Обсуждение: Re: [BUGS] BUG #5305: Postgres service stops when closing Windows session
[moving to -hackers] On Thu, Aug 19, 2010 at 9:43 PM, Robert Haas <robertmhaas@gmail.com> wrote: > I suspect this is the same problem as bug #4897, and probably also the > same problem as this: > http://archives.postgresql.org/pgsql-bugs/2009-08/msg00114.php > > and maybe also this and this: > http://archives.postgresql.org/pgsql-bugs/2010-02/msg00179.php > http://archives.postgresql.org/pgsql-admin/2009-05/msg00105.php > > Unfortunately, it seems that no one has been able to get a stack trace yet. Bruce pointed out yet another report of this problem to me: http://archives.postgresql.org/pgsql-general/2010-08/msg00550.php After some discussion with Magnus, I think what is going on here is that the postmaster kicks off a new child process, which terminates before it actually starts running our code, either in OS-supplied code or some sort of "filter" like anti-spam or anti-virus software. It's presumably NOT dying in our code because - at least AFAICS - we don't exit(128) anywhere. One way we could possibly improve the situation is to not treat this as a child crash - that is, don't do a crash-and-restart cycle; just treat that backend as having done elog(FATAL). The trick is that you need a reliable way to distinguish between a regular child crash and an "early" child crash. Magnus suggested perhaps we could create a mutex that the child grabs before mapping shared memory; the postmaster could check whether the mutex had been taken. If so, we handle the crash normally; if not, we just chalk it up to experience and continue on. This isn't really a "fix" for the bug in the sense that the nicest thing of all would be to prevent the child from exiting abnormally in the first place. But it's far from clear that we can control that. -- Robert Haas EnterpriseDB: http://www.enterprisedb.com The Enterprise Postgres Company
Robert Haas <robertmhaas@gmail.com> writes: > After some discussion with Magnus, I think what is going on here is > that the postmaster kicks off a new child process, which terminates > before it actually starts running our code, either in OS-supplied code > or some sort of "filter" like anti-spam or anti-virus software. It's > presumably NOT dying in our code because - at least AFAICS - we don't > exit(128) anywhere. IIRC, in POSIX-compliant shells there's a specific convention about what exit(128) means, and it's something that could result from exec() failure. It might be too much of a stretch to suppose that Windows is following that, but if it is, that would square with your idea that this is happening during child process startup. > One way we could possibly improve the situation > is to not treat this as a child crash - that is, don't do a > crash-and-restart cycle; just treat that backend as having done > elog(FATAL). That seems to me like a great idea for decreasing reliability, not increasing it. If you mistakenly classify a child death as "not a crash" then you're really seriously hosed; the best outcome you can hope for is that the database freezes up without doing any major damage to itself. Furthermore, even if it is an early exit and you can afford to ignore it, the client side is still going to see a dropped connection and tell the user that the server crashed, and we're still going to get bug reports about that. I would be inclined to write this off as Windows randomness that's unfixable on our end. We could recommend that people take a closer look at what AV software they have installed and maybe try some other one. regards, tom lane
On Mon, Aug 23, 2010 at 17:09, Tom Lane <tgl@sss.pgh.pa.us> wrote: > Robert Haas <robertmhaas@gmail.com> writes: >> After some discussion with Magnus, I think what is going on here is >> that the postmaster kicks off a new child process, which terminates >> before it actually starts running our code, either in OS-supplied code >> or some sort of "filter" like anti-spam or anti-virus software. It's >> presumably NOT dying in our code because - at least AFAICS - we don't >> exit(128) anywhere. > > IIRC, in POSIX-compliant shells there's a specific convention about what > exit(128) means, and it's something that could result from exec() > failure. It might be too much of a stretch to suppose that Windows is > following that, but if it is, that would square with your idea that this > is happening during child process startup. It is (assuming the idea is correct). The problem is that the error code is not delivered at CreateProcess() time - it's delivered later. >> One way we could possibly improve the situation >> is to not treat this as a child crash - that is, don't do a >> crash-and-restart cycle; just treat that backend as having done >> elog(FATAL). > > That seems to me like a great idea for decreasing reliability, not > increasing it. If you mistakenly classify a child death as "not > a crash" then you're really seriously hosed; the best outcome you > can hope for is that the database freezes up without doing any > major damage to itself. > > Furthermore, even if it is an early exit and you can afford to ignore > it, the client side is still going to see a dropped connection and tell > the user that the server crashed, and we're still going to get bug > reports about that. Yes, but it's Less Evil. > I would be inclined to write this off as Windows randomness that's > unfixable on our end. We could recommend that people take a closer > look at what AV software they have installed and maybe try some other > one. It may well be, but we can at least attempt to mitigate it, no? -- Magnus Hagander Me: http://www.hagander.net/ Work: http://www.redpill-linpro.com/
Magnus Hagander <magnus@hagander.net> writes: > On Mon, Aug 23, 2010 at 17:09, Tom Lane <tgl@sss.pgh.pa.us> wrote: >> I would be inclined to write this off as Windows randomness that's >> unfixable on our end. �We could recommend that people take a closer >> look at what AV software they have installed and maybe try some other >> one. > It may well be, but we can at least attempt to mitigate it, no? I'm not excited about a "mitigation" approach that introduces new data-loss hazards of its very own. That doesn't meet the Less Evil standard in my eyes. [ thinks for a bit... ] Although maybe it'd be all right to piggyback on the dead-man-switch code that already exists in pmsignal.c. If the child process hasn't got as far as doing MarkPostmasterChildActive, then in principle it should be okay to assume it hasn't touched shared memory. This really is independent of what exit code it returned. regards, tom lane
On Mon, Aug 23, 2010 at 11:37 AM, Tom Lane <tgl@sss.pgh.pa.us> wrote: > Magnus Hagander <magnus@hagander.net> writes: >> On Mon, Aug 23, 2010 at 17:09, Tom Lane <tgl@sss.pgh.pa.us> wrote: >>> I would be inclined to write this off as Windows randomness that's >>> unfixable on our end. We could recommend that people take a closer >>> look at what AV software they have installed and maybe try some other >>> one. > >> It may well be, but we can at least attempt to mitigate it, no? > > I'm not excited about a "mitigation" approach that introduces new > data-loss hazards of its very own. That doesn't meet the Less Evil > standard in my eyes. > > [ thinks for a bit... ] Although maybe it'd be all right to piggyback > on the dead-man-switch code that already exists in pmsignal.c. If the > child process hasn't got as far as doing MarkPostmasterChildActive, > then in principle it should be okay to assume it hasn't touched shared > memory. This really is independent of what exit code it returned. I'm confused. That seems like it would be LESS safe than the proposed approach of taking a mutex just before mapping shared memory. There is some finite amount of code that executes after shared memory is mapped and before MarkPostmasterChildActive executes; the advantage of the mutex is that it can be taken BEFORE shared memory is mapped. On the other hand, if you think it's safe enough, it would certainly be nice to use an existing mechanism rather than inventing something totally new. I agree that the exit code is irrelevant. -- Robert Haas EnterpriseDB: http://www.enterprisedb.com The Enterprise Postgres Company
From the users point of view, this could be a Windows or AV issue, but just stops Postgres service, does not affect or interfireon Windows stability or AV stability, instead it affect your product. So if you can improve the stability of theservice (and data integrity at the most) it could be a benefic for all.<br /><br />I've found the same behavior on Postgresservice when clossing MSTSC session without any AV installed, and after some months of Postgres crashes, administratorsinstalled Kaspersky for Servers AV, and crashes are still there.<br /><br /> Cristian.<br /><br /><br /><divclass="gmail_quote">2010/8/23 Tom Lane <span dir="ltr"><<a href="mailto:tgl@sss.pgh.pa.us">tgl@sss.pgh.pa.us</a>></span><br/><blockquote class="gmail_quote" style="margin: 0pt 0pt0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;"><div class="im">Magnus Hagander <<a href="mailto:magnus@hagander.net">magnus@hagander.net</a>>writes:<br /> > On Mon, Aug 23, 2010 at 17:09, Tom Lane <<ahref="mailto:tgl@sss.pgh.pa.us">tgl@sss.pgh.pa.us</a>> wrote:<br /></div><div class="im">>> I would be inclinedto write this off as Windows randomness that's<br /> >> unfixable on our end. We could recommend that peopletake a closer<br /> >> look at what AV software they have installed and maybe try some other<br /> >> one.<br/><br /> > It may well be, but we can at least attempt to mitigate it, no?<br /><br /></div>I'm not excited abouta "mitigation" approach that introduces new<br /> data-loss hazards of its very own. That doesn't meet the Less Evil<br/> standard in my eyes.<br /><br /> [ thinks for a bit... ] Although maybe it'd be all right to piggyback<br /> onthe dead-man-switch code that already exists in pmsignal.c. If the<br /> child process hasn't got as far as doing MarkPostmasterChildActive,<br/> then in principle it should be okay to assume it hasn't touched shared<br /> memory. Thisreally is independent of what exit code it returned.<br /><br /> regards, tom lane<br /></blockquote></div><br/>
Robert Haas wrote: > [moving to -hackers] > > On Thu, Aug 19, 2010 at 9:43 PM, Robert Haas <robertmhaas@gmail.com> wrote: > > I suspect this is the same problem as bug #4897, and probably also the > > same problem as this: > > http://archives.postgresql.org/pgsql-bugs/2009-08/msg00114.php > > > > and maybe also this and this: > > http://archives.postgresql.org/pgsql-bugs/2010-02/msg00179.php > > http://archives.postgresql.org/pgsql-admin/2009-05/msg00105.php > > > > Unfortunately, it seems that no one has been able to get a stack trace yet. > > Bruce pointed out yet another report of this problem to me: > > http://archives.postgresql.org/pgsql-general/2010-08/msg00550.php > > After some discussion with Magnus, I think what is going on here is > that the postmaster kicks off a new child process, which terminates > before it actually starts running our code, either in OS-supplied code > or some sort of "filter" like anti-spam or anti-virus software. It's > presumably NOT dying in our code because - at least AFAICS - we don't > exit(128) anywhere. One way we could possibly improve the situation > is to not treat this as a child crash - that is, don't do a > crash-and-restart cycle; just treat that backend as having done > elog(FATAL). The trick is that you need a reliable way to distinguish > between a regular child crash and an "early" child crash. Magnus > suggested perhaps we could create a mutex that the child grabs before > mapping shared memory; the postmaster could check whether the mutex > had been taken. If so, we handle the crash normally; if not, we just > chalk it up to experience and continue on. > > This isn't really a "fix" for the bug in the sense that the nicest > thing of all would be to prevent the child from exiting abnormally in > the first place. But it's far from clear that we can control that. This URL has some interesting details on our problem: http://stackoverflow.com/questions/139090/getexitcodeprocess-returns-128 Error code 128 is identified as: error code 128 RROR_WAIT_NO_CHILDREN 128 0x80 There are no childprocesses to wait for and the suggested cause is: Have a look at Desktop Heap memory.Essentially the desktop heap issue comes down to exhausted resources (egstarting too manyprocesses). When your app runs out of these resources,one of the symptoms is that you won't be able to start a new process,andthe call to CreateProcess will fail with code 128. My guess is that at the time of CreateProcess(), there is enough desktop heap memory, but at some later time, perhaps caused by a logout, there isn't and the process never gets started. -- Bruce Momjian <bruce@momjian.us> http://momjian.us EnterpriseDB http://enterprisedb.com + It's impossible for everything to be true. +
