Hi hackers,

> >> After using a patch for a while it became obvious that PANICing during
> >> termination is not a good idea. Even when we wait for synchronous
> >> replication. It generates undesired coredumps.
> >> I think in presence of SIGTERM it's reasonable to say that we cannot
> >> protect user anymore.
> >> PFA v3.

This patch, although solving a concrete and important problem, looks more like a quick workaround than an appropriate solution. Or is it just me?

Ideally, the transaction should be committed only after getting a reply from the standby. If the user cancels the transaction, it doesn't get committed anywhere. This is what people into distributed systems would expect unless stated otherwise, at least. Although I realize how complicated it is to implement, especially considering all the possible corner cases (netsplit right after getting a reply, etc).

Maybe we could come up with a less than ideal, but still sound and easy-to-understand model, which, as soon as you learned it, doesn't bring unexpected surprises to the user.

I believe at this point it's important to agree if the community is ready to accept a patch as is to make existing users suffer less and iterate afterward. Or we choose not to do it and to come up with another idea. Personally, I don't have any better ideas, thus maybe accepting Andrey's patch would be the lesser of two evils.

--
Best regards,
Aleksander Alekseev