diff --git a/doc/src/sgml/release-14.sgml b/doc/src/sgml/release-14.sgml
index 70adcf4c333..34f4b610a83 100644
--- a/doc/src/sgml/release-14.sgml
+++ b/doc/src/sgml/release-14.sgml
@@ -1,6 +1,1103 @@
+
+ Release 14.16
+
+
+ Release date:
+ 2025-02-13
+
+
+
+ This release contains a variety of fixes from 14.15.
+ For information about new features in major release 14, see
+ .
+
+
+
+ Migration to Version 14.16
+
+
+ A dump/restore is not required for those running 14.X.
+
+
+
+ However, if you are upgrading from a version earlier than 14.14,
+ see .
+
+
+
+
+ Changes
+
+
+
+
+
+
+ Exclude parallel workers from connection privilege checks and limits
+ (Tom Lane)
+ §
+
+
+
+ Do not
+ check datallowconn, rolcanlogin,
+ and ACL_CONNECT privileges when starting a
+ parallel worker, instead assuming that it's enough for the leader
+ process to have passed similar checks originally. This avoids, for
+ example, unexpected failures of parallelized queries when the leader
+ is running as a role that lacks login privilege. In the same vein,
+ enforce ReservedConnections,
+ datconnlimit, and rolconnlimit
+ limits only against regular backends, and count only regular
+ backends while checking if the limits were already reached. Those
+ limits are meant to prevent excessive consumption of process slots
+ for regular backends --- but parallel workers and other special
+ processes have their own pools of process slots with their own limit
+ checks.
+
+
+
+
+
+
+ Keep TransactionXmin in sync
+ with MyProc->xmin (Heikki Linnakangas)
+ §
+
+
+
+ This oversight could permit a process to try to access data that had
+ already been vacuumed away. One known consequence is
+ transient could not access status of transaction
+ errors.
+
+
+
+
+
+
+ Fix race condition that could cause failure to add a newly-inserted
+ catalog entry to a catalog cache list (Heikki Linnakangas)
+ §
+
+
+
+ This could result, for example, in failure to use a newly-created
+ function within an existing session.
+
+
+
+
+
+
+ Prevent possible catalog corruption when a system catalog is
+ vacuumed concurrently with an update (Noah Misch)
+ §
+
+
+
+
+
+
+ Fix data corruption when relation truncation fails (Thomas Munro)
+ §
+ §
+ §
+
+
+
+ The filesystem calls needed to perform relation truncation could
+ fail, leaving inconsistent state on disk (for example, effectively
+ reviving deleted data). We can't really prevent that, but we can
+ recover by dint of making such failures into PANICs, so that
+ consistency is restored by replaying from WAL up to just before the
+ attempted truncation. This isn't a hugely desirable behavior, but
+ such failures are rare enough that it seems an acceptable solution.
+
+
+
+
+
+
+ Prevent checkpoints from starting during relation truncation
+ (Robert Haas)
+ §
+
+
+
+ This avoids a race condition wherein the modified file might not get
+ fsync'd before completing the checkpoint, creating a risk of data
+ corruption if the operating system crashes soon after.
+
+
+
+
+
+
+ Use rename()
+ not link()/unlink() to
+ rename files (Nathan Bossart)
+ §
+
+
+
+ The previous coding was intended to assure that the operation could
+ not accidentally overwrite an existing file. However a failure
+ could leave two links to the same file in existence, confusing
+ subsequent operations and creating a risk of data corruption.
+ In practice we do not use this functionality in places where the
+ target filename could already exist, so it seems better to give up
+ the no-overwrite guarantee to remove the multiple-link hazard.
+
+
+
+
+
+
+ Avoid possibly losing an update of
+ pg_database.datfrozenxid
+ when VACUUM runs concurrently with
+ a REASSIGN OWNED that changes that database's
+ owner (Kirill Reshke)
+ §
+
+
+
+
+
+
+ Fix incorrect tg_updatedcols values
+ passed to AFTER UPDATE triggers (Tom Lane)
+ §
+
+
+
+ In some cases the tg_updatedcols bitmap
+ could describe the set of columns updated by an earlier command in
+ the same transaction, fooling the trigger into doing the wrong
+ thing.
+
+
+
+ Also, prevent memory bloat caused by making too many copies of
+ the tg_updatedcols bitmap.
+
+
+
+
+
+
+ Fix mis-processing of to_timestamp's
+ FFn format codes
+ (Tom Lane)
+ §
+
+
+
+ An integer format code immediately
+ preceding FFn would
+ consume all available digits, leaving none
+ for FFn.
