Hi, On 2018-07-19 16:16:31 -0400, Tom Lane wrote: > Nico Williams <n...@cryptonector.com> writes: > > I dunno if it is or isn't helpful. But I do know that this must be done > > in an async-signal-safe way. > > I haven't actually heard a convincing reason why that's true. As per > the previous discussion, if we happen to service the SIGQUIT at an > unfortunate moment, we might get a deadlock or crash in the backend > process, and thereby fail to send the message.
That crash could very well be exploitable. Corrupting internal management state is far from guaranteed to only deadlock or crash cleanly. > But we're no worse off in such cases than if we'd not tried to send it > at all. The only likely penalty is that, in the deadlock case, a few > seconds will elapse before the postmaster runs out of patience and > sends SIGKILL. Which for deterministic failover *IS* a problem. Greetings, Andres Freund