Upgrading from 10.23 to 16.3 gives you 1.5 years worth of fixes (1915 of them)

List of changes:

• ⇑ Upgrade to 11 released on 2018-10-18 - docs

  • Make pg_dump dump the properties of a database, not just its contents (Haribabu Kommi)

    Previously, attributes of the database itself, such as database-level GRANT/REVOKE permissions and ALTER DATABASE SET variable settings, were only dumped by pg_dumpall. Now pg_dump --create and pg_restore --create will restore these database properties in addition to the objects within the database. pg_dumpall -g now only dumps role- and tablespace-related attributes. pg_dumpall's complete output (without -g) is unchanged.

    pg_dump and pg_restore, without --create, no longer dump/restore database-level comments and security labels; those are now treated as properties of the database.

    pg_dumpall's output script will now always create databases with their original locale and encoding, and hence will fail if the locale or encoding name is unknown to the destination system. Previously, CREATE DATABASE would be emitted without these specifications if the database locale and encoding matched the old cluster's defaults.

    pg_dumpall --clean now restores the original locale and encoding settings of the postgres and template1 databases, as well as those of user-created databases.

  • Consider syntactic form when disambiguating function versus column references (Tom Lane)

    When x is a table name or composite column, PostgreSQL has traditionally considered the syntactic forms f(x) and x.f to be equivalent, allowing tricks such as writing a function and then using it as though it were a computed-on-demand column. However, if both interpretations are feasible, the column interpretation was always chosen, leading to surprising results if the user intended the function interpretation. Now, if there is ambiguity, the interpretation that matches the syntactic form is chosen.

  • Fully enforce uniqueness of table and domain constraint names (Tom Lane)

    PostgreSQL expects the names of a table's constraints to be distinct, and likewise for the names of a domain's constraints. However, there was not rigid enforcement of this, and previously there were corner cases where duplicate names could be created.

  • Make power(numeric, numeric) and power(float8, float8) handle NaN inputs according to the POSIX standard (Tom Lane, Dang Minh Huong)

    POSIX says that NaN ^ 0 = 1 and 1 ^ NaN = 1, but all other cases with NaN input(s) should return NaN. power(numeric, numeric) just returned NaN in all such cases; now it honors the two exceptions. power(float8, float8) followed the standard if the C library does; but on some old Unix platforms the library doesn't, and there were also problems on some versions of Windows.

  • Prevent to_number() from consuming characters when the template separator does not match (Oliver Ford)

    Specifically, SELECT to_number('1234', '9,999') used to return 134. It will now return 1234. L and TH now only consume characters that are not digits, positive/negative signs, decimal points, or commas.

  • Fix to_date(), to_number(), and to_timestamp() to skip a character for each template character (Tom Lane)

    Previously, they skipped one byte for each byte of template character, resulting in strange behavior if either string contained multibyte characters.

  • Adjust the handling of backslashes inside double-quotes in template strings for to_char(), to_number(), and to_timestamp().

    Such a backslash now escapes the character after it, particularly a double-quote or another backslash.

  • Correctly handle relative path expressions in xmltable(), xpath(), and other XML-handling functions (Markus Winand)

    Per the SQL standard, relative paths start from the document node of the XML input document, not the root node as these functions previously did.

  • In the extended query protocol, make statement_timeout apply to each Execute message separately, not to all commands before Sync (Tatsuo Ishii, Andres Freund)

  • Remove the relhaspkey column from system catalog pg_class (Peter Eisentraut)

    Applications needing to check for a primary key should consult pg_index.

  • Replace system catalog pg_proc's proisagg and proiswindow columns with prokind (Peter Eisentraut)

    This new column more clearly distinguishes functions, procedures, aggregates, and window functions.

  • Correct information schema column tables.table_type to return FOREIGN instead of FOREIGN TABLE (Peter Eisentraut)

    This new output matches the SQL standard.

  • Change the ps process display labels for background workers to match the pg_stat_activity.backend_type labels (Peter Eisentraut)

  • Cause large object permission checks to happen during large object open, lo_open(), not when a read or write is attempted (Tom Lane, Michael Paquier)

    If write access is requested and not available, an error will now be thrown even if the large object is never written to.

  • Prevent non-superusers from reindexing shared catalogs (Michael Paquier, Robert Haas)

    Previously, database owners were also allowed to do this, but now it is considered outside the bounds of their privileges.

  • Remove deprecated adminpack functions pg_file_read(), pg_file_length(), and pg_logfile_rotate() (Stephen Frost)

    Equivalent functionality is now present in the core backend. Existing adminpack installs will continue to have access to these functions until they are updated via ALTER EXTENSION ... UPDATE.

  • Honor the capitalization of double-quoted command options (Daniel Gustafsson)

    Previously, option names in certain SQL commands were forcibly lower-cased even if entered with double quotes; thus for example "FillFactor" would be accepted as an index storage option, though properly its name is lower-case. Such cases will now generate an error.

  • Remove server parameter replacement_sort_tuples (Peter Geoghegan)

    Replacement sorts were determined to be no longer useful.

  • Remove WITH clause in CREATE FUNCTION (Michael Paquier)

    PostgreSQL has long supported a more standard-compliant syntax for this capability.

  • In PL/pgSQL trigger functions, the OLD and NEW variables now read as NULL when not assigned (Tom Lane)

    Previously, references to these variables could be parsed but not executed.

  • Allow the creation of partitions based on hashing a key column (Amul Sul)

  • Support indexes on partitioned tables (Álvaro Herrera, Amit Langote)

    An “index” on a partitioned table is not a physical index across the whole partitioned table, but rather a template for automatically creating similar indexes on each partition of the table.

    If the partition key is part of the index's column set, a partitioned index may be declared UNIQUE. It will represent a valid uniqueness constraint across the whole partitioned table, even though each physical index only enforces uniqueness within its own partition.

    The new command ALTER INDEX ATTACH PARTITION causes an existing index on a partition to be associated with a matching index template for its partitioned table. This provides flexibility in setting up a new partitioned index for an existing partitioned table.

  • Allow foreign keys on partitioned tables (Álvaro Herrera)

  • Allow FOR EACH ROW triggers on partitioned tables (Álvaro Herrera)

    Creation of a trigger on a partitioned table automatically creates triggers on all existing and future partitions. This also allows deferred unique constraints on partitioned tables.

  • Allow partitioned tables to have a default partition (Jeevan Ladhe, Beena Emerson, Ashutosh Bapat, Rahila Syed, Robert Haas)

    The default partition will store rows that don't match any of the other defined partitions, and is searched accordingly.

  • UPDATE statements that change a partition key column now cause affected rows to be moved to the appropriate partitions (Amit Khandekar)

  • Allow INSERT, UPDATE, and COPY on partitioned tables to properly route rows to foreign partitions (Etsuro Fujita, Amit Langote)

    This is supported by postgres_fdw foreign tables. Since the ExecForeignInsert callback function is called for this in a different way than it used to be, foreign data wrappers must be modified to cope with this change.

  • Allow faster partition elimination during query processing (Amit Langote, David Rowley, Dilip Kumar)

    This speeds access to partitioned tables with many partitions.

  • Allow partition elimination during query execution (David Rowley, Beena Emerson)

    Previously, partition elimination only happened at planning time, meaning many joins and prepared queries could not use partition elimination.

  • In an equality join between partitioned tables, allow matching partitions to be joined directly (Ashutosh Bapat)

    This feature is disabled by default but can be enabled by changing enable_partitionwise_join.

  • Allow aggregate functions on partitioned tables to be evaluated separately for each partition, subsequently merging the results (Jeevan Chalke, Ashutosh Bapat, Robert Haas)

    This feature is disabled by default but can be enabled by changing enable_partitionwise_aggregate.

  • Allow postgres_fdw to push down aggregates to foreign tables that are partitions (Jeevan Chalke)

  • Allow parallel building of a btree index (Peter Geoghegan, Rushabh Lathia, Heikki Linnakangas)

  • Allow hash joins to be performed in parallel using a shared hash table (Thomas Munro)

  • Allow UNION to run each SELECT in parallel if the individual SELECTs cannot be parallelized (Amit Khandekar, Robert Haas, Amul Sul)

  • Allow partition scans to more efficiently use parallel workers (Amit Khandekar, Robert Haas, Amul Sul)

  • Allow LIMIT to be passed to parallel workers (Robert Haas, Tom Lane)

    This allows workers to reduce returned results and use targeted index scans.

  • Allow single-evaluation queries, e.g. WHERE clause aggregate queries, and functions in the target list to be parallelized (Amit Kapila, Robert Haas)

  • Add server parameter parallel_leader_participation to control whether the leader also executes subplans (Thomas Munro)

    The default is enabled, meaning the leader will execute subplans.

  • Allow parallelization of commands CREATE TABLE ... AS, SELECT INTO, and CREATE MATERIALIZED VIEW (Haribabu Kommi)

  • Improve performance of sequential scans with many parallel workers (David Rowley)

  • Add reporting of parallel workers' sort activity in EXPLAIN (Robert Haas, Tom Lane)

  • Allow B-tree indexes to include columns that are not part of the search key or unique constraint, but are available to be read by index-only scans (Anastasia Lubennikova, Alexander Korotkov, Teodor Sigaev)

    This is enabled by the new INCLUDE clause of CREATE INDEX. It facilitates building “covering indexes” that optimize specific types of queries. Columns can be included even if their data types don't have B-tree support.

  • Improve performance of monotonically increasing index additions (Pavan Deolasee, Peter Geoghegan)

  • Improve performance of hash index scans (Ashutosh Sharma)

  • Add predicate locking for hash, GiST and GIN indexes (Shubham Barai)

    This reduces the likelihood of serialization conflicts in serializable-mode transactions.

  • Add prefix-match operator text ^@ text, which is supported by SP-GiST (Ildus Kurbangaliev)

    This is similar to using var LIKE 'word%' with a btree index, but it is more efficient.

  • Allow polygons to be indexed with SP-GiST (Nikita Glukhov, Alexander Korotkov)

  • Allow SP-GiST to use lossy representation of leaf keys (Teodor Sigaev, Heikki Linnakangas, Alexander Korotkov, Nikita Glukhov)

  • Improve selection of the most common values for statistics (Jeff Janes, Dean Rasheed)

    Previously, the most common values (MCVs) were identified based on their frequency compared to all column values. Now, MCVs are chosen based on their frequency compared to the non-MCV values. This improves the robustness of the algorithm for both uniform and non-uniform distributions.

  • Improve selectivity estimates for >= and <= (Tom Lane)

    Previously, such cases used the same selectivity estimates as > and <, respectively, unless the comparison constants are MCVs. This change is particularly helpful for queries involving BETWEEN with small ranges.

  • Reduce var = var to var IS NOT NULL where equivalent (Tom Lane)

    This leads to better selectivity estimates.

  • Improve optimizer's row count estimates for EXISTS and NOT EXISTS queries (Tom Lane)

  • Make the optimizer account for evaluation costs and selectivity of HAVING clauses (Tom Lane)

  • Add Just-in-Time (JIT) compilation of some parts of query plans to improve execution speed (Andres Freund)

    This feature requires LLVM to be available. It is not currently enabled by default, even in builds that support it.

  • Allow bitmap scans to perform index-only scans when possible (Alexander Kuzmenkov)

  • Update the free space map during VACUUM (Claudio Freire)

    This allows free space to be reused more quickly.

  • Allow VACUUM to avoid unnecessary index scans (Masahiko Sawada, Alexander Korotkov)

  • Improve performance of committing multiple concurrent transactions (Amit Kapila)

  • Reduce memory usage for queries using set-returning functions in their target lists (Andres Freund)

  • Improve the speed of aggregate computations (Andres Freund)

  • Allow postgres_fdw to push UPDATEs and DELETEs using joins to foreign servers (Etsuro Fujita)

    Previously, only non-join UPDATEs and DELETEs were pushed.

  • Add support for large pages on Windows (Takayuki Tsunakawa, Thomas Munro)

    This is controlled by the huge_pages configuration parameter.

  • Show memory usage in output from log_statement_stats, log_parser_stats, log_planner_stats, and log_executor_stats (Justin Pryzby, Peter Eisentraut)

  • Add column pg_stat_activity.backend_type to show the type of a background worker (Peter Eisentraut)

    The type is also visible in ps output.

  • Make log_autovacuum_min_duration log skipped tables that are concurrently being dropped (Nathan Bossart)

  • Add information_schema columns related to table constraints and triggers (Peter Eisentraut)

    Specifically, triggers.action_order, triggers.action_reference_old_table, and triggers.action_reference_new_table are now populated, where before they were always null. Also, table_constraints.enforced now exists but is not yet usefully populated.

  • Allow the server to specify more complex LDAP specifications in search+bind mode (Thomas Munro)

    Specifically, ldapsearchfilter allows pattern matching using combinations of LDAP attributes.

  • Allow LDAP authentication to use encrypted LDAP (Thomas Munro)

    We already supported LDAP over TLS by using ldaptls=1. This new TLS LDAP method for encrypted LDAP is enabled with ldapscheme=ldaps or ldapurl=ldaps://.

  • Improve logging of LDAP errors (Thomas Munro)

  • Add default roles that enable file system access (Stephen Frost)

    Specifically, the new roles are: pg_read_server_files, pg_write_server_files, and pg_execute_server_program. These roles now also control who can use server-side COPY and the file_fdw extension. Previously, only superusers could use these functions, and that is still the default behavior.

  • Allow access to file system functions to be controlled by GRANT/REVOKE permissions, rather than superuser checks (Stephen Frost)

    Specifically, these functions were modified: pg_ls_dir(), pg_read_file(), pg_read_binary_file(), pg_stat_file().

  • Use GRANT/REVOKE to control access to lo_import() and lo_export() (Michael Paquier, Tom Lane)

    Previously, only superusers were granted access to these functions.

    The compile-time option ALLOW_DANGEROUS_LO_FUNCTIONS has been removed.

  • Use view owner not session owner when preventing non-password access to postgres_fdw tables (Robert Haas)

    PostgreSQL only allows superusers to access postgres_fdw tables without passwords, e.g. via peer. Previously, the session owner had to be a superuser to allow such access; now the view owner is checked instead.

  • Fix invalid locking permission check in SELECT FOR UPDATE on views (Tom Lane)

  • Add server setting ssl_passphrase_command to allow supplying of the passphrase for SSL key files (Peter Eisentraut)

    Also add ssl_passphrase_command_supports_reload to specify whether the SSL configuration should be reloaded and ssl_passphrase_command called during a server configuration reload.

  • Add storage parameter toast_tuple_target to control the minimum tuple length before TOAST storage will be considered (Simon Riggs)

    The default TOAST threshold has not been changed.

  • Allow server options related to memory and file sizes to be specified in units of bytes (Beena Emerson)

    The new unit suffix is “B”. This is in addition to the existing units “kB”, “MB”, “GB” and “TB”.

  • Allow the WAL file size to be set during initdb (Beena Emerson)

    Previously, the 16MB default could only be changed at compile time.

  • Retain WAL data for only a single checkpoint (Simon Riggs)

    Previously, WAL was retained for two checkpoints.

  • Fill the unused portion of force-switched WAL segment files with zeros for improved compressibility (Chapman Flack)

  • Replicate TRUNCATE activity when using logical replication (Simon Riggs, Marco Nenciarini, Peter Eisentraut)

  • Pass prepared transaction information to logical replication subscribers (Nikhil Sontakke, Stas Kelvich)

  • Exclude unlogged tables, temporary tables, and pg_internal.init files from streaming base backups (David Steele)

    There is no need to copy such files.

  • Allow checksums of heap pages to be verified during streaming base backup (Michael Banck)

  • Allow replication slots to be advanced programmatically, rather than be consumed by subscribers (Petr Jelinek)

    This allows efficient advancement of replication slots when the contents do not need to be consumed. This is performed by pg_replication_slot_advance().

  • Add timeline information to the backup_label file (Michael Paquier)

    Also add a check that the WAL timeline matches the backup_label file's timeline.

  • Add host and port connection information to the pg_stat_wal_receiver system view (Haribabu Kommi)

  • Allow ALTER TABLE to add a column with a non-null default without doing a table rewrite (Andrew Dunstan, Serge Rielau)

    This is enabled when the default value is a constant.

  • Allow views to be locked by locking the underlying tables (Yugo Nagata)

  • Allow ALTER INDEX to set statistics-gathering targets for expression indexes (Alexander Korotkov, Adrien Nayrat)

    In psql, \d+ now shows the statistics target for indexes.

  • Allow multiple tables to be specified in one VACUUM or ANALYZE command (Nathan Bossart)

    Also, if any table mentioned in VACUUM uses a column list, then the ANALYZE keyword must be supplied; previously, ANALYZE was implied in such cases.

  • Add parenthesized options syntax to ANALYZE (Nathan Bossart)

    This is similar to the syntax supported by VACUUM.

  • Add CREATE AGGREGATE option to specify the behavior of the aggregate's finalization function (Tom Lane)

    This is helpful for allowing user-defined aggregate functions to be optimized and to work as window functions.

  • Allow the creation of arrays of domains (Tom Lane)

    This also allows array_agg() to be used on domains.

  • Support domains over composite types (Tom Lane)

    Also allow PL/Perl, PL/Python, and PL/Tcl to handle composite-domain function arguments and results. Also improve PL/Python domain handling.

  • Add casts from JSONB scalars to numeric and boolean data types (Anastasia Lubennikova)

  • Add all window function framing options specified by SQL:2011 (Oliver Ford, Tom Lane)

    Specifically, allow RANGE mode to use PRECEDING and FOLLOWING to select rows having grouping values within plus or minus the specified offset. Add GROUPS mode to include plus or minus the number of peer groups. Frame exclusion syntax was also added.

  • Add SHA-2 family of hash functions (Peter Eisentraut)

    Specifically, sha224(), sha256(), sha384(), sha512() were added.

  • Add support for 64-bit non-cryptographic hash functions (Robert Haas, Amul Sul)

  • Allow to_char() and to_timestamp() to specify the time zone's offset from UTC in hours and minutes (Nikita Glukhov, Andrew Dunstan)

    This is done with format specifications TZH and TZM.

  • Add text search function websearch_to_tsquery() that supports a query syntax similar to that used by web search engines (Victor Drobny, Dmitry Ivanov)

  • Add functions json(b)_to_tsvector() to create a text search query for matching JSON/JSONB values (Dmitry Dolgov)

  • Add SQL-level procedures, which can start and commit their own transactions (Peter Eisentraut)

    They are created with the new CREATE PROCEDURE command and invoked via CALL.

    The new ALTER/DROP ROUTINE commands allow altering/dropping of all routine-like objects, including procedures, functions, and aggregates.

    Also, writing FUNCTION is now preferred over writing PROCEDURE in CREATE OPERATOR and CREATE TRIGGER, because the referenced object must be a function not a procedure. However, the old syntax is still accepted for compatibility.

  • Add transaction control to PL/pgSQL, PL/Perl, PL/Python, PL/Tcl, and SPI server-side languages (Peter Eisentraut)

    Transaction control is only available within top-transaction-level procedures and nested DO and CALL blocks that only contain other DO and CALL blocks.

  • Add the ability to define PL/pgSQL composite-type variables as not null, constant, or with initial values (Tom Lane)

  • Allow PL/pgSQL to handle changes to composite types (e.g. record, row) that happen between the first and later function executions in the same session (Tom Lane)

    Previously, such circumstances generated errors.

  • Add extension jsonb_plpython to transform JSONB to/from PL/Python types (Anthony Bykov)

  • Add extension jsonb_plperl to transform JSONB to/from PL/Perl types (Anthony Bykov)

  • Change libpq to disable compression by default (Peter Eisentraut)

    Compression is already disabled in modern OpenSSL versions, so that the libpq setting had no effect with such libraries.

  • Add DO CONTINUE option to ecpg's WHENEVER statement (Vinayak Pokale)

    This generates a C continue statement, causing a return to the top of the contained loop when the specified condition occurs.

  • Add an ecpg mode to enable Oracle Pro*C-style handling of char arrays.

    This mode is enabled with -C.

  • Add psql command \gdesc to display the names and types of the columns in a query result (Pavel Stehule)

  • Add psql variables to report query activity and errors (Fabien Coelho)

    Specifically, the new variables are ERROR, SQLSTATE, ROW_COUNT, LAST_ERROR_MESSAGE, and LAST_ERROR_SQLSTATE.

  • Allow psql to test for the existence of a variable (Fabien Coelho)

    Specifically, the syntax :{?variable_name} allows a variable's existence to be tested in an \if statement.

  • Allow environment variable PSQL_PAGER to control psql's pager (Pavel Stehule)

    This allows psql's default pager to be specified as a separate environment variable from the pager for other applications. PAGER is still honored if PSQL_PAGER is not set.

  • Make psql's \d+ command always show the table's partitioning information (Amit Langote, Ashutosh Bapat)

    Previously, partition information would not be displayed for a partitioned table if it had no partitions. Also indicate which partitions are themselves partitioned.

  • Ensure that psql reports the proper user name when prompting for a password (Tom Lane)

    Previously, combinations of -U and a user name embedded in a URI caused incorrect reporting. Also suppress the user name before the password prompt when --password is specified.

  • Allow quit and exit to exit psql when given with no prior input (Bruce Momjian)

    Also print hints about how to exit when quit and exit are used alone on a line while the input buffer is not empty. Add a similar hint for help.

  • Make psql hint at using control-D when \q is entered alone on a line but ignored (Bruce Momjian)

    For example, \q does not exit when supplied in character strings.

  • Improve tab completion for ALTER INDEX RESET/SET (Masahiko Sawada)

  • Add infrastructure to allow psql to adapt its tab completion queries based on the server version (Tom Lane)

    Previously, tab completion queries could fail against older servers.

  • Add pgbench expression support for NULLs, booleans, and some functions and operators (Fabien Coelho)

  • Add \if conditional support to pgbench (Fabien Coelho)

  • Allow the use of non-ASCII characters in pgbench variable names (Fabien Coelho)

  • Add pgbench option --init-steps to control the initialization steps performed (Masahiko Sawada)

  • Add an approximately Zipfian-distributed random generator to pgbench (Alik Khilazhev)

  • Allow the random seed to be set in pgbench (Fabien Coelho)

  • Allow pgbench to do exponentiation with pow() and power() (Raúl Marín Rodríguez)

  • Add hashing functions to pgbench (Ildar Musin)

  • Make pgbench statistics more accurate when using --latency-limit and --rate (Fabien Coelho)

  • Add an option to pg_basebackup that creates a named replication slot (Michael Banck)

    The option --create-slot creates the named replication slot (--slot) when the WAL streaming method (--wal-method=stream) is used.

  • Allow initdb to set group read access to the data directory (David Steele)

    This is accomplished with the new initdb option --allow-group-access. Administrators can also set group permissions on the empty data directory before running initdb. Server variable data_directory_mode allows reading of data directory group permissions.

  • Add pg_verify_checksums tool to verify database checksums while offline (Magnus Hagander)

  • Allow pg_resetwal to change the WAL segment size via --wal-segsize (Nathan Bossart)

  • Add long options to pg_resetwal and pg_controldata (Nathan Bossart, Peter Eisentraut)

  • Add pg_receivewal option --no-sync to prevent synchronous WAL writes, for testing (Michael Paquier)

  • Add pg_receivewal option --endpos to specify when WAL receiving should stop (Michael Paquier)

  • Allow pg_ctl to send the SIGKILL signal to processes (Andres Freund)

    This was previously unsupported due to concerns over possible misuse.

  • Reduce the number of files copied by pg_rewind (Michael Paquier)

  • Prevent pg_rewind from running as root (Michael Paquier)

  • Add pg_dumpall option --encoding to control output encoding (Michael Paquier)

    pg_dump already had this option.

  • Add pg_dump option --load-via-partition-root to force loading of data into the partition's root table, rather than the original partition (Rushabh Lathia)

    This is useful if the system to be loaded to has different collation definitions or endianness, possibly requiring rows to be stored in different partitions than previously.

  • Add an option to suppress dumping and restoring database object comments (Robins Tharakan)

    The new pg_dump, pg_dumpall, and pg_restore option is --no-comments.

  • Add PGXS support for installing include files (Andrew Gierth)

    This supports creating extension modules that depend on other modules. Formerly there was no easy way for the dependent module to find the referenced one's include files. Several existing contrib modules that define data types have been adjusted to install relevant files. Also, PL/Perl and PL/Python now install their include files, to support creation of transform modules for those languages.

  • Install errcodes.txt to allow extensions to access the list of error codes known to PostgreSQL (Thomas Munro)

  • Convert documentation to DocBook XML (Peter Eisentraut, Alexander Lakhin, Jürgen Purtz)

    The file names still use an sgml extension for compatibility with back branches.

  • Use stdbool.h to define type bool on platforms where it's suitable, which is most (Peter Eisentraut)

    This eliminates a coding hazard for extension modules that need to include stdbool.h.

  • Overhaul the way that initial system catalog contents are defined (John Naylor)

    The initial data is now represented in Perl data structures, making it much easier to manipulate mechanically.

  • Prevent extensions from creating custom server parameters that take a quoted list of values (Tom Lane)

    This cannot be supported at present because knowledge of the parameter's property would be required even before the extension is loaded.

  • Add ability to use channel binding when using SCRAM authentication (Michael Paquier)

    Channel binding is intended to prevent man-in-the-middle attacks, but SCRAM cannot prevent them unless it can be forced to be active. Unfortunately, there is no way to do that in libpq. Support for it is expected in future versions of libpq and in interfaces not built using libpq, e.g. JDBC.

  • Allow background workers to attach to databases that normally disallow connections (Magnus Hagander)

  • Add support for hardware CRC calculations on ARMv8 (Yuqi Gu, Heikki Linnakangas, Thomas Munro)

  • Speed up lookups of built-in functions by OID (Andres Freund)

    The previous binary search has been replaced by a lookup array.

  • Speed up construction of query results (Andres Freund)

  • Improve speed of access to system caches (Andres Freund)

  • Add a generational memory allocator which is optimized for serial allocation/deallocation (Tomas Vondra)

    This reduces memory usage for logical decoding.

  • Make the computation of pg_class.reltuples by VACUUM consistent with its computation by ANALYZE (Tomas Vondra)

  • Update to use perltidy version 20170521 (Tom Lane, Peter Eisentraut)

  • Allow extension pg_prewarm to restore the previous shared buffer contents on startup (Mithun Cy, Robert Haas)

    This is accomplished by having pg_prewarm store the shared buffers' relation and block number data to disk occasionally during server operation, and at shutdown.

  • Add pg_trgm function strict_word_similarity() to compute the similarity of whole words (Alexander Korotkov)

    The function word_similarity() already existed for this purpose, but it was designed to find similar parts of words, while strict_word_similarity() computes the similarity to whole words.

  • Allow btree_gin to index bool, bpchar, name and uuid data types (Matheus Oliveira)

  • Allow cube and seg extensions to perform index-only scans using GiST indexes (Andrey Borodin)

  • Allow retrieval of negative cube coordinates using the ~> operator (Alexander Korotkov)

    This is useful for KNN-GiST searches when looking for coordinates in descending order.

  • Add Vietnamese letter handling to the unaccent extension (Dang Minh Huong, Michael Paquier)

  • Enhance amcheck to check that each heap tuple has an index entry (Peter Geoghegan)

  • Have adminpack use the new default file system access roles (Stephen Frost)

    Previously, only superusers could call adminpack functions; now role permissions are checked.

  • Widen pg_stat_statement's query ID to 64 bits (Robert Haas)

    This greatly reduces the chance of query ID hash collisions. The query ID can now potentially display as a negative value.

  • Remove the contrib/start-scripts/osx scripts since they are no longer recommended (use contrib/start-scripts/macos instead) (Tom Lane)

  • Remove the chkpass extension (Peter Eisentraut)

    This extension is no longer considered to be a usable security tool or example of how to write an extension.

• ⇑ Upgrade to 11.1 released on 2018-11-08 - docs

  • Apply the tablespace specified for a partitioned index when creating a child index (Álvaro Herrera)

    Previously, child indexes were always created in the default tablespace.

  • Fix NULL handling in parallel hashed multi-batch left joins (Andrew Gierth, Thomas Munro)

    Outer-relation rows with null values of the hash key were omitted from the join result.

  • Fix incorrect processing of an array-type coercion expression appearing within a CASE clause that has a constant test expression (Tom Lane)

  • Fix incorrect expansion of tuples lacking recently-added columns (Andrew Dunstan, Amit Langote)

    This is known to lead to crashes in triggers on tables with recently-added columns, and could have other symptoms as well.

  • Fix bugs with named or defaulted arguments in CALL argument lists (Tom Lane, Pavel Stehule)

  • Fix strictness check for strict aggregates with ORDER BY columns (Andrew Gierth, Andres Freund)

    The strictness logic incorrectly ignored rows for which the ORDER BY value(s) were null.

  • Disable recheck_on_update optimization (Tom Lane)

    This new-in-v11 feature turns out not to have been ready for prime time. Disable it until something can be done about it.

  • Fix pg_verify_checksums's determination of which files to check the checksums of (Michael Paquier)

    In some cases it complained about files that are not expected to have checksums.

  • In contrib/pg_stat_statements, disallow the pg_read_all_stats role from executing pg_stat_statements_reset() (Haribabu Kommi)

    pg_read_all_stats is only meant to grant permission to read statistics, not to change them, so this grant was incorrect.

    To cause this change to take effect, run ALTER EXTENSION pg_stat_statements UPDATE in each database where pg_stat_statements has been installed. (A database freshly created in 11.0 should not need this, but a database upgraded from a previous release probably still contains the old version of pg_stat_statements. The UPDATE command is harmless if the module was already updated.)

• ⇑ Upgrade to 11.2 released on 2019-02-14 - docs

  • Fix handling of unique indexes with INCLUDE columns on partitioned tables (Álvaro Herrera)

    The uniqueness condition was not checked properly in such cases.

  • Update catalog state correctly for partition table constraints when detaching their partition (Amit Langote, Álvaro Herrera)

    Previously, the pg_constraint.conislocal field for such a constraint might improperly be left as false, rendering it undroppable. A dump/restore or pg_upgrade would cure the problem, but if necessary, the catalog field can be adjusted manually.

  • Create or delete foreign key enforcement triggers correctly when attaching or detaching a partition in a partitioned table that has a foreign-key constraint (Amit Langote, Álvaro Herrera)

  • Avoid useless creation of duplicate foreign key constraints in partitioned tables (Álvaro Herrera)

  • When an index is created on a partitioned table using ONLY, and there are no partitions yet, mark it valid immediately (Álvaro Herrera)

    Otherwise there is no way to make it become valid.

  • Fix possible index corruption when the indexed column has a “fast default” (that is, it was added by ALTER TABLE ADD COLUMN with a constant non-NULL default value specified, after the table already contained some rows) (Andres Freund)

  • Correctly adjust “fast default” values during ALTER TABLE ... ALTER COLUMN TYPE (Andrew Dunstan)

  • Fix crash when zero rows are fed to json[b]_populate_recordset() or json[b]_to_recordset() (Tom Lane)

  • Fix incorrect JIT tuple deforming code for tables with many columns (more than approximately 800) (Andres Freund)

  • Fix performance and memory leakage issues in hash-based grouping (Andres Freund)

  • Fix parsing of collation-sensitive expressions in the arguments of a CALL statement (Peter Eisentraut)

  • Ensure proper cleanup after detecting an error in the argument list of a CALL statement (Tom Lane)

  • Fix planner failure when the first column of a row comparison matches an index column, but later column(s) do not, and the index has included (non-key) columns (Tom Lane)

  • Improve planning speed for large inheritance or partitioning table groups (Amit Langote, Etsuro Fujita)

  • Fix parsing of space-separated lists of host names in the ldapserver parameter of LDAP authentication entries in pg_hba.conf (Thomas Munro)

  • Make pgbench's random number generation fully deterministic and platform-independent when --random-seed=N is specified (Fabien Coelho, Tom Lane)

    On any specific platform, the sequence obtained with a particular value of N will probably be different from what it was before this patch.

  • Fix pg_basebackup and pg_verify_checksums to ignore temporary files appropriately (Michael Banck, Michael Paquier)

  • Make pg_dump include ALTER INDEX SET STATISTICS commands (Michael Paquier)

    When the ability to attach statistics targets to index expressions was added, we forgot to teach pg_dump about it, so that such settings were lost in dump/reload.

  • Fix pg_dump's dumping of tables that have OIDs (Peter Eisentraut)

    The WITH OIDS clause was omitted if it needed to be applied to the first table to be dumped.

  • Prevent false index-corruption reports from contrib/amcheck caused by inline-compressed data (Peter Geoghegan)

  • Include JIT-related headers in the installed set of header files (Donald Dong)

• ⇑ Upgrade to 11.3 released on 2019-05-09 - docs

  • Avoid access to already-freed memory during partition routing error reports (Michael Paquier)

    This mistake could lead to a crash, and in principle it might be possible to use it to disclose server memory contents. (CVE-2019-10129)

  • Avoid catalog corruption when an ALTER TABLE on a partitioned table finds that a partitioned index is reusable (Amit Langote, Tom Lane)

    This occurs, for example, when ALTER COLUMN TYPE finds that no physical table rewrite is required.

  • Fix failure in ALTER INDEX ... ATTACH PARTITION if the partitioned table contains more dropped columns than its partition does (Álvaro Herrera)

  • Fix failure to attach a partition's existing index to a newly-created partitioned index in some cases (Amit Langote, Álvaro Herrera)

    This would lead to errors such as “index ... not found in partition” in subsequent DDL that uses the partitioned index.

  • Fix tuple routing in multi-level partitioned tables that have dropped attributes (Amit Langote, Michael Paquier)

  • Fix failure when the slow path of foreign key constraint initial validation is applied to partitioned tables (Hadi Moshayedi, Tom Lane, Andres Freund)

    This didn't manifest except in the uncommon cases where the fast path can't be used (such as permissions problems).

  • When accessing a partition directly, and constraint_exclusion is set to on, use the partition's partition constraint as well as any CHECK constraints for exclusion checking (Amit Langote, Tom Lane)

    This change restores the behavior to what it was in v10.

  • Avoid server crash when an error occurs while trying to persist a cursor query across a transaction commit (Tom Lane)

    If a procedure attempts to commit while it has an open explicit or implicit cursor (for example, a PL/pgSQL FOR-loop query), the cursor must be executed to completion and its results saved before the transaction commit can be performed. An error occurring during such execution led to a crash.

  • Avoid possible division-by-zero in btree index vacuum logic (Piotr Stefaniak, Alexander Korotkov)

    This could lead to incorrect decisions about whether index cleanup is needed.

  • Avoid server memory leak when fetching rows from a portal one at a time (Tom Lane)

  • Avoid crash when trying to plan a partition-wise join when GEQO is active (Tom Lane)

  • Fix planner's parallel-safety assessment for grouped queries (Etsuro Fujita)

    Previously, target-list evaluation work that could have been parallelized might not be.

  • Fix mishandling of “included” index columns in planner's unique-index logic (Tom Lane)

    This could result in failing to recognize that a unique index with included columns proves uniqueness of a query result, leading to a poor plan.

  • Fix incorrect strictness check for array coercion expressions (Tom Lane)

    This might allow, for example, incorrect inlining of a strict SQL function, leading to non-enforcement of the strictness condition.

  • Fix authentication failure when attempting to use SCRAM authentication with mixed OpenSSL library versions (Michael Paquier, Peter Eisentraut)

    If libpq is using OpenSSL 1.0.1 or older while the server is using OpenSSL 1.0.2 or newer, the negotiation of which SASL mechanism to use went wrong, leading to a confusing “channel binding not supported by this build” error message.

  • Create the current_logfiles file with the same permissions as other files in the server's data directory (Haribabu Kommi)

    Previously it used the permissions specified by log_file_mode, but that can cause problems for backup utilities.

  • Fix pg_rewind failures due to failure to remove some transient files in the target data directory (Michael Paquier)

  • Make pg_verify_checksums verify that the data directory it's pointed at is of the right PostgreSQL version (Michael Paquier)

  • Change contrib/postgres_fdw to report an error when a remote partition chosen to insert a routed row into is also an UPDATE subplan target that will be updated later in the same command (Amit Langote, Etsuro Fujita)

    Previously, such situations led to server crashes or incorrect results of the UPDATE. Allowing such cases to work correctly is a matter for future work.

  • In contrib/pg_prewarm, avoid indefinitely respawning background worker processes if prewarming fails for some reason (Mithun Cy)

• ⇑ Upgrade to 11.4 released on 2019-06-20 - docs

  • Fix assorted errors in run-time partition pruning logic (Tom Lane, Amit Langote, David Rowley)

    These mistakes could lead to wrong answers in queries on partitioned tables, if the comparison value used for pruning is dynamically determined, or if multiple range-partitioned columns are involved in pruning decisions, or if stable (not immutable) comparison operators are involved.

  • Fix possible crash while trying to copy trigger definitions to a new partition (Tom Lane)

  • Fix incorrect argument null-ness checking during partial aggregation of aggregates with zero or multiple arguments (David Rowley, Kyotaro Horiguchi, Andres Freund)

  • Avoid writing an invalid empty btree index page in the unlikely case that a failure occurs while processing INCLUDEd columns during a page split (Peter Geoghegan)

    The invalid page would not affect normal index operations, but it might cause failures in subsequent VACUUMs. If that has happened to one of your indexes, recover by reindexing the index.

• ⇑ Upgrade to 11.5 released on 2019-08-08 - docs

  • Fix execution of hashed subplans that require cross-type comparison (Tom Lane, Andreas Seltenreich)

    Hashed subplans used the outer query's original comparison operator to compare entries of the hash table. This is the wrong thing if that operator is cross-type, since all the hash table entries will be of the subquery's output type. For the set of hashable cross-type operators in core PostgreSQL, this mistake seems nearly harmless on 64-bit machines, but it can result in crashes or perhaps unauthorized disclosure of server memory on 32-bit machines. Extensions might provide hashable cross-type operators that create larger risks. (CVE-2019-10209)

  • Prevent dropping a partitioned table's trigger if there are pending trigger events in child partitions (Álvaro Herrera)

    This notably applies to foreign key constraints, since those are implemented by triggers.

  • Include user-specified trigger arguments when copying a trigger definition from a partitioned table to one of its partitions (Patrick McHardy)

  • Ensure that column numbers are correctly mapped between a partitioned table and its default partition (Amit Langote)

    Some operations misbehaved if the mapping wasn't exactly one-to-one, for example if there were dropped columns in one table and not the other.

  • Ignore partitions that are foreign tables when creating indexes on partitioned tables (Álvaro Herrera)

    Previously an error was thrown on encountering a foreign-table partition, but that's unhelpful and doesn't protect against any actual problem.

  • Prune a partitioned table's default partition (that is, avoid uselessly scanning it) in more cases (Yuzuko Hosoya)

  • Fix possible failure to prune partitions when there are multiple partition key columns of boolean type (David Rowley)

  • Avoid incorrect use of parallel hash join for semi-join queries (Thomas Munro)

    This error resulted in duplicate result rows from some EXISTS queries.

  • Fix possible failure of planner's index endpoint probes (Tom Lane)

    When using a recently-created index to determine the minimum or maximum value of a column, the planner could select a recently-dead tuple that does not actually contain the endpoint value. In the worst case the tuple might contain a null, resulting in a visible error “found unexpected null value in index”; more likely we would just end up using the wrong value, degrading the quality of planning estimates.

  • Fix printing of BTREE_META_CLEANUP WAL records (Michael Paquier)

  • Prevent assertion failures due to mishandling of version-2 btree metapages (Peter Geoghegan)

  • Ensure that a record or row value returned from a PL/pgSQL function is marked with the function's declared composite type (Tom Lane)

    This avoids problems if the result is stored directly into a table.

  • Improve reliability of contrib/amcheck's index verification (Peter Geoghegan)

  • Fix handling of Perl undef values in contrib/jsonb_plperl (Ivan Panchenko)

  • Improve stability of src/test/kerberos and src/test/ldap regression tests (Thomas Munro, Tom Lane)

  • Fix pgbench regression tests to work on Windows (Fabien Coelho)

• ⇑ Upgrade to 12 released on 2019-10-03 - docs

  • Remove the special behavior of oid columns (Andres Freund, John Naylor)

    Previously, a normally-invisible oid column could be specified during table creation using WITH OIDS; that ability has been removed. Columns can still be explicitly declared as type oid. Operations on tables that have columns created using WITH OIDS will need adjustment.

    The system catalogs that previously had hidden oid columns now have ordinary oid columns. Hence, SELECT * will now output those columns, whereas previously they would be displayed only if selected explicitly.

  • Remove data types abstime, reltime, and tinterval (Andres Freund)

    These are obsoleted by SQL-standard types such as timestamp.

  • Remove the timetravel extension (Andres Freund)

  • Move recovery.conf settings into postgresql.conf (Masao Fujii, Simon Riggs, Abhijit Menon-Sen, Sergei Kornilov)

    recovery.conf is no longer used, and the server will not start if that file exists. recovery.signal and standby.signal files are now used to switch into non-primary mode. The trigger_file setting has been renamed to promote_trigger_file. The standby_mode setting has been removed.

  • Do not allow multiple conflicting recovery_target* specifications (Peter Eisentraut)

    Specifically, only allow one of recovery_target, recovery_target_lsn, recovery_target_name, recovery_target_time, and recovery_target_xid. Previously, multiple different instances of these parameters could be specified, and the last one was honored. Now, only one can be specified, though the same one can be specified multiple times and the last specification is honored.

  • Cause recovery to advance to the latest timeline by default (Peter Eisentraut)

    Specifically, recovery_target_timeline now defaults to latest. Previously, it defaulted to current.

  • Refactor code for geometric functions and operators (Emre Hasegeli)

    This could lead to more accurate, but slightly different, results compared to previous releases. Notably, cases involving NaN, underflow, overflow, and division by zero are handled more consistently than before.

  • Improve performance by using a new algorithm for output of real and double precision values (Andrew Gierth)

    Previously, displayed floating-point values were rounded to 6 (for real) or 15 (for double precision) digits by default, adjusted by the value of extra_float_digits. Now, whenever extra_float_digits is more than zero (as it now is by default), only the minimum number of digits required to preserve the exact binary value are output. The behavior is the same as before when extra_float_digits is set to zero or less.

    Also, formatting of floating-point exponents is now uniform across platforms: two digits are used unless three are necessary. In previous releases, Windows builds always printed three digits.

  • random() and setseed() now behave uniformly across platforms (Tom Lane)

    The sequence of random() values generated following a setseed() call with a particular seed value is likely to be different now than before. However, it will also be repeatable, which was not previously guaranteed because of interference from other uses of random numbers inside the server. The SQL random() function now has its own private per-session state to forestall that.

