Upgrading from 9.3 to 10.2 gives you 4.4 years worth of fixes (1624 of them)

List of changes:

• ⇑ Upgrade to 9.3.1 released on 2013-10-10 - docs

  • Ensure new-in-9.3 JSON functionality is added to the hstore extension during an update (Andrew Dunstan)

    Users who upgraded a pre-9.3 database containing hstore should execute

    ALTER EXTENSION hstore UPDATE;

    after installing 9.3.1, to add two new JSON functions and a cast. (If hstore is already up to date, this command does nothing.)

  • Fix memory leak when creating B-tree indexes on range columns (Heikki Linnakangas)

  • Fix memory leak caused by lo_open() failure (Heikki Linnakangas)

  • Serializable snapshot fixes (Kevin Grittner, Heikki Linnakangas)

  • Fix deadlock bug in libpq when using SSL (Stephen Frost)

  • Fix timeline handling bugs in pg_receivexlog (Heikki Linnakangas, Andrew Gierth)

  • Prevent CREATE FUNCTION from checking SET variables unless function body checking is enabled (Tom Lane)

  • Remove rare inaccurate warning during vacuum of index-less tables (Heikki Linnakangas)

• ⇑ Upgrade to 9.3.2 released on 2013-12-05 - docs

  • Fix VACUUM's tests to see whether it can update relfrozenxid (Andres Freund)

    In some cases VACUUM (either manual or autovacuum) could incorrectly advance a table's relfrozenxid value, allowing tuples to escape freezing, causing those rows to become invisible once 2^31 transactions have elapsed. The probability of data loss is fairly low since multiple incorrect advancements would need to happen before actual loss occurs, but it's not zero. In 9.2.0 and later, the probability of loss is higher, and it's also possible to get “could not access status of transaction” errors as a consequence of this bug. Users upgrading from releases 9.0.4 or 8.4.8 or earlier are not affected, but all later versions contain the bug.

    The issue can be ameliorated by, after upgrading, vacuuming all tables in all databases while having vacuum_freeze_table_age set to zero. This will fix any latent corruption but will not be able to fix all pre-existing data errors. However, an installation can be presumed safe after performing this vacuuming if it has executed fewer than 2^31 update transactions in its lifetime (check this with SELECT txid_current() < 2^31).

  • Fix multiple bugs in MultiXactId freezing (Andres Freund, Álvaro Herrera)

    These bugs could lead to “could not access status of transaction” errors, or to duplicate or vanishing rows. Users upgrading from releases prior to 9.3.0 are not affected.

    The issue can be ameliorated by, after upgrading, vacuuming all tables in all databases while having vacuum_freeze_table_age set to zero. This will fix latent corruption but will not be able to fix all pre-existing data errors.

    As a separate issue, these bugs can also cause standby servers to get out of sync with the primary, thus exhibiting data errors that are not in the primary. Therefore, it's recommended that 9.3.0 and 9.3.1 standby servers be re-cloned from the primary (e.g., with a new base backup) after upgrading.

  • Fix initialization of pg_clog and pg_subtrans during hot standby startup (Andres Freund, Heikki Linnakangas)

    This bug can cause data loss on standby servers at the moment they start to accept hot-standby queries, by marking committed transactions as uncommitted. The likelihood of such corruption is small unless, at the time of standby startup, the primary server has executed many updating transactions since its last checkpoint. Symptoms include missing rows, rows that should have been deleted being still visible, and obsolete versions of updated rows being still visible alongside their newer versions.

    This bug was introduced in versions 9.3.0, 9.2.5, 9.1.10, and 9.0.14. Standby servers that have only been running earlier releases are not at risk. It's recommended that standby servers that have ever run any of the buggy releases be re-cloned from the primary (e.g., with a new base backup) after upgrading.

  • Fix multiple bugs in update chain traversal (Andres Freund, Álvaro Herrera)

    These bugs could result in incorrect behavior, such as locking or even updating the wrong row, in the presence of concurrent updates. Spurious “unable to fetch updated version of tuple” errors were also possible.

  • Fix dangling-pointer problem in fast-path locking (Tom Lane)

    This could lead to corruption of the lock data structures in shared memory, causing “lock already held” and other odd errors.

  • Fix assorted race conditions in timeout management (Tom Lane)

    These errors could result in a server process becoming unresponsive because it had blocked SIGALRM and/or SIGINT.

  • Truncate pg_multixact contents during WAL replay (Andres Freund)

    This avoids ever-increasing disk space consumption in standby servers.

  • Ensure an anti-wraparound VACUUM counts a page as scanned when it's only verified that no tuples need freezing (Sergey Burladyan, Jeff Janes)

    This bug could result in failing to advance relfrozenxid, so that the table would still be thought to need another anti-wraparound vacuum. In the worst case the database might even shut down to prevent wraparound.

  • Fix full-table-vacuum request mechanism for MultiXactIds (Andres Freund)

    This bug could result in large amounts of useless autovacuum activity.

  • Fix race condition in GIN index posting tree page deletion (Heikki Linnakangas)

    This could lead to transient wrong answers or query failures.

  • Fix “unexpected spgdoinsert() failure” error during SP-GiST index creation (Teodor Sigaev)

  • Fix assorted bugs in materialized views (Kevin Grittner, Andres Freund)

  • Re-allow duplicate table aliases if they're within aliased JOINs (Tom Lane)

    Historically PostgreSQL has accepted queries like

    SELECT ... FROM tab1 x CROSS JOIN (tab2 x CROSS JOIN tab3 y) z

    although a strict reading of the SQL standard would forbid the duplicate usage of table alias x. A misguided change in 9.3.0 caused it to reject some such cases that were formerly accepted. Restore the previous behavior.

  • Avoid flattening a subquery whose SELECT list contains a volatile function wrapped inside a sub-SELECT (Tom Lane)

    This avoids unexpected results due to extra evaluations of the volatile function.

  • Fix planner's processing of non-simple-variable subquery outputs nested within outer joins (Tom Lane)

    This error could lead to incorrect plans for queries involving multiple levels of subqueries within JOIN syntax.

  • Fix incorrect planning in cases where the same non-strict expression appears in multiple WHERE and outer JOIN equality clauses (Tom Lane)

  • Fix planner crash with whole-row reference to a subquery (Tom Lane)

  • Fix incorrect generation of optimized MIN()/MAX() plans for inheritance trees (Tom Lane)

    The planner could fail in cases where the MIN()/MAX() argument was an expression rather than a simple variable.

  • Fix premature deletion of temporary files (Andres Freund)

  • Prevent intra-transaction memory leak when printing range values (Tom Lane)

    This fix actually cures transient memory leaks in any datatype output function, but range types are the only ones known to have had a significant problem.

  • Fix memory leaks when reloading configuration files (Heikki Linnakangas, Hari Babu)

  • Prevent incorrect display of dropped columns in NOT NULL and CHECK constraint violation messages (Michael Paquier and Tom Lane)

  • Allow default arguments and named-argument notation for window functions (Tom Lane)

    Previously, these cases were likely to crash.

  • Suppress trailing whitespace on each line when pretty-printing rules and views (Tom Lane)

    9.3.0 generated such whitespace in many more cases than previous versions did. To reduce unexpected behavioral changes, suppress unnecessary whitespace in all cases.

  • Fix possible read past end of memory in rule printing (Peter Eisentraut)

  • Fix array slicing of int2vector and oidvector values (Tom Lane)

    Expressions of this kind are now implicitly promoted to regular int2 or oid arrays.

  • Return a valid JSON value when converting an empty hstore value to json (Oskari Saarenmaa)

  • Fix incorrect behaviors when using a SQL-standard, simple GMT offset timezone (Tom Lane)

    In some cases, the system would use the simple GMT offset value when it should have used the regular timezone setting that had prevailed before the simple offset was selected. This change also causes the timeofday function to honor the simple GMT offset zone.

  • Prevent possible misbehavior when logging translations of Windows error codes (Tom Lane)

  • Properly quote generated command lines in pg_ctl (Naoya Anzai and Tom Lane)

    This fix applies only to Windows.

  • Fix pg_dumpall to work when a source database sets default_transaction_read_only via ALTER DATABASE SET (Kevin Grittner)

    Previously, the generated script would fail during restore.

  • Fix pg_isready to handle its -d option properly (Fabrízio de Royes Mello and Fujii Masao)

  • Fix parsing of WAL file names in pg_receivexlog (Heikki Linnakangas)

    This error made pg_receivexlog unable to restart streaming after stopping, once at least 4 GB of WAL had been written.

  • Report out-of-disk-space failures properly in pg_upgrade (Peter Eisentraut)

  • Make ecpg search for quoted cursor names case-sensitively (Zoltán Böszörményi)

  • Fix ecpg's processing of lists of variables declared varchar (Zoltán Böszörményi)

  • Make contrib/lo defend against incorrect trigger definitions (Marc Cousin)

  • Update time zone data files to tzdata release 2013h for DST law changes in Argentina, Brazil, Jordan, Libya, Liechtenstein, Morocco, and Palestine. Also, new timezone abbreviations WIB, WIT, WITA for Indonesia.

• ⇑ Upgrade to 9.3.3 released on 2014-02-20 - docs

  • Shore up GRANT ... WITH ADMIN OPTION restrictions (Noah Misch)

    Granting a role without ADMIN OPTION is supposed to prevent the grantee from adding or removing members from the granted role, but this restriction was easily bypassed by doing SET ROLE first. The security impact is mostly that a role member can revoke the access of others, contrary to the wishes of his grantor. Unapproved role member additions are a lesser concern, since an uncooperative role member could provide most of his rights to others anyway by creating views or SECURITY DEFINER functions. (CVE-2014-0060)

  • Prevent privilege escalation via manual calls to PL validator functions (Andres Freund)

    The primary role of PL validator functions is to be called implicitly during CREATE FUNCTION, but they are also normal SQL functions that a user can call explicitly. Calling a validator on a function actually written in some other language was not checked for and could be exploited for privilege-escalation purposes. The fix involves adding a call to a privilege-checking function in each validator function. Non-core procedural languages will also need to make this change to their own validator functions, if any. (CVE-2014-0061)

  • Avoid multiple name lookups during table and index DDL (Robert Haas, Andres Freund)

    If the name lookups come to different conclusions due to concurrent activity, we might perform some parts of the DDL on a different table than other parts. At least in the case of CREATE INDEX, this can be used to cause the permissions checks to be performed against a different table than the index creation, allowing for a privilege escalation attack. (CVE-2014-0062)

  • Prevent buffer overrun with long datetime strings (Noah Misch)

    The MAXDATELEN constant was too small for the longest possible value of type interval, allowing a buffer overrun in interval_out(). Although the datetime input functions were more careful about avoiding buffer overrun, the limit was short enough to cause them to reject some valid inputs, such as input containing a very long timezone name. The ecpg library contained these vulnerabilities along with some of its own. (CVE-2014-0063)

  • Prevent buffer overrun due to integer overflow in size calculations (Noah Misch, Heikki Linnakangas)

    Several functions, mostly type input functions, calculated an allocation size without checking for overflow. If overflow did occur, a too-small buffer would be allocated and then written past. (CVE-2014-0064)

  • Prevent overruns of fixed-size buffers (Peter Eisentraut, Jozef Mlich)

    Use strlcpy() and related functions to provide a clear guarantee that fixed-size buffers are not overrun. Unlike the preceding items, it is unclear whether these cases really represent live issues, since in most cases there appear to be previous constraints on the size of the input string. Nonetheless it seems prudent to silence all Coverity warnings of this type. (CVE-2014-0065)

  • Avoid crashing if crypt() returns NULL (Honza Horak, Bruce Momjian)

    There are relatively few scenarios in which crypt() could return NULL, but contrib/chkpass would crash if it did. One practical case in which this could be an issue is if libc is configured to refuse to execute unapproved hashing algorithms (e.g., “FIPS mode”). (CVE-2014-0066)

  • Document risks of make check in the regression testing instructions (Noah Misch, Tom Lane)

    Since the temporary server started by make check uses “trust” authentication, another user on the same machine could connect to it as database superuser, and then potentially exploit the privileges of the operating-system user who started the tests. A future release will probably incorporate changes in the testing procedure to prevent this risk, but some public discussion is needed first. So for the moment, just warn people against using make check when there are untrusted users on the same machine. (CVE-2014-0067)

  • Rework tuple freezing protocol (Álvaro Herrera, Andres Freund)

    The logic for tuple freezing was unable to handle some cases involving freezing of multixact IDs, with the practical effect that shared row-level locks might be forgotten once old enough.

    Fixing this required changing the WAL record format for tuple freezing. While this is no issue for standalone servers, when using replication it means that standby servers must be upgraded to 9.3.3 or later before their masters are. An older standby will be unable to interpret freeze records generated by a newer master, and will fail with a PANIC message. (In such a case, upgrading the standby should be sufficient to let it resume execution.)

  • Create separate GUC parameters to control multixact freezing (Álvaro Herrera)

    9.3 requires multixact tuple labels to be frozen before they grow too old, in the same fashion as plain transaction ID labels have been frozen for some time. Previously, the transaction ID freezing parameters were used for multixact IDs too; but since the consumption rates of transaction IDs and multixact IDs can be quite different, this did not work very well. Introduce new settings vacuum_multixact_freeze_min_age, vacuum_multixact_freeze_table_age, and autovacuum_multixact_freeze_max_age to control when to freeze multixacts.

  • Account for remote row locks propagated by local updates (Álvaro Herrera)

    If a row was locked by transaction A, and transaction B updated it, the new version of the row created by B would be locked by A, yet visible only to B. If transaction B then again updated the row, A's lock wouldn't get checked, thus possibly allowing B to complete when it shouldn't. This case is new in 9.3 since prior versions did not have any types of row locking that would permit another transaction to update the row at all.

    This oversight could allow referential integrity checks to give false positives (for instance, allow deletes that should have been rejected). Applications using the new commands SELECT FOR KEY SHARE and SELECT FOR NO KEY UPDATE might also have suffered locking failures of this kind.

  • Prevent “forgetting” valid row locks when one of several holders of a row lock aborts (Álvaro Herrera)

    This was yet another mechanism by which a shared row lock could be lost, thus possibly allowing updates that should have been prevented by foreign-key constraints.

  • Fix incorrect logic during update chain locking (Álvaro Herrera)

    This mistake could result in spurious “could not serialize access due to concurrent update” errors in REPEATABLE READ and SERIALIZABLE transaction isolation modes.

  • Handle wraparound correctly during extension or truncation of pg_multixact/members (Andres Freund, Álvaro Herrera)

  • Fix handling of 5-digit filenames in pg_multixact/members (Álvaro Herrera)

    As of 9.3, these names can be more than 4 digits, but the directory cleanup code ignored such files.

  • Improve performance of multixact cache code (Álvaro Herrera)

  • Optimize updating a row that's already locked by the same transaction (Andres Freund, Álvaro Herrera)

    This fixes a performance regression from pre-9.3 versions when doing SELECT FOR UPDATE followed by UPDATE/DELETE.

  • During archive recovery, prefer highest timeline number when WAL segments with the same ID are present in both the archive and pg_xlog/ (Kyotaro Horiguchi)

    Previously, not-yet-archived segments could get ignored during recovery. This reverts an undesirable behavioral change in 9.3.0 back to the way things worked pre-9.3.

  • Fix possible mis-replay of WAL records when some segments of a relation aren't full size (Greg Stark, Tom Lane)

    The WAL update could be applied to the wrong page, potentially many pages past where it should have been. Aside from corrupting data, this error has been observed to result in significant “bloat” of standby servers compared to their masters, due to updates being applied far beyond where the end-of-file should have been. This failure mode does not appear to be a significant risk during crash recovery, only when initially synchronizing a standby created from a base backup taken from a quickly-changing master.

  • Fix bug in determining when recovery has reached consistency (Tomonari Katsumata, Heikki Linnakangas)

    In some cases WAL replay would mistakenly conclude that the database was already consistent at the start of replay, thus possibly allowing hot-standby queries before the database was really consistent. Other symptoms such as “PANIC: WAL contains references to invalid pages” were also possible.

  • Fix WAL logging of visibility map changes (Heikki Linnakangas)

  • Fix improper locking of btree index pages while replaying a VACUUM operation in hot-standby mode (Andres Freund, Heikki Linnakangas, Tom Lane)

    This error could result in “PANIC: WAL contains references to invalid pages” failures.

  • Ensure that insertions into non-leaf GIN index pages write a full-page WAL record when appropriate (Heikki Linnakangas)

    The previous coding risked index corruption in the event of a partial-page write during a system crash.

  • When pause_at_recovery_target and recovery_target_inclusive are both set, ensure the target record is applied before pausing, not after (Heikki Linnakangas)

  • Ensure walreceiver sends hot-standby feedback messages on time even when there is a continuous stream of data (Andres Freund, Amit Kapila)

  • Prevent timeout interrupts from taking control away from mainline code unless ImmediateInterruptOK is set (Andres Freund, Tom Lane)

    This is a serious issue for any application making use of statement timeouts, as it could cause all manner of strange failures after a timeout occurred. We have seen reports of “stuck” spinlocks, ERRORs being unexpectedly promoted to PANICs, unkillable backends, and other misbehaviors.

  • Fix race conditions during server process exit (Robert Haas)

    Ensure that signal handlers don't attempt to use the process's MyProc pointer after it's no longer valid.

  • Fix race conditions in walsender shutdown logic and walreceiver SIGHUP signal handler (Tom Lane)

  • Fix unsafe references to errno within error reporting logic (Christian Kruse)

    This would typically lead to odd behaviors such as missing or inappropriate HINT fields.

  • Fix possible crashes from using ereport() too early during server startup (Tom Lane)

    The principal case we've seen in the field is a crash if the server is started in a directory it doesn't have permission to read.

  • Clear retry flags properly in OpenSSL socket write function (Alexander Kukushkin)

    This omission could result in a server lockup after unexpected loss of an SSL-encrypted connection.

  • Fix length checking for Unicode identifiers (U&"..." syntax) containing escapes (Tom Lane)

    A spurious truncation warning would be printed for such identifiers if the escaped form of the identifier was too long, but the identifier actually didn't need truncation after de-escaping.

  • Fix parsing of Unicode literals and identifiers just before the end of a command string or function body (Tom Lane)

  • Allow keywords that are type names to be used in lists of roles (Stephen Frost)

    A previous patch allowed such keywords to be used without quoting in places such as role identifiers; but it missed cases where a list of role identifiers was permitted, such as DROP ROLE.

  • Fix parser crash for EXISTS(SELECT * FROM zero_column_table) (Tom Lane)

  • Fix possible crash due to invalid plan for nested sub-selects, such as WHERE (... x IN (SELECT ...) ...) IN (SELECT ...) (Tom Lane)

  • Fix mishandling of WHERE conditions pulled up from a LATERAL subquery (Tom Lane)

    The typical symptom of this bug was a “JOIN qualification cannot refer to other relations” error, though subtle logic errors in created plans seem possible as well.

  • Disallow LATERAL references to the target table of an UPDATE/DELETE (Tom Lane)

    While this might be allowed in some future release, it was unintentional in 9.3, and didn't work quite right anyway.

  • Fix UPDATE/DELETE of an inherited target table that has UNION ALL subqueries (Tom Lane)

    Without this fix, UNION ALL subqueries aren't correctly inserted into the update plans for inheritance child tables after the first one, typically resulting in no update happening for those child table(s).

  • Fix ANALYZE to not fail on a column that's a domain over a range type (Tom Lane)

  • Ensure that ANALYZE creates statistics for a table column even when all the values in it are “too wide” (Tom Lane)

    ANALYZE intentionally omits very wide values from its histogram and most-common-values calculations, but it neglected to do something sane in the case that all the sampled entries are too wide.

  • In ALTER TABLE ... SET TABLESPACE, allow the database's default tablespace to be used without a permissions check (Stephen Frost)

    CREATE TABLE has always allowed such usage, but ALTER TABLE didn't get the memo.

  • Fix support for extensions containing event triggers (Tom Lane)

  • Fix “cannot accept a set” error when some arms of a CASE return a set and others don't (Tom Lane)

  • Fix memory leakage in JSON functions (Craig Ringer)

  • Properly distinguish numbers from non-numbers when generating JSON output (Andrew Dunstan)

  • Fix checks for all-zero client addresses in pgstat functions (Kevin Grittner)

  • Fix possible misclassification of multibyte characters by the text search parser (Tom Lane)

    Non-ASCII characters could be misclassified when using C locale with a multibyte encoding. On Cygwin, non-C locales could fail as well.

  • Fix possible misbehavior in plainto_tsquery() (Heikki Linnakangas)

    Use memmove() not memcpy() for copying overlapping memory regions. There have been no field reports of this actually causing trouble, but it's certainly risky.

  • Fix placement of permissions checks in pg_start_backup() and pg_stop_backup() (Andres Freund, Magnus Hagander)

    The previous coding might attempt to do catalog access when it shouldn't.

  • Accept SHIFT_JIS as an encoding name for locale checking purposes (Tatsuo Ishii)

  • Fix *-qualification of named parameters in SQL-language functions (Tom Lane)

    Given a composite-type parameter named foo, $1.* worked fine, but foo.* not so much.

  • Fix misbehavior of PQhost() on Windows (Fujii Masao)

    It should return localhost if no host has been specified.

  • Improve error handling in libpq and psql for failures during COPY TO STDOUT/FROM STDIN (Tom Lane)

    In particular this fixes an infinite loop that could occur in 9.2 and up if the server connection was lost during COPY FROM STDIN. Variants of that scenario might be possible in older versions, or with other client applications.

  • Fix incorrect translation handling in some psql \d commands (Peter Eisentraut, Tom Lane)

  • Ensure pg_basebackup's background process is killed when exiting its foreground process (Magnus Hagander)

  • Fix possible incorrect printing of filenames in pg_basebackup's verbose mode (Magnus Hagander)

  • Avoid including tablespaces inside PGDATA twice in base backups (Dimitri Fontaine, Magnus Hagander)

  • Fix misaligned descriptors in ecpg (MauMau)

  • In ecpg, handle lack of a hostname in the connection parameters properly (Michael Meskes)

  • Fix performance regression in contrib/dblink connection startup (Joe Conway)

    Avoid an unnecessary round trip when client and server encodings match.

  • In contrib/isn, fix incorrect calculation of the check digit for ISMN values (Fabien Coelho)

  • Fix contrib/pgbench's progress logging to avoid overflow when the scale factor is large (Tatsuo Ishii)

  • Fix contrib/pg_stat_statement's handling of CURRENT_DATE and related constructs (Kyotaro Horiguchi)

  • Improve lost-connection error handling in contrib/postgres_fdw (Tom Lane)

  • Ensure client-code-only installation procedure works as documented (Peter Eisentraut)

  • In Mingw and Cygwin builds, install the libpq DLL in the bin directory (Andrew Dunstan)

    This duplicates what the MSVC build has long done. It should fix problems with programs like psql failing to start because they can't find the DLL.

  • Avoid using the deprecated dllwrap tool in Cygwin builds (Marco Atzeri)

  • Enable building with Visual Studio 2013 (Brar Piening)

  • Don't generate plain-text HISTORY and src/test/regress/README files anymore (Tom Lane)

    These text files duplicated the main HTML and PDF documentation formats. The trouble involved in maintaining them greatly outweighs the likely audience for plain-text format. Distribution tarballs will still contain files by these names, but they'll just be stubs directing the reader to consult the main documentation. The plain-text INSTALL file will still be maintained, as there is arguably a use-case for that.

  • Update time zone data files to tzdata release 2013i for DST law changes in Jordan and historical changes in Cuba.

    In addition, the zones Asia/Riyadh87, Asia/Riyadh88, and Asia/Riyadh89 have been removed, as they are no longer maintained by IANA, and never represented actual civil timekeeping practice.

• ⇑ Upgrade to 9.3.4 released on 2014-03-20 - docs

  • Fix WAL replay of locking an already-updated tuple (Andres Freund, Álvaro Herrera)

    This error caused updated rows to not be found by index scans, resulting in inconsistent query results depending on whether an index scan was used. Subsequent processing could result in constraint violations, since the previously updated row would not be found by later index searches, thus possibly allowing conflicting rows to be inserted. Since this error is in WAL replay, it would only manifest during crash recovery or on standby servers. The improperly-replayed case most commonly arises when a table row that is referenced by a foreign-key constraint is updated concurrently with creation of a referencing row.

  • Restore GIN metapages unconditionally to avoid torn-page risk (Heikki Linnakangas)

    Although this oversight could theoretically result in a corrupted index, it is unlikely to have caused any problems in practice, since the active part of a GIN metapage is smaller than a standard 512-byte disk sector.

  • Avoid race condition in checking transaction commit status during receipt of a NOTIFY message (Marko Tiikkaja)

    This prevents a scenario wherein a sufficiently fast client might respond to a notification before database updates made by the notifier have become visible to the recipient.

  • Allow materialized views to be referenced in UPDATE and DELETE commands (Michael Paquier)

    Previously such queries failed with a complaint about not being able to lock rows in the materialized view.

  • Allow regular-expression operators to be terminated early by query cancel requests (Tom Lane)

    This prevents scenarios wherein a pathological regular expression could lock up a server process uninterruptibly for a long time.

  • Remove incorrect code that tried to allow OVERLAPS with single-element row arguments (Joshua Yanovski)

    This code never worked correctly, and since the case is neither specified by the SQL standard nor documented, it seemed better to remove it than fix it.

  • Avoid getting more than AccessShareLock when de-parsing a rule or view (Dean Rasheed)

    This oversight resulted in pg_dump unexpectedly acquiring RowExclusiveLock locks on tables mentioned as the targets of INSERT/UPDATE/DELETE commands in rules. While usually harmless, that could interfere with concurrent transactions that tried to acquire, for example, ShareLock on those tables.

  • Improve performance of index endpoint probes during planning (Tom Lane)

    This change fixes a significant performance problem that occurred when there were many not-yet-committed rows at the end of the index, which is a common situation for indexes on sequentially-assigned values such as timestamps or sequence-generated identifiers.

  • Use non-default selectivity estimates for value IN (list) and value operator ANY (array) expressions when the righthand side is a stable expression (Tom Lane)

  • Remove the correct per-database statistics file during DROP DATABASE (Tomas Vondra)

    This fix prevents a permanent leak of statistics file space. Users who have done many DROP DATABASE commands since upgrading to PostgreSQL 9.3 may wish to check their statistics directory and delete statistics files that do not correspond to any existing database. Please note that db_0.stat should not be removed.

  • Fix walsender ping logic to avoid inappropriate disconnects under continuous load (Andres Freund, Heikki Linnakangas)

    walsender failed to send ping messages to the client if it was constantly busy sending WAL data; but it expected to see ping responses despite that, and would therefore disconnect once wal_sender_timeout elapsed.

  • Fix walsender's failure to shut down cleanly when client is pg_receivexlog (Fujii Masao)

  • Check WAL level and hot standby parameters correctly when doing crash recovery that will be followed by archive recovery (Heikki Linnakangas)

  • Fix test to see if hot standby connections can be allowed immediately after a crash (Heikki Linnakangas)

  • Add read-only data_checksums parameter to display whether page checksums are enabled (Heikki Linnakangas)

    Without this parameter, determining the state of checksum processing was difficult.

  • Prevent interrupts while reporting non-ERROR messages (Tom Lane)

    This guards against rare server-process freezeups due to recursive entry to syslog(), and perhaps other related problems.

  • Fix memory leak in PL/Perl when returning a composite result, including multiple-OUT-parameter cases (Alex Hunsaker)

  • Fix tracking of psql script line numbers during \copy from out-of-line data (Kumar Rajeev Rastogi, Amit Khandekar)

    \copy ... from incremented the script file line number for each data line, even if the data was not coming from the script file. This mistake resulted in wrong line numbers being reported for any errors occurring later in the same script file.

  • Fix contrib/postgres_fdw to handle multiple join conditions properly (Tom Lane)

    This oversight could result in sending WHERE clauses to the remote server for execution even though the clauses are not known to have the same semantics on the remote server (for example, clauses that use non-built-in operators). The query might succeed anyway, but it could also fail with errors from the remote server, or worse give silently wrong answers.

  • Prevent intermittent “could not reserve shared memory region” failures on recent Windows versions (MauMau)

  • Update time zone data files to tzdata release 2014a for DST law changes in Fiji and Turkey, plus historical changes in Israel and Ukraine.

• ⇑ Upgrade to 9.3.5 released on 2014-07-24 - docs

  • In pg_upgrade, remove pg_multixact files left behind by initdb (Bruce Momjian)

    If you used a pre-9.3.5 version of pg_upgrade to upgrade a database cluster to 9.3, it might have left behind a file $PGDATA/pg_multixact/offsets/0000 that should not be there and will eventually cause problems in VACUUM. However, in common cases this file is actually valid and must not be removed. To determine whether your installation has this problem, run this query as superuser, in any database of the cluster:

    WITH list(file) AS (SELECT * FROM pg_ls_dir('pg_multixact/offsets'))
    SELECT EXISTS (SELECT * FROM list WHERE file = '0000') AND
           NOT EXISTS (SELECT * FROM list WHERE file = '0001') AND
           NOT EXISTS (SELECT * FROM list WHERE file = 'FFFF') AND
           EXISTS (SELECT * FROM list WHERE file != '0000')
           AS file_0000_removal_required;

    If this query returns t, manually remove the file $PGDATA/pg_multixact/offsets/0000. Do nothing if the query returns f.

  • Correctly initialize padding bytes in contrib/btree_gist indexes on bit columns (Heikki Linnakangas)

    This error could result in incorrect query results due to values that should compare equal not being seen as equal. Users with GiST indexes on bit or bit varying columns should REINDEX those indexes after installing this update.

  • Protect against torn pages when deleting GIN list pages (Heikki Linnakangas)

    This fix prevents possible index corruption if a system crash occurs while the page update is being written to disk.

  • Don't clear the right-link of a GiST index page while replaying updates from WAL (Heikki Linnakangas)

    This error could lead to transiently wrong answers from GiST index scans performed in Hot Standby.

  • Fix corner-case infinite loop during insertion into an SP-GiST text index (Tom Lane)

  • Fix incorrect answers from SP-GiST index searches with -|- (range adjacency) operator (Heikki Linnakangas)

  • Fix wraparound handling for pg_multixact/members (Álvaro Herrera)

  • Truncate pg_multixact during checkpoints, not during VACUUM (Álvaro Herrera)

    This change ensures that pg_multixact segments can't be removed if they'd still be needed during WAL replay after a crash.

  • Fix possible inconsistency of all-visible flags after WAL recovery (Heikki Linnakangas)

  • Fix possibly-incorrect cache invalidation during nested calls to ReceiveSharedInvalidMessages (Andres Freund)

  • Fix race condition when updating a tuple concurrently locked by another process (Andres Freund, Álvaro Herrera)

  • Fix “could not find pathkey item to sort” planner failures with UNION ALL over subqueries reading from tables with inheritance children (Tom Lane)

  • Don't assume a subquery's output is unique if there's a set-returning function in its targetlist (David Rowley)

    This oversight could lead to misoptimization of constructs like WHERE x IN (SELECT y, generate_series(1,10) FROM t GROUP BY y).

  • Improve planner to drop constant-NULL inputs of AND/OR when possible (Tom Lane)

    This change fixes some cases where the more aggressive parameter substitution done by 9.2 and later can lead to a worse plan than older versions produced.

  • Ensure that the planner sees equivalent VARIADIC and non-VARIADIC function calls as equivalent (Tom Lane)

    This bug could for example result in failure to use expression indexes involving variadic functions. It might be necessary to re-create such indexes, and/or re-create views including variadic function calls that should match the indexes, for the fix to be effective for existing 9.3 installations.

  • Fix handling of nested JSON objects in json_populate_recordset() and friends (Michael Paquier, Tom Lane)

    A nested JSON object could result in previous fields of the parent object not being shown in the output.

  • Fix identification of input type category in to_json() and friends (Tom Lane)

    This is known to have led to inadequate quoting of money fields in the JSON result, and there may have been wrong results for other data types as well.

  • Fix failure to detoast fields in composite elements of structured types (Tom Lane)

    This corrects cases where TOAST pointers could be copied into other tables without being dereferenced. If the original data is later deleted, it would lead to errors like “missing chunk number 0 for toast value ...” when the now-dangling pointer is used.

  • Fix “record type has not been registered” failures with whole-row references to the output of Append plan nodes (Tom Lane)

  • Fix possible crash when invoking a user-defined function while rewinding a cursor (Tom Lane)

  • Fix query-lifespan memory leak while evaluating the arguments for a function in FROM (Tom Lane)

  • Fix session-lifespan memory leaks in regular-expression processing (Tom Lane, Arthur O'Dwyer, Greg Stark)

  • Fix data encoding error in hungarian.stop (Tom Lane)

  • Prevent foreign tables from being created with OIDS when default_with_oids is true (Etsuro Fujita)

  • Fix liveness checks for rows that were inserted in the current transaction and then deleted by a now-rolled-back subtransaction (Andres Freund)

    This could cause problems (at least spurious warnings, and at worst an infinite loop) if CREATE INDEX or CLUSTER were done later in the same transaction.

  • Clear pg_stat_activity.xact_start during PREPARE TRANSACTION (Andres Freund)

    After the PREPARE, the originating session is no longer in a transaction, so it should not continue to display a transaction start time.

  • Fix REASSIGN OWNED to not fail for text search objects (Álvaro Herrera)

  • Prevent pg_class.relminmxid values from going backwards during VACUUM FULL (Álvaro Herrera)

  • Reduce indentation in rule/view dumps to improve readability and avoid excessive whitespace (Greg Stark, Tom Lane)

    This change reduces the amount of indentation applied to nested constructs, including some cases that the user probably doesn't think of as nested, such as UNION lists. Previously, deeply nested constructs were printed with an amount of whitespace growing as O(N^2), which created a performance problem and even risk of out-of-memory failures. Now the indentation is reduced modulo 40, which is initially odd to look at but seems to preserve readability better than simply limiting the indentation would do. Redundant parenthesization of UNION lists has been reduced as well.

  • Fix dumping of rules/views when subsequent addition of a column has resulted in multiple input columns matching a USING specification (Tom Lane)

  • Repair view printing for some cases involving functions in FROM that return a composite type containing dropped columns (Tom Lane)

  • Block signals during postmaster startup (Tom Lane)

    This ensures that the postmaster will properly clean up after itself if, for example, it receives SIGINT while still starting up.

  • Fix client host name lookup when processing pg_hba.conf entries that specify host names instead of IP addresses (Tom Lane)

    Ensure that reverse-DNS lookup failures are reported, instead of just silently not matching such entries. Also ensure that we make only one reverse-DNS lookup attempt per connection, not one per host name entry, which is what previously happened if the lookup attempts failed.

  • Allow the root user to use postgres -C variable and postgres --describe-config (MauMau)

    The prohibition on starting the server as root does not need to extend to these operations, and relaxing it prevents failure of pg_ctl in some scenarios.

  • Secure Unix-domain sockets of temporary postmasters started during make check (Noah Misch)

    Any local user able to access the socket file could connect as the server's bootstrap superuser, then proceed to execute arbitrary code as the operating-system user running the test, as we previously noted in CVE-2014-0067. This change defends against that risk by placing the server's socket in a temporary, mode 0700 subdirectory of /tmp. The hazard remains however on platforms where Unix sockets are not supported, notably Windows, because then the temporary postmaster must accept local TCP connections.

    A useful side effect of this change is to simplify make check testing in builds that override DEFAULT_PGSOCKET_DIR. Popular non-default values like /var/run/postgresql are often not writable by the build user, requiring workarounds that will no longer be necessary.

  • Fix tablespace creation WAL replay to work on Windows (MauMau)

  • Fix detection of socket creation failures on Windows (Bruce Momjian)

  • On Windows, allow new sessions to absorb values of PGC_BACKEND parameters (such as log_connections) from the configuration file (Amit Kapila)

    Previously, if such a parameter were changed in the file post-startup, the change would have no effect.

  • Properly quote executable path names on Windows (Nikhil Deshpande)

    This oversight could cause initdb and pg_upgrade to fail on Windows, if the installation path contained both spaces and @ signs.

  • Fix linking of libpython on macOS (Tom Lane)

    The method we previously used can fail with the Python library supplied by Xcode 5.0 and later.

  • Avoid buffer bloat in libpq when the server consistently sends data faster than the client can absorb it (Shin-ichi Morita, Tom Lane)

    libpq could be coerced into enlarging its input buffer until it runs out of memory (which would be reported misleadingly as “lost synchronization with server”). Under ordinary circumstances it's quite far-fetched that data could be continuously transmitted more quickly than the recv() loop can absorb it, but this has been observed when the client is artificially slowed by scheduler constraints.

  • Ensure that LDAP lookup attempts in libpq time out as intended (Laurenz Albe)

  • Fix ecpg to do the right thing when an array of char * is the target for a FETCH statement returning more than one row, as well as some other array-handling fixes (Ashutosh Bapat)

  • Fix pg_dump to cope with a materialized view that depends on a table's primary key (Tom Lane)

    This occurs if the view's query relies on functional dependency to abbreviate a GROUP BY list. pg_dump got sufficiently confused that it dumped the materialized view as a regular view.

  • Fix parsing of pg_dumpall's -i switch (Tom Lane)

  • Fix pg_restore's processing of old-style large object comments (Tom Lane)

    A direct-to-database restore from an archive file generated by a pre-9.0 version of pg_dump would usually fail if the archive contained more than a few comments for large objects.

  • Fix pg_upgrade for cases where the new server creates a TOAST table but the old version did not (Bruce Momjian)

    This rare situation would manifest as “relation OID mismatch” errors.

  • In pg_upgrade, preserve pg_database.datminmxid and pg_class.relminmxid values from the old cluster, or insert reasonable values when upgrading from pre-9.3; also defend against unreasonable values in the core server (Bruce Momjian, Álvaro Herrera, Tom Lane)

    These changes prevent scenarios in which autovacuum might insist on scanning the entire cluster's contents immediately upon starting the new cluster, or in which tracking of unfrozen MXID values might be disabled completely.

