diff options
| author | Tom Lane <tgl@sss.pgh.pa.us> | 2015-07-09 13:22:23 -0400 |
|---|---|---|
| committer | Tom Lane <tgl@sss.pgh.pa.us> | 2015-07-09 13:22:23 -0400 |
| commit | da1e7eb72ef6748f6c8b379e1ceacbecbcab9976 (patch) | |
| tree | 69ef6b2a9c1fd3e88b18b8799e874e21cb1b0613 /src/backend/executor/nodeRecursiveunion.c | |
| parent | f0357edeb32adf735ad22620d0b4bd4ba088457c (diff) | |
| download | postgresql-da1e7eb72ef6748f6c8b379e1ceacbecbcab9976.tar.gz postgresql-da1e7eb72ef6748f6c8b379e1ceacbecbcab9976.zip | |
Fix postmaster's handling of a startup-process crash.
Ordinarily, a failure (unexpected exit status) of the startup subprocess
should be considered fatal, so the postmaster should just close up shop
and quit. However, if we sent the startup process a SIGQUIT or SIGKILL
signal, the failure is hardly "unexpected", and we should attempt restart;
this is necessary for recovery from ordinary backend crashes in hot-standby
scenarios. I attempted to implement the latter rule with a two-line patch
in commit 442231d7f71764b8c628044e7ce2225f9aa43b67, but it now emerges that
that patch was a few bricks shy of a load: it failed to distinguish the
case of a signaled startup process from the case where the new startup
process crashes before reaching database consistency. That resulted in
infinitely respawning a new startup process only to have it crash again.
To handle this properly, we really must track whether we have sent the
*current* startup process a kill signal. Rather than add yet another
ad-hoc boolean to the postmaster's state, I chose to unify this with the
existing RecoveryError flag into an enum tracking the startup process's
state. That seems more consistent with the postmaster's general state
machine design.
Back-patch to 9.0, like the previous patch.
Diffstat (limited to 'src/backend/executor/nodeRecursiveunion.c')
0 files changed, 0 insertions, 0 deletions