PostgreSQL (32-bit) 歷史版本列表 Page2

更新時間：2016-04-01
更新細節：

What's new in this version:

- A dump/restore is not required for those running 9.5.X.
- However, you may need to REINDEX some indexes after applying the update, as per the first changelog entry below.

Changes:
- Disable abbreviated keys for string sorting in non-C locales (Robert Haas)
- PostgreSQL 9.5 introduced logic for speeding up comparisons of string data types by using the standard C library function strxfrm() as a substitute for strcoll(). It now emerges that most versions of glibc (Linux's implementation of the C library) have buggy implementations of strxfrm() that, in some locales, can produce string comparison results that do not match strcoll(). Until this problem can be better characterized, disable the optimization in all non-C locales. (C locale is safe since it uses neither strcoll() nor strxfrm().)
- Unfortunately, this problem affects not only sorting but also entry ordering in B-tree indexes, which means that B-tree indexes on text, varchar, or char columns may now be corrupt if they sort according to an affected locale and were built or modified under PostgreSQL 9.5.0 or 9.5.1. Users should REINDEX indexes that might be affected.
- It is not possible at this time to give an exhaustive list of known-affected locales. C locale is known safe, and there is no evidence of trouble in English-based locales such as en_US, but some other popular locales such as de_DE are affected in most glibc versions.
- Maintain row-security status properly in cached plans (Stephen Frost)
- In a session that performs queries as more than one role, the plan cache might incorrectly re-use a plan that was generated for another role ID, thus possibly applying the wrong set of policies when row-level security (RLS) is in use. (CVE-2016-2193)
- Add must-be-superuser checks to some new contrib/pageinspect functions (Andreas Seltenreich)
- Most functions in the pageinspect extension that inspect bytea values disallow calls by non-superusers, but brin_page_type() and brin_metapage_info() failed to do so. Passing contrived bytea values to them might crash the server or disclose a few bytes of server memory. Add the missing permissions checks to prevent misuse. (CVE-2016-3065)
- Fix incorrect handling of indexed ROW() comparisons (Simon Riggs)
- Flaws in a minor optimization introduced in 9.5 caused incorrect results if the ROW() comparison matches the index ordering partially but not exactly (for example, differing column order, or the index contains both ASC and DESC columns). Pending a better solution, the optimization has been removed.
- Fix incorrect handling of NULL index entries in indexed ROW() comparisons (Tom Lane)
- An index search using a row comparison such as ROW(a, b) > ROW('x', 'y') would stop upon reaching a NULL entry in the b column, ignoring the fact that there might be non-NULL b values associated with later values of a.
- Avoid unlikely data-loss scenarios due to renaming files without adequate fsync() calls before and after (Michael Paquier, Tomas Vondra, Andres Freund)
- Fix incorrect behavior when rechecking a just-modified row in a query that does SELECT FOR UPDATE/SHARE and contains some relations that need not be locked (Tom Lane)
- Rows from non-locked relations were incorrectly treated as containing all NULLs during the recheck, which could result in incorrectly deciding that the updated row no longer passes the WHERE condition, or in incorrectly outputting NULLs.
- Fix bug in json_to_record() when a field of its input object contains a sub-object with a field name matching one of the requested output column names (Tom Lane)
- Fix nonsense result from two-argument form of jsonb_object() when called with empty arrays (Michael Paquier, Andrew Dunstan)
- Fix misbehavior in jsonb_set() when converting a path array element into an integer for use as an array subscript (Michael Paquier)
- Fix misformatting of negative time zone offsets by to_char()'s OF format code (Thomas Munro, Tom Lane)
- Fix possible incorrect logging of waits done by INSERT ... ON CONFLICT (Peter Geoghegan)
- Log messages would sometimes claim that the wait was due to an exclusion constraint although no such constraint was responsible.
- Ignore recovery_min_apply_delay parameter until recovery has reached a consistent state (Michael Paquier)
- Previously, standby servers would delay application of WAL records in response to recovery_min_apply_delay even while replaying the initial portion of WAL needed to make their database state valid. Since the standby is useless until it's reached a consistent database state, this was deemed unhelpful.
- Correctly handle cases where pg_subtrans is close to XID wraparound during server startup (Jeff Janes)
- Fix assorted bugs in logical decoding (Andres Freund)
- Trouble cases included tuples larger than one page when replica identity is FULL, UPDATEs that change a primary key within a transaction large enough to be spooled to disk, incorrect reports of "subxact logged without previous toplevel record", and incorrect reporting of a transaction's commit time.
- Fix planner error with nested security barrier views when the outer view has a WHERE clause containing a correlated subquery (Dean Rasheed)
- Fix memory leak in GIN index searches (Tom Lane)
- Fix corner-case crash due to trying to free localeconv() output strings more than once (Tom Lane)
- Fix parsing of affix files for ispell dictionaries (Tom Lane)
- The code could go wrong if the affix file contained any characters whose byte length changes during case-folding, for example I in Turkish UTF8 locales.
- Avoid use of sscanf() to parse ispell dictionary files (Artur Zakirov)
- This dodges a portability problem on FreeBSD-derived platforms (including OS X).
- Fix atomic-operations code used on PPC with IBM's xlc compiler (Noah Misch)
- This error led to rare failures of concurrent operations on that platform.
- Avoid a crash on old Windows versions (before 7SP1/2008R2SP1) with an AVX2-capable CPU and a Postgres build done with Visual Studio 2013 (Christian Ullrich)
- This is a workaround for a bug in Visual Studio 2013's runtime library, which Microsoft have stated they will not fix in that version.
- Fix psql's tab completion logic to handle multibyte characters properly (Kyotaro Horiguchi, Robert Haas)
- Fix psql's tab completion for SECURITY LABEL (Tom Lane)
- Pressing TAB after SECURITY LABEL might cause a crash or offering of inappropriate keywords.
- Make pg_ctl accept a wait timeout from the PGCTLTIMEOUT environment variable, if none is specified on the command line (Noah Misch)
- This eases testing of slower buildfarm members by allowing them to globally specify a longer-than-normal timeout for postmaster startup and shutdown.
- Fix incorrect test for Windows service status in pg_ctl (Manuel Mathar)
- The previous set of minor releases attempted to fix pg_ctl to properly determine whether to send log messages to Window's Event Log, but got the test backwards.
- Fix pgbench to correctly handle the combination of -C and -M prepared options (Tom Lane)
- In pg_upgrade, skip creating a deletion script when the new data directory is inside the old data directory (Bruce Momjian)
- Blind application of the script in such cases would result in loss of the new data directory.
- In PL/Perl, properly translate empty Postgres arrays into empty Perl arrays (Alex Hunsaker)
- Make PL/Python cope with function names that aren't valid Python identifiers (Jim Nasby)
- Fix multiple mistakes in the statistics returned by contrib/pgstattuple's pgstatindex() function (Tom Lane)
- Remove dependency on psed in MSVC builds, since it's no longer provided by core Perl (Michael Paquier, Andrew Dunstan)
- Update time zone data files to tzdata release 2016c for DST law changes in Azerbaijan, Chile, Haiti, Palestine, and Russia (Altai, Astrakhan, Kirov, Sakhalin, Ulyanovsk regions), plus historical corrections for Lithuania, Moldova, and Russia (Kaliningrad, Samara, Volgograd).

更新時間：2016-02-11
更新細節：

What's new in this version:

- Fix infinite loops and buffer-overrun problems in regular expressions (Tom Lane)
- Very large character ranges in bracket expressions could cause infinite loops in some cases, and memory overwrites in other cases. (CVE-2016-0773)
- Fix an oversight that caused hash joins to miss joining to some tuples of the inner relation in rare cases (Tomas Vondra, Tom Lane)
- Avoid pushdown of HAVING clauses when grouping sets are used (Andrew Gierth)
- Fix deparsing of ON CONFLICT arbiter WHERE clauses (Peter Geoghegan)
- Make %h and %r escapes in log_line_prefix work for messages emitted due to log_connections (Tom Lane)
- Previously, %h/%r started to work just after a new session had emitted the "connection received" log message; now they work for that message too.
- Avoid leaking a token handle during SSPI authentication (Christian Ullrich)
- Fix psql's det command to interpret its pattern argument the same way as other d commands with potentially schema-qualified patterns do (Reece Hart)
- In pg_ctl on Windows, check service status to decide where to send output, rather than checking if standard output is a terminal (Michael Paquier)
- Fix assorted corner-case bugs in pg_dump's processing of extension member objects (Tom Lane)
- Fix improper quoting of domain constraint names in pg_dump (Elvis Pranskevichus)
- Make pg_dump mark a view's triggers as needing to be processed after its rule, to prevent possible failure during parallel pg_restore (Tom Lane)
- Install guards in pgbench against corner-case overflow conditions during evaluation of script-specified division or modulo operators (Fabien Coelho, Michael Paquier)
- Suppress useless warning message when pg_receivexlog connects to a pre-9.4 server (Marco Nenciarini)
- Avoid dump/reload problems when using both plpython2 and plpython3 (Tom Lane)
- In principle, both versions of PL/Python can be used in the same database, though not in the same session (because the two versions of libpython cannot safely be used concurrently). However, pg_restore and pg_upgrade both do things that can fall foul of the same-session restriction. Work around that by changing the timing of the check.
- Fix PL/Python regression tests to pass with Python 3.5 (Peter Eisentraut)
- Prevent certain PL/Java parameters from being set by non-superusers (Noah Misch)
- This change mitigates a PL/Java security bug (CVE-2016-0766), which was fixed in PL/Java by marking these parameters as superuser-only. To fix the security hazard for sites that update PostgreSQL more frequently than PL/Java, make the core code aware of them also.
- Fix ecpg-supplied header files to not contain comments continued from a preprocessor directive line onto the next line (Michael Meskes)
- Such a comment is rejected by ecpg. It's not yet clear whether ecpg itself should be changed.
- Fix hstore_to_json_loose()'s test for whether an hstore value can be converted to a JSON number (Tom Lane)
- Previously this function could be fooled by non-alphanumeric trailing characters, leading to emitting syntactically-invalid JSON.
- In contrib/postgres_fdw, fix bugs triggered by use of tableoid in data-modifying commands (Etsuro Fujita, Robert Haas)
- Fix ill-advised restriction of NAMEDATALEN to be less than 256 (Robert Haas, Tom Lane)
- Improve reproducibility of build output by ensuring filenames are given to the linker in a fixed order (Christoph Berg)
- This avoids possible bitwise differences in the produced executable files from one build to the next.
- Ensure that dynloader.h is included in the installed header files in MSVC builds (Bruce Momjian, Michael Paquier)
- Update time zone data files to tzdata release 2016a for DST law changes in Cayman Islands, Metlakatla, and Trans-Baikal Territory (Zabaykalsky Krai), plus historical corrections for Pakistan.

