Incremental Update: Fix Race in ReplicationSlotRelease for Ephemeral Slots
Main Patch Committed
Fujii committed the original fix for the ephemeral slot race condition. He decided against including a regression test, stating the proposed injection-point test was "a bit too narrow" and not worth adding. This resolves the testing debate from the prior analysis in favor of Hou's position (tests of limited long-term value).
New Adjacent Bug Identified: drop_local_obsolete_slots
Xuneng Zhou identified a related race condition in drop_local_obsolete_slots() (used in logical replication slot synchronization). The same root cause applies: after ReplicationSlotDropAcquired(false) frees a slot's shared-memory cell, subsequent code continues to reference the now-freed cell. In this case, the post-drop code reads (rather than writes) from the slot — specifically for unlock operations and log messages.
Severity assessment by Zhou: Less severe than the original bug because reads don't corrupt other backends' slot state. However, it can still produce incorrect log messages and unlock operations that reference a completely different slot that has reused the same array cell.
Zhou provided both a reproduction via injection points and a fix patch. The fix captures necessary slot identity information (slot name, database OID) before the drop, so post-drop code uses local copies rather than dereferencing the freed shared-memory cell.
Fujii's Review Questions on the Adjacent Fix
Fujii raised two safety concerns about the proposed fix for drop_local_obsolete_slots:
-
Is reading
slot_databasebefore acquiring the database lock safe? The patch saveslocal_slot->data.databaseinto a local variable before certain lock acquisitions, raising ordering concerns. -
Is
local_sync_slot_required()safe to accesslocal_slotwithout holding a lock? This is a broader question about whether the existing code (pre-patch) already has an unprotected read problem on the slot pointer that could read stale/wrong data if another backend recycles the cell during the check.
These questions suggest potential scope expansion — the race window may be wider than Zhou's patch addresses.
Reproduction Confirmed
Zhou independently reproduced the original ephemeral slot bug using lldb on Mac, demonstrating that after ReplicationSlotDropAcquired(), the slot cell had already been reused by a completely different slot (test_slot_created, persistent, with active_proc = 126) — confirming the corruption scenario described in the prior analysis is real and observable.