Release 9.4.12Release Date2017-05-11
This release contains a variety of fixes from 9.4.11.
For information about new features in the 9.4 major release, see
.
Migration to Version 9.4.12
A dump/restore is not required for those running 9.4.X.
However, if you are using third-party replication tools that depend
on logical decoding>, see the first changelog entry below.
Also, if you are upgrading from a version earlier than 9.4.11,
see .
Changes
Fix possibly-invalid initial snapshot during logical decoding
(Petr Jelinek, Andres Freund)
The initial snapshot created for a logical decoding replication slot
was potentially incorrect. This could cause third-party tools that
use logical decoding to copy incomplete/inconsistent initial data.
This was more likely to happen if the source server was busy at the
time of slot creation, or if another logical slot already existed.
If you are using a replication tool that depends on logical decoding,
and it should have copied a nonempty data set at the start of
replication, it is advisable to recreate the replica after
installing this update, or to verify its contents against the source
server.
Fix possible corruption of init forks> of unlogged indexes
(Robert Haas, Michael Paquier)
This could result in an unlogged index being set to an invalid state
after a crash and restart. Such a problem would persist until the
index was dropped and rebuilt.
Fix incorrect reconstruction of pg_subtrans> entries
when a standby server replays a prepared but uncommitted two-phase
transaction (Tom Lane)
In most cases this turned out to have no visible ill effects, but in
corner cases it could result in circular references
in pg_subtrans>, potentially causing infinite loops
in queries that examine rows modified by the two-phase transaction.
Avoid possible crash in walsender> due to failure
to initialize a string buffer (Stas Kelvich, Fujii Masao)
Fix postmaster's handling of fork()> failure for a
background worker process (Tom Lane)
Previously, the postmaster updated portions of its state as though
the process had been launched successfully, resulting in subsequent
confusion.
Ensure parsing of queries in extension scripts sees the results of
immediately-preceding DDL (Julien Rouhaud, Tom Lane)
Due to lack of a cache flush step between commands in an extension
script file, non-utility queries might not see the effects of an
immediately preceding catalog change, such as ALTER TABLE
... RENAME>.
Skip tablespace privilege checks when ALTER TABLE ... ALTER
COLUMN TYPE> rebuilds an existing index (Noah Misch)
The command failed if the calling user did not currently have
CREATE> privilege for the tablespace containing the index.
That behavior seems unhelpful, so skip the check, allowing the
index to be rebuilt where it is.
Fix ALTER TABLE ... VALIDATE CONSTRAINT> to not recurse
to child tables when the constraint is marked NO INHERIT>
(Amit Langote)
This fix prevents unwanted constraint does not exist> failures
when no matching constraint is present in the child tables.
Fix VACUUM> to account properly for pages that could not
be scanned due to conflicting page pins (Andrew Gierth)
This tended to lead to underestimation of the number of tuples in
the table. In the worst case of a small heavily-contended
table, VACUUM> could incorrectly report that the table
contained no tuples, leading to very bad planning choices.
Ensure that bulk-tuple-transfer loops within a hash join are
interruptible by query cancel requests (Tom Lane, Thomas Munro)
Fix integer-overflow problems in interval> comparison (Kyotaro
Horiguchi, Tom Lane)
The comparison operators for type interval> could yield wrong
answers for intervals larger than about 296000 years. Indexes on
columns containing such large values should be reindexed, since they
may be corrupt.
Fix cursor_to_xml()> to produce valid output
with tableforest> = false
(Thomas Munro, Peter Eisentraut)
Previously it failed to produce a wrapping <table>>
element.
Fix roundoff problems in float8_timestamptz()>
and make_interval()> (Tom Lane)
These functions truncated, rather than rounded, when converting a
floating-point value to integer microseconds; that could cause
unexpectedly off-by-one results.
Improve performance of pg_timezone_names> view
(Tom Lane, David Rowley)
Reduce memory management overhead for contexts containing many large
blocks (Tom Lane)
Fix sloppy handling of corner-case errors from lseek()>
and close()> (Tom Lane)
Neither of these system calls are likely to fail in typical situations,
but if they did, fd.c> could get quite confused.
Fix incorrect check for whether postmaster is running as a Windows
service (Michael Paquier)
This could result in attempting to write to the event log when that
isn't accessible, so that no logging happens at all.
Fix ecpg> to support COMMIT PREPARED>
and ROLLBACK PREPARED> (Masahiko Sawada)
Fix a double-free error when processing dollar-quoted string literals
in ecpg> (Michael Meskes)
In pg_dump>, fix incorrect schema and owner marking for
comments and security labels of some types of database objects
(Giuseppe Broccolo, Tom Lane)
In simple cases this caused no ill effects; but for example, a
schema-selective restore might omit comments it should include, because
they were not marked as belonging to the schema of their associated
object.
Avoid emitting an invalid list file in pg_restore -l>
when SQL object names contain newlines (Tom Lane)
Replace newlines by spaces, which is sufficient to make the output
valid for pg_restore -L>'s purposes.
Fix pg_upgrade> to transfer comments and security labels
attached to large objects> (blobs) (Stephen Frost)
Previously, blobs were correctly transferred to the new database, but
any comments or security labels attached to them were lost.
Improve error handling
in contrib/adminpack>'s pg_file_write()>
function (Noah Misch)
Notably, it failed to detect errors reported
by fclose()>.
In contrib/dblink>, avoid leaking the previous unnamed
connection when establishing a new unnamed connection (Joe Conway)
Fix contrib/pg_trgm>'s extraction of trigrams from regular
expressions (Tom Lane)
In some cases it would produce a broken data structure that could never
match anything, leading to GIN or GiST indexscans that use a trigram
index not finding any matches to the regular expression.
In contrib/postgres_fdw>,
transmit query cancellation requests to the remote server
(Michael Paquier, Etsuro Fujita)
Previously, a local query cancellation request did not cause an
already-sent remote query to terminate early. This is a back-patch
of work originally done for 9.6.
Support OpenSSL 1.1.0 (Heikki Linnakangas, Andreas Karlsson, Tom Lane)
This is a back-patch of work previously done in newer branches;
it's needed since many platforms are adopting newer OpenSSL versions.
Support Tcl 8.6 in MSVC builds (Álvaro Herrera)
Sync our copy of the timezone library with IANA release tzcode2017b
(Tom Lane)
This fixes a bug affecting some DST transitions in January 2038.
Update time zone data files to tzdata> release 2017b
for DST law changes in Chile, Haiti, and Mongolia, plus historical
corrections for Ecuador, Kazakhstan, Liberia, and Spain.
Switch to numeric abbreviations for numerous time zones in South
America, the Pacific and Indian oceans, and some Asian and Middle
Eastern countries.
The IANA time zone database previously provided textual abbreviations
for all time zones, sometimes making up abbreviations that have little
or no currency among the local population. They are in process of
reversing that policy in favor of using numeric UTC offsets in zones
where there is no evidence of real-world use of an English
abbreviation. At least for the time being, PostgreSQL>
will continue to accept such removed abbreviations for timestamp input.
But they will not be shown in the pg_timezone_names>
view nor used for output.
Use correct daylight-savings rules for POSIX-style time zone names
in MSVC builds (David Rowley)
The Microsoft MSVC build scripts neglected to install
the posixrules> file in the timezone directory tree.
This resulted in the timezone code falling back to its built-in
rule about what DST behavior to assume for a POSIX-style time zone
name. For historical reasons that still corresponds to the DST rules
the USA was using before 2007 (i.e., change on first Sunday in April
and last Sunday in October). With this fix, a POSIX-style zone name
will use the current and historical DST transition dates of
the US/Eastern> zone. If you don't want that, remove
the posixrules> file, or replace it with a copy of some
other zone file (see ). Note that
due to caching, you may need to restart the server to get such changes
to take effect.
Release 9.4.11Release Date2017-02-09
This release contains a variety of fixes from 9.4.10.
For information about new features in the 9.4 major release, see
.
Migration to Version 9.4.11
A dump/restore is not required for those running 9.4.X.
However, if your installation has been affected by the bug described in
the first changelog entry below, then after updating you may need
to take action to repair corrupted indexes.
Also, if you are upgrading from a version earlier than 9.4.10,
see .
Changes
Fix a race condition that could cause indexes built
with CREATE INDEX CONCURRENTLY> to be corrupt
(Pavan Deolasee, Tom Lane)
If CREATE INDEX CONCURRENTLY> was used to build an index
that depends on a column not previously indexed, then rows
updated by transactions that ran concurrently with
the CREATE INDEX> command could have received incorrect
index entries. If you suspect this may have happened, the most
reliable solution is to rebuild affected indexes after installing
this update.
Ensure that the special snapshot used for catalog scans is not
invalidated by premature data pruning (Tom Lane)
Backends failed to account for this snapshot when advertising their
oldest xmin, potentially allowing concurrent vacuuming operations to
remove data that was still needed. This led to transient failures
along the lines of cache lookup failed for relation 1255>.
Unconditionally WAL-log creation of the init fork> for an
unlogged table (Michael Paquier)
Previously, this was skipped when
= minimal>, but actually it's necessary even in that case
to ensure that the unlogged table is properly reset to empty after a
crash.
Reduce interlocking on standby servers during the replay of btree
index vacuuming operations (Simon Riggs)
This change avoids substantial replication delays that sometimes
occurred while replaying such operations.
If the stats collector dies during hot standby, restart it (Takayuki
Tsunakawa)
Ensure that hot standby feedback works correctly when it's enabled at
standby server start (Ants Aasma, Craig Ringer)
Check for interrupts while hot standby is waiting for a conflicting
query (Simon Riggs)
Avoid constantly respawning the autovacuum launcher in a corner case
(Amit Khandekar)
This fix avoids problems when autovacuum is nominally off and there
are some tables that require freezing, but all such tables are
already being processed by autovacuum workers.
Fix check for when an extension member object can be dropped (Tom Lane)
Extension upgrade scripts should be able to drop member objects,
but this was disallowed for serial-column sequences, and possibly
other cases.
Make sure ALTER TABLE> preserves index tablespace
assignments when rebuilding indexes (Tom Lane, Michael Paquier)
Previously, non-default settings
of could result in broken
indexes.
Fix incorrect updating of trigger function properties when changing a
foreign-key constraint's deferrability properties with ALTER
TABLE ... ALTER CONSTRAINT> (Tom Lane)
This led to odd failures during subsequent exercise of the foreign
key, as the triggers were fired at the wrong times.
Prevent dropping a foreign-key constraint if there are pending
trigger events for the referenced relation (Tom Lane)
This avoids could not find trigger NNN>
or relation NNN> has no triggers errors.
Fix processing of OID column when a table with OIDs is associated to
a parent with OIDs via ALTER TABLE ... INHERIT> (Amit
Langote)
The OID column should be treated the same as regular user columns in
this case, but it wasn't, leading to odd behavior in later
inheritance changes.
Fix CREATE OR REPLACE VIEW> to update the view query
before attempting to apply the new view options (Dean Rasheed)
Previously the command would fail if the new options were
inconsistent with the old view definition.
Report correct object identity during ALTER TEXT SEARCH
CONFIGURATION> (Artur Zakirov)
The wrong catalog OID was reported to extensions such as logical
decoding.
Check for serializability conflicts before reporting
constraint-violation failures (Thomas Munro)
When using serializable transaction isolation, it is desirable
that any error due to concurrent transactions should manifest
as a serialization failure, thereby cueing the application that
a retry might succeed. Unfortunately, this does not reliably
happen for duplicate-key failures caused by concurrent insertions.
This change ensures that such an error will be reported as a
serialization error if the application explicitly checked for
the presence of a conflicting key (and did not find it) earlier
in the transaction.
Prevent multicolumn expansion of foo>.*> in
an UPDATE> source expression (Tom Lane)
This led to UPDATE target count mismatch --- internal
error>. Now the syntax is understood as a whole-row variable,
as it would be in other contexts.
Ensure that column typmods are determined accurately for
multi-row VALUES> constructs (Tom Lane)
This fixes problems occurring when the first value in a column has a
determinable typmod (e.g., length for a varchar> value) but
later values don't share the same limit.
Throw error for an unfinished Unicode surrogate pair at the end of a
Unicode string (Tom Lane)
Normally, a Unicode surrogate leading character must be followed by a
Unicode surrogate trailing character, but the check for this was
missed if the leading character was the last character in a Unicode
string literal (U&'...'>) or Unicode identifier
(U&"...">).
Ensure that a purely negative text search query, such
as !foo>, matches empty tsvector>s (Tom Dunstan)
Such matches were found by GIN index searches, but not by sequential
scans or GiST index searches.
Prevent crash when ts_rewrite()> replaces a non-top-level
subtree with an empty query (Artur Zakirov)
Fix performance problems in ts_rewrite()> (Tom Lane)
Fix ts_rewrite()>'s handling of nested NOT operators
(Tom Lane)
Fix array_fill()> to handle empty arrays properly (Tom Lane)
Fix one-byte buffer overrun in quote_literal_cstr()>
(Heikki Linnakangas)
The overrun occurred only if the input consisted entirely of single
quotes and/or backslashes.
Prevent multiple calls of pg_start_backup()>
and pg_stop_backup()> from running concurrently (Michael
Paquier)
This avoids an assertion failure, and possibly worse things, if
someone tries to run these functions in parallel.
Avoid discarding interval>-to-interval> casts
that aren't really no-ops (Tom Lane)
In some cases, a cast that should result in zeroing out
low-order interval> fields was mistakenly deemed to be a
no-op and discarded. An example is that casting from INTERVAL
MONTH> to INTERVAL YEAR> failed to clear the months field.
Ensure that cached plans are invalidated by changes in foreign-table
options (Amit Langote, Etsuro Fujita, Ashutosh Bapat)
Fix pg_dump> to dump user-defined casts and transforms
that use built-in functions (Stephen Frost)
Fix pg_restore> with
This doesn't fix any live bug, but it may improve the behavior in
future if pg_restore> is used with an archive
generated by a later pg_dump> version.
Fix pg_basebackup>'s rate limiting in the presence of
slow I/O (Antonin Houska)
If disk I/O was transiently much slower than the specified rate
limit, the calculation overflowed, effectively disabling the rate
limit for the rest of the run.
Fix pg_basebackup>'s handling of
symlinked pg_stat_tmp> and pg_replslot>
subdirectories (Magnus Hagander, Michael Paquier)
Fix possible pg_basebackup> failure on standby
server when including WAL files (Amit Kapila, Robert Haas)
Ensure that the Python exception objects we create for PL/Python are
properly reference-counted (Rafa de la Torre, Tom Lane)
This avoids failures if the objects are used after a Python garbage
collection cycle has occurred.
Fix PL/Tcl to support triggers on tables that have .tupno>
as a column name (Tom Lane)
This matches the (previously undocumented) behavior of
PL/Tcl's spi_exec> and spi_execp> commands,
namely that a magic .tupno> column is inserted only if
there isn't a real column named that.
Allow DOS-style line endings in ~/.pgpass> files,
even on Unix (Vik Fearing)
This change simplifies use of the same password file across Unix and
Windows machines.
Fix one-byte buffer overrun if ecpg> is given a file
name that ends with a dot (Takayuki Tsunakawa)
Fix psql>'s tab completion for ALTER DEFAULT
PRIVILEGES> (Gilles Darold, Stephen Frost)
In psql>, treat an empty or all-blank setting of
the PAGER> environment variable as meaning no
pager> (Tom Lane)
Previously, such a setting caused output intended for the pager to
vanish entirely.
