Release date: 2021-08-12
This release contains a variety of fixes from 11.12. For information about new features in major release 11, see Section E.21.
A dump/restore is not required for those running 11.X.
However, if you are upgrading from a version earlier than 11.11, see Section E.10.
Fix mis-planning of repeated application of a projection step (Tom Lane)
The planner could create an incorrect plan in cases where two ProjectionPaths were stacked on top of each other. The only known way to trigger that situation involves parallel sort operations, but there may be other instances. The result would be crashes or incorrect query results. Disclosure of server memory contents is also possible. (CVE-2021-3677)
Disallow SSL renegotiation more completely (Michael Paquier)
SSL renegotiation has been disabled for some time, but the server would still cooperate with a client-initiated renegotiation request. A maliciously crafted renegotiation request could result in a server crash (see OpenSSL issue CVE-2021-3449). Disable the feature altogether on OpenSSL versions that permit doing so, which are 1.1.0h and newer.
Restore the Portal-level snapshot after COMMIT
or ROLLBACK
within a procedure (Tom Lane)
This change fixes cases where an attempt to fetch a toasted value
immediately after COMMIT
/ROLLBACK
would fail with errors like “no known snapshots” or
“missing chunk number 0 for toast value”.
Some extensions may attempt to execute SQL code outside of any Portal. They are responsible for ensuring that an outer snapshot exists before doing so. Previously, not providing a snapshot might work or it might not; now it will consistently fail with “cannot execute SQL without an outer snapshot or portal”.
Avoid misbehavior when persisting the output of a cursor that's reading a non-stable query (Tom Lane)
Previously, we'd always rewind and re-read the whole query result, possibly getting results different from the earlier execution, causing great confusion later. For a NO SCROLL cursor, we can fix this by only storing the not-yet-read portion of the query output, which is sufficient since a NO SCROLL cursor can't be backed up. Cursors with the SCROLL option remain at hazard, but that was already documented to be an unsafe option to use with a non-stable query. Make those documentation warnings stronger.
Also force NO SCROLL mode for the implicit cursor used by a PL/pgSQL FOR-over-query loop, to avoid this type of problem when persisting such a cursor during an intra-procedure commit.
Reject SELECT ... GROUP BY GROUPING SETS (()) FOR
UPDATE
(Tom Lane)
This should be disallowed, just as FOR UPDATE
with a plain GROUP BY
is disallowed, but the test
for that failed to handle empty grouping sets correctly.
The end result would be a null-pointer dereference in the executor.
Reject cases where a query in WITH
rewrites to just NOTIFY
(Tom Lane)
Such cases previously crashed.
In numeric
multiplication, round the result rather than
failing if it would have more than 16383 digits after the decimal
point (Dean Rasheed)
Fix corner-case errors and loss of precision when
raising numeric
values to very large powers
(Dean Rasheed)
Fix division-by-zero failure in to_char()
with EEEE
format and a numeric
input
value less than 10^(-1001) (Dean Rasheed)
Fix pg_size_pretty(bigint)
to round negative
values consistently with the way it rounds positive ones (and
consistently with the numeric
version) (Dean Rasheed,
David Rowley)
Make pg_filenode_relation(0, 0)
return NULL
rather than failing (Justin Pryzby)
Make ALTER EXTENSION
lock the extension when
adding or removing a member object (Tom Lane)
The previous coding allowed ALTER EXTENSION
ADD/DROP
to occur concurrently with DROP
EXTENSION
, leading to a crash or corrupt catalog entries.
Fix ALTER SUBSCRIPTION
to reject an empty slot
name (Japin Li)
When cloning a partitioned table's triggers to a new partition, ensure that their enabled status is copied (Álvaro Herrera)
Avoid alias conflicts in queries generated
for REFRESH MATERIALIZED VIEW CONCURRENTLY
(Tom Lane, Bharath Rupireddy)
This command failed on materialized views containing columns with
certain names, notably mv
and newdata
.
Fix PREPARE TRANSACTION
to check correctly
for conflicting session-lifespan and transaction-lifespan locks
(Tom Lane)
A transaction cannot be prepared if it has both session-lifespan and
transaction-lifespan locks on the same advisory-lock ID value. This
restriction was not fully checked, which could lead to a PANIC
during PREPARE TRANSACTION
.
