably, this fixes some cases where it was necessary to be a superuser to use DROP OWNED BY
.
Disallow whole-row variables in GENERATED
expressions (Tom Lane)
Use of a whole-row variable clearly violates the rule that a generated column cannot depend on itself, so such cases have no well-defined behavior. The actual behavior frequently included a crash.
Fix usage of tableoid
in GENERATED
expressions (Tom Lane)
Some code paths failed to provide a valid value for this system column while evaluating a GENERATED
expression.
Don't store a “fast default” when adding a column to a foreign table (Andrew Dunstan)
The fast default is useless since no local heap storage exists for such a table, but it confused subsequent operations. In addition to suppressing creation of such catalog entries in ALTER TABLE
commands, adjust the downstream code to cope when one is incorrectly present.
Allow index state flags to be updated transactionally (Michael Paquier, Andrey Lepikhov)
This avoids failures when dealing with index predicates that aren't really immutable. While that's not considered a supported case, the original reason for using a non-transactional update here is long gone, so we may as well change it.
Avoid corrupting the plan cache entry when CREATE DOMAIN
or ALTER DOMAIN
appears in a cached plan (Tom Lane)
Make walsenders show their latest replication commands in pg_stat_activity
(Tom Lane)
Previously, a walsender would show its latest SQL command, which was confusing if it's now doing some replication operation instead. Now we show replication-protocol commands on the same footing as SQL commands.
Make pg_settings
.pending_restart
show as true when the pertinent entry in postgresql.conf
has been removed (Álvaro Herrera)
pending_restart
correctly showed the case where an entry that cannot be changed without a postmaster restart has been modified, but not where the entry had been removed altogether.
Fix mis-planning of queries involving regular tables that are inheritance children of foreign tables (Amit Langote)
SELECT FOR UPDATE
and related commands would fail with assertion failures or “could not find junk column” errors in such cases.
Fix corner-case failure of a new standby to follow a new primary (Dilip Kumar, Robert Haas)
Under a narrow combination of conditions, the standby could wind up trying to follow the wrong WAL timeline.
Update minimum recovery point when WAL replay of a transaction abort record causes file truncation (Fujii Masao)
File truncation is irreversible, so it's no longer safe to stop recovery at a point earlier than that record. The corresponding case for transaction commit was fixed years ago, but this one was overlooked.
In walreceivers, avoid attempting catalog lookups after an error (Masahiko Sawada, Bharath Rupireddy)
Ensure that a standby server's startup process will respond to a shutdown signal promptly while waiting for WAL to arrive (Fujii Masao, Soumyadeep Chakraborty)
Correctly clear shared state after failing to become a member of a transaction commit group (Amit Kapila)
Given the right timing, this could cause an assertion failure when some later session re-uses the same PGPROC object.
Add locking to avoid reading incorrect relmapper data in the face of a concurrent write from another process (Heikki Linnakangas)
Improve progress reporting for the sort phase of a parallel btree index build (Matthias van de Meent)
Improve checks for violations of replication protocol (Tom Lane)
Logical replication workers frequently used Asserts to check for cases that could be triggered by invalid or out-of-order replication commands. This seems unwise, so promote these tests to regular error checks.
Fix deadlock when multiple logical replication workers try to truncate the same table (Peter Smith, Haiying Tang)
Fix error cases and memory leaks in logical decoding of speculative insertions (Dilip Kumar)
Avoid leaving an invalid record-type hash table entry behind after an error (Sait Talha Nisanci)
This could lead to later crashes or memory leakage.
Fix plan cache reference leaks in some error cases in CREATE TABLE ... AS EXECUTE
(Tom Lane)
Fix race condition in code for sharing tuple descriptors across parallel workers (Thomas Munro)
Given the right timing, a crash could result.
Fix possible race condition when releasing BackgroundWorkerSlots (Tom Lane)
It's likely that this doesn't fix any observable bug on Intel hardware, but machines with weaker memory ordering rules could have problems.
Fix latent crash in sorting code (Ronan Dunklau)
One code path could attempt to free a null pointer. The case appears unreachable in the core server's use of sorting, but perhaps it could be triggered by extensions.
Prevent infinite loops in SP-GiST index insertion (Tom Lane)
In the event that INCLUDE columns take up enough space to prevent a leaf index tuple from ever fitting on a page, the text_ops operator class would get into an infinite loop vainly trying to make the tuple fit. While pre-v11 versions don't have INCLUDE columns, back-patch this anti-looping fix to them anyway, as it seems like a good defense against bugs in operator classes.
Ensure that SP-GiST index insertion can be terminated by a query cancel request (Tom Lane, Álvaro Herrera)
Fix uninitialized-variable bug that could cause PL/pgSQL to act as though an INTO
clause specified STRICT
, even though it didn't (Tom Lane)
Don't abort the process for an out-of-memory failure in libpq's printing functions (Tom Lane)
In ecpg, allow the numeric
value INT_MIN (usually -2147483648) to be converted to integer (John Naylor)
In psql and other client programs, avoid overrunning the ends of strings when dealing with invalidly-encoded data (Tom Lane)
An incorrectly-encoded multibyte character near the end of a string could cause various processing loops to run past the string's terminating NUL, with results ranging from no detectable issue to a program crash, depending on what happens to be in the following memory. This is reminiscent of CVE-2006-2313 or CVE-2006-2313, although these particular cases do not appear to have interesting security consequences.
Fix pg_dump to correctly handle triggers on partitioned tables whose enabled status is different from their parent triggers' status (Justin Pryzby, Álvaro Herrera)
Avoid “invalid creation date in header” warnings observed when running pg_restore on an archive file created in a different time zone (Tom Lane)
Make pg_upgrade carry forward the old installation's oldestXID
value (Bertrand Drouvot)
Previously, the new installation's oldestXID
was set to a value old enough to (usually) force immediate anti-wraparound autovacuuming. That's not desirable from a performance standpoint; what's worse, installations using large values of autovacuum_freeze_max_age
could suffer unwanted forced shutdowns soon after an upgrade.
Extend pg_upgrade to detect and warn about extensions that should be upgraded (Bruce Momjian)
A script file is now produced containing the ALTER EXTENSION UPDATE
commands needed to bring extensions up to the versions that are considered default in the new installation.
Avoid problems when switching pg_receivewal between compressed and non-compressed WAL storage (Michael Paquier)
Fix contrib/postgres_fdw
to work usefully with generated columns (Etsuro Fujita)
postgres_fdw
will now behave reasonably with generated columns, so long as a generated column in a foreign table represents a generated column in the remote table. IMPORT FOREIGN SCHEMA
will now import generated columns that way by default.
In contrib/postgres_fdw
, avoid attempting catalog lookups after an error (Tom Lane)
While this usually worked, it's not very safe since the error might have been one that made catalog access nonfunctional. A side effect of the fix is that messages about data conversion errors will now mention the query's table and column aliases (if used) rather than the true underlying name of a foreign table or column.
Improve the isolation-test infrastructure (Tom Lane, Michael Paquier)
Allow isolation test steps to be annotated to show the expected completion order. This allows getting stable results from otherwise-racy test cases, without the long delays that we previously used (not entirely successfully) to fend off race conditions. Allow non-quoted identifiers as isolation test session/step names (formerly, all such names had to be double-quoted). Detect and warn about unused steps in isolation tests. Improve display of query results in isolation tests. Remove isolationtester's “dry-run” mode. Remove memory leaks in isolationtester itself.
Reduce overhead of cache-clobber testing (Tom Lane)
Fix PL/Python's regression tests to pass with Python 3.10 (Honza Horak)
Make printf("%s", NULL)
print (null)
instead of crashing (Tom Lane)
This should improve server robustness in corner cases, and it syncs our printf
implementation with common libraries.
Fix incorrect log message when point-in-time recovery stops at a ROLLBACK PREPARED
record (Simon Riggs)
Improve ALTER TABLE
's messages for wrong-relation-kind errors (Kyotaro Horiguchi)
Clarify error messages referring to “non-negative” values (Bharath Rupireddy)
Fix configure to work with OpenLDAP 2.5, which no longer has a separate libldap_r
library (Adrian Ho, Tom Lane)
If there is no libldap_r
library, we now silently assume that libldap
is thread-safe.
Add new make targets world-bin
and install-world-bin
(Andrew Dunstan)
These are the same as world
and install-world
respectively, except that they do not build or install the documentation.
Fix make rule for TAP tests (prove_installcheck
) to work in PGXS usage (Andrew Dunstan)
Adjust JIT code to prepare for forthcoming LLVM API change (Thomas Munro, Andres Freund)
LLVM 13 has made an incompatible API change that will cause crashing of our previous JIT compiler.
Avoid assuming that strings returned by GSSAPI libraries are null-terminated (Tom Lane)
The GSSAPI spec provides for a string pointer and length. It seems that in practice the next byte after the string is usually zero, so that our previous coding didn't actually fail; but we do have a report of AddressSanitizer complaints.
Enable building with GSSAPI on MSVC (Michael Paquier)
Fix various incompatibilities with modern Kerberos builds.
In MSVC builds, include --with-pgport
in the set of configure options reported by pg_config, if it had been specified (Andrew Dunstan)
Release date: 2021-05-13
This release contains a variety of fixes from 12.6. For information about new features in major release 12, see Version 12.0.
A dump/restore is not required for those running 12.X.
However, if you are upgrading from a version earlier than 12.6, see Version 12.6.
Prevent integer overflows in array subscripting calculations (Tom Lane)
The array code previously did not complain about cases where an array's lower bound plus length overflows an integer. This resulted in later entries in the array becoming inaccessible (since their subscripts could not be written as integers), but more importantly it confused subsequent assignment operations. This could lead to memory overwrites, with ensuing crashes or unwanted data modifications. (CVE-2021-32027 or CVE-2021-32027)
Fix mishandling of “junk” columns in INSERT ... ON CONFLICT ... UPDATE
target lists (Tom Lane)
If the UPDATE
list contains any multi-column sub-selects (which give rise to junk columns in addition to the results proper), the UPDATE
path would end up storing tuples that include the values of the extra junk columns. That's fairly harmless in the short run, but if new columns are added to the table then the values would become accessible, possibly leading to malfunctions if they don't match the datatypes of the added columns.
In addition, in versions supporting cross-partition updates, a cross-partition update triggered by such a case had the reverse problem: the junk columns were removed from the target list, typically causing an immediate crash due to malfunction of the multi-column sub-select mechanism. (CVE-2021-32028 or CVE-2021-32028)
Fix possibly-incorrect computation of UPDATE ... RETURNING
outputs for joined cross-partition updates (Amit Langote, Etsuro Fujita)
If an UPDATE
for a partitioned table caused a row to be moved to another partition with a physically different row type (for example, one with a different set of dropped columns), computation of RETURNING
results for that row could produce errors or wrong answers. No error is observed unless the UPDATE
involves other tables being joined to the target table. (CVE-2021-32029 or CVE-2021-32029)
Fix adjustment of constraint deferrability properties in partitioned tables (Álvaro Herrera)
When applied to a foreign-key constraint of a partitioned table, ALTER TABLE ... ALTER CONSTRAINT
failed to adjust the DEFERRABLE
and/or INITIALLY DEFERRED
markings of the constraints and triggers of leaf partitions. This led to unexpected behavior of such constraints. After updating to this version, any misbehaving partitioned tables can be fixed by executing a new ALTER
command to set the desired properties.
This change also disallows applying such an ALTER
directly to the constraints of leaf partitions. The only supported case is for the whole partitioning hierarchy to have identical constraint properties, so such ALTER
s must be applied at the partition root.
When attaching a child table with ALTER TABLE ... INHERIT
, insist that any generated columns in the parent be generated the same way in the child (Peter Eisentraut)
Forbid marking an identity column as nullable (Vik Fearing)
GENERATED ... AS IDENTITY
implies NOT NULL
, so don't allow it to be combined with an explicit NULL
specification.
Allow ALTER ROLE/DATABASE ... SET
to set the role
, session_authorization
, and temp_buffers
parameters (Tom Lane)
Previously, over-eager validity checks might reject these commands, even if the values would have worked when used later. This created a command ordering hazard for dump/reload and upgrade scenarios.
Ensure that REINDEX CONCURRENTLY
preserves any statistics target that's been set for the index (Michael Paquier)
Fix COMMIT AND CHAIN
to work correctly when the current transaction has live savepoints (Fujii Masao)
Fix bug with coercing the result of a COLLATE
expression to a non-collatable type (Tom Lane)
This led to a parse tree in which the COLLATE
appears to be applied to a non-collatable value. While that normally has no real impact (since COLLATE
has no effect at runtime), it was possible to construct views that would be rejected during dump/reload.
Fix use-after-free bug in saving tuples for AFTER
triggers (Amit Langote)
This could cause crashes in some situations.
Disallow calling window functions and procedures via the “fast path” wire protocol message (Tom Lane)
Only plain functions are supported here. While trying to call an aggregate function failed already, calling a window function would crash, and calling a procedure would work only if the procedure did no transaction control.
Extend pg_identify_object_as_address()
to support event triggers (Joel Jacobson)
Fix to_char()
's handling of Roman-numeral month format codes with negative intervals (Julien Rouhaud)
Previously, such cases would usually cause a crash.
Check that the argument of pg_import_system_collations()
is a valid schema OID (Tom Lane)
Fix use of uninitialized value while parsing an \{
quantifier in a BRE-mode regular expression (Tom Lane)m
,n
\}
This error could cause the quantifier to act non-greedy, that is behave like an {
quantifier would do in full regular expressions.m
,n
}?
Don't ignore system columns when estimating the number of groups using extended statistics (Tomas Vondra)
This led to strange estimates for queries such as SELECT ... GROUP BY a, b, ctid
.
Avoid divide-by-zero when estimating selectivity of a regular expression with a very long fixed prefix (Tom Lane)
This typically led to a NaN
selectivity value, causing assertion failures or strange planner behavior.
Fix access-off-the-end-of-the-table error in BRIN index bitmap scans (Tomas Vondra)
If the page range size used by a BRIN index isn't a power of two, there were corner cases in which a bitmap scan could try to fetch pages past the actual end of the table, leading to “could not open file” errors.
Avoid incorrect timeline change while recovering uncommitted two-phase transactions from WAL (Soumyadeep Chakraborty, Jimmy Yih, Kevin Yeap)
This error could lead to subsequent WAL records being written under the wrong timeline ID, leading to consistency problems, or even complete failure to be able to restart the server, later on.
Ensure that locks are released while shutting down a standby server's startup process (Fujii Masao)
When a standby server is shut down while still in recovery, some locks might be left held. This causes assertion failures in debug builds; it's unclear whether any serious consequence could occur in production builds.
Fix crash when a logical replication worker does ALTER SUBSCRIPTION REFRESH
(Peter Smith)
The core code won't do this, but a replica trigger could.
Ensure we default to wal_sync_method
= fdatasync
on recent FreeBSD (Thomas Munro)
FreeBSD 13 supports open_datasync
, which would normally become the default choice. However, it's unclear whether that is actually an improvement for Postgres, so preserve the existing default for now.
Pass the correct trigger OID to object post-alter hooks during ALTER CONSTRAINT
(Álvaro Herrera)
When updating trigger properties during ALTER CONSTRAINT
, the post-alter hook was told that we are updating a trigger, but the constraint's OID was passed instead of the trigger's.
Ensure we finish cleaning up when interrupted while detaching a DSM segment (Thomas Munro)
This error could result in temporary files not being cleaned up promptly after a parallel query.
Fix memory leak while initializing server's SSL parameters (Michael Paquier)
This is ordinarily insignificant, but if the postmaster is repeatedly sent SIGHUP signals, the leak can build up over time.
Fix assorted minor memory leaks in the server (Tom Lane, Andres Freund)
Fix failure when a PL/pgSQL DO
block makes use of both composite-type variables and transaction control (Tom Lane)
Previously, such cases led to errors about leaked tuple descriptors.
Prevent infinite loop in libpq if a ParameterDescription message with a corrupt length is received (Tom Lane)
When initdb prints instructions about how to start the server, make the path shown for pg_ctl use backslash separators on Windows (Nitin Jadhav)
Fix psql to restore the previous behavior of \connect service=
(Tom Lane)something
A previous bug fix caused environment variables (such as PGPORT
) to override entries in the service file in this context. Restore the previous behavior, in which the priority is the other way around.
Fix psql's ON_ERROR_ROLLBACK
feature to handle COMMIT AND CHAIN
commands correctly (Arthur Nascimento)
Previously, this case failed with “savepoint "pg_psql_temporary_savepoint" does not exist”.
Fix race condition in detection of file modification by psql's \e
and related commands (Laurenz Albe)
A very fast typist could fool the code's file-timestamp-based detection of whether the temporary edit file was changed.
Fix pg_dump's dumping of generated columns in partitioned tables (Peter Eisentraut)
A fix introduced in the previous minor release should not be applied to partitioned tables, only traditionally-inherited tables.
Fix missed file version check in pg_restore (Tom Lane)
When reading a custom-format archive from a non-seekable source, pg_restore neglected to check the archive version. If it was fed a newer archive version than it can support, it would fail messily later on.
Add some more checks to pg_upgrade for user tables containing non-upgradable data types (Tom Lane)
Fix detection of some cases where a non-upgradable data type is embedded within a container type (such as an array or range). Also disallow upgrading when user tables contain columns of system-defined composite types, since those types' OIDs are not stable across versions.
Fix incorrect progress-reporting calculation in pg_checksums (Shinya Kato)
Fix pg_waldump to count XACT
records correctly when generating per-record statistics (Kyotaro Horiguchi)
Fix contrib/amcheck
to not complain about the tuple flags HEAP_XMAX_LOCK_ONLY
and HEAP_KEYS_UPDATED
both being set (Julien Rouhaud)
This is a valid state after SELECT FOR UPDATE
.
Adjust VPATH build rules to support recent Oracle Developer Studio compiler versions (Noah Misch)
Fix testing of PL/Python for Python 3 on Solaris (Noah Misch)
Release date: 2021-02-11
This release contains a variety of fixes from 12.5. For information about new features in major release 12, see Version 12.0.
A dump/restore is not required for those running 12.X.
However, see the second and third changelog items below, which describe cases in which reindexing indexes after the upgrade may be advisable.
Also, if you are upgrading from a version earlier than 12.2, see Version 12.2.
Fix information leakage in constraint-violation error messages (Heikki Linnakangas)
If an UPDATE
command attempts to move a row to a different partition but finds that it violates some constraint on the new partition, and the columns in that partition are in different physical positions than in the parent table, the error message could reveal the contents of columns that the user does not have SELECT
privilege on. (CVE-2021-3393 or CVE-2021-3393)
Fix incorrect detection of concurrent page splits while inserting into a GiST index (Heikki Linnakangas)
Concurrent insertions could lead to a corrupt index with entries placed in the wrong pages. It's recommended to reindex any GiST index that's been subject to concurrent insertions.