更新時間：2016-01-08
更新細節：

What's new in this version:

- Allow INSERTs that would generate constraint conflicts to be turned into UPDATEs or ignored
- Add GROUP BY analysis features GROUPING SETS, CUBE and ROLLUP
- Add row-level security control
- Create mechanisms for tracking the progress of replication, including methods for identifying the origin of individual changes during logical replication
- Add Block Range Indexes (BRIN)
- Substantial performance improvements for sorting
- Substantial performance improvements for multi-CPU machines

更新時間：2015-10-08
更新細節：

What's new in this version:

- A dump/restore is not required for those running 9.4.X.
- However, if you are upgrading from a version earlier than 9.4.4, see Section E.2.

CHANGES:
- Guard against stack overflows in json parsing (Oskari Saarenmaa)
- If an application constructs PostgreSQL json or jsonb values from arbitrary user input, the application's users can reliably crash the PostgreSQL server, causing momentary denial of service. (CVE-2015-5289)
- Fix contrib/pgcrypto to detect and report too-short crypt() salts (Josh Kupershmidt)
- Certain invalid salt arguments crashed the server or disclosed a few bytes of server memory. We have not ruled out the viability of attacks that arrange for presence of confidential information in the disclosed bytes, but they seem unlikely. (CVE-2015-5288)
- Fix subtransaction cleanup after a portal (cursor) belonging to an outer subtransaction fails (Tom Lane, Michael Paquier)
- A function executed in an outer-subtransaction cursor could cause an assertion failure or crash by referencing a relation created within an inner subtransaction.
- Fix possible deadlock during WAL insertion when commit_delay is set (Heikki Linnakangas)
- Ensure all relations referred to by an updatable view are properly locked during an update statement (Dean Rasheed)
- Fix insertion of relations into the relation cache "init file" (Tom Lane)
- An oversight in a patch in the most recent minor releases caused pg_trigger_tgrelid_tgname_index to be omitted from the init file. Subsequent sessions detected this, then deemed the init file to be broken and silently ignored it, resulting in a significant degradation in session startup time. In addition to fixing the bug, install some guards so that any similar future mistake will be more obvious.
- Avoid O(N^2) behavior when inserting many tuples into a SPI query result (Neil Conway)
- Improve LISTEN startup time when there are many unread notifications (Matt Newell)
- Fix performance problem when a session alters large numbers of foreign key constraints (Jan Wieck, Tom Lane)
- This was seen primarily when restoring pg_dump output for databases with many thousands of tables.
- Disable SSL renegotiation by default (Michael Paquier, Andres Freund)
- While use of SSL renegotiation is a good idea in theory, we have seen too many bugs in practice, both in the underlying OpenSSL library and in our usage of it. Renegotiation will be removed entirely in 9.5 and later. In the older branches, just change the default value of ssl_renegotiation_limit to zero (disabled).
- Lower the minimum values of the *_freeze_max_age parameters (Andres Freund)
- This is mainly to make tests of related behavior less time-consuming, but it may also be of value for installations with limited disk space.
- Limit the maximum value of wal_buffers to 2GB to avoid server crashes (Josh Berkus)
- Avoid logging complaints when a parameter that can only be set at server start appears multiple times in postgresql.conf, and fix counting of line numbers after an include_dir directive (Tom Lane)
- Fix rare internal overflow in multiplication of numeric values (Dean Rasheed)
- Guard against hard-to-reach stack overflows involving record types, range types, json, jsonb, tsquery, ltxtquery and query_int (Noah Misch)
- Fix handling of DOW and DOY in datetime input (Greg Stark)
- These tokens aren't meant to be used in datetime values, but previously they resulted in opaque internal error messages rather than "invalid input syntax".
- Add more query-cancel checks to regular expression matching (Tom Lane)
- Add recursion depth protections to regular expression, SIMILAR TO, and LIKE matching (Tom Lane)
- Suitable search patterns and a low stack depth limit could lead to stack-overrun crashes.
- Fix potential infinite loop in regular expression execution (Tom Lane)
- A search pattern that can apparently match a zero-length string, but actually doesn't match because of a back reference, could lead to an infinite loop.
- In regular expression execution, correctly record match data for capturing parentheses within a quantifier even when the match is zero-length (Tom Lane)
- Fix low-memory failures in regular expression compilation (Andreas Seltenreich)
- Fix low-probability memory leak during regular expression execution (Tom Lane)
- Fix rare low-memory failure in lock cleanup during transaction abort (Tom Lane)
- Fix "unexpected out-of-memory situation during sort" errors when using tuplestores with small work_mem settings (Tom Lane)
- Fix very-low-probability stack overrun in qsort (Tom Lane)
- Fix "invalid memory alloc request size" failure in hash joins with large work_mem settings (Tomas Vondra, Tom Lane)
- Fix assorted planner bugs (Tom Lane)
- These mistakes could lead to incorrect query plans that would give wrong answers, or to assertion failures in assert-enabled builds, or to odd planner errors such as "could not devise a query plan for the given query", "could not find pathkey item to sort", "plan should not reference subplan's variable", or "failed to assign all NestLoopParams to plan nodes". Thanks are due to Andreas Seltenreich and Piotr Stefaniak for fuzz testing that exposed these problems.
- Improve planner's performance for UPDATE/DELETE on large inheritance sets (Tom Lane, Dean Rasheed)
- Ensure standby promotion trigger files are removed at postmaster startup (Michael Paquier, Fujii Masao)
- This prevents unwanted promotion from occurring if these files appear in a database backup that is used to initialize a new standby server.
- During postmaster shutdown, ensure that per-socket lock files are removed and listen sockets are closed before we remove the postmaster.pid file (Tom Lane)
- This avoids race-condition failures if an external script attempts to start a new postmaster as soon as pg_ctl stop returns.
- Ensure that the postmaster does not exit until all its child processes are gone, even in an immediate shutdown (Tom Lane)
- Like the previous item, this avoids possible race conditions against a subsequently-started postmaster.
- Fix postmaster's handling of a startup-process crash during crash recovery (Tom Lane)
- If, during a crash recovery cycle, the startup process crashes without having restored database consistency, we'd try to launch a new startup process, which typically would just crash again, leading to an infinite loop.
- Make emergency autovacuuming for multixact wraparound more robust (Andres Freund)
- Do not print a WARNING when an autovacuum worker is already gone when we attempt to signal it, and reduce log verbosity for such signals (Tom Lane)
- Prevent autovacuum launcher from sleeping unduly long if the server clock is moved backwards a large amount (Álvaro Herrera)
- Ensure that cleanup of a GIN index's pending-insertions list is interruptable by cancel requests (Jeff Janes)
- Allow all-zeroes pages in GIN indexes to be reused (Heikki Linnakangas)
- Such a page might be left behind after a crash.
- Fix handling of all-zeroes pages in SP-GiST indexes (Heikki Linnakangas)
- VACUUM attempted to recycle such pages, but did so in a way that wasn't crash-safe.
- Fix off-by-one error that led to otherwise-harmless warnings about "apparent wraparound" in subtrans/multixact truncation (Thomas Munro)
- Fix misreporting of CONTINUE and MOVE statement types in PL/pgSQL's error context messages (Pavel Stehule, Tom Lane)
- Fix PL/Perl to handle non-ASCII error message texts correctly (Alex Hunsaker)
- Fix PL/Python crash when returning the string representation of a record result (Tom Lane)
- Fix some places in PL/Tcl that neglected to check for failure of malloc() calls (Michael Paquier, Álvaro Herrera)
- In contrib/isn, fix output of ISBN-13 numbers that begin with 979 (Fabien Coelho)
- EANs beginning with 979 (but not 9790) are considered ISBNs, but they must be printed in the new 13-digit format, not the 10-digit format.
- Improve contrib/pg_stat_statements' handling of query-text garbage collection (Peter Geoghegan)
- The external file containing query texts could bloat to very large sizes; once it got past 1GB attempts to trim it would fail, soon leading to situations where the file could not be read at all.
- Improve contrib/postgres_fdw's handling of collation-related decisions (Tom Lane)
- The main user-visible effect is expected to be that comparisons involving varchar columns will be sent to the remote server for execution in more cases than before.
- Improve libpq's handling of out-of-memory conditions (Michael Paquier, Heikki Linnakangas)
- Fix memory leaks and missing out-of-memory checks in ecpg (Michael Paquier)
- Fix psql's code for locale-aware formatting of numeric output (Tom Lane)
- The formatting code invoked by pset numericlocale on did the wrong thing for some uncommon cases such as numbers with an exponent but no decimal point. It could also mangle already-localized output from the money data type.
- Prevent crash in psql's c command when there is no current connection (Noah Misch)
- Make pg_dump handle inherited NOT VALID check constraints correctly (Tom Lane)
- Fix selection of default zlib compression level in pg_dump's directory output format (Andrew Dunstan)
- Ensure that temporary files created during a pg_dump run with tar-format output are not world-readable (Michael Paquier)
- Fix pg_dump and pg_upgrade to support cases where the postgres or template1 database is in a non-default tablespace (Marti Raudsepp, Bruce Momjian)
- Fix pg_dump to handle object privileges sanely when dumping from a server too old to have a particular privilege type (Tom Lane)
- When dumping data types from pre-9.2 servers, and when dumping functions or procedural languages from pre-7.3 servers, pg_dump would produce GRANT/REVOKE commands that revoked the owner's grantable privileges and instead granted all privileges to PUBLIC. Since the privileges involved are just USAGE and EXECUTE, this isn't a security problem, but it's certainly a surprising representation of the older systems' behavior. Fix it to leave the default privilege state alone in these cases.
- Fix pg_dump to dump shell types (Tom Lane)
- Shell types (that is, not-yet-fully-defined types) aren't useful for much, but nonetheless pg_dump should dump them.
- Fix assorted minor memory leaks in pg_dump and other client-side programs (Michael Paquier)
- Fix pgbench's progress-report behavior when a query, or pgbench itself, gets stuck (Fabien Coelho)
- Fix spinlock assembly code for Alpha hardware (Tom Lane)
- Fix spinlock assembly code for PPC hardware to be compatible with AIX's native assembler (Tom Lane)
- Building with gcc didn't work if gcc had been configured to use the native assembler, which is becoming more common.
- On AIX, test the -qlonglong compiler option rather than just assuming it's safe to use (Noah Misch)
- On AIX, use -Wl,-brtllib link option to allow symbols to be resolved at runtime (Noah Misch)
- Perl relies on this ability in 5.8.0 and later.
- Avoid use of inline functions when compiling with 32-bit xlc, due to compiler bugs (Noah Misch)
- Use librt for sched_yield() when necessary, which it is on some Solaris versions (Oskari Saarenmaa)
- Translate encoding UHC as Windows code page 949 (Noah Misch)
- This fixes presentation of non-ASCII log messages from processes that are not attached to any particular database, such as the postmaster.
- On Windows, avoid failure when doing encoding conversion to UTF16 outside a transaction, such as for log messages (Noah Misch)
- Fix postmaster startup failure due to not copying setlocale()'s return value (Noah Misch)
- This has been reported on Windows systems with the ANSI code page set to CP936 ("Chinese (Simplified, PRC)"), and may occur with other multibyte code pages.
- Fix Windows install.bat script to handle target directory names that contain spaces (Heikki Linnakangas)
- Make the numeric form of the PostgreSQL version number (e.g., 90405) readily available to extension Makefiles, as a variable named VERSION_NUM (Michael Paquier)
- Update time zone data files to tzdata release 2015g for DST law changes in Cayman Islands, Fiji, Moldova, Morocco, Norfolk Island, North Korea, Turkey, and Uruguay. There is a new zone name America/Fort_Nelson for the Canadian Northern Rockies.

更新時間：2015-06-13
更新細節：

What's new in this version:

Changes:
Fix possible failure to recover from an inconsistent database state:
- Recent PostgreSQL releases introduced mechanisms to protect against multixact wraparound, but some of that code did not account for the possibility that it would need to run during crash recovery, when the database may not be in a consistent state. This could result in failure to restart after a crash, or failure to start up a secondary server. The lingering effects of a previously-fixed bug in pg_upgrade could also cause such a failure, in installations that had used pg_upgrade versions between 9.3.0 and 9.3.4.
- The pg_upgrade bug in question was that it would set oldestMultiXid to 1 in pg_control even if the true value should be higher. With the fixes introduced in this release, such a situation will result in immediate emergency autovacuuming until a correct oldestMultiXid value can be determined. If that would pose a hardship, users can avoid it by doing manual vacuuming before upgrading to this release.

In detail:
- Check whether pg_controldata reports "Latest checkpoint's oldestMultiXid" to be 1. If not, there's nothing to do.
- Look in PGDATA/pg_multixact/offsets to see if there's a file named 0000. If there is, there's nothing to do.
- Otherwise, for each table that has pg_class.relminmxid equal to 1, VACUUM that table with both vacuum_multixact_freeze_min_age and vacuum_multixact_freeze_table_age set to zero. (You can use the vacuum cost delay parameters described in Section 18.4.4 to reduce the performance consequences for concurrent sessions.)

Fix rare failure to invalidate relation cache init file:
- With just the wrong timing of concurrent activity, a VACUUM FULL on a system catalog might fail to update the "init file" that's used to avoid cache-loading work for new sessions. This would result in later sessions being unable to access that catalog at all. This is a very ancient bug, but it's so hard to trigger that no reproducible case had been seen until recently.

Avoid deadlock between incoming sessions and CREATE/DROP DATABASE:
- A new session starting in a database that is the target of a DROP DATABASE command, or is the template for a CREATE DATABASE command, could cause the command to wait for five seconds and then fail, even if the new session would have exited before that.

Improve planner's cost estimates for semi-joins and anti-joins with inner indexscans:
- This type of plan is quite cheap when all the join clauses are used as index scan conditions, even if the inner scan would nominally fetch many rows, because the executor will stop after obtaining one row. The planner only partially accounted for that effect, and would therefore overestimate the cost, leading it to possibly choose some other much less efficient plan type.

更新時間：2015-06-05
更新細節：

What's new in this version:

- Avoid failures while fsync'ing data directory during crash restart
- In the previous minor releases we added a patch to fsync everything in the data directory after a crash. Unfortunately its response to any error condition was to fail, thereby preventing the server from starting up, even when the problem was quite harmless. An example is that an unwritable file in the data directory would prevent restart on some platforms; but it is common to make SSL certificate files unwritable by the server. Revise this behavior so that permissions failures are ignored altogether, and other types of failures are logged but do not prevent continuing.
- Also apply the same rules in initdb --sync-only. This case is less critical but it should act similarly.
- Fix pg_get_functiondef() to show functions' LEAKPROOF property, if set
- Fix pushJsonbValue() to unpack jbvBinary objects (Andrew Dunstan)
- This change does not affect any behavior in the core code as of 9.4, but it avoids a corner case for possible third-party callers.
- Remove configure's check prohibiting linking to a threaded libpython on OpenBSD
- The failure this restriction was meant to prevent seems to not be a problem anymore on current OpenBSD versions.

更新時間：2015-05-24
更新細節：

What's new in this version:

