Andres Freund <andres@2ndquadrant.com> writes:
> On 2014-08-09 14:00:49 -0400, Tom Lane wrote:
>> I don't think it's anywhere near as black-and-white as you guys claim.
>> What it comes down to is whether allowing existing transactions/sessions
>> to finish is more important than allowing new sessions to start.
>> Depending on the application, either could be more important.
> Nah. The current behaviour circumvents security measures we normally
> consider absolutely essential. If the postmaster died some bad shit went
> on. The likelihood of hitting corner case bugs where it's important that
> we react to a segfault/panic with a restart/crash replay is rather high.
What's your point? Once a new postmaster starts, it *will* do a crash
restart, because certainly no shutdown checkpoint ever happened. The
only issue here is what grace period existing orphaned backends are given
to finish their work --- and it's not possible for the answer to that
to be "zero", so you don't get to assume that nothing happens in
backend-land after the instant of postmaster crash.
regards, tom lane
