PostgreSQL Source Code  git master
xlog.c
Go to the documentation of this file.
1 /*-------------------------------------------------------------------------
2  *
3  * xlog.c
4  * PostgreSQL write-ahead log manager
5  *
6  * The Write-Ahead Log (WAL) functionality is split into several source
7  * files, in addition to this one:
8  *
9  * xloginsert.c - Functions for constructing WAL records
10  * xlogrecovery.c - WAL recovery and standby code
11  * xlogreader.c - Facility for reading WAL files and parsing WAL records
12  * xlogutils.c - Helper functions for WAL redo routines
13  *
14  * This file contains functions for coordinating database startup and
15  * checkpointing, and managing the write-ahead log buffers when the
16  * system is running.
17  *
18  * StartupXLOG() is the main entry point of the startup process. It
19  * coordinates database startup, performing WAL recovery, and the
20  * transition from WAL recovery into normal operations.
21  *
22  * XLogInsertRecord() inserts a WAL record into the WAL buffers. Most
23  * callers should not call this directly, but use the functions in
24  * xloginsert.c to construct the WAL record. XLogFlush() can be used
25  * to force the WAL to disk.
26  *
27  * In addition to those, there are many other functions for interrogating
28  * the current system state, and for starting/stopping backups.
29  *
30  *
31  * Portions Copyright (c) 1996-2022, PostgreSQL Global Development Group
32  * Portions Copyright (c) 1994, Regents of the University of California
33  *
34  * src/backend/access/transam/xlog.c
35  *
36  *-------------------------------------------------------------------------
37  */
38 
39 #include "postgres.h"
40 
41 #include <ctype.h>
42 #include <math.h>
43 #include <time.h>
44 #include <fcntl.h>
45 #include <sys/stat.h>
46 #include <sys/time.h>
47 #include <unistd.h>
48 
49 #include "access/clog.h"
50 #include "access/commit_ts.h"
51 #include "access/heaptoast.h"
52 #include "access/multixact.h"
53 #include "access/rewriteheap.h"
54 #include "access/subtrans.h"
55 #include "access/timeline.h"
56 #include "access/transam.h"
57 #include "access/twophase.h"
58 #include "access/xact.h"
59 #include "access/xlog_internal.h"
60 #include "access/xlogarchive.h"
61 #include "access/xloginsert.h"
62 #include "access/xlogprefetcher.h"
63 #include "access/xlogreader.h"
64 #include "access/xlogrecovery.h"
65 #include "access/xlogutils.h"
66 #include "backup/basebackup.h"
67 #include "catalog/catversion.h"
68 #include "catalog/pg_control.h"
69 #include "catalog/pg_database.h"
71 #include "common/file_utils.h"
72 #include "executor/instrument.h"
73 #include "miscadmin.h"
74 #include "pg_trace.h"
75 #include "pgstat.h"
76 #include "port/atomics.h"
77 #include "port/pg_iovec.h"
78 #include "postmaster/bgwriter.h"
79 #include "postmaster/startup.h"
80 #include "postmaster/walwriter.h"
81 #include "replication/logical.h"
82 #include "replication/origin.h"
83 #include "replication/slot.h"
84 #include "replication/snapbuild.h"
86 #include "replication/walsender.h"
87 #include "storage/bufmgr.h"
88 #include "storage/fd.h"
89 #include "storage/ipc.h"
90 #include "storage/large_object.h"
91 #include "storage/latch.h"
92 #include "storage/pmsignal.h"
93 #include "storage/predicate.h"
94 #include "storage/proc.h"
95 #include "storage/procarray.h"
96 #include "storage/reinit.h"
97 #include "storage/smgr.h"
98 #include "storage/spin.h"
99 #include "storage/sync.h"
100 #include "utils/guc_hooks.h"
101 #include "utils/guc_tables.h"
102 #include "utils/memutils.h"
103 #include "utils/ps_status.h"
104 #include "utils/relmapper.h"
105 #include "utils/pg_rusage.h"
106 #include "utils/snapmgr.h"
107 #include "utils/timeout.h"
108 #include "utils/timestamp.h"
109 #include "utils/varlena.h"
110 
112 
113 /* timeline ID to be used when bootstrapping */
114 #define BootstrapTimeLineID 1
115 
116 /* User-settable parameters */
117 int max_wal_size_mb = 1024; /* 1 GB */
118 int min_wal_size_mb = 80; /* 80 MB */
120 int XLOGbuffers = -1;
123 char *XLogArchiveCommand = NULL;
124 bool EnableHotStandby = false;
125 bool fullPageWrites = true;
126 bool wal_log_hints = false;
130 bool wal_init_zero = true;
131 bool wal_recycle = true;
132 bool log_checkpoints = true;
135 int CommitDelay = 0; /* precommit delay in microseconds */
136 int CommitSiblings = 5; /* # concurrent xacts needed to sleep */
139 int wal_decode_buffer_size = 512 * 1024;
140 bool track_wal_io_timing = false;
141 
142 #ifdef WAL_DEBUG
143 bool XLOG_DEBUG = false;
144 #endif
145 
147 
148 /*
149  * Number of WAL insertion locks to use. A higher value allows more insertions
150  * to happen concurrently, but adds some CPU overhead to flushing the WAL,
151  * which needs to iterate all the locks.
152  */
153 #define NUM_XLOGINSERT_LOCKS 8
154 
155 /*
156  * Max distance from last checkpoint, before triggering a new xlog-based
157  * checkpoint.
158  */
160 
161 /* Estimated distance between checkpoints, in bytes */
162 static double CheckPointDistanceEstimate = 0;
163 static double PrevCheckPointDistance = 0;
164 
165 /*
166  * Track whether there were any deferred checks for custom resource managers
167  * specified in wal_consistency_checking.
168  */
170 
171 /*
172  * GUC support
173  */
174 const struct config_enum_entry sync_method_options[] = {
175  {"fsync", SYNC_METHOD_FSYNC, false},
176 #ifdef HAVE_FSYNC_WRITETHROUGH
177  {"fsync_writethrough", SYNC_METHOD_FSYNC_WRITETHROUGH, false},
178 #endif
179  {"fdatasync", SYNC_METHOD_FDATASYNC, false},
180 #ifdef O_SYNC
181  {"open_sync", SYNC_METHOD_OPEN, false},
182 #endif
183 #ifdef O_DSYNC
184  {"open_datasync", SYNC_METHOD_OPEN_DSYNC, false},
185 #endif
186  {NULL, 0, false}
187 };
188 
189 
190 /*
191  * Although only "on", "off", and "always" are documented,
192  * we accept all the likely variants of "on" and "off".
193  */
194 const struct config_enum_entry archive_mode_options[] = {
195  {"always", ARCHIVE_MODE_ALWAYS, false},
196  {"on", ARCHIVE_MODE_ON, false},
197  {"off", ARCHIVE_MODE_OFF, false},
198  {"true", ARCHIVE_MODE_ON, true},
199  {"false", ARCHIVE_MODE_OFF, true},
200  {"yes", ARCHIVE_MODE_ON, true},
201  {"no", ARCHIVE_MODE_OFF, true},
202  {"1", ARCHIVE_MODE_ON, true},
203  {"0", ARCHIVE_MODE_OFF, true},
204  {NULL, 0, false}
205 };
206 
207 /*
208  * Statistics for current checkpoint are collected in this global struct.
209  * Because only the checkpointer or a stand-alone backend can perform
210  * checkpoints, this will be unused in normal backends.
211  */
213 
214 /*
215  * During recovery, lastFullPageWrites keeps track of full_page_writes that
216  * the replayed WAL records indicate. It's initialized with full_page_writes
217  * that the recovery starting checkpoint record indicates, and then updated
218  * each time XLOG_FPW_CHANGE record is replayed.
219  */
220 static bool lastFullPageWrites;
221 
222 /*
223  * Local copy of the state tracked by SharedRecoveryState in shared memory,
224  * It is false if SharedRecoveryState is RECOVERY_STATE_DONE. True actually
225  * means "not known, need to check the shared state".
226  */
227 static bool LocalRecoveryInProgress = true;
228 
229 /*
230  * Local state for XLogInsertAllowed():
231  * 1: unconditionally allowed to insert XLOG
232  * 0: unconditionally not allowed to insert XLOG
233  * -1: must check RecoveryInProgress(); disallow until it is false
234  * Most processes start with -1 and transition to 1 after seeing that recovery
235  * is not in progress. But we can also force the value for special cases.
236  * The coding in XLogInsertAllowed() depends on the first two of these states
237  * being numerically the same as bool true and false.
238  */
239 static int LocalXLogInsertAllowed = -1;
240 
241 /*
242  * ProcLastRecPtr points to the start of the last XLOG record inserted by the
243  * current backend. It is updated for all inserts. XactLastRecEnd points to
244  * end+1 of the last record, and is reset when we end a top-level transaction,
245  * or start a new one; so it can be used to tell if the current transaction has
246  * created any XLOG records.
247  *
248  * While in parallel mode, this may not be fully up to date. When committing,
249  * a transaction can assume this covers all xlog records written either by the
250  * user backend or by any parallel worker which was present at any point during
251  * the transaction. But when aborting, or when still in parallel mode, other
252  * parallel backends may have written WAL records at later LSNs than the value
253  * stored here. The parallel leader advances its own copy, when necessary,
254  * in WaitForParallelWorkersToFinish.
255  */
259 
260 /*
261  * RedoRecPtr is this backend's local copy of the REDO record pointer
262  * (which is almost but not quite the same as a pointer to the most recent
263  * CHECKPOINT record). We update this from the shared-memory copy,
264  * XLogCtl->Insert.RedoRecPtr, whenever we can safely do so (ie, when we
265  * hold an insertion lock). See XLogInsertRecord for details. We are also
266  * allowed to update from XLogCtl->RedoRecPtr if we hold the info_lck;
267  * see GetRedoRecPtr.
268  *
269  * NB: Code that uses this variable must be prepared not only for the
270  * possibility that it may be arbitrarily out of date, but also for the
271  * possibility that it might be set to InvalidXLogRecPtr. We used to
272  * initialize it as a side effect of the first call to RecoveryInProgress(),
273  * which meant that most code that might use it could assume that it had a
274  * real if perhaps stale value. That's no longer the case.
275  */
277 
278 /*
279  * doPageWrites is this backend's local copy of (forcePageWrites ||
280  * fullPageWrites). It is used together with RedoRecPtr to decide whether
281  * a full-page image of a page need to be taken.
282  *
283  * NB: Initially this is false, and there's no guarantee that it will be
284  * initialized to any other value before it is first used. Any code that
285  * makes use of it must recheck the value after obtaining a WALInsertLock,
286  * and respond appropriately if it turns out that the previous value wasn't
287  * accurate.
288  */
289 static bool doPageWrites;
290 
291 /*----------
292  * Shared-memory data structures for XLOG control
293  *
294  * LogwrtRqst indicates a byte position that we need to write and/or fsync
295  * the log up to (all records before that point must be written or fsynced).
296  * LogwrtResult indicates the byte positions we have already written/fsynced.
297  * These structs are identical but are declared separately to indicate their
298  * slightly different functions.
299  *
300  * To read XLogCtl->LogwrtResult, you must hold either info_lck or
301  * WALWriteLock. To update it, you need to hold both locks. The point of
302  * this arrangement is that the value can be examined by code that already
303  * holds WALWriteLock without needing to grab info_lck as well. In addition
304  * to the shared variable, each backend has a private copy of LogwrtResult,
305  * which is updated when convenient.
306  *
307  * The request bookkeeping is simpler: there is a shared XLogCtl->LogwrtRqst
308  * (protected by info_lck), but we don't need to cache any copies of it.
309  *
310  * info_lck is only held long enough to read/update the protected variables,
311  * so it's a plain spinlock. The other locks are held longer (potentially
312  * over I/O operations), so we use LWLocks for them. These locks are:
313  *
314  * WALBufMappingLock: must be held to replace a page in the WAL buffer cache.
315  * It is only held while initializing and changing the mapping. If the
316  * contents of the buffer being replaced haven't been written yet, the mapping
317  * lock is released while the write is done, and reacquired afterwards.
318  *
319  * WALWriteLock: must be held to write WAL buffers to disk (XLogWrite or
320  * XLogFlush).
321  *
322  * ControlFileLock: must be held to read/update control file or create
323  * new log file.
324  *
325  *----------
326  */
327 
328 typedef struct XLogwrtRqst
329 {
330  XLogRecPtr Write; /* last byte + 1 to write out */
331  XLogRecPtr Flush; /* last byte + 1 to flush */
333 
334 typedef struct XLogwrtResult
335 {
336  XLogRecPtr Write; /* last byte + 1 written out */
337  XLogRecPtr Flush; /* last byte + 1 flushed */
339 
340 /*
341  * Inserting to WAL is protected by a small fixed number of WAL insertion
342  * locks. To insert to the WAL, you must hold one of the locks - it doesn't
343  * matter which one. To lock out other concurrent insertions, you must hold
344  * of them. Each WAL insertion lock consists of a lightweight lock, plus an
345  * indicator of how far the insertion has progressed (insertingAt).
346  *
347  * The insertingAt values are read when a process wants to flush WAL from
348  * the in-memory buffers to disk, to check that all the insertions to the
349  * region the process is about to write out have finished. You could simply
350  * wait for all currently in-progress insertions to finish, but the
351  * insertingAt indicator allows you to ignore insertions to later in the WAL,
352  * so that you only wait for the insertions that are modifying the buffers
353  * you're about to write out.
354  *
355  * This isn't just an optimization. If all the WAL buffers are dirty, an
356  * inserter that's holding a WAL insert lock might need to evict an old WAL
357  * buffer, which requires flushing the WAL. If it's possible for an inserter
358  * to block on another inserter unnecessarily, deadlock can arise when two
359  * inserters holding a WAL insert lock wait for each other to finish their
360  * insertion.
361  *
362  * Small WAL records that don't cross a page boundary never update the value,
363  * the WAL record is just copied to the page and the lock is released. But
364  * to avoid the deadlock-scenario explained above, the indicator is always
365  * updated before sleeping while holding an insertion lock.
366  *
367  * lastImportantAt contains the LSN of the last important WAL record inserted
368  * using a given lock. This value is used to detect if there has been
369  * important WAL activity since the last time some action, like a checkpoint,
370  * was performed - allowing to not repeat the action if not. The LSN is
371  * updated for all insertions, unless the XLOG_MARK_UNIMPORTANT flag was
372  * set. lastImportantAt is never cleared, only overwritten by the LSN of newer
373  * records. Tracking the WAL activity directly in WALInsertLock has the
374  * advantage of not needing any additional locks to update the value.
375  */
376 typedef struct
377 {
381 } WALInsertLock;
382 
383 /*
384  * All the WAL insertion locks are allocated as an array in shared memory. We
385  * force the array stride to be a power of 2, which saves a few cycles in
386  * indexing, but more importantly also ensures that individual slots don't
387  * cross cache line boundaries. (Of course, we have to also ensure that the
388  * array start address is suitably aligned.)
389  */
390 typedef union WALInsertLockPadded
391 {
395 
396 /*
397  * Session status of running backup, used for sanity checks in SQL-callable
398  * functions to start and stop backups.
399  */
401 
402 /*
403  * Shared state data for WAL insertion.
404  */
405 typedef struct XLogCtlInsert
406 {
407  slock_t insertpos_lck; /* protects CurrBytePos and PrevBytePos */
408 
409  /*
410  * CurrBytePos is the end of reserved WAL. The next record will be
411  * inserted at that position. PrevBytePos is the start position of the
412  * previously inserted (or rather, reserved) record - it is copied to the
413  * prev-link of the next record. These are stored as "usable byte
414  * positions" rather than XLogRecPtrs (see XLogBytePosToRecPtr()).
415  */
416  uint64 CurrBytePos;
417  uint64 PrevBytePos;
418 
419  /*
420  * Make sure the above heavily-contended spinlock and byte positions are
421  * on their own cache line. In particular, the RedoRecPtr and full page
422  * write variables below should be on a different cache line. They are
423  * read on every WAL insertion, but updated rarely, and we don't want
424  * those reads to steal the cache line containing Curr/PrevBytePos.
