Amit kapila <amit.kapila@huawei.com> writes:
>> AFAIR pg_controldata fit on a disk sector so it can not be half written.
> It can be corrupt due to some other reasons as well like torn disk sector.
"Torn disk sector"? Please, this is nonsense. Disks cannot write half
a sector and then stop. A sufficiently badly designed drive might
attempt to start a write when it didn't have enough power left to finish
... but the result of that would be a corrupt sector with a non-matching
CRC, not one that read back okay but contained erroneous data.
> The suggested patch improves the logic to recover corrupt control file. So that is the reason I felt it will be
relevantto do this patch.
Well, we invented pg_resetxlog with the thought that it might be useful
for such situations, but I'm not sure offhand that we've ever seen a
field report of corrupted pg_control files. For instance, a quick
search in the archives for "incorrect checksum in control file" turns up
only cases of pilot error, such as supposing that a 32-bit database
could be used with a 64-bit server or vice versa. Actual hardware
failures on the pg_control file could be expected to result in something
like "could not read from control file: I/O error", which I find no
evidence for at all in the archives.
Before adding new code to improve the situation, it would be good to
have (a) evidence that there's a problem worth solving, and (b) a theory
as to what likely-to-occur cases the new code is going to make better,
while not making things worse in other likely-to-occur cases. Case in
point here is that it's not immediately obvious that we should trust
the contents of WAL more than pg_control --- the former gets a whole
lot more write traffic and hence has many more opportunities for
failure.
At the moment I don't see that we have either (a) or (b), so I think
it's pretty dubious to be making any changes of this sort.
regards, tom lane