NotificationsYou must be signed in to change notification settings
Fork6
Star31

Commit9c39d7a

committed

Fix postmaster's handling of a startup-process crash.

Ordinarily, a failure (unexpected exit status) of the startup subprocessshould be considered fatal, so the postmaster should just close up shopand quit. However, if we sent the startup process a SIGQUIT or SIGKILLsignal, the failure is hardly "unexpected", and we should attempt restart;this is necessary for recovery from ordinary backend crashes in hot-standbyscenarios. I attempted to implement the latter rule with a two-line patchin commit442231d, but it now emerges thatthat patch was a few bricks shy of a load: it failed to distinguish thecase of a signaled startup process from the case where the new startupprocess crashes before reaching database consistency. That resulted ininfinitely respawning a new startup process only to have it crash again.To handle this properly, we really must track whether we have sent the*current* startup process a kill signal. Rather than add yet anotherad-hoc boolean to the postmaster's state, I chose to unify this with theexisting RecoveryError flag into an enum tracking the startup process'sstate. That seems more consistent with the postmaster's general statemachine design.Back-patch to 9.0, like the previous patch.

1 parent6327730 commit9c39d7aCopy full SHA for 9c39d7a

File tree

1 file changed

+33

-14

lines changed

src/backend/postmaster
- postmaster.c

1 file changed

+33

-14

lines changed

`‎src/backend/postmaster/postmaster.c`

Lines changed: 33 additions & 14 deletions

Original file line number	Diff line number	Diff line change
`@@ -275,6 +275,17 @@ static pid_t StartupPID = 0,`
`275`	`275`	`PgStatPID=0,`
`276`	`276`	`SysLoggerPID=0;`
`277`	`277`
	`278`	`+/* Startup process's status */`
	`279`	`+typedefenum`
	`280`	`+{`
	`281`	`+STARTUP_NOT_RUNNING,`
	`282`	`+STARTUP_RUNNING,`
	`283`	`+STARTUP_SIGNALED,/* we sent it a SIGQUIT or SIGKILL */`
	`284`	`+STARTUP_CRASHED`
	`285`	`+}StartupStatusEnum;`
	`286`	`+`
	`287`	`+staticStartupStatusEnumStartupStatus=STARTUP_NOT_RUNNING;`
	`288`	`+`
`278`	`289`	`/* Startup/shutdown state */`
`279`	`290`	`#defineNoShutdown0`
`280`	`291`	`#defineSmartShutdown1`
`@@ -283,7 +294,6 @@ static pid_t StartupPID = 0,`
`283`	`294`	`staticintShutdown=NoShutdown;`
`284`	`295`
`285`	`296`	`staticboolFatalError= false;/* T if recovering from backend crash */`
`286`		`-staticboolRecoveryError= false;/* T if WAL recovery failed */`
`287`	`297`
`288`	`298`	`/*`
`289`	`299`	`* We use a simple state machine to control startup, shutdown, and`
`@@ -326,8 +336,6 @@ static bool RecoveryError = false;/* T if WAL recovery failed */`
`326`	`336`	`* states, nor in PM_SHUTDOWN states (because we don't enter those states`
`327`	`337`	`* when trying to recover from a crash). It can be true in PM_STARTUP state,`
`328`	`338`	`* because we don't clear it until we've successfully started WAL redo.`
`329`		`- * Similarly, RecoveryError means that we have crashed during recovery, and`
`330`		`- * should not try to restart.`
`331`	`339`	`*/`
`332`	`340`	`typedefenum`
`333`	`341`	`{`
`@@ -1266,6 +1274,7 @@ PostmasterMain(int argc, char *argv[])`
`1266`	`1274`	`*/`
`1267`	`1275`	`StartupPID=StartupDataBase();`
`1268`	`1276`	`Assert(StartupPID!=0);`
	`1277`	`+StartupStatus=STARTUP_RUNNING;`
`1269`	`1278`	`pmState=PM_STARTUP;`
`1270`	`1279`
`1271`	`1280`	`/* Some workers may be scheduled to start now */`
`@@ -2565,6 +2574,7 @@ reaper(SIGNAL_ARGS)`
`2565`	`2574`	`if (Shutdown>NoShutdown&&`
`2566`	`2575`	`(EXIT_STATUS_0(exitstatus)\|\|EXIT_STATUS_1(exitstatus)))`
`2567`	`2576`	`{`
	`2577`	`+StartupStatus=STARTUP_NOT_RUNNING;`
`2568`	`2578`	`pmState=PM_WAIT_BACKENDS;`
`2569`	`2579`	`/* PostmasterStateMachine logic does the rest */`