Migration to Version 9.4.2:
- A dump/restore is not required for those running 9.4.X.
- However, if you use contrib/citext's regexp_matches() functions, see the changelog entry below about that.
- Also, if you are upgrading from a version earlier than 9.4.1, see Section E.2. Changes:
- Avoid possible crash when client disconnects just before the authentication timeout expires
- If the timeout interrupt fired partway through the session shutdown sequence, SSL-related state would be freed twice, typically causing a crash and hence denial of service to other sessions. Experimentation shows that an unauthenticated remote attacker could trigger the bug somewhat consistently, hence treat as security issue.
- Improve detection of system-call failures
- Our replacement implementation of snprintf() failed to check for errors reported by the underlying system library calls; the main case that might be missed is out-of-memory situations. In the worst case this might lead to information exposure, due to our code assuming that a buffer had been overwritten when it hadn't been. Also, there were a few places in which security-relevant calls of other system library functions did not check for failure.
- It remains possible that some calls of the *printf() family of functions are vulnerable to information disclosure if an out-of-memory error occurs at just the wrong time. We judge the risk to not be large, but will continue analysis in this area.
- In contrib/pgcrypto, uniformly report decryption failures as "Wrong key or corrupt data"
- Previously, some cases of decryption with an incorrect key could report other error message texts. It has been shown that such variance in error reports can aid attackers in recovering keys from other systems. While it's unknown whether pgcrypto's specific behaviors are likewise exploitable, it seems better to avoid the risk by using a one-size-fits-all message.
- Protect against wraparound of multixact member IDs
- Under certain usage patterns, the existing defenses against this might be insufficient, allowing pg_multixact/members files to be removed too early, resulting in data loss. The fix for this includes modifying the server to fail transactions that would result in overwriting old multixact member ID data, and improving autovacuum to ensure it will act proactively to prevent multixact member ID wraparound, as it does for transaction ID wraparound.
- Fix incorrect declaration of contrib/citext's regexp_matches() functions
- These functions should return setof text[], like the core functions they are wrappers for; but they were incorrectly declared as returning just text[]. This mistake had two results: first, if there was no match you got a scalar null result, whereas what you should get is an empty set (zero rows). Second, the g flag was effectively ignored, since you would get only one result array even if there were multiple matches.
- While the latter behavior is clearly a bug, there might be applications depending on the former behavior; therefore the function declarations will not be changed by default until PostgreSQL 9.5. In pre-9.5 branches, the old behavior exists in version 1.0 of the citext extension, while we have provided corrected declarations in version 1.1 (which is not installed by default). To adopt the fix in pre-9.5 branches, execute ALTER EXTENSION citext UPDATE TO '1.1' in each database in which citext is installed. (You can also "update" back to 1.0 if you need to undo that.) Be aware that either update direction will require dropping and recreating any views or rules that use citext's regexp_matches() functions.
- Render infinite dates and timestamps as infinity when converting to json, rather than throwing an error
- Fix json/jsonb's populate_record() and to_record() functions to handle empty input properly
- Fix incorrect checking of deferred exclusion constraints after a HOT update
- If a new row that potentially violates a deferred exclusion constraint is HOT-updated (that is, no indexed columns change and the row can be stored back onto the same table page) later in the same transaction, the exclusion constraint would be reported as violated when the check finally occurred, even if the row(s) the new row originally conflicted with had been deleted.
- Fix behavior when changing foreign key constraint deferrability status with ALTER TABLE ... ALTER CONSTRAINT
- Operations later in the same session or concurrent sessions might not honor the status change promptly.
- Fix planning of star-schema-style queries
- Sometimes, efficient scanning of a large table requires that index parameters be provided from more than one other table (commonly, dimension tables whose keys are needed to index a large fact table). The planner should be able to find such plans, but an overly restrictive search heuristic prevented it.
- Prevent improper reordering of antijoins (NOT EXISTS joins) versus other outer joins
- This oversight in the planner has been observed to cause "could not find RelOptInfo for given relids" errors, but it seems possible that sometimes an incorrect query plan might get past that consistency check and result in silently-wrong query output.
- Fix incorrect matching of subexpressions in outer-join plan nodes
- Previously, if textually identical non-strict subexpressions were used both above and below an outer join, the planner might try to re-use the value computed below the join, which would be incorrect because the executor would force the value to NULL in case of an unmatched outer row.
- Fix GEQO planner to cope with failure of its join order heuristic (Tom Lane)
- This oversight has been seen to lead to "failed to join all relations together" errors in queries involving LATERAL, and that might happen in other cases as well.
- Ensure that row locking occurs properly when the target of an UPDATE or DELETE is a security-barrier view
- Use a file opened for read/write when syncing replication slot data during database startup
- On some platforms, the previous coding could result in errors like "could not fsync file "pg_replslot/...": Bad file descriptor".
- Fix possible deadlock at startup when max_prepared_transactions is too small
- Don't archive useless preallocated WAL files after a timeline switch
- Recursively fsync() the data directory after a crash
- This ensures consistency if another crash occurs shortly later. (The second crash would have to be a system-level crash, not just a database crash, for there to be a problem.)
- Fix autovacuum launcher's possible failure to shut down, if an error occurs after it receives SIGTERM
- Fix failure to handle invalidation messages for system catalogs early in session startup
- This oversight could result in failures in sessions that start concurrently with a VACUUM FULL on a system catalog.
- Fix crash in BackendIdGetTransactionIds() when trying to get status for a backend process that just exited
- Cope with unexpected signals in LockBufferForCleanup()
- This oversight could result in spurious errors about "multiple backends attempting to wait for pincount 1".
- Fix crash when doing COPY IN to a table with check constraints that contain whole-row references
- The known failure case only crashes in 9.4 and up, but there is very similar code in 9.3 and 9.2, so back-patch those branches as well.
- Avoid waiting for WAL flush or synchronous replication during commit of a transaction that was read-only so far as the user is concerned
- Previously, a delay could occur at commit in transactions that had written WAL due to HOT page pruning, leading to undesirable effects such as sessions getting stuck at startup if all synchronous replicas are down. Sessions have also been observed to get stuck in catchup interrupt processing when using synchronous replication; this will fix that problem as well.
- Avoid busy-waiting with short recovery_min_apply_delay values
- Fix crash when manipulating hash indexes on temporary tables
- Fix possible failure during hash index bucket split, if other processes are modifying the index concurrently
- Fix memory leaks in GIN index vacuum
- Check for interrupts while analyzing index expressions
- ANALYZE executes index expressions many times; if there are slow functions in such an expression, it's desirable to be able to cancel the ANALYZE before that loop finishes.
- Ensure tableoid of a foreign table is reported correctly when a READ COMMITTED recheck occurs after locking rows in SELECT FOR UPDATE, UPDATE, or DELETE
- Add the name of the target server to object description strings for foreign-server user mappings
- Include the schema name in object identity strings for conversions
- Recommend setting include_realm to 1 when using Kerberos/GSSAPI/SSPI authentication
- Without this, identically-named users from different realms cannot be distinguished. For the moment this is only a documentation change, but it will become the default setting in PostgreSQL 9.5.
- Remove code for matching IPv4 pg_hba.conf entries to IPv4-in-IPv6 addresses
- This hack was added in 2003 in response to a report that some Linux kernels of the time would report IPv4 connections as having IPv4-in-IPv6 addresses. However, the logic was accidentally broken in 9.0. The lack of any field complaints since then shows that it's not needed anymore. Now we have reports that the broken code causes crashes on some systems, so let's just remove it rather than fix it. (Had we chosen to fix it, that would make for a subtle and potentially security-sensitive change in the effective meaning of IPv4 pg_hba.conf entries, which does not seem like a good thing to do in minor releases.)
- Fix status reporting for terminated background workers that were never actually started
- After a database crash, don't restart background workers that are marked BGW_NEVER_RESTART
- Report WAL flush, not insert, position in IDENTIFY_SYSTEM replication command
- This avoids a possible startup failure in pg_receivexlog.
- While shutting down service on Windows, periodically send status updates to the Service Control Manager to prevent it from killing the service too soon; and ensure that pg_ctl will wait for shutdown
- Reduce risk of network deadlock when using libpq's non-blocking mode
- When sending large volumes of data, it's important to drain the input buffer every so often, in case the server has sent enough response data to cause it to block on output. (A typical scenario is that the server is sending a stream of NOTICE messages during COPY FROM STDIN.) This worked properly in the normal blocking mode, but not so much in non-blocking mode. We've modified libpq to opportunistically drain input when it can, but a full defense against this problem requires application cooperation: the application should watch for socket read-ready as well as write-ready conditions, and be sure to call PQconsumeInput() upon read-ready.
- In libpq, fix misparsing of empty values in URI connection strings
- Fix array handling in ecpg
- Fix psql to sanely handle URIs and conninfo strings as the first parameter to connect
- This syntax has been accepted (but undocumented) for a long time, but previously some parameters might be taken from the old connection instead of the given string, which was agreed to be undesirable.
- Suppress incorrect complaints from psql on some platforms that it failed to write ~/.psql_history at exit
- This misbehavior was caused by a workaround for a bug in very old (pre-2006) versions of libedit. We fixed it by removing the workaround, which will cause a similar failure to appear for anyone still using such versions of libedit. Recommendation: upgrade that library, or use libreadline.
- Fix pg_dump's rule for deciding which casts are system-provided casts that should not be dumped
- In pg_dump, fix failure to honor -Z compression level option together with -Fd
- Make pg_dump consider foreign key relationships between extension configuration tables while choosing dump order
- This oversight could result in producing dumps that fail to reload because foreign key constraints are transiently violated.
- Avoid possible pg_dump failure when concurrent sessions are creating and dropping temporary functions
- Fix dumping of views that are just VALUES(...) but have column aliases
- Ensure that a view's replication identity is correctly set to nothing during dump/restore
- Previously, if the view was involved in a circular dependency, it might wind up with an incorrect replication identity property.
- In pg_upgrade, force timeline 1 in the new cluster
- This change prevents upgrade failures caused by bogus complaints about missing WAL history files.
- In pg_upgrade, check for improperly non-connectable databases before proceeding
- In pg_upgrade, quote directory paths properly in the generated delete_old_cluster script
- In pg_upgrade, preserve database-level freezing info properly
- This oversight could cause missing-clog-file errors for tables within the postgres and template1 databases.
- Run pg_upgrade and pg_resetxlog with restricted privileges on Windows, so that they don't fail when run by an administrator
- Improve handling of readdir() failures when scanning directories in initdb and pg_basebackup
- Fix slow sorting algorithm in contrib/intarray
- Fix compile failure on Sparc V8 machines
- Silence some build warnings on OS X
- Update time zone data files to tzdata release 2015d for DST law changes in Egypt, Mongolia, and Palestine, plus historical changes in Canada and Chile. Also adopt revised zone abbreviations for the America/Adak zone (HST/HDT not HAST/HADT).

