Avoid unlikely data-loss scenarios due to rename() without fsync.
Renaming a file using rename(2) is not guaranteed to be durable in face
of crashes. Use the previously added durable_rename()/durable_link_or_rename()
in various places where we previously just renamed files.
Most of the changed call sites are arguably not critical, but it seems
better to err on the side of too much durability. The most prominent
known case where the previously missing fsyncs could cause data loss is
crashes at the end of a checkpoint. After the actual checkpoint has been
performed, old WAL files are recycled. When they're filled, their
contents are fdatasynced, but we did not fsync the containing
directory. An OS/hardware crash in an unfortunate moment could then end
up leaving that file with its old name, but new content; WAL replay
would thus not replay it.
Reported-By: Tomas Vondra
Author: Michael Paquier, Tomas Vondra, Andres Freund
Discussion: 56583BDD.9060302@2ndquadrant.com
Backpatch: All supported branches
Branch
------
master
Details
-------
http://git.postgresql.org/pg/commitdiff/1d4a0ab19a7e45aa8b94d7f720d1d9cefb81ec40
Modified Files
--------------
contrib/pg_stat_statements/pg_stat_statements.c | 6 +--
src/backend/access/transam/timeline.c | 40 +++---------------
src/backend/access/transam/xlog.c | 56 +++++--------------------
src/backend/access/transam/xlogarchive.c | 13 +-----
src/backend/postmaster/pgarch.c | 6 +--
src/backend/replication/logical/origin.c | 23 +---------
src/backend/utils/misc/guc.c | 6 +--
7 files changed, 24 insertions(+), 126 deletions(-)
