diff options
| author | Heikki Linnakangas <heikki.linnakangas@iki.fi> | 2018-08-08 19:08:10 +0300 |
|---|---|---|
| committer | Heikki Linnakangas <heikki.linnakangas@iki.fi> | 2018-08-08 19:10:35 +0300 |
| commit | 79f17d45e82f3648c2459b8128ab4d516fb7640a (patch) | |
| tree | 409f59cb2a151a042068477536ef6a6098ad3f62 /src/backend/postmaster/checkpointer.c | |
| parent | a3deecb1c9af1e3d210a321401e40f22db859290 (diff) | |
| download | postgresql-79f17d45e82f3648c2459b8128ab4d516fb7640a.tar.gz postgresql-79f17d45e82f3648c2459b8128ab4d516fb7640a.zip | |
Don't run atexit callbacks in quickdie signal handlers.
exit() is not async-signal safe. Even if the libc implementation is, 3rd
party libraries might have installed unsafe atexit() callbacks. After
receiving SIGQUIT, we really just want to exit as quickly as possible, so
we don't really want to run the atexit() callbacks anyway.
The original report by Jimmy Yih was a self-deadlock in startup_die().
However, this patch doesn't address that scenario; the signal handling
while waiting for the startup packet is more complicated. But at least this
alleviates similar problems in the SIGQUIT handlers, like that reported
by Asim R P later in the same thread.
Backpatch to 9.3 (all supported versions).
Discussion: https://www.postgresql.org/message-id/CAOMx_OAuRUHiAuCg2YgicZLzPVv5d9_H4KrL_OFsFP%3DVPekigA%40mail.gmail.com
Diffstat (limited to 'src/backend/postmaster/checkpointer.c')
| -rw-r--r-- | src/backend/postmaster/checkpointer.c | 24 |
1 files changed, 9 insertions, 15 deletions
diff --git a/src/backend/postmaster/checkpointer.c b/src/backend/postmaster/checkpointer.c index 0950ada6019..b54448017d6 100644 --- a/src/backend/postmaster/checkpointer.c +++ b/src/backend/postmaster/checkpointer.c @@ -823,27 +823,21 @@ IsCheckpointOnSchedule(double progress) static void chkpt_quickdie(SIGNAL_ARGS) { - PG_SETMASK(&BlockSig); - /* - * We DO NOT want to run proc_exit() callbacks -- we're here because - * shared memory may be corrupted, so we don't want to try to clean up our - * transaction. Just nail the windows shut and get out of town. Now that - * there's an atexit callback to prevent third-party code from breaking - * things by calling exit() directly, we have to reset the callbacks - * explicitly to make this work as intended. - */ - on_exit_reset(); - - /* - * Note we do exit(2) not exit(0). This is to force the postmaster into a - * system reset cycle if some idiot DBA sends a manual SIGQUIT to a random + * We DO NOT want to run proc_exit() or atexit() callbacks -- we're here + * because shared memory may be corrupted, so we don't want to try to + * clean up our transaction. Just nail the windows shut and get out of + * town. The callbacks wouldn't be safe to run from a signal handler, + * anyway. + * + * Note we do _exit(2) not _exit(0). This is to force the postmaster into + * a system reset cycle if someone sends a manual SIGQUIT to a random * backend. This is necessary precisely because we don't clean up our * shared memory state. (The "dead man switch" mechanism in pmsignal.c * should ensure the postmaster sees this as a crash, too, but no harm in * being doubly sure.) */ - exit(2); + _exit(2); } /* SIGHUP: set flag to re-read config file at next convenient time */ |