Fix CREATE INDEX CONCURRENTLY
to wait for concurrent prepared transactions (Andrey Borodin)
At the point where CREATE INDEX CONCURRENTLY
waits for all concurrent transactions to complete so that it can see rows they inserted, it must also wait for all prepared transactions to complete, for the same reason. Its failure to do so meant that rows inserted by prepared transactions might be omitted from the new index, causing queries relying on the index to miss such rows. In installations that have enabled prepared transactions (max_prepared_transactions
> 0), it's recommended to reindex any concurrently-built indexes in case this problem occurred when they were built.
Avoid crash when a CALL
or DO
statement that performs a transaction rollback is executed via extended query protocol (Thomas Munro, Tom Lane)
In PostgreSQL 13, this case reliably caused a null-pointer dereference. In earlier versions the bug seems to have no visible symptoms, but it's not quite clear that it could never cause a problem.
Fix partition pruning logic to handle asymmetric hash partition sets (Tom Lane)
If a hash-partitioned table has unequally-sized partitions (that is, varying modulus values), or it lacks partitions for some remainder values, then the planner's pruning logic could mistakenly conclude that some partitions don't need to be scanned, leading to failure to find rows that the query should find.
Avoid incorrect results when WHERE CURRENT OF
is applied to a cursor whose plan contains a MergeAppend node (Tom Lane)
This case is unsupported (in general, a cursor using ORDER BY
is not guaranteed to be simply updatable); but the code previously did not reject it, and could silently give false matches.
Fix crash when WHERE CURRENT OF
is applied to a cursor whose plan contains a custom scan node (David Geier)
Fix planner's mishandling of placeholders whose evaluation should be delayed by an outer join (Tom Lane)
This occurs in particular with trivial subqueries containing lateral references to outer-join outputs. The mistake could result in a malformed plan. The known cases trigger a “failed to assign all NestLoopParams to plan nodes” error, but other symptoms may be possible.
Fix planner's handling of placeholders during removal of useless RESULT RTEs (Tom Lane)
This oversight could lead to “no relation entry for relid N
” planner errors.
Fix planner's handling of a placeholder that is computed at some join level and used only at that same level (Tom Lane)
This oversight could lead to “failed to build any N
-way joins” planner errors.
Be more careful about whether index AMs support mark/restore (Andrew Gierth)
This prevents errors about missing support functions in rare edge cases.
Adjust settings to make it more difficult to run out of DSM slots during heavy usage of parallel queries (Thomas Munro)
Fix overestimate of the amount of shared memory needed for parallel queries (Takayuki Tsunakawa)
Fix ALTER DEFAULT PRIVILEGES
to handle duplicated arguments safely (Michael Paquier)
Duplicate role or schema names within the same command could lead to “tuple already updated by self” errors or unique-constraint violations.
Flush ACL-related caches when pg_authid
changes (Noah Misch)
This change ensures that permissions-related decisions will promptly reflect the results of ALTER ROLE ... [NO] INHERIT
.
Prevent misprocessing of ambiguous CREATE TABLE LIKE
clauses (Tom Lane)
A LIKE
clause is re-examined after initial creation of the new table, to handle importation of indexes and such. It was possible for this re-examination to find a different table of the same name, causing unexpected behavior; one example is where the new table is a temporary table of the same name as the LIKE
target.
Rearrange order of operations in CREATE TABLE LIKE
so that indexes are cloned before building foreign key constraints (Tom Lane)
This fixes the case where a self-referential foreign key constraint declared in the outer CREATE TABLE
depends on an index that's coming from the LIKE
clause.
Disallow CREATE STATISTICS
on system catalogs (Tomas Vondra)
Disallow converting an inheritance child table to a view (Tom Lane)
Ensure that disk space allocated for a dropped relation is released promptly at commit (Thomas Munro)
Previously, if the dropped relation spanned multiple 1GB segments, only the first segment was truncated immediately. Other segments were simply unlinked, which doesn't authorize the kernel to release the storage so long as any other backends still have the files open.
Prevent dropping a tablespace that is referenced by a partitioned relation, but is not used for any actual storage (Álvaro Herrera)
Previously this was allowed, but subsequent operations on the partitioned relation would fail.
Fix progress reporting for CLUSTER
(Matthias van de Meent)
Fix handling of backslash-escaped multibyte characters in COPY FROM
(Heikki Linnakangas)
A backslash followed by a multibyte character was not handled correctly. In some client character encodings, this could lead to misinterpreting part of a multibyte character as a field separator or end-of-copy-data marker.
Avoid preallocating executor hash tables in EXPLAIN
without ANALYZE
(Alexey Bashtanov)
Fix recently-introduced race conditions in LISTEN
/NOTIFY
queue handling (Tom Lane)
A newly-listening backend could attempt to read SLRU pages that were in process of being truncated, possibly causing an error.
The queue tail pointer could become set to a value that's not equal to the queue position of any backend, resulting in effective disabling of the queue truncation logic. Continued use of NOTIFY
then led to queue-fill warnings, and eventually to inability to send any more notifies until the server is restarted.
Allow the jsonb
concatenation operator to handle all combinations of JSON data types (Tom Lane)
We can concatenate two JSON objects or two JSON arrays. Handle other cases by wrapping non-array inputs in one-element arrays, then performing an array concatenation. Previously, some combinations of inputs followed this rule but others arbitrarily threw an error.
Fix use of uninitialized value while parsing a *
quantifier in a BRE-mode regular expression (Tom Lane)
This error could cause the quantifier to act non-greedy, that is behave like a *?
quantifier would do in full regular expressions.
Fix numeric power()
for the case where the exponent is exactly INT_MIN
(-2147483648) (Dean Rasheed)
Previously, a result with no significant digits was produced.
Fix integer-overflow cases in substring()
functions (Tom Lane, Pavel Stehule)
If the specified starting index and length overflow an integer when added together, substring()
misbehaved, either throwing a bogus “negative substring length” error for a case that should succeed, or failing to complain that a negative length is negative (and instead returning the whole string, in most cases).
Prevent possible data loss from incorrect detection of the wraparound point of an SLRU log (Noah Misch)
The wraparound point typically falls in the middle of a page, which must be rounded off to a page boundary, and that was not done correctly. No issue could arise unless an installation had gotten to within one page of SLRU overflow, which is unlikely in a properly-functioning system. If this did happen, it would manifest in later “apparent wraparound” or “could not access status of transaction” errors.
Fix memory leak in walsender processes while sending new snapshots for logical decoding (Amit Kapila)
Fix walsender to accept additional commands after terminating replication (Jeff Davis)
Ensure detection of deadlocks between hot standby backends and the startup (WAL-application) process (Fujii Masao)
The startup process did not run the deadlock detection code, so that in situations where the startup process is last to join a circular wait situation, the deadlock might never be recognized.
Fix possible failure to detect recovery conflicts while deleting an index entry that references a HOT chain (Peter Geoghegan)
The code failed to traverse the HOT chain and might thus compute a too-old XID horizon, which could lead to incorrect conflict processing in hot standby. The practical impact of this bug is limited; in most cases the correct XID horizon would be found anyway from nearby operations.
Ensure that a nonempty value of krb_server_keyfile
always overrides any setting of KRB5_KTNAME
in the server's environment (Tom Lane)
Previously, which setting took precedence depended on whether the client requests GSS encryption.
In server log messages about failing to match connections to pg_hba.conf
entries, include details about whether GSS encryption has been activated (Kyotaro Horiguchi, Tom Lane)
This is relevant data if hostgssenc
or hostnogssenc
entries exist.
Fix assorted issues in server's support for GSS encryption (Tom Lane)
Remove pointless restriction that only GSS authentication can be used on a GSS-encrypted connection. Add GSS encryption information to connection-authorized log messages. Include GSS-related space when computing the required size of shared memory (this omission could have caused problems with very high max_connections
settings). Avoid possible infinite recursion when reporting an unrecoverable GSS encryption error.
Ensure that unserviced requests for background workers are cleaned up when the postmaster begins a “smart” or “fast” shutdown sequence (Tom Lane)
Previously, there was a race condition whereby a child process that had requested a background worker just before shutdown could wait indefinitely, preventing shutdown from completing.
Fix portability problem in parsing of recovery_target_xid
values (Michael Paquier)
The target XID is potentially 64 bits wide, but it was parsed with strtoul()
, causing misbehavior on platforms where long
is 32 bits (such as Windows).
Avoid trying to use parallel index build in a standalone backend (Yulin Pei)
Allow index AMs to support included columns without necessarily supporting multiple key columns (Tom Lane)
Avoid assertion failure during parallel aggregation of an aggregate with a non-strict deserialization function (Andrew Gierth)
No such aggregate functions exist in core PostgreSQL, but some extensions such as PostGIS provide some. The mistake is harmless anyway in a non-assert build.
Avoid assertion failure in pg_get_functiondef()
when examining a function with a TRANSFORM
option (Tom Lane)
Fix data structure misallocation in PL/pgSQL's CALL
statement (Tom Lane)
A CALL
in a PL/pgSQL procedure, to another procedure that has OUT parameters, would fail if the called procedure did a COMMIT
or ROLLBACK
.
In libpq, do not skip trying SSL after GSS encryption (Tom Lane)
If we successfully made a GSS-encrypted connection, but then failed during authentication, we would fall back to an unencrypted connection rather than next trying an SSL-encrypted connection. This could lead to unexpected connection failure, or to silently getting an unencrypted connection where an encrypted one is expected. Fortunately, GSS encryption could only succeed if both client and server hold valid tickets in the same Kerberos infrastructure. It seems unlikely for that to be true in an environment that requires SSL encryption instead.
In psql, re-allow including a password in a connection_string
argument of a \connect
command (Tom Lane)
This used to work, but a recent bug fix caused the password to be ignored (resulting in prompting for a password).
In psql's \d
commands, don't truncate the display of column default values (Tom Lane)
Formerly, they were arbitrarily truncated at 128 characters.
Fix assorted bugs in psql's \help
command (Kyotaro Horiguchi, Tom Lane)
\help
with two argument words failed to find a command description using only the first word, for example \help reset all
should show the help for RESET
but did not. Also, \help
often failed to invoke the pager when it should. It also leaked memory.
Fix pg_dump's dumping of inherited generated columns (Peter Eisentraut)
The previous behavior resulted in (harmless) errors during restore.
In pg_dump, ensure that the restore script runs ALTER PUBLICATION ADD TABLE
commands as the owner of the publication, and similarly runs ALTER INDEX ATTACH PARTITION
commands as the owner of the partitioned index (Tom Lane)
Previously, these commands would be run by the role that started the restore script; which will usually work, but in corner cases that role might not have adequate permissions.
Fix pg_dump to handle WITH GRANT OPTION
in an extension's initial privileges (Noah Misch)
If an extension's script creates an object and grants privileges on it with grant option, then later the user revokes such privileges, pg_dump would generate incorrect SQL for reproducing the situation. (Few if any extensions do this today.)
In pg_rewind, ensure that all WAL is accounted for when rewinding a standby server (Ian Barwick, Heikki Linnakangas)
In pgbench, disallow a digit as the first character of a variable name (Fabien Coelho)
This prevents trying to substitute variables into timestamp literal values, which may contain strings like 12:34
.
Report the correct database name in connection failure error messages from some client programs (Álvaro Herrera)
If the database name was defaulted rather than given on the command line, pg_dumpall, pgbench, oid2name, and vacuumlo would produce misleading error messages after a connection failure.
Fix memory leak in contrib/auto_explain
(Japin Li)
Memory consumed while producing the EXPLAIN
output was not freed until the end of the current transaction (for a top-level statement) or the end of the surrounding statement (for a nested statement). This was particularly a problem with log_nested_statements
enabled.
In contrib/postgres_fdw
, avoid leaking open connections to remote servers when a user mapping or foreign server object is dropped (Bharath Rupireddy)
Open connections that depend on a dropped user mapping or foreign server can no longer be referenced, but formerly they were kept around anyway for the duration of the local session.
In contrib/pgcrypto
, check for error returns from OpenSSL's EVP functions (Michael Paquier)
We do not really expect errors here, but this change silences warnings from static analysis tools.
Make contrib/pg_prewarm
more robust when the cluster is shut down before prewarming is complete (Tom Lane)
Previously, autoprewarm would rewrite its status file with only the block numbers that it had managed to load so far, thus perhaps largely disabling the prewarm functionality in the next startup. Instead, suppress status file updates until the initial loading pass is complete.
In contrib/pg_trgm
's GiST index support, avoid crash in the rare case that picksplit is called on exactly two index items (Andrew Gierth, Alexander Korotkov)
Fix miscalculation of timeouts in contrib/pg_prewarm
and contrib/postgres_fdw
(Alexey Kondratov, Tom Lane)
The main loop in contrib/pg_prewarm
's autoprewarm parent process underestimated its desired sleep time by a factor of 1000, causing it to consume much more CPU than intended. When waiting for a result from a remote server, contrib/postgres_fdw
overestimated the desired timeout by a factor of 1000 (though this error had been mitigated by imposing a clamp to 60 seconds).
Both of these errors stemmed from incorrectly converting seconds-and-microseconds to milliseconds. Introduce a new API TimestampDifferenceMilliseconds()
to make it easier to get this right in the future.
Improve configure's heuristics for selecting PG_SYSROOT
on macOS (Tom Lane)
The new method is more likely to produce desirable results when Xcode is newer than the underlying operating system. Choosing a sysroot that does not match the OS version may result in nonfunctional executables.
While building on macOS, specify -isysroot
in link steps as well as compile steps (James Hilliard)
This likewise improves the results when Xcode is out of sync with the operating system.
Fix JIT compilation to be compatible with LLVM 11 and LLVM 12 (Andres Freund)
Fix potential mishandling of references to boolean variables in JIT expression compilation (Andres Freund)
No field reports attributable to this have been seen, but it seems likely that it could cause problems on some architectures.
Fix compile failure with ICU 68 and later (Tom Lane)
Avoid memcpy()
with a NULL source pointer and zero count during partitioned index creation (Álvaro Herrera)
While such a call is not known to cause problems in itself, some compilers assume that the arguments of memcpy()
are never NULL, which could result in incorrect optimization of nearby code.
Update time zone data files to tzdata release 2021a for DST law changes in Russia (Volgograd zone) and South Sudan, plus historical corrections for Australia, Bahamas, Belize, Bermuda, Ghana, Israel, Kenya, Nigeria, Palestine, Seychelles, and Vanuatu.
Notably, the Australia/Currie zone has been corrected to the point where it is identical to Australia/Hobart.
Release date: 2020-11-12
This release contains a variety of fixes from 12.4. For information about new features in major release 12, see Version 12.0.
A dump/restore is not required for those running 12.X.
However, if you are upgrading from a version earlier than 12.2, see Version 12.2.
Block DECLARE CURSOR ... WITH HOLD
and firing of deferred triggers within index expressions and materialized view queries (Noah Misch)
This is essentially a leak in the “security restricted operation” sandbox mechanism. An attacker having permission to create non-temporary SQL objects could parlay this leak to execute arbitrary SQL code as a superuser.
The PostgreSQL Project thanks Etienne Stalmans for reporting this problem. (CVE-2020-25695 or CVE-2020-25695)
Fix usage of complex connection-string parameters in pg_dump, pg_restore, clusterdb, reindexdb, and vacuumdb (Tom Lane)
The -d
parameter of pg_dump and pg_restore, or the --maintenance-db
parameter of the other programs mentioned, can be a “connection string” containing multiple connection parameters rather than just a database name. In cases where these programs need to initiate additional connections, such as parallel processing or processing of multiple databases, the connection string was forgotten and just the basic connection parameters (database name, host, port, and username) were used for the additional connections. This could lead to connection failures if the connection string included any other essential information, such as non-default SSL or GSS parameters. Worse, the connection might succeed but not be encrypted as intended, or be vulnerable to man-in-the-middle attacks that the intended connection parameters would have prevented. (CVE-2020-25694 or CVE-2020-25694)
When psql's \connect
command re-uses connection parameters, ensure that all non-overridden parameters from a previous connection string are re-used (Tom Lane)
This avoids cases where reconnection might fail due to omission of relevant parameters, such as non-default SSL or GSS options. Worse, the reconnection might succeed but not be encrypted as intended, or be vulnerable to man-in-the-middle attacks that the intended connection parameters would have prevented. This is largely the same problem as just cited for pg_dump et al, although psql's behavior is more complex since the user may intentionally override some connection parameters. (CVE-2020-25694 or CVE-2020-25694)
Prevent psql's \gset
command from modifying specially-treated variables (Noah Misch)
\gset
without a prefix would overwrite whatever variables the server told it to. Thus, a compromised server could set specially-treated variables such as PROMPT1
, giving the ability to execute arbitrary shell code in the user's session.
The PostgreSQL Project thanks Nick Cleaton for reporting this problem. (CVE-2020-25696 or CVE-2020-25696)
Prevent possible data loss from concurrent truncations of SLRU logs (Noah Misch)
This rare problem would manifest in later “apparent wraparound” or “could not access status of transaction” errors.
Ensure that SLRU directories are properly fsync'd during checkpoints (Thomas Munro)
This prevents possible data loss in a subsequent operating system crash.
Fix ALTER ROLE
for users with the BYPASSRLS
attribute (Tom Lane, Stephen Frost)
The BYPASSRLS
attribute is only allowed to be changed by superusers, but other ALTER ROLE
operations, such as password changes, should be allowed with only ordinary permission checks. The previous coding erroneously restricted all changes on such a role to superusers.
Ensure that ALTER TABLE ONLY ... ENABLE/DISABLE TRIGGER
does not recurse to child tables (Álvaro Herrera)
Previously the ONLY
flag was ignored.
Avoid unnecessary recursion to partitions in ALTER TABLE SET NOT NULL
, when the target column is already marked NOT NULL
(Tom Lane)
This avoids a potential deadlock in parallel pg_restore.
Fix handling of expressions in CREATE TABLE LIKE
with inheritance (Tom Lane)
If a CREATE TABLE
command uses both LIKE
and traditional inheritance, column references in CHECK
constraints and expression indexes that came from a LIKE
parent table tended to get mis-numbered, resulting in wrong answers and/or bizarre error messages. The same could happen in GENERATED
expressions, in branches that have that feature.
Disallow DROP INDEX CONCURRENTLY
on a partitioned table (Álvaro Herrera, Michael Paquier)
This case failed anyway, but with a confusing error message.
Allow LOCK TABLE
to succeed on a self-referential view (Tom Lane)
It previously threw an error complaining about infinite recursion, but there seems no need to disallow the case.
Retain statistics about an index across REINDEX CONCURRENTLY
(Michael Paquier, Fabrízio de Royes Mello)
Non-concurrent reindexing has always preserved such statistics.
Fix incorrect progress reporting from REINDEX CONCURRENTLY
(Matthias van de Meent, Michael Paquier)
Ensure that GENERATED
columns are updated when the column(s) they depend on are updated via a rule or an updatable view (Tom Lane)
This fix also takes care of possible failure to fire a column-specific trigger in such cases.
