Re: Race condition in InvalidateObsoleteReplicationSlots()

Hi,

On 2022-02-22 17:48:55 -0800, Andres Freund wrote:
> I think the minor changes might unfortunately have introduced a race? Before
> the patch just used ConditionVariableSleep(), but now it also has a
> ConditionVariablePrepareToSleep(). Without re-checking the sleep condition
> until
> /* Wait until the slot is released. */
> ConditionVariableSleep(&s->active_cv,
> WAIT_EVENT_REPLICATION_SLOT_DROP);
>
> which directly violates what ConditionVariablePrepareToSleep() documents:
>
> * This can optionally be called before entering a test/sleep loop.
> * Doing so is more efficient if we'll need to sleep at least once.
> * However, if the first test of the exit condition is likely to succeed,
> * it's more efficient to omit the ConditionVariablePrepareToSleep call.
> * See comments in ConditionVariableSleep for more detail.
> *
> * Caution: "before entering the loop" means you *must* test the exit
> * condition between calling ConditionVariablePrepareToSleep and calling
> * ConditionVariableSleep. If that is inconvenient, omit calling
> * ConditionVariablePrepareToSleep.
>
>
> Afaics this means we can potentially sleep forever if the prior owner of the
> slot releases it before the ConditionVariablePrepareToSleep().
>
> There's a comment that's mentioning this danger:
>
> /*
> * Prepare the sleep on the slot's condition variable before
> * releasing the lock, to close a possible race condition if the
> * slot is released before the sleep below.
> */
> ConditionVariablePrepareToSleep(&s->active_cv);
>
> LWLockRelease(ReplicationSlotControlLock);
>
> but afaics that is bogus, because releasing a slot doesn't take
> ReplicationSlotControlLock. That just protects against the slot being dropped,
> not against it being released.
>
> We can ConditionVariablePrepareToSleep() here, but we'd have to it earlier,
> before the checks at the start of the while loop.

Not at the start of the while loop, outside of the while loop. Doing it in the
loop body doesn't make sense, even if it's at the top. Each
ConditionVariablePrepareToSleep() will unregister itself:

/*
* If some other sleep is already prepared, cancel it; this is necessary
* because we have just one static variable tracking the prepared sleep,
* and also only one cvWaitLink in our PGPROC. It's okay to do this
* because whenever control does return to the other test-and-sleep loop,
* its ConditionVariableSleep call will just re-establish that sleep as
* the prepared one.
*/
if (cv_sleep_target != NULL)
ConditionVariableCancelSleep();

The intended use is documented in this comment:

* This should be called in a predicate loop that tests for a specific exit
* condition and otherwise sleeps, like so:
*
* ConditionVariablePrepareToSleep(cv); // optional
* while (condition for which we are waiting is not true)
* ConditionVariableSleep(cv, wait_event_info);
* ConditionVariableCancelSleep();

Greetings,

Andres Freund