On Fri, Jun 21, 2013 at 11:19 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
>> I think that's the Tom Lane theory. The Robert Haas theory is that if
>> the postmaster has died, there's no reason to suppose that it hasn't
>> corrupted shared memory on the way down, or that the system isn't
>> otherwise heavily fuxxored in some way.
>
> Eh? The postmaster does its level best never to touch shared memory
> (after initialization anyway).

And yet it certainly does - see pmsignal.c, for example. Besides
which, as Andres points out, if the postmaster is dead, there is zip
for a guarantee that some OTHER backend hasn't panicked. I think it's
just ridiculous to suppose that the system can run in any sort of
reasonable way without the postmaster. The whole reason why we work
so hard to make sure that the postmaster doesn't die in the first
place is because we need it to clean up when things go horribly wrong.
If that cleanup function is important, then we need a living
postmaster at all times. If it's not important, then our extreme
paranoia about what operations the postmaster is permitted to engage
in is overblown.
--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company