Hi, On 2022-08-04 19:14:08 -0400, Tom Lane wrote: > Andres Freund <and...@anarazel.de> writes: > > On 2022-08-04 18:05:25 -0400, Tom Lane wrote: > >> In any case, DROP DATABASE is far from the only place with a problem. > > > What other place has a database corrupting potential of this magnitude just > > because interrupts are accepted? We throw valid s_b contents away and then > > accept interrupts before committing - with predictable results. We also > > accept > > interrupts as part of deleting the db data dir (due to catalog access). > > Those things would be better handled by moving the data-discarding > steps to post-commit. Maybe that argues for having an internal > commit halfway through DROP DATABASE: remove pg_database row, > commit, start new transaction, clean up.
That'd still require holding interrupts, I think. We shouldn't accept interrupts until the on-disk data is actually deleted. In theory I think we should have a pg_database column indicating whether the database is valid or not. For database creation, insert the pg_database row with valid=false, commit, then do the filesystem operation, then mark as valid, commit. For database drop, mark as invalid, commit, remove filesystem stuff, delete row, commit. With dropdb allowed against an invalid database, but obviously nothing else. But clearly this isn't a short term / backpatchable thing. Greetings, Andres Freund
