Re: Multixid SLRU truncation bugs at wraparound

On 09/01/2026 19:58, Andrey Borodin wrote:
>> On 6 Jan 2026, at 16:53, Heikki Linnakangas <hlinnaka(at)iki(dot)fi> wrote:
>>
>> For all branches, I propose v1-0002-Add-check-for-invalid-offset-at-multixid-truncati.patch to add a check for oldestOffset == 0. That fixes the potential for catastrophic truncation with invalid offset 0.
>
> Multixid that is used in heap is WAL-logged. WAL-logged multixact has non-zero offset.
> So in non-corrupted database such as condition is impossible.
> However, I observed several incidents when AI recommended pg_resetwal to users.
> Proposed safeguard might be useful to prevent sprawling corruption in database.

+1

>> On 6 Jan 2026, at 16:53, Heikki Linnakangas <hlinnaka(at)iki(dot)fi> wrote:
>>
>> But for 'master', I propose the attached v1-0001-Remove-some-unnecessary-code-from-multixact-trunc.patch.
>
> The patch simplifies the code while maintaining correctness.
> The only issue I can think of is that clog, commit_ts and async are still using approach based on SlruScanDirectory().

Clog, commit_ts and async actually all use SimpleLruTruncate for the
truncation. Which in turn uses SlruScanDirectory().

There is one subtle difference between clog and commit_ts, and
multixact. Before truncation, clog and commit_ts use
SlruScanDirCbReportPresence to check if there are any files to remove,
and only perform the truncation if there are. Multixact doesn't do that
check, so it will write a truncation WAL record, even if there are no
files to remove, while clog/commit_ts will not. That's OK, and isn't new
with this patch anyway.

Pushed, thanks for the review!

- Heikki