diff --git a/doc/src/sgml/release-15.sgml b/doc/src/sgml/release-15.sgml index 9bf0aede519..fb43c336f8a 100644 --- a/doc/src/sgml/release-15.sgml +++ b/doc/src/sgml/release-15.sgml 
@@ -1,6 +1,1719 @@ + + Release 15.3 + + + Release date: + 2023-05-11 + + + + This release contains a variety of fixes from 15.2. + For information about new features in major release 15, see + . + + + + Migration to Version 15.3 + + + A dump/restore is not required for those running 15.X. + + + + However, if you are upgrading from a version earlier than 15.1, + see . + + + + + Changes + + + + + + + Fix potential corruption of the template (source) database after + CREATE DATABASE with the STRATEGY + WAL_LOG option (Nathan Bossart, Ryo Matsumura) + + + + Improper buffer handling created a risk that any later modification + of the template's pg_class catalog would be + lost. + + + + + + + Fix memory leakage and unnecessary disk reads + during CREATE DATABASE with the STRATEGY + WAL_LOG option (Andres Freund) + + + + + + + Avoid crash when the new schema name is omitted + in CREATE SCHEMA (Michael Paquier) + + + + The SQL standard allows writing CREATE SCHEMA AUTHORIZATION + owner_name, with the schema + name defaulting to owner_name. However + some code paths expected the schema name to be present and would + fail. + + + + + + + Fix various planner failures with MERGE + commands (Tom Lane) + + + + Planning could fail with errors like variable not found in + subplan target list or PlaceHolderVar found where not + expected. + + + + + + + Fix the row count reported by MERGE for some + corner cases (Dean Rasheed) + + + + The row count reported in the command tag counted rows that actually + hadn't been modified due to a BEFORE ROW trigger + returning NULL. This is inconsistent with what happens in + plain UPDATE or DELETE, so + change it to not count such rows. Also, avoid counting a row twice + when MERGE moves it into a different partition of + a partitioned table. 
+ + + + + + + Fix MERGE problems with concurrent updates + (Dean Rasheed, Álvaro Herrera) + + + + Some cases misbehaved if a row to be updated or deleted + by MERGE had just been updated by a concurrent + transaction. This could lead to a crash, or the wrong merge action + being executed, or no action at all. + + + + + + + Fix enabling/disabling of cloned triggers in partitioned tables + (Tom Lane) + + + + ALTER TABLE ... ENABLE/DISABLE TRIGGER USER + skipped cloned triggers, mistaking them for system triggers. + Other variants of ENABLE/DISABLE TRIGGER would + process them, but only after improperly enforcing a superuserness + check. + + + + + + + Fix enabling/disabling of foreign-key triggers in partitioned tables + (Tom Lane) + + + + ALTER TABLE ... ENABLE/DISABLE TRIGGER failed if + applied to a partitioned table's foreign-key enforcement triggers, + because it tried to locate the clone triggers for the partitions by + name, and they do not have the same name. Locate them by + parent-trigger OID instead. + + + + + + + Disallow altering composite types that are stored in indexes + (Tom Lane) + + + + ALTER TYPE disallows non-binary-compatible + modifications of composite types if they are stored in any table + columns. (Perhaps that will be allowed someday, but it hasn't + happened yet; the locking implications of rewriting many tables are + daunting.) We overlooked the possibility that an index might + contain a composite type that doesn't also appear in its table. + + + + + + + Disallow system columns as elements of foreign keys (Tom Lane) + + + + Since the removal of OID as a system column, there is no plausible + use-case for this, and various bits of code no longer support it. + Disallow it rather than trying to fix all the cases. 
+ + + + + + + Ensure that COPY TO from an RLS-enabled parent + table does not copy any rows from child tables (Antonin Houska) + + + + The documentation is quite clear that COPY TO + copies rows from only the named table, not any inheritance children + it may have. However, if row-level security was enabled on the table + then this stopped being true. + + + + + + + Avoid possible crash when array_position() + or array_positions() is passed an empty array + (Tom Lane) + + + + + + + Fix possible out-of-bounds fetch in to_char() + (Tom Lane) + + + + With bad luck this could have resulted in a server crash. + + + + + + + Avoid buffer overread in translate() function + (Daniil Anisimov) + + + + When using the deletion feature, the function might fetch the byte + just after the input string, creating a small risk of crash. + + + + + + + Adjust text-search-related character classification logic to + correctly detect whether the prevailing locale + is C (Jeff Davis) + + + + This code got confused if the database's default collation uses ICU. + + + + + + + Avoid possible crash on empty input for type interval + (Tom Lane) + + + + + + + Re-allow exponential notation in ISO-8601 interval fields + (Tom Lane) + + + + Interval input like P0.1e10D isn't officially + sanctioned by ISO-8601, but we accepted it for a long time before + version 15, so re-allow it. + + + + + + + Fix error cursor setting for parse errors in JSON string literals + (Tom Lane) + + + + Most cases in which a syntax error is detected in a string literal + within a JSON value failed to set the error cursor appropriately. + This led at least to an unhelpful error message (pointing to the + token before the string, rather than the actual trouble spot), and + could even result in a crash in v14 and later. 
+ + + + + + + Fix data corruption due to vacuum_defer_cleanup_age + being larger than the current 64-bit xid (Andres Freund) + + + + In v14 and later with non-default settings + of vacuum_defer_cleanup_age, it was possible to + compute a very large vacuum cleanup horizon xid, leading to vacuum + removing rows that are still live. v12 and v13 have a lesser form + of the same problem affecting only GiST indexes, which could lead to + index pages getting recycled too early. + + + + + + + Fix parser's failure to detect some cases of improperly-nested + aggregates (Tom Lane) + + + + This oversight could lead to executor failures for queries that + should have been rejected as invalid. + + + + + + + Fix data structure corruption during parsing of + serial SEQUENCE NAME options (David Rowley) + + + + This can lead to trouble if an event trigger captures the corrupted + parse tree. + + + + + + + Correctly update plan nodes' parallel-safety markings when moving + initplans from one node to another (Tom Lane) + + + + This planner oversight could lead to subplan was not + initialized errors at runtime. + + + + + + + Avoid failure with PlaceHolderVars in extended-statistics code + (Tom Lane) + + + + Use of dependency-type extended statistics could fail with + PlaceHolderVar found where not expected. + + + + + + + Fix incorrect tests for whether a qual clause applied to a subquery + can be transformed into a window aggregate run + condition within the subquery (David Rowley) + + + + A SubPlan within such a clause would cause assertion failures or + incorrect answers, as would some other unusual cases. + + + + + + + Disable the inverse-transition optimization for window aggregates + when the call contains sub-SELECTs (David Rowley) + + + + This optimization requires that the aggregate's argument expressions + have repeatable results, which might not hold for a sub-SELECT. 
+ + + + + + + Fix oversights in execution of nested ARRAY[] + constructs (Alexander Lakhin, Tom Lane) + + + + Correctly detect overflow of the total space needed for the result + array, avoiding a possible crash due to undersized output + allocation. Also ensure that any trailing padding space in the + result array is zeroed; while leaving garbage there is harmless for + most purposes, it can result in odd behavior later. + + + + + + + Prevent crash when updating a field within an + array-of-domain-over-composite-type column (Dmitry Dolgov) + + + + + + + Fix partition pruning logic for partitioning on boolean columns + (David Rowley) + + + + Pruning with a condition like boolcol IS NOT TRUE + was done incorrectly, leading to possibly not returning rows in + which boolcol is NULL. Also, the rather unlikely + case of partitioning on NOT boolcol was handled + incorrectly. + + + + + + + Fix race condition in per-batch cleanup during parallel hash join + (Thomas Munro, Melanie Plageman) + + + + A crash was possible given unlucky timing and + parallel_leader_participation + = off (which is not the default). + + + + + + + Recalculate GENERATED columns after an + EvalPlanQual check (Tom Lane) + + + + In READ COMMITTED isolation mode, the effects of + a row update might need to get reapplied to a newer version of the + row than the query found originally. If so, we need to recompute + any GENERATED columns, in case they depend on + columns that were changed by the concurrent update. 
+ + + + + + + Fix memory leak in Memoize plan execution (David Rowley) + + + + + + + Fix buffer refcount leak when using batched inserts for a foreign + table included in a partitioned tree (Alexander Pyhalov) + + + + + + + Restore support for + sub-millisecond vacuum_cost_delay settings + (Thomas Munro) + + + + + + + Don't balance vacuum cost delay when a table has a + per-relation vacuum_cost_delay setting of zero + (Masahiko Sawada) + + + + Delay balancing is supposed to be disabled whenever autovacuum is + processing a table with a + per-relation vacuum_cost_delay setting, but this + was done only for positive settings, not zero. + + + + + + + Fix corner-case crashes when columns have been added to the end of a + view (Tom Lane) + + + + + + + Repair rare failure of MULTIEXPR_SUBLINK subplans in partitioned + updates (Andres Freund, Tom Lane) + + + + Use of the syntax INSERT ... ON CONFLICT DO UPDATE SET (c1, + ...) = (SELECT ...) with a partitioned target table could + result in failure if any child table is dissimilar from the parent + (for example, different physical column order). + This typically manifested as failure of consistency checks in the + executor; but a crash or incorrect data updates are also possible. + + + + + + + Fix handling of DEFAULT markers within a + multi-row INSERT ... VALUES query on a view that + has a DO ALSO INSERT ... SELECT rule (Dean + Rasheed) + + + + Such cases typically failed with unrecognized node + type errors or assertion failures. + + + + + + + Support references to OLD + and NEW within subqueries in rule actions + (Dean Rasheed, Tom Lane) + + + + Such references are really lateral references, but the server could + crash if the subquery wasn't explicitly marked + with LATERAL. Arrange to do that implicitly when + necessary. 
+ + + + + + + When decompiling a rule or SQL function body + containing INSERT/UPDATE/DELETE + within WITH, take care to print the correct alias + for the target table (Tom Lane) + + + + + + + Fix glitches in SERIALIZABLE READ ONLY + optimization (Thomas Munro) + + + + Transactions already marked as doomed confused the + safe-snapshot optimization for SERIALIZABLE READ + ONLY transactions. The optimization was unnecessarily + skipped in some cases. In other cases an assertion failure occurred + (but there was no problem in non-assert builds). + + + + + + + Avoid leaking cache callback slots in + the pgoutput logical decoding plugin (Shi Yu) + + + + Multiple cycles of starting up and shutting down the plugin within a + single session would eventually lead to an out of + relcache_callback_list slots error. + + + + + + + Avoid unnecessary calls to custom validators for index operator + class options (Alexander Korotkov) + + + + This change fixes some cases where an unexpected error was thrown. + + + + + + + Avoid useless work while scanning a multi-column BRIN index with + multiple scan keys (Tomas Vondra) + + + + The existing code effectively considered only the last scan key + while deciding whether a range matched, thus usually scanning more + of the index than it needed to. + + + + + + + Fix netmask handling in BRIN inet_minmax_multi_ops opclass + (Tomas Vondra) + + + + This error triggered an assertion failure in assert-enabled builds, + but is mostly harmless in production builds. + + + + + + + Fix dereference of dangling pointer during buffering build of a GiST + index (Alexander Lakhin) + + + + This error seems to usually be harmless in production builds, as the + fetched value is noncritical; but in principle it could cause a + server crash. 
+ + + + + + + Ignore dropped columns and generated columns during logical + replication of an update or delete action (Onder Kalaci, Shi Yu) + + + + Replication with the REPLICA IDENTITY FULL option + failed if the table contained such columns. + + + + + + + Correct the name of the wait event for SLRU buffer I/O for commit + timestamps (Alexander Lakhin) + + + + This wait event is named CommitTsBuffer according + to the documentation, but the code had it + as CommitTSBuffer. Change the code to match the + documentation, as that way is more consistent with the naming of + related wait events. + + + + + + + Re-activate reporting of wait event SLRUFlushSync + (Thomas Munro) + + + + Reporting of this type of wait was accidentally removed in code + refactoring. + + + + + + + Avoid possible underflow when calculating how many WAL segments to + keep (Kyotaro Horiguchi) + + + + This could result in not honoring wal_keep_size + accurately. + + + + + + + Disable startup progress reporting overhead in standby mode + (Bharath Rupireddy) + + + + In standby mode, we don't actually report progress of recovery, + but we were doing work to track it anyway. + + + + + + + Support RSA-PSS certificates with SCRAM-SHA-256 channel binding + (Jacob Champion, Heikki Linnakangas) + + + + This feature requires building with OpenSSL 1.1.1 or newer. Both + the server and libpq are affected. + + + + + + + Avoid race condition with process ID tracking on Windows (Thomas Munro) + + + + The operating system could recycle a PID before the postmaster + observed that that child process was gone. This could lead to + tracking more than one child with the same PID, resulting in + confusion. + + + + + + + Fix list_copy_head() to work correctly on an + empty List (David Rowley) + + + + This case is not known to be reached by any + core PostgreSQL code, but extensions + might rely on it working. 
+ + + + + + + Add missing cases to SPI_result_code_string() + (Dean Rasheed) + + + + + + + Fix erroneous Valgrind markings + in AllocSetRealloc() (Karina Litskevich) + + + + In the unusual case where the size of a large (>8kB) palloc chunk + is decreased, a Valgrind-aware build would mismark the defined-ness + state of the memory released from the chunk, possibly causing + incorrect results during Valgrind testing. + + + + + + + Fix assertion failure for MERGE into a + partitioned table with row-level security enabled (Dean Rasheed) + + + + + + + Avoid assertion failure when decoding a transactional logical + replication message (Tomas Vondra) + + + + + + + Avoid locale sensitivity when processing regular expression escapes + (Jeff Davis) + + + + A backslash followed by a non-ASCII character could sometimes cause + an assertion failure, depending on the prevailing locale. + + + + + + + Avoid trying to write an empty WAL record + in log_newpage_range() when the last few pages + in the specified range are empty (Matthias van de Meent) + + + + It is not entirely clear whether this case is reachable in released + branches, but if it is then an assertion failure could occur. + + + + + + + Fix session-lifespan memory leakage in plpgsql + DO blocks that use cast expressions + (Ajit Awekar, Tom Lane) + + + + + + + Tighten array dimensionality checks when converting Perl + list structures to multi-dimensional SQL arrays (Tom Lane) + + + + plperl could misbehave when the nesting + of sub-lists is inconsistent so that the data does not represent a + rectangular array of values. Such cases now produce errors, but + previously they could result in a crash or garbage output. 
+ + + + + + + Tighten array dimensionality checks when converting Python + list structures to multi-dimensional SQL arrays (Tom Lane) + + + + plpython could misbehave when dealing + with empty sub-lists, or when the nesting of sub-lists is + inconsistent so that the data does not represent a rectangular array + of values. The former should result in an empty output array, and + the latter in an error. But some cases resulted in a crash, and + others in unexpected output. + + + + + + + Fix unwinding of exception stack + in plpython (Xing Guo) + + + + Some rare failure cases could return without cleaning up the PG_TRY + exception stack, risking a crash if another error was raised before + the next stack level was unwound. + + + + + + + Fix inconsistent GSS-encryption error handling + in libpq's + PQconnectPoll() + (Michael Paquier) + + + + With set to require, + the connection was not marked dead after a GSS initialization + failure. Make it fail immediately, as the equivalent case for TLS + encryption has long done. + + + + + + + Fix possible data corruption in ecpg + programs built with the option + (Kyotaro Horiguchi) + + + + When ecpg_get_data() is called + with varcharsize set to zero, it could write a + terminating zero character into the last byte of the preceding + field, truncating the data in that field. + + + + + + + Fix pg_dump so that partitioned tables + that are hash-partitioned on an enum-type column can be restored + successfully (Tom Lane) + + + + Since the hash codes for enum values depend on the OIDs assigned to + the enum, they are typically different after a dump and restore, + meaning that rows often need to go into a different partition than + they were in originally. Users can work around that by specifying + the option; but since + there is very little chance of success without that, + teach pg_dump to apply it automatically + to such tables. 
+ + + + Also, fix pg_restore to not try + to TRUNCATE target tables before restoring into + them when mode is used. + This avoids a hazard of deadlocks and lost data. + + + + + + + Correctly detect non-seekable files on Windows + (Juan José Santamaría Flecha, Michael Paquier, Daniel Watzinger) + + + + This bug led to misbehavior when pg_dump + writes to a pipe or pg_restore reads from + one. + + + + + + + In pgbench's prepared + mode, prepare all the commands in a pipeline before starting the + pipeline (Álvaro Herrera) + + + + This avoids a failure when a pgbench script tries to + start a serializable transaction inside a pipeline. + + + + + + + In contrib/amcheck's heap checking code, deal + correctly with tuples having zero xmin or xmax (Robert Haas) + + + + + + + In contrib/amcheck, deal sanely with xids that + appear to be before epoch zero (Andres Freund) + + + + In cases of corruption we might see a wrapped-around 32-bit xid that + appears to be before the first xid epoch. Promoting such a value to + 64-bit form produced a value far in the future, resulting in wrong + reports. Return FirstNormalFullTransactionId in such cases so that + things work reasonably sanely. + + + + + + + In contrib/basebackup_to_shell, properly detect + failure to open a pipe (Robert Haas) + + + + + + + In contrib/hstore_plpython, avoid crashing if + the Python value to be transformed isn't a mapping (Dmitry Dolgov, + Tom Lane) + + + + This should give an error, but Python 3 changed some APIs in a way + that caused the check to misbehave, allowing a crash to ensue. + + + + + + + Require the siglen option of a GiST index on + an ltree column, if specified, to be a multiple of 4 + (Alexander Korotkov) + + + + Other values result in misaligned accesses to index content, which + is harmless on Intel-compatible hardware but can cause a crash on + some other architectures. 
+ + + + + + + In contrib/pageinspect, add defenses against + incorrect input for the gist_page_items() function + (Dmitry Koval) + + + + + + + Fix misbehavior in contrib/pg_trgm with an + unsatisfiable regular expression (Tom Lane) + + + + A regex such as $foo is legal but unsatisfiable; + the regex compiler recognizes that and produces an empty NFA graph. + Attempting to optimize such a graph into a pg_trgm GIN or GiST index + qualification resulted in accessing off the end of a work array, + possibly leading to crashes. + + + + + + + Fix handling of escape sequences + in contrib/postgres_fdw's + application_name parameter (Kyotaro Horiguchi, + Michael Paquier) + + + + The code to expand these could fail if executed in a background + process, as for example during auto-analyze of a foreign table. + + + + + + + In contrib/pg_walinspect, limit memory usage + of pg_get_wal_records_info() (Bharath Rupireddy) + + + + + + + Use the option when stripping + static libraries with + GNU-compatible strip (Tom Lane) + + + + Previously, make install-strip used + the option in this case. This change avoids + misbehavior of llvm-strip, and gives + slightly smaller output as well. + + + + + + + Stop recommending auto-download of DTD files for building the + documentation, and indeed disable it (Aleksander Alekseev, Peter + Eisentraut, Tom Lane) + + + + It appears no longer possible to build the SGML documentation + without a local installation of the DocBook DTD files. + Formerly xsltproc could download those + files on-the-fly from sourceforge.net; but sourceforge.net now + permits only HTTPS access, and no common version + of xsltproc supports that. Hence, remove + the bits of our documentation suggesting that that's possible or + useful, and instead + add xsltproc's + option to the build recipes. 
+ + + + + + + When running TAP tests in PGXS builds, use a saner location for the + temporary portlock directory (Peter Eisentraut) + + + + Place it under tmp_check in the build + directory. With the previous coding, a PGXS build would try to place + it in the installation directory, which is not necessarily writable. + + + + + + + Update time zone data files to tzdata + release 2023c for DST law changes in Egypt, Greenland, Morocco, and + Palestine. + + + + When observing Moscow time, Europe/Kirov and Europe/Volgograd now + use the abbreviations MSK/MSD instead of numeric abbreviations, + for consistency with other timezones observing Moscow time. + Also, America/Yellowknife is no longer distinct from America/Edmonton; + this affects some pre-1948 timestamps in that area. + + + + + + + + Release 15.2
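Review bot: The vacuum_defer_cleanup_age entry says vacuum could end up "removing rows that are still live", but neither that entry nor the "Migration to Version 15.3" section tells an operator who ran with a non-default setting what to do after upgrading. Add a sentence saying whether damage already done can be detected or repaired, or state plainly that the fix only prevents new occurrences. The same entry's sentence about v12 and v13, and the "in v14 and later" wording there and in the JSON error cursor entry, describe other branches and could be trimmed for the 15.3 notes. The ltree siglen entry has a similar gap: it now requires a multiple of 4 but does not say what happens to existing indexes that were created with other values.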