  • Change SQL-style substring() to have standard-compliant greediness behavior (Tom Lane)

    In cases where the pattern can be matched in more than one way, the initial sub-pattern is now treated as matching the least possible amount of text rather than the greatest; for example, a pattern such as %#"aa*#"% now selects the first group of a's from the input, not the last group.

  • Do not pretty-print the result of xpath() or the XMLTABLE construct (Tom Lane)

    In some cases, these functions would insert extra whitespace (newlines and/or spaces) in nodeset values. This is undesirable since depending on usage, the whitespace might be considered semantically significant.

  • Rename command-line tool pg_verify_checksums to pg_checksums (Michaël Paquier)

  • In pg_restore, require specification of -f - to send the dump contents to standard output (Euler Taveira)

    Previously, this happened by default if no destination was specified, but that was deemed to be unfriendly.

  • Disallow non-unique abbreviations in psql's \pset format command (Daniel Vérité)

    Previously, for example, \pset format a chose aligned; it will now fail since that could equally well mean asciidoc.

  • In new btree indexes, the maximum index entry length is reduced by eight bytes, to improve handling of duplicate entries (Peter Geoghegan)

    This means that a REINDEX operation on an index pg_upgrade'd from a previous release could potentially fail.

  • Cause DROP IF EXISTS FUNCTION/PROCEDURE/AGGREGATE/ROUTINE to generate an error if no argument list is supplied and there are multiple matching objects (David Rowley)

    Also improve the error message in such cases.

  • Split the pg_statistic_ext catalog into two catalogs, and add the pg_stats_ext view of it (Dean Rasheed, Tomas Vondra)

    This change supports hiding potentially-sensitive statistics data from unprivileged users.

  • Remove obsolete pg_constraint.consrc column (Peter Eisentraut)

  • Remove obsolete pg_attrdef.adsrc column (Peter Eisentraut)

  • Mark table columns of type name as having “C” collation by default (Tom Lane, Daniel Vérité)

    The comparison operators for data type name can now use any collation, rather than always using “C” collation. To preserve the previous semantics of queries, columns of type name are now explicitly marked as having “C” collation. A side effect of this is that regular-expression operators on name columns will now use the “C” collation by default, not the database collation, to determine the behavior of locale-dependent regular expression patterns (such as \w). If you want non-C behavior for a regular expression on a name column, attach an explicit COLLATE clause. (For user-defined name columns, another possibility is to specify a different collation at table creation time; but that just moves the non-backwards-compatibility to the comparison operators.)

  • Treat object-name columns in the information_schema views as being of type name, not varchar (Tom Lane)

    Per the SQL standard, object-name columns in the information_schema views are declared as being of domain type sql_identifier. In PostgreSQL, the underlying catalog columns are really of type name. This change makes sql_identifier be a domain over name, rather than varchar as before. This eliminates a semantic mismatch in comparison and sorting behavior, which can greatly improve the performance of queries on information_schema views that restrict an object-name column. Note however that inequality restrictions, for example

    SELECT ... FROM information_schema.tables WHERE table_name < 'foo';
    

    will now use “C”-locale comparison semantics by default, rather than the database's default collation as before. Sorting on these columns will also follow “C” ordering rules. The previous behavior (and inefficiency) can be enforced by adding a COLLATE "default" clause.

  • Remove the ability to disable dynamic shared memory (Kyotaro Horiguchi)

    Specifically, dynamic_shared_memory_type can no longer be set to none.

  • Parse libpq integer connection parameters more strictly (Fabien Coelho)

    In previous releases, using an incorrect integer value for connection parameters connect_timeout, keepalives, keepalives_count, keepalives_idle, keepalives_interval and port resulted in libpq either ignoring those values or failing with incorrect error messages.

  • Improve performance of many operations on partitioned tables (Amit Langote, David Rowley, Tom Lane, Álvaro Herrera)

    Allow tables with thousands of child partitions to be processed efficiently by operations that only affect a small number of partitions.

  • Allow foreign keys to reference partitioned tables (Álvaro Herrera)

  • Improve speed of COPY into partitioned tables (David Rowley)

  • Allow partition bounds to be any expression (Kyotaro Horiguchi, Tom Lane, Amit Langote)

    Such expressions are evaluated at partitioned-table creation time. Previously, only simple constants were allowed as partition bounds.

  • Allow CREATE TABLE's tablespace specification for a partitioned table to affect the tablespace of its children (David Rowley, Álvaro Herrera)

  • Avoid sorting when partitions are already being scanned in the necessary order (David Rowley)

  • ALTER TABLE ATTACH PARTITION is now performed with reduced locking requirements (Robert Haas)

  • Add partition introspection functions (Michaël Paquier, Álvaro Herrera, Amit Langote)

    The new function pg_partition_root() returns the top-most parent of a partition tree, pg_partition_ancestors() reports all ancestors of a partition, and pg_partition_tree() displays information about partitions.

  • Include partitioned indexes in the system view pg_indexes (Suraj Kharage)

  • Add psql command \dP to list partitioned tables and indexes (Pavel Stehule)

  • Improve psql \d and \z display of partitioned tables (Pavel Stehule, Michaël Paquier, Álvaro Herrera)

  • Fix bugs that could cause ALTER TABLE DETACH PARTITION to leave behind incorrect dependency state, allowing subsequent operations to misbehave, for example by not dropping a former partition child index when its table is dropped (Tom Lane)

  • Improve performance and space utilization of btree indexes with many duplicates (Peter Geoghegan, Heikki Linnakangas)

    Previously, duplicate index entries were stored unordered within their duplicate groups. This caused overhead during index inserts, wasted space due to excessive page splits, and it reduced VACUUM's ability to recycle entire pages. Duplicate index entries are now sorted in heap-storage order.

    Indexes pg_upgrade'd from previous releases will not have these benefits.

  • Allow multi-column btree indexes to be smaller (Peter Geoghegan, Heikki Linnakangas)

    Internal pages and min/max leaf page indicators now only store index keys until the change key, rather than all indexed keys. This also improves the locality of index access.

    Indexes pg_upgrade'd from previous releases will not have these benefits.

  • Improve speed of btree index insertions by reducing locking overhead (Alexander Korotkov)

  • Support INCLUDE columns in GiST indexes (Andrey Borodin)

  • Add support for nearest-neighbor (KNN) searches of SP-GiST indexes (Nikita Glukhov, Alexander Korotkov, Vlad Sterzhanov)

  • Reduce the WAL write overhead of GiST, GIN, and SP-GiST index creation (Anastasia Lubennikova, Andrey V. Lepikhov)

  • Allow index-only scans to be more efficient on indexes with many columns (Konstantin Knizhnik)

  • Improve the performance of vacuum scans of GiST indexes (Andrey Borodin, Konstantin Kuznetsov, Heikki Linnakangas)

  • Delete empty leaf pages during GiST VACUUM (Andrey Borodin)

  • Reduce locking requirements for index renaming (Peter Eisentraut)

  • Allow CREATE STATISTICS to create most-common-value statistics for multiple columns (Tomas Vondra)

    This improves optimization for queries that test several columns, requiring an estimate of the combined effect of several WHERE clauses. If the columns are correlated and have non-uniform distributions then multi-column statistics will allow much better estimates.

  • Allow common table expressions (CTEs) to be inlined into the outer query (Andreas Karlsson, Andrew Gierth, David Fetter, Tom Lane)

    Specifically, CTEs are automatically inlined if they have no side-effects, are not recursive, and are referenced only once in the query. Inlining can be prevented by specifying MATERIALIZED, or forced for multiply-referenced CTEs by specifying NOT MATERIALIZED. Previously, CTEs were never inlined and were always evaluated before the rest of the query.

  • Allow control over when generic plans are used for prepared statements (Pavel Stehule)

    This is controlled by the plan_cache_mode server parameter.

  • Improve optimization of partition and UNION ALL queries that have only a single child (David Rowley)

  • Improve processing of domains that have no check constraints (Tom Lane)

    Domains that are being used purely as type aliases no longer cause optimization difficulties.

  • Pre-evaluate calls of LEAST and GREATEST when their arguments are constants (Vik Fearing)

  • Improve optimizer's ability to verify that partial indexes with IS NOT NULL conditions are usable in queries (Tom Lane, James Coleman)

    Usability can now be recognized in more cases where the calling query involves casts or large x IN (array) clauses.

  • Compute ANALYZE statistics using the collation defined for each column (Tom Lane)

    Previously, the database's default collation was used for all statistics. This potentially gives better optimizer behavior for columns with non-default collations.

  • Improve selectivity estimates for inequality comparisons on ctid columns (Edmund Horner)

  • Improve optimization of joins on columns of type tid (Tom Lane)

    These changes primarily improve the efficiency of self-joins on ctid columns.

  • Fix the leakproofness designations of some btree comparison operators and support functions (Tom Lane)

    This allows some optimizations that previously would not have been applied in the presence of security barrier views or row-level security.

  • Enable Just-in-Time (JIT) compilation by default, if the server has been built with support for it (Andres Freund)

    Note that this support is not built by default, but has to be selected explicitly while configuring the build.

  • Speed up keyword lookup (John Naylor, Joerg Sonnenberger, Tom Lane)

  • Improve search performance for multi-byte characters in position() and related functions (Heikki Linnakangas)

  • Allow toasted values to be minimally decompressed (Paul Ramsey)

    This is useful for routines that only need to examine the initial portion of a toasted field.

  • Allow ALTER TABLE ... SET NOT NULL to avoid unnecessary table scans (Sergei Kornilov)

    This can be optimized when the table's column constraints can be recognized as disallowing nulls.

  • Allow ALTER TABLE ... SET DATA TYPE changing between timestamp and timestamptz to avoid a table rewrite when the session time zone is UTC (Noah Misch)

    In the UTC time zone, these two data types are binary compatible.

  • Improve speed in converting strings to int2 or int4 integers (Andres Freund)

  • Allow parallelized queries when in SERIALIZABLE isolation mode (Thomas Munro)

    Previously, parallelism was disabled when in this mode.

  • Use pread() and pwrite() for random I/O (Oskari Saarenmaa, Thomas Munro)

    This reduces the number of system calls required for I/O.

  • Improve the speed of setting the process title on FreeBSD (Thomas Munro)

  • Allow logging of statements from only a percentage of transactions (Adrien Nayrat)

    The parameter log_transaction_sample_rate controls this.

  • Add progress reporting to CREATE INDEX and REINDEX operations (Álvaro Herrera, Peter Eisentraut)

    Progress is reported in the pg_stat_progress_create_index system view.

  • Add progress reporting to CLUSTER and VACUUM FULL (Tatsuro Yamada)

    Progress is reported in the pg_stat_progress_cluster system view.

  • Add progress reporting to pg_checksums (Michael Banck, Bernd Helmle)

    This is enabled with the option --progress.

  • Add counter of checksum failures to pg_stat_database (Magnus Hagander)

  • Add tracking of global objects in system view pg_stat_database (Julien Rouhaud)

    Global objects are shown with a pg_stat_database.datid value of zero.

  • Add the ability to list the contents of the archive directory (Christoph Moench-Tegeder)

    The function is pg_ls_archive_statusdir().

  • Add the ability to list the contents of temporary directories (Nathan Bossart)

    The function, pg_ls_tmpdir(), optionally allows specification of a tablespace.

  • Add information about the client certificate to the system view pg_stat_ssl (Peter Eisentraut)

    The new columns are client_serial and issuer_dn. Column clientdn has been renamed to client_dn for clarity.

  • Restrict visibility of rows in pg_stat_ssl for unprivileged users (Peter Eisentraut)

  • At server start, emit a log message including the server version number (Christoph Berg)

  • Prevent logging “incomplete startup packet” if a new connection is immediately closed (Tom Lane)

    This avoids log spam from certain forms of monitoring.

  • Include the application_name, if set, in log_connections log messages (Don Seiler)

  • Make the walreceiver set its application name to the cluster name, if set (Peter Eisentraut)

  • Add the timestamp of the last received standby message to pg_stat_replication (Lim Myungkyu)

  • Add a wait event for fsync of WAL segments (Konstantin Knizhnik)

  • Add GSSAPI encryption support (Robbie Harwood, Stephen Frost)

    This feature allows TCP/IP connections to be encrypted when using GSSAPI authentication, without having to set up a separate encryption facility such as SSL. In support of this, add hostgssenc and hostnogssenc record types in pg_hba.conf for selecting connections that do or do not use GSSAPI encryption, corresponding to the existing hostssl and hostnossl record types. There is also a new gssencmode libpq option, and a pg_stat_gssapi system view.

  • Allow the clientcert pg_hba.conf option to check that the database user name matches the client certificate's common name (Julian Markwort, Marius Timmer)

    This new check is enabled with clientcert=verify-full.

  • Allow discovery of an LDAP server using DNS SRV records (Thomas Munro)

    This avoids the requirement of specifying ldapserver. It is only supported if PostgreSQL is compiled with OpenLDAP.

  • Add ability to enable/disable cluster checksums using pg_checksums (Michael Banck, Michaël Paquier)

    The cluster must be shut down for these operations.

  • Reduce the default value of autovacuum_vacuum_cost_delay to 2ms (Tom Lane)

    This allows autovacuum operations to proceed faster by default.

  • Allow vacuum_cost_delay to specify sub-millisecond delays, by accepting fractional values (Tom Lane)

  • Allow time-based server parameters to use units of microseconds (us) (Tom Lane)

  • Allow fractional input for integer server parameters (Tom Lane)

    For example, SET work_mem = '30.1GB' is now allowed, even though work_mem is an integer parameter. The value will be rounded to an integer after any required units conversion.

  • Allow units to be defined for floating-point server parameters (Tom Lane)

  • Add wal_recycle and wal_init_zero server parameters to control WAL file recycling (Jerry Jelinek)

    Avoiding file recycling can be beneficial on copy-on-write file systems like ZFS.

  • Add server parameter tcp_user_timeout to control the server's TCP timeout (Ryohei Nagaura)

  • Allow control of the minimum and maximum SSL protocol versions (Peter Eisentraut)

    The server parameters are ssl_min_protocol_version and ssl_max_protocol_version.

  • Add server parameter ssl_library to report the SSL library version used by the server (Peter Eisentraut)

  • Add server parameter shared_memory_type to control the type of shared memory to use (Andres Freund)

    This allows selection of System V shared memory, if desired.

  • Allow some recovery parameters to be changed with reload (Peter Eisentraut)

    These parameters are archive_cleanup_command, promote_trigger_file, recovery_end_command, and recovery_min_apply_delay.

  • Allow the streaming replication timeout (wal_sender_timeout) to be set per connection (Takayuki Tsunakawa)

    Previously, this could only be set cluster-wide.

  • Add function pg_promote() to promote standbys to primaries (Laurenz Albe, Michaël Paquier)

    Previously, this operation was only possible by using pg_ctl or creating a trigger file.

  • Allow replication slots to be copied (Masahiko Sawada)

    The functions for this are pg_copy_physical_replication_slot() and pg_copy_logical_replication_slot().

  • Make max_wal_senders not count as part of max_connections (Alexander Kukushkin)

  • Add an explicit value of current for recovery_target_timeline (Peter Eisentraut)

  • Make recovery fail if a two-phase transaction status file is corrupt (Michaël Paquier)

    Previously, a warning was logged and recovery continued, allowing the transaction to be lost.

  • Add REINDEX CONCURRENTLY option to allow reindexing without locking out writes (Michaël Paquier, Andreas Karlsson, Peter Eisentraut)

    This is also controlled by the reindexdb application's --concurrently option.

  • Add support for generated columns (Peter Eisentraut)

    The content of generated columns are computed from expressions (including references to other columns in the same table) rather than being specified by INSERT or UPDATE commands.

  • Add a WHERE clause to COPY FROM to control which rows are accepted (Surafel Temesgen)

    This provides a simple way to filter incoming data.

  • Allow enumerated values to be added more flexibly (Andrew Dunstan, Tom Lane, Thomas Munro)

    Previously, ALTER TYPE ... ADD VALUE could not be called in a transaction block, unless it was part of the same transaction that created the enumerated type. Now it can be called in a later transaction, so long as the new enumerated value is not referenced until after it is committed.

  • Add commands to end a transaction and start a new one (Peter Eisentraut)

    The commands are COMMIT AND CHAIN and ROLLBACK AND CHAIN.

  • Add VACUUM and CREATE TABLE options to prevent VACUUM from truncating trailing empty pages (Takayuki Tsunakawa)

    These options are vacuum_truncate and toast.vacuum_truncate. Use of these options reduces VACUUM's locking requirements, but prevents returning disk space to the operating system.

  • Allow VACUUM to skip index cleanup (Masahiko Sawada)

    This change adds a VACUUM command option INDEX_CLEANUP as well as a table storage option vacuum_index_cleanup. Use of this option reduces the ability to reclaim space and can lead to index bloat, but it is helpful when the main goal is to freeze old tuples.

  • Add the ability to skip VACUUM and ANALYZE operations on tables that cannot be locked immediately (Nathan Bossart)

    This option is called SKIP_LOCKED.

  • Allow VACUUM and ANALYZE to take optional Boolean argument specifications (Masahiko Sawada)

  • Prevent TRUNCATE, VACUUM and ANALYZE from requesting a lock on tables for which the user lacks permission (Michaël Paquier)

    This prevents unauthorized locking, which could interfere with user queries.

  • Add EXPLAIN option SETTINGS to output non-default optimizer settings (Tomas Vondra)

    This output can also be obtained when using auto_explain by setting auto_explain.log_settings.

  • Add OR REPLACE option to CREATE AGGREGATE (Andrew Gierth)

  • Allow modifications of system catalogs' options using ALTER TABLE (Peter Eisentraut)

    Modifications of catalogs' reloptions and autovacuum settings are now supported. (Setting allow_system_table_mods is still required.)

  • Use all key columns' names when selecting default constraint names for foreign keys (Peter Eisentraut)

    Previously, only the first column name was included in the constraint name, resulting in ambiguity for multi-column foreign keys.

  • Update assorted knowledge about Unicode to match Unicode 12.1.0 (Peter Eisentraut)

    This fixes, for example, cases where psql would misformat output involving combining characters.

  • Update Snowball stemmer dictionaries with support for new languages (Arthur Zakirov)

    This adds word stemming support for Arabic, Indonesian, Irish, Lithuanian, Nepali, and Tamil to full text search.

  • Allow creation of collations that report string equality for strings that are not bit-wise equal (Peter Eisentraut)

    This feature supports “nondeterministic” collations that can define case- and accent-agnostic equality comparisons. Thus, for example, a case-insensitive uniqueness constraint on a text column can be made more easily than before. This is only supported for ICU collations.

  • Add support for ICU collation attributes on older ICU versions (Peter Eisentraut)

    This allows customization of the collation rules in a consistent way across all ICU versions.

  • Allow data type name to more seamlessly be compared to other text types (Tom Lane)

    Type name now behaves much like a domain over type text that has default collation “C”. This allows cross-type comparisons to be processed more efficiently.

  • Add support for the SQL/JSON path language (Nikita Glukhov, Teodor Sigaev, Alexander Korotkov, Oleg Bartunov, Liudmila Mantrova)

    This allows execution of complex queries on JSON values using an SQL-standard language.

  • Add support for hyperbolic functions (Lætitia Avrot)

    Also add log10() as an alias for log(), for standards compliance.

  • Improve the accuracy of statistical aggregates like variance() by using more precise algorithms (Dean Rasheed)

  • Allow date_trunc() to have an additional argument to control the time zone (Vik Fearing, Tom Lane)

    This is faster and simpler than using the AT TIME ZONE clause.

  • Adjust to_timestamp()/to_date() functions to be more forgiving of template mismatches (Artur Zakirov, Alexander Korotkov, Liudmila Mantrova)

    This new behavior more closely matches the Oracle functions of the same name.

  • Fix assorted bugs in XML functions (Pavel Stehule, Markus Winand, Chapman Flack)

    Specifically, in XMLTABLE, xpath(), and xmlexists(), fix some cases where nothing was output for a node, or an unexpected error was thrown, or necessary escaping of XML special characters was omitted.

  • Allow the BY VALUE clause in XMLEXISTS and XMLTABLE (Chapman Flack)

    This SQL-standard clause has no effect in PostgreSQL's implementation, but it was unnecessarily being rejected.

  • Prevent current_schema() and current_schemas() from being run by parallel workers, as they are not parallel-safe (Michaël Paquier)

  • Allow RECORD and RECORD[] to be used as column types in a query's column definition list for a table function that is declared to return RECORD (Elvis Pranskevichus)

  • Allow SQL commands and variables with the same names as those commands to be used in the same PL/pgSQL function (Tom Lane)

    For example, allow a variable called comment to exist in a function that calls the COMMENT SQL command. Previously this combination caused a parse error.

  • Add new optional warning and error checks to PL/pgSQL (Pavel Stehule)

    The new checks allow for run-time validation of INTO column counts and single-row results.

  • Add connection parameter tcp_user_timeout to control libpq's TCP timeout (Ryohei Nagaura)

  • Allow libpq (and thus psql) to report only the SQLSTATE value in error messages (Didier Gautheron)

  • Add libpq function PQresultMemorySize() to report the memory used by a query result (Lars Kanis, Tom Lane)

  • Remove the no-display/debug flag from libpq's options connection parameter (Peter Eisentraut)

    This allows this parameter to be set by postgres_fdw.

  • Allow ecpg to create variables of data type bytea (Ryo Matsumura)

    This allows ECPG clients to interact with bytea data directly, rather than using an encoded form.

  • Add PREPARE AS support to ECPG (Ryo Matsumura)

  • Allow vacuumdb to select tables for vacuum based on their wraparound horizon (Nathan Bossart)

    The options are --min-xid-age and --min-mxid-age.

  • Allow vacuumdb to disable waiting for locks or skipping all-visible pages (Nathan Bossart)

    The options are --skip-locked and --disable-page-skipping.

  • Add colorization to the output of command-line utilities (Peter Eisentraut)

    This is enabled by setting the environment variable PG_COLOR to always or auto. The specific colors used can be adjusted by setting the environment variable PG_COLORS, using ANSI escape codes for colors. For example, the default behavior is equivalent to PG_COLORS="error=01;31:warning=01;35:locus=01".

  • Add CSV table output mode in psql (Daniel Vérité)

    This is controlled by \pset format csv or the command-line --csv option.

  • Show the manual page URL in psql's \help output for a SQL command (Peter Eisentraut)

  • Display the IP address in psql's \conninfo (Fabien Coelho)

  • Improve tab completion of CREATE TABLE, CREATE TRIGGER, CREATE EVENT TRIGGER, ANALYZE, EXPLAIN, VACUUM, ALTER TABLE, ALTER INDEX, ALTER DATABASE, and ALTER INDEX ALTER COLUMN (Dagfinn Ilmari Mannsåker, Tatsuro Yamada, Michaël Paquier, Tom Lane, Justin Pryzby)

  • Allow values produced by queries to be assigned to pgbench variables (Fabien Coelho, Álvaro Herrera)

    The command for this is \gset.

  • Improve precision of pgbench's --rate option (Tom Lane)

  • Improve pgbench's error reporting with clearer messages and return codes (Peter Eisentraut)

  • Allow control of log file rotation via pg_ctl (Kyotaro Horiguchi, Alexander Kuzmenkov, Alexander Korotkov)

    Previously, this was only possible via an SQL function or a process signal.

  • Properly detach the new server process during pg_ctl start (Paul Guo)

    This prevents the server from being shut down if the shell script that invoked pg_ctl is interrupted later.

  • Allow pg_upgrade to use the file system's cloning feature, if there is one (Peter Eisentraut)

    The --clone option has the advantages of --link, while preventing the old cluster from being changed after the new cluster has started.

  • Allow specification of the socket directory to use in pg_upgrade (Daniel Gustafsson)

    This is controlled by --socketdir; the default is the current directory.

  • Allow pg_checksums to disable fsync operations (Michaël Paquier)

    This is controlled by the --no-sync option.

  • Allow pg_rewind to disable fsync operations (Michaël Paquier)

  • Fix pg_test_fsync to report accurate open_datasync durations on Windows (Laurenz Albe)

  • When pg_dump emits data with INSERT commands rather than COPY, allow more than one data row to be included in each INSERT (Surafel Temesgen, David Rowley)

    The option controlling this is --rows-per-insert.

  • Allow pg_dump to emit INSERT ... ON CONFLICT DO NOTHING (Surafel Temesgen)

    This avoids conflict failures during restore. The option is --on-conflict-do-nothing.

  • Decouple the order of operations in a parallel pg_dump from the order used by a subsequent parallel pg_restore (Tom Lane)

    This allows pg_restore to perform more-fully-parallelized parallel restores, especially in cases where the original dump was not done in parallel. Scheduling of a parallel pg_dump is also somewhat improved.

  • Allow the extra_float_digits setting to be specified for pg_dump and pg_dumpall (Andrew Dunstan)

    This is primarily useful for making dumps that are exactly comparable across different source server versions. It is not recommended for normal use, as it may result in loss of precision when the dump is restored.

  • Add --exclude-database option to pg_dumpall (Andrew Dunstan)

  • Add CREATE ACCESS METHOD command to create new table types (Andres Freund, Haribabu Kommi, Álvaro Herrera, Alexander Korotkov, Dmitry Dolgov)

    This enables the development of new table access methods, which can optimize storage for different use cases. The existing heap access method remains the default.

  • Add planner support function interfaces to improve optimizer estimates, inlining, and indexing for functions (Tom Lane)

    This allows extensions to create planner support functions that can provide function-specific selectivity, cost, and row-count estimates that can depend on the function's arguments. Support functions can also supply simplified representations and index conditions, greatly expanding optimization possibilities.

  • Simplify renumbering manually-assigned OIDs, and establish a new project policy for management of such OIDs (John Naylor, Tom Lane)

    Patches that manually assign OIDs for new built-in objects (such as new functions) should now randomly choose OIDs in the range 8000—9999. At the end of a development cycle, the OIDs used by committed patches will be renumbered down to lower numbers, currently somewhere in the 4xxx range, using the new renumber_oids.pl script. This approach should greatly reduce the odds of OID collisions between different in-process patches.

    While there is no specific policy reserving any OIDs for external use, it is recommended that forks and other projects needing private manually-assigned OIDs use numbers in the high 7xxx range. This will avoid conflicts with recently-merged patches, and it should be a long time before the core project reaches that range.

  • Build Cygwin binaries using dynamic instead of static libraries (Marco Atzeri)

  • Remove configure switch --disable-strong-random (Michaël Paquier)

    A strong random-number source is now required.

  • printf-family functions, as well as strerror and strerror_r, now behave uniformly across platforms within Postgres code (Tom Lane)

    Notably, printf understands %m everywhere; on Windows, strerror copes with Winsock error codes (it used to do so in backend but not frontend code); and strerror_r always follows the GNU return convention.

  • Require a C99-compliant compiler, and MSVC 2013 or later on Windows (Andres Freund)

  • Use pandoc, not lynx, for generating plain-text documentation output files (Peter Eisentraut)

    This affects only the INSTALL file generated during make dist and the seldom-used plain-text postgres.txt output file. Pandoc produces better output than lynx and avoids some locale/encoding issues. Pandoc version 1.13 or later is required.

  • Support use of images in the PostgreSQL documentation (Jürgen Purtz)

  • Allow ORDER BY sorts and LIMIT clauses to be pushed to postgres_fdw foreign servers in more cases (Etsuro Fujita)

  • Improve optimizer cost accounting for postgres_fdw queries (Etsuro Fujita)

  • Properly honor WITH CHECK OPTION on views that reference postgres_fdw tables (Etsuro Fujita)

    While CHECK OPTIONs on postgres_fdw tables are ignored (because the reference is foreign), views on such tables are considered local, so this change enforces CHECK OPTIONs on them. Previously, only INSERTs and UPDATEs with RETURNING clauses that returned CHECK OPTION values were validated.

  • Allow pg_stat_statements_reset() to be more granular (Haribabu Kommi, Amit Kapila)

    The function now allows reset of statistics for specific databases, users, and queries.

  • Allow control of the auto_explain log level (Tom Dunstan, Andrew Dunstan)

    The default is LOG.

  • Update unaccent rules with new punctuation and symbols (Hugh Ranalli, Michaël Paquier)

  • Allow unaccent to handle some accents encoded as combining characters (Hugh Ranalli)

  • Allow unaccent to remove accents from Greek characters (Tasos Maschalidis)

  • Add a parameter to amcheck's bt_index_parent_check() function to check each index tuple from the root of the tree (Peter Geoghegan)

  • Improve oid2name and vacuumlo option handling to match other commands (Tatsuro Yamada)

• ⇑ Upgrade to 12.1 released on 2019-11-14 - docs

  • Fix crash when ALTER TABLE adds a column without a default value along with making other changes that require a table rewrite (Andres Freund)

  • Fix lock handling in REINDEX CONCURRENTLY (Michael Paquier)

    REINDEX CONCURRENTLY neglected to take a session-level lock on the new index version, potentially allowing other sessions to manipulate it too soon. Also, a query-cancel or session-termination interrupt arriving at the wrong time could result in failure to release the session-level locks that REINDEX CONCURRENTLY does hold.

  • Avoid crash due to race condition when reporting the progress of a CREATE INDEX CONCURRENTLY or REINDEX CONCURRENTLY command (Álvaro Herrera)

  • Avoid creating duplicate dependency entries during REINDEX CONCURRENTLY (Michael Paquier)

    This bug resulted in bloat in pg_depend, but no worse consequences than that.

  • Fix “wrong type of slot” error when trying to CLUSTER on an expression index (Andres Freund)

  • SET CONSTRAINTS ... DEFERRED failed on partitioned tables, incorrectly complaining about lack of triggers (Álvaro Herrera)

  • Fix failure when creating indexes for a partition, if the parent partitioned table contains any dropped columns (Michael Paquier)

  • Fix dropping of indexed columns in partitioned tables (Amit Langote, Michael Paquier)

    Previously this might fail with an error message complaining about the dependencies of the indexes. It should automatically drop the indexes, instead.

  • Ensure that a partition index can be dropped after a failure to reindex it concurrently (Michael Paquier)

    The index's pg_class.relispartition flag was left in the wrong state in such a case, causing DROP INDEX to fail.

  • Fix handling of equivalence class members for partition-wise joins (Amit Langote)

    This oversight could lead either to failure to use a feasible partition-wise join plan, or to a “could not find pathkey item to sort” planner failure.

  • Fix crash triggered by an EvalPlanQual recheck on a table with a BEFORE UPDATE trigger (Andres Freund)

  • Fix “unexpected relkind” error when a query tries to access a TOAST table (John Hsu, Michael Paquier, Tom Lane)

    The error should say that permission is denied, but this case got broken during code refactoring.

  • Ignore restore_command, recovery_end_command, and recovery_min_apply_delay settings during crash recovery (Fujii Masao)

    Now that these settings can be specified in postgresql.conf, they could be turned on during crash recovery, but honoring them then is undesirable. Ignore these settings until crash recovery is complete.

  • Fix result of text position() function (also known as strpos()) for an empty search string (Tom Lane)

    Historically, and per the SQL standard, the result should be one in such cases, but 12.0 returned zero.

  • Avoid memory leak while vacuuming a GiST index (Dilip Kumar)

  • Fix libpq to allow trailing whitespace in the string values of integer parameters (Michael Paquier)

    Version 12 tightened libpq's validation of integer parameters, but disallowing trailing whitespace seems undesirable.

  • In libpq, correctly report CONNECTION_BAD connection status after a failure caused by a syntactically invalid connect_timeout parameter value (Lars Kanis)

  • Fix scheduling of parallel restore of a foreign key constraint on a partitioned table (Álvaro Herrera)

    pg_dump failed to emit full dependency information for partitioned tables' foreign keys. This could allow parallel pg_restore to try to recreate a foreign key constraint too soon.

  • In pg_upgrade, reject tables with columns of type sql_identifier, as that has changed representation in version 12 (Tomas Vondra)

  • In pg_rewind with the --dry-run option, avoid updating pg_control (Alexey Kondratov)

    This could lead to failures in subsequent pg_rewind attempts.

  • Put back pqsignal() as an exported libpq symbol (Tom Lane)

    This function was removed on the grounds that no clients should be using it, but that turns out to break usage of current libpq with very old versions of psql, and perhaps other applications.

• ⇑ Upgrade to 12.2 released on 2020-02-13 - docs

  • Fix TRUNCATE ... CASCADE to ensure all relevant partitions are truncated (Jehan-Guillaume de Rorthais)

    If a partition of a partitioned table is truncated with the CASCADE option, and the partitioned table has a foreign-key reference from another table, that table must also be truncated. The need to check this was missed if the referencing table was itself partitioned, possibly allowing rows to survive that violate the foreign-key constraint.

    Hence, if you have foreign key constraints between partitioned tables, and you have done any partition-level TRUNCATE on the referenced table, you should check to see if any foreign key violations exist. The simplest way is to add a new instance of the foreign key constraint (and, once that succeeds, drop it or the original constraint). That may be prohibitive from a locking standpoint, however, in which case you might prefer to manually query for unmatched rows.

  • Fix failure to attach foreign key constraints to sub-partitions (Jehan-Guillaume de Rorthais)

    When adding a partition to a level below the first level of a multi-level partitioned table, foreign key constraints referencing the top partitioned table were not cloned to the new partition, leading to possible constraint violations later. Detaching and re-attaching the new partition is the cheapest way to fix this. However, if there are many partitions to be fixed, adding a new instance of the foreign key constraint might be preferable.

  • Fix possible crash during concurrent update on a partitioned table or inheritance tree (Tom Lane)

  • Ensure that row triggers on partitioned tables are correctly cloned to sub-partitions when appropriate (Álvaro Herrera)

    User-defined triggers (but not triggers for foreign key or deferred unique constraints) might be missed when creating or attaching a partition.

  • Ensure that the effect of pg_replication_slot_advance() on a physical replication slot will persist across restarts (Alexey Kondratov, Michael Paquier)

  • Fix base backup to handle database OIDs larger than INT32_MAX (Peter Eisentraut)

  • Ensure parallel plans are always shut down at the correct time (Kyotaro Horiguchi)

    This oversight is known to result in “temporary file leak” warnings from multi-batch parallel hash joins.

  • Improve efficiency of parallel hash join on CPUs with many cores (Gang Deng, Thomas Munro)

  • Avoid crash in parallel CREATE INDEX when there are no free dynamic shared memory slots (Thomas Munro)

    Fall back to a non-parallel index build, instead.

  • Fix crash during recursive page split in GiST index build (Heikki Linnakangas)

  • Fix failure in ALTER TABLE when a column referenced in a GENERATED expression has been added or changed in type earlier in the same ALTER command (Tom Lane)

  • Fix failure to insert default values for “missing” attributes during tuple conversion (Vik Fearing, Andrew Gierth)

    This could result in values incorrectly reading as NULL, when they come from columns that had been added by ALTER TABLE ADD COLUMN with a constant default.

  • Fix unlikely panic in the checkpointer process, caused by opening relation segments that might already have been removed (Thomas Munro)

  • Fix handling of multiple AFTER ROW triggers on a foreign table (Etsuro Fujita)

  • Ensure that the <> operator for type char reports indeterminate-collation errors as such, rather than as “cache lookup failed for collation 0” (Tom Lane)

  • Avoid treating TID scans as sequential scans (Tatsuhito Kasahara)

    A refactoring oversight caused TID scans (selection by CTID) to be counted as sequential scans in the statistics views, and to take whole-table predicate locks as sequential scans do. The latter behavior could cause unnecessary serialization errors in serializable transaction mode.

  • Reduce spinlock contention when there are many active walsender processes (Pierre Ducroquet)

  • Fix placement of “Subplans Removed” field in EXPLAIN output (Daniel Gustafsson, Tom Lane)

    In non-text output formats, this field was emitted inside the “Plans” sub-group, resulting in syntactically invalid output. Attach it to the parent Append or MergeAppend plan node as intended. This causes the field to change position in text output format too: if there are any InitPlans attached to the same plan node, “Subplans Removed” will now appear before those.

  • Fix EXPLAIN's SETTINGS option to print as empty in non-text output formats (Tom Lane)

    In the non-text output formats, fields are supposed to appear when requested, even if they have empty or zero values.

  • Allow the planner to apply potentially-leaky tests to child-table statistics, if the user can read the corresponding column of the table that's actually named in the query (Dilip Kumar, Amit Langote)

    This change fixes a performance problem for partitioned tables that was created by the fix for CVE-2017-7484. That security fix disallowed applying leaky operators to statistics for columns that the current user doesn't have permission to read directly. However, it's somewhat common to grant permissions only on the parent partitioned table and not bother to do so on individual partitions. In such cases, the user can read the column via the parent, so there's no point in this security restriction; it only results in poorer planner estimates than necessary.

  • Fix planner errors induced by overly-aggressive collapsing of joins to single-row subqueries (Tom Lane)

    This mistake led to errors such as “failed to construct the join relation”.

  • Fix “no = operator for opfamily NNNN” planner error when trying to match a LIKE or regex pattern-match operator to a binary-compatible index opclass (Tom Lane)

  • Fix incorrect estimation for OR clauses when using most-common-value extended statistics (Tomas Vondra)

  • Fix bugs in handling of non-blocking I/O when using GSSAPI encryption (Tom Lane)

    These errors could result in dropping data (usually leading to subsequent wire-protocol-violation errors) or in a “livelock” situation where a sending process goes to sleep although not all its data has been sent. Moreover, libpq failed to keep separate encryption state for each connection, creating the possibility for failures in applications using multiple encrypted database connections.

  • Avoid crash after an out-of-memory failure in ecpglib (Tom Lane)

  • Cope with changes of the specific type referenced by a PL/pgSQL composite-type variable in more cases (Ashutosh Sharma, Tom Lane)

    Dropping and re-creating the composite type referenced by a PL/pgSQL variable could lead to “could not open relation with OID NNNN” errors.

  • Fix configure's probe for OpenSSL's SSL_clear_options() function so that it works with OpenSSL versions before 1.1.0 (Michael Paquier, Daniel Gustafsson)

    This problem could lead to failure to set the SSL compression option as desired, when PostgreSQL is built against an old version of OpenSSL.

  • Fix handling of a corner-case error result from Windows' ReadFile() function (Thomas Munro, Juan José Santamaría Flecha)

    So far as is known, this oversight just resulted in noisy log messages, not any actual query misbehavior.

  • On Windows, work around sharing violations for the postmaster's log file when pg_ctl is used to start the postmaster very shortly after it's been stopped, for example by pg_ctl restart (Alexander Lakhin)

• ⇑ Upgrade to 12.3 released on 2020-05-14 - docs

  • Fix possible failure with GENERATED columns (David Rowley)

    If a GENERATED column's value is an exact copy of another column of the table (and it is a pass-by-reference data type), it was possible to crash or insert corrupted data into the table. While it would be rather pointless for a GENERATED expression to just duplicate another column, an expression using a function that sometimes returns its input unchanged could create the situation.

  • Handle inheritance of generated columns better (Peter Eisentraut)

    When a table column is inherited during CREATE TABLE ... INHERITS, disallow changing any generation properties when the parent column is already marked GENERATED; but allow a child column to be marked GENERATED when its parent is not.

  • Fix cross-column references in CREATE TABLE LIKE INCLUDING GENERATED (Peter Eisentraut)

    CREATE TABLE ... LIKE failed when trying to copy a GENERATED expression that references a physically-later column.

  • Propagate ALTER TABLE ... SET STORAGE to indexes (Peter Eisentraut)

    Non-expression index columns have always copied the attstorage property of their table column at creation. Update them when ALTER TABLE ... SET STORAGE is done, to maintain consistency.

  • Preserve the indisclustered setting of indexes rebuilt by REINDEX CONCURRENTLY (Justin Pryzby)

  • Ensure that when a partition is detached, any triggers cloned from its formerly-parent table are removed (Justin Pryzby)

  • Fix crash when COLLATE is applied to a non-collatable type in a partition bound expression (Dmitry Dolgov)

  • Ensure that unique indexes over partitioned tables match the equality semantics of the partitioning key (Guancheng Luo)

    This would only be an issue with index opclasses that have unusual notions of equality, but it's wrong in theory, so check.

  • Repair performance regression in information_schema.triggers view (Tom Lane)

    This patch redefines that view so that an outer WHERE clause constraining the table name can be pushed down into the view, allowing its calculations to be done only for triggers belonging to the table of interest rather than all triggers in the database. In a database with many triggers this would make a significant speed difference for queries of that form. Since things worked that way before v11, this is a potential performance regression. Users who find this to be a problem can fix it by replacing the view definition (or, perhaps, just deleting and reinstalling the whole information_schema schema).

  • Repair performance regression in floating point overflow/underflow detection (Emre Hasegeli)

    Previous refactoring had resulted in isinf() being called extra times in some hot code paths.

  • Fix server's connection-startup logic for case where a GSSAPI connection is rejected because support is not compiled in, and the client then tries SSL instead (Andrew Gierth)

    This led to a bogus “unsupported frontend protocol” failure.

  • Fix memory leakage during GSSAPI encryption (Tom Lane)

    Both the backend and libpq would leak memory equivalent to the total amount of data sent during the session, if GSSAPI encryption is in use.

  • Fix query-lifespan memory leak for a set-returning function used in a query's FROM clause (Andres Freund)

  • Avoid leakage of a hashed subplan's hash tables across multiple executions (Andreas Karlsson, Tom Lane)

    This mistake could result in severe memory bloat if a query re-executed a hashed subplan enough times.

  • Improve planner's handling of no-op domain coercions (Tom Lane)

    Fix some cases where a domain coercion that does nothing was not completely removed from expressions.

  • Fix possible undercounting of deleted B-tree index pages in VACUUM VERBOSE output (Peter Geoghegan)

  • Fix wrong bookkeeping for oldest deleted page in a B-tree index (Peter Geoghegan)

    This could cause subtly wrong decisions about when VACUUM can skip an index cleanup scan; although it appears there may be no significant user-visible effects from that.

  • Avoid race condition when ANALYZE replaces the catalog tuple for extended statistics data (Dean Rasheed)

  • Remove ill-considered skip of “redundant” anti-wraparound vacuums (Michael Paquier)

    This avoids a corner case where autovacuum could get into a loop of repeatedly trying and then skipping the same vacuum job.

  • Ensure INCLUDE'd columns are always removed from B-tree pivot tuples (Peter Geoghegan)

    This mistake wasted space in some rare cases, but was otherwise harmless.

  • Cope with invalid TOAST indexes that could be left over after a failed REINDEX CONCURRENTLY (Julien Rouhaud)

  • Ensure that valid index dependencies are left behind after a failed REINDEX CONCURRENTLY (Michael Paquier)

    Previously the old index could be left with no pg_depend links at all, so that for example it would not get dropped if the parent table is dropped.

  • Avoid failure if autovacuum tries to access a just-dropped temporary schema (Tom Lane)

    This hazard only arises if a superuser manually drops a temporary schema; which isn't normal practice, but should work.

  • Avoid possible failure after a replication slot copy, due to premature removal of WAL data (Masahiko Sawada, Arseny Sher)

  • Ensure that generated columns are correctly handled during updates issued by logical replication (Peter Eisentraut)

  • Fix crash in psql when attempting to re-establish a failed connection (Michael Paquier)

  • Ensure that pg_basebackup generates valid tar files (Robert Haas)

    In some cases a partial block of zeroes would be added to the end of the file. While this seems to be harmless with common versions of tar, it's not OK per the POSIX file format spec.

  • Make pg_checksums skip tablespace subdirectories that belong to a different PostgreSQL major version (Michael Banck, Bernd Helmle)

    Such subdirectories don't really belong to our database cluster, and so must not be processed.

  • Ignore temporary copies of pg_internal.init in pg_checksums and related programs (Michael Paquier)

  • Work around failure in contrib/pageinspect's bt_metap() function when an oldest_xact value exceeds 2^31-1 (Peter Geoghegan)

    Such XIDs will now be reported as negative integers, which isn't great but it beats throwing an error. v13 will widen the output argument to int8 to provide saner reporting.

  • On Windows, avoid premature creation of postmaster's log file during pg_ctl start (Alexander Lakhin)

    The previous coding could allow the file to be created with permissions that wouldn't allow the postmaster to write on it.

  • On Windows, set console VT100 compatibility mode in programs that support PG_COLOR colorization (Juan José Santamaría Flecha)

    Without this, the colorization option doesn't actually work.

  • Stop requiring extra parentheses in ereport() calls (Andres Freund, Tom Lane)

  • Fix Makefile dependencies for libpq and ecpg (Dagfinn Ilmari Mannsåker)

• ⇑ Upgrade to 12.4 released on 2020-08-13 - docs

  • Fix edge cases in partition pruning (Etsuro Fujita, Dmitry Dolgov)

    When there are multiple partition key columns, generation of pruning tests could misbehave if some columns had no constraining WHERE clauses or multiple constraining clauses. This could lead to server crashes, incorrect query results, or assertion failures.

  • Fix construction of parameterized BitmapAnd and BitmapOr index scans on the inside of partition-wise nestloop joins (Tom Lane)

    A plan in which such a scan needed to use a value from the outside of the join would usually crash at execution.

  • Fix incorrect plan execution when a partitioned table is subject to both static and run-time partition pruning in the same query, and a new partition is added concurrently with the query (Amit Langote, Tom Lane)

  • Update oldest xmin and LSN values during pg_replication_slot_advance() (Michael Paquier)

    This function previously failed to do that, possibly preventing resource cleanup (such as removal of no-longer-needed WAL segments) after manual advancement of a replication slot.

  • Ensure that pg_read_file() and related functions read until EOF is reached (Joe Conway)

    Previously, if not given a specific data length to read, these functions would stop at whatever file length was reported by stat(). That's unhelpful for pipes and other sorts of virtual files.

  • Forbid numeric NaN values in jsonpath computations (Alexander Korotkov)

    Neither SQL nor JSON have the concept of NaN (not-a-number), but the jsonpath code attempted to allow such values anyway. This necessarily leads to nonstandard behavior, so it seems better to reject such values at the outset.

  • Handle single Inf or NaN inputs correctly in floating-point aggregates (Tom Lane)

    The affected aggregates are corr(), covar_pop(), regr_intercept(), regr_r2(), regr_slope(), regr_sxx(), regr_sxy(), regr_syy(), stddev_pop(), and var_pop(). The correct answer in such cases is NaN, but an algorithmic change introduced in PostgreSQL v12 had caused these aggregates to produce zero instead.

  • Fix REINDEX CONCURRENTLY to preserve the index's replication identity flag (Michael Paquier)

    Previously, reindexing a table's replica identity index caused the setting to be lost, preventing old tuple values from being included in future logical-decoding output.

  • Use the query-specified collation for operators invoked during selectivity estimation (Tom Lane)

    Previously, the collation of the underlying database column was used. But using the query's collation is arguably more correct. More importantly, now that we have nondeterministic collations, there are cases where an operator will fail outright if given a nondeterministic collation. We don't want planning to fail in cases where the query itself would work, so this means that we must use the query's collation when invoking operators for estimation purposes.

  • Fix selection of tablespaces for “shared fileset” temporary files (Magnus Hagander, Tom Lane)

    If temp_tablespaces is empty or explicitly names the database's primary tablespace, such files got placed into the pg_default tablespace rather than the database's primary tablespace as expected.

  • Fix corner-case error in masking of SP-GiST index pages during WAL consistency checking (Alexander Korotkov)

    This could cause false failure reports when wal_consistency_checking is enabled.

  • Fix checkpointer process to discard file sync requests when fsync is off (Heikki Linnakangas)

    Such requests are treated as no-ops if fsync is off, but we forgot to remove them from the checkpointer's table of pending actions. This would lead to bloat of that table, as well as possible assertion failures if fsync is later re-enabled.

  • Avoid trouble during cleanup of a non-exclusive backup when JIT compilation has been activated during the backup (Robert Haas)

  • Ensure that libpq continues to try to read from the database connection socket after a write failure (Tom Lane)

    This is important not only to ensure that we collect any final error message from a dying server process, but because we do not consider the connection lost until we see a read failure. This oversight allowed libpq to continue trying to send COPY data indefinitely after a mid-transfer loss of connection, rather than reporting failure to the application.

  • Fix bugs in libpq's management of GSS encryption state (Tom Lane)

    A connection using GSS encryption could freeze up when attempting to reset it after a server restart, or when moving on to the next one of a list of candidate servers.

  • Fix ecpg crash with bytea and cursor variables (Jehan-Guillaume de Rorthais)

  • Make pg_restore cope with data-offset-less custom-format archive files when it needs to restore data items out of order (David Gilman, Tom Lane)

    pg_dump will produce such files if it cannot seek its output (for example, if the output is piped to something). This fix primarily improves the ability to do a parallel restore from such a file.

  • Fix contrib/amcheck to not complain about deleted index pages that are empty (Alexander Korotkov)

    This state of affairs is normal during WAL replay.

• ⇑ Upgrade to 13 released on 2020-09-24 - docs

  • Change SIMILAR TO ... ESCAPE NULL to return NULL (Tom Lane)

    This new behavior matches the SQL specification. Previously a null ESCAPE value was taken to mean using the default escape string (a backslash character). This also applies to substring(text FROM pattern ESCAPE text). The previous behavior has been retained in old views by keeping the original function unchanged.

  • Make json[b]_to_tsvector() fully check the spelling of its string option (Dominik Czarnota)

  • Change the way non-default effective_io_concurrency values affect concurrency (Thomas Munro)

    Previously, this value was adjusted before setting the number of concurrent requests. The value is now used directly. Conversion of old values to new ones can be done using:

    SELECT round(sum(OLDVALUE / n::float)) AS newvalue FROM generate_series(1, OLDVALUE) s(n);
    

  • Prevent display of auxiliary processes in pg_stat_ssl and pg_stat_gssapi system views (Euler Taveira)

    Queries that join these views to pg_stat_activity and wish to see auxiliary processes will need to use left joins.

  • Rename various wait events to improve consistency (Fujii Masao, Tom Lane)

  • Fix ALTER FOREIGN TABLE ... RENAME COLUMN to return a more appropriate command tag (Fujii Masao)

    Previously it returned ALTER TABLE; now it returns ALTER FOREIGN TABLE.

  • Fix ALTER MATERIALIZED VIEW ... RENAME COLUMN to return a more appropriate command tag (Fujii Masao)

    Previously it returned ALTER TABLE; now it returns ALTER MATERIALIZED VIEW.

  • Rename configuration parameter wal_keep_segments to wal_keep_size (Fujii Masao)

    This determines how much WAL to retain for standby servers. It is specified in megabytes, rather than number of files as with the old parameter. If you previously used wal_keep_segments, the following formula will give you an approximately equivalent setting:

    wal_keep_size = wal_keep_segments * wal_segment_size (typically 16MB)
    

  • Remove support for defining operator classes using pre-PostgreSQL 8.0 syntax (Daniel Gustafsson)

  • Remove support for defining foreign key constraints using pre-PostgreSQL 7.3 syntax (Daniel Gustafsson)

  • Remove support for "opaque" pseudo-types used by pre-PostgreSQL 7.3 servers (Daniel Gustafsson)

  • Remove support for upgrading unpackaged (pre-9.1) extensions (Tom Lane)

    The FROM option of CREATE EXTENSION is no longer supported. Any installations still using unpackaged extensions should upgrade them to a packaged version before updating to PostgreSQL 13.

  • Remove support for posixrules files in the timezone database (Tom Lane)

    IANA's timezone group has deprecated this feature, meaning that it will gradually disappear from systems' timezone databases over the next few years. Rather than have a behavioral change appear unexpectedly with a timezone data update, we have removed PostgreSQL's support for this feature as of version 13. This affects only the behavior of POSIX-style time zone specifications that lack an explicit daylight savings transition rule; formerly the transition rule could be determined by installing a custom posixrules file, but now it is hard-wired. The recommended fix for any affected installations is to start using a geographical time zone name.

  • In ltree, when an lquery pattern contains adjacent asterisks with braces, e.g., *{2}.*{3}, properly interpret that as *{5} (Nikita Glukhov)

  • Fix pageinspect's bt_metap() to return more appropriate data types that are less likely to overflow (Peter Geoghegan)

  • Allow pruning of partitions to happen in more cases (Yuzuko Hosoya, Amit Langote, Álvaro Herrera)

  • Allow partitionwise joins to happen in more cases (Ashutosh Bapat, Etsuro Fujita, Amit Langote, Tom Lane)

    For example, partitionwise joins can now happen between partitioned tables even when their partition bounds do not match exactly.

  • Support row-level BEFORE triggers on partitioned tables (Álvaro Herrera)

    However, such a trigger is not allowed to change which partition is the destination.

  • Allow partitioned tables to be logically replicated via publications (Amit Langote)

    Previously, partitions had to be replicated individually. Now a partitioned table can be published explicitly, causing all its partitions to be published automatically. Addition/removal of a partition causes it to be likewise added to or removed from the publication. The CREATE PUBLICATION option publish_via_partition_root controls whether changes to partitions are published as their own changes or their parent's.

  • Allow logical replication into partitioned tables on subscribers (Amit Langote)

    Previously, subscribers could only receive rows into non-partitioned tables.

  • Allow whole-row variables (that is, table.*) to be used in partitioning expressions (Amit Langote)

  • More efficiently store duplicates in B-tree indexes (Anastasia Lubennikova, Peter Geoghegan)

    This allows efficient B-tree indexing of low-cardinality columns by storing duplicate keys only once. Users upgrading with pg_upgrade will need to use REINDEX to make an existing index use this feature.

  • Allow GiST and SP-GiST indexes on box columns to support ORDER BY box <-> point queries (Nikita Glukhov)

  • Allow GIN indexes to more efficiently handle ! (NOT) clauses in tsquery searches (Nikita Glukhov, Alexander Korotkov, Tom Lane, Julien Rouhaud)

  • Allow index operator classes to take parameters (Nikita Glukhov)

  • Allow CREATE INDEX to specify the GiST signature length and maximum number of integer ranges (Nikita Glukhov)

    Indexes created on four and eight-byte integer array, tsvector, pg_trgm, ltree, and hstore columns can now control these GiST index parameters, rather than using the defaults.

  • Prevent indexes that use non-default collations from being added as a table's unique or primary key constraint (Tom Lane)

    The index's collation must match that of the underlying column, but ALTER TABLE previously failed to check this.

  • Improve the optimizer's selectivity estimation for containment/match operators (Tom Lane)

  • Allow setting the statistics target for extended statistics (Tomas Vondra)

    This is controlled with the new command option ALTER STATISTICS ... SET STATISTICS. Previously this was computed based on more general statistics target settings.

  • Allow use of multiple extended statistics objects in a single query (Tomas Vondra)

  • Allow use of extended statistics objects for OR clauses and IN/ANY constant lists (Pierre Ducroquet, Tomas Vondra)

  • Allow functions in FROM clauses to be pulled up (inlined) if they evaluate to constants (Alexander Kuzmenkov, Aleksandr Parfenov)

  • Implement incremental sorting (James Coleman, Alexander Korotkov, Tomas Vondra)

    If an intermediate query result is known to be sorted by one or more leading keys of a required sort ordering, the additional sorting can be done considering only the remaining keys, if the rows are sorted in batches that have equal leading keys.

    If necessary, this can be controlled using enable_incremental_sort.

  • Improve the performance of sorting inet values (Brandur Leach)

  • Allow hash aggregation to use disk storage for large aggregation result sets (Jeff Davis)

    Previously, hash aggregation was avoided if it was expected to use more than work_mem memory. Now, a hash aggregation plan can be chosen despite that. The hash table will be spilled to disk if it exceeds work_mem times hash_mem_multiplier.

    This behavior is normally preferable to the old behavior, in which once hash aggregation had been chosen, the hash table would be kept in memory no matter how large it got — which could be very large if the planner had misestimated. If necessary, behavior similar to that can be obtained by increasing hash_mem_multiplier.

  • Allow inserts, not only updates and deletes, to trigger vacuuming activity in autovacuum (Laurenz Albe, Darafei Praliaskouski)

    Previously, insert-only activity would trigger auto-analyze but not auto-vacuum, on the grounds that there could not be any dead tuples to remove. However, a vacuum scan has other useful side-effects such as setting page-all-visible bits, which improves the efficiency of index-only scans. Also, allowing an insert-only table to receive periodic vacuuming helps to spread out the work of “freezing” old tuples, so that there is not suddenly a large amount of freezing work to do when the entire table reaches the anti-wraparound threshold all at once.

    If necessary, this behavior can be adjusted with the new parameters autovacuum_vacuum_insert_threshold and autovacuum_vacuum_insert_scale_factor, or the equivalent table storage options.

  • Add maintenance_io_concurrency parameter to control I/O concurrency for maintenance operations (Thomas Munro)

  • Allow WAL writes to be skipped during a transaction that creates or rewrites a relation, if wal_level is minimal (Kyotaro Horiguchi)

    Relations larger than wal_skip_threshold will have their files fsync'ed rather than generating WAL. Previously this was done only for COPY operations, but the implementation had a bug that could cause data loss during crash recovery.

  • Improve performance when replaying DROP DATABASE commands when many tablespaces are in use (Fujii Masao)

  • Improve performance for truncation of very large relations (Kirk Jamison)

  • Improve retrieval of the leading bytes of TOAST'ed values (Binguo Bao, Andrey Borodin)

    Previously, compressed out-of-line TOAST values were fully fetched even when it's known that only some leading bytes are needed. Now, only enough data to produce the result is fetched.

  • Improve performance of LISTEN/NOTIFY (Martijn van Oosterhout, Tom Lane)

  • Speed up conversions of integers to text (David Fetter)

  • Reduce memory usage for query strings and extension scripts that contain many SQL statements (Amit Langote)

  • Allow EXPLAIN, auto_explain, autovacuum, and pg_stat_statements to track WAL usage statistics (Kirill Bychik, Julien Rouhaud)

  • Allow a sample of SQL statements, rather than all statements, to be logged (Adrien Nayrat)

    A log_statement_sample_rate fraction of those statements taking more than log_min_duration_sample duration will be logged.

  • Add the backend type to csvlog and optionally log_line_prefix log output (Peter Eisentraut)

  • Improve control of prepared statement parameter logging (Alexey Bashtanov, Álvaro Herrera)

    The GUC setting log_parameter_max_length controls the maximum length of parameter values output during logging of non-error statements, while log_parameter_max_length_on_error does the same for logging of statements with errors. Previously, prepared statement parameters were never logged during errors.

  • Allow function call backtraces to be logged after errors (Peter Eisentraut, Álvaro Herrera)

    The new parameter backtrace_functions specifies which C functions should generate backtraces on error.

  • Make vacuum buffer counters 64-bits wide to avoid overflow (Álvaro Herrera)

  • Add leader_pid to pg_stat_activity to report a parallel worker's leader process (Julien Rouhaud)

  • Add system view pg_stat_progress_basebackup to report the progress of streaming base backups (Fujii Masao)

  • Add system view pg_stat_progress_analyze to report ANALYZE progress (Álvaro Herrera, Tatsuro Yamada, Vinayak Pokale)

  • Add system view pg_shmem_allocations to display shared memory usage (Andres Freund, Robert Haas)

  • Add system view pg_stat_slru to monitor internal SLRU caches (Tomas Vondra)

  • Allow track_activity_query_size to be set as high as 1MB (Vyacheslav Makarov)

    The previous maximum was 100kB.

  • Report a wait event while creating a DSM segment with posix_fallocate() (Thomas Munro)

  • Add wait event VacuumDelay to report on cost-based vacuum delay (Justin Pryzby)

  • Add wait events for WAL archive and recovery pause (Fujii Masao)

    The new events are BackupWaitWalArchive and RecoveryPause.

  • Add wait events RecoveryConflictSnapshot and RecoveryConflictTablespace to monitor recovery conflicts (Masahiko Sawada)

  • Improve performance of wait events on BSD-based systems (Thomas Munro)

  • Allow only superusers to view the ssl_passphrase_command setting (Insung Moon)

    This was changed as a security precaution.

  • Change the server's default minimum TLS version for encrypted connections from 1.0 to 1.2 (Peter Eisentraut)

    This choice can be controlled by ssl_min_protocol_version.

  • Tighten rules on which utility commands are allowed in read-only transaction mode (Robert Haas)

    This change also increases the number of utility commands that can run in parallel queries.

  • Allow allow_system_table_mods to be changed after server start (Peter Eisentraut)

  • Disallow non-superusers from modifying system tables when allow_system_table_mods is set (Peter Eisentraut)

    Previously, if allow_system_table_mods was set at server start, non-superusers could issue INSERT/UPDATE/DELETE commands on system tables.

  • Enable support for Unix-domain sockets on Windows (Peter Eisentraut)

  • Allow streaming replication configuration settings to be changed by reload (Sergei Kornilov)

    Previously, a server restart was required to change primary_conninfo and primary_slot_name.

  • Allow WAL receivers to use a temporary replication slot when a permanent one is not specified (Peter Eisentraut, Sergei Kornilov)

    This behavior can be enabled using wal_receiver_create_temp_slot.

  • Allow WAL storage for replication slots to be limited by max_slot_wal_keep_size (Kyotaro Horiguchi)

    Replication slots that would require exceeding this value are marked invalid.

  • Allow standby promotion to cancel any requested pause (Fujii Masao)

    Previously, promotion could not happen while the standby was in paused state.

  • Generate an error if recovery does not reach the specified recovery target (Leif Gunnar Erlandsen, Peter Eisentraut)

    Previously, a standby would promote itself upon reaching the end of WAL, even if the target was not reached.

  • Allow control over how much memory is used by logical decoding before it is spilled to disk (Tomas Vondra, Dilip Kumar, Amit Kapila)

    This is controlled by logical_decoding_work_mem.

  • Allow recovery to continue even if invalid pages are referenced by WAL (Fujii Masao)

    This is enabled using ignore_invalid_pages.

  • Allow VACUUM to process a table's indexes in parallel (Masahiko Sawada, Amit Kapila)

    The new PARALLEL option controls this.

  • Allow FETCH FIRST to use WITH TIES to return any additional rows that match the last result row (Surafel Temesgen)

  • Report planning-time buffer usage in EXPLAIN's BUFFER output (Julien Rouhaud)

  • Make CREATE TABLE LIKE propagate a CHECK constraint's NO INHERIT property to the created table (Ildar Musin, Chris Travers)

  • When using LOCK TABLE on a partitioned table, do not check permissions on the child tables (Amit Langote)

  • Allow OVERRIDING USER VALUE on inserts into identity columns (Dean Rasheed)

  • Add ALTER TABLE ... DROP EXPRESSION to allow removing the GENERATED property from a column (Peter Eisentraut)

  • Fix bugs in multi-step ALTER TABLE commands (Tom Lane)

    IF NOT EXISTS clauses now work as expected, in that derived actions (such as index creation) do not execute if the column already exists. Also, certain cases of combining related actions into one ALTER TABLE now work when they did not before.

  • Add ALTER VIEW syntax to rename view columns (Fujii Masao)

    Renaming view columns was already possible, but one had to write ALTER TABLE RENAME COLUMN, which is confusing.

  • Add ALTER TYPE options to modify a base type's TOAST properties and support functions (Tomas Vondra, Tom Lane)

  • Add CREATE DATABASE LOCALE option (Peter Eisentraut)

    This combines the existing options LC_COLLATE and LC_CTYPE into a single option.

  • Allow DROP DATABASE to disconnect sessions using the target database, allowing the drop to succeed (Pavel Stehule, Amit Kapila)

    This is enabled by the FORCE option.

  • Add structure member tg_updatedcols to allow C-language update triggers to know which column(s) were updated (Peter Eisentraut)

  • Add polymorphic data types for use by functions requiring compatible arguments (Pavel Stehule)

    The new data types are anycompatible, anycompatiblearray, anycompatiblenonarray, and anycompatiblerange.

  • Add SQL data type xid8 to expose FullTransactionId (Thomas Munro)

    The existing xid data type is only four bytes so it does not provide the transaction epoch.

  • Add data type regcollation and associated functions, to represent OIDs of collation objects (Julien Rouhaud)

  • Use the glibc version in some cases as a collation version identifier (Thomas Munro)

    If the glibc version changes, a warning will be issued about possible corruption of collation-dependent indexes.

  • Add support for collation versions on Windows (Thomas Munro)

  • Allow ROW expressions to have their members extracted with suffix notation (Tom Lane)

    For example, (ROW(4, 5.0)).f1 now returns 4.

  • Add alternate version of jsonb_set() with improved NULL handling (Andrew Dunstan)

    The new function, jsonb_set_lax(), handles a NULL new value by either setting the specified key to a JSON null, deleting the key, raising an exception, or returning the jsonb value unmodified, as requested.

  • Add jsonpath .datetime() method (Nikita Glukhov, Teodor Sigaev, Oleg Bartunov, Alexander Korotkov)

    This function allows JSON values to be converted to timestamps, which can then be processed in jsonpath expressions. This change also adds jsonpath functions that support time-zone-aware output.

  • Add SQL functions NORMALIZE() to normalize Unicode strings, and IS NORMALIZED to check for normalization (Peter Eisentraut)

  • Add min() and max() aggregates for pg_lsn (Fabrízio de Royes Mello)

    These are particularly useful in monitoring queries.

  • Allow Unicode escapes, e.g., E'\unnnn' or U&'\nnnn', to specify any character available in the database encoding, even when the database encoding is not UTF-8 (Tom Lane)

  • Allow to_date() and to_timestamp() to recognize non-English month/day names (Juan José Santamaría Flecha, Tom Lane)

    The names recognized are the same as those output by to_char() with the same format patterns.

  • Add datetime format patterns FF1 – FF6 to specify input or output of 1 to 6 fractional-second digits (Alexander Korotkov, Nikita Glukhov, Teodor Sigaev, Oleg Bartunov)

    These patterns can be used by to_char(), to_timestamp(), and jsonpath's .datetime().

  • Add SSSSS datetime format pattern as an SQL-standard alias for SSSS (Nikita Glukhov, Alexander Korotkov)

  • Add function gen_random_uuid() to generate version-4 UUIDs (Peter Eisentraut)

    Previously UUID generation functions were only available in the external modules uuid-ossp and pgcrypto.

  • Add greatest-common-denominator (gcd) and least-common-multiple (lcm) functions (Vik Fearing)

  • Improve the performance and accuracy of the numeric type's square root (sqrt) and natural log (ln) functions (Dean Rasheed)

  • Add function min_scale() that returns the number of digits to the right of the decimal point that are required to represent a numeric value with full accuracy (Pavel Stehule)

  • Add function trim_scale() to reduce the scale of a numeric value by removing trailing zeros (Pavel Stehule)

  • Add commutators of distance operators (Nikita Glukhov)

    For example, previously only point <-> line was supported, now line <-> point works too.

  • Create xid8 versions of all transaction ID functions (Thomas Munro)

    The old xid-based functions still exist, for backward compatibility.

  • Allow get_bit() and set_bit() to set bits beyond the first 256MB of a bytea value (Movead Li)

  • Allow advisory-lock functions to be used in some parallel operations (Tom Lane)

  • Add the ability to remove an object's dependency on an extension (Álvaro Herrera)

    The object can be a function, materialized view, index, or trigger. The syntax is ALTER .. NO DEPENDS ON.

  • Improve performance of simple PL/pgSQL expressions (Tom Lane, Amit Langote)

  • Improve performance of PL/pgSQL functions that use immutable expressions (Konstantin Knizhnik)

  • Allow libpq clients to require channel binding for encrypted connections (Jeff Davis)

    Using the libpq connection parameter channel_binding forces the other end of the TLS connection to prove it knows the user's password. This prevents man-in-the-middle attacks.

  • Add libpq connection parameters to control the minimum and maximum TLS version allowed for an encrypted connection (Daniel Gustafsson)

    The settings are ssl_min_protocol_version and ssl_max_protocol_version. By default, the minimum TLS version is 1.2 (this represents a behavioral change from previous releases).

  • Allow use of passwords to unlock client certificates (Craig Ringer, Andrew Dunstan)

    This is enabled by libpq's sslpassword connection parameter.

  • Allow libpq to use DER-encoded client certificates (Craig Ringer, Andrew Dunstan)

  • Fix ecpg's EXEC SQL elif directive to work correctly (Tom Lane)

    Previously it behaved the same as endif followed by ifdef, so that a successful previous branch of the same if construct did not prevent expansion of the elif branch or following branches.

  • Add transaction status (%x) to psql's default prompts (Vik Fearing)

  • Allow the secondary psql prompt to be blank but the same width as the primary prompt (Thomas Munro)

    This is accomplished by setting PROMPT2 to %w.

  • Allow psql's \g and \gx commands to change \pset output options for the duration of that single command (Tom Lane)

    This feature allows syntax like \g (expand=on), which is equivalent to \gx.

  • Add psql commands to display operator classes and operator families (Sergey Cherkashin, Nikita Glukhov, Alexander Korotkov)

    The new commands are \dAc, \dAf, \dAo, and \dAp.

  • Show table persistence in psql's \dt+ and related commands (David Fetter)

    In verbose mode, the table/index/view shows if the object is permanent, temporary, or unlogged.

  • Improve output of psql's \d for TOAST tables (Justin Pryzby)

  • Fix redisplay after psql's \e command (Tom Lane)

    When exiting the editor, if the query doesn't end with a semicolon or \g, the query buffer contents will now be displayed.

  • Add \warn command to psql (David Fetter)

    This is like \echo except that the text is sent to stderr instead of stdout.

  • Add the PostgreSQL home page to command-line --help output (Peter Eisentraut)

  • Allow pgbench to partition its “accounts” table (Fabien Coelho)

    This allows performance testing of partitioning.

  • Add pgbench command \aset, which behaves like \gset, but for multiple queries (Fabien Coelho)

  • Allow pgbench to generate its initial data server-side, rather than client-side (Fabien Coelho)

  • Allow pgbench to show script contents using option --show-script (Fabien Coelho)

  • Generate backup manifests for base backups, and verify them (Robert Haas)

    A new tool pg_verifybackup can verify backups.

  • Have pg_basebackup estimate the total backup size by default (Fujii Masao)

    This computation allows pg_stat_progress_basebackup to show progress. If that is not needed, it can be disabled by using the --no-estimate-size option. Previously, this computation happened only if the --progress option was used.

  • Add an option to pg_rewind to configure standbys (Paul Guo, Jimmy Yih, Ashwin Agrawal)

    This matches pg_basebackup's --write-recovery-conf option.

  • Allow pg_rewind to use the target cluster's restore_command to retrieve needed WAL (Alexey Kondratov)

    This is enabled using the -c/--restore-target-wal option.

  • Have pg_rewind automatically run crash recovery before rewinding (Paul Guo, Jimmy Yih, Ashwin Agrawal)

    This can be disabled by using --no-ensure-shutdown.

  • Increase the PREPARE TRANSACTION-related information reported by pg_waldump (Fujii Masao)

  • Add pg_waldump option --quiet to suppress non-error output (Andres Freund, Robert Haas)

  • Add pg_dump option --include-foreign-data to dump data from foreign servers (Luis Carril)

  • Allow vacuum commands run by vacuumdb to operate in parallel mode (Masahiko Sawada)

    This is enabled with the new --parallel option.

  • Allow reindexdb to operate in parallel (Julien Rouhaud)

    Parallel mode is enabled with the new --jobs option.

  • Allow dropdb to disconnect sessions using the target database, allowing the drop to succeed (Pavel Stehule)

    This is enabled with the -f option.

  • Remove --adduser and --no-adduser from createuser (Alexander Lakhin)

    The long-supported preferred options for this are called --superuser and --no-superuser.

  • Use the directory of the pg_upgrade program as the default --new-bindir setting when running pg_upgrade (Daniel Gustafsson)

  • Add a glossary to the documentation (Corey Huinker, Jürgen Purtz, Roger Harkavy, Álvaro Herrera)

  • Reformat tables containing function and operator information for better clarity (Tom Lane)

  • Upgrade to use DocBook 4.5 (Peter Eisentraut)

  • Add support for building on Visual Studio 2019 (Haribabu Kommi)

  • Add build support for MSYS2 (Peter Eisentraut)

  • Add compare_exchange and fetch_add assembly language code for Power PC compilers (Noah Misch)

  • Update Snowball stemmer dictionaries used by full text search (Panagiotis Mavrogiorgos)

    This adds Greek stemming and improves Danish and French stemming.

  • Remove support for Windows 2000 (Michael Paquier)

  • Remove support for non-ELF BSD systems (Peter Eisentraut)

  • Remove support for Python versions 2.5.X and earlier (Peter Eisentraut)

  • Remove support for OpenSSL 0.9.8 and 1.0.0 (Michael Paquier)

  • Remove configure options --disable-float8-byval and --disable-float4-byval (Peter Eisentraut)

    These were needed for compatibility with some version-zero C functions, but those are no longer supported.

  • Pass the query string to planner hook functions (Pascal Legrand, Julien Rouhaud)

  • Add TRUNCATE command hook (Yuli Khodorkovskiy)

  • Add TLS init hook (Andrew Dunstan)

  • Allow building with no predefined Unix-domain socket directory (Peter Eisentraut)

  • Reduce the probability of SysV resource key collision on Unix platforms (Tom Lane)

  • Use operating system functions to reliably erase memory that contains sensitive information (Peter Eisentraut)

    For example, this is used for clearing passwords stored in memory.

  • Add headerscheck script to test C header-file compatibility (Tom Lane)

  • Implement internal lists as arrays, rather than a chain of cells (Tom Lane)

    This improves performance for queries that access many objects.

  • Change the API for TS_execute() (Tom Lane, Pavel Borisov)

    TS_execute callbacks must now provide ternary (yes/no/maybe) logic. Calculating NOT queries accurately is now the default.

  • Allow extensions to be specified as trusted (Tom Lane)

    Such extensions can be installed in a database by users with database-level CREATE privileges, even if they are not superusers. This change also removes the pg_pltemplate system catalog.

  • Allow non-superusers to connect to postgres_fdw foreign servers without using a password (Craig Ringer)

    Specifically, allow a superuser to set password_required to false for a user mapping. Care must still be taken to prevent non-superusers from using superuser credentials to connect to the foreign server.

  • Allow postgres_fdw to use certificate authentication (Craig Ringer)

    Different users can use different certificates.

  • Allow sepgsql to control access to the TRUNCATE command (Yuli Khodorkovskiy)

  • Add extension bool_plperl which transforms SQL booleans to/from PL/Perl booleans (Ivan Panchenko)

  • Have pg_stat_statements treat SELECT ... FOR UPDATE commands as distinct from those without FOR UPDATE (Andrew Gierth, Vik Fearing)

  • Allow pg_stat_statements to optionally track the planning time of statements (Julien Rouhaud, Pascal Legrand, Thomas Munro, Fujii Masao)

    Previously only execution time was tracked.

  • Overhaul ltree's lquery syntax to treat NOT (!) more logically (Filip Rembialkowski, Tom Lane, Nikita Glukhov)

    Also allow non-* queries to use a numeric range ({}) of matches.

  • Add support for binary I/O of ltree, lquery, and ltxtquery types (Nino Floris)

  • Add an option to dict_int to ignore the sign of integers (Jeff Janes)

  • Add adminpack function pg_file_sync() to allow fsync'ing a file (Fujii Masao)

  • Add pageinspect functions to output t_infomask/t_infomask2 values in human-readable format (Craig Ringer, Sawada Masahiko, Michael Paquier)

  • Add B-tree index de-duplication processing columns to pageinspect output (Peter Geoghegan)

• ⇑ Upgrade to 13.1 released on 2020-11-12 - docs

  • Fix unintended breakage of the replication protocol (Álvaro Herrera)

    A walsender reports two command-completion events for START_REPLICATION. This was undocumented and apparently unintentional; so we failed to notice that a late 13.0 change removed the duplicate event. However it turns out that walreceivers require the extra event in some code paths. The most practical fix is to decree that the extra event is part of the protocol and resume generating it.

  • Disallow ALTER TABLE ONLY ... DROP EXPRESSION when there are child tables (Peter Eisentraut)

    The current implementation cannot handle this case correctly, so just forbid it for now.

  • Ensure that ALTER TABLE ONLY ... ENABLE/DISABLE TRIGGER does not recurse to child tables (Álvaro Herrera)

    Previously the ONLY flag was ignored.

  • Allow LOCK TABLE to succeed on a self-referential view (Tom Lane)

    It previously threw an error complaining about infinite recursion, but there seems no need to disallow the case.

  • Retain statistics about an index across REINDEX CONCURRENTLY (Michael Paquier, Fabrízio de Royes Mello)

    Non-concurrent reindexing has always preserved such statistics.

  • Fix incorrect progress reporting from REINDEX CONCURRENTLY (Matthias van de Meent, Michael Paquier)

  • Ensure that GENERATED columns are updated when the column(s) they depend on are updated via a rule or an updatable view (Tom Lane)

    This fix also takes care of possible failure to fire a column-specific trigger in such cases.

  • Fix failures with collation-dependent partition bound expressions (Tom Lane)

  • Support hashing of text arrays (Peter Eisentraut)

    Array hashing failed if the array element type is collatable. Notably, this prevented using hash partitioning with a text array column as partition key.

  • Prevent internal overflows in cross-type datetime comparisons (Nikita Glukhov, Alexander Korotkov, Tom Lane)

    Previously, comparing a date to a timestamp would fail if the date is past the valid range for timestamps. There were also corner cases involving overflow of close-to-the-limit timestamp values during timezone rotation.

  • Allow the jsonpath .datetime() method to accept ISO 8601-format timestamps (Nikita Glukhov)

    This is not required by SQL, but it seems appropriate since our to_json() functions generate that timestamp format for Javascript compatibility.

  • Fix edge cases in detecting premature death of the postmaster on platforms that use kqueue() (Thomas Munro)

  • Avoid generating an incorrect incremental-sort plan when the sort key is a volatile expression (James Coleman)

  • Fix possible crash when considering partition-wise joins during GEQO planning (Tom Lane)

  • Fix possible infinite loop or corrupted output data in TOAST decompression (Tom Lane)

  • Fix counting of the number of entries in B-tree indexes during cleanup-only VACUUMs (Peter Geoghegan)

  • Fix buffered GiST index builds to work when the index has included columns (Pavel Borisov)

  • Avoid crash if debug_query_string is NULL when starting a parallel worker (Noah Misch)

  • Avoid failures when a BEFORE ROW UPDATE trigger returns the “old” row of a table having dropped or “missing” columns (Amit Langote, Tom Lane)

    This method of suppressing an update could result in crashes, unexpected CHECK constraint failures, or incorrect RETURNING output, because “missing” columns would read as NULLs for those purposes. (A column is “missing” for this purpose if it was added by ALTER TABLE ADD COLUMN with a non-NULL, but constant, default value.) Dropped columns could cause trouble as well.

  • Fix EXPLAIN's output for incremental sort plans to have correct tag nesting in XML output mode (Daniel Gustafsson)

  • Fix omission of result data type coercion in some cases in SQL-language functions (Tom Lane)

    This could lead to wrong results or crashes, depending on the data types involved.

  • Fix incorrect handling of template function attributes in JIT code generation (Andres Freund)

    This has been shown to cause crashes on s390x, and very possibly there are other cases on other platforms.

  • Improve code generated for compare_exchange and fetch_add operations on PPC (Noah Misch)

  • Fix edge-case memory leak in index_get_partition() (Justin Pryzby)

  • Fix memory leaks in PL/pgsql's CALL processing (Pavel Stehule, Tom Lane)

  • Fix ecpg's mis-processing of B'...' and X'...' literals (Shenhao Wang)

• ⇑ Upgrade to 13.2 released on 2021-02-11 - docs

  • Fix failure to check per-column SELECT privileges in some join queries (Tom Lane)

    In some cases involving joins, the parser failed to record all the columns read by a query in the column-usage bitmaps that are used for permissions checking. Although the executor would still insist on some sort of SELECT privilege to run the query, this meant that a user having SELECT privilege on only one column of a table could nonetheless read all its columns through a suitably crafted query.

    A stored view that is subject to this problem will have incomplete column-usage bitmaps, and thus permissions will still not be enforced properly on the view after updating. In installations that depend on column-level permissions for security, it is recommended to CREATE OR REPLACE all user-defined views to cause them to be re-parsed.

    The PostgreSQL Project thanks Sven Klemm for reporting this problem. (CVE-2021-20229)

  • Fix information leakage in constraint-violation error messages (Heikki Linnakangas)

    If an UPDATE command attempts to move a row to a different partition but finds that it violates some constraint on the new partition, and the columns in that partition are in different physical positions than in the parent table, the error message could reveal the contents of columns that the user does not have SELECT privilege on. (CVE-2021-3393)

  • Fix incorrect detection of concurrent page splits while inserting into a GiST index (Heikki Linnakangas)

    Concurrent insertions could lead to a corrupt index with entries placed in the wrong pages. It's recommended to reindex any GiST index that's been subject to concurrent insertions.

  • Avoid crash when trying to rescan an aggregation plan node that has both hashed and sorted grouping sets (Jeff Davis)

  • Fix possible incorrect query results when a hash aggregation node spills some tuples to disk (Tom Lane)

    It was possible for aggregation grouping values to be replaced by nulls when the tuples are read back in, leading to wrong answers.

  • Fix edge case in incremental sort (Neil Chen)

    If the last tuple of a sort batch chanced to be the first tuple of the next group of already-sorted tuples, the code did the wrong thing. This could lead to “retrieved too many tuples in a bounded sort” error messages, or to silently-wrong sorting results.

  • Avoid crash when a CALL or DO statement that performs a transaction rollback is executed via extended query protocol (Thomas Munro, Tom Lane)

    In PostgreSQL 13, this case reliably caused a null-pointer dereference. In earlier versions the bug seems to have no visible symptoms, but it's not quite clear that it could never cause a problem.

  • Avoid unnecessary errors with BEFORE UPDATE triggers on partitioned tables (Álvaro Herrera)

    A BEFORE UPDATE FOR EACH ROW trigger that modified the row in any way prevented UPDATE from moving the row to another partition when needed; but there is no longer any reason for this restriction.

  • Fix partition pruning logic to handle asymmetric hash partition sets (Tom Lane)

    If a hash-partitioned table has unequally-sized partitions (that is, varying modulus values), or it lacks partitions for some remainder values, then the planner's pruning logic could mistakenly conclude that some partitions don't need to be scanned, leading to failure to find rows that the query should find.

  • Fix planner's mishandling of placeholders whose evaluation should be delayed by an outer join (Tom Lane)

    This occurs in particular with trivial subqueries containing lateral references to outer-join outputs. The mistake could result in a malformed plan. The known cases trigger a “failed to assign all NestLoopParams to plan nodes” error, but other symptoms may be possible.

  • Fix planner's handling of placeholders during removal of useless RESULT RTEs (Tom Lane)

    This oversight could lead to “no relation entry for relid N” planner errors.

  • Consider unsorted subpaths when planning a Gather Merge operation (James Coleman)

    It's possible to use such a path by adding an explicit Sort node, and in some cases that gives rise to a superior plan.

  • Do not consider ORDER BY expressions involving parallel-restricted functions or set-returning functions when trying to parallelize sorts (James Coleman)

    Such cases cannot safely be pushed into worker processes, but the incremental sort feature accidentally made us consider them.

  • Fix overestimate of the amount of shared memory needed for parallel queries (Takayuki Tsunakawa)

  • Fix failure to detect “snapshot too old” conditions in tables rewritten in the current transaction (Kyotaro Horiguchi, Noah Misch)

    This is only a hazard when wal_level is set to minimal and the rewrite is performed by ALTER TABLE SET TABLESPACE.

  • Fix spurious failure of CREATE PUBLICATION when applied to a table created or rewritten in the current transaction (Kyotaro Horiguchi)

    This is only a hazard when wal_level is set to minimal.

  • Prevent dropping a tablespace that is referenced by a partitioned relation, but is not used for any actual storage (Álvaro Herrera)

    Previously this was allowed, but subsequent operations on the partitioned relation would fail.

  • Fix progress reporting for CLUSTER (Matthias van de Meent)

  • Fix recently-introduced race condition in LISTEN/NOTIFY queue handling (Tom Lane)

    A newly-listening backend could attempt to read SLRU pages that were in process of being truncated, possibly causing an error.

  • Fix integer-overflow cases in substring() functions (Tom Lane, Pavel Stehule)

    If the specified starting index and length overflow an integer when added together, substring() misbehaved, either throwing a bogus “negative substring length” error for a case that should succeed, or failing to complain that a negative length is negative (and instead returning the whole string, in most cases).

  • Fix WAL-reading logic to handle timeline switches correctly (Kyotaro Horiguchi, Fujii Masao)

    Previously, if WAL archiving is enabled, a standby could fail to follow a primary running on a newer timeline, with errors like “requested WAL segment has already been removed”.

  • Fix relation cache leak in walsender processes while sending row changes via the root of a partitioned relation during logical replication (Amit Langote, Mark Zhao)

  • Fix possible failure to detect recovery conflicts while deleting an index entry that references a HOT chain (Peter Geoghegan)

    The code failed to traverse the HOT chain and might thus compute a too-old XID horizon, which could lead to incorrect conflict processing in hot standby. The practical impact of this bug is limited; in most cases the correct XID horizon would be found anyway from nearby operations.