更新時間：2015-02-08
更新細節：

What's new in this version:

Fix buffer overruns in to_char() (Bruce Momjian):
- When to_char() processes a numeric formatting template calling for a large number of digits, PostgreSQL would read past the end of a buffer. When processing a crafted timestamp formatting template, PostgreSQL would write past the end of a buffer. Either case could crash the server. We have not ruled out the possibility of attacks that lead to privilege escalation, though they seem unlikely. (CVE-2015-0241)

Fix buffer overrun in replacement *printf() functions (Tom Lane):
- PostgreSQL includes a replacement implementation of printf and related functions. This code will overrun a stack buffer when formatting a floating point number (conversion specifiers e, E, f, F, g or G) with requested precision greater than about 500. This will crash the server, and we have not ruled out the possibility of attacks that lead to privilege escalation. A database user can trigger such a buffer overrun through the to_char() SQL function. While that is the only affected core PostgreSQL functionality, extension modules that use printf-family functions may be at risk as well. This issue primarily affects PostgreSQL on Windows. PostgreSQL uses the system implementation of these functions where adequate, which it is on other modern platforms. (CVE-2015-0242)

Fix buffer overruns in contrib/pgcrypto (Marko Tiikkaja, Noah Misch):
- Errors in memory size tracking within the pgcrypto module permitted stack buffer overruns and improper dependence on the contents of uninitialized memory. The buffer overrun cases can crash the server, and we have not ruled out the possibility of attacks that lead to privilege escalation. (CVE-2015-0243)

Fix possible loss of frontend/backend protocol synchronization after an error (Heikki Linnakangas):
- If any error occurred while the server was in the middle of reading a protocol message from the client, it could lose synchronization and incorrectly try to interpret part of the message's data as a new protocol message. An attacker able to submit crafted binary data within a command parameter might succeed in injecting his own SQL commands this way. Statement timeout and query cancellation are the most likely sources of errors triggering this scenario. Particularly vulnerable are applications that use a timeout and also submit arbitrary user-crafted data as binary query parameters. Disabling statement timeout will reduce, but not eliminate, the risk of exploit. Our thanks to Emil Lenngren for reporting this issue. (CVE-2015-0244)

Fix information leak via constraint-violation error messages (Stephen Frost):
- Some server error messages show the values of columns that violate a constraint, such as a unique constraint. If the user does not have SELECT privilege on all columns of the table, this could mean exposing values that the user should not be able to see. Adjust the code so that values are displayed only when they came from the SQL command or could be selected by the user. (CVE-2014-8161)

Lock down regression testing's temporary installations on Windows (Noah Misch):
- Use SSPI authentication to allow connections only from the OS user who launched the test suite. This closes on Windows the same vulnerability previously closed on other platforms, namely that other users might be able to connect to the test postmaster. (CVE-2014-0067)

Fix use-of-already-freed-memory problem in EvalPlanQual processing (Tom Lane):
- In READ COMMITTED mode, queries that lock or update recently-updated rows could crash as a result of this bug.

Fix jsonb Unicode escape processing, and in consequence disallow u0000 (Tom Lane):
- Previously, the JSON Unicode escape u0000 was accepted and was stored as those six characters; but that is indistinguishable from what is stored for the input \u0000, resulting in ambiguity. Moreover, in cases where de-escaped textual output is expected, such as the ->> operator, the sequence was printed as u0000, which does not meet the expectation that JSON escaping would be removed. (Consistent behavior would require emitting a zero byte, but PostgreSQL does not support zero bytes embedded in text strings.) 9.4.0 included an ill-advised attempt to improve this situation by adjusting JSON output conversion rules; but of course that could not fix the fundamental ambiguity, and it turned out to break other usages of Unicode escape sequences. Revert that, and to avoid the core problem, reject u0000 in jsonb input. If a jsonb column contains a u0000 value stored with 9.4.0, it will henceforth read out as though it were \u0000, which is the other valid interpretation of the data stored by 9.4.0 for this case. The json type did not have the storage-ambiguity problem, but it did have the problem of inconsistent de-escaped textual output. Therefore u0000 will now also be rejected in json values when conversion to de-escaped form is required. This change does not break the ability to store u0000 in json columns so long as no processing is done on the values. This is exactly parallel to the cases in which non-ASCII Unicode escapes are allowed when the database encoding is not UTF8.

Fix namespace handling in xpath() (Ali Akbar):
- Previously, the xml value resulting from an xpath() call would not have namespace declarations if the namespace declarations were attached to an ancestor element in the input xml value, rather than to the specific element being returned. Propagate the ancestral declaration so that the result is correct when considered in isolation.

Fix assorted oversights in range-operator selectivity estimation (Emre Hasegeli):
- This patch fixes corner-case "unexpected operator NNNN" planner errors, and improves the selectivity estimates for some other cases.

Revert unintended reduction in maximum size of a GIN index item (Heikki Linnakangas):
- 9.4.0 could fail with "index row size exceeds maximum" errors for data that previous versions would accept.

Change "pgstat wait timeout" warning message to be LOG level, and rephrase it to be more understandable (Tom Lane):
- This message was originally thought to be essentially a can't-happen case, but it occurs often enough on our slower buildfarm members to be a nuisance. Reduce it to LOG level, and expend a bit more effort on the wording: it now reads "using stale statistics instead of current ones because stats collector is not responding".

Fix libpq's behavior when /etc/passwd isn't readable (Tom Lane):
- While doing PQsetdbLogin(), libpq attempts to ascertain the user's operating system name, which on most Unix platforms involves reading /etc/passwd. As of 9.4, failure to do that was treated as a hard error. Restore the previous behavior, which was to fail only if the application does not provide a database role name to connect as. This supports operation in chroot environments that lack an /etc/passwd file.
- Improve consistency of parsing of psql's special variables (Tom Lane):
- Allow variant spellings of on and off (such as 1/0) for ECHO_HIDDEN and ON_ERROR_ROLLBACK. Report a warning for unrecognized values for COMP_KEYWORD_CASE, ECHO, ECHO_HIDDEN, HISTCONTROL, ON_ERROR_ROLLBACK, and VERBOSITY. Recognize all values for all these variables case-insensitively; previously there was a mishmash of case-sensitive and case-insensitive behaviors.
- Handle unexpected query results, especially NULLs, safely in contrib/tablefunc's connectby() (Michael Paquier): connectby() previously crashed if it encountered a NULL key value. It now prints that row but doesn't recurse further.
- Numerous cleanups of warnings from Coverity static code analyzer (Andres Freund, Tatsuo Ishii, Marko Kreen, Tom Lane, Michael Paquier):
- These changes are mostly cosmetic but in some cases fix corner-case bugs, for example a crash rather than a proper error report after an out-of-memory failure. None are believed to represent security issues.

Allow CFLAGS from configure's environment to override automatically-supplied CFLAGS (Tom Lane):
- Previously, configure would add any switches that it chose of its own accord to the end of the user-specified CFLAGS string. Since most compilers process switches left-to-right, this meant that configure's choices would override the user-specified flags in case of conflicts. That should work the other way around, so adjust the logic to put the user's string at the end not the beginning.

Make pg_regress remove any temporary installation it created upon successful exit (Tom Lane):
- This results in a very substantial reduction in disk space usage during make check-world, since that sequence involves creation of numerous temporary installations.

Miscellaneous changes:
- Add CST (China Standard Time) to our lists of timezone abbreviations (Tom Lane)
- Update time zone data files to tzdata release 2015a for DST law changes in Chile and Mexico, plus historical changes in Iceland. Avoid possible deadlock while trying to acquire tuple locks in EvalPlanQual processing (Álvaro Herrera, Mark Kirkwood)
- Fix failure to wait when a transaction tries to acquire a FOR NO KEY EXCLUSIVE tuple lock, while multiple other transactions currently hold FOR SHARE locks (Álvaro Herrera)
- Improve performance of EXPLAIN with large range tables (Tom Lane)
- Fix query-duration memory leak during repeated GIN index rescans (Heikki Linnakangas)
- Fix possible crash when using nonzero gin_fuzzy_search_limit (Heikki Linnakangas)
- Assorted fixes for logical decoding (Andres Freund)
- Fix incorrect replay of WAL parameter change records that report changes in the wal_log_hints setting (Petr Jalinek)
- Warn if OS X's setlocale() starts an unwanted extra thread inside the postmaster (Noah Misch)
- Fix pg_dump to handle comments on event triggers without failing (Tom Lane)
- Allow parallel pg_dump to use --serializable-deferrable (Kevin Grittner)
- Prevent WAL files created by pg_basebackup -x/-X from being archived again when the standby is promoted (Andres Freund)

更新時間：2014-12-20
更新細節：

What's new in this version:

Server:
- Allow background worker processes to be dynamically registered, started and terminated
- The new worker_spi module shows an example of use of this feature.
- Allow dynamic allocation of shared memory segments
- This feature is illustrated in the test_shm_mq module.
- During crash recovery or immediate shutdown, send uncatchable termination signals (SIGKILL) to child processes that do not shut down promptly
- This reduces the likelihood of leaving orphaned child processes behind after postmaster shutdown, as well as ensuring that crash recovery can proceed if some child processes have become "stuck".
- Improve randomness of the database system identifier
- Make VACUUM properly report dead but not-yet-removable rows to the statistics collector
- Previously these were reported as live rows.

