Hi,
On 2022-08-04 19:14:08 -0400, Tom Lane wrote:
> Andres Freund <andres@anarazel.de> writes:
> > On 2022-08-04 18:05:25 -0400, Tom Lane wrote:
> >> In any case, DROP DATABASE is far from the only place with a problem.
>
> > What other place has a database corrupting potential of this magnitude just
> > because interrupts are accepted? We throw valid s_b contents away and then
> > accept interrupts before committing - with predictable results. We also accept
> > interrupts as part of deleting the db data dir (due to catalog access).
>
> Those things would be better handled by moving the data-discarding
> steps to post-commit. Maybe that argues for having an internal
> commit halfway through DROP DATABASE: remove pg_database row,
> commit, start new transaction, clean up.
That'd still require holding interrupts, I think. We shouldn't accept
interrupts until the on-disk data is actually deleted.
In theory I think we should have a pg_database column indicating whether the
database is valid or not. For database creation, insert the pg_database row
with valid=false, commit, then do the filesystem operation, then mark as
valid, commit. For database drop, mark as invalid, commit, remove filesystem
stuff, delete row, commit. With dropdb allowed against an invalid database,
but obviously nothing else. But clearly this isn't a short term /
backpatchable thing.
Greetings,
Andres Freund