  • Ensure that a nonempty value of krb_server_keyfile always overrides any setting of KRB5_KTNAME in the server's environment (Tom Lane)

    Previously, which setting took precedence depended on whether the client requests GSS encryption.

  • In server log messages about failing to match connections to pg_hba.conf entries, include details about whether GSS encryption has been activated (Kyotaro Horiguchi, Tom Lane)

    This is relevant data if hostgssenc or hostnogssenc entries exist.

  • Fix assorted issues in server's support for GSS encryption (Tom Lane)

    Remove pointless restriction that only GSS authentication can be used on a GSS-encrypted connection. Add GSS encryption information to connection-authorized log messages. Include GSS-related space when computing the required size of shared memory (this omission could have caused problems with very high max_connections settings). Avoid possible infinite recursion when reporting an unrecoverable GSS encryption error.

  • Avoid trying to use parallel index build in a standalone backend (Yulin Pei)

  • Allow index AMs to support included columns without necessarily supporting multiple key columns (Tom Lane)

  • While taking a base backup, avoid executing any SHA256 code if a backup manifest is not needed (Michael Paquier)

    When using OpenSSL operating in FIPS mode, SHA256 hashing is rejected, leading to an error. This change makes it possible to take a base backup on such a platform, so long as --no-manifest is specified.

  • Avoid assertion failure during parallel aggregation of an aggregate with a non-strict deserialization function (Andrew Gierth)

    No such aggregate functions exist in core PostgreSQL, but some extensions such as PostGIS provide some. The mistake is harmless anyway in a non-assert build.

  • Fix data structure misallocation in PL/pgSQL's CALL statement (Tom Lane)

    A CALL in a PL/pgSQL procedure, to another procedure that has OUT parameters, would fail if the called procedure did a COMMIT or ROLLBACK.

  • In libpq, do not skip trying SSL after GSS encryption (Tom Lane)

    If we successfully made a GSS-encrypted connection, but then failed during authentication, we would fall back to an unencrypted connection rather than next trying an SSL-encrypted connection. This could lead to unexpected connection failure, or to silently getting an unencrypted connection where an encrypted one is expected. Fortunately, GSS encryption could only succeed if both client and server hold valid tickets in the same Kerberos infrastructure. It seems unlikely for that to be true in an environment that requires SSL encryption instead.

  • Make libpq's PQconndefaults() function report the correct default value for channel_binding (Daniele Varrazzo)

  • In psql's \d commands, don't truncate the display of column default values (Tom Lane)

    Formerly, they were arbitrarily truncated at 128 characters.

  • Fix pg_dump's dumping of inherited generated columns (Peter Eisentraut)

    The previous behavior resulted in (harmless) errors during restore.

  • In pg_dump, ensure that the restore script runs ALTER PUBLICATION ADD TABLE commands as the owner of the publication, and similarly runs ALTER INDEX ATTACH PARTITION commands as the owner of the partitioned index (Tom Lane)

    Previously, these commands would be run by the role that started the restore script; which will usually work, but in corner cases that role might not have adequate permissions.

  • In pgbench, disallow a digit as the first character of a variable name (Fabien Coelho)

    This prevents trying to substitute variables into timestamp literal values, which may contain strings like 12:34.

  • Fix faulty assertion in contrib/postgres_fdw (Etsuro Fujita)

  • Make contrib/pg_prewarm more robust when the cluster is shut down before prewarming is complete (Tom Lane)

    Previously, autoprewarm would rewrite its status file with only the block numbers that it had managed to load so far, thus perhaps largely disabling the prewarm functionality in the next startup. Instead, suppress status file updates until the initial loading pass is complete.

  • Fix JIT compilation to be compatible with LLVM 11 and LLVM 12 (Andres Freund)

  • Fix potential mishandling of references to boolean variables in JIT expression compilation (Andres Freund)

    No field reports attributable to this have been seen, but it seems likely that it could cause problems on some architectures.

  • Fix compile failure with ICU 68 and later (Tom Lane)

  • Avoid memcpy() with a NULL source pointer and zero count during partitioned index creation (Álvaro Herrera)

    While such a call is not known to cause problems in itself, some compilers assume that the arguments of memcpy() are never NULL, which could result in incorrect optimization of nearby code.

• ⇑ Upgrade to 13.3 released on 2021-05-13 - docs

  • Fix possibly-incorrect computation of UPDATE ... RETURNING outputs for joined cross-partition updates (Amit Langote, Etsuro Fujita)

    If an UPDATE for a partitioned table caused a row to be moved to another partition with a physically different row type (for example, one with a different set of dropped columns), computation of RETURNING results for that row could produce errors or wrong answers. No error is observed unless the UPDATE involves other tables being joined to the target table. (CVE-2021-32029)

  • Fix adjustment of constraint deferrability properties in partitioned tables (Álvaro Herrera)

    When applied to a foreign-key constraint of a partitioned table, ALTER TABLE ... ALTER CONSTRAINT failed to adjust the DEFERRABLE and/or INITIALLY DEFERRED markings of the constraints and triggers of leaf partitions. This led to unexpected behavior of such constraints. After updating to this version, any misbehaving partitioned tables can be fixed by executing a new ALTER command to set the desired properties.

    This change also disallows applying such an ALTER directly to the constraints of leaf partitions. The only supported case is for the whole partitioning hierarchy to have identical constraint properties, so such ALTERs must be applied at the partition root.

  • When attaching a child table with ALTER TABLE ... INHERIT, insist that any generated columns in the parent be generated the same way in the child (Peter Eisentraut)

  • Ensure that REINDEX CONCURRENTLY preserves any statistics target that's been set for the index (Michael Paquier)

  • Fix COMMIT AND CHAIN to work correctly when the current transaction has live savepoints (Fujii Masao)

  • Fix list-manipulation bug in WITH RECURSIVE processing (Michael Paquier, Tom Lane)

    Sufficiently deep nesting of WITH constructs (at least seven levels) triggered core dumps or incorrect complaints of faulty WITH nesting.

  • Fix use-after-free bug in saving tuples for AFTER triggers (Amit Langote)

    This could cause crashes in some situations.

  • Fix “could not find pathkey item to sort” planner errors in some situations where the sort key involves an aggregate or window function (James Coleman, Tom Lane)

  • Fix potentially wrong answers from GIN tsvector index searches, when there are many matching tuples (Tom Lane)

    If the number of index matches became large enough to make the bitmap holding them become lossy (a threshold that depends on work_mem), the code could get confused about whether rechecks are required, allowing rows to be returned that don't actually match the query.

  • Fix concurrency issues with WAL segment recycling on Windows (Michael Paquier)

    This reverts a change that caused intermittent “could not rename file ...: Permission denied” log messages. While there were not serious consequences, the log spam was annoying.

  • Disable the vacuum_cleanup_index_scale_factor parameter and storage option (Peter Geoghegan)

    The notion of tracking “stale” index statistics proved to interact badly with the autovacuum_vacuum_insert_threshold parameter, resulting in unnecessary full-index scans and consequent degradation of autovacuum performance. The latter mechanism seems superior, so remove the stale-statistics logic. The control parameter for that, vacuum_cleanup_index_scale_factor, will be removed entirely in v14. In v13, it remains present to avoid breaking existing configuration files, but it no longer does anything.

  • Pass the correct trigger OID to object post-alter hooks during ALTER CONSTRAINT (Álvaro Herrera)

    When updating trigger properties during ALTER CONSTRAINT, the post-alter hook was told that we are updating a trigger, but the constraint's OID was passed instead of the trigger's.

  • Fix uninitialized variable in walreceiver's statistics in shared memory (Fujii Masao)

    This error was harmless on most platforms, but could cause issues on platforms lacking atomic variables and/or spinlock support.

  • Reduce the overhead of dtrace probes for LWLock operations, when dtrace support is compiled in but not active (Peter Eisentraut)

  • Fix failure when a PL/pgSQL DO block makes use of both composite-type variables and transaction control (Tom Lane)

    Previously, such cases led to errors about leaked tuple descriptors.

  • Fix psql's ON_ERROR_ROLLBACK feature to handle COMMIT AND CHAIN commands correctly (Arthur Nascimento)

    Previously, this case failed with “savepoint "pg_psql_temporary_savepoint" does not exist”.

  • In psql, avoid repeated “could not print result table” failures after the first such error (Álvaro Herrera)

  • Fix pg_dump's dumping of generated columns in partitioned tables (Peter Eisentraut)

    A fix introduced in the previous minor release should not be applied to partitioned tables, only traditionally-inherited tables.

  • Fix incorrect progress-reporting calculation in pg_checksums (Shinya Kato)

• ⇑ Upgrade to 13.4 released on 2021-08-12 - docs

  • Fix mis-planning of repeated application of a projection step (Tom Lane)

    The planner could create an incorrect plan in cases where two ProjectionPaths were stacked on top of each other. The only known way to trigger that situation involves parallel sort operations, but there may be other instances. The result would be crashes or incorrect query results. Disclosure of server memory contents is also possible. (CVE-2021-3677)

  • Restore the Portal-level snapshot after COMMIT or ROLLBACK within a procedure (Tom Lane)

    This change fixes cases where an attempt to fetch a toasted value immediately after COMMIT/ROLLBACK would fail with errors like “no known snapshots” or “missing chunk number 0 for toast value”.

    Some extensions may attempt to execute SQL code outside of any Portal. They are responsible for ensuring that an outer snapshot exists before doing so. Previously, not providing a snapshot might work or it might not; now it will consistently fail with “cannot execute SQL without an outer snapshot or portal”.

  • Avoid misbehavior when persisting the output of a cursor that's reading a non-stable query (Tom Lane)

    Previously, we'd always rewind and re-read the whole query result, possibly getting results different from the earlier execution, causing great confusion later. For a NO SCROLL cursor, we can fix this by only storing the not-yet-read portion of the query output, which is sufficient since a NO SCROLL cursor can't be backed up. Cursors with the SCROLL option remain at hazard, but that was already documented to be an unsafe option to use with a non-stable query. Make those documentation warnings stronger.

    Also force NO SCROLL mode for the implicit cursor used by a PL/pgSQL FOR-over-query loop, to avoid this type of problem when persisting such a cursor during an intra-procedure commit.

  • When cloning a partitioned table's triggers to a new partition, ensure that their enabled status is copied (Álvaro Herrera)

  • Re-allow old-style Windows locale names in CREATE COLLATION commands (Thomas Munro)

    Previously we were failing because the operating system can't provide version information for such locales. At some point we may decide to require version information, but no such policy exists yet, so re-allow the case for now.

  • Disallow whole-row variables in GENERATED expressions (Tom Lane)

    Use of a whole-row variable clearly violates the rule that a generated column cannot depend on itself, so such cases have no well-defined behavior. The actual behavior frequently included a crash.

  • Fix usage of tableoid in GENERATED expressions (Tom Lane)

    Some code paths failed to provide a valid value for this system column while evaluating a GENERATED expression.

  • Don't store a “fast default” when adding a column to a foreign table (Andrew Dunstan)

    The fast default is useless since no local heap storage exists for such a table, but it confused subsequent operations. In addition to suppressing creation of such catalog entries in ALTER TABLE commands, adjust the downstream code to cope when one is incorrectly present.

  • On 64-bit Windows, allow the effective value of work_mem times hash_mem_multiplier to exceed 2GB (Tom Lane)

    This allows hash_mem_multiplier to be used for its intended purpose of preventing large hash aggregations from spilling to disk, even when “large” means multiple gigabytes.

  • Fix mis-planning of queries involving regular tables that are inheritance children of foreign tables (Amit Langote)

    SELECT FOR UPDATE and related commands would fail with assertion failures or “could not find junk column” errors in such cases.

  • Fix pullup of constant function-in-FROM results when the FROM item is marked LATERAL (Tom Lane)

  • Advance oldest-required-WAL-segment horizon properly after a replication slot is invalidated (Kyotaro Horiguchi)

    If all slots were invalidated, the horizon would not move again, eventually allowing the server's WAL storage to run out of space.

  • Correctly clear shared state after failing to become a member of a transaction commit group (Amit Kapila)

    Given the right timing, this could cause an assertion failure when some later session re-uses the same PGPROC object.

  • Improve progress reporting for the sort phase of a parallel btree index build (Matthias van de Meent)

  • Fix assorted crash cases in logical replication of partitioned-table updates (Amit Langote, Tom Lane)

  • Fix potential crash when firing AFTER triggers of partitioned tables in logical replication workers (Tom Lane)

  • Fix deadlock when multiple logical replication workers try to truncate the same table (Peter Smith, Haiying Tang)

  • Fix memory leak in logical replication output (Amit Langote)

  • Avoid leaving an invalid record-type hash table entry behind after an error (Sait Talha Nisanci)

    This could lead to later crashes or memory leakage.

  • Fix race condition in code for sharing tuple descriptors across parallel workers (Thomas Munro)

    Given the right timing, a crash could result.

  • Fix race condition when invalidating an obsolete replication slot concurrently with an attempt to drop or update it (Andres Freund, Álvaro Herrera)

  • Harden B-tree posting list split code against corrupt data (Peter Geoghegan)

    Throw an error, rather than crashing, for an attempt to insert an item with a TID identical to an existing entry. While that shouldn't ever happen, it has been reported to happen when the index is inconsistent with its table.

  • Fix pg_dump to correctly handle triggers on partitioned tables whose enabled status is different from their parent triggers' status (Justin Pryzby, Álvaro Herrera)

  • Fix contrib/postgres_fdw to work usefully with generated columns (Etsuro Fujita)

    postgres_fdw will now behave reasonably with generated columns, so long as a generated column in a foreign table represents a generated column in the remote table. IMPORT FOREIGN SCHEMA will now import generated columns that way by default.

  • Improve ALTER TABLE's messages for wrong-relation-kind errors (Kyotaro Horiguchi)

  • Adjust JIT code to prepare for forthcoming LLVM API change (Thomas Munro, Andres Freund)

    LLVM 13 has made an incompatible API change that will cause crashing of our previous JIT compiler.

• ⇑ Upgrade to 14 released on 2021-09-30 - docs

  • User-defined objects that reference certain built-in array functions along with their argument types must be recreated (Tom Lane)

    Specifically, array_append(), array_prepend(), array_cat(), array_position(), array_positions(), array_remove(), array_replace(), and width_bucket() used to take anyarray arguments but now take anycompatiblearray. Therefore, user-defined objects like aggregates and operators that reference those array function signatures must be dropped before upgrading, and recreated once the upgrade completes.

  • Remove deprecated containment operators @ and ~ for built-in geometric data types and contrib modules cube, hstore, intarray, and seg (Justin Pryzby)

    The more consistently named <@ and @> have been recommended for many years.

  • Fix to_tsquery() and websearch_to_tsquery() to properly parse query text containing discarded tokens (Alexander Korotkov)

    Certain discarded tokens, like underscore, caused the output of these functions to produce incorrect tsquery output, e.g., both websearch_to_tsquery('"pg_class pg"') and to_tsquery('pg_class <-> pg') used to output ( 'pg' & 'class' ) <-> 'pg', but now both output 'pg' <-> 'class' <-> 'pg'.

  • Fix websearch_to_tsquery() to properly parse multiple adjacent discarded tokens in quotes (Alexander Korotkov)

    Previously, quoted text that contained multiple adjacent discarded tokens was treated as multiple tokens, causing incorrect tsquery output, e.g., websearch_to_tsquery('"aaa: bbb"') used to output 'aaa' <2> 'bbb', but now outputs 'aaa' <-> 'bbb'.

  • Change EXTRACT() to return type numeric instead of float8 (Peter Eisentraut)

    This avoids loss-of-precision issues in some usages. The old behavior can still be obtained by using the old underlying function date_part().

    Also, EXTRACT(date) now throws an error for units that are not part of the date data type.

  • Change var_samp() and stddev_samp() with numeric parameters to return NULL when the input is a single NaN value (Tom Lane)

    Previously NaN was returned.

  • Return false for has_column_privilege() checks on non-existent or dropped columns when using attribute numbers (Joe Conway)

    Previously such attribute numbers returned an invalid-column error.

  • Fix handling of infinite window function ranges (Tom Lane)

    Previously window frame clauses like 'inf' PRECEDING AND 'inf' FOLLOWING returned incorrect results.

  • Remove factorial operators ! and !!, as well as function numeric_fac() (Mark Dilger)

    The factorial() function is still supported.

  • Disallow factorial() of negative numbers (Peter Eisentraut)

    Previously such cases returned 1.

  • Remove support for postfix (right-unary) operators (Mark Dilger)

    pg_dump and pg_upgrade will warn if postfix operators are being dumped.

  • Allow \D and \W shorthands to match newlines in regular expression newline-sensitive mode (Tom Lane)

    Previously they did not match newlines in this mode, but that disagrees with the behavior of other common regular expression engines. [^[:digit:]] or [^[:word:]] can be used to get the old behavior.

  • Disregard constraints when matching regular expression back-references (Tom Lane)

    For example, in (^\d+).*\1, the ^ constraint should be applied at the start of the string, but not when matching \1.

  • Disallow \w as a range start or end in regular expression character classes (Tom Lane)

    This previously was allowed but produced unexpected results.

  • Require custom server parameter names to use only characters that are valid in unquoted SQL identifiers (Tom Lane)

  • Change the default of the password_encryption server parameter to scram-sha-256 (Peter Eisentraut)

    Previously it was md5. All new passwords will be stored as SHA256 unless this server setting is changed or the password is specified in MD5 format. Also, the legacy (and undocumented) Boolean-like values which were previously synonyms for md5 are no longer accepted.

  • Remove server parameter vacuum_cleanup_index_scale_factor (Peter Geoghegan)

    This setting was ignored starting in PostgreSQL version 13.3.

  • Remove server parameter operator_precedence_warning (Tom Lane)

    This setting was used for warning applications about PostgreSQL 9.5 changes.

  • Overhaul the specification of clientcert in pg_hba.conf (Kyotaro Horiguchi)

    Values 1/0/no-verify are no longer supported; only the strings verify-ca and verify-full can be used. Also, disallow verify-ca if cert authentication is enabled since cert requires verify-full checking.

  • Remove support for SSL compression (Daniel Gustafsson, Michael Paquier)

    This was already disabled by default in previous PostgreSQL releases, and most modern OpenSSL and TLS versions no longer support it.

  • Remove server and libpq support for the version 2 wire protocol (Heikki Linnakangas)

    This was last used as the default in PostgreSQL 7.3 (released in 2002).

  • Disallow single-quoting of the language name in the CREATE/DROP LANGUAGE command (Peter Eisentraut)

  • Remove the composite types that were formerly created for sequences and toast tables (Tom Lane)

  • Process doubled quote marks in ecpg SQL command strings correctly (Tom Lane)

    Previously 'abc''def' was passed to the server as 'abc'def', and "abc""def" was passed as "abc"def", causing syntax errors.

  • Prevent the containment operators (<@ and @>) for intarray from using GiST indexes (Tom Lane)

    Previously a full GiST index scan was required, so just avoid that and scan the heap, which is faster. Indexes created for this purpose should be removed.

  • Remove contrib program pg_standby (Justin Pryzby)

  • Prevent tablefunc's function normal_rand() from accepting negative values (Ashutosh Bapat)

    Negative values produced undesirable results.

  • Add predefined roles pg_read_all_data and pg_write_all_data (Stephen Frost)

    These non-login roles can be used to give read or write permission to all tables, views, and sequences.

  • Add predefined role pg_database_owner that contains only the current database's owner (Noah Misch)

    This is especially useful in template databases.

  • Remove temporary files after backend crashes (Euler Taveira)

    Previously, such files were retained for debugging purposes. If necessary, deletion can be disabled with the new server parameter remove_temp_files_after_crash.

  • Allow long-running queries to be canceled if the client disconnects (Sergey Cherkashin, Thomas Munro)

    The server parameter client_connection_check_interval allows control over whether loss of connection is checked for intra-query. (This is supported on Linux and a few other operating systems.)

  • Add an optional timeout parameter to pg_terminate_backend()

  • Allow wide tuples to be always added to almost-empty heap pages (John Naylor, Floris van Nee)

    Previously tuples whose insertion would have exceeded the page's fill factor were instead added to new pages.

  • Add Server Name Indication (SNI) in SSL connection packets (Peter Eisentraut)

    This can be disabled by turning off client connection option sslsni.

  • Allow vacuum to skip index vacuuming when the number of removable index entries is insignificant (Masahiko Sawada, Peter Geoghegan)

    The vacuum parameter INDEX_CLEANUP has a new default of auto that enables this optimization.

  • Allow vacuum to more eagerly add deleted btree pages to the free space map (Peter Geoghegan)

    Previously vacuum could only add pages to the free space map that were marked as deleted by previous vacuums.

  • Allow vacuum to reclaim space used by unused trailing heap line pointers (Matthias van de Meent, Peter Geoghegan)

  • Allow vacuum to be more aggressive in removing dead rows during minimal-locking index operations (Álvaro Herrera)

    Specifically, CREATE INDEX CONCURRENTLY and REINDEX CONCURRENTLY no longer limit the dead row removal of other relations.

  • Speed up vacuuming of databases with many relations (Tatsuhito Kasahara)

  • Reduce the default value of vacuum_cost_page_miss to better reflect current hardware capabilities (Peter Geoghegan)

  • Add ability to skip vacuuming of TOAST tables (Nathan Bossart)

    VACUUM now has a PROCESS_TOAST option which can be set to false to disable TOAST processing, and vacuumdb has a --no-process-toast option.

  • Have COPY FREEZE appropriately update page visibility bits (Anastasia Lubennikova, Pavan Deolasee, Jeff Janes)

  • Cause vacuum operations to be more aggressive if the table is near xid or multixact wraparound (Masahiko Sawada, Peter Geoghegan)

    This is controlled by vacuum_failsafe_age and vacuum_multixact_failsafe_age.

  • Increase warning time and hard limit before transaction id and multi-transaction wraparound (Noah Misch)

    This should reduce the possibility of failures that occur without having issued warnings about wraparound.

  • Add per-index information to autovacuum logging output (Masahiko Sawada)

  • Improve the performance of updates and deletes on partitioned tables with many partitions (Amit Langote, Tom Lane)

    This change greatly reduces the planner's overhead for such cases, and also allows updates/deletes on partitioned tables to use execution-time partition pruning.

  • Allow partitions to be detached in a non-blocking manner (Álvaro Herrera)

    The syntax is ALTER TABLE ... DETACH PARTITION ... CONCURRENTLY, and FINALIZE.

  • Ignore COLLATE clauses in partition boundary values (Tom Lane)

    Previously any such clause had to match the collation of the partition key; but it's more consistent to consider that it's automatically coerced to the collation of the partition key.

  • Allow btree index additions to remove expired index entries to prevent page splits (Peter Geoghegan)

    This is particularly helpful for reducing index bloat on tables whose indexed columns are frequently updated.

  • Allow BRIN indexes to record multiple min/max values per range (Tomas Vondra)

    This is useful if there are groups of values in each page range.

  • Allow BRIN indexes to use bloom filters (Tomas Vondra)

    This allows BRIN indexes to be used effectively with data that is not well-localized in the heap.

  • Allow some GiST indexes to be built by presorting the data (Andrey Borodin)

    Presorting happens automatically and allows for faster index creation and smaller indexes.

  • Allow SP-GiST indexes to contain INCLUDE'd columns (Pavel Borisov)

  • Allow hash lookup for IN clauses with many constants (James Coleman, David Rowley)

    Previously the code always sequentially scanned the list of values.

  • Increase the number of places extended statistics can be used for OR clause estimation (Tomas Vondra, Dean Rasheed)

  • Allow extended statistics on expressions (Tomas Vondra)

    This allows statistics on a group of expressions and columns, rather than only columns like previously. System view pg_stats_ext_exprs reports such statistics.

  • Allow efficient heap scanning of a range of TIDs (Edmund Horner, David Rowley)

    Previously a sequential scan was required for non-equality TID specifications.

  • Fix EXPLAIN CREATE TABLE AS and EXPLAIN CREATE MATERIALIZED VIEW to honor IF NOT EXISTS (Bharath Rupireddy)

    Previously, if the object already existed, EXPLAIN would fail.

  • Improve the speed of computing MVCC visibility snapshots on systems with many CPUs and high session counts (Andres Freund)

    This also improves performance when there are many idle sessions.

  • Add executor method to memoize results from the inner side of a nested-loop join (David Rowley)

    This is useful if only a small percentage of rows is checked on the inner side. It can be disabled via server parameter enable_memoize.

  • Allow window functions to perform incremental sorts (David Rowley)

  • Improve the I/O performance of parallel sequential scans (Thomas Munro, David Rowley)

    This was done by allocating blocks in groups to parallel workers.

  • Allow a query referencing multiple foreign tables to perform foreign table scans in parallel (Robert Haas, Kyotaro Horiguchi, Thomas Munro, Etsuro Fujita)

    postgres_fdw supports this type of scan if async_capable is set.

  • Allow analyze to do page prefetching (Stephen Frost)

    This is controlled by maintenance_io_concurrency.

  • Improve performance of regular expression searches (Tom Lane)

  • Dramatically improve Unicode normalization (John Naylor)

    This speeds normalize() and IS NORMALIZED.

  • Add ability to use LZ4 compression on TOAST data (Dilip Kumar)

    This can be set at the column level, or set as a default via server parameter default_toast_compression. The server must be compiled with --with-lz4 to support this feature. The default setting is still pglz.

  • If server parameter compute_query_id is enabled, display the query id in pg_stat_activity, EXPLAIN VERBOSE, csvlog, and optionally in log_line_prefix (Julien Rouhaud)

    A query id computed by an extension will also be displayed.

  • Improve logging of auto-vacuum and auto-analyze (Stephen Frost, Jakub Wartak)

    This reports I/O timings for auto-vacuum and auto-analyze if track_io_timing is enabled. Also, report buffer read and dirty rates for auto-analyze.

  • Add information about the original user name supplied by the client to the output of log_connections (Jacob Champion)

  • Add system view pg_stat_progress_copy to report COPY progress (Josef Šimánek, Matthias van de Meent)

  • Add system view pg_stat_wal to report WAL activity (Masahiro Ikeda)

  • Add system view pg_stat_replication_slots to report replication slot activity (Sawada Masahiko, Amit Kapila, Vignesh C)

    The function pg_stat_reset_replication_slot() resets slot statistics.

  • Add system view pg_backend_memory_contexts to report session memory usage (Atsushi Torikoshi, Fujii Masao)

  • Add function pg_log_backend_memory_contexts() to output the memory contexts of arbitrary backends (Atsushi Torikoshi)

  • Add session statistics to the pg_stat_database system view (Laurenz Albe)

  • Add columns to pg_prepared_statements to report generic and custom plan counts (Atsushi Torikoshi, Kyotaro Horiguchi)

  • Add lock wait start time to pg_locks (Atsushi Torikoshi)

  • Make the archiver process visible in pg_stat_activity (Kyotaro Horiguchi)

  • Add wait event WalReceiverExit to report WAL receiver exit wait time (Fujii Masao)

  • Implement information schema view routine_column_usage to track columns referenced by function and procedure default expressions (Peter Eisentraut)

  • Allow an SSL certificate's distinguished name (DN) to be matched for client certificate authentication (Andrew Dunstan)

    The new pg_hba.conf option clientname=DN allows comparison with certificate attributes beyond the CN and can be combined with ident maps.

  • Allow pg_hba.conf and pg_ident.conf records to span multiple lines (Fabien Coelho)

    A backslash at the end of a line allows record contents to be continued on the next line.

  • Allow the specification of a certificate revocation list (CRL) directory (Kyotaro Horiguchi)

    This is controlled by server parameter ssl_crl_dir and libpq connection option sslcrldir. Previously only single CRL files could be specified.

  • Allow passwords of an arbitrary length (Tom Lane, Nathan Bossart)

  • Add server parameter idle_session_timeout to close idle sessions (Li Japin)

    This is similar to idle_in_transaction_session_timeout.

  • Change checkpoint_completion_target default to 0.9 (Stephen Frost)

    The previous default was 0.5.

  • Allow %P in log_line_prefix to report the parallel group leader's PID for a parallel worker (Justin Pryzby)

  • Allow unix_socket_directories to specify paths as individual, comma-separated quoted strings (Ian Lawrence Barwick)

    Previously all the paths had to be in a single quoted string.

  • Allow startup allocation of dynamic shared memory (Thomas Munro)

    This is controlled by min_dynamic_shared_memory. This allows more use of huge pages.

  • Add server parameter huge_page_size to control the size of huge pages used on Linux (Odin Ugedal)

  • Allow standby servers to be rewound via pg_rewind (Heikki Linnakangas)

  • Allow the restore_command setting to be changed during a server reload (Sergei Kornilov)

    You can also set restore_command to an empty string and reload to force recovery to only read from the pg_wal directory.

  • Add server parameter log_recovery_conflict_waits to report long recovery conflict wait times (Bertrand Drouvot, Masahiko Sawada)

  • Pause recovery on a hot standby server if the primary changes its parameters in a way that prevents replay on the standby (Peter Eisentraut)

    Previously the standby would shut down immediately.

  • Add function pg_get_wal_replay_pause_state() to report the recovery state (Dilip Kumar)

    It gives more detailed information than pg_is_wal_replay_paused(), which still exists.

  • Add new read-only server parameter in_hot_standby (Haribabu Kommi, Greg Nancarrow, Tom Lane)

    This allows clients to easily detect whether they are connected to a hot standby server.

  • Speed truncation of small tables during recovery on clusters with a large number of shared buffers (Kirk Jamison)

  • Allow file system sync at the start of crash recovery on Linux (Thomas Munro)

    By default, PostgreSQL opens and fsyncs each data file in the database cluster at the start of crash recovery. A new setting, recovery_init_sync_method=syncfs, instead syncs each filesystem used by the cluster. This allows for faster recovery on systems with many database files.

  • Add function pg_xact_commit_timestamp_origin() to return the commit timestamp and replication origin of the specified transaction (Movead Li)

  • Add the replication origin to the record returned by pg_last_committed_xact() (Movead Li)

  • Allow replication origin functions to be controlled using standard function permission controls (Martín Marqués)

    Previously these functions could only be executed by superusers, and this is still the default.

  • Allow logical replication to stream long in-progress transactions to subscribers (Dilip Kumar, Amit Kapila, Ajin Cherian, Tomas Vondra, Nikhil Sontakke, Stas Kelvich)

    Previously transactions that exceeded logical_decoding_work_mem were written to disk until the transaction completed.

  • Enhance the logical replication API to allow streaming large in-progress transactions (Tomas Vondra, Dilip Kumar, Amit Kapila)

    The output functions begin with stream. test_decoding also supports these.

  • Allow multiple transactions during table sync in logical replication (Peter Smith, Amit Kapila, and Takamichi Osumi)

  • Immediately WAL-log subtransaction and top-level XID association (Tomas Vondra, Dilip Kumar, Amit Kapila)

    This is useful for logical decoding.

  • Enhance logical decoding APIs to handle two-phase commits (Ajin Cherian, Amit Kapila, Nikhil Sontakke, Stas Kelvich)

    This is controlled via pg_create_logical_replication_slot().

  • Generate WAL invalidation messages during command completion when using logical replication (Dilip Kumar, Tomas Vondra, Amit Kapila)

    When logical replication is disabled, WAL invalidation messages are generated at transaction completion. This allows logical streaming of in-progress transactions.

  • Allow logical decoding to more efficiently process cache invalidation messages (Dilip Kumar)

    This allows logical decoding to work efficiently in presence of a large amount of DDL.

  • Allow control over whether logical decoding messages are sent to the replication stream (David Pirotte, Euler Taveira)

  • Allow logical replication subscriptions to use binary transfer mode (Dave Cramer)

    This is faster than text mode, but slightly less robust.

  • Allow logical decoding to be filtered by xid (Markus Wanner)

  • Reduce the number of keywords that can't be used as column labels without AS (Mark Dilger)

    There are now 90% fewer restricted keywords.

  • Allow an alias to be specified for JOIN's USING clause (Peter Eisentraut)

    The alias is created by writing AS after the USING clause. It can be used as a table qualification for the merged USING columns.

  • Allow DISTINCT to be added to GROUP BY to remove duplicate GROUPING SET combinations (Vik Fearing)

    For example, GROUP BY CUBE (a,b), CUBE (b,c) will generate duplicate grouping combinations without DISTINCT.

  • Properly handle DEFAULT entries in multi-row VALUES lists in INSERT (Dean Rasheed)

    Such cases used to throw an error.

  • Add SQL-standard SEARCH and CYCLE clauses for common table expressions (Peter Eisentraut)

    The same results could be accomplished using existing syntax, but much less conveniently.

  • Allow column names in the WHERE clause of ON CONFLICT to be table-qualified (Tom Lane)

    Only the target table can be referenced, however.

  • Allow REFRESH MATERIALIZED VIEW to use parallelism (Bharath Rupireddy)

  • Allow REINDEX to change the tablespace of the new index (Alexey Kondratov, Michael Paquier, Justin Pryzby)

    This is done by specifying a TABLESPACE clause. A --tablespace option was also added to reindexdb to control this.

  • Allow REINDEX to process all child tables or indexes of a partitioned relation (Justin Pryzby, Michael Paquier)

  • Allow index commands using CONCURRENTLY to avoid waiting for the completion of other operations using CONCURRENTLY (Álvaro Herrera)

  • Improve the performance of COPY FROM in binary mode (Bharath Rupireddy, Amit Langote)

  • Preserve SQL standard syntax for SQL-defined functions in view definitions (Tom Lane)

    Previously, calls to SQL-standard functions such as EXTRACT() were shown in plain function-call syntax. The original syntax is now preserved when displaying a view or rule.

  • Add the SQL-standard clause GRANTED BY to GRANT and REVOKE (Peter Eisentraut)

  • Add OR REPLACE option for CREATE TRIGGER (Takamichi Osumi)

    This allows pre-existing triggers to be conditionally replaced.

  • Allow TRUNCATE to operate on foreign tables (Kazutaka Onishi, Kohei KaiGai)

    The postgres_fdw module also now supports this.

  • Allow publications to be more easily added to and removed from a subscription (Japin Li)

    The new syntax is ALTER SUBSCRIPTION ... ADD/DROP PUBLICATION. This avoids having to specify all publications to add/remove entries.

  • Add primary keys, unique constraints, and foreign keys to system catalogs (Peter Eisentraut)

    These changes help GUI tools analyze the system catalogs. The existing unique indexes of catalogs now have associated UNIQUE or PRIMARY KEY constraints. Foreign key relationships are not actually stored or implemented as constraints, but can be obtained for display from the function pg_get_catalog_foreign_keys().

  • Allow CURRENT_ROLE every place CURRENT_USER is accepted (Peter Eisentraut)

  • Allow extensions and built-in data types to implement subscripting (Dmitry Dolgov)

    Previously subscript handling was hard-coded into the server, so that subscripting could only be applied to array types. This change allows subscript notation to be used to extract or assign portions of a value of any type for which the concept makes sense.

  • Allow subscripting of JSONB (Dmitry Dolgov)

    JSONB subscripting can be used to extract and assign to portions of JSONB documents.

  • Add support for multirange data types (Paul Jungwirth, Alexander Korotkov)

    These are like range data types, but they allow the specification of multiple, ordered, non-overlapping ranges. An associated multirange type is automatically created for every range type.

  • Add support for the stemming of languages Armenian, Basque, Catalan, Hindi, Serbian, and Yiddish (Peter Eisentraut)

  • Allow tsearch data files to have unlimited line lengths (Tom Lane)

    The previous limit was 4K bytes. Also remove function t_readline().

  • Add support for Infinity and -Infinity values in the numeric data type (Tom Lane)

    Floating-point data types already supported these.

  • Add point operators <<| and |>> representing strictly above/below tests (Emre Hasegeli)

    Previously these were called >^ and <^, but that naming is inconsistent with other geometric data types. The old names remain available, but may someday be removed.

  • Add operators to add and subtract LSN and numeric (byte) values (Fujii Masao)

  • Allow binary data transfer to be more forgiving of array and record OID mismatches (Tom Lane)

  • Create composite array types for system catalogs (Wenjing Zeng)

    User-defined relations have long had composite types associated with them, and also array types over those composite types. System catalogs now do as well. This change also fixes an inconsistency that creating a user-defined table in single-user mode would fail to create a composite array type.

  • Allow SQL-language functions and procedures to use SQL-standard function bodies (Peter Eisentraut)

    Previously only string-literal function bodies were supported. When writing a function or procedure in SQL-standard syntax, the body is parsed immediately and stored as a parse tree. This allows better tracking of function dependencies, and can have security benefits.

  • Allow procedures to have OUT parameters (Peter Eisentraut)

  • Allow some array functions to operate on a mix of compatible data types (Tom Lane)

    The functions array_append(), array_prepend(), array_cat(), array_position(), array_positions(), array_remove(), array_replace(), and width_bucket() now take anycompatiblearray instead of anyarray arguments. This makes them less fussy about exact matches of argument types.

  • Add SQL-standard trim_array() function (Vik Fearing)

    This could already be done with array slices, but less easily.

  • Add bytea equivalents of ltrim() and rtrim() (Joel Jacobson)

  • Support negative indexes in split_part() (Nikhil Benesch)

    Negative values start from the last field and count backward.

  • Add string_to_table() function to split a string on delimiters (Pavel Stehule)

    This is similar to the regexp_split_to_table() function.

  • Add unistr() function to allow Unicode characters to be specified as backslash-hex escapes in strings (Pavel Stehule)

    This is similar to how Unicode can be specified in literal strings.

  • Add bit_xor() XOR aggregate function (Alexey Bashtanov)

  • Add function bit_count() to return the number of bits set in a bit or byte string (David Fetter)

  • Add date_bin() function (John Naylor)

    This function “bins” input timestamps, grouping them into intervals of a uniform length aligned with a specified origin.

  • Allow make_timestamp()/make_timestamptz() to accept negative years (Peter Eisentraut)

    Negative values are interpreted as BC years.

  • Add newer regular expression substring() syntax (Peter Eisentraut)

    The new SQL-standard syntax is SUBSTRING(text SIMILAR pattern ESCAPE escapechar). The previous standard syntax was SUBSTRING(text FROM pattern FOR escapechar), which is still accepted by PostgreSQL.

  • Allow complemented character class escapes \D, \S, and \W within regular expression brackets (Tom Lane)

  • Add [[:word:]] as a regular expression character class, equivalent to \w (Tom Lane)

  • Allow more flexible data types for default values of lead() and lag() window functions (Vik Fearing)

  • Make non-zero floating-point values divided by infinity return zero (Kyotaro Horiguchi)

    Previously such operations produced underflow errors.

  • Make floating-point division of NaN by zero return NaN (Tom Lane)

    Previously this returned an error.

  • Cause exp() and power() for negative-infinity exponents to return zero (Tom Lane)

    Previously they often returned underflow errors.

  • Improve the accuracy of geometric computations involving infinity (Tom Lane)

  • Mark built-in type coercion functions as leakproof where possible (Tom Lane)

    This allows more use of functions that require type conversion in security-sensitive situations.

  • Change pg_describe_object(), pg_identify_object(), and pg_identify_object_as_address() to always report helpful error messages for non-existent objects (Michael Paquier)

  • Improve PL/pgSQL's expression and assignment parsing (Tom Lane)

    This change allows assignment to array slices and nested record fields.

  • Allow plpgsql's RETURN QUERY to execute its query using parallelism (Tom Lane)

  • Improve performance of repeated CALLs within plpgsql procedures (Pavel Stehule, Tom Lane)

  • Add pipeline mode to libpq (Craig Ringer, Matthieu Garrigues, Álvaro Herrera)

    This allows multiple queries to be sent, only waiting for completion when a specific synchronization message is sent.

  • Enhance libpq's target_session_attrs parameter options (Haribabu Kommi, Greg Nancarrow, Vignesh C, Tom Lane)

    The new options are read-only, primary, standby, and prefer-standby.

  • Improve the output format of libpq's PQtrace() (Aya Iwata, Álvaro Herrera)

  • Allow an ECPG SQL identifier to be linked to a specific connection (Hayato Kuroda)

    This is done via DECLARE ... STATEMENT.

  • Allow vacuumdb to skip index cleanup and truncation (Nathan Bossart)

    The options are --no-index-cleanup and --no-truncate.

  • Allow pg_dump to dump only certain extensions (Guillaume Lelarge)

    This is controlled by option --extension.

  • Add pgbench permute() function to randomly shuffle values (Fabien Coelho, Hironobu Suzuki, Dean Rasheed)

  • Include disconnection times in the reconnection overhead measured by pgbench with -C (Yugo Nagata)

  • Allow multiple verbose option specifications (-v) to increase the logging verbosity (Tom Lane)

    This behavior is supported by pg_dump, pg_dumpall, and pg_restore.

  • Allow psql's \df and \do commands to specify function and operator argument types (Greg Sabino Mullane, Tom Lane)

    This helps reduce the number of matches printed for overloaded names.

  • Add an access method column to psql's \d[i|m|t]+ output (Georgios Kokolatos)

  • Allow psql's \dt and \di to show TOAST tables and their indexes (Justin Pryzby)

  • Add psql command \dX to list extended statistics objects (Tatsuro Yamada)

  • Fix psql's \dT to understand array syntax and backend grammar aliases, like int for integer (Greg Sabino Mullane, Tom Lane)

  • When editing the previous query or a file with psql's \e, or using \ef and \ev, ignore the results if the editor exits without saving (Laurenz Albe)

    Previously, such edits would load the previous query into the query buffer, and typically execute it immediately. This was deemed to be probably not what the user wants.

  • Improve tab completion (Vignesh C, Michael Paquier, Justin Pryzby, Georgios Kokolatos, Julien Rouhaud)

  • Add command-line utility pg_amcheck to simplify running contrib/amcheck tests on many relations (Mark Dilger)

  • Add --no-instructions option to initdb (Magnus Hagander)

    This suppresses the server startup instructions that are normally printed.

  • Stop pg_upgrade from creating analyze_new_cluster script (Magnus Hagander)

    Instead, give comparable vacuumdb instructions.

  • Remove support for the postmaster -o option (Magnus Hagander)

    This option was unnecessary since all passed options could already be specified directly.

  • Rename "Default Roles" to "Predefined Roles" (Bruce Momjian, Stephen Frost)

  • Add documentation for the factorial() function (Peter Eisentraut)

    With the removal of the ! operator in this release, factorial() is the only built-in way to compute a factorial.

  • Add configure option --with-ssl={openssl} to allow future choice of the SSL library to use (Daniel Gustafsson, Michael Paquier)

    The spelling --with-openssl is kept for compatibility.

  • Add support for abstract Unix-domain sockets (Peter Eisentraut)

    This is currently supported on Linux and Windows.