Improve contrib/dblink>'s reporting of
low-level libpq> errors, such as out-of-memory
(Joe Conway)
Teach contrib/dblink> to ignore irrelevant server options
when it uses a contrib/postgres_fdw> foreign server as
the source of connection options (Corey Huinker)
Previously, if the foreign server object had options that were not
also libpq> connection options, an error occurred.
On Windows, ensure that environment variable changes are propagated
to DLLs built with debug options (Christian Ullrich)
Sync our copy of the timezone library with IANA release tzcode2016j
(Tom Lane)
This fixes various issues, most notably that timezone data
installation failed if the target directory didn't support hard
links.
Update time zone data files to tzdata> release 2016j
for DST law changes in northern Cyprus (adding a new zone
Asia/Famagusta), Russia (adding a new zone Europe/Saratov), Tonga,
and Antarctica/Casey.
Historical corrections for Italy, Kazakhstan, Malta, and Palestine.
Switch to preferring numeric zone abbreviations for Tonga.
Release 9.4.10Release Date2016-10-27
This release contains a variety of fixes from 9.4.9.
For information about new features in the 9.4 major release, see
.
Migration to Version 9.4.10
A dump/restore is not required for those running 9.4.X.
However, if your installation has been affected by the bug described in
the first changelog entry below, then after updating you may need
to take action to repair corrupted free space maps.
Also, if you are upgrading from a version earlier than 9.4.6,
see .
Changes
Fix WAL-logging of truncation of relation free space maps and
visibility maps (Pavan Deolasee, Heikki Linnakangas)
It was possible for these files to not be correctly restored during
crash recovery, or to be written incorrectly on a standby server.
Bogus entries in a free space map could lead to attempts to access
pages that have been truncated away from the relation itself, typically
producing errors like could not read block XXX>:
read only 0 of 8192 bytes. Checksum failures in the
visibility map are also possible, if checksumming is enabled.
Procedures for determining whether there is a problem and repairing it
if so are discussed at
>.
Fix incorrect creation of GIN index WAL records on big-endian machines
(Tom Lane)
The typical symptom was unexpected GIN leaf action> errors
during WAL replay.
Fix SELECT FOR UPDATE/SHARE> to correctly lock tuples that
have been updated by a subsequently-aborted transaction
(Álvaro Herrera)
In 9.5 and later, the SELECT> would sometimes fail to
return such tuples at all. A failure has not been proven to occur in
earlier releases, but might be possible with concurrent updates.
Fix EvalPlanQual rechecks involving CTE scans (Tom Lane)
The recheck would always see the CTE as returning no rows, typically
leading to failure to update rows that were recently updated.
Fix improper repetition of previous results from hashed aggregation in
a subquery (Andrew Gierth)
The test to see if we can reuse a previously-computed hash table of
the aggregate state values neglected the possibility of an outer query
reference appearing in an aggregate argument expression. A change in
the value of such a reference should lead to recalculating the hash
table, but did not.
Fix query-lifespan memory leak in a bulk UPDATE> on a table
with a PRIMARY KEY> or REPLICA IDENTITY> index
(Tom Lane)
Fix EXPLAIN> to emit valid XML when
is on (Markus Winand)
Previously the XML output-format option produced syntactically invalid
tags such as <I/O-Read-Time>>. That is now
rendered as <I-O-Read-Time>>.
Suppress printing of zeroes for unmeasured times
in EXPLAIN> (Maksim Milyutin)
Certain option combinations resulted in printing zero values for times
that actually aren't ever measured in that combination. Our general
policy in EXPLAIN> is not to print such fields at all, so
do that consistently in all cases.
Fix timeout length when VACUUM> is waiting for exclusive
table lock so that it can truncate the table (Simon Riggs)
The timeout was meant to be 50 milliseconds, but it was actually only
50 microseconds, causing VACUUM> to give up on truncation
much more easily than intended. Set it to the intended value.
Fix bugs in merging inherited CHECK> constraints while
creating or altering a table (Tom Lane, Amit Langote)
Allow identical CHECK> constraints to be added to a parent
and child table in either order. Prevent merging of a valid
constraint from the parent table with a NOT VALID>
constraint on the child. Likewise, prevent merging of a NO
INHERIT> child constraint with an inherited constraint.
Remove artificial restrictions on the values accepted
by numeric_in()> and numeric_recv()>
(Tom Lane)
We allow numeric values up to the limit of the storage format (more
than 1e100000>), so it seems fairly pointless
that numeric_in()> rejected scientific-notation exponents
above 1000. Likewise, it was silly for numeric_recv()> to
reject more than 1000 digits in an input value.
Avoid very-low-probability data corruption due to testing tuple
visibility without holding buffer lock (Thomas Munro, Peter Geoghegan,
Tom Lane)
Fix logical WAL decoding to work properly when a subtransaction's WAL
output is large enough to spill to disk (Andres Freund)
Fix buffer overread in logical WAL decoding (Tom Lane)
Logical decoding of a tuple update record read 23 bytes too many,
which was usually harmless but with very bad luck could result in a
crash.
Fix file descriptor leakage when truncating a temporary relation of
more than 1GB (Andres Freund)
Disallow starting a standalone backend with standby_mode>
turned on (Michael Paquier)
This can't do anything useful, since there will be no WAL receiver
process to fetch more WAL data; and it could result in misbehavior
in code that wasn't designed with this situation in mind.
Properly initialize replication slot state when recycling a
previously-used slot (Michael Paquier)
This failure to reset all of the fields of the slot could
prevent VACUUM> from removing dead tuples.
Round shared-memory allocation request to a multiple of the actual
huge page size when attempting to use huge pages on Linux (Tom Lane)
This avoids possible failures during munmap()> on systems
with atypical default huge page sizes. Except in crash-recovery
cases, there were no ill effects other than a log message.
Use a more random value for the dynamic shared memory control
segment's ID (Robert Haas, Tom Lane)
Previously, the same value would be chosen every time, because it was
derived from random()> but srandom()> had not
yet been called. While relatively harmless, this was not the intended
behavior.
On Windows, retry creation of the dynamic shared memory control
segment after an access-denied error (Kyotaro Horiguchi, Amit Kapila)
Windows sometimes returns ERROR_ACCESS_DENIED> rather
than ERROR_ALREADY_EXISTS> when there is an existing
segment. This led to postmaster startup failure due to believing that
the former was an unrecoverable error.
Don't try to share SSL contexts across multiple connections
in libpq> (Heikki Linnakangas)
This led to assorted corner-case bugs, particularly when trying to use
different SSL parameters for different connections.
Avoid corner-case memory leak in libpq> (Tom Lane)
The reported problem involved leaking an error report
during PQreset()>, but there might be related cases.
Make ecpg>'s
Fix pgbench>'s calculation of average latency
(Fabien Coelho)
The calculation was incorrect when there were \sleep>
commands in the script, or when the test duration was specified in
number of transactions rather than total time.
In pg_dump>, never dump range constructor functions
(Tom Lane)
This oversight led to pg_upgrade> failures with
extensions containing range types, due to duplicate creation of the
constructor functions.
In pg_xlogdump>, retry opening new WAL segments when
using
This allows for a possible delay in the server's creation of the next
segment.
Fix pg_xlogdump> to cope with a WAL file that begins
with a continuation record spanning more than one page (Pavan
Deolasee)
Fix contrib/pg_buffercache> to work
when shared_buffers> exceeds 256GB (KaiGai Kohei)
Fix contrib/intarray/bench/bench.pl> to print the results
of the EXPLAIN> it does when given the
Install TAP test infrastructure so that it's available for extension
testing (Craig Ringer)
When PostgreSQL> has been configured
with
In MSVC builds, include pg_recvlogical> in a
client-only installation (MauMau)
Update Windows time zone mapping to recognize some time zone names
added in recent Windows versions (Michael Paquier)
Prevent failure of obsolete dynamic time zone abbreviations (Tom Lane)
If a dynamic time zone abbreviation does not match any entry in the
referenced time zone, treat it as equivalent to the time zone name.
This avoids unexpected failures when IANA removes abbreviations from
their time zone database, as they did in tzdata>
release 2016f and seem likely to do again in the future. The
consequences were not limited to not recognizing the individual
abbreviation; any mismatch caused
the pg_timezone_abbrevs> view to fail altogether.
Update time zone data files to tzdata> release 2016h
for DST law changes in Palestine and Turkey, plus historical
corrections for Turkey and some regions of Russia.
Switch to numeric abbreviations for some time zones in Antarctica,
the former Soviet Union, and Sri Lanka.
The IANA time zone database previously provided textual abbreviations
for all time zones, sometimes making up abbreviations that have little
or no currency among the local population. They are in process of
reversing that policy in favor of using numeric UTC offsets in zones
where there is no evidence of real-world use of an English
abbreviation. At least for the time being, PostgreSQL>
will continue to accept such removed abbreviations for timestamp input.
But they will not be shown in the pg_timezone_names>
view nor used for output.
In this update, AMT> is no longer shown as being in use to
mean Armenia Time. Therefore, we have changed the Default>
abbreviation set to interpret it as Amazon Time, thus UTC-4 not UTC+4.
Release 9.4.9Release Date2016-08-11
This release contains a variety of fixes from 9.4.8.
For information about new features in the 9.4 major release, see
.
Migration to Version 9.4.9
A dump/restore is not required for those running 9.4.X.
However, if you are upgrading from a version earlier than 9.4.6,
see .
Changes
Fix possible mis-evaluation of
nested CASE>-WHEN> expressions (Heikki
Linnakangas, Michael Paquier, Tom Lane)
A CASE> expression appearing within the test value
subexpression of another CASE> could become confused about
whether its own test value was null or not. Also, inlining of a SQL
function implementing the equality operator used by
a CASE> expression could result in passing the wrong test
value to functions called within a CASE> expression in the
SQL function's body. If the test values were of different data
types, a crash might result; moreover such situations could be abused
to allow disclosure of portions of server memory. (CVE-2016-5423)
Fix client programs' handling of special characters in database and
role names (Noah Misch, Nathan Bossart, Michael Paquier)
Numerous places in vacuumdb> and other client programs
could become confused by database and role names containing double
quotes or backslashes. Tighten up quoting rules to make that safe.
Also, ensure that when a conninfo string is used as a database name
parameter to these programs, it is correctly treated as such throughout.
Fix handling of paired double quotes
in psql>'s \connect>
and \password> commands to match the documentation.
Introduce a new pg_dumpall> now refuses to deal with database and role
names containing carriage returns or newlines, as it seems impractical
to quote those characters safely on Windows. In future we may reject
such names on the server side, but that step has not been taken yet.
These are considered security fixes because crafted object names
containing special characters could have been used to execute
commands with superuser privileges the next time a superuser
executes pg_dumpall> or other routine maintenance
operations. (CVE-2016-5424)
Fix corner-case misbehaviors for IS NULL>/IS NOT
NULL> applied to nested composite values (Andrew Gierth, Tom Lane)
The SQL standard specifies that IS NULL> should return
TRUE for a row of all null values (thus ROW(NULL,NULL) IS
NULL> yields TRUE), but this is not meant to apply recursively
(thus ROW(NULL, ROW(NULL,NULL)) IS NULL> yields FALSE).
The core executor got this right, but certain planner optimizations
treated the test as recursive (thus producing TRUE in both cases),
and contrib/postgres_fdw> could produce remote queries
that misbehaved similarly.
Make the inet> and cidr> data types properly reject
IPv6 addresses with too many colon-separated fields (Tom Lane)
Prevent crash in close_ps()>
(the point> ##> lseg> operator)
for NaN input coordinates (Tom Lane)
Make it return NULL instead of crashing.
Avoid possible crash in pg_get_expr()> when inconsistent
values are passed to it (Michael Paquier, Thomas Munro)
Fix several one-byte buffer over-reads in to_number()>
(Peter Eisentraut)
In several cases the to_number()> function would read one
more character than it should from the input string. There is a
small chance of a crash, if the input happens to be adjacent to the
end of memory.
Do not run the planner on the query contained in CREATE
MATERIALIZED VIEW> or CREATE TABLE AS>
when WITH NO DATA> is specified (Michael Paquier,
Tom Lane)
This avoids some unnecessary failure conditions, for example if a
stable function invoked by the materialized view depends on a table
that doesn't exist yet.
Avoid unsafe intermediate state during expensive paths
through heap_update()> (Masahiko Sawada, Andres Freund)
Previously, these cases locked the target tuple (by setting its XMAX)
but did not WAL-log that action, thus risking data integrity problems
if the page were spilled to disk and then a database crash occurred
before the tuple update could be completed.
Fix hint bit update during WAL replay of row locking operations
(Andres Freund)
The only known consequence of this problem is that row locks held by
a prepared, but uncommitted, transaction might fail to be enforced
after a crash and restart.
Avoid unnecessary could not serialize access> errors when
acquiring FOR KEY SHARE> row locks in serializable mode
(Álvaro Herrera)
Avoid crash in postgres -C> when the specified variable
has a null string value (Michael Paquier)
Fix possible loss of large subtransactions in logical decoding
(Petru-Florin Mihancea)
Fix failure of logical decoding when a subtransaction contains no
actual changes (Marko Tiikkaja, Andrew Gierth)
Ensure that backends see up-to-date statistics for shared catalogs
(Tom Lane)
The statistics collector failed to update the statistics file for
shared catalogs after a request from a regular backend. This problem
was partially masked because the autovacuum launcher regularly makes
requests that did cause such updates; however, it became obvious with
autovacuum disabled.
Avoid redundant writes of the statistics files when multiple
backends request updates close together (Tom Lane, Tomas Vondra)
Avoid consuming a transaction ID during VACUUM>
(Alexander Korotkov)
Some cases in VACUUM> unnecessarily caused an XID to be
assigned to the current transaction. Normally this is negligible,
but if one is up against the XID wraparound limit, consuming more
XIDs during anti-wraparound vacuums is a very bad thing.
Avoid canceling hot-standby queries during VACUUM FREEZE>
(Simon Riggs, Álvaro Herrera)
VACUUM FREEZE> on an otherwise-idle master server could
result in unnecessary cancellations of queries on its standby
servers.
Prevent possible failure when vacuuming multixact IDs in an
installation that has been pg_upgrade'd from pre-9.3 (Andrew Gierth,
Álvaro Herrera)
The usual symptom of this bug is errors
like MultiXactId NNN> has not been created
yet -- apparent wraparound.
When a manual ANALYZE> specifies a column list, don't
reset the table's changes_since_analyze> counter
(Tom Lane)
If we're only analyzing some columns, we should not prevent routine
auto-analyze from happening for the other columns.
Fix ANALYZE>'s overestimation of n_distinct>
for a unique or nearly-unique column with many null entries (Tom
Lane)
The nulls could get counted as though they were themselves distinct
values, leading to serious planner misestimates in some types of
queries.
Prevent autovacuum from starting multiple workers for the same shared
catalog (Álvaro Herrera)
Normally this isn't much of a problem because the vacuum doesn't take
long anyway; but in the case of a severely bloated catalog, it could
result in all but one worker uselessly waiting instead of doing
useful work on other tables.
Avoid duplicate buffer lock release when abandoning a b-tree index
page deletion attempt (Tom Lane)
This mistake prevented VACUUM> from completing in some
cases involving corrupt b-tree indexes.
