Re: Error handling (or lack of it) in RemovePgTempFilesInDir

Michael Paquier <michael(dot)paquier(at)gmail(dot)com> writes:
> On Tue, Dec 5, 2017 at 10:51 AM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
>> Uh ... I'm confused? That particular change only concerns whether we emit
>> a log message, not whether the action is attempted or succeeds.

> From the commit mentioned upthread, this switches one hard failure
> when opening pg_tblspc to a LOG report:
> @@ -3014,7 +3018,7 @@ RemovePgTempFiles(void)
> */
> spc_dir = AllocateDir("pg_tblspc");

> - while ((spc_de = ReadDir(spc_dir, "pg_tblspc")) != NULL)
> + while ((spc_de = ReadDirExtended(spc_dir, "pg_tblspc", LOG)) != NULL)
> {

That's not the same commit you just mentioned. The point with this one is
that RemovePgTempFiles is a noncritical operation: if we fail to remove
temp files, it's still safe to start up, because those temp files won't
cause failures later. (This is the exact opposite of the situation for
ResetUnloggedRelations's directory scans, which is why I changed that one
in the opposite direction.)

The general theory I'm operating on is that we should endeavor to
let the database start in any situation where that doesn't involve
a data-corruption hazard. Yeah, it might not be nice if we leave
GB worth of temp files around, but is a postmaster start failure
better? I don't think so.

regards, tom lane