Problems with ALTER DOMAIN patch
| От | Tom Lane |
|---|---|
| Тема | Problems with ALTER DOMAIN patch |
| Дата | |
| Msg-id | 26956.1039541992@sss.pgh.pa.us обсуждение исходный текст |
| Ответы |
Re: Problems with ALTER DOMAIN patch
(Rod Taylor <rbt@rbt.ca>)
|
| Список | pgsql-hackers |
I've been looking at the recently-committed ALTER DOMAIN patch, and I
think it's got some serious if not fatal problems. Specifically, the
approach to adding/dropping constraints associated with domains doesn't
work.
1. Insufficient locking, guise 1: there's no protection against someone
else dropping a column or whole table between the time you find a
pg_attribute entry in get_rels_with_domain and the time you actually
process it in AlterDomainNotNull or AlterDomainAddConstraint. The code
appears to think that holding RowExclusiveLock on pg_attribute will
protect it somehow, but that doesn't (and shouldn't) do any such thing.
This will result in at best an elog and at worst coredump when you try
to scan the no-longer-present table or column.
2. Insufficient locking, guise 2: there's no protection against someone
else adding a column or table while you're processing an ALTER DOMAIN,
either. This means that constraint checks will be missed. Example:
<< backend 1 >>
regression=# create domain mydom int4;
CREATE DOMAIN
regression=# begin;
BEGIN
regression=# alter domain mydom set not null;
ALTER DOMAIN
<< don't commit yet; in backend 2 do >>
regression=# create table foo (f1 mydom);
CREATE TABLE
regression=# insert into foo values(null);
INSERT 149688 1
<< now in backend 1: >>
regression=# commit;
COMMIT
<< now in backend 2: >>
regression=# insert into foo values(null);
ERROR: Domain mydom does not allow NULL values
regression=# select * from foo;f1
----
(1 row)
Not a very watertight domain constraint, is it? The begin/commit is not
necessary to cause a failure, it just makes it easy to make the window
for failure wide enough to hit in a manually entered example.
3. Too much locking, guise 1: the ALTER DOMAIN command will acquire
exclusive lock on every table that it scans, and will hold all these
locks until it commits. This can easily result in deadlocks --- against
other ALTER DOMAIN commands, or just against any random other
transaction that is unlucky enough to try to write any two tables
touched by the ALTER DOMAIN. AFAICS you don't need an exclusive lock,
you just want to prevent updates of the table until the domain changes
are committed, so ShareLock would be sufficient; that would reduce but
not eliminate the risk of deadlock.
4. Too much locking, guise 2: the ExclusiveLock acquired on pg_class by
get_rels_with_domain has no useful effect, since it's released again
at the end of the scan; it does manage to shut down most sorts of schema
changes while get_rels_with_domain runs, however. This is bad enough,
but:
5. Performance sucks. In the regression database on my machine, "alter
domain mydom set not null" takes over six seconds --- that's for a
freshly created domain that's not used *anywhere*. This can be blamed
entirely on the inefficient implementation of get_rels_with_domain.
In a database with more tables performance would get much worse; it's
basically O(N^2). And it's holding ExclusiveLock on pg_class the whole
time :-(. (A reasonably efficient way to make the same search would be
to use pg_depend to look for columns that depend on the domain type ---
this might find a few indirect dependencies, but it would certainly be
lots faster than repeated seqscans over pg_attribute.)
6. Permission bogosity: as per discussion yesterday, ownership of a
schema does not grant ownership rights on contained objects.
7. No mechanism for causing constraint changes to actually propagate
after they are made. This is more a fault of the design of the domain
constraint patch than it is of the alter patch, but nonetheless alter is
what exposes it. The problem is particularly acute because you chose to
insert a domain's constraint expressions into coercion operations at
expression parsing time, which is far too early. A stored rule that has
a coerce-to-domain operation in it will have a frozen idea of what
constraints it should be enforcing. Probably the expression tree should
just have a "CoerceToDomain foo" node in it, and at executor startup
this node would have to look to the pg_type entry for foo to see exactly
what it should be enforcing at the moment.
Some of these are fixable, but I don't actually see any fix for point 2
short of creating some entirely new locking convention. Currently, only
relations can be locked, but you'd really need an enforceable lock on
the type itself to make a watertight solution, I think. Since we've
never had any sort of supported ALTER TYPE operation before, the issue
hasn't come up before ...
regards, tom lane
В списке pgsql-hackers по дате отправления: