Add missing permissions checks for ALTER ... DEPENDS ON EXTENSION (Álvaro Herrera)

Marking an object as dependent on an extension did not have any privilege check whatsoever. This oversight allowed any user to mark routines, triggers, materialized views, or indexes as droppable by anyone able to drop an extension. Require that the calling user own the specified object (and hence have privilege to drop it). (CVE-2020-1720)

Fix TRUNCATE ... CASCADE to ensure all relevant partitions are truncated (Jehan-Guillaume de Rorthais)

If a partition of a partitioned table is truncated with the CASCADE option, and the partitioned table has a foreign-key reference from another table, that table must also be truncated. The need to check this was missed if the referencing table was itself partitioned, possibly allowing rows to survive that violate the foreign-key constraint.

Hence, if you have foreign key constraints between partitioned tables, and you have done any partition-level TRUNCATE on the referenced table, you should check to see if any foreign key violations exist. The simplest way is to add a new instance of the foreign key constraint (and, once that succeeds, drop it or the original constraint). That may be prohibitive from a locking standpoint, however, in which case you might prefer to manually query for unmatched rows.

Fix failure to attach foreign key constraints to sub-partitions (Jehan-Guillaume de Rorthais)

When adding a partition to a level below the first level of a multi-level partitioned table, foreign key constraints referencing the top partitioned table were not cloned to the new partition, leading to possible constraint violations later. Detaching and re-attaching the new partition is the cheapest way to fix this. However, if there are many partitions to be fixed, adding a new instance of the foreign key constraint might be preferable.

Fix possible crash during concurrent update on a partitioned table or inheritance tree (Tom Lane)

Ensure that row triggers on partitioned tables are correctly cloned to sub-partitions when appropriate (Álvaro Herrera)

User-defined triggers (but not triggers for foreign key or deferred unique constraints) might be missed when creating or attaching a partition.

Fix logical replication subscriber code to execute per-column UPDATE triggers when appropriate (Peter Eisentraut)

Avoid failure in logical decoding when a large transaction must be spilled into many separate temporary files (Amit Khandekar)

Fix possible crash or data corruption when a logical replication subscriber processes a row update (Tom Lane, Tomas Vondra)

This bug caused visible problems only if the subscriber's table contained columns that were not being copied from the publisher and had pass-by-reference data types.

Fix crash in logical replication subscriber after DDL changes on a subscribed relation (Jehan-Guillaume de Rorthais, Vignesh C)

Fix failure in logical replication publisher after a database crash and restart (Vignesh C)

Ensure that the effect of pg_replication_slot_advance() on a physical replication slot will persist across restarts (Alexey Kondratov, Michael Paquier)

Improve efficiency of logical replication with REPLICA IDENTITY FULL (Konstantin Knizhnik)

When searching for an existing tuple during an update or delete operation, return the first matching tuple not the last one.

Fix base backup to handle database OIDs larger than INT32_MAX (Peter Eisentraut)

Ensure parallel plans are always shut down at the correct time (Kyotaro Horiguchi)

This oversight is known to result in “temporary file leak” warnings from multi-batch parallel hash joins.

Prevent premature shutdown of a Gather or GatherMerge plan node that is underneath a Limit node (Amit Kapila)

This avoids failure if such a plan node needs to be scanned more than once, as for instance if it is on the inside of a nestloop.

Improve efficiency of parallel hash join on CPUs with many cores (Gang Deng, Thomas Munro)

Avoid crash in parallel CREATE INDEX when there are no free dynamic shared memory slots (Thomas Munro)

Fall back to a non-parallel index build, instead.

Avoid memory leak when there are no free dynamic shared memory slots (Thomas Munro)

Ignore the CONCURRENTLY option when performing an index creation, drop, or rebuild on a temporary table (Michael Paquier, Heikki Linnakangas, Andres Freund)

This avoids strange failures if the temporary table has an ON COMMIT action. There is no benefit in using CONCURRENTLY for a temporary table anyway, since other sessions cannot access the table, making the extra processing pointless.

Fix possible failure when resetting expression indexes on temporary tables that are marked ON COMMIT DELETE ROWS (Tom Lane)

Fix possible crash in BRIN index operations with box, range and inet data types (Heikki Linnakangas)

Fix crash during recursive page split in GiST index build (Heikki Linnakangas)

Fix handling of deleted pages in GIN indexes (Alexander Korotkov)

Avoid possible deadlocks, incorrect updates of a deleted page's state, and failure to traverse through a recently-deleted page.

Fix possible crash with a SubPlan (sub-SELECT) within a multi-row VALUES list (Tom Lane)

Fix failure in ALTER TABLE when a column referenced in a GENERATED expression has been added or changed in type earlier in the same ALTER command (Tom Lane)

Fix failure to insert default values for “missing” attributes during tuple conversion (Vik Fearing, Andrew Gierth)

This could result in values incorrectly reading as NULL, when they come from columns that had been added by ALTER TABLE ADD COLUMN with a constant default.

