Release date: 2018-11-08
This release contains a variety of fixes from 10.5. For information about new features in major release 10, see Section E.24.
A dump/restore is not required for those running 10.X.
However, if you use the pg_stat_statements
extension,
see the changelog entry below about that.
Also, if you are upgrading from a version earlier than 10.4, see Section E.20.
Ensure proper quoting of transition table names
when pg_dump emits CREATE TRIGGER
... REFERENCING
commands (Tom Lane)
This oversight could be exploited by an unprivileged user to gain superuser privileges during the next dump/reload or pg_upgrade run. (CVE-2018-16850)
Fix corner-case failures
in has_
family of functions (Tom Lane)
foo
_privilege()
Return NULL rather than throwing an error when an invalid object OID
is provided. Some of these functions got that right already, but not
all. has_column_privilege()
was additionally
capable of crashing on some platforms.
Fix pg_get_partition_constraintdef()
to return
NULL rather than fail when passed an invalid relation OID (Tom Lane)
Avoid O(N^2) slowdown in regular expression match/split functions on long strings (Andrew Gierth)
Fix parsing of standard multi-character operators that are immediately
followed by a comment or +
or -
(Andrew Gierth)
This oversight could lead to parse errors, or to incorrect assignment of precedence.
Avoid O(N^3) slowdown in lexer for long strings
of +
or -
characters
(Andrew Gierth)
Fix mis-execution of SubPlans when the outer query is being scanned backwards (Andrew Gierth)
Fix failure of UPDATE/DELETE ... WHERE CURRENT OF ...
after rewinding the referenced cursor (Tom Lane)
A cursor that scans multiple relations (particularly an inheritance tree) could produce wrong behavior if rewound to an earlier relation.
Fix EvalPlanQual
to handle conditionally-executed
InitPlans properly (Andrew Gierth, Tom Lane)
This resulted in hard-to-reproduce crashes or wrong answers in
concurrent updates, if they contained code such as an uncorrelated
sub-SELECT
inside a CASE
construct.
Prevent creation of a partition in a trigger attached to its parent table (Amit Langote)
Ideally we'd allow that, but for the moment it has to be blocked to avoid crashes.
Fix problems with applying ON COMMIT DELETE ROWS
to
a partitioned temporary table (Amit Langote)
Fix character-class checks to not fail on Windows for Unicode characters above U+FFFF (Tom Lane, Kenji Uno)
This bug affected full-text-search operations, as well
as contrib/ltree
and contrib/pg_trgm
.
Disallow pushing sub-SELECT
s containing window
functions, LIMIT
, or OFFSET
to
parallel workers (Amit Kapila)
Such cases could result in inconsistent behavior due to different workers getting different answers, as a result of indeterminacy due to row-ordering variations.
Ensure that sequences owned by a foreign table are processed
by ALTER OWNER
on the table (Peter Eisentraut)
The ownership change should propagate to such sequences as well, but this was missed for foreign tables.
Ensure that the server will process
already-received NOTIFY
and SIGTERM
interrupts before waiting for client
input (Jeff Janes, Tom Lane)
Fix over-allocation of space for array_out()
's
result string (Keiichi Hirobe)
Avoid query-lifetime memory leak in XMLTABLE
(Andrew Gierth)
Fix memory leak in repeated SP-GiST index scans (Tom Lane)
This is only known to amount to anything significant in cases where an exclusion constraint using SP-GiST receives many new index entries in a single command.
Ensure that ApplyLogicalMappingFile()
closes the
mapping file when done with it (Tomas Vondra)
Previously, the file descriptor was leaked, eventually resulting in failures during logical decoding.
Fix logical decoding to handle cases where a mapped catalog table is
repeatedly rewritten, e.g., by VACUUM FULL
(Andres Freund)
Prevent starting the server with wal_level
set
to too low a value to support an existing replication slot (Andres
Freund)
Avoid crash if a utility command causes infinite recursion (Tom Lane)
When initializing a hot standby, cope with duplicate XIDs caused by two-phase transactions on the master (Michael Paquier, Konstantin Knizhnik)
Fix event triggers to handle nested ALTER TABLE
commands (Michael Paquier, Álvaro Herrera)
Propagate parent process's transaction and statement start timestamps to parallel workers (Konstantin Knizhnik)
This prevents misbehavior of functions such
as transaction_timestamp()
when executed in a
worker.
