Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

Commitab35b9d

Browse files
committed
Harden pmsignal.c against clobbered shared memory.
The postmaster is not supposed to do anything that dependsfundamentally on shared memory contents, because that createsthe risk that a backend crash that trashes shared memory willtake the postmaster down with it, preventing automatic recovery.In commit969d7cd I lost sight of this principle and codedAssignPostmasterChildSlot() in such a way that it could failor even crash if the shared PMSignalState structure becamecorrupted. Remarkably, we've not seen field reports of suchcrashes; but I managed to induce one while testing the recentchanges around palloc chunk headers.To fix, make a semi-duplicative state array inside the postmasterso that we need consult only local state while choosing a "childslot" for a new backend. Ensure that other postmaster-executedroutines in pmsignal.c don't have critical dependencies on theshared state, either. Corruption of PMSignalState might nowlead ReleasePostmasterChildSlot() to conclude that backend Xfailed, when actually backend Y was the one that trashed things.But that doesn't matter, because we'll force a cluster-wide resetregardless.Back-patch to all supported branches, since this is an old bug.Discussion:https://postgr.es/m/3436789.1665187055@sss.pgh.pa.us
1 parent23e2a06 commitab35b9d

File tree

1 file changed

+43
-12
lines changed

1 file changed

+43
-12
lines changed

‎src/backend/storage/ipc/pmsignal.c

Lines changed: 43 additions & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -22,6 +22,7 @@
2222
#include"replication/walsender.h"
2323
#include"storage/pmsignal.h"
2424
#include"storage/shmem.h"
25+
#include"utils/memutils.h"
2526

2627

2728
/*
@@ -65,12 +66,20 @@ struct PMSignalData
6566
sig_atomic_tPMSignalFlags[NUM_PMSIGNALS];
6667
/* per-child-process flags */
6768
intnum_child_flags;/* # of entries in PMChildFlags[] */
68-
intnext_child_flag;/* next slot to try to assign */
6969
sig_atomic_tPMChildFlags[FLEXIBLE_ARRAY_MEMBER];
7070
};
7171

72+
/* PMSignalState pointer is valid in both postmaster and child processes */
7273
NON_EXEC_STATICvolatilePMSignalData*PMSignalState=NULL;
7374

75+
/*
76+
* These static variables are valid only in the postmaster. We keep a
77+
* duplicative private array so that we can trust its state even if some
78+
* failing child has clobbered the PMSignalData struct in shared memory.
79+
*/
80+
staticintnum_child_inuse;/* # of entries in PMChildInUse[] */
81+
staticintnext_child_inuse;/* next slot to try to assign */
82+
staticbool*PMChildInUse;/* true if i'th flag slot is assigned */
7483

7584
/*
7685
* PMSignalShmemSize
@@ -102,7 +111,25 @@ PMSignalShmemInit(void)
102111
if (!found)
103112
{
104113
MemSet(PMSignalState,0,PMSignalShmemSize());
105-
PMSignalState->num_child_flags=MaxLivePostmasterChildren();
114+
num_child_inuse=MaxLivePostmasterChildren();
115+
PMSignalState->num_child_flags=num_child_inuse;
116+
117+
/*
118+
* Also allocate postmaster's private PMChildInUse[] array. We
119+
* might've already done that in a previous shared-memory creation
120+
* cycle, in which case free the old array to avoid a leak. (Do it
121+
* like this to support the possibility that MaxLivePostmasterChildren
122+
* changed.) In a standalone backend, we do not need this.
123+
*/
124+
if (PostmasterContext!=NULL)
125+
{
126+
if (PMChildInUse)
127+
pfree(PMChildInUse);
128+
PMChildInUse= (bool*)
129+
MemoryContextAllocZero(PostmasterContext,
130+
num_child_inuse*sizeof(bool));
131+
}
132+
next_child_inuse=0;
106133
}
107134
}
108135

@@ -150,21 +177,24 @@ CheckPostmasterSignal(PMSignalReason reason)
150177
int
151178
AssignPostmasterChildSlot(void)
152179
{
153-
intslot=PMSignalState->next_child_flag;
180+
intslot=next_child_inuse;
154181
intn;
155182

156183
/*
157-
* Scan for a free slot. We track the last slot assigned so as not to
158-
* waste time repeatedly rescanning low-numbered slots.
184+
* Scan for a free slot. Notice that we trust nothing about the contents
185+
* of PMSignalState, but use only postmaster-local data for this decision.
186+
* We track the last slot assigned so as not to waste time repeatedly
187+
* rescanning low-numbered slots.
159188
*/
160-
for (n=PMSignalState->num_child_flags;n>0;n--)
189+
for (n=num_child_inuse;n>0;n--)
161190
{
162191
if (--slot<0)
163-
slot=PMSignalState->num_child_flags-1;
164-
if (PMSignalState->PMChildFlags[slot]==PM_CHILD_UNUSED)
192+
slot=num_child_inuse-1;
193+
if (!PMChildInUse[slot])
165194
{
195+
PMChildInUse[slot]= true;
166196
PMSignalState->PMChildFlags[slot]=PM_CHILD_ASSIGNED;
167-
PMSignalState->next_child_flag=slot;
197+
next_child_inuse=slot;
168198
returnslot+1;
169199
}
170200
}
@@ -186,7 +216,7 @@ ReleasePostmasterChildSlot(int slot)
186216
{
187217
boolresult;
188218

189-
Assert(slot>0&&slot <=PMSignalState->num_child_flags);
219+
Assert(slot>0&&slot <=num_child_inuse);
190220
slot--;
191221

192222
/*
@@ -196,17 +226,18 @@ ReleasePostmasterChildSlot(int slot)
196226
*/
197227
result= (PMSignalState->PMChildFlags[slot]==PM_CHILD_ASSIGNED);
198228
PMSignalState->PMChildFlags[slot]=PM_CHILD_UNUSED;
229+
PMChildInUse[slot]= false;
199230
returnresult;
200231
}
201232

202233
/*
203234
* IsPostmasterChildWalSender - check if given slot is in use by a
204-
* walsender process.
235+
* walsender process. This is called only by the postmaster.
205236
*/
206237
bool
207238
IsPostmasterChildWalSender(intslot)
208239
{
209-
Assert(slot>0&&slot <=PMSignalState->num_child_flags);
240+
Assert(slot>0&&slot <=num_child_inuse);
210241
slot--;
211242

212243
if (PMSignalState->PMChildFlags[slot]==PM_CHILD_WALSENDER)

0 commit comments

Comments
 (0)
[8]ページ先頭
©2009-2025 Movatter.jp