Fix misbehavior of DROP OWNED BY
when the target
role is listed more than once in an RLS policy (Tom Lane)
Skip unnecessary error tests when removing a role from an RLS policy
during DROP OWNED BY
(Tom Lane)
Notably, this fixes some cases where it was necessary to be a
superuser to use DROP OWNED BY
.
Don't store a “fast default” when adding a column to a foreign table (Andrew Dunstan)
The fast default is useless since no local heap storage exists for
such a table, but it confused subsequent operations. In addition to
suppressing creation of such catalog entries in ALTER
TABLE
commands, adjust the downstream code to cope
when one is incorrectly present.
Allow index state flags to be updated transactionally (Michael Paquier, Andrey Lepikhov)
This avoids failures when dealing with index predicates that aren't really immutable. While that's not considered a supported case, the original reason for using a non-transactional update here is long gone, so we may as well change it.
Avoid corrupting the plan cache entry when CREATE
DOMAIN
or ALTER DOMAIN
appears
in a cached plan (Tom Lane)
Make walsenders show their latest replication commands
in pg_stat_activity
(Tom Lane)
Previously, a walsender would show its latest SQL command, which was confusing if it's now doing some replication operation instead. Now we show replication-protocol commands on the same footing as SQL commands.
Make
pg_settings
.pending_restart
show as true when the pertinent entry
in postgresql.conf
has been removed
(Álvaro Herrera)
pending_restart
correctly showed the case
where an entry that cannot be changed without a postmaster restart
has been modified, but not where the entry had been removed
altogether.
Fix corner-case failure of a new standby to follow a new primary (Dilip Kumar, Robert Haas)
Under a narrow combination of conditions, the standby could wind up trying to follow the wrong WAL timeline.
Update minimum recovery point when WAL replay of a transaction abort record causes file truncation (Fujii Masao)
File truncation is irreversible, so it's no longer safe to stop recovery at a point earlier than that record. The corresponding case for transaction commit was fixed years ago, but this one was overlooked.
In walreceivers, avoid attempting catalog lookups after an error (Masahiko Sawada, Bharath Rupireddy)
Ensure that a standby server's startup process will respond to a shutdown signal promptly while waiting for WAL to arrive (Fujii Masao, Soumyadeep Chakraborty)
Correctly clear shared state after failing to become a member of a transaction commit group (Amit Kapila)
Given the right timing, this could cause an assertion failure when some later session re-uses the same PGPROC object.
Add locking to avoid reading incorrect relmapper data in the face of a concurrent write from another process (Heikki Linnakangas)
Improve checks for violations of replication protocol (Tom Lane)
Logical replication workers frequently used Asserts to check for cases that could be triggered by invalid or out-of-order replication commands. This seems unwise, so promote these tests to regular error checks.
Fix deadlock when multiple logical replication workers try to truncate the same table (Peter Smith, Haiying Tang)
Fix error cases and memory leaks in logical decoding of speculative insertions (Dilip Kumar)
Avoid leaving an invalid record-type hash table entry behind after an error (Sait Talha Nisanci)
This could lead to later crashes or memory leakage.
Fix plan cache reference leaks in some error cases in
CREATE TABLE ... AS EXECUTE
(Tom Lane)
Fix race condition in code for sharing tuple descriptors across parallel workers (Thomas Munro)
Given the right timing, a crash could result.
Fix possible race condition when releasing BackgroundWorkerSlots (Tom Lane)
It's likely that this doesn't fix any observable bug on Intel hardware, but machines with weaker memory ordering rules could have problems.
Fix latent crash in sorting code (Ronan Dunklau)
One code path could attempt to free a null pointer. The case appears unreachable in the core server's use of sorting, but perhaps it could be triggered by extensions.
Prevent infinite loops in SP-GiST index insertion (Tom Lane)
In the event that INCLUDE columns take up enough space to prevent a leaf index tuple from ever fitting on a page, the text_ops operator class would get into an infinite loop vainly trying to make the tuple fit. While pre-v11 versions don't have INCLUDE columns, back-patch this anti-looping fix to them anyway, as it seems like a good defense against bugs in operator classes.
Ensure that SP-GiST index insertion can be terminated by a query cancel request (Tom Lane, Álvaro Herrera)
Fix uninitialized-variable bug that could
cause PL/pgSQL to act as though
an INTO
clause
specified STRICT
, even though it didn't
(Tom Lane)
Don't abort the process for an out-of-memory failure in libpq's printing functions (Tom Lane)
In ecpg, allow the numeric
value INT_MIN (usually -2147483648) to be
converted to integer (John Naylor)
In psql and other client programs, avoid overrunning the ends of strings when dealing with invalidly-encoded data (Tom Lane)
An incorrectly-encoded multibyte character near the end of a string could cause various processing loops to run past the string's terminating NUL, with results ranging from no detectable issue to a program crash, depending on what happens to be in the following memory. This is reminiscent of CVE-2006-2313, although these particular cases do not appear to have interesting security consequences.
Fix pg_dump to correctly handle triggers on partitioned tables whose enabled status is different from their parent triggers' status (Justin Pryzby, Álvaro Herrera)
Avoid “invalid creation date in header” warnings observed when running pg_restore on an archive file created in a different time zone (Tom Lane)
Make pg_upgrade carry forward the old
installation's oldestXID
value (Bertrand Drouvot)
Previously, the new installation's oldestXID
was
set to a value old enough to (usually) force immediate
anti-wraparound autovacuuming. That's not desirable from a
performance standpoint; what's worse, installations using large
values of autovacuum_freeze_max_age
could suffer
unwanted forced shutdowns soon after an upgrade.
Extend pg_upgrade to detect and warn about extensions that should be upgraded (Bruce Momjian)
A script file is now produced containing the ALTER
EXTENSION UPDATE
commands needed to bring extensions up to
the versions that are considered default in the new installation.
Avoid problems when switching pg_receivewal between compressed and non-compressed WAL storage (Michael Paquier)
In contrib/postgres_fdw
, avoid attempting
catalog lookups after an error (Tom Lane)
While this usually worked, it's not very safe since the error might have been one that made catalog access nonfunctional. A side effect of the fix is that messages about data conversion errors will now mention the query's table and column aliases (if used) rather than the true underlying name of a foreign table or column.
Improve the isolation-test infrastructure (Tom Lane, Michael Paquier)
Allow isolation test steps to be annotated to show the expected completion order. This allows getting stable results from otherwise-racy test cases, without the long delays that we previously used (not entirely successfully) to fend off race conditions. Allow non-quoted identifiers as isolation test session/step names (formerly, all such names had to be double-quoted). Detect and warn about unused steps in isolation tests. Improve display of query results in isolation tests. Remove isolationtester's “dry-run” mode. Remove memory leaks in isolationtester itself.
Reduce overhead of cache-clobber testing (Tom Lane)
Fix PL/Python's regression tests to pass with Python 3.10 (Honza Horak)
Make printf("%s", NULL)
print (null)
instead of crashing (Tom Lane)
This should improve server robustness in corner cases, and it syncs
our printf
implementation with common libraries.
Fix incorrect log message when point-in-time recovery stops at
a ROLLBACK PREPARED
record (Simon Riggs)
Improve ALTER TABLE
's messages for
wrong-relation-kind errors (Kyotaro Horiguchi)
Clarify error messages referring to “non-negative” values (Bharath Rupireddy)
Fix configure to work with OpenLDAP 2.5,
which no longer has a separate libldap_r
library (Adrian Ho, Tom Lane)
If there is no libldap_r
library, we now
silently assume that libldap
is thread-safe.
Add new make targets world-bin
and install-world-bin
(Andrew Dunstan)
These are the same as world
and install-world
respectively, except that they
do not build or install the documentation.
Fix make rule for TAP tests (prove_installcheck
)
to work in PGXS usage (Andrew Dunstan)
Adjust JIT code to prepare for forthcoming LLVM API change (Thomas Munro, Andres Freund)
LLVM 13 has made an incompatible API change that will cause crashing of our previous JIT compiler.
Avoid assuming that strings returned by GSSAPI libraries are null-terminated (Tom Lane)
The GSSAPI spec provides for a string pointer and length. It seems that in practice the next byte after the string is usually zero, so that our previous coding didn't actually fail; but we do have a report of AddressSanitizer complaints.
Enable building with GSSAPI on MSVC (Michael Paquier)
Fix various incompatibilities with modern Kerberos builds.
In MSVC builds, include --with-pgport
in the set of
configure options reported by pg_config,
if it had been specified (Andrew Dunstan)