Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1wa8F0-001YKt-2W for pgsql-hackers@arkaria.postgresql.org; Thu, 18 Jun 2026 08:36:50 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.96) (envelope-from ) id 1wa8Ez-00AWvj-0x for pgsql-hackers@arkaria.postgresql.org; Thu, 18 Jun 2026 08:36:49 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1wa8Ey-00AWvb-2u for pgsql-hackers@lists.postgresql.org; Thu, 18 Jun 2026 08:36:49 +0000 Received: from mail-ed1-x532.google.com ([2a00:1450:4864:20::532]) by magus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.98.2) (envelope-from ) id 1wa8Ew-000000013wP-0cTy for pgsql-hackers@lists.postgresql.org; Thu, 18 Jun 2026 08:36:48 +0000 Received: by mail-ed1-x532.google.com with SMTP id 4fb4d7f45d1cf-695f6438518so323963a12.0 for ; Thu, 18 Jun 2026 01:36:45 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1781771805; cv=none; d=google.com; s=arc-20240605; b=iwIFH0Q7rKO3K5u1/xhUJaMszkL2PjxQmqrJZ2xgqJYw4moTBZ9OP+/DnqK/bQsa4Z EWwrQx0EDgXkTS+3TTwC+ALsEq27AAhoKAEWpOOjs4jS6u0mOu53PveIYVvhpdsffu4w fHHH7uoHcVhOYh2GddVPcQ8Rm/odYvVgAq1JYHwPjk2vZkg8uLndl634ZhWcS/+pqmbm ExVDbfB/Pc0ZGkTmFwJ+zaY0H9sg9a0xI5KTHurLbaYTgTRiKeZ+JKLoL8Y0uzfpag3v OnLV4EhfODSpq1s6gB+mKyOY+BIkRhA7KclbBxkYwA8oGUzofruqhlnckomLjPI6NOvF QQBA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=cK8BPwzNCSWatYB7U2mmNO5dMRHOBJeoSMc0/lPc2Hk=; fh=4fls8pw3Ny/L9FdlEYWmaGdOzz7+nhHRZ7TkA6vo8ac=; b=P96L4EWyPZoslovmu+OCiWNJuCW2I5W4vhiZAsFb3ZNRuYwxZbUAwsQQECndHsmZrf vz9GwoITWnsJA9Jsthrj2Go+qUrfgl194v7dz3hNpsJHT7pTOMqcO1g4CqcFGvDJYQAe PQ2YMT7TfN39Wkike3Ljc9wuS1xrCRpFNOZqZTri7tzS6wDFZ46a4xJyZmfp2LFtretK 34khe4grWQnZctR5aexpOevpzABbH0oAbqDMnGNL6Aq1gm4v/jmZUK18b15CADZhLbB1 sZ+pEBTllR7KMiU6bmVYZoSY2RGjPTWdhczIxUPfsX/K10KrBtlzWhUFCPiqQyl0moKy 23jQ==; darn=lists.postgresql.org ARC-Authentication-Results: i=1; mx.google.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1781771805; x=1782376605; darn=lists.postgresql.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=cK8BPwzNCSWatYB7U2mmNO5dMRHOBJeoSMc0/lPc2Hk=; b=LTdCOahkGkK6RAP5gmAwoXc8szCGe3amAZR2e+/upsXQDL4v8/8FtvnIHCqhN0p9yN PMLQ1ZMdmt9KSTzQRZGbcPImtS2I3RnDBTBdyXzphZKs1Bfup9tW7sXC+P1lta/MjSUs 26g9m5GjXP3dq6ZK12v6KmF/WFUcJ7FWRyUlS6frZMkA0pf15swiPbx8HorGTVFXubTE Ma4ueeXUbCMpP4x7qQ0+mRbSN1xD6927lEn9y6CXFXQuiShCD+8N9L9YLaraNZWeN5XG 192NumAmA2QrRGKeSwdgCZpvF6806cLCHEgQDjlRuOyPa6ioRMocLsxyZJrosCsAxRtN aqQQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1781771805; x=1782376605; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=cK8BPwzNCSWatYB7U2mmNO5dMRHOBJeoSMc0/lPc2Hk=; b=T2Pb0DdkFwCEz+w6lHGJalyQY8VJuQEJOIhLVraVIqC/UcSPh5s5rzaFt0/JFZAYlO PABay/Y/xpSk3BWMoWosupnf31V+3VfTLnkgAstAPn6K0QqGtzX/oECKDzJaDDj7E7Df OCHedGS+vGZdIVNNqx5KlT9T1SsXnXabvagnLRinlTxr/yt50/VPPXNpp7mdP9iM/r+i OVsw1VyQp+ziS04+pHRTVKJg5ipuvDnNLKiCPYwAkxLr8gg/kOZbPRJCrY8yuyuMCLWV QeOSx+7T8glrqU8IAw9nzbl83WsiHKhBRkzw74GKU4lS9gOKDYbLmjoyIY+206I5/PjV jS2g== X-Forwarded-Encrypted: i=1; AFNElJ+HKdMiD2iYb2CdiBK7UTmTTOIMFA2oStMEy2EaqmHEbLDzWrX76V/K07gCNJ3/8ebbuhfqug2SYMx9Gelu@lists.postgresql.org X-Gm-Message-State: AOJu0YxE9Cn6vFfqbD+0z//NUXh2nf3QyBsSX8tZtt75EJNgaEUUczr+ kZgJpYPXBOBr9baMbEGP4KaHi4VIVFeQAda9EGlagsb4YAzYbeN80zOcoEn3c5uBQQ4kCNPNiYn poIo4xBspBgTGcHjMlwMLcQR+RY2kHE0= X-Gm-Gg: AfdE7cmbicg9AV9Tjnzxw9o2z4nI/umvjrFdER0ghJHymuHna1sAjl3rBLAaaYEeQh1 wSyb4hSZQdh5uw6KgFUmBgVtZk4+IF2dtydTbXaXaT14IMKvlhDWD0M3/9Pbp5965BfcuIcC4nE d6V/XmWWL3hXobk88kGiPrYGBFX/kVCAQoDVpjxc8vQjBZCthVb86SnQWweeN56GlrychaINlOk W/y1xL/u+70lDMPaUBxmMtdXdPZp+1oYeUNymsk74ZMJX101PQn2RtA4Aog1LN/YCkEhyMXRZXq 9jm3ndCpTEk0zfrSzLKB25UpOijvdxiqtiLOsEl9tRF+kmEQSOYMPo+p0wwTVD2jAVu6fbaX3Mf iBsNKdGyByo2PlAJACUxCK4kVlUI= X-Received: by 2002:a17:906:ee8b:b0:c05:7524:884d with SMTP id a640c23a62f3a-c05a73aeffemr466145766b.37.1781771804308; Thu, 18 Jun 2026 01:36:44 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: From: Xuneng Zhou Date: Thu, 18 Jun 2026 16:36:32 +0800 X-Gm-Features: AVVi8CfDpx1qxsVa8BB5iL4vNvrKOOngbPo-eed-dwR7pv2P7_Ms0pZTbrK-MpM Message-ID: Subject: Re: Fix race in ReplicationSlotRelease for ephemeral slots To: Amit Kapila Cc: Fujii Masao , "Zhijie Hou (Fujitsu)" , Srinath Reddy Sadipiralla , PostgreSQL Hackers Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk On Thu, Jun 18, 2026 at 11:20=E2=80=AFAM Amit Kapila wrote: > > On Wed, Jun 17, 2026 at 12:59=E2=80=AFPM Xuneng Zhou wrote: > > > > On Tue, Jun 16, 2026 at 8:46=E2=80=AFPM Fujii Masao wrote: > > > > > > On Fri, Jun 12, 2026 at 7:54=E2=80=AFPM Amit Kapila wrote: > > > > I feel even if there is an argument to do such a refactoring, it ca= n > > > > be done separately. We can push forward with 0001 and then do more > > > > discussion for 0002, if required. I can take care of 0001 unless > > > > Fujii-San wishes to take care of it? > > > > > > Yeah, please feel free to work on 0001. > > > > > > Regarding 0002, since the race is very rare and non-fatal, I'm okay > > > with accepting the risk rather than adding more refactoring just to > > > avoid it. > > > > > > I'm a bit tempted to add a source comment explaining the risk and > > > why we accept it, though, so other developers can understand > > > the tradeoff. For example: > > > > > > diff --git a/src/backend/replication/logical/slotsync.c > > > b/src/backend/replication/logical/slotsync.c > > > index 05637344363..ca49f20e7d9 100644 > > > --- a/src/backend/replication/logical/slotsync.c > > > +++ b/src/backend/replication/logical/slotsync.c > > > @@ -560,6 +560,12 @@ drop_local_obsolete_slots(List *remote_slot_list= ) > > > * the same shared memory as that of > > > 'local_slot'. Thus check if > > > * local_slot is still the synced one before > > > performing the actual > > > * drop. > > > + * > > > + * Because local_slot still points to a > > > reusable slot-array entry, > > > + * fields such as name or database OID could > > > already be stale here. > > > + * That could cause an incorrect cleanup > > > decision for this