Re: [bug fix] PITR corrupts the database cluster

I wrote:
> The only thing here that really bothers me is that a crash during DROP
> DATABASE/TABLESPACE could leave us with a partially populated db/ts
> that's still accessible through the system catalogs.  ...
> I guess one thing we could do is create a flag file, say
> "dead.dont.use", in the database's default-tablespace directory, and
> make new backends check for that before being willing to start up in
> that database; then make sure that removal of that file is the last
> step in DROP DATABASE.

After a bit of experimentation, it seems there's a pre-existing way that
we could do this: just remove PG_VERSION from the database's default
directory as the first filesystem action in DROP DATABASE.  If we
crash before committing, subsequent attempts to connect to that database
would fail like this:

$ psql bogus
psql: FATAL:  "base/176774" is not a valid data directory
DETAIL:  File "base/176774/PG_VERSION" is missing.

which is probably already good enough, though maybe we could add a HINT
suggesting that the DB was incompletely dropped.

To ensure this is replayed properly on slave servers, I'd be inclined to
mechanize it by (1) changing remove_dbtablespaces to ensure that the
DB's default tablespace is the first one dropped, and (2) incorporating
remove-PG_VERSION-first into rmtree().
        regards, tom lane