Re: ALTER TABLE lock strength reduction patch is unsafe - Mailing list pgsql-hackers
| From | Noah Misch |
|---|---|
| Subject | Re: ALTER TABLE lock strength reduction patch is unsafe |
| Date | |
| Msg-id | 20130801005351.GA325106@tornado.leadboat.com Whole thread Raw |
| In response to | Re: ALTER TABLE lock strength reduction patch is unsafe (Simon Riggs <simon@2ndQuadrant.com>) |
| Responses |
Re: ALTER TABLE lock strength reduction patch is unsafe
Re: ALTER TABLE lock strength reduction patch is unsafe Re: ALTER TABLE lock strength reduction patch is unsafe |
| List | pgsql-hackers |
On Mon, Jul 15, 2013 at 05:50:40PM +0100, Simon Riggs wrote: > On 15 July 2013 15:06, Robert Haas <robertmhaas@gmail.com> wrote: > > Generally, the question on the table is: to what extent do MVCC > > catalog scans make the world safe for concurrent DDL, or put > > negatively, what hazards remain? > > On Tom's test I've been unable to find a single problem. > > > Noah discovered an interesting one recently: apparently, the relcache > > machinery has some logic in it that depends on the use of > > AccessExclusiveLock in subtle ways. I'm going to attempt to explain > > it, and maybe he can jump in and explain it better. Essentially, the > > problem is that when a relcache reload occurs, certain data structures > > (like the tuple descriptor, but there are others) are compared against > > the old version of the same data structure. If there are no changes, > > we do nothing; else, we free the old one and install the new one. The > > reason why we don't free the old one and install the new one > > unconditionally is because other parts of the backend might have > > pointers to the old data structure, so just replacing it all the time > > would result in crashes. Since DDL requires AccessExclusiveLock + > > CheckTableNotInUse(), any actual change to the data structure will > > happen when we haven't got any pointers anyway. > If you look at this as a generalised problem you probably can find > some issues, but that doesn't mean they apply in the specific cases > we're addressing. > > The lock reductions we are discussing in all cases have nothing at all > to do with structure and only relate to various options. Except in the > case of constraints, though even there I see no issues as yet. I was able to distill the above hypothesis into an actual crash with reduce_lock_levels.v13.patch. Test recipe: 1. Build with --enable-cassert and with -DCATCACHE_FORCE_RELEASE=1. An AcceptInvalidationMessages() will then happen at nearly every syscache lookup, making it far easier to hit a problem of this sort. 2. Run these commands as setup: create table root (c int); create table part (check (c > 0), check (c > 0)) inherits (root); 3. Attach a debugger to your session and set a breakpoint at plancat.c:660 (as of commit 16f38f72ab2b8a3b2d45ba727d213bb31111cea4). 4. Run this in your session; the breakpoint will trip: select * from root where c = -1; 5. Start another session and run: alter table part add check (c > 0); 6. Exit the debugger to release the first session. It will crash. plancache.c:657 stashes a pointer to memory belonging to the rd_att of a relcache entry. It then proceeds to call eval_const_expressions(), which performs a syscache lookup in its simplify_function() subroutine. Under CATCACHE_FORCE_RELEASE, the syscache lookup reliably prompts an AcceptInvalidationMessages(). The ensuing RelationClearRelation() against "part" notices the new constraint, decides keep_tupdesc = false, and frees the existing tupdesc. plancache.c is now left holding a pointer into freed memory. The next loop iteration will crash when it dereferences a pointer stored within that freed memory at plancat.c:671. A remediation strategy that seemed attractive when I last contemplated this problem is to repoint rd_att immediately but arrange to free the obsolete TupleDesc in AtEOXact_RelationCache(). -- Noah Misch EnterpriseDB http://www.enterprisedb.com
pgsql-hackers by date: