From 2f38ec6a157b60291ece1deb072bfff84f317334 Mon Sep 17 00:00:00 2001 From: Tom Lane Date: Fri, 6 Aug 2021 14:54:59 -0400 Subject: [PATCH] First-draft release notes for 13.4. As usual, the release notes for older branches will be made by cutting these down, but put them up for community review first. --- doc/src/sgml/release-13.sgml | 1761 ++++++++++++++++++++++++++++++++++ 1 file changed, 1761 insertions(+) diff --git a/doc/src/sgml/release-13.sgml b/doc/src/sgml/release-13.sgml index 6a8817363a..a6b1eae6bf 100644 --- a/doc/src/sgml/release-13.sgml +++ b/doc/src/sgml/release-13.sgml @@ -1,6 +1,1767 @@ + + Release 13.4 + + + Release date: + 2021-08-12 + + + + This release contains a variety of fixes from 13.3. + For information about new features in major release 13, see + . + + + + Migration to Version 13.4 + + + A dump/restore is not required for those running 13.X. + + + + However, if you are upgrading from a version earlier than 13.2, + see . + + + + + Changes + + + + + + + Disallow SSL renegotiation more completely (Michael Paquier) + + + + SSL renegotiation has been disabled for some time, but the server + would still cooperate with a client-initiated renegotiation request. + A maliciously crafted renegotiation request could result in a server + crash (see OpenSSL issue CVE-2021-3449). Disable the feature + altogether on OpenSSL versions that permit doing so, which are + 1.1.0h and newer. + + + + + + + Restore the Portal-level snapshot after COMMIT + or ROLLBACK within a procedure (Tom Lane) + + + + This change fixes cases where an attempt to fetch a toasted value + immediately after COMMIT/ROLLBACK + would fail with errors like no known snapshots or + missing chunk number 0 for toast value. + + + + Some extensions may attempt to execute SQL code outside of any + Portal. They are responsible for ensuring that an outer snapshot + exists before doing so. Previously, not providing a snapshot might + work or it might not; now it will consistently fail + with cannot execute SQL without an outer snapshot or + portal. + + + + + + + Avoid misbehavior when persisting the output of a cursor that's + reading a non-stable query (Tom Lane) + + + + Previously, we'd always rewind and re-read the whole query result, + possibly getting results different from the earlier execution, + causing great confusion later. For a NO SCROLL cursor, we can fix + this by only storing the not-yet-read portion of the query output, + which is sufficient since a NO SCROLL cursor can't be backed up. + Cursors with the SCROLL option remain at hazard, but that was + already documented to be an unsafe option to use with a non-stable + query. Make those documentation warnings stronger. + + + + Also force NO SCROLL mode for the implicit cursor used by + a PL/pgSQL FOR-over-query loop, + to avoid this type of problem when persisting such a cursor + during an intra-procedure commit. + + + + + + + Reject SELECT ... GROUP BY GROUPING SETS (()) FOR + UPDATE (Tom Lane) + + + + This should be disallowed, just as FOR UPDATE + with a plain GROUP BY is disallowed, but the test + for that failed to handle empty grouping sets correctly. + The end result would be a null-pointer dereference in the executor. + + + + + + + Reject cases where a query in WITH + rewrites to just NOTIFY (Tom Lane) + + + + Such cases previously crashed. + + + + + + + In numeric multiplication, round the result rather than + failing if it would have more than 16383 digits after the decimal + point (Dean Rasheed) + + + + + + + Fix corner-case errors and loss of precision when + raising numeric values to very large powers + (Dean Rasheed) + + + + + + + Fix division-by-zero failure in to_char() + with EEEE format and a numeric input + value less than 10^(-1001) (Dean Rasheed) + + + + + + + Fix pg_size_pretty(bigint) to round negative + values consistently with the way it rounds positive ones (and + consistently with the numeric version) (Dean Rasheed, + David Rowley) + + + + + + + Make pg_filenode_relation(0, 0) return NULL + rather than failing (Justin Pryzby) + + + + + + + Make ALTER EXTENSION lock the extension when + adding or removing a member object (Tom Lane) + + + + The previous coding allowed ALTER EXTENSION + ADD/DROP to occur concurrently with DROP + EXTENSION, leading to a crash or corrupt catalog entries. + + + + + + + Fix ALTER SUBSCRIPTION to reject an empty slot + name (Japin Li) + + + + + + + When cloning a partitioned table's triggers to a new partition, + ensure that their enabled status is copied + (Álvaro Herrera) + + + + + + + Reduce the risk of alias conflicts in queries generated + for REFRESH MATERIALIZED VIEW CONCURRENTLY + (Bharath Rupireddy) + + + + Use table aliases that are less likely to collide with user column + names. + + + + + + + Fix PREPARE TRANSACTION to check correctly + for conflicting session-lifespan and transaction-lifespan locks + (Tom Lane) + + + + A