PostgreSQL Changelog

What's new in PostgreSQL 16.1

Nov 10, 2023

However, several mistakes have been discovered that could lead to certain types of indexes yielding wrong search results or being unnecessarily inefficient. It is advisable to REINDEX potentially-affected indexes after installing this update. See the fourth through seventh changelog entries below.
Fix handling of unknown-type arguments in DISTINCT "any" aggregate functions (Tom Lane)
This error led to a text-type value being interpreted as an unknown-type value (that is, a zero-terminated string) at runtime. This could result in disclosure of server memory following the text value.
The PostgreSQL Project thanks Jingzhou Fu for reporting this problem. (CVE-2023-5868)
Detect integer overflow while computing new array dimensions (Tom Lane)
When assigning new elements to array subscripts that are outside the current array bounds, an undetected integer overflow could occur in edge cases. Memory stomps that are potentially exploitable for arbitrary code execution are possible, and so is disclosure of server memory.
The PostgreSQL Project thanks Pedro Gallegos for reporting this problem. (CVE-2023-5869)
Prevent the pg_signal_backend role from signalling background workers and autovacuum processes (Noah Misch, Jelte Fennema-Nio)
The documentation says that pg_signal_backend cannot issue signals to superuser-owned processes. It was able to signal these background processes, though, because they advertise a role OID of zero. Treat that as indicating superuser ownership. The security implications of cancelling one of these process types are fairly small so far as the core code goes (we'll just start another one), but extensions might add background workers that are more vulnerable.
Also ensure that the is_superuser parameter is set correctly in such processes. No specific security consequences are known for that oversight, but it might be significant for some extensions.
The PostgreSQL Project thanks Hemanth Sandrana and Mahendrakar Srinivasarao for reporting this problem. (CVE-2023-5870)
Fix misbehavior during recursive page split in GiST index build (Heikki Linnakangas)
Fix a case where the location of a page downlink was incorrectly tracked, and introduce some logic to allow recovering from such situations rather than silently doing the wrong thing. This error could result in incorrect answers from subsequent index searches. It may be advisable to reindex all GiST indexes after installing this update.
Prevent de-duplication of btree index entries for interval columns (Noah Misch)
There are interval values that are distinguishable but compare equal, for example 24:00:00 and 1 day. This breaks assumptions made by btree de-duplication, so interval columns need to be excluded from de-duplication. This oversight can cause incorrect results from index-only scans. Moreover, after updating amcheck will report an error for almost all such indexes. Users should reindex any btree indexes on interval columns.
Process date values more sanely in BRIN datetime_minmax_multi_ops indexes (Tomas Vondra)
The distance calculation for dates was backward, causing poor decisions about which entries to merge. The index still produces correct results, but is much less efficient than it should be. Reindexing BRIN minmax_multi indexes on date columns is advisable.
Process large timestamp and timestamptz values more sanely in BRIN datetime_minmax_multi_ops indexes (Tomas Vondra)
Infinities were mistakenly treated as having distance zero rather than a large distance from other values, causing poor decisions about which entries to merge. Also, finite-but-very-large values (near the endpoints of the representable timestamp range) could result in internal overflows, again causing poor decisions. The index still produces correct results, but is much less efficient than it should be. Reindexing BRIN minmax_multi indexes on timestamp and timestamptz columns is advisable if the column contains, or has contained, infinities or large finite values.
Avoid calculation overflows in BRIN interval_minmax_multi_ops indexes with extreme interval values (Tomas Vondra)
This bug might have caused unexpected failures while trying to insert large interval values into such an index.
Fix partition step generation and runtime partition pruning for hash-partitioned tables with multiple partition keys (David Rowley)
Some cases involving an IS NULL condition on one of the partition keys could result in a crash.
Fix inconsistent rechecking of concurrently-updated rows during MERGE (Dean Rasheed)
In READ COMMITTED mode, an update that finds that its target row was just updated by a concurrent transaction will recheck the query's WHERE conditions on the updated row. MERGE failed to ensure that the proper rows of other joined tables were used during this recheck, possibly resulting in incorrect decisions about whether the newly-updated row should be updated again by MERGE.
Correctly identify the target table in an inherited UPDATE/DELETE/MERGE even when the parent table is excluded by constraints (Amit Langote, Tom Lane)
If the initially-named table is excluded by constraints, but not all its inheritance descendants are, the first non-excluded descendant was identified as the primary target table. This would lead to firing statement-level triggers associated with that table, rather than the initially-named table as should happen. In v16, the same oversight could also lead to “invalid perminfoindex 0 in RTE with relid NNNN” errors.
Fix edge case in btree mark/restore processing of ScalarArrayOpExpr clauses (Peter Geoghegan)
When restoring an indexscan to a previously marked position, the code could miss required setup steps if the scan had advanced exactly to the end of the matches for a ScalarArrayOpExpr (that is, an indexcol = ANY(ARRAY[])) clause. This could result in missing some rows that should have been fetched.
Fix intra-query memory leak in Memoize execution (Orlov Aleksej, David Rowley)
Fix intra-query memory leak when a set-returning function repeatedly returns zero rows (Tom Lane)
Don't crash if cursor_to_xmlschema() is applied to a non-data-returning Portal (Boyu Yang)
Fix improper sharing of origin filter condition across successive pg_logical_slot_get_changes() calls (Hou Zhijie)
The origin condition set by one call of this function would be re-used by later calls that did not specify the origin argument. This was not intended.
Throw the intended error if pgrowlocks() is applied to a partitioned table (David Rowley)
Previously, a not-on-point complaint “only heap AM is supported” would be raised.
Handle invalid indexes more cleanly in assorted SQL functions (Noah Misch)
Report an error if pgstatindex(), pgstatginindex(), pgstathashindex(), or pgstattuple() is applied to an invalid index. If brin_desummarize_range(), brin_summarize_new_values(), brin_summarize_range(), or gin_clean_pending_list() is applied to an invalid index, do nothing except to report a debug-level message. Formerly these functions attempted to process the index, and might fail in strange ways depending on what the failed CREATE INDEX had left behind.
Avoid premature memory allocation failure with long inputs to to_tsvector() (Tom Lane)
Fix over-allocation of the constructed tsvector in tsvectorrecv() (Denis Erokhin)
If the incoming vector includes position data, the binary receive function left wasted space (roughly equal to the size of the position data) in the finished tsvector. In extreme cases this could lead to “maximum total lexeme length exceeded” failures for vectors that were under the length limit when emitted. In any case it could lead to wasted space on-disk.
Improve checks for corrupt PGLZ compressed data (Flavien Guedez)
Fix ALTER SUBSCRIPTION so that a commanded change in the run_as_owner option is actually applied (Hou Zhijie)
Fix bulk table insertion into partitioned tables (Andres Freund)
Improper sharing of insertion state across partitions could result in failures during COPY FROM, typically manifesting as “could not read block NNNN in file XXXX: read only 0 of 8192 bytes” errors.
In COPY FROM, avoid evaluating column default values that will not be needed by the command (Laurenz Albe)
This avoids a possible error if the default value isn't actually valid for the column, or if the default's expression would fail in the current execution context. Such edge cases sometimes arise while restoring dumps, for example. Previous releases did not fail in this situation, so prevent v16 from doing so.
In COPY FROM, fail cleanly when an unsupported encoding conversion is needed (Tom Lane)
Recent refactoring accidentally removed the intended error check for this, such that it ended in “cache lookup failed for function 0” instead of a useful error message.
Avoid crash in EXPLAIN if a parameter marked to be displayed by EXPLAIN has a NULL boot-time value (Xing Guo, Aleksander Alekseev, Tom Lane)
No built-in parameter fits this description, but an extension could define such a parameter.
Ensure we have a snapshot while dropping ON COMMIT DROP temp tables (Tom Lane)
This prevents possible misbehavior if any catalog entries for the temp tables have fields wide enough to require toasting (such as a very complex CHECK condition).
Avoid improper response to shutdown signals in child processes just forked by system() (Nathan Bossart)
This fix avoids a race condition in which a child process that has been forked off by system(), but hasn't yet exec'd the intended child program, might receive and act on a signal intended for the parent server process. That would lead to duplicate cleanup actions being performed, which will not end well.
Cope with torn reads of pg_control in frontend programs (Thomas Munro)
On some file systems, reading pg_control may not be an atomic action when the server concurrently writes that file. This is detectable via a bad CRC. Retry a few times to see if the file becomes valid before we report error.
Avoid torn reads of pg_control in relevant SQL functions (Thomas Munro)
Acquire the appropriate lock before reading pg_control, to ensure we get a consistent view of that file.
Fix “could not find pathkey item to sort” errors occurring while planning aggregate functions with ORDER BY or DISTINCT options (David Rowley)
Avoid integer overflow when computing size of backend activity string array (Jakub Wartak)
On 64-bit machines we will allow values of track_activity_query_size large enough to cause 32-bit overflow when multiplied by the allowed number of connections. The code actually allocating the per-backend local array was careless about this though, and allocated the array incorrectly.
Fix briefly showing inconsistent progress statistics for ANALYZE on inherited tables (Heikki Linnakangas)
The block-level counters should be reset to zero at the same time we update the current-relation field.
Fix the background writer to report any WAL writes it makes to the statistics counters (Nazir Bilal Yavuz)
Fix confusion about forced-flush behavior in pgstat_report_wal() (Ryoga Yoshida, Michael Paquier)
This could result in some statistics about WAL I/O being forgotten in a shutdown.
Fix statistics tracking of temporary-table extensions (Karina Litskevich, Andres Freund)
These were counted as normal-table writes when they should be counted as temp-table writes.
When track_io_timing is enabled, include the time taken by relation extension operations as write time (Nazir Bilal Yavuz)
Track the dependencies of cached CALL statements, and re-plan them when needed (Tom Lane)
DDL commands, such as replacement of a function that has been inlined into a CALL argument, can create the need to re-plan a CALL that has been cached by PL/pgSQL. That was not happening, leading to misbehavior or strange errors such as “cache lookup failed”.
Avoid a possible pfree-a-NULL-pointer crash after an error in OpenSSL connection setup (Sergey Shinderuk)
Track nesting depth correctly when inspecting RECORD-type Vars from outer query levels (Richard Guo)
This oversight could lead to assertion failures, core dumps, or “bogus varno” errors.
Track hash function and negator function dependencies of ScalarArrayOpExpr plan nodes (David Rowley)
In most cases this oversight was harmless, since these functions would be unlikely to disappear while the node's original operator remains present.
Fix error-handling bug in RECORD type cache management (Thomas Munro)
An out-of-memory error occurring at just the wrong point could leave behind inconsistent state that would lead to an infinite loop.
Treat out-of-memory failures as fatal while reading WAL (Michael Paquier)
Previously this would be treated as a bogus-data condition, leading to the conclusion that we'd reached the end of WAL, which is incorrect and could lead to inconsistent WAL replay.
Fix possible recovery failure due to trying to allocate memory based on a bogus WAL record length field (Thomas Munro, Michael Paquier)
Fix “could not duplicate handle” error occurring on Windows when min_dynamic_shared_memory is set above zero (Thomas Munro)
Fix order of operations in GenericXLogFinish (Jeff Davis)
This code violated the conditions required for crash safety by writing WAL before marking changed buffers dirty. No core code uses this function, but extensions do (contrib/bloom does, for example).
Remove incorrect assertion in PL/Python exception handling (Alexander Lakhin)
Fix pg_dump to dump the new run_as_owner option of subscriptions (Philip Warner)
Due to this oversight, subscriptions would always be restored with run_as_owner set to false, which is not equivalent to their behavior in pre-v16 releases.
Fix pg_restore so that selective restores will include both table-level and column-level ACLs for selected tables (Euler Taveira, Tom Lane)
Formerly, only the table-level ACL would get restored if both types were present.
Add logic to pg_upgrade to check for use of abstime, reltime, and tinterval data types (Álvaro Herrera)
These obsolete data types were removed in PostgreSQL version 12, so check to make sure they aren't present in an older database before claiming it can be upgraded.
Avoid false “too many client connections” errors in pgbench on Windows (Noah Misch)
Fix vacuumdb's handling of multiple -N switches (Nathan Bossart, Kuwamura Masaki)
Multiple -N switches should exclude tables in multiple schemas, but in fact excluded nothing due to faulty construction of a generated query.
Fix vacuumdb to honor its --buffer-usage-limit option in analyze-only mode (Ryoga Yoshida, David Rowley)
In contrib/amcheck, do not report interrupted page deletion as corruption (Noah Misch)
This fix prevents false-positive reports of “the first child of leftmost target page is not leftmost of its level”, “block NNNN is not leftmost” or “left link/right link pair in index XXXX not in agreement”. They appeared if amcheck ran after an unfinished btree index page deletion and before VACUUM had cleaned things up.
Fix failure of contrib/btree_gin indexes on interval columns, when an indexscan using the < or <= operator is performed (Dean Rasheed)
Such an indexscan failed to return all the entries it should.
Add support for LLVM 16 and 17 (Thomas Munro, Dmitry Dolgov)
Suppress assorted build-time warnings on recent macOS (Tom Lane)
Xcode 15 (released with macOS Sonoma) changed the linker's behavior in a way that causes many duplicate-library warnings while building PostgreSQL. These were harmless, but they're annoying so avoid citing the same libraries twice. Also remove use of the -multiply_defined suppress linker switch, which apparently has been a no-op for a long time, and is now actively complained of.
When building contrib/unaccent's rules file, fall back to using python if --with-python was not given and make variable PYTHON was not set (Japin Li)
Remove PHOT (Phoenix Islands Time) from the default timezone abbreviations list (Tom Lane)
Presence of this abbreviation in the default list can cause failures on recent Debian and Ubuntu releases, as they no longer install the underlying tzdb entry by default. Since this is a made-up abbreviation for a zone with a total human population of about two dozen, it seems unlikely that anyone will miss it. If someone does, they can put it back via a custom abbreviations file.

New in PostgreSQL 16 RC1 (Aug 31, 2023)

New in PostgreSQL 15.4 (Aug 10, 2023)

New in PostgreSQL 15.3 (May 11, 2023)

Changes:
Prevent CREATE SCHEMA from defeating changes in search_path (Alexander Lakhin)
Within a CREATE SCHEMA command, objects in the prevailing search_path, as well as those in the newly-created schema, would be visible even within a called function or script that attempted to set a secure search_path. This could allow any user having permission to create a schema to hijack the privileges of a security definer function or extension script.
The PostgreSQL Project thanks Alexander Lakhin for reporting this problem. (CVE-2023-2454)
Enforce row-level security policies correctly after inlining a set-returning function (Stephen Frost, Tom Lane)
If a set-returning SQL-language function refers to a table having row-level security policies, and it can be inlined into a calling query, those RLS policies would not get enforced properly in some cases involving re-using a cached plan under a different role. This could allow a user to see or modify rows that should have been invisible.
The PostgreSQL Project thanks Wolfgang Walther for reporting this problem. (CVE-2023-2455)
Fix potential corruption of the template (source) database after CREATE DATABASE with the STRATEGY WAL_LOG option (Nathan Bossart, Ryo Matsumura)
Improper buffer handling created a risk that any later modification of the template's pg_class catalog would be lost.
Ix memory leakage and unnecessary disk reads during CREATE DATABASE with the STRATEGY WAL_LOG option (Andres Freund)
Avoid crash when the new schema name is omitted in CREATE SCHEMA (Michael Paquier)
The SQL standard allows writing CREATE SCHEMA AUTHORIZATION owner_name, with the schema name defaulting to owner_name. However some code paths expected the schema name to be present and would fail.
Fix various planner failures with MERGE commands (Tom Lane)
Planning could fail with errors like “variable not found in subplan target list” or “PlaceHolderVar found where not expected”.
Fix the row count reported by MERGE for some corner cases (Dean Rasheed)
The row count reported in the command tag counted rows that actually hadn't been modified due to a BEFORE ROW trigger returning NULL. This is inconsistent with what happens in plain UPDATE or DELETE, so change it to not count such rows. Also, avoid counting a row twice when MERGE moves it into a different partition of a partitioned table.
Fix MERGE problems with concurrent updates (Dean Rasheed, Álvaro Herrera)
Some cases misbehaved if a row to be updated or deleted by MERGE had just been updated by a concurrent transaction. This could lead to a crash, or the wrong merge action being executed, or no action at all.
Add support for decompiling MERGE commands (Álvaro Herrera)
This was overlooked when MERGE was added, but it's essential support for MERGE in new-style SQL functions.
Fix enabling/disabling of foreign-key triggers in partitioned tables (Tom Lane)
ALTER TABLE ... ENABLE/DISABLE TRIGGER failed if applied to a partitioned table's foreign-key enforcement triggers, because it tried to locate the clone triggers for the partitions by name, and they do not have the same name. Locate them by parent-trigger OID instead.
Disallow altering composite types that are stored in indexes (Tom Lane)
ALTER TYPE disallows non-binary-compatible modifications of composite types if they are stored in any table columns. (Perhaps that will be allowed someday, but it hasn't happened yet; the locking implications of rewriting many tables are daunting.) We overlooked the possibility that an index might contain a composite type that doesn't also appear in its table.
Disallow system columns as elements of foreign keys (Tom Lane)
Since the removal of OID as a system column, there is no plausible use-case for this, and various bits of code no longer support it. Disallow it rather than trying to fix all the cases.
Ensure that COPY TO from an RLS-enabled parent table does not copy any rows from child tables (Antonin Houska)
The documentation is quite clear that COPY TO copies rows from only the named table, not any inheritance children it may have. However, if row-level security was enabled on the table then this stopped being true.
Avoid possible crash when array_position() or array_positions() is passed an empty array (Tom Lane)
Fix possible out-of-bounds fetch in to_char() (Tom Lane)
With bad luck this could have resulted in a server crash.
Avoid buffer overread in translate() function (Daniil Anisimov)
When using the deletion feature, the function might fetch the byte just after the input string, creating a small risk of crash.
Adjust text-search-related character classification logic to correctly detect whether the prevailing locale is C (Jeff Davis)
This code got confused if the database's default collation uses ICU.
Avoid possible crash on empty input for type interval (Tom Lane)
Re-allow exponential notation in ISO-8601 interval fields (Tom Lane)
Interval input like P0.1e10D isn't officially sanctioned by ISO-8601, but we accepted it for a long time before version 15, so re-allow it.
Fix error cursor setting for parse errors in JSON string literals (Tom Lane)
Most cases in which a syntax error is detected in a string literal within a JSON value failed to set the error cursor appropriately. This led at least to an unhelpful error message (pointing to the token before the string, rather than the actual trouble spot), and could even result in a crash in v14 and later.
Fix data corruption due to vacuum_defer_cleanup_age being larger than the current 64-bit xid (Andres Freund)
In v14 and later with non-default settings of vacuum_defer_cleanup_age, it was possible to compute a very large vacuum cleanup horizon xid, leading to vacuum removing rows that are still live. v12 and v13 have a lesser form of the same problem affecting only GiST indexes, which could lead to index pages getting recycled too early.
Fix parser's failure to detect some cases of improperly-nested aggregates (Tom Lane)
This oversight could lead to executor failures for queries that should have been rejected as invalid.
Fix data structure corruption during parsing of serial SEQUENCE NAME options (David Rowley)
This can lead to trouble if an event trigger captures the corrupted parse tree.
Correctly update plan nodes' parallel-safety markings when moving initplans from one node to another (Tom Lane)
This planner oversight could lead to “subplan was not initialized” errors at runtime.
Avoid failure with PlaceHolderVars in extended-statistics code (Tom Lane)
Use of dependency-type extended statistics could fail with “PlaceHolderVar found where not expected”.
Fix incorrect tests for whether a qual clause applied to a subquery can be transformed into a window aggregate “run condition” within the subquery (David Rowley)
A SubPlan within such a clause would cause assertion failures or incorrect answers, as would some other unusual cases.
Disable the inverse-transition optimization for window aggregates when the call contains sub-SELECTs (David Rowley)
This optimization requires that the aggregate's argument expressions have repeatable results, which might not hold for a sub-SELECT.
Fix oversights in execution of nested ARRAY[] constructs (Alexander Lakhin, Tom Lane)
Correctly detect overflow of the total space needed for the result array, avoiding a possible crash due to undersized output allocation. Also ensure that any trailing padding space in the result array is zeroed; while leaving garbage there is harmless for most purposes, it can result in odd behavior later.
Prevent crash when updating a field within an array-of-domain-over-composite-type column (Dmitry Dolgov)
Fix partition pruning logic for partitioning on boolean columns (David Rowley)
Pruning with a condition like boolcol IS NOT TRUE was done incorrectly, leading to possibly not returning rows in which boolcol is NULL. Also, the rather unlikely case of partitioning on NOT boolcol was handled incorrectly.
Fix race condition in per-batch cleanup during parallel hash join (Thomas Munro, Melanie Plageman)
A crash was possible given unlucky timing and parallel_leader_participation = off (which is not the default).
Recalculate GENERATED columns after an EvalPlanQual check (Tom Lane)
In READ COMMITTED isolation mode, the effects of a row update might need to get reapplied to a newer version of the row than the query found originally. If so, we need to recompute any GENERATED columns, in case they depend on columns that were changed by the concurrent update.
Fix memory leak in Memoize plan execution (David Rowley)
Fix buffer refcount leak when using batched inserts for a foreign table included in a partitioned tree (Alexander Pyhalov)
Restore support for sub-millisecond vacuum_cost_delay settings (Thomas Munro)
Don't balance vacuum cost delay when a table has a per-relation vacuum_cost_delay setting of zero (Masahiko Sawada)
Delay balancing is supposed to be disabled whenever autovacuum is processing a table with a per-relation vacuum_cost_delay setting, but this was done only for positive settings, not zero.
Fix corner-case crashes when columns have been added to the end of a view (Tom Lane)
Repair rare failure of MULTIEXPR_SUBLINK subplans in partitioned updates (Andres Freund, Tom Lane)
Use of the syntax INSERT ... ON CONFLICT DO UPDATE SET (c1, ...) = (SELECT ...) with a partitioned target table could result in failure if any child table is dissimilar from the parent (for example, different physical column order). This typically manifested as failure of consistency checks in the executor; but a crash or incorrect data updates are also possible.
Fix handling of DEFAULT markers within a multi-row INSERT ... VALUES query on a view that has a DO ALSO INSERT ... SELECT rule (Dean Rasheed)
Such cases typically failed with “unrecognized node type” errors or assertion failures.
Support references to OLD and NEW within subqueries in rule actions (Dean Rasheed, Tom Lane)
Such references are really lateral references, but the server could crash if the subquery wasn't explicitly marked with LATERAL. Arrange to do that implicitly when necessary.
When decompiling a rule or SQL function body containing INSERT/UPDATE/DELETE within WITH, take care to print the correct alias for the target table (Tom Lane)
Fix glitches in SERIALIZABLE READ ONLY optimization (Thomas Munro)
Transactions already marked as “doomed” confused the safe-snapshot optimization for SERIALIZABLE READ ONLY transactions. The optimization was unnecessarily skipped in some cases. In other cases an assertion failure occurred (but there was no problem in non-assert builds).
Avoid leaking cache callback slots in the pgoutput logical decoding plugin (Shi Yu)
Multiple cycles of starting up and shutting down the plugin within a single session would eventually lead to an “out of relcache_callback_list slots” error.
Avoid unnecessary calls to custom validators for index operator class options (Alexander Korotkov)
This change fixes some cases where an unexpected error was thrown.
Avoid useless work while scanning a multi-column BRIN index with multiple scan keys (Tomas Vondra)
The existing code effectively considered only the last scan key while deciding whether a range matched, thus usually scanning more of the index than it needed to.
Fix netmask handling in BRIN inet_minmax_multi_ops opclass (Tomas Vondra)
This error triggered an assertion failure in assert-enabled builds, but is mostly harmless in production builds.
Fix dereference of dangling pointer during buffering build of a GiST index (Alexander Lakhin)
This error seems to usually be harmless in production builds, as the fetched value is noncritical; but in principle it could cause a server crash.
Ignore dropped columns and generated columns during logical replication of an update or delete action (Onder Kalaci, Shi Yu)
Replication with the REPLICA IDENTITY FULL option failed if the table contained such columns.
Correct the name of the wait event for SLRU buffer I/O for commit timestamps (Alexander Lakhin)
This wait event is named CommitTsBuffer according to the documentation, but the code had it as CommitTSBuffer. Change the code to match the documentation, as that way is more consistent with the naming of related wait events.
Re-activate reporting of wait event SLRUFlushSync (Thomas Munro)
Reporting of this type of wait was accidentally removed in code refactoring.
Avoid possible underflow when calculating how many WAL segments to keep (Kyotaro Horiguchi)
This could result in not honoring wal_keep_size accurately.
Disable startup progress reporting overhead in standby mode (Bharath Rupireddy)
In standby mode, we don't actually report progress of recovery, but we were doing work to track it anyway.
Support RSA-PSS certificates with SCRAM-SHA-256 channel binding (Jacob Champion, Heikki Linnakangas)
This feature requires building with OpenSSL 1.1.1 or newer. Both the server and libpq are affected.
Avoid race condition with process ID tracking on Windows (Thomas Munro)
The operating system could recycle a PID before the postmaster observed that that child process was gone. This could lead to tracking more than one child with the same PID, resulting in confusion.
Fix list_copy_head() to work correctly on an empty List (David Rowley)
This case is not known to be reached by any core PostgreSQL code, but extensions might rely on it working.
Add missing cases to SPI_result_code_string() (Dean Rasheed)
Fix erroneous Valgrind markings in AllocSetRealloc() (Karina Litskevich)
In the unusual case where the size of a large (>8kB) palloc chunk is decreased, a Valgrind-aware build would mismark the defined-ness state of the memory released from the chunk, possibly causing incorrect results during Valgrind testing.
Fix assertion failure for MERGE into a partitioned table with row-level security enabled (Dean Rasheed)
Avoid assertion failure when decoding a transactional logical replication message (Tomas Vondra)
Avoid locale sensitivity when processing regular expression escapes (Jeff Davis)
A backslash followed by a non-ASCII character could sometimes cause an assertion failure, depending on the prevailing locale.
Avoid trying to write an empty WAL record in log_newpage_range() when the last few pages in the specified range are empty (Matthias van de Meent)
It is not entirely clear whether this case is reachable in released branches, but if it is then an assertion failure could occur.
Fix session-lifespan memory leakage in plpgsql DO blocks that use cast expressions (Ajit Awekar, Tom Lane)
Tighten array dimensionality checks when converting Perl list structures to multi-dimensional SQL arrays (Tom Lane)
Plperl could misbehave when the nesting of sub-lists is inconsistent so that the data does not represent a rectangular array of values. Such cases now produce errors, but previously they could result in a crash or garbage output.
Tighten array dimensionality checks when converting Python list structures to multi-dimensional SQL arrays (Tom Lane)
Plpython could misbehave when dealing with empty sub-lists, or when the nesting of sub-lists is inconsistent so that the data does not represent a rectangular array of values. The former should result in an empty output array, and the latter in an error. But some cases resulted in a crash, and others in unexpected output.
Fix unwinding of exception stack in plpython (Xing Guo)
Some rare failure cases could return without cleaning up the PG_TRY exception stack, risking a crash if another error was raised before the next stack level was unwound.
Fix inconsistent GSS-encryption error handling in libpq's PQconnectPoll() (Michael Paquier)
With gssencmode set to require, the connection was not marked dead after a GSS initialization failure. Make it fail immediately, as the equivalent case for TLS encryption has long done.
Fix possible data corruption in ecpg programs built with the -C ORACLE option (Kyotaro Horiguchi)
When ecpg_get_data() is called with varcharsize set to zero, it could write a terminating zero character into the last byte of the preceding field, truncating the data in that field.
Fix pg_dump so that partitioned tables that are hash-partitioned on an enum-type column can be restored successfully (Tom Lane)
Since the hash codes for enum values depend on the OIDs assigned to the enum, they are typically different after a dump and restore, meaning that rows often need to go into a different partition than they were in originally. Users can work around that by specifying the --load-via-partition-root option; but since there is very little chance of success without that, teach pg_dump to apply it automatically to such tables.
Also, fix pg_restore to not try to TRUNCATE target tables before restoring into them when --load-via-partition-root mode is used. This avoids a hazard of deadlocks and lost data.
Correctly detect non-seekable files on Windows (Juan José Santamaría Flecha, Michael Paquier, Daniel Watzinger)
This bug led to misbehavior when pg_dump writes to a pipe or pg_restore reads from one.
In pgbench's “prepared” mode, prepare all the commands in a pipeline before starting the pipeline (Álvaro Herrera)
This avoids a failure when a pgbench script tries to start a serializable transaction inside a pipeline.
In contrib/amcheck's heap checking code, deal correctly with tuples having zero xmin or xmax (Robert Haas)
In contrib/amcheck, deal sanely with xids that appear to be before epoch zero (Andres Freund)
In cases of corruption we might see a wrapped-around 32-bit xid that appears to be before the first xid epoch. Promoting such a value to 64-bit form produced a value far in the future, resulting in wrong reports. Return FirstNormalFullTransactionId in such cases so that things work reasonably sanely.
In contrib/basebackup_to_shell, properly detect failure to open a pipe (Robert Haas)
In contrib/hstore_plpython, avoid crashing if the Python value to be transformed isn't a mapping (Dmitry Dolgov, Tom Lane)
This should give an error, but Python 3 changed some APIs in a way that caused the check to misbehave, allowing a crash to ensue.
Require the siglen option of a GiST index on an ltree column, if specified, to be a multiple of 4 (Alexander Korotkov)
Other values result in misaligned accesses to index content, which is harmless on Intel-compatible hardware but can cause a crash on some other architectures.
In contrib/pageinspect, add defenses against incorrect input for the gist_page_items() function (Dmitry Koval)
Fix misbehavior in contrib/pg_trgm with an unsatisfiable regular expression (Tom Lane)
A regex such as $foo is legal but unsatisfiable; the regex compiler recognizes that and produces an empty NFA graph. Attempting to optimize such a graph into a pg_trgm GIN or GiST index qualification resulted in accessing off the end of a work array, possibly leading to crashes.
Fix handling of escape sequences in contrib/postgres_fdw's application_name parameter (Kyotaro Horiguchi, Michael Paquier)
The code to expand these could fail if executed in a background process, as for example during auto-analyze of a foreign table.
In contrib/pg_walinspect, limit memory usage of pg_get_wal_records_info() (Bharath Rupireddy)
Use the --strip-unneeded option when stripping static libraries with GNU-compatible strip (Tom Lane)
Previously, make install-strip used the -x option in this case. This change avoids misbehavior of llvm-strip, and gives slightly smaller output as well.
Stop recommending auto-download of DTD files for building the documentation, and indeed disable it (Aleksander Alekseev, Peter Eisentraut, Tom Lane)
It appears no longer possible to build the SGML documentation without a local installation of the DocBook DTD files. Formerly xsltproc could download those files on-the-fly from sourceforge.net; but sourceforge.net now permits only HTTPS access, and no common version of xsltproc supports that. Hence, remove the bits of our documentation suggesting that that's possible or useful, and instead add xsltproc's --nonet option to the build recipes.
When running TAP tests in PGXS builds, use a saner location for the temporary portlock directory (Peter Eisentraut)
Place it under tmp_check in the build directory. With the previous coding, a PGXS build would try to place it in the installation directory, which is not necessarily writable.
Update time zone data files to tzdata release 2023c for DST law changes in Egypt, Greenland, Morocco, and Palestine.
When observing Moscow time, Europe/Kirov and Europe/Volgograd now use the abbreviations MSK/MSD instead of numeric abbreviations, for consistency with other timezones observing Moscow time. Also, America/Yellowknife is no longer distinct from America/Edmonton; this affects some pre-1948 timestamps in that area.

New in PostgreSQL 15.2 (Feb 9, 2023)

Fix for partitioned tables to correctly update GENERATED columns in child tables if the GENERATED column does not exist in the parent table or the child generated column has different dependencies than the parent.
Several fixes for the MERGE command.
Allow a WITH RECURSIVE ... CYCLE query to access its SET output column.
Fix an issue with bulk insertions on foreign tables that could lead to logical inconsistencies, for example, a BEFORE ROW trigger may not process rows that should be available.
Reject uses of undefined variables in jsonpath existence checks.
Fix for jsonb subscripting that come directly from a text column in a table.
Honor updated values of checkpoint_completion_target on reload.
Log the correct ending timestamp in recovery_target_xid mode.
Fix issue to allow column lists longer than 100 when using logical replication.
Prevent "wrong tuple length" failure at the end of VACUUM.
Avoid an immediate commit after ANALYZE when using query pipelining.
Several fixes to the query planner, including one that provides more opportunities for using memoization with partitionwise joins.
Fix for statistics collection to correctly handle when a relation changes type (e.g. a table is converted to a view).
Ensure full text search queries can be cancelled while performing phrase matches.
Fix deadlock between DROP DATABASE and logical replication worker process.
Fix small session-lifespan memory leak when CREATE SUBSCRIPTION fails its connection attempt.
Performance improvement for replicas with hot_standby enabled that are processing SELECT queries.
Several fixes for logical decoding that improve its stability and bloat handling.
Fix the default logical replication plug-in, pgoutput, to not send columns that are not listed in a table's replication column list.
Fix possible corruption of very large tablespace map files in pg_basebackup.
Remove a harmless warning from pg_dump in --if-exists mode when the public schema has a non-default owner.
Fix the psql commands sf and ef to handle SQL-language functions that have SQL-standard function bodies (i.e. BEGIN ATOMIC).
Fix tab completion of ALTER FUNCTION/PROCEDURE/ROUTINE ... SET SCHEMA.
Update the pageinspect extension to mark its disk-accessing functions as PARALLEL RESTRICTED.
Fix the seg extension to not crash or print garbage if an input number has more than 127 digits.

New in PostgreSQL 15.1 (Nov 10, 2022)

Fix failure to remove non-first segments of large tables (Tom Lane)
PostgreSQL splits large tables into multiple files (normally with 1GB per file). The logic for dropping a table was broken and would miss removing all but the first such file, in two cases: drops of temporary tables and WAL replay of drops of regular tables. Applications that routinely create multi-gigabyte temporary tables could suffer significant disk space leakage.
Orphaned temporary-table files are removed during postmaster start, so the mere act of updating to 15.1 is sufficient to clear any leaked temporary-table storage. However, if you suffered any database crashes while using 15.0, and there might have been large tables dropped just before such crashes, it's advisable to check the database directories for files named according to the pattern NNNN.NN. If there is no matching file named just NNNN (without the .NN suffix), these files should be removed manually.
Fix handling of DEFAULT tokens that appear in a multi-row VALUES clause of an INSERT on an updatable view (Tom Lane)
This oversight could lead to “cache lookup failed for type” errors, or in older branches even to crashes.
Disallow rules named _RETURN that are not ON SELECT (Tom Lane)
This avoids confusion between a view's ON SELECT rule and any other rules it may have.
Avoid failure in EXPLAIN VERBOSE for a query using SEARCH BREADTH FIRST with constant initial values (Tom Lane)
Prevent use of MERGE on a partitioned table with foreign-table partitions (Álvaro Herrera)
The case isn't supported, and previously threw an incomprehensible error.
Fix construction of per-partition foreign key constraints while doing ALTER TABLE ATTACH PARTITION (Jehan-Guillaume de Rorthais, Álvaro Herrera)
Previously, incorrect or duplicate constraints could be constructed for the newly-added partition.
Fix planner failure with extended statistics on partitioned or inherited tables (Richard Guo, Justin Pryzby)
Some cases failed with “cache lookup failed for statistics object”.
Fix mis-ordering of WAL operations in fast insert path for GIN indexes (Matthias van de Meent, Zhang Mingli)
This mistake is not known to have any negative consequences within core PostgreSQL, but it did cause issues for some extensions.
Fix bugs in logical decoding when replay starts from a point between the beginning of a transaction and the beginning of its subtransaction (Masahiko Sawada, Kuroda Hayato)
These errors could lead to assertion failures in debug builds, and otherwise to memory leaks.
Accept interrupts in more places during logical decoding (Amit Kapila, Masahiko Sawada)
This ameliorates problems with slow shutdown of replication workers.
Prevent attempts to replicate into a foreign-table partition in replication workers (Shi Yu, Tom Lane)
Although partitioned tables can have foreign tables as partitions, replicating into such a partition isn't currently supported. The logical replication worker process would crash if it was attempted. Now, an error is thrown.
Avoid crash after function syntax error in replication workers (Maxim Orlov, Anton Melnikov, Masahiko Sawada, Tom Lane)
If a syntax error occurred in a SQL-language or PL/pgSQL-language CREATE FUNCTION or DO command executed in a logical replication worker, the worker process would crash with a null pointer dereference or assertion failure.
Avoid double call of the shutdown callback of an archiver module (Nathan Bossart, Bharath Rupireddy)
Add plan-time check for attempted access to a table that has no table access method (Tom Lane)
This prevents a crash in some catalog-corruption scenarios, for example use of a view whose ON SELECT rule is missing.
Prevent postmaster crash when shared-memory state is corrupted (Tom Lane)
The postmaster process is supposed to survive and initiate a database restart if shared memory becomes corrupted, but one bit of code was being insufficiently cautious about that.
In libpq, handle single-row mode correctly when pipelining (Denis Laxalde)
The single-row flag was not reset at the correct time if pipeline mode was also active.
Fix psql's exit status when a command-line query is canceled (Peter Eisentraut)
psql -c query would exit successfully if the query was canceled. Fix it to exit with nonzero status, as in other error cases.
Allow cross-platform tablespace relocation in pg_basebackup (Robert Haas)
Allow the remote path in --tablespace-mapping to be either a Unix-style or Windows-style absolute path, since the source server could be on a different OS than the local system.
Fix pg_dump's failure to dump comments attached to some CHECK constraints (Tom Lane)
Fix CREATE DATABASE to allow its oid parameter to exceed 231 (Tom Lane)
This oversight prevented pg_upgrade from succeeding when the source installation contained databases with OIDs larger than that.
In pg_stat_statements, fix access to already-freed memory (zhaoqigui)
This occurred if pg_stat_statements tracked a ROLLBACK command issued via extended query protocol. In debug builds it consistently led to an assertion failure. In production builds there would often be no visible ill effect; but if the freed memory had already been reused, the likely result would be to store garbage for the query string.
Fix incompatibilities with LLVM 15 (Thomas Munro, Andres Freund)
Allow use of __sync_lock_test_and_set() for spinlocks on any machine (Tom Lane)
This eases porting to new machine architectures, at least if you're using a compiler that supports this GCC builtin function.
Rename symbol REF to REF_P to avoid compile failure on recent macOS (Tom Lane)
Avoid using sprintf, to avoid compile-time deprecation warnings (Tom Lane)
Update time zone data files to tzdata release 2022f for DST law changes in Chile, Fiji, Iran, Jordan, Mexico, Palestine, and Syria, plus historical corrections for Chile, Crimea, Iran, and Mexico.
Also, the Europe/Kiev zone has been renamed to Europe/Kyiv. Also, the following zones have been merged into nearby, more-populous zones whose clocks have agreed with them since 1970: Antarctica/Vostok, Asia/Brunei, Asia/Kuala_Lumpur, Atlantic/Reykjavik, Europe/Amsterdam, Europe/Copenhagen, Europe/Luxembourg, Europe/Monaco, Europe/Oslo, Europe/Stockholm, Indian/Christmas, Indian/Cocos, Indian/Kerguelen, Indian/Mahe, Indian/Reunion, Pacific/Chuuk, Pacific/Funafuti, Pacific/Majuro, Pacific/Pohnpei, Pacific/Wake and Pacific/Wallis. (This indirectly affects zones that were already links to one of these: Arctic/Longyearbyen, Atlantic/Jan_Mayen, Iceland, Pacific/Ponape, Pacific/Truk, and Pacific/Yap.) America/Nipigon, America/Rainy_River, America/Thunder_Bay, Europe/Uzhgorod, and Europe/Zaporozhye were also merged into nearby zones after discovering that their claimed post-1970 differences from those zones seem to have been errors. In all these cases, the previous zone name remains as an alias; but the actual data is that of the zone that was merged into.
These zone mergers result in loss of pre-1970 timezone history for the merged zones, which may be troublesome for applications expecting consistency of timestamptz display. As an example, the stored value 1944-06-01 12:00 UTC would previously display as 1944-06-01 13:00:00+01 if the Europe/Stockholm zone is selected, but now it will read out as 1944-06-01 14:00:00+02.
It is possible to build the time zone data files with options that will restore the older zone data, but that choice also inserts a lot of other old (and typically poorly-attested) zone data, resulting in more total changes from the previous release than accepting these upstream changes does. PostgreSQL has chosen to ship the tzdb data as-recommended, and so far as we are aware most major operating system distributions are doing likewise. However, if these changes cause significant problems for your application, a possible solution is to install a local build of the time zone data files using tzdb's backwards-compatibility options (see their PACKRATDATA and PACKRATLIST options).

New in PostgreSQL 15.0 (Oct 13, 2022)

New in PostgreSQL 14.5 (Aug 11, 2022)

This update fixes over 40 bugs that were reported in the last several months. The issues listed below affect PostgreSQL 14. Some of these issues may also affect other supported versions of PostgreSQL.
Included in this release:
Fix replay of CREATE DATABASE write-ahead log (WAL) records on standby servers when encountering a missing tablespace directory.
Add support for tablespaces that are plain directories instead of symbolic links to other directories.
Fix permission checks in CREATE INDEX to use the user's permissions. This fixes broken dump/restore scenarios that relied on the behavior prior to the fix for CVE-2022-1552.
In the extended query protocol, force an immediate commit after CREATE DATABASE and other commands that can't run in a transaction block.
Fix a race condition around checking transaction visibility that was more likely to happen when using synchronous replication.
Fix incorrect permission-checking code for extended statistics.
Fix extended statistics machinery to handle most common value (MCV)-type statistics on boolean-valued expressions.
Avoid planner core dump with constant = ANY(array) clauses when there are MCV-type extended statistics on the array variable.
Allow cancellation of ANALYZE while it is computing extended statistics.
Fix ALTER TABLE ... ENABLE/DISABLE TRIGGER to handle recursion for triggers on partitioned tables.
Reject ROW() expressions and functions in FROM that have more than 1600 columns.
Fix memory leak in logical replication subscribers.
Fix checks in logical replication of replica identity when the target table is partitioned.
Arrange to clean up after commit-time errors within SPI_commit(), rather than expecting callers to do that. This includes a fix for the same scenario in PL/Python, which had reported crashes on Python 3.11 and memory leaks on older versions of Python 3.
Improve handling in libpq of idle states in pipeline mode.
In the psql watch command, echo a newline after cancellation with control-C.
Fix pg_upgrade to detect non-upgradable usages of functions accepting anyarray parameters.
Several postgres_fdw fixes, including prevention of batch insertions when there are WITH CHECK OPTION constraints present.

New in PostgreSQL 14.4 (Jun 16, 2022)

This release contains a variety of fixes from 14.3. For information about new features in major release 14, see Section E.5.
E.1.1. Migration to Version 14.4
A dump/restore is not required for those running 14.X.
However, if you have any indexes that were created using the CONCURRENTLY option under 14.X, you should re-index them after updating. See the first changelog entry below.
Also, if you are upgrading from a version earlier than 14.3, see Section E.2.
E.1.2. Changes:
Prevent possible corruption of indexes created or rebuilt with the CONCURRENTLY option (Álvaro Herrera)
An optimization added in v14 caused CREATE INDEX ... CONCURRENTLY and REINDEX ... CONCURRENTLY to sometimes miss indexing rows that were updated during the index build. Revert that optimization. It is recommended that any indexes made with the CONCURRENTLY option be rebuilt after installing this update. (Alternatively, rebuild them without CONCURRENTLY.)
Harden Memoize plan node against non-deterministic equality functions (David Rowley)
Memoize could crash if a data type's equality or hash functions gave inconsistent results across different calls. Throw a runtime error instead.
Fix incorrect cost estimates for Memoize plans (David Rowley)
This mistake could lead to Memoize being used when it isn't really the best plan, or to very long executor startup times due to initializing an overly-large hash table for a Memoize node.
Fix queries in which a “whole-row variable” references the result of a function that returns a domain over composite type (Tom Lane)
Fix “variable not found in subplan target list” planner error when pulling up a sub-SELECT that's referenced in a GROUPING function (Richard Guo)
Prevent pg_stat_get_subscription() from possibly returning an extra row containing garbage values (Kuntal Ghosh)
Fix COPY FROM's error checking in the case where the database encoding is SQL_ASCII while the client's encoding is a multi-byte encoding (Heikki Linnakangas)
This mistake could lead to false complaints of invalidly-encoded input data.
Avoid crashing if too many column aliases are attached to an XMLTABLE or JSON_TABLE construct (Álvaro Herrera)
When decompiling a view or rule, show a SELECT output column's AS "?column?" alias clause if it could be referenced elsewhere (Tom Lane)
Previously, this auto-generated alias was always hidden; but there are corner cases where doing so results in a non-restorable view or rule definition.
Report implicitly-created operator families to event triggers (Masahiko Sawada)
If CREATE OPERATOR CLASS results in the implicit creation of an operator family, that object was not reported to event triggers that should capture such events.
Fix control file updates made when a restartpoint is running during promotion of a standby server (Kyotaro Horiguchi)
Previously, when the restartpoint completed it could incorrectly update the last-checkpoint fields of the control file, potentially leading to PANIC and failure to restart if the server crashes before the next normal checkpoint completes.
Prevent triggering of standby's wal_receiver_timeout during logical replication of large transactions (Wang Wei, Amit Kapila)
If a large transaction on the primary server sends no data to the standby (perhaps because no table it changes is published), it was possible for the standby to timeout. Fix that by ensuring we send keepalive messages periodically in such situations.
Prevent open-file leak when reading an invalid timezone abbreviation file (Kyotaro Horiguchi)
Such cases could result in harmless warning messages.
Allow custom server parameters to have short descriptions that are NULL (Steve Chavez)
Previously, although extensions could choose to create such settings, some code paths would crash while processing them.
Remove misguided SSL key file ownership check in libpq (Tom Lane)
In the previous minor releases, we copied the server's permission checking rules for SSL private key files into libpq. But we should not have also copied the server's file-ownership check. While that works in normal use-cases, it can result in an unexpected failure for clients running as root, and perhaps in other cases.
Ensure ecpg reports server connection loss sanely (Tom Lane)
Misprocessing of a libpq-generated error result, such as a report of lost connection, would lead to printing “(null)” instead of a useful error message; or in older releases it would lead to a crash.
Prevent crash after server connection loss in pg_amcheck (Tom Lane)
Misprocessing of a libpq-generated error result, such as a report of lost connection, would lead to a crash.
Adjust PL/Perl test case so it will work under Perl 5.36 (Dagfinn Ilmari Mannsåker)
Avoid incorrectly using an out-of-date libldap_r library when multiple OpenLDAP installations are present while building PostgreSQL (Tom Lane)

New in PostgreSQL 14.3 (May 12, 2022)

Changes:
Confine additional operations within “security restricted operation” sandboxes (Sergey Shinderuk, Noah Misch)
Autovacuum, CLUSTER, CREATE INDEX, REINDEX, REFRESH MATERIALIZED VIEW, and pg_amcheck activated the “security restricted operation” protection mechanism too late, or even not at all in some code paths. A user having permission to create non-temporary objects within a database could define an object that would execute arbitrary SQL code with superuser permissions the next time that autovacuum processed the object, or that some superuser ran one of the affected commands against it.
The PostgreSQL Project thanks Alexander Lakhin for reporting this problem. (CVE-2022-1552)
Fix default signature length for gist_ltree_ops indexes (Tomas Vondra, Alexander Korotkov)
The default signature length (hash size) for GiST indexes on ltree columns was accidentally changed while upgrading that operator class to support operator class parameters. If any operations had been done on such an index without first upgrading the ltree extension to version 1.2, they were done assuming that the signature length was 28 bytes rather than the intended 8. This means it is very likely that such indexes are now corrupt. For safety we recommend re-indexing all GiST indexes on ltree columns after installing this update. (Note that GiST indexes on ltree[] columns, that is arrays of ltree, are not affected.)
Stop using query-provided column aliases for the columns of whole-row variables that refer to plain tables (Tom Lane)
The column names in tuples produced by a whole-row variable (such as tbl.* in contexts other than the top level of a SELECT list) are now always those of the associated named composite type, if there is one. We'd previously attempted to make them track any column aliases that had been applied to the FROM entry the variable refers to. But that's semantically dubious, because really then the output of the variable is not at all of the composite type it claims to be. Previous attempts to deal with that inconsistency had bad results up to and including storing unreadable data on disk, so just give up on the whole idea.
In cases where it's important to be able to relabel such columns, a workaround is to introduce an extra level of sub-SELECT, so that the whole-row variable is referring to the sub-SELECT's output and not to a plain table. Then the variable is of type record to begin with and there's no issue.
Fix incorrect roundoff when extracting epoch values from intervals (Peter Eisentraut)
The new numeric-based code for EXTRACT() failed to yield results equivalent to the old float-based code, as a result of accidentally truncating the DAYS_PER_YEAR value to an integer.
Defend against pg_stat_get_replication_slot(NULL) (Andres Freund)
This function should be marked strict in the catalog data, but it was not in v14, so add a run-time check instead.
Fix incorrect output for types timestamptz and timetz in table_to_xmlschema() and allied functions (Renan Soares Lopes)
The xmlschema output for these types included a malformed regular expression.
Avoid core dump in parser for a VALUES clause with zero columns (Tom Lane)
Fix planner failure when a Result plan node appears immediately underneath an Append node (Etsuro Fujita)
Recently-added code to support asynchronous remote queries failed to handle this case, leading to crashes or errors about unrecognized node types.
Fix planner failure if a query using SEARCH or CYCLE features contains a duplicate CTE name (Tom Lane, Kyotaro Horiguchi)
When the name of the recursive WITH query is re-used within itself, the planner could crash or report odd errors such as “could not find attribute 2 in subquery targetlist”.
Fix planner errors for GROUPING() constructs that reference outer query levels (Richard Guo, Tom Lane)
Fix plan generation for index-only scans on indexes with both returnable and non-returnable columns (Tom Lane)
The previous coding could try to read non-returnable columns in addition to the returnable ones. This was fairly harmless because it didn't actually do anything with the bogus values, but it fell foul of a recently-added error check that rejected such a plan.
Avoid accessing a no-longer-pinned shared buffer while attempting to lock an outdated tuple during EvalPlanQual (Tom Lane)
The code would touch the buffer a couple more times after releasing its pin. In theory another process could recycle the buffer (or more likely, try to defragment its free space) as soon as the pin is gone, probably leading to failure to find the newer version of the tuple.
Fix query-lifespan memory leak in an IndexScan node that is performing reordering (Aliaksandr Kalenik)
Fix ALTER FUNCTION to support changing a function's parallelism property and its SET-variable list in the same command (Tom Lane)
The parallelism property change was lost if the same command also updated the function's SET clause.
Tighten lookup of the index “owned by” a constraint (Tom Lane, Japin Li)
Some code paths mistook the index depended on by a foreign key constraint for one owned by a unique or primary key constraint, resulting in odd errors during certain ALTER TABLE operations on tables having foreign key constraints.
Fix bogus errors from attempts to alter system columns of tables (Tom Lane)
The system should just tell you that you can't do it, but sometimes it would report “no owned sequence found” instead.
Fix mis-sorting of table rows when CLUSTERing using an index whose leading key is an expression (Peter Geoghegan, Thomas Munro)
The table would be rebuilt with the correct data, but in an order having little to do with the index order.
Prevent data loss if a system crash occurs shortly after a sorted GiST index build (Heikki Linnakangas)
The code path for building GiST indexes using sorting neglected to fsync the file upon completion. This could result in a corrupted index if the operating system crashed shortly later.
Fix risk of deadlock failures while dropping a partitioned index (Jimmy Yih, Gaurab Dey, Tom Lane)
Ensure that the required table and index locks are taken in the standard order (parents before children, tables before indexes). The previous coding for DROP INDEX did it differently, and so could deadlock against concurrent queries taking these locks in the standard order.
Fix race condition between DROP TABLESPACE and checkpointing (Nathan Bossart)
The checkpoint forced by DROP TABLESPACE could sometimes fail to remove all dead files from the tablespace's directory, leading to a bogus “tablespace is not empty” error.
Fix possible trouble in crash recovery after a TRUNCATE command that overlaps a checkpoint (Kyotaro Horiguchi, Heikki Linnakangas, Robert Haas)
TRUNCATE must ensure that the table's disk file is truncated before the checkpoint is allowed to complete. Otherwise, replay starting from that checkpoint might find unexpected data in the supposedly-removed pages, possibly causing replay failure.
Fix unsafe toast-data accesses during temporary object cleanup (Andres Freund)
Temporary-object deletion during server process exit could fail with “FATAL: cannot fetch toast data without an active snapshot”. This was usually harmless since the next use of that temporary schema would clean up successfully.
Re-allow underscore as the first character in a custom parameter name (Japin Li)
Such names were unintentionally disallowed in v14.
Add regress option for the compute_query_id parameter (Michael Paquier)
This is intended to facilitate testing, by allowing query IDs to be computed but not shown in EXPLAIN output.
Improve wait logic in RegisterSyncRequest (Thomas Munro)
If we run out of space in the checkpointer sync request queue (which is hopefully rare on real systems, but is common when testing with a very small buffer pool), we wait for it to drain. While waiting, we should report that as a wait event so that users know what is going on, and also watch for postmaster death, since otherwise the loop might never terminate if the checkpointer has already exited.
Wake up for latch events when the checkpointer is waiting between writes (Thomas Munro)
This improves responsiveness to backends sending sync requests. The change also creates a proper wait event class for these waits.
Fix “PANIC: xlog flush request is not satisfied” failure during standby promotion when there is a missing WAL continuation record (Sami Imseih)
Fix possibility of self-deadlock in hot standby conflict handling (Andres Freund)
With unlucky timing, the WAL-applying process could get stuck while waiting for some other process to release a buffer lock.
Fix possible mis-identification of the correct ancestor relation to publish logical replication changes through (Tomas Vondra, Hou zj, Amit Kapila)
If publish_via_partition_root is enabled, and there are multiple publications naming different ancestors of the currently-modified relation, the wrong ancestor might be chosen for reporting the change.
Ensure that logical replication apply workers can be restarted even when we're up against the max_sync_workers_per_subscription limit (Amit Kapila)
Faulty coding of the limit check caused a restarted worker to exit immediately, leaving fewer workers than there should be.
Include unchanged replica identity key columns in the WAL log for an update, if they are stored out-of-line (Dilip Kumar, Amit Kapila)
Otherwise subscribers cannot see the values and will fail to replicate the update.
Cope correctly with platforms that have no support for altering the server process's display in ps(1) (Andrew Dunstan)
Few platforms are like this (the only supported one is Cygwin), so we'd managed not to notice that refactoring introduced a potential memory clobber.
Make the server more robust against missed timer interrupts (Michael Harris, Tom Lane)
An optimization added in v14 meant that if a server process somehow missed a timer interrupt, it would never again ask the kernel for another one, thus breaking timeout detection for the remainder of the session. This seems unduly fragile, so add a recovery path.
Disallow execution of SPI functions during PL/Perl function compilation (Tom Lane)
Perl can be convinced to execute user-defined code during compilation of a PL/Perl function. However, it's not okay for such code to try to invoke SQL operations via SPI. That results in a crash, and if it didn't crash it would be a security hazard, because we really don't want code execution during function validation. Put in a check to give a friendlier error message instead.
Make libpq accept root-owned SSL private key files (David Steele)
This change synchronizes libpq's rules for safe ownership and permissions of SSL key files with the rules the server has used since release 9.6. Namely, in addition to the current rules, allow the case where the key file is owned by root and has permissions rw-r----- or less. This is helpful for system-wide management of key files.
Fix behavior of libpq's PQisBusy() function after a connection failure (Tom Lane)
If we'd detected a write failure, PQisBusy() would always return true, which is the wrong thing: we want input processing to carry on normally until we've read whatever is available from the server. The practical effect of this error is that applications using libpq's async-query API would typically detect connection loss only when PQconsumeInput() returns a hard failure. With this fix, a connection loss will normally be reported via an error PGresult object, which is a much cleaner behavior for most applications.
Re-allow database.schema.table patterns in psql, pg_dump, and pg_amcheck (Mark Dilger)
Versions before v14 silently ignored all but the schema and table fragments of a pattern containing more than one dot. Refactoring in v14 accidentally broke that use-case. Reinstate it, but now complain if the first fragment is not the name of the current database.
Make pg_ctl recheck postmaster aliveness while waiting for stop/restart/promote actions (Tom Lane)
pg_ctl would verify that the postmaster is alive as a side-effect of sending the stop or promote signal, but then it just naively waited to see the on-disk state change. If the postmaster died uncleanly without having removed its PID file or updated the control file, pg_ctl would wait until timeout. Instead make it recheck every so often that the postmaster process is still there.
Fix error handling in pg_waldump (Kyotaro Horiguchi, Andres Freund)
While trying to read a WAL file to determine the WAL segment size, pg_waldump would report an incorrect error for the case of a too-short file. In addition, the file name reported in this and related error messages could be garbage.
Ensure that contrib/pageinspect functions cope with all-zero pages (Michael Paquier)
This is a legitimate edge case, but the module was mostly unprepared for it. Arrange to return nulls, or no rows, as appropriate; that seems more useful than raising an error.
In contrib/pageinspect, add defenses against incorrect page “special space” contents, tighten checks for correct page size, and add some missing checks that an index is of the expected type (Michael Paquier, Justin Pryzby, Julien Rouhaud)
These changes make it less likely that the module will crash on bad data.
In contrib/postgres_fdw, disable batch insertion when BEFORE INSERT ... FOR EACH ROW triggers exist on the foreign table (Etsuro Fujita)
Such a trigger might query the table it's on and expect to see previously-inserted rows. With batch insertion, those rows might not be visible yet, so disable the feature to avoid unexpected behavior.
In contrib/postgres_fdw, verify that ORDER BY clauses are safe to ship before requesting a remotely-ordered query, and include a USING clause if necessary (Ronan Dunklau)
This fix prevents situations where the remote server might sort in a different order than we intend. While sometimes that would be only cosmetic, it could produce thoroughly wrong results if the remote data is used as input for a locally-performed merge join.
Fix configure to handle platforms that have sys/epoll.h but not sys/signalfd.h (Tom Lane)
Update JIT code to work with LLVM 14 (Thomas Munro)
Clean up assorted failures under clang's -fsanitize=undefined checks (Tom Lane, Andres Freund, Zhihong Yu)
Most of these changes are just for pro-forma compliance with the letter of the C and POSIX standards, and are unlikely to have any effect on production builds.
Do not add OpenSSL dependencies to libpq's pkg-config file when building without OpenSSL (Fabrice Fontaine)
Fix PL/Perl so it builds on C compilers that don't support statements nested within expressions (Tom Lane)
Fix possible build failure of pg_dumpall on Windows, when not using MSVC to build (Andres Freund)
In Windows builds, use gendef instead of pexports to build DEF files (Andrew Dunstan)
This adapts the build process to work on recent MSys tool chains.
Prevent extra expansion of shell wildcard patterns in programs built under MinGW (Andrew Dunstan)
For some reason the C library provided by MinGW will expand shell wildcard characters in a program's command-line arguments by default. This is confusing, not least because it doesn't happen under MSVC, so turn it off.
Update time zone data files to tzdata release 2022a for DST law changes in Palestine, plus historical corrections for Chile and Ukraine.

New in PostgreSQL 13.6 / 12.10 / 11.15 / 10.20 (Feb 11, 2022)

Fix for a low probability scenario of index corruption when a HOT (heap-only tuple) chain changes state during VACUUM. Encountering this issue is unlikely, but if you are concerned, please consider reindexing.
Fix for using REINDEX CONCURRENTLY on TOAST table indexes to prevent corruption. You can fix any TOAST indexes by reindexing them again.
The psql password command now defaults to setting the password for the role defined by CURRENT_USER. Additionally, the role name is now included in the password prompt.
Build extended statistics for partitioned tables. If you previously added extended statistics to a partitioned table, you should run ANALYZE on those tables. As autovacuum currently does not process partitioned tables, you must periodically run ANALYZE on any partitioned tables to update their statistics.
Fix crash with ALTER STATISTICS when the statistics object is dropped concurrently.
Fix crash with multiranges when extracting variable-length data types.
Several fixes to the query planner that lead to incorrect query results.
Several fixes for query plan memoization.
Fix startup of a physical replica to tolerate transaction ID wraparound.
When using logical replication, avoid duplicate transmission of a partitioned table's data when the publication includes both the child and parent tables.
Disallow altering data type of a partitioned table's columns when the partitioned table's row type is used as a composite type elsewhere.
Disallow ALTER TABLE ... DROP NOT NULL for a column that is part of a replica identity index.
Several fixes for caching that correct logical replication behavior and improve performance.
Fix memory leak when updating expression indexes.
Avoid leaking memory during REASSIGN OWNED BY operations that reassign ownership of many objects.
Fix display of whole-row variables appearing in INSERT ... VALUES rules.
Fix race condition that could lead to failure to localize error messages that are reported early in multi-threaded use of libpq or ecpglib.
Fix psql d command for identifying parent triggers.
Fix failures on Windows when using the terminal as data source or destination. This affected the psql copy command and using pg_recvlogical with -f -.
Fix the pg_dump --inserts and --column-inserts modes to handle tables that contain both generated and dropped columns.
Fix edge cases in how postgres_fdw handles asynchronous queries. These errors could lead to crashes or incorrect results when attempting to run parallel scans of foreign tables.

New in PostgreSQL 14.2 (Feb 10, 2022)

Bug Fixes and Improvements:
Fix for a low probability scenario of index corruption when a HOT (heap-only tuple) chain changes state during VACUUM. Encountering this issue is unlikely, but if you are concerned, please consider reindexing.
Fix for using REINDEX CONCURRENTLY on TOAST table indexes to prevent corruption. You can fix any TOAST indexes by reindexing them again.
The psql password command now defaults to setting the password for the role defined by CURRENT_USER. Additionally, the role name is now included in the password prompt.
Build extended statistics for partitioned tables. If you previously added extended statistics to a partitioned table, you should run ANALYZE on those tables. As autovacuum currently does not process partitioned tables, you must periodically run ANALYZE on any partitioned tables to update their statistics.
Fix crash with ALTER STATISTICS when the statistics object is dropped concurrently.
Fix crash with multiranges when extracting variable-length data types.
Several fixes to the query planner that lead to incorrect query results.
Several fixes for query plan memoization.
Fix startup of a physical replica to tolerate transaction ID wraparound.
When using logical replication, avoid duplicate transmission of a partitioned table's data when the publication includes both the child and parent tables.
Disallow altering data type of a partitioned table's columns when the partitioned table's row type is used as a composite type elsewhere.
Disallow ALTER TABLE ... DROP NOT NULL for a column that is part of a replica identity index.
Several fixes for caching that correct logical replication behavior and improve performance.
Fix memory leak when updating expression indexes.
Avoid leaking memory during REASSIGN OWNED BY operations that reassign ownership of many objects.
Fix display of whole-row variables appearing in INSERT ... VALUES rules.
Fix race condition that could lead to failure to localize error messages that are reported early in multi-threaded use of libpq or ecpglib.
Fix psql d command for identifying parent triggers.
Fix failures on Windows when using the terminal as data source or destination. This affected the psql copy command and using pg_recvlogical with -f -.
Fix the pg_dump --inserts and --column-inserts modes to handle tables that contain both generated and dropped columns.
Fix edge cases in how postgres_fdw handles asynchronous queries. These errors could lead to crashes or incorrect results when attempting to run parallel scans of foreign tables.

New in PostgreSQL 13.5 (Nov 16, 2021)

E.1.1. Migration to Version 13.5:
A dump/restore is not required for those running 13.X.
However, note that installations using physical replication should update standby servers before the primary server, as explained in the third changelog entry below.
Also, several bugs have been found that may have resulted in corrupted indexes, as explained in the next several changelog entries. If any of those cases apply to you, it's recommended to reindex possibly-affected indexes after updating.
Also, if you are upgrading from a version earlier than 13.2, see Section E.4.
E.1.2. Changes:
Make the server reject extraneous data after an SSL or GSS encryption handshake (Tom Lane):
A man-in-the-middle with the ability to inject data into the TCP connection could stuff some cleartext data into the start of a supposedly encryption-protected database session. This could be abused to send faked SQL commands to the server, although that would only work if the server did not demand any authentication data. (However, a server relying on SSL certificate authentication might well not do so.)
The PostgreSQL Project thanks Jacob Champion for reporting this problem. (CVE-2021-23214)
Make libpq reject extraneous data after an SSL or GSS encryption handshake (Tom Lane):
A man-in-the-middle with the ability to inject data into the TCP connection could stuff some cleartext data into the start of a supposedly encryption-protected database session. This could probably be abused to inject faked responses to the client's first few queries, although other details of libpq's behavior make that harder than it sounds. A different line of attack is to exfiltrate the client's password, or other sensitive data that might be sent early in the session. That has been shown to be possible with a server vulnerable to CVE-2021-23214.
The PostgreSQL Project thanks Jacob Champion for reporting this problem. (CVE-2021-23222)
Fix physical replication for cases where the primary crashes after shipping a WAL segment that ends with a partial WAL record (Álvaro Herrera):
If the primary did not survive long enough to finish writing the rest of the incomplete WAL record, then the previous crash-recovery logic had it back up and overwrite WAL starting from the beginning of the incomplete WAL record. This is problematic since standby servers may already have copies of that WAL segment. They will then see an inconsistent next segment, and will not be able to recover without manual intervention. To fix, do not back up over a WAL segment boundary when restarting after a crash. Instead write a new type of WAL record at the start of the next WAL segment, informing readers that the incomplete WAL record will never be finished and must be disregarded.
When applying this update, it's best to update standby servers before the primary, so that they will be ready to handle this new WAL record type if the primary happens to crash.
Fix CREATE INDEX CONCURRENTLY to wait for the latest prepared transactions (Andrey Borodin):
Rows inserted by just-prepared transactions might be omitted from the new index, causing queries relying on the index to miss such rows. The previous fix for this type of problem failed to account for PREPARE TRANSACTION commands that were still in progress when CREATE INDEX CONCURRENTLY checked for them. As before, in installations that have enabled prepared transactions (max_prepared_transactions > 0), it's recommended to reindex any concurrently-built indexes in case this problem occurred when they were built.
Avoid race condition that can cause backends to fail to add entries for new rows to an index being built concurrently (Noah Misch, Andrey Borodin):
While it's apparently rare in the field, this case could potentially affect any index built or reindexed with the CONCURRENTLY option. It is recommended to reindex any such indexes to make sure they are correct.
Fix float4 and float8 hash functions to produce uniform results for NaNs (Tom Lane):
Since PostgreSQL's floating-point types deem all NaNs to be equal, it's important for the hash functions to produce the same hash code for all bit-patterns that are NaNs according to the IEEE 754 standard. This failed to happen before, meaning that hash indexes and hash-based query plans might produce incorrect results for non-canonical NaN values. ('-NaN'::float8 is one way to produce such a value on most machines.) It is advisable to reindex hash indexes on floating-point columns, if there is any possibility that they might contain such values.
Fix REINDEX CONCURRENTLY to preserve operator class parameters that were attached to the target index (Michael Paquier)
Prevent data loss during crash recovery of CREATE TABLESPACE, when wal_level = minimal (Noah Misch):
If the server crashed between CREATE TABLESPACE and the next checkpoint, replay would fully remove the contents of the new tablespace's directory, relying on subsequent WAL replay to restore everything within that directory. This interacts badly with optimizations that skip writing WAL (one example is COPY into a just-created table). Such optimizations are applied only when wal_level is minimal, which is not the default in v10 and later.
Ensure that the relation cache is invalidated for a table being attached to or detached from a partitioned table (Amit Langote, Álvaro Herrera):
This oversight could allow misbehavior of subsequent inserts/updates addressed directly to the partition, but only in currently-existing sessions.
Ensure that the relation cache is invalidated for all partitions of a partitioned table that is being added to or removed from a publication (Hou Zhijie, Vignesh C):
This oversight could lead to improper replication behavior until all currently-existing sessions have exited.
Ensure that the relation cache is invalidated when creating or dropping a FOR ALL TABLES publication (Hou Zhijie, Vignesh C):
This oversight could lead to improper replication behavior until all currently-existing sessions have exited.
Don't discard a cast to the same type with unspecified type modifier (Tom Lane):
For example, if column f1 is of type numeric(18,3), the parser used to simply discard a cast like f1::numeric, on the grounds that it would have no run-time effect. That's true, but the exposed type of the expression should still be considered to be plain numeric, not numeric(18,3). This is important for correctly resolving the type of larger constructs, such as recursive UNIONs.
Fix updates of element fields in arrays of domain over composite (Tom Lane):
A command such as UPDATE tab SET fld[1].subfld = val failed if the array's elements were domains rather than plain composites.
Disallow the combination of FETCH FIRST WITH TIES and FOR UPDATE SKIP LOCKED (David Christensen):
FETCH FIRST WITH TIES necessarily fetches one more row than requested, since it cannot stop until it finds a row that is not a tie. In our current implementation, if FOR UPDATE is used then that row will also get locked even though it is not returned. That results in undesirable behavior if the SKIP LOCKED option is specified. It's difficult to change this without introducing a different set of undesirable behaviors, so for now, forbid the combination.
Disallow creating an ICU collation if the current database's encoding won't support it (Tom Lane):
Previously this was allowed, but then the collation could not be referenced because of the way collation lookup works; you could not use the collation, nor even drop it.
Disallow ALTER INDEX index ALTER COLUMN col SET (options) (Nathan Bossart, Michael Paquier):
While the parser accepted this, it's undocumented and doesn't actually work.
Fix corner-case loss of precision in numeric power() (Dean Rasheed):
The result could be inaccurate when the first argument is very close to 1.
Avoid regular expression errors with capturing parentheses inside {0} (Tom Lane):
Regular expressions like (.){0}...1 drew “invalid backreference number”. Other regexp engines such as Perl don't complain, though, and for that matter ours doesn't either in some closely related cases. Worse, it could throw an assertion failure instead. Fix it so that no error is thrown and instead the back-reference is silently deemed to never match.
Prevent regular expression back-references from sometimes matching when they shouldn't (Tom Lane):
The regexp engine was careless about clearing match data for capturing parentheses after rejecting a partial match. This could allow a later back-reference to match in places where it should fail for lack of a defined referent.
Fix regular expression performance bug with back-references inside iteration nodes (Tom Lane):
Incorrect back-tracking logic could result in exponential time spent looking for a match. Fortunately the problem is masked in most cases by other optimizations.
Fix incorrect results from AT TIME ZONE applied to a time with time zone value (Tom Lane):
The results were incorrect if the target time zone was specified by a dynamic timezone abbreviation (that is, one that is defined as equivalent to a full time zone name, rather than a fixed UTC offset).
Fix planner error with pulling up subquery expressions into function rangetable entries (Tom Lane):
If a function in FROM laterally references the output of some sub-SELECT earlier in the FROM clause, and we are able to flatten that sub-SELECT into the outer query, the expression(s) copied into the function expression were not fully processed. This could lead to crashes at execution.
Fix mistranslation of PlaceHolderVars to inheritance child relations (Tom Lane):
This error could result in assertion failures, or in mis-planning of queries having partitioned or inherited tables on the nullable side of an outer join.
Avoid using MCV-only statistics to estimate the range of a column (Tom Lane):
There are corner cases in which ANALYZE will build a most-common-values (MCV) list but not a histogram, even though the MCV list does not account for all the observed values. In such cases, keep the planner from using the MCV list alone to estimate the range of column values.
Fix restoration of a Portal's snapshot inside a subtransaction (Bertrand Drouvot):
If a procedure commits or rolls back a transaction, and then its next significant action is inside a new subtransaction, snapshot management went wrong, leading to a dangling pointer and probable crash. A typical example in PL/pgSQL is a COMMIT immediately followed by a BEGIN ... EXCEPTION block that performs a query.
Clean up correctly if a transaction fails after exporting its snapshot (Dilip Kumar):
This oversight would only cause a problem if the same session attempted to export a snapshot again. The most likely scenario for that is creation of a replication slot (followed by rollback) and then creation of another replication slot.
Prevent wraparound of overflowed-subtransaction tracking on standby servers (Kyotaro Horiguchi, Alexander Korotkov):
This oversight could cause significant performance degradation (manifesting as excessive SubtransSLRU traffic) on standby servers.
Ensure that prepared transactions are properly accounted for during promotion of a standby server (Michael Paquier, Andres Freund):
There was a narrow window where a prepared transaction could be omitted from a snapshot taken by a concurrently-running session. If that session then used the snapshot to perform data updates, erroneous results or data corruption could occur.
Disallow LISTEN in background workers (Tom Lane):
There's no infrastructure to support this, so if someone did it, it would only result in preventing cleanup of the NOTIFY queue.
Send NOTIFY signals to other backends during transaction commit, not in the server's idle loop (Artur Zakirov, Tom Lane):
This change allows notifications to be delivered immediately after an intra-procedure COMMIT. It also allows logical replication workers to send notifications.
Refuse to rewind a cursor marked NO SCROLL if it has been held over from a previous transaction due to the WITH HOLD option (Tom Lane):
We have long forbidden fetching backwards from a NO SCROLL cursor, but for historical reasons the prohibition didn't extend to cases in which we rewind the query altogether and then re-fetch forwards. That exception leads to inconsistencies, particularly for held-over cursors which may not have stored all the data necessary to rewind. Disallow rewinding for non-scrollable held-over cursors to block the worst inconsistencies. (v15 will remove the exception altogether.)
Fix possible failure while saving a WITH HOLD cursor at transaction end, if it had already been read to completion (Tom Lane)
Fix detection of a relation that has grown to the maximum allowed length (Tom Lane):
An attempt to extend a table or index past the limit of 2^32-1 blocks was rejected, but not soon enough to prevent inconsistent internal state from being created.
Correctly track the presence of data-modifying CTEs when expanding a DO INSTEAD rule (Greg Nancarrow, Tom Lane):
The previous failure to do this could lead to problems such as unsafely choosing a parallel plan.
Fix incorrect reporting of permissions failures on extended statistics objects (Tomas Vondra):
The code typically produced “cache lookup error” rather than the intended message.
Fix incorrect snapshot handling in parallel workers (Greg Nancarrow):
This oversight could lead to misbehavior in parallel queries if the transaction isolation level is less than REPEATABLE READ.
Fix logical decoding to correctly ignore toast-table changes for transient tables (Bertrand Drouvot):
Logical decoding normally ignores changes in transient tables such as those created during an ALTER TABLE heap rewrite. But that filtering wasn't applied to the associated toast table if any, leading to possible errors when rewriting a table that's being published.
Fix logical decoding's memory usage accounting to handle TOAST data correctly (Bertrand Drouvot)
Ensure that walreceiver processes create all required archive notification files before exiting (Fujii Masao):
If a walreceiver exited exactly at a WAL segment boundary, it failed to make a notification file for the last-received segment, thus delaying archiving of that segment on the standby.
Fix computation of the WAL range to include in a backup manifest when a timeline change is involved (Kyotaro Horiguchi)
Avoid trying to lock the OLD and NEW pseudo-relations in a rule that uses SELECT FOR UPDATE (Masahiko Sawada, Tom Lane)
Fix parser's processing of aggregate FILTER clauses (Tom Lane):
If the FILTER expression is a plain boolean column, the semantic level of the aggregate could be mis-determined, leading to not-per-spec behavior. If the FILTER expression is itself a boolean-returning aggregate, an error should be thrown but was not, likely resulting in a crash at execution.
Ensure that the correct lock level is used when renaming a table (Nathan Bossart, Álvaro Herrera):
For historical reasons, ALTER INDEX ... RENAME can be applied to any sort of relation. The lock level required to rename an index is lower than that required to rename a table or other kind of relation, but the code got this wrong and would use the weaker lock level whenever the command is spelled ALTER INDEX.
Prevent ALTER TYPE/DOMAIN/OPERATOR ... SET from changing extension membership (Tom Lane):
ALTER ... SET executed by an extension script would cause the target object to become a member of the extension if it was not already. In itself this isn't too troubling, since there's little reason for an extension script to touch an object not belonging to the extension. But ALTER TYPE SET will recurse to dependent domains, thus causing them to also become extension members. This causes unwanted side-effects from extension upgrade scripts that use that command to adjust the properties of a base type belonging to the extension. Fix by redefining these ALTER cases to never change extension membership.
Avoid trying to clean up LLVM state after an error within LLVM (Andres Freund, Justin Pryzby):
This prevents a likely crash during backend exit after a fatal LLVM error.
Avoid null-pointer-dereference crash when dropping a role that owns objects being dropped concurrently (Álvaro Herrera)
Prevent “snapshot reference leak” warning when lo_export() or a related function fails (Heikki Linnakangas)
Ensure that scans of SP-GiST indexes are counted in the statistics views (Tom Lane):
Incrementing the number-of-index-scans counter was overlooked in the SP-GiST code, although per-tuple counters were advanced correctly.
Fix inefficient code generation for CoerceToDomain expression nodes (Ranier Vilela)
Recalculate relevant wait intervals if recovery_min_apply_delay is changed during recovery (Soumyadeep Chakraborty, Ashwin Agrawal)
Fix infinite loop if a simplehash.h hash table reaches 2^32 elements (Yura Sokolov):
It seems unlikely that this bug has been hit in practice, as it would require work_mem settings of hundreds of gigabytes for existing uses of simplehash.h.
Avoid O(N^2) behavior in some list-manipulation operations (Nathan Bossart, Tom Lane):
These changes fix slow processing in several scenarios, including: when a standby replays a transaction that held many exclusive locks on the primary; when many files are due to be unlinked after a checkpoint; when hash aggregation involves many batches; and when pg_trgm extracts indexable conditions from a complex regular expression. Only the first of these scenarios has actually been reported from the field, but they all seem like plausible consequences of inefficient list deletions.
Reduce memory consumption during calculation of extended statistics (Justin Pryzby, Tomas Vondra)
Add more defensive checks around B-tree posting list splits (Peter Geoghegan):
This change should help detect index corruption involving duplicate table TIDs.
Disallow setting huge_pages to on when shared_memory_type is sysv (Thomas Munro):
Previously, this setting was accepted, but it did nothing for lack of any implementation.
Fix missing libpq functions on AIX (Tony Reix):
Code reorganization led to the following documented functions not being exported from libpq on AIX: pg_encoding_to_char(), pg_utf_mblen(), pg_char_to_encoding(), pg_valid_server_encoding(), and pg_valid_server_encoding_id(). Restore them to visibility.
Fix ecpg to recover correctly after malloc() failure while establishing a connection (Michael Paquier)
Fix misevaluation of stable functions called in the arguments of a PL/pgSQL CALL statement (Tom Lane):
They were being called with an out-of-date snapshot, so that they would not see any database changes made since the start of the session's top-level command.
Allow EXIT out of the outermost block in a PL/pgSQL routine (Tom Lane):
If the routine does not require an explicit RETURN, this usage should be valid, but it was rejected.
Remove pg_ctl's hard-coded limits on the total length of generated commands (Phil Krylov):
For example, this removes a restriction on how many command-line options can be passed through to the postmaster. Individual path names that pg_ctl deals with, such as the postmaster executable's name or the data directory name, are still limited to MAXPGPATH bytes in most cases.
Fix pg_dump to dump non-global default privileges correctly (Neil Chen, Masahiko Sawada):
If a global (unrestricted) ALTER DEFAULT PRIVILEGES command revoked some present-by-default privilege, for example EXECUTE for functions, and then a restricted ALTER DEFAULT PRIVILEGES command granted that privilege again for a selected role or schema, pg_dump failed to dump the restricted privilege grant correctly.
Make pg_dump acquire shared lock on partitioned tables that are to be dumped (Tom Lane):
This oversight was usually pretty harmless, since once pg_dump has locked any of the leaf partitions, that would suffice to prevent significant DDL on the partitioned table itself. However problems could ensue when dumping a childless partitioned table, since no relevant lock would be held.
Improve pg_dump's performance by avoiding making per-table queries for RLS policies, and by avoiding repetitive calls to format_type() (Tom Lane):
These changes provide only marginal improvement when dumping from a local server, but a dump from a remote server can benefit substantially due to fewer network round-trips.
Fix crash in pg_dump when attempting to dump trigger definitions from a pre-8.3 server (Tom Lane)
Fix incorrect filename in pg_restore's error message about an invalid large object TOC file (Daniel Gustafsson)
Ensure that pgbench exits with non-zero status after a socket-level failure (Yugo Nagata, Fabien Coelho):
The desired behavior is to finish out the run but then exit with status 2. Also, fix the reporting of such errors.
Fix failure of contrib/btree_gin indexes on "char" (not char(n)) columns, when an indexscan using the < or <= operator is performed (Tom Lane):
Such an indexscan failed to return all the entries it should.
Change contrib/pg_stat_statements to read its “query texts” file in units of at most 1GB (Tom Lane):
Such large query text files are very unusual, but if they do occur, the previous coding would fail on Windows 64 (which rejects individual read requests of more than 2GB).
Fix null-pointer crash when contrib/postgres_fdw tries to report a data conversion error (Tom Lane)
Add spinlock support for the RISC-V architecture (Marek Szuba):
This is essential for reasonable performance on that platform.
Support OpenSSL 3.0.0 (Peter Eisentraut, Daniel Gustafsson, Michael Paquier)
Set correct type identifier on OpenSSL BIO (I/O abstraction) objects created by PostgreSQL (Itamar Gafni):
This oversight probably only matters for code that is doing tasks like auditing the OpenSSL installation. But it's nominally a violation of the OpenSSL API, so fix it.
Fix our pkg-config files to again support static linking of libpq (Peter Eisentraut)
Make pg_regexec() robust against an out-of-range search_start parameter (Tom Lane):
Return REG_NOMATCH, instead of possibly crashing, when search_start is past the end of the string. This case is probably unreachable within core PostgreSQL, but extensions might be more careless about the parameter value.
Ensure that GetSharedSecurityLabel() can be used in a newly-started session that has not yet built its critical relation cache entries (Jeff Davis)
Use the CLDR project's data to map Windows time zone names to IANA time zones (Tom Lane):
When running on Windows, initdb attempts to set the new cluster's timezone parameter to the IANA time zone matching the system's prevailing time zone. We were using a mapping table that we'd generated years ago and updated only fitfully; unsurprisingly, it contained a number of errors as well as omissions of recently-added zones. It turns out that CLDR has been tracking the most appropriate mappings, so start using their data. This change will not affect any existing installation, only newly-initialized clusters.
Update time zone data files to tzdata release 2021e for DST law changes in Fiji, Jordan, Palestine, and Samoa, plus historical corrections for Barbados, Cook Islands, Guyana, Niue, Portugal, and Tonga.
Also, the Pacific/Enderbury zone has been renamed to Pacific/Kanton. Also, the following zones have been merged into nearby, more-populous zones whose clocks have agreed with them since 1970: Africa/Accra, America/Atikokan, America/Blanc-Sablon, America/Creston, America/Curacao, America/Nassau, America/Port_of_Spain, Antarctica/DumontDUrville, and Antarctica/Syowa. In all these cases, the previous zone name remains as an alias.