Prevent infinite loop in GiST index build for geometric columns
containing NaN component values (Tom Lane)
Fix contrib/btree_gin> to handle the smallest
possible bigint> value correctly (Peter Eisentraut)
Teach libpq to correctly decode server version from future servers
(Peter Eisentraut)
It's planned to switch to two-part instead of three-part server
version numbers for releases after 9.6. Make sure
that PQserverVersion()> returns the correct value for
such cases.
Fix ecpg>'s code for unsigned long long>
array elements (Michael Meskes)
In pg_dump> with both
Improve handling of SIGTERM>/control-C in
parallel pg_dump> and pg_restore> (Tom
Lane)
Make sure that the worker processes will exit promptly, and also arrange
to send query-cancel requests to the connected backends, in case they
are doing something long-running such as a CREATE INDEX>.
Fix error reporting in parallel pg_dump>
and pg_restore> (Tom Lane)
Previously, errors reported by pg_dump>
or pg_restore> worker processes might never make it to
the user's console, because the messages went through the master
process, and there were various deadlock scenarios that would prevent
the master process from passing on the messages. Instead, just print
everything to stderr>. In some cases this will result in
duplicate messages (for instance, if all the workers report a server
shutdown), but that seems better than no message.
Ensure that parallel pg_dump>
or pg_restore> on Windows will shut down properly
after an error (Kyotaro Horiguchi)
Previously, it would report the error, but then just sit until
manually stopped by the user.
Make pg_dump> behave better when built without zlib
support (Kyotaro Horiguchi)
It didn't work right for parallel dumps, and emitted some rather
pointless warnings in other cases.
Make pg_basebackup> accept -Z 0> as
specifying no compression (Fujii Masao)
Fix makefiles' rule for building AIX shared libraries to be safe for
parallel make (Noah Misch)
Fix TAP tests and MSVC scripts to work when build directory's path
name contains spaces (Michael Paquier, Kyotaro Horiguchi)
Be more predictable about reporting statement timeout>
versus lock timeout> (Tom Lane)
On heavily loaded machines, the regression tests sometimes failed due
to reporting lock timeout> even though the statement timeout
should have occurred first.
Make regression tests safe for Danish and Welsh locales (Jeff Janes,
Tom Lane)
Change some test data that triggered the unusual sorting rules of
these locales.
Update our copy of the timezone code to match
IANA's tzcode> release 2016c (Tom Lane)
This is needed to cope with anticipated future changes in the time
zone data files. It also fixes some corner-case bugs in coping with
unusual time zones.
Update time zone data files to tzdata> release 2016f
for DST law changes in Kemerovo and Novosibirsk, plus historical
corrections for Azerbaijan, Belarus, and Morocco.
Release 9.4.8Release Date2016-05-12
This release contains a variety of fixes from 9.4.7.
For information about new features in the 9.4 major release, see
.
Migration to Version 9.4.8
A dump/restore is not required for those running 9.4.X.
However, if you are upgrading from a version earlier than 9.4.6,
see .
Changes
Clear the OpenSSL error queue before OpenSSL calls, rather than
assuming it's clear already; and make sure we leave it clear
afterwards (Peter Geoghegan, Dave Vitek, Peter Eisentraut)
This change prevents problems when there are multiple connections
using OpenSSL within a single process and not all the code involved
follows the same rules for when to clear the error queue.
Failures have been reported specifically when a client application
uses SSL connections in libpq> concurrently with
SSL connections using the PHP, Python, or Ruby wrappers for OpenSSL.
It's possible for similar problems to arise within the server as well,
if an extension module establishes an outgoing SSL connection.
Fix failed to build any N>-way joins
planner error with a full join enclosed in the right-hand side of a
left join (Tom Lane)
Fix incorrect handling of equivalence-class tests in multilevel
nestloop plans (Tom Lane)
Given a three-or-more-way equivalence class of variables, such
as X.X = Y.Y = Z.Z>, it was possible for the planner to omit
some of the tests needed to enforce that all the variables are actually
equal, leading to join rows being output that didn't satisfy
the WHERE> clauses. For various reasons, erroneous plans
were seldom selected in practice, so that this bug has gone undetected
for a long time.
Fix query-lifespan memory leak in GIN index scans (Julien Rouhaud)
Fix query-lifespan memory leak and potential index corruption hazard in
GIN index insertion (Tom Lane)
The memory leak would typically not amount to much in simple queries,
but it could be very substantial during a large GIN index build with
high maintenance_work_mem>.
Fix possible misbehavior of TH>, th>,
and Y,YYY> format codes in to_timestamp()>
(Tom Lane)
These could advance off the end of the input string, causing subsequent
format codes to read garbage.
Fix dumping of rules and views in which the array>
argument of a value> operator>
ANY (array>) construct is a sub-SELECT
(Tom Lane)
Disallow newlines in ALTER SYSTEM> parameter values
(Tom Lane)
The configuration-file parser doesn't support embedded newlines in
string literals, so we mustn't allow them in values to be inserted
by ALTER SYSTEM>.
Fix ALTER TABLE ... REPLICA IDENTITY USING INDEX> to
work properly if an index on OID is selected (David Rowley)
Fix crash in logical decoding on alignment-picky platforms (Tom Lane,
Andres Freund)
The failure occurred only with a transaction large enough to spill to
disk and a primary-key change within that transaction.
Avoid repeated requests for feedback from receiver while shutting down
walsender (Nick Cleaton)
Make pg_regress> use a startup timeout from the
PGCTLTIMEOUT> environment variable, if that's set (Tom Lane)
This is for consistency with a behavior recently added
to pg_ctl>; it eases automated testing on slow machines.
Fix pg_upgrade> to correctly restore extension
membership for operator families containing only one operator class
(Tom Lane)
In such a case, the operator family was restored into the new database,
but it was no longer marked as part of the extension. This had no
immediate ill effects, but would cause later pg_dump>
runs to emit output that would cause (harmless) errors on restore.
Fix pg_upgrade> to not fail when new-cluster TOAST rules
differ from old (Tom Lane)
pg_upgrade> had special-case code to handle the
situation where the new PostgreSQL> version thinks that
a table should have a TOAST table while the old version did not. That
code was broken, so remove it, and instead do nothing in such cases;
there seems no reason to believe that we can't get along fine without
a TOAST table if that was okay according to the old version's rules.
Reduce the number of SysV semaphores used by a build configured with
Rename internal function strtoi()>
to strtoint()> to avoid conflict with a NetBSD library
function (Thomas Munro)
Fix reporting of errors from bind()>
and listen()> system calls on Windows (Tom Lane)
Reduce verbosity of compiler output when building with Microsoft Visual
Studio (Christian Ullrich)
Fix putenv()> to work properly with Visual Studio 2013
(Michael Paquier)
Avoid possibly-unsafe use of Windows' FormatMessage()>
function (Christian Ullrich)
Use the FORMAT_MESSAGE_IGNORE_INSERTS> flag where
appropriate. No live bug is known to exist here, but it seems like a
good idea to be careful.
Update time zone data files to tzdata> release 2016d
for DST law changes in Russia and Venezuela. There are new zone
names Europe/Kirov> and Asia/Tomsk> to reflect
the fact that these regions now have different time zone histories from
adjacent regions.
Release 9.4.7Release Date2016-03-31
This release contains a variety of fixes from 9.4.6.
For information about new features in the 9.4 major release, see
.
Migration to Version 9.4.7
A dump/restore is not required for those running 9.4.X.
However, if you are upgrading from a version earlier than 9.4.6,
see .
Changes
Fix incorrect handling of NULL index entries in
indexed ROW()> comparisons (Tom Lane)
An index search using a row comparison such as ROW(a, b) >
ROW('x', 'y')> would stop upon reaching a NULL entry in
the b> column, ignoring the fact that there might be
non-NULL b> values associated with later values
of a>.
Avoid unlikely data-loss scenarios due to renaming files without
adequate fsync()> calls before and after (Michael Paquier,
Tomas Vondra, Andres Freund)
Fix bug in json_to_record()> when a field of its input
object contains a sub-object with a field name matching one of the
requested output column names (Tom Lane)
Fix misformatting of negative time zone offsets
by to_char()>'s OF> format code
(Thomas Munro, Tom Lane)
Ignore parameter until
recovery has reached a consistent state (Michael Paquier)
Previously, standby servers would delay application of WAL records in
response to recovery_min_apply_delay> even while replaying
the initial portion of WAL needed to make their database state valid.
Since the standby is useless until it's reached a consistent database
state, this was deemed unhelpful.
Correctly handle cases where pg_subtrans> is close to XID
wraparound during server startup (Jeff Janes)
Fix assorted bugs in logical decoding (Andres Freund)
Trouble cases included tuples larger than one page when replica
identity is FULL>, UPDATE>s that change a
primary key within a transaction large enough to be spooled to disk,
incorrect reports of subxact logged without previous toplevel
record>, and incorrect reporting of a transaction's commit time.
Fix planner error with nested security barrier views when the outer
view has a WHERE> clause containing a correlated subquery
(Dean Rasheed)
Fix corner-case crash due to trying to free localeconv()>
output strings more than once (Tom Lane)
Fix parsing of affix files for ispell> dictionaries
(Tom Lane)
The code could go wrong if the affix file contained any characters
whose byte length changes during case-folding, for
example I> in Turkish UTF8 locales.
Avoid use of sscanf()> to parse ispell>
dictionary files (Artur Zakirov)
This dodges a portability problem on FreeBSD-derived platforms
(including macOS).
Avoid a crash on old Windows versions (before 7SP1/2008R2SP1) with an
AVX2-capable CPU and a Postgres build done with Visual Studio 2013
(Christian Ullrich)
This is a workaround for a bug in Visual Studio 2013's runtime
library, which Microsoft have stated they will not fix in that
version.
Fix psql>'s tab completion logic to handle multibyte
characters properly (Kyotaro Horiguchi, Robert Haas)
Fix psql>'s tab completion for
SECURITY LABEL> (Tom Lane)
Pressing TAB after SECURITY LABEL> might cause a crash
or offering of inappropriate keywords.
Make pg_ctl> accept a wait timeout from the
PGCTLTIMEOUT> environment variable, if none is specified on
the command line (Noah Misch)
This eases testing of slower buildfarm members by allowing them
to globally specify a longer-than-normal timeout for postmaster
startup and shutdown.
Fix incorrect test for Windows service status
in pg_ctl> (Manuel Mathar)
The previous set of minor releases attempted to
fix pg_ctl> to properly determine whether to send log
messages to Window's Event Log, but got the test backwards.
Fix pgbench> to correctly handle the combination
of -C> and -M prepared> options (Tom Lane)
In pg_upgrade>, skip creating a deletion script when
the new data directory is inside the old data directory (Bruce
Momjian)
Blind application of the script in such cases would result in loss of
the new data directory.
In PL/Perl, properly translate empty Postgres arrays into empty Perl
arrays (Alex Hunsaker)
Make PL/Python cope with function names that aren't valid Python
identifiers (Jim Nasby)
Fix multiple mistakes in the statistics returned
by contrib/pgstattuple>'s pgstatindex()>
function (Tom Lane)
Remove dependency on psed> in MSVC builds, since it's no
longer provided by core Perl (Michael Paquier, Andrew Dunstan)
Update time zone data files to tzdata> release 2016c
for DST law changes in Azerbaijan, Chile, Haiti, Palestine, and Russia
(Altai, Astrakhan, Kirov, Sakhalin, Ulyanovsk regions), plus
historical corrections for Lithuania, Moldova, and Russia
(Kaliningrad, Samara, Volgograd).
Release 9.4.6Release Date2016-02-11
This release contains a variety of fixes from 9.4.5.
For information about new features in the 9.4 major release, see
.
Migration to Version 9.4.6
A dump/restore is not required for those running 9.4.X.
However, if you are upgrading an installation that contains any GIN
indexes that use the (non-default) jsonb_path_ops> operator
class, see the first changelog entry below.
Also, if you are upgrading from a version earlier than 9.4.4,
see .
Changes
Fix inconsistent hash calculations in jsonb_path_ops> GIN
indexes (Tom Lane)
When processing jsonb> values that contain both scalars and
sub-objects at the same nesting level, for example an array containing
both scalars and sub-arrays, key hash values could be calculated
differently than they would be for the same key in a different context.
This could result in queries not finding entries that they should find.
Fixing this means that existing indexes may now be inconsistent with the
new hash calculation code. Users
should REINDEX> jsonb_path_ops> GIN indexes after
installing this update to make sure that all searches work as expected.
Fix infinite loops and buffer-overrun problems in regular expressions
(Tom Lane)
Very large character ranges in bracket expressions could cause
infinite loops in some cases, and memory overwrites in other cases.
(CVE-2016-0773)
Perform an immediate shutdown if the postmaster.pid> file
is removed (Tom Lane)
The postmaster now checks every minute or so
that postmaster.pid> is still there and still contains its
own PID. If not, it performs an immediate shutdown, as though it had
received SIGQUIT>. The main motivation for this change
is to ensure that failed buildfarm runs will get cleaned up without
manual intervention; but it also serves to limit the bad effects if a
DBA forcibly removes postmaster.pid> and then starts a new
postmaster.
In SERIALIZABLE> transaction isolation mode, serialization
anomalies could be missed due to race conditions during insertions
(Kevin Grittner, Thomas Munro)
Fix failure to emit appropriate WAL records when doing ALTER
TABLE ... SET TABLESPACE> for unlogged relations (Michael Paquier,
Andres Freund)
Even though the relation's data is unlogged, the move must be logged or
the relation will be inaccessible after a standby is promoted to master.
Fix possible misinitialization of unlogged relations at the end of
crash recovery (Andres Freund, Michael Paquier)
Ensure walsender slots are fully re-initialized when being re-used
(Magnus Hagander)
Fix ALTER COLUMN TYPE> to reconstruct inherited check
constraints properly (Tom Lane)
Fix REASSIGN OWNED> to change ownership of composite types
properly (Álvaro Herrera)
Fix REASSIGN OWNED> and ALTER OWNER> to correctly
update granted-permissions lists when changing owners of data types,
foreign data wrappers, or foreign servers (Bruce Momjian,
Álvaro Herrera)
Fix REASSIGN OWNED> to ignore foreign user mappings,
rather than fail (Álvaro Herrera)
Fix possible crash after doing query rewrite for an updatable view
(Stephen Frost)
Fix planner's handling of LATERAL> references (Tom
Lane)
This fixes some corner cases that led to failed to build any
N-way joins> or could not devise a query plan> planner
failures.
Add more defenses against bad planner cost estimates for GIN index
scans when the index's internal statistics are very out-of-date
(Tom Lane)
Make planner cope with hypothetical GIN indexes suggested by an index
advisor plug-in (Julien Rouhaud)
Speed up generation of unique table aliases in EXPLAIN> and
rule dumping, and ensure that generated aliases do not
exceed NAMEDATALEN> (Tom Lane)
Fix dumping of whole-row Vars in ROW()>
and VALUES()> lists (Tom Lane)
Translation of minus-infinity dates and timestamps to json>
or jsonb> incorrectly rendered them as plus-infinity (Tom Lane)
Fix possible internal overflow in numeric> division
(Dean Rasheed)
Fix enforcement of restrictions inside parentheses within regular
expression lookahead constraints (Tom Lane)
Lookahead constraints aren't allowed to contain backrefs, and
parentheses within them are always considered non-capturing, according
to the manual. However, the code failed to handle these cases properly
inside a parenthesized subexpression, and would give unexpected
results.