transaction cannot be prepared if it has both session-lifespan and + transaction-lifespan locks on the same advisory-lock ID value. This + restriction was not fully checked, which could lead to a PANIC + during PREPARE TRANSACTION. + + + + + + + Fix misbehavior of DROP OWNED BY when the target + role is listed more than once in an RLS policy (Tom Lane) + + + + + + + Skip unnecessary error tests when removing a role from an RLS policy + during DROP OWNED BY (Tom Lane) + + + + Notably, this fixes some cases where it was necessary to be a + superuser to use DROP OWNED BY. + + + + + + + Re-allow old-style Windows locale names in CREATE + COLLATION commands (Thomas Munro) + + + + Previously we were failing because the operating system can't + provide version information for such locales. At some point + we may decide to require version information, but no such policy + exists yet, so re-allow the case for now. + + + + + + + Disallow whole-row variables in GENERATED + expressions (Tom Lane) + + + + Use of a whole-row variable clearly violates the rule that a + generated column cannot depend on itself, so such cases have no + well-defined behavior. The actual behavior frequently included a + crash. + + + + + + + Fix usage of tableoid + in GENERATED expressions (Tom Lane) + + + + Some code paths failed to provide a valid value for this system + column while evaluating a GENERATED expression. + + + + + + + Don't store a fast default when adding a column to a + foreign table (Andrew Dunstan) + + + + The fast default is useless since no local heap storage exists for + such a table, but it confused subsequent operations. In addition to + suppressing creation of such catalog entries in ALTER + TABLE commands, adjust the downstream code to cope + when one is incorrectly present. + + + + + + + Allow index state flags to be updated transactionally + (Michael Paquier, Andrey Lepikhov) + + + + This avoids failures when dealing with index predicates that aren't + really immutable. While that's not considered a supported case, the + original reason for using a non-transactional update here is long + gone, so we may as well change it. + + + + + + + Avoid corrupting the plan cache entry when CREATE + DOMAIN or ALTER DOMAIN appears + in a cached plan (Tom Lane) + + + + + + + Make walsenders show their latest replication commands + in pg_stat_activity (Tom Lane) + + + + Previously, a walsender would show its latest SQL command, which was + confusing if it's now doing some replication operation instead. + Now we show replication-protocol commands on the same footing as SQL + commands. + + + + + + + Make + pg_settings.pending_restart + show as true when the pertinent entry + in postgresql.conf has been removed + (Álvaro Herrera) + + + + pending_restart correctly showed the case + where an entry that cannot be changed without a postmaster restart + has been modified, but not where the entry had been removed + altogether. + + + + + + + On 64-bit Windows, allow the effective value + of work_mem + times hash_mem_multiplier to exceed 2GB + (Tom Lane) + + + + This allows hash_mem_multiplier to be used for + its intended purpose of preventing large hash aggregations from + spilling to disk, even when large means multiple + gigabytes. + + + + + + + Fix mis-planning of repeated application of a projection step + (Tom Lane) + + + + The planner could create an incorrect plan in cases where two + ProjectionPaths were stacked on top of each other. The only known + way to trigger that situation involves parallel sort operations, but + there may be other instances. The result would be crashes or + incorrect query results. + + + + + + + Fix mis-planning of queries involving regular tables that are + inheritance children of foreign tables (Amit Langote) + + + + SELECT FOR UPDATE and related commands would fail + with assertion failures or could not find junk column + errors in such cases. + + + + + + + Fix pullup of constant function-in-FROM results when the FROM item + is marked LATERAL (Tom Lane) + + + + + + + Fix corner-case failure of a new standby to follow a new primary + (Dilip Kumar, Robert Haas) + + + + Under a narrow combination of conditions, the standby could wind up + trying to follow the wrong WAL timeline. + + + + + + + Update minimum recovery point when WAL replay of a transaction abort + record causes file truncation (Fujii Masao) + + + + File truncation is irreversible, so it's no longer safe to stop + recovery at a point earlier than that record. The corresponding + case for transaction commit was fixed years ago, but this one was + overlooked. + + + + + + + Advance oldest-required-WAL-segment horizon properly after a + replication slot is invalidated (Kyotaro Horiguchi) + + + + If all slots were invalidated, the horizon would not move again, + eventually allowing the server's WAL storage to run out of space. + + + + + + + In