"Florian G. Pflug" <[EMAIL PROTECTED]> writes:
>> One comment is that at the time we make an entry into smgr's
>> pending-deletes list, I think we might not have acquired an XID yet
> Hm.. I was just going to implement this, but I'm now wondering if
> that's really worth it.

Basically what you'd give up is the ability to Assert() that there are
no deletable files if there's no XID, which seems to me to be an
important cross-check ... although maybe making smgr do that turns
this "cross-check" into a tautology ... hmm. I guess the case that's
bothering me is where we reach commit with deletable files and no XID.
But that should probably be an error condition anyway, ie, we should
error out and turn it into an abort. On the abort side we'd consider
it OK to have files and no XID. Seems reasonable to me.

The only way we could make this more robust is if we could have a
WAL-before-data rule for file *creation*, but I think that's not
possible given that we don't know what relfilenode number we will use
until we've successfully created a file. So there will always be
windows where a crash leaks unreferenced files. There's been some
debate about having crash recovery search for and delete such files, but
so far I've resisted it on the grounds that it sounds like data loss
waiting to happen --- someday it'll delete a file you wished it'd kept.

regards, tom lane