New in PostgreSQL 12.9 (Nov 16, 2021)

E.1.1. Migration to Version 12.9:
A dump/restore is not required for those running 12.X.
However, note that installations using physical replication should update standby servers before the primary server, as explained in the third changelog entry below.
Also, several bugs have been found that may have resulted in corrupted indexes, as explained in the next several changelog entries. If any of those cases apply to you, it's recommended to reindex possibly-affected indexes after updating.
Also, if you are upgrading from a version earlier than 12.6, see Section E.4.
E.1.2. Changes:
Make the server reject extraneous data after an SSL or GSS encryption handshake (Tom Lane):
A man-in-the-middle with the ability to inject data into the TCP connection could stuff some cleartext data into the start of a supposedly encryption-protected database session. This could be abused to send faked SQL commands to the server, although that would only work if the server did not demand any authentication data. (However, a server relying on SSL certificate authentication might well not do so.)
The PostgreSQL Project thanks Jacob Champion for reporting this problem. (CVE-2021-23214)
Make libpq reject extraneous data after an SSL or GSS encryption handshake (Tom Lane):
A man-in-the-middle with the ability to inject data into the TCP connection could stuff some cleartext data into the start of a supposedly encryption-protected database session. This could probably be abused to inject faked responses to the client's first few queries, although other details of libpq's behavior make that harder than it sounds. A different line of attack is to exfiltrate the client's password, or other sensitive data that might be sent early in the session. That has been shown to be possible with a server vulnerable to CVE-2021-23214.
The PostgreSQL Project thanks Jacob Champion for reporting this problem. (CVE-2021-23222)
Fix physical replication for cases where the primary crashes after shipping a WAL segment that ends with a partial WAL record (Álvaro Herrera):
If the primary did not survive long enough to finish writing the rest of the incomplete WAL record, then the previous crash-recovery logic had it back up and overwrite WAL starting from the beginning of the incomplete WAL record. This is problematic since standby servers may already have copies of that WAL segment. They will then see an inconsistent next segment, and will not be able to recover without manual intervention. To fix, do not back up over a WAL segment boundary when restarting after a crash. Instead write a new type of WAL record at the start of the next WAL segment, informing readers that the incomplete WAL record will never be finished and must be disregarded.
When applying this update, it's best to update standby servers before the primary, so that they will be ready to handle this new WAL record type if the primary happens to crash.
Fix CREATE INDEX CONCURRENTLY to wait for the latest prepared transactions (Andrey Borodin):
Rows inserted by just-prepared transactions might be omitted from the new index, causing queries relying on the index to miss such rows. The previous fix for this type of problem failed to account for PREPARE TRANSACTION commands that were still in progress when CREATE INDEX CONCURRENTLY checked for them. As before, in installations that have enabled prepared transactions (max_prepared_transactions > 0), it's recommended to reindex any concurrently-built indexes in case this problem occurred when they were built.
Avoid race condition that can cause backends to fail to add entries for new rows to an index being built concurrently (Noah Misch, Andrey Borodin):
While it's apparently rare in the field, this case could potentially affect any index built or reindexed with the CONCURRENTLY option. It is recommended to reindex any such indexes to make sure they are correct.
Fix float4 and float8 hash functions to produce uniform results for NaNs (Tom Lane):
Since PostgreSQL's floating-point types deem all NaNs to be equal, it's important for the hash functions to produce the same hash code for all bit-patterns that are NaNs according to the IEEE 754 standard. This failed to happen before, meaning that hash indexes and hash-based query plans might produce incorrect results for non-canonical NaN values. ('-NaN'::float8 is one way to produce such a value on most machines.) It is advisable to reindex hash indexes on floating-point columns, if there is any possibility that they might contain such values.
Prevent data loss during crash recovery of CREATE TABLESPACE, when wal_level = minimal (Noah Misch):
If the server crashed between CREATE TABLESPACE and the next checkpoint, replay would fully remove the contents of the new tablespace's directory, relying on subsequent WAL replay to restore everything within that directory. This interacts badly with optimizations that skip writing WAL (one example is COPY into a just-created table). Such optimizations are applied only when wal_level is minimal, which is not the default in v10 and later.
Ensure that the relation cache is invalidated for a table being attached to or detached from a partitioned table (Amit Langote, Álvaro Herrera):
This oversight could allow misbehavior of subsequent inserts/updates addressed directly to the partition, but only in currently-existing sessions.
Ensure that the relation cache is invalidated when creating or dropping a FOR ALL TABLES publication (Hou Zhijie, Vignesh C):
This oversight could lead to improper replication behavior until all currently-existing sessions have exited.
Don't discard a cast to the same type with unspecified type modifier (Tom Lane):
For example, if column f1 is of type numeric(18,3), the parser used to simply discard a cast like f1::numeric, on the grounds that it would have no run-time effect. That's true, but the exposed type of the expression should still be considered to be plain numeric, not numeric(18,3). This is important for correctly resolving the type of larger constructs, such as recursive UNIONs.
Fix updates of element fields in arrays of domain over composite (Tom Lane):
A command such as UPDATE tab SET fld[1].subfld = val failed if the array's elements were domains rather than plain composites.
Disallow creating an ICU collation if the current database's encoding won't support it (Tom Lane):
Previously this was allowed, but then the collation could not be referenced because of the way collation lookup works; you could not use the collation, nor even drop it.
Fix corner-case loss of precision in numeric power() (Dean Rasheed):
The result could be inaccurate when the first argument is very close to 1.
Avoid regular expression errors with capturing parentheses inside {0} (Tom Lane):
Regular expressions like (.){0}...1 drew “invalid backreference number”. Other regexp engines such as Perl don't complain, though, and for that matter ours doesn't either in some closely related cases. Worse, it could throw an assertion failure instead. Fix it so that no error is thrown and instead the back-reference is silently deemed to never match.
Prevent regular expression back-references from sometimes matching when they shouldn't (Tom Lane):
The regexp engine was careless about clearing match data for capturing parentheses after rejecting a partial match. This could allow a later back-reference to match in places where it should fail for lack of a defined referent.
Fix regular expression performance bug with back-references inside iteration nodes (Tom Lane):
Incorrect back-tracking logic could result in exponential time spent looking for a match. Fortunately the problem is masked in most cases by other optimizations.
Fix incorrect results from AT TIME ZONE applied to a time with time zone value (Tom Lane):
The results were incorrect if the target time zone was specified by a dynamic timezone abbreviation (that is, one that is defined as equivalent to a full time zone name, rather than a fixed UTC offset).
Fix mistranslation of PlaceHolderVars to inheritance child relations (Tom Lane):
This error could result in assertion failures, or in mis-planning of queries having partitioned or inherited tables on the nullable side of an outer join.
Avoid using MCV-only statistics to estimate the range of a column (Tom Lane):
There are corner cases in which ANALYZE will build a most-common-values (MCV) list but not a histogram, even though the MCV list does not account for all the observed values. In such cases, keep the planner from using the MCV list alone to estimate the range of column values.
Fix restoration of a Portal's snapshot inside a subtransaction (Bertrand Drouvot):
If a procedure commits or rolls back a transaction, and then its next significant action is inside a new subtransaction, snapshot management went wrong, leading to a dangling pointer and probable crash. A typical example in PL/pgSQL is a COMMIT immediately followed by a BEGIN ... EXCEPTION block that performs a query.
Clean up correctly if a transaction fails after exporting its snapshot (Dilip Kumar):
This oversight would only cause a problem if the same session attempted to export a snapshot again. The most likely scenario for that is creation of a replication slot (followed by rollback) and then creation of another replication slot.
Prevent wraparound of overflowed-subtransaction tracking on standby servers (Kyotaro Horiguchi, Alexander Korotkov):
This oversight could cause significant performance degradation (manifesting as excessive SubtransSLRU traffic) on standby servers.
Ensure that prepared transactions are properly accounted for during promotion of a standby server (Michael Paquier, Andres Freund):
There was a narrow window where a prepared transaction could be omitted from a snapshot taken by a concurrently-running session. If that session then used the snapshot to perform data updates, erroneous results or data corruption could occur.
Refuse to rewind a cursor marked NO SCROLL if it has been held over from a previous transaction due to the WITH HOLD option (Tom Lane):
We have long forbidden fetching backwards from a NO SCROLL cursor, but for historical reasons the prohibition didn't extend to cases in which we rewind the query altogether and then re-fetch forwards. That exception leads to inconsistencies, particularly for held-over cursors which may not have stored all the data necessary to rewind. Disallow rewinding for non-scrollable held-over cursors to block the worst inconsistencies. (v15 will remove the exception altogether.)
Fix possible failure while saving a WITH HOLD cursor at transaction end, if it had already been read to completion (Tom Lane)
Fix detection of a relation that has grown to the maximum allowed length (Tom Lane):
An attempt to extend a table or index past the limit of 2^32-1 blocks was rejected, but not soon enough to prevent inconsistent internal state from being created.
Correctly track the presence of data-modifying CTEs when expanding a DO INSTEAD rule (Greg Nancarrow, Tom Lane):
The previous failure to do this could lead to problems such as unsafely choosing a parallel plan.
Fix incorrect reporting of permissions failures on extended statistics objects (Tomas Vondra):
The code typically produced “cache lookup error” rather than the intended message.
Fix incorrect snapshot handling in parallel workers (Greg Nancarrow):
This oversight could lead to misbehavior in parallel queries if the transaction isolation level is less than REPEATABLE READ.
Fix logical decoding to correctly ignore toast-table changes for transient tables (Bertrand Drouvot):
Logical decoding normally ignores changes in transient tables such as those created during an ALTER TABLE heap rewrite. But that filtering wasn't applied to the associated toast table if any, leading to possible errors when rewriting a table that's being published.
Ensure that walreceiver processes create all required archive notification files before exiting (Fujii Masao):
If a walreceiver exited exactly at a WAL segment boundary, it failed to make a notification file for the last-received segment, thus delaying archiving of that segment on the standby.
Avoid trying to lock the OLD and NEW pseudo-relations in a rule that uses SELECT FOR UPDATE (Masahiko Sawada, Tom Lane)
Fix parser's processing of aggregate FILTER clauses (Tom Lane):
If the FILTER expression is a plain boolean column, the semantic level of the aggregate could be mis-determined, leading to not-per-spec behavior. If the FILTER expression is itself a boolean-returning aggregate, an error should be thrown but was not, likely resulting in a crash at execution.
Ensure that the correct lock level is used when renaming a table (Nathan Bossart, Álvaro Herrera):
For historical reasons, ALTER INDEX ... RENAME can be applied to any sort of relation. The lock level required to rename an index is lower than that required to rename a table or other kind of relation, but the code got this wrong and would use the weaker lock level whenever the command is spelled ALTER INDEX.
Avoid trying to clean up LLVM state after an error within LLVM (Andres Freund, Justin Pryzby):
This prevents a likely crash during backend exit after a fatal LLVM error.
Avoid null-pointer-dereference crash when dropping a role that owns objects being dropped concurrently (Álvaro Herrera)
Prevent “snapshot reference leak” warning when lo_export() or a related function fails (Heikki Linnakangas)
Ensure that scans of SP-GiST indexes are counted in the statistics views (Tom Lane):
Incrementing the number-of-index-scans counter was overlooked in the SP-GiST code, although per-tuple counters were advanced correctly.
Recalculate relevant wait intervals if recovery_min_apply_delay is changed during recovery (Soumyadeep Chakraborty, Ashwin Agrawal)
Fix infinite loop if a simplehash.h hash table reaches 2^32 elements (Yura Sokolov):
It seems unlikely that this bug has been hit in practice, as it would require work_mem settings of hundreds of gigabytes for existing uses of simplehash.h.
Reduce memory consumption during calculation of extended statistics (Justin Pryzby, Tomas Vondra)
Disallow setting huge_pages to on when shared_memory_type is sysv (Thomas Munro):
Previously, this setting was accepted, but it did nothing for lack of any implementation.
Fix ecpg to recover correctly after malloc() failure while establishing a connection (Michael Paquier)
Fix misevaluation of stable functions called in the arguments of a PL/pgSQL CALL statement (Tom Lane):
They were being called with an out-of-date snapshot, so that they would not see any database changes made since the start of the session's top-level command.
Allow EXIT out of the outermost block in a PL/pgSQL routine (Tom Lane):
If the routine does not require an explicit RETURN, this usage should be valid, but it was rejected.
Remove pg_ctl's hard-coded limits on the total length of generated commands (Phil Krylov):
For example, this removes a restriction on how many command-line options can be passed through to the postmaster. Individual path names that pg_ctl deals with, such as the postmaster executable's name or the data directory name, are still limited to MAXPGPATH bytes in most cases.
Fix pg_dump to dump non-global default privileges correctly (Neil Chen, Masahiko Sawada):
If a global (unrestricted) ALTER DEFAULT PRIVILEGES command revoked some present-by-default privilege, for example EXECUTE for functions, and then a restricted ALTER DEFAULT PRIVILEGES command granted that privilege again for a selected role or schema, pg_dump failed to dump the restricted privilege grant correctly.
Make pg_dump acquire shared lock on partitioned tables that are to be dumped (Tom Lane):
This oversight was usually pretty harmless, since once pg_dump has locked any of the leaf partitions, that would suffice to prevent significant DDL on the partitioned table itself. However problems could ensue when dumping a childless partitioned table, since no relevant lock would be held.
Improve pg_dump's performance by avoiding making per-table queries for RLS policies, and by avoiding repetitive calls to format_type() (Tom Lane):
These changes provide only marginal improvement when dumping from a local server, but a dump from a remote server can benefit substantially due to fewer network round-trips.
Fix crash in pg_dump when attempting to dump trigger definitions from a pre-8.3 server (Tom Lane)
Fix incorrect filename in pg_restore's error message about an invalid large object TOC file (Daniel Gustafsson)
Ensure that pgbench exits with non-zero status after a socket-level failure (Yugo Nagata, Fabien Coelho):
The desired behavior is to finish out the run but then exit with status 2. Also, fix the reporting of such errors.
Fix failure of contrib/btree_gin indexes on "char" (not char(n)) columns, when an indexscan using the < or <= operator is performed (Tom Lane):
Such an indexscan failed to return all the entries it should.
Change contrib/pg_stat_statements to read its “query texts” file in units of at most 1GB (Tom Lane):
Such large query text files are very unusual, but if they do occur, the previous coding would fail on Windows 64 (which rejects individual read requests of more than 2GB).
Fix null-pointer crash when contrib/postgres_fdw tries to report a data conversion error (Tom Lane)
Add spinlock support for the RISC-V architecture (Marek Szuba):
This is essential for reasonable performance on that platform.
Support OpenSSL 3.0.0 (Peter Eisentraut, Daniel Gustafsson, Michael Paquier)
Set correct type identifier on OpenSSL BIO (I/O abstraction) objects created by PostgreSQL (Itamar Gafni):
This oversight probably only matters for code that is doing tasks like auditing the OpenSSL installation. But it's nominally a violation of the OpenSSL API, so fix it.
Fix our pkg-config files to again support static linking of libpq (Peter Eisentraut)
Make pg_regexec() robust against an out-of-range search_start parameter (Tom Lane):
Return REG_NOMATCH, instead of possibly crashing, when search_start is past the end of the string. This case is probably unreachable within core PostgreSQL, but extensions might be more careless about the parameter value.
Ensure that GetSharedSecurityLabel() can be used in a newly-started session that has not yet built its critical relation cache entries (Jeff Davis)
Use the CLDR project's data to map Windows time zone names to IANA time zones (Tom Lane):
When running on Windows, initdb attempts to set the new cluster's timezone parameter to the IANA time zone matching the system's prevailing time zone. We were using a mapping table that we'd generated years ago and updated only fitfully; unsurprisingly, it contained a number of errors as well as omissions of recently-added zones. It turns out that CLDR has been tracking the most appropriate mappings, so start using their data. This change will not affect any existing installation, only newly-initialized clusters.
Update time zone data files to tzdata release 2021e for DST law changes in Fiji, Jordan, Palestine, and Samoa, plus historical corrections for Barbados, Cook Islands, Guyana, Niue, Portugal, and Tonga.
Also, the Pacific/Enderbury zone has been renamed to Pacific/Kanton. Also, the following zones have been merged into nearby, more-populous zones whose clocks have agreed with them since 1970: Africa/Accra, America/Atikokan, America/Blanc-Sablon, America/Creston, America/Curacao, America/Nassau, America/Port_of_Spain, Antarctica/DumontDUrville, and Antarctica/Syowa. In all these cases, the previous zone name remains as an alias.

New in PostgreSQL 11.14 (Nov 16, 2021)

E.1.1. Migration to Version 11.14:
A dump/restore is not required for those running 11.X.
However, note that installations using physical replication should update standby servers before the primary server, as explained in the third changelog entry below.
Also, several bugs have been found that may have resulted in corrupted indexes, as explained in the next several changelog entries. If any of those cases apply to you, it's recommended to reindex possibly-affected indexes after updating.
Also, if you are upgrading from a version earlier than 11.11, see Section E.4.
E.1.2. Changes:
Make the server reject extraneous data after an SSL or GSS encryption handshake (Tom Lane):
A man-in-the-middle with the ability to inject data into the TCP connection could stuff some cleartext data into the start of a supposedly encryption-protected database session. This could be abused to send faked SQL commands to the server, although that would only work if the server did not demand any authentication data. (However, a server relying on SSL certificate authentication might well not do so.)
The PostgreSQL Project thanks Jacob Champion for reporting this problem. (CVE-2021-23214)
Make libpq reject extraneous data after an SSL or GSS encryption handshake (Tom Lane):
A man-in-the-middle with the ability to inject data into the TCP connection could stuff some cleartext data into the start of a supposedly encryption-protected database session. This could probably be abused to inject faked responses to the client's first few queries, although other details of libpq's behavior make that harder than it sounds. A different line of attack is to exfiltrate the client's password, or other sensitive data that might be sent early in the session. That has been shown to be possible with a server vulnerable to CVE-2021-23214.
The PostgreSQL Project thanks Jacob Champion for reporting this problem. (CVE-2021-23222)
Fix physical replication for cases where the primary crashes after shipping a WAL segment that ends with a partial WAL record (Álvaro Herrera):
If the primary did not survive long enough to finish writing the rest of the incomplete WAL record, then the previous crash-recovery logic had it back up and overwrite WAL starting from the beginning of the incomplete WAL record. This is problematic since standby servers may already have copies of that WAL segment. They will then see an inconsistent next segment, and will not be able to recover without manual intervention. To fix, do not back up over a WAL segment boundary when restarting after a crash. Instead write a new type of WAL record at the start of the next WAL segment, informing readers that the incomplete WAL record will never be finished and must be disregarded.
When applying this update, it's best to update standby servers before the primary, so that they will be ready to handle this new WAL record type if the primary happens to crash.
Fix CREATE INDEX CONCURRENTLY to wait for the latest prepared transactions (Andrey Borodin):
Rows inserted by just-prepared transactions might be omitted from the new index, causing queries relying on the index to miss such rows. The previous fix for this type of problem failed to account for PREPARE TRANSACTION commands that were still in progress when CREATE INDEX CONCURRENTLY checked for them. As before, in installations that have enabled prepared transactions (max_prepared_transactions > 0), it's recommended to reindex any concurrently-built indexes in case this problem occurred when they were built.
Avoid race condition that can cause backends to fail to add entries for new rows to an index being built concurrently (Noah Misch, Andrey Borodin):
While it's apparently rare in the field, this case could potentially affect any index built or reindexed with the CONCURRENTLY option. It is recommended to reindex any such indexes to make sure they are correct.
Fix float4 and float8 hash functions to produce uniform results for NaNs (Tom Lane):
Since PostgreSQL's floating-point types deem all NaNs to be equal, it's important for the hash functions to produce the same hash code for all bit-patterns that are NaNs according to the IEEE 754 standard. This failed to happen before, meaning that hash indexes and hash-based query plans might produce incorrect results for non-canonical NaN values. ('-NaN'::float8 is one way to produce such a value on most machines.) It is advisable to reindex hash indexes on floating-point columns, if there is any possibility that they might contain such values.
Prevent data loss during crash recovery of CREATE TABLESPACE, when wal_level = minimal (Noah Misch):
If the server crashed between CREATE TABLESPACE and the next checkpoint, replay would fully remove the contents of the new tablespace's directory, relying on subsequent WAL replay to restore everything within that directory. This interacts badly with optimizations that skip writing WAL (one example is COPY into a just-created table). Such optimizations are applied only when wal_level is minimal, which is not the default in v10 and later.
Ensure that the relation cache is invalidated for a table being attached to or detached from a partitioned table (Amit Langote, Álvaro Herrera):
This oversight could allow misbehavior of subsequent inserts/updates addressed directly to the partition, but only in currently-existing sessions.
Ensure that the relation cache is invalidated when creating or dropping a FOR ALL TABLES publication (Hou Zhijie, Vignesh C):
This oversight could lead to improper replication behavior until all currently-existing sessions have exited.
Don't discard a cast to the same type with unspecified type modifier (Tom Lane):
For example, if column f1 is of type numeric(18,3), the parser used to simply discard a cast like f1::numeric, on the grounds that it would have no run-time effect. That's true, but the exposed type of the expression should still be considered to be plain numeric, not numeric(18,3). This is important for correctly resolving the type of larger constructs, such as recursive UNIONs.
Fix updates of element fields in arrays of domain over composite (Tom Lane):
A command such as UPDATE tab SET fld[1].subfld = val failed if the array's elements were domains rather than plain composites.
Disallow creating an ICU collation if the current database's encoding won't support it (Tom Lane):
Previously this was allowed, but then the collation could not be referenced because of the way collation lookup works; you could not use the collation, nor even drop it.
Fix corner-case loss of precision in numeric power() (Dean Rasheed):
The result could be inaccurate when the first argument is very close to 1.
Avoid regular expression errors with capturing parentheses inside {0} (Tom Lane):
Regular expressions like (.){0}...1 drew “invalid backreference number”. Other regexp engines such as Perl don't complain, though, and for that matter ours doesn't either in some closely related cases. Worse, it could throw an assertion failure instead. Fix it so that no error is thrown and instead the back-reference is silently deemed to never match.
Prevent regular expression back-references from sometimes matching when they shouldn't (Tom Lane):
The regexp engine was careless about clearing match data for capturing parentheses after rejecting a partial match. This could allow a later back-reference to match in places where it should fail for lack of a defined referent.
Fix regular expression performance bug with back-references inside iteration nodes (Tom Lane):
Incorrect back-tracking logic could result in exponential time spent looking for a match. Fortunately the problem is masked in most cases by other optimizations.
Fix incorrect results from AT TIME ZONE applied to a time with time zone value (Tom Lane):
The results were incorrect if the target time zone was specified by a dynamic timezone abbreviation (that is, one that is defined as equivalent to a full time zone name, rather than a fixed UTC offset).
Avoid using MCV-only statistics to estimate the range of a column (Tom Lane):
There are corner cases in which ANALYZE will build a most-common-values (MCV) list but not a histogram, even though the MCV list does not account for all the observed values. In such cases, keep the planner from using the MCV list alone to estimate the range of column values.
Fix restoration of a Portal's snapshot inside a subtransaction (Bertrand Drouvot):
If a procedure commits or rolls back a transaction, and then its next significant action is inside a new subtransaction, snapshot management went wrong, leading to a dangling pointer and probable crash. A typical example in PL/pgSQL is a COMMIT immediately followed by a BEGIN ... EXCEPTION block that performs a query.
Clean up correctly if a transaction fails after exporting its snapshot (Dilip Kumar):
This oversight would only cause a problem if the same session attempted to export a snapshot again. The most likely scenario for that is creation of a replication slot (followed by rollback) and then creation of another replication slot.
Prevent wraparound of overflowed-subtransaction tracking on standby servers (Kyotaro Horiguchi, Alexander Korotkov):
This oversight could cause significant performance degradation (manifesting as excessive SubtransSLRU traffic) on standby servers.
Ensure that prepared transactions are properly accounted for during promotion of a standby server (Michael Paquier, Andres Freund):
There was a narrow window where a prepared transaction could be omitted from a snapshot taken by a concurrently-running session. If that session then used the snapshot to perform data updates, erroneous results or data corruption could occur.
Refuse to rewind a cursor marked NO SCROLL if it has been held over from a previous transaction due to the WITH HOLD option (Tom Lane):
We have long forbidden fetching backwards from a NO SCROLL cursor, but for historical reasons the prohibition didn't extend to cases in which we rewind the query altogether and then re-fetch forwards. That exception leads to inconsistencies, particularly for held-over cursors which may not have stored all the data necessary to rewind. Disallow rewinding for non-scrollable held-over cursors to block the worst inconsistencies. (v15 will remove the exception altogether.)
Fix possible failure while saving a WITH HOLD cursor at transaction end, if it had already been read to completion (Tom Lane)
Fix detection of a relation that has grown to the maximum allowed length (Tom Lane):
An attempt to extend a table or index past the limit of 2^32-1 blocks was rejected, but not soon enough to prevent inconsistent internal state from being created.
Correctly track the presence of data-modifying CTEs when expanding a DO INSTEAD rule (Greg Nancarrow, Tom Lane):
The previous failure to do this could lead to problems such as unsafely choosing a parallel plan.
Fix incorrect reporting of permissions failures on extended statistics objects (Tomas Vondra):
The code typically produced “cache lookup error” rather than the intended message.
Fix incorrect snapshot handling in parallel workers (Greg Nancarrow):
This oversight could lead to misbehavior in parallel queries if the transaction isolation level is less than REPEATABLE READ.
Fix logical decoding to correctly ignore toast-table changes for transient tables (Bertrand Drouvot):
Logical decoding normally ignores changes in transient tables such as those created during an ALTER TABLE heap rewrite. But that filtering wasn't applied to the associated toast table if any, leading to possible errors when rewriting a table that's being published.
Ensure that walreceiver processes create all required archive notification files before exiting (Fujii Masao):
If a walreceiver exited exactly at a WAL segment boundary, it failed to make a notification file for the last-received segment, thus delaying archiving of that segment on the standby.
Avoid trying to lock the OLD and NEW pseudo-relations in a rule that uses SELECT FOR UPDATE (Masahiko Sawada, Tom Lane)
Fix parser's processing of aggregate FILTER clauses (Tom Lane):
If the FILTER expression is a plain boolean column, the semantic level of the aggregate could be mis-determined, leading to not-per-spec behavior. If the FILTER expression is itself a boolean-returning aggregate, an error should be thrown but was not, likely resulting in a crash at execution.
Avoid trying to clean up LLVM state after an error within LLVM (Andres Freund, Justin Pryzby):
This prevents a likely crash during backend exit after a fatal LLVM error.
Avoid null-pointer-dereference crash when dropping a role that owns objects being dropped concurrently (Álvaro Herrera)
Prevent “snapshot reference leak” warning when lo_export() or a related function fails (Heikki Linnakangas)
Ensure that scans of SP-GiST indexes are counted in the statistics views (Tom Lane):
Incrementing the number-of-index-scans counter was overlooked in the SP-GiST code, although per-tuple counters were advanced correctly.
Recalculate relevant wait intervals if recovery_min_apply_delay is changed during recovery (Soumyadeep Chakraborty, Ashwin Agrawal)
Fix infinite loop if a simplehash.h hash table reaches 2^32 elements (Yura Sokolov):
It seems unlikely that this bug has been hit in practice, as it would require work_mem settings of hundreds of gigabytes for existing uses of simplehash.h.
Reduce memory consumption during calculation of extended statistics (Justin Pryzby, Tomas Vondra)
Fix ecpg to recover correctly after malloc() failure while establishing a connection (Michael Paquier)
Fix misevaluation of stable functions called in the arguments of a PL/pgSQL CALL statement (Tom Lane):
They were being called with an out-of-date snapshot, so that they would not see any database changes made since the start of the session's top-level command.
Allow EXIT out of the outermost block in a PL/pgSQL routine (Tom Lane):
If the routine does not require an explicit RETURN, this usage should be valid, but it was rejected.
Remove pg_ctl's hard-coded limits on the total length of generated commands (Phil Krylov):
For example, this removes a restriction on how many command-line options can be passed through to the postmaster. Individual path names that pg_ctl deals with, such as the postmaster executable's name or the data directory name, are still limited to MAXPGPATH bytes in most cases.
Fix pg_dump to dump non-global default privileges correctly (Neil Chen, Masahiko Sawada):
If a global (unrestricted) ALTER DEFAULT PRIVILEGES command revoked some present-by-default privilege, for example EXECUTE for functions, and then a restricted ALTER DEFAULT PRIVILEGES command granted that privilege again for a selected role or schema, pg_dump failed to dump the restricted privilege grant correctly.
Make pg_dump acquire shared lock on partitioned tables that are to be dumped (Tom Lane):
This oversight was usually pretty harmless, since once pg_dump has locked any of the leaf partitions, that would suffice to prevent significant DDL on the partitioned table itself. However problems could ensue when dumping a childless partitioned table, since no relevant lock would be held.
Improve pg_dump's performance by avoiding making per-table queries for RLS policies, and by avoiding repetitive calls to format_type() (Tom Lane):
These changes provide only marginal improvement when dumping from a local server, but a dump from a remote server can benefit substantially due to fewer network round-trips.
Fix crash in pg_dump when attempting to dump trigger definitions from a pre-8.3 server (Tom Lane)
Fix incorrect filename in pg_restore's error message about an invalid large object TOC file (Daniel Gustafsson)
Fix failure of contrib/btree_gin indexes on "char" (not char(n)) columns, when an indexscan using the < or <= operator is performed (Tom Lane):
Such an indexscan failed to return all the entries it should.
Change contrib/pg_stat_statements to read its “query texts” file in units of at most 1GB (Tom Lane):
Such large query text files are very unusual, but if they do occur, the previous coding would fail on Windows 64 (which rejects individual read requests of more than 2GB).
Fix null-pointer crash when contrib/postgres_fdw tries to report a data conversion error (Tom Lane)
Add spinlock support for the RISC-V architecture (Marek Szuba):
This is essential for reasonable performance on that platform.
Support OpenSSL 3.0.0 (Peter Eisentraut, Daniel Gustafsson, Michael Paquier)
Set correct type identifier on OpenSSL BIO (I/O abstraction) objects created by PostgreSQL (Itamar Gafni):
This oversight probably only matters for code that is doing tasks like auditing the OpenSSL installation. But it's nominally a violation of the OpenSSL API, so fix it.
Make pg_regexec() robust against an out-of-range search_start parameter (Tom Lane):
Return REG_NOMATCH, instead of possibly crashing, when search_start is past the end of the string. This case is probably unreachable within core PostgreSQL, but extensions might be more careless about the parameter value.
Ensure that GetSharedSecurityLabel() can be used in a newly-started session that has not yet built its critical relation cache entries (Jeff Davis)
Use the CLDR project's data to map Windows time zone names to IANA time zones (Tom Lane):
When running on Windows, initdb attempts to set the new cluster's timezone parameter to the IANA time zone matching the system's prevailing time zone. We were using a mapping table that we'd generated years ago and updated only fitfully; unsurprisingly, it contained a number of errors as well as omissions of recently-added zones. It turns out that CLDR has been tracking the most appropriate mappings, so start using their data. This change will not affect any existing installation, only newly-initialized clusters.
Update time zone data files to tzdata release 2021e for DST law changes in Fiji, Jordan, Palestine, and Samoa, plus historical corrections for Barbados, Cook Islands, Guyana, Niue, Portugal, and Tonga.
Also, the Pacific/Enderbury zone has been renamed to Pacific/Kanton. Also, the following zones have been merged into nearby, more-populous zones whose clocks have agreed with them since 1970: Africa/Accra, America/Atikokan, America/Blanc-Sablon, America/Creston, America/Curacao, America/Nassau, America/Port_of_Spain, Antarctica/DumontDUrville, and Antarctica/Syowa. In all these cases, the previous zone name remains as an alias.

New in PostgreSQL 10.19 (Nov 16, 2021)

E.1.1. Migration to Version 10.19:
A dump/restore is not required for those running 10.X.
However, note that installations using physical replication should update standby servers before the primary server, as explained in the third changelog entry below.
Also, several bugs have been found that may have resulted in corrupted indexes, as explained in the next several changelog entries. If any of those cases apply to you, it's recommended to reindex possibly-affected indexes after updating.
Also, if you are upgrading from a version earlier than 10.16, see Section E.4.
E.1.2. Changes:
Make the server reject extraneous data after an SSL or GSS encryption handshake (Tom Lane):
A man-in-the-middle with the ability to inject data into the TCP connection could stuff some cleartext data into the start of a supposedly encryption-protected database session. This could be abused to send faked SQL commands to the server, although that would only work if the server did not demand any authentication data. (However, a server relying on SSL certificate authentication might well not do so.)
The PostgreSQL Project thanks Jacob Champion for reporting this problem. (CVE-2021-23214)
Make libpq reject extraneous data after an SSL or GSS encryption handshake (Tom Lane):
A man-in-the-middle with the ability to inject data into the TCP connection could stuff some cleartext data into the start of a supposedly encryption-protected database session. This could probably be abused to inject faked responses to the client's first few queries, although other details of libpq's behavior make that harder than it sounds. A different line of attack is to exfiltrate the client's password, or other sensitive data that might be sent early in the session. That has been shown to be possible with a server vulnerable to CVE-2021-23214.
The PostgreSQL Project thanks Jacob Champion for reporting this problem. (CVE-2021-23222)
Fix physical replication for cases where the primary crashes after shipping a WAL segment that ends with a partial WAL record (Álvaro Herrera):
If the primary did not survive long enough to finish writing the rest of the incomplete WAL record, then the previous crash-recovery logic had it back up and overwrite WAL starting from the beginning of the incomplete WAL record. This is problematic since standby servers may already have copies of that WAL segment. They will then see an inconsistent next segment, and will not be able to recover without manual intervention. To fix, do not back up over a WAL segment boundary when restarting after a crash. Instead write a new type of WAL record at the start of the next WAL segment, informing readers that the incomplete WAL record will never be finished and must be disregarded.
When applying this update, it's best to update standby servers before the primary, so that they will be ready to handle this new WAL record type if the primary happens to crash.
Fix CREATE INDEX CONCURRENTLY to wait for the latest prepared transactions (Andrey Borodin):
Rows inserted by just-prepared transactions might be omitted from the new index, causing queries relying on the index to miss such rows. The previous fix for this type of problem failed to account for PREPARE TRANSACTION commands that were still in progress when CREATE INDEX CONCURRENTLY checked for them. As before, in installations that have enabled prepared transactions (max_prepared_transactions > 0), it's recommended to reindex any concurrently-built indexes in case this problem occurred when they were built.
Avoid race condition that can cause backends to fail to add entries for new rows to an index being built concurrently (Noah Misch, Andrey Borodin):
While it's apparently rare in the field, this case could potentially affect any index built or reindexed with the CONCURRENTLY option. It is recommended to reindex any such indexes to make sure they are correct.
Fix float4 and float8 hash functions to produce uniform results for NaNs (Tom Lane):
Since PostgreSQL's floating-point types deem all NaNs to be equal, it's important for the hash functions to produce the same hash code for all bit-patterns that are NaNs according to the IEEE 754 standard. This failed to happen before, meaning that hash indexes and hash-based query plans might produce incorrect results for non-canonical NaN values. ('-NaN'::float8 is one way to produce such a value on most machines.) It is advisable to reindex hash indexes on floating-point columns, if there is any possibility that they might contain such values.
Prevent data loss during crash recovery of CREATE TABLESPACE, when wal_level = minimal (Noah Misch):
If the server crashed between CREATE TABLESPACE and the next checkpoint, replay would fully remove the contents of the new tablespace's directory, relying on subsequent WAL replay to restore everything within that directory. This interacts badly with optimizations that skip writing WAL (one example is COPY into a just-created table). Such optimizations are applied only when wal_level is minimal, which is not the default in v10 and later.
Ensure that the relation cache is invalidated for a table being attached to or detached from a partitioned table (Amit Langote, Álvaro Herrera):
This oversight could allow misbehavior of subsequent inserts/updates addressed directly to the partition, but only in currently-existing sessions.
Ensure that the relation cache is invalidated when creating or dropping a FOR ALL TABLES publication (Hou Zhijie, Vignesh C):
This oversight could lead to improper replication behavior until all currently-existing sessions have exited.
Don't discard a cast to the same type with unspecified type modifier (Tom Lane):
For example, if column f1 is of type numeric(18,3), the parser used to simply discard a cast like f1::numeric, on the grounds that it would have no run-time effect. That's true, but the exposed type of the expression should still be considered to be plain numeric, not numeric(18,3). This is important for correctly resolving the type of larger constructs, such as recursive UNIONs.
Disallow creating an ICU collation if the current database's encoding won't support it (Tom Lane):
Previously this was allowed, but then the collation could not be referenced because of the way collation lookup works; you could not use the collation, nor even drop it.
Fix corner-case loss of precision in numeric power() (Dean Rasheed):
The result could be inaccurate when the first argument is very close to 1.
Avoid regular expression errors with capturing parentheses inside {0} (Tom Lane):
Regular expressions like (.){0}...1 drew “invalid backreference number”. Other regexp engines such as Perl don't complain, though, and for that matter ours doesn't either in some closely related cases. Worse, it could throw an assertion failure instead. Fix it so that no error is thrown and instead the back-reference is silently deemed to never match.
Prevent regular expression back-references from sometimes matching when they shouldn't (Tom Lane):
The regexp engine was careless about clearing match data for capturing parentheses after rejecting a partial match. This could allow a later back-reference to match in places where it should fail for lack of a defined referent.
Fix regular expression performance bug with back-references inside iteration nodes (Tom Lane):
Incorrect back-tracking logic could result in exponential time spent looking for a match. Fortunately the problem is masked in most cases by other optimizations.
Fix incorrect results from AT TIME ZONE applied to a time with time zone value (Tom Lane):
The results were incorrect if the target time zone was specified by a dynamic timezone abbreviation (that is, one that is defined as equivalent to a full time zone name, rather than a fixed UTC offset).
Avoid using MCV-only statistics to estimate the range of a column (Tom Lane):
There are corner cases in which ANALYZE will build a most-common-values (MCV) list but not a histogram, even though the MCV list does not account for all the observed values. In such cases, keep the planner from using the MCV list alone to estimate the range of column values.
Clean up correctly if a transaction fails after exporting its snapshot (Dilip Kumar):
This oversight would only cause a problem if the same session attempted to export a snapshot again. The most likely scenario for that is creation of a replication slot (followed by rollback) and then creation of another replication slot.
Prevent wraparound of overflowed-subtransaction tracking on standby servers (Kyotaro Horiguchi, Alexander Korotkov):
This oversight could cause significant performance degradation (manifesting as excessive SubtransSLRU traffic) on standby servers.
Ensure that prepared transactions are properly accounted for during promotion of a standby server (Michael Paquier, Andres Freund):
There was a narrow window where a prepared transaction could be omitted from a snapshot taken by a concurrently-running session. If that session then used the snapshot to perform data updates, erroneous results or data corruption could occur.
Fix detection of a relation that has grown to the maximum allowed length (Tom Lane):
An attempt to extend a table or index past the limit of 2^32-1 blocks was rejected, but not soon enough to prevent inconsistent internal state from being created.
Correctly track the presence of data-modifying CTEs when expanding a DO INSTEAD rule (Greg Nancarrow, Tom Lane):
The previous failure to do this could lead to problems such as unsafely choosing a parallel plan.
Fix incorrect reporting of permissions failures on extended statistics objects (Tomas Vondra):
The code typically produced “cache lookup error” rather than the intended message.
Fix incorrect snapshot handling in parallel workers (Greg Nancarrow):
This oversight could lead to misbehavior in parallel queries if the transaction isolation level is less than REPEATABLE READ.
Ensure that walreceiver processes create all required archive notification files before exiting (Fujii Masao):
If a walreceiver exited exactly at a WAL segment boundary, it failed to make a notification file for the last-received segment, thus delaying archiving of that segment on the standby.
Avoid trying to lock the OLD and NEW pseudo-relations in a rule that uses SELECT FOR UPDATE (Masahiko Sawada, Tom Lane):
Fix parser's processing of aggregate FILTER clauses (Tom Lane):
If the FILTER expression is a plain boolean column, the semantic level of the aggregate could be mis-determined, leading to not-per-spec behavior. If the FILTER expression is itself a boolean-returning aggregate, an error should be thrown but was not, likely resulting in a crash at execution.
Avoid null-pointer-dereference crash when dropping a role that owns objects being dropped concurrently (Álvaro Herrera)
Prevent “snapshot reference leak” warning when lo_export() or a related function fails (Heikki Linnakangas)
Ensure that scans of SP-GiST indexes are counted in the statistics views (Tom Lane):
Incrementing the number-of-index-scans counter was overlooked in the SP-GiST code, although per-tuple counters were advanced correctly.
Recalculate relevant wait intervals if recovery_min_apply_delay is changed during recovery (Soumyadeep Chakraborty, Ashwin Agrawal)
Fix infinite loop if a simplehash.h hash table reaches 2^32 elements (Yura Sokolov):
It seems unlikely that this bug has been hit in practice, as it would require work_mem settings of hundreds of gigabytes for existing uses of simplehash.h.
Reduce memory consumption during calculation of extended statistics (Justin Pryzby, Tomas Vondra)
Fix ecpg to recover correctly after malloc() failure while establishing a connection (Michael Paquier)
Allow EXIT out of the outermost block in a PL/pgSQL routine (Tom Lane):
If the routine does not require an explicit RETURN, this usage should be valid, but it was rejected.
Remove pg_ctl's hard-coded limits on the total length of generated commands (Phil Krylov):
For example, this removes a restriction on how many command-line options can be passed through to the postmaster. Individual path names that pg_ctl deals with, such as the postmaster executable's name or the data directory name, are still limited to MAXPGPATH bytes in most cases.
Fix pg_dump to dump non-global default privileges correctly (Neil Chen, Masahiko Sawada):
If a global (unrestricted) ALTER DEFAULT PRIVILEGES command revoked some present-by-default privilege, for example EXECUTE for functions, and then a restricted ALTER DEFAULT PRIVILEGES command granted that privilege again for a selected role or schema, pg_dump failed to dump the restricted privilege grant correctly.
Make pg_dump acquire shared lock on partitioned tables that are to be dumped (Tom Lane):
This oversight was usually pretty harmless, since once pg_dump has locked any of the leaf partitions, that would suffice to prevent significant DDL on the partitioned table itself. However problems could ensue when dumping a childless partitioned table, since no relevant lock would be held.
Improve pg_dump's performance by avoiding making per-table queries for RLS policies, and by avoiding repetitive calls to format_type() (Tom Lane):
These changes provide only marginal improvement when dumping from a local server, but a dump from a remote server can benefit substantially due to fewer network round-trips.
Fix incorrect filename in pg_restore's error message about an invalid large object TOC file (Daniel Gustafsson)
Fix failure of contrib/btree_gin indexes on "char" (not char(n)) columns, when an indexscan using the < or

New in PostgreSQL 9.6.24 (Nov 16, 2021)

E.1.1. Migration to Version 9.6.24:
A dump/restore is not required for those running 9.6.X.
However, note that installations using physical replication should update standby servers before the primary server, as explained in the third changelog entry below.
Also, several bugs have been found that may have resulted in corrupted indexes, as explained in the next several changelog entries. If any of those cases apply to you, it's recommended to reindex possibly-affected indexes after updating.
Also, if you are upgrading from a version earlier than 9.6.21, see Section E.4.
E.1.2. Changes:
Make the server reject extraneous data after an SSL or GSS encryption handshake (Tom Lane)
A man-in-the-middle with the ability to inject data into the TCP connection could stuff some cleartext data into the start of a supposedly encryption-protected database session. This could be abused to send faked SQL commands to the server, although that would only work if the server did not demand any authentication data. (However, a server relying on SSL certificate authentication might well not do so.)
The PostgreSQL Project thanks Jacob Champion for reporting this problem. (CVE-2021-23214)
Make libpq reject extraneous data after an SSL or GSS encryption handshake (Tom Lane)
A man-in-the-middle with the ability to inject data into the TCP connection could stuff some cleartext data into the start of a supposedly encryption-protected database session. This could probably be abused to inject faked responses to the client's first few queries, although other details of libpq's behavior make that harder than it sounds. A different line of attack is to exfiltrate the client's password, or other sensitive data that might be sent early in the session. That has been shown to be possible with a server vulnerable to CVE-2021-23214.
The PostgreSQL Project thanks Jacob Champion for reporting this problem. (CVE-2021-23222)
Fix physical replication for cases where the primary crashes after shipping a WAL segment that ends with a partial WAL record (Álvaro Herrera)
If the primary did not survive long enough to finish writing the rest of the incomplete WAL record, then the previous crash-recovery logic had it back up and overwrite WAL starting from the beginning of the incomplete WAL record. This is problematic since standby servers may already have copies of that WAL segment. They will then see an inconsistent next segment, and will not be able to recover without manual intervention. To fix, do not back up over a WAL segment boundary when restarting after a crash. Instead write a new type of WAL record at the start of the next WAL segment, informing readers that the incomplete WAL record will never be finished and must be disregarded.
When applying this update, it's best to update standby servers before the primary, so that they will be ready to handle this new WAL record type if the primary happens to crash.
Fix CREATE INDEX CONCURRENTLY to wait for the latest prepared transactions (Andrey Borodin)
Rows inserted by just-prepared transactions might be omitted from the new index, causing queries relying on the index to miss such rows. The previous fix for this type of problem failed to account for PREPARE TRANSACTION commands that were still in progress when CREATE INDEX CONCURRENTLY checked for them. As before, in installations that have enabled prepared transactions (max_prepared_transactions > 0), it's recommended to reindex any concurrently-built indexes in case this problem occurred when they were built.
Avoid race condition that can cause backends to fail to add entries for new rows to an index being built concurrently (Noah Misch, Andrey Borodin)
While it's apparently rare in the field, this case could potentially affect any index built or reindexed with the CONCURRENTLY option. It is recommended to reindex any such indexes to make sure they are correct.
Fix float4 and float8 hash functions to produce uniform results for NaNs (Tom Lane)
Since PostgreSQL's floating-point types deem all NaNs to be equal, it's important for the hash functions to produce the same hash code for all bit-patterns that are NaNs according to the IEEE 754 standard. This failed to happen before, meaning that hash indexes and hash-based query plans might produce incorrect results for non-canonical NaN values. ('-NaN'::float8 is one way to produce such a value on most machines.) It is advisable to reindex hash indexes on floating-point columns, if there is any possibility that they might contain such values.
Prevent data loss during crash recovery of CREATE TABLESPACE, when wal_level = minimal (Noah Misch)
If the server crashed between CREATE TABLESPACE and the next checkpoint, replay would fully remove the contents of the new tablespace's directory, relying on subsequent WAL replay to restore everything within that directory. This interacts badly with optimizations that skip writing WAL (one example is COPY into a just-created table). Such optimizations are applied only when wal_level is minimal, which is not the default in v10 and later.
Don't discard a cast to the same type with unspecified type modifier (Tom Lane)
For example, if column f1 is of type numeric(18,3), the parser used to simply discard a cast like f1::numeric, on the grounds that it would have no run-time effect. That's true, but the exposed type of the expression should still be considered to be plain numeric, not numeric(18,3). This is important for correctly resolving the type of larger constructs, such as recursive UNIONs.
Fix corner-case loss of precision in numeric power() (Dean Rasheed)
The result could be inaccurate when the first argument is very close to 1.
Avoid regular expression errors with capturing parentheses inside {0} (Tom Lane)
Regular expressions like (.){0}...1 drew "invalid backreference number". Other regexp engines such as Perl don't complain, though, and for that matter ours doesn't either in some closely related cases. Worse, it could throw an assertion failure instead. Fix it so that no error is thrown and instead the back-reference is silently deemed to never match.
Prevent regular expression back-references from sometimes matching when they shouldn't (Tom Lane)
The regexp engine was careless about clearing match data for capturing parentheses after rejecting a partial match. This could allow a later back-reference to match in places where it should fail for lack of a defined referent.
Fix regular expression performance bug with back-references inside iteration nodes (Tom Lane)
Incorrect back-tracking logic could result in exponential time spent looking for a match. Fortunately the problem is masked in most cases by other optimizations.
Fix incorrect results from AT TIME ZONE applied to a time with time zone value (Tom Lane)
The results were incorrect if the target time zone was specified by a dynamic timezone abbreviation (that is, one that is defined as equivalent to a full time zone name, rather than a fixed UTC offset).
Clean up correctly if a transaction fails after exporting its snapshot (Dilip Kumar)
This oversight would only cause a problem if the same session attempted to export a snapshot again. The most likely scenario for that is creation of a replication slot (followed by rollback) and then creation of another replication slot.
Prevent wraparound of overflowed-subtransaction tracking on standby servers (Kyotaro Horiguchi, Alexander Korotkov)
This oversight could cause significant performance degradation (manifesting as excessive SubtransSLRU traffic) on standby servers.
Ensure that prepared transactions are properly accounted for during promotion of a standby server (Michael Paquier, Andres Freund)
There was a narrow window where a prepared transaction could be omitted from a snapshot taken by a concurrently-running session. If that session then used the snapshot to perform data updates, erroneous results or data corruption could occur.
Fix detection of a relation that has grown to the maximum allowed length (Tom Lane)
An attempt to extend a table or index past the limit of 2^32-1 blocks was rejected, but not soon enough to prevent inconsistent internal state from being created.
Correctly track the presence of data-modifying CTEs when expanding a DO INSTEAD rule (Greg Nancarrow, Tom Lane)
The previous failure to do this could lead to problems such as unsafely choosing a parallel plan.
Ensure that walreceiver processes create all required archive notification files before exiting (Fujii Masao)
If a walreceiver exited exactly at a WAL segment boundary, it failed to make a notification file for the last-received segment, thus delaying archiving of that segment on the standby.
Avoid trying to lock the OLD and NEW pseudo-relations in a rule that uses SELECT FOR UPDATE (Masahiko Sawada, Tom Lane)
Fix parser's processing of aggregate FILTER clauses (Tom Lane)
If the FILTER expression is a plain boolean column, the semantic level of the aggregate could be mis-determined, leading to not-per-spec behavior. If the FILTER expression is itself a boolean-returning aggregate, an error should be thrown but was not, likely resulting in a crash at execution.
Avoid null-pointer-dereference crash when dropping a role that owns objects being dropped concurrently (Álvaro Herrera)
Prevent "snapshot reference leak" warning when lo_export() or a related function fails (Heikki Linnakangas)
Ensure that scans of SP-GiST indexes are counted in the statistics views (Tom Lane)
Incrementing the number-of-index-scans counter was overlooked in the SP-GiST code, although per-tuple counters were advanced correctly.
Recalculate relevant wait intervals if recovery_min_apply_delay is changed during recovery (Soumyadeep Chakraborty, Ashwin Agrawal)
Fix ecpg to recover correctly after malloc() failure while establishing a connection (Michael Paquier)
Allow EXIT out of the outermost block in a PL/pgSQL routine (Tom Lane)
If the routine does not require an explicit RETURN, this usage should be valid, but it was rejected.
Remove pg_ctl's hard-coded limits on the total length of generated commands (Phil Krylov)
For example, this removes a restriction on how many command-line options can be passed through to the postmaster. Individual path names that pg_ctl deals with, such as the postmaster executable's name or the data directory name, are still limited to MAXPGPATH bytes in most cases.
Fix pg_dump to dump non-global default privileges correctly (Neil Chen, Masahiko Sawada)
If a global (unrestricted) ALTER DEFAULT PRIVILEGES command revoked some present-by-default privilege, for example EXECUTE for functions, and then a restricted ALTER DEFAULT PRIVILEGES command granted that privilege again for a selected role or schema, pg_dump failed to dump the restricted privilege grant correctly.
Improve pg_dump's performance by avoiding making per-table queries for RLS policies, and by avoiding repetitive calls to format_type() (Tom Lane)
These changes provide only marginal improvement when dumping from a local server, but a dump from a remote server can benefit substantially due to fewer network round-trips.
Fix incorrect filename in pg_restore's error message about an invalid large object TOC file (Daniel Gustafsson)
Fix failure of contrib/btree_gin indexes on "char" (not char(n)) columns, when an indexscan using the < or <= operator is performed (Tom Lane)
Such an indexscan failed to return all the entries it should.
Change contrib/pg_stat_statements to read its "query texts" file in units of at most 1GB (Tom Lane)
Such large query text files are very unusual, but if they do occur, the previous coding would fail on Windows 64 (which rejects individual read requests of more than 2GB).
Fix null-pointer crash when contrib/postgres_fdw tries to report a data conversion error (Tom Lane)
Add spinlock support for the RISC-V architecture (Marek Szuba)
This is essential for reasonable performance on that platform.
Set correct type identifier on OpenSSL BIO (I/O abstraction) objects created by PostgreSQL (Itamar Gafni)
This oversight probably only matters for code that is doing tasks like auditing the OpenSSL installation. But it's nominally a violation of the OpenSSL API, so fix it.
Make pg_regexec() robust against an out-of-range search_start parameter (Tom Lane)
Return REG_NOMATCH, instead of possibly crashing, when search_start is past the end of the string. This case is probably unreachable within core PostgreSQL, but extensions might be more careless about the parameter value.
Ensure that GetSharedSecurityLabel() can be used in a newly-started session that has not yet built its critical relation cache entries (Jeff Davis)
Use the CLDR project's data to map Windows time zone names to IANA time zones (Tom Lane)
When running on Windows, initdb attempts to set the new cluster's timezone parameter to the IANA time zone matching the system's prevailing time zone. We were using a mapping table that we'd generated years ago and updated only fitfully; unsurprisingly, it contained a number of errors as well as omissions of recently-added zones. It turns out that CLDR has been tracking the most appropriate mappings, so start using their data. This change will not affect any existing installation, only newly-initialized clusters.
Update time zone data files to tzdata release 2021e for DST law changes in Fiji, Jordan, Palestine, and Samoa, plus historical corrections for Barbados, Cook Islands, Guyana, Niue, Portugal, and Tonga.
Also, the Pacific/Enderbury zone has been renamed to Pacific/Kanton. Also, the following zones have been merged into nearby, more-populous zones whose clocks have agreed with them since 1970: Africa/Accra, America/Atikokan, America/Blanc-Sablon, America/Creston, America/Curacao, America/Nassau, America/Port_of_Spain, Antarctica/DumontDUrville, and Antarctica/Syowa. In all these cases, the previous zone name remains as an alias.

New in PostgreSQL 14.1 (Nov 11, 2021)

Make the server reject extraneous data after an SSL or GSS encryption handshake (Tom Lane)
A man-in-the-middle with the ability to inject data into the TCP connection could stuff some cleartext data into the start of a supposedly encryption-protected database session. This could be abused to send faked SQL commands to the server, although that would only work if the server did not demand any authentication data. (However, a server relying on SSL certificate authentication might well not do so.)
The PostgreSQL Project thanks Jacob Champion for reporting this problem. (CVE-2021-23214)
Make libpq reject extraneous data after an SSL or GSS encryption handshake (Tom Lane)
A man-in-the-middle with the ability to inject data into the TCP connection could stuff some cleartext data into the start of a supposedly encryption-protected database session. This could probably be abused to inject faked responses to the client's first few queries, although other details of libpq's behavior make that harder than it sounds. A different line of attack is to exfiltrate the client's password, or other sensitive data that might be sent early in the session. That has been shown to be possible with a server vulnerable to CVE-2021-23214.
The PostgreSQL Project thanks Jacob Champion for reporting this problem. (CVE-2021-23222)
Fix physical replication for cases where the primary crashes after shipping a WAL segment that ends with a partial WAL record (Álvaro Herrera)
If the primary did not survive long enough to finish writing the rest of the incomplete WAL record, then the previous crash-recovery logic had it back up and overwrite WAL starting from the beginning of the incomplete WAL record. This is problematic since standby servers may already have copies of that WAL segment. They will then see an inconsistent next segment, and will not be able to recover without manual intervention. To fix, do not back up over a WAL segment boundary when restarting after a crash. Instead write a new type of WAL record at the start of the next WAL segment, informing readers that the incomplete WAL record will never be finished and must be disregarded.
When applying this update, it's best to update standby servers before the primary, so that they will be ready to handle this new WAL record type if the primary happens to crash.
Ensure that parallel VACUUM doesn't miss any indexes (Peter Geoghegan, Masahiko Sawada)
A parallel VACUUM would fail to process indexes that are below the min_parallel_index_scan_size cutoff, if the table also has at least two indexes that are above that size. This could result in those indexes becoming corrupt, since they'd still contain references to any heap entries removed by the VACUUM; subsequent queries using such indexes would be likely to return rows they shouldn't. This problem does not affect autovacuum, since it doesn't use parallel vacuuming. However, it is advisable to reindex any manually-vacuumed tables that have the right mix of index sizes.
Fix CREATE INDEX CONCURRENTLY to wait for the latest prepared transactions (Andrey Borodin)
Rows inserted by just-prepared transactions might be omitted from the new index, causing queries relying on the index to miss such rows. The previous fix for this type of problem failed to account for PREPARE TRANSACTION commands that were still in progress when CREATE INDEX CONCURRENTLY checked for them. As before, in installations that have enabled prepared transactions (max_prepared_transactions > 0), it's recommended to reindex any concurrently-built indexes in case this problem occurred when they were built.
Avoid race condition that can cause backends to fail to add entries for new rows to an index being built concurrently (Noah Misch, Andrey Borodin)
While it's apparently rare in the field, this case could potentially affect any index built or reindexed with the CONCURRENTLY option. It is recommended to reindex any such indexes to make sure they are correct.
Fix REINDEX CONCURRENTLY to preserve operator class parameters that were attached to the target index (Michael Paquier)
Fix incorrect creation of shared dependencies when cloning a database that contains non-builtin objects (Aleksander Alekseev)
The effects of this error are probably limited in practice. In principle, it could allow a role to be dropped while it still owns objects; but most installations would never want to drop a role that had been used for objects they'd added to template1.
Ensure that the relation cache is invalidated for a table being attached to or detached from a partitioned table (Amit Langote, Álvaro Herrera)
This oversight could allow misbehavior of subsequent inserts/updates addressed directly to the partition, but only in currently-existing sessions.
Fix corruption of parse tree while creating a range type (Alex Kozhemyakin, Sergey Shinderuk)
CREATE TYPE incorrectly freed an element of the parse tree, which could cause problems for a later event trigger, or if the CREATE TYPE command was stored in the plan cache and used again later.
Fix updates of element fields in arrays of domain over composite (Tom Lane)
A command such as UPDATE tab SET fld[1].subfld = val failed if the array's elements were domains rather than plain composites.
Disallow the combination of FETCH FIRST WITH TIES and FOR UPDATE SKIP LOCKED (David Christensen)
FETCH FIRST WITH TIES necessarily fetches one more row than requested, since it cannot stop until it finds a row that is not a tie. In our current implementation, if FOR UPDATE is used then that row will also get locked even though it is not returned. That results in undesirable behavior if the SKIP LOCKED option is specified. It's difficult to change this without introducing a different set of undesirable behaviors, so for now, forbid the combination.
Disallow ALTER INDEX index ALTER COLUMN col SET (options) (Nathan Bossart, Michael Paquier)
While the parser accepted this, it's undocumented and doesn't actually work.
Fix corner-case loss of precision in numeric power() (Dean Rasheed)
The result could be inaccurate when the first argument is very close to 1.
Avoid choosing the wrong hash equality operator for Memoize plans (David Rowley)
This error could result in crashes or incorrect query results.
Fix planner error with pulling up subquery expressions into function rangetable entries (Tom Lane)
If a function in FROM laterally references the output of some sub-SELECT earlier in the FROM clause, and we are able to flatten that sub-SELECT into the outer query, the expression(s) copied into the function expression were not fully processed. This could lead to crashes at execution.
Avoid using MCV-only statistics to estimate the range of a column (Tom Lane)
There are corner cases in which ANALYZE will build a most-common-values (MCV) list but not a histogram, even though the MCV list does not account for all the observed values. In such cases, keep the planner from using the MCV list alone to estimate the range of column values.
Fix restoration of a Portal's snapshot inside a subtransaction (Bertrand Drouvot)
If a procedure commits or rolls back a transaction, and then its next significant action is inside a new subtransaction, snapshot management went wrong, leading to a dangling pointer and probable crash. A typical example in PL/pgSQL is a COMMIT immediately followed by a BEGIN ... EXCEPTION block that performs a query.
Clean up correctly if a transaction fails after exporting its snapshot (Dilip Kumar)
This oversight would only cause a problem if the same session attempted to export a snapshot again. The most likely scenario for that is creation of a replication slot (followed by rollback) and then creation of another replication slot.
Prevent wraparound of overflowed-subtransaction tracking on standby servers (Kyotaro Horiguchi, Alexander Korotkov)
This oversight could cause significant performance degradation (manifesting as excessive SubtransSLRU traffic) on standby servers.
Ensure that prepared transactions are properly accounted for during promotion of a standby server (Michael Paquier, Andres Freund)
There was a narrow window where a prepared transaction could be omitted from a snapshot taken by a concurrently-running session. If that session then used the snapshot to perform data updates, erroneous results or data corruption could occur.
Fix “could not find RecursiveUnion” error when EXPLAIN tries to print a filter condition attached to a WorkTableScan node (Tom Lane)
Ensure that the correct lock level is used when renaming a table (Nathan Bossart, Álvaro Herrera)
For historical reasons, ALTER INDEX ... RENAME can be applied to any sort of relation. The lock level required to rename an index is lower than that required to rename a table or other kind of relation, but the code got this wrong and would use the weaker lock level whenever the command is spelled ALTER INDEX.
Avoid null-pointer-dereference crash when dropping a role that owns objects being dropped concurrently (Álvaro Herrera)
Prevent “snapshot reference leak” warning when lo_export() or a related function fails (Heikki Linnakangas)
Fix inefficient code generation for CoerceToDomain expression nodes (Ranier Vilela)
Avoid O(N^2) behavior in some list-manipulation operations (Nathan Bossart, Tom Lane)
These changes fix slow processing in several scenarios, including: when a standby replays a transaction that held many exclusive locks on the primary; when many files are due to be unlinked after a checkpoint; when hash aggregation involves many batches; and when pg_trgm extracts indexable conditions from a complex regular expression. Only the first of these scenarios has actually been reported from the field, but they all seem like plausible consequences of inefficient list deletions.
Add more defensive checks around B-tree posting list splits (Peter Geoghegan)
This change should help detect index corruption involving duplicate table TIDs.
Avoid assertion failure when inserting NaN into a BRIN float8 or float4 minmax_multi_ops index (Tomas Vondra)
In production builds, such cases would result in a somewhat inefficient, but not actually incorrect, index.
Allow the autovacuum launcher process to respond to pg_log_backend_memory_contexts() requests more quickly (Koyu Tanigawa)
Fix memory leak in HMAC hash calculations (Sergey Shinderuk)
Disallow setting huge_pages to on when shared_memory_type is sysv (Thomas Munro)
Previously, this setting was accepted, but it did nothing for lack of any implementation.
Fix checking of query type in PL/pgSQL's RETURN QUERY statement (Tom Lane)
RETURN QUERY should accept any query that can return tuples, e.g. UPDATE RETURNING. v14 accidentally disallowed anything but SELECT; moreover, the RETURN QUERY EXECUTE variant failed to apply any query-type check at all.
Fix pg_dump to dump non-global default privileges correctly (Neil Chen, Masahiko Sawada)
If a global (unrestricted) ALTER DEFAULT PRIVILEGES command revoked some present-by-default privilege, for example EXECUTE for functions, and then a restricted ALTER DEFAULT PRIVILEGES command granted that privilege again for a selected role or schema, pg_dump failed to dump the restricted privilege grant correctly.
Make pg_dump acquire shared lock on partitioned tables that are to be dumped (Tom Lane)
This oversight was usually pretty harmless, since once pg_dump has locked any of the leaf partitions, that would suffice to prevent significant DDL on the partitioned table itself. However problems could ensue when dumping a childless partitioned table, since no relevant lock would be held.
Fix crash in pg_dump when attempting to dump trigger definitions from a pre-8.3 server (Tom Lane)
Fix incorrect filename in pg_restore's error message about an invalid large object TOC file (Daniel Gustafsson)
Ensure that pgbench exits with non-zero status after a socket-level failure (Yugo Nagata, Fabien Coelho)
The desired behavior is to finish out the run but then exit with status 2. Also, fix the reporting of such errors.
Prevent pg_amcheck from checking temporary relations, as well as indexes that are invalid or not ready (Mark Dilger)
This avoids unhelpful checks of relations that will almost certainly appear inconsistent.
Make contrib/amcheck skip unlogged tables when running on a standby server (Mark Dilger)
It's appropriate to do this since such tables will be empty, and unlogged indexes were already handled similarly.
Change contrib/pg_stat_statements to read its “query texts” file in units of at most 1GB (Tom Lane)
Such large query text files are very unusual, but if they do occur, the previous coding would fail on Windows 64 (which rejects individual read requests of more than 2GB).
Fix null-pointer crash when contrib/postgres_fdw tries to report a data conversion error (Tom Lane)
Ensure that GetSharedSecurityLabel() can be used in a newly-started session that has not yet built its critical relation cache entries (Jeff Davis)
When running a TAP test, include the module's own directory in PATH (Andrew Dunstan)
This allows tests to find built programs that are not installed, such as custom test drivers.
Use the CLDR project's data to map Windows time zone names to IANA time zones (Tom Lane)
When running on Windows, initdb attempts to set the new cluster's timezone parameter to the IANA time zone matching the system's prevailing time zone. We were using a mapping table that we'd generated years ago and updated only fitfully; unsurprisingly, it contained a number of errors as well as omissions of recently-added zones. It turns out that CLDR has been tracking the most appropriate mappings, so start using their data. This change will not affect any existing installation, only newly-initialized clusters.
Update time zone data files to tzdata release 2021e for DST law changes in Fiji, Jordan, Palestine, and Samoa, plus historical corrections for Barbados, Cook Islands, Guyana, Niue, Portugal, and Tonga.

New in PostgreSQL 14.0 (Sep 30, 2021)

PostgreSQL 14 brings a variety of features that help developers and administrators deploy their data-backed applications. PostgreSQL continues to add innovations on complex data types, including more convenient access for JSON and support for noncontiguous ranges of data. This latest release adds to PostgreSQL's trend on improving high performance and distributed data workloads, with advances in connection concurrency, high-write workloads, query parallelism and logical replication.
"This latest release of PostgreSQL advances our users' ability to manage data workloads at scale, enhances observability, and contains new features that help application developers," said Magnus Hagander, a PostgreSQL Core Team member. "PostgreSQL 14 is a testament to the dedication of the global PostgreSQL community in addressing feedback and continuing to deliver innovative database software that is deployed by organizations large and small."
PostgreSQL, an innovative data management system known for its reliability and robustness, benefits from over 25 years of open source development from a global developer community and has become the preferred open source relational database for organizations of all sizes.
JSON Conveniences and Multiranges:
PostgreSQL has supported manipulating JSON data since the release of PostgreSQL 9.2, though retrieval of values used a unique syntax. PostgreSQL 14 now lets you access JSON data using subscripts, e.g. a query like SELECT ('{ "postgres": { "release": 14 }}'::jsonb)['postgres']['release']; now works. This aligns PostgreSQL with syntax that is commonly recognized for retrieving information from JSON data. The subscripting framework added to PostgreSQL 14 can be generally extended to other nested data structures, and is also applied to the hstore data type in this release.
Range types, also first released in PostgreSQL 9.2, now have support for noncontiguous ranges through the introduction of the "multirange" data type. A multirange is an ordered list of ranges that are nonoverlapping, which lets developers write simpler queries for dealing with complex sequences of ranges. The range types native to PostgreSQL (dates, times, numbers) support multiranges, and other data types can be extended to use multirange support.
Performance Improvements for Heavy Workloads:
PostgreSQL 14 provides a significant throughput boost on workloads that use many connections, with some benchmarks showing a 2x speedup. This release continues on the recent improvements to the management of B-tree indexes by reducing index bloat on tables with frequently updated indexes.
PostgreSQL 14 introduces the ability to pipeline queries to a database, which can significantly improve performance over high latency connections or for workloads with many small write (INSERT/UPDATE/DELETE) operations. As this is a client-side feature, you can use pipeline mode with any modern PostgreSQL database with the version 14 client or a client driver built with version 14 of libpq.
Enhancements for Distributed Workloads:
Distributed PostgreSQL databases stand to benefit from PostgreSQL 14. When using logical replication, PostgreSQL can now stream in-progress transactions to subscribers, with significant performance benefits for applying large transactions on subscribers. PostgreSQL 14 also adds several other performance enhancements to the logical decoding system that powers logical replication.
Foreign data wrappers, which are used for working with federated workloads across PostgreSQL and other databases, can now leverage query parallelism in PostgreSQL 14. This release implements this ability in the postgres_fdw, the foreign data wrapper that interfaces with other PostgreSQL databases.
In addition to supporting query parallelism, postgres_fdw can now bulk insert data on foreign tables and import table partitions with the IMPORT FOREIGN SCHEMA directive.
Administration and Observability:
PostgreSQL 14 extends its performance gains to the vacuuming system, including optimizations for reducing overhead from B-Trees. This release also adds a vacuum "emergency mode" that is designed to prevent transaction ID wraparound. ANALYZE, used to collect database statistics, now runs significantly faster in PostgreSQL 14 due to its own performance improvements.
Compression for PostgreSQL's TOAST system, which is used to store larger data like blocks of text or geometries, can now be configured. PostgreSQL 14 adds LZ4 compression for TOAST columns while retaining support for pglz compression.
PostgreSQL 14 adds several new features to help with monitoring and observability, including the ability to track the progress of COPY commands, write-ahead-log (WAL) activity, and statistics on replication slots. Enabling compute_query_id lets you uniquely track a query through several PostgreSQL features, including pg_stat_activity, EXPLAIN VERBOSE, and more.
SQL Performance, Conformance, and Convenience:
Query planning and execution benefit from enhancements in PostgreSQL 14. This release includes several improvements to PostgreSQL's query parallelism support, including better performance of parallel sequential scans, the ability for PL/pgSQL to execute parallel queries when using the RETURN QUERY command, and enabling REFRESH MATERIALIZED VIEW to execute parallel queries. Additionally, queries that use nested loop joins may see performance benefits through additional caching that is added in PostgreSQL 14.
Extended statistics can now be used in PostgreSQL 14 for expressions. Additionally, window functions can now benefit from incremental sorts, a feature introduced in PostgreSQL 13.
Stored procedures, which allow for transaction control in a block of code, can now return data by using OUT parameters.
PostgreSQL 14 introduces the ability to "bin", or align, timestamps to a particular interval using the date_bin function. This release also adds the SQL conforming SEARCH and CYCLE clauses to help with ordering and cycle detection for recursive common table expressions.
Security Enhancements:
PostgreSQL 14 makes it convenient to assign read-only and write-only privileges to users on tables, views, and schemas using the pg_read_all_data and pg_write_all_data predefined roles.
Additionally, this release now makes the standards-compliant SCRAM-SHA-256 password management and authentication system the default on new PostgreSQL instances.

