Release date: 2019-02-14
This release contains a variety of fixes from 9.6.11. For information about new features in the 9.6 major release, see Section E.20.
A dump/restore is not required for those running 9.6.X.
However, if you are upgrading from a version earlier than 9.6.9, see Section E.11.
By default, panic instead of retrying after
fsync() failure, to avoid possible data corruption (Craig Ringer, Thomas Munro)
Some popular operating systems discard kernel data buffers when unable to write them out, reporting this as
fsync() failure. If we reissue the
fsync() request it will succeed, but in fact the data has been lost, so continuing risks database corruption. By raising a panic condition instead, we can replay from WAL, which may contain the only remaining copy of the data in such a situation. While this is surely ugly and inefficient, there are few alternatives, and fortunately the case happens very rarely.
A new server parameter data_sync_retry has been added to control this; if you are certain that your kernel does not discard dirty data buffers in such scenarios, you can set data_sync_retry to on to restore the old behavior.
Include each major release branch's release notes in the documentation for only that branch, rather than that branch and all later ones (Tom Lane)
The duplication induced by the previous policy was getting out of hand. Our plan is to provide a full archive of release notes on the project's web site, but not duplicate it within each release.
Avoid possible deadlock when acquiring multiple buffer locks (Nishant Fnu)
Avoid deadlock between hot-standby queries and replay of GIN index page deletion (Alexander Korotkov)
Fix possible crashes in logical replication when index expressions or predicates are in use (Peter Eisentraut)
Avoid useless and expensive logical decoding of TOAST data during a table rewrite (Tomas Vondra)
Fix logic for stopping a subset of WAL senders when synchronous replication is enabled (Paul Guo, Michael Paquier)
Avoid possibly writing an incorrect replica identity field in a tuple deletion WAL record (Stas Kelvich)
Make the archiver prioritize WAL history files over WAL data files while choosing which file to archive next (David Steele)
Fix possible crash in UPDATE with a multiple SET clause using a sub-SELECT as source (Tom Lane)
Avoid crash if libxml2 returns a null error message (Sergio Conde Gómez)
Fix spurious grouping-related parser errors caused by inconsistent handling of collation assignment (Andrew Gierth)
In some cases, expressions that should be considered to match were not seen as matching, if they included operations on collatable data types.
Check whether the comparison function underlying
GREATEST() is leakproof, rather than just assuming it is (Tom Lane)
Actual information leaks from btree comparison functions are typically hard to provoke, but in principle they could happen.
Fix incorrect planning of queries involving nested loops both above and below a Gather plan node (Tom Lane)
If both levels of nestloop needed to pass the same variable into their right-hand sides, an incorrect plan would be generated.
Fix incorrect planning of queries in which a lateral reference must be evaluated at a foreign table scan (Tom Lane)
Fix corner-case underestimation of the cost of a merge join (Tom Lane)
The planner could prefer a merge join when the outer key range is much smaller than the inner key range, even if there are so many duplicate keys on the inner side that this is a poor choice.
Avoid O(N^2) planning time growth when a query contains many thousand indexable clauses (Tom Lane)
Improve ANALYZE's handling of concurrently-updated rows (Jeff Janes, Tom Lane)
Previously, rows deleted by an in-progress transaction were omitted from ANALYZE's sample, but this has been found to lead to more inconsistency than including them would do. In effect, the sample now corresponds to an MVCC snapshot as of ANALYZE's start time.
Make TRUNCATE ignore inheritance child tables that are temporary tables of other sessions (Amit Langote, Michael Paquier)
This brings TRUNCATE into line with the behavior of other commands. Previously, such cases usually ended in failure.
Fix TRUNCATE to update the statistics counters for the right table (Tom Lane)
If the truncated table had a TOAST table, that table's counters were reset instead.
Process ALTER TABLE ONLY ADD COLUMN IF NOT EXISTS correctly (Greg Stark)
Allow UNLISTEN in hot-standby mode (Shay Rojansky)
This is necessarily a no-op, because LISTEN isn't allowed in hot-standby mode; but allowing the dummy operation simplifies session-state-reset logic in clients.
Fix missing role dependencies in some schema and data type permissions lists (Tom Lane)
In some cases it was possible to drop a role to which permissions had been granted. This caused no immediate problem, but a subsequent dump/reload or upgrade would fail, with symptoms involving attempts to grant privileges to all-numeric role names.