Fix unlikely panic in the checkpointer process, caused by opening relation segments that might already have been removed (Thomas Munro)

Fix crash after FileClose() failure (Noah Misch)

This issue could only be observed with data_sync_retry enabled, since otherwise FileClose() failure would be reported as a PANIC.

Fix handling of multiple AFTER ROW triggers on a foreign table (Etsuro Fujita)

Fix unlikely crash with pass-by-reference aggregate transition states (Andres Freund, Teodor Sigaev)

Improve error reporting in to_date() and to_timestamp() (Tom Lane, Álvaro Herrera)

Reports about incorrect month or day names in input strings could truncate the input in the middle of a multi-byte character, leading to an improperly encoded error message that could cause follow-on failures. Truncate at the next whitespace instead.

Fix off-by-one result for EXTRACT(ISOYEAR FROM timestamp) for BC dates (Tom Lane)

Ensure that the <> operator for type char reports indeterminate-collation errors as such, rather than as “cache lookup failed for collation 0” (Tom Lane)

Avoid treating TID scans as sequential scans (Tatsuhito Kasahara)

A refactoring oversight caused TID scans (selection by CTID) to be counted as sequential scans in the statistics views, and to take whole-table predicate locks as sequential scans do. The latter behavior could cause unnecessary serialization errors in serializable transaction mode.

Avoid stack overflow in information_schema views when a self-referential view exists in the system catalogs (Tom Lane)

A self-referential view can't work; it will always result in infinite recursion. We handled that situation correctly when trying to execute the view, but not when inquiring whether it is automatically updatable.

Ensure that walsender processes always show NULL for transaction start time in pg_stat_activity (Álvaro Herrera)

Previously, the xact_start column would sometimes show the process start time.

Improve performance of hash joins with very large inner relations (Thomas Munro)

Reduce spinlock contention when there are many active walsender processes (Pierre Ducroquet)

Fix placement of “Subplans Removed” field in EXPLAIN output (Daniel Gustafsson, Tom Lane)

In non-text output formats, this field was emitted inside the “Plans” sub-group, resulting in syntactically invalid output. Attach it to the parent Append or MergeAppend plan node as intended. This causes the field to change position in text output format too: if there are any InitPlans attached to the same plan node, “Subplans Removed” will now appear before those.

Fix EXPLAIN's SETTINGS option to print as empty in non-text output formats (Tom Lane)

In the non-text output formats, fields are supposed to appear when requested, even if they have empty or zero values.

Allow the planner to apply potentially-leaky tests to child-table statistics, if the user can read the corresponding column of the table that's actually named in the query (Dilip Kumar, Amit Langote)

This change fixes a performance problem for partitioned tables that was created by the fix for CVE-2017-7484. That security fix disallowed applying leaky operators to statistics for columns that the current user doesn't have permission to read directly. However, it's somewhat common to grant permissions only on the parent partitioned table and not bother to do so on individual partitions. In such cases, the user can read the column via the parent, so there's no point in this security restriction; it only results in poorer planner estimates than necessary.

Fix planner errors induced by overly-aggressive collapsing of joins to single-row subqueries (Tom Lane)

This mistake led to errors such as “failed to construct the join relation”.

Fix “no = operator for opfamily NNNN” planner error when trying to match a LIKE or regex pattern-match operator to a binary-compatible index opclass (Tom Lane)

Fix edge-case crashes and misestimations in selectivity calculations for the <@ and @> range operators (Michael Paquier, Andrey Borodin, Tom Lane)

Fix incorrect estimation for OR clauses when using most-common-value extended statistics (Tomas Vondra)

Ignore system columns when applying most-common-value extended statistics (Tomas Vondra)

This prevents “negative bitmapset member not allowed” planner errors for affected queries.

Fix BRIN index logic to support hypothetical BRIN indexes (Julien Rouhaud, Heikki Linnakangas)

Previously, if an “index adviser” extension tried to get the planner to produce a plan involving a hypothetical BRIN index, that would fail, because the BRIN cost estimation code would always try to physically access the index's metapage. Now it checks to see if the index is only hypothetical, and uses default assumptions about the index parameters if so.

Improve error reporting for attempts to use automatic updating of views with conditional INSTEAD rules (Dean Rasheed)

This has never been supported, but previously the error was thrown only at execution time, so that it could be masked by planner errors.

Prevent a composite type from being included in itself indirectly via a range type (Tom Lane, Julien Rouhaud)

Disallow partition key expressions that return pseudo-types, such as record (Tom Lane)

Fix error reporting for index expressions of prohibited types (Amit Langote)

Fix dumping of views that contain only a VALUES list to handle cases where a view output column has been renamed (Tom Lane)

Ensure that data types and collations used in XMLTABLE constructs are accounted for when computing dependencies of a view or rule (Tom Lane)

Previously it was possible to break a view using XMLTABLE by dropping a type, if the type was not otherwise referenced in the view. This fix does not correct the dependencies already recorded for existing views, only for newly-created ones.