425  */
427 
428  /*
429  * fullPageWrites is the authoritative value used by all backends to
430  * determine whether to write full-page image to WAL. This shared value,
431  * instead of the process-local fullPageWrites, is required because, when
432  * full_page_writes is changed by SIGHUP, we must WAL-log it before it
433  * actually affects WAL-logging by backends. Checkpointer sets at startup
434  * or after SIGHUP.
435  *
436  * To read these fields, you must hold an insertion lock. To modify them,
437  * you must hold ALL the locks.
438  */
439  XLogRecPtr RedoRecPtr; /* current redo point for insertions */
440  bool forcePageWrites; /* forcing full-page writes for PITR? */
442 
443  /*
444  * runningBackups is a counter indicating the number of backups currently
445  * in progress. forcePageWrites is set to true when runningBackups is
446  * non-zero. lastBackupStart is the latest checkpoint redo location used
447  * as a starting point for an online backup.
448  */
451 
452  /*
453  * WAL insertion locks.
454  */
457 
458 /*
459  * Total shared-memory state for XLOG.
460  */
461 typedef struct XLogCtlData
462 {
464 
465  /* Protected by info_lck: */
467  XLogRecPtr RedoRecPtr; /* a recent copy of Insert->RedoRecPtr */
468  FullTransactionId ckptFullXid; /* nextXid of latest checkpoint */
469  XLogRecPtr asyncXactLSN; /* LSN of newest async commit/abort */
470  XLogRecPtr replicationSlotMinLSN; /* oldest LSN needed by any slot */
471 
472  XLogSegNo lastRemovedSegNo; /* latest removed/recycled XLOG segment */
473 
474  /* Fake LSN counter, for unlogged relations. Protected by ulsn_lck. */
477 
478  /* Time and LSN of last xlog segment switch. Protected by WALWriteLock. */
481 
482  /*
483  * Protected by info_lck and WALWriteLock (you must hold either lock to
484  * read it, but both to update)
485  */
487 
488  /*
489  * Latest initialized page in the cache (last byte position + 1).
490  *
491  * To change the identity of a buffer (and InitializedUpTo), you need to
492  * hold WALBufMappingLock. To change the identity of a buffer that's
493  * still dirty, the old page needs to be written out first, and for that
494  * you need WALWriteLock, and you need to ensure that there are no
495  * in-progress insertions to the page by calling
496  * WaitXLogInsertionsToFinish().
497  */
499 
500  /*
501  * These values do not change after startup, although the pointed-to pages
502  * and xlblocks values certainly do. xlblocks values are protected by
503  * WALBufMappingLock.
504  */
505  char *pages; /* buffers for unwritten XLOG pages */
506  XLogRecPtr *xlblocks; /* 1st byte ptr-s + XLOG_BLCKSZ */
507  int XLogCacheBlck; /* highest allocated xlog buffer index */
508 
509  /*
510  * InsertTimeLineID is the timeline into which new WAL is being inserted
511  * and flushed. It is zero during recovery, and does not change once set.
512  *
513  * If we create a new timeline when the system was started up,
514  * PrevTimeLineID is the old timeline's ID that we forked off from.
515  * Otherwise it's equal to InsertTimeLineID.
516  */
519 
520  /*
521  * SharedRecoveryState indicates if we're still in crash or archive
522  * recovery. Protected by info_lck.
523  */
525 
526  /*
527  * InstallXLogFileSegmentActive indicates whether the checkpointer should
528  * arrange for future segments by recycling and/or PreallocXlogFiles().
529  * Protected by ControlFileLock. Only the startup process changes it. If
530  * true, anyone can use InstallXLogFileSegment(). If false, the startup
531  * process owns the exclusive right to install segments, by reading from
532  * the archive and possibly replacing existing files.
533  */
535 
536  /*
537  * WalWriterSleeping indicates whether the WAL writer is currently in
538  * low-power mode (and hence should be nudged if an async commit occurs).
539  * Protected by info_lck.
540  */
542 
543  /*
544  * During recovery, we keep a copy of the latest checkpoint record here.
545  * lastCheckPointRecPtr points to start of checkpoint record and
546  * lastCheckPointEndPtr points to end+1 of checkpoint record. Used by the
547  * checkpointer when it wants to create a restartpoint.
548  *
549  * Protected by info_lck.
550  */
554 
555  /*
556  * lastFpwDisableRecPtr points to the start of the last replayed
557  * XLOG_FPW_CHANGE record that instructs full_page_writes is disabled.
558  */
560 
561  slock_t info_lck; /* locks shared variables shown above */
563 
564 static XLogCtlData *XLogCtl = NULL;
565 
566 /* a private copy of XLogCtl->Insert.WALInsertLocks, for convenience */
568 
569 /*
570  * We maintain an image of pg_control in shared memory.
571  */
573 
574 /*
575  * Calculate the amount of space left on the page after 'endptr'. Beware
576  * multiple evaluation!
577  */
578 #define INSERT_FREESPACE(endptr) \
579  (((endptr) % XLOG_BLCKSZ == 0) ? 0 : (XLOG_BLCKSZ - (endptr) % XLOG_BLCKSZ))
580 
581 /* Macro to advance to next buffer index. */
582 #define NextBufIdx(idx) \
583  (((idx) == XLogCtl->XLogCacheBlck) ? 0 : ((idx) + 1))
584 
585 /*
586  * XLogRecPtrToBufIdx returns the index of the WAL buffer that holds, or
587  * would hold if it was in cache, the page containing 'recptr'.
588  */
589 #define XLogRecPtrToBufIdx(recptr) \
590  (((recptr) / XLOG_BLCKSZ) % (XLogCtl->XLogCacheBlck + 1))
591 
592 /*
593  * These are the number of bytes in a WAL page usable for WAL data.
594  */
595 #define UsableBytesInPage (XLOG_BLCKSZ - SizeOfXLogShortPHD)
596 
597 /*
598  * Convert values of GUCs measured in megabytes to equiv. segment count.
599  * Rounds down.
600  */
601 #define ConvertToXSegs(x, segsize) XLogMBVarToSegs((x), (segsize))
602 
603 /* The number of bytes in a WAL segment usable for WAL data. */
605 
606 /*
607  * Private, possibly out-of-date copy of shared LogwrtResult.
608  * See discussion above.
609  */
610 static XLogwrtResult LogwrtResult = {0, 0};
611 
612 /*
613  * openLogFile is -1 or a kernel FD for an open log file segment.
614  * openLogSegNo identifies the segment, and openLogTLI the corresponding TLI.
615  * These variables are only used to write the XLOG, and so will normally refer
616  * to the active segment.
617  *
618  * Note: call Reserve/ReleaseExternalFD to track consumption of this FD.
619  */
620 static int openLogFile = -1;
623 
624 /*
625  * Local copies of equivalent fields in the control file. When running
626  * crash recovery, LocalMinRecoveryPoint is set to InvalidXLogRecPtr as we
627  * expect to replay all the WAL available, and updateMinRecoveryPoint is
628  * switched to false to prevent any updates while replaying records.
629  * Those values are kept consistent as long as crash recovery runs.
630  */
633 static bool updateMinRecoveryPoint = true;
634 
635 /* For WALInsertLockAcquire/Release functions */
636 static int MyLockNo = 0;
637 static bool holdingAllLocks = false;
638 
639 #ifdef WAL_DEBUG
640 static MemoryContext walDebugCxt = NULL;
641 #endif
642 
643 static void CleanupAfterArchiveRecovery(TimeLineID EndOfLogTLI,
644  XLogRecPtr EndOfLog,
645  TimeLineID newTLI);
646 static void CheckRequiredParameterValues(void);
647 static void XLogReportParameters(void);
648 static int LocalSetXLogInsertAllowed(void);
649 static void CreateEndOfRecoveryRecord(void);
651  XLogRecPtr pagePtr,
652  TimeLineID newTLI);
653 static void CheckPointGuts(XLogRecPtr checkPointRedo, int flags);
654 static void KeepLogSeg(XLogRecPtr recptr, XLogSegNo *logSegNo);
656 
657 static void AdvanceXLInsertBuffer(XLogRecPtr upto, TimeLineID tli,
658  bool opportunistic);
659 static void XLogWrite(XLogwrtRqst WriteRqst, TimeLineID tli, bool flexible);
660 static bool InstallXLogFileSegment(XLogSegNo *segno, char *tmppath,
661  bool find_free, XLogSegNo max_segno,
662  TimeLineID tli);
663 static void XLogFileClose(void);
664 static void PreallocXlogFiles(XLogRecPtr endptr, TimeLineID tli);
665 static void RemoveTempXlogFiles(void);
666 static void RemoveOldXlogFiles(XLogSegNo segno, XLogRecPtr lastredoptr,
667  XLogRecPtr endptr, TimeLineID insertTLI);
668 static void RemoveXlogFile(const struct dirent *segment_de,
669  XLogSegNo recycleSegNo, XLogSegNo *endlogSegNo,
670  TimeLineID insertTLI);
671 static void UpdateLastRemovedPtr(char *filename);
672 static void ValidateXLOGDirectoryStructure(void);
673 static void CleanupBackupHistory(void);
674 static void UpdateMinRecoveryPoint(XLogRecPtr lsn, bool force);
675 static bool PerformRecoveryXLogAction(void);
676 static void InitControlFile(uint64 sysidentifier);
677 static void WriteControlFile(void);
678 static void ReadControlFile(void);
679 static void UpdateControlFile(void);
680 static char *str_time(pg_time_t tnow);
681 
682 static void pg_backup_start_callback(int code, Datum arg);
683 
684 static int get_sync_bit(int method);
685 
686 static void CopyXLogRecordToWAL(int write_len, bool isLogSwitch,
687  XLogRecData *rdata,
688  XLogRecPtr StartPos, XLogRecPtr EndPos,
689  TimeLineID tli);
690 static void ReserveXLogInsertLocation(int size, XLogRecPtr *StartPos,
691  XLogRecPtr *EndPos, XLogRecPtr *PrevPtr);
692 static bool ReserveXLogSwitch(XLogRecPtr *StartPos, XLogRecPtr *EndPos,
693  XLogRecPtr *PrevPtr);
695 static char *GetXLogBuffer(XLogRecPtr ptr, TimeLineID tli);
696 static XLogRecPtr XLogBytePosToRecPtr(uint64 bytepos);
697 static XLogRecPtr XLogBytePosToEndRecPtr(uint64 bytepos);
698 static uint64 XLogRecPtrToBytePos(XLogRecPtr ptr);
699 
700 static void WALInsertLockAcquire(void);
701 static void WALInsertLockAcquireExclusive(void);
702 static void WALInsertLockRelease(void);
703 static void WALInsertLockUpdateInsertingAt(XLogRecPtr insertingAt);
704 
705 /*
706  * Insert an XLOG record represented by an already-constructed chain of data
707  * chunks. This is a low-level routine; to construct the WAL record header
708  * and data, use the higher-level routines in xloginsert.c.
709  *
710  * If 'fpw_lsn' is valid, it is the oldest LSN among the pages that this
711  * WAL record applies to, that were not included in the record as full page
712  * images. If fpw_lsn <= RedoRecPtr, the function does not perform the
713  * insertion and returns InvalidXLogRecPtr. The caller can then recalculate
714  * which pages need a full-page image, and retry. If fpw_lsn is invalid, the
715  * record is always inserted.
716  *
717  * 'flags' gives more in-depth control on the record being inserted. See
718  * XLogSetRecordFlags() for details.
719  *
720  * 'topxid_included' tells whether the top-transaction id is logged along with
721  * current subtransaction. See XLogRecordAssemble().
722  *
723  * The first XLogRecData in the chain must be for the record header, and its
724  * data must be MAXALIGNed. XLogInsertRecord fills in the xl_prev and
725  * xl_crc fields in the header, the rest of the header must already be filled
726  * by the caller.
727  *
728  * Returns XLOG pointer to end of record (beginning of next record).
729  * This can be used as LSN for data pages affected by the logged action.
730  * (LSN is the XLOG point up to which the XLOG must be flushed to disk
731  * before the data page can be written out. This implements the basic
732  * WAL rule "write the log before the data".)
733  */
736  XLogRecPtr fpw_lsn,
737  uint8 flags,
738  int num_fpi,
739  bool topxid_included)
740 {
742  pg_crc32c rdata_crc;
743  bool inserted;
744  XLogRecord *rechdr = (XLogRecord *) rdata->data;
745  uint8 info = rechdr->xl_info & ~XLR_INFO_MASK;
746  bool isLogSwitch = (rechdr->xl_rmid == RM_XLOG_ID &&
747  info == XLOG_SWITCH);
748  XLogRecPtr StartPos;
749  XLogRecPtr EndPos;
750  bool prevDoPageWrites = doPageWrites;
751  TimeLineID insertTLI;
752 
753  /* we assume that all of the record header is in the first chunk */
754  Assert(rdata->len >= SizeOfXLogRecord);
755 
756  /* cross-check on whether we should be here or not */
757  if (!XLogInsertAllowed())
758  elog(ERROR, "cannot make new WAL entries during recovery");
759 
760  /*
761  * Given that we're not in recovery, InsertTimeLineID is set and can't
762  * change, so we can read it without a lock.
763  */
764  insertTLI = XLogCtl->InsertTimeLineID;
765 
766  /*----------
767  *
768  * We have now done all the preparatory work we can without holding a
769  * lock or modifying shared state. From here on, inserting the new WAL
770  * record to the shared WAL buffer cache is a two-step process:
771  *
772  * 1. Reserve the right amount of space from the WAL. The current head of
773  * reserved space is kept in Insert->CurrBytePos, and is protected by
774  * insertpos_lck.
775  *
776  * 2. Copy the record to the reserved WAL space. This involves finding the
777  * correct WAL buffer containing the reserved space, and copying the
778  * record in place. This can be done concurrently in multiple processes.
779  *
780  * To keep track of which insertions are still in-progress, each concurrent
781  * inserter acquires an insertion lock. In addition to just indicating that
782  * an insertion is in progress, the lock tells others how far the inserter
783  * has progressed. There is a small fixed number of insertion locks,
784  * determined by NUM_XLOGINSERT_LOCKS. When an inserter crosses a page
785  * boundary, it updates the value stored in the lock to the how far it has
786  * inserted, to allow the previous buffer to be flushed.
787  *
788  * Holding onto an insertion lock also protects RedoRecPtr and
789  * fullPageWrites from changing until the insertion is finished.
790  *
791  * Step 2 can usually be done completely in parallel. If the required WAL
792  * page is not initialized yet, you have to grab WALBufMappingLock to
793  * initialize it, but the WAL writer tries to do that ahead of insertions
794  * to avoid that from happening in the critical path.
795  *
796  *----------
797  */
799  if (isLogSwitch)
801  else
803 
804  /*
805  * Check to see if my copy of RedoRecPtr is out of date. If so, may have
806  * to go back and have the caller recompute everything. This can only
807  * happen just after a checkpoint, so it's better to be slow in this case
808  * and fast otherwise.
809  *
810  * Also check to see if fullPageWrites or forcePageWrites was just turned
811  * on; if we weren't already doing full-page writes then go back and
812  * recompute.
813  *
814  * If we aren't doing full-page writes then RedoRecPtr doesn't actually
815  * affect the contents of the XLOG record, so we'll update our local copy
816  * but not force a recomputation. (If doPageWrites was just turned off,
817  * we could recompute the record without full pages, but we choose not to
818  * bother.)
819  */
820  if (RedoRecPtr != Insert->RedoRecPtr)
821  {
822  Assert(RedoRecPtr < Insert->RedoRecPtr);
823  RedoRecPtr = Insert->RedoRecPtr;
824  }
825  doPageWrites = (Insert->fullPageWrites || Insert->forcePageWrites);
826 
827  if (doPageWrites &&
828  (!prevDoPageWrites ||
829  (fpw_lsn != InvalidXLogRecPtr && fpw_lsn <= RedoRecPtr)))
830  {
831  /*
832  * Oops, some buffer now needs to be backed up that the caller didn't
833  * back up. Start over.
834  */
837  return InvalidXLogRecPtr;
838  }
839 
840  /*
841  * Reserve space for the record in the WAL. This also sets the xl_prev
842  * pointer.
