xact_rollback spikes when logical walsender exits

First seen: 2026-04-17 15:15:00+00:00 · Messages: 4 · Participants: 3

Latest Update

2026-05-14 · claude-opus-4-6

Technical Analysis: xact_rollback Spikes from Logical Walsender Exit

Core Problem

PostgreSQL's logical replication decoding pipeline has a subtle interaction with the database statistics subsystem that produces misleading xact_rollback counter inflation. The root cause lies in ReorderBufferProcessTXN(), which is responsible for decoding committed transactions from WAL on the publisher side.

The Mechanism

When a logical walsender decodes a committed transaction, it must access the system catalog to resolve type information, relation metadata, etc. To ensure catalog snapshot cleanup, ReorderBufferProcessTXN() calls AbortCurrentTransaction() after processing each decoded transaction. This is purely an internal cleanup mechanism — no user-visible transaction is actually being aborted.

However, AbortCurrentTransaction() invokes AtEOXact_PgStat_Database(isCommit=false), which unconditionally increments the backend-local pgStatXactRollback counter. Since the walsender is connected to a database, these rollback counts accumulate in the backend's local statistics buffer.

The Spike Pattern

The critical operational issue is the flush timing. Backend-local statistics are not reported to shared memory continuously during walsender operation — they accumulate in the backend's local counters. When the walsender exits (due to subscription disable, slot drop, or restart), pgstat_report_stat() flushes all accumulated counts at once to the shared pg_stat_database view. This produces an acute spike in xact_rollback proportional to the number of transactions decoded during the walsender's lifetime.

For high-throughput production systems, a single walsender restart can produce thousands or millions of spurious rollback counts in an instant, triggering monitoring alerts.

Why This Matters Architecturally

The pg_stat_database.xact_rollback counter is a primary operational signal for database health. SRE teams use it to detect application errors, deadlocks, and lock contention patterns. The logical replication decoding path pollutes this signal with internal housekeeping operations that have no semantic relationship to actual transaction failures. This represents a category confusion in the statistics subsystem: internal process bookkeeping is being conflated with user-visible transaction outcomes.

Proposed Solutions

Solution 1: Backend-local Skip Flag (v1 — Original Patch)

The original patch introduces a pgStatXactSkipCounters flag in pgstat_database.c. When set, AtEOXact_PgStat_Database() skips incrementing the rollback counter. The logical decoding path sets this flag around the cleanup abort.

Tradeoff: Simple and surgical, but introduces a global mutable flag that could be accidentally left set, and its semantics are specific to one caller.

Solution 2: Wrapper Function (v2 — Adopted Approach)

Vignesh suggested creating AbortCurrentTransactionWithoutXactStats() which wraps AbortCurrentTransaction() but suppresses only the AtEOXact_PgStat_Database() call (the DB-level xact_commit/xact_rollback counter). Per-relation stats and sub-transaction stat handling still execute normally.

Key design decision in v2: The suppression is scoped narrowly — only the database-level transaction counters are skipped, not all of AtEOXact_PgStat(). This preserves relation-level statistics (e.g., table access counts during catalog lookups) while eliminating only the misleading rollback count.

Solution 3: Periodic Flushing (Fujii's Suggestion)

If the definition of xact_rollback is kept broad (all rollbacks by all processes), the spike problem could be mitigated by calling pgstat_report_stat() periodically during walsender operation (after pgstat_flush_io()). This would spread the counts over time rather than accumulating them for a burst on exit.

Tradeoff: This doesn't fix the semantic problem — the counter still counts non-user-visible rollbacks — it only eliminates the acute spike pattern. Monitoring based on rollback rate would still show elevated baselines proportional to replication throughput.

Solution 4: Narrow Definition — Regular Backends Only (Fujii's Third Option)

Redefine xact_rollback to count only rollbacks from regular client backends, excluding autovacuum, walsender, and other auxiliary processes entirely.

Tradeoff: Most semantically clean from a DBA perspective, but represents a potentially breaking behavioral change. It would require documentation updates and could affect existing monitoring that depends on the current inclusive counting.

Key Design Tension

The fundamental disagreement is about what xact_rollback means. The documentation provides no explicit definition. Fujii correctly identifies three possible scopes:

  1. All rollbacks, all processes (current behavior) — maximally inclusive
  2. All rollbacks except logical decoding cleanup (patch approach) — pragmatic exclusion
  3. Only regular backend rollbacks (narrow definition) — most intuitive for operators

The thread implicitly converges on option 2 as a pragmatic fix, though option 3 would be architecturally cleaner. The v2 patch's narrow scoping (suppressing only DB-level counters, not per-relation stats) suggests the author is trying to minimize behavioral change while solving the operational problem.

Testing

The original patch includes a TAP test that verifies the fix: it sets up logical replication, processes transactions, then checks that xact_rollback in pg_stat_database does not show inflated counts. On unpatched master, the test reports 5 rollbacks vs. 0 expected.