On Tue, Aug 24, 2010 at 8:57 AM, Bruce Momjian <bruce@momjian.us> wrote: > Robert Haas wrote: >> [moving to -hackers] >> >> On Thu, Aug 19, 2010 at 9:43 PM, Robert Haas <robertmhaas@gmail.com> wrote: >> > I suspect this is the same problem as bug #4897, and probably also the >> > same problem as this: >> > http://archives.postgresql.org/pgsql-bugs/2009-08/msg00114.php >> > >> > and maybe also this and this: >> > http://archives.postgresql.org/pgsql-bugs/2010-02/msg00179.php >> > http://archives.postgresql.org/pgsql-admin/2009-05/msg00105.php >> > >> > Unfortunately, it seems that no one has been able to get a stack trace yet. >> >> Bruce pointed out yet another report of this problem to me: >> >> http://archives.postgresql.org/pgsql-general/2010-08/msg00550.php >> >> After some discussion with Magnus, I think what is going on here is >> that the postmaster kicks off a new child process, which terminates >> before it actually starts running our code, either in OS-supplied code >> or some sort of "filter" like anti-spam or anti-virus software. It's >> presumably NOT dying in our code because - at least AFAICS - we don't >> exit(128) anywhere. One way we could possibly improve the situation >> is to not treat this as a child crash - that is, don't do a >> crash-and-restart cycle; just treat that backend as having done >> elog(FATAL). The trick is that you need a reliable way to distinguish >> between a regular child crash and an "early" child crash. Magnus >> suggested perhaps we could create a mutex that the child grabs before >> mapping shared memory; the postmaster could check whether the mutex >> had been taken. If so, we handle the crash normally; if not, we just >> chalk it up to experience and continue on. >> >> This isn't really a "fix" for the bug in the sense that the nicest >> thing of all would be to prevent the child from exiting abnormally in >> the first place. But it's far from clear that we can control that. > > This URL has some interesting details on our problem: > > http://stackoverflow.com/questions/139090/getexitcodeprocess-returns-128 > > Error code 128 is identified as: > > error code 128 RROR_WAIT_NO_CHILDREN 128 0x80 There are no child > processes to wait for > > and the suggested cause is: > > Have a look at Desktop Heap memory. > > Essentially the desktop heap issue comes down to exhausted resources (eg > starting too many processes). When your app runs out of these resources, > one of the symptoms is that you won't be able to start a new process, > and the call to CreateProcess will fail with code 128. > > My guess is that at the time of CreateProcess(), there is enough desktop > heap memory, but at some later time, perhaps caused by a logout, there > isn't and the process never gets started. Yeah, that seems very plausible, although exactly how to verify I don't know. -- Robert Haas EnterpriseDB: http://www.enterprisedb.com The Enterprise Postgres Company
Robert Haas wrote: > >> This isn't really a "fix" for the bug in the sense that the nicest > >> thing of all would be to prevent the child from exiting abnormally in > >> the first place. ?But it's far from clear that we can control that. > > > > This URL has some interesting details on our problem: > > > > ? ? ? ?http://stackoverflow.com/questions/139090/getexitcodeprocess-returns-128 > > > > Error code 128 is identified as: > > > > ? ? ? ?error code 128 RROR_WAIT_NO_CHILDREN 128 0x80 There are no child > > ? ? ? ?processes to wait for > > > > and the suggested cause is: > > > > ? ? ? ?Have a look at Desktop Heap memory. > > > > ? ? ? ?Essentially the desktop heap issue comes down to exhausted resources (eg > > ? ? ? ?starting too many processes). When your app runs out of these resources, > > ? ? ? ?one of the symptoms is that you won't be able to start a new process, > > ? ? ? ?and the call to CreateProcess will fail with code 128. > > > > My guess is that at the time of CreateProcess(), there is enough desktop > > heap memory, but at some later time, perhaps caused by a logout, there > > isn't and the process never gets started. > > Yeah, that seems very plausible, although exactly how to verify I don't know. And here is confirmation from the Microsoft web site: http://support.microsoft.com/kb/156484 Cmd.exe, Perl.exe, or other console-mode applications may fail toinitialize properly and terminate prematurely when launchedby a serviceusing the CreateProcess() or CreateProcessAsUser() APIs. The callingprocess has no way of knowing thatthe launched console-mode applicationhas terminated prematurely.In some instances, calling GetExitCode() against thefailed processindicates the following exit code:128L ERROR_WAIT_NO_CHILDREN - There are no child processes to wait for....Internet Information Server (IIS) may exhibit this problemintermittently when processing CGI or Perl scripts. In thiscase thebrowser returns the following error when executing CGI scripts: -- Bruce Momjian <bruce@momjian.us> http://momjian.us EnterpriseDB http://enterprisedb.com + It's impossible for everything to be true. +
Bruce Momjian <bruce@momjian.us> writes: > Robert Haas wrote: >> Yeah, that seems very plausible, although exactly how to verify I don't know. > And here is confirmation from the Microsoft web site: > In some instances, calling GetExitCode() against the failed process > indicates the following exit code: > 128L ERROR_WAIT_NO_CHILDREN - There are no child processes to wait for. Given the existence of the deadman switch mechanism (which I hadn't remembered when this thread started), I'm coming around to the idea that we could just treat exit(128) as nonfatal on Windows. If for some reason the child hadn't died instantly at startup, the deadman switch would distinguish that from the case described here. regards, tom lane
Tom Lane wrote: > Bruce Momjian <bruce@momjian.us> writes: > > Robert Haas wrote: > >> Yeah, that seems very plausible, although exactly how to verify I don't know. > > > And here is confirmation from the Microsoft web site: > > > In some instances, calling GetExitCode() against the failed process > > indicates the following exit code: > > 128L ERROR_WAIT_NO_CHILDREN - There are no child processes to wait for. > > Given the existence of the deadman switch mechanism (which I hadn't > remembered when this thread started), I'm coming around to the idea that > we could just treat exit(128) as nonfatal on Windows. If for some > reason the child hadn't died instantly at startup, the deadman switch > would distinguish that from the case described here. Agreed. My guess is that there is some kind of Win32 OS race condition in allocating desktop heap memory, and that sometimes with concurrent CreateProcess() calls, a process gets started but can't complete its creation. -- Bruce Momjian <bruce@momjian.us> http://momjian.us EnterpriseDB http://enterprisedb.com + It's impossible for everything to be true. +
Tom Lane wrote: > Bruce Momjian <bruce@momjian.us> writes: > > Robert Haas wrote: > >> Yeah, that seems very plausible, although exactly how to verify I don't know. > > > And here is confirmation from the Microsoft web site: > > > In some instances, calling GetExitCode() against the failed process > > indicates the following exit code: > > 128L ERROR_WAIT_NO_CHILDREN - There are no child processes to wait for. > > Given the existence of the deadman switch mechanism (which I hadn't > remembered when this thread started), I'm coming around to the idea that > we could just treat exit(128) as nonfatal on Windows. If for some > reason the child hadn't died instantly at startup, the deadman switch > would distinguish that from the case described here. Here is a more detailed explaination of the failure and its relation to desktop heap: http://kbalertz.com/Feedback.aspx?kbNumber=184802 -- Bruce Momjian <bruce@momjian.us> http://momjian.us EnterpriseDB http://enterprisedb.com + It's impossible for everything to be true. +
On Tue, Aug 24, 2010 at 15:58, Tom Lane <tgl@sss.pgh.pa.us> wrote: > Bruce Momjian <bruce@momjian.us> writes: >> Robert Haas wrote: >>> Yeah, that seems very plausible, although exactly how to verify I don't know. > >> And here is confirmation from the Microsoft web site: > >> In some instances, calling GetExitCode() against the failed process >> indicates the following exit code: >> 128L ERROR_WAIT_NO_CHILDREN - There are no child processes to wait for. > > Given the existence of the deadman switch mechanism (which I hadn't > remembered when this thread started), I'm coming around to the idea that > we could just treat exit(128) as nonfatal on Windows. If for some > reason the child hadn't died instantly at startup, the deadman switch > would distinguish that from the case described here. Just because I had written it before you posted that, here's how the win32-specific-set-a-flag-when-we're-in-control thing would look. But if we're convinced that just ignoring error 128 is safe, then that's obviously a simpler patch.. -- Magnus Hagander Me: http://www.hagander.net/ Work: http://www.redpill-linpro.com/
Вложения
Magnus Hagander wrote: > On Tue, Aug 24, 2010 at 15:58, Tom Lane <tgl@sss.pgh.pa.us> wrote: > > Bruce Momjian <bruce@momjian.us> writes: > >> Robert Haas wrote: > >>> Yeah, that seems very plausible, although exactly how to verify I don't know. > > > >> And here is confirmation from the Microsoft web site: > > > >> ? ? ? In some instances, calling GetExitCode() against the failed process > >> ? ? ? indicates the following exit code: > >> ? ? ? 128L ERROR_WAIT_NO_CHILDREN - There are no child processes to wait for. > > > > Given the existence of the deadman switch mechanism (which I hadn't > > remembered when this thread started), I'm coming around to the idea that > > we could just treat exit(128) as nonfatal on Windows. ?If for some > > reason the child hadn't died instantly at startup, the deadman switch > > would distinguish that from the case described here. > > Just because I had written it before you posted that, here's how the > win32-specific-set-a-flag-when-we're-in-control thing would look. But > if we're convinced that just ignoring error 128 is safe, then that's > obviously a simpler patch.. Can we please link to one of those URLs I mentioned so we have definitive information on what is happening? I think the Microsoft URL is best: http://support.microsoft.com/kb/156484 -- Bruce Momjian <bruce@momjian.us> http://momjian.us EnterpriseDB http://enterprisedb.com + It's impossible for everything to be true. +