843  */
844  if (isLogSwitch)
845  inserted = ReserveXLogSwitch(&StartPos, &EndPos, &rechdr->xl_prev);
846  else
847  {
848  ReserveXLogInsertLocation(rechdr->xl_tot_len, &StartPos, &EndPos,
849  &rechdr->xl_prev);
850  inserted = true;
851  }
852 
853  if (inserted)
854  {
855  /*
856  * Now that xl_prev has been filled in, calculate CRC of the record
857  * header.
858  */
859  rdata_crc = rechdr->xl_crc;
860  COMP_CRC32C(rdata_crc, rechdr, offsetof(XLogRecord, xl_crc));
861  FIN_CRC32C(rdata_crc);
862  rechdr->xl_crc = rdata_crc;
863 
864  /*
865  * All the record data, including the header, is now ready to be
866  * inserted. Copy the record in the space reserved.
867  */
868  CopyXLogRecordToWAL(rechdr->xl_tot_len, isLogSwitch, rdata,
869  StartPos, EndPos, insertTLI);
870 
871  /*
872  * Unless record is flagged as not important, update LSN of last
873  * important record in the current slot. When holding all locks, just
874  * update the first one.
875  */
876  if ((flags & XLOG_MARK_UNIMPORTANT) == 0)
877  {
878  int lockno = holdingAllLocks ? 0 : MyLockNo;
879 
880  WALInsertLocks[lockno].l.lastImportantAt = StartPos;
881  }
882  }
883  else
884  {
885  /*
886  * This was an xlog-switch record, but the current insert location was
887  * already exactly at the beginning of a segment, so there was no need
888  * to do anything.
889  */
890  }
891 
892  /*
893  * Done! Let others know that we're finished.
894  */
896 
898 
900 
901  /*
902  * Mark top transaction id is logged (if needed) so that we should not try
903  * to log it again with the next WAL record in the current subtransaction.
904  */
905  if (topxid_included)
907 
908  /*
909  * Update shared LogwrtRqst.Write, if we crossed page boundary.
910  */
911  if (StartPos / XLOG_BLCKSZ != EndPos / XLOG_BLCKSZ)
912  {
914  /* advance global request to include new block(s) */
915  if (XLogCtl->LogwrtRqst.Write < EndPos)
916  XLogCtl->LogwrtRqst.Write = EndPos;
917  /* update local result copy while I have the chance */
920  }
921 
922  /*
923  * If this was an XLOG_SWITCH record, flush the record and the empty
924  * padding space that fills the rest of the segment, and perform
925  * end-of-segment actions (eg, notifying archiver).
926  */
927  if (isLogSwitch)
928  {
929  TRACE_POSTGRESQL_WAL_SWITCH();
930  XLogFlush(EndPos);
931 
932  /*
933  * Even though we reserved the rest of the segment for us, which is
934  * reflected in EndPos, we return a pointer to just the end of the
935  * xlog-switch record.
936  */
937  if (inserted)
938  {
939  EndPos = StartPos + SizeOfXLogRecord;
940  if (StartPos / XLOG_BLCKSZ != EndPos / XLOG_BLCKSZ)
941  {
942  uint64 offset = XLogSegmentOffset(EndPos, wal_segment_size);
943 
944  if (offset == EndPos % XLOG_BLCKSZ)
945  EndPos += SizeOfXLogLongPHD;
946  else
947  EndPos += SizeOfXLogShortPHD;
948  }
949  }
950  }
951 
952 #ifdef WAL_DEBUG
953  if (XLOG_DEBUG)
954  {
955  static XLogReaderState *debug_reader = NULL;
956  XLogRecord *record;
957  DecodedXLogRecord *decoded;
959  StringInfoData recordBuf;
960  char *errormsg = NULL;
961  MemoryContext oldCxt;
962 
963  oldCxt = MemoryContextSwitchTo(walDebugCxt);
964 
966  appendStringInfo(&buf, "INSERT @ %X/%X: ", LSN_FORMAT_ARGS(EndPos));
967 
968  /*
969  * We have to piece together the WAL record data from the XLogRecData
970  * entries, so that we can pass it to the rm_desc function as one
971  * contiguous chunk.
972  */
973  initStringInfo(&recordBuf);
974  for (; rdata != NULL; rdata = rdata->next)
975  appendBinaryStringInfo(&recordBuf, rdata->data, rdata->len);
976 
977  /* We also need temporary space to decode the record. */
978  record = (XLogRecord *) recordBuf.data;
979  decoded = (DecodedXLogRecord *)
981 
982  if (!debug_reader)
983  debug_reader = XLogReaderAllocate(wal_segment_size, NULL,
984  XL_ROUTINE(), NULL);
985 
986  if (!debug_reader)
987  {
988  appendStringInfoString(&buf, "error decoding record: out of memory while allocating a WAL reading processor");
989  }
990  else if (!DecodeXLogRecord(debug_reader,
991  decoded,
992  record,
993  EndPos,
994  &errormsg))
995  {
996  appendStringInfo(&buf, "error decoding record: %s",
997  errormsg ? errormsg : "no error message");
998  }
999  else
1000  {
1001  appendStringInfoString(&buf, " - ");
1002 
1003  debug_reader->record = decoded;
1004  xlog_outdesc(&buf, debug_reader);
1005  debug_reader->record = NULL;
1006  }
1007  elog(LOG, "%s", buf.data);
1008 
1009  pfree(decoded);
1010  pfree(buf.data);
1011  pfree(recordBuf.data);
1012  MemoryContextSwitchTo(oldCxt);
1013  }
1014 #endif
1015 
1016  /*
1017  * Update our global variables
1018  */
1019  ProcLastRecPtr = StartPos;
1020  XactLastRecEnd = EndPos;
1021 
1022  /* Report WAL traffic to the instrumentation. */
1023  if (inserted)
1024  {
1025  pgWalUsage.wal_bytes += rechdr->xl_tot_len;
1027  pgWalUsage.wal_fpi += num_fpi;
1028  }
1029 
1030  return EndPos;
1031 }
1032 
1033 /*
1034  * Reserves the right amount of space for a record of given size from the WAL.
1035  * *StartPos is set to the beginning of the reserved section, *EndPos to
1036  * its end+1. *PrevPtr is set to the beginning of the previous record; it is
1037  * used to set the xl_prev of this record.
1038  *
1039  * This is the performance critical part of XLogInsert that must be serialized
1040  * across backends. The rest can happen mostly in parallel. Try to keep this
1041  * section as short as possible, insertpos_lck can be heavily contended on a
1042  * busy system.
1043  *
1044  * NB: The space calculation here must match the code in CopyXLogRecordToWAL,
1045  * where we actually copy the record to the reserved space.
1046  */
1047 static void
1048 ReserveXLogInsertLocation(int size, XLogRecPtr *StartPos, XLogRecPtr *EndPos,
1049  XLogRecPtr *PrevPtr)
1050 {
1052  uint64 startbytepos;
1053  uint64 endbytepos;
1054  uint64 prevbytepos;
1055 
1056  size = MAXALIGN(size);
1057 
1058  /* All (non xlog-switch) records should contain data. */
1059  Assert(size > SizeOfXLogRecord);
1060 
1061  /*
1062  * The duration the spinlock needs to be held is minimized by minimizing
1063  * the calculations that have to be done while holding the lock. The
1064  * current tip of reserved WAL is kept in CurrBytePos, as a byte position
1065  * that only counts "usable" bytes in WAL, that is, it excludes all WAL
1066  * page headers. The mapping between "usable" byte positions and physical
1067  * positions (XLogRecPtrs) can be done outside the locked region, and
1068  * because the usable byte position doesn't include any headers, reserving
1069  * X bytes from WAL is almost as simple as "CurrBytePos += X".
1070  */
1071  SpinLockAcquire(&Insert->insertpos_lck);
1072 
1073  startbytepos = Insert->CurrBytePos;
1074  endbytepos = startbytepos + size;
1075  prevbytepos = Insert->PrevBytePos;
1076  Insert->CurrBytePos = endbytepos;
1077  Insert->PrevBytePos = startbytepos;
1078 
1079  SpinLockRelease(&Insert->insertpos_lck);
1080 
1081  *StartPos = XLogBytePosToRecPtr(startbytepos);
1082  *EndPos = XLogBytePosToEndRecPtr(endbytepos);
1083  *PrevPtr = XLogBytePosToRecPtr(prevbytepos);
1084 
1085  /*
1086  * Check that the conversions between "usable byte positions" and
1087  * XLogRecPtrs work consistently in both directions.
1088  */
1089  Assert(XLogRecPtrToBytePos(*StartPos) == startbytepos);
1090  Assert(XLogRecPtrToBytePos(*EndPos) == endbytepos);
1091  Assert(XLogRecPtrToBytePos(*PrevPtr) == prevbytepos);
1092 }
1093 
1094 /*
1095  * Like ReserveXLogInsertLocation(), but for an xlog-switch record.
1096  *
1097  * A log-switch record is handled slightly differently. The rest of the
1098  * segment will be reserved for this insertion, as indicated by the returned
1099  * *EndPos value. However, if we are already at the beginning of the current
1100  * segment, *StartPos and *EndPos are set to the current location without
1101  * reserving any space, and the function returns false.
1102 */
1103 static bool
1104 ReserveXLogSwitch(XLogRecPtr *StartPos, XLogRecPtr *EndPos, XLogRecPtr *PrevPtr)
1105 {
1107  uint64 startbytepos;
1108  uint64 endbytepos;
1109  uint64 prevbytepos;
1111  XLogRecPtr ptr;
1112  uint32 segleft;
1113 
1114  /*
1115  * These calculations are a bit heavy-weight to be done while holding a
1116  * spinlock, but since we're holding all the WAL insertion locks, there
1117  * are no other inserters competing for it. GetXLogInsertRecPtr() does
1118  * compete for it, but that's not called very frequently.
1119  */
1120  SpinLockAcquire(&Insert->insertpos_lck);
1121 
1122  startbytepos = Insert->CurrBytePos;
1123 
1124  ptr = XLogBytePosToEndRecPtr(startbytepos);
1125  if (XLogSegmentOffset(ptr, wal_segment_size) == 0)
1126  {
1127  SpinLockRelease(&Insert->insertpos_lck);
1128  *EndPos = *StartPos = ptr;
1129  return false;
1130  }
1131 
1132  endbytepos = startbytepos + size;
1133  prevbytepos = Insert->PrevBytePos;
1134 
1135  *StartPos = XLogBytePosToRecPtr(startbytepos);
1136  *EndPos = XLogBytePosToEndRecPtr(endbytepos);
1137 
1138  segleft = wal_segment_size - XLogSegmentOffset(*EndPos, wal_segment_size);
1139  if (segleft != wal_segment_size)
1140  {
1141  /* consume the rest of the segment */
1142  *EndPos += segleft;
1143  endbytepos = XLogRecPtrToBytePos(*EndPos);
1144  }
1145  Insert->CurrBytePos = endbytepos;
1146  Insert->PrevBytePos = startbytepos;
1147 
1148  SpinLockRelease(&Insert->insertpos_lck);
1149 
1150  *PrevPtr = XLogBytePosToRecPtr(prevbytepos);
1151 
1152  Assert(XLogSegmentOffset(*EndPos, wal_segment_size) == 0);
1153  Assert(XLogRecPtrToBytePos(*EndPos) == endbytepos);
1154  Assert(XLogRecPtrToBytePos(*StartPos) == startbytepos);
1155  Assert(XLogRecPtrToBytePos(*PrevPtr) == prevbytepos);
1156 
1157  return true;
1158 }
1159 
1160 /*
1161  * Subroutine of XLogInsertRecord. Copies a WAL record to an already-reserved
1162  * area in the WAL.
1163  */
1164 static void
1165 CopyXLogRecordToWAL(int write_len, bool isLogSwitch, XLogRecData *rdata,
1166  XLogRecPtr StartPos, XLogRecPtr EndPos, TimeLineID tli)
1167 {
1168  char *currpos;
1169  int freespace;
1170  int written;
1171  XLogRecPtr CurrPos;
1172  XLogPageHeader pagehdr;
1173 
1174  /*
1175  * Get a pointer to the right place in the right WAL buffer to start
1176  * inserting to.
1177  */
1178  CurrPos = StartPos;
1179  currpos = GetXLogBuffer(CurrPos, tli);
1180  freespace = INSERT_FREESPACE(CurrPos);
1181 
1182  /*
1183  * there should be enough space for at least the first field (xl_tot_len)
1184  * on this page.
1185  */
1186  Assert(freespace >= sizeof(uint32));
1187 
1188  /* Copy record data */
1189  written = 0;
1190  while (rdata != NULL)
1191  {
1192  char *rdata_data = rdata->data;
1193  int rdata_len = rdata->len;
1194 
1195  while (rdata_len > freespace)
1196  {
1197  /*
1198  * Write what fits on this page, and continue on the next page.
1199  */
1200  Assert(CurrPos % XLOG_BLCKSZ >= SizeOfXLogShortPHD || freespace == 0);
1201  memcpy(currpos, rdata_data, freespace);
1202  rdata_data += freespace;
1203  rdata_len -= freespace;
1204  written += freespace;
1205  CurrPos += freespace;
1206 
1207  /*
1208  * Get pointer to beginning of next page, and set the xlp_rem_len
1209  * in the page header. Set XLP_FIRST_IS_CONTRECORD.
1210  *
1211  * It's safe to set the contrecord flag and xlp_rem_len without a
1212  * lock on the page. All the other flags were already set when the
1213  * page was initialized, in AdvanceXLInsertBuffer, and we're the
1214  * only backend that needs to set the contrecord flag.
1215  */
1216  currpos = GetXLogBuffer(CurrPos, tli);
1217  pagehdr = (XLogPageHeader) currpos;
1218  pagehdr->xlp_rem_len = write_len - written;
1219  pagehdr->xlp_info |= XLP_FIRST_IS_CONTRECORD;
1220 
1221  /* skip over the page header */
1222  if (XLogSegmentOffset(CurrPos, wal_segment_size) == 0)
1223  {
1224  CurrPos += SizeOfXLogLongPHD;
1225  currpos += SizeOfXLogLongPHD;
1226  }
1227  else
1228  {
1229  CurrPos += SizeOfXLogShortPHD;
1230  currpos += SizeOfXLogShortPHD;
1231  }
1232  freespace = INSERT_FREESPACE(CurrPos);
1233  }
1234 
1235  Assert(CurrPos % XLOG_BLCKSZ >= SizeOfXLogShortPHD || rdata_len == 0);
1236  memcpy(currpos, rdata_data, rdata_len);
1237  currpos += rdata_len;
1238  CurrPos += rdata_len;
1239  freespace -= rdata_len;
1240  written += rdata_len;
1241 
1242  rdata = rdata->next;
1243  }
1244  Assert(written == write_len);
1245 
1246  /*
1247  * If this was an xlog-switch, it's not enough to write the switch record,
1248  * we also have to consume all the remaining space in the WAL segment. We
1249  * have already reserved that space, but we need to actually fill it.
1250  */
1251  if (isLogSwitch && XLogSegmentOffset(CurrPos, wal_segment_size) != 0)
1252  {
1253  /* An xlog-switch record doesn't contain any data besides the header */
1254  Assert(write_len == SizeOfXLogRecord);
1255 
1256  /* Assert that we did reserve the right amount of space */
1257  Assert(XLogSegmentOffset(EndPos, wal_segment_size) == 0);
1258 
1259  /* Use up all the remaining space on the current page */
1260  CurrPos += freespace;
1261 
1262  /*
1263  * Cause all remaining pages in the segment to be flushed, leaving the
1264  * XLog position where it should be, at the start of the next segment.
1265  * We do this one page at a time, to make sure we don't deadlock
1266  * against ourselves if wal_buffers < wal_segment_size.
1267  */
1268  while (CurrPos < EndPos)
1269  {
1270  /*
1271  * The minimal action to flush the page would be to call
1272  * WALInsertLockUpdateInsertingAt(CurrPos) followed by
1273  * AdvanceXLInsertBuffer(...). The page would be left initialized
1274  * mostly to zeros, except for the page header (always the short
1275  * variant, as this is never a segment's first page).