cycle or > > > + * briefly lock an unrelated database. We > > > accept that risk because > > > + * this race is rare and non-fatal. > > > */ > > > SpinLockAcquire(&local_slot->mutex); > > > synced_slot =3D local_slot->in_use && > > > local_slot->data.synced; > > > > Thanks for suggesting the comment! It helps to clarify the situation > > and the trade-off we made here. I tweaked it a bit and added it to the > > patches prepared by Zhijie. > > > > + * > + * We cannot close this window by holding > + * ReplicationSlotControlLock while taking the database lock, > + * because the database-drop path holds the database lock and then > + * scans replication slots. > > The database-drop path acquires ReplicationSlotControlLock in shared > mode, so not sure if the above is completely correct, here you are > going in the direction of trying to defend that no easy solution > exists which needs more thought. I agree that this phrasing could be misleading. The dangerous part is in the later actual slot drop. Eventually the database-drop path needs ReplicationSlotControlLock in exclusive mode to set slot->in_use =3D false. If the slotsync holds ReplicationSlotControlLock in shared mode while it tries to take DB AccessShareLock. Then this would lead to a deadlock. On second thought, I=E2=80=99m inclined not to add a comment explaining the constraint here, since it would be difficult to do so concisely and it's not directly related to the issue. > Fujii-San's proposal was better but > there also we may need to be a bit more specific about "That could > cause an incorrect cleanup decision ...", otherwise, it makes the > comment unclear. OK, how about elaborate it a bit like this: /* * In the small window between getting the slot to drop and * locking the database, there is a possibility of a parallel * database drop by the startup process and the creation of a new * slot by the user. This new user-created slot may end up using * the same shared memory as that of 'local_slot'. * * If that happens, local_slot now describes the replacement slot: * local_sync_slot_required() may have made its drop decision using * the replacement slot's name or invalidation state, and slot_database * may refer to the replacement slot's database. Thus check if * local_slot is still a synced slot before performing the actual drop. * This does not prove it is the original slot, but it prevents dropping * an ordinary user-created replacement slot, and the copied database OID * keeps lock/unlock symmetric. The remaining risk is limited to this * cleanup cycle, such as briefly holding an unrelated database lock, and * is acceptable here because this race is rare. */ > I am planning to commit and backpatch the fix for the first problem > based on what Hou-San has shared (v2-*), then we can discuss how to > improve the existing comments and if we agree on something, that can > be a HEAD-only patch. Thanks! -- Regards, Xuneng Zhou HighGo Software Co., Ltd.