2015-02-05 This release contains a variety of fixes from 9.3.5. For information about new features in the 9.3 major release, see . A dump/restore is not required for those running 9.3.X. However, if you are a Windows user and are using the Norwegian (Bokmål) locale, manual action is needed after the upgrade to replace any Norwegian (Bokmål)_Norway locale names stored in PostgreSQL system catalogs with the plain-ASCII alias Norwegian_Norway. For details see Also, if you are upgrading from a version earlier than 9.3.5, see . Fix buffer overruns in to_char() (Bruce Momjian) When to_char() processes a numeric formatting template calling for a large number of digits, PostgreSQL would read past the end of a buffer. When processing a crafted timestamp formatting template, PostgreSQL would write past the end of a buffer. Either case could crash the server. We have not ruled out the possibility of attacks that lead to privilege escalation, though they seem unlikely. (CVE-2015-0241) Fix buffer overrun in replacement *printf() functions (Tom Lane) PostgreSQL includes a replacement implementation of printf and related functions. This code will overrun a stack buffer when formatting a floating point number (conversion specifiers e, E, f, F, g or G) with requested precision greater than about 500. This will crash the server, and we have not ruled out the possibility of attacks that lead to privilege escalation. A database user can trigger such a buffer overrun through the to_char() SQL function. While that is the only affected core PostgreSQL functionality, extension modules that use printf-family functions may be at risk as well. This issue primarily affects PostgreSQL on Windows. PostgreSQL uses the system implementation of these functions where adequate, which it is on other modern platforms. (CVE-2015-0242) Fix buffer overruns in contrib/pgcrypto (Marko Tiikkaja, Noah Misch) Errors in memory size tracking within the pgcrypto module permitted stack buffer overruns and improper dependence on the contents of uninitialized memory. The buffer overrun cases can crash the server, and we have not ruled out the possibility of attacks that lead to privilege escalation. (CVE-2015-0243) Fix possible loss of frontend/backend protocol synchronization after an error (Heikki Linnakangas) If any error occurred while the server was in the middle of reading a protocol message from the client, it could lose synchronization and incorrectly try to interpret part of the message's data as a new protocol message. An attacker able to submit crafted binary data within a command parameter might succeed in injecting his own SQL commands this way. Statement timeout and query cancellation are the most likely sources of errors triggering this scenario. Particularly vulnerable are applications that use a timeout and also submit arbitrary user-crafted data as binary query parameters. Disabling statement timeout will reduce, but not eliminate, the risk of exploit. Our thanks to Emil Lenngren for reporting this issue. (CVE-2015-0244) Fix information leak via constraint-violation error messages (Stephen Frost) Some server error messages show the values of columns that violate a constraint, such as a unique constraint. If the user does not have SELECT privilege on all columns of the table, this could mean exposing values that the user should not be able to see. Adjust the code so that values are displayed only when they came from the SQL command or could be selected by the user. (CVE-2014-8161) Lock down regression testing's temporary installations on Windows (Noah Misch) Use SSPI authentication to allow connections only from the OS user who launched the test suite. This closes on Windows the same vulnerability previously closed on other platforms, namely that other users might be able to connect to the test postmaster. (CVE-2014-0067) Cope with the Windows locale named Norwegian (Bokmål) (Heikki Linnakangas) Non-ASCII locale names are problematic since it's not clear what encoding they should be represented in. Map the troublesome locale name to a plain-ASCII alias, Norwegian_Norway. Avoid possible data corruption if ALTER DATABASE SET TABLESPACE is used to move a database to a new tablespace and then shortly later move it back to its original tablespace (Tom Lane) Avoid corrupting tables when ANALYZE inside a transaction is rolled back (Andres Freund, Tom Lane, Michael Paquier) If the failing transaction had earlier removed the last index, rule, or trigger from the table, the table would be left in a corrupted state with the relevant pg_class flags not set though they should be. Ensure that unlogged tables are copied correctly during CREATE DATABASE or ALTER DATABASE SET TABLESPACE (Pavan Deolasee, Andres Freund) Fix incorrect processing of CreateEventTrigStmt.eventname (Petr Jelinek) This could result in misbehavior if CREATE EVENT TRIGGER were executed as a prepared query, or via extended query protocol. Fix DROP's dependency searching to correctly handle the case where a table column is recursively visited before its table (Petr Jelinek, Tom Lane) This case is only known to arise when an extension creates both a datatype and a table using that datatype. The faulty code might refuse a DROP EXTENSION unless CASCADE is specified, which should not be required. Fix use-of-already-freed-memory problem in EvalPlanQual processing (Tom Lane) In READ COMMITTED mode, queries that lock or update recently-updated rows could crash as a result of this bug. Avoid possible deadlock while trying to acquire tuple locks in EvalPlanQual processing (Álvaro Herrera, Mark Kirkwood) Fix failure to wait when a transaction tries to acquire a FOR NO KEY EXCLUSIVE tuple lock, while multiple other transactions currently hold FOR SHARE locks (Álvaro Herrera) Fix planning of SELECT FOR UPDATE when using a partial index on a child table (Kyotaro Horiguchi) In READ COMMITTED mode, SELECT FOR UPDATE must also recheck the partial index's WHERE condition when rechecking a recently-updated row to see if it still satisfies the query's WHERE condition. This requirement was missed if the index belonged to an inheritance child table, so that it was possible to incorrectly return rows that no longer satisfy the query condition. Fix corner case wherein SELECT FOR UPDATE could return a row twice, and possibly miss returning other rows (Tom Lane) In READ COMMITTED mode, a SELECT FOR UPDATE that is scanning an inheritance tree could incorrectly return a row from a prior child table instead of the one it should return from a later child table. Improve performance of EXPLAIN with large range tables (Tom Lane) Reject duplicate column names in the referenced-columns list of a FOREIGN KEY declaration (David Rowley) This restriction is per SQL standard. Previously we did not reject the case explicitly, but later on the code would fail with bizarre-looking errors. Re-enable error for SELECT ... OFFSET -1 (Tom Lane) A negative offset value has been an error since 8.4, but an optimization added in 9.3 accidentally turned the case into a no-op. Restore the expected behavior. Restore previous behavior of conversion of domains to JSON (Tom Lane) This change causes domains over numeric and boolean to be treated like their base types for purposes of conversion to JSON. It worked like that before 9.3.5 and 9.2.9, but was unintentionally changed while fixing a related problem. Fix json_agg() to not return extra trailing right brackets in its result (Tom Lane) Fix bugs in raising a numeric value to a large integral power (Tom Lane) The previous code could get a wrong answer, or consume excessive amounts of time and memory before realizing that the answer must overflow. In numeric_recv(), truncate away any fractional digits that would be hidden according to the value's dscale field (Tom Lane) A numeric value's display scale (dscale) should never be less than the number of nonzero fractional digits; but apparently there's at least one broken client application that transmits binary numeric values in which that's true. This leads to strange behavior since the extra digits are taken into account by arithmetic operations even though they aren't printed. The least risky fix seems to be to truncate away such hidden digits on receipt, so that the value is indeed what it prints as. Fix incorrect search for shortest-first regular expression matches (Tom Lane) Matching would often fail when the number of allowed iterations is limited by a ? quantifier or a bound expression. Reject out-of-range numeric timezone specifications (Tom Lane) Simple numeric timezone specifications exceeding +/- 168 hours (one week) would be accepted, but could then cause null-pointer dereference crashes in certain operations. There's no use-case for such large UTC offsets, so reject them. Fix bugs in tsquery @> tsquery operator (Heikki Linnakangas) Two different terms would be considered to match if they had the same CRC. Also, if the second operand had more terms than the first, it would be assumed not to be contained in the first; which is wrong since it might contain duplicate terms. Improve ispell dictionary's defenses against bad affix files (Tom Lane) Allow more than 64K phrases in a thesaurus dictionary (David Boutin) The previous coding could crash on an oversize dictionary, so this was deemed a back-patchable bug fix rather than a feature addition. Fix namespace handling in xpath() (Ali Akbar) Previously, the xml value resulting from an xpath() call would not have namespace declarations if the namespace declarations were attached to an ancestor element in the input xml value, rather than to the specific element being returned. Propagate the ancestral declaration so that the result is correct when considered in isolation. Ensure that whole-row variables expose nonempty column names to functions that pay attention to column names within composite arguments (Tom Lane) In some contexts, constructs like row_to_json(tab.*) may not produce the expected column names. This is fixed properly as of 9.4; in older branches, just ensure that we produce some nonempty name. (In some cases this will be the underlying table's column name rather than the query-assigned alias that should theoretically be visible.) Fix mishandling of system columns, particularly tableoid, in FDW queries (Etsuro Fujita) Fix assorted oversights in range-operator selectivity estimation (Emre Hasegeli) This patch fixes corner-case unexpected operator NNNN planner errors, and improves the selectivity estimates for some other cases. Avoid doing indexed_column = ANY (array) as an index qualifier if that leads to an inferior plan (Andrew Gierth) In some cases, = ANY conditions applied to non-first index columns would be done as index conditions even though it would be better to use them as simple filter conditions. Fix variable not found in subplan target list planner failure when an inline-able SQL function taking a composite argument is used in a LATERAL subselect and the composite argument is a lateral reference (Tom Lane) Fix planner problems with nested append relations, such as inherited tables within UNION ALL subqueries (Tom Lane) Fail cleanly when a GiST index tuple doesn't fit on a page, rather than going into infinite recursion (Andrew Gierth) Exempt tables that have per-table cost_limit and/or cost_delay settings from autovacuum's global cost balancing rules (Álvaro Herrera) The previous behavior resulted in basically ignoring these per-table settings, which was unintended. Now, a table having such settings will be vacuumed using those settings, independently of what is going on in other autovacuum workers. This may result in heavier total I/O load than before, so such settings should be re-examined for sanity. Avoid wholesale autovacuuming when autovacuum is nominally off (Tom Lane) Even when autovacuum is nominally