1276  *
1277  * The large vistas of zeros are good for compressibility, but the
1278  * headers interrupting them every XLOG_BLCKSZ (with values that
1279  * differ from page to page) are not. The effect varies with
1280  * compression tool, but bzip2 for instance compresses about an
1281  * order of magnitude worse if those headers are left in place.
1282  *
1283  * Rather than complicating AdvanceXLInsertBuffer itself (which is
1284  * called in heavily-loaded circumstances as well as this lightly-
1285  * loaded one) with variant behavior, we just use GetXLogBuffer
1286  * (which itself calls the two methods we need) to get the pointer
1287  * and zero most of the page. Then we just zero the page header.
1288  */
1289  currpos = GetXLogBuffer(CurrPos, tli);
1290  MemSet(currpos, 0, SizeOfXLogShortPHD);
1291 
1292  CurrPos += XLOG_BLCKSZ;
1293  }
1294  }
1295  else
1296  {
1297  /* Align the end position, so that the next record starts aligned */
1298  CurrPos = MAXALIGN64(CurrPos);
1299  }
1300 
1301  if (CurrPos != EndPos)
1302  elog(PANIC, "space reserved for WAL record does not match what was written");
1303 }
1304 
1305 /*
1306  * Acquire a WAL insertion lock, for inserting to WAL.
1307  */
1308 static void
1310 {
1311  bool immed;
1312 
1313  /*
1314  * It doesn't matter which of the WAL insertion locks we acquire, so try
1315  * the one we used last time. If the system isn't particularly busy, it's
1316  * a good bet that it's still available, and it's good to have some
1317  * affinity to a particular lock so that you don't unnecessarily bounce
1318  * cache lines between processes when there's no contention.
1319  *
1320  * If this is the first time through in this backend, pick a lock
1321  * (semi-)randomly. This allows the locks to be used evenly if you have a
1322  * lot of very short connections.
1323  */
1324  static int lockToTry = -1;
1325 
1326  if (lockToTry == -1)
1327  lockToTry = MyProc->pgprocno % NUM_XLOGINSERT_LOCKS;
1328  MyLockNo = lockToTry;
1329 
1330  /*
1331  * The insertingAt value is initially set to 0, as we don't know our
1332  * insert location yet.
1333  */
1335  if (!immed)
1336  {
1337  /*
1338  * If we couldn't get the lock immediately, try another lock next
1339  * time. On a system with more insertion locks than concurrent
1340  * inserters, this causes all the inserters to eventually migrate to a
1341  * lock that no-one else is using. On a system with more inserters
1342  * than locks, it still helps to distribute the inserters evenly
1343  * across the locks.
1344  */
1345  lockToTry = (lockToTry + 1) % NUM_XLOGINSERT_LOCKS;
1346  }
1347 }
1348 
1349 /*
1350  * Acquire all WAL insertion locks, to prevent other backends from inserting
1351  * to WAL.
1352  */
1353 static void
1355 {
1356  int i;
1357 
1358  /*
1359  * When holding all the locks, all but the last lock's insertingAt
1360  * indicator is set to 0xFFFFFFFFFFFFFFFF, which is higher than any real
1361  * XLogRecPtr value, to make sure that no-one blocks waiting on those.
1362  */
1363  for (i = 0; i < NUM_XLOGINSERT_LOCKS - 1; i++)
1364  {
1366  LWLockUpdateVar(&WALInsertLocks[i].l.lock,
1368  PG_UINT64_MAX);
1369  }
1370  /* Variable value reset to 0 at release */
1372 
1373  holdingAllLocks = true;
1374 }
1375 
1376 /*
1377  * Release our insertion lock (or locks, if we're holding them all).
1378  *
1379  * NB: Reset all variables to 0, so they cause LWLockWaitForVar to block the
1380  * next time the lock is acquired.
1381  */
1382 static void
1384 {
1385  if (holdingAllLocks)
1386  {
1387  int i;
1388 
1389  for (i = 0; i < NUM_XLOGINSERT_LOCKS; i++)
1392  0);
1393 
1394  holdingAllLocks = false;
1395  }
1396  else
1397  {
1400  0);
1401  }
1402 }
1403 
1404 /*
1405  * Update our insertingAt value, to let others know that we've finished
1406  * inserting up to that point.
1407  */
1408 static void
1410 {
1411  if (holdingAllLocks)
1412  {
1413  /*
1414  * We use the last lock to mark our actual position, see comments in
1415  * WALInsertLockAcquireExclusive.
1416  */
1419  insertingAt);
1420  }
1421  else
1424  insertingAt);
1425 }
1426 
1427 /*
1428  * Wait for any WAL insertions < upto to finish.
1429  *
1430  * Returns the location of the oldest insertion that is still in-progress.
1431  * Any WAL prior to that point has been fully copied into WAL buffers, and
1432  * can be flushed out to disk. Because this waits for any insertions older
1433  * than 'upto' to finish, the return value is always >= 'upto'.
1434  *
1435  * Note: When you are about to write out WAL, you must call this function
1436  * *before* acquiring WALWriteLock, to avoid deadlocks. This function might
1437  * need to wait for an insertion to finish (or at least advance to next
1438  * uninitialized page), and the inserter might need to evict an old WAL buffer
1439  * to make room for a new one, which in turn requires WALWriteLock.
1440  */
1441 static XLogRecPtr
1443 {
1444  uint64 bytepos;
1445  XLogRecPtr reservedUpto;
1446  XLogRecPtr finishedUpto;
1448  int i;
1449 
1450  if (MyProc == NULL)
1451  elog(PANIC, "cannot wait without a PGPROC structure");
1452 
1453  /* Read the current insert position */
1454  SpinLockAcquire(&Insert->insertpos_lck);
1455  bytepos = Insert->CurrBytePos;
1456  SpinLockRelease(&Insert->insertpos_lck);
1457  reservedUpto = XLogBytePosToEndRecPtr(bytepos);
1458 
1459  /*
1460  * No-one should request to flush a piece of WAL that hasn't even been
1461  * reserved yet. However, it can happen if there is a block with a bogus
1462  * LSN on disk, for example. XLogFlush checks for that situation and
1463  * complains, but only after the flush. Here we just assume that to mean
1464  * that all WAL that has been reserved needs to be finished. In this
1465  * corner-case, the return value can be smaller than 'upto' argument.
1466  */
1467  if (upto > reservedUpto)
1468  {
1469  ereport(LOG,
1470  (errmsg("request to flush past end of generated WAL; request %X/%X, current position %X/%X",
1471  LSN_FORMAT_ARGS(upto), LSN_FORMAT_ARGS(reservedUpto))));
1472  upto = reservedUpto;
1473  }
1474 
1475  /*
1476  * Loop through all the locks, sleeping on any in-progress insert older
1477  * than 'upto'.
1478  *
1479  * finishedUpto is our return value, indicating the point upto which all
1480  * the WAL insertions have been finished. Initialize it to the head of
1481  * reserved WAL, and as we iterate through the insertion locks, back it
1482  * out for any insertion that's still in progress.
1483  */
1484  finishedUpto = reservedUpto;
1485  for (i = 0; i < NUM_XLOGINSERT_LOCKS; i++)
1486  {
1487  XLogRecPtr insertingat = InvalidXLogRecPtr;
1488 
1489  do
1490  {
1491  /*
1492  * See if this insertion is in progress. LWLockWaitForVar will
1493  * wait for the lock to be released, or for the 'value' to be set
1494  * by a LWLockUpdateVar call. When a lock is initially acquired,
1495  * its value is 0 (InvalidXLogRecPtr), which means that we don't
1496  * know where it's inserting yet. We will have to wait for it. If
1497  * it's a small insertion, the record will most likely fit on the
1498  * same page and the inserter will release the lock without ever
1499  * calling LWLockUpdateVar. But if it has to sleep, it will
1500  * advertise the insertion point with LWLockUpdateVar before
1501  * sleeping.
1502  */
1503  if (LWLockWaitForVar(&WALInsertLocks[i].l.lock,
1505  insertingat, &insertingat))
1506  {
1507  /* the lock was free, so no insertion in progress */
1508  insertingat = InvalidXLogRecPtr;
1509  break;
1510  }
1511 
1512  /*
1513  * This insertion is still in progress. Have to wait, unless the
1514  * inserter has proceeded past 'upto'.
1515  */
1516  } while (insertingat < upto);
1517 
1518  if (insertingat != InvalidXLogRecPtr && insertingat < finishedUpto)
1519  finishedUpto = insertingat;
1520  }
1521  return finishedUpto;
1522 }
1523 
1524 /*
1525  * Get a pointer to the right location in the WAL buffer containing the
1526  * given XLogRecPtr.
1527  *
1528  * If the page is not initialized yet, it is initialized. That might require
1529  * evicting an old dirty buffer from the buffer cache, which means I/O.
1530  *
1531  * The caller must ensure that the page containing the requested location
1532  * isn't evicted yet, and won't be evicted. The way to ensure that is to
1533  * hold onto a WAL insertion lock with the insertingAt position set to
1534  * something <= ptr. GetXLogBuffer() will update insertingAt if it needs
1535  * to evict an old page from the buffer. (This means that once you call
1536  * GetXLogBuffer() with a given 'ptr', you must not access anything before
1537  * that point anymore, and must not call GetXLogBuffer() with an older 'ptr'
1538  * later, because older buffers might be recycled already)
1539  */
1540 static char *
1542 {
1543  int idx;
1544  XLogRecPtr endptr;
1545  static uint64 cachedPage = 0;
1546  static char *cachedPos = NULL;
1547  XLogRecPtr expectedEndPtr;
1548 
1549  /*
1550  * Fast path for the common case that we need to access again the same
1551  * page as last time.
1552  */
1553  if (ptr / XLOG_BLCKSZ == cachedPage)
1554  {
1555  Assert(((XLogPageHeader) cachedPos)->xlp_magic == XLOG_PAGE_MAGIC);
1556  Assert(((XLogPageHeader) cachedPos)->xlp_pageaddr == ptr - (ptr % XLOG_BLCKSZ));
1557  return cachedPos + ptr % XLOG_BLCKSZ;
1558  }
1559 
1560  /*
1561  * The XLog buffer cache is organized so that a page is always loaded to a
1562  * particular buffer. That way we can easily calculate the buffer a given
1563  * page must be loaded into, from the XLogRecPtr alone.
1564  */
1565  idx = XLogRecPtrToBufIdx(ptr);
1566 
1567  /*
1568  * See what page is loaded in the buffer at the moment. It could be the
1569  * page we're looking for, or something older. It can't be anything newer
1570  * - that would imply the page we're looking for has already been written
1571  * out to disk and evicted, and the caller is responsible for making sure
1572  * that doesn't happen.
1573  *
1574  * However, we don't hold a lock while we read the value. If someone has
1575  * just initialized the page, it's possible that we get a "torn read" of
1576  * the XLogRecPtr if 64-bit fetches are not atomic on this platform. In
1577  * that case we will see a bogus value. That's ok, we'll grab the mapping
1578  * lock (in AdvanceXLInsertBuffer) and retry if we see anything else than
1579  * the page we're looking for. But it means that when we do this unlocked
1580  * read, we might see a value that appears to be ahead of the page we're
1581  * looking for. Don't PANIC on that, until we've verified the value while
1582  * holding the lock.
1583  */
1584  expectedEndPtr = ptr;
1585  expectedEndPtr += XLOG_BLCKSZ - ptr % XLOG_BLCKSZ;
1586 
1587  endptr = XLogCtl->xlblocks[idx];
1588  if (expectedEndPtr != endptr)
1589  {
1590  XLogRecPtr initializedUpto;
1591 
1592  /*
1593  * Before calling AdvanceXLInsertBuffer(), which can block, let others
1594  * know how far we're finished with inserting the record.
1595  *
1596  * NB: If 'ptr' points to just after the page header, advertise a
1597  * position at the beginning of the page rather than 'ptr' itself. If
1598  * there are no other insertions running, someone might try to flush
1599  * up to our advertised location. If we advertised a position after
1600  * the page header, someone might try to flush the page header, even
1601  * though page might actually not be initialized yet. As the first
1602  * inserter on the page, we are effectively responsible for making
1603  * sure that it's initialized, before we let insertingAt to move past
1604  * the page header.
1605  */
1606  if (ptr % XLOG_BLCKSZ == SizeOfXLogShortPHD &&
1607  XLogSegmentOffset(ptr, wal_segment_size) > XLOG_BLCKSZ)
1608  initializedUpto = ptr - SizeOfXLogShortPHD;
1609  else if (ptr % XLOG_BLCKSZ == SizeOfXLogLongPHD &&
1610  XLogSegmentOffset(ptr, wal_segment_size) < XLOG_BLCKSZ)
1611  initializedUpto = ptr - SizeOfXLogLongPHD;
1612  else
1613  initializedUpto = ptr;
1614 
1615  WALInsertLockUpdateInsertingAt(initializedUpto);
1616 
1617  AdvanceXLInsertBuffer(ptr, tli, false);
1618  endptr = XLogCtl->xlblocks[idx];
1619 
1620  if (expectedEndPtr != endptr)
1621  elog(PANIC, "could not find WAL buffer for %X/%X",
1622  LSN_FORMAT_ARGS(ptr));
1623  }
1624  else
1625  {
1626  /*
1627  * Make sure the initialization of the page is visible to us, and
1628  * won't arrive later to overwrite the WAL data we write on the page.
1629  */
1631  }
1632 
1633  /*
1634  * Found the buffer holding this page. Return a pointer to the right
1635  * offset within the page.
1636  */
1637  cachedPage = ptr / XLOG_BLCKSZ;
1638  cachedPos = XLogCtl->pages + idx * (Size) XLOG_BLCKSZ;
1639 
1640  Assert(((XLogPageHeader) cachedPos)->xlp_magic == XLOG_PAGE_MAGIC);
1641  Assert(((XLogPageHeader) cachedPos)->xlp_pageaddr == ptr - (ptr % XLOG_BLCKSZ));
1642 
1643  return cachedPos + ptr % XLOG_BLCKSZ;
1644 }
1645 
1646 /*
1647  * Converts a "usable byte position" to XLogRecPtr. A usable byte position
1648  * is the position starting from the beginning of WAL, excluding all WAL
1649  * page headers.
1650  */
1651 static XLogRecPtr
1652 XLogBytePosToRecPtr(uint64 bytepos)
1653 {
1654  uint64 fullsegs;
1655  uint64 fullpages;
1656  uint64 bytesleft;
1657  uint32 seg_offset;
1658  XLogRecPtr result;
1659 
1660  fullsegs = bytepos / UsableBytesInSegment;
1661  bytesleft = bytepos % UsableBytesInSegment;
1662 
1663  if (bytesleft < XLOG_BLCKSZ - SizeOfXLogLongPHD)
1664  {
1665  /* fits on first page of segment */
1666  seg_offset = bytesleft + SizeOfXLogLongPHD;
1667  }
1668  else
1669  {
1670  /* account for the first page on segment with long header */
1671  seg_offset = XLOG_BLCKSZ;
1672  bytesleft -= XLOG_BLCKSZ - SizeOfXLogLongPHD;
1673 
1674  fullpages = bytesleft / UsableBytesInPage;
1675  bytesleft = bytesleft % UsableBytesInPage;
1676 
1677  seg_offset += fullpages * XLOG_BLCKSZ + bytesleft + SizeOfXLogShortPHD;
1678  }
1679 
1680  XLogSegNoOffsetToRecPtr(fullsegs, seg_offset, wal_segment_size, result);
1681 
1682  return result;
1683 }
1684 
1685 /*
1686  * Like XLogBytePosToRecPtr, but if the position is at a page boundary,
1687  * returns a pointer to the beginning of the page (ie. before page header),
1688  * not to where the first xlog record on that page would go to. This is used
1689  * when converting a pointer to the end of a record.
