On 2014-07-20 18:39:06 -0400, Tom Lane wrote:
> Andres Freund <andres@2ndquadrant.com> writes:
> > On 2014-07-20 18:16:51 -0400, Tom Lane wrote:
> >> My point is that the cutoff multi xid won't be new enough to remove
> >> non-LOCKED_ONLY (ie, post-9.3) mxids.
>
> > Why not? Afaics this will continue to happen until multixacts are
> > wrapped around once? So the cutoff multi will be new enough for that at
> > some point after the pg_upgrade?
>
> Before that happens, nextMultiXid will catch up with the minmxid = 1
> values, and they'll be in the past, and then we're at the same point
> that we're at to begin with if we used 9.3.5 pg_upgrade.
There'll be problems earlier than that afaics. Consider what happens if
a pg_upgrade happened at NextMulti=3000000000 which will have set
minmxid=1. If, after that, a couple 100k multis have been used, but
fewer than autovacuum_freeze_max_age normal xids were consumed we're in
an unfortunate situation.
If any *single* full table vacuum after that calls
vac_update_datfrozenxid() which just needs its datfrozenxid advance by
one we're in trouble: vac_truncate_clog() will be called with minMulti =
GetOldestMultiXactId(). Note that the latter only returns the oldest
*running* multi. Because vac_truncate_clog() only finds 1s in
datfrozenxid it'll ignore all of them because of:
if (MultiXactIdPrecedes(dbform->datminmxid, minMulti))
{
minMulti = dbform->datminmxid;
minmulti_datoid = HeapTupleGetOid(tuple);
}
and calls
SetMultiXactIdLimit(minMulti, minmulti_datoid);
If the vacuum happened without a concurrent backend using multis active
this will set the limit to the *current* NextMulti. Then
TruncateMultiXact() called after the checkpoint will truncate away
everything up to the current NextMulti essentially corrupting rows
created in 9.3+.
> > Luckily in most cases full table vacuums triggered due to normal xids
> > will prevent bad problems though.
>
> Yeah. While it's not that comfortable to rely on that, we were reliant
> on that effect in every pre-9.3 branch, so I'm not terribly upset about
> it continuing to be the case in existing 9.3 installations.
Well, there's a pretty fundamental distinction to < 9.3: The worst that
could happen before is a transient error while *writing*. Now it can
happen during reading.
Greetings,
Andres Freund
--
Andres Freund http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Training & Services