Indexes:
- Reduce GIN index size
- Indexes upgraded via pg_upgrade will work fine but will still be in the old, larger GIN format. Use REINDEX to recreate old GIN indexes in the new format
- Improve speed of multi-key GIN lookups
- Add GiST index support for inet and cidr data types
- Such indexes improve subnet and supernet lookups and ordering comparisons
- Fix rare race condition in B-tree page deletion
- Make the handling of interrupted B-tree page splits more robust

General Performance:
- Allow multiple backends to insert into WAL buffers concurrently
- This improves parallel write performance.
- Conditionally write only the modified portion of updated rows to WAL
- Improve performance of aggregate functions used as window functions
- Improve speed of aggregates that use numeric state values
- Attempt to freeze tuples when tables are rewritten with CLUSTER or VACUUM FULL
- This can avoid the need to freeze the tuples in the future.
- Improve speed of COPY with default nextval() columns
- Improve speed of accessing many different sequences in the same session
- Raise hard limit on the number of tuples held in memory during sorting and B-tree index builds
- Reduce memory allocated by PL/pgSQL DO blocks
- Make the planner more aggressive about extracting restriction clauses from mixed AND/OR clauses
- Disallow pushing volatile WHERE clauses down into DISTINCT subqueries
- Pushing down a WHERE clause can produce a more efficient plan overall, but at the cost of evaluating the clause more often than is implied by the text of the query; so don't do it if the clause contains any volatile functions.
- Auto-resize the catalog caches
- This reduces memory consumption for sessions accessing only a few tables, and improves performance for sessions accessing many tables.

Monitoring:
- Add pg_stat_archiver system view to report WAL archiver activity
- Add n_mod_since_analyze columns to pg_stat_all_tables and related system views
- These columns expose the system's estimate of the number of changed tuples since the table's last ANALYZE. This estimate drives decisions about when to auto-analyze.
- Add backend_xid and backend_xmin columns to the system view pg_stat_activity, and a backend_xmin column to pg_stat_replication

SSL:
- Add support for SSL ECDH key exchange
- This allows use of Elliptic Curve keys for server authentication. Such keys are faster and have better security than RSA keys. The new configuration parameter ssl_ecdh_curve controls which curve is used for ECDH.
- Improve the default ssl_ciphers setting
- By default, the server not the client now controls the preference order of SSL ciphers
- Previously, the order specified by ssl_ciphers was usually ignored in favor of client-side defaults, which are not configurable in most PostgreSQL clients. If desired, the old behavior can be restored via the new configuration parameter ssl_prefer_server_ciphers.
- Make log_connections show SSL encryption information (Andreas Kunert)
- Improve SSL renegotiation handling

Server Settings:
- Add new SQL command ALTER SYSTEM for changing postgresql.conf configuration file entries
- Previously such settings could only be changed by manually editing postgresql.conf.
- Add autovacuum_work_mem configuration parameter to control the amount of memory used by autovacuum workers
- Add huge_pages parameter to allow using huge memory pages on Linux
- This can improve performance on large-memory systems.
- Add max_worker_processes parameter to limit the number of background workers
- This is helpful in configuring a standby server to have the required number of worker processes (the same as the primary).
- Add superuser-only session_preload_libraries parameter to load libraries at session start
- In contrast to local_preload_libraries, this parameter can load any shared library, not just those in the $libdir/plugins directory.
- Add wal_log_hints parameter to enable WAL logging of hint-bit changes
- Hint bit changes are not normally logged, except when checksums are enabled. This is useful for external tools like pg_rewind.
- Increase the default settings of work_mem and maintenance_work_mem by four times
- The new defaults are 4MB and 64MB respectively.
- Increase the default setting of effective_cache_size to 4GB
- Allow printf-style space padding to be specified in log_line_prefix (David Rowley)
- Allow terabyte units (TB) to be used when specifying configuration variable values
- Show PIDs of lock holders and waiters and improve information about relations in log_lock_waits log messages
- Reduce server logging level when loading shared libraries
- The previous level was LOG, which was too verbose for libraries loaded per-session.
- On Windows, make SQL_ASCII-encoded databases and server processes (e.g., postmaster) emit messages in the character encoding of the server's Windows user locale
- Previously these messages were output in the Windows ANSI code page.

Replication and Recovery:
- Add replication slots to coordinate activity on streaming standbys with the node they are streaming from
- Replication slots allow preservation of resources like WAL files on the primary until they are no longer needed by standby servers.
- Add recovery parameter recovery_min_apply_delay to delay replication
- Delaying replay on standby servers can be useful for recovering from user errors.
- Add recovery_target option immediate to stop WAL recovery as soon as a consistent state is reached
- Improve recovery target processing
- The timestamp reported by pg_last_xact_replay_timestamp() now reflects already-committed records, not transactions about to be committed. Recovering to a restore point now replays the restore point, rather than stopping just before the restore point.
- pg_switch_xlog() now clears any unused trailing space in the old WAL file
- This improves the compression ratio for WAL files.
- Report failure return codes from external recovery commands
- Reduce spinlock contention during WAL replay
- Write WAL records of running transactions more frequently
- This allows standby servers to start faster and clean up resources more aggressively.
- Logical Decoding - allows database changes to be streamed in a configurable format. The data is read from the WAL and transformed into the desired target format. To implement this feature, the following changes were made:
- Add support for logical decoding of WAL data, to allow database changes to be streamed out in a customizable format
- Add new wal_level setting logical to enable logical change-set encoding in WAL
- Add table-level parameter REPLICA IDENTITY to control logical replication
- Add relation option user_catalog_table to identify user-created tables involved in logical change-set encoding
- Add pg_recvlogical application to receive logical-decoding data
- Add test_decoding module to illustrate logical decoding at the SQL level

Queries:
- Add WITH ORDINALITY syntax to number the rows returned from a set-returning function in the FROM clause
- This is particularly useful for functions like unnest().
- Add ROWS FROM() syntax to allow horizontal concatenation of set-returning functions in the FROM clause
- Allow SELECT to have an empty target list
- This was added so that views that select from a table with zero columns can be dumped and restored correctly.
- Ensure that SELECT ... FOR UPDATE NOWAIT does not wait in corner cases involving already-concurrently-updated tuples

Utility Commands:
- Add DISCARD SEQUENCES command to discard cached sequence-related state
- DISCARD ALL will now also discard such information.
- Add FORCE NULL option to COPY FROM, which causes quoted strings matching the specified null string to be converted to NULLs in CSV mode
- Without this option, only unquoted matching strings will be imported as null values.
- Issue warnings for commands used outside of transaction blocks when they can have no effect
- New warnings are issued for SET LOCAL, SET CONSTRAINTS, SET TRANSACTION and ABORT when used outside a transaction block.

EXPLAIN:
- Make EXPLAIN ANALYZE show planning time
- Make EXPLAIN show the grouping columns in Agg and Group nodes
- Make EXPLAIN ANALYZE show exact and lossy block counts in bitmap heap scans

Views:
- Allow a materialized view to be refreshed without blocking other sessions from reading the view meanwhile
- This is done with REFRESH MATERIALIZED VIEW CONCURRENTLY.
- Allow views to be automatically updated even if they contain some non-updatable columns
- Previously the presence of non-updatable output columns such as expressions, literals, and function calls prevented automatic updates. Now INSERTs, UPDATEs and DELETEs are supported, provided that they do not attempt to assign new values to any of the non-updatable columns.
- Allow control over whether INSERTs and UPDATEs can add rows to an auto-updatable view that would not appear in the view
- This is controlled with the new CREATE VIEW clause WITH CHECK OPTION.
- Allow security barrier views to be automatically updatable

Object Manipulation:
- Support triggers on foreign tables
- Allow moving groups of objects from one tablespace to another using the ALL IN TABLESPACE ... SET TABLESPACE form of ALTER TABLE, ALTER INDEX, or ALTER MATERIALIZED VIEW
- Allow changing foreign key constraint deferrability via ALTER TABLE ... ALTER CONSTRAINT
- Reduce lock strength for some ALTER TABLE commands
- Specifically, VALIDATE CONSTRAINT, CLUSTER ON, SET WITHOUT CLUSTER, ALTER COLUMN SET STATISTICS, ALTER COLUMN SET (attribute_option), ALTER COLUMN RESET (attribute_option) no longer require ACCESS EXCLUSIVE locks.
- Allow tablespace options to be set in CREATE TABLESPACE (Vik Fearing)
- Formerly these options could only be set via ALTER TABLESPACE.
- Allow CREATE AGGREGATE to define the estimated size of the aggregate's transition state data
- Proper use of this feature allows the planner to better estimate how much memory will be used by aggregates.
- Fix DROP IF EXISTS to avoid errors for non-existent objects in more cases
- Improve how system relations are identified
- Previously, relations once moved into the pg_catalog schema could no longer be modified or dropped.

