| From: | Amit Kapila <amit(dot)kapila16(at)gmail(dot)com> |
|---|---|
| To: | Noah Misch <noah(at)leadboat(dot)com> |
| Cc: | pgsql-hackers <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: ERROR during end-of-xact/FATAL |
| Date: | 2013-11-10 05:12:52 |
| Message-ID: | CAA4eK1JFY=T6k8Lnf-ZR2AGvXLaFdFmyTMemUoRm+_s56P7mcA@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Sat, Nov 9, 2013 at 2:43 AM, Noah Misch <noah(at)leadboat(dot)com> wrote:
> On Wed, Nov 06, 2013 at 10:14:53AM +0530, Amit Kapila wrote:
>> On Thu, Oct 31, 2013 at 8:22 PM, Noah Misch <noah(at)leadboat(dot)com> wrote:
>> About unclean FATAL-then-ERROR scenario, one way to deal at high level
>> could be to treat such a case as backend crash in which case
>> postmaster reinitialises shared memory and other stuff.
>>
>> > If we can't manage to
>> > free a shared memory resource like a lock or buffer pin, we really must PANIC.
>>
>> Can't we try to initialise the shared memory and other resources,
>> wouldn't that resolve the problem's that can occur due to scenario
>> explained by you?
>
> A PANIC will reinitialize everything relevant, largely resolving the problems
> around ERROR during FATAL. It's a heavy-handed solution, but it may well be
> the best solution. Efforts to harden CommitTransaction() and
> AbortTransaction() seem well-spent, but the additional effort to make FATAL
> exit cope where AbortTransaction() or another exit action could not cope seems
> to be slicing ever-smaller portions of additional robustness.
>
> I pondered a variant of that conclusion that distinguished critical cleanup
> needs from the rest. Each shared resource (heavyweight locks, buffer pins,
> LWLocks) would have an on_shmem_exit() callback that cleans up the resource
> under a critical section. (AtProcExit_Buffers() used to fill such a role, but
> resowner.c's work during AbortTransaction() has mostly supplanted it.) The
> ShutdownPostgres callback would not use a critical section, so lesser failures
> in AbortTransaction() would not upgrade to a PANIC. But I'm leaning against
> such a complication on the grounds that it would add seldom-tested code paths
> posing as much a chance of eroding robustness as bolstering it.
I think here PANIC is safe and less complicated solution for this
situation. Apart from this we can try to avoid palloc or other such
errors in AbortTransaction/CommitTransaction path.
With Regards,
Amit Kapila.
EnterpriseDB: http://www.enterprisedb.com
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Amit Kapila | 2013-11-10 05:41:25 | Re: PostgreSQL Service on Windows does not start. ~ "is not a valid Win32 application" |
| Previous Message | Amit Kapila | 2013-11-10 03:59:24 | Re: patch to fix unused variable warning on windows build |