Prevent unwanted downcasing and truncation of RADIUS authentication parameters (Marcos David)

The pg_hba.conf parser mistakenly treated these fields as SQL identifiers, which in general they aren't.

Transmit incoming NOTIFY messages to the client before sending ReadyForQuery, rather than after (Tom Lane)

This change ensures that, with libpq and other client libraries that act similarly to it, any notifications received during a transaction will be available by the time the client thinks the transaction is complete. This probably makes no difference in practical applications (which would need to cope with asynchronous notifications in any case); but it makes it easier to build test cases with reproducible behavior.

Fix bugs in handling of non-blocking I/O when using GSSAPI encryption (Tom Lane)

These errors could result in dropping data (usually leading to subsequent wire-protocol-violation errors) or in a “livelock” situation where a sending process goes to sleep although not all its data has been sent. Moreover, libpq failed to keep separate encryption state for each connection, creating the possibility for failures in applications using multiple encrypted database connections.

Allow libpq to parse all GSS-related connection parameters even when the GSSAPI code hasn't been compiled in (Tom Lane)

This makes the behavior similar to our SSL support, where it was long ago deemed to be a good idea to always accept all the related parameters, even if some are ignored or restricted due to lack of the feature in a particular build.

Fix incorrect handling of %b and %B format codes in ecpg's PGTYPEStimestamp_fmt_asc() function (Tomas Vondra)

Due to an off-by-one error, these codes would print the wrong month name, or possibly crash.

Avoid crash after an out-of-memory failure in ecpglib (Tom Lane)

Fix parallel pg_dump/pg_restore to more gracefully handle failure to create worker processes (Tom Lane)

Prevent possible crash or lockup when attempting to terminate a parallel pg_dump/pg_restore run via a signal (Tom Lane)

In pg_upgrade, look inside arrays and ranges while searching for non-upgradable data types in tables (Tom Lane)

Apply more thorough syntax checking to createuser's --connection-limit option (Álvaro Herrera)

Cope with changes of the specific type referenced by a PL/pgSQL composite-type variable in more cases (Ashutosh Sharma, Tom Lane)

Dropping and re-creating the composite type referenced by a PL/pgSQL variable could lead to “could not open relation with OID NNNN” errors.

Avoid crash in postgres_fdw when trying to send a command like UPDATE remote_tab SET (x,y) = (SELECT ...) to the remote server (Tom Lane)

In contrib/dict_int, reject maxlen settings less than one (Tomas Vondra)

This prevents a possible crash with silly settings for that parameter.

Disallow NULL category values in contrib/tablefunc's crosstab() function (Joe Conway)

This case never worked usefully, and it would crash on some platforms.

Fix configure's probe for OpenSSL's SSL_clear_options() function so that it works with OpenSSL versions before 1.1.0 (Michael Paquier, Daniel Gustafsson)

This problem could lead to failure to set the SSL compression option as desired, when PostgreSQL is built against an old version of OpenSSL.

Mark some timeout and statistics-tracking GUC variables as PGDLLIMPORT, to allow extensions to access them on Windows (Pascal Legrand)

This applies to idle_in_transaction_session_timeout, lock_timeout, statement_timeout, track_activities, track_counts, and track_functions.

Avoid memory leak in sanity checks for “slab” memory contexts (Tomas Vondra)

This isn't an issue for production builds, since they wouldn't ordinarily have memory context checking enabled; but the leak could be quite severe in a debug build.

Fix multiple statistics entries reported by the LWLock statistics mechanism (Fujii Masao)

The LWLock statistics code (which is not built by default; it requires compiling with -DLWLOCK_STATS) could report multiple entries for the same LWLock and backend process, as a result of faulty hashtable key creation.

Fix race condition that led to delayed delivery of interprocess signals on Windows (Amit Kapila)

This caused visible timing oddities in NOTIFY, and perhaps other misbehavior.

Fix handling of a corner-case error result from Windows' ReadFile() function (Thomas Munro, Juan José Santamaría Flecha)

So far as is known, this oversight just resulted in noisy log messages, not any actual query misbehavior.

On Windows, retry a few times after an ERROR_ACCESS_DENIED file access failure (Alexander Lakhin, Tom Lane)

This helps cope with cases where a file open attempt fails because the targeted file is flagged for deletion but not yet actually gone. pg_ctl, for example, frequently failed with such an error when probing to see if the postmaster had shut down yet.

On Windows, work around sharing violations for the postmaster's log file when pg_ctl is used to start the postmaster very shortly after it's been stopped, for example by pg_ctl restart (Alexander Lakhin)