E.4. Release 14.5

Do not let extension scripts replace objects not already belonging to the extension (Tom Lane)

This change prevents extension scripts from doing CREATE OR REPLACE if there is an existing object that does not belong to the extension. It also prevents CREATE IF NOT EXISTS in the same situation. This prevents a form of trojan-horse attack in which a hostile database user could become the owner of an extension object and then modify it to compromise future uses of the object by other users. As a side benefit, it also reduces the risk of accidentally replacing objects one did not mean to.

The PostgreSQL Project thanks Sven Klemm for reporting this problem. (CVE-2022-2625)

Fix replay of CREATE DATABASE WAL records on standby servers (Kyotaro Horiguchi, Asim R Praveen, Paul Guo)

Standby servers may encounter missing tablespace directories when replaying database-creation WAL records. Prior to this patch, a standby would fail to recover in such a case; however, such directories could be legitimately missing. Create the tablespace (as a plain directory), then check that it has been dropped again once replay reaches a consistent state.

Support " in place " tablespaces (Thomas Munro, Michael Paquier, Álvaro Herrera)

Normally a Postgres tablespace is a symbolic link to a directory on some other filesystem. This change allows it to just be a plain directory. While this has no use for separating tables onto different filesystems, it is a convenient setup for testing. Moreover, it is necessary to support the CREATE DATABASE replay fix, which transiently creates a missing tablespace as an " in place " tablespace.

Fix permissions checks in CREATE INDEX (Nathan Bossart, Noah Misch)

The fix for CVE-2022-1552 caused CREATE INDEX to apply the table owner's permissions while performing lookups of operator classes and other objects, where formerly the calling user's permissions were used. This broke dump/restore scenarios, because pg_dump issues CREATE INDEX before re-granting permissions.

In extended query protocol, force an immediate commit after CREATE DATABASE and other commands that can't run in a transaction block (Tom Lane)

If the client does not send a Sync message immediately after such a command, but instead sends another command, any failure in that command would lead to rolling back the preceding command, typically leaving inconsistent state on-disk (such as a missing or extra database directory). The mechanisms intended to prevent that situation turn out to work for multiple commands in a simple-Query message, but not for a series of extended-protocol messages. To prevent inconsistency without breaking use-cases that work today, force an implicit commit after such commands.

Fix race condition when checking transaction visibility (Simon Riggs)

TransactionIdIsInProgress could report false before the subject transaction is considered visible, leading to various misbehaviors. The race condition window is normally very narrow, but use of synchronous replication makes it much wider, because the wait for a synchronous replica happens in that window.

Fix incorrect plans when sorting by an expression that contains a non-top-level set-returning function (Richard Guo, Tom Lane)

Fix incorrect permissions-checking code for extended statistics (Richard Guo)

If there are extended statistics on a table that the user has only partial SELECT permissions on, some queries would fail with " unrecognized node type " errors.

Fix extended statistics machinery to handle MCV-type statistics on boolean-valued expressions (Tom Lane)

Statistics collection worked fine, but a query containing such an expression in WHERE would fail with " unknown clause type " .

Avoid planner core dump with constant = ANY( array ) clauses when there are MCV-type extended statistics on the array variable (Tom Lane)

Fix ALTER TABLE ... ENABLE/DISABLE TRIGGER to handle recursion correctly for triggers on partitioned tables (Álvaro Herrera, Amit Langote)

In certain cases, a " trigger does not exist " failure would occur because the command would try to adjust the trigger on a child partition that doesn't have it.

Allow cancellation of ANALYZE while it is computing extended statistics (Tom Lane, Justin Pryzby)

In some scenarios with high statistics targets, it was possible to spend many seconds in an un-cancellable sort operation.

Improve syntax error messages for type jsonpath (Andrew Dunstan)

Ensure that pg_stop_backup() cleans up session state properly (Fujii Masao)

This omission could lead to assertion failures or crashes later in the session.

Fix trim_array() to handle a zero-dimensional array argument sanely (Martin Kalcher)

Fix join alias matching in FOR [KEY] UPDATE/SHARE clauses (Dean Rasheed)

In corner cases, a misleading error could be reported.

Reject ROW() expressions and functions in FROM that have too many columns (Tom Lane)

Cases with more than about 1600 columns are unsupported, and have always failed at execution. However, it emerges that some earlier code could be driven to assertion failures or crashes by queries with more than 32K columns. Add a parse-time check to prevent that.