New in PostgreSQL 14.0 RC 1 (Sep 24, 2021)

New in PostgreSQL 13.4 (Aug 12, 2021)

Changes:
Fix mis-planning of repeated application of a projection step (Tom Lane)
The planner could create an incorrect plan in cases where two ProjectionPaths were stacked on top of each other. The only known way to trigger that situation involves parallel sort operations, but there may be other instances. The result would be crashes or incorrect query results. Disclosure of server memory contents is also possible. (CVE-2021-3677)
Disallow SSL renegotiation more completely (Michael Paquier)
SSL renegotiation has been disabled for some time, but the server would still cooperate with a client-initiated renegotiation request. A maliciously crafted renegotiation request could result in a server crash (see OpenSSL issue CVE-2021-3449). Disable the feature altogether on OpenSSL versions that permit doing so, which are 1.1.0h and newer.
Restore the Portal-level snapshot after COMMIT or ROLLBACK within a procedure (Tom Lane)
This change fixes cases where an attempt to fetch a toasted value immediately after COMMIT/ROLLBACK would fail with errors like “no known snapshots” or “missing chunk number 0 for toast value”.
Some extensions may attempt to execute SQL code outside of any Portal. They are responsible for ensuring that an outer snapshot exists before doing so. Previously, not providing a snapshot might work or it might not; now it will consistently fail with “cannot execute SQL without an outer snapshot or portal”.
Avoid misbehavior when persisting the output of a cursor that's reading a non-stable query (Tom Lane)
Previously, we'd always rewind and re-read the whole query result, possibly getting results different from the earlier execution, causing great confusion later. For a NO SCROLL cursor, we can fix this by only storing the not-yet-read portion of the query output, which is sufficient since a NO SCROLL cursor can't be backed up. Cursors with the SCROLL option remain at hazard, but that was already documented to be an unsafe option to use with a non-stable query. Make those documentation warnings stronger.
Also force NO SCROLL mode for the implicit cursor used by a PL/pgSQL FOR-over-query loop, to avoid this type of problem when persisting such a cursor during an intra-procedure commit.
Reject SELECT ... GROUP BY GROUPING SETS (()) FOR UPDATE (Tom Lane)
This should be disallowed, just as FOR UPDATE with a plain GROUP BY is disallowed, but the test for that failed to handle empty grouping sets correctly. The end result would be a null-pointer dereference in the executor.
Reject cases where a query in WITH rewrites to just NOTIFY (Tom Lane)
Such cases previously crashed.
In numeric multiplication, round the result rather than failing if it would have more than 16383 digits after the decimal point (Dean Rasheed)
Fix corner-case errors and loss of precision when raising numeric values to very large powers (Dean Rasheed)
Fix division-by-zero failure in to_char() with EEEE format and a numeric input value less than 10^(-1001) (Dean Rasheed)
Fix pg_size_pretty(bigint) to round negative values consistently with the way it rounds positive ones (and consistently with the numeric version) (Dean Rasheed, David Rowley)
Make pg_filenode_relation(0, 0) return NULL rather than failing (Justin Pryzby)
Make ALTER EXTENSION lock the extension when adding or removing a member object (Tom Lane)
The previous coding allowed ALTER EXTENSION ADD/DROP to occur concurrently with DROP EXTENSION, leading to a crash or corrupt catalog entries.
Fix ALTER SUBSCRIPTION to reject an empty slot name (Japin Li)
When cloning a partitioned table's triggers to a new partition, ensure that their enabled status is copied (Álvaro Herrera)
Avoid alias conflicts in queries generated for REFRESH MATERIALIZED VIEW CONCURRENTLY (Tom Lane, Bharath Rupireddy)
This command failed on materialized views containing columns with certain names, notably mv and newdata.
Fix PREPARE TRANSACTION to check correctly for conflicting session-lifespan and transaction-lifespan locks (Tom Lane)
A transaction cannot be prepared if it has both session-lifespan and transaction-lifespan locks on the same advisory-lock ID value. This restriction was not fully checked, which could lead to a PANIC during PREPARE TRANSACTION.
Fix misbehavior of DROP OWNED BY when the target role is listed more than once in an RLS policy (Tom Lane)
Skip unnecessary error tests when removing a role from an RLS policy during DROP OWNED BY (Tom Lane)
Notably, this fixes some cases where it was necessary to be a superuser to use DROP OWNED BY.
Re-allow old-style Windows locale names in CREATE COLLATION commands (Thomas Munro)
Previously we were failing because the operating system can't provide version information for such locales. At some point we may decide to require version information, but no such policy exists yet, so re-allow the case for now.
Disallow whole-row variables in GENERATED expressions (Tom Lane)
Use of a whole-row variable clearly violates the rule that a generated column cannot depend on itself, so such cases have no well-defined behavior. The actual behavior frequently included a crash.
Fix usage of tableoid in GENERATED expressions (Tom Lane)
Some code paths failed to provide a valid value for this system column while evaluating a GENERATED expression.
Don't store a “fast default” when adding a column to a foreign table (Andrew Dunstan)
The fast default is useless since no local heap storage exists for such a table, but it confused subsequent operations. In addition to suppressing creation of such catalog entries in ALTER TABLE commands, adjust the downstream code to cope when one is incorrectly present.
Allow index state flags to be updated transactionally (Michael Paquier, Andrey Lepikhov)
This avoids failures when dealing with index predicates that aren't really immutable. While that's not considered a supported case, the original reason for using a non-transactional update here is long gone, so we may as well change it.
Avoid corrupting the plan cache entry when CREATE DOMAIN or ALTER DOMAIN appears in a cached plan (Tom Lane)
Make walsenders show their latest replication commands in pg_stat_activity (Tom Lane)
Previously, a walsender would show its latest SQL command, which was confusing if it's now doing some replication operation instead. Now we show replication-protocol commands on the same footing as SQL commands.
Make pg_settings.pending_restart show as true when the pertinent entry in postgresql.conf has been removed (Álvaro Herrera)
Pending_restart correctly showed the case where an entry that cannot be changed without a postmaster restart has been modified, but not where the entry had been removed altogether.
On 64-bit Windows, allow the effective value of work_mem times hash_mem_multiplier to exceed 2GB (Tom Lane)
This allows hash_mem_multiplier to be used for its intended purpose of preventing large hash aggregations from spilling to disk, even when “large” means multiple gigabytes.
Fix mis-planning of queries involving regular tables that are inheritance children of foreign tables (Amit Langote)
SELECT FOR UPDATE and related commands would fail with assertion failures or “could not find junk column” errors in such cases.
Fix pullup of constant function-in-FROM results when the FROM item is marked LATERAL (Tom Lane)
Fix corner-case failure of a new standby to follow a new primary (Dilip Kumar, Robert Haas)
Under a narrow combination of conditions, the standby could wind up trying to follow the wrong WAL timeline.
Update minimum recovery point when WAL replay of a transaction abort record causes file truncation (Fujii Masao)
File truncation is irreversible, so it's no longer safe to stop recovery at a point earlier than that record. The corresponding case for transaction commit was fixed years ago, but this one was overlooked.
Advance oldest-required-WAL-segment horizon properly after a replication slot is invalidated (Kyotaro Horiguchi)
If all slots were invalidated, the horizon would not move again, eventually allowing the server's WAL storage to run out of space.
In walreceivers, avoid attempting catalog lookups after an error (Masahiko Sawada, Bharath Rupireddy)
Ensure that a standby server's startup process will respond to a shutdown signal promptly while waiting for WAL to arrive (Fujii Masao, Soumyadeep Chakraborty)
Correctly clear shared state after failing to become a member of a transaction commit group (Amit Kapila)
Given the right timing, this could cause an assertion failure when some later session re-uses the same PGPROC object.
Add locking to avoid reading incorrect relmapper data in the face of a concurrent write from another process (Heikki Linnakangas)
Improve progress reporting for the sort phase of a parallel btree index build (Matthias van de Meent)
Improve checks for violations of replication protocol (Tom Lane)
Logical replication workers frequently used Asserts to check for cases that could be triggered by invalid or out-of-order replication commands. This seems unwise, so promote these tests to regular error checks.
Fix assorted crash cases in logical replication of partitioned-table updates (Amit Langote, Tom Lane)
Fix potential crash when firing AFTER triggers of partitioned tables in logical replication workers (Tom Lane)
Fix deadlock when multiple logical replication workers try to truncate the same table (Peter Smith, Haiying Tang)
Fix error cases and memory leaks in logical decoding of speculative insertions (Dilip Kumar)
Fix memory leak in logical replication output (Amit Langote)
Avoid leaving an invalid record-type hash table entry behind after an error (Sait Talha Nisanci)
This could lead to later crashes or memory leakage.
Fix plan cache reference leaks in some error cases in CREATE TABLE ... AS EXECUTE (Tom Lane)
Fix race condition in code for sharing tuple descriptors across parallel workers (Thomas Munro)
Given the right timing, a crash could result.
Fix race condition when invalidating an obsolete replication slot concurrently with an attempt to drop or update it (Andres Freund, Álvaro Herrera)
Fix possible race condition when releasing BackgroundWorkerSlots (Tom Lane)
It's likely that this doesn't fix any observable bug on Intel hardware, but machines with weaker memory ordering rules could have problems.Fix latent crash in sorting code (Ronan Dunklau)
One code path could attempt to free a null pointer. The case appears unreachable in the core server's use of sorting, but perhaps it could be triggered by extensions.
Harden B-tree posting list split code against corrupt data (Peter Geoghegan)
Throw an error, rather than crashing, for an attempt to insert an item with a TID identical to an existing entry. While that shouldn't ever happen, it has been reported to happen when the index is inconsistent with its table.
Prevent infinite loops in SP-GiST index insertion (Tom Lane)
In the event that INCLUDE columns take up enough space to prevent a leaf index tuple from ever fitting on a page, the text_ops operator class would get into an infinite loop vainly trying to make the tuple fit. While pre-v11 versions don't have INCLUDE columns, back-patch this anti-looping fix to them anyway, as it seems like a good defense against bugs in operator classes.
Ensure that SP-GiST index insertion can be terminated by a query cancel request (Tom Lane, Álvaro Herrera)
Fix uninitialized-variable bug that could cause PL/pgSQL to act as though an INTO clause specified STRICT, even though it didn't (Tom Lane)
Don't abort the process for an out-of-memory failure in libpq's printing functions (Tom Lane)
In ecpg, allow the numeric value INT_MIN (usually -2147483648) to be converted to integer (John Naylor)
In psql and other client programs, avoid overrunning the ends of strings when dealing with invalidly-encoded data (Tom Lane)
An incorrectly-encoded multibyte character near the end of a string could cause various processing loops to run past the string's terminating NUL, with results ranging from no detectable issue to a program crash, depending on what happens to be in the following memory. This is reminiscent of CVE-2006-2313, although these particular cases do not appear to have interesting security consequences.
Fix pg_dump to correctly handle triggers on partitioned tables whose enabled status is different from their parent triggers' status (Justin Pryzby, Álvaro Herrera)
Avoid “invalid creation date in header” warnings observed when running pg_restore on an archive file created in a different time zone (Tom Lane)
Make pg_upgrade carry forward the old installation's oldestXID value (Bertrand Drouvot)
Previously, the new installation's oldestXID was set to a value old enough to (usually) force immediate anti-wraparound autovacuuming. That's not desirable from a performance standpoint; what's worse, installations using large values of autovacuum_freeze_max_age could suffer unwanted forced shutdowns soon after an upgrade.
Extend pg_upgrade to detect and warn about extensions that should be upgraded (Bruce Momjian)
A script file is now produced containing the ALTER EXTENSION UPDATE commands needed to bring extensions up to the versions that are considered default in the new installation.
Avoid problems when switching pg_receivewal between compressed and non-compressed WAL storage (Michael Paquier)
Fix contrib/postgres_fdw to work usefully with generated columns (Etsuro Fujita)
Postgres_fdw will now behave reasonably with generated columns, so long as a generated column in a foreign table represents a generated column in the remote table. IMPORT FOREIGN SCHEMA will now import generated columns that way by default.
In contrib/postgres_fdw, avoid attempting catalog lookups after an error (Tom Lane)
While this usually worked, it's not very safe since the error might have been one that made catalog access nonfunctional. A side effect of the fix is that messages about data conversion errors will now mention the query's table and column aliases (if used) rather than the true underlying name of a foreign table or column.
Improve the isolation-test infrastructure (Tom Lane, Michael Paquier)
Allow isolation test steps to be annotated to show the expected completion order. This allows getting stable results from otherwise-racy test cases, without the long delays that we previously used (not entirely successfully) to fend off race conditions. Allow non-quoted identifiers as isolation test session/step names (formerly, all such names had to be double-quoted). Detect and warn about unused steps in isolation tests. Improve display of query results in isolation tests. Remove isolationtester's “dry-run” mode. Remove memory leaks in isolationtester itself.
Reduce overhead of cache-clobber testing (Tom Lane)
Fix PL/Python's regression tests to pass with Python 3.10 (Honza Horak)
Make printf("%s", NULL) print (null) instead of crashing (Tom Lane)
This should improve server robustness in corner cases, and it syncs our printf implementation with common libraries.
Fix incorrect log message when point-in-time recovery stops at a ROLLBACK PREPARED record (Simon Riggs)
Improve ALTER TABLE's messages for wrong-relation-kind errors (Kyotaro Horiguchi)
Clarify error messages referring to “non-negative” values (Bharath Rupireddy)
Fix configure to work with OpenLDAP 2.5, which no longer has a separate libldap_r library (Adrian Ho, Tom Lane)
If there is no libldap_r library, we now silently assume that libldap is thread-safe.
Add new make targets world-bin and install-world-bin (Andrew Dunstan)
These are the same as world and install-world respectively, except that they do not build or install the documentation.
Fix make rule for TAP tests (prove_installcheck) to work in PGXS usage (Andrew Dunstan)
Adjust JIT code to prepare for forthcoming LLVM API change (Thomas Munro, Andres Freund)
LLVM 13 has made an incompatible API change that will cause crashing of our previous JIT compiler.
Avoid assuming that strings returned by GSSAPI libraries are null-terminated (Tom Lane)
The GSSAPI spec provides for a string pointer and length. It seems that in practice the next byte after the string is usually zero, so that our previous coding didn't actually fail; but we do have a report of AddressSanitizer complaints.
Enable building with GSSAPI on MSVC (Michael Paquier)
Fix various incompatibilities with modern Kerberos builds.
In MSVC builds, include --with-pgport in the set of configure options reported by pg_config, if it had been specified (Andrew Dunstan)

New in PostgreSQL 14.0 Beta 2 (Jun 24, 2021)

New in PostgreSQL 14.0 Beta 1 (May 25, 2021)

E.1.1. Overview:
PostgreSQL 14 contains many new features and enhancements, including:
The above items and other new features of PostgreSQL 14 are explained in more detail in the sections below.
E.1.2. Migration to Version 14
A dump/restore using pg_dumpall or use of pg_upgrade or logical replication is required for those wishing to migrate data from any previous release. See Section 19.6 for general information on migrating to new major releases.
Version 14 contains a number of changes that may affect compatibility with previous releases. Observe the following incompatibilities:
Prevent the containment operators (<@ and @>) for contrib/intarray from using GiST indexes (Tom Lane)
Previously a full GiST index scan was required, so just avoid that and scan the heap, which is faster. Indexes created for this purpose should be removed.
Remove deprecated containment operators @ and ~ for built-in geometric data types and contrib modules cube, hstore, intarray, and seg (Justin Pryzby)
The more consistent <@ and @> have been recommended for many years.
Fix to_tsquery() and websearch_to_tsquery() to properly parse query text containing discarded tokens (Alexander Korotkov)
Certain discarded tokens, like underscore, caused the output of these functions to produce incorrect tsquery output, e.g., both websearch_to_tsquery('"pg_class pg"') and to_tsquery('pg_class <-> pg') used to output '( pg & class ) <-> pg', but now both output 'pg <-> class <-> pg'.
Fix websearch_to_tsquery() to properly parse multiple adjacent discarded tokens in quotes (Alexander Korotkov)
Previously, quoted text that contained multiple adjacent discarded tokens were treated as multiple tokens, causing incorrect tsquery output, e.g., websearch_to_tsquery('"aaa: bbb"') used to output 'aaa <2> bbb', but now outputs 'aaa <-> bbb'.
Change the default of the password_encryption server parameter to scram-sha-256 (Peter Eisentraut)
Previously it was md5. All new passwords will be stored as SHA256 unless this server variable is changed or the password is specified in md5 format. Also, the legacy (and undocumented) boolean-like values which were previously synonyms for md5 are no longer accepted.
Overhaul the specification of clientcert in pg_hba.conf (Kyotaro Horiguchi)
Values 1/0/no-verify are no longer supported; only the strings verify-ca and verify-full can be used. Also, disallow verify-ca if cert authentication is enabled since cert requires verify-full checking.
Remove support for SSL compression (Daniel Gustafsson, Michael Paquier)
This was already disabled by default in previous Postgres releases, and most modern OpenSSL and TLS versions no longer support it.
Remove server and libpq support for the version 2 wire protocol (Heikki Linnakangas)
This was last used as the default in Postgres 7.2 (year 2002).
Change EXTRACT to return the NUMERIC data type (Peter Eisentraut)
EXTRACT(date) now throws an error for units that are not part of the date data type.
Fix handling of infinite window function ranges (Tom Lane)
Previously window frame clauses like 'inf' PRECEDING AND 'inf' FOLLOWING returned incorrect results.
Prevent tablefunc's function normal_rand() from accepting negative values (Ashutosh Bapat)
Negative values produced undesirable results.
Change var_samp() and stddev_samp() with numeric parameters to return NULL for a single NaN value (Tom Lane)
Previously NaN was returned.
Remove factorial operators ! and !! (Mark Dilger)
The factorial() function is still supported. Also remove function numeric_fac().
Disallow factorial() of negative numbers (Peter Eisentraut)
Previously such cases returned 1.
Remove support for postfix (right-unary) operators (Mark Dilger)
pg_dump and pg_upgrade will warn if postfix operators are being dumped.
Allow D and W shorthands to match newlines in newline-sensitive mode (Tom Lane)
Previously they did not match; [^[:digit:]] or [^[:word:]] can be used to get the old behavior.
Improve handling of regular expression back-references (Tom Lane)
For example, disregard ^ in its expansion in 1 in "(^d+).*1".
Disallow w as range start/end in character classes (Tom Lane)
This previously was allowed but produced incorrect results.
Force custom server variable names to match the pattern used for unquoted SQL identifiers (Tom Lane)
Return false for has_column_privilege() checks on non-existent or dropped columns when using attribute numbers (Joe Conway)
Previously such attribute numbers returned an invalid column error.
Pass doubled quote marks in ecpg SQL command strings literally (Tom Lane)
Previously 'abc''def' was passed to the server as 'abc'def', and "abc""def" was passed as "abc"def".
Disallow single-quoting of the language name in the CREATE/DROP LANGUAGE command (Peter Eisentraut)
Remove contrib program pg_standby (Justin Pryzby)
Remove composite types for sequences or toast tables (Tom Lane)
Remove operator_precedence_warning setting (Tom Lane)
This was needed for warning applications about PostgreSQL 9.5 changes.

New in PostgreSQL 13.3 / 12.7 / 11.12 / 10.17 / 9.6.22 (May 14, 2021)

Security Issues:
CVE-2021-32027: Buffer overrun from integer overflow in array subscripting calculations:
Versions Affected: 9.6 - 13. The security team typically does not test unsupported versions, but this problem is quite old.
While modifying certain SQL array values, missing bounds checks let authenticated database users write arbitrary bytes to a wide area of server memory.
The PostgreSQL project thanks Tom Lane for reporting this problem.
CVE-2021-32028: Memory disclosure in INSERT ... ON CONFLICT ... DO UPDATE:
Versions Affected: 9.6 - 13. The security team typically does not test unsupported versions. The feature first appeared in 9.5.
Using an INSERT ... ON CONFLICT ... DO UPDATE command on a purpose-crafted table, an attacker can read arbitrary bytes of server memory. In the default configuration, any authenticated database user can create prerequisite objects and complete this attack at will. A user lacking the CREATE and TEMPORARY privileges on all databases and the CREATE privilege on all schemas cannot use this attack at will.
The PostgreSQL project thanks Andres Freund for reporting this problem.
CVE-2021-32029: Memory disclosure in partitioned-table UPDATE ... RETURNING:
Versions Affected: 11 - 13
Using an UPDATE ... RETURNING on a purpose-crafted partitioned table, an attacker can read arbitrary bytes of server memory. In the default configuration, any authenticated database user can create prerequisite objects and complete this attack at will. A user lacking the CREATE and TEMPORARY privileges on all databases and the CREATE privilege on all schemas typically cannot use this attack at will.
Bug Fixes and Improvements:
This update fixes over 45 bugs that were reported in the last several months. Some of these issues only affect version 13, but could also apply to other supported versions.
Some of these fixes include:
Fix potential incorrect computation of UPDATE ... RETURNING outputs for joined, cross-partition updates.
Fix ALTER TABLE ... ALTER CONSTRAINT when used on foreign-key constraints on partitioned tables. The command would fail to adjust the DEFERRABLE and/or INITIALLY DEFERRED properties of the constraints and triggers of leaf partitions, leading to unexpected behavior. After updating to this version, you can execute the ALTER TABLE ... ALTER CONSTRAINT command to fix any misbehaving partitioned tables.
Ensure that when a child table is attached with ALTER TABLE ... INHERIT that generated columns in the parent are generated in the same way in the child.
Forbid marking an identity column as NULL.
Allow ALTER ROLE ... SET/ALTER DATABASE ... SET to set the role, session_authorization, and temp_buffers parameters.
Ensure that REINDEX CONCURRENTLY preserves any statistics target set for the index.
Fix an issue where, in some cases, saving records within AFTER triggers could cause crashes.
Fix how to_char() handles Roman-numeral month format codes with negative intervals.
Fix use of uninitialized value while parsing an {m,n} quantifier in a BRE-mode regular expression.
Fix "could not find pathkey item to sort" planner errors that occur in some situations when the sort key involves an aggregate or window function.
Fix issue with BRIN index bitmap scans that could lead to "could not open file" errors.
Fix potentially wrong answers from GIN tsvector index searches when there are many matching records.
Fixes for COMMIT AND CHAIN functionality on both the server and psql.
Avoid incorrect timeline change while recovering uncommitted two-phase transactions from WAL, which could lead to consistency issues and the inability to restart the server.
Ensure thatwal_sync_method is set to fdatasync by default on newer FreeBSD releases.
Disable the vacuum_cleanup_index_scale_factor parameter and storage option.
Fix several memory leaks in the server, including one with SSL/TLS parameter initialization.
Restore the previous behavior of connect service=XYZ to psql, i.e. disallow environmental variables (e.g. PGPORT) from overriding entries in the service file.
Fix how pg_dump handles generated columns in partitioned tables.
Add additional checks to pg_upgrade for user tables containing non-upgradable data types.
On Windows, initdb now prints instructions about how to start the server with pg_ctl using backslash separators.
Fix pg_waldump to count XACT records correctly when generating per-record statistics.

New in PostgreSQL 13.3 (May 13, 2021)

Server:
Partitioning:
Allow pruning of partitions to happen in more cases (Yuzuko Hosoya, Amit Langote, Álvaro Herrera)
Allow partitionwise joins to happen in more cases (Ashutosh Bapat, Etsuro Fujita, Amit Langote, Tom Lane)
For example, partitionwise joins can now happen between partitioned tables even when their partition bounds do not match exactly.
Support row-level BEFORE triggers on partitioned tables (Álvaro Herrera)
However, such a trigger is not allowed to change which partition is the destination.
Allow partitioned tables to be logically replicated via publications (Amit Langote)
Previously, partitions had to be replicated individually. Now a partitioned table can be published explicitly, causing all its partitions to be published automatically. Addition/removal of a partition causes it to be likewise added to or removed from the publication. The CREATE PUBLICATION option publish_via_partition_root controls whether changes to partitions are published as their own changes or their parent's.
Allow logical replication into partitioned tables on subscribers (Amit Langote)
Previously, subscribers could only receive rows into non-partitioned tables.
Allow whole-row variables (that is, table.*) to be used in partitioning expressions (Amit Langote)
Indexes:
More efficiently store duplicates in B-tree indexes (Anastasia Lubennikova, Peter Geoghegan)
This allows efficient B-tree indexing of low-cardinality columns by storing duplicate keys only once. Users upgrading with pg_upgrade will need to use REINDEX to make an existing index use this feature.
Allow GiST and SP-GiST indexes on box columns to support ORDER BY box <-> point queries (Nikita Glukhov)
Allow GIN indexes to more efficiently handle ! (NOT) clauses in tsquery searches (Nikita Glukhov, Alexander Korotkov, Tom Lane, Julien Rouhaud)
Allow index operator classes to take parameters (Nikita Glukhov)
Allow CREATE INDEX to specify the GiST signature length and maximum number of integer ranges (Nikita Glukhov)
Indexes created on four and eight-byte integer array, tsvector, pg_trgm, ltree, and hstore columns can now control these GiST index parameters, rather than using the defaults.
Prevent indexes that use non-default collations from being added as a table's unique or primary key constraint (Tom Lane)
The index's collation must match that of the underlying column, but ALTER TABLE previously failed to check this.
Optimizer:
Improve the optimizer's selectivity estimation for containment/match operators (Tom Lane)
Allow setting the statistics target for extended statistics (Tomas Vondra)
This is controlled with the new command option ALTER STATISTICS ... SET STATISTICS. Previously this was computed based on more general statistics target settings.
Allow use of multiple extended statistics objects in a single query (Tomas Vondra)
Allow use of extended statistics objects for OR clauses and IN/ANY constant lists (Pierre Ducroquet, Tomas Vondra)
Allow functions in FROM clauses to be pulled up (inlined) if they evaluate to constants (Alexander Kuzmenkov, Aleksandr Parfenov)
General Performance:
Implement incremental sorting (James Coleman, Alexander Korotkov, Tomas Vondra)
If an intermediate query result is known to be sorted by one or more leading keys of a required sort ordering, the additional sorting can be done considering only the remaining keys, if the rows are sorted in batches that have equal leading keys.
If necessary, this can be controlled using enable_incremental_sort.
Improve the performance of sorting inet values (Brandur Leach)
Allow hash aggregation to use disk storage for large aggregation result sets (Jeff Davis)
Previously, hash aggregation was avoided if it was expected to use more than work_mem memory. Now, a hash aggregation plan can be chosen despite that. The hash table will be spilled to disk if it exceeds work_mem times hash_mem_multiplier.
This behavior is normally preferable to the old behavior, in which once hash aggregation had been chosen, the hash table would be kept in memory no matter how large it got — which could be very large if the planner had misestimated. If necessary, behavior similar to that can be obtained by increasing hash_mem_multiplier.
Allow inserts, not only updates and deletes, to trigger vacuuming activity in autovacuum (Laurenz Albe, Darafei Praliaskouski)
Previously, insert-only activity would trigger auto-analyze but not auto-vacuum, on the grounds that there could not be any dead tuples to remove. However, a vacuum scan has other useful side-effects such as setting page-all-visible bits, which improves the efficiency of index-only scans. Also, allowing an insert-only table to receive periodic vacuuming helps to spread out the work of “freezing” old tuples, so that there is not suddenly a large amount of freezing work to do when the entire table reaches the anti-wraparound threshold all at once.
If necessary, this behavior can be adjusted with the new parameters autovacuum_vacuum_insert_threshold and autovacuum_vacuum_insert_scale_factor, or the equivalent table storage options.
Add maintenance_io_concurrency parameter to control I/O concurrency for maintenance operations (Thomas Munro)
Allow WAL writes to be skipped during a transaction that creates or rewrites a relation, if wal_level is minimal (Kyotaro Horiguchi)
Relations larger than wal_skip_threshold will have their files fsync'ed rather than generating WAL. Previously this was done only for COPY operations, but the implementation had a bug that could cause data loss during crash recovery.
Improve performance when replaying DROP DATABASE commands when many tablespaces are in use (Fujii Masao)
Improve performance for truncation of very large relations (Kirk Jamison)
Improve retrieval of the leading bytes of TOAST'ed values (Binguo Bao, Andrey Borodin)
Previously, compressed out-of-line TOAST values were fully fetched even when it's known that only some leading bytes are needed. Now, only enough data to produce the result is fetched.
Improve performance of LISTEN/NOTIFY (Martijn van Oosterhout, Tom Lane)
Speed up conversions of integers to text (David Fetter)
Reduce memory usage for query strings and extension scripts that contain many SQL statements (Amit Langote)
Monitoring:
Allow EXPLAIN, auto_explain, autovacuum, and pg_stat_statements to track WAL usage statistics (Kirill Bychik, Julien Rouhaud)
Allow a sample of SQL statements, rather than all statements, to be logged (Adrien Nayrat)
A log_statement_sample_rate fraction of those statements taking more than log_min_duration_sample duration will be logged.
Add the backend type to csvlog and optionally log_line_prefix log output (Peter Eisentraut)
Improve control of prepared statement parameter logging (Alexey Bashtanov, Álvaro Herrera)
The GUC setting log_parameter_max_length controls the maximum length of parameter values output during logging of non-error statements, while log_parameter_max_length_on_error does the same for logging of statements with errors. Previously, prepared statement parameters were never logged during errors.
Allow function call backtraces to be logged after errors (Peter Eisentraut, Álvaro Herrera)
The new parameter backtrace_functions specifies which C functions should generate backtraces on error.
Make vacuum buffer counters 64-bits wide to avoid overflow (Álvaro Herrera)
System Views:
Add leader_pid to pg_stat_activity to report a parallel worker's leader process (Julien Rouhaud)
Add system view pg_stat_progress_basebackup to report the progress of streaming base backups (Fujii Masao)
Add system view pg_stat_progress_analyze to report ANALYZE progress (Álvaro Herrera, Tatsuro Yamada, Vinayak Pokale)
Add system view pg_shmem_allocations to display shared memory usage (Andres Freund, Robert Haas)
Add system view pg_stat_slru to monitor internal SLRU caches (Tomas Vondra)
Allow track_activity_query_size to be set as high as 1MB (Vyacheslav Makarov)
The previous maximum was 100kB.
Wait Events:
Report a wait event while creating a DSM segment with posix_fallocate() (Thomas Munro)
Add wait event VacuumDelay to report on cost-based vacuum delay (Justin Pryzby)
Add wait events for WAL archive and recovery pause (Fujii Masao)
The new events are BackupWaitWalArchive and RecoveryPause.
Add wait events RecoveryConflictSnapshot and RecoveryConflictTablespace to monitor recovery conflicts (Masahiko Sawada)
Improve performance of wait events on BSD-based systems (Thomas Munro)
Authentication:
Allow only superusers to view the ssl_passphrase_command setting (Insung Moon)
This was changed as a security precaution.
Change the server's default minimum TLS version for encrypted connections from 1.0 to 1.2 (Peter Eisentraut)
This choice can be controlled by ssl_min_protocol_version.
Server Configuration:
Tighten rules on which utility commands are allowed in read-only transaction mode (Robert Haas)
This change also increases the number of utility commands that can run in parallel queries.
Allow allow_system_table_mods to be changed after server start (Peter Eisentraut)
Disallow non-superusers from modifying system tables when allow_system_table_mods is set (Peter Eisentraut)
Previously, if allow_system_table_mods was set at server start, non-superusers could issue INSERT/UPDATE/DELETE commands on system tables.
Enable support for Unix-domain sockets on Windows (Peter Eisentraut)
Streaming Replication and Recovery:
Allow streaming replication configuration settings to be changed by reload (Sergei Kornilov)
Previously, a server restart was required to change primary_conninfo and primary_slot_name.
Allow WAL receivers to use a temporary replication slot when a permanent one is not specified (Peter Eisentraut, Sergei Kornilov)
This behavior can be enabled using wal_receiver_create_temp_slot.
Allow WAL storage for replication slots to be limited by max_slot_wal_keep_size (Kyotaro Horiguchi)
Replication slots that would require exceeding this value are marked invalid.
Allow standby promotion to cancel any requested pause (Fujii Masao)
Previously, promotion could not happen while the standby was in paused state.
Generate an error if recovery does not reach the specified recovery target (Leif Gunnar Erlandsen, Peter Eisentraut)
Previously, a standby would promote itself upon reaching the end of WAL, even if the target was not reached.
Allow control over how much memory is used by logical decoding before it is spilled to disk (Tomas Vondra, Dilip Kumar, Amit Kapila)
This is controlled by logical_decoding_work_mem.
Allow recovery to continue even if invalid pages are referenced by WAL (Fujii Masao)
This is enabled using ignore_invalid_pages.
Utility Commands:
Allow VACUUM to process a table's indexes in parallel (Masahiko Sawada, Amit Kapila)
The new PARALLEL option controls this.
Allow FETCH FIRST to use WITH TIES to return any additional rows that match the last result row (Surafel Temesgen)
Report planning-time buffer usage in EXPLAIN's BUFFER output (Julien Rouhaud)
Make CREATE TABLE LIKE propagate a CHECK constraint's NO INHERIT property to the created table (Ildar Musin, Chris Travers)
When using LOCK TABLE on a partitioned table, do not check permissions on the child tables (Amit Langote)
Allow OVERRIDING USER VALUE on inserts into identity columns (Dean Rasheed)
Add ALTER TABLE ... DROP EXPRESSION to allow removing the GENERATED property from a column (Peter Eisentraut)
Fix bugs in multi-step ALTER TABLE commands (Tom Lane)
IF NOT EXISTS clauses now work as expected, in that derived actions (such as index creation) do not execute if the column already exists. Also, certain cases of combining related actions into one ALTER TABLE now work when they did not before.
Add ALTER VIEW syntax to rename view columns (Fujii Masao)
Renaming view columns was already possible, but one had to write ALTER TABLE RENAME COLUMN, which is confusing.
Add ALTER TYPE options to modify a base type's TOAST properties and support functions (Tomas Vondra, Tom Lane)
Add CREATE DATABASE LOCALE option (Peter Eisentraut)
This combines the existing options LC_COLLATE and LC_CTYPE into a single option.
Allow DROP DATABASE to disconnect sessions using the target database, allowing the drop to succeed (Pavel Stehule, Amit Kapila)
This is enabled by the FORCE option.
Add structure member tg_updatedcols to allow C-language update triggers to know which column(s) were updated (Peter Eisentraut)
Data Types:
Add polymorphic data types for use by functions requiring compatible arguments (Pavel Stehule)
The new data types are anycompatible, anycompatiblearray, anycompatiblenonarray, and anycompatiblerange.
Add SQL data type xid8 to expose FullTransactionId (Thomas Munro)
The existing xid data type is only four bytes so it does not provide the transaction epoch.
Add data type regcollation and associated functions, to represent OIDs of collation objects (Julien Rouhaud)
Use the glibc version in some cases as a collation version identifier (Thomas Munro)
If the glibc version changes, a warning will be issued about possible corruption of collation-dependent indexes.
Add support for collation versions on Windows (Thomas Munro)
Allow ROW expressions to have their members extracted with suffix notation (Tom Lane)
For example, (ROW(4, 5.0)).f1 now returns 4.
Functions:
Add alternate version of jsonb_set() with improved NULL handling (Andrew Dunstan)
The new function, jsonb_set_lax(), handles a NULL new value by either setting the specified key to a JSON null, deleting the key, raising an exception, or returning the jsonb value unmodified, as requested.
Add jsonpath .datetime() method (Nikita Glukhov, Teodor Sigaev, Oleg Bartunov, Alexander Korotkov)
This function allows JSON values to be converted to timestamps, which can then be processed in jsonpath expressions. This change also adds jsonpath functions that support time-zone-aware output.
Add SQL functions NORMALIZE() to normalize Unicode strings, and IS NORMALIZED to check for normalization (Peter Eisentraut)
Add min() and max() aggregates for pg_lsn (Fabrízio de Royes Mello)
These are particularly useful in monitoring queries.
Allow Unicode escapes, e.g., E'unnnn' or U&'nnnn', to specify any character available in the database encoding, even when the database encoding is not UTF-8 (Tom Lane)
Allow to_date() and to_timestamp() to recognize non-English month/day names (Juan José Santamaría Flecha, Tom Lane)
The names recognized are the same as those output by to_char() with the same format patterns.
Add datetime format patterns FF1 – FF6 to specify input or output of 1 to 6 fractional-second digits (Alexander Korotkov, Nikita Glukhov, Teodor Sigaev, Oleg Bartunov)
These patterns can be used by to_char(), to_timestamp(), and jsonpath's .datetime().
Add SSSSS datetime format pattern as an SQL-standard alias for SSSS (Nikita Glukhov, Alexander Korotkov)
Add function gen_random_uuid() to generate version-4 UUIDs (Peter Eisentraut)
Previously UUID generation functions were only available in the external modules uuid-ossp and pgcrypto.
Add greatest-common-denominator (gcd) and least-common-multiple (lcm) functions (Vik Fearing)
Improve the performance and accuracy of the numeric type's square root (sqrt) and natural log (ln) functions (Dean Rasheed)
Add function min_scale() that returns the number of digits to the right of the decimal point that are required to represent a numeric value with full accuracy (Pavel Stehule)
Add function trim_scale() to reduce the scale of a numeric value by removing trailing zeros (Pavel Stehule)
Add commutators of distance operators (Nikita Glukhov)
For example, previously only point <-> line was supported, now line <-> point works too.
Create xid8 versions of all transaction ID functions (Thomas Munro)
The old xid-based functions still exist, for backward compatibility.
Allow get_bit() and set_bit() to set bits beyond the first 256MB of a bytea value (Movead Li)
Allow advisory-lock functions to be used in some parallel operations (Tom Lane)
Add the ability to remove an object's dependency on an extension (Álvaro Herrera)
The object can be a function, materialized view, index, or trigger. The syntax is ALTER .. NO DEPENDS ON.
PL/pgSQL:
Improve performance of simple PL/pgSQL expressions (Tom Lane, Amit Langote)
Improve performance of PL/pgSQL functions that use immutable expressions (Konstantin Knizhnik)
Client Interfaces:
Allow libpq clients to require channel binding for encrypted connections (Jeff Davis)
Using the libpq connection parameter channel_binding forces the other end of the TLS connection to prove it knows the user's password. This prevents man-in-the-middle attacks.
Add libpq connection parameters to control the minimum and maximum TLS version allowed for an encrypted connection (Daniel Gustafsson)
The settings are ssl_min_protocol_version and ssl_max_protocol_version. By default, the minimum TLS version is 1.2 (this represents a behavioral change from previous releases).
Allow use of passwords to unlock client certificates (Craig Ringer, Andrew Dunstan)
This is enabled by libpq's sslpassword connection parameter.
Allow libpq to use DER-encoded client certificates (Craig Ringer, Andrew Dunstan)
Fix ecpg's EXEC SQL elif directive to work correctly (Tom Lane)
Previously it behaved the same as endif followed by ifdef, so that a successful previous branch of the same if construct did not prevent expansion of the elif branch or following branches.
Client Applications:
psql:
Add transaction status (%x) to psql's default prompts (Vik Fearing)
Allow the secondary psql prompt to be blank but the same width as the primary prompt (Thomas Munro)
This is accomplished by setting PROMPT2 to %w.
Allow psql's g and gx commands to change pset output options for the duration of that single command (Tom Lane)
This feature allows syntax like g (expand=on), which is equivalent to gx.
Add psql commands to display operator classes and operator families (Sergey Cherkashin, Nikita Glukhov, Alexander Korotkov)
The new commands are dAc, dAf, dAo, and dAp.
Show table persistence in psql's dt+ and related commands (David Fetter)
In verbose mode, the table/index/view shows if the object is permanent, temporary, or unlogged.
Improve output of psql's d for TOAST tables (Justin Pryzby)
Fix redisplay after psql's e command (Tom Lane)
When exiting the editor, if the query doesn't end with a semicolon or g, the query buffer contents will now be displayed.
Add warn command to psql (David Fetter)
This is like echo except that the text is sent to stderr instead of stdout.
Add the PostgreSQL home page to command-line --help output (Peter Eisentraut)
pgbench:
Allow pgbench to partition its “accounts” table (Fabien Coelho)
This allows performance testing of partitioning.
Add pgbench command aset, which behaves like gset, but for multiple queries (Fabien Coelho)
Allow pgbench to generate its initial data server-side, rather than client-side (Fabien Coelho)
Allow pgbench to show script contents using option --show-script (Fabien Coelho)
Server Applications:
Generate backup manifests for base backups, and verify them (Robert Haas)
A new tool pg_verifybackup can verify backups.
Have pg_basebackup estimate the total backup size by default (Fujii Masao)
This computation allows pg_stat_progress_basebackup to show progress. If that is not needed, it can be disabled by using the --no-estimate-size option. Previously, this computation happened only if the --progress option was used.
Add an option to pg_rewind to configure standbys (Paul Guo, Jimmy Yih, Ashwin Agrawal)
This matches pg_basebackup's --write-recovery-conf option.
Allow pg_rewind to use the target cluster's restore_command to retrieve needed WAL (Alexey Kondratov)
This is enabled using the -c/--restore-target-wal option.
Have pg_rewind automatically run crash recovery before rewinding (Paul Guo, Jimmy Yih, Ashwin Agrawal)
This can be disabled by using --no-ensure-shutdown.
Increase the PREPARE TRANSACTION-related information reported by pg_waldump (Fujii Masao)
Add pg_waldump option --quiet to suppress non-error output (Andres Freund, Robert Haas)
Add pg_dump option --include-foreign-data to dump data from foreign servers (Luis Carril)
Allow vacuum commands run by vacuumdb to operate in parallel mode (Masahiko Sawada)
This is enabled with the new --parallel option.
Allow reindexdb to operate in parallel (Julien Rouhaud)
Parallel mode is enabled with the new --jobs option.
Allow dropdb to disconnect sessions using the target database, allowing the drop to succeed (Pavel Stehule)
This is enabled with the -f option.
Remove --adduser and --no-adduser from createuser (Alexander Lakhin)
The long-supported preferred options for this are called --superuser and --no-superuser.
Use the directory of the pg_upgrade program as the default --new-bindir setting when running pg_upgrade (Daniel Gustafsson)
Documentation:
Add a glossary to the documentation (Corey Huinker, Jürgen Purtz, Roger Harkavy, Álvaro Herrera)
Reformat tables containing function and operator information for better clarity (Tom Lane)
Upgrade to use DocBook 4.5 (Peter Eisentraut)
Source Code:
Add support for building on Visual Studio 2019 (Haribabu Kommi)
Add build support for MSYS2 (Peter Eisentraut)
Add compare_exchange and fetch_add assembly language code for Power PC compilers (Noah Misch)
Update Snowball stemmer dictionaries used by full text search (Panagiotis Mavrogiorgos)
This adds Greek stemming and improves Danish and French stemming.
Remove support for Windows 2000 (Michael Paquier)
Remove support for non-ELF BSD systems (Peter Eisentraut)
Remove support for Python versions 2.5.X and earlier (Peter Eisentraut)
Remove support for OpenSSL 0.9.8 and 1.0.0 (Michael Paquier)
Remove configure options --disable-float8-byval and --disable-float4-byval (Peter Eisentraut)
These were needed for compatibility with some version-zero C functions, but those are no longer supported.
Pass the query string to planner hook functions (Pascal Legrand, Julien Rouhaud)
Add TRUNCATE command hook (Yuli Khodorkovskiy)
Add TLS init hook (Andrew Dunstan)
Allow building with no predefined Unix-domain socket directory (Peter Eisentraut)
Reduce the probability of SysV resource key collision on Unix platforms (Tom Lane)
Use operating system functions to reliably erase memory that contains sensitive information (Peter Eisentraut)
For example, this is used for clearing passwords stored in memory.
Add headerscheck script to test C header-file compatibility (Tom Lane)
Implement internal lists as arrays, rather than a chain of cells (Tom Lane)
This improves performance for queries that access many objects.
Change the API for TS_execute() (Tom Lane, Pavel Borisov)
TS_execute callbacks must now provide ternary (yes/no/maybe) logic. Calculating NOT queries accurately is now the default.
Additional Modules:
Allow extensions to be specified as trusted (Tom Lane)
Such extensions can be installed in a database by users with database-level CREATE privileges, even if they are not superusers. This change also removes the pg_pltemplate system catalog.
Allow non-superusers to connect to postgres_fdw foreign servers without using a password (Craig Ringer)
Specifically, allow a superuser to set password_required to false for a user mapping. Care must still be taken to prevent non-superusers from using superuser credentials to connect to the foreign server.
Allow postgres_fdw to use certificate authentication (Craig Ringer)
Different users can use different certificates.
Allow sepgsql to control access to the TRUNCATE command (Yuli Khodorkovskiy)
Add extension bool_plperl which transforms SQL booleans to/from PL/Perl booleans (Ivan Panchenko)
Have pg_stat_statements treat SELECT ... FOR UPDATE commands as distinct from those without FOR UPDATE (Andrew Gierth, Vik Fearing)
Allow pg_stat_statements to optionally track the planning time of statements (Julien Rouhaud, Pascal Legrand, Thomas Munro, Fujii Masao)
Previously only execution time was tracked.
Overhaul ltree's lquery syntax to treat NOT (!) more logically (Filip Rembialkowski, Tom Lane, Nikita Glukhov)
Also allow non-* queries to use a numeric range ({}) of matches.
Add support for binary I/O of ltree, lquery, and ltxtquery types (Nino Floris)
Add an option to dict_int to ignore the sign of integers (Jeff Janes)
Add adminpack function pg_file_sync() to allow fsync'ing a file (Fujii Masao)
Add pageinspect functions to output t_infomask/t_infomask2 values in human-readable format (Craig Ringer, Sawada Masahiko, Michael Paquier)
Add B-tree index de-duplication processing columns to pageinspect output (Peter Geoghegan)

New in PostgreSQL 13.2 / 12.6 / 11.11 / 10.16 / 9.6.21 / 9.5.25 (Feb 12, 2021)

Changes:
Fix failure to check per-column SELECT privileges in some join queries (Tom Lane)
In some cases involving joins, the parser failed to record all the columns read by a query in the column-usage bitmaps that are used for permissions checking. Although the executor would still insist on some sort of SELECT privilege to run the query, this meant that a user having SELECT privilege on only one column of a table could nonetheless read all its columns through a suitably crafted query.
A stored view that is subject to this problem will have incomplete column-usage bitmaps, and thus permissions will still not be enforced properly on the view after updating. In installations that depend on column-level permissions for security, it is recommended to CREATE OR REPLACE all user-defined views to cause them to be re-parsed.
The PostgreSQL Project thanks Sven Klemm for reporting this problem. (CVE-2021-20229)
Fix information leakage in constraint-violation error messages (Heikki Linnakangas)
If an UPDATE command attempts to move a row to a different partition but finds that it violates some constraint on the new partition, and the columns in that partition are in different physical positions than in the parent table, the error message could reveal the contents of columns that the user does not have SELECT privilege on. (CVE-2021-3393)
Fix incorrect detection of concurrent page splits while inserting into a GiST index (Heikki Linnakangas)
Concurrent insertions could lead to a corrupt index with entries placed in the wrong pages. It's recommended to reindex any GiST index that's been subject to concurrent insertions.
Fix CREATE INDEX CONCURRENTLY to wait for concurrent prepared transactions (Andrey Borodin)
At the point where CREATE INDEX CONCURRENTLY waits for all concurrent transactions to complete so that it can see rows they inserted, it must also wait for all prepared transactions to complete, for the same reason. Its failure to do so meant that rows inserted by prepared transactions might be omitted from the new index, causing queries relying on the index to miss such rows. In installations that have enabled prepared transactions (max_prepared_transactions > 0), it's recommended to reindex any concurrently-built indexes in case this problem occurred when they were built.
Avoid crash when trying to rescan an aggregation plan node that has both hashed and sorted grouping sets (Jeff Davis)
Fix possible incorrect query results when a hash aggregation node spills some tuples to disk (Tom Lane)
It was possible for aggregation grouping values to be replaced by nulls when the tuples are read back in, leading to wrong answers.
Fix edge case in incremental sort (Neil Chen)
If the last tuple of a sort batch chanced to be the first tuple of the next group of already-sorted tuples, the code did the wrong thing. This could lead to “retrieved too many tuples in a bounded sort” error messages, or to silently-wrong sorting results.
Avoid crash when a CALL or DO statement that performs a transaction rollback is executed via extended query protocol (Thomas Munro, Tom Lane)
In PostgreSQL 13, this case reliably caused a null-pointer dereference. In earlier versions the bug seems to have no visible symptoms, but it's not quite clear that it could never cause a problem.
Avoid unnecessary errors with BEFORE UPDATE triggers on partitioned tables (Álvaro Herrera)
A BEFORE UPDATE FOR EACH ROW trigger that modified the row in any way prevented UPDATE from moving the row to another partition when needed; but there is no longer any reason for this restriction.
Fix partition pruning logic to handle asymmetric hash partition sets (Tom Lane)
If a hash-partitioned table has unequally-sized partitions (that is, varying modulus values), or it lacks partitions for some remainder values, then the planner's pruning logic could mistakenly conclude that some partitions don't need to be scanned, leading to failure to find rows that the query should find.
Avoid incorrect results when WHERE CURRENT OF is applied to a cursor whose plan contains a MergeAppend node (Tom Lane)
This case is unsupported (in general, a cursor using ORDER BY is not guaranteed to be simply updatable); but the code previously did not reject it, and could silently give false matches.
Fix crash when WHERE CURRENT OF is applied to a cursor whose plan contains a custom scan node (David Geier)
Fix planner's mishandling of placeholders whose evaluation should be delayed by an outer join (Tom Lane)
This occurs in particular with trivial subqueries containing lateral references to outer-join outputs. The mistake could result in a malformed plan. The known cases trigger a “failed to assign all NestLoopParams to plan nodes” error, but other symptoms may be possible.
Fix planner's handling of placeholders during removal of useless RESULT RTEs (Tom Lane)
This oversight could lead to “no relation entry for relid N” planner errors.
Fix planner's handling of a placeholder that is computed at some join level and used only at that same level (Tom Lane)
This oversight could lead to “failed to build any N-way joins” planner errors.
Consider unsorted subpaths when planning a Gather Merge operation (James Coleman)
It's possible to use such a path by adding an explicit Sort node, and in some cases that gives rise to a superior plan.
Do not consider ORDER BY expressions involving parallel-restricted functions or set-returning functions when trying to parallelize sorts (James Coleman)
Such cases cannot safely be pushed into worker processes, but the incremental sort feature accidentally made us consider them.
Be more careful about whether index AMs support mark/restore (Andrew Gierth)
This prevents errors about missing support functions in rare edge cases.
Fix overestimate of the amount of shared memory needed for parallel queries (Takayuki Tsunakawa)
Fix ALTER DEFAULT PRIVILEGES to handle duplicated arguments safely (Michael Paquier)
Duplicate role or schema names within the same command could lead to “tuple already updated by self” errors or unique-constraint violations.
Flush ACL-related caches when pg_authid changes (Noah Misch)
This change ensures that permissions-related decisions will promptly reflect the results of ALTER ROLE ... [NO] INHERIT.
Fix failure to detect “snapshot too old” conditions in tables rewritten in the current transaction (Kyotaro Horiguchi, Noah Misch)
This is only a hazard when wal_level is set to minimal and the rewrite is performed by ALTER TABLE SET TABLESPACE.
Fix spurious failure of CREATE PUBLICATION when applied to a table created or rewritten in the current transaction (Kyotaro Horiguchi)
This is only a hazard when wal_level is set to minimal.
Prevent misprocessing of ambiguous CREATE TABLE LIKE clauses (Tom Lane)
A LIKE clause is re-examined after initial creation of the new table, to handle importation of indexes and such. It was possible for this re-examination to find a different table of the same name, causing unexpected behavior; one example is where the new table is a temporary table of the same name as the LIKE target.
Rearrange order of operations in CREATE TABLE LIKE so that indexes are cloned before building foreign key constraints (Tom Lane)
This fixes the case where a self-referential foreign key constraint declared in the outer CREATE TABLE depends on an index that's coming from the LIKE clause.
Disallow CREATE STATISTICS on system catalogs (Tomas Vondra)
Disallow converting an inheritance child table to a view (Tom Lane)
Ensure that disk space allocated for a dropped relation is released promptly at commit (Thomas Munro)
Previously, if the dropped relation spanned multiple 1GB segments, only the first segment was truncated immediately. Other segments were simply unlinked, which doesn't authorize the kernel to release the storage so long as any other backends still have the files open.
Prevent dropping a tablespace that is referenced by a partitioned relation, but is not used for any actual storage (Álvaro Herrera)
Previously this was allowed, but subsequent operations on the partitioned relation would fail.
Fix progress reporting for CLUSTER (Matthias van de Meent)
Fix handling of backslash-escaped multibyte characters in COPY FROM (Heikki Linnakangas)
A backslash followed by a multibyte character was not handled correctly. In some client character encodings, this could lead to misinterpreting part of a multibyte character as a field separator or end-of-copy-data marker.
Avoid preallocating executor hash tables in EXPLAIN without ANALYZE (Alexey Bashtanov)
Fix recently-introduced race condition in LISTEN/NOTIFY queue handling (Tom Lane)
A newly-listening backend could attempt to read SLRU pages that were in process of being truncated, possibly causing an error.
Allow the jsonb concatenation operator to handle all combinations of JSON data types (Tom Lane)
We can concatenate two JSON objects or two JSON arrays. Handle other cases by wrapping non-array inputs in one-element arrays, then performing an array concatenation. Previously, some combinations of inputs followed this rule but others arbitrarily threw an error.
Fix use of uninitialized value while parsing a * quantifier in a BRE-mode regular expression (Tom Lane)
This error could cause the quantifier to act non-greedy, that is behave like a *? quantifier would do in full regular expressions.
Fix numeric power() for the case where the exponent is exactly INT_MIN (-2147483648) (Dean Rasheed)
Previously, a result with no significant digits was produced.
Fix integer-overflow cases in substring() functions (Tom Lane, Pavel Stehule)
If the specified starting index and length overflow an integer when added together, substring() misbehaved, either throwing a bogus “negative substring length” error for a case that should succeed, or failing to complain that a negative length is negative (and instead returning the whole string, in most cases).
Prevent possible data loss from incorrect detection of the wraparound point of an SLRU log (Noah Misch)
The wraparound point typically falls in the middle of a page, which must be rounded off to a page boundary, and that was not done correctly. No issue could arise unless an installation had gotten to within one page of SLRU overflow, which is unlikely in a properly-functioning system. If this did happen, it would manifest in later “apparent wraparound” or “could not access status of transaction” errors.
Fix WAL-reading logic to handle timeline switches correctly (Kyotaro Horiguchi, Fujii Masao)
Previously, if WAL archiving is enabled, a standby could fail to follow a primary running on a newer timeline, with errors like “requested WAL segment has already been removed”.
Fix memory leak in walsender processes while sending new snapshots for logical decoding (Amit Kapila)
Fix relation cache leak in walsender processes while sending row changes via the root of a partitioned relation during logical replication (Amit Langote, Mark Zhao)
Fix walsender to accept additional commands after terminating replication (Jeff Davis)
Ensure detection of deadlocks between hot standby backends and the startup (WAL-application) process (Fujii Masao)
The startup process did not run the deadlock detection code, so that in situations where the startup process is last to join a circular wait situation, the deadlock might never be recognized.
Fix possible failure to detect recovery conflicts while deleting an index entry that references a HOT chain (Peter Geoghegan)
The code failed to traverse the HOT chain and might thus compute a too-old XID horizon, which could lead to incorrect conflict processing in hot standby. The practical impact of this bug is limited; in most cases the correct XID horizon would be found anyway from nearby operations.
Ensure that a nonempty value of krb_server_keyfile always overrides any setting of KRB5_KTNAME in the server's environment (Tom Lane)
Previously, which setting took precedence depended on whether the client requests GSS encryption.
In server log messages about failing to match connections to pg_hba.conf entries, include details about whether GSS encryption has been activated (Kyotaro Horiguchi, Tom Lane)
This is relevant data if hostgssenc or hostnogssenc entries exist.
Fix assorted issues in server's support for GSS encryption (Tom Lane)
Remove pointless restriction that only GSS authentication can be used on a GSS-encrypted connection. Add GSS encryption information to connection-authorized log messages. Include GSS-related space when computing the required size of shared memory (this omission could have caused problems with very high max_connections settings). Avoid possible infinite recursion when reporting an unrecoverable GSS encryption error.
Ensure that unserviced requests for background workers are cleaned up when the postmaster begins a “smart” or “fast” shutdown sequence (Tom Lane)
Previously, there was a race condition whereby a child process that had requested a background worker just before shutdown could wait indefinitely, preventing shutdown from completing.
Fix portability problem in parsing of recovery_target_xid values (Michael Paquier)
The target XID is potentially 64 bits wide, but it was parsed with strtoul(), causing misbehavior on platforms where long is 32 bits (such as Windows).
Avoid trying to use parallel index build in a standalone backend (Yulin Pei)
Allow index AMs to support included columns without necessarily supporting multiple key columns (Tom Lane)
While taking a base backup, avoid executing any SHA256 code if a backup manifest is not needed (Michael Paquier)
When using OpenSSL operating in FIPS mode, SHA256 hashing is rejected, leading to an error. This change makes it possible to take a base backup on such a platform, so long as --no-manifest is specified.
Avoid assertion failure during parallel aggregation of an aggregate with a non-strict deserialization function (Andrew Gierth)
No such aggregate functions exist in core PostgreSQL, but some extensions such as PostGIS provide some. The mistake is harmless anyway in a non-assert build.
Avoid assertion failure in pg_get_functiondef() when examining a function with a TRANSFORM option (Tom Lane)
Fix data structure misallocation in PL/pgSQL's CALL statement (Tom Lane)
A CALL in a PL/pgSQL procedure, to another procedure that has OUT parameters, would fail if the called procedure did a COMMIT or ROLLBACK.
In libpq, do not skip trying SSL after GSS encryption (Tom Lane)
If we successfully made a GSS-encrypted connection, but then failed during authentication, we would fall back to an unencrypted connection rather than next trying an SSL-encrypted connection. This could lead to unexpected connection failure, or to silently getting an unencrypted connection where an encrypted one is expected. Fortunately, GSS encryption could only succeed if both client and server hold valid tickets in the same Kerberos infrastructure. It seems unlikely for that to be true in an environment that requires SSL encryption instead.
Make libpq's PQconndefaults() function report the correct default value for channel_binding (Daniele Varrazzo)
In psql, re-allow including a password in a connection_string argument of a connect command (Tom Lane)
This used to work, but a recent bug fix caused the password to be ignored (resulting in prompting for a password).
In psql's d commands, don't truncate the display of column default values (Tom Lane)
Formerly, they were arbitrarily truncated at 128 characters.
Fix assorted bugs in psql's help command (Kyotaro Horiguchi, Tom Lane)
Help with two argument words failed to find a command description using only the first word, for example help reset all should show the help for RESET but did not. Also, help often failed to invoke the pager when it should. It also leaked memory.
Fix pg_dump's dumping of inherited generated columns (Peter Eisentraut)
The previous behavior resulted in (harmless) errors during restore.
In pg_dump, ensure that the restore script runs ALTER PUBLICATION ADD TABLE commands as the owner of the publication, and similarly runs ALTER INDEX ATTACH PARTITION commands as the owner of the partitioned index (Tom Lane)
Previously, these commands would be run by the role that started the restore script; which will usually work, but in corner cases that role might not have adequate permissions.
Fix pg_dump to handle WITH GRANT OPTION in an extension's initial privileges (Noah Misch)
If an extension's script creates an object and grants privileges on it with grant option, then later the user revokes such privileges, pg_dump would generate incorrect SQL for reproducing the situation. (Few if any extensions do this today.)
In pg_rewind, ensure that all WAL is accounted for when rewinding a standby server (Ian Barwick, Heikki Linnakangas)
In pgbench, disallow a digit as the first character of a variable name (Fabien Coelho)
This prevents trying to substitute variables into timestamp literal values, which may contain strings like 12:34.
Report the correct database name in connection failure error messages from some client programs (Álvaro Herrera)
If the database name was defaulted rather than given on the command line, pg_dumpall, pgbench, oid2name, and vacuumlo would produce misleading error messages after a connection failure.
Fix memory leak in contrib/auto_explain (Japin Li)
Memory consumed while producing the EXPLAIN output was not freed until the end of the current transaction (for a top-level statement) or the end of the surrounding statement (for a nested statement). This was particularly a problem with log_nested_statements enabled.
In contrib/postgres_fdw, avoid leaking open connections to remote servers when a user mapping or foreign server object is dropped (Bharath Rupireddy)
Open connections that depend on a dropped user mapping or foreign server can no longer be referenced, but formerly they were kept around anyway for the duration of the local session.
Fix faulty assertion in contrib/postgres_fdw (Etsuro Fujita)
In contrib/pgcrypto, check for error returns from OpenSSL's EVP functions (Michael Paquier)
We do not really expect errors here, but this change silences warnings from static analysis tools.
Make contrib/pg_prewarm more robust when the cluster is shut down before prewarming is complete (Tom Lane)
Previously, autoprewarm would rewrite its status file with only the block numbers that it had managed to load so far, thus perhaps largely disabling the prewarm functionality in the next startup. Instead, suppress status file updates until the initial loading pass is complete.
In contrib/pg_trgm's GiST index support, avoid crash in the rare case that picksplit is called on exactly two index items (Andrew Gierth, Alexander Korotkov)
Fix miscalculation of timeouts in contrib/pg_prewarm and contrib/postgres_fdw (Alexey Kondratov, Tom Lane)
The main loop in contrib/pg_prewarm's autoprewarm parent process underestimated its desired sleep time by a factor of 1000, causing it to consume much more CPU than intended. When waiting for a result from a remote server, contrib/postgres_fdw overestimated the desired timeout by a factor of 1000 (though this error had been mitigated by imposing a clamp to 60 seconds).
Both of these errors stemmed from incorrectly converting seconds-and-microseconds to milliseconds. Introduce a new API TimestampDifferenceMilliseconds() to make it easier to get this right in the future.
Improve configure's heuristics for selecting PG_SYSROOT on macOS (Tom Lane)
The new method is more likely to produce desirable results when Xcode is newer than the underlying operating system. Choosing a sysroot that does not match the OS version may result in nonfunctional executables.
While building on macOS, specify -isysroot in link steps as well as compile steps (James Hilliard)
This likewise improves the results when Xcode is out of sync with the operating system.
Fix JIT compilation to be compatible with LLVM 11 and LLVM 12 (Andres Freund)
Fix potential mishandling of references to boolean variables in JIT expression compilation (Andres Freund)
No field reports attributable to this have been seen, but it seems likely that it could cause problems on some architectures.
Fix compile failure with ICU 68 and later (Tom Lane)
Avoid memcpy() with a NULL source pointer and zero count during partitioned index creation (Álvaro Herrera)
While such a call is not known to cause problems in itself, some compilers assume that the arguments of memcpy() are never NULL, which could result in incorrect optimization of nearby code.
Update time zone data files to tzdata release 2021a for DST law changes in Russia (Volgograd zone) and South Sudan, plus historical corrections for Australia, Bahamas, Belize, Bermuda, Ghana, Israel, Kenya, Nigeria, Palestine, Seychelles, and Vanuatu.
Notably, the Australia/Currie zone has been corrected to the point where it is identical to Australia/Hobart.

New in PostgreSQL 13.1 / 12.5 / 11.10 / 10.15 / 9.6.20 / 9.5.24 (Nov 13, 2020)

Security Issues:
CVE-2020-25695: Multiple features escape "security restricted operation" sandbox:
Versions Affected: 9.5 - 13. The security team typically does not test unsupported versions, but this problem is quite old.
An attacker having permission to create non-temporary objects in at least one schema can execute arbitrary SQL functions under the identity of a superuser.
While promptly updating PostgreSQL is the best remediation for most users, a user unable to do that can work around the vulnerability by disabling autovacuum and not manually running ANALYZE, CLUSTER, REINDEX, CREATE INDEX, VACUUM FULL, REFRESH MATERIALIZED VIEW, or a restore from output of the pg_dump command. Performance may degrade quickly under this workaround.
VACUUM without the FULL option is safe, and all commands are fine when a trusted user owns the target object.
CVE-2020-25694: Reconnection can downgrade connection security settings:
Versions Affected: 9.5 - 13. The security team typically does not test unsupported versions, but this problem is quite old.
Many PostgreSQL-provided client applications have options that create additional database connections. Some of those applications reuse only the basic connection parameters (e.g. host, user, port), dropping others. If this drops a security-relevant parameter (e.g. channel_binding, sslmode, requirepeer, gssencmode), the attacker has an opportunity to complete a MITM attack or observe cleartext transmission.
Affected applications are clusterdb, pg_dump, pg_restore, psql, reindexdb, and vacuumdb. The vulnerability arises only if one invokes an affected client application with a connection string containing a security-relevant parameter.
This also fixes how the connect command of psql reuses connection parameters, i.e. all non-overridden parameters from a previous connection string now re-used.
CVE-2020-25696: psql's gset allows overwriting specially treated variables:
Versions Affected: 9.5 - 13. The security team typically does not test unsupported versions, but this problem likely arrived with the feature's debut in version 9.3.
The gset meta-command, which sets psql variables based on query results, does not distinguish variables that control psql behavior. If an interactive psql session uses gset when querying a compromised server, the attacker can execute arbitrary code as the operating system account running psql. Using gset with a prefix not found among specially treated variables, e.g. any lowercase string, precludes the attack in an unpatched psql.
Bug Fixes and Improvements:
Fix a breakage in the replication protocol by ensuring that two "command completion" events are expected for START_REPLICATION.
Ensure fsync is called on the SLRU caches that PostgreSQL maintains. This prevents potential data loss due to an operating system crash.
Fix ALTER ROLE usage for users with the BYPASSRLS permission.
ALTER TABLE ONLY ... DROP EXPRESSION is disallowed on partitioned tables when there are child tables.
Ensure that ALTER TABLE ONLY ... ENABLE/DISABLE TRIGGER does not apply to child tables.
Fix for ALTER TABLE ... SET NOT NULL on partitioned tables to avoid a potential deadlock in parallel pg_restore.
Fix handling of expressions in CREATE TABLE LIKE with inheritance.
DROP INDEX CONCURRENTLY is disallowed on partitioned tables.
Allow LOCK TABLE to succeed on a self-referential view instead of throwing an error.
Several fixes around statistics collection and progress reporting for REINDEX CONCURRENTLY.
Ensure that GENERATED columns are updated when any columns they depend on are updated via a rule or an updatable view.
Support hash partitioning with text array columns as partition keys.
Allow the jsonpath .datetime() method to accept ISO 8601-format timestamps.
During a "smart" shutdown, ensure background processes are not terminated until all foreground client sessions are completed, fixing an issue that broke the processing of parallel queries.
Several fixes for the query planner and optimizer.
Ensure that data is de-toasted before being inserted into a BRIN index. This could manifest itself with errors like "missing chunk number 0 for toast value NNN". If you have seen a similar error in an existing BRIN index, you should be able to correct it by using REINDEX on the index.
Fix the output of EXPLAIN to have the correct XML tag nesting for incremental sort plans.
Several fixes for memory leaks, including ones involving RLS policies, using CALL with PL/pgSQL, SIGHUP processing a configuration parameter that cannot be applied without a restart, and an edge-case for index lookup for a partition.
libpq can now support arbitrary-length lines in the .pgpass file.
On Windows, psql now reads the output of a backtick command in text mode, not binary mode, so it can now properly handle newlines.
Fix how pg_dump, pg_restore, clusterdb, reindexdb, and vacuumdb use complex connection-string parameters.
When the connect command of psql reuses connection parameters, ensure that all non-overridden parameters from a previous connection string are also re-used.
Ensure that pg_dump collects per-column information about extension configuration tables, avoiding crashes when specifying --inserts.
Ensure that parallel pg_restore processes foreign keys referencing partitioned tables in the correct order.
Several fixes for contrib/pgcrypto, including a memory leak fix.

