"Simon Riggs" <[EMAIL PROTECTED]> writes:
> ISTM we only need to flush iff the clog would be truncated when we
> update relminxid.
Wrong :-( If the relvacuumxid change (not relminxid ... as I said, these
names aren't very transparent) makes it to disk but not all the hint
bits do, you're at risk. Crash, restart, vacuum some other table, and
*now* the global min vacuumxid advances. The fact that we're
WAL-logging the relvacuumxid change makes this scenario exceedingly
probable, if no action is taken to force out the hint bits.
The only alternative I can see is the one Heikki suggested: don't
truncate clog until the freeze horizon. That's safe (given the planned
change to WAL-log tuple freezing) and clean and simple, but a permanent
requirement of 250MB+ for pg_clog would put the final nail in the coffin
of PG's usability in small-disk-footprint environments. So I don't like
it much. I suppose it could be made more tolerable by reducing the
freeze horizon, say to 100M instead of 1G transactions. Anyone for a
GUC parameter? In a high-volume DB you'd want the larger setting to
minimize the amount of tuple freezing work. OTOH it seems like making
this configurable creates a nasty risk for PITR situations: a slave
that's configured with a smaller freeze window than the master is
probably not safe.
regards, tom lane
---------------------------(end of broadcast)---------------------------
TIP 2: Don't 'kill -9' the postmaster