  • Prevent contrib/auto_explain from changing the output of a user's EXPLAIN (Tom Lane)

    If auto_explain is active, it could cause an EXPLAIN (ANALYZE, TIMING OFF) command to nonetheless print timing information.

  • Fix query-lifespan memory leak in contrib/dblink (MauMau, Joe Conway)

  • In contrib/pgcrypto functions, ensure sensitive information is cleared from stack variables before returning (Marko Kreen)

  • Prevent use of already-freed memory in contrib/pgstattuple's pgstat_heap() (Noah Misch)

  • In contrib/uuid-ossp, cache the state of the OSSP UUID library across calls (Tom Lane)

    This improves the efficiency of UUID generation and reduces the amount of entropy drawn from /dev/urandom, on platforms that have that.

  • Update time zone data files to tzdata release 2014e for DST law changes in Crimea, Egypt, and Morocco.

• ⇑ Upgrade to 9.4 released on 2014-12-18 - docs

  • Tighten checks for multidimensional array input (Bruce Momjian)

    Previously, an input array string that started with a single-element sub-array could later contain multi-element sub-arrays, e.g. '{{1}, {2,3}}'::int[] would be accepted.

  • When converting values of type date, timestamp or timestamptz to JSON, render the values in a format compliant with ISO 8601 (Andrew Dunstan)

    Previously such values were rendered according to the current DateStyle setting; but many JSON processors require timestamps to be in ISO 8601 format. If necessary, the previous behavior can be obtained by explicitly casting the datetime value to text before passing it to the JSON conversion function.

  • The json #> text[] path extraction operator now returns its lefthand input, not NULL, if the array is empty (Tom Lane)

    This is consistent with the notion that this represents zero applications of the simple field/element extraction operator ->. Similarly, json #>> text[] with an empty array merely coerces its lefthand input to text.

  • Corner cases in the JSON field/element/path extraction operators now return NULL rather than raising an error (Tom Lane)

    For example, applying field extraction to a JSON array now yields NULL not an error. This is more consistent (since some comparable cases such as no-such-field already returned NULL), and it makes it safe to create expression indexes that use these operators, since they will now not throw errors for any valid JSON input.

  • Cause consecutive whitespace in to_timestamp() and to_date() format strings to consume a corresponding number of characters in the input string (whitespace or not), then conditionally consume adjacent whitespace, if not in FX mode (Jeevan Chalke)

    Previously, consecutive whitespace characters in a non-FX format string behaved like a single whitespace character and consumed all adjacent whitespace in the input string. For example, previously a format string of three spaces would consume only the first space in ' 12', but it will now consume all three characters.

  • Fix ts_rank_cd() to ignore stripped lexemes (Alex Hill)

    Previously, stripped lexemes were treated as if they had a default location, producing a rank of dubious usefulness.

  • For functions declared to take VARIADIC "any", an actual parameter marked as VARIADIC must be of a determinable array type (Pavel Stehule)

    Such parameters can no longer be written as an undecorated string literal or NULL; a cast to an appropriate array data type will now be required. Note that this does not affect parameters not marked VARIADIC.

  • Ensure that whole-row variables expose the expected column names to functions that pay attention to column names within composite arguments (Tom Lane)

    Constructs like row_to_json(tab.*) now always emit column names that match the column aliases visible for table tab at the point of the call. In previous releases the emitted column names would sometimes be the table's actual column names regardless of any aliases assigned in the query.

  • DISCARD now also discards sequence-related state (Fabrízio de Royes Mello, Robert Haas)

  • Rename EXPLAIN ANALYZE's "total runtime" output to "execution time" (Tom Lane)

    Now that planning time is also reported, the previous name was confusing.

  • SHOW TIME ZONE now outputs simple numeric UTC offsets in POSIX timezone format (Tom Lane)

    Previously, such timezone settings were displayed as interval values. The new output is properly interpreted by SET TIME ZONE when passed as a simple string, whereas the old output required special treatment to be re-parsed correctly.

  • Foreign data wrappers that support updating foreign tables must consider the possible presence of AFTER ROW triggers (Noah Misch)

    When an AFTER ROW trigger is present, all columns of the table must be returned by updating actions, since the trigger might inspect any or all of them. Previously, foreign tables never had triggers, so the FDW might optimize away fetching columns not mentioned in the RETURNING clause (if any).

  • Prevent CHECK constraints from referencing system columns, except tableoid (Amit Kapila)

    Previously such check constraints were allowed, but they would often cause errors during restores.

  • Use the last specified recovery target parameter if multiple target parameters are specified (Heikki Linnakangas)

    Previously, there was an undocumented precedence order among the recovery_target_xxx parameters.

  • On Windows, automatically preserve quotes in command strings supplied by the user (Heikki Linnakangas)

    User commands that did their own quote preservation might need adjustment. This is likely to be an issue for commands used in archive_command, restore_command, and COPY TO/FROM PROGRAM.

  • Remove catalog column pg_class.reltoastidxid (Michael Paquier)

  • Remove catalog column pg_rewrite.ev_attr (Kevin Grittner)

    Per-column rules have not been supported since PostgreSQL 7.3.

  • Remove native support for Kerberos authentication (--with-krb5, etc) (Magnus Hagander)

    The supported way to use Kerberos authentication is with GSSAPI. The native code has been deprecated since PostgreSQL 8.3.

  • In PL/Python, handle domains over arrays like the underlying array type (Rodolfo Campero)

    Previously such values were treated as strings.

  • Make libpq's PQconnectdbParams() and PQpingParams() functions process zero-length strings as defaults (Adrian Vondendriesch)

    Previously, these functions treated zero-length string values as selecting the default in only some cases.

  • Change empty arrays returned by the intarray module to be zero-dimensional arrays (Bruce Momjian)

    Previously, empty arrays were returned as zero-length one-dimensional arrays, whose text representation looked the same as zero-dimensional arrays ({}), but they acted differently in array operations. intarray's behavior in this area now matches the built-in array operators.

  • pg_upgrade now uses -U or --username to specify the user name (Bruce Momjian)

    Previously this option was spelled -u or --user, but that was inconsistent with other tools.

  • Allow background worker processes to be dynamically registered, started and terminated (Robert Haas)

    The new worker_spi module shows an example of use of this feature.

  • Allow dynamic allocation of shared memory segments (Robert Haas, Amit Kapila)

    This feature is illustrated in the test_shm_mq module.

  • During crash recovery or immediate shutdown, send uncatchable termination signals (SIGKILL) to child processes that do not shut down promptly (MauMau, Álvaro Herrera)

    This reduces the likelihood of leaving orphaned child processes behind after postmaster shutdown, as well as ensuring that crash recovery can proceed if some child processes have become "stuck".

  • Improve randomness of the database system identifier (Tom Lane)

  • Make VACUUM properly report dead but not-yet-removable rows to the statistics collector (Hari Babu)

    Previously these were reported as live rows.

  • Reduce GIN index size (Alexander Korotkov, Heikki Linnakangas)

    Indexes upgraded via pg_upgrade will work fine but will still be in the old, larger GIN format. Use REINDEX to recreate old GIN indexes in the new format.

  • Improve speed of multi-key GIN lookups (Alexander Korotkov, Heikki Linnakangas)

  • Add GiST index support for inet and cidr data types (Emre Hasegeli)

    Such indexes improve subnet and supernet lookups and ordering comparisons.

  • Fix rare race condition in B-tree page deletion (Heikki Linnakangas)

  • Make the handling of interrupted B-tree page splits more robust (Heikki Linnakangas)

  • Allow multiple backends to insert into WAL buffers concurrently (Heikki Linnakangas)

    This improves parallel write performance.

  • Conditionally write only the modified portion of updated rows to WAL (Amit Kapila)

  • Improve performance of aggregate functions used as window functions (David Rowley, Florian Pflug, Tom Lane)

  • Improve speed of aggregates that use numeric state values (Hadi Moshayedi)

  • Attempt to freeze tuples when tables are rewritten with CLUSTER or VACUUM FULL (Robert Haas, Andres Freund)

    This can avoid the need to freeze the tuples in the future.

  • Improve speed of COPY with default nextval() columns (Simon Riggs)

  • Improve speed of accessing many different sequences in the same session (David Rowley)

  • Raise hard limit on the number of tuples held in memory during sorting and B-tree index builds (Noah Misch)

  • Reduce memory allocated by PL/pgSQL DO blocks (Tom Lane)

  • Make the planner more aggressive about extracting restriction clauses from mixed AND/OR clauses (Tom Lane)

  • Disallow pushing volatile WHERE clauses down into DISTINCT subqueries (Tom Lane)

    Pushing down a WHERE clause can produce a more efficient plan overall, but at the cost of evaluating the clause more often than is implied by the text of the query; so don't do it if the clause contains any volatile functions.

  • Auto-resize the catalog caches (Heikki Linnakangas)

    This reduces memory consumption for sessions accessing only a few tables, and improves performance for sessions accessing many tables.

  • Add pg_stat_archiver system view to report WAL archiver activity (Gabriele Bartolini)

  • Add n_mod_since_analyze columns to pg_stat_all_tables and related system views (Mark Kirkwood)

    These columns expose the system's estimate of the number of changed tuples since the table's last ANALYZE. This estimate drives decisions about when to auto-analyze.

  • Add backend_xid and backend_xmin columns to the system view pg_stat_activity, and a backend_xmin column to pg_stat_replication (Christian Kruse)

  • Add support for SSL ECDH key exchange (Marko Kreen)

    This allows use of Elliptic Curve keys for server authentication. Such keys are faster and have better security than RSA keys. The new configuration parameter ssl_ecdh_curve controls which curve is used for ECDH.

  • Improve the default ssl_ciphers setting (Marko Kreen)

  • By default, the server not the client now controls the preference order of SSL ciphers (Marko Kreen)

    Previously, the order specified by ssl_ciphers was usually ignored in favor of client-side defaults, which are not configurable in most PostgreSQL clients. If desired, the old behavior can be restored via the new configuration parameter ssl_prefer_server_ciphers.

  • Make log_connections show SSL encryption information (Andreas Kunert)

  • Improve SSL renegotiation handling (Álvaro Herrera)

  • Add new SQL command ALTER SYSTEM for changing postgresql.conf configuration file entries (Amit Kapila)

    Previously such settings could only be changed by manually editing postgresql.conf.

  • Add autovacuum_work_mem configuration parameter to control the amount of memory used by autovacuum workers (Peter Geoghegan)

  • Add huge_pages parameter to allow using huge memory pages on Linux (Christian Kruse, Richard Poole, Abhijit Menon-Sen)

    This can improve performance on large-memory systems.

  • Add max_worker_processes parameter to limit the number of background workers (Robert Haas)

    This is helpful in configuring a standby server to have the required number of worker processes (the same as the primary).

  • Add superuser-only session_preload_libraries parameter to load libraries at session start (Peter Eisentraut)

    In contrast to local_preload_libraries, this parameter can load any shared library, not just those in the $libdir/plugins directory.

  • Add wal_log_hints parameter to enable WAL logging of hint-bit changes (Sawada Masahiko)

    Hint bit changes are not normally logged, except when checksums are enabled. This is useful for external tools like pg_rewind.

  • Increase the default settings of work_mem and maintenance_work_mem by four times (Bruce Momjian)

    The new defaults are 4MB and 64MB respectively.

  • Increase the default setting of effective_cache_size to 4GB (Bruce Momjian, Tom Lane)

  • Allow printf-style space padding to be specified in log_line_prefix (David Rowley)

  • Allow terabyte units (TB) to be used when specifying configuration variable values (Simon Riggs)

  • Show PIDs of lock holders and waiters and improve information about relations in log_lock_waits log messages (Christian Kruse)

  • Reduce server logging level when loading shared libraries (Peter Geoghegan)

    The previous level was LOG, which was too verbose for libraries loaded per-session.

  • On Windows, make SQL_ASCII-encoded databases and server processes (e.g., postmaster) emit messages in the character encoding of the server's Windows user locale (Alexander Law, Noah Misch)

    Previously these messages were output in the Windows ANSI code page.

  • Add replication slots to coordinate activity on streaming standbys with the node they are streaming from (Andres Freund, Robert Haas)

    Replication slots allow preservation of resources like WAL files on the primary until they are no longer needed by standby servers.

  • Add recovery parameter recovery_min_apply_delay to delay replication (Robert Haas, Fabrízio de Royes Mello, Simon Riggs)

    Delaying replay on standby servers can be useful for recovering from user errors.

  • Add recovery_target option immediate to stop WAL recovery as soon as a consistent state is reached (MauMau, Heikki Linnakangas)

  • Improve recovery target processing (Heikki Linnakangas)

    The timestamp reported by pg_last_xact_replay_timestamp() now reflects already-committed records, not transactions about to be committed. Recovering to a restore point now replays the restore point, rather than stopping just before the restore point.

  • pg_switch_xlog() now clears any unused trailing space in the old WAL file (Heikki Linnakangas)

    This improves the compression ratio for WAL files.

  • Report failure return codes from external recovery commands (Peter Eisentraut)

  • Reduce spinlock contention during WAL replay (Heikki Linnakangas)

  • Write WAL records of running transactions more frequently (Andres Freund)

    This allows standby servers to start faster and clean up resources more aggressively.

  • Add support for logical decoding of WAL data, to allow database changes to be streamed out in a customizable format (Andres Freund)

  • Add new wal_level setting logical to enable logical change-set encoding in WAL (Andres Freund)

  • Add table-level parameter REPLICA IDENTITY to control logical replication (Andres Freund)

  • Add relation option user_catalog_table to identify user-created tables involved in logical change-set encoding (Andres Freund)

  • Add pg_recvlogical application to receive logical-decoding data (Andres Freund)

  • Add test_decoding module to illustrate logical decoding at the SQL level (Andres Freund)

  • Add WITH ORDINALITY syntax to number the rows returned from a set-returning function in the FROM clause (Andrew Gierth, David Fetter)

    This is particularly useful for functions like unnest().

  • Add ROWS FROM() syntax to allow horizontal concatenation of set-returning functions in the FROM clause (Andrew Gierth)

  • Allow SELECT to have an empty target list (Tom Lane)

    This was added so that views that select from a table with zero columns can be dumped and restored correctly.

  • Ensure that SELECT ... FOR UPDATE NOWAIT does not wait in corner cases involving already-concurrently-updated tuples (Craig Ringer and Thomas Munro)

  • Add DISCARD SEQUENCES command to discard cached sequence-related state (Fabrízio de Royes Mello, Robert Haas)

    DISCARD ALL will now also discard such information.

  • Add FORCE NULL option to COPY FROM, which causes quoted strings matching the specified null string to be converted to NULLs in CSV mode (Ian Barwick, Michael Paquier)

    Without this option, only unquoted matching strings will be imported as null values.

  • Issue warnings for commands used outside of transaction blocks when they can have no effect (Bruce Momjian)

    New warnings are issued for SET LOCAL, SET CONSTRAINTS, SET TRANSACTION and ABORT when used outside a transaction block.

  • Make EXPLAIN ANALYZE show planning time (Andreas Karlsson)

  • Make EXPLAIN show the grouping columns in Agg and Group nodes (Tom Lane)

  • Make EXPLAIN ANALYZE show exact and lossy block counts in bitmap heap scans (Etsuro Fujita)

  • Allow a materialized view to be refreshed without blocking other sessions from reading the view meanwhile (Kevin Grittner)

    This is done with REFRESH MATERIALIZED VIEW CONCURRENTLY.

  • Allow views to be automatically updated even if they contain some non-updatable columns (Dean Rasheed)

    Previously the presence of non-updatable output columns such as expressions, literals, and function calls prevented automatic updates. Now INSERTs, UPDATEs and DELETEs are supported, provided that they do not attempt to assign new values to any of the non-updatable columns.

  • Allow control over whether INSERTs and UPDATEs can add rows to an auto-updatable view that would not appear in the view (Dean Rasheed)

    This is controlled with the new CREATE VIEW clause WITH CHECK OPTION.

  • Allow security barrier views to be automatically updatable (Dean Rasheed)

  • Support triggers on foreign tables (Ronan Dunklau)

  • Allow moving groups of objects from one tablespace to another using the ALL IN TABLESPACE ... SET TABLESPACE form of ALTER TABLE, ALTER INDEX, or ALTER MATERIALIZED VIEW (Stephen Frost)

  • Allow changing foreign key constraint deferrability via ALTER TABLE ... ALTER CONSTRAINT (Simon Riggs)

  • Reduce lock strength for some ALTER TABLE commands (Simon Riggs, Noah Misch, Robert Haas)

    Specifically, VALIDATE CONSTRAINT, CLUSTER ON, SET WITHOUT CLUSTER, ALTER COLUMN SET STATISTICS, ALTER COLUMN SET (attribute_option), ALTER COLUMN RESET (attribute_option) no longer require ACCESS EXCLUSIVE locks.

  • Allow tablespace options to be set in CREATE TABLESPACE (Vik Fearing)

    Formerly these options could only be set via ALTER TABLESPACE.

  • Allow CREATE AGGREGATE to define the estimated size of the aggregate's transition state data (Hadi Moshayedi)

    Proper use of this feature allows the planner to better estimate how much memory will be used by aggregates.

  • Fix DROP IF EXISTS to avoid errors for non-existent objects in more cases (Pavel Stehule, Dean Rasheed)

  • Improve how system relations are identified (Andres Freund, Robert Haas)

    Previously, relations once moved into the pg_catalog schema could no longer be modified or dropped.

  • Fully implement the line data type (Peter Eisentraut)

    The line segment data type (lseg) has always been fully supported. The previous line data type (which was enabled only via a compile-time option) is not binary or dump-compatible with the new implementation.

  • Add pg_lsn data type to represent a WAL log sequence number (LSN) (Robert Haas, Michael Paquier)

  • Allow single-point polygons to be converted to circles (Bruce Momjian)

  • Support time zone abbreviations that change UTC offset from time to time (Tom Lane)

    Previously, PostgreSQL assumed that the UTC offset associated with a time zone abbreviation (such as EST) never changes in the usage of any particular locale. However this assumption fails in the real world, so introduce the ability for a zone abbreviation to represent a UTC offset that sometimes changes. Update the zone abbreviation definition files to make use of this feature in timezone locales that have changed the UTC offset of their abbreviations since 1970 (according to the IANA timezone database). In such timezones, PostgreSQL will now associate the correct UTC offset with the abbreviation depending on the given date.

  • Allow 5+ digit years for non-ISO timestamp and date strings, where appropriate (Bruce Momjian)

  • Add checks for overflow/underflow of interval values (Bruce Momjian)

  • Add jsonb, a more capable and efficient data type for storing JSON data (Oleg Bartunov, Teodor Sigaev, Alexander Korotkov, Peter Geoghegan, Andrew Dunstan)

    This new type allows faster access to values within a JSON document, and faster and more useful indexing of JSON columns. Scalar values in jsonb documents are stored as appropriate scalar SQL types, and the JSON document structure is pre-parsed rather than being stored as text as in the original json data type.

  • Add new JSON functions to allow for the construction of arbitrarily complex JSON trees (Andrew Dunstan, Laurence Rowe)

    New functions include json_array_elements_text(), json_build_array(), json_object(), json_object_agg(), json_to_record(), and json_to_recordset().

  • Add json_typeof() to return the data type of a json value (Andrew Tipton)

  • Add pg_sleep_for(interval) and pg_sleep_until(timestamp) to specify delays more flexibly (Vik Fearing, Julien Rouhaud)

    The existing pg_sleep() function only supports delays specified in seconds.

  • Add cardinality() function for arrays (Marko Tiikkaja)

    This returns the total number of elements in the array, or zero for an array with no elements.

  • Add SQL functions to allow large object reads/writes at arbitrary offsets (Pavel Stehule)

  • Allow unnest() to take multiple arguments, which are individually unnested then horizontally concatenated (Andrew Gierth)

  • Add functions to construct times, dates, timestamps, timestamptzs, and intervals from individual values, rather than strings (Pavel Stehule)

    These functions' names are prefixed with make_, e.g. make_date().

  • Make to_char()'s TZ format specifier return a useful value for simple numeric time zone offsets (Tom Lane)

    Previously, to_char(CURRENT_TIMESTAMP, 'TZ') returned an empty string if the timezone was set to a constant like -4.

  • Add timezone offset format specifier OF to to_char() (Bruce Momjian)

  • Improve the random seed used for random() (Honza Horak)

  • Tighten validity checking for Unicode code points in chr(int) (Tom Lane)

    This function now only accepts values that are valid UTF8 characters according to RFC 3629.

  • Add functions for looking up objects in pg_class, pg_proc, pg_type, and pg_operator that do not generate errors for non-existent objects (Yugo Nagata, Nozomi Anzai, Robert Haas)

    For example, to_regclass() does a lookup in pg_class similarly to the regclass input function, but it returns NULL for a non-existent object instead of failing.

  • Add function pg_filenode_relation() to allow for more efficient lookup of relation names from filenodes (Andres Freund)

  • Add parameter_default column to information_schema.parameters view (Peter Eisentraut)

  • Make information_schema.schemata show all accessible schemas (Peter Eisentraut)

    Previously it only showed schemas owned by the current user.

  • Add control over which rows are passed into aggregate functions via the FILTER clause (David Fetter)

  • Support ordered-set (WITHIN GROUP) aggregates (Atri Sharma, Andrew Gierth, Tom Lane)

  • Add standard ordered-set aggregates percentile_cont(), percentile_disc(), mode(), rank(), dense_rank(), percent_rank(), and cume_dist() (Atri Sharma, Andrew Gierth)

  • Support VARIADIC aggregate functions (Tom Lane)

  • Allow polymorphic aggregates to have non-polymorphic state data types (Tom Lane)

    This allows proper declaration in SQL of aggregates like the built-in aggregate array_agg().

  • Add event trigger support to PL/Perl and PL/Tcl (Dimitri Fontaine)

  • Convert numeric values to decimal in PL/Python (Szymon Guz, Ronan Dunklau)

    Previously such values were converted to Python float values, risking loss of precision.

  • Add ability to retrieve the current PL/pgSQL call stack using GET DIAGNOSTICS (Pavel Stehule, Stephen Frost)

  • Add option print_strict_params to display the parameters passed to a query that violated a STRICT constraint (Marko Tiikkaja)

  • Add variables plpgsql.extra_warnings and plpgsql.extra_errors to enable additional PL/pgSQL warnings and errors (Marko Tiikkaja, Petr Jelinek)

    Currently only warnings/errors about shadowed variables are available.

  • Make libpq's PQconndefaults() function ignore invalid service files (Steve Singer, Bruce Momjian)

    Previously it returned NULL if an incorrect service file was encountered.

  • Accept TLS protocol versions beyond TLSv1 in libpq (Marko Kreen)

  • Add createuser option -g to specify role membership (Christopher Browne)

  • Add vacuumdb option --analyze-in-stages to analyze in stages of increasing granularity (Peter Eisentraut)

    This allows minimal statistics to be created quickly.

  • Make pg_resetxlog with option -n output current and potentially changed values (Rajeev Rastogi)

  • Make initdb throw error for incorrect locale settings, rather than silently falling back to a default choice (Tom Lane)

  • Make pg_ctl return exit code 4 for an inaccessible data directory (Amit Kapila, Bruce Momjian)

    This behavior more closely matches the Linux Standard Base (LSB) Core Specification.

  • On Windows, ensure that a non-absolute -D path specification is interpreted relative to pg_ctl's current directory (Kumar Rajeev Rastogi)

    Previously it would be interpreted relative to whichever directory the underlying Windows service was started in.

  • Allow sizeof() in ECPG C array definitions (Michael Meskes)

  • Make ECPG properly handle nesting of C-style comments in both C and SQL text (Michael Meskes)

  • Suppress "No rows" output in psql expanded mode when the footer is disabled (Bruce Momjian)

  • Allow Control-C to abort psql when it's hung at connection startup (Peter Eisentraut)

  • Make psql's \db+ show tablespace options (Magnus Hagander)

  • Make \do+ display the functions that implement the operators (Marko Tiikkaja)

  • Make \d+ output an OID line only if an oid column exists in the table (Bruce Momjian)

    Previously, the presence or absence of an oid column was always reported.

  • Make \d show disabled system triggers (Bruce Momjian)

    Previously, if you disabled all triggers, only user triggers would show as disabled.

  • Fix \copy to no longer require a space between stdin and a semicolon (Etsuro Fujita)

  • Output the row count at the end of \copy, just like COPY already did (Kumar Rajeev Rastogi)

  • Fix \conninfo to display the server's IP address for connections using hostaddr (Fujii Masao)

    Previously \conninfo could not display the server's IP address in such cases.

  • Show the SSL protocol version in \conninfo (Marko Kreen)

  • Add tab completion for \pset (Pavel Stehule)

  • Allow \pset with no arguments to show all settings (Gilles Darold)

  • Make \s display the name of the history file it wrote without converting it to an absolute path (Tom Lane)

    The code previously attempted to convert a relative file name to an absolute path for display, but frequently got it wrong.

  • Allow pg_restore options -I, -P, -T and -n to be specified multiple times (Heikki Linnakangas)

    This allows multiple objects to be restored in one operation.

  • Optionally add IF EXISTS clauses to the DROP commands emitted when removing old objects during a restore (Pavel Stehule)

    This change prevents unnecessary errors when removing old objects. The new --if-exists option for pg_dump, pg_dumpall, and pg_restore is only available when --clean is also specified.

  • Add pg_basebackup option --xlogdir to specify the pg_xlog directory location (Haribabu Kommi)

  • Allow pg_basebackup to relocate tablespaces in the backup copy (Steeve Lennmark)

    This is particularly useful for using pg_basebackup on the same machine as the primary.

  • Allow network-stream base backups to be throttled (Antonin Houska)

    This can be controlled with the pg_basebackup --max-rate parameter.

  • Improve the way tuples are frozen to preserve forensic information (Robert Haas, Andres Freund)

    This change removes the main objection to freezing tuples as soon as possible. Code that inspects tuple flag bits will need to be modified.

  • No longer require function prototypes for functions marked with the PG_FUNCTION_INFO_V1 macro (Peter Eisentraut)

    This change eliminates the need to write boilerplate prototypes. Note that the PG_FUNCTION_INFO_V1 macro must appear before the corresponding function definition to avoid compiler warnings.

  • Remove SnapshotNow and HeapTupleSatisfiesNow() (Robert Haas)

    All existing uses have been switched to more appropriate snapshot types. Catalog scans now use MVCC snapshots.

  • Add an API to allow memory allocations over one gigabyte (Noah Misch)

  • Add psprintf() to simplify memory allocation during string composition (Peter Eisentraut, Tom Lane)

  • Support printf() size modifier z to print size_t values (Andres Freund)

  • Change API of appendStringInfoVA() to better use vsnprintf() (David Rowley, Tom Lane)

  • Allow new types of external toast datums to be created (Andres Freund)

  • Add single-reader, single-writer, lightweight shared message queue (Robert Haas)

  • Improve spinlock speed on x86_64 CPUs (Heikki Linnakangas)

  • Remove spinlock support for unsupported platforms SINIX, Sun3, and NS32K (Robert Haas)

  • Remove IRIX port (Robert Haas)

  • Reduce the number of semaphores required by --disable-spinlocks builds (Robert Haas)

  • Rewrite duplicate_oids Unix shell script in Perl (Andrew Dunstan)

  • Add Test Anything Protocol (TAP) tests for client programs (Peter Eisentraut)

    Currently, these tests are run by make check-world only if the --enable-tap-tests option was given to configure. This might become the default behavior in some future release.

  • Add make targets check-tests and installcheck-tests, which allow selection of individual tests to be run (Andrew Dunstan)

  • Remove maintainer-check makefile rule (Peter Eisentraut)

    The default build rules now include all the formerly-optional tests.

  • Improve support for VPATH builds of PGXS modules (Cédric Villemain, Andrew Dunstan, Peter Eisentraut)

  • Upgrade to Autoconf 2.69 (Peter Eisentraut)

  • Add a configure flag that appends custom text to the PG_VERSION string (Oskari Saarenmaa)

    This is useful for packagers building custom binaries.

  • Improve DocBook XML validity (Peter Eisentraut)

  • Fix various minor security and sanity issues reported by the Coverity scanner (Stephen Frost)

  • Improve detection of invalid memory usage when testing PostgreSQL with Valgrind (Noah Misch)

  • Improve sample Emacs configuration file emacs.samples (Peter Eisentraut)

    Also add .dir-locals.el to the top of the source tree.

  • Allow pgindent to accept a command-line list of typedefs (Bruce Momjian)

  • Make pgindent smarter about blank lines around preprocessor conditionals (Bruce Momjian)

  • Avoid most uses of dlltool in Cygwin and Mingw builds (Marco Atzeri, Hiroshi Inoue)

  • Support client-only installs in MSVC (Windows) builds (MauMau)

  • Add pg_prewarm extension to preload relation data into the shared buffer cache at server start (Robert Haas)

    This allows reaching full operating performance more quickly.

  • Add UUID random number generator gen_random_uuid() to pgcrypto (Oskari Saarenmaa)

    This allows creation of version 4 UUIDs without requiring installation of uuid-ossp.

  • Allow uuid-ossp to work with the BSD or e2fsprogs UUID libraries, not only the OSSP UUID library (Matteo Beccati)

    This improves the uuid-ossp module's portability since it no longer has to have the increasingly-obsolete OSSP library. The module's name is now rather a misnomer, but we won't change it.

  • Add option to auto_explain to include trigger execution time (Horiguchi Kyotaro)

  • Fix pgstattuple to not report rows from uncommitted transactions as dead (Robert Haas)

  • Make pgstattuple functions use regclass-type arguments (Satoshi Nagayasu)

    While text-type arguments are still supported, they may be removed in a future major release.

  • Improve consistency of pgrowlocks output to honor snapshot rules more consistently (Robert Haas)

  • Improve pg_trgm's choice of trigrams for indexed regular expression searches (Alexander Korotkov)

    This change discourages use of trigrams containing whitespace, which are usually less selective.

  • Allow pg_xlogdump to report a live log stream with --follow (Heikki Linnakangas)

  • Store cube data more compactly (Stas Kelvich)

    Existing data must be dumped/restored to use the new format. The old format can still be read.

  • Reduce vacuumlo client-side memory usage by using a cursor (Andrew Dunstan)

  • Dramatically reduce memory consumption in pg_upgrade (Bruce Momjian)

  • Pass pg_upgrade's user name (-U) option to generated analyze scripts (Bruce Momjian)

  • Remove line length limit for pgbench scripts (Sawada Masahiko)

    The previous line limit was BUFSIZ.

  • Add long option names to pgbench (Fabien Coelho)

  • Add pgbench option --rate to control the transaction rate (Fabien Coelho)

  • Add pgbench option --progress to print periodic progress reports (Fabien Coelho)

  • Make pg_stat_statements use a file, rather than shared memory, for query text storage (Peter Geoghegan)

    This removes the previous limitation on query text length, and allows a higher number of unique statements to be tracked by default.

  • Allow reporting of pg_stat_statements's internal query hash identifier (Daniel Farina, Sameer Thakur, Peter Geoghegan)

  • Add the ability to retrieve all pg_stat_statements information except the query text (Peter Geoghegan)

    This allows monitoring tools to fetch query text only for just-created entries, improving performance during repeated querying of the statistics.

  • Make pg_stat_statements ignore DEALLOCATE commands (Fabien Coelho)

    It already ignored PREPARE, as well as planning time in general, so this seems more consistent.

  • Save the statistics file into $PGDATA/pg_stat at server shutdown, rather than $PGDATA/global (Fujii Masao)

• ⇑ Upgrade to 9.4.1 released on 2015-02-05 - docs

  • Fix buffer overruns in to_char() (Bruce Momjian)

    When to_char() processes a numeric formatting template calling for a large number of digits, PostgreSQL would read past the end of a buffer. When processing a crafted timestamp formatting template, PostgreSQL would write past the end of a buffer. Either case could crash the server. We have not ruled out the possibility of attacks that lead to privilege escalation, though they seem unlikely. (CVE-2015-0241)

  • Fix buffer overrun in replacement *printf() functions (Tom Lane)

    PostgreSQL includes a replacement implementation of printf and related functions. This code will overrun a stack buffer when formatting a floating point number (conversion specifiers e, E, f, F, g or G) with requested precision greater than about 500. This will crash the server, and we have not ruled out the possibility of attacks that lead to privilege escalation. A database user can trigger such a buffer overrun through the to_char() SQL function. While that is the only affected core PostgreSQL functionality, extension modules that use printf-family functions may be at risk as well.

    This issue primarily affects PostgreSQL on Windows. PostgreSQL uses the system implementation of these functions where adequate, which it is on other modern platforms. (CVE-2015-0242)

  • Fix buffer overruns in contrib/pgcrypto (Marko Tiikkaja, Noah Misch)

    Errors in memory size tracking within the pgcrypto module permitted stack buffer overruns and improper dependence on the contents of uninitialized memory. The buffer overrun cases can crash the server, and we have not ruled out the possibility of attacks that lead to privilege escalation. (CVE-2015-0243)

  • Fix possible loss of frontend/backend protocol synchronization after an error (Heikki Linnakangas)

    If any error occurred while the server was in the middle of reading a protocol message from the client, it could lose synchronization and incorrectly try to interpret part of the message's data as a new protocol message. An attacker able to submit crafted binary data within a command parameter might succeed in injecting his own SQL commands this way. Statement timeout and query cancellation are the most likely sources of errors triggering this scenario. Particularly vulnerable are applications that use a timeout and also submit arbitrary user-crafted data as binary query parameters. Disabling statement timeout will reduce, but not eliminate, the risk of exploit. Our thanks to Emil Lenngren for reporting this issue. (CVE-2015-0244)

  • Fix information leak via constraint-violation error messages (Stephen Frost)

    Some server error messages show the values of columns that violate a constraint, such as a unique constraint. If the user does not have SELECT privilege on all columns of the table, this could mean exposing values that the user should not be able to see. Adjust the code so that values are displayed only when they came from the SQL command or could be selected by the user. (CVE-2014-8161)

  • Lock down regression testing's temporary installations on Windows (Noah Misch)

    Use SSPI authentication to allow connections only from the OS user who launched the test suite. This closes on Windows the same vulnerability previously closed on other platforms, namely that other users might be able to connect to the test postmaster. (CVE-2014-0067)

  • Cope with the Windows locale named "Norwegian (Bokmål)" (Heikki Linnakangas)

    Non-ASCII locale names are problematic since it's not clear what encoding they should be represented in. Map the troublesome locale name to a plain-ASCII alias, "Norwegian_Norway".

    9.4.0 mapped the troublesome name to "norwegian-bokmal", but that turns out not to work on all Windows configurations. "Norwegian_Norway" is now recommended instead.

  • Fix use-of-already-freed-memory problem in EvalPlanQual processing (Tom Lane)

    In READ COMMITTED mode, queries that lock or update recently-updated rows could crash as a result of this bug.

  • Avoid possible deadlock while trying to acquire tuple locks in EvalPlanQual processing (Álvaro Herrera, Mark Kirkwood)

  • Fix failure to wait when a transaction tries to acquire a FOR NO KEY EXCLUSIVE tuple lock, while multiple other transactions currently hold FOR SHARE locks (Álvaro Herrera)

  • Improve performance of EXPLAIN with large range tables (Tom Lane)

  • Fix jsonb Unicode escape processing, and in consequence disallow \u0000 (Tom Lane)

    Previously, the JSON Unicode escape \u0000 was accepted and was stored as those six characters; but that is indistinguishable from what is stored for the input \\u0000, resulting in ambiguity. Moreover, in cases where de-escaped textual output is expected, such as the ->> operator, the sequence was printed as \u0000, which does not meet the expectation that JSON escaping would be removed. (Consistent behavior would require emitting a zero byte, but PostgreSQL does not support zero bytes embedded in text strings.) 9.4.0 included an ill-advised attempt to improve this situation by adjusting JSON output conversion rules; but of course that could not fix the fundamental ambiguity, and it turned out to break other usages of Unicode escape sequences. Revert that, and to avoid the core problem, reject \u0000 in jsonb input.

    If a jsonb column contains a \u0000 value stored with 9.4.0, it will henceforth read out as though it were \\u0000, which is the other valid interpretation of the data stored by 9.4.0 for this case.

    The json type did not have the storage-ambiguity problem, but it did have the problem of inconsistent de-escaped textual output. Therefore \u0000 will now also be rejected in json values when conversion to de-escaped form is required. This change does not break the ability to store \u0000 in json columns so long as no processing is done on the values. This is exactly parallel to the cases in which non-ASCII Unicode escapes are allowed when the database encoding is not UTF8.

  • Fix namespace handling in xpath() (Ali Akbar)

    Previously, the xml value resulting from an xpath() call would not have namespace declarations if the namespace declarations were attached to an ancestor element in the input xml value, rather than to the specific element being returned. Propagate the ancestral declaration so that the result is correct when considered in isolation.

  • Fix assorted oversights in range-operator selectivity estimation (Emre Hasegeli)

    This patch fixes corner-case "unexpected operator NNNN" planner errors, and improves the selectivity estimates for some other cases.

  • Revert unintended reduction in maximum size of a GIN index item (Heikki Linnakangas)

    9.4.0 could fail with "index row size exceeds maximum" errors for data that previous versions would accept.

  • Fix query-duration memory leak during repeated GIN index rescans (Heikki Linnakangas)

  • Fix possible crash when using nonzero gin_fuzzy_search_limit (Heikki Linnakangas)

  • Assorted fixes for logical decoding (Andres Freund)

  • Fix incorrect replay of WAL parameter change records that report changes in the wal_log_hints setting (Petr Jelinek)

  • Change "pgstat wait timeout" warning message to be LOG level, and rephrase it to be more understandable (Tom Lane)

    This message was originally thought to be essentially a can't-happen case, but it occurs often enough on our slower buildfarm members to be a nuisance. Reduce it to LOG level, and expend a bit more effort on the wording: it now reads "using stale statistics instead of current ones because stats collector is not responding".