New in PostgreSQL 13.0 (Sep 27, 2020)

Server:
Partitioning:
Allow pruning of partitions to happen in more cases (Yuzuko Hosoya, Amit Langote, Álvaro Herrera)
Allow partitionwise joins to happen in more cases (Ashutosh Bapat, Etsuro Fujita, Amit Langote, Tom Lane)
For example, partitionwise joins can now happen between partitioned tables even when their partition bounds do not match exactly.
Support row-level BEFORE triggers on partitioned tables (Álvaro Herrera)
However, such a trigger is not allowed to change which partition is the destination.
Allow partitioned tables to be logically replicated via publications (Amit Langote)
Previously, partitions had to be replicated individually. Now a partitioned table can be published explicitly, causing all its partitions to be published automatically. Addition/removal of a partition causes it to be likewise added to or removed from the publication. The CREATE PUBLICATION option publish_via_partition_root controls whether changes to partitions are published as their own changes or their parent's.
Allow logical replication into partitioned tables on subscribers (Amit Langote)
Previously, subscribers could only receive rows into non-partitioned tables.
Allow whole-row variables (that is, table.*) to be used in partitioning expressions (Amit Langote)
Indexes:
More efficiently store duplicates in B-tree indexes (Anastasia Lubennikova, Peter Geoghegan)
This allows efficient B-tree indexing of low-cardinality columns by storing duplicate keys only once. Users upgrading with pg_upgrade will need to use REINDEX to make an existing index use this feature.
Allow GiST and SP-GiST indexes on box columns to support ORDER BY box <-> point queries (Nikita Glukhov)
Allow GIN indexes to more efficiently handle ! (NOT) clauses in tsquery searches (Nikita Glukhov, Alexander Korotkov, Tom Lane, Julien Rouhaud)
Allow index operator classes to take parameters (Nikita Glukhov)
Allow CREATE INDEX to specify the GiST signature length and maximum number of integer ranges (Nikita Glukhov)
Indexes created on four and eight-byte integer array, tsvector, pg_trgm, ltree, and hstore columns can now control these GiST index parameters, rather than using the defaults.
Prevent indexes that use non-default collations from being added as a table's unique or primary key constraint (Tom Lane)
The index's collation must match that of the underlying column, but ALTER TABLE previously failed to check this.
Optimizer:
Improve the optimizer's selectivity estimation for containment/match operators (Tom Lane)
Allow setting the statistics target for extended statistics (Tomas Vondra)
This is controlled with the new command option ALTER STATISTICS ... SET STATISTICS. Previously this was computed based on more general statistics target settings.
Allow use of multiple extended statistics objects in a single query (Tomas Vondra)
Allow use of extended statistics objects for OR clauses and IN/ANY constant lists (Pierre Ducroquet, Tomas Vondra)
Allow functions in FROM clauses to be pulled up (inlined) if they evaluate to constants (Alexander Kuzmenkov, Aleksandr Parfenov)
General Performance:
Implement incremental sorting (James Coleman, Alexander Korotkov, Tomas Vondra)
If an intermediate query result is known to be sorted by one or more leading keys of a required sort ordering, the additional sorting can be done considering only the remaining keys, if the rows are sorted in batches that have equal leading keys.
If necessary, this can be controlled using enable_incremental_sort.
Improve the performance of sorting inet values (Brandur Leach)
Allow hash aggregation to use disk storage for large aggregation result sets (Jeff Davis)
Previously, hash aggregation was avoided if it was expected to use more than work_mem memory. Now, a hash aggregation plan can be chosen despite that. The hash table will be spilled to disk if it exceeds work_mem times hash_mem_multiplier.
This behavior is normally preferable to the old behavior, in which once hash aggregation had been chosen, the hash table would be kept in memory no matter how large it got — which could be very large if the planner had misestimated. If necessary, behavior similar to that can be obtained by increasing hash_mem_multiplier.
Allow inserts, not only updates and deletes, to trigger vacuuming activity in autovacuum (Laurenz Albe, Darafei Praliaskouski)
Previously, insert-only activity would trigger auto-analyze but not auto-vacuum, on the grounds that there could not be any dead tuples to remove. However, a vacuum scan has other useful side-effects such as setting page-all-visible bits, which improves the efficiency of index-only scans. Also, allowing an insert-only table to receive periodic vacuuming helps to spread out the work of “freezing” old tuples, so that there is not suddenly a large amount of freezing work to do when the entire table reaches the anti-wraparound threshold all at once.
If necessary, this behavior can be adjusted with the new parameters autovacuum_vacuum_insert_threshold and autovacuum_vacuum_insert_scale_factor, or the equivalent table storage options.
Add maintenance_io_concurrency parameter to control I/O concurrency for maintenance operations (Thomas Munro)
Allow WAL writes to be skipped during a transaction that creates or rewrites a relation, if wal_level is minimal (Kyotaro Horiguchi)
Relations larger than wal_skip_threshold will have their files fsync'ed rather than generating WAL. Previously this was done only for COPY operations, but the implementation had a bug that could cause data loss during crash recovery.
Improve performance when replaying DROP DATABASE commands when many tablespaces are in use (Fujii Masao)
Improve performance for truncation of very large relations (Kirk Jamison)
Improve retrieval of the leading bytes of TOAST'ed values (Binguo Bao, Andrey Borodin)
Previously, compressed out-of-line TOAST values were fully fetched even when it's known that only some leading bytes are needed. Now, only enough data to produce the result is fetched.
Improve performance of LISTEN/NOTIFY (Martijn van Oosterhout, Tom Lane)
Speed up conversions of integers to text (David Fetter)
Reduce memory usage for query strings and extension scripts that contain many SQL statements (Amit Langote)
Monitoring:
Allow EXPLAIN, auto_explain, autovacuum, and pg_stat_statements to track WAL usage statistics (Kirill Bychik, Julien Rouhaud)
Allow a sample of SQL statements, rather than all statements, to be logged (Adrien Nayrat)
A log_statement_sample_rate fraction of those statements taking more than log_min_duration_sample duration will be logged.
Add the backend type to csvlog and optionally log_line_prefix log output (Peter Eisentraut)
Improve control of prepared statement parameter logging (Alexey Bashtanov, Álvaro Herrera)
The GUC setting log_parameter_max_length controls the maximum length of parameter values output during logging of non-error statements, while log_parameter_max_length_on_error does the same for logging of statements with errors. Previously, prepared statement parameters were never logged during errors.
Allow function call backtraces to be logged after errors (Peter Eisentraut, Álvaro Herrera)
The new parameter backtrace_functions specifies which C functions should generate backtraces on error.
Make vacuum buffer counters 64-bits wide to avoid overflow (Álvaro Herrera)
System Views:
Add leader_pid to pg_stat_activity to report a parallel worker's leader process (Julien Rouhaud)
Add system view pg_stat_progress_basebackup to report the progress of streaming base backups (Fujii Masao)
Add system view pg_stat_progress_analyze to report ANALYZE progress (Álvaro Herrera, Tatsuro Yamada, Vinayak Pokale)
Add system view pg_shmem_allocations to display shared memory usage (Andres Freund, Robert Haas)
Add system view pg_stat_slru to monitor internal SLRU caches (Tomas Vondra)
Allow track_activity_query_size to be set as high as 1MB (Vyacheslav Makarov)
The previous maximum was 100kB.
Wait Events:
Report a wait event while creating a DSM segment with posix_fallocate() (Thomas Munro)
Add wait event VacuumDelay to report on cost-based vacuum delay (Justin Pryzby)
Add wait events for WAL archive and recovery pause (Fujii Masao)
The new events are BackupWaitWalArchive and RecoveryPause.
Add wait events RecoveryConflictSnapshot and RecoveryConflictTablespace to monitor recovery conflicts (Masahiko Sawada)
Improve performance of wait events on BSD-based systems (Thomas Munro)
Authentication:
Allow only superusers to view the ssl_passphrase_command setting (Insung Moon)
This was changed as a security precaution.
Change the server's default minimum TLS version for encrypted connections from 1.0 to 1.2 (Peter Eisentraut)
This choice can be controlled by ssl_min_protocol_version.
Server Configuration:
Tighten rules on which utility commands are allowed in read-only transaction mode (Robert Haas)
This change also increases the number of utility commands that can run in parallel queries.
Allow allow_system_table_mods to be changed after server start (Peter Eisentraut)
Disallow non-superusers from modifying system tables when allow_system_table_mods is set (Peter Eisentraut)
Previously, if allow_system_table_mods was set at server start, non-superusers could issue INSERT/UPDATE/DELETE commands on system tables.
Enable support for Unix-domain sockets on Windows (Peter Eisentraut)
Streaming Replication and Recovery:
Allow streaming replication configuration settings to be changed by reload (Sergei Kornilov)
Previously, a server restart was required to change primary_conninfo and primary_slot_name.
Allow WAL receivers to use a temporary replication slot when a permanent one is not specified (Peter Eisentraut, Sergei Kornilov)
This behavior can be enabled using wal_receiver_create_temp_slot.
Allow WAL storage for replication slots to be limited by max_slot_wal_keep_size (Kyotaro Horiguchi)
Replication slots that would require exceeding this value are marked invalid.
Allow standby promotion to cancel any requested pause (Fujii Masao)
Previously, promotion could not happen while the standby was in paused state.
Generate an error if recovery does not reach the specified recovery target (Leif Gunnar Erlandsen, Peter Eisentraut)
Previously, a standby would promote itself upon reaching the end of WAL, even if the target was not reached.
Allow control over how much memory is used by logical decoding before it is spilled to disk (Tomas Vondra, Dilip Kumar, Amit Kapila)
This is controlled by logical_decoding_work_mem.
Allow recovery to continue even if invalid pages are referenced by WAL (Fujii Masao)
This is enabled using ignore_invalid_pages.
Utility Commands:
Allow VACUUM to process a table's indexes in parallel (Masahiko Sawada, Amit Kapila)
The new PARALLEL option controls this.
Allow FETCH FIRST to use WITH TIES to return any additional rows that match the last result row (Surafel Temesgen)
Report planning-time buffer usage in EXPLAIN's BUFFER output (Julien Rouhaud)
Make CREATE TABLE LIKE propagate a CHECK constraint's NO INHERIT property to the created table (Ildar Musin, Chris Travers)
When using LOCK TABLE on a partitioned table, do not check permissions on the child tables (Amit Langote)
Allow OVERRIDING USER VALUE on inserts into identity columns (Dean Rasheed)
Add ALTER TABLE ... DROP EXPRESSION to allow removing the GENERATED property from a column (Peter Eisentraut)
Fix bugs in multi-step ALTER TABLE commands (Tom Lane)
IF NOT EXISTS clauses now work as expected, in that derived actions (such as index creation) do not execute if the column already exists. Also, certain cases of combining related actions into one ALTER TABLE now work when they did not before.
Add ALTER VIEW syntax to rename view columns (Fujii Masao)
Renaming view columns was already possible, but one had to write ALTER TABLE RENAME COLUMN, which is confusing.
Add ALTER TYPE options to modify a base type's TOAST properties and support functions (Tomas Vondra, Tom Lane)
Add CREATE DATABASE LOCALE option (Peter Eisentraut)
This combines the existing options LC_COLLATE and LC_CTYPE into a single option.
Allow DROP DATABASE to disconnect sessions using the target database, allowing the drop to succeed (Pavel Stehule, Amit Kapila)
This is enabled by the FORCE option.
Add structure member tg_updatedcols to allow C-language update triggers to know which column(s) were updated (Peter Eisentraut)
Data Types:
Add polymorphic data types for use by functions requiring compatible arguments (Pavel Stehule)
The new data types are anycompatible, anycompatiblearray, anycompatiblenonarray, and anycompatiblerange.
Add SQL data type xid8 to expose FullTransactionId (Thomas Munro)
The existing xid data type is only four bytes so it does not provide the transaction epoch.
Add data type regcollation and associated functions, to represent OIDs of collation objects (Julien Rouhaud)
Use the glibc version in some cases as a collation version identifier (Thomas Munro)
If the glibc version changes, a warning will be issued about possible corruption of collation-dependent indexes.
Add support for collation versions on Windows (Thomas Munro)
Allow ROW expressions to have their members extracted with suffix notation (Tom Lane)
For example, (ROW(4, 5.0)).f1 now returns 4.
Functions:
Add alternate version of jsonb_set() with improved NULL handling (Andrew Dunstan)
The new function, jsonb_set_lax(), handles a NULL new value by either setting the specified key to a JSON null, deleting the key, raising an exception, or returning the jsonb value unmodified, as requested.
Add jsonpath .datetime() method (Nikita Glukhov, Teodor Sigaev, Oleg Bartunov, Alexander Korotkov)
This function allows JSON values to be converted to timestamps, which can then be processed in jsonpath expressions. This change also adds jsonpath functions that support time-zone-aware output.
Add SQL functions NORMALIZE() to normalize Unicode strings, and IS NORMALIZED to check for normalization (Peter Eisentraut)
Add min() and max() aggregates for pg_lsn (Fabrízio de Royes Mello)
These are particularly useful in monitoring queries.
Allow Unicode escapes, e.g., E'unnnn' or U&'nnnn', to specify any character available in the database encoding, even when the database encoding is not UTF-8 (Tom Lane)
Allow to_date() and to_timestamp() to recognize non-English month/day names (Juan José Santamaría Flecha, Tom Lane)
The names recognized are the same as those output by to_char() with the same format patterns.
Add datetime format patterns FF1 – FF6 to specify input or output of 1 to 6 fractional-second digits (Alexander Korotkov, Nikita Glukhov, Teodor Sigaev, Oleg Bartunov)
These patterns can be used by to_char(), to_timestamp(), and jsonpath's .datetime().
Add SSSSS datetime format pattern as an SQL-standard alias for SSSS (Nikita Glukhov, Alexander Korotkov)
Add function gen_random_uuid() to generate version-4 UUIDs (Peter Eisentraut)
Previously UUID generation functions were only available in the external modules uuid-ossp and pgcrypto.
Add greatest-common-denominator (gcd) and least-common-multiple (lcm) functions (Vik Fearing)
Improve the performance and accuracy of the numeric type's square root (sqrt) and natural log (ln) functions (Dean Rasheed)
Add function min_scale() that returns the number of digits to the right of the decimal point that are required to represent a numeric value with full accuracy (Pavel Stehule)
Add function trim_scale() to reduce the scale of a numeric value by removing trailing zeros (Pavel Stehule)
Add commutators of distance operators (Nikita Glukhov)
For example, previously only point <-> line was supported, now line <-> point works too.
Create xid8 versions of all transaction ID functions (Thomas Munro)
The old xid-based functions still exist, for backward compatibility.
Allow get_bit() and set_bit() to set bits beyond the first 256MB of a bytea value (Movead Li)
Allow advisory-lock functions to be used in some parallel operations (Tom Lane)
Add the ability to remove an object's dependency on an extension (Álvaro Herrera)
The object can be a function, materialized view, index, or trigger. The syntax is ALTER .. NO DEPENDS ON.
PL/pgSQL:
Improve performance of simple PL/pgSQL expressions (Tom Lane, Amit Langote)
Improve performance of PL/pgSQL functions that use immutable expressions (Konstantin Knizhnik)
Client Interfaces:
Allow libpq clients to require channel binding for encrypted connections (Jeff Davis)
Using the libpq connection parameter channel_binding forces the other end of the TLS connection to prove it knows the user's password. This prevents man-in-the-middle attacks.
Add libpq connection parameters to control the minimum and maximum TLS version allowed for an encrypted connection (Daniel Gustafsson)
The settings are ssl_min_protocol_version and ssl_max_protocol_version. By default, the minimum TLS version is 1.2 (this represents a behavioral change from previous releases).
Allow use of passwords to unlock client certificates (Craig Ringer, Andrew Dunstan)
This is enabled by libpq's sslpassword connection parameter.
Allow libpq to use DER-encoded client certificates (Craig Ringer, Andrew Dunstan)
Fix ecpg's EXEC SQL elif directive to work correctly (Tom Lane)
Previously it behaved the same as endif followed by ifdef, so that a successful previous branch of the same if construct did not prevent expansion of the elif branch or following branches.
Client Applications:
psql:
Add transaction status (%x) to psql's default prompts (Vik Fearing)
Allow the secondary psql prompt to be blank but the same width as the primary prompt (Thomas Munro)
This is accomplished by setting PROMPT2 to %w.
Allow psql's g and gx commands to change pset output options for the duration of that single command (Tom Lane)
This feature allows syntax like g (expand=on), which is equivalent to gx.
Add psql commands to display operator classes and operator families (Sergey Cherkashin, Nikita Glukhov, Alexander Korotkov)
The new commands are dAc, dAf, dAo, and dAp.
Show table persistence in psql's dt+ and related commands (David Fetter)
In verbose mode, the table/index/view shows if the object is permanent, temporary, or unlogged.
Improve output of psql's d for TOAST tables (Justin Pryzby)
Fix redisplay after psql's e command (Tom Lane)
When exiting the editor, if the query doesn't end with a semicolon or g, the query buffer contents will now be displayed.
Add warn command to psql (David Fetter)
This is like echo except that the text is sent to stderr instead of stdout.
Add the PostgreSQL home page to command-line --help output (Peter Eisentraut)
pgbench:
Allow pgbench to partition its “accounts” table (Fabien Coelho)
This allows performance testing of partitioning.
Add pgbench command aset, which behaves like gset, but for multiple queries (Fabien Coelho)
Allow pgbench to generate its initial data server-side, rather than client-side (Fabien Coelho)
Allow pgbench to show script contents using option --show-script (Fabien Coelho)
Server Applications:
Generate backup manifests for base backups, and verify them (Robert Haas)
A new tool pg_verifybackup can verify backups.
Have pg_basebackup estimate the total backup size by default (Fujii Masao)
This computation allows pg_stat_progress_basebackup to show progress. If that is not needed, it can be disabled by using the --no-estimate-size option. Previously, this computation happened only if the --progress option was used.
Add an option to pg_rewind to configure standbys (Paul Guo, Jimmy Yih, Ashwin Agrawal)
This matches pg_basebackup's --write-recovery-conf option.
Allow pg_rewind to use the target cluster's restore_command to retrieve needed WAL (Alexey Kondratov)
This is enabled using the -c/--restore-target-wal option.
Have pg_rewind automatically run crash recovery before rewinding (Paul Guo, Jimmy Yih, Ashwin Agrawal)
This can be disabled by using --no-ensure-shutdown.
Increase the PREPARE TRANSACTION-related information reported by pg_waldump (Fujii Masao)
Add pg_waldump option --quiet to suppress non-error output (Andres Freund, Robert Haas)
Add pg_dump option --include-foreign-data to dump data from foreign servers (Luis Carril)
Allow vacuum commands run by vacuumdb to operate in parallel mode (Masahiko Sawada)
This is enabled with the new --parallel option.
Allow reindexdb to operate in parallel (Julien Rouhaud)
Parallel mode is enabled with the new --jobs option.
Allow dropdb to disconnect sessions using the target database, allowing the drop to succeed (Pavel Stehule)
This is enabled with the -f option.
Remove --adduser and --no-adduser from createuser (Alexander Lakhin)
The long-supported preferred options for this are called --superuser and --no-superuser.
Use the directory of the pg_upgrade program as the default --new-bindir setting when running pg_upgrade (Daniel Gustafsson)
Documentation:
Add a glossary to the documentation (Corey Huinker, Jürgen Purtz, Roger Harkavy, Álvaro Herrera)
Reformat tables containing function and operator information for better clarity (Tom Lane)
Upgrade to use DocBook 4.5 (Peter Eisentraut)
Source Code:
Add support for building on Visual Studio 2019 (Haribabu Kommi)
Add build support for MSYS2 (Peter Eisentraut)
Add compare_exchange and fetch_add assembly language code for Power PC compilers (Noah Misch)
Update Snowball stemmer dictionaries used by full text search (Panagiotis Mavrogiorgos)
This adds Greek stemming and improves Danish and French stemming.
Remove support for Windows 2000 (Michael Paquier)
Remove support for non-ELF BSD systems (Peter Eisentraut)
Remove support for Python versions 2.5.X and earlier (Peter Eisentraut)
Remove support for OpenSSL 0.9.8 and 1.0.0 (Michael Paquier)
Remove configure options --disable-float8-byval and --disable-float4-byval (Peter Eisentraut)
These were needed for compatibility with some version-zero C functions, but those are no longer supported.
Pass the query string to planner hook functions (Pascal Legrand, Julien Rouhaud)
Add TRUNCATE command hook (Yuli Khodorkovskiy)
Add TLS init hook (Andrew Dunstan)
Allow building with no predefined Unix-domain socket directory (Peter Eisentraut)
Reduce the probability of SysV resource key collision on Unix platforms (Tom Lane)
Use operating system functions to reliably erase memory that contains sensitive information (Peter Eisentraut)
For example, this is used for clearing passwords stored in memory.
Add headerscheck script to test C header-file compatibility (Tom Lane)
Implement internal lists as arrays, rather than a chain of cells (Tom Lane)
This improves performance for queries that access many objects.
Change the API for TS_execute() (Tom Lane, Pavel Borisov)
TS_execute callbacks must now provide ternary (yes/no/maybe) logic. Calculating NOT queries accurately is now the default.
Additional Modules:
Allow extensions to be specified as trusted (Tom Lane)
Such extensions can be installed in a database by users with database-level CREATE privileges, even if they are not superusers. This change also removes the pg_pltemplate system catalog.
Allow non-superusers to connect to postgres_fdw foreign servers without using a password (Craig Ringer)
Specifically, allow a superuser to set password_required to false for a user mapping. Care must still be taken to prevent non-superusers from using superuser credentials to connect to the foreign server.
Allow postgres_fdw to use certificate authentication (Craig Ringer)
Different users can use different certificates.
Allow sepgsql to control access to the TRUNCATE command (Yuli Khodorkovskiy)
Add extension bool_plperl which transforms SQL booleans to/from PL/Perl booleans (Ivan Panchenko)
Have pg_stat_statements treat SELECT ... FOR UPDATE commands as distinct from those without FOR UPDATE (Andrew Gierth, Vik Fearing)
Allow pg_stat_statements to optionally track the planning time of statements (Julien Rouhaud, Pascal Legrand, Thomas Munro, Fujii Masao)
Previously only execution time was tracked.
Overhaul ltree's lquery syntax to treat NOT (!) more logically (Filip Rembialkowski, Tom Lane, Nikita Glukhov)
Also allow non-* queries to use a numeric range ({}) of matches.
Add support for binary I/O of ltree, lquery, and ltxtquery types (Nino Floris)
Add an option to dict_int to ignore the sign of integers (Jeff Janes)
Add adminpack function pg_file_sync() to allow fsync'ing a file (Fujii Masao)
Add pageinspect functions to output t_infomask/t_infomask2 values in human-readable format (Craig Ringer, Sawada Masahiko, Michael Paquier)
Add B-tree index de-duplication processing columns to pageinspect output (Peter Geoghegan)

New in PostgreSQL 12.4 (Aug 25, 2020)

Set a secure search_path in logical replication walsenders and apply workers (Noah Misch)
A malicious user of either the publisher or subscriber database could potentially cause execution of arbitrary SQL code by the role running replication, which is often a superuser. Some of the risks here are equivalent to those described in CVE-2018-1058, and are mitigated in this patch by ensuring that the replication sender and receiver execute with empty search_path settings. (As with CVE-2018-1058, that change might cause problems for under-qualified names used in replicated tables' DDL.) Other risks are inherent in replicating objects that belong to untrusted roles; the most we can do is document that there is a hazard to consider. (CVE-2020-14349)
Make contrib modules' installation scripts more secure (Tom Lane)
Attacks similar to those described in CVE-2018-1058 could be carried out against an extension installation script, if the attacker can create objects in either the extension's target schema or the schema of some prerequisite extension. Since extensions often require superuser privilege to install, this can open a path to obtaining superuser privilege. To mitigate this risk, be more careful about the search_path used to run an installation script; disable check_function_bodies within the script; and fix catalog-adjustment queries used in some contrib modules to ensure they are secure. Also provide documentation to help third-party extension authors make their installation scripts secure. This is not a complete solution; extensions that depend on other extensions can still be at risk if installed carelessly. (CVE-2020-14350)
Fix edge cases in partition pruning (Etsuro Fujita, Dmitry Dolgov)
When there are multiple partition key columns, generation of pruning tests could misbehave if some columns had no constraining WHERE clauses or multiple constraining clauses. This could lead to server crashes, incorrect query results, or assertion failures
Fix construction of parameterized BitmapAnd and BitmapOr index scans on the inside of partition-wise nestloop joins (Tom Lane)
A plan in which such a scan needed to use a value from the outside of the join would usually crash at execution
Fix incorrect plan execution when a partitioned table is subject to both static and run-time partition pruning in the same query, and a new partition is added concurrently with the query (Amit Langote, Tom Lane)
In logical replication walsender, fix failure to send feedback messages after sending a keepalive message (Álvaro Herrera)
This is a relatively minor problem when using built-in logical replication, because the built-in walreceiver will send a feedback reply (which clears the incorrect state) fairly frequently anyway. But with some other replication systems, such as pglogical, it causes significant performance issues
Fix firing of column-specific UPDATE triggers in logical replication subscribers (Tom Lane)
The code neglected to account for the possibility of column numbers being different between the publisher and subscriber tables, so that if those were indeed different, wrong decisions might be made about which triggers to fire
Update oldest xmin and LSN values during pg_replication_slot_advance() (Michael Paquier)
This function previously failed to do that, possibly preventing resource cleanup (such as removal of no-longer-needed WAL segments) after manual advancement of a replication slot
Fix slow execution of ts_headline() (Tom Lane)
The phrase-search fix added in our previous set of minor releases could cause ts_headline() to take unreasonable amounts of time for long documents; to make matters worse, the query was not cancellable within the troublesome loop
Ensure the repeat() function can be interrupted by query cancel (Joe Conway)
Fix pg_current_logfile() to not include a carriage return (r) in its result on Windows (Tom Lane)
Ensure that pg_read_file() and related functions read until EOF is reached (Joe Conway)
Previously, if not given a specific data length to read, these functions would stop at whatever file length was reported by stat(). That's unhelpful for pipes and other sorts of virtual files
Forbid numeric NaN values in jsonpath computations (Alexander Korotkov)
Neither SQL nor JSON have the concept of NaN (not-a-number), but the jsonpath code attempted to allow such values anyway. This necessarily leads to nonstandard behavior, so it seems better to reject such values at the outset
Handle single Inf or NaN inputs correctly in floating-point aggregates (Tom Lane)
The affected aggregates are corr(), covar_pop(), regr_intercept(), regr_r2(), regr_slope(), regr_sxx(), regr_sxy(), regr_syy(), stddev_pop(), and var_pop(). The correct answer in such cases is NaN, but an algorithmic change introduced in PostgreSQL v12 had caused these aggregates to produce zero instead
Fix mis-handling of NaN inputs during parallel aggregation on numeric-type columns (Tom Lane)
If some partial aggregation workers found only NaNs while others found only non-NaNs, the results were combined incorrectly, possibly leading to the wrong overall result (i.e., not NaN when it should be)
Reject time-of-day values greater than 24 hours (Tom Lane)
The intention of the datetime input code is to allow “24:00:00” or equivalently “23:59:60”, but no larger value. However, the range check was miscoded so that it would accept “23:59:60.nnn” with nonzero fractional-second nnn. In timestamp values this would result in wrapping into the first second of the next day. In time and timetz values, the stored value would actually be more than 24 hours, causing dump/reload failures and possibly other misbehavior
Undo double-quoting of index names in EXPLAIN's non-text output formats (Tom Lane, Euler Taveira)
Fix EXPLAIN's accounting for resource usage, particularly buffer accesses, in parallel workers in a plan using Gather Merge nodes (Jehan-Guillaume de Rorthais)
Fix timing of constraint revalidation in ALTER TABLE (David Rowley)
If ALTER TABLE needs to fully rewrite the table's contents (for example, due to change of a column's data type) and also needs to scan the table to re-validate foreign keys or CHECK constraints, it sometimes did things in the wrong order, leading to odd errors such as “could not read block 0 in file "base/nnnnn/nnnnn": read only 0 of 8192 bytes”
Fix REINDEX CONCURRENTLY to preserve the index's replication identity flag (Michael Paquier)
Previously, reindexing a table's replica identity index caused the setting to be lost, preventing old tuple values from being included in future logical-decoding output
Work around incorrect not-null markings for pg_subscription.subslotname and pg_subscription_rel.srsublsn (Tom Lane)
The bootstrap catalog data incorrectly marks these two catalog columns as always non-null. There's no easy way to correct that mistake in existing installations (though v13 and later will have the correct markings). The main place that depends on that marking being correct is JIT-enabled tuple deconstruction, so teach it to explicitly ignore the marking for these two columns. Also adjust some C code that accessed srsublsn without checking to see if it's null; a crash from that is improbable but perhaps not impossible
Cope with LATERAL references in restriction clauses attached to an un-flattened sub-SELECT in the FROM clause (Tom Lane)
This oversight could result in assertion failures or crashes at query execution
Use the query-specified collation for operators invoked during selectivity estimation (Tom Lane)
Previously, the collation of the underlying database column was used. But using the query's collation is arguably more correct. More importantly, now that we have nondeterministic collations, there are cases where an operator will fail outright if given a nondeterministic collation. We don't want planning to fail in cases where the query itself would work, so this means that we must use the query's collation when invoking operators for estimation purposes
Avoid believing that a never-analyzed foreign table has zero tuples (Tom Lane)
This primarily affected the planner's estimate of the number of groups that would be obtained by GROUP BY
Remove bogus warning about “leftover placeholder tuple” in BRIN index de-summarization (Álvaro Herrera)
The case can occur legitimately after a cancelled vacuum, so warning about it is overly noisy
Fix selection of tablespaces for “shared fileset” temporary files (Magnus Hagander, Tom Lane)
If temp_tablespaces is empty or explicitly names the database's primary tablespace, such files got placed into the pg_default tablespace rather than the database's primary tablespace as expected
Fix corner-case error in masking of SP-GiST index pages during WAL consistency checking (Alexander Korotkov)
This could cause false failure reports when wal_consistency_checking is enabled
Improve error handling in the server's buffile module (Thomas Munro)
Fix some cases where I/O errors were indistinguishable from reaching EOF, or were not reported at all. Also add details such as block numbers and byte counts where appropriate
Fix conflict-checking anomalies in SERIALIZABLE isolation mode (Peter Geoghegan)
If a concurrently-inserted tuple was updated by a different concurrent transaction, and neither tuple version was visible to the current transaction's snapshot, serialization conflict checking could draw the wrong conclusions about whether the tuple was relevant to the results of the current transaction. This could allow a serializable transaction to commit when it should have failed with a serialization error
Avoid repeated marking of dead btree index entries as dead (Masahiko Sawada)
While functionally harmless, this led to useless WAL traffic when checksums are enabled or wal_log_hints is on
Fix checkpointer process to discard file sync requests when fsync is off (Heikki Linnakangas)
Such requests are treated as no-ops if fsync is off, but we forgot to remove them from the checkpointer's table of pending actions. This would lead to bloat of that table, as well as possible assertion failures if fsync is later re-enabled
Avoid trouble during cleanup of a non-exclusive backup when JIT compilation has been activated during the backup (Robert Haas)
Fix failure of some code paths to acquire the correct lock before modifying pg_control (Nathan Bossart, Fujii Masao)
This oversight could allow pg_control to be written out with an inconsistent checksum, possibly causing trouble later, including inability to restart the database if it crashed before the next pg_control update
Fix errors in currtid() and currtid2() (Michael Paquier)
These functions (which are undocumented and used only by ancient versions of the ODBC driver) contained coding errors that could result in crashes, or in confusing error messages such as “could not open file” when applied to a relation having no storage
Avoid calling elog() or palloc() while holding a spinlock (Michael Paquier, Tom Lane)
Logic associated with replication slots had several violations of this coding rule. While the odds of trouble are quite low, an error in the called function would lead to a stuck spinlock
Fix assertion in logical replication subscriber to allow use of REPLICA IDENTITY FULL (Euler Taveira)
This was just an incorrect assertion, so it has no impact on standard production builds
Ensure that libpq continues to try to read from the database connection socket after a write failure (Tom Lane)
This is important not only to ensure that we collect any final error message from a dying server process, but because we do not consider the connection lost until we see a read failure. This oversight allowed libpq to continue trying to send COPY data indefinitely after a mid-transfer loss of connection, rather than reporting failure to the application
Fix bugs in libpq's management of GSS encryption state (Tom Lane)
A connection using GSS encryption could freeze up when attempting to reset it after a server restart, or when moving on to the next one of a list of candidate servers
Fix ecpg crash with bytea and cursor variables (Jehan-Guillaume de Rorthais)
Report out-of-disk-space errors properly in pg_dump and pg_basebackup (Justin Pryzby, Tom Lane, Álvaro Herrera)
Some code paths could produce silly reports like “could not write file: Success”
Make pg_restore cope with data-offset-less custom-format archive files when it needs to restore data items out of order (David Gilman, Tom Lane)
pg_dump will produce such files if it cannot seek its output (for example, if the output is piped to something). This fix primarily improves the ability to do a parallel restore from such a file
Fix parallel restore of tables having both table-level privileges and per-column privileges (Tom Lane)
The table-level privilege grants have to be applied first, but a parallel restore did not reliably order them that way; this could lead to “tuple concurrently updated” errors, or to disappearance of some per-column privilege grants. The fix for this is to include dependency links between such entries in the archive file, meaning that a new dump has to be taken with a corrected pg_dump to ensure that the problem will not recur
Ensure that pg_upgrade runs with vacuum_defer_cleanup_age set to zero in the target cluster (Bruce Momjian)
If the target cluster's configuration has been modified to set vacuum_defer_cleanup_age to a nonzero value, that prevented freezing of the system catalogs from working properly, which caused the upgrade to fail in confusing ways. Ensure that any such setting is overridden for the duration of the upgrade
Fix pg_recvlogical to drain pending messages before exiting (Noah Misch)
Without this, the replication sender might detect a send failure and exit without making the expected final update to the replication slot's LSN position. That led to re-transmitting data after the next connection. It was also possible to miss error messages sent after the last data that pg_recvlogical wants to consume
Fix pg_rewind's handling of just-deleted files in the source data directory (Justin Pryzby, Michael Paquier)
When working with an on-line source database, concurrent file deletions are possible, but pg_rewind would get confused if deletion happened between seeing a file's directory entry and examining it with stat()
Make pg_test_fsync use binary I/O mode on Windows (Michael Paquier)
Previously it wrote the test file in text mode, which is not an accurate reflection of PostgreSQL's actual usage
Fix contrib/amcheck to not complain about deleted index pages that are empty (Alexander Korotkov)
This state of affairs is normal during WAL replay
Fix failure to initialize local state correctly in contrib/dblink (Joe Conway)
With the right combination of circumstances, this could lead to dblink_close() issuing an unexpected remote COMMIT
Fix contrib/pgcrypto's misuse of deflate() (Tom Lane)
The pgp_sym_encrypt functions could produce incorrect compressed data due to mishandling of zlib's API requirements. We have no reports of this error manifesting with stock zlib, but it can be seen when using IBM's zlibNX implementation
Fix corner case in decompression logic in contrib/pgcrypto's pgp_sym_decrypt functions (Kyotaro Horiguchi, Michael Paquier)
A compressed stream can validly end with an empty packet, but the decompressor failed to handle this and would complain about corrupt data
Support building our NLS code with Microsoft Visual Studio 2015 or later (Juan José Santamaría Flecha, Davinder Singh, Amit Kapila)
Avoid possible failure of our MSVC install script when there is a file named configure several levels above the source code tree (Arnold Müller)
This could confuse some logic that looked for configure to identify the top level of the source tree

New in PostgreSQL 12.3 (May 21, 2020)

Fix possible failure with GENERATED columns (David Rowley). If a GENERATED column's value is an exact copy of another column of the table (and it is a pass-by-reference data type), it was possible to crash or insert corrupted data into the table. While it would be rather pointless for a GENERATED expression to just duplicate another column, an expression using a function that sometimes returns its input unchanged could create the situation.
Handle inheritance of generated columns better (Peter Eisentraut). When a table column is inherited during CREATE TABLE ... INHERITS, disallow changing any generation properties when the parent column is already marked GENERATED; but allow a child column to be marked GENERATED when its parent is not.
Fix cross-column references in CREATE TABLE LIKE INCLUDING GENERATED (Peter Eisentraut). CREATE TABLE ... LIKE failed when trying to copy a GENERATED expression that references a physically-later column.
Propagate ALTER TABLE ... SET STORAGE to indexes (Peter Eisentraut). Non-expression index columns have always copied the attstorage property of their table column at creation. Update them when ALTER TABLE ... SET STORAGE is done, to maintain consistency.
Preserve the indisclustered setting of indexes rewritten by ALTER TABLE (Amit Langote, Justin Pryzby). Previously, ALTER TABLE lost track of which index had been used for CLUSTER.
Preserve the replica identity properties of indexes rewritten by ALTER TABLE (Quan Zongliang, Peter Eisentraut)
Preserve the indisclustered setting of indexes rebuilt by REINDEX CONCURRENTLY (Justin Pryzby)
Lock objects sooner during DROP OWNED BY (Álvaro Herrera).This avoids failures in race-condition cases where another session is deleting some of the same objects.
Fix error-case processing for CREATE ROLE ... IN ROLE (Andrew Gierth). Some error cases would be reported as “unexpected node type” or the like, instead of the intended message.
Ensure that when a partition is detached, any triggers cloned from its formerly-parent table are removed (Justin Pryzby)
Fix crash when COLLATE is applied to a non-collatable type in a partition bound expression (Dmitry Dolgov). Ensure that unique indexes over partitioned tables match the equality semantics of the partitioning key (Guancheng Luo). This would only be an issue with index opclasses that have unusual notions of equality, but it's wrong in theory, so check.
Ensure that members of the pg_read_all_stats role can read all statistics views, as expected (Magnus Hagander). The functions underlying the pg_stat_progress_* views had not gotten this memo.
Repair performance regression in information_schema.triggers view (Tom Lane). This patch redefines that view so that an outer WHERE clause constraining the table name can be pushed down into the view, allowing its calculations to be done only for triggers belonging to the table of interest rather than all triggers in the database. In a database with many triggers this would make a significant speed difference for queries of that form. Since things worked that way before v11, this is a potential performance regression. Users who find this to be a problem can fix it by replacing the view definition (or, perhaps, just deleting and reinstalling the whole information_schema schema).
Repair performance regression in floating point overflow/underflow detection (Emre Hasegeli). Previous refactoring had resulted in isinf() being called extra times in some hot code paths.
Fix full text search to handle NOT above a phrase search correctly (Tom Lane). Queries such as !(foo<->bar) failed to find matching rows when implemented as a GiST or GIN index search.
Fix full text search for cases where a phrase search includes an item with both prefix matching and a weight restriction (Tom Lane)
Fix ts_headline() to make better headline selections when working with phrase queries (Tom Lane)
Fix bugs in gin_fuzzy_search_limit processing (Adé Heyward, Tom Lane). A small value of gin_fuzzy_search_limit could result in unexpected slowness due to unintentionally rescanning the same index page many times. Another code path failed to apply the intended filtering at all, possibly returning too many values.
Allow input of type circle to accept the format “(x,y),r” as the documentation says it does (David Zhang)
Make the get_bit() and set_bit() functions cope with bytea strings longer than 256MB (Movead Li). Since the bit number argument is only int4, it's impossible to use these functions to access bits beyond the first 256MB of a long bytea. We'll widen the argument to int8 in v13, but in the meantime, allow these functions to work on the initial substring of a long bytea.
Ignore file-not-found errors in pg_ls_waldir() and allied functions (Tom Lane). This prevents a race condition failure if a file is removed between when we see its directory entry and when we attempt to stat() it.
Avoid possibly leaking an open-file descriptor for a directory in pg_ls_dir(), pg_timezone_names(), pg_tablespace_databases(), and allied functions (Justin Pryzby)
Fix polymorphic-function type resolution to correctly infer the actual type of an anyarray output when given only an anyrange input (Tom Lane)
Fix server's connection-startup logic for case where a GSSAPI connection is rejected because support is not compiled in, and the client then tries SSL instead (Andrew Gierth). This led to a bogus “unsupported frontend protocol” failure.
Fix memory leakage during GSSAPI encryption (Tom Lane). Both the backend and libpq would leak memory equivalent to the total amount of data sent during the session, if GSSAPI encryption is in use.
Fix query-lifespan memory leak for a set-returning function used in a query's FROM clause (Andres Freund)
Avoid leakage of a hashed subplan's hash tables across multiple executions (Andreas Karlsson, Tom Lane). This mistake could result in severe memory bloat if a query re-executed a hashed subplan enough times.
Improve planner's handling of no-op domain coercions (Tom Lane). Fix some cases where a domain coercion that does nothing was not completely removed from expressions.
Avoid unlikely crash when REINDEX is terminated by a session-shutdown signal (Tom Lane)
Prevent printout of possibly-incorrect hash join table statistics in EXPLAIN (Konstantin Knizhnik, Tom Lane, Thomas Munro)
Fix reporting of elapsed time for heap truncation steps in VACUUM VERBOSE (Tatsuhito Kasahara)
Fix possible undercounting of deleted B-tree index pages in VACUUM VERBOSE output (Peter Geoghegan)
Fix wrong bookkeeping for oldest deleted page in a B-tree index (Peter Geoghegan). This could cause subtly wrong decisions about when VACUUM can skip an index cleanup scan; although it appears there may be no significant user-visible effects from that.
Ensure that TimelineHistoryRead and TimelineHistoryWrite wait states are reported in all code paths that read or write timeline history files (Masahiro Ikeda)
Avoid possibly showing “waiting” twice in a process's PS status (Masahiko Sawada)
Avoid race condition when ANALYZE replaces the catalog tuple for extended statistics data (Dean Rasheed)
Remove ill-considered skip of “redundant” anti-wraparound vacuums (Michael Paquier). This avoids a corner case where autovacuum could get into a loop of repeatedly trying and then skipping the same vacuum job.
Ensure INCLUDE'd columns are always removed from B-tree pivot tuples (Peter Geoghegan). This mistake wasted space in some rare cases, but was otherwise harmless.
Cope with invalid TOAST indexes that could be left over after a failed REINDEX CONCURRENTLY (Julien Rouhaud)
Ensure that valid index dependencies are left behind after a failed REINDEX CONCURRENTLY (Michael Paquier). Previously the old index could be left with no pg_depend links at all, so that for example it would not get dropped if the parent table is dropped.
Avoid failure if autovacuum tries to access a just-dropped temporary schema (Tom Lane). This hazard only arises if a superuser manually drops a temporary schema; which isn't normal practice, but should work.
Avoid premature recycling of WAL segments during crash recovery (Jehan-Guillaume de Rorthais). WAL segments that become ready to be archived during crash recovery were potentially recycled without being archived.
Avoid scanning irrelevant timelines during archive recovery (Kyotaro Horiguchi). This can eliminate many attempts to fetch non-existent WAL files from archive storage, which is helpful if archive access is slow.
Remove bogus “subtransaction logged without previous top-level txn record” error check in logical decoding (Arseny Sher, Amit Kapila). This condition is legitimately reachable in various scenarios, so remove the check.
Avoid possible failure after a replication slot copy, due to premature removal of WAL data (Masahiko Sawada, Arseny Sher)
Ensure that a replication slot's io_in_progress_lock is released in failure code paths (Pavan Deolasee). This could result in a walsender later becoming stuck waiting for the lock.
Ensure that generated columns are correctly handled during updates issued by logical replication (Peter Eisentraut)
Fix race conditions in synchronous standby management (Tom Lane). During a change in the synchronous_standby_names setting, there was a window in which wrong decisions could be made about whether it is OK to release transactions that are waiting for synchronous commit. Another hazard for similarly wrong decisions existed if a walsender process exited and was immediately replaced by another.
Add missing SQLSTATE values to a few error reports (Sawada Masahiko)
Fix PL/pgSQL to reliably refuse to execute an event trigger function as a plain function (Tom Lane)
Fix memory leak in libpq when using sslmode=verify-full (Roman Peshkurov). Certificate verification during connection startup could leak some memory. This would become an issue if a client process opened many database connections during its lifetime.
Fix ecpg to treat an argument of just “-” as meaning “read from stdin” on all platforms (Tom Lane)
Fix crash in psql when attempting to re-establish a failed connection (Michael Paquier)
Allow tab-completion of the filename argument to psql's gx command (Vik Fearing)
Add pg_dump support for ALTER ... DEPENDS ON EXTENSION (Álvaro Herrera). pg_dump previously ignored dependencies added this way, causing them to be forgotten during dump/restore or pg_upgrade.
Fix pg_dump to dump comments on RLS policy objects (Tom Lane)
In pg_dump, postpone restore of event triggers till the end (Fabrízio de Royes Mello, Hamid Akhtar, Tom Lane). This minimizes the risk that an event trigger could interfere with the restoration of other objects.
Ensure that pg_basebackup generates valid tar files (Robert Haas). In some cases a partial block of zeroes would be added to the end of the file. While this seems to be harmless with common versions of tar, it's not OK per the POSIX file format spec.
Make pg_checksums skip tablespace subdirectories that belong to a different PostgreSQL major version (Michael Banck, Bernd Helmle). Such subdirectories don't really belong to our database cluster, and so must not be processed.
Ignore temporary copies of pg_internal.init in pg_checksums and related programs (Michael Paquier)
Fix quoting of --encoding, --lc-ctype and --lc-collate values in createdb utility (Michael Paquier)
contrib/lo's lo_manage() function crashed if called directly rather than as a trigger (Tom Lane)
In contrib/ltree, protect against overflow of ltree and lquery length fields (Nikita Glukhov)
Work around failure in contrib/pageinspect's bt_metap() function when an oldest_xact value exceeds 2^31-1 (Peter Geoghegan). Such XIDs will now be reported as negative integers, which isn't great but it beats throwing an error. v13 will widen the output argument to int8 to provide saner reporting.
Fix cache reference leak in contrib/sepgsql (Michael Luo)
On Windows, avoid premature creation of postmaster's log file during pg_ctl start (Alexander Lakhin). The previous coding could allow the file to be created with permissions that wouldn't allow the postmaster to write on it.
Avoid failures when dealing with Unix-style locale names on Windows (Juan José Santamaría Flecha)
On Windows, set console VT100 compatibility mode in programs that support PG_COLOR colorization (Juan José Santamaría Flecha). Without this, the colorization option doesn't actually work.
Stop requiring extra parentheses in ereport() calls (Andres Freund, Tom Lane)
Use pkg-config, if available, to locate libxml2 during configure (Hugh McMaster, Tom Lane, Peter Eisentraut). If pkg-config is not present or lacks knowledge of libxml2, we still query xml2-config as before. This change could break build processes that try to make PostgreSQL use a non-default version of libxml2 by putting that version's xml2-config into the PATH. Instead, set XML2_CONFIG to point to the non-default xml2-config. That method will work with either older or newer PostgreSQL releases.
Fix Makefile dependencies for libpq and ecpg (Dagfinn Ilmari Mannsåker)
In MSVC builds, cope with spaces in the path name for Python (Victor Wagner)
In MSVC builds, fix detection of Visual Studio version to work with more language settings (Andrew Dunstan)
In MSVC builds, use -Wno-deprecated with bison versions newer than 3.0, as non-Windows builds already do (Andrew Dunstan). Update time zone data files to tzdata release 2020a for DST law changes in Morocco and the Canadian Yukon, plus historical corrections for Shanghai. The America/Godthab zone has been renamed to America/Nuuk to reflect current English usage; however, the old name remains available as a compatibility link. Also, update initdb's list of known Windows time zone names to include recent additions, improving the odds that it will correctly translate the system time zone setting on that platform.

New in PostgreSQL 12.2 (Feb 17, 2020)

New in PostgreSQL 12.1 (Nov 15, 2019)

A dump/restore is not required for those running 12.X.
E.1.2. Changes
Fix crash when ALTER TABLE adds a column without a default value along with making other changes that require a table rewrite (Andres Freund)
Fix lock handling in REINDEX CONCURRENTLY (Michael Paquier)
REINDEX CONCURRENTLY neglected to take a session-level lock on the new index version, potentially allowing other sessions to manipulate it too soon. Also, a query-cancel or session-termination interrupt arriving at the wrong time could result in failure to release the session-level locks that REINDEX CONCURRENTLY does hold.
Avoid crash due to race condition when reporting the progress of a CREATE INDEX CONCURRENTLY or REINDEX CONCURRENTLY command (Álvaro Herrera)
Avoid creating duplicate dependency entries during REINDEX CONCURRENTLY (Michael Paquier)
This bug resulted in bloat in pg_depend, but no worse consequences than that.
Prevent VACUUM from trying to freeze an old multixact ID involving a still-running transaction (Nathan Bossart, Jeremy Schneider)
This case would lead to VACUUM failing until the old transaction terminates.
Fix “wrong type of slot” error when trying to CLUSTER on an expression index (Andres Freund)
SET CONSTRAINTS ... DEFERRED failed on partitioned tables, incorrectly complaining about lack of triggers (Álvaro Herrera)
Fix failure when creating indexes for a partition, if the parent partitioned table contains any dropped columns (Michael Paquier)
Fix dropping of indexed columns in partitioned tables (Amit Langote, Michael Paquier)
Previously this might fail with an error message complaining about the dependencies of the indexes. It should automatically drop the indexes, instead.
Ensure that a partition index can be dropped after a failure to reindex it concurrently (Michael Paquier)
The index's pg_class.relispartition flag was left in the wrong state in such a case, causing DROP INDEX to fail.
Fix handling of equivalence class members for partition-wise joins (Amit Langote)
This oversight could lead either to failure to use a feasible partition-wise join plan, or to a “could not find pathkey item to sort” planner failure.
Ensure that offset expressions in WINDOW clauses are processed when a query's expressions are manipulated (Andrew Gierth)
This oversight could result in assorted failures when the offsets are nontrivial expressions. One example is that a function parameter reference in such an expression would fail if the function was inlined.
Avoid postmaster failure if a parallel query requests a background worker when no postmaster child process array slots remain free (Tom Lane)
Fix crash triggered by an EvalPlanQual recheck on a table with a BEFORE UPDATE trigger (Andres Freund)
Fix “unexpected relkind” error when a query tries to access a TOAST table (John Hsu, Michael Paquier, Tom Lane)
The error should say that permission is denied, but this case got broken during code refactoring.
Provide a relevant error context line when an error occurs while setting GUC parameters during parallel worker startup (Thomas Munro)
Ensure that fsync() is applied only to files that are opened read/write (Andres Freund, Michael Paquier)
Some code paths tried to do this after opening a file read-only, but on some platforms that causes “bad file descriptor” or similar errors.
Allow encoding conversion to succeed on longer strings than before (Álvaro Herrera, Tom Lane)
Previously, there was a hard limit of 0.25GB on the input string, but now it will work as long as the converted output is not over 1GB.
Avoid creating unnecessarily-bulky tuple stores for window functions (Andrew Gierth)
In some cases the tuple storage would include all columns of the source table(s), not just the ones that are needed by the query.
Allow repalloc() to give back space when a large chunk is reduced in size (Tom Lane)
Ensure that temporary WAL and history files are removed at the end of archive recovery (Sawada Masahiko)
Avoid failure in archive recovery if recovery_min_apply_delay is enabled (Fujii Masao)
recovery_min_apply_delay is not typically used in this configuration, but it should work.
Ignore restore_command, recovery_end_command, and recovery_min_apply_delay settings during crash recovery (Fujii Masao)
Now that these settings can be specified in postgresql.conf, they could be turned on during crash recovery, but honoring them then is undesirable. Ignore these settings until crash recovery is complete.
Fix logical replication failure when publisher and subscriber have different ideas about a table's replica identity columns (Jehan-Guillaume de Rorthais, Peter Eisentraut)
Declaring a column as part of the replica identity on the subscriber, when it does not exist at all on the publisher, led to “negative bitmapset member not allowed” errors.
Avoid unwanted delay during shutdown of a logical replication walsender (Craig Ringer, Álvaro Herrera)
Fix timeout handling in logical replication walreceiver processes (Julien Rouhaud)
Erroneous logic prevented wal_receiver_timeout from working in logical replication deployments.
Correctly time-stamp replication messages for logical decoding (Jeff Janes)
This oversight resulted, for example, in pg_stat_subscription.last_msg_send_time usually reading as NULL.
Fix race condition during backend exit, when the backend process has previously waited for synchronous replication to occur (Dongming Liu)
Avoid logging complaints about abandoned connections when using PAM authentication (Tom Lane)
libpq-based clients will typically make two connection attempts when a password is required, since they don't prompt their user for a password until their first connection attempt fails. Therefore the server is coded not to generate useless log spam when a client closes the connection upon being asked for a password. However, the PAM authentication code hadn't gotten that memo, and would generate several messages about a phantom authentication failure.
Fix misbehavior of bitshiftright() (Tom Lane)
The bitstring right shift operator failed to zero out padding space that exists in the last byte of the result when the bitstring length is not a multiple of 8. While invisible to most operations, any nonzero bits there would result in unexpected comparison behavior, since bitstring comparisons don't bother to ignore the extra bits, expecting them to always be zero.
If you have inconsistent data as a result of saving the output of bitshiftright() in a table, it's possible to fix it with something like
UPDATE mytab SET bitcol = ~(~bitcol) WHERE bitcol != ~(~bitcol);
Fix result of text position() function (also known as strpos()) for an empty search string (Tom Lane)
Historically, and per the SQL standard, the result should be one in such cases, but 12.0 returned zero.
Fix detection of edge-case integer overflow in interval multiplication (Yuya Watari)
Avoid crashes if ispell text search dictionaries contain wrong affix data (Arthur Zakirov)
Avoid memory leak while vacuuming a GiST index (Dilip Kumar)
On Windows, recognize additional spellings of the “Norwegian (Bokmål)” locale name (Tom Lane)
Fix libpq to allow trailing whitespace in the string values of integer parameters (Michael Paquier)
Version 12 tightened libpq's validation of integer parameters, but disallowing trailing whitespace seems undesirable.
In libpq, correctly report CONNECTION_BAD connection status after a failure caused by a syntactically invalid connect_timeout parameter value (Lars Kanis)
Avoid compile failure if an ECPG client includes ecpglib.h while having ENABLE_NLS defined (Tom Lane)
This risk was created by a misplaced declaration: ecpg_gettext() should not be visible to client code.
Fix scheduling of parallel restore of a foreign key constraint on a partitioned table (Álvaro Herrera)
pg_dump failed to emit full dependency information for partitioned tables' foreign keys. This could allow parallel pg_restore to try to recreate a foreign key constraint too soon.
In pg_dump, ensure stable output order for similarly-named triggers and row-level-security policy objects (Benjie Gillam)
Previously, if two triggers on different tables had the same names, they would be sorted in OID-based order, which is less desirable than sorting them by table name. Likewise for RLS policies.
In pg_upgrade, reject tables with columns of type sql_identifier, as that has changed representation in version 12 (Tomas Vondra)
Improve pg_upgrade's checks for the use of a data type that has changed representation, such as line (Tomas Vondra)
The previous coding could be fooled by cases where the data type of interest underlies a stored column of a domain or composite type.
In pg_rewind with the --dry-run option, avoid updating pg_control (Alexey Kondratov)
This could lead to failures in subsequent pg_rewind attempts.
Fix failure in pg_waldump with the -s option, when a continuation WAL record ends exactly at a page boundary (Andrey Lepikhov)
In pg_waldump with the --bkp-details option, avoid emitting extra newlines for WAL records involving full-page writes (Andres Freund)
Fix small memory leak in pg_waldump (Andres Freund)
Put back pqsignal() as an exported libpq symbol (Tom Lane)
This function was removed on the grounds that no clients should be using it, but that turns out to break usage of current libpq with very old versions of psql, and perhaps other applications.
Fix configure's test for presence of libperl so that it works on recent Red Hat releases (Tom Lane)
Previously, it could fail if the user sets CFLAGS to -O0.
Ensure correct code generation for spinlocks on PowerPC (Noah Misch)
The previous spinlock coding allowed the compiler to select register zero for use with an assembly instruction that does not accept that register, causing a build failure. We have seen only one long-ago report that matches this bug, but it could cause problems for people trying to build modified PostgreSQL code or use atypical compiler options.
On AIX, don't use the compiler option -qsrcmsg (Noah Misch)
This avoids an internal compiler error with xlc v16.1.0, with little consequence other than changing the format of compiler error messages.
Fix MSVC build process to cope with spaces in the file path of OpenSSL (Andrew Dunstan)

New in PostgreSQL 12.0.1 (Oct 4, 2019)

Overall Performance Improvements:
PostgreSQL 12 provides significant performance and maintenance enhancements to its indexing system and to partitioning.
B-tree Indexes, the standard type of indexing in PostgreSQL, have been optimized in PostgreSQL 12 to better handle workloads where the indexes are frequently modified. Using a fair use implementation of the TPC-C benchmark, PostgreSQL 12 demonstrated on average a 40% reduction in space utilization and an overall gain in query performance.
Queries on partitioned tables have also seen demonstrable improvements, particularly for tables with thousands of partitions that only need to retrieve data from a limited subset. PostgreSQL 12 also improves the performance of adding data to partitioned tables with INSERT and COPY, and includes the ability to attach a new partition to a table without blocking queries.
There are additional enhancements to indexing in PostgreSQL 12 that affect overall performance, including lower overhead in write-ahead log generation for the GiST, GIN, and SP-GiST index types, the ability to create covering indexes (the INCLUDE clause) on GiST indexes, the ability to perform K-nearest neighbor queries with the distance operator (<->) using SP-GiST indexes, and CREATE STATISTICS now supporting most-common value (MCV) statistics to help generate better query plans when using columns that are nonuniformly distributed.
Just-in-time (JIT) compilation using LLVM, introduced in PostgreSQL 11, is now enabled by default. JIT compilation can provide performance benefits to the execution of expressions in WHERE clauses, target lists, aggregates, and some internal operations, and is available if your PostgreSQL installation is compiled or packaged with LLVM.
Enhancements to SQL Conformance & Functionality:
PostgreSQL is known for its conformance to the SQL standard - one reason why it was renamed from "POSTGRES" to "PostgreSQL" - and PostgreSQL 12 adds several features to continue its implementation of the SQL standard with enhanced functionality.
PostgreSQL 12 introduces the ability to run queries over JSON documents using JSON path expressions defined in the SQL/JSON standard. Such queries may utilize the existing indexing mechanisms for documents stored in the JSONB format to efficiently retrieve data.
Common table expressions, also known as WITH queries, can now be automatically inlined by PostgreSQL 12, which in turn can help increase the performance of many existing queries. In this release, a WITH query can be inlined if it is not recursive, does not have any side-effects, and is only referenced once in a later part of a query.
PostgreSQL 12 introduces "generated columns." Defined in the SQL standard, this type of column computes its value from the contents of other columns in the same table. In this version, PostgreSQL supports "stored generated columns," where the computed value is stored on the disk.
Internationalization
PostgreSQL 12 extends its support of ICU collations by allowing users to define "nondeterministic collations" that can, for example, allow case-insensitive or accent-insensitive comparisons.
Authentication:
PostgreSQL expands on its robust authentication method support with several enhancements that provide additional security and functionality. This release introduces both client and server-side encryption for authentication over GSSAPI interfaces, as well as the ability for PostgreSQL to discover LDAP servers if PostgreSQL is compiled with OpenLDAP.
Additionally, PostgreSQL 12 now supports a form of multi-factor authentication. A PostgreSQL server can now require an authenticating client to provide a valid SSL certificate with their username using the clientcert=verify-full option and combine this with the requirement of a separate authentication method (e.g. scram-sha-256).
Administration:
PostgreSQL 12 introduces the ability to rebuild indexes without blocking writes to an index via the REINDEX CONCURRENTLY command, allowing users to avoid downtime scenarios for lengthy index rebuilds.
Additionally, PostgreSQL 12 can now enable or disable page checksums in an offline cluster using the pg_checksums command. Previously page checksums, a feature to help verify the integrity of data stored to disk, could only be enabled at the time a PostgreSQL cluster was initialized with initdb.

New in PostgreSQL 10.5-1 (Aug 9, 2018)

Changes
Fix failure to reset libpq's state fully between connection attempts (Tom Lane)
An unprivileged user of dblink or postgres_fdw could bypass the checks intended to prevent use of server-side credentials, such as a ~/.pgpass file owned by the operating-system user running the server. Servers allowing peer authentication on local connections are particularly vulnerable. Other attacks such as SQL injection into a postgres_fdw session are also possible. Attacking postgres_fdw in this way requires the ability to create a foreign server object with selected connection parameters, but any user with access to dblink could exploit the problem. In general, an attacker with the ability to select the connection parameters for a libpq-using application could cause mischief, though other plausible attack scenarios are harder to think of. Our thanks to Andrew Krasichkov for reporting this issue. (CVE-2018-10915)
Fix INSERT ... ON CONFLICT UPDATE through a view that isn't just SELECT * FROM ... (Dean Rasheed, Amit Langote)
Erroneous expansion of an updatable view could lead to crashes or “attribute ... has the wrong type” errors, if the view's SELECT list doesn't match one-to-one with the underlying table's columns. Furthermore, this bug could be leveraged to allow updates of columns that an attacking user lacks UPDATE privilege for, if that user has INSERT and UPDATE privileges for some other column(s) of the table. Any user could also use it for disclosure of server memory. (CVE-2018-10925)
Ensure that updates to the relfrozenxid and relminmxid values for “nailed” system catalogs are processed in a timely fashion (Andres Freund)
Overoptimistic caching rules could prevent these updates from being seen by other sessions, leading to spurious errors and/or data corruption. The problem was significantly worse for shared catalogs, such as pg_authid, because the stale cache data could persist into new sessions as well as existing ones.
Fix case where a freshly-promoted standby crashes before having completed its first post-recovery checkpoint (Michael Paquier, Kyotaro Horiguchi, Pavan Deolasee, Álvaro Herrera)
This led to a situation where the server did not think it had reached a consistent database state during subsequent WAL replay, preventing restart.
Avoid emitting a bogus WAL record when recycling an all-zero btree page (Amit Kapila)
This mistake has been seen to cause assertion failures, and potentially it could result in unnecessary query cancellations on hot standby servers.
During WAL replay, guard against corrupted record lengths exceeding 1GB (Michael Paquier)
Treat such a case as corrupt data. Previously, the code would try to allocate space and get a hard error, making recovery impossible.
When ending recovery, delay writing the timeline history file as long as possible (Heikki Linnakangas)
This avoids some situations where a failure during recovery cleanup (such as a problem with a two-phase state file) led to inconsistent timeline state on-disk.
Improve performance of WAL replay for transactions that drop many relations (Fujii Masao)
This change reduces the number of times that shared buffers are scanned, so that it is of most benefit when that setting is large.
Improve performance of lock releasing in standby server WAL replay (Thomas Munro)
Make logical WAL senders report streaming state correctly (Simon Riggs, Sawada Masahiko)
The code previously mis-detected whether or not it had caught up with the upstream server.
Ensure that a snapshot is provided when executing data type input functions in logical replication subscribers (Minh-Quan Tran, Álvaro Herrera)
This omission led to failures in some cases, such as domains with constraints using SQL-language functions.
Fix bugs in snapshot handling during logical decoding, allowing wrong decoding results in rare cases (Arseny Sher, Álvaro Herrera)
Add subtransaction handling in logical-replication table synchronization workers (Amit Khandekar, Robert Haas)
Previously, table synchronization could misbehave if any subtransactions were aborted after modifying a table being synchronized.
Ensure a table's cached index list is correctly rebuilt after an index creation fails partway through (Peter Geoghegan)
Previously, the failed index's OID could remain in the list, causing problems later in the same session.
Fix mishandling of empty uncompressed posting list pages in GIN indexes (Sivasubramanian Ramasubramanian, Alexander Korotkov)
This could result in an assertion failure after pg_upgrade of a pre-9.4 GIN index (9.4 and later will not create such pages).
Pad arrays of unnamed POSIX semaphores to reduce cache line sharing (Thomas Munro)
This reduces contention on many-CPU systems, fixing a performance regression (compared to previous releases) on Linux and FreeBSD.
Ensure that a process doing a parallel index scan will respond to signals (Amit Kapila)
Previously, parallel workers could get stuck waiting for a lock on an index page, and not notice requests to abort the query.
Ensure that VACUUM will respond to signals within btree page deletion loops (Andres Freund)
Corrupted btree indexes could result in an infinite loop here, and that previously wasn't interruptible without forcing a crash.
Fix hash-join costing mistake introduced with inner_unique optimization (David Rowley)
This could lead to bad plan choices in situations where that optimization was applicable.
Fix misoptimization of equivalence classes involving composite-type columns (Tom Lane)
This resulted in failure to recognize that an index on a composite column could provide the sort order needed for a mergejoin on that column.
Fix planner to avoid “ORDER/GROUP BY expression not found in targetlist” errors in some queries with set-returning functions (Tom Lane)
Fix handling of partition keys whose data type uses a polymorphic btree operator class, such as arrays (Amit Langote, Álvaro Herrera)
Fix SQL-standard FETCH FIRST syntax to allow parameters ($n), as the standard expects (Andrew Gierth)
Remove undocumented restriction against duplicate partition key columns (Yugo Nagata)
Disallow temporary tables from being partitions of non-temporary tables (Amit Langote, Michael Paquier)
While previously allowed, this case didn't work reliably.
Fix EXPLAIN's accounting for resource usage, particularly buffer accesses, in parallel workers (Amit Kapila, Robert Haas)
Fix SHOW ALL to show all settings to roles that are members of pg_read_all_settings, and also allow such roles to see source filename and line number in the pg_settings view (Laurenz Albe, Álvaro Herrera)
Fix failure to schema-qualify some object names in getObjectDescription and getObjectIdentity output (Kyotaro Horiguchi, Tom Lane)
Names of collations, conversions, text search objects, publication relations, and extended statistics objects were not schema-qualified when they should be.
Fix CREATE AGGREGATE type checking so that parallelism support functions can be attached to variadic aggregates (Alexey Bashtanov)
Widen COPY FROM's current-line-number counter from 32 to 64 bits (David Rowley)
This avoids two problems with input exceeding 4G lines: COPY FROM WITH HEADER would drop a line every 4G lines, not only the first line, and error reports could show a wrong line number.
Allow replication slots to be dropped in single-user mode (Álvaro Herrera)
This use-case was accidentally broken in release 10.0.
Fix incorrect results from variance(int4) and related aggregates when run in parallel aggregation mode (David Rowley)
Process TEXT and CDATA nodes correctly in xmltable() column expressions (Markus Winand)
Cope with possible failure of OpenSSL's RAND_bytes() function (Dean Rasheed, Michael Paquier)
Under rare circumstances, this oversight could result in “could not generate random cancel key” failures that could only be resolved by restarting the postmaster.
Fix libpq's handling of some cases where hostaddr is specified (Hari Babu, Tom Lane, Robert Haas)
PQhost() gave misleading or incorrect results in some cases. Now, it uniformly returns the host name if specified, or the host address if only that is specified, or the default host name (typically /tmp or localhost) if both parameters are omitted.
Also, the wrong value might be compared to the server name when verifying an SSL certificate.
Also, the wrong value might be compared to the host name field in ~/.pgpass. Now, that field is compared to the host name if specified, or the host address if only that is specified, or localhost if both parameters are omitted.
Also, an incorrect error message was reported for an unparseable hostaddr value.
Also, when the host, hostaddr, or port parameters contain comma-separated lists, libpq is now more careful to treat empty elements of a list as selecting the default behavior.
Add a string freeing function to ecpg's pgtypes library, so that cross-module memory management problems can be avoided on Windows (Takayuki Tsunakawa)
On Windows, crashes can ensue if the free call for a given chunk of memory is not made from the same DLL that malloc'ed the memory. The pgtypes library sometimes returns strings that it expects the caller to free, making it impossible to follow this rule. Add a PGTYPESchar_free() function that just wraps free, allowing applications to follow this rule.
Fix ecpg's support for long long variables on Windows, as well as other platforms that declare strtoll/strtoull nonstandardly or not at all (Dang Minh Huong, Tom Lane)
Fix misidentification of SQL statement type in PL/pgSQL, when a rule change causes a change in the semantics of a statement intra-session (Tom Lane)
This error led to assertion failures, or in rare cases, failure to enforce the INTO STRICT option as expected.
Fix password prompting in client programs so that echo is properly disabled on Windows when stdin is not the terminal (Matthew Stickney)
Further fix mis-quoting of values for list-valued GUC variables in dumps (Tom Lane)
The previous fix for quoting of search_path and other list-valued variables in pg_dump output turned out to misbehave for empty-string list elements, and it risked truncation of long file paths.
Fix pg_dump's failure to dump REPLICA IDENTITY properties for constraint indexes (Tom Lane)
Manually created unique indexes were properly marked, but not those created by declaring UNIQUE or PRIMARY KEY constraints.
Make pg_upgrade check that the old server was shut down cleanly (Bruce Momjian)
The previous check could be fooled by an immediate-mode shutdown.
Fix contrib/hstore_plperl to look through Perl scalar references, and to not crash if it doesn't find a hash reference where it expects one (Tom Lane)
Fix crash in contrib/ltree's lca() function when the input array is empty (Pierre Ducroquet)
Fix various error-handling code paths in which an incorrect error code might be reported (Michael Paquier, Tom Lane, Magnus Hagander)
Rearrange makefiles to ensure that programs link to freshly-built libraries (such as libpq.so) rather than ones that might exist in the system library directories (Tom Lane)
This avoids problems when building on platforms that supply old copies of PostgreSQL libraries.
Update time zone data files to tzdata release 2018e for DST law changes in North Korea, plus historical corrections for Czechoslovakia.
This update includes a redefinition of “daylight savings” in Ireland, as well as for some past years in Namibia and Czechoslovakia. In those jurisdictions, legally standard time is observed in summer, and daylight savings time in winter, so that the daylight savings offset is one hour behind standard time not one hour ahead. This does not affect either the actual UTC offset or the timezone abbreviations in use; the only known effect is that the is_dst column in the pg_timezone_names view will now be true in winter and false in summer in these cases.

New in PostgreSQL 10.4-1 (May 11, 2018)

Security Issues:
CVE-2018-1115: Too-permissive access control list on function pg_logfile_rotate()
Bug Fixes and Improvements:
This update also fixes over 50 bugs reported in the last several months. Some of these issues affect only version 10, but many affect all supported versions. These fixes include:
Fix incorrect volatility and parallel-safety markings on several built-in functions to ensure correct query planning optimizations
Several fixes for partitioning, including potential crashes as well as allowing TRUE and FALSE to be used as partition bounds
Fix where a new TOAST value could be assigned to a dead-but-not-yet-vacuumed TOAST OID, which would result in an error similar to "unexpected chunk number 0 (expected 1) for toast value nnnnn"
Fix "CREATE TABLE ... LIKE" with bigint identity columns on 32-bit platforms
Fix memory leak within the runtime of a query that repeatedly executes hash joins
Several crash fixes around queries using GROUPING SET
Avoid failure if a query-cancel or session-termination interrupt occurs while committing a prepared transaction
Reduce locking during autovacuum worker scheduling, which prevents loss of potential worker concurrency
Fix possible slow execution of REFRESH MATERIALIZED VIEW CONCURRENTLY
Several fixes around query plans that use "index-only" scans
Avoid deadlocks in concurrent CREATE INDEX CONCURRENTLY commands that are run under SERIALIZABLE or REPEATABLE READ transaction isolation
Several fixes for SP-GiST indexes, including one collation-aware searches on text columns
Fixes related to counting the number of tuples in partial GiST, SP-GiST, and Bloom indexes
Several fixes for logical decoding and replication
Fix misquoting of values for list-valued GUC variables (e.g. local_preload_libraries, session_preload_libraries, shared_preload_libraries, temp_tablespaces) in dumps
Several fixes for pg_stat_activity
Several fixes for ecpg
Fix for pg_recvlogical to ensure compatibility with PostgreSQL versions released before 10
Several fixes for pg_rewind
This update also contains tzdata release 2018d, with updates for Palestine and Antarctica (Casey Station), plus historical corrections for Portugal and its colonies, as well as Enderbury, Jamaica, Turks & Caicos Islands, and Uruguay.

New in PostgreSQL 10.3 (Mar 1, 2018)

New in PostgreSQL 10.2 (Feb 8, 2018)

Fix crash and potential disclosure of backend memory when processing partition keys containing multiple expressions
Fix potential disclosure of temporary files containing database passwords created by pg_upgrade by not allowing these files to be world-accessible
Fix cases where VACUUM would not remove dead rows if they were updated while "key-share" locked, leading to potential data corruption
Fix for GIN indexes to prevent bloat by ensuring the pending-insertions list is cleaned up by VACUUM
Fix potential index corruption with hash indexes due to failure to mark metapages as dirty
Fix several potential crash scenarios for parallel queries, including when a bitmap heap scan cannot allocate memory
Fix several potential hang-ups in parallel queries, including when a parallel worker fails to start
Fix collection of EXPLAIN statistics from parallel workers
Prevent fake deadlock failures when multiple sessions are running CREATE INDEX CONCURRENTLY
Fix for trigger behavior when using logical replication
Several fixes for "walsender" functionality to improve stability as well as visibility into the replication process
Fix logical decoding to correctly clean up disk files for crashed transactions
Several fixes for identity columns, including disallowing identity columns on tables derived from composite types and partitions
Fix handling of list partitioning constraints for partition keys of boolean and array types
Fix incorrectly generated plans for UPDATE and DELETE queries when a table has a mix of inherited regular and foreign child tables
Fix incorrect query results from cases involving GROUPING SETS when used with flattened subqueries
Fix UNION/INTERSECT/EXCEPT over zero columns, e.g. "SELECT UNION SELECT;"
Several fixes for subqueries within a LATERAL subquery
Several improvements for query planning estimation
Allow a client that supports SCRAM channel binding, such as a future version of PostgreSQL or libpq, to connect to a PostgreSQL 10 server
Fix sample INSTR() functions used to help transition from Oracle(r) PL/SQL to PostgreSQL PL/pgSQL to correctly match Oracle functional behavior
Fix pg_dump to make permissions (ACL), security label, and comment entries reliably identifiable in archive outputs
Modify behavior for contrib/cube's "cube ~> int" operator to make it compatible with KNN search. This is a backwards incompatible change and any expression indexes or materialized views using this operator will need to be reindexed and refreshed, respectively.
Several fixes in contrib/postgres_fdw to prevent query planner errors
Added modern examples of auto-start scripts for PostgreSQL on macOS in the contrib/start-scripts/macos directory
Several fixes for Windows, including postmaster startup and compatibility with libperl
Spinlock fixes and support for Motorola 68K and 88K architectures

New in PostgreSQL 10.1 (Nov 9, 2017)

Ensure that INSERT ..ON CONFLICT DO UPDATE checks table permissions and RLS policies in all cases (Dean Rasheed)
The update path of INSERT ..ON CONFLICT DO UPDATE requires SELECT permission on the columns of the arbiter index, but it failed to check for that in the case of an arbiter specified by constraint nameIn addition, for a table with row level security enabled, it failed to check updated rows against the table's SELECT policies (regardless of how the arbiter index was specified)(CVE-2017-15099)
Fix crash due to rowtype mismatch in json{b}_populate_recordset() (Michael Paquier, Tom Lane)
These functions used the result rowtype specified in the FROM ..AS clause without checking that it matched the actual rowtype of the supplied tuple valueIf it didn't, that would usually result in a crash, though disclosure of server memory contents seems possible as well(CVE-2017-15098)
Fix sample server-start scripts to become $PGUSER before opening $PGLOG (Noah Misch)
Previously, the postmaster log file was opened while still running as rootThe database owner could therefore mount an attack against another system user by making $PGLOG be a symbolic link to some other file, which would then become corrupted by appending log messages.
By default, these scripts are not installed anywhereUsers who have made use of them will need to manually recopy them, or apply the same changes to their modified versionsIf the existing $PGLOG file is root-owned, it will need to be removed or renamed out of the way before restarting the server with the corrected script(CVE-2017-12172)
Fix BRIN index summarization to handle concurrent table extension correctly (Álvaro Herrera)
Previously, a race condition allowed some table rows to be omitted from the indexIt may be necessary to reindex existing BRIN indexes to recover from past occurrences of this problem.
Fix possible failures during concurrent updates of a BRIN index (Tom Lane)
These race conditions could result in errors like “invalid index offnum” or “inconsistent range map”.
Prevent logical replication from setting non-replicated columns to nulls when replicating an UPDATE (Petr Jelinek)
Fix logical replication to fire BEFORE ROW DELETE triggers when expected (Masahiko Sawada)
Previously, that failed to happen unless the table also had a BEFORE ROW UPDATE trigger.
Fix crash when logical decoding is invoked from a SPI-using function, in particular any function written in a PL language (Tom Lane)
Ignore CTEs when looking up the target table for INSERT/UPDATE/DELETE, and prevent matching schema-qualified target table names to trigger transition table names (Thomas Munro)
This restores the pre-v10 behavior for CTEs attached to DML commands.
Avoid evaluating an aggregate function's argument expression(s) at rows where its FILTER test fails (Tom Lane)
This restores the pre-v10 (and SQL-standard) behavior.
Fix incorrect query results when multiple GROUPING SETS columns contain the same simple variable (Tom Lane)
Fix query-lifespan memory leakage while evaluating a set-returning function in a SELECT's target list (Tom Lane)
Allow parallel execution of prepared statements with generic plans (Amit Kapila, Kuntal Ghosh)
Fix incorrect parallelization decisions for nested queries (Amit Kapila, Kuntal Ghosh)
Fix parallel query handling to not fail when a recently-used role is dropped (Amit Kapila)
Fix crash in parallel execution of a bitmap scan having a BitmapAnd plan node below a BitmapOr node (Dilip Kumar)
Fix json_build_array(), json_build_object(), and their jsonb equivalents to handle explicit VARIADIC arguments correctly (Michael Paquier)
Fix autovacuum's “work item” logic to prevent possible crashes and silent loss of work items (Álvaro Herrera)
Fix corner-case crashes when columns have been added to the end of a view (Tom Lane)
Record proper dependencies when a view or rule contains FieldSelect or FieldStore expression nodes (Tom Lane)
Lack of these dependencies could allow a column or data type DROP to go through when it ought to fail, thereby causing later uses of the view or rule to get errorsThis patch does not do anything to protect existing views/rules, only ones created in the future.
Correctly detect hashability of range data types (Tom Lane)
The planner mistakenly assumed that any range type could be hashed for use in hash joins or hash aggregation, but actually it must check whether the range's subtype has hash supportThis does not affect any of the built-in range types, since they're all hashable anyway.
Correctly ignore RelabelType expression nodes when examining functional-dependency statistics (David Rowley)
This allows, e.g., extended statistics on varchar columns to be used properly.
Prevent sharing transition states between ordered-set aggregates (David Rowley)
This causes a crash with the built-in ordered-set aggregates, and probably with user-written ones as wellv11 and later will include provisions for dealing with such cases safely, but in released branches, just disable the optimization.
Prevent idle_in_transaction_session_timeout from being ignored when a statement_timeout occurred earlier (Lukas Fittl)
Fix low-probability loss of NOTIFY messages due to XID wraparound (Marko Tiikkaja, Tom Lane)
If a session executed no queries, but merely listened for notifications, for more than 2 billion transactions, it started to miss some notifications from concurrently-committing transactions.
Reduce the frequency of data flush requests during bulk file copies to avoid performance problems on macOS, particularly with its new APFS file system (Tom Lane)
Allow COPY's FREEZE option to work when the transaction isolation level is REPEATABLE READ or higher (Noah Misch)
This case was unintentionally broken by a previous bug fix.
Fix AggGetAggref() to return the correct Aggref nodes to aggregate final functions whose transition calculations have been merged (Tom Lane)
Fix insufficient schema-qualification in some new queries in pg_dump and psql (Vitaly Burovoy, Tom Lane, Noah Misch)
Avoid use of @> operator in psql's queries for d (Tom Lane)
This prevents problems when the parray_gin extension is installed, since that defines a conflicting operator.
Fix pg_basebackup's matching of tablespace paths to canonicalize both paths before comparing (Michael Paquier)
This is particularly helpful on Windows.
Fix libpq to not require user's home directory to exist (Tom Lane)
In v10, failure to find the home directory while trying to read ~/.pgpass was treated as a hard error, but it should just cause that file to not be foundBoth v10 and previous release branches made the same mistake when reading ~/.pg_service.conf, though this was less obvious since that file is not sought unless a service name is specified.
In ecpglib, correctly handle backslashes in string literals depending on whether standard_conforming_strings is set (Tsunakawa Takayuki)
Make ecpglib's Informix-compatibility mode ignore fractional digits in integer input strings, as expected (Gao Zengqi, Michael Meskes)
Fix missing temp-install prerequisites for check-like Make targets (Noah Misch)
Some non-default test procedures that are meant to work like make check failed to ensure that the temporary installation was up to date.
Update time zone data files to tzdata release 2017c for DST law changes in Fiji, Namibia, Northern Cyprus, Sudan, Tonga, and Turks & Caicos Islands, plus historical corrections for Alaska, Apia, Burma, Calcutta, Detroit, Ireland, Namibia, and Pago Pago.
In the documentation, restore HTML anchors to being upper-case strings (Peter Eisentraut)
Due to a toolchain change, the 10.0 user manual had lower-case strings for intrapage anchors, thus breaking some external links into our website documentationReturn to our previous convention of using upper-case strings

New in PostgreSQL 10.0 (Oct 5, 2017)

Logical Replication - A publish/subscribe framework for distributing data:
Logical replication extends the current replication features of PostgreSQL with the ability to send modifications on a per-database and per-table level to different PostgreSQL databases. Users can now fine-tune the data replicated to various database clusters and will have the ability to perform zero-downtime upgrades to future major PostgreSQL versions.
Declarative Table Partitioning - Convenience in dividing your data:
Table partitioning has existed for years in PostgreSQL but required a user to maintain a nontrivial set of rules and triggers for the partitioning to work. PostgreSQL 10 introduces a table partitioning syntax that lets users easily create and maintain range and list partitioned tables. The addition of the partitioning syntax is the first step in a series of planned features to provide a robust partitioning framework within PostgreSQL.
Improved Query Parallelism - Quickly conquer your analysis:
PostgreSQL 10 provides better support for parallelized queries by allowing more parts of the query execution process to be parallelized. Improvements include additional types of data scans that are parallelized as well as optimizations when the data is recombined, such as pre-sorting. These enhancements allow results to be returned more quickly.
Quorum Commit for Synchronous Replication - Distribute data with confidence:
PostgreSQL 10 introduces quorum commit for synchronous replication, which allows for flexibility in how a primary database receives acknowledgement that changes were successfully written to remote replicas. An administrator can now specify that if any number of replicas has acknowledged that a change to the database has been made, then the data can be considered safely written.
SCRAM-SHA-256 authentication - Secure your data access:
The Salted Challenge Response Authentication Mechanism (SCRAM) defined in RFC5802 defines a protocol to improve upon the secure storage and transmission of passwords by providing a framework for strong password negotiation. PostgreSQL 10 introduces the SCRAM-SHA-256 authentication method, defined in RFC7677, to provide better security than the existing MD5-based password authentication method.