Conversion of regular expressions to indexscan bounds could produce
incorrect bounds from regexps containing lookahead constraints
(Tom Lane)
Fix regular-expression compiler to handle loops of constraint arcs
(Tom Lane)
The code added for CVE-2007-4772 was both incomplete, in that it didn't
handle loops involving more than one state, and incorrect, in that it
could cause assertion failures (though there seem to be no bad
consequences of that in a non-assert build). Multi-state loops would
cause the compiler to run until the query was canceled or it reached
the too-many-states error condition.
Improve memory-usage accounting in regular-expression compiler
(Tom Lane)
This causes the code to emit regular expression is too
complex> errors in some cases that previously used unreasonable
amounts of time and memory.
Improve performance of regular-expression compiler (Tom Lane)
Make %h> and %r> escapes
in log_line_prefix> work for messages emitted due
to log_connections> (Tom Lane)
Previously, %h>/%r> started to work just after a
new session had emitted the connection received> log message;
now they work for that message too.
On Windows, ensure the shared-memory mapping handle gets closed in
child processes that don't need it (Tom Lane, Amit Kapila)
This oversight resulted in failure to recover from crashes
whenever logging_collector> is turned on.
Fix possible failure to detect socket EOF in non-blocking mode on
Windows (Tom Lane)
It's not entirely clear whether this problem can happen in pre-9.5
branches, but if it did, the symptom would be that a walsender process
would wait indefinitely rather than noticing a loss of connection.
Avoid leaking a token handle during SSPI authentication
(Christian Ullrich)
In psql>, ensure that libreadline>'s idea
of the screen size is updated when the terminal window size changes
(Merlin Moncure)
Previously, libreadline> did not notice if the window
was resized during query output, leading to strange behavior during
later input of multiline queries.
Fix psql>'s \det> command to interpret its
pattern argument the same way as other \d> commands with
potentially schema-qualified patterns do (Reece Hart)
Avoid possible crash in psql>'s \c> command
when previous connection was via Unix socket and command specifies a
new hostname and same username (Tom Lane)
In pg_ctl start -w>, test child process status directly
rather than relying on heuristics (Tom Lane, Michael Paquier)
Previously, pg_ctl> relied on an assumption that the new
postmaster would always create postmaster.pid> within five
seconds. But that can fail on heavily-loaded systems,
causing pg_ctl> to report incorrectly that the
postmaster failed to start.
Except on Windows, this change also means that a pg_ctl start
-w> done immediately after another such command will now reliably
fail, whereas previously it would report success if done within two
seconds of the first command.
In pg_ctl start -w>, don't attempt to use a wildcard listen
address to connect to the postmaster (Kondo Yuta)
On Windows, pg_ctl> would fail to detect postmaster
startup if listen_addresses> is set to 0.0.0.0>
or ::>, because it would try to use that value verbatim as
the address to connect to, which doesn't work. Instead assume
that 127.0.0.1> or ::1>, respectively, is the
right thing to use.
In pg_ctl> on Windows, check service status to decide
where to send output, rather than checking if standard output is a
terminal (Michael Paquier)
In pg_dump> and pg_basebackup>, adopt
the GNU convention for handling tar-archive members exceeding 8GB
(Tom Lane)
The POSIX standard for tar> file format does not allow
archive member files to exceed 8GB, but most modern implementations
of tar> support an extension that fixes that. Adopt
this extension so that pg_dump> with
Fix assorted corner-case bugs in pg_dump>'s processing
of extension member objects (Tom Lane)
Make pg_dump> mark a view's triggers as needing to be
processed after its rule, to prevent possible failure during
parallel pg_restore> (Tom Lane)
Ensure that relation option values are properly quoted
in pg_dump> (Kouhei Sutou, Tom Lane)
A reloption value that isn't a simple identifier or number could lead
to dump/reload failures due to syntax errors in CREATE statements
issued by pg_dump>. This is not an issue with any
reloption currently supported by core PostgreSQL>, but
extensions could allow reloptions that cause the problem.
Avoid repeated password prompts during parallel pg_dump>
(Zeus Kronion)
Fix pg_upgrade>'s file-copying code to handle errors
properly on Windows (Bruce Momjian)
Install guards in pgbench> against corner-case overflow
conditions during evaluation of script-specified division or modulo
operators (Fabien Coelho, Michael Paquier)
Fix failure to localize messages emitted
by pg_receivexlog> and pg_recvlogical>
(Ioseph Kim)
Avoid dump/reload problems when using both plpython2>
and plpython3> (Tom Lane)
In principle, both versions of PL/Python> can be used in
the same database, though not in the same session (because the two
versions of libpython> cannot safely be used concurrently).
However, pg_restore> and pg_upgrade> both
do things that can fall foul of the same-session restriction. Work
around that by changing the timing of the check.
Fix PL/Python> regression tests to pass with Python 3.5
(Peter Eisentraut)
Fix premature clearing of libpq>'s input buffer when
socket EOF is seen (Tom Lane)
This mistake caused libpq> to sometimes not report the
backend's final error message before reporting server closed the
connection unexpectedly>.
Prevent certain PL/Java> parameters from being set by
non-superusers (Noah Misch)
This change mitigates a PL/Java> security bug
(CVE-2016-0766), which was fixed in PL/Java> by marking
these parameters as superuser-only. To fix the security hazard for
sites that update PostgreSQL> more frequently
than PL/Java>, make the core code aware of them also.
Improve libpq>'s handling of out-of-memory situations
(Michael Paquier, Amit Kapila, Heikki Linnakangas)
Fix order of arguments
in ecpg>-generated typedef> statements
(Michael Meskes)
Use %g> not %f> format
in ecpg>'s PGTYPESnumeric_from_double()>
(Tom Lane)
Fix ecpg>-supplied header files to not contain comments
continued from a preprocessor directive line onto the next line
(Michael Meskes)
Such a comment is rejected by ecpg>. It's not yet clear
whether ecpg> itself should be changed.
Fix hstore_to_json_loose()>'s test for whether
an hstore> value can be converted to a JSON number (Tom Lane)
Previously this function could be fooled by non-alphanumeric trailing
characters, leading to emitting syntactically-invalid JSON.
Ensure that contrib/pgcrypto>'s crypt()>
function can be interrupted by query cancel (Andreas Karlsson)
In contrib/postgres_fdw>, fix bugs triggered by use
of tableoid> in data-modifying commands (Etsuro Fujita,
Robert Haas)
Accept flex> versions later than 2.5.x
(Tom Lane, Michael Paquier)
Now that flex 2.6.0 has been released, the version checks in our build
scripts needed to be adjusted.
Improve reproducibility of build output by ensuring filenames are given
to the linker in a fixed order (Christoph Berg)
This avoids possible bitwise differences in the produced executable
files from one build to the next.
Install our missing> script where PGXS builds can find it
(Jim Nasby)
This allows sane behavior in a PGXS build done on a machine where build
tools such as bison> are missing.
Ensure that dynloader.h> is included in the installed
header files in MSVC builds (Bruce Momjian, Michael Paquier)
Add variant regression test expected-output file to match behavior of
current libxml2> (Tom Lane)
The fix for libxml2>'s CVE-2015-7499 causes it not to
output error context reports in some cases where it used to do so.
This seems to be a bug, but we'll probably have to live with it for
some time, so work around it.
Update time zone data files to tzdata> release 2016a for
DST law changes in Cayman Islands, Metlakatla, and Trans-Baikal
Territory (Zabaykalsky Krai), plus historical corrections for Pakistan.
Release 9.4.5Release Date2015-10-08
This release contains a variety of fixes from 9.4.4.
For information about new features in the 9.4 major release, see
.
Migration to Version 9.4.5
A dump/restore is not required for those running 9.4.X.
However, if you are upgrading from a version earlier than 9.4.4,
see .
Changes
Guard against stack overflows in json> parsing
(Oskari Saarenmaa)
If an application constructs PostgreSQL json>
or jsonb> values from arbitrary user input, the application's
users can reliably crash the PostgreSQL server, causing momentary
denial of service. (CVE-2015-5289)
Fix contrib/pgcrypto> to detect and report
too-short crypt()> salts (Josh Kupershmidt)
Certain invalid salt arguments crashed the server or disclosed a few
bytes of server memory. We have not ruled out the viability of
attacks that arrange for presence of confidential information in the
disclosed bytes, but they seem unlikely. (CVE-2015-5288)
Fix subtransaction cleanup after a portal (cursor) belonging to an
outer subtransaction fails (Tom Lane, Michael Paquier)
A function executed in an outer-subtransaction cursor could cause an
assertion failure or crash by referencing a relation created within an
inner subtransaction.
Fix possible deadlock during WAL insertion
when commit_delay> is set (Heikki Linnakangas)
Ensure all relations referred to by an updatable view are properly
locked during an update statement (Dean Rasheed)
Fix insertion of relations into the relation cache init file>
(Tom Lane)
An oversight in a patch in the most recent minor releases
caused pg_trigger_tgrelid_tgname_index> to be omitted
from the init file. Subsequent sessions detected this, then deemed the
init file to be broken and silently ignored it, resulting in a
significant degradation in session startup time. In addition to fixing
the bug, install some guards so that any similar future mistake will be
more obvious.
Avoid O(N^2) behavior when inserting many tuples into a SPI query
result (Neil Conway)
Improve LISTEN> startup time when there are many unread
notifications (Matt Newell)
Fix performance problem when a session alters large numbers of foreign
key constraints (Jan Wieck, Tom Lane)
This was seen primarily when restoring pg_dump> output
for databases with many thousands of tables.
Disable SSL renegotiation by default (Michael Paquier, Andres Freund)
While use of SSL renegotiation is a good idea in theory, we have seen
too many bugs in practice, both in the underlying OpenSSL library and
in our usage of it. Renegotiation will be removed entirely in 9.5 and
later. In the older branches, just change the default value
of ssl_renegotiation_limit> to zero (disabled).
Lower the minimum values of the *_freeze_max_age> parameters
(Andres Freund)
This is mainly to make tests of related behavior less time-consuming,
but it may also be of value for installations with limited disk space.
Limit the maximum value of wal_buffers> to 2GB to avoid
server crashes (Josh Berkus)
Avoid logging complaints when a parameter that can only be set at
server start appears multiple times in postgresql.conf>,
and fix counting of line numbers after an include_dir>
directive (Tom Lane)
Fix rare internal overflow in multiplication of numeric> values
(Dean Rasheed)
Guard against hard-to-reach stack overflows involving record types,
range types, json>, jsonb>, tsquery>,
ltxtquery> and query_int> (Noah Misch)
Fix handling of DOW> and DOY> in datetime input
(Greg Stark)
These tokens aren't meant to be used in datetime values, but previously
they resulted in opaque internal error messages rather
than invalid input syntax>.
Add more query-cancel checks to regular expression matching (Tom Lane)
Add recursion depth protections to regular expression, SIMILAR
TO>, and LIKE> matching (Tom Lane)
Suitable search patterns and a low stack depth limit could lead to
stack-overrun crashes.
Fix potential infinite loop in regular expression execution (Tom Lane)
A search pattern that can apparently match a zero-length string, but
actually doesn't match because of a back reference, could lead to an
infinite loop.
In regular expression execution, correctly record match data for
capturing parentheses within a quantifier even when the match is
zero-length (Tom Lane)
Fix low-memory failures in regular expression compilation
(Andreas Seltenreich)
Fix low-probability memory leak during regular expression execution
(Tom Lane)
Fix rare low-memory failure in lock cleanup during transaction abort
(Tom Lane)
Fix unexpected out-of-memory situation during sort> errors
when using tuplestores with small work_mem> settings (Tom
Lane)
Fix very-low-probability stack overrun in qsort> (Tom Lane)
Fix invalid memory alloc request size> failure in hash joins
with large work_mem> settings (Tomas Vondra, Tom Lane)
Fix assorted planner bugs (Tom Lane)
These mistakes could lead to incorrect query plans that would give wrong
answers, or to assertion failures in assert-enabled builds, or to odd
planner errors such as could not devise a query plan for the
given query>, could not find pathkey item to
sort>, plan should not reference subplan's variable>,
or failed to assign all NestLoopParams to plan nodes>.
Thanks are due to Andreas Seltenreich and Piotr Stefaniak for fuzz
testing that exposed these problems.
Improve planner's performance for UPDATE>/DELETE>
on large inheritance sets (Tom Lane, Dean Rasheed)
Ensure standby promotion trigger files are removed at postmaster
startup (Michael Paquier, Fujii Masao)
This prevents unwanted promotion from occurring if these files appear
in a database backup that is used to initialize a new standby server.
During postmaster shutdown, ensure that per-socket lock files are
removed and listen sockets are closed before we remove
the postmaster.pid> file (Tom Lane)
This avoids race-condition failures if an external script attempts to
start a new postmaster as soon as pg_ctl stop> returns.
Ensure that the postmaster does not exit until all its child processes
are gone, even in an immediate shutdown (Tom Lane)
Like the previous item, this avoids possible race conditions against a
subsequently-started postmaster.
Fix postmaster's handling of a startup-process crash during crash
recovery (Tom Lane)
If, during a crash recovery cycle, the startup process crashes without
having restored database consistency, we'd try to launch a new startup
process, which typically would just crash again, leading to an infinite
loop.
Make emergency autovacuuming for multixact wraparound more robust
(Andres Freund)
Do not print a WARNING> when an autovacuum worker is already
gone when we attempt to signal it, and reduce log verbosity for such
signals (Tom Lane)
Prevent autovacuum launcher from sleeping unduly long if the server
clock is moved backwards a large amount (Álvaro Herrera)
Ensure that cleanup of a GIN index's pending-insertions list is
interruptable by cancel requests (Jeff Janes)
Allow all-zeroes pages in GIN indexes to be reused (Heikki Linnakangas)
Such a page might be left behind after a crash.
Fix handling of all-zeroes pages in SP-GiST indexes (Heikki
Linnakangas)
VACUUM> attempted to recycle such pages, but did so in a
way that wasn't crash-safe.
Fix off-by-one error that led to otherwise-harmless warnings
about apparent wraparound> in subtrans/multixact truncation
(Thomas Munro)
Fix misreporting of CONTINUE> and MOVE> statement
types in PL/pgSQL>'s error context messages
(Pavel Stehule, Tom Lane)
Fix PL/Perl> to handle non-ASCII> error
message texts correctly (Alex Hunsaker)
Fix PL/Python> crash when returning the string
representation of a record> result (Tom Lane)
Fix some places in PL/Tcl> that neglected to check for
failure of malloc()> calls (Michael Paquier, Álvaro
Herrera)
In contrib/isn>, fix output of ISBN-13 numbers that begin
with 979 (Fabien Coelho)
EANs beginning with 979 (but not 9790) are considered ISBNs, but they
must be printed in the new 13-digit format, not the 10-digit format.
Improve contrib/pg_stat_statements>' handling of
query-text garbage collection (Peter Geoghegan)
The external file containing query texts could bloat to very large
sizes; once it got past 1GB attempts to trim it would fail, soon
leading to situations where the file could not be read at all.
Improve contrib/postgres_fdw>'s handling of
collation-related decisions (Tom Lane)
The main user-visible effect is expected to be that comparisons
involving varchar> columns will be sent to the remote server
for execution in more cases than before.
Improve libpq>'s handling of out-of-memory conditions
(Michael Paquier, Heikki Linnakangas)
Fix memory leaks and missing out-of-memory checks
in ecpg> (Michael Paquier)
Fix psql>'s code for locale-aware formatting of numeric
output (Tom Lane)
The formatting code invoked by \pset numericlocale on>
did the wrong thing for some uncommon cases such as numbers with an
exponent but no decimal point. It could also mangle already-localized
output from the money> data type.
