1 files changed, 21 insertions, 0 deletions

diff --git a/src/backend/pgxc/pool/poolmgr.c b/src/backend/pgxc/pool/poolmgr.c
index 6aa2922813..2152ed8e5d 100644
--- a/src/backend/pgxc/pool/poolmgr.c
+++ b/src/backend/pgxc/pool/poolmgr.c
@@ -259,6 +259,7 @@
 #include "pgxc/poolmgr.h"
 #include "pgxc/poolutils.h"
 #include "postmaster/postmaster.h"		/* For UnixSocketDir */
+#include "storage/ipc.h"
 #include "storage/procarray.h"
 #include "utils/varlena.h"
 
@@ -3485,7 +3486,27 @@ pooler_die(SIGNAL_ARGS)
 static void
 pooler_quickdie(SIGNAL_ARGS)
 {
+	sigaddset(&BlockSig, SIGQUIT);		/* prevent nested calls */
 	PG_SETMASK(&BlockSig);
+
+	/*
+	 * We DO NOT want to run proc_exit() callbacks -- we're here because
+	 * shared memory may be corrupted, so we don't want to try to clean up our
+	 * transaction.  Just nail the windows shut and get out of town.  Now that
+	 * there's an atexit callback to prevent third-party code from breaking
+	 * things by calling exit() directly, we have to reset the callbacks
+	 * explicitly to make this work as intended.
+	 */
+	on_exit_reset();
+
+	/*
+	 * Note we do exit(2) not exit(0).  This is to force the postmaster into a
+	 * system reset cycle if some idiot DBA sends a manual SIGQUIT to a random
+	 * backend.  This is necessary precisely because we don't clean up our
+	 * shared memory state.  (The "dead man switch" mechanism in pmsignal.c
+	 * should ensure the postmaster sees this as a crash, too, but no harm in
+	 * being doubly sure.)
+	 */
 	exit(2);
 }