Recheck default partition constraints while routing an inserted or updated tuple to the correct partition (Amit Langote, Álvaro Herrera)
This fixes race conditions when partitions are added concurrently with the insertion.
Fix failures with collation-dependent partition bound expressions (Tom Lane)
Support hashing of text arrays (Peter Eisentraut)
Array hashing failed if the array element type is collatable. Notably, this prevented using hash partitioning with a text array column as partition key.
Fix off-by-one conversion of negative years to BC dates in to_date()
and to_timestamp()
(Dar Alathar-Yemen, Tom Lane)
Also, arrange for the combination of a negative year and an explicit “BC” marker to cancel out and produce AD.
Ensure that standby servers will archive WAL timeline history files when archive_mode
is set to always
(Grigory Smolkin, Fujii Masao)
This oversight could lead to failure of subsequent PITR recovery attempts.
Fix “cache lookup failed for relation 0” failures in logical replication workers (Tom Lane)
The real-world impact is small, since the failure is unlikely, and if it does happen the worker would just exit and be restarted.
Prevent logical replication workers from sending redundant ping requests (Tom Lane)
During “smart” shutdown, don't terminate background processes until all client (foreground) sessions are done (Tom Lane)
The previous behavior broke parallel query processing, since the postmaster would terminate parallel workers and refuse to launch any new ones. It also caused autovacuum to cease functioning, which could have dire long-term effects if the surviving client sessions make a lot of data changes.
Avoid recursive consumption of stack space while processing signals in the postmaster (Tom Lane)
Heavy use of parallel processing has been observed to cause postmaster crashes due to too many concurrent signals requesting creation of a parallel worker process.
Avoid running atexit handlers when exiting due to SIGQUIT (Kyotaro Horiguchi, Tom Lane)
Most server processes followed this practice already, but the archiver process was overlooked. Backends that were still waiting for a client startup packet got it wrong, too.
Avoid misoptimization of subquery qualifications that reference apparently-constant grouping columns (Tom Lane)
A “constant” subquery output column isn't really constant if it is a grouping column that appears in only some of the grouping sets.
Fix possible crash when considering partition-wise joins during GEQO planning (Tom Lane)
Avoid failure when SQL function inlining changes the shape of a potentially-hashable subplan comparison expression (Tom Lane)
While building or re-building an index, tolerate the appearance of new HOT chains due to concurrent updates (Anastasia Lubennikova, Álvaro Herrera)
This oversight could lead to “failed to find parent tuple for heap-only tuple” errors.
Fix failure of parallel B-tree index scans when the index condition is unsatisfiable (James Hunter)
Ensure that data is detoasted before being inserted into a BRIN index (Tomas Vondra)
Index entries are not supposed to contain out-of-line TOAST pointers, but BRIN didn't get that memo. This could lead to errors like “missing chunk number 0 for toast value NNN”. (If you are faced with such an error from an existing index, REINDEX
should be enough to fix it.)
Handle concurrent desummarization correctly during BRIN index scans (Alexander Lakhin, Álvaro Herrera)
Previously, if a page range was desummarized at just the wrong time, an index scan might falsely raise an error indicating index corruption.
Fix rare “lost saved point in index” errors in scans of multicolumn GIN indexes (Tom Lane)
Fix buffered GiST index builds to work when the index has included columns (Pavel Borisov)
Fix unportable use of getnameinfo()
in pg_hba_file_rules
view (Tom Lane)
On FreeBSD 11, and possibly other platforms, the view's address
and netmask
columns were always null due to this error.
Avoid crash if debug_query_string
is NULL when starting a parallel worker (Noah Misch)
Fix use-after-free hazard when an event trigger monitors an ALTER TABLE
operation (Jehan-Guillaume de Rorthais)
Avoid failures when a BEFORE ROW UPDATE
trigger returns the “old” row of a table having dropped or “missing” columns (Amit Langote, Tom Lane)
This method of suppressing an update could result in crashes, unexpected CHECK
constraint failures, or incorrect RETURNING
output, because “missing” columns would read as NULLs for those purposes. (A column is “missing” for this purpose if it was added by ALTER TABLE ADD COLUMN
with a non-NULL, but constant, default value.) Dropped columns could cause trouble as well.
Fix incorrect error message about inconsistent moving-aggregate data types (Jeff Janes)
Avoid lockup when a parallel worker reports a very long error message (Vignesh C)
Avoid unnecessary failure when transferring very large payloads through shared memory queues (Markus Wanner)
Fix incorrect handling of template function attributes in JIT code generation (Andres Freund)
This has been shown to cause crashes on s390x
, and very possibly there are other cases on other platforms.
Fix relation cache memory leaks with RLS policies (Tom Lane)
Fix edge-case memory leak in index_get_partition()
(Justin Pryzby)
Fix small memory leak when SIGHUP processing decides that a new GUC variable value cannot be applied without a restart (Tom Lane)
Fix memory leaks in PL/pgsql's CALL
processing (Pavel Stehule, Tom Lane)
Make libpq support arbitrary-length lines in .pgpass
files (Tom Lane)
This is mostly useful to allow using very long security tokens as passwords.
In libpq for Windows, call WSAStartup()
once per process and WSACleanup()
not at all (Tom Lane, Alexander Lakhin)
Previously, libpq invoked WSAStartup()
at connection start and WSACleanup()
at connection cleanup. However, it appears that calling WSACleanup()
can interfere with other program operations; notably, we have observed rare failures to emit expected output to stdout. There appear to be no ill effects from omitting the call, so do that. (This also eliminates a performance issue from repeated DLL loads and unloads when a program performs a series of database connections.)
Fix ecpg library's per-thread initialization logic for Windows (Tom Lane, Alexander Lakhin)
Multi-threaded ecpg applications could suffer rare misbehavior due to incorrect locking.
On Windows, make psql read the output of a backtick command in text mode, not binary mode (Tom Lane)
This ensures proper handling of newlines.
Ensure that pg_dump collects per-column information about extension configuration tables (Fabrízio de Royes Mello, Tom Lane)
Failure to do this led to crashes when specifying --inserts
, or underspecified (though usually correct) COPY
commands when using COPY
to reload the tables' data.
Ensure that parallel pg_restore processes foreign keys referencing partitioned tables in the correct order (Álvaro Herrera)
Previously, it might try to restore a foreign key constraint before the required indexes were all in place, leading to an error.
Make pg_upgrade check for pre-existence of tablespace directories in the target cluster (Bruce Momjian)
Fix potential memory leak in contrib/pgcrypto
(Michael Paquier)
Add check for an unlikely failure case in contrib/pgcrypto
(Daniel Gustafsson)
Fix recently-added timetz
test case so it works when the USA is not observing daylight savings time (Tom Lane)
Update time zone data files to tzdata release 2020d for DST law changes in Fiji, Morocco, Palestine, the Canadian Yukon, Macquarie Island, and Casey Station (Antarctica); plus historical corrections for France, Hungary, Monaco, and Palestine.
Sync our copy of the timezone library with IANA tzcode release 2020d (Tom Lane)
This absorbs upstream's change of zic's default output option from “fat” to “slim”. That's just cosmetic for our purposes, as we continue to select the “fat” mode in pre-v13 branches. This change also ensures that strftime()
does not change errno
unless it fails.
Release date: 2020-08-13
This release contains a variety of fixes from 12.3. For information about new features in major release 12, see Version 12.0.
A dump/restore is not required for those running 12.X.
However, if you are upgrading from a version earlier than 12.2, see Version 12.2.
Set a secure search_path
in logical replication walsenders and apply workers (Noah Misch)
A malicious user of either the publisher or subscriber database could potentially cause execution of arbitrary SQL code by the role running replication, which is often a superuser. Some of the risks here are equivalent to those described in CVE-2018-1058 or CVE-2018-1058, and are mitigated in this patch by ensuring that the replication sender and receiver execute with empty search_path
settings. (As with CVE-2018-1058 or CVE-2018-1058, that change might cause problems for under-qualified names used in replicated tables' DDL.) Other risks are inherent in replicating objects that belong to untrusted roles; the most we can do is document that there is a hazard to consider. (CVE-2020-14349 or CVE-2020-14349)
Make contrib modules' installation scripts more secure (Tom Lane)
Attacks similar to those described in CVE-2018-1058 or CVE-2018-1058 could be carried out against an extension installation script, if the attacker can create objects in either the extension's target schema or the schema of some prerequisite extension. Since extensions often require superuser privilege to install, this can open a path to obtaining superuser privilege. To mitigate this risk, be more careful about the search_path
used to run an installation script; disable check_function_bodies
within the script; and fix catalog-adjustment queries used in some contrib modules to ensure they are secure. Also provide documentation to help third-party extension authors make their installation scripts secure. This is not a complete solution; extensions that depend on other extensions can still be at risk if installed carelessly. (CVE-2020-14350 or CVE-2020-14350)
Fix edge cases in partition pruning (Etsuro Fujita, Dmitry Dolgov)
When there are multiple partition key columns, generation of pruning tests could misbehave if some columns had no constraining WHERE
clauses or multiple constraining clauses. This could lead to server crashes, incorrect query results, or assertion failures.
Fix construction of parameterized BitmapAnd and BitmapOr index scans on the inside of partition-wise nestloop joins (Tom Lane)
A plan in which such a scan needed to use a value from the outside of the join would usually crash at execution.
Fix incorrect plan execution when a partitioned table is subject to both static and run-time partition pruning in the same query, and a new partition is added concurrently with the query (Amit Langote, Tom Lane)
In logical replication walsender, fix failure to send feedback messages after sending a keepalive message (Álvaro Herrera)
This is a relatively minor problem when using built-in logical replication, because the built-in walreceiver will send a feedback reply (which clears the incorrect state) fairly frequently anyway. But with some other replication systems, such as pglogical, it causes significant performance issues.
Fix firing of column-specific UPDATE
triggers in logical replication subscribers (Tom Lane)
The code neglected to account for the possibility of column numbers being different between the publisher and subscriber tables, so that if those were indeed different, wrong decisions might be made about which triggers to fire.
Update oldest xmin and LSN values during pg_replication_slot_advance()
(Michael Paquier)
This function previously failed to do that, possibly preventing resource cleanup (such as removal of no-longer-needed WAL segments) after manual advancement of a replication slot.
Fix slow execution of ts_headline()
(Tom Lane)
The phrase-search fix added in our previous set of minor releases could cause ts_headline()
to take unreasonable amounts of time for long documents; to make matters worse, the query was not cancellable within the troublesome loop.
Ensure the repeat()
function can be interrupted by query cancel (Joe Conway)
Fix pg_current_logfile()
to not include a carriage return (\r
) in its result on Windows (Tom Lane)
Ensure that pg_read_file()
and related functions read until EOF is reached (Joe Conway)
Previously, if not given a specific data length to read, these functions would stop at whatever file length was reported by stat()
. That's unhelpful for pipes and other sorts of virtual files.
Forbid numeric NaN
values in jsonpath
computations (Alexander Korotkov)
Neither SQL nor JSON have the concept of NaN
(not-a-number), but the jsonpath
code attempted to allow such values anyway. This necessarily leads to nonstandard behavior, so it seems better to reject such values at the outset.
Handle single Inf
or NaN
inputs correctly in floating-point aggregates (Tom Lane)
The affected aggregates are corr()
, covar_pop()
, regr_intercept()
, regr_r2()
, regr_slope()
, regr_sxx()
, regr_sxy()
, regr_syy()
, stddev_pop()
, and var_pop()
. The correct answer in such cases is NaN
, but an algorithmic change introduced in PostgreSQL v12 had caused these aggregates to produce zero instead.
Fix mis-handling of NaN
inputs during parallel aggregation on numeric
-type columns (Tom Lane)
If some partial aggregation workers found only NaN
s while others found only non-NaN
s, the results were combined incorrectly, possibly leading to the wrong overall result (i.e., not NaN
when it should be).
Reject time-of-day values greater than 24 hours (Tom Lane)
The intention of the datetime input code is to allow “24:00:00” or equivalently “23:59:60”, but no larger value. However, the range check was miscoded so that it would accept “23:59:60.nnn
” with nonzero fractional-second nnn
. In timestamp values this would result in wrapping into the first second of the next day. In time
and timetz
values, the stored value would actually be more than 24 hours, causing dump/reload failures and possibly other misbehavior.
Undo double-quoting of index names in EXPLAIN
's non-text output formats (Tom Lane, Euler Taveira)
Fix EXPLAIN
's accounting for resource usage, particularly buffer accesses, in parallel workers in a plan using Gather Merge
nodes (Jehan-Guillaume de Rorthais)
Fix timing of constraint revalidation in ALTER TABLE
(David Rowley)
If ALTER TABLE
needs to fully rewrite the table's contents (for example, due to change of a column's data type) and also needs to scan the table to re-validate foreign keys or CHECK
constraints, it sometimes did things in the wrong order, leading to odd errors such as “could not read block 0 in file "base/nnnnn/nnnnn": read only 0 of 8192 bytes”.
Fix REINDEX CONCURRENTLY
to preserve the index's replication identity flag (Michael Paquier)
Previously, reindexing a table's replica identity index caused the setting to be lost, preventing old tuple values from being included in future logical-decoding output.
Work around incorrect not-null markings for pg_subscription
.subslotname
and pg_subscription_rel
.srsublsn
(Tom Lane)
The bootstrap catalog data incorrectly marks these two catalog columns as always non-null. There's no easy way to correct that mistake in existing installations (though v13 and later will have the correct markings). The main place that depends on that marking being correct is JIT-enabled tuple deconstruction, so teach it to explicitly ignore the marking for these two columns. Also adjust some C code that accessed srsublsn
without checking to see if it's null; a crash from that is improbable but perhaps not impossible.
Cope with LATERAL
references in restriction clauses attached to an un-flattened sub-SELECT
in the FROM
clause (Tom Lane)
This oversight could result in assertion failures or crashes at query execution.
Use the query-specified collation for operators invoked during selectivity estimation (Tom Lane)
Previously, the collation of the underlying database column was used. But using the query's collation is arguably more correct. More importantly, now that we have nondeterministic collations, there are cases where an operator will fail outright if given a nondeterministic collation. We don't want planning to fail in cases where the query itself would work, so this means that we must use the query's collation when invoking operators for estimation purposes.
Avoid believing that a never-analyzed foreign table has zero tuples (Tom Lane)
This primarily affected the planner's estimate of the number of groups that would be obtained by GROUP BY
.
Remove bogus warning about “leftover placeholder tuple” in BRIN index de-summarization (Álvaro Herrera)
The case can occur legitimately after a cancelled vacuum, so warning about it is overly noisy.
Fix selection of tablespaces for “shared fileset” temporary files (Magnus Hagander, Tom Lane)
If temp_tablespaces
is empty or explicitly names the database's primary tablespace, such files got placed into the pg_default
tablespace rather than the database's primary tablespace as expected.
Fix corner-case error in masking of SP-GiST index pages during WAL consistency checking (Alexander Korotkov)
This could cause false failure reports when wal_consistency_checking
is enabled.
Improve error handling in the server's buffile
module (Thomas Munro)
Fix some cases where I/O errors were indistinguishable from reaching EOF, or were not reported at all. Also add details such as block numbers and byte counts where appropriate.
Fix conflict-checking anomalies in SERIALIZABLE
isolation mode (Peter Geoghegan)
If a concurrently-inserted tuple was updated by a different concurrent transaction, and neither tuple version was visible to the current transaction's snapshot, serialization conflict checking could draw the wrong conclusions about whether the tuple was relevant to the results of the current transaction. This could allow a serializable transaction to commit when it should have failed with a serialization error.
Avoid repeated marking of dead btree index entries as dead (Masahiko Sawada)
While functionally harmless, this led to useless WAL traffic when checksums are enabled or wal_log_hints
is on.
Fix checkpointer process to discard file sync requests when fsync
is off (Heikki Linnakangas)
Such requests are treated as no-ops if fsync
is off, but we forgot to remove them from the checkpointer's table of pending actions. This would lead to bloat of that table, as well as possible assertion failures if fsync
is later re-enabled.
Avoid trouble during cleanup of a non-exclusive backup when JIT compilation has been activated during the backup (Robert Haas)
Fix failure of some code paths to acquire the correct lock before modifying pg_control
(Nathan Bossart, Fujii Masao)
This oversight could allow pg_control
to be written out with an inconsistent checksum, possibly causing trouble later, including inability to restart the database if it crashed before the next pg_control
update.
Fix errors in currtid()
and currtid2()
(Michael Paquier)
These functions (which are undocumented and used only by ancient versions of the ODBC driver) contained coding errors that could result in crashes, or in confusing error messages such as “could not open file” when applied to a relation having no storage.
Avoid calling elog()
or palloc()
while holding a spinlock (Michael Paquier, Tom Lane)
Logic associated with replication slots had several violations of this coding rule. While the odds of trouble are quite low, an error in the called function would lead to a stuck spinlock.
Fix assertion in logical replication subscriber to allow use of REPLICA IDENTITY FULL
(Euler Taveira)
This was just an incorrect assertion, so it has no impact on standard production builds.
Ensure that libpq continues to try to read from the database connection socket after a write failure (Tom Lane)
This is important not only to ensure that we collect any final error message from a dying server process, but because we do not consider the connection lost until we see a read failure. This oversight allowed libpq to continue trying to send COPY
data indefinitely after a mid-transfer loss of connection, rather than reporting failure to the application.
Fix bugs in libpq's management of GSS encryption state (Tom Lane)
A connection using GSS encryption could freeze up when attempting to reset it after a server restart, or when moving on to the next one of a list of candidate servers.
Fix ecpg crash with bytea
and cursor variables (Jehan-Guillaume de Rorthais)
Report out-of-disk-space errors properly in pg_dump and pg_basebackup (Justin Pryzby, Tom Lane, Álvaro Herrera)
Some code paths could produce silly reports like “could not write file: Success”.
Make pg_restore cope with data-offset-less custom-format archive files when it needs to restore data items out of order (David Gilman, Tom Lane)
pg_dump will produce such files if it cannot seek its output (for example, if the output is piped to something). This fix primarily improves the ability to do a parallel restore from such a file.
Fix parallel restore of tables having both table-level privileges and per-column privileges (Tom Lane)
The table-level privilege grants have to be applied first, but a parallel restore did not reliably order them that way; this could lead to “tuple concurrently updated” errors, or to disappearance of some per-column privilege grants. The fix for this is to include dependency links between such entries in the archive file, meaning that a new dump has to be taken with a corrected pg_dump to ensure that the problem will not recur.
Ensure that pg_upgrade runs with vacuum_defer_cleanup_age
set to zero in the target cluster (Bruce Momjian)
If the target cluster's configuration has been modified to set vacuum_defer_cleanup_age
to a nonzero value, that prevented freezing of the system catalogs from working properly, which caused the upgrade to fail in confusing ways. Ensure that any such setting is overridden for the duration of the upgrade.
