From 3b50bb697121de96d03deffcd65ed5859de86558 Mon Sep 17 00:00:00 2001 From: Siri Hansen Date: Fri, 7 Sep 2018 12:16:00 +0200 Subject: [supervisor] Add warning about race condition ERL-724: "During a 'gentle' shutdown, supervisors unlink from their children before sending shutdown signals to them. This can lead to a race condition in supervision trees, when the timeout for gentle shutdown of a parent supervisor expires and it kills a child supervisor that has just unlinked from a child of its own, leaving the child supervisor's own child still running after its supervisor is killed." This commit adds a warning about this in the documentation. --- system/doc/design_principles/sup_princ.xml | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) (limited to 'system') diff --git a/system/doc/design_principles/sup_princ.xml b/system/doc/design_principles/sup_princ.xml index 06ca44a9f6..a2e0d95408 100644 --- a/system/doc/design_principles/sup_princ.xml +++ b/system/doc/design_principles/sup_princ.xml @@ -312,12 +312,17 @@ child_spec() = #{id => child_id(), % mandatory signal back. If no exit signal is received within the specified time, the child process is unconditionally terminated using exit(Child, kill). - If the child process is another supervisor, it is to be + If the child process is another supervisor, it must be set to infinity to give the subtree enough time to shut down. It is also allowed to set it to infinity, - if the child process is a worker. See the warning below: + if the child process is a worker. See the warning below: +

Setting the shutdown time to anything other + than infinity for a child of type supervisor + can cause a race condition where the child in question + unlinks its own children, but fails to terminate them + before it is killed.

Be careful when setting the shutdown time to infinity when the child process is a worker. Because, in this situation, the termination of the supervision tree depends on the -- cgit v1.2.3