Databases
CLOG, XID wraparound, and MultiXact: deep visibility internals
Postgres has 32-bit transaction ids. At 2 billion, they wrap — and old xmin values would suddenly appear newer than they are, making every old row invisible. Postgres solves this with freezing, autovacuum’s highest-priority task. Sentry hit this in 2017 and had to freeze tables manually under fire.
Snapshot visibility, bit by bit
The visibility decision Postgres makes on every tuple it scans is implemented in src/backend/utils/time/snapmgr.c and src/backend/access/heap/heapam_visibility.c. The key function is HeapTupleSatisfiesMVCC(HeapTuple tuple, Snapshot snapshot, Buffer buffer).
It walks a decision tree across t_infomask bits:
HEAP_XMIN_COMMITTED/HEAP_XMIN_INVALIDHEAP_XMAX_COMMITTED/HEAP_XMAX_INVALID
These hint bits short-circuit the common cases without touching the commit log. When the bits are not set (the row was committed but the hint bit has not yet been written by a later scan), the function consults the CLOG (commit log) to determine commit status, then writes back the hint bit so the next visit is fast.
Hint-bit propagation effect: a SELECT immediately after a long INSERT can be slower than the same SELECT a second later. The first scan touches every tuple’s CLOG entry and writes hint bits; the second scan reads the bits directly. This is not a bug — it is a one-time cost per new tuple.
Two different transactions cannot disagree on visibility because the rule is a pure function of the tuple’s xmin/xmax and the reader’s snapshot.
| Step | What happens |
|---|---|
| 1. Check HEAP_XMIN_COMMITTED hint bit | If set: xmin is definitely committed, skip CLOG |
| 2. If hint bit not set: consult CLOG | Read 2-bit commit status from pg_xact/ pages |
| 3. Write hint bit back | Future scans skip CLOG for this tuple |
| 4. Apply snapshot rule | Is xmin committed and not in xip? Is xmax absent/rolled-back/in xip? |
The CLOG (commit log)
Each committed-or-aborted transaction’s outcome is recorded in pg_xact/ (formerly pg_clog/): two bits per transaction id, packed into 8 KB pages. At 2 bits per transaction, one page covers 16,384 transactions.
The CLOG is heavily cached (the clog_buffers setting controls how many pages live in shared buffers). After a transaction commits, its CLOG bits are durable on disk thanks to WAL — the COMMIT record on disk is what makes the transaction’s effect visible to future readers.
This is why fsync = on and synchronous_commit = on are non-negotiable for durability: a commit acknowledged before the WAL hit disk could leave CLOG inconsistent on recovery.
Transaction id wraparound and freezing
Postgres transaction ids are 32-bit. At roughly 2 billion active transactions the counter would wrap, and old xmin/xmax values would suddenly appear newer than they are — a correctness disaster.
Postgres prevents this by freezing: once a tuple is old enough (older than autovacuum_freeze_max_age, default 200 million transactions), VACUUM rewrites its t_xmin to the special FrozenTransactionId value, which is always visible to any snapshot.
Wraparound prevention vacuum is the highest-priority autovacuum task — it runs even when autovacuum = off. On a database that approaches 2 billion transactions without enough freezing, Postgres refuses new connections and shuts down with:
database is not accepting commands to avoid wraparound data lossOperations monitoring:
SELECT datname, age(datfrozenxid) FROM pg_database;- Alert at 1 billion (age = 1,000,000,000)
- Page at 1.5 billion
Real outage: Sentry 2017 — autovacuum fell behind on a cluster; they ended up doing manual freezing under fire to recover.
MultiXact and shared row locks
When more than one transaction wants to hold a non-exclusive lock on the same row (e.g., two transactions both running SELECT ... FOR SHARE), Postgres cannot fit multiple xids into a tuple’s single t_xmax field. It instead allocates a MultiXactId — a 32-bit id pointing into pg_multixact/ that lists the participating transactions and their lock modes.
MultiXacts have their own wraparound (also 2 billion), tracked separately and frozen on a separate cadence. A workload that uses heavy SELECT ... FOR KEY SHARE (the implicit lock from foreign-key checks) can hit MultiXact wraparound long before XID wraparound.
SELECT datname, age(datfrozenxid), age(datminmxid) FROM pg_database;Both ages need monitoring; the lower of the two determines your effective safety margin.
- HOT chain length (typical)
- 4–8 versions before break
- Default fillfactor
- 100 (tables), 90 (indexes)
- MultiXact wraparound
- 2B, separate from XID
- Freeze trigger
- autovacuum_freeze_max_age 200M
- SSI false-positive rate
- 0.1–1% healthy; >5% tune
- pg_repack online cost
- transient 2x disk
- idle_in_transaction_session_timeout
- 5–15 min recommended
- Logical slot lag risk
- orphan slot pins xmin
A SELECT immediately after a long INSERT runs slower than the same SELECT one second later. What is the most likely cause?
