"Simon Riggs" <[EMAIL PROTECTED]> writes: > ISTM we only need to flush iff the clog would be truncated when we > update relminxid.
Wrong :-( If the relvacuumxid change (not relminxid ... as I said, these names aren't very transparent) makes it to disk but not all the hint bits do, you're at risk. Crash, restart, vacuum some other table, and *now* the global min vacuumxid advances. The fact that we're WAL-logging the relvacuumxid change makes this scenario exceedingly probable, if no action is taken to force out the hint bits. The only alternative I can see is the one Heikki suggested: don't truncate clog until the freeze horizon. That's safe (given the planned change to WAL-log tuple freezing) and clean and simple, but a permanent requirement of 250MB+ for pg_clog would put the final nail in the coffin of PG's usability in small-disk-footprint environments. So I don't like it much. I suppose it could be made more tolerable by reducing the freeze horizon, say to 100M instead of 1G transactions. Anyone for a GUC parameter? In a high-volume DB you'd want the larger setting to minimize the amount of tuple freezing work. OTOH it seems like making this configurable creates a nasty risk for PITR situations: a slave that's configured with a smaller freeze window than the master is probably not safe. regards, tom lane ---------------------------(end of broadcast)--------------------------- TIP 2: Don't 'kill -9' the postmaster