Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1ulXDN-002Hvy-EA for pgsql-hackers@arkaria.postgresql.org; Mon, 11 Aug 2025 18:25:45 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1ulXDL-002z1Y-Pj for pgsql-hackers@arkaria.postgresql.org; Mon, 11 Aug 2025 18:25:44 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1ulXDL-002z1Q-GX for pgsql-hackers@lists.postgresql.org; Mon, 11 Aug 2025 18:25:43 +0000 Received: from mail-ej1-x631.google.com ([2a00:1450:4864:20::631]) by magus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.96) (envelope-from ) id 1ulXDJ-00049e-0g for pgsql-hackers@lists.postgresql.org; Mon, 11 Aug 2025 18:25:43 +0000 Received: by mail-ej1-x631.google.com with SMTP id a640c23a62f3a-af937728c3eso888609766b.0 for ; Mon, 11 Aug 2025 11:25:40 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1754936738; x=1755541538; darn=lists.postgresql.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=DHdMlBrsNJaDo0Z7PVQVLvwhUv2Ou+DtUp5oP7G5irE=; b=MLwmP0GEPKwQTJ1FUblPMDGPwv/7t7mKo693J5QK+mPIYDGriQNpxTXDH4JHn+9aFK oM7sAerCPAhCB546vSP7q1XnyYsOkUBNDaNNvAx80n354knZ1RHfALUsp563kOVtUt6n oN+r9f1usLOl2YdkmS7hff/sZ+KPCq51ReaeLgcIuSF4im/+zHSBtzznQYmxoWaCJCZZ z09QcW8TgEB/cNgjsh5CoxiWIxP+gN8nfzRDETfUy0Pd2HpRFYfftqV13dd6xg5JVr8g UeHQQGCv2jz+r8uPE6GOAchYfoLe4PAEri7EgkBR1Hl9S6gtkgOu5JKvEwrzk8syHNT5 aDxg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1754936738; x=1755541538; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=DHdMlBrsNJaDo0Z7PVQVLvwhUv2Ou+DtUp5oP7G5irE=; b=wStsdnpeIA7sny2F7uLYSKN9uNmFHDQRxoGupL3XiY8jRl9n9CYhm8Rg6uf8n9b2ev Jq9le7Y6LynGJJYVKnAE9QiniNY4vE8qLkufVpVOEWsif+maOrtxXtCrQ+LOKes+ROvO 4CTYFgUMafycu9vyu6gMi0JV5PZSNPwbBaKVreKpHTMFrczwjPdyPHFVzLsE9jHbtcoP PMCKJYyEINRRQAVs8metq3Su7q/249fgTNlhbK6CeNtXsw7A5KlwiPPcICWTaLBC3VLs ESdy1WlwJN36Yu43TR25UwsXtlXk/oj1Ohwgnsu4I5qzvAQiZSX5or7gA/r4P6TkN9Xk chjA== X-Forwarded-Encrypted: i=1; AJvYcCXx4CQlVCQiugB360Ts1Rj1PuIijGncxm6PncfjUUawoPFBi2AueTxVz/wFU89h0Zzom3wT1nm1zsFO2Nvt@lists.postgresql.org X-Gm-Message-State: AOJu0YyFznlGDmdw6cED2jXIoaNHLo7wmBxCTQIahlcYKrykScM5fkYQ loVSIoDGLt6Q7VrBz0OR/cqsBKq03OMmz9puv8xLLH/pf1cWq8cSjRSSSEtv59tz4NXx0u5FwoI /+GOoT4kEbUtPmguBwqpDAvSuCivbWf8= X-Gm-Gg: ASbGnct955yJJZYYzbMKr2vZB1srP/ELwZ+vvXuOjbTcz5jaCFr9+2tQAYTBJvIrzJJ KD134w5ME43mRF4jUXAOp5J0WcDO3tHODFc17Lo7jB4OkXrSsCYmn2FiuuvAaXcVp/FKVVKtFbL 1TpgNO6I7narcAL7PqZ1QPe1TdhDg43+Ytrb/88W821N2y2SIaL6zXifDNQWu/giPAzzMdERAb8 RLp6maf X-Google-Smtp-Source: AGHT+IGwhiv9EOjd4WCu0n22cVjSTZEdW7BJoBPxyxdIOCPNXn+a47zcXIm3iL/AwIs9nSVWNEtYmccm9kb8Ts5hGms= X-Received: by 2002:a17:907:9703:b0:ad2:e08:e9e2 with SMTP id a640c23a62f3a-afa1d772c53mr55198666b.27.1754936738154; Mon, 11 Aug 2025 11:25:38 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: From: Robert Haas Date: Mon, 11 Aug 2025 14:25:25 -0400 X-Gm-Features: Ac12FXyb304l0Fbz3l5gJHll_jykS5lVEstE5yWUsLnADcSffi7PHFIbl4NtX34 Message-ID: Subject: Re: ReplicationSlotRelease() crashes when the instance is in the single user mode To: Paul A Jungwirth Cc: "Hayato Kuroda (Fujitsu)" , Amit Kapila , Michael Paquier , "David G. Johnston" , "Zhijie Hou (Fujitsu)" , Tom Lane , Bertrand Drouvot , "pgsql-hackers@lists.postgresql.org" , Mutaamba Maasha Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk On Tue, Aug 5, 2025 at 12:51=E2=80=AFPM Paul A Jungwirth wrote: > No one has replied yet, but I vote for forbidding these functions. I > can't articulate a full theory for which functions we restrict in > single-user mode, and I think we should permit as much as possible. > But any theory would weigh usefulness against risk. Here no one has > found a use-case for several years, and executing user-supplied code > in an unusual, higher-risk scenario seems like a good reason to be > cautious. Also without tests for single-user mode, I'm extra wary. If > single-user support is desired by someone, they could submit a patch. I don't feel good about the direction from which this patch is attacking the problem. The original stack trace looks like this: postgres(ExceptionalCondition+0xab)[0xb86a2a] postgres(ReplicationSlotRelease+0x5a)[0x8df10b] postgres(pg_replication_slot_advance+0x330)[0x8e46ed] ReplicationSlotRelease() is called near the end of pg_replication_slot_advance. IIUC, this means that we successfully acquired the slot and did all the work, and then failed a sanity check afterward. So, I see two possibilities: either it's not OK to acquire a replication slot in single-user mode, in which case this should have failed earlier, or it's also OK to release it, in which case this should not have failed at all. Interestingly, I see that ReplicationSlotAcquire() features a special case whose specific purpose is to allow it to work in single-user mode, which makes me rather suspect that the latter is correct. It is possible that it was intentional that acquiring works in single-user mode and dropping (other than via ReplicationSlotDropAcquired) does not, but so far I see nothing in the comments suggesting that. In any event, that inconsistency between how ReplicationSlotAcquire() works and how ReplicationSlotRelease() works seems to me to be the core thing that should be fixed here. If the selected fix also requires error checks in higher-level functions, as added by this patch, then well and good. But right now, the proposed patch isn't trying to fix the definitional inconsistency in the underlying layer at all, and is instead just installing guard rails to try to keep anyone from bumping into it. That seems like a bad direction to go -- it feels like we're blocking access to potentially-useful functionality because of an assertion failure that might just be slightly sloppy coding. --=20 Robert Haas EDB: http://www.enterprisedb.com