Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1kGPsb-0007ms-SB for pgsql-hackers@arkaria.postgresql.org; Thu, 10 Sep 2020 16:57:01 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.92) (envelope-from ) id 1kGPsa-00082f-Qq for pgsql-hackers@arkaria.postgresql.org; Thu, 10 Sep 2020 16:57:00 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1kGPsa-00082Y-K8 for pgsql-hackers@lists.postgresql.org; Thu, 10 Sep 2020 16:57:00 +0000 Received: from sss.pgh.pa.us ([66.207.139.130]) by magus.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1kGPsX-0005Kw-Sl for pgsql-hackers@lists.postgresql.org; Thu, 10 Sep 2020 16:57:00 +0000 Received: from sss1.sss.pgh.pa.us (localhost [127.0.0.1]) by sss.pgh.pa.us (8.15.2/8.15.2) with ESMTP id 08AGut0W251831; Thu, 10 Sep 2020 12:56:55 -0400 From: Tom Lane To: Robert Haas cc: PostgreSQL Hackers Subject: Re: SIGQUIT handling, redux In-reply-to: References: <1850884.1599601164@sss.pgh.pa.us> <148145.1599703626@sss.pgh.pa.us> Comments: In-reply-to Robert Haas message dated "Thu, 10 Sep 2020 10:36:23 -0400" MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-ID: <251829.1599757015.1@sss.pgh.pa.us> Date: Thu, 10 Sep 2020 12:56:55 -0400 Message-ID: <251830.1599757015@sss.pgh.pa.us> List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Precedence: bulk Robert Haas writes: > On Wed, Sep 9, 2020 at 10:07 PM Tom Lane wrote: >> bgworker_die (SIGTERM) >> Calls ereport(FATAL). This is surely not any safer than, say, >> quickdie(). No, it's worse, because at least that won't try >> to go out via proc_exit(). > I think bgworker_die() is pretty much a terrible idea. Yeah. It'd likely be better to insist that bgworkers handle SIGTERM the same way backends do, via CHECK_FOR_INTERRUPTS. Not sure how big a change that would be. > I think that the only way this could actually > be safe is if you have a background worker that never uses ereport() > itself, so that the ereport() in the signal handler can't be > interrupting one that's already happening. That doesn't begin to make it safe, because quite aside from anything that happens in elog.c, we're then going to go out via proc_exit() which will invoke who knows what. >> StandbyDeadLockHandler (from SIGALRM) >> StandbyTimeoutHandler (ditto) >> Calls CancelDBBackends, which just for starters tries to acquire >> an LWLock. I think the only reason we've gotten away with this >> for this long is the high probability that by the time either >> timeout fires, we're going to be blocked on a semaphore. > Yeah, I'm not sure these are so bad. In fact, in the deadlock case, I > believe the old coding was designed to make sure we *had to* be > blocked on a semaphore, but I'm not sure whether that's still true. Looking at this closer, the only code that could get interrupted by these timeouts is a call to ProcWaitForSignal, which is void ProcWaitForSignal(uint32 wait_event_info) { (void) WaitLatch(MyLatch, WL_LATCH_SET | WL_EXIT_ON_PM_DEATH, 0, wait_event_info); ResetLatch(MyLatch); CHECK_FOR_INTERRUPTS(); } Interrupting the latch operations might be safe enough, although now I'm casting a side-eye at Munro's recent changes to share WaitEvent state all over the place. I wonder whether blocking on an LWLock inside the signal handler will break an interrupted WaitLatch. Also, man that CHECK_FOR_INTERRUPTS() looks like trouble. Could we take that out? regards, tom lane