Restrict visibility of pg_user_mappings.umoptions, to protect passwords stored as user mapping options (Michael Paquier, Feike Steenbergen)
The previous coding allowed the owner of a foreign
server object, or anyone he has granted server
USAGE permission to, to see
the options for all user mappings associated with that
server. This might well include passwords for other
users. Adjust the view definition to match the behavior
of information_schema.user_mapping_options,
namely that these options are visible to the user being
mapped, or if the mapping is for PUBLIC and the current user is the
server owner, or if the current user is a superuser.
(CVE-2017-7486)
By itself, this patch will only fix the behavior in newly initdb'd databases. If you wish to apply this change in an existing database, follow the corrected procedure shown in the changelog entry for CVE-2017-7547, in Section E.7.
Prevent exposure of statistical information via leaky operators (Peter Eisentraut)
Some selectivity estimation functions in the planner
will apply user-defined operators to values obtained from
pg_statistic, such as
most common values and histogram entries. This occurs
before table permissions are checked, so a nefarious user
could exploit the behavior to obtain these values for
table columns he does not have permission to read. To
fix, fall back to a default estimate if the operator's
implementation function is not certified leak-proof and
the calling user does not have permission to read the
table column whose statistics are needed. At least one of
these criteria is satisfied in most cases in practice.
(CVE-2017-7484)
Restore libpq's recognition of the PGREQUIRESSL environment variable (Daniel Gustafsson)
Processing of this environment variable was
unintentionally dropped in PostgreSQL 9.3, but its
documentation remained. This creates a security hazard,
since users might be relying on the environment variable
to force SSL-encrypted connections, but that would no
longer be guaranteed. Restore handling of the variable,
but give it lower priority than PGSSLMODE, to avoid breaking
configurations that work correctly with post-9.3 code.
(CVE-2017-7485)
Further restrict visibility of pg_user_mappings.umoptions, to protect passwords stored as user mapping options (Noah Misch)
The fix for CVE-2017-7486 was incorrect: it allowed a
user to see the options in her own user mapping, even if
she did not have USAGE
permission on the associated foreign server. Such options
might include a password that had been provided by the
server owner rather than the user herself. Since
information_schema.user_mapping_options
does not show the options in such cases, pg_user_mappings should not either.
(CVE-2017-7547)
By itself, this patch will only fix the behavior in newly initdb'd databases. If you wish to apply this change in an existing database, you will need to do the following:
Restart the postmaster after adding allow_system_table_mods = true to postgresql.conf. (In versions supporting ALTER SYSTEM, you can use that to make the configuration change, but you'll still need a restart.)
In each database of the cluster, run the following commands as superuser:
    SET search_path = pg_catalog;
    CREATE OR REPLACE VIEW pg_user_mappings AS
        SELECT
            U.oid       AS umid,
            S.oid       AS srvid,
            S.srvname   AS srvname,
            U.umuser    AS umuser,
            CASE WHEN U.umuser = 0 THEN
                'public'
            ELSE
                A.rolname
            END AS usename,
            CASE WHEN (U.umuser <> 0 AND A.rolname = current_user
                         AND (pg_has_role(S.srvowner, 'USAGE')
                              OR has_server_privilege(S.oid, 'USAGE')))
                        OR (U.umuser = 0 AND pg_has_role(S.srvowner, 'USAGE'))
                        OR (SELECT rolsuper FROM pg_authid WHERE rolname = current_user)
                        THEN U.umoptions
                     ELSE NULL END AS umoptions
        FROM pg_user_mapping U
             LEFT JOIN pg_authid A ON (A.oid = U.umuser) JOIN
            pg_foreign_server S ON (U.umserver = S.oid);
Do not forget to include the template0 and template1 databases, or the vulnerability will still exist in databases you create later. To fix template0, you'll need to temporarily make it accept connections. In PostgreSQL 9.5 and later, you can use
    ALTER DATABASE template0 WITH ALLOW_CONNECTIONS true;
and then after fixing template0, undo that with
    ALTER DATABASE template0 WITH ALLOW_CONNECTIONS false;
In prior versions, instead use
    UPDATE pg_database SET datallowconn = true WHERE datname = 'template0';
    UPDATE pg_database SET datallowconn = false WHERE datname = 'template0';
Finally, remove the allow_system_table_mods configuration setting, and again restart the postmaster.
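The per-database step of the procedure above can be scripted so that no database is skipped and template0 is never left open. This is an added example, not part of the PostgreSQL release notes. It assumes the postmaster already runs with allow_system_table_mods = true, that psql connects as a superuser, and that fix_pg_user_mappings.sql (a hypothetical file name) holds the SET search_path and CREATE OR REPLACE VIEW statements from the release note; the function and variable names are illustrative.

```shell
#!/bin/sh
# Added example: apply the pg_user_mappings view replacement to every database
# of a cluster, including template0 and template1.
# Assumptions (not from the release notes): the function names, the PSQL and
# FIX_SQL variables, and the file name fix_pg_user_mappings.sql.

PSQL=${PSQL:-psql}
FIX_SQL=${FIX_SQL:-fix_pg_user_mappings.sql}

# Run one statement in the maintenance database and print bare tuples.
q() { "$PSQL" -X -At -v ON_ERROR_STOP=1 -d postgres -c "$1" </dev/null; }

# Apply the view replacement script to database $1.
fix_db() { "$PSQL" -X -q -v ON_ERROR_STOP=1 -d "$1" -f "$FIX_SQL" </dev/null; }

# Open ($1 = true) or close ($1 = false) template0 for connections, choosing
# the statement the release note gives for the running server version.
set_template0_conn() {
    ver=$(q 'SHOW server_version_num') || return 1
    if [ "$ver" -ge 90500 ]; then
        q "ALTER DATABASE template0 WITH ALLOW_CONNECTIONS $1;"
    else
        q "UPDATE pg_database SET datallowconn = $1 WHERE datname = 'template0';"
    fi
}

# Fix all databases. Returns 0 only if every database was fixed and template0
# was closed again; a failure in one database does not stop the others.
fix_all() {
    rc=0
    dbs=$(q "SELECT datname FROM pg_database WHERE datname <> 'template0'") || return 1
    while IFS= read -r db; do
        [ -n "$db" ] || continue
        fix_db "$db" || { echo "FAILED: $db" >&2; rc=1; }
    done <<EOF
$dbs
EOF
    set_template0_conn true || return 1
    fix_db template0 || { echo "FAILED: template0" >&2; rc=1; }
    # Close template0 again even if the fix failed, so it is never left open.
    set_template0_conn false || { echo "template0 still accepts connections" >&2; rc=1; }
    return $rc
}

# Nothing runs unless asked for explicitly.
if [ "${1:-}" = "--apply" ]; then
    fix_all
fi
```

The first and last steps of the procedure (setting and later removing allow_system_table_mods, each with a restart) are left to the operator.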
Disallow empty passwords in all password-based authentication methods (Heikki Linnakangas)
libpq ignores empty
password specifications, and does not transmit them to
the server. So, if a user's password has been set to the
empty string, it's impossible to log in with that
password via psql or
other libpq-based
clients. An administrator might therefore believe that
setting the password to empty is equivalent to disabling
password login. However, with a modified or
non-libpq-based client,
logging in could be possible, depending on which
authentication method is configured. In particular the
most common method, md5,
accepted empty passwords. Change the server to reject
empty passwords in all cases. (CVE-2017-7546)
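An audit for roles whose stored md5 verifier corresponds to the empty password, as an added example that is not part of the release notes. It relies on the md5 storage format, the string md5 followed by the hex MD5 of the password concatenated with the role name; the function names and the sample rows are constructed for illustration.

```shell
#!/bin/sh
# Added example: find roles that an administrator may believe are disabled
# because their password was set to the empty string.
# PostgreSQL stores an md5 password as "md5" + hex(md5(password || rolname)),
# so the verifier for an empty password is "md5" + hex(md5(rolname)).
# Function names and sample data are illustrative, not from the release notes.

md5_hex() { printf '%s' "$1" | md5sum | cut -d' ' -f1; }

# Verifier that role $1 would have if its password were the empty string.
empty_verifier() { printf 'md5%s' "$(md5_hex "$1")"; }

# Read "rolname|rolpassword" rows on stdin, the default output format of
#   psql -X -At -c "SELECT rolname, rolpassword FROM pg_authid"
# run as superuser, and print each role whose verifier is the empty-password
# one. Role names containing "|" are not handled.
find_empty_password_roles() {
    while IFS='|' read -r role verifier; do
        [ -n "$role" ] || continue
        [ -n "$verifier" ] || continue      # empty field: no md5 verifier stored
        if [ "$verifier" = "$(empty_verifier "$role")" ]; then
            printf '%s\n' "$role"
        fi
    done
}

# Constructed sample rows: one real password, two empty ones, one role
# without any stored password.
sample_rows() {
    printf 'alice|md5%s\n' "$(md5_hex 'correct horsealice')"
    printf 'svc_report|%s\n' "$(empty_verifier svc_report)"
    printf 'nologin|\n'
    printf 'batch|%s\n' "$(empty_verifier batch)"
}

if [ "${1:-}" = "--demo" ]; then
    sample_rows | find_empty_password_roles
fi
```

Roles reported by the audit should have their password removed or replaced, since non-libpq clients could authenticate to them on unpatched servers.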
Make lo_put() check for UPDATE privilege on the target large object (Tom Lane, Michael Paquier)
lo_put() should surely require the same permissions as lowrite(), but the check was missing,
allowing any user to change the data in a large object.
(CVE-2017-7548)
Ensure that INSERT ... ON CONFLICT DO UPDATE checks table permissions and RLS policies in all cases (Dean Rasheed)
The update path of INSERT ... ON
CONFLICT DO UPDATE requires SELECT permission on the columns of the
arbiter index, but it failed to check for that in the
case of an arbiter specified by constraint name. In
addition, for a table with row level security enabled, it
failed to check updated rows against the table's
SELECT policies (regardless
of how the arbiter index was specified).
(CVE-2017-15099)
Fix crash due to rowtype mismatch in json{b}_populate_recordset() (Michael Paquier, Tom Lane)
These functions used the result rowtype specified in
the FROM ... AS clause
without checking that it matched the actual rowtype of
the supplied tuple value. If it didn't, that would
usually result in a crash, though disclosure of server
memory contents seems possible as well.
(CVE-2017-15098)
Fix sample server-start scripts to become $PGUSER before opening $PGLOG (Noah Misch)
Previously, the postmaster log file was opened while
still running as root. The database owner could therefore
mount an attack against another system user by making
$PGLOG be a symbolic link to
some other file, which would then become corrupted by
appending log messages.
By default, these scripts are not installed anywhere.
Users who have made use of them will need to manually
recopy them, or apply the same changes to their modified
versions. If the existing $PGLOG file is root-owned, it will need
to be removed or renamed out of the way before restarting
the server with the corrected script.
(CVE-2017-12172)
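A pre-restart check for the two conditions described above, a $PGLOG that is a symbolic link and a $PGLOG left behind with the wrong owner. This is an added example, not code from the PostgreSQL sample scripts; the function name check_pglog and its return codes are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: inspect the log file a start script is about to use.
# check_pglog PATH OWNER
#   returns 0  PATH is absent, or is a regular file owned by OWNER
#   returns 1  PATH is a symbolic link (dangling ones included) or is not a
#              regular file
#   returns 2  PATH is a regular file owned by someone else, for example a
#              root-owned log left by the old script
# The check is advisory: it inspects the path and then returns, so it does not
# replace opening the log as $PGUSER, which is what the corrected scripts do.
check_pglog() {
    log=$1
    owner=$2
    if [ -L "$log" ]; then
        echo "$log is a symbolic link; log output would be appended to its target" >&2
        return 1
    fi
    # A missing file is fine: the server user will create it.
    [ -e "$log" ] || return 0
    if [ ! -f "$log" ]; then
        echo "$log is not a regular file" >&2
        return 1
    fi
    # find prints the path only when it is owned by $owner (name or numeric uid).
    if [ -z "$(find "$log" -prune -user "$owner" 2>/dev/null)" ]; then
        echo "$log is not owned by $owner; remove or rename it before restarting" >&2
        return 2
    fi
    return 0
}

# Run only when both values are supplied, e.g. from a wrapper around the
# start script:  PGLOG=/path/to/serverlog PGUSER=postgres sh check.sh
if [ -n "${PGLOG:-}" ] && [ -n "${PGUSER:-}" ]; then
    check_pglog "$PGLOG" "$PGUSER"
fi
```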
Fix processing of partition keys containing multiple expressions (Álvaro Herrera, David Rowley)
This error led to crashes or, with carefully crafted input, disclosure of arbitrary backend memory. (CVE-2018-1052)
Ensure that all temporary files made by pg_upgrade are non-world-readable (Tom Lane, Noah Misch)
pg_upgrade normally
restricts its temporary files to be readable and writable
only by the calling user. But the temporary file
containing pg_dumpall -g
output would be group- or world-readable, or even
writable, if the user's umask setting allows. In typical usage
on multi-user machines, the umask and/or the working directory's
permissions would be tight enough to prevent problems;
but there may be people using pg_upgrade in scenarios where this
oversight would permit disclosure of database passwords
to unfriendly eyes. (CVE-2018-1053)
Upgrade to 9.6.1 released on 2016-10-27
Fix WAL-logging of truncation of relation free space maps and visibility maps (Pavan Deolasee, Heikki Linnakangas)
It was possible for these files to not be correctly
restored during crash recovery, or to be written
incorrectly on a standby server. Bogus entries in a free
space map could lead to attempts to access pages that
have been truncated away from the relation itself,
typically producing errors like “could not read block XXX: read only 0 of 8192 bytes”. Checksum failures in the
visibility map are also possible, if checksumming is
enabled.
Procedures for determining whether there is a problem and repairing it if so are discussed at https://wiki.postgresql.org/wiki/Free_Space_Map_Problems.
Fix possible data corruption when pg_upgrade rewrites a relation visibility map into 9.6 format (Tom Lane)
On big-endian machines, bytes of the new visibility map were written in the wrong order, leading to a completely incorrect map. On Windows, the old map was read using text mode, leading to incorrect results if the map happened to contain consecutive bytes that matched a carriage return/line feed sequence. The latter error would almost always lead to a pg_upgrade failure due to the map file appearing to be the wrong length.
If you are using a big-endian machine (many non-Intel
architectures are big-endian) and have used pg_upgrade to upgrade from a pre-9.6
release, you should assume that all visibility maps are
incorrect and need to be regenerated. It is sufficient to
truncate each relation's visibility map with contrib/pg_visibility's pg_truncate_visibility_map() function.
For more information see https://wiki.postgresql.org/wiki/Visibility_Map_Problems.
Don't throw serialization errors for self-conflicting
insertions in INSERT ... ON
CONFLICT (Thomas Munro, Peter Geoghegan)
Fix use-after-free hazard in execution of aggregate
functions using DISTINCT
(Peter Geoghegan)
This could lead to a crash or incorrect query results.
Fix incorrect handling of polymorphic aggregates used as window functions (Tom Lane)
The aggregate's transition function was told that its first argument and result were of the aggregate's output type, rather than the state type. This led to errors or crashes with polymorphic transition functions.
Fix COPY with a column
name list from a table that has row-level security
enabled (Adam Brightwell)
Fix EXPLAIN to emit valid
XML when track_io_timing
is on (Markus Winand)
Previously the XML output-format option produced
syntactically invalid tags such as <I/O-Read-Time>. That is now
rendered as <I-O-Read-Time>.
Fix statistics update for TRUNCATE in a prepared transaction (Stas
Kelvich)
Fix bugs in merging inherited CHECK constraints while creating or
altering a table (Tom Lane, Amit Langote)
Allow identical CHECK
constraints to be added to a parent and child table in
either order. Prevent merging of a valid constraint from
the parent table with a NOT
VALID constraint on the child. Likewise, prevent
merging of a NO INHERIT
child constraint with an inherited constraint.
Show a sensible value in pg_settings.unit for min_wal_size and max_wal_size (Tom Lane)
Fix replacement of array elements in jsonb_set() (Tom Lane)
If the target is an existing JSON array element, it got deleted instead of being replaced with a new value.
Avoid very-low-probability data corruption due to testing tuple visibility without holding buffer lock (Thomas Munro, Peter Geoghegan, Tom Lane)
Preserve commit timestamps across server restart (Julien Rouhaud, Craig Ringer)
With track_commit_timestamp turned on, old commit timestamps became inaccessible after a clean server restart.
Fix logical WAL decoding to work properly when a subtransaction's WAL output is large enough to spill to disk (Andres Freund)
Fix dangling-pointer problem in logical WAL decoding (Stas Kelvich)
Round shared-memory allocation request to a multiple of the actual huge page size when attempting to use huge pages on Linux (Tom Lane)
This avoids possible failures during munmap() on systems with atypical
default huge page sizes. Except in crash-recovery cases,
there were no ill effects other than a log message.
Don't try to share SSL contexts across multiple connections in libpq (Heikki Linnakangas)
This led to assorted corner-case bugs, particularly when trying to use different SSL parameters for different connections.
Avoid corner-case memory leak in libpq (Tom Lane)
The reported problem involved leaking an error report
during PQreset(), but there
might be related cases.
In pg_upgrade, check library loadability in name order (Tom Lane)
This is a workaround to deal with cross-extension dependencies from language transform modules to their base language and data type modules.
Fix pg_upgrade to work correctly for extensions containing index access methods (Tom Lane)
To allow this, the server has been extended to support
ALTER EXTENSION ADD/DROP ACCESS
METHOD. That functionality should have been
included in the original patch to support dynamic
creation of access methods, but it was overlooked.
Improve error reporting in pg_upgrade's file copying/linking/rewriting steps (Tom Lane, Álvaro Herrera)
Fix pg_dump to work against pre-7.4 servers (Amit Langote, Tom Lane)
Disallow specifying both --source-server and --source-target options to pg_rewind (Michael Banck)
Make pg_rewind turn
off synchronous_commit in
its session on the source server (Michael Banck, Michael
Paquier)
This allows pg_rewind to work even when the source server is using synchronous replication that is not working for some reason.
In pg_xlogdump, retry
opening new WAL segments when using --follow option (Magnus Hagander)
This allows for a possible delay in the server's creation of the next segment.
Fix contrib/pg_visibility to report the
correct TID for a corrupt tuple that has been the subject
of a rolled-back update (Tom Lane)
Fix makefile dependencies so that parallel make of PL/Python by itself will succeed reliably (Pavel Raiskup)
Update time zone data files to tzdata release 2016h for DST law changes in Palestine and Turkey, plus historical corrections for Turkey and some regions of Russia. Switch to numeric abbreviations for some time zones in Antarctica, the former Soviet Union, and Sri Lanka.
The IANA time zone database previously provided
textual abbreviations for all time zones, sometimes
making up abbreviations that have little or no currency
among the local population. They are in process of
reversing that policy in favor of using numeric UTC
offsets in zones where there is no evidence of real-world
use of an English abbreviation. At least for the time
being, PostgreSQL will
continue to accept such removed abbreviations for
timestamp input. But they will not be shown in the
pg_timezone_names view
nor used for output.
In this update, AMT is no
longer shown as being in use to mean Armenia Time.
Therefore, we have changed the Default abbreviation set to interpret it
as Amazon Time, thus UTC-4 not UTC+4.
Upgrade to 9.6.2 released on 2017-02-09
Fix a race condition that could cause indexes built
with CREATE INDEX
CONCURRENTLY to be corrupt (Pavan Deolasee, Tom
Lane)
If CREATE INDEX
CONCURRENTLY was used to build an index that
depends on a column not previously indexed, then rows
updated by transactions that ran concurrently with the
CREATE INDEX command could
have received incorrect index entries. If you suspect
this may have happened, the most reliable solution is to
rebuild affected indexes after installing this
update.
Ensure that the special snapshot used for catalog scans is not invalidated by premature data pruning (Tom Lane)
Backends failed to account for this snapshot when advertising their oldest xmin, potentially allowing concurrent vacuuming operations to remove data that was still needed. This led to transient failures along the lines of “cache lookup failed for relation 1255”.
Fix incorrect WAL logging for BRIN indexes (Kuntal Ghosh)
The WAL record emitted for a BRIN “revmap” page when moving an index tuple to a different page was incorrect. Replay would make the related portion of the index useless, forcing it to be recomputed.
Unconditionally WAL-log creation of the “init fork” for an unlogged table (Michael Paquier)
Previously, this was skipped when wal_level = minimal, but actually it's
necessary even in that case to ensure that the unlogged
table is properly reset to empty after a crash.
If the stats collector dies during hot standby, restart it (Takayuki Tsunakawa)
Ensure that hot standby feedback works correctly when it's enabled at standby server start (Ants Aasma, Craig Ringer)
Check for interrupts while hot standby is waiting for a conflicting query (Simon Riggs)
Avoid constantly respawning the autovacuum launcher in a corner case (Amit Khandekar)
This fix avoids problems when autovacuum is nominally off and there are some tables that require freezing, but all such tables are already being processed by autovacuum workers.
Disallow setting the num_sync field to zero in
synchronous_standby_names (Fujii Masao)
The correct way to disable synchronous standby is to set the whole value to an empty string.
Don't count background worker processes against a user's connection limit (David Rowley)
Fix check for when an extension member object can be dropped (Tom Lane)
Extension upgrade scripts should be able to drop member objects, but this was disallowed for serial-column sequences, and possibly other cases.
Fix tracking of initial privileges for extension
member objects so that it works correctly with
ALTER EXTENSION ... ADD/DROP
(Stephen Frost)
An object's current privileges at the time it is added to the extension will now be considered its default privileges; only later changes in its privileges will be dumped by subsequent pg_dump runs.
Make sure ALTER TABLE
preserves index tablespace assignments when rebuilding
indexes (Tom Lane, Michael Paquier)
Previously, non-default settings of default_tablespace could result in broken indexes.
Fix incorrect updating of trigger function properties
when changing a foreign-key constraint's deferrability
properties with ALTER TABLE ...
ALTER CONSTRAINT (Tom Lane)
This led to odd failures during subsequent exercise of the foreign key, as the triggers were fired at the wrong times.
Prevent dropping a foreign-key constraint if there are pending trigger events for the referenced relation (Tom Lane)
This avoids “could not find trigger NNN” or “relation NNN has no triggers” errors.
Fix ALTER TABLE ... SET DATA
TYPE ... USING when child table has different
column ordering than the parent (Álvaro Herrera)
Failure to adjust the column numbering in the USING expression led to errors, typically “attribute N has wrong type”.
Fix processing of OID column when a table with OIDs is
associated to a parent with OIDs via ALTER TABLE ... INHERIT (Amit
Langote)
The OID column should be treated the same as regular user columns in this case, but it wasn't, leading to odd behavior in later inheritance changes.
Ensure that CREATE TABLE ...
LIKE ... WITH OIDS creates a table with OIDs,
whether or not the LIKE-referenced table(s) have OIDs (Tom
Lane)
Fix CREATE OR REPLACE
VIEW to update the view query before attempting to
apply the new view options (Dean Rasheed)
Previously the command would fail if the new options were inconsistent with the old view definition.
Report correct object identity during ALTER TEXT SEARCH CONFIGURATION (Artur
Zakirov)
The wrong catalog OID was reported to extensions such as logical decoding.
Fix commit timestamp mechanism to not fail when
queried about the special XIDs FrozenTransactionId and BootstrapTransactionId (Craig
Ringer)
Fix incorrect use of view reloptions as regular table reloptions (Tom Lane)
The symptom was spurious “ON CONFLICT is not supported on table ... used as a catalog table” errors when the target of INSERT ... ON CONFLICT is a view with cascade option.
Fix incorrect “target lists can have at most N entries” complaint when using ON CONFLICT with wide tables (Tom Lane)
Fix spurious “query provides a value for a dropped column” errors during INSERT or UPDATE on a table with a dropped column (Tom Lane)
Prevent multicolumn expansion of foo.* in an UPDATE source expression (Tom Lane)
This led to “UPDATE target count mismatch --- internal error”. Now the syntax is understood as a whole-row variable, as it would be in other contexts.
Ensure that column typmods are determined accurately
for multi-row VALUES
constructs (Tom Lane)
This fixes problems occurring when the first value in
a column has a determinable typmod (e.g., length for a
varchar value) but later values
don't share the same limit.
Throw error for an unfinished Unicode surrogate pair at the end of a Unicode string (Tom Lane)
Normally, a Unicode surrogate leading character must
be followed by a Unicode surrogate trailing character,
but the check for this was missed if the leading
character was the last character in a Unicode string
literal (U&'...') or
Unicode identifier (U&"...").
Fix execution of DISTINCT
and ordered aggregates when multiple such aggregates are
able to share the same transition state (Heikki
Linnakangas)
Fix implementation of phrase search operators in
tsquery (Tom Lane)
Remove incorrect, and inconsistently-applied, rewrite rules that tried to transform away AND/OR/NOT operators appearing below a PHRASE operator; instead upgrade the execution engine to handle such cases correctly. This fixes assorted strange behavior and possible crashes for text search queries containing such combinations. Also fix nested PHRASE operators to work sanely in combinations other than simple left-deep trees, correct the behavior when removing stopwords from a phrase search clause, and make sure that index searches behave consistently with simple sequential-scan application of such queries.
Ensure that a purely negative text search query, such
as !foo, matches empty
tsvectors (Tom Dunstan)
Such matches were found by GIN index searches, but not by sequential scans or GiST index searches.
Prevent crash when ts_rewrite() replaces a non-top-level
subtree with an empty query (Artur Zakirov)
Fix performance problems in ts_rewrite() (Tom Lane)
Fix ts_rewrite()'s
handling of nested NOT operators (Tom Lane)
Improve speed of user-defined aggregates that use
array_append() as
transition function (Tom Lane)
Fix array_fill() to
handle empty arrays properly (Tom Lane)
Fix possible crash in array_position() or array_positions() when processing
arrays of records (Junseok Yang)
Fix one-byte buffer overrun in quote_literal_cstr() (Heikki
Linnakangas)
The overrun occurred only if the input consisted entirely of single quotes and/or backslashes.
Prevent multiple calls of pg_start_backup() and pg_stop_backup() from running
concurrently (Michael Paquier)
This avoids an assertion failure, and possibly worse things, if someone tries to run these functions in parallel.
Disable transform that attempted to remove no-op
AT TIME ZONE conversions
(Tom Lane)
This resulted in wrong answers when the simplified expression was used in an index condition.
Avoid discarding interval-to-interval casts that aren't really no-ops
(Tom Lane)
In some cases, a cast that should result in zeroing
out low-order interval fields
was mistakenly deemed to be a no-op and discarded. An
example is that casting from INTERVAL
MONTH to INTERVAL YEAR
failed to clear the months field.
Fix crash if the number of workers available to a parallel query decreases during a rescan (Andreas Seltenreich)
Fix bugs in transmitting GUC parameter values to parallel workers (Michael Paquier, Tom Lane)
Allow statements prepared with PREPARE to be given parallel plans (Amit
Kapila, Tobias Bussmann)
Fix incorrect generation of parallel plans for semi-joins (Tom Lane)
Fix planner's cardinality estimates for parallel joins (Robert Haas)
Ensure that these estimates reflect the number of rows predicted to be seen by each worker, rather than the total.
Fix planner to avoid trying to parallelize plan nodes containing initplans or subplans (Tom Lane, Amit Kapila)
Ensure that cached plans are invalidated by changes in foreign-table options (Amit Langote, Etsuro Fujita, Ashutosh Bapat)
Fix the plan generated for sorted partial aggregation
with a constant GROUP BY
clause (Tom Lane)
Fix “could not find plan for CTE” planner error when dealing with a UNION ALL containing CTE references (Tom Lane)
Fix mishandling of initplans when forcibly adding a Material node to a subplan (Tom Lane)
The typical consequence of this mistake was a “plan should not reference subplan's variable” error.
Fix foreign-key-based join selectivity estimation for semi-joins and anti-joins, as well as inheritance cases (Tom Lane)
The new code for taking the existence of a foreign key relationship into account did the wrong thing in these cases, making the estimates worse not better than the pre-9.6 code.
Fix pg_dump to emit the data of a sequence that is marked as an extension configuration table (Michael Paquier)
Fix mishandling of ALTER DEFAULT
PRIVILEGES ... REVOKE in pg_dump (Stephen Frost)
pg_dump missed
issuing the required REVOKE
commands in cases where ALTER
DEFAULT PRIVILEGES had been used to reduce
privileges to less than they would normally be.
Fix pg_dump to dump user-defined casts and transforms that use built-in functions (Stephen Frost)
Fix pg_restore with
--create --if-exists to
behave more sanely if an archive contains unrecognized
DROP commands (Tom Lane)
This doesn't fix any live bug, but it may improve the behavior in future if pg_restore is used with an archive generated by a later pg_dump version.
Fix pg_basebackup's rate limiting in the presence of slow I/O (Antonin Houska)
If disk I/O was transiently much slower than the specified rate limit, the calculation overflowed, effectively disabling the rate limit for the rest of the run.
Fix pg_basebackup's
handling of symlinked pg_stat_tmp and pg_replslot subdirectories (Magnus
Hagander, Michael Paquier)
Fix possible pg_basebackup failure on standby server when including WAL files (Amit Kapila, Robert Haas)
Improve initdb to
insert the correct platform-specific default values for
the xxx_flush_after parameters into
postgresql.conf (Fabien
Coelho, Tom Lane)
This is a cleaner way of documenting the default values than was used previously.
Fix possible mishandling of expanded arrays in domain
check constraints and CASE
execution (Tom Lane)
It was possible for a PL/pgSQL function invoked in these contexts to modify or even delete an array value that needs to be preserved for additional operations.
Fix nested uses of PL/pgSQL functions in contexts such as domain check constraints evaluated during assignment to a PL/pgSQL variable (Tom Lane)
Ensure that the Python exception objects we create for PL/Python are properly reference-counted (Rafa de la Torre, Tom Lane)
This avoids failures if the objects are used after a Python garbage collection cycle has occurred.
Fix PL/Tcl to support triggers on tables that have
.tupno as a column name (Tom
Lane)
This matches the (previously undocumented) behavior of
PL/Tcl's spi_exec and
spi_execp commands, namely
that a magic .tupno column
is inserted only if there isn't a real column named
that.
Allow DOS-style line endings in ~/.pgpass files, even on Unix (Vik
Fearing)
This change simplifies use of the same password file across Unix and Windows machines.
Fix one-byte buffer overrun if ecpg is given a file name that ends with a dot (Takayuki Tsunakawa)
Fix incorrect error reporting for duplicate data in
psql's \crosstabview (Tom Lane)
psql sometimes quoted the wrong row and/or column values when complaining about multiple entries for the same crosstab cell.
Fix psql's tab
completion for ALTER DEFAULT
PRIVILEGES (Gilles Darold, Stephen Frost)
Fix psql's tab
completion for ALTER TABLE t ALTER
c DROP ... (Kyotaro Horiguchi)
In psql, treat an empty or all-blank setting of the PAGER environment variable as meaning “no pager” (Tom Lane)
Previously, such a setting caused output intended for the pager to vanish entirely.
Improve contrib/dblink's
reporting of low-level libpq errors, such as out-of-memory
(Joe Conway)
Teach contrib/dblink to
ignore irrelevant server options when it uses a
contrib/postgres_fdw
foreign server as the source of connection options (Corey
Huinker)
Previously, if the foreign server object had options that were not also libpq connection options, an error occurred.
Fix portability problems in contrib/pageinspect's functions for GIN
indexes (Peter Eisentraut, Tom Lane)
Fix possible miss of socket read events while waiting on Windows (Amit Kapila)
This error was harmless for most uses, but it is known to cause hangs when trying to use the pldebugger extension.
On Windows, ensure that environment variable changes are propagated to DLLs built with debug options (Christian Ullrich)
Sync our copy of the timezone library with IANA release tzcode2016j (Tom Lane)
This fixes various issues, most notably that timezone data installation failed if the target directory didn't support hard links.
Update time zone data files to tzdata release 2016j for DST law changes in northern Cyprus (adding a new zone Asia/Famagusta), Russia (adding a new zone Europe/Saratov), Tonga, and Antarctica/Casey. Historical corrections for Italy, Kazakhstan, Malta, and Palestine. Switch to preferring numeric zone abbreviations for Tonga.
Upgrade to 9.6.3 released on 2017-05-11
Restrict visibility of pg_user_mappings.umoptions, to protect passwords stored as user mapping options (Michael Paquier, Feike Steenbergen)
The previous coding allowed the owner of a foreign
server object, or anyone he has granted server
USAGE permission to, to see
the options for all user mappings associated with that
server. This might well include passwords for other
users. Adjust the view definition to match the behavior
of information_schema.user_mapping_options,
namely that these options are visible to the user being
mapped, or if the mapping is for PUBLIC and the current user is the
server owner, or if the current user is a superuser.
(CVE-2017-7486)
By itself, this patch will only fix the behavior in newly initdb'd databases. If you wish to apply this change in an existing database, follow the corrected procedure shown in the changelog entry for CVE-2017-7547, in Section E.7.
Prevent exposure of statistical information via leaky operators (Peter Eisentraut)
Some selectivity estimation functions in the planner
will apply user-defined operators to values obtained from
pg_statistic, such as
most common values and histogram entries. This occurs
before table permissions are checked, so a nefarious user
could exploit the behavior to obtain these values for
table columns he does not have permission to read. To
fix, fall back to a default estimate if the operator's
implementation function is not certified leak-proof and
the calling user does not have permission to read the
table column whose statistics are needed. At least one of
these criteria is satisfied in most cases in practice.
(CVE-2017-7484)
Restore libpq's recognition of the PGREQUIRESSL environment variable (Daniel Gustafsson)
Processing of this environment variable was
unintentionally dropped in PostgreSQL 9.3, but its
documentation remained. This creates a security hazard,
since users might be relying on the environment variable
to force SSL-encrypted connections, but that would no
longer be guaranteed. Restore handling of the variable,
but give it lower priority than PGSSLMODE, to avoid breaking
configurations that work correctly with post-9.3 code.
(CVE-2017-7485)
Fix possibly-invalid initial snapshot during logical decoding (Petr Jelinek, Andres Freund)
The initial snapshot created for a logical decoding replication slot was potentially incorrect. This could cause third-party tools that use logical decoding to copy incomplete/inconsistent initial data. This was more likely to happen if the source server was busy at the time of slot creation, or if another logical slot already existed.
If you are using a replication tool that depends on logical decoding, and it should have copied a nonempty data set at the start of replication, it is advisable to recreate the replica after installing this update, or to verify its contents against the source server.
Fix possible corruption of “init forks” of unlogged indexes (Robert Haas, Michael Paquier)
This could result in an unlogged index being set to an invalid state after a crash and restart. Such a problem would persist until the index was dropped and rebuilt.
Fix incorrect reconstruction of pg_subtrans entries when a standby
server replays a prepared but uncommitted two-phase
transaction (Tom Lane)
In most cases this turned out to have no visible ill
effects, but in corner cases it could result in circular
references in pg_subtrans, potentially causing
infinite loops in queries that examine rows modified by
the two-phase transaction.
Avoid possible crash in walsender due to failure to initialize a string buffer (Stas Kelvich, Fujii Masao)
Fix possible crash when rescanning a nearest-neighbor index-only scan on a GiST index (Tom Lane)
Prevent delays in postmaster's launching of multiple parallel worker processes (Tom Lane)
There could be a significant delay (up to tens of seconds) before satisfying a query's request for more than one worker process, or when multiple queries requested workers simultaneously. On most platforms this required unlucky timing, but on some it was the typical case.
Fix postmaster's handling of fork() failure for a background worker
process (Tom Lane)
Previously, the postmaster updated portions of its state as though the process had been launched successfully, resulting in subsequent confusion.
Fix possible “no relation entry for relid 0” error when planning nested set operations (Tom Lane)
Fix assorted minor issues in planning of parallel queries (Robert Haas)
Avoid applying “physical targetlist” optimization to custom scans (Dmitry Ivanov, Tom Lane)
This optimization supposed that retrieving all columns of a tuple is inexpensive, which is true for ordinary Postgres tuples; but it might not be the case for a custom scan provider.
Use the correct sub-expression when applying a
FOR ALL row-level-security
policy (Stephen Frost)
In some cases the WITH
CHECK restriction would be applied when the
USING restriction is more
appropriate.
Ensure parsing of queries in extension scripts sees the results of immediately-preceding DDL (Julien Rouhaud, Tom Lane)
Due to lack of a cache flush step between commands in
an extension script file, non-utility queries might not
see the effects of an immediately preceding catalog
change, such as ALTER TABLE ...
RENAME.
Skip tablespace privilege checks when ALTER TABLE ... ALTER COLUMN TYPE
rebuilds an existing index (Noah Misch)
The command failed if the calling user did not
currently have CREATE
privilege for the tablespace containing the index. That
behavior seems unhelpful, so skip the check, allowing the
index to be rebuilt where it is.
Fix ALTER TABLE ... VALIDATE
CONSTRAINT to not recurse to child tables when the
constraint is marked NO
INHERIT (Amit Langote)
This fix prevents unwanted “constraint does not exist” failures when no matching constraint is present in the child tables.
Avoid dangling pointer in COPY
... TO when row-level security is active for the
source table (Tom Lane)
Usually this had no ill effects, but sometimes it would cause unexpected errors or crashes.
Avoid accessing an already-closed relcache entry in
CLUSTER and VACUUM FULL (Tom Lane)
With some bad luck, this could lead to indexes on the target relation getting rebuilt with the wrong persistence setting.
Fix VACUUM to account
properly for pages that could not be scanned due to
conflicting page pins (Andrew Gierth)
This tended to lead to underestimation of the number
of tuples in the table. In the worst case of a small
heavily-contended table, VACUUM could incorrectly report that the
table contained no tuples, leading to very bad planning
choices.
Ensure that bulk-tuple-transfer loops within a hash join are interruptible by query cancel requests (Tom Lane, Thomas Munro)
Fix incorrect support for certain box operators in SP-GiST (Nikita
Glukhov)
SP-GiST index scans using the operators &< &> &<| and |&> would yield incorrect
answers.
Fix integer-overflow problems in interval comparison (Kyotaro Horiguchi, Tom
Lane)
The comparison operators for type interval could yield wrong answers for
intervals larger than about 296000 years. Indexes on
columns containing such large values should be reindexed,
since they may be corrupt.
Fix cursor_to_xml() to
produce valid output with tableforest = false
(Thomas Munro, Peter Eisentraut)
Previously it failed to produce a wrapping
<table> element.
Fix roundoff problems in float8_timestamptz() and make_interval() (Tom Lane)
These functions truncated, rather than rounded, when converting a floating-point value to integer microseconds; that could cause unexpectedly off-by-one results.
Fix pg_get_object_address() to handle
members of operator families correctly (Álvaro
Herrera)
Fix cancelling of pg_stop_backup() when attempting to
stop a non-exclusive backup (Michael Paquier, David
Steele)
If pg_stop_backup() was
cancelled while waiting for a non-exclusive backup to
end, related state was left inconsistent; a new exclusive
backup could not be started, and there were other minor
problems.
Improve performance of pg_timezone_names view (Tom Lane,
David Rowley)
Reduce memory management overhead for contexts containing many large blocks (Tom Lane)
Fix sloppy handling of corner-case errors from
lseek() and close() (Tom Lane)
Neither of these system calls is likely to fail in
typical situations, but if they did, fd.c could get quite confused.
Fix incorrect check for whether postmaster is running as a Windows service (Michael Paquier)
This could result in attempting to write to the event log when that isn't accessible, so that no logging happens at all.
Fix ecpg to support
COMMIT PREPARED and
ROLLBACK PREPARED (Masahiko
Sawada)
Fix a double-free error when processing dollar-quoted string literals in ecpg (Michael Meskes)
Fix pgbench to handle
the combination of --connect
and --rate options correctly
(Fabien Coelho)
Fix pgbench to honor
the long-form option spelling --builtin, as per its documentation (Tom
Lane)
Fix pg_dump/pg_restore to correctly handle
privileges for the public
schema when using --clean
option (Stephen Frost)
Other schemas start out with no privileges granted,
but public does not; this
requires special-case treatment when it is dropped and
restored due to the --clean
option.
In pg_dump, fix incorrect schema and owner marking for comments and security labels of some types of database objects (Giuseppe Broccolo, Tom Lane)
In simple cases this caused no ill effects; but for example, a schema-selective restore might omit comments it should include, because they were not marked as belonging to the schema of their associated object.
Fix typo in pg_dump's query for initial privileges of a procedural language (Peter Eisentraut)
This resulted in pg_dump always believing that the language had no initial privileges. Since that's true for most procedural languages, ill effects from this bug are probably rare.
Avoid emitting an invalid list file in pg_restore -l when SQL object names
contain newlines (Tom Lane)
Replace newlines by spaces, which is sufficient to
make the output valid for pg_restore -L's purposes.
Fix pg_upgrade to transfer comments and security labels attached to “large objects” (blobs) (Stephen Frost)
Previously, blobs were correctly transferred to the new database, but any comments or security labels attached to them were lost.
Improve error handling in contrib/adminpack's pg_file_write() function (Noah
Misch)
Notably, it failed to detect errors reported by
fclose().
In contrib/dblink, avoid
leaking the previous unnamed connection when establishing
a new unnamed connection (Joe Conway)
Fix contrib/pg_trgm's
extraction of trigrams from regular expressions (Tom
Lane)
In some cases it would produce a broken data structure that could never match anything, leading to GIN or GiST indexscans that use a trigram index not finding any matches to the regular expression.
In contrib/postgres_fdw,
allow join conditions that contain shippable
extension-provided functions to be pushed to the remote
server (David Rowley, Ashutosh Bapat)
Support Tcl 8.6 in MSVC builds (Álvaro Herrera)
Sync our copy of the timezone library with IANA release tzcode2017b (Tom Lane)
This fixes a bug affecting some DST transitions in January 2038.
Update time zone data files to tzdata release 2017b for DST law changes in Chile, Haiti, and Mongolia, plus historical corrections for Ecuador, Kazakhstan, Liberia, and Spain. Switch to numeric abbreviations for numerous time zones in South America, the Pacific and Indian oceans, and some Asian and Middle Eastern countries.
The IANA time zone database previously provided
textual abbreviations for all time zones, sometimes
making up abbreviations that have little or no currency
among the local population. They are in process of
reversing that policy in favor of using numeric UTC
offsets in zones where there is no evidence of real-world
use of an English abbreviation. At least for the time
being, PostgreSQL will
continue to accept such removed abbreviations for
timestamp input. But they will not be shown in the
pg_timezone_names view
nor used for output.
Use correct daylight-savings rules for POSIX-style time zone names in MSVC builds (David Rowley)
The Microsoft MSVC build scripts neglected to install
the posixrules file in the
timezone directory tree. This resulted in the timezone
code falling back to its built-in rule about what DST
behavior to assume for a POSIX-style time zone name. For
historical reasons that still corresponds to the DST
rules the USA was using before 2007 (i.e., change on
first Sunday in April and last Sunday in October). With
this fix, a POSIX-style zone name will use the current
and historical DST transition dates of the US/Eastern zone. If you don't want that,
remove the posixrules file,
or replace it with a copy of some other zone file (see
Section 8.5.3). Note
that due to caching, you may need to restart the server
to get such changes to take effect.
⇑ Upgrade to 9.6.4 released on 2017-08-10 - docs
Further restrict visibility of pg_user_mappings.umoptions, to protect passwords
stored as user mapping options (Noah Misch)
The fix for CVE-2017-7486 was incorrect: it allowed a
user to see the options in her own user mapping, even if
she did not have USAGE
permission on the associated foreign server. Such options
might include a password that had been provided by the
server owner rather than the user herself. Since
information_schema.user_mapping_options
does not show the options in such cases, pg_user_mappings should not either.
(CVE-2017-7547)
By itself, this patch will only fix the behavior in newly initdb'd databases. If you wish to apply this change in an existing database, you will need to do the following:
Restart the postmaster after adding allow_system_table_mods = true to
postgresql.conf. (In
versions supporting ALTER
SYSTEM, you can use that to make the
configuration change, but you'll still need a
restart.)
In each database of the cluster, run the following commands as superuser:
SET search_path = pg_catalog;
CREATE OR REPLACE VIEW pg_user_mappings AS
    SELECT
        U.oid AS umid,
        S.oid AS srvid,
        S.srvname AS srvname,
        U.umuser AS umuser,
        CASE WHEN U.umuser = 0 THEN
            'public'
        ELSE
            A.rolname
        END AS usename,
        CASE WHEN (U.umuser <> 0 AND A.rolname = current_user
                   AND (pg_has_role(S.srvowner, 'USAGE')
                        OR has_server_privilege(S.oid, 'USAGE')))
                  OR (U.umuser = 0 AND pg_has_role(S.srvowner, 'USAGE'))
                  OR (SELECT rolsuper FROM pg_authid WHERE rolname = current_user)
             THEN U.umoptions
             ELSE NULL END AS umoptions
    FROM pg_user_mapping U
         LEFT JOIN pg_authid A ON (A.oid = U.umuser) JOIN
         pg_foreign_server S ON (U.umserver = S.oid);
Do not forget to include the template0 and template1 databases, or the
vulnerability will still exist in databases you
create later. To fix template0, you'll need to
temporarily make it accept connections. In
PostgreSQL 9.5 and
later, you can use
ALTER DATABASE template0 WITH ALLOW_CONNECTIONS true;
and then after fixing template0, undo that with
ALTER DATABASE template0 WITH ALLOW_CONNECTIONS false;
In prior versions, instead use
UPDATE pg_database SET datallowconn = true WHERE datname = 'template0';
UPDATE pg_database SET datallowconn = false WHERE datname = 'template0';
Finally, remove the allow_system_table_mods
configuration setting, and again restart the
postmaster.
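A regression check for the procedure above, added here as an example and not part of the PostgreSQL release notes: run it as superuser in each database after replacing the view. The umtest_* role, wrapper and server names and the password value are constructed for the test, and everything in the transaction is rolled back.

```sql
-- Behavioural check of pg_user_mappings.umoptions visibility.
-- All umtest_* objects and the password value are constructed test data.
BEGIN;

CREATE ROLE umtest_mapped NOLOGIN;   -- the user the mapping is for
CREATE ROLE umtest_other  NOLOGIN;   -- a different user with server USAGE
CREATE FOREIGN DATA WRAPPER umtest_fdw;
CREATE SERVER umtest_srv FOREIGN DATA WRAPPER umtest_fdw;
CREATE USER MAPPING FOR umtest_mapped SERVER umtest_srv
    OPTIONS (password 'constructed-secret');
GRANT USAGE ON FOREIGN SERVER umtest_srv TO umtest_other;

-- Case a: mapped user WITHOUT USAGE on the server.
-- A view carrying only the CVE-2017-7486 fix shows the options here;
-- the corrected view must return options_hidden = true.
SET LOCAL ROLE umtest_mapped;
SELECT 'a: mapped user, no USAGE' AS test_case,
       umoptions IS NULL          AS options_hidden
FROM pg_catalog.pg_user_mappings
WHERE srvname = 'umtest_srv';
RESET ROLE;

-- Case b: a different user who holds USAGE on the server.
-- The original view definition shows another user's options here;
-- the corrected view must return options_hidden = true.
SET LOCAL ROLE umtest_other;
SELECT 'b: other user, has USAGE' AS test_case,
       umoptions IS NULL          AS options_hidden
FROM pg_catalog.pg_user_mappings
WHERE srvname = 'umtest_srv';
RESET ROLE;

-- Case c: mapped user WITH USAGE on the server.
-- This is the legitimate case; expect options_hidden = false.
GRANT USAGE ON FOREIGN SERVER umtest_srv TO umtest_mapped;
SET LOCAL ROLE umtest_mapped;
SELECT 'c: mapped user, has USAGE' AS test_case,
       umoptions IS NULL           AS options_hidden
FROM pg_catalog.pg_user_mappings
WHERE srvname = 'umtest_srv';
RESET ROLE;

ROLLBACK;

-- Cleanup check once every database is done: template0 should refuse
-- connections again, and allow_system_table_mods should be off after
-- the final restart.
SELECT datname, datallowconn
FROM pg_database
WHERE datistemplate
ORDER BY datname;

SHOW allow_system_table_mods;
```

A database where case a or case b returns false still has an uncorrected view definition.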
Disallow empty passwords in all password-based authentication methods (Heikki Linnakangas)
libpq ignores empty
password specifications, and does not transmit them to
the server. So, if a user's password has been set to the
empty string, it's impossible to log in with that
password via psql or
other libpq-based
clients. An administrator might therefore believe that
setting the password to empty is equivalent to disabling
password login. However, with a modified or
non-libpq-based client,
logging in could be possible, depending on which
authentication method is configured. In particular the
most common method, md5,
accepted empty passwords. Change the server to reject
empty passwords in all cases. (CVE-2017-7546)
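An audit query for roles affected by this, added here as an example and not part of the release notes. It relies on the md5 storage format, 'md5' followed by md5(password || role name), so an empty password hashes to md5(role name); run it as superuser, since pg_authid is not readable by ordinary roles.

```sql
-- Find roles whose stored password is the empty string, either stored
-- unencrypted or md5-hashed, and emit the statement that removes the
-- password entirely (which is what actually disables password login).
-- A role renamed after its md5 password was set is hashed with the old
-- name and will not be matched by this query.
SELECT rolname,
       rolcanlogin,
       CASE
           WHEN rolpassword = ''
               THEN 'empty password, stored unencrypted'
           WHEN rolpassword = 'md5' || md5(rolname::text)
               THEN 'empty password, md5-hashed'
       END AS finding,
       format('ALTER ROLE %I PASSWORD NULL;', rolname) AS remediation
FROM pg_authid
WHERE rolpassword = ''
   OR rolpassword = 'md5' || md5(rolname::text)
ORDER BY rolname;
```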
Make lo_put() check for
UPDATE privilege on the
target large object (Tom Lane, Michael Paquier)
lo_put() should surely
require the same permissions as lowrite(), but the check was missing,
allowing any user to change the data in a large object.
(CVE-2017-7548)
Correct the documentation about the process for upgrading standby servers with pg_upgrade (Bruce Momjian)
The previous documentation instructed users to start/stop the primary server after running pg_upgrade but before syncing the standby servers. This sequence is unsafe.
Fix concurrent locking of tuple update chains (Álvaro Herrera)
If several sessions concurrently lock a tuple update chain with nonconflicting lock modes using an old snapshot, and they all succeed, it was possible for some of them to nonetheless fail (and conclude there is no live tuple version) due to a race condition. This had consequences such as foreign-key checks failing to see a tuple that definitely exists but is being updated concurrently.
Fix potential data corruption when freezing a tuple whose XMAX is a multixact with exactly one still-interesting member (Teodor Sigaev)
Avoid integer overflow and ensuing crash when sorting more than one billion tuples in-memory (Sergey Koposov)
On Windows, retry process creation if we fail to reserve the address range for our shared memory in the new process (Tom Lane, Amit Kapila)
This is expected to fix infrequent child-process-launch failures that are probably due to interference from antivirus products.
Fix low-probability corruption of shared predicate-lock hash table in Windows builds (Thomas Munro, Tom Lane)
Avoid logging clean closure of an SSL connection as though it were a connection reset (Michael Paquier)
Prevent sending SSL session tickets to clients (Tom Lane)
This fix prevents reconnection failures with ticket-aware client-side SSL code.
Fix code for setting tcp_keepalives_idle on Solaris (Tom Lane)
Fix statistics collector to honor inquiry messages issued just after a postmaster shutdown and immediate restart (Tom Lane)
Statistics inquiries issued within half a second of the previous postmaster shutdown were effectively ignored.
Ensure that the statistics collector's receive buffer size is at least 100KB (Tom Lane)
This reduces the risk of dropped statistics data on older platforms whose default receive buffer size is less than that.
Fix possible creation of an invalid WAL segment when a
standby is promoted just after it processes an
XLOG_SWITCH WAL record
(Andres Freund)
Fix walsender to exit promptly when client requests shutdown (Tom Lane)
Fix SIGHUP and SIGUSR1 handling in walsender processes (Petr Jelinek, Andres Freund)
Prevent walsender-triggered panics during shutdown checkpoints (Andres Freund, Michael Paquier)
Fix unnecessarily slow restarts of walreceiver processes due to race condition in postmaster (Tom Lane)
Fix leakage of small subtransactions spilled to disk during logical decoding (Andres Freund)
This resulted in temporary files consuming excessive disk space.
Reduce the work needed to build snapshots during creation of logical-decoding slots (Andres Freund, Petr Jelinek)
The previous algorithm was infeasibly expensive on a server with a lot of open transactions.
Fix race condition that could indefinitely delay creation of logical-decoding slots (Andres Freund, Petr Jelinek)
Reduce overhead in processing syscache invalidation events (Tom Lane)
This is particularly helpful for logical decoding, which triggers frequent cache invalidation.
Remove incorrect heuristic used in some cases to estimate join selectivity based on the presence of foreign-key constraints (David Rowley)
In some cases where a multi-column foreign key constraint existed but did not exactly match a query's join structure, the planner used an estimation heuristic that turns out not to work well at all. Revert such cases to the way they were estimated before 9.6.
Fix cases where an INSERT
or UPDATE assigns to more
than one element of a column that is of domain-over-array
type (Tom Lane)
Allow window functions to be used in sub-SELECTs that are within the arguments of
an aggregate function (Tom Lane)
Ensure that a view's CHECK
OPTIONS clause is enforced properly when the
underlying table is a foreign table (Etsuro Fujita)
Previously, the update might get pushed entirely to the foreign server, but the need to verify the view conditions was missed if so.
Move autogenerated array types out of the way during
ALTER ... RENAME (Vik
Fearing)
Previously, we would rename a conflicting
autogenerated array type out of the way during
CREATE; this fix extends
that behavior to renaming operations.
Fix dangling pointer in ALTER
TABLE when there is a comment on a constraint
belonging to the table (David Rowley)
Re-applying the comment to the reconstructed constraint could fail with a weird error message, or even crash.
Ensure that ALTER USER ...
SET accepts all the syntax variants that
ALTER ROLE ... SET does
(Peter Eisentraut)
Allow a foreign table's CHECK constraints to be initially
NOT VALID (Amit Langote)
CREATE TABLE silently
drops NOT VALID specifiers
for CHECK constraints,
reasoning that the table must be empty so the constraint
can be validated immediately. But this is wrong for
CREATE FOREIGN TABLE, where
there's no reason to suppose that the underlying table is
empty, and even if it is it's no business of ours to
decide that the constraint can be treated as valid going
forward. Skip this “optimization” for foreign
tables.
Properly update dependency info when changing a
datatype I/O function's argument or return type from
opaque to the correct type
(Heikki Linnakangas)
CREATE TYPE updates I/O
functions declared in this long-obsolete style, but it
forgot to record a dependency on the type, allowing a
subsequent DROP TYPE to
leave broken function definitions behind.
Allow parallelism in the query plan when COPY copies from a query's result
(Andres Freund)
Reduce memory usage when ANALYZE processes a tsvector column (Heikki Linnakangas)
Fix unnecessary precision loss and sloppy rounding
when multiplying or dividing money values by integers or floats (Tom
Lane)
Tighten checks for whitespace in functions that parse
identifiers, such as regprocedurein() (Tom Lane)
Depending on the prevailing locale, these functions could misinterpret fragments of multibyte characters as whitespace.
Use relevant #define
symbols from Perl while compiling PL/Perl (Ashutosh Sharma, Tom
Lane)
This avoids portability problems, typically manifesting as a “handshake” mismatch during library load, when working with recent Perl versions.
In libpq, reset GSS/SASL and SSPI authentication state properly after a failed connection attempt (Michael Paquier)
Failure to do this meant that when falling back from SSL to non-SSL connections, a GSS/SASL failure in the SSL attempt would always cause the non-SSL attempt to fail. SSPI did not fail, but it leaked memory.
In psql, fix failure
when COPY FROM STDIN is
ended with a keyboard EOF signal and then another
COPY FROM STDIN is attempted
(Thomas Munro)
This misbehavior was observed on BSD-derived platforms (including macOS), but not on most others.
Fix pg_dump and
pg_restore to emit
REFRESH MATERIALIZED VIEW
commands last (Tom Lane)
This prevents errors during dump/restore when a materialized view refers to tables owned by a different user.
Improve pg_dump/pg_restore's reporting of error conditions originating in zlib (Vladimir Kunschikov, Álvaro Herrera)
Fix pg_dump with the
--clean option to drop event
triggers as expected (Tom Lane)
It also now correctly assigns ownership of event triggers; before, they were restored as being owned by the superuser running the restore script.
Fix pg_dump with the
--clean option to not fail
when the public schema
doesn't exist (Stephen Frost)
Fix pg_dump to not emit invalid SQL for an empty operator class (Daniel Gustafsson)
Fix pg_dump output to stdout on Windows (Kuntal Ghosh)
A compressed plain-text dump written to stdout would contain corrupt data due to failure to put the file descriptor into binary mode.
Fix pg_get_ruledef() to
print correct output for the ON
SELECT rule of a view whose columns have been
renamed (Tom Lane)
In some corner cases, pg_dump relies on pg_get_ruledef() to dump views, so that
this error could result in dump/reload failures.
Fix dumping of outer joins with empty constraints,
such as the result of a NATURAL
LEFT JOIN with no common columns (Tom Lane)
Fix dumping of function expressions in the
FROM clause in cases where
the expression does not deparse into something that looks
like a function call (Tom Lane)
Fix pg_basebackup output to stdout on Windows (Haribabu Kommi)
A backup written to stdout would contain corrupt data due to failure to put the file descriptor into binary mode.
Fix pg_rewind to correctly handle files exceeding 2GB (Kuntal Ghosh, Michael Paquier)
Ordinarily such files won't appear in PostgreSQL data directories, but they could be present in some cases.
Fix pg_upgrade to
ensure that the ending WAL record does not have wal_level =
minimum (Bruce Momjian)
This condition could prevent upgraded standby servers from reconnecting.
Fix pg_xlogdump's computation of WAL record length (Andres Freund)
In postgres_fdw,
re-establish connections to remote servers after
ALTER SERVER or ALTER USER MAPPING commands (Kyotaro
Horiguchi)
This ensures that option changes affecting connection parameters will be applied promptly.
In postgres_fdw, allow
cancellation of remote transaction control commands
(Robert Haas, Rafia Sabih)
This change allows us to quickly escape a wait for an unresponsive remote server in many more cases than previously.
Increase MAX_SYSCACHE_CALLBACKS to provide more
room for extensions (Tom Lane)
Always use -fPIC, not
-fpic, when building shared
libraries with gcc (Tom Lane)
This supports larger extension libraries on platforms where it makes a difference.
In MSVC builds, handle the case where the openssl library is not within a
VC subdirectory (Andrew
Dunstan)
In MSVC builds, add proper include path for libxml2 header files (Andrew Dunstan)
This fixes a former need to move things around in standard Windows installations of libxml2.
In MSVC builds, recognize a Tcl library that is named
tcl86.lib (Noah Misch)
In MSVC builds, honor PROVE_FLAGS settings on vcregress.pl's command line (Andrew
Dunstan)
⇑ Upgrade to 9.6.5 released on 2017-08-31 - docs
Show foreign tables in information_schema.table_privileges view (Peter
Eisentraut)
All other relevant information_schema views include
foreign tables, but this one ignored them.
Since this view definition is installed by initdb, merely upgrading will not fix the problem. If you need to fix this in an existing installation, you can, as a superuser, do this in psql:
SET search_path TO information_schema;
CREATE OR REPLACE VIEW table_privileges AS
    SELECT CAST(u_grantor.rolname AS sql_identifier) AS grantor,
           CAST(grantee.rolname AS sql_identifier) AS grantee,
           CAST(current_database() AS sql_identifier) AS table_catalog,
           CAST(nc.nspname AS sql_identifier) AS table_schema,
           CAST(c.relname AS sql_identifier) AS table_name,
           CAST(c.prtype AS character_data) AS privilege_type,
           CAST(
             CASE WHEN
                  -- object owner always has grant options
                  pg_has_role(grantee.oid, c.relowner, 'USAGE')
                  OR c.grantable
                  THEN 'YES' ELSE 'NO' END AS yes_or_no) AS is_grantable,
           CAST(CASE WHEN c.prtype = 'SELECT' THEN 'YES' ELSE 'NO' END AS yes_or_no) AS with_hierarchy
    FROM (
            SELECT oid, relname, relnamespace, relkind, relowner, (aclexplode(coalesce(relacl, acldefault('r', relowner)))).* FROM pg_class
         ) AS c (oid, relname, relnamespace, relkind, relowner, grantor, grantee, prtype, grantable),
         pg_namespace nc,
         pg_authid u_grantor,
         (
           SELECT oid, rolname FROM pg_authid
           UNION ALL
           SELECT 0::oid, 'PUBLIC'
         ) AS grantee (oid, rolname)
    WHERE c.relnamespace = nc.oid
          AND c.relkind IN ('r', 'v', 'f')
          AND c.grantee = grantee.oid
          AND c.grantor = u_grantor.oid
          AND c.prtype IN ('INSERT', 'SELECT', 'UPDATE', 'DELETE', 'TRUNCATE', 'REFERENCES', 'TRIGGER')
          AND (pg_has_role(u_grantor.oid, 'USAGE')
               OR pg_has_role(grantee.oid, 'USAGE')
               OR grantee.rolname = 'PUBLIC');
This must be repeated in each database to be fixed,
including template0.
Clean up handling of a fatal exit (e.g., due to
receipt of SIGTERM) that
occurs while trying to execute a ROLLBACK of a failed transaction (Tom
Lane)
This situation could result in an assertion failure. In production builds, the exit would still occur, but it would log an unexpected message about “cannot drop active portal”.
Remove assertion that could trigger during a fatal exit (Tom Lane)
Correctly identify columns that are of a range type or domain type over a composite type or domain type being searched for (Tom Lane)
Certain ALTER commands
that change the definition of a composite type or domain
type are supposed to fail if there are any stored values
of that type in the database, because they lack the
infrastructure needed to update or check such values.
Previously, these checks could miss relevant values that
are wrapped inside range types or sub-domains, possibly
allowing the database to become inconsistent.
Prevent crash when passing fixed-length pass-by-reference data types to parallel worker processes (Tom Lane)
Fix crash in pg_restore when using parallel mode and using a list file to select a subset of items to restore (Fabrízio de Royes Mello)
Change ecpg's parser
to allow RETURNING clauses
without attached C variables (Michael Meskes)
This allows ecpg
programs to contain SQL constructs that use RETURNING internally (for example,
inside a CTE) rather than using it to define values to be
returned to the client.
Change ecpg's parser to recognize backslash continuation of C preprocessor command lines (Michael Meskes)
Improve selection of compiler flags for PL/Perl on Windows (Tom Lane)
This fix avoids possible crashes of PL/Perl due to
inconsistent assumptions about the width of time_t values. A side-effect that may be
visible to extension developers is that _USE_32BIT_TIME_T is no longer defined
globally in PostgreSQL
Windows builds. This is not expected to cause problems,
because type time_t is not used
in any PostgreSQL API
definitions.
Fix make check to behave
correctly when invoked via a non-GNU make program (Thomas
Munro)
⇑ Upgrade to 10 released on 2017-10-05 - docs
Support parallel B-tree index scans (Rahila Syed, Amit Kapila, Robert Haas, Rafia Sabih)
This change allows B-tree index pages to be searched by separate parallel workers.
Support parallel bitmap heap scans (Dilip Kumar)
This allows a single index scan to dispatch parallel workers to process different areas of the heap.
Allow merge joins to be performed in parallel (Dilip Kumar)
Allow non-correlated subqueries to be run in parallel (Amit Kapila)
Improve ability of parallel workers to return pre-sorted data (Rushabh Lathia)
Increase parallel query usage in procedural language functions (Robert Haas, Rafia Sabih)
Add max_parallel_workers server parameter to limit the number of worker processes that can be used for query parallelism (Julien Rouhaud)
This parameter can be set lower than max_worker_processes to reserve worker processes for purposes other than parallel queries.
Add write-ahead logging support to hash indexes (Amit Kapila)
This makes hash indexes crash-safe and replicatable. The former warning message about their use is removed.
Improve hash index performance (Amit Kapila, Mithun Cy, Ashutosh Sharma)
Add SP-GiST
index support for INET and
CIDR data types (Emre
Hasegeli)
Add option to allow BRIN index summarization to happen more aggressively (Álvaro Herrera)
A new CREATE
INDEX option enables auto-summarization of
the previous BRIN
page range when a new page range is created.
Add functions to remove and re-add BRIN summarization for BRIN index ranges (Álvaro Herrera)
The new SQL
function
brin_summarize_range() updates
BRIN index
summarization for a specified range and brin_desummarize_range() removes
it. This is helpful to update summarization of a
range that is now smaller due to UPDATEs and DELETEs.
Improve accuracy in determining if a BRIN index scan is beneficial (David Rowley, Emre Hasegeli)
Allow faster GiST inserts and updates by reusing index space more efficiently (Andrey Borodin)
Reduce page locking during vacuuming of GIN indexes (Andrey Borodin)
Reduce locking required to change table parameters (Simon Riggs, Fabrízio Mello)
For example, changing a table's effective_io_concurrency setting can now be done with a more lightweight lock.
Allow tuning of predicate lock promotion thresholds (Dagfinn Ilmari Mannsåker)
Lock promotion can now be controlled through two new server parameters, max_pred_locks_per_relation and max_pred_locks_per_page.
Add multi-column optimizer statistics to compute the correlation ratio and number of distinct values (Tomas Vondra, David Rowley, Álvaro Herrera)
New commands are CREATE
STATISTICS, ALTER
STATISTICS, and DROP
STATISTICS. This feature is helpful in
estimating query memory usage and when combining the
statistics from individual columns.
Improve performance of queries affected by row-level security restrictions (Tom Lane)
The optimizer now has more knowledge about where it can place RLS filter conditions, allowing better plans to be generated while still enforcing the RLS conditions safely.
Speed up aggregate functions that calculate a
running sum using numeric-type arithmetic, including some
variants of SUM(),
AVG(), and STDDEV() (Heikki Linnakangas)
Improve performance of character encoding conversions by using radix trees (Kyotaro Horiguchi, Heikki Linnakangas)
Reduce expression evaluation overhead during query execution, as well as plan node calling overhead (Andres Freund)
This is particularly helpful for queries that process many rows.
Allow hashed aggregation to be used with grouping sets (Andrew Gierth)
Use uniqueness guarantees to optimize certain join types (David Rowley)
Improve sort performance of the macaddr data type (Brandur Leach)
Reduce statistics tracking overhead in sessions that reference many thousands of relations (Aleksander Alekseev)
Allow explicit control over EXPLAIN's display of planning
and execution time (Ashutosh Bapat)
By default planning and execution time are
displayed by EXPLAIN
ANALYZE and are not displayed in other cases.
The new EXPLAIN option
SUMMARY allows explicit
control of this.
Add default monitoring roles (Dave Page)
New roles pg_monitor,
pg_read_all_settings,
pg_read_all_stats, and
pg_stat_scan_tables
allow simplified permission configuration.
Properly update the statistics collector during
REFRESH MATERIALIZED VIEW (Jim
Mlodgenski)
Change the default value of log_line_prefix to include current timestamp (with milliseconds) and the process ID in each line of postmaster log output (Christoph Berg)
The previous default was an empty prefix.
Add functions to return the log and WAL directory contents (Dave Page)
The new functions are pg_ls_logdir() and pg_ls_waldir() and can be executed by non-superusers with the proper permissions.
Add function pg_current_logfile() to read logging collector's current stderr and csvlog output file names (Gilles Darold)
Report the address and port number of each listening socket in the server log during postmaster startup (Tom Lane)
Also, when logging failure to bind a listening socket, include the specific address we attempted to bind to.
Reduce log chatter about the starting and stopping of launcher subprocesses (Tom Lane)
These are now DEBUG1-level messages.
Reduce message verbosity of lower-numbered debug levels controlled by log_min_messages (Robert Haas)
This also changes the verbosity of client_min_messages debug levels.
Add pg_stat_activity reporting of
low-level wait states (Michael Paquier, Robert
Haas, Rushabh Lathia)
This change enables reporting of numerous low-level wait conditions, including latch waits, file reads/writes/fsyncs, client reads/writes, and synchronous replication.
Show auxiliary processes, background workers,
and walsender processes in pg_stat_activity (Kuntal Ghosh,
Michael Paquier)
This simplifies monitoring. A new column
backend_type
identifies the process type.
Allow pg_stat_activity to show the
SQL query being executed by parallel workers (Rafia
Sabih)
Rename pg_stat_activity.wait_event_type values
LWLockTranche and
LWLockNamed to
LWLock (Robert
Haas)
This makes the output more consistent.
Add SCRAM-SHA-256 support for password negotiation and storage (Michael Paquier, Heikki Linnakangas)
This provides better security than the existing md5 negotiation and storage method.
Change the password_encryption server parameter from boolean to enum (Michael Paquier)
This was necessary to support additional password hashing options.
Add view pg_hba_file_rules to display the contents of pg_hba.conf (Haribabu Kommi)
This shows the file contents, not the currently active settings.
Support multiple RADIUS servers (Magnus Hagander)
All the RADIUS related parameters are now plural and support a comma-separated list of servers.
Allow SSL configuration to be updated during configuration reload (Andreas Karlsson, Tom Lane)
This allows SSL to be reconfigured without a server restart, by using pg_ctl reload, SELECT pg_reload_conf(), or sending a SIGHUP signal. However, reloading the SSL configuration does not work if the server's SSL key requires a passphrase, as there is no way to re-prompt for the passphrase. The original configuration will apply for the life of the postmaster in that case.
Make the maximum value of bgwriter_lru_maxpages effectively unlimited (Jim Nasby)
After creating or unlinking files, perform an fsync on their parent directory (Michael Paquier)
This reduces the risk of data loss after a power failure.
Prevent unnecessary checkpoints and WAL archiving on otherwise-idle systems (Michael Paquier)
Add wal_consistency_checking server parameter to add details to WAL that can be sanity-checked on the standby (Kuntal Ghosh, Robert Haas)
Any sanity-check failure generates a fatal error on the standby.
Increase the maximum configurable WAL segment size to one gigabyte (Beena Emerson)
A larger WAL segment size allows for fewer archive_command invocations and fewer WAL files to manage.
Add the ability to logically replicate tables to standby servers (Petr Jelinek)
Logical replication allows more flexibility than physical replication does, including replication between different major versions of PostgreSQL and selective replication.
Allow waiting for commit acknowledgement from standby servers irrespective of the order they appear in synchronous_standby_names (Masahiko Sawada)
Previously the server always waited for the active
standbys that appeared first in synchronous_standby_names. The new
synchronous_standby_names
keyword ANY allows waiting
for any number of standbys irrespective of their
ordering. This is known as quorum commit.
Reduce configuration changes necessary to perform streaming backup and replication (Magnus Hagander, Dang Minh Huong)
Specifically, the defaults were changed for wal_level, max_wal_senders, max_replication_slots, and hot_standby to make them suitable for these usages out-of-the-box.
Enable replication from localhost connections by
default in pg_hba.conf (Michael Paquier)
Previously pg_hba.conf's replication connection
lines were commented out by default. This is
particularly useful for pg_basebackup.
Add columns to
pg_stat_replication to report replication
delay times (Thomas Munro)
The new columns are write_lag, flush_lag, and replay_lag.
Allow specification of the recovery stopping point
by Log Sequence Number (LSN) in
recovery.conf (Michael Paquier)
Previously the stopping point could only be selected by timestamp or XID.
Allow users to disable
pg_stop_backup()'s waiting for all
WAL to be archived
(David Steele)
An optional second argument to pg_stop_backup() controls that
behavior.
Allow creation of temporary replication slots (Petr Jelinek)
Temporary slots are automatically removed on session exit or error.
Improve performance of hot standby replay with better tracking of Access Exclusive locks (Simon Riggs, David Rowley)
Speed up two-phase commit recovery performance (Stas Kelvich, Nikhil Sontakke, Michael Paquier)
Add XMLTABLE function that converts
XML-formatted data into a row
set (Pavel Stehule, Álvaro Herrera)
Fix regular expressions' character class handling
for large character codes, particularly Unicode
characters above U+7FF
(Tom Lane)
Previously, such characters were never recognized as
belonging to locale-dependent character classes such as
[[:alpha:]].
Add table partitioning syntax that automatically creates partition constraints and handles routing of tuple insertions and updates (Amit Langote)
The syntax supports range and list partitioning.
Add AFTER trigger transition tables to
record changed rows (Kevin Grittner, Thomas Munro)
Transition tables are accessible from triggers written in server-side languages.
Allow restrictive row-level security policies (Stephen Frost)
Previously all security policies were permissive, meaning that any matching policy allowed access. A restrictive policy must match for access to be granted. These policy types can be combined.
When creating a foreign-key constraint, check for REFERENCES permission on only the referenced table (Tom Lane)
Previously REFERENCES permission on the referencing table was also required. This appears to have stemmed from a misreading of the SQL standard. Since creating a foreign key (or any other type of) constraint requires ownership privilege on the constrained table, additionally requiring REFERENCES permission seems rather pointless.
Allow default permissions on schemas (Matheus Oliveira)
This is done using the ALTER DEFAULT PRIVILEGES command.
Add CREATE
SEQUENCE AS command to create a sequence
matching an integer data type (Peter Eisentraut)
This simplifies the creation of sequences matching the range of base columns.
Allow COPY view FROM source on views with INSTEAD INSERT triggers (Haribabu Kommi)
The triggers are fed the data rows read by COPY.
Allow the specification of a function name without arguments in DDL commands, if it is unique (Peter Eisentraut)
For example, allow DROP
FUNCTION on a function name without
arguments if there is only one function with that name.
This behavior is required by the SQL standard.
Allow multiple functions, operators, and aggregates
to be dropped with a single DROP command (Peter Eisentraut)
Support IF NOT EXISTS
in CREATE
SERVER, CREATE USER
MAPPING, and CREATE
COLLATION (Anastasia Lubennikova, Peter
Eisentraut)
Make VACUUM
VERBOSE report the number of skipped frozen
pages and oldest xmin (Masahiko Sawada, Simon
Riggs)
This information is also included in log_autovacuum_min_duration output.
Improve speed of VACUUM's removal of trailing empty
heap pages (Claudio Freire, Álvaro Herrera)
Add full text search support for JSON and JSONB
(Dmitry Dolgov)
The functions ts_headline() and to_tsvector() can now be used on
these data types.
Add support for EUI-64 MAC addresses, as a new data type
macaddr8 (Haribabu Kommi)
This complements the existing support for
EUI-48
MAC addresses (type
macaddr).
Add identity columns for assigning a numeric value to columns on insert (Peter Eisentraut)
These are similar to SERIAL columns, but are SQL standard compliant.
Allow ENUM values to be renamed (Dagfinn
Ilmari Mannsåker)
This uses the syntax ALTER TYPE ... RENAME VALUE.
Properly treat array pseudotypes (anyarray) as arrays in
to_json() and to_jsonb() (Andrew Dunstan)
Previously columns declared as anyarray (particularly those in the
pg_stats view) were
converted to JSON strings
rather than arrays.
Add operators for multiplication and division of
money values with int8 values (Peter Eisentraut)
Previously such cases would result in converting the
int8 values to float8 and then using the money-and-float8 operators. The new behavior avoids
possible precision loss. But note that division of
money by int8 now truncates the quotient, like
other integer-division cases, while the previous
behavior would have rounded.
Check for overflow in the money type's input function (Peter
Eisentraut)
Add simplified regexp_match() function (Emre
Hasegeli)
This is similar to regexp_matches(), but it only returns
results from the first match so it does not need to
return a set, making it easier to use for simple
cases.
Add a version of jsonb's
delete
operator that takes an array of keys to delete
(Magnus Hagander)
Make
json_populate_record() and related functions
process JSON arrays and objects recursively (Nikita
Glukhov)
With this change, array-type fields in the
destination SQL type are properly converted from JSON
arrays, and composite-type fields are properly
converted from JSON objects. Previously, such cases
would fail because the text representation of the JSON
value would be fed to array_in() or record_in(), and its syntax would not
match what those input functions expect.
Add function
txid_current_if_assigned() to return the
current transaction ID or NULL if no transaction ID has been
assigned (Craig Ringer)
This is different from
txid_current(), which always returns a
transaction ID, assigning one if necessary. Unlike that
function, this function can be run on standby
servers.
Add function
txid_status() to check if a transaction was
committed (Craig Ringer)
This is useful for checking after an abrupt disconnection whether your previous transaction committed and you just didn't receive the acknowledgement.
Allow
make_date() to interpret negative years as
BC years (Álvaro
Herrera)
Make
to_timestamp() and to_date() reject out-of-range input
fields (Artur Zakirov)
For example, previously to_date('2009-06-40','YYYY-MM-DD') was
accepted and returned 2009-07-10. It will now generate an
error.
Allow PL/Python's cursor() and execute() functions to be called as
methods of their plan-object arguments (Peter
Eisentraut)
This allows a more object-oriented programming style.
Allow PL/pgSQL's GET
DIAGNOSTICS statement to retrieve values into
array elements (Tom Lane)
Previously, a syntactic restriction prevented the target variable from being an array element.
Allow PL/Tcl functions to return composite types and sets (Karl Lehenbauer)
Add a subtransaction command to PL/Tcl (Victor Wagner)
This allows PL/Tcl queries to fail without aborting the entire function.
Add server parameters pltcl.start_proc and pltclu.start_proc, to allow initialization functions to be called on PL/Tcl startup (Tom Lane)
Allow specification of multiple host names or addresses in libpq connection strings and URIs (Robert Haas, Heikki Linnakangas)
libpq will connect to the first responsive server in the list.
Allow libpq connection strings and URIs to request a read/write host, that is a master server rather than a standby server (Victor Wagner, Mithun Cy)
This is useful when multiple host names are
specified. It is controlled by libpq connection
parameter target_session_attrs.
Allow the password file name to be specified as a libpq connection parameter (Julian Markwort)
Previously this could only be specified via an environment variable.
Add function
PQencryptPasswordConn() to allow creation of
more types of encrypted passwords on the client side
(Michael Paquier, Heikki Linnakangas)
Previously only MD5-encrypted passwords could be
created using PQencryptPassword(). This new
function can also create SCRAM-SHA-256-encrypted
passwords.
Change ecpg preprocessor version from 4.12 to 10 (Tom Lane)
Henceforth the ecpg version will match the PostgreSQL distribution version number.
Add conditional branch support to psql (Corey Huinker)
This feature adds psql meta-commands \if, \elif, \else, and \endif. This is primarily helpful
for scripting.
Add psql
\gx meta-command to
execute (\g) a query in
expanded mode (\x)
(Christoph Berg)
Expand psql variable references in backtick-executed strings (Tom Lane)
This is particularly useful in the new psql conditional branch commands.
Prevent psql's special variables from being set to invalid values (Daniel Vérité, Tom Lane)
Previously, setting one of psql's special variables to an
invalid value silently resulted in the default
behavior. \set on a
special variable now fails if the proposed new value
is invalid. As a special exception, \set with an empty or omitted new
value, on a boolean-valued special variable, still
has the effect of setting the variable to
on; but now it actually
acquires that value rather than an empty string.
\unset on a special
variable now explicitly sets the variable to its
default value, which is also the value it acquires at
startup. In sum, a control variable now always has a
displayable value that reflects what psql is actually doing.
Add variables showing server version and psql version (Fabien Coelho)
Improve psql's
\d (display relation)
and \dD (display domain)
commands to show collation, nullable, and default
properties in separate columns (Peter Eisentraut)
Previously they were shown in a single “Modifiers” column.
Make the various \d
commands handle no-matching-object cases more
consistently (Daniel Gustafsson)
They now all print the message about that to stderr, not stdout, and the message wording is more consistent.
Improve psql's tab completion (Jeff Janes, Ian Barwick, Andreas Karlsson, Sehrope Sarkuni, Thomas Munro, Kevin Grittner, Dagfinn Ilmari Mannsåker)
Add pgbench
option --log-prefix to
control the log file prefix (Masahiko Sawada)
Allow pgbench's meta-commands to span multiple lines (Fabien Coelho)
A meta-command can now be continued onto the next line by writing backslash-return.
Remove restriction on placement of -M option relative to other command
line options (Tom Lane)
Add pg_receivewal option
-Z/--compress to specify compression
(Michael Paquier)
Add pg_recvlogical option
--endpos to specify the
ending position (Craig Ringer)
This complements the existing --startpos option.
Rename initdb
options --noclean and
--nosync to be spelled
--no-clean and --no-sync (Vik Fearing, Peter
Eisentraut)
The old spellings are still supported.
Allow pg_restore to exclude schemas (Michael Banck)
This adds a new -N/--exclude-schema option.
Add --no-blobs option
to pg_dump
(Guillaume Lelarge)
This suppresses dumping of large objects.
Add pg_dumpall option --no-role-passwords to omit role passwords (Robins Tharakan, Simon Riggs)
This allows use of pg_dumpall by non-superusers; without this option, it fails due to inability to read passwords.
Support using synchronized snapshots when dumping from a standby server (Petr Jelinek)
Issue fsync() on the output files generated by pg_dump and pg_dumpall (Michael Paquier)
This provides more security that the output is safely stored on disk before the program exits. This can be disabled with the new --no-sync option.
Allow pg_basebackup to stream write-ahead log in tar mode (Magnus Hagander)
The WAL will be stored in a separate tar file from the base backup.
Make pg_basebackup use temporary replication slots (Magnus Hagander)
Temporary replication slots will be used by default when pg_basebackup uses WAL streaming with default options.
Be more careful about fsync'ing in all required places in pg_basebackup and pg_receivewal (Michael Paquier)
Add pg_basebackup
option --no-sync to
disable fsync (Michael Paquier)
Improve pg_basebackup's handling of which directories to skip (David Steele)
Add wait option for pg_ctl's promote operation (Peter Eisentraut)
Add long options for pg_ctl wait (--wait) and no-wait (--no-wait) (Vik Fearing)
Add long option for pg_ctl server options
(--options) (Peter
Eisentraut)
Make pg_ctl start
--wait detect server-ready by watching
postmaster.pid, not by
attempting connections (Tom Lane)
The postmaster has been changed to report its
ready-for-connections status in postmaster.pid, and pg_ctl now examines that file to
detect whether startup is complete. This is more
efficient and reliable than the old method, and it
eliminates postmaster log entries about rejected
connection attempts during startup.
Reduce pg_ctl's reaction time when waiting for postmaster start/stop (Tom Lane)
pg_ctl now probes ten times per second when waiting for a postmaster state change, rather than once per second.
Ensure that pg_ctl exits with nonzero status if an operation being waited for does not complete within the timeout (Peter Eisentraut)
The start and
promote operations now
return exit status 1, not 0, in such cases. The
stop operation has
always done that.
Change to two-part release version numbering (Peter Eisentraut, Tom Lane)
Release numbers will now have two parts (e.g.,
10.1) rather than three
(e.g., 9.6.3). Major
versions will now increase just the first number, and
minor releases will increase just the second number.
Release branches will be referred to by single numbers
(e.g., 10 rather than
9.6). This change is
intended to reduce user confusion about what is a major
or minor release of PostgreSQL.
Improve behavior of pgindent (Piotr Stefaniak, Tom Lane)
We have switched to a new version of pg_bsd_indent based on recent improvements made by the FreeBSD project. This fixes numerous small bugs that led to odd C code formatting decisions. Most notably, lines within parentheses (such as in a multi-line function call) are now uniformly indented to match the opening paren, even if that would result in code extending past the right margin.
Allow the ICU library to optionally be used for collation support (Peter Eisentraut)
The ICU library
has versioning that allows detection of collation
changes between versions. It is enabled via configure
option --with-icu. The
default still uses the operating system's native
collation library.
Automatically mark all PG_FUNCTION_INFO_V1 functions as
DLLEXPORT-ed on
Windows (Laurenz
Albe)
If third-party code is using extern function declarations, they
should also add DLLEXPORT
markers to those declarations.
Remove SPI
functions SPI_push(),
SPI_pop(), SPI_push_conditional(), SPI_pop_conditional(), and
SPI_restore_connection()
as unnecessary (Tom Lane)
Their functionality now happens automatically. There are now no-op macros by these names so that external modules don't need to be updated immediately, but eventually such calls should be removed.
A side effect of this change is that SPI_palloc() and allied functions now
require an active SPI connection; they do not
degenerate to simple palloc() if there is none. That
previous behavior was not very useful and posed risks
of unexpected memory leaks.
Allow shared memory to be dynamically allocated (Thomas Munro, Robert Haas)
Add slab-like memory allocator for efficient fixed-size allocations (Tomas Vondra)
Use POSIX semaphores rather than SysV semaphores on Linux and FreeBSD (Tom Lane)
This avoids platform-specific limits on SysV semaphore usage.
Improve support for 64-bit atomics (Andres Freund)
Enable 64-bit atomic operations on ARM64 (Roman Shaposhnik)
Switch to using clock_gettime(), if available, for
duration measurements (Tom Lane)
gettimeofday() is
still used if clock_gettime() is not available.
Add more robust random number generators to be used for cryptographically secure uses (Magnus Hagander, Michael Paquier, Heikki Linnakangas)
If no strong random number generator can be found, configure will fail unless the --disable-strong-random option is used. However, with this option, pgcrypto functions requiring a strong random number generator will be disabled.
Allow WaitLatchOrSocket() to wait for
socket connection on Windows (Andres Freund)
tupconvert.c functions
no longer convert tuples just to embed a different
composite-type OID in them (Ashutosh Bapat, Tom
Lane)
The majority of callers don't care about the composite-type OID; but if the result tuple is to be used as a composite Datum, steps should be taken to make sure the correct OID is inserted in it.
Remove SCO and Unixware ports (Tom Lane)
Overhaul documentation build process (Alexander Lakhin)
Use XSLT to build the PostgreSQL documentation (Peter Eisentraut)
Previously Jade, DSSSL, and JadeTex were used.
Build HTML documentation using XSLT stylesheets by default (Peter Eisentraut)
Allow file_fdw to read from program output as well as files (Corey Huinker, Adam Gomaa)
In postgres_fdw, push aggregate functions to the remote server, when possible (Jeevan Chalke, Ashutosh Bapat)
This reduces the amount of data that must be passed from the remote server, and offloads aggregate computation from the requesting server.
In postgres_fdw, push joins to the remote server in more cases (David Rowley, Ashutosh Bapat, Etsuro Fujita)
Properly support OID
columns in postgres_fdw tables (Etsuro
Fujita)
Previously OID columns
always returned zeros.
Allow btree_gist and btree_gin to index enum types (Andrew Dunstan)
This allows enums to be used in exclusion constraints.
Add indexing support to btree_gist for the UUID data type (Paul Jungwirth)
Add amcheck which can check the validity of B-tree indexes (Peter Geoghegan)
Show ignored constants as $N rather than ? in pg_stat_statements (Lukas
Fittl)
Improve cube's handling of zero-dimensional cubes (Tom Lane)
This also improves handling of infinite and NaN values.
Allow pg_buffercache to run with fewer locks (Ivan Kartyshov)
This makes it less disruptive when run on production systems.
Add pgstattuple function
pgstathashindex() to view
hash index statistics (Ashutosh Sharma)
Use GRANT permissions to control pgstattuple function usage (Stephen Frost)
This allows DBAs to allow non-superusers to run these functions.
Reduce locking when pgstattuple examines hash indexes (Amit Kapila)
Add pageinspect function
page_checksum() to show a
page's checksum (Tomas Vondra)
Add pageinspect
function bt_page_items()
to print page items from a page image (Tomas
Vondra)
Add hash index support to pageinspect (Jesper Pedersen, Ashutosh Sharma)
Upgrade to 10.1 released on 2017-11-09
Ensure that INSERT ... ON CONFLICT DO UPDATE checks table permissions and RLS policies in all cases (Dean Rasheed)
The update path of INSERT ... ON CONFLICT DO UPDATE requires SELECT permission on the columns of the arbiter index, but it failed to check for that in the case of an arbiter specified by constraint name. In addition, for a table with row level security enabled, it failed to check updated rows against the table's SELECT policies (regardless of how the arbiter index was specified). (CVE-2017-15099)
Fix crash due to rowtype mismatch in json{b}_populate_recordset() (Michael Paquier, Tom Lane)
These functions used the result rowtype specified in the FROM ... AS clause without checking that it matched the actual rowtype of the supplied tuple value. If it didn't, that would usually result in a crash, though disclosure of server memory contents seems possible as well. (CVE-2017-15098)
Fix sample server-start scripts to become $PGUSER before opening $PGLOG (Noah Misch)
Previously, the postmaster log file was opened while still running as root. The database owner could therefore mount an attack against another system user by making $PGLOG be a symbolic link to some other file, which would then become corrupted by appending log messages.
By default, these scripts are not installed anywhere. Users who have made use of them will need to manually recopy them, or apply the same changes to their modified versions. If the existing $PGLOG file is root-owned, it will need to be removed or renamed out of the way before restarting the server with the corrected script. (CVE-2017-12172)
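A pre-restart check for the cleanup step described above, as an added example that is not part of the PostgreSQL start scripts: it reports whether a log path is a symbolic link or is owned by root. The function names, verdict strings and return codes are assumptions made for illustration, and the two `su` lines in the comments show the general redirection pattern, not the scripts' actual text.

```shell
#!/bin/sh
# Added illustration; names and verdict strings are assumptions, not part of
# the PostgreSQL start scripts.
#
# The flaw is about which process performs the ">>" redirection:
#   su - "$PGUSER" -c "<start command>" >>"$PGLOG" 2>&1
#       the calling (root) shell opens $PGLOG and follows any symlink there
#   su - "$PGUSER" -c "<start command> >>'$PGLOG' 2>&1"
#       the shell running as $PGUSER opens it, with that user's rights only

# pglog_owner_uid PATH: print the numeric owner uid of PATH without following
# a symlink (ls -ldn is used because stat(1) options differ between systems).
pglog_owner_uid() {
    ls -ldn -- "$1" | awk '{ print $3 }'
}

# check_pglog PATH EXPECTED_UID
# Prints a verdict and returns a matching status:
#   ok         0  absent, or a regular file owned by EXPECTED_UID
#   symlink    1  PATH is a symbolic link
#   rootowned  2  regular file owned by uid 0 while EXPECTED_UID is not 0
#   wrongowner 3  regular file owned by some other uid
#   notfile    4  exists but is not a regular file (directory, FIFO, ...)
check_pglog() {
    path=$1
    expected_uid=$2

    # -L must be tested first: -e and -f follow symlinks.
    if [ -L "$path" ]; then
        echo symlink; return 1
    fi
    if [ ! -e "$path" ]; then
        echo ok; return 0
    fi
    if [ ! -f "$path" ]; then
        echo notfile; return 4
    fi

    owner=$(pglog_owner_uid "$path")
    if [ "$owner" = "$expected_uid" ]; then
        echo ok; return 0
    fi
    if [ "$owner" = "0" ]; then
        echo rootowned; return 2
    fi
    echo wrongowner; return 3
}
```

A typical call is `check_pglog "$PGLOG" "$(id -u "$PGUSER")"`. The check only supports the one-time cleanup; the exposure itself is closed by opening the log as $PGUSER, as the corrected scripts do.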
Fix BRIN index summarization to handle concurrent table extension correctly (Álvaro Herrera)
Previously, a race condition allowed some table rows to be omitted from the index. It may be necessary to reindex existing BRIN indexes to recover from past occurrences of this problem.
Fix possible failures during concurrent updates of a BRIN index (Tom Lane)
These race conditions could result in errors like “invalid index offnum” or “inconsistent range map”.
Prevent logical replication from setting
non-replicated columns to nulls when replicating an
UPDATE (Petr Jelinek)
Fix logical replication to fire BEFORE ROW DELETE triggers when expected
(Masahiko Sawada)
Previously, that failed to happen unless the table
also had a BEFORE ROW UPDATE
trigger.
Fix crash when logical decoding is invoked from a SPI-using function, in particular any function written in a PL language (Tom Lane)
Ignore CTEs when looking up the target table for
INSERT/UPDATE/DELETE, and prevent matching
schema-qualified target table names to trigger transition
table names (Thomas Munro)
This restores the pre-v10 behavior for CTEs attached to DML commands.
Avoid evaluating an aggregate function's argument
expression(s) at rows where its FILTER test fails (Tom Lane)
This restores the pre-v10 (and SQL-standard) behavior.
Fix incorrect query results when multiple GROUPING SETS columns contain the same
simple variable (Tom Lane)
Fix query-lifespan memory leakage while evaluating a
set-returning function in a SELECT's target list (Tom Lane)
Allow parallel execution of prepared statements with generic plans (Amit Kapila, Kuntal Ghosh)
Fix incorrect parallelization decisions for nested queries (Amit Kapila, Kuntal Ghosh)
Fix parallel query handling to not fail when a recently-used role is dropped (Amit Kapila)
Fix crash in parallel execution of a bitmap scan having a BitmapAnd plan node below a BitmapOr node (Dilip Kumar)
Fix json_build_array(),
json_build_object(), and
their jsonb equivalents to
handle explicit VARIADIC
arguments correctly (Michael Paquier)
Fix autovacuum's “work item” logic to prevent possible crashes and silent loss of work items (Álvaro Herrera)
Fix corner-case crashes when columns have been added to the end of a view (Tom Lane)
Record proper dependencies when a view or rule
contains FieldSelect or
FieldStore expression
nodes (Tom Lane)
Lack of these dependencies could allow a column or
data type DROP to go through
when it ought to fail, thereby causing later uses of the
view or rule to get errors. This patch does not do
anything to protect existing views/rules, only ones
created in the future.
Correctly detect hashability of range data types (Tom Lane)
The planner mistakenly assumed that any range type could be hashed for use in hash joins or hash aggregation, but actually it must check whether the range's subtype has hash support. This does not affect any of the built-in range types, since they're all hashable anyway.
Correctly ignore RelabelType expression nodes when
examining functional-dependency statistics (David
Rowley)
This allows, e.g., extended statistics on varchar columns to be used properly.
Prevent sharing transition states between ordered-set aggregates (David Rowley)
This causes a crash with the built-in ordered-set aggregates, and probably with user-written ones as well. v11 and later will include provisions for dealing with such cases safely, but in released branches, just disable the optimization.
Prevent idle_in_transaction_session_timeout from
being ignored when a statement_timeout occurred earlier
(Lukas Fittl)
Fix low-probability loss of NOTIFY messages due to XID wraparound
(Marko Tiikkaja, Tom Lane)
If a session executed no queries, but merely listened for notifications, for more than 2 billion transactions, it started to miss some notifications from concurrently-committing transactions.
Reduce the frequency of data flush requests during bulk file copies to avoid performance problems on macOS, particularly with its new APFS file system (Tom Lane)
Allow COPY's FREEZE option to work when the
transaction isolation level is REPEATABLE READ or higher (Noah
Misch)
This case was unintentionally broken by a previous bug fix.
Fix AggGetAggref() to
return the correct Aggref
nodes to aggregate final functions whose transition
calculations have been merged (Tom Lane)
Fix insufficient schema-qualification in some new queries in pg_dump and psql (Vitaly Burovoy, Tom Lane, Noah Misch)
Avoid use of @>
operator in psql's
queries for \d (Tom
Lane)
This prevents problems when the parray_gin extension is installed, since that defines a conflicting operator.
Fix pg_basebackup's matching of tablespace paths to canonicalize both paths before comparing (Michael Paquier)
This is particularly helpful on Windows.
Fix libpq to not require user's home directory to exist (Tom Lane)
In v10, failure to find the home directory while
trying to read ~/.pgpass
was treated as a hard error, but it should just cause
that file to not be found. Both v10 and previous release
branches made the same mistake when reading ~/.pg_service.conf, though this was
less obvious since that file is not sought unless a
service name is specified.
In ecpglib, correctly handle backslashes in string
literals depending on whether standard_conforming_strings is set
(Tsunakawa Takayuki)
Make ecpglib's Informix-compatibility mode ignore fractional digits in integer input strings, as expected (Gao Zengqi, Michael Meskes)
Fix missing temp-install prerequisites for
check-like Make targets
(Noah Misch)
Some non-default test procedures that are meant to
work like make check failed
to ensure that the temporary installation was up to
date.
Update time zone data files to tzdata release 2017c for DST law changes in Fiji, Namibia, Northern Cyprus, Sudan, Tonga, and Turks & Caicos Islands, plus historical corrections for Alaska, Apia, Burma, Calcutta, Detroit, Ireland, Namibia, and Pago Pago.
In the documentation, restore HTML anchors to being upper-case strings (Peter Eisentraut)
Due to a toolchain change, the 10.0 user manual had lower-case strings for intrapage anchors, thus breaking some external links into our website documentation. Return to our previous convention of using upper-case strings.
Upgrade to 10.2 released on 2018-02-08
Fix processing of partition keys containing multiple expressions (Álvaro Herrera, David Rowley)
This error led to crashes or, with carefully crafted input, disclosure of arbitrary backend memory. (CVE-2018-1052)
Ensure that all temporary files made by pg_upgrade are non-world-readable (Tom Lane, Noah Misch)
pg_upgrade normally restricts its temporary files to be readable and writable only by the calling user. But the temporary file containing pg_dumpall -g output would be group- or world-readable, or even writable, if the user's umask setting allows. In typical usage on multi-user machines, the umask and/or the working directory's permissions would be tight enough to prevent problems; but there may be people using pg_upgrade in scenarios where this oversight would permit disclosure of database passwords to unfriendly eyes. (CVE-2018-1053)
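The umask dependence described above can be seen and audited with a few lines of shell. This is an added example, not pg_upgrade code: `run_private`, `loose_files` and `write_dump` are hypothetical names, and `write_dump` writes constructed placeholder text in place of real pg_dumpall -g output.

```shell
#!/bin/sh
# Added illustration; function names are assumptions, not pg_upgrade code.

# run_private CMD [ARGS...]
# Runs CMD with umask 077 so that every file it creates is mode 0600 at most
# (directories 0700). The subshell leaves the caller's umask unchanged.
run_private() {
    ( umask 077 && "$@" )
}

# loose_files DIR
# Prints the path of each regular file under DIR that carries any group or
# other permission bit. Returns 0 if at least one was found, 1 if none.
loose_files() {
    found=$(find "$1" -type f \
                \( -perm -040 -o -perm -020 -o -perm -010 \
                -o -perm -004 -o -perm -002 -o -perm -001 \) -print)
    [ -n "$found" ] || return 1
    printf '%s\n' "$found"
}

# write_dump FILE
# Constructed stand-in for a tool that writes a secret-bearing temporary
# file. The file mode it ends up with is decided by the umask in effect.
write_dump() {
    printf '%s\n' "-- placeholder for role definitions" > "$1"
}
```

With a umask of 022, `write_dump` leaves a mode 0644 file that `loose_files` reports; the same call through `run_private` leaves a mode 0600 file that it does not report.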
Fix vacuuming of tuples that were updated while key-share locked (Andres Freund, Álvaro Herrera)
In some cases VACUUM
would fail to remove such tuples even though they are now
dead, leading to assorted data corruption scenarios.
Fix failure to mark a hash index's metapage dirty after adding a new overflow page, potentially leading to index corruption (Lixian Zou, Amit Kapila)
Ensure that vacuum will always clean up the pending-insertions list of a GIN index (Masahiko Sawada)
This is necessary to ensure that dead index entries get removed. The old code got it backwards, allowing vacuum to skip the cleanup if some other process were running cleanup concurrently, thus risking invalid entries being left behind in the index.
Fix inadequate buffer locking in some LSN fetches (Jacob Champion, Asim Praveen, Ashwin Agrawal)
These errors could result in misbehavior under concurrent load. The potential consequences have not been characterized fully.
Fix incorrect query results from cases involving flattening of subqueries whose outputs are used in GROUPING SETS (Heikki Linnakangas)
Fix handling of list partitioning constraints for partition keys of boolean or array types (Amit Langote)
Avoid unnecessary failure in a query on an inheritance tree that occurs concurrently with some child table being removed from the tree by ALTER TABLE NO INHERIT (Tom Lane)
Fix spurious deadlock failures when multiple sessions are running CREATE INDEX CONCURRENTLY (Jeff Janes)
During VACUUM FULL, update the table's size fields in pg_class sooner (Amit Kapila)
This prevents poor behavior when rebuilding hash indexes on the table, since those use the pg_class statistics to govern the initial hash size.
Fix UNION/INTERSECT/EXCEPT over zero columns (Tom Lane)
Disallow identity columns on typed tables and partitions (Michael Paquier)
These cases will be treated as unsupported features for now.
Fix assorted failures to apply the correct default value when inserting into an identity column (Michael Paquier, Peter Eisentraut)
In several contexts, notably COPY and ALTER TABLE ADD COLUMN, the expected default value was not applied and instead a null value was inserted.
Fix failures when an inheritance tree contains foreign child tables (Etsuro Fujita)
A mix of regular and foreign tables in an inheritance tree resulted in creation of incorrect plans for UPDATE and DELETE queries. This led to visible failures in some cases, notably when there are row-level triggers on a foreign child table.
Repair failure with correlated sub-SELECT inside VALUES inside a LATERAL subquery (Tom Lane)
Fix “could not devise a query plan for the given query” planner failure for some cases involving nested UNION ALL inside a lateral subquery (Tom Lane)
Allow functional dependency statistics to be used for boolean columns (Tom Lane)
Previously, although extended statistics could be declared and collected on boolean columns, the planner failed to apply them.
Avoid underestimating the number of groups emitted by subqueries containing set-returning functions in their grouping columns (Tom Lane)
Cases similar to SELECT DISTINCT unnest(foo) got a lower output rowcount estimate in 10.0 than they did in earlier releases, possibly resulting in unfavorable plan choices. Restore the prior estimation behavior.
Fix use of triggers in logical replication workers (Petr Jelinek)
Fix logical decoding to correctly clean up disk files for crashed transactions (Atsushi Torikoshi)
Logical decoding may spill WAL records to disk for transactions generating many WAL records. Normally these files are cleaned up after the transaction's commit or abort record arrives; but if no such record is ever seen, the removal code misbehaved.
Fix walsender timeout failure and failure to respond to interrupts when processing a large transaction (Petr Jelinek)
Fix race condition during replication origin drop that could allow the dropping process to wait indefinitely (Tom Lane)
Allow members of the pg_read_all_stats role to see walsender statistics in the pg_stat_replication view (Feike Steenbergen)
Show walsenders that are sending base backups as active in the pg_stat_activity view (Magnus Hagander)
Fix reporting of scram-sha-256 authentication method in the pg_hba_file_rules view (Michael Paquier)
Previously this was printed as scram-sha256, possibly confusing users as to the correct spelling.
Fix has_sequence_privilege() to support WITH GRANT OPTION tests, as other privilege-testing functions do (Joe Conway)
In databases using UTF8 encoding, ignore any XML declaration that asserts a different encoding (Pavel Stehule, Noah Misch)
We always store XML strings in the database encoding, so allowing libxml to act on a declaration of another encoding gave wrong results. In encodings other than UTF8, we don't promise to support non-ASCII XML data anyway, so retain the previous behavior for bug compatibility. This change affects only xpath() and related functions; other XML code paths already acted this way.
Provide for forward compatibility with future minor protocol versions (Robert Haas, Badrul Chowdhury)
Up to now, PostgreSQL servers simply rejected requests to use protocol versions newer than 3.0, so that there was no functional difference between the major and minor parts of the protocol version number. Allow clients to request versions 3.x without failing, sending back a message showing that the server only understands 3.0. This makes no difference at the moment, but back-patching this change should allow speedier introduction of future minor protocol upgrades.
Allow a client that supports SCRAM channel binding (such as v11 or later libpq) to connect to a v10 server (Michael Paquier)
v10 does not have this feature, and the connection-time negotiation about whether to use it was done incorrectly.
Avoid live-lock in ConditionVariableBroadcast() (Tom Lane, Thomas Munro)
Given repeatedly-unlucky timing, a process attempting to awaken all waiters for a condition variable could loop indefinitely. Due to the limited usage of condition variables in v10, this affects only parallel index scans and some operations on replication slots.
Clean up waits for condition variables correctly during subtransaction abort (Robert Haas)
Ensure that child processes that are waiting for a condition variable will exit promptly if the postmaster process dies (Tom Lane)
Fix crashes in parallel queries using more than one Gather node (Thomas Munro)
Fix hang in parallel index scan when processing a deleted or half-dead index page (Amit Kapila)
Avoid crash if parallel bitmap heap scan is unable to allocate a shared memory segment (Robert Haas)
Cope with failure to start a parallel worker process (Amit Kapila, Robert Haas)
Parallel query previously tended to hang indefinitely if a worker could not be started, as the result of fork() failure or other low-probability problems.
Avoid unnecessary failure when no parallel workers can be obtained during parallel query startup (Robert Haas)
Fix collection of EXPLAIN statistics from parallel workers (Amit Kapila, Thomas Munro)
Ensure that query strings passed to parallel workers are correctly null-terminated (Thomas Munro)
This prevents emitting garbage in postmaster log output from such workers.
Avoid unsafe alignment assumptions when working with __int128 (Tom Lane)
Typically, compilers assume that __int128 variables are aligned on 16-byte boundaries, but our memory allocation infrastructure isn't prepared to guarantee that, and increasing the setting of MAXALIGN seems infeasible for multiple reasons. Adjust the code to allow use of __int128 only when we can tell the compiler to assume lesser alignment. The only known symptom of this problem so far is crashes in some parallel aggregation queries.
Prevent stack-overflow crashes when planning extremely deeply nested set operations (UNION/INTERSECT/EXCEPT) (Tom Lane)
Avoid crash during an EvalPlanQual recheck of an indexscan that is the inner child of a merge join (Tom Lane)
This could only happen during an update or SELECT FOR UPDATE of a join, when there is a concurrent update of some selected row.
Fix crash in autovacuum when extended statistics are defined for a table but can't be computed (Álvaro Herrera)
Fix null-pointer crashes for some types of LDAP URLs appearing in pg_hba.conf (Thomas Munro)
Prevent out-of-memory failures due to excessive growth of simple hash tables (Tomas Vondra, Andres Freund)
Fix sample INSTR() functions in the PL/pgSQL documentation (Yugo Nagata, Tom Lane)
These functions are stated to be Oracle® compatible, but they weren't exactly. In particular, there was a discrepancy in the interpretation of a negative third parameter: Oracle thinks that a negative value indicates the last place where the target substring can begin, whereas our functions took it as the last place where the target can end. Also, Oracle throws an error for a zero or negative fourth parameter, whereas our functions returned zero.
The sample code has been adjusted to match Oracle's behavior more precisely. Users who have copied this code into their applications may wish to update their copies.
Fix pg_dump to make ACL (permissions), comment, and security label entries reliably identifiable in archive output formats (Tom Lane)
The “tag” portion of an ACL archive entry was usually just the name of the associated object. Make it start with the object type instead, bringing ACLs into line with the convention already used for comment and security label archive entries. Also, fix the comment and security label entries for the whole database, if present, to make their tags start with DATABASE so that they also follow this convention. This prevents false matches in code that tries to identify large-object-related entries by seeing if the tag starts with LARGE OBJECT. That could have resulted in misclassifying entries as data rather than schema, with undesirable results in a schema-only or data-only dump.
Note that this change has user-visible results in the output of pg_restore --list.
Rename pg_rewind's copy_file_range function to avoid conflict with new Linux system call of that name (Andres Freund)
This change prevents build failures with newer glibc versions.
In ecpg, detect indicator arrays that do not have the correct length and report an error (David Rader)
Change the behavior of contrib/cube's cube ~> int operator to make it compatible with KNN search (Alexander Korotkov)
The meaning of the second argument (the dimension selector) has been changed to make it predictable which value is selected even when dealing with cubes of varying dimensionalities.
This is an incompatible change, but since the point of the operator was to be used in KNN searches, it seems rather useless as-is. After installing this update, any expression indexes or materialized views using this operator will need to be reindexed/refreshed.
Avoid triggering a libc assertion in contrib/hstore, due to use of memcpy() with equal source and destination pointers (Tomas Vondra)
Fix incorrect display of tuples' null bitmaps in contrib/pageinspect (Maksim Milyutin)
Fix incorrect output from contrib/pageinspect's hash_page_items() function (Masahiko Sawada)
In contrib/postgres_fdw, avoid “outer pathkeys do not match mergeclauses” planner error when constructing a plan involving a remote join (Robert Haas)
In contrib/postgres_fdw, avoid planner failure when there are duplicate GROUP BY entries (Jeevan Chalke)
Provide modern examples of how to auto-start Postgres on macOS (Tom Lane)
The scripts in contrib/start-scripts/osx use infrastructure that's been deprecated for over a decade, and which no longer works at all in macOS releases of the last couple of years. Add a new subdirectory contrib/start-scripts/macos containing scripts that use the newer launchd infrastructure.
Fix incorrect selection of configuration-specific libraries for OpenSSL on Windows (Andrew Dunstan)
Support linking to MinGW-built versions of libperl (Noah Misch)
This allows building PL/Perl with some common Perl distributions for Windows.
Fix MSVC build to test whether 32-bit libperl needs -D_USE_32BIT_TIME_T (Noah Misch)
Available Perl distributions are inconsistent about what they expect, and lack any reliable means of reporting it, so resort to a build-time test on what the library being used actually does.
On Windows, install the crash dump handler earlier in postmaster startup (Takayuki Tsunakawa)
This may allow collection of a core dump for some early-startup failures that did not produce a dump before.
On Windows, avoid encoding-conversion-related crashes when emitting messages very early in postmaster startup (Takayuki Tsunakawa)
Use our existing Motorola 68K spinlock code on OpenBSD as well as NetBSD (David Carlier)
Add support for spinlocks on Motorola 88K (David Carlier)
Update time zone data files to tzdata release 2018c for DST law changes in Brazil, Sao Tome and Principe, plus historical corrections for Bolivia, Japan, and South Sudan. The US/Pacific-New zone has been removed (it was only an alias for America/Los_Angeles anyway).