  • Allow Windows to properly handle files larger than four gigabytes (Juan José Santamaría Flecha)

    For example this allows COPY, WAL files, and relation segment files to be larger than four gigabytes.

  • Add server parameter debug_discard_caches to control cache flushing for test purposes (Craig Ringer)

    Previously this behavior could only be set at compile time. To invoke it during initdb, use the new option --discard-caches.

  • Various improvements in valgrind error detection ability (Álvaro Herrera, Peter Geoghegan)

  • Add a test module for the regular expression package (Tom Lane)

  • Add support for LLVM version 12 (Andres Freund)

  • Change SHA1, SHA2, and MD5 hash computations to use the OpenSSL EVP API (Michael Paquier)

    This is more modern and supports FIPS mode.

  • Remove separate build-time control over the choice of random number generator (Daniel Gustafsson)

    This is now always determined by the choice of SSL library.

  • Add direct conversion routines between EUC_TW and Big5 encodings (Heikki Linnakangas)

  • Add collation version support for FreeBSD (Thomas Munro)

  • Add amadjustmembers to the index access method API (Tom Lane)

    This allows an index access method to provide validity checking during creation of a new operator class or family.

  • Provide feature-test macros in libpq-fe.h for recently-added libpq features (Tom Lane, Álvaro Herrera)

    Historically, applications have usually used compile-time checks of PG_VERSION_NUM to test whether a feature is available. But that's normally the server version, which might not be a good guide to libpq's version. libpq-fe.h now offers #define symbols denoting application-visible features added in v14; the intent is to keep adding symbols for such features in future versions.

  • Allow subscripting of hstore values (Tom Lane, Dmitry Dolgov)

  • Allow GiST/GIN pg_trgm indexes to do equality lookups (Julien Rouhaud)

    This is similar to LIKE except no wildcards are honored.

  • Allow the cube data type to be transferred in binary mode (KaiGai Kohei)

  • Allow pgstattuple_approx() to report on TOAST tables (Peter Eisentraut)

  • Add contrib module pg_surgery which allows changes to row visibility (Ashutosh Sharma)

    This is useful for correcting database corruption.

  • Add contrib module old_snapshot to report the XID/time mapping used by an active old_snapshot_threshold (Robert Haas)

  • Allow amcheck to also check heap pages (Mark Dilger)

    Previously it only checked B-Tree index pages.

  • Allow pageinspect to inspect GiST indexes (Andrey Borodin, Heikki Linnakangas)

  • Change pageinspect block numbers to be bigints (Peter Eisentraut)

  • Mark btree_gist functions as parallel safe (Steven Winfield)

  • Move query hash computation from pg_stat_statements to the core server (Julien Rouhaud)

    The new server parameter compute_query_id's default of auto will automatically enable query id computation when this extension is loaded.

  • Cause pg_stat_statements to track top and nested statements separately (Julien Rohaud)

    Previously, when tracking all statements, identical top and nested statements were tracked as a single entry; but it seems more useful to separate such usages.

  • Add row counts for utility commands to pg_stat_statements (Fujii Masao, Katsuragi Yuta, Seino Yuki)

  • Add pg_stat_statements_info system view to show pg_stat_statements activity (Katsuragi Yuta, Yuki Seino, Naoki Nakamichi)

  • Allow postgres_fdw to INSERT rows in bulk (Takayuki Tsunakawa, Tomas Vondra, Amit Langote)

  • Allow postgres_fdw to import table partitions if specified by IMPORT FOREIGN SCHEMA ... LIMIT TO (Matthias van de Meent)

    By default, only the root of a partitioned table is imported.

  • Add postgres_fdw function postgres_fdw_get_connections() to report open foreign server connections (Bharath Rupireddy)

  • Allow control over whether foreign servers keep connections open after transaction completion (Bharath Rupireddy)

    This is controlled by keep_connections and defaults to on.

  • Allow postgres_fdw to reestablish foreign server connections if necessary (Bharath Rupireddy)

    Previously foreign server restarts could cause foreign table access errors.

  • Add postgres_fdw functions to discard cached connections (Bharath Rupireddy)

• ⇑ Upgrade to 14.1 released on 2021-11-11 - docs

  • Ensure that parallel VACUUM doesn't miss any indexes (Peter Geoghegan, Masahiko Sawada)

    A parallel VACUUM would fail to process indexes that are below the min_parallel_index_scan_size cutoff, if the table also has at least two indexes that are above that size. This could result in those indexes becoming corrupt, since they'd still contain references to any heap entries removed by the VACUUM; subsequent queries using such indexes would be likely to return rows they shouldn't. This problem does not affect autovacuum, since it doesn't use parallel vacuuming. However, it is advisable to reindex any manually-vacuumed tables that have the right mix of index sizes.

  • Fix REINDEX CONCURRENTLY to preserve operator class parameters that were attached to the target index (Michael Paquier)

  • Fix incorrect creation of shared dependencies when cloning a database that contains non-builtin objects (Aleksander Alekseev)

    The effects of this error are probably limited in practice. In principle, it could allow a role to be dropped while it still owns objects; but most installations would never want to drop a role that had been used for objects they'd added to template1.

  • Fix corruption of parse tree while creating a range type (Alex Kozhemyakin, Sergey Shinderuk)

    CREATE TYPE incorrectly freed an element of the parse tree, which could cause problems for a later event trigger, or if the CREATE TYPE command was stored in the plan cache and used again later.

  • Fix updates of element fields in arrays of domain over composite (Tom Lane)

    A command such as UPDATE tab SET fld[1].subfld = val failed if the array's elements were domains rather than plain composites.

  • Disallow the combination of FETCH FIRST WITH TIES and FOR UPDATE SKIP LOCKED (David Christensen)

    FETCH FIRST WITH TIES necessarily fetches one more row than requested, since it cannot stop until it finds a row that is not a tie. In our current implementation, if FOR UPDATE is used then that row will also get locked even though it is not returned. That results in undesirable behavior if the SKIP LOCKED option is specified. It's difficult to change this without introducing a different set of undesirable behaviors, so for now, forbid the combination.

  • Disallow ALTER INDEX index ALTER COLUMN col SET (options) (Nathan Bossart, Michael Paquier)

    While the parser accepted this, it's undocumented and doesn't actually work.

  • Avoid choosing the wrong hash equality operator for Memoize plans (David Rowley)

    This error could result in crashes or incorrect query results.

  • Fix planner error with pulling up subquery expressions into function rangetable entries (Tom Lane)

    If a function in FROM laterally references the output of some sub-SELECT earlier in the FROM clause, and we are able to flatten that sub-SELECT into the outer query, the expression(s) copied into the function expression were not fully processed. This could lead to crashes at execution.

  • Fix restoration of a Portal's snapshot inside a subtransaction (Bertrand Drouvot)

    If a procedure commits or rolls back a transaction, and then its next significant action is inside a new subtransaction, snapshot management went wrong, leading to a dangling pointer and probable crash. A typical example in PL/pgSQL is a COMMIT immediately followed by a BEGIN ... EXCEPTION block that performs a query.

  • Fix “could not find RecursiveUnion” error when EXPLAIN tries to print a filter condition attached to a WorkTableScan node (Tom Lane)

  • Ensure that the correct lock level is used when renaming a table (Nathan Bossart, Álvaro Herrera)

    For historical reasons, ALTER INDEX ... RENAME can be applied to any sort of relation. The lock level required to rename an index is lower than that required to rename a table or other kind of relation, but the code got this wrong and would use the weaker lock level whenever the command is spelled ALTER INDEX.

  • Fix inefficient code generation for CoerceToDomain expression nodes (Ranier Vilela)

  • Avoid O(N^2) behavior in some list-manipulation operations (Nathan Bossart, Tom Lane)

    These changes fix slow processing in several scenarios, including: when a standby replays a transaction that held many exclusive locks on the primary; when many files are due to be unlinked after a checkpoint; when hash aggregation involves many batches; and when pg_trgm extracts indexable conditions from a complex regular expression. Only the first of these scenarios has actually been reported from the field, but they all seem like plausible consequences of inefficient list deletions.

  • Add more defensive checks around B-tree posting list splits (Peter Geoghegan)

    This change should help detect index corruption involving duplicate table TIDs.

  • Avoid assertion failure when inserting NaN into a BRIN float8 or float4 minmax_multi_ops index (Tomas Vondra)

    In production builds, such cases would result in a somewhat inefficient, but not actually incorrect, index.

  • Allow the autovacuum launcher process to respond to pg_log_backend_memory_contexts() requests more quickly (Koyu Tanigawa)

  • Fix memory leak in HMAC hash calculations (Sergey Shinderuk)

  • Disallow setting huge_pages to on when shared_memory_type is sysv (Thomas Munro)

    Previously, this setting was accepted, but it did nothing for lack of any implementation.

  • Fix checking of query type in PL/pgSQL's RETURN QUERY statement (Tom Lane)

    RETURN QUERY should accept any query that can return tuples, e.g. UPDATE RETURNING. v14 accidentally disallowed anything but SELECT; moreover, the RETURN QUERY EXECUTE variant failed to apply any query-type check at all.

  • Fix crash in pg_dump when attempting to dump trigger definitions from a pre-8.3 server (Tom Lane)

  • Ensure that pgbench exits with non-zero status after a socket-level failure (Yugo Nagata, Fabien Coelho)

    The desired behavior is to finish out the run but then exit with status 2. Also, fix the reporting of such errors.

  • Prevent pg_amcheck from checking temporary relations, as well as indexes that are invalid or not ready (Mark Dilger)

    This avoids unhelpful checks of relations that will almost certainly appear inconsistent.

  • Make contrib/amcheck skip unlogged tables when running on a standby server (Mark Dilger)

    It's appropriate to do this since such tables will be empty, and unlogged indexes were already handled similarly.

  • When running a TAP test, include the module's own directory in PATH (Andrew Dunstan)

    This allows tests to find built programs that are not installed, such as custom test drivers.

• ⇑ Upgrade to 14.2 released on 2022-02-10 - docs

  • Enforce standard locking protocol for TOAST table updates, to prevent problems with REINDEX CONCURRENTLY (Michael Paquier)

    If applied to a TOAST table or TOAST table's index, REINDEX CONCURRENTLY tended to produce a corrupted index. This happened because sessions updating TOAST entries released their ROW EXCLUSIVE locks immediately, rather than holding them until transaction commit as all other updates do. The fix is to make TOAST updates hold the table lock according to the normal rule. Any existing corrupted indexes can be repaired by reindexing again.

  • Fix corruption of HOT chains when a RECENTLY_DEAD tuple changes state to fully DEAD during page pruning (Andres Freund)

    It was possible for VACUUM to remove a recently-dead tuple while leaving behind a redirect item that pointed to it. When the tuple's item slot is later re-used by some new tuple, that tuple would be seen as part of the pre-existing HOT chain, creating a form of index corruption. If this has happened, reindexing the table should repair the damage. However, this is an extremely low-probability scenario, so we do not recommend reindexing just on the chance that it might have happened.

  • Fix crash in EvalPlanQual rechecks for tables with a mix of local and foreign partitions (Etsuro Fujita)

  • Fix dangling pointer in COPY TO (Bharath Rupireddy)

    This oversight could cause an incorrect error message or a crash after an error in COPY.

  • Avoid null-pointer crash in ALTER STATISTICS when the statistics object is dropped concurrently (Tomas Vondra)

  • Correctly handle alignment padding when extracting a range from a multirange (Alexander Korotkov)

    This error could cause crashes when handling multiranges over variable-length data types.

  • Fix over-optimistic use of hashing for anonymous RECORD data types (Tom Lane)

    This prevents some cases of “could not identify a hash function for type record” errors.

  • Fix incorrect plan creation for parallel single-child Append nodes (David Rowley)

    In some cases the Append would be simplified away when it should not be, leading to wrong query results (duplicated rows).

  • Fix Memoize plan nodes to handle subplans that use parameters coming from above the Memoize (David Rowley)

  • Fix Memoize plan nodes to work correctly with non-hashable join operators (David Rowley)

  • Fix checking of anycompatible-family data type matches (Tom Lane)

    In some cases the parser would think that a function or operator with anycompatible-family polymorphic parameters matches a set of arguments that it really shouldn't match. In reported cases, that led to matching more than one operator to a call, leading to ambiguous-operator errors; but a failure later on is also possible.

  • In logical replication, avoid double transmission of a child table's data (Hou Zhijie)

    If a publication includes both child and parent tables, and has the publish_via_partition_root option set, subscribers uselessly initiated synchronization on both child and parent tables. Ensure that only the parent table is synchronized in such cases.

  • Ensure that replication origin timestamp is set while replicating a ROLLBACK PREPARED operation (Masahiko Sawada)

  • Correctly update cached table state during ALTER TABLE ADD PRIMARY KEY USING INDEX (Hou Zhijie)

    Concurrent sessions failed to update their opinion of whether the table has a primary key, possibly causing incorrect logical replication behavior.

  • Fix failure of SP-GiST indexes when the indexed column's data type is binary-compatible with the declared input type of the operator class (Tom Lane)

    Such cases should work, but failed with “compress method must be defined when leaf type is different from input type”.

  • Allow parallel vacuuming and concurrent index building to be ignored while computing oldest xmin (Masahiko Sawada)

    Non-parallelized instances of these operations were already ignored, but the logic did not work for parallelized cases. Holding back the xmin horizon has undesirable effects such as delaying vacuum cleanup.

  • Fix memory leak when updating expression indexes (Peter Geoghegan)

    An UPDATE affecting many rows could consume significant amounts of memory.

  • Improve performance of walsenders sending logical changes by avoiding unnecessary cache accesses (Hou Zhijie)

  • Fix display of cert authentication method's options in pg_hba_file_rules view (Magnus Hagander)

    The cert authentication method implies clientcert=verify-full, but the pg_hba_file_rules view incorrectly reported clientcert=verify-ca.

  • Ensure that the session targeted by pg_log_backend_memory_contexts() sends its results only to the server's log (Fujii Masao)

    Previously, a sufficiently high setting of client_min_messages could result in the log message also being sent to the connected client. Since that client hadn't requested it, that would be surprising (and possibly a wire protocol violation).

  • When reverse-listing a SQL-standard function body, display function parameters appropriately within INSERT ... SELECT (Tom Lane)

    Previously, they'd come out as $N even when the parameter had a name.

  • Fix one-byte buffer overrun when applying Unicode string normalization to an empty string (Michael Paquier)

    The practical impact of this is limited thanks to alignment considerations; but in debug builds, a warning was raised.

  • Fix psql \d command's query for identifying parent triggers (Justin Pryzby)

    The previous coding failed with “more than one row returned by a subquery used as an expression” if a partition had triggers and there were unrelated statement-level triggers of the same name on some parent partitioned table.

  • Make psql's \d command sort a table's extended statistics objects by name not OID (Justin Pryzby)

  • Fix psql's tab-completion of label values for enum types (Tom Lane)

  • Fix failures on Windows when using the terminal as data source or destination (Dmitry Koval, Juan José Santamaría Flecha, Michael Paquier)

    This affects psql's \copy command, as well as pg_recvlogical with -f -.

  • Fix pg_dump's --inserts and --column-inserts modes to handle tables containing both generated columns and dropped columns (Tom Lane)

  • Fix edge cases in postgres_fdw's handling of asynchronous queries (Etsuro Fujita)

    These errors could lead to crashes or incorrect results when attempting to parallelize scans of foreign tables.

  • Re-allow cross-compilation without OpenSSL (Tom Lane)

    configure should assume that /dev/urandom will be available on the target system, but it failed instead.

• ⇑ Upgrade to 14.3 released on 2022-05-12 - docs

  • Fix default signature length for gist_ltree_ops indexes (Tomas Vondra, Alexander Korotkov)

    The default signature length (hash size) for GiST indexes on ltree columns was accidentally changed while upgrading that operator class to support operator class parameters. If any operations had been done on such an index without first upgrading the ltree extension to version 1.2, they were done assuming that the signature length was 28 bytes rather than the intended 8. This means it is very likely that such indexes are now corrupt. For safety we recommend re-indexing all GiST indexes on ltree columns after installing this update. (Note that GiST indexes on ltree[] columns, that is arrays of ltree, are not affected.)

  • Fix incorrect roundoff when extracting epoch values from intervals (Peter Eisentraut)

    The new numeric-based code for EXTRACT() failed to yield results equivalent to the old float-based code, as a result of accidentally truncating the DAYS_PER_YEAR value to an integer.

  • Defend against pg_stat_get_replication_slot(NULL) (Andres Freund)

    This function should be marked strict in the catalog data, but it was not in v14, so add a run-time check instead.

  • Fix planner failure when a Result plan node appears immediately underneath an Append node (Etsuro Fujita)

    Recently-added code to support asynchronous remote queries failed to handle this case, leading to crashes or errors about unrecognized node types.

  • Fix planner failure if a query using SEARCH or CYCLE features contains a duplicate CTE name (Tom Lane, Kyotaro Horiguchi)

    When the name of the recursive WITH query is re-used within itself, the planner could crash or report odd errors such as “could not find attribute 2 in subquery targetlist”.

  • Avoid accessing a no-longer-pinned shared buffer while attempting to lock an outdated tuple during EvalPlanQual (Tom Lane)

    The code would touch the buffer a couple more times after releasing its pin. In theory another process could recycle the buffer (or more likely, try to defragment its free space) as soon as the pin is gone, probably leading to failure to find the newer version of the tuple.

  • Tighten lookup of the index “owned by” a constraint (Tom Lane, Japin Li)

    Some code paths mistook the index depended on by a foreign key constraint for one owned by a unique or primary key constraint, resulting in odd errors during certain ALTER TABLE operations on tables having foreign key constraints.

  • Fix bogus errors from attempts to alter system columns of tables (Tom Lane)

    The system should just tell you that you can't do it, but sometimes it would report “no owned sequence found” instead.

  • Prevent data loss if a system crash occurs shortly after a sorted GiST index build (Heikki Linnakangas)

    The code path for building GiST indexes using sorting neglected to fsync the file upon completion. This could result in a corrupted index if the operating system crashed shortly later.

  • Fix risk of deadlock failures while dropping a partitioned index (Jimmy Yih, Gaurab Dey, Tom Lane)

    Ensure that the required table and index locks are taken in the standard order (parents before children, tables before indexes). The previous coding for DROP INDEX did it differently, and so could deadlock against concurrent queries taking these locks in the standard order.

  • Re-allow underscore as the first character in a custom parameter name (Japin Li)

    Such names were unintentionally disallowed in v14.

  • Add regress option for the compute_query_id parameter (Michael Paquier)

    This is intended to facilitate testing, by allowing query IDs to be computed but not shown in EXPLAIN output.

  • Improve wait logic in RegisterSyncRequest (Thomas Munro)

    If we run out of space in the checkpointer sync request queue (which is hopefully rare on real systems, but is common when testing with a very small buffer pool), we wait for it to drain. While waiting, we should report that as a wait event so that users know what is going on, and also watch for postmaster death, since otherwise the loop might never terminate if the checkpointer has already exited.

  • Wake up for latch events when the checkpointer is waiting between writes (Thomas Munro)

    This improves responsiveness to backends sending sync requests. The change also creates a proper wait event class for these waits.

  • Fix possible mis-identification of the correct ancestor relation to publish logical replication changes through (Tomas Vondra, Hou zj, Amit Kapila)

    If publish_via_partition_root is enabled, and there are multiple publications naming different ancestors of the currently-modified relation, the wrong ancestor might be chosen for reporting the change.

  • Cope correctly with platforms that have no support for altering the server process's display in ps(1) (Andrew Dunstan)

    Few platforms are like this (the only supported one is Cygwin), so we'd managed not to notice that refactoring introduced a potential memory clobber.

  • Make the server more robust against missed timer interrupts (Michael Harris, Tom Lane)

    An optimization added in v14 meant that if a server process somehow missed a timer interrupt, it would never again ask the kernel for another one, thus breaking timeout detection for the remainder of the session. This seems unduly fragile, so add a recovery path.

  • Fix behavior of libpq's PQisBusy() function after a connection failure (Tom Lane)

    If we'd detected a write failure, PQisBusy() would always return true, which is the wrong thing: we want input processing to carry on normally until we've read whatever is available from the server. The practical effect of this error is that applications using libpq's async-query API would typically detect connection loss only when PQconsumeInput() returns a hard failure. With this fix, a connection loss will normally be reported via an error PGresult object, which is a much cleaner behavior for most applications.

  • Re-allow database.schema.table patterns in psql, pg_dump, and pg_amcheck (Mark Dilger)

    Versions before v14 silently ignored all but the schema and table fragments of a pattern containing more than one dot. Refactoring in v14 accidentally broke that use-case. Reinstate it, but now complain if the first fragment is not the name of the current database.

  • Fix error handling in pg_waldump (Kyotaro Horiguchi, Andres Freund)

    While trying to read a WAL file to determine the WAL segment size, pg_waldump would report an incorrect error for the case of a too-short file. In addition, the file name reported in this and related error messages could be garbage.

  • In contrib/postgres_fdw, disable batch insertion when BEFORE INSERT ... FOR EACH ROW triggers exist on the foreign table (Etsuro Fujita)

    Such a trigger might query the table it's on and expect to see previously-inserted rows. With batch insertion, those rows might not be visible yet, so disable the feature to avoid unexpected behavior.

  • Fix configure to handle platforms that have sys/epoll.h but not sys/signalfd.h (Tom Lane)

  • Update JIT code to work with LLVM 14 (Thomas Munro)

  • Do not add OpenSSL dependencies to libpq's pkg-config file when building without OpenSSL (Fabrice Fontaine)

• ⇑ Upgrade to 14.4 released on 2022-06-16 - docs

  • Prevent possible corruption of indexes created or rebuilt with the CONCURRENTLY option (Álvaro Herrera)

    An optimization added in v14 caused CREATE INDEX ... CONCURRENTLY and REINDEX ... CONCURRENTLY to sometimes miss indexing rows that were updated during the index build. Revert that optimization. It is recommended that any indexes made with the CONCURRENTLY option be rebuilt after installing this update. (Alternatively, rebuild them without CONCURRENTLY.)

  • Harden Memoize plan node against non-deterministic equality functions (David Rowley)

    Memoize could crash if a data type's equality or hash functions gave inconsistent results across different calls. Throw a runtime error instead.

  • Fix incorrect cost estimates for Memoize plans (David Rowley)

    This mistake could lead to Memoize being used when it isn't really the best plan, or to very long executor startup times due to initializing an overly-large hash table for a Memoize node.

  • Fix queries in which a “whole-row variable” references the result of a function that returns a domain over composite type (Tom Lane)

  • Fix COPY FROM's error checking in the case where the database encoding is SQL_ASCII while the client's encoding is a multi-byte encoding (Heikki Linnakangas)

    This mistake could lead to false complaints of invalidly-encoded input data.

  • Prevent crash after server connection loss in pg_amcheck (Tom Lane)

    Misprocessing of a libpq-generated error result, such as a report of lost connection, would lead to a crash.

  • Adjust PL/Perl test case so it will work under Perl 5.36 (Dagfinn Ilmari Mannsåker)

• ⇑ Upgrade to 14.5 released on 2022-08-11 - docs

  • Fix incorrect plans when sorting by an expression that contains a non-top-level set-returning function (Richard Guo, Tom Lane)

  • Fix incorrect permissions-checking code for extended statistics (Richard Guo)

    If there are extended statistics on a table that the user has only partial SELECT permissions on, some queries would fail with “unrecognized node type” errors.

  • Fix extended statistics machinery to handle MCV-type statistics on boolean-valued expressions (Tom Lane)

    Statistics collection worked fine, but a query containing such an expression in WHERE would fail with “unknown clause type”.

  • Avoid planner core dump with constant = ANY(array) clauses when there are MCV-type extended statistics on the array variable (Tom Lane)

  • Fix ALTER TABLE ... ENABLE/DISABLE TRIGGER to handle recursion correctly for triggers on partitioned tables (Álvaro Herrera, Amit Langote)

    In certain cases, a “trigger does not exist” failure would occur because the command would try to adjust the trigger on a child partition that doesn't have it.

  • Allow cancellation of ANALYZE while it is computing extended statistics (Tom Lane, Justin Pryzby)

    In some scenarios with high statistics targets, it was possible to spend many seconds in an un-cancellable sort operation.

  • Improve syntax error messages for type jsonpath (Andrew Dunstan)

  • Fix trim_array() to handle a zero-dimensional array argument sanely (Martin Kalcher)

  • Fix logical replication's checking of replica identity when the target table is partitioned (Shi Yu, Hou Zhijie)

    The replica identity columns have to be re-identified for the child partition.

  • Fix failures to update cached schema data in a logical replication subscriber after a schema change on the publisher (Shi Yu, Hou Zhijie)

  • Fix erroneous assertion checks in shared hashtable management (Thomas Munro)

  • Avoid assertion failure when min_dynamic_shared_memory is set to a non-default value (Thomas Munro)

  • Arrange to clean up after commit-time errors within SPI_commit(), rather than expecting callers to do that (Peter Eisentraut, Tom Lane)

    Proper cleanup is complicated and requires use of low-level facilities, so it's not surprising that no known caller got it right. This led to misbehaviors when a PL procedure issued COMMIT but a failure occurred (such as a deferred constraint check). To improve matters, redefine SPI_commit() as starting a new transaction, so that it becomes equivalent to SPI_commit_and_chain() except that you get default transaction characteristics instead of preserving the prior transaction's characteristics. To make this somewhat transparent API-wise, redefine SPI_start_transaction() as a no-op. All known callers of SPI_commit() immediately call SPI_start_transaction(), so they will not notice any change. Similar remarks apply to SPI_rollback().

    Also fix PL/Python, which omitted any handling of such errors at all, resulting in jumping out of the Python interpreter. This is reported to crash Python 3.11. Older Python releases leak some memory but seem okay with it otherwise.

  • Improve libpq's handling of idle states in pipeline mode (Álvaro Herrera, Kyotaro Horiguchi)

    This fixes “message type 0x33 arrived from server while idle” warnings, as well as possible loss of end-of-query NULL results from PQgetResult().

  • Fix pg_upgrade to detect non-upgradable usages of functions taking anyarray (Justin Pryzby)

    Version 14 changed some built-in functions to take type anycompatiblearray instead of anyarray. While this is mostly transparent, user-defined aggregates and operators built atop these functions have to be declared with exactly matching types. The presence of an object referencing the old signature will cause pg_upgrade to fail, so change it to detect and report such cases before beginning the upgrade.

  • Fix possible report of wrong error condition after clone() failure in pg_upgrade with --clone option (Justin Pryzby)

  • In contrib/postgres_fdw, prevent batch insertion when there are WITH CHECK OPTION constraints (Etsuro Fujita)

    Such constraints cannot be checked properly if more than one row is inserted at a time.

  • Fix contrib/postgres_fdw to detect failure to send an asynchronous data fetch query (Fujii Masao)

  • Avoid using signalfd() on illumos systems (Thomas Munro)

    This appears to trigger hangs and kernel panics, so avoid the function until a fix is available.

• ⇑ Upgrade to 15 released on 2022-10-13 - docs

  • Remove PUBLIC creation permission on the public schema (Noah Misch)

    The new default is one of the secure schema usage patterns that Section 5.9.6 has recommended since the security release for CVE-2018-1058. The change applies to new database clusters and to newly-created databases in existing clusters. Upgrading a cluster or restoring a database dump will preserve public's existing permissions.

    For existing databases, especially those having multiple users, consider revoking CREATE permission on the public schema to adopt this new default. For new databases having no need to defend against insider threats, granting CREATE permission will yield the behavior of prior releases.

  • Change the owner of the public schema to be the new pg_database_owner role (Noah Misch)

    This allows each database's owner to have ownership privileges on the public schema within their database. Previously it was owned by the bootstrap superuser, so that non-superuser database owners could not do anything with it.

    This change applies to new database clusters and to newly-created databases in existing clusters. Upgrading a cluster or restoring a database dump will preserve public's existing ownership specification.

  • Remove long-deprecated exclusive backup mode (David Steele, Nathan Bossart)

    If the database server stops abruptly while in this mode, the server could fail to start. The non-exclusive backup mode is considered superior for all purposes. Functions pg_start_backup()/pg_stop_backup() have been renamed to pg_backup_start()/pg_backup_stop(), and the functions pg_backup_start_time() and pg_is_in_backup() have been removed.

  • Increase hash_mem_multiplier default to 2.0 (Peter Geoghegan)

    This allows query hash operations to use more work_mem memory than other operations.

  • Remove server-side language plpython2u and generic Python language plpythonu (Andres Freund)

    Python 2.x is no longer supported. While the original intent of plpythonu was that it could eventually refer to plpython3u, changing it now seems more likely to cause problems than solve them, so it's just been removed.

  • Generate an error if array_to_tsvector() is passed an empty-string array element (Jean-Christophe Arnu)

    This is prohibited because lexemes should never be empty. Users of previous Postgres releases should verify that no empty lexemes are stored because they can lead to dump/restore failures and inconsistent results.

  • Generate an error when chr() is supplied with a negative argument (Peter Eisentraut)

  • Prevent CREATE OR REPLACE VIEW from changing the collation of an output column (Tom Lane)

  • Disallow zero-length Unicode identifiers, e.g., U&"" (Peter Eisentraut)

    Non-Unicode zero-length identifiers were already disallowed.

  • Prevent numeric literals from having non-numeric trailing characters (Peter Eisentraut)

    Previously, query text like 123abc would be interpreted as 123 followed by a separate token abc.

  • Adjust JSON numeric literal processing to match the SQL/JSON-standard (Peter Eisentraut)

    This accepts numeric formats like .1 and 1., and disallows trailing junk after numeric literals, like 1.type().

  • When interval input provides a fractional value for a unit greater than months, round to the nearest month (Bruce Momjian)

    For example, convert 1.99 years to 2 years, not 1 year 11 months as before.

  • Improve consistency of interval parsing with trailing periods (Tom Lane)

    Numbers with trailing periods were rejected on some platforms.

  • Mark the interval output function as stable, not immutable, since it depends on IntervalStyle (Tom Lane)

    This will, for example, cause creation of indexes relying on the text output of interval values to fail.

  • Detect integer overflow in interval justification functions (Joe Koshakow)

    The affected functions are justify_interval(), justify_hours(), and justify_days().

  • Change the I/O format of type "char" for non-ASCII characters (Tom Lane)

    Bytes with the high bit set are now output as a backslash and three octal digits, to avoid encoding issues.

  • Remove the default ADMIN OPTION privilege a login role has on its own role membership (Robert Haas)

    Previously, a login role could add/remove members of its own role, even without ADMIN OPTION privilege.

  • Allow logical replication to run as the owner of the subscription (Mark Dilger)

    Because row-level security policies are not checked, only superusers, roles with bypassrls, and table owners can replicate into tables with row-level security policies.

  • Prevent UPDATE and DELETE logical replication operations on tables where the subscription owner does not have SELECT permission on the table (Jeff Davis)

    UPDATE and DELETE commands typically involve reading the table as well, so require the subscription owner to have table SELECT permission.

  • When EXPLAIN references the session's temporary object schema, refer to it as pg_temp (Amul Sul)

    Previously the actual schema name was reported, leading to inconsistencies across sessions.

  • Fix pg_statio_all_tables to sum values for the rare case of TOAST tables with multiple indexes (Andrei Zubkov)

    Previously such cases would show one row for each index.

  • Disallow setting custom options that match the name of an installed extension, but are not one of the extension's declared variables (Florin Irion, Tom Lane)

    This change causes any such pre-existing variables to be deleted during extension load, and then prevents new ones from being created later in the session. The intent is to prevent confusion about whether a variable is associated with an extension or not.

  • Remove obsolete server variable stats_temp_directory (Andres Freund, Kyotaro Horiguchi)

  • Improve the algorithm used to compute random() (Fabien Coelho)

    This will cause random()'s results to differ from what was emitted by prior versions, even for the same seed value.

  • libpq's PQsendQuery() function is no longer supported in pipeline mode (Álvaro Herrera)

    Applications that are using that combination will need to be modified to use PQsendQueryParams() instead.

  • On non-Windows platforms, consult the HOME environment variable to find the user's home directory (Anders Kaseorg)

    If HOME is empty or unset, fall back to the previous method of checking the <pwd.h> database. This change affects libpq (for example, while looking up ~/.pgpass) as well as various client application programs.

  • Remove pg_dump's --no-synchronized-snapshots option (Tom Lane)

    All still-supported server versions support synchronized snapshots, so there's no longer a need for this option.

  • After an error is detected in psql's --single-transaction mode, change the final COMMIT command to ROLLBACK only if ON_ERROR_STOP is set (Michael Paquier)

  • Avoid unnecessary casting of constants in queries sent by postgres_fdw (Dian Fay)

    When column types are intentionally different between local and remote databases, such casts could cause errors.

  • Remove xml2's xml_is_well_formed() function (Tom Lane)

    This function has been implemented in the core backend since Postgres 9.1.

  • Allow custom scan providers to indicate if they support projections (Sven Klemm)

    The default is now that custom scan providers are assumed to not support projections; those that do will need to be updated for this release.

  • Record and check the collation version of each database (Peter Eisentraut)

    This feature is designed to detect collation version changes to avoid index corruption. Function pg_database_collation_actual_version() reports the underlying operating system collation version, and ALTER DATABASE ... REFRESH sets the recorded database collation version to match the operating system collation version.

  • Allow ICU collations to be set as the default for clusters and databases (Peter Eisentraut)

    Previously, only libc-based collations could be selected at the cluster and database levels. ICU collations could only be used via explicit COLLATE clauses.

  • Add system view pg_ident_file_mappings to report pg_ident.conf information (Julien Rouhaud)

  • Improve planning time for queries referencing partitioned tables (David Rowley)

    This change helps when only a few of many partitions are relevant.

  • Allow ordered scans of partitions to avoid sorting in more cases (David Rowley)

    Previously, a partitioned table with a DEFAULT partition or a LIST partition containing multiple values could not be used for ordered partition scans. Now they can be used if such partitions are pruned during planning.

  • Improve foreign key behavior of updates on partitioned tables that move rows between partitions (Amit Langote)

    Previously, such updates ran a delete action on the source partition and an insert action on the target partition. PostgreSQL will now run an update action on the partition root, providing cleaner semantics.

  • Allow CLUSTER on partitioned tables (Justin Pryzby)

  • Fix ALTER TRIGGER RENAME on partitioned tables to properly rename triggers on all partitions (Arne Roland, Álvaro Herrera)

    Also prohibit cloned triggers from being renamed.

  • Allow btree indexes on system and TOAST tables to efficiently store duplicates (Peter Geoghegan)

    Previously de-duplication was disabled for these types of indexes.

  • Improve lookup performance of GiST indexes that were built using sorting (Aliaksandr Kalenik, Sergei Shoulbakov, Andrey Borodin)

  • Allow unique constraints and indexes to treat NULL values as not distinct (Peter Eisentraut)

    Previously NULL entries were always treated as distinct values, but this can now be changed by creating constraints and indexes using UNIQUE NULLS NOT DISTINCT.

  • Allow the ^@ starts-with operator and the starts_with() function to use btree indexes if using the C collation (Tom Lane)

    Previously these could only use SP-GiST indexes.

  • Allow extended statistics to record statistics for a parent with all its children (Tomas Vondra, Justin Pryzby)

    Regular statistics already tracked parent and parent-plus-all-children statistics separately.

  • Add server variable recursive_worktable_factor to allow the user to specify the expected size of the working table of a recursive query (Simon Riggs)

  • Allow hash lookup for NOT IN clauses with many constants (David Rowley, James Coleman)

    Previously the code always sequentially scanned the list of values.

  • Allow SELECT DISTINCT to be parallelized (David Rowley)

  • Speed up encoding validation of UTF-8 text by processing 16 bytes at a time (John Naylor, Heikki Linnakangas)

    This will improve text-heavy operations like COPY FROM.

  • Improve performance for sorts that exceed work_mem (Heikki Linnakangas)

    When the sort data no longer fits in work_mem, switch to a batch sorting algorithm that uses more output streams than before.

  • Improve performance and reduce memory consumption of in-memory sorts (Ronan Dunklau, David Rowley, Thomas Munro, John Naylor)

  • Allow WAL full page writes to use LZ4 and Zstandard compression (Andrey Borodin, Justin Pryzby)

    This is controlled by the wal_compression server setting.

  • Add support for writing WAL using direct I/O on macOS (Thomas Munro)

    This only works if max_wal_senders = 0 and wal_level = minimal.

  • Allow vacuum to be more aggressive in setting the oldest frozen and multi transaction id (Peter Geoghegan)

  • Allow a query referencing multiple foreign tables to perform parallel foreign table scans in more cases (Andrey Lepikhov, Etsuro Fujita)

  • Improve the performance of window functions that use row_number(), rank(), dense_rank() and count() (David Rowley)

  • Improve the performance of spinlocks on high-core-count ARM64 systems (Geoffrey Blake)

  • Enable default logging of checkpoints and slow autovacuum operations (Bharath Rupireddy)

    This changes the default of log_checkpoints to on and that of log_autovacuum_min_duration to 10 minutes. This will cause even an idle server to generate some log output, which might cause problems on resource-constrained servers without log file rotation. These defaults should be changed in such cases.

  • Generate progress messages in the server log during slow server starts (Nitin Jadhav, Robert Haas)

    The messages report the cause of the delay. The time interval for notification is controlled by the new server variable log_startup_progress_interval.

  • Store cumulative statistics system data in shared memory (Kyotaro Horiguchi, Andres Freund, Melanie Plageman)

    Previously this data was sent to a statistics collector process via UDP packets, and could only be read by sessions after transferring it via the file system. There is no longer a separate statistics collector process.

  • Add additional information to VACUUM VERBOSE and autovacuum logging messages (Peter Geoghegan)

  • Add EXPLAIN (BUFFERS) output for temporary file block I/O (Masahiko Sawada)

  • Allow log output in JSON format (Sehrope Sarkuni, Michael Paquier)

    The new setting is log_destination = jsonlog.

  • Allow pg_stat_reset_single_table_counters() to reset the counters of relations shared across all databases (Sadhuprasad Patro)

  • Add wait events for local shell commands (Fujii Masao)

    The new wait events are used when calling archive_command, archive_cleanup_command, restore_command and recovery_end_command.

  • Allow table accesses done by a view to optionally be controlled by privileges of the view's caller (Christoph Heiss)

    Previously, view accesses were always treated as being done by the view's owner. That's still the default.

  • Allow members of the pg_write_server_files predefined role to perform server-side base backups (Dagfinn Ilmari Mannsåker)

    Previously only superusers could perform such backups.

  • Allow GRANT to grant permissions to change individual server variables via SET and ALTER SYSTEM (Mark Dilger)

    The new function has_parameter_privilege() reports on this privilege.

  • Add predefined role pg_checkpoint that allows members to run CHECKPOINT (Jeff Davis)

    Previously checkpoints could only be run by superusers.

  • Allow members of the pg_read_all_stats predefined role to access the views pg_backend_memory_contexts and pg_shmem_allocations (Bharath Rupireddy)

    Previously these views could only be accessed by superusers.

  • Allow GRANT to grant permissions on pg_log_backend_memory_contexts() (Jeff Davis)

    Previously this function could only be run by superusers.

  • Add server variable shared_memory_size to report the size of allocated shared memory (Nathan Bossart)

  • Add server variable shared_memory_size_in_huge_pages to report the number of huge memory pages required (Nathan Bossart)

    This is only supported on Linux.

  • Honor server variable shared_preload_libraries in single-user mode (Jeff Davis)

    This change supports use of shared_preload_libraries to load custom access methods and WAL resource managers, which would be essential for database access even in single-user mode.

  • On Solaris, make the default setting of dynamic_shared_memory_type be sysv (Thomas Munro)

    The previous default choice, posix, can result in spurious failures on this platform.

  • Allow postgres -C to properly report runtime-computed values (Nathan Bossart)

    Previously runtime-computed values data_checksums, wal_segment_size, and data_directory_mode would report values that would not be accurate on the running server. However, this does not work on a running server.

  • Add support for LZ4 and Zstandard compression of server-side base backups (Jeevan Ladhe, Robert Haas)

  • Run the checkpointer and bgwriter processes during crash recovery (Thomas Munro)

    This helps to speed up long crash recoveries.

  • Allow WAL processing to pre-fetch needed file contents (Thomas Munro)

    This is controlled by the server variable recovery_prefetch.

  • Allow archiving via loadable modules (Nathan Bossart)

    Previously, archiving was only done by calling shell commands. The new server variable archive_library can be set to specify a library to be called for archiving.

  • No longer require IDENTIFY_SYSTEM to be run before START_REPLICATION (Jeff Davis)

  • Allow publication of all tables in a schema (Vignesh C, Hou Zhijie, Amit Kapila)

    For example, this syntax is now supported: CREATE PUBLICATION pub1 FOR TABLES IN SCHEMA s1,s2. ALTER PUBLICATION supports a similar syntax. Tables added later to the listed schemas will also be replicated.

  • Allow publication content to be filtered using a WHERE clause (Hou Zhijie, Euler Taveira, Peter Smith, Ajin Cherian, Tomas Vondra, Amit Kapila)

    Rows not satisfying the WHERE clause are not published.

  • Allow publication content to be restricted to specific columns (Tomas Vondra, Álvaro Herrera, Rahila Syed)

  • Allow skipping of transactions on a subscriber using ALTER SUBSCRIPTION ... SKIP (Masahiko Sawada)

  • Add support for prepared (two-phase) transactions to logical replication (Peter Smith, Ajin Cherian, Amit Kapila, Nikhil Sontakke, Stas Kelvich)

    The new CREATE_REPLICATION_SLOT option is called TWO_PHASE. pg_recvlogical now supports a new --two-phase option during slot creation.

  • Prevent logical replication of empty transactions (Ajin Cherian, Hou Zhijie, Euler Taveira)

    Previously, publishers would send empty transactions to subscribers if subscribed tables were not modified.

  • Add SQL functions to monitor the directory contents of logical replication slots (Bharath Rupireddy)

    The new functions are pg_ls_logicalsnapdir(), pg_ls_logicalmapdir(), and pg_ls_replslotdir(). They can be run by members of the predefined pg_monitor role.

  • Allow subscribers to stop the application of logical replication changes on error (Osumi Takamichi, Mark Dilger)

    This is enabled with the subscriber option disable_on_error and avoids possible infinite error loops during stream application.

  • Adjust subscriber server variables to match the publisher so datetime and float8 values are interpreted consistently (Japin Li)

    Some publishers might be relying on inconsistent behavior.

  • Add system view pg_stat_subscription_stats to report on subscriber activity (Masahiko Sawada)

    The new function pg_stat_reset_subscription_stats() allows resetting these statistics counters.

