E.52. Release 10.6

Release date: 2018-11-08

This release contains a variety of fixes from 10.5. For information about new features in major release 10, see Section E.58.

E.52.1. Migration to Version 10.6

A dump/restore is not required for those running 10.X.

However, if you use the pg_stat_statements extension, see the changelog entry below about that.

Also, if you are upgrading from a version earlier than 10.4, see Section E.54.

E.52.2. Changes

  • Ensure proper quoting of transition table names when pg_dump emits CREATE TRIGGER ... REFERENCING commands (Tom Lane)

    This oversight could be exploited by an unprivileged user to gain superuser privileges during the next dump/reload or pg_upgrade run. (CVE-2018-16850)

  • Fix corner-case failures in has_foo_privilege() family of functions (Tom Lane)

    Return NULL rather than throwing an error when an invalid object OID is provided. Some of these functions got that right already, but not all. has_column_privilege() was additionally capable of crashing on some platforms.

  • Fix pg_get_partition_constraintdef() to return NULL rather than fail when passed an invalid relation OID (Tom Lane)

  • Avoid O(N^2) slowdown in regular expression match/split functions on long strings (Andrew Gierth)

  • Fix parsing of standard multi-character operators that are immediately followed by a comment or + or - (Andrew Gierth)

    This oversight could lead to parse errors, or to incorrect assignment of precedence.

  • Avoid O(N^3) slowdown in lexer for long strings of + or - characters (Andrew Gierth)

  • Fix mis-execution of SubPlans when the outer query is being scanned backwards (Andrew Gierth)

  • Fix failure of UPDATE/DELETE ... WHERE CURRENT OF ... after rewinding the referenced cursor (Tom Lane)

    A cursor that scans multiple relations (particularly an inheritance tree) could produce wrong behavior if rewound to an earlier relation.

  • Fix EvalPlanQual to handle conditionally-executed InitPlans properly (Andrew Gierth, Tom Lane)

    This resulted in hard-to-reproduce crashes or wrong answers in concurrent updates, if they contained code such as an uncorrelated sub-SELECT inside a CASE construct.

  • Prevent creation of a partition in a trigger attached to its parent table (Amit Langote)

    Ideally we'd allow that, but for the moment it has to be blocked to avoid crashes.

  • Fix problems with applying ON COMMIT DELETE ROWS to a partitioned temporary table (Amit Langote)

  • Fix character-class checks to not fail on Windows for Unicode characters above U+FFFF (Tom Lane, Kenji Uno)

    This bug affected full-text-search operations, as well as contrib/ltree and contrib/pg_trgm.

  • Disallow pushing sub-SELECTs containing window functions, LIMIT, or OFFSET to parallel workers (Amit Kapila)

    Such cases could result in inconsistent behavior due to different workers getting different answers, as a result of indeterminacy due to row-ordering variations.

  • Ensure that sequences owned by a foreign table are processed by ALTER OWNER on the table (Peter Eisentraut)

    The ownership change should propagate to such sequences as well, but this was missed for foreign tables.

  • Ensure that the server will process already-received NOTIFY and SIGTERM interrupts before waiting for client input (Jeff Janes, Tom Lane)

  • Fix over-allocation of space for array_out()'s result string (Keiichi Hirobe)

  • Avoid query-lifetime memory leak in XMLTABLE (Andrew Gierth)

  • Fix memory leak in repeated SP-GiST index scans (Tom Lane)

    This is only known to amount to anything significant in cases where an exclusion constraint using SP-GiST receives many new index entries in a single command.

  • Ensure that ApplyLogicalMappingFile() closes the mapping file when done with it (Tomas Vondra)

    Previously, the file descriptor was leaked, eventually resulting in failures during logical decoding.

  • Fix logical decoding to handle cases where a mapped catalog table is repeatedly rewritten, e.g., by VACUUM FULL (Andres Freund)

  • Prevent starting the server with wal_level set to too low a value to support an existing replication slot (Andres Freund)

  • Avoid crash if a utility command causes infinite recursion (Tom Lane)

  • When initializing a hot standby, cope with duplicate XIDs caused by two-phase transactions on the master (Michael Paquier, Konstantin Knizhnik)

  • Fix event triggers to handle nested ALTER TABLE commands (Michael Paquier, Álvaro Herrera)

  • Propagate parent process's transaction and statement start timestamps to parallel workers (Konstantin Knizhnik)

    This prevents misbehavior of functions such as transaction_timestamp() when executed in a worker.

