    Truncate pg_multixact/'s contents during crash recovery · 1df0122d
    Alvaro Herrera authored
    Commit 9dc842f0 of 8.2 era prevented MultiXact truncation during crash
    recovery, because there was no guarantee that enough state had been
    set up, and because it wasn't deemed to be a good idea to remove data
    during crash recovery anyway.  Since then, due to Hot-Standby, streaming
    replication and PITR, the amount of time a cluster can spend doing crash
    recovery has increased significantly, to the point that a cluster may
    even never come out of it.  This has made not truncating the content of
    pg_multixact/ not defensible anymore.
    
    To fix, take care to set up enough state for multixact truncation before
    crash recovery starts (easy since checkpoints contain the required
    information), and move the current end-of-recovery actions to a new
    TrimMultiXact() function, analogous to TrimCLOG().
    
    At some later point, this should probably be done similarly to the way
    clog.c is doing it, which is to just WAL log truncations, but we can't
    do that for the back branches.
    
    Back-patch to 9.0.  8.4 also has the problem, but since there's no hot
    standby there, it's much less pressing.  In 9.2 and earlier, this patch
    is simpler than in newer branches, because multixact access during
    recovery isn't required.  Add appropriate checks to make sure that's not
    happening.
    
    Andres Freund
multixact.h 4.24 KB