off, we will still launch autovacuum worker processes to vacuum tables that are at risk of XID wraparound. However, such a worker process then proceeded to vacuum all tables in the target database, if they met the usual thresholds for autovacuuming. This is at best pretty unexpected; at worst it delays response to the wraparound threat. Fix it so that if autovacuum is turned off, workers only do anti-wraparound vacuums and not any other work. During crash recovery, ensure that unlogged relations are rewritten as empty and are synced to disk before recovery is considered complete (Abhijit Menon-Sen, Andres Freund) This prevents scenarios in which unlogged relations might contain garbage data following database crash recovery. Fix race condition between hot standby queries and replaying a full-page image (Heikki Linnakangas) This mistake could result in transient errors in queries being executed in hot standby. Fix several cases where recovery logic improperly ignored WAL records for COMMIT/ABORT PREPARED (Heikki Linnakangas) The most notable oversight was that recovery_min_apply_delay failed to delay application of a two-phase commit. Prevent latest WAL file from being archived a second time at completion of crash recovery (Fujii Masao) Avoid creating unnecessary .ready marker files for timeline history files (Fujii Masao) Fix possible null pointer dereference when an empty prepared statement is used and the log_statement setting is mod or ddl (Fujii Masao) Change pgstat wait timeout warning message to be LOG level, and rephrase it to be more understandable (Tom Lane) This message was originally thought to be essentially a can't-happen case, but it occurs often enough on our slower buildfarm members to be a nuisance. Reduce it to LOG level, and expend a bit more effort on the wording: it now reads using stale statistics instead of current ones because stats collector is not responding. Fix possible corruption of postmaster's list of dynamic background workers (Andres Freund) Fix SPARC spinlock implementation to ensure correctness if the CPU is being run in a non-TSO coherency mode, as some non-Solaris kernels do (Andres Freund) Warn if OS X's setlocale() starts an unwanted extra thread inside the postmaster (Noah Misch) Fix processing of repeated dbname parameters in PQconnectdbParams() (Alex Shulgin) Unexpected behavior ensued if the first occurrence of dbname contained a connection string or URI to be expanded. Ensure that libpq reports a suitable error message on unexpected socket EOF (Marko Tiikkaja, Tom Lane) Depending on kernel behavior, libpq might return an empty error string rather than something useful when the server unexpectedly closed the socket. Clear any old error message during PQreset() (Heikki Linnakangas) If PQreset() is called repeatedly, and the connection cannot be re-established, error messages from the failed connection attempts kept accumulating in the PGconn's error string. Properly handle out-of-memory conditions while parsing connection options in libpq (Alex Shulgin, Heikki Linnakangas) Fix array overrun in ecpg's version of ParseDateTime() (Michael Paquier) In initdb, give a clearer error message if a password file is specified but is empty (Mats Erik Andersson) Fix psql's \s command to work nicely with libedit, and add pager support (Stepan Rutz, Tom Lane) When using libedit rather than readline, \s printed the command history in a fairly unreadable encoded format, and on recent libedit versions might fail altogether. Fix that by printing the history ourselves rather than having the library do it. A pleasant side-effect is that the pager is used if appropriate. This patch also fixes a bug that caused newline encoding to be applied inconsistently when saving the command history with libedit. Multiline history entries written by older psql versions will be read cleanly with this patch, but perhaps not vice versa, depending on the exact libedit versions involved. Improve consistency of parsing of psql's special variables (Tom Lane) Allow variant spellings of on and off (such as 1/0) for ECHO_HIDDEN and ON_ERROR_ROLLBACK. Report a warning for unrecognized values for COMP_KEYWORD_CASE, ECHO, ECHO_HIDDEN, HISTCONTROL, ON_ERROR_ROLLBACK, and VERBOSITY. Recognize all values for all these variables case-insensitively; previously there was a mishmash of case-sensitive and case-insensitive behaviors. Make psql's \watch command display nulls as specified by \pset null (Fujii Masao) Fix psql's expanded-mode display to work consistently when using border = 3 and linestyle = ascii or unicode (Stephen Frost) Fix pg_dump to handle comments on event triggers without failing (Tom Lane) Allow parallel pg_dump to use --serializable-deferrable (Kevin Grittner) Improve performance of pg_dump when the database contains many instances of multiple dependency paths between the same two objects (Tom Lane) Fix pg_dumpall to restore its ability to dump from pre-8.1 servers (Gilles Darold) Fix possible deadlock during parallel restore of a schema-only dump (Robert Haas, Tom Lane) Fix core dump in pg_dump --binary-upgrade on zero-column composite type (Rushabh Lathia) Fix failure to fsync tables in nondefault tablespaces during pg_upgrade (Abhijit Menon-Sen, Andres Freund) With an operating system crash and some bad luck, this could result in data loss during an upgrade. In pg_upgrade, cope with cases where the new cluster creates a TOAST table for a table that didn't previously have one (Bruce Momjian) Previously this could result in failures due to OID conflicts. In pg_upgrade, don't try to set autovacuum_multixact_freeze_max_age for the old cluster (Bruce Momjian) This could result in failure because not all 9.3.X versions have that parameter. Fortunately, we don't actually need to set it at all. In pg_upgrade, preserve the transaction ID epoch (Bruce Momjian) This oversight did not bother PostgreSQL proper, but could confuse some external replication tools. Prevent WAL files created by pg_basebackup -x/-X from being archived again when the standby is promoted (Andres Freund) Fix memory leak in pg_receivexlog (Fujii Masao) Fix unintended suppression of pg_receivexlog verbose messages (Fujii Masao) Fix failure of contrib/auto_explain to print per-node timing information when doing EXPLAIN ANALYZE (Tom Lane) Fix upgrade-from-unpackaged script for contrib/citext (Tom Lane) Avoid integer overflow and buffer overrun in contrib/hstore's hstore_to_json() (Heikki Linnakangas) Fix recognition of numbers in hstore_to_json_loose(), so that JSON numbers and strings are correctly distinguished (Andrew Dunstan) Fix block number checking in contrib/pageinspect's get_raw_page() (Tom Lane) The incorrect checking logic could prevent access to some pages in non-main relation forks. Fix contrib/pgcrypto's pgp_sym_decrypt() to not fail on messages whose length is 6 less than a power of 2 (Marko Tiikkaja) Fix file descriptor leak in contrib/pg_test_fsync (Jeff Janes) This could cause failure to remove temporary files on Windows. Handle unexpected query results, especially NULLs, safely in contrib/tablefunc's connectby() (Michael Paquier) connectby() previously crashed if it encountered a NULL key value. It now prints that row but doesn't recurse further. Avoid a possible crash in contrib/xml2's xslt_process() (Mark Simonetti) libxslt seems to have an undocumented dependency on the order in which resources are freed; reorder our calls to avoid a crash. Mark some contrib I/O functions with correct volatility properties (Tom Lane) The previous over-conservative marking was immaterial in normal use, but could cause optimization problems or rejection of valid index expression definitions. Since the consequences are not large, we've just adjusted the function definitions in the extension modules' scripts, without changing version numbers. Numerous cleanups of warnings from Coverity static code analyzer (Andres Freund, Tatsuo Ishii, Marko Kreen, Tom Lane, Michael Paquier) These changes are mostly cosmetic but in some cases fix corner-case bugs, for example a crash rather than a proper error report after an out-of-memory failure. None are believed to represent security issues. Fix setup of background workers in EXEC_BACKEND builds, eg Windows (Robert Haas) Detect incompatible OpenLDAP versions during build (Noah Misch) With OpenLDAP versions 2.4.24 through 2.4.31, inclusive, PostgreSQL backends can crash at exit. Raise a warning during configure based on the compile-time OpenLDAP version number, and test the crashing scenario in the contrib/dblink regression test. In non-MSVC Windows builds, ensure libpq.dll is installed with execute permissions (Noah Misch) Make pg_regress remove any temporary installation it created upon successful exit (Tom Lane) This results in a very substantial reduction in disk space usage during make check-world, since that sequence involves creation of numerous temporary installations. Support time zone abbreviations that change UTC offset from time to time (Tom Lane) Previously, PostgreSQL assumed that the UTC offset associated with a time zone abbreviation (such as EST) never changes in the usage of any particular locale. However this assumption fails in the real world, so introduce the ability for a zone abbreviation to represent a UTC offset that sometimes changes. Update the zone abbreviation definition files to make use of this feature in timezone locales that have changed the UTC offset of their abbreviations since 1970 (according to the IANA timezone database). In such timezones, PostgreSQL will now associate the correct UTC offset with the abbreviation depending on the given date. Update time zone abbreviations lists (Tom Lane) Add CST (China Standard Time) to our lists. Remove references to ADT as Arabia Daylight Time, an abbreviation that's been out of use since 2007; therefore, claiming there is a conflict with Atlantic Daylight Time doesn't seem especially helpful. Fix entirely incorrect GMT offsets for CKT (Cook Islands), FJT, and FJST (Fiji); we didn't even have them on the proper side of the date line. Update time zone data files to tzdata release 2015a. The IANA timezone database has adopted abbreviations of the form AxST/AxDT for all Australian time zones, reflecting what they believe to be current majority practice Down Under. These names do not conflict with usage elsewhere (other than ACST for Acre Summer Time, which has been in disuse since 1994). Accordingly, adopt these names into our Default timezone abbreviation set. The Australia abbreviation set now contains only CST, EAST, EST, SAST, SAT, and WST, all of which are thought to be mostly historical usage. Note that SAST has also been changed to be South Africa Standard Time in the Default abbreviation set. Also, add zone abbreviations SRET (Asia/Srednekolymsk) and XJT (Asia/Urumqi), and use WSST/WSDT for western Samoa. Also, there were DST law changes in Chile, Mexico, the Turks & Caicos Islands (America/Grand_Turk), and Fiji. There is a new zone Pacific/Bougainville for portions of Papua New Guinea. Also, numerous corrections for historical (pre-1970) time zone data. 2014-07-24 This release contains a variety of fixes from 9.3.4. For information about new features in the 9.3 major release, see . A dump/restore is not required for those running 9.3.X. However, this release corrects a logic error in pg_upgrade, as well as an index corruption problem in some GiST indexes. See the first two changelog entries below to find out whether your installation has been affected and what steps you should take if so. Also, if you are upgrading from a version earlier than 9.3.4, see . In pg_upgrade, remove pg_multixact files left behind by initdb (Bruce Momjian) If you used a pre-9.3.5 version of pg_upgrade to upgrade a database cluster to 9.3, it might have left behind a file $PGDATA/pg_multixact/offsets/0000 that should not be there and will eventually cause problems in VACUUM. However, in common cases this file is actually valid and must not be removed. To determine whether your installation has this problem, run this query as superuser, in any database of the cluster: WITH list(file) AS (SELECT * FROM pg_ls_dir('pg_multixact/offsets')) SELECT EXISTS (SELECT * FROM list WHERE file = '0000') AND NOT EXISTS (SELECT * FROM list WHERE file = '0001') AND NOT EXISTS (SELECT * FROM list WHERE file = 'FFFF') AND EXISTS (SELECT * FROM list WHERE file != '0000') AS file_0000_removal_required; If this query returns t, manually remove the file $PGDATA/pg_multixact/offsets/0000. Do nothing if the query returns f. Correctly initialize padding bytes in contrib/btree_gist indexes on bit columns (Heikki Linnakangas) This error could result in incorrect query results due to values that should compare equal not being seen as equal. Users with GiST indexes on bit or bit varying columns should REINDEX those indexes after installing this update. Protect against torn pages when deleting GIN list pages (Heikki Linnakangas) This fix prevents possible index corruption if a system crash occurs while the page update is being written to disk. Don't clear the right-link of a GiST index page while replaying updates from WAL (Heikki Linnakangas) This error could lead to transiently wrong answers from GiST index scans performed in Hot Standby. Fix corner-case infinite loop during insertion into an SP-GiST text index (Tom Lane) Fix incorrect answers from SP-GiST index searches with -|- (range adjacency) operator (Heikki Linnakangas) Fix wraparound handling for pg_multixact/members (Álvaro Herrera) Truncate pg_multixact during checkpoints, not during VACUUM (Álvaro Herrera) This change ensures that pg_multixact segments can't be removed if they'd still be needed during WAL replay after a crash. Fix possible inconsistency of all-visible flags after WAL recovery (Heikki Linnakangas) Fix possibly-incorrect cache invalidation during nested calls to ReceiveSharedInvalidMessages (Andres Freund) Fix race condition when updating a tuple concurrently locked by another process (Andres Freund, Álvaro Herrera) Fix could not find pathkey item to sort planner failures with UNION ALL over subqueries reading from tables with inheritance children (Tom Lane) Don't assume a subquery's output is unique if there's a set-returning function in its targetlist (David Rowley) This oversight could lead to misoptimization of constructs like WHERE x IN (SELECT y, generate_series(1,10) FROM t GROUP BY y). Improve planner to drop constant-NULL inputs of AND/OR when possible (Tom Lane) This change fixes some cases where the more aggressive parameter substitution done by 9.2 and later can lead to a worse plan than older versions produced. Ensure that the planner sees equivalent VARIADIC and non-VARIADIC function calls as equivalent (Tom Lane) This bug could for example result in failure to use expression indexes involving variadic functions. It might be necessary to re-create such indexes, and/or re-create views including variadic function calls that should match the indexes, for the fix to be effective for existing 9.3 installations. Fix handling of nested JSON objects in json_populate_recordset() and friends (Michael Paquier, Tom Lane) A nested JSON object could result in previous fields of the parent object not being shown in the output. Fix identification of input type category in to_json() and friends (Tom Lane) This is known to have led to inadequate quoting of money fields in the JSON result, and there may have been wrong results for other data types as well. Fix failure to detoast fields in composite elements of structured types (Tom Lane) This corrects cases where TOAST pointers could be copied into other tables without being dereferenced. If the original data is later deleted, it would lead to errors like missing chunk number 0 for toast value ... when the now-dangling pointer is used. Fix record type has not been registered failures with whole-row references to the output of Append plan nodes (Tom Lane) Fix possible crash when invoking a user-defined function while rewinding a cursor (Tom Lane) Fix query-lifespan memory leak while evaluating the arguments for a function in FROM (Tom Lane) Fix session-lifespan memory leaks in regular-expression processing (Tom Lane, Arthur O'Dwyer, Greg Stark) Fix data encoding error in hungarian.stop (Tom Lane) Prevent foreign tables from being created with OIDS when is true (Etsuro Fujita) Fix liveness checks for rows that were inserted in the current transaction and then deleted by a now-rolled-back subtransaction (Andres Freund) This could cause problems (at least spurious warnings, and at worst an infinite loop) if CREATE INDEX or CLUSTER were done later in the same transaction. Clear pg_stat_activity.xact_start during PREPARE TRANSACTION (Andres Freund) After the PREPARE, the originating session is no longer in a transaction, so it should not continue to display a transaction start time. Fix REASSIGN OWNED to not fail for text search objects (Álvaro Herrera) Prevent pg_class.relminmxid values from going backwards during VACUUM FULL (Álvaro Herrera) Reduce indentation in rule/view dumps to improve readability and avoid excessive whitespace (Greg Stark, Tom Lane) This change reduces the amount of indentation applied to nested constructs, including some cases that the user probably doesn't think of as nested, such as UNION lists. Previously, deeply nested constructs were printed with an amount of whitespace growing as O(N^2), which created a performance problem and even risk of out-of-memory failures. Now the indentation is reduced modulo 40, which is initially odd to look at but seems to preserve readability better than simply limiting the indentation would do. Redundant parenthesization of UNION lists has been reduced as well. Fix dumping of rules/views when subsequent addition of a column has resulted in multiple input columns matching a USING specification (Tom Lane) Repair view printing for some cases involving functions in FROM that return a composite type containing dropped columns (Tom Lane) Block signals during postmaster startup (Tom Lane) This ensures that the postmaster will properly clean up after itself if, for example, it receives SIGINT while still starting up. Fix client host name lookup when processing pg_hba.conf entries that specify host names instead of IP addresses (Tom Lane) Ensure that reverse-DNS lookup failures are reported, instead of just silently not matching such entries. Also ensure that we make only one reverse-DNS lookup attempt per connection, not one per host name entry, which is what previously happened if the lookup attempts failed. Allow the root user to use postgres -C variable and postgres --describe-config (MauMau) The prohibition on starting the server as root does not need to extend to these operations, and relaxing it prevents failure of pg_ctl in some scenarios. Secure Unix-domain sockets of temporary postmasters started during make check (Noah Misch) Any local user able to access the socket file could connect as the server's bootstrap superuser, then proceed to execute arbitrary code as the operating-system user running the test, as we previously noted in CVE-2014-0067. This change defends against that risk by placing the server's socket in a temporary, mode 0700 subdirectory of /tmp. The hazard remains however on platforms where Unix sockets are not supported, notably Windows, because then the temporary postmaster must accept local TCP connections. A useful side effect of this change is to simplify make check testing in builds that override DEFAULT_PGSOCKET_DIR. Popular non-default values like /var/run/postgresql are often not writable by the build user, requiring workarounds that will no longer be necessary. Fix tablespace creation WAL replay to work on Windows (MauMau) Fix detection of socket creation failures on Windows (Bruce Momjian) On Windows, allow new sessions to absorb values of PGC_BACKEND parameters (such as ) from the configuration file (Amit Kapila) Previously, if such a parameter were changed in the file post-startup, the change would have no effect. Properly quote executable path names on Windows (Nikhil Deshpande) This oversight could cause initdb and pg_upgrade to fail on Windows, if the installation path contained both spaces and @ signs. Fix linking of libpython on OS X (Tom Lane) The method we previously used can fail with the Python library supplied by Xcode 5.0 and later. Avoid buffer bloat in libpq when the server consistently sends data faster than the client can absorb it (Shin-ichi Morita, Tom Lane) libpq could be coerced into enlarging its input buffer until it runs out of memory (which would be reported misleadingly as lost synchronization with server). Under ordinary circumstances it's quite far-fetched that data could be continuously transmitted more quickly than the recv() loop can absorb it, but this has been observed when the client is artificially slowed by scheduler constraints. Ensure that LDAP lookup attempts in libpq time out as intended (Laurenz Albe) Fix ecpg to do the right thing when an array of char * is the target for a FETCH statement returning more than one row, as well as some other array-handling fixes (Ashutosh Bapat) Fix pg_dump to cope with a materialized view that depends on a table's primary key (Tom Lane) This occurs if the view's query relies on functional dependency to abbreviate a GROUP BY list. pg_dump got sufficiently confused that it dumped the materialized view as a regular view. Fix parsing of pg_dumpall's -i switch (Tom Lane) Fix pg_restore's processing of old-style large object comments (Tom Lane) A direct-to-database restore from an archive file generated by a pre-9.0 version of pg_dump would usually fail if the archive contained more than a few comments for large objects. Fix pg_upgrade for cases where the new server creates a TOAST table but the old version did not (Bruce Momjian) This rare situation would manifest as relation OID mismatch errors. In pg_upgrade, preserve pg_database.datminmxid and pg_class.relminmxid values from the old cluster, or insert reasonable values when upgrading from pre-9.3; also defend against unreasonable values in the core server (Bruce Momjian, Álvaro Herrera, Tom Lane) These changes prevent scenarios in which autovacuum might insist on scanning the entire cluster's contents immediately upon starting the new cluster, or in which tracking of unfrozen MXID values might be disabled completely. Prevent contrib/auto_explain from changing the output of a user's EXPLAIN (Tom Lane) If auto_explain is active, it could cause an EXPLAIN (ANALYZE, TIMING OFF) command to nonetheless print timing information. Fix query-lifespan memory leak in contrib/dblink (MauMau, Joe Conway) In contrib/pgcrypto functions, ensure sensitive information is cleared from stack variables before returning (Marko Kreen) Prevent use of already-freed memory in contrib/pgstattuple's pgstat_heap() (Noah Misch) In contrib/uuid-ossp, cache the state of the OSSP UUID library across calls (Tom Lane) This improves the efficiency of UUID generation and reduces the amount of entropy drawn from /dev/urandom, on platforms that have that. Update time zone data files to tzdata release 2014e for DST law changes in Crimea, Egypt, and Morocco. 