Data Types:
- Fully implement the line data type
- The line segment data type (lseg) has always been fully supported. The previous line data type (which was enabled only via a compile-time option) is not binary or dump-compatible with the new implementation.
- Add pg_lsn data type to represent a WAL log sequence number (LSN)
- Allow single-point polygons to be converted to circles (Bruce Momjian)
- Support time zone abbreviations that change UTC offset from time to time
- Previously, PostgreSQL assumed that the UTC offset associated with a time zone abbreviation (such as EST) never changes in the usage of any particular locale. However this assumption fails in the real world, so introduce the ability for a zone abbreviation to represent a UTC offset that sometimes changes. Update the zone abbreviation definition files to make use of this feature in timezone locales that have changed the UTC offset of their abbreviations since 1970 (according to the IANA timezone database). In such timezones, PostgreSQL will now associate the correct UTC offset with the abbreviation depending on the given date.
- Allow 5+ digit years for non-ISO timestamp and date strings, where appropriate

JSON:
- Add jsonb, a more capable and efficient data type for storing JSON data
- This new type allows faster access to values within a JSON document, and faster and more useful indexing of JSON columns. Scalar values in jsonb documents are stored as appropriate scalar SQL types, and the JSON document structure is pre-parsed rather than being stored as text as in the original json data type.
- Add new JSON functions to allow for the construction of arbitrarily complex JSON trees
- New functions include json_array_elements_text(), json_build_array(), json_object(), json_object_agg(), json_to_record(), and json_to_recordset().
- Add json_typeof() to return the data type of a json value (Andrew Tipton)
- Add checks for overflow/underflow of interval values

Functions:
- Add pg_sleep_for(interval) and pg_sleep_until(timestamp) to specify delays more flexibly
- The existing pg_sleep() function only supports delays specified in seconds.
- Add cardinality() function for arrays
- This returns the total number of elements in the array, or zero for an array with no elements.
- Add SQL functions to allow large object reads/writes at arbitrary offsets
- Allow unnest() to take multiple arguments, which are individually unnested then horizontally concatenated
- Add functions to construct times, dates, timestamps, timestamptzs, and intervals from individual values, rather than strings
- These functions' names are prefixed with make_, e.g. make_date().
- Make to_char()'s TZ format specifier return a useful value for simple numeric time zone offsets
- Previously, to_char(CURRENT_TIMESTAMP, 'TZ') returned an empty string if the timezone was set to a constant like -4.
- Add timezone offset format specifier OF to to_char()
- Improve the random seed used for random()
- Tighten validity checking for Unicode code points in chr(int)
- This function now only accepts values that are valid UTF8 characters according to RFC 3629.

System Information Functions:
- Add functions for looking up objects in pg_class, pg_proc, pg_type, and pg_operator that do not generate errors for non-existent objects
- For example, to_regclass() does a lookup in pg_class similarly to the regclass input function, but it returns NULL for a non-existent object instead of failing.
- Add function pg_filenode_relation() to allow for more efficient lookup of relation names from filenodes
- Add parameter_default column to information_schema.parameters view
- Make information_schema.schemata show all accessible schemas
- Previously it only showed schemas owned by the current user.

Aggregates:
- Add control over which rows are passed into aggregate functions via the FILTER clause
- Support ordered-set (WITHIN GROUP) aggregates
- Add standard ordered-set aggregates percentile_cont(), percentile_disc(), mode(), rank(), dense_rank(), percent_rank(), and cume_dist()
- Support VARIADIC aggregate functions
- Allow polymorphic aggregates to have non-polymorphic state data types
- This allows proper declaration in SQL of aggregates like the built-in aggregate array_agg().

Server-Side Languages:
- Add event trigger support to PL/Perl and PL/Tcl
- Convert numeric values to decimal in PL/Python
- Previously such values were converted to Python float values, risking loss of precision.

PL/pgSQL Server-Side Language:
- Add ability to retrieve the current PL/PgSQL call stack using GET DIAGNOSTICS
- Add option print_strict_params to display the parameters passed to a query that violated a STRICT constraint
- Add variables plpgsql.extra_warnings and plpgsql.extra_errors to enable additional PL/pgSQL warnings and errors
- Currently only warnings/errors about shadowed variables are available.

libpq:
- Make libpq's PQconndefaults() function ignore invalid service files
- Previously it returned NULL if an incorrect service file was encountered.
- Accept TLS protocol versions beyond TLSv1 in libpq

Client Applications:
- Add createuser option -g to specify role membership (Chistopher Browne)
- Add vacuumdb option --analyze-in-stages to analyze in stages of increasing granularity
- This allows minimal statistics to be created quickly.
- Make pg_resetxlog with option -n output current and potentially changed values
- Make initdb throw error for incorrect locale settings, rather than silently falling back to a default choice
- Make pg_ctl return exit code 4 for an inaccessible data directory
- This behavior more closely matches the Linux Standard Base (LSB) Core Specification.
- On Windows, ensure that a non-absolute -D path specification is interpreted relative to pg_ctl's current directory
- Previously it would be interpreted relative to whichever directory the underlying Windows service was started in.
- Allow sizeof() in ECPG C array definitions
- Make ECPG properly handle nesting of C-style comments in both C and SQL text

psql:
- Suppress "No rows" output in psql expanded mode when the footer is disabled
- Allow Control-C to abort psql when it's hung at connection startup

Backslash Commands:
- Make psql's db+ show tablespace options
- Make do+ display the functions that implement the operators
- Make d+ output an OID line only if an oid column exists in the table
- Previously, the presence or absence of an oid column was always reported.
- Make d show disabled system triggers
- Previously, if you disabled all triggers, only user triggers would show as disabled.
- Fix copy to no longer require a space between stdin and a semicolon
- Output the row count at the end of copy, just like COPY already did
- Fix conninfo to display the server's IP address for connections using hostaddr
- Previously conninfo could not display the server's IP address in such cases.
- Show the SSL protocol version in conninfo
- Add tab completion for pset
- Allow pset with no arguments to show all settings
- Make s display the name of the history file it wrote without converting it to an absolute path
- The code previously attempted to convert a relative file name to an absolute path for display, but frequently got it wrong.

pg_dump:
- Allow pg_restore options -I, -P, -T and -n to be specified multiple times
- This allows multiple objects to be restored in one operation
- Optionally add IF EXISTS clauses to the DROP commands emitted when removing old objects during a restore
- This change prevents unnecessary errors when removing old objects. The new --if-exists option for pg_dump, pg_dumpall, and pg_restore is only available when --clean is also specified

pg_basebackup:
- Add pg_basebackup option --xlogdir to specify the pg_xlog directory location
- Allow pg_basebackup to relocate tablespaces in the backup copy
- This is particularly useful for using pg_basebackup on the same machine as the primary.
- Allow network-stream base backups to be throttled
- This can be controlled with the pg_basebackup --max-rate parameter.

Source Code:
- Improve the way tuples are frozen to preserve forensic information
- This change removes the main objection to freezing tuples as soon as possible. Code that inspects tuple flag bits will need to be modified.
- No longer require function prototypes for functions marked with the PG_FUNCTION_INFO_V1 macro
- This change eliminates the need to write boilerplate prototypes. Note that the PG_FUNCTION_INFO_V1 macro must appear before the corresponding function definition to avoid compiler warnings.
- Remove SnapshotNow and HeapTupleSatisfiesNow()
- All existing uses have been switched to more appropriate snapshot types. Catalog scans now use MVCC snapshots.
- Add an API to allow memory allocations over one gigabyte
- Add psprintf() to simplify memory allocation during string composition
- Support printf() size modifier z to print size_t values
- Change API of appendStringInfoVA() to better use vsnprintf()
- Allow new types of external toast datums to be created
- Add single-reader, single-writer, lightweight shared message queue
- Improve spinlock speed on x86_64 CPUs
- Remove spinlock support for unsupported platforms SINIX, Sun3, and NS32K
- Remove IRIX port
- Reduce the number of semaphores required by --disable-spinlocks builds
- Rewrite duplicate_oids Unix shell script in Perl
- Add Test Anything Protocol (TAP) tests for client programs
- Currently, these tests are run by make check-world only if the --enable-tap-tests option was given to configure. This might become the default behavior in some future release.
- Add make targets check-tests and installcheck-tests, which allow selection of individual tests to be run
- Remove maintainer-check makefile rule
- The default build rules now include all the formerly-optional tests.
- Improve support for VPATH builds of PGXS modules
- Upgrade to Autoconf 2.69
- Add a configure flag that appends custom text to the PG_VERSION string
- This is useful for packagers building custom binaries.
- Improve DocBook XML validity
- Fix various minor security and sanity issues reported by the Coverity scanner
- Improve detection of invalid memory usage when testing PostgreSQL with Valgrind
- Improve sample Emacs configuration file emacs.samples
- Also add .dir-locals.el to the top of the source tree.
- Allow pgindent to accept a command-line list of typedefs
- Make pgindent smarter about blank lines around preprocessor conditionals
- Avoid most uses of dlltool in Cygwin and Mingw builds
- Support client-only installs in MSVC (Windows) builds

Additional Modules:
- Add pg_prewarm extension to preload relation data into the shared buffer cache at server start
- This allows reaching full operating performance more quickly.
- Add UUID random number generator gen_random_uuid() to pgcrypto
- This allows creation of version 4 UUIDs without requiring installation of uuid-ossp.
- Allow uuid-ossp to work with the BSD or e2fsprogs UUID libraries, not only the OSSP UUID library
- This improves the uuid-ossp module's portability since it no longer has to have the increasingly-obsolete OSSP library. The module's name is now rather a misnomer, but we won't change it.
- Add option to auto_explain to include trigger execution time
- Fix pgstattuple to not report rows from uncommitted transactions as dead
- Make pgstattuple functions use regclass-type arguments
- While text-type arguments are still supported, they may be removed in a future major release.
- Improve consistency of pgrowlocks output to honor snapshot rules more consistently
- Improve pg_trgm's choice of trigrams for indexed regular expression searches
- This change discourages use of trigrams containing whitespace, which are usually less selective.
- Allow pg_xlogdump to report a live log stream with --follow
- Store cube data more compactly
- Existing data must be dumped/restored to use the new format. The old format can still be read.
- Reduce vacuumlo client-side memory usage by using a cursor
- Dramatically reduce memory consumption in pg_upgrade
- Pass pg_upgrade's user name (-U) option to generated analyze scripts

pgbench:
- Remove line length limit for pgbench scripts
- The previous line limit was BUFSIZ
- Add long option names to pgbench
- Add pgbench option --rate to control the transaction rate
- Add pgbench option --progress to print periodic progress reports

pg_stat_statements:
- Make pg_stat_statements use a file, rather than shared memory, for query text storage
- This removes the previous limitation on query text length, and allows a higher number of unique statements to be tracked by default
- Allow reporting of pg_stat_statements's internal query hash identifier
- Add the ability to retrieve all pg_stat_statements information except the query text
- This allows monitoring tools to fetch query text only for just-created entries, improving performance during repeated querying of the statistics
- Make pg_stat_statements ignore DEALLOCATE commands
- It already ignored PREPARE, as well as planning time in general, so this seems more consistent
- Save the statistics file into $PGDATA/pg_stat at server shutdown, rather than $PGDATA/global