  • Suppress duplicate entries in the pg_publication_tables system view (Hou Zhijie)

    In some cases a partition could appear more than once.

  • Add SQL MERGE command to adjust one table to match another (Simon Riggs, Pavan Deolasee, Álvaro Herrera, Amit Langote)

    This is similar to INSERT ... ON CONFLICT but more batch-oriented.

  • Add support for HEADER option in COPY text format (Rémi Lapeyre)

    The new option causes the column names to be output, and optionally verified on input.

  • Add new WAL-logged method for database creation (Dilip Kumar)

    This is the new default method for copying the template database, as it avoids the need for checkpoints during database creation. However, it might be slow if the template database is large, so the old method is still available.

  • Allow CREATE DATABASE to set the database OID (Shruthi Gowda, Antonin Houska)

  • Prevent DROP DATABASE, DROP TABLESPACE, and ALTER DATABASE SET TABLESPACE from occasionally failing during concurrent use on Windows (Thomas Munro)

  • Allow foreign key ON DELETE SET actions to affect only specified columns (Paul Martinez)

    Previously, all of the columns in the foreign key were always affected.

  • Allow ALTER TABLE to modify a table's ACCESS METHOD (Justin Pryzby, Jeff Davis)

  • Properly call object access hooks when ALTER TABLE causes table rewrites (Michael Paquier)

  • Allow creation of unlogged sequences (Peter Eisentraut)

  • Track dependencies on individual columns in the results of functions returning composite types (Tom Lane)

    Previously, if a view or rule contained a reference to a specific column within the result of a composite-returning function, that was not noted as a dependency; the view or rule was only considered to depend on the composite type as a whole. This meant that dropping the individual column would be allowed, causing problems in later use of the view or rule. The column-level dependency is now also noted, so that dropping such a column will be rejected unless the view is changed or dropped.

  • Allow the scale of a numeric value to be negative, or greater than its precision (Dean Rasheed, Tom Lane)

    This allows rounding of values to the left of the decimal point, e.g., '1234'::numeric(4, -2) returns 1200.

  • Improve overflow detection when casting values to interval (Joe Koshakow)

  • Change the I/O format of type "char" for non-ASCII characters (Tom Lane)

  • Update the display width information of modern Unicode characters, like emojis (Jacob Champion)

    Also update from Unicode 5.0 to 14.0.0. There is now an automated way to keep Postgres updated with Unicode releases.

  • Add multirange input to range_agg() (Paul Jungwirth)

  • Add MIN() and MAX() aggregates for the xid8 data type (Ken Kato)

  • Add regular expression functions for compatibility with other relational systems (Gilles Darold, Tom Lane)

    The new functions are regexp_count(), regexp_instr(), regexp_like(), and regexp_substr(). Some new optional arguments were also added to regexp_replace().

  • Add the ability to compute the distance between polygons (Tom Lane)

  • Add to_char() format codes of, tzh, and tzm (Nitin Jadhav)

    The upper-case equivalents of these were already supported.

  • When applying AT TIME ZONE to a time with time zone value, use the transaction start time rather than wall clock time to determine whether DST applies (Aleksander Alekseev, Tom Lane)

    This allows the conversion to be considered stable rather than volatile, and it saves a kernel call per invocation.

  • Ignore NULL array elements in ts_delete() and setweight() functions with array arguments (Jean-Christophe Arnu)

    These functions effectively ignore empty-string array elements (since those could never match a valid lexeme). It seems consistent to let them ignore NULL elements too, instead of failing.

  • Add support for petabyte units to pg_size_pretty() and pg_size_bytes() (David Christensen)

  • Change pg_event_trigger_ddl_commands() to output references to other sessions' temporary schemas using the actual schema name (Tom Lane)

    Previously this function reported all temporary schemas as pg_temp, but it's misleading to use that for any but the current session's temporary schema.

  • Fix enforcement of PL/pgSQL variable CONSTANT markings (Tom Lane)

    Previously, a variable could be used as a CALL output parameter or refcursor OPEN variable despite being marked CONSTANT.

  • Allow IP address matching against a server certificate's Subject Alternative Name (Jacob Champion)

  • Allow PQsslAttribute() to report the SSL library type without requiring a libpq connection (Jacob Champion)

  • Change query cancellations sent by the client to use the same TCP settings as normal client connections (Jelte Fennema)

    This allows configured TCP timeouts to apply to query cancel connections.

  • Prevent libpq event callback failures from forcing an error result (Tom Lane)

  • Allow pgbench to retry after serialization and deadlock failures (Yugo Nagata, Marina Polyakova)

  • Improve performance of psql's \copy command, by sending data in larger chunks (Heikki Linnakangas)

  • Add \dconfig command to report server variables (Mark Dilger, Tom Lane)

    This is similar to the server-side SHOW command, but it can process patterns to show multiple variables conveniently.

  • Add \getenv command to assign the value of an environment variable to a psql variable (Tom Lane)

  • Add + option to the \lo_list and \dl commands to show large-object privileges (Pavel Luzanov)

  • Add a pager option for the \watch command (Pavel Stehule, Thomas Munro)

    This is only supported on Unix and is controlled by the PSQL_WATCH_PAGER environment variable.

  • Make psql include intra-query double-hyphen comments in queries sent to the server (Tom Lane, Greg Nancarrow)

    Previously such comments were removed from the query before being sent. Double-hyphen comments that are before any query text are not sent, and are not recorded as separate psql history entries.

  • Adjust psql so that Readline's meta-# command will insert a double-hyphen comment marker (Tom Lane)

    Previously a pound marker was inserted, unless the user had taken the trouble to configure a non-default comment marker.

  • Make psql output all results when multiple queries are passed to the server at once (Fabien Coelho)

    Previously, only the last query result was displayed. The old behavior can be restored by setting the SHOW_ALL_RESULTS psql variable to off.

  • After an error is detected in --single-transaction mode, change the final COMMIT command to ROLLBACK only if ON_ERROR_STOP is set (Michael Paquier)

    Previously, detection of an error in a -c command or -f script file would lead to issuing ROLLBACK at the end, regardless of the value of ON_ERROR_STOP.

  • Improve psql's tab completion (Shinya Kato, Dagfinn Ilmari Mannsåker, Peter Smith, Koyu Tanigawa, Ken Kato, David Fetter, Haiying Tang, Peter Eisentraut, Álvaro Herrera, Tom Lane, Masahiko Sawada)

  • Limit support of psql's backslash commands to servers running PostgreSQL 9.2 or later (Tom Lane)

    Remove code that was only used when running with an older server. Commands that do not require any version-specific adjustments compared to 9.2 will still work.

  • Make pg_dump dump public schema ownership changes and security labels (Noah Misch)

  • Improve performance of dumping databases with many objects (Tom Lane)

    This will also improve the performance of pg_upgrade.

  • Improve parallel pg_dump's performance for tables with large TOAST tables (Tom Lane)

  • Add dump/restore option --no-table-access-method to force restore to only use the default table access method (Justin Pryzby)

  • Limit support of pg_dump and pg_dumpall to servers running PostgreSQL 9.2 or later (Tom Lane)

  • Add new pg_basebackup option --target to control the base backup location (Robert Haas)

    The new options are server to write the backup locally and blackhole to discard the backup (for testing).

  • Allow pg_basebackup to do server-side gzip, LZ4, and Zstandard compression and client-side LZ4 and Zstandard compression of base backup files (Dipesh Pandit, Jeevan Ladhe)

    Client-side gzip compression was already supported.

  • Allow pg_basebackup to compress on the server side and decompress on the client side before storage (Dipesh Pandit)

    This is accomplished by specifying compression on the server side and plain output format.

  • Allow pg_basebackup's --compress option to control the compression location (server or client), compression method, and compression options (Michael Paquier, Robert Haas)

  • Add the LZ4 compression method to pg_receivewal (Georgios Kokolatos)

    This is enabled via --compress=lz4 and requires binaries to be built using --with-lz4.

  • Add additional capabilities to pg_receivewal's --compress option (Georgios Kokolatos)

  • Improve pg_receivewal's ability to restart at the proper WAL location (Ronan Dunklau)

    Previously, pg_receivewal would start based on the WAL file stored in the local archive directory, or at the sending server's current WAL flush location. With this change, if the sending server is running Postgres 15 or later, the local archive directory is empty, and a replication slot is specified, the replication slot's restart point will be used.

  • Add pg_rewind option --config-file to simplify use when server configuration files are stored outside the data directory (Gunnar Bluth)

  • Store pg_upgrade's log and temporary files in a subdirectory of the new cluster called pg_upgrade_output.d (Justin Pryzby)

    Previously such files were left in the current directory, requiring manual cleanup. Now they are automatically removed on successful completion of pg_upgrade.

  • Disable default status reporting during pg_upgrade operation if the output is not a terminal (Andres Freund)

    The status reporting output can be enabled for non-tty usage by using --verbose.

  • Make pg_upgrade report all databases with invalid connection settings (Jeevan Ladhe)

    Previously only the first database with an invalid connection setting was reported.

  • Make pg_upgrade preserve tablespace and database OIDs, as well as relation relfilenode numbers (Shruthi Gowda, Antonin Houska)

  • Add a --no-sync option to pg_upgrade (Michael Paquier)

    This is recommended only for testing.

  • Limit support of pg_upgrade to old servers running PostgreSQL 9.2 or later (Tom Lane)

  • Allow pg_waldump output to be filtered by relation file node, block number, fork number, and full page images (David Christensen, Thomas Munro)

  • Make pg_waldump report statistics before an interrupted exit (Bharath Rupireddy)

    For example, issuing a control-C in a terminal running pg_waldump --stats --follow will report the current statistics before exiting. This does not work on Windows.

  • Improve descriptions of some transaction WAL records reported by pg_waldump (Masahiko Sawada, Michael Paquier)

  • Allow pg_waldump to dump information about multiple resource managers (Heikki Linnakangas)

    This is enabled by specifying the --rmgr option multiple times.

  • Add documentation for pg_encoding_to_char() and pg_char_to_encoding() (Ian Lawrence Barwick)

  • Document the ^@ starts-with operator (Tom Lane)

  • Add support for continuous integration testing using cirrus-ci (Andres Freund, Thomas Munro, Melanie Plageman)

  • Add configure option --with-zstd to enable Zstandard builds (Jeevan Ladhe, Robert Haas, Michael Paquier)

  • Add an ABI identifier field to the magic block in loadable libraries, allowing non-community PostgreSQL distributions to identify libraries that are not compatible with other builds (Peter Eisentraut)

    An ABI field mismatch will generate an error at load time.

  • Create a new pg_type.typcategory value for "char" (Tom Lane)

    Some other internal-use-only types have also been assigned to this category.

  • Add new protocol message TARGET to specify a new COPY method to be used for base backups (Robert Haas)

    pg_basebackup now uses this method.

  • Add new protocol message COMPRESSION and COMPRESSION_DETAIL to specify the compression method and options (Robert Haas)

  • Remove server support for old BASE_BACKUP command syntax and base backup protocol (Robert Haas)

  • Add support for extensions to set custom backup targets (Robert Haas)

  • Allow extensions to define custom WAL resource managers (Jeff Davis)

  • Add function pg_settings_get_flags() to get the flags of server variables (Justin Pryzby)

  • On Windows, export all the server's global variables using PGDLLIMPORT markers (Robert Haas)

    Previously, only specific variables were accessible to extensions on Windows.

  • Require GNU make version 3.81 or later to build PostgreSQL (Tom Lane)

  • Require OpenSSL to build the pgcrypto extension (Peter Eisentraut)

  • Require Perl version 5.8.3 or later (Dagfinn Ilmari Mannsåker)

  • Require Python version 3.2 or later (Andres Freund)

  • Allow amcheck to check sequences (Mark Dilger)

  • Improve amcheck sanity checks for TOAST tables (Mark Dilger)

  • Add new module basebackup_to_shell as an example of a custom backup target (Robert Haas)

  • Add new module basic_archive as an example of performing archiving via a library (Nathan Bossart)

  • Allow btree_gist indexes on boolean columns (Emre Hasegeli)

    These can be used for exclusion constraints.

  • Fix pageinspect's page_header() to handle 32-kilobyte page sizes (Quan Zongliang)

    Previously, improper negative values could be returned in certain cases.

  • Add counters for temporary file block I/O to pg_stat_statements (Masahiko Sawada)

  • Add JIT counters to pg_stat_statements (Magnus Hagander)

  • Add new module pg_walinspect (Bharath Rupireddy)

    This gives SQL-level output similar to pg_waldump.

  • Indicate the permissive/enforcing state in sepgsql log messages (Dave Page)

  • Allow postgres_fdw to push down CASE expressions (Alexander Pyhalov)

  • Add server variable postgres_fdw.application_name to control the application name of postgres_fdw connections (Hayato Kuroda)

    Previously the remote session's application_name could only be set on the remote server or via a postgres_fdw connection specification. postgres_fdw.application_name supports some escape sequences for customization, making it easier to tell such connections apart on the remote server.

  • Allow parallel commit on postgres_fdw servers (Etsuro Fujita)

    This is enabled with the CREATE SERVER option parallel_commit.

• ⇑ Upgrade to 15.1 released on 2022-11-10 - docs

  • Fix failure to remove non-first segments of large tables (Tom Lane)

    PostgreSQL splits large tables into multiple files (normally with 1GB per file). The logic for dropping a table was broken and would miss removing all but the first such file, in two cases: drops of temporary tables and WAL replay of drops of regular tables. Applications that routinely create multi-gigabyte temporary tables could suffer significant disk space leakage.

    Orphaned temporary-table files are removed during postmaster start, so the mere act of updating to 15.1 is sufficient to clear any leaked temporary-table storage. However, if you suffered any database crashes while using 15.0, and there might have been large tables dropped just before such crashes, it's advisable to check the database directories for files named according to the pattern NNNN.NN. If there is no matching file named just NNNN (without the .NN suffix), these files should be removed manually.

  • Avoid failure in EXPLAIN VERBOSE for a query using SEARCH BREADTH FIRST with constant initial values (Tom Lane)

  • Prevent use of MERGE on a partitioned table with foreign-table partitions (Álvaro Herrera)

    The case isn't supported, and previously threw an incomprehensible error.

  • Fix construction of per-partition foreign key constraints while doing ALTER TABLE ATTACH PARTITION (Jehan-Guillaume de Rorthais, Álvaro Herrera)

    Previously, incorrect or duplicate constraints could be constructed for the newly-added partition.

  • Fix planner failure with extended statistics on partitioned or inherited tables (Richard Guo, Justin Pryzby)

    Some cases failed with “cache lookup failed for statistics object”.

  • Prevent attempts to replicate into a foreign-table partition in replication workers (Shi Yu, Tom Lane)

    Although partitioned tables can have foreign tables as partitions, replicating into such a partition isn't currently supported. The logical replication worker process would crash if it was attempted. Now, an error is thrown.

  • Avoid double call of the shutdown callback of an archiver module (Nathan Bossart, Bharath Rupireddy)

  • Add plan-time check for attempted access to a table that has no table access method (Tom Lane)

    This prevents a crash in some catalog-corruption scenarios, for example use of a view whose ON SELECT rule is missing.

  • In libpq, handle single-row mode correctly when pipelining (Denis Laxalde)

    The single-row flag was not reset at the correct time if pipeline mode was also active.

  • Fix psql's exit status when a command-line query is canceled (Peter Eisentraut)

    psql -c query would exit successfully if the query was canceled. Fix it to exit with nonzero status, as in other error cases.

  • Fix pg_dump's failure to dump comments attached to some CHECK constraints (Tom Lane)

  • Fix CREATE DATABASE to allow its oid parameter to exceed 2³¹ (Tom Lane)

    This oversight prevented pg_upgrade from succeeding when the source installation contained databases with OIDs larger than that.

  • Fix incompatibilities with LLVM 15 (Thomas Munro, Andres Freund)

  • Avoid using sprintf, to avoid compile-time deprecation warnings (Tom Lane)

• ⇑ Upgrade to 15.2 released on 2023-02-09 - docs

  • libpq can leak memory contents after GSSAPI transport encryption initiation fails (Jacob Champion)

    A modified server, or an unauthenticated man-in-the-middle, can send a not-zero-terminated error message during setup of GSSAPI (Kerberos) transport encryption. libpq will then copy that string, as well as following bytes in application memory up to the next zero byte, to its error report. Depending on what the calling application does with the error report, this could result in disclosure of application memory contents. There is also a small probability of a crash due to reading beyond the end of memory. Fix by properly zero-terminating the server message. (CVE-2022-41862)

  • Fix calculation of which GENERATED columns need to be updated in child tables during an UPDATE on a partitioned table or inheritance tree (Amit Langote, Tom Lane)

    This fixes failure to update GENERATED columns that do not exist in the parent table, or that have different dependencies than are in the parent column's generation expression.

  • Fix possible failure of MERGE to compute GENERATED columns (Dean Rasheed)

    When the first row-level action of the MERGE was an UPDATE, any subsequent INSERT actions would fail to compute GENERATED columns that were deemed unnecessary to compute for the UPDATE action (due to not depending on any of the UPDATE target columns).

  • Fix MERGE's check for unreachable WHEN clauses (Dean Rasheed)

    A WHEN clause following an unconditional WHEN clause should be rejected as unreachable, but this case was not always detected.

  • Fix MERGE's rule-detection test (Dean Rasheed)

    MERGE is not supported on tables with rules; but it also failed on tables that once had rules but no longer do.

  • In MERGE, don't count a DO NOTHING action as a processed tuple (Álvaro Herrera)

    This makes the code's behavior match the documentation.

  • Allow a WITH RECURSIVE ... CYCLE CTE to access its output column (Tom Lane)

    A reference to the SET column from within the CTE would fail with “cache lookup failed for type 0”.

  • Fix handling of pending inserts when doing a bulk insertion to a foreign table (Etsuro Fujita)

    In some cases pending insertions were not flushed to the FDW soon enough, leading to logical inconsistencies, for example BEFORE ROW triggers not seeing rows they should be able to see.

  • Allow REPLICA IDENTITY to be set on an index that's not (yet) valid (Tom Lane)

    When pg_dump dumps a partitioned index that's marked REPLICA IDENTITY, it generates a command sequence that applies REPLICA IDENTITY before the partitioned index has been marked valid, causing restore to fail. There seems no very good reason to prohibit doing it in that order, so allow it. The marking will have no effect anyway until the index becomes valid.

  • Fix handling of DEFAULT markers in rules that perform an INSERT from a multi-row VALUES list (Dean Rasheed)

    In some cases a DEFAULT marker would not get replaced with the proper default-value expression, leading to an “unrecognized node type” error.

  • Reject uses of undefined variables in jsonpath existence checks (Alexander Korotkov, David G. Johnston)

    While jsonpath match operators threw an error for an undefined variable in the path pattern, the existence operators silently treated it as a match.

  • Fix jsonb subscripting to cope with toasted subscript values (Tom Lane, David G. Johnston)

    Using a text value fetched directly from a table as a jsonb subscript was likely to fail. Fetches would usually not find any matching element. Assignments could store the value with a garbage key, although keys long enough to cause that problem are probably rare in the field.

  • Fix edge-case data corruption in parallel hash joins (Dmitry Astapov)

    If the final chunk of a large tuple being written out to a temporary file was exactly 32760 bytes, it would be corrupted due to a fencepost bug. The query would typically fail later with corrupted-data symptoms.

  • Honor non-default settings of checkpoint_completion_target (Bharath Rupireddy)

    Internal state was not updated after a change in checkpoint_completion_target, possibly resulting in performing checkpoint I/O faster or slower than desired, especially if that setting was changed on-the-fly.

  • Log the correct ending timestamp in recovery_target_xid mode (Tom Lane)

    When ending recovery based on the recovery_target_xid setting with recovery_target_inclusive = off, we printed an incorrect timestamp (always 2000-01-01) in the “recovery stopping before ... transaction” log message.

  • Improve error reporting for some buffered file read failures (Peter Eisentraut)

    Correctly report a short read, giving the numbers of bytes desired and actually read, instead of reporting an irrelevant error code. Most places got this right already, but some recently-written replication logic did not.

  • Remove arbitrary limit on number of elements in int2vector and oidvector (Tom Lane)

    The input functions for these types previously rejected more than 100 elements. With the introduction of the logical replication column list feature, it's necessary to accept int2vectors having up to 1600 columns, otherwise long column lists cause logical-replication failures.

  • In extended query protocol, avoid an immediate commit after ANALYZE if we're running a pipeline (Tom Lane)

    If there's not been an explicit BEGIN TRANSACTION, ANALYZE would take it on itself to commit, which should not happen within a pipelined series of commands.

  • Reject cancel request packets having the wrong length (Andrey Borodin)

    The server would process a cancel request even if its length word was too small. This led to reading beyond the end of the allocated buffer. In theory that could cause a segfault, but it seems quite unlikely to happen in practice, since the buffer would have to be very close to the end of memory. The more likely outcome was a bogus log message about wrong backend PID or cancel code. Complain about the wrong length, instead.

  • Fix planner preprocessing oversights for window function run-condition expressions (Richard Guo, David Rowley)

    This could lead to planner errors such as “WindowFunc not found in subplan target lists”.

  • Fix possible dangling-pointer access during execution of window function run-condition expressions (David Rowley)

    In practice, because the run-condition optimization is only applied to certain window functions that happen to all return int8, this only manifested as a problem on 32-bit builds.

  • Add recursion and looping defenses in subquery pullup (Tom Lane)

    A contrived query can result in deep recursion and unreasonable amounts of time spent trying to flatten subqueries. A proper fix for that seems unduly invasive for a back-patch, but we can at least add stack depth checks and an interrupt check to allow the query to be cancelled.

  • Fix planner issues when combining Memoize nodes with partitionwise joins or parameterized nestloops (Richard Guo)

    These errors could lead to not using Memoize in contexts where it would be useful, or possibly to wrong query plans.

  • Fix partitionwise-join code to tolerate failure to produce a plan for each partition (Tom Lane)

    This could result in “could not devise a query plan for the given query” errors.

  • Limit the amount of cleanup work done by get_actual_variable_range (Simon Riggs)

    Planner runs occurring just after deletion of a large number of tuples appearing at the end of an index could expend significant amounts of work setting the “killed” bits for those index entries. Limit the amount of work done in any one query by giving up on this process after examining 100 heap pages. All the cleanup will still happen eventually, but without so large a performance hiccup.

  • Prevent the statistics machinery from getting confused when a relation's relkind changes (Andres Freund)

    Converting a table to a view could lead to crashes or assertion failures.

  • Fix under-parenthesized display of AT TIME ZONE constructs (Tom Lane)

    This could result in dump/restore failures for rules or views in which an argument of AT TIME ZONE is itself an expression.

  • Prevent clobbering of cached parsetrees for utility statements in SQL functions (Tom Lane, Daniel Gustafsson)

    If a SQL-language function executes the same utility command more than once within a single calling query, it could crash or report strange errors such as “unrecognized node type”.

  • Ensure that execution of full-text-search queries can be cancelled while they are performing phrase matches (Tom Lane)

  • Fix memory leak in hashing strings with nondeterministic collations (Jeff Davis)

  • Fix deadlock between DROP DATABASE and logical replication worker process (Hou Zhijie)

    This was caused by an ill-advised choice to block interrupts while creating a logical replication slot in the worker. In version 15 that could lead to an undetected deadlock. In version 14, no deadlock has been observed, but it's still a bad idea to block interrupts while waiting for network I/O.

  • Clean up the libpq connection object after a failed replication connection attempt (Andres Freund)

    The previous coding leaked the connection object. In background code paths that's pretty harmless because the calling process will give up and exit. But in commands such as CREATE SUBSCRIPTION, such a failure resulted in a small session-lifespan memory leak.

  • In hot-standby servers, reduce processing effort for tracking XIDs known to be active on the primary (Simon Riggs, Michail Nikolaev)

    Insufficiently-aggressive cleanup of the KnownAssignedXids array could lead to poor performance, particularly when max_connections is set to a large value on the standby.

  • Ignore invalidated logical-replication slots while determining oldest catalog xmin (Sirisha Chamarthi)

    A replication slot could prevent cleanup of dead tuples in the system catalogs even after it becomes invalidated due to exceeding max_slot_wal_keep_size. Thus, failure of a replication consumer could lead to indefinitely-large catalog bloat.

  • In logical decoding, notify the remote node when a transaction is detected to have crashed (Hou Zhijie)

    After a server restart, we'll re-stream the changes for transactions occurring shortly before the restart. Some of these transactions probably never completed; when we realize that one didn't we throw away the relevant decoding state locally, but we neglected to tell the subscriber about it. That led to the subscriber keeping useless streaming files until it's next restarted.

  • Fix uninitialized-memory usage in logical decoding (Masahiko Sawada)

    In certain cases, resumption of logical decoding could try to re-use XID data that had already been freed, leading to unpredictable behavior.

  • Acquire spinlock while updating shared state during logical decoding context creation (Masahiko Sawada)

    We neglected to acquire the appropriate lock while updating data about two-phase transactions, potentially allowing other processes to see inconsistent data.

  • Fix pgoutput replication plug-in to not send columns not listed in a table's replication column list (Hou Zhijie)

    UPDATE and DELETE events did not pay attention to the configured column list, thus sending more data than expected. This did not cause a problem when the receiver is our built-in logical replication code, but it might confuse other receivers, and in any case it wasted network bandwidth.

  • Avoid rare “failed to acquire cleanup lock” panic during WAL replay of hash-index page split operations (Robert Haas)

  • Advance a heap page's LSN when setting its all-visible bit during WAL replay (Jeff Davis)

    Failure to do this left the page possibly different on standby servers than the primary, and violated some other expectations about when the LSN changes. This seems only a theoretical hazard so far as PostgreSQL itself is concerned, but it could upset third-party tools.

  • Fix int64_div_fast_to_numeric() to work for a wider range of inputs (Dean Rasheed)

    This function misbehaved with some values of its second argument. No such usages exist in core PostgreSQL, but it's clearly a hazard for external modules, so repair.

  • Fix latent buffer-overrun problem in WaitEventSet logic (Thomas Munro)

    The epoll-based and kqueue-based implementations could ask the kernel for too many events if the size of their internal buffer was different from the size of the caller's output buffer. That case is not known to occur in released PostgreSQL versions, but this error is a hazard for external modules and future bug fixes.

  • Avoid nominally-undefined behavior when accessing shared memory in 32-bit builds (Andres Freund)

    clang's undefined-behavior sanitizer complained about use of a pointer that was less aligned than it should be. It's very unlikely that this would cause a problem in non-debug builds, but it's worth fixing for testing purposes.

  • Fix assertion failure in BRIN minmax-multi opclasses (Tomas Vondra)

    The assertion was overly strict, so this mistake was harmless in non-assert builds.

  • Remove faulty assertion in useless-RESULT-RTE optimization logic (Tom Lane)

  • Fix copy-and-paste errors in cache-lookup-failure messages for ACL checks (Justin Pryzby)

    In principle these errors should never be reached. But if they are, some of them reported the wrong type of object.

  • Fix possible corruption of very large tablespace map files in pg_basebackup (Antonin Houska)

  • Avoid harmless warning from pg_dump in --if-exists mode (Tom Lane)

    If the public schema has a non-default owner then use of pg_dump's --if-exists option resulted in a warning message “warning: could not find where to insert IF EXISTS in statement "-- *not* dropping schema, since initdb creates it"”. The dump output was okay, though.

  • Fix psql's \sf and \ef commands to handle SQL-language functions that have SQL-standard function bodies (Tom Lane)

    These commands misidentified the start of the function body when it used new-style syntax.

  • Fix tab completion of ALTER FUNCTION/PROCEDURE/ROUTINE ... SET SCHEMA (Dean Rasheed)

  • Update contrib/pageinspect to mark its disk-accessing functions as PARALLEL RESTRICTED (Tom Lane)

    This avoids possible failure if one of these functions is used to examine a temporary table, since a session's temporary tables are not accessible from parallel workers.

  • Fix contrib/seg to not crash or print garbage if an input number has more than 127 digits (Tom Lane)

  • Fix build on Microsoft Visual Studio 2013 (Tom Lane)

    A previous patch supposed that all platforms of interest have snprintf(), but MSVC 2013 isn't quite there yet. Revert to using sprintf() on that platform.

  • Fix compile failure in building PL/Perl with MSVC when using Strawberry Perl (Andrew Dunstan)

  • Fix mismatch of PL/Perl built with MSVC versus a Perl library built with gcc (Andrew Dunstan)

    Such combinations could previously fail with “loadable library and perl binaries are mismatched” errors.

  • Suppress compiler warnings from Perl's header files (Andres Freund)

    Our preferred compiler options provoke warnings about constructs appearing in recent versions of Perl's header files. When using gcc, we can suppress these warnings with a pragma.

  • Fix pg_waldump to build on compilers that don't discard unused static-inline functions (Tom Lane)

  • Update time zone data files to tzdata release 2022g for DST law changes in Greenland and Mexico, plus historical corrections for northern Canada, Colombia, and Singapore.

    Notably, a new timezone America/Ciudad_Juarez has been split off from America/Ojinaga.

• ⇑ Upgrade to 15.3 released on 2023-05-11 - docs

  • Prevent CREATE SCHEMA from defeating changes in search_path (Alexander Lakhin)

    Within a CREATE SCHEMA command, objects in the prevailing search_path, as well as those in the newly-created schema, would be visible even within a called function or script that attempted to set a secure search_path. This could allow any user having permission to create a schema to hijack the privileges of a security definer function or extension script.

    The PostgreSQL Project thanks Alexander Lakhin for reporting this problem. (CVE-2023-2454)

  • Enforce row-level security policies correctly after inlining a set-returning function (Stephen Frost, Tom Lane)

    If a set-returning SQL-language function refers to a table having row-level security policies, and it can be inlined into a calling query, those RLS policies would not get enforced properly in some cases involving re-using a cached plan under a different role. This could allow a user to see or modify rows that should have been invisible.

    The PostgreSQL Project thanks Wolfgang Walther for reporting this problem. (CVE-2023-2455)

  • Fix potential corruption of the template (source) database after CREATE DATABASE with the STRATEGY WAL_LOG option (Nathan Bossart, Ryo Matsumura)

    Improper buffer handling created a risk that any later modification of the template's pg_class catalog would be lost.

  • Fix memory leakage and unnecessary disk reads during CREATE DATABASE with the STRATEGY WAL_LOG option (Andres Freund)

  • Avoid crash when the new schema name is omitted in CREATE SCHEMA (Michael Paquier)

    The SQL standard allows writing CREATE SCHEMA AUTHORIZATION owner_name, with the schema name defaulting to owner_name. However some code paths expected the schema name to be present and would fail.

  • Fix various planner failures with MERGE commands (Tom Lane)

    Planning could fail with errors like “variable not found in subplan target list” or “PlaceHolderVar found where not expected”.

  • Fix the row count reported by MERGE for some corner cases (Dean Rasheed)

    The row count reported in the command tag counted rows that actually hadn't been modified due to a BEFORE ROW trigger returning NULL. This is inconsistent with what happens in plain UPDATE or DELETE, so change it to not count such rows. Also, avoid counting a row twice when MERGE moves it into a different partition of a partitioned table.

  • Fix MERGE problems with concurrent updates (Dean Rasheed, Álvaro Herrera)

    Some cases misbehaved if a row to be updated or deleted by MERGE had just been updated by a concurrent transaction. This could lead to a crash, or the wrong merge action being executed, or no action at all.

  • Add support for decompiling MERGE commands (Álvaro Herrera)

    This was overlooked when MERGE was added, but it's essential support for MERGE in new-style SQL functions.

  • Fix enabling/disabling of foreign-key triggers in partitioned tables (Tom Lane)

    ALTER TABLE ... ENABLE/DISABLE TRIGGER failed if applied to a partitioned table's foreign-key enforcement triggers, because it tried to locate the clone triggers for the partitions by name, and they do not have the same name. Locate them by parent-trigger OID instead.

  • Disallow altering composite types that are stored in indexes (Tom Lane)

    ALTER TYPE disallows non-binary-compatible modifications of composite types if they are stored in any table columns. (Perhaps that will be allowed someday, but it hasn't happened yet; the locking implications of rewriting many tables are daunting.) We overlooked the possibility that an index might contain a composite type that doesn't also appear in its table.

  • Disallow system columns as elements of foreign keys (Tom Lane)

    Since the removal of OID as a system column, there is no plausible use-case for this, and various bits of code no longer support it. Disallow it rather than trying to fix all the cases.

  • Ensure that COPY TO from an RLS-enabled parent table does not copy any rows from child tables (Antonin Houska)

    The documentation is quite clear that COPY TO copies rows from only the named table, not any inheritance children it may have. However, if row-level security was enabled on the table then this stopped being true.

  • Avoid possible crash when array_position() or array_positions() is passed an empty array (Tom Lane)

  • Fix possible out-of-bounds fetch in to_char() (Tom Lane)

    With bad luck this could have resulted in a server crash.

  • Avoid buffer overread in translate() function (Daniil Anisimov)

    When using the deletion feature, the function might fetch the byte just after the input string, creating a small risk of crash.

  • Adjust text-search-related character classification logic to correctly detect whether the prevailing locale is C (Jeff Davis)

    This code got confused if the database's default collation uses ICU.

  • Avoid possible crash on empty input for type interval (Tom Lane)

  • Re-allow exponential notation in ISO-8601 interval fields (Tom Lane)

    Interval input like P0.1e10D isn't officially sanctioned by ISO-8601, but we accepted it for a long time before version 15, so re-allow it.

  • Fix error cursor setting for parse errors in JSON string literals (Tom Lane)

    Most cases in which a syntax error is detected in a string literal within a JSON value failed to set the error cursor appropriately. This led at least to an unhelpful error message (pointing to the token before the string, rather than the actual trouble spot), and could even result in a crash in v14 and later.

  • Fix data corruption due to vacuum_defer_cleanup_age being larger than the current 64-bit xid (Andres Freund)

    In v14 and later with non-default settings of vacuum_defer_cleanup_age, it was possible to compute a very large vacuum cleanup horizon xid, leading to vacuum removing rows that are still live. v12 and v13 have a lesser form of the same problem affecting only GiST indexes, which could lead to index pages getting recycled too early.

  • Fix parser's failure to detect some cases of improperly-nested aggregates (Tom Lane)

    This oversight could lead to executor failures for queries that should have been rejected as invalid.

  • Fix data structure corruption during parsing of serial SEQUENCE NAME options (David Rowley)

    This can lead to trouble if an event trigger captures the corrupted parse tree.

  • Correctly update plan nodes' parallel-safety markings when moving initplans from one node to another (Tom Lane)

    This planner oversight could lead to “subplan was not initialized” errors at runtime.

  • Avoid failure with PlaceHolderVars in extended-statistics code (Tom Lane)

    Use of dependency-type extended statistics could fail with “PlaceHolderVar found where not expected”.

  • Fix incorrect tests for whether a qual clause applied to a subquery can be transformed into a window aggregate “run condition” within the subquery (David Rowley)

    A SubPlan within such a clause would cause assertion failures or incorrect answers, as would some other unusual cases.

  • Disable the inverse-transition optimization for window aggregates when the call contains sub-SELECTs (David Rowley)

    This optimization requires that the aggregate's argument expressions have repeatable results, which might not hold for a sub-SELECT.

  • Fix oversights in execution of nested ARRAY[] constructs (Alexander Lakhin, Tom Lane)

    Correctly detect overflow of the total space needed for the result array, avoiding a possible crash due to undersized output allocation. Also ensure that any trailing padding space in the result array is zeroed; while leaving garbage there is harmless for most purposes, it can result in odd behavior later.

  • Prevent crash when updating a field within an array-of-domain-over-composite-type column (Dmitry Dolgov)

  • Fix partition pruning logic for partitioning on boolean columns (David Rowley)

    Pruning with a condition like boolcol IS NOT TRUE was done incorrectly, leading to possibly not returning rows in which boolcol is NULL. Also, the rather unlikely case of partitioning on NOT boolcol was handled incorrectly.

  • Fix race condition in per-batch cleanup during parallel hash join (Thomas Munro, Melanie Plageman)

    A crash was possible given unlucky timing and parallel_leader_participation = off (which is not the default).

  • Recalculate GENERATED columns after an EvalPlanQual check (Tom Lane)

    In READ COMMITTED isolation mode, the effects of a row update might need to get reapplied to a newer version of the row than the query found originally. If so, we need to recompute any GENERATED columns, in case they depend on columns that were changed by the concurrent update.

  • Fix memory leak in Memoize plan execution (David Rowley)

  • Fix buffer refcount leak when using batched inserts for a foreign table included in a partitioned tree (Alexander Pyhalov)

  • Restore support for sub-millisecond vacuum_cost_delay settings (Thomas Munro)

  • Don't balance vacuum cost delay when a table has a per-relation vacuum_cost_delay setting of zero (Masahiko Sawada)

    Delay balancing is supposed to be disabled whenever autovacuum is processing a table with a per-relation vacuum_cost_delay setting, but this was done only for positive settings, not zero.

  • Repair rare failure of MULTIEXPR_SUBLINK subplans in partitioned updates (Andres Freund, Tom Lane)

    Use of the syntax INSERT ... ON CONFLICT DO UPDATE SET (c1, ...) = (SELECT ...) with a partitioned target table could result in failure if any child table is dissimilar from the parent (for example, different physical column order). This typically manifested as failure of consistency checks in the executor; but a crash or incorrect data updates are also possible.

  • Fix handling of DEFAULT markers within a multi-row INSERT ... VALUES query on a view that has a DO ALSO INSERT ... SELECT rule (Dean Rasheed)

    Such cases typically failed with “unrecognized node type” errors or assertion failures.

  • Support references to OLD and NEW within subqueries in rule actions (Dean Rasheed, Tom Lane)

    Such references are really lateral references, but the server could crash if the subquery wasn't explicitly marked with LATERAL. Arrange to do that implicitly when necessary.

  • When decompiling a rule or SQL function body containing INSERT/UPDATE/DELETE within WITH, take care to print the correct alias for the target table (Tom Lane)

  • Fix glitches in SERIALIZABLE READ ONLY optimization (Thomas Munro)

    Transactions already marked as “doomed” confused the safe-snapshot optimization for SERIALIZABLE READ ONLY transactions. The optimization was unnecessarily skipped in some cases. In other cases an assertion failure occurred (but there was no problem in non-assert builds).

  • Avoid leaking cache callback slots in the pgoutput logical decoding plugin (Shi Yu)

    Multiple cycles of starting up and shutting down the plugin within a single session would eventually lead to an “out of relcache_callback_list slots” error.

  • Avoid unnecessary calls to custom validators for index operator class options (Alexander Korotkov)

    This change fixes some cases where an unexpected error was thrown.

  • Avoid useless work while scanning a multi-column BRIN index with multiple scan keys (Tomas Vondra)

    The existing code effectively considered only the last scan key while deciding whether a range matched, thus usually scanning more of the index than it needed to.

  • Fix netmask handling in BRIN inet_minmax_multi_ops opclass (Tomas Vondra)

    This error triggered an assertion failure in assert-enabled builds, but is mostly harmless in production builds.

  • Fix dereference of dangling pointer during buffering build of a GiST index (Alexander Lakhin)

    This error seems to usually be harmless in production builds, as the fetched value is noncritical; but in principle it could cause a server crash.

  • Ignore dropped columns and generated columns during logical replication of an update or delete action (Onder Kalaci, Shi Yu)

    Replication with the REPLICA IDENTITY FULL option failed if the table contained such columns.

  • Correct the name of the wait event for SLRU buffer I/O for commit timestamps (Alexander Lakhin)

    This wait event is named CommitTsBuffer according to the documentation, but the code had it as CommitTSBuffer. Change the code to match the documentation, as that way is more consistent with the naming of related wait events.

  • Re-activate reporting of wait event SLRUFlushSync (Thomas Munro)

    Reporting of this type of wait was accidentally removed in code refactoring.

  • Avoid possible underflow when calculating how many WAL segments to keep (Kyotaro Horiguchi)

    This could result in not honoring wal_keep_size accurately.

  • Disable startup progress reporting overhead in standby mode (Bharath Rupireddy)

    In standby mode, we don't actually report progress of recovery, but we were doing work to track it anyway.

  • Support RSA-PSS certificates with SCRAM-SHA-256 channel binding (Jacob Champion, Heikki Linnakangas)

    This feature requires building with OpenSSL 1.1.1 or newer. Both the server and libpq are affected.

  • Avoid race condition with process ID tracking on Windows (Thomas Munro)

    The operating system could recycle a PID before the postmaster observed that that child process was gone. This could lead to tracking more than one child with the same PID, resulting in confusion.

  • Fix list_copy_head() to work correctly on an empty List (David Rowley)

    This case is not known to be reached by any core PostgreSQL code, but extensions might rely on it working.

  • Add missing cases to SPI_result_code_string() (Dean Rasheed)

  • Fix erroneous Valgrind markings in AllocSetRealloc() (Karina Litskevich)

    In the unusual case where the size of a large (>8kB) palloc chunk is decreased, a Valgrind-aware build would mismark the defined-ness state of the memory released from the chunk, possibly causing incorrect results during Valgrind testing.

  • Fix assertion failure for MERGE into a partitioned table with row-level security enabled (Dean Rasheed)

  • Avoid assertion failure when decoding a transactional logical replication message (Tomas Vondra)

  • Avoid locale sensitivity when processing regular expression escapes (Jeff Davis)

    A backslash followed by a non-ASCII character could sometimes cause an assertion failure, depending on the prevailing locale.

  • Avoid trying to write an empty WAL record in log_newpage_range() when the last few pages in the specified range are empty (Matthias van de Meent)

    It is not entirely clear whether this case is reachable in released branches, but if it is then an assertion failure could occur.

  • Fix session-lifespan memory leakage in plpgsql DO blocks that use cast expressions (Ajit Awekar, Tom Lane)

  • Tighten array dimensionality checks when converting Perl list structures to multi-dimensional SQL arrays (Tom Lane)

    plperl could misbehave when the nesting of sub-lists is inconsistent so that the data does not represent a rectangular array of values. Such cases now produce errors, but previously they could result in a crash or garbage output.

  • Tighten array dimensionality checks when converting Python list structures to multi-dimensional SQL arrays (Tom Lane)

    plpython could misbehave when dealing with empty sub-lists, or when the nesting of sub-lists is inconsistent so that the data does not represent a rectangular array of values. The former should result in an empty output array, and the latter in an error. But some cases resulted in a crash, and others in unexpected output.

  • Fix unwinding of exception stack in plpython (Xing Guo)

    Some rare failure cases could return without cleaning up the PG_TRY exception stack, risking a crash if another error was raised before the next stack level was unwound.