New in PostgreSQL 10.0 RC 1 (Sep 21, 2017)

New in PostgreSQL 10.0 Beta 4 (Sep 1, 2017)

New in PostgreSQL 9.6.5 (Sep 1, 2017)

New in PostgreSQL 10.0 Beta 3 (Aug 11, 2017)

New in PostgreSQL 9.6.4 (Aug 11, 2017)

Three security vulnerabilities have been closed by this release:
CVE-2017-7546: Empty password accepted in some authentication methods
CVE-2017-7547: The "pg_user_mappings" catalog view discloses passwords to users lacking server privileges
CVE-2017-7548: lo_put() function ignores ACLs
Bug Fixes and Improvements:
This update also fixes a number of bugs reported in the last few months. Some of these issues affect only version 9.6, but many affect all supported versions:
pg_upgrade: corrected the documentation about the process for upgrading standby servers to ensure the primary and standbys synchronized safely. Also includes a fix to ensure the last WAL record does not have "wal_level = minimum" which would prevent standbys from connecting upon restart
Fix for issue with a concurrent locking race condition that could cause some of the updates to fail
Several fixes for low probability data corruption scenarios
Fix to prevent crash when sorting more than one billion tuples in-memory
Fix on Windows to retry creating a process if shared memory addresses could not be allocated, typically caused from antivirus software interference
Fix in libpq to ensure that failed connection attempts using GSS/SASL and SSPI authentication are reset properly
Fixes for SSL connection handling and logging
Fix to allow window functions to be used in sub-SELECT statements that are within the arguments of an aggregate function
Allow parallelism in the query plan when COPY when copying from a query
Several fixes to ALTER TABLE
Fix to ensure that ALTER USER ... SET and ALTER ROLE ... SET accepts the same syntax variants
Fixes for the statistics collector, ensuring statistics requests made just after a postmaster shutdown request will be written to disk
Fix possible creation of an invalid WAL segment during standby promotion
Several walsender / walreceiver fixes, particularly around signal handling and shutdowns / restarts
Several logic decoding fixes, including removing leakage of small subtransactions to disk
Allow a CHECK constraints to be initially NOT VALID when executing CREATE FOREIGN TABLE
Fixes to postgres_fdw for applying changes promptly after ALTER SERVER / ALTER USER MAPPING commands and improving ability to escape from an unresponsive server
Several fixes for pg_dump and pg_restore, including a fix for pg_dump output to stdout on Windows
Fix pg_basebackup output to stdout on Windows, similar to the fix for pg_dump
Fix pg_rewind to correctly handle files exceeding 2GB, though files of such size should rarely appear in a data directory
Several fixes for building PostgreSQL with Microsoft Visual C (MSVC), primarily around sourcing libraries

New in PostgreSQL 9.6.3 (May 11, 2017)

Restrict visibility of pg_user_mappings.umoptions, to protect passwords stored as user mapping options
Prevent exposure of statistical information via leaky operators
Restore libpq's recognition of the PGREQUIRESSL environment variable
Fix possibly-invalid initial snapshot during logical decoding
Fix possible corruption of "init forks" of unlogged indexes
Fix incorrect reconstruction of pg_subtrans entries when a standby server replays a prepared but uncommitted two-phase transaction
Avoid possible crash in walsender due to failure to initialize a string buffer
Fix possible crash when rescanning a nearest-neighbor index-only scan on a GiST index
Prevent delays in postmaster's launching of multiple parallel worker processes
Fix postmaster's handling of fork() failure for a background worker process
Fix possible "no relation entry for relid 0" error when planning nested set operations
Fix assorted minor issues in planning of parallel queries
Avoid applying "physical targetlist" optimization to custom scans
Use the correct sub-expression when applying a FOR ALL row-level-security policy
Ensure parsing of queries in extension scripts sees the results of immediately-preceding DDL
Skip tablespace privilege checks when ALTER TABLE ... ALTER COLUMN TYPE rebuilds an existing index
Fix ALTER TABLE ... VALIDATE CONSTRAINT to not recurse to child tables when the constraint is marked NO INHERIT
Avoid dangling pointer in COPY ... TO when row-level security is active for the source table
Avoid accessing an already-closed relcache entry in CLUSTER and VACUUM FULL
Fix VACUUM to account properly for pages that could not be scanned due to conflicting page pins
Ensure that bulk-tuple-transfer loops within a hash join are interruptible by query cancel requests
Fix incorrect support for certain box operators in SP-GiST
Fix integer-overflow problems in interval comparison
Fix cursor_to_xml() to produce valid output with tableforest = false
Fix roundoff problems in float8_timestamptz() and make_interval()
These functions truncated, rather than rounded, when converting a floating-point value to integer microseconds; that could cause unexpectedly off-by-one results.
Fix pg_get_object_address() to handle members of operator families correctly
Fix cancelling of pg_stop_backup() when attempting to stop a non-exclusive backup
If pg_stop_backup() was cancelled while waiting for a non-exclusive backup to end, related state was left inconsistent; a new exclusive backup could not be started, and there were other minor problems.
Improve performance of pg_timezone_names view
Reduce memory management overhead for contexts containing many large blocks
Fix sloppy handling of corner-case errors from lseek() and close()
Neither of these system calls are likely to fail in typical situations, but if they did, fd.c could get quite confused.
Fix incorrect check for whether postmaster is running as a Windows service
This could result in attempting to write to the event log when that isn't accessible, so that no logging happens at all.
Fix ecpg to support COMMIT PREPARED and ROLLBACK PREPARED
Fix a double-free error when processing dollar-quoted string literals in ecpg
Fix pgbench to handle the combination of --connect and --rate options correctly
Fix pgbench to honor the long-form option spelling --builtin, as per its documentation
Fix pg_dump/pg_restore to correctly handle privileges for the public schema when using --clean option
Other schemas start out with no privileges granted, but public does not; this requires special-case treatment when it is dropped and restored due to the --clean option.
In pg_dump, fix incorrect schema and owner marking for comments and security labels of some types of database objects
In simple cases this caused no ill effects; but for example, a schema-selective restore might omit comments it should include, because they were not marked as belonging to the schema of their associated object.
Fix typo in pg_dump's query for initial privileges of a procedural language
This resulted in pg_dump always believing that the language had no initial privileges. Since that's true for most procedural languages, ill effects from this bug are probably rare.
Avoid emitting an invalid list file in pg_restore -l when SQL object names contain newlines
Replace newlines by spaces, which is sufficient to make the output valid for pg_restore -L's purposes.
Fix pg_upgrade to transfer comments and security labels attached to "large objects" (blobs)
Previously, blobs were correctly transferred to the new database, but any comments or security labels attached to them were lost.
Improve error handling in contrib/adminpack's pg_file_write() function
Notably, it failed to detect errors reported by fclose().
In contrib/dblink, avoid leaking the previous unnamed connection when establishing a new unnamed connection
Fix contrib/pg_trgm's extraction of trigrams from regular expressions
In some cases it would produce a broken data structure that could never match anything, leading to GIN or GiST indexscans that use a trigram index not finding any matches to the regular expression.
In contrib/postgres_fdw, allow join conditions that contain shippable extension-provided functions to be pushed to the remote server
Support Tcl 8.6 in MSVC builds
Sync our copy of the timezone library with IANA release tzcode2017b
This fixes a bug affecting some DST transitions in January 2038.
Update time zone data files to tzdata release 2017b for DST law changes in Chile, Haiti, and Mongolia, plus historical corrections for Ecuador, Kazakhstan, Liberia, and Spain. Switch to numeric abbreviations for numerous time zones in South America, the Pacific and Indian oceans, and some Asian and Middle Eastern countries.
The IANA time zone database previously provided textual abbreviations for all time zones, sometimes making up abbreviations that have little or no currency among the local population. They are in process of reversing that policy in favor of using numeric UTC offsets in zones where there is no evidence of real-world use of an English abbreviation. At least for the time being, PostgreSQL will continue to accept such removed abbreviations for timestamp input. But they will not be shown in the pg_timezone_names view nor used for output.
Use correct daylight-savings rules for POSIX-style time zone names in MSVC builds
The Microsoft MSVC build scripts neglected to install the posixrules file in the timezone directory tree. This resulted in the timezone code falling back to its built-in rule about what DST behavior to assume for a POSIX-style time zone name. For historical reasons that still corresponds to the DST rules the USA was using before 2007 (i.e., change on first Sunday in April and last Sunday in October). With this fix, a POSIX-style zone name will use the current and historical DST transition dates of the US/Eastern zone. If you don't want that, remove the posixrules file, or replace it with a copy of some other zone file (see Section 8.5.3). Note that due to caching, you may need to restart the server to get such changes to take effect.

New in PostgreSQL 9.6.2 (Feb 13, 2017)

Build corruption with CREATE INDEX CONCURRENTLY:
There existed a race condition if CREATE INDEX CONCURRENTLY was called on a column that had not been indexed before, then rows that were updated by transactions running at the same time as the CREATE INDEX CONCURRENTLY command could have been indexed incorrectly.
If you suspect this may have happened, the most reliable solution is to rebuild affected indexes after installing this update.
This issue is present in the 9.2, 9.3, 9.4, 9.5, and 9.6 series of PostgreSQL.
Fixes for visibility and write-ahead-log stability
These release contains several fixes to improve the stability of visible data and WAL logging that we wish to highlight here.
Prior to this release, data could be prematurely pruned by a vacuum operation when a special snapshot used for catalog scans was presently available. Specifically, the vacuum operation would not be aware of the oldest xmin for this special snapshot. The error would surface with a message such as:
"cache lookup failed for relation 1255"
This release ensures that vacuum operations will account for the catalog scan snapshots.
BUG FIXES AND IMPROVEMENTS:
This update also fixes a number of bugs reported in the last few months. Some of these issues affect only the 9.6 series, but many affect all supported versions.
There are more than 75 fixes provided in this release, including:
Several fixes for operating in hot standby mode
Disallow setting the num_sync field to zero in synchronous_standby_names
Don't count background worker processes against a user's connection limit
Fix check for when an extension member object can be dropped
Fix tracking of initial privileges for extension member objects so that it works correctly with ALTER EXTENSION ... ADD/DROP
Several vacuum and autovacuum fixes
Fix CREATE OR REPLACE VIEW to update the view query before attempting to apply the new view options
Make sure ALTER TABLE preserves index tablespace assignments when rebuilding indexes
Several fixes to the query planner, including fixes for foreign tables and CTEs
Several fixes around the full-text search feature to improve accuracy and performance of the search
Several fixes and performance improvements in several array functions
Several fixes around the interaction of foreign-key constraints with trigger functions around specific ALTER TABLE operations
Remove optimizations for date/time data types that returned incorrect data
Fix incorrect use of view reloptions as regular table reloptions
Fix incorrect "target lists can have at most N entries" complaint when using ON CONFLICT with wide tables
Fix spurious "query provides a value for a dropped column" errors during INSERT or UPDATE on a table with a dropped column
Prevent multicolumn expansion of foo.* in an UPDATE source expression
Ensure that column typmods are determined accurately for multi-row VALUES constructs
Several fixes for the psql command-line tool
Prevent multiple calls of pg_start_backup() and pg_stop_backup() from running concurrently
Several fixes for pg_dump, pg_restore, and pg_basebackup, including a possible pg_basebackup failure on standby server when including WAL files
Several fixes for parallel workers and plans for parallel queries including fixing a crash if the number of workers available to a parallel query decreases during a rescan
Several fixes to PL/pgSQL, PL/Python, and PL/Tcl
Several fixes for contrib modules
Allow DOS-style line endings in ~/.pgpass files, even on Unix
Update time zone data files to tzdata release 2016j for DST law changes in northern Cyprus (adding a new zone Asia/Famagusta), Russia (adding a new zone Europe/Saratov), Tonga, and Antarctica/Casey. Historical corrections for Italy, Kazakhstan, Malta, and Palestine. Switch to preferring numeric zone abbreviations for Tonga.
Updating
All PostgreSQL update releases are cumulative. As with other minor releases, users are not required to dump and reload their database or use pg_upgrade in order to apply this update release; you may simply shut down PostgreSQL and update its binaries.
If you believe you have been affected by the aforementioned CREATE INDEX CONCURRENTLY bug, you will have to rebuild the index. Here is an example of how to rebuild an index in a production system without losing the ability to utilize the index:
CREATE INDEX CONCURRENTLY new_index_name ON table_name (column_name);
DROP INDEX CONCURRENTLY old_index_name;
ALTER INDEX new_index_name RENAME TO old_index_name;

New in PostgreSQL 9.6.0 (Sep 30, 2016)

This release will allow users to both scale up and scale out high performance database workloads. New features include parallel query, synchronous replication improvements, phrase search, and improvements to performance and usability, as well as many more features.
Scale Up with Parallel Query:
Version 9.6 adds support for parallelizing some query operations, enabling utilization of several or all of the cores on a server to return query results faster. This release includes parallel sequential (table) scan, aggregation, and joins. Depending on details and available cores, parallelism can speed up big data queries by as much as 32 times faster.
"I migrated our entire genomics data platform - all 25 billion legacy MySQL rows of it - to a single Postgres database, leveraging the row compression abilities of the JSONB datatype, and the excellent GIN, BRIN, and B-tree indexing modes. Now with version 9.6, I expect to harness the parallel query functionality to allow even greater scalability for queries against our rather large tables," said Mike Sofen, Chief Database Architect, Synthetic Genomics.
Scale Out with Synchronous Replication and postgres_fdw:
Two new options have been added to PostgreSQL's synchronous replication feature which allow it to be used to maintain consistent reads across database clusters. First, it now allows configuring groups of synchronous replicas. Second, the "remote_apply" mode creates a more consistent view of data across multiple nodes. These features support using built-in replication to maintain a set of "identical" nodes for load-balancing read workloads.
The PostgreSQL-to-PostgreSQL data federation driver, postgres_fdw, has new capabilities to execute work on remote servers. By "pushing down" sorts, joins, and batch data updates, users can distribute workload across multiple PostgreSQL servers. These features should soon be added to other FDW drivers.
"With the capabilities of remote JOIN, UPDATE and DELETE, Foreign Data Wrappers are now a complete solution for sharing data between other databases and PostgreSQL. For example, PostgreSQL can be used to handle data input going to two or more different kinds of databases," said Julyanto Sutandang, Director of Business Solutions at Equnix.
Better Text Search with Phrases:
PostgreSQL's full text search feature now supports "phrase search." This lets users search for exact phrases, or for words within a specified proximity to each other, using fast GIN indexes. Combined with new features for fine-tuning text search options, PostgreSQL is the superior option for "hybrid search" which puts together relational, JSON, and full text searching.
Smoother, Faster, and Easier to Use:
Thanks to feedback and testing by PostgreSQL users with high-volume production databases, the project has been able to improve many aspects of performance and usability in this release. Replication, aggregation, indexing, sorting, and stored procedures have all been made more efficient, and PostgreSQL now makes better use of resources with recent Linux kernels. Administration overhead for large tables and complex workloads was also reduced, especially through improvements to VACUUM.
Other Features:
New system views and functions: pg_stat_wal_receiver, pg_visibility, pg_config, pg_blocking_pids, pg_notification_queue_usage
Command progress reporting support
Cascade support for installing extensions
pg_basebackup concurrency and replication slot support
Wait Event support
View editing and crosstabs in psql
User-defined expiration for old snapshots
Index-only scans for partial indexes

New in PostgreSQL 9.6.0 RC 1 (Sep 5, 2016)

New in PostgreSQL 9.6.0 Beta 4 (Aug 11, 2016)

New in PostgreSQL 9.5.4 (Aug 11, 2016)

Two security holes have been closed by this release:
CVE-2016-5423: certain nested CASE expressions can cause the server to crash.
CVE-2016-5424: database and role names with embedded special characters can allow code injection during administrative operations like pg_dumpall. The fix for the second issue also adds an option, -reuse-previous, to psql's connect command. pg_dumpall will also refuse to handle database and role names containing line breaks after the update. For more information on these issues and how they affect backwards-compatibility, see the Release Notes.
Bug Fixes and Improvements:
This update also fixes a number of bugs reported in the last few months. Some of these issues affect only version 9.5, but many affect all supported versions
Fix misbehaviors of IS NULL/IS NOT NULL with composite values
Fix three areas where INSERT ... ON CONFLICT failed to work properly with other SQL features
Make INET and CIDR data types properly reject bad IPv6 values
Prevent crash in "point ## lseg" operator for NaN input
Avoid possible crash in pg_get_expr()
Fix several one-byte buffer over-reads in to_number()
Don't needlessly plan query if WITH NO DATA is specified
Avoid crash-unsafe state in expensive heap_update() paths
Fix hint bit update during WAL replay of row locking operations
Avoid unnecessary "could not serialize access" with FOR KEY SHARE
Avoid crash in postgres -C when the specified variable is a null string
Fix two issues with logical decoding and subtransactions
Ensure that backends see up-to-date statistics for shared catalogs
Prevent possible failure when vacuuming multixact IDs in an upgraded database
When a manual ANALYZE specifies columns, don't reset changes_since_analyze
Fix ANALYZE's overestimation of n_distinct for columns with nulls
Fix bug in b-tree mark/restore processing
Fix building of large (bigger than shared_buffers) hash indexes
Prevent infinite loop in GiST index build with NaN values
Fix possible crash during a nearest-neighbor indexscan
Fix "PANIC: failed to add BRIN tuple" error
Prevent possible crash during background worker shutdown
Many fixes for issues in parallel pg_dump and pg_restore
Make pg_basebackup accept -Z 0 as no compression
Make regression tests safe for Danish and Welsh locales
The libpq client library has also been updated to support future two-part PostgreSQL version numbers. This update also contains tzdata release 2016f, with updates for Kemerovo, Novosibirsk, Azerbaijan, Belarus, and Morocco

New in PostgreSQL 9.6.0 Beta 1 (May 17, 2016)

Major enhancements in PostgreSQL 9.6 include:
Parallel sequential scans, joins and aggregates
Elimination of repetitive scanning of old data by autovacuum
Synchronous replication now allows multiple standby servers for increased reliability
Full-text search for phrases
Support for remote joins, sorts, and updates in postgres_fdw
Substantial performance improvements, especially in the area of improving scalability on many-CPU servers
Migration to Version 9.6:
A dump/restore using pg_dumpall, or use of pg_upgrade, is required for those wishing to migrate data from any previous release.
Version 9.6 contains a number of changes that may affect compatibility with previous releases. Observe the following incompatibilities:
To be filled in, but issues are called out in relevant sections below
CHANGES:
Below you will find a detailed account of the changes between PostgreSQL 9.6 and the previous major release.
Server:
Parallel Queries:
Parallel queries (Robert Haas, Amit Kapila, David Rowley, many others)
With 9.6, PostgreSQL introduces initial support for parallel execution of large queries. Only strictly read-only queries where the driving table is accessed via a sequential scan can be parallelized. Hash joins and nested loops can be performed in parallel, as can aggregation (for supported aggregates). Much remains to be done, but this is already a useful set of features.
Use of parallel query execution can be controlled through the new configuration parameters max_parallel_degree, force_parallel_mode, parallel_setup_cost, and parallel_tuple_cost.
Provide infrastructure for marking functions as parallel-safe or not (Robert Haas, Amit Kapila)
Indexes:
Allow GIN index builds to make effective use of maintenance_work_mem settings larger than 1GB (Robert Abraham, Teodor Sigaev)
Add pages deleted from a GIN index's pending list to the free space map immediately, to reduce bloat if the table isn't vacuumed often (Jeff Janes, Teodor Sigaev)
Add gin_clean_pending_list() function to allow manual invocation of pending-list cleanup for a GIN index, separately from vacuuming or analyzing the parent table (Jeff Janes)
Improve handling of dead index tuples in GiST indexes (Anastasia Lubennikova)
Dead index tuples are now marked as such when an index scan notices that the corresponding heap tuple is dead; and when inserting tuples, marked-dead tuples will be removed if needed to make space on the page.
Add an SP-GiST operator class for type box (Alexander Lebedev)
General Performance:
Avoid re-vacuuming pages containing only frozen tuples (Masahiko Sawada, Robert Haas)
Formerly, an anti-wraparound vacuum had to visit every page of a table whether or not there was anything to do there. Now, pages containing only already-frozen tuples are identified in the table's visibility map, and can be skipped by vacuum even when it's doing transaction wraparound prevention. This should greatly reduce the cost of maintaining large tables containing mostly-unchanging data.
Avoid useless heap-truncation attempts during VACUUM (Jeff Janes, Tom Lane)
This change avoids taking an exclusive table lock in some cases where no truncation is really possible. The main benefit comes from avoiding unnecessary query cancellations on standby servers.
Reduce interlocking on standby servers during replay of btree index vacuuming operations (Simon Riggs)
This change avoids substantial replication delays that sometimes occurred while replaying such operations.
Drop entries from GROUP BY if they are functionally dependent on other entries (David Rowley)
If a GROUP BY clause includes all columns of a non-deferred primary key, as well as other columns of the same relation, those other columns are redundant and can be dropped from the grouping. This saves computation in many common cases.
When appropriate, postpone evaluation of SELECT output expressions till after ORDER BY sorting (Konstantin Knizhnik)
This change ensures that volatile or expensive functions in the output list are executed in the order suggested by ORDER BY, and that they are not evaluated more times than required when there's a LIMIT. Previously, these properties held if the ordering was performed by an indexscan or pre-mergejoin sort, but not if it was performed by a top-level sort step.
Where feasible, trigger kernel writeback after a configurable number of writes, to prevent accumulation of dirty data in kernel disk buffers (Fabien Coelho, Andres Freund)
PostgreSQL writes data to the kernel's disk cache, from where it should be flushed to physical storage in due time. Many operating systems are not very smart about managing this, and will allow large amounts of dirty data to accumulate then decide to flush it all at once, leading to long delays for new I/O requests. This change attempts to alleviate this problem by explicitly requesting data flushes after a configurable interval.
On Linux, sync_file_range() is used for this purpose, and the feature is on by default because that function has few downsides. The feature is also available on other platforms that have msync() or posix_fadvise(), but those interfaces have some undesirable side-effects so the feature is not enabled by default on other platforms.
The new configuration parameters backend_flush_after, bgwriter_flush_after, checkpoint_flush_after, and wal_writer_flush_after control this behavior.
Perform checkpoint writes in sorted order (Fabien Coelho, Andres Freund)
Previously, checkpoints wrote out dirty pages in whatever order they happen to appear in within shared buffers, which usually is nearly random. That performs poorly, especially on rotating media. This change causes checkpoint-driven writes to be done in order by file and block number, and to be balanced across tablespaces.
Allow old MVCC snapshots to be invalidated after a configurable timeout (Kevin Grittner)
Normally, deleted tuples cannot be physically removed by vacuuming until the last transaction that could "see" them is gone. A transaction that stays open for a long time can thus cause considerable table bloat because space cannot be recycled. This feature allows setting a time-based limit, via the new configuration parameter old_snapshot_threshold, on how long an MVCC snapshot is guaranteed valid. After that, dead tuples are candidates for removal. A transaction using an outdated snapshot will get an error, but only if it attempts to read a page that's been modified recently enough that it might have contained such data.
Allow using an index-only scan with a partial index when the index's predicate involves column(s) not stored in the index (Tomas Vondra, Kyotaro Horiguchi)
An index-only scan is now allowed if the query mentions such columns only in WHERE clauses that match the index predicate.
Use foreign key relationships to infer selectivity for multi-column join predicates (Tomas Vondra, David Rowley)
If a table t has a multi-column foreign key restriction, say (a,b) REFERENCES r (x,y), then a WHERE condition such as t.a = r.x AND t.b = r.y cannot select more than one r row per t row. The planner formerly considered the AND'ed conditions to be independent and would often drastically misestimate the selectivity as a result. Now it compares the WHERE conditions to applicable foreign key constraints and arrives at a better estimate.
Improve aggregate-function performance by sharing calculations across multiple aggregates if they have the same arguments and transition functions (David Rowley)
Speed up visibility tests for recently-created tuples by checking our transaction snapshot, not pg_clog, to decide if the source transaction should be considered committed (Jeff Janes, Tom Lane)
Allow tuple hint bits to be set sooner than before (Andres Freund)
Improve performance of short-lived prepared transactions (Stas Kelvich, Simon Riggs, Pavan Deolasee)
Two-phase commit information is now written only to WAL during PREPARE TRANSACTION, and read back from there during COMMIT PREPARED. A separate state file is created only if the pending transaction does not get committed or aborted by the time of the next checkpoint.
Improve performance of memory context destruction (Jan Wieck)
Improve performance of ResourceOwners with many tracked objects (Aleksander Alekseev)
Improve speed of the output functions for timestamps, times, and dates (David Rowley, Andres Freund)
Avoid some unnecessary cancellations of hot-standby queries during replay of actions that take AccessExclusiveLocks (Jeff Janes)
Improve ANALYZE's estimates for columns with many nulls (Tomas Vondra, Alex Shulgin)
Previously the code tended to underestimate the number of non-null distinct values in a column with many nulls, and it also might make poor decisions about what is a most-common value.
Improve planner's estimate of the number of distinct values in a query result (Tomas Vondra)
Extend relations multiple blocks at a time, when there is contention for the relation's extension lock (Dilip Kumar)
This improves scalability by decreasing contention.
Improve sorting performance by using quicksort, not replacement selection, within steps of an external sort (Peter Geoghegan)
The new approach makes better use of CPU cache for typical cache sizes and data volumes. Where necessary, the behavior can be adjusted via the new configuration parameter replacement_sort_tuples, which see for further details.
Speed up text sorts where the same strings occur multiple times (Peter Geoghegan)
Speed up sorting of uuid, bytea, and char(n) fields by using "abbreviated" keys (Peter Geoghegan)
Support for abbreviated keys has also been added to the non-default operator classes text_pattern_ops, varchar_pattern_ops, and bpchar_pattern_ops. Processing of ordered-set aggregates can also now exploit abbreviated keys.
Speed up CREATE INDEX CONCURRENTLY by treating TIDs as 64-bit integers during the sort phase (Peter Geoghegan)
Increase the number of clog buffers for better scalability (Amit Kapila, Andres Freund)
Reduce contention for the ProcArrayLock (Amit Kapila, Robert Haas)
Improve performance by moving buffer content locks into the buffer descriptors (Andres Freund, Simon Riggs)
Replace shared-buffer header spinlocks with atomic operations to improve scalability (Alexander Korotkov, Andres Freund)
Use atomic operations, rather than a spinlock, to protect an LWLock's wait queue (Andres Freund)
Partition the freelist for shared hash tables, to reduce contention on many-CPU servers (Aleksander Alekseev)
Speed up expression evaluation in PL/pgSQL by keeping ParamListInfo entries for simple variables valid at all times (Tom Lane)
Avoid reducing the SO_SNDBUF setting below its default on recent Windows versions (Chen Huajun)
Monitoring:
Improve the pg_stat_activity view's information about what a process is waiting for (Amit Kapila, Ildus Kurbangaliev)
Historically a process has only been shown as waiting if it was waiting for a heavyweight lock. Now waits for lightweight locks and buffer pins are also shown in pg_stat_activity. Also, the type of lock being waited for is now visible. These changes replace the waiting column with wait_event_type and wait_event.
Add pg_stat_progress_vacuum system view to provide progress reporting for VACUUM operations (Amit Langote, Robert Haas, Vinayak Pokale, Rahila Syed)
Add pg_config system view (Joe Conway)
This view exposes the same information available from the pg_config utility, namely assorted compile-time configuration information for PostgreSQL.
Add a confirmed_flush_lsn column to the pg_replication_slots system view (Marko Tiikkaja)
Add pg_stat_wal_receiver system view to provide information about the state of a hot-standby server's WAL receiver process (Michael Paquier)
Add pg_blocking_pids() function to reliably identify which sessions block which others (Tom Lane)
This function returns an array of the process IDs of any sessions that are blocking the session with the given process ID. Historically users have obtained such information using a self-join on the pg_locks view; but it's unreasonably tedious to do it that way with any modicum of correctness, and the addition of parallel queries has made the approach entirely impractical, since locks might be held or awaited by child worker processes rather than the session's main process.
Add pg_control_system(), pg_control_checkpoint(), pg_control_recovery(), and pg_control_init() functions to expose fields of pg_control to SQL (Joe Conway, Michael Paquier)
Add function pg_current_xlog_flush_location() to expose the current transaction log flush location (Tomas Vondra)
Add function pg_notification_queue_usage() to report how full the NOTIFY queue is (Brendan Jurd)
Limit the verbosity of memory context statistics dumps (Tom Lane)
The memory usage dump printed to the postmaster log during an out-of-memory failure now summarizes statistics when there are a large number of memory contexts, rather than possibly printing a very large report. There's also a "grand total" summary line now.
Change display format for NextXID in pg_controldata and related places (Joe Conway, Bruce Momjian)
Display epoch-and-transaction-ID values in the format number:number. The previous format number/number was confusingly similar to that used for LSNs.
Authentication:
Create a bsd authentication method to allow use of the BSD Authentication service for PostgreSQL client authentication (Marisa Emerson)
BSD Authentication is currently only available on OpenBSD.
When using PAM authentication, provide the client IP address or host name to PAM modules via the PAM_RHOST item (Grzegorz Sampolski)
Provide detail in the postmaster log for more password authentication failures (Tom Lane)
All ordinarily-reachable password authentication failure cases should now provide specific DETAIL fields in the log.
Support RADIUS passwords up to 128 characters long (Marko Tiikkaja)
Add new SSPI authentication parameters compat_realm and upn_username, to control whether NetBIOS or Kerberos realm names and user names are used during SSPI authentication (Christian Ullrich)
Server Configuration:
Add --with-systemd configure switch to enable calling sd_notify() at server start and stop (Peter Eisentraut)
This allows the use of systemd service units of type notify, which greatly simplifies management of PostgreSQL under systemd.
Allow effective_io_concurrency to be set as a tablespace parameter, to support cases where different tablespaces have different I/O characteristics (Julien Rouhaud)
Allow sessions to be terminated automatically if they sit too long in an idle-in-transaction state (Vik Fearing)
This behavior is enabled and controlled by the new configuration parameter idle_in_transaction_session_timeout. It can be useful to prevent forgotten transactions from holding onto locks or preventing vacuum cleanup for very long periods.
Add log_line_prefix option %n to print the time as a Unix epoch, with milliseconds (Tomas Vondra, Jeff Davis)
Add syslog_sequence_numbers and syslog_split_messages configuration parameters to provide more control over message format when logging to syslog (Peter Eisentraut)
Merge the archive and hot_standby values of the wal_level configuration parameter into a single value replica (Peter Eisentraut)
Making a distinction between these settings no longer appears to be a good idea, and it's in the way of planned future simplification of replication setup. The old names are still accepted but are converted internally.
Allow the server's SSL key file to have group read access if owned by root (Christoph Berg)
Formerly we insisted on the key file being owned by the user running the PostgreSQL server, but that is inconvenient for some systems (such as Debian) that wish to manage certificates centrally. So also allow the case where the key file is owned by root and has group read access. It's up to the root admin to ensure that such a group doesn't include any untrusted users.
Reliability:
Force backends to exit if the postmaster dies (Rajeev Rastogi, Robert Haas)
Under normal circumstances the postmaster should always outlive its child processes. If for some reason it dies, cause backend sessions to exit with an error. Formerly, existing backends would continue to run until their client disconnects; but that is unsafe and inefficient, and furthermore it prevents a new postmaster from being started until the last old backend is gone. Backends will detect postmaster death when waiting for client I/O, so the exit will not be instantaneous, but in most circumstances it should happen no later than the end of the current query.
Check for serializability conflicts before reporting constraint-violation failures (Thomas Munro)
When using serializable transaction isolation, it is desirable that any error due to a concurrent transaction should manifest as a serialization failure, thereby cueing the application that a retry might succeed. Unfortunately, this doesn't reliably happen for duplicate-key failures caused by concurrent insertions. This change ensures that such an error will be reported as a serialization error, if the application explicitly checked for the presence of a conflicting key (and didn't find it) earlier in the transaction.
Ensure that invalidation messages are recorded in WAL even when issued by a transaction that has no XID assigned (Andres Freund)
This fixes some corner cases in which transactions on standby servers failed to notice changes such as new indexes.
Prevent multiple processes from trying to clean a GIN index's pending list concurrently (Teodor Sigaev, Jeff Janes)
This had been intentionally allowed, but it causes race conditions that can result in vacuum missing index entries it needs to delete.
Replication and Recovery:
Support synchronous replication with multiple synchronous standby servers, not just one (Masahiko Sawada, Beena Emerson, Michael Paquier, Fujii Masao, Kyotaro Horiguchi)
The number of standby servers that must acknowledge a commit before it's considered done is now configurable as part of the synchronous_standby_names parameter.
Add new setting remote_apply for configuration parameter synchronous_commit (Thomas Munro)
In this mode, the master waits for the transaction to be applied on the standby server, not just written to disk. That means that you can count on a transaction started on the standby to see all commits previously acknowledged by the master.
Add a feature to the replication protocol, and a corresponding option to the pg_create_physical_replication_slot() function, to allow reserving WAL immediately when creating a replication slot (Gurjeet Singh, Michael Paquier)
This allows creation of a replication slot to guarantee that all the WAL for a base backup will be available afterwards.
Add a --slot option to pg_basebackup (Peter Eisentraut)
This lets pg_basebackup use a replication slot defined for WAL streaming. After the base backup completes, selecting the same slot for regular streaming replication allows seamless startup of the new standby server.
Extend pg_start_backup() and pg_stop_backup() to support non-exclusive backups (Magnus Hagander)
Queries:
Widen tuples-processed counters to 64 bits (Andreas Scherbaum)
This change allows command tags for SELECT etc. to correctly report tuple counts larger than 4 billion. So will PL/pgSQL's GET DIAGNOSTICS ... ROW_COUNT command.
Avoid doing encoding conversions by double-conversion through MULE_INTERNAL encoding (Tom Lane)
Previously, many conversions for Cyrillic and Central European single-byte encodings were done by converting to a related MULE_INTERNAL coding scheme and then to the destination encoding. Aside from being inefficient, this meant that when the conversion encountered an untranslatable character, the error message would confusingly complain about failure to convert to or from MULE_INTERNAL, rather than the user-visible encodings.
Consider performing joins of foreign tables remotely only when the applicable user mappings match (Shigeru Hanada, Ashutosh Bapat)
Previously, the foreign join pushdown infrastructure left the question of security entirely up to individual foreign data wrappers, but it would be easy for an FDW to inadvertently open up subtle security holes that way. So, make it the core code's job to determine which user mapping OID is relevant, and don't attempt join pushdown unless it's the same for all relevant relations.
Utility Commands:
Allow COPY to copy the output of an INSERT/UPDATE/DELETE ... RETURNING query (Marko Tiikkaja)
Previously, an intermediate CTE had to be written to get this result.
Introduce ALTER object DEPENDS ON EXTENSION (Abhijit Menon-Sen)
This command allows a database object to be marked as depending on an extension, so that it will automatically go away if the extension is dropped (without needing CASCADE). But the object is not part of the extension, and thus for example will be dumped separately by pg_dump.
Make ALTER object SET SCHEMA do nothing when the object is already in the requested schema, rather than throwing an error as it historically has for most object types (Marti Raudsepp)
Add options to ALTER OPERATOR to change the selectivity functions associated with an existing operator (Yury Zhuravlev)
Add an IF NOT EXISTS option to ALTER TABLE ADD COLUMN (Fabrízio de Royes Mello)
Reduce the lock strength needed by ALTER TABLE when setting fillfactor and autovacuum-related relation options (Fabrízio de Royes Mello, Simon Riggs)
Introduce CREATE ACCESS METHOD to allow extensions to create index access methods (Alexander Korotkov, Petr Jelínek)
Add a CASCADE option to CREATE EXTENSION, to automatically create extensions it depends on (Petr Jelínek)
Remove the long-deprecated CREATEUSER/NOCREATEUSER options from CREATE ROLE and allied commands (Tom Lane)
CREATEUSER actually meant SUPERUSER, for ancient backwards-compatibility reasons. That's been a constant source of confusion for people who (reasonably) expect it to mean CREATEROLE. It's been deprecated for ten years now, so fix the problem by removing it.
Make CREATE TABLE ... LIKE include an OID column if any source table has one (Bruce Momjian)
If a CHECK constraint is declared NOT VALID in a table creation command, automatically mark it valid (Amit Langote, Amul Sul)
This matches the longstanding behavior of FOREIGN KEY constraints.
Fix DROP OPERATOR to clear pg_operator.oprcom and pg_operator.oprnegate links to the dropped operator (Roma Sokolov)
Formerly such links were left as-is, which could pose a problem in the somewhat unlikely event that the dropped operator's OID was reused for another operator.
Disallow creation of indexes on system columns, except for OID (David Rowley)
Such indexes were never considered supported, and would very possibly misbehave since the system might change the system-column fields of a tuple without updating indexes. But there was no error check to prevent them from being created.
Permissions Management:
Use the privilege system to manage access to sensitive functions (Stephen Frost)
Formerly, many security-sensitive functions contained hard-wired checks that would throw an error if they were called by a non-superuser role. This forced use of superuser roles for some relatively pedestrian tasks. The hard-wired error checks are now gone in favor of making initdb revoke the default public EXECUTE privilege on these functions. This allows installations to choose to grant usage of such functions to trusted roles that need not have full superuser privilege.
Treat role names beginning with pg_ as reserved (Stephen Frost)
User creation of such role names is now disallowed. This prevents conflicts with built-in roles created by initdb.
Create some built-in roles that can be used to grant access to what were previously superuser-only functions (Stephen Frost)
Data Types:
Allow omitting one or both boundaries in an array slice specifier, for example array_col[3:] (Yury Zhuravlev)
Omitted boundaries are taken as the upper or lower limit of the corresponding array subscript. This allows simpler specification of many common use-cases.
Be more careful about out-of-range dates and timestamps (Vitaly Burovoy)
This change prevents unexpected out-of-range errors for timestamp with time zone values very close to the implementation limits. Previously, the "same" value might be accepted or not depending on the timezone setting, meaning that a dump and reload could fail on a value that had been accepted when presented. Now the limits are enforced according to the equivalent UTC time, not local time, so as to be independent of timezone.
Also, PostgreSQL is now more careful to detect overflow in operations that compute new date or timestamp values, such as date + integer.
In the geometric data types, make sure that infinity and NaN component values are treated consistently during input and output (Tom Lane)
Such values will now always print the same way as they would in a simple float8 column, and be accepted the same way on input as well. Previously the behavior was somewhat platform-dependent.
Improve full-text search to support searching for phrases, that is, lexemes appearing adjacent to each other in a specific order, or with at most a specified distance between them (Teodor Sigaev, Oleg Bartunov, Dmitry Ivanov)
A phrase-search query can be specified in tsquery input using the new operators and . The former means that the lexemes before and after it must appear adjacent to each other in that order. The latter means they can be separated by up to N other lexemes.
Fix text search parser to allow leading digits in email and host tokens (Artur Zakirov)
In most cases this will result in few changes in the parsing of text. But if you have data where such addresses occur frequently, it may be worth rebuilding dependent tsvector columns and indexes, so that addresses of this form will be found properly by text searches.
Upgrade the ispell dictionary to handle modern Hunspell files and support more languages (Artur Zakirov)
Implement lookbehind constraints in regular expressions (Tom Lane)
A lookbehind constraint is like a lookahead constraint in that it consumes no text; but it checks for existence (or nonexistence) of a match ending at the current point in the string, rather than one starting at the current point. Similar features exist in many other regular-expression engines.
In regular expressions, if an apparent three-digit octal escape \nnn would exceed 377 (255 decimal), assume it is a two-digit octal escape instead (Tom Lane)
This makes the behavior match current Tcl releases.
Add xid xid and xid int4 operators, for consistency with the corresponding = operators (Michael Paquier)
Functions:
Add jsonb_insert() function to insert a new element into a jsonb array, or a not-previously-existing key into a jsonb object (Dmitry Dolgov)
Improve the accuracy of the ln(), log(), exp(), and pow() functions for type numeric (Dean Rasheed)
Add a scale(numeric) function to extract the display scale of a numeric value (Marko Tiikkaja)
Add trigonometric functions that work in degrees (Dean Rasheed)
For example, sind() measures its argument in degrees, whereas sin() measures in radians. These functions go to some lengths to deliver exact results for values where an exact result can be expected, such as sind(30) = 0.5 exactly.
Ensure that trigonometric functions handle infinity and NaN inputs per the POSIX standard (Dean Rasheed)
The POSIX standard says that these functions should return NaN for NaN input, and should throw an error for out-of-range inputs including infinity; but previously, our actual behavior varied across platforms.
Make extract() behave more reasonably with infinite inputs (Vitaly Burovoy)
Historically the extract() function just returned zero given an infinite timestamp, regardless of the given unit name. Make it return infinity or -infinity as appropriate when the requested field is one that is monotonically increasing (e.g, year, epoch), or NULL when it is not (e.g., day, hour). Also, throw the expected error for bad unit names.
Make to_timestamp(float8) convert float infinity to timestamp infinity (Vitaly Burovoy)
Formerly it just failed on an infinite input.
Add new functions for tsvector data (Stas Kelvich)
These are ts_delete(), ts_filter(), unnest(), tsvector_to_array(), array_to_tsvector(), and a variant of setweight() that sets the weight only for specified lexeme(s).
Allow ts_stat_sql() and tsvector_update_trigger() to operate on values that are of types binary-compatible with the expected argument type, not just that argument type; for example allow citext where text is expected (Teodor Sigaev)
Add variadic functions num_nulls() and num_nonnulls() that count the number of their arguments that are null or nonnull (Marko Tiikkaja)
An example usage is CHECK(num_nonnulls(a,b,c) = 1) which asserts that exactly one of a,b,c isn't NULL. These functions can also be used to count the number of null or nonnull elements in an array.
Add function parse_ident() to split a qualified, possibly quoted SQL identifier into its parts (Pavel Stehule)
In to_char(), do not count a minus sign (when needed) as part of the field width for time-related fields (Bruce Momjian)
For example, to_char('-4 years'::interval, 'YY') now returns -04, rather than -4.
In to_number(), interpret V as dividing by 10 to the power of the number of digits following V (Bruce Momjian)
This makes it operate in an inverse fashion to to_char().
Make the to_reg*() functions accept type text not cstring (Petr Korobeinikov)
This avoids the need to write an explicit cast in most cases where the argument isn't a simple literal constant.
Add pg_size_bytes() function to convert human-readable size strings to numbers (Pavel Stehule, Vitaly Burovoy, Dean Rasheed)
This function converts strings like those produced by pg_size_pretty() into sizes in bytes. An example usage is SELECT oid::regclass FROM pg_class WHERE pg_total_relation_size(oid) > pg_size_bytes('10 GB').
In pg_size_pretty(), format negative numbers similarly to positive ones (Adrian Vondendriesch)
Previously, negative numbers were never abbreviated, just printed in bytes.
Add an optional missing_ok argument to the current_setting() function (David Christensen)
This allows avoiding an error for an unrecognized parameter name; instead the result is NULL.
Server-Side Languages:
In PL/pgSQL, detect mismatched CONTINUE and EXIT statements while compiling PL/pgSQL functions, rather than at execution (Jim Nasby)
Remove PL/pgSQL's "feature" that suppressed the innermost line of CONTEXT for messages emitted by RAISE commands (Pavel Stehule)
This ancient backwards-compatibility hack was agreed to have outlived its usefulness.
Extend PL/Python's error-reporting and message-reporting functions to allow specifying additional message fields besides the primary error message (Pavel Stehule)
Allow PL/Python functions to call themselves recursively via SPI, and fix the behavior when multiple set-returning PL/Python functions are called within one query (Alexey Grishchenko, Tom Lane)
Fix session-lifespan memory leaks in PL/Python (Heikki Linnakangas, Haribabu Kommi, Tom Lane)
Modernize PL/Tcl to use Tcl's "object" APIs instead of simple strings (Jim Nasby, Karl Lehenbauer)
This can improve performance substantially in some cases. Note that PL/Tcl now requires Tcl 8.4 or later.
In PL/Tcl, make database-reported errors return additional information in Tcl's errorCode global variable (Jim Nasby, Tom Lane)
This feature follows the Tcl convention for returning auxiliary data about an error.
Fix PL/Tcl to perform encoding conversion between the database encoding and UTF-8, which is what Tcl expects (Tom Lane)
Previously, strings were passed through without conversion, leading to misbehavior with non-ASCII characters when the database encoding isn't UTF-8.
Client Interfaces:
Introduce a feature in libpq whereby the CONTEXT field of messages can be suppressed, either always or only for non-error messages (Pavel Stehule)
The default behavior of PQerrorMessage() is now to print CONTEXT only for errors. The new function PQsetErrorContextVisibility() can be used to adjust this.
Add support in libpq for regenerating an error message with a different verbosity level (Alex Shulgin)
This supports psql's new \errverbose feature, and may be useful for other clients as well.
Improve libpq's PQhost() function to return useful data for default Unix-socket connections (Tom Lane)
Previously it would return NULL if no explicit host specification had been given; now it returns the default socket directory path.
Fix ecpg's lexer to handle line breaks within comments starting on preprocessor directive lines (Michael Meskes)
Client Applications:
Add --strict-names option to pg_dump and pg_restore (Pavel Stehule)
This option causes the program to complain if there is no match for a -t or -n option, rather than silently doing nothing.
In pg_dump, dump locally-made changes in privilege assignments for system objects (Stephen Frost)
While it's always been possible for a superuser to change the privilege assignments for built-in or extension-created objects, such changes were formerly lost in a dump and reload. Now, pg_dump recognizes and dumps such changes. (This works only when dumping from a 9.6 or later server, however.)
In pg_dump, include the table name in object tags for object types that are only uniquely named per-table (for example, triggers) (Peter Eisentraut)
Improve pg_restore's -t switch to match all types of relations, not only plain tables (Craig Ringer)
psql:
Support multiple -c and -f command-line options (Pavel Stehule, Catalin Iacob)
To allow this with sane behavior, one backwards incompatibility had to be introduced: -c no longer implies --no-psqlrc.
Add a \crosstabview command that prints the results of a query in a cross-tabulated display (Daniel Vérité)
In the crosstab display, data values from one query result column are placed in a grid whose column and row headers come from other query result columns.
Add an \errverbose command that shows the last server error at full verbosity (Alex Shulgin)
This is very handy after getting an unexpected error — you no longer need to adjust the VERBOSITY variable and recreate the failure in order to see error fields that aren't shown by default.
Add \ev and \sv commands for editing and showing view definitions (Petr Korobeinikov)
These are parallel to the existing \ef and \sf commands for functions.
Add a \gexec command that executes a query and re-submits the result(s) as new queries (Corey Huinker)
Allow \pset C string to set the table title, for consistency with \C string (Bruce Momjian)
In \pset expanded auto mode, do not use expanded format for query results with only one column (Andreas Karlsson, Robert Haas)
Improve the headers output by the \watch command (Michael Paquier, Tom Lane)
Include the \pset title string if one has been set, and shorten the prefabricated part of the header to be timestamp (every Ns).
Improve tab-completion logic to consider the entire input query, not only the current line (Tom Lane)
Previously, breaking a command into multiple lines defeated any tab completion rules that would have needed to see words on earlier lines.
Numerous minor improvements in tab-completion behavior (Peter Eisentraut, Vik Fearing, Kevin Grittner, Kyotaro Horiguchi, Jeff Janes, Andreas Karlsson, Fujii Masao, Thomas Munro, Masahiko Sawada, Pavel Stehule)
Add a PROMPT option %p to insert the process ID of the connected backend (Julien Rouhaud)
Introduce a feature whereby the CONTEXT field of messages can be suppressed, either always or only for non-error messages (Pavel Stehule)
Printing CONTEXT only for errors is now the default behavior. This can be changed by setting the special variable SHOW_CONTEXT.
pgbench:
SQL commands in pgbench scripts are now ended by semicolons, not newlines (Kyotaro Horiguchi, Tom Lane)
This change allows SQL commands in scripts to span multiple lines. Existing custom scripts will need to be modified to add a semicolon at the end of each line that does not have one already. (Doing so does not break the script for use with older versions of pgbench.)
Support floating-point arithmetic, as well as some built-in functions, in expressions in backslash commands (Fabien Coelho)
Replace \setrandom with built-in functions (Fabien Coelho)
The new built-in functions include random(), random_exponential(), and random_gaussian(), which perform the same work as \setrandom, but are easier to use since they can be embedded in larger expressions. Since these additions have made \setrandom obsolete, remove it.
Allow invocation of multiple copies of the built-in scripts, not only custom scripts (Fabien Coelho)
This is done with the new -b switch, which works similarly to -f for custom scripts.
Allow changing the selection probabilities (weights) for scripts (Fabien Coelho)
When multiple scripts are specified, each pgbench transaction randomly chooses one to execute. Formerly this was always done with uniform probability, but now different selection probabilities can be specified for different scripts.
Collect statistics for each script in a multi-script run (Fabien Coelho)
This feature adds an intermediate level of detail to existing global and per-command statistics printouts.
Add a --progress-timestamp option to report progress with Unix epoch timestamps, instead of time since the run started (Fabien Coelho)
Allow the number of client connections (-c) to not be an exact multiple of the number of threads (-t) (Fabien Coelho)
When the -T option is used, stop promptly at the end of the specified time (Fabien Coelho)
Previously, specifying a low transaction rate could cause pgbench to wait significantly longer than that.
Server Applications:
Improve error reporting during initdb's post-bootstrap phase (Tom Lane)
Previously, an error here led to reporting the entire input file as the "failing query"; now just the current query is reported. To get the desired behavior, queries in initdb's input files must be separated by blank lines.
Speed up initdb by using just one standalone-backend session for all the post-bootstrap steps (Tom Lane)
Improve pg_rewind so that it can work when the target timeline changes (Alexander Korotkov)
This allows, for example, rewinding a promoted standby back to some state of the old master's timeline.
Source Code:
Remove obsolete heap_formtuple/heap_modifytuple/heap_deformtuple functions (Peter Geoghegan)
Unconditionally use static inline functions in header files (Andres Freund)
This may result in warnings and/or wasted code space with very old compilers, but the notational improvement seems worth it.
Improve TAP testing infrastructure (Michael Paquier, Craig Ringer, Álvaro Herrera, Stephen Frost)
Notably, it is now possible to test recovery scenarios using this infrastructure.
Make trace_lwlocks identify individual locks by name (Robert Haas)
Improve psql's tab-completion code infrastructure (Thomas Munro, Michael Paquier)
Tab-completion rules are now considerably easier to write, and more compact.
Nail the pg_shseclabel system catalog into cache, so that it is available for access during connection authentication (Adam Brightwell)
The core code doesn't use this catalog for authentication, but extensions might wish to consult it.
Restructure index access method API to hide most of it at the C level (Alexander Korotkov)
This change modernizes the index AM API to look more like the designs we've adopted for foreign data wrappers and tablesample handlers. This simplifies the C code and should make it more feasible to define index access methods in installable extensions. A consequence is that most of the columns of the pg_am system catalog have disappeared.
Add pg_init_privs system catalog to hold original privileges of initdb-created and extension-created objects (Stephen Frost)
This infrastructure allows pg_dump to dump changes that an installation may have made in privileges attached to system objects. Formerly, such changes would be lost in a dump and reload, but now they can be preserved.
Change the way that extensions allocate custom LWLocks (Amit Kapila, Robert Haas)
The RequestAddinLWLocks() function is removed, and replaced by RequestNamedLWLockTranche(). This allows better identification of custom LWLocks, and is less error-prone.
Improve the isolation tester to allow multiple sessions to wait concurrently, allowing testing of deadlock scenarios (Robert Haas)
Introduce extensible node types (KaiGai Kohei)
This change allows FDWs or custom scan providers to store data in a plan tree in a more convenient format than was previously possible.
Make the planner deal with post-scan/join query steps by generating and comparing Paths, replacing a lot of very ad-hoc logic (Tom Lane)
This change provides only marginal user-visible improvements today, but it enables future work on a lot of upper-planner improvements that were impractical to tackle in the old code structure.
Support partial aggregation (David Rowley, Simon Riggs)
This change allows the computation of an aggregate function to be split into separate parts, for example so that parallel worker processes can cooperate on computing an aggregate. In future it might allow aggregation across local and remote data to occur partially on the remote end.
Add a generic command progress reporting facility (Vinayak Pokale, Rahila Syed, Amit Langote, Robert Haas)
Separate out psql's flex lexer to make it usable by other client programs too (Tom Lane, Kyotaro Horiguchi)
This eliminates code duplication for programs that need to be able to parse SQL commands well enough to identify command boundaries. Doing that in full generality is more painful than one could wish, and up to now only psql has really gotten it right among our supported client programs.
A new source-code subdirectory src/fe_utils/ has been created to hold this and other code that's shared across our client programs. Formerly such sharing was accomplished by symlinking or copying source files at build time, which was ugly and required duplicate compilation work.
Introduce WaitEventSet API to allow efficient waiting for event sets that usually don't change from one wait to the next (Andres Freund, Amit Kapila)
Add a generic interface for writing WAL records (Alexander Korotkov, Petr Jelínek, Markus Nullmeier)
This change allows extensions to write WAL records for changes to pages with standard layout. The problem of needing to replay WAL without access to the extension is solved by having generic replay code. This allows extensions to implement, for example, index access methods and have WAL support for them.
Support generic WAL messages for logical decoding (Petr Jelínek, Andres Freund)
This feature allows extensions to insert data into the WAL stream that can be read by logical-decoding plugins, but is not connected to physical data restoration.
Allow SP-GiST operator classes to store an arbitrary "traversal value" while descending the index (Alexander Lebedev, Teodor Sigaev)
This is somewhat like the "reconstructed value", but it could be any arbitrary chunk of data, it need not be of the same data type as the indexed column.
Introduce a LOG_SERVER_ONLY message level for ereport() (David Steele)
This level acts like LOG except that the message is never sent to the client. It's meant for use in auditing and similar applications.
Additional Modules:
Add configuration parameter auto_explain.sample_rate to allow contrib/auto_explain to capture just a configurable fraction of all queries (Craig Ringer, Julien Rouhaud)
This allows reduction of overhead for heavy query traffic, while still getting useful information on average.
Add contrib/bloom module that implements an index access method based on Bloom filtering (Teodor Sigaev, Alexander Korotkov)
This is primarily a proof-of-concept for non-core index access methods, but it could be useful in its own right for queries that involve searches on many columns.
In contrib/cube, introduce distance operators for cubes, and support kNN-style searches in GiST indexes on cube columns (Stas Kelvich)
Make contrib/hstore's hstore_to_jsonb_loose() and hstore_to_json_loose() functions agree on what's a number (Tom Lane)
Previously, hstore_to_jsonb_loose() would convert numeric-looking strings to JSON numbers, rather than strings, even if they did not exactly match the JSON syntax specification for numbers. This was inconsistent with hstore_to_json_loose(), so tighten the test to match the JSON syntax.
Add selectivity estimation functions for contrib/intarray operators, to improve plans for queries using those operators (Yury Zhuravlev, Alexander Korotkov)
Make contrib/pageinspect's heap_page_items() function show the raw data in each tuple, and add new functions tuple_data_split() and heap_page_item_attrs() for inspection of individual tuple fields (Nikolay Shaplov)
Add an optional S2K iteration count parameter to contrib/pgcrypto's pgp_sym_encrypt() function (Jeff Janes)
Add support for "word similarity" to contrib/pg_trgm (Alexander Korotkov, Artur Zakirov)
These functions and operators measure the similarity between one string and the most similar single word of another string.
Add configuration parameter pg_trgm.similarity_threshold for contrib/pg_trgm's similarity threshold (Artur Zakirov)
This threshold has always been configurable, but formerly it was controlled by special-purpose functions set_limit() and show_limit(). Those are now deprecated.
Improve contrib/pg_trgm's GIN operator class to speed up index searches in which both common and rare keys appear (Jeff Janes)
Improve performance of similarity searches in contrib/pg_trgm GIN indexes (Christophe Fornaroli)
Add contrib/pg_visibility module to allow examining table visibility maps (Robert Haas)
Add ssl_extension_info() function to contrib/sslinfo, to print information about SSL extensions present in the X509 certificate used for the current connection (Dmitry Voronin)
Extend contrib/unaccent's standard unaccent.rules file to handle all diacritics known to Unicode, and expand ligatures correctly (Thomas Munro, Leonard Benedetti)
The previous version omitted some less-common letters with diacritic marks. It now also expands ligatures into separate letters. Installations that use this rules file may wish to rebuild tsvector columns and indexes that depend on the result.
postgres_fdw:
Allow extension-provided operators and functions to be sent for remote execution, if the extension is whitelisted in the foreign server's options (Paul Ramsey)
Users can enable this feature when the extension is known to exist in a compatible version in the remote database. It allows more efficient execution of queries involving extension operators.
Consider performing sorts on the remote server (Ashutosh Bapat)
Consider performing joins on the remote server (Shigeru Hanada, Ashutosh Bapat)
When feasible, perform UPDATE or DELETE entirely on the remote server (Etsuro Fujita)
Formerly, this involved sending a SELECT FOR UPDATE command and then updating or deleting the selected rows one-by-one. While that's still necessary if the operation requires any local processing, it can now be done remotely if all elements of the query are safe to send to the remote server.
Allow the fetch size to be set as a server or table option (Corey Huinker)
Formerly, postgres_fdw always fetched 100 rows at a time from remote queries; now that behavior is adjustable.
Use a single foreign-server connection for local user IDs that all map to the same remote user (Ashutosh Bapat)
Transmit query cancellation requests to the remote server (Michael Paquier)
Previously, a local query cancellation request did nothing to cause an already-sent remote query to terminate early.

New in PostgreSQL 9.5.3 (May 17, 2016)

A dump/restore is not required for those running 9.5.X.
However, if you are upgrading from a version earlier than 9.5.2, see Section E.2.
Changes:
Clear the OpenSSL error queue before OpenSSL calls, rather than assuming it's clear already; and make sure we leave it clear afterwards
This change prevents problems when there are multiple connections using OpenSSL within a single process and not all the code involved follows the same rules for when to clear the error queue. Failures have been reported specifically when a client application uses SSL connections in libpq concurrently with SSL connections using the PHP, Python, or Ruby wrappers for OpenSSL. It's possible for similar problems to arise within the server as well, if an extension module establishes an outgoing SSL connection.
Fix "failed to build any N-way joins" planner error with a full join enclosed in the right-hand side of a left join
Fix incorrect handling of equivalence-class tests in multilevel nestloop plans
Given a three-or-more-way equivalence class of variables, such as X.X = Y.Y = Z.Z, it was possible for the planner to omit some of the tests needed to enforce that all the variables are actually equal, leading to join rows being output that didn't satisfy the WHERE clauses. For various reasons, erroneous plans were seldom selected in practice, so that this bug has gone undetected for a long time.
Fix corner-case parser failures occurring when operator_precedence_warning is turned on
An example is that SELECT (ARRAY[])::text[] gave an error, though it worked without the parentheses.
Fix query-lifespan memory leak in GIN index scans (Julien Rouhaud)
Fix query-lifespan memory leak and potential index corruption hazard in GIN index insertion
The memory leak would typically not amount to much in simple queries, but it could be very substantial during a large GIN index build with high maintenance_work_mem.
Fix possible misbehavior of TH, th, and Y,YYY format codes in to_timestamp()
These could advance off the end of the input string, causing subsequent format codes to read garbage.
Fix dumping of rules and views in which the array argument of a value operator ANY (array) construct is a sub-SELECT
Disallow newlines in ALTER SYSTEM parameter values
The configuration-file parser doesn't support embedded newlines in string literals, so we mustn't allow them in values to be inserted by ALTER SYSTEM.
Fix ALTER TABLE ... REPLICA IDENTITY USING INDEX to work properly if an index on OID is selected
Avoid possible misbehavior after failing to remove a tablespace symlink
Fix crash in logical decoding on alignment-picky platforms
The failure occurred only with a transaction large enough to spill to disk and a primary-key change within that transaction.
Avoid repeated requests for feedback from receiver while shutting down walsender
Make pg_regress use a startup timeout from the PGCTLTIMEOUT environment variable, if that's set
This is for consistency with a behavior recently added to pg_ctl; it eases automat
Fix pg_upgrade to correctly restore extension membership for operator families containing only one operator class
In such a case, the operator family was restored into the new database, but it was no longer marked as part of the extension. This had no immediate ill effects, but would cause later pg_dump runs to emit output that would cause (harmless) errors on restore.
Fix pg_upgrade to not fail when new-cluster TOAST rules differ from old
pg_upgrade had special-case code to handle the situation where the new PostgreSQL version thinks that a table should have a TOAST table while the old version did not. That code was broken, so remove it, and instead do nothing in such cases; there seems no reason to believe that we can't get along fine without a TOAST table if that was okay according to the old version's rules.
Fix atomic operations for PPC when using IBM's XLC compiler
Reduce the number of SysV semaphores used by a build configured with --disable-spinlocks
Rename internal function strtoi() to strtoint() to avoid conflict with a NetBSD library function
Fix reporting of errors from bind() and listen() system calls on Windows
Reduce verbosity of compiler output when building with Microsoft Visual Studio
Support building with Visual Studio 2015
Note that builds made with VS2015 will not run on Windows versions before Windows Vista.
Fix putenv() to work properly with Visual Studio 2013
Avoid possibly-unsafe use of Windows' FormatMessage() function
Use the FORMAT_MESSAGE_IGNORE_INSERTS flag where appropriate. No live bug is known to exist here, but it seems like a good idea to be careful.
Update time zone data files to tzdata release 2016d for DST law changes in Russia and Venezuela. There are new zone names Europe/Kirov and Asia/Tomsk to reflect the fact that these regions now have different time zone histories from adjacent regions.

New in PostgreSQL 9.5.2 (Apr 1, 2016)

A dump/restore is not required for those running 9.5.X.
However, you may need to REINDEX some indexes after applying the update, as per the first changelog entry below.
Changes:
Disable abbreviated keys for string sorting in non-C locales (Robert Haas)
PostgreSQL 9.5 introduced logic for speeding up comparisons of string data types by using the standard C library function strxfrm() as a substitute for strcoll(). It now emerges that most versions of glibc (Linux's implementation of the C library) have buggy implementations of strxfrm() that, in some locales, can produce string comparison results that do not match strcoll(). Until this problem can be better characterized, disable the optimization in all non-C locales. (C locale is safe since it uses neither strcoll() nor strxfrm().)
Unfortunately, this problem affects not only sorting but also entry ordering in B-tree indexes, which means that B-tree indexes on text, varchar, or char columns may now be corrupt if they sort according to an affected locale and were built or modified under PostgreSQL 9.5.0 or 9.5.1. Users should REINDEX indexes that might be affected.
It is not possible at this time to give an exhaustive list of known-affected locales. C locale is known safe, and there is no evidence of trouble in English-based locales such as en_US, but some other popular locales such as de_DE are affected in most glibc versions.
Maintain row-security status properly in cached plans (Stephen Frost)
In a session that performs queries as more than one role, the plan cache might incorrectly re-use a plan that was generated for another role ID, thus possibly applying the wrong set of policies when row-level security (RLS) is in use. (CVE-2016-2193)
Add must-be-superuser checks to some new contrib/pageinspect functions (Andreas Seltenreich)
Most functions in the pageinspect extension that inspect bytea values disallow calls by non-superusers, but brin_page_type() and brin_metapage_info() failed to do so. Passing contrived bytea values to them might crash the server or disclose a few bytes of server memory. Add the missing permissions checks to prevent misuse. (CVE-2016-3065)
Fix incorrect handling of indexed ROW() comparisons (Simon Riggs)
Flaws in a minor optimization introduced in 9.5 caused incorrect results if the ROW() comparison matches the index ordering partially but not exactly (for example, differing column order, or the index contains both ASC and DESC columns). Pending a better solution, the optimization has been removed.
Fix incorrect handling of NULL index entries in indexed ROW() comparisons (Tom Lane)
An index search using a row comparison such as ROW(a, b) > ROW('x', 'y') would stop upon reaching a NULL entry in the b column, ignoring the fact that there might be non-NULL b values associated with later values of a.
Avoid unlikely data-loss scenarios due to renaming files without adequate fsync() calls before and after (Michael Paquier, Tomas Vondra, Andres Freund)
Fix incorrect behavior when rechecking a just-modified row in a query that does SELECT FOR UPDATE/SHARE and contains some relations that need not be locked (Tom Lane)
Rows from non-locked relations were incorrectly treated as containing all NULLs during the recheck, which could result in incorrectly deciding that the updated row no longer passes the WHERE condition, or in incorrectly outputting NULLs.
Fix bug in json_to_record() when a field of its input object contains a sub-object with a field name matching one of the requested output column names (Tom Lane)
Fix nonsense result from two-argument form of jsonb_object() when called with empty arrays (Michael Paquier, Andrew Dunstan)
Fix misbehavior in jsonb_set() when converting a path array element into an integer for use as an array subscript (Michael Paquier)
Fix misformatting of negative time zone offsets by to_char()'s OF format code (Thomas Munro, Tom Lane)
Fix possible incorrect logging of waits done by INSERT ... ON CONFLICT (Peter Geoghegan)
Log messages would sometimes claim that the wait was due to an exclusion constraint although no such constraint was responsible.
Ignore recovery_min_apply_delay parameter until recovery has reached a consistent state (Michael Paquier)
Previously, standby servers would delay application of WAL records in response to recovery_min_apply_delay even while replaying the initial portion of WAL needed to make their database state valid. Since the standby is useless until it's reached a consistent database state, this was deemed unhelpful.
Correctly handle cases where pg_subtrans is close to XID wraparound during server startup (Jeff Janes)
Fix assorted bugs in logical decoding (Andres Freund)
Trouble cases included tuples larger than one page when replica identity is FULL, UPDATEs that change a primary key within a transaction large enough to be spooled to disk, incorrect reports of "subxact logged without previous toplevel record", and incorrect reporting of a transaction's commit time.
Fix planner error with nested security barrier views when the outer view has a WHERE clause containing a correlated subquery (Dean Rasheed)
Fix memory leak in GIN index searches (Tom Lane)
Fix corner-case crash due to trying to free localeconv() output strings more than once (Tom Lane)
Fix parsing of affix files for ispell dictionaries (Tom Lane)
The code could go wrong if the affix file contained any characters whose byte length changes during case-folding, for example I in Turkish UTF8 locales.
Avoid use of sscanf() to parse ispell dictionary files (Artur Zakirov)
This dodges a portability problem on FreeBSD-derived platforms (including OS X).
Fix atomic-operations code used on PPC with IBM's xlc compiler (Noah Misch)
This error led to rare failures of concurrent operations on that platform.
Avoid a crash on old Windows versions (before 7SP1/2008R2SP1) with an AVX2-capable CPU and a Postgres build done with Visual Studio 2013 (Christian Ullrich)
This is a workaround for a bug in Visual Studio 2013's runtime library, which Microsoft have stated they will not fix in that version.
Fix psql's tab completion logic to handle multibyte characters properly (Kyotaro Horiguchi, Robert Haas)
Fix psql's tab completion for SECURITY LABEL (Tom Lane)
Pressing TAB after SECURITY LABEL might cause a crash or offering of inappropriate keywords.
Make pg_ctl accept a wait timeout from the PGCTLTIMEOUT environment variable, if none is specified on the command line (Noah Misch)
This eases testing of slower buildfarm members by allowing them to globally specify a longer-than-normal timeout for postmaster startup and shutdown.
Fix incorrect test for Windows service status in pg_ctl (Manuel Mathar)
The previous set of minor releases attempted to fix pg_ctl to properly determine whether to send log messages to Window's Event Log, but got the test backwards.
Fix pgbench to correctly handle the combination of -C and -M prepared options (Tom Lane)
In pg_upgrade, skip creating a deletion script when the new data directory is inside the old data directory (Bruce Momjian)
Blind application of the script in such cases would result in loss of the new data directory.
In PL/Perl, properly translate empty Postgres arrays into empty Perl arrays (Alex Hunsaker)
Make PL/Python cope with function names that aren't valid Python identifiers (Jim Nasby)
Fix multiple mistakes in the statistics returned by contrib/pgstattuple's pgstatindex() function (Tom Lane)
Remove dependency on psed in MSVC builds, since it's no longer provided by core Perl (Michael Paquier, Andrew Dunstan)
Update time zone data files to tzdata release 2016c for DST law changes in Azerbaijan, Chile, Haiti, Palestine, and Russia (Altai, Astrakhan, Kirov, Sakhalin, Ulyanovsk regions), plus historical corrections for Lithuania, Moldova, and Russia (Kaliningrad, Samara, Volgograd).

New in PostgreSQL 9.5.1 (Feb 11, 2016)

CHANGES:
Fix infinite loops and buffer-overrun problems in regular expressions (Tom Lane)
Very large character ranges in bracket expressions could cause infinite loops in some cases, and memory overwrites in other cases. (CVE-2016-0773)
Fix an oversight that caused hash joins to miss joining to some tuples of the inner relation in rare cases (Tomas Vondra, Tom Lane)
Avoid pushdown of HAVING clauses when grouping sets are used (Andrew Gierth)
Fix deparsing of ON CONFLICT arbiter WHERE clauses (Peter Geoghegan)
Make %h and %r escapes in log_line_prefix work for messages emitted due to log_connections (Tom Lane)
Previously, %h/%r started to work just after a new session had emitted the "connection received" log message; now they work for that message too.
Avoid leaking a token handle during SSPI authentication (Christian Ullrich)
Fix psql's \det command to interpret its pattern argument the same way as other \d commands with potentially schema-qualified patterns do (Reece Hart)
In pg_ctl on Windows, check service status to decide where to send output, rather than checking if standard output is a terminal (Michael Paquier)
Fix assorted corner-case bugs in pg_dump's processing of extension member objects (Tom Lane)
Fix improper quoting of domain constraint names in pg_dump (Elvis Pranskevichus)
Make pg_dump mark a view's triggers as needing to be processed after its rule, to prevent possible failure during parallel pg_restore (Tom Lane)
Install guards in pgbench against corner-case overflow conditions during evaluation of script-specified division or modulo operators (Fabien Coelho, Michael Paquier)
Suppress useless warning message when pg_receivexlog connects to a pre-9.4 server (Marco Nenciarini)
Avoid dump/reload problems when using both plpython2 and plpython3 (Tom Lane)
In principle, both versions of PL/Python can be used in the same database, though not in the same session (because the two versions of libpython cannot safely be used concurrently). However, pg_restore and pg_upgrade both do things that can fall foul of the same-session restriction. Work around that by changing the timing of the check.
Fix PL/Python regression tests to pass with Python 3.5 (Peter Eisentraut)
Prevent certain PL/Java parameters from being set by non-superusers (Noah Misch)
This change mitigates a PL/Java security bug (CVE-2016-0766), which was fixed in PL/Java by marking these parameters as superuser-only. To fix the security hazard for sites that update PostgreSQL more frequently than PL/Java, make the core code aware of them also.
Fix ecpg-supplied header files to not contain comments continued from a preprocessor directive line onto the next line (Michael Meskes)
Such a comment is rejected by ecpg. It's not yet clear whether ecpg itself should be changed.
Fix hstore_to_json_loose()'s test for whether an hstore value can be converted to a JSON number (Tom Lane)
Previously this function could be fooled by non-alphanumeric trailing characters, leading to emitting syntactically-invalid JSON.
In contrib/postgres_fdw, fix bugs triggered by use of tableoid in data-modifying commands (Etsuro Fujita, Robert Haas)
Fix ill-advised restriction of NAMEDATALEN to be less than 256 (Robert Haas, Tom Lane)
Improve reproducibility of build output by ensuring filenames are given to the linker in a fixed order (Christoph Berg)
This avoids possible bitwise differences in the produced executable files from one build to the next.
Ensure that dynloader.h is included in the installed header files in MSVC builds (Bruce Momjian, Michael Paquier)
Update time zone data files to tzdata release 2016a for DST law changes in Cayman Islands, Metlakatla, and Trans-Baikal Territory (Zabaykalsky Krai), plus historical corrections for Pakistan.

New in PostgreSQL 9.5.0 (Jan 8, 2016)

New in PostgreSQL 9.5.0 Beta 2 (Nov 13, 2015)

Overview:
Major enhancements in PostgreSQL 9.5 include:
... to be filled in ...
A dump/restore using pg_dumpall, or use of pg_upgrade, is required for those wishing to migrate data from any previous release.
Version 9.5 contains a number of changes that may affect compatibility with previous releases. Observe the following incompatibilities:
Adjust operator precedence to match the SQL standard (Tom Lane)
The precedence of = and has been reduced to match that of and =. The precedence of IS tests (e.g., x IS NULL) has been reduced to be just below these six comparison operators. Also, multi-keyword operators beginning with NOT now have the precedence of their base operator (for example, NOT BETWEEN now has the same precedence as BETWEEN) whereas before they had inconsistent precedence, behaving like NOT with respect to their left operand but like their base operator with respect to their right operand. The new configuration parameter operator_precedence_warning can be enabled to warn about queries in which these precedence changes result in different parsing choices.
Change pg_ctl's default shutdown mode from smart to fast (Bruce Momjian)
Use assignment cast behavior for data type conversions in PL/pgSQL assignments, rather than converting to and from text (Tom Lane)
This change causes conversions of Booleans to strings to produce true or false, not t or f. Other type conversions may succeed in more cases than before; for example, assigning a numeric value 3.9 to an integer variable will now assign 4 rather than failing. If no assignment-grade cast is defined for the particular source and destination types, PL/pgSQL will fall back to its old I/O conversion behavior.
Allow characters in server command-line options to be escaped with a backslash (Andres Freund)
Formerly, spaces in the options string always separated options, so there was no way to include a space in an option value. Including a backslash in an option value now requires writing \\.
Change the default value of include_realm to 1, so that by default the realm is not removed from a GSS or SSPI principal name (Stephen Frost)
Fix REASSIGN OWNED and ALTER OWNER TO to properly update permissions lists (ACLs) when changing ownership of types, foreign data wrappers, and foreign servers (Bruce Momjian)
The configuration parameter checkpoint_segments has been removed. Its place is taken by the new setting max_wal_size. If you had previously tuned checkpoint_segments, the following formula will give you an approximately equivalent setting:
max_wal_size = (3 * checkpoint_segments) * 16MB
Note that the default setting for max_wal_size is much higher than the default checkpoint_segments used to be, so setting this might no longer be necessary.
Disable server configuration parameter ssl_renegotiation_limit, which was deprecated in earlier releases (Andres Freund)
While SSL renegotiation is a good idea in theory, it has caused enough bugs to be considered a net negative in practice, and it is due to be removed from future versions of the relevant standards. We have therefore removed support for it from PostgreSQL. The ssl_renegotiation_limit parameter still exists, but cannot be set to anything but zero (disabled). It's not documented anymore, either.
Remove server configuration parameter autocommit, which was already deprecated and non-operational (Tom Lane)
Remove pg_authid's rolcatupdate field, as it had no value (Adam Brightwell)
Allow json and jsonb array extraction operators to accept negative subscripts, which count from the end of JSON arrays. Previously, these operators returned NULL for negative subscripts. (Peter Geoghegan, Andrew Dunstan)
Changes:
Below you will find a detailed account of the changes between PostgreSQL 9.5 and the previous major release.
Server:
Add Block Range Indexes (BRIN) (Álvaro Herrera)
BRIN indexes are very compact and cheap to update by storing min/max values for a range of heap blocks.
Allow queries to perform accurate distance filtering of bounding-box-indexed objects (polygons, circles) using GiST indexes (Alexander Korotkov, Heikki Linnakangas)
Previously, a common table expression was required to return a large number of rows ordered by bounding-box distance, and then filtered further with a more accurate non-bounding-box distance calculation.
Allow GiST indexes to perform index-only scans (Anastasia Lubennikova, Heikki Linnakangas, Andreas Karlsson)
Add configuration parameter gin_pending_list_limit to control the size of GIN pending lists (Fujii Masao)
Previously the list size was controlled by work_mem. This can also be set as an index storage parameter.
Issue a warning during the creation of hash indexes because they are not crash-safe (Bruce Momjian)
General Performance:
Improve the speed of sorting VARCHAR, TEXT, and NUMERIC fields (Peter Geoghegan, Andrew Gierth, Robert Haas)
Extend the infrastructure that allows sorting to be performed by inlined, non-SQL-callable comparison functions to cover CREATE INDEX, REINDEX, and CLUSTER (Peter Geoghegan)
Improve in-memory hash performance (Tomas Vondra, Robert Haas)
Improve concurrency of shared buffer replacement (Robert Haas, Amit Kapila)
Reduce the number of page locks and pins during index scans (Kevin Grittner)
The primary benefit of this is to allow index vacuums to be blocked less often.
Make backend local tracking of buffer pins memory efficient (Andres Freund)
Previously each session allocated an array with space for every buffer in shared_buffers.
Improve lock scalability (Andres Freund)
This particularly addresses scalability problems when running on systems with multiple CPU sockets.
Allow the optimizer to remove unnecessary references to left outer join subqueries (David Rowley)
Allow pushdown of query restrictions into window functions, where appropriate (David Rowley)
Allow non-leakproof functions to be passed into security barrier views if the function does not reference any table columns (Dean Rasheed)
Teach the planner to use statistics obtained from an expression index on a boolean-returning function, when a matching function call appears in WHERE (Tom Lane)
Make ANALYZE compute basic statistics (null fraction and average column width) even for columns whose data type lacks an equality function (Oleksandr Shulgin)
Speed up CRC (cyclic redundancy check) computations and switch to CRC-32C (Abhijit Menon-Sen, Heikki Linnakangas)
Improve bitmap index scan performance (Teodor Sigaev, Tom Lane)
Speed up CREATE INDEX by avoiding unnecessary memory copies (Robert Haas)
Increase the number of buffer mapping partitions (Amit Kapila, Andres Freund, Robert Haas)
This improves performance for highly concurrent workloads.
Monitoring:
Add per-table autovacuum logging control via log_min_autovacuum_duration (Michael Paquier)
Add new configuration parameter cluster_name (Thomas Munro)
This string, typically set in postgresql.conf, allows clients to identify the cluster. This name also appears in the process title of all server processes, allowing for easier identification of processes belonging to the same cluster.
Prevent non-superusers from changing log_disconnections on connection startup (Fujii Masao)
SSL:
Check "Subject Alternative Names" in SSL server certificates, if present (Alexey Klyukin)
When they are present, this replaces checks against the certificate's "Common Name".
Add system view pg_stat_ssl to report SSL connection information (Magnus Hagander)
Add libpq functions to return SSL information in an implementation-independent way (Heikki Linnakangas)
While PQgetssl() can still be used to call OpenSSL functions, it is now considered deprecated because future versions of libpq might support other SSL implementations. When possible, use the new functions PQsslAttribute(), PQsslAttributeNames(), and PQsslInUse() to obtain SSL information in an SSL-implementation-independent way.
Make libpq honor any OpenSSL thread callbacks (Jan Urbanski)
Previously they were overwritten.
Server Settings:
Replace configuration parameter checkpoint_segments with min_wal_size and max_wal_size (Heikki Linnakangas)
This allows the allocation of a large number of WAL files without keeping them if they are not needed. Thus the default for max_wal_size has been increased to 1GB.
Add configuration parameter wal_compression to control compression of full page images stored in WAL (Rahila Syed, Michael Paquier)
Allow recording of transaction commit time stamps when configuration parameter track_commit_timestamp is enabled (Álvaro Herrera, Petr Jelínek)
Time stamp information can be accessed using functions pg_xact_commit_timestamp() and pg_last_committed_xact().
Allow local_preload_libraries to be set by ALTER ROLE SET (Peter Eisentraut, Kyotaro Horiguchi)
Allow running autovacuum workers to respond to configuration parameter changes (Michael Paquier)
Make configuration parameter debug_assertions read-only (Andres Freund)
This means that assertions can no longer be turned off if they were enabled at compile time, allowing for more efficient code optimization. This change also removed the postgres -A option.
Allow setting effective_io_concurrency on systems where it has no effect (Peter Eisentraut)
Add environment variables PG_OOM_ADJUST_FILE and PG_OOM_ADJUST_VALUE to help control the Linux OOM killer (Gurjeet Singh)
The previous OOM control infrastructure involved a compile-time option.
Add system view pg_file_settings to show the contents of the server's configuration files (Sawada Masahiko)
Add pending_restart to the system view pg_settings to indicate a change is pending a restart (Peter Eisentraut)
Allow ALTER SYSTEM values to be reset with ALTER SYSTEM RESET (Vik Fearing)
This command removes the setting from postgresql.auto.conf.
Replication and Recovery:
Rework truncation of the multixact commit log to be properly WAL-logged (Andres Freund)
This makes things substantially simpler and more robust.
Add recovery.conf parameter recovery_target_action to control post-recovery activity (Petr Jelínek)
This replaces the old parameter pause_at_recovery_target.
Add new archive_mode value always to allow standbys to always archive received WAL files (Fujii Masao)
Add configuration parameter wal_retrieve_retry_interval to control WAL read retry after failure (Alexey Vasiliev, Michael Paquier)
This is particularly helpful for warm standbys.
Archive WAL files with suffix .partial during standby promotion (Heikki Linnakangas)
nfiguration parameter log_replication_commands to log replication commands (Fujii Masao)
By default, replication commands, e.g. IDENTIFY_SYSTEM, are not logged, even when log_statement is set to all.
Allow labeling of the origin progress of logical replication changes (Andres Freund)
This is helpful when implementing replication solutions.
Report the processes holding replication slots in pg_replication_slots (Craig Ringer)
The new output column is active_pid.
Allow recovery.conf's primary_conninfo to use connection URIs, e.g. postgres:// (Alexander Shulgin)
Queries:
Allow INSERTS that would generate constraint conflicts to be turned into UPDATEs or ignored (Peter Geoghegan, Heikki Linnakangas, Andres Freund)
The syntax is INSERT ... ON CONFLICT DO NOTHING/UPDATE. This is the Postgres implementation of the popular UPSERT command.
Add GROUP BY analysis functions GROUPING SETS, CUBE and ROLLUP (Andrew Gierth, Atri Sharma)
Allow setting multiple target columns in an UPDATE from the result of a single sub-SELECT (Tom Lane)
This is accomplished using the syntax UPDATE tab SET (col1, col2, ...) = (SELECT ...).
Add new SELECT option SKIP LOCKED to skip locked rows (Thomas Munro)
This does not throw an error for locked rows like NOWAIT does.
Add SELECT option TABLESAMPLE to return a subset of a table (Petr Jelínek)
Suggest possible matches for mistyped column names (Peter Geoghegan, Robert Haas)
Utility Commands:
Add more details about sort ordering in EXPLAIN output (Marius Timmer, Lukas Kreft, Arne Scheffer)
Details include COLLATE, DESC, USING, and NULLS FIRST/LAST.
Have VACUUM log the number of pages skipped due to pins (Jim Nasby)
Have TRUNCATE properly update the pg_stat* tuple counters (Alexander Shulgin)
REINDEX:
Allow REINDEX to reindex an entire schema using the SCHEMA option (Sawada Masahiko)
Add VERBOSE option to REINDEX (Sawada Masahiko)
Prevent REINDEX DATABASE and SCHEMA from outputting object names, unless VERBOSE is used (Simon Riggs)
Remove obsolete FORCE option from REINDEX (Fujii Masao)
Object Manipulation:
Add row-level security control (Craig Ringer, KaiGai Kohei, Adam Brightwell, Dean Rasheed, Stephen Frost)
This controls viewing and adding/modifying rows via new commands CREATE/ALTER/DROP POLICY and ALTER TABLE ... ENABLE/DISABLE ROW SECURITY.
Allow changing of the WAL logging status of a table after creation with ALTER TABLE .. SET LOGGED / UNLOGGED (Fabrízio de Royes Mello)
Add IF NOT EXISTS clause to CREATE TABLE AS, CREATE INDEX, CREATE SEQUENCE, and CREATE MATERIALIZED VIEW (Fabrízio de Royes Mello)
Add support for IF EXISTS to ALTER TABLE ... RENAME CONSTRAINT (Bruce Momjian)
Allow CURRENT/SESSION_USER to specify the current user in some commands (Kyotaro Horiguchi, Álvaro Herrera)
Commands include ALTER USER, ALTER GROUP, ALTER ROLE, GRANT, and various ALTER OBJECT / OWNER TO commands.
Allow comments on domain constraints (Álvaro Herrera)
Reduce lock levels of some create and alter trigger and foreign key commands (Simon Riggs, Andreas Karlsson)
Allow LOCK TABLE .. ROW EXCLUSIVE MODE for those with INSERT privileges (Stephen Frost)
Previously only UPDATE, DELETE, and TRUNCATE privileges allowed this.
Apply table and domain CHECK constraints in name order (Tom Lane)
The previous order was indeterminate.
Allow CREATE/ALTER DATABASE to manipulate datistemplate and datallowconn (Vik Fearing)
This allows these database settings to be changed more easily than modifying the pg_database system table.
CREATE FOREIGN DATA WRAPPER:
Add support for IMPORT FOREIGN SCHEMA (Ronan Dunklau, Michael Paquier, Tom Lane)
This command allows automatic creation of local foreign tables that match the structure of existing tables on a remote server.
Allow foreign tables to participate in inheritance (Shigeru Hanada, Etsuro Fujita)
This also allows foreign tables to mark check constraints as not valid, and to set storage and OID characteristics.
Allow CHECK constraints to be placed on foreign tables (Shigeru Hanada, Etsuro Fujita)
These constraints are assumed to be enforced on the remote server, and are not enforced locally. However, they are assumed to hold for purposes of query optimization, such as constraint exclusion.
Allow foreign data wrappers and custom scans to implement join pushdown (KaiGai Kohei)
CREATE EVENT TRIGGER:
Add a set-returning function pg_event_trigger_ddl_commands(), which returns DDL activity associated with event triggers (Álvaro Herrera)
Allow event triggers on table rewrites caused by ALTER TABLE (Dimitri Fontaine)
Add event trigger support for database-level COMMENT, SECURITY LABEL, and GRANT/REVOKE (Álvaro Herrera)
Add columns to the output of pg_event_trigger_dropped_objects (Álvaro Herrera)
This allows simpler processing of delete operations.
Data Types:
Allow the XML data type to accept empty or all-whitespace values (Peter Eisentraut)
This is required by the SQL/XML specification.
Allow MACADDR input using the format xxxx-xxxx-xxxx (Herwin Weststrate)
Tighten syntax of INTERVAL precision specifications (Bruce Momjian)
Only allow interval precision to be specified after the INTERVAL keyword if no units are specified.
Add selectivity estimators for INET/CIDR operators and improve estimators for text search functions (Emre Hasegeli, Tom Lane)
JSON:
Add JSONB functions jsonb_set() and jsonb_pretty() (Dmitry Dolgov, Andrew Dunstan, Petr Jelínek)
Add several generator functions for JSONB that already existed for JSON (Andrew Dunstan)
These are to_jsonb(), jsonb_object(), jsonb_build_object(), jsonb_build_array(), jsonb_agg(), and jsonb_object_agg().
Reduce casting requirements to/from JSON and JSONB (Tom Lane)
Allow TEXT, TEXT array, and INTEGER values to be subtracted from JSONB documents (Dmitry Dolgov, Andrew Dunstan)
Add JSONB operator || (Dmitry Dolgov, Andrew Dunstan)
Add json_strip_nulls() and jsonb_strip_nulls() functions to remove JSON null values from documents (Andrew Dunstan)
Functions:
Add generate_series() for NUMERIC values (Plato Malugin)
Allow array_agg() and ARRAY() to take arrays as inputs (Ali Akbar, Tom Lane)
Add functions array_position() and array_positions() to return subscripts of array values (Pavel Stehule)
Add point-to-polygon distance operator () (Alexander Korotkov)
Allow multibyte characters as escape in SIMILAR TO and SUBSTRING (Jeff Davis)
Previously, only a single-byte character was allowed as an escape.
Add a width_bucket() variant that supports any sortable data type and non-uniform bucket widths (Petr Jelínek)
Add an optional missing_ok argument to pg_read_file() and related functions (Michael Paquier, Heikki Linnakangas)
Allow => to specify named parameters in function calls (Pavel Stehule)
Previously only := could be used. This requires removing the possibility for => to be a user-defined operator. Creation of user-defined => operators has been issuing warnings since PostgreSQL 9.0.
Add POSIX-compliant rounding for platforms that use PostgreSQL-supplied rounding functions (Pedro Gimeno Fortea)
System Information Functions and Views:
Add function pg_get_object_address() to return OIDs that uniquely identify an object, and function pg_identify_object_as_address() to return object information based on OIDs (Álvaro Herrera)
Loosen security checks for viewing queries in pg_stat_activity, executing pg_cancel_backend(), and executing pg_terminate_backend() (Stephen Frost)
Now, role membership is sufficient; previously only the same role could perform these operations.
Add pg_stat_get_snapshot_timestamp() to output the time stamp of the statistics snapshot (Matt Kelly)
This represents the last time the snapshot files was written to the file system.
Add mxid_age() to compute multi-xid age (Bruce Momjian)
Add data types regrole regnamespace that returns the OID of a role (Kyotaro Horiguchi)
Aggregates:
Add MIN()/MAX() aggregates for INET/CIDR data types (Haribabu Kommi)
Use 128-bit integers, where supported, as aggregate accumulators (Andreas Karlsson)
Server-Side Languages:
Improve support for composite types in PL/Python (Ed Behn, Ronan Dunklau)
This allows PL/Python functions to return arrays of composite types.
Reduce lossiness of PL/Python floating value conversions (Marko Kreen)
Allow specification of conversion routines between SQL data types and data types of procedural languages (Peter Eisentraut)
This change adds new commands CREATE/DROP TRANSFORM. This also adds optional transformations between the hstore and ltree types to/from PL/Perl and PL/Python.
PL/pgSQL Server-Side Language:
Improve PL/pgSQL array performance (Tom Lane)
Add ASSERT statement in PL/pgSQL (Pavel Stehule)
Allow more PL/pgSQL keywords to be used as identifiers (Tom Lane)
Client Applications:
Move pg_archivecleanup, pg_test_fsync, pg_test_timing, and pg_xlogdump from contrib to src/bin (Peter Eisentraut)
Add pg_rewind, which allows re-synchronizing a master server after failback (Heikki Linnakangas)
Allow pg_receivexlog to manage physical replication slots (Michael Paquier)
This is controlled via new --create-slot and --drop-slot options.
Allow the pg_receivexlog to synchronously flush WAL to storage using --synchronous (Furuya Osamu, Fujii Masao)
Without this, WAL files are fsynced only on close.
Allow vacuumdb to vacuum in parallel using --jobs (Dilip Kumar)
Add --verbose option to reindexdb (Sawada Masahiko)
Make pg_basebackup use a tablespace mapping file when using tar format, to support symbolic links and file paths of 100+ characters in length on MS Windows (Amit Kapila)
Add pg_xlogdump option --stats to display summary statistics (Abhijit Menon-Sen)
psql:
Allow psql to produce AsciiDoc output (Szymon Guz)
Add errors mode to psql's ECHO variable to display only failed commands (Pavel Stehule)
This can also be enabled with the psql -b option.
Provide separate column, header, and border linestyle control in psql's unicode linestyle (Pavel Stehule)
Single or double lines are supported; the default is single.
Add psql PROMPT variables option (%l) to display the multiline statement line number (Sawada Masahiko)
Add psql setting pager_min_lines to control pager invocation (Andrew Dunstan)
Improve psql line counting used when deciding to invoke the pager (Andrew Dunstan)
Add psql tab completion when setting the search_path variable (Jeff Janes)
Currently only the first schema can be tab-completed.
Improve psql's tab completion for triggers and rules (Andreas Karlsson)
Backslash Commands:
Add psql \? help sections variables and options (Pavel Stehule)
variables outputs psql variables and options shows command-line options. \? commands is the default output. This help information can also be output via --help=section.
Show tablespace size in psql's \db+ (Fabrízio de Royes Mello)
Show data type owners in psql's \dT+ (Magnus Hagander)
Allow psql's \watch to output \timing information (Fujii Masao)
Also prevent --echo-hidden from echoing \watch queries.
Allow psql's \sf and \ef to honor ECHO_HIDDEN (Andrew Dunstan)
Improve psql tab completion for \set, \unset, and :variable names (Pavel Stehule)
Allow tab completion of role names in psql \c commands (Ian Barwick)
pg_dump:
Allow pg_dump to share a snapshot taken by another session using --snapshot (Simon Riggs, Michael Paquier)
The remote snapshot must have been exported by pg_export_snapshot() or logical replication slot creation. This can be used by another pg_dump to use a share a consistent snapshot across pg_dump processes.
Always have pg_dump print server and pg_dump versions (Jing Wang)
Previously, version information was only printed in --verbose mode.
Remove the long-ignored -i/--ignore-version option from pg_dump, pg_dumpall, and pg_restore (Fujii Masao)
pg_ctl:
Allow multiple pg_ctl -o options to be appended (Bruce Momjian)
Allow control of pg_ctl's event source logging on MS Windows (MauMau)
This only controls pg_ctl, not the server, which has separate settings in postgresql.conf.
pg_upgrade:
Move pg_upgrade from contrib to src/bin (Peter Eisentraut)
In connection with this change, the functionality previously provided by the pg_upgrade_support module has been moved into the core server.
Allow multiple pg_upgrade -o/-O options to be appended (Bruce Momjian)
Improve database collation comparisons in pg_upgrade (Heikki Linnakangas)
Document the use of rsync for standby server upgrades using pg_upgrade (Stephen Frost, Bruce Momjian)
Remove support for upgrading from 8.3 clusters (Bruce Momjian)
pgbench:
Move pgbench from contrib to src/bin (Peter Eisentraut)
Fix calculation of TPS number "excluding connections establishing" (Tatsuo Ishii, Fabien Coelho)
The overhead for connection establishment was miscalculated whenever the number of pgbench threads was less than the number of client connections. Although this is clearly a bug, we won't back-patch it into pre-9.5 branches since it makes TPS numbers not comparable to previous results.
Allow counting of pgbench transactions that take over a specified amount of time (Fabien Coelho)
This is controlled by new --latency-limit option.
Allow pgbench to generate Gaussian/exponential distributions using \setrandom (Kondo Mitsumasa, Fabien Coelho)
Allow pgbench's \set command to handle multi-operator expressions (Robert Haas, Fabien Coelho)
Source Code:
Simplify WAL record format (Heikki Linnakangas)
This allows external tools to more easily track what blocks are modified.
Add atomic memory operations API (Andres Freund)
Allow custom path and scan methods (KaiGai Kohei, Tom Lane)
This allows extensions greater control over the optimizer and executor.
Allow foreign data wrappers to do post-filter locking (Etsuro Fujita)
Foreign tables can now take part in INSERT ... ON CONFLICT DO NOTHING queries (Peter Geoghegan, Heikki Linnakangas, Andres Freund)
Foreign data wrappers must be modified to handle this. INSERT ... ON CONFLICT DO UPDATE is not supported on foreign tables.
Improve hash_create()'s API for selecting simple-binary-key hash functions (Teodor Sigaev, Tom Lane)
Improve parallel execution infrastructure (Robert Haas, Amit Kapila, Noah Misch, Rushabh Lathia, Jeevan Chalke)
Remove Alpha (CPU) and Tru64 (OS) ports (Andres Freund)
Remove swap-byte-based spinlock implementation for ARMv5 and earlier CPUs (Robert Haas)
ARMv5's weak memory ordering made this locking implementation unsafe. Spinlock support is still possible on newer gcc implementations with atomics support.
Generate an error when excessively long (100+ character) file paths are written to tar files (Peter Eisentraut)
Tar does not support such overly-long paths.
Change index operator class for columns pg_seclabel.provider and pg_shseclabel.provider to be text_pattern_ops (Tom Lane)
This avoids possible problems with these indexes when different databases of a cluster have different default collations.
Change the spinlock primitives to function as compiler barriers (Robert Haas)
MS Windows:
Allow higher-precision time stamp resolution on Windows 8 or Windows Server 2012 and later Windows systems (Craig Ringer)
Install shared libraries to bin in MS Windows (Peter Eisentraut, Michael Paquier)
Install src/test/modules together with contrib on MSVC builds (Michael Paquier)
Allow configure's --with-extra-version to be honored by the MSVC build (Michael Paquier)
Pass PGFILEDESC into MSVC contrib builds (Michael Paquier)
Add icons to all MSVC-built binaries and version information to all MS Windows binaries (Noah Misch)
MinGW already had such icons.
Add optional-argument support to the internal getopt_long() implementation (Michael Paquier, Andres Freund)
This is used by the MSVC build.
Additional Modules:
Add statistics for minimum, maximum, mean, and standard deviation times to pg_stat_statements (Mitsumasa Kondo, Andrew Dunstan)
Add pgcrypto function pgp_armor_headers() to extract PGP armor headers (Marko Tiikkaja, Heikki Linnakangas)
Allow empty replacement strings in unaccent (Mohammad Alhashash)
This is useful in languages where diacritic signs are represented as separate characters.
Allow multicharacter source strings in unaccent (Tom Lane)
This could be useful in languages where diacritic signs are represented as separate characters. It also allows more complex unaccent dictionaries.
Add contrib modules tsm_system_rows and tsm_system_time to allow additional table sampling methods (Petr Jelínek)
Add GIN index inspection functions to pageinspect (Heikki Linnakangas, Peter Geoghegan, Michael Paquier)
Add information about buffer pins to pg_buffercache display (Andres Freund)
Allow pgstattuple to report approximate answers with less overhead using pgstattuple_approx() (Abhijit Menon-Sen)
Move dummy_seclabel, test_shm_mq, test_parser, and worker_spi from contrib to src/test/modules (Álvaro Herrera)
These modules are only meant for server testing, so they do not need to be built or installed when packaging PostgreSQL.

New in PostgreSQL 9.4.5 (Oct 8, 2015)

A dump/restore is not required for those running 9.4.X.
However, if you are upgrading from a version earlier than 9.4.4, see Section E.2.
CHANGES:
Guard against stack overflows in json parsing (Oskari Saarenmaa)
If an application constructs PostgreSQL json or jsonb values from arbitrary user input, the application's users can reliably crash the PostgreSQL server, causing momentary denial of service. (CVE-2015-5289)
Fix contrib/pgcrypto to detect and report too-short crypt() salts (Josh Kupershmidt)
Certain invalid salt arguments crashed the server or disclosed a few bytes of server memory. We have not ruled out the viability of attacks that arrange for presence of confidential information in the disclosed bytes, but they seem unlikely. (CVE-2015-5288)
Fix subtransaction cleanup after a portal (cursor) belonging to an outer subtransaction fails (Tom Lane, Michael Paquier)
A function executed in an outer-subtransaction cursor could cause an assertion failure or crash by referencing a relation created within an inner subtransaction.
Fix possible deadlock during WAL insertion when commit_delay is set (Heikki Linnakangas)
Ensure all relations referred to by an updatable view are properly locked during an update statement (Dean Rasheed)
Fix insertion of relations into the relation cache "init file" (Tom Lane)
An oversight in a patch in the most recent minor releases caused pg_trigger_tgrelid_tgname_index to be omitted from the init file. Subsequent sessions detected this, then deemed the init file to be broken and silently ignored it, resulting in a significant degradation in session startup time. In addition to fixing the bug, install some guards so that any similar future mistake will be more obvious.
Avoid O(N^2) behavior when inserting many tuples into a SPI query result (Neil Conway)
Improve LISTEN startup time when there are many unread notifications (Matt Newell)
Fix performance problem when a session alters large numbers of foreign key constraints (Jan Wieck, Tom Lane)
This was seen primarily when restoring pg_dump output for databases with many thousands of tables.
Disable SSL renegotiation by default (Michael Paquier, Andres Freund)
While use of SSL renegotiation is a good idea in theory, we have seen too many bugs in practice, both in the underlying OpenSSL library and in our usage of it. Renegotiation will be removed entirely in 9.5 and later. In the older branches, just change the default value of ssl_renegotiation_limit to zero (disabled).
Lower the minimum values of the *_freeze_max_age parameters (Andres Freund)
This is mainly to make tests of related behavior less time-consuming, but it may also be of value for installations with limited disk space.
Limit the maximum value of wal_buffers to 2GB to avoid server crashes (Josh Berkus)
Avoid logging complaints when a parameter that can only be set at server start appears multiple times in postgresql.conf, and fix counting of line numbers after an include_dir directive (Tom Lane)
Fix rare internal overflow in multiplication of numeric values (Dean Rasheed)
Guard against hard-to-reach stack overflows involving record types, range types, json, jsonb, tsquery, ltxtquery and query_int (Noah Misch)
Fix handling of DOW and DOY in datetime input (Greg Stark)
These tokens aren't meant to be used in datetime values, but previously they resulted in opaque internal error messages rather than "invalid input syntax".
Add more query-cancel checks to regular expression matching (Tom Lane)
Add recursion depth protections to regular expression, SIMILAR TO, and LIKE matching (Tom Lane)
Suitable search patterns and a low stack depth limit could lead to stack-overrun crashes.
Fix potential infinite loop in regular expression execution (Tom Lane)
A search pattern that can apparently match a zero-length string, but actually doesn't match because of a back reference, could lead to an infinite loop.
In regular expression execution, correctly record match data for capturing parentheses within a quantifier even when the match is zero-length (Tom Lane)
Fix low-memory failures in regular expression compilation (Andreas Seltenreich)
Fix low-probability memory leak during regular expression execution (Tom Lane)
Fix rare low-memory failure in lock cleanup during transaction abort (Tom Lane)
Fix "unexpected out-of-memory situation during sort" errors when using tuplestores with small work_mem settings (Tom Lane)
Fix very-low-probability stack overrun in qsort (Tom Lane)
Fix "invalid memory alloc request size" failure in hash joins with large work_mem settings (Tomas Vondra, Tom Lane)
Fix assorted planner bugs (Tom Lane)
These mistakes could lead to incorrect query plans that would give wrong answers, or to assertion failures in assert-enabled builds, or to odd planner errors such as "could not devise a query plan for the given query", "could not find pathkey item to sort", "plan should not reference subplan's variable", or "failed to assign all NestLoopParams to plan nodes". Thanks are due to Andreas Seltenreich and Piotr Stefaniak for fuzz testing that exposed these problems.
Improve planner's performance for UPDATE/DELETE on large inheritance sets (Tom Lane, Dean Rasheed)
Ensure standby promotion trigger files are removed at postmaster startup (Michael Paquier, Fujii Masao)
This prevents unwanted promotion from occurring if these files appear in a database backup that is used to initialize a new standby server.
During postmaster shutdown, ensure that per-socket lock files are removed and listen sockets are closed before we remove the postmaster.pid file (Tom Lane)
This avoids race-condition failures if an external script attempts to start a new postmaster as soon as pg_ctl stop returns.
Ensure that the postmaster does not exit until all its child processes are gone, even in an immediate shutdown (Tom Lane)
Like the previous item, this avoids possible race conditions against a subsequently-started postmaster.
Fix postmaster's handling of a startup-process crash during crash recovery (Tom Lane)
If, during a crash recovery cycle, the startup process crashes without having restored database consistency, we'd try to launch a new startup process, which typically would just crash again, leading to an infinite loop.
Make emergency autovacuuming for multixact wraparound more robust (Andres Freund)
Do not print a WARNING when an autovacuum worker is already gone when we attempt to signal it, and reduce log verbosity for such signals (Tom Lane)
Prevent autovacuum launcher from sleeping unduly long if the server clock is moved backwards a large amount (Álvaro Herrera)
Ensure that cleanup of a GIN index's pending-insertions list is interruptable by cancel requests (Jeff Janes)
Allow all-zeroes pages in GIN indexes to be reused (Heikki Linnakangas)
Such a page might be left behind after a crash.
Fix handling of all-zeroes pages in SP-GiST indexes (Heikki Linnakangas)
VACUUM attempted to recycle such pages, but did so in a way that wasn't crash-safe.
Fix off-by-one error that led to otherwise-harmless warnings about "apparent wraparound" in subtrans/multixact truncation (Thomas Munro)
Fix misreporting of CONTINUE and MOVE statement types in PL/pgSQL's error context messages (Pavel Stehule, Tom Lane)
Fix PL/Perl to handle non-ASCII error message texts correctly (Alex Hunsaker)
Fix PL/Python crash when returning the string representation of a record result (Tom Lane)
Fix some places in PL/Tcl that neglected to check for failure of malloc() calls (Michael Paquier, Álvaro Herrera)
In contrib/isn, fix output of ISBN-13 numbers that begin with 979 (Fabien Coelho)
EANs beginning with 979 (but not 9790) are considered ISBNs, but they must be printed in the new 13-digit format, not the 10-digit format.
Improve contrib/pg_stat_statements' handling of query-text garbage collection (Peter Geoghegan)
The external file containing query texts could bloat to very large sizes; once it got past 1GB attempts to trim it would fail, soon leading to situations where the file could not be read at all.
Improve contrib/postgres_fdw's handling of collation-related decisions (Tom Lane)
The main user-visible effect is expected to be that comparisons involving varchar columns will be sent to the remote server for execution in more cases than before.
Improve libpq's handling of out-of-memory conditions (Michael Paquier, Heikki Linnakangas)
Fix memory leaks and missing out-of-memory checks in ecpg (Michael Paquier)
Fix psql's code for locale-aware formatting of numeric output (Tom Lane)
The formatting code invoked by \pset numericlocale on did the wrong thing for some uncommon cases such as numbers with an exponent but no decimal point. It could also mangle already-localized output from the money data type.
Prevent crash in psql's \c command when there is no current connection (Noah Misch)
Make pg_dump handle inherited NOT VALID check constraints correctly (Tom Lane)
Fix selection of default zlib compression level in pg_dump's directory output format (Andrew Dunstan)
Ensure that temporary files created during a pg_dump run with tar-format output are not world-readable (Michael Paquier)
Fix pg_dump and pg_upgrade to support cases where the postgres or template1 database is in a non-default tablespace (Marti Raudsepp, Bruce Momjian)
Fix pg_dump to handle object privileges sanely when dumping from a server too old to have a particular privilege type (Tom Lane)
When dumping data types from pre-9.2 servers, and when dumping functions or procedural languages from pre-7.3 servers, pg_dump would produce GRANT/REVOKE commands that revoked the owner's grantable privileges and instead granted all privileges to PUBLIC. Since the privileges involved are just USAGE and EXECUTE, this isn't a security problem, but it's certainly a surprising representation of the older systems' behavior. Fix it to leave the default privilege state alone in these cases.
Fix pg_dump to dump shell types (Tom Lane)
Shell types (that is, not-yet-fully-defined types) aren't useful for much, but nonetheless pg_dump should dump them.
Fix assorted minor memory leaks in pg_dump and other client-side programs (Michael Paquier)
Fix pgbench's progress-report behavior when a query, or pgbench itself, gets stuck (Fabien Coelho)
Fix spinlock assembly code for Alpha hardware (Tom Lane)
Fix spinlock assembly code for PPC hardware to be compatible with AIX's native assembler (Tom Lane)
Building with gcc didn't work if gcc had been configured to use the native assembler, which is becoming more common.
On AIX, test the -qlonglong compiler option rather than just assuming it's safe to use (Noah Misch)
On AIX, use -Wl,-brtllib link option to allow symbols to be resolved at runtime (Noah Misch)
Perl relies on this ability in 5.8.0 and later.
Avoid use of inline functions when compiling with 32-bit xlc, due to compiler bugs (Noah Misch)
Use librt for sched_yield() when necessary, which it is on some Solaris versions (Oskari Saarenmaa)
Translate encoding UHC as Windows code page 949 (Noah Misch)
This fixes presentation of non-ASCII log messages from processes that are not attached to any particular database, such as the postmaster.
On Windows, avoid failure when doing encoding conversion to UTF16 outside a transaction, such as for log messages (Noah Misch)
Fix postmaster startup failure due to not copying setlocale()'s return value (Noah Misch)
This has been reported on Windows systems with the ANSI code page set to CP936 ("Chinese (Simplified, PRC)"), and may occur with other multibyte code pages.
Fix Windows install.bat script to handle target directory names that contain spaces (Heikki Linnakangas)
Make the numeric form of the PostgreSQL version number (e.g., 90405) readily available to extension Makefiles, as a variable named VERSION_NUM (Michael Paquier)
Update time zone data files to tzdata release 2015g for DST law changes in Cayman Islands, Fiji, Moldova, Morocco, Norfolk Island, North Korea, Turkey, and Uruguay. There is a new zone name America/Fort_Nelson for the Canadian Northern Rockies.

New in PostgreSQL 9.5.0 Alpha 2 (Aug 7, 2015)

New in PostgreSQL 9.5.0 Alpha 1 (Jul 2, 2015)

CHANGES:
Server:
Indexes:
Add Block Range Indexes (BRIN)
BRIN indexes are very compact and cheap to update by storing min/max values for a range of heap blocks.
Allow queries to perform accurate distance filtering of bounding-box-indexed objects (polygons, circles) using GiST indexes
Previously, a common table expression was required to return a large number of rows ordered by bounding-box distance, and then filtered further with a more accurate non-bounding-box distance calculation.
Allow GiST indexes to perform index-only scans
Add configuration parameter gin_pending_list_limit to control the size of GIN pending lists
Previously the list size was controlled by work_mem. This can also be set as an index storage parameter.
Issue a warning during the creation of hash indexes because they are not crash-safe
General Performance:
Improve the speed of sorting character and numeric fields
Extend the infrastructure that allows sorting to be performed by inlined, non-SQL-callable comparison functions to cover CREATE INDEX, REINDEX, and CLUSTER
Improve in-memory hash performance
Improve concurrency of shared buffer replacement
Reduce the number of page locks and pins during index scans
The primary benefit of this is to allow index vacuums to be blocked less often.
Make backend local tracking of buffer pins memory efficient
Previously each session allocated an array with space for every buffer in shared_buffers.
Improve lock scalability
This particularly addresses scalability problems when running on systems with multiple CPU sockets.
Allow the optimizer to remove unnecessary references to left outer join subqueries
Allow pushdown of query restrictions into window functions, where appropriate
Speed up CRC (cyclic redundancy check) computations
Improve bitmap index scan performance
Speed up CREATE INDEX by avoiding unneccessary memory copies
Monitoring:
Add per-table autovacuum logging control via log_min_autovacuum_duration
Add new configuration parameter cluster_name
This string, typically set in postgresql.conf, allows clients to identify the cluster. This name also appears in the process title of all server processes, allowing for easier identification of processes belonging to the same cluster.
Prevent non-superusers from changing log_disconnections on connection startup
SSL:
Check "Subject Alternative Names" in SSL server certificates, if present
When they are present, this replaces checks against the certificate's "Common Name".
Add system view pg_stat_ssl to report SSL connection information
Add libpq function PQsslAttribute() that returns SSL information
While PQgetssl() can still be used to call OpenSSL functions, PQsslAttribute() returns SSL information in an SSL-implementation-independent way. (Future versions of libpq might support other SSL implementations.)
Make libpq honor any OpenSSL thread callbacks
Previously they were overwritten.
Server Settings:
Replace configuration parameter checkpoint_segments with min_wal_size and max_wal_size
This allows the allocation of a large number of WAL files without keeping them if they are not needed. Thus the default for max_wal_size has been increased to 1GB.
Add configuration parameter wal_compression to control compression of full page images stored in WAL
Allow recording of transaction commit timestamps when configuration parameter track_commit_timestamp is enabled
Timestamp information can be accessed using functions pg_xact_commit_timestamp() and pg_last_committed_xact().
Allow local_preload_libraries to be set by ALTER ROLE SET
Allow running autovacuum workers to respond to configuration parameter changes
Make configuration parameter debug_assertions read-only
This means that assertions can no longer be turned off if they were enabled at compile time, allowing for more efficient code optimization. This change also removed the postgres -A option.
Allow setting effective_io_concurrency on systems where it has no effect
Add environment variables PG_OOM_ADJUST_FILE and PG_OOM_ADJUST_VALUE to help control the Linux OOM killer
The previous OOM control infrastructure involved a compile-time option.
Add system view pg_file_settings to show the contents of the server's configuration files
Add pending_restart to the system view pg_settings to indicate a change is pending a restart
Allow ALTER SYSTEM values to be reset with ALTER SYSTEM RESET
This command removes the setting from postgresql.auto.conf.
Replication and Recovery:
Add recovery.conf parameter recovery_target_action to control post-recovery activity
This replaces the old parameter pause_at_recovery_target.
Add new archive_mode value always to allow standbys to always archive received WAL files
Add configuration parameter wal_retrieve_retry_interval to control WAL read retry after failure
This is particularly helpful for warm standbys.
Archive WAL files with suffix .partial during standby promotion
Add configuration parameter log_replication_commands to log replication commands
By default, replication commands, e.g. IDENTIFY_SYSTEM, are not logged, even when log_statement is set to all.
Allow labeling of the origin of logical replication changes
This helps with change tracking.
Report the processes holding replication slots in pg_replication_slots
The new output column is active_pid.
Allow recovery.conf's primary_conninfo to use connection URIs, e.g. postgres://
Queries:
Allow INSERTS that would generate constraint conflicts to be turned into UPDATEs or ignored
The syntax is INSERT ... ON CONFLICT DO NOTHING/UPDATE. This is the Postgres implementation of the popular UPSERT command.
Add GROUP BY analysis functions GROUPING SETS, CUBE and ROLLUP
Allow to set multiple columns in an UPDATE to the result of a single subselect
This is accomplished using the syntax UPDATE tab SET (col1, col2, ...) = (SELECT ...).
Add new SELECT option SKIP LOCKED to skip locked rows
This does not throw an error for locked rows like NOWAIT does.
Add SELECT option TABLESAMPLE to return a subset of a table
Suggest possible matches for mistyped column names
Utility Commands:
Add more details about sort ordering in EXPLAIN output
Details include COLLATE, DESC, USING, and NULLS FIRST/LAST.
Have VACUUM log the number of pages skipped due to pins
Have TRUNCATE properly update the pg_stat* tuple counters
REINDEX:
Allow REINDEX to reindex an entire schema using the SCHEMA option
Add VERBOSE option to REINDEX
Prevent REINDEX DATABASE and SCHEMA from outputting object names, unless VERBOSE is used
Remove obsolete FORCE option from REINDEX
Object Manipulation:
Add row-level security control
This controls viewing and adding/modifying rows via new commands CREATE/ALTER/DROP POLICY and ALTER TABLE ... ENABLE/DISABLE ROW SECURITY.
Allow to convert a WAL logged table to an UNLOGGED one, and the other way round with ALTER TABLE .. SET LOGGED / UNLOGGED
Add IF NOT EXISTS clause to CREATE TABLE AS, CREATE INDEX, CREATE SEQUENCE, and CREATE MATERIALIZED VIEW
Add support for IF EXISTS to ALTER TABLE ... RENAME CONSTRAINT
Allow CURRENT/SESSION_USER to specify the current user in some commands
Commands include ALTER USER, ALTER GROUP, ALTER ROLE, GRANT, and various ALTER OBJECT / OWNER TO commands.
Allow comments on domain constraints
Reduce lock levels of some create and alter trigger and foreign key commands
Allow LOCK TABLE .. ROW EXCLUSIVE MODE for those with INSERT privileges
Previously only UPDATE, DELETE, and TRUNCATE privileges allowed this.
Apply table and domain CHECK constraints in name order
The previous order was indeterminate.
Allow CREATE/ALTER DATABASE to manipulate datistemplate and datallowconn
This allows these database settings to be changed more easily than modifying the pg_database system table.
CREATE FOREIGN DATA WRAPPER:
Add support for IMPORT FOREIGN SCHEMA
This command allows automatic creation of local foreign tables that match the structure of existing tables on a remote server.
Allow foreign tables to participate in inheritance
This also allows foreign tables to mark check constraints as not valid, and to set storage and OID characteristics.
Allow CHECK constraints to be placed on foreign tables
These constraints are assumed to be enforced on the remote server, and are not enforced locally. However, they are assumed to hold for purposes of query optimization, such as constraint exclusion.
Allow foreign data wrappers and custom scans to implement join pushdown
CREATE EVENT TRIGGER:
Add a set-returning function pg_event_trigger_ddl_commands(), which returns DDL activity associated with event triggers
Allow event triggers on table rewrites caused by ALTER TABLE
Add event trigger support for database-level COMMENT, SECURITY LABEL, and GRANT/REVOKE
Add columns to the output of pg_event_trigger_dropped_objects
This allows simpler processing of delete operations.
Data Types:
Allow the XML data type to accept empty or all-whitespace values
This is required by the SQL/XML specification.
Fix XML xpath() handling to return namespace declarations even if the namespace is in a parent element
Previously the namespace was not returned, potentially leading to invalid XML.
Allow MACADDR input using the format xxxx-xxxx-xxxx
Tighten syntax of INTERVAL precision specifications
Only allow interval precision to be specified after the INTERVAL keyword if no units are specified.
Add selectivity estimators for INET/CIDR operators and improve estimators for text search functions
JSON:
Add JSONB functions jsonb_set() and jsonb_pretty()
Add several generator functions for JSONB that already existed for JSON
These are to_jsonb(), jsonb_object(), jsonb_build_object(), jsonb_build_array(), jsonb_agg(), and jsonb_object_agg().
Reduce casting requirements to/from JSON and JSONB
Allow TEXT, TEXT array, and INTEGER values to be subtracted from JSONB documents
Add JSONB operator
Add json_strip_nulls() and jsonb_strip_nulls() functions to remove JSON null values from documents
Functions:
Add generate_series() for NUMERIC values
Allow array_agg() and ARRAY() to take arrays as inputs
Add functions array_position() and array_positions() to return subscripts of array values
Add point-to-polygon distance operator ()
Allow multi-byte characters as escape in SIMILAR TO and SUBSTRING
Previously, only a single-byte character was allowed as an escape.
Add a width_bucket() variant that supports any sortable data type and non-uniform bucket widths
Allow => to specify named parameters in function calls
Previously only := could be used. This requires removing the possibility for => to be a user-defined operator. Creation of user-defined => operators has been issuing warnings since Postgres 9.0.
Add POSIX-compliant rounding for platforms that use Postgres-supplied rounding functions
System Information Functions and Views:
Add function pg_get_object_address() to return OIDs that uniquely identify an object
Add function pg_identify_object_as_address() to return object information based on OIDs
Loosen security checks for viewing queries in pg_stat_activity, executing pg_cancel_backend(), and executing pg_terminate_backend()
Now, role membership is sufficient; previously only the same role could perform these operations.
Add pg_stat_get_snapshot_timestamp() to output the timestamp of the statistics snapshot
This represents the last time the snapshot files was written to the file system.
Add mxid_age() to compute multi-xid age
Add data types regrole regnamespace that returns the OID of a role
Aggregates:
Add MIN()/MAX() aggregates for INET/CIDR data types
Use 128-bit integers, where supported, as aggregate accumulators
Server-Side Languages:
Improve support for composite types in PL/Python
This allows PL/Python functions to return arrays of composite types.
Reduce lossiness of PL/Python floating value conversions
Allow specification of conversion routines between SQL data types and data types of procedural languages
This change adds new commands CREATE/DROP TRANSFORM. This also adds optional transformations between the hstore and ltree types to/from PL/Perl and PL/Python.
PL/pgSQL Server-Side Language:
Improve PL/pgSQL array performance
Add ASSERT statement in PL/pgSQL
Allow more PL/pgSQL keywords to be used as identifiers
Client Applications:
Move pg_archivecleanup, pg_test_fsync, pg_test_timing, and pg_xlogdump from contrib to src/bin
Add pg_rewind, which allows re-synchronizing a master server after failback
Allow pg_receivexlog to manage physical replication slots
This is controlled via new --create-slot and --drop-slot options.
Allow the pg_receivexlog to synchronously flush WAL to storage using --synchronous
Without this, WAL files are fsynced only on close.
Allow vacuumdb to vacuum in parallel using --jobs
Add --verbose option to reindexdb
Make pg_basebackup use a tablespace mapping file when using tar format, to support symbolic links and file paths of 100+ characters in length on MS Windows
Add pg_xlogdump option --stats to display summary statistics
psql:
Allow psql to produce AsciiDoc output
Add errors mode to psql's ECHO variable to display only failed commands
This can also be enabled with the psql -b option.
Allow column, header, and border control to psql's Unicode style
Single or double output is supported; the default is single.
Add psql PROMPT variables option (%l) to display the multi-line statement line number
Add psql setting pager_min_lines to control pager invocation
Improve psql line counting used when deciding to invoke the pager
Add psql tab completion when setting the search_path variable
Currently only the first schema can be tab-completed.
Improve psql's tab completion for triggers and rules
Backslash Commands:
Add psql \? help sections variables and options
variables outputs psql variables and options shows command-line options. \? commands is the default output. This help information can also be output via --help=section.
Show tablespace size in psql's \db+
Show data type owners in psql's \dT+
Allow psql's \watch to output \timing information
Also prevent --echo-hidden from echoing \watch queries.
Allow psql's \sf and \ef to honor ECHO_HIDDEN
Improve psql tab completion for \set, \unset, and :variable names
Allow tab completion of role names in psql \c commands
pg_dump
Allow pg_dump to share a snapshot taken by another session using --snapshot
The remote snapshot must have been exported by pg_export_snapshot() or been defined when creating a logical replication slot. This can be used by parallel pg_dump to use a consistent snapshot across pg_dump processes.
Always have pg_dump print server and pg_dump versions
Previously, version information was only printed in --verbose mode.
pg_ctl:
Change pg_ctl's default shutdown mode from smart to fast
Allow multiple pg_ctl -o options to be appended
Allow control of pg_ctl's event source logging on MS Windows
This only controls pg_ctl, not the server, which has separate settings in postgresql.conf.
pg_upgrade:
Move pg_upgrade from contrib to src/bin
In connection with this change, the functionality previously provided by the pg_upgrade_support module has been moved into the core server.
Allow multiple pg_upgrade -o/-O options to be appended
Improve database collation comparisons in pg_upgrade
Document the use of rsync for standby server upgrades using pg_upgrade
Remove support for upgrading from 8.3 clusters
pgbench:
Move pgbench from contrib to src/bin
Allow counting of pgbench transactions that take over a specified amount of time
This is controlled by new --latency-limit option.
Allow pgbench to generate Gaussian/exponential distributions using \setrandom
Allow pgbench's \set command to handle multi-operator expressions
Source Code:
Simplify WAL record format
This allows external tools to more easily track what blocks are modified.
Add atomic memory operations API
Allow custom path and scan methods
This allows extensions greater control over the optimizer and executor.
Allow foreign data wrappers to do post-filter locking
Improve hash_create()'s API for selecting simple-binary-key hash functions
Improve parallel execution infrastructure
Remove Alpha (CPU) and Tru64 (OS) ports
Remove swap-byte-based spinlock implementation for ARMv5 and earlier CPUs
ARMv5's weak memory ordering made this locking implementation unsafe. Spinlock support is still possible on newer gcc implementations with atomics support.
Generate an error when excessively long (100+ character) file paths are written to tar files
Tar does not support such overly-long paths.
Change index opclass for columns pg_seclabel.provider and pg_shseclabel.provider to be text_pattern_ops
This avoids possible problems with these indexes when different databases of a cluster have different default collations.
Change the spinlock primitives to function as compiler barriers
MS Windows:
Allow higher-precision timestamp resolution on Windows 8 or Windows Server 2012 and later Windows systems
Install shared libraries to bin in MS Windows
Install src/test/modules together with contrib on MSVC builds
Allow configure's --with-extra-version to be honored by the MSVC build Pass PGFILEDESC into MSVC contrib builds
Add icons to all MSVC-built binaries and version information to all MS Windows binaries
MinGW already had such icons.
Add optional-argument support to the internal getopt_long() implementation
This is used by the MSVC build.
Additional Modules:
Add statistics for minimum, maximum, mean, and standard deviation times to pg_stat_statements
Add pgcrypto function pgp_armor_headers() to extract PGP armor headers
Allow empty replacement strings in unaccent
This is useful in languages where diacritic signs are represented as separate characters.
Allow multi-character source strings in unaccent
This could be useful in languages where diacritic signs are represented as separate characters. It also allows more complex unaccent dictionaries.
Add contrib modules tsm_system_rows and tsm_system_time to allow additional table sampling methods
Add GIN index inspection functions to pageinspect
Add information about buffer pins to pg_buffercache display
Allow pgstattuple to report approximate answers with less overhead using pgstattuple_approx()
Move dummy_seclabel, test_shm_mq, test_parser, and worker_spi from contrib to src/test/modules
These modules are only meant for server testing, so they do not need to be built or installed when packaging PostgreSQL.

New in PostgreSQL 9.4.4 (Jun 13, 2015)

Changes:
Fix possible failure to recover from an inconsistent database state
Recent PostgreSQL releases introduced mechanisms to protect against multixact wraparound, but some of that code did not account for the possibility that it would need to run during crash recovery, when the database may not be in a consistent state. This could result in failure to restart after a crash, or failure to start up a secondary server. The lingering effects of a previously-fixed bug in pg_upgrade could also cause such a failure, in installations that had used pg_upgrade versions between 9.3.0 and 9.3.4.
The pg_upgrade bug in question was that it would set oldestMultiXid to 1 in pg_control even if the true value should be higher. With the fixes introduced in this release, such a situation will result in immediate emergency autovacuuming until a correct oldestMultiXid value can be determined. If that would pose a hardship, users can avoid it by doing manual vacuuming before upgrading to this release.
In detail
Check whether pg_controldata reports "Latest checkpoint's oldestMultiXid" to be 1. If not, there's nothing to do.
Look in PGDATA/pg_multixact/offsets to see if there's a file named 0000. If there is, there's nothing to do.
Otherwise, for each table that has pg_class.relminmxid equal to 1, VACUUM that table with both vacuum_multixact_freeze_min_age and vacuum_multixact_freeze_table_age set to zero. (You can use the vacuum cost delay parameters described in Section 18.4.4 to reduce the performance consequences for concurrent sessions.)
Fix rare failure to invalidate relation cache init file
With just the wrong timing of concurrent activity, a VACUUM FULL on a system catalog might fail to update the "init file" that's used to avoid cache-loading work for new sessions. This would result in later sessions being unable to access that catalog at all. This is a very ancient bug, but it's so hard to trigger that no reproducible case had been seen until recently.
Avoid deadlock between incoming sessions and CREATE/DROP DATABASE
A new session starting in a database that is the target of a DROP DATABASE command, or is the template for a CREATE DATABASE command, could cause the command to wait for five seconds and then fail, even if the new session would have exited before that.
Improve planner's cost estimates for semi-joins and anti-joins with inner indexscans
This type of plan is quite cheap when all the join clauses are used as index scan conditions, even if the inner scan would nominally fetch many rows, because the executor will stop after obtaining one row. The planner only partially accounted for that effect, and would therefore overestimate the cost, leading it to possibly choose some other much less efficient plan type.

New in PostgreSQL 9.4.3.1 (Jun 4, 2015)

New in PostgreSQL 9.4.2.1 (May 23, 2015)

Migration to Version 9.4.2:
A dump/restore is not required for those running 9.4.X.
However, if you use contrib/citext's regexp_matches() functions, see the changelog entry below about that.
Also, if you are upgrading from a version earlier than 9.4.1, see Section E.2.
Changes:
Avoid possible crash when client disconnects just before the authentication timeout expires
If the timeout interrupt fired partway through the session shutdown sequence, SSL-related state would be freed twice, typically causing a crash and hence denial of service to other sessions. Experimentation shows that an unauthenticated remote attacker could trigger the bug somewhat consistently, hence treat as security issue.
Improve detection of system-call failures
Our replacement implementation of snprintf() failed to check for errors reported by the underlying system library calls; the main case that might be missed is out-of-memory situations. In the worst case this might lead to information exposure, due to our code assuming that a buffer had been overwritten when it hadn't been. Also, there were a few places in which security-relevant calls of other system library functions did not check for failure.
It remains possible that some calls of the *printf() family of functions are vulnerable to information disclosure if an out-of-memory error occurs at just the wrong time. We judge the risk to not be large, but will continue analysis in this area.
In contrib/pgcrypto, uniformly report decryption failures as "Wrong key or corrupt data"
Previously, some cases of decryption with an incorrect key could report other error message texts. It has been shown that such variance in error reports can aid attackers in recovering keys from other systems. While it's unknown whether pgcrypto's specific behaviors are likewise exploitable, it seems better to avoid the risk by using a one-size-fits-all message.
Protect against wraparound of multixact member IDs
Under certain usage patterns, the existing defenses against this might be insufficient, allowing pg_multixact/members files to be removed too early, resulting in data loss. The fix for this includes modifying the server to fail transactions that would result in overwriting old multixact member ID data, and improving autovacuum to ensure it will act proactively to prevent multixact member ID wraparound, as it does for transaction ID wraparound.
Fix incorrect declaration of contrib/citext's regexp_matches() functions
These functions should return setof text[], like the core functions they are wrappers for; but they were incorrectly declared as returning just text[]. This mistake had two results: first, if there was no match you got a scalar null result, whereas what you should get is an empty set (zero rows). Second, the g flag was effectively ignored, since you would get only one result array even if there were multiple matches.
While the latter behavior is clearly a bug, there might be applications depending on the former behavior; therefore the function declarations will not be changed by default until PostgreSQL 9.5. In pre-9.5 branches, the old behavior exists in version 1.0 of the citext extension, while we have provided corrected declarations in version 1.1 (which is not installed by default). To adopt the fix in pre-9.5 branches, execute ALTER EXTENSION citext UPDATE TO '1.1' in each database in which citext is installed. (You can also "update" back to 1.0 if you need to undo that.) Be aware that either update direction will require dropping and recreating any views or rules that use citext's regexp_matches() functions.
Render infinite dates and timestamps as infinity when converting to json, rather than throwing an error
Fix json/jsonb's populate_record() and to_record() functions to handle empty input properly
Fix incorrect checking of deferred exclusion constraints after a HOT update
If a new row that potentially violates a deferred exclusion constraint is HOT-updated (that is, no indexed columns change and the row can be stored back onto the same table page) later in the same transaction, the exclusion constraint would be reported as violated when the check finally occurred, even if the row(s) the new row originally conflicted with had been deleted.
Fix behavior when changing foreign key constraint deferrability status with ALTER TABLE ... ALTER CONSTRAINT
Operations later in the same session or concurrent sessions might not honor the status change promptly.
Fix planning of star-schema-style queries
Sometimes, efficient scanning of a large table requires that index parameters be provided from more than one other table (commonly, dimension tables whose keys are needed to index a large fact table). The planner should be able to find such plans, but an overly restrictive search heuristic prevented it.
Prevent improper reordering of antijoins (NOT EXISTS joins) versus other outer joins
This oversight in the planner has been observed to cause "could not find RelOptInfo for given relids" errors, but it seems possible that sometimes an incorrect query plan might get past that consistency check and result in silently-wrong query output.
Fix incorrect matching of subexpressions in outer-join plan nodes
Previously, if textually identical non-strict subexpressions were used both above and below an outer join, the planner might try to re-use the value computed below the join, which would be incorrect because the executor would force the value to NULL in case of an unmatched outer row.
Fix GEQO planner to cope with failure of its join order heuristic (Tom Lane)
This oversight has been seen to lead to "failed to join all relations together" errors in queries involving LATERAL, and that might happen in other cases as well.
Ensure that row locking occurs properly when the target of an UPDATE or DELETE is a security-barrier view
Use a file opened for read/write when syncing replication slot data during database startup
On some platforms, the previous coding could result in errors like "could not fsync file "pg_replslot/...": Bad file descriptor".
Fix possible deadlock at startup when max_prepared_transactions is too small
Don't archive useless preallocated WAL files after a timeline switch
Recursively fsync() the data directory after a crash
This ensures consistency if another crash occurs shortly later. (The second crash would have to be a system-level crash, not just a database crash, for there to be a problem.)
Fix autovacuum launcher's possible failure to shut down, if an error occurs after it receives SIGTERM
Fix failure to handle invalidation messages for system catalogs early in session startup
This oversight could result in failures in sessions that start concurrently with a VACUUM FULL on a system catalog.
Fix crash in BackendIdGetTransactionIds() when trying to get status for a backend process that just exited
Cope with unexpected signals in LockBufferForCleanup()
This oversight could result in spurious errors about "multiple backends attempting to wait for pincount 1".
Fix crash when doing COPY IN to a table with check constraints that contain whole-row references
The known failure case only crashes in 9.4 and up, but there is very similar code in 9.3 and 9.2, so back-patch those branches as well.
Avoid waiting for WAL flush or synchronous replication during commit of a transaction that was read-only so far as the user is concerned
Previously, a delay could occur at commit in transactions that had written WAL due to HOT page pruning, leading to undesirable effects such as sessions getting stuck at startup if all synchronous replicas are down. Sessions have also been observed to get stuck in catchup interrupt processing when using synchronous replication; this will fix that problem as well.
Avoid busy-waiting with short recovery_min_apply_delay values
Fix crash when manipulating hash indexes on temporary tables
Fix possible failure during hash index bucket split, if other processes are modifying the index concurrently
Fix memory leaks in GIN index vacuum
Check for interrupts while analyzing index expressions
ANALYZE executes index expressions many times; if there are slow functions in such an expression, it's desirable to be able to cancel the ANALYZE before that loop finishes.
Ensure tableoid of a foreign table is reported correctly when a READ COMMITTED recheck occurs after locking rows in SELECT FOR UPDATE, UPDATE, or DELETE
Add the name of the target server to object description strings for foreign-server user mappings
Include the schema name in object identity strings for conversions
Recommend setting include_realm to 1 when using Kerberos/GSSAPI/SSPI authentication
Without this, identically-named users from different realms cannot be distinguished. For the moment this is only a documentation change, but it will become the default setting in PostgreSQL 9.5.
Remove code for matching IPv4 pg_hba.conf entries to IPv4-in-IPv6 addresses
This hack was added in 2003 in response to a report that some Linux kernels of the time would report IPv4 connections as having IPv4-in-IPv6 addresses. However, the logic was accidentally broken in 9.0. The lack of any field complaints since then shows that it's not needed anymore. Now we have reports that the broken code causes crashes on some systems, so let's just remove it rather than fix it. (Had we chosen to fix it, that would make for a subtle and potentially security-sensitive change in the effective meaning of IPv4 pg_hba.conf entries, which does not seem like a good thing to do in minor releases.)
Fix status reporting for terminated background workers that were never actually started
After a database crash, don't restart background workers that are marked BGW_NEVER_RESTART
Report WAL flush, not insert, position in IDENTIFY_SYSTEM replication command
This avoids a possible startup failure in pg_receivexlog.
While shutting down service on Windows, periodically send status updates to the Service Control Manager to prevent it from killing the service too soon; and ensure that pg_ctl will wait for shutdown
Reduce risk of network deadlock when using libpq's non-blocking mode
When sending large volumes of data, it's important to drain the input buffer every so often, in case the server has sent enough response data to cause it to block on output. (A typical scenario is that the server is sending a stream of NOTICE messages during COPY FROM STDIN.) This worked properly in the normal blocking mode, but not so much in non-blocking mode. We've modified libpq to opportunistically drain input when it can, but a full defense against this problem requires application cooperation: the application should watch for socket read-ready as well as write-ready conditions, and be sure to call PQconsumeInput() upon read-ready.
In libpq, fix misparsing of empty values in URI connection strings
Fix array handling in ecpg
Fix psql to sanely handle URIs and conninfo strings as the first parameter to \connect
This syntax has been accepted (but undocumented) for a long time, but previously some parameters might be taken from the old connection instead of the given string, which was agreed to be undesirable.
Suppress incorrect complaints from psql on some platforms that it failed to write ~/.psql_history at exit
This misbehavior was caused by a workaround for a bug in very old (pre-2006) versions of libedit. We fixed it by removing the workaround, which will cause a similar failure to appear for anyone still using such versions of libedit. Recommendation: upgrade that library, or use libreadline.
Fix pg_dump's rule for deciding which casts are system-provided casts that should not be dumped
In pg_dump, fix failure to honor -Z compression level option together with -Fd
Make pg_dump consider foreign key relationships between extension configuration tables while choosing dump order
This oversight could result in producing dumps that fail to reload because foreign key constraints are transiently violated.
Avoid possible pg_dump failure when concurrent sessions are creating and dropping temporary functions
Fix dumping of views that are just VALUES(...) but have column aliases
Ensure that a view's replication identity is correctly set to nothing during dump/restore
Previously, if the view was involved in a circular dependency, it might wind up with an incorrect replication identity property.
In pg_upgrade, force timeline 1 in the new cluster
This change prevents upgrade failures caused by bogus complaints about missing WAL history files.
In pg_upgrade, check for improperly non-connectable databases before proceeding
In pg_upgrade, quote directory paths properly in the generated delete_old_cluster script
In pg_upgrade, preserve database-level freezing info properly
This oversight could cause missing-clog-file errors for tables within the postgres and template1 databases.
Run pg_upgrade and pg_resetxlog with restricted privileges on Windows, so that they don't fail when run by an administrator
Improve handling of readdir() failures when scanning directories in initdb and pg_basebackup
Fix slow sorting algorithm in contrib/intarray
Fix compile failure on Sparc V8 machines
Silence some build warnings on OS X
Update time zone data files to tzdata release 2015d for DST law changes in Egypt, Mongolia, and Palestine, plus historical changes in Canada and Chile. Also adopt revised zone abbreviations for the America/Adak zone (HST/HDT not HAST/HADT).

New in PostgreSQL 9.4.0.1 (Dec 20, 2014)

Server:
Allow background worker processes to be dynamically registered, started and terminated
The new worker_spi module shows an example of use of this feature.
Allow dynamic allocation of shared memory segments
This feature is illustrated in the test_shm_mq module.
During crash recovery or immediate shutdown, send uncatchable termination signals (SIGKILL) to child processes that do not shut down promptly
This reduces the likelihood of leaving orphaned child processes behind after postmaster shutdown, as well as ensuring that crash recovery can proceed if some child processes have become "stuck".
Improve randomness of the database system identifier
Make VACUUM properly report dead but not-yet-removable rows to the statistics collector
Previously these were reported as live rows.
Indexes:
Reduce GIN index size
Indexes upgraded via pg_upgrade will work fine but will still be in the old, larger GIN format. Use REINDEX to recreate old GIN indexes in the new format
Improve speed of multi-key GIN lookups
Add GiST index support for inet and cidr data types
Such indexes improve subnet and supernet lookups and ordering comparisons
Fix rare race condition in B-tree page deletion
Make the handling of interrupted B-tree page splits more robust
General Performance:
Allow multiple backends to insert into WAL buffers concurrently
This improves parallel write performance.
Conditionally write only the modified portion of updated rows to WAL
Improve performance of aggregate functions used as window functions
Improve speed of aggregates that use numeric state values
Attempt to freeze tuples when tables are rewritten with CLUSTER or VACUUM FULL
This can avoid the need to freeze the tuples in the future.
Improve speed of COPY with default nextval() columns
Improve speed of accessing many different sequences in the same session
Raise hard limit on the number of tuples held in memory during sorting and B-tree index builds
Reduce memory allocated by PL/pgSQL DO blocks
Make the planner more aggressive about extracting restriction clauses from mixed AND/OR clauses
Disallow pushing volatile WHERE clauses down into DISTINCT subqueries
Pushing down a WHERE clause can produce a more efficient plan overall, but at the cost of evaluating the clause more often than is implied by the text of the query; so don't do it if the clause contains any volatile functions.
Auto-resize the catalog caches
This reduces memory consumption for sessions accessing only a few tables, and improves performance for sessions accessing many tables.
Monitoring:
Add pg_stat_archiver system view to report WAL archiver activity
Add n_mod_since_analyze columns to pg_stat_all_tables and related system views
These columns expose the system's estimate of the number of changed tuples since the table's last ANALYZE. This estimate drives decisions about when to auto-analyze.
Add backend_xid and backend_xmin columns to the system view pg_stat_activity, and a backend_xmin column to pg_stat_replication
SSL:
Add support for SSL ECDH key exchange
This allows use of Elliptic Curve keys for server authentication. Such keys are faster and have better security than RSA keys. The new configuration parameter ssl_ecdh_curve controls which curve is used for ECDH.
Improve the default ssl_ciphers setting
By default, the server not the client now controls the preference order of SSL ciphers
Previously, the order specified by ssl_ciphers was usually ignored in favor of client-side defaults, which are not configurable in most PostgreSQL clients. If desired, the old behavior can be restored via the new configuration parameter ssl_prefer_server_ciphers.
Make log_connections show SSL encryption information (Andreas Kunert)
Improve SSL renegotiation handling
Server Settings:
Add new SQL command ALTER SYSTEM for changing postgresql.conf configuration file entries
Previously such settings could only be changed by manually editing postgresql.conf.
Add autovacuum_work_mem configuration parameter to control the amount of memory used by autovacuum workers
Add huge_pages parameter to allow using huge memory pages on Linux
This can improve performance on large-memory systems.
Add max_worker_processes parameter to limit the number of background workers
This is helpful in configuring a standby server to have the required number of worker processes (the same as the primary).
Add superuser-only session_preload_libraries parameter to load libraries at session start
In contrast to local_preload_libraries, this parameter can load any shared library, not just those in the $libdir/plugins directory.
Add wal_log_hints parameter to enable WAL logging of hint-bit changes
Hint bit changes are not normally logged, except when checksums are enabled. This is useful for external tools like pg_rewind.
Increase the default settings of work_mem and maintenance_work_mem by four times
The new defaults are 4MB and 64MB respectively.
Increase the default setting of effective_cache_size to 4GB
Allow printf-style space padding to be specified in log_line_prefix (David Rowley)
Allow terabyte units (TB) to be used when specifying configuration variable values
Show PIDs of lock holders and waiters and improve information about relations in log_lock_waits log messages
Reduce server logging level when loading shared libraries
The previous level was LOG, which was too verbose for libraries loaded per-session.
On Windows, make SQL_ASCII-encoded databases and server processes (e.g., postmaster) emit messages in the character encoding of the server's Windows user locale
Previously these messages were output in the Windows ANSI code page.
Replication and Recovery:
Add replication slots to coordinate activity on streaming standbys with the node they are streaming from
Replication slots allow preservation of resources like WAL files on the primary until they are no longer needed by standby servers.
Add recovery parameter recovery_min_apply_delay to delay replication
Delaying replay on standby servers can be useful for recovering from user errors.
Add recovery_target option immediate to stop WAL recovery as soon as a consistent state is reached
Improve recovery target processing
The timestamp reported by pg_last_xact_replay_timestamp() now reflects already-committed records, not transactions about to be committed. Recovering to a restore point now replays the restore point, rather than stopping just before the restore point.
pg_switch_xlog() now clears any unused trailing space in the old WAL file
This improves the compression ratio for WAL files.
Report failure return codes from external recovery commands
Reduce spinlock contention during WAL replay
Write WAL records of running transactions more frequently
This allows standby servers to start faster and clean up resources more aggressively.
Logical Decoding - allows database changes to be streamed in a configurable format. The data is read from the WAL and transformed into the desired target format. To implement this feature, the following changes were made:
Add support for logical decoding of WAL data, to allow database changes to be streamed out in a customizable format
Add new wal_level setting logical to enable logical change-set encoding in WAL
Add table-level parameter REPLICA IDENTITY to control logical replication
Add relation option user_catalog_table to identify user-created tables involved in logical change-set encoding
Add pg_recvlogical application to receive logical-decoding data
Add test_decoding module to illustrate logical decoding at the SQL level
Queries:
Add WITH ORDINALITY syntax to number the rows returned from a set-returning function in the FROM clause
This is particularly useful for functions like unnest().
Add ROWS FROM() syntax to allow horizontal concatenation of set-returning functions in the FROM clause
Allow SELECT to have an empty target list
This was added so that views that select from a table with zero columns can be dumped and restored correctly.
Ensure that SELECT ... FOR UPDATE NOWAIT does not wait in corner cases involving already-concurrently-updated tuples
Utility Commands:
Add DISCARD SEQUENCES command to discard cached sequence-related state
DISCARD ALL will now also discard such information.
Add FORCE NULL option to COPY FROM, which causes quoted strings matching the specified null string to be converted to NULLs in CSV mode
Without this option, only unquoted matching strings will be imported as null values.
Issue warnings for commands used outside of transaction blocks when they can have no effect
New warnings are issued for SET LOCAL, SET CONSTRAINTS, SET TRANSACTION and ABORT when used outside a transaction block.
EXPLAIN:
Make EXPLAIN ANALYZE show planning time
Make EXPLAIN show the grouping columns in Agg and Group nodes
Make EXPLAIN ANALYZE show exact and lossy block counts in bitmap heap scans
Views:
Allow a materialized view to be refreshed without blocking other sessions from reading the view meanwhile
This is done with REFRESH MATERIALIZED VIEW CONCURRENTLY.
Allow views to be automatically updated even if they contain some non-updatable columns
Previously the presence of non-updatable output columns such as expressions, literals, and function calls prevented automatic updates. Now INSERTs, UPDATEs and DELETEs are supported, provided that they do not attempt to assign new values to any of the non-updatable columns.
Allow control over whether INSERTs and UPDATEs can add rows to an auto-updatable view that would not appear in the view
This is controlled with the new CREATE VIEW clause WITH CHECK OPTION.
Allow security barrier views to be automatically updatable
Object Manipulation:
Support triggers on foreign tables
Allow moving groups of objects from one tablespace to another using the ALL IN TABLESPACE ... SET TABLESPACE form of ALTER TABLE, ALTER INDEX, or ALTER MATERIALIZED VIEW
Allow changing foreign key constraint deferrability via ALTER TABLE ... ALTER CONSTRAINT
Reduce lock strength for some ALTER TABLE commands
Specifically, VALIDATE CONSTRAINT, CLUSTER ON, SET WITHOUT CLUSTER, ALTER COLUMN SET STATISTICS, ALTER COLUMN SET (attribute_option), ALTER COLUMN RESET (attribute_option) no longer require ACCESS EXCLUSIVE locks.
Allow tablespace options to be set in CREATE TABLESPACE (Vik Fearing)
Formerly these options could only be set via ALTER TABLESPACE.
Allow CREATE AGGREGATE to define the estimated size of the aggregate's transition state data
Proper use of this feature allows the planner to better estimate how much memory will be used by aggregates.
Fix DROP IF EXISTS to avoid errors for non-existent objects in more cases
Improve how system relations are identified
Previously, relations once moved into the pg_catalog schema could no longer be modified or dropped.
Data Types:
Fully implement the line data type
The line segment data type (lseg) has always been fully supported. The previous line data type (which was enabled only via a compile-time option) is not binary or dump-compatible with the new implementation.
Add pg_lsn data type to represent a WAL log sequence number (LSN)
Allow single-point polygons to be converted to circles (Bruce Momjian)
Support time zone abbreviations that change UTC offset from time to time
Previously, PostgreSQL assumed that the UTC offset associated with a time zone abbreviation (such as EST) never changes in the usage of any particular locale. However this assumption fails in the real world, so introduce the ability for a zone abbreviation to represent a UTC offset that sometimes changes. Update the zone abbreviation definition files to make use of this feature in timezone locales that have changed the UTC offset of their abbreviations since 1970 (according to the IANA timezone database). In such timezones, PostgreSQL will now associate the correct UTC offset with the abbreviation depending on the given date.
Allow 5+ digit years for non-ISO timestamp and date strings, where appropriate
JSON:
Add jsonb, a more capable and efficient data type for storing JSON data
This new type allows faster access to values within a JSON document, and faster and more useful indexing of JSON columns. Scalar values in jsonb documents are stored as appropriate scalar SQL types, and the JSON document structure is pre-parsed rather than being stored as text as in the original json data type.
Add new JSON functions to allow for the construction of arbitrarily complex JSON trees
New functions include json_array_elements_text(), json_build_array(), json_object(), json_object_agg(), json_to_record(), and json_to_recordset().
Add json_typeof() to return the data type of a json value (Andrew Tipton)
Add checks for overflow/underflow of interval values
Functions:
Add pg_sleep_for(interval) and pg_sleep_until(timestamp) to specify delays more flexibly
The existing pg_sleep() function only supports delays specified in seconds.
Add cardinality() function for arrays
This returns the total number of elements in the array, or zero for an array with no elements.
Add SQL functions to allow large object reads/writes at arbitrary offsets
Allow unnest() to take multiple arguments, which are individually unnested then horizontally concatenated
Add functions to construct times, dates, timestamps, timestamptzs, and intervals from individual values, rather than strings
These functions' names are prefixed with make_, e.g. make_date().
Make to_char()'s TZ format specifier return a useful value for simple numeric time zone offsets
Previously, to_char(CURRENT_TIMESTAMP, 'TZ') returned an empty string if the timezone was set to a constant like -4.
Add timezone offset format specifier OF to to_char()
Improve the random seed used for random()
Tighten validity checking for Unicode code points in chr(int)
This function now only accepts values that are valid UTF8 characters according to RFC 3629.
System Information Functions:
Add functions for looking up objects in pg_class, pg_proc, pg_type, and pg_operator that do not generate errors for non-existent objects
For example, to_regclass() does a lookup in pg_class similarly to the regclass input function, but it returns NULL for a non-existent object instead of failing.
Add function pg_filenode_relation() to allow for more efficient lookup of relation names from filenodes
Add parameter_default column to information_schema.parameters view
Make information_schema.schemata show all accessible schemas
Previously it only showed schemas owned by the current user.
Aggregates:
Add control over which rows are passed into aggregate functions via the FILTER clause
Support ordered-set (WITHIN GROUP) aggregates
Add standard ordered-set aggregates percentile_cont(), percentile_disc(), mode(), rank(), dense_rank(), percent_rank(), and cume_dist()
Support VARIADIC aggregate functions
Allow polymorphic aggregates to have non-polymorphic state data types
This allows proper declaration in SQL of aggregates like the built-in aggregate array_agg().
Server-Side Languages:
Add event trigger support to PL/Perl and PL/Tcl
Convert numeric values to decimal in PL/Python
Previously such values were converted to Python float values, risking loss of precision.
PL/pgSQL Server-Side Language:
Add ability to retrieve the current PL/PgSQL call stack using GET DIAGNOSTICS
Add option print_strict_params to display the parameters passed to a query that violated a STRICT constraint
Add variables plpgsql.extra_warnings and plpgsql.extra_errors to enable additional PL/pgSQL warnings and errors
Currently only warnings/errors about shadowed variables are available.
libpq:
Make libpq's PQconndefaults() function ignore invalid service files
Previously it returned NULL if an incorrect service file was encountered.
Accept TLS protocol versions beyond TLSv1 in libpq
Client Applications:
Add createuser option -g to specify role membership (Chistopher Browne)
Add vacuumdb option --analyze-in-stages to analyze in stages of increasing granularity
This allows minimal statistics to be created quickly.
Make pg_resetxlog with option -n output current and potentially changed values
Make initdb throw error for incorrect locale settings, rather than silently falling back to a default choice
Make pg_ctl return exit code 4 for an inaccessible data directory
This behavior more closely matches the Linux Standard Base (LSB) Core Specification.
On Windows, ensure that a non-absolute -D path specification is interpreted relative to pg_ctl's current directory
Previously it would be interpreted relative to whichever directory the underlying Windows service was started in.
Allow sizeof() in ECPG C array definitions
Make ECPG properly handle nesting of C-style comments in both C and SQL text
psql:
Suppress "No rows" output in psql expanded mode when the footer is disabled
Allow Control-C to abort psql when it's hung at connection startup
Backslash Commands:
Make psql's \db+ show tablespace options
Make \do+ display the functions that implement the operators
Make \d+ output an OID line only if an oid column exists in the table
Previously, the presence or absence of an oid column was always reported.
Make \d show disabled system triggers
Previously, if you disabled all triggers, only user triggers would show as disabled.
Fix \copy to no longer require a space between stdin and a semicolon
Output the row count at the end of \copy, just like COPY already did
Fix \conninfo to display the server's IP address for connections using hostaddr
Previously \conninfo could not display the server's IP address in such cases.
Show the SSL protocol version in \conninfo
Add tab completion for \pset
Allow \pset with no arguments to show all settings
Make \s display the name of the history file it wrote without converting it to an absolute path
The code previously attempted to convert a relative file name to an absolute path for display, but frequently got it wrong.
pg_dump:
Allow pg_restore options -I, -P, -T and -n to be specified multiple times
This allows multiple objects to be restored in one operation
Optionally add IF EXISTS clauses to the DROP commands emitted when removing old objects during a restore
This change prevents unnecessary errors when removing old objects. The new --if-exists option for pg_dump, pg_dumpall, and pg_restore is only available when --clean is also specified
pg_basebackup:
Add pg_basebackup option --xlogdir to specify the pg_xlog directory location
Allow pg_basebackup to relocate tablespaces in the backup copy
This is particularly useful for using pg_basebackup on the same machine as the primary.
Allow network-stream base backups to be throttled
This can be controlled with the pg_basebackup --max-rate parameter.
Source Code:
Improve the way tuples are frozen to preserve forensic information
This change removes the main objection to freezing tuples as soon as possible. Code that inspects tuple flag bits will need to be modified.
No longer require function prototypes for functions marked with the PG_FUNCTION_INFO_V1 macro
This change eliminates the need to write boilerplate prototypes. Note that the PG_FUNCTION_INFO_V1 macro must appear before the corresponding function definition to avoid compiler warnings.
Remove SnapshotNow and HeapTupleSatisfiesNow()
All existing uses have been switched to more appropriate snapshot types. Catalog scans now use MVCC snapshots.
Add an API to allow memory allocations over one gigabyte
Add psprintf() to simplify memory allocation during string composition
Support printf() size modifier z to print size_t values
Change API of appendStringInfoVA() to better use vsnprintf()
Allow new types of external toast datums to be created
Add single-reader, single-writer, lightweight shared message queue
Improve spinlock speed on x86_64 CPUs
Remove spinlock support for unsupported platforms SINIX, Sun3, and NS32K
Remove IRIX port
Reduce the number of semaphores required by --disable-spinlocks builds
Rewrite duplicate_oids Unix shell script in Perl
Add Test Anything Protocol (TAP) tests for client programs
Currently, these tests are run by make check-world only if the --enable-tap-tests option was given to configure. This might become the default behavior in some future release.
Add make targets check-tests and installcheck-tests, which allow selection of individual tests to be run
Remove maintainer-check makefile rule
The default build rules now include all the formerly-optional tests.
Improve support for VPATH builds of PGXS modules
Upgrade to Autoconf 2.69
Add a configure flag that appends custom text to the PG_VERSION string
This is useful for packagers building custom binaries.
Improve DocBook XML validity
Fix various minor security and sanity issues reported by the Coverity scanner
Improve detection of invalid memory usage when testing PostgreSQL with Valgrind
Improve sample Emacs configuration file emacs.samples
Also add .dir-locals.el to the top of the source tree.
Allow pgindent to accept a command-line list of typedefs
Make pgindent smarter about blank lines around preprocessor conditionals
Avoid most uses of dlltool in Cygwin and Mingw builds
Support client-only installs in MSVC (Windows) builds
Additional Modules:
Add pg_prewarm extension to preload relation data into the shared buffer cache at server start
This allows reaching full operating performance more quickly.
Add UUID random number generator gen_random_uuid() to pgcrypto
This allows creation of version 4 UUIDs without requiring installation of uuid-ossp.
Allow uuid-ossp to work with the BSD or e2fsprogs UUID libraries, not only the OSSP UUID library
This improves the uuid-ossp module's portability since it no longer has to have the increasingly-obsolete OSSP library. The module's name is now rather a misnomer, but we won't change it.
Add option to auto_explain to include trigger execution time
Fix pgstattuple to not report rows from uncommitted transactions as dead
Make pgstattuple functions use regclass-type arguments
While text-type arguments are still supported, they may be removed in a future major release.
Improve consistency of pgrowlocks output to honor snapshot rules more consistently
Improve pg_trgm's choice of trigrams for indexed regular expression searches
This change discourages use of trigrams containing whitespace, which are usually less selective.
Allow pg_xlogdump to report a live log stream with --follow
Store cube data more compactly
Existing data must be dumped/restored to use the new format. The old format can still be read.
Reduce vacuumlo client-side memory usage by using a cursor
Dramatically reduce memory consumption in pg_upgrade
Pass pg_upgrade's user name (-U) option to generated analyze scripts
pgbench:
Remove line length limit for pgbench scripts
The previous line limit was BUFSIZ
Add long option names to pgbench
Add pgbench option --rate to control the transaction rate
Add pgbench option --progress to print periodic progress reports
pg_stat_statements:
Make pg_stat_statements use a file, rather than shared memory, for query text storage
This removes the previous limitation on query text length, and allows a higher number of unique statements to be tracked by default
Allow reporting of pg_stat_statements's internal query hash identifier
Add the ability to retrieve all pg_stat_statements information except the query text
This allows monitoring tools to fetch query text only for just-created entries, improving performance during repeated querying of the statistics
Make pg_stat_statements ignore DEALLOCATE commands
It already ignored PREPARE, as well as planning time in general, so this seems more consistent
Save the statistics file into $PGDATA/pg_stat at server shutdown, rather than $PGDATA/global