walreceivers, avoid attempting catalog lookups after an error + (Masahiko Sawada, Bharath Rupireddy) + + + + + + + Ensure that a standby server's startup process will respond to a + shutdown signal promptly while waiting for WAL to arrive (Fujii + Masao, Soumyadeep Chakraborty) + + + + + + + Correctly clear shared state after failing to become a member of a + transaction commit group (Amit Kapila) + + + + Given the right timing, this could cause an assertion failure when + some later session re-uses the same PGPROC object. + + + + + + + Add locking to avoid reading incorrect relmapper data in the face of + a concurrent write from another process (Heikki Linnakangas) + + + + + + + Improve progress reporting for the sort phase of a parallel btree + index build (Matthias van de Meent) + + + + + + + Improve checks for violations of replication protocol (Tom Lane) + + + + Logical replication workers frequently used Asserts to check for + cases that could be triggered by invalid or out-of-order replication + commands. This seems unwise, so promote these tests to regular + error checks. + + + + + + + Fix assorted crash cases in logical replication of partitioned-table + updates (Amit Langote, Tom Lane) + + + + + + + Fix potential crash when firing AFTER triggers of partitioned tables + in logical replication workers (Tom Lane) + + + + + + + Fix deadlock when multiple logical replication workers try to + truncate the same table (Peter Smith, Haiying Tang) + + + + + + + Fix error cases and memory leaks in logical decoding of speculative + insertions (Dilip Kumar) + + + + + + + Fix memory leak in logical replication output (Amit Langote) + + + + + + + Avoid leaving an invalid record-type hash table entry behind after + an error (Sait Talha Nisanci) + + + + This could lead to later crashes or memory leakage. + + + + + + + Fix plan cache reference leaks in some error cases in + CREATE TABLE ... AS EXECUTE (Tom Lane) + + + + + + + Fix race condition in code for sharing tuple descriptors across + parallel workers (Thomas Munro) + + + + Given the right timing, a crash could result. + + + + + + + Fix race condition when invalidating an obsolete replication slot + concurrently with an attempt to drop or update it (Andres Freund, + Álvaro Herrera) + + + + + + + Fix possible race condition when releasing BackgroundWorkerSlots + (Tom Lane) + + + + It's likely that this doesn't fix any observable bug on Intel + hardware, but machines with weaker memory ordering rules could + have problems. + + + + + + + Fix latent crash in sorting code (Ronan Dunklau) + + + + One code path could attempt to free a null pointer. The case + appears unreachable in the core server's use of sorting, but perhaps + it could be triggered by extensions. + + + + + + + Harden B-tree posting list split code against corrupt data + (Peter Geoghegan) + + + + Throw an error, rather than crashing, for an attempt to insert an + item with a TID identical to an existing entry. While that + shouldn't ever happen, it has been reported to happen when the index + is inconsistent with its table. + + + + + + + Prevent infinite loops in SP-GiST index insertion (Tom Lane) + + + + In the event that INCLUDE columns take up enough space to prevent a + leaf index tuple from ever fitting on a page, the text_ops operator + class would get into an infinite loop vainly trying to make the + tuple fit. + While pre-v11 versions don't have INCLUDE columns, back-patch this + anti-looping fix to them anyway, as it seems like a good defense + against bugs in operator classes. + + + + + + + Ensure that SP-GiST index insertion can be terminated by a query + cancel request (Tom Lane, Álvaro Herrera) + + + + + + + Fix uninitialized-variable bug that could + cause PL/pgSQL to act as though + an INTO clause + specified STRICT, even though it didn't + (Tom Lane) + + + + + + + Don't abort the process for an out-of-memory failure in libpq's + printing functions (Tom Lane) + + + + + + + In ecpg, allow the numeric + value INT_MIN (usually -2147483648) to be + converted to integer (John Naylor) + + + + + + + In psql and other client programs, avoid + overrunning the ends of strings when dealing with invalidly-encoded + data (Tom Lane) + + + + An incorrectly-encoded multibyte character near the end of a string + could cause various processing loops to run past the string's + terminating NUL, with results ranging from no detectable issue to + a program crash, depending on what happens to be in the following + memory. This is reminiscent of CVE-2006-2313, although these + particular cases do not appear to have interesting security + consequences. + + + + + + + Fix pg_dump to correctly handle triggers + on partitioned tables whose enabled status is different from their + parent triggers' status + (Justin Pryzby, Álvaro Herrera) + + + + + + + Avoid invalid creation date in header warnings + observed when running pg_restore