Why does Postgres refuse connections when the transaction id age approaches 2 billion?
A workload with heavy SELECT ... FOR KEY SHARE (implicit foreign-key check locks) hits an unexpected autovacuum wraparound warning. What counter is most likely approaching its limit?
- 01What are hint bits, where do they live, and why do they exist?
- 02What is XID freezing and why is it the highest-priority autovacuum task?
- 03What is a MultiXactId and when does Postgres allocate one?
HeapTupleSatisfiesMVCC walks t_infomask hint bits before consulting CLOG (two bits per xid in pg_xact/). Hint bits are written lazily on first read, creating a one-time per-tuple CLOG lookup cost. Postgres transaction ids are 32-bit and approach wraparound at ~2 billion; VACUUM freezes old tuples by writing FrozenTransactionId into t_xmin, making them permanently visible. This is autovacuum’s highest-priority task — Sentry 2017 is the canonical production incident where skipping it led to emergency shutdown. Shared row locks (SELECT FOR SHARE/FOR KEY SHARE) use MultiXactIds, a separate 32-bit counter with its own wraparound deadline; monitor both age(datfrozenxid) and age(datminmxid).
appears again in140
- Why GraphQL gets N+1junior
- DataLoader mechanics: tick-boundary batchingmiddle
- Batch function contracts: ordering, shapes, errorsmiddle
- Federation and lookahead: batching beyond DataLoadermiddle
- Query complexity defences: depth, cost, persisted queriesmiddle
- Senior GraphQL API: scheduling contract, tenant isolation, observabilitysenior
- Why idempotency: making retries safejunior
- Server-side state machine: four states of an idempotency keymiddle
- Outbox and inbox: effectively-once across the dual-write boundarymiddle
- Concurrency and cache architecture for idempotency at scalesenior
- Observability, production failures, and global-scale designsenior
- The event loop: one thread, three queuesjunior
- Tasks, microtasks, and scheduler.yield()middle
- Microtask starvation, Long Tasks, and LoAFsenior
- Node.js event loop: phases, nextTick, and loop lagsenior
- React, Vue, and INP observability in productionsenior
- The render pipeline: six stages from bytes to pixelsjunior
- Stage costs and the renderer process modelmiddle
- Invalidation, dirty bits, and containmiddle
- Compositor layers: promotion, overlap, and GPU memorymiddle
- DevTools flame strip and the frame lifecyclemiddle
- Layout thrash: forced synchronous layoutsenior
- BeginMainFrame, compositor-driven animations, and GPU memorysenior
- Production observability: LoAF, INP, and the full attack surfacesenior
- What V8 is and why performance varies 100×junior
- V8''''s four-tier JIT pipeline and profile-guided tieringmiddle
- Hidden classes, transition trees, and memory layoutmiddle
- Inline caches, IC states, and deoptimizationmiddle
- Orinoco GC: parallel scavenger, concurrent marking, and write barriersmiddle
- TurboFan''''s speculative engine and the deopt-loop trapsenior
- V8 in production: isolates, pointer compression, and real failuressenior
- Service worker lifecycle and cache strategiesmiddle
- Service worker edge cases: version skew, durability, and navigation trapssenior
- What the reconciler does: render vs commitjunior
- The fiber object and the double-buffer treemiddle
- Render phase purity and commit phase sub-stepsmiddle
- Reconciliation: diffing heuristics and the key trapmiddle
- Priority lanes, time-slicing, and useTransitionmiddle
- Bailout, memoisation, and tearingsenior
- React Profiler, the Compiler, and production observabilitysenior
- Rendering strategies: SSG, SSR, ISR, streaming, and hydrationjunior
- SSG, SSR, ISR, streaming, and RSC — how each worksmiddle
- Hydration cost: selective, progressive, islands, resumabilitymiddle
- Hydration mismatch: causes, detection, and the determinism rulesenior
- RSC, per-route strategy, and production observabilitysenior
- Core Web Vitals: what LCP, INP, and CLS measurejunior
- CLS: why layout shifts happen and how to stop themmiddle
- Metric tradeoffs, RUM attribution, and the CI+field loopsenior
- The full picture: URL to LCP to INP as a relay racejunior
- Eight layers traced: from the service worker to the second navigationmiddle
- Five canonical breaks: where production reliably diessenior
- The three-track method: reading traces and building a monitored systemsenior
- What is a cache stampede and why it makes things worsejunior
- Lock and single-flight: bounding concurrent rebuildsmiddle
- XFetch: coordination-free probabilistic early expirationmiddle
- Stale-while-revalidate and CDN request coalescingmiddle
- Detecting stampedes and designing TTL for productionmiddle
- Metastable failure, fencing tokens, and production postmortemssenior
- Raft roles, terms, and why majority quorums prevent split brainjunior
- How Raft replicates a log entry and decides it is safe to commitmiddle