1690  */
1691 static XLogRecPtr
1692 XLogBytePosToEndRecPtr(uint64 bytepos)
1693 {
1694  uint64 fullsegs;
1695  uint64 fullpages;
1696  uint64 bytesleft;
1697  uint32 seg_offset;
1698  XLogRecPtr result;
1699 
1700  fullsegs = bytepos / UsableBytesInSegment;
1701  bytesleft = bytepos % UsableBytesInSegment;
1702 
1703  if (bytesleft < XLOG_BLCKSZ - SizeOfXLogLongPHD)
1704  {
1705  /* fits on first page of segment */
1706  if (bytesleft == 0)
1707  seg_offset = 0;
1708  else
1709  seg_offset = bytesleft + SizeOfXLogLongPHD;
1710  }
1711  else
1712  {
1713  /* account for the first page on segment with long header */
1714  seg_offset = XLOG_BLCKSZ;
1715  bytesleft -= XLOG_BLCKSZ - SizeOfXLogLongPHD;
1716 
1717  fullpages = bytesleft / UsableBytesInPage;
1718  bytesleft = bytesleft % UsableBytesInPage;
1719 
1720  if (bytesleft == 0)
1721  seg_offset += fullpages * XLOG_BLCKSZ + bytesleft;
1722  else
1723  seg_offset += fullpages * XLOG_BLCKSZ + bytesleft + SizeOfXLogShortPHD;
1724  }
1725 
1726  XLogSegNoOffsetToRecPtr(fullsegs, seg_offset, wal_segment_size, result);
1727 
1728  return result;
1729 }
1730 
1731 /*
1732  * Convert an XLogRecPtr to a "usable byte position".
1733  */
1734 static uint64
1736 {
1737  uint64 fullsegs;
1738  uint32 fullpages;
1739  uint32 offset;
1740  uint64 result;
1741 
1742  XLByteToSeg(ptr, fullsegs, wal_segment_size);
1743 
1744  fullpages = (XLogSegmentOffset(ptr, wal_segment_size)) / XLOG_BLCKSZ;
1745  offset = ptr % XLOG_BLCKSZ;
1746 
1747  if (fullpages == 0)
1748  {
1749  result = fullsegs * UsableBytesInSegment;
1750  if (offset > 0)
1751  {
1752  Assert(offset >= SizeOfXLogLongPHD);
1753  result += offset - SizeOfXLogLongPHD;
1754  }
1755  }
1756  else
1757  {
1758  result = fullsegs * UsableBytesInSegment +
1759  (XLOG_BLCKSZ - SizeOfXLogLongPHD) + /* account for first page */
1760  (fullpages - 1) * UsableBytesInPage; /* full pages */
1761  if (offset > 0)
1762  {
1763  Assert(offset >= SizeOfXLogShortPHD);
1764  result += offset - SizeOfXLogShortPHD;
1765  }
1766  }
1767 
1768  return result;
1769 }
1770 
1771 /*
1772  * Initialize XLOG buffers, writing out old buffers if they still contain
1773  * unwritten data, upto the page containing 'upto'. Or if 'opportunistic' is
1774  * true, initialize as many pages as we can without having to write out
1775  * unwritten data. Any new pages are initialized to zeros, with pages headers
1776  * initialized properly.
1777  */
1778 static void
1779 AdvanceXLInsertBuffer(XLogRecPtr upto, TimeLineID tli, bool opportunistic)
1780 {
1782  int nextidx;
1783  XLogRecPtr OldPageRqstPtr;
1784  XLogwrtRqst WriteRqst;
1785  XLogRecPtr NewPageEndPtr = InvalidXLogRecPtr;
1786  XLogRecPtr NewPageBeginPtr;
1787  XLogPageHeader NewPage;
1788  int npages pg_attribute_unused() = 0;
1789 
1790  LWLockAcquire(WALBufMappingLock, LW_EXCLUSIVE);
1791 
1792  /*
1793  * Now that we have the lock, check if someone initialized the page
1794  * already.
1795  */
1796  while (upto >= XLogCtl->InitializedUpTo || opportunistic)
1797  {
1799 
1800  /*
1801  * Get ending-offset of the buffer page we need to replace (this may
1802  * be zero if the buffer hasn't been used yet). Fall through if it's
1803  * already written out.
1804  */
1805  OldPageRqstPtr = XLogCtl->xlblocks[nextidx];
1806  if (LogwrtResult.Write < OldPageRqstPtr)
1807  {
1808  /*
1809  * Nope, got work to do. If we just want to pre-initialize as much
1810  * as we can without flushing, give up now.
1811  */
1812  if (opportunistic)
1813  break;
1814 
1815  /* Before waiting, get info_lck and update LogwrtResult */
1817  if (XLogCtl->LogwrtRqst.Write < OldPageRqstPtr)
1818  XLogCtl->LogwrtRqst.Write = OldPageRqstPtr;
1821 
1822  /*
1823  * Now that we have an up-to-date LogwrtResult value, see if we
1824  * still need to write it or if someone else already did.
1825  */
1826  if (LogwrtResult.Write < OldPageRqstPtr)
1827  {
1828  /*
1829  * Must acquire write lock. Release WALBufMappingLock first,
1830  * to make sure that all insertions that we need to wait for
1831  * can finish (up to this same position). Otherwise we risk
1832  * deadlock.
1833  */
1834  LWLockRelease(WALBufMappingLock);
1835 
1836  WaitXLogInsertionsToFinish(OldPageRqstPtr);
1837 
1838  LWLockAcquire(WALWriteLock, LW_EXCLUSIVE);
1839 
1841  if (LogwrtResult.Write >= OldPageRqstPtr)
1842  {
1843  /* OK, someone wrote it already */
1844  LWLockRelease(WALWriteLock);
1845  }
1846  else
1847  {
1848  /* Have to write it ourselves */
1849  TRACE_POSTGRESQL_WAL_BUFFER_WRITE_DIRTY_START();
1850  WriteRqst.Write = OldPageRqstPtr;
1851  WriteRqst.Flush = 0;
1852  XLogWrite(WriteRqst, tli, false);
1853  LWLockRelease(WALWriteLock);
1855  TRACE_POSTGRESQL_WAL_BUFFER_WRITE_DIRTY_DONE();
1856  }
1857  /* Re-acquire WALBufMappingLock and retry */
1858  LWLockAcquire(WALBufMappingLock, LW_EXCLUSIVE);
1859  continue;
1860  }
1861  }
1862 
1863  /*
1864  * Now the next buffer slot is free and we can set it up to be the
1865  * next output page.
1866  */
1867  NewPageBeginPtr = XLogCtl->InitializedUpTo;
1868  NewPageEndPtr = NewPageBeginPtr + XLOG_BLCKSZ;
1869 
1870  Assert(XLogRecPtrToBufIdx(NewPageBeginPtr) == nextidx);
1871 
1872  NewPage = (XLogPageHeader) (XLogCtl->pages + nextidx * (Size) XLOG_BLCKSZ);
1873 
1874  /*
1875  * Be sure to re-zero the buffer so that bytes beyond what we've
1876  * written will look like zeroes and not valid XLOG records...
1877  */
1878  MemSet((char *) NewPage, 0, XLOG_BLCKSZ);
1879 
1880  /*
1881  * Fill the new page's header
1882  */
1883  NewPage->xlp_magic = XLOG_PAGE_MAGIC;
1884 
1885  /* NewPage->xlp_info = 0; */ /* done by memset */
1886  NewPage->xlp_tli = tli;
1887  NewPage->xlp_pageaddr = NewPageBeginPtr;
1888 
1889  /* NewPage->xlp_rem_len = 0; */ /* done by memset */
1890 
1891  /*
1892  * If online backup is not in progress, mark the header to indicate
1893  * that WAL records beginning in this page have removable backup
1894  * blocks. This allows the WAL archiver to know whether it is safe to
1895  * compress archived WAL data by transforming full-block records into
1896  * the non-full-block format. It is sufficient to record this at the
1897  * page level because we force a page switch (in fact a segment
1898  * switch) when starting a backup, so the flag will be off before any
1899  * records can be written during the backup. At the end of a backup,
1900  * the last page will be marked as all unsafe when perhaps only part
1901  * is unsafe, but at worst the archiver would miss the opportunity to
1902  * compress a few records.
1903  */
1904  if (!Insert->forcePageWrites)
1905  NewPage->xlp_info |= XLP_BKP_REMOVABLE;
1906 
1907  /*
1908  * If first page of an XLOG segment file, make it a long header.
1909  */
1910  if ((XLogSegmentOffset(NewPage->xlp_pageaddr, wal_segment_size)) == 0)
1911  {
1912  XLogLongPageHeader NewLongPage = (XLogLongPageHeader) NewPage;
1913 
1914  NewLongPage->xlp_sysid = ControlFile->system_identifier;
1915  NewLongPage->xlp_seg_size = wal_segment_size;
1916  NewLongPage->xlp_xlog_blcksz = XLOG_BLCKSZ;
1917  NewPage->xlp_info |= XLP_LONG_HEADER;
1918  }
1919 
1920  /*
1921  * Make sure the initialization of the page becomes visible to others
1922  * before the xlblocks update. GetXLogBuffer() reads xlblocks without
1923  * holding a lock.
1924  */
1925  pg_write_barrier();
1926 
1927  *((volatile XLogRecPtr *) &XLogCtl->xlblocks[nextidx]) = NewPageEndPtr;
1928 
1929  XLogCtl->InitializedUpTo = NewPageEndPtr;
1930 
1931  npages++;
1932  }
1933  LWLockRelease(WALBufMappingLock);
1934 
1935 #ifdef WAL_DEBUG
1936  if (XLOG_DEBUG && npages > 0)
1937  {
1938  elog(DEBUG1, "initialized %d pages, up to %X/%X",
1939  npages, LSN_FORMAT_ARGS(NewPageEndPtr));
1940  }
1941 #endif
1942 }
1943 
1944 /*
1945  * Calculate CheckPointSegments based on max_wal_size_mb and
1946  * checkpoint_completion_target.
1947  */
1948 static void
1950 {
1951  double target;
1952 
1953  /*-------
1954  * Calculate the distance at which to trigger a checkpoint, to avoid
1955  * exceeding max_wal_size_mb. This is based on two assumptions:
1956  *
1957  * a) we keep WAL for only one checkpoint cycle (prior to PG11 we kept
1958  * WAL for two checkpoint cycles to allow us to recover from the
1959  * secondary checkpoint if the first checkpoint failed, though we
1960  * only did this on the primary anyway, not on standby. Keeping just
1961  * one checkpoint simplifies processing and reduces disk space in
1962  * many smaller databases.)
1963  * b) during checkpoint, we consume checkpoint_completion_target *
1964  * number of segments consumed between checkpoints.
1965  *-------
1966  */
1967  target = (double) ConvertToXSegs(max_wal_size_mb, wal_segment_size) /
1969 
1970  /* round down */
1971  CheckPointSegments = (int) target;
1972 
1973  if (CheckPointSegments < 1)
1974  CheckPointSegments = 1;
1975 }
1976 
1977 void
1978 assign_max_wal_size(int newval, void *extra)
1979 {
1982 }
1983 
1984 void
1986 {
1989 }
1990 
1991 /*
1992  * At a checkpoint, how many WAL segments to recycle as preallocated future
1993  * XLOG segments? Returns the highest segment that should be preallocated.
1994  */
1995 static XLogSegNo
1997 {
1998  XLogSegNo minSegNo;
1999  XLogSegNo maxSegNo;
2000  double distance;
2001  XLogSegNo recycleSegNo;
2002 
2003  /*
2004  * Calculate the segment numbers that min_wal_size_mb and max_wal_size_mb
2005  * correspond to. Always recycle enough segments to meet the minimum, and
2006  * remove enough segments to stay below the maximum.
2007  */
2008  minSegNo = lastredoptr / wal_segment_size +
2010  maxSegNo = lastredoptr / wal_segment_size +
2012 
2013  /*
2014  * Between those limits, recycle enough segments to get us through to the
2015  * estimated end of next checkpoint.
2016  *
2017  * To estimate where the next checkpoint will finish, assume that the
2018  * system runs steadily consuming CheckPointDistanceEstimate bytes between
2019  * every checkpoint.
2020  */
2022  /* add 10% for good measure. */
2023  distance *= 1.10;
2024 
2025  recycleSegNo = (XLogSegNo) ceil(((double) lastredoptr + distance) /
2027 
2028  if (recycleSegNo < minSegNo)
2029  recycleSegNo = minSegNo;
2030  if (recycleSegNo > maxSegNo)
2031  recycleSegNo = maxSegNo;
2032 
2033  return recycleSegNo;
2034 }
2035 
2036 /*
2037  * Check whether we've consumed enough xlog space that a checkpoint is needed.
2038  *
2039  * new_segno indicates a log file that has just been filled up (or read
2040  * during recovery). We measure the distance from RedoRecPtr to new_segno
2041  * and see if that exceeds CheckPointSegments.
2042  *
2043  * Note: it is caller's responsibility that RedoRecPtr is up-to-date.
2044  */
2045 bool
2047 {
2048  XLogSegNo old_segno;
2049 
2051 
2052  if (new_segno >= old_segno + (uint64) (CheckPointSegments - 1))
2053  return true;
2054  return false;
2055 }
2056 
2057 /*
2058  * Write and/or fsync the log at least as far as WriteRqst indicates.
2059  *
2060  * If flexible == true, we don't have to write as far as WriteRqst, but
2061  * may stop at any convenient boundary (such as a cache or logfile boundary).
2062  * This option allows us to avoid uselessly issuing multiple writes when a
2063  * single one would do.
2064  *
2065  * Must be called with WALWriteLock held. WaitXLogInsertionsToFinish(WriteRqst)
2066  * must be called before grabbing the lock, to make sure the data is ready to
2067  * write.
2068  */
2069 static void
2070 XLogWrite(XLogwrtRqst WriteRqst, TimeLineID tli, bool flexible)
2071 {
2072  bool ispartialpage;
2073  bool last_iteration;
2074  bool finishing_seg;
2075  int curridx;
2076  int npages;
2077  int startidx;
2078  uint32 startoffset;
2079 
2080  /* We should always be inside a critical section here */
2081  Assert(CritSectionCount > 0);
2082 
2083  /*
2084  * Update local LogwrtResult (caller probably did this already, but...)
2085  */
2087 
2088  /*
2089  * Since successive pages in the xlog cache are consecutively allocated,
2090  * we can usually gather multiple pages together and issue just one
2091  * write() call. npages is the number of pages we have determined can be
2092  * written together; startidx is the cache block index of the first one,
2093  * and startoffset is the file offset at which it should go. The latter
2094  * two variables are only valid when npages > 0, but we must initialize
2095  * all of them to keep the compiler quiet.
2096  */
2097  npages = 0;
2098  startidx = 0;
2099  startoffset = 0;
2100 
2101  /*
2102  * Within the loop, curridx is the cache block index of the page to
2103  * consider writing. Begin at the buffer containing the next unwritten
2104  * page, or last partially written page.
2105  */
2107 
2108  while (LogwrtResult.Write < WriteRqst.Write)
2109  {
2110  /*
2111  * Make sure we're not ahead of the insert process. This could happen
2112  * if we're passed a bogus WriteRqst.Write that is past the end of the
2113  * last page that's been initialized by AdvanceXLInsertBuffer.
2114  */
2115  XLogRecPtr EndPtr = XLogCtl->xlblocks[curridx];
2116 
2117  if (LogwrtResult.Write >= EndPtr)
2118  elog(PANIC, "xlog write request %X/%X is past end of log %X/%X",
2120  LSN_FORMAT_ARGS(EndPtr));
2121 
2122  /* Advance LogwrtResult.Write to end of current buffer page */
2123  LogwrtResult.Write = EndPtr;
2124  ispartialpage = WriteRqst.Write < LogwrtResult.Write;
2125 
2128  {
2129  /*
2130  * Switch to new logfile segment. We cannot have any pending
2131  * pages here (since we dump what we have at segment end).
2132  */
2133  Assert(npages == 0);
2134  if (openLogFile >= 0)
2135  XLogFileClose();
2138  openLogTLI = tli;
2139 
2140  /* create/use new log file */
2143  }
2144 
2145  /* Make sure we have the current logfile open */
2146  if (openLogFile < 0)
2147  {
2150  openLogTLI = tli;
2153  }
2154 
2155  /* Add current page to the set of pending pages-to-dump */
2156  if (npages == 0)
2157  {
2158  /* first of group */
2159  startidx = curridx;
2160  startoffset = XLogSegmentOffset(LogwrtResult.Write - XLOG_BLCKSZ,
2162  }
2163  npages++;
2164 
2165  /*
2166  * Dump the set if this will be the last loop iteration, or if we are
2167  * at the last page of the cache area (since the next page won't be
2168  * contiguous in memory), or if we are at the end of the logfile
2169  * segment.