On Tue, Aug 24, 2010 at 21:14, Bruce Momjian <bruce@momjian.us> wrote: > Magnus Hagander wrote: >> On Tue, Aug 24, 2010 at 15:58, Tom Lane <tgl@sss.pgh.pa.us> wrote: >> > Bruce Momjian <bruce@momjian.us> writes: >> >> Robert Haas wrote: >> >>> Yeah, that seems very plausible, although exactly how to verify I don't know. >> > >> >> And here is confirmation from the Microsoft web site: >> > >> >> ? ? ? In some instances, calling GetExitCode() against the failed process >> >> ? ? ? indicates the following exit code: >> >> ? ? ? 128L ERROR_WAIT_NO_CHILDREN - There are no child processes to wait for. >> > >> > Given the existence of the deadman switch mechanism (which I hadn't >> > remembered when this thread started), I'm coming around to the idea that >> > we could just treat exit(128) as nonfatal on Windows. ?If for some >> > reason the child hadn't died instantly at startup, the deadman switch >> > would distinguish that from the case described here. >> >> Just because I had written it before you posted that, here's how the >> win32-specific-set-a-flag-when-we're-in-control thing would look. But >> if we're convinced that just ignoring error 128 is safe, then that's >> obviously a simpler patch.. > > Can we please link to one of those URLs I mentioned so we have > definitive information on what is happening? I think the Microsoft URL is > best: > > http://support.microsoft.com/kb/156484 That URL is specifically labeled to only be valid for NT4. -- Magnus Hagander Me: http://www.hagander.net/ Work: http://www.redpill-linpro.com/
On Tue, Aug 24, 2010 at 3:10 PM, Magnus Hagander <magnus@hagander.net> wrote: > On Tue, Aug 24, 2010 at 15:58, Tom Lane <tgl@sss.pgh.pa.us> wrote: >> Bruce Momjian <bruce@momjian.us> writes: >>> Robert Haas wrote: >>>> Yeah, that seems very plausible, although exactly how to verify I don't know. >> >>> And here is confirmation from the Microsoft web site: >> >>> In some instances, calling GetExitCode() against the failed process >>> indicates the following exit code: >>> 128L ERROR_WAIT_NO_CHILDREN - There are no child processes to wait for. >> >> Given the existence of the deadman switch mechanism (which I hadn't >> remembered when this thread started), I'm coming around to the idea that >> we could just treat exit(128) as nonfatal on Windows. If for some >> reason the child hadn't died instantly at startup, the deadman switch >> would distinguish that from the case described here. > > Just because I had written it before you posted that, here's how the > win32-specific-set-a-flag-when-we're-in-control thing would look. But > if we're convinced that just ignoring error 128 is safe, then that's > obviously a simpler patch.. So, if we do this, what will happen to the client connection that was due to be handled by the backend being spawned? Is this going to lead to extra fds accumulating or any such thing? -- Robert Haas EnterpriseDB: http://www.enterprisedb.com The Enterprise Postgres Company
On Tue, Aug 24, 2010 at 21:39, Robert Haas <robertmhaas@gmail.com> wrote: > On Tue, Aug 24, 2010 at 3:10 PM, Magnus Hagander <magnus@hagander.net> wrote: >> On Tue, Aug 24, 2010 at 15:58, Tom Lane <tgl@sss.pgh.pa.us> wrote: >>> Bruce Momjian <bruce@momjian.us> writes: >>>> Robert Haas wrote: >>>>> Yeah, that seems very plausible, although exactly how to verify I don't know. >>> >>>> And here is confirmation from the Microsoft web site: >>> >>>> In some instances, calling GetExitCode() against the failed process >>>> indicates the following exit code: >>>> 128L ERROR_WAIT_NO_CHILDREN - There are no child processes to wait for. >>> >>> Given the existence of the deadman switch mechanism (which I hadn't >>> remembered when this thread started), I'm coming around to the idea that >>> we could just treat exit(128) as nonfatal on Windows. If for some >>> reason the child hadn't died instantly at startup, the deadman switch >>> would distinguish that from the case described here. >> >> Just because I had written it before you posted that, here's how the >> win32-specific-set-a-flag-when-we're-in-control thing would look. But >> if we're convinced that just ignoring error 128 is safe, then that's >> obviously a simpler patch.. > > So, if we do this, what will happen to the client connection that was > due to be handled by the backend being spawned? Is this going to lead > to extra fds accumulating or any such thing? I don't see why. The process goes away, and with it goes all the handles. And the postmaster still closes all sockets and handles the same way it did before. -- Magnus Hagander Me: http://www.hagander.net/ Work: http://www.redpill-linpro.com/
On Tue, Aug 24, 2010 at 9:58 AM, Tom Lane <tgl@sss.pgh.pa.us> wrote: > Bruce Momjian <bruce@momjian.us> writes: >> Robert Haas wrote: >>> Yeah, that seems very plausible, although exactly how to verify I don't know. > >> And here is confirmation from the Microsoft web site: > >> In some instances, calling GetExitCode() against the failed process >> indicates the following exit code: >> 128L ERROR_WAIT_NO_CHILDREN - There are no child processes to wait for. > > Given the existence of the deadman switch mechanism (which I hadn't > remembered when this thread started), I'm coming around to the idea that > we could just treat exit(128) as nonfatal on Windows. If for some > reason the child hadn't died instantly at startup, the deadman switch > would distinguish that from the case described here. So the options are: (1) If running on Windows and the exit code is 128 and the deadman switch is not engaged, don't crash-and-restart. (2) If running on Windows, create a mutex in the parent process and take it in the child; if the mutex has not been taken, don't crash-and-restart. There is some amount of user code (I'm not sure preceisely how much) that runs after shared memory is mapped and before the deadman switch is engaged. If we go with option #1, it would probably behoove us to try to minimize the amount of such code (at least in HEAD). There is probably not a great deal of danger that we could manage to scribble on shared memory and then exit normally (rather than via signal), never mind the need to exit with exactly 128. But "not a great deal" is not the same as "none". If we go with option #2, the principal danger seems to be that the code Magnus wrote will turn out to be less robust than we might hope; for example, it might not work on all versions of Windows, or be prone to some other installation-dependent mischief. Another question is how far either of these fixes could be back-patched. I believe the dead-man switch only exists as far back as 8.4, but the original commit message mentioned the possibility of eventually back-patching it further: Although this problem is of long standing, the lack of field complaints seems to mean it's not critical enough to riskback-patching; at least not till we get some more testing of this mechanism. -- Robert Haas EnterpriseDB: http://www.enterprisedb.com The Enterprise Postgres Company
Robert Haas <robertmhaas@gmail.com> writes: > There is some amount of user code (I'm not sure preceisely how much) > that runs after shared memory is mapped and before the deadman switch > is engaged. Er ... what would you define as "user code"? The deadman switch is engaged at the point where we create a PGPROC. Before that, it's entirely impossible to take either LWLocks or heavyweight locks, which means that practically any access to shared memory would be illegal anyway. If there's anything very interesting going on in that stretch, I'd be surprised. regards, tom lane
On Tue, Aug 24, 2010 at 5:11 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote: > Robert Haas <robertmhaas@gmail.com> writes: >> There is some amount of user code (I'm not sure preceisely how much) >> that runs after shared memory is mapped and before the deadman switch >> is engaged. > > Er ... what would you define as "user code"? Our code, as opposed to the failure-inducing boatload of crap injected by the operating system. -- Robert Haas EnterpriseDB: http://www.enterprisedb.com The Enterprise Postgres Company
On Tue, Aug 24, 2010 at 08:17:15PM -0400, Robert Haas wrote: > On Tue, Aug 24, 2010 at 5:11 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote: > > Robert Haas <robertmhaas@gmail.com> writes: > >> There is some amount of user code (I'm not sure preceisely how > >> much) that runs after shared memory is mapped and before the > >> deadman switch is engaged. > > > > Er ... what would you define as "user code"? > > Our code, as opposed to the failure-inducing boatload of crap > injected by the operating system. Don't hold back. Tell us how you *really* feel ;) Cheers, David (who thinks Robert's view of that platform may be a good deal too sunny) -- David Fetter <david@fetter.org> http://fetter.org/ Phone: +1 415 235 3778 AIM: dfetter666 Yahoo!: dfetter Skype: davidfetter XMPP: david.fetter@gmail.com iCal: webcal://www.tripit.com/feed/ical/people/david74/tripit.ics Remember to vote! Consider donating to Postgres: http://www.postgresql.org/about/donate
On Tue, Aug 24, 2010 at 9:58 AM, Tom Lane <tgl@sss.pgh.pa.us> wrote: > Bruce Momjian <bruce@momjian.us> writes: >> Robert Haas wrote: >>> Yeah, that seems very plausible, although exactly how to verify I don't know. > >> And here is confirmation from the Microsoft web site: > >> In some instances, calling GetExitCode() against the failed process >> indicates the following exit code: >> 128L ERROR_WAIT_NO_CHILDREN - There are no child processes to wait for. > > Given the existence of the deadman switch mechanism (which I hadn't > remembered when this thread started), I'm coming around to the idea that > we could just treat exit(128) as nonfatal on Windows. If for some > reason the child hadn't died instantly at startup, the deadman switch > would distinguish that from the case described here. So do you want to code this up? -- Robert Haas EnterpriseDB: http://www.enterprisedb.com The Enterprise Postgres Company
Robert Haas <robertmhaas@gmail.com> writes: > On Tue, Aug 24, 2010 at 9:58 AM, Tom Lane <tgl@sss.pgh.pa.us> wrote: >> Given the existence of the deadman switch mechanism (which I hadn't >> remembered when this thread started), I'm coming around to the idea that >> we could just treat exit(128) as nonfatal on Windows. �If for some >> reason the child hadn't died instantly at startup, the deadman switch >> would distinguish that from the case described here. > So do you want to code this up? Who, me? I don't do Windows --- I'd have no way to test it. regards, tom lane
I still believe this "exit code 128" is related to pgAdmin opened during the clossing session on Remote Desktop. I have aWindows user login wich is not administrator just no privileged user, it cannot start/stop services, just monitoring. WithpgAdmin window opened inside my disconected session, as Administrator if I "close" the another disconnected session,Postgres exit with 128 code. <br /><br />Did you reproduce this behavior?<br /><br />Cristian.<br /><br /><div class="gmail_quote">2010/8/26Tom Lane <span dir="ltr"><<a href="mailto:tgl@sss.pgh.pa.us">tgl@sss.pgh.pa.us</a>></span><br/><blockquote class="gmail_quote" style="margin: 0pt 0pt0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;"><div class="im">Robert Haas <<a href="mailto:robertmhaas@gmail.com">robertmhaas@gmail.com</a>>writes:<br /></div><div class="im">> On Tue, Aug 24,2010 at 9:58 AM, Tom Lane <<a href="mailto:tgl@sss.pgh.pa.us">tgl@sss.pgh.pa.us</a>> wrote:<br /></div><div class="im">>>Given the existence of the deadman switch mechanism (which I hadn't<br /> >> remembered when thisthread started), I'm coming around to the idea that<br /> >> we could just treat exit(128) as nonfatal on Windows. If for some<br /> >> reason the child hadn't died instantly at startup, the deadman switch<br /> >>would distinguish that from the case described here.<br /><br /> > So do you want to code this up?<br /><br /></div>Who,me? I don't do Windows --- I'd have no way to test it.<br /><br /> regards, tom lane<br/></blockquote></div><br />
