"Mikheev, Vadim" <vmikheev@SECTORBASE.COM> writes:
>> Because I think turning an elog(ERROR) into a system-wide crash is
>> not a good idea ;-). If you are correct that this behavior
>> is necessary for WAL-related critical sections, then indeed we need
>> two kinds of critical sections, one that just holds off cancel/die
>> response and one that turns elog(ERROR) into a dangerous weapon.
>> I'm going to wait and see Vadim's response before I do anything ...
> I've tried to move "dangerous" ops with non-zero probability of
> elog(ERROR) (eg new file block allocation) out of crit sections.
> Anyway we need in ERROR-->STOP for safety when changes aren't logged.
Why is that safer than just treating an ERROR as an ERROR? It seems to
me there's a real risk of a crash/restart loop if we force a restart
whenever we see an xlog-related problem.
regards, tom lane