2170  */
2171  last_iteration = WriteRqst.Write <= LogwrtResult.Write;
2172 
2173  finishing_seg = !ispartialpage &&
2174  (startoffset + npages * XLOG_BLCKSZ) >= wal_segment_size;
2175 
2176  if (last_iteration ||
2177  curridx == XLogCtl->XLogCacheBlck ||
2178  finishing_seg)
2179  {
2180  char *from;
2181  Size nbytes;
2182  Size nleft;
2183  int written;
2184  instr_time start;
2185 
2186  /* OK to write the page(s) */
2187  from = XLogCtl->pages + startidx * (Size) XLOG_BLCKSZ;
2188  nbytes = npages * (Size) XLOG_BLCKSZ;
2189  nleft = nbytes;
2190  do
2191  {
2192  errno = 0;
2193 
2194  /* Measure I/O timing to write WAL data */
2195  if (track_wal_io_timing)
2196  INSTR_TIME_SET_CURRENT(start);
2197 
2199  written = pg_pwrite(openLogFile, from, nleft, startoffset);
2201 
2202  /*
2203  * Increment the I/O timing and the number of times WAL data
2204  * were written out to disk.
2205  */
2206  if (track_wal_io_timing)
2207  {
2209 
2211  INSTR_TIME_SUBTRACT(duration, start);
2213  }
2214 
2216 
2217  if (written <= 0)
2218  {
2219  char xlogfname[MAXFNAMELEN];
2220  int save_errno;
2221 
2222  if (errno == EINTR)
2223  continue;
2224 
2225  save_errno = errno;
2226  XLogFileName(xlogfname, tli, openLogSegNo,
2228  errno = save_errno;
2229  ereport(PANIC,
2231  errmsg("could not write to log file %s "
2232  "at offset %u, length %zu: %m",
2233  xlogfname, startoffset, nleft)));
2234  }
2235  nleft -= written;
2236  from += written;
2237  startoffset += written;
2238  } while (nleft > 0);
2239 
2240  npages = 0;
2241 
2242  /*
2243  * If we just wrote the whole last page of a logfile segment,
2244  * fsync the segment immediately. This avoids having to go back
2245  * and re-open prior segments when an fsync request comes along
2246  * later. Doing it here ensures that one and only one backend will
2247  * perform this fsync.
2248  *
2249  * This is also the right place to notify the Archiver that the
2250  * segment is ready to copy to archival storage, and to update the
2251  * timer for archive_timeout, and to signal for a checkpoint if
2252  * too many logfile segments have been used since the last
2253  * checkpoint.
2254  */
2255  if (finishing_seg)
2256  {
2258 
2259  /* signal that we need to wakeup walsenders later */
2261 
2262  LogwrtResult.Flush = LogwrtResult.Write; /* end of page */
2263 
2264  if (XLogArchivingActive())
2266 
2267  XLogCtl->lastSegSwitchTime = (pg_time_t) time(NULL);
2269 
2270  /*
2271  * Request a checkpoint if we've consumed too much xlog since
2272  * the last one. For speed, we first check using the local
2273  * copy of RedoRecPtr, which might be out of date; if it looks
2274  * like a checkpoint is needed, forcibly update RedoRecPtr and
2275  * recheck.
2276  */
2278  {
2279  (void) GetRedoRecPtr();
2282  }
2283  }
2284  }
2285 
2286  if (ispartialpage)
2287  {
2288  /* Only asked to write a partial page */
2289  LogwrtResult.Write = WriteRqst.Write;
2290  break;
2291  }
2292  curridx = NextBufIdx(curridx);
2293 
2294  /* If flexible, break out of loop as soon as we wrote something */
2295  if (flexible && npages == 0)
2296  break;
2297  }
2298 
2299  Assert(npages == 0);
2300 
2301  /*
2302  * If asked to flush, do so
2303  */
2304  if (LogwrtResult.Flush < WriteRqst.Flush &&
2306  {
2307  /*
2308  * Could get here without iterating above loop, in which case we might
2309  * have no open file or the wrong one. However, we do not need to
2310  * fsync more than one file.
2311  */
2312  if (sync_method != SYNC_METHOD_OPEN &&
2314  {
2315  if (openLogFile >= 0 &&
2318  XLogFileClose();
2319  if (openLogFile < 0)
2320  {
2323  openLogTLI = tli;
2326  }
2327 
2329  }
2330 
2331  /* signal that we need to wakeup walsenders later */
2333 
2335  }
2336 
2337  /*
2338  * Update shared-memory status
2339  *
2340  * We make sure that the shared 'request' values do not fall behind the
2341  * 'result' values. This is not absolutely essential, but it saves some
2342  * code in a couple of places.
2343  */
2344  {
2352  }
2353 }
2354 
2355 /*
2356  * Record the LSN for an asynchronous transaction commit/abort
2357  * and nudge the WALWriter if there is work for it to do.
2358  * (This should not be called for synchronous commits.)
2359  */
2360 void
2362 {
2363  XLogRecPtr WriteRqstPtr = asyncXactLSN;
2364  bool sleeping;
2365 
2368  sleeping = XLogCtl->WalWriterSleeping;
2369  if (XLogCtl->asyncXactLSN < asyncXactLSN)
2370  XLogCtl->asyncXactLSN = asyncXactLSN;
2372 
2373  /*
2374  * If the WALWriter is sleeping, we should kick it to make it come out of
2375  * low-power mode. Otherwise, determine whether there's a full page of
2376  * WAL available to write.
2377  */
2378  if (!sleeping)
2379  {
2380  /* back off to last completed page boundary */
2381  WriteRqstPtr -= WriteRqstPtr % XLOG_BLCKSZ;
2382 
2383  /* if we have already flushed that far, we're done */
2384  if (WriteRqstPtr <= LogwrtResult.Flush)
2385  return;
2386  }
2387 
2388  /*
2389  * Nudge the WALWriter: it has a full page of WAL to write, or we want it
2390  * to come out of low-power mode so that this async commit will reach disk
2391  * within the expected amount of time.
2392  */
2395 }
2396 
2397 /*
2398  * Record the LSN up to which we can remove WAL because it's not required by
2399  * any replication slot.
2400  */
2401 void
2403 {
2407 }
2408 
2409 
2410 /*
2411  * Return the oldest LSN we must retain to satisfy the needs of some
2412  * replication slot.
2413  */
2414 static XLogRecPtr
2416 {
2417  XLogRecPtr retval;
2418 
2420  retval = XLogCtl->replicationSlotMinLSN;
2422 
2423  return retval;
2424 }
2425 
2426 /*
2427  * Advance minRecoveryPoint in control file.
2428  *
2429  * If we crash during recovery, we must reach this point again before the
2430  * database is consistent.
2431  *
2432  * If 'force' is true, 'lsn' argument is ignored. Otherwise, minRecoveryPoint
2433  * is only updated if it's not already greater than or equal to 'lsn'.
2434  */
2435 static void
2437 {
2438  /* Quick check using our local copy of the variable */
2439  if (!updateMinRecoveryPoint || (!force && lsn <= LocalMinRecoveryPoint))
2440  return;
2441 
2442  /*
2443  * An invalid minRecoveryPoint means that we need to recover all the WAL,
2444  * i.e., we're doing crash recovery. We never modify the control file's
2445  * value in that case, so we can short-circuit future checks here too. The
2446  * local values of minRecoveryPoint and minRecoveryPointTLI should not be
2447  * updated until crash recovery finishes. We only do this for the startup
2448  * process as it should not update its own reference of minRecoveryPoint
2449  * until it has finished crash recovery to make sure that all WAL
2450  * available is replayed in this case. This also saves from extra locks
2451  * taken on the control file from the startup process.
2452  */
2454  {
2455  updateMinRecoveryPoint = false;
2456  return;
2457  }
2458 
2459  LWLockAcquire(ControlFileLock, LW_EXCLUSIVE);
2460 
2461  /* update local copy */
2464 
2466  updateMinRecoveryPoint = false;
2467  else if (force || LocalMinRecoveryPoint < lsn)
2468  {
2469  XLogRecPtr newMinRecoveryPoint;
2470  TimeLineID newMinRecoveryPointTLI;
2471 
2472  /*
2473  * To avoid having to update the control file too often, we update it
2474  * all the way to the last record being replayed, even though 'lsn'
2475  * would suffice for correctness. This also allows the 'force' case
2476  * to not need a valid 'lsn' value.
2477  *
2478  * Another important reason for doing it this way is that the passed
2479  * 'lsn' value could be bogus, i.e., past the end of available WAL, if
2480  * the caller got it from a corrupted heap page. Accepting such a
2481  * value as the min recovery point would prevent us from coming up at
2482  * all. Instead, we just log a warning and continue with recovery.
2483  * (See also the comments about corrupt LSNs in XLogFlush.)
2484  */
2485  newMinRecoveryPoint = GetCurrentReplayRecPtr(&newMinRecoveryPointTLI);
2486  if (!force && newMinRecoveryPoint < lsn)
2487  elog(WARNING,
2488  "xlog min recovery request %X/%X is past current point %X/%X",
2489  LSN_FORMAT_ARGS(lsn), LSN_FORMAT_ARGS(newMinRecoveryPoint));
2490 
2491  /* update control file */
2492  if (ControlFile->minRecoveryPoint < newMinRecoveryPoint)
2493  {
2494  ControlFile->minRecoveryPoint = newMinRecoveryPoint;
2495  ControlFile->minRecoveryPointTLI = newMinRecoveryPointTLI;
2497  LocalMinRecoveryPoint = newMinRecoveryPoint;
2498  LocalMinRecoveryPointTLI = newMinRecoveryPointTLI;
2499 
2500  ereport(DEBUG2,
2501  (errmsg_internal("updated min recovery point to %X/%X on timeline %u",
2502  LSN_FORMAT_ARGS(newMinRecoveryPoint),
2503  newMinRecoveryPointTLI)));
2504  }
2505  }
2506  LWLockRelease(ControlFileLock);
2507 }
2508 
2509 /*
2510  * Ensure that all XLOG data through the given position is flushed to disk.
2511  *
2512  * NOTE: this differs from XLogWrite mainly in that the WALWriteLock is not
2513  * already held, and we try to avoid acquiring it if possible.
2514  */
2515 void
2517 {
2518  XLogRecPtr WriteRqstPtr;
2519  XLogwrtRqst WriteRqst;
2520  TimeLineID insertTLI = XLogCtl->InsertTimeLineID;
2521 
2522  /*
2523  * During REDO, we are reading not writing WAL. Therefore, instead of
2524  * trying to flush the WAL, we should update minRecoveryPoint instead. We
2525  * test XLogInsertAllowed(), not InRecovery, because we need checkpointer
2526  * to act this way too, and because when it tries to write the
2527  * end-of-recovery checkpoint, it should indeed flush.
2528  */
2529  if (!XLogInsertAllowed())
2530  {
2531  UpdateMinRecoveryPoint(record, false);
2532  return;
2533  }
2534 
2535  /* Quick exit if already known flushed */
2536  if (record <= LogwrtResult.Flush)
2537  return;
2538 
2539 #ifdef WAL_DEBUG
2540  if (XLOG_DEBUG)
2541  elog(LOG, "xlog flush request %X/%X; write %X/%X; flush %X/%X",
2542  LSN_FORMAT_ARGS(record),
2545 #endif
2546 
2548 
2549  /*
2550  * Since fsync is usually a horribly expensive operation, we try to
2551  * piggyback as much data as we can on each fsync: if we see any more data
2552  * entered into the xlog buffer, we'll write and fsync that too, so that
2553  * the final value of LogwrtResult.Flush is as large as possible. This
2554  * gives us some chance of avoiding another fsync immediately after.
2555  */
2556 
2557  /* initialize to given target; may increase below */
2558  WriteRqstPtr = record;
2559 
2560  /*
2561  * Now wait until we get the write lock, or someone else does the flush
2562  * for us.
2563  */
2564  for (;;)
2565  {
2566  XLogRecPtr insertpos;
2567 
2568  /* read LogwrtResult and update local state */
2570  if (WriteRqstPtr < XLogCtl->LogwrtRqst.Write)
2571  WriteRqstPtr = XLogCtl->LogwrtRqst.Write;
2574 
2575  /* done already? */
2576  if (record <= LogwrtResult.Flush)
2577  break;
2578 
2579  /*
2580  * Before actually performing the write, wait for all in-flight
2581  * insertions to the pages we're about to write to finish.
2582  */
2583  insertpos = WaitXLogInsertionsToFinish(WriteRqstPtr);
2584 
2585  /*
2586  * Try to get the write lock. If we can't get it immediately, wait
2587  * until it's released, and recheck if we still need to do the flush
2588  * or if the backend that held the lock did it for us already. This
2589  * helps to maintain a good rate of group committing when the system
2590  * is bottlenecked by the speed of fsyncing.
2591  */
2592  if (!LWLockAcquireOrWait(WALWriteLock, LW_EXCLUSIVE))
2593  {
2594  /*
2595  * The lock is now free, but we didn't acquire it yet. Before we
2596  * do, loop back to check if someone else flushed the record for
2597  * us already.
2598  */
2599  continue;
2600  }
2601 
2602  /* Got the lock; recheck whether request is satisfied */
2604  if (record <= LogwrtResult.Flush)
2605  {
2606  LWLockRelease(WALWriteLock);
2607  break;
2608  }
2609 
2610  /*
2611  * Sleep before flush! By adding a delay here, we may give further
2612  * backends the opportunity to join the backlog of group commit
2613  * followers; this can significantly improve transaction throughput,
2614  * at the risk of increasing transaction latency.
2615  *
2616  * We do not sleep if enableFsync is not turned on, nor if there are
2617  * fewer than CommitSiblings other backends with active transactions.
2618  */
2619  if (CommitDelay > 0 && enableFsync &&
2621  {
2623 
2624  /*
2625  * Re-check how far we can now flush the WAL. It's generally not
2626  * safe to call WaitXLogInsertionsToFinish while holding
2627  * WALWriteLock, because an in-progress insertion might need to
2628  * also grab WALWriteLock to make progress. But we know that all
2629  * the insertions up to insertpos have already finished, because
2630  * that's what the earlier WaitXLogInsertionsToFinish() returned.
2631  * We're only calling it again to allow insertpos to be moved
2632  * further forward, not to actually wait for anyone.
2633  */
2634  insertpos = WaitXLogInsertionsToFinish(insertpos);
2635  }
2636 
2637  /* try to write/flush later additions to XLOG as well */
2638  WriteRqst.Write = insertpos;
2639  WriteRqst.Flush = insertpos;
2640 
2641  XLogWrite(WriteRqst, insertTLI, false);
2642 
2643  LWLockRelease(WALWriteLock);
2644  /* done */
2645  break;
2646  }
2647 
2648  END_CRIT_SECTION();
2649 
2650  /* wake up walsenders now that we've released heavily contended locks */
2652 
2653  /*
2654  * If we still haven't flushed to the request point then we have a
2655  * problem; most likely, the requested flush point is past end of XLOG.
2656  * This has been seen to occur when a disk page has a corrupted LSN.
2657  *
2658  * Formerly we treated this as a PANIC condition, but that hurts the
2659  * system's robustness rather than helping it: we do not want to take down
2660  * the whole system due to corruption on one data page. In particular, if
2661  * the bad page is encountered again during recovery then we would be
2662  * unable to restart the database at all! (This scenario actually
2663  * happened in the field several times with 7.1 releases.) As of 8.4, bad
2664  * LSNs encountered during recovery are UpdateMinRecoveryPoint's problem;
2665  * the only time we can reach here during recovery is while flushing the
2666  * end-of-recovery checkpoint record, and we don't expect that to have a
2667  * bad LSN.
2668  *
2669  * Note that for calls from xact.c, the ERROR will be promoted to PANIC
2670  * since xact.c calls this routine inside a critical section. However,
2671  * calls from bufmgr.c are not within critical sections and so we will not
2672  * force a restart for a bad LSN on a data page.