  • Fix inconsistent GSS-encryption error handling in libpq's PQconnectPoll() (Michael Paquier)

    With gssencmode set to require, the connection was not marked dead after a GSS initialization failure. Make it fail immediately, as the equivalent case for TLS encryption has long done.

  • Fix possible data corruption in ecpg programs built with the -C ORACLE option (Kyotaro Horiguchi)

    When ecpg_get_data() is called with varcharsize set to zero, it could write a terminating zero character into the last byte of the preceding field, truncating the data in that field.

  • Fix pg_dump so that partitioned tables that are hash-partitioned on an enum-type column can be restored successfully (Tom Lane)

    Since the hash codes for enum values depend on the OIDs assigned to the enum, they are typically different after a dump and restore, meaning that rows often need to go into a different partition than they were in originally. Users can work around that by specifying the --load-via-partition-root option; but since there is very little chance of success without that, teach pg_dump to apply it automatically to such tables.

    Also, fix pg_restore to not try to TRUNCATE target tables before restoring into them when --load-via-partition-root mode is used. This avoids a hazard of deadlocks and lost data.

  • Correctly detect non-seekable files on Windows (Juan José Santamaría Flecha, Michael Paquier, Daniel Watzinger)

    This bug led to misbehavior when pg_dump writes to a pipe or pg_restore reads from one.

  • In pgbench's “prepared” mode, prepare all the commands in a pipeline before starting the pipeline (Álvaro Herrera)

    This avoids a failure when a pgbench script tries to start a serializable transaction inside a pipeline.

  • In contrib/amcheck's heap checking code, deal correctly with tuples having zero xmin or xmax (Robert Haas)

  • In contrib/amcheck, deal sanely with xids that appear to be before epoch zero (Andres Freund)

    In cases of corruption we might see a wrapped-around 32-bit xid that appears to be before the first xid epoch. Promoting such a value to 64-bit form produced a value far in the future, resulting in wrong reports. Return FirstNormalFullTransactionId in such cases so that things work reasonably sanely.

  • In contrib/basebackup_to_shell, properly detect failure to open a pipe (Robert Haas)

  • In contrib/hstore_plpython, avoid crashing if the Python value to be transformed isn't a mapping (Dmitry Dolgov, Tom Lane)

    This should give an error, but Python 3 changed some APIs in a way that caused the check to misbehave, allowing a crash to ensue.

  • Require the siglen option of a GiST index on an ltree column, if specified, to be a multiple of 4 (Alexander Korotkov)

    Other values result in misaligned accesses to index content, which is harmless on Intel-compatible hardware but can cause a crash on some other architectures.

  • In contrib/pageinspect, add defenses against incorrect input for the gist_page_items() function (Dmitry Koval)

  • Fix misbehavior in contrib/pg_trgm with an unsatisfiable regular expression (Tom Lane)

    A regex such as $foo is legal but unsatisfiable; the regex compiler recognizes that and produces an empty NFA graph. Attempting to optimize such a graph into a pg_trgm GIN or GiST index qualification resulted in accessing off the end of a work array, possibly leading to crashes.

  • Fix handling of escape sequences in contrib/postgres_fdw's application_name parameter (Kyotaro Horiguchi, Michael Paquier)

    The code to expand these could fail if executed in a background process, as for example during auto-analyze of a foreign table.

  • In contrib/pg_walinspect, limit memory usage of pg_get_wal_records_info() (Bharath Rupireddy)

  • Use the --strip-unneeded option when stripping static libraries with GNU-compatible strip (Tom Lane)

    Previously, make install-strip used the -x option in this case. This change avoids misbehavior of llvm-strip, and gives slightly smaller output as well.

  • Stop recommending auto-download of DTD files for building the documentation, and indeed disable it (Aleksander Alekseev, Peter Eisentraut, Tom Lane)

    It appears no longer possible to build the SGML documentation without a local installation of the DocBook DTD files. Formerly xsltproc could download those files on-the-fly from sourceforge.net; but sourceforge.net now permits only HTTPS access, and no common version of xsltproc supports that. Hence, remove the bits of our documentation suggesting that that's possible or useful, and instead add xsltproc's --nonet option to the build recipes.

  • When running TAP tests in PGXS builds, use a saner location for the temporary portlock directory (Peter Eisentraut)

    Place it under tmp_check in the build directory. With the previous coding, a PGXS build would try to place it in the installation directory, which is not necessarily writable.

  • Update time zone data files to tzdata release 2023c for DST law changes in Egypt, Greenland, Morocco, and Palestine.

    When observing Moscow time, Europe/Kirov and Europe/Volgograd now use the abbreviations MSK/MSD instead of numeric abbreviations, for consistency with other timezones observing Moscow time. Also, America/Yellowknife is no longer distinct from America/Edmonton; this affects some pre-1948 timestamps in that area.

• ⇑ Upgrade to 15.4 released on 2023-08-10 - docs

  • Disallow substituting a schema or owner name into an extension script if the name contains a quote, backslash, or dollar sign (Noah Misch)

    This restriction guards against SQL-injection hazards for trusted extensions.

    The PostgreSQL Project thanks Micah Gate, Valerie Woolard, Tim Carey-Smith, and Christoph Berg for reporting this problem. (CVE-2023-39417)

  • Fix MERGE to enforce row security policies properly (Dean Rasheed)

    When MERGE performs an UPDATE action, it should enforce any UPDATE or SELECT RLS policies defined on the target table, to be consistent with the way that a plain UPDATE with a WHERE clause works. Instead it was enforcing INSERT RLS policies for both INSERT and UPDATE actions.

    In addition, when MERGE performs a DO NOTHING action, it applied the target table's DELETE RLS policies to existing rows, even though those rows are not being deleted. While it's not a security problem, this could result in unwanted errors.

    The PostgreSQL Project thanks Dean Rasheed for reporting this problem. (CVE-2023-39418)

  • Fix confusion between empty (no rows) ranges and all-NULL ranges in BRIN indexes, as well as incorrect merging of all-NULL summaries (Tomas Vondra)

    Each of these oversights could result in forgetting that a BRIN index range contains any NULL values, potentially allowing subsequent queries that should return NULL values to miss doing so.

    This fix will not in itself correct faulty BRIN entries. It's recommended to REINDEX any BRIN indexes that may be used to search for nulls.

  • Avoid leaving a corrupted database behind when DROP DATABASE is interrupted (Andres Freund)

    If DROP DATABASE was interrupted after it had already begun taking irreversible steps, the target database remained accessible (because the removal of its pg_database row would roll back), but it would have corrupt contents. Fix by marking the database as inaccessible before we begin to perform irreversible operations. A failure after that will leave the database still partially present, but nothing can be done with it except to issue another DROP DATABASE.

  • Ensure that partitioned indexes are correctly marked as valid or not at creation (Michael Paquier)

    If a new partitioned index matches an existing but invalid index on one of the partitions, the partitioned index could end up being marked valid prematurely. This could lead to misbehavior or assertion failures in subsequent queries on the partitioned table.

  • Ignore invalid child indexes when matching partitioned indexes to child indexes during ALTER TABLE ATTACH PARTITION (Michael Paquier)

    Such an index will now be ignored, and a new child index created instead.

  • Fix possible failure when marking a partitioned index valid after all of its partitions have been attached (Michael Paquier)

    The update of the index's pg_index entry could use stale data for other columns. One reported symptom is an “attempted to update invisible tuple” error.

  • Fix ALTER EXTENSION SET SCHEMA to complain if the extension contains any objects outside the extension's schema (Michael Paquier, Heikki Linnakangas)

    Erroring out if the extension contains objects in multiple schemas was always intended; but the check was mis-coded so that it would fail to detect some cases, leading to surprising behavior.

  • Fix tracking of tables' access method dependencies (Michael Paquier)

    ALTER TABLE ... SET ACCESS METHOD failed to update relevant pg_depend entries when changing a table's access method. When using non-built-in access methods, this creates a risk that an access method could be dropped even though tables still depend on it. This fix corrects the logic in ALTER TABLE, but it will not adjust any already-missing pg_depend entries.

  • Don't use partial unique indexes for uniqueness proofs in the planner (David Rowley)

    This could give rise to incorrect plans, since the presumed uniqueness of rows read from a table might not hold if the index in question isn't used to scan the table.

  • Don't Memoize lateral joins with volatile join conditions (Richard Guo)

    Applying Memoize to a sub-plan that contains volatile filter conditions is likely to lead to wrong answers. The check to avoid doing this missed some cases that can arise when using LATERAL.

  • Avoid producing incorrect plans for foreign joins with pseudoconstant join clauses (Etsuro Fujita)

    The planner currently lacks support for attaching pseudoconstant join clauses to a pushed-down remote join, so disable generation of remote joins in such cases. (A better solution will require ABI-breaking changes of planner data structures, so it will have to wait for a future major release.)

  • Correctly handle sub-SELECTs in RLS policy expressions and security-barrier views when expanding rule actions (Tom Lane)

  • Fix race conditions in conflict detection for SERIALIZABLE isolation mode (Thomas Munro)

    Conflicts could be missed when using bitmap heap scans, when using GIN indexes, and when examining an initially-empty btree index. All these cases could lead to serializability failures due to improperly allowing conflicting transactions to commit.

  • Fix misbehavior of EvalPlanQual checks with inherited or partitioned target tables (Tom Lane)

    This oversight could lead to update or delete actions in READ COMMITTED isolation mode getting performed when they should have been skipped because of a conflicting concurrent update.

  • Fix hash join with an inner-side hash key that contains Params coming from an outer nested loop (Tom Lane)

    When rescanning the join after the values of such Params have changed, we must rebuild the hash table, but neglected to do so. This could result in missing join output rows.

  • Fix intermittent failures when trying to update a field of a composite column (Tom Lane)

    If the overall value of the composite column is wide enough to require out-of-line toasting, then an unluckily-timed cache flush could cause errors or server crashes.

  • Prevent query-lifespan memory leaks in some UPDATE queries with triggers (Tomas Vondra)

  • Prevent query-lifespan memory leaks when an Incremental Sort plan node is rescanned (James Coleman, Laurenz Albe, Tom Lane)

  • Accept fractional seconds in the input to jsonpath's datetime() method (Tom Lane)

  • Prevent stack-overflow crashes with very complex text search patterns (Tom Lane)

  • Allow tokens up to 10240 bytes long in pg_hba.conf and pg_ident.conf (Tom Lane)

    The previous limit of 256 bytes has been found insufficient for some use-cases.

  • Ensure that all existing placeholders are checked for matches when an extension declares its GUC prefix to be reserved (Karina Litskevich, Ekaterina Sokolova)

    Faulty loop logic could cause some entries to be skipped.

  • Fix mishandling of C++ out-of-memory conditions (Heikki Linnakangas)

    If JIT is in use, running out of memory in a C++ new call would lead to a PostgreSQL FATAL error, instead of the expected C++ exception.

  • Fix rare null-pointer crash in plancache.c (Tom Lane)

  • Avoid leaking a stats entry for a subscription when it is dropped (Masahiko Sawada)

  • Avoid losing track of possibly-useful shared memory segments when a page free results in coalescing ranges of free space (Dongming Liu)

    Ensure that the segment is moved into the appropriate “bin” for its new amount of free space, so that it will be found by subsequent searches.

  • Allow VACUUM to continue after detecting certain types of b-tree index corruption (Peter Geoghegan)

    If an invalid sibling-page link is detected, log the issue and press on, rather than throwing an error as before. Nothing short of REINDEX will fix the broken index, but preventing VACUUM from completing until that is done risks making matters far worse.

  • Ensure that WrapLimitsVacuumLock is released after VACUUM detects invalid data in pg_database.datfrozenxid or pg_database.datminmxid (Andres Freund)

    Failure to release this lock could lead to a deadlock later, although the lock would be cleaned up if the session exits or encounters some other error.

  • Avoid double replay of prepared transactions during crash recovery (suyu.cmj, Michael Paquier)

    After a crash partway through a checkpoint with some two-phase transaction state data already flushed to disk by this checkpoint, crash recovery could attempt to replay the prepared transaction(s) twice, leading to a fatal error such as “lock is already held” in the startup process.

  • Ensure that a newly created, but still empty table is fsync'ed at the next checkpoint (Heikki Linnakangas)

    Without this, if there is an operating system crash causing the empty file to disappear, subsequent operations on the table might fail with “could not open file” errors.

  • Ensure that creation of the init fork of an unlogged index is WAL-logged (Heikki Linnakangas)

    While an unlogged index's main data fork is not WAL-logged, its init fork should be, to ensure that we have a consistent state to restore the index to after a crash. This step was missed if the init fork contains no data, which is a case not used by any standard index AM; but perhaps some extension behaves that way.

  • Silence bogus “missing contrecord” errors (Thomas Munro)

    Treat this case as plain end-of-WAL to avoid logging inaccurate complaints from pg_waldump and walsender.

  • Fix overly strict assertion in jsonpath code (David Rowley)

    This assertion failed if a query applied the .type() operator to a like_regex result. There was no bug in non-assert builds.

  • Avoid assertion failure when processing an empty statement via the extended query protocol in an already-aborted transaction (Tom Lane)

  • Avoid assertion failure when the stats_fetch_consistency setting is changed intra-transaction (Kyotaro Horiguchi)

  • Fix contrib/fuzzystrmatch's Soundex difference() function to handle empty input sanely (Alexander Lakhin, Tom Lane)

    An input string containing no alphabetic characters resulted in unpredictable output.

  • Tighten whitespace checks in contrib/hstore input (Evan Jones)

    In some cases, characters would be falsely recognized as whitespace and hence discarded.

  • Disallow oversize input arrays with contrib/intarray's gist__int_ops index opclass (Ankit Kumar Pandey, Alexander Lakhin)

    Previously this code would report a NOTICE but press on anyway, creating an invalid index entry that presents a risk of crashes when the index is read.

  • Avoid useless double decompression of GiST index entries in contrib/intarray (Konstantin Knizhnik, Matthias van de Meent, Tom Lane)

  • Fix contrib/pageinspect's gist_page_items() function to work when there are included index columns (Alexander Lakhin, Michael Paquier)

    Previously, if the index has included columns, gist_page_items() would fail to display those values on index leaf pages, or crash outright on non-leaf pages.

  • In psql, ignore the PSQL_WATCH_PAGER environment variable when stdin/stdout are not a terminal (Tom Lane)

    This corresponds to the treatment of PSQL_PAGER in commands besides \watch.

  • Fix pg_dump to correctly handle new-style SQL-language functions whose bodies require parse-time dependencies on unique indexes (Tom Lane)

    Such cases can arise from GROUP BY and ON CONFLICT clauses, for example. The function must then be postponed until after the unique index in the dump output, but pg_dump did not do that and instead printed a warning about “could not resolve dependency loop”.

  • Improve pg_dump's display of details about dependency-loop problems (Tom Lane)

  • Avoid crash in pgbench with an empty pipeline and prepared mode (Álvaro Herrera)

  • Ensure that pg_index.indisreplident is kept up-to-date in relation cache entries (Shruthi Gowda)

    This value could be stale in some cases. There is no core code that relies on the relation cache's copy, so this is only a latent bug as far as Postgres itself is concerned; but there may be extensions for which it is a live bug.

  • Fix make_etags script to work with non-Exuberant ctags (Masahiko Sawada)

• ⇑ Upgrade to 16 released on 2023-09-14 - docs

  • Change assignment rules for PL/pgSQL bound cursor variables (Tom Lane)

    Previously, the string value of such variables was set to match the variable name during cursor assignment; now it will be assigned during OPEN, and will not match the variable name. To restore the previous behavior, assign the desired portal name to the cursor variable before OPEN.

  • Disallow NULLS NOT DISTINCT indexes for primary keys (Daniel Gustafsson)

  • Change REINDEX DATABASE and reindexdb to not process indexes on system catalogs (Simon Riggs)

    Processing such indexes is still possible using REINDEX SYSTEM and reindexdb --system.

  • Tighten GENERATED expression restrictions on inherited and partitioned tables (Amit Langote, Tom Lane)

    Columns of parent/partitioned and child/partition tables must all have the same generation status, though now the actual generation expressions can be different.

  • Remove pg_walinspect functions pg_get_wal_records_info_till_end_of_wal() and pg_get_wal_stats_till_end_of_wal() (Bharath Rupireddy)

  • Rename server variable force_parallel_mode to debug_parallel_query (David Rowley)

  • Remove the ability to create views manually with ON SELECT rules (Tom Lane)

  • Remove the server variable vacuum_defer_cleanup_age (Andres Freund)

    This has been unnecessary since hot_standby_feedback and replication slots were added.

  • Remove server variable promote_trigger_file (Simon Riggs)

    This was used to promote a standby to primary, but is now easier accomplished with pg_ctl promote or pg_promote().

  • Remove read-only server variables lc_collate and lc_ctype (Peter Eisentraut)

    Collations and locales can vary between databases so having them as read-only server variables was unhelpful.

  • Role inheritance now controls the default inheritance status of member roles added during GRANT (Robert Haas)

    The role's default inheritance behavior can be overridden with the new GRANT ... WITH INHERIT clause. This allows inheritance of some roles and not others because the members' inheritance status is set at GRANT time. Previously the inheritance status of member roles was controlled only by the role's inheritance status, and changes to a role's inheritance status affected all previous and future member roles.

  • Restrict the privileges of CREATEROLE and its ability to modify other roles (Robert Haas)

    Previously roles with CREATEROLE privileges could change many aspects of any non-superuser role. Such changes, including adding members, now require the role requesting the change to have ADMIN OPTION permission. For example, they can now change the CREATEDB, REPLICATION, and BYPASSRLS properties only if they also have those permissions.

  • Remove symbolic links for the postmaster binary (Peter Eisentraut)

  • Allow incremental sorts in more cases, including DISTINCT (David Rowley)

  • Add the ability for aggregates having ORDER BY or DISTINCT to use pre-sorted data (David Rowley)

    The new server variable enable_presorted_aggregate can be used to disable this.

  • Allow memoize atop a UNION ALL (Richard Guo)

  • Allow anti-joins to be performed with the non-nullable input as the inner relation (Richard Guo)

  • Allow parallelization of FULL and internal right OUTER hash joins (Melanie Plageman, Thomas Munro)

  • Improve the accuracy of GIN index access optimizer costs (Ronan Dunklau)

  • Allow more efficient addition of heap and index pages (Andres Freund)

  • During non-freeze operations, perform page freezing where appropriate (Peter Geoghegan)

    This makes full-table freeze vacuums less necessary.

  • Allow window functions to use the faster ROWS mode internally when RANGE mode is active but unnecessary (David Rowley)

  • Allow optimization of always-increasing window functions ntile(), cume_dist() and percent_rank() (David Rowley)

  • Allow aggregate functions string_agg() and array_agg() to be parallelized (David Rowley)

  • Improve performance by caching RANGE and LIST partition lookups (Amit Langote, Hou Zhijie, David Rowley)

  • Allow control of the shared buffer usage by vacuum and analyze (Melanie Plageman)

    The VACUUM/ANALYZE option is BUFFER_USAGE_LIMIT, and the vacuumdb option is --buffer-usage-limit. The default value is set by server variable vacuum_buffer_usage_limit, which also controls autovacuum.

  • Support wal_sync_method=fdatasync on Windows (Thomas Munro)

  • Allow HOT updates if only BRIN-indexed columns are updated (Matthias van de Meent, Josef Simanek, Tomas Vondra)

  • Improve the speed of updating the process title (David Rowley)

  • Allow xid/subxid searches and ASCII string detection to use vector operations (Nathan Bossart, John Naylor)

    ASCII detection is particularly useful for COPY FROM. Vector operations are also used for some C array searches.

  • Reduce overhead of memory allocations (Andres Freund, David Rowley)

  • Add system view pg_stat_io view to track I/O statistics (Melanie Plageman)

  • Record statistics on the last sequential and index scans on tables (Dave Page)

    This information appears in pg_stat_*_tables and pg_stat_*_indexes.

  • Record statistics on the occurrence of updated rows moving to new pages (Corey Huinker)

    The pg_stat_*_tables column is n_tup_newpage_upd.

  • Add speculative lock information to the pg_locks system view (Masahiko Sawada, Noriyoshi Shinoda)

    The transaction id is displayed in the transactionid column and the speculative insertion token is displayed in the objid column.

  • Add the display of prepared statement result types to the pg_prepared_statements view (Dagfinn Ilmari Mannsåker)

  • Create subscription statistics entries at subscription creation time so stats_reset is accurate (Andres Freund)

    Previously entries were created only when the first statistics were reported.

  • Correct the I/O accounting for temp relation writes shown in pg_stat_database (Melanie Plageman)

  • Add function pg_stat_get_backend_subxact() to report on a session's subtransaction cache (Dilip Kumar)

  • Have pg_stat_get_backend_idset(), pg_stat_get_backend_activity(), and related functions use the unchanging backend id (Nathan Bossart)

    Previously the index values might change during the lifetime of the session.

  • Report stand-alone backends with a special backend type (Melanie Plageman)

  • Add wait event SpinDelay to report spinlock sleep delays (Andres Freund)

  • Create new wait event DSMAllocate to indicate waiting for dynamic shared memory allocation (Thomas Munro)

    Previously this type of wait was reported as DSMFillZeroWrite, which was also used by mmap() allocations.

  • Add the database name to the process title of logical WAL senders (Tatsuhiro Nakamori)

    Physical WAL senders do not display a database name.

  • Add checkpoint and REDO LSN information to log_checkpoints messages (Bharath Rupireddy, Kyotaro Horiguchi)

  • Provide additional details during client certificate failures (Jacob Champion)

  • Add predefined role pg_create_subscription with permission to create subscriptions (Robert Haas)

  • Allow subscriptions to not require passwords (Robert Haas)

    This is accomplished with the option password_required=false.

  • Simplify permissions for LOCK TABLE (Jeff Davis)

    Previously a user's ability to perform LOCK TABLE at various lock levels was limited to the lock levels required by the commands they had permission to execute on the table. For example, someone with UPDATE permission could perform all lock levels except ACCESS SHARE, even though it was a lesser lock level. Now users can issue lesser lock levels if they already have permission for greater lock levels.

  • Allow GRANT group_name TO user_name to be performed with ADMIN OPTION (Robert Haas)

    Previously CREATEROLE permission was required.

  • Allow GRANT to use WITH ADMIN TRUE/FALSE syntax (Robert Haas)

    Previously only the WITH ADMIN OPTION syntax was supported.

  • Allow roles that create other roles to automatically inherit the new role's rights or the ability to SET ROLE to the new role (Robert Haas, Shi Yu)

    This is controlled by server variable createrole_self_grant.

  • Prevent users from changing the default privileges of non-inherited roles (Robert Haas)

    This is now only allowed for inherited roles.

  • When granting role membership, require the granted-by role to be a role that has appropriate permissions (Robert Haas)

    This is a requirement even when a non-bootstrap superuser is granting role membership.

  • Allow non-superusers to grant permissions using a granted-by user that is not the current user (Robert Haas)

    The current user still must have sufficient permissions given by the specified granted-by user.

  • Add GRANT to control permission to use SET ROLE (Robert Haas)

    This is controlled by a new GRANT ... SET option.

  • Add dependency tracking to roles which have granted privileges (Robert Haas)

    For example, removing ADMIN OPTION will fail if there are privileges using that option; CASCADE must be used to revoke dependent permissions.

  • Add dependency tracking of grantors for GRANT records (Robert Haas)

    This guarantees that pg_auth_members.grantor values are always valid.

  • Allow multiple role membership records (Robert Haas)

    Previously a new membership grant would remove a previous matching membership grant, even if other aspects of the grant did not match.

  • Prevent removal of superuser privileges for the bootstrap user (Robert Haas)

    Restoring such users could lead to errors.

  • Allow makeaclitem() to accept multiple privilege names (Robins Tharakan)

    Previously only a single privilege name, like SELECT, was accepted.

  • Add support for Kerberos credential delegation (Stephen Frost)

    This is enabled with server variable gss_accept_delegation and libpq connection parameter gssdelegation.

  • Allow the SCRAM iteration count to be set with server variable scram_iterations (Daniel Gustafsson)

  • Improve performance of server variable management (Tom Lane)

  • Tighten restrictions on which server variables can be reset (Masahiko Sawada)

    Previously, while certain variables, like transaction_isolation, were not affected by RESET ALL, they could be individually reset in inappropriate situations.

  • Move various postgresql.conf items into new categories (Shinya Kato)

    This also affects the categories displayed in the pg_settings view.

  • Prevent configuration file recursion beyond 10 levels (Julien Rouhaud)

  • Allow autovacuum to more frequently honor changes to delay settings (Melanie Plageman)

    Rather than honor changes only at the start of each relation, honor them at the start of each block.

  • Remove restrictions that archive files be durably renamed (Nathan Bossart)

    The archive_command command is now more likely to be called with already-archived files after a crash.

  • Prevent archive_library and archive_command from being set at the same time (Nathan Bossart)

    Previously archive_library would override archive_command.

  • Allow the postmaster to terminate children with an abort signal (Tom Lane)

    This allows collection of a core dump for a stuck child process. This is controlled by send_abort_for_crash and send_abort_for_kill. The postmaster's -T switch is now the same as setting send_abort_for_crash.

  • Remove the non-functional postmaster -n option (Tom Lane)

  • Allow the server to reserve backend slots for roles with pg_use_reserved_connections membership (Nathan Bossart)

    The number of reserved slots is set by server variable reserved_connections.

  • Allow huge pages to work on newer versions of Windows 10 (Thomas Munro)

    This adds the special handling required to enable huge pages on newer versions of Windows 10.

  • Add debug_io_direct setting for developer usage (Thomas Munro, Andres Freund, Bharath Rupireddy)

    While primarily for developers, wal_sync_method=open_sync/open_datasync has been modified to not use direct I/O with wal_level=minimal; this is now enabled with debug_io_direct=wal.

  • Add function pg_split_walfile_name() to report the segment and timeline values of WAL file names (Bharath Rupireddy)

  • Add support for regular expression matching on database and role entries in pg_hba.conf (Bertrand Drouvot)

    Regular expression patterns are prefixed with a slash. Database and role names that begin with slashes need to be double-quoted if referenced in pg_hba.conf.

  • Improve user-column handling of pg_ident.conf to match pg_hba.conf (Jelte Fennema)

    Specifically, add support for all, role membership with +, and regular expressions with a leading slash. Any user name that matches these patterns must be double-quoted.

  • Allow include files in pg_hba.conf and pg_ident.conf (Julien Rouhaud)

    These are controlled by include, include_if_exists, and include_dir. System views pg_hba_file_rules and pg_ident_file_mappings now display the file name.

  • Allow pg_hba.conf tokens to be of unlimited length (Tom Lane)

  • Add rule and map numbers to the system view pg_hba_file_rules (Julien Rouhaud)

  • Determine the default encoding from the locale when using ICU (Jeff Davis)

    Previously the default was always UTF-8.

  • Have CREATE DATABASE and CREATE COLLATION's LOCALE options, and initdb and createdb --locale options, control non-libc collation providers (Jeff Davis)

    Previously they only controlled libc providers.

  • Add predefined collations unicode and ucs_basic (Peter Eisentraut)

    This only works if ICU support is enabled.

  • Allow custom ICU collation rules to be created (Peter Eisentraut)

    This is done using CREATE COLLATION's new RULES clause, as well as new options for CREATE DATABASE, createdb, and initdb.

  • Allow Windows to import system locales automatically (Juan José Santamaría Flecha)

    Previously, only ICU locales could be imported on Windows.

  • Allow logical decoding on standbys (Bertrand Drouvot, Andres Freund, Amit Khandekar)

    Snapshot WAL records are required for logical slot creation but cannot be created on standbys. To avoid delays, the new function pg_log_standby_snapshot() allows creation of such records.

  • Add server variable to control how logical decoding publishers transfer changes and how subscribers apply them (Shi Yu)

    The variable is debug_logical_replication_streaming.

  • Allow logical replication initial table synchronization to copy rows in binary format (Melih Mutlu)

    This is only possible for subscriptions marked as binary.

  • Allow parallel application of logical replication (Hou Zhijie, Wang Wei, Amit Kapila)

    The CREATE SUBSCRIPTION STREAMING option now supports parallel to enable application of large transactions by parallel workers. The number of parallel workers is controlled by the new server variable max_parallel_apply_workers_per_subscription. Wait events LogicalParallelApplyMain, LogicalParallelApplyStateChange, and LogicalApplySendData were also added. Column leader_pid was added to system view pg_stat_subscription to track parallel activity.

  • Improve performance for logical replication apply without a primary key (Onder Kalaci, Amit Kapila)

    Specifically, REPLICA IDENTITY FULL can now use btree indexes rather than sequentially scanning the table to find matches.

  • Allow logical replication subscribers to process only changes that have no origin (Vignesh C, Amit Kapila)

    This can be used to avoid replication loops. This is controlled by the new CREATE SUBSCRIPTION ... ORIGIN option.

  • Perform logical replication SELECT and DML actions as the table owner (Robert Haas)

    This improves security and now requires subscription owners to be either superusers or to have SET ROLE permission on all roles owning tables in the replication set. The previous behavior of performing all operations as the subscription owner can be enabled with the subscription run_as_owner option.

  • Have wal_retrieve_retry_interval operate on a per-subscription basis (Nathan Bossart)

    Previously the retry time was applied globally. This also adds wait events >LogicalRepLauncherDSA and LogicalRepLauncherHash.

  • Add EXPLAIN option GENERIC_PLAN to display the generic plan for a parameterized query (Laurenz Albe)

  • Allow a COPY FROM value to map to a column's DEFAULT (Israel Barth Rubio)

  • Allow COPY into foreign tables to add rows in batches (Andrey Lepikhov, Etsuro Fujita)

    This is controlled by the postgres_fdw option batch_size.

  • Allow the STORAGE type to be specified by CREATE TABLE (Teodor Sigaev, Aleksander Alekseev)

    Previously only ALTER TABLE could control this.

  • Allow truncate triggers on foreign tables (Yugo Nagata)

  • Allow VACUUM and vacuumdb to only process TOAST tables (Nathan Bossart)

    This is accomplished by having VACUUM turn off PROCESS_MAIN or by vacuumdb using the --no-process-main option.

  • Add VACUUM options to skip or update all frozen statistics (Tom Lane, Nathan Bossart)

    The options are SKIP_DATABASE_STATS and ONLY_DATABASE_STATS.

  • Change REINDEX DATABASE and REINDEX SYSTEM to no longer require an argument (Simon Riggs)

    Previously the database name had to be specified.

  • Allow CREATE STATISTICS to generate a statistics name if none is specified (Simon Riggs)

  • Allow non-decimal integer literals (Peter Eisentraut)

    For example, 0x42F, 0o273, and 0b100101.

  • Allow NUMERIC to process hexadecimal, octal, and binary integers of any size (Dean Rasheed)

    Previously only unquoted eight-byte integers were supported with these non-decimal bases.

  • Allow underscores in integer and numeric constants (Peter Eisentraut, Dean Rasheed)

    This can improve readability for long strings of digits.

  • Accept the spelling +infinity in datetime input (Vik Fearing)

  • Prevent the specification of epoch and infinity together with other fields in datetime strings (Joseph Koshakow)

  • Remove undocumented support for date input in the form YyearMmonthDday (Joseph Koshakow)

  • Add functions pg_input_is_valid() and pg_input_error_info() to check for type conversion errors (Tom Lane)

  • Allow subqueries in the FROM clause to omit aliases (Dean Rasheed)

  • Add support for enhanced numeric literals in SQL/JSON paths (Peter Eisentraut)

    For example, allow hexadecimal, octal, and binary integers and underscores between digits.

  • Add SQL/JSON constructors (Nikita Glukhov, Teodor Sigaev, Oleg Bartunov, Alexander Korotkov, Amit Langote)

    The new functions JSON_ARRAY(), JSON_ARRAYAGG(), JSON_OBJECT(), and JSON_OBJECTAGG() are part of the SQL standard.

  • Add SQL/JSON object checks (Nikita Glukhov, Teodor Sigaev, Oleg Bartunov, Alexander Korotkov, Amit Langote, Andrew Dunstan)

    The IS JSON checks include checks for values, arrays, objects, scalars, and unique keys.

  • Allow JSON string parsing to use vector operations (John Naylor)

  • Improve the handling of full text highlighting function ts_headline() for OR and NOT expressions (Tom Lane)

  • Add functions to add, subtract, and generate timestamptz values in a specified time zone (Przemyslaw Sztoch, Gurjeet Singh)

    The functions are date_add(), date_subtract(), and generate_series().

  • Change date_trunc(unit, timestamptz, time_zone) to be an immutable function (Przemyslaw Sztoch)

    This allows the creation of expression indexes using this function.

  • Add server variable SYSTEM_USER (Bertrand Drouvot)

    This reports the authentication method and its authenticated user.

  • Add functions array_sample() and array_shuffle() (Martin Kalcher)

  • Add aggregate function ANY_VALUE() which returns any value from a set (Vik Fearing)

  • Add function random_normal() to supply normally-distributed random numbers (Paul Ramsey)

  • Add error function erf() and its complement erfc() (Dean Rasheed)

  • Improve the accuracy of numeric power() for integer exponents (Dean Rasheed)

  • Add XMLSERIALIZE() option INDENT to pretty-print its output (Jim Jones)

  • Change pg_collation_actual_version() to return a reasonable value for the default collation (Jeff Davis)

    Previously it returned NULL.

  • Allow pg_read_file() and pg_read_binary_file() to ignore missing files (Kyotaro Horiguchi)

  • Add byte specification (B) to pg_size_bytes() (Peter Eisentraut)

  • Allow to_reg* functions to accept numeric OIDs as input (Tom Lane)

  • Add the ability to get the current function's OID in PL/pgSQL (Pavel Stehule)

    This is accomplished with GET DIAGNOSTICS variable = PG_ROUTINE_OID.

  • Add libpq connection option require_auth to specify a list of acceptable authentication methods (Jacob Champion)

    This can also be used to disallow certain authentication methods.

  • Allow multiple libpq-specified hosts to be randomly selected (Jelte Fennema)

    This is enabled with load_balance_hosts=random and can be used for load balancing.

  • Add libpq option sslcertmode to control transmission of the client certificate (Jacob Champion)

    The option values are disable, allow, and require.

  • Allow libpq to use the system certificate pool for certificate verification (Jacob Champion, Thomas Habets)

    This is enabled with sslrootcert=system, which also enables sslmode=verify-full.

  • Allow ECPG variable declarations to use typedef names that match unreserved SQL keywords (Tom Lane)

    This change does prevent keywords which match C typedef names from being processed as keywords in later EXEC SQL blocks.

  • Allow psql to control the maximum width of header lines in expanded format (Platon Pronko)

    This is controlled by xheader_width.

  • Add psql command \drg to show role membership details (Pavel Luzanov)

    The Member of output column has been removed from \du and \dg because this new command displays this informaion in more detail.

  • Allow psql's access privilege commands to show system objects (Nathan Bossart)

    The options are \dpS and \zS.

  • Add FOREIGN designation to psql \d+ for foreign table children and partitions (Ian Lawrence Barwick)

  • Prevent \df+ from showing function source code (Isaac Morland)

    Function bodies are more easily viewed with \sf.

  • Allow psql to submit queries using the extended query protocol (Peter Eisentraut)

    Passing arguments to such queries is done using the new psql \bind command.

  • Allow psql \watch to limit the number of executions (Andrey Borodin)

    The \watch options can now be named when specified.

  • Detect invalid values for psql \watch, and allow zero to specify no delay (Andrey Borodin)

  • Allow psql scripts to obtain the exit status of shell commands and queries (Corey Huinker, Tom Lane)

    The new psql control variables are SHELL_ERROR and SHELL_EXIT_CODE.

  • Various psql tab completion improvements (Vignesh C, Aleksander Alekseev, Dagfinn Ilmari Mannsåker, Shi Yu, Michael Paquier, Ken Kato, Peter Smith)

  • Add pg_dump control of dumping child tables and partitions (Gilles Darold)

    The new options are --table-and-children, --exclude-table-and-children, and --exclude-table-data-and-children.

  • Add LZ4 and Zstandard compression to pg_dump (Georgios Kokolatos, Justin Pryzby)

  • Allow pg_dump and pg_basebackup to use long mode for compression (Justin Pryzby)

  • Improve pg_dump to accept a more consistent compression syntax (Georgios Kokolatos)

    Options like --compress=gzip:5.

  • Add initdb option to set server variables for the duration of initdb and all future server starts (Tom Lane)

    The option is -c name=value.

  • Add options to createuser to control more user options (Shinya Kato)

    Specifically, the new options control the valid-until date, bypassing of row-level security, and role membership.

  • Deprecate createuser option --role (Nathan Bossart)

    This option could be easily confused with new createuser role membership options, so option --member-of has been added with the same functionality. The --role option can still be used.

  • Allow control of vacuumdb schema processing (Gilles Darold)

    These are controlled by options --schema and --exclude-schema.

  • Use new VACUUM options to improve the performance of vacuumdb (Tom Lane, Nathan Bossart)

  • Have pg_upgrade set the new cluster's locale and encoding (Jeff Davis)

    This removes the requirement that the new cluster be created with the same locale and encoding settings.

  • Add pg_upgrade option to specify the default transfer mode (Peter Eisentraut)

    The option is --copy.

  • Improve pg_basebackup to accept numeric compression options (Georgios Kokolatos, Michael Paquier)

    Options like --compress=server-5 are now supported.

  • Fix pg_basebackup to handle tablespaces stored in the PGDATA directory (Robert Haas)

  • Add pg_waldump option --save-fullpage to dump full page images (David Christensen)

  • Allow pg_waldump options -t/--timeline to accept hexadecimal values (Peter Eisentraut)

  • Add support for progress reporting to pg_verifybackup (Masahiko Sawada)

  • Allow pg_rewind to properly track timeline changes (Heikki Linnakangas)

    Previously if pg_rewind was run after a timeline switch but before a checkpoint was issued, it might incorrectly determine that a rewind was unnecessary.

  • Have pg_receivewal and pg_recvlogical cleanly exit on SIGTERM (Christoph Berg)

    This signal is often used by systemd.

  • Build ICU support by default (Jeff Davis)

    This removes build flag --with-icu and adds flag --without-icu.

  • Add support for SSE2 (Streaming SIMD Extensions 2) vector operations on x86-64 architectures (John Naylor)

  • Add support for Advanced SIMD (Single Instruction Multiple Data) (NEON) instructions on ARM architectures (Nathan Bossart)

  • Have Windows binaries built with MSVC use RandomizedBaseAddress (ASLR) (Michael Paquier)

    This was already enabled on MinGW builds.

  • Prevent extension libraries from exporting their symbols by default (Andres Freund, Tom Lane)

    Functions that need to be called from the core backend or other extensions must now be explicitly marked PGDLLEXPORT.

  • Require Windows 10 or newer versions (Michael Paquier, Juan José Santamaría Flecha)

    Previously Windows Vista and Windows XP were supported.

  • Require Perl version 5.14 or later (John Naylor)

  • Require Bison version 2.3 or later (John Naylor)

  • Require Flex version 2.5.35 or later (John Naylor)

  • Require MIT Kerberos for GSSAPI support (Stephen Frost)

  • Remove support for Visual Studio 2013 (Michael Paquier)

  • Remove support for HP-UX (Thomas Munro)

  • Remove support for HP/Intel Itanium (Thomas Munro)

  • Remove support for M68K, M88K, M32R, and SuperH CPU architectures (Thomas Munro)

  • Remove libpq support for SCM credential authentication (Michael Paquier)

    Backend support for this authentication method was removed in PostgresSQL 9.1.

  • Add meson build system (Andres Freund, Nazir Bilal Yavuz, Peter Eisentraut)

    This eventually will replace the Autoconf and Windows-based MSVC build systems.

  • Allow control of the location of the openssl binary used by the build system (Peter Eisentraut)

    Make finding openssl program a configure or meson option

  • Add build option to allow testing of small WAL segment sizes (Andres Freund)

    The build options are --with-segsize-blocks and -Dsegsize_blocks.

  • Add pgindent options (Andrew Dunstan)

    The new options are --show-diff, --silent-diff, --commit, and --help, and allow multiple --exclude options. Also require the typedef file to be explicitly specified. Options --code-base and --build were also removed.

  • Add pg_bsd_indent source code to the main tree (Tom Lane)

  • Improve make_ctags and make_etags (Yugo Nagata)

  • Adjust pg_attribute columns for efficiency (Peter Eisentraut)

  • Improve use of extension-based indexes on boolean columns (Zongliang Quan, Tom Lane)

  • Add support for Daitch-Mokotoff Soundex to fuzzystrmatch (Dag Lem)

  • Allow auto_explain to log values passed to parameterized statements (Dagfinn Ilmari Mannsåker)

    This affects queries using server-side PREPARE/EXECUTE and client-side parse/bind. Logging is controlled by auto_explain.log_parameter_max_length; by default query parameters will be logged with no length restriction.

  • Have auto_explain's log_verbose mode honor the value of compute_query_id (Atsushi Torikoshi)

    Previously even if compute_query_id was enabled, log_verbose was not showing the query identifier.

  • Change the maximum length of ltree labels from 256 to 1000 and allow hyphens (Garen Torikian)

  • Have pg_stat_statements normalize constants used in utility commands (Michael Paquier)

    Previously constants appeared instead of placeholders, e.g., $1.

  • Add pg_walinspect function pg_get_wal_block_info() to report WAL block information (Michael Paquier, Melanie Plageman, Bharath Rupireddy)

  • Change how pg_walinspect functions pg_get_wal_records_info() and pg_get_wal_stats() interpret ending LSNs (Bharath Rupireddy)

    Previously ending LSNs which represent nonexistent WAL locations would generate an error, while they will now be interpreted as the end of the WAL.

  • Add detailed descriptions of WAL records in pg_walinspect and pg_waldump (Melanie Plageman, Peter Geoghegan)

  • Add pageinspect function bt_multi_page_stats() to report statistics on multiple pages (Hamid Akhtar)

    This is similar to bt_page_stats() except it can report on a range of pages.

  • Add empty range output column to pageinspect function brin_page_items() (Tomas Vondra)

  • Redesign archive modules to be more flexible (Nathan Bossart)

    Initialization changes will require modules written for older versions of Postgres to be updated.

  • Correct inaccurate pg_stat_statements row tracking extended query protocol statements (Sami Imseih)

  • Add pg_buffercache function pg_buffercache_usage_counts() to report usage totals (Nathan Bossart)

  • Add pg_buffercache function pg_buffercache_summary() to report summarized buffer statistics (Melih Mutlu)

  • Allow the schemas of required extensions to be referenced in extension scripts using the new syntax @extschema:referenced_extension_name@ (Regina Obe)

  • Allow required extensions to be marked as non-relocatable using no_relocate (Regina Obe)

    This allows @extschema:referenced_extension_name@ to be treated as a constant for the lifetime of the extension.

