On 08/04/2014 07:54 AM, Robert Haas wrote:
> 1. Most seriously, once the postmaster is gone, there's nobody to
> SIGQUIT remaining backends if somebody exits uncleanly. This means
> that a backend running without a postmaster could be running in a
> corrupt shared memory segment, which could lead to all sorts of
> misbehavior, including possible data corruption.

I've seen this in the field.

> 2. Operationally, orphaned backends prevent the system from being
> restarted. There's no easy, automatic way to kill them, so scripts
> that automatically restart the database server if it exits don't work.

I've also seen this in the field.

> Now, I don't say that any of this is a reason not to have a strong
> shared memory interlock, but I'm quite unconvinced that the current
> behavior should even be optional, let alone the default.

I always assumed that the current behavior existed because we *couldn't*
fix it, not because anybody wanted it.

--
Josh Berkus
PostgreSQL Experts Inc.
http://pgexperts.com