  • Warn if macOS's setlocale() starts an unwanted extra thread inside the postmaster (Noah Misch)

  • Fix libpq's behavior when /etc/passwd isn't readable (Tom Lane)

    While doing PQsetdbLogin(), libpq attempts to ascertain the user's operating system name, which on most Unix platforms involves reading /etc/passwd. As of 9.4, failure to do that was treated as a hard error. Restore the previous behavior, which was to fail only if the application does not provide a database role name to connect as. This supports operation in chroot environments that lack an /etc/passwd file.

  • Improve consistency of parsing of psql's special variables (Tom Lane)

    Allow variant spellings of on and off (such as 1/0) for ECHO_HIDDEN and ON_ERROR_ROLLBACK. Report a warning for unrecognized values for COMP_KEYWORD_CASE, ECHO, ECHO_HIDDEN, HISTCONTROL, ON_ERROR_ROLLBACK, and VERBOSITY. Recognize all values for all these variables case-insensitively; previously there was a mishmash of case-sensitive and case-insensitive behaviors.

  • Fix pg_dump to handle comments on event triggers without failing (Tom Lane)

  • Allow parallel pg_dump to use --serializable-deferrable (Kevin Grittner)

  • Prevent WAL files created by pg_basebackup -x/-X from being archived again when the standby is promoted (Andres Freund)

  • Handle unexpected query results, especially NULLs, safely in contrib/tablefunc's connectby() (Michael Paquier)

    connectby() previously crashed if it encountered a NULL key value. It now prints that row but doesn't recurse further.

  • Numerous cleanups of warnings from Coverity static code analyzer (Andres Freund, Tatsuo Ishii, Marko Kreen, Tom Lane, Michael Paquier)

    These changes are mostly cosmetic but in some cases fix corner-case bugs, for example a crash rather than a proper error report after an out-of-memory failure. None are believed to represent security issues.

  • Allow CFLAGS from configure's environment to override automatically-supplied CFLAGS (Tom Lane)

    Previously, configure would add any switches that it chose of its own accord to the end of the user-specified CFLAGS string. Since most compilers process switches left-to-right, this meant that configure's choices would override the user-specified flags in case of conflicts. That should work the other way around, so adjust the logic to put the user's string at the end not the beginning.

  • Make pg_regress remove any temporary installation it created upon successful exit (Tom Lane)

    This results in a very substantial reduction in disk space usage during make check-world, since that sequence involves creation of numerous temporary installations.

  • Add CST (China Standard Time) to our lists of timezone abbreviations (Tom Lane)

  • Update time zone data files to tzdata release 2015a for DST law changes in Chile and Mexico, plus historical changes in Iceland.

• ⇑ Upgrade to 9.4.2 released on 2015-05-22 - docs

  • Avoid possible crash when client disconnects just before the authentication timeout expires (Benkocs Norbert Attila)

    If the timeout interrupt fired partway through the session shutdown sequence, SSL-related state would be freed twice, typically causing a crash and hence denial of service to other sessions. Experimentation shows that an unauthenticated remote attacker could trigger the bug somewhat consistently, hence treat as security issue. (CVE-2015-3165)

  • Improve detection of system-call failures (Noah Misch)

    Our replacement implementation of snprintf() failed to check for errors reported by the underlying system library calls; the main case that might be missed is out-of-memory situations. In the worst case this might lead to information exposure, due to our code assuming that a buffer had been overwritten when it hadn't been. Also, there were a few places in which security-relevant calls of other system library functions did not check for failure.

    It remains possible that some calls of the *printf() family of functions are vulnerable to information disclosure if an out-of-memory error occurs at just the wrong time. We judge the risk to not be large, but will continue analysis in this area. (CVE-2015-3166)

  • In contrib/pgcrypto, uniformly report decryption failures as "Wrong key or corrupt data" (Noah Misch)

    Previously, some cases of decryption with an incorrect key could report other error message texts. It has been shown that such variance in error reports can aid attackers in recovering keys from other systems. While it's unknown whether pgcrypto's specific behaviors are likewise exploitable, it seems better to avoid the risk by using a one-size-fits-all message. (CVE-2015-3167)

  • Protect against wraparound of multixact member IDs (Álvaro Herrera, Robert Haas, Thomas Munro)

    Under certain usage patterns, the existing defenses against this might be insufficient, allowing pg_multixact/members files to be removed too early, resulting in data loss. The fix for this includes modifying the server to fail transactions that would result in overwriting old multixact member ID data, and improving autovacuum to ensure it will act proactively to prevent multixact member ID wraparound, as it does for transaction ID wraparound.

  • Fix incorrect declaration of contrib/citext's regexp_matches() functions (Tom Lane)

    These functions should return setof text[], like the core functions they are wrappers for; but they were incorrectly declared as returning just text[]. This mistake had two results: first, if there was no match you got a scalar null result, whereas what you should get is an empty set (zero rows). Second, the g flag was effectively ignored, since you would get only one result array even if there were multiple matches.

    While the latter behavior is clearly a bug, there might be applications depending on the former behavior; therefore the function declarations will not be changed by default until PostgreSQL 9.5. In pre-9.5 branches, the old behavior exists in version 1.0 of the citext extension, while we have provided corrected declarations in version 1.1 (which is not installed by default). To adopt the fix in pre-9.5 branches, execute ALTER EXTENSION citext UPDATE TO '1.1' in each database in which citext is installed. (You can also "update" back to 1.0 if you need to undo that.) Be aware that either update direction will require dropping and recreating any views or rules that use citext's regexp_matches() functions.

  • Render infinite dates and timestamps as infinity when converting to json, rather than throwing an error (Andrew Dunstan)

  • Fix json/jsonb's populate_record() and to_record() functions to handle empty input properly (Andrew Dunstan)

  • Fix incorrect checking of deferred exclusion constraints after a HOT update (Tom Lane)

    If a new row that potentially violates a deferred exclusion constraint is HOT-updated (that is, no indexed columns change and the row can be stored back onto the same table page) later in the same transaction, the exclusion constraint would be reported as violated when the check finally occurred, even if the row(s) the new row originally conflicted with had been deleted.

  • Fix behavior when changing foreign key constraint deferrability status with ALTER TABLE ... ALTER CONSTRAINT (Tom Lane)

    Operations later in the same session or concurrent sessions might not honor the status change promptly.

  • Fix planning of star-schema-style queries (Tom Lane)

    Sometimes, efficient scanning of a large table requires that index parameters be provided from more than one other table (commonly, dimension tables whose keys are needed to index a large fact table). The planner should be able to find such plans, but an overly restrictive search heuristic prevented it.

  • Prevent improper reordering of antijoins (NOT EXISTS joins) versus other outer joins (Tom Lane)

    This oversight in the planner has been observed to cause "could not find RelOptInfo for given relids" errors, but it seems possible that sometimes an incorrect query plan might get past that consistency check and result in silently-wrong query output.

  • Fix incorrect matching of subexpressions in outer-join plan nodes (Tom Lane)

    Previously, if textually identical non-strict subexpressions were used both above and below an outer join, the planner might try to re-use the value computed below the join, which would be incorrect because the executor would force the value to NULL in case of an unmatched outer row.

  • Fix GEQO planner to cope with failure of its join order heuristic (Tom Lane)

    This oversight has been seen to lead to "failed to join all relations together" errors in queries involving LATERAL, and that might happen in other cases as well.

  • Ensure that row locking occurs properly when the target of an UPDATE or DELETE is a security-barrier view (Stephen Frost)

  • Use a file opened for read/write when syncing replication slot data during database startup (Andres Freund)

    On some platforms, the previous coding could result in errors like "could not fsync file "pg_replslot/...": Bad file descriptor".

  • Fix possible deadlock at startup when max_prepared_transactions is too small (Heikki Linnakangas)

  • Don't archive useless preallocated WAL files after a timeline switch (Heikki Linnakangas)

  • Recursively fsync() the data directory after a crash (Abhijit Menon-Sen, Robert Haas)

    This ensures consistency if another crash occurs shortly later. (The second crash would have to be a system-level crash, not just a database crash, for there to be a problem.)

  • Fix autovacuum launcher's possible failure to shut down, if an error occurs after it receives SIGTERM (Álvaro Herrera)

  • Fix failure to handle invalidation messages for system catalogs early in session startup (Tom Lane)

    This oversight could result in failures in sessions that start concurrently with a VACUUM FULL on a system catalog.

  • Fix crash in BackendIdGetTransactionIds() when trying to get status for a backend process that just exited (Tom Lane)

  • Cope with unexpected signals in LockBufferForCleanup() (Andres Freund)

    This oversight could result in spurious errors about "multiple backends attempting to wait for pincount 1".

  • Fix crash when doing COPY IN to a table with check constraints that contain whole-row references (Tom Lane)

    The known failure case only crashes in 9.4 and up, but there is very similar code in 9.3 and 9.2, so back-patch those branches as well.

  • Avoid waiting for WAL flush or synchronous replication during commit of a transaction that was read-only so far as the user is concerned (Andres Freund)

    Previously, a delay could occur at commit in transactions that had written WAL due to HOT page pruning, leading to undesirable effects such as sessions getting stuck at startup if all synchronous replicas are down. Sessions have also been observed to get stuck in catchup interrupt processing when using synchronous replication; this will fix that problem as well.

  • Avoid busy-waiting with short recovery_min_apply_delay values (Andres Freund)

  • Fix crash when manipulating hash indexes on temporary tables (Heikki Linnakangas)

  • Fix possible failure during hash index bucket split, if other processes are modifying the index concurrently (Tom Lane)

  • Fix memory leaks in GIN index vacuum (Heikki Linnakangas)

  • Check for interrupts while analyzing index expressions (Jeff Janes)

    ANALYZE executes index expressions many times; if there are slow functions in such an expression, it's desirable to be able to cancel the ANALYZE before that loop finishes.

  • Ensure tableoid of a foreign table is reported correctly when a READ COMMITTED recheck occurs after locking rows in SELECT FOR UPDATE, UPDATE, or DELETE (Etsuro Fujita)

  • Add the name of the target server to object description strings for foreign-server user mappings (Álvaro Herrera)

  • Include the schema name in object identity strings for conversions (Álvaro Herrera)

  • Recommend setting include_realm to 1 when using Kerberos/GSSAPI/SSPI authentication (Stephen Frost)

    Without this, identically-named users from different realms cannot be distinguished. For the moment this is only a documentation change, but it will become the default setting in PostgreSQL 9.5.

  • Remove code for matching IPv4 pg_hba.conf entries to IPv4-in-IPv6 addresses (Tom Lane)

    This hack was added in 2003 in response to a report that some Linux kernels of the time would report IPv4 connections as having IPv4-in-IPv6 addresses. However, the logic was accidentally broken in 9.0. The lack of any field complaints since then shows that it's not needed anymore. Now we have reports that the broken code causes crashes on some systems, so let's just remove it rather than fix it. (Had we chosen to fix it, that would make for a subtle and potentially security-sensitive change in the effective meaning of IPv4 pg_hba.conf entries, which does not seem like a good thing to do in minor releases.)

  • Fix status reporting for terminated background workers that were never actually started (Robert Haas)

  • After a database crash, don't restart background workers that are marked BGW_NEVER_RESTART (Amit Khandekar)

  • Report WAL flush, not insert, position in IDENTIFY_SYSTEM replication command (Heikki Linnakangas)

    This avoids a possible startup failure in pg_receivexlog.

  • While shutting down service on Windows, periodically send status updates to the Service Control Manager to prevent it from killing the service too soon; and ensure that pg_ctl will wait for shutdown (Krystian Bigaj)

  • Reduce risk of network deadlock when using libpq's non-blocking mode (Heikki Linnakangas)

    When sending large volumes of data, it's important to drain the input buffer every so often, in case the server has sent enough response data to cause it to block on output. (A typical scenario is that the server is sending a stream of NOTICE messages during COPY FROM STDIN.) This worked properly in the normal blocking mode, but not so much in non-blocking mode. We've modified libpq to opportunistically drain input when it can, but a full defense against this problem requires application cooperation: the application should watch for socket read-ready as well as write-ready conditions, and be sure to call PQconsumeInput() upon read-ready.

  • In libpq, fix misparsing of empty values in URI connection strings (Thomas Fanghaenel)

  • Fix array handling in ecpg (Michael Meskes)

  • Fix psql to sanely handle URIs and conninfo strings as the first parameter to \connect (David Fetter, Andrew Dunstan, Álvaro Herrera)

    This syntax has been accepted (but undocumented) for a long time, but previously some parameters might be taken from the old connection instead of the given string, which was agreed to be undesirable.

  • Suppress incorrect complaints from psql on some platforms that it failed to write ~/.psql_history at exit (Tom Lane)

    This misbehavior was caused by a workaround for a bug in very old (pre-2006) versions of libedit. We fixed it by removing the workaround, which will cause a similar failure to appear for anyone still using such versions of libedit. Recommendation: upgrade that library, or use libreadline.

  • Fix pg_dump's rule for deciding which casts are system-provided casts that should not be dumped (Tom Lane)

  • In pg_dump, fix failure to honor -Z compression level option together with -Fd (Michael Paquier)

  • Make pg_dump consider foreign key relationships between extension configuration tables while choosing dump order (Gilles Darold, Michael Paquier, Stephen Frost)

    This oversight could result in producing dumps that fail to reload because foreign key constraints are transiently violated.

  • Avoid possible pg_dump failure when concurrent sessions are creating and dropping temporary functions (Tom Lane)

  • Fix dumping of views that are just VALUES(...) but have column aliases (Tom Lane)

  • Ensure that a view's replication identity is correctly set to nothing during dump/restore (Marko Tiikkaja)

    Previously, if the view was involved in a circular dependency, it might wind up with an incorrect replication identity property.

  • In pg_upgrade, force timeline 1 in the new cluster (Bruce Momjian)

    This change prevents upgrade failures caused by bogus complaints about missing WAL history files.

  • In pg_upgrade, check for improperly non-connectable databases before proceeding (Bruce Momjian)

  • In pg_upgrade, quote directory paths properly in the generated delete_old_cluster script (Bruce Momjian)

  • In pg_upgrade, preserve database-level freezing info properly (Bruce Momjian)

    This oversight could cause missing-clog-file errors for tables within the postgres and template1 databases.

  • Run pg_upgrade and pg_resetxlog with restricted privileges on Windows, so that they don't fail when run by an administrator (Muhammad Asif Naeem)

  • Improve handling of readdir() failures when scanning directories in initdb and pg_basebackup (Marco Nenciarini)

  • Fix slow sorting algorithm in contrib/intarray (Tom Lane)

  • Fix compile failure on Sparc V8 machines (Rob Rowan)

  • Silence some build warnings on macOS (Tom Lane)

  • Update time zone data files to tzdata release 2015d for DST law changes in Egypt, Mongolia, and Palestine, plus historical changes in Canada and Chile. Also adopt revised zone abbreviations for the America/Adak zone (HST/HDT not HAST/HADT).

• ⇑ Upgrade to 9.4.3 released on 2015-06-04 - docs

  • Avoid failures while fsync'ing data directory during crash restart (Abhijit Menon-Sen, Tom Lane)

    In the previous minor releases we added a patch to fsync everything in the data directory after a crash. Unfortunately its response to any error condition was to fail, thereby preventing the server from starting up, even when the problem was quite harmless. An example is that an unwritable file in the data directory would prevent restart on some platforms; but it is common to make SSL certificate files unwritable by the server. Revise this behavior so that permissions failures are ignored altogether, and other types of failures are logged but do not prevent continuing.

    Also apply the same rules in initdb --sync-only. This case is less critical but it should act similarly.

  • Fix pg_get_functiondef() to show functions' LEAKPROOF property, if set (Jeevan Chalke)

  • Fix pushJsonbValue() to unpack jbvBinary objects (Andrew Dunstan)

    This change does not affect any behavior in the core code as of 9.4, but it avoids a corner case for possible third-party callers.

  • Remove configure's check prohibiting linking to a threaded libpython on OpenBSD (Tom Lane)

    The failure this restriction was meant to prevent seems to not be a problem anymore on current OpenBSD versions.

• ⇑ Upgrade to 9.4.4 released on 2015-06-12 - docs

  • Fix possible failure to recover from an inconsistent database state (Robert Haas)

    Recent PostgreSQL releases introduced mechanisms to protect against multixact wraparound, but some of that code did not account for the possibility that it would need to run during crash recovery, when the database may not be in a consistent state. This could result in failure to restart after a crash, or failure to start up a secondary server. The lingering effects of a previously-fixed bug in pg_upgrade could also cause such a failure, in installations that had used pg_upgrade versions between 9.3.0 and 9.3.4.

    The pg_upgrade bug in question was that it would set oldestMultiXid to 1 in pg_control even if the true value should be higher. With the fixes introduced in this release, such a situation will result in immediate emergency autovacuuming until a correct oldestMultiXid value can be determined. If that would pose a hardship, users can avoid it by doing manual vacuuming before upgrading to this release. In detail:

    1. Check whether pg_controldata reports "Latest checkpoint's oldestMultiXid" to be 1. If not, there's nothing to do.

    2. Look in PGDATA/pg_multixact/offsets to see if there's a file named 0000. If there is, there's nothing to do.

    3. Otherwise, for each table that has pg_class.relminmxid equal to 1, VACUUM that table with both vacuum_multixact_freeze_min_age and vacuum_multixact_freeze_table_age set to zero. (You can use the vacuum cost delay parameters described in Section 18.4.4 to reduce the performance consequences for concurrent sessions.)

  • Fix rare failure to invalidate relation cache init file (Tom Lane)

    With just the wrong timing of concurrent activity, a VACUUM FULL on a system catalog might fail to update the "init file" that's used to avoid cache-loading work for new sessions. This would result in later sessions being unable to access that catalog at all. This is a very ancient bug, but it's so hard to trigger that no reproducible case had been seen until recently.

  • Avoid deadlock between incoming sessions and CREATE/DROP DATABASE (Tom Lane)

    A new session starting in a database that is the target of a DROP DATABASE command, or is the template for a CREATE DATABASE command, could cause the command to wait for five seconds and then fail, even if the new session would have exited before that.

  • Improve planner's cost estimates for semi-joins and anti-joins with inner indexscans (Tom Lane, Tomas Vondra)

    This type of plan is quite cheap when all the join clauses are used as index scan conditions, even if the inner scan would nominally fetch many rows, because the executor will stop after obtaining one row. The planner only partially accounted for that effect, and would therefore overestimate the cost, leading it to possibly choose some other much less efficient plan type.

• ⇑ Upgrade to 9.4.5 released on 2015-10-08 - docs

  • Guard against stack overflows in json parsing (Oskari Saarenmaa)

    If an application constructs PostgreSQL json or jsonb values from arbitrary user input, the application's users can reliably crash the PostgreSQL server, causing momentary denial of service. (CVE-2015-5289)

  • Fix contrib/pgcrypto to detect and report too-short crypt() salts (Josh Kupershmidt)

    Certain invalid salt arguments crashed the server or disclosed a few bytes of server memory. We have not ruled out the viability of attacks that arrange for presence of confidential information in the disclosed bytes, but they seem unlikely. (CVE-2015-5288)

  • Fix subtransaction cleanup after a portal (cursor) belonging to an outer subtransaction fails (Tom Lane, Michael Paquier)

    A function executed in an outer-subtransaction cursor could cause an assertion failure or crash by referencing a relation created within an inner subtransaction.

  • Fix possible deadlock during WAL insertion when commit_delay is set (Heikki Linnakangas)

  • Ensure all relations referred to by an updatable view are properly locked during an update statement (Dean Rasheed)

  • Fix insertion of relations into the relation cache "init file" (Tom Lane)

    An oversight in a patch in the most recent minor releases caused pg_trigger_tgrelid_tgname_index to be omitted from the init file. Subsequent sessions detected this, then deemed the init file to be broken and silently ignored it, resulting in a significant degradation in session startup time. In addition to fixing the bug, install some guards so that any similar future mistake will be more obvious.

  • Avoid O(N^2) behavior when inserting many tuples into a SPI query result (Neil Conway)

  • Improve LISTEN startup time when there are many unread notifications (Matt Newell)

  • Fix performance problem when a session alters large numbers of foreign key constraints (Jan Wieck, Tom Lane)

    This was seen primarily when restoring pg_dump output for databases with many thousands of tables.

  • Disable SSL renegotiation by default (Michael Paquier, Andres Freund)

    While use of SSL renegotiation is a good idea in theory, we have seen too many bugs in practice, both in the underlying OpenSSL library and in our usage of it. Renegotiation will be removed entirely in 9.5 and later. In the older branches, just change the default value of ssl_renegotiation_limit to zero (disabled).

  • Lower the minimum values of the *_freeze_max_age parameters (Andres Freund)

    This is mainly to make tests of related behavior less time-consuming, but it may also be of value for installations with limited disk space.

  • Limit the maximum value of wal_buffers to 2GB to avoid server crashes (Josh Berkus)

  • Avoid logging complaints when a parameter that can only be set at server start appears multiple times in postgresql.conf, and fix counting of line numbers after an include_dir directive (Tom Lane)

  • Fix rare internal overflow in multiplication of numeric values (Dean Rasheed)

  • Guard against hard-to-reach stack overflows involving record types, range types, json, jsonb, tsquery, ltxtquery and query_int (Noah Misch)

  • Fix handling of DOW and DOY in datetime input (Greg Stark)

    These tokens aren't meant to be used in datetime values, but previously they resulted in opaque internal error messages rather than "invalid input syntax".

  • Add more query-cancel checks to regular expression matching (Tom Lane)

  • Add recursion depth protections to regular expression, SIMILAR TO, and LIKE matching (Tom Lane)

    Suitable search patterns and a low stack depth limit could lead to stack-overrun crashes.

  • Fix potential infinite loop in regular expression execution (Tom Lane)

    A search pattern that can apparently match a zero-length string, but actually doesn't match because of a back reference, could lead to an infinite loop.

  • In regular expression execution, correctly record match data for capturing parentheses within a quantifier even when the match is zero-length (Tom Lane)

  • Fix low-memory failures in regular expression compilation (Andreas Seltenreich)

  • Fix low-probability memory leak during regular expression execution (Tom Lane)

  • Fix rare low-memory failure in lock cleanup during transaction abort (Tom Lane)

  • Fix "unexpected out-of-memory situation during sort" errors when using tuplestores with small work_mem settings (Tom Lane)

  • Fix very-low-probability stack overrun in qsort (Tom Lane)

  • Fix "invalid memory alloc request size" failure in hash joins with large work_mem settings (Tomas Vondra, Tom Lane)

  • Fix assorted planner bugs (Tom Lane)

    These mistakes could lead to incorrect query plans that would give wrong answers, or to assertion failures in assert-enabled builds, or to odd planner errors such as "could not devise a query plan for the given query", "could not find pathkey item to sort", "plan should not reference subplan's variable", or "failed to assign all NestLoopParams to plan nodes". Thanks are due to Andreas Seltenreich and Piotr Stefaniak for fuzz testing that exposed these problems.

  • Improve planner's performance for UPDATE/DELETE on large inheritance sets (Tom Lane, Dean Rasheed)

  • Ensure standby promotion trigger files are removed at postmaster startup (Michael Paquier, Fujii Masao)

    This prevents unwanted promotion from occurring if these files appear in a database backup that is used to initialize a new standby server.

  • During postmaster shutdown, ensure that per-socket lock files are removed and listen sockets are closed before we remove the postmaster.pid file (Tom Lane)

    This avoids race-condition failures if an external script attempts to start a new postmaster as soon as pg_ctl stop returns.

  • Ensure that the postmaster does not exit until all its child processes are gone, even in an immediate shutdown (Tom Lane)

    Like the previous item, this avoids possible race conditions against a subsequently-started postmaster.

  • Fix postmaster's handling of a startup-process crash during crash recovery (Tom Lane)

    If, during a crash recovery cycle, the startup process crashes without having restored database consistency, we'd try to launch a new startup process, which typically would just crash again, leading to an infinite loop.

  • Make emergency autovacuuming for multixact wraparound more robust (Andres Freund)

  • Do not print a WARNING when an autovacuum worker is already gone when we attempt to signal it, and reduce log verbosity for such signals (Tom Lane)

  • Prevent autovacuum launcher from sleeping unduly long if the server clock is moved backwards a large amount (Álvaro Herrera)

  • Ensure that cleanup of a GIN index's pending-insertions list is interruptable by cancel requests (Jeff Janes)

  • Allow all-zeroes pages in GIN indexes to be reused (Heikki Linnakangas)

    Such a page might be left behind after a crash.

  • Fix handling of all-zeroes pages in SP-GiST indexes (Heikki Linnakangas)

    VACUUM attempted to recycle such pages, but did so in a way that wasn't crash-safe.

  • Fix off-by-one error that led to otherwise-harmless warnings about "apparent wraparound" in subtrans/multixact truncation (Thomas Munro)

  • Fix misreporting of CONTINUE and MOVE statement types in PL/pgSQL's error context messages (Pavel Stehule, Tom Lane)

  • Fix PL/Perl to handle non-ASCII error message texts correctly (Alex Hunsaker)

  • Fix PL/Python crash when returning the string representation of a record result (Tom Lane)

  • Fix some places in PL/Tcl that neglected to check for failure of malloc() calls (Michael Paquier, Álvaro Herrera)

  • In contrib/isn, fix output of ISBN-13 numbers that begin with 979 (Fabien Coelho)

    EANs beginning with 979 (but not 9790) are considered ISBNs, but they must be printed in the new 13-digit format, not the 10-digit format.

  • Improve contrib/pg_stat_statements' handling of query-text garbage collection (Peter Geoghegan)

    The external file containing query texts could bloat to very large sizes; once it got past 1GB attempts to trim it would fail, soon leading to situations where the file could not be read at all.

  • Improve contrib/postgres_fdw's handling of collation-related decisions (Tom Lane)

    The main user-visible effect is expected to be that comparisons involving varchar columns will be sent to the remote server for execution in more cases than before.

  • Improve libpq's handling of out-of-memory conditions (Michael Paquier, Heikki Linnakangas)

  • Fix memory leaks and missing out-of-memory checks in ecpg (Michael Paquier)

  • Fix psql's code for locale-aware formatting of numeric output (Tom Lane)

    The formatting code invoked by \pset numericlocale on did the wrong thing for some uncommon cases such as numbers with an exponent but no decimal point. It could also mangle already-localized output from the money data type.

  • Prevent crash in psql's \c command when there is no current connection (Noah Misch)

  • Make pg_dump handle inherited NOT VALID check constraints correctly (Tom Lane)

  • Fix selection of default zlib compression level in pg_dump's directory output format (Andrew Dunstan)

  • Ensure that temporary files created during a pg_dump run with tar-format output are not world-readable (Michael Paquier)

  • Fix pg_dump and pg_upgrade to support cases where the postgres or template1 database is in a non-default tablespace (Marti Raudsepp, Bruce Momjian)

  • Fix pg_dump to handle object privileges sanely when dumping from a server too old to have a particular privilege type (Tom Lane)

    When dumping data types from pre-9.2 servers, and when dumping functions or procedural languages from pre-7.3 servers, pg_dump would produce GRANT/REVOKE commands that revoked the owner's grantable privileges and instead granted all privileges to PUBLIC. Since the privileges involved are just USAGE and EXECUTE, this isn't a security problem, but it's certainly a surprising representation of the older systems' behavior. Fix it to leave the default privilege state alone in these cases.

  • Fix pg_dump to dump shell types (Tom Lane)

    Shell types (that is, not-yet-fully-defined types) aren't useful for much, but nonetheless pg_dump should dump them.

  • Fix assorted minor memory leaks in pg_dump and other client-side programs (Michael Paquier)

  • Fix pgbench's progress-report behavior when a query, or pgbench itself, gets stuck (Fabien Coelho)

  • Fix spinlock assembly code for Alpha hardware (Tom Lane)

  • Fix spinlock assembly code for PPC hardware to be compatible with AIX's native assembler (Tom Lane)

    Building with gcc didn't work if gcc had been configured to use the native assembler, which is becoming more common.

  • On AIX, test the -qlonglong compiler option rather than just assuming it's safe to use (Noah Misch)

  • On AIX, use -Wl,-brtllib link option to allow symbols to be resolved at runtime (Noah Misch)

    Perl relies on this ability in 5.8.0 and later.

  • Avoid use of inline functions when compiling with 32-bit xlc, due to compiler bugs (Noah Misch)

  • Use librt for sched_yield() when necessary, which it is on some Solaris versions (Oskari Saarenmaa)

  • Translate encoding UHC as Windows code page 949 (Noah Misch)

    This fixes presentation of non-ASCII log messages from processes that are not attached to any particular database, such as the postmaster.

  • On Windows, avoid failure when doing encoding conversion to UTF16 outside a transaction, such as for log messages (Noah Misch)

  • Fix postmaster startup failure due to not copying setlocale()'s return value (Noah Misch)

    This has been reported on Windows systems with the ANSI code page set to CP936 ("Chinese (Simplified, PRC)"), and may occur with other multibyte code pages.

  • Fix Windows install.bat script to handle target directory names that contain spaces (Heikki Linnakangas)

  • Make the numeric form of the PostgreSQL version number (e.g., 90405) readily available to extension Makefiles, as a variable named VERSION_NUM (Michael Paquier)

  • Update time zone data files to tzdata release 2015g for DST law changes in Cayman Islands, Fiji, Moldova, Morocco, Norfolk Island, North Korea, Turkey, and Uruguay. There is a new zone name America/Fort_Nelson for the Canadian Northern Rockies.

• ⇑ Upgrade to 9.5 released on 2016-01-07 - docs

  • Adjust operator precedence to match the SQL standard (Tom Lane)

    The precedence of <=, >= and <> has been reduced to match that of <, > and =. The precedence of IS tests (e.g., x IS NULL) has been reduced to be just below these six comparison operators. Also, multi-keyword operators beginning with NOT now have the precedence of their base operator (for example, NOT BETWEEN now has the same precedence as BETWEEN) whereas before they had inconsistent precedence, behaving like NOT with respect to their left operand but like their base operator with respect to their right operand. The new configuration parameter operator_precedence_warning can be enabled to warn about queries in which these precedence changes result in different parsing choices.

  • Change pg_ctl's default shutdown mode from smart to fast (Bruce Momjian)

    This means the default behavior will be to forcibly cancel existing database sessions, not simply wait for them to exit.

  • Use assignment cast behavior for data type conversions in PL/pgSQL assignments, rather than converting to and from text (Tom Lane)

    This change causes conversions of Booleans to strings to produce true or false, not t or f. Other type conversions may succeed in more cases than before; for example, assigning a numeric value 3.9 to an integer variable will now assign 4 rather than failing. If no assignment-grade cast is defined for the particular source and destination types, PL/pgSQL will fall back to its old I/O conversion behavior.

  • Allow characters in server command-line options to be escaped with a backslash (Andres Freund)

    Formerly, spaces in the options string always separated options, so there was no way to include a space in an option value. Including a backslash in an option value now requires writing \\.

  • Change the default value of the GSSAPI include_realm parameter to 1, so that by default the realm is not removed from a GSS or SSPI principal name (Stephen Frost)

  • Replace configuration parameter checkpoint_segments with min_wal_size and max_wal_size (Heikki Linnakangas)

    If you previously adjusted checkpoint_segments, the following formula will give you an approximately equivalent setting:

    max_wal_size = (3 * checkpoint_segments) * 16MB

    Note that the default setting for max_wal_size is much higher than the default checkpoint_segments used to be, so adjusting it might no longer be necessary.

  • Control the Linux OOM killer via new environment variables PG_OOM_ADJUST_FILE and PG_OOM_ADJUST_VALUE, instead of compile-time options LINUX_OOM_SCORE_ADJ and LINUX_OOM_ADJ (Gurjeet Singh)

  • Decommission server configuration parameter ssl_renegotiation_limit, which was deprecated in earlier releases (Andres Freund)

    While SSL renegotiation is a good idea in theory, it has caused enough bugs to be considered a net negative in practice, and it is due to be removed from future versions of the relevant standards. We have therefore removed support for it from PostgreSQL. The ssl_renegotiation_limit parameter still exists, but cannot be set to anything but zero (disabled). It's not documented anymore, either.

  • Remove server configuration parameter autocommit, which was already deprecated and non-operational (Tom Lane)

  • Remove the pg_authid catalog's rolcatupdate field, as it had no usefulness (Adam Brightwell)

  • The pg_stat_replication system view's sent field is now NULL, not zero, when it has no valid value (Magnus Hagander)

  • Allow json and jsonb array extraction operators to accept negative subscripts, which count from the end of JSON arrays (Peter Geoghegan, Andrew Dunstan)

    Previously, these operators returned NULL for negative subscripts.

  • Add Block Range Indexes (BRIN) (Álvaro Herrera)

    BRIN indexes store only summary data (such as minimum and maximum values) for ranges of heap blocks. They are therefore very compact and cheap to update; but if the data is naturally clustered, they can still provide substantial speedup of searches.

  • Allow queries to perform accurate distance filtering of bounding-box-indexed objects (polygons, circles) using GiST indexes (Alexander Korotkov, Heikki Linnakangas)

    Previously, to exploit such an index a subquery had to be used to select a large number of rows ordered by bounding-box distance, and the result then had to be filtered further with a more accurate distance calculation.

  • Allow GiST indexes to perform index-only scans (Anastasia Lubennikova, Heikki Linnakangas, Andreas Karlsson)

  • Add configuration parameter gin_pending_list_limit to control the size of GIN pending lists (Fujii Masao)

    This value can also be set on a per-index basis as an index storage parameter. Previously the pending-list size was controlled by work_mem, which was awkward because appropriate values for work_mem are often much too large for this purpose.

  • Issue a warning during the creation of hash indexes because they are not crash-safe (Bruce Momjian)

  • Improve the speed of sorting of varchar, text, and numeric fields via "abbreviated" keys (Peter Geoghegan, Andrew Gierth, Robert Haas)

  • Extend the infrastructure that allows sorting to be performed by inlined, non-SQL-callable comparison functions to cover CREATE INDEX, REINDEX, and CLUSTER (Peter Geoghegan)

  • Improve performance of hash joins (Tomas Vondra, Robert Haas)

  • Improve concurrency of shared buffer replacement (Robert Haas, Amit Kapila, Andres Freund)

  • Reduce the number of page locks and pins during index scans (Kevin Grittner)

    The primary benefit of this is to allow index vacuums to be blocked less often.

  • Make per-backend tracking of buffer pins more memory-efficient (Andres Freund)

  • Improve lock scalability (Andres Freund)

    This particularly addresses scalability problems when running on systems with multiple CPU sockets.

  • Allow the optimizer to remove unnecessary references to left-joined subqueries (David Rowley)

  • Allow pushdown of query restrictions into subqueries with window functions, where appropriate (David Rowley)

  • Allow a non-leakproof function to be pushed down into a security barrier view if the function does not receive any view output columns (Dean Rasheed)

  • Teach the planner to use statistics obtained from an expression index on a boolean-returning function, when a matching function call appears in WHERE (Tom Lane)

  • Make ANALYZE compute basic statistics (null fraction and average column width) even for columns whose data type lacks an equality function (Oleksandr Shulgin)

  • Speed up CRC (cyclic redundancy check) computations and switch to CRC-32C (Abhijit Menon-Sen, Heikki Linnakangas)

  • Improve bitmap index scan performance (Teodor Sigaev, Tom Lane)

  • Speed up CREATE INDEX by avoiding unnecessary memory copies (Robert Haas)

  • Increase the number of buffer mapping partitions (Amit Kapila, Andres Freund, Robert Haas)

    This improves performance for highly concurrent workloads.

  • Add per-table autovacuum logging control via new log_autovacuum_min_duration storage parameter (Michael Paquier)

  • Add new configuration parameter cluster_name (Thomas Munro)

    This string, typically set in postgresql.conf, allows clients to identify the cluster. This name also appears in the process title of all server processes, allowing for easier identification of processes belonging to the same cluster.

  • Prevent non-superusers from changing log_disconnections on connection startup (Fujii Masao)

  • Check "Subject Alternative Names" in SSL server certificates, if present (Alexey Klyukin)

    When they are present, this replaces checks against the certificate's "Common Name".

  • Add system view pg_stat_ssl to report SSL connection information (Magnus Hagander)

  • Add libpq functions to return SSL information in an implementation-independent way (Heikki Linnakangas)

    While PQgetssl() can still be used to call OpenSSL functions, it is now considered deprecated because future versions of libpq might support other SSL implementations. When possible, use the new functions PQsslAttribute(), PQsslAttributeNames(), and PQsslInUse() to obtain SSL information in an SSL-implementation-independent way.

  • Make libpq honor any OpenSSL thread callbacks (Jan Urbanski)

    Previously they were overwritten.

  • Replace configuration parameter checkpoint_segments with min_wal_size and max_wal_size (Heikki Linnakangas)

    This change allows the allocation of a large number of WAL files without keeping them after they are no longer needed. Therefore the default for max_wal_size has been set to 1GB, much larger than the old default for checkpoint_segments. Also note that standby servers perform restartpoints to try to limit their WAL space consumption to max_wal_size; previously they did not pay any attention to checkpoint_segments.

  • Control the Linux OOM killer via new environment variables PG_OOM_ADJUST_FILE and PG_OOM_ADJUST_VALUE (Gurjeet Singh)

    The previous OOM control infrastructure involved compile-time options LINUX_OOM_SCORE_ADJ and LINUX_OOM_ADJ, which are no longer supported. The new behavior is available in all builds.

  • Allow recording of transaction commit time stamps when configuration parameter track_commit_timestamp is enabled (Álvaro Herrera, Petr Jelínek)

    Time stamp information can be accessed using functions pg_xact_commit_timestamp() and pg_last_committed_xact().

  • Allow local_preload_libraries to be set by ALTER ROLE SET (Peter Eisentraut, Kyotaro Horiguchi)

  • Allow autovacuum workers to respond to configuration parameter changes during a run (Michael Paquier)

  • Make configuration parameter debug_assertions read-only (Andres Freund)

    This means that assertions can no longer be turned off if they were enabled at compile time, allowing for more efficient code optimization. This change also removes the postgres -A option.