2014-03-20 This release contains a variety of fixes from 9.3.3. For information about new features in the 9.3 major release, see . A dump/restore is not required for those running 9.3.X. However, the error fixed in the first changelog entry below could have resulted in corrupt data on standby servers. It may be prudent to reinitialize standby servers from fresh base backups after installing this update. Also, if you are upgrading from a version earlier than 9.3.3, see . Fix WAL replay of locking an already-updated tuple (Andres Freund, Álvaro Herrera) This error caused updated rows to not be found by index scans, resulting in inconsistent query results depending on whether an index scan was used. Subsequent processing could result in constraint violations, since the previously updated row would not be found by later index searches, thus possibly allowing conflicting rows to be inserted. Since this error is in WAL replay, it would only manifest during crash recovery or on standby servers. The improperly-replayed case most commonly arises when a table row that is referenced by a foreign-key constraint is updated concurrently with creation of a referencing row. Restore GIN metapages unconditionally to avoid torn-page risk (Heikki Linnakangas) Although this oversight could theoretically result in a corrupted index, it is unlikely to have caused any problems in practice, since the active part of a GIN metapage is smaller than a standard 512-byte disk sector. Avoid race condition in checking transaction commit status during receipt of a NOTIFY message (Marko Tiikkaja) This prevents a scenario wherein a sufficiently fast client might respond to a notification before database updates made by the notifier have become visible to the recipient. Allow materialized views to be referenced in UPDATE and DELETE commands (Michael Paquier) Previously such queries failed with a complaint about not being able to lock rows in the materialized view. Allow regular-expression operators to be terminated early by query cancel requests (Tom Lane) This prevents scenarios wherein a pathological regular expression could lock up a server process uninterruptably for a long time. Remove incorrect code that tried to allow OVERLAPS with single-element row arguments (Joshua Yanovski) This code never worked correctly, and since the case is neither specified by the SQL standard nor documented, it seemed better to remove it than fix it. Avoid getting more than AccessShareLock when de-parsing a rule or view (Dean Rasheed) This oversight resulted in pg_dump unexpectedly acquiring RowExclusiveLock locks on tables mentioned as the targets of INSERT/UPDATE/DELETE commands in rules. While usually harmless, that could interfere with concurrent transactions that tried to acquire, for example, ShareLock on those tables. Improve performance of index endpoint probes during planning (Tom Lane) This change fixes a significant performance problem that occurred when there were many not-yet-committed rows at the end of the index, which is a common situation for indexes on sequentially-assigned values such as timestamps or sequence-generated identifiers. Use non-default selectivity estimates for value IN (list) and value operator ANY (array) expressions when the righthand side is a stable expression (Tom Lane) Remove the correct per-database statistics file during DROP DATABASE (Tomas Vondra) This fix prevents a permanent leak of statistics file space. Users who have done many DROP DATABASE commands since upgrading to PostgreSQL 9.3 may wish to check their statistics directory and delete statistics files that do not correspond to any existing database. Please note that db_0.stat should not be removed. Fix walsender ping logic to avoid inappropriate disconnects under continuous load (Andres Freund, Heikki Linnakangas) walsender failed to send ping messages to the client if it was constantly busy sending WAL data; but it expected to see ping responses despite that, and would therefore disconnect once elapsed. Fix walsender's failure to shut down cleanly when client is pg_receivexlog (Fujii Masao) Check WAL level and hot standby parameters correctly when doing crash recovery that will be followed by archive recovery (Heikki Linnakangas) Fix test to see if hot standby connections can be allowed immediately after a crash (Heikki Linnakangas) Add read-only parameter to display whether page checksums are enabled (Heikki Linnakangas) Without this parameter, determining the state of checksum processing was difficult. Prevent interrupts while reporting non-ERROR messages (Tom Lane) This guards against rare server-process freezeups due to recursive entry to syslog(), and perhaps other related problems. Fix memory leak in PL/Perl when returning a composite result, including multiple-OUT-parameter cases (Alex Hunsaker) Fix tracking of psql script line numbers during \copy from out-of-line data (Kumar Rajeev Rastogi, Amit Khandekar) \copy ... from incremented the script file line number for each data line, even if the data was not coming from the script file. This mistake resulted in wrong line numbers being reported for any errors occurring later in the same script file. Fix contrib/postgres_fdw to handle multiple join conditions properly (Tom Lane) This oversight could result in sending WHERE clauses to the remote server for execution even though the clauses are not known to have the same semantics on the remote server (for example, clauses that use non-built-in operators). The query might succeed anyway, but it could also fail with errors from the remote server, or worse give silently wrong answers. Prevent intermittent could not reserve shared memory region failures on recent Windows versions (MauMau) Update time zone data files to tzdata release 2014a for DST law changes in Fiji and Turkey, plus historical changes in Israel and Ukraine. 2014-02-20 This release contains a variety of fixes from 9.3.2. For information about new features in the 9.3 major release, see . A dump/restore is not required for those running 9.3.X. However, several of the issues corrected in this release could have resulted in corruption of foreign-key constraints; that is, there might now be referencing rows for which there is no matching row in the referenced table. It may be worthwhile to recheck such constraints after installing this update. The simplest way to do that is to drop and recreate each suspect constraint; however, that will require taking an exclusive lock on both tables, so it is unlikely to be acceptable in production databases. Alternatively, you can do a manual join query between the two tables to look for unmatched rows. Note also the requirement for replication standby servers to be upgraded before their master server is upgraded. Also, if you are upgrading from a version earlier than 9.3.2, see . Shore up GRANT ... WITH ADMIN OPTION restrictions (Noah Misch) Granting a role without ADMIN OPTION is supposed to prevent the grantee from adding or removing members from the granted role, but this restriction was easily bypassed by doing SET ROLE first. The security impact is mostly that a role member can revoke the access of others, contrary to the wishes of his grantor. Unapproved role member additions are a lesser concern, since an uncooperative role member could provide most of his rights to others anyway by creating views or SECURITY DEFINER functions. (CVE-2014-0060) Prevent privilege escalation via manual calls to PL validator functions (Andres Freund) The primary role of PL validator functions is to be called implicitly during CREATE FUNCTION, but they are also normal SQL functions that a user can call explicitly. Calling a validator on a function actually written in some other language was not checked for and could be exploited for privilege-escalation purposes. The fix involves adding a call to a privilege-checking function in each validator function. Non-core procedural languages will also need to make this change to their own validator functions, if any. (CVE-2014-0061) Avoid multiple name lookups during table and index DDL (Robert Haas, Andres Freund) If the name lookups come to different conclusions due to concurrent activity, we might perform some parts of the DDL on a different table than other parts. At least in the case of CREATE INDEX, this can be used to cause the permissions checks to be performed against a different table than the index creation, allowing for a privilege escalation attack. (CVE-2014-0062) Prevent buffer overrun with long datetime strings (Noah Misch) The MAXDATELEN constant was too small for the longest possible value of type interval, allowing a buffer overrun in interval_out(). Although the datetime input functions were more careful about avoiding buffer overrun, the limit was short enough to cause them to reject some valid inputs, such as input containing a very long timezone name. The ecpg library contained these vulnerabilities along with some of its own. (CVE-2014-0063) Prevent buffer overrun due to integer overflow in size calculations (Noah Misch, Heikki Linnakangas) Several functions, mostly type input functions, calculated an allocation size without checking for overflow. If overflow did occur, a too-small buffer would be allocated and then written past. (CVE-2014-0064) Prevent overruns of fixed-size buffers (Peter Eisentraut, Jozef Mlich) Use strlcpy() and related functions to provide a clear guarantee that fixed-size buffers are not overrun. Unlike the preceding items, it is unclear whether these cases really represent live issues, since in most cases there appear to be previous constraints on the size of the input string. Nonetheless it seems prudent to silence all Coverity warnings of this type. (CVE-2014-0065) Avoid crashing if crypt() returns NULL (Honza Horak, Bruce Momjian) There are relatively few scenarios in which crypt() could return NULL, but contrib/chkpass would crash if it did. One practical case in which this could be an issue is if libc is configured to refuse to execute unapproved hashing algorithms (e.g., FIPS mode). (CVE-2014-0066) Document risks of make check in the regression testing instructions (Noah Misch, Tom Lane) Since the temporary server started by make check uses trust authentication, another user on the same machine could connect to it as database superuser, and then potentially exploit the privileges of the operating-system user who started the tests. A future release will probably incorporate changes in the testing procedure to prevent this risk, but some public discussion is needed first. So for the moment, just warn people against using make check when there are untrusted users on the same machine. (CVE-2014-0067) Rework tuple freezing protocol (Álvaro Herrera, Andres Freund) The logic for tuple freezing was unable to handle some cases involving freezing of multixact IDs, with the practical effect that shared row-level locks might be forgotten once old enough. Fixing this required changing the WAL record format for tuple freezing. While this is no issue for standalone servers, when using replication it means that standby servers must be upgraded to 9.3.3 or later before their masters are. An older standby will be unable to interpret freeze records generated by a newer master, and will fail with a PANIC message. (In such a case, upgrading the standby should be sufficient to let it resume execution.) Create separate GUC parameters to control multixact freezing (Álvaro Herrera) 9.3 requires multixact tuple labels to be frozen before they grow too old, in the same fashion as plain transaction ID labels have been frozen for some time. Previously, the transaction ID freezing parameters were used for multixact IDs too; but since the consumption rates of transaction IDs and multixact IDs can be quite different, this did not work very well. Introduce new settings , , and to control when to freeze multixacts. Account for remote row locks propagated by local updates (Álvaro Herrera) If a row was locked by transaction A, and transaction B updated it, the new version of the row created by B would be locked by A, yet visible only to B. If transaction B then again updated the row, A's lock wouldn't get checked, thus possibly allowing B to complete when it shouldn't. This case is