  • Fix transfer of expanded datums to parallel workers so that alignment is preserved, preventing crashes on alignment-picky platforms (Tom Lane, Amit Kapila)

  • Fix WAL file recycling logic to work correctly on standby servers (Michael Paquier)

    Depending on the setting of archive_mode, a standby might fail to remove some WAL files that could be removed.

  • Fix handling of commit-timestamp tracking during recovery (Masahiko Sawada, Michael Paquier)

    If commit timestamp tracking has been turned on or off, recovery might fail due to trying to fetch the commit timestamp for a transaction that did not record it.

  • Randomize the random() seed in bootstrap and standalone backends, and in initdb (Noah Misch)

    The main practical effect of this change is that it avoids a scenario where initdb might mistakenly conclude that POSIX shared memory is not available, due to name collisions caused by always using the same random seed.

  • Fix possible shared-memory corruption in DSA logic (Thomas Munro)

  • Allow DSM allocation to be interrupted (Chris Travers)

  • Avoid failure in a parallel worker when loading an extension that tries to access system caches within its init function (Thomas Munro)

    We don't consider that to be good extension coding practice, but it mostly worked before parallel query, so continue to support it for now.

  • Properly handle turning full_page_writes on dynamically (Kyotaro Horiguchi)

  • Fix possible crash due to double free() during SP-GiST rescan (Andrew Gierth)

  • Prevent mis-linking of src/port and src/common functions on ELF-based BSD platforms, as well as HP-UX and Solaris (Andrew Gierth, Tom Lane)

    Shared libraries loaded into a backend's address space could use the backend's versions of these functions, rather than their own copies as intended. Since the behavior of the two sets of functions isn't quite the same, this led to failures.

  • Avoid possible buffer overrun when replaying GIN page recompression from WAL (Alexander Korotkov, Sivasubramanian Ramasubramanian)

  • Avoid overrun of a hash index's metapage when BLCKSZ is smaller than default (Dilip Kumar)

  • Fix missed page checksum updates in hash indexes (Amit Kapila)

  • Fix missed fsync of a replication slot's directory (Konstantin Knizhnik, Michael Paquier)

  • Fix unexpected timeouts when using wal_sender_timeout on a slow server (Noah Misch)

  • Ensure that hot standby processes use the correct WAL consistency point (Alexander Kukushkin, Michael Paquier)

    This prevents possible misbehavior just after a standby server has reached a consistent database state during WAL replay.

  • Ensure background workers are stopped properly when the postmaster receives a fast-shutdown request before completing database startup (Alexander Kukushkin)

  • Update the free space map during WAL replay of page all-visible/frozen flag changes (Álvaro Herrera)

    Previously we were not careful about this, reasoning that the FSM is not critical data anyway. However, if it's sufficiently out of date, that can result in significant performance degradation after a standby has been promoted to primary. The FSM will eventually be healed by updates, but we'd like it to be good sooner, so work harder at maintaining it during WAL replay.

  • Avoid premature release of parallel-query resources when query end or tuple count limit is reached (Amit Kapila)

    It's only okay to shut down the executor at this point if the caller cannot demand backwards scan afterwards.

  • Don't run atexit callbacks when servicing SIGQUIT (Heikki Linnakangas)

  • Don't record foreign-server user mappings as members of extensions (Tom Lane)

    If CREATE USER MAPPING is executed in an extension script, an extension dependency was created for the user mapping, which is unexpected. Roles can't be extension members, so user mappings shouldn't be either.

  • Make syslogger more robust against failures in opening CSV log files (Tom Lane)

  • When libpq is given multiple target host names, do the DNS lookups one at a time, not all at once (Tom Lane)

    This prevents unnecessary failures or slow connections when a connection is successfully made to one of the earlier servers in the list.

  • Fix libpq's handling of connection timeouts so that they are properly applied per host name or IP address (Tom Lane)

    Previously, some code paths failed to restart the timer when switching to a new target host, possibly resulting in premature timeout.

  • Fix psql, as well as documentation examples, to call PQconsumeInput() before each PQnotifies() call (Tom Lane)

    This fixes cases in which psql would not report receipt of a NOTIFY message until after the next command.

  • Fix pg_dump's --no-publications option to also ignore publication tables (Gilles Darold)

  • In pg_dump, exclude identity sequences when their parent table is excluded from the dump (David Rowley)

  • Fix possible inconsistency in pg_dump's sorting of dissimilar object names (Jacob Champion)

  • Ensure that pg_restore will schema-qualify the table name when emitting DISABLE/ENABLE TRIGGER commands (Tom Lane)

    This avoids failures due to the new policy of running restores with restrictive search path.

