Hi,
On 2018-07-19 16:16:31 -0400, Tom Lane wrote:
> Nico Williams <nico@cryptonector.com> writes:
> > I dunno if it is or isn't helpful. But I do know that this must be done
> > in an async-signal-safe way.
>
> I haven't actually heard a convincing reason why that's true. As per
> the previous discussion, if we happen to service the SIGQUIT at an
> unfortunate moment, we might get a deadlock or crash in the backend
> process, and thereby fail to send the message.
That crash could very well be exploitable. Corrupting internal
management state is far from guaranteed to only deadlock or crash
cleanly.
> But we're no worse off in such cases than if we'd not tried to send it
> at all. The only likely penalty is that, in the deadlock case, a few
> seconds will elapse before the postmaster runs out of patience and
> sends SIGKILL.
Which for deterministic failover *IS* a problem.
Greetings,
Andres Freund