Prevent crash in psql>'s \c> command when
there is no current connection (Noah Misch)
Make pg_dump> handle inherited NOT VALID>
check constraints correctly (Tom Lane)
Fix selection of default zlib> compression level
in pg_dump>'s directory output format (Andrew Dunstan)
Ensure that temporary files created during a pg_dump>
run with tar>-format output are not world-readable (Michael
Paquier)
Fix pg_dump> and pg_upgrade> to support
cases where the postgres> or template1> database
is in a non-default tablespace (Marti Raudsepp, Bruce Momjian)
Fix pg_dump> to handle object privileges sanely when
dumping from a server too old to have a particular privilege type
(Tom Lane)
When dumping data types from pre-9.2 servers, and when dumping
functions or procedural languages from pre-7.3
servers, pg_dump> would
produce GRANT>/REVOKE> commands that revoked the
owner's grantable privileges and instead granted all privileges
to PUBLIC>. Since the privileges involved are
just USAGE> and EXECUTE>, this isn't a security
problem, but it's certainly a surprising representation of the older
systems' behavior. Fix it to leave the default privilege state alone
in these cases.
Fix pg_dump> to dump shell types (Tom Lane)
Shell types (that is, not-yet-fully-defined types) aren't useful for
much, but nonetheless pg_dump> should dump them.
Fix assorted minor memory leaks in pg_dump> and other
client-side programs (Michael Paquier)
Fix pgbench>'s progress-report behavior when a query,
or pgbench> itself, gets stuck (Fabien Coelho)
Fix spinlock assembly code for Alpha hardware (Tom Lane)
Fix spinlock assembly code for PPC hardware to be compatible
with AIX>'s native assembler (Tom Lane)
Building with gcc> didn't work if gcc>
had been configured to use the native assembler, which is becoming more
common.
On AIX>, test the -qlonglong> compiler option
rather than just assuming it's safe to use (Noah Misch)
On AIX>, use -Wl,-brtllib> link option to allow
symbols to be resolved at runtime (Noah Misch)
Perl relies on this ability in 5.8.0 and later.
Avoid use of inline functions when compiling with
32-bit xlc>, due to compiler bugs (Noah Misch)
Use librt> for sched_yield()> when necessary,
which it is on some Solaris versions (Oskari Saarenmaa)
Translate encoding UHC> as Windows code page 949
(Noah Misch)
This fixes presentation of non-ASCII log messages from processes that
are not attached to any particular database, such as the postmaster.
On Windows, avoid failure when doing encoding conversion to UTF16
outside a transaction, such as for log messages (Noah Misch)
Fix postmaster startup failure due to not
copying setlocale()>'s return value (Noah Misch)
This has been reported on Windows systems with the ANSI code page set
to CP936 (Chinese (Simplified, PRC)>), and may occur with
other multibyte code pages.
Fix Windows install.bat> script to handle target directory
names that contain spaces (Heikki Linnakangas)
Make the numeric form of the PostgreSQL> version number
(e.g., 90405>) readily available to extension Makefiles,
as a variable named VERSION_NUM> (Michael Paquier)
Update time zone data files to tzdata> release 2015g for
DST law changes in Cayman Islands, Fiji, Moldova, Morocco, Norfolk
Island, North Korea, Turkey, and Uruguay. There is a new zone name
America/Fort_Nelson> for the Canadian Northern Rockies.
Release 9.4.4Release Date2015-06-12
This release contains a small number of fixes from 9.4.3.
For information about new features in the 9.4 major release, see
.
Migration to Version 9.4.4
A dump/restore is not required for those running 9.4.X.
However, if you are upgrading an installation that was previously
upgraded using a pg_upgrade> version between 9.3.0 and
9.3.4 inclusive, see the first changelog entry below.
Also, if you are upgrading from a version earlier than 9.4.2,
see .
Changes
Fix possible failure to recover from an inconsistent database state
(Robert Haas)
Recent PostgreSQL> releases introduced mechanisms to
protect against multixact wraparound, but some of that code did not
account for the possibility that it would need to run during crash
recovery, when the database may not be in a consistent state. This
could result in failure to restart after a crash, or failure to start
up a secondary server. The lingering effects of a previously-fixed
bug in pg_upgrade> could also cause such a failure, in
installations that had used pg_upgrade> versions
between 9.3.0 and 9.3.4.
The pg_upgrade> bug in question was that it would
set oldestMultiXid> to 1 in pg_control> even
if the true value should be higher. With the fixes introduced in
this release, such a situation will result in immediate emergency
autovacuuming until a correct oldestMultiXid> value can
be determined. If that would pose a hardship, users can avoid it by
doing manual vacuuming before> upgrading to this release.
In detail:
Check whether pg_controldata> reports Latest
checkpoint's oldestMultiXid> to be 1. If not, there's nothing
to do.
Look in PGDATA/pg_multixact/offsets> to see if there's a
file named 0000>. If there is, there's nothing to do.
Otherwise, for each table that has
pg_class>.relminmxid> equal to 1,
VACUUM> that table with
both
and set to
zero. (You can use the vacuum cost delay parameters described
in to reduce
the performance consequences for concurrent sessions.)
Fix rare failure to invalidate relation cache init file (Tom Lane)
With just the wrong timing of concurrent activity, a VACUUM
FULL> on a system catalog might fail to update the init file>
that's used to avoid cache-loading work for new sessions. This would
result in later sessions being unable to access that catalog at all.
This is a very ancient bug, but it's so hard to trigger that no
reproducible case had been seen until recently.
Avoid deadlock between incoming sessions and CREATE/DROP
DATABASE> (Tom Lane)
A new session starting in a database that is the target of
a DROP DATABASE> command, or is the template for
a CREATE DATABASE> command, could cause the command to wait
for five seconds and then fail, even if the new session would have
exited before that.
Improve planner's cost estimates for semi-joins and anti-joins with
inner indexscans (Tom Lane, Tomas Vondra)
This type of plan is quite cheap when all the join clauses are used
as index scan conditions, even if the inner scan would nominally
fetch many rows, because the executor will stop after obtaining one
row. The planner only partially accounted for that effect, and would
therefore overestimate the cost, leading it to possibly choose some
other much less efficient plan type.
Release 9.4.3Release Date2015-06-04
This release contains a small number of fixes from 9.4.2.
For information about new features in the 9.4 major release, see
.
Migration to Version 9.4.3
A dump/restore is not required for those running 9.4.X.
However, if you are upgrading from a version earlier than 9.4.2,
see .
Changes
Avoid failures while fsync>'ing data directory during
crash restart (Abhijit Menon-Sen, Tom Lane)
In the previous minor releases we added a patch to fsync>
everything in the data directory after a crash. Unfortunately its
response to any error condition was to fail, thereby preventing the
server from starting up, even when the problem was quite harmless.
An example is that an unwritable file in the data directory would
prevent restart on some platforms; but it is common to make SSL
certificate files unwritable by the server. Revise this behavior so
that permissions failures are ignored altogether, and other types of
failures are logged but do not prevent continuing.
Also apply the same rules in initdb --sync-only>.
This case is less critical but it should act similarly.
Fix pg_get_functiondef()> to show
functions' LEAKPROOF> property, if set (Jeevan Chalke)
Fix pushJsonbValue()> to unpack jbvBinary>
objects (Andrew Dunstan)
This change does not affect any behavior in the core code as of 9.4,
but it avoids a corner case for possible third-party callers.
Remove configure>'s check prohibiting linking to a
threaded libpython>
on OpenBSD> (Tom Lane)
The failure this restriction was meant to prevent seems to not be a
problem anymore on current OpenBSD>
versions.
Release 9.4.2Release Date2015-05-22
This release contains a variety of fixes from 9.4.1.
For information about new features in the 9.4 major release, see
.
Migration to Version 9.4.2
A dump/restore is not required for those running 9.4.X.
However, if you use contrib/citext>'s
regexp_matches()> functions, see the changelog entry below
about that.
Also, if you are upgrading from a version earlier than 9.4.1,
see .
Changes
Avoid possible crash when client disconnects just before the
authentication timeout expires (Benkocs Norbert Attila)
If the timeout interrupt fired partway through the session shutdown
sequence, SSL-related state would be freed twice, typically causing a
crash and hence denial of service to other sessions. Experimentation
shows that an unauthenticated remote attacker could trigger the bug
somewhat consistently, hence treat as security issue.
(CVE-2015-3165)
Improve detection of system-call failures (Noah Misch)
Our replacement implementation of snprintf()> failed to
check for errors reported by the underlying system library calls;
the main case that might be missed is out-of-memory situations.
In the worst case this might lead to information exposure, due to our
code assuming that a buffer had been overwritten when it hadn't been.
Also, there were a few places in which security-relevant calls of other
system library functions did not check for failure.
It remains possible that some calls of the *printf()>
family of functions are vulnerable to information disclosure if an
out-of-memory error occurs at just the wrong time. We judge the risk
to not be large, but will continue analysis in this area.
(CVE-2015-3166)
In contrib/pgcrypto>, uniformly report decryption failures
as Wrong key or corrupt data> (Noah Misch)
Previously, some cases of decryption with an incorrect key could report
other error message texts. It has been shown that such variance in
error reports can aid attackers in recovering keys from other systems.
While it's unknown whether pgcrypto>'s specific behaviors
are likewise exploitable, it seems better to avoid the risk by using a
one-size-fits-all message.
(CVE-2015-3167)
Protect against wraparound of multixact member IDs
(Álvaro Herrera, Robert Haas, Thomas Munro)
Under certain usage patterns, the existing defenses against this might
be insufficient, allowing pg_multixact/members> files to be
removed too early, resulting in data loss.
The fix for this includes modifying the server to fail transactions
that would result in overwriting old multixact member ID data, and
improving autovacuum to ensure it will act proactively to prevent
multixact member ID wraparound, as it does for transaction ID
wraparound.
Fix incorrect declaration of contrib/citext>'s
regexp_matches()> functions (Tom Lane)
These functions should return setof text[]>, like the core
functions they are wrappers for; but they were incorrectly declared as
returning just text[]>. This mistake had two results: first,
if there was no match you got a scalar null result, whereas what you
should get is an empty set (zero rows). Second, the g> flag
was effectively ignored, since you would get only one result array even
if there were multiple matches.
While the latter behavior is clearly a bug, there might be applications
depending on the former behavior; therefore the function declarations
will not be changed by default until PostgreSQL> 9.5.
In pre-9.5 branches, the old behavior exists in version 1.0 of
the citext> extension, while we have provided corrected
declarations in version 1.1 (which is not> installed by
default). To adopt the fix in pre-9.5 branches, execute
ALTER EXTENSION citext UPDATE TO '1.1'> in each database in
which citext> is installed. (You can also update>
back to 1.0 if you need to undo that.) Be aware that either update
direction will require dropping and recreating any views or rules that
use citext>'s regexp_matches()> functions.
Render infinite dates and timestamps as infinity> when
converting to json>, rather than throwing an error
(Andrew Dunstan)
Fix json>/jsonb>'s populate_record()>
and to_record()> functions to handle empty input properly
(Andrew Dunstan)
Fix incorrect checking of deferred exclusion constraints after a HOT
update (Tom Lane)
If a new row that potentially violates a deferred exclusion constraint
is HOT-updated (that is, no indexed columns change and the row can be
stored back onto the same table page) later in the same transaction,
the exclusion constraint would be reported as violated when the check
finally occurred, even if the row(s) the new row originally conflicted
with had been deleted.
Fix behavior when changing foreign key constraint deferrability status
with ALTER TABLE ... ALTER CONSTRAINT> (Tom Lane)
Operations later in the same session or concurrent sessions might not
honor the status change promptly.
Fix planning of star-schema-style queries (Tom Lane)
Sometimes, efficient scanning of a large table requires that index
parameters be provided from more than one other table (commonly,
dimension tables whose keys are needed to index a large fact table).
The planner should be able to find such plans, but an overly
restrictive search heuristic prevented it.
Prevent improper reordering of antijoins (NOT EXISTS joins) versus
other outer joins (Tom Lane)
This oversight in the planner has been observed to cause could
not find RelOptInfo for given relids> errors, but it seems possible
that sometimes an incorrect query plan might get past that consistency
check and result in silently-wrong query output.
Fix incorrect matching of subexpressions in outer-join plan nodes
(Tom Lane)
Previously, if textually identical non-strict subexpressions were used
both above and below an outer join, the planner might try to re-use
the value computed below the join, which would be incorrect because the
executor would force the value to NULL in case of an unmatched outer row.
Fix GEQO planner to cope with failure of its join order heuristic
(Tom Lane)
This oversight has been seen to lead to failed to join all
relations together> errors in queries involving LATERAL>,
and that might happen in other cases as well.
Ensure that row locking occurs properly when the target of
an UPDATE> or DELETE> is a security-barrier view
(Stephen Frost)
Use a file opened for read/write when syncing replication slot data
during database startup (Andres Freund)
On some platforms, the previous coding could result in errors like
could not fsync file "pg_replslot/...": Bad file descriptor>.
Fix possible deadlock at startup
when max_prepared_transactions> is too small
(Heikki Linnakangas)
Don't archive useless preallocated WAL files after a timeline switch
(Heikki Linnakangas)
Recursively fsync()> the data directory after a crash
(Abhijit Menon-Sen, Robert Haas)
This ensures consistency if another crash occurs shortly later. (The
second crash would have to be a system-level crash, not just a database
crash, for there to be a problem.)
Fix autovacuum launcher's possible failure to shut down, if an error
occurs after it receives SIGTERM (Álvaro Herrera)
Fix failure to handle invalidation messages for system catalogs
early in session startup (Tom Lane)
This oversight could result in failures in sessions that start
concurrently with a VACUUM FULL> on a system catalog.
Fix crash in BackendIdGetTransactionIds()> when trying
to get status for a backend process that just exited (Tom Lane)
Cope with unexpected signals in LockBufferForCleanup()>
(Andres Freund)
This oversight could result in spurious errors about multiple
backends attempting to wait for pincount 1>.
Fix crash when doing COPY IN> to a table with check
constraints that contain whole-row references (Tom Lane)
The known failure case only crashes in 9.4 and up, but there is very
similar code in 9.3 and 9.2, so back-patch those branches as well.
Avoid waiting for WAL flush or synchronous replication during commit of
a transaction that was read-only so far as the user is concerned
(Andres Freund)
Previously, a delay could occur at commit in transactions that had
written WAL due to HOT page pruning, leading to undesirable effects
such as sessions getting stuck at startup if all synchronous replicas
are down. Sessions have also been observed to get stuck in catchup
interrupt processing when using synchronous replication; this will fix
that problem as well.
Avoid busy-waiting with short recovery_min_apply_delay>
values (Andres Freund)
Fix crash when manipulating hash indexes on temporary tables
(Heikki Linnakangas)
Fix possible failure during hash index bucket split, if other processes
are modifying the index concurrently (Tom Lane)
Fix memory leaks in GIN index vacuum (Heikki Linnakangas)
Check for interrupts while analyzing index expressions (Jeff Janes)
ANALYZE> executes index expressions many times; if there are
slow functions in such an expression, it's desirable to be able to
cancel the ANALYZE> before that loop finishes.
Ensure tableoid> of a foreign table is reported
correctly when a READ COMMITTED> recheck occurs after
locking rows in SELECT FOR UPDATE>, UPDATE>,
or DELETE> (Etsuro Fujita)
Add the name of the target server to object description strings for
foreign-server user mappings (Álvaro Herrera)
Include the schema name in object identity strings for conversions
(Álvaro Herrera)
Recommend setting include_realm> to 1 when using
Kerberos/GSSAPI/SSPI authentication (Stephen Frost)
Without this, identically-named users from different realms cannot be
distinguished. For the moment this is only a documentation change, but
it will become the default setting in PostgreSQL> 9.5.
Remove code for matching IPv4 pg_hba.conf> entries to
IPv4-in-IPv6 addresses (Tom Lane)
This hack was added in 2003 in response to a report that some Linux
kernels of the time would report IPv4 connections as having
IPv4-in-IPv6 addresses. However, the logic was accidentally broken in
9.0. The lack of any field complaints since then shows that it's not
needed anymore. Now we have reports that the broken code causes
crashes on some systems, so let's just remove it rather than fix it.
(Had we chosen to fix it, that would make for a subtle and potentially
security-sensitive change in the effective meaning of
IPv4 pg_hba.conf> entries, which does not seem like a good
thing to do in minor releases.)
Fix status reporting for terminated background workers that were never
actually started (Robert Haas)
After a database crash, don't restart background workers that are
marked BGW_NEVER_RESTART> (Amit Khandekar)
Report WAL flush, not insert, position in IDENTIFY_SYSTEM>
replication command (Heikki Linnakangas)
This avoids a possible startup failure
in pg_receivexlog>.
While shutting down service on Windows, periodically send status
updates to the Service Control Manager to prevent it from killing the
service too soon; and ensure that pg_ctl> will wait for
shutdown (Krystian Bigaj)
Reduce risk of network deadlock when using libpq>'s
non-blocking mode (Heikki Linnakangas)
When sending large volumes of data, it's important to drain the input
buffer every so often, in case the server has sent enough response data
to cause it to block on output. (A typical scenario is that the server
is sending a stream of NOTICE messages during COPY FROM
STDIN>.) This worked properly in the normal blocking mode, but not
so much in non-blocking mode. We've modified libpq>
to opportunistically drain input when it can, but a full defense
against this problem requires application cooperation: the application
should watch for socket read-ready as well as write-ready conditions,
and be sure to call PQconsumeInput()> upon read-ready.
In libpq>, fix misparsing of empty values in URI
connection strings (Thomas Fanghaenel)
Fix array handling in ecpg> (Michael Meskes)
Fix psql> to sanely handle URIs and conninfo strings as
the first parameter to \connect>
(David Fetter, Andrew Dunstan, Álvaro Herrera)
This syntax has been accepted (but undocumented) for a long time, but
previously some parameters might be taken from the old connection
instead of the given string, which was agreed to be undesirable.
Suppress incorrect complaints from psql> on some
platforms that it failed to write ~/.psql_history> at exit
(Tom Lane)
This misbehavior was caused by a workaround for a bug in very old
(pre-2006) versions of libedit>. We fixed it by
removing the workaround, which will cause a similar failure to appear
for anyone still using such versions of libedit>.
Recommendation: upgrade that library, or use libreadline>.
Fix pg_dump>'s rule for deciding which casts are
system-provided casts that should not be dumped (Tom Lane)
In pg_dump>, fix failure to honor -Z>
compression level option together with -Fd>
(Michael Paquier)
Make pg_dump> consider foreign key relationships
between extension configuration tables while choosing dump order
(Gilles Darold, Michael Paquier, Stephen Frost)
This oversight could result in producing dumps that fail to reload
because foreign key constraints are transiently violated.
Avoid possible pg_dump> failure when concurrent sessions
are creating and dropping temporary functions (Tom Lane)
Fix dumping of views that are just VALUES(...)> but have
column aliases (Tom Lane)
Ensure that a view's replication identity is correctly set
to nothing> during dump/restore (Marko Tiikkaja)
Previously, if the view was involved in a circular dependency,
it might wind up with an incorrect replication identity property.
In pg_upgrade>, force timeline 1 in the new cluster
(Bruce Momjian)
This change prevents upgrade failures caused by bogus complaints about
missing WAL history files.
In pg_upgrade>, check for improperly non-connectable
databases before proceeding
(Bruce Momjian)
In pg_upgrade>, quote directory paths
properly in the generated delete_old_cluster> script
(Bruce Momjian)
In pg_upgrade>, preserve database-level freezing info
properly
(Bruce Momjian)
This oversight could cause missing-clog-file errors for tables within
the postgres> and template1> databases.
Run pg_upgrade> and pg_resetxlog> with
restricted privileges on Windows, so that they don't fail when run by
an administrator (Muhammad Asif Naeem)
Improve handling of readdir()> failures when scanning
directories in initdb> and pg_basebackup>
(Marco Nenciarini)
Fix slow sorting algorithm in contrib/intarray> (Tom Lane)
Fix compile failure on Sparc V8 machines (Rob Rowan)
Silence some build warnings on macOS (Tom Lane)
Update time zone data files to tzdata> release 2015d
for DST law changes in Egypt, Mongolia, and Palestine, plus historical
changes in Canada and Chile. Also adopt revised zone abbreviations for
the America/Adak zone (HST/HDT not HAST/HADT).
Release 9.4.1Release Date2015-02-05
This release contains a variety of fixes from 9.4.0.
For information about new features in the 9.4 major release, see
.
Migration to Version 9.4.1
A dump/restore is not required for those running 9.4.X.
However, if you are a Windows user and are using the Norwegian
(Bokmål)> locale, manual action is needed after the upgrade to
replace any Norwegian (Bokmål)_Norway>
or norwegian-bokmal> locale names stored
in PostgreSQL> system catalogs with the plain-ASCII
alias Norwegian_Norway>. For details see
>
Changes
Fix buffer overruns in to_char()>
(Bruce Momjian)
When to_char()> processes a numeric formatting template
calling for a large number of digits, PostgreSQL>
would read past the end of a buffer. When processing a crafted
timestamp formatting template, PostgreSQL> would write
past the end of a buffer. Either case could crash the server.
We have not ruled out the possibility of attacks that lead to
privilege escalation, though they seem unlikely.
(CVE-2015-0241)
Fix buffer overrun in replacement *printf()> functions
(Tom Lane)
PostgreSQL> includes a replacement implementation
of printf> and related functions. This code will overrun
a stack buffer when formatting a floating point number (conversion
specifiers e>, E>, f>, F>,
g> or G>) with requested precision greater than
about 500. This will crash the server, and we have not ruled out the
possibility of attacks that lead to privilege escalation.
A database user can trigger such a buffer overrun through
the to_char()> SQL function. While that is the only
affected core PostgreSQL> functionality, extension
modules that use printf-family functions may be at risk as well.
This issue primarily affects PostgreSQL> on Windows.
PostgreSQL> uses the system implementation of these
functions where adequate, which it is on other modern platforms.
(CVE-2015-0242)
Fix buffer overruns in contrib/pgcrypto>
(Marko Tiikkaja, Noah Misch)
Errors in memory size tracking within the pgcrypto>
module permitted stack buffer overruns and improper dependence on the
contents of uninitialized memory. The buffer overrun cases can
crash the server, and we have not ruled out the possibility of
attacks that lead to privilege escalation.
(CVE-2015-0243)
Fix possible loss of frontend/backend protocol synchronization after
an error
(Heikki Linnakangas)
If any error occurred while the server was in the middle of reading a
protocol message from the client, it could lose synchronization and
incorrectly try to interpret part of the message's data as a new
protocol message. An attacker able to submit crafted binary data
within a command parameter might succeed in injecting his own SQL
commands this way. Statement timeout and query cancellation are the
most likely sources of errors triggering this scenario. Particularly
vulnerable are applications that use a timeout and also submit
arbitrary user-crafted data as binary query parameters. Disabling
statement timeout will reduce, but not eliminate, the risk of
exploit. Our thanks to Emil Lenngren for reporting this issue.
(CVE-2015-0244)
Fix information leak via constraint-violation error messages
(Stephen Frost)
Some server error messages show the values of columns that violate
a constraint, such as a unique constraint. If the user does not have
SELECT> privilege on all columns of the table, this could
mean exposing values that the user should not be able to see. Adjust
the code so that values are displayed only when they came from the SQL
command or could be selected by the user.
(CVE-2014-8161)
Lock down regression testing's temporary installations on Windows
(Noah Misch)
Use SSPI authentication to allow connections only from the OS user
who launched the test suite. This closes on Windows the same
vulnerability previously closed on other platforms, namely that other
users might be able to connect to the test postmaster.
(CVE-2014-0067)
Cope with the Windows locale named Norwegian (Bokmål)>
(Heikki Linnakangas)
Non-ASCII locale names are problematic since it's not clear what
encoding they should be represented in. Map the troublesome locale
name to a plain-ASCII alias, Norwegian_Norway>.
9.4.0 mapped the troublesome name to norwegian-bokmal>,
but that turns out not to work on all Windows configurations.
Norwegian_Norway> is now recommended instead.
Fix use-of-already-freed-memory problem in EvalPlanQual processing
(Tom Lane)
In READ COMMITTED> mode, queries that lock or update
recently-updated rows could crash as a result of this bug.
Avoid possible deadlock while trying to acquire tuple locks
in EvalPlanQual processing (Álvaro Herrera, Mark Kirkwood)
Fix failure to wait when a transaction tries to acquire a FOR
NO KEY EXCLUSIVE> tuple lock, while multiple other transactions
currently hold FOR SHARE> locks (Álvaro Herrera)
Improve performance of EXPLAIN> with large range tables
(Tom Lane)
Fix jsonb> Unicode escape processing, and in consequence
disallow \u0000> (Tom Lane)
Previously, the JSON Unicode escape \u0000> was accepted
and was stored as those six characters; but that is indistinguishable
from what is stored for the input \\u0000>, resulting in
ambiguity. Moreover, in cases where de-escaped textual output is
expected, such as the ->>> operator, the sequence was
printed as \u0000>, which does not meet the expectation
that JSON escaping would be removed. (Consistent behavior would
require emitting a zero byte, but PostgreSQL> does not
support zero bytes embedded in text strings.) 9.4.0 included an
ill-advised attempt to improve this situation by adjusting JSON output
conversion rules; but of course that could not fix the fundamental
ambiguity, and it turned out to break other usages of Unicode escape
sequences. Revert that, and to avoid the core problem,
reject \u0000> in jsonb> input.
If a jsonb> column contains a \u0000> value stored
with 9.4.0, it will henceforth read out as though it
were \\u0000>, which is the other valid interpretation of
the data stored by 9.4.0 for this case.
The json> type did not have the storage-ambiguity problem, but
it did have the problem of inconsistent de-escaped textual output.
Therefore \u0000> will now also be rejected
in json> values when conversion to de-escaped form is
required. This change does not break the ability to
store \u0000> in json> columns so long as no
processing is done on the values. This is exactly parallel to the
cases in which non-ASCII Unicode escapes are allowed when the database
encoding is not UTF8.
Fix namespace handling in xpath()> (Ali Akbar)
Previously, the xml> value resulting from
an xpath()> call would not have namespace declarations if
the namespace declarations were attached to an ancestor element in the
input xml> value, rather than to the specific element being
returned. Propagate the ancestral declaration so that the result is
correct when considered in isolation.
Fix assorted oversights in range-operator selectivity estimation
(Emre Hasegeli)
This patch fixes corner-case unexpected operator NNNN> planner
errors, and improves the selectivity estimates for some other cases.
Revert unintended reduction in maximum size of a GIN index item
(Heikki Linnakangas)
9.4.0 could fail with index row size exceeds maximum> errors
for data that previous versions would accept.
Fix query-duration memory leak during repeated GIN index rescans
(Heikki Linnakangas)
Fix possible crash when using
nonzero gin_fuzzy_search_limit> (Heikki Linnakangas)
Assorted fixes for logical decoding (Andres Freund)
Fix incorrect replay of WAL parameter change records that report
changes in the wal_log_hints> setting (Petr Jelinek)
Change pgstat wait timeout> warning message to be LOG level,
and rephrase it to be more understandable (Tom Lane)
This message was originally thought to be essentially a can't-happen
case, but it occurs often enough on our slower buildfarm members to be
a nuisance. Reduce it to LOG level, and expend a bit more effort on
the wording: it now reads using stale statistics instead of
current ones because stats collector is not responding>.
Warn if macOS's setlocale()> starts an unwanted extra
thread inside the postmaster (Noah Misch)
Fix libpq>'s behavior when /etc/passwd>
isn't readable (Tom Lane)
While doing PQsetdbLogin()>, libpq>
attempts to ascertain the user's operating system name, which on most
Unix platforms involves reading /etc/passwd>. As of 9.4,
failure to do that was treated as a hard error. Restore the previous
behavior, which was to fail only if the application does not provide a
database role name to connect as. This supports operation in chroot
environments that lack an /etc/passwd> file.
Improve consistency of parsing of psql>'s special
variables (Tom Lane)
Allow variant spellings of on> and off> (such
as 1>/0>) for ECHO_HIDDEN>
and ON_ERROR_ROLLBACK>. Report a warning for unrecognized
values for COMP_KEYWORD_CASE>, ECHO>,
ECHO_HIDDEN>, HISTCONTROL>,
ON_ERROR_ROLLBACK>, and VERBOSITY>. Recognize
all values for all these variables case-insensitively; previously
there was a mishmash of case-sensitive and case-insensitive behaviors.
Fix pg_dump> to handle comments on event triggers
without failing (Tom Lane)
Allow parallel pg_dump> to
use
Prevent WAL files created by pg_basebackup -x/-X> from
being archived again when the standby is promoted (Andres Freund)
Handle unexpected query results, especially NULLs, safely in
contrib/tablefunc>'s connectby()>
(Michael Paquier)
connectby()> previously crashed if it encountered a NULL
key value. It now prints that row but doesn't recurse further.
Numerous cleanups of warnings from Coverity static code analyzer
(Andres Freund, Tatsuo Ishii, Marko Kreen, Tom Lane, Michael Paquier)
These changes are mostly cosmetic but in some cases fix corner-case
bugs, for example a crash rather than a proper error report after an
out-of-memory failure. None are believed to represent security
issues.
Allow CFLAGS> from configure>'s environment
to override automatically-supplied CFLAGS> (Tom Lane)
Previously, configure> would add any switches that it
chose of its own accord to the end of the
user-specified CFLAGS> string. Since most compilers
process switches left-to-right, this meant that configure's choices
would override the user-specified flags in case of conflicts. That
should work the other way around, so adjust the logic to put the
user's string at the end not the beginning.
Make pg_regress> remove any temporary installation it
created upon successful exit (Tom Lane)
This results in a very substantial reduction in disk space usage
during make check-world>, since that sequence involves
creation of numerous temporary installations.
Add CST (China Standard Time) to our lists of timezone abbreviations
(Tom Lane)
Update time zone data files to tzdata> release 2015a
for DST law changes in Chile and Mexico, plus historical changes in
Iceland.
Release 9.4Release Date2014-12-18Overview
Major enhancements in PostgreSQL> 9.4 include:
Add jsonb>, a more
capable and efficient data type for storing JSON> data
Add new SQL> command
for changing postgresql.conf> configuration file entries
Reduce lock strength for some
commands
Allow materialized views>
to be refreshed without blocking concurrent reads
Add support for logical decoding>
of WAL data, to allow database changes to be streamed out in a
customizable format
Allow background worker processes>
to be dynamically registered, started and terminated
The above items are explained in more detail in the sections below.
Migration to Version 9.4
A dump/restore using , or use
of , is required for those wishing to migrate
data from any previous release.
Version 9.4 contains a number of changes that may affect compatibility
with previous releases. Observe the following incompatibilities:
Tighten checks for multidimensional array input (Bruce Momjian)
Previously, an input array string that started with a single-element
sub-array could later contain multi-element sub-arrays,
e.g. '{{1}, {2,3}}'::int[]> would be accepted.
When converting values of type date>, timestamp>
or timestamptz>
to JSON, render the
values in a format compliant with ISO 8601 (Andrew Dunstan)
Previously such values were rendered according to the current
setting; but many JSON processors
require timestamps to be in ISO 8601 format. If necessary, the
previous behavior can be obtained by explicitly casting the datetime
value to text> before passing it to the JSON conversion
function.
The json#>> text[]> path extraction operator now
returns its lefthand input, not NULL, if the array is empty (Tom Lane)
This is consistent with the notion that this represents zero
applications of the simple field/element extraction
operator ->>. Similarly, json#>>> text[]> with an empty array merely
coerces its lefthand input to text.
Corner cases in
the JSON
field/element/path extraction operators now return NULL rather
than raising an error (Tom Lane)
For example, applying field extraction to a JSON array now yields NULL
not an error. This is more consistent (since some comparable cases such
as no-such-field already returned NULL), and it makes it safe to create
expression indexes that use these operators, since they will now not
throw errors for any valid JSON input.
Cause consecutive whitespace in to_timestamp()>
and to_date()> format strings to consume a corresponding
number of characters in the input string (whitespace or not), then
conditionally consume adjacent whitespace, if not in FX>
mode (Jeevan Chalke)
Previously, consecutive whitespace characters in a non-FX>
format string behaved like a single whitespace character and consumed
all adjacent whitespace in the input string. For example, previously
a format string of three spaces would consume only the first space in
' 12'>, but it will now consume all three characters.
Fix ts_rank_cd()>
to ignore stripped lexemes (Alex Hill)
Previously, stripped lexemes were treated as if they had a default
location, producing a rank of dubious usefulness.
For functions declared to
take VARIADIC
"any">, an actual parameter marked as VARIADIC>
must be of a determinable array type (Pavel Stehule)
Such parameters can no longer be written as an undecorated string
literal or NULL>; a cast to an appropriate array data type
will now be required. Note that this does not affect parameters not
marked VARIADIC>.
Ensure that whole-row variables expose the expected column names
to functions that pay attention to column names within composite
arguments (Tom Lane)
Constructs like row_to_json(tab.*)> now always emit column
names that match the column aliases visible for table tab>
at the point of the call. In previous releases the emitted column
names would sometimes be the table's actual column names regardless
of any aliases assigned in the query.
now also discards sequence-related state
(Fabrízio de Royes Mello, Robert Haas)
Rename EXPLAIN
ANALYZE>'s total runtime output
to execution time (Tom Lane)
Now that planning time is also reported, the previous name was
confusing.
SHOW TIME ZONE> now
outputs simple numeric UTC offsets in POSIX> timezone
format (Tom Lane)
Previously, such timezone settings were displayed as interval> values.
The new output is properly interpreted by SET TIME ZONE>
when passed as a simple string, whereas the old output required
special treatment to be re-parsed correctly.
Foreign data wrappers that support updating foreign tables must
consider the possible presence of AFTER ROW> triggers
(Noah Misch)
When an AFTER ROW> trigger is present, all columns of the
table must be returned by updating actions, since the trigger might
inspect any or all of them. Previously, foreign tables never had
triggers, so the FDW might optimize away fetching columns not mentioned
in the RETURNING> clause (if any).
Prevent CHECK>
constraints from referencing system columns, except
tableoid> (Amit Kapila)
Previously such check constraints were allowed, but they would often
cause errors during restores.
Use the last specified recovery
target parameter if multiple target parameters are specified
(Heikki Linnakangas)
Previously, there was an undocumented precedence order among
the recovery_target_xxx> parameters.
On Windows, automatically preserve quotes in command strings supplied
by the user (Heikki Linnakangas)
User commands that did their own quote preservation might need
adjustment. This is likely to be an issue for commands used in
, ,
and COPY TO/FROM PROGRAM>.
Remove catalog column pg_class.reltoastidxid>
(Michael Paquier)
Remove catalog column pg_rewrite.ev_attr>
(Kevin Grittner)
Per-column rules have not been supported since
PostgreSQL> 7.3.
Remove native support for Kerberos> authentication
(
The supported way to use Kerberos> authentication is
with GSSAPI>. The native code has been deprecated since
PostgreSQL> 8.3.
In PL/Python>, handle domains over arrays like the
underlying array type (Rodolfo Campero)
Previously such values were treated as strings.
Make libpq's PQconnectdbParams()>
and PQpingParams()>
functions process zero-length strings as defaults (Adrian
Vondendriesch)
Previously, these functions treated zero-length string values as
selecting the default in only some cases.
Change empty arrays returned by the module
to be zero-dimensional arrays (Bruce Momjian)
Previously, empty arrays were returned as zero-length one-dimensional
arrays, whose text representation looked the same as zero-dimensional
arrays ({}>), but they acted differently in array
operations. intarray>'s behavior in this area now
matches the built-in array operators.
now uses
Previously this option was spelled Changes
Below you will find a detailed account of the changes between
PostgreSQL 9.4 and the previous major
release.
Server
Allow background worker processes
to be dynamically registered, started and terminated (Robert Haas)
The new worker_spi> module shows an example of use
of this feature.
Allow dynamic allocation of shared memory segments (Robert Haas,
Amit Kapila)
This feature is illustrated in the test_shm_mq
module.
During crash recovery or immediate shutdown, send uncatchable
termination signals (SIGKILL>) to child processes
that do not shut down promptly (MauMau, Álvaro Herrera)
This reduces the likelihood of leaving orphaned child processes
behind after shutdown, as well
as ensuring that crash recovery can proceed if some child processes
have become stuck>.
Improve randomness of the database system identifier (Tom Lane)
Make properly report dead but
not-yet-removable rows to the statistics collector (Hari Babu)
Previously these were reported as live rows.
Indexes
Reduce GIN> index size
(Alexander Korotkov, Heikki Linnakangas)
Indexes upgraded via will work fine
but will still be in the old, larger GIN> format.
Use to recreate old GIN indexes in the
new format.
Improve speed of multi-key GIN> lookups (Alexander Korotkov,
Heikki Linnakangas)
Add GiST> index support
for inet> and
cidr> data types
(Emre Hasegeli)
Such indexes improve subnet and supernet
lookups and ordering comparisons.
Fix rare race condition in B-tree page deletion (Heikki Linnakangas)
Make the handling of interrupted B-tree page splits more robust
(Heikki Linnakangas)
General Performance
Allow multiple backends to insert
into WAL> buffers
concurrently (Heikki Linnakangas)
This improves parallel write performance.
Conditionally write only the modified portion of updated rows to
WAL> (Amit Kapila)
Improve performance of aggregate functions used as window functions
(David Rowley, Florian Pflug, Tom Lane)
Improve speed of aggregates that
use numeric> state
values (Hadi Moshayedi)
Attempt to freeze
tuples when tables are rewritten with or VACUUM FULL> (Robert Haas,
Andres Freund)
This can avoid the need to freeze the tuples in the future.
Improve speed of with default nextval()>
columns (Simon Riggs)
Improve speed of accessing many different sequences in the same session
(David Rowley)
Raise hard limit on the number of tuples held in memory during sorting
and B-tree index builds (Noah Misch)
Reduce memory allocated by PL/pgSQL>
blocks (Tom Lane)
Make the planner more aggressive about extracting restriction clauses
from mixed AND>/OR> clauses (Tom Lane)
Disallow pushing volatile WHERE> clauses down
into DISTINCT> subqueries (Tom Lane)
Pushing down a WHERE> clause can produce a more
efficient plan overall, but at the cost of evaluating the clause
more often than is implied by the text of the query; so don't do it
if the clause contains any volatile functions.
Auto-resize the catalog caches (Heikki Linnakangas)
This reduces memory consumption for sessions accessing only a few
tables, and improves performance for sessions accessing many tables.
Monitoring
Add system view to
report WAL> archiver activity
(Gabriele Bartolini)
Add n_mod_since_analyze> columns to
and related system views
(Mark Kirkwood)
These columns expose the system's estimate of the number of changed
tuples since the table's last . This
estimate drives decisions about when to auto-analyze.
Add backend_xid> and backend_xmin>
columns to the system view ,
and a backend_xmin> column to
(Christian Kruse)
SSL>
Add support for SSL> ECDH> key exchange
(Marko Kreen)
This allows use of Elliptic Curve keys for server authentication.
Such keys are faster and have better security than RSA>
keys. The new configuration parameter
controls which curve is used for ECDH>.
Improve the default setting
(Marko Kreen)
By default, the server not the client now controls the preference
order of SSL> ciphers
(Marko Kreen)
Previously, the order specified by
was usually ignored in favor of client-side defaults, which are not
configurable in most PostgreSQL> clients. If
desired, the old behavior can be restored via the new configuration
parameter .
Make show SSL>
encryption information (Andreas Kunert)
Improve SSL> renegotiation handling (Álvaro
Herrera)
Server Settings
Add new SQL> command
for changing postgresql.conf> configuration file entries
(Amit Kapila)
Previously such settings could only be changed by manually
editing postgresql.conf>.
Add configuration parameter
to control the amount of memory used by autovacuum workers
(Peter Geoghegan)
Add parameter to allow using huge
memory pages on Linux (Christian Kruse, Richard Poole, Abhijit
Menon-Sen)
This can improve performance on large-memory systems.
Add parameter
to limit the number of background workers (Robert Haas)
This is helpful in configuring a standby server to have the
required number of worker processes (the same as the primary).
Add superuser-only
parameter to load libraries at session start (Peter Eisentraut)
In contrast to , this
parameter can load any shared library, not just those in
the $libdir/plugins> directory.
Add parameter to enable WAL
logging of hint-bit changes (Sawada Masahiko)
Hint bit changes are not normally logged, except when checksums are
enabled. This is useful for external tools
like pg_rewind>.
Increase the default settings of
and by four times (Bruce
Momjian)
The new defaults are 4MB and 64MB respectively.
Increase the default setting of
to 4GB (Bruce Momjian, Tom Lane)
Allow printf-style space padding to be
specified in (David Rowley)
Allow terabyte units (TB>) to be used when specifying
configuration variable values (Simon Riggs)
Show PID>s of lock holders and waiters and improve
information about relations in
log messages (Christian Kruse)
Reduce server logging level when loading shared libraries (Peter
Geoghegan)
The previous level was LOG>, which was too verbose
for libraries loaded per-session.
On Windows, make SQL_ASCII>-encoded databases and server
processes (e.g., ) emit messages in
the character encoding of the server's Windows user locale
(Alexander Law, Noah Misch)
Previously these messages were output in the Windows
ANSI> code page.
Replication and Recovery
Add replication
slots to coordinate activity on streaming standbys with the
node they are streaming from (Andres Freund, Robert Haas)
Replication slots allow preservation of resources like
WAL> files on the primary until they are no longer
needed by standby servers.
Add recovery parameter
to delay replication (Robert Haas, Fabrízio de Royes Mello,
Simon Riggs)
Delaying replay on standby servers can be useful for recovering
from user errors.
Add
option
Improve recovery target processing (Heikki Linnakangas)
The timestamp reported
by pg_last_xact_replay_timestamp()>
now reflects already-committed records, not transactions about to
be committed. Recovering to a restore point now replays the restore
point, rather than stopping just before the restore point.
pg_switch_xlog()>
now clears any unused trailing space in the old WAL> file
(Heikki Linnakangas)
This improves the compression ratio for WAL> files.
Report failure return codes from external recovery commands>
(Peter Eisentraut)
Reduce spinlock contention during WAL> replay (Heikki
Linnakangas)
Write WAL> records of running transactions more
frequently (Andres Freund)
This allows standby servers to start faster and clean up resources
more aggressively.
Logical Decoding>
Logical decoding allows database changes to be streamed in a
configurable format. The data is read from
the WAL> and transformed into the
desired target format. To implement this feature, the following changes
were made:
Add support for logical decoding>
of WAL data, to allow database changes to be streamed out in a
customizable format
(Andres Freund)
Add new setting
Add table-level parameter REPLICA IDENTITY>
to control logical replication (Andres Freund)
Add relation option
Add application to receive
logical-decoding data (Andres Freund)
Add module to illustrate logical
decoding at the SQL> level (Andres Freund)
Queries
Add WITH
ORDINALITY> syntax to number the rows returned from a
set-returning function in the FROM> clause
(Andrew Gierth, David Fetter)
This is particularly useful for functions like
unnest()>.
Add ROWS
FROM()> syntax to allow horizontal concatenation of
set-returning functions in the FROM> clause (Andrew Gierth)
Allow to have
an empty target list (Tom Lane)
This was added so that views that select from a table with zero
columns can be dumped and restored correctly.
Ensure that SELECT ... FOR UPDATE
NOWAIT> does not wait in corner cases involving
already-concurrently-updated tuples (Craig Ringer and Thomas Munro)
Utility Commands
Add DISCARD
SEQUENCES> command to discard cached sequence-related state
(Fabrízio de Royes Mello, Robert Haas)
DISCARD ALL> will now also discard such information.
Add FORCE NULL> option
to COPY FROM>, which
causes quoted strings matching the specified null string to be
converted to NULLs in CSV> mode (Ian Barwick, Michael
Paquier)
Without this option, only unquoted matching strings will be imported
as null values.
Issue warnings for commands used outside of transaction blocks
when they can have no effect (Bruce Momjian)
New warnings are issued for SET
LOCAL>, SET CONSTRAINTS>, SET TRANSACTION> and
ABORT> when used outside a transaction block.
Make EXPLAIN ANALYZE> show planning time (Andreas
Karlsson)
Make EXPLAIN> show the grouping columns in Agg and
Group nodes (Tom Lane)
Make EXPLAIN ANALYZE> show exact and lossy
block counts in bitmap heap scans (Etsuro Fujita)
Views
Allow a materialized view>
to be refreshed without blocking other sessions from reading the view
meanwhile (Kevin Grittner)
This is done with REFRESH MATERIALIZED
VIEW CONCURRENTLY>.
Allow views to be automatically
updated even if they contain some non-updatable columns
(Dean Rasheed)
Previously the presence of non-updatable output columns such as
expressions, literals, and function calls prevented automatic
updates. Now INSERT>s, UPDATE>s and
DELETE>s are supported, provided that they do not
attempt to assign new values to any of the non-updatable columns.
Allow control over whether INSERT>s and
UPDATE>s can add rows to an auto-updatable view that
would not appear in the view (Dean Rasheed)
This is controlled with the new
clause WITH CHECK OPTION>.