更新時間：2014-07-25
更新細節：

What's new in this version:

In pg_upgrade, remove pg_multixact files left behind by initdb:
- If you used a pre-9.3.5 version of pg_upgrade to upgrade a database cluster to 9.3, it might have left behind a file $PGDATA/pg_multixact/offsets/0000 that should not be there and will eventually cause problems in VACUUM. However, in common cases this file is actually valid and must not be removed. Correctly initialize padding bytes in contrib/btree_gist indexes on bit columns:
- This error could result in incorrect query results due to values that should compare equal not being seen as equal. Users with GiST indexes on bit or bit varying - columns should REINDEX those indexes after installing this update. Protect against torn pages when deleting GIN list pages:
- This fix prevents possible index corruption if a system crash occurs while the page update is being written to disk.
- Don't clear the right-link of a GiST index page while replaying updates from WAL:
- This error could lead to transiently wrong answers from GiST index scans performed in Hot Standby.
- Fix corner-case infinite loop during insertion into an SP-GiST text index
- Fix incorrect answers from SP-GiST index searches with -|- (range adjacency) operator
- Fix wraparound handling for pg_multixact/members Truncate pg_multixact during checkpoints, not during VACUUM:
- This change ensures that pg_multixact segments can't be removed if they'd still be needed during WAL replay after a crash.
- Fix possible inconsistency of all-visible flags after WAL recovery
- Fix possibly-incorrect cache invalidation during nested calls to ReceiveSharedInvalidMessages
- Fix race condition when updating a tuple concurrently locked by another process
- Fix "could not find pathkey item to sort" planner failures with UNION ALL over subqueries reading from tables with inheritance children Don't assume a subquery's output is unique if there's a set-returning function in its targetlist:
- This oversight could lead to misoptimization of constructs like WHERE x IN (SELECT y, generate_series(1,10) FROM t GROUP BY y). Improve planner to drop constant-NULL inputs of AND/OR when possible:
- This change fixes some cases where the more aggressive parameter substitution done by 9.2 and later can lead to a worse plan than older versions produced.
- Ensure that the planner sees equivalent VARIADIC and non-VARIADIC function calls as equivalent:
- This bug could for example result in failure to use expression indexes involving variadic functions. It might be necessary to re-create such indexes, and/or re-create views including variadic function calls that should match the indexes, for the fix to be effective for existing 9.3 installations. Fix handling of nested JSON objects in json_populate_recordset() and friends:
- A nested JSON object could result in previous fields of the parent object not being shown in the output. Fix identification of input type category in to_json() and friends:
- This is known to have led to inadequate quoting of money fields in the JSON result, and there may have been wrong results for other data types as well. Fix failure to detoast fields in composite elements of structured types:
- This corrects cases where TOAST pointers could be copied into other tables without being dereferenced. If the original data is later deleted, it would lead to errors like "missing chunk number 0 for toast value ..." when the now-dangling pointer is used.
- Fix "record type has not been registered" failures with whole-row references to the output of Append plan nodes
- Fix possible crash when invoking a user-defined function while rewinding a cursor
- Fix query-lifespan memory leak while evaluating the arguments for a function in FROM
- Fix session-lifespan memory leaks in regular-expression processing
- Fix data encoding error in hungarian.stop
- Prevent foreign tables from being created with OIDS when default_with_oids is true Fix liveness checks for rows that were inserted in the current transaction and then deleted by a now-rolled-back subtransaction:
- This could cause problems (at least spurious warnings, and at worst an infinite loop) if CREATE INDEX or CLUSTER were done later in the same transaction. Clear pg_stat_activity.xact_start during PREPARE TRANSACTION:
- After the PREPARE, the originating session is no longer in a transaction, so it should not continue to display a transaction start time.
- Fix REASSIGN OWNED to not fail for text search objects
- Prevent pg_class.relminmxid values from going backwards during VACUUM FULL Reduce indentation in rule/view dumps to improve readability and avoid excessive whitespace:
- This change reduces the amount of indentation applied to nested constructs, including some cases that the user probably doesn't think of as nested, such as UNION lists. Previously, deeply nested constructs were printed with an amount of whitespace growing as O(N^2), which created a performance problem and even risk of out-of-memory failures. Now the indentation is reduced modulo 40, which is initially odd to look at but seems to preserve readability better than simply limiting the indentation would do. Redundant parenthesization of UNION lists has been reduced as well.
- Fix dumping of rules/views when subsequent addition of a column has resulted in multiple input columns matching a USING specification
- Repair view printing for some cases involving functions in FROM that return a composite type containing dropped columns Block signals during postmaster startup:
- This ensures that the postmaster will properly clean up after itself if, for example, it receives SIGINT while still starting up. Fix client host name lookup when processing pg_hba.conf entries that specify host names instead of IP addresses:
- Ensure that reverse-DNS lookup failures are reported, instead of just silently not matching such entries. Also ensure that we make only one reverse-DNS lookup attempt per connection, not one per host name entry, which is what previously happened if the lookup attempts failed. Allow the root user to use postgres -C variable and postgres --describe-config:
- The prohibition on starting the server as root does not need to extend to these operations, and relaxing it prevents failure of pg_ctl in some scenarios. Secure Unix-domain sockets of temporary postmasters started during make check:
- Any local user able to access the socket file could connect as the server's bootstrap superuser, then proceed to execute arbitrary code as the operating-system user running the test, as we previously noted in CVE-2014-0067. This change defends against that risk by placing the server's socket in a temporary, mode 0700 subdirectory of /tmp. The hazard remains however on platforms where Unix sockets are not supported, notably Windows, because then the temporary postmaster must accept local TCP connections.
- A useful side effect of this change is to simplify make check testing in builds that override DEFAULT_PGSOCKET_DIR. Popular non-default values like /var/run/postgresql are often not writable by the build user, requiring workarounds that will no longer be necessary.
- Fix tablespace creation WAL replay to work on Windows
- Fix detection of socket creation failures on Windows On Windows, allow new sessions to absorb values of PGC_BACKEND parameters (such as log_connections) from the configuration file:
- Previously, if such a parameter were changed in the file post-startup, the change would have no effect. Properly quote executable path names on Windows:
- This oversight could cause initdb and pg_upgrade to fail on Windows, if the installation path contained both spaces and @ signs. Avoid buffer bloat in libpq when the server consistently sends data faster than the client can absorb it:
- libpq could be coerced into enlarging its input buffer until it runs out of memory (which would be reported misleadingly as "lost synchronization with server"). - Under ordinary circumstances it's quite far-fetched that data could be continuously transmitted more quickly than the recv() loop can absorb it, but this has been observed when the client is artificially slowed by scheduler constraints.
- Ensure that LDAP lookup attempts in libpq time out as intended
- Fix ecpg to do the right thing when an array of char * is the target for a FETCH statement returning more than one row, as well as some other array-handling fixes Fix pg_dump to cope with a materialized view that depends on a table's primary key:
- This occurs if the view's query relies on functional dependency to abbreviate a GROUP BY list. pg_dump got sufficiently confused that it dumped the materialized view as a regular view.
- Fix parsing of pg_dumpall's -i switch Fix pg_restore's processing of old-style large object comments:
- A direct-to-database restore from an archive file generated by a pre-9.0 version of pg_dump would usually fail if the archive contained more than a few comments for large objects. Fix pg_upgrade for cases where the new server creates a TOAST table but the old version did not:
- This rare situation would manifest as "relation OID mismatch" errors. In pg_upgrade, preserve pg_database.datminmxid and pg_class.relminmxid values from the old cluster, or insert reasonable values when upgrading from pre-9.3; also defend against unreasonable values in the core server:
- These changes prevent scenarios in which autovacuum might insist on scanning the entire cluster's contents immediately upon starting the new cluster, or in which tracking of unfrozen MXID values might be disabled completely. Prevent contrib/auto_explain from changing the output of a user's EXPLAIN:
- If auto_explain is active, it could cause an EXPLAIN (ANALYZE, TIMING OFF) command to nonetheless print timing information.
- Fix query-lifespan memory leak in contrib/dblink
- In contrib/pgcrypto functions, ensure sensitive information is cleared from stack variables before returning
- Prevent use of already-freed memory in contrib/pgstattuple's pgstat_heap() In contrib/uuid-ossp, cache the state of the OSSP UUID library across calls:
- This improves the efficiency of UUID generation and reduces the amount of entropy drawn from /dev/urandom, on platforms that have that.
- Update time zone data files to tzdata release 2014e for DST law changes in Crimea, Egypt, and Morocco.