Fix transfer of expanded datums to parallel workers so that alignment is preserved, preventing crashes on alignment-picky platforms (Tom Lane, Amit Kapila)
Fix WAL file recycling logic to work correctly on standby servers (Michael Paquier)
Depending on the setting of archive_mode
, a standby
might fail to remove some WAL files that could be removed.
Fix handling of commit-timestamp tracking during recovery (Masahiko Sawada, Michael Paquier)
If commit timestamp tracking has been turned on or off, recovery might fail due to trying to fetch the commit timestamp for a transaction that did not record it.
Randomize the random()
seed in bootstrap and
standalone backends, and in initdb
(Noah Misch)
The main practical effect of this change is that it avoids a scenario where initdb might mistakenly conclude that POSIX shared memory is not available, due to name collisions caused by always using the same random seed.
Fix possible shared-memory corruption in DSA logic (Thomas Munro)
Allow DSM allocation to be interrupted (Chris Travers)
Avoid failure in a parallel worker when loading an extension that tries to access system caches within its init function (Thomas Munro)
We don't consider that to be good extension coding practice, but it mostly worked before parallel query, so continue to support it for now.
Properly handle turning full_page_writes
on
dynamically (Kyotaro Horiguchi)
Fix possible crash due to double free()
during
SP-GiST rescan (Andrew Gierth)
Prevent mis-linking of src/port and src/common functions on ELF-based BSD platforms, as well as HP-UX and Solaris (Andrew Gierth, Tom Lane)
Shared libraries loaded into a backend's address space could use the backend's versions of these functions, rather than their own copies as intended. Since the behavior of the two sets of functions isn't quite the same, this led to failures.
Avoid possible buffer overrun when replaying GIN page recompression from WAL (Alexander Korotkov, Sivasubramanian Ramasubramanian)
Avoid overrun of a hash index's metapage
when BLCKSZ
is smaller than default (Dilip Kumar)
Fix missed page checksum updates in hash indexes (Amit Kapila)
Fix missed fsync of a replication slot's directory (Konstantin Knizhnik, Michael Paquier)
Fix unexpected timeouts when
using wal_sender_timeout
on a slow server
(Noah Misch)
Ensure that hot standby processes use the correct WAL consistency point (Alexander Kukushkin, Michael Paquier)
This prevents possible misbehavior just after a standby server has reached a consistent database state during WAL replay.
Ensure background workers are stopped properly when the postmaster receives a fast-shutdown request before completing database startup (Alexander Kukushkin)
Update the free space map during WAL replay of page all-visible/frozen flag changes (Álvaro Herrera)
Previously we were not careful about this, reasoning that the FSM is not critical data anyway. However, if it's sufficiently out of date, that can result in significant performance degradation after a standby has been promoted to primary. The FSM will eventually be healed by updates, but we'd like it to be good sooner, so work harder at maintaining it during WAL replay.
Avoid premature release of parallel-query resources when query end or tuple count limit is reached (Amit Kapila)
It's only okay to shut down the executor at this point if the caller cannot demand backwards scan afterwards.
Don't run atexit callbacks when servicing SIGQUIT
(Heikki Linnakangas)
Don't record foreign-server user mappings as members of extensions (Tom Lane)
If CREATE USER MAPPING
is executed in an extension
script, an extension dependency was created for the user mapping,
which is unexpected. Roles can't be extension members, so user
mappings shouldn't be either.
Make syslogger more robust against failures in opening CSV log files (Tom Lane)
When libpq is given multiple target host names, do the DNS lookups one at a time, not all at once (Tom Lane)
This prevents unnecessary failures or slow connections when a connection is successfully made to one of the earlier servers in the list.
Fix libpq's handling of connection timeouts so that they are properly applied per host name or IP address (Tom Lane)
Previously, some code paths failed to restart the timer when switching to a new target host, possibly resulting in premature timeout.
Fix psql, as well as documentation
examples, to call PQconsumeInput()
before
each PQnotifies()
call (Tom Lane)
This fixes cases in which psql would not
report receipt of a NOTIFY
message until after the
next command.
Fix pg_dump's
--no-publications
option to also ignore publication
tables (Gilles Darold)
In pg_dump, exclude identity sequences when their parent table is excluded from the dump (David Rowley)
Fix possible inconsistency in pg_dump's sorting of dissimilar object names (Jacob Champion)
Ensure that pg_restore will schema-qualify
the table name when
emitting DISABLE
/ENABLE TRIGGER
commands (Tom Lane)
This avoids failures due to the new policy of running restores with restrictive search path.