Allow security barrier views>
to be automatically updatable (Dean Rasheed)
Object Manipulation
Support triggers on foreign
tables> (Ronan Dunklau)
Allow moving groups of objects from one tablespace to another
using the ALL IN TABLESPACE ... SET TABLESPACE> form of
, , or
(Stephen Frost)
Allow changing foreign key constraint deferrability
via ... ALTER
CONSTRAINT> (Simon Riggs)
Reduce lock strength for some
commands
(Simon Riggs, Noah Misch, Robert Haas)
Specifically, VALIDATE CONSTRAINT>, CLUSTER
ON>, SET WITHOUT CLUSTER>, ALTER COLUMN
SET STATISTICS>, ALTER COLUMN> SET>
Allow tablespace options to be set
in (Vik Fearing)
Formerly these options could only be set
via .
Allow to define the estimated
size of the aggregate's transition state data (Hadi Moshayedi)
Proper use of this feature allows the planner to better estimate
how much memory will be used by aggregates.
Fix DROP IF EXISTS> to avoid errors for non-existent
objects in more cases (Pavel Stehule, Dean Rasheed)
Improve how system relations are identified (Andres Freund,
Robert Haas)
Previously, relations once moved into the pg_catalog>
schema could no longer be modified or dropped.
Data Types
Fully implement the line> data type (Peter
Eisentraut)
The line segment> data type (lseg>) has always been
fully supported. The previous line> data type (which was
enabled only via a compile-time option) is not binary or
dump-compatible with the new implementation.
Add pg_lsn>
data type to represent a WAL> log sequence number
(LSN>) (Robert Haas, Michael Paquier)
Allow single-point polygon>s to be converted
to circle>s
(Bruce Momjian)
Support time zone abbreviations that change UTC offset from time to
time (Tom Lane)
Previously, PostgreSQL> assumed that the UTC offset
associated with a time zone abbreviation (such as EST>)
never changes in the usage of any particular locale. However this
assumption fails in the real world, so introduce the ability for a
zone abbreviation to represent a UTC offset that sometimes changes.
Update the zone abbreviation definition files to make use of this
feature in timezone locales that have changed the UTC offset of their
abbreviations since 1970 (according to the IANA timezone database).
In such timezones, PostgreSQL> will now associate the
correct UTC offset with the abbreviation depending on the given date.
Allow 5+ digit years for non-ISO> timestamp> and
date> strings, where appropriate (Bruce Momjian)
Add checks for overflow/underflow of interval> values
(Bruce Momjian)
JSON>
Add jsonb>, a more
capable and efficient data type for storing JSON> data
(Oleg Bartunov, Teodor Sigaev, Alexander
Korotkov, Peter Geoghegan, Andrew Dunstan)
This new type allows faster access to values within a JSON
document, and faster and more useful indexing of JSON columns.
Scalar values in jsonb> documents are stored as appropriate
scalar SQL types, and the JSON document structure is pre-parsed
rather than being stored as text as in the original json>
data type.
Add new JSON functions to allow for the construction
of arbitrarily complex JSON trees (Andrew Dunstan, Laurence Rowe)
New functions include json_array_elements_text()>,
json_build_array()>, json_object()>,
json_object_agg()>, json_to_record()>,
and json_to_recordset()>.
Add json_typeof()>
to return the data type of a json> value (Andrew Tipton)
Functions
Add pg_sleep_for(interval)>
and pg_sleep_until(timestamp)> to specify
delays more flexibly (Vik Fearing, Julien Rouhaud)
The existing pg_sleep()> function only supports delays
specified in seconds.
Add cardinality()>
function for arrays (Marko Tiikkaja)
This returns the total number of elements in the array, or zero
for an array with no elements.
Add SQL> functions to allow large
object reads/writes at arbitrary offsets (Pavel Stehule)
Allow unnest()>
to take multiple arguments, which are individually unnested then
horizontally concatenated (Andrew Gierth)
Add functions to construct time>s, date>s,
timestamp>s, timestamptz>s, and interval>s
from individual values, rather than strings (Pavel Stehule)
These functions' names are prefixed with make_>,
e.g. make_date()>.
Make to_char()>'s
TZ> format specifier return a useful value for simple
numeric time zone offsets (Tom Lane)
Previously, to_char(CURRENT_TIMESTAMP, 'TZ')> returned
an empty string if the timezone> was set to a constant
like -4>.
Add timezone offset format specifier OF> to to_char()>
(Bruce Momjian)
Improve the random seed used for random()>
(Honza Horak)
Tighten validity checking for Unicode code points in chr(int)>
(Tom Lane)
This function now only accepts values that are valid UTF8 characters
according to RFC 3629.
System Information Functions
Add functions for looking up objects in pg_class>,
pg_proc>, pg_type>, and
pg_operator> that do not generate errors for
non-existent objects (Yugo Nagata, Nozomi Anzai,
Robert Haas)
For example, to_regclass()>
does a lookup in pg_class> similarly to
the regclass> input function, but it returns NULL for a
non-existent object instead of failing.
Add function pg_filenode_relation()>
to allow for more efficient lookup of relation names from filenodes
(Andres Freund)
Add parameter_default> column to information_schema.parameters>
view (Peter Eisentraut)
Make information_schema.schemata>
show all accessible schemas (Peter Eisentraut)
Previously it only showed schemas owned by the current user.
Aggregates
Add control over which rows are passed
into aggregate functions via the FILTER> clause
(David Fetter)
Support ordered-set (WITHIN GROUP>)
aggregates (Atri Sharma, Andrew Gierth, Tom Lane)
Add standard ordered-set aggregates percentile_cont()>,
percentile_disc()>, mode()>, rank()>,
dense_rank()>, percent_rank()>, and
cume_dist()>
(Atri Sharma, Andrew Gierth)
Support VARIADIC>
aggregate functions (Tom Lane)
Allow polymorphic aggregates to have non-polymorphic state data
types (Tom Lane)
This allows proper declaration in SQL of aggregates like the built-in
aggregate array_agg()>.
Server-Side Languages
Add event trigger support to PL/Perl>
and PL/Tcl> (Dimitri Fontaine)
Convert numeric>
values to decimal> in PL/Python
(Szymon Guz, Ronan Dunklau)
Previously such values were converted to Python float> values,
risking loss of precision.
PL/pgSQL Server-Side Language
Add ability to retrieve the current PL/pgSQL call stack
using GET
DIAGNOSTICS>
(Pavel Stehule, Stephen Frost)
Add option
print_strict_params>
to display the parameters passed to a query that violated a
STRICT> constraint (Marko Tiikkaja)
Add variables plpgsql.extra_warnings>
and plpgsql.extra_errors> to enable additional PL/pgSQL
warnings and errors (Marko Tiikkaja, Petr Jelinek)
Currently only warnings/errors about shadowed variables are available.
libpq>
Make libpq's PQconndefaults()>
function ignore invalid service files (Steve Singer, Bruce Momjian)
Previously it returned NULL if an incorrect service file was
encountered.
Accept TLS> protocol versions beyond TLSv1>
in libpq (Marko Kreen)
Client Applications
Add option
-g>
to specify role membership (Christopher Browne)
Add
option
--analyze-in-stages> to analyze in stages of
increasing granularity (Peter Eisentraut)
This allows minimal statistics to be created quickly.
Make pg_resetxlog>>
with option
-n> output current and potentially changed
values (Rajeev Rastogi)
Make throw error for incorrect locale
settings, rather than silently falling back to a default choice
(Tom Lane)
Make return exit code 4> for
an inaccessible data directory (Amit Kapila, Bruce Momjian)
This behavior more closely matches the Linux Standard Base
(LSB>) Core Specification.
On Windows, ensure that a non-absolute
-D> path
specification is interpreted relative
to 's current directory
(Kumar Rajeev Rastogi)
Previously it would be interpreted relative to whichever directory
the underlying Windows service was started in.
Allow sizeof()> in ECPG
C array definitions (Michael Meskes)
Make ECPG properly handle nesting
of C-style comments in both C and SQL> text
(Michael Meskes)
Suppress No rows output in psql>
expanded>
mode when the footer is disabled (Bruce Momjian)
Allow Control-C to abort psql> when it's hung at
connection startup (Peter Eisentraut)
Backslash Commands
Make psql>'s \db+> show tablespace options
(Magnus Hagander)
Make \do+> display the functions
that implement the operators (Marko Tiikkaja)
Make \d+> output an
OID> line only if an oid column
exists in the table (Bruce Momjian)
Previously, the presence or absence of an oid
column was always reported.
Make \d> show disabled system triggers (Bruce
Momjian)
Previously, if you disabled all triggers, only user triggers
would show as disabled.
Fix \copy> to no longer require
a space between stdin> and a semicolon (Etsuro Fujita)
Output the row count at the end of \copy>, just
like COPY> already did (Kumar Rajeev Rastogi)
Fix \conninfo> to display the
server's IP> address for connections using
hostaddr> (Fujii Masao)
Previously \conninfo> could not display the server's
IP> address in such cases.
Show the SSL> protocol version in
\conninfo> (Marko Kreen)
Add tab completion for \pset>
(Pavel Stehule)
Allow \pset> with no arguments
to show all settings (Gilles Darold)
Make \s> display the name of the history file it wrote
without converting it to an absolute path (Tom Lane)
The code previously attempted to convert a relative file name to
an absolute path for display, but frequently got it wrong.
Allow options
-I>,
-P>,
-T> and
-n>
to be specified multiple times (Heikki Linnakangas)
This allows multiple objects to be restored in one operation.
Optionally add IF EXISTS> clauses to the DROP>
commands emitted when removing old objects during a restore (Pavel
Stehule)
This change prevents unnecessary errors when removing old objects.
The new
--if-exists> option
for , ,
and is only available
when
--clean> is also specified.
Add pg_basebackup> option
--xlogdir>
to specify the pg_xlog> directory location (Haribabu
Kommi)
Allow pg_basebackup> to relocate tablespaces in
the backup copy (Steeve Lennmark)
This is particularly useful for using pg_basebackup>
on the same machine as the primary.
Allow network-stream base backups to be throttled (Antonin Houska)
This can be controlled with the pg_basebackup>
--max-rate> parameter.
Source Code
Improve the way tuples are frozen to preserve forensic information
(Robert Haas, Andres Freund)
This change removes the main objection to freezing tuples as soon
as possible. Code that inspects tuple flag bits will need to be
modified.
No longer require function prototypes for functions marked with the
PG_FUNCTION_INFO_V1>
macro (Peter Eisentraut)
This change eliminates the need to write boilerplate prototypes.
Note that the PG_FUNCTION_INFO_V1> macro must appear
before the corresponding function definition to avoid compiler
warnings.
Remove SnapshotNow> and
HeapTupleSatisfiesNow()> (Robert Haas)
All existing uses have been switched to more appropriate snapshot
types. Catalog scans now use MVCC> snapshots.
Add an API> to allow memory allocations over one gigabyte
(Noah Misch)
Add psprintf()> to simplify memory allocation during
string composition (Peter Eisentraut, Tom Lane)
Support printf()> size modifier z> to
print size_t> values (Andres Freund)
Change API> of appendStringInfoVA()>
to better use vsnprintf()> (David Rowley, Tom Lane)
Allow new types of external toast datums to be created (Andres
Freund)
Add single-reader, single-writer, lightweight shared message queue
(Robert Haas)
Improve spinlock speed on x86_64 CPU>s (Heikki
Linnakangas)
Remove spinlock support for unsupported platforms
SINIX>, Sun3>, and
NS32K> (Robert Haas)
Remove IRIX> port (Robert Haas)
Reduce the number of semaphores required by
--disable-spinlocks> builds (Robert Haas)
Rewrite duplicate_oids> Unix shell script in
Perl> (Andrew Dunstan)
Add Test Anything Protocol (TAP>) tests for client
programs (Peter Eisentraut)
Currently, these tests are run by make check-world>
only if the
--enable-tap-tests> option was given
to configure>.
This might become the default behavior in some future release.
Add make targets
check-tests> and
installcheck-tests>, which allow selection of individual
tests to be run (Andrew Dunstan)
The default build rules now include all the formerly-optional tests.
Improve support for VPATH> builds of PGXS>
modules (Cédric Villemain, Andrew Dunstan, Peter Eisentraut)
Upgrade to Autoconf 2.69 (Peter Eisentraut)
Add a configure> flag that appends custom text to the
PG_VERSION> string (Oskari Saarenmaa)
This is useful for packagers building custom binaries.
Improve DocBook XML> validity (Peter Eisentraut)
Fix various minor security and sanity issues reported by the
Coverity> scanner (Stephen Frost)
Improve detection of invalid memory usage when testing
PostgreSQL> with Valgrind>
(Noah Misch)
Improve sample Emacs> configuration file
emacs.samples> (Peter Eisentraut)
Also add .dir-locals.el> to the top of the source tree.
Allow pgindent> to accept a command-line list
of typedefs (Bruce Momjian)
Make pgindent> smarter about blank lines
around preprocessor conditionals (Bruce Momjian)
Avoid most uses of dlltool
in Cygwin> and
Mingw> builds (Marco Atzeri, Hiroshi Inoue)
Support client-only installs in MSVC> (Windows) builds
(MauMau)
Additional Modules
Add extension to preload relation data
into the shared buffer cache at server start (Robert Haas)
This allows reaching full operating performance more quickly.
Add UUID> random number generator
gen_random_uuid()> to
(Oskari Saarenmaa)
This allows creation of version 4 UUID>s without
requiring installation of .
Allow to work with
the BSD> or e2fsprogs> UUID libraries,
not only the OSSP> UUID library (Matteo Beccati)
This improves the uuid-ossp> module's portability
since it no longer has to have the increasingly-obsolete OSSP
library. The module's name is now rather a misnomer, but we won't
change it.
Add option to to include trigger
execution time (Horiguchi Kyotaro)
Fix to not report rows from
uncommitted transactions as dead (Robert Haas)
Make functions
use regclass-type arguments (Satoshi Nagayasu)
While text-type arguments are still supported, they
may be removed in a future major release.
Improve consistency of output to honor
snapshot rules more consistently (Robert Haas)
Improve 's choice of trigrams for indexed
regular expression searches (Alexander Korotkov)
This change discourages use of trigrams containing whitespace, which
are usually less selective.
Allow pg_xlogdump>>
to report a live log stream with
--follow>
(Heikki Linnakangas)
Store data more compactly (Stas Kelvich)
Existing data must be dumped/restored to use the new format.
The old format can still be read.
Reduce client-side memory usage by using
a cursor (Andrew Dunstan)
Dramatically reduce memory consumption
in (Bruce Momjian)
Pass 's user name (
-U>) option to
generated analyze scripts (Bruce Momjian)
Remove line length limit for pgbench> scripts (Sawada
Masahiko)
The previous line limit was BUFSIZ>.
Add long option names to pgbench> (Fabien Coelho)
Add pgbench> option
--rate> to control
the transaction rate (Fabien Coelho)
Add pgbench> option
--progress> to
print periodic progress reports
(Fabien Coelho)
Make pg_stat_statements> use a file, rather than
shared memory, for query text storage (Peter Geoghegan)
This removes the previous limitation on query text length, and
allows a higher number of unique statements to be tracked by default.
Allow reporting of pg_stat_statements>'s internal
query hash identifier (Daniel Farina, Sameer Thakur, Peter
Geoghegan)
Add the ability to retrieve all pg_stat_statements>
information except the query text (Peter Geoghegan)
This allows monitoring tools to fetch query text only for
just-created entries, improving performance during repeated querying
of the statistics.
Make pg_stat_statements> ignore DEALLOCATE>
commands (Fabien Coelho)
It already ignored PREPARE>, as well as planning time in
general, so this seems more consistent.
Save the statistics file into $PGDATA/pg_stat> at server
shutdown, rather than $PGDATA/global> (Fujii Masao)