Fix pg_recvlogical to drain pending messages before exiting (Noah Misch)
Without this, the replication sender might detect a send failure and exit without making the expected final update to the replication slot's LSN position. That led to re-transmitting data after the next connection. It was also possible to miss error messages sent after the last data that pg_recvlogical wants to consume.
Fix pg_rewind's handling of just-deleted files in the source data directory (Justin Pryzby, Michael Paquier)
When working with an on-line source database, concurrent file deletions are possible, but pg_rewind would get confused if deletion happened between seeing a file's directory entry and examining it with stat()
.
Make pg_test_fsync use binary I/O mode on Windows (Michael Paquier)
Previously it wrote the test file in text mode, which is not an accurate reflection of PostgreSQL's actual usage.
Fix contrib/amcheck
to not complain about deleted index pages that are empty (Alexander Korotkov)
This state of affairs is normal during WAL replay.
Fix failure to initialize local state correctly in contrib/dblink
(Joe Conway)
With the right combination of circumstances, this could lead to dblink_close()
issuing an unexpected remote COMMIT
.
Fix contrib/pgcrypto
's misuse of deflate()
(Tom Lane)
The pgp_sym_encrypt
functions could produce incorrect compressed data due to mishandling of zlib's API requirements. We have no reports of this error manifesting with stock zlib, but it can be seen when using IBM's zlibNX implementation.
Fix corner case in decompression logic in contrib/pgcrypto
's pgp_sym_decrypt
functions (Kyotaro Horiguchi, Michael Paquier)
A compressed stream can validly end with an empty packet, but the decompressor failed to handle this and would complain about corrupt data.
Support building our NLS code with Microsoft Visual Studio 2015 or later (Juan José Santamaría Flecha, Davinder Singh, Amit Kapila)
Avoid possible failure of our MSVC install script when there is a file named configure
several levels above the source code tree (Arnold Müller)
This could confuse some logic that looked for configure
to identify the top level of the source tree.
Release date: 2020-05-14
This release contains a variety of fixes from 12.2. For information about new features in major release 12, see Version 12.0.
A dump/restore is not required for those running 12.X.
However, if you are upgrading from a version earlier than 12.2, see Version 12.2.
Fix possible failure with GENERATED
columns (David Rowley)
If a GENERATED
column's value is an exact copy of another column of the table (and it is a pass-by-reference data type), it was possible to crash or insert corrupted data into the table. While it would be rather pointless for a GENERATED
expression to just duplicate another column, an expression using a function that sometimes returns its input unchanged could create the situation.
Handle inheritance of generated columns better (Peter Eisentraut)
When a table column is inherited during CREATE TABLE ... INHERITS
, disallow changing any generation properties when the parent column is already marked GENERATED
; but allow a child column to be marked GENERATED
when its parent is not.
Fix cross-column references in CREATE TABLE LIKE INCLUDING GENERATED
(Peter Eisentraut)
CREATE TABLE ... LIKE
failed when trying to copy a GENERATED
expression that references a physically-later column.
Propagate ALTER TABLE ... SET STORAGE
to indexes (Peter Eisentraut)
Non-expression index columns have always copied the attstorage
property of their table column at creation. Update them when ALTER TABLE ... SET STORAGE
is done, to maintain consistency.
Preserve the indisclustered
setting of indexes rewritten by ALTER TABLE
(Amit Langote, Justin Pryzby)
Previously, ALTER TABLE
lost track of which index had been used for CLUSTER
.
Preserve the replica identity properties of indexes rewritten by ALTER TABLE
(Quan Zongliang, Peter Eisentraut)
Preserve the indisclustered
setting of indexes rebuilt by REINDEX CONCURRENTLY
(Justin Pryzby)
Lock objects sooner during DROP OWNED BY
(Álvaro Herrera)
This avoids failures in race-condition cases where another session is deleting some of the same objects.
Fix error-case processing for CREATE ROLE ... IN ROLE
(Andrew Gierth)
Some error cases would be reported as “unexpected node type” or the like, instead of the intended message.
Ensure that when a partition is detached, any triggers cloned from its formerly-parent table are removed (Justin Pryzby)
Fix crash when COLLATE
is applied to a non-collatable type in a partition bound expression (Dmitry Dolgov)
Ensure that unique indexes over partitioned tables match the equality semantics of the partitioning key (Guancheng Luo)
This would only be an issue with index opclasses that have unusual notions of equality, but it's wrong in theory, so check.
Ensure that members of the pg_read_all_stats
role can read all statistics views, as expected (Magnus Hagander)
The functions underlying the pg_stat_progress_*
views had not gotten this memo.
Repair performance regression in information_schema
.triggers
view (Tom Lane)
This patch redefines that view so that an outer WHERE
clause constraining the table name can be pushed down into the view, allowing its calculations to be done only for triggers belonging to the table of interest rather than all triggers in the database. In a database with many triggers this would make a significant speed difference for queries of that form. Since things worked that way before v11, this is a potential performance regression. Users who find this to be a problem can fix it by replacing the view definition (or, perhaps, just deleting and reinstalling the whole information_schema
schema).
Repair performance regression in floating point overflow/underflow detection (Emre Hasegeli)
Previous refactoring had resulted in isinf()
being called extra times in some hot code paths.
Fix full text search to handle NOT above a phrase search correctly (Tom Lane)
Queries such as !(foo<->bar)
failed to find matching rows when implemented as a GiST or GIN index search.
Fix full text search for cases where a phrase search includes an item with both prefix matching and a weight restriction (Tom Lane)
Fix ts_headline()
to make better headline selections when working with phrase queries (Tom Lane)
Fix bugs in gin_fuzzy_search_limit
processing (Adé Heyward, Tom Lane)
A small value of gin_fuzzy_search_limit
could result in unexpected slowness due to unintentionally rescanning the same index page many times. Another code path failed to apply the intended filtering at all, possibly returning too many values.
Allow input of type circle
to accept the format “(
” as the documentation says it does (David Zhang)x
,y
),r
Make the get_bit()
and set_bit()
functions cope with bytea
strings longer than 256MB (Movead Li)
Since the bit number argument is only int4
, it's impossible to use these functions to access bits beyond the first 256MB of a long bytea
. We'll widen the argument to int8
in v13, but in the meantime, allow these functions to work on the initial substring of a long bytea
.
Ignore file-not-found errors in pg_ls_waldir()
and allied functions (Tom Lane)
This prevents a race condition failure if a file is removed between when we see its directory entry and when we attempt to stat()
it.
Avoid possibly leaking an open-file descriptor for a directory in pg_ls_dir()
, pg_timezone_names()
, pg_tablespace_databases()
, and allied functions (Justin Pryzby)
Fix polymorphic-function type resolution to correctly infer the actual type of an anyarray
output when given only an anyrange
input (Tom Lane)
Fix server's connection-startup logic for case where a GSSAPI connection is rejected because support is not compiled in, and the client then tries SSL instead (Andrew Gierth)
This led to a bogus “unsupported frontend protocol” failure.
Fix memory leakage during GSSAPI encryption (Tom Lane)
Both the backend and libpq would leak memory equivalent to the total amount of data sent during the session, if GSSAPI encryption is in use.
Fix query-lifespan memory leak for a set-returning function used in a query's FROM
clause (Andres Freund)
Avoid leakage of a hashed subplan's hash tables across multiple executions (Andreas Karlsson, Tom Lane)
This mistake could result in severe memory bloat if a query re-executed a hashed subplan enough times.
Improve planner's handling of no-op domain coercions (Tom Lane)
Fix some cases where a domain coercion that does nothing was not completely removed from expressions.
Avoid unlikely crash when REINDEX
is terminated by a session-shutdown signal (Tom Lane)
Prevent printout of possibly-incorrect hash join table statistics in EXPLAIN
(Konstantin Knizhnik, Tom Lane, Thomas Munro)
Fix reporting of elapsed time for heap truncation steps in VACUUM VERBOSE
(Tatsuhito Kasahara)
Fix possible undercounting of deleted B-tree index pages in VACUUM VERBOSE
output (Peter Geoghegan)
Fix wrong bookkeeping for oldest deleted page in a B-tree index (Peter Geoghegan)
This could cause subtly wrong decisions about when VACUUM
can skip an index cleanup scan; although it appears there may be no significant user-visible effects from that.
Ensure that TimelineHistoryRead and TimelineHistoryWrite wait states are reported in all code paths that read or write timeline history files (Masahiro Ikeda)
Avoid possibly showing “waiting” twice in a process's PS status (Masahiko Sawada)
Avoid race condition when ANALYZE
replaces the catalog tuple for extended statistics data (Dean Rasheed)
Remove ill-considered skip of “redundant” anti-wraparound vacuums (Michael Paquier)
This avoids a corner case where autovacuum could get into a loop of repeatedly trying and then skipping the same vacuum job.
Ensure INCLUDE'd columns are always removed from B-tree pivot tuples (Peter Geoghegan)
This mistake wasted space in some rare cases, but was otherwise harmless.
Cope with invalid TOAST indexes that could be left over after a failed REINDEX CONCURRENTLY
(Julien Rouhaud)
Ensure that valid index dependencies are left behind after a failed REINDEX CONCURRENTLY
(Michael Paquier)
Previously the old index could be left with no pg_depend
links at all, so that for example it would not get dropped if the parent table is dropped.
Avoid failure if autovacuum tries to access a just-dropped temporary schema (Tom Lane)
This hazard only arises if a superuser manually drops a temporary schema; which isn't normal practice, but should work.
Avoid premature recycling of WAL segments during crash recovery (Jehan-Guillaume de Rorthais)
WAL segments that become ready to be archived during crash recovery were potentially recycled without being archived.
Avoid scanning irrelevant timelines during archive recovery (Kyotaro Horiguchi)
This can eliminate many attempts to fetch non-existent WAL files from archive storage, which is helpful if archive access is slow.
Remove bogus “subtransaction logged without previous top-level txn record” error check in logical decoding (Arseny Sher, Amit Kapila)
This condition is legitimately reachable in various scenarios, so remove the check.
Avoid possible failure after a replication slot copy, due to premature removal of WAL data (Masahiko Sawada, Arseny Sher)
Ensure that a replication slot's io_in_progress_lock
is released in failure code paths (Pavan Deolasee)
This could result in a walsender later becoming stuck waiting for the lock.
Ensure that generated columns are correctly handled during updates issued by logical replication (Peter Eisentraut)
Fix race conditions in synchronous standby management (Tom Lane)
During a change in the synchronous_standby_names
setting, there was a window in which wrong decisions could be made about whether it is OK to release transactions that are waiting for synchronous commit. Another hazard for similarly wrong decisions existed if a walsender process exited and was immediately replaced by another.
Add missing SQLSTATE values to a few error reports (Sawada Masahiko)
Fix PL/pgSQL to reliably refuse to execute an event trigger function as a plain function (Tom Lane)
Fix memory leak in libpq when using sslmode=verify-full
(Roman Peshkurov)
Certificate verification during connection startup could leak some memory. This would become an issue if a client process opened many database connections during its lifetime.
Fix ecpg to treat an argument of just “-
” as meaning “read from stdin” on all platforms (Tom Lane)
Fix crash in psql when attempting to re-establish a failed connection (Michael Paquier)
Allow tab-completion of the filename argument to psql's \gx
command (Vik Fearing)
Add pg_dump support for ALTER ... DEPENDS ON EXTENSION
(Álvaro Herrera)
pg_dump previously ignored dependencies added this way, causing them to be forgotten during dump/restore or pg_upgrade.
Fix pg_dump to dump comments on RLS policy objects (Tom Lane)
In pg_dump, postpone restore of event triggers till the end (Fabrízio de Royes Mello, Hamid Akhtar, Tom Lane)
This minimizes the risk that an event trigger could interfere with the restoration of other objects.
Ensure that pg_basebackup generates valid tar files (Robert Haas)
In some cases a partial block of zeroes would be added to the end of the file. While this seems to be harmless with common versions of tar, it's not OK per the POSIX file format spec.
Make pg_checksums skip tablespace subdirectories that belong to a different PostgreSQL major version (Michael Banck, Bernd Helmle)
Such subdirectories don't really belong to our database cluster, and so must not be processed.
Ignore temporary copies of pg_internal.init
in pg_checksums and related programs (Michael Paquier)
Fix quoting of --encoding
, --lc-ctype
and --lc-collate
values in createdb utility (Michael Paquier)
contrib/lo
's lo_manage()
function crashed if called directly rather than as a trigger (Tom Lane)
In contrib/ltree
, protect against overflow of ltree
and lquery
length fields (Nikita Glukhov)
Work around failure in contrib/pageinspect
's bt_metap()
function when an oldest_xact value exceeds 2^31-1 (Peter Geoghegan)
Such XIDs will now be reported as negative integers, which isn't great but it beats throwing an error. v13 will widen the output argument to int8
to provide saner reporting.
Fix cache reference leak in contrib/sepgsql
(Michael Luo)
On Windows, avoid premature creation of postmaster's log file during pg_ctl start
(Alexander Lakhin)
The previous coding could allow the file to be created with permissions that wouldn't allow the postmaster to write on it.
Avoid failures when dealing with Unix-style locale names on Windows (Juan José Santamaría Flecha)
On Windows, set console VT100 compatibility mode in programs that support PG_COLOR
colorization (Juan José Santamaría Flecha)
Without this, the colorization option doesn't actually work.
Stop requiring extra parentheses in ereport()
calls (Andres Freund, Tom Lane)
Use pkg-config, if available, to locate libxml2 during configure (Hugh McMaster, Tom Lane, Peter Eisentraut)
If pkg-config is not present or lacks knowledge of libxml2, we still query xml2-config as before.
This change could break build processes that try to make PostgreSQL use a non-default version of libxml2 by putting that version's xml2-config into the PATH
. Instead, set XML2_CONFIG
to point to the non-default xml2-config. That method will work with either older or newer PostgreSQL releases.
Fix Makefile dependencies for libpq and ecpg (Dagfinn Ilmari Mannsåker)
In MSVC builds, cope with spaces in the path name for Python (Victor Wagner)
In MSVC builds, fix detection of Visual Studio version to work with more language settings (Andrew Dunstan)
In MSVC builds, use -Wno-deprecated
with bison versions newer than 3.0, as non-Windows builds already do (Andrew Dunstan)
Update time zone data files to tzdata release 2020a for DST law changes in Morocco and the Canadian Yukon, plus historical corrections for Shanghai.
The America/Godthab zone has been renamed to America/Nuuk to reflect current English usage; however, the old name remains available as a compatibility link.
Also, update initdb's list of known Windows time zone names to include recent additions, improving the odds that it will correctly translate the system time zone setting on that platform.
Release date: 2020-02-13
This release contains a variety of fixes from 12.1. For information about new features in major release 12, see Version 12.0.
A dump/restore is not required for those running 12.X.
However, if you have any foreign key constraints referencing partitioned tables, see the two entries below about bugs in that feature.
Add missing permissions checks for ALTER ... DEPENDS ON EXTENSION
(Álvaro Herrera)
Marking an object as dependent on an extension did not have any privilege check whatsoever. This oversight allowed any user to mark routines, triggers, materialized views, or indexes as droppable by anyone able to drop an extension. Require that the calling user own the specified object (and hence have privilege to drop it). (CVE-2020-1720 or CVE-2020-1720)
Fix TRUNCATE ... CASCADE
to ensure all relevant partitions are truncated (Jehan-Guillaume de Rorthais)
If a partition of a partitioned table is truncated with the CASCADE
option, and the partitioned table has a foreign-key reference from another table, that table must also be truncated. The need to check this was missed if the referencing table was itself partitioned, possibly allowing rows to survive that violate the foreign-key constraint.
Hence, if you have foreign key constraints between partitioned tables, and you have done any partition-level TRUNCATE
on the referenced table, you should check to see if any foreign key violations exist. The simplest way is to add a new instance of the foreign key constraint (and, once that succeeds, drop it or the original constraint). That may be prohibitive from a locking standpoint, however, in which case you might prefer to manually query for unmatched rows.
Fix failure to attach foreign key constraints to sub-partitions (Jehan-Guillaume de Rorthais)
When adding a partition to a level below the first level of a multi-level partitioned table, foreign key constraints referencing the top partitioned table were not cloned to the new partition, leading to possible constraint violations later. Detaching and re-attaching the new partition is the cheapest way to fix this. However, if there are many partitions to be fixed, adding a new instance of the foreign key constraint might be preferable.
Fix possible crash during concurrent update on a partitioned table or inheritance tree (Tom Lane)
Ensure that row triggers on partitioned tables are correctly cloned to sub-partitions when appropriate (Álvaro Herrera)
User-defined triggers (but not triggers for foreign key or deferred unique constraints) might be missed when creating or attaching a partition.
Fix logical replication subscriber code to execute per-column UPDATE
triggers when appropriate (Peter Eisentraut)
Avoid failure in logical decoding when a large transaction must be spilled into many separate temporary files (Amit Khandekar)
Fix possible crash or data corruption when a logical replication subscriber processes a row update (Tom Lane, Tomas Vondra)
This bug caused visible problems only if the subscriber's table contained columns that were not being copied from the publisher and had pass-by-reference data types.
Fix crash in logical replication subscriber after DDL changes on a subscribed relation (Jehan-Guillaume de Rorthais, Vignesh C)
Fix failure in logical replication publisher after a database crash and restart (Vignesh C)
Ensure that the effect of pg_replication_slot_advance()
on a physical replication slot will persist across restarts (Alexey Kondratov, Michael Paquier)
Improve efficiency of logical replication with REPLICA IDENTITY FULL
(Konstantin Knizhnik)
When searching for an existing tuple during an update or delete operation, return the first matching tuple not the last one.
Fix base backup to handle database OIDs larger than INT32_MAX
(Peter Eisentraut)
Ensure parallel plans are always shut down at the correct time (Kyotaro Horiguchi)
This oversight is known to result in “temporary file leak” warnings from multi-batch parallel hash joins.
Prevent premature shutdown of a Gather or GatherMerge plan node that is underneath a Limit node (Amit Kapila)
This avoids failure if such a plan node needs to be scanned more than once, as for instance if it is on the inside of a nestloop.
Improve efficiency of parallel hash join on CPUs with many cores (Gang Deng, Thomas Munro)
Avoid crash in parallel CREATE INDEX
when there are no free dynamic shared memory slots (Thomas Munro)
Fall back to a non-parallel index build, instead.
Avoid memory leak when there are no free dynamic shared memory slots (Thomas Munro)
Ignore the CONCURRENTLY
option when performing an index creation, drop, or rebuild on a temporary table (Michael Paquier, Heikki Linnakangas, Andres Freund)
This avoids strange failures if the temporary table has an ON COMMIT
action. There is no benefit in using CONCURRENTLY
for a temporary table anyway, since other sessions cannot access the table, making the extra processing pointless.
Fix possible failure when resetting expression indexes on temporary tables that are marked ON COMMIT DELETE ROWS
(Tom Lane)
Fix possible crash in BRIN index operations with box
, range
and inet
data types (Heikki Linnakangas)
Fix crash during recursive page split in GiST index build (Heikki Linnakangas)
Fix handling of deleted pages in GIN indexes (Alexander Korotkov)
Avoid possible deadlocks, incorrect updates of a deleted page's state, and failure to traverse through a recently-deleted page.