on an + archive file created in a different time zone (Tom Lane) + + + + + + + Make pg_upgrade carry forward the old + installation's oldestXID value (Bertrand Drouvot) + + + + Previously, the new installation's oldestXID was + set to a value old enough to (usually) force immediate + anti-wraparound autovacuuming. That's not desirable from a + performance standpoint; what's worse, installations using large + values of autovacuum_freeze_max_age could suffer + unwanted forced shutdowns soon after an upgrade. + + + + + + + Extend pg_upgrade to detect and warn + about extensions that should be upgraded (Bruce Momjian) + + + + A script file is now produced containing the ALTER + EXTENSION UPDATE commands needed to bring extensions up to + the versions that are considered default in the new installation. + + + + + + + Avoid problems when + switching pg_receivewal between + compressed and non-compressed WAL storage (Michael Paquier) + + + + + + + Fix contrib/postgres_fdw to work usefully with + generated columns (Etsuro Fujita) + + + + postgres_fdw will now behave reasonably with + generated columns, so long as a generated column in a foreign table + represents a generated column in the remote table. IMPORT + FOREIGN SCHEMA will now import generated columns that way + by default. + + + + + + + In contrib/postgres_fdw, avoid attempting + catalog lookups after an error (Tom Lane) + + + + While this usually worked, it's not very safe since the error might + have been one that made catalog access nonfunctional. A side effect + of the fix is that messages about data conversion errors will now + mention the query's table and column aliases (if used) rather than + the true underlying name of a foreign table or column. + + + + + + + In contrib/pgcrypto, avoid symbol name + conflicts with OpenSSL (Tom Lane) + + + + Operations using SHA224 hashing could show failures under valgrind + checking. It appears that this is only a stomp of alignment-padding + bytes and so has no real consequences, but let's fix it to be sure. + + + + + + + Improve the isolation-test infrastructure (Tom Lane, Michael Paquier) + + + + Allow isolation test steps to be annotated to show the expected + completion order. This allows getting stable results from + otherwise-racy test cases, without the long delays that we + previously used (not entirely successfully) to fend off race + conditions. + Allow non-quoted identifiers as isolation test session/step names + (formerly, all such names had to be double-quoted). + Detect and warn about unused steps in isolation tests. + Improve display of query results in isolation tests. + Remove isolationtester's dry-run mode. + Remove memory leaks in isolationtester itself. + + + + + + + Reduce overhead of cache-clobber testing (Tom Lane) + + + + + + + Fix PL/Python's regression tests to pass + with Python 3.10 (Honza Horak) + + + + + + + Make printf("%s", NULL) + print (null) instead of crashing (Tom Lane) + + + + This should improve server robustness in corner cases, and it syncs + our printf implementation with common libraries. + + + + + + + Fix incorrect log message when point-in-time recovery stops at + a ROLLBACK PREPARED record (Simon Riggs) + + + + + + + Improve ALTER TABLE's messages for + wrong-relation-kind errors (Kyotaro Horiguchi) + + + + + + + Clarify error messages referring to non-negative + values (Bharath Rupireddy) + + + + + + + Fix configure to work with OpenLDAP 2.5, + which no longer has a separate libldap_r + library (Adrian Ho, Tom Lane) + + + + If there is no libldap_r library, we now + silently assume that libldap is thread-safe. + + + + + + + Add new make targets world-bin + and install-world-bin (Andrew Dunstan) + + + + These are the same as world + and install-world respectively, except that they + do not build or install the documentation. + + + + + + + Fix make rule for TAP tests (prove_installcheck) + to work in PGXS usage (Andrew Dunstan) + + + + + + + Allow PostgreSQL version 10 to build + with ICU 69 and newer (Peter Eisentraut) + + + + + + + Adjust JIT code to prepare for forthcoming LLVM API change + (Thomas Munro, Andres Freund) + + + + LLVM 13 has made an incompatible API change that will cause crashing + of our previous JIT compiler. + + + + + + + Avoid assuming that strings returned by GSSAPI libraries are + null-terminated (Tom Lane) + + + + The GSSAPI spec provides for a string pointer and length. It seems + that in practice the next byte after the string is usually zero, + so that our previous coding didn't actually fail; but we do have + a report of AddressSanitizer complaints. + + + + + + + Enable building with GSSAPI on MSVC (Michael Paquier) + + + + Fix various incompatibilities with modern Kerberos builds. + + + + + + + In MSVC builds, include in the set of + configure options reported by pg_config, + if it had been specified (Andrew Dunstan) + + + + + + + + Release 13.3