Fix dumping of a view using a function in FROM that returns a composite type, when column(s) of the composite type have been dropped since the view was made (Tom Lane)

This oversight could lead to dump/reload or pg_upgrade failures, as the dumped view would have too many column aliases for the function.

Disallow nested backup operations in logical replication walsenders (Fujii Masao)

Fix memory leak in logical replication subscribers (Hou Zhijie)

Fix logical replication's checking of replica identity when the target table is partitioned (Shi Yu, Hou Zhijie)

The replica identity columns have to be re-identified for the child partition.

Fix failures to update cached schema data in a logical replication subscriber after a schema change on the publisher (Shi Yu, Hou Zhijie)

Fix WAL consistency checking logic to correctly handle BRIN_EVACUATE_PAGE flags (Haiyang Wang)

Fix erroneous assertion checks in shared hashtable management (Thomas Munro)

Avoid assertion failure when min_dynamic_shared_memory is set to a non-default value (Thomas Munro)

Arrange to clean up after commit-time errors within SPI_commit() , rather than expecting callers to do that (Peter Eisentraut, Tom Lane)

Proper cleanup is complicated and requires use of low-level facilities, so it's not surprising that no known caller got it right. This led to misbehaviors when a PL procedure issued COMMIT but a failure occurred (such as a deferred constraint check). To improve matters, redefine SPI_commit() as starting a new transaction, so that it becomes equivalent to SPI_commit_and_chain() except that you get default transaction characteristics instead of preserving the prior transaction's characteristics. To make this somewhat transparent API-wise, redefine SPI_start_transaction() as a no-op. All known callers of SPI_commit() immediately call SPI_start_transaction() , so they will not notice any change. Similar remarks apply to SPI_rollback() .

Also fix PL/Python, which omitted any handling of such errors at all, resulting in jumping out of the Python interpreter. This is reported to crash Python 3.11. Older Python releases leak some memory but seem okay with it otherwise.

Improve libpq 's handling of idle states in pipeline mode (Álvaro Herrera, Kyotaro Horiguchi)

This fixes " message type 0x33 arrived from server while idle " warnings, as well as possible loss of end-of-query NULL results from PQgetResult() .

Avoid core dump in ecpglib with unexpected orders of operations (Tom Lane)

Certain operations such as EXEC SQL PREPARE would crash (rather than reporting an error as expected) if called before establishing any database connection.

In ecpglib , avoid redundant newlocale() calls (Noah Misch)

Allocate a C locale object once per process when first connecting, rather than creating and freeing locale objects once per query. This mitigates a libc memory leak on AIX, and may offer some performance benefit everywhere.

In psql 's \watch command, echo a newline after cancellation with control-C (Pavel Stehule)

This prevents libedit (and possibly also libreadline) from becoming confused about which column the cursor is in.

Fix pg_upgrade to detect non-upgradable usages of functions taking anyarray (Justin Pryzby)

Version 14 changed some built-in functions to take type anycompatiblearray instead of anyarray . While this is mostly transparent, user-defined aggregates and operators built atop these functions have to be declared with exactly matching types. The presence of an object referencing the old signature will cause pg_upgrade to fail, so change it to detect and report such cases before beginning the upgrade.

Fix possible report of wrong error condition after clone() failure in pg_upgrade with --clone option (Justin Pryzby)

Fix contrib/pg_stat_statements to avoid problems with very large query-text files on 32-bit platforms (Tom Lane)

In contrib/postgres_fdw , prevent batch insertion when there are WITH CHECK OPTION constraints (Etsuro Fujita)

Such constraints cannot be checked properly if more than one row is inserted at a time.

Fix contrib/postgres_fdw to detect failure to send an asynchronous data fetch query (Fujii Masao)

Ensure that contrib/postgres_fdw sends constants of regconfig and other reg* types with proper schema qualification (Tom Lane)

Block signals while allocating dynamic shared memory on Linux (Thomas Munro)

This avoids problems when a signal interrupts posix_fallocate() .

Detect unexpected EEXIST error from shm_open() (Thomas Munro)

This avoids a possible crash on Solaris.

Avoid using signalfd() on illumos systems (Thomas Munro)

This appears to trigger hangs and kernel panics, so avoid the function until a fix is available.