Fix possible crash with a SubPlan (sub-SELECT
) within a multi-row VALUES
list (Tom Lane)
Fix failure in ALTER TABLE
when a column referenced in a GENERATED
expression has been added or changed in type earlier in the same ALTER
command (Tom Lane)
Fix failure to insert default values for “missing” attributes during tuple conversion (Vik Fearing, Andrew Gierth)
This could result in values incorrectly reading as NULL, when they come from columns that had been added by ALTER TABLE ADD COLUMN
with a constant default.
Fix unlikely panic in the checkpointer process, caused by opening relation segments that might already have been removed (Thomas Munro)
Fix crash after FileClose() failure (Noah Misch)
This issue could only be observed with data_sync_retry
enabled, since otherwise FileClose() failure would be reported as a PANIC.
Fix handling of multiple AFTER ROW
triggers on a foreign table (Etsuro Fujita)
Fix unlikely crash with pass-by-reference aggregate transition states (Andres Freund, Teodor Sigaev)
Improve error reporting in to_date()
and to_timestamp()
(Tom Lane, Álvaro Herrera)
Reports about incorrect month or day names in input strings could truncate the input in the middle of a multi-byte character, leading to an improperly encoded error message that could cause follow-on failures. Truncate at the next whitespace instead.
Fix off-by-one result for EXTRACT (ISOYEAR FROM
for BC dates (Tom Lane)timestamp
)
Ensure that the <>
operator for type char
reports indeterminate-collation errors as such, rather than as “cache lookup failed for collation 0” (Tom Lane)
Avoid treating TID scans as sequential scans (Tatsuhito Kasahara)
A refactoring oversight caused TID scans (selection by CTID) to be counted as sequential scans in the statistics views, and to take whole-table predicate locks as sequential scans do. The latter behavior could cause unnecessary serialization errors in serializable transaction mode.
Avoid stack overflow in information_schema
views when a self-referential view exists in the system catalogs (Tom Lane)
A self-referential view can't work; it will always result in infinite recursion. We handled that situation correctly when trying to execute the view, but not when inquiring whether it is automatically updatable.
Ensure that walsender processes always show NULL for transaction start time in pg_stat_activity
(Álvaro Herrera)
Previously, the xact_start
column would sometimes show the process start time.
Improve performance of hash joins with very large inner relations (Thomas Munro)
Reduce spinlock contention when there are many active walsender processes (Pierre Ducroquet)
Fix placement of “Subplans Removed” field in EXPLAIN
output (Daniel Gustafsson, Tom Lane)
In non-text output formats, this field was emitted inside the “Plans” sub-group, resulting in syntactically invalid output. Attach it to the parent Append or MergeAppend plan node as intended. This causes the field to change position in text output format too: if there are any InitPlans attached to the same plan node, “Subplans Removed” will now appear before those.
Fix EXPLAIN
's SETTINGS
option to print as empty in non-text output formats (Tom Lane)
In the non-text output formats, fields are supposed to appear when requested, even if they have empty or zero values.
Allow the planner to apply potentially-leaky tests to child-table statistics, if the user can read the corresponding column of the table that's actually named in the query (Dilip Kumar, Amit Langote)
This change fixes a performance problem for partitioned tables that was created by the fix for CVE-2017-7484 or CVE-2017-7484. That security fix disallowed applying leaky operators to statistics for columns that the current user doesn't have permission to read directly. However, it's somewhat common to grant permissions only on the parent partitioned table and not bother to do so on individual partitions. In such cases, the user can read the column via the parent, so there's no point in this security restriction; it only results in poorer planner estimates than necessary.
Fix planner errors induced by overly-aggressive collapsing of joins to single-row subqueries (Tom Lane)
This mistake led to errors such as “failed to construct the join relation”.
Fix “no = operator for opfamily NNNN
” planner error when trying to match a LIKE
or regex pattern-match operator to a binary-compatible index opclass (Tom Lane)
Fix edge-case crashes and misestimations in selectivity calculations for the <@
and @>
range operators (Michael Paquier, Andrey Borodin, Tom Lane)
Fix incorrect estimation for OR
clauses when using most-common-value extended statistics (Tomas Vondra)
Ignore system columns when applying most-common-value extended statistics (Tomas Vondra)
This prevents “negative bitmapset member not allowed” planner errors for affected queries.
Fix BRIN index logic to support hypothetical BRIN indexes (Julien Rouhaud, Heikki Linnakangas)
Previously, if an “index adviser” extension tried to get the planner to produce a plan involving a hypothetical BRIN index, that would fail, because the BRIN cost estimation code would always try to physically access the index's metapage. Now it checks to see if the index is only hypothetical, and uses default assumptions about the index parameters if so.
Improve error reporting for attempts to use automatic updating of views with conditional INSTEAD
rules (Dean Rasheed)
This has never been supported, but previously the error was thrown only at execution time, so that it could be masked by planner errors.
Prevent a composite type from being included in itself indirectly via a range type (Tom Lane, Julien Rouhaud)
Disallow partition key expressions that return pseudo-types, such as record
(Tom Lane)
Fix error reporting for index expressions of prohibited types (Amit Langote)
Fix dumping of views that contain only a VALUES
list to handle cases where a view output column has been renamed (Tom Lane)
Ensure that data types and collations used in XMLTABLE
constructs are accounted for when computing dependencies of a view or rule (Tom Lane)
Previously it was possible to break a view using XMLTABLE
by dropping a type, if the type was not otherwise referenced in the view. This fix does not correct the dependencies already recorded for existing views, only for newly-created ones.
Prevent unwanted downcasing and truncation of RADIUS authentication parameters (Marcos David Hartwig)
The pg_hba.conf
parser mistakenly treated these fields as SQL identifiers, which in general they aren't.
Transmit incoming NOTIFY
messages to the client before sending ReadyForQuery
, rather than after (Tom Lane)
This change ensures that, with libpq and other client libraries that act similarly to it, any notifications received during a transaction will be available by the time the client thinks the transaction is complete. This probably makes no difference in practical applications (which would need to cope with asynchronous notifications in any case); but it makes it easier to build test cases with reproducible behavior.
Fix bugs in handling of non-blocking I/O when using GSSAPI encryption (Tom Lane)
These errors could result in dropping data (usually leading to subsequent wire-protocol-violation errors) or in a “livelock” situation where a sending process goes to sleep although not all its data has been sent. Moreover, libpq failed to keep separate encryption state for each connection, creating the possibility for failures in applications using multiple encrypted database connections.
Allow libpq to parse all GSS-related connection parameters even when the GSSAPI code hasn't been compiled in (Tom Lane)
This makes the behavior similar to our SSL support, where it was long ago deemed to be a good idea to always accept all the related parameters, even if some are ignored or restricted due to lack of the feature in a particular build.
Fix incorrect handling of %b
and %B
format codes in ecpg's PGTYPEStimestamp_fmt_asc()
function (Tomas Vondra)
Due to an off-by-one error, these codes would print the wrong month name, or possibly crash.
Avoid crash after an out-of-memory failure in ecpglib (Tom Lane)
Fix parallel pg_dump/pg_restore to more gracefully handle failure to create worker processes (Tom Lane)
Prevent possible crash or lockup when attempting to terminate a parallel pg_dump/pg_restore run via a signal (Tom Lane)
In pg_upgrade, look inside arrays and ranges while searching for non-upgradable data types in tables (Tom Lane)
Apply more thorough syntax checking to createuser's --connection-limit
option (Álvaro Herrera)
Cope with changes of the specific type referenced by a PL/pgSQL composite-type variable in more cases (Ashutosh Sharma, Tom Lane)
Dropping and re-creating the composite type referenced by a PL/pgSQL variable could lead to “could not open relation with OID NNNN
” errors.
Avoid crash in postgres_fdw
when trying to send a command like UPDATE remote_tab SET (x,y) = (SELECT ...)
to the remote server (Tom Lane)
In contrib/dict_int
, reject maxlen
settings less than one (Tomas Vondra)
This prevents a possible crash with silly settings for that parameter.
Disallow NULL category values in contrib/tablefunc
's crosstab()
function (Joe Conway)
This case never worked usefully, and it would crash on some platforms.
Fix configure's probe for OpenSSL's SSL_clear_options()
function so that it works with OpenSSL versions before 1.1.0 (Michael Paquier, Daniel Gustafsson)
This problem could lead to failure to set the SSL compression option as desired, when PostgreSQL is built against an old version of OpenSSL.
Mark some timeout and statistics-tracking GUC variables as PGDLLIMPORT
, to allow extensions to access them on Windows (Pascal Legrand)
This applies to idle_in_transaction_session_timeout
, lock_timeout
, statement_timeout
, track_activities
, track_counts
, and track_functions
.
Avoid memory leak in sanity checks for “slab” memory contexts (Tomas Vondra)
This isn't an issue for production builds, since they wouldn't ordinarily have memory context checking enabled; but the leak could be quite severe in a debug build.
Fix multiple statistics entries reported by the LWLock statistics mechanism (Fujii Masao)
The LWLock statistics code (which is not built by default; it requires compiling with -DLWLOCK_STATS
) could report multiple entries for the same LWLock and backend process, as a result of faulty hashtable key creation.
Fix race condition that led to delayed delivery of interprocess signals on Windows (Amit Kapila)
This caused visible timing oddities in NOTIFY
, and perhaps other misbehavior.
Fix handling of a corner-case error result from Windows' ReadFile()
function (Thomas Munro, Juan José Santamaría Flecha)
So far as is known, this oversight just resulted in noisy log messages, not any actual query misbehavior.
On Windows, retry a few times after an ERROR_ACCESS_DENIED
file access failure (Alexander Lakhin, Tom Lane)
This helps cope with cases where a file open attempt fails because the targeted file is flagged for deletion but not yet actually gone. pg_ctl, for example, frequently failed with such an error when probing to see if the postmaster had shut down yet.
On Windows, work around sharing violations for the postmaster's log file when pg_ctl is used to start the postmaster very shortly after it's been stopped, for example by pg_ctl restart
(Alexander Lakhin)
Release date: 2019-11-14
This release contains a variety of fixes from 12.0. For information about new features in major release 12, see Version 12.0.
A dump/restore is not required for those running 12.X.
Fix crash when ALTER TABLE
adds a column without a default value along with making other changes that require a table rewrite (Andres Freund)
Fix lock handling in REINDEX CONCURRENTLY
(Michael Paquier)
REINDEX CONCURRENTLY
neglected to take a session-level lock on the new index version, potentially allowing other sessions to manipulate it too soon. Also, a query-cancel or session-termination interrupt arriving at the wrong time could result in failure to release the session-level locks that REINDEX CONCURRENTLY
does hold.
Avoid crash due to race condition when reporting the progress of a CREATE INDEX CONCURRENTLY
or REINDEX CONCURRENTLY
command (Álvaro Herrera)
Avoid creating duplicate dependency entries during REINDEX CONCURRENTLY
(Michael Paquier)
This bug resulted in bloat in pg_depend
, but no worse consequences than that.
Prevent VACUUM
from trying to freeze an old multixact ID involving a still-running transaction (Nathan Bossart, Jeremy Schneider)
This case would lead to VACUUM
failing until the old transaction terminates.
Fix “wrong type of slot” error when trying to CLUSTER
on an expression index (Andres Freund)
SET CONSTRAINTS ... DEFERRED
failed on partitioned tables, incorrectly complaining about lack of triggers (Álvaro Herrera)
Fix failure when creating indexes for a partition, if the parent partitioned table contains any dropped columns (Michael Paquier)
Fix dropping of indexed columns in partitioned tables (Amit Langote, Michael Paquier)
Previously this might fail with an error message complaining about the dependencies of the indexes. It should automatically drop the indexes, instead.
Ensure that a partition index can be dropped after a failure to reindex it concurrently (Michael Paquier)
The index's pg_class
.relispartition
flag was left in the wrong state in such a case, causing DROP INDEX
to fail.
Fix handling of equivalence class members for partition-wise joins (Amit Langote)
This oversight could lead either to failure to use a feasible partition-wise join plan, or to a “could not find pathkey item to sort” planner failure.
Ensure that offset expressions in WINDOW
clauses are processed when a query's expressions are manipulated (Andrew Gierth)
This oversight could result in assorted failures when the offsets are nontrivial expressions. One example is that a function parameter reference in such an expression would fail if the function was inlined.
Avoid postmaster failure if a parallel query requests a background worker when no postmaster child process array slots remain free (Tom Lane)
Fix crash triggered by an EvalPlanQual recheck on a table with a BEFORE UPDATE
trigger (Andres Freund)
Fix “unexpected relkind” error when a query tries to access a TOAST table (John Hsu, Michael Paquier, Tom Lane)
The error should say that permission is denied, but this case got broken during code refactoring.
Provide a relevant error context line when an error occurs while setting GUC parameters during parallel worker startup (Thomas Munro)
Ensure that fsync()
is applied only to files that are opened read/write (Andres Freund, Michael Paquier)
Some code paths tried to do this after opening a file read-only, but on some platforms that causes “bad file descriptor” or similar errors.
Allow encoding conversion to succeed on longer strings than before (Álvaro Herrera, Tom Lane)
Previously, there was a hard limit of 0.25GB on the input string, but now it will work as long as the converted output is not over 1GB.
Avoid creating unnecessarily-bulky tuple stores for window functions (Andrew Gierth)
In some cases the tuple storage would include all columns of the source table(s), not just the ones that are needed by the query.
Allow repalloc()
to give back space when a large chunk is reduced in size (Tom Lane)
Ensure that temporary WAL and history files are removed at the end of archive recovery (Sawada Masahiko)
Avoid failure in archive recovery if recovery_min_apply_delay
is enabled (Fujii Masao)
recovery_min_apply_delay
is not typically used in this configuration, but it should work.
Ignore restore_command
, recovery_end_command
, and recovery_min_apply_delay
settings during crash recovery (Fujii Masao)
Now that these settings can be specified in postgresql.conf
, they could be turned on during crash recovery, but honoring them then is undesirable. Ignore these settings until crash recovery is complete.
Fix logical replication failure when publisher and subscriber have different ideas about a table's replica identity columns (Jehan-Guillaume de Rorthais, Peter Eisentraut)
Declaring a column as part of the replica identity on the subscriber, when it does not exist at all on the publisher, led to “negative bitmapset member not allowed” errors.
Avoid unwanted delay during shutdown of a logical replication walsender (Craig Ringer, Álvaro Herrera)
Fix timeout handling in logical replication walreceiver processes (Julien Rouhaud)
Erroneous logic prevented wal_receiver_timeout
from working in logical replication deployments.
Correctly time-stamp replication messages for logical decoding (Jeff Janes)
This oversight resulted, for example, in pg_stat_subscription
.last_msg_send_time
usually reading as NULL.
Fix race condition during backend exit, when the backend process has previously waited for synchronous replication to occur (Dongming Liu)
Avoid logging complaints about abandoned connections when using PAM authentication (Tom Lane)
libpq-based clients will typically make two connection attempts when a password is required, since they don't prompt their user for a password until their first connection attempt fails. Therefore the server is coded not to generate useless log spam when a client closes the connection upon being asked for a password. However, the PAM authentication code hadn't gotten that memo, and would generate several messages about a phantom authentication failure.
Fix misbehavior of bitshiftright()
(Tom Lane)
The bitstring right shift operator failed to zero out padding space that exists in the last byte of the result when the bitstring length is not a multiple of 8. While invisible to most operations, any nonzero bits there would result in unexpected comparison behavior, since bitstring comparisons don't bother to ignore the extra bits, expecting them to always be zero.
If you have inconsistent data as a result of saving the output of bitshiftright()
in a table, it's possible to fix it with something like
UPDATE mytab SET bitcol = ~(~bitcol) WHERE bitcol != ~(~bitcol);
Fix result of text position()
function (also known as strpos()
) for an empty search string (Tom Lane)
Historically, and per the SQL standard, the result should be one in such cases, but 12.0 returned zero.
Fix detection of edge-case integer overflow in interval multiplication (Yuya Watari)
Avoid crashes if ispell
text search dictionaries contain wrong affix data (Arthur Zakirov)
Avoid memory leak while vacuuming a GiST index (Dilip Kumar)
On Windows, recognize additional spellings of the “Norwegian (Bokmål)” locale name (Tom Lane)
Fix libpq to allow trailing whitespace in the string values of integer parameters (Michael Paquier)
Version 12 tightened libpq's validation of integer parameters, but disallowing trailing whitespace seems undesirable.
In libpq, correctly report CONNECTION_BAD
connection status after a failure caused by a syntactically invalid connect_timeout
parameter value (Lars Kanis)
Avoid compile failure if an ECPG client includes ecpglib.h
while having ENABLE_NLS
defined (Tom Lane)
This risk was created by a misplaced declaration: ecpg_gettext()
should not be visible to client code.
Fix scheduling of parallel restore of a foreign key constraint on a partitioned table (Álvaro Herrera)
pg_dump failed to emit full dependency information for partitioned tables' foreign keys. This could allow parallel pg_restore to try to recreate a foreign key constraint too soon.
In pg_dump, ensure stable output order for similarly-named triggers and row-level-security policy objects (Benjie Gillam)
Previously, if two triggers on different tables had the same names, they would be sorted in OID-based order, which is less desirable than sorting them by table name. Likewise for RLS policies.
In pg_upgrade, reject tables with columns of type sql_identifier
, as that has changed representation in version 12 (Tomas Vondra)
Improve pg_upgrade's checks for the use of a data type that has changed representation, such as line
(Tomas Vondra)
The previous coding could be fooled by cases where the data type of interest underlies a stored column of a domain or composite type.
In pg_rewind with the --dry-run
option, avoid updating pg_control
(Alexey Kondratov)
This could lead to failures in subsequent pg_rewind attempts.
Fix failure in pg_waldump with the -s
option, when a continuation WAL record ends exactly at a page boundary (Andrey Lepikhov)
In pg_waldump with the --bkp-details
option, avoid emitting extra newlines for WAL records involving full-page writes (Andres Freund)
Fix small memory leak in pg_waldump (Andres Freund)
Put back pqsignal()
as an exported libpq symbol (Tom Lane)
This function was removed on the grounds that no clients should be using it, but that turns out to break usage of current libpq with very old versions of psql, and perhaps other applications.
Fix configure's test for presence of libperl so that it works on recent Red Hat releases (Tom Lane)
Previously, it could fail if the user sets CFLAGS
to -O0
.
Ensure correct code generation for spinlocks on PowerPC (Noah Misch)
The previous spinlock coding allowed the compiler to select register zero for use with an assembly instruction that does not accept that register, causing a build failure. We have seen only one long-ago report that matches this bug, but it could cause problems for people trying to build modified PostgreSQL code or use atypical compiler options.
On AIX, don't use the compiler option -qsrcmsg
(Noah Misch)
This avoids an internal compiler error with xlc v16.1.0, with little consequence other than changing the format of compiler error messages.
Fix MSVC build process to cope with spaces in the file path of OpenSSL (Andrew Dunstan)
Release date: 2019-10-03
Major enhancements in PostgreSQL 12 include:
General performance improvements, including:
Optimizations to space utilization and read/write performance for B-tree indexes
Partitioning performance enhancements, including improved query performance on tables with thousands of partitions, improved insertion performance with INSERT and COPY, and the ability to execute ALTER TABLE ATTACH PARTITION
without blocking queries
Automatic (but overridable) inlining of common table expressions (CTEs)
Reduction of WAL overhead for creation of GiST, GIN, and SP-GiST indexes
Multi-column most-common-value (MCV) statistics can be defined via CREATE STATISTICS, to support better plans for queries that test several non-uniformly-distributed columns
Enhancements to administrative functionality, including:
REINDEX CONCURRENTLY
can rebuild an index without blocking writes to its table
pg_checksums can enable/disable page checksums (used for detecting data corruption) in an offline cluster
Progress reporting statistics for CREATE INDEX, REINDEX, CLUSTER, VACUUM FULL, and pg_checksums
Support for the SQL/JSON path language
Stored generated columns
Nondeterministic ICU collations, enabling case-insensitive and accent-insensitive grouping and ordering
New authentication features, including:
Encryption of TCP/IP connections when using GSSAPI authentication
Discovery of LDAP servers using DNS SRV records
Multi-factor authentication, using the clientcert=verify-full
option combined with an additional authentication method in pg_hba.conf
The above items are explained in more detail in the sections below.
A dump/restore using pg_dumpall or use of pg_upgrade or logical replication is required for those wishing to migrate data from any previous release. See Section 18.6 for general information on migrating to new major releases.
Version 12 contains a number of changes that may affect compatibility with previous releases. Observe the following incompatibilities:
Remove the special behavior of oid columns (Andres Freund, John Naylor)
Previously, a normally-invisible oid
column could be specified during table creation using WITH OIDS
; that ability has been removed. Columns can still be explicitly declared as type oid
. Operations on tables that have columns created using WITH OIDS
will need adjustment.
The system catalogs that previously had hidden oid
columns now have ordinary oid
columns. Hence, SELECT *
will now output those columns, whereas previously they would be displayed only if selected explicitly.
Remove data types abstime
, reltime
, and tinterval
(Andres Freund)
These are obsoleted by SQL-standard types such as timestamp
.
Remove the timetravel
extension (Andres Freund)
Move recovery.conf
settings into postgresql.conf
(Masao Fujii, Simon Riggs, Abhijit Menon-Sen, Sergei Kornilov)
recovery.conf
is no longer used, and the server will not start if that file exists. recovery.signal and standby.signal
files are now used to switch into non-primary mode. The trigger_file
setting has been renamed to promote_trigger_file. The standby_mode
setting has been removed.
Do not allow multiple conflicting recovery_target
* specifications (Peter Eisentraut)
Specifically, only allow one of recovery_target, recovery_target_lsn, recovery_target_name, recovery_target_time, and recovery_target_xid. Previously, multiple different instances of these parameters could be specified, and the last one was honored. Now, only one can be specified, though the same one can be specified multiple times and the last specification is honored.
Cause recovery to advance to the latest timeline by default (Peter Eisentraut)
Specifically, recovery_target_timeline now defaults to latest
. Previously, it defaulted to current
.
Refactor code for geometric functions and operators (Emre Hasegeli)
This could lead to more accurate, but slightly different, results compared to previous releases. Notably, cases involving NaN, underflow, overflow, and division by zero are handled more consistently than before.
Improve performance by using a new algorithm for output of real
and double precision
values (Andrew Gierth)
Previously, displayed floating-point values were rounded to 6 (for real
) or 15 (for double precision
) digits by default, adjusted by the value of extra_float_digits. Now, whenever extra_float_digits
is more than zero (as it now is by default), only the minimum number of digits required to preserve the exact binary value are output. The behavior is the same as before when extra_float_digits
is set to zero or less.
Also, formatting of floating-point exponents is now uniform across platforms: two digits are used unless three are necessary. In previous releases, Windows builds always printed three digits.
random()
and setseed()
now behave uniformly across platforms (Tom Lane)
The sequence of random()
values generated following a setseed()
call with a particular seed value is likely to be different now than before. However, it will also be repeatable, which was not previously guaranteed because of interference from other uses of random numbers inside the server. The SQL random()
function now has its own private per-session state to forestall that.
Change SQL-style substring()
to have standard-compliant greediness behavior (Tom Lane)
In cases where the pattern can be matched in more than one way, the initial sub-pattern is now treated as matching the least possible amount of text rather than the greatest; for example, a pattern such as %#"aa*#"%
now selects the first group of a
's from the input, not the last group.
Do not pretty-print the result of xpath()
or the XMLTABLE
construct (Tom Lane)
In some cases, these functions would insert extra whitespace (newlines and/or spaces) in nodeset values. This is undesirable since depending on usage, the whitespace might be considered semantically significant.
Rename command-line tool pg_verify_checksums to pg_checksums (Michaël Paquier)
In pg_restore, require specification of -f -
to send the dump contents to standard output (Euler Taveira)
Previously, this happened by default if no destination was specified, but that was deemed to be unfriendly.
Disallow non-unique abbreviations in psql's \pset format
command (Daniel Vérité)
Previously, for example, \pset format a
chose aligned
; it will now fail since that could equally well mean asciidoc
.
In new btree indexes, the maximum index entry length is reduced by eight bytes, to improve handling of duplicate entries (Peter Geoghegan)
This means that a REINDEX operation on an index pg_upgrade'd from a previous release could potentially fail.
Cause DROP IF EXISTS FUNCTION
/PROCEDURE
/AGGREGATE
/ROUTINE
to generate an error if no argument list is supplied and there are multiple matching objects (David Rowley)
Also improve the error message in such cases.
Split the pg_statistic_ext
catalog into two catalogs, and add the pg_stats_ext
view of it (Dean Rasheed, Tomas Vondra)
This change supports hiding potentially-sensitive statistics data from unprivileged users.
Remove obsolete pg_constraint
.consrc
column (Peter Eisentraut)
This column has been deprecated for a long time, because it did not update in response to other catalog changes (such as column renamings). The recommended way to get a text version of a check constraint's expression from pg_constraint
is pg_get_expr(conbin, conrelid)
. pg_get_constraintdef()
is also a useful alternative.
Remove obsolete pg_attrdef
.adsrc
column (Peter Eisentraut)
This column has been deprecated for a long time, because it did not update in response to other catalog changes (such as column renamings). The recommended way to get a text version of a default-value expression from pg_attrdef
is pg_get_expr(adbin, adrelid)
.
Mark table columns of type name as having “C” collation by default (Tom Lane, Daniel Vérité)
The comparison operators for data type name
can now use any collation, rather than always using “C” collation. To preserve the previous semantics of queries, columns of type name
are now explicitly marked as having “C” collation. A side effect of this is that regular-expression operators on name
columns will now use the “C” collation by default, not the database collation, to determine the behavior of locale-dependent regular expression patterns (such as \w
). If you want non-C behavior for a regular expression on a name
column, attach an explicit COLLATE
clause. (For user-defined name
columns, another possibility is to specify a different collation at table creation time; but that just moves the non-backwards-compatibility to the comparison operators.)
Treat object-name columns in the information_schema
views as being of type name
, not varchar
(Tom Lane)
Per the SQL standard, object-name columns in the information_schema
views are declared as being of domain type sql_identifier
. In PostgreSQL, the underlying catalog columns are really of type name
. This change makes sql_identifier
be a domain over name
, rather than varchar
as before. This eliminates a semantic mismatch in comparison and sorting behavior, which can greatly improve the performance of queries on information_schema
views that restrict an object-name column. Note however that inequality restrictions, for example
SELECT ... FROM information_schema.tables WHERE table_name < 'foo';
will now use “C”-locale comparison semantics by default, rather than the database's default collation as before. Sorting on these columns will also follow “C” ordering rules. The previous behavior (and inefficiency) can be enforced by adding a COLLATE "default"
clause.
Remove the ability to disable dynamic shared memory (Kyotaro Horiguchi)
Specifically, dynamic_shared_memory_type can no longer be set to none
.
Parse libpq integer connection parameters more strictly (Fabien Coelho)
In previous releases, using an incorrect integer value for connection parameters connect_timeout
, keepalives
, keepalives_count
, keepalives_idle
, keepalives_interval
and port
resulted in libpq either ignoring those values or failing with incorrect error messages.
Below you will find a detailed account of the changes between PostgreSQL 12 and the previous major release.
Improve performance of many operations on partitioned tables (Amit Langote, David Rowley, Tom Lane, Álvaro Herrera)
Allow tables with thousands of child partitions to be processed efficiently by operations that only affect a small number of partitions.
Allow foreign keys to reference partitioned tables (Álvaro Herrera)
Improve speed of COPY
into partitioned tables (David Rowley)
Allow partition bounds to be any expression (Kyotaro Horiguchi, Tom Lane, Amit Langote)
Such expressions are evaluated at partitioned-table creation time. Previously, only simple constants were allowed as partition bounds.
Allow CREATE TABLE
's tablespace specification for a partitioned table to affect the tablespace of its children (David Rowley, Álvaro Herrera)
Avoid sorting when partitions are already being scanned in the necessary order (David Rowley)
ALTER TABLE ATTACH PARTITION
is now performed with reduced locking requirements (Robert Haas)
Add partition introspection functions (Michaël Paquier, Álvaro Herrera, Amit Langote)
The new function pg_partition_root()
returns the top-most parent of a partition tree, pg_partition_ancestors()
reports all ancestors of a partition, and pg_partition_tree()
displays information about partitions.
Include partitioned indexes in the system view pg_indexes
(Suraj Kharage)
Add psql command \dP
to list partitioned tables and indexes (Pavel Stehule)
Improve psql \d
and \z
display of partitioned tables (Pavel Stehule, Michaël Paquier, Álvaro Herrera)
Fix bugs that could cause ALTER TABLE DETACH PARTITION
to leave behind incorrect dependency state, allowing subsequent operations to misbehave, for example by not dropping a former partition child index when its table is dropped (Tom Lane)
Improve performance and space utilization of btree indexes with many duplicates (Peter Geoghegan, Heikki Linnakangas)
Previously, duplicate index entries were stored unordered within their duplicate groups. This caused overhead during index inserts, wasted space due to excessive page splits, and it reduced VACUUM
's ability to recycle entire pages. Duplicate index entries are now sorted in heap-storage order.
Indexes pg_upgrade'd from previous releases will not have these benefits.
Allow multi-column btree indexes to be smaller (Peter Geoghegan, Heikki Linnakangas)
Internal pages and min/max leaf page indicators now only store index keys until the change key, rather than all indexed keys. This also improves the locality of index access.
Indexes pg_upgrade'd from previous releases will not have these benefits.
Improve speed of btree index insertions by reducing locking overhead (Alexander Korotkov)
Add support for nearest-neighbor (KNN) searches of SP-GiST indexes (Nikita Glukhov, Alexander Korotkov, Vlad Sterzhanov)
Reduce the WAL write overhead of GiST, GIN, and SP-GiST index creation (Anastasia Lubennikova, Andrey V. Lepikhov)
Allow index-only scans to be more efficient on indexes with many columns (Konstantin Knizhnik)
Improve the performance of vacuum scans of GiST indexes (Andrey Borodin, Konstantin Kuznetsov, Heikki Linnakangas)
Delete empty leaf pages during GiST VACUUM
(Andrey Borodin)
Reduce locking requirements for index renaming (Peter Eisentraut)
Allow CREATE STATISTICS to create most-common-value statistics for multiple columns (Tomas Vondra)
This improves optimization for queries that test several columns, requiring an estimate of the combined effect of several WHERE
clauses. If the columns are correlated and have non-uniform distributions then multi-column statistics will allow much better estimates.
Allow common table expressions (CTEs) to be inlined into the outer query (Andreas Karlsson, Andrew Gierth, David Fetter, Tom Lane)
Specifically, CTEs are automatically inlined if they have no side-effects, are not recursive, and are referenced only once in the query. Inlining can be prevented by specifying MATERIALIZED
, or forced for multiply-referenced CTEs by specifying NOT MATERIALIZED
. Previously, CTEs were never inlined and were always evaluated before the rest of the query.
Allow control over when generic plans are used for prepared statements (Pavel Stehule)
This is controlled by the plan_cache_mode server parameter.
Improve optimization of partition and UNION ALL
queries that have only a single child (David Rowley)
Improve processing of domains that have no check constraints (Tom Lane)
Domains that are being used purely as type aliases no longer cause optimization difficulties.
Pre-evaluate calls of LEAST
and GREATEST
when their arguments are constants (Vik Fearing)
Improve optimizer's ability to verify that partial indexes with IS NOT NULL
conditions are usable in queries (Tom Lane, James Coleman)
Usability can now be recognized in more cases where the calling query involves casts or large
clauses.x
IN (array
)
Compute ANALYZE
statistics using the collation defined for each column (Tom Lane)
Previously, the database's default collation was used for all statistics. This potentially gives better optimizer behavior for columns with non-default collations.
Improve selectivity estimates for inequality comparisons on ctid
columns (Edmund Horner)
Improve optimization of joins on columns of type tid
(Tom Lane)
These changes primarily improve the efficiency of self-joins on ctid
columns.
Fix the leakproofness designations of some btree comparison operators and support functions (Tom Lane)
This allows some optimizations that previously would not have been applied in the presence of security barrier views or row-level security.
Enable Just-in-Time (JIT) compilation by default, if the server has been built with support for it (Andres Freund)
Note that this support is not built by default, but has to be selected explicitly while configuring the build.
Speed up keyword lookup (John Naylor, Joerg Sonnenberger, Tom Lane)
Improve search performance for multi-byte characters in position()
and related functions (Heikki Linnakangas)
Allow toasted values to be minimally decompressed (Paul Ramsey)
This is useful for routines that only need to examine the initial portion of a toasted field.
Allow ALTER TABLE ... SET NOT NULL
to avoid unnecessary table scans (Sergei Kornilov)
This can be optimized when the table's column constraints can be recognized as disallowing nulls.
Allow ALTER TABLE ... SET DATA TYPE
changing between timestamp
and timestamptz
to avoid a table rewrite when the session time zone is UTC (Noah Misch)
In the UTC time zone, these two data types are binary compatible.
Improve speed in converting strings to int2
or int4
integers (Andres Freund)
Allow parallelized queries when in SERIALIZABLE
isolation mode (Thomas Munro)
Previously, parallelism was disabled when in this mode.
Use pread()
and pwrite()
for random I/O (Oskari Saarenmaa, Thomas Munro)
This reduces the number of system calls required for I/O.
Improve the speed of setting the process title on FreeBSD (Thomas Munro)
Allow logging of statements from only a percentage of transactions (Adrien Nayrat)
The parameter log_transaction_sample_rate controls this.
Add progress reporting to CREATE INDEX
and REINDEX
operations (Álvaro Herrera, Peter Eisentraut)
Progress is reported in the pg_stat_progress_create_index
system view.
Add progress reporting to CLUSTER
and VACUUM FULL
(Tatsuro Yamada)
Progress is reported in the pg_stat_progress_cluster
system view.
Add progress reporting to pg_checksums (Michael Banck, Bernd Helmle)
This is enabled with the option --progress
.
Add counter of checksum failures to pg_stat_database
(Magnus Hagander)
Add tracking of global objects in system view pg_stat_database
(Julien Rouhaud)
Global objects are shown with a pg_stat_database
.datid
value of zero.
Add the ability to list the contents of the archive directory (Christoph Moench-Tegeder)
The function is pg_ls_archive_statusdir()
.
Add the ability to list the contents of temporary directories (Nathan Bossart)
The function, pg_ls_tmpdir()
, optionally allows specification of a tablespace.
Add information about the client certificate to the system view pg_stat_ssl
(Peter Eisentraut)
The new columns are client_serial
and issuer_dn
. Column clientdn
has been renamed to client_dn
for clarity.
Restrict visibility of rows in pg_stat_ssl
for unprivileged users (Peter Eisentraut)
At server start, emit a log message including the server version number (Christoph Berg)
Prevent logging “incomplete startup packet” if a new connection is immediately closed (Tom Lane)
This avoids log spam from certain forms of monitoring.
Include the application_name, if set, in log_connections log messages (Don Seiler)
Make the walreceiver set its application name to the cluster name, if set (Peter Eisentraut)
Add the timestamp of the last received standby message to pg_stat_replication
(Lim Myungkyu)
Add a wait event for fsync of WAL segments (Konstantin Knizhnik)
Add GSSAPI encryption support (Robbie Harwood, Stephen Frost)
This feature allows TCP/IP connections to be encrypted when using GSSAPI authentication, without having to set up a separate encryption facility such as SSL. In support of this, add hostgssenc
and hostnogssenc
record types in pg_hba.conf
for selecting connections that do or do not use GSSAPI encryption, corresponding to the existing hostssl
and hostnossl
record types. There is also a new gssencmode libpq option, and a pg_stat_gssapi system view.
Allow the clientcert
pg_hba.conf
option to check that the database user name matches the client certificate's common name (Julian Markwort, Marius Timmer)
This new check is enabled with clientcert=verify-full
.
Allow discovery of an LDAP server using DNS SRV records (Thomas Munro)
This avoids the requirement of specifying ldapserver
. It is only supported if PostgreSQL is compiled with OpenLDAP.
Add ability to enable/disable cluster checksums using pg_checksums (Michael Banck, Michaël Paquier)
The cluster must be shut down for these operations.
Reduce the default value of autovacuum_vacuum_cost_delay to 2ms (Tom Lane)
This allows autovacuum operations to proceed faster by default.
Allow vacuum_cost_delay to specify sub-millisecond delays, by accepting fractional values (Tom Lane)
Allow time-based server parameters to use units of microseconds (us
) (Tom Lane)
Allow fractional input for integer server parameters (Tom Lane)
For example, SET work_mem = '30.1GB'
is now allowed, even though work_mem
is an integer parameter. The value will be rounded to an integer after any required units conversion.
Allow units to be defined for floating-point server parameters (Tom Lane)
Add wal_recycle and wal_init_zero server parameters to control WAL file recycling (Jerry Jelinek)
Avoiding file recycling can be beneficial on copy-on-write file systems like ZFS.
Add server parameter tcp_user_timeout to control the server's TCP timeout (Ryohei Nagaura)
Allow control of the minimum and maximum SSL protocol versions (Peter Eisentraut)
The server parameters are ssl_min_protocol_version and ssl_max_protocol_version.
Add server parameter ssl_library to report the SSL library version used by the server (Peter Eisentraut)
Add server parameter shared_memory_type to control the type of shared memory to use (Andres Freund)
This allows selection of System V shared memory, if desired.
Allow some recovery parameters to be changed with reload (Peter Eisentraut)
These parameters are archive_cleanup_command, promote_trigger_file, recovery_end_command, and recovery_min_apply_delay.
