Re: xid wraparound danger due to INDEX_CLEANUP false - Mailing list pgsql-hackers

From Andres Freund
Subject Re: xid wraparound danger due to INDEX_CLEANUP false
Date
Msg-id 20200429195443.4ytg4ksjxsd7vdt7@alap3.anarazel.de
Whole thread Raw
In response to Re: xid wraparound danger due to INDEX_CLEANUP false  (Peter Geoghegan <pg@bowt.ie>)
Responses Re: xid wraparound danger due to INDEX_CLEANUP false
List pgsql-hackers
Hi,

On 2020-04-29 11:28:00 -0700, Peter Geoghegan wrote:
> On Thu, Apr 16, 2020 at 11:27 AM Andres Freund <andres@anarazel.de> wrote:
> > Sure, there is some pre-existing wraparound danger for individual
> > pages. But it's a pretty narrow corner case before INDEX_CLEANUP
> > off.
> >
> > That comment says something about "shared-memory free space map", making
> > it sound like any crash would loose the page. But it's a normal FSM
> > these days. Vacuum will insert the deleted page into the free space
> > map. So either the FSM would need to be corrupted to not find the
> > inserted page anymore, or the index would need to grow slow enough to
> > not use a page before the wraparound.  And then such wrapped around xids
> > would exist on individual pages. Not on all deleted pages, like with
> > INDEX_CLEANUP false.
> 
> Is that really that narrow, even without "INDEX_CLEANUP false"? It's
> not as if the index needs to grow very slowly to have only very few
> page splits hour to hour (it depends on whether the inserts are random
> or not, and so on). Especially if you had a bulk DELETE affecting many
> rows, which is hardly that uncommon.

Well, you'd need to have a workload that has bulk deletes, high xid
usage *and* doesn't insert new data to use those empty pages


> Fundamentally, btvacuumpage() doesn't freeze 32-bit XIDs (from
> bpto.xact) when it recycles deleted pages. It simply puts them in the
> FSM without changing anything about the page itself. This means
> surprisingly little in the context of nbtree: the
> _bt_page_recyclable() XID check that takes place in btvacuumpage()
> also takes place in _bt_getbuf(), at the point where the page actually
> gets recycled by the client. That's not great.

I think it's quite foolish for btvacuumpage() to not freeze xids. If we
only do so when necessary (i.e. older than a potential new relfrozenxid,
and only when the vacuum didn't yet skip pages), the costs are pretty
miniscule.


> It wouldn't be so unreasonable if btvacuumpage() actually did freeze
> the bpto.xact value at the point where it puts the page in the FSM. It
> doesn't need to be crash safe; it can work as a hint.

I'd much rather make sure the xid is guaranteed to be removed. As
outlined above, the cost would be small, and I think the likelihood of
the consequences of wrapped around xids getting worse over time is
substantial.


> Note that we still need to keep the original bpto.xact XID around for
> _bt_log_reuse_page() (also, do we need to worry _bt_log_reuse_page()
> with a wrapped-around XID?).

I'd just WAL log the reuse when freezing the xid. Then there's no worry
about wraparounds. And I don't think it'd cause additional conflicts;
the vacuum itself (or a prior vacuum) would also have to cause them, I
think?

Greetings,

Andres Freund



pgsql-hackers by date:

Previous
From: Justin Pryzby
Date:
Subject: Re: Cleanup/remove/update references to OID column
Next
From: Corey Huinker
Date:
Subject: Re: Add A Glossary