new in 9.3 since prior versions did not have any types of row locking that would permit another transaction to update the row at all. This oversight could allow referential integrity checks to give false positives (for instance, allow deletes that should have been rejected). Applications using the new commands SELECT FOR KEY SHARE and SELECT FOR NO KEY UPDATE might also have suffered locking failures of this kind. Prevent forgetting valid row locks when one of several holders of a row lock aborts (Álvaro Herrera) This was yet another mechanism by which a shared row lock could be lost, thus possibly allowing updates that should have been prevented by foreign-key constraints. Fix incorrect logic during update chain locking (Álvaro Herrera) This mistake could result in spurious could not serialize access due to concurrent update errors in REPEATABLE READ and SERIALIZABLE transaction isolation modes. Handle wraparound correctly during extension or truncation of pg_multixact/members (Andres Freund, Álvaro Herrera) Fix handling of 5-digit filenames in pg_multixact/members (Álvaro Herrera) As of 9.3, these names can be more than 4 digits, but the directory cleanup code ignored such files. Improve performance of multixact cache code (Álvaro Herrera) Optimize updating a row that's already locked by the same transaction (Andres Freund, Álvaro Herrera) This fixes a performance regression from pre-9.3 versions when doing SELECT FOR UPDATE followed by UPDATE/DELETE. During archive recovery, prefer highest timeline number when WAL segments with the same ID are present in both the archive and pg_xlog/ (Kyotaro Horiguchi) Previously, not-yet-archived segments could get ignored during recovery. This reverts an undesirable behavioral change in 9.3.0 back to the way things worked pre-9.3. Fix possible mis-replay of WAL records when some segments of a relation aren't full size (Greg Stark, Tom Lane) The WAL update could be applied to the wrong page, potentially many pages past where it should have been. Aside from corrupting data, this error has been observed to result in significant bloat of standby servers compared to their masters, due to updates being applied far beyond where the end-of-file should have been. This failure mode does not appear to be a significant risk during crash recovery, only when initially synchronizing a standby created from a base backup taken from a quickly-changing master. Fix bug in determining when recovery has reached consistency (Tomonari Katsumata, Heikki Linnakangas) In some cases WAL replay would mistakenly conclude that the database was already consistent at the start of replay, thus possibly allowing hot-standby queries before the database was really consistent. Other symptoms such as PANIC: WAL contains references to invalid pages were also possible. Fix WAL logging of visibility map changes (Heikki Linnakangas) Fix improper locking of btree index pages while replaying a VACUUM operation in hot-standby mode (Andres Freund, Heikki Linnakangas, Tom Lane) This error could result in PANIC: WAL contains references to invalid pages failures. Ensure that insertions into non-leaf GIN index pages write a full-page WAL record when appropriate (Heikki Linnakangas) The previous coding risked index corruption in the event of a partial-page write during a system crash. When pause_at_recovery_target and recovery_target_inclusive are both set, ensure the target record is applied before pausing, not after (Heikki Linnakangas) Ensure walreceiver sends hot-standby feedback messages on time even when there is a continuous stream of data (Andres Freund, Amit Kapila) Prevent timeout interrupts from taking control away from mainline code unless ImmediateInterruptOK is set (Andres Freund, Tom Lane) This is a serious issue for any application making use of statement timeouts, as it could cause all manner of strange failures after a timeout occurred. We have seen reports of stuck spinlocks, ERRORs being unexpectedly promoted to PANICs, unkillable backends, and other misbehaviors. Fix race conditions during server process exit (Robert Haas) Ensure that signal handlers don't attempt to use the process's MyProc pointer after it's no longer valid. Fix race conditions in walsender shutdown logic and walreceiver SIGHUP signal handler (Tom Lane) Fix unsafe references to errno within error reporting logic (Christian Kruse) This would typically lead to odd behaviors such as missing or inappropriate HINT fields. Fix possible crashes from using ereport() too early during server startup (Tom Lane) The principal case we've seen in the field is a crash if the server is started in a directory it doesn't have permission to read. Clear retry flags properly in OpenSSL socket write function (Alexander Kukushkin) This omission could result in a server lockup after unexpected loss of an SSL-encrypted connection. Fix length checking for Unicode identifiers (U&"..." syntax) containing escapes (Tom Lane) A spurious truncation warning would be printed for such identifiers if the escaped form of the identifier was too long, but the identifier actually didn't need truncation after de-escaping. Fix parsing of Unicode literals and identifiers just before the end of a command string or function body (Tom Lane) Allow keywords that are type names to be used in lists of roles (Stephen Frost) A previous patch allowed such keywords to be used without quoting in places such as role identifiers; but it missed cases where a list of role identifiers was permitted, such as DROP ROLE. Fix parser crash for EXISTS(SELECT * FROM zero_column_table) (Tom Lane) Fix possible crash due to invalid plan for nested sub-selects, such as WHERE (... x IN (SELECT ...) ...) IN (SELECT ...) (Tom Lane) Fix mishandling of WHERE conditions pulled up from a LATERAL subquery (Tom Lane) The typical symptom of this bug was a JOIN qualification cannot refer to other relations error, though subtle logic errors in created plans seem possible as well. Disallow LATERAL references to the target table of an UPDATE/DELETE (Tom Lane) While this might be allowed in some future release, it was unintentional in 9.3, and didn't work quite right anyway. Fix UPDATE/DELETE of an inherited target table that has UNION ALL subqueries (Tom Lane) Without this fix, UNION ALL subqueries aren't correctly inserted into the update plans for inheritance child tables after the first one, typically resulting in no update happening for those child table(s). Fix ANALYZE to not fail on a column that's a domain over a range type (Tom Lane) Ensure that ANALYZE creates statistics for a table column even when all the values in it are too wide (Tom Lane) ANALYZE intentionally omits very wide values from its histogram and most-common-values calculations, but it neglected to do something sane in the case that all the sampled entries are too wide. In ALTER TABLE ... SET TABLESPACE, allow the database's default tablespace to be used without a permissions check (Stephen Frost) CREATE TABLE has always allowed such usage, but ALTER TABLE didn't get the memo. Fix support for extensions containing event triggers (Tom Lane) Fix cannot accept a set error when some arms of a CASE return a set and others don't (Tom Lane) Fix memory leakage in JSON functions (Craig Ringer) Properly distinguish numbers from non-numbers when generating JSON output (Andrew Dunstan) Fix checks for all-zero client addresses in pgstat functions (Kevin Grittner) Fix possible misclassification of multibyte characters by the text search parser (Tom Lane) Non-ASCII characters could be misclassified when using C locale with a multibyte encoding. On Cygwin, non-C locales could fail as well. Fix possible misbehavior in plainto_tsquery() (Heikki Linnakangas) Use memmove() not memcpy() for copying overlapping memory regions. There have been no field reports of this actually causing trouble, but it's certainly risky. Fix placement of permissions checks in pg_start_backup() and pg_stop_backup() (Andres Freund, Magnus Hagander) The previous coding might attempt to do catalog access when it shouldn't. Accept SHIFT_JIS as an encoding name for locale checking purposes (Tatsuo Ishii) Fix *-qualification of named parameters in SQL-language functions (Tom Lane) Given a composite-type parameter named foo, $1.* worked fine, but foo.* not so much. Fix misbehavior of PQhost() on Windows (Fujii Masao) It should return localhost if no host has been specified. Improve error handling in libpq and psql for failures during COPY TO STDOUT/FROM STDIN (Tom Lane) In particular this fixes an infinite loop that could occur in 9.2 and up if the server connection was lost during COPY FROM STDIN. Variants of that scenario might be possible in older versions, or with other client applications. Fix incorrect translation handling in some psql \d commands (Peter Eisentraut, Tom Lane) Ensure pg_basebackup's background process is killed when exiting its foreground process (Magnus Hagander) Fix possible incorrect printing of filenames in pg_basebackup's verbose mode (Magnus Hagander) Avoid including tablespaces inside PGDATA twice in base backups (Dimitri Fontaine, Magnus Hagander) Fix misaligned descriptors in ecpg (MauMau) In ecpg, handle lack of a hostname in the connection parameters properly (Michael Meskes) Fix performance regression in contrib/dblink connection startup (Joe Conway) Avoid an unnecessary round trip when client and server encodings match. In contrib/isn, fix incorrect calculation of the check digit for ISMN values (Fabien Coelho) Fix contrib/pgbench's progress logging to avoid overflow when the scale factor is large (Tatsuo Ishii) Fix contrib/pg_stat_statement's handling of CURRENT_DATE and related constructs (Kyotaro Horiguchi) Improve lost-connection error handling in contrib/postgres_fdw (Tom Lane) Ensure client-code-only installation procedure works as documented (Peter Eisentraut) In Mingw and Cygwin builds, install the libpq DLL in the bin directory (Andrew Dunstan) This duplicates what the MSVC build has long done. It should fix problems with programs like psql failing to start because they can't find the DLL. Avoid using the deprecated dllwrap tool in Cygwin builds (Marco Atzeri) Enable building with Visual Studio 2013 (Brar Piening) Don't generate plain-text HISTORY and src/test/regress/README files anymore (Tom Lane) These text files duplicated the main HTML and PDF documentation formats. The trouble involved in maintaining them greatly outweighs the likely audience for plain-text format. Distribution tarballs will still contain files by these names, but they'll just be stubs directing the reader to consult the main documentation. The plain-text INSTALL file will still be maintained, as there is arguably a use-case for that. Update time zone data files to tzdata release 2013i for DST law changes in Jordan and historical changes in Cuba. In addition, the zones Asia/Riyadh87, Asia/Riyadh88, and Asia/Riyadh89 have been removed, as they are no longer maintained by IANA, and never represented actual civil timekeeping practice. 