2673  */
2674  if (LogwrtResult.Flush < record)
2675  elog(ERROR,
2676  "xlog flush request %X/%X is not satisfied --- flushed only to %X/%X",
2677  LSN_FORMAT_ARGS(record),
2679 }
2680 
2681 /*
2682  * Write & flush xlog, but without specifying exactly where to.
2683  *
2684  * We normally write only completed blocks; but if there is nothing to do on
2685  * that basis, we check for unwritten async commits in the current incomplete
2686  * block, and write through the latest one of those. Thus, if async commits
2687  * are not being used, we will write complete blocks only.
2688  *
2689  * If, based on the above, there's anything to write we do so immediately. But
2690  * to avoid calling fsync, fdatasync et. al. at a rate that'd impact
2691  * concurrent IO, we only flush WAL every wal_writer_delay ms, or if there's
2692  * more than wal_writer_flush_after unflushed blocks.
2693  *
2694  * We can guarantee that async commits reach disk after at most three
2695  * wal_writer_delay cycles. (When flushing complete blocks, we allow XLogWrite
2696  * to write "flexibly", meaning it can stop at the end of the buffer ring;
2697  * this makes a difference only with very high load or long wal_writer_delay,
2698  * but imposes one extra cycle for the worst case for async commits.)
2699  *
2700  * This routine is invoked periodically by the background walwriter process.
2701  *
2702  * Returns true if there was any work to do, even if we skipped flushing due
2703  * to wal_writer_delay/wal_writer_flush_after.
2704  */
2705 bool
2707 {
2708  XLogwrtRqst WriteRqst;
2709  bool flexible = true;
2710  static TimestampTz lastflush;
2711  TimestampTz now;
2712  int flushbytes;
2713  TimeLineID insertTLI;
2714 
2715  /* XLOG doesn't need flushing during recovery */
2716  if (RecoveryInProgress())
2717  return false;
2718 
2719  /*
2720  * Since we're not in recovery, InsertTimeLineID is set and can't change,
2721  * so we can read it without a lock.
2722  */
2723  insertTLI = XLogCtl->InsertTimeLineID;
2724 
2725  /* read LogwrtResult and update local state */
2728  WriteRqst = XLogCtl->LogwrtRqst;
2730 
2731  /* back off to last completed page boundary */
2732  WriteRqst.Write -= WriteRqst.Write % XLOG_BLCKSZ;
2733 
2734  /* if we have already flushed that far, consider async commit records */
2735  if (WriteRqst.Write <= LogwrtResult.Flush)
2736  {
2738  WriteRqst.Write = XLogCtl->asyncXactLSN;
2740  flexible = false; /* ensure it all gets written */
2741  }
2742 
2743  /*
2744  * If already known flushed, we're done. Just need to check if we are
2745  * holding an open file handle to a logfile that's no longer in use,
2746  * preventing the file from being deleted.
2747  */
2748  if (WriteRqst.Write <= LogwrtResult.Flush)
2749  {
2750  if (openLogFile >= 0)
2751  {
2754  {
2755  XLogFileClose();
2756  }
2757  }
2758  return false;
2759  }
2760 
2761  /*
2762  * Determine how far to flush WAL, based on the wal_writer_delay and
2763  * wal_writer_flush_after GUCs.
2764  */
2766  flushbytes =
2767  WriteRqst.Write / XLOG_BLCKSZ - LogwrtResult.Flush / XLOG_BLCKSZ;
2768 
2769  if (WalWriterFlushAfter == 0 || lastflush == 0)
2770  {
2771  /* first call, or block based limits disabled */
2772  WriteRqst.Flush = WriteRqst.Write;
2773  lastflush = now;
2774  }
2775  else if (TimestampDifferenceExceeds(lastflush, now, WalWriterDelay))
2776  {
2777  /*
2778  * Flush the writes at least every WalWriterDelay ms. This is
2779  * important to bound the amount of time it takes for an asynchronous
2780  * commit to hit disk.
2781  */
2782  WriteRqst.Flush = WriteRqst.Write;
2783  lastflush = now;
2784  }
2785  else if (flushbytes >= WalWriterFlushAfter)
2786  {
2787  /* exceeded wal_writer_flush_after blocks, flush */
2788  WriteRqst.Flush = WriteRqst.Write;
2789  lastflush = now;
2790  }
2791  else
2792  {
2793  /* no flushing, this time round */
2794  WriteRqst.Flush = 0;
2795  }
2796 
2797 #ifdef WAL_DEBUG
2798  if (XLOG_DEBUG)
2799  elog(LOG, "xlog bg flush request write %X/%X; flush: %X/%X, current is write %X/%X; flush %X/%X",
2800  LSN_FORMAT_ARGS(WriteRqst.Write),
2801  LSN_FORMAT_ARGS(WriteRqst.Flush),
2804 #endif
2805 
2807 
2808  /* now wait for any in-progress insertions to finish and get write lock */
2809  WaitXLogInsertionsToFinish(WriteRqst.Write);
2810  LWLockAcquire(WALWriteLock, LW_EXCLUSIVE);
2812  if (WriteRqst.Write > LogwrtResult.Write ||
2813  WriteRqst.Flush > LogwrtResult.Flush)
2814  {
2815  XLogWrite(WriteRqst, insertTLI, flexible);
2816  }
2817  LWLockRelease(WALWriteLock);
2818 
2819  END_CRIT_SECTION();
2820 
2821  /* wake up walsenders now that we've released heavily contended locks */
2823 
2824  /*
2825  * Great, done. To take some work off the critical path, try to initialize
2826  * as many of the no-longer-needed WAL buffers for future use as we can.
2827  */
2828  AdvanceXLInsertBuffer(InvalidXLogRecPtr, insertTLI, true);
2829 
2830  /*
2831  * If we determined that we need to write data, but somebody else
2832  * wrote/flushed already, it should be considered as being active, to
2833  * avoid hibernating too early.
2834  */
2835  return true;
2836 }
2837 
2838 /*
2839  * Test whether XLOG data has been flushed up to (at least) the given position.
2840  *
2841  * Returns true if a flush is still needed. (It may be that someone else
2842  * is already in process of flushing that far, however.)
2843  */
2844 bool
2846 {
2847  /*
2848  * During recovery, we don't flush WAL but update minRecoveryPoint
2849  * instead. So "needs flush" is taken to mean whether minRecoveryPoint
2850  * would need to be updated.
2851  */
2852  if (RecoveryInProgress())
2853  {
2854  /*
2855  * An invalid minRecoveryPoint means that we need to recover all the
2856  * WAL, i.e., we're doing crash recovery. We never modify the control
2857  * file's value in that case, so we can short-circuit future checks
2858  * here too. This triggers a quick exit path for the startup process,
2859  * which cannot update its local copy of minRecoveryPoint as long as
2860  * it has not replayed all WAL available when doing crash recovery.
2861  */
2863  updateMinRecoveryPoint = false;
2864 
2865  /* Quick exit if already known to be updated or cannot be updated */
2867  return false;
2868 
2869  /*
2870  * Update local copy of minRecoveryPoint. But if the lock is busy,
2871  * just return a conservative guess.
2872  */
2873  if (!LWLockConditionalAcquire(ControlFileLock, LW_SHARED))
2874  return true;
2877  LWLockRelease(ControlFileLock);
2878 
2879  /*
2880  * Check minRecoveryPoint for any other process than the startup
2881  * process doing crash recovery, which should not update the control
2882  * file value if crash recovery is still running.
2883  */
2885  updateMinRecoveryPoint = false;
2886 
2887  /* check again */
2889  return false;
2890  else
2891  return true;
2892  }
2893 
2894  /* Quick exit if already known flushed */
2895  if (record <= LogwrtResult.Flush)
2896  return false;
2897 
2898  /* read LogwrtResult and update local state */
2902 
2903  /* check again */
2904  if (record <= LogwrtResult.Flush)
2905  return false;
2906 
2907  return true;
2908 }
2909 
2910 /*
2911  * Try to make a given XLOG file segment exist.
2912  *
2913  * logsegno: identify segment.
2914  *
2915  * *added: on return, true if this call raised the number of extant segments.
2916  *
2917  * path: on return, this char[MAXPGPATH] has the path to the logsegno file.
2918  *
2919  * Returns -1 or FD of opened file. A -1 here is not an error; a caller
2920  * wanting an open segment should attempt to open "path", which usually will
2921  * succeed. (This is weird, but it's efficient for the callers.)
2922  */
2923 static int
2925  bool *added, char *path)
2926 {
2927  char tmppath[MAXPGPATH];
2928  PGAlignedXLogBlock zbuffer;
2929  XLogSegNo installed_segno;
2930  XLogSegNo max_segno;
2931  int fd;
2932  int save_errno;
2933 
2934  Assert(logtli != 0);
2935 
2936  XLogFilePath(path, logtli, logsegno, wal_segment_size);
2937 
2938  /*
2939  * Try to use existent file (checkpoint maker may have created it already)
2940  */
2941  *added = false;
2942  fd = BasicOpenFile(path, O_RDWR | PG_BINARY | get_sync_bit(sync_method));
2943  if (fd < 0)
2944  {
2945  if (errno != ENOENT)
2946  ereport(ERROR,
2948  errmsg("could not open file \"%s\": %m", path)));
2949  }
2950  else
2951  return fd;
2952 
2953  /*
2954  * Initialize an empty (all zeroes) segment. NOTE: it is possible that
2955  * another process is doing the same thing. If so, we will end up
2956  * pre-creating an extra log segment. That seems OK, and better than
2957  * holding the lock throughout this lengthy process.
2958  */
2959  elog(DEBUG2, "creating and filling new WAL file");
2960 
2961  snprintf(tmppath, MAXPGPATH, XLOGDIR "/xlogtemp.%d", (int) getpid());
2962 
2963  unlink(tmppath);
2964 
2965  /* do not use get_sync_bit() here --- want to fsync only at end of fill */
2966  fd = BasicOpenFile(tmppath, O_RDWR | O_CREAT | O_EXCL | PG_BINARY);
2967  if (fd < 0)
2968  ereport(ERROR,
2970  errmsg("could not create file \"%s\": %m", tmppath)));
2971 
2972  memset(zbuffer.data, 0, XLOG_BLCKSZ);
2973 
2975  save_errno = 0;
2976  if (wal_init_zero)
2977  {
2978  struct iovec iov[PG_IOV_MAX];
2979  int blocks;
2980 
2981  /*
2982  * Zero-fill the file. With this setting, we do this the hard way to
2983  * ensure that all the file space has really been allocated. On
2984  * platforms that allow "holes" in files, just seeking to the end
2985  * doesn't allocate intermediate space. This way, we know that we
2986  * have all the space and (after the fsync below) that all the
2987  * indirect blocks are down on disk. Therefore, fdatasync(2) or
2988  * O_DSYNC will be sufficient to sync future writes to the log file.
2989  */
2990 
2991  /* Prepare to write out a lot of copies of our zero buffer at once. */
2992  for (int i = 0; i < lengthof(iov); ++i)
2993  {
2994  iov[i].iov_base = zbuffer.data;
2995  iov[i].iov_len = XLOG_BLCKSZ;
2996  }
2997 
2998  /* Loop, writing as many blocks as we can for each system call. */
2999  blocks = wal_segment_size / XLOG_BLCKSZ;
3000  for (int i = 0; i < blocks;)
3001  {
3002  int iovcnt = Min(blocks - i, lengthof(iov));
3003  off_t offset = i * XLOG_BLCKSZ;
3004 
3005  if (pg_pwritev_with_retry(fd, iov, iovcnt, offset) < 0)
3006  {
3007  save_errno = errno;
3008  break;
3009  }
3010 
3011  i += iovcnt;
3012  }
3013  }
3014  else
3015  {
3016  /*
3017  * Otherwise, seeking to the end and writing a solitary byte is
3018  * enough.
3019  */
3020  errno = 0;
3021  if (pg_pwrite(fd, zbuffer.data, 1, wal_segment_size - 1) != 1)
3022  {
3023  /* if write didn't set errno, assume no disk space */
3024  save_errno = errno ? errno : ENOSPC;
3025  }
3026  }
3028 
3029  if (save_errno)
3030  {
3031  /*
3032  * If we fail to make the file, delete it to release disk space
3033  */
3034  unlink(tmppath);
3035 
3036  close(fd);
3037 
3038  errno = save_errno;
3039 
3040  ereport(ERROR,
3042  errmsg("could not write to file \"%s\": %m", tmppath)));
3043  }
3044 
3046  if (pg_fsync(fd) != 0)
3047  {
3048  save_errno = errno;
3049  close(fd);
3050  errno = save_errno;
3051  ereport(ERROR,
3053  errmsg("could not fsync file \"%s\": %m", tmppath)));
3054  }
3056 
3057  if (close(fd) != 0)
3058  ereport(ERROR,
3060  errmsg("could not close file \"%s\": %m", tmppath)));
3061 
3062  /*
3063  * Now move the segment into place with its final name. Cope with
3064  * possibility that someone else has created the file while we were
3065  * filling ours: if so, use ours to pre-create a future log segment.
3066  */
3067  installed_segno = logsegno;
3068 
3069  /*
3070  * XXX: What should we use as max_segno? We used to use XLOGfileslop when
3071  * that was a constant, but that was always a bit dubious: normally, at a
3072  * checkpoint, XLOGfileslop was the offset from the checkpoint record, but
3073  * here, it was the offset from the insert location. We can't do the
3074  * normal XLOGfileslop calculation here because we don't have access to
3075  * the prior checkpoint's redo location. So somewhat arbitrarily, just use
3076  * CheckPointSegments.
3077  */
3078  max_segno = logsegno + CheckPointSegments;
3079  if (InstallXLogFileSegment(&installed_segno, tmppath, true, max_segno,
3080  logtli))
3081  {
3082  *added = true;
3083  elog(DEBUG2, "done creating and filling new WAL file");
3084  }
3085  else
3086  {
3087  /*
3088  * No need for any more future segments, or InstallXLogFileSegment()
3089  * failed to rename the file into place. If the rename failed, a
3090  * caller opening the file may fail.
3091  */
3092  unlink(tmppath);
3093  elog(DEBUG2, "abandoned new WAL file");
3094  }
3095 
3096  return -1;
3097 }
3098 
3099 /*
3100  * Create a new XLOG file segment, or open a pre-existing one.
3101  *
3102  * logsegno: identify segment to be created/opened.
3103  *
3104  * Returns FD of opened file.
3105  *
3106  * Note: errors here are ERROR not PANIC because we might or might not be
3107  * inside a critical section (eg, during checkpoint there is no reason to
3108  * take down the system on failure). They will promote to PANIC if we are
3109  * in a critical section.
3110  */
3111 int
3113 {
3114  bool ignore_added;
3115  char path[MAXPGPATH];
3116  int fd;
3117 
3118  Assert(logtli != 0);
3119 
3120  fd = XLogFileInitInternal(logsegno, logtli, &ignore_added, path);
3121  if (fd >= 0)
3122  return fd;
3123 
3124  /* Now open original target segment (might not be file I just made) */
3125  fd = BasicOpenFile(path, O_RDWR | PG_BINARY | get_sync_bit(sync_method));
3126  if (fd < 0)
3127  ereport(ERROR,
3129  errmsg("could not open file \"%s\": %m", path)));
3130  return fd;
3131 }
3132 
3133 /*
3134  * Create a new XLOG file segment by copying a pre-existing one.
3135  *
3136  * destsegno: identify segment to be created.
3137  *
3138  * srcTLI, srcsegno: identify segment to be copied (could be from
3139  * a different timeline)
3140  *
3141  * upto: how much of the source file to copy (the rest is filled with
3142  * zeros)
3143  *
3144  * Currently this is only used during recovery, and so there are no locking
3145  * considerations. But we should be just as tense as XLogFileInit to avoid
3146  * emplacing a bogus file.