  • Allow setting effective_io_concurrency on systems where it has no effect (Peter Eisentraut)

  • Add system view pg_file_settings to show the contents of the server's configuration files (Sawada Masahiko)

  • Add pending_restart to the system view pg_settings to indicate a change has been made but will not take effect until a database restart (Peter Eisentraut)

  • Allow ALTER SYSTEM values to be reset with ALTER SYSTEM RESET (Vik Fearing)

    This command removes the specified setting from postgresql.auto.conf.

  • Create mechanisms for tracking the progress of replication, including methods for identifying the origin of individual changes during logical replication (Andres Freund)

    This is helpful when implementing replication solutions.

  • Rework truncation of the multixact commit log to be properly WAL-logged (Andres Freund)

    This makes things substantially simpler and more robust.

  • Add recovery.conf parameter recovery_target_action to control post-recovery activity (Petr Jelínek)

    This replaces the old parameter pause_at_recovery_target.

  • Add new archive_mode value always to allow standbys to always archive received WAL files (Fujii Masao)

  • Add configuration parameter wal_retrieve_retry_interval to control WAL read retry after failure (Alexey Vasiliev, Michael Paquier)

    This is particularly helpful for warm standbys.

  • Allow compression of full-page images stored in WAL (Rahila Syed, Michael Paquier)

    This feature reduces WAL volume, at the cost of more CPU time spent on WAL logging and WAL replay. It is controlled by a new configuration parameter wal_compression, which currently is off by default.

  • Archive WAL files with suffix .partial during standby promotion (Heikki Linnakangas)

  • Add configuration parameter log_replication_commands to log replication commands (Fujii Masao)

    By default, replication commands, e.g. IDENTIFY_SYSTEM, are not logged, even when log_statement is set to all.

  • Report the processes holding replication slots in pg_replication_slots (Craig Ringer)

    The new output column is active_pid.

  • Allow recovery.conf's primary_conninfo setting to use connection URIs, e.g. postgres:// (Alexander Shulgin)

  • Allow INSERTs that would generate constraint conflicts to be turned into UPDATEs or ignored (Peter Geoghegan, Heikki Linnakangas, Andres Freund)

    The syntax is INSERT ... ON CONFLICT DO NOTHING/UPDATE. This is the Postgres implementation of the popular UPSERT command.

  • Add GROUP BY analysis features GROUPING SETS, CUBE and ROLLUP (Andrew Gierth, Atri Sharma)

  • Allow setting multiple target columns in an UPDATE from the result of a single sub-SELECT (Tom Lane)

    This is accomplished using the syntax UPDATE tab SET (col1, col2, ...) = (SELECT ...).

  • Add SELECT option SKIP LOCKED to skip locked rows (Thomas Munro)

    This does not throw an error for locked rows like NOWAIT does.

  • Add SELECT option TABLESAMPLE to return a subset of a table (Petr Jelínek)

    This feature supports the SQL-standard table sampling methods. In addition, there are provisions for user-defined table sampling methods.

  • Suggest possible matches for mistyped column names (Peter Geoghegan, Robert Haas)

  • Add more details about sort ordering in EXPLAIN output (Marius Timmer, Lukas Kreft, Arne Scheffer)

    Details include COLLATE, DESC, USING, and NULLS FIRST/LAST.

  • Make VACUUM log the number of pages skipped due to pins (Jim Nasby)

  • Make TRUNCATE properly update the pg_stat* tuple counters (Alexander Shulgin)

  • Allow REINDEX to reindex an entire schema using the SCHEMA option (Sawada Masahiko)

  • Add VERBOSE option to REINDEX (Sawada Masahiko)

  • Prevent REINDEX DATABASE and SCHEMA from outputting object names, unless VERBOSE is used (Simon Riggs)

  • Remove obsolete FORCE option from REINDEX (Fujii Masao)

  • Add row-level security control (Craig Ringer, KaiGai Kohei, Adam Brightwell, Dean Rasheed, Stephen Frost)

    This feature allows row-by-row control over which users can add, modify, or even see rows in a table. This is controlled by new commands CREATE/ALTER/DROP POLICY and ALTER TABLE ... ENABLE/DISABLE ROW SECURITY.

  • Allow changing of the WAL logging status of a table after creation with ALTER TABLE ... SET LOGGED / UNLOGGED (Fabrízio de Royes Mello)

  • Add IF NOT EXISTS clause to CREATE TABLE AS, CREATE INDEX, CREATE SEQUENCE, and CREATE MATERIALIZED VIEW (Fabrízio de Royes Mello)

  • Add support for IF EXISTS to ALTER TABLE ... RENAME CONSTRAINT (Bruce Momjian)

  • Allow some DDL commands to accept CURRENT_USER or SESSION_USER, meaning the current user or session user, in place of a specific user name (Kyotaro Horiguchi, Álvaro Herrera)

    This feature is now supported in ALTER USER, ALTER GROUP, ALTER ROLE, GRANT, and ALTER object OWNER TO commands.

  • Support comments on domain constraints (Álvaro Herrera)

  • Reduce lock levels of some create and alter trigger and foreign key commands (Simon Riggs, Andreas Karlsson)

  • Allow LOCK TABLE ... ROW EXCLUSIVE MODE for those with INSERT privileges on the target table (Stephen Frost)

    Previously this command required UPDATE, DELETE, or TRUNCATE privileges.

  • Apply table and domain CHECK constraints in order by name (Tom Lane)

    The previous ordering was indeterminate.

  • Allow CREATE/ALTER DATABASE to manipulate datistemplate and datallowconn (Vik Fearing)

    This allows these per-database settings to be changed without manually modifying the pg_database system catalog.

  • Add support for IMPORT FOREIGN SCHEMA (Ronan Dunklau, Michael Paquier, Tom Lane)

    This command allows automatic creation of local foreign tables that match the structure of existing tables on a remote server.

  • Allow CHECK constraints to be placed on foreign tables (Shigeru Hanada, Etsuro Fujita)

    Such constraints are assumed to be enforced on the remote server, and are not enforced locally. However, they are assumed to hold for purposes of query optimization, such as constraint exclusion.

  • Allow foreign tables to participate in inheritance (Shigeru Hanada, Etsuro Fujita)

    To let this work naturally, foreign tables are now allowed to have check constraints marked as not valid, and to set storage and OID characteristics, even though these operations are effectively no-ops for a foreign table.

  • Allow foreign data wrappers and custom scans to implement join pushdown (KaiGai Kohei)

  • Whenever a ddl_command_end event trigger is installed, capture details of DDL activity for it to inspect (Álvaro Herrera)

    This information is available through a set-returning function pg_event_trigger_ddl_commands(), or by inspection of C data structures if that function doesn't provide enough detail.

  • Allow event triggers on table rewrites caused by ALTER TABLE (Dimitri Fontaine)

  • Add event trigger support for database-level COMMENT, SECURITY LABEL, and GRANT/REVOKE (Álvaro Herrera)

  • Add columns to the output of pg_event_trigger_dropped_objects (Álvaro Herrera)

    This allows simpler processing of delete operations.

  • Allow the xml data type to accept empty or all-whitespace content values (Peter Eisentraut)

    This is required by the SQL/XML specification.

  • Allow macaddr input using the format xxxx-xxxx-xxxx (Herwin Weststrate)

  • Disallow non-SQL-standard syntax for interval with both precision and field specifications (Bruce Momjian)

    Per the standard, such type specifications should be written as, for example, INTERVAL MINUTE TO SECOND(2). PostgreSQL formerly allowed this to be written as INTERVAL(2) MINUTE TO SECOND, but it must now be written in the standard way.

  • Add selectivity estimators for inet/cidr operators and improve estimators for text search functions (Emre Hasegeli, Tom Lane)

  • Add data types regrole and regnamespace to simplify entering and pretty-printing the OID of a role or namespace (Kyotaro Horiguchi)

  • Add jsonb functions jsonb_set() and jsonb_pretty() (Dmitry Dolgov, Andrew Dunstan, Petr Jelínek)

  • Add jsonb generator functions to_jsonb(), jsonb_object(), jsonb_build_object(), jsonb_build_array(), jsonb_agg(), and jsonb_object_agg() (Andrew Dunstan)

    Equivalent functions already existed for type json.

  • Reduce casting requirements to/from json and jsonb (Tom Lane)

  • Allow text, text array, and integer values to be subtracted from jsonb documents (Dmitry Dolgov, Andrew Dunstan)

  • Add jsonb || operator (Dmitry Dolgov, Andrew Dunstan)

  • Add json_strip_nulls() and jsonb_strip_nulls() functions to remove JSON null values from documents (Andrew Dunstan)

  • Add generate_series() for numeric values (Plato Malugin)

  • Allow array_agg() and ARRAY() to take arrays as inputs (Ali Akbar, Tom Lane)

  • Add functions array_position() and array_positions() to return subscripts of array values (Pavel Stehule)

  • Add a point-to-polygon distance operator <-> (Alexander Korotkov)

  • Allow multibyte characters as escapes in SIMILAR TO and SUBSTRING (Jeff Davis)

    Previously, only a single-byte character was allowed as an escape.

  • Add a width_bucket() variant that supports any sortable data type and non-uniform bucket widths (Petr Jelínek)

  • Add an optional missing_ok argument to pg_read_file() and related functions (Michael Paquier, Heikki Linnakangas)

  • Allow => to specify named parameters in function calls (Pavel Stehule)

    Previously only := could be used. This requires removing the possibility for => to be a user-defined operator. Creation of user-defined => operators has been issuing warnings since PostgreSQL 9.0.

  • Add POSIX-compliant rounding for platforms that use PostgreSQL-supplied rounding functions (Pedro Gimeno Fortea)

  • Add function pg_get_object_address() to return OIDs that uniquely identify an object, and function pg_identify_object_as_address() to return object information based on OIDs (Álvaro Herrera)

  • Loosen security checks for viewing queries in pg_stat_activity, executing pg_cancel_backend(), and executing pg_terminate_backend() (Stephen Frost)

    Previously, only the specific role owning the target session could perform these operations; now membership in that role is sufficient.

  • Add pg_stat_get_snapshot_timestamp() to output the time stamp of the statistics snapshot (Matt Kelly)

    This represents the last time the snapshot file was written to the file system.

  • Add mxid_age() to compute multi-xid age (Bruce Momjian)

  • Add min()/max() aggregates for inet/cidr data types (Haribabu Kommi)

  • Use 128-bit integers, where supported, as accumulators for some aggregate functions (Andreas Karlsson)

  • Improve support for composite types in PL/Python (Ed Behn, Ronan Dunklau)

    This allows PL/Python functions to return arrays of composite types.

  • Reduce lossiness of PL/Python floating-point value conversions (Marko Kreen)

  • Allow specification of conversion routines between SQL data types and data types of procedural languages (Peter Eisentraut)

    This change adds new commands CREATE/DROP TRANSFORM. This also adds optional transformations between the hstore and ltree types to/from PL/Perl and PL/Python.

  • Improve PL/pgSQL array performance (Tom Lane)

  • Add an ASSERT statement in PL/pgSQL (Pavel Stehule)

  • Allow more PL/pgSQL keywords to be used as identifiers (Tom Lane)

  • Move pg_archivecleanup, pg_test_fsync, pg_test_timing, and pg_xlogdump from contrib to src/bin (Peter Eisentraut)

    This should result in these programs being installed by default in most installations.

  • Add pg_rewind, which allows re-synchronizing a master server after failback (Heikki Linnakangas)

  • Allow pg_receivexlog to manage physical replication slots (Michael Paquier)

    This is controlled via new --create-slot and --drop-slot options.

  • Allow pg_receivexlog to synchronously flush WAL to storage using new --synchronous option (Furuya Osamu, Fujii Masao)

    Without this, WAL files are fsync'ed only on close.

  • Allow vacuumdb to vacuum in parallel using new --jobs option (Dilip Kumar)

  • In vacuumdb, do not prompt for the same password repeatedly when multiple connections are necessary (Haribabu Kommi, Michael Paquier)

  • Add --verbose option to reindexdb (Sawada Masahiko)

  • Make pg_basebackup use a tablespace mapping file when using tar format, to support symbolic links and file paths of 100+ characters in length on MS Windows (Amit Kapila)

  • Add pg_xlogdump option --stats to display summary statistics (Abhijit Menon-Sen)

  • Allow psql to produce AsciiDoc output (Szymon Guz)

  • Add an errors mode that displays only failed commands to psql's ECHO variable (Pavel Stehule)

    This behavior can also be selected with psql's -b option.

  • Provide separate column, header, and border linestyle control in psql's unicode linestyle (Pavel Stehule)

    Single or double lines are supported; the default is single.

  • Add new option %l in psql's PROMPT variables to display the current multiline statement line number (Sawada Masahiko)

  • Add \pset option pager_min_lines to control pager invocation (Andrew Dunstan)

  • Improve psql line counting used when deciding to invoke the pager (Andrew Dunstan)

  • psql now fails if the file specified by an --output or --log-file switch cannot be written (Tom Lane, Daniel Vérité)

    Previously, it effectively ignored the switch in such cases.

  • Add psql tab completion when setting the search_path variable (Jeff Janes)

    Currently only the first schema can be tab-completed.

  • Improve psql's tab completion for triggers and rules (Andreas Karlsson)

  • Add psql \? help sections variables and options (Pavel Stehule)

    \? variables shows psql's special variables and \? options shows the command-line options. \? commands shows the meta-commands, which is the traditional output and remains the default. These help displays can also be obtained with the command-line option --help=section.

  • Show tablespace size in psql's \db+ (Fabrízio de Royes Mello)

  • Show data type owners in psql's \dT+ (Magnus Hagander)

  • Allow psql's \watch to output \timing information (Fujii Masao)

    Also prevent --echo-hidden from echoing \watch queries, since that is generally unwanted.

  • Make psql's \sf and \ef commands honor ECHO_HIDDEN (Andrew Dunstan)

  • Improve psql tab completion for \set, \unset, and :variable names (Pavel Stehule)

  • Allow tab completion of role names in psql \c commands (Ian Barwick)

  • Allow pg_dump to share a snapshot taken by another session using --snapshot (Simon Riggs, Michael Paquier)

    The remote snapshot must have been exported by pg_export_snapshot() or logical replication slot creation. This can be used to share a consistent snapshot across multiple pg_dump processes.

  • Support table sizes exceeding 8GB in tar archive format (Tom Lane)

    The POSIX standard for tar format does not allow elements of a tar archive to exceed 8GB, but most modern implementations of tar support an extension that does allow it. Use the extension format when necessary, rather than failing.

  • Make pg_dump always print the server and pg_dump versions (Jing Wang)

    Previously, version information was only printed in --verbose mode.

  • Remove the long-ignored -i/--ignore-version option from pg_dump, pg_dumpall, and pg_restore (Fujii Masao)

  • Support multiple pg_ctl -o options, concatenating their values (Bruce Momjian)

  • Allow control of pg_ctl's event source logging on MS Windows (MauMau)

    This only controls pg_ctl, not the server, which has separate settings in postgresql.conf.

  • If the server's listen address is set to a wildcard value (0.0.0.0 in IPv4 or :: in IPv6), connect via the loopback address rather than trying to use the wildcard address literally (Kondo Yuta)

    This fix primarily affects Windows, since on other platforms pg_ctl will prefer to use a Unix-domain socket.

  • Move pg_upgrade from contrib to src/bin (Peter Eisentraut)

    In connection with this change, the functionality previously provided by the pg_upgrade_support module has been moved into the core server.

  • Support multiple pg_upgrade -o/-O options, concatenating their values (Bruce Momjian)

  • Improve database collation comparisons in pg_upgrade (Heikki Linnakangas)

  • Remove support for upgrading from 8.3 clusters (Bruce Momjian)

  • Move pgbench from contrib to src/bin (Peter Eisentraut)

  • Fix calculation of TPS number "excluding connections establishing" (Tatsuo Ishii, Fabien Coelho)

    The overhead for connection establishment was miscalculated whenever the number of pgbench threads was less than the number of client connections. Although this is clearly a bug, we won't back-patch it into pre-9.5 branches since it makes TPS numbers not comparable to previous results.

  • Allow counting of pgbench transactions that take over a specified amount of time (Fabien Coelho)

    This is controlled by a new --latency-limit option.

  • Allow pgbench to generate Gaussian/exponential distributions using \setrandom (Kondo Mitsumasa, Fabien Coelho)

  • Allow pgbench's \set command to handle arithmetic expressions containing more than one operator, and add % (modulo) to the set of operators it supports (Robert Haas, Fabien Coelho)

  • Simplify WAL record format (Heikki Linnakangas)

    This allows external tools to more easily track what blocks are modified.

  • Improve the representation of transaction commit and abort WAL records (Andres Freund)

  • Add atomic memory operations API (Andres Freund)

  • Allow custom path and scan methods (KaiGai Kohei, Tom Lane)

    This allows extensions greater control over the optimizer and executor.

  • Allow foreign data wrappers to do post-filter locking (Etsuro Fujita)

  • Foreign tables can now take part in INSERT ... ON CONFLICT DO NOTHING queries (Peter Geoghegan, Heikki Linnakangas, Andres Freund)

    Foreign data wrappers must be modified to handle this. INSERT ... ON CONFLICT DO UPDATE is not supported on foreign tables.

  • Improve hash_create()'s API for selecting simple-binary-key hash functions (Teodor Sigaev, Tom Lane)

  • Improve parallel execution infrastructure (Robert Haas, Amit Kapila, Noah Misch, Rushabh Lathia, Jeevan Chalke)

  • Remove Alpha (CPU) and Tru64 (OS) ports (Andres Freund)

  • Remove swap-byte-based spinlock implementation for ARMv5 and earlier CPUs (Robert Haas)

    ARMv5's weak memory ordering made this locking implementation unsafe. Spinlock support is still possible on newer gcc implementations with atomics support.

  • Generate an error when excessively long (100+ character) file paths are written to tar files (Peter Eisentraut)

    Tar does not support such overly-long paths.

  • Change index operator class for columns pg_seclabel.provider and pg_shseclabel.provider to be text_pattern_ops (Tom Lane)

    This avoids possible problems with these indexes when different databases of a cluster have different default collations.

  • Change the spinlock primitives to function as compiler barriers (Robert Haas)

  • Allow higher-precision time stamp resolution on Windows 8, Windows Server 2012, and later Windows systems (Craig Ringer)

  • Install shared libraries to bin in MS Windows (Peter Eisentraut, Michael Paquier)

  • Install src/test/modules together with contrib on MSVC builds (Michael Paquier)

  • Allow configure's --with-extra-version option to be honored by the MSVC build (Michael Paquier)

  • Pass PGFILEDESC into MSVC contrib builds (Michael Paquier)

  • Add icons to all MSVC-built binaries and version information to all MS Windows binaries (Noah Misch)

    MinGW already had such icons.

  • Add optional-argument support to the internal getopt_long() implementation (Michael Paquier, Andres Freund)

    This is used by the MSVC build.

  • Add statistics for minimum, maximum, mean, and standard deviation times to pg_stat_statements (Mitsumasa Kondo, Andrew Dunstan)

  • Add pgcrypto function pgp_armor_headers() to extract PGP armor headers (Marko Tiikkaja, Heikki Linnakangas)

  • Allow empty replacement strings in unaccent (Mohammad Alhashash)

    This is useful in languages where diacritic signs are represented as separate characters.

  • Allow multicharacter source strings in unaccent (Tom Lane)

    This could be useful in languages where diacritic signs are represented as separate characters. It also allows more complex unaccent dictionaries.

  • Add contrib modules tsm_system_rows and tsm_system_time to allow additional table sampling methods (Petr Jelínek)

  • Add GIN index inspection functions to pageinspect (Heikki Linnakangas, Peter Geoghegan, Michael Paquier)

  • Add information about buffer pins to pg_buffercache display (Andres Freund)

  • Allow pgstattuple to report approximate answers with less overhead using pgstattuple_approx() (Abhijit Menon-Sen)

  • Move dummy_seclabel, test_shm_mq, test_parser, and worker_spi from contrib to src/test/modules (Álvaro Herrera)

    These modules are only meant for server testing, so they do not need to be built or installed when packaging PostgreSQL.

• ⇑ Upgrade to 9.5.1 released on 2016-02-11 - docs

  • Fix infinite loops and buffer-overrun problems in regular expressions (Tom Lane)

    Very large character ranges in bracket expressions could cause infinite loops in some cases, and memory overwrites in other cases. (CVE-2016-0773)

  • Fix an oversight that caused hash joins to miss joining to some tuples of the inner relation in rare cases (Tomas Vondra, Tom Lane)

  • Avoid pushdown of HAVING clauses when grouping sets are used (Andrew Gierth)

  • Fix deparsing of ON CONFLICT arbiter WHERE clauses (Peter Geoghegan)

  • Make %h and %r escapes in log_line_prefix work for messages emitted due to log_connections (Tom Lane)

    Previously, %h/%r started to work just after a new session had emitted the "connection received" log message; now they work for that message too.

  • Avoid leaking a token handle during SSPI authentication (Christian Ullrich)

  • Fix psql's \det command to interpret its pattern argument the same way as other \d commands with potentially schema-qualified patterns do (Reece Hart)

  • In pg_ctl on Windows, check service status to decide where to send output, rather than checking if standard output is a terminal (Michael Paquier)

  • Fix assorted corner-case bugs in pg_dump's processing of extension member objects (Tom Lane)

  • Fix improper quoting of domain constraint names in pg_dump (Elvis Pranskevichus)

  • Make pg_dump mark a view's triggers as needing to be processed after its rule, to prevent possible failure during parallel pg_restore (Tom Lane)

  • Install guards in pgbench against corner-case overflow conditions during evaluation of script-specified division or modulo operators (Fabien Coelho, Michael Paquier)

  • Suppress useless warning message when pg_receivexlog connects to a pre-9.4 server (Marco Nenciarini)

  • Avoid dump/reload problems when using both plpython2 and plpython3 (Tom Lane)

    In principle, both versions of PL/Python can be used in the same database, though not in the same session (because the two versions of libpython cannot safely be used concurrently). However, pg_restore and pg_upgrade both do things that can fall foul of the same-session restriction. Work around that by changing the timing of the check.

  • Fix PL/Python regression tests to pass with Python 3.5 (Peter Eisentraut)

  • Prevent certain PL/Java parameters from being set by non-superusers (Noah Misch)

    This change mitigates a PL/Java security bug (CVE-2016-0766), which was fixed in PL/Java by marking these parameters as superuser-only. To fix the security hazard for sites that update PostgreSQL more frequently than PL/Java, make the core code aware of them also.

  • Fix ecpg-supplied header files to not contain comments continued from a preprocessor directive line onto the next line (Michael Meskes)

    Such a comment is rejected by ecpg. It's not yet clear whether ecpg itself should be changed.

  • Fix hstore_to_json_loose()'s test for whether an hstore value can be converted to a JSON number (Tom Lane)

    Previously this function could be fooled by non-alphanumeric trailing characters, leading to emitting syntactically-invalid JSON.

  • In contrib/postgres_fdw, fix bugs triggered by use of tableoid in data-modifying commands (Etsuro Fujita, Robert Haas)

  • Fix ill-advised restriction of NAMEDATALEN to be less than 256 (Robert Haas, Tom Lane)

  • Improve reproducibility of build output by ensuring filenames are given to the linker in a fixed order (Christoph Berg)

    This avoids possible bitwise differences in the produced executable files from one build to the next.

  • Ensure that dynloader.h is included in the installed header files in MSVC builds (Bruce Momjian, Michael Paquier)

  • Update time zone data files to tzdata release 2016a for DST law changes in Cayman Islands, Metlakatla, and Trans-Baikal Territory (Zabaykalsky Krai), plus historical corrections for Pakistan.

• ⇑ Upgrade to 9.5.2 released on 2016-03-31 - docs

  • Disable abbreviated keys for string sorting in non-C locales (Robert Haas)

    PostgreSQL 9.5 introduced logic for speeding up comparisons of string data types by using the standard C library function strxfrm() as a substitute for strcoll(). It now emerges that most versions of glibc (Linux's implementation of the C library) have buggy implementations of strxfrm() that, in some locales, can produce string comparison results that do not match strcoll(). Until this problem can be better characterized, disable the optimization in all non-C locales. (C locale is safe since it uses neither strcoll() nor strxfrm().)

    Unfortunately, this problem affects not only sorting but also entry ordering in B-tree indexes, which means that B-tree indexes on text, varchar, or char columns may now be corrupt if they sort according to an affected locale and were built or modified under PostgreSQL 9.5.0 or 9.5.1. Users should REINDEX indexes that might be affected.

    It is not possible at this time to give an exhaustive list of known-affected locales. C locale is known safe, and there is no evidence of trouble in English-based locales such as en_US, but some other popular locales such as de_DE are affected in most glibc versions.

  • Maintain row-security status properly in cached plans (Stephen Frost)

    In a session that performs queries as more than one role, the plan cache might incorrectly re-use a plan that was generated for another role ID, thus possibly applying the wrong set of policies when row-level security (RLS) is in use. (CVE-2016-2193)

  • Add must-be-superuser checks to some new contrib/pageinspect functions (Andreas Seltenreich)

    Most functions in the pageinspect extension that inspect bytea values disallow calls by non-superusers, but brin_page_type() and brin_metapage_info() failed to do so. Passing contrived bytea values to them might crash the server or disclose a few bytes of server memory. Add the missing permissions checks to prevent misuse. (CVE-2016-3065)

  • Fix incorrect handling of indexed ROW() comparisons (Simon Riggs)

    Flaws in a minor optimization introduced in 9.5 caused incorrect results if the ROW() comparison matches the index ordering partially but not exactly (for example, differing column order, or the index contains both ASC and DESC columns). Pending a better solution, the optimization has been removed.

  • Fix incorrect handling of NULL index entries in indexed ROW() comparisons (Tom Lane)

    An index search using a row comparison such as ROW(a, b) > ROW('x', 'y') would stop upon reaching a NULL entry in the b column, ignoring the fact that there might be non-NULL b values associated with later values of a.

  • Avoid unlikely data-loss scenarios due to renaming files without adequate fsync() calls before and after (Michael Paquier, Tomas Vondra, Andres Freund)

  • Fix incorrect behavior when rechecking a just-modified row in a query that does SELECT FOR UPDATE/SHARE and contains some relations that need not be locked (Tom Lane)

    Rows from non-locked relations were incorrectly treated as containing all NULLs during the recheck, which could result in incorrectly deciding that the updated row no longer passes the WHERE condition, or in incorrectly outputting NULLs.

  • Fix bug in json_to_record() when a field of its input object contains a sub-object with a field name matching one of the requested output column names (Tom Lane)

  • Fix nonsense result from two-argument form of jsonb_object() when called with empty arrays (Michael Paquier, Andrew Dunstan)

  • Fix misbehavior in jsonb_set() when converting a path array element into an integer for use as an array subscript (Michael Paquier)

  • Fix misformatting of negative time zone offsets by to_char()'s OF format code (Thomas Munro, Tom Lane)

  • Fix possible incorrect logging of waits done by INSERT ... ON CONFLICT (Peter Geoghegan)

    Log messages would sometimes claim that the wait was due to an exclusion constraint although no such constraint was responsible.

  • Ignore recovery_min_apply_delay parameter until recovery has reached a consistent state (Michael Paquier)

    Previously, standby servers would delay application of WAL records in response to recovery_min_apply_delay even while replaying the initial portion of WAL needed to make their database state valid. Since the standby is useless until it's reached a consistent database state, this was deemed unhelpful.

  • Correctly handle cases where pg_subtrans is close to XID wraparound during server startup (Jeff Janes)

  • Fix assorted bugs in logical decoding (Andres Freund)

    Trouble cases included tuples larger than one page when replica identity is FULL, UPDATEs that change a primary key within a transaction large enough to be spooled to disk, incorrect reports of "subxact logged without previous toplevel record", and incorrect reporting of a transaction's commit time.

  • Fix planner error with nested security barrier views when the outer view has a WHERE clause containing a correlated subquery (Dean Rasheed)

  • Fix memory leak in GIN index searches (Tom Lane)

  • Fix corner-case crash due to trying to free localeconv() output strings more than once (Tom Lane)

  • Fix parsing of affix files for ispell dictionaries (Tom Lane)

    The code could go wrong if the affix file contained any characters whose byte length changes during case-folding, for example I in Turkish UTF8 locales.

  • Avoid use of sscanf() to parse ispell dictionary files (Artur Zakirov)

    This dodges a portability problem on FreeBSD-derived platforms (including macOS).

  • Fix atomic-operations code used on PPC with IBM's xlc compiler (Noah Misch)

    This error led to rare failures of concurrent operations on that platform.

  • Avoid a crash on old Windows versions (before 7SP1/2008R2SP1) with an AVX2-capable CPU and a Postgres build done with Visual Studio 2013 (Christian Ullrich)

    This is a workaround for a bug in Visual Studio 2013's runtime library, which Microsoft have stated they will not fix in that version.

  • Fix psql's tab completion logic to handle multibyte characters properly (Kyotaro Horiguchi, Robert Haas)

  • Fix psql's tab completion for SECURITY LABEL (Tom Lane)

    Pressing TAB after SECURITY LABEL might cause a crash or offering of inappropriate keywords.

  • Make pg_ctl accept a wait timeout from the PGCTLTIMEOUT environment variable, if none is specified on the command line (Noah Misch)

    This eases testing of slower buildfarm members by allowing them to globally specify a longer-than-normal timeout for postmaster startup and shutdown.

  • Fix incorrect test for Windows service status in pg_ctl (Manuel Mathar)

    The previous set of minor releases attempted to fix pg_ctl to properly determine whether to send log messages to Window's Event Log, but got the test backwards.

  • Fix pgbench to correctly handle the combination of -C and -M prepared options (Tom Lane)

  • In pg_upgrade, skip creating a deletion script when the new data directory is inside the old data directory (Bruce Momjian)

    Blind application of the script in such cases would result in loss of the new data directory.

  • In PL/Perl, properly translate empty Postgres arrays into empty Perl arrays (Alex Hunsaker)

  • Make PL/Python cope with function names that aren't valid Python identifiers (Jim Nasby)

  • Fix multiple mistakes in the statistics returned by contrib/pgstattuple's pgstatindex() function (Tom Lane)

  • Remove dependency on psed in MSVC builds, since it's no longer provided by core Perl (Michael Paquier, Andrew Dunstan)

  • Update time zone data files to tzdata release 2016c for DST law changes in Azerbaijan, Chile, Haiti, Palestine, and Russia (Altai, Astrakhan, Kirov, Sakhalin, Ulyanovsk regions), plus historical corrections for Lithuania, Moldova, and Russia (Kaliningrad, Samara, Volgograd).

• ⇑ Upgrade to 9.5.3 released on 2016-05-12 - docs

  • Clear the OpenSSL error queue before OpenSSL calls, rather than assuming it's clear already; and make sure we leave it clear afterwards (Peter Geoghegan, Dave Vitek, Peter Eisentraut)

    This change prevents problems when there are multiple connections using OpenSSL within a single process and not all the code involved follows the same rules for when to clear the error queue. Failures have been reported specifically when a client application uses SSL connections in libpq concurrently with SSL connections using the PHP, Python, or Ruby wrappers for OpenSSL. It's possible for similar problems to arise within the server as well, if an extension module establishes an outgoing SSL connection.

  • Fix "failed to build any N-way joins" planner error with a full join enclosed in the right-hand side of a left join (Tom Lane)

  • Fix incorrect handling of equivalence-class tests in multilevel nestloop plans (Tom Lane)

    Given a three-or-more-way equivalence class of variables, such as X.X = Y.Y = Z.Z, it was possible for the planner to omit some of the tests needed to enforce that all the variables are actually equal, leading to join rows being output that didn't satisfy the WHERE clauses. For various reasons, erroneous plans were seldom selected in practice, so that this bug has gone undetected for a long time.

  • Fix corner-case parser failures occurring when operator_precedence_warning is turned on (Tom Lane)

    An example is that SELECT (ARRAY[])::text[] gave an error, though it worked without the parentheses.

  • Fix query-lifespan memory leak in GIN index scans (Julien Rouhaud)

  • Fix query-lifespan memory leak and potential index corruption hazard in GIN index insertion (Tom Lane)

    The memory leak would typically not amount to much in simple queries, but it could be very substantial during a large GIN index build with high maintenance_work_mem.

  • Fix possible misbehavior of TH, th, and Y,YYY format codes in to_timestamp() (Tom Lane)

    These could advance off the end of the input string, causing subsequent format codes to read garbage.

  • Fix dumping of rules and views in which the array argument of a value operator ANY (array) construct is a sub-SELECT (Tom Lane)

  • Disallow newlines in ALTER SYSTEM parameter values (Tom Lane)

    The configuration-file parser doesn't support embedded newlines in string literals, so we mustn't allow them in values to be inserted by ALTER SYSTEM.

  • Fix ALTER TABLE ... REPLICA IDENTITY USING INDEX to work properly if an index on OID is selected (David Rowley)

  • Avoid possible misbehavior after failing to remove a tablespace symlink (Tom Lane)

  • Fix crash in logical decoding on alignment-picky platforms (Tom Lane, Andres Freund)

    The failure occurred only with a transaction large enough to spill to disk and a primary-key change within that transaction.

  • Avoid repeated requests for feedback from receiver while shutting down walsender (Nick Cleaton)

  • Make pg_regress use a startup timeout from the PGCTLTIMEOUT environment variable, if that's set (Tom Lane)

    This is for consistency with a behavior recently added to pg_ctl; it eases automated testing on slow machines.

  • Fix pg_upgrade to correctly restore extension membership for operator families containing only one operator class (Tom Lane)

    In such a case, the operator family was restored into the new database, but it was no longer marked as part of the extension. This had no immediate ill effects, but would cause later pg_dump runs to emit output that would cause (harmless) errors on restore.

  • Fix pg_upgrade to not fail when new-cluster TOAST rules differ from old (Tom Lane)

    pg_upgrade had special-case code to handle the situation where the new PostgreSQL version thinks that a table should have a TOAST table while the old version did not. That code was broken, so remove it, and instead do nothing in such cases; there seems no reason to believe that we can't get along fine without a TOAST table if that was okay according to the old version's rules.

  • Fix atomic operations for PPC when using IBM's XLC compiler (Noah Misch)

  • Reduce the number of SysV semaphores used by a build configured with --disable-spinlocks (Tom Lane)

  • Rename internal function strtoi() to strtoint() to avoid conflict with a NetBSD library function (Thomas Munro)

  • Fix reporting of errors from bind() and listen() system calls on Windows (Tom Lane)

  • Reduce verbosity of compiler output when building with Microsoft Visual Studio (Christian Ullrich)

  • Support building with Visual Studio 2015 (Michael Paquier, Petr Jelínek)

    Note that builds made with VS2015 will not run on Windows versions before Windows Vista.

  • Fix putenv() to work properly with Visual Studio 2013 (Michael Paquier)

  • Avoid possibly-unsafe use of Windows' FormatMessage() function (Christian Ullrich)

    Use the FORMAT_MESSAGE_IGNORE_INSERTS flag where appropriate. No live bug is known to exist here, but it seems like a good idea to be careful.

  • Update time zone data files to tzdata release 2016d for DST law changes in Russia and Venezuela. There are new zone names Europe/Kirov and Asia/Tomsk to reflect the fact that these regions now have different time zone histories from adjacent regions.

• ⇑ Upgrade to 9.5.4 released on 2016-08-11 - docs

  • Fix possible mis-evaluation of nested CASE-WHEN expressions (Heikki Linnakangas, Michael Paquier, Tom Lane)

    A CASE expression appearing within the test value subexpression of another CASE could become confused about whether its own test value was null or not. Also, inlining of a SQL function implementing the equality operator used by a CASE expression could result in passing the wrong test value to functions called within a CASE expression in the SQL function's body. If the test values were of different data types, a crash might result; moreover such situations could be abused to allow disclosure of portions of server memory. (CVE-2016-5423)

  • Fix client programs' handling of special characters in database and role names (Noah Misch, Nathan Bossart, Michael Paquier)

    Numerous places in vacuumdb and other client programs could become confused by database and role names containing double quotes or backslashes. Tighten up quoting rules to make that safe. Also, ensure that when a conninfo string is used as a database name parameter to these programs, it is correctly treated as such throughout.

    Fix handling of paired double quotes in psql's \connect and \password commands to match the documentation.

    Introduce a new -reuse-previous option in psql's \connect command to allow explicit control of whether to re-use connection parameters from a previous connection. (Without this, the choice is based on whether the database name looks like a conninfo string, as before.) This allows secure handling of database names containing special characters in pg_dumpall scripts.

    pg_dumpall now refuses to deal with database and role names containing carriage returns or newlines, as it seems impractical to quote those characters safely on Windows. In future we may reject such names on the server side, but that step has not been taken yet.

    These are considered security fixes because crafted object names containing special characters could have been used to execute commands with superuser privileges the next time a superuser executes pg_dumpall or other routine maintenance operations. (CVE-2016-5424)

  • Fix corner-case misbehaviors for IS NULL/IS NOT NULL applied to nested composite values (Andrew Gierth, Tom Lane)

    The SQL standard specifies that IS NULL should return TRUE for a row of all null values (thus ROW(NULL,NULL) IS NULL yields TRUE), but this is not meant to apply recursively (thus ROW(NULL, ROW(NULL,NULL)) IS NULL yields FALSE). The core executor got this right, but certain planner optimizations treated the test as recursive (thus producing TRUE in both cases), and contrib/postgres_fdw could produce remote queries that misbehaved similarly.

  • Fix "unrecognized node type" error for INSERT ... ON CONFLICT within a recursive CTE (a WITH item) (Peter Geoghegan)

  • Fix INSERT ... ON CONFLICT to successfully match index expressions or index predicates that are simplified during the planner's expression preprocessing phase (Tom Lane)

  • Correctly handle violations of exclusion constraints that apply to the target table of an INSERT ... ON CONFLICT command, but are not one of the selected arbiter indexes (Tom Lane)

    Such a case should raise a normal constraint-violation error, but it got into an infinite loop instead.

  • Fix INSERT ... ON CONFLICT to not fail if the target table has a unique index on OID (Tom Lane)

  • Make the inet and cidr data types properly reject IPv6 addresses with too many colon-separated fields (Tom Lane)

  • Prevent crash in close_ps() (the point ## lseg operator) for NaN input coordinates (Tom Lane)

    Make it return NULL instead of crashing.

