AW: AW: WAL-based allocation of XIDs is insecure

> >> 5. We will now run a new transaction with the same XID that was in use
> >> before the crash. If that transaction commits, then we have a tuple on
> >> disk that will be considered valid --- and should not be.
>
> > I do not think this is true. Before any modification to a page the
> > original page will be written to the log (aka physical log).
>
> Hmm. Actually, what is written to the log is the *modified* page not
> its original contents.

Well, that sure is not what was discussed on the list for implementation !!
The physical log page should be the page as it was during the last checkpoint.
Anything else would also not have the benefit of fixing the index page problem
this solution was intended to fix in the first place. I thus really doubt above statement.

> However, on studying the buffer manager I see
> that it tries to fsync the log entry describing the last mod to a data
> page before it writes out the page itself. So perhaps that can be
> relied on to ensure all XIDs known in the heap are known in the log.

Each page about to be modified should be written to the txlog once,
and only once before the first modification after each checkpoint.

During rollforward the pages are written back to the heap, thus no open
XIDs can be in heap pages.

> However, I'd just as soon have the NEXTXID log records too to be doubly
> sure. I do now agree that we needn't fsync the NEXTXID records,
> however.

I do not really see an additional benefit. If the WAL is busted those records are
likely busted too.

Andreas