New in PostgreSQL 9.4.0 Beta 3 (Oct 9, 2014)

New in PostgreSQL 9.4.0 Beta 2 (Jul 31, 2014)

New in PostgreSQL 9.3.5 (Jul 24, 2014)

In pg_upgrade, remove pg_multixact files left behind by initdb:
If you used a pre-9.3.5 version of pg_upgrade to upgrade a database cluster to 9.3, it might have left behind a file $PGDATA/pg_multixact/offsets/0000 that should not be there and will eventually cause problems in VACUUM. However, in common cases this file is actually valid and must not be removed.
Correctly initialize padding bytes in contrib/btree_gist indexes on bit columns:
This error could result in incorrect query results due to values that should compare equal not being seen as equal. Users with GiST indexes on bit or bit varying columns should REINDEX those indexes after installing this update.
Protect against torn pages when deleting GIN list pages:
This fix prevents possible index corruption if a system crash occurs while the page update is being written to disk.
Don't clear the right-link of a GiST index page while replaying updates from WAL:
This error could lead to transiently wrong answers from GiST index scans performed in Hot Standby.
Fix corner-case infinite loop during insertion into an SP-GiST text index
Fix incorrect answers from SP-GiST index searches with -|- (range adjacency) operator
Fix wraparound handling for pg_multixact/members
Truncate pg_multixact during checkpoints, not during VACUUM:
This change ensures that pg_multixact segments can't be removed if they'd still be needed during WAL replay after a crash.
Fix possible inconsistency of all-visible flags after WAL recovery
Fix possibly-incorrect cache invalidation during nested calls to ReceiveSharedInvalidMessages
Fix race condition when updating a tuple concurrently locked by another process
Fix "could not find pathkey item to sort" planner failures with UNION ALL over subqueries reading from tables with inheritance children
Don't assume a subquery's output is unique if there's a set-returning function in its targetlist:
This oversight could lead to misoptimization of constructs like WHERE x IN (SELECT y, generate_series(1,10) FROM t GROUP BY y).
Improve planner to drop constant-NULL inputs of AND/OR when possible:
This change fixes some cases where the more aggressive parameter substitution done by 9.2 and later can lead to a worse plan than older versions produced.
Ensure that the planner sees equivalent VARIADIC and non-VARIADIC function calls as equivalent:
This bug could for example result in failure to use expression indexes involving variadic functions. It might be necessary to re-create such indexes, and/or re-create views including variadic function calls that should match the indexes, for the fix to be effective for existing 9.3 installations.
Fix handling of nested JSON objects in json_populate_recordset() and friends:
A nested JSON object could result in previous fields of the parent object not being shown in the output.
Fix identification of input type category in to_json() and friends:
This is known to have led to inadequate quoting of money fields in the JSON result, and there may have been wrong results for other data types as well.
Fix failure to detoast fields in composite elements of structured types:
This corrects cases where TOAST pointers could be copied into other tables without being dereferenced. If the original data is later deleted, it would lead to errors like "missing chunk number 0 for toast value ..." when the now-dangling pointer is used.
Fix "record type has not been registered" failures with whole-row references to the output of Append plan nodes
Fix possible crash when invoking a user-defined function while rewinding a cursor
Fix query-lifespan memory leak while evaluating the arguments for a function in FROM
Fix session-lifespan memory leaks in regular-expression processing
Fix data encoding error in hungarian.stop
Prevent foreign tables from being created with OIDS when default_with_oids is true
Fix liveness checks for rows that were inserted in the current transaction and then deleted by a now-rolled-back subtransaction:
This could cause problems (at least spurious warnings, and at worst an infinite loop) if CREATE INDEX or CLUSTER were done later in the same transaction.
Clear pg_stat_activity.xact_start during PREPARE TRANSACTION:
After the PREPARE, the originating session is no longer in a transaction, so it should not continue to display a transaction start time.
Fix REASSIGN OWNED to not fail for text search objects
Prevent pg_class.relminmxid values from going backwards during VACUUM FULL
Reduce indentation in rule/view dumps to improve readability and avoid excessive whitespace:
This change reduces the amount of indentation applied to nested constructs, including some cases that the user probably doesn't think of as nested, such as UNION lists. Previously, deeply nested constructs were printed with an amount of whitespace growing as O(N^2), which created a performance problem and even risk of out-of-memory failures. Now the indentation is reduced modulo 40, which is initially odd to look at but seems to preserve readability better than simply limiting the indentation would do. Redundant parenthesization of UNION lists has been reduced as well.
Fix dumping of rules/views when subsequent addition of a column has resulted in multiple input columns matching a USING specification
Repair view printing for some cases involving functions in FROM that return a composite type containing dropped columns
Block signals during postmaster startup:
This ensures that the postmaster will properly clean up after itself if, for example, it receives SIGINT while still starting up.
Fix client host name lookup when processing pg_hba.conf entries that specify host names instead of IP addresses:
Ensure that reverse-DNS lookup failures are reported, instead of just silently not matching such entries. Also ensure that we make only one reverse-DNS lookup attempt per connection, not one per host name entry, which is what previously happened if the lookup attempts failed.
Allow the root user to use postgres -C variable and postgres --describe-config:
The prohibition on starting the server as root does not need to extend to these operations, and relaxing it prevents failure of pg_ctl in some scenarios.
Secure Unix-domain sockets of temporary postmasters started during make check:
Any local user able to access the socket file could connect as the server's bootstrap superuser, then proceed to execute arbitrary code as the operating-system user running the test, as we previously noted in CVE-2014-0067. This change defends against that risk by placing the server's socket in a temporary, mode 0700 subdirectory of /tmp. The hazard remains however on platforms where Unix sockets are not supported, notably Windows, because then the temporary postmaster must accept local TCP connections.
A useful side effect of this change is to simplify make check testing in builds that override DEFAULT_PGSOCKET_DIR. Popular non-default values like /var/run/postgresql are often not writable by the build user, requiring workarounds that will no longer be necessary.
Fix tablespace creation WAL replay to work on Windows
Fix detection of socket creation failures on Windows
On Windows, allow new sessions to absorb values of PGC_BACKEND parameters (such as log_connections) from the configuration file:
Previously, if such a parameter were changed in the file post-startup, the change would have no effect.
Properly quote executable path names on Windows:
This oversight could cause initdb and pg_upgrade to fail on Windows, if the installation path contained both spaces and @ signs.
Avoid buffer bloat in libpq when the server consistently sends data faster than the client can absorb it:
libpq could be coerced into enlarging its input buffer until it runs out of memory (which would be reported misleadingly as "lost synchronization with server"). Under ordinary circumstances it's quite far-fetched that data could be continuously transmitted more quickly than the recv() loop can absorb it, but this has been observed when the client is artificially slowed by scheduler constraints.
Ensure that LDAP lookup attempts in libpq time out as intended
Fix ecpg to do the right thing when an array of char * is the target for a FETCH statement returning more than one row, as well as some other array-handling fixes
Fix pg_dump to cope with a materialized view that depends on a table's primary key:
This occurs if the view's query relies on functional dependency to abbreviate a GROUP BY list. pg_dump got sufficiently confused that it dumped the materialized view as a regular view.
Fix parsing of pg_dumpall's -i switch
Fix pg_restore's processing of old-style large object comments:
A direct-to-database restore from an archive file generated by a pre-9.0 version of pg_dump would usually fail if the archive contained more than a few comments for large objects.
Fix pg_upgrade for cases where the new server creates a TOAST table but the old version did not:
This rare situation would manifest as "relation OID mismatch" errors.
In pg_upgrade, preserve pg_database.datminmxid and pg_class.relminmxid values from the old cluster, or insert reasonable values when upgrading from pre-9.3; also defend against unreasonable values in the core server:
These changes prevent scenarios in which autovacuum might insist on scanning the entire cluster's contents immediately upon starting the new cluster, or in which tracking of unfrozen MXID values might be disabled completely.
Prevent contrib/auto_explain from changing the output of a user's EXPLAIN:
If auto_explain is active, it could cause an EXPLAIN (ANALYZE, TIMING OFF) command to nonetheless print timing information.
Fix query-lifespan memory leak in contrib/dblink
In contrib/pgcrypto functions, ensure sensitive information is cleared from stack variables before returning
Prevent use of already-freed memory in contrib/pgstattuple's pgstat_heap()
In contrib/uuid-ossp, cache the state of the OSSP UUID library across calls:
This improves the efficiency of UUID generation and reduces the amount of entropy drawn from /dev/urandom, on platforms that have that.
Update time zone data files to tzdata release 2014e for DST law changes in Crimea, Egypt, and Morocco.

New in PostgreSQL 9.4.0 Beta 1 (Jul 23, 2014)

New in PostgreSQL 9.3.4 (Mar 21, 2014)

Fix WAL replay of locking an already-updated tuple:
This error caused updated rows to not be found by index scans, resulting in inconsistent query results depending on whether an index scan was used. Subsequent processing could result in constraint violations, since the previously updated row would not be found by later index searches, thus possibly allowing conflicting rows to be inserted. Since this error is in WAL replay, it would only manifest during crash recovery or on standby servers. The improperly-replayed case most commonly arises when a table row that is referenced by a foreign-key constraint is updated concurrently with creation of a referencing row.
Restore GIN metapages unconditionally to avoid torn-page risk:
Although this oversight could theoretically result in a corrupted index, it is unlikely to have caused any problems in practice, since the active part of a GIN metapage is smaller than a standard 512-byte disk sector.
Avoid race condition in checking transaction commit status during receipt of a NOTIFY message:
This prevents a scenario wherein a sufficiently fast client might respond to a notification before database updates made by the notifier have become visible to the recipient.
Allow materialized views to be referenced in UPDATE and DELETE commands:
Previously such queries failed with a complaint about not being able to lock rows in the materialized view.
Allow regular-expression operators to be terminated early by query cancel requests:
This prevents scenarios wherein a pathological regular expression could lock up a server process uninterruptably for a long time.
Remove incorrect code that tried to allow OVERLAPS with single-element row arguments:
This code never worked correctly, and since the case is neither specified by the SQL standard nor documented, it seemed better to remove it than fix it.
Avoid getting more than AccessShareLock when de-parsing a rule or view:
This oversight resulted in pg_dump unexpectedly acquiring RowExclusiveLock locks on tables mentioned as the targets of INSERT/UPDATE/DELETE commands in rules. While usually harmless, that could interfere with concurrent transactions that tried to acquire, for example, ShareLock on those tables.
Improve performance of index endpoint probes during planning:
This change fixes a significant performance problem that occurred when there were many not-yet-committed rows at the end of the index, which is a common situation for indexes on sequentially-assigned values such as timestamps or sequence-generated identifiers.
Remove the correct per-database statistics file during DROP DATABASE:
This fix prevents a permanent leak of statistics file space. Users who have done many DROP DATABASE commands since upgrading to PostgreSQL 9.3 may wish to check their statistics directory and delete statistics files that do not correspond to any existing database. Please note that db_0.stat should not be removed.
Fix walsender ping logic to avoid inappropriate disconnects under continuous load:
walsender failed to send ping messages to the client if it was constantly busy sending WAL data; but it expected to see ping responses despite that, and would therefore disconnect once wal_sender_timeout elapsed.
Add read-only data_checksums parameter to display whether page checksums are enabled:
Without this parameter, determining the state of checksum processing was difficult.
Prevent interrupts while reporting non-ERROR messages:
This guards against rare server-process freezeups due to recursive entry to syslog(), and perhaps other related problems.
Fix tracking of psql script line numbers during \copy from out-of-line data:
\copy ... from incremented the script file line number for each data line, even if the data was not coming from the script file. This mistake resulted in wrong line numbers being reported for any errors occurring later in the same script file.
Fix contrib/postgres_fdw to handle multiple join conditions properly:
This oversight could result in sending WHERE clauses to the remote server for execution even though the clauses are not known to have the same semantics on the remote server (for example, clauses that use non-built-in operators). The query might succeed anyway, but it could also fail with errors from the remote server, or worse give silently wrong answers.
Use non-default selectivity estimates for value IN (list) and value operator ANY (array) expressions when the righthand side is a stable expression
Fix walsender's failure to shut down cleanly when client is pg_receivexlog
Check WAL level and hot standby parameters correctly when doing crash recovery that will be followed by archive recovery
Fix test to see if hot standby connections can be allowed immediately after a crash
Fix memory leak in PL/Perl when returning a composite result, including multiple-OUT-parameter cases
Prevent intermittent "could not reserve shared memory region" failures on recent Windows versions
Update time zone data files to tzdata release 2014a for DST law changes in Fiji and Turkey, plus historical changes in Israel and Ukraine.

New in PostgreSQL 9.3.3 (Feb 21, 2014)

Shore up GRANT ... WITH ADMIN OPTION restrictions:
Granting a role without ADMIN OPTION is supposed to prevent the grantee from adding or removing members from the granted role, but this restriction was easily bypassed by doing SET ROLE first. The security impact is mostly that a role member can revoke the access of others, contrary to the wishes of his grantor. Unapproved role member additions are a lesser concern, since an uncooperative role member could provide most of his rights to others anyway by creating views or SECURITY DEFINER functions. (CVE-2014-0060)
Prevent privilege escalation via manual calls to PL validator functions (Andres Freund):
The primary role of PL validator functions is to be called implicitly during CREATE FUNCTION, but they are also normal SQL functions that a user can call explicitly. Calling a validator on a function actually written in some other language was not checked for and could be exploited for privilege-escalation purposes. The fix involves adding a call to a privilege-checking function in each validator function. Non-core procedural languages will also need to make this change to their own validator functions, if any. (CVE-2014-0061)
Avoid multiple name lookups during table and index DDL (Robert Haas, Andres Freund):
If the name lookups come to different conclusions due to concurrent activity, we might perform some parts of the DDL on a different table than other parts. At least in the case of CREATE INDEX, this can be used to cause the permissions checks to be performed against a different table than the index creation, allowing for a privilege escalation attack. (CVE-2014-0062)
Prevent buffer overrun with long datetime strings (Noah Misch):
The MAXDATELEN constant was too small for the longest possible value of type interval, allowing a buffer overrun in interval_out(). Although the datetime input functions were more careful about avoiding buffer overrun, the limit was short enough to cause them to reject some valid inputs, such as input containing a very long timezone name. The ecpg library contained these vulnerabilities along with some of its own. (CVE-2014-0063)
Prevent buffer overrun due to integer overflow in size calculations (Noah Misch, Heikki Linnakangas):
Several functions, mostly type input functions, calculated an allocation size without checking for overflow. If overflow did occur, a too-small buffer would be allocated and then written past. (CVE-2014-0064)
Prevent overruns of fixed-size buffers (Peter Eisentraut, Jozef Mlich):
Use strlcpy() and related functions to provide a clear guarantee that fixed-size buffers are not overrun. Unlike the preceding items, it is unclear whether these cases really represent live issues, since in most cases there appear to be previous constraints on the size of the input string. Nonetheless it seems prudent to silence all Coverity warnings of this type. (CVE-2014-0065)
Avoid crashing if crypt() returns NULL (Honza Horak, Bruce Momjian):
There are relatively few scenarios in which crypt() could return NULL, but contrib/chkpass would crash if it did. One practical case in which this could be an issue is if libc is configured to refuse to execute unapproved hashing algorithms (e.g., "FIPS mode"). (CVE-2014-0066)
Document risks of make check in the regression testing instructions (Noah Misch, Tom Lane):
Since the temporary server started by make check uses "trust" authentication, another user on the same machine could connect to it as database superuser, and then potentially exploit the privileges of the operating-system user who started the tests. A future release will probably incorporate changes in the testing procedure to prevent this risk, but some public discussion is needed first. So for the moment, just warn people against using make check when there are untrusted users on the same machine. (CVE-2014-0067)
Rework tuple freezing protocol (Álvaro Herrera, Andres Freund):
The logic for tuple freezing was unable to handle some cases involving freezing of multixact IDs, with the practical effect that shared row-level locks might be forgotten once old enough.
Fixing this required changing the WAL record format for tuple freezing. While this is no issue for standalone servers, when using replication it means that standby servers must be upgraded to 9.3.3 or later before their masters are. An older standby will be unable to interpret freeze records generated by a newer master, and will fail with a PANIC message. (In such a case, upgrading the standby should be sufficient to let it resume execution.)
Create separate GUC parameters to control multixact freezing (Álvaro Herrera):
9.3 requires multixact tuple labels to be frozen before they grow too old, in the same fashion as plain transaction ID labels have been frozen for some time. Previously, the transaction ID freezing parameters were used for multixact IDs too; but since the consumption rates of transaction IDs and multixact IDs can be quite different, this did not work very well. Introduce new settings vacuum_multixact_freeze_min_age, vacuum_multixact_freeze_table_age, and autovacuum_multixact_freeze_max_age to control when to freeze multixacts.
Account for remote row locks propagated by local updates (Álvaro Herrera):
If a row was locked by transaction A, and transaction B updated it, the new version of the row created by B would be locked by A, yet visible only to B. If transaction B then again updated the row, A's lock wouldn't get checked, thus possibly allowing B to complete when it shouldn't. This case is new in 9.3 since prior versions did not have any types of row locking that would permit another transaction to update the row at all.
This oversight could allow referential integrity checks to give false positives (for instance, allow deletes that should have been rejected). Applications using the new commands SELECT FOR KEY SHARE and SELECT FOR NO KEY UPDATE might also have suffered locking failures of this kind.
Prevent "forgetting" valid row locks when one of several holders of a row lock aborts (Álvaro Herrera):
This was yet another mechanism by which a shared row lock could be lost, thus possibly allowing updates that should have been prevented by foreign-key constraints.
Fix incorrect logic during update chain locking (Álvaro Herrera):
This mistake could result in spurious "could not serialize access due to concurrent update" errors in REPEATABLE READ and SERIALIZABLE transaction isolation modes.
Handle wraparound correctly during extension or truncation of pg_multixact/members (Andres Freund, Álvaro Herrera)
Fix handling of 5-digit filenames in pg_multixact/members (Álvaro Herrera):
As of 9.3, these names can be more than 4 digits, but the directory cleanup code ignored such files.
Improve performance of multixact cache code (Álvaro Herrera)
Optimize updating a row that's already locked by the same transaction (Andres Freund, Álvaro Herrera)
This fixes a performance regression from pre-9.3 versions when doing SELECT FOR UPDATE followed by UPDATE/DELETE.
During archive recovery, prefer highest timeline number when WAL segments with the same ID are present in both the archive and pg_xlog/ (Kyotaro Horiguchi)
Previously, not-yet-archived segments could get ignored during recovery. This reverts an undesirable behavioral change in 9.3.0 back to the way things worked pre-9.3.
Fix possible mis-replay of WAL records when some segments of a relation aren't full size (Greg Stark, Tom Lane):
The WAL update could be applied to the wrong page, potentially many pages past where it should have been. Aside from corrupting data, this error has been observed to result in significant "bloat" of standby servers compared to their masters, due to updates being applied far beyond where the end-of-file should have been. This failure mode does not appear to be a significant risk during crash recovery, only when initially synchronizing a standby created from a base backup taken from a quickly-changing master.
Fix bug in determining when recovery has reached consistency (Tomonari Katsumata, Heikki Linnakangas):
In some cases WAL replay would mistakenly conclude that the database was already consistent at the start of replay, thus possibly allowing hot-standby queries before the database was really consistent. Other symptoms such as "PANIC: WAL contains references to invalid pages" were also possible.
Fix WAL logging of visibility map changes (Heikki Linnakangas):
Fix improper locking of btree index pages while replaying a VACUUM operation in hot-standby mode (Andres Freund, Heikki Linnakangas, Tom Lane)
This error could result in "PANIC: WAL contains references to invalid pages" failures.
Ensure that insertions into non-leaf GIN index pages write a full-page WAL record when appropriate (Heikki Linnakangas):
The previous coding risked index corruption in the event of a partial-page write during a system crash.
When pause_at_recovery_target and recovery_target_inclusive are both set, ensure the target record is applied before pausing, not after (Heikki Linnakangas)
Ensure walreceiver sends hot-standby feedback messages on time even when there is a continuous stream of data (Andres Freund, Amit Kapila)
Prevent timeout interrupts from taking control away from mainline code unless ImmediateInterruptOK is set (Andres Freund, Tom Lane)
This is a serious issue for any application making use of statement timeouts, as it could cause all manner of strange failures after a timeout occurred. We have seen reports of "stuck" spinlocks, ERRORs being unexpectedly promoted to PANICs, unkillable backends, and other misbehaviors.
Fix race conditions during server process exit (Robert Haas)
Ensure that signal handlers don't attempt to use the process's MyProc pointer after it's no longer valid.
Fix race conditions in walsender shutdown logic and walreceiver SIGHUP signal handler (Tom Lane)
Fix unsafe references to errno within error reporting logic (Christian Kruse)
This would typically lead to odd behaviors such as missing or inappropriate HINT fields.
Fix possible crashes from using ereport() too early during server startup (Tom Lane)
The principal case we've seen in the field is a crash if the server is started in a directory it doesn't have permission to read.
Clear retry flags properly in OpenSSL socket write function (Alexander Kukushkin)
This omission could result in a server lockup after unexpected loss of an SSL-encrypted connection.
Fix length checking for Unicode identifiers (U&"..." syntax) containing escapes (Tom Lane)
A spurious truncation warning would be printed for such identifiers if the escaped form of the identifier was too long, but the identifier actually didn't need truncation after de-escaping.
Fix parsing of Unicode literals and identifiers just before the end of a command string or function body (Tom Lane)
Allow keywords that are type names to be used in lists of roles (Stephen Frost)
A previous patch allowed such keywords to be used without quoting in places such as role identifiers; but it missed cases where a list of role identifiers was permitted, such as DROP ROLE.
Fix parser crash for EXISTS(SELECT * FROM zero_column_table) (Tom Lane)
Fix possible crash due to invalid plan for nested sub-selects, such as WHERE (... x IN (SELECT ...) ...) IN (SELECT ...) (Tom Lane)
Fix mishandling of WHERE conditions pulled up from a LATERAL subquery (Tom Lane)
The typical symptom of this bug was a "JOIN qualification cannot refer to other relations" error, though subtle logic errors in created plans seem possible as well.
Disallow LATERAL references to the target table of an UPDATE/DELETE (Tom Lane)
While this might be allowed in some future release, it was unintentional in 9.3, and didn't work quite right anyway.
Fix UPDATE/DELETE of an inherited target table that has UNION ALL subqueries (Tom Lane)
Without this fix, UNION ALL subqueries aren't correctly inserted into the update plans for inheritance child tables after the first one, typically resulting in no update happening for those child table(s).
Fix ANALYZE to not fail on a column that's a domain over a range type (Tom Lane)
Ensure that ANALYZE creates statistics for a table column even when all the values in it are "too wide" (Tom Lane)
ANALYZE intentionally omits very wide values from its histogram and most-common-values calculations, but it neglected to do something sane in the case that all the sampled entries are too wide.
In ALTER TABLE ... SET TABLESPACE, allow the database's default tablespace to be used without a permissions check (Stephen Frost)
CREATE TABLE has always allowed such usage, but ALTER TABLE didn't get the memo.
Fix support for extensions containing event triggers (Tom Lane)
Fix "cannot accept a set" error when some arms of a CASE return a set and others don't (Tom Lane)
Fix memory leakage in JSON functions (Craig Ringer)
Properly distinguish numbers from non-numbers when generating JSON output (Andrew Dunstan)
Fix possible misclassification of multibyte characters by the text search parser (Tom Lane)
Non-ASCII characters could be misclassified when using C locale with a multibyte encoding. On Cygwin, non-C locales could fail as well.
Fix possible misbehavior in plainto_tsquery() (Heikki Linnakangas)
Use memmove() not memcpy() for copying overlapping memory regions. There have been no field reports of this actually causing trouble, but it's certainly risky.
Fix placement of permissions checks in pg_start_backup() and pg_stop_backup() (Andres Freund, Magnus Hagander)
The previous coding might attempt to do catalog access when it shouldn't.
Accept SHIFT_JIS as an encoding name for locale checking purposes (Tatsuo Ishii)
Fix *-qualification of named parameters in SQL-language functions (Tom Lane)
Given a composite-type parameter named foo, $1.* worked fine, but foo.* not so much.
Fix misbehavior of PQhost() on Windows (Fujii Masao)
It should return localhost if no host has been specified.
Improve error handling in libpq and psql for failures during COPY TO STDOUT/FROM STDIN (Tom Lane)
In particular this fixes an infinite loop that could occur in 9.2 and up if the server connection was lost during COPY FROM STDIN. Variants of that scenario might be possible in older versions, or with other client applications.
Fix incorrect translation handling in some psql \d commands (Peter Eisentraut, Tom Lane)
Ensure pg_basebackup's background process is killed when exiting its foreground process (Magnus Hagander)
Fix possible incorrect printing of filenames in pg_basebackup's verbose mode (Magnus Hagander)
Avoid including tablespaces inside PGDATA twice in base backups (Dimitri Fontaine, Magnus Hagander)
Fix misaligned descriptors in ecpg (MauMau)
In ecpg, handle lack of a hostname in the connection parameters properly (Michael Meskes)
Fix performance regression in contrib/dblink connection startup (Joe Conway)
Avoid an unnecessary round trip when client and server encodings match.
In contrib/isn, fix incorrect calculation of the check digit for ISMN values (Fabien Coelho)
Fix contrib/pgbench's progress logging to avoid overflow when the scale factor is large (Tatsuo Ishii)
Fix contrib/pg_stat_statement's handling of CURRENT_DATE and related constructs (Kyotaro Horiguchi)
Improve lost-connection error handling in contrib/postgres_fdw (Tom Lane)
Ensure client-code-only installation procedure works as documented (Peter Eisentraut)
In Mingw and Cygwin builds, install the libpq DLL in the bin directory (Andrew Dunstan)
This duplicates what the MSVC build has long done. It should fix problems with programs like psql failing to start because they can't find the DLL.
Avoid using the deprecated dllwrap tool in Cygwin builds (Marco Atzeri)
Enable building with Visual Studio 2013 (Brar Piening)
Don't generate plain-text HISTORY and src/test/regress/README files anymore (Tom Lane)
These text files duplicated the main HTML and PDF documentation formats. The trouble involved in maintaining them greatly outweighs the likely audience for plain-text format. Distribution tarballs will still contain files by these names, but they'll just be stubs directing the reader to consult the main documentation. The plain-text INSTALL file will still be maintained, as there is arguably a use-case for that.
Update time zone data files to tzdata release 2013i for DST law changes in Jordan and historical changes in Cuba.
In addition, the zones Asia/Riyadh87, Asia/Riyadh88, and Asia/Riyadh89 have been removed, as they are no longer maintained by IANA, and never represented actual civil timekeeping practice.

New in PostgreSQL 9.3.2 (Dec 6, 2013)

Fix VACUUM's tests to see whether it can update relfrozenxid:
In some cases VACUUM (either manual or autovacuum) could incorrectly advance a table's relfrozenxid value, allowing tuples to escape freezing, causing those rows to become invisible once 2^31 transactions have elapsed. The probability of data loss is fairly low since multiple incorrect advancements would need to happen before actual loss occurs, but it's not zero. In 9.2.0 and later, the probability of loss is higher, and it's also possible to get "could not access status of transaction" errors as a consequence of this bug. Users upgrading from releases 9.0.4 or 8.4.8 or earlier are not affected, but all later versions contain the bug.
The issue can be ameliorated by, after upgrading, vacuuming all tables in all databases while having vacuum_freeze_table_age set to zero. This will fix any latent corruption but will not be able to fix all pre-existing data errors. However, an installation can be presumed safe after performing this vacuuming if it has executed fewer than 2^31 update transactions in its lifetime (check this with SELECT txid_current() < 2^31).
Fix multiple bugs in MultiXactId freezing:
These bugs could lead to "could not access status of transaction" errors, or to duplicate or vanishing rows. Users upgrading from releases prior to 9.3.0 are not affected.
The issue can be ameliorated by, after upgrading, vacuuming all tables in all databases while having vacuum_freeze_table_age set to zero. This will fix latent corruption but will not be able to fix all pre-existing data errors.
As a separate issue, these bugs can also cause standby servers to get out of sync with the primary, thus exhibiting data errors that are not in the primary. Therefore, it's recommended that 9.3.0 and 9.3.1 standby servers be re-cloned from the primary (e.g., with a new base backup) after upgrading.
Fix initialization of pg_clog and pg_subtrans during hot standby startup:
This bug can cause data loss on standby servers at the moment they start to accept hot-standby queries, by marking committed transactions as uncommitted. The likelihood of such corruption is small unless, at the time of standby startup, the primary server has executed many updating transactions since its last checkpoint. Symptoms include missing rows, rows that should have been deleted being still visible, and obsolete versions of updated rows being still visible alongside their newer versions.
This bug was introduced in versions 9.3.0, 9.2.5, 9.1.10, and 9.0.14. Standby servers that have only been running earlier releases are not at risk. It's recommended that standby servers that have ever run any of the buggy releases be re-cloned from the primary (e.g., with a new base backup) after upgrading.
Fix multiple bugs in update chain traversal:
These bugs could result in incorrect behavior, such as locking or even updating the wrong row, in the presence of concurrent updates. Spurious "unable to fetch updated version of tuple" errors were also possible.
Fix dangling-pointer problem in fast-path locking:
This could lead to corruption of the lock data structures in shared memory, causing "lock already held" and other odd errors.
Fix assorted race conditions in timeout management:
These errors could result in a server process becoming unresponsive because it had blocked SIGALRM and/or SIGINT.
Truncate pg_multixact contents during WAL replay:
This avoids ever-increasing disk space consumption in standby servers.
Ensure an anti-wraparound VACUUM counts a page as scanned when it's only verified that no tuples need freezing:
This bug could result in failing to advance relfrozenxid, so that the table would still be thought to need another anti-wraparound vacuum. In the worst case the database might even shut down to prevent wraparound.
Fix full-table-vacuum request mechanism for MultiXactIds:
This bug could result in large amounts of useless autovacuum activity.
Fix race condition in GIN index posting tree page deletion:
This could lead to transient wrong answers or query failures.
Fix "unexpected spgdoinsert() failure" error during SP-GiST index creation
Fix assorted bugs in materialized views
Re-allow duplicate table aliases if they're within aliased JOINs:
Historically PostgreSQL has accepted queries like
SELECT ... FROM tab1 x CROSS JOIN (tab2 x CROSS JOIN tab3 y) z
although a strict reading of the SQL standard would forbid the duplicate usage of table alias x. A misguided change in 9.3.0 caused it to reject some such cases that were formerly accepted. Restore the previous behavior.
Avoid flattening a subquery whose SELECT list contains a volatile function wrapped inside a sub-SELECT:
This avoids unexpected results due to extra evaluations of the volatile function.
Fix planner's processing of non-simple-variable subquery outputs nested within outer joins:
This error could lead to incorrect plans for queries involving multiple levels of subqueries within JOIN syntax.
Fix incorrect planning in cases where the same non-strict expression appears in multiple WHERE and outer JOIN equality clauses
Fix planner crash with whole-row reference to a subquery
Fix incorrect generation of optimized MIN()/MAX() plans for inheritance trees
The planner could fail in cases where the MIN()/MAX() argument was an expression rather than a simple variable.
Fix premature deletion of temporary files
Prevent intra-transaction memory leak when printing range values:
This fix actually cures transient memory leaks in any datatype output function, but range types are the only ones known to have had a significant problem.
Fix memory leaks when reloading configuration files
Prevent incorrect display of dropped columns in NOT NULL and CHECK constraint violation messages
Allow default arguments and named-argument notation for window functions
Previously, these cases were likely to crash.
Suppress trailing whitespace on each line when pretty-printing rules and views:
9.3.0 generated such whitespace in many more cases than previous versions did. To reduce unexpected behavioral changes, suppress unnecessary whitespace in all cases.
Fix possible read past end of memory in rule printing
Fix array slicing of int2vector and oidvector values:
Expressions of this kind are now implicitly promoted to regular int2 or oid arrays.
Return a valid JSON value when converting an empty hstore value to json
Fix incorrect behaviors when using a SQL-standard, simple GMT offset timezone:
In some cases, the system would use the simple GMT offset value when it should have used the regular timezone setting that had prevailed before the simple offset was selected. This change also causes the timeofday function to honor the simple GMT offset zone.
Prevent possible misbehavior when logging translations of Windows error codes
Properly quote generated command lines in pg_ctl:
This fix applies only to Windows.
Fix pg_dumpall to work when a source database sets default_transaction_read_only via ALTER DATABASE SET:
Previously, the generated script would fail during restore.
Fix pg_isready to handle its -d option properly
Fix parsing of WAL file names in pg_receivexlog
This error made pg_receivexlog unable to restart streaming after stopping, once at least 4 GB of WAL had been written.
Report out-of-disk-space failures properly in pg_upgrade
Make ecpg search for quoted cursor names case-sensitively
Fix ecpg's processing of lists of variables declared varchar
Make contrib/lo defend against incorrect trigger definitions
Update time zone data files to tzdata release 2013h for DST law changes in Argentina, Brazil, Jordan, Libya, Liechtenstein, Morocco, and Palestine. Also, new timezone abbreviations WIB, WIT, WITA for Indonesia.

New in PostgreSQL 9.3.1 (Oct 10, 2013)

New in PostgreSQL 9.3.0 (Sep 9, 2013)

New in PostgreSQL 9.2.4 (Apr 4, 2013)

Changes:
Fix insecure parsing of server command-line switches (Mitsumasa Kondo, Kyotaro Horiguchi)
A connection request containing a database name that begins with "-" could be crafted to damage or destroy files within the server's data directory, even if the request is eventually rejected. (CVE-2013-1899)
Reset OpenSSL randomness state in each postmaster child process (Marko Kreen). This avoids a scenario wherein random numbers generated by contrib/pgcrypto functions might be relatively easy for another database user to guess. The risk is only significant when the postmaster is configured with ssl = on but most connections don't use SSL encryption. (CVE-2013-1900)
Make REPLICATION privilege checks test current user not authenticated user (Noah Misch)
An unprivileged database user could exploit this mistake to call pg_start_backup() or pg_stop_backup(), thus possibly interfering with creation of routine backups. (CVE-2013-1901)
Fix GiST indexes to not use "fuzzy" geometric comparisons when it's not appropriate to do so (Alexander Korotkov). The core geometric types perform comparisons using "fuzzy" equality, but gist_box_same must do exact comparisons, else GiST indexes using it might become inconsistent. After installing this update, users should REINDEX any GiST indexes on box, polygon, circle, or point columns, since all of these use gist_box_same.
Fix erroneous range-union and penalty logic in GiST indexes that use contrib/btree_gist for variable-width data types, that is text, bytea, bit, and numeric columns (Tom Lane). These errors could result in inconsistent indexes in which some keys that are present would not be found by searches, and also in useless index bloat. Users are advised to REINDEX such indexes after installing this update.
Fix bugs in GiST page splitting code for multi-column indexes (Tom Lane). These errors could result in inconsistent indexes in which some keys that are present would not be found by searches, and also in indexes that are unnecessarily inefficient to search. Users are advised to REINDEX multi-column GiST indexes after installing this update.
Fix gist_point_consistent to handle fuzziness consistently (Alexander Korotkov)
Index scans on GiST indexes on point columns would sometimes yield results different from a sequential scan, because gist_point_consistent disagreed with the underlying operator code about whether to do comparisons exactly or fuzzily.
Fix buffer leak in WAL replay (Heikki Linnakangas). This bug could result in "incorrect local pin count" errors during replay, making recovery impossible.
Ensure we do crash recovery before entering archive recovery, if the database was not stopped cleanly and a recovery.conf file is present (Heikki Linnakangas, Kyotaro Horiguchi, Mitsumasa Kondo). This is needed to ensure that the database is consistent in certain scenarios, such as initializing a standby server with a filesystem snapshot from a running server.
Avoid deleting not-yet-archived WAL files during crash recovery (Heikki Linnakangas, Fujii Masao)
Fix race condition in DELETE RETURNING (Tom Lane). Under the right circumstances, DELETE RETURNING could attempt to fetch data from a shared buffer that the current process no longer has any pin on. If some other process changed the buffer meanwhile, this would lead to garbage RETURNING output, or even a crash.
Fix infinite-loop risk in regular expression compilation (Tom Lane, Don Porter)
Fix potential null-pointer dereference in regular expression compilation (Tom Lane)
Fix to_char() to use ASCII-only case-folding rules where appropriate (Tom Lane). This fixes misbehavior of some template patterns that should be locale-independent, but mishandled "I" and "i" in Turkish locales.
Fix unwanted rejection of timestamp 1999-12-31 24:00:00 (Tom Lane)
Fix SQL-language functions to be safely usable as support functions for range types (Tom Lane)
Fix logic error when a single transaction does UNLISTEN then LISTEN (Tom Lane). The session wound up not listening for notify events at all, though it surely should listen in this case.
Fix possible planner crash after columns have been added to a view that's depended on by another view (Tom Lane)
Fix performance issue in EXPLAIN (ANALYZE, TIMING OFF) (Pavel Stehule)
Remove useless "picksplit doesn't support secondary split" log messages (Josh Hansen, Tom Lane). This message seems to have been added in expectation of code that was never written, and probably never will be, since GiST's default handling of secondary splits is actually pretty good. So stop nagging end users about it.
Remove vestigial secondary-split support in gist_box_picksplit() (Tom Lane). Not only was this implementation of secondary-split not better than the default implementation, it's actually worse. So remove it and let the default code path handle the case.
Fix possible failure to send a session's last few transaction commit/abort counts to the statistics collector (Tom Lane)
Eliminate memory leaks in PL/Perl's spi_prepare() function (Alex Hunsaker, Tom Lane)
Fix pg_dumpall to handle database names containing "=" correctly (Heikki Linnakangas)
Avoid crash in pg_dump when an incorrect connection string is given (Heikki Linnakangas). Ignore invalid indexes in pg_dump and pg_upgrade (Michael Paquier, Bruce Momjian). Dumping invalid indexes can cause problems at restore time, for example if the reason the index creation failed was because it tried to enforce a uniqueness condition not satisfied by the table's data. Also, if the index creation is in fact still in progress, it seems reasonable to consider it to be an uncommitted DDL change, which pg_dump wouldn't be expected to dump anyway. pg_upgrade now also skips invalid indexes rather than failing.
In pg_basebackup, include only the current server version's subdirectory when backing up a tablespace (Heikki Linnakangas)
Add a server version check in pg_basebackup and pg_receivexlog, so they fail cleanly with version combinations that won't work (Heikki Linnakangas)
Fix contrib/dblink to handle inconsistent settings of DateStyle or IntervalStyle safely (Daniel Farina, Tom Lane). Previously, if the remote server had different settings of these parameters, ambiguous dates might be read incorrectly. This fix ensures that datetime and interval columns fetched by a dblink query will be interpreted correctly. Note however that inconsistent settings are still risky, since literal values appearing in SQL commands sent to the remote server might be interpreted differently than they would be locally.
Fix contrib/pg_trgm's similarity() function to return zero for trigram-less strings (Tom Lane). Previously it returned NaN due to internal division by zero.
Enable building PostgreSQL with Microsoft Visual Studio 2012 (Brar Piening, Noah Misch)
Update time zone data files to tzdata release 2013b for DST law changes in Chile, Haiti, Morocco, Paraguay, and some Russian areas. Also, historical zone data corrections for numerous places. Also, update the time zone abbreviation files for recent changes in Russia and elsewhere: CHOT, GET, IRKT, KGT, KRAT, MAGT, MAWT, MSK, NOVT, OMST, TKT, VLAT, WST, YAKT, YEKT now follow their current meanings, and VOLT (Europe/Volgograd) and MIST (Antarctica/Macquarie) are added to the default abbreviations list.

New in PostgreSQL 9.2.3 (Feb 8, 2013)

Changes:
Prevent execution of enum_recv from SQL
The function was misdeclared, allowing a simple SQL command to crash the server. In principle an attacker might be able to use it to examine the contents of server memory.
Fix multiple problems in detection of when a consistent database state has been reached during WAL replay
Fix detection of end-of-backup point when no actual redo work is required
This mistake could result in incorrect "WAL ends before end of online backup" errors.
Update minimum recovery point when truncating a relation file
Once data has been discarded, it's no longer safe to stop recovery at an earlier point in the timeline.
Fix recycling of WAL segments after changing recovery target timeline
Properly restore timeline history files from archive on cascading standby servers
Fix lock conflict detection on hot-standby servers
Fix missing cancellations in hot standby mode
The need to cancel conflicting hot-standby queries would sometimes be missed, allowing those queries to see inconsistent data.
Prevent recovery pause feature from pausing before users can connect
Fix SQL grammar to allow subscripting or field selection from a sub-SELECT result
Fix performance problems with autovacuum truncation in busy workloads
Truncation of empty pages at the end of a table requires exclusive lock, but autovacuum was coded to fail (and release the table lock) when there are conflicting lock requests. Under load, it is easily possible that truncation would never occur, resulting in table bloat. Fix by performing a partial truncation, releasing the lock, then attempting to re-acquire the lock and continue. This fix also greatly reduces the average time before autovacuum releases the lock after a conflicting request arrives.
Improve performance of SPI_execute and related functions, thereby improving PL/pgSQL's EXECUTE
Remove some data-copying overhead that was added in 9.2 as a consequence of revisions in the plan caching mechanism. This eliminates a performance regression compared to 9.1, and also saves memory, especially when the query string to be executed contains many SQL statements.
A side benefit is that multi-statement query strings are now processed fully serially, that is we complete execution of earlier statements before running parse analysis and planning on the following ones. This eliminates a long-standing issue, in that DDL that should affect the behavior of a later statement will now behave as expected.
Restore pre-9.2 cost estimates for index usage
An ill-considered change of a fudge factor led to undesirably high cost estimates for use of very large indexes.
Fix intermittent crash in DROP INDEX CONCURRENTLY
Fix potential corruption of shared-memory lock table during CREATE/DROP INDEX CONCURRENTLY
Fix COPY's multiple-tuple-insertion code for the case of a tuple larger than page size minus fillfactor
The previous coding could get into an infinite loop.
Protect against race conditions when scanning pg_tablespace
CREATE DATABASE and DROP DATABASE could misbehave if there were concurrent updates of pg_tablespace entries.
Prevent DROP OWNED from trying to drop whole databases or tablespaces
For safety, ownership of these objects must be reassigned, not dropped.
Fix error in vacuum_freeze_table_age implementation (Andres Freund)
The main consequence of this mistake is that lowering vacuum_freeze_min_age would cause full-table vacuuming scans to occur much more frequently than intended.
Prevent misbehavior when a RowExpr or XmlExpr is parse-analyzed twice
This mistake could be user-visible in contexts such as CREATE TABLE LIKE INCLUDING INDEXES.
Improve defenses against integer overflow in hashtable sizing calculations
Fix some bugs associated with privileges on datatypes
There were some issues with default privileges for types, and pg_dump failed to dump such privileges at all.
Fix failure to ignore leftover temporary tables after a server crash
Fix failure to rotate postmaster log files for size reasons on Windows
Reject out-of-range dates in to_date()
Fix pg_extension_config_dump() to handle extension-update cases properly
This function will now replace any existing entry for the target table, making it usable in extension update scripts.
Fix PL/pgSQL's reporting of plan-time errors in possibly-simple expressions
The previous coding resulted in sometimes omitting the first line in the CONTEXT traceback for the error.
Fix PL/Python's handling of functions used as triggers on multiple tables
Ensure that non-ASCII prompt strings are translated to the correct code page on Windows
This bug affected psql and some other client programs.
Fix possible crash in psql's \? command when not connected to a database
Fix possible error if a relation file is removed while pg_basebackup is running
Tolerate timeline switches while pg_basebackup -X fetch is backing up a standby server
Make pg_dump exclude data of unlogged tables when running on a hot-standby server
This would fail anyway because the data is not available on the standby server, so it seems most convenient to assume --no-unlogged-table-data automatically.
Fix pg_upgrade to deal with invalid indexes safely
Fix pg_upgrade's -O/-o options
Fix one-byte buffer overrun in libpq's PQprintTuples
This ancient function is not used anywhere by PostgreSQL itself, but it might still be used by some client code.
Make ecpglib use translated messages properly
Properly install ecpg_compat and pgtypes libraries on MSVC
Include our version of isinf() in libecpg if it's not provided by the system
Rearrange configure's tests for supplied functions so it is not fooled by bogus exports from libedit/libreadline
Ensure Windows build number increases over time
Make pgxs build executables with the right .exe suffix when cross-compiling for Windows
Add new timezone abbreviation FET
This is now used in some eastern-European time zones.

New in PostgreSQL 9.2.2 (Dec 7, 2012)

Changes:
Fix multiple bugs associated with CREATE/DROP INDEX CONCURRENTLY
An error introduced while adding DROP INDEX CONCURRENTLY allowed incorrect indexing decisions to be made during the initial phase of CREATE INDEX CONCURRENTLY; so that indexes built by that command could be corrupt. It is recommended that indexes built in 9.2.X with CREATE INDEX CONCURRENTLY be rebuilt after applying this update.
In addition, fix CREATE/DROP INDEX CONCURRENTLY to use in-place updates when changing the state of an index's pg_index row. This prevents race conditions that could cause concurrent sessions to miss updating the target index, thus again resulting in corrupt concurrently-created indexes.
Also, fix various other operations to ensure that they ignore invalid indexes resulting from a failed CREATE INDEX CONCURRENTLY command. The most important of these is VACUUM, because an auto-vacuum could easily be launched on the table before corrective action can be taken to fix or remove the invalid index.
Also fix DROP INDEX CONCURRENTLY to not disable insertions into the target index until all queries using it are done.
Also fix misbehavior if DROP INDEX CONCURRENTLY is canceled: the previous coding could leave an un-droppable index behind.
Correct predicate locking for DROP INDEX CONCURRENTLY
Previously, SSI predicate locks were processed at the wrong time, possibly leading to incorrect behavior of serializable transactions executing in parallel with the DROP.
Fix buffer locking during WAL replay
The WAL replay code was insufficiently careful about locking buffers when replaying WAL records that affect more than one page. This could result in hot standby queries transiently seeing inconsistent states, resulting in wrong answers or unexpected failures.
Fix an error in WAL generation logic for GIN indexes
This could result in index corruption, if a torn-page failure occurred.
Fix an error in WAL replay logic for SP-GiST indexes
This could result in index corruption after a crash, or on a standby server.
Fix incorrect detection of end-of-base-backup location during WAL recovery
This mistake allowed hot standby mode to start up before the database reaches a consistent state.
Properly remove startup process's virtual XID lock when promoting a hot standby server to normal running
This oversight could prevent subsequent execution of certain operations such as CREATE INDEX CONCURRENTLY.
Avoid bogus "out-of-sequence timeline ID" errors in standby mode
Prevent the postmaster from launching new child processes after it's received a shutdown signal
This mistake could result in shutdown taking longer than it should, or even never completing at all without additional user action.
Fix the syslogger process to not fail when log_rotation_age exceeds 2^31 milliseconds (about 25 days)
Fix WaitLatch() to return promptly when the requested timeout expires
With the previous coding, a steady stream of non-wait-terminating interrupts could delay return from WaitLatch() indefinitely. This has been shown to be a problem for the autovacuum launcher process, and might cause trouble elsewhere as well.
Avoid corruption of internal hash tables when out of memory
Prevent file descriptors for dropped tables from being held open past transaction end
This should reduce problems with long-since-dropped tables continuing to occupy disk space.
Prevent database-wide crash and restart when a new child process is unable to create a pipe for its latch
Although the new process must fail, there is no good reason to force a database-wide restart, so avoid that. This improves robustness when the kernel is nearly out of file descriptors.
Avoid planner crash with joins to unflattened subqueries
Fix planning of non-strict equivalence clauses above outer joins
The planner could derive incorrect constraints from a clause equating a non-strict construct to something else, for example WHERE COALESCE(foo, 0) = 0 when foo is coming from the nullable side of an outer join. 9.2 showed this type of error in more cases than previous releases, but the basic bug has been there for a long time.
Fix SELECT DISTINCT with index-optimized MIN/MAX on an inheritance tree
The planner would fail with "failed to re-find MinMaxAggInfo record" given this combination of factors.
Make sure the planner sees implicit and explicit casts as equivalent for all purposes, except in the minority of cases where there's actually a semantic difference
Include join clauses when considering whether partial indexes can be used for a query
A strict join clause can be sufficient to establish an x IS NOT NULL predicate, for example. This fixes a planner regression in 9.2, since previous versions could make comparable deductions.
Limit growth of planning time when there are many indexable join clauses for the same index
Improve planner's ability to prove exclusion constraints from equivalence classes
Fix partial-row matching in hashed subplans to handle cross-type cases correctly
This affects multicolumn NOT IN subplans, such as WHERE (a, b) NOT IN (SELECT x, y FROM ...) when for instance b and y are int4 and int8 respectively. This mistake led to wrong answers or crashes depending on the specific datatypes involved.
Fix btree mark/restore functions to handle array keys
This oversight could result in wrong answers from merge joins whose inner side is an index scan using an indexed_column = ANY(array) condition.
Revert patch for taking fewer snapshots
The 9.2 change to reduce the number of snapshots taken during query execution led to some anomalous behaviors not seen in previous releases, because execution would proceed with a snapshot acquired before locking the tables used by the query. Thus, for example, a query would not be guaranteed to see updates committed by a preceding transaction even if that transaction had exclusive lock. We'll probably revisit this in future releases, but meanwhile put it back the way it was before 9.2.
Acquire buffer lock when re-fetching the old tuple for an AFTER ROW UPDATE/DELETE trigger
In very unusual circumstances, this oversight could result in passing incorrect data to a trigger WHEN condition, or to the precheck logic for a foreign-key enforcement trigger. That could result in a crash, or in an incorrect decision about whether to fire the trigger.
Fix ALTER COLUMN TYPE to handle inherited check constraints properly
This worked correctly in pre-8.4 releases, and now works correctly in 8.4 and later.
Fix ALTER EXTENSION SET SCHEMA's failure to move some subsidiary objects into the new schema
Handle CREATE TABLE AS EXECUTE correctly in extended query protocol
Don't modify the input parse tree in DROP RULE IF NOT EXISTS and DROP TRIGGER IF NOT EXISTS
This mistake would cause errors if a cached statement of one of these types was re-executed.
Fix REASSIGN OWNED to handle grants on tablespaces
Ignore incorrect pg_attribute entries for system columns for views
Views do not have any system columns. However, we forgot to remove such entries when converting a table to a view. That's fixed properly for 9.3 and later, but in previous branches we need to defend against existing mis-converted views.
Fix rule printing to dump INSERT INTO table DEFAULT VALUES correctly
Guard against stack overflow when there are too many UNION/INTERSECT/EXCEPT clauses in a query
Prevent platform-dependent failures when dividing the minimum possible integer value by -1
Fix possible access past end of string in date parsing
Fix failure to advance XID epoch if XID wraparound happens during a checkpoint and wal_level is hot_standby
While this mistake had no particular impact on PostgreSQL itself, it was bad for applications that rely on txid_current() and related functions: the TXID value would appear to go backwards.
Fix pg_terminate_backend() and pg_cancel_backend() to not throw error for a non-existent target process
This case already worked as intended when called by a superuser, but not so much when called by ordinary users.
Fix display of pg_stat_replication.sync_state at a page boundary
Produce an understandable error message if the length of the path name for a Unix-domain socket exceeds the platform-specific limit
Formerly, this would result in something quite unhelpful, such as "Non-recoverable failure in name resolution".
Fix memory leaks when sending composite column values to the client
Save some cycles by not searching for subtransaction locks at commit
In a transaction holding many exclusive locks, this useless activity could be quite costly.
Make pg_ctl more robust about reading the postmaster.pid file
This fixes race conditions and possible file descriptor leakage.
Fix possible crash in psql if incorrectly-encoded data is presented and the client_encoding setting is a client-only encoding, such as SJIS
Make pg_dump dump SEQUENCE SET items in the data not pre-data section of the archive
This fixes an undesirable inconsistency between the meanings of --data-only and --section=data, and also fixes dumping of sequences that are marked as extension configuration tables.
Fix pg_dump's handling of DROP DATABASE commands in --clean mode
Beginning in 9.2.0, pg_dump --clean would issue a DROP DATABASE command, which was either useless or dangerous depending on the usage scenario. It no longer does that. This change also fixes the combination of --clean and --create to work sensibly, i.e., emit DROP DATABASE then CREATE DATABASE before reconnecting to the target database.
Fix pg_dump for views with circular dependencies and no relation options
The previous fix to dump relation options when a view is involved in a circular dependency didn't work right for the case that the view has no options; it emitted ALTER VIEW foo SET () which is invalid syntax.
Fix bugs in the restore.sql script emitted by pg_dump in tar output format
The script would fail outright on tables whose names include upper-case characters. Also, make the script capable of restoring data in --inserts mode as well as the regular COPY mode.
Fix pg_restore to accept POSIX-conformant tar files
The original coding of pg_dump's tar output mode produced files that are not fully conformant with the POSIX standard. This has been corrected for version 9.3. This patch updates previous branches so that they will accept both the incorrect and the corrected formats, in hopes of avoiding compatibility problems when 9.3 comes out.
Fix tar files emitted by pg_basebackup to be POSIX conformant
Fix pg_resetxlog to locate postmaster.pid correctly when given a relative path to the data directory
This mistake could lead to pg_resetxlog not noticing that there is an active postmaster using the data directory.
Fix libpq's lo_import() and lo_export() functions to report file I/O errors properly
Fix ecpg's processing of nested structure pointer variables
Fix ecpg's ecpg_get_data function to handle arrays properly
Prevent pg_upgrade from trying to process TOAST tables for system catalogs
This fixes an error seen when the information_schema has been dropped and recreated. Other failures were also possible.
Improve pg_upgrade performance by setting synchronous_commit to off in the new cluster
Make contrib/pageinspect's btree page inspection functions take buffer locks while examining pages
Work around unportable behavior of malloc(0) and realloc(NULL, 0)
On platforms where these calls return NULL, some code mistakenly thought that meant out-of-memory. This is known to have broken pg_dump for databases containing no user-defined aggregates. There might be other cases as well.
Ensure that make install for an extension creates the extension installation directory
Previously, this step was missed if MODULEDIR was set in the extension's Makefile.
Fix pgxs support for building loadable modules on AIX
Building modules outside the original source tree didn't work on AIX.
Update time zone data files to tzdata release 2012j for DST law changes in Cuba, Israel, Jordan, Libya, Palestine, Western Samoa, and portions of Brazil.

New in PostgreSQL 9.2.1 (Sep 24, 2012)

New in PostgreSQL 9.2.0 (Sep 10, 2012)

New in PostgreSQL 9.1.5-1 (Aug 18, 2012)

Prevent access to external files/URLs via XML entity references
xml_parse() would attempt to fetch external files or URLs as needed to resolve DTD and entity references in an XML value, thus allowing unprivileged database users to attempt to fetch data with the privileges of the database server. While the external data wouldn't get returned directly to the user, portions of it could be exposed in error messages if the data didn't parse as valid XML; and in any case the mere ability to check existence of a file might be useful to an attacker. (CVE-2012-3489)
Prevent access to external files/URLs via contrib/xml2's xslt_process()
libxslt offers the ability to read and write both files and URLs through stylesheet commands, thus allowing unprivileged database users to both read and write data with the privileges of the database server. Disable that through proper use of libxslt's security options. (CVE-2012-3488)
Also, remove xslt_process()'s ability to fetch documents and stylesheets from external files/URLs. While this was a documented "feature", it was long regarded as a bad idea. The fix for CVE-2012-3489 broke that capability, and rather than expend effort on trying to fix it, we're just going to summarily remove it.
Prevent too-early recycling of btree index pages
When we allowed read-only transactions to skip assigning XIDs, we introduced the possibility that a deleted btree page could be recycled while a read-only transaction was still in flight to it. This would result in incorrect index search results. The probability of such an error occurring in the field seems very low because of the timing requirements, but nonetheless it should be fixed.
Fix crash-safety bug with newly-created-or-reset sequences
If ALTER SEQUENCE was executed on a freshly created or reset sequence, and then precisely one nextval() call was made on it, and then the server crashed, WAL replay would restore the sequence to a state in which it appeared that no nextval() had been done, thus allowing the first sequence value to be returned again by the next nextval() call. In particular this could manifest for serial columns, since creation of a serial column's sequence includes an ALTER SEQUENCE OWNED BY step.
Fix race condition in enum-type value comparisons
Comparisons could fail when encountering an enum value added since the current query started.
Fix txid_current() to report the correct epoch when not in hot standby
This fixes a regression introduced in the previous minor release.
Prevent selection of unsuitable replication connections as the synchronous standby (Fujii Masao)
The master might improperly choose pseudo-servers such as pg_receivexlog or pg_basebackup as the synchronous standby, and then wait indefinitely for them.
Fix bug in startup of Hot Standby when a master transaction has many subtransactions (Andres Freund)
This mistake led to failures reported as "out-of-order XID insertion in KnownAssignedXids".
Ensure the backup_label file is fsync'd after pg_start_backup() (Dave Kerr)
Fix timeout handling in walsender processes (Tom Lane)
WAL sender background processes neglected to establish a SIGALRM handler, meaning they would wait forever in some corner cases where a timeout ought to happen.
Wake walsenders after each background flush by walwriter (Andres Freund, Simon Riggs)
This greatly reduces replication delay when the workload contains only asynchronously-committed transactions.
Fix LISTEN/NOTIFY to cope better with I/O problems, such as out of disk space (Tom Lane)
After a write failure, all subsequent attempts to send more NOTIFY messages would fail with messages like "Could not read from file "pg_notify/nnnn" at offset nnnnn: Success".
Only allow autovacuum to be auto-canceled by a directly blocked process (Tom Lane)
The original coding could allow inconsistent behavior in some cases; in particular, an autovacuum could get canceled after less than deadlock_timeout grace period.
Improve logging of autovacuum cancels (Robert Haas)
Fix log collector so that log_truncate_on_rotation works during the very first log rotation after server start (Tom Lane)
Fix WITH attached to a nested set operation (UNION/INTERSECT/EXCEPT) (Tom Lane)
Ensure that a whole-row reference to a subquery doesn't include any extra GROUP BY or ORDER BY columns (Tom Lane)
Fix dependencies generated during ALTER TABLE ... ADD CONSTRAINT USING INDEX (Tom Lane)
This command left behind a redundant pg_depend entry for the index, which could confuse later operations, notably ALTER TABLE ... ALTER COLUMN TYPE on one of the indexed columns.
Fix REASSIGN OWNED to work on extensions (Alvaro Herrera)
Disallow copying whole-row references in CHECK constraints and index definitions during CREATE TABLE (Tom Lane)
This situation can arise in CREATE TABLE with LIKE or INHERITS. The copied whole-row variable was incorrectly labeled with the row type of the original table not the new one. Rejecting the case seems reasonable for LIKE, since the row types might well diverge later. For INHERITS we should ideally allow it, with an implicit coercion to the parent table's row type; but that will require more work than seems safe to back-patch.
Fix memory leak in ARRAY(SELECT ...) subqueries (Heikki Linnakangas, Tom Lane)
Fix planner to pass correct collation to operator selectivity estimators (Tom Lane)
This was not previously required by any core selectivity estimation function, but third-party code might need it.
Fix extraction of common prefixes from regular expressions (Tom Lane)
The code could get confused by quantified parenthesized subexpressions, such as ^(foo)?bar. This would lead to incorrect index optimization of searches for such patterns.
Fix bugs with parsing signed hh:mm and hh:mm:ss fields in interval constants (Amit Kapila, Tom Lane)
Fix pg_dump to better handle views containing partial GROUP BY lists (Tom Lane)
A view that lists only a primary key column in GROUP BY, but uses other table columns as if they were grouped, gets marked as depending on the primary key. Improper handling of such primary key dependencies in pg_dump resulted in poorly-ordered dumps, which at best would be inefficient to restore and at worst could result in outright failure of a parallel pg_restore run.
In PL/Perl, avoid setting UTF8 flag when in SQL_ASCII encoding (Alex Hunsaker, Kyotaro Horiguchi, Alvaro Herrera)
Use Postgres' encoding conversion functions, not Python's, when converting a Python Unicode string to the server encoding in PL/Python (Jan Urbanski)
This avoids some corner-case problems, notably that Python doesn't support all the encodings Postgres does. A notable functional change is that if the server encoding is SQL_ASCII, you will get the UTF-8 representation of the string; formerly, any non-ASCII characters in the string would result in an error.
Fix mapping of PostgreSQL encodings to Python encodings in PL/Python (Jan Urbanski)
Report errors properly in contrib/xml2's xslt_process() (Tom Lane)
Update time zone data files to tzdata release 2012e for DST law changes in Morocco and Tokelau

New in PostgreSQL 9.1.4-1 (Jun 4, 2012)

Fix incorrect password transformation in contrib/pgcrypto's DES crypt() function (Solar Designer)
If a password string contained the byte value 0x80, the remainder of the password was ignored, causing the password to be much weaker than it appeared. With this fix, the rest of the string is properly included in the DES hash. Any stored password values that are affected by this bug will thus no longer match, so the stored values may need to be updated. (CVE-2012-2143)
Ignore SECURITY DEFINER and SET attributes for a procedural language's call handler
Applying such attributes to a call handler could crash the server. (CVE-2012-2655)
Make contrib/citext's upgrade script fix collations of citext arrays and domains over citext
Release 9.1.2 provided a fix for collations of citext columns and indexes in databases upgraded or reloaded from pre-9.1 installations, but that fix was incomplete: it neglected to handle arrays and domains over citext. This release extends the module's upgrade script to handle these cases. As before, if you have already run the upgrade script, you'll need to run the collation update commands by hand instead. See the 9.1.2 release notes for more information about doing this.
Allow numeric timezone offsets in timestamp input to be up to 16 hours away from UTC
Some historical time zones have offsets larger than 15 hours, the previous limit. This could result in dumped data values being rejected during reload.
Fix timestamp conversion to cope when the given time is exactly the last DST transition time for the current timezone
This oversight has been there a long time, but was not noticed previously because most DST-using zones are presumed to have an indefinite sequence of future DST transitions.
Fix text to name and char to name casts to perform string truncation correctly in multibyte encodings
Fix memory copying bug in to_tsquery()
Ensure txid_current() reports the correct epoch when executed in hot standby
Fix planner's handling of outer PlaceHolderVars within subqueries
This bug concerns sub-SELECTs that reference variables coming from the nullable side of an outer join of the surrounding query. In 9.1, queries affected by this bug would fail with "ERROR: Upper-level PlaceHolderVar found where not expected". But in 9.0 and 8.4, you'd silently get possibly-wrong answers, since the value transmitted into the subquery wouldn't go to null when it should.
Fix planning of UNION ALL subqueries with output columns that are not simple variables
Planning of such cases got noticeably worse in 9.1 as a result of a misguided fix for "MergeAppend child's targetlist doesn't match MergeAppend" errors. Revert that fix and do it another way.
Fix slow session startup when pg_attribute is very large
If pg_attribute exceeds one-fourth of shared_buffers, cache rebuilding code that is sometimes needed during session start would trigger the synchronized-scan logic, causing it to take many times longer than normal. The problem was particularly acute if many new sessions were starting at once.
Ensure sequential scans check for query cancel reasonably often
A scan encountering many consecutive pages that contain no live tuples would not respond to interrupts meanwhile.
Ensure the Windows implementation of PGSemaphoreLock() clears ImmediateInterruptOK before returning
This oversight meant that a query-cancel interrupt received later in the same query could be accepted at an unsafe time, with unpredictable but not good consequences.
Show whole-row variables safely when printing views or rules
Corner cases involving ambiguous names (that is, the name could be either a table or column name of the query) were printed in an ambiguous way, risking that the view or rule would be interpreted differently after dump and reload. Avoid the ambiguous case by attaching a no-op cast.
Fix COPY FROM to properly handle null marker strings that correspond to invalid encoding
A null marker string such as E'\\0' should work, and did work in the past, but the case got broken in 8.4.
Fix EXPLAIN VERBOSE for writable CTEs containing RETURNING clauses
Fix PREPARE TRANSACTION to work correctly in the presence of advisory locks
Historically, PREPARE TRANSACTION has simply ignored any session-level advisory locks the session holds, but this case was accidentally broken in 9.1.
Fix truncation of unlogged tables
Ignore missing schemas during non-interactive assignments of search_path
This re-aligns 9.1's behavior with that of older branches. Previously 9.1 would throw an error for nonexistent schemas mentioned in search_path settings obtained from places such as ALTER DATABASE SET.
Fix bugs with temporary or transient tables used in extension scripts
This includes cases such as a rewriting ALTER TABLE within an extension update script, since that uses a transient table behind the scenes.
Ensure autovacuum worker processes perform stack depth checking properly
Previously, infinite recursion in a function invoked by auto-ANALYZE could crash worker processes.
Fix logging collector to not lose log coherency under high load
The collector previously could fail to reassemble large messages if it got too busy.
Fix logging collector to ensure it will restart file rotation after receiving SIGHUP
Fix "too many LWLocks taken" failure in GiST indexes
Fix WAL replay logic for GIN indexes to not fail if the index was subsequently dropped
Correctly detect SSI conflicts of prepared transactions after a crash
Avoid synchronous replication delay when committing a transaction that only modified temporary tables
In such a case the transaction's commit record need not be flushed to standby servers, but some of the code didn't know that and waited for it to happen anyway.
Fix error handling in pg_basebackup
Fix walsender to not go into a busy loop if connection is terminated
Fix memory leak in PL/pgSQL's RETURN NEXT command
Fix PL/pgSQL's GET DIAGNOSTICS command when the target is the function's first variable
Ensure that PL/Perl package-qualifies the _TD variable
This bug caused trigger invocations to fail when they are nested within a function invocation that changes the current package.
Fix PL/Python functions returning composite types to accept a string for their result value
This case was accidentally broken by the 9.1 additions to allow a composite result value to be supplied in other formats, such as dictionaries.
Fix potential access off the end of memory in psql's expanded display (\x) mode
Fix several performance problems in pg_dump when the database contains many objects
pg_dump could get very slow if the database contained many schemas, or if many objects are in dependency loops, or if there are many owned sequences.
Fix memory and file descriptor leaks in pg_restore when reading a directory-format archive
Fix pg_upgrade for the case that a database stored in a non-default tablespace contains a table in the cluster's default tablespace
In ecpg, fix rare memory leaks and possible overwrite of one byte after the sqlca_t structure
Fix contrib/dblink's dblink_exec() to not leak temporary database connections upon error
Fix contrib/dblink to report the correct connection name in error messages
Fix contrib/vacuumlo to use multiple transactions when dropping many large objects
This change avoids exceeding max_locks_per_transaction when many objects need to be dropped. The behavior can be adjusted with the new -l (limit) option.
Update time zone data files to tzdata release 2012c for DST law changes in Antarctica, Armenia, Chile, Cuba, Falkland Islands, Gaza, Haiti, Hebron, Morocco, Syria, and Tokelau Islands; also historical corrections for Canada.