2013-12-05 This release contains a variety of fixes from 9.3.1. For information about new features in the 9.3 major release, see . A dump/restore is not required for those running 9.3.X. However, this release corrects a number of potential data corruption issues. See the first three changelog entries below to find out whether your installation has been affected and what steps you can take if so. Also, if you are upgrading from a version earlier than 9.3.1, see . Fix VACUUM's tests to see whether it can update relfrozenxid (Andres Freund) In some cases VACUUM (either manual or autovacuum) could incorrectly advance a table's relfrozenxid value, allowing tuples to escape freezing, causing those rows to become invisible once 2^31 transactions have elapsed. The probability of data loss is fairly low since multiple incorrect advancements would need to happen before actual loss occurs, but it's not zero. In 9.2.0 and later, the probability of loss is higher, and it's also possible to get could not access status of transaction errors as a consequence of this bug. Users upgrading from releases 9.0.4 or 8.4.8 or earlier are not affected, but all later versions contain the bug. The issue can be ameliorated by, after upgrading, vacuuming all tables in all databases while having vacuum_freeze_table_age set to zero. This will fix any latent corruption but will not be able to fix all pre-existing data errors. However, an installation can be presumed safe after performing this vacuuming if it has executed fewer than 2^31 update transactions in its lifetime (check this with SELECT txid_current() < 2^31). Fix multiple bugs in MultiXactId freezing (Andres Freund, Álvaro Herrera) These bugs could lead to could not access status of transaction errors, or to duplicate or vanishing rows. Users upgrading from releases prior to 9.3.0 are not affected. The issue can be ameliorated by, after upgrading, vacuuming all tables in all databases while having vacuum_freeze_table_age set to zero. This will fix latent corruption but will not be able to fix all pre-existing data errors. As a separate issue, these bugs can also cause standby servers to get out of sync with the primary, thus exhibiting data errors that are not in the primary. Therefore, it's recommended that 9.3.0 and 9.3.1 standby servers be re-cloned from the primary (e.g., with a new base backup) after upgrading. Fix initialization of pg_clog and pg_subtrans during hot standby startup (Andres Freund, Heikki Linnakangas) This bug can cause data loss on standby servers at the moment they start to accept hot-standby queries, by marking committed transactions as uncommitted. The likelihood of such corruption is small unless, at the time of standby startup, the primary server has executed many updating transactions since its last checkpoint. Symptoms include missing rows, rows that should have been deleted being still visible, and obsolete versions of updated rows being still visible alongside their newer versions. This bug was introduced in versions 9.3.0, 9.2.5, 9.1.10, and 9.0.14. Standby servers that have only been running earlier releases are not at risk. It's recommended that standby servers that have ever run any of the buggy releases be re-cloned from the primary (e.g., with a new base backup) after upgrading. Fix multiple bugs in update chain traversal (Andres Freund, Álvaro Herrera) These bugs could result in incorrect behavior, such as locking or even updating the wrong row, in the presence of concurrent updates. Spurious unable to fetch updated version of tuple errors were also possible. Fix dangling-pointer problem in fast-path locking (Tom Lane) This could lead to corruption of the lock data structures in shared memory, causing lock already held and other odd errors. Fix assorted race conditions in timeout management (Tom Lane) These errors could result in a server process becoming unresponsive because it had blocked SIGALRM and/or SIGINT. Truncate pg_multixact contents during WAL replay (Andres Freund) This avoids ever-increasing disk space consumption in standby servers. Ensure an anti-wraparound VACUUM counts a page as scanned when it's only verified that no tuples need freezing (Sergey Burladyan, Jeff Janes) This bug could result in failing to advance relfrozenxid, so that the table would still be thought to need another anti-wraparound vacuum. In the worst case the database might even shut down to prevent wraparound. Fix full-table-vacuum request mechanism for MultiXactIds (Andres Freund) This bug could result in large amounts of useless autovacuum activity. Fix race condition in GIN index posting tree page deletion (Heikki Linnakangas) This could lead to transient wrong answers or query failures. Fix unexpected spgdoinsert() failure error during SP-GiST index creation (Teodor Sigaev) Fix assorted bugs in materialized views (Kevin Grittner, Andres Freund) Re-allow duplicate table aliases if they're within aliased JOINs (Tom Lane) Historically PostgreSQL has accepted queries like SELECT ... FROM tab1 x CROSS JOIN (tab2 x CROSS JOIN tab3 y) z although a strict reading of the SQL standard would forbid the duplicate usage of table alias x. A misguided change in 9.3.0 caused it to reject some such cases that were formerly accepted. Restore the previous behavior. Avoid flattening a subquery whose SELECT list contains a volatile function wrapped inside a sub-SELECT (Tom Lane) This avoids unexpected results due to extra evaluations of the volatile function. Fix planner's processing of non-simple-variable subquery outputs nested within outer joins (Tom Lane) This error could lead to incorrect plans for queries involving multiple levels of subqueries within JOIN syntax. Fix incorrect planning in cases where the same non-strict expression appears in multiple WHERE and outer JOIN equality clauses (Tom Lane) Fix planner crash with whole-row reference to a subquery (Tom Lane) Fix incorrect generation of optimized MIN()/MAX() plans for inheritance trees (Tom Lane) The planner could fail in cases where the MIN()/MAX() argument was an expression rather than a simple variable. Fix premature deletion of temporary files (Andres Freund) Prevent intra-transaction memory leak when printing range values (Tom Lane) This fix actually cures transient memory leaks in any datatype output function, but range types are the only ones known to have had a significant problem. Fix memory leaks when reloading configuration files (Heikki Linnakangas, Hari Babu) Prevent incorrect display of dropped columns in NOT NULL and CHECK constraint violation messages (Michael Paquier and Tom Lane) Allow default arguments and named-argument notation for window functions (Tom Lane) Previously, these cases were likely to crash. Suppress trailing whitespace on each line when pretty-printing rules and views (Tom Lane) 9.3.0 generated such whitespace in many more cases than previous versions did. To reduce unexpected behavioral changes, suppress unnecessary whitespace in all cases. Fix possible read past end of memory in rule printing (Peter Eisentraut) Fix array slicing of int2vector and oidvector values (Tom Lane) Expressions of this kind are now implicitly promoted to regular int2 or oid arrays. Return a valid JSON value when converting an empty hstore value to json (Oskari Saarenmaa) Fix incorrect behaviors when using a SQL-standard, simple GMT offset timezone (Tom Lane) In some cases, the system would use the simple GMT offset value when it should have used the regular timezone setting that had prevailed before the simple offset was selected. This change also causes the timeofday function to honor the simple GMT offset zone. Prevent possible misbehavior when logging translations of Windows error codes (Tom Lane) Properly quote generated command lines in pg_ctl (Naoya Anzai and Tom Lane) This fix applies only to Windows. Fix pg_dumpall to work when a source database sets default_transaction_read_only via ALTER DATABASE SET (Kevin Grittner) Previously, the generated script would fail during restore. Fix pg_isready to handle its -d option properly (Fabrízio de Royes Mello and Fujii Masao) Fix parsing of WAL file names in pg_receivexlog (Heikki Linnakangas) This error made pg_receivexlog unable to restart streaming after stopping, once at least 4 GB of WAL had been written. Report out-of-disk-space failures properly in pg_upgrade (Peter Eisentraut) Make ecpg search for quoted cursor names case-sensitively (Zoltán Böszörményi) Fix ecpg's processing of lists of variables declared varchar (Zoltán Böszörményi) Make contrib/lo defend against incorrect trigger definitions (Marc Cousin) Update time zone data files to tzdata release 2013h for DST law changes in Argentina, Brazil, Jordan, Libya, Liechtenstein, Morocco, and Palestine. Also, new timezone abbreviations WIB, WIT, WITA for Indonesia. 2013-10-10 This release contains a variety of fixes from 9.3.0. For information about new features in the 9.3 major release, see . A dump/restore is not required for those running 9.3.X. However, if you use the hstore extension, see the first changelog entry. Ensure new-in-9.3 JSON functionality is added to the hstore extension during an update (Andrew Dunstan) Users who upgraded a pre-9.3 database containing hstore should execute ALTER EXTENSION hstore UPDATE; after installing 9.3.1, to add two new JSON functions and a cast. (If hstore is already up to date, this command does nothing.) Fix memory leak when creating B-tree indexes on range columns (Heikki Linnakangas) Fix memory leak caused by lo_open() failure (Heikki Linnakangas) Serializable snapshot fixes (Kevin Grittner, Heikki Linnakangas) Fix deadlock bug in libpq when using SSL (Stephen Frost) Fix timeline handling bugs in pg_receivexlog (Heikki Linnakangas, Andrew Gierth) Prevent CREATE FUNCTION from checking SET variables unless function body checking is enabled (Tom Lane) Remove rare inaccurate warning during vacuum of index-less tables (Heikki Linnakangas) 2013-09-09 Major enhancements in PostgreSQL 9.3 include: Add materialized views Make simple views auto-updatable Add many features for the JSON data type, including operators and functions to extract elements from JSON values Implement SQL-standard LATERAL option for FROM-clause subqueries and function calls Allow foreign data wrappers to support writes (inserts/updates/deletes) on foreign tables Add a Postgres foreign data wrapper to allow access to other Postgres servers Add support for event triggers Add optional ability to checksum data pages and report corruption Prevent non-key-field row updates from blocking foreign key checks Greatly reduce System V shared memory requirements The above items are explained in more detail in the sections below. A dump/restore using pg_dumpall, or use of pg_upgrade, is required for those wishing to migrate data from any previous release. Version 9.3 contains a number of changes that may affect compatibility with previous releases. Observe the following incompatibilities: Rename replication_timeout to wal_sender_timeout (Amit Kapila) This setting controls the WAL sender timeout. Require superuser privileges to set commit_delay because it can now potentially delay other sessions (Simon Riggs) Allow in-memory sorts to use their full memory allocation (Jeff Janes) Users who have set work_mem based on the previous behavior may need to revisit that setting. Throw an error if a tuple to be updated or deleted has already been updated or deleted by a BEFORE trigger (Kevin Grittner) Formerly, the originally-intended update was silently skipped, resulting in logical inconsistency since the trigger might have propagated data to other places based on the intended update. Now an error is thrown to prevent the inconsistent results from being committed. If this change affects your application, the best solution is usually to move the data-propagation actions to an AFTER trigger. This error will also be thrown if a query invokes a volatile function that modifies rows that are later modified by the query itself. Such cases likewise previously resulted in silently skipping updates. Change multicolumn ON UPDATE SET NULL/SET DEFAULT foreign key actions to affect all columns of the constraint, not just those changed in the UPDATE (Tom Lane) Previously, we would set only those referencing columns that correspond to referenced columns that were changed by the UPDATE. This was what was required by SQL-92, but more recent editions of the SQL standard specify the new behavior. Force cached plans to be replanned if the search_path changes (Tom Lane) Previously, cached plans already generated in the current session were not redone if the