  • Fix pg_upgrade to handle event triggers in extensions correctly (Haribabu Kommi)

    pg_upgrade failed to preserve an event trigger's extension-membership status.

  • Fix pg_upgrade's cluster state check to work correctly on a standby server (Bruce Momjian)

  • Enforce type cube's dimension limit in all contrib/cube functions (Andrey Borodin)

    Previously, some cube-related functions could construct values that would be rejected by cube_in(), leading to dump/reload failures.

  • In contrib/pg_stat_statements, disallow the pg_read_all_stats role from executing pg_stat_statements_reset() (Haribabu Kommi)

    pg_read_all_stats is only meant to grant permission to read statistics, not to change them, so this grant was incorrect.

    To cause this change to take effect, run ALTER EXTENSION pg_stat_statements UPDATE in each database where pg_stat_statements has been installed.

  • In contrib/postgres_fdw, don't try to ship a variable-free ORDER BY clause to the remote server (Andrew Gierth)

  • Fix contrib/unaccent's unaccent() function to use the unaccent text search dictionary that is in the same schema as the function (Tom Lane)

    Previously it tried to look up the dictionary using the search path, which could fail if the search path has a restrictive value.

  • Fix build problems on macOS 10.14 (Mojave) (Tom Lane)

    Adjust configure to add an -isysroot switch to CPPFLAGS; without this, PL/Perl and PL/Tcl fail to configure or build on macOS 10.14. The specific sysroot used can be overridden at configure time or build time by setting the PG_SYSROOT variable in the arguments of configure or make.

    It is now recommended that Perl-related extensions write $(perl_includespec) rather than -I$(perl_archlibexp)/CORE in their compiler flags. The latter continues to work on most platforms, but not recent macOS.

    Also, it should no longer be necessary to specify --with-tclconfig manually to get PL/Tcl to build on recent macOS releases.

  • Fix MSVC build and regression-test scripts to work on recent Perl versions (Andrew Dunstan)

    Perl no longer includes the current directory in its search path by default; work around that.

  • On Windows, allow the regression tests to be run by an Administrator account (Andrew Dunstan)

    To do this safely, pg_regress now gives up any such privileges at startup.

  • Allow btree comparison functions to return INT_MIN (Tom Lane)

    Up to now, we've forbidden datatype-specific comparison functions from returning INT_MIN, which allows callers to invert the sort order just by negating the comparison result. However, this was never safe for comparison functions that directly return the result of memcmp(), strcmp(), etc, as POSIX doesn't place any such restriction on those functions. At least some recent versions of memcmp() can return INT_MIN, causing incorrect sort ordering. Hence, we've removed this restriction. Callers must now use the INVERT_COMPARE_RESULT() macro if they wish to invert the sort order.

  • Fix recursion hazard in shared-invalidation message processing (Tom Lane)

    This error could, for example, result in failure to access a system catalog or index that had just been processed by VACUUM FULL.

    This change adds a new result code for LockAcquire, which might possibly affect external callers of that function, though only very unusual usage patterns would have an issue with it. The API of LockAcquireExtended is also changed.

  • Save and restore SPI's global variables during SPI_connect() and SPI_finish() (Chapman Flack, Tom Lane)

    This prevents possible interference when one SPI-using function calls another.

  • Avoid using potentially-under-aligned page buffers (Tom Lane)

    Invent new union types PGAlignedBlock and PGAlignedXLogBlock, and use these in place of plain char arrays, ensuring that the compiler can't place the buffer at a misaligned start address. This fixes potential core dumps on alignment-picky platforms, and may improve performance even on platforms that allow misalignment.

  • Make src/port/snprintf.c follow the C99 standard's definition of snprintf()'s result value (Tom Lane)

    On platforms where this code is used (mostly Windows), its pre-C99 behavior could lead to failure to detect buffer overrun, if the calling code assumed C99 semantics.

  • When building on i386 with the clang compiler, require -msse2 to be used (Andres Freund)

    This avoids problems with missed floating point overflow checks.

  • Fix configure's detection of the result type of strerror_r() (Tom Lane)

    The previous coding got the wrong answer when building with icc on Linux (and perhaps in other cases), leading to libpq not returning useful error messages for system-reported errors.

  • Update time zone data files to tzdata release 2018g for DST law changes in Chile, Fiji, Morocco, and Russia (Volgograd), plus historical corrections for China, Hawaii, Japan, Macau, and North Korea.