Split up process latch initialization for more-fail-soft behavior.
In the previous coding, new backend processes would attempt to create their
self-pipe during the OwnLatch call in InitProcess. However, pipe creation
could fail if the kernel is short of resources; and the system does not
recover gracefully from a FATAL error right there, since we have armed the
dead-man switch for this process and not yet set up the on_shmem_exit
callback that would disarm it. The postmaster then forces an unnecessary
database-wide crash and restart, as reported by Sean Chittenden.
There are various ways we could rearrange the code to fix this, but the
simplest and sanest seems to be to split out creation of the self-pipe into
a new function InitializeLatchSupport, which must be called from a place
where failure is allowed. For most processes that gets called in
InitProcess or InitAuxiliaryProcess, but processes that don't call either
but still use latches need their own calls.
Back-patch to 9.1, which has only a part of the latch logic that 9.2 and
HEAD have, but nonetheless includes this bug.
Branch
------
REL9_2_STABLE
Details
-------
http://git.postgresql.org/pg/commitdiff/4d4005cb48f5d48d059bf90b849a43299881c3be
Modified Files
--------------
src/backend/port/unix_latch.c | 72 +++++++++++++++++++-----------------
src/backend/port/win32_latch.c | 6 +++
src/backend/postmaster/pgarch.c | 6 ++-
src/backend/postmaster/pgstat.c | 2 +
src/backend/postmaster/syslogger.c | 2 +
src/backend/storage/lmgr/proc.c | 14 +++++++
src/include/storage/latch.h | 1 +
7 files changed, 67 insertions(+), 36 deletions(-)