On Thu, Aug 26, 2010 at 22:59, Cristian Bittel <cbittel@gmail.com> wrote: > I still believe this "exit code 128" is related to pgAdmin opened during the > clossing session on Remote Desktop. I have a Windows user login wich is not > administrator just no privileged user, it cannot start/stop services, just > monitoring. With pgAdmin window opened inside my disconected session, as > Administrator if I "close" the another disconnected session, Postgres exit > with 128 code. If the closing of a session on the remote desktop can affect a *service* then frankly that sounds like a serious isolation bug in Windows itself. The postmaster grabs the handle of the process when it's started and waits on that - that should never be affected by something in a different session. I think it's more likely that Windows just looses track when you terminate a lot of processes at once, and randomly kills off something - or at least *indicates* that something has been killed off. > Did you reproduce this behavior? No, AFAIK nobody has managed to reproduce this behavior in any kind of consistent way. It's certainly been seen more than once in many places, but not consistently reproducible. -- Magnus Hagander Me: http://www.hagander.net/ Work: http://www.redpill-linpro.com/
On Sun, Aug 29, 2010 at 12:05 PM, Magnus Hagander <magnus@hagander.net> wrote: > On Thu, Aug 26, 2010 at 22:59, Cristian Bittel <cbittel@gmail.com> wrote: >> I still believe this "exit code 128" is related to pgAdmin opened during the >> clossing session on Remote Desktop. I have a Windows user login wich is not >> administrator just no privileged user, it cannot start/stop services, just >> monitoring. With pgAdmin window opened inside my disconected session, as >> Administrator if I "close" the another disconnected session, Postgres exit >> with 128 code. > > If the closing of a session on the remote desktop can affect a > *service* then frankly that sounds like a serious isolation bug in > Windows itself. The postmaster grabs the handle of the process when > it's started and waits on that - that should never be affected by > something in a different session. > > I think it's more likely that Windows just looses track when you > terminate a lot of processes at once, and randomly kills off something > - or at least *indicates* that something has been killed off. > >> Did you reproduce this behavior? > > No, AFAIK nobody has managed to reproduce this behavior in any kind of > consistent way. It's certainly been seen more than once in many > places, but not consistently reproducible. This behaviour, no - but desktop heap exhaustion is very easy to reproduce. That's because the heap usage is caused by user32.dll which uses a consistent amount with each process started, which is allocated as the process is created. When I was working on the issue a couple of years ago, it was entirely predictable - user32.dll allocates N bytes and as soon as N * numbackends exceeds the allocated heap size, we fall over. It shouldn't matter as desktop heap is allocated on a per-session basis, but are you logging on using the service account to run your admin tasks Cristian? If so, do you see the problem if you login interactively using a different account? -- Dave Page Blog: http://pgsnake.blogspot.com Twitter: @pgsnake EnterpriseDB UK: http://www.enterprisedb.com The Enterprise Postgres Company
On Tue, Aug 31, 2010 at 3:40 PM, Cristian Bittel <cbittel@gmail.com> wrote: > To Dave's question, this behavior occurs on all Windows Server interactive > sessions, no matter if Administrators or underpriviledge users, but is > related to closing Windows interactive session while pgAdmin window is > opened and connected to service. Nobody logon to Windows using "postgres" > service user. Thanks Cristian. Can you reproduce the problem if you use psql instead of pgAdmin? Both use libpq to talk to the server, so if your theory is correct, I would expect to see the same crash. It's hard to see what would bring the server down though... -- Dave Page Blog: http://pgsnake.blogspot.com Twitter: @pgsnake EnterpriseDB UK: http://www.enterprisedb.com The Enterprise Postgres Company
Dave Page wrote: > On Tue, Aug 31, 2010 at 3:40 PM, Cristian Bittel <cbittel@gmail.com> wrote: > > To Dave's question, this behavior occurs on all Windows Server interactive > > sessions, no matter if Administrators or underpriviledge users, but is > > related to closing Windows interactive session while pgAdmin window is > > opened and connected to service. Nobody logon to Windows using "postgres" > > service user. > > Thanks Cristian. > > Can you reproduce the problem if you use psql instead of pgAdmin? Both > use libpq to talk to the server, so if your theory is correct, I would > expect to see the same crash. It's hard to see what would bring the > server down though... We have already found that exceeding desktop heap might cause a CreateProcess to return success but later fail with a return code of 128, which causes a server restart. -- Bruce Momjian <bruce@momjian.us> http://momjian.us EnterpriseDB http://enterprisedb.com + It's impossible for everything to be true. +
On Tue, Aug 31, 2010 at 4:27 PM, Bruce Momjian <bruce@momjian.us> wrote: > Dave Page wrote: >> On Tue, Aug 31, 2010 at 3:40 PM, Cristian Bittel <cbittel@gmail.com> wrote: >> > To Dave's question, this behavior occurs on all Windows Server interactive >> > sessions, no matter if Administrators or underpriviledge users, but is >> > related to closing Windows interactive session while pgAdmin window is >> > opened and connected to service. Nobody logon to Windows using "postgres" >> > service user. >> >> Thanks Cristian. >> >> Can you reproduce the problem if you use psql instead of pgAdmin? Both >> use libpq to talk to the server, so if your theory is correct, I would >> expect to see the same crash. It's hard to see what would bring the >> server down though... > > We have already found that exceeding desktop heap might cause a > CreateProcess to return success but later fail with a return code of > 128, which causes a server restart. That doesn't mean that this is desktop heap exhaustion though - just that it can cause the same effect. -- Dave Page Blog: http://pgsnake.blogspot.com Twitter: @pgsnake EnterpriseDB UK: http://www.enterprisedb.com The Enterprise Postgres Company
Dave Page wrote: > On Tue, Aug 31, 2010 at 4:27 PM, Bruce Momjian <bruce@momjian.us> wrote: > > Dave Page wrote: > >> On Tue, Aug 31, 2010 at 3:40 PM, Cristian Bittel <cbittel@gmail.com> wrote: > >> > To Dave's question, this behavior occurs on all Windows Server interactive > >> > sessions, no matter if Administrators or underpriviledge users, but is > >> > related to closing Windows interactive session while pgAdmin window is > >> > opened and connected to service. Nobody logon to Windows using "postgres" > >> > service user. > >> > >> Thanks Cristian. > >> > >> Can you reproduce the problem if you use psql instead of pgAdmin? Both > >> use libpq to talk to the server, so if your theory is correct, I would > >> expect to see the same crash. It's hard to see what would bring the > >> server down though... > > > > We have already found that exceeding desktop heap might cause a > > CreateProcess to return success but later fail with a return code of > > 128, which causes a server restart. > > That doesn't mean that this is desktop heap exhaustion though - just > that it can cause the same effect. Right, but it is the only possible server crash cause we have come up with so far. -- Bruce Momjian <bruce@momjian.us> http://momjian.us EnterpriseDB http://enterprisedb.com + It's impossible for everything to be true. +
I am the "remote" support guy for a web developed application (Apache+PHP+Pg. Postgres is isolated on a server, Apache runs on another server), and installed at our client, our client is the Administrator user on Windows Server, I just have a limited privileges Windows user for monitoring. I have my own "support" superuser (not "postgres" user) for Postgres database to monitor the status, logs and to perform stats queries.
To Windows Server I just can login using remote desktop, my interactive user cannot start or stop the PostgreSQL service or other services, just Administrators users can do it.
From inside my underprivileged session on the Windows server I can open pgAdmin and connect to Postgres service. When I left the pgAdmin connected to Postgres service opened into the Windows session (session connected or disconnected) and I or someone else (Administrators) "close" my session, then is when PostgreSQL service crash. If inside the remote session I normally close pgAdmin using the "X" button or File>Exit or "Ctrl+Q", that not affect PostgreSQL service.
This is the major reason to think is pgAdmin.exe when forced shutdown by terminating Windows session which sends abnormal signal to PostgreSQL service.
Besides the abnormal signal that pgAdmin forced shutingdown could being send to PostgreSQL service, the service itself also could catch that behavior in any of the aproaches you are discussing for the service itself to ignore that signal.
To Dave's question, this behavior occurs on all Windows Server interactive sessions, no matter if Administrators or underpriviledge users, but is related to closing Windows interactive session while pgAdmin window is opened and connected to service. Nobody logon to Windows using "postgres" service user.
Regards,
Cristian.
To Windows Server I just can login using remote desktop, my interactive user cannot start or stop the PostgreSQL service or other services, just Administrators users can do it.
From inside my underprivileged session on the Windows server I can open pgAdmin and connect to Postgres service. When I left the pgAdmin connected to Postgres service opened into the Windows session (session connected or disconnected) and I or someone else (Administrators) "close" my session, then is when PostgreSQL service crash. If inside the remote session I normally close pgAdmin using the "X" button or File>Exit or "Ctrl+Q", that not affect PostgreSQL service.
This is the major reason to think is pgAdmin.exe when forced shutdown by terminating Windows session which sends abnormal signal to PostgreSQL service.
Besides the abnormal signal that pgAdmin forced shutingdown could being send to PostgreSQL service, the service itself also could catch that behavior in any of the aproaches you are discussing for the service itself to ignore that signal.
To Dave's question, this behavior occurs on all Windows Server interactive sessions, no matter if Administrators or underpriviledge users, but is related to closing Windows interactive session while pgAdmin window is opened and connected to service. Nobody logon to Windows using "postgres" service user.
Regards,
Cristian.
2010/8/31 Dave Page <dpage@pgadmin.org>
This behaviour, no - but desktop heap exhaustion is very easy toOn Sun, Aug 29, 2010 at 12:05 PM, Magnus Hagander <magnus@hagander.net> wrote:
> On Thu, Aug 26, 2010 at 22:59, Cristian Bittel <cbittel@gmail.com> wrote:
>> I still believe this "exit code 128" is related to pgAdmin opened during the
>> clossing session on Remote Desktop. I have a Windows user login wich is not
>> administrator just no privileged user, it cannot start/stop services, just
>> monitoring. With pgAdmin window opened inside my disconected session, as
>> Administrator if I "close" the another disconnected session, Postgres exit
>> with 128 code.
>
> If the closing of a session on the remote desktop can affect a
> *service* then frankly that sounds like a serious isolation bug in
> Windows itself. The postmaster grabs the handle of the process when
> it's started and waits on that - that should never be affected by
> something in a different session.
>
> I think it's more likely that Windows just looses track when you
> terminate a lot of processes at once, and randomly kills off something
> - or at least *indicates* that something has been killed off.
>
>> Did you reproduce this behavior?
>
> No, AFAIK nobody has managed to reproduce this behavior in any kind of
> consistent way. It's certainly been seen more than once in many
> places, but not consistently reproducible.
reproduce. That's because the heap usage is caused by user32.dll which
uses a consistent amount with each process started, which is allocated
as the process is created. When I was working on the issue a couple of
years ago, it was entirely predictable - user32.dll allocates N bytes
and as soon as N * numbackends exceeds the allocated heap size, we
fall over.
