Release date: 2018-11-08
This release contains a variety of fixes from 10.5. For information about new features in major release 10, see Section E.9.
A dump/restore is not required for those running 10.X.
    However, if you use the pg_stat_statements extension,
    see the changelog entry below about that.
   
Also, if you are upgrading from a version earlier than 10.4, see Section E.5.
      Ensure proper quoting of transition table names
      when pg_dump emits CREATE TRIGGER
      ... REFERENCING commands (Tom Lane)
     
This oversight could be exploited by an unprivileged user to gain superuser privileges during the next dump/reload or pg_upgrade run. (CVE-2018-16850)
      Fix corner-case failures
      in has_
      family of functions (Tom Lane)
     foo_privilege()
      Return NULL rather than throwing an error when an invalid object OID
      is provided.  Some of these functions got that right already, but not
      all.  has_column_privilege() was additionally
      capable of crashing on some platforms.
     
      Fix pg_get_partition_constraintdef() to return
      NULL rather than fail when passed an invalid relation OID (Tom Lane)
     
Avoid O(N^2) slowdown in regular expression match/split functions on long strings (Andrew Gierth)
      Fix parsing of standard multi-character operators that are immediately
      followed by a comment or + or -
      (Andrew Gierth)
     
This oversight could lead to parse errors, or to incorrect assignment of precedence.
      Avoid O(N^3) slowdown in lexer for long strings
      of + or - characters
      (Andrew Gierth)
     
Fix mis-execution of SubPlans when the outer query is being scanned backwards (Andrew Gierth)
      Fix failure of UPDATE/DELETE ... WHERE CURRENT OF ...
      after rewinding the referenced cursor (Tom Lane)
     
A cursor that scans multiple relations (particularly an inheritance tree) could produce wrong behavior if rewound to an earlier relation.
      Fix EvalPlanQual to handle conditionally-executed
      InitPlans properly (Andrew Gierth, Tom Lane)
     
      This resulted in hard-to-reproduce crashes or wrong answers in
      concurrent updates, if they contained code such as an uncorrelated
      sub-SELECT inside a CASE
      construct.
     
Prevent creation of a partition in a trigger attached to its parent table (Amit Langote)
Ideally we'd allow that, but for the moment it has to be blocked to avoid crashes.
      Fix problems with applying ON COMMIT DELETE ROWS to
      a partitioned temporary table (Amit Langote)
     
Fix character-class checks to not fail on Windows for Unicode characters above U+FFFF (Tom Lane, Kenji Uno)
      This bug affected full-text-search operations, as well
      as contrib/ltree
      and contrib/pg_trgm.
     
      Disallow pushing sub-SELECTs containing window
      functions, LIMIT, or OFFSET to
      parallel workers (Amit Kapila)
     
Such cases could result in inconsistent behavior due to different workers getting different answers, as a result of indeterminacy due to row-ordering variations.
      Ensure that sequences owned by a foreign table are processed
      by ALTER OWNER on the table (Peter Eisentraut)
     
The ownership change should propagate to such sequences as well, but this was missed for foreign tables.
      Ensure that the server will process
      already-received NOTIFY
      and SIGTERM interrupts before waiting for client
      input (Jeff Janes, Tom Lane)
     
      Fix over-allocation of space for array_out()'s
      result string (Keiichi Hirobe)
     
      Avoid query-lifetime memory leak in XMLTABLE
      (Andrew Gierth)
     
Fix memory leak in repeated SP-GiST index scans (Tom Lane)
This is only known to amount to anything significant in cases where an exclusion constraint using SP-GiST receives many new index entries in a single command.
      Ensure that ApplyLogicalMappingFile() closes the
      mapping file when done with it (Tomas Vondra)
     
Previously, the file descriptor was leaked, eventually resulting in failures during logical decoding.
      Fix logical decoding to handle cases where a mapped catalog table is
      repeatedly rewritten, e.g. by VACUUM FULL
      (Andres Freund)
     
      Prevent starting the server with wal_level set
      to too low a value to support an existing replication slot (Andres
      Freund)
     
Avoid crash if a utility command causes infinite recursion (Tom Lane)
When initializing a hot standby, cope with duplicate XIDs caused by two-phase transactions on the master (Michael Paquier, Konstantin Knizhnik)
      Fix event triggers to handle nested ALTER TABLE
      commands (Michael Paquier, Álvaro Herrera)
     
Propagate parent process's transaction and statement start timestamps to parallel workers (Konstantin Knizhnik)
      This prevents misbehavior of functions such
      as transaction_timestamp() when executed in a
      worker.
     
