Re: [BUG] orphaned function - Mailing list pgsql-hackers

From Gilles Darold
Subject Re: [BUG] orphaned function
Date
Msg-id 442fc35a-ae78-7435-2ebc-43a95e0beb69@darold.net
Whole thread Raw
In response to Re: [BUG] orphaned function  (Tom Lane <tgl@sss.pgh.pa.us>)
Responses Re: [BUG] orphaned function
List pgsql-hackers
Le 18/12/2020 à 00:26, Tom Lane a écrit :
> Gilles Darold <gilles@darold.net> writes:
>> The same problem applies if the returned type or the procedural language
>> is dropped. I have tried to fix that in ProcedureCreate() by using an
>> AccessSharedLock for the data types and languages involved in the
>> function declaration. With this patch the race condition with parameters
>> types, return types and PL languages are fixed. Only data types and
>> procedural languages with Oid greater than FirstBootstrapObjectId will
>> be locked locked. But this is probably more complex than this fix so it
>> is proposed as a separate patch
>> (v1-003-orphaned_function_types_language.patch) to not interfere with
>> the applying of Bertran's patch.
> Indeed.  This points up one of the things that is standing in the way
> of any serious consideration of applying this patch.  To my mind there
> are two fundamental, somewhat interrelated considerations that haven't
> been meaningfully addressed:
>
> 1. What set of objects is it worth trying to remove this race condition
> for, and with respect to what dependencies?  Bertrand gave no
> justification for worrying about function-to-namespace dependencies
> specifically, and you've likewise given none for expanding the patch
> to consider function-to-datatype dependencies.  There are dozens more
> cases that could be considered; but I sure don't want to be processing
> another ad-hoc fix every time someone thinks they're worried about
> another specific case.
>
> Taking a practical viewpoint, I'm far more worried about dependencies
> of tables than those of any other kind of object.  A messed-up function
> definition doesn't cost you much: you can just drop and recreate the
> function.  A table full of data is way more trouble to recreate, and
> indeed the data might be irreplaceable.  So it seems pretty silly to
> propose that we try to remove race conditions for functions' dependencies
> on datatypes without removing the same race condition for tables'
> dependencies on their column datatypes.
>
> But any of these options lead to the same question: why stop there?
> An approach that would actually be defensible, perhaps, is to incorporate
> this functionality into the dependency mechanism: any time we're about to
> create a pg_depend or pg_shdepend entry, take out an AccessShareLock on
> the referenced object, and then check to make sure it still exists.
> This would improve the dependency mechanism so it prevents creation-time
> race conditions, not just attempts to drop dependencies of
> already-committed objects.  It would mean that the one patch would be
> the end of the problem, rather than looking forward to a steady drip of
> new fixes.
>
> 2. How much are we willing to pay for this added protection?  The fact
> that we've gotten along fine without it for years suggests that the
> answer needs to be "not much".  But I'm not sure that that actually
> is the answer, especially if we don't have a policy that says "we'll
> protect against these race conditions but no other ones".  I think
> there are possibly-serious costs in three different areas:
>
> * Speed.  How much do all these additional lock acquisitions slow
> down a typical DDL command?
>
> * Number of locks taken per transaction.  This'd be particularly an
> issue for pg_restore runs using single-transaction mode: they'd take
> not only locks on the objects they create, but also a bunch of
> reference-protection locks.  It's not very hard to believe that this'd
> make a difference in whether restoring a large database is possible
> without increasing max_locks_per_transaction.
>
> * Risk of deadlock.  The reference locks themselves should be sharable,
> so maybe there isn't much of a problem, but I want to see this question
> seriously analyzed not just ignored.
>
> Obviously, the magnitude of these costs depends a lot on how many
> dependencies we want to remove the race condition for.  But that's
> exactly the reason why I don't want a piecemeal approach of fixing
> some problems now and some other problems later.  That's way too
> much like the old recipe for boiling a frog: we could gradually get
> into serious performance problems without anyone ever having stopped
> to consider the issue.
>
> In short, I think we should either go for a 100% solution if careful
> analysis shows we can afford it, or else have a reasoned policy
> why we are going to close these specific race conditions and no others
> (implying that we'll reject future patches in the same area).  We
> haven't got either thing in this thread as it stands, so I do not
> think it's anywhere near being ready to commit.
>
>             regards, tom lane


Thanks for the review,


Honestly I have never met these races condition in 25 years of 
PostgreSQL and will probably never but clearly I don't have the Amazon 
database services workload. I let Bertrand decide what to do with the 
patch and address the races condition with a more global approach 
following your advices if more work is done on this topic. I tag the 
patch as "Waiting on author".


Best regards,

-- 
Gilles Darold
LzLabs GmbH
http://www.lzlabs.com/




pgsql-hackers by date:

Previous
From: Heikki Linnakangas
Date:
Subject: Re: Incorrect allocation handling for cryptohash functions with OpenSSL
Next
From: Heikki Linnakangas
Date:
Subject: Re: Refactor routine to check for ASCII-only case