Andrey Borodin <x4mmm(at)yandex-team(dot)ru> writes: > I think proper solution here would be to add GUC to disallow cancellation of synchronous replication.
This sounds entirely insane to me. There is no possibility that you can prevent a failure from occurring at this step.
> Three is still a problem when backend is not canceled, but terminated .
Exactly. If you don't have a fix that handles that case, you don't have anything. In fact, you've arguably made things worse, by increasing the temptation to terminate or "kill -9" the nonresponsive session.