granicus.if.org Git - postgresql/commit

author	Alvaro Herrera <alvherre@alvh.no-ip.org>
	Fri, 28 Jun 2013 21:20:53 +0000 (17:20 -0400)
committer	Alvaro Herrera <alvherre@alvh.no-ip.org>
	Fri, 28 Jun 2013 21:49:46 +0000 (17:49 -0400)
commit	82233ce7ea42d6ba519aaec63008aff49da6c7af
tree	ccc35e8eec335f908d75b3b181a339548ea64bb2	tree \| snapshot
parent	457d6cf049c57cabe9b46ea13f26138040a214ec	commit \| diff

Send SIGKILL to children if they don't die quickly in immediate shutdown

On immediate shutdown, or during a restart-after-crash sequence,
postmaster used to send SIGQUIT (and then abandon ship if shutdown); but
this is not a good strategy if backends don't die because of that
signal.  (This might happen, for example, if a backend gets tangled
trying to malloc() due to gettext(), as in an example illustrated by
MauMau.)  This causes problems when later trying to restart the server,
because some processes are still attached to the shared memory segment.

Instead of just abandoning such backends to their fates, we now have
postmaster hang around for a little while longer, send a SIGKILL after
some reasonable waiting period, and then exit.  This makes immediate
shutdown more reliable.

There is disagreement on whether it's best for postmaster to exit after
sending SIGKILL, or to stick around until all children have reported
death.  If this controversy is resolved differently than what this patch
implements, it's an easy change to make.

Bug reported by MauMau in message 20DAEA8949EC4E2289C6E8E58560DEC0@maumau

MauMau and Álvaro Herrera

doc/src/sgml/runtime.sgml		diff \| blob \| history
src/backend/postmaster/postmaster.c		diff \| blob \| history
src/port/kill.c		diff \| blob \| history