## E.2. Release 14.1

* [E.2.1. Migration to Version 14.1](release-14-1.html#id-1.11.6.6.4)
* [E.2.2. Changes](release-14-1.html#id-1.11.6.6.5)

**Release date:** 2021-11-11

 This release contains a variety of fixes from 14.0. For information about new features in major release 14, see [Section E.3](release-14.html).

### E.2.1. Migration to Version 14.1

 A dump/restore is not required for those running 14.X.

 However, note that installations using physical replication should update standby servers before the primary server, as explained in the third changelog entry below.

 Also, several bugs have been found that may have resulted in corrupted indexes, as explained in the next several changelog entries. If any of those cases apply to you, it's recommended to reindex possibly-affected indexes after updating.
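For the parallel `VACUUM` entry in the changelog, the following query is an added example (not part of the PostgreSQL release notes) that lists indexes on tables with the index-size mix that entry describes. It assumes current index sizes and the current `min_parallel_index_scan_size` setting resemble those in effect when the table was manually vacuumed on 14.0; the CTE names are illustrative.

```sql
-- Added example, not from the release notes.
-- Finds tables with >= 2 indexes at or above min_parallel_index_scan_size
-- and >= 1 index below it, then lists the small indexes (the ones a
-- parallel VACUUM on 14.0 would have failed to process).
WITH cutoff AS (
    -- pg_settings reports this parameter in blocks; convert to bytes.
    SELECT setting::bigint * current_setting('block_size')::bigint AS bytes
    FROM pg_settings
    WHERE name = 'min_parallel_index_scan_size'
),
idx AS (
    SELECT i.indrelid, i.indexrelid,
           pg_relation_size(i.indexrelid) AS index_bytes
    FROM pg_index i
    JOIN pg_class t ON t.oid = i.indrelid
    WHERE t.relkind IN ('r', 'm')        -- tables and materialized views
      AND t.relpersistence <> 't'        -- skip temporary tables
),
suspect_tables AS (
    SELECT idx.indrelid
    FROM idx CROSS JOIN cutoff
    GROUP BY idx.indrelid
    HAVING count(*) FILTER (WHERE idx.index_bytes >= cutoff.bytes) >= 2
       AND count(*) FILTER (WHERE idx.index_bytes <  cutoff.bytes) >= 1
)
SELECT idx.indrelid::regclass          AS table_name,
       idx.indexrelid::regclass        AS index_name,
       pg_size_pretty(idx.index_bytes) AS index_size,
       format('REINDEX INDEX %s;', idx.indexrelid::regclass) AS reindex_command
FROM idx
JOIN suspect_tables s USING (indrelid)
CROSS JOIN cutoff
WHERE idx.index_bytes < cutoff.bytes     -- only the small indexes were skipped
ORDER BY 1, 2;
```

Run it in each database of the cluster, since `pg_index` is per-database. Autovacuum-only tables can be excluded from the results, because the entry states that autovacuum is not affected.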

### E.2.2. Changes

* Make the server reject extraneous data after an SSL or GSS encryption handshake (Tom Lane)

   A man-in-the-middle with the ability to inject data into the TCP connection could stuff some cleartext data into the start of a supposedly encryption-protected database session. This could be abused to send faked SQL commands to the server, although that would only work if the server did not demand any authentication data. (However, a server relying on SSL certificate authentication might well not do so.)

   The PostgreSQL Project thanks Jacob Champion for reporting this problem. (CVE-2021-23214)

* Make libpq reject extraneous data after an SSL or GSS encryption handshake (Tom Lane)

   A man-in-the-middle with the ability to inject data into the TCP connection could stuff some cleartext data into the start of a supposedly encryption-protected database session. This could probably be abused to inject faked responses to the client's first few queries, although other details of libpq's behavior make that harder than it sounds. A different line of attack is to exfiltrate the client's password, or other sensitive data that might be sent early in the session. That has been shown to be possible with a server vulnerable to CVE-2021-23214.

   The PostgreSQL Project thanks Jacob Champion for reporting this problem. (CVE-2021-23222)

* Fix physical replication for cases where the primary crashes after shipping a WAL segment that ends with a partial WAL record (Álvaro Herrera)

   If the primary did not survive long enough to finish writing the rest of the incomplete WAL record, then the previous crash-recovery logic had it back up and overwrite WAL starting from the beginning of the incomplete WAL record. This is problematic since standby servers may already have copies of that WAL segment. They will then see an inconsistent next segment, and will not be able to recover without manual intervention. To fix, do not back up over a WAL segment boundary when restarting after a crash. Instead write a new type of WAL record at the start of the next WAL segment, informing readers that the incomplete WAL record will never be finished and must be disregarded.

   When applying this update, it's best to update standby servers before the primary, so that they will be ready to handle this new WAL record type if the primary happens to crash.

* Ensure that parallel `VACUUM` doesn't miss any indexes (Peter Geoghegan, Masahiko Sawada)

   A parallel `VACUUM` would fail to process indexes that are below the `min_parallel_index_scan_size` cutoff, if the table also has at least two indexes that are above that size. This could result in those indexes becoming corrupt, since they'd still contain references to any heap entries removed by the `VACUUM`; subsequent queries using such indexes would be likely to return rows they shouldn't. This problem does not affect autovacuum, since it doesn't use parallel vacuuming. However, it is advisable to reindex any manually-vacuumed tables that have the right mix of index sizes.

* Fix `CREATE INDEX CONCURRENTLY` to wait for the latest prepared transactions (Andrey Borodin)

   Rows inserted by just-prepared transactions might be omitted from the new index, causing queries relying on the index to miss such rows. The previous fix for this type of problem failed to account for `PREPARE TRANSACTION` commands that were still in progress when `CREATE INDEX CONCURRENTLY` checked for them. As before, in installations that have enabled prepared transactions (`max_prepared_transactions` \> 0), it's recommended to reindex any concurrently-built indexes in case this problem occurred when they were built.

* Avoid race condition that can cause backends to fail to add entries for new rows to an index being built concurrently (Noah Misch, Andrey Borodin)

   While it's apparently rare in the field, this case could potentially affect any index built or reindexed with the `CONCURRENTLY` option. It is recommended to reindex any such indexes to make sure they are correct.

* Fix `REINDEX CONCURRENTLY` to preserve operator class parameters that were attached to the target index (Michael Paquier)

* Fix incorrect creation of shared dependencies when cloning a database that contains non-builtin objects (Aleksander Alekseev)

   The effects of this error are probably limited in practice. In principle, it could allow a role to be dropped while it still owns objects; but most installations would never want to drop a role that had been used for objects they'd added to `template1`.

* Ensure that the relation cache is invalidated for a table being attached to or detached from a partitioned table (Amit Langote, Álvaro Herrera)

   This oversight could allow misbehavior of subsequent inserts/updates addressed directly to the partition, but only in currently-existing sessions.

* Fix corruption of parse tree while creating a range type (Alex Kozhemyakin, Sergey Shinderuk)

  `CREATE TYPE` incorrectly freed an element of the parse tree, which could cause problems for a later event trigger, or if the `CREATE TYPE` command was stored in the plan cache and used again later.

* Fix updates of element fields in arrays of domain over composite (Tom Lane)

   A command such as `UPDATE tab SET fld[1].subfld = val` failed if the array's elements were domains rather than plain composites.

* Disallow the combination of `FETCH FIRST WITH TIES` and `FOR UPDATE SKIP LOCKED` (David Christensen)

  `FETCH FIRST WITH TIES` necessarily fetches one more row than requested, since it cannot stop until it finds a row that is not a tie. In our current implementation, if `FOR UPDATE` is used then that row will also get locked even though it is not returned. That results in undesirable behavior if the `SKIP LOCKED` option is specified. It's difficult to change this without introducing a different set of undesirable behaviors, so for now, forbid the combination.

* Disallow `ALTER INDEX index ALTER COLUMN col SET (options)` (Nathan Bossart, Michael Paquier)

   While the parser accepted this, it's undocumented and doesn't actually work.

* Fix corner-case loss of precision in numeric `power()` (Dean Rasheed)

   The result could be inaccurate when the first argument is very close to 1.

* Avoid choosing the wrong hash equality operator for Memoize plans (David Rowley)

   This error could result in crashes or incorrect query results.

* Fix planner error with pulling up subquery expressions into function rangetable entries (Tom Lane)

   If a function in `FROM` laterally references the output of some sub-`SELECT` earlier in the `FROM` clause, and we are able to flatten that sub-`SELECT` into the outer query, the expression(s) copied into the function expression were not fully processed. This could lead to crashes at execution.

* Avoid using MCV-only statistics to estimate the range of a column (Tom Lane)

   There are corner cases in which `ANALYZE` will build a most-common-values (MCV) list but not a histogram, even though the MCV list does not account for all the observed values. In such cases, keep the planner from using the MCV list alone to estimate the range of column values.

* Fix restoration of a Portal's snapshot inside a subtransaction (Bertrand Drouvot)

   If a procedure commits or rolls back a transaction, and then its next significant action is inside a new subtransaction, snapshot management went wrong, leading to a dangling pointer and probable crash. A typical example in PL/pgSQL is a `COMMIT` immediately followed by a `BEGIN ... EXCEPTION` block that performs a query.

* Clean up correctly if a transaction fails after exporting its snapshot (Dilip Kumar)

   This oversight would only cause a problem if the same session attempted to export a snapshot again. The most likely scenario for that is creation of a replication slot (followed by rollback) and then creation of another replication slot.

* Prevent wraparound of overflowed-subtransaction tracking on standby servers (Kyotaro Horiguchi, Alexander Korotkov)

   This oversight could cause significant performance degradation (manifesting as excessive SubtransSLRU traffic) on standby servers.

* Ensure that prepared transactions are properly accounted for during promotion of a standby server (Michael Paquier, Andres Freund)

   There was a narrow window where a prepared transaction could be omitted from a snapshot taken by a concurrently-running session. If that session then used the snapshot to perform data updates, erroneous results or data corruption could occur.

* Fix “could not find RecursiveUnion” error when `EXPLAIN` tries to print a filter condition attached to a WorkTableScan node (Tom Lane)

* Ensure that the correct lock level is used when renaming a table (Nathan Bossart, Álvaro Herrera)

   For historical reasons, `ALTER INDEX ... RENAME` can be applied to any sort of relation. The lock level required to rename an index is lower than that required to rename a table or other kind of relation, but the code got this wrong and would use the weaker lock level whenever the command is spelled `ALTER INDEX`.

* Avoid null-pointer-dereference crash when dropping a role that owns objects being dropped concurrently (Álvaro Herrera)

* Prevent “snapshot reference leak” warning when `lo_export()` or a related function fails (Heikki Linnakangas)

* Fix inefficient code generation for CoerceToDomain expression nodes (Ranier Vilela)

* Avoid O(N^2) behavior in some list-manipulation operations (Nathan Bossart, Tom Lane)

   These changes fix slow processing in several scenarios, including: when a standby replays a transaction that held many exclusive locks on the primary; when many files are due to be unlinked after a checkpoint; when hash aggregation involves many batches; and when `pg_trgm` extracts indexable conditions from a complex regular expression. Only the first of these scenarios has actually been reported from the field, but they all seem like plausible consequences of inefficient list deletions.

* Add more defensive checks around B-tree posting list splits (Peter Geoghegan)

   This change should help detect index corruption involving duplicate table TIDs.

* Avoid assertion failure when inserting NaN into a BRIN float8 or float4 minmax\_multi\_ops index (Tomas Vondra)

   In production builds, such cases would result in a somewhat inefficient, but not actually incorrect, index.

* Allow the autovacuum launcher process to respond to `pg_log_backend_memory_contexts()` requests more quickly (Koyu Tanigawa)

* Fix memory leak in HMAC hash calculations (Sergey Shinderuk)

* Disallow setting `huge_pages` to `on` when `shared_memory_type` is `sysv` (Thomas Munro)

   Previously, this setting was accepted, but it did nothing for lack of any implementation.

* Fix checking of query type in PL/pgSQL's `RETURN QUERY` statement (Tom Lane)

  `RETURN QUERY` should accept any query that can return tuples, e.g. `UPDATE RETURNING`. v14 accidentally disallowed anything but `SELECT`; moreover, the `RETURN QUERY EXECUTE` variant failed to apply any query-type check at all.

* Fix pg\_dump to dump non-global default privileges correctly (Neil Chen, Masahiko Sawada)

   If a global (unrestricted) `ALTER DEFAULT PRIVILEGES` command revoked some present-by-default privilege, for example `EXECUTE` for functions, and then a restricted `ALTER DEFAULT PRIVILEGES` command granted that privilege again for a selected role or schema, pg\_dump failed to dump the restricted privilege grant correctly.

* Make pg\_dump acquire shared lock on partitioned tables that are to be dumped (Tom Lane)

   This oversight was usually pretty harmless, since once pg\_dump has locked any of the leaf partitions, that would suffice to prevent significant DDL on the partitioned table itself. However, problems could ensue when dumping a childless partitioned table, since no relevant lock would be held.

* Fix crash in pg\_dump when attempting to dump trigger definitions from a pre-8.3 server (Tom Lane)

* Fix incorrect filename in pg\_restore's error message about an invalid large object TOC file (Daniel Gustafsson)

* Ensure that pgbench exits with non-zero status after a socket-level failure (Yugo Nagata, Fabien Coelho)

   The desired behavior is to finish out the run but then exit with status 2. Also, fix the reporting of such errors.

* Prevent pg\_amcheck from checking temporary relations, as well as indexes that are invalid or not ready (Mark Dilger)

   This avoids unhelpful checks of relations that will almost certainly appear inconsistent.

* Make `contrib/amcheck` skip unlogged tables when running on a standby server (Mark Dilger)

   It's appropriate to do this since such tables will be empty, and unlogged indexes were already handled similarly.

* Change `contrib/pg_stat_statements` to read its “query texts” file in units of at most 1GB (Tom Lane)

   Such large query text files are very unusual, but if they do occur, the previous coding would fail on Windows 64 (which rejects individual read requests of more than 2GB).

* Fix null-pointer crash when `contrib/postgres_fdw` tries to report a data conversion error (Tom Lane)

* Ensure that `GetSharedSecurityLabel()` can be used in a newly-started session that has not yet built its critical relation cache entries (Jeff Davis)

* When running a TAP test, include the module's own directory in `PATH` (Andrew Dunstan)

   This allows tests to find built programs that are not installed, such as custom test drivers.

* Use the CLDR project's data to map Windows time zone names to IANA time zones (Tom Lane)

   When running on Windows, initdb attempts to set the new cluster's `timezone` parameter to the IANA time zone matching the system's prevailing time zone. We were using a mapping table that we'd generated years ago and updated only fitfully; unsurprisingly, it contained a number of errors as well as omissions of recently-added zones. It turns out that CLDR has been tracking the most appropriate mappings, so start using their data. This change will not affect any existing installation, only newly-initialized clusters.

* Update time zone data files to tzdata release 2021e for DST law changes in Fiji, Jordan, Palestine, and Samoa, plus historical corrections for Barbados, Cook Islands, Guyana, Niue, Portugal, and Tonga.

   Also, the Pacific/Enderbury zone has been renamed to Pacific/Kanton. Also, the following zones have been merged into nearby, more-populous zones whose clocks have agreed with them since 1970: Africa/Accra, America/Atikokan, America/Blanc-Sablon, America/Creston, America/Curacao, America/Nassau, America/Port\_of\_Spain, Antarctica/DumontDUrville, and Antarctica/Syowa. In all these cases, the previous zone name remains as an alias.
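For the first changelog entry (CVE-2021-23214), which notes that injected commands only work when the server demands no authentication data, the following query is an added example (not part of the PostgreSQL release notes) for auditing which `pg_hba.conf` rules fit that condition. Treating `trust` alongside `cert` is an assumption of this example; the entry itself names only SSL certificate authentication.

```sql
-- Added example, not from the release notes.
-- Lists TCP rules in pg_hba.conf whose auth method asks the client for no
-- authentication data after the encryption handshake, and shows whether the
-- server is still on 14.0. Reading pg_hba_file_rules requires superuser
-- by default.
SELECT current_setting('server_version')                   AS server_version,
       current_setting('server_version_num')::int = 140000 AS is_14_0,
       current_setting('ssl')                              AS ssl_enabled,
       r.line_number,
       r.type,
       r.database,
       r.user_name,
       r.address,
       r.auth_method,
       r.options
FROM pg_hba_file_rules r
WHERE r.error IS NULL                                  -- skip unparsable lines
  AND r.type IN ('host', 'hostssl', 'hostgssenc')      -- TCP connection rules
  AND r.auth_method IN ('trust', 'cert')               -- no auth data demanded
ORDER BY r.line_number;
```

Any rows returned on a 14.0 server identify the rules to prioritize when scheduling the update to 14.1.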