It shouldn't matter as desktop heap is allocated on a per-session
basis, but are you logging on using the service account to run your
admin tasks Cristian? If so, do you see the problem if you login
interactively using a different account?
--
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake
EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise Postgres Company
On Tue, Aug 31, 2010 at 4:35 PM, Bruce Momjian <bruce@momjian.us> wrote: > Dave Page wrote: >> On Tue, Aug 31, 2010 at 4:27 PM, Bruce Momjian <bruce@momjian.us> wrote: >> > We have already found that exceeding desktop heap might cause a >> > CreateProcess to return success but later fail with a return code of >> > 128, which causes a server restart. >> >> That doesn't mean that this is desktop heap exhaustion though - just >> that it can cause the same effect. > > Right, but it is the only possible server crash cause we have come up > with so far. Understood - I'm just unconvinced it's the cause - aside from the point I made earlier about heap exhaustion being very predictable and reproducible (which this issue apparently is not), when the server is run under the SCM, it creates a logon session for that service alone which has it's own heap allocation which is entirely independent of the allocation used by any interactive logon sessions. So unless there's a major isolation bug in Windows, any desktop heap usage in an interactive session for one user should have zero effect on a non-interactive session for another user. -- Dave Page Blog: http://pgsnake.blogspot.com Twitter: @pgsnake EnterpriseDB UK: http://www.enterprisedb.com The Enterprise Postgres Company
Dave Page wrote: > On Tue, Aug 31, 2010 at 4:35 PM, Bruce Momjian <bruce@momjian.us> wrote: > > Dave Page wrote: > >> On Tue, Aug 31, 2010 at 4:27 PM, Bruce Momjian <bruce@momjian.us> wrote: > >> > We have already found that exceeding desktop heap might cause a > >> > CreateProcess to return success but later fail with a return code of > >> > 128, which causes a server restart. > >> > >> That doesn't mean that this is desktop heap exhaustion though - just > >> that it can cause the same effect. > > > > Right, but it is the only possible server crash cause we have come up > > with so far. > > Understood - I'm just unconvinced it's the cause - aside from the > point I made earlier about heap exhaustion being very predictable and > reproducible (which this issue apparently is not), when the server is > run under the SCM, it creates a logon session for that service alone > which has it's own heap allocation which is entirely independent of > the allocation used by any interactive logon sessions. > > So unless there's a major isolation bug in Windows, any desktop heap > usage in an interactive session for one user should have zero effect > on a non-interactive session for another user. Well, the only description that we have ever heard that makes sense is some kind of heap exhaustion, perhaps triggered by a Windows bug that doesn't properly track heap allocations sometimes. Of course, the cause might be aliens, but we don't have any evidence of that either. :-| What we do know is that CreateProcess is returning success, and the child is exiting with 128 no_such_child, and that logging out can trigger it sometimes. -- Bruce Momjian <bruce@momjian.us> http://momjian.us EnterpriseDB http://enterprisedb.com + It's impossible for everything to be true. +
On Wed, Sep 1, 2010 at 3:49 PM, Cristian Bittel <cbittel@gmail.com> wrote: > Maybe the issue, for the momtent, could be avoided modifying the shared heap > for sessions on Windows. But I don't really have idea how much to increase > or decrease the values. Try and error? But, inside the opened Windows > sessions nothing alerts of a heap exaust so could be unpredictable how much > to change the values until the next PostgreSQL service crash... > 32-bits: http://support.microsoft.com/kb/184802 > > There are several reports for another services with the same behavior > including exit code 128 and a workaround to increase the heap on old Windows > versions but the Exit Code 128 seems to apply to Windows 2003 Server x64 > also. And seems to be improved in Windows 2008 where heap is not fixed. > https://fogbugz.bitvise.com/default.asp?WinSSHD.1.12888.2 > http://support.microsoft.com/kb/824422 Given the unpredictability, if this is connected to desktop heap I don't think it's running out of per-session memory, so much as the system-wide heap (which, afaict, is fixed at 48MB). That might explain why a desktop session could affect other sessions. Is this a terminal server, with lots of interactive users? Can you check the heap usage using the desktop heap monitor: http://www.microsoft.com/downloads/details.aspx?familyid=5cfc9b74-97aa-4510-b4b9-b2dc98c8ed8b&displaylang=en -- Dave Page Blog: http://pgsnake.blogspot.com Twitter: @pgsnake EnterpriseDB UK: http://www.enterprisedb.com The Enterprise Postgres Company
Maybe the issue, for the momtent, could be avoided modifying the shared heap for sessions on Windows. But I don't really have idea how much to increase or decrease the values. Try and error? But, inside the opened Windows sessions nothing alerts of a heap exaust so could be unpredictable how much to change the values until the next PostgreSQL service crash...
32-bits: http://support.microsoft.com/kb/184802
There are several reports for another services with the same behavior including exit code 128 and a workaround to increase the heap on old Windows versions but the Exit Code 128 seems to apply to Windows 2003 Server x64 also. And seems to be improved in Windows 2008 where heap is not fixed.
https://fogbugz.bitvise.com/default.asp?WinSSHD.1.12888.2
http://support.microsoft.com/kb/824422
32-bits: http://support.microsoft.com/kb/184802
There are several reports for another services with the same behavior including exit code 128 and a workaround to increase the heap on old Windows versions but the Exit Code 128 seems to apply to Windows 2003 Server x64 also. And seems to be improved in Windows 2008 where heap is not fixed.
https://fogbugz.bitvise.com/default.asp?WinSSHD.1.12888.2
http://support.microsoft.com/kb/824422
2010/8/31 Bruce Momjian <bruce@momjian.us>
Dave Page wrote:Well, the only description that we have ever heard that makes sense is
> On Tue, Aug 31, 2010 at 4:35 PM, Bruce Momjian <bruce@momjian.us> wrote:
> > Dave Page wrote:
> >> On Tue, Aug 31, 2010 at 4:27 PM, Bruce Momjian <bruce@momjian.us> wrote:
> >> > We have already found that exceeding desktop heap might cause a
> >> > CreateProcess to return success but later fail with a return code of
> >> > 128, which causes a server restart.
> >>
> >> That doesn't mean that this is desktop heap exhaustion though - just
> >> that it can cause the same effect.
> >
> > Right, but it is the only possible server crash cause we have come up
> > with so far.
>
> Understood - I'm just unconvinced it's the cause - aside from the
> point I made earlier about heap exhaustion being very predictable and
> reproducible (which this issue apparently is not), when the server is
> run under the SCM, it creates a logon session for that service alone
> which has it's own heap allocation which is entirely independent of
> the allocation used by any interactive logon sessions.
>
> So unless there's a major isolation bug in Windows, any desktop heap
> usage in an interactive session for one user should have zero effect
> on a non-interactive session for another user.
some kind of heap exhaustion, perhaps triggered by a Windows bug that
doesn't properly track heap allocations sometimes.
Of course, the cause might be aliens, but we don't have any evidence of
that either. :-|
What we do know is that CreateProcess is returning success, and the
child is exiting with 128 no_such_child, and that logging out can
trigger it sometimes.
--
Bruce Momjian <bruce@momjian.us> http://momjian.us
EnterpriseDB http://enterprisedb.com
+ It's impossible for everything to be true. +
On Tue, Aug 24, 2010 at 15:58, Tom Lane <tgl@sss.pgh.pa.us> wrote: > Bruce Momjian <bruce@momjian.us> writes: >> Robert Haas wrote: >>> Yeah, that seems very plausible, although exactly how to verify I don't know. > >> And here is confirmation from the Microsoft web site: > >> In some instances, calling GetExitCode() against the failed process >> indicates the following exit code: >> 128L ERROR_WAIT_NO_CHILDREN - There are no child processes to wait for. > > Given the existence of the deadman switch mechanism (which I hadn't > remembered when this thread started), I'm coming around to the idea that > we could just treat exit(128) as nonfatal on Windows. If for some > reason the child hadn't died instantly at startup, the deadman switch > would distinguish that from the case described here. Just to be clear, do you mean something as simple as this? -- Magnus Hagander Me: http://www.hagander.net/ Work: http://www.redpill-linpro.com/
Вложения
Magnus Hagander <magnus@hagander.net> writes: > On Tue, Aug 24, 2010 at 15:58, Tom Lane <tgl@sss.pgh.pa.us> wrote: >> Given the existence of the deadman switch mechanism (which I hadn't >> remembered when this thread started), I'm coming around to the idea that >> we could just treat exit(128) as nonfatal on Windows. �If for some >> reason the child hadn't died instantly at startup, the deadman switch >> would distinguish that from the case described here. > Just to be clear, do you mean something as simple as this? That seems like a rather klugy place and way to insert the fix. One complaint about it is that the notice won't get logged nicely. It'd be better if the main reaper() code was responsible for ignoring 128 so that it could log the fact that it'd done so in the regular postmaster log. Another issue is that "nonfatal" doesn't mean "successful". In particular, if this happened for the startup process, or probably some other cases, taking the exit code as 0 would cause seriously wrong things to happen. On balance I think I'd suggest an #ifdef WIN32 in CleanupBackend that made it accept 128 as a "normal exit" case. That would allow normal processing to continue only when this happens to a regular backend, which is probably sufficient for the purpose. regards, tom lane
On Thu, Sep 9, 2010 at 19:48, Tom Lane <tgl@sss.pgh.pa.us> wrote: > Magnus Hagander <magnus@hagander.net> writes: >> On Tue, Aug 24, 2010 at 15:58, Tom Lane <tgl@sss.pgh.pa.us> wrote: >>> Given the existence of the deadman switch mechanism (which I hadn't >>> remembered when this thread started), I'm coming around to the idea that >>> we could just treat exit(128) as nonfatal on Windows. If for some >>> reason the child hadn't died instantly at startup, the deadman switch >>> would distinguish that from the case described here. > >> Just to be clear, do you mean something as simple as this? > > That seems like a rather klugy place and way to insert the fix. One > complaint about it is that the notice won't get logged nicely. It'd be > better if the main reaper() code was responsible for ignoring 128 so > that it could log the fact that it'd done so in the regular postmaster > log. Agreed - I just wanted to throw it in somewhere for testing. Should've mentioned htat. > Another issue is that "nonfatal" doesn't mean "successful". In > particular, if this happened for the startup process, or probably some > other cases, taking the exit code as 0 would cause seriously wrong > things to happen. > > On balance I think I'd suggest an #ifdef WIN32 in CleanupBackend that > made it accept 128 as a "normal exit" case. That would allow normal > processing to continue only when this happens to a regular backend, > which is probably sufficient for the purpose. Seems reasonable. I'll whack it around for that - see attached. Dave has a reasonably reproducible test environment. Unforunately it's on 8.3, so this patch will be completely unsafe there (it doesn't have the deadman switch). But hopefully it can be used to see it fixes this problem (while introducing others)h -- Magnus Hagander Me: http://www.hagander.net/ Work: http://www.redpill-linpro.com/
