On Tue, Jan 19, 2021 at 12:50 PM Tom Lane <t...@sss.pgh.pa.us> wrote: > The thing that is scaring me the most is the "broadcast" aspect. > For starters, I think that that is going to be useless in the > field because of the likelihood that different backends' stack > traces will get interleaved in whatever log file the traces are > going to. Also, having hundreds of processes spitting dozens of > lines to the same place at the same time is going to expose any > little weaknesses in your logging arrangements, such as rsyslog's > tendency to drop messages under load.
+1. I don't think broadcast is a good idea. > I think it's got security hazards as well. If we restricted the > feature to cause a trace of only one process at a time, and required > that process to be logged in as the same database user as the > requestor (or at least someone with the privs of that user, such > as a superuser), that'd be less of an issue. I am not sure I see a security hazard here. I think the checks for this should have the same structure as pg_terminate_backend() and pg_cancel_backend(); whatever is required there should be required here, too, but not more, unless we have a real clear reason for such an inconsistency. > Beyond that, well, maybe it's all right. In theory anyplace that > there's a CHECK_FOR_INTERRUPTS should be okay to call elog from; > but it's completely untested whether we can do that and then > continue, as opposed to aborting the transaction or whole session. I guess that's a theoretical risk but it doesn't seem very likely. And, if we do have such a problem, I think that'd probably be a case of bad code that we would want to fix either way. > I share your estimate that there'll be small-fraction-of-a-percent > hazards that could still add up to dangerous instability if people > go wild with this. Right. I was more concerned about whether we could, for example, crash while inside the function that generates the backtrace, on some platforms or in some scenarios. That would be super-sad. I assume that the people who wrote the code tried to make sure that didn't happen but I don't really know what's reasonable to expect. -- Robert Haas EDB: http://www.enterprisedb.com