Allow the streaming replication timeout (wal_sender_timeout) to be set per connection (Takayuki Tsunakawa)
Previously, this could only be set cluster-wide.
Add function pg_promote()
to promote standbys to primaries (Laurenz Albe, Michaël Paquier)
Previously, this operation was only possible by using pg_ctl or creating a trigger file.
Allow replication slots to be copied (Masahiko Sawada)
The functions for this are pg_copy_physical_replication_slot()
and pg_copy_logical_replication_slot()
.
Make max_wal_senders not count as part of max_connections (Alexander Kukushkin)
Add an explicit value of current
for recovery_target_timeline (Peter Eisentraut)
Make recovery fail if a two-phase transaction status file is corrupt (Michaël Paquier)
Previously, a warning was logged and recovery continued, allowing the transaction to be lost.
Add REINDEX CONCURRENTLY
option to allow reindexing without locking out writes (Michaël Paquier, Andreas Karlsson, Peter Eisentraut)
This is also controlled by the reindexdb application's --concurrently
option.
Add support for generated columns (Peter Eisentraut)
The content of generated columns are computed from expressions (including references to other columns in the same table) rather than being specified by INSERT
or UPDATE
commands.
Add a WHERE
clause to COPY FROM
to control which rows are accepted (Surafel Temesgen)
This provides a simple way to filter incoming data.
Allow enumerated values to be added more flexibly (Andrew Dunstan, Tom Lane, Thomas Munro)
Previously, ALTER TYPE ... ADD VALUE
could not be called in a transaction block, unless it was part of the same transaction that created the enumerated type. Now it can be called in a later transaction, so long as the new enumerated value is not referenced until after it is committed.
Add commands to end a transaction and start a new one (Peter Eisentraut)
The commands are COMMIT AND CHAIN
and ROLLBACK AND CHAIN
.
Add VACUUM and CREATE TABLE
options to prevent VACUUM
from truncating trailing empty pages (Takayuki Tsunakawa)
These options are vacuum_truncate
and toast.vacuum_truncate
. Use of these options reduces VACUUM
's locking requirements, but prevents returning disk space to the operating system.
Allow VACUUM
to skip index cleanup (Masahiko Sawada)
This change adds a VACUUM
command option INDEX_CLEANUP
as well as a table storage option vacuum_index_cleanup
. Use of this option reduces the ability to reclaim space and can lead to index bloat, but it is helpful when the main goal is to freeze old tuples.
Add the ability to skip VACUUM
and ANALYZE
operations on tables that cannot be locked immediately (Nathan Bossart)
This option is called SKIP_LOCKED
.
Allow VACUUM
and ANALYZE
to take optional Boolean argument specifications (Masahiko Sawada)
Prevent TRUNCATE, VACUUM
and ANALYZE
from requesting a lock on tables for which the user lacks permission (Michaël Paquier)
This prevents unauthorized locking, which could interfere with user queries.
Add EXPLAIN option SETTINGS
to output non-default optimizer settings (Tomas Vondra)
This output can also be obtained when using auto_explain by setting auto_explain.log_settings
.
Add OR REPLACE
option to CREATE AGGREGATE (Andrew Gierth)
Allow modifications of system catalogs' options using ALTER TABLE (Peter Eisentraut)
Modifications of catalogs' reloptions
and autovacuum settings are now supported. (Setting allow_system_table_mods is still required.)
Use all key columns' names when selecting default constraint names for foreign keys (Peter Eisentraut)
Previously, only the first column name was included in the constraint name, resulting in ambiguity for multi-column foreign keys.
Update assorted knowledge about Unicode to match Unicode 12.1.0 (Peter Eisentraut)
This fixes, for example, cases where psql would misformat output involving combining characters.
Update Snowball stemmer dictionaries with support for new languages (Arthur Zakirov)
This adds word stemming support for Arabic, Indonesian, Irish, Lithuanian, Nepali, and Tamil to full text search.
Allow creation of collations that report string equality for strings that are not bit-wise equal (Peter Eisentraut)
This feature supports “nondeterministic” collations that can define case- and accent-agnostic equality comparisons. Thus, for example, a case-insensitive uniqueness constraint on a text column can be made more easily than before. This is only supported for ICU collations.
Add support for ICU collation attributes on older ICU versions (Peter Eisentraut)
This allows customization of the collation rules in a consistent way across all ICU versions.
Allow data type name to more seamlessly be compared to other text types (Tom Lane)
Type name
now behaves much like a domain over type text
that has default collation “C”. This allows cross-type comparisons to be processed more efficiently.
Add support for the SQL/JSON path language (Nikita Glukhov, Teodor Sigaev, Alexander Korotkov, Oleg Bartunov, Liudmila Mantrova)
This allows execution of complex queries on JSON
values using an SQL-standard language.
Add support for hyperbolic functions (Lætitia Avrot)
Also add log10()
as an alias for log()
, for standards compliance.
Improve the accuracy of statistical aggregates like variance()
by using more precise algorithms (Dean Rasheed)
Allow date_trunc()
to have an additional argument to control the time zone (Vik Fearing, Tom Lane)
This is faster and simpler than using the AT TIME ZONE
clause.
Adjust to_timestamp()
/to_date()
functions to be more forgiving of template mismatches (Artur Zakirov, Alexander Korotkov, Liudmila Mantrova)
This new behavior more closely matches the Oracle functions of the same name.
Fix assorted bugs in XML functions (Pavel Stehule, Markus Winand, Chapman Flack)
Specifically, in XMLTABLE
, xpath()
, and xmlexists()
, fix some cases where nothing was output for a node, or an unexpected error was thrown, or necessary escaping of XML special characters was omitted.
Allow the BY VALUE
clause in XMLEXISTS
and XMLTABLE
(Chapman Flack)
This SQL-standard clause has no effect in PostgreSQL's implementation, but it was unnecessarily being rejected.
Prevent current_schema()
and current_schemas()
from being run by parallel workers, as they are not parallel-safe (Michaël Paquier)
Allow RECORD
and RECORD[]
to be used as column types in a query's column definition list for a table function that is declared to return RECORD
(Elvis Pranskevichus)
Allow SQL commands and variables with the same names as those commands to be used in the same PL/pgSQL function (Tom Lane)
For example, allow a variable called comment
to exist in a function that calls the COMMENT
SQL command. Previously this combination caused a parse error.
Add new optional warning and error checks to PL/pgSQL (Pavel Stehule)
The new checks allow for run-time validation of INTO
column counts and single-row results.
Add connection parameter tcp_user_timeout to control libpq's TCP timeout (Ryohei Nagaura)
Allow libpq (and thus psql) to report only the SQLSTATE
value in error messages (Didier Gautheron)
Add libpq function PQresultMemorySize()
to report the memory used by a query result (Lars Kanis, Tom Lane)
Remove the no-display/debug flag from libpq's options
connection parameter (Peter Eisentraut)
This allows this parameter to be set by postgres_fdw.
Allow ecpg to create variables of data type bytea
(Ryo Matsumura)
This allows ECPG clients to interact with bytea
data directly, rather than using an encoded form.
Add PREPARE AS
support to ECPG (Ryo Matsumura)
Allow vacuumdb to select tables for vacuum based on their wraparound horizon (Nathan Bossart)
The options are --min-xid-age
and --min-mxid-age
.
Allow vacuumdb to disable waiting for locks or skipping all-visible pages (Nathan Bossart)
The options are --skip-locked
and --disable-page-skipping
.
Add colorization to the output of command-line utilities (Peter Eisentraut)
This is enabled by setting the environment variable PG_COLOR
to always
or auto
. The specific colors used can be adjusted by setting the environment variable PG_COLORS
, using ANSI escape codes for colors. For example, the default behavior is equivalent to PG_COLORS="error=01;31:warning=01;35:locus=01"
.
Add CSV table output mode in psql (Daniel Vérité)
This is controlled by \pset format csv
or the command-line --csv
option.
Show the manual page URL in psql's \help
output for a SQL command (Peter Eisentraut)
Display the IP address in psql's \conninfo
(Fabien Coelho)
Improve tab completion of CREATE TABLE
, CREATE TRIGGER
, CREATE EVENT TRIGGER
, ANALYZE
, EXPLAIN
, VACUUM
, ALTER TABLE
, ALTER INDEX
, ALTER DATABASE
, and ALTER INDEX ALTER COLUMN
(Dagfinn Ilmari Mannsåker, Tatsuro Yamada, Michaël Paquier, Tom Lane, Justin Pryzby)
Allow values produced by queries to be assigned to pgbench variables (Fabien Coelho, Álvaro Herrera)
The command for this is \gset
.
Improve precision of pgbench's --rate
option (Tom Lane)
Improve pgbench's error reporting with clearer messages and return codes (Peter Eisentraut)
Allow control of log file rotation via pg_ctl (Kyotaro Horiguchi, Alexander Kuzmenkov, Alexander Korotkov)
Previously, this was only possible via an SQL function or a process signal.
Properly detach the new server process during pg_ctl start
(Paul Guo)
This prevents the server from being shut down if the shell script that invoked pg_ctl is interrupted later.
Allow pg_upgrade to use the file system's cloning feature, if there is one (Peter Eisentraut)
The --clone
option has the advantages of --link
, while preventing the old cluster from being changed after the new cluster has started.
Allow specification of the socket directory to use in pg_upgrade (Daniel Gustafsson)
This is controlled by --socketdir
; the default is the current directory.
Allow pg_checksums to disable fsync operations (Michaël Paquier)
This is controlled by the --no-sync
option.
Allow pg_rewind to disable fsync operations (Michaël Paquier)
Fix pg_test_fsync to report accurate open_datasync
durations on Windows (Laurenz Albe)
When pg_dump emits data with INSERT
commands rather than COPY
, allow more than one data row to be included in each INSERT
(Surafel Temesgen, David Rowley)
The option controlling this is --rows-per-insert
.
Allow pg_dump to emit INSERT ... ON CONFLICT DO NOTHING
(Surafel Temesgen)
This avoids conflict failures during restore. The option is --on-conflict-do-nothing
.
Decouple the order of operations in a parallel pg_dump from the order used by a subsequent parallel pg_restore (Tom Lane)
This allows pg_restore to perform more-fully-parallelized parallel restores, especially in cases where the original dump was not done in parallel. Scheduling of a parallel pg_dump is also somewhat improved.
Allow the extra_float_digits setting to be specified for pg_dump and pg_dumpall (Andrew Dunstan)
This is primarily useful for making dumps that are exactly comparable across different source server versions. It is not recommended for normal use, as it may result in loss of precision when the dump is restored.
Add --exclude-database
option to pg_dumpall (Andrew Dunstan)
Add CREATE ACCESS METHOD command to create new table types (Andres Freund, Haribabu Kommi, Álvaro Herrera, Alexander Korotkov, Dmitry Dolgov)
This enables the development of new table access methods, which can optimize storage for different use cases. The existing heap
access method remains the default.
Add planner support function interfaces to improve optimizer estimates, inlining, and indexing for functions (Tom Lane)
This allows extensions to create planner support functions that can provide function-specific selectivity, cost, and row-count estimates that can depend on the function's arguments. Support functions can also supply simplified representations and index conditions, greatly expanding optimization possibilities.
Simplify renumbering manually-assigned OIDs, and establish a new project policy for management of such OIDs (John Naylor, Tom Lane)
Patches that manually assign OIDs for new built-in objects (such as new functions) should now randomly choose OIDs in the range 8000—9999. At the end of a development cycle, the OIDs used by committed patches will be renumbered down to lower numbers, currently somewhere in the 4xxx
range, using the new renumber_oids.pl
script. This approach should greatly reduce the odds of OID collisions between different in-process patches.
While there is no specific policy reserving any OIDs for external use, it is recommended that forks and other projects needing private manually-assigned OIDs use numbers in the high 7xxx
range. This will avoid conflicts with recently-merged patches, and it should be a long time before the core project reaches that range.
Build Cygwin binaries using dynamic instead of static libraries (Marco Atzeri)
Remove configure switch --disable-strong-random
(Michaël Paquier)
A strong random-number source is now required.
printf
-family functions, as well as strerror
and strerror_r
, now behave uniformly across platforms within Postgres code (Tom Lane)
Notably, printf
understands %m
everywhere; on Windows, strerror
copes with Winsock error codes (it used to do so in backend but not frontend code); and strerror_r
always follows the GNU return convention.
Require a C99-compliant compiler, and MSVC 2013 or later on Windows (Andres Freund)
Use pandoc, not lynx, for generating plain-text documentation output files (Peter Eisentraut)
This affects only the INSTALL
file generated during make dist
and the seldom-used plain-text postgres.txt
output file. Pandoc produces better output than lynx and avoids some locale/encoding issues. Pandoc version 1.13 or later is required.
Support use of images in the PostgreSQL documentation (Jürgen Purtz)
Allow ORDER BY
sorts and LIMIT
clauses to be pushed to postgres_fdw foreign servers in more cases (Etsuro Fujita)
Improve optimizer cost accounting for postgres_fdw queries (Etsuro Fujita)
Properly honor WITH CHECK OPTION
on views that reference postgres_fdw tables (Etsuro Fujita)
While CHECK OPTION
s on postgres_fdw tables are ignored (because the reference is foreign), views on such tables are considered local, so this change enforces CHECK OPTION
s on them. Previously, only INSERT
s and UPDATE
s with RETURNING
clauses that returned CHECK OPTION
values were validated.
Allow pg_stat_statements_reset()
to be more granular (Haribabu Kommi, Amit Kapila)
The function now allows reset of statistics for specific databases, users, and queries.
Allow control of the auto_explain log level (Tom Dunstan, Andrew Dunstan)
The default is LOG
.
Update unaccent rules with new punctuation and symbols (Hugh Ranalli, Michaël Paquier)
Allow unaccent to handle some accents encoded as combining characters (Hugh Ranalli)
Allow unaccent to remove accents from Greek characters (Tasos Maschalidis)
Add a parameter to amcheck's bt_index_parent_check()
function to check each index tuple from the root of the tree (Peter Geoghegan)
Improve oid2name and vacuumlo option handling to match other commands (Tatsuro Yamada)
The following individuals (in alphabetical order) have contributed to this release as patch authors, committers, reviewers, testers, or reporters of issues.
Release date: 2023-05-11
This release contains a variety of fixes from 11.19. For information about new features in major release 11, see Version 11.0.
The PostgreSQL community will stop releasing updates for the 11.X release series in November 2023. Users are encouraged to update to a newer release branch soon.
A dump/restore is not required for those running 11.X.
However, if you are upgrading from a version earlier than 11.14, see Version 11.14.
Prevent CREATE SCHEMA
from defeating changes in search_path
(Alexander Lakhin)
Within a CREATE SCHEMA
command, objects in the prevailing search_path
, as well as those in the newly-created schema, would be visible even within a called function or script that attempted to set a secure search_path
. This could allow any user having permission to create a schema to hijack the privileges of a security definer function or extension script.
The PostgreSQL Project thanks Alexander Lakhin for reporting this problem. (CVE-2023-2454 or CVE-2023-2454)
Enforce row-level security policies correctly after inlining a set-returning function (Stephen Frost, Tom Lane)
If a set-returning SQL-language function refers to a table having row-level security policies, and it can be inlined into a calling query, those RLS policies would not get enforced properly in some cases involving re-using a cached plan under a different role. This could allow a user to see or modify rows that should have been invisible.
The PostgreSQL Project thanks Wolfgang Walther for reporting this problem. (CVE-2023-2455 or CVE-2023-2455)
Avoid crash when the new schema name is omitted in CREATE SCHEMA
(Michael Paquier)
The SQL standard allows writing CREATE SCHEMA AUTHORIZATION
, with the schema name defaulting to owner_name
owner_name
. However some code paths expected the schema name to be present and would fail.
Disallow altering composite types that are stored in indexes (Tom Lane)
ALTER TYPE
disallows non-binary-compatible modifications of composite types if they are stored in any table columns. (Perhaps that will be allowed someday, but it hasn't happened yet; the locking implications of rewriting many tables are daunting.) We overlooked the possibility that an index might contain a composite type that doesn't also appear in its table.
Ensure that COPY TO
from an RLS-enabled parent table does not copy any rows from child tables (Antonin Houska)
The documentation is quite clear that COPY TO
copies rows from only the named table, not any inheritance children it may have. However, if row-level security was enabled on the table then this stopped being true.
Avoid possible crash when array_position()
or array_positions()
is passed an empty array (Tom Lane)
Fix possible out-of-bounds fetch in to_char()
(Tom Lane)
With bad luck this could have resulted in a server crash.
Avoid buffer overread in translate()
function (Daniil Anisimov)
When using the deletion feature, the function might fetch the byte just after the input string, creating a small risk of crash.
Fix error cursor setting for parse errors in JSON string literals (Tom Lane)
Most cases in which a syntax error is detected in a string literal within a JSON value failed to set the error cursor appropriately. This led at least to an unhelpful error message (pointing to the token before the string, rather than the actual trouble spot), and could even result in a crash in v14 and later.
Fix parser's failure to detect some cases of improperly-nested aggregates (Tom Lane)
This oversight could lead to executor failures for queries that should have been rejected as invalid.
Fix data structure corruption during parsing of serial SEQUENCE NAME
options (David Rowley)
This can lead to trouble if an event trigger captures the corrupted parse tree.
Correctly update plan nodes' parallel-safety markings when moving initplans from one node to another (Tom Lane)
This planner oversight could lead to “subplan was not initialized” errors at runtime.
Disable the inverse-transition optimization for window aggregates when the call contains sub-SELECTs (David Rowley)
This optimization requires that the aggregate's argument expressions have repeatable results, which might not hold for a sub-SELECT.
Fix oversights in execution of nested ARRAY[]
constructs (Alexander Lakhin, Tom Lane)
Correctly detect overflow of the total space needed for the result array, avoiding a possible crash due to undersized output allocation. Also ensure that any trailing padding space in the result array is zeroed; while leaving garbage there is harmless for most purposes, it can result in odd behavior later.
Fix partition pruning logic for partitioning on boolean columns (David Rowley)
Pruning with a condition like boolcol IS NOT TRUE
was done incorrectly, leading to possibly not returning rows in which boolcol
is NULL. Also, the rather unlikely case of partitioning on NOT boolcol
was handled incorrectly.
Fix race condition in per-batch cleanup during parallel hash join (Thomas Munro, Melanie Plageman)
A crash was possible given unlucky timing and parallel_leader_participation
= off
(which is not the default).
Don't balance vacuum cost delay when a table has a per-relation vacuum_cost_delay
setting of zero (Masahiko Sawada)
Delay balancing is supposed to be disabled whenever autovacuum is processing a table with a per-relation vacuum_cost_delay
setting, but this was done only for positive settings, not zero.