  • Avoid possible crash in pg_get_expr() when inconsistent values are passed to it (Michael Paquier, Thomas Munro)

  • Fix several one-byte buffer over-reads in to_number() (Peter Eisentraut)

    In several cases the to_number() function would read one more character than it should from the input string. There is a small chance of a crash, if the input happens to be adjacent to the end of memory.

  • Do not run the planner on the query contained in CREATE MATERIALIZED VIEW or CREATE TABLE AS when WITH NO DATA is specified (Michael Paquier, Tom Lane)

    This avoids some unnecessary failure conditions, for example if a stable function invoked by the materialized view depends on a table that doesn't exist yet.

  • Avoid unsafe intermediate state during expensive paths through heap_update() (Masahiko Sawada, Andres Freund)

    Previously, these cases locked the target tuple (by setting its XMAX) but did not WAL-log that action, thus risking data integrity problems if the page were spilled to disk and then a database crash occurred before the tuple update could be completed.

  • Fix hint bit update during WAL replay of row locking operations (Andres Freund)

    The only known consequence of this problem is that row locks held by a prepared, but uncommitted, transaction might fail to be enforced after a crash and restart.

  • Avoid unnecessary "could not serialize access" errors when acquiring FOR KEY SHARE row locks in serializable mode (Álvaro Herrera)

  • Make sure "expanded" datums returned by a plan node are read-only (Tom Lane)

    This avoids failures in some cases where the result of a lower plan node is referenced in multiple places in upper nodes. So far as core PostgreSQL is concerned, only array values returned by PL/pgSQL functions are at risk; but extensions might use expanded datums for other things.

  • Avoid crash in postgres -C when the specified variable has a null string value (Michael Paquier)

  • Prevent unintended waits for the receiver in WAL sender processes (Kyotaro Horiguchi)

  • Fix possible loss of large subtransactions in logical decoding (Petru-Florin Mihancea)

  • Fix failure of logical decoding when a subtransaction contains no actual changes (Marko Tiikkaja, Andrew Gierth)

  • Ensure that backends see up-to-date statistics for shared catalogs (Tom Lane)

    The statistics collector failed to update the statistics file for shared catalogs after a request from a regular backend. This problem was partially masked because the autovacuum launcher regularly makes requests that did cause such updates; however, it became obvious with autovacuum disabled.

  • Avoid redundant writes of the statistics files when multiple backends request updates close together (Tom Lane, Tomas Vondra)

  • Avoid consuming a transaction ID during VACUUM (Alexander Korotkov)

    Some cases in VACUUM unnecessarily caused an XID to be assigned to the current transaction. Normally this is negligible, but if one is up against the XID wraparound limit, consuming more XIDs during anti-wraparound vacuums is a very bad thing.

  • Prevent possible failure when vacuuming multixact IDs in an installation that has been pg_upgrade'd from pre-9.3 (Andrew Gierth, Álvaro Herrera)

    The usual symptom of this bug is errors like "MultiXactId NNN has not been created yet -- apparent wraparound".

  • When a manual ANALYZE specifies a column list, don't reset the table's changes_since_analyze counter (Tom Lane)

    If we're only analyzing some columns, we should not prevent routine auto-analyze from happening for the other columns.

  • Fix ANALYZE's overestimation of n_distinct for a unique or nearly-unique column with many null entries (Tom Lane)

    The nulls could get counted as though they were themselves distinct values, leading to serious planner misestimates in some types of queries.

  • Prevent autovacuum from starting multiple workers for the same shared catalog (Álvaro Herrera)

    Normally this isn't much of a problem because the vacuum doesn't take long anyway; but in the case of a severely bloated catalog, it could result in all but one worker uselessly waiting instead of doing useful work on other tables.

  • Fix bug in b-tree mark/restore processing (Kevin Grittner)

    This error could lead to incorrect join results or assertion failures in a merge join whose inner source node is a b-tree indexscan.

  • Avoid duplicate buffer lock release when abandoning a b-tree index page deletion attempt (Tom Lane)

    This mistake prevented VACUUM from completing in some cases involving corrupt b-tree indexes.

  • Fix building of large (bigger than shared_buffers) hash indexes (Tom Lane)

    The code path used for large indexes contained a bug causing incorrect hash values to be inserted into the index, so that subsequent index searches always failed, except for tuples inserted into the index after the initial build.

  • Prevent infinite loop in GiST index build for geometric columns containing NaN component values (Tom Lane)

  • Fix possible crash during a nearest-neighbor (ORDER BY distance) indexscan on a contrib/btree_gist index on an interval column (Peter Geoghegan)

  • Fix "PANIC: failed to add BRIN tuple" error when attempting to update a BRIN index entry (Álvaro Herrera)

  • Fix possible crash during background worker shutdown (Dmitry Ivanov)

  • Fix PL/pgSQL's handling of the INTO clause within IMPORT FOREIGN SCHEMA commands (Tom Lane)

  • Fix contrib/btree_gin to handle the smallest possible bigint value correctly (Peter Eisentraut)

  • Teach libpq to correctly decode server version from future servers (Peter Eisentraut)

    It's planned to switch to two-part instead of three-part server version numbers for releases after 9.6. Make sure that PQserverVersion() returns the correct value for such cases.

  • Fix ecpg's code for unsigned long long array elements (Michael Meskes)

  • In pg_dump with both -c and -C options, avoid emitting an unwanted CREATE SCHEMA public command (David Johnston, Tom Lane)

  • Improve handling of SIGTERM/control-C in parallel pg_dump and pg_restore (Tom Lane)

    Make sure that the worker processes will exit promptly, and also arrange to send query-cancel requests to the connected backends, in case they are doing something long-running such as a CREATE INDEX.

  • Fix error reporting in parallel pg_dump and pg_restore (Tom Lane)

    Previously, errors reported by pg_dump or pg_restore worker processes might never make it to the user's console, because the messages went through the master process, and there were various deadlock scenarios that would prevent the master process from passing on the messages. Instead, just print everything to stderr. In some cases this will result in duplicate messages (for instance, if all the workers report a server shutdown), but that seems better than no message.

  • Ensure that parallel pg_dump or pg_restore on Windows will shut down properly after an error (Kyotaro Horiguchi)

    Previously, it would report the error, but then just sit until manually stopped by the user.

  • Make parallel pg_dump fail cleanly when run against a standby server (Magnus Hagander)

    This usage is not supported unless --no-synchronized-snapshots is specified, but the error was not handled very well.

  • Make pg_dump behave better when built without zlib support (Kyotaro Horiguchi)

    It didn't work right for parallel dumps, and emitted some rather pointless warnings in other cases.

  • Make pg_basebackup accept -Z 0 as specifying no compression (Fujii Masao)

  • Fix makefiles' rule for building AIX shared libraries to be safe for parallel make (Noah Misch)

  • Fix TAP tests and MSVC scripts to work when build directory's path name contains spaces (Michael Paquier, Kyotaro Horiguchi)

  • Be more predictable about reporting "statement timeout" versus "lock timeout" (Tom Lane)

    On heavily loaded machines, the regression tests sometimes failed due to reporting "lock timeout" even though the statement timeout should have occurred first.

  • Make regression tests safe for Danish and Welsh locales (Jeff Janes, Tom Lane)

    Change some test data that triggered the unusual sorting rules of these locales.

  • Update our copy of the timezone code to match IANA's tzcode release 2016c (Tom Lane)

    This is needed to cope with anticipated future changes in the time zone data files. It also fixes some corner-case bugs in coping with unusual time zones.

  • Update time zone data files to tzdata release 2016f for DST law changes in Kemerovo and Novosibirsk, plus historical corrections for Azerbaijan, Belarus, and Morocco.

• ⇑ Upgrade to 9.6 released on 2016-09-29 - docs

  • Improve the pg_stat_activity view's information about what a process is waiting for (Amit Kapila, Ildus Kurbangaliev)

    Historically a process has only been shown as waiting if it was waiting for a heavyweight lock. Now waits for lightweight locks and buffer pins are also shown in pg_stat_activity. Also, the type of lock being waited for is now visible. These changes replace the waiting column with wait_event_type and wait_event.

  • In to_char(), do not count a minus sign (when needed) as part of the field width for time-related fields (Bruce Momjian)

    For example, to_char('-4 years'::interval, 'YY') now returns -04, rather than -4.

  • Make extract() behave more reasonably with infinite inputs (Vitaly Burovoy)

    Historically the extract() function just returned zero given an infinite timestamp, regardless of the given field name. Make it return infinity or -infinity as appropriate when the requested field is one that is monotonically increasing (e.g, year, epoch), or NULL when it is not (e.g., day, hour). Also, throw the expected error for bad field names.

  • Remove PL/pgSQL's "feature" that suppressed the innermost line of CONTEXT for messages emitted by RAISE commands (Pavel Stehule)

    This ancient backwards-compatibility hack was agreed to have outlived its usefulness.

  • Fix the default text search parser to allow leading digits in email and host tokens (Artur Zakirov)

    In most cases this will result in few changes in the parsing of text. But if you have data where such addresses occur frequently, it may be worth rebuilding dependent tsvector columns and indexes so that addresses of this form will be found properly by text searches.

  • Extend contrib/unaccent's standard unaccent.rules file to handle all diacritics known to Unicode, and to expand ligatures correctly (Thomas Munro, Léonard Benedetti)

    The previous version neglected to convert some less-common letters with diacritic marks. Also, ligatures are now expanded into separate letters. Installations that use this rules file may wish to rebuild tsvector columns and indexes that depend on the result.

  • Remove the long-deprecated CREATEUSER/NOCREATEUSER options from CREATE ROLE and allied commands (Tom Lane)

    CREATEUSER actually meant SUPERUSER, for ancient backwards-compatibility reasons. This has been a constant source of confusion for people who (reasonably) expect it to mean CREATEROLE. It has been deprecated for ten years now, so fix the problem by removing it.

  • Treat role names beginning with pg_ as reserved (Stephen Frost)

    User creation of such role names is now disallowed. This prevents conflicts with built-in roles created by initdb.

  • Change a column name in the information_schema.routines view from result_cast_character_set_name to result_cast_char_set_name (Clément Prévost)

    The SQL:2011 standard specifies the longer name, but that appears to be a mistake, because adjacent column names use the shorter style, as do other information_schema views.

  • psql's -c option no longer implies --no-psqlrc (Pavel Stehule, Catalin Iacob)

    Write --no-psqlrc (or its abbreviation -X) explicitly to obtain the old behavior. Scripts so modified will still work with old versions of psql.

  • Improve pg_restore's -t option to match all types of relations, not only plain tables (Craig Ringer)

  • Change the display format used for NextXID in pg_controldata and related places (Joe Conway, Bruce Momjian)

    Display epoch-and-transaction-ID values in the format number:number. The previous format number/number was confusingly similar to that used for LSNs.

  • Update extension functions to be marked parallel-safe where appropriate (Andreas Karlsson)

    Many of the standard extensions have been updated to allow their functions to be executed within parallel query worker processes. These changes will not take effect in databases pg_upgrade'd from prior versions unless you apply ALTER EXTENSION UPDATE to each such extension (in each database of a cluster).

  • Parallel queries (Robert Haas, Amit Kapila, David Rowley, many others)

    With 9.6, PostgreSQL introduces initial support for parallel execution of large queries. Only strictly read-only queries where the driving table is accessed via a sequential scan can be parallelized. Hash joins and nested loops can be performed in parallel, as can aggregation (for supported aggregates). Much remains to be done, but this is already a useful set of features.

    Parallel query execution is not (yet) enabled by default. To allow it, set the new configuration parameter max_parallel_workers_per_gather to a value larger than zero. Additional control over use of parallelism is available through other new configuration parameters force_parallel_mode, parallel_setup_cost, parallel_tuple_cost, and min_parallel_relation_size.

  • Provide infrastructure for marking the parallel-safety status of functions (Robert Haas, Amit Kapila)

  • Allow GIN index builds to make effective use of maintenance_work_mem settings larger than 1 GB (Robert Abraham, Teodor Sigaev)

  • Add pages deleted from a GIN index's pending list to the free space map immediately (Jeff Janes, Teodor Sigaev)

    This reduces bloat if the table is not vacuumed often.

  • Add gin_clean_pending_list() function to allow manual invocation of pending-list cleanup for a GIN index (Jeff Janes)

    Formerly, such cleanup happened only as a byproduct of vacuuming or analyzing the parent table.

  • Improve handling of dead index tuples in GiST indexes (Anastasia Lubennikova)

    Dead index tuples are now marked as such when an index scan notices that the corresponding heap tuple is dead. When inserting tuples, marked-dead tuples will be removed if needed to make space on the page.

  • Add an SP-GiST operator class for type box (Alexander Lebedev)

  • Improve sorting performance by using quicksort, not replacement selection sort, when performing external sort steps (Peter Geoghegan)

    The new approach makes better use of the CPU cache for typical cache sizes and data volumes. Where necessary, the behavior can be adjusted via the new configuration parameter replacement_sort_tuples.

  • Speed up text sorts where the same string occurs multiple times (Peter Geoghegan)

  • Speed up sorting of uuid, bytea, and char(n) fields by using "abbreviated" keys (Peter Geoghegan)

    Support for abbreviated keys has also been added to the non-default operator classes text_pattern_ops, varchar_pattern_ops, and bpchar_pattern_ops. Processing of ordered-set aggregates can also now exploit abbreviated keys.

  • Speed up CREATE INDEX CONCURRENTLY by treating TIDs as 64-bit integers during sorting (Peter Geoghegan)

  • Reduce contention for the ProcArrayLock (Amit Kapila, Robert Haas)

  • Improve performance by moving buffer content locks into the buffer descriptors (Andres Freund, Simon Riggs)

  • Replace shared-buffer header spinlocks with atomic operations to improve scalability (Alexander Korotkov, Andres Freund)

  • Use atomic operations, rather than a spinlock, to protect an LWLock's wait queue (Andres Freund)

  • Partition the shared hash table freelist to reduce contention on multi-CPU-socket servers (Aleksander Alekseev)

  • Reduce interlocking on standby servers during the replay of btree index vacuuming operations (Simon Riggs)

    This change avoids substantial replication delays that sometimes occurred while replaying such operations.

  • Improve ANALYZE's estimates for columns with many nulls (Tomas Vondra, Alex Shulgin)

    Previously ANALYZE tended to underestimate the number of non-NULL distinct values in a column with many NULLs, and was also inaccurate in computing the most-common values.

  • Improve planner's estimate of the number of distinct values in a query result (Tomas Vondra)

  • Use foreign key relationships to infer selectivity for join predicates (Tomas Vondra, David Rowley)

    If a table t has a foreign key restriction, say (a,b) REFERENCES r (x,y), then a WHERE condition such as t.a = r.x AND t.b = r.y cannot select more than one r row per t row. The planner formerly considered these AND conditions to be independent and would often drastically misestimate selectivity as a result. Now it compares the WHERE conditions to applicable foreign key constraints and produces better estimates.

  • Avoid re-vacuuming pages containing only frozen tuples (Masahiko Sawada, Robert Haas, Andres Freund)

    Formerly, anti-wraparound vacuum had to visit every page of a table, even pages where there was nothing to do. Now, pages containing only already-frozen tuples are identified in the table's visibility map, and can be skipped by vacuum even when doing transaction wraparound prevention. This should greatly reduce the cost of maintaining large tables containing mostly-unchanging data.

    If necessary, vacuum can be forced to process all-frozen pages using the new DISABLE_PAGE_SKIPPING option. Normally this should never be needed, but it might help in recovering from visibility-map corruption.

  • Avoid useless heap-truncation attempts during VACUUM (Jeff Janes, Tom Lane)

    This change avoids taking an exclusive table lock in some cases where no truncation is possible. The main benefit comes from avoiding unnecessary query cancellations on standby servers.

  • Allow old MVCC snapshots to be invalidated after a configurable timeout (Kevin Grittner)

    Normally, deleted tuples cannot be physically removed by vacuuming until the last transaction that could "see" them is gone. A transaction that stays open for a long time can thus cause considerable table bloat because space cannot be recycled. This feature allows setting a time-based limit, via the new configuration parameter old_snapshot_threshold, on how long an MVCC snapshot is guaranteed to be valid. After that, dead tuples are candidates for removal. A transaction using an outdated snapshot will get an error if it attempts to read a page that potentially could have contained such data.

  • Ignore GROUP BY columns that are functionally dependent on other columns (David Rowley)

    If a GROUP BY clause includes all columns of a non-deferred primary key, as well as other columns of the same table, those other columns are redundant and can be dropped from the grouping. This saves computation in many common cases.

  • Allow use of an index-only scan on a partial index when the index's WHERE clause references columns that are not indexed (Tomas Vondra, Kyotaro Horiguchi)

    For example, an index defined by CREATE INDEX tidx_partial ON t(b) WHERE a > 0 can now be used for an index-only scan by a query that specifies WHERE a > 0 and does not otherwise use a. Previously this was disallowed because a is not listed as an index column.

  • Perform checkpoint writes in sorted order (Fabien Coelho, Andres Freund)

    Previously, checkpoints wrote out dirty pages in whatever order they happen to appear in shared buffers, which usually is nearly random. That performs poorly, especially on rotating media. This change causes checkpoint-driven writes to be done in order by file and block number, and to be balanced across tablespaces.

  • Where feasible, trigger kernel writeback after a configurable number of writes, to prevent accumulation of dirty data in kernel disk buffers (Fabien Coelho, Andres Freund)

    PostgreSQL writes data to the kernel's disk cache, from where it will be flushed to physical storage in due time. Many operating systems are not smart about managing this and allow large amounts of dirty data to accumulate before deciding to flush it all at once, causing long delays for new I/O requests until the flushing finishes. This change attempts to alleviate this problem by explicitly requesting data flushes after a configurable interval.

    On Linux, sync_file_range() is used for this purpose, and the feature is on by default on Linux because that function has few downsides. This flushing capability is also available on other platforms if they have msync() or posix_fadvise(), but those interfaces have some undesirable side-effects so the feature is disabled by default on non-Linux platforms.

    The new configuration parameters backend_flush_after, bgwriter_flush_after, checkpoint_flush_after, and wal_writer_flush_after control this behavior.

  • Improve aggregate-function performance by sharing calculations across multiple aggregates if they have the same arguments and transition functions (David Rowley)

    For example, SELECT AVG(x), VARIANCE(x) FROM tab can use a single per-row computation for both aggregates.

  • Speed up visibility tests for recently-created tuples by checking the current transaction's snapshot, not pg_clog, to decide if the source transaction should be considered committed (Jeff Janes, Tom Lane)

  • Allow tuple hint bits to be set sooner than before (Andres Freund)

  • Improve performance of short-lived prepared transactions (Stas Kelvich, Simon Riggs, Pavan Deolasee)

    Two-phase commit information is now written only to WAL during PREPARE TRANSACTION, and will be read back from WAL during COMMIT PREPARED if that happens soon thereafter. A separate state file is created only if the pending transaction does not get committed or aborted by the time of the next checkpoint.

  • Improve performance of memory context destruction (Jan Wieck)

  • Improve performance of resource owners with many tracked objects (Aleksander Alekseev)

  • Improve speed of the output functions for timestamp, time, and date data types (David Rowley, Andres Freund)

  • Avoid some unnecessary cancellations of hot-standby queries during replay of actions that take AccessExclusive locks (Jeff Janes)

  • Extend relations multiple blocks at a time when there is contention for the relation's extension lock (Dilip Kumar)

    This improves scalability by decreasing contention.

  • Increase the number of clog buffers for better scalability (Amit Kapila, Andres Freund)

  • Speed up expression evaluation in PL/pgSQL by keeping ParamListInfo entries for simple variables valid at all times (Tom Lane)

  • Avoid reducing the SO_SNDBUF setting below its default on recent Windows versions (Chen Huajun)

  • Disable update_process_title by default on Windows (Takayuki Tsunakawa)

    The overhead of updating the process title is much larger on Windows than most other platforms, and it is also less useful to do it since most Windows users do not have tools that can display process titles.

  • Add pg_stat_progress_vacuum system view to provide progress reporting for VACUUM operations (Amit Langote, Robert Haas, Vinayak Pokale, Rahila Syed)

  • Add pg_control_system(), pg_control_checkpoint(), pg_control_recovery(), and pg_control_init() functions to expose fields of pg_control to SQL (Joe Conway, Michael Paquier)

  • Add pg_config system view (Joe Conway)

    This view exposes the same information available from the pg_config command-line utility, namely assorted compile-time configuration information for PostgreSQL.

  • Add a confirmed_flush_lsn column to the pg_replication_slots system view (Marko Tiikkaja)

  • Add pg_stat_wal_receiver system view to provide information about the state of a hot-standby server's WAL receiver process (Michael Paquier)

  • Add pg_blocking_pids() function to reliably identify which sessions block which others (Tom Lane)

    This function returns an array of the process IDs of any sessions that are blocking the session with the given process ID. Historically users have obtained such information using a self-join on the pg_locks view. However, it is unreasonably tedious to do it that way with any modicum of correctness, and the addition of parallel queries has made the old approach entirely impractical, since locks might be held or awaited by child worker processes rather than the session's main process.

  • Add function pg_current_xlog_flush_location() to expose the current transaction log flush location (Tomas Vondra)

  • Add function pg_notification_queue_usage() to report how full the NOTIFY queue is (Brendan Jurd)

  • Limit the verbosity of memory context statistics dumps (Tom Lane)

    The memory usage dump that is output to the postmaster log during an out-of-memory failure now summarizes statistics when there are a large number of memory contexts, rather than possibly generating a very large report. There is also a "grand total" summary line now.

  • Add a BSD authentication method to allow use of the BSD Authentication service for PostgreSQL client authentication (Marisa Emerson)

    BSD Authentication is currently only available on OpenBSD.

  • When using PAM authentication, provide the client IP address or host name to PAM modules via the PAM_RHOST item (Grzegorz Sampolski)

  • Provide detail in the postmaster log for more types of password authentication failure (Tom Lane)

    All ordinarily-reachable password authentication failure cases should now provide specific DETAIL fields in the log.

  • Support RADIUS passwords up to 128 characters long (Marko Tiikkaja)

  • Add new SSPI authentication parameters compat_realm and upn_username to control whether NetBIOS or Kerberos realm names and user names are used during SSPI authentication (Christian Ullrich)

  • Allow sessions to be terminated automatically if they are in idle-in-transaction state for too long (Vik Fearing)

    This behavior is controlled by the new configuration parameter idle_in_transaction_session_timeout. It can be useful to prevent forgotten transactions from holding locks or preventing vacuum cleanup for too long.

  • Raise the maximum allowed value of checkpoint_timeout to 24 hours (Simon Riggs)

  • Allow effective_io_concurrency to be set per-tablespace to support cases where different tablespaces have different I/O characteristics (Julien Rouhaud)

  • Add log_line_prefix option %n to print the current time in Unix epoch form, with milliseconds (Tomas Vondra, Jeff Davis)

  • Add syslog_sequence_numbers and syslog_split_messages configuration parameters to provide more control over the message format when logging to syslog (Peter Eisentraut)

  • Merge the archive and hot_standby values of the wal_level configuration parameter into a single new value replica (Peter Eisentraut)

    Making a distinction between these settings is no longer useful, and merging them is a step towards a planned future simplification of replication setup. The old names are still accepted but are converted to replica internally.

  • Add configure option --with-systemd to enable calling sd_notify() at server start and stop (Peter Eisentraut)

    This allows the use of systemd service units of type notify, which greatly simplifies the management of PostgreSQL under systemd.

  • Allow the server's SSL key file to have group read access if it is owned by root (Christoph Berg)

    Formerly, we insisted the key file be owned by the user running the PostgreSQL server, but that is inconvenient on some systems (such as Debian) that are configured to manage certificates centrally. Therefore, allow the case where the key file is owned by root and has group read access. It is up to the operating system administrator to ensure that the group does not include any untrusted users.

  • Force backends to exit if the postmaster dies (Rajeev Rastogi, Robert Haas)

    Under normal circumstances the postmaster should always outlive its child processes. If for some reason the postmaster dies, force backend sessions to exit with an error. Formerly, existing backends would continue to run until their clients disconnect, but that is unsafe and inefficient. It also prevents a new postmaster from being started until the last old backend has exited. Backends will detect postmaster death when waiting for client I/O, so the exit will not be instantaneous, but it should happen no later than the end of the current query.

  • Check for serializability conflicts before reporting constraint-violation failures (Thomas Munro)

    When using serializable transaction isolation, it is desirable that any error due to concurrent transactions should manifest as a serialization failure, thereby cueing the application that a retry might succeed. Unfortunately, this does not reliably happen for duplicate-key failures caused by concurrent insertions. This change ensures that such an error will be reported as a serialization error if the application explicitly checked for the presence of a conflicting key (and did not find it) earlier in the transaction.

  • Ensure that invalidation messages are recorded in WAL even when issued by a transaction that has no XID assigned (Andres Freund)

    This fixes some corner cases in which transactions on standby servers failed to notice changes, such as new indexes.

  • Prevent multiple processes from trying to clean a GIN index's pending list concurrently (Teodor Sigaev, Jeff Janes)

    This had been intentionally allowed, but it causes race conditions that can result in vacuum missing index entries it needs to delete.

  • Allow synchronous replication to support multiple simultaneous synchronous standby servers, not just one (Masahiko Sawada, Beena Emerson, Michael Paquier, Fujii Masao, Kyotaro Horiguchi)

    The number of standby servers that must acknowledge a commit before it is considered complete is now configurable as part of the synchronous_standby_names parameter.

  • Add new setting remote_apply for configuration parameter synchronous_commit (Thomas Munro)

    In this mode, the master waits for the transaction to be applied on the standby server, not just written to disk. That means that you can count on a transaction started on the standby to see all commits previously acknowledged by the master.

  • Add a feature to the replication protocol, and a corresponding option to pg_create_physical_replication_slot(), to allow reserving WAL immediately when creating a replication slot (Gurjeet Singh, Michael Paquier)

    This allows the creation of a replication slot to guarantee that all the WAL needed for a base backup will be available.

  • Add a --slot option to pg_basebackup (Peter Eisentraut)

    This lets pg_basebackup use a replication slot defined for WAL streaming. After the base backup completes, selecting the same slot for regular streaming replication allows seamless startup of the new standby server.

  • Extend pg_start_backup() and pg_stop_backup() to support non-exclusive backups (Magnus Hagander)

  • Allow functions that return sets of tuples to return simple NULLs (Andrew Gierth, Tom Lane)

    In the context of SELECT FROM function(...), a function that returned a set of composite values was previously not allowed to return a plain NULL value as part of the set. Now that is allowed and interpreted as a row of NULLs. This avoids corner-case errors with, for example, unnesting an array of composite values.

  • Fully support array subscripts and field selections in the target column list of an INSERT with multiple VALUES rows (Tom Lane)

    Previously, such cases failed if the same target column was mentioned more than once, e.g., INSERT INTO tab (x[1], x[2]) VALUES (...).

  • When appropriate, postpone evaluation of SELECT output expressions until after an ORDER BY sort (Konstantin Knizhnik)

    This change ensures that volatile or expensive functions in the output list are executed in the order suggested by ORDER BY, and that they are not evaluated more times than required when there is a LIMIT clause. Previously, these properties held if the ordering was performed by an index scan or pre-merge-join sort, but not if it was performed by a top-level sort.

  • Widen counters recording the number of tuples processed to 64 bits (Andreas Scherbaum)

    This change allows command tags, e.g. SELECT, to correctly report tuple counts larger than 4 billion. This also applies to PL/pgSQL's GET DIAGNOSTICS ... ROW_COUNT command.

  • Avoid doing encoding conversions by converting through the MULE_INTERNAL encoding (Tom Lane)

    Previously, many conversions for Cyrillic and Central European single-byte encodings were done by converting to a related MULE_INTERNAL coding scheme and then to the destination encoding. Aside from being inefficient, this meant that when the conversion encountered an untranslatable character, the error message would confusingly complain about failure to convert to or from MULE_INTERNAL, rather than the user-visible encoding.

  • Consider performing joins of foreign tables remotely only when the tables will be accessed under the same role ID (Shigeru Hanada, Ashutosh Bapat, Etsuro Fujita)

    Previously, the foreign join pushdown infrastructure left the question of security entirely up to individual foreign data wrappers, but that made it too easy for an FDW to inadvertently create subtle security holes. So, make it the core code's job to determine which role ID will access each table, and do not attempt join pushdown unless the role is the same for all relevant relations.

  • Allow COPY to copy the output of an INSERT/UPDATE/DELETE ... RETURNING query (Marko Tiikkaja)

    Previously, an intermediate CTE had to be written to get this result.

  • Introduce ALTER object DEPENDS ON EXTENSION (Abhijit Menon-Sen)

    This command allows a database object to be marked as depending on an extension, so that it will be dropped automatically if the extension is dropped (without needing CASCADE). However, the object is not part of the extension, and thus will be dumped separately by pg_dump.

  • Make ALTER object SET SCHEMA do nothing when the object is already in the requested schema, rather than throwing an error as it historically has for most object types (Marti Raudsepp)

  • Add options to ALTER OPERATOR to allow changing the selectivity functions associated with an existing operator (Yury Zhuravlev)

  • Add an IF NOT EXISTS option to ALTER TABLE ADD COLUMN (Fabrízio de Royes Mello)

  • Reduce the lock strength needed by ALTER TABLE when setting fillfactor and autovacuum-related relation options (Fabrízio de Royes Mello, Simon Riggs)

  • Introduce CREATE ACCESS METHOD to allow extensions to create index access methods (Alexander Korotkov, Petr Jelínek)

  • Add a CASCADE option to CREATE EXTENSION to automatically create any extensions the requested one depends on (Petr Jelínek)

  • Make CREATE TABLE ... LIKE include an OID column if any source table has one (Bruce Momjian)

  • If a CHECK constraint is declared NOT VALID in a table creation command, automatically mark it as valid (Amit Langote, Amul Sul)

    This is safe because the table has no existing rows. This matches the longstanding behavior of FOREIGN KEY constraints.

  • Fix DROP OPERATOR to clear pg_operator.oprcom and pg_operator.oprnegate links to the dropped operator (Roma Sokolov)

    Formerly such links were left as-is, which could pose a problem in the somewhat unlikely event that the dropped operator's OID was reused for another operator.

  • Do not show the same subplan twice in EXPLAIN output (Tom Lane)

    In certain cases, typically involving SubPlan nodes in index conditions, EXPLAIN would print data for the same subplan twice.

  • Disallow creation of indexes on system columns, except for OID columns (David Rowley)

    Such indexes were never considered supported, and would very possibly misbehave since the system might change the system-column fields of a tuple without updating indexes. However, previously there were no error checks to prevent them from being created.

  • Use the privilege system to manage access to sensitive functions (Stephen Frost)

    Formerly, many security-sensitive functions contained hard-wired checks that would throw an error if they were called by a non-superuser. This forced the use of superuser roles for some relatively pedestrian tasks. The hard-wired error checks are now gone in favor of making initdb revoke the default public EXECUTE privilege on these functions. This allows installations to choose to grant usage of such functions to trusted roles that do not need all superuser privileges.

  • Create some built-in roles that can be used to grant access to what were previously superuser-only functions (Stephen Frost)

    Currently the only such role is pg_signal_backend, but more are expected to be added in future.

  • Improve full-text search to support searching for phrases, that is, lexemes appearing adjacent to each other in a specific order, or with a specified distance between them (Teodor Sigaev, Oleg Bartunov, Dmitry Ivanov)

    A phrase-search query can be specified in tsquery input using the new operators <-> and <N>. The former means that the lexemes before and after it must appear adjacent to each other in that order. The latter means they must be exactly N lexemes apart.

  • Allow omitting one or both boundaries in an array slice specifier, e.g. array_col[3:] (Yury Zhuravlev)

    Omitted boundaries are taken as the upper or lower limit of the corresponding array subscript. This allows simpler specification for many common use-cases.

  • Be more careful about out-of-range dates and timestamps (Vitaly Burovoy)

    This change prevents unexpected out-of-range errors for timestamp with time zone values very close to the implementation limits. Previously, the "same" value might be accepted or not depending on the timezone setting, meaning that a dump and reload could fail on a value that had been accepted when presented. Now the limits are enforced according to the equivalent UTC time, not local time, so as to be independent of timezone.

    Also, PostgreSQL is now more careful to detect overflow in operations that compute new date or timestamp values, such as date + integer.

  • For geometric data types, make sure infinity and NaN component values are treated consistently during input and output (Tom Lane)

    Such values will now always print the same as they would in a simple float8 column, and be accepted the same way on input. Previously the behavior was platform-dependent.

  • Upgrade the ispell dictionary type to handle modern Hunspell files and support more languages (Artur Zakirov)

  • Implement look-behind constraints in regular expressions (Tom Lane)

    A look-behind constraint is like a lookahead constraint in that it consumes no text; but it checks for existence (or nonexistence) of a match ending at the current point in the string, rather than one starting at the current point. Similar features exist in many other regular-expression engines.

  • In regular expressions, if an apparent three-digit octal escape \nnn would exceed 377 (255 decimal), assume it is a two-digit octal escape instead (Tom Lane)

    This makes the behavior match current Tcl releases.

  • Add transaction ID operators xid <> xid and xid <> int4, for consistency with the corresponding equality operators (Michael Paquier)

  • Add jsonb_insert() function to insert a new element into a jsonb array, or a not-previously-existing key into a jsonb object (Dmitry Dolgov)

  • Improve the accuracy of the ln(), log(), exp(), and pow() functions for type numeric (Dean Rasheed)

  • Add a scale(numeric) function to extract the display scale of a numeric value (Marko Tiikkaja)

  • Add trigonometric functions that work in degrees (Dean Rasheed)

    For example, sind() measures its argument in degrees, whereas sin() measures in radians. These functions go to some lengths to deliver exact results for values where an exact result can be expected, for instance sind(30) = 0.5.

  • Ensure that trigonometric functions handle infinity and NaN inputs per the POSIX standard (Dean Rasheed)

    The POSIX standard says that these functions should return NaN for NaN input, and should throw an error for out-of-range inputs including infinity. Previously our behavior varied across platforms.

  • Make to_timestamp(float8) convert float infinity to timestamp infinity (Vitaly Burovoy)

    Formerly it just failed on an infinite input.

  • Add new functions for tsvector data (Stas Kelvich)

    The new functions are ts_delete(), ts_filter(), unnest(), tsvector_to_array(), array_to_tsvector(), and a variant of setweight() that sets the weight only for specified lexeme(s).

  • Allow ts_stat() and tsvector_update_trigger() to operate on values that are of types binary-compatible with the expected argument type, not just exactly that type; for example allow citext where text is expected (Teodor Sigaev)

  • Add variadic functions num_nulls() and num_nonnulls() that count the number of their arguments that are null or non-null (Marko Tiikkaja)

    An example usage is CHECK(num_nonnulls(a,b,c) = 1) which asserts that exactly one of a,b,c is not NULL. These functions can also be used to count the number of null or nonnull elements in an array.

  • Add function parse_ident() to split a qualified, possibly quoted SQL identifier into its parts (Pavel Stehule)

  • In to_number(), interpret a V format code as dividing by 10 to the power of the number of digits following V (Bruce Momjian)

    This makes it operate in an inverse fashion to to_char().

  • Make the to_reg*() functions accept type text not cstring (Petr Korobeinikov)

    This avoids the need to write an explicit cast in most cases where the argument is not a simple literal constant.

  • Add pg_size_bytes() function to convert human-readable size strings to numbers (Pavel Stehule, Vitaly Burovoy, Dean Rasheed)

    This function converts strings like those produced by pg_size_pretty() into bytes. An example usage is SELECT oid::regclass FROM pg_class WHERE pg_total_relation_size(oid) > pg_size_bytes('10 GB').

  • In pg_size_pretty(), format negative numbers similarly to positive ones (Adrian Vondendriesch)

    Previously, negative numbers were never abbreviated, just printed in bytes.

  • Add an optional missing_ok argument to the current_setting() function (David Christensen)

    This allows avoiding an error for an unrecognized parameter name, instead returning a NULL.

  • Change various catalog-inspection functions to return NULL for invalid input (Michael Paquier)

    pg_get_viewdef() now returns NULL if given an invalid view OID, and several similar functions likewise return NULL for bad input. Previously, such cases usually led to "cache lookup failed" errors, which are not meant to occur in user-facing cases.

  • Fix pg_replication_origin_xact_reset() to not have any arguments (Fujii Masao)

    The documentation said that it has no arguments, and the C code did not expect any arguments, but the entry in pg_proc mistakenly specified two arguments.

  • In PL/pgSQL, detect mismatched CONTINUE and EXIT statements while compiling a function, rather than at execution time (Jim Nasby)

  • Extend PL/Python's error-reporting and message-reporting functions to allow specifying additional message fields besides the primary error message (Pavel Stehule)

  • Allow PL/Python functions to call themselves recursively via SPI, and fix the behavior when multiple set-returning PL/Python functions are called within one query (Alexey Grishchenko, Tom Lane)

  • Fix session-lifespan memory leaks in PL/Python (Heikki Linnakangas, Haribabu Kommi, Tom Lane)

  • Modernize PL/Tcl to use Tcl's "object" APIs instead of simple strings (Jim Nasby, Karl Lehenbauer)

    This can improve performance substantially in some cases. Note that PL/Tcl now requires Tcl 8.4 or later.

  • In PL/Tcl, make database-reported errors return additional information in Tcl's errorCode global variable (Jim Nasby, Tom Lane)

    This feature follows the Tcl convention for returning auxiliary data about an error.

  • Fix PL/Tcl to perform encoding conversion between the database encoding and UTF-8, which is what Tcl expects (Tom Lane)

    Previously, strings were passed through without conversion, leading to misbehavior with non-ASCII characters when the database encoding was not UTF-8.

  • Add a nonlocalized version of the severity field in error and notice messages (Tom Lane)

    This change allows client code to determine severity of an error or notice without having to worry about localized variants of the severity strings.

