Hrm, something else that just came up. On 9.6+ we use sync_file_range.
It's surely going to eat errors:
rc = sync_file_range(fd, offset, nbytes,
SYNC_FILE_RANGE_WRITE);
/* don't error out, this is just a performance optimization */
if (rc != 0)
{
ereport(WARNING,
(errcode_for_file_access(),
errmsg("could not flush dirty data: %m")));
}
so that has to panic too.
I'm very suspicious about the safety of the msync() path too.
I'll post an update to my PANIC-everywhere patch that add these cases.