Fix corner-case crashes when columns have been added to the end of a view (Tom Lane)
Repair rare failure of MULTIEXPR_SUBLINK subplans in partitioned updates (Andres Freund, Tom Lane)
Use of the syntax INSERT ... ON CONFLICT DO UPDATE SET (c1, ...) = (SELECT ...)
with a partitioned target table could result in failure if any child table is dissimilar from the parent (for example, different physical column order). This typically manifested as failure of consistency checks in the executor; but a crash or incorrect data updates are also possible.
Fix handling of DEFAULT
markers within a multi-row INSERT ... VALUES
query on a view that has a DO ALSO INSERT ... SELECT
rule (Dean Rasheed)
Such cases typically failed with “unrecognized node type” errors or assertion failures.
Support references to OLD
and NEW
within subqueries in rule actions (Dean Rasheed, Tom Lane)
Such references are really lateral references, but the server could crash if the subquery wasn't explicitly marked with LATERAL
. Arrange to do that implicitly when necessary.
When decompiling a rule or SQL function body containing INSERT
/UPDATE
/DELETE
within WITH
, take care to print the correct alias for the target table (Tom Lane)
Fix glitches in SERIALIZABLE READ ONLY
optimization (Thomas Munro)
Transactions already marked as “doomed” confused the safe-snapshot optimization for SERIALIZABLE READ ONLY
transactions. The optimization was unnecessarily skipped in some cases. In other cases an assertion failure occurred (but there was no problem in non-assert builds).
Avoid leaking cache callback slots in the pgoutput
logical decoding plugin (Shi Yu)
Multiple cycles of starting up and shutting down the plugin within a single session would eventually lead to an “out of relcache_callback_list slots” error.
Fix dereference of dangling pointer during buffering build of a GiST index (Alexander Lakhin)
This error seems to usually be harmless in production builds, as the fetched value is noncritical; but in principle it could cause a server crash.
Ignore dropped columns during logical replication of an update or delete action (Onder Kalaci, Shi Yu)
Replication with the REPLICA IDENTITY FULL
option failed if the table contained such columns.
Support RSA-PSS certificates with SCRAM-SHA-256 channel binding (Jacob Champion, Heikki Linnakangas)
This feature requires building with OpenSSL 1.1.1 or newer. Both the server and libpq are affected.
Avoid race condition with process ID tracking on Windows (Thomas Munro)
The operating system could recycle a PID before the postmaster observed that that child process was gone. This could lead to tracking more than one child with the same PID, resulting in confusion.
Add missing cases to SPI_result_code_string()
(Dean Rasheed)
Fix erroneous Valgrind markings in AllocSetRealloc()
(Karina Litskevich)
In the unusual case where the size of a large (>8kB) palloc chunk is decreased, a Valgrind-aware build would mismark the defined-ness state of the memory released from the chunk, possibly causing incorrect results during Valgrind testing.
Avoid assertion failure when decoding a transactional logical replication message (Tomas Vondra)
Avoid locale sensitivity when processing regular expression escapes (Jeff Davis)
A backslash followed by a non-ASCII character could sometimes cause an assertion failure, depending on the prevailing locale.
Avoid trying to write an empty WAL record in log_newpage_range()
when the last few pages in the specified range are empty (Matthias van de Meent)
It is not entirely clear whether this case is reachable in released branches, but if it is then an assertion failure could occur.
Tighten array dimensionality checks when converting Perl list structures to multi-dimensional SQL arrays (Tom Lane)
plperl could misbehave when the nesting of sub-lists is inconsistent so that the data does not represent a rectangular array of values. Such cases now produce errors, but previously they could result in a crash or garbage output.
Tighten array dimensionality checks when converting Python list structures to multi-dimensional SQL arrays (Tom Lane)
plpython could misbehave when dealing with empty sub-lists, or when the nesting of sub-lists is inconsistent so that the data does not represent a rectangular array of values. The former should result in an empty output array, and the latter in an error. But some cases resulted in a crash, and others in unexpected output.
Fix unwinding of exception stack in plpython (Xing Guo)
Some rare failure cases could return without cleaning up the PG_TRY exception stack, risking a crash if another error was raised before the next stack level was unwound.
Fix possible data corruption in ecpg programs built with the -C ORACLE
option (Kyotaro Horiguchi)
When ecpg_get_data()
is called with varcharsize
set to zero, it could write a terminating zero character into the last byte of the preceding field, truncating the data in that field.
Fix pg_dump so that partitioned tables that are hash-partitioned on an enum-type column can be restored successfully (Tom Lane)
Since the hash codes for enum values depend on the OIDs assigned to the enum, they are typically different after a dump and restore, meaning that rows often need to go into a different partition than they were in originally. Users can work around that by specifying the --load-via-partition-root
option; but since there is very little chance of success without that, teach pg_dump to apply it automatically to such tables.
Also, fix pg_restore to not try to TRUNCATE
target tables before restoring into them when --load-via-partition-root
mode is used. This avoids a hazard of deadlocks and lost data.
In contrib/hstore_plpython
, avoid crashing if the Python value to be transformed isn't a mapping (Dmitry Dolgov, Tom Lane)
This should give an error, but Python 3 changed some APIs in a way that caused the check to misbehave, allowing a crash to ensue.
Fix misbehavior in contrib/pg_trgm
with an unsatisfiable regular expression (Tom Lane)
A regex such as $foo
is legal but unsatisfiable; the regex compiler recognizes that and produces an empty NFA graph. Attempting to optimize such a graph into a pg_trgm GIN or GiST index qualification resulted in accessing off the end of a work array, possibly leading to crashes.
Use the --strip-unneeded
option when stripping static libraries with GNU-compatible strip (Tom Lane)
Previously, make install-strip
used the -x
option in this case. This change avoids misbehavior of llvm-strip, and gives slightly smaller output as well.
Stop recommending auto-download of DTD files for building the documentation, and indeed disable it (Aleksander Alekseev, Peter Eisentraut, Tom Lane)
It appears no longer possible to build the SGML documentation without a local installation of the DocBook DTD files. Formerly xsltproc could download those files on-the-fly from sourceforge.net; but sourceforge.net now permits only HTTPS access, and no common version of xsltproc supports that. Hence, remove the bits of our documentation suggesting that that's possible or useful, and instead add xsltproc's --nonet
option to the build recipes.
When running TAP tests in PGXS builds, use a saner location for the temporary portlock
directory (Peter Eisentraut)
Place it under tmp_check
in the build directory. With the previous coding, a PGXS build would try to place it in the installation directory, which is not necessarily writable.
Update time zone data files to tzdata release 2023c for DST law changes in Egypt, Greenland, Morocco, and Palestine.
When observing Moscow time, Europe/Kirov and Europe/Volgograd now use the abbreviations MSK/MSD instead of numeric abbreviations, for consistency with other timezones observing Moscow time. Also, America/Yellowknife is no longer distinct from America/Edmonton; this affects some pre-1948 timestamps in that area.
Release date: 2023-02-09
This release contains a variety of fixes from 11.18. For information about new features in major release 11, see Version 11.0.
The PostgreSQL community will stop releasing updates for the 11.X release series in November 2023. Users are encouraged to update to a newer release branch soon.
A dump/restore is not required for those running 11.X.
However, if you are upgrading from a version earlier than 11.14, see Version 11.14.
Allow REPLICA IDENTITY
to be set on an index that's not (yet) valid (Tom Lane)
When pg_dump dumps a partitioned index that's marked REPLICA IDENTITY
, it generates a command sequence that applies REPLICA IDENTITY
before the partitioned index has been marked valid, causing restore to fail. There seems no very good reason to prohibit doing it in that order, so allow it. The marking will have no effect anyway until the index becomes valid.
Fix handling of DEFAULT
markers in rules that perform an INSERT
from a multi-row VALUES
list (Dean Rasheed)
In some cases a DEFAULT
marker would not get replaced with the proper default-value expression, leading to an “unrecognized node type” error.
Fix edge-case data corruption in parallel hash joins (Dmitry Astapov)
If the final chunk of a large tuple being written out to a temporary file was exactly 32760 bytes, it would be corrupted due to a fencepost bug. The query would typically fail later with corrupted-data symptoms.
Honor non-default settings of checkpoint_completion_target
(Bharath Rupireddy)
Internal state was not updated after a change in checkpoint_completion_target
, possibly resulting in performing checkpoint I/O faster or slower than desired, especially if that setting was changed on-the-fly.
Log the correct ending timestamp in recovery_target_xid
mode (Tom Lane)
When ending recovery based on the recovery_target_xid
setting with recovery_target_inclusive
= off
, we printed an incorrect timestamp (always 2000-01-01) in the “recovery stopping before ... transaction” log message.
In extended query protocol, avoid an immediate commit after ANALYZE
if we're running a pipeline (Tom Lane)
If there's not been an explicit BEGIN TRANSACTION
, ANALYZE
would take it on itself to commit, which should not happen within a pipelined series of commands.
Reject cancel request packets having the wrong length (Andrey Borodin)
The server would process a cancel request even if its length word was too small. This led to reading beyond the end of the allocated buffer. In theory that could cause a segfault, but it seems quite unlikely to happen in practice, since the buffer would have to be very close to the end of memory. The more likely outcome was a bogus log message about wrong backend PID or cancel code. Complain about the wrong length, instead.
Add recursion and looping defenses in subquery pullup (Tom Lane)
A contrived query can result in deep recursion and unreasonable amounts of time spent trying to flatten subqueries. A proper fix for that seems unduly invasive for a back-patch, but we can at least add stack depth checks and an interrupt check to allow the query to be cancelled.
Fix partitionwise-join code to tolerate failure to produce a plan for each partition (Tom Lane)
This could result in “could not devise a query plan for the given query” errors.
Limit the amount of cleanup work done by get_actual_variable_range
(Simon Riggs)
Planner runs occurring just after deletion of a large number of tuples appearing at the end of an index could expend significant amounts of work setting the “killed” bits for those index entries. Limit the amount of work done in any one query by giving up on this process after examining 100 heap pages. All the cleanup will still happen eventually, but without so large a performance hiccup.
Ensure that execution of full-text-search queries can be cancelled while they are performing phrase matches (Tom Lane)
Clean up the libpq connection object after a failed replication connection attempt (Andres Freund)
The previous coding leaked the connection object. In background code paths that's pretty harmless because the calling process will give up and exit. But in commands such as CREATE SUBSCRIPTION
, such a failure resulted in a small session-lifespan memory leak.
In hot-standby servers, reduce processing effort for tracking XIDs known to be active on the primary (Simon Riggs, Michail Nikolaev)
Insufficiently-aggressive cleanup of the KnownAssignedXids array could lead to poor performance, particularly when max_connections
is set to a large value on the standby.
Fix uninitialized-memory usage in logical decoding (Masahiko Sawada)
In certain cases, resumption of logical decoding could try to re-use XID data that had already been freed, leading to unpredictable behavior.
Avoid rare “failed to acquire cleanup lock” panic during WAL replay of hash-index page split operations (Robert Haas)
Advance a heap page's LSN when setting its all-visible bit during WAL replay (Jeff Davis)
Failure to do this left the page possibly different on standby servers than the primary, and violated some other expectations about when the LSN changes. This seems only a theoretical hazard so far as PostgreSQL itself is concerned, but it could upset third-party tools.
Prevent unsafe usage of a relation cache entry's rd_smgr
pointer (Amul Sul)
Remove various assumptions that rd_smgr
would stay valid over a series of operations, by wrapping all uses of it in a function that will recompute it if needed. This prevents bugs occurring when an unexpected cache flush occurs partway through such a series.
Fix latent buffer-overrun problem in WaitEventSet
logic (Thomas Munro)
The epoll
-based and kqueue
-based implementations could ask the kernel for too many events if the size of their internal buffer was different from the size of the caller's output buffer. That case is not known to occur in released PostgreSQL versions, but this error is a hazard for external modules and future bug fixes.
Avoid nominally-undefined behavior when accessing shared memory in 32-bit builds (Andres Freund)
clang's undefined-behavior sanitizer complained about use of a pointer that was less aligned than it should be. It's very unlikely that this would cause a problem in non-debug builds, but it's worth fixing for testing purposes.
Fix copy-and-paste errors in cache-lookup-failure messages for ACL checks (Justin Pryzby)
In principle these errors should never be reached. But if they are, some of them reported the wrong type of object.
In pg_dump, avoid calling unsafe server functions before we have locks on the tables to be examined (Tom Lane, Gilles Darold)
pg_dump uses certain server functions that can fail if examining a table that gets dropped concurrently. Avoid this type of failure by ensuring that we obtain access share lock before inquiring too deeply into a table's properties, and that we don't apply such functions to tables we don't intend to dump at all.
Fix tab completion of ALTER FUNCTION/PROCEDURE/ROUTINE
... SET SCHEMA
(Dean Rasheed)
Fix contrib/seg
to not crash or print garbage if an input number has more than 127 digits (Tom Lane)
In contrib/sepgsql
, avoid deprecation warnings with recent libselinux (Michael Paquier)
Fix compile failure in building PL/Perl with MSVC when using Strawberry Perl (Andrew Dunstan)
Fix mismatch of PL/Perl built with MSVC versus a Perl library built with gcc (Andrew Dunstan)
Such combinations could previously fail with “loadable library and perl binaries are mismatched” errors.
Suppress compiler warnings from Perl's header files (Andres Freund)
Our preferred compiler options provoke warnings about constructs appearing in recent versions of Perl's header files. When using gcc, we can suppress these warnings with a pragma.
Fix pg_waldump to build on compilers that don't discard unused static-inline functions (Tom Lane)
Update time zone data files to tzdata release 2022g for DST law changes in Greenland and Mexico, plus historical corrections for northern Canada, Colombia, and Singapore.
Notably, a new timezone America/Ciudad_Juarez has been split off from America/Ojinaga.
Release date: 2022-11-10
This release contains a variety of fixes from 11.17. For information about new features in major release 11, see Version 11.0.
A dump/restore is not required for those running 11.X.
However, if you are upgrading from a version earlier than 11.14, see Version 11.14.
Fix VACUUM
to press on if an attempted page deletion in a btree index fails to find the page's parent downlink (Peter Geoghegan)
Rather than throwing an error, just log the issue and continue without deleting the empty page. Previously, a buggy operator class or corrupted index could indefinitely prevent completion of vacuuming of the index, eventually leading to transaction wraparound problems.
Fix handling of DEFAULT
tokens that appear in a multi-row VALUES
clause of an INSERT
on an updatable view (Tom Lane)
This oversight could lead to “cache lookup failed for type” errors, or in older branches even to crashes.
Disallow rules named _RETURN
that are not ON SELECT
(Tom Lane)
This avoids confusion between a view's ON SELECT
rule and any other rules it may have.
Repair rare failure of MULTIEXPR_SUBLINK subplans in inherited updates (Tom Lane)
Use of the syntax UPDATE tab SET (c1, ...) = (SELECT ...)
with an inherited or partitioned target table could result in failure if the child tables are sufficiently dissimilar. This typically manifested as failure of consistency checks in the executor; but a crash or incorrect data updates are also possible.
Fix incorrect matching of index expressions and predicates when creating a partitioned index (Richard Guo, Tom Lane)
While creating a partitioned index, we try to identify any existing indexes on the partitions that match the partitioned index, so that we can absorb those as child indexes instead of building new ones. Matching of expressions was not done right, so that a usable child index might be ignored, leading to creation of a duplicative index.
Avoid flattening FROM
-less subqueries when the outer query has grouping sets (Tom Lane)
This oversight could lead to assertion failures or planner errors such as “variable not found in subplan target list”.
Prevent WAL corruption after a standby promotion (Dilip Kumar, Robert Haas)
When a PostgreSQL instance performing archive recovery (but not using standby mode) is promoted, and the last WAL segment that it attempted to read ended in a partial record, the instance would write an invalid WAL segment on the new timeline.
Fix mis-ordering of WAL operations in fast insert path for GIN indexes (Matthias van de Meent, Zhang Mingli)
This mistake is not known to have any negative consequences within core PostgreSQL, but it did cause issues for some extensions.
Fix bugs in logical decoding when replay starts from a point between the beginning of a transaction and the beginning of its subtransaction (Masahiko Sawada, Kuroda Hayato)
These errors could lead to assertion failures in debug builds, and otherwise to memory leaks.
Prevent examining system catalogs with the wrong snapshot during logical decoding (Masahiko Sawada)
If decoding begins partway through a transaction that modifies system catalogs, the decoder may not recognize that, causing it to fail to treat that transaction as in-progress for catalog lookups.
Accept interrupts in more places during logical decoding (Amit Kapila, Masahiko Sawada)
This ameliorates problems with slow shutdown of replication workers.
Avoid crash after function syntax error in replication workers (Maxim Orlov, Anton Melnikov, Masahiko Sawada, Tom Lane)
If a syntax error occurred in a SQL-language or PL/pgSQL-language CREATE FUNCTION
or DO
command executed in a logical replication worker, the worker process would crash with a null pointer dereference or assertion failure.
Fix handling of read-write expanded datums that are passed to SQL functions (Tom Lane)
If a non-inlined SQL function uses a parameter in more than one place, and one of those functions expects to be able to modify read-write datums in place, then later uses of the parameter would observe the wrong value. (Within core PostgreSQL, the expanded-datum mechanism is only used for array and composite-type values; but extensions might use it for other structured types.)
In Snowball dictionaries, don't try to stem excessively-long words (Olly Betts, Tom Lane)
If the input word exceeds 1000 bytes, return it as-is after case folding, rather than trying to run it through the Snowball code. This restriction protects against a known recursion-to-stack-overflow problem in the Turkish stemmer, and it seems like good insurance against any other safety or performance issues that may exist in the Snowball stemmers. Such a long string is surely not a word in any human language, so it's doubtful that the stemmer would have done anything desirable with it anyway.
Fix use-after-free hazard in string comparisons (Tom Lane)
Improper memory management in the string comparison functions could result in scribbling on no-longer-allocated buffers, potentially breaking things for whatever is using that memory now. This would only happen with fairly long strings (more than 1kB), and only if an ICU collation is in use.
Prevent postmaster crash when shared-memory state is corrupted (Tom Lane)
The postmaster process is supposed to survive and initiate a database restart if shared memory becomes corrupted, but one bit of code was being insufficiently cautious about that.
Add some more defenses against recursion till stack overrun (Richard Guo, Tom Lane)
Avoid long-term memory leakage in the autovacuum launcher process (Reid Thompson)
The lack of field reports suggests that this problem is only latent in pre-v15 branches; but it's not very clear why, so back-patch the fix anyway.
Improve PL/pgSQL's ability to handle parameters declared as RECORD
(Tom Lane)
Build a separate function cache entry for each concrete type passed to the RECORD
parameter during a session, much as we do for polymorphic parameters. This allows some usages to work that previously failed with errors such as “type of parameter does not match that when preparing the plan”.
Add missing guards for NULL
connection pointer in libpq (Daniele Varrazzo, Tom Lane)
There's a convention that libpq functions should check for a NULL PGconn argument, and fail gracefully instead of crashing. PQflush()
and PQisnonblocking()
didn't get that memo, so fix them.
In ecpg, fix omis