| From | Michael Paquier <michael(at)paquier(dot)xyz> |
|---|---|
| To | Kyotaro Horiguchi <horikyota(dot)ntt(at)gmail(dot)com> |
| Cc | pgsql-hackers(at)lists(dot)postgresql(dot)org, ethmertz(at)amazon(dot)com, nathandbossart(at)gmail(dot)com, pgsql(at)j-davis(dot)com, sawada(dot)mshk(at)gmail(dot)com |
| Subject | Re: Incorrect handling of OOM in WAL replay leading to data loss |
| Date | 2023-08-01 05:03:36 |
| Message-ID | ZMiSKDYZ93e7fFB7@paquier.xyz |
| Lists | pgsql-hackers |
On Tue, Aug 01, 2023 at 01:51:13PM +0900, Kyotaro Horiguchi wrote:
> I believe a database server is not supposed to be executed under such
> a memory-constrained environment.
I don't really follow this argument. The backend and the frontends
are reliable on OOM, where we generate ERRORs or even FATALs depending
on the code path involved. A memory-bounded environment is something
that can easily happen if one's not careful enough with the sizing of
the instance. For example, this error can be triggered on a standby
with read-only queries that put pressure on the host's memory.
> One issue on changing that behavior is that there's not a simple way
> to detect a broken record before loading it into memory. We might be
> able to implement a fallback mechanism for example that loads the
> record into an already-allocated buffer (which is smaller than the
> specified length) just to verify if it's corrupted. However, I
> question whether it's worth the additional complexity. And I'm not
> sure what if the first allocation failed.
Perhaps we could rely more on a fallback memory, especially if it is
possible to use that for the header validation. That seems like a
separate thing, still.
--
Michael
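An added illustration of the fallback idea discussed in this exchange, not code from PostgreSQL or from either author: a toy record reader whose header checks run against a pre-allocated buffer, so that a failed allocation for the record body is reported as out-of-memory instead of being mistaken for a broken record (end of WAL). The record layout, the checksum and the `simulate_oom` hook are constructed for this example.

```c
/* Toy record reader contrasting "broken record" with "out of memory" during
 * replay. Constructed example: the record layout is invented, not PostgreSQL's. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_REC_LEN 4096u
typedef enum { READ_OK, READ_END_OF_WAL, READ_OOM } read_status;
/* Constructed header: total record length, then a 16-bit sum of the payload. */
typedef struct { uint32_t tot_len; uint16_t sum; } rec_hdr;
/* Pre-allocated fallback: header validation never needs a fresh allocation,
 * so it keeps working while the host is under memory pressure. */
static rec_hdr hdr_fallback;
/* Allocation hook so a test can simulate malloc() failure deterministically. */
int simulate_oom = 0;
static void *rec_alloc(size_t n) { return simulate_oom ? NULL : malloc(n); }

static uint16_t sum16(const unsigned char *p, size_t n) {
    uint32_t s = 0;
    for (size_t i = 0; i < n; i++) s += p[i];
    return (uint16_t)s;
}

/* Encodes payload into dst; returns the record length, or 0 if it won't fit. */
size_t build_record(const unsigned char *payload, size_t n, unsigned char *dst, size_t cap) {
    rec_hdr h = { (uint32_t)(sizeof(rec_hdr) + n), sum16(payload, n) };
    if (h.tot_len > cap) return 0;
    memcpy(dst, &h, sizeof h);
    memcpy(dst + sizeof h, payload, n);
    return h.tot_len;
}

/* Reads one record from wal (len bytes) into *out; caller frees it on READ_OK. */
read_status read_record(const unsigned char *wal, size_t len, unsigned char **out) {
    const rec_hdr *h = &hdr_fallback;
    if (len < sizeof *h) return READ_END_OF_WAL;
    memcpy(&hdr_fallback, wal, sizeof *h);   /* header lands in the fixed buffer */
    /* Bad length or checksum is corruption: end replay here, no malloc() needed. */
    if (h->tot_len < sizeof *h || h->tot_len > MAX_REC_LEN || h->tot_len > len)
        return READ_END_OF_WAL;
    if (sum16(wal + sizeof *h, h->tot_len - sizeof *h) != h->sum)
        return READ_END_OF_WAL;
    /* Only a validated header reaches the allocation, so NULL here is a resource
     * failure; reporting it as end-of-WAL would stop replay with valid records unread. */
    unsigned char *buf = rec_alloc(h->tot_len);
    if (buf == NULL) return READ_OOM;
    memcpy(buf, wal, h->tot_len);
    *out = buf;
    return READ_OK;
}
```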