query was re-executed with a new search_path setting, resulting in surprising behavior. Fix to_number() to properly handle a period used as a thousands separator (Tom Lane) Previously, a period was considered to be a decimal point even when the locale says it isn't and the D format code is used to specify use of the locale-specific decimal point. This resulted in wrong answers if FM format was also used. Fix STRICT non-set-returning functions that have set-returning functions in their arguments to properly return null rows (Tom Lane) A null value passed to the strict function should result in a null output, but instead, that output row was suppressed entirely. Store WAL in a continuous stream, rather than skipping the last 16MB segment every 4GB (Heikki Linnakangas) Previously, WAL files with names ending in FF were not used because of this skipping. If you have WAL backup or restore scripts that took this behavior into account, they will need to be adjusted. In pg_constraint.confmatchtype, store the default foreign key match type (non-FULL, non-PARTIAL) as s for simple (Tom Lane) Previously this case was represented by u for unspecified. Below you will find a detailed account of the changes between PostgreSQL 9.3 and the previous major release. Prevent non-key-field row updates from blocking foreign key checks (Álvaro Herrera, Noah Misch, Andres Freund, Alexander Shulgin, Marti Raudsepp, Alexander Shulgin) This change improves concurrency and reduces the probability of deadlocks when updating tables involved in a foreign-key constraint. UPDATEs that do not change any columns referenced in a foreign key now take the new NO KEY UPDATE lock mode on the row, while foreign key checks use the new KEY SHARE lock mode, which does not conflict with NO KEY UPDATE. So there is no blocking unless a foreign-key column is changed. Add configuration variable lock_timeout to allow limiting how long a session will wait to acquire any one lock (Zoltán Böszörményi) Add SP-GiST support for range data types (Alexander Korotkov) Allow GiST indexes to be unlogged (Jeevan Chalke) Improve performance of GiST index insertion by randomizing the choice of which page to descend to when there are multiple equally good alternatives (Heikki Linnakangas) Improve concurrency of hash index operations (Robert Haas) Collect and use histograms of upper and lower bounds, as well as range lengths, for range types (Alexander Korotkov) Improve optimizer's cost estimation for index access (Tom Lane) Improve optimizer's hash table size estimate for doing DISTINCT via hash aggregation (Tom Lane) Suppress no-op Result and Limit plan nodes (Kyotaro Horiguchi, Amit Kapila, Tom Lane) Reduce optimizer overhead by not keeping plans on the basis of cheap startup cost when the optimizer only cares about total cost overall (Tom Lane) Add COPY FREEZE option to avoid the overhead of marking tuples as frozen later (Simon Riggs, Jeff Davis) Improve performance of NUMERIC calculations (Kyotaro Horiguchi) Improve synchronization of sessions waiting for commit_delay (Peter Geoghegan) This greatly improves the usefulness of commit_delay. Improve performance of the CREATE TEMPORARY TABLE ... ON COMMIT DELETE ROWS option by not truncating such temporary tables in transactions that haven't touched any temporary tables (Heikki Linnakangas) Make vacuum recheck visibility after it has removed expired tuples (Pavan Deolasee) This increases the chance of a page being marked as all-visible. Add per-resource-owner lock caches (Jeff Janes) This speeds up lock bookkeeping at statement completion in multi-statement transactions that hold many locks; it is particularly useful for pg_dump. Avoid scanning the entire relation cache at commit of a transaction that creates a new relation (Jeff Janes) This speeds up sessions that create many tables in successive small transactions, such as a pg_restore run. Improve performance of transactions that drop many relations (Tomas Vondra) Add optional ability to checksum data pages and report corruption (Simon Riggs, Jeff Davis, Greg Smith, Ants Aasma) The checksum option can be set during initdb. Split the statistics collector's data file into separate global and per-database files (Tomas Vondra) This reduces the I/O required for statistics tracking. Fix the statistics collector to operate properly in cases where the system clock goes backwards (Tom Lane) Previously, statistics collection would stop until the time again reached the latest time previously recorded. Emit an informative message to postmaster standard error when we are about to stop logging there (Tom Lane) This should help reduce user confusion about where to look for log output in common configurations that log to standard error only during postmaster startup. When an authentication failure occurs, log the relevant pg_hba.conf line, to ease debugging of unintended failures (Magnus Hagander) Improve LDAP error reporting and documentation (Peter Eisentraut) Add support for specifying LDAP authentication parameters in URL format, per RFC 4516 (Peter Eisentraut) Change the ssl_ciphers parameter to start with DEFAULT, rather than ALL, then remove insecure ciphers (Magnus Hagander) This should yield a more appropriate SSL cipher set. Parse and load pg_ident.conf once, not during each connection (Amit Kapila) This is similar to how pg_hba.conf is processed. Greatly reduce System V shared memory requirements (Robert Haas) On Unix-like systems, mmap() is now used for most of PostgreSQL's shared memory. For most users, this will eliminate any need to adjust kernel parameters for shared memory. Allow the postmaster to listen on multiple Unix-domain sockets (Honza Horák) The configuration parameter unix_socket_directory is replaced by unix_socket_directories, which accepts a list of directories. Allow a directory of configuration files to be processed (Magnus Hagander, Greg Smith, Selena Deckelmann) Such a directory is specified with include_dir in the server configuration file. Increase the maximum initdb-configured value for shared_buffers to 128MB (Robert Haas) This is the maximum value that initdb will attempt to set in postgresql.conf; the previous maximum was 32MB. Remove the external PID file, if any, on postmaster exit (Peter Eisentraut) Allow a streaming replication standby to follow a timeline switch (Heikki Linnakangas) This allows streaming standby servers to receive WAL data from a slave newly promoted to master status. Previously, other standbys would require a resync to begin following the new master. Add SQL functions pg_is_in_backup() and pg_backup_start_time() (Gilles Darold) These functions report the status of base backups. Improve performance of streaming log shipping with synchronous_commit disabled (Andres Freund) Allow much faster promotion of a streaming standby to primary (Simon Riggs, Kyotaro Horiguchi) Add the last checkpoint's redo location to pg_controldata's output (Fujii Masao) This information is useful for determining which WAL files are needed for restore. Allow tools like pg_receivexlog to run on computers with different architectures (Heikki Linnakangas) WAL files can still only be replayed on servers with the same architecture as the primary; but they can now be transmitted to and stored on machines of any architecture, since the streaming replication protocol is now machine-independent. Make pg_basebackup --write-recovery-conf output a minimal recovery.conf file (Zoltán Böszörményi, Magnus Hagander) This simplifies setting up a standby server. Allow pg_receivexlog and pg_basebackup --xlog-method to handle streaming timeline switches (Heikki Linnakangas) Add wal_receiver_timeout parameter to control the WAL receiver's timeout (Amit Kapila) This allows more rapid detection of connection failure. Change the WAL record format to allow splitting the record header across pages (Heikki Linnakangas) The new format is slightly more compact, and is more efficient to write. Implement SQL-standard LATERAL option for FROM-clause subqueries and function calls (Tom Lane) This feature allows subqueries and functions in FROM to reference columns from other tables in the FROM clause. The LATERAL keyword is optional for functions. Add support for piping COPY and psql \copy data to/from an external program (Etsuro Fujita) Allow a multirow VALUES clause in a rule to reference OLD/NEW (Tom Lane) Add support for event triggers (Dimitri Fontaine, Robert Haas, Álvaro Herrera) This allows server-side functions written in event-enabled languages to be called when DDL commands are run. Allow foreign data wrappers to support writes (inserts/updates/deletes) on foreign tables (KaiGai Kohei) Add CREATE SCHEMA ... IF NOT EXISTS clause (Fabrízio de Royes Mello) Make REASSIGN OWNED also change ownership of shared objects (Álvaro Herrera) Make CREATE AGGREGATE complain if the given initial value string is not valid input for the transition datatype (Tom Lane) Suppress CREATE TABLE's messages about implicit index and sequence creation (Robert Haas) These messages now appear at DEBUG1 verbosity, so that they will not be shown by default. Allow DROP TABLE IF EXISTS to succeed when a non-existent schema is specified in the table name (Bruce Momjian) Previously, it threw an error if the schema did not exist. Provide clients with constraint violation details as separate fields (Pavel Stehule) This allows clients to retrieve table, column, data type, or constraint name error details. Previously such information had to be extracted from error strings. Client library support is required to access these fields. Support IF NOT EXISTS option in ALTER TYPE ... ADD VALUE (Andrew Dunstan) This is useful for conditionally adding values to enumerated types. Add ALTER ROLE ALL SET to establish settings for all users (Peter Eisentraut) This allows settings to apply to all users in all databases. ALTER DATABASE SET already allowed addition of settings for all users in a single database. postgresql.conf has a similar effect. Add support for ALTER RULE ... RENAME (Ali Dar) Add materialized views (Kevin Grittner) Unlike ordinary views, where the base tables are read on every access, materialized views create physical tables at creation or refresh time. Access to the materialized view then reads from its physical table. There is not yet any facility for incrementally refreshing materialized views or auto-accessing them via base table access. Make simple views auto-updatable (Dean Rasheed) Simple views that reference some or all columns from a single base table are now updatable by default. More complex views can be made updatable using INSTEAD OF triggers or INSTEAD rules. Add CREATE RECURSIVE VIEW syntax (Peter Eisentraut) Internally this is translated into CREATE VIEW ... WITH RECURSIVE .... Improve view/rule printing code to handle cases where referenced tables are renamed, or columns are renamed, added, or dropped (Tom Lane) Table and column renamings can produce cases where, if we merely substitute the new name into the original text of a rule or view, the result is ambiguous. This change fixes the rule-dumping code to insert manufactured table and column aliases when needed to preserve the original semantics. Increase the maximum size of large objects from 2GB to 4TB (Nozomi Anzai, Yugo Nagata) This change includes adding 64-bit-capable large object access functions, both in the server and in libpq. Allow text timezone designations, e.g. America/Chicago, in the T field of ISO-format timestamptz input (Bruce Momjian) Add operators and functions to extract elements from JSON values (Andrew Dunstan) Allow JSON values to be converted into records (Andrew Dunstan) Add functions to convert scalars, records, and hstore values to JSON (Andrew Dunstan) Add array_remove() and array_replace() functions (Marco Nenciarini, Gabriele Bartolini) Allow concat() and