3147  */
3148 static void
3149 XLogFileCopy(TimeLineID destTLI, XLogSegNo destsegno,
3150  TimeLineID srcTLI, XLogSegNo srcsegno,
3151  int upto)
3152 {
3153  char path[MAXPGPATH];
3154  char tmppath[MAXPGPATH];
3155  PGAlignedXLogBlock buffer;
3156  int srcfd;
3157  int fd;
3158  int nbytes;
3159 
3160  /*
3161  * Open the source file
3162  */
3163  XLogFilePath(path, srcTLI, srcsegno, wal_segment_size);
3164  srcfd = OpenTransientFile(path, O_RDONLY | PG_BINARY);
3165  if (srcfd < 0)
3166  ereport(ERROR,
3168  errmsg("could not open file \"%s\": %m", path)));
3169 
3170  /*
3171  * Copy into a temp file name.
3172  */
3173  snprintf(tmppath, MAXPGPATH, XLOGDIR "/xlogtemp.%d", (int) getpid());
3174 
3175  unlink(tmppath);
3176 
3177  /* do not use get_sync_bit() here --- want to fsync only at end of fill */
3178  fd = OpenTransientFile(tmppath, O_RDWR | O_CREAT | O_EXCL | PG_BINARY);
3179  if (fd < 0)
3180  ereport(ERROR,
3182  errmsg("could not create file \"%s\": %m", tmppath)));
3183 
3184  /*
3185  * Do the data copying.
3186  */
3187  for (nbytes = 0; nbytes < wal_segment_size; nbytes += sizeof(buffer))
3188  {
3189  int nread;
3190 
3191  nread = upto - nbytes;
3192 
3193  /*
3194  * The part that is not read from the source file is filled with
3195  * zeros.
3196  */
3197  if (nread < sizeof(buffer))
3198  memset(buffer.data, 0, sizeof(buffer));
3199 
3200  if (nread > 0)
3201  {
3202  int r;
3203 
3204  if (nread > sizeof(buffer))
3205  nread = sizeof(buffer);
3207  r = read(srcfd, buffer.data, nread);
3208  if (r != nread)
3209  {
3210  if (r < 0)
3211  ereport(ERROR,
3213  errmsg("could not read file \"%s\": %m",
3214  path)));
3215  else
3216  ereport(ERROR,
3218  errmsg("could not read file \"%s\": read %d of %zu",
3219  path, r, (Size) nread)));
3220  }
3222  }
3223  errno = 0;
3225  if ((int) write(fd, buffer.data, sizeof(buffer)) != (int) sizeof(buffer))
3226  {
3227  int save_errno = errno;
3228 
3229  /*
3230  * If we fail to make the file, delete it to release disk space
3231  */
3232  unlink(tmppath);
3233  /* if write didn't set errno, assume problem is no disk space */
3234  errno = save_errno ? save_errno : ENOSPC;
3235 
3236  ereport(ERROR,
3238  errmsg("could not write to file \"%s\": %m", tmppath)));
3239  }
3241  }
3242 
3244  if (pg_fsync(fd) != 0)
3247  errmsg("could not fsync file \"%s\": %m", tmppath)));
3249 
3250  if (CloseTransientFile(fd) != 0)
3251  ereport(ERROR,
3253  errmsg("could not close file \"%s\": %m", tmppath)));
3254 
3255  if (CloseTransientFile(srcfd) != 0)
3256  ereport(ERROR,
3258  errmsg("could not close file \"%s\": %m", path)));
3259 
3260  /*
3261  * Now move the segment into place with its final name.
3262  */
3263  if (!InstallXLogFileSegment(&destsegno, tmppath, false, 0, destTLI))
3264  elog(ERROR, "InstallXLogFileSegment should not have failed");
3265 }
3266 
3267 /*
3268  * Install a new XLOG segment file as a current or future log segment.
3269  *
3270  * This is used both to install a newly-created segment (which has a temp
3271  * filename while it's being created) and to recycle an old segment.
3272  *
3273  * *segno: identify segment to install as (or first possible target).
3274  * When find_free is true, this is modified on return to indicate the
3275  * actual installation location or last segment searched.
3276  *
3277  * tmppath: initial name of file to install. It will be renamed into place.
3278  *
3279  * find_free: if true, install the new segment at the first empty segno
3280  * number at or after the passed numbers. If false, install the new segment
3281  * exactly where specified, deleting any existing segment file there.
3282  *
3283  * max_segno: maximum segment number to install the new file as. Fail if no
3284  * free slot is found between *segno and max_segno. (Ignored when find_free
3285  * is false.)
3286  *
3287  * tli: The timeline on which the new segment should be installed.
3288  *
3289  * Returns true if the file was installed successfully. false indicates that
3290  * max_segno limit was exceeded, the startup process has disabled this
3291  * function for now, or an error occurred while renaming the file into place.
3292  */
3293 static bool
3294 InstallXLogFileSegment(XLogSegNo *segno, char *tmppath,
3295  bool find_free, XLogSegNo max_segno, TimeLineID tli)
3296 {
3297  char path[MAXPGPATH];
3298  struct stat stat_buf;
3299 
3300  Assert(tli != 0);
3301 
3302  XLogFilePath(path, tli, *segno, wal_segment_size);
3303 
3304  LWLockAcquire(ControlFileLock, LW_EXCLUSIVE);
3306  {
3307  LWLockRelease(ControlFileLock);
3308  return false;
3309  }
3310 
3311  if (!find_free)
3312  {
3313  /* Force installation: get rid of any pre-existing segment file */
3314  durable_unlink(path, DEBUG1);
3315  }
3316  else
3317  {
3318  /* Find a free slot to put it in */
3319  while (stat(path, &stat_buf) == 0)
3320  {
3321  if ((*segno) >= max_segno)
3322  {
3323  /* Failed to find a free slot within specified range */
3324  LWLockRelease(ControlFileLock);
3325  return false;
3326  }
3327  (*segno)++;
3328  XLogFilePath(path, tli, *segno, wal_segment_size);
3329  }
3330  }
3331 
3332  Assert(access(path, F_OK) != 0 && errno == ENOENT);
3333  if (durable_rename(tmppath, path, LOG) != 0)
3334  {
3335  LWLockRelease(ControlFileLock);
3336  /* durable_rename already emitted log message */
3337  return false;
3338  }
3339 
3340  LWLockRelease(ControlFileLock);
3341 
3342  return true;
3343 }
3344 
3345 /*
3346  * Open a pre-existing logfile segment for writing.
3347  */
3348 int
3350 {
3351  char path[MAXPGPATH];
3352  int fd;
3353 
3354  XLogFilePath(path, tli, segno, wal_segment_size);
3355 
3356  fd = BasicOpenFile(path, O_RDWR | PG_BINARY | get_sync_bit(sync_method));
3357  if (fd < 0)
3358  ereport(PANIC,
3360  errmsg("could not open file \"%s\": %m", path)));
3361 
3362  return fd;
3363 }
3364 
3365 /*
3366  * Close the current logfile segment for writing.
3367  */
3368 static void
3370 {
3371  Assert(openLogFile >= 0);
3372 
3373  /*
3374  * WAL segment files will not be re-read in normal operation, so we advise
3375  * the OS to release any cached pages. But do not do so if WAL archiving
3376  * or streaming is active, because archiver and walsender process could
3377  * use the cache to read the WAL segment.
3378  */
3379 #if defined(USE_POSIX_FADVISE) && defined(POSIX_FADV_DONTNEED)
3380  if (!XLogIsNeeded())
3381  (void) posix_fadvise(openLogFile, 0, 0, POSIX_FADV_DONTNEED);
3382 #endif
3383 
3384  if (close(openLogFile) != 0)
3385  {
3386  char xlogfname[MAXFNAMELEN];
3387  int save_errno = errno;
3388 
3390  errno = save_errno;
3391  ereport(PANIC,
3393  errmsg("could not close file \"%s\": %m", xlogfname)));
3394  }
3395 
3396  openLogFile = -1;
3398 }
3399 
3400 /*
3401  * Preallocate log files beyond the specified log endpoint.
3402  *
3403  * XXX this is currently extremely conservative, since it forces only one
3404  * future log segment to exist, and even that only if we are 75% done with
3405  * the current one. This is only appropriate for very low-WAL-volume systems.
3406  * High-volume systems will be OK once they've built up a sufficient set of
3407  * recycled log segments, but the startup transient is likely to include
3408  * a lot of segment creations by foreground processes, which is not so good.
3409  *
3410  * XLogFileInitInternal() can ereport(ERROR). All known causes indicate big
3411  * trouble; for example, a full filesystem is one cause. The checkpoint WAL
3412  * and/or ControlFile updates already completed. If a RequestCheckpoint()
3413  * initiated the present checkpoint and an ERROR ends this function, the
3414  * command that called RequestCheckpoint() fails. That's not ideal, but it's
3415  * not worth contorting more functions to use caller-specified elevel values.
3416  * (With or without RequestCheckpoint(), an ERROR forestalls some inessential
3417  * reporting and resource reclamation.)
3418  */
3419 static void
3421 {
3422  XLogSegNo _logSegNo;
3423  int lf;
3424  bool added;
3425  char path[MAXPGPATH];
3426  uint64 offset;
3427 
3429  return; /* unlocked check says no */
3430 
3431  XLByteToPrevSeg(endptr, _logSegNo, wal_segment_size);
3432  offset = XLogSegmentOffset(endptr - 1, wal_segment_size);
3433  if (offset >= (uint32) (0.75 * wal_segment_size))
3434  {
3435  _logSegNo++;
3436  lf = XLogFileInitInternal(_logSegNo, tli, &added, path);
3437  if (lf >= 0)
3438  close(lf);
3439  if (added)
3441  }
3442 }
3443 
3444 /*
3445  * Throws an error if the given log segment has already been removed or
3446  * recycled. The caller should only pass a segment that it knows to have
3447  * existed while the server has been running, as this function always
3448  * succeeds if no WAL segments have been removed since startup.
3449  * 'tli' is only used in the error message.
3450  *
3451  * Note: this function guarantees to keep errno unchanged on return.
3452  * This supports callers that use this to possibly deliver a better
3453  * error message about a missing file, while still being able to throw
3454  * a normal file-access error afterwards, if this does return.
3455  */
3456 void
3458 {
3459  int save_errno = errno;
3460  XLogSegNo lastRemovedSegNo;
3461 
3463  lastRemovedSegNo = XLogCtl->lastRemovedSegNo;
3465 
3466  if (segno <= lastRemovedSegNo)
3467  {
3468  char filename[MAXFNAMELEN];
3469 
3470  XLogFileName(filename, tli, segno, wal_segment_size);
3471  errno = save_errno;
3472  ereport(ERROR,
3474  errmsg("requested WAL segment %s has already been removed",
3475  filename)));
3476  }
3477  errno = save_errno;
3478 }
3479 
3480 /*
3481  * Return the last WAL segment removed, or 0 if no segment has been removed
3482  * since startup.
3483  *
3484  * NB: the result can be out of date arbitrarily fast, the caller has to deal
3485  * with that.
3486  */
3487 XLogSegNo
3489 {
3490  XLogSegNo lastRemovedSegNo;
3491 
3493  lastRemovedSegNo = XLogCtl->lastRemovedSegNo;
3495 
3496  return lastRemovedSegNo;
3497 }
3498 
3499 
3500 /*
3501  * Update the last removed segno pointer in shared memory, to reflect that the
3502  * given XLOG file has been removed.
3503  */
3504 static void
3506 {
3507  uint32 tli;
3508  XLogSegNo segno;
3509 
3510  XLogFromFileName(filename, &tli, &segno, wal_segment_size);
3511 
3513  if (segno > XLogCtl->lastRemovedSegNo)
3514  XLogCtl->lastRemovedSegNo = segno;
3516 }
3517 
3518 /*
3519  * Remove all temporary log files in pg_wal
3520  *
3521  * This is called at the beginning of recovery after a previous crash,
3522  * at a point where no other processes write fresh WAL data.
3523  */
3524 static void
3526 {
3527  DIR *xldir;
3528  struct dirent *xlde;
3529 
3530  elog(DEBUG2, "removing all temporary WAL segments");
3531 
3532  xldir = AllocateDir(XLOGDIR);
3533  while ((xlde = ReadDir(xldir, XLOGDIR)) != NULL)
3534  {
3535  char path[MAXPGPATH];
3536 
3537  if (strncmp(xlde->d_name, "xlogtemp.", 9) != 0)
3538  continue;
3539 
3540  snprintf(path, MAXPGPATH, XLOGDIR "/%s", xlde->d_name);
3541  unlink(path);
3542  elog(DEBUG2, "removed temporary WAL segment \"%s\"", path);
3543  }
3544  FreeDir(xldir);
3545 }
3546 
3547 /*
3548  * Recycle or remove all log files older or equal to passed segno.
3549  *
3550  * endptr is current (or recent) end of xlog, and lastredoptr is the
3551  * redo pointer of the last checkpoint. These are used to determine
3552  * whether we want to recycle rather than delete no-longer-wanted log files.
3553  *
3554  * insertTLI is the current timeline for XLOG insertion. Any recycled
3555  * segments should be reused for this timeline.
3556  */
3557 static void
3559  TimeLineID insertTLI)
3560 {
3561  DIR *xldir;
3562  struct dirent *xlde;
3563  char lastoff[MAXFNAMELEN];
3564  XLogSegNo endlogSegNo;
3565  XLogSegNo recycleSegNo;
3566 
3567  /* Initialize info about where to try to recycle to */
3568  XLByteToSeg(endptr, endlogSegNo, wal_segment_size);
3569  recycleSegNo = XLOGfileslop(lastredoptr);
3570 
3571  /*
3572  * Construct a filename of the last segment to be kept. The timeline ID
3573  * doesn't matter, we ignore that in the comparison. (During recovery,
3574  * InsertTimeLineID isn't set, so we can't use that.)
3575  */
3576  XLogFileName(lastoff, 0, segno, wal_segment_size);
3577 
3578  elog(DEBUG2, "attempting to remove WAL segments older than log file %s",
3579  lastoff);
3580 
3581  xldir = AllocateDir(XLOGDIR);
3582 
3583  while ((xlde = ReadDir(xldir, XLOGDIR)) != NULL)
3584  {
3585  /* Ignore files that are not XLOG segments */
3586  if (!IsXLogFileName(xlde->d_name) &&
3587  !IsPartialXLogFileName(xlde->d_name))
3588  continue;
3589 
3590  /*
3591  * We ignore the timeline part of the XLOG segment identifiers in
3592  * deciding whether a segment is still needed. This ensures that we
3593  * won't prematurely remove a segment from a parent timeline. We could
3594  * probably be a little more proactive about removing segments of
3595  * non-parent timelines, but that would be a whole lot more
3596  * complicated.
3597  *
3598  * We use the alphanumeric sorting property of the filenames to decide
3599  * which ones are earlier than the lastoff segment.
3600  */
3601  if (strcmp(xlde->d_name + 8, lastoff + 8) <= 0)
3602  {
3603  if (XLogArchiveCheckDone(xlde->d_name))
3604  {
3605  /* Update the last removed location in shared memory first */
3607 
3608  RemoveXlogFile(xlde, recycleSegNo, &endlogSegNo, insertTLI);
3609  }
3610  }
3611  }
3612 
3613  FreeDir(xldir);
3614 }
3615 
3616 /*
3617  * Remove WAL files that are not part of the given timeline's history.
3618  *
3619  * This is called during recovery, whenever we switch to follow a new
3620  * timeline, and at the end of recovery when we create a new timeline. We
3621  * wouldn't otherwise care about extra WAL files lying in pg_wal, but they
3622  * might be leftover pre-allocated or recycled WAL segments on the old timeline
3623  * that we haven't used yet, and contain garbage. If we just leave them in
3624  * pg_wal, they will eventually be archived, and we can't let that happen.
3625  * Files that belong to our timeline history are valid, because we have
3626  * successfully replayed them, but from others we can't be sure.
3627  *
3628  * 'switchpoint' is the current point in WAL where we switch to new timeline,
3629  * and 'newTLI' is the new timeline we switch to.
3630  */
3631 void
3633 {
3634  DIR *xldir;
3635  struct dirent *xlde;
3636  char switchseg[MAXFNAMELEN];
3637  XLogSegNo endLogSegNo;
3638  XLogSegNo switchLogSegNo;
3639  XLogSegNo recycleSegNo;
3640 
3641  /*
3642  * Initialize info about where to begin the work. This will recycle,
3643  * somewhat arbitrarily, 10 future segments.
3644  */
3645  XLByteToPrevSeg(switchpoint, switchLