diff options
| author | Tom Lane <tgl@sss.pgh.pa.us> | 2022-10-11 18:54:31 -0400 |
|---|---|---|
| committer | Tom Lane <tgl@sss.pgh.pa.us> | 2022-10-11 18:54:31 -0400 |
| commit | 8f98352b5ed9f1c32ad9277a83d4adf5e1055a15 (patch) | |
| tree | 58fd5ed23de09d8367eba1b57d67c62aed34762c /src/backend/executor/nodeSubplan.c | |
| parent | abc510fa2a34eba00406e9ce330b77e1d9c4ccdf (diff) | |
| download | postgresql-8f98352b5ed9f1c32ad9277a83d4adf5e1055a15.tar.gz postgresql-8f98352b5ed9f1c32ad9277a83d4adf5e1055a15.zip | |
Harden pmsignal.c against clobbered shared memory.
The postmaster is not supposed to do anything that depends
fundamentally on shared memory contents, because that creates
the risk that a backend crash that trashes shared memory will
take the postmaster down with it, preventing automatic recovery.
In commit 969d7cd43 I lost sight of this principle and coded
AssignPostmasterChildSlot() in such a way that it could fail
or even crash if the shared PMSignalState structure became
corrupted. Remarkably, we've not seen field reports of such
crashes; but I managed to induce one while testing the recent
changes around palloc chunk headers.
To fix, make a semi-duplicative state array inside the postmaster
so that we need consult only local state while choosing a "child
slot" for a new backend. Ensure that other postmaster-executed
routines in pmsignal.c don't have critical dependencies on the
shared state, either. Corruption of PMSignalState might now
lead ReleasePostmasterChildSlot() to conclude that backend X
failed, when actually backend Y was the one that trashed things.
But that doesn't matter, because we'll force a cluster-wide reset
regardless.
Back-patch to all supported branches, since this is an old bug.
Discussion: https://postgr.es/m/3436789.1665187055@sss.pgh.pa.us
Diffstat (limited to 'src/backend/executor/nodeSubplan.c')
0 files changed, 0 insertions, 0 deletions