Re: heap_tuple_needs_freeze false positive

On Thu, Feb 2, 2012 at 11:27 AM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> Robert Haas <robertmhaas(at)gmail(dot)com> writes:
>> I'm not convinced that it's a bug.  Suppose that xmax is set but is
>> hinted as invalid.
>
> XMAX_INVALID is not a "hint".  When it's set, the contents of the field
> must be presumed to be garbage.  Any code failing to adhere to that rule
> is broken.
>
>> We process the table and advanced relfrozenxid;
>> then, we crash.  After recovery, it's possible that the hint bit is
>> gone (after all, setting hint bits isn't WAL-logged).  Now we're in
>> big trouble, because the next CLOG lookup on that xmax value might not
>> happen until it's been reused, and we might get a different answer
>> than before.
>
> I believe we have adequate defenses against that, and even if we did
> not, that doesn't make the code in question less wrong.

I believe the adequate defense that we have is precisely the logic you
are proposing to change. Regardless of whether you want to call
XMAX_INVALID a hint or, say, a giant tortoise, I am fairly sure that
we don't WAL-log setting it. That means that a bit set before a crash
won't necessarily still be set after a crash. But the corresponding
relfrozenxid advancement will be WAL-logged, leading to the problem
scenario I described.

--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company