  • Introduce a feature in libpq whereby the CONTEXT field of messages can be suppressed, either always or only for non-error messages (Pavel Stehule)

    The default behavior of PQerrorMessage() is now to print CONTEXT only for errors. The new function PQsetErrorContextVisibility() can be used to adjust this.

  • Add support in libpq for regenerating an error message with a different verbosity level (Alex Shulgin)

    This is done with the new function PQresultVerboseErrorMessage(). This supports psql's new \errverbose feature, and may be useful for other clients as well.

  • Improve libpq's PQhost() function to return useful data for default Unix-socket connections (Tom Lane)

    Previously it would return NULL if no explicit host specification had been given; now it returns the default socket directory path.

  • Fix ecpg's lexer to handle line breaks within comments starting on preprocessor directive lines (Michael Meskes)

  • Add a --strict-names option to pg_dump and pg_restore (Pavel Stehule)

    This option causes the program to complain if there is no match for a -t or -n option, rather than silently doing nothing.

  • In pg_dump, dump locally-made changes of privilege assignments for system objects (Stephen Frost)

    While it has always been possible for a superuser to change the privilege assignments for built-in or extension-created objects, such changes were formerly lost in a dump and reload. Now, pg_dump recognizes and dumps such changes. (This works only when dumping from a 9.6 or later server, however.)

  • Allow pg_dump to dump non-extension-owned objects that are within an extension-owned schema (Martín Marqués)

    Previously such objects were ignored because they were mistakenly assumed to belong to the extension owning their schema.

  • In pg_dump output, include the table name in object tags for object types that are only uniquely named per-table (for example, triggers) (Peter Eisentraut)

  • Support multiple -c and -f command-line options (Pavel Stehule, Catalin Iacob)

    The specified operations are carried out in the order in which the options are given, and then psql terminates.

  • Add a \crosstabview command that prints the results of a query in a cross-tabulated display (Daniel Vérité)

    In the crosstab display, data values from one query result column are placed in a grid whose column and row headers come from other query result columns.

  • Add an \errverbose command that shows the last server error at full verbosity (Alex Shulgin)

    This is useful after getting an unexpected error — you no longer need to adjust the VERBOSITY variable and recreate the failure in order to see error fields that are not shown by default.

  • Add \ev and \sv commands for editing and showing view definitions (Petr Korobeinikov)

    These are parallel to the existing \ef and \sf commands for functions.

  • Add a \gexec command that executes a query and re-submits the result(s) as new queries (Corey Huinker)

  • Allow \pset C string to set the table title, for consistency with \C string (Bruce Momjian)

  • In \pset expanded auto mode, do not use expanded format for query results with only one column (Andreas Karlsson, Robert Haas)

  • Improve the headers output by the \watch command (Michael Paquier, Tom Lane)

    Include the \pset title string if one has been set, and shorten the prefabricated part of the header to be timestamp (every Ns). Also, the timestamp format now obeys psql's locale environment.

  • Improve tab-completion logic to consider the entire input query, not only the current line (Tom Lane)

    Previously, breaking a command into multiple lines defeated any tab completion rules that needed to see words on earlier lines.

  • Numerous minor improvements in tab-completion behavior (Peter Eisentraut, Vik Fearing, Kevin Grittner, Kyotaro Horiguchi, Jeff Janes, Andreas Karlsson, Fujii Masao, Thomas Munro, Masahiko Sawada, Pavel Stehule)

  • Add a PROMPT option %p to insert the process ID of the connected backend (Julien Rouhaud)

  • Introduce a feature whereby the CONTEXT field of messages can be suppressed, either always or only for non-error messages (Pavel Stehule)

    Printing CONTEXT only for errors is now the default behavior. This can be changed by setting the special variable SHOW_CONTEXT.

  • Make \df+ show function access privileges and parallel-safety attributes (Michael Paquier)

  • SQL commands in pgbench scripts are now ended by semicolons, not newlines (Kyotaro Horiguchi, Tom Lane)

    This change allows SQL commands in scripts to span multiple lines. Existing custom scripts will need to be modified to add a semicolon at the end of each line that does not have one already. (Doing so does not break the script for use with older versions of pgbench.)

  • Support floating-point arithmetic, as well as some built-in functions, in expressions in backslash commands (Fabien Coelho)

  • Replace \setrandom with built-in functions (Fabien Coelho)

    The new built-in functions include random(), random_exponential(), and random_gaussian(), which perform the same work as \setrandom, but are easier to use since they can be embedded in larger expressions. Since these additions have made \setrandom obsolete, remove it.

  • Allow invocation of multiple copies of the built-in scripts, not only custom scripts (Fabien Coelho)

    This is done with the new -b switch, which works similarly to -f for custom scripts.

  • Allow changing the selection probabilities (weights) for scripts (Fabien Coelho)

    When multiple scripts are specified, each pgbench transaction randomly chooses one to execute. Formerly this was always done with uniform probability, but now different selection probabilities can be specified for different scripts.

  • Collect statistics for each script in a multi-script run (Fabien Coelho)

    This feature adds an intermediate level of detail to existing global and per-command statistics printouts.

  • Add a --progress-timestamp option to report progress with Unix epoch timestamps, instead of time since the run started (Fabien Coelho)

  • Allow the number of client connections (-c) to not be an exact multiple of the number of threads (-j) (Fabien Coelho)

  • When the -T option is used, stop promptly at the end of the specified time (Fabien Coelho)

    Previously, specifying a low transaction rate could cause pgbench to wait significantly longer than specified.

  • Improve error reporting during initdb's post-bootstrap phase (Tom Lane)

    Previously, an error here led to reporting the entire input file as the "failing query"; now just the current query is reported. To get the desired behavior, queries in initdb's input files must be separated by blank lines.

  • Speed up initdb by using just one standalone-backend session for all the post-bootstrap steps (Tom Lane)

  • Improve pg_rewind so that it can work when the target timeline changes (Alexander Korotkov)

    This allows, for example, rewinding a promoted standby back to some state of the old master's timeline.

  • Remove obsolete heap_formtuple/heap_modifytuple/heap_deformtuple functions (Peter Geoghegan)

  • Add macros to make AllocSetContextCreate() calls simpler and safer (Tom Lane)

    Writing out the individual sizing parameters for a memory context is now deprecated in favor of using one of the new macros ALLOCSET_DEFAULT_SIZES, ALLOCSET_SMALL_SIZES, or ALLOCSET_START_SMALL_SIZES. Existing code continues to work, however.

  • Unconditionally use static inline functions in header files (Andres Freund)

    This may result in warnings and/or wasted code space with very old compilers, but the notational improvement seems worth it.

  • Improve TAP testing infrastructure (Michael Paquier, Craig Ringer, Álvaro Herrera, Stephen Frost)

    Notably, it is now possible to test recovery scenarios using this infrastructure.

  • Make trace_lwlocks identify individual locks by name (Robert Haas)

  • Improve psql's tab-completion code infrastructure (Thomas Munro, Michael Paquier)

    Tab-completion rules are now considerably easier to write, and more compact.

  • Nail the pg_shseclabel system catalog into cache, so that it is available for access during connection authentication (Adam Brightwell)

    The core code does not use this catalog for authentication, but extensions might wish to consult it.

  • Restructure index access method API to hide most of it at the C level (Alexander Korotkov, Andrew Gierth)

    This change modernizes the index AM API to look more like the designs we have adopted for foreign data wrappers and tablesample handlers. This simplifies the C code and makes it much more practical to define index access methods in installable extensions. A consequence is that most of the columns of the pg_am system catalog have disappeared. New inspection functions have been added to allow SQL queries to determine index AM properties that used to be discoverable from pg_am.

  • Add pg_init_privs system catalog to hold original privileges of initdb-created and extension-created objects (Stephen Frost)

    This infrastructure allows pg_dump to dump changes that an installation may have made in privileges attached to system objects. Formerly, such changes would be lost in a dump and reload, but now they are preserved.

  • Change the way that extensions allocate custom LWLocks (Amit Kapila, Robert Haas)

    The RequestAddinLWLocks() function is removed, and replaced by RequestNamedLWLockTranche(). This allows better identification of custom LWLocks, and is less error-prone.

  • Improve the isolation tester to allow multiple sessions to wait concurrently, allowing testing of deadlock scenarios (Robert Haas)

  • Introduce extensible node types (KaiGai Kohei)

    This change allows FDWs or custom scan providers to store data in a plan tree in a more convenient format than was previously possible.

  • Make the planner deal with post-scan/join query steps by generating and comparing Paths, replacing a lot of ad-hoc logic (Tom Lane)

    This change provides only marginal user-visible improvements today, but it enables future work on a lot of upper-planner improvements that were impractical to tackle using the old code structure.

  • Support partial aggregation (David Rowley, Simon Riggs)

    This change allows the computation of an aggregate function to be split into separate parts, for example so that parallel worker processes can cooperate on computing an aggregate. In future it might allow aggregation across local and remote data to occur partially on the remote end.

  • Add a generic command progress reporting facility (Vinayak Pokale, Rahila Syed, Amit Langote, Robert Haas)

  • Separate out psql's flex lexer to make it usable by other client programs (Tom Lane, Kyotaro Horiguchi)

    This eliminates code duplication for programs that need to be able to parse SQL commands well enough to identify command boundaries. Doing that in full generality is more painful than one could wish, and up to now only psql has really gotten it right among our supported client programs.

    A new source-code subdirectory src/fe_utils/ has been created to hold this and other code that is shared across our client programs. Formerly such sharing was accomplished by symbolic linking or copying source files at build time, which was ugly and required duplicate compilation.

  • Introduce WaitEventSet API to allow efficient waiting for event sets that usually do not change from one wait to the next (Andres Freund, Amit Kapila)

  • Add a generic interface for writing WAL records (Alexander Korotkov, Petr Jelínek, Markus Nullmeier)

    This change allows extensions to write WAL records for changes to pages using a standard layout. The problem of needing to replay WAL without access to the extension is solved by having generic replay code. This allows extensions to implement, for example, index access methods and have WAL support for them.

  • Support generic WAL messages for logical decoding (Petr Jelínek, Andres Freund)

    This feature allows extensions to insert data into the WAL stream that can be read by logical-decoding plugins, but is not connected to physical data restoration.

  • Allow SP-GiST operator classes to store an arbitrary "traversal value" while descending the index (Alexander Lebedev, Teodor Sigaev)

    This is somewhat like the "reconstructed value", but it could be any arbitrary chunk of data, not necessarily of the same data type as the indexed column.

  • Introduce a LOG_SERVER_ONLY message level for ereport() (David Steele)

    This level acts like LOG except that the message is never sent to the client. It is meant for use in auditing and similar applications.

  • Provide a Makefile target to build all generated headers (Michael Paquier, Tom Lane)

    submake-generated-headers can now be invoked to ensure that generated backend header files are up-to-date. This is useful in subdirectories that might be built "standalone".

  • Support OpenSSL 1.1.0 (Andreas Karlsson, Heikki Linnakangas)

  • Add configuration parameter auto_explain.sample_rate to allow contrib/auto_explain to capture just a configurable fraction of all queries (Craig Ringer, Julien Rouhaud)

    This allows reduction of overhead for heavy query traffic, while still getting useful information on average.

  • Add contrib/bloom module that implements an index access method based on Bloom filtering (Teodor Sigaev, Alexander Korotkov)

    This is primarily a proof-of-concept for non-core index access methods, but it could be useful in its own right for queries that search many columns.

  • In contrib/cube, introduce distance operators for cubes, and support kNN-style searches in GiST indexes on cube columns (Stas Kelvich)

  • Make contrib/hstore's hstore_to_jsonb_loose() and hstore_to_json_loose() functions agree on what is a number (Tom Lane)

    Previously, hstore_to_jsonb_loose() would convert numeric-looking strings to JSON numbers, rather than strings, even if they did not exactly match the JSON syntax specification for numbers. This was inconsistent with hstore_to_json_loose(), so tighten the test to match the JSON syntax.

  • Add selectivity estimation functions for contrib/intarray operators to improve plans for queries using those operators (Yury Zhuravlev, Alexander Korotkov)

  • Make contrib/pageinspect's heap_page_items() function show the raw data in each tuple, and add new functions tuple_data_split() and heap_page_item_attrs() for inspection of individual tuple fields (Nikolay Shaplov)

  • Add an optional S2K iteration count parameter to contrib/pgcrypto's pgp_sym_encrypt() function (Jeff Janes)

  • Add support for "word similarity" to contrib/pg_trgm (Alexander Korotkov, Artur Zakirov)

    These functions and operators measure the similarity between one string and the most similar single word of another string.

  • Add configuration parameter pg_trgm.similarity_threshold for contrib/pg_trgm's similarity threshold (Artur Zakirov)

    This threshold has always been configurable, but formerly it was controlled by special-purpose functions set_limit() and show_limit(). Those are now deprecated.

  • Improve contrib/pg_trgm's GIN operator class to speed up index searches in which both common and rare keys appear (Jeff Janes)

  • Improve performance of similarity searches in contrib/pg_trgm GIN indexes (Christophe Fornaroli)

  • Add contrib/pg_visibility module to allow examining table visibility maps (Robert Haas)

  • Add ssl_extension_info() function to contrib/sslinfo, to print information about SSL extensions present in the X509 certificate used for the current connection (Dmitry Voronin)

  • Allow extension-provided operators and functions to be sent for remote execution, if the extension is whitelisted in the foreign server's options (Paul Ramsey)

    Users can enable this feature when the extension is known to exist in a compatible version in the remote database. It allows more efficient execution of queries involving extension operators.

  • Consider performing sorts on the remote server (Ashutosh Bapat)

  • Consider performing joins on the remote server (Shigeru Hanada, Ashutosh Bapat)

  • When feasible, perform UPDATE or DELETE entirely on the remote server (Etsuro Fujita)

    Formerly, remote updates involved sending a SELECT FOR UPDATE command and then updating or deleting the selected rows one-by-one. While that is still necessary if the operation requires any local processing, it can now be done remotely if all elements of the query are safe to send to the remote server.

  • Allow the fetch size to be set as a server or table option (Corey Huinker)

    Formerly, postgres_fdw always fetched 100 rows at a time from remote queries; now that behavior is configurable.

  • Use a single foreign-server connection for local user IDs that all map to the same remote user (Ashutosh Bapat)

  • Transmit query cancellation requests to the remote server (Michael Paquier, Etsuro Fujita)

    Previously, a local query cancellation request did not cause an already-sent remote query to terminate early.

• ⇑ Upgrade to 9.6.1 released on 2016-10-27 - docs

  • Fix WAL-logging of truncation of relation free space maps and visibility maps (Pavan Deolasee, Heikki Linnakangas)

    It was possible for these files to not be correctly restored during crash recovery, or to be written incorrectly on a standby server. Bogus entries in a free space map could lead to attempts to access pages that have been truncated away from the relation itself, typically producing errors like "could not read block XXX: read only 0 of 8192 bytes". Checksum failures in the visibility map are also possible, if checksumming is enabled.

    Procedures for determining whether there is a problem and repairing it if so are discussed at https://wiki.postgresql.org/wiki/Free_Space_Map_Problems.

  • Fix possible data corruption when pg_upgrade rewrites a relation visibility map into 9.6 format (Tom Lane)

    On big-endian machines, bytes of the new visibility map were written in the wrong order, leading to a completely incorrect map. On Windows, the old map was read using text mode, leading to incorrect results if the map happened to contain consecutive bytes that matched a carriage return/line feed sequence. The latter error would almost always lead to a pg_upgrade failure due to the map file appearing to be the wrong length.

    If you are using a big-endian machine (many non-Intel architectures are big-endian) and have used pg_upgrade to upgrade from a pre-9.6 release, you should assume that all visibility maps are incorrect and need to be regenerated. It is sufficient to truncate each relation's visibility map with contrib/pg_visibility's pg_truncate_visibility_map() function. For more information see https://wiki.postgresql.org/wiki/Visibility_Map_Problems.

  • Don't throw serialization errors for self-conflicting insertions in INSERT ... ON CONFLICT (Thomas Munro, Peter Geoghegan)

  • Fix use-after-free hazard in execution of aggregate functions using DISTINCT (Peter Geoghegan)

    This could lead to a crash or incorrect query results.

  • Fix incorrect handling of polymorphic aggregates used as window functions (Tom Lane)

    The aggregate's transition function was told that its first argument and result were of the aggregate's output type, rather than the state type. This led to errors or crashes with polymorphic transition functions.

  • Fix COPY with a column name list from a table that has row-level security enabled (Adam Brightwell)

  • Fix EXPLAIN to emit valid XML when track_io_timing is on (Markus Winand)

    Previously the XML output-format option produced syntactically invalid tags such as <I/O-Read-Time>. That is now rendered as <I-O-Read-Time>.

  • Fix statistics update for TRUNCATE in a prepared transaction (Stas Kelvich)

  • Fix bugs in merging inherited CHECK constraints while creating or altering a table (Tom Lane, Amit Langote)

    Allow identical CHECK constraints to be added to a parent and child table in either order. Prevent merging of a valid constraint from the parent table with a NOT VALID constraint on the child. Likewise, prevent merging of a NO INHERIT child constraint with an inherited constraint.

  • Show a sensible value in pg_settings.unit for min_wal_size and max_wal_size (Tom Lane)

  • Fix replacement of array elements in jsonb_set() (Tom Lane)

    If the target is an existing JSON array element, it got deleted instead of being replaced with a new value.

  • Avoid very-low-probability data corruption due to testing tuple visibility without holding buffer lock (Thomas Munro, Peter Geoghegan, Tom Lane)

  • Preserve commit timestamps across server restart (Julien Rouhaud, Craig Ringer)

    With track_commit_timestamp turned on, old commit timestamps became inaccessible after a clean server restart.

  • Fix logical WAL decoding to work properly when a subtransaction's WAL output is large enough to spill to disk (Andres Freund)

  • Fix dangling-pointer problem in logical WAL decoding (Stas Kelvich)

  • Round shared-memory allocation request to a multiple of the actual huge page size when attempting to use huge pages on Linux (Tom Lane)

    This avoids possible failures during munmap() on systems with atypical default huge page sizes. Except in crash-recovery cases, there were no ill effects other than a log message.

  • Don't try to share SSL contexts across multiple connections in libpq (Heikki Linnakangas)

    This led to assorted corner-case bugs, particularly when trying to use different SSL parameters for different connections.

  • Avoid corner-case memory leak in libpq (Tom Lane)

    The reported problem involved leaking an error report during PQreset(), but there might be related cases.

  • In pg_upgrade, check library loadability in name order (Tom Lane)

    This is a workaround to deal with cross-extension dependencies from language transform modules to their base language and data type modules.

  • Fix pg_upgrade to work correctly for extensions containing index access methods (Tom Lane)

    To allow this, the server has been extended to support ALTER EXTENSION ADD/DROP ACCESS METHOD. That functionality should have been included in the original patch to support dynamic creation of access methods, but it was overlooked.

  • Improve error reporting in pg_upgrade's file copying/linking/rewriting steps (Tom Lane, Álvaro Herrera)

  • Fix pg_dump to work against pre-7.4 servers (Amit Langote, Tom Lane)

  • Disallow specifying both --source-server and --source-target options to pg_rewind (Michael Banck)

  • Make pg_rewind turn off synchronous_commit in its session on the source server (Michael Banck, Michael Paquier)

    This allows pg_rewind to work even when the source server is using synchronous replication that is not working for some reason.

  • In pg_xlogdump, retry opening new WAL segments when using --follow option (Magnus Hagander)

    This allows for a possible delay in the server's creation of the next segment.

  • Fix contrib/pg_visibility to report the correct TID for a corrupt tuple that has been the subject of a rolled-back update (Tom Lane)

  • Fix makefile dependencies so that parallel make of PL/Python by itself will succeed reliably (Pavel Raiskup)

  • Update time zone data files to tzdata release 2016h for DST law changes in Palestine and Turkey, plus historical corrections for Turkey and some regions of Russia. Switch to numeric abbreviations for some time zones in Antarctica, the former Soviet Union, and Sri Lanka.

    The IANA time zone database previously provided textual abbreviations for all time zones, sometimes making up abbreviations that have little or no currency among the local population. They are in process of reversing that policy in favor of using numeric UTC offsets in zones where there is no evidence of real-world use of an English abbreviation. At least for the time being, PostgreSQL will continue to accept such removed abbreviations for timestamp input. But they will not be shown in the pg_timezone_names view nor used for output.

    In this update, AMT is no longer shown as being in use to mean Armenia Time. Therefore, we have changed the Default abbreviation set to interpret it as Amazon Time, thus UTC-4 not UTC+4.

• ⇑ Upgrade to 9.6.2 released on 2017-02-09 - docs

  • Fix a race condition that could cause indexes built with CREATE INDEX CONCURRENTLY to be corrupt (Pavan Deolasee, Tom Lane)

    If CREATE INDEX CONCURRENTLY was used to build an index that depends on a column not previously indexed, then rows updated by transactions that ran concurrently with the CREATE INDEX command could have received incorrect index entries. If you suspect this may have happened, the most reliable solution is to rebuild affected indexes after installing this update.

  • Ensure that the special snapshot used for catalog scans is not invalidated by premature data pruning (Tom Lane)

    Backends failed to account for this snapshot when advertising their oldest xmin, potentially allowing concurrent vacuuming operations to remove data that was still needed. This led to transient failures along the lines of "cache lookup failed for relation 1255".

  • Fix incorrect WAL logging for BRIN indexes (Kuntal Ghosh)

    The WAL record emitted for a BRIN "revmap" page when moving an index tuple to a different page was incorrect. Replay would make the related portion of the index useless, forcing it to be recomputed.

  • Unconditionally WAL-log creation of the "init fork" for an unlogged table (Michael Paquier)

    Previously, this was skipped when wal_level = minimal, but actually it's necessary even in that case to ensure that the unlogged table is properly reset to empty after a crash.

  • If the stats collector dies during hot standby, restart it (Takayuki Tsunakawa)

  • Ensure that hot standby feedback works correctly when it's enabled at standby server start (Ants Aasma, Craig Ringer)

  • Check for interrupts while hot standby is waiting for a conflicting query (Simon Riggs)

  • Avoid constantly respawning the autovacuum launcher in a corner case (Amit Khandekar)

    This fix avoids problems when autovacuum is nominally off and there are some tables that require freezing, but all such tables are already being processed by autovacuum workers.

  • Disallow setting the num_sync field to zero in synchronous_standby_names (Fujii Masao)

    The correct way to disable synchronous standby is to set the whole value to an empty string.

  • Don't count background worker processes against a user's connection limit (David Rowley)

  • Fix check for when an extension member object can be dropped (Tom Lane)

    Extension upgrade scripts should be able to drop member objects, but this was disallowed for serial-column sequences, and possibly other cases.

  • Fix tracking of initial privileges for extension member objects so that it works correctly with ALTER EXTENSION ... ADD/DROP (Stephen Frost)

    An object's current privileges at the time it is added to the extension will now be considered its default privileges; only later changes in its privileges will be dumped by subsequent pg_dump runs.

  • Make sure ALTER TABLE preserves index tablespace assignments when rebuilding indexes (Tom Lane, Michael Paquier)

    Previously, non-default settings of default_tablespace could result in broken indexes.

  • Fix incorrect updating of trigger function properties when changing a foreign-key constraint's deferrability properties with ALTER TABLE ... ALTER CONSTRAINT (Tom Lane)

    This led to odd failures during subsequent exercise of the foreign key, as the triggers were fired at the wrong times.

  • Prevent dropping a foreign-key constraint if there are pending trigger events for the referenced relation (Tom Lane)

    This avoids "could not find trigger NNN" or "relation NNN has no triggers" errors.

  • Fix ALTER TABLE ... SET DATA TYPE ... USING when child table has different column ordering than the parent (Álvaro Herrera)

    Failure to adjust the column numbering in the USING expression led to errors, typically "attribute N has wrong type".

  • Fix processing of OID column when a table with OIDs is associated to a parent with OIDs via ALTER TABLE ... INHERIT (Amit Langote)

    The OID column should be treated the same as regular user columns in this case, but it wasn't, leading to odd behavior in later inheritance changes.

  • Ensure that CREATE TABLE ... LIKE ... WITH OIDS creates a table with OIDs, whether or not the LIKE-referenced table(s) have OIDs (Tom Lane)

  • Fix CREATE OR REPLACE VIEW to update the view query before attempting to apply the new view options (Dean Rasheed)

    Previously the command would fail if the new options were inconsistent with the old view definition.

  • Report correct object identity during ALTER TEXT SEARCH CONFIGURATION (Artur Zakirov)

    The wrong catalog OID was reported to extensions such as logical decoding.

  • Fix commit timestamp mechanism to not fail when queried about the special XIDs FrozenTransactionId and BootstrapTransactionId (Craig Ringer)

  • Fix incorrect use of view reloptions as regular table reloptions (Tom Lane)

    The symptom was spurious "ON CONFLICT is not supported on table ... used as a catalog table" errors when the target of INSERT ... ON CONFLICT is a view with cascade option.

  • Fix incorrect "target lists can have at most N entries" complaint when using ON CONFLICT with wide tables (Tom Lane)

  • Fix spurious "query provides a value for a dropped column" errors during INSERT or UPDATE on a table with a dropped column (Tom Lane)

  • Prevent multicolumn expansion of foo.* in an UPDATE source expression (Tom Lane)

    This led to "UPDATE target count mismatch --- internal error". Now the syntax is understood as a whole-row variable, as it would be in other contexts.

  • Ensure that column typmods are determined accurately for multi-row VALUES constructs (Tom Lane)

    This fixes problems occurring when the first value in a column has a determinable typmod (e.g., length for a varchar value) but later values don't share the same limit.

  • Throw error for an unfinished Unicode surrogate pair at the end of a Unicode string (Tom Lane)

    Normally, a Unicode surrogate leading character must be followed by a Unicode surrogate trailing character, but the check for this was missed if the leading character was the last character in a Unicode string literal (U&'...') or Unicode identifier (U&"...").

  • Fix execution of DISTINCT and ordered aggregates when multiple such aggregates are able to share the same transition state (Heikki Linnakangas)

  • Fix implementation of phrase search operators in tsquery (Tom Lane)

    Remove incorrect, and inconsistently-applied, rewrite rules that tried to transform away AND/OR/NOT operators appearing below a PHRASE operator; instead upgrade the execution engine to handle such cases correctly. This fixes assorted strange behavior and possible crashes for text search queries containing such combinations. Also fix nested PHRASE operators to work sanely in combinations other than simple left-deep trees, correct the behavior when removing stopwords from a phrase search clause, and make sure that index searches behave consistently with simple sequential-scan application of such queries.

  • Ensure that a purely negative text search query, such as !foo, matches empty tsvectors (Tom Dunstan)

    Such matches were found by GIN index searches, but not by sequential scans or GiST index searches.

  • Prevent crash when ts_rewrite() replaces a non-top-level subtree with an empty query (Artur Zakirov)

  • Fix performance problems in ts_rewrite() (Tom Lane)

  • Fix ts_rewrite()'s handling of nested NOT operators (Tom Lane)

  • Improve speed of user-defined aggregates that use array_append() as transition function (Tom Lane)

  • Fix array_fill() to handle empty arrays properly (Tom Lane)

  • Fix possible crash in array_position() or array_positions() when processing arrays of records (Junseok Yang)

  • Fix one-byte buffer overrun in quote_literal_cstr() (Heikki Linnakangas)

    The overrun occurred only if the input consisted entirely of single quotes and/or backslashes.

  • Prevent multiple calls of pg_start_backup() and pg_stop_backup() from running concurrently (Michael Paquier)

    This avoids an assertion failure, and possibly worse things, if someone tries to run these functions in parallel.

  • Disable transform that attempted to remove no-op AT TIME ZONE conversions (Tom Lane)

    This resulted in wrong answers when the simplified expression was used in an index condition.

  • Avoid discarding interval-to-interval casts that aren't really no-ops (Tom Lane)

    In some cases, a cast that should result in zeroing out low-order interval fields was mistakenly deemed to be a no-op and discarded. An example is that casting from INTERVAL MONTH to INTERVAL YEAR failed to clear the months field.

  • Fix crash if the number of workers available to a parallel query decreases during a rescan (Andreas Seltenreich)

  • Fix bugs in transmitting GUC parameter values to parallel workers (Michael Paquier, Tom Lane)

  • Allow statements prepared with PREPARE to be given parallel plans (Amit Kapila, Tobias Bussmann)

  • Fix incorrect generation of parallel plans for semi-joins (Tom Lane)

  • Fix planner's cardinality estimates for parallel joins (Robert Haas)

    Ensure that these estimates reflect the number of rows predicted to be seen by each worker, rather than the total.

  • Fix planner to avoid trying to parallelize plan nodes containing initplans or subplans (Tom Lane, Amit Kapila)

  • Ensure that cached plans are invalidated by changes in foreign-table options (Amit Langote, Etsuro Fujita, Ashutosh Bapat)

  • Fix the plan generated for sorted partial aggregation with a constant GROUP BY clause (Tom Lane)

  • Fix "could not find plan for CTE" planner error when dealing with a UNION ALL containing CTE references (Tom Lane)

  • Fix mishandling of initplans when forcibly adding a Material node to a subplan (Tom Lane)

    The typical consequence of this mistake was a "plan should not reference subplan's variable" error.

  • Fix foreign-key-based join selectivity estimation for semi-joins and anti-joins, as well as inheritance cases (Tom Lane)

    The new code for taking the existence of a foreign key relationship into account did the wrong thing in these cases, making the estimates worse not better than the pre-9.6 code.

  • Fix pg_dump to emit the data of a sequence that is marked as an extension configuration table (Michael Paquier)

  • Fix mishandling of ALTER DEFAULT PRIVILEGES ... REVOKE in pg_dump (Stephen Frost)

    pg_dump missed issuing the required REVOKE commands in cases where ALTER DEFAULT PRIVILEGES had been used to reduce privileges to less than they would normally be.

  • Fix pg_dump to dump user-defined casts and transforms that use built-in functions (Stephen Frost)

  • Fix pg_restore with --create --if-exists to behave more sanely if an archive contains unrecognized DROP commands (Tom Lane)

    This doesn't fix any live bug, but it may improve the behavior in future if pg_restore is used with an archive generated by a later pg_dump version.

  • Fix pg_basebackup's rate limiting in the presence of slow I/O (Antonin Houska)

    If disk I/O was transiently much slower than the specified rate limit, the calculation overflowed, effectively disabling the rate limit for the rest of the run.

  • Fix pg_basebackup's handling of symlinked pg_stat_tmp and pg_replslot subdirectories (Magnus Hagander, Michael Paquier)

  • Fix possible pg_basebackup failure on standby server when including WAL files (Amit Kapila, Robert Haas)

  • Improve initdb to insert the correct platform-specific default values for the xxx_flush_after parameters into postgresql.conf (Fabien Coelho, Tom Lane)

    This is a cleaner way of documenting the default values than was used previously.

  • Fix possible mishandling of expanded arrays in domain check constraints and CASE execution (Tom Lane)

    It was possible for a PL/pgSQL function invoked in these contexts to modify or even delete an array value that needs to be preserved for additional operations.

  • Fix nested uses of PL/pgSQL functions in contexts such as domain check constraints evaluated during assignment to a PL/pgSQL variable (Tom Lane)

  • Ensure that the Python exception objects we create for PL/Python are properly reference-counted (Rafa de la Torre, Tom Lane)

    This avoids failures if the objects are used after a Python garbage collection cycle has occurred.

  • Fix PL/Tcl to support triggers on tables that have .tupno as a column name (Tom Lane)

    This matches the (previously undocumented) behavior of PL/Tcl's spi_exec and spi_execp commands, namely that a magic .tupno column is inserted only if there isn't a real column named that.

  • Allow DOS-style line endings in ~/.pgpass files, even on Unix (Vik Fearing)

    This change simplifies use of the same password file across Unix and Windows machines.

  • Fix one-byte buffer overrun if ecpg is given a file name that ends with a dot (Takayuki Tsunakawa)

  • Fix incorrect error reporting for duplicate data in psql's \crosstabview (Tom Lane)

    psql sometimes quoted the wrong row and/or column values when complaining about multiple entries for the same crosstab cell.

  • Fix psql's tab completion for ALTER DEFAULT PRIVILEGES (Gilles Darold, Stephen Frost)

  • Fix psql's tab completion for ALTER TABLE t ALTER c DROP ... (Kyotaro Horiguchi)

  • In psql, treat an empty or all-blank setting of the PAGER environment variable as meaning "no pager" (Tom Lane)

    Previously, such a setting caused output intended for the pager to vanish entirely.

  • Improve contrib/dblink's reporting of low-level libpq errors, such as out-of-memory (Joe Conway)

  • Teach contrib/dblink to ignore irrelevant server options when it uses a contrib/postgres_fdw foreign server as the source of connection options (Corey Huinker)

    Previously, if the foreign server object had options that were not also libpq connection options, an error occurred.

  • Fix portability problems in contrib/pageinspect's functions for GIN indexes (Peter Eisentraut, Tom Lane)

  • Fix possible miss of socket read events while waiting on Windows (Amit Kapila)

    This error was harmless for most uses, but it is known to cause hangs when trying to use the pldebugger extension.

  • On Windows, ensure that environment variable changes are propagated to DLLs built with debug options (Christian Ullrich)

  • Sync our copy of the timezone library with IANA release tzcode2016j (Tom Lane)

    This fixes various issues, most notably that timezone data installation failed if the target directory didn't support hard links.

  • Update time zone data files to tzdata release 2016j for DST law changes in northern Cyprus (adding a new zone Asia/Famagusta), Russia (adding a new zone Europe/Saratov), Tonga, and Antarctica/Casey. Historical corrections for Italy, Kazakhstan, Malta, and Palestine. Switch to preferring numeric zone abbreviations for Tonga.

• ⇑ Upgrade to 9.6.3 released on 2017-05-11 - docs

  • Restrict visibility of pg_user_mappings.umoptions, to protect passwords stored as user mapping options (Michael Paquier, Feike Steenbergen)

    The previous coding allowed the owner of a foreign server object, or anyone he has granted server USAGE permission to, to see the options for all user mappings associated with that server. This might well include passwords for other users. Adjust the view definition to match the behavior of information_schema.user_mapping_options, namely that these options are visible to the user being mapped, or if the mapping is for PUBLIC and the current user is the server owner, or if the current user is a superuser. (CVE-2017-7486)

    By itself, this patch will only fix the behavior in newly initdb'd databases. If you wish to apply this change in an existing database, follow the corrected procedure shown in the changelog entry for CVE-2017-7547, in Section E.13.

  • Prevent exposure of statistical information via leaky operators (Peter Eisentraut)

    Some selectivity estimation functions in the planner will apply user-defined operators to values obtained from pg_statistic, such as most common values and histogram entries. This occurs before table permissions are checked, so a nefarious user could exploit the behavior to obtain these values for table columns he does not have permission to read. To fix, fall back to a default estimate if the operator's implementation function is not certified leak-proof and the calling user does not have permission to read the table column whose statistics are needed. At least one of these criteria is satisfied in most cases in practice. (CVE-2017-7484)

  • Restore libpq's recognition of the PGREQUIRESSL environment variable (Daniel Gustafsson)

    Processing of this environment variable was unintentionally dropped in PostgreSQL 9.3, but its documentation remained. This creates a security hazard, since users might be relying on the environment variable to force SSL-encrypted connections, but that would no longer be guaranteed. Restore handling of the variable, but give it lower priority than PGSSLMODE, to avoid breaking configurations that work correctly with post-9.3 code. (CVE-2017-7485)

  • Fix possibly-invalid initial snapshot during logical decoding (Petr Jelinek, Andres Freund)

    The initial snapshot created for a logical decoding replication slot was potentially incorrect. This could cause third-party tools that use logical decoding to copy incomplete/inconsistent initial data. This was more likely to happen if the source server was busy at the time of slot creation, or if another logical slot already existed.

    If you are using a replication tool that depends on logical decoding, and it should have copied a nonempty data set at the start of replication, it is advisable to recreate the replica after installing this update, or to verify its contents against the source server.

  • Fix possible corruption of "init forks" of unlogged indexes (Robert Haas, Michael Paquier)

    This could result in an unlogged index being set to an invalid state after a crash and restart. Such a problem would persist until the index was dropped and rebuilt.

  • Fix incorrect reconstruction of pg_subtrans entries when a standby server replays a prepared but uncommitted two-phase transaction (Tom Lane)

    In most cases this turned out to have no visible ill effects, but in corner cases it could result in circular references in pg_subtrans, potentially causing infinite loops in queries that examine rows modified by the two-phase transaction.

  • Avoid possible crash in walsender due to failure to initialize a string buffer (Stas Kelvich, Fujii Masao)

  • Fix possible crash when rescanning a nearest-neighbor index-only scan on a GiST index (Tom Lane)

  • Prevent delays in postmaster's launching of multiple parallel worker processes (Tom Lane)

    There could be a significant delay (up to tens of seconds) before satisfying a query's request for more than one worker process, or when multiple queries requested workers simultaneously. On most platforms this required unlucky timing, but on some it was the typical case.

  • Fix postmaster's handling of fork() failure for a background worker process (Tom Lane)

    Previously, the postmaster updated portions of its state as though the process had been launched successfully, resulting in subsequent confusion.

  • Fix possible "no relation entry for relid 0" error when planning nested set operations (Tom Lane)

  • Fix assorted minor issues in planning of parallel queries (Robert Haas)

  • Avoid applying "physical targetlist" optimization to custom scans (Dmitry Ivanov, Tom Lane)

    This optimization supposed that retrieving all columns of a tuple is inexpensive, which is true for ordinary Postgres tuples; but it might not be the case for a custom scan provider.

  • Use the correct sub-expression when applying a FOR ALL row-level-security policy (Stephen Frost)

    In some cases the WITH CHECK restriction would be applied when the USING restriction is more appropriate.

  • Ensure parsing of queries in extension scripts sees the results of immediately-preceding DDL (Julien Rouhaud, Tom Lane)

    Due to lack of a cache flush step between commands in an extension script file, non-utility queries might not see the effects of an immediately preceding catalog change, such as ALTER TABLE ... RENAME.

