| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | pgsql-hackers(at)postgreSQL(dot)org |
| Subject: | SIGTERM -> elog(FATAL) -> proc_exit() is probably a bad idea |
| Date: | 2001-01-12 22:01:54 |
| Message-ID: | 21658.979336914@sss.pgh.pa.us |
| Lists: | pgsql-hackers |
I have just finished trudging through a bunch of code and trying to make
it secure against being interrupted by die() at arbitrary instants.
However, I am under no illusion that I have succeeded in making the
world safe for SIGTERM, and you shouldn't be either. There is just way
too much code that is potentially invoked during proc_exit; even if we
fixed every line of our code, there's C library code that's not under
our control. For example, malloc/free are not interrupt-safe on many
platforms, last I heard. Do you want to put START/END_CRIT_SECTION
around every memory allocation operation? I don't.

I think we'd be lots better off to abandon the notion that we can exit
directly from the SIGTERM interrupt handler, and instead treat SIGTERM
the same way we treat QueryCancel: set a flag that is inspected at
specific places where we know we are in a good state.

Comments?

regards, tom lane
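The flag-and-check design proposed above, as an added illustration (not PostgreSQL code): the SIGTERM handler only stores to a `volatile sig_atomic_t`, and the exit decision is taken by a check at a known-safe point, so an allocator call in progress is never cut short by an exit path. The names `die_handler`, `install_term_handler`, `check_for_term` and `run_work_loop`, and the `raise_term_at` hook that simulates an external SIGTERM, are assumptions of this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdlib.h>
#include <string.h>

/* Only a volatile sig_atomic_t store is guaranteed safe inside a handler. */
static volatile sig_atomic_t term_pending = 0;

/* The handler just records the request and returns: no exit, no free(). */
static void die_handler(int signo)
{
    (void) signo;
    term_pending = 1;
}

int install_term_handler(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof(sa));
    sa.sa_handler = die_handler;
    sigemptyset(&sa.sa_mask);
    return sigaction(SIGTERM, &sa, NULL);   /* 0 on success */
}

/* Stand-in for a CHECK_FOR_INTERRUPTS()-style call at a known-safe point;
 * reports (and clears) a pending termination request. */
int check_for_term(void)
{
    if (!term_pending)
        return 0;
    term_pending = 0;
    return 1;
}

/* Work loop that mallocs/frees every iteration but inspects the flag only
 * between iterations, when the heap is consistent.  Returns the number of
 * iterations completed before a request was honoured, or max_iters if none
 * arrived.  raise_term_at is a constructed hook standing in for an external SIGTERM. */
int run_work_loop(int max_iters, int raise_term_at)
{
    int i;
    for (i = 0; i < max_iters; i++) {
        char *buf;
        if (check_for_term())
            return i;                 /* exit decision made here, not in the handler */
        if ((buf = malloc(64)) == NULL)
            return -1;
        memset(buf, 0, 64);
        if (i == raise_term_at)
            raise(SIGTERM);           /* handler runs; we keep going and free() */
        free(buf);
    }
    return i;
}
```

With the signal delivered during iteration 3, the loop still completes that iteration's free() and honours the request at the next check, returning 4.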