Ensure relation caches are updated properly after adding or removing foreign key constraints (Álvaro Herrera)
This oversight could result in existing sessions failing to enforce a newly-created constraint, or continuing to enforce a dropped one.
Ensure relation caches are updated properly after renaming constraints (Amit Langote)
Make autovacuum more aggressive about removing leftover temporary tables, and also remove leftover temporary tables during DISCARD TEMP (Álvaro Herrera)
This helps ensure that remnants from a crashed session are cleaned up more promptly.
Fix replay of GiST index micro-vacuum operations so that concurrent hot-standby queries do not see inconsistent state (Alexander Korotkov)
Prevent empty GIN index pages from being reclaimed too quickly, causing failures of concurrent searches (Andrey Borodin, Alexander Korotkov)
Fix edge-case failures in float-to-integer coercions (Andrew Gierth, Tom Lane)
Values very slightly above the maximum valid integer value might not be rejected, and then would overflow, producing the minimum valid integer instead. Also, values that should round to the minimum or maximum integer value might be incorrectly rejected.
When making a PAM authentication request, don't set the PAM_RHOST variable if the connection is via a Unix socket (Thomas Munro)
Previously that variable would be set to [local], which is at best unhelpful, since it's supposed to be a host name.
Disallow setting client_min_messages higher than ERROR (Jonah Harris, Tom Lane)
Previously, it was possible to set this variable to FATAL or PANIC, which had the effect of suppressing transmission of ordinary error messages to the client. However, that's contrary to guarantees that are given in the PostgreSQL wire protocol specification, and it caused some clients to become very confused. In released branches, fix this by silently treating such settings as meaning ERROR instead. Version 12 and later will reject those alternatives altogether.
Fix ecpglib to use
_configthreadlocale() in preference to
setlocale() (Michael Meskes, Tom Lane)
setlocale() is not thread-local, and might not even be thread-safe, the previous coding caused problems in multi-threaded ecpg applications.
Fix incorrect results for numeric data passed through an ecpg SQLDA (SQL Descriptor Area) (Daisuke Higuchi)
Values with leading zeroes were not copied correctly.
Fix psql's \g target meta-command to work with COPY TO STDOUT (Daniel Vérité)
Previously, the target option was ignored, so that the copy data always went to the current query output target.
Make psql's LaTeX output formats render special characters properly (Tom Lane)
Backslash and some other ASCII punctuation characters were not rendered correctly, leading to document syntax errors or wrong characters in the output.
Fix pg_dump's handling of materialized views with indirect dependencies on primary keys (Tom Lane)
This led to mis-labeling of such views' dump archive entries, causing harmless warnings about "archive items not in correct section order"; less harmlessly, selective-restore options depending on those labels, such as --section, might misbehave.
Avoid null-pointer-dereference crash on some platforms when pg_dump or pg_restore tries to report an error (Tom Lane)
Fix contrib/hstore to calculate correct hash values for empty hstore values that were created in version 8.4 or before (Andrew Gierth)
The previous coding did not give the same result as for an empty hstore value created by a newer version, thus potentially causing wrong results in hash joins or hash aggregation. It is advisable to reindex any hash indexes built on hstore columns, if the table might contain data that was originally stored as far back as 8.4 and was never dumped/reloaded since then.
Avoid crashes and excessive runtime with large inputs to contrib/intarray's gist__int_ops index support (Andrew Gierth)
Support new Makefile variables PG_CFLAGS, PG_CXXFLAGS, and PG_LDFLAGS in pgxs builds (Christoph Berg)
This simplifies customization of extension build processes.
Fix Perl-coded build scripts to not assume "." is in the search path, since recent Perl versions don't include that (Andrew Dunstan)
Fix server command-line option parsing problems on OpenBSD (Tom Lane)
Relocate call of set_rel_pathlist_hook so that extensions can use it to supply partial paths for parallel queries (KaiGai Kohei)
This is not expected to affect existing use-cases.
Update time zone data files to tzdata release 2018i for DST law changes in Kazakhstan, Metlakatla, and Sao Tome and Principe. Kazakhstan's Qyzylorda zone is split in two, creating a new zone Asia/Qostanay, as some areas did not change UTC offset. Historical corrections for Hong Kong and numerous Pacific islands.