Ah, OK - I wasn't aware that cancellation was actually delivered as a regular POSIX signal... You're right about the lack of guarantees then.
In that case, I'm guessing not much could be do to guarantee sane cancellation behavior... I do understand the "best effort" idea around cancellations. However, it seems different to say "we'll try our best and the cancellation may not be delivered" (no bad consequences except maybe performance), and to say "we'll try our best but the cancellation may be delivered randomly to any query you send from the moment you send the cancellation". The second makes it very difficult to design a 100% sane, deterministic application... Any plans to address this in protocol 4?
Would you have any further recommendations or guidelines to make the situation as sane as possible? I guess I could block any new SQL queries while a cancellation on that connection is still outstanding (meaning that the cancellation connection hasn't yet been closed). As you mentioned this wouldn't be a 100% solution since it would only cover signal sending, but better than nothing?