+
+
+
+
+
+
+ When deparsing an XMLTABLE() expression, ensure
+ that XML namespace names are double-quoted when necessary (Dean
+ Rasheed)
+ §
+
+
+
+
+
+
+ Include the ldapscheme option
+ in pg_hba_file_rules() output (Laurenz Albe)
+ §
+ §
+
+
+
+
+
+
+ Don't merge UNION operations if their column
+ collations aren't consistent (Tom Lane)
+ §
+
+
+
+ Previously we ignored collations when deciding if it's safe to
+ merge UNION steps into a single
+ N-way UNION operation. This was arguably valid
+ before the introduction of nondeterministic collations, but it's not
+ anymore, since the collation in use can affect the definition of
+ uniqueness.
+
+
+
+
+
+
+ Fix missed expression processing for partition pruning steps
+ (Tom Lane)
+ §
+
+
+
+ This oversight could lead to unrecognized node type
+ errors, and perhaps other problems, in queries accessing partitioned
+ tables.
+
+
+
+
+
+
+ Allow dshash tables to grow past 1GB (Matthias van de Meent)
+ §
+
+
+
+ This avoids errors like invalid DSA memory alloc request
+ size. The case can occur for example in transactions that
+ process several million tables.
+
+
+
+
+
+
+ Avoid possible integer overflow
+ in bringetbitmap() (James Hunter, Evgeniy
+ Gorbanyov)
+ §
+
+
+
+ Since the result is only used for statistical purposes, the effects
+ of this error were mostly cosmetic.
+
+
+
+
+
+
+ Prevent streaming standby servers from looping infinitely when
+ reading a WAL record that crosses pages (Kyotaro Horiguchi,
+ Alexander Kukushkin)
+ §
+
+
+
+ This would happen when the record's continuation is on a page that
+ needs to be read from a different WAL source.
+
+
+
+
+
+
+ Improve performance of archiver process with many status files
+ (Nathan Bossart)
+ §
+
+
+
+ This change back-patches a fix originally made in v15, in response
+ to reports of extremely poor archiving performance leading to
+ downtime or loss of replicas.
+
+
+
+
+
+
+ Fix unintended promotion of FATAL errors to PANIC during early
+ process startup (Noah Misch)
+ §
+
+
+
+ This fixes some unlikely cases that would result in PANIC:
+ proc_exit() called in child process.
+
+
+
+
+
+
+ Fix cases where an operator family member operator or support
+ procedure could become a dangling reference (Tom Lane)
+ §
+ §
+
+
+
+ In some cases a data type could be dropped while references to its
+ OID still remain in pg_amop
+ or pg_amproc. While that caused no
+ immediate issues, an attempt to drop the owning operator family
+ would fail, and pg_dump would produce
+ bogus output when dumping the operator family. This fix causes
+ creation and modification of operator families/classes to add
+ needed dependency entries so that dropping a data type will also
+ drop any dependent operator family elements. That does not help
+ vulnerable pre-existing operator families, though, so a band-aid has
+ also been added to DROP OPERATOR FAMILY to
+ prevent failure when dropping a family that has dangling members.
+
+
+
+
+
+
+ Fix multiple memory leaks in logical decoding output (Vignesh C,
+ Masahiko Sawada, Boyu Yang)
+ §
+ §
+
+
+
+
+
+
+ Avoid low-probability crash on out-of-memory, due to missing check
+ for failure return from malloc()
+ (Karina Litskevich)
+ §
+
+
+
+
+
+
+ Avoid integer overflow while
+ testing wal_skip_threshold condition (Tom Lane)
+ §
+
+
+
+ A transaction that created a very large relation could mistakenly
+ decide to ensure durability by copying the relation into WAL instead
+ of fsync'ing it, thereby negating the point
+ of wal_skip_threshold. (This only matters
+ when wal_level is set
+ to minimal, else a WAL copy is required anyway.)
+
+
+
+
+
+
+ Fix unsafe order of operations during cache lookups (Noah Misch)
+ §
+
+
+
+ The only known consequence was a usually-harmless you don't
+ own a lock of type ExclusiveLock warning
+ during GRANT TABLESPACE.
+
+
+
+
+
+
+ Fix possible failed to resolve name failures when
+ using JIT on older ARM platforms (Thomas Munro)
+ §
+
+
+
+ This could occur as a consequence of inconsistency about the default
+ setting of between gcc and clang.
+ At least Debian and Ubuntu are known to ship gcc and clang compilers
+ that target armv8-a but differ on the use of outline atomics by
+ default.
+
+
+
+
+
+
+ Fix handling of Windows junction points that are not
+ of PostgreSQL origin (Thomas Munro)
+ §
+ §
+
+
+
+ Previously, initdb would fail if the path
+ to the data directory included junction points whose expansion isn't
+ in drive absolute format, or whose expansion points
+ to another junction point.
+
+
+
+
+
+
+ Fix assertion failure in WITH RECURSIVE ... UNION
+ queries (David Rowley)
+ §
+
+
+
+
+
+
+ Avoid assertion failure in rule deparsing if a set operation leaf
+ query contains set operations (Man Zeng, Tom Lane)
+ §
+
+
+
+
+
+
+ Avoid edge-case assertion failure in parallel query startup (Tom Lane)
+ §
+
+
+
+
+
+
+ In NULLIF(), avoid passing a read-write
+ expanded object pointer to the data type's equality function
+ (Tom Lane)
+ §
+
+
+
+ The equality function could modify or delete the object if it's
+ given a read-write pointer, which would be bad if we decide to
+ return it as the NULLIF() result. There is
+ probably no problem with any built-in equality function, but it's
+ easy to demonstrate a failure with one coded in PL/pgSQL.
+
+
+
+
+
+
+ Ensure that expression preprocessing is applied to a default null
+ value in INSERT (Tom Lane)
+ §
+
+
+
+ If the target column is of a domain type, the planner must insert a
+ coerce-to-domain step not just a null constant, and this expression
+ missed going through some required processing steps. There is no
+ known consequence with domains based on core data types, but in
+ theory an error could occur with domains based on extension types.
+
+
+
+
+
+
+ Repair memory leaks in PL/Python (Mat Arye, Tom Lane)
+ §
+
+
+
+ Repeated use of PLyPlan.execute
+ or plpy.cursor resulted in memory leakage for
+ the duration of the calling PL/Python function.
+
+
+
+
+
+
+ Fix PL/Tcl to compile with Tcl 9 (Peter Eisentraut)
+ §
+
+
+
+
+
+
+ In the ecpg preprocessor, fix possible
+ misprocessing of cursors that reference out-of-scope variables
+ (Tom Lane)
+ §
+
+
+
+
+
+
+ In ecpg, fix compile-time warnings about
+ unsupported use of COPY ... FROM STDIN (Ryo
+ Kanbayashi)
+ §
+
+
+
+ Previously, the intended warning was not issued due to a typo.
+
+
+
+
+
+
+ Fix psql to safely handle file path names
+ that are encoded in SJIS (Tom Lane)
+ §
+
+
+
+ Some two-byte characters in SJIS have a second byte that is equal to
+ ASCII backslash (\). These characters were
+ corrupted by path name normalization, preventing access to files
+ whose names include such characters.
+
+
+
+
+
+
+ Fix use of wrong version of pqsignal()
+ in pgbench
+ and psql (Fujii Masao, Tom Lane)
+ §
+
+
+
+ This error could lead to misbehavior when using
+ the option in pgbench
+ or the \watch command
+ in psql, due to interrupted system calls
+ not being resumed as expected.
+
+
+
+
+
+
+ Fix misexecution of some nested \if constructs
+ in pgbench (Michail Nikolaev)
+ §
+
+
+
+ An \if command appearing within a false
+ (not-being-executed) \if branch was incorrectly
+ treated the same as \elif.
+
+
+
+
+
+
+ In pgbench, fix possible misdisplay of
+ progress messages during table initialization (Yushi Ogiwara, Tatsuo
+ Ishii, Fujii Masao)
+ §
+ §
+
+
+
+
+
+
+ Make pg_controldata more robust against
+ corrupted pg_control files (Ilyasov Ian, Anton
+ Voloshin)
+ §
+
+
+
+ Since pg_controldata will attempt to
+ print the contents of pg_control even if the
+ CRC check fails, it must take care not to misbehave for invalid
+ field values. This patch fixes some issues triggered by invalid
+ timestamps and apparently-negative WAL segment sizes.
+
+
+
+
+
+
+ Fix possible crash in pg_dump with
+ identity sequences attached to tables that are extension members
+ (Tom Lane)
+ §
+
+
+
+
+
+
+ Fix pg_basebackup to correctly
+ handle pg_wal.tar files exceeding 2GB on
+ Windows (Davinder Singh, Thomas Munro)
+ §
+ §
+
+
+
+
+
+
+ Update configuration probes that determine the compiler switches
+ needed to access ARM CRC instructions (Tom Lane)
+ §
+
+
+
+ On ARM platforms where the baseline CPU target lacks CRC
+ instructions, we need to supply a switch to
+ persuade the compiler to compile such instructions. Recent versions
+ of gcc reject the value we were trying, leading to silently falling
+ back to software CRC.
+
+
+
+
+
+
+ During configure, if a C23 compiler is
+ detected, try asking for C17 (Thomas Munro)
+ §
+
+
+
+ PostgreSQL versions before v16 will not
+ compile under C23 rules. If the chosen compiler defaults to C23 or
+ later, try adding a -std=gnu17 switch to change
+ that. (If this won't work for your compiler, manually
+ specify CFLAGS with a suitable switch.)
+
+
+
+
+
+
+ Update time zone data files to tzdata
+ release 2025a for DST law changes in Paraguay, plus historical
+ corrections for the Philippines (Tom Lane)
+ §
+
+
+
+
+
+
+
+
Release 14.15