  • Allow postgres_fdw to do aborts in parallel (Etsuro Fujita)

    This is enabled with postgres_fdw option parallel_abort.

  • Make ANALYZE on foreign postgres_fdw tables more efficient (Tomas Vondra)

    The postgres_fdw option analyze_sampling controls the sampling method.

  • Restrict shipment of reg* type constants in postgres_fdw to those referencing built-in objects or extensions marked as shippable (Tom Lane)

  • Have postgres_fdw and dblink handle interrupts during connection establishment (Andres Freund)

• ⇑ Upgrade to 16.1 released on 2023-11-09 - docs

  • Fix handling of unknown-type arguments in DISTINCT "any" aggregate functions (Tom Lane)

    This error led to a text-type value being interpreted as an unknown-type value (that is, a zero-terminated string) at runtime. This could result in disclosure of server memory following the text value.

    The PostgreSQL Project thanks Jingzhou Fu for reporting this problem. (CVE-2023-5868)

  • Detect integer overflow while computing new array dimensions (Tom Lane)

    When assigning new elements to array subscripts that are outside the current array bounds, an undetected integer overflow could occur in edge cases. Memory stomps that are potentially exploitable for arbitrary code execution are possible, and so is disclosure of server memory.

    The PostgreSQL Project thanks Pedro Gallegos for reporting this problem. (CVE-2023-5869)

  • Prevent the pg_signal_backend role from signalling background workers and autovacuum processes (Noah Misch, Jelte Fennema-Nio)

    The documentation says that pg_signal_backend cannot issue signals to superuser-owned processes. It was able to signal these background processes, though, because they advertise a role OID of zero. Treat that as indicating superuser ownership. The security implications of cancelling one of these process types are fairly small so far as the core code goes (we'll just start another one), but extensions might add background workers that are more vulnerable.

    Also ensure that the is_superuser parameter is set correctly in such processes. No specific security consequences are known for that oversight, but it might be significant for some extensions.

    The PostgreSQL Project thanks Hemanth Sandrana and Mahendrakar Srinivasarao for reporting this problem. (CVE-2023-5870)

  • Fix misbehavior during recursive page split in GiST index build (Heikki Linnakangas)

    Fix a case where the location of a page downlink was incorrectly tracked, and introduce some logic to allow recovering from such situations rather than silently doing the wrong thing. This error could result in incorrect answers from subsequent index searches. It may be advisable to reindex all GiST indexes after installing this update.

  • Prevent de-duplication of btree index entries for interval columns (Noah Misch)

    There are interval values that are distinguishable but compare equal, for example 24:00:00 and 1 day. This breaks assumptions made by btree de-duplication, so interval columns need to be excluded from de-duplication. This oversight can cause incorrect results from index-only scans. Moreover, after updating amcheck will report an error for almost all such indexes. Users should reindex any btree indexes on interval columns.

  • Process date values more sanely in BRIN datetime_minmax_multi_ops indexes (Tomas Vondra)

    The distance calculation for dates was backward, causing poor decisions about which entries to merge. The index still produces correct results, but is much less efficient than it should be. Reindexing BRIN minmax_multi indexes on date columns is advisable.

  • Process large timestamp and timestamptz values more sanely in BRIN datetime_minmax_multi_ops indexes (Tomas Vondra)

    Infinities were mistakenly treated as having distance zero rather than a large distance from other values, causing poor decisions about which entries to merge. Also, finite-but-very-large values (near the endpoints of the representable timestamp range) could result in internal overflows, again causing poor decisions. The index still produces correct results, but is much less efficient than it should be. Reindexing BRIN minmax_multi indexes on timestamp and timestamptz columns is advisable if the column contains, or has contained, infinities or large finite values.

  • Avoid calculation overflows in BRIN interval_minmax_multi_ops indexes with extreme interval values (Tomas Vondra)

    This bug might have caused unexpected failures while trying to insert large interval values into such an index.

  • Fix partition step generation and runtime partition pruning for hash-partitioned tables with multiple partition keys (David Rowley)

    Some cases involving an IS NULL condition on one of the partition keys could result in a crash.

  • Fix inconsistent rechecking of concurrently-updated rows during MERGE (Dean Rasheed)

    In READ COMMITTED mode, an update that finds that its target row was just updated by a concurrent transaction will recheck the query's WHERE conditions on the updated row. MERGE failed to ensure that the proper rows of other joined tables were used during this recheck, possibly resulting in incorrect decisions about whether the newly-updated row should be updated again by MERGE.

  • Correctly identify the target table in an inherited UPDATE/DELETE/MERGE even when the parent table is excluded by constraints (Amit Langote, Tom Lane)

    If the initially-named table is excluded by constraints, but not all its inheritance descendants are, the first non-excluded descendant was identified as the primary target table. This would lead to firing statement-level triggers associated with that table, rather than the initially-named table as should happen. In v16, the same oversight could also lead to “invalid perminfoindex 0 in RTE with relid NNNN” errors.

  • Fix edge case in btree mark/restore processing of ScalarArrayOpExpr clauses (Peter Geoghegan)

    When restoring an indexscan to a previously marked position, the code could miss required setup steps if the scan had advanced exactly to the end of the matches for a ScalarArrayOpExpr (that is, an indexcol = ANY(ARRAY[])) clause. This could result in missing some rows that should have been fetched.

  • Fix intra-query memory leak in Memoize execution (Orlov Aleksej, David Rowley)

  • Fix intra-query memory leak when a set-returning function repeatedly returns zero rows (Tom Lane)

  • Don't crash if cursor_to_xmlschema() is applied to a non-data-returning Portal (Boyu Yang)

  • Fix improper sharing of origin filter condition across successive pg_logical_slot_get_changes() calls (Hou Zhijie)

    The origin condition set by one call of this function would be re-used by later calls that did not specify the origin argument. This was not intended.

  • Throw the intended error if pgrowlocks() is applied to a partitioned table (David Rowley)

    Previously, a not-on-point complaint “only heap AM is supported” would be raised.

  • Handle invalid indexes more cleanly in assorted SQL functions (Noah Misch)

    Report an error if pgstatindex(), pgstatginindex(), pgstathashindex(), or pgstattuple() is applied to an invalid index. If brin_desummarize_range(), brin_summarize_new_values(), brin_summarize_range(), or gin_clean_pending_list() is applied to an invalid index, do nothing except to report a debug-level message. Formerly these functions attempted to process the index, and might fail in strange ways depending on what the failed CREATE INDEX had left behind.

  • Avoid premature memory allocation failure with long inputs to to_tsvector() (Tom Lane)

  • Fix over-allocation of the constructed tsvector in tsvectorrecv() (Denis Erokhin)

    If the incoming vector includes position data, the binary receive function left wasted space (roughly equal to the size of the position data) in the finished tsvector. In extreme cases this could lead to “maximum total lexeme length exceeded” failures for vectors that were under the length limit when emitted. In any case it could lead to wasted space on-disk.

  • Improve checks for corrupt PGLZ compressed data (Flavien Guedez)

  • Fix ALTER SUBSCRIPTION so that a commanded change in the run_as_owner option is actually applied (Hou Zhijie)

  • Fix bulk table insertion into partitioned tables (Andres Freund)

    Improper sharing of insertion state across partitions could result in failures during COPY FROM, typically manifesting as “could not read block NNNN in file XXXX: read only 0 of 8192 bytes” errors.

  • In COPY FROM, avoid evaluating column default values that will not be needed by the command (Laurenz Albe)

    This avoids a possible error if the default value isn't actually valid for the column, or if the default's expression would fail in the current execution context. Such edge cases sometimes arise while restoring dumps, for example. Previous releases did not fail in this situation, so prevent v16 from doing so.

  • In COPY FROM, fail cleanly when an unsupported encoding conversion is needed (Tom Lane)

    Recent refactoring accidentally removed the intended error check for this, such that it ended in “cache lookup failed for function 0” instead of a useful error message.

  • Avoid crash in EXPLAIN if a parameter marked to be displayed by EXPLAIN has a NULL boot-time value (Xing Guo, Aleksander Alekseev, Tom Lane)

    No built-in parameter fits this description, but an extension could define such a parameter.

  • Ensure we have a snapshot while dropping ON COMMIT DROP temp tables (Tom Lane)

    This prevents possible misbehavior if any catalog entries for the temp tables have fields wide enough to require toasting (such as a very complex CHECK condition).

  • Avoid improper response to shutdown signals in child processes just forked by system() (Nathan Bossart)

    This fix avoids a race condition in which a child process that has been forked off by system(), but hasn't yet exec'd the intended child program, might receive and act on a signal intended for the parent server process. That would lead to duplicate cleanup actions being performed, which will not end well.

  • Cope with torn reads of pg_control in frontend programs (Thomas Munro)

    On some file systems, reading pg_control may not be an atomic action when the server concurrently writes that file. This is detectable via a bad CRC. Retry a few times to see if the file becomes valid before we report error.

  • Avoid torn reads of pg_control in relevant SQL functions (Thomas Munro)

    Acquire the appropriate lock before reading pg_control, to ensure we get a consistent view of that file.

  • Fix “could not find pathkey item to sort” errors occurring while planning aggregate functions with ORDER BY or DISTINCT options (David Rowley)

  • Avoid integer overflow when computing size of backend activity string array (Jakub Wartak)

    On 64-bit machines we will allow values of track_activity_query_size large enough to cause 32-bit overflow when multiplied by the allowed number of connections. The code actually allocating the per-backend local array was careless about this though, and allocated the array incorrectly.

  • Fix briefly showing inconsistent progress statistics for ANALYZE on inherited tables (Heikki Linnakangas)

    The block-level counters should be reset to zero at the same time we update the current-relation field.

  • Fix the background writer to report any WAL writes it makes to the statistics counters (Nazir Bilal Yavuz)

  • Fix confusion about forced-flush behavior in pgstat_report_wal() (Ryoga Yoshida, Michael Paquier)

    This could result in some statistics about WAL I/O being forgotten in a shutdown.

  • Fix statistics tracking of temporary-table extensions (Karina Litskevich, Andres Freund)

    These were counted as normal-table writes when they should be counted as temp-table writes.

  • When track_io_timing is enabled, include the time taken by relation extension operations as write time (Nazir Bilal Yavuz)

  • Track the dependencies of cached CALL statements, and re-plan them when needed (Tom Lane)

    DDL commands, such as replacement of a function that has been inlined into a CALL argument, can create the need to re-plan a CALL that has been cached by PL/pgSQL. That was not happening, leading to misbehavior or strange errors such as “cache lookup failed”.

  • Avoid a possible pfree-a-NULL-pointer crash after an error in OpenSSL connection setup (Sergey Shinderuk)

  • Track nesting depth correctly when inspecting RECORD-type Vars from outer query levels (Richard Guo)

    This oversight could lead to assertion failures, core dumps, or “bogus varno” errors.

  • Track hash function and negator function dependencies of ScalarArrayOpExpr plan nodes (David Rowley)

    In most cases this oversight was harmless, since these functions would be unlikely to disappear while the node's original operator remains present.

  • Fix error-handling bug in RECORD type cache management (Thomas Munro)

    An out-of-memory error occurring at just the wrong point could leave behind inconsistent state that would lead to an infinite loop.

  • Treat out-of-memory failures as fatal while reading WAL (Michael Paquier)

    Previously this would be treated as a bogus-data condition, leading to the conclusion that we'd reached the end of WAL, which is incorrect and could lead to inconsistent WAL replay.

  • Fix possible recovery failure due to trying to allocate memory based on a bogus WAL record length field (Thomas Munro, Michael Paquier)

  • Fix “could not duplicate handle” error occurring on Windows when min_dynamic_shared_memory is set above zero (Thomas Munro)

  • Fix order of operations in GenericXLogFinish (Jeff Davis)

    This code violated the conditions required for crash safety by writing WAL before marking changed buffers dirty. No core code uses this function, but extensions do (contrib/bloom does, for example).

  • Remove incorrect assertion in PL/Python exception handling (Alexander Lakhin)

  • Fix pg_dump to dump the new run_as_owner option of subscriptions (Philip Warner)

    Due to this oversight, subscriptions would always be restored with run_as_owner set to false, which is not equivalent to their behavior in pre-v16 releases.

  • Fix pg_restore so that selective restores will include both table-level and column-level ACLs for selected tables (Euler Taveira, Tom Lane)

    Formerly, only the table-level ACL would get restored if both types were present.

  • Add logic to pg_upgrade to check for use of abstime, reltime, and tinterval data types (Álvaro Herrera)

    These obsolete data types were removed in PostgreSQL version 12, so check to make sure they aren't present in an older database before claiming it can be upgraded.

  • Avoid false “too many client connections” errors in pgbench on Windows (Noah Misch)

  • Fix vacuumdb's handling of multiple -N switches (Nathan Bossart, Kuwamura Masaki)

    Multiple -N switches should exclude tables in multiple schemas, but in fact excluded nothing due to faulty construction of a generated query.

  • Fix vacuumdb to honor its --buffer-usage-limit option in analyze-only mode (Ryoga Yoshida, David Rowley)

  • In contrib/amcheck, do not report interrupted page deletion as corruption (Noah Misch)

    This fix prevents false-positive reports of “the first child of leftmost target page is not leftmost of its level”, “block NNNN is not leftmost” or “left link/right link pair in index XXXX not in agreement”. They appeared if amcheck ran after an unfinished btree index page deletion and before VACUUM had cleaned things up.

  • Fix failure of contrib/btree_gin indexes on interval columns, when an indexscan using the < or <= operator is performed (Dean Rasheed)

    Such an indexscan failed to return all the entries it should.

  • Add support for LLVM 16 and 17 (Thomas Munro, Dmitry Dolgov)

  • Suppress assorted build-time warnings on recent macOS (Tom Lane)

    Xcode 15 (released with macOS Sonoma) changed the linker's behavior in a way that causes many duplicate-library warnings while building PostgreSQL. These were harmless, but they're annoying so avoid citing the same libraries twice. Also remove use of the -multiply_defined suppress linker switch, which apparently has been a no-op for a long time, and is now actively complained of.

  • When building contrib/unaccent's rules file, fall back to using python if --with-python was not given and make variable PYTHON was not set (Japin Li)

  • Remove PHOT (Phoenix Islands Time) from the default timezone abbreviations list (Tom Lane)

    Presence of this abbreviation in the default list can cause failures on recent Debian and Ubuntu releases, as they no longer install the underlying tzdb entry by default. Since this is a made-up abbreviation for a zone with a total human population of about two dozen, it seems unlikely that anyone will miss it. If someone does, they can put it back via a custom abbreviations file.

• ⇑ Upgrade to 16.2 released on 2024-02-08 - docs

  • Tighten security restrictions within REFRESH MATERIALIZED VIEW CONCURRENTLY (Heikki Linnakangas)

    One step of a concurrent refresh command was run under weak security restrictions. If a materialized view's owner could persuade a superuser or other high-privileged user to perform a concurrent refresh on that view, the view's owner could control code executed with the privileges of the user running REFRESH. Fix things so that all user-determined code is run as the view's owner, as expected.

    The only known exploit for this error does not work in PostgreSQL 16.0 and later, so it may be that v16 is not vulnerable in practice.

    The PostgreSQL Project thanks Pedro Gallegos for reporting this problem. (CVE-2024-0985)

  • Fix memory leak when performing JIT inlining (Andres Freund, Daniel Gustafsson)

    There have been multiple reports of backend processes suffering out-of-memory conditions after sufficiently many JIT compilations. This fix should resolve that.

  • Avoid generating incorrect partitioned-join plans (Richard Guo)

    Some uncommon situations involving lateral references could create incorrect plans. Affected queries could produce wrong answers, or odd failures such as “variable not found in subplan target list”, or executor crashes.

  • Fix incorrect wrapping of subquery output expressions in PlaceHolderVars (Tom Lane)

    This fixes incorrect results when a subquery is underneath an outer join and has an output column that laterally references something outside the outer join's scope. The output column might not appear as NULL when it should do so due to the action of the outer join.

  • Fix misprocessing of window function run conditions (Richard Guo)

    This oversight could lead to “WindowFunc not found in subplan target lists” errors.

  • Fix detection of inner-side uniqueness for Memoize plans (Richard Guo)

    This mistake could lead to “cache entry already complete” errors.

  • Fix computation of nullingrels when constant-folding field selection (Richard Guo)

    Failure to do this led to errors like “wrong varnullingrels (b) (expected (b 3)) for Var 2/2”.

  • Skip inappropriate actions when MERGE causes a cross-partition update (Dean Rasheed)

    When executing a MERGE UPDATE action on a partitioned table, if the UPDATE is turned into a DELETE and INSERT due to changing a partition key column, skip firing AFTER UPDATE ROW triggers, as well as other post-update actions such as RLS checks. These actions would typically fail, which is why a regular UPDATE doesn't do them in such cases; MERGE shouldn't either.

  • Cope with BEFORE ROW DELETE triggers in cross-partition MERGE updates (Dean Rasheed)

    If such a trigger attempted to prevent the update by returning NULL, MERGE would suffer an error or assertion failure.

  • Prevent access to a no-longer-pinned buffer in BEFORE ROW UPDATE triggers (Alexander Lakhin, Tom Lane)

    If the tuple being updated had just been updated and moved to another page by another session, there was a narrow window where we would attempt to fetch data from the new tuple version without any pin on its buffer. In principle this could result in garbage data appearing in non-updated columns of the proposed new tuple. The odds of problems in practice seem rather low, however.

  • Avoid requesting an oversize shared-memory area in parallel hash join (Thomas Munro, Andrei Lepikhov, Alexander Korotkov)

    The limiting value was too large, allowing “invalid DSA memory alloc request size” errors to occur with sufficiently large expected hash table sizes.

  • Fix corruption of local buffer state when an error occurs while trying to extend a temporary table (Tender Wang)

  • Fix use of wrong tuple slot while evaluating DISTINCT aggregates that have multiple arguments (David Rowley)

    This mistake could lead to errors such as “attribute 1 of type record has wrong type”.

  • Avoid assertion failures in heap_update() and heap_delete() when a tuple to be updated by a foreign-key enforcement trigger fails the extra visibility crosscheck (Alexander Lakhin)

    This error had no impact in non-assert builds.

  • Fix possible failure during ALTER TABLE ADD COLUMN on a complex inheritance tree (Tender Wang)

    If a grandchild table would inherit the new column via multiple intermediate parents, the command failed with “tuple already updated by self”.

  • Fix problems with duplicate token names in ALTER TEXT SEARCH CONFIGURATION ... MAPPING commands (Tender Wang, Michael Paquier)

  • Fix DROP ROLE with duplicate role names (Michael Paquier)

    Previously this led to a “tuple already updated by self” failure. Instead, ignore the duplicate.

  • Properly lock the associated table during DROP STATISTICS (Tomas Vondra)

    Failure to acquire the lock could result in “tuple concurrently deleted” errors if the DROP executes concurrently with ANALYZE.

  • Fix function volatility checking for GENERATED and DEFAULT expressions (Tom Lane)

    These places could fail to detect insertion of a volatile function default-argument expression, or decide that a polymorphic function is volatile although it is actually immutable on the datatype of interest. This could lead to improperly rejecting or accepting a GENERATED clause, or to mistakenly applying the constant-default-value optimization in ALTER TABLE ADD COLUMN.

  • Detect that a new catalog cache entry became stale while detoasting its fields (Tom Lane)

    We expand any out-of-line fields in a catalog tuple before inserting it into the catalog caches. That involves database access which might cause invalidation of catalog cache entries — but the new entry isn't in the cache yet, so we would miss noticing that it should get invalidated. The result is a race condition in which an already-stale cache entry could get made, and then persist indefinitely. This would lead to hard-to-predict misbehavior. Fix by rechecking the tuple's visibility after detoasting.

  • Fix edge-case integer overflow detection bug on some platforms (Dean Rasheed)

    Computing 0 - INT64_MIN should result in an overflow error, and did on most platforms. However, platforms with neither integer overflow builtins nor 128-bit integers would fail to spot the overflow, instead returning INT64_MIN.

  • Detect Julian-date overflow when adding or subtracting an interval to/from a timestamp (Tom Lane)

    Some cases that should cause an out-of-range error produced an incorrect result instead.

  • Add more checks for overflow in interval_mul() and interval_div() (Dean Rasheed)

    Some cases that should cause an out-of-range error produced an incorrect result instead.

  • Allow scram_SaltedPassword() to be interrupted (Bowen Shi)

    With large scram_iterations values, this function could take a long time to run. Allow it to be interrupted by query cancel requests.

  • Ensure cached statistics are discarded after a change to stats_fetch_consistency (Shinya Kato)

    In some code paths, it was possible for stale statistics to be returned.

  • Make the pg_file_settings view check validity of unapplied values for settings with backend or superuser-backend context (Tom Lane)

    Invalid values were not noted in the view as intended. This escaped detection because there are very few settings in these groups.

  • Match collation too when matching an existing index to a new partitioned index (Peter Eisentraut)

    Previously we could accept an index that has a different collation from the corresponding element of the partition key, possibly leading to misbehavior.

  • Avoid failure if a child index is dropped concurrently with REINDEX INDEX on a partitioned index (Fei Changhong)

  • Fix insufficient locking when cleaning up an incomplete split of a GIN index's internal page (Fei Changhong, Heikki Linnakangas)

    The code tried to do this with shared rather than exclusive lock on the buffer. This could lead to index corruption if two processes attempted the cleanup concurrently.

  • Avoid premature release of buffer pin in GIN index insertion (Tom Lane)

    If an index root page split occurs concurrently with our own insertion, the code could fail with “buffer NNNN is not owned by resource owner”.

  • Avoid failure with partitioned SP-GiST indexes (Tom Lane)

    Trying to use an index of this kind could lead to “No such file or directory” errors.

  • Fix ownership tests for large objects (Tom Lane)

    Operations on large objects that require ownership privilege failed with “unrecognized class ID: 2613”, unless run by a superuser.

  • Fix ownership change reporting for large objects (Tom Lane)

    A no-op ALTER LARGE OBJECT OWNER command (that is, one selecting the existing owner) passed the wrong class ID to the PostAlterHook, probably confusing any extension using that hook.

  • Fix reporting of I/O timing data in EXPLAIN (BUFFERS) (Michael Paquier)

    The numbers labeled as “shared/local” actually refer only to shared buffers, so change that label to “shared”.

  • Ensure durability of CREATE DATABASE (Noah Misch)

    If an operating system crash occurred during or shortly after CREATE DATABASE, recovery could fail, or subsequent connections to the new database could fail. If a base backup was taken in that window, similar problems could be observed when trying to use the backup. The symptom would be that the database directory, PG_VERSION file, or pg_filenode.map file was missing or empty.

  • Add more LOG messages when starting and ending recovery from a backup (Andres Freund)

    This change provides additional information in the postmaster log that may be useful for diagnosing recovery problems.

  • Prevent standby servers from incorrectly processing dead index tuples during subtransactions (Fei Changhong)

    The startedInRecovery flag was not correctly set for a subtransaction. This affects only processing of dead index tuples. It could allow a query in a subtransaction to ignore index entries that it should return (if they are already dead on the primary server, but not dead to the standby transaction), or to prematurely mark index entries as dead that are not yet dead on the primary. It is not clear that the latter case has any serious consequences, but it's not the intended behavior.

  • Fix signal handling in walreceiver processes (Heikki Linnakangas)

    Revert a change that made walreceivers non-responsive to SIGTERM while waiting for the replication connection to be established.

  • Fix integer overflow hazard in checking whether a record will fit into the WAL decoding buffer (Thomas Munro)

    This bug appears to be only latent except when running a 32-bit PostgreSQL build on a 64-bit platform.

  • Fix deadlock between a logical replication apply worker, its tablesync worker, and a session process trying to alter the subscription (Shlok Kyal)

    One edge of the deadlock loop did not involve a lock wait, so the deadlock went undetected and would persist until manual intervention.

  • Ensure that column default values are correctly transmitted by the pgoutput logical replication plugin (Nikhil Benesch)

    ALTER TABLE ADD COLUMN with a constant default value for the new column avoids rewriting existing tuples, instead expecting that reading code will insert the correct default into a tuple that lacks that column. If replication was subsequently initiated on the table, pgoutput would transmit NULL instead of the correct default for such a column, causing incorrect replication on the subscriber.

  • Fix failure of logical replication's initial sync for a table with no columns (Vignesh C)

    This case generated an improperly-formatted COPY command.

  • Re-validate a subscription's connection string before use (Vignesh C)

    This is meant to detect cases where a subscription was created without a password (which is allowed to superusers) but then the subscription owner is changed to a non-superuser.

  • Return the correct status code when a new client disconnects without responding to the server's password challenge (Liu Lang, Tom Lane)

    In some cases we'd treat this as a loggable error, which was not the intention and tends to create log spam, since common clients like psql frequently do this. It may also confuse extensions that use ClientAuthentication_hook.

  • Fix incompatibility with OpenSSL 3.2 (Tristan Partin, Bo Andreson)

    Use the BIO “app_data” field for our private storage, instead of assuming it's okay to use the “data” field. This mistake didn't cause problems before, but with 3.2 it leads to crashes and complaints about double frees.

  • Be more wary about OpenSSL not setting errno on error (Tom Lane)

    If errno isn't set, assume the cause of the reported failure is read EOF. This fixes rare cases of strange error reports like “could not accept SSL connection: Success”.

  • Fix file descriptor leakage when a foreign data wrapper's ForeignAsyncRequest function fails (Heikki Linnakangas)

  • Fix minor memory leak in connection string validation for CREATE SUBSCRIPTION (Jeff Davis)

  • Report ENOMEM errors from file-related system calls as ERRCODE_OUT_OF_MEMORY, not ERRCODE_INTERNAL_ERROR (Alexander Kuzmenkov)

  • In PL/pgSQL, support SQL commands that are CREATE FUNCTION/CREATE PROCEDURE with SQL-standard bodies (Tom Lane)

    Previously, such cases failed with parsing errors due to the semicolon(s) appearing in the function body.

  • Fix libpq's handling of errors in pipelines (Álvaro Herrera)

    The pipeline state could get out of sync if an error is returned for reasons other than a query problem (for example, if the connection is lost). Potentially this would lead to a busy-loop in the calling application.

  • Make libpq's PQsendFlushRequest() function flush the client output buffer under the same rules as other PQsend functions (Jelte Fennema-Nio)

    In pipeline mode, it may still be necessary to call PQflush() as well; but this change removes some inconsistency.

  • Avoid race condition when libpq initializes OpenSSL support concurrently in two different threads (Willi Mann, Michael Paquier)

  • Fix timing-dependent failure in GSSAPI data transmission (Tom Lane)

    When using GSSAPI encryption in non-blocking mode, libpq sometimes failed with “GSSAPI caller failed to retransmit all data needing to be retried”.

  • Change initdb to always un-comment the postgresql.conf entries for the lc_xxx parameters (Kyotaro Horiguchi)

    initdb used to work this way before v16, and now it does again. The change caused initdb's --no-locale option to not have the intended effect on lc_messages.

  • In pg_dump, don't dump RLS policies or security labels for extension member objects (Tom Lane, Jacob Champion)

    Previously, commands would be included in the dump to set these properties, which is really incorrect since they should be considered as internal affairs of the extension. Moreover, the restoring user might not have adequate privilege to set them, and indeed the dumping user might not have enough privilege to dump them (since dumping RLS policies requires acquiring lock on their table).

  • In pg_dump, don't dump an extended statistics object if its underlying table isn't being dumped (Rian McGuire, Tom Lane)

    This conforms to the behavior for other dependent objects such as indexes.

  • Properly detect out-of-memory in one code path in pg_dump (Daniel Gustafsson)

  • Make it an error for a pgbench script to end with an open pipeline (Anthonin Bonnefoy)

    Previously, pgbench would behave oddly if a \startpipeline command lacked a matching \endpipeline. This seems like a scripting mistake rather than a case that pgbench needs to handle nicely, so throw an error.

  • In contrib/bloom, fix overly tight assertion about false_positive_rate (Alexander Lakhin)

  • Fix crash in contrib/intarray if an array with an element equal to INT_MAX is inserted into a gist__int_ops index (Alexander Lakhin, Tom Lane)

  • Report a better error when contrib/pageinspect's hash_bitmap_info() function is applied to a partitioned hash index (Alexander Lakhin, Michael Paquier)

  • Report a better error when contrib/pgstattuple's pgstathashindex() function is applied to a partitioned hash index (Alexander Lakhin)

  • On Windows, suppress autorun options when launching subprocesses in pg_ctl and pg_regress (Kyotaro Horiguchi)

    When launching a child process via cmd.exe, pass the /D flag to prevent executing any autorun commands specified in the registry. This avoids possibly-surprising side effects.

  • Move is_valid_ascii() from mb/pg_wchar.h to utils/ascii.h (Jubilee Young)

    This change avoids the need to include <simd.h> in pg_wchar.h, which was causing problems for some third-party code.

  • Fix compilation failures with libxml2 version 2.12.0 and later (Tom Lane)

  • Fix compilation failure of WAL_DEBUG code on Windows (Bharath Rupireddy)

  • Suppress compiler warnings from Python's header files (Peter Eisentraut, Tom Lane)

    Our preferred compiler options provoke warnings about constructs appearing in recent versions of Python's header files. When using gcc, we can suppress these warnings with a pragma.

  • Avoid deprecation warning when compiling with LLVM 18 (Thomas Munro)

  • Update time zone data files to tzdata release 2024a for DST law changes in Greenland, Kazakhstan, and Palestine, plus corrections for the Antarctic stations Casey and Vostok. Also historical corrections for Vietnam, Toronto, and Miquelon.

• ⇑ Upgrade to 16.3 released on 2024-05-09 - docs

  • Restrict visibility of pg_stats_ext and pg_stats_ext_exprs entries to the table owner (Nathan Bossart)

    These views failed to hide statistics for expressions that involve columns the accessing user does not have permission to read. View columns such as most_common_vals might expose security-relevant data. The potential interactions here are not fully clear, so in the interest of erring on the side of safety, make rows in these views visible only to the owner of the associated table.

    The PostgreSQL Project thanks Lukas Fittl for reporting this problem. (CVE-2024-4317)

    By itself, this fix will only fix the behavior in newly initdb'd database clusters. If you wish to apply this change in an existing cluster, you will need to do the following:

    1. Find the SQL script fix-CVE-2024-4317.sql in the share directory of the PostgreSQL installation (typically located someplace like /usr/share/postgresql/). Be sure to use the script appropriate to your PostgreSQL major version. If you do not see this file, either your version is not vulnerable (only v14–v16 are affected) or your minor version is too old to have the fix.

    2. In each database of the cluster, run the fix-CVE-2024-4317.sql script as superuser. In psql this would look like

       \i /usr/share/postgresql/fix-CVE-2024-4317.sql
       

       (adjust the file path as appropriate). Any error probably indicates that you've used the wrong script version. It will not hurt to run the script more than once.

    3. Do not forget to include the template0 and template1 databases, or the vulnerability will still exist in databases you create later. To fix template0, you'll need to temporarily make it accept connections. Do that with

       ALTER DATABASE template0 WITH ALLOW_CONNECTIONS true;
       

       and then after fixing template0, undo it with

       ALTER DATABASE template0 WITH ALLOW_CONNECTIONS false;
       

  • Fix INSERT from multiple VALUES rows into a target column that is a domain over an array or composite type (Tom Lane)

    Such cases would either fail with surprising complaints about mismatched datatypes, or insert unexpected coercions that could lead to odd results.

  • Require SELECT privilege on the target table for MERGE with a DO NOTHING clause (Álvaro Herrera)

    SELECT privilege would be required in all practical cases anyway, but require it even if the query reads no columns of the target table. This avoids an edge case in which MERGE would require no privileges whatever, which seems undesirable even when it's a do-nothing command.

  • Fix handling of self-modified tuples in MERGE (Dean Rasheed)

    Throw an error if a target row joins to more than one source row, as required by the SQL standard. (The previous coding could silently ignore this condition if a concurrent update was involved.) Also, throw a non-misleading error if a target row is already updated by a later command in the current transaction, thanks to a BEFORE trigger or a volatile function used in the query.

  • Fix incorrect pruning of NULL partition when a table is partitioned on a boolean column and the query has a boolean IS NOT clause (David Rowley)

    A NULL value satisfies a clause such as boolcol IS NOT FALSE, so pruning away a partition containing NULLs yielded incorrect answers.

  • Make ALTER FOREIGN TABLE SET SCHEMA move any owned sequences into the new schema (Tom Lane)

    Moving a regular table to a new schema causes any sequences owned by the table to be moved to that schema too (along with indexes and constraints). This was overlooked for foreign tables, however.

  • Make ALTER TABLE ... ADD COLUMN create identity/serial sequences with the same persistence as their owning tables (Peter Eisentraut)

    CREATE UNLOGGED TABLE will make any owned sequences be unlogged too. ALTER TABLE missed that consideration, so that an added identity column would have a logged sequence, which seems pointless.

  • Improve ALTER TABLE ... ALTER COLUMN TYPE's error message when there is a dependent function or publication (Tom Lane)

  • In CREATE DATABASE, recognize strategy keywords case-insensitively for consistency with other options (Tomas Vondra)

  • Fix EXPLAIN's counting of heap pages accessed by a bitmap heap scan (Melanie Plageman)

    Previously, heap pages that contain no visible tuples were not counted; but it seems more consistent to count all pages returned by the bitmap index scan.

  • Fix EXPLAIN's output for subplans in MERGE (Dean Rasheed)

    EXPLAIN would sometimes fail to properly display subplan Params referencing variables in other parts of the plan tree.

  • Avoid deadlock during removal of orphaned temporary tables (Mikhail Zhilin)

    If the session that creates a temporary table crashes without removing the table, autovacuum will eventually try to remove the orphaned table. However, an incoming session that's been assigned the same temporary namespace will do that too. If a temporary table has a dependency (such as an owned sequence) then a deadlock could result between these two cleanup attempts.

  • Fix updating of visibility map state in VACUUM with the DISABLE_PAGE_SKIPPING option (Heikki Linnakangas)

    Due to an oversight, this mode caused all heap pages to be dirtied, resulting in excess I/O. Also, visibility map bits that were incorrectly set would not get cleared.

  • Avoid race condition while examining per-relation frozen-XID values (Noah Misch)

    VACUUM's computation of per-database frozen-XID values from per-relation values could get confused by a concurrent update of those values by another VACUUM.

  • Fix buffer usage reporting for parallel vacuuming (Anthonin Bonnefoy)

    Buffer accesses performed by parallel workers were not getting counted in the statistics reported in VERBOSE mode.

  • Ensure that join conditions generated from equivalence classes are applied at the correct plan level (Tom Lane)

    In versions before PostgreSQL 16, it was possible for generated conditions to be evaluated below outer joins when they should be evaluated above (after) the outer join, leading to incorrect query results. All versions have a similar hazard when considering joins to UNION ALL trees that have constant outputs for the join column in some SELECT arms.

  • Fix “could not find pathkey item to sort” errors occurring while planning aggregate functions with ORDER BY or DISTINCT options (David Rowley)

    This is similar to a fix applied in 16.1, but it solves the problem for parallel plans.

  • Prevent potentially-incorrect optimization of some window functions (David Rowley)

    Disable “run condition” optimization of ntile() and count() with non-constant arguments. This avoids possible misbehavior with sub-selects, typically leading to errors like “WindowFunc not found in subplan target lists”.

  • Avoid unnecessary use of moving-aggregate mode with a non-moving window frame (Vallimaharajan G)

    When a plain aggregate is used as a window function, and the window frame start is specified as UNBOUNDED PRECEDING, the frame's head cannot move so we do not need to use the special (and more expensive) moving-aggregate mode. This optimization was intended all along, but due to a coding error it never triggered.

  • Avoid use of already-freed data while planning partition-wise joins under GEQO (Tom Lane)

    This would typically end in a crash or unexpected error message.

  • Avoid freeing still-in-use data in Memoize (Tender Wang, Andrei Lepikhov)

    In production builds this error frequently didn't cause any problems, as the freed data would most likely not get overwritten before it was used.

  • Fix incorrectly-reported statistics kind codes in “requested statistics kind X is not yet built” error messages (David Rowley)

  • Use a hash table instead of linear search for “catcache list” objects (Tom Lane)

    This change solves performance problems that were reported for certain operations in installations with many thousands of roles.

  • Be more careful with RECORD-returning functions in FROM (Tom Lane)

    The output columns of such a function call must be defined by an AS clause that specifies the column names and data types. If the actual function output value doesn't match that, an error is supposed to be thrown at runtime. However, some code paths would examine the actual value prematurely, and potentially issue strange errors or suffer assertion failures if it doesn't match expectations.

  • Fix confusion about the return rowtype of SQL-language procedures (Tom Lane)

    A procedure implemented in SQL language that returns a single composite-type column would cause an assertion failure or core dump.

  • Add protective stack depth checks to some recursive functions (Egor Chindyaskin)

  • Fix mis-rounding and overflow hazards in date_bin() (Moaaz Assali)

    In the case where the source timestamp is before the origin timestamp and their difference is already an exact multiple of the stride, the code incorrectly subtracted the stride anyway. Also, detect some integer-overflow cases that would have produced incorrect results.

  • Detect integer overflow when adding or subtracting an interval to/from a timestamp (Joseph Koshakow)

    Some cases that should cause an out-of-range error produced an incorrect result instead.

  • Avoid race condition in pg_get_expr() (Tom Lane)

    If the relation referenced by the argument is dropped concurrently, the function's intention is to return NULL, but sometimes it failed instead.

  • Fix detection of old transaction IDs in XID status functions (Karina Litskevich)

    Transaction IDs more than 2³¹ transactions in the past could be misidentified as recent, leading to misbehavior of pg_xact_status() or txid_status().

  • Ensure that a table's freespace map won't return a page that's past the end of the table (Ronan Dunklau)

    Because the freespace map isn't WAL-logged, this was possible in edge cases involving an OS crash, a replica promote, or a PITR restore. The result would be a “could not read block” error.

  • Fix file descriptor leakage when an error is thrown while waiting in WaitEventSetWait (Etsuro Fujita)

  • Avoid corrupting exception stack if an FDW implements async append but doesn't configure any wait conditions for the Append plan node to wait for (Alexander Pyhalov)

  • Throw an error if an index is accessed while it is being reindexed (Tom Lane)

    Previously this was just an assertion check, but promote it into a regular runtime error. This will provide a more on-point error message when reindexing a user-defined index expression that attempts to access its own table.

  • Ensure that index-only scans on name columns return a fully-padded value (David Rowley)

    The value physically stored in the index is truncated, and previously a pointer to that value was returned to callers. This provoked complaints when testing under valgrind. In theory it could result in crashes, though none have been reported.

  • Fix race condition that could lead to reporting an incorrect conflict cause when invalidating a replication slot (Bertrand Drouvot)

  • Fix race condition in deciding whether a table sync operation is needed in logical replication (Vignesh C)

    An invalidation event arriving while a subscriber identifies which tables need to be synced would be forgotten about, so that any tables newly in need of syncing might not get processed in a timely fashion.

  • Fix crash with DSM allocations larger than 4GB (Heikki Linnakangas)

  • Disconnect if a new server session's client socket cannot be put into non-blocking mode (Heikki Linnakangas)

    It was once theoretically possible for us to operate with a socket that's in blocking mode; but that hasn't worked fully in a long time, so fail at connection start rather than misbehave later.

  • Fix inadequate error reporting with OpenSSL 3.0.0 and later (Heikki Linnakangas, Tom Lane)

    System-reported errors passed through by OpenSSL were reported with a numeric error code rather than anything readable.

  • Fix thread-safety of error reporting for getaddrinfo() on Windows (Thomas Munro)

    A multi-threaded libpq client program could get an incorrect or corrupted error message after a network lookup failure.

  • Avoid concurrent calls to bindtextdomain() in libpq and ecpglib (Tom Lane)

    Although GNU gettext's implementation seems to be fine with concurrent calls, the version available on Windows is not.

  • Fix crash in ecpg's preprocessor if the program tries to redefine a macro that was defined on the preprocessor command line (Tom Lane)

  • In ecpg, avoid issuing false “unsupported feature will be passed to server” warnings (Tom Lane)

  • Ensure that the string result of ecpg's intoasc() function is correctly zero-terminated (Oleg Tselebrovskiy)

  • In initdb's -c option, match parameter names case-insensitively (Tom Lane)

    The server treats parameter names case-insensitively, so this code should too. This avoids putting redundant entries into the generated postgresql.conf file.

  • In psql, avoid leaking a query result after the query is cancelled (Tom Lane)

    This happened only when cancelling a non-last query in a query string made with \; separators.

  • Fix pg_dumpall so that role comments, if present, will be dumped regardless of the setting of --no-role-passwords (Daniel Gustafsson, Álvaro Herrera)

  • Skip files named .DS_Store in pg_basebackup, pg_checksums, and pg_rewind (Daniel Gustafsson)

    This avoids problems on macOS, where the Finder may create such files.

  • Fix PL/pgSQL's parsing of single-line comments (---style comments) following expressions (Erik Wienhold, Tom Lane)

    This mistake caused parse errors if such a comment followed a WHEN expression in a PL/pgSQL CASE statement.

  • In contrib/amcheck, don't report false match failures due to short- versus long-header values (Andrey Borodin, Michael Zhilin)

    A variable-length datum in a heap tuple or index tuple could have either a short or a long header, depending on compression parameters that applied when it was made. Treat these cases as equivalent rather than complaining if there's a difference.

  • Fix bugs in BRIN output functions (Tomas Vondra)

    These output functions are only used for displaying index entries in contrib/pageinspect, so the errors are of limited practical concern.

  • In contrib/postgres_fdw, avoid emitting requests to sort by a constant (David Rowley)

    This could occur in cases involving UNION ALL with constant-emitting subqueries. Sorting by a constant is useless of course, but it also risks being misinterpreted by the remote server, leading to “ORDER BY position N is not in select list” errors.

  • Make contrib/postgres_fdw set the remote session's time zone to GMT not UTC (Tom Lane)

    This should have the same results for practical purposes. However, GMT is recognized by hard-wired code in the server, while UTC is looked up in the timezone database. So the old code could fail in the unlikely event that the remote server's timezone database is missing entries.

  • In contrib/xml2, avoid use of library functions that have been deprecated in recent versions of libxml2 (Dmitry Koval)

  • Fix incompatibility with LLVM 18 (Thomas Munro, Dmitry Dolgov)

  • Allow make check to work with the musl C library (Thomas Munro, Bruce Momjian, Tom Lane)