Fix pg_upgrade to handle event triggers in extensions correctly (Haribabu Kommi)
pg_upgrade failed to preserve an event trigger's extension-membership status.
Fix pg_upgrade's cluster state check to work correctly on a standby server (Bruce Momjian)
Enforce type cube
's dimension limit in
all contrib/cube
functions (Andrey Borodin)
Previously, some cube-related functions could construct values that
would be rejected by cube_in()
, leading to
dump/reload failures.
In contrib/pg_stat_statements
, disallow
the pg_read_all_stats
role from
executing pg_stat_statements_reset()
(Haribabu Kommi)
pg_read_all_stats
is only meant to grant permission
to read statistics, not to change them, so this grant was incorrect.
To cause this change to take effect, run ALTER EXTENSION
pg_stat_statements UPDATE
in each database
where pg_stat_statements
has been installed.
In contrib/postgres_fdw
, don't try to ship a
variable-free ORDER BY
clause to the remote server
(Andrew Gierth)
Fix contrib/unaccent
's
unaccent()
function to use
the unaccent
text search dictionary that is in the
same schema as the function (Tom Lane)
Previously it tried to look up the dictionary using the search path, which could fail if the search path has a restrictive value.
Fix build problems on macOS 10.14 (Mojave) (Tom Lane)
Adjust configure to add
an -isysroot
switch to CPPFLAGS
;
without this, PL/Perl and PL/Tcl fail to configure or build on macOS
10.14. The specific sysroot used can be overridden at configure time
or build time by setting the PG_SYSROOT
variable in
the arguments of configure
or make.
It is now recommended that Perl-related extensions
write $(perl_includespec)
rather
than -I$(perl_archlibexp)/CORE
in their compiler
flags. The latter continues to work on most platforms, but not recent
macOS.
Also, it should no longer be necessary to
specify --with-tclconfig
manually to get PL/Tcl to
build on recent macOS releases.
Fix MSVC build and regression-test scripts to work on recent Perl versions (Andrew Dunstan)
Perl no longer includes the current directory in its search path by default; work around that.
On Windows, allow the regression tests to be run by an Administrator account (Andrew Dunstan)
To do this safely, pg_regress now gives up any such privileges at startup.
Allow btree comparison functions to return INT_MIN
(Tom Lane)
Up to now, we've forbidden datatype-specific comparison functions from
returning INT_MIN
, which allows callers to invert
the sort order just by negating the comparison result. However, this
was never safe for comparison functions that directly return the
result of memcmp()
, strcmp()
,
etc, as POSIX doesn't place any such restriction on those functions.
At least some recent versions of memcmp()
can
return INT_MIN
, causing incorrect sort ordering.
Hence, we've removed this restriction. Callers must now use
the INVERT_COMPARE_RESULT()
macro if they wish to
invert the sort order.
Fix recursion hazard in shared-invalidation message processing (Tom Lane)
This error could, for example, result in failure to access a system
catalog or index that had just been processed by VACUUM
FULL
.
This change adds a new result code
for LockAcquire
, which might possibly affect
external callers of that function, though only very unusual usage
patterns would have an issue with it. The API
of LockAcquireExtended
is also changed.
Save and restore SPI's global variables
during SPI_connect()
and SPI_finish()
(Chapman Flack, Tom Lane)
This prevents possible interference when one SPI-using function calls another.
Avoid using potentially-under-aligned page buffers (Tom Lane)
Invent new union types PGAlignedBlock
and PGAlignedXLogBlock
, and use these in place of plain
char arrays, ensuring that the compiler can't place the buffer at a
misaligned start address. This fixes potential core dumps on
alignment-picky platforms, and may improve performance even on
platforms that allow misalignment.
Make src/port/snprintf.c
follow the C99
standard's definition of snprintf()
's result
value (Tom Lane)
On platforms where this code is used (mostly Windows), its pre-C99 behavior could lead to failure to detect buffer overrun, if the calling code assumed C99 semantics.
When building on i386 with the clang
compiler, require -msse2
to be used (Andres Freund)
This avoids problems with missed floating point overflow checks.
Fix configure's detection of the result
type of strerror_r()
(Tom Lane)
The previous coding got the wrong answer when building with icc on Linux (and perhaps in other cases), leading to libpq not returning useful error messages for system-reported errors.
Update time zone data files to tzdata release 2018g for DST law changes in Chile, Fiji, Morocco, and Russia (Volgograd), plus historical corrections for China, Hawaii, Japan, Macau, and North Korea.