Fix transfer of expanded datums to parallel workers so that alignment is preserved, preventing crashes on alignment-picky platforms (Tom Lane, Amit Kapila)
Fix WAL file recycling logic to work correctly on standby servers (Michael Paquier)
      Depending on the setting of archive_mode, a standby
      might fail to remove some WAL files that could be removed.
     
Fix handling of commit-timestamp tracking during recovery (Masahiko Sawada, Michael Paquier)
If commit timestamp tracking has been turned on or off, recovery might fail due to trying to fetch the commit timestamp for a transaction that did not record it.
      Randomize the random() seed in bootstrap and
      standalone backends, and in initdb
      (Noah Misch)
     
The main practical effect of this change is that it avoids a scenario where initdb might mistakenly conclude that POSIX shared memory is not available, due to name collisions caused by always using the same random seed.
Fix possible shared-memory corruption in DSA logic (Thomas Munro)
Allow DSM allocation to be interrupted (Chris Travers)
Avoid failure in a parallel worker when loading an extension that tries to access system caches within its init function (Thomas Munro)
We don't consider that to be good extension coding practice, but it mostly worked before parallel query, so continue to support it for now.
      Properly handle turning full_page_writes on
      dynamically (Kyotaro Horiguchi)
     
      Fix possible crash due to double free() during
      SP-GiST rescan (Andrew Gierth)
     
Prevent mis-linking of src/port and src/common functions on ELF-based BSD platforms, as well as HP-UX and Solaris (Andrew Gierth, Tom Lane)
Shared libraries loaded into a backend's address space could use the backend's versions of these functions, rather than their own copies as intended. Since the behavior of the two sets of functions isn't quite the same, this led to failures.
Avoid possible buffer overrun when replaying GIN page recompression from WAL (Alexander Korotkov, Sivasubramanian Ramasubramanian)
      Avoid overrun of a hash index's metapage
      when BLCKSZ is smaller than default (Dilip Kumar)
     
Fix missed page checksum updates in hash indexes (Amit Kapila)
Fix missed fsync of a replication slot's directory (Konstantin Knizhnik, Michael Paquier)
      Fix unexpected timeouts when
      using wal_sender_timeout on a slow server
      (Noah Misch)
     
Ensure that hot standby processes use the correct WAL consistency point (Alexander Kukushkin, Michael Paquier)
This prevents possible misbehavior just after a standby server has reached a consistent database state during WAL replay.
Ensure background workers are stopped properly when the postmaster receives a fast-shutdown request before completing database startup (Alexander Kukushkin)
Update the free space map during WAL replay of page all-visible/frozen flag changes (Álvaro Herrera)
Previously we were not careful about this, reasoning that the FSM is not critical data anyway. However, if it's sufficiently out of date, that can result in significant performance degradation after a standby has been promoted to primary. The FSM will eventually be healed by updates, but we'd like it to be good sooner, so work harder at maintaining it during WAL replay.
Avoid premature release of parallel-query resources when query end or tuple count limit is reached (Amit Kapila)
It's only okay to shut down the executor at this point if the caller cannot demand backwards scan afterwards.
      Don't run atexit callbacks when servicing SIGQUIT
      (Heikki Linnakangas)
     
Don't record foreign-server user mappings as members of extensions (Tom Lane)
      If CREATE USER MAPPING is executed in an extension
      script, an extension dependency was created for the user mapping,
      which is unexpected.  Roles can't be extension members, so user
      mappings shouldn't be either.
     
Make syslogger more robust against failures in opening CSV log files (Tom Lane)
When libpq is given multiple target host names, do the DNS lookups one at a time, not all at once (Tom Lane)
This prevents unnecessary failures or slow connections when a connection is successfully made to one of the earlier servers in the list.
Fix libpq's handling of connection timeouts so that they are properly applied per host name or IP address (Tom Lane)
Previously, some code paths failed to restart the timer when switching to a new target host, possibly resulting in premature timeout.
      Fix psql, as well as documentation
      examples, to call PQconsumeInput() before
      each PQnotifies() call (Tom Lane)
     
      This fixes cases in which psql would not
      report receipt of a NOTIFY message until after the
      next command.
     
      Fix pg_dump's
      --no-publications option to also ignore publication
      tables (Gilles Darold)
     
In pg_dump, exclude identity sequences when their parent table is excluded from the dump (David Rowley)
Fix possible inconsistency in pg_dump's sorting of dissimilar object names (Jacob Champion)
      Ensure that pg_restore will schema-qualify
      the table name when
      emitting DISABLE/ENABLE TRIGGER
      commands (Tom Lane)
     
This avoids failures due to the new policy of running restores with restrictive search path.
Fix pg_upgrade to handle event triggers in extensions correctly (Haribabu Kommi)
pg_upgrade failed to preserve an event trigger's extension-membership status.
Fix pg_upgrade's cluster state check to work correctly on a standby server (Bruce Momjian)
      Enforce type cube's dimension limit in
      all contrib/cube functions (Andrey Borodin)
     
      Previously, some cube-related functions could construct values that
      would be rejected by cube_in(), leading to
      dump/reload failures.
     
