Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1kG6bZ-0006pn-4y for pgsql-hackers@arkaria.postgresql.org; Wed, 09 Sep 2020 20:22:09 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.92) (envelope-from ) id 1kG6bX-0000e0-CO for pgsql-hackers@arkaria.postgresql.org; Wed, 09 Sep 2020 20:22:07 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1kG6bX-0000ds-5g for pgsql-hackers@lists.postgresql.org; Wed, 09 Sep 2020 20:22:07 +0000 Received: from out4-smtp.messagingengine.com ([66.111.4.28]) by magus.postgresql.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1kG6bU-0002Yw-QG for pgsql-hackers@lists.postgresql.org; Wed, 09 Sep 2020 20:22:06 +0000 Received: from compute3.internal (compute3.nyi.internal [10.202.2.43]) by mailout.nyi.internal (Postfix) with ESMTP id 1F6575C00CE; Wed, 9 Sep 2020 16:22:03 -0400 (EDT) Received: from mailfrontend1 ([10.202.2.162]) by compute3.internal (MEProxy); Wed, 09 Sep 2020 16:22:03 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=anarazel.de; h= date:from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to; s=fm2; bh=n+iQeHz0ac3hs0kkCBSgASQ5HeK Ziwig+OzO6LQZmYk=; b=LuJ5ijQzil0lHccAeP6YHm3mc5AleDhbwj8aR1onlLA ge8/RjiFac6yTfPyFtlKb/9ze21ssvxXU8wWWwhPHFI+AAAQZgfpzXESw4A/JKsd JTw5roGXIuu/J/QsnClm2neAyVYPnv7deMcMAliI2yNegUoy/QmW3FRJ0vH1/s2U 46k0beAaz3rgZTm+AMsMJeT+OUAtvSwR9Dt/W1hi0CgoJ+KQPqk3pzfpG6hkqj5g 2QBfIprkrGaiIFxwStv4U708Dgs0/msf/PkYrJU7WQ4IB+LecnkCxcUBMKVrFv7H mVaT/oRSTyDzFMIGhzyPD3lag+6OZrAQ9QtLYv0Lltg== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm3; bh=n+iQeH z0ac3hs0kkCBSgASQ5HeKZiwig+OzO6LQZmYk=; b=SZtscvsD2P75NwwrIzDhcK /8iN8Y7fTnp/kioDylZHKvmaCuVb20YCHPQw3SJ/2bDjnGp6PioaZtnBjZcPISsF hQmmEv8rxMUaNsAQdIL3TLgkvQAGQT2IPVnPMgwglc+J7fGXMEj1612vsyZybt0D DlUxefJMDYAxL2kTlSaxqnLWdOywj+qL1L8DFOpgqsffYdkMDN0iIpbN1n2DwmB6 oHPQxGNHk1P+fBMq20NbWzyE6O2IioL4eRkstyhu2QrLKOKE/uV1dmbJEqaCHoN8 rFqlovc+YzvSH1Z16LDKWE0qXLwCa3+a1BTwyyk/xRDdGWu+kaOcMCqZcsqfIoMA == X-ME-Sender: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduiedrudehhedgudeghecutefuodetggdotefrod ftvfcurfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfgh necuuegrihhlohhuthemuceftddtnecunecujfgurhepfffhvffukfhfgggtuggjsehttd ertddttddvnecuhfhrohhmpeetnhgurhgvshcuhfhrvghunhguuceorghnughrvghssegr nhgrrhgriigvlhdruggvqeenucggtffrrghtthgvrhhnpedukefhkeelueegveetheelff ffjeegleeuudelfeefuedtleffueejfffhueffudenucfkphepieejrdduiedtrddvudej rddvhedtnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehmrghilhhfrhhomh eprghnughrvghssegrnhgrrhgriigvlhdruggv X-ME-Proxy: Received: from intern.anarazel.de (c-67-160-217-250.hsd1.ca.comcast.net [67.160.217.250]) by mail.messagingengine.com (Postfix) with ESMTPA id B90E63280060; Wed, 9 Sep 2020 16:22:02 -0400 (EDT) Date: Wed, 9 Sep 2020 13:22:01 -0700 From: Andres Freund To: Tom Lane Cc: pgsql-hackers@lists.postgresql.org Subject: Re: SIGQUIT handling, redux Message-ID: <20200909202201.unpjmshshu7sge6i@alap3.anarazel.de> References: <1850884.1599601164@sss.pgh.pa.us> <20200909192620.dylomoxknmt6rdb3@alap3.anarazel.de> <110116.1599682140@sss.pgh.pa.us> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <110116.1599682140@sss.pgh.pa.us> List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Precedence: bulk Hi, On 2020-09-09 16:09:00 -0400, Tom Lane wrote: > Andres Freund writes: > > I wish startup_die() weren't named startup_ - every single time I see > > the name I think it's about the startup process... > > We could call it startup_packet_die or something? Yea, I think that'd be good. > > I think StartupPacketTimeoutHandler is another case? > > Yeah. Although it's a lot less risky, since if the timeout is reached > we're almost certainly waiting for client input. An adversary could control that to a significant degree - but ordinarily I agree... > >> In passing, it's worth noting that startup_die() isn't really much safer > >> for SIGTERM than it is for SIGQUIT; the only argument for distinguishing > >> those is that code that applies BlockSig will at least manage to block the > >> former. > > > Which is pretty unconvincing... > > Agreed, it'd be nice if this were less shaky. On the other hand, > we've seen darn few complaints traceable to this AFAIR. I'm not > really sure it's worth putting a lot of effort into. Not sure how many would plausibly reach us though. A common reaction will likely just to be to force-restart the server, not to fully investigate the issue. Particularly because it'll often be once something already has gone wrong... > >> I don't want to give up trying to send a message to the client. > > > That still doesn't make much sense to me. The potential for hanging > > (e.g. inside malloc) is so much worse than not sending a message... > > We see backends going through this code on a very regular basis in the > buildfarm, but complete hangs are rare as can be. I think you > overestimate the severity of the problem. I don't think the BF exercises the problmetic paths to a significant degree. It's mostly local socket connections, and where not it's localhost. There's no slow DNS, no more complicated authentication methods, no packet loss. How often do we ever actually end up even getting close to any of the paths but immediate shutdowns? And in the SIGQUIT path, how often do we end up in the SIGKILL path, masking potential deadlocks? > > I only had one coffee so far (and it looks like the sun has died > > outside), so maybe I'm just slow: But, uh, we don't currently send a > > message startup_die(), right? > > So that part is about quickdie()? > > Right. Note that startup_die() is pre-authentication, so I'm doubtful > that we should tell the would-be client anything about the state of > the server at that point, even ignoring these risk factors. (I'm a > bit inclined to remove the comment suggesting that'd be desirable.) Yea, I think just putting in an editorialized version of your paragraph would make sense. Greetings, Andres Freund