<div dir="ltr">Hi Tatsuo,<br><br>Thank you for the thorough review and the thoughtful pushback on the cross-session security concern. You&#39;re right that &quot;dml_adaptive just hits himself in the foot, your patch allows him to hit someone else&#39;s foot&quot; — that asymmetry needs a technical answer, not just a threat-model argument.<br><br>I&#39;ve addressed this in the updated patch with two mechanisms:<br><br><b>1. Maximum staleness cap (`track_table_mutation_max_staleness`)<br></b><br>New configuration parameter (default: 60 seconds, range: 0–3600000 ms). This bounds how long any single table entry can continuously force primary routing, measured from the first write that created the entry. Even under sustained writes, the entry expires after this period. If the table is written to again after expiry, a fresh entry is created.<br><br>This directly addresses the concern: the worst-case cross-session impact is bounded and configurable. An operator can look at this parameter and know: &quot;no matter what, a table&#39;s staleness effect on other sessions cannot exceed X seconds continuously.&quot;<br><br>For legitimately busy tables, the brief gap between forced expiry and the next write re-marking the table is negligible — typically milliseconds, since writes are frequent. The correctness guarantee is preserved.<br><br><b>2. Database-scoped isolation (documented)</b><br><br>The tracking is already scoped by database OID — writes in one database never affect routing decisions for sessions in a different database. I&#39;ve documented this explicitly as a security boundary in the docs. In multi-tenant deployments with separate databases, tenants are isolated from each other&#39;s write activity.<br><br>Combined with the existing safeguards (committed writes only, bounded table map size, opt-in mode), the cross-session impact is now bounded in both duration and scope.<br><br>I&#39;ve also addressed the other review comments — they should be applied in the patch as well. tests and code structure.<br><br>Thanks!</div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Feb 26, 2026 at 9:47 AM Tatsuo Ishii &lt;<a href="mailto:ishii@postgresql.org" target="_blank">ishii@postgresql.org</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">&gt; Added some handling for possible causes - works now.<br>
<br>
Here are comments for the patch.<br>
<br>
- Some code lines are too long. We recommend to limit each source code<br>
  line up to 78 chars. You can use following script to detect too long<br>
  lines (you can ignore reports other than *.[c]) See<br>
  <a href="https://wiki.postgresql.org/wiki/Committing_checklist" rel="noreferrer" target="_blank">https://wiki.postgresql.org/wiki/Committing_checklist</a><br>
<br>
git diff origin/master | grep -E &#39;^(\+|diff)&#39; | sed &#39;s/^+//&#39; | expand -t4 | awk &quot;length &gt; 78 || /^diff/&quot;<br>
<br>
--- /dev/null<br>
+++ b/src/test/regression/tests/043.track_table_mutation_watchdog/.gitignore<br>
<br>
Please avoid to install .gitignore. .gitignore file are maintained by<br>
pgpool core developers.<br>
<br>
+++ b/src/test/regression/tests/043.track_table_mutation_watchdog/leader.conf<br>
<br>
To test watchdog, you should use the standard watchdog_setup too.<br>
<br>
+++ b/src/utils/pool_track_table_mutation.c<br>
<br>
+static inline void<br>
+query_cache_lock(void)<br>
<br>
&quot;query_cache_*&quot; is confusing since we already have query cache<br>
feature. Please use different name.<br>
<br>
+static int<br>
+track_table_mutation_get_database_oid_internal(void)<br>
+{<br>
:<br>
:<br>
+       /* Ensure we have a valid query context */<br>
+       if (session_context-&gt;query_context == NULL)<br>
+               return oid;<br>
<br>
Why does this need? The query context is not used in this function.<br>
<br>
+/* ----------------<br>
+ * Public API implementation<br>
+ * ----------------<br>
+ */<br>
<br>
Please add a comments on what these function do.<br>
<br>
+Size<br>
+pool_track_table_mutation_shmem_size(void)<br>
<br>
+void<br>
+pool_track_table_mutation_init(void)<br>
<br>
+void<br>
+pool_track_table_mutation_child_init(void)<br>
<br>
+bool<br>
+pool_track_table_mutation_in_cold_start(void)<br>
<br>
+void<br>
+pool_track_table_mutation_trigger_global_cold_start(void)<br>
<br>
+bool<br>
+pool_track_table_mutation_table_is_stale(int table_oid, int dboid)<br>
<br>
__sync_fetch_and_add are old functions.  I recommend to replace with<br>
ordinary statements using semaphore to protect the critical region.<br>
<br>
+               __sync_fetch_and_add(&amp;track_table_mutation_shmem-&gt;state.stats_queries_checked, 1);<br>
<br>
Please add a comments on what these function do.<br>
<br>
+pool_track_table_mutation_mark_tables_written(const int *table_oids, int num_tables, int dboid)<br>
<br>
+void<br>
+pool_track_table_mutation_update_ttl(uint64 delay_us)<br>
<br>
+bool<br>
+pool_track_table_mutation_get_cached_parse(uint64 hash, bool *is_write,<br>
<br>
+void<br>
+pool_track_table_mutation_cache_parse(uint64 hash, bool is_write,<br>
+                                                       const char table_names[][TRACK_TABLE_MUTATION_TABLE_NAME_LEN],<br>
+                                                       int num_tables)<br>
<br>
+uint64<br>
+pool_track_table_mutation_normalize_and_hash(const char *query)<br>
<br>
Best regards,<br>
--<br>
Tatsuo Ishii<br>
SRA OSS K.K.<br>
English: <a href="http://www.sraoss.co.jp/index_en/" rel="noreferrer" target="_blank">http://www.sraoss.co.jp/index_en/</a><br>
Japanese:<a href="http://www.sraoss.co.jp" rel="noreferrer" target="_blank">http://www.sraoss.co.jp</a><br>
</blockquote></div><div><br clear="all"></div><div><br></div><span class="gmail_signature_prefix">-- </span><br><div dir="rtl" class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div dir="rtl"><div dir="ltr"><font color="#000000">Nadav Shatz</font></div><div dir="ltr"><font color="#000000">Tailor Brands | CTO</font></div></div></div></div></div></div>