      In contrib/pg_stat_statements, disallow
      the pg_read_all_stats role from
      executing pg_stat_statements_reset()
      (Haribabu Kommi)
     
      pg_read_all_stats is only meant to grant permission
      to read statistics, not to change them, so this grant was incorrect.
     
      To cause this change to take effect, run ALTER EXTENSION
      pg_stat_statements UPDATE in each database
      where pg_stat_statements has been installed.
     
      In contrib/postgres_fdw, don't try to ship a
      variable-free ORDER BY clause to the remote server
      (Andrew Gierth)
     
      Fix contrib/unaccent's
      unaccent() function to use
      the unaccent text search dictionary that is in the
      same schema as the function (Tom Lane)
     
Previously it tried to look up the dictionary using the search path, which could fail if the search path has a restrictive value.
Fix build problems on macOS 10.14 (Mojave) (Tom Lane)
      Adjust configure to add
      an -isysroot switch to CPPFLAGS;
      without this, PL/Perl and PL/Tcl fail to configure or build on macOS
      10.14.  The specific sysroot used can be overridden at configure time
      or build time by setting the PG_SYSROOT variable in
      the arguments of configure
      or make.
     
      It is now recommended that Perl-related extensions
      write $(perl_includespec) rather
      than -I$(perl_archlibexp)/CORE in their compiler
      flags.  The latter continues to work on most platforms, but not recent
      macOS.
     
      Also, it should no longer be necessary to
      specify --with-tclconfig manually to get PL/Tcl to
      build on recent macOS releases.
     
Fix MSVC build and regression-test scripts to work on recent Perl versions (Andrew Dunstan)
Perl no longer includes the current directory in its search path by default; work around that.
On Windows, allow the regression tests to be run by an Administrator account (Andrew Dunstan)
To do this safely, pg_regress now gives up any such privileges at startup.
      Allow btree comparison functions to return INT_MIN
      (Tom Lane)
     
      Up to now, we've forbidden datatype-specific comparison functions from
      returning INT_MIN, which allows callers to invert
      the sort order just by negating the comparison result.  However, this
      was never safe for comparison functions that directly return the
      result of memcmp(), strcmp(),
      etc, as POSIX doesn't place any such restriction on those functions.
      At least some recent versions of memcmp() can
      return INT_MIN, causing incorrect sort ordering.
      Hence, we've removed this restriction.  Callers must now use
      the INVERT_COMPARE_RESULT() macro if they wish to
      invert the sort order.
     
Fix recursion hazard in shared-invalidation message processing (Tom Lane)
      This error could, for example, result in failure to access a system
      catalog or index that had just been processed by VACUUM
      FULL.
     
      This change adds a new result code
      for LockAcquire, which might possibly affect
      external callers of that function, though only very unusual usage
      patterns would have an issue with it.  The API
      of LockAcquireExtended is also changed.
     
      Save and restore SPI's global variables
      during SPI_connect()
      and SPI_finish() (Chapman Flack, Tom Lane)
     
This prevents possible interference when one SPI-using function calls another.
Avoid using potentially-under-aligned page buffers (Tom Lane)
      Invent new union types PGAlignedBlock
      and PGAlignedXLogBlock, and use these in place of plain
      char arrays, ensuring that the compiler can't place the buffer at a
      misaligned start address.  This fixes potential core dumps on
      alignment-picky platforms, and may improve performance even on
      platforms that allow misalignment.
     
      Make src/port/snprintf.c follow the C99
      standard's definition of snprintf()'s result
      value (Tom Lane)
     
On platforms where this code is used (mostly Windows), its pre-C99 behavior could lead to failure to detect buffer overrun, if the calling code assumed C99 semantics.
      When building on i386 with the clang
      compiler, require -msse2 to be used (Andres Freund)
     
This avoids problems with missed floating point overflow checks.
      Fix configure's detection of the result
      type of strerror_r() (Tom Lane)
     
The previous coding got the wrong answer when building with icc on Linux (and perhaps in other cases), leading to libpq not returning useful error messages for system-reported errors.
Update time zone data files to tzdata release 2018g for DST law changes in Chile, Fiji, Morocco, and Russia (Volgograd), plus historical corrections for China, Hawaii, Japan, Macau, and North Korea.