Release 16.3

Release date: 2024-05-09

This release contains a variety of fixes from 16.2. For information about new features in major release 16, see .

Migration to Version 16.3

A dump/restore is not required for those running 16.X.

However, a security vulnerability was found in the system views pg_stats_ext and pg_stats_ext_exprs, potentially allowing authenticated database users to see data they shouldn't. If this is of concern in your installation, follow the steps in the first changelog entry below to rectify it.

Also, if you are upgrading from a version earlier than 16.2, see .

Changes

Restrict visibility of pg_stats_ext and pg_stats_ext_exprs entries to the table owner (Nathan Bossart)
These views failed to hide statistics for expressions that involve columns the accessing user does not have permission to read. View columns such as most_common_vals might expose security-relevant data. The potential interactions here are not fully clear, so in the interest of erring on the side of safety, make rows in these views visible only to the owner of the associated table.
The PostgreSQL Project thanks Lukas Fittl for reporting this problem. (CVE-2024-4317)
By itself, this fix will only fix the behavior in newly initdb'd database clusters. If you wish to apply this change in an existing cluster, you will need to do the following:
Find the SQL script fix-CVE-2024-4317.sql in the share directory of the PostgreSQL installation (typically located someplace like /usr/share/postgresql/). Be sure to use the script appropriate to your PostgreSQL major version. If you do not see this file, either your version is not vulnerable (only v14–v16 are affected) or your minor version is too old to have the fix.
In each database of the cluster, run the fix-CVE-2024-4317.sql script as superuser. In psql this would look like
    \i /usr/share/postgresql/fix-CVE-2024-4317.sql
(adjust the file path as appropriate). Any error probably indicates that you've used the wrong script version.
It will not hurt to run the script more than once.
Do not forget to include the template0 and template1 databases, or the vulnerability will still exist in databases you create later. To fix template0, you'll need to temporarily make it accept connections. Do that with
    ALTER DATABASE template0 WITH ALLOW_CONNECTIONS true;
and then after fixing template0, undo it with
    ALTER DATABASE template0 WITH ALLOW_CONNECTIONS false;

Fix INSERT from multiple VALUES rows into a target column that is a domain over an array or composite type (Tom Lane)
Such cases would either fail with surprising complaints about mismatched datatypes, or insert unexpected coercions that could lead to odd results.

Require SELECT privilege on the target table for MERGE with a DO NOTHING clause (Álvaro Herrera)
SELECT privilege would be required in all practical cases anyway, but require it even if the query reads no columns of the target table. This avoids an edge case in which MERGE would require no privileges whatever, which seems undesirable even when it's a do-nothing command.

Fix handling of self-modified tuples in MERGE (Dean Rasheed)
Throw an error if a target row joins to more than one source row, as required by the SQL standard. (The previous coding could silently ignore this condition if a concurrent update was involved.) Also, throw a non-misleading error if a target row is already updated by a later command in the current transaction, thanks to a BEFORE trigger or a volatile function used in the query.

Fix incorrect pruning of NULL partition when a table is partitioned on a boolean column and the query has a boolean IS NOT clause (David Rowley)
A NULL value satisfies a clause such as boolcol IS NOT FALSE, so pruning away a partition containing NULLs yielded incorrect answers.

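The CVE-2024-4317 remediation steps from the first 16.3 changelog entry above, scripted as an added example (it is not part of the PostgreSQL release notes or distribution). It goes slightly beyond the text by temporarily unlocking any database that refuses connections, not only template0. Assumptions: psql connects as a superuser through the usual PG* environment variables, a maintenance database named postgres exists, and the FIX_SQL and MAINT_DB variables and all function names are this example's own.

```sh
#!/bin/sh
# Added example, not from the PostgreSQL release notes: run
# fix-CVE-2024-4317.sql in every database of a cluster, template0 included.
# Assumptions: psql connects as a superuser via the usual PG* environment
# variables; FIX_SQL, MAINT_DB and the function names are this example's own.
set -eu

FIX_SQL="${FIX_SQL:-/usr/share/postgresql/fix-CVE-2024-4317.sql}"  # adjust path
MAINT_DB="${MAINT_DB:-postgres}"  # database used for the ALTER DATABASE calls

# Double embedded quotes so a database name is safe as an SQL identifier.
quote_ident() {
  printf '"%s"' "$(printf '%s' "$1" | sed 's/"/""/g')"
}

# stdin:  "datallowconn|datname" rows as printed by psql -At (t or f first).
# stdout: ordered steps, one per line: "unlock DB", "fix DB", "lock DB".
build_plan() {
  while IFS='|' read -r allow db; do
    [ -n "$db" ] || continue
    if [ "$allow" = "f" ]; then
      # Refuses connections (template0): open it, fix it, close it again.
      printf 'unlock %s\nfix %s\nlock %s\n' "$db" "$db" "$db"
    else
      printf 'fix %s\n' "$db"
    fi
  done
}

# Execute one plan step. stdin is /dev/null so psql never consumes the plan.
run_step() {
  case "$1" in
    unlock)
      psql -X -v ON_ERROR_STOP=1 -d "$MAINT_DB" \
        -c "ALTER DATABASE $(quote_ident "$2") WITH ALLOW_CONNECTIONS true;" </dev/null ;;
    fix)
      psql -X -v ON_ERROR_STOP=1 -d "$2" -f "$FIX_SQL" </dev/null ;;
    lock)
      psql -X -v ON_ERROR_STOP=1 -d "$MAINT_DB" \
        -c "ALTER DATABASE $(quote_ident "$2") WITH ALLOW_CONNECTIONS false;" </dev/null ;;
    *)
      echo "unknown step: $1" >&2
      return 1 ;;
  esac
}

apply_fix() {
  if [ ! -r "$FIX_SQL" ]; then
    echo "cannot read $FIX_SQL: wrong path, or this minor version lacks the fix" >&2
    return 1
  fi
  rows=$(psql -X -At -d "$MAINT_DB" \
    -c 'SELECT datallowconn, datname FROM pg_database ORDER BY datname' </dev/null)
  plan=$(printf '%s\n' "$rows" | build_plan)

  # If a step fails while a database is unlocked, lock it again on exit.
  relock=""
  trap 'if [ -n "$relock" ]; then run_step lock "$relock"; fi' EXIT

  while read -r action db; do
    [ -n "$action" ] || continue
    echo "== $action $db" >&2
    run_step "$action" "$db"   # set -e aborts on the first failing step
    case "$action" in
      unlock) relock=$db ;;
      lock)   relock="" ;;
    esac
  done <<EOF
$plan
EOF
}

# Constructed sample of the pg_database query result (not real output).
SAMPLE_ROWS='t|postgres
f|template0
t|template1
t|app db'

case "${1:-}" in
  --apply) apply_fix ;;
  *)       printf '%s\n' "$SAMPLE_ROWS" | build_plan ;;  # dry run on the sample
esac
```

Run with no arguments it prints the plan for the embedded sample; with --apply it reads pg_database and executes the steps against the cluster, stopping at the first error.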
Make ALTER FOREIGN TABLE SET SCHEMA move any owned sequences into the new schema (Tom Lane)
Moving a regular table to a new schema causes any sequences owned by the table to be moved to that schema too (along with indexes and constraints). This was overlooked for foreign tables, however.

Make ALTER TABLE ... ADD COLUMN create identity/serial sequences with the same persistence as their owning tables (Peter Eisentraut)
CREATE UNLOGGED TABLE will make any owned sequences be unlogged too. ALTER TABLE missed that consideration, so that an added identity column would have a logged sequence, which seems pointless.

Improve ALTER TABLE ... ALTER COLUMN TYPE's error message when there is a dependent function or publication (Tom Lane)

In CREATE DATABASE, recognize strategy keywords case-insensitively for consistency with other options (Tomas Vondra)

Fix EXPLAIN's counting of heap pages accessed by a bitmap heap scan (Melanie Plageman)
Previously, heap pages that contain no visible tuples were not counted; but it seems more consistent to count all pages returned by the bitmap index scan.

Fix EXPLAIN's output for subplans in MERGE (Dean Rasheed)
EXPLAIN would sometimes fail to properly display subplan Params referencing variables in other parts of the plan tree.

Avoid deadlock during removal of orphaned temporary tables (Mikhail Zhilin)
If the session that creates a temporary table crashes without removing the table, autovacuum will eventually try to remove the orphaned table. However, an incoming session that's been assigned the same temporary namespace will do that too. If a temporary table has a dependency (such as an owned sequence) then a deadlock could result between these two cleanup attempts.

Fix updating of visibility map state in VACUUM with the DISABLE_PAGE_SKIPPING option (Heikki Linnakangas)
Due to an oversight, this mode caused all heap pages to be dirtied, resulting in excess I/O. Also, visibility map bits that were incorrectly set would not get cleared.

Avoid race condition while examining per-relation frozen-XID values (Noah Misch)
VACUUM's computation of per-database frozen-XID values from per-relation values could get confused by a concurrent update of those values by another VACUUM.

Fix buffer usage reporting for parallel vacuuming (Anthonin Bonnefoy)
Buffer accesses performed by parallel workers were not getting counted in the statistics reported in VERBOSE mode.

Ensure that join conditions generated from equivalence classes are applied at the correct plan level (Tom Lane)
In versions before PostgreSQL 16, it was possible for generated conditions to be evaluated below outer joins when they should be evaluated above (after) the outer join, leading to incorrect query results. All versions have a similar hazard when considering joins to UNION ALL trees that have constant outputs for the join column in some SELECT arms.

Fix "could not find pathkey item to sort" errors occurring while planning aggregate functions with ORDER BY or DISTINCT options (David Rowley)
This is similar to a fix applied in 16.1, but it solves the problem for parallel plans.

Prevent potentially-incorrect optimization of some window functions (David Rowley)
Disable "run condition" optimization of ntile() and count() with non-constant arguments. This avoids possible misbehavior with sub-selects, typically leading to errors like "WindowFunc not found in subplan target lists".

Avoid unnecessary use of moving-aggregate mode with a non-moving window frame (Vallimaharajan G)
When a plain aggregate is used as a window function, and the window frame start is specified as UNBOUNDED PRECEDING, the frame's head cannot move so we do not need to use the special (and more expensive) moving-aggregate mode. This optimization was intended all along, but due to a coding error it never triggered.

Avoid use of already-freed data while planning partition-wise joins under GEQO (Tom Lane)
This would typically end in a crash or unexpected error message.

Avoid freeing still-in-use data in Memoize (Tender Wang, Andrei Lepikhov)
In production builds this error frequently didn't cause any problems, as the freed data would most likely not get overwritten before it was used.

Fix incorrectly-reported statistics kind codes in "requested statistics kind X is not yet built" error messages (David Rowley)

Use a hash table instead of linear search for "catcache list" objects (Tom Lane)
This change solves performance problems that were reported for certain operations in installations with many thousands of roles.

Be more careful with RECORD-returning functions in FROM (Tom Lane)
The output columns of such a function call must be defined by an AS clause that specifies the column names and data types. If the actual function output value doesn't match that, an error is supposed to be thrown at runtime. However, some code paths would examine the actual value prematurely, and potentially issue strange errors or suffer assertion failures if it doesn't match expectations.

Fix confusion about the return rowtype of SQL-language procedures (Tom Lane)
A procedure implemented in SQL language that returns a single composite-type column would cause an assertion failure or core dump.

Add protective stack depth checks to some recursive functions (Egor Chindyaskin)

Fix mis-rounding and overflow hazards in date_bin() (Moaaz Assali)
In the case where the source timestamp is before the origin timestamp and their difference is already an exact multiple of the stride, the code incorrectly subtracted the stride anyway. Also, detect some integer-overflow cases that would have produced incorrect results.

Detect integer overflow when adding or subtracting an interval to/from a timestamp (Joseph Koshakow)
Some cases that should cause an out-of-range error produced an incorrect result instead.

Avoid race condition in pg_get_expr() (Tom Lane)
If the relation referenced by the argument is dropped concurrently, the function's intention is to return NULL, but sometimes it failed instead.

Fix detection of old transaction IDs in XID status functions (Karina Litskevich)
Transaction IDs more than 2^31 transactions in the past could be misidentified as recent, leading to misbehavior of pg_xact_status() or txid_status().

Ensure that a table's freespace map won't return a page that's past the end of the table (Ronan Dunklau)
Because the freespace map isn't WAL-logged, this was possible in edge cases involving an OS crash, a replica promote, or a PITR restore. The result would be a "could not read block" error.

Fix file descriptor leakage when an error is thrown while waiting in WaitEventSetWait (Etsuro Fujita)

Avoid corrupting exception stack if an FDW implements async append but doesn't configure any wait conditions for the Append plan node to wait for (Alexander Pyhalov)

Throw an error if an index is accessed while it is being reindexed (Tom Lane)
Previously this was just an assertion check, but promote it into a regular runtime error. This will provide a more on-point error message when reindexing a user-defined index expression that attempts to access its own table.

Ensure that index-only scans on name columns return a fully-padded value (David Rowley)
The value physically stored in the index is truncated, and previously a pointer to that value was returned to callers. This provoked complaints when testing under valgrind. In theory it could result in crashes, though none have been reported.

Fix race condition that could lead to reporting an incorrect conflict cause when invalidating a replication slot (Bertrand Drouvot)

Fix race condition in deciding whether a table sync operation is needed in logical replication (Vignesh C)
An invalidation event arriving while a subscriber identifies which tables need to be synced would be forgotten about, so that any tables newly in need of syncing might not get processed in a timely fashion.

Fix crash with DSM allocations larger than 4GB (Heikki Linnakangas)

Disconnect if a new server session's client socket cannot be put into non-blocking mode (Heikki Linnakangas)
It was once theoretically possible for us to operate with a socket that's in blocking mode; but that hasn't worked fully in a long time, so fail at connection start rather than misbehave later.

Fix inadequate error reporting with OpenSSL 3.0.0 and later (Heikki Linnakangas, Tom Lane)
System-reported errors passed through by OpenSSL were reported with a numeric error code rather than anything readable.

Fix thread-safety of error reporting for getaddrinfo() on Windows (Thomas Munro)
A multi-threaded libpq client program could get an incorrect or corrupted error message after a network lookup failure.

Avoid concurrent calls to bindtextdomain() in libpq and ecpglib (Tom Lane)
Although GNU gettext's implementation seems to be fine with concurrent calls, the version available on Windows is not.

Fix crash in ecpg's preprocessor if the program tries to redefine a macro that was defined on the preprocessor command line (Tom Lane)

In ecpg, avoid issuing false "unsupported feature will be passed to server" warnings (Tom Lane)

Ensure that the string result of ecpg's intoasc() function is correctly zero-terminated (Oleg Tselebrovskiy)

In initdb's option, match parameter names case-insensitively (Tom Lane)
The server treats parameter names case-insensitively, so this code should too. This avoids putting redundant entries into the generated postgresql.conf file.

In psql, avoid leaking a query result after the query is cancelled (Tom Lane)
This happened only when cancelling a non-last query in a query string made with \; separators.

Fix pg_dumpall so that role comments, if present, will be dumped regardless of the setting of (Daniel Gustafsson, Álvaro Herrera)

Skip files named .DS_Store in pg_basebackup, pg_checksums, and pg_rewind (Daniel Gustafsson)
This avoids problems on macOS, where the Finder may create such files.

Fix PL/pgSQL's parsing of single-line comments (-- style comments) following expressions (Erik Wienhold, Tom Lane)
This mistake caused parse errors if such a comment followed a WHEN expression in a PL/pgSQL CASE statement.

In contrib/amcheck, don't report false match failures due to short- versus long-header values (Andrey Borodin, Michael Zhilin)
A variable-length datum in a heap tuple or index tuple could have either a short or a long header, depending on compression parameters that applied when it was made. Treat these cases as equivalent rather than complaining if there's a difference.

Fix bugs in BRIN output functions (Tomas Vondra)
These output functions are only used for displaying index entries in contrib/pageinspect, so the errors are of limited practical concern.

In contrib/postgres_fdw, avoid emitting requests to sort by a constant (David Rowley)
This could occur in cases involving UNION ALL with constant-emitting subqueries. Sorting by a constant is useless of course, but it also risks being misinterpreted by the remote server, leading to "ORDER BY position N is not in select list" errors.

Make contrib/postgres_fdw set the remote session's time zone to GMT not UTC (Tom Lane)
This should have the same results for practical purposes. However, GMT is recognized by hard-wired code in the server, while UTC is looked up in the timezone database. So the old code could fail in the unlikely event that the remote server's timezone database is missing entries.

In contrib/xml2, avoid use of library functions that have been deprecated in recent versions of libxml2 (Dmitry Koval)

Fix incompatibility with LLVM 18 (Thomas Munro, Dmitry Dolgov)

Allow make check to work with the musl C library (Thomas Munro, Bruce Momjian, Tom Lane)

Release 16.2

Release date: 2024-02-08

This release contains a variety of fixes from 16.1. For information about new features in major release 16, see .

Migration to Version 16.2

A dump/restore is not required for those running 16.X.

However, one bug was fixed that could have resulted in corruption of GIN indexes during concurrent updates. If you suspect such corruption, reindex affected indexes after installing this update.

Also, if you are upgrading from a version earlier than 16.1, see .

Changes

Tighten security restrictions within REFRESH MATERIALIZED VIEW CONCURRENTLY (Heikki Linnakangas)
One step of a concurrent refresh command was run under weak security restrictions. If a materialized view's owner could persuade a superuser or other high-privileged user to perform a concurrent refresh on that view, the view's owner could control code executed with the privileges of the user running REFRESH. Fix things so that all user-determined code is run as the view's owner, as expected.
The only known exploit for this error does not work in PostgreSQL 16.0 and later, so it may be that v16 is not vulnerable in practice.
The PostgreSQL Project thanks Pedro Gallegos for reporting this problem. (CVE-2024-0985)

Fix memory leak when performing JIT inlining (Andres Freund, Daniel Gustafsson)
There have been multiple reports of backend processes suffering out-of-memory conditions after sufficiently many JIT compilations. This fix should resolve that.

Avoid generating incorrect partitioned-join plans (Richard Guo)
Some uncommon situations involving lateral references could create incorrect plans.
Affected queries could produce wrong answers, or odd failures such as "variable not found in subplan target list", or executor crashes.

Fix incorrect wrapping of subquery output expressions in PlaceHolderVars (Tom Lane)
This fixes incorrect results when a subquery is underneath an outer join and has an output column that laterally references something outside the outer join's scope. The output column might not appear as NULL when it should do so due to the action of the outer join.

Fix misprocessing of window function run conditions (Richard Guo)
This oversight could lead to "WindowFunc not found in subplan target lists" errors.

Fix detection of inner-side uniqueness for Memoize plans (Richard Guo)
This mistake could lead to "cache entry already complete" errors.

Fix computation of nullingrels when constant-folding field selection (Richard Guo)
Failure to do this led to errors like "wrong varnullingrels (b) (expected (b 3)) for Var 2/2".

Skip inappropriate actions when MERGE causes a cross-partition update (Dean Rasheed)
When executing a MERGE UPDATE action on a partitioned table, if the UPDATE is turned into a DELETE and INSERT due to changing a partition key column, skip firing AFTER UPDATE ROW triggers, as well as other post-update actions such as RLS checks. These actions would typically fail, which is why a regular UPDATE doesn't do them in such cases; MERGE shouldn't either.

Cope with BEFORE ROW DELETE triggers in cross-partition MERGE updates (Dean Rasheed)
If such a trigger attempted to prevent the update by returning NULL, MERGE would suffer an error or assertion failure.

Prevent access to a no-longer-pinned buffer in BEFORE ROW UPDATE triggers (Alexander Lakhin, Tom Lane)
If the tuple being updated had just been updated and moved to another page by another session, there was a narrow window where we would attempt to fetch data from the new tuple version without any pin on its buffer.
In principle this could result in garbage data appearing in non-updated columns of the proposed new tuple. The odds of problems in practice seem rather low, however.

Avoid requesting an oversize shared-memory area in parallel hash join (Thomas Munro, Andrei Lepikhov, Alexander Korotkov)
The limiting value was too large, allowing "invalid DSA memory alloc request size" errors to occur with sufficiently large expected hash table sizes.

Fix corruption of local buffer state when an error occurs while trying to extend a temporary table (Tender Wang)

Fix use of wrong tuple slot while evaluating DISTINCT aggregates that have multiple arguments (David Rowley)
This mistake could lead to errors such as "attribute 1 of type record has wrong type".

Avoid assertion failures in heap_update() and heap_delete() when a tuple to be updated by a foreign-key enforcement trigger fails the extra visibility crosscheck (Alexander Lakhin)
This error had no impact in non-assert builds.

Fix overly tight assertion about false_positive_rate parameter of BRIN bloom operator classes (Alexander Lakhin)
This error had no impact in non-assert builds, either.

Fix possible failure during ALTER TABLE ADD COLUMN on a complex inheritance tree (Tender Wang)
If a grandchild table would inherit the new column via multiple intermediate parents, the command failed with "tuple already updated by self".

Fix problems with duplicate token names in ALTER TEXT SEARCH CONFIGURATION ... MAPPING commands (Tender Wang, Michael Paquier)

Fix DROP ROLE with duplicate role names (Michael Paquier)
Previously this led to a "tuple already updated by self" failure. Instead, ignore the duplicate.

Properly lock the associated table during DROP STATISTICS (Tomas Vondra)
Failure to acquire the lock could result in "tuple concurrently deleted" errors if the DROP executes concurrently with ANALYZE.

Fix function volatility checking for GENERATED and DEFAULT expressions (Tom Lane)
These places could fail to detect insertion of a volatile function default-argument expression, or decide that a polymorphic function is volatile although it is actually immutable on the datatype of interest. This could lead to improperly rejecting or accepting a GENERATED clause, or to mistakenly applying the constant-default-value optimization in ALTER TABLE ADD COLUMN.

Detect that a new catalog cache entry became stale while detoasting its fields (Tom Lane)
We expand any out-of-line fields in a catalog tuple before inserting it into the catalog caches. That involves database access which might cause invalidation of catalog cache entries — but the new entry isn't in the cache yet, so we would miss noticing that it should get invalidated. The result is a race condition in which an already-stale cache entry could get made, and then persist indefinitely. This would lead to hard-to-predict misbehavior. Fix by rechecking the tuple's visibility after detoasting.

Fix edge-case integer overflow detection bug on some platforms (Dean Rasheed)
Computing 0 - INT64_MIN should result in an overflow error, and did on most platforms. However, platforms with neither integer overflow builtins nor 128-bit integers would fail to spot the overflow, instead returning INT64_MIN.

Detect Julian-date overflow when adding or subtracting an interval to/from a timestamp (Tom Lane)
Some cases that should cause an out-of-range error produced an incorrect result instead.

Add more checks for overflow in interval_mul() and interval_div() (Dean Rasheed)
Some cases that should cause an out-of-range error produced an incorrect result instead.

Allow scram_SaltedPassword() to be interrupted (Bowen Shi)
With large scram_iterations values, this function could take a long time to run. Allow it to be interrupted by query cancel requests.

Ensure cached statistics are discarded after a change to stats_fetch_consistency (Shinya Kato)
In some code paths, it was possible for stale statistics to be returned.

Make the pg_file_settings view check validity of unapplied values for settings with backend or superuser-backend context (Tom Lane)
Invalid values were not noted in the view as intended. This escaped detection because there are very few settings in these groups.

Match collation too when matching an existing index to a new partitioned index (Peter Eisentraut)
Previously we could accept an index that has a different collation from the corresponding element of the partition key, possibly leading to misbehavior.

Avoid failure if a child index is dropped concurrently with REINDEX INDEX on a partitioned index (Fei Changhong)

Fix insufficient locking when cleaning up an incomplete split of a GIN index's internal page (Fei Changhong, Heikki Linnakangas)
The code tried to do this with shared rather than exclusive lock on the buffer. This could lead to index corruption if two processes attempted the cleanup concurrently.

Avoid premature release of buffer pin in GIN index insertion (Tom Lane)
If an index root page split occurs concurrently with our own insertion, the code could fail with "buffer NNNN is not owned by resource owner".

Avoid failure with partitioned SP-GiST indexes (Tom Lane)
Trying to use an index of this kind could lead to "No such file or directory" errors.

Fix ownership tests for large objects (Tom Lane)
Operations on large objects that require ownership privilege failed with "unrecognized class ID: 2613", unless run by a superuser.

Fix ownership change reporting for large objects (Tom Lane)
A no-op ALTER LARGE OBJECT OWNER command (that is, one selecting the existing owner) passed the wrong class ID to the PostAlterHook, probably confusing any extension using that hook.

Fix reporting of I/O timing data in EXPLAIN (BUFFERS) (Michael Paquier)
The numbers labeled as "shared/local" actually refer only to shared buffers, so change that label to "shared".

Ensure durability of CREATE DATABASE (Noah Misch)
If an operating system crash occurred during or shortly after CREATE DATABASE, recovery could fail, or subsequent connections to the new database could fail. If a base backup was taken in that window, similar problems could be observed when trying to use the backup. The symptom would be that the database directory, PG_VERSION file, or pg_filenode.map file was missing or empty.

Add more LOG messages when starting and ending recovery from a backup (Andres Freund)
This change provides additional information in the postmaster log that may be useful for diagnosing recovery problems.

Prevent standby servers from incorrectly processing dead index tuples during subtransactions (Fei Changhong)
The startedInRecovery flag was not correctly set for a subtransaction. This affects only processing of dead index tuples. It could allow a query in a subtransaction to ignore index entries that it should return (if they are already dead on the primary server, but not dead to the standby transaction), or to prematurely mark index entries as dead that are not yet dead on the primary. It is not clear that the latter case has any serious consequences, but it's not the intended behavior.

Fix signal handling in walreceiver processes (Heikki Linnakangas)
Revert a change that made walreceivers non-responsive to SIGTERM while waiting for the replication connection to be established.

Fix integer overflow hazard in checking whether a record will fit into the WAL decoding buffer (Thomas Munro)
This bug appears to be only latent except when running a 32-bit PostgreSQL build on a 64-bit platform.

Fix deadlock between a logical replication apply worker, its tablesync worker, and a session process trying to alter the subscription (Shlok Kyal)
One edge of the deadlock loop did not involve a lock wait, so the deadlock went undetected and would persist until manual intervention.

Ensure that column default values are correctly transmitted by the pgoutput logical replication plugin (Nikhil Benesch)
ALTER TABLE ADD COLUMN with a constant default value for the new column avoids rewriting existing tuples, instead expecting that reading code will insert the correct default into a tuple that lacks that column. If replication was subsequently initiated on the table, pgoutput would transmit NULL instead of the correct default for such a column, causing incorrect replication on the subscriber.

Fix failure of logical replication's initial sync for a table with no columns (Vignesh C)
This case generated an improperly-formatted COPY command.

Re-validate a subscription's connection string before use (Vignesh C)
This is meant to detect cases where a subscription was created without a password (which is allowed to superusers) but then the subscription owner is changed to a non-superuser.

Return the correct status code when a new client disconnects without responding to the server's password challenge (Liu Lang, Tom Lane)
In some cases we'd treat this as a loggable error, which was not the intention and tends to create log spam, since common clients like psql frequently do this. It may also confuse extensions that use ClientAuthentication_hook.

Fix incompatibility with OpenSSL 3.2 (Tristan Partin, Bo Andreson)
Use the BIO "app_data" field for our private storage, instead of assuming it's okay to use the "data" field. This mistake didn't cause problems before, but with 3.2 it leads to crashes and complaints about double frees.

Be more wary about OpenSSL not setting errno on error (Tom Lane)
If errno isn't set, assume the cause of the reported failure is read EOF.
This fixes rare cases of strange error reports like "could not accept SSL connection: Success".

Fix file descriptor leakage when a foreign data wrapper's ForeignAsyncRequest function fails (Heikki Linnakangas)

Fix minor memory leak in connection string validation for CREATE SUBSCRIPTION (Jeff Davis)

Report ENOMEM errors from file-related system calls as ERRCODE_OUT_OF_MEMORY, not ERRCODE_INTERNAL_ERROR (Alexander Kuzmenkov)

In PL/pgSQL, support SQL commands that are CREATE FUNCTION/CREATE PROCEDURE with SQL-standard bodies (Tom Lane)
Previously, such cases failed with parsing errors due to the semicolon(s) appearing in the function body.

Fix libpq's handling of errors in pipelines (Álvaro Herrera)
The pipeline state could get out of sync if an error is returned for reasons other than a query problem (for example, if the connection is lost). Potentially this would lead to a busy-loop in the calling application.

Make libpq's PQsendFlushRequest() function flush the client output buffer under the same rules as other PQsend functions (Jelte Fennema-Nio)
In pipeline mode, it may still be necessary to call PQflush() as well; but this change removes some inconsistency.

Avoid race condition when libpq initializes OpenSSL support concurrently in two different threads (Willi Mann, Michael Paquier)

Fix timing-dependent failure in GSSAPI data transmission (Tom Lane)
When using GSSAPI encryption in non-blocking mode, libpq sometimes failed with "GSSAPI caller failed to retransmit all data needing to be retried".

Change initdb to always un-comment the postgresql.conf entries for the lc_xxx parameters (Kyotaro Horiguchi)
initdb used to work this way before v16, and now it does again. The change caused initdb's option to not have the intended effect on lc_messages.

In pg_dump, don't dump RLS policies or security labels for extension member objects (Tom Lane, Jacob Champion)
Previously, commands would be included in the dump to set these properties, which is really incorrect since they should be considered as internal affairs of the extension. Moreover, the restoring user might not have adequate privilege to set them, and indeed the dumping user might not have enough privilege to dump them (since dumping RLS policies requires acquiring lock on their table).

In pg_dump, don't dump an extended statistics object if its underlying table isn't being dumped (Rian McGuire, Tom Lane)
This conforms to the behavior for other dependent objects such as indexes.

Properly detect out-of-memory in one code path in pg_dump (Daniel Gustafsson)

Make it an error for a pgbench script to end with an open pipeline (Anthonin Bonnefoy)
Previously, pgbench would behave oddly if a \startpipeline command lacked a matching \endpipeline. This seems like a scripting mistake rather than a case that pgbench needs to handle nicely, so throw an error.

Fix crash in contrib/intarray if an array with an element equal to INT_MAX is inserted into a gist__int_ops index (Alexander Lakhin, Tom Lane)

Report a better error when contrib/pageinspect's hash_bitmap_info() function is applied to a partitioned hash index (Alexander Lakhin, Michael Paquier)

Report a better error when contrib/pgstattuple's pgstathashindex() function is applied to a partitioned hash index (Alexander Lakhin)

On Windows, suppress autorun options when launching subprocesses in pg_ctl and pg_regress (Kyotaro Horiguchi)
When launching a child process via cmd.exe, pass the flag to prevent executing any autorun commands specified in the registry. This avoids possibly-surprising side effects.

Move is_valid_ascii() from mb/pg_wchar.h to utils/ascii.h (Jubilee Young)
This change avoids the need to include <simd.h> in pg_wchar.h, which was causing problems for some third-party code.

Fix compilation failures with libxml2 version 2.12.0 and later (Tom Lane) Fix compilation failure of WAL_DEBUG code on Windows (Bharath Rupireddy) Suppress compiler warnings from Python's header files (Peter Eisentraut, Tom Lane) Our preferred compiler options provoke warnings about constructs appearing in recent versions of Python's header files. When using gcc, we can suppress these warnings with a pragma. Avoid deprecation warning when compiling with LLVM 18 (Thomas Munro) Update time zone data files to tzdata release 2024a for DST law changes in Greenland, Kazakhstan, and Palestine, plus corrections for the Antarctic stations Casey and Vostok. Also historical corrections for Vietnam, Toronto, and Miquelon. Release 16.1 Release date: 2023-11-09 This release contains a variety of fixes from 16.0. For information about new features in major release 16, see . Migration to Version 16.1 A dump/restore is not required for those running 16.X. However, several mistakes have been discovered that could lead to certain types of indexes yielding wrong search results or being unnecessarily inefficient. It is advisable to REINDEX potentially-affected indexes after installing this update. See the fourth through seventh changelog entries below. Changes Fix handling of unknown-type arguments in DISTINCT "any" aggregate functions (Tom Lane) This error led to a text-type value being interpreted as an unknown-type value (that is, a zero-terminated string) at runtime. This could result in disclosure of server memory following the text value. The PostgreSQL Project thanks Jingzhou Fu for reporting this problem. (CVE-2023-5868) Detect integer overflow while computing new array dimensions (Tom Lane) When assigning new elements to array subscripts that are outside the current array bounds, an undetected integer overflow could occur in edge cases. Memory stomps that are potentially exploitable for arbitrary code execution are possible, and so is disclosure of server memory. 
The PostgreSQL Project thanks Pedro Gallegos for reporting this problem. (CVE-2023-5869) Prevent the pg_signal_backend role from signalling background workers and autovacuum processes (Noah Misch, Jelte Fennema-Nio) The documentation says that pg_signal_backend cannot issue signals to superuser-owned processes. It was able to signal these background processes, though, because they advertise a role OID of zero. Treat that as indicating superuser ownership. The security implications of cancelling one of these process types are fairly small so far as the core code goes (we'll just start another one), but extensions might add background workers that are more vulnerable. Also ensure that the is_superuser parameter is set correctly in such processes. No specific security consequences are known for that oversight, but it might be significant for some extensions. The PostgreSQL Project thanks Hemanth Sandrana and Mahendrakar Srinivasarao for reporting this problem. (CVE-2023-5870) Fix misbehavior during recursive page split in GiST index build (Heikki Linnakangas) Fix a case where the location of a page downlink was incorrectly tracked, and introduce some logic to allow recovering from such situations rather than silently doing the wrong thing. This error could result in incorrect answers from subsequent index searches. It may be advisable to reindex all GiST indexes after installing this update. Prevent de-duplication of btree index entries for interval columns (Noah Misch) There are interval values that are distinguishable but compare equal, for example 24:00:00 and 1 day. This breaks assumptions made by btree de-duplication, so interval columns need to be excluded from de-duplication. This oversight can cause incorrect results from index-only scans. Moreover, after updating amcheck will report an error for almost all such indexes. Users should reindex any btree indexes on interval columns. 
Process date values more sanely in BRIN datetime_minmax_multi_ops indexes (Tomas Vondra) The distance calculation for dates was backward, causing poor decisions about which entries to merge. The index still produces correct results, but is much less efficient than it should be. Reindexing BRIN minmax_multi indexes on date columns is advisable. Process large timestamp and timestamptz values more sanely in BRIN datetime_minmax_multi_ops indexes (Tomas Vondra) Infinities were mistakenly treated as having distance zero rather than a large distance from other values, causing poor decisions about which entries to merge. Also, finite-but-very-large values (near the endpoints of the representable timestamp range) could result in internal overflows, again causing poor decisions. The index still produces correct results, but is much less efficient than it should be. Reindexing BRIN minmax_multi indexes on timestamp and timestamptz columns is advisable if the column contains, or has contained, infinities or large finite values. Avoid calculation overflows in BRIN interval_minmax_multi_ops indexes with extreme interval values (Tomas Vondra) This bug might have caused unexpected failures while trying to insert large interval values into such an index. Fix partition step generation and runtime partition pruning for hash-partitioned tables with multiple partition keys (David Rowley) Some cases involving an IS NULL condition on one of the partition keys could result in a crash. Fix inconsistent rechecking of concurrently-updated rows during MERGE (Dean Rasheed) In READ COMMITTED mode, an update that finds that its target row was just updated by a concurrent transaction will recheck the query's WHERE conditions on the updated row. MERGE failed to ensure that the proper rows of other joined tables were used during this recheck, possibly resulting in incorrect decisions about whether the newly-updated row should be updated again by MERGE. 
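To act on the REINDEX advice in the 16.1 migration note and the GiST, btree-on-interval and BRIN minmax_multi entries above, the catalog query below lists candidate indexes in the current database. It is an added example, not part of the PostgreSQL release notes. It assumes the affected indexes can be identified by access method, by an operator class whose input type is interval, and by the datetime_minmax_multi_ops operator family named above.

```sql
-- Added example: list indexes that the 16.1 notes advise reindexing.
-- Run in each database of the cluster after installing the update.
SELECT n.nspname  AS schema_name,
       ic.relname AS index_name,
       tc.relname AS table_name,
       am.amname  AS access_method,
       CASE
           WHEN am.amname = 'gist'
               THEN 'GiST: recursive page split fix, may give wrong search results'
           WHEN am.amname = 'btree'
               THEN 'btree on interval: de-duplication, may give wrong index-only scan results'
           ELSE 'BRIN minmax_multi on date/timestamp/timestamptz: correct but inefficient'
       END AS reason,
       format('REINDEX INDEX %I.%I;', n.nspname, ic.relname) AS reindex_command
FROM pg_index i
JOIN pg_class     ic ON ic.oid = i.indexrelid
JOIN pg_class     tc ON tc.oid = i.indrelid
JOIN pg_namespace n  ON n.oid  = ic.relnamespace
JOIN pg_am        am ON am.oid = ic.relam
WHERE ic.relkind = 'i'        -- physical indexes only; partition leaves are listed individually
  AND (
        -- every GiST index
        am.amname = 'gist'
        -- btree indexes with at least one key column whose opclass takes interval input
     OR (am.amname = 'btree' AND EXISTS (
            SELECT 1
            FROM pg_opclass oc
            WHERE oc.oid = ANY (i.indclass::oid[])
              AND oc.opcintype = 'interval'::regtype))
        -- BRIN indexes using an opclass from the datetime_minmax_multi_ops family
     OR (am.amname = 'brin' AND EXISTS (
            SELECT 1
            FROM pg_opclass oc
            JOIN pg_opfamily f ON f.oid = oc.opcfamily
            WHERE oc.oid = ANY (i.indclass::oid[])
              AND f.opfname = 'datetime_minmax_multi_ops'))
      )
ORDER BY schema_name, index_name;
```

The GiST and btree rows are the ones that can return wrong answers, so handle them first; the BRIN rows affect only efficiency, and for timestamp and timestamptz columns only when the column holds or has held infinities or very large values.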
Correctly identify the target table in an inherited UPDATE/DELETE/MERGE even when the parent table is excluded by constraints (Amit Langote, Tom Lane) If the initially-named table is excluded by constraints, but not all its inheritance descendants are, the first non-excluded descendant was identified as the primary target table. This would lead to firing statement-level triggers associated with that table, rather than the initially-named table as should happen. In v16, the same oversight could also lead to invalid perminfoindex 0 in RTE with relid NNNN errors. Fix edge case in btree mark/restore processing of ScalarArrayOpExpr clauses (Peter Geoghegan) When restoring an indexscan to a previously marked position, the code could miss required setup steps if the scan had advanced exactly to the end of the matches for a ScalarArrayOpExpr (that is, an indexcol = ANY(ARRAY[])) clause. This could result in missing some rows that should have been fetched. Fix intra-query memory leak in Memoize execution (Orlov Aleksej, David Rowley) Fix intra-query memory leak when a set-returning function repeatedly returns zero rows (Tom Lane) Don't crash if cursor_to_xmlschema() is applied to a non-data-returning Portal (Boyu Yang) Fix improper sharing of origin filter condition across successive pg_logical_slot_get_changes() calls (Hou Zhijie) The origin condition set by one call of this function would be re-used by later calls that did not specify the origin argument. This was not intended. Throw the intended error if pgrowlocks() is applied to a partitioned table (David Rowley) Previously, a not-on-point complaint only heap AM is supported would be raised. Handle invalid indexes more cleanly in assorted SQL functions (Noah Misch) Report an error if pgstatindex(), pgstatginindex(), pgstathashindex(), or pgstattuple() is applied to an invalid index. 
If brin_desummarize_range(), brin_summarize_new_values(), brin_summarize_range(), or gin_clean_pending_list() is applied to an invalid index, do nothing except to report a debug-level message. Formerly these functions attempted to process the index, and might fail in strange ways depending on what the failed CREATE INDEX had left behind. Avoid premature memory allocation failure with long inputs to to_tsvector() (Tom Lane) Fix over-allocation of the constructed tsvector in tsvectorrecv() (Denis Erokhin) If the incoming vector includes position data, the binary receive function left wasted space (roughly equal to the size of the position data) in the finished tsvector. In extreme cases this could lead to maximum total lexeme length exceeded failures for vectors that were under the length limit when emitted. In any case it could lead to wasted space on-disk. Improve checks for corrupt PGLZ compressed data (Flavien Guedez) Fix ALTER SUBSCRIPTION so that a commanded change in the run_as_owner option is actually applied (Hou Zhijie) Fix bulk table insertion into partitioned tables (Andres Freund) Improper sharing of insertion state across partitions could result in failures during COPY FROM, typically manifesting as could not read block NNNN in file XXXX: read only 0 of 8192 bytes errors. In COPY FROM, avoid evaluating column default values that will not be needed by the command (Laurenz Albe) This avoids a possible error if the default value isn't actually valid for the column, or if the default's expression would fail in the current execution context. Such edge cases sometimes arise while restoring dumps, for example. Previous releases did not fail in this situation, so prevent v16 from doing so. In COPY FROM, fail cleanly when an unsupported encoding conversion is needed (Tom Lane) Recent refactoring accidentally removed the intended error check for this, such that it ended in cache lookup failed for function 0 instead of a useful error message. 
Avoid crash in EXPLAIN if a parameter marked to be displayed by EXPLAIN has a NULL boot-time value (Xing Guo, Aleksander Alekseev, Tom Lane) No built-in parameter fits this description, but an extension could define such a parameter. Ensure we have a snapshot while dropping ON COMMIT DROP temp tables (Tom Lane) This prevents possible misbehavior if any catalog entries for the temp tables have fields wide enough to require toasting (such as a very complex CHECK condition). Avoid improper response to shutdown signals in child processes just forked by system() (Nathan Bossart) This fix avoids a race condition in which a child process that has been forked off by system(), but hasn't yet exec'd the intended child program, might receive and act on a signal intended for the parent server process. That would lead to duplicate cleanup actions being performed, which will not end well. Cope with torn reads of pg_control in frontend programs (Thomas Munro) On some file systems, reading pg_control may not be an atomic action when the server concurrently writes that file. This is detectable via a bad CRC. Retry a few times to see if the file becomes valid before we report error. Avoid torn reads of pg_control in relevant SQL functions (Thomas Munro) Acquire the appropriate lock before reading pg_control, to ensure we get a consistent view of that file. Fix could not find pathkey item to sort errors occurring while planning aggregate functions with ORDER BY or DISTINCT options (David Rowley) Avoid integer overflow when computing size of backend activity string array (Jakub Wartak) On 64-bit machines we will allow values of track_activity_query_size large enough to cause 32-bit overflow when multiplied by the allowed number of connections. The code actually allocating the per-backend local array was careless about this though, and allocated the array incorrectly. 
Fix briefly showing inconsistent progress statistics for ANALYZE on inherited tables (Heikki Linnakangas) The block-level counters should be reset to zero at the same time we update the current-relation field. Fix the background writer to report any WAL writes it makes to the statistics counters (Nazir Bilal Yavuz) Fix confusion about forced-flush behavior in pgstat_report_wal() (Ryoga Yoshida, Michael Paquier) This could result in some statistics about WAL I/O being forgotten in a shutdown. Fix statistics tracking of temporary-table extensions (Karina Litskevich, Andres Freund) These were counted as normal-table writes when they should be counted as temp-table writes. When track_io_timing is enabled, include the time taken by relation extension operations as write time (Nazir Bilal Yavuz) Track the dependencies of cached CALL statements, and re-plan them when needed (Tom Lane) DDL commands, such as replacement of a function that has been inlined into a CALL argument, can create the need to re-plan a CALL that has been cached by PL/pgSQL. That was not happening, leading to misbehavior or strange errors such as cache lookup failed. Avoid a possible pfree-a-NULL-pointer crash after an error in OpenSSL connection setup (Sergey Shinderuk) Track nesting depth correctly when inspecting RECORD-type Vars from outer query levels (Richard Guo) This oversight could lead to assertion failures, core dumps, or bogus varno errors. Track hash function and negator function dependencies of ScalarArrayOpExpr plan nodes (David Rowley) In most cases this oversight was harmless, since these functions would be unlikely to disappear while the node's original operator remains present. Fix error-handling bug in RECORD type cache management (Thomas Munro) An out-of-memory error occurring at just the wrong point could leave behind inconsistent state that would lead to an infinite loop. 
Treat out-of-memory failures as fatal while reading WAL (Michael Paquier) Previously this would be treated as a bogus-data condition, leading to the conclusion that we'd reached the end of WAL, which is incorrect and could lead to inconsistent WAL replay. Fix possible recovery failure due to trying to allocate memory based on a bogus WAL record length field (Thomas Munro, Michael Paquier) Fix could not duplicate handle error occurring on Windows when min_dynamic_shared_memory is set above zero (Thomas Munro) Fix order of operations in GenericXLogFinish (Jeff Davis) This code violated the conditions required for crash safety by writing WAL before marking changed buffers dirty. No core code uses this function, but extensions do (contrib/bloom does, for example). Remove incorrect assertion in PL/Python exception handling (Alexander Lakhin) Fix pg_dump to dump the new run_as_owner option of subscriptions (Philip Warner) Due to this oversight, subscriptions would always be restored with run_as_owner set to false, which is not equivalent to their behavior in pre-v16 releases. Fix pg_restore so that selective restores will include both table-level and column-level ACLs for selected tables (Euler Taveira, Tom Lane) Formerly, only the table-level ACL would get restored if both types were present. Add logic to pg_upgrade to check for use of abstime, reltime, and tinterval data types (Álvaro Herrera) These obsolete data types were removed in PostgreSQL version 12, so check to make sure they aren't present in an older database before claiming it can be upgraded. Avoid false too many client connections errors in pgbench on Windows (Noah Misch) Fix vacuumdb's handling of multiple switches (Nathan Bossart, Kuwamura Masaki) Multiple switches should exclude tables in multiple schemas, but in fact excluded nothing due to faulty construction of a generated query. 
Fix vacuumdb to honor its option in analyze-only mode (Ryoga Yoshida, David Rowley) In contrib/amcheck, do not report interrupted page deletion as corruption (Noah Misch) This fix prevents false-positive reports of the first child of leftmost target page is not leftmost of its level, block NNNN is not leftmost or left link/right link pair in index XXXX not in agreement. They appeared if amcheck ran after an unfinished btree index page deletion and before VACUUM had cleaned things up. Fix failure of contrib/btree_gin indexes on interval columns, when an indexscan using the < or <= operator is performed (Dean Rasheed) Such an indexscan failed to return all the entries it should. Add support for LLVM 16 and 17 (Thomas Munro, Dmitry Dolgov) Suppress assorted build-time warnings on recent macOS (Tom Lane) Xcode 15 (released with macOS Sonoma) changed the linker's behavior in a way that causes many duplicate-library warnings while building PostgreSQL. These were harmless, but they're annoying so avoid citing the same libraries twice. Also remove use of the linker switch, which apparently has been a no-op for a long time, and is now actively complained of. When building contrib/unaccent's rules file, fall back to using python if --with-python was not given and make variable PYTHON was not set (Japin Li) Remove PHOT (Phoenix Islands Time) from the default timezone abbreviations list (Tom Lane) Presence of this abbreviation in the default list can cause failures on recent Debian and Ubuntu releases, as they no longer install the underlying tzdb entry by default. Since this is a made-up abbreviation for a zone with a total human population of about two dozen, it seems unlikely that anyone will miss it. If someone does, they can put it back via a custom abbreviations file. 
Release 16 Release date: 2023-09-14 Overview PostgreSQL 16 contains many new features and enhancements, including: Allow parallelization of FULL and internal right OUTER hash joins Allow logical replication from standby servers Allow logical replication subscribers to apply large transactions in parallel Allow monitoring of I/O statistics using the new pg_stat_io view Add SQL/JSON constructors and identity functions Improve performance of vacuum freezing Add support for regular expression matching of user and database names in pg_hba.conf, and user names in pg_ident.conf The above items and other new features of PostgreSQL 16 are explained in more detail in the sections below. Migration to Version 16 A dump/restore using or use of or logical replication is required for those wishing to migrate data from any previous release. See for general information on migrating to new major releases. Version 16 contains a number of changes that may affect compatibility with previous releases. Observe the following incompatibilities: Change assignment rules for PL/pgSQL bound cursor variables (Tom Lane) Previously, the string value of such variables was set to match the variable name during cursor assignment; now it will be assigned during OPEN, and will not match the variable name. To restore the previous behavior, assign the desired portal name to the cursor variable before OPEN. Disallow NULLS NOT DISTINCT indexes for primary keys (Daniel Gustafsson) Change REINDEX DATABASE and reindexdb to not process indexes on system catalogs (Simon Riggs) Processing such indexes is still possible using REINDEX SYSTEM and reindexdb --system. Tighten GENERATED expression restrictions on inherited and partitioned tables (Amit Langote, Tom Lane) Columns of parent/partitioned and child/partition tables must all have the same generation status, though now the actual generation expressions can be different. 
Remove pg_walinspect functions pg_get_wal_records_info_till_end_of_wal() and pg_get_wal_stats_till_end_of_wal() (Bharath Rupireddy) Rename server variable force_parallel_mode to debug_parallel_query (David Rowley) Remove the ability to create views manually with ON SELECT rules (Tom Lane) Remove the server variable vacuum_defer_cleanup_age (Andres Freund) This has been unnecessary since hot_standby_feedback and replication slots were added. Remove server variable promote_trigger_file (Simon Riggs) This was used to promote a standby to primary, but is now more easily accomplished with pg_ctl promote or pg_promote(). Remove read-only server variables lc_collate and lc_ctype (Peter Eisentraut) Collations and locales can vary between databases so having them as read-only server variables was unhelpful. Role inheritance now controls the default inheritance status of member roles added during GRANT (Robert Haas) The role's default inheritance behavior can be overridden with the new GRANT ... WITH INHERIT clause. This allows inheritance of some roles and not others because the members' inheritance status is set at GRANT time. Previously the inheritance status of member roles was controlled only by the role's inheritance status, and changes to a role's inheritance status affected all previous and future member roles. Restrict the privileges of CREATEROLE and its ability to modify other roles (Robert Haas) Previously roles with CREATEROLE privileges could change many aspects of any non-superuser role. Such changes, including adding members, now require the role requesting the change to have ADMIN OPTION permission. For example, they can now change the CREATEDB, REPLICATION, and BYPASSRLS properties only if they also have those permissions. Remove symbolic links for the postmaster binary (Peter Eisentraut) Changes Below you will find a detailed account of the changes between PostgreSQL 16 and the previous major release. 
Server Optimizer Allow incremental sorts in more cases, including DISTINCT (David Rowley) Add the ability for aggregates having ORDER BY or DISTINCT to use pre-sorted data (David Rowley) The new server variable enable_presorted_aggregate can be used to disable this. Allow memoize atop a UNION ALL (Richard Guo) Allow anti-joins to be performed with the non-nullable input as the inner relation (Richard Guo) Allow parallelization of FULL and internal right OUTER hash joins (Melanie Plageman, Thomas Munro) Improve the accuracy of GIN index access optimizer costs (Ronan Dunklau) General Performance Allow more efficient addition of heap and index pages (Andres Freund) During non-freeze operations, perform page freezing where appropriate (Peter Geoghegan) This makes full-table freeze vacuums less necessary. Allow window functions to use the faster ROWS mode internally when RANGE mode is active but unnecessary (David Rowley) Allow optimization of always-increasing window functions ntile(), cume_dist() and percent_rank() (David Rowley) Allow aggregate functions string_agg() and array_agg() to be parallelized (David Rowley) Improve performance by caching RANGE and LIST partition lookups (Amit Langote, Hou Zhijie, David Rowley) Allow control of the shared buffer usage by vacuum and analyze (Melanie Plageman) The VACUUM/ANALYZE option is BUFFER_USAGE_LIMIT, and the vacuumdb option is . The default value is set by server variable vacuum_buffer_usage_limit, which also controls autovacuum. Support wal_sync_method=fdatasync on Windows (Thomas Munro) Allow HOT updates if only BRIN-indexed columns are updated (Matthias van de Meent, Josef Simanek, Tomas Vondra) Improve the speed of updating the process title (David Rowley) Allow xid/subxid searches and ASCII string detection to use vector operations (Nathan Bossart, John Naylor) ASCII detection is particularly useful for COPY FROM. Vector operations are also used for some C array searches. 
Reduce overhead of memory allocations (Andres Freund, David Rowley) Monitoring Add system view pg_stat_io to track I/O statistics (Melanie Plageman) Record statistics on the last sequential and index scans on tables (Dave Page) This information appears in pg_stat_*_tables and pg_stat_*_indexes. Record statistics on the occurrence of updated rows moving to new pages (Corey Huinker) The pg_stat_*_tables column is n_tup_newpage_upd. Add speculative lock information to the pg_locks system view (Masahiko Sawada, Noriyoshi Shinoda) The transaction id is displayed in the transactionid column and the speculative insertion token is displayed in the objid column. Add the display of prepared statement result types to the pg_prepared_statements view (Dagfinn Ilmari Mannsåker) Create subscription statistics entries at subscription creation time so stats_reset is accurate (Andres Freund) Previously entries were created only when the first statistics were reported. Correct the I/O accounting for temp relation writes shown in pg_stat_database (Melanie Plageman) Add function pg_stat_get_backend_subxact() to report on a session's subtransaction cache (Dilip Kumar) Have pg_stat_get_backend_idset(), pg_stat_get_backend_activity(), and related functions use the unchanging backend id (Nathan Bossart) Previously the index values might change during the lifetime of the session. Report stand-alone backends with a special backend type (Melanie Plageman) Add wait event SpinDelay to report spinlock sleep delays (Andres Freund) Create new wait event DSMAllocate to indicate waiting for dynamic shared memory allocation (Thomas Munro) Previously this type of wait was reported as DSMFillZeroWrite, which was also used by mmap() allocations. Add the database name to the process title of logical WAL senders (Tatsuhiro Nakamori) Physical WAL senders do not display a database name. 
Add checkpoint and REDO LSN information to log_checkpoints messages (Bharath Rupireddy, Kyotaro Horiguchi) Provide additional details during client certificate failures (Jacob Champion) Privileges Add predefined role pg_create_subscription with permission to create subscriptions (Robert Haas) Allow subscriptions to not require passwords (Robert Haas) This is accomplished with the option password_required=false. Simplify permissions for LOCK TABLE (Jeff Davis) Previously a user's ability to perform LOCK TABLE at various lock levels was limited to the lock levels required by the commands they had permission to execute on the table. For example, someone with UPDATE permission could perform all lock levels except ACCESS SHARE, even though it was a lesser lock level. Now users can issue lesser lock levels if they already have permission for greater lock levels. Allow ALTER GROUP group_name ADD USER user_name to be performed with ADMIN OPTION (Robert Haas) Previously CREATEROLE permission was required. Allow GRANT to use WITH ADMIN TRUE/FALSE syntax (Robert Haas) Previously only the WITH ADMIN OPTION syntax was supported. Allow roles that create other roles to automatically inherit the new role's rights or the ability to SET ROLE to the new role (Robert Haas, Shi Yu) This is controlled by server variable createrole_self_grant. Prevent users from changing the default privileges of non-inherited roles (Robert Haas) This is now only allowed for inherited roles. When granting role membership, require the granted-by role to be a role that has appropriate permissions (Robert Haas) This is a requirement even when a non-bootstrap superuser is granting role membership. Allow non-superusers to grant permissions using a granted-by user that is not the current user (Robert Haas) The current user still must have sufficient permissions given by the specified granted-by user. Add GRANT to control permission to use SET ROLE (Robert Haas) This is controlled by a new GRANT ... SET option. 
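The role membership options described in the Privileges entries above (WITH ADMIN TRUE/FALSE, GRANT ... WITH INHERIT, and the GRANT ... SET option), shown together as an added example that is not part of the PostgreSQL release notes. The role names app_owner, deploy_bot and auditor are constructed placeholders; the script assumes a superuser session on version 16 and rolls itself back.

```sql
-- Added example: per-grant INHERIT and SET options in PostgreSQL 16.
-- Role names are constructed placeholders; nothing is kept after ROLLBACK.
BEGIN;

CREATE ROLE app_owner  NOLOGIN;
CREATE ROLE deploy_bot LOGIN;
CREATE ROLE auditor    LOGIN;

-- deploy_bot does not carry app_owner's privileges implicitly, but may
-- switch to it explicitly with SET ROLE when a deployment needs them.
GRANT app_owner TO deploy_bot WITH INHERIT FALSE, SET TRUE;

-- auditor uses app_owner's privileges implicitly, but cannot SET ROLE to it,
-- so it cannot act as app_owner (for example, create objects owned by it).
GRANT app_owner TO auditor WITH INHERIT TRUE, SET FALSE;

-- The options are stored per membership record, together with the grantor.
SELECT r.rolname AS granted_role,
       m.rolname AS member,
       g.rolname AS grantor,
       am.admin_option,
       am.inherit_option,
       am.set_option
FROM pg_auth_members am
JOIN pg_roles r ON r.oid = am.roleid
JOIN pg_roles m ON m.oid = am.member
JOIN pg_roles g ON g.oid = am.grantor
WHERE r.rolname = 'app_owner'
ORDER BY member;

-- Effective view of the same grants: USAGE tests whether the privileges are
-- available without SET ROLE, SET tests whether SET ROLE is permitted.
SELECT v.member_name,
       pg_has_role(v.member_name::name, 'app_owner'::name, 'USAGE') AS privileges_without_set_role,
       pg_has_role(v.member_name::name, 'app_owner'::name, 'SET')   AS may_set_role
FROM (VALUES ('deploy_bot'), ('auditor')) AS v(member_name);

ROLLBACK;
```

The first query is also usable as a standing audit: drop the WHERE clause to review every membership record, including which grantor each depends on.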
Add dependency tracking to roles which have granted privileges (Robert Haas) For example, removing ADMIN OPTION will fail if there are privileges using that option; CASCADE must be used to revoke dependent permissions. Add dependency tracking of grantors for GRANT records (Robert Haas) This guarantees that pg_auth_members.grantor values are always valid. Allow multiple role membership records (Robert Haas) Previously a new membership grant would remove a previous matching membership grant, even if other aspects of the grant did not match. Prevent removal of superuser privileges for the bootstrap user (Robert Haas) Restoring such users could lead to errors. Allow makeaclitem() to accept multiple privilege names (Robins Tharakan) Previously only a single privilege name, like SELECT, was accepted. Server Configuration Add support for Kerberos credential delegation (Stephen Frost) This is enabled with server variable gss_accept_delegation and libpq connection parameter gssdelegation. Allow the SCRAM iteration count to be set with server variable scram_iterations (Daniel Gustafsson) Improve performance of server variable management (Tom Lane) Tighten restrictions on which server variables can be reset (Masahiko Sawada) Previously, while certain variables, like transaction_isolation, were not affected by RESET ALL, they could be individually reset in inappropriate situations. Move various postgresql.conf items into new categories (Shinya Kato) This also affects the categories displayed in the pg_settings view. Prevent configuration file recursion beyond 10 levels (Julien Rouhaud) Allow autovacuum to more frequently honor changes to delay settings (Melanie Plageman) Rather than honor changes only at the start of each relation, honor them at the start of each block. Remove restrictions that archive files be durably renamed (Nathan Bossart) The archive_command command is now more likely to be called with already-archived files after a crash. 
Prevent archive_library and archive_command from being set at the same time (Nathan Bossart) Previously archive_library would override archive_command. Allow the postmaster to terminate children with an abort signal (Tom Lane) This allows collection of a core dump for a stuck child process. This is controlled by send_abort_for_crash and send_abort_for_kill. The postmaster's switch is now the same as setting send_abort_for_crash. Remove the non-functional postmaster option (Tom Lane) Allow the server to reserve backend slots for roles with pg_use_reserved_connections membership (Nathan Bossart) The number of reserved slots is set by server variable reserved_connections. Allow huge pages to work on newer versions of Windows 10 (Thomas Munro) This adds the special handling required to enable huge pages on newer versions of Windows 10. Add debug_io_direct setting for developer usage (Thomas Munro, Andres Freund, Bharath Rupireddy) While primarily for developers, wal_sync_method=open_sync/open_datasync has been modified to not use direct I/O with wal_level=minimal; this is now enabled with debug_io_direct=wal. Add function pg_split_walfile_name() to report the segment and timeline values of WAL file names (Bharath Rupireddy) pg_hba.conf Add support for regular expression matching on database and role entries in pg_hba.conf (Bertrand Drouvot) Regular expression patterns are prefixed with a slash. Database and role names that begin with slashes need to be double-quoted if referenced in pg_hba.conf. Improve user-column handling of pg_ident.conf to match pg_hba.conf (Jelte Fennema) Specifically, add support for all, role membership with +, and regular expressions with a leading slash. Any user name that matches these patterns must be double-quoted. Allow include files in pg_hba.conf and pg_ident.conf (Julien Rouhaud) These are controlled by include, include_if_exists, and include_dir. 
System views pg_hba_file_rules and pg_ident_file_mappings now display the file name. Allow pg_hba.conf tokens to be of unlimited length (Tom Lane) Add rule and map numbers to the system view pg_hba_file_rules (Julien Rouhaud) Localization Determine the default encoding from the locale when using ICU (Jeff Davis) Previously the default was always UTF-8. Have CREATE DATABASE and CREATE COLLATION's LOCALE options, and initdb and createdb options, control non-libc collation providers (Jeff Davis) Previously they only controlled libc providers. Add predefined collations unicode and ucs_basic (Peter Eisentraut) This only works if ICU support is enabled. Allow custom ICU collation rules to be created (Peter Eisentraut) This is done using CREATE COLLATION's new RULES clause, as well as new options for CREATE DATABASE, createdb, and initdb. Allow Windows to import system locales automatically (Juan José Santamaría Flecha) Previously, only ICU locales could be imported on Windows. Logical Replication Allow logical decoding on standbys (Bertrand Drouvot, Andres Freund, Amit Khandekar) Snapshot WAL records are required for logical slot creation but cannot be created on standbys. To avoid delays, the new function pg_log_standby_snapshot() allows creation of such records. Add server variable to control how logical decoding publishers transfer changes and how subscribers apply them (Shi Yu) The variable is debug_logical_replication_streaming. Allow logical replication initial table synchronization to copy rows in binary format (Melih Mutlu) This is only possible for subscriptions marked as binary. Allow parallel application of logical replication (Hou Zhijie, Wang Wei, Amit Kapila) The CREATE SUBSCRIPTION option now supports parallel to enable application of large transactions by parallel workers. 
The number of parallel workers is controlled by the new server variable max_parallel_apply_workers_per_subscription. Wait events LogicalParallelApplyMain, LogicalParallelApplyStateChange, and LogicalApplySendData were also added. Column leader_pid was added to system view pg_stat_subscription to track parallel activity.
Improve performance for logical replication apply without a primary key (Onder Kalaci, Amit Kapila) Specifically, REPLICA IDENTITY FULL can now use btree indexes rather than sequentially scanning the table to find matches.
Allow logical replication subscribers to process only changes that have no origin (Vignesh C, Amit Kapila) This can be used to avoid replication loops. This is controlled by the new CREATE SUBSCRIPTION ... ORIGIN option.
Perform logical replication SELECT and DML actions as the table owner (Robert Haas) This improves security and now requires subscription owners to be either superusers or to have SET ROLE permission on all roles owning tables in the replication set. The previous behavior of performing all operations as the subscription owner can be enabled with the subscription option.
Have wal_retrieve_retry_interval operate on a per-subscription basis (Nathan Bossart) Previously the retry time was applied globally. This also adds wait events LogicalRepLauncherDSA and LogicalRepLauncherHash.

Utility Commands

Add EXPLAIN option GENERIC_PLAN to display the generic plan for a parameterized query (Laurenz Albe)
Allow a COPY FROM value to map to a column's DEFAULT (Israel Barth Rubio)
Allow COPY into foreign tables to add rows in batches (Andrey Lepikhov, Etsuro Fujita) This is controlled by the postgres_fdw option .
Allow the STORAGE type to be specified by CREATE TABLE (Teodor Sigaev, Aleksander Alekseev) Previously only ALTER TABLE could control this.
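For the logical replication change above that applies changes as the table owner, a subscriber-side audit can show which subscriptions still use the older behavior and which tables their owners cannot act for. This is an added example, not part of the release notes; it assumes the PostgreSQL 16 catalogs pg_subscription (columns subrunasowner and suborigin) and pg_subscription_rel, and pg_has_role() with the SET privilege type.

```sql
-- Added example (not from the PostgreSQL release notes).
-- Run in each subscriber database. pg_subscription is cluster-wide, while
-- pg_subscription_rel only resolves tables of the current database.

-- 1. How each subscription in this database applies changes:
--    subrunasowner = true  -> applies as the subscription owner (older behavior)
--    subrunasowner = false -> switches to each table's owner (the 16 default)
--    suborigin = 'none' means only changes with no origin are requested.
SELECT s.subname,
       pg_get_userbyid(s.subowner) AS subscription_owner,
       s.subrunasowner,
       s.suborigin
FROM pg_subscription AS s
WHERE s.subdbid = (SELECT d.oid
                   FROM pg_database AS d
                   WHERE d.datname = current_database())
ORDER BY s.subname;

-- 2. Subscribed tables whose owner the subscription owner cannot SET ROLE to.
--    With subrunasowner = false, apply for these tables is not permitted until
--    the subscription owner is granted the table owner's role WITH SET TRUE
--    or ownership is changed. pg_has_role() is true for superusers and when
--    both roles are the same, so neither case is reported.
SELECT s.subname,
       pg_get_userbyid(s.subowner) AS subscription_owner,
       c.oid::regclass             AS target_table,
       pg_get_userbyid(c.relowner) AS table_owner
FROM pg_subscription AS s
JOIN pg_subscription_rel AS sr ON sr.srsubid = s.oid
JOIN pg_class AS c             ON c.oid = sr.srrelid
WHERE NOT s.subrunasowner
  AND NOT pg_has_role(s.subowner, c.relowner, 'SET')
ORDER BY s.subname, target_table;
```

Rows from the first query with subrunasowner set to true are the ones to review, since code run during apply (triggers, defaults, index expressions) executes with the subscription owner's privileges there.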
Allow truncate triggers on foreign tables (Yugo Nagata)
Allow VACUUM and vacuumdb to only process TOAST tables (Nathan Bossart) This is accomplished by having VACUUM turn off PROCESS_MAIN or by vacuumdb using the option.
Add VACUUM options to skip or update all frozen statistics (Tom Lane, Nathan Bossart) The options are SKIP_DATABASE_STATS and ONLY_DATABASE_STATS.
Change REINDEX DATABASE and REINDEX SYSTEM to no longer require an argument (Simon Riggs) Previously the database name had to be specified.
Allow CREATE STATISTICS to generate a statistics name if none is specified (Simon Riggs)

Data Types

Allow non-decimal integer literals (Peter Eisentraut) For example, 0x42F, 0o273, and 0b100101.
Allow NUMERIC to process hexadecimal, octal, and binary integers of any size (Dean Rasheed) Previously only unquoted eight-byte integers were supported with these non-decimal bases.
Allow underscores in integer and numeric constants (Peter Eisentraut, Dean Rasheed) This can improve readability for long strings of digits.
Accept the spelling +infinity in datetime input (Vik Fearing)
Prevent the specification of epoch and infinity together with other fields in datetime strings (Joseph Koshakow)
Remove undocumented support for date input in the form YyearMmonthDday (Joseph Koshakow)
Add functions pg_input_is_valid() and pg_input_error_info() to check for type conversion errors (Tom Lane)

General Queries

Allow subqueries in the FROM clause to omit aliases (Dean Rasheed)
Add support for enhanced numeric literals in SQL/JSON paths (Peter Eisentraut) For example, allow hexadecimal, octal, and binary integers and underscores between digits.

Functions

Add SQL/JSON constructors (Nikita Glukhov, Teodor Sigaev, Oleg Bartunov, Alexander Korotkov, Amit Langote) The new functions JSON_ARRAY(), JSON_ARRAYAGG(), JSON_OBJECT(), and JSON_OBJECTAGG() are part of the SQL standard.
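The pg_input_is_valid() and pg_input_error_info() functions listed under Data Types above let untrusted text be screened before it is cast, and they interact with the new non-decimal and underscore integer forms. The following is an added example, not part of the release notes; the tables staging_quota and app_quota and all rows are constructed for illustration.

```sql
-- Added example (not from the PostgreSQL release notes).
-- Constructed tables and rows; run in a scratch database on PostgreSQL 16.
CREATE TEMP TABLE staging_quota (raw text);            -- untrusted strings, e.g. from an upload
CREATE TEMP TABLE app_quota (quota integer NOT NULL);  -- typed destination

INSERT INTO staging_quota (raw) VALUES
    ('5432'),          -- plain decimal
    ('0x1538'),        -- hexadecimal form
    ('0b1010'),        -- binary form
    ('1_000'),         -- underscore between digits
    ('99999999999'),   -- too large for integer
    ('54 32'),         -- embedded space
    ('five');          -- not a number

-- Per-value report: would integer input accept it, and if not, why?
-- Neither function raises an error, so one bad row cannot abort the
-- statement the way a failing cast would.
SELECT s.raw,
       pg_input_is_valid(s.raw, 'integer') AS accepted,
       e.message,
       e.sql_error_code
FROM staging_quota AS s
CROSS JOIN LATERAL pg_input_error_info(s.raw, 'integer') AS e
ORDER BY s.raw;

-- pg_input_is_valid() answers "can this be cast?", not "does this match the
-- application's policy?". Integer input accepts the non-decimal and
-- underscore forms as well, so a decimal-only policy needs its own check.
-- Here the regular expression enforces the policy and pg_input_is_valid()
-- rejects digit strings that are out of range for the type.
INSERT INTO app_quota (quota)
SELECT s.raw::integer
FROM staging_quota AS s
WHERE s.raw ~ '^[0-9]+$'
  AND pg_input_is_valid(s.raw, 'integer');

-- Values that were not loaded, with the reason where the type rejected them.
SELECT s.raw, e.message
FROM staging_quota AS s
CROSS JOIN LATERAL pg_input_error_info(s.raw, 'integer') AS e
WHERE NOT (s.raw ~ '^[0-9]+$' AND pg_input_is_valid(s.raw, 'integer'))
ORDER BY s.raw;
```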
Add SQL/JSON object checks (Nikita Glukhov, Teodor Sigaev, Oleg Bartunov, Alexander Korotkov, Amit Langote, Andrew Dunstan) The IS JSON checks include checks for values, arrays, objects, scalars, and unique keys.
Allow JSON string parsing to use vector operations (John Naylor)
Improve the handling of full text highlighting function ts_headline() for OR and NOT expressions (Tom Lane)
Add functions to add, subtract, and generate timestamptz values in a specified time zone (Przemyslaw Sztoch, Gurjeet Singh) The functions are date_add(), date_subtract(), and generate_series().
Change date_trunc(unit, timestamptz, time_zone) to be an immutable function (Przemyslaw Sztoch) This allows the creation of expression indexes using this function.
Add server variable SYSTEM_USER (Bertrand Drouvot) This reports the authentication method and its authenticated user.
Add functions array_sample() and array_shuffle() (Martin Kalcher)
Add aggregate function ANY_VALUE() which returns any value from a set (Vik Fearing)
Add function random_normal() to supply normally-distributed random numbers (Paul Ramsey)
Add error function erf() and its complement erfc() (Dean Rasheed)
Improve the accuracy of numeric power() for integer exponents (Dean Rasheed)
Add XMLSERIALIZE() option INDENT to pretty-print its output (Jim Jones)
Change pg_collation_actual_version() to return a reasonable value for the default collation (Jeff Davis) Previously it returned NULL.
Allow pg_read_file() and pg_read_binary_file() to ignore missing files (Kyotaro Horiguchi)
Add byte specification (B) to pg_size_bytes() (Peter Eisentraut)
Allow to_reg* functions to accept numeric OIDs as input (Tom Lane)

PL/pgSQL

Add the ability to get the current function's OID in PL/pgSQL (Pavel Stehule) This is accomplished with GET DIAGNOSTICS variable = PG_ROUTINE_OID.
libpq

Add libpq connection option to specify a list of acceptable authentication methods (Jacob Champion) This can also be used to disallow certain authentication methods.
Allow multiple libpq-specified hosts to be randomly selected (Jelte Fennema) This is enabled with load_balance_hosts=random and can be used for load balancing.
Add libpq option to control transmission of the client certificate (Jacob Champion) The option values are disable, allow, and require.
Allow libpq to use the system certificate pool for certificate verification (Jacob Champion, Thomas Habets) This is enabled with sslrootcert=system, which also enables sslmode=verify-full.

Client Applications

Allow ECPG variable declarations to use typedef names that match unreserved SQL keywords (Tom Lane) This change does prevent keywords which match C typedef names from being processed as keywords in later EXEC SQL blocks.

psql

Allow psql to control the maximum width of header lines in expanded format (Platon Pronko) This is controlled by .
Add psql command \drg to show role membership details (Pavel Luzanov) The Member of output column has been removed from \du and \dg because this new command displays this information in more detail.
Allow psql's access privilege commands to show system objects (Nathan Bossart) The options are \dpS and \zS.
Add FOREIGN designation to psql \d+ for foreign table children and partitions (Ian Lawrence Barwick)
Prevent \df+ from showing function source code (Isaac Morland) Function bodies are more easily viewed with \sf.
Allow psql to submit queries using the extended query protocol (Peter Eisentraut) Passing arguments to such queries is done using the new psql \bind command.
Allow psql \watch to limit the number of executions (Andrey Borodin) The \watch options can now be named when specified.
Detect invalid values for psql \watch, and allow zero to specify no delay (Andrey Borodin)
Allow psql scripts to obtain the exit status of shell commands and queries (Corey Huinker, Tom Lane) The new psql control variables are SHELL_ERROR and SHELL_EXIT_CODE.
Various psql tab completion improvements (Vignesh C, Aleksander Alekseev, Dagfinn Ilmari Mannsåker, Shi Yu, Michael Paquier, Ken Kato, Peter Smith)

pg_dump

Add pg_dump control of dumping child tables and partitions (Gilles Darold) The new options are , , and .
Add LZ4 and Zstandard compression to pg_dump (Georgios Kokolatos, Justin Pryzby)
Allow pg_dump and pg_basebackup to use long mode for compression (Justin Pryzby)
Improve pg_dump to accept a more consistent compression syntax (Georgios Kokolatos) Options like .

Server Applications

Add initdb option to set server variables for the duration of initdb and all future server starts (Tom Lane) The option is .
Add options to createuser to control more user options (Shinya Kato) Specifically, the new options control the valid-until date, bypassing of row-level security, and role membership.
Deprecate createuser option (Nathan Bossart) This option could be easily confused with new createuser role membership options, so option has been added with the same functionality. The option can still be used.
Allow control of vacuumdb schema processing (Gilles Darold) These are controlled by options and .
Use new VACUUM options to improve the performance of vacuumdb (Tom Lane, Nathan Bossart)
Have pg_upgrade set the new cluster's locale and encoding (Jeff Davis) This removes the requirement that the new cluster be created with the same locale and encoding settings.
Add pg_upgrade option to specify the default transfer mode (Peter Eisentraut) The option is .
Improve pg_basebackup to accept numeric compression options (Georgios Kokolatos, Michael Paquier) Options like are now supported.
Fix pg_basebackup to handle tablespaces stored in the PGDATA directory (Robert Haas)
Add pg_waldump option to dump full page images (David Christensen)
Allow pg_waldump options / to accept hexadecimal values (Peter Eisentraut)
Add support for progress reporting to pg_verifybackup (Masahiko Sawada)
Allow pg_rewind to properly track timeline changes (Heikki Linnakangas) Previously if pg_rewind was run after a timeline switch but before a checkpoint was issued, it might incorrectly determine that a rewind was unnecessary.
Have pg_receivewal and pg_recvlogical cleanly exit on SIGTERM (Christoph Berg) This signal is often used by systemd.

Source Code

Build ICU support by default (Jeff Davis) This removes build flag and adds flag .
Add support for SSE2 (Streaming SIMD Extensions 2) vector operations on x86-64 architectures (John Naylor)
Add support for Advanced SIMD (Single Instruction Multiple Data) (NEON) instructions on ARM architectures (Nathan Bossart)
Have Windows binaries built with MSVC use RandomizedBaseAddress (ASLR) (Michael Paquier) This was already enabled on MinGW builds.
Prevent extension libraries from exporting their symbols by default (Andres Freund, Tom Lane) Functions that need to be called from the core backend or other extensions must now be explicitly marked PGDLLEXPORT.
Require Windows 10 or newer versions (Michael Paquier, Juan José Santamaría Flecha) Previously Windows Vista and Windows XP were supported.
Require Perl version 5.14 or later (John Naylor)
Require Bison version 2.3 or later (John Naylor)
Require Flex version 2.5.35 or later (John Naylor)
Require MIT Kerberos for GSSAPI support (Stephen Frost)
Remove support for Visual Studio 2013 (Michael Paquier)
Remove support for HP-UX (Thomas Munro)
Remove support for HP/Intel Itanium (Thomas Munro)
Remove support for M68K, M88K, M32R, and SuperH CPU architectures (Thomas Munro)
Remove libpq support for SCM credential authentication (Michael Paquier) Backend support for this authentication method was removed in PostgreSQL 9.1.
Add meson build system (Andres Freund, Nazir Bilal Yavuz, Peter Eisentraut) This eventually will replace the Autoconf and Windows-based MSVC build systems.
Allow control of the location of the openssl binary used by the build system (Peter Eisentraut) Make finding openssl program a configure or meson option.
Add build option to allow testing of small table segment sizes (Andres Freund) The build options are and .
Add pgindent options (Andrew Dunstan) The new options are , , , and , and allow multiple options. Also require the typedef file to be explicitly specified. Options and were also removed.
Add pg_bsd_indent source code to the main tree (Tom Lane)
Improve make_ctags and make_etags (Yugo Nagata)
Adjust pg_attribute columns for efficiency (Peter Eisentraut)

Additional Modules

Improve use of extension-based indexes on boolean columns (Zongliang Quan, Tom Lane)
Add support for Daitch-Mokotoff Soundex to fuzzystrmatch (Dag Lem)
Allow auto_explain to log values passed to parameterized statements (Dagfinn Ilmari Mannsåker) This affects queries using server-side PREPARE/EXECUTE and client-side parse/bind. Logging is controlled by auto_explain.log_parameter_max_length; by default query parameters will be logged with no length restriction.
Have auto_explain's mode honor the value of compute_query_id (Atsushi Torikoshi) Previously even if compute_query_id was enabled, was not showing the query identifier.
Change the maximum length of ltree labels from 256 to 1000 and allow hyphens (Garen Torikian)
Have pg_stat_statements normalize constants used in utility commands (Michael Paquier) Previously constants appeared instead of placeholders, e.g., $1.
Add pg_walinspect function pg_get_wal_block_info() to report WAL block information (Michael Paquier, Melanie Plageman, Bharath Rupireddy)
Change how pg_walinspect functions pg_get_wal_records_info() and pg_get_wal_stats() interpret ending LSNs (Bharath Rupireddy) Previously ending LSNs which represent nonexistent WAL locations would generate an error, while they will now be interpreted as the end of the WAL.
Add detailed descriptions of WAL records in pg_walinspect and pg_waldump (Melanie Plageman, Peter Geoghegan)
Add pageinspect function bt_multi_page_stats() to report statistics on multiple pages (Hamid Akhtar) This is similar to bt_page_stats() except it can report on a range of pages.
Add empty range output column to pageinspect function brin_page_items() (Tomas Vondra)
Redesign archive modules to be more flexible (Nathan Bossart) Initialization changes will require modules written for older versions of Postgres to be updated.
Correct inaccurate pg_stat_statements row tracking extended query protocol statements (Sami Imseih)
Add pg_buffercache function pg_buffercache_usage_counts() to report usage totals (Nathan Bossart)
Add pg_buffercache function pg_buffercache_summary() to report summarized buffer statistics (Melih Mutlu)
Allow the schemas of required extensions to be referenced in extension scripts using the new syntax @extschema:referenced_extension_name@ (Regina Obe)
Allow required extensions to be marked as non-relocatable using no_relocate (Regina Obe) This allows @extschema:referenced_extension_name@ to be treated as a constant for the lifetime of the extension.

postgres_fdw

Allow postgres_fdw to do aborts in parallel (Etsuro Fujita) This is enabled with postgres_fdw option .
Make ANALYZE on foreign postgres_fdw tables more efficient (Tomas Vondra) The postgres_fdw option controls the sampling method.
Restrict shipment of reg* type constants in postgres_fdw to those referencing built-in objects or extensions marked as shippable (Tom Lane)
Have postgres_fdw and dblink handle interrupts during connection establishment (Andres Freund)

Acknowledgments

The following individuals (in alphabetical order) have contributed to this release as patch authors, committers, reviewers, testers, or reporters of issues.
Abhijit Menon-Sen Adam Mackler Adrian Klaver Ahsan Hadi Ajin Cherian Ajit Awekar Alan Hodgson Aleksander Alekseev Alex Denman Alex Kozhemyakin Alexander Korolev Alexander Korotkov Alexander Lakhin Alexander Pyhalov Alexey Borzov Alexey Ermakov Alexey Makhmutov Álvaro Herrera Amit Kapila Amit Khandekar Amit Langote Amul Sul Anastasia Lubennikova Anban Company Andreas Dijkman Andreas Karlsson Andreas Scherbaum Andrei Zubkov Andres Freund Andrew Alsup Andrew Bille Andrew Dunstan Andrew Gierth Andrew Kesper Andrey Borodin Andrey Lepikhov Andrey Sokolov Ankit Kumar Pandey Ante Kresic Anton Melnikov Anton Sidyakin Anton Voloshin Antonin Houska Arne Roland Artem Anisimov Arthur Zakirov Ashutosh Bapat Ashutosh Sharma Asim Praveen Atsushi Torikoshi Ayaki Tachikake Balazs Szilfai Benoit Lobréau Bernd Helmle Bertrand Drouvot Bharath Rupireddy Bilva Sanaba Bob Krier Boris Zentner Brad Nicholson Brar Piening Bruce Momjian Bruno da Silva Carl Sopchak Cary Huang Changhong Fei Chris Travers Christoph Berg Christophe Pettus Corey Huinker Craig Ringer Curt Kolovson Dag Lem Dagfinn Ilmari Mannsåker Daniel Gustafsson Daniel Vérité Daniel Watzinger Daniel Westermann Daniele Varrazzo Daniil Anisimov Danny Shemesh Dave Page David Christensen David G. 
Johnston David Geier David Gilman David Kimura David Rowley David Steele David Turon David Zhang Davinder Singh Dean Rasheed Denis Laxalde Dilip Kumar Dimos Stamatakis Dmitriy Kuzmin Dmitry Astapov Dmitry Dolgov Dmitry Koval Dong Wook Lee Dongming Liu Drew DeVault Duncan Sands Ed Maste Egor Chindyaskin Ekaterina Kiryanova Elena Indrupskaya Emmanuel Quincerot Eric Mutta Erik Rijkers Erki Eessaar Erwin Brandstetter Etsuro Fujita Eugeny Zhuzhnev Euler Taveira Evan Jones Evgeny Morozov Fabrízio de Royes Mello Farias de Oliveira Florin Irion Franz-Josef Färber Garen Torikian Georgios Kokolatos Gilles Darold Greg Stark Guillaume Lelarge Gunnar Bluth Gunnar Morling Gurjeet Singh Haiyang Wang Haiying Tang Hamid Akhtar Hans Buschmann Hao Wu Hayato Kuroda Heath Lord Heikki Linnakangas Himanshu Upadhyaya Hisahiro Kauchi Hongyu Song Hubert Lubaczewski Hung Nguyen Ian Barwick Ibrar Ahmed Ilya Gladyshev Ilya Nenashev Isaac Morland Israel Barth Rubio Jacob Champion Jacob Speidel Jaime Casanova Jakub Wartak James Coleman James Inform James Vanns Jan Wieck Japin Li Jeevan Ladhe Jeff Davis Jeff Janes Jehan-Guillaume de Rorthais Jelte Fennema Jian He Jim Jones Jinbao Chen Joe Conway Joel Jacobson John Naylor Jonathan Katz Josef Simanek Joseph Koshakow Juan José Santamaría Flecha Julien Rouhaud Julien Roze Junwang Zhao Justin Pryzby Justin Zhang Karina Litskevich Karl O. 
Pinc Keisuke Kuroda Ken Kato Kevin McKibbin Kieran McCusker Kirk Wolak Konstantin Knizhnik Koshi Shibagaki Kotaro Kawamoto Kui Liu Kyotaro Horiguchi Lakshmi Narayanan Sreethar Laurence Parry Laurenz Albe Luca Ferrari Lukas Fittl Maciek Sakrejda Magnus Hagander Maja Zaloznik Marcel Hofstetter Marina Polyakova Mark Dilger Marko Tiikkaja Markus Winand Martijn van Oosterhout Martin Jurca Martin Kalcher Mary Xu Masahiko Sawada Masahiro Ikeda Masao Fujii Mason Sharp Matheus Alcantara Mats Kindahl Matthias van de Meent Matthijs van der Vleuten Maxim Orlov Maxim Yablokov Mehmet Emin Karakas Melanie Plageman Melih Mutlu Micah Gates Michael Banck Michael Paquier Michail Nikolaev Michel Pelletier Mike Oh Mikhail Gribkov Mingli Zhang Miroslav Bendik Mitsuru Hinata Myo Wai Thant Naeem Akhter Naoki Okano Nathan Bossart Nazir Bilal Yavuz Neha Sharma Nick Babadzhanian Nicola Contu Nikhil Shetty Nikita Glukhov Nikolay Samokhvalov Nikolay Shaplov Nishant Sharma Nitin Jadhav Noah Misch Noboru Saito Noriyoshi Shinoda Nuko Yokohama Oleg Bartunov Oleg Tselebrovskiy Olly Betts Onder Kalaci Onur Tirtir Pablo Federico Palle Girgensohn Paul Guo Paul Jungwirth Paul Ramsey Pavel Borisov Pavel Kulakov Pavel Luzanov Pavel Stehule Peifeng Qiu Peter Eisentraut Peter Geoghegan Peter Smith Phil Florent Philippe Godfrin Platon Pronko Przemyslaw Sztoch Rachel Heaton Ranier Vilela Regina Obe Reid Thompson Reiner Peterke Richard Guo Riivo Kolka Rishu Bagga Robert Haas Robert Sjöblom Robert Treat Roberto Mello Robins Tharakan Roman Zharkov Ronan Dunklau Rushabh Lathia Ryo Matsumura Samay Sharma Sami Imseih Sandeep Thakkar Sandro Santilli Sebastien Flaesch Sébastien Lardière Sehrope Sarkuni Sergey Belyashov Sergey Pankov Sergey Shinderuk Shi Yu Shinya Kato Sho Kato Shruthi Gowda Shveta Mallik Simon Riggs Sindy Senorita Sirisha Chamarthi Sravan Kumar Stéphane Tachoires Stephen Frost Steve Chavez Stone Tickle Sven Klemm Takamichi Osumi Takeshi Ideriha Tatsuhiro Nakamori Tatsuo Ishii Teja Mupparti Tender 
Wang Teodor Sigaev Thiago Nunes Thom Brown Thomas Habets Thomas Mc Kay Thomas Munro Tim Carey-Smith Tim Field Timo Stolz Tom Lane Tomas Vondra Tor Erik Linnerud Torsten Förtsch Tristan Partin Troy Frericks Tushar Ahuja Valerie Woolard Vibhor Kumar Victor Spirin Victoria Shepard Vignesh C Vik Fearing Vitaly Burovoy Vitaly Davydov Wang Wei Wenjing Zeng Whale Song Will Mortensen Wolfgang Walther Xin Wen Xing Guo Xingwang Xu XueJing Zhao Yanliang Lei Youmiu Mo Yugo Nagata Yura Sokolov Yuta Katsuragi Zhen Mingyang Zheng Li Zhihong Yu Zhijie Hou Zongliang Quan Zuming Jiang