  • Skip tablespace privilege checks when ALTER TABLE ... ALTER COLUMN TYPE rebuilds an existing index (Noah Misch)

    The command failed if the calling user did not currently have CREATE privilege for the tablespace containing the index. That behavior seems unhelpful, so skip the check, allowing the index to be rebuilt where it is.

  • Fix ALTER TABLE ... VALIDATE CONSTRAINT to not recurse to child tables when the constraint is marked NO INHERIT (Amit Langote)

    This fix prevents unwanted "constraint does not exist" failures when no matching constraint is present in the child tables.

  • Avoid dangling pointer in COPY ... TO when row-level security is active for the source table (Tom Lane)

    Usually this had no ill effects, but sometimes it would cause unexpected errors or crashes.

  • Avoid accessing an already-closed relcache entry in CLUSTER and VACUUM FULL (Tom Lane)

    With some bad luck, this could lead to indexes on the target relation getting rebuilt with the wrong persistence setting.

  • Fix VACUUM to account properly for pages that could not be scanned due to conflicting page pins (Andrew Gierth)

    This tended to lead to underestimation of the number of tuples in the table. In the worst case of a small heavily-contended table, VACUUM could incorrectly report that the table contained no tuples, leading to very bad planning choices.

  • Ensure that bulk-tuple-transfer loops within a hash join are interruptible by query cancel requests (Tom Lane, Thomas Munro)

  • Fix incorrect support for certain box operators in SP-GiST (Nikita Glukhov)

    SP-GiST index scans using the operators &< &> &<| and |&> would yield incorrect answers.

  • Fix integer-overflow problems in interval comparison (Kyotaro Horiguchi, Tom Lane)

    The comparison operators for type interval could yield wrong answers for intervals larger than about 296000 years. Indexes on columns containing such large values should be reindexed, since they may be corrupt.

  • Fix cursor_to_xml() to produce valid output with tableforest = false (Thomas Munro, Peter Eisentraut)

    Previously it failed to produce a wrapping <table> element.

  • Fix roundoff problems in float8_timestamptz() and make_interval() (Tom Lane)

    These functions truncated, rather than rounded, when converting a floating-point value to integer microseconds; that could cause unexpectedly off-by-one results.

  • Fix pg_get_object_address() to handle members of operator families correctly (Álvaro Herrera)

  • Fix cancelling of pg_stop_backup() when attempting to stop a non-exclusive backup (Michael Paquier, David Steele)

    If pg_stop_backup() was cancelled while waiting for a non-exclusive backup to end, related state was left inconsistent; a new exclusive backup could not be started, and there were other minor problems.

  • Improve performance of pg_timezone_names view (Tom Lane, David Rowley)

  • Reduce memory management overhead for contexts containing many large blocks (Tom Lane)

  • Fix sloppy handling of corner-case errors from lseek() and close() (Tom Lane)

    Neither of these system calls are likely to fail in typical situations, but if they did, fd.c could get quite confused.

  • Fix incorrect check for whether postmaster is running as a Windows service (Michael Paquier)

    This could result in attempting to write to the event log when that isn't accessible, so that no logging happens at all.

  • Fix ecpg to support COMMIT PREPARED and ROLLBACK PREPARED (Masahiko Sawada)

  • Fix a double-free error when processing dollar-quoted string literals in ecpg (Michael Meskes)

  • Fix pgbench to handle the combination of --connect and --rate options correctly (Fabien Coelho)

  • Fix pgbench to honor the long-form option spelling --builtin, as per its documentation (Tom Lane)

  • Fix pg_dump/pg_restore to correctly handle privileges for the public schema when using --clean option (Stephen Frost)

    Other schemas start out with no privileges granted, but public does not; this requires special-case treatment when it is dropped and restored due to the --clean option.

  • In pg_dump, fix incorrect schema and owner marking for comments and security labels of some types of database objects (Giuseppe Broccolo, Tom Lane)

    In simple cases this caused no ill effects; but for example, a schema-selective restore might omit comments it should include, because they were not marked as belonging to the schema of their associated object.

  • Fix typo in pg_dump's query for initial privileges of a procedural language (Peter Eisentraut)

    This resulted in pg_dump always believing that the language had no initial privileges. Since that's true for most procedural languages, ill effects from this bug are probably rare.

  • Avoid emitting an invalid list file in pg_restore -l when SQL object names contain newlines (Tom Lane)

    Replace newlines by spaces, which is sufficient to make the output valid for pg_restore -L's purposes.

  • Fix pg_upgrade to transfer comments and security labels attached to "large objects" (blobs) (Stephen Frost)

    Previously, blobs were correctly transferred to the new database, but any comments or security labels attached to them were lost.

  • Improve error handling in contrib/adminpack's pg_file_write() function (Noah Misch)

    Notably, it failed to detect errors reported by fclose().

  • In contrib/dblink, avoid leaking the previous unnamed connection when establishing a new unnamed connection (Joe Conway)

  • Fix contrib/pg_trgm's extraction of trigrams from regular expressions (Tom Lane)

    In some cases it would produce a broken data structure that could never match anything, leading to GIN or GiST indexscans that use a trigram index not finding any matches to the regular expression.

  • In contrib/postgres_fdw, allow join conditions that contain shippable extension-provided functions to be pushed to the remote server (David Rowley, Ashutosh Bapat)

  • Support Tcl 8.6 in MSVC builds (Álvaro Herrera)

  • Sync our copy of the timezone library with IANA release tzcode2017b (Tom Lane)

    This fixes a bug affecting some DST transitions in January 2038.

  • Update time zone data files to tzdata release 2017b for DST law changes in Chile, Haiti, and Mongolia, plus historical corrections for Ecuador, Kazakhstan, Liberia, and Spain. Switch to numeric abbreviations for numerous time zones in South America, the Pacific and Indian oceans, and some Asian and Middle Eastern countries.

    The IANA time zone database previously provided textual abbreviations for all time zones, sometimes making up abbreviations that have little or no currency among the local population. They are in process of reversing that policy in favor of using numeric UTC offsets in zones where there is no evidence of real-world use of an English abbreviation. At least for the time being, PostgreSQL will continue to accept such removed abbreviations for timestamp input. But they will not be shown in the pg_timezone_names view nor used for output.

  • Use correct daylight-savings rules for POSIX-style time zone names in MSVC builds (David Rowley)

    The Microsoft MSVC build scripts neglected to install the posixrules file in the timezone directory tree. This resulted in the timezone code falling back to its built-in rule about what DST behavior to assume for a POSIX-style time zone name. For historical reasons that still corresponds to the DST rules the USA was using before 2007 (i.e., change on first Sunday in April and last Sunday in October). With this fix, a POSIX-style zone name will use the current and historical DST transition dates of the US/Eastern zone. If you don't want that, remove the posixrules file, or replace it with a copy of some other zone file (see Section 8.5.3). Note that due to caching, you may need to restart the server to get such changes to take effect.

• ⇑ Upgrade to 9.6.4 released on 2017-08-10 - docs

  • Further restrict visibility of pg_user_mappings.umoptions, to protect passwords stored as user mapping options (Noah Misch)

    The fix for CVE-2017-7486 was incorrect: it allowed a user to see the options in her own user mapping, even if she did not have USAGE permission on the associated foreign server. Such options might include a password that had been provided by the server owner rather than the user herself. Since information_schema.user_mapping_options does not show the options in such cases, pg_user_mappings should not either. (CVE-2017-7547)

    By itself, this patch will only fix the behavior in newly initdb'd databases. If you wish to apply this change in an existing database, you will need to do the following:

    1. Restart the postmaster after adding allow_system_table_mods = true to postgresql.conf. (In versions supporting ALTER SYSTEM, you can use that to make the configuration change, but you'll still need a restart.)

    2. In each database of the cluster, run the following commands as superuser:

       SET search_path = pg_catalog;
       CREATE OR REPLACE VIEW pg_user_mappings AS
           SELECT
               U.oid       AS umid,
               S.oid       AS srvid,
               S.srvname   AS srvname,
               U.umuser    AS umuser,
               CASE WHEN U.umuser = 0 THEN
                   'public'
               ELSE
                   A.rolname
               END AS usename,
               CASE WHEN (U.umuser <> 0 AND A.rolname = current_user
                            AND (pg_has_role(S.srvowner, 'USAGE')
                                 OR has_server_privilege(S.oid, 'USAGE')))
                           OR (U.umuser = 0 AND pg_has_role(S.srvowner, 'USAGE'))
                           OR (SELECT rolsuper FROM pg_authid WHERE rolname = current_user)
                           THEN U.umoptions
                        ELSE NULL END AS umoptions
           FROM pg_user_mapping U
                LEFT JOIN pg_authid A ON (A.oid = U.umuser) JOIN
               pg_foreign_server S ON (U.umserver = S.oid);

    3. Do not forget to include the template0 and template1 databases, or the vulnerability will still exist in databases you create later. To fix template0, you'll need to temporarily make it accept connections. In PostgreSQL 9.5 and later, you can use

       ALTER DATABASE template0 WITH ALLOW_CONNECTIONS true;

       and then after fixing template0, undo that with

       ALTER DATABASE template0 WITH ALLOW_CONNECTIONS false;

       In prior versions, instead use

       UPDATE pg_database SET datallowconn = true WHERE datname = 'template0';
       UPDATE pg_database SET datallowconn = false WHERE datname = 'template0';

    4. Finally, remove the allow_system_table_mods configuration setting, and again restart the postmaster.

  • Disallow empty passwords in all password-based authentication methods (Heikki Linnakangas)

    libpq ignores empty password specifications, and does not transmit them to the server. So, if a user's password has been set to the empty string, it's impossible to log in with that password via psql or other libpq-based clients. An administrator might therefore believe that setting the password to empty is equivalent to disabling password login. However, with a modified or non-libpq-based client, logging in could be possible, depending on which authentication method is configured. In particular the most common method, md5, accepted empty passwords. Change the server to reject empty passwords in all cases. (CVE-2017-7546)

  • Make lo_put() check for UPDATE privilege on the target large object (Tom Lane, Michael Paquier)

    lo_put() should surely require the same permissions as lowrite(), but the check was missing, allowing any user to change the data in a large object. (CVE-2017-7548)

  • Correct the documentation about the process for upgrading standby servers with pg_upgrade (Bruce Momjian)

    The previous documentation instructed users to start/stop the primary server after running pg_upgrade but before syncing the standby servers. This sequence is unsafe.

  • Fix concurrent locking of tuple update chains (Álvaro Herrera)

    If several sessions concurrently lock a tuple update chain with nonconflicting lock modes using an old snapshot, and they all succeed, it was possible for some of them to nonetheless fail (and conclude there is no live tuple version) due to a race condition. This had consequences such as foreign-key checks failing to see a tuple that definitely exists but is being updated concurrently.

  • Fix potential data corruption when freezing a tuple whose XMAX is a multixact with exactly one still-interesting member (Teodor Sigaev)

  • Avoid integer overflow and ensuing crash when sorting more than one billion tuples in-memory (Sergey Koposov)

  • On Windows, retry process creation if we fail to reserve the address range for our shared memory in the new process (Tom Lane, Amit Kapila)

    This is expected to fix infrequent child-process-launch failures that are probably due to interference from antivirus products.

  • Fix low-probability corruption of shared predicate-lock hash table in Windows builds (Thomas Munro, Tom Lane)

  • Avoid logging clean closure of an SSL connection as though it were a connection reset (Michael Paquier)

  • Prevent sending SSL session tickets to clients (Tom Lane)

    This fix prevents reconnection failures with ticket-aware client-side SSL code.

  • Fix code for setting tcp_keepalives_idle on Solaris (Tom Lane)

  • Fix statistics collector to honor inquiry messages issued just after a postmaster shutdown and immediate restart (Tom Lane)

    Statistics inquiries issued within half a second of the previous postmaster shutdown were effectively ignored.

  • Ensure that the statistics collector's receive buffer size is at least 100KB (Tom Lane)

    This reduces the risk of dropped statistics data on older platforms whose default receive buffer size is less than that.

  • Fix possible creation of an invalid WAL segment when a standby is promoted just after it processes an XLOG_SWITCH WAL record (Andres Freund)

  • Fix walsender to exit promptly when client requests shutdown (Tom Lane)

  • Fix SIGHUP and SIGUSR1 handling in walsender processes (Petr Jelinek, Andres Freund)

  • Prevent walsender-triggered panics during shutdown checkpoints (Andres Freund, Michael Paquier)

  • Fix unnecessarily slow restarts of walreceiver processes due to race condition in postmaster (Tom Lane)

  • Fix leakage of small subtransactions spilled to disk during logical decoding (Andres Freund)

    This resulted in temporary files consuming excessive disk space.

  • Reduce the work needed to build snapshots during creation of logical-decoding slots (Andres Freund, Petr Jelinek)

    The previous algorithm was infeasibly expensive on a server with a lot of open transactions.

  • Fix race condition that could indefinitely delay creation of logical-decoding slots (Andres Freund, Petr Jelinek)

  • Reduce overhead in processing syscache invalidation events (Tom Lane)

    This is particularly helpful for logical decoding, which triggers frequent cache invalidation.

  • Remove incorrect heuristic used in some cases to estimate join selectivity based on the presence of foreign-key constraints (David Rowley)

    In some cases where a multi-column foreign key constraint existed but did not exactly match a query's join structure, the planner used an estimation heuristic that turns out not to work well at all. Revert such cases to the way they were estimated before 9.6.

  • Fix cases where an INSERT or UPDATE assigns to more than one element of a column that is of domain-over-array type (Tom Lane)

  • Allow window functions to be used in sub-SELECTs that are within the arguments of an aggregate function (Tom Lane)

  • Ensure that a view's CHECK OPTIONS clause is enforced properly when the underlying table is a foreign table (Etsuro Fujita)

    Previously, the update might get pushed entirely to the foreign server, but the need to verify the view conditions was missed if so.

  • Move autogenerated array types out of the way during ALTER ... RENAME (Vik Fearing)

    Previously, we would rename a conflicting autogenerated array type out of the way during CREATE; this fix extends that behavior to renaming operations.

  • Fix dangling pointer in ALTER TABLE when there is a comment on a constraint belonging to the table (David Rowley)

    Re-applying the comment to the reconstructed constraint could fail with a weird error message, or even crash.

  • Ensure that ALTER USER ... SET accepts all the syntax variants that ALTER ROLE ... SET does (Peter Eisentraut)

  • Allow a foreign table's CHECK constraints to be initially NOT VALID (Amit Langote)

    CREATE TABLE silently drops NOT VALID specifiers for CHECK constraints, reasoning that the table must be empty so the constraint can be validated immediately. But this is wrong for CREATE FOREIGN TABLE, where there's no reason to suppose that the underlying table is empty, and even if it is it's no business of ours to decide that the constraint can be treated as valid going forward. Skip this "optimization" for foreign tables.

  • Properly update dependency info when changing a datatype I/O function's argument or return type from opaque to the correct type (Heikki Linnakangas)

    CREATE TYPE updates I/O functions declared in this long-obsolete style, but it forgot to record a dependency on the type, allowing a subsequent DROP TYPE to leave broken function definitions behind.

  • Allow parallelism in the query plan when COPY copies from a query's result (Andres Freund)

  • Reduce memory usage when ANALYZE processes a tsvector column (Heikki Linnakangas)

  • Fix unnecessary precision loss and sloppy rounding when multiplying or dividing money values by integers or floats (Tom Lane)

  • Tighten checks for whitespace in functions that parse identifiers, such as regprocedurein() (Tom Lane)

    Depending on the prevailing locale, these functions could misinterpret fragments of multibyte characters as whitespace.

  • Use relevant #define symbols from Perl while compiling PL/Perl (Ashutosh Sharma, Tom Lane)

    This avoids portability problems, typically manifesting as a "handshake" mismatch during library load, when working with recent Perl versions.

  • In libpq, reset GSS/SASL and SSPI authentication state properly after a failed connection attempt (Michael Paquier)

    Failure to do this meant that when falling back from SSL to non-SSL connections, a GSS/SASL failure in the SSL attempt would always cause the non-SSL attempt to fail. SSPI did not fail, but it leaked memory.

  • In psql, fix failure when COPY FROM STDIN is ended with a keyboard EOF signal and then another COPY FROM STDIN is attempted (Thomas Munro)

    This misbehavior was observed on BSD-derived platforms (including macOS), but not on most others.

  • Fix pg_dump and pg_restore to emit REFRESH MATERIALIZED VIEW commands last (Tom Lane)

    This prevents errors during dump/restore when a materialized view refers to tables owned by a different user.

  • Improve pg_dump/pg_restore's reporting of error conditions originating in zlib (Vladimir Kunschikov, Álvaro Herrera)

  • Fix pg_dump with the --clean option to drop event triggers as expected (Tom Lane)

    It also now correctly assigns ownership of event triggers; before, they were restored as being owned by the superuser running the restore script.

  • Fix pg_dump with the --clean option to not fail when the public schema doesn't exist (Stephen Frost)

  • Fix pg_dump to not emit invalid SQL for an empty operator class (Daniel Gustafsson)

  • Fix pg_dump output to stdout on Windows (Kuntal Ghosh)

    A compressed plain-text dump written to stdout would contain corrupt data due to failure to put the file descriptor into binary mode.

  • Fix pg_get_ruledef() to print correct output for the ON SELECT rule of a view whose columns have been renamed (Tom Lane)

    In some corner cases, pg_dump relies on pg_get_ruledef() to dump views, so that this error could result in dump/reload failures.

  • Fix dumping of outer joins with empty constraints, such as the result of a NATURAL LEFT JOIN with no common columns (Tom Lane)

  • Fix dumping of function expressions in the FROM clause in cases where the expression does not deparse into something that looks like a function call (Tom Lane)

  • Fix pg_basebackup output to stdout on Windows (Haribabu Kommi)

    A backup written to stdout would contain corrupt data due to failure to put the file descriptor into binary mode.

  • Fix pg_rewind to correctly handle files exceeding 2GB (Kuntal Ghosh, Michael Paquier)

    Ordinarily such files won't appear in PostgreSQL data directories, but they could be present in some cases.

  • Fix pg_upgrade to ensure that the ending WAL record does not have wal_level = minimum (Bruce Momjian)

    This condition could prevent upgraded standby servers from reconnecting.

  • Fix pg_xlogdump's computation of WAL record length (Andres Freund)

  • In postgres_fdw, re-establish connections to remote servers after ALTER SERVER or ALTER USER MAPPING commands (Kyotaro Horiguchi)

    This ensures that option changes affecting connection parameters will be applied promptly.

  • In postgres_fdw, allow cancellation of remote transaction control commands (Robert Haas, Rafia Sabih)

    This change allows us to quickly escape a wait for an unresponsive remote server in many more cases than previously.

  • Increase MAX_SYSCACHE_CALLBACKS to provide more room for extensions (Tom Lane)

  • Always use -fPIC, not -fpic, when building shared libraries with gcc (Tom Lane)

    This supports larger extension libraries on platforms where it makes a difference.

  • In MSVC builds, handle the case where the openssl library is not within a VC subdirectory (Andrew Dunstan)

  • In MSVC builds, add proper include path for libxml2 header files (Andrew Dunstan)

    This fixes a former need to move things around in standard Windows installations of libxml2.

  • In MSVC builds, recognize a Tcl library that is named tcl86.lib (Noah Misch)

  • In MSVC builds, honor PROVE_FLAGS settings on vcregress.pl's command line (Andrew Dunstan)

• ⇑ Upgrade to 9.6.5 released on 2017-08-31 - docs

  • Show foreign tables in information_schema.table_privileges view (Peter Eisentraut)

    All other relevant information_schema views include foreign tables, but this one ignored them.

    Since this view definition is installed by initdb, merely upgrading will not fix the problem. If you need to fix this in an existing installation, you can, as a superuser, do this in psql:

    SET search_path TO information_schema;
    CREATE OR REPLACE VIEW table_privileges AS
        SELECT CAST(u_grantor.rolname AS sql_identifier) AS grantor,
               CAST(grantee.rolname AS sql_identifier) AS grantee,
               CAST(current_database() AS sql_identifier) AS table_catalog,
               CAST(nc.nspname AS sql_identifier) AS table_schema,
               CAST(c.relname AS sql_identifier) AS table_name,
               CAST(c.prtype AS character_data) AS privilege_type,
               CAST(
                 CASE WHEN
                      -- object owner always has grant options
                      pg_has_role(grantee.oid, c.relowner, 'USAGE')
                      OR c.grantable
                      THEN 'YES' ELSE 'NO' END AS yes_or_no) AS is_grantable,
               CAST(CASE WHEN c.prtype = 'SELECT' THEN 'YES' ELSE 'NO' END AS yes_or_no) AS with_hierarchy
    
        FROM (
                SELECT oid, relname, relnamespace, relkind, relowner, (aclexplode(coalesce(relacl, acldefault('r', relowner)))).* FROM pg_class
             ) AS c (oid, relname, relnamespace, relkind, relowner, grantor, grantee, prtype, grantable),
             pg_namespace nc,
             pg_authid u_grantor,
             (
               SELECT oid, rolname FROM pg_authid
               UNION ALL
               SELECT 0::oid, 'PUBLIC'
             ) AS grantee (oid, rolname)
    
        WHERE c.relnamespace = nc.oid
              AND c.relkind IN ('r', 'v', 'f')
              AND c.grantee = grantee.oid
              AND c.grantor = u_grantor.oid
              AND c.prtype IN ('INSERT', 'SELECT', 'UPDATE', 'DELETE', 'TRUNCATE', 'REFERENCES', 'TRIGGER')
              AND (pg_has_role(u_grantor.oid, 'USAGE')
                   OR pg_has_role(grantee.oid, 'USAGE')
                   OR grantee.rolname = 'PUBLIC');

    This must be repeated in each database to be fixed, including template0.

  • Clean up handling of a fatal exit (e.g., due to receipt of SIGTERM) that occurs while trying to execute a ROLLBACK of a failed transaction (Tom Lane)

    This situation could result in an assertion failure. In production builds, the exit would still occur, but it would log an unexpected message about "cannot drop active portal".

  • Remove assertion that could trigger during a fatal exit (Tom Lane)

  • Correctly identify columns that are of a range type or domain type over a composite type or domain type being searched for (Tom Lane)

    Certain ALTER commands that change the definition of a composite type or domain type are supposed to fail if there are any stored values of that type in the database, because they lack the infrastructure needed to update or check such values. Previously, these checks could miss relevant values that are wrapped inside range types or sub-domains, possibly allowing the database to become inconsistent.

  • Prevent crash when passing fixed-length pass-by-reference data types to parallel worker processes (Tom Lane)

  • Fix crash in pg_restore when using parallel mode and using a list file to select a subset of items to restore (Fabrízio de Royes Mello)

  • Change ecpg's parser to allow RETURNING clauses without attached C variables (Michael Meskes)

    This allows ecpg programs to contain SQL constructs that use RETURNING internally (for example, inside a CTE) rather than using it to define values to be returned to the client.

  • Change ecpg's parser to recognize backslash continuation of C preprocessor command lines (Michael Meskes)

  • Improve selection of compiler flags for PL/Perl on Windows (Tom Lane)

    This fix avoids possible crashes of PL/Perl due to inconsistent assumptions about the width of time_t values. A side-effect that may be visible to extension developers is that _USE_32BIT_TIME_T is no longer defined globally in PostgreSQL Windows builds. This is not expected to cause problems, because type time_t is not used in any PostgreSQL API definitions.

  • Fix make check to behave correctly when invoked via a non-GNU make program (Thomas Munro)

• ⇑ Upgrade to 10 released on 2017-10-05 - docs

  • Hash indexes must be rebuilt after pg_upgrade-ing from any previous major PostgreSQL version (Mithun Cy, Robert Haas, Amit Kapila)

    Major hash index improvements necessitated this requirement. pg_upgrade will create a script to assist with this.

  • Rename write-ahead log directory pg_xlog to pg_wal, and rename transaction status directory pg_clog to pg_xact (Michael Paquier)

    Users have occasionally thought that these directories contained only inessential log files, and proceeded to remove write-ahead log files or transaction status files manually, causing irrecoverable data loss. These name changes are intended to discourage such errors in future.

  • Rename SQL functions, tools, and options that reference “xlog” to “wal” (Robert Haas)

    For example, pg_switch_xlog() becomes pg_switch_wal(), pg_receivexlog becomes pg_receivewal, and --xlogdir becomes --waldir. This is for consistency with the change of the pg_xlog directory name; in general, the “xlog” terminology is no longer used in any user-facing places.

  • Rename WAL-related functions and views to use lsn instead of location (David Rowley)

    There was previously an inconsistent mixture of the two terminologies.

  • Change the implementation of set-returning functions appearing in a query's SELECT list (Andres Freund)

    Set-returning functions are now evaluated before evaluation of scalar expressions in the SELECT list, much as though they had been placed in a LATERAL FROM-clause item. This allows saner semantics for cases where multiple set-returning functions are present. If they return different numbers of rows, the shorter results are extended to match the longest result by adding nulls. Previously the results were cycled until they all terminated at the same time, producing a number of rows equal to the least common multiple of the functions' periods. In addition, set-returning functions are now disallowed within CASE and COALESCE constructs. For more information see Section 37.4.8.

  • Use standard row constructor syntax in UPDATE ... SET (column_list) = row_constructor (Tom Lane)

    The row_constructor can now begin with the keyword ROW; previously that had to be omitted. If just one column name appears in the column_list, then the row_constructor now must use the ROW keyword, since otherwise it is not a valid row constructor but just a parenthesized expression. Also, an occurrence of table_name.* within the row_constructor is now expanded into multiple columns, as occurs in other uses of row_constructors.

  • When ALTER TABLE ... ADD PRIMARY KEY marks columns NOT NULL, that change now propagates to inheritance child tables as well (Michael Paquier)

  • Prevent statement-level triggers from firing more than once per statement (Tom Lane)

    Cases involving writable CTEs updating the same table updated by the containing statement, or by another writable CTE, fired BEFORE STATEMENT or AFTER STATEMENT triggers more than once. Also, if there were statement-level triggers on a table affected by a foreign key enforcement action (such as ON DELETE CASCADE), they could fire more than once per outer SQL statement. This is contrary to the SQL standard, so change it.

  • Move sequences' metadata fields into a new pg_sequence system catalog (Peter Eisentraut)

    A sequence relation now stores only the fields that can be modified by nextval(), that is last_value, log_cnt, and is_called. Other sequence properties, such as the starting value and increment, are kept in a corresponding row of the pg_sequence catalog. ALTER SEQUENCE updates are now fully transactional, implying that the sequence is locked until commit. The nextval() and setval() functions remain nontransactional.

    The main incompatibility introduced by this change is that selecting from a sequence relation now returns only the three fields named above. To obtain the sequence's other properties, applications must look into pg_sequence. The new system view pg_sequences can also be used for this purpose; it provides column names that are more compatible with existing code.

    Also, sequences created for SERIAL columns now generate positive 32-bit wide values, whereas previous versions generated 64-bit wide values. This has no visible effect if the values are only stored in a column.

    The output of psql's \d command for a sequence has been redesigned, too.

  • Make pg_basebackup stream the WAL needed to restore the backup by default (Magnus Hagander)

    This changes pg_basebackup's -X/--wal-method default to stream. An option value none has been added to reproduce the old behavior. The pg_basebackup option -x has been removed (instead, use -X fetch).

  • Change how logical replication uses pg_hba.conf (Peter Eisentraut)

    In previous releases, a logical replication connection required the replication keyword in the database column. As of this release, logical replication matches a normal entry with a database name or keywords such as all. Physical replication continues to use the replication keyword. Since built-in logical replication is new in this release, this change only affects users of third-party logical replication plugins.

  • Make all pg_ctl actions wait for completion by default (Peter Eisentraut)

    Previously some pg_ctl actions didn't wait for completion, and required the use of -w to do so.

  • Change the default value of the log_directory server parameter from pg_log to log (Andreas Karlsson)

  • Add configuration option ssl_dh_params_file to specify file name for custom OpenSSL DH parameters (Heikki Linnakangas)

    This replaces the hardcoded, undocumented file name dh1024.pem. Note that dh1024.pem is no longer examined by default; you must set this option if you want to use custom DH parameters.

  • Increase the size of the default DH parameters used for OpenSSL ephemeral DH ciphers to 2048 bits (Heikki Linnakangas)

    The size of the compiled-in DH parameters has been increased from 1024 to 2048 bits, making DH key exchange more resistant to brute-force attacks. However, some old SSL implementations, notably some revisions of Java Runtime Environment version 6, will not accept DH parameters longer than 1024 bits, and hence will not be able to connect over SSL. If it's necessary to support such old clients, you can use custom 1024-bit DH parameters instead of the compiled-in defaults. See ssl_dh_params_file.

  • Remove the ability to store unencrypted passwords on the server (Heikki Linnakangas)

    The password_encryption server parameter no longer supports off or plain. The UNENCRYPTED option is no longer supported in CREATE/ALTER USER ... PASSWORD. Similarly, the --unencrypted option has been removed from createuser. Unencrypted passwords migrated from older versions will be stored encrypted in this release. The default setting for password_encryption is still md5.

  • Add min_parallel_table_scan_size and min_parallel_index_scan_size server parameters to control parallel queries (Amit Kapila, Robert Haas)

    These replace min_parallel_relation_size, which was found to be too generic.

  • Don't downcase unquoted text within shared_preload_libraries and related server parameters (QL Zhuo)

    These settings are really lists of file names, but they were previously treated as lists of SQL identifiers, which have different parsing rules.

  • Remove sql_inheritance server parameter (Robert Haas)

    Changing this setting from the default value caused queries referencing parent tables to not include child tables. The SQL standard requires them to be included, however, and this has been the default since PostgreSQL 7.1.

  • Allow multi-dimensional arrays to be passed into PL/Python functions, and returned as nested Python lists (Alexey Grishchenko, Dave Cramer, Heikki Linnakangas)

    This feature requires a backwards-incompatible change to the handling of arrays of composite types in PL/Python. Previously, you could return an array of composite values by writing, e.g., [[col1, col2], [col1, col2]]; but now that is interpreted as a two-dimensional array. Composite types in arrays must now be written as Python tuples, not lists, to resolve the ambiguity; that is, write [(col1, col2), (col1, col2)] instead.

  • Remove PL/Tcl's “module” auto-loading facility (Tom Lane)

    This functionality has been replaced by new server parameters pltcl.start_proc and pltclu.start_proc, which are easier to use and more similar to features available in other PLs.

  • Remove pg_dump/pg_dumpall support for dumping from pre-8.0 servers (Tom Lane)

    Users needing to dump from pre-8.0 servers will need to use dump programs from PostgreSQL 9.6 or earlier. The resulting output should still load successfully into newer servers.

  • Remove support for floating-point timestamps and intervals (Tom Lane)

    This removes configure's --disable-integer-datetimes option. Floating-point timestamps have few advantages and have not been the default since PostgreSQL 8.3.

  • Remove server support for client/server protocol version 1.0 (Tom Lane)

    This protocol hasn't had client support since PostgreSQL 6.3.

  • Remove contrib/tsearch2 module (Robert Haas)

    This module provided compatibility with the version of full text search that shipped in pre-8.3 PostgreSQL releases.

  • Remove createlang and droplang command-line applications (Peter Eisentraut)

    These had been deprecated since PostgreSQL 9.1. Instead, use CREATE EXTENSION and DROP EXTENSION directly.

  • Remove support for version-0 function calling conventions (Andres Freund)

    Extensions providing C-coded functions must now conform to version 1 calling conventions. Version 0 has been deprecated since 2001.

  • Support parallel B-tree index scans (Rahila Syed, Amit Kapila, Robert Haas, Rafia Sabih)

    This change allows B-tree index pages to be searched by separate parallel workers.

  • Support parallel bitmap heap scans (Dilip Kumar)

    This allows a single index scan to dispatch parallel workers to process different areas of the heap.

  • Allow merge joins to be performed in parallel (Dilip Kumar)

  • Allow non-correlated subqueries to be run in parallel (Amit Kapila)

  • Improve ability of parallel workers to return pre-sorted data (Rushabh Lathia)

  • Increase parallel query usage in procedural language functions (Robert Haas, Rafia Sabih)

  • Add max_parallel_workers server parameter to limit the number of worker processes that can be used for query parallelism (Julien Rouhaud)

    This parameter can be set lower than max_worker_processes to reserve worker processes for purposes other than parallel queries.

  • Enable parallelism by default by changing the default setting of max_parallel_workers_per_gather to 2.

  • Add write-ahead logging support to hash indexes (Amit Kapila)

    This makes hash indexes crash-safe and replicatable. The former warning message about their use is removed.

  • Improve hash index performance (Amit Kapila, Mithun Cy, Ashutosh Sharma)

  • Add SP-GiST index support for INET and CIDR data types (Emre Hasegeli)

  • Add option to allow BRIN index summarization to happen more aggressively (Álvaro Herrera)

    A new CREATE INDEX option enables auto-summarization of the previous BRIN page range when a new page range is created.

  • Add functions to remove and re-add BRIN summarization for BRIN index ranges (Álvaro Herrera)

    The new SQL function brin_summarize_range() updates BRIN index summarization for a specified range and brin_desummarize_range() removes it. This is helpful to update summarization of a range that is now smaller due to UPDATEs and DELETEs.

  • Improve accuracy in determining if a BRIN index scan is beneficial (David Rowley, Emre Hasegeli)

  • Allow faster GiST inserts and updates by reusing index space more efficiently (Andrey Borodin)

  • Reduce page locking during vacuuming of GIN indexes (Andrey Borodin)

  • Reduce locking required to change table parameters (Simon Riggs, Fabrízio Mello)

    For example, changing a table's effective_io_concurrency setting can now be done with a more lightweight lock.

  • Allow tuning of predicate lock promotion thresholds (Dagfinn Ilmari Mannsåker)

    Lock promotion can now be controlled through two new server parameters, max_pred_locks_per_relation and max_pred_locks_per_page.

  • Add multi-column optimizer statistics to compute the correlation ratio and number of distinct values (Tomas Vondra, David Rowley, Álvaro Herrera)

    New commands are CREATE STATISTICS, ALTER STATISTICS, and DROP STATISTICS. This feature is helpful in estimating query memory usage and when combining the statistics from individual columns.

  • Improve performance of queries affected by row-level security restrictions (Tom Lane)

    The optimizer now has more knowledge about where it can place RLS filter conditions, allowing better plans to be generated while still enforcing the RLS conditions safely.

  • Speed up aggregate functions that calculate a running sum using numeric-type arithmetic, including some variants of SUM(), AVG(), and STDDEV() (Heikki Linnakangas)

  • Improve performance of character encoding conversions by using radix trees (Kyotaro Horiguchi, Heikki Linnakangas)

  • Reduce expression evaluation overhead during query execution, as well as plan node calling overhead (Andres Freund)

    This is particularly helpful for queries that process many rows.

  • Allow hashed aggregation to be used with grouping sets (Andrew Gierth)

  • Use uniqueness guarantees to optimize certain join types (David Rowley)

  • Improve sort performance of the macaddr data type (Brandur Leach)

  • Reduce statistics tracking overhead in sessions that reference many thousands of relations (Aleksander Alekseev)

  • Allow explicit control over EXPLAIN's display of planning and execution time (Ashutosh Bapat)

    By default planning and execution time are displayed by EXPLAIN ANALYZE and are not displayed in other cases. The new EXPLAIN option SUMMARY allows explicit control of this.

  • Add default monitoring roles (Dave Page)

    New roles pg_monitor, pg_read_all_settings, pg_read_all_stats, and pg_stat_scan_tables allow simplified permission configuration.

  • Properly update the statistics collector during REFRESH MATERIALIZED VIEW (Jim Mlodgenski)

  • Change the default value of log_line_prefix to include current timestamp (with milliseconds) and the process ID in each line of postmaster log output (Christoph Berg)

    The previous default was an empty prefix.

  • Add functions to return the log and WAL directory contents (Dave Page)

    The new functions are pg_ls_logdir() and pg_ls_waldir() and can be executed by non-superusers with the proper permissions.

  • Add function pg_current_logfile() to read logging collector's current stderr and csvlog output file names (Gilles Darold)

  • Report the address and port number of each listening socket in the server log during postmaster startup (Tom Lane)

    Also, when logging failure to bind a listening socket, include the specific address we attempted to bind to.

  • Reduce log chatter about the starting and stopping of launcher subprocesses (Tom Lane)

    These are now DEBUG1-level messages.

  • Reduce message verbosity of lower-numbered debug levels controlled by log_min_messages (Robert Haas)

    This also changes the verbosity of client_min_messages debug levels.

  • Add pg_stat_activity reporting of low-level wait states (Michael Paquier, Robert Haas, Rushabh Lathia)

    This change enables reporting of numerous low-level wait conditions, including latch waits, file reads/writes/fsyncs, client reads/writes, and synchronous replication.

  • Show auxiliary processes, background workers, and walsender processes in pg_stat_activity (Kuntal Ghosh, Michael Paquier)

    This simplifies monitoring. A new column backend_type identifies the process type.

  • Allow pg_stat_activity to show the SQL query being executed by parallel workers (Rafia Sabih)

  • Rename pg_stat_activity.wait_event_type values LWLockTranche and LWLockNamed to LWLock (Robert Haas)

    This makes the output more consistent.

  • Add SCRAM-SHA-256 support for password negotiation and storage (Michael Paquier, Heikki Linnakangas)

    This provides better security than the existing md5 negotiation and storage method.

  • Change the password_encryption server parameter from boolean to enum (Michael Paquier)

    This was necessary to support additional password hashing options.

  • Add view pg_hba_file_rules to display the contents of pg_hba.conf (Haribabu Kommi)

    This shows the file contents, not the currently active settings.

  • Support multiple RADIUS servers (Magnus Hagander)

    All the RADIUS related parameters are now plural and support a comma-separated list of servers.

