[hamandcheese]

> If the PostgreSQL backend is cancelled while waiting to acknowledge replication (as a result of packet cancellation due to client timeout or backend failure) transaction changes become visible for other backends. Such changes are not yet replicated and may be lost in case of standby promotion.

This sounds like the two generals problem, which has no solution. But I may be misunderstanding.

[wmf]

"[The two generals problem] said that you can't achieve consensus (both safety and liveness at the same time), they did not say you have to sacrifice safety under message-losses or asynchrony conditions. So Paxos preserves safety under all conditions and achieves liveness when conditions improve outside the impossibility realm (less message losses, some timing assumptions start to hold)." http://muratbuffalo.blogspot.com/2010/10/paxos-taught.html

[gmokki]

Wouldn't the simple fix be to delay backend (= one connection) closing until all pending replication it initiated is finished?

That still leaves actual crashes, which would need to use the shared memory to store the list of pending replications before the recovery of transactions is finished.