Вложения
Magnus Hagander <magnus@hagander.net> writes: > On Thu, Sep 9, 2010 at 19:48, Tom Lane <tgl@sss.pgh.pa.us> wrote: >> On balance I think I'd suggest an #ifdef WIN32 in CleanupBackend that >> made it accept 128 as a "normal exit" case. > Seems reasonable. I'll whack it around for that - see attached. Hm, still doesn't log, which I think it should, even for testing purposes (how will you know the case occurred?). Maybe like this: /* * If a backend dies in an ugly way then we must signal all other backends * to quickdie. If exit status is zero (normal)or one (FATAL exit), we * assume everything is all right and proceed to remove the backend from * the active backendlist. + * + * On Windows, also treat ERROR_WAIT_NO_CHILDREN (128) as a nonfatal + * case, since that sometimes happens under load. */ +#ifdef WIN32 + if (exitstatus == ERROR_WAIT_NO_CHILDREN) + { + LogChildExit(LOG, _("server process"), pid, exitstatus); + exitstatus = 0; + } +#endif +if (!EXIT_STATUS_0(exitstatus) && !EXIT_STATUS_1(exitstatus)){ HandleChildCrash(pid, exitstatus, _("server process")); return;} > Dave has a reasonably reproducible test environment. Unforunately it's > on 8.3, so this patch will be completely unsafe there (it doesn't have > the deadman switch). But hopefully it can be used to see it fixes this > problem (while introducing others)h Sounds like a plan. We're not so worried about this case that we'd want to backport the deadman switch into 8.3 or 8.2 to have a fix there, are we? regards, tom lane
On Thu, Sep 9, 2010 at 2:23 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote: > We're not so worried about this case that we'd want to backport the > deadman switch into 8.3 or 8.2 to have a fix there, are we? I think we should consider backporting the deadman switch to 8.3 and 8.2. -- Robert Haas EnterpriseDB: http://www.enterprisedb.com The Enterprise Postgres Company
Robert Haas <robertmhaas@gmail.com> writes: > On Thu, Sep 9, 2010 at 2:23 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote: >> We're not so worried about this case that we'd want to backport the >> deadman switch into 8.3 or 8.2 to have a fix there, are we? > I think we should consider backporting the deadman switch to 8.3 and 8.2. [ raised eyebrow... ] Weren't you the one just lecturing me about minimizing changes in back branches? That was a fairly large patch, and I *don't* want to back-port it. The thrust of my question was more along the lines of whether we should look for a different solution to the current problem, so that we would have something that could be back-ported into 8.2 and 8.3. Personally I'm satisfied with only fixing it in 8.4 and up, but then again I don't use Windows. regards, tom lane
On Thu, Sep 9, 2010 at 21:00, Tom Lane <tgl@sss.pgh.pa.us> wrote: > Robert Haas <robertmhaas@gmail.com> writes: >> On Thu, Sep 9, 2010 at 2:23 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote: >>> We're not so worried about this case that we'd want to backport the >>> deadman switch into 8.3 or 8.2 to have a fix there, are we? > >> I think we should consider backporting the deadman switch to 8.3 and 8.2. > > [ raised eyebrow... ] Weren't you the one just lecturing me about > minimizing changes in back branches? > > That was a fairly large patch, and I *don't* want to back-port it. > The thrust of my question was more along the lines of whether we should > look for a different solution to the current problem, so that we would > have something that could be back-ported into 8.2 and 8.3. Personally > I'm satisfied with only fixing it in 8.4 and up, but then again I don't > use Windows. Once we've shown that it works, I think we should look at doing something for <= 8.3 as well. How about something along the line of y previous patch (with the event) for 8.2 and 8.3, and then this simplified one for 8.4+? -- Magnus Hagander Me: http://www.hagander.net/ Work: http://www.redpill-linpro.com/
Magnus Hagander <magnus@hagander.net> writes: > On Thu, Sep 9, 2010 at 21:00, Tom Lane <tgl@sss.pgh.pa.us> wrote: >> The thrust of my question was more along the lines of whether we should >> look for a different solution to the current problem, so that we would >> have something that could be back-ported into 8.2 and 8.3. �Personally >> I'm satisfied with only fixing it in 8.4 and up, but then again I don't >> use Windows. > Once we've shown that it works, I think we should look at doing > something for <= 8.3 as well. > How about something along the line of y previous patch (with the > event) for 8.2 and 8.3, and then this simplified one for 8.4+? Actually, I was just wondering how much we really need the dead-man switch for this patch. If we don't have it, then what we risk is that exit(128) will be taken as successful exit when it shouldn't be. But how likely is it that such a call will ever be made? I think accepting that small risk might be reasonable in the old branches. It's not like the other possible fixes are zero-risk in themselves; especially not patches that are only meant for the old branches and will never get testing in HEAD. regards, tom lane
On Thu, Sep 9, 2010 at 3:00 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote: > Robert Haas <robertmhaas@gmail.com> writes: >> On Thu, Sep 9, 2010 at 2:23 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote: >>> We're not so worried about this case that we'd want to backport the >>> deadman switch into 8.3 or 8.2 to have a fix there, are we? > >> I think we should consider backporting the deadman switch to 8.3 and 8.2. > > [ raised eyebrow... ] Weren't you the one just lecturing me about > minimizing changes in back branches? They call me Professor Haas? I believe the specific nature of my complaint was that we should only back-patch important bug or security fixes. I think that there is credible argument that unnecessary database PANICs fall into that category and wonky whitespace in the ps output does not. YMMV, of course. > That was a fairly large patch, and I *don't* want to back-port it. > The thrust of my question was more along the lines of whether we should > look for a different solution to the current problem, so that we would > have something that could be back-ported into 8.2 and 8.3. Personally > I'm satisfied with only fixing it in 8.4 and up, but then again I don't > use Windows. I'm a bit surprised that you don't think this is back-patchable material, considering the last paragraph of the commit message, which seems to imply that you at least gave the matter some brief consideration before deciding against it: Although this problem is of long standing, the lack of field complaints seems to mean it's not critical enough to riskback-patching; at least not till we get some more testing of this mechanism. We certainly now have MANY documented field complaints at least of the exit-128-on-Windows problem, if not the more general backend-exits-without-going-through-the-normal-cleanup-path problem. Having said that, I'd be just as happy to go back to Magnus's original solution, which didn't depend on the dead-man switch anyway. -- Robert Haas EnterpriseDB: http://www.enterprisedb.com The Enterprise Postgres Company
Robert Haas <robertmhaas@gmail.com> writes: > We certainly now have MANY documented field complaints at least of the > exit-128-on-Windows problem, if not the more general > backend-exits-without-going-through-the-normal-cleanup-path problem. Right, which is why I still don't care to risk back-porting a fix for the latter. regards, tom lane
On Thu, Sep 9, 2010 at 3:28 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote: > Robert Haas <robertmhaas@gmail.com> writes: >> We certainly now have MANY documented field complaints at least of the >> exit-128-on-Windows problem, if not the more general >> backend-exits-without-going-through-the-normal-cleanup-path problem. > > Right, which is why I still don't care to risk back-porting a fix for > the latter. It's hard to say what the safest option is, I think. There seem to be basically three proposals on the table: 1. Back-port the dead-man switch, and ignore exit 128. 2. Don't back-port the dead-man switch, but ignore exit 128 anyway. 3. Revert to Magnus's original solution. Each of these has advantages and disadvantages. The advantage of #1 is that it is safer than #2, and that is usually something we prize fairly highly. The disadvantage of #1 is that it involves back-porting the dead-man switch, but on the flip side that code has been out in the field for over a year now in 8.4, and AFAIK we haven't any trouble with it. Solution #3 should be approximately as safe as solution #1, and has the advantage of touching less code in the back branches, but on the other hand it is also NEW code. So I think it's arguable which is the best solution. I think I like option #2 least as among those choices, but it's a tough call. -- Robert Haas EnterpriseDB: http://www.enterprisedb.com The Enterprise Postgres Company
Robert Haas <robertmhaas@gmail.com> writes: > It's hard to say what the safest option is, I think. There seem to be > basically three proposals on the table: > 1. Back-port the dead-man switch, and ignore exit 128. > 2. Don't back-port the dead-man switch, but ignore exit 128 anyway. > 3. Revert to Magnus's original solution. > Each of these has advantages and disadvantages. The advantage of #1 > is that it is safer than #2, and that is usually something we prize > fairly highly. The disadvantage of #1 is that it involves > back-porting the dead-man switch, but on the flip side that code has > been out in the field for over a year now in 8.4, and AFAIK we haven't > any trouble with it. Solution #3 should be approximately as safe as > solution #1, and has the advantage of touching less code in the back > branches, but on the other hand it is also NEW code. So I think it's > arguable which is the best solution. I think I like option #2 least > as among those choices, but it's a tough call. Well, I don't want to use Magnus' original solution in 8.4 or up, so I don't like #3 much: it's not only new code but code which would get very limited testing. And I don't believe that the risk of unexpected use of exit(128) is large enough to make #1 preferable to #2. YMMV. regards, tom lane
On Thu, Sep 9, 2010 at 22:09, Tom Lane <tgl@sss.pgh.pa.us> wrote: > Robert Haas <robertmhaas@gmail.com> writes: >> It's hard to say what the safest option is, I think. There seem to be >> basically three proposals on the table: > >> 1. Back-port the dead-man switch, and ignore exit 128. >> 2. Don't back-port the dead-man switch, but ignore exit 128 anyway. >> 3. Revert to Magnus's original solution. > >> Each of these has advantages and disadvantages. The advantage of #1 >> is that it is safer than #2, and that is usually something we prize >> fairly highly. The disadvantage of #1 is that it involves >> back-porting the dead-man switch, but on the flip side that code has >> been out in the field for over a year now in 8.4, and AFAIK we haven't >> any trouble with it. Solution #3 should be approximately as safe as >> solution #1, and has the advantage of touching less code in the back >> branches, but on the other hand it is also NEW code. So I think it's >> arguable which is the best solution. I think I like option #2 least >> as among those choices, but it's a tough call. > > Well, I don't want to use Magnus' original solution in 8.4 or up, > so I don't like #3 much: it's not only new code but code which would > get very limited testing. And I don't believe that the risk of > unexpected use of exit(128) is large enough to make #1 preferable to #2. > YMMV. I agree on option #3 not being good - that'd basically be dead-end code in backbranches only, and it's significantly different. -- Magnus Hagander Me: http://www.hagander.net/ Work: http://www.redpill-linpro.com/
Robert Haas wrote: > On Thu, Sep 9, 2010 at 3:28 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote: > > Robert Haas <robertmhaas@gmail.com> writes: > >> We certainly now have MANY documented field complaints at least of the > >> exit-128-on-Windows problem, if not the more general > >> backend-exits-without-going-through-the-normal-cleanup-path problem. > > > > Right, which is why I still don't care to risk back-porting a fix for > > the latter. > > It's hard to say what the safest option is, I think. There seem to be > basically three proposals on the table: > > 1. Back-port the dead-man switch, and ignore exit 128. > 2. Don't back-port the dead-man switch, but ignore exit 128 anyway. > 3. Revert to Magnus's original solution. > > Each of these has advantages and disadvantages. The advantage of #1 > is that it is safer than #2, and that is usually something we prize > fairly highly. The disadvantage of #1 is that it involves > back-porting the dead-man switch, but on the flip side that code has > been out in the field for over a year now in 8.4, and AFAIK we haven't > any trouble with it. Solution #3 should be approximately as safe as > solution #1, and has the advantage of touching less code in the back > branches, but on the other hand it is also NEW code. So I think it's > arguable which is the best solution. I think I like option #2 least > as among those choices, but it's a tough call. Well, the dead-man timer is for all platforms, while the 128 return failure is Win32-only, so I don't see why applying the dead-man timer makes sense when it might destabalize all platforms, when the bug is just on Win32, and I don't think using defines to make the dead-man timer Win32-only makes sense. I think we have clear enough evidence that 128 on Win32 means no-such-child and we can be sure the child never got started on that platform. -- Bruce Momjian <bruce@momjian.us> http://momjian.us EnterpriseDB http://enterprisedb.com + It's impossible for everything to be true. +
On Thu, Sep 9, 2010 at 20:23, Tom Lane <tgl@sss.pgh.pa.us> wrote: > Magnus Hagander <magnus@hagander.net> writes: >> On Thu, Sep 9, 2010 at 19:48, Tom Lane <tgl@sss.pgh.pa.us> wrote: >>> On balance I think I'd suggest an #ifdef WIN32 in CleanupBackend that >>> made it accept 128 as a "normal exit" case. > >> Seems reasonable. I'll whack it around for that - see attached. > > Hm, still doesn't log, which I think it should, even for testing > purposes (how will you know the case occurred?). Maybe like this: Agreed, that's better. >> Dave has a reasonably reproducible test environment. Unforunately it's >> on 8.3, so this patch will be completely unsafe there (it doesn't have >> the deadman switch). But hopefully it can be used to see it fixes this >> problem (while introducing others)h > > Sounds like a plan. Patch is with dave for testing now :-) -- Magnus Hagander Me: http://www.hagander.net/ Work: http://www.redpill-linpro.com/
On Fri, Sep 10, 2010 at 03:12, Bruce Momjian <bruce@momjian.us> wrote: > Robert Haas wrote: >> On Thu, Sep 9, 2010 at 3:28 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote: >> > Robert Haas <robertmhaas@gmail.com> writes: >> >> We certainly now have MANY documented field complaints at least of the >> >> exit-128-on-Windows problem, if not the more general >> >> backend-exits-without-going-through-the-normal-cleanup-path problem. >> > >> > Right, which is why I still don't care to risk back-porting a fix for >> > the latter. >> >> It's hard to say what the safest option is, I think. There seem to be >> basically three proposals on the table: >> >> 1. Back-port the dead-man switch, and ignore exit 128. >> 2. Don't back-port the dead-man switch, but ignore exit 128 anyway. >> 3. Revert to Magnus's original solution. >> >> Each of these has advantages and disadvantages. The advantage of #1 >> is that it is safer than #2, and that is usually something we prize >> fairly highly. The disadvantage of #1 is that it involves >> back-porting the dead-man switch, but on the flip side that code has >> been out in the field for over a year now in 8.4, and AFAIK we haven't >> any trouble with it. Solution #3 should be approximately as safe as >> solution #1, and has the advantage of touching less code in the back >> branches, but on the other hand it is also NEW code. So I think it's >> arguable which is the best solution. I think I like option #2 least >> as among those choices, but it's a tough call. > > Well, the dead-man timer is for all platforms, while the 128 return > failure is Win32-only, so I don't see why applying the dead-man timer > makes sense when it might destabalize all platforms, when the bug is > just on Win32, and I don't think using defines to make the dead-man > timer Win32-only makes sense. Yes, that's the problem, really. > I think we have clear enough evidence that 128 on Win32 means > no-such-child and we can be sure the child never got started on that > platform. We have evidence that 128 occurs in this case. I don't think we have evidence that there is no other case when this can happen, and we need to investigate that some further to be *sure*. We can safely say that *we* never do exit(128). What if a third party library does it? Or the operating system itself? For the OS we can check it, but do we care about third party libraries? -- Magnus Hagander Me: http://www.hagander.net/ Work: http://www.redpill-linpro.com/
Magnus Hagander wrote: > > I think we have clear enough evidence that 128 on Win32 means > > no-such-child and we can be sure the child never got started on that > > platform. > > We have evidence that 128 occurs in this case. I don't think we have > evidence that there is no other case when this can happen, and we need > to investigate that some further to be *sure*. > > We can safely say that *we* never do exit(128). What if a third party > library does it? Or the operating system itself? For the OS we can > check it, but do we care about third party libraries? Good question. Unix wait() splits apart the return code so you can tell which part is the process exit code and which part is extra: WEXITSTATUS(status) If WIFEXITED(status) is true, evaluates to the low-order 8 bits of the argumentpassed to _exit(2) or exit(3) by the child. but we don't have that split on Win32 so you are right that anything could return 128 from the process. Of course, it could also return exit(0) too, but would hope that nothing does that as an error return. I am not sure how clear it is on Win32 that 128 is a special return code. -- Bruce Momjian <bruce@momjian.us> http://momjian.us EnterpriseDB http://enterprisedb.com + It's impossible for everything to be true. +
On Fri, Sep 10, 2010 at 1:45 PM, Bruce Momjian <bruce@momjian.us> wrote: > > I am not sure how clear it is on Win32 that 128 is a special return > code. I asked Microsoft platform support (roughly) that question. Here's the response: ===== From NTSTATUS.H // // The success status codes 128 - 191 are reserved for wait completion // status with an abandoned mutant object. // #define STATUS_ABANDONED ((NTSTATUS)0x00000080L) // // MessageId: STATUS_ABANDONED_WAIT_0 // // MessageText: // // STATUS_ABANDONED_WAIT_0 // #define STATUS_ABANDONED_WAIT_0 ((NTSTATUS)0x00000080L) // winnt I believe what you are seeing is an abandoned wait on a mutant which is the same as a mutex. Therefore this error will be set whenever a mutex is abandoned. Per Concurrent Programming on Windows An abandoned mutex is a mutex kernel object that was not correctly released before its owning thread terminated. This can happen for any number of reasons. He goes on to discuss the case of a thread waiting on a global mutex that will get this error when it is awakened from a wait and the mutex had been abandoned by the previous owner. This is a difficult situation to recover from as you are not sure about the shared state that was being protected by the mutex. It Therefore I cannot give you specific areas where this will happen. Of course when systems are low on resources or they are completely depleted (100% CPU) things will stop working ===== -- Dave Page Blog: http://pgsnake.blogspot.com Twitter: @pgsnake EnterpriseDB UK: http://www.enterprisedb.com The Enterprise Postgres Company
On Wed, Sep 15, 2010 at 4:03 AM, Dave Page <dpage@pgadmin.org> wrote: > Therefore I cannot give you specific areas where this will happen. Of > course when systems are low on resources or they are completely > depleted (100% CPU) things will stop working Of course. As we all know, degrading gracefully under load is an unachievable goal. Anyway, this more or less confirms what I was kind of suspecting all along: it's hopeless to try to avoid these exit(128) events, so we just need to look for ways to minimize the impact as much as possible (i.e. avoid a database PANIC where possible). -- Robert Haas EnterpriseDB: http://www.enterprisedb.com The Enterprise Postgres Company
On Wed, Sep 15, 2010 at 19:25, Robert Haas <robertmhaas@gmail.com> wrote: > On Wed, Sep 15, 2010 at 4:03 AM, Dave Page <dpage@pgadmin.org> wrote: >> Therefore I cannot give you specific areas where this will happen. Of >> course when systems are low on resources or they are completely >> depleted (100% CPU) things will stop working > > Of course. As we all know, degrading gracefully under load is an > unachievable goal. > > Anyway, this more or less confirms what I was kind of suspecting all > along: it's hopeless to try to avoid these exit(128) events, so we > just need to look for ways to minimize the impact as much as possible > (i.e. avoid a database PANIC where possible). So, it's been tested by at leasdt one EDB customer with success. Do we want to sneak this in before we release 9.0.0? -- Magnus Hagander Me: http://www.hagander.net/ Work: http://www.redpill-linpro.com/
Dave Page wrote: > On Fri, Sep 10, 2010 at 1:45 PM, Bruce Momjian <bruce@momjian.us> wrote: > > > > I am not sure how clear it is on Win32 that 128 is a special return > > code. > > I asked Microsoft platform support (roughly) that question. Here's the response: I assume we are going to summarize this in a C comment when we ignore 128 return codes. Can we assume all the mutexes will be cleaned up from a 128-exit? -- Bruce Momjian <bruce@momjian.us> http://momjian.us EnterpriseDB http://enterprisedb.com + It's impossible for everything to be true. +
Magnus Hagander <magnus@hagander.net> writes: > So, it's been tested by at leasdt one EDB customer with success. > Do we want to sneak this in before we release 9.0.0? I think we had consensus on applying the simple fix as far back as we have the deadman switch code. If you can get it done in the next few hours, go ahead. regards, tom lane
Bruce Momjian <bruce@momjian.us> writes: > Can we assume all the mutexes will be cleaned up from a 128-exit? In the deadman-switch case I think we're safe enough. I'm not convinced at the moment that ignoring the error would be safe without that. regards, tom lane
On Thu, Sep 16, 2010 at 19:30, Tom Lane <tgl@sss.pgh.pa.us> wrote: > Magnus Hagander <magnus@hagander.net> writes: >> So, it's been tested by at leasdt one EDB customer with success. > >> Do we want to sneak this in before we release 9.0.0? > > I think we had consensus on applying the simple fix as far back as we > have the deadman switch code. If you can get it done in the next > few hours, go ahead. Done. Anybody with a win32 buildfarm member - if you can give it a kick to make sure it does a run ASAP, please do so. -- Magnus Hagander Me: http://www.hagander.net/ Work: http://www.redpill-linpro.com/