- Raft leader election: timeouts, voting rules, and the four safety propertiesmiddle
- Raft in the real world: partitions, slow disks, and client routingmiddle
- Raft extensions: pre-vote, learners, snapshots, and linearizable readssenior
- Raft in production: membership changes, Multi-Raft, and observabilitysenior
- Where data fetching happens — and why it decides LCPjunior
- Fetch waterfalls — diagnosis and the Promise.all curemiddle
- React Server Components and Suspense streamingmiddle
- Client-side cache: TanStack Query, SWR, and stale-while-revalidatemiddle
- LCP, prefetch, and race conditions in interactive fetchingmiddle
- Senior internals: RSC payload, caching layers, and production failure modessenior
- The three-way handshakejunior
- Sequence numbers and connection statemiddle
- DNS: what it does and why it existsjunior
- The resolver walk: referrals, record types, and gluemiddle
- TTL, caching, and DNS propagationmiddle
- The 1-RTT handshake: key shares and ECDHEmiddle
- Session resumption and 0-RTTmiddle
- WebSocket: the HTTP upgrade handshakejunior
- WebSocket frame format: opcodes, masking, fragmentationmiddle
- WebSocket backpressure: when clients can''''t keep upmiddle
- Reconnection: jittered backoff, thundering herd, message resumptionsenior
- WebSocket at scale: HTTP/2 multiplexing, permessage-deflate, C10Msenior
- WebSocket in production: proxies, security, and distributed architecturesenior
- What reverse proxies dojunior
- Health checks, connection draining, and slow startmiddle
- Session affinity, consistent hashing, and the right fixmiddle
- Retry storms, circuit breakers, and load sheddingsenior
- Resilient LB architecture: anycast, zone-aware routing, and observabilitysenior
- Why QUIC and not TCP+TLSjunior
- Connection IDs and network migrationmiddle
- 0-RTT resumption and packet encryptionsenior
- DDoS: what it is and why it worksjunior
- Amplification attacks and state exhaustionmiddle
- Rate limiting: algorithms and architecturemiddle
- WAFs, firewalls, mTLS, and HSTSmiddle
- DNS cache poisoning and BGP hijackingsenior
- Defense-in-depth architecture and attack economicssenior
- DNS, TCP, TLS in sequence: where the milliseconds gomiddle
- Proxy intercepts and security gates: rate limiters, WAF, mTLSmiddle
- Alternate paths: QUIC 0-RTT, WebSocket upgrade, connection migrationmiddle
- Observability: distributed traces, USE/RED, and samplingsenior
- Resilience: cascading retries, circuit breakers, and error budgetssenior
- What the three signals are: logs, metrics, and tracesjunior
- Why structured logs exist: the diary vs the spreadsheetjunior
- The production log schema: fields every line must carrymiddle
- PII redaction and log injectionsenior
- OTel Logs Data Model and audit logs as a subsystemsenior
- SLI, SLO, and the error budget: reliability by the numbersjunior
- Error budget policy, latency SLOs, and composite journeysmiddle
- Production SLO failures, self-observability, security, and the big picturesenior
- The incident loop: from pager to postmortem to preventionmiddle
- Cache lines, struct layout, and false sharingmiddle
- SIMD, SoA vs AoS, and memory bandwidthmiddle
- Cache-oblivious algorithms, PGO, and production failuressenior
- GC in production: observability, security, edge cases, and fleet governancesenior
- Batching: amortize fixed cost per operationjunior
- The batching window: size and wait timemiddle
- Batching in Kafka and Postgresmiddle
- io_uring and observability of batchingmiddle
- From Nagle to io_uring: evolution of batchingmiddle
- Backpressure, failure isolation, and batch security in productionsenior
- CI enforcement and RUM: making budgets stickmiddle
- V8 JIT pipeline, HTTP priorities, and bundle securitysenior
- The performance loop: discipline, not a projectjunior
- Classify and fix: matching bottleneck families to remediesmiddle
- Observability stack and CI gates: catching regressions before they shipmiddle
- Incident to enforcement: SLO burn to verified fix in 35 minutesmiddle
- Culture, economics, and org-scale performancesenior
- At-most-once, at-least-once, exactly-once: the three delivery contractsjunior
- The three failure legs — where duplicates and losses actually happenmiddle
- Consumer-side dedup: the cheapest path to exactly-once processingmiddle
- Kafka exactly-once semantics: idempotent producer and transactionsmiddle
- SQS visibility timeout, DLQ, and the outbox patternmiddle
- Exactly-once in production: impossibility proof, hybrid patterns, and real incidentssenior
- What OAuth is and why passwords are not the answerjunior
- Authorization code flow with PKCEmiddle
- ID token validation and JWKS cache managementmiddle
- Refresh token rotation and scope-based least privilegemiddle
- Sender-constrained tokens: DPoP and mTLSsenior
- OAuth in production: audience attacks, observability, and real failuressenior