format() to properly expand VARIADIC-labeled arguments (Pavel Stehule) Improve format() to provide field width and left/right alignment options (Pavel Stehule) Make to_char(), to_date(), and to_timestamp() handle negative (BC) century values properly (Bruce Momjian) Previously the behavior was either wrong or inconsistent with positive/AD handling, e.g. with the format mask IYYY-IW-DY. Make to_date() and to_timestamp() return proper results when mixing ISO and Gregorian week/day designations (Bruce Momjian) Cause pg_get_viewdef() to start a new line by default after each SELECT target list entry and FROM entry (Marko Tiikkaja) This reduces line length in view printing, for instance in pg_dump output. Fix map_sql_value_to_xml_value() to print values of domain types the same way their base type would be printed (Pavel Stehule) There are special formatting rules for certain built-in types such as boolean; these rules now also apply to domains over these types. Allow PL/pgSQL to use RETURN with a composite-type expression (Asif Rehman) Previously, in a function returning a composite type, RETURN could only reference a variable of that type. Allow PL/pgSQL to access constraint violation details as separate fields (Pavel Stehule) Allow PL/pgSQL to access the number of rows processed by COPY (Pavel Stehule) A COPY executed in a PL/pgSQL function now updates the value retrieved by GET DIAGNOSTICS x = ROW_COUNT. Allow unreserved keywords to be used as identifiers everywhere in PL/pgSQL (Tom Lane) In certain places in the PL/pgSQL grammar, keywords had to be quoted to be used as identifiers, even if they were nominally unreserved. Add PL/Python result object string handler (Peter Eisentraut) This allows plpy.debug(rv) to output something reasonable. Make PL/Python convert OID values to a proper Python numeric type (Peter Eisentraut) Handle SPI errors raised explicitly (with PL/Python's RAISE) the same as internal SPI errors (Oskari Saarenmaa and Jan Urbanski) Prevent leakage of SPI tuple tables during subtransaction abort (Tom Lane) At the end of any failed subtransaction, the core SPI code now releases any SPI tuple tables that were created during that subtransaction. This avoids the need for SPI-using code to keep track of such tuple tables and release them manually in error-recovery code. Failure to do so caused a number of transaction-lifespan memory leakage issues in PL/pgSQL and perhaps other SPI clients. SPI_freetuptable() now protects itself against multiple freeing requests, so any existing code that did take care to clean up shouldn't be broken by this change. Allow SPI functions to access the number of rows processed by COPY (Pavel Stehule) Add command-line utility pg_isready to check if the server is ready to accept connections (Phil Sorber) Support multiple --table arguments for pg_restore, clusterdb, reindexdb, and vacuumdb (Josh Kupershmidt) This is similar to the way pg_dump's --table option works. Add --dbname option to pg_dumpall, pg_basebackup, and pg_receivexlog to allow specifying a connection string (Amit Kapila) Add libpq function PQconninfo() to return connection information (Zoltán Böszörményi, Magnus Hagander) Adjust function cost settings so psql tab completion and pattern searching are more efficient (Tom Lane) Improve psql's tab completion coverage (Jeff Janes, Dean Rasheed, Peter Eisentraut, Magnus Hagander) Allow the psql --single-transaction mode to work when reading from standard input (Fabien Coelho, Robert Haas) Previously this option only worked when reading from a file. Remove psql warning when connecting to an older server (Peter Eisentraut) A warning is still issued when connecting to a server of a newer major version than psql's. Add psql command \watch to repeatedly execute a SQL command (Will Leinweber) Add psql command \gset to store query results in psql variables (Pavel Stehule) Add SSL information to psql's \conninfo command (Alastair Turner) Add Security column to psql's \df+ output (Jon Erdman) Allow psql command \l to accept a database name pattern (Peter Eisentraut) In psql, do not allow \connect to use defaults if there is no active connection (Bruce Momjian) This might be the case if the server had crashed. Properly reset state after failure of a SQL command executed with psql's \g file (Tom Lane) Previously, the output from subsequent SQL commands would unexpectedly continue to go to the same file. Add a latex-longtable output format to psql (Bruce Momjian) This format allows tables to span multiple pages. Add a border=3 output mode to the psql latex format (Bruce Momjian) In psql's tuples-only and expanded output modes, no longer emit (No rows) for zero rows (Peter Eisentraut) In psql's unaligned, expanded output mode, no longer print an empty line for zero rows (Peter Eisentraut) Add pg_dump --jobs option to dump tables in parallel (Joachim Wieland) Make pg_dump output functions in a more predictable order (Joel Jacobson) Fix tar files emitted by pg_dump to be POSIX conformant (Brian Weaver, Tom Lane) Add --dbname option to pg_dump, for consistency with other client commands (Heikki Linnakangas) The database name could already be supplied last without a flag. Make initdb fsync the newly created data directory (Jeff Davis) This insures data integrity in event of a system crash shortly after initdb. This can be disabled by using --nosync. Add initdb --sync-only option to sync the data directory to durable storage (Bruce Momjian) This is used by pg_upgrade. Make initdb issue a warning about placing the data directory at the top of a file system mount point (Bruce Momjian) Add infrastructure to allow plug-in background worker processes (Álvaro Herrera) Create a centralized timeout API (Zoltán Böszörményi) Create libpgcommon and move pg_malloc() and other functions there (Álvaro Herrera, Andres Freund) This allows libpgport to be used solely for portability-related code. Add support for list links embedded in larger structs (Andres Freund) Use SA_RESTART for all signals, including SIGALRM (Tom Lane) Ensure that the correct text domain is used when translating errcontext() messages (Heikki Linnakangas) Standardize naming of client-side memory allocation functions (Tom Lane) Provide support for static assertions that will fail at compile time if some compile-time-constant condition is not met (Andres Freund, Tom Lane) Support Assert() in client-side code (Andrew Dunstan) Add decoration to inform the C compiler that some ereport() and elog() calls do not return (Peter Eisentraut, Andres Freund, Tom Lane, Heikki Linnakangas) Allow options to be passed to the regression test output comparison utility via PG_REGRESS_DIFF_OPTS (Peter Eisentraut) Add isolation tests for CREATE INDEX CONCURRENTLY (Abhijit Menon-Sen) Remove typedefs for int2/int4 as they are better represented as int16/int32 (Peter Eisentraut) Fix install-strip on Mac OS X (Peter Eisentraut) Remove configure flag --disable-shared, as it is no longer supported (Bruce Momjian) Rewrite pgindent in Perl (Andrew Dunstan) Provide Emacs macro to set Perl formatting to match PostgreSQL's perltidy settings (Peter Eisentraut) Run tool to check the keyword list whenever the backend grammar is changed (Tom Lane) Change the way UESCAPE is lexed, to significantly reduce the size of the lexer tables (Heikki Linnakangas) Centralize flex and bison make rules (Peter Eisentraut) This is useful for pgxs authors. Change many internal backend functions to return object OIDs rather than void (Dimitri Fontaine) This is useful for event triggers. Invent pre-commit/pre-prepare/pre-subcommit events for transaction callbacks (Tom Lane) Loadable modules that use transaction callbacks might need modification to handle these new event types. Add function pg_identify_object() to produce a machine-readable description of a database object (Álvaro Herrera) Add post-ALTER-object server hooks (KaiGai Kohei) Implement a generic binary heap and use it for Merge-Append operations (Abhijit Menon-Sen) Provide a tool to help detect timezone abbreviation changes when updating the src/timezone/data files (Tom Lane) Add pkg-config support for libpq and ecpg libraries (Peter Eisentraut) Remove src/tool/backend, now that the content is on the PostgreSQL wiki (Bruce Momjian) Split out WAL reading as an independent facility (Heikki Linnakangas, Andres Freund) Use a 64-bit integer to represent WAL positions (XLogRecPtr) instead of two 32-bit integers (Heikki Linnakangas) Generally, tools that need to read the WAL format will need to be adjusted. Allow PL/Python to support platform-specific include directories (Peter Eisentraut) Allow PL/Python on OS X to build against custom versions of Python (Peter Eisentraut) Add a Postgres foreign data wrapper contrib module to allow access to other Postgres servers (Shigeru Hanada) This foreign data wrapper supports writes. Add pg_xlogdump contrib program (Andres Freund) Add support for indexing of regular-expression searches in pg_trgm (Alexander Korotkov) Improve pg_trgm's handling of multibyte characters (Tom Lane) On a platform that does not have the wcstombs() or towlower() library functions, this could result in an incompatible change in the contents of pg_trgm indexes for non-ASCII data. In such cases, REINDEX those indexes to ensure correct search results. Add a pgstattuple function to report the size of the pending-insertions list of a GIN index (Fujii Masao) Make oid2name, pgbench, and vacuumlo set fallback_application_name (Amit Kapila) Improve output of pg_test_timing (Bruce Momjian) Improve output of pg_test_fsync (Peter Geoghegan) Create a dedicated foreign data wrapper, with its own option validator function, for dblink (Shigeru Hanada) When using this FDW to define the target of a dblink connection, instead of using a hard-wired list of connection options, the underlying libpq library is consulted to see what connection options it supports. Allow pg_upgrade to do dumps and restores in parallel (Bruce Momjian, Andrew Dunstan) This allows parallel schema dump/restore of databases, as well as parallel copy/link of data files per tablespace. Use the --jobs option to specify the level of parallelism. Make pg_upgrade create Unix-domain sockets in the current directory (Bruce Momjian, Tom Lane) This reduces the possibility that someone will accidentally connect during the upgrade. Make pg_upgrade --check mode properly detect the location of non-default socket directories (Bruce Momjian, Tom Lane) Improve performance of pg_upgrade for databases with many tables (Bruce Momjian) Improve pg_upgrade's logs by showing executed commands (Álvaro Herrera) Improve pg_upgrade's status display during copy/link (Bruce Momjian) Add --foreign-keys option to pgbench (Jeff Janes) This adds foreign key constraints to the standard tables created by pgbench, for use in foreign key performance testing. Allow pgbench to aggregate performance statistics and produce output every --aggregate-interval seconds (Tomas Vondra) Add pgbench --sampling-rate option to control the percentage of transactions logged (Tomas Vondra) Reduce and improve the status message output of pgbench's initialization mode (Robert Haas, Peter Eisentraut) Add pgbench -q mode to print one output line every five seconds (Tomas Vondra) Output pgbench elapsed and estimated remaining time during initialization (Tomas Vondra) Allow pgbench to use much larger scale factors, by changing relevant columns from integer to bigint when the requested scale factor exceeds 20000 (Greg Smith) Allow EPUB-format documentation to be created (Peter Eisentraut) Update FreeBSD kernel configuration documentation (Brad Davis) Improve WINDOW function documentation (Bruce Momjian, Florian Pflug) Add instructions for setting up the documentation tool chain on Mac OS X (Peter Eisentraut) Improve commit_delay documentation (Peter Geoghegan)