  • Allow SSL configuration to be updated during configuration reload (Andreas Karlsson, Tom Lane)

    This allows SSL to be reconfigured without a server restart, by using pg_ctl reload, SELECT pg_reload_conf(), or sending a SIGHUP signal. However, reloading the SSL configuration does not work if the server's SSL key requires a passphrase, as there is no way to re-prompt for the passphrase. The original configuration will apply for the life of the postmaster in that case.

  • Make the maximum value of bgwriter_lru_maxpages effectively unlimited (Jim Nasby)

  • After creating or unlinking files, perform an fsync on their parent directory (Michael Paquier)

    This reduces the risk of data loss after a power failure.

  • Prevent unnecessary checkpoints and WAL archiving on otherwise-idle systems (Michael Paquier)

  • Add wal_consistency_checking server parameter to add details to WAL that can be sanity-checked on the standby (Kuntal Ghosh, Robert Haas)

    Any sanity-check failure generates a fatal error on the standby.

  • Increase the maximum configurable WAL segment size to one gigabyte (Beena Emerson)

    A larger WAL segment size allows for fewer archive_command invocations and fewer WAL files to manage.

  • Add the ability to logically replicate tables to standby servers (Petr Jelinek)

    Logical replication allows more flexibility than physical replication does, including replication between different major versions of PostgreSQL and selective replication.

  • Allow waiting for commit acknowledgment from standby servers irrespective of the order they appear in synchronous_standby_names (Masahiko Sawada)

    Previously the server always waited for the active standbys that appeared first in synchronous_standby_names. The new synchronous_standby_names keyword ANY allows waiting for any number of standbys irrespective of their ordering. This is known as quorum commit.

  • Reduce configuration changes necessary to perform streaming backup and replication (Magnus Hagander, Dang Minh Huong)

    Specifically, the defaults were changed for wal_level, max_wal_senders, max_replication_slots, and hot_standby to make them suitable for these usages out-of-the-box.

  • Enable replication from localhost connections by default in pg_hba.conf (Michael Paquier)

    Previously pg_hba.conf's replication connection lines were commented out by default. This is particularly useful for pg_basebackup.

  • Add columns to pg_stat_replication to report replication delay times (Thomas Munro)

    The new columns are write_lag, flush_lag, and replay_lag.

  • Allow specification of the recovery stopping point by Log Sequence Number (LSN) in recovery.conf (Michael Paquier)

    Previously the stopping point could only be selected by timestamp or XID.

  • Allow users to disable pg_stop_backup()'s waiting for all WAL to be archived (David Steele)

    An optional second argument to pg_stop_backup() controls that behavior.

  • Allow creation of temporary replication slots (Petr Jelinek)

    Temporary slots are automatically removed on session exit or error.

  • Improve performance of hot standby replay with better tracking of Access Exclusive locks (Simon Riggs, David Rowley)

  • Speed up two-phase commit recovery performance (Stas Kelvich, Nikhil Sontakke, Michael Paquier)

  • Add XMLTABLE function that converts XML-formatted data into a row set (Pavel Stehule, Álvaro Herrera)

  • Fix regular expressions' character class handling for large character codes, particularly Unicode characters above U+7FF (Tom Lane)

    Previously, such characters were never recognized as belonging to locale-dependent character classes such as [[:alpha:]].

  • Add table partitioning syntax that automatically creates partition constraints and handles routing of tuple insertions and updates (Amit Langote)

    The syntax supports range and list partitioning.

  • Add AFTER trigger transition tables to record changed rows (Kevin Grittner, Thomas Munro)

    Transition tables are accessible from triggers written in server-side languages.

  • Allow restrictive row-level security policies (Stephen Frost)

    Previously all security policies were permissive, meaning that any matching policy allowed access. A restrictive policy must match for access to be granted. These policy types can be combined.

  • When creating a foreign-key constraint, check for REFERENCES permission on only the referenced table (Tom Lane)

    Previously REFERENCES permission on the referencing table was also required. This appears to have stemmed from a misreading of the SQL standard. Since creating a foreign key (or any other type of) constraint requires ownership privilege on the constrained table, additionally requiring REFERENCES permission seems rather pointless.

  • Allow default permissions on schemas (Matheus Oliveira)

    This is done using the ALTER DEFAULT PRIVILEGES command.

  • Add CREATE SEQUENCE AS command to create a sequence matching an integer data type (Peter Eisentraut)

    This simplifies the creation of sequences matching the range of base columns.

  • Allow COPY view FROM source on views with INSTEAD INSERT triggers (Haribabu Kommi)

    The triggers are fed the data rows read by COPY.

  • Allow the specification of a function name without arguments in DDL commands, if it is unique (Peter Eisentraut)

    For example, allow DROP FUNCTION on a function name without arguments if there is only one function with that name. This behavior is required by the SQL standard.

  • Allow multiple functions, operators, and aggregates to be dropped with a single DROP command (Peter Eisentraut)

  • Support IF NOT EXISTS in CREATE SERVER, CREATE USER MAPPING, and CREATE COLLATION (Anastasia Lubennikova, Peter Eisentraut)

  • Make VACUUM VERBOSE report the number of skipped frozen pages and oldest xmin (Masahiko Sawada, Simon Riggs)

    This information is also included in log_autovacuum_min_duration output.

  • Improve speed of VACUUM's removal of trailing empty heap pages (Claudio Freire, Álvaro Herrera)

  • Add full text search support for JSON and JSONB (Dmitry Dolgov)

    The functions ts_headline() and to_tsvector() can now be used on these data types.

  • Add support for EUI-64 MAC addresses, as a new data type macaddr8 (Haribabu Kommi)

    This complements the existing support for EUI-48 MAC addresses (type macaddr).

  • Add identity columns for assigning a numeric value to columns on insert (Peter Eisentraut)

    These are similar to SERIAL columns, but are SQL standard compliant.

  • Allow ENUM values to be renamed (Dagfinn Ilmari Mannsåker)

    This uses the syntax ALTER TYPE ... RENAME VALUE.

  • Properly treat array pseudotypes (anyarray) as arrays in to_json() and to_jsonb() (Andrew Dunstan)

    Previously columns declared as anyarray (particularly those in the pg_stats view) were converted to JSON strings rather than arrays.

  • Add operators for multiplication and division of money values with int8 values (Peter Eisentraut)

    Previously such cases would result in converting the int8 values to float8 and then using the money-and-float8 operators. The new behavior avoids possible precision loss. But note that division of money by int8 now truncates the quotient, like other integer-division cases, while the previous behavior would have rounded.

  • Check for overflow in the money type's input function (Peter Eisentraut)

  • Add simplified regexp_match() function (Emre Hasegeli)

    This is similar to regexp_matches(), but it only returns results from the first match so it does not need to return a set, making it easier to use for simple cases.

  • Add a version of jsonb's delete operator that takes an array of keys to delete (Magnus Hagander)

  • Make json_populate_record() and related functions process JSON arrays and objects recursively (Nikita Glukhov)

    With this change, array-type fields in the destination SQL type are properly converted from JSON arrays, and composite-type fields are properly converted from JSON objects. Previously, such cases would fail because the text representation of the JSON value would be fed to array_in() or record_in(), and its syntax would not match what those input functions expect.

  • Add function txid_current_if_assigned() to return the current transaction ID or NULL if no transaction ID has been assigned (Craig Ringer)

    This is different from txid_current(), which always returns a transaction ID, assigning one if necessary. Unlike that function, this function can be run on standby servers.

  • Add function txid_status() to check if a transaction was committed (Craig Ringer)

    This is useful for checking after an abrupt disconnection whether your previous transaction committed and you just didn't receive the acknowledgment.

  • Allow make_date() to interpret negative years as BC years (Álvaro Herrera)

  • Make to_timestamp() and to_date() reject out-of-range input fields (Artur Zakirov)

    For example, previously to_date('2009-06-40','YYYY-MM-DD') was accepted and returned 2009-07-10. It will now generate an error.

  • Allow PL/Python's cursor() and execute() functions to be called as methods of their plan-object arguments (Peter Eisentraut)

    This allows a more object-oriented programming style.

  • Allow PL/pgSQL's GET DIAGNOSTICS statement to retrieve values into array elements (Tom Lane)

    Previously, a syntactic restriction prevented the target variable from being an array element.

  • Allow PL/Tcl functions to return composite types and sets (Karl Lehenbauer)

  • Add a subtransaction command to PL/Tcl (Victor Wagner)

    This allows PL/Tcl queries to fail without aborting the entire function.

  • Add server parameters pltcl.start_proc and pltclu.start_proc, to allow initialization functions to be called on PL/Tcl startup (Tom Lane)

  • Allow specification of multiple host names or addresses in libpq connection strings and URIs (Robert Haas, Heikki Linnakangas)

    libpq will connect to the first responsive server in the list.

  • Allow libpq connection strings and URIs to request a read/write host, that is a master server rather than a standby server (Victor Wagner, Mithun Cy)

    This is useful when multiple host names are specified. It is controlled by libpq connection parameter target_session_attrs.

  • Allow the password file name to be specified as a libpq connection parameter (Julian Markwort)

    Previously this could only be specified via an environment variable.

  • Add function PQencryptPasswordConn() to allow creation of more types of encrypted passwords on the client side (Michael Paquier, Heikki Linnakangas)

    Previously only MD5-encrypted passwords could be created using PQencryptPassword(). This new function can also create SCRAM-SHA-256-encrypted passwords.

  • Change ecpg preprocessor version from 4.12 to 10 (Tom Lane)

    Henceforth the ecpg version will match the PostgreSQL distribution version number.

  • Add conditional branch support to psql (Corey Huinker)

    This feature adds psql meta-commands \if, \elif, \else, and \endif. This is primarily helpful for scripting.

  • Add psql \gx meta-command to execute (\g) a query in expanded mode (\x) (Christoph Berg)

  • Expand psql variable references in backtick-executed strings (Tom Lane)

    This is particularly useful in the new psql conditional branch commands.

  • Prevent psql's special variables from being set to invalid values (Daniel Vérité, Tom Lane)

    Previously, setting one of psql's special variables to an invalid value silently resulted in the default behavior. \set on a special variable now fails if the proposed new value is invalid. As a special exception, \set with an empty or omitted new value, on a boolean-valued special variable, still has the effect of setting the variable to on; but now it actually acquires that value rather than an empty string. \unset on a special variable now explicitly sets the variable to its default value, which is also the value it acquires at startup. In sum, a control variable now always has a displayable value that reflects what psql is actually doing.

  • Add variables showing server version and psql version (Fabien Coelho)

  • Improve psql's \d (display relation) and \dD (display domain) commands to show collation, nullable, and default properties in separate columns (Peter Eisentraut)

    Previously they were shown in a single “Modifiers” column.

  • Make the various \d commands handle no-matching-object cases more consistently (Daniel Gustafsson)

    They now all print the message about that to stderr, not stdout, and the message wording is more consistent.

  • Improve psql's tab completion (Jeff Janes, Ian Barwick, Andreas Karlsson, Sehrope Sarkuni, Thomas Munro, Kevin Grittner, Dagfinn Ilmari Mannsåker)

  • Add pgbench option --log-prefix to control the log file prefix (Masahiko Sawada)

  • Allow pgbench's meta-commands to span multiple lines (Fabien Coelho)

    A meta-command can now be continued onto the next line by writing backslash-return.

  • Remove restriction on placement of -M option relative to other command line options (Tom Lane)

  • Add pg_receivewal option -Z/--compress to specify compression (Michael Paquier)

  • Add pg_recvlogical option --endpos to specify the ending position (Craig Ringer)

    This complements the existing --startpos option.

  • Rename initdb options --noclean and --nosync to be spelled --no-clean and --no-sync (Vik Fearing, Peter Eisentraut)

    The old spellings are still supported.

  • Allow pg_restore to exclude schemas (Michael Banck)

    This adds a new -N/--exclude-schema option.

  • Add --no-blobs option to pg_dump (Guillaume Lelarge)

    This suppresses dumping of large objects.

  • Add pg_dumpall option --no-role-passwords to omit role passwords (Robins Tharakan, Simon Riggs)

    This allows use of pg_dumpall by non-superusers; without this option, it fails due to inability to read passwords.

  • Support using synchronized snapshots when dumping from a standby server (Petr Jelinek)

  • Issue fsync() on the output files generated by pg_dump and pg_dumpall (Michael Paquier)

    This provides more security that the output is safely stored on disk before the program exits. This can be disabled with the new --no-sync option.

  • Allow pg_basebackup to stream write-ahead log in tar mode (Magnus Hagander)

    The WAL will be stored in a separate tar file from the base backup.

  • Make pg_basebackup use temporary replication slots (Magnus Hagander)

    Temporary replication slots will be used by default when pg_basebackup uses WAL streaming with default options.

  • Be more careful about fsync'ing in all required places in pg_basebackup and pg_receivewal (Michael Paquier)

  • Add pg_basebackup option --no-sync to disable fsync (Michael Paquier)

  • Improve pg_basebackup's handling of which directories to skip (David Steele)

  • Add wait option for pg_ctl's promote operation (Peter Eisentraut)

  • Add long options for pg_ctl wait (--wait) and no-wait (--no-wait) (Vik Fearing)

  • Add long option for pg_ctl server options (--options) (Peter Eisentraut)

  • Make pg_ctl start --wait detect server-ready by watching postmaster.pid, not by attempting connections (Tom Lane)

    The postmaster has been changed to report its ready-for-connections status in postmaster.pid, and pg_ctl now examines that file to detect whether startup is complete. This is more efficient and reliable than the old method, and it eliminates postmaster log entries about rejected connection attempts during startup.

  • Reduce pg_ctl's reaction time when waiting for postmaster start/stop (Tom Lane)

    pg_ctl now probes ten times per second when waiting for a postmaster state change, rather than once per second.

  • Ensure that pg_ctl exits with nonzero status if an operation being waited for does not complete within the timeout (Peter Eisentraut)

    The start and promote operations now return exit status 1, not 0, in such cases. The stop operation has always done that.

  • Change to two-part release version numbering (Peter Eisentraut, Tom Lane)

    Release numbers will now have two parts (e.g., 10.1) rather than three (e.g., 9.6.3). Major versions will now increase just the first number, and minor releases will increase just the second number. Release branches will be referred to by single numbers (e.g., 10 rather than 9.6). This change is intended to reduce user confusion about what is a major or minor release of PostgreSQL.

  • Improve behavior of pgindent (Piotr Stefaniak, Tom Lane)

    We have switched to a new version of pg_bsd_indent based on recent improvements made by the FreeBSD project. This fixes numerous small bugs that led to odd C code formatting decisions. Most notably, lines within parentheses (such as in a multi-line function call) are now uniformly indented to match the opening paren, even if that would result in code extending past the right margin.

  • Allow the ICU library to optionally be used for collation support (Peter Eisentraut)

    The ICU library has versioning that allows detection of collation changes between versions. It is enabled via configure option --with-icu. The default still uses the operating system's native collation library.

  • Automatically mark all PG_FUNCTION_INFO_V1 functions as DLLEXPORT-ed on Windows (Laurenz Albe)

    If third-party code is using extern function declarations, they should also add DLLEXPORT markers to those declarations.

  • Remove SPI functions SPI_push(), SPI_pop(), SPI_push_conditional(), SPI_pop_conditional(), and SPI_restore_connection() as unnecessary (Tom Lane)

    Their functionality now happens automatically. There are now no-op macros by these names so that external modules don't need to be updated immediately, but eventually such calls should be removed.

    A side effect of this change is that SPI_palloc() and allied functions now require an active SPI connection; they do not degenerate to simple palloc() if there is none. That previous behavior was not very useful and posed risks of unexpected memory leaks.

  • Allow shared memory to be dynamically allocated (Thomas Munro, Robert Haas)

  • Add slab-like memory allocator for efficient fixed-size allocations (Tomas Vondra)

  • Use POSIX semaphores rather than SysV semaphores on Linux and FreeBSD (Tom Lane)

    This avoids platform-specific limits on SysV semaphore usage.

  • Improve support for 64-bit atomics (Andres Freund)

  • Enable 64-bit atomic operations on ARM64 (Roman Shaposhnik)

  • Switch to using clock_gettime(), if available, for duration measurements (Tom Lane)

    gettimeofday() is still used if clock_gettime() is not available.

  • Add more robust random number generators to be used for cryptographically secure uses (Magnus Hagander, Michael Paquier, Heikki Linnakangas)

    If no strong random number generator can be found, configure will fail unless the --disable-strong-random option is used. However, with this option, pgcrypto functions requiring a strong random number generator will be disabled.

  • Allow WaitLatchOrSocket() to wait for socket connection on Windows (Andres Freund)

  • tupconvert.c functions no longer convert tuples just to embed a different composite-type OID in them (Ashutosh Bapat, Tom Lane)

    The majority of callers don't care about the composite-type OID; but if the result tuple is to be used as a composite Datum, steps should be taken to make sure the correct OID is inserted in it.

  • Remove SCO and Unixware ports (Tom Lane)

  • Overhaul documentation build process (Alexander Lakhin)

  • Use XSLT to build the PostgreSQL documentation (Peter Eisentraut)

    Previously Jade, DSSSL, and JadeTex were used.

  • Build HTML documentation using XSLT stylesheets by default (Peter Eisentraut)

  • Allow file_fdw to read from program output as well as files (Corey Huinker, Adam Gomaa)

  • In postgres_fdw, push aggregate functions to the remote server, when possible (Jeevan Chalke, Ashutosh Bapat)

    This reduces the amount of data that must be passed from the remote server, and offloads aggregate computation from the requesting server.

  • In postgres_fdw, push joins to the remote server in more cases (David Rowley, Ashutosh Bapat, Etsuro Fujita)

  • Properly support OID columns in postgres_fdw tables (Etsuro Fujita)

    Previously OID columns always returned zeros.

  • Allow btree_gist and btree_gin to index enum types (Andrew Dunstan)

    This allows enums to be used in exclusion constraints.

  • Add indexing support to btree_gist for the UUID data type (Paul Jungwirth)

  • Add amcheck which can check the validity of B-tree indexes (Peter Geoghegan)

  • Show ignored constants as $N rather than ? in pg_stat_statements (Lukas Fittl)

  • Improve cube's handling of zero-dimensional cubes (Tom Lane)

    This also improves handling of infinite and NaN values.

  • Allow pg_buffercache to run with fewer locks (Ivan Kartyshov)

    This makes it less disruptive when run on production systems.

  • Add pgstattuple function pgstathashindex() to view hash index statistics (Ashutosh Sharma)

  • Use GRANT permissions to control pgstattuple function usage (Stephen Frost)

    This allows DBAs to allow non-superusers to run these functions.

  • Reduce locking when pgstattuple examines hash indexes (Amit Kapila)

  • Add pageinspect function page_checksum() to show a page's checksum (Tomas Vondra)

  • Add pageinspect function bt_page_items() to print page items from a page image (Tomas Vondra)

  • Add hash index support to pageinspect (Jesper Pedersen, Ashutosh Sharma)

• ⇑ Upgrade to 10.1 released on 2017-11-09 - docs

  • Ensure that INSERT ... ON CONFLICT DO UPDATE checks table permissions and RLS policies in all cases (Dean Rasheed)

    The update path of INSERT ... ON CONFLICT DO UPDATE requires SELECT permission on the columns of the arbiter index, but it failed to check for that in the case of an arbiter specified by constraint name. In addition, for a table with row level security enabled, it failed to check updated rows against the table's SELECT policies (regardless of how the arbiter index was specified). (CVE-2017-15099)

  • Fix crash due to rowtype mismatch in json{b}_populate_recordset() (Michael Paquier, Tom Lane)

    These functions used the result rowtype specified in the FROM ... AS clause without checking that it matched the actual rowtype of the supplied tuple value. If it didn't, that would usually result in a crash, though disclosure of server memory contents seems possible as well. (CVE-2017-15098)

  • Fix sample server-start scripts to become $PGUSER before opening $PGLOG (Noah Misch)

    Previously, the postmaster log file was opened while still running as root. The database owner could therefore mount an attack against another system user by making $PGLOG be a symbolic link to some other file, which would then become corrupted by appending log messages.

    By default, these scripts are not installed anywhere. Users who have made use of them will need to manually recopy them, or apply the same changes to their modified versions. If the existing $PGLOG file is root-owned, it will need to be removed or renamed out of the way before restarting the server with the corrected script. (CVE-2017-12172)

  • Fix BRIN index summarization to handle concurrent table extension correctly (Álvaro Herrera)

    Previously, a race condition allowed some table rows to be omitted from the index. It may be necessary to reindex existing BRIN indexes to recover from past occurrences of this problem.

  • Fix possible failures during concurrent updates of a BRIN index (Tom Lane)

    These race conditions could result in errors like “invalid index offnum” or “inconsistent range map”.

  • Prevent logical replication from setting non-replicated columns to nulls when replicating an UPDATE (Petr Jelinek)

  • Fix logical replication to fire BEFORE ROW DELETE triggers when expected (Masahiko Sawada)

    Previously, that failed to happen unless the table also had a BEFORE ROW UPDATE trigger.

  • Fix crash when logical decoding is invoked from a SPI-using function, in particular any function written in a PL language (Tom Lane)

  • Ignore CTEs when looking up the target table for INSERT/UPDATE/DELETE, and prevent matching schema-qualified target table names to trigger transition table names (Thomas Munro)

    This restores the pre-v10 behavior for CTEs attached to DML commands.

  • Avoid evaluating an aggregate function's argument expression(s) at rows where its FILTER test fails (Tom Lane)

    This restores the pre-v10 (and SQL-standard) behavior.

  • Fix incorrect query results when multiple GROUPING SETS columns contain the same simple variable (Tom Lane)

  • Fix query-lifespan memory leakage while evaluating a set-returning function in a SELECT's target list (Tom Lane)

  • Allow parallel execution of prepared statements with generic plans (Amit Kapila, Kuntal Ghosh)

  • Fix incorrect parallelization decisions for nested queries (Amit Kapila, Kuntal Ghosh)

  • Fix parallel query handling to not fail when a recently-used role is dropped (Amit Kapila)

  • Fix crash in parallel execution of a bitmap scan having a BitmapAnd plan node below a BitmapOr node (Dilip Kumar)

  • Fix json_build_array(), json_build_object(), and their jsonb equivalents to handle explicit VARIADIC arguments correctly (Michael Paquier)

  • Fix autovacuum's “work item” logic to prevent possible crashes and silent loss of work items (Álvaro Herrera)

  • Fix corner-case crashes when columns have been added to the end of a view (Tom Lane)

  • Record proper dependencies when a view or rule contains FieldSelect or FieldStore expression nodes (Tom Lane)

    Lack of these dependencies could allow a column or data type DROP to go through when it ought to fail, thereby causing later uses of the view or rule to get errors. This patch does not do anything to protect existing views/rules, only ones created in the future.

  • Correctly detect hashability of range data types (Tom Lane)

    The planner mistakenly assumed that any range type could be hashed for use in hash joins or hash aggregation, but actually it must check whether the range's subtype has hash support. This does not affect any of the built-in range types, since they're all hashable anyway.

  • Correctly ignore RelabelType expression nodes when examining functional-dependency statistics (David Rowley)

    This allows, e.g., extended statistics on varchar columns to be used properly.

  • Prevent sharing transition states between ordered-set aggregates (David Rowley)

    This causes a crash with the built-in ordered-set aggregates, and probably with user-written ones as well. v11 and later will include provisions for dealing with such cases safely, but in released branches, just disable the optimization.

  • Prevent idle_in_transaction_session_timeout from being ignored when a statement_timeout occurred earlier (Lukas Fittl)

  • Fix low-probability loss of NOTIFY messages due to XID wraparound (Marko Tiikkaja, Tom Lane)

    If a session executed no queries, but merely listened for notifications, for more than 2 billion transactions, it started to miss some notifications from concurrently-committing transactions.

  • Reduce the frequency of data flush requests during bulk file copies to avoid performance problems on macOS, particularly with its new APFS file system (Tom Lane)

  • Allow COPY's FREEZE option to work when the transaction isolation level is REPEATABLE READ or higher (Noah Misch)

    This case was unintentionally broken by a previous bug fix.

  • Fix AggGetAggref() to return the correct Aggref nodes to aggregate final functions whose transition calculations have been merged (Tom Lane)

  • Fix insufficient schema-qualification in some new queries in pg_dump and psql (Vitaly Burovoy, Tom Lane, Noah Misch)

  • Avoid use of @> operator in psql's queries for \d (Tom Lane)

    This prevents problems when the parray_gin extension is installed, since that defines a conflicting operator.

  • Fix pg_basebackup's matching of tablespace paths to canonicalize both paths before comparing (Michael Paquier)

    This is particularly helpful on Windows.

  • Fix libpq to not require user's home directory to exist (Tom Lane)

    In v10, failure to find the home directory while trying to read ~/.pgpass was treated as a hard error, but it should just cause that file to not be found. Both v10 and previous release branches made the same mistake when reading ~/.pg_service.conf, though this was less obvious since that file is not sought unless a service name is specified.

  • In ecpglib, correctly handle backslashes in string literals depending on whether standard_conforming_strings is set (Tsunakawa Takayuki)

  • Make ecpglib's Informix-compatibility mode ignore fractional digits in integer input strings, as expected (Gao Zengqi, Michael Meskes)

  • Fix missing temp-install prerequisites for check-like Make targets (Noah Misch)

    Some non-default test procedures that are meant to work like make check failed to ensure that the temporary installation was up to date.

  • Update time zone data files to tzdata release 2017c for DST law changes in Fiji, Namibia, Northern Cyprus, Sudan, Tonga, and Turks & Caicos Islands, plus historical corrections for Alaska, Apia, Burma, Calcutta, Detroit, Ireland, Namibia, and Pago Pago.

  • In the documentation, restore HTML anchors to being upper-case strings (Peter Eisentraut)

    Due to a toolchain change, the 10.0 user manual had lower-case strings for intrapage anchors, thus breaking some external links into our website documentation. Return to our previous convention of using upper-case strings.

• ⇑ Upgrade to 10.2 released on 2018-02-08 - docs

  • Fix processing of partition keys containing multiple expressions (Álvaro Herrera, David Rowley)

    This error led to crashes or, with carefully crafted input, disclosure of arbitrary backend memory. (CVE-2018-1052)

  • Ensure that all temporary files made by pg_upgrade are non-world-readable (Tom Lane, Noah Misch)

    pg_upgrade normally restricts its temporary files to be readable and writable only by the calling user. But the temporary file containing pg_dumpall -g output would be group- or world-readable, or even writable, if the user's umask setting allows. In typical usage on multi-user machines, the umask and/or the working directory's permissions would be tight enough to prevent problems; but there may be people using pg_upgrade in scenarios where this oversight would permit disclosure of database passwords to unfriendly eyes. (CVE-2018-1053)

  • Fix vacuuming of tuples that were updated while key-share locked (Andres Freund, Álvaro Herrera)

    In some cases VACUUM would fail to remove such tuples even though they are now dead, leading to assorted data corruption scenarios.

  • Fix failure to mark a hash index's metapage dirty after adding a new overflow page, potentially leading to index corruption (Lixian Zou, Amit Kapila)

  • Ensure that vacuum will always clean up the pending-insertions list of a GIN index (Masahiko Sawada)

    This is necessary to ensure that dead index entries get removed. The old code got it backwards, allowing vacuum to skip the cleanup if some other process were running cleanup concurrently, thus risking invalid entries being left behind in the index.

  • Fix inadequate buffer locking in some LSN fetches (Jacob Champion, Asim Praveen, Ashwin Agrawal)

    These errors could result in misbehavior under concurrent load. The potential consequences have not been characterized fully.

  • Fix incorrect query results from cases involving flattening of subqueries whose outputs are used in GROUPING SETS (Heikki Linnakangas)

  • Fix handling of list partitioning constraints for partition keys of boolean or array types (Amit Langote)

  • Avoid unnecessary failure in a query on an inheritance tree that occurs concurrently with some child table being removed from the tree by ALTER TABLE NO INHERIT (Tom Lane)

  • Fix spurious deadlock failures when multiple sessions are running CREATE INDEX CONCURRENTLY (Jeff Janes)

  • During VACUUM FULL, update the table's size fields in pg_class sooner (Amit Kapila)

    This prevents poor behavior when rebuilding hash indexes on the table, since those use the pg_class statistics to govern the initial hash size.

  • Fix UNION/INTERSECT/EXCEPT over zero columns (Tom Lane)

  • Disallow identity columns on typed tables and partitions (Michael Paquier)

    These cases will be treated as unsupported features for now.

  • Fix assorted failures to apply the correct default value when inserting into an identity column (Michael Paquier, Peter Eisentraut)

    In several contexts, notably COPY and ALTER TABLE ADD COLUMN, the expected default value was not applied and instead a null value was inserted.

  • Fix failures when an inheritance tree contains foreign child tables (Etsuro Fujita)

    A mix of regular and foreign tables in an inheritance tree resulted in creation of incorrect plans for UPDATE and DELETE queries. This led to visible failures in some cases, notably when there are row-level triggers on a foreign child table.

  • Repair failure with correlated sub-SELECT inside VALUES inside a LATERAL subquery (Tom Lane)

  • Fix “could not devise a query plan for the given query” planner failure for some cases involving nested UNION ALL inside a lateral subquery (Tom Lane)

  • Allow functional dependency statistics to be used for boolean columns (Tom Lane)

    Previously, although extended statistics could be declared and collected on boolean columns, the planner failed to apply them.

  • Avoid underestimating the number of groups emitted by subqueries containing set-returning functions in their grouping columns (Tom Lane)

    Cases similar to SELECT DISTINCT unnest(foo) got a lower output rowcount estimate in 10.0 than they did in earlier releases, possibly resulting in unfavorable plan choices. Restore the prior estimation behavior.

  • Fix use of triggers in logical replication workers (Petr Jelinek)

  • Fix logical decoding to correctly clean up disk files for crashed transactions (Atsushi Torikoshi)

    Logical decoding may spill WAL records to disk for transactions generating many WAL records. Normally these files are cleaned up after the transaction's commit or abort record arrives; but if no such record is ever seen, the removal code misbehaved.

  • Fix walsender timeout failure and failure to respond to interrupts when processing a large transaction (Petr Jelinek)

  • Fix race condition during replication origin drop that could allow the dropping process to wait indefinitely (Tom Lane)

  • Allow members of the pg_read_all_stats role to see walsender statistics in the pg_stat_replication view (Feike Steenbergen)

  • Show walsenders that are sending base backups as active in the pg_stat_activity view (Magnus Hagander)

  • Fix reporting of scram-sha-256 authentication method in the pg_hba_file_rules view (Michael Paquier)

    Previously this was printed as scram-sha256, possibly confusing users as to the correct spelling.

  • Fix has_sequence_privilege() to support WITH GRANT OPTION tests, as other privilege-testing functions do (Joe Conway)

  • In databases using UTF8 encoding, ignore any XML declaration that asserts a different encoding (Pavel Stehule, Noah Misch)

    We always store XML strings in the database encoding, so allowing libxml to act on a declaration of another encoding gave wrong results. In encodings other than UTF8, we don't promise to support non-ASCII XML data anyway, so retain the previous behavior for bug compatibility. This change affects only xpath() and related functions; other XML code paths already acted this way.

  • Provide for forward compatibility with future minor protocol versions (Robert Haas, Badrul Chowdhury)

    Up to now, PostgreSQL servers simply rejected requests to use protocol versions newer than 3.0, so that there was no functional difference between the major and minor parts of the protocol version number. Allow clients to request versions 3.x without failing, sending back a message showing that the server only understands 3.0. This makes no difference at the moment, but back-patching this change should allow speedier introduction of future minor protocol upgrades.

  • Allow a client that supports SCRAM channel binding (such as v11 or later libpq) to connect to a v10 server (Michael Paquier)

    v10 does not have this feature, and the connection-time negotiation about whether to use it was done incorrectly.

  • Avoid live-lock in ConditionVariableBroadcast() (Tom Lane, Thomas Munro)

    Given repeatedly-unlucky timing, a process attempting to awaken all waiters for a condition variable could loop indefinitely. Due to the limited usage of condition variables in v10, this affects only parallel index scans and some operations on replication slots.

  • Clean up waits for condition variables correctly during subtransaction abort (Robert Haas)

  • Ensure that child processes that are waiting for a condition variable will exit promptly if the postmaster process dies (Tom Lane)

  • Fix crashes in parallel queries using more than one Gather node (Thomas Munro)

  • Fix hang in parallel index scan when processing a deleted or half-dead index page (Amit Kapila)

  • Avoid crash if parallel bitmap heap scan is unable to allocate a shared memory segment (Robert Haas)

  • Cope with failure to start a parallel worker process (Amit Kapila, Robert Haas)

    Parallel query previously tended to hang indefinitely if a worker could not be started, as the result of fork() failure or other low-probability problems.

  • Avoid unnecessary failure when no parallel workers can be obtained during parallel query startup (Robert Haas)

  • Fix collection of EXPLAIN statistics from parallel workers (Amit Kapila, Thomas Munro)

  • Ensure that query strings passed to parallel workers are correctly null-terminated (Thomas Munro)

    This prevents emitting garbage in postmaster log output from such workers.

  • Avoid unsafe alignment assumptions when working with __int128 (Tom Lane)

    Typically, compilers assume that __int128 variables are aligned on 16-byte boundaries, but our memory allocation infrastructure isn't prepared to guarantee that, and increasing the setting of MAXALIGN seems infeasible for multiple reasons. Adjust the code to allow use of __int128 only when we can tell the compiler to assume lesser alignment. The only known symptom of this problem so far is crashes in some parallel aggregation queries.

  • Prevent stack-overflow crashes when planning extremely deeply nested set operations (UNION/INTERSECT/EXCEPT) (Tom Lane)

  • Avoid crash during an EvalPlanQual recheck of an indexscan that is the inner child of a merge join (Tom Lane)

    This could only happen during an update or SELECT FOR UPDATE of a join, when there is a concurrent update of some selected row.

  • Fix crash in autovacuum when extended statistics are defined for a table but can't be computed (Álvaro Herrera)

  • Fix null-pointer crashes for some types of LDAP URLs appearing in pg_hba.conf (Thomas Munro)

  • Prevent out-of-memory failures due to excessive growth of simple hash tables (Tomas Vondra, Andres Freund)

  • Fix sample INSTR() functions in the PL/pgSQL documentation (Yugo Nagata, Tom Lane)

    These functions are stated to be Oracle® compatible, but they weren't exactly. In particular, there was a discrepancy in the interpretation of a negative third parameter: Oracle thinks that a negative value indicates the last place where the target substring can begin, whereas our functions took it as the last place where the target can end. Also, Oracle throws an error for a zero or negative fourth parameter, whereas our functions returned zero.

    The sample code has been adjusted to match Oracle's behavior more precisely. Users who have copied this code into their applications may wish to update their copies.

  • Fix pg_dump to make ACL (permissions), comment, and security label entries reliably identifiable in archive output formats (Tom Lane)

    The “tag” portion of an ACL archive entry was usually just the name of the associated object. Make it start with the object type instead, bringing ACLs into line with the convention already used for comment and security label archive entries. Also, fix the comment and security label entries for the whole database, if present, to make their tags start with DATABASE so that they also follow this convention. This prevents false matches in code that tries to identify large-object-related entries by seeing if the tag starts with LARGE OBJECT. That could have resulted in misclassifying entries as data rather than schema, with undesirable results in a schema-only or data-only dump.

    Note that this change has user-visible results in the output of pg_restore --list.

  • Rename pg_rewind's copy_file_range function to avoid conflict with new Linux system call of that name (Andres Freund)

    This change prevents build failures with newer glibc versions.

  • In ecpg, detect indicator arrays that do not have the correct length and report an error (David Rader)

  • Change the behavior of contrib/cube's cube ~> int operator to make it compatible with KNN search (Alexander Korotkov)

    The meaning of the second argument (the dimension selector) has been changed to make it predictable which value is selected even when dealing with cubes of varying dimensionalities.

    This is an incompatible change, but since the point of the operator was to be used in KNN searches, it seems rather useless as-is. After installing this update, any expression indexes or materialized views using this operator will need to be reindexed/refreshed.

  • Avoid triggering a libc assertion in contrib/hstore, due to use of memcpy() with equal source and destination pointers (Tomas Vondra)

  • Fix incorrect display of tuples' null bitmaps in contrib/pageinspect (Maksim Milyutin)

  • Fix incorrect output from contrib/pageinspect's hash_page_items() function (Masahiko Sawada)

  • In contrib/postgres_fdw, avoid “outer pathkeys do not match mergeclauses” planner error when constructing a plan involving a remote join (Robert Haas)

  • In contrib/postgres_fdw, avoid planner failure when there are duplicate GROUP BY entries (Jeevan Chalke)

  • Provide modern examples of how to auto-start Postgres on macOS (Tom Lane)

    The scripts in contrib/start-scripts/osx use infrastructure that's been deprecated for over a decade, and which no longer works at all in macOS releases of the last couple of years. Add a new subdirectory contrib/start-scripts/macos containing scripts that use the newer launchd infrastructure.

  • Fix incorrect selection of configuration-specific libraries for OpenSSL on Windows (Andrew Dunstan)

  • Support linking to MinGW-built versions of libperl (Noah Misch)

    This allows building PL/Perl with some common Perl distributions for Windows.

  • Fix MSVC build to test whether 32-bit libperl needs -D_USE_32BIT_TIME_T (Noah Misch)

    Available Perl distributions are inconsistent about what they expect, and lack any reliable means of reporting it, so resort to a build-time test on what the library being used actually does.

  • On Windows, install the crash dump handler earlier in postmaster startup (Takayuki Tsunakawa)

    This may allow collection of a core dump for some early-startup failures that did not produce a dump before.

  • On Windows, avoid encoding-conversion-related crashes when emitting messages very early in postmaster startup (Takayuki Tsunakawa)

  • Use our existing Motorola 68K spinlock code on OpenBSD as well as NetBSD (David Carlier)

  • Add support for spinlocks on Motorola 88K (David Carlier)

  • Update time zone data files to tzdata release 2018c for DST law changes in Brazil, Sao Tome and Principe, plus historical corrections for Bolivia, Japan, and South Sudan. The US/Pacific-New zone has been removed (it was only an alias for America/Los_Angeles anyway).