`2570`	`2580`	`continue;`
`@@ -2587,16 +2597,18 @@ reaper(SIGNAL_ARGS)`
`2587`	`2597`	`/*`
`2588`	`2598`	`* After PM_STARTUP, any unexpected exit (including FATAL exit) of`
`2589`	`2599`	`* the startup process is catastrophic, so kill other children,`
`2590`		`- * and setRecoveryError so we don't try to reinitialize after`
`2591`		`- * they're gone. Exception: ifFatalError isalready set, that`
`2592`		`- *implies we previously sent the startup process a SIGQUIT, so`
	`2600`	`+ * and setStartupStatus so we don't try to reinitialize after`
	`2601`	`+ * they're gone. Exception: ifStartupStatus isSTARTUP_SIGNALED,`
	`2602`	`+ *then we previously sent the startup process a SIGQUIT; so`
`2593`	`2603`	`* that's probably the reason it died, and we do want to try to`
`2594`	`2604`	`* restart in that case.`
`2595`	`2605`	`*/`
`2596`	`2606`	`if (!EXIT_STATUS_0(exitstatus))`
`2597`	`2607`	`{`
`2598`		`-if (!FatalError)`
`2599`		`-RecoveryError= true;`
	`2608`	`+if (StartupStatus==STARTUP_SIGNALED)`
	`2609`	`+StartupStatus=STARTUP_NOT_RUNNING;`
	`2610`	`+else`
	`2611`	`+StartupStatus=STARTUP_CRASHED;`
`2600`	`2612`	`HandleChildCrash(pid,exitstatus,`
`2601`	`2613`	`_("startup process"));`
`2602`	`2614`	`continue;`
`@@ -2605,6 +2617,7 @@ reaper(SIGNAL_ARGS)`
`2605`	`2617`	`/*`
`2606`	`2618`	`* Startup succeeded, commence normal operations`
`2607`	`2619`	`*/`
	`2620`	`+StartupStatus=STARTUP_NOT_RUNNING;`
`2608`	`2621`	`FatalError= false;`
`2609`	`2622`	`ReachedNormalRunning= true;`
`2610`	`2623`	`pmState=PM_RUN;`
`@@ -3115,14 +3128,18 @@ HandleChildCrash(int pid, int exitstatus, const char *procname)`
`3115`	`3128`
`3116`	`3129`	`/* Take care of the startup process too */`
`3117`	`3130`	`if (pid==StartupPID)`
	`3131`	`+{`
`3118`	`3132`	`StartupPID=0;`
	`3133`	`+StartupStatus=STARTUP_CRASHED;`
	`3134`	`+}`
`3119`	`3135`	`elseif (StartupPID!=0&& !FatalError)`
`3120`	`3136`	`{`
`3121`	`3137`	`ereport(DEBUG2,`
`3122`	`3138`	`(errmsg_internal("sending %s to process %d",`
`3123`	`3139`	`(SendStop ?"SIGSTOP" :"SIGQUIT"),`
`3124`	`3140`	`(int)StartupPID)));`
`3125`	`3141`	`signal_child(StartupPID, (SendStop ?SIGSTOP :SIGQUIT));`
	`3142`	`+StartupStatus=STARTUP_SIGNALED;`
`3126`	`3143`	`}`
`3127`	`3144`
`3128`	`3145`	`/* Take care of the bgwriter too */`
`@@ -3502,13 +3519,14 @@ PostmasterStateMachine(void)`
`3502`	`3519`	`}`
`3503`	`3520`
`3504`	`3521`	`/*`
`3505`		`- * Ifrecoveryfailed, or the user does not want an automatic restart`
`3506`		`- * after backend crashes, wait for all non-syslogger children to exit, and`
`3507`		`- * then exit postmaster. We don't try to reinitialize whenrecovery fails,`
`3508`		`- * because more than likely it will just fail again and we will keep`
`3509`		`- * trying forever.`
	`3522`	`+ * Ifthe startup processfailed, or the user does not want an automatic`
	`3523`	`+ *restartafter backend crashes, wait for all non-syslogger children to`
	`3524`	`+ *exit, andthen exit postmaster.We don't try to reinitialize whenthe`
	`3525`	`+ *startup process fails,because more than likely it will just fail again`
	`3526`	`+ *and we will keeptrying forever.`
`3510`	`3527`	`*/`
`3511`		`-if (pmState==PM_NO_CHILDREN&& (RecoveryError\|\| !restart_after_crash))`
	`3528`	`+if (pmState==PM_NO_CHILDREN&&`
	`3529`	`+(StartupStatus==STARTUP_CRASHED\|\| !restart_after_crash))`
`3512`	`3530`	`ExitPostmaster(1);`
`3513`	`3531`
`3514`	`3532`	`/*`
`@@ -3525,6 +3543,7 @@ PostmasterStateMachine(void)`
`3525`	`3543`
`3526`	`3544`	`StartupPID=StartupDataBase();`
`3527`	`3545`	`Assert(StartupPID!=0);`
	`3546`	`+StartupStatus=STARTUP_RUNNING;`
`3528`	`3547`	`pmState=PM_STARTUP;`
`3529`	`3548`	`}`
`3530`	`3549`	`}`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit9c39d7a

File tree

1 file changed

1 file changed

`‎src/backend/postmaster/postmaster.c`

0 commit comments