taken by using asynchronous commit is of data loss,
not data corruption. If the database should crash, it will recover
by replaying <acronym>WAL</acronym> up to the last record that was
flushed. The database will therefore be restored to a self-consistent
state, but any transactions that were not yet flushed to disk will
not be reflected in that state. The net effect is therefore loss of
the last few transactions. Because the transactions are replayed in
commit order, no inconsistency can be introduced — for example,
if transaction B made changes relying on the effects of a previous
transaction A, it is not possible for A's effects to be lost while B's
effects are preserved.
</para>
<para>
The user can select the commit mode of each transaction, so that
it is possible to have both synchronous and asynchronous commit
transactions running concurrently. This allows flexible trade-offs
between performance and certainty of transaction durability.
The commit mode is controlled by the user-settable parameter
<xref linkend="guc-synchronous-commit"/>, which can be changed in any of
the ways that a configuration parameter can be set. The mode used for
any one transaction depends on the value of
<varname>synchronous_commit</varname> when transaction commit begins.
</para>
<para>
Certain utility commands, for instance <command>DROP TABLE</command>, are
forced to commit synchronously regardless of the setting of
<varname>synchronous_commit</varname>. This is to ensure consistency
between the server's file system and the logical state of the database.
The commands supporting two-phase commit, such as <command>PREPARE
TRANSACTION</command>, are also always synchronous.
</para>
<para>
If the database crashes during the risk window between an
asynchronous commit and the writing of the transaction's
<acronym>WAL</acronym> records,
then changes made during that transaction <emphasis>will</emphasis> be lost.
The duration of the
risk window is limited because a background process (the <quote>WAL
writer</quote>) flushes unwritten <acronym>WAL</acronym> records to disk
every <xref linkend="guc-wal-writer-delay"/> milliseconds.
The actual maximum duration of the risk window is three times
<varname>wal_writer_delay</varname> because the WAL writer is
designed to favor writing whole pages at a time during busy periods.
</para>
<caution>
<para>
An immediate-mode shutdown is equivalent to a server crash, and will
therefore cause loss of any unflushed asynchronous commits.
</para>
</caution>
<para>
Asynchronous commit provides behavior different from setting
<xref linkend="guc-fsync"/> = off.
<varname>fsync</varname> is a server-wide
setting that will alter the behavior of all transactions. It disables
all logic within <productname>PostgreSQL</productname> that attempts to synchronize
writes to different portions of the database, and therefore a system
crash (that is, a hardware or operating system crash, not a failure of
<productname>PostgreSQL</productname> itself) could result in arbitrarily bad
corruption of the database state. In many scenarios, asynchronous
commit provides most of the performance improvement that could be
obtained by turning off <varname>fsync</varname>, but without the risk
of data corruption.
</para>
<para>
<xref linkend="guc-commit-delay"/> also sounds very similar to
asynchronous commit, but it is actually a synchronous commit method
(in fact, <varname>commit_delay</varname> is ignored during an
asynchronous commit). <varname>commit_delay</varname> causes a delay
just before a transaction flushes <acronym>WAL</acronym> to disk, in
the hope that a single flush executed by one such transaction can also
serve other transactions committing at about the same time. The
setting can be thought of as a way of increasing