Re: PITR potentially broken in 9.2

On 2012-12-04 21:27:34 -0500, Tom Lane wrote:
> Andres Freund <andres(at)2ndquadrant(dot)com> writes:
> >> But the key is, the database was not actually consistent at that
> >> point, and so opening hot standby was a dangerous thing to do.
> >>
> >> The bug that allowed the database to open early (the original topic if
> >> this email chain) was masking this secondary issue.
>
> > Could you check whether the attached patch fixes the behaviour?
>
> Yeah, I had just come to the same conclusion: the bug is not with
> Heikki's fix, but with the pause logic. The comment says that it
> shouldn't pause unless users can connect to un-pause, but the actual
> implementation of that test is several bricks shy of a load.
>
> Your patch is better, but it's still missing a bet: what we need to be
> sure of is not merely that we *could* have told the postmaster to start
> hot standby, but that we *actually have done so*. Otherwise, it's
> flow-of-control-dependent whether it works or not; we could fail if the
> main loop hasn't gotten to CheckRecoveryConsistency since the conditions
> became true. Looking at the code in CheckRecoveryConsistency, testing
> LocalHotStandbyActive seems appropriate.

Good point.

My patch wasn't intended as something final, I just wanted confirmation
that it achieves what Jeff wants because I at least - you possibly as
well? - misunderstood him earlier. Would probably have missed the
interaction above anyway ;)

> I also thought it was pretty dangerous that this absolutely critical
> test was not placed in recoveryPausesHere() itself, rather than relying
> on the call sites to remember to do it.

Absolutely aggreed.

> So the upshot is that I propose a patch more like the attached.

Without having run anything so far it looks good to me.

Ok, night now,

Andres
--
Andres Freund http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Training & Services