Ignore interrupts during quickdie().

Once the administrator has called for an immediate shutdown or a backend
crash has triggered a reinitialization, no mere SIGINT or SIGTERM should
change that course.  Such derailment remains possible when the signal
arrives before quickdie() blocks signals.  That being a narrow race
affecting most PostgreSQL signal handlers in some way, leave it for
another patch.  Back-patch this to all supported versions.

diff --git a/src/backend/tcop/postgres.c b/src/backend/tcop/postgres.c
index b22ea3deb684a31858ddfb5896de022da86bbe14..382112c727c4d23e927637e15b628ce42959d088 100644 (file)
--- a/src/backend/tcop/postgres.c
+++ b/src/backend/tcop/postgres.c
@@ -2488,6 +2488,13 @@ quickdie(SIGNAL_ARGS)
 {
        PG_SETMASK(&BlockSig);
 
+       /*
+        * Prevent interrupts while exiting; though we just blocked signals that
+        * would queue new interrupts, one may have been pending.  We don't want a
+        * quickdie() downgraded to a mere query cancel.
+        */
+       HOLD_INTERRUPTS();
+
        /*
         * Ideally this should be ereport(FATAL), but then we'd not get control
         * back...