Re: VM corruption on standby

Hi,

On 2025-08-19 23:47:21 -0400, Tom Lane wrote:
> Thomas Munro <thomas(dot)munro(at)gmail(dot)com> writes:
> > On Wed, Aug 20, 2025 at 7:50 AM Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> >> I'm inclined to think that we do want to prohibit WaitEventSetWait
> >> inside a critical section --- it just seems like a bad idea all
> >> around, even without considering this specific failure mode.
>
> > FWIW aio/README.md describes a case where we'd need to wait for an IO,
> > which might involve a CV to wait for an IO worker to do something, in
> > order to start writing WAL, which is in a CS.
>
> Hm. It still makes me mighty uncomfortable, because the point of a
> critical section is "crash the database if anything goes wrong during
> this bit". Waiting for another process --- or thread --- greatly
> increases the scope of ways for things to go wrong. So I'm not
> exactly convinced that this aspect of the AIO architecture is
> well-thought-out.

I don't see the alternative:

1) Some IO is done in critical sections (e.g. WAL writes / flushes)

2) Sometimes we need to wait for already started IO in critical sections
(also WAL)

3) With some ways of doing AIO the IO is offloaded to other processes, and
thus waiting for the IO to complete always requires waiting for another
process

How could we avoid the need to wait for another process in criticial sections
given these points?

Greetings,

Andres Freund