On 09/16/2010 04:37 PM, Magnus Hagander wrote: > On Thu, Sep 16, 2010 at 19:30, Tom Lane<tgl@sss.pgh.pa.us> wrote: >> Magnus Hagander<magnus@hagander.net> writes: >>> So, it's been tested by at leasdt one EDB customer with success. >>> Do we want to sneak this in before we release 9.0.0? >> I think we had consensus on applying the simple fix as far back as we >> have the deadman switch code. If you can get it done in the next >> few hours, go ahead. > Done. > > Anybody with a win32 buildfarm member - if you can give it a kick to > make sure it does a run ASAP, please do so. > > OK, I have started MSVC/9.0 (red_bat) running. cheers andrew
On 09/16/2010 05:29 PM, Andrew Dunstan wrote: > > > On 09/16/2010 04:37 PM, Magnus Hagander wrote: >> On Thu, Sep 16, 2010 at 19:30, Tom Lane<tgl@sss.pgh.pa.us> wrote: >>> Magnus Hagander<magnus@hagander.net> writes: >>>> So, it's been tested by at leasdt one EDB customer with success. >>>> Do we want to sneak this in before we release 9.0.0? >>> I think we had consensus on applying the simple fix as far back as we >>> have the deadman switch code. If you can get it done in the next >>> few hours, go ahead. >> Done. >> >> Anybody with a win32 buildfarm member - if you can give it a kick to >> make sure it does a run ASAP, please do so. >> >> > > OK, I have started MSVC/9.0 (red_bat) running. > > Looks like we're green on 9.0 for both MinGW and MSVC. cheers andrew
Andrew Dunstan <andrew@dunslane.net> writes: > Looks like we're green on 9.0 for both MinGW and MSVC. Would you kick brown_bat too so we can check the cygwin case? regards, tom lane
On 09/16/2010 08:50 PM, Tom Lane wrote: > Andrew Dunstan<andrew@dunslane.net> writes: >> Looks like we're green on 9.0 for both MinGW and MSVC. > Would you kick brown_bat too so we can check the cygwin case? Done. Looks fine. cheers andrew
On Thu, Sep 9, 2010 at 9:09 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote: > Robert Haas <robertmhaas@gmail.com> writes: >> It's hard to say what the safest option is, I think. There seem to be >> basically three proposals on the table: > >> 1. Back-port the dead-man switch, and ignore exit 128. >> 2. Don't back-port the dead-man switch, but ignore exit 128 anyway. >> 3. Revert to Magnus's original solution. > >> Each of these has advantages and disadvantages. The advantage of #1 >> is that it is safer than #2, and that is usually something we prize >> fairly highly. The disadvantage of #1 is that it involves >> back-porting the dead-man switch, but on the flip side that code has >> been out in the field for over a year now in 8.4, and AFAIK we haven't >> any trouble with it. Solution #3 should be approximately as safe as >> solution #1, and has the advantage of touching less code in the back >> branches, but on the other hand it is also NEW code. So I think it's >> arguable which is the best solution. I think I like option #2 least >> as among those choices, but it's a tough call. > > Well, I don't want to use Magnus' original solution in 8.4 or up, > so I don't like #3 much: it's not only new code but code which would > get very limited testing. And I don't believe that the risk of > unexpected use of exit(128) is large enough to make #1 preferable to #2. > YMMV. So, can we go with #2 for the next point releases of <= 8.3? I understand that our customer who has been testing that approach hasn't seen any unexpected side-effects. -- Dave Page Blog: http://pgsnake.blogspot.com Twitter: @pgsnake EnterpriseDB UK: http://www.enterprisedb.com The Enterprise Postgres Company
On Mon, Sep 27, 2010 at 14:34, Dave Page <dpage@pgadmin.org> wrote: > On Thu, Sep 9, 2010 at 9:09 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote: >> Robert Haas <robertmhaas@gmail.com> writes: >>> It's hard to say what the safest option is, I think. There seem to be >>> basically three proposals on the table: >> >>> 1. Back-port the dead-man switch, and ignore exit 128. >>> 2. Don't back-port the dead-man switch, but ignore exit 128 anyway. >>> 3. Revert to Magnus's original solution. >> >>> Each of these has advantages and disadvantages. The advantage of #1 >>> is that it is safer than #2, and that is usually something we prize >>> fairly highly. The disadvantage of #1 is that it involves >>> back-porting the dead-man switch, but on the flip side that code has >>> been out in the field for over a year now in 8.4, and AFAIK we haven't >>> any trouble with it. Solution #3 should be approximately as safe as >>> solution #1, and has the advantage of touching less code in the back >>> branches, but on the other hand it is also NEW code. So I think it's >>> arguable which is the best solution. I think I like option #2 least >>> as among those choices, but it's a tough call. >> >> Well, I don't want to use Magnus' original solution in 8.4 or up, >> so I don't like #3 much: it's not only new code but code which would >> get very limited testing. And I don't believe that the risk of >> unexpected use of exit(128) is large enough to make #1 preferable to #2. >> YMMV. > > So, can we go with #2 for the next point releases of <= 8.3? I > understand that our customer who has been testing that approach hasn't > seen any unexpected side-effects. Do we feel this is safe enough? Also, just to be clear - they tested the "ignore 128 only" patch? Or did they test the patch that also had some global events implementing a "win32-only deadman switch"? -- Magnus Hagander Me: http://www.hagander.net/ Work: http://www.redpill-linpro.com/
On Mon, Sep 27, 2010 at 14:34, Dave Page <dpage@pgadmin.org> wrote: > On Thu, Sep 9, 2010 at 9:09 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote: >> Robert Haas <robertmhaas@gmail.com> writes: >>> It's hard to say what the safest option is, I think. There seem to be >>> basically three proposals on the table: >> >>> 1. Back-port the dead-man switch, and ignore exit 128. >>> 2. Don't back-port the dead-man switch, but ignore exit 128 anyway. >>> 3. Revert to Magnus's original solution. >> >>> Each of these has advantages and disadvantages. The advantage of #1 >>> is that it is safer than #2, and that is usually something we prize >>> fairly highly. The disadvantage of #1 is that it involves >>> back-porting the dead-man switch, but on the flip side that code has >>> been out in the field for over a year now in 8.4, and AFAIK we haven't >>> any trouble with it. Solution #3 should be approximately as safe as >>> solution #1, and has the advantage of touching less code in the back >>> branches, but on the other hand it is also NEW code. So I think it's >>> arguable which is the best solution. I think I like option #2 least >>> as among those choices, but it's a tough call. >> >> Well, I don't want to use Magnus' original solution in 8.4 or up, >> so I don't like #3 much: it's not only new code but code which would >> get very limited testing. And I don't believe that the risk of >> unexpected use of exit(128) is large enough to make #1 preferable to #2. >> YMMV. > > So, can we go with #2 for the next point releases of <= 8.3? I > understand that our customer who has been testing that approach hasn't > seen any unexpected side-effects. Do we feel this is safe enough? Also, just to be clear - they tested the "ignore 128 only" patch? Or did they test the patch that also had some global events implementing a "win32-only deadman switch"? -- Magnus Hagander Me: http://www.hagander.net/ Work: http://www.redpill-linpro.com/
On Wed, Sep 29, 2010 at 2:45 PM, Magnus Hagander <magnus@hagander.net> wrote: > On Mon, Sep 27, 2010 at 14:34, Dave Page <dpage@pgadmin.org> wrote: >> On Thu, Sep 9, 2010 at 9:09 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote: >>> Robert Haas <robertmhaas@gmail.com> writes: >>>> It's hard to say what the safest option is, I think. There seem to be >>>> basically three proposals on the table: >>> >>>> 1. Back-port the dead-man switch, and ignore exit 128. >>>> 2. Don't back-port the dead-man switch, but ignore exit 128 anyway. >>>> 3. Revert to Magnus's original solution. >>> >>>> Each of these has advantages and disadvantages. The advantage of #1 >>>> is that it is safer than #2, and that is usually something we prize >>>> fairly highly. The disadvantage of #1 is that it involves >>>> back-porting the dead-man switch, but on the flip side that code has >>>> been out in the field for over a year now in 8.4, and AFAIK we haven't >>>> any trouble with it. Solution #3 should be approximately as safe as >>>> solution #1, and has the advantage of touching less code in the back >>>> branches, but on the other hand it is also NEW code. So I think it's >>>> arguable which is the best solution. I think I like option #2 least >>>> as among those choices, but it's a tough call. >>> >>> Well, I don't want to use Magnus' original solution in 8.4 or up, >>> so I don't like #3 much: it's not only new code but code which would >>> get very limited testing. And I don't believe that the risk of >>> unexpected use of exit(128) is large enough to make #1 preferable to #2. >>> YMMV. >> >> So, can we go with #2 for the next point releases of <= 8.3? I >> understand that our customer who has been testing that approach hasn't >> seen any unexpected side-effects. > > Do we feel this is safe enough? I've yet to hear of a way a process can exit with a 128 that seems like it could happen in our code. > Also, just to be clear - they tested the "ignore 128 only" patch? Yes. -- Dave Page Blog: http://pgsnake.blogspot.com Twitter: @pgsnake EnterpriseDB UK: http://www.enterprisedb.com The Enterprise Postgres Company
On Wed, Sep 29, 2010 at 15:54, Dave Page <dpage@pgadmin.org> wrote: > On Wed, Sep 29, 2010 at 2:45 PM, Magnus Hagander <magnus@hagander.net> wrote: >> On Mon, Sep 27, 2010 at 14:34, Dave Page <dpage@pgadmin.org> wrote: >>> On Thu, Sep 9, 2010 at 9:09 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote: >>>> Robert Haas <robertmhaas@gmail.com> writes: >>>>> It's hard to say what the safest option is, I think. There seem to be >>>>> basically three proposals on the table: >>>> >>>>> 1. Back-port the dead-man switch, and ignore exit 128. >>>>> 2. Don't back-port the dead-man switch, but ignore exit 128 anyway. >>>>> 3. Revert to Magnus's original solution. >>>> >>>>> Each of these has advantages and disadvantages. The advantage of #1 >>>>> is that it is safer than #2, and that is usually something we prize >>>>> fairly highly. The disadvantage of #1 is that it involves >>>>> back-porting the dead-man switch, but on the flip side that code has >>>>> been out in the field for over a year now in 8.4, and AFAIK we haven't >>>>> any trouble with it. Solution #3 should be approximately as safe as >>>>> solution #1, and has the advantage of touching less code in the back >>>>> branches, but on the other hand it is also NEW code. So I think it's >>>>> arguable which is the best solution. I think I like option #2 least >>>>> as among those choices, but it's a tough call. >>>> >>>> Well, I don't want to use Magnus' original solution in 8.4 or up, >>>> so I don't like #3 much: it's not only new code but code which would >>>> get very limited testing. And I don't believe that the risk of >>>> unexpected use of exit(128) is large enough to make #1 preferable to #2. >>>> YMMV. >>> >>> So, can we go with #2 for the next point releases of <= 8.3? I >>> understand that our customer who has been testing that approach hasn't >>> seen any unexpected side-effects. >> >> Do we feel this is safe enough? > > I've yet to hear of a way a process can exit with a 128 that seems > like it could happen in our code. > >> Also, just to be clear - they tested the "ignore 128 only" patch? > > Yes. Ok, applied. Please verify that it matches your expectations :D -- Magnus Hagander Me: http://www.hagander.net/ Work: http://www.redpill-linpro.com/