From: | Noah Misch <noah(at)leadboat(dot)com> |
---|---|
To: | Andres Freund <andres(at)anarazel(dot)de>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: OK, so culicidae is *still* broken |
Date: | 2017-05-20 12:26:33 |
Message-ID: | 20170520122633.GB828137@rfd.leadboat.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
On Sat, Apr 15, 2017 at 02:30:18PM -0700, Andres Freund wrote:
> On 2017-04-15 17:24:54 -0400, Tom Lane wrote:
> > Andres Freund <andres(at)anarazel(dot)de> writes:
> > > On 2017-04-15 17:09:38 -0400, Tom Lane wrote:
> > >> Why doesn't Windows' ability to map the segment into the new process
> > >> before it executes take care of that?
> >
> > > Because of ASLR of the main executable (i.e. something like PIE).
> >
> > Not following. Are you saying that the main executable gets mapped into
> > the process address space immediately, but shared libraries are not?
At the time of the pgwin32_ReserveSharedMemoryRegion() call, the child process
contains only ntdll.dll and the executable.
> Without PIE/ASLR we can somewhat rely on pgwin32_ReserveSharedMemoryRegion
> to find the space that PGSharedMemoryCreate allocated still unoccupied.
I've never had access to a Windows system that can reproduce the fork
failures. My best theory is that antivirus or similar software injects an
additional DLL at that early stage.
> > I wonder whether we could work around that by just destroying the created
> > process and trying again if we get a collision. It'd be a tad
> > inefficient, but hopefully collisions wouldn't happen often enough to be a
> > big problem.
>
> That might work, although it's obviously not pretty.
I didn't like that idea when Michael proposed it in 2015. Since disabling
ASLR on the exe proved insufficient, I do like it now. It degrades nicely; if
something raises the collision rate from 1% to 10%, that just looks like fork
latency degrading.
> We could also just
> default to some out-of-the-way address for MapViewOfFileEx, that might
> also work.
Dave Vitek proposed that:
https://www.postgresql.org/message-id/flat/5046CAEB.4010600%40grammatech.com
I estimate more risk than retrying forks. There's no guarantee that a fixed
address helpful today won't make the collisions worse after the next Windows
security patch.
From | Date | Subject | |
---|---|---|---|
Next Message | Michael Paquier | 2017-05-20 12:40:57 | Re: Race conditions with WAL sender PID lookups |
Previous Message | Michael Paquier | 2017-05-20 12:19:10 | Making replication commands case-insensitive |