Block DECLARE CURSOR ... WITH HOLD and firing of deferred triggers within index expressions and materialized view queries (Noah Misch)
This is essentially a leak in the “security restricted operation” sandbox mechanism. An attacker having permission to create non-temporary SQL objects could parlay this leak to execute arbitrary SQL code as a superuser.
The PostgreSQL Project thanks Etienne Stalmans for reporting this problem. (CVE-2020-25695)
Fix usage of complex connection-string parameters in pg_dump, pg_restore, clusterdb, reindexdb, and vacuumdb (Tom Lane)
The -d parameter of pg_dump and pg_restore, or the --maintenance-db parameter of the other programs mentioned, can be a “connection string” containing multiple connection parameters rather than just a database name. In cases where these programs need to initiate additional connections, such as parallel processing or processing of multiple databases, the connection string was forgotten and just the basic connection parameters (database name, host, port, and username) were used for the additional connections. This could lead to connection failures if the connection string included any other essential information, such as non-default SSL or GSS parameters. Worse, the connection might succeed but not be encrypted as intended, or be vulnerable to man-in-the-middle attacks that the intended connection parameters would have prevented. (CVE-2020-25694)
When psql's \connect command re-uses connection parameters, ensure that all non-overridden parameters from a previous connection string are re-used (Tom Lane)
This avoids cases where reconnection might fail due to omission of relevant parameters, such as non-default SSL or GSS options. Worse, the reconnection might succeed but not be encrypted as intended, or be vulnerable to man-in-the-middle attacks that the intended connection parameters would have prevented. This is largely the same problem as just cited for pg_dump et al, although psql's behavior is more complex since the user may intentionally override some connection parameters. (CVE-2020-25694)
Prevent psql's \gset command from modifying specially-treated variables (Noah Misch)
\gset without a prefix would overwrite whatever variables the server told it to. Thus, a compromised server could set specially-treated variables such as PROMPT1, giving the ability to execute arbitrary shell code in the user's session.
The PostgreSQL Project thanks Nick Cleaton for reporting this problem. (CVE-2020-25696)
Fix information leakage in constraint-violation error messages (Heikki Linnakangas)
If an UPDATE command attempts to move a row to a different partition but finds that it violates some constraint on the new partition, and the columns in that partition are in different physical positions than in the parent table, the error message could reveal the contents of columns that the user does not have SELECT privilege on. (CVE-2021-3393)
Prevent integer overflows in array subscripting calculations (Tom Lane)
The array code previously did not complain about cases where an array's lower bound plus length overflows an integer. This resulted in later entries in the array becoming inaccessible (since their subscripts could not be written as integers), but more importantly it confused subsequent assignment operations. This could lead to memory overwrites, with ensuing crashes or unwanted data modifications. (CVE-2021-32027)
Fix mishandling of “junk” columns in INSERT ... ON CONFLICT ... UPDATE target lists (Tom Lane)
If the UPDATE list contains any multi-column sub-selects (which give rise to junk columns in addition to the results proper), the UPDATE path would end up storing tuples that include the values of the extra junk columns. That's fairly harmless in the short run, but if new columns are added to the table then the values would become accessible, possibly leading to malfunctions if they don't match the datatypes of the added columns.
In addition, in versions supporting cross-partition updates, a cross-partition update triggered by such a case had the reverse problem: the junk columns were removed from the target list, typically causing an immediate crash due to malfunction of the multi-column sub-select mechanism. (CVE-2021-32028)
Fix possibly-incorrect computation of UPDATE ... RETURNING outputs for joined cross-partition updates (Amit Langote, Etsuro Fujita)
If an UPDATE for a partitioned table caused a row to be moved to another partition with a physically different row type (for example, one with a different set of dropped columns), computation of RETURNING results for that row could produce errors or wrong answers. No error is observed unless the UPDATE involves other tables being joined to the target table. (CVE-2021-32029)
Fix mis-planning of repeated application of a projection step (Tom Lane)
The planner could create an incorrect plan in cases where two ProjectionPaths were stacked on top of each other. The only known way to trigger that situation involves parallel sort operations, but there may be other instances. The result would be crashes or incorrect query results. Disclosure of server memory contents is also possible. (CVE-2021-3677)
Disallow SSL renegotiation more completely (Michael Paquier)
SSL renegotiation has been disabled for some time, but the server would still cooperate with a client-initiated renegotiation request. A maliciously crafted renegotiation request could result in a server crash (see OpenSSL issue CVE-2021-3449). Disable the feature altogether on OpenSSL versions that permit doing so, which are 1.1.0h and newer.
In psql and other client programs, avoid overrunning the ends of strings when dealing with invalidly-encoded data (Tom Lane)
An incorrectly-encoded multibyte character near the end of a string could cause various processing loops to run past the string's terminating NUL, with results ranging from no detectable issue to a program crash, depending on what happens to be in the following memory. This is reminiscent of CVE-2006-2313, although these particular cases do not appear to have interesting security consequences.
Make the server reject extraneous data after an SSL or GSS encryption handshake (Tom Lane)
A man-in-the-middle with the ability to inject data into the TCP connection could stuff some cleartext data into the start of a supposedly encryption-protected database session. This could be abused to send faked SQL commands to the server, although that would only work if the server did not demand any authentication data. (However, a server relying on SSL certificate authentication might well not do so.)
The PostgreSQL Project thanks Jacob Champion for reporting this problem. (CVE-2021-23214)
Make libpq reject extraneous data after an SSL or GSS encryption handshake (Tom Lane)
A man-in-the-middle with the ability to inject data into the TCP connection could stuff some cleartext data into the start of a supposedly encryption-protected database session. This could probably be abused to inject faked responses to the client's first few queries, although other details of libpq's behavior make that harder than it sounds. A different line of attack is to exfiltrate the client's password, or other sensitive data that might be sent early in the session. That has been shown to be possible with a server vulnerable to CVE-2021-23214.
The PostgreSQL Project thanks Jacob Champion for reporting this problem. (CVE-2021-23222)
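The check behind CVE-2021-23214 and CVE-2021-23222, sketched as an added example (not PostgreSQL's own code): before TLS starts, any bytes already buffered beyond the SSLRequest (server side) or beyond the one-byte reply (client side) arrived in cleartext and must cause the connection to be dropped. The function and enum names are hypothetical and the byte arrays are constructed samples; the SSLRequest layout (length 8, code 80877103) is the protocol's.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* SSLRequest is 8 bytes: int32 length (8), int32 code 80877103 (1234<<16 | 5679). */
#define SSLREQUEST_LEN  8u
#define SSLREQUEST_CODE 80877103u

typedef enum {
    HS_NEED_MORE,       /* not enough bytes buffered yet */
    HS_NO_TLS,          /* no encryption negotiated by this message */
    HS_START_TLS,       /* safe to hand the socket to the TLS library */
    HS_REJECT_TRAILING  /* cleartext bytes follow the handshake message */
} hs_verdict;

/* Read a big-endian 32-bit integer. */
static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t) p[0] << 24) | ((uint32_t) p[1] << 16) |
           ((uint32_t) p[2] << 8) | (uint32_t) p[3];
}

/* Server side: judge the bytes buffered from the first read on a new socket. */
hs_verdict server_check_sslrequest(const uint8_t *buf, size_t nbuffered)
{
    if (nbuffered < SSLREQUEST_LEN)
        return HS_NEED_MORE;
    if (be32(buf) != SSLREQUEST_LEN || be32(buf + 4) != SSLREQUEST_CODE)
        return HS_NO_TLS;
    /* Anything past the 8-byte request was sent before encryption began. */
    return nbuffered == SSLREQUEST_LEN ? HS_START_TLS : HS_REJECT_TRAILING;
}

/* Client side: the reply to SSLRequest is a single byte, 'S' to proceed. */
hs_verdict client_check_sslresponse(const uint8_t *buf, size_t nbuffered)
{
    if (nbuffered == 0)
        return HS_NEED_MORE;
    if (buf[0] != 'S')
        return HS_NO_TLS;
    /* Bytes after the 'S' would otherwise be parsed as if they were protected. */
    return nbuffered == 1 ? HS_START_TLS : HS_REJECT_TRAILING;
}

/* Constructed samples: a clean SSLRequest, and one with four filler bytes appended. */
static const uint8_t clean_req[8]    = {0, 0, 0, 8, 0x04, 0xD2, 0x16, 0x2F};
static const uint8_t stuffed_req[12] = {0, 0, 0, 8, 0x04, 0xD2, 0x16, 0x2F,
                                        0xAA, 0xAA, 0xAA, 0xAA};
static const uint8_t clean_reply[1]   = {'S'};
static const uint8_t stuffed_reply[3] = {'S', 0xAA, 0xAA};

int main(void)
{
    printf("server clean:   %d\n", server_check_sslrequest(clean_req, sizeof clean_req));
    printf("server stuffed: %d\n", server_check_sslrequest(stuffed_req, sizeof stuffed_req));
    printf("client clean:   %d\n", client_check_sslresponse(clean_reply, sizeof clean_reply));
    printf("client stuffed: %d\n", client_check_sslresponse(stuffed_reply, sizeof stuffed_reply));
    return 0;
}
```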
Confine additional operations within “security restricted operation” sandboxes (Sergey Shinderuk, Noah Misch)
Autovacuum, CLUSTER, CREATE INDEX, REINDEX, REFRESH MATERIALIZED VIEW, and pg_amcheck activated the “security restricted operation” protection mechanism too late, or even not at all in some code paths. A user having permission to create non-temporary objects within a database could define an object that would execute arbitrary SQL code with superuser permissions the next time that autovacuum processed the object, or that some superuser ran one of the affected commands against it.
The PostgreSQL Project thanks Alexander Lakhin for reporting this problem. (CVE-2022-1552)
Do not let extension scripts replace objects not already belonging to the extension (Tom Lane)
This change prevents extension scripts from doing CREATE OR REPLACE if there is an existing object that does not belong to the extension. It also prevents CREATE IF NOT EXISTS in the same situation. This prevents a form of trojan-horse attack in which a hostile database user could become the owner of an extension object and then modify it to compromise future uses of the object by other users. As a side benefit, it also reduces the risk of accidentally replacing objects one did not mean to.
The PostgreSQL Project thanks Sven Klemm for reporting this problem. (CVE-2022-2625)
Fix permissions checks in CREATE INDEX (Nathan Bossart, Noah Misch)
The fix for CVE-2022-1552 caused CREATE INDEX to apply the table owner's permissions while performing lookups of operator classes and other objects, where formerly the calling user's permissions were used. This broke dump/restore scenarios, because pg_dump issues CREATE INDEX before re-granting permissions.
libpq can leak memory contents after GSSAPI transport encryption initiation fails (Jacob Champion)
A modified server, or an unauthenticated man-in-the-middle, can send a not-zero-terminated error message during setup of GSSAPI (Kerberos) transport encryption. libpq will then copy that string, as well as following bytes in application memory up to the next zero byte, to its error report. Depending on what the calling application does with the error report, this could result in disclosure of application memory contents. There is also a small probability of a crash due to reading beyond the end of memory. Fix by properly zero-terminating the server message. (CVE-2022-41862)
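The defect class described for CVE-2022-41862, as an added example that is not libpq's code: a length-delimited message from the peer is formatted as if it were a C string, so the copy runs on into adjacent memory until a zero byte. The function names, the "server error: " prefix and the sample buffer are assumptions made for the illustration; the hardened variant copies exactly the received length and terminates the result itself.

```c
#include <stdio.h>
#include <string.h>

/*
 * Constructed sample: an 11-byte error payload as received from the peer,
 * followed in the same buffer by unrelated application bytes. The payload
 * itself carries no terminating zero byte.
 */
static const char sample_buf[48] = "auth failed" "session-token=EXAMPLE";
#define SAMPLE_PAYLOAD_LEN 11u

/* Flawed pattern: the wire length is ignored and "%s" reads up to the next NUL. */
size_t format_error_unsafe(char *out, size_t outsz, const char *payload, size_t len)
{
    (void) len;
    if (outsz == 0)
        return 0;
    snprintf(out, outsz, "server error: %s", payload);
    return strlen(out);
}

/* Hardened: copy at most len payload bytes, bounded by the output size, then terminate. */
size_t format_error_safe(char *out, size_t outsz, const char *payload, size_t len)
{
    static const char prefix[] = "server error: ";
    size_t used = sizeof(prefix) - 1;
    size_t room, n;

    if (outsz == 0)
        return 0;
    if (used > outsz - 1)
        used = outsz - 1;            /* prefix alone may have to be truncated */
    memcpy(out, prefix, used);
    room = outsz - 1 - used;         /* space left, keeping one byte for NUL */
    n = len < room ? len : room;
    memcpy(out + used, payload, n);
    out[used + n] = '\0';
    return used + n;
}

int main(void)
{
    char report[96];

    format_error_unsafe(report, sizeof report, sample_buf, SAMPLE_PAYLOAD_LEN);
    printf("unsafe: %s\n", report);  /* includes the bytes after the payload */
    format_error_safe(report, sizeof report, sample_buf, SAMPLE_PAYLOAD_LEN);
    printf("safe:   %s\n", report);  /* payload only */
    return 0;
}
```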
Config parameter: | Default value: |
---|---|
allow_in_place_tablespaces | off |
Upgrade to 12.5 released on 2020-11-12
Block DECLARE CURSOR ... WITH HOLD and firing of deferred triggers within index expressions and materialized view queries (Noah Misch)
This is essentially a leak in the “security restricted operation” sandbox mechanism. An attacker having permission to create non-temporary SQL objects could parlay this leak to execute arbitrary SQL code as a superuser.
The PostgreSQL Project thanks Etienne Stalmans for reporting this problem. (CVE-2020-25695)
Fix usage of complex connection-string parameters in pg_dump, pg_restore, clusterdb, reindexdb, and vacuumdb (Tom Lane)
The -d parameter of pg_dump and pg_restore, or the --maintenance-db parameter of the other programs mentioned, can be a “connection string” containing multiple connection parameters rather than just a database name. In cases where these programs need to initiate additional connections, such as parallel processing or processing of multiple databases, the connection string was forgotten and just the basic connection parameters (database name, host, port, and username) were used for the additional connections. This could lead to connection failures if the connection string included any other essential information, such as non-default SSL or GSS parameters. Worse, the connection might succeed but not be encrypted as intended, or be vulnerable to man-in-the-middle attacks that the intended connection parameters would have prevented. (CVE-2020-25694)
When psql's \connect command re-uses connection parameters, ensure that all non-overridden parameters from a previous connection string are re-used (Tom Lane)
This avoids cases where reconnection might fail due to omission of relevant parameters, such as non-default SSL or GSS options. Worse, the reconnection might succeed but not be encrypted as intended, or be vulnerable to man-in-the-middle attacks that the intended connection parameters would have prevented. This is largely the same problem as just cited for pg_dump et al, although psql's behavior is more complex since the user may intentionally override some connection parameters. (CVE-2020-25694)
Prevent psql's \gset command from modifying specially-treated variables (Noah Misch)
\gset without a prefix would overwrite whatever variables the server told it to. Thus, a compromised server could set specially-treated variables such as PROMPT1, giving the ability to execute arbitrary shell code in the user's session.
The PostgreSQL Project thanks Nick Cleaton for reporting this problem. (CVE-2020-25696)
Prevent possible data loss from concurrent truncations of SLRU logs (Noah Misch)
This rare problem would manifest in later “apparent wraparound” or “could not access status of transaction” errors.
Ensure that SLRU directories are properly fsync'd during checkpoints (Thomas Munro)
This prevents possible data loss in a subsequent operating system crash.
Fix ALTER ROLE for users with the BYPASSRLS attribute (Tom Lane, Stephen Frost)
The BYPASSRLS attribute is only allowed to be changed by superusers, but other ALTER ROLE operations, such as password changes, should be allowed with only ordinary permission checks. The previous coding erroneously restricted all changes on such a role to superusers.
Ensure that ALTER TABLE ONLY ... ENABLE/DISABLE TRIGGER does not recurse to child tables (Álvaro Herrera)
Previously the ONLY flag was ignored.
Avoid unnecessary recursion to partitions in ALTER TABLE SET NOT NULL, when the target column is already marked NOT NULL (Tom Lane)
This avoids a potential deadlock in parallel pg_restore.
Fix handling of expressions in CREATE TABLE LIKE with inheritance (Tom Lane)
If a CREATE TABLE command uses both LIKE and traditional inheritance, column references in CHECK constraints and expression indexes that came from a LIKE parent table tended to get mis-numbered, resulting in wrong answers and/or bizarre error messages. The same could happen in GENERATED expressions, in branches that have that feature.
Disallow DROP INDEX CONCURRENTLY on a partitioned table (Álvaro Herrera, Michael Paquier)
This case failed anyway, but with a confusing error message.
Allow LOCK TABLE to succeed on a self-referential view (Tom Lane)
It previously threw an error complaining about infinite recursion, but there seems no need to disallow the case.
Retain statistics about an index across REINDEX CONCURRENTLY (Michael Paquier, Fabrízio de Royes Mello)
Non-concurrent reindexing has always preserved such statistics.
Fix incorrect progress reporting from REINDEX CONCURRENTLY (Matthias van de Meent, Michael Paquier)
Ensure that GENERATED columns are updated when the column(s) they depend on are updated via a rule or an updatable view (Tom Lane)
This fix also takes care of possible failure to fire a column-specific trigger in such cases.
Recheck default partition constraints while routing an inserted or updated tuple to the correct partition (Amit Langote, Álvaro Herrera)
This fixes race conditions when partitions are added concurrently with the insertion.
Fix failures with collation-dependent partition bound expressions (Tom Lane)
Support hashing of text arrays (Peter Eisentraut)
Array hashing failed if the array element type is collatable. Notably, this prevented using hash partitioning with a text array column as partition key.
Fix off-by-one conversion of negative years to BC dates in to_date() and to_timestamp() (Dar Alathar-Yemen, Tom Lane)
Also, arrange for the combination of a negative year and an explicit “BC” marker to cancel out and produce AD.
Ensure that standby servers will archive WAL timeline history files when archive_mode is set to always (Grigory Smolkin, Fujii Masao)
This oversight could lead to failure of subsequent PITR recovery attempts.
Fix “cache lookup failed for relation 0” failures in logical replication workers (Tom Lane)
The real-world impact is small, since the failure is unlikely, and if it does happen the worker would just exit and be restarted.
Prevent logical replication workers from sending redundant ping requests (Tom Lane)
During “smart” shutdown, don't terminate background processes until all client (foreground) sessions are done (Tom Lane)
The previous behavior broke parallel query processing, since the postmaster would terminate parallel workers and refuse to launch any new ones. It also caused autovacuum to cease functioning, which could have dire long-term effects if the surviving client sessions make a lot of data changes.
Avoid recursive consumption of stack space while processing signals in the postmaster (Tom Lane)
Heavy use of parallel processing has been observed to cause postmaster crashes due to too many concurrent signals requesting creation of a parallel worker process.
Avoid running atexit handlers when exiting due to SIGQUIT (Kyotaro Horiguchi, Tom Lane)
Most server processes followed this practice already, but the archiver process was overlooked. Backends that were still waiting for a client startup packet got it wrong, too.
Avoid misoptimization of subquery qualifications that reference apparently-constant grouping columns (Tom Lane)
A “constant” subquery output column isn't really constant if it is a grouping column that appears in only some of the grouping sets.
Fix possible crash when considering partition-wise joins during GEQO planning (Tom Lane)
Avoid failure when SQL function inlining changes the shape of a potentially-hashable subplan comparison expression (Tom Lane)
While building or re-building an index, tolerate the appearance of new HOT chains due to concurrent updates (Anastasia Lubennikova, Álvaro Herrera)
This oversight could lead to “failed to find parent tuple for heap-only tuple” errors.
Fix failure of parallel B-tree index scans when the index condition is unsatisfiable (James Hunter)
Ensure that data is detoasted before being inserted into a BRIN index (Tomas Vondra)
Index entries are not supposed to contain out-of-line TOAST pointers, but BRIN didn't get that memo. This could lead to errors like “missing chunk number 0 for toast value NNN”. (If you are faced with such an error from an existing index, REINDEX should be enough to fix it.)
Handle concurrent desummarization correctly during BRIN index scans (Alexander Lakhin, Álvaro Herrera)
Previously, if a page range was desummarized at just the wrong time, an index scan might falsely raise an error indicating index corruption.
Fix rare “lost saved point in index” errors in scans of multicolumn GIN indexes (Tom Lane)
Fix buffered GiST index builds to work when the index has included columns (Pavel Borisov)
Fix unportable use of getnameinfo() in pg_hba_file_rules view (Tom Lane)
On FreeBSD 11, and possibly other platforms, the view's address and netmask columns were always null due to this error.
Avoid crash if debug_query_string is NULL when starting a parallel worker (Noah Misch)
Fix use-after-free hazard when an event trigger monitors an ALTER TABLE operation (Jehan-Guillaume de Rorthais)
Avoid failures when a BEFORE ROW UPDATE trigger returns the “old” row of a table having dropped or “missing” columns (Amit Langote, Tom Lane)
This method of suppressing an update could result in crashes, unexpected CHECK constraint failures, or incorrect RETURNING output, because “missing” columns would read as NULLs for those purposes. (A column is “missing” for this purpose if it was added by ALTER TABLE ADD COLUMN with a non-NULL, but constant, default value.) Dropped columns could cause trouble as well.
Fix incorrect error message about inconsistent moving-aggregate data types (Jeff Janes)
Avoid lockup when a parallel worker reports a very long error message (Vignesh C)
Avoid unnecessary failure when transferring very large payloads through shared memory queues (Markus Wanner)
Fix incorrect handling of template function attributes in JIT code generation (Andres Freund)
This has been shown to cause crashes on s390x, and very possibly there are other cases on other platforms.
Fix relation cache memory leaks with RLS policies (Tom Lane)
Fix edge-case memory leak in index_get_partition() (Justin Pryzby)
Fix small memory leak when SIGHUP processing decides that a new GUC variable value cannot be applied without a restart (Tom Lane)
Fix memory leaks in PL/pgsql's CALL processing (Pavel Stehule, Tom Lane)
Make libpq support arbitrary-length lines in .pgpass files (Tom Lane)
This is mostly useful to allow using very long security tokens as passwords.
In libpq for Windows, call WSAStartup() once per process and WSACleanup() not at all (Tom Lane, Alexander Lakhin)
Previously, libpq invoked WSAStartup() at connection start and WSACleanup() at connection cleanup. However, it appears that calling WSACleanup() can interfere with other program operations; notably, we have observed rare failures to emit expected output to stdout. There appear to be no ill effects from omitting the call, so do that. (This also eliminates a performance issue from repeated DLL loads and unloads when a program performs a series of database connections.)
Fix ecpg library's per-thread initialization logic for Windows (Tom Lane, Alexander Lakhin)
Multi-threaded ecpg applications could suffer rare misbehavior due to incorrect locking.
On Windows, make psql read the output of a backtick command in text mode, not binary mode (Tom Lane)
This ensures proper handling of newlines.
Ensure that pg_dump collects per-column information about extension configuration tables (Fabrízio de Royes Mello, Tom Lane)
Failure to do this led to crashes when specifying --inserts, or underspecified (though usually correct) COPY commands when using COPY to reload the tables' data.
Ensure that parallel pg_restore processes foreign keys referencing partitioned tables in the correct order (Álvaro Herrera)
Previously, it might try to restore a foreign key constraint before the required indexes were all in place, leading to an error.
Make pg_upgrade check for pre-existence of tablespace directories in the target cluster (Bruce Momjian)
Fix potential memory leak in contrib/pgcrypto (Michael Paquier)
Add check for an unlikely failure case in contrib/pgcrypto (Daniel Gustafsson)
Fix recently-added timetz test case so it works when the USA is not observing daylight savings time (Tom Lane)
Update time zone data files to tzdata release 2020d for DST law changes in Fiji, Morocco, Palestine, the Canadian Yukon, Macquarie Island, and Casey Station (Antarctica); plus historical corrections for France, Hungary, Monaco, and Palestine.
Sync our copy of the timezone library with IANA tzcode release 2020d (Tom Lane)
This absorbs upstream's change of zic's default output option from “fat” to “slim”. That's just cosmetic for our purposes, as we continue to select the “fat” mode in pre-v13 branches. This change also ensures that strftime() does not change errno unless it fails.
Upgrade to 12.6 released on 2021-02-11
Fix information leakage in constraint-violation error messages (Heikki Linnakangas)
If an UPDATE command attempts to move a row to a different partition but finds that it violates some constraint on the new partition, and the columns in that partition are in different physical positions than in the parent table, the error message could reveal the contents of columns that the user does not have SELECT privilege on. (CVE-2021-3393)
Fix incorrect detection of concurrent page splits while inserting into a GiST index (Heikki Linnakangas)
Concurrent insertions could lead to a corrupt index with entries placed in the wrong pages. It's recommended to reindex any GiST index that's been subject to concurrent insertions.
Fix CREATE INDEX CONCURRENTLY to wait for concurrent prepared transactions (Andrey Borodin)
At the point where CREATE INDEX CONCURRENTLY waits for all concurrent transactions to complete so that it can see rows they inserted, it must also wait for all prepared transactions to complete, for the same reason. Its failure to do so meant that rows inserted by prepared transactions might be omitted from the new index, causing queries relying on the index to miss such rows. In installations that have enabled prepared transactions (max_prepared_transactions > 0), it's recommended to reindex any concurrently-built indexes in case this problem occurred when they were built.
Avoid crash when a CALL or DO statement that performs a transaction rollback is executed via extended query protocol (Thomas Munro, Tom Lane)
In PostgreSQL 13, this case reliably caused a null-pointer dereference. In earlier versions the bug seems to have no visible symptoms, but it's not quite clear that it could never cause a problem.
Fix partition pruning logic to handle asymmetric hash partition sets (Tom Lane)
If a hash-partitioned table has unequally-sized partitions (that is, varying modulus values), or it lacks partitions for some remainder values, then the planner's pruning logic could mistakenly conclude that some partitions don't need to be scanned, leading to failure to find rows that the query should find.
Avoid incorrect results when WHERE CURRENT OF is applied to a cursor whose plan contains a MergeAppend node (Tom Lane)
This case is unsupported (in general, a cursor using ORDER BY is not guaranteed to be simply updatable); but the code previously did not reject it, and could silently give false matches.
Fix crash when WHERE CURRENT OF is applied to a cursor whose plan contains a custom scan node (David Geier)
Fix planner's mishandling of placeholders whose evaluation should be delayed by an outer join (Tom Lane)
This occurs in particular with trivial subqueries containing lateral references to outer-join outputs. The mistake could result in a malformed plan. The known cases trigger a “failed to assign all NestLoopParams to plan nodes” error, but other symptoms may be possible.
Fix planner's handling of placeholders during removal of useless RESULT RTEs (Tom Lane)
This oversight could lead to “no relation entry for relid N” planner errors.
Fix planner's handling of a placeholder that is computed at some join level and used only at that same level (Tom Lane)
This oversight could lead to “failed to build any N-way joins” planner errors.
Be more careful about whether index AMs support mark/restore (Andrew Gierth)
This prevents errors about missing support functions in rare edge cases.
Adjust settings to make it more difficult to run out of DSM slots during heavy usage of parallel queries (Thomas Munro)
Fix overestimate of the amount of shared memory needed for parallel queries (Takayuki Tsunakawa)
Fix ALTER DEFAULT PRIVILEGES to handle duplicated arguments safely (Michael Paquier)
Duplicate role or schema names within the same command could lead to “tuple already updated by self” errors or unique-constraint violations.
Flush ACL-related caches when pg_authid changes (Noah Misch)
This change ensures that permissions-related decisions will promptly reflect the results of ALTER ROLE ... [NO] INHERIT.
Prevent misprocessing of ambiguous CREATE TABLE LIKE clauses (Tom Lane)
A LIKE clause is re-examined after initial creation of the new table, to handle importation of indexes and such. It was possible for this re-examination to find a different table of the same name, causing unexpected behavior; one example is where the new table is a temporary table of the same name as the LIKE target.
Rearrange order of operations in CREATE TABLE LIKE so that indexes are cloned before building foreign key constraints (Tom Lane)
This fixes the case where a self-referential foreign key constraint declared in the outer CREATE TABLE depends on an index that's coming from the LIKE clause.
Disallow CREATE STATISTICS on system catalogs (Tomas Vondra)
Disallow converting an inheritance child table to a view (Tom Lane)
Ensure that disk space allocated for a dropped relation is released promptly at commit (Thomas Munro)
Previously, if the dropped relation spanned multiple 1GB segments, only the first segment was truncated immediately. Other segments were simply unlinked, which doesn't authorize the kernel to release the storage so long as any other backends still have the files open.
Prevent dropping a tablespace that is referenced by a partitioned relation, but is not used for any actual storage (Álvaro Herrera)
Previously this was allowed, but subsequent operations on the partitioned relation would fail.
Fix progress reporting for CLUSTER (Matthias van de Meent)
Fix handling of backslash-escaped multibyte characters in COPY FROM (Heikki Linnakangas)
A backslash followed by a multibyte character was not handled correctly. In some client character encodings, this could lead to misinterpreting part of a multibyte character as a field separator or end-of-copy-data marker.
Avoid preallocating executor hash tables in EXPLAIN without ANALYZE (Alexey Bashtanov)
Fix recently-introduced race conditions in LISTEN/NOTIFY queue handling (Tom Lane)
A newly-listening backend could attempt to read SLRU pages that were in process of being truncated, possibly causing an error.
The queue tail pointer could become set to a value that's not equal to the queue position of any backend, resulting in effective disabling of the queue truncation logic. Continued use of NOTIFY then led to queue-fill warnings, and eventually to inability to send any more notifies until the server is restarted.
Allow the jsonb concatenation operator to handle all combinations of JSON data types (Tom Lane)
We can concatenate two JSON objects or two JSON arrays. Handle other cases by wrapping non-array inputs in one-element arrays, then performing an array concatenation. Previously, some combinations of inputs followed this rule but others arbitrarily threw an error.
Fix use of uninitialized value while parsing a * quantifier in a BRE-mode regular expression (Tom Lane)
This error could cause the quantifier to act non-greedy, that is behave like a *? quantifier would do in full regular expressions.
Fix numeric power() for the case where the exponent is exactly INT_MIN (-2147483648) (Dean Rasheed)
Previously, a result with no significant digits was produced.
Fix integer-overflow cases in substring() functions (Tom Lane, Pavel Stehule)
If the specified starting index and length overflow an integer when added together, substring() misbehaved, either throwing a bogus “negative substring length” error for a case that should succeed, or failing to complain that a negative length is negative (and instead returning the whole string, in most cases).
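Both the substring() item above and the array-subscripting fix listed earlier (CVE-2021-32027) come down to checking a signed addition before performing it. The following is an added example, not PostgreSQL's implementation; the function names are hypothetical, and substring_range assumes the 1-based SQL semantics in which an overflowing start plus length simply means "to the end of the string".

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Returns true if a + b would overflow int; otherwise stores the sum in *sum. */
static bool add_int_overflow(int a, int b, int *sum)
{
    if ((b > 0 && a > INT_MAX - b) || (b < 0 && a < INT_MIN - b))
        return true;
    *sum = a + b;
    return false;
}

/*
 * Array case: for every dimension, lower bound plus length must be
 * representable as an int, otherwise later subscripts cannot be written.
 */
bool array_bounds_ok(int ndim, const int *dims, const int *lb)
{
    for (int i = 0; i < ndim; i++) {
        int sum;

        if (dims[i] < 0 || add_int_overflow(dims[i], lb[i], &sum))
            return false;
    }
    return true;
}

typedef enum { SUBSTR_OK, SUBSTR_NEGATIVE_LENGTH } substr_status;

/*
 * Substring case: substring(str FROM start FOR length) over n characters.
 * On success *off is the 0-based offset and *cnt the number of characters.
 */
substr_status substring_range(int n, int start, int length, int *off, int *cnt)
{
    int end;    /* 1-based position one past the last requested character */
    int first, last;

    *off = 0;
    *cnt = 0;
    if (length < 0)
        return SUBSTR_NEGATIVE_LENGTH;  /* checked before any arithmetic */
    if (add_int_overflow(start, length, &end))
        end = INT_MAX;                  /* only possible when start > 0 */
    first = start < 1 ? 1 : start;
    if (end <= first || first > n)
        return SUBSTR_OK;               /* empty result */
    last = (end - 1 > n) ? n : end - 1;
    *off = first - 1;
    *cnt = last - first + 1;
    return SUBSTR_OK;
}

int main(void)
{
    int dims[1] = {3};
    int lb_ok[1] = {1};
    int lb_bad[1] = {INT_MAX - 1};
    int off, cnt;

    printf("bounds lb=1: %d\n", array_bounds_ok(1, dims, lb_ok));
    printf("bounds lb=INT_MAX-1: %d\n", array_bounds_ok(1, dims, lb_bad));
    substring_range(5, 2, INT_MAX, &off, &cnt);
    printf("substring(5 chars, 2, INT_MAX): off=%d cnt=%d\n", off, cnt);
    return 0;
}
```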
Prevent possible data loss from incorrect detection of the wraparound point of an SLRU log (Noah Misch)
The wraparound point typically falls in the middle of a page, which must be rounded off to a page boundary, and that was not done correctly. No issue could arise unless an installation had gotten to within one page of SLRU overflow, which is unlikely in a properly-functioning system. If this did happen, it would manifest in later “apparent wraparound” or “could not access status of transaction” errors.
Fix memory leak in walsender processes while sending new snapshots for logical decoding (Amit Kapila)
Fix walsender to accept additional commands after terminating replication (Jeff Davis)
Ensure detection of deadlocks between hot standby backends and the startup (WAL-application) process (Fujii Masao)
The startup process did not run the deadlock detection code, so that in situations where the startup process is last to join a circular wait situation, the deadlock might never be recognized.
Fix possible failure to detect recovery conflicts while deleting an index entry that references a HOT chain (Peter Geoghegan)
The code failed to traverse the HOT chain and might thus compute a too-old XID horizon, which could lead to incorrect conflict processing in hot standby. The practical impact of this bug is limited; in most cases the correct XID horizon would be found anyway from nearby operations.
Ensure that a nonempty value of krb_server_keyfile always overrides any setting of KRB5_KTNAME in the server's environment (Tom Lane)
Previously, which setting took precedence depended on whether the client requests GSS encryption.
In server log messages about failing to match connections to pg_hba.conf
entries, include details about whether GSS encryption has been activated (Kyotaro Horiguchi, Tom Lane)
This is relevant data if hostgssenc
or hostnogssenc
entries exist.
Fix assorted issues in server's support for GSS encryption (Tom Lane)
Remove pointless restriction that only GSS authentication can be used on a GSS-encrypted connection. Add GSS encryption information to connection-authorized log messages. Include GSS-related space when computing the required size of shared memory (this omission could have caused problems with very high max_connections settings). Avoid possible infinite recursion when reporting an unrecoverable GSS encryption error.
Ensure that unserviced requests for background workers are cleaned up when the postmaster begins a “smart” or “fast” shutdown sequence (Tom Lane)
Previously, there was a race condition whereby a child process that had requested a background worker just before shutdown could wait indefinitely, preventing shutdown from completing.
Fix portability problem in parsing of recovery_target_xid values (Michael Paquier)
The target XID is potentially 64 bits wide, but it was parsed with strtoul(), causing misbehavior on platforms where long is 32 bits (such as Windows).
Avoid trying to use parallel index build in a standalone backend (Yulin Pei)
Allow index AMs to support included columns without necessarily supporting multiple key columns (Tom Lane)
Avoid assertion failure during parallel aggregation of an aggregate with a non-strict deserialization function (Andrew Gierth)
No such aggregate functions exist in core PostgreSQL, but some extensions such as PostGIS provide some. The mistake is harmless anyway in a non-assert build.
Avoid assertion failure in pg_get_functiondef() when examining a function with a TRANSFORM option (Tom Lane)
Fix data structure misallocation in PL/pgSQL's CALL statement (Tom Lane)
A CALL in a PL/pgSQL procedure, to another procedure that has OUT parameters, would fail if the called procedure did a COMMIT or ROLLBACK.
In libpq, do not skip trying SSL after GSS encryption (Tom Lane)
If we successfully made a GSS-encrypted connection, but then failed during authentication, we would fall back to an unencrypted connection rather than next trying an SSL-encrypted connection. This could lead to unexpected connection failure, or to silently getting an unencrypted connection where an encrypted one is expected. Fortunately, GSS encryption could only succeed if both client and server hold valid tickets in the same Kerberos infrastructure. It seems unlikely for that to be true in an environment that requires SSL encryption instead.
In psql, re-allow including a password in a connection_string argument of a \connect command (Tom Lane)
This used to work, but a recent bug fix caused the password to be ignored (resulting in prompting for a password).
In psql's \d commands, don't truncate the display of column default values (Tom Lane)
Formerly, they were arbitrarily truncated at 128 characters.
Fix assorted bugs in psql's \help command (Kyotaro Horiguchi, Tom Lane)
\help with two argument words failed to find a command description using only the first word, for example \help reset all should show the help for RESET but did not. Also, \help often failed to invoke the pager when it should. It also leaked memory.
Fix pg_dump's dumping of inherited generated columns (Peter Eisentraut)
The previous behavior resulted in (harmless) errors during restore.
In pg_dump, ensure that the restore script runs ALTER PUBLICATION ADD TABLE commands as the owner of the publication, and similarly runs ALTER INDEX ATTACH PARTITION commands as the owner of the partitioned index (Tom Lane)
Previously, these commands would be run by the role that started the restore script; which will usually work, but in corner cases that role might not have adequate permissions.
Fix pg_dump to handle WITH GRANT OPTION in an extension's initial privileges (Noah Misch)
If an extension's script creates an object and grants privileges on it with grant option, then later the user revokes such privileges, pg_dump would generate incorrect SQL for reproducing the situation. (Few if any extensions do this today.)
In pg_rewind, ensure that all WAL is accounted for when rewinding a standby server (Ian Barwick, Heikki Linnakangas)
In pgbench, disallow a digit as the first character of a variable name (Fabien Coelho)
This prevents trying to substitute variables into timestamp literal values, which may contain strings like 12:34.
Report the correct database name in connection failure error messages from some client programs (Álvaro Herrera)
If the database name was defaulted rather than given on the command line, pg_dumpall, pgbench, oid2name, and vacuumlo would produce misleading error messages after a connection failure.
Fix memory leak in contrib/auto_explain (Japin Li)
Memory consumed while producing the EXPLAIN output was not freed until the end of the current transaction (for a top-level statement) or the end of the surrounding statement (for a nested statement). This was particularly a problem with log_nested_statements enabled.
In contrib/postgres_fdw, avoid leaking open connections to remote servers when a user mapping or foreign server object is dropped (Bharath Rupireddy)
Open connections that depend on a dropped user mapping or foreign server can no longer be referenced, but formerly they were kept around anyway for the duration of the local session.
In contrib/pgcrypto, check for error returns from OpenSSL's EVP functions (Michael Paquier)
We do not really expect errors here, but this change silences warnings from static analysis tools.
Make contrib/pg_prewarm more robust when the cluster is shut down before prewarming is complete (Tom Lane)
Previously, autoprewarm would rewrite its status file with only the block numbers that it had managed to load so far, thus perhaps largely disabling the prewarm functionality in the next startup. Instead, suppress status file updates until the initial loading pass is complete.
In contrib/pg_trgm's GiST index support, avoid crash in the rare case that picksplit is called on exactly two index items (Andrew Gierth, Alexander Korotkov)
Fix miscalculation of timeouts in contrib/pg_prewarm and contrib/postgres_fdw (Alexey Kondratov, Tom Lane)
The main loop in contrib/pg_prewarm's autoprewarm parent process underestimated its desired sleep time by a factor of 1000, causing it to consume much more CPU than intended. When waiting for a result from a remote server, contrib/postgres_fdw overestimated the desired timeout by a factor of 1000 (though this error had been mitigated by imposing a clamp to 60 seconds).
Both of these errors stemmed from incorrectly converting seconds-and-microseconds to milliseconds. Introduce a new API TimestampDifferenceMilliseconds() to make it easier to get this right in the future.
Improve configure's heuristics for selecting PG_SYSROOT on macOS (Tom Lane)
The new method is more likely to produce desirable results when Xcode is newer than the underlying operating system. Choosing a sysroot that does not match the OS version may result in nonfunctional executables.
While building on macOS, specify -isysroot in link steps as well as compile steps (James Hilliard)
This likewise improves the results when Xcode is out of sync with the operating system.
Fix JIT compilation to be compatible with LLVM 11 and LLVM 12 (Andres Freund)
Fix potential mishandling of references to boolean variables in JIT expression compilation (Andres Freund)
No field reports attributable to this have been seen, but it seems likely that it could cause problems on some architectures.
Fix compile failure with ICU 68 and later (Tom Lane)
Avoid memcpy() with a NULL source pointer and zero count during partitioned index creation (Álvaro Herrera)
While such a call is not known to cause problems in itself, some compilers assume that the arguments of memcpy() are never NULL, which could result in incorrect optimization of nearby code.
Update time zone data files to tzdata release 2021a for DST law changes in Russia (Volgograd zone) and South Sudan, plus historical corrections for Australia, Bahamas, Belize, Bermuda, Ghana, Israel, Kenya, Nigeria, Palestine, Seychelles, and Vanuatu.
Notably, the Australia/Currie zone has been corrected to the point where it is identical to Australia/Hobart.
⇑ Upgrade to 12.7 released on 2021-05-13 - docs
Prevent integer overflows in array subscripting calculations (Tom Lane)
The array code previously did not complain about cases where an array's lower bound plus length overflows an integer. This resulted in later entries in the array becoming inaccessible (since their subscripts could not be written as integers), but more importantly it confused subsequent assignment operations. This could lead to memory overwrites, with ensuing crashes or unwanted data modifications. (CVE-2021-32027)
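The check this entry describes, shown together with the start-plus-length case from the substring() entry earlier on this page, as an added example (not PostgreSQL source code). All function names are hypothetical, strings are treated as single-byte, and the unchecked variant models 32-bit wraparound explicitly.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* 0-based half-open range [from, to) into the string, or an error. */
typedef struct { bool error; int32_t from; int32_t to; } SubRange;

/* Checked 32-bit addition: returns true on overflow, else stores the sum. */
static bool add_s32_overflow(int32_t a, int32_t b, int32_t *sum)
{
    int64_t wide = (int64_t) a + (int64_t) b;

    if (wide > INT32_MAX || wide < INT32_MIN)
        return true;
    *sum = (int32_t) wide;
    return false;
}

/* Models 32-bit wraparound without relying on signed-overflow behaviour. */
static int32_t wrapping_add(int32_t a, int32_t b)
{
    return (int32_t) ((uint32_t) a + (uint32_t) b);
}

/* Clamp the 1-based range [start, end) to a string of len characters. */
static SubRange clamp_range(int32_t len, int32_t start, int32_t end)
{
    int64_t limit = (int64_t) len + 1;
    int64_t first = start < 1 ? 1 : (start > limit ? limit : start);
    int64_t last = end < first ? first : (end > limit ? limit : end);
    SubRange r = { false, (int32_t) (first - 1), (int32_t) (last - 1) };

    return r;
}

/* Unchecked: infers "negative length" from a sum that may have wrapped. */
SubRange substring_unchecked(int32_t len, int32_t start, int32_t count)
{
    int32_t end = wrapping_add(start, count);
    SubRange err = { true, 0, 0 };

    if (end < start)
        return err;             /* "negative substring length" */
    return clamp_range(len, start, end);
}

/* Checked: test the sign of the length itself, and treat an end position
 * that overflows as "through the end of the string". */
SubRange substring_checked(int32_t len, int32_t start, int32_t count)
{
    int32_t end;
    SubRange err = { true, 0, 0 };

    if (count < 0)
        return err;
    if (add_s32_overflow(start, count, &end))
        end = INT32_MAX;
    return clamp_range(len, start, end);
}

/* Array dimensions: refuse any dimension whose lower bound plus length is
 * not representable, before subscript arithmetic ever uses it. */
bool array_bounds_ok(int ndim, const int32_t *dims, const int32_t *lbs)
{
    for (int i = 0; i < ndim; i++)
    {
        int32_t upper;

        if (dims[i] < 0 || add_s32_overflow(lbs[i], dims[i], &upper))
            return false;
    }
    return true;
}

int main(void)
{
    SubRange a = substring_unchecked(5, 2, INT32_MAX);
    SubRange b = substring_checked(5, 2, INT32_MAX);
    SubRange c = substring_unchecked(5, INT32_MIN, -1);
    SubRange d = substring_checked(5, INT32_MIN, -1);
    int32_t dims[1] = { 3 };
    int32_t lbs[1] = { INT32_MAX - 1 };

    printf("start=2, huge length:   unchecked error=%d, checked [%d,%d)\n",
           a.error, (int) b.from, (int) b.to);
    printf("negative length:        unchecked [%d,%d), checked error=%d\n",
           (int) c.from, (int) c.to, d.error);
    printf("array lb near INT_MAX:  accepted=%d\n",
           array_bounds_ok(1, dims, lbs));
    return 0;
}
```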
Fix mishandling of “junk” columns in INSERT ... ON CONFLICT ... UPDATE target lists (Tom Lane)
If the UPDATE list contains any multi-column sub-selects (which give rise to junk columns in addition to the results proper), the UPDATE path would end up storing tuples that include the values of the extra junk columns. That's fairly harmless in the short run, but if new columns are added to the table then the values would become accessible, possibly leading to malfunctions if they don't match the datatypes of the added columns.
In addition, in versions supporting cross-partition updates, a cross-partition update triggered by such a case had the reverse problem: the junk columns were removed from the target list, typically causing an immediate crash due to malfunction of the multi-column sub-select mechanism. (CVE-2021-32028)
Fix possibly-incorrect computation of UPDATE ... RETURNING outputs for joined cross-partition updates (Amit Langote, Etsuro Fujita)
If an UPDATE for a partitioned table caused a row to be moved to another partition with a physically different row type (for example, one with a different set of dropped columns), computation of RETURNING results for that row could produce errors or wrong answers. No error is observed unless the UPDATE involves other tables being joined to the target table. (CVE-2021-32029)
Fix adjustment of constraint deferrability properties in partitioned tables (Álvaro Herrera)
When applied to a foreign-key constraint of a partitioned table, ALTER TABLE ... ALTER CONSTRAINT failed to adjust the DEFERRABLE and/or INITIALLY DEFERRED markings of the constraints and triggers of leaf partitions. This led to unexpected behavior of such constraints. After updating to this version, any misbehaving partitioned tables can be fixed by executing a new ALTER command to set the desired properties.
This change also disallows applying such an ALTER directly to the constraints of leaf partitions. The only supported case is for the whole partitioning hierarchy to have identical constraint properties, so such ALTERs must be applied at the partition root.
When attaching a child table with ALTER TABLE ... INHERIT, insist that any generated columns in the parent be generated the same way in the child (Peter Eisentraut)
Forbid marking an identity column as nullable (Vik Fearing)
GENERATED ALWAYS AS IDENTITY implies NOT NULL, so don't allow it to be combined with an explicit NULL specification.
Allow ALTER ROLE/DATABASE ... SET to set the role, session_authorization, and temp_buffers parameters (Tom Lane)
Previously, over-eager validity checks might reject these commands, even if the values would have worked when used later. This created a command ordering hazard for dump/reload and upgrade scenarios.
Ensure that REINDEX CONCURRENTLY preserves any statistics target that's been set for the index (Michael Paquier)
Fix COMMIT AND CHAIN to work correctly when the current transaction has live savepoints (Fujii Masao)
Fix bug with coercing the result of a COLLATE expression to a non-collatable type (Tom Lane)
This led to a parse tree in which the COLLATE appears to be applied to a non-collatable value. While that normally has no real impact (since COLLATE has no effect at runtime), it was possible to construct views that would be rejected during dump/reload.
Fix use-after-free bug in saving tuples for AFTER triggers (Amit Langote)
This could cause crashes in some situations.
Disallow calling window functions and procedures via the “fast path” wire protocol message (Tom Lane)
Only plain functions are supported here. While trying to call an aggregate function failed already, calling a window function would crash, and calling a procedure would work only if the procedure did no transaction control.
Extend pg_identify_object_as_address() to support event triggers (Joel Jacobson)
Fix to_char()'s handling of Roman-numeral month format codes with negative intervals (Julien Rouhaud)
Previously, such cases would usually cause a crash.
Check that the argument of pg_import_system_collations() is a valid schema OID (Tom Lane)
Fix use of uninitialized value while parsing an \{m,n\} quantifier in a BRE-mode regular expression (Tom Lane)
This error could cause the quantifier to act non-greedy, that is behave like an {m,n}? quantifier would do in full regular expressions.
Don't ignore system columns when estimating the number of groups using extended statistics (Tomas Vondra)
This led to strange estimates for queries such as SELECT ... GROUP BY a, b, ctid.
Avoid divide-by-zero when estimating selectivity of a regular expression with a very long fixed prefix (Tom Lane)
This typically led to a NaN selectivity value, causing assertion failures or strange planner behavior.
Fix access-off-the-end-of-the-table error in BRIN index bitmap scans (Tomas Vondra)
If the page range size used by a BRIN index isn't a power of two, there were corner cases in which a bitmap scan could try to fetch pages past the actual end of the table, leading to “could not open file” errors.
Avoid incorrect timeline change while recovering uncommitted two-phase transactions from WAL (Soumyadeep Chakraborty, Jimmy Yih, Kevin Yeap)
This error could lead to subsequent WAL records being written under the wrong timeline ID, leading to consistency problems, or even complete failure to be able to restart the server, later on.
Ensure that locks are released while shutting down a standby server's startup process (Fujii Masao)
When a standby server is shut down while still in recovery, some locks might be left held. This causes assertion failures in debug builds; it's unclear whether any serious consequence could occur in production builds.
Fix crash when a logical replication worker does ALTER SUBSCRIPTION REFRESH (Peter Smith)
The core code won't do this, but a replica trigger could.
Ensure we default to wal_sync_method = fdatasync on recent FreeBSD (Thomas Munro)
FreeBSD 13 supports open_datasync, which would normally become the default choice. However, it's unclear whether that is actually an improvement for Postgres, so preserve the existing default for now.
Pass the correct trigger OID to object post-alter hooks during ALTER CONSTRAINT (Álvaro Herrera)
When updating trigger properties during ALTER CONSTRAINT, the post-alter hook was told that we are updating a trigger, but the constraint's OID was passed instead of the trigger's.
Ensure we finish cleaning up when interrupted while detaching a DSM segment (Thomas Munro)
This error could result in temporary files not being cleaned up promptly after a parallel query.
Fix memory leak while initializing server's SSL parameters (Michael Paquier)
This is ordinarily insignificant, but if the postmaster is repeatedly sent SIGHUP signals, the leak can build up over time.
Fix assorted minor memory leaks in the server (Tom Lane, Andres Freund)
Fix failure when a PL/pgSQL DO block makes use of both composite-type variables and transaction control (Tom Lane)
Previously, such cases led to errors about leaked tuple descriptors.
Prevent infinite loop in libpq if a ParameterDescription message with a corrupt length is received (Tom Lane)
When initdb prints instructions about how to start the server, make the path shown for pg_ctl use backslash separators on Windows (Nitin Jadhav)
Fix psql to restore the previous behavior of \connect service=something (Tom Lane)
A previous bug fix caused environment variables (such as PGPORT) to override entries in the service file in this context. Restore the previous behavior, in which the priority is the other way around.
Fix psql's ON_ERROR_ROLLBACK feature to handle COMMIT AND CHAIN commands correctly (Arthur Nascimento)
Previously, this case failed with “savepoint "pg_psql_temporary_savepoint" does not exist”.
Fix race condition in detection of file modification by psql's \e and related commands (Laurenz Albe)
A very fast typist could fool the code's file-timestamp-based detection of whether the temporary edit file was changed.
Fix pg_dump's dumping of generated columns in partitioned tables (Peter Eisentraut)
A fix introduced in the previous minor release should not be applied to partitioned tables, only traditionally-inherited tables.
Fix missed file version check in pg_restore (Tom Lane)
When reading a custom-format archive from a non-seekable source, pg_restore neglected to check the archive version. If it was fed a newer archive version than it can support, it would fail messily later on.
Add some more checks to pg_upgrade for user tables containing non-upgradable data types (Tom Lane)
Fix detection of some cases where a non-upgradable data type is embedded within a container type (such as an array or range). Also disallow upgrading when user tables contain columns of system-defined composite types, since those types' OIDs are not stable across versions.
Fix incorrect progress-reporting calculation in pg_checksums (Shinya Kato)
Fix pg_waldump to count XACT records correctly when generating per-record statistics (Kyotaro Horiguchi)
Fix contrib/amcheck to not complain about the tuple flags HEAP_XMAX_LOCK_ONLY and HEAP_KEYS_UPDATED both being set (Julien Rouhaud)
This is a valid state after SELECT FOR UPDATE.
Adjust VPATH build rules to support recent Oracle Developer Studio compiler versions (Noah Misch)
Fix testing of PL/Python for Python 3 on Solaris (Noah Misch)
⇑ Upgrade to 12.8 released on 2021-08-12 - docs
Fix mis-planning of repeated application of a projection step (Tom Lane)
The planner could create an incorrect plan in cases where two ProjectionPaths were stacked on top of each other. The only known way to trigger that situation involves parallel sort operations, but there may be other instances. The result would be crashes or incorrect query results. Disclosure of server memory contents is also possible. (CVE-2021-3677)
Disallow SSL renegotiation more completely (Michael Paquier)
SSL renegotiation has been disabled for some time, but the server would still cooperate with a client-initiated renegotiation request. A maliciously crafted renegotiation request could result in a server crash (see OpenSSL issue CVE-2021-3449). Disable the feature altogether on OpenSSL versions that permit doing so, which are 1.1.0h and newer.
Restore the Portal-level snapshot after COMMIT or ROLLBACK within a procedure (Tom Lane)
This change fixes cases where an attempt to fetch a toasted value immediately after COMMIT/ROLLBACK would fail with errors like “no known snapshots” or “missing chunk number 0 for toast value”.
Some extensions may attempt to execute SQL code outside of any Portal. They are responsible for ensuring that an outer snapshot exists before doing so. Previously, not providing a snapshot might work or it might not; now it will consistently fail with “cannot execute SQL without an outer snapshot or portal”.
Avoid misbehavior when persisting the output of a cursor that's reading a non-stable query (Tom Lane)
Previously, we'd always rewind and re-read the whole query result, possibly getting results different from the earlier execution, causing great confusion later. For a NO SCROLL cursor, we can fix this by only storing the not-yet-read portion of the query output, which is sufficient since a NO SCROLL cursor can't be backed up. Cursors with the SCROLL option remain at hazard, but that was already documented to be an unsafe option to use with a non-stable query. Make those documentation warnings stronger.
Also force NO SCROLL mode for the implicit cursor used by a PL/pgSQL FOR-over-query loop, to avoid this type of problem when persisting such a cursor during an intra-procedure commit.
Reject SELECT ... GROUP BY GROUPING SETS (()) FOR UPDATE (Tom Lane)
This should be disallowed, just as FOR UPDATE with a plain GROUP BY is disallowed, but the test for that failed to handle empty grouping sets correctly. The end result would be a null-pointer dereference in the executor.
Reject cases where a query in WITH rewrites to just NOTIFY (Tom Lane)
Such cases previously crashed.
In numeric multiplication, round the result rather than failing if it would have more than 16383 digits after the decimal point (Dean Rasheed)
Fix corner-case errors and loss of precision when raising numeric values to very large powers (Dean Rasheed)
Fix division-by-zero failure in to_char() with EEEE format and a numeric input value less than 10^(-1001) (Dean Rasheed)
Fix pg_size_pretty(bigint) to round negative values consistently with the way it rounds positive ones (and consistently with the numeric version) (Dean Rasheed, David Rowley)
Make pg_filenode_relation(0, 0) return NULL rather than failing (Justin Pryzby)
Make ALTER EXTENSION lock the extension when adding or removing a member object (Tom Lane)
The previous coding allowed ALTER EXTENSION ADD/DROP to occur concurrently with DROP EXTENSION, leading to a crash or corrupt catalog entries.
Fix ALTER SUBSCRIPTION to reject an empty slot name (Japin Li)
When cloning a partitioned table's triggers to a new partition, ensure that their enabled status is copied (Álvaro Herrera)
Avoid alias conflicts in queries generated for REFRESH MATERIALIZED VIEW CONCURRENTLY (Tom Lane, Bharath Rupireddy)
This command failed on materialized views containing columns with certain names, notably mv and newdata.
Fix PREPARE TRANSACTION to check correctly for conflicting session-lifespan and transaction-lifespan locks (Tom Lane)
A transaction cannot be prepared if it has both session-lifespan and transaction-lifespan locks on the same advisory-lock ID value. This restriction was not fully checked, which could lead to a PANIC during PREPARE TRANSACTION.
Fix misbehavior of DROP OWNED BY when the target role is listed more than once in an RLS policy (Tom Lane)
Skip unnecessary error tests when removing a role from an RLS policy during DROP OWNED BY (Tom Lane)
Notably, this fixes some cases where it was necessary to be a superuser to use DROP OWNED BY.
Disallow whole-row variables in GENERATED expressions (Tom Lane)
Use of a whole-row variable clearly violates the rule that a generated column cannot depend on itself, so such cases have no well-defined behavior. The actual behavior frequently included a crash.
Fix usage of tableoid in GENERATED expressions (Tom Lane)
Some code paths failed to provide a valid value for this system column while evaluating a GENERATED expression.
Don't store a “fast default” when adding a column to a foreign table (Andrew Dunstan)
The fast default is useless since no local heap storage exists for such a table, but it confused subsequent operations. In addition to suppressing creation of such catalog entries in ALTER TABLE commands, adjust the downstream code to cope when one is incorrectly present.
Allow index state flags to be updated transactionally (Michael Paquier, Andrey Lepikhov)
This avoids failures when dealing with index predicates that aren't really immutable. While that's not considered a supported case, the original reason for using a non-transactional update here is long gone, so we may as well change it.
Avoid corrupting the plan cache entry when CREATE DOMAIN or ALTER DOMAIN appears in a cached plan (Tom Lane)
Make walsenders show their latest replication commands in pg_stat_activity (Tom Lane)
Previously, a walsender would show its latest SQL command, which was confusing if it's now doing some replication operation instead. Now we show replication-protocol commands on the same footing as SQL commands.
Make pg_settings.pending_restart show as true when the pertinent entry in postgresql.conf has been removed (Álvaro Herrera)
pending_restart correctly showed the case where an entry that cannot be changed without a postmaster restart has been modified, but not where the entry had been removed altogether.
Fix mis-planning of queries involving regular tables that are inheritance children of foreign tables (Amit Langote)
SELECT FOR UPDATE and related commands would fail with assertion failures or “could not find junk column” errors in such cases.
Fix corner-case failure of a new standby to follow a new primary (Dilip Kumar, Robert Haas)
Under a narrow combination of conditions, the standby could wind up trying to follow the wrong WAL timeline.
Update minimum recovery point when WAL replay of a transaction abort record causes file truncation (Fujii Masao)
File truncation is irreversible, so it's no longer safe to stop recovery at a point earlier than that record. The corresponding case for transaction commit was fixed years ago, but this one was overlooked.
In walreceivers, avoid attempting catalog lookups after an error (Masahiko Sawada, Bharath Rupireddy)
Ensure that a standby server's startup process will respond to a shutdown signal promptly while waiting for WAL to arrive (Fujii Masao, Soumyadeep Chakraborty)
Correctly clear shared state after failing to become a member of a transaction commit group (Amit Kapila)
Given the right timing, this could cause an assertion failure when some later session re-uses the same PGPROC object.
Add locking to avoid reading incorrect relmapper data in the face of a concurrent write from another process (Heikki Linnakangas)
Improve progress reporting for the sort phase of a parallel btree index build (Matthias van de Meent)
Improve checks for violations of replication protocol (Tom Lane)
Logical replication workers frequently used Asserts to check for cases that could be triggered by invalid or out-of-order replication commands. This seems unwise, so promote these tests to regular error checks.
Fix deadlock when multiple logical replication workers try to truncate the same table (Peter Smith, Haiying Tang)
Fix error cases and memory leaks in logical decoding of speculative insertions (Dilip Kumar)
Avoid leaving an invalid record-type hash table entry behind after an error (Sait Talha Nisanci)
This could lead to later crashes or memory leakage.
Fix plan cache reference leaks in some error cases in CREATE TABLE ... AS EXECUTE (Tom Lane)
Fix race condition in code for sharing tuple descriptors across parallel workers (Thomas Munro)
Given the right timing, a crash could result.
Fix possible race condition when releasing BackgroundWorkerSlots (Tom Lane)
It's likely that this doesn't fix any observable bug on Intel hardware, but machines with weaker memory ordering rules could have problems.
Fix latent crash in sorting code (Ronan Dunklau)
One code path could attempt to free a null pointer. The case appears unreachable in the core server's use of sorting, but perhaps it could be triggered by extensions.
Prevent infinite loops in SP-GiST index insertion (Tom Lane)
In the event that INCLUDE columns take up enough space to prevent a leaf index tuple from ever fitting on a page, the text_ops operator class would get into an infinite loop vainly trying to make the tuple fit. While pre-v11 versions don't have INCLUDE columns, back-patch this anti-looping fix to them anyway, as it seems like a good defense against bugs in operator classes.
Ensure that SP-GiST index insertion can be terminated by a query cancel request (Tom Lane, Álvaro Herrera)
Fix uninitialized-variable bug that could cause PL/pgSQL to act as though an INTO clause specified STRICT, even though it didn't (Tom Lane)
Don't abort the process for an out-of-memory failure in libpq's printing functions (Tom Lane)
In ecpg, allow the numeric value INT_MIN (usually -2147483648) to be converted to integer (John Naylor)
In psql and other client programs, avoid overrunning the ends of strings when dealing with invalidly-encoded data (Tom Lane)
An incorrectly-encoded multibyte character near the end of a string could cause various processing loops to run past the string's terminating NUL, with results ranging from no detectable issue to a program crash, depending on what happens to be in the following memory. This is reminiscent of CVE-2006-2313, although these particular cases do not appear to have interesting security consequences.
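The overrun described in this entry, as an added example (not PostgreSQL source code): a scanner that trusts the length implied by a UTF-8 lead byte, beside one that stops at the terminator. Function names are hypothetical and both sample strings are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: "ab", then a 3-byte UTF-8 lead byte (0xE2) with no
 * continuation bytes, the terminating NUL, then "XY" standing in for
 * whatever happens to follow the string in memory. */
static const char TRUNCATED[16] = "ab\xE2\0XY";

/* Constructed sample: well-formed "a", U+20AC (E2 82 AC), "b". */
static const char WELL_FORMED[] = "a\xE2\x82\xAC" "b";

/* Character length claimed by a UTF-8 lead byte (1 for anything else). */
static int utf8_claimed_len(unsigned char lead)
{
    if ((lead & 0xE0) == 0xC0)
        return 2;
    if ((lead & 0xF0) == 0xE0)
        return 3;
    if ((lead & 0xF8) == 0xF0)
        return 4;
    return 1;
}

/* Trusts the lead byte: a truncated character makes the cursor jump over
 * the NUL. Returns how many bytes the cursor travelled from s. */
size_t scan_trusting(const char *s)
{
    const char *p = s;

    while (*p != '\0')
        p += utf8_claimed_len((unsigned char) *p);
    return (size_t) (p - s);
}

/* Bounded: advance by the claimed length or by the bytes that actually
 * exist before the terminator, whichever is smaller. */
size_t scan_bounded(const char *s)
{
    const char *p = s;

    while (*p != '\0')
    {
        int claimed = utf8_claimed_len((unsigned char) *p);
        int avail = 0;

        while (avail < claimed && p[avail] != '\0')
            avail++;
        p += avail;
    }
    return (size_t) (p - s);
}

int main(void)
{
    printf("strlen=%zu trusting=%zu bounded=%zu\n",
           strlen(TRUNCATED), scan_trusting(TRUNCATED),
           scan_bounded(TRUNCATED));
    printf("well-formed: trusting=%zu bounded=%zu\n",
           scan_trusting(WELL_FORMED), scan_bounded(WELL_FORMED));
    return 0;
}
```

The truncated sample sits in a 16-byte array so that the trusting scanner's over-read stays inside memory the program owns; on a real string the bytes past the NUL are whatever follows it.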
Fix pg_dump to correctly handle triggers on partitioned tables whose enabled status is different from their parent triggers' status (Justin Pryzby, Álvaro Herrera)
Avoid “invalid creation date in header” warnings observed when running pg_restore on an archive file created in a different time zone (Tom Lane)
Make pg_upgrade carry forward the old installation's oldestXID value (Bertrand Drouvot)
Previously, the new installation's oldestXID was set to a value old enough to (usually) force immediate anti-wraparound autovacuuming. That's not desirable from a performance standpoint; what's worse, installations using large values of autovacuum_freeze_max_age could suffer unwanted forced shutdowns soon after an upgrade.
Extend pg_upgrade to detect and warn about extensions that should be upgraded (Bruce Momjian)
A script file is now produced containing the ALTER EXTENSION UPDATE commands needed to bring extensions up to the versions that are considered default in the new installation.
Avoid problems when switching pg_receivewal between compressed and non-compressed WAL storage (Michael Paquier)
Fix contrib/postgres_fdw to work usefully with generated columns (Etsuro Fujita)
postgres_fdw will now behave reasonably with generated columns, so long as a generated column in a foreign table represents a generated column in the remote table. IMPORT FOREIGN SCHEMA will now import generated columns that way by default.
In contrib/postgres_fdw, avoid attempting catalog lookups after an error (Tom Lane)
While this usually worked, it's not very safe since the error might have been one that made catalog access nonfunctional. A side effect of the fix is that messages about data conversion errors will now mention the query's table and column aliases (if used) rather than the true underlying name of a foreign table or column.
Improve the isolation-test infrastructure (Tom Lane, Michael Paquier)
Allow isolation test steps to be annotated to show the expected completion order. This allows getting stable results from otherwise-racy test cases, without the long delays that we previously used (not entirely successfully) to fend off race conditions. Allow non-quoted identifiers as isolation test session/step names (formerly, all such names had to be double-quoted). Detect and warn about unused steps in isolation tests. Improve display of query results in isolation tests. Remove isolationtester's “dry-run” mode. Remove memory leaks in isolationtester itself.
Reduce overhead of cache-clobber testing (Tom Lane)
Fix PL/Python's regression tests to pass with Python 3.10 (Honza Horak)
Make printf("%s", NULL)
print (null)
instead of crashing (Tom Lane)
This should improve server robustness in corner cases, and it syncs our printf
implementation with common libraries.
Fix incorrect log message when point-in-time recovery stops at a ROLLBACK PREPARED
record (Simon Riggs)
Improve ALTER TABLE
's messages for wrong-relation-kind errors (Kyotaro Horiguchi)
Clarify error messages referring to “non-negative” values (Bharath Rupireddy)
Fix configure to work with OpenLDAP 2.5, which no longer has a separate libldap_r library (Adrian Ho, Tom Lane)
If there is no libldap_r library, we now silently assume that libldap is thread-safe.
Add new make targets world-bin and install-world-bin (Andrew Dunstan)
These are the same as world and install-world respectively, except that they do not build or install the documentation.
Fix make rule for TAP tests (prove_installcheck) to work in PGXS usage (Andrew Dunstan)
Adjust JIT code to prepare for forthcoming LLVM API change (Thomas Munro, Andres Freund)
LLVM 13 has made an incompatible API change that will cause crashing of our previous JIT compiler.
Avoid assuming that strings returned by GSSAPI libraries are null-terminated (Tom Lane)
The GSSAPI spec provides for a string pointer and length. It seems that in practice the next byte after the string is usually zero, so that our previous coding didn't actually fail; but we do have a report of AddressSanitizer complaints.
Enable building with GSSAPI on MSVC (Michael Paquier)
Fix various incompatibilities with modern Kerberos builds.
In MSVC builds, include --with-pgport in the set of configure options reported by pg_config, if it had been specified (Andrew Dunstan)
⇑ Upgrade to 12.9 released on 2021-11-11 - docs
Make the server reject extraneous data after an SSL or GSS encryption handshake (Tom Lane)
A man-in-the-middle with the ability to inject data into the TCP connection could stuff some cleartext data into the start of a supposedly encryption-protected database session. This could be abused to send faked SQL commands to the server, although that would only work if the server did not demand any authentication data. (However, a server relying on SSL certificate authentication might well not do so.)
The PostgreSQL Project thanks Jacob Champion for reporting this problem. (CVE-2021-23214)
Make libpq reject extraneous data after an SSL or GSS encryption handshake (Tom Lane)
A man-in-the-middle with the ability to inject data into the TCP connection could stuff some cleartext data into the start of a supposedly encryption-protected database session. This could probably be abused to inject faked responses to the client's first few queries, although other details of libpq's behavior make that harder than it sounds. A different line of attack is to exfiltrate the client's password, or other sensitive data that might be sent early in the session. That has been shown to be possible with a server vulnerable to CVE-2021-23214.
The PostgreSQL Project thanks Jacob Champion for reporting this problem. (CVE-2021-23222)
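The check described by the two fixes above (CVE-2021-23214 on the server, CVE-2021-23222 in libpq), as an added C example that is not PostgreSQL's own code: the function and type names are hypothetical, the sample byte strings are constructed, and the enforce flag switches between the old behaviour and the corrected one.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Protocol constants: an encryption request is Int32 length 8 + Int32 code. */
#define NEGOTIATE_LEN      8u
#define NEGOTIATE_SSL_CODE 80877103u /* (1234 << 16) | 5679 */
#define NEGOTIATE_GSS_CODE 80877104u /* (1234 << 16) | 5680 */

typedef enum {
    HS_START_ENCRYPTION,  /* nothing buffered: start the TLS/GSS handshake */
    HS_NO_ENCRYPTION,     /* plaintext startup packet, or an 'N' answer */
    HS_INCOMPLETE,        /* need more bytes from the socket */
    HS_PROTOCOL_ERROR,    /* unexpected answer byte */
    HS_REJECT_EXTRA_DATA  /* cleartext follows the negotiation message */
} hs_result;

static uint32_t read_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/*
 * Server side (hypothetical helper). data/len is everything already read
 * from the socket. A conforming client sends the 8-byte request and then
 * waits for the one-byte answer, so any byte after the request was sent
 * before encryption started. With enforce == 0 the function models the
 * old behaviour: the leftover bytes stay buffered and are later consumed
 * as if they had arrived inside the encrypted session.
 */
hs_result server_on_first_packet(const uint8_t *data, size_t len, int enforce)
{
    uint32_t code;

    if (len < NEGOTIATE_LEN)
        return HS_INCOMPLETE;
    code = read_be32(data + 4);
    if (read_be32(data) != NEGOTIATE_LEN ||
        (code != NEGOTIATE_SSL_CODE && code != NEGOTIATE_GSS_CODE))
        return HS_NO_ENCRYPTION;
    if (enforce && len > NEGOTIATE_LEN)
        return HS_REJECT_EXTRA_DATA;
    return HS_START_ENCRYPTION;
}

/*
 * Client side (hypothetical helper) for the SSL case. The server answers
 * an SSLRequest with a single byte, 'S' (proceed) or 'N' (no SSL); any
 * other byte is treated as a protocol error in this simplified model.
 * Anything buffered after 'S' is cleartext that must not reach the session.
 */
hs_result client_on_ssl_answer(const uint8_t *data, size_t len, int enforce)
{
    if (len < 1)
        return HS_INCOMPLETE;
    if (data[0] == 'N')
        return HS_NO_ENCRYPTION;
    if (data[0] != 'S')
        return HS_PROTOCOL_ERROR;
    if (enforce && len > 1)
        return HS_REJECT_EXTRA_DATA;
    return HS_START_ENCRYPTION;
}

/* Constructed sample inputs (not captured traffic). */
const uint8_t SSLREQ_CLEAN[]   = {0, 0, 0, 8, 0x04, 0xD2, 0x16, 0x2F};
const uint8_t SSLREQ_STUFFED[] = {0, 0, 0, 8, 0x04, 0xD2, 0x16, 0x2F,
                                  'E', 'X', 'T', 'R', 'A'};
const uint8_t GSSREQ_STUFFED[] = {0, 0, 0, 8, 0x04, 0xD2, 0x16, 0x30,
                                  'E', 'X'};
const uint8_t STARTUP_PLAIN[]  = {0, 0, 0, 9, 0, 3, 0, 0, 0};
const uint8_t ANSWER_CLEAN[]   = {'S'};
const uint8_t ANSWER_STUFFED[] = {'S', 'E', 'X', 'T', 'R', 'A'};

int main(void)
{
    printf("server, old behaviour, stuffed request: %d\n",
           server_on_first_packet(SSLREQ_STUFFED, sizeof SSLREQ_STUFFED, 0));
    printf("server, enforced, stuffed request:      %d\n",
           server_on_first_packet(SSLREQ_STUFFED, sizeof SSLREQ_STUFFED, 1));
    printf("server, enforced, clean request:        %d\n",
           server_on_first_packet(SSLREQ_CLEAN, sizeof SSLREQ_CLEAN, 1));
    printf("client, old behaviour, stuffed answer:  %d\n",
           client_on_ssl_answer(ANSWER_STUFFED, sizeof ANSWER_STUFFED, 0));
    printf("client, enforced, stuffed answer:       %d\n",
           client_on_ssl_answer(ANSWER_STUFFED, sizeof ANSWER_STUFFED, 1));
    printf("client, enforced, clean answer:         %d\n",
           client_on_ssl_answer(ANSWER_CLEAN, sizeof ANSWER_CLEAN, 1));
    return 0;
}
```

The check only covers bytes that were already buffered together with the negotiation message; bytes that arrive later are read by the TLS or GSS layer and fail the handshake on their own.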
Fix physical replication for cases where the primary crashes after shipping a WAL segment that ends with a partial WAL record (Álvaro Herrera)
If the primary did not survive long enough to finish writing the rest of the incomplete WAL record, then the previous crash-recovery logic had it back up and overwrite WAL starting from the beginning of the incomplete WAL record. This is problematic since standby servers may already have copies of that WAL segment. They will then see an inconsistent next segment, and will not be able to recover without manual intervention. To fix, do not back up over a WAL segment boundary when restarting after a crash. Instead write a new type of WAL record at the start of the next WAL segment, informing readers that the incomplete WAL record will never be finished and must be disregarded.
When applying this update, it's best to update standby servers before the primary, so that they will be ready to handle this new WAL record type if the primary happens to crash.
Fix CREATE INDEX CONCURRENTLY to wait for the latest prepared transactions (Andrey Borodin)
Rows inserted by just-prepared transactions might be omitted from the new index, causing queries relying on the index to miss such rows. The previous fix for this type of problem failed to account for PREPARE TRANSACTION commands that were still in progress when CREATE INDEX CONCURRENTLY checked for them. As before, in installations that have enabled prepared transactions (max_prepared_transactions > 0), it's recommended to reindex any concurrently-built indexes in case this problem occurred when they were built.
Avoid race condition that can cause backends to fail to add entries for new rows to an index being built concurrently (Noah Misch, Andrey Borodin)
While it's apparently rare in the field, this case could potentially affect any index built or reindexed with the CONCURRENTLY option. It is recommended to reindex any such indexes to make sure they are correct.
Fix float4 and float8 hash functions to produce uniform results for NaNs (Tom Lane)
Since PostgreSQL's floating-point types deem all NaNs to be equal, it's important for the hash functions to produce the same hash code for all bit-patterns that are NaNs according to the IEEE 754 standard. This failed to happen before, meaning that hash indexes and hash-based query plans might produce incorrect results for non-canonical NaN values. ('-NaN'::float8 is one way to produce such a value on most machines.) It is advisable to reindex hash indexes on floating-point columns, if there is any possibility that they might contain such values.
Prevent data loss during crash recovery of CREATE TABLESPACE, when wal_level = minimal (Noah Misch)
If the server crashed between CREATE TABLESPACE and the next checkpoint, replay would fully remove the contents of the new tablespace's directory, relying on subsequent WAL replay to restore everything within that directory. This interacts badly with optimizations that skip writing WAL (one example is COPY into a just-created table). Such optimizations are applied only when wal_level is minimal, which is not the default in v10 and later.
Ensure that the relation cache is invalidated for a table being attached to or detached from a partitioned table (Amit Langote, Álvaro Herrera)
This oversight could allow misbehavior of subsequent inserts/updates addressed directly to the partition, but only in currently-existing sessions.
Ensure that the relation cache is invalidated when creating or dropping a FOR ALL TABLES publication (Hou Zhijie, Vignesh C)
This oversight could lead to improper replication behavior until all currently-existing sessions have exited.
Don't discard a cast to the same type with unspecified type modifier (Tom Lane)
For example, if column f1 is of type numeric(18,3), the parser used to simply discard a cast like f1::numeric, on the grounds that it would have no run-time effect. That's true, but the exposed type of the expression should still be considered to be plain numeric, not numeric(18,3). This is important for correctly resolving the type of larger constructs, such as recursive UNIONs.
Fix updates of element fields in arrays of domain over composite (Tom Lane)
A command such as UPDATE tab SET fld[1].subfld = val failed if the array's elements were domains rather than plain composites.
Disallow creating an ICU collation if the current database's encoding won't support it (Tom Lane)
Previously this was allowed, but then the collation could not be referenced because of the way collation lookup works; you could not use the collation, nor even drop it.
Fix corner-case loss of precision in numeric power() (Dean Rasheed)
The result could be inaccurate when the first argument is very close to 1.
Avoid regular expression errors with capturing parentheses inside {0} (Tom Lane)
Regular expressions like (.){0}...\1 drew “invalid backreference number”. Other regexp engines such as Perl don't complain, though, and for that matter ours doesn't either in some closely related cases. Worse, it could throw an assertion failure instead. Fix it so that no error is thrown and instead the back-reference is silently deemed to never match.
Prevent regular expression back-references from sometimes matching when they shouldn't (Tom Lane)
The regexp engine was careless about clearing match data for capturing parentheses after rejecting a partial match. This could allow a later back-reference to match in places where it should fail for lack of a defined referent.
Fix regular expression performance bug with back-references inside iteration nodes (Tom Lane)
Incorrect back-tracking logic could result in exponential time spent looking for a match. Fortunately the problem is masked in most cases by other optimizations.
Fix incorrect results from AT TIME ZONE applied to a time with time zone value (Tom Lane)
The results were incorrect if the target time zone was specified by a dynamic timezone abbreviation (that is, one that is defined as equivalent to a full time zone name, rather than a fixed UTC offset).
Fix mistranslation of PlaceHolderVars to inheritance child relations (Tom Lane)
This error could result in assertion failures, or in mis-planning of queries having partitioned or inherited tables on the nullable side of an outer join.
Avoid using MCV-only statistics to estimate the range of a column (Tom Lane)
There are corner cases in which ANALYZE will build a most-common-values (MCV) list but not a histogram, even though the MCV list does not account for all the observed values. In such cases, keep the planner from using the MCV list alone to estimate the range of column values.
Fix restoration of a Portal's snapshot inside a subtransaction (Bertrand Drouvot)
If a procedure commits or rolls back a transaction, and then its next significant action is inside a new subtransaction, snapshot management went wrong, leading to a dangling pointer and probable crash. A typical example in PL/pgSQL is a COMMIT immediately followed by a BEGIN ... EXCEPTION block that performs a query.
Clean up correctly if a transaction fails after exporting its snapshot (Dilip Kumar)
This oversight would only cause a problem if the same session attempted to export a snapshot again. The most likely scenario for that is creation of a replication slot (followed by rollback) and then creation of another replication slot.
Prevent wraparound of overflowed-subtransaction tracking on standby servers (Kyotaro Horiguchi, Alexander Korotkov)
This oversight could cause significant performance degradation (manifesting as excessive SubtransSLRU traffic) on standby servers.
Ensure that prepared transactions are properly accounted for during promotion of a standby server (Michael Paquier, Andres Freund)
There was a narrow window where a prepared transaction could be omitted from a snapshot taken by a concurrently-running session. If that session then used the snapshot to perform data updates, erroneous results or data corruption could occur.
Refuse to rewind a cursor marked NO SCROLL if it has been held over from a previous transaction due to the WITH HOLD option (Tom Lane)
We have long forbidden fetching backwards from a NO SCROLL cursor, but for historical reasons the prohibition didn't extend to cases in which we rewind the query altogether and then re-fetch forwards. That exception leads to inconsistencies, particularly for held-over cursors which may not have stored all the data necessary to rewind. Disallow rewinding for non-scrollable held-over cursors to block the worst inconsistencies. (v15 will remove the exception altogether.)
Fix possible failure while saving a WITH HOLD cursor at transaction end, if it had already been read to completion (Tom Lane)
Fix detection of a relation that has grown to the maximum allowed length (Tom Lane)
An attempt to extend a table or index past the limit of 2^32-1 blocks was rejected, but not soon enough to prevent inconsistent internal state from being created.
Correctly track the presence of data-modifying CTEs when expanding a DO INSTEAD rule (Greg Nancarrow, Tom Lane)
The previous failure to do this could lead to problems such as unsafely choosing a parallel plan.
Fix incorrect reporting of permissions failures on extended statistics objects (Tomas Vondra)
The code typically produced “cache lookup error” rather than the intended message.
Fix incorrect snapshot handling in parallel workers (Greg Nancarrow)
This oversight could lead to misbehavior in parallel queries if the transaction isolation level is less than REPEATABLE READ.
Fix logical decoding to correctly ignore toast-table changes for transient tables (Bertrand Drouvot)
Logical decoding normally ignores changes in transient tables such as those created during an ALTER TABLE heap rewrite. But that filtering wasn't applied to the associated toast table if any, leading to possible errors when rewriting a table that's being published.
Ensure that walreceiver processes create all required archive notification files before exiting (Fujii Masao)
If a walreceiver exited exactly at a WAL segment boundary, it failed to make a notification file for the last-received segment, thus delaying archiving of that segment on the standby.
Avoid trying to lock the OLD and NEW pseudo-relations in a rule that uses SELECT FOR UPDATE (Masahiko Sawada, Tom Lane)
Fix parser's processing of aggregate FILTER clauses (Tom Lane)
If the FILTER expression is a plain boolean column, the semantic level of the aggregate could be mis-determined, leading to not-per-spec behavior. If the FILTER expression is itself a boolean-returning aggregate, an error should be thrown but was not, likely resulting in a crash at execution.
Ensure that the correct lock level is used when renaming a table (Nathan Bossart, Álvaro Herrera)
For historical reasons, ALTER INDEX ... RENAME can be applied to any sort of relation. The lock level required to rename an index is lower than that required to rename a table or other kind of relation, but the code got this wrong and would use the weaker lock level whenever the command is spelled ALTER INDEX.
Avoid trying to clean up LLVM state after an error within LLVM (Andres Freund, Justin Pryzby)
This prevents a likely crash during backend exit after a fatal LLVM error.
Avoid null-pointer-dereference crash when dropping a role that owns objects being dropped concurrently (Álvaro Herrera)
Prevent “snapshot reference leak” warning when lo_export() or a related function fails (Heikki Linnakangas)
Ensure that scans of SP-GiST indexes are counted in the statistics views (Tom Lane)
Incrementing the number-of-index-scans counter was overlooked in the SP-GiST code, although per-tuple counters were advanced correctly.
Recalculate relevant wait intervals if recovery_min_apply_delay is changed during recovery (Soumyadeep Chakraborty, Ashwin Agrawal)
Fix infinite loop if a simplehash.h hash table reaches 2^32 elements (Yura Sokolov)
It seems unlikely that this bug has been hit in practice, as it would require work_mem settings of hundreds of gigabytes for existing uses of simplehash.h.
Reduce memory consumption during calculation of extended statistics (Justin Pryzby, Tomas Vondra)
Disallow setting huge_pages to on when shared_memory_type is sysv (Thomas Munro)
Previously, this setting was accepted, but it did nothing for lack of any implementation.
Fix ecpg to recover correctly after malloc() failure while establishing a connection (Michael Paquier)
Fix misevaluation of stable functions called in the arguments of a PL/pgSQL CALL statement (Tom Lane)
They were being called with an out-of-date snapshot, so that they would not see any database changes made since the start of the session's top-level command.
Allow EXIT out of the outermost block in a PL/pgSQL routine (Tom Lane)
If the routine does not require an explicit RETURN, this usage should be valid, but it was rejected.
Remove pg_ctl's hard-coded limits on the total length of generated commands (Phil Krylov)
For example, this removes a restriction on how many command-line options can be passed through to the postmaster. Individual path names that pg_ctl deals with, such as the postmaster executable's name or the data directory name, are still limited to MAXPGPATH bytes in most cases.
Fix pg_dump to dump non-global default privileges correctly (Neil Chen, Masahiko Sawada)
If a global (unrestricted) ALTER DEFAULT PRIVILEGES command revoked some present-by-default privilege, for example EXECUTE for functions, and then a restricted ALTER DEFAULT PRIVILEGES command granted that privilege again for a selected role or schema, pg_dump failed to dump the restricted privilege grant correctly.
Make pg_dump acquire shared lock on partitioned tables that are to be dumped (Tom Lane)
This oversight was usually pretty harmless, since once pg_dump has locked any of the leaf partitions, that would suffice to prevent significant DDL on the partitioned table itself. However problems could ensue when dumping a childless partitioned table, since no relevant lock would be held.
Improve pg_dump's performance by avoiding making per-table queries for RLS policies, and by avoiding repetitive calls to format_type() (Tom Lane)
These changes provide only marginal improvement when dumping from a local server, but a dump from a remote server can benefit substantially due to fewer network round-trips.
Fix crash in pg_dump when attempting to dump trigger definitions from a pre-8.3 server (Tom Lane)
Fix incorrect filename in pg_restore's error message about an invalid large object TOC file (Daniel Gustafsson)
Ensure that pgbench exits with non-zero status after a socket-level failure (Yugo Nagata, Fabien Coelho)
The desired behavior is to finish out the run but then exit with status 2. Also, fix the reporting of such errors.
Fix failure of contrib/btree_gin indexes on "char" (not char(n)) columns, when an indexscan using the < or <= operator is performed (Tom Lane)
Such an indexscan failed to return all the entries it should.
Change contrib/pg_stat_statements to read its “query texts” file in units of at most 1GB (Tom Lane)
Such large query text files are very unusual, but if they do occur, the previous coding would fail on Windows 64 (which rejects individual read requests of more than 2GB).
Fix null-pointer crash when contrib/postgres_fdw tries to report a data conversion error (Tom Lane)
Add spinlock support for the RISC-V architecture (Marek Szuba)
This is essential for reasonable performance on that platform.
Support OpenSSL 3.0.0 (Peter Eisentraut, Daniel Gustafsson, Michael Paquier)
Set correct type identifier on OpenSSL BIO (I/O abstraction) objects created by PostgreSQL (Itamar Gafni)
This oversight probably only matters for code that is doing tasks like auditing the OpenSSL installation. But it's nominally a violation of the OpenSSL API, so fix it.
Fix our pkg-config files to again support static linking of libpq (Peter Eisentraut)
Make pg_regexec() robust against an out-of-range search_start parameter (Tom Lane)
Return REG_NOMATCH, instead of possibly crashing, when search_start is past the end of the string. This case is probably unreachable within core PostgreSQL, but extensions might be more careless about the parameter value.
Ensure that GetSharedSecurityLabel() can be used in a newly-started session that has not yet built its critical relation cache entries (Jeff Davis)
Use the CLDR project's data to map Windows time zone names to IANA time zones (Tom Lane)
When running on Windows, initdb attempts to set the new cluster's timezone parameter to the IANA time zone matching the system's prevailing time zone. We were using a mapping table that we'd generated years ago and updated only fitfully; unsurprisingly, it contained a number of errors as well as omissions of recently-added zones. It turns out that CLDR has been tracking the most appropriate mappings, so start using their data. This change will not affect any existing installation, only newly-initialized clusters.
Update time zone data files to tzdata release 2021e for DST law changes in Fiji, Jordan, Palestine, and Samoa, plus historical corrections for Barbados, Cook Islands, Guyana, Niue, Portugal, and Tonga.
Also, the Pacific/Enderbury zone has been renamed to Pacific/Kanton. Also, the following zones have been merged into nearby, more-populous zones whose clocks have agreed with them since 1970: Africa/Accra, America/Atikokan, America/Blanc-Sablon, America/Creston, America/Curacao, America/Nassau, America/Port_of_Spain, Antarctica/DumontDUrville, and Antarctica/Syowa. In all these cases, the previous zone name remains as an alias.
⇑ Upgrade to 12.10 released on 2022-02-10 - docs
Enforce standard locking protocol for TOAST table updates, to prevent problems with REINDEX CONCURRENTLY (Michael Paquier)
If applied to a TOAST table or TOAST table's index, REINDEX CONCURRENTLY tended to produce a corrupted index. This happened because sessions updating TOAST entries released their ROW EXCLUSIVE locks immediately, rather than holding them until transaction commit as all other updates do. The fix is to make TOAST updates hold the table lock according to the normal rule. Any existing corrupted indexes can be repaired by reindexing again.
Fix incorrect plan creation for parallel single-child Append nodes (David Rowley)
In some cases the Append would be simplified away when it should not be, leading to wrong query results (duplicated rows).
Fix index-only scan plans for cases where not all index columns can be returned (Tom Lane)
If an index has both returnable and non-returnable columns, and one of the non-returnable columns is an expression using a table column that appears in a returnable index column, then a query using that expression could result in an index-only scan plan that attempts to read the non-returnable column, instead of recomputing the expression from the returnable column as intended. The non-returnable column would read as NULL, resulting in wrong query results.
Ensure that casting to an unspecified typmod generates a RelabelType node rather than a length-coercion function call (Tom Lane)
While the coercion function should do the right thing (nothing), this translation is undesirably inefficient.
Fix WAL replay failure when database consistency is reached exactly at a WAL page boundary (Álvaro Herrera)
Fix startup of a physical replica to tolerate transaction ID wraparound (Abhijit Menon-Sen, Tomas Vondra)
If a replica server is started while the set of active transactions on the primary crosses a wraparound boundary (so that there are some newer transactions with smaller XIDs than older ones), the replica would fail with “out-of-order XID insertion in KnownAssignedXids”. The replica would retry, but could never get past that error.
Remove lexical limitations for SQL commands issued on a logical replication connection (Tom Lane)
The walsender process would fail for a SQL command containing an unquoted semicolon, or with dollar-quoted literals containing odd numbers of single or double quote marks, or when the SQL command starts with a comment. Moreover, faulty error recovery could lead to unexpected errors in later commands too.
Fix possible loss of the commit timestamp for the last subtransaction of a transaction (Alex Kingsborough, Kyotaro Horiguchi)
Be sure to fsync the pg_logical/mappings subdirectory during checkpoints (Nathan Bossart)
On some filesystems this oversight could lead to losing logical rewrite status files after a system crash.
Build extended statistics for partitioned tables (Justin Pryzby)
A previous bug fix disabled building of extended statistics for old-style inheritance trees, but it also prevented building them for partitioned tables, which was an unnecessary restriction. This change allows ANALYZE to compute values for statistics objects for partitioned tables. (But note that autovacuum does not process partitioned tables as such, so you must periodically issue manual ANALYZE on the partitioned table if you want to maintain such statistics.)
Ignore extended statistics for inheritance trees (Justin Pryzby)
Currently, extended statistics values are only computed locally for each table, not for entire inheritance trees. However the values were mistakenly consulted when planning queries across inheritance trees, possibly resulting in worse-than-default estimates.
Disallow altering data type of a partitioned table's columns when the partitioned table's row type is used as a composite type elsewhere (Tom Lane)
This restriction has long existed for regular tables, but through an oversight it was not checked for partitioned tables.
Disallow ALTER TABLE ... DROP NOT NULL for a column that is part of a replica identity index (Haiying Tang, Hou Zhijie)
The same prohibition already existed for primary key indexes.
Correctly update cached table state during ALTER TABLE ADD PRIMARY KEY USING INDEX (Hou Zhijie)
Concurrent sessions failed to update their opinion of whether the table has a primary key, possibly causing incorrect logical replication behavior.
Correctly update cached table state when switching REPLICA IDENTITY index (Tang Haiying, Hou Zhijie)
Concurrent sessions failed to update their opinion of which index is the replica identity one, possibly causing incorrect logical replication behavior.
Avoid leaking memory during REASSIGN OWNED BY operations that reassign ownership of many objects (Justin Pryzby)
Fix display of cert authentication method's options in pg_hba_file_rules view (Magnus Hagander)
The cert authentication method implies clientcert=verify-full, but the pg_hba_file_rules view incorrectly reported clientcert=verify-ca.
Fix display of whole-row variables appearing in INSERT ... VALUES rules (Tom Lane)
A whole-row variable would be printed as “var.*”, but that allows it to be expanded to individual columns when the rule is reloaded, resulting in different semantics. Attach an explicit cast to prevent that, as we do elsewhere.
Fix or remove some incorrect assertions (Simon Riggs, Michael Paquier, Alexander Lakhin)
These errors should affect only debug builds, not production.
Fix race condition that could lead to failure to localize error messages that are reported early in multi-threaded use of libpq or ecpglib (Tom Lane)
Avoid calling strerror from libpq's PQcancel function (Tom Lane)
PQcancel is supposed to be safe to call from a signal handler, but strerror is not safe. The faulty usage only occurred in the unlikely event of failure to send the cancel message to the server, perhaps explaining the lack of reports.
Make psql's \password command default to setting the password for CURRENT_USER, not the connection's original user name (Tom Lane)
This agrees with the documented behavior, and avoids probable permissions failure if SET ROLE or SET SESSION AUTHORIZATION has been done since the session began. To prevent confusion, the role name to be acted on is now included in the password prompt.
In psql and some other client programs, avoid trying to invoke gettext() from a control-C signal handler (Tom Lane)
While no reported failures have been traced to this mistake, it seems highly unlikely to be a safe thing to do.
Allow canceling the initial password prompt in pg_receivewal and pg_recvlogical (Tom Lane, Nathan Bossart)
Previously it was impossible to terminate these programs via control-C while they were prompting for a password.
Fix pg_dump's dump ordering for user-defined casts (Tom Lane)
In rare cases, the output script might refer to a user-defined cast before it had been created.
Fix pg_dump's --inserts and --column-inserts modes to handle tables containing both generated columns and dropped columns (Tom Lane)
Fix possible mis-reporting of errors in pg_dump and pg_basebackup (Tom Lane)
The previous code failed to check for errors from some kernel calls, and could report the wrong errno values in other cases.
Fix results of index-only scans on contrib/btree_gist indexes on char(N) columns (Tom Lane)
Index-only scans returned column values with trailing spaces removed, which is not the expected behavior. That happened because that's how the data was stored in the index. This fix changes the code to store char(N) values with the expected amount of space padding. The behavior of such an index will not change immediately unless you REINDEX it; otherwise space-stripped values will be gradually replaced over time during updates. Queries that do not use index-only scan plans will be unaffected in any case.
Change configure to use Python's sysconfig module, rather than the deprecated distutils module, to determine how to build PL/Python (Peter Eisentraut, Tom Lane, Andres Freund)
With Python 3.10, this avoids configure-time warnings about distutils being deprecated and scheduled for removal in Python 3.12. Presumably, once 3.12 is out, configure --with-python would fail altogether. This future-proofing does come at a cost: sysconfig did not exist before Python 2.7, nor before 3.2 in the Python 3 branch, so it is no longer possible to build PL/Python against long-dead Python versions.
Fix PL/Perl compile failure on Windows with Perl 5.28 and later (Victor Wagner)
Fix PL/Python compile failure with Python 3.11 and later (Peter Eisentraut)
Add support for building with Visual Studio 2022 (Hans Buschmann)
Allow the .bat wrapper scripts in our MSVC build system to be called without first changing into their directory (Anton Voloshin, Andrew Dunstan)
⇑ Upgrade to 12.11 released on 2022-05-12 - docs
Confine additional operations within “security restricted operation” sandboxes (Sergey Shinderuk, Noah Misch)
Autovacuum, CLUSTER, CREATE INDEX, REINDEX, REFRESH MATERIALIZED VIEW, and pg_amcheck activated the “security restricted operation” protection mechanism too late, or even not at all in some code paths. A user having permission to create non-temporary objects within a database could define an object that would execute arbitrary SQL code with superuser permissions the next time that autovacuum processed the object, or that some superuser ran one of the affected commands against it.
The PostgreSQL Project thanks Alexander Lakhin for reporting this problem. (CVE-2022-1552)
Stop using query-provided column aliases for the columns of whole-row variables that refer to plain tables (Tom Lane)
The column names in tuples produced by a whole-row variable (such as tbl.* in contexts other than the top level of a SELECT list) are now always those of the associated named composite type, if there is one. We'd previously attempted to make them track any column aliases that had been applied to the FROM entry the variable refers to. But that's semantically dubious, because really then the output of the variable is not at all of the composite type it claims to be. Previous attempts to deal with that inconsistency had bad results up to and including storing unreadable data on disk, so just give up on the whole idea.
In cases where it's important to be able to relabel such columns, a workaround is to introduce an extra level of sub-SELECT, so that the whole-row variable is referring to the sub-SELECT's output and not to a plain table. Then the variable is of type record to begin with and there's no issue.
Fix incorrect output for types timestamptz and timetz in table_to_xmlschema() and allied functions (Renan Soares Lopes)
The xmlschema output for these types included a malformed regular expression.
Avoid core dump in parser for a VALUES clause with zero columns (Tom Lane)
Fix planner errors for GROUPING() constructs that reference outer query levels (Richard Guo, Tom Lane)
Fix plan generation for index-only scans on indexes with both returnable and non-returnable columns (Tom Lane)
The previous coding could try to read non-returnable columns in addition to the returnable ones. This was fairly harmless because it didn't actually do anything with the bogus values, but it fell foul of a recently-added error check that rejected such a plan.
Avoid accessing a no-longer-pinned shared buffer while attempting to lock an outdated tuple during EvalPlanQual (Tom Lane)
The code would touch the buffer a couple more times after releasing its pin. In theory another process could recycle the buffer (or more likely, try to defragment its free space) as soon as the pin is gone, probably leading to failure to find the newer version of the tuple.
Fix query-lifespan memory leak in an IndexScan node that is performing reordering (Aliaksandr Kalenik)
Fix ALTER FUNCTION to support changing a function's parallelism property and its SET-variable list in the same command (Tom Lane)
The parallelism property change was lost if the same command also updated the function's SET clause.
Fix bogus errors from attempts to alter system columns of tables (Tom Lane)
The system should just tell you that you can't do it, but sometimes it would report “no owned sequence found” instead.
Fix mis-sorting of table rows when CLUSTERing using an index whose leading key is an expression (Peter Geoghegan, Thomas Munro)
The table would be rebuilt with the correct data, but in an order having little to do with the index order.
Fix risk of deadlock failures while dropping a partitioned index (Jimmy Yih, Gaurab Dey, Tom Lane)
Ensure that the required table and index locks are taken in the standard order (parents before children, tables before indexes). The previous coding for DROP INDEX did it differently, and so could deadlock against concurrent queries taking these locks in the standard order.
Fix race condition between DROP TABLESPACE and checkpointing (Nathan Bossart)
The checkpoint forced by DROP TABLESPACE could sometimes fail to remove all dead files from the tablespace's directory, leading to a bogus “tablespace is not empty” error.
Fix possible trouble in crash recovery after a TRUNCATE command that overlaps a checkpoint (Kyotaro Horiguchi, Heikki Linnakangas, Robert Haas)
TRUNCATE must ensure that the table's disk file is truncated before the checkpoint is allowed to complete. Otherwise, replay starting from that checkpoint might find unexpected data in the supposedly-removed pages, possibly causing replay failure.
Fix unsafe toast-data accesses during temporary object cleanup (Andres Freund)
Temporary-object deletion during server process exit could fail with “FATAL: cannot fetch toast data without an active snapshot”. This was usually harmless since the next use of that temporary schema would clean up successfully.
Improve wait logic in RegisterSyncRequest (Thomas Munro)
If we run out of space in the checkpointer sync request queue (which is hopefully rare on real systems, but is common when testing with a very small buffer pool), we wait for it to drain. While waiting, we should report that as a wait event so that users know what is going on, and also watch for postmaster death, since otherwise the loop might never terminate if the checkpointer has already exited.
Fix “PANIC: xlog flush request is not satisfied” failure during standby promotion when there is a missing WAL continuation record (Sami Imseih)
Fix possibility of self-deadlock in hot standby conflict handling (Andres Freund)
With unlucky timing, the WAL-applying process could get stuck while waiting for some other process to release a buffer lock.
Ensure that logical replication apply workers can be restarted even when we're up against the max_sync_workers_per_subscription limit (Amit Kapila)
Faulty coding of the limit check caused a restarted worker to exit immediately, leaving fewer workers than there should be.
Include unchanged replica identity key columns in the WAL log for an update, if they are stored out-of-line (Dilip Kumar, Amit Kapila)
Otherwise subscribers cannot see the values and will fail to replicate the update.
Improve logical replication subscriber's error message for an unsupported relation kind (Tom Lane)
v13 and later servers support publishing partitioned tables. Older server versions cannot handle subscribing to such a table, and they gave a very misleading error message: “table XYZ not found on publisher”. Arrange to deliver a more on-point message.
Disallow execution of SPI functions during PL/Perl function compilation (Tom Lane)
Perl can be convinced to execute user-defined code during compilation of a PL/Perl function. However, it's not okay for such code to try to invoke SQL operations via SPI. That results in a crash, and if it didn't crash it would be a security hazard, because we really don't want code execution during function validation. Put in a check to give a friendlier error message instead.
Make libpq accept root-owned SSL private key files (David Steele)
This change synchronizes libpq's rules for safe ownership and permissions of SSL key files with the rules the server has used since release 9.6. Namely, in addition to the current rules, allow the case where the key file is owned by root and has permissions rw-r----- or less. This is helpful for system-wide management of key files.
Fix behavior of libpq's PQisBusy() function after a connection failure (Tom Lane)
If we'd detected a write failure, PQisBusy() would always return true, which is the wrong thing: we want input processing to carry on normally until we've read whatever is available from the server. The practical effect of this error is that applications using libpq's async-query API would typically detect connection loss only when PQconsumeInput() returns a hard failure. With this fix, a connection loss will normally be reported via an error PGresult object, which is a much cleaner behavior for most applications.
Make pg_ctl recheck postmaster aliveness while waiting for stop/restart/promote actions (Tom Lane)
pg_ctl would verify that the postmaster is alive as a side-effect of sending the stop or promote signal, but then it just naively waited to see the on-disk state change. If the postmaster died uncleanly without having removed its PID file or updated the control file, pg_ctl would wait until timeout. Instead make it recheck every so often that the postmaster process is still there.
Fix error handling in pg_waldump (Kyotaro Horiguchi, Andres Freund)
While trying to read a WAL file to determine the WAL segment size, pg_waldump would report an incorrect error for the case of a too-short file. In addition, the file name reported in this and related error messages could be garbage.
Ensure that contrib/pageinspect functions cope with all-zero pages (Michael Paquier)
This is a legitimate edge case, but the module was mostly unprepared for it. Arrange to return nulls, or no rows, as appropriate; that seems more useful than raising an error.
In contrib/pageinspect, add defenses against incorrect page “special space” contents, tighten checks for correct page size, and add some missing checks that an index is of the expected type (Michael Paquier, Justin Pryzby, Julien Rouhaud)
These changes make it less likely that the module will crash on bad data.
In contrib/postgres_fdw, verify that ORDER BY clauses are safe to ship before requesting a remotely-ordered query, and include a USING clause if necessary (Ronan Dunklau)
This fix prevents situations where the remote server might sort in a different order than we intend. While sometimes that would be only cosmetic, it could produce thoroughly wrong results if the remote data is used as input for a locally-performed merge join.
Update JIT code to work with LLVM 14 (Thomas Munro)
Clean up assorted failures under clang's -fsanitize=undefined checks (Tom Lane, Andres Freund, Zhihong Yu)
Most of these changes are just for pro-forma compliance with the letter of the C and POSIX standards, and are unlikely to have any effect on production builds.
Fix PL/Perl so it builds on C compilers that don't support statements nested within expressions (Tom Lane)
Fix possible build failure of pg_dumpall on Windows, when not using MSVC to build (Andres Freund)
In Windows builds, use gendef instead of pexports to build DEF files (Andrew Dunstan)
This adapts the build process to work on recent MSys tool chains.
Prevent extra expansion of shell wildcard patterns in programs built under MinGW (Andrew Dunstan)
For some reason the C library provided by MinGW will expand shell wildcard characters in a program's command-line arguments by default. This is confusing, not least because it doesn't happen under MSVC, so turn it off.
Update time zone data files to tzdata release 2022a for DST law changes in Palestine, plus historical corrections for Chile and Ukraine.
⇑ Upgrade to 12.12 released on 2022-08-11 - docs
Do not let extension scripts replace objects not already belonging to the extension (Tom Lane)
This change prevents extension scripts from doing CREATE OR REPLACE if there is an existing object that does not belong to the extension. It also prevents CREATE IF NOT EXISTS in the same situation. This prevents a form of trojan-horse attack in which a hostile database user could become the owner of an extension object and then modify it to compromise future uses of the object by other users. As a side benefit, it also reduces the risk of accidentally replacing objects one did not mean to.
The PostgreSQL Project thanks Sven Klemm for reporting this problem. (CVE-2022-2625)
Fix replay of CREATE DATABASE WAL records on standby servers (Kyotaro Horiguchi, Asim R Praveen, Paul Guo)
Standby servers may encounter missing tablespace directories when replaying database-creation WAL records. Prior to this patch, a standby would fail to recover in such a case; however, such directories could be legitimately missing. Create the tablespace (as a plain directory), then check that it has been dropped again once replay reaches a consistent state.
Support “in place” tablespaces (Thomas Munro, Michael Paquier, Álvaro Herrera)
Normally a Postgres tablespace is a symbolic link to a directory on some other filesystem. This change allows it to just be a plain directory. While this has no use for separating tables onto different filesystems, it is a convenient setup for testing. Moreover, it is necessary to support the CREATE DATABASE replay fix, which transiently creates a missing tablespace as an “in place” tablespace.
Fix permissions checks in CREATE INDEX (Nathan Bossart, Noah Misch)
The fix for CVE-2022-1552 caused CREATE INDEX to apply the table owner's permissions while performing lookups of operator classes and other objects, where formerly the calling user's permissions were used. This broke dump/restore scenarios, because pg_dump issues CREATE INDEX before re-granting permissions.
In extended query protocol, force an immediate commit after CREATE DATABASE and other commands that can't run in a transaction block (Tom Lane)
If the client does not send a Sync message immediately after such a command, but instead sends another command, any failure in that command would lead to rolling back the preceding command, typically leaving inconsistent state on-disk (such as a missing or extra database directory). The mechanisms intended to prevent that situation turn out to work for multiple commands in a simple-Query message, but not for a series of extended-protocol messages. To prevent inconsistency without breaking use-cases that work today, force an implicit commit after such commands.
Fix race condition when checking transaction visibility (Simon Riggs)
TransactionIdIsInProgress could report false before the subject transaction is considered visible, leading to various misbehaviors. The race condition window is normally very narrow, but use of synchronous replication makes it much wider, because the wait for a synchronous replica happens in that window.
Fix queries in which a “whole-row variable” references the result of a function that returns a domain over composite type (Tom Lane)
Fix “variable not found in subplan target list” planner error when pulling up a sub-SELECT that's referenced in a GROUPING function (Richard Guo)
Fix ALTER TABLE ... ENABLE/DISABLE TRIGGER to handle recursion correctly for triggers on partitioned tables (Álvaro Herrera, Amit Langote)
In certain cases, a “trigger does not exist” failure would occur because the command would try to adjust the trigger on a child partition that doesn't have it.
Improve syntax error messages for type jsonpath (Andrew Dunstan)
Prevent pg_stat_get_subscription() from possibly returning an extra row containing garbage values (Kuntal Ghosh)
Ensure that pg_stop_backup() cleans up session state properly (Fujii Masao)
This omission could lead to assertion failures or crashes later in the session.
Fix join alias matching in FOR [KEY] UPDATE/SHARE clauses (Dean Rasheed)
In corner cases, a misleading error could be reported.
Avoid crashing if too many column aliases are attached to an XMLTABLE or JSON_TABLE construct (Álvaro Herrera)
Reject ROW() expressions and functions in FROM that have too many columns (Tom Lane)
Cases with more than about 1600 columns are unsupported, and have always failed at execution. However, it emerges that some earlier code could be driven to assertion failures or crashes by queries with more than 32K columns. Add a parse-time check to prevent that.
When decompiling a view or rule, show a SELECT output column's AS "?column?" alias clause if it could be referenced elsewhere (Tom Lane)
Previously, this auto-generated alias was always hidden; but there are corner cases where doing so results in a non-restorable view or rule definition.
Fix dumping of a view using a function in FROM that returns a composite type, when column(s) of the composite type have been dropped since the view was made (Tom Lane)
This oversight could lead to dump/reload or pg_upgrade failures, as the dumped view would have too many column aliases for the function.
Report implicitly-created operator families to event triggers (Masahiko Sawada)
If CREATE OPERATOR CLASS results in the implicit creation of an operator family, that object was not reported to event triggers that should capture such events.
Fix control file updates made when a restartpoint is running during promotion of a standby server (Kyotaro Horiguchi)
Previously, when the restartpoint completed it could incorrectly update the last-checkpoint fields of the control file, potentially leading to PANIC and failure to restart if the server crashes before the next normal checkpoint completes.
Prevent triggering of standby's wal_receiver_timeout during logical replication of large transactions (Wang Wei, Amit Kapila)
If a large transaction on the primary server sends no data to the standby (perhaps because no table it changes is published), it was possible for the standby to time out. Fix that by ensuring we send keepalive messages periodically in such situations.
Disallow nested backup operations in logical replication walsenders (Fujii Masao)
Fix memory leak in logical replication subscribers (Hou Zhijie)
Prevent open-file leak when reading an invalid timezone abbreviation file (Kyotaro Horiguchi)
Such cases could result in harmless warning messages.
Allow custom server parameters to have short descriptions that are NULL (Steve Chavez)
Previously, although extensions could choose to create such settings, some code paths would crash while processing them.
Fix WAL consistency checking logic to correctly handle BRIN_EVACUATE_PAGE flags (Haiyang Wang)
Fix erroneous assertion checks in shared hashtable management (Thomas Munro)
Arrange to clean up after commit-time errors within SPI_commit(), rather than expecting callers to do that (Peter Eisentraut, Tom Lane)
Proper cleanup is complicated and requires use of low-level facilities, so it's not surprising that no known caller got it right. This led to misbehaviors when a PL procedure issued COMMIT but a failure occurred (such as a deferred constraint check). To improve matters, redefine SPI_commit() as starting a new transaction, so that it becomes equivalent to SPI_commit_and_chain() except that you get default transaction characteristics instead of preserving the prior transaction's characteristics. To make this somewhat transparent API-wise, redefine SPI_start_transaction() as a no-op. All known callers of SPI_commit() immediately call SPI_start_transaction(), so they will not notice any change. Similar remarks apply to SPI_rollback().
Also fix PL/Python, which omitted any handling of such errors at all, resulting in jumping out of the Python interpreter. This is reported to crash Python 3.11. Older Python releases leak some memory but seem okay with it otherwise.
Remove misguided SSL key file ownership check in libpq (Tom Lane)
In the previous minor releases, we copied the server's permission checking rules for SSL private key files into libpq. But we should not have also copied the server's file-ownership check. While that works in normal use-cases, it can result in an unexpected failure for clients running as root, and perhaps in other cases.
Ensure ecpg reports server connection loss sanely (Tom Lane)
Misprocessing of a libpq-generated error result, such as a report of lost connection, would lead to printing “(null)” instead of a useful error message; or in older releases it would lead to a crash.
Avoid core dump in ecpglib with unexpected orders of operations (Tom Lane)
Certain operations such as EXEC SQL PREPARE would crash (rather than reporting an error as expected) if called before establishing any database connection.
In ecpglib, avoid redundant newlocale() calls (Noah Misch)
Allocate a C locale object once per process when first connecting, rather than creating and freeing locale objects once per query. This mitigates a libc memory leak on AIX, and may offer some performance benefit everywhere.
In psql's \watch command, echo a newline after cancellation with control-C (Pavel Stehule)
This prevents libedit (and possibly also libreadline) from becoming confused about which column the cursor is in.
Fix possible report of wrong error condition after clone() failure in pg_upgrade with --clone option (Justin Pryzby)
Fix contrib/pg_stat_statements to avoid problems with very large query-text files on 32-bit platforms (Tom Lane)
Ensure that contrib/postgres_fdw sends constants of regconfig and other reg* types with proper schema qualification (Tom Lane)
Block signals while allocating dynamic shared memory on Linux (Thomas Munro)
This avoids problems when a signal interrupts posix_fallocate().
Detect unexpected EEXIST error from shm_open() (Thomas Munro)
This avoids a possible crash on Solaris.
Adjust PL/Perl test case so it will work under Perl 5.36 (Dagfinn Ilmari Mannsåker)
Avoid incorrectly using an out-of-date libldap_r library when multiple OpenLDAP installations are present while building PostgreSQL (Tom Lane)
⇑ Upgrade to 12.13 released on 2022-11-10 - docs
Avoid rare PANIC during updates occurring concurrently with VACUUM (Tom Lane, Jeff Davis)
If a concurrent VACUUM sets the all-visible flag bit in a page that UPDATE or DELETE is in process of modifying, the updating command needs to clear that bit again; but some code paths failed to do so, ending in a PANIC exit and database restart.
This is known to be possible in versions 14 and 15. It may be only latent in previous branches.
Fix VACUUM to press on if an attempted page deletion in a btree index fails to find the page's parent downlink (Peter Geoghegan)
Rather than throwing an error, just log the issue and continue without deleting the empty page. Previously, a buggy operator class or corrupted index could indefinitely prevent completion of vacuuming of the index, eventually leading to transaction wraparound problems.
Fix handling of DEFAULT tokens that appear in a multi-row VALUES clause of an INSERT on an updatable view (Tom Lane)
This oversight could lead to “cache lookup failed for type” errors, or in older branches even to crashes.
Disallow rules named _RETURN that are not ON SELECT (Tom Lane)
This avoids confusion between a view's ON SELECT rule and any other rules it may have.
Fix resource management bug in saving tuples for AFTER triggers (Tom Lane)
Given the right circumstances, this manifested as a “tupdesc reference NNNN is not owned by resource owner” error followed by a PANIC exit.
Repair rare failure of MULTIEXPR_SUBLINK subplans in inherited updates (Tom Lane)
Use of the syntax UPDATE tab SET (c1, ...) = (SELECT ...) with an inherited or partitioned target table could result in failure if the child tables are sufficiently dissimilar. This typically manifested as failure of consistency checks in the executor; but a crash or incorrect data updates are also possible.
Fix construction of per-partition foreign key constraints while doing ALTER TABLE ATTACH PARTITION (Jehan-Guillaume de Rorthais, Álvaro Herrera)
Previously, incorrect or duplicate constraints could be constructed for the newly-added partition.
Fix generation of constraint names for per-partition foreign key constraints (Jehan-Guillaume de Rorthais)
If the initially-given name is already in use for some constraint of the partition, a new one is selected; but it wasn't being spelled as intended.
Fix incorrect matching of index expressions and predicates when creating a partitioned index (Richard Guo, Tom Lane)
While creating a partitioned index, we try to identify any existing indexes on the partitions that match the partitioned index, so that we can absorb those as child indexes instead of building new ones. Matching of expressions was not done right, so that a usable child index might be ignored, leading to creation of a duplicative index.
Prevent WAL corruption after a standby promotion (Dilip Kumar, Robert Haas)
When a PostgreSQL instance performing archive recovery (but not using standby mode) is promoted, and the last WAL segment that it attempted to read ended in a partial record, the instance would write an invalid WAL segment on the new timeline.
Fix mis-ordering of WAL operations in fast insert path for GIN indexes (Matthias van de Meent, Zhang Mingli)
This mistake is not known to have any negative consequences within core PostgreSQL, but it did cause issues for some extensions.
Fix bugs in logical decoding when replay starts from a point between the beginning of a transaction and the beginning of its subtransaction (Masahiko Sawada, Kuroda Hayato)
These errors could lead to assertion failures in debug builds, and otherwise to memory leaks.
Prevent examining system catalogs with the wrong snapshot during logical decoding (Masahiko Sawada)
If decoding begins partway through a transaction that modifies system catalogs, the decoder may not recognize that, causing it to fail to treat that transaction as in-progress for catalog lookups.
Accept interrupts in more places during logical decoding (Amit Kapila, Masahiko Sawada)
This ameliorates problems with slow shutdown of replication workers.
Avoid crash after function syntax error in replication workers (Maxim Orlov, Anton Melnikov, Masahiko Sawada, Tom Lane)
If a syntax error occurred in a SQL-language or PL/pgSQL-language CREATE FUNCTION or DO command executed in a logical replication worker, the worker process would crash with a null pointer dereference or assertion failure.
Fix handling of read-write expanded datums that are passed to SQL functions (Tom Lane)
If a non-inlined SQL function uses a parameter in more than one place, and one of those functions expects to be able to modify read-write datums in place, then later uses of the parameter would observe the wrong value. (Within core PostgreSQL, the expanded-datum mechanism is only used for array and composite-type values; but extensions might use it for other structured types.)
Fix type circle's equality comparator to handle NaNs properly (Ranier Vilela)
If the left-hand circle had a floating-point NaN for its radius, it would be considered equal to a circle with the same center and any radius.
In Snowball dictionaries, don't try to stem excessively-long words (Olly Betts, Tom Lane)
If the input word exceeds 1000 bytes, return it as-is after case folding, rather than trying to run it through the Snowball code. This restriction protects against a known recursion-to-stack-overflow problem in the Turkish stemmer, and it seems like good insurance against any other safety or performance issues that may exist in the Snowball stemmers. Such a long string is surely not a word in any human language, so it's doubtful that the stemmer would have done anything desirable with it anyway.
Fix use-after-free hazard in string comparisons (Tom Lane)
Improper memory management in the string comparison functions could result in scribbling on no-longer-allocated buffers, potentially breaking things for whatever is using that memory now. This would only happen with fairly long strings (more than 1kB), and only if an ICU collation is in use.
Add plan-time check for attempted access to a table that has no table access method (Tom Lane)
This prevents a crash in some catalog-corruption scenarios, for example use of a view whose ON SELECT rule is missing.
Prevent postmaster crash when shared-memory state is corrupted (Tom Lane)
The postmaster process is supposed to survive and initiate a database restart if shared memory becomes corrupted, but one bit of code was being insufficiently cautious about that.
Add some more defenses against recursion till stack overrun (Richard Guo, Tom Lane)
Avoid long-term memory leakage in the autovacuum launcher process (Reid Thompson)
The lack of field reports suggests that this problem is only latent in pre-v15 branches; but it's not very clear why, so back-patch the fix anyway.
Improve PL/pgSQL's ability to handle parameters declared as RECORD (Tom Lane)
Build a separate function cache entry for each concrete type passed to the RECORD parameter during a session, much as we do for polymorphic parameters. This allows some usages to work that previously failed with errors such as “type of parameter does not match that when preparing the plan”.
Add missing guards for NULL connection pointer in libpq (Daniele Varrazzo, Tom Lane)
There's a convention that libpq functions should check for a NULL PGconn argument, and fail gracefully instead of crashing. PQflush() and PQisnonblocking() didn't get that memo, so fix them.
In ecpg, fix omission of variable storage classes when multiple varchar or bytea variables are declared in the same declaration (Andrey Sokolov)
For example, ecpg translated static varchar str1[10], str2[20], str3[30]; in such a way that only str1 was marked static.
Allow cross-platform tablespace relocation in pg_basebackup (Robert Haas)
Allow the remote path in --tablespace-mapping to be either a Unix-style or Windows-style absolute path, since the source server could be on a different OS than the local system.
In pg_stat_statements, fix access to already-freed memory (zhaoqigui)
This occurred if pg_stat_statements tracked a ROLLBACK command issued via extended query protocol. In debug builds it consistently led to an assertion failure. In production builds there would often be no visible ill effect; but if the freed memory had already been reused, the likely result would be to store garbage for the query string.
In postgres_fdw, ensure that target lists constructed for EvalPlanQual plans will have all required columns (Richard Guo, Etsuro Fujita)
This avoids “variable not found in subplan target list” errors in rare cases.
Reject unwanted output from the platform's uuid_create() function (Nazir Bilal Yavuz)
The uuid-ossp module expects libc's uuid_create() to produce a version-1 UUID, but recent NetBSD releases produce a version-4 (random) UUID instead. Check for that, and complain if so. Drop the documentation's claim that the NetBSD implementation is usable for uuid-ossp. (If a version-4 UUID is okay for your purposes, you don't need uuid-ossp at all; just use gen_random_uuid().)
Include new Perl test modules in standard installations (Álvaro Herrera)
Add PostgreSQL/Test/Cluster.pm and PostgreSQL/Test/Utils.pm to the standard installation file set in pre-version-15 branches. This is for the benefit of extensions that want to use newly-written test code in older branches.
On NetBSD, force dynamic symbol resolution at postmaster start (Andres Freund, Tom Lane)
This avoids a risk of deadlock in the dynamic linker on NetBSD 10.
Fix incompatibilities with LLVM 15 (Thomas Munro, Andres Freund)
Allow use of __sync_lock_test_and_set() for spinlocks on any machine (Tom Lane)
This eases porting to new machine architectures, at least if you're using a compiler that supports this GCC builtin function.
Rename symbol REF to REF_P to avoid compile failure on recent macOS (Tom Lane)
Avoid using sprintf, to avoid compile-time deprecation warnings (Tom Lane)
Silence assorted compiler warnings from clang 15 and later (Tom Lane)
Update time zone data files to tzdata release 2022f for DST law changes in Chile, Fiji, Iran, Jordan, Mexico, Palestine, and Syria, plus historical corrections for Chile, Crimea, Iran, and Mexico.
Also, the Europe/Kiev zone has been renamed to Europe/Kyiv. Also, the following zones have been merged into nearby, more-populous zones whose clocks have agreed with them since 1970: Antarctica/Vostok, Asia/Brunei, Asia/Kuala_Lumpur, Atlantic/Reykjavik, Europe/Amsterdam, Europe/Copenhagen, Europe/Luxembourg, Europe/Monaco, Europe/Oslo, Europe/Stockholm, Indian/Christmas, Indian/Cocos, Indian/Kerguelen, Indian/Mahe, Indian/Reunion, Pacific/Chuuk, Pacific/Funafuti, Pacific/Majuro, Pacific/Pohnpei, Pacific/Wake and Pacific/Wallis. (This indirectly affects zones that were already links to one of these: Arctic/Longyearbyen, Atlantic/Jan_Mayen, Iceland, Pacific/Ponape, Pacific/Truk, and Pacific/Yap.) America/Nipigon, America/Rainy_River, America/Thunder_Bay, Europe/Uzhgorod, and Europe/Zaporozhye were also merged into nearby zones after discovering that their claimed post-1970 differences from those zones seem to have been errors. In all these cases, the previous zone name remains as an alias; but the actual data is that of the zone that was merged into.
These zone mergers result in loss of pre-1970 timezone history for the merged zones, which may be troublesome for applications expecting consistency of timestamptz display. As an example, the stored value 1944-06-01 12:00 UTC would previously display as 1944-06-01 13:00:00+01 if the Europe/Stockholm zone is selected, but now it will read out as 1944-06-01 14:00:00+02.
It is possible to build the time zone data files with options that will restore the older zone data, but that choice also inserts a lot of other old (and typically poorly-attested) zone data, resulting in more total changes from the previous release than accepting these upstream changes does. PostgreSQL has chosen to ship the tzdb data as-recommended, and so far as we are aware most major operating system distributions are doing likewise. However, if these changes cause significant problems for your application, a possible solution is to install a local build of the time zone data files using tzdb's backwards-compatibility options (see their PACKRATDATA and PACKRATLIST options).
⇑ Upgrade to 12.14 released on 2023-02-09 - docs
libpq can leak memory contents after GSSAPI transport encryption initiation fails (Jacob Champion)
A modified server, or an unauthenticated man-in-the-middle, can send a not-zero-terminated error message during setup of GSSAPI (Kerberos) transport encryption. libpq will then copy that string, as well as following bytes in application memory up to the next zero byte, to its error report. Depending on what the calling application does with the error report, this could result in disclosure of application memory contents. There is also a small probability of a crash due to reading beyond the end of memory. Fix by properly zero-terminating the server message. (CVE-2022-41862)
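The missing-terminator pattern described above, as an added C example that is not libpq's code: a reused receive buffer holds a message that arrived without a zero byte, and the error report is built once by trusting the peer and once after terminating at the received length. The buffer contents, sizes and function names are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define RECV_BUF_SIZE 64

/* Constructed sample data, not taken from a real session. */
static const char SERVER_MSG[]  = "GSS refused";              /* sent without a NUL */
static const char STALE_BYTES[] = "|stale:constructed-token"; /* left over in the buffer */

/* Simulate a reused receive buffer: stale bytes sit right after the new message. */
static size_t fill_recv_buffer(char *buf)
{
    size_t msg_len = strlen(SERVER_MSG);

    memset(buf, 0, RECV_BUF_SIZE);
    memcpy(buf + msg_len, STALE_BYTES, strlen(STALE_BYTES));
    memcpy(buf, SERVER_MSG, msg_len);   /* only msg_len bytes arrive from the peer */
    return msg_len;
}

/* "Before" pattern: trusts the peer to have terminated the message. */
void build_report_unterminated(const char *buf, char *report, size_t report_sz)
{
    snprintf(report, report_sz, "server error: %s", buf);
}

/*
 * "After" pattern: terminate at the received length before the buffer is
 * used as a C string. Returns -1 if the claimed length leaves no room for
 * the terminator, 0 on success.
 */
int build_report_terminated(char *buf, size_t buf_sz, size_t msg_len,
                            char *report, size_t report_sz)
{
    if (msg_len >= buf_sz)
        return -1;
    buf[msg_len] = '\0';
    snprintf(report, report_sz, "server error: %s", buf);
    return 0;
}

/* Returns 1 if the stale marker reached the error report, 0 if it did not. */
int report_contains_stale(int hardened)
{
    char   buf[RECV_BUF_SIZE];
    char   report[128];
    size_t msg_len = fill_recv_buffer(buf);

    if (hardened)
    {
        if (build_report_terminated(buf, sizeof buf, msg_len,
                                    report, sizeof report) != 0)
            return -1;
    }
    else
        build_report_unterminated(buf, report, sizeof report);

    return strstr(report, "constructed-token") != NULL;
}

/* A claimed length that fills the whole buffer must be refused. */
int oversized_length_rejected(void)
{
    char buf[RECV_BUF_SIZE];
    char report[128];

    fill_recv_buffer(buf);
    return build_report_terminated(buf, sizeof buf, RECV_BUF_SIZE,
                                   report, sizeof report) == -1;
}

int main(void)
{
    printf("unterminated copy carries stale bytes: %d\n", report_contains_stale(0));
    printf("terminated copy carries stale bytes:   %d\n", report_contains_stale(1));
    printf("oversized length rejected:             %d\n", oversized_length_rejected());
    return 0;
}
```

In the example the stale bytes live in the same array, so the unterminated read stays in bounds; in a real client the bytes after the message belong to whatever the allocator placed there.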
Allow REPLICA IDENTITY to be set on an index that's not (yet) valid (Tom Lane)
When pg_dump dumps a partitioned index that's marked REPLICA IDENTITY, it generates a command sequence that applies REPLICA IDENTITY before the partitioned index has been marked valid, causing restore to fail. There seems no very good reason to prohibit doing it in that order, so allow it. The marking will have no effect anyway until the index becomes valid.
Fix handling of DEFAULT markers in rules that perform an INSERT from a multi-row VALUES list (Dean Rasheed)
In some cases a DEFAULT marker would not get replaced with the proper default-value expression, leading to an “unrecognized node type” error.
Reject uses of undefined variables in jsonpath existence checks (Alexander Korotkov, David G. Johnston)
While jsonpath match operators threw an error for an undefined variable in the path pattern, the existence operators silently treated it as a match.
Fix edge-case data corruption in parallel hash joins (Dmitry Astapov)
If the final chunk of a large tuple being written out to a temporary file was exactly 32760 bytes, it would be corrupted due to a fencepost bug. The query would typically fail later with corrupted-data symptoms.
Honor non-default settings of checkpoint_completion_target (Bharath Rupireddy)
Internal state was not updated after a change in checkpoint_completion_target, possibly resulting in performing checkpoint I/O faster or slower than desired, especially if that setting was changed on-the-fly.
Log the correct ending timestamp in recovery_target_xid mode (Tom Lane)
When ending recovery based on the recovery_target_xid setting with recovery_target_inclusive = off, we printed an incorrect timestamp (always 2000-01-01) in the “recovery stopping before ... transaction” log message.
Prevent “wrong tuple length” failure at the end of VACUUM (Ashwin Agrawal, Junfeng Yang)
This occurred if VACUUM needed to update the current database's datfrozenxid value and the database has so many granted privileges that its datacl value has been pushed out-of-line.
In extended query protocol, avoid an immediate commit after ANALYZE if we're running a pipeline (Tom Lane)
If there's not been an explicit BEGIN TRANSACTION, ANALYZE would take it on itself to commit, which should not happen within a pipelined series of commands.
Reject cancel request packets having the wrong length (Andrey Borodin)
The server would process a cancel request even if its length word was too small. This led to reading beyond the end of the allocated buffer. In theory that could cause a segfault, but it seems quite unlikely to happen in practice, since the buffer would have to be very close to the end of memory. The more likely outcome was a bogus log message about wrong backend PID or cancel code. Complain about the wrong length, instead.
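A length-checked parser for the cancel request packet, as an added example that is not PostgreSQL's own code: it assumes the protocol 3.0 layout (4-byte self-inclusive length of 16, request code 80877102, backend PID, secret key, all big-endian), and the function names, return codes and sample packets are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CANCEL_REQUEST_CODE 80877102u   /* (1234 << 16) | 5678 */
#define CANCEL_PACKET_LEN   16u         /* length word + code + PID + secret key */

typedef struct { uint32_t pid, key; } cancel_request;

/* Constructed sample packets (PID 4242 and key 0x0A0B0C0D are made up). */
static const unsigned char GOOD_PKT[]  = { 0,0,0,16, 0x04,0xD2,0x16,0x2E,
                                           0,0,0x10,0x92, 0x0A,0x0B,0x0C,0x0D };
static const unsigned char SHORT_PKT[] = { 0,0,0,8,  0x04,0xD2,0x16,0x2E };

static uint32_t be32(const unsigned char *p)
{
    return ((uint32_t) p[0] << 24) | ((uint32_t) p[1] << 16) |
           ((uint32_t) p[2] << 8) | (uint32_t) p[3];
}

/* Returns 0 and fills *out for a well-formed cancel request, -1 if the
 * packet is truncated, -2 if it is some other startup-phase packet, and
 * -3 if it carries the cancel code but the wrong length. */
int parse_cancel_request(const unsigned char *pkt, size_t avail,
                         cancel_request *out)
{
    uint32_t len;
    if (avail < 8)
        return -1;                      /* need length word + request code */
    len = be32(pkt);                    /* length word counts itself */
    if (len < 8 || len > avail)
        return -1;
    if (be32(pkt + 4) != CANCEL_REQUEST_CODE)
        return -2;
    if (len != CANCEL_PACKET_LEN)
        return -3;                      /* reject before touching PID/key */
    out->pid = be32(pkt + 8);
    out->key = be32(pkt + 12);
    return 0;
}

int main(void)
{
    cancel_request r;
    printf("good:  %d\n", parse_cancel_request(GOOD_PKT, sizeof GOOD_PKT, &r));
    printf("short: %d\n", parse_cancel_request(SHORT_PKT, sizeof SHORT_PKT, &r));
    return 0;
}
```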
Add recursion and looping defenses in subquery pullup (Tom Lane)
A contrived query can result in deep recursion and unreasonable amounts of time spent trying to flatten subqueries. A proper fix for that seems unduly invasive for a back-patch, but we can at least add stack depth checks and an interrupt check to allow the query to be cancelled.
Fix partitionwise-join code to tolerate failure to produce a plan for each partition (Tom Lane)
This could result in “could not devise a query plan for the given query” errors.
Limit the amount of cleanup work done by get_actual_variable_range (Simon Riggs)
Planner runs occurring just after deletion of a large number of tuples appearing at the end of an index could expend significant amounts of work setting the “killed” bits for those index entries. Limit the amount of work done in any one query by giving up on this process after examining 100 heap pages. All the cleanup will still happen eventually, but without so large a performance hiccup.
Ensure that execution of full-text-search queries can be cancelled while they are performing phrase matches (Tom Lane)
Fix memory leak in hashing strings with nondeterministic collations (Jeff Davis)
Clean up the libpq connection object after a failed replication connection attempt (Andres Freund)
The previous coding leaked the connection object. In background code paths that's pretty harmless because the calling process will give up and exit. But in commands such as CREATE SUBSCRIPTION, such a failure resulted in a small session-lifespan memory leak.
In hot-standby servers, reduce processing effort for tracking XIDs known to be active on the primary (Simon Riggs, Michail Nikolaev)
Insufficiently-aggressive cleanup of the KnownAssignedXids array could lead to poor performance, particularly when max_connections is set to a large value on the standby.
Fix uninitialized-memory usage in logical decoding (Masahiko Sawada)
In certain cases, resumption of logical decoding could try to re-use XID data that had already been freed, leading to unpredictable behavior.
Avoid rare “failed to acquire cleanup lock” panic during WAL replay of hash-index page split operations (Robert Haas)
Advance a heap page's LSN when setting its all-visible bit during WAL replay (Jeff Davis)
Failure to do this left the page possibly different on standby servers than the primary, and violated some other expectations about when the LSN changes. This seems only a theoretical hazard so far as PostgreSQL itself is concerned, but it could upset third-party tools.
Prevent unsafe usage of a relation cache entry's rd_smgr pointer (Amul Sul)
Remove various assumptions that rd_smgr would stay valid over a series of operations, by wrapping all uses of it in a function that will recompute it if needed. This prevents bugs occurring when an unexpected cache flush occurs partway through such a series.
Fix latent buffer-overrun problem in WaitEventSet logic (Thomas Munro)
The epoll-based and kqueue-based implementations could ask the kernel for too many events if the size of their internal buffer was different from the size of the caller's output buffer. That case is not known to occur in released PostgreSQL versions, but this error is a hazard for external modules and future bug fixes.
Avoid nominally-undefined behavior when accessing shared memory in 32-bit builds (Andres Freund)
clang's undefined-behavior sanitizer complained about use of a pointer that was less aligned than it should be. It's very unlikely that this would cause a problem in non-debug builds, but it's worth fixing for testing purposes.
Remove faulty assertion in useless-RESULT-RTE optimization logic (Tom Lane)
Fix copy-and-paste errors in cache-lookup-failure messages for ACL checks (Justin Pryzby)
In principle these errors should never be reached. But if they are, some of them reported the wrong type of object.
In pg_dump, avoid calling unsafe server functions before we have locks on the tables to be examined (Tom Lane, Gilles Darold)
pg_dump uses certain server functions that can fail if examining a table that gets dropped concurrently. Avoid this type of failure by ensuring that we obtain access share lock before inquiring too deeply into a table's properties, and that we don't apply such functions to tables we don't intend to dump at all.
Fix tab completion of ALTER FUNCTION/PROCEDURE/ROUTINE ... SET SCHEMA (Dean Rasheed)
Fix faulty assertion in contrib/postgres_fdw (Etsuro Fujita)
Fix contrib/seg to not crash or print garbage if an input number has more than 127 digits (Tom Lane)
In contrib/sepgsql, avoid deprecation warnings with recent libselinux (Michael Paquier)
Fix build on Microsoft Visual Studio 2013 (Tom Lane)
A previous patch supposed that all platforms of interest have snprintf(), but MSVC 2013 isn't quite there yet. Revert to using sprintf() on that platform.
Fix compile failure in building PL/Perl with MSVC when using Strawberry Perl (Andrew Dunstan)
Fix mismatch of PL/Perl built with MSVC versus a Perl library built with gcc (Andrew Dunstan)
Such combinations could previously fail with “loadable library and perl binaries are mismatched” errors.
Suppress compiler warnings from Perl's header files (Andres Freund)
Our preferred compiler options provoke warnings about constructs appearing in recent versions of Perl's header files. When using gcc, we can suppress these warnings with a pragma.
Fix pg_waldump to build on compilers that don't discard unused static-inline functions (Tom Lane)
Update time zone data files to tzdata release 2022g for DST law changes in Greenland and Mexico, plus historical corrections for northern Canada, Colombia, and Singapore.
Notably, a new timezone America/Ciudad_Juarez has been split off from America/Ojinaga.