New in PostgreSQL 9.2.0 Beta 1 (May 15, 2012)

New in PostgreSQL 9.1.3-1 (Feb 28, 2012)

Require execute permission on the trigger function for CREATE TRIGGER
This missing check could allow another user to execute a trigger function with forged input data, by installing it on a table he owns. This is only of significance for trigger functions marked SECURITY DEFINER, since otherwise trigger functions run as the table owner anyway. (CVE-2012-0866)
Remove arbitrary limitation on length of common name in SSL certificates
Both libpq and the server truncated the common name extracted from an SSL certificate at 32 bytes. Normally this would cause nothing worse than an unexpected verification failure, but there are some rather-implausible scenarios in which it might allow one certificate holder to impersonate another. The victim would have to have a common name exactly 32 bytes long, and the attacker would have to persuade a trusted CA to issue a certificate in which the common name has that string as a prefix. Impersonating a server would also require some additional exploit to redirect client connections. (CVE-2012-0867)
Convert newlines to spaces in names written in pg_dump comments
pg_dump was incautious about sanitizing object names that are emitted within SQL comments in its output script. A name containing a newline would at least render the script syntactically incorrect. Maliciously crafted object names could present a SQL injection risk when the script is reloaded. (CVE-2012-0868)
Fix btree index corruption from insertions concurrent with vacuuming
An index page split caused by an insertion could sometimes cause a concurrently-running VACUUM to miss removing index entries that it should remove. After the corresponding table rows are removed, the dangling index entries would cause errors (such as "could not read block N in file ...") or worse, silently wrong query results after unrelated rows are re-inserted at the now-free table locations. This bug has been present since release 8.2, but occurs so infrequently that it was not diagnosed until now. If you have reason to suspect that it has happened in your database, reindexing the affected index will fix things.
Fix transient zeroing of shared buffers during WAL replay
The replay logic would sometimes zero and refill a shared buffer, so that the contents were transiently invalid. In hot standby mode this can result in a query that's executing in parallel seeing garbage data. Various symptoms could result from that, but the most common one seems to be "invalid memory alloc request size".
Fix handling of data-modifying WITH subplans in READ COMMITTED rechecking
A WITH clause containing INSERT/UPDATE/DELETE would crash if the parent UPDATE or DELETE command needed to be re-evaluated at one or more rows due to concurrent updates in READ COMMITTED mode.
Fix corner case in SSI transaction cleanup
When finishing up a read-write serializable transaction, a crash could occur if all remaining active serializable transactions are read-only.
Fix postmaster to attempt restart after a hot-standby crash
A logic error caused the postmaster to terminate, rather than attempt to restart the cluster, if any backend process crashed while operating in hot standby mode.
Fix CLUSTER/VACUUM FULL handling of toast values owned by recently-updated rows
This oversight could lead to "duplicate key value violates unique constraint" errors being reported against the toast table's index during one of these commands.
Update per-column permissions, not only per-table permissions, when changing table owner
Failure to do this meant that any previously granted column permissions were still shown as having been granted by the old owner. This meant that neither the new owner nor a superuser could revoke the now-untraceable-to-table-owner permissions.
Support foreign data wrappers and foreign servers in REASSIGN OWNED
This command failed with "unexpected classid" errors if it needed to change the ownership of any such objects.
Allow non-existent values for some settings in ALTER USER/DATABASE SET
Allow default_text_search_config, default_tablespace, and temp_tablespaces to be set to names that are not known. This is because they might be known in another database where the setting is intended to be used, or for the tablespace cases because the tablespace might not be created yet. The same issue was previously recognized for search_path, and these settings now act like that one.
Fix "unsupported node type" error caused by COLLATE in an INSERT expression
Avoid crashing when we have problems deleting table files post-commit
Dropping a table should lead to deleting the underlying disk files only after the transaction commits. In event of failure then (for instance, because of wrong file permissions) the code is supposed to just emit a warning message and go on, since it's too late to abort the transaction. This logic got broken as of release 8.4, causing such situations to result in a PANIC and an unrestartable database.
Recover from errors occurring during WAL replay of DROP TABLESPACE
Replay will attempt to remove the tablespace's directories, but there are various reasons why this might fail (for example, incorrect ownership or permissions on those directories). Formerly the replay code would panic, rendering the database unrestartable without manual intervention. It seems better to log the problem and continue, since the only consequence of failure to remove the directories is some wasted disk space.
Fix race condition in logging AccessExclusiveLocks for hot standby
Sometimes a lock would be logged as being held by "transaction zero". This is at least known to produce assertion failures on slave servers, and might be the cause of more serious problems.
Track the OID counter correctly during WAL replay, even when it wraps around
Previously the OID counter would remain stuck at a high value until the system exited replay mode. The practical consequences of that are usually nil, but there are scenarios wherein a standby server that's been promoted to master might take a long time to advance the OID counter to a reasonable value once values are needed.
Prevent emitting misleading "consistent recovery state reached" log message at the beginning of crash recovery (Heikki Linnakangas)
Fix initial value of pg_stat_replication.replay_location
Previously, the value shown would be wrong until at least one WAL record had been replayed.
Fix regular expression back-references with * attached
Rather than enforcing an exact string match, the code would effectively accept any string that satisfies the pattern sub-expression referenced by the back-reference symbol.
A similar problem still afflicts back-references that are embedded in a larger quantified expression, rather than being the immediate subject of the quantifier. This will be addressed in a future PostgreSQL release.
Fix recently-introduced memory leak in processing of inet/cidr values
A patch in the December 2011 releases of PostgreSQL caused memory leakage in these operations, which could be significant in scenarios such as building a btree index on such a column.
Fix planner's ability to push down index-expression restrictions through UNION ALL
This type of optimization was inadvertently disabled by a fix for another problem in 9.1.2.
Fix planning of WITH clauses referenced in UPDATE/DELETE on an inherited table
This bug led to "could not find plan for CTE" failures.
Fix GIN cost estimation to handle column IN (...) index conditions
This oversight would usually lead to crashes if such a condition could be used with a GIN index.
Prevent assertion failure when exiting a session with an open, failed transaction
This bug has no impact on normal builds with asserts not enabled.
Fix dangling pointer after CREATE TABLE AS/SELECT INTO in a SQL-language function
In most cases this only led to an assertion failure in assert-enabled builds, but worse consequences seem possible.
Avoid double close of file handle in syslogger on Windows
Ordinarily this error was invisible, but it would cause an exception when running on a debug version of Windows.
Fix I/O-conversion-related memory leaks in plpgsql
Certain operations would leak memory until the end of the current function.
Work around bug in perl's SvPVutf8() function
This function crashes when handed a typeglob or certain read-only objects such as $^V. Make plperl avoid passing those to it.
In pg_dump, don't dump contents of an extension's configuration tables if the extension itself is not being dumped
Improve pg_dump's handling of inherited table columns
pg_dump mishandled situations where a child column has a different default expression than its parent column. If the default is textually identical to the parent's default, but not actually the same (for instance, because of schema search path differences) it would not be recognized as different, so that after dump and restore the child would be allowed to inherit the parent's default. Child columns that are NOT NULL where their parent is not could also be restored subtly incorrectly.
Fix pg_restore's direct-to-database mode for INSERT-style table data
Direct-to-database restores from archive files made with --inserts or --column-inserts options fail when using pg_restore from a release dated September or December 2011, as a result of an oversight in a fix for another problem. The archive file itself is not at fault, and text-mode output is okay.
Teach pg_upgrade to handle renaming of plpython's shared library
Upgrading a pre-9.1 database that included plpython would fail because of this oversight.
Allow pg_upgrade to process tables containing regclass columns
Since pg_upgrade now takes care to preserve pg_class OIDs, there was no longer any reason for this restriction.
Make libpq ignore ENOTDIR errors when looking for an SSL client certificate file
This allows SSL connections to be established, though without a certificate, even when the user's home directory is set to something like /dev/null.
Fix some more field alignment issues in ecpg's SQLDA area
Allow AT option in ecpg DEALLOCATE statements
The infrastructure to support this has been there for awhile, but through an oversight there was still an error check rejecting the case.
Do not use the variable name when defining a varchar structure in ecpg
Fix contrib/auto_explain's JSON output mode to produce valid JSON
The output used brackets at the top level, when it should have used braces.
Fix error in contrib/intarray's int[] & int[] operator (Guillaume Lelarge)
If the smallest integer the two input arrays have in common is 1, and there are smaller values in either array, then 1 would be incorrectly omitted from the result.
Fix error detection in contrib/pgcrypto's encrypt_iv() and decrypt_iv()
These functions failed to report certain types of invalid-input errors, and would instead return random garbage values for incorrect input.
Fix one-byte buffer overrun in contrib/test_parser
The code would try to read one more byte than it should, which would crash in corner cases. Since contrib/test_parser is only example code, this is not a security issue in itself, but bad example code is still bad.
Use __sync_lock_test_and_set() for spinlocks on ARM, if available
This function replaces our previous use of the SWPB instruction, which is deprecated and not available on ARMv6 and later. Reports suggest that the old code doesn't fail in an obvious way on recent ARM boards, but simply doesn't interlock concurrent accesses, leading to bizarre failures in multiprocess operation.
Use -fexcess-precision=standard option when building with gcc versions that accept it
This prevents assorted scenarios wherein recent versions of gcc will produce creative results.
Allow use of threaded Python on FreeBSD
Our configure script previously believed that this combination wouldn't work; but FreeBSD fixed the problem, so remove that error check.
Allow MinGW builds to use standardly-named OpenSSL libraries

New in PostgreSQL 9.1.2-1 (Dec 5, 2011)

Fix bugs in information_schema.referential_constraints view (Tom Lane). This view was being insufficiently careful about matching the foreign-key constraint to the depended-on primary or unique key constraint. That could result in failure to show a foreign key constraint at all, or showing it multiple times, or claiming that it depends on a different constraint than the one it really does. Since the view definition is installed by initdb, merely upgrading will not fix the problem. If you need to fix this in an existing installation, you can (as a superuser) drop the information_schema schema then re-create it by sourcing SHAREDIR/information_schema.sql. (Run pg_config --sharedir if you're uncertain where SHAREDIR is.) This must be repeated in each database to be fixed.
Make contrib/citext's upgrade script fix collations of citext columns and indexes (Tom Lane). Existing citext columns and indexes aren't correctly marked as being of a collatable data type during pg_upgrade from a pre-9.1 server. That leads to operations on them failing with errors such as "could not determine which collation to use for string comparison". This change allows them to be fixed by the same script that upgrades the citext module into a proper 9.1 extension during CREATE EXTENSION citext FROM unpackaged. If you have a previously-upgraded database that is suffering from this problem, and you already ran the CREATE EXTENSION command, you can manually run (as superuser) the UPDATE commands found at the end of SHAREDIR/extension/citext--unpackaged--1.0.sql. (Run pg_config --sharedir if you're uncertain where SHAREDIR is.)
Fix possible crash during UPDATE or DELETE that joins to the output of a scalar-returning function (Tom Lane)
A crash could only occur if the target row had been concurrently updated, so this problem surfaced only intermittently.
Fix incorrect replay of WAL records for GIN index updates (Tom Lane)
This could result in transiently failing to find index entries after a crash, or on a hot-standby server. The problem would be repaired by the next VACUUM of the index, however.
Fix TOAST-related data corruption during CREATE TABLE dest AS SELECT * FROM src or INSERT INTO dest SELECT * FROM src (Tom Lane). If a table has been modified by ALTER TABLE ADD COLUMN, attempts to copy its data verbatim to another table could produce corrupt results in certain corner cases. The problem can only manifest in this precise form in 8.4 and later, but we patched earlier versions as well in case there are other code paths that could trigger the same bug.
Fix possible failures during hot standby startup (Simon Riggs)
Start hot standby faster when initial snapshot is incomplete (Simon Riggs)
Fix race condition during toast table access from stale syscache entries (Tom Lane)
The typical symptom was transient errors like "missing chunk number 0 for toast value NNNNN in pg_toast_2619", where the cited toast table would always belong to a system catalog.
Track dependencies of functions on items used in parameter default expressions (Tom Lane). Previously, a referenced object could be dropped without having dropped or modified the function, leading to misbehavior when the function was used. Note that merely installing this update will not fix the missing dependency entries; to do that, you'd need to CREATE OR REPLACE each such function afterwards. If you have functions whose defaults depend on non-built-in objects, doing so is recommended.
Fix incorrect management of placeholder variables in nestloop joins (Tom Lane). This bug is known to lead to "variable not found in subplan target list" planner errors, and could possibly result in wrong query output when outer joins are involved.
Fix window functions that sort by expressions involving aggregates (Tom Lane). Previously these could fail with "could not find pathkey item to sort" planner errors.
Fix "MergeAppend child's targetlist doesn't match MergeAppend" planner errors (Tom Lane)
Fix index matching for operators with both collatable and noncollatable inputs (Tom Lane). In 9.1.0, an indexable operator that has a non-collatable left-hand input type and a collatable right-hand input type would not be recognized as matching the left-hand column's index. An example is the hstore ? text operator.
Allow inlining of set-returning SQL functions with multiple OUT parameters (Tom Lane)
Don't trust deferred-unique indexes for join removal (Tom Lane and Marti Raudsepp). A deferred uniqueness constraint might not hold intra-transaction, so assuming that it does could give incorrect query results.
Make DatumGetInetP() unpack inet datums that have a 1-byte header, and add a new macro, DatumGetInetPP(), that does not (Heikki Linnakangas). This change affects no core code, but might prevent crashes in add-on code that expects DatumGetInetP() to produce an unpacked datum as per usual convention.
Improve locale support in money type's input and output (Tom Lane). Aside from not supporting all standard lc_monetary formatting options, the input and output functions were inconsistent, meaning there were locales in which dumped money values could not be re-read.
Don't let transform_null_equals affect CASE foo WHEN NULL ... constructs (Heikki Linnakangas). transform_null_equals is only supposed to affect foo = NULL expressions written directly by the user, not equality checks generated internally by this form of CASE.
Change foreign-key trigger creation order to better support self-referential foreign keys (Tom Lane). For a cascading foreign key that references its own table, a row update will fire both the ON UPDATE trigger and the CHECK trigger as one event. The ON UPDATE trigger must execute first, else the CHECK will check a non-final state of the row and possibly throw an inappropriate error. However, the firing order of these triggers is determined by their names, which generally sort in creation order since the triggers have auto-generated names following the convention "RI_ConstraintTrigger_NNNN". A proper fix would require modifying that convention, which we will do in 9.2, but it seems risky to change it in existing releases. So this patch just changes the creation order of the triggers. Users encountering this type of error should drop and re-create the foreign key constraint to get its triggers into the right order.
Fix IF EXISTS to work correctly in DROP OPERATOR FAMILY (Robert Haas)
Disallow dropping of an extension from within its own script (Tom Lane). This prevents odd behavior in case of incorrect management of extension dependencies.
Don't mark auto-generated types as extension members (Robert Haas). Relation rowtypes and automatically-generated array types do not need to have their own extension membership entries in pg_depend, and creating such entries complicates matters for extension upgrades.
Cope with invalid pre-existing search_path settings during CREATE EXTENSION (Tom Lane)
Avoid floating-point underflow while tracking buffer allocation rate (Greg Matthews). While harmless in itself, on certain platforms this would result in annoying kernel log messages.
Prevent autovacuum transactions from running in serializable mode (Tom Lane). Autovacuum formerly used the cluster-wide default transaction isolation level, but there is no need for it to use anything higher than READ COMMITTED, and using SERIALIZABLE could result in unnecessary delays for other processes.
Ensure walsender processes respond promptly to SIGTERM (Magnus Hagander)
Exclude postmaster.opts from base backups (Magnus Hagander)
Preserve configuration file name and line number values when starting child processes under Windows (Tom Lane). Formerly, these would not be displayed correctly in the pg_settings view.
Fix incorrect field alignment in ecpg's SQLDA area (Zoltan Boszormenyi)
Preserve blank lines within commands in psql's command history (Robert Haas). The former behavior could cause problems if an empty line was removed from within a string literal, for example.
Avoid platform-specific infinite loop in pg_dump (Steve Singer)
Fix compression of plain-text output format in pg_dump (Adrian Klaver and Tom Lane). pg_dump has historically understood -Z with no -F switch to mean that it should emit a gzip-compressed version of its plain text output. Restore that behavior.
Fix pg_dump to dump user-defined casts between auto-generated types, such as table rowtypes (Tom Lane)
Fix missed quoting of foreign server names in pg_dump (Tom Lane)
Assorted fixes for pg_upgrade (Bruce Momjian)
Handle exclusion constraints correctly, avoid failures on Windows, don't complain about mismatched toast table names in 8.4 databases.
In PL/pgSQL, allow foreign tables to define row types (Alexander Soudakov)
Fix up conversions of PL/Perl functions' results (Alex Hunsaker and Tom Lane)
Restore the pre-9.1 behavior that PL/Perl functions returning void ignore the result value of their last Perl statement; 9.1.0 would throw an error if that statement returned a reference. Also, make sure it works to return a string value for a composite type, so long as the string meets the type's input format. In addition, throw errors for attempts to return Perl arrays or hashes when the function's declared result type is not an array or composite type, respectively. (Pre-9.1 versions rather uselessly returned strings like ARRAY(0x221a9a0) or HASH(0x221aa90) in such cases.)
Ensure PL/Perl strings are always correctly UTF8-encoded (Amit Khandekar and Alex Hunsaker)
Use the preferred version of xsubpp to build PL/Perl, not necessarily the operating system's main copy (David Wheeler and Alex Hunsaker)
Correctly propagate SQLSTATE in PL/Python exceptions (Mika Eloranta and Jan Urbanski)
Do not install PL/Python extension files for Python major versions other than the one built against (Peter Eisentraut)
Change all the contrib extension script files to report a useful error message if they are fed to psql (Andrew Dunstan and Tom Lane). This should help teach people about the new method of using CREATE EXTENSION to load these files. In most cases, sourcing the scripts directly would fail anyway, but with harder-to-interpret messages.
Fix incorrect coding in contrib/dict_int and contrib/dict_xsyn (Tom Lane). Some functions incorrectly assumed that memory returned by palloc() is guaranteed zeroed.
Remove contrib/sepgsql tests from the regular regression test mechanism (Tom Lane). Since these tests require root privileges for setup, they're impractical to run automatically. Switch over to a manual approach instead, and provide a testing script to help with that.
Fix assorted errors in contrib/unaccent's configuration file parsing (Tom Lane)
Honor query cancel interrupts promptly in pgstatindex() (Robert Haas)
Fix incorrect quoting of log file name in Mac OS X start script (Sidar Lopez)
Revert unintentional enabling of WAL_DEBUG (Robert Haas). Fortunately, as debugging tools go, this one is pretty cheap; but it's not intended to be enabled by default, so revert.
Ensure VPATH builds properly install all server header files (Peter Eisentraut)
Shorten file names reported in verbose error messages (Peter Eisentraut). Regular builds have always reported just the name of the C file containing the error message call, but VPATH builds formerly reported an absolute path name.
Fix interpretation of Windows timezone names for Central America (Tom Lane). Map "Central America Standard Time" to CST6, not CST6CDT, because DST is generally not observed anywhere in Central America. Update time zone data files to tzdata release 2011n for DST law changes in Brazil, Cuba, Fiji, Palestine, Russia, and Samoa; also historical corrections for Alaska and British East Africa.

New in PostgreSQL 9.1.1-1 (Sep 26, 2011)

New in PostgreSQL 9.1.0-1 (Sep 12, 2011)

New in PostgreSQL 9.1 Beta 2 (Jun 23, 2011)

New in PostgreSQL 9.0.4-1 (Jun 23, 2011)

Fix pg_upgrade's handling of TOAST tables
Suppress incorrect "PD_ALL_VISIBLE flag was incorrectly set" warning
Use better SQLSTATE error codes for hot standby conflict cases
Prevent intermittent hang in interactions of startup process with bgwriter process
Disallow including a composite type in itself
Avoid potential deadlock during catalog cache initialization
Fix dangling-pointer problem in BEFORE ROW UPDATE trigger handling when there was a concurrent update to the target tuple
Disallow DROP TABLE when there are pending deferred trigger events for the table
Allow "replication" as a user name in pg_hba.conf
Prevent crash triggered by constant-false WHERE conditions during GEQO optimization
Improve planner's handling of semi-join and anti-join cases
Fix handling of SELECT FOR UPDATE in a sub-SELECT
Fix selectivity estimation for text search to account for NULLs
Fix get_actual_variable_range() to support hypothetical indexes injected by an index adviser plugin
Fix PL/Python memory leak involving array slices
Allow libpq's SSL initialization to succeed when user's home directory is unavailable
Fix libpq to return a useful error message for errors detected in conninfo_array_parse
Fix ecpg preprocessor's handling of float constants
Fix parallel pg_restore to handle comments on POST_DATA items correctly
Fix pg_restore to cope with long lines (over 1KB) in TOC files
Put in more safeguards against crashing due to division-by-zero with overly enthusiastic compiler optimization
Support use of dlopen() in FreeBSD and OpenBSD on MIPS
Fix compilation failures on HP-UX
Avoid crash when trying to write to the Windows console very early in process startup
Support building with MinGW 64 bit compiler for Windows
Fix version-incompatibility problem with libintl on Windows
Fix usage of xcopy in Windows build scripts to work correctly under Windows 7
Fix path separator used by pg_regress on Cygwin
Update time zone data files to tzdata release 2011f for DST law changes in Chile, Cuba, Falkland Islands, Morocco, Samoa, and Turkey; also historical corrections for South Australia, Alaska, and Hawaii.

New in PostgreSQL 9.1 Beta 1 (May 4, 2011)

New in PostgreSQL 9.0.2-1 (Dec 17, 2010)

Changes:
Force the default wal_sync_method to be fdatasync on Linux (Tom Lane, Marti Raudsepp)
The default on Linux has actually been fdatasync for many years, but recent kernel changes caused PostgreSQL to choose open_datasync instead. This choice did not result in any performance improvement, and caused outright failures on certain filesystems, notably ext4 with the data=journal mount option.
Fix "too many KnownAssignedXids" error during Hot Standby replay (Heikki Linnakangas)
Fix race condition in lock acquisition during Hot Standby (Simon Riggs)
Avoid unnecessary conflicts during Hot Standby (Simon Riggs)
This fixes some cases where replay was considered to conflict with standby queries (causing delay of replay or possibly cancellation of the queries), but there was no real conflict.
Fix assorted bugs in WAL replay logic for GIN indexes (Tom Lane)
This could result in "bad buffer id: 0" failures or corruption of index contents during replication.
Fix recovery from base backup when the starting checkpoint WAL record is not in the same WAL segment as its redo point (Jeff Davis)
Fix corner-case bug when streaming replication is enabled immediately after creating the master database cluster (Heikki Linnakangas)
Fix persistent slowdown of autovacuum workers when multiple workers remain active for a long time (Tom Lane)
The effective vacuum_cost_limit for an autovacuum worker could drop to nearly zero if it processed enough tables, causing it to run extremely slowly.
Fix long-term memory leak in autovacuum launcher (Alvaro Herrera)
Avoid failure when trying to report an impending transaction wraparound condition from outside a transaction (Tom Lane)
This oversight prevented recovery after transaction wraparound got too close, because database startup processing would fail.
Add support for detecting register-stack overrun on IA64 (Tom Lane)
The IA64 architecture has two hardware stacks. Full prevention of stack-overrun failures requires checking both.
Add a check for stack overflow in copyObject() (Tom Lane)
Certain code paths could crash due to stack overflow given a sufficiently complex query.
Fix detection of page splits in temporary GiST indexes (Heikki Linnakangas)
It is possible to have a "concurrent" page split in a temporary index, if for example there is an open cursor scanning the index when an insertion is done. GiST failed to detect this case and hence could deliver wrong results when execution of the cursor continued.
Fix error checking during early connection processing (Tom Lane)
The check for too many child processes was skipped in some cases, possibly leading to postmaster crash when attempting to add the new child process to fixed-size arrays.
Improve efficiency of window functions (Tom Lane)
Certain cases where a large number of tuples needed to be read in advance, but work_mem was large enough to allow them all to be held in memory, were unexpectedly slow. percent_rank(), cume_dist() and ntile() in particular were subject to this problem.
Avoid memory leakage while ANALYZE'ing complex index expressions (Tom Lane)
Ensure an index that uses a whole-row Var still depends on its table (Tom Lane)
An index declared like create index i on t (foo(t.*)) would not automatically get dropped when its table was dropped.
Add missing support in DROP OWNED BY for removing foreign data wrapper/server privileges belonging to a user (Heikki Linnakangas)
Do not "inline" a SQL function with multiple OUT parameters (Tom Lane)
This avoids a possible crash due to loss of information about the expected result rowtype.
Fix crash when inline-ing a set-returning function whose argument list contains a reference to an inline-able user function (Tom Lane)
Behave correctly if ORDER BY, LIMIT, FOR UPDATE, or WITH is attached to the VALUES part of INSERT ... VALUES (Tom Lane)
Make the OFF keyword unreserved (Heikki Linnakangas)
This prevents problems with using off as a variable name in PL/pgSQL. That worked before 9.0, but was now broken because PL/pgSQL now treats all core reserved words as reserved.
Fix constant-folding of COALESCE() expressions (Tom Lane)
The planner would sometimes attempt to evaluate sub-expressions that in fact could never be reached, possibly leading to unexpected errors.
Fix "could not find pathkey item to sort" planner failure with comparison of whole-row Vars (Tom Lane)
Fix postmaster crash when connection acceptance (accept() or one of the calls made immediately after it) fails, and the postmaster was compiled with GSSAPI support (Alexander Chernikov)
Retry after receiving an invalid response packet from a RADIUS authentication server (Magnus Hagander)
This fixes a low-risk potential denial of service condition.
Fix missed unlink of temporary files when log_temp_files is active (Tom Lane)
If an error occurred while attempting to emit the log message, the unlink was not done, resulting in accumulation of temp files.
Add print functionality for InhRelation nodes (Tom Lane)
This avoids a failure when debug_print_parse is enabled and certain types of query are executed.
Fix incorrect calculation of distance from a point to a horizontal line segment (Tom Lane)
This bug affected several different geometric distance-measurement operators.
Fix incorrect calculation of transaction status in ecpg (Itagaki Takahiro)
Fix errors in psql's Unicode-escape support (Tom Lane)
Speed up parallel pg_restore when the archive contains many large objects (blobs) (Tom Lane)
Fix PL/pgSQL's handling of "simple" expressions to not fail in recursion or error-recovery cases (Tom Lane)
Fix PL/pgSQL's error reporting for no-such-column cases (Tom Lane)
As of 9.0, it would sometimes report "missing FROM-clause entry for table foo" when "record foo has no field bar" would be more appropriate.
Fix PL/Python to honor typmod (i.e., length or precision restrictions) when assigning to tuple fields (Tom Lane)
This fixes a regression from 8.4.
Fix PL/Python's handling of set-returning functions (Jan Urbanski)
Attempts to call SPI functions within the iterator generating a set result would fail.
Fix bug in contrib/cube's GiST picksplit algorithm (Alexander Korotkov)
This could result in considerable inefficiency, though not actually incorrect answers, in a GiST index on a cube column. If you have such an index, consider REINDEXing it after installing this update.
Don't emit "identifier will be truncated" notices in contrib/dblink except when creating new connections (Itagaki Takahiro)
Fix potential coredump on missing public key in contrib/pgcrypto (Marti Raudsepp)
Fix buffer overrun in contrib/pg_upgrade (Hernan Gonzalez)
Fix memory leak in contrib/xml2's XPath query functions (Tom Lane)
Update time zone data files to tzdata release 2010o for DST law changes in Fiji and Samoa; also historical corrections for Hong Kong.

New in PostgreSQL 9.0.1-1 (Oct 6, 2010)

Use a separate interpreter for each calling SQL userid in PL/Perl and PL/Tcl:
This change prevents security problems that can be caused by subverting Perl or Tcl code that will be executed later in the same session under another SQL user identity (for example, within a SECURITY DEFINER function). Most scripting languages offer numerous ways that that might be done, such as redefining standard functions or operators called by the target function. Without this change, any SQL user with Perl or Tcl language usage rights can do essentially anything with the SQL privileges of the target function's owner.
The cost of this change is that intentional communication among Perl and Tcl functions becomes more difficult. To provide an escape hatch, PL/PerlU and PL/TclU functions continue to use only one interpreter per session. This is not considered a security issue since all such functions execute at the trust level of a database superuser already.
It is likely that third-party procedural languages that claim to offer trusted execution have similar security issues. We advise contacting the authors of any PL you are depending on for security-critical purposes.
Improve pg_get_expr() security fix so that the function can still be used on the output of a sub-select
Fix incorrect placement of placeholder evaluation:
This bug could result in query outputs being non-null when they should be null, in cases where the inner side of an outer join is a sub-select with non-strict expressions in its output list.
Fix join removal's handling of placeholder expressions
Fix possible duplicate scans of UNION ALL member relations
Prevent infinite loop in ProcessIncomingNotify() after unlistening
Prevent show_session_authorization() from crashing within autovacuum processes
Re-allow input of Julian dates prior to 0001-01-01 AD:
Input such as 'J100000'::date worked before 8.4, but was unintentionally broken by added error-checking.
Make psql recognize DISCARD ALL as a command that should not be encased in a transaction block in autocommit-off mode
Update build infrastructure and documentation to reflect the source code repository's move from CVS to Git

New in PostgreSQL 8.4.3-1 (Apr 27, 2010)

Changes:
Add new configuration parameter ssl_renegotiation_limit to control how often we do session key renegotiation for an SSL connection (Magnus)
This can be set to zero to disable renegotiation completely, which may be required if a broken SSL library is used. In particular, some vendors are shipping stopgap patches for CVE-2009-3555 that cause renegotiation attempts to fail.
Fix possible deadlock during backend startup (Tom)
Fix possible crashes due to not handling errors during relcache reload cleanly (Tom)
Fix possible crash due to use of dangling pointer to a cached plan (Tatsuo)
Fix possible crash due to overenthusiastic invalidation of cached plan for ROLLBACK (Tom)
Fix possible crashes when trying to recover from a failure in subtransaction start (Tom)
Fix server memory leak associated with use of savepoints and a client encoding different from server's encoding (Tom)
Fix incorrect WAL data emitted during end-of-recovery cleanup of a GIST index page split (Yoichi Hirai)
This would result in index corruption, or even more likely an error during WAL replay, if we were unlucky enough to crash during end-of-recovery cleanup after having completed an incomplete GIST insertion.
Fix bug in WAL redo cleanup method for GIN indexes (Heikki)
Fix incorrect comparison of scan key in GIN index search (Teodor)
Make substring() for bit types treat any negative length as meaning "all the rest of the string" (Tom)
The previous coding treated only -1 that way, and would produce an invalid result value for other negative values, possibly leading to a crash (CVE-2010-0442).
Fix integer-to-bit-string conversions to handle the first fractional byte correctly when the output bit width is wider than the given integer by something other than a multiple of 8 bits (Tom)
Fix some cases of pathologically slow regular expression matching (Tom)
Fix bug occurring when trying to inline a SQL function that returns a set of a composite type that contains dropped columns (Tom)
Fix bug with trying to update a field of an element of a composite-type array column (Tom)
Avoid failure when EXPLAIN has to print a FieldStore or assignment ArrayRef expression (Tom)
These cases can arise now that EXPLAIN VERBOSE tries to print plan node target lists.
Avoid an unnecessary coercion failure in some cases where an undecorated literal string appears in a subquery within UNION/INTERSECT/EXCEPT (Tom)
This fixes a regression for some cases that worked before 8.4.
Avoid undesirable rowtype compatibility check failures in some cases where a whole-row Var has a rowtype that contains dropped columns (Tom)
Fix the STOP WAL LOCATION entry in backup history files to report the next WAL segment's name when the end location is exactly at a segment boundary (Itagaki Takahiro)
Always pass the catalog ID to an option validator function specified in CREATE FOREIGN DATA WRAPPER (Martin Pihlak)
Fix some more cases of temporary-file leakage (Heikki)
This corrects a problem introduced in the previous minor release. One case that failed is when a plpgsql function returning set is called within another function's exception handler.
Add support for doing FULL JOIN ON FALSE (Tom)
This prevents a regression from pre-8.4 releases for some queries that can now be simplified to a constant-false join condition.
Improve constraint exclusion processing of boolean-variable cases, in particular make it possible to exclude a partition that has a "bool_column = false" constraint (Tom)
Prevent treating an INOUT cast as representing binary compatibility (Heikki)
Include column name in the message when warning about inability to grant or revoke column-level privileges (Stephen Frost)
This is more useful than before and helps to prevent confusion when a REVOKE generates multiple messages, which formerly appeared to be duplicates.
When reading pg_hba.conf and related files, do not treat @something as a file inclusion request if the @ appears inside quote marks; also, never treat @ by itself as a file inclusion request (Tom)
This prevents erratic behavior if a role or database name starts with @. If you need to include a file whose path name contains spaces, you can still do so, but you must write @"/path to/file" rather than putting the quotes around the whole construct.
Prevent infinite loop on some platforms if a directory is named as an inclusion target in pg_hba.conf and related files (Tom)
Fix possible infinite loop if SSL_read or SSL_write fails without setting errno (Tom)
This is reportedly possible with some Windows versions of openssl.
Disallow GSSAPI authentication on local connections, since it requires a hostname to function correctly (Magnus)
Protect ecpg against applications freeing strings unexpectedly (Michael)
Make ecpg report the proper SQLSTATE if the connection disappears (Michael)
Fix translation of cell contents in psql \d output (Heikki)
Fix psql's numericlocale option to not format strings it shouldn't in latex and troff output formats (Heikki)
Fix a small per-query memory leak in psql (Tom)
Make psql return the correct exit status (3) when ON_ERROR_STOP and --single-transaction are both specified and an error occurs during the implied COMMIT (Bruce)
Fix pg_dump's output of permissions for foreign servers (Heikki)
Fix possible crash in parallel pg_restore due to out-of-range dependency IDs (Tom)
Fix plpgsql failure in one case where a composite column is set to NULL (Tom)
Fix possible failure when calling PL/Perl functions from PL/PerlU or vice versa (Tim Bunce)
Add volatile markings in PL/Python to avoid possible compiler-specific misbehavior (Zdenek Kotala)
Ensure PL/Tcl initializes the Tcl interpreter fully (Tom)
The only known symptom of this oversight is that the Tcl clock command misbehaves if using Tcl 8.5 or later.
Prevent ExecutorEnd from being run on portals created within a failed transaction or subtransaction (Tom)
This is known to cause issues when using contrib/auto_explain.
Prevent crash in contrib/dblink when too many key columns are specified to a dblink_build_sql_* function (Rushabh Lathia, Joe Conway)
Allow zero-dimensional arrays in contrib/ltree operations (Tom)
This case was formerly rejected as an error, but it's more convenient to treat it the same as a zero-element array. In particular this avoids unnecessary failures when an ltree operation is applied to the result of ARRAY(SELECT ...) and the sub-select returns no rows.
Fix assorted crashes in contrib/xml2 caused by sloppy memory management (Tom)
Make building of contrib/xml2 more robust on Windows (Andrew)
Fix race condition in Windows signal handling (Radu Ilie)
One known symptom of this bug is that rows in pg_listener could be dropped under heavy load.
Make the configure script report failure if the C compiler does not provide a working 64-bit integer datatype (Tom)
This case has been broken for some time, and no longer seems worth supporting, so just reject it at configure time instead.
Update time zone data files to tzdata release 2010e for DST law changes in Bangladesh, Chile, Fiji, Mexico, Paraguay, Samoa.

New in PostgreSQL 8.4.0-1 (Jul 2, 2009)

E.1.1. Overview
After many years of development, PostgreSQL has become feature-complete in many areas. This release shows a targeted approach to adding features (e.g., authentication, monitoring, space reuse), and adds capabilities defined in the later SQL standards. The major areas of enhancement are:
Windowing Functions
Common Table Expressions and Recursive Queries
Default and variadic parameters for functions
Parallel Restore
Column Permissions
Per-database locale settings
Improved hash indexes
Improved join performance for EXISTS and NOT EXISTS queries
Easier-to-use Warm Standby
Automatic sizing of the Free Space Map
Visibility Map (greatly reduces vacuum overhead for slowly-changing tables)
Version-aware psql (backslash commands work against older servers)
Support SSL certificates for user authentication
Per-function runtime statistics
Easy editing of functions in psql
New contrib modules: pg_stat_statements, auto_explain, citext, btree_gin
The above items are explained in more detail in the sections below.
E.1.2. Migration to Version 8.4
A dump/restore using pg_dump is required for those wishing to migrate data from any previous release.
Observe the following incompatibilities:
E.1.2.1. General
Use 64-bit integer datetimes by default (Neil Conway)
Previously this was selected by configure's --enable-integer-datetimes option. To retain the old behavior, build with --disable-integer-datetimes.
Remove ipcclean utility command (Bruce)
The utility only worked on a few platforms. Users should use their operating system tools instead.
E.1.2.2. Server Settings
Change default setting for log_min_messages to warning (previously it was notice) to reduce log file volume (Tom)
Change default setting for max_prepared_transactions to zero (previously it was 5) (Tom)
Make debug_print_parse, debug_print_rewritten, and debug_print_plan output appear at LOG message level, not DEBUG1 as formerly (Tom)
Make debug_pretty_print default to on (Tom)
Remove explain_pretty_print parameter (no longer needed) (Tom)
Make log_temp_files settable by superusers only, like other logging options (Simon Riggs)
Remove automatic appending of the epoch timestamp when no % escapes are present in log_filename (Robert Haas)
This change was made because some users wanted a fixed log filename, for use with an external log rotation tool.
Remove log_restartpoints from recovery.conf; instead use log_checkpoints (Simon)
Remove krb_realm and krb_server_hostname; these are now set in pg_hba.conf instead (Magnus)
There are also significant changes in pg_hba.conf, as described below.
E.1.2.3. Queries
Change TRUNCATE and LOCK to apply to child tables of the specified table(s) (Peter)
These commands now accept an ONLY option that prevents processing child tables; this option must be used if the old behavior is needed.
SELECT DISTINCT and UNION/INTERSECT/EXCEPT no longer always produce sorted output (Tom)
Previously, these types of queries always removed duplicate rows by means of Sort/Unique processing (i.e., sort then remove adjacent duplicates). Now they can be implemented by hashing, which will not produce sorted output. If an application relied on the output being in sorted order, the recommended fix is to add an ORDER BY clause. As a short-term workaround, the previous behavior can be restored by disabling enable_hashagg, but that is a very performance-expensive fix. SELECT DISTINCT ON never uses hashing, however, so its behavior is unchanged.
Force child tables to inherit CHECK constraints from parents (Alex Hunsaker, Nikhil Sontakke, Tom)
Formerly it was possible to drop such a constraint from a child table, allowing rows that violate the constraint to be visible when scanning the parent table. This was deemed inconsistent, as well as contrary to SQL standard.
Disallow negative LIMIT or OFFSET values, rather than treating them as zero (Simon)
Disallow LOCK TABLE outside a transaction block (Tom)
Such an operation is useless because the lock would be released immediately.
Sequences now contain an additional start_value column (Zoltan Boszormenyi)
This supports ALTER SEQUENCE ... RESTART.
E.1.2.4. Functions and Operators
Make numeric zero raised to a fractional power return 0, rather than throwing an error, and make numeric zero raised to the zero power return 1, rather than error (Bruce)
This matches the longstanding float8 behavior.
Allow unary minus of floating-point values to produce minus zero (Tom)
The changed behavior is more IEEE-standard compliant.
Throw an error if an escape character is the last character in a LIKE pattern (i.e., it has nothing to escape) (Tom)
Previously, such an escape character was silently ignored, thus possibly masking application logic errors.
Remove ~=~ and ~~ operators formerly used for LIKE index comparisons (Tom)
Pattern indexes now use the regular equality operator.
xpath() now passes its arguments to libxml without any changes (Andrew)
This means that the XML argument must be a well-formed XML document. The previous coding attempted to allow XML fragments, but it did not work well.
Make xmlelement() format attribute values just like content values (Peter)
Previously, attribute values were formatted according to the normal SQL output behavior, which is sometimes at odds with XML rules.
Rewrite memory management for libxml-using functions (Tom)
This change should avoid some compatibility problems with use of libxml in PL/Perl and other add-on code.
Adopt a faster algorithm for hash functions (Kenneth Marshall, based on work of Bob Jenkins)
Many of the built-in hash functions now deliver different results on little-endian and big-endian platforms.
E.1.2.4.1. Temporal Functions and Operators
DateStyle no longer controls interval output formatting; instead there is a new variable IntervalStyle (Ron Mayer)
Improve consistency of handling of fractional seconds in timestamp and interval output (Ron Mayer)
This may result in displaying a different number of fractional digits than before, or rounding instead of truncating.
Make to_char()'s localized month/day names depend on LC_TIME, not LC_MESSAGES (Euler Taveira de Oliveira)
Cause to_date() and to_timestamp() to more consistently report errors for invalid input (Brendan Jurd)
Previous versions would often ignore or silently misread input that did not match the format string. Such cases will now result in an error.
Fix to_timestamp() to not require upper/lower case matching for meridian (AM/PM) and era (BC/AD) format designations (Brendan Jurd)
For example, input value ad now matches the format string AD.
E.1.3. Changes
Below you will find a detailed account of the changes between PostgreSQL 8.4 and the previous major release.
E.1.3.1. Performance
Improve optimizer statistics calculations (Jan Urbanski, Tom)
In particular, estimates for full-text-search operators are greatly improved.
Allow SELECT DISTINCT and UNION/INTERSECT/EXCEPT to use hashing (Tom)
This means that these types of queries no longer automatically produce sorted output.
Create explicit concepts of semi-joins and anti-joins (Tom)
This work formalizes our previous ad-hoc treatment of IN (SELECT ...) clauses, and extends it to EXISTS and NOT EXISTS clauses. It should result in significantly better planning of EXISTS and NOT EXISTS queries. In general, logically equivalent IN and EXISTS clauses should now have similar performance, whereas previously IN often won.
Improve optimization of sub-selects beneath outer joins (Tom)
Formerly, a sub-select or view could not be optimized very well if it appeared within the nullable side of an outer join and contained non-strict expressions (for instance, constants) in its result list.
Improve the performance of text_position() and related functions by using Boyer-Moore-Horspool searching (David Rowley)
This is particularly helpful for long search patterns.
Reduce I/O load of writing the statistics collection file by writing the file only when requested (Martin Pihlak)
Improve performance for bulk inserts (Robert Haas, Simon)
Increase the default value of default_statistics_target from 10 to 100 (Greg Sabino Mullane, Tom)
The maximum value was also increased from 1000 to 10000.
Perform constraint_exclusion checking by default in queries involving inheritance or UNION ALL (Tom)
A new constraint_exclusion setting, partition, was added to specify this behavior.
Allow I/O read-ahead for bitmap index scans (Greg Stark)
The amount of read-ahead is controlled by effective_io_concurrency. This feature is available only if the kernel has posix_fadvise() support.
Inline simple set-returning SQL functions in FROM clauses (Richard Rowell)
Improve performance of multi-batch hash joins by providing a special case for join key values that are especially common in the outer relation (Bryce Cutt, Ramon Lawrence)
Reduce volume of temporary data in multi-batch hash joins by suppressing "physical tlist" optimization (Michael Henderson, Ramon Lawrence)
Avoid waiting for idle-in-transaction sessions during CREATE INDEX CONCURRENTLY (Simon)
Improve performance of shared cache invalidation (Tom)
E.1.3.2. Server
E.1.3.2.1. Settings
Convert many postgresql.conf settings to enumerated values so that pg_settings can display the valid values (Magnus)
Add cursor_tuple_fraction parameter to control the fraction of a cursor's rows that the planner assumes will be fetched (Robert Hell)
Allow underscores in the names of custom variable classes in postgresql.conf (Tom)
E.1.3.2.2. Authentication and security
Remove support for the (insecure) crypt authentication method (Magnus)
This effectively obsoletes pre-PostgreSQL 7.2 client libraries, as there is no longer any non-plaintext password method that they can use.
Support regular expressions in pg_ident.conf (Magnus)
Allow Kerberos/GSSAPI parameters to be changed without restarting the postmaster (Magnus)
Support SSL certificate chains in server certificate file (Andrew Gierth)
Including the full certificate chain makes the client able to verify the certificate without having all intermediate CA certificates present in the local store, which is often the case for commercial CAs.
Report appropriate error message for combination of MD5 authentication and db_user_namespace enabled (Bruce)
E.1.3.2.3. pg_hba.conf
Change all authentication options to use name=value syntax (Magnus)
This makes incompatible changes to the ldap, pam and ident authentication methods. All pg_hba.conf entries with these methods need to be rewritten using the new format.
Remove the ident sameuser option, instead making that behavior the default if no usermap is specified (Magnus)
Allow a usermap parameter for all external authentication methods (Magnus)
Previously a usermap was only supported for ident authentication.
Add clientcert option to control requesting of a client certificate (Magnus)
Previously this was controlled by the presence of a root certificate file in the server's data directory.
Add cert authentication method to allow user authentication via SSL certificates (Magnus)
Previously SSL certificates could only verify that the client had access to a certificate, not authenticate a user.
Allow krb5, gssapi and sspi realm and krb5 host settings to be specified in pg_hba.conf (Magnus)
These override the settings in postgresql.conf.
Add include_realm parameter for krb5, gssapi, and sspi methods (Magnus)
This allows identical usernames from different realms to be authenticated as different database users using usermaps.
Parse pg_hba.conf fully when it is loaded, so that errors are reported immediately (Magnus)
Previously, most errors in the file wouldn't be detected until clients tried to connect, so an erroneous file could render the system unusable. With the new behavior, if an error is detected during reload then the bad file is rejected and the postmaster continues to use its old copy.
Show all parsing errors in pg_hba.conf instead of aborting after the first one (Selena Deckelmann)
Support ident authentication over Unix-domain sockets on Solaris (Garick Hamlin)
E.1.3.2.4. Continuous Archiving
Provide an option to pg_start_backup() to force its implied checkpoint to finish as quickly as possible (Tom)
The default behavior avoids excess I/O consumption, but that is pointless if no concurrent query activity is going on.
Make pg_stop_backup() wait for modified WAL files to be archived (Simon)
This guarantees that the backup is valid at the time pg_stop_backup() completes.
When archiving is enabled, rotate the last WAL segment at shutdown so that all transactions can be archived immediately (Guillaume Smet, Heikki)
Delay "smart" shutdown while a continuous archiving base backup is in progress (Laurenz Albe)
Cancel a continuous archiving base backup if "fast" shutdown is requested (Laurenz Albe)
Allow recovery.conf boolean variables to take the same range of string values as postgresql.conf boolean variables (Bruce)
E.1.3.2.5. Monitoring
Add pg_conf_load_time() to report when the PostgreSQL configuration files were last loaded (George Gensure)
Add pg_terminate_backend() to safely terminate a backend (the SIGTERM signal works also) (Tom, Bruce)
While it's always been possible to SIGTERM a single backend, this was previously considered unsupported; and testing of the case found some bugs that are now fixed.
Add ability to track user-defined functions' call counts and runtimes (Martin Pihlak)
Function statistics appear in a new system view, pg_stat_user_functions. Tracking is controlled by the new parameter track_functions.
Allow specification of the maximum query string size in pg_stat_activity via new track_activity_query_size parameter (Thomas Lee)
Increase the maximum line length sent to syslog, in hopes of improving performance (Tom)
Add read-only configuration variables segment_size, wal_block_size, and wal_segment_size (Bernd Helmle)
When reporting a deadlock, report the text of all queries involved in the deadlock to the server log (Itagaki Takahiro)
Add pg_stat_get_activity(pid) function to return information about a specific process id (Magnus)
Allow the location of the server's statistics file to be specified via stats_temp_directory (Magnus)
This allows the statistics file to be placed in a RAM-resident directory to reduce I/O requirements. On startup/shutdown, the file is copied to its traditional location ($PGDATA/global/) so it is preserved across restarts.
E.1.3.3. Queries
Add support for WINDOW functions (Hitoshi Harada)
Add support for WITH clauses (CTEs), including WITH RECURSIVE (Yoshiyuki Asaba, Tatsuo Ishii, Tom)
Add TABLE command (Peter)
TABLE tablename is a SQL standard short-hand for SELECT * FROM tablename.
Allow AS to be optional when specifying a SELECT (or RETURNING) column output label (Hiroshi Saito)
This works so long as the column label is not any PostgreSQL keyword; otherwise AS is still needed.
Support set-returning functions in SELECT result lists even for functions that return their result via a tuplestore (Tom)
In particular, this means that functions written in PL/PgSQL and other PL languages can now be called this way.
Support set-returning functions in the output of aggregation and grouping queries (Tom)
Allow SELECT FOR UPDATE/SHARE to work on inheritance trees (Tom)
Add infrastructure for SQL/MED (Martin Pihlak, Peter)
There are no remote or external SQL/MED capabilities yet, but this change provides a standardized and future-proof system for managing connection information for modules like dblink and plproxy.
Invalidate cached plans when referenced schemas, functions, operators, or operator classes are modified (Martin Pihlak, Tom)
This improves the system's ability to respond to on-the-fly DDL changes.
Allow comparison of composite types and allow arrays of anonymous composite types (Tom)
This allows constructs such as row(1, 1.1) = any (array[row(7, 7.7), row(1, 1.0)]). This is particularly useful in recursive queries.
Add support for Unicode string literal and identifier specifications using code points, e.g. U&'d061t+000061' (Peter)
Reject 00 in string literals and COPY data (Tom)
Previously, this was accepted but had the effect of terminating the string contents.
Improve the parser's ability to report error locations (Tom)
An error location is now reported for many semantic errors, such as mismatched datatypes, that previously could not be localized.
E.1.3.3.1. TRUNCATE
Support statement-level ON TRUNCATE triggers (Simon)
Add RESTART/CONTINUE IDENTITY options for TRUNCATE TABLE (Zoltan Boszormenyi)
The start value of a sequence can be changed by ALTER SEQUENCE START WITH.
Allow TRUNCATE tab1, tab1 to succeed (Bruce)
Add a separate TRUNCATE permission (Robert Haas)
E.1.3.3.2. EXPLAIN
Make EXPLAIN VERBOSE show the output columns of each plan node (Tom)
Previously EXPLAIN VERBOSE output an internal representation of the query plan. (That behavior is now available via debug_print_plan.)
Make EXPLAIN identify subplans and initplans with individual labels (Tom)
Make EXPLAIN honor debug_print_plan (Tom)
Allow EXPLAIN on CREATE TABLE AS (Peter)
E.1.3.3.3. LIMIT/OFFSET
Allow sub-selects in LIMIT and OFFSET (Tom)
Add SQL-standard syntax for LIMIT/OFFSET capabilities (Peter)
To wit, OFFSET num {ROW|ROWS} FETCH {FIRST|NEXT} [num] {ROW|ROWS} ONLY.
E.1.3.4. Object Manipulation
Add support for column-level privileges (Stephen Frost, KaiGai Kohei)
Refactor multi-object DROP operations to reduce the need for CASCADE (Alex Hunsaker)
For example, if table B has a dependency on table A, the command DROP TABLE A, B no longer requires the CASCADE option.
Fix various problems with concurrent DROP commands by ensuring that locks are taken before we begin to drop dependencies of an object (Tom)
Improve reporting of dependencies during DROP commands (Tom)
Add WITH [NO] DATA clause to CREATE TABLE AS, per the SQL standard (Peter, Tom)
Add support for user-defined I/O conversion casts (Heikki)
Allow CREATE AGGREGATE to use an internal transition datatype (Tom)
Add LIKE clause to CREATE TYPE (Tom)
This simplifies creation of data types that use the same internal representation as an existing type.
Allow specification of the type category and "preferred" status for user-defined base types (Tom)
This allows more control over the coercion behavior of user-defined types.
Allow CREATE OR REPLACE VIEW to add columns to the end of a view (Robert Haas)
E.1.3.4.1. ALTER
Add ALTER TYPE RENAME (Petr Jelinek)
Add ALTER SEQUENCE ... RESTART (with no parameter) to reset a sequence to its initial value (Zoltan Boszormenyi)
Modify the ALTER TABLE syntax to allow all reasonable combinations for tables, indexes, sequences, and views (Tom)
This change allows the following new syntaxes:
ALTER SEQUENCE OWNER TO
ALTER VIEW ALTER COLUMN SET/DROP DEFAULT
ALTER VIEW OWNER TO
ALTER VIEW SET SCHEMA
There is no actual new functionality here, but formerly you had to say ALTER TABLE to do these things, which was confusing.
Add support for the syntax ALTER TABLE ... ALTER COLUMN ... SET DATA TYPE (Peter)
This is SQL-standard syntax for functionality that was already supported.
Make ALTER TABLE SET WITHOUT OIDS rewrite the table to physically remove OID values (Tom)
Also, add ALTER TABLE SET WITH OIDS to rewrite the table to add OIDs.
E.1.3.4.2. Database Manipulation
Improve reporting of CREATE/DROP/RENAME DATABASE failure when uncommitted prepared transactions are the cause (Tom)
Make LC_COLLATE and LC_CTYPE into per-database settings (Radek Strnad, Heikki)
This makes collation similar to encoding, which was always configurable per database.
Improve checks that the database encoding, collation (LC_COLLATE), and character classes (LC_CTYPE) match (Heikki, Tom)
Note in particular that a new database's encoding and locale settings can be changed only when copying from template0. This prevents possibly copying data that doesn't match the settings.
Add ALTER DATABASE SET TABLESPACE to move a database to a new tablespace (Guillaume Lelarge, Bernd Helmle)
E.1.3.5. Utility Operations
Add a VERBOSE option to the CLUSTER command and clusterdb (Jim Cox)
Decrease memory requirements for recording pending trigger events (Tom)
E.1.3.5.1. Indexes
Dramatically improve the speed of building and accessing hash indexes (Tom Raney, Shreya Bhargava)
This allows hash indexes to be sometimes faster than btree indexes. However, hash indexes are still not crash-safe.
Make hash indexes store only the hash code, not the full value of the indexed column (Xiao Meng)
This greatly reduces the size of hash indexes for long indexed values, improving performance.
Implement fast update option for GIN indexes (Teodor, Oleg)
This option greatly improves update speed at a small penalty in search speed.
xxx_pattern_ops indexes can now be used for simple equality comparisons, not only for LIKE (Tom)
E.1.3.5.2. Full Text Indexes
Remove the requirement to use @@@ when doing GIN weighted lookups on full text indexes (Tom, Teodor)
The normal @@ text search operator can be used instead.
Add an optimizer selectivity function for @@ text search operations (Jan Urbanski)
Allow prefix matching in full text searches (Teodor Sigaev, Oleg Bartunov)
Support multi-column GIN indexes (Teodor Sigaev)
Improve support for Nepali language and Devanagari alphabet (Teodor)
E.1.3.5.3. VACUUM
Track free space in separate per-relation "fork" files (Heikki)
Free space discovered by VACUUM is now recorded in *_fsm files, rather than in a fixed-sized shared memory area. The max_fsm_pages and max_fsm_relations settings have been removed, greatly simplifying administration of free space management.
Add a visibility map to track pages that do not require vacuuming (Heikki)
This allows VACUUM to avoid scanning all of a table when only a portion of the table needs vacuuming. The visibility map is stored in per-relation "fork" files.
Add vacuum_freeze_table_age parameter to control when VACUUM should ignore the visibility map and do a full table scan to freeze tuples (Heikki)
Track transaction snapshots more carefully (Alvaro)
This improves VACUUM's ability to reclaim space in the presence of long-running transactions.
Add ability to specify per-relation autovacuum and TOAST parameters in CREATE TABLE (Alvaro, Euler Taveira de Oliveira)
Autovacuum options used to be stored in a system table.
Add --freeze option to vacuumdb (Bruce)
E.1.3.6. Data Types
Add a CaseSensitive option for text search synonym dictionaries (Simon)
Improve the precision of NUMERIC division (Tom)
Add basic arithmetic operators for int2 with int8 (Tom)
This eliminates the need for explicit casting in some situations.
Allow UUID input to accept an optional hyphen after every fourth digit (Robert Haas)
Allow on/off as input for the boolean data type (Itagaki Takahiro)
Allow spaces around NaN in the input string for type numeric (Sam Mason)
E.1.3.6.1. Temporal Data Types
Reject year 0 BC and years 000 and 0000 (Tom)
Previously these were interpreted as 1 BC. (Note: years 0 and 00 are still assumed to be the year 2000.)
Include SGT (Singapore time) in the default list of known time zone abbreviations (Tom)
Support infinity and -infinity as values of type date (Tom)
Make parsing of interval literals more standard-compliant (Tom, Ron Mayer)
For example, INTERVAL '1' YEAR now does what it's supposed to.
Allow interval fractional-seconds precision to be specified after the second keyword, for SQL standard compliance (Tom)
Formerly the precision had to be specified after the keyword interval. (For backwards compatibility, this syntax is still supported, though deprecated.) Data type definitions will now be output using the standard format.
Support the IS0 8601 interval syntax (Ron Mayer, Kevin Grittner)
For example, INTERVAL 'P1Y2M3DT4H5M6.7S' is now supported.
Add IntervalStyle parameter which controls how interval values are output (Ron Mayer)
Valid values are: postgres, postgres_verbose, sql_standard, iso_8601. This setting also controls the handling of negative interval input when only some fields have positive/negative designations.
Improve consistency of handling of fractional seconds in timestamp and interval output (Ron Mayer)
E.1.3.6.2. Arrays
Improve the handling of casts applied to ARRAY[] constructs, such as ARRAY[...]::integer[] (Brendan Jurd)
Formerly PostgreSQL attempted to determine a data type for the ARRAY[] construct without reference to the ensuing cast. This could fail unnecessarily in many cases, in particular when the ARRAY[] construct was empty or contained only ambiguous entries such as NULL. Now the cast is consulted to determine the type that the array elements must be.
Make SQL-syntax ARRAY dimensions optional to match the SQL standard (Peter)
Add array_ndims() to return the number of dimensions of an array (Robert Haas)
Add array_length() to return the length of an array for a specified dimension (Jim Nasby, Robert Haas, Peter Eisentraut)
Add aggregate function array_agg(), which returns all aggregated values as a single array (Robert Haas, Jeff Davis, Peter)
Add unnest(), which converts an array to individual row values (Tom)
This is the opposite of array_agg().
Add array_fill() to create arrays initialized with a value (Pavel Stehule)
Add generate_subscripts() to simplify generating the range of an array's subscripts (Pavel Stehule)
E.1.3.6.3. Wide-Value Storage (TOAST)
Consider TOAST compression on values as short as 32 bytes (previously 256 bytes) (Greg Stark)
Require 25% minimum space savings before using TOAST compression (previously 20% for small values and any-savings-at-all for large values) (Greg)
Improve TOAST heuristics for rows that have a mix of large and small toastable fields, so that we prefer to push large values out of line and don't compress small values unnecessarily (Greg, Tom)
E.1.3.7. Functions
Document that setseed() allows values from -1 to 1 (not just 0 to 1), and enforce the valid range (Kris Jurka)
Add server-side function lo_import(filename, oid) (Tatsuo)
Add quote_nullable(), which behaves like quote_literal() but returns the string NULL for a null argument (Brendan Jurd)
Improve full text search headline() function to allow extracting several fragments of text (Sushant Sinha)
Add suppress_redundant_updates_trigger() trigger function to avoid overhead for non-data-changing updates (Andrew)
Add div(numeric, numeric) to perform numeric division without rounding (Tom)
Add timestamp and timestamptz versions of generate_series() (Hitoshi Harada)
E.1.3.7.1. Object Information Functions
Implement current_query() for use by functions that need to know the currently running query (Tomas Doran)
Add pg_get_keywords() to return a list of the parser keywords (Dave Page)
Add pg_get_functiondef() to see a function's definition (Abhijit Menon-Sen)
Allow the second argument of pg_get_expr() to be zero when deparsing an expression that does not contain variables (Tom)
Modify pg_relation_size() to use regclass (Heikki)
pg_relation_size(data_type_name) no longer works.
Add boot_val and reset_val columns to pg_settings output (Greg Smith)
Add source file name and line number columns to pg_settings output for variables set in a configuration file (Magnus, Alvaro)
For security reasons, these columns are only visible to superusers.
Add support for CURRENT_CATALOG, CURRENT_SCHEMA, SET CATALOG, SET SCHEMA (Peter)
These provide SQL-standard syntax for existing features.
Add pg_typeof() which returns the data type of any value (Brendan Jurd)
Make version() return information about whether the server is a 32- or 64-bit binary (Bruce)
Fix the behavior of information schema columns is_insertable_into and is_updatable to be consistent (Peter)
Improve the behavior of information schema datetime_precision columns (Peter)
These columns now show zero for date columns, and 6 (the default precision) for time, timestamp, and interval without a declared precision, rather than showing null as formerly.
Convert remaining builtin set-returning functions to use OUT parameters (Jaime Casanova)
This makes it possible to call these functions without specifying a column list: pg_show_all_settings(), pg_lock_status(), pg_prepared_xact(), pg_prepared_statement(), pg_cursor()
Make pg_*_is_visible() and has_*_privilege() functions return NULL for invalid OIDs, rather than reporting an error (Tom)
Extend has_*_privilege() functions to allow inquiring about the OR of multiple privileges in one call (Stephen Frost, Tom)
Add has_column_privilege() and has_any_column_privilege() functions (Stephen Frost, Tom)
E.1.3.7.2. Function Creation
Support variadic functions (functions with a variable number of arguments) (Pavel Stehule)
Only trailing arguments can be optional, and they all must be of the same data type.
Support default values for function arguments (Pavel Stehule)
Add CREATE FUNCTION ... RETURNS TABLE clause (Pavel Stehule)
Allow SQL-language functions to return the output of an INSERT/UPDATE/DELETE RETURNING clause (Tom)
E.1.3.7.3. PL/PgSQL Server-Side Language
Support EXECUTE USING for easier insertion of data values into a dynamic query string (Pavel Stehule)
Allow looping over the results of a cursor using a FOR loop (Pavel Stehule)
Support RETURN QUERY EXECUTE (Pavel Stehule)
Improve the RAISE command (Pavel Stehule)
Support DETAIL and HINT fields
Support specification of the SQLSTATE error code
Support an exception name parameter
Allow RAISE without parameters in an exception block to re-throw the current error
Allow specification of SQLSTATE codes in EXCEPTION lists (Pavel Stehule)
This is useful for handling custom SQLSTATE codes.
Support the CASE statement (Pavel Stehule)
Make RETURN QUERY set the special FOUND and GET DIAGNOSTICS ROW_COUNT variables (Pavel Stehule)
Make FETCH and MOVE set the GET DIAGNOSTICS ROW_COUNT variable (Andrew Gierth)
Make EXIT without a label always exit the innermost loop (Tom)
Formerly, if there were a BEGIN block more closely nested than any loop, it would exit that block instead. The new behavior matches Oracle(TM) and is also what was previously stated by our own documentation.
Make processing of string literals and nested block comments match the main SQL parser's processing (Tom)
In particular, the format string in RAISE now works the same as any other string literal, including being subject to standard_conforming_strings. This change also fixes other cases in which valid commands would fail when standard_conforming_strings is on.
Avoid memory leakage when the same function is called at varying exception-block nesting depths (Tom)
E.1.3.8. Client Applications
Fix pg_ctl restart to preserve command-line arguments (Bruce)
Add -w/--no-password option that prevents password prompting in all utilities that have a -W/--password option (Peter)
Remove -q (quiet) option of createdb, createuser, dropdb, dropuser (Peter)
These options have had no effect since PostgreSQL 8.3.
E.1.3.8.1. psql
Remove verbose startup banner; now just suggest help (Joshua Drake)
Make help show common backslash commands (Greg Sabino Mullane)
Add pset format wrapped mode to wrap output to the screen width, or file/pipe output too if pset columns is set (Bryce Nesbitt)
Allow all supported spellings of boolean values in pset, rather than just on and off (Bruce)
Formerly, any string other than "off" was silently taken to mean true. psql will now complain about unrecognized spellings (but still take them as true).
Use the pager for wide output (Bruce)
Require a space between a one-letter backslash command and its first argument (Bernd Helmle)
This removes a historical source of ambiguity.
Improve tab completion support for schema-qualified and quoted identifiers (Greg Sabino Mullane)
Add optional on/off argument for iming (David Fetter)
Display access control rights on multiple lines (Brendan Jurd, Andreas Scherbaum)
Make l show database access privileges (Andrew Gilligan)
Make l+ show database sizes, if permissions allow (Andrew Gilligan)
Add the ef command to edit function definitions (Abhijit Menon-Sen)
E.1.3.8.2. psql d* commands
Make d* commands that do not have a pattern argument show system objects only if the S modifier is specified (Greg Sabino Mullane, Bruce)
The former behavior was inconsistent across different variants of d, and in most cases it provided no easy way to see just user objects.
Improve d* commands to work with older PostgreSQL server versions (back to 7.4), not only the current server version (Guillaume Lelarge)
Make d show foreign-key constraints that reference the selected table (Kenneth D'Souza)
Make d on a sequence show its column values (Euler Taveira de Oliveira)
Add column storage type and other relation options to the d+ display (Gregory Stark, Euler Taveira de Oliveira)
Show relation size in dt+ output (Dickson S. Guedes)
Show the possible values of enum types in dT+ (David Fetter)
Allow dC to accept a wildcard pattern, which matches either datatype involved in the cast (Tom)
Add a function type column to df's output, and add options to list only selected types of functions (David Fetter)
Make df not hide functions that take or return type cstring (Tom)
Previously, such functions were hidden because most of them are datatype I/O functions, which were deemed uninteresting. The new policy about hiding system functions by default makes this wart unnecessary.
E.1.3.8.3. pg_dump
Add a --no-tablespaces option to pg_dump/pg_dumpall/pg_restore so that dumps can be restored to clusters that have non-matching tablespace layouts (Gavin Roy)
Remove -d and -D options from pg_dump and pg_dumpall (Tom)
These options were too frequently confused with the option to select a database name in other PostgreSQL client applications. The functionality is still available, but you must now spell out the long option name --inserts or --column-inserts.
Remove -i/--ignore-version option from pg_dump and pg_dumpall (Tom)
Use of this option does not throw an error, but it has no effect. This option was removed because the version checks are necessary for safety.
Disable statement_timeout during dump and restore (Joshua Drake)
Add pg_dump/pg_dumpall option --lock-wait-timeout (David Gould)
This allows dumps to fail if unable to acquire a shared lock within the specified amount of time.
Reorder pg_dump --data-only output to dump tables referenced by foreign keys before the referencing tables (Tom)
This allows data loads when foreign keys are already present. If circular references make a safe ordering impossible, a NOTICE is issued.
Allow pg_dump, pg_dumpall, and pg_restore to use a specified role (Benedek L�szl�)
Allow pg_restore to use multiple concurrent connections to do the restore (Andrew)
The number of concurrent connections is controlled by the option --jobs. This is supported only for custom-format archives.
E.1.3.9. Programming Tools
E.1.3.9.1. libpq
Allow the OID to be specified when importing a large object, via new function lo_import_with_oid() (Tatsuo)
Add "events" support (Andrew Chernow, Merlin Moncure)
This adds the ability to register callbacks to manage private data associated with PGconn and PGresult objects.
Improve error handling to allow the return of multiple error messages as multi-line error reports (Magnus)
Make PQexecParams() and related functions return PGRES_EMPTY_QUERY for an empty query (Tom)
They previously returned PGRES_COMMAND_OK.
Document how to avoid the overhead of WSACleanup() on Windows (Andrew Chernow)
Do not rely on Kerberos tickets to determine the default database username (Magnus)
Previously, a Kerberos-capable build of libpq would use the principal name from any available Kerberos ticket as default database username, even if the connection wasn't using Kerberos authentication. This was deemed inconsistent and confusing. The default username is now determined the same way with or without Kerberos. Note however that the database username must still match the ticket when Kerberos authentication is used.
E.1.3.9.2. libpq SSL (Secure Sockets Layer) support
Fix certificate validation for SSL connections (Magnus)
libpq now supports verifying both the certificate and the name of the server when making SSL connections. If a root certificate is not available to use for verification, SSL connections will fail. The sslmode parameter is used to enable certificate verification and set the level of checking. The default is still not to do any verification, allowing connections to SSL-enabled servers without requiring a root certificate on the client.
Support wildcard server certificates (Magnus)
If a certificate CN starts with *, it will be treated as a wildcard when matching the hostname, allowing the use of the same certificate for multiple servers.
Allow the file locations for client certificates to be specified (Mark Woodward, Alvaro, Magnus)
Add a PQinitOpenSSL function to allow greater control over OpenSSL/libcrypto initialization (Andrew Chernow)
Make libpq unregister its OpenSSL callbacks when no database connections remain open (Bruce, Magnus, Russell Smith)
This is required for applications that unload the libpq library, otherwise invalid OpenSSL callbacks will remain.
E.1.3.9.3. ecpg
Add localization support for messages (Euler Taveira de Oliveira)
ecpg parser is now automatically generated from the server parser (Michael)
Previously the ecpg parser was hand-maintained.
E.1.3.9.4. Server Programming Interface (SPI)
Add support for single-use plans with out-of-line parameters (Tom)
Add new SPI_OK_REWRITTEN return code for SPI_execute() (Heikki)
This is used when a command is rewritten to another type of command.
Remove unnecessary inclusions from executor/spi.h (Tom)
SPI-using modules might need to add some #include lines if they were depending on spi.h to include things for them.
E.1.3.10. Build Options
Update build system to use Autoconf 2.61 (Peter)
Require GNU bison for source code builds (Peter)
This has effectively been required for several years, but now there is no infrastructure claiming to support other parser tools.
Add pg_config --htmldir option (Peter)
Pass float4 by value inside the server (Zoltan Boszormenyi)
Add configure option --disable-float4-byval to use the old behavior. External C functions that use old-style (version 0) call convention and pass or return float4 values will be broken by this change, so you may need the configure option if you have such functions and don't want to update them.
Pass float8, int8, and related datatypes by value inside the server on 64-bit platforms (Zoltan Boszormenyi)
Add configure option --disable-float8-byval to use the old behavior. As above, this change might break old-style external C functions.
Add configure options --with-segsize, --with-blocksize, --with-wal-blocksize, --with-wal-segsize (Zdenek Kotala, Tom)
This simplifies build-time control over several constants that previously could only be changed by editing pg_config_manual.h.
Allow threaded builds on Solaris 2.5 (Bruce)
Use the system's getopt_long() on Solaris (Zdenek Kotala, Tom)
This makes option processing more consistent with what Solaris users expect.
Add support for the Sun Studio compiler on Linux (Julius Stroffek)
Append the major version number to the backend gettext domain, and the soname major version number to libraries' gettext domain (Peter)
This simplifies parallel installations of multiple versions.
Add support for code coverage testing with gcov (Michelle Caisse)
Allow out-of-tree builds on Mingw and Cygwin (Richard Evans)
Fix the use of Mingw as a cross-compiling source platform (Peter)
E.1.3.11. Source Code
Support 64-bit time zone data files (Heikki)
This adds support for daylight saving time (DST) calculations beyond the year 2038.
Deprecate use of platform's time_t data type (Tom)
Some platforms have migrated to 64-bit time_t, some have not, and Windows can't make up its mind what it's doing. Define pg_time_t to have the same meaning as time_t, but always be 64 bits (unless the platform has no 64-bit integer type), and use that type in all module APIs and on-disk data formats.
Fix bug in handling of the time zone database when cross-compiling (Richard Evans)
Link backend object files in one step, rather than in stages (Peter)
Improve gettext support to allow better translation of plurals (Peter)
Add message translation support to the PL languages (Alvaro, Peter)
Add more DTrace probes (Robert Lor)
Enable DTrace support on Mac OS X Leopard and other non-Solaris platforms (Robert Lor)
Simplify and standardize conversions between C strings and text datums, by providing common functions for the purpose (Brendan Jurd, Tom)
Clean up the include/catalog/ header files so that frontend programs can include them without including postgres.h (Zdenek Kotala)
Make name char-aligned, and suppress zero-padding of name entries in indexes (Tom)
Recover better if dynamically-loaded code executes exit() (Tom)
Add a hook to let plug-ins monitor the executor (Itagaki Takahiro)
Add a hook to allow the planner's statistics lookup behavior to be overridden (Simon Riggs)
Add shmem_startup_hook() for custom shared memory requirements (Tom)
Replace the index access method amgetmulti entry point with amgetbitmap, and extend the API for amgettuple to support run-time determination of operator lossiness (Heikki, Tom, Teodor)
The API for GIN and GiST opclass consistent functions has been extended as well.
Add support for partial-match searches in GIN indexes (Teodor Sigaev, Oleg Bartunov)
Replace pg_class column reltriggers with boolean relhastriggers (Simon)
Also remove unused pg_class columns relukeys, relfkeys, and relrefs.
Add a relistemp column to pg_class to ease identification of temporary tables (Tom)
Move platform FAQs into the main documentation (Peter)
Prevent parser input files from being built with any conflicts (Peter)
Add support for the KOI8U (Ukrainian) encoding (Peter)
Add Japanese message translations (Japan PostgreSQL Users Group)
This used to be maintained as a separate project.
Fix problem when setting LC_MESSAGES on MSVC-built systems (Hiroshi Inoue, Hiroshi Saito, Magnus)
E.1.3.12. Contrib
Add contrib/auto_explain to automatically run EXPLAIN on queries exceeding a specified duration (Itagaki Takahiro, Tom)
Add contrib/btree_gin to allow GIN indexes to handle more datatypes (Oleg, Teodor)
Add contrib/citext to provide a case-insensitive, multibyte-aware text data type (David Wheeler)
Add contrib/pg_stat_statements for server-wide tracking of statement execution statistics (Itagaki Takahiro)
Add duration and query mode options to contrib/pgbench (Itagaki Takahiro)
Make contrib/pgbench use table names pgbench_accounts, pgbench_branches, pgbench_history, and pgbench_tellers, rather than just accounts, branches, history, and tellers (Tom)
This is to reduce the risk of accidentally destroying real data by running pgbench.
Fix contrib/pgstattuple to handle tables and indexes with over 2 billion pages (Tatsuhito Kasahara)
In contrib/fuzzystrmatch, add a version of the Levenshtein string-distance function that allows the user to specify the costs of insertion, deletion, and substitution (Volkan Yazici)
Make contrib/ltree support multibyte encodings (laser)
Enable contrib/dblink to use connection information stored in the SQL/MED catalogs (Joe Conway)
Improve contrib/dblink's reporting of errors from the remote server (Joe Conway)
Make contrib/dblink set client_encoding to match the local database's encoding (Joe Conway)
This prevents encoding problems when communicating with a remote database that uses a different encoding.
Make sure contrib/dblink uses a password supplied by the user, and not accidentally taken from the server's .pgpass file (Joe Conway)
This is a minor security enhancement.
Add fsm_page_contents() to contrib/pageinspect (Heikki)
Modify get_raw_page() to support free space map (*_fsm) files. Also update contrib/pg_freespacemap.
Add support for multibyte encodings to contrib/pg_trgm (Teodor)
Rewrite contrib/intagg to use new functions array_agg() and unnest() (Tom)
Make contrib/pg_standby recover all available WAL before failover (Fujii Masao, Simon, Heikki)
To make this work safely, you now need to set the new recovery_end_command option in recovery.conf to clean up the trigger file after failover. pg_standby will no longer remove the trigger file itself.
contrib/pg_standby's -l option is now a no-op, because it is unsafe to use a symlink (Simon)

New in PostgreSQL 8.4 RC1 (Jun 16, 2009)

New in PostgreSQL 8.4 Beta 2 (May 19, 2009)

New in PostgreSQL 8.3 Beta 1 (Oct 10, 2007)

Full text search is now a built-in feature
Support for the SQL/XML standard, including a new xml builtin data type
enum data types
UUID data type, similar to that defined by RFC 4122
Arrays of composite types
ORDER BY ... NULLS FIRST/LAST
Updatable cursors (UPDATE/DELETE WHERE CURRENT OF cursor_name)
Per-function parameter settings
User-defined types can now have type modifiers (parameters)
Declarations such as varchar(42) are no longer restricted to use by built-in data types.
Automatic plan invalidation when table definitions change. This will particularly ease usage of temporary tables in PL/PgSQL functions.
Numerous improvements in logging and statistics collection capabilities, including the ability to emit postmaster log messages in CSV format that can be directly loaded into a database table for analysis
SSPI/GSSAPI authentication support
Multiple autovacuum worker processes, and other autovacuum improvements. Autovacuum is now considered mature enough to be enabled by default.
The entire PostgreSQL system can now be compiled with Microsoft Visual C
This will improve the ability of Windows-based developers to contribute to the project. Windows executables made with Visual C may also have better stability and performance than those made with other tool sets.
Asynchronous commit option to allow transactions to be reported committed before they have actually been flushed to disk. This would not, of course, be acceptable if the client takes some critical external action on the assumption that the transaction will be remembered; but for certain applications, it is an acceptable risk for some or all transactions to use this mode. Unlike existing options such as fsync, asynchronous commit does not risk database corruption; the worst case is that after a crash, the last few reportedly-committed transactions will not have taken effect.
"Distributed" checkpoints to spread out the I/O load of a checkpoint
Heap-Only Tuples (HOT) to reduce overhead of updates
Just-in-time background writer strategy to improve disk write efficiency
Reduction of on-disk data size through reducing both per-tuple and per-field overheads
Efficiency improvements for large sequential scans, including prevention of cache flushing and "piggybacking" to let concurrent scans read the table only once
Top-N sorting
Lazy XID assignment to reduce the cost of read-only transactions. For applications in which there are a large number of read-only transactions, this helps not only by reducing overhead for the transactions themselves, but by reducing overhead that's driven by the rate of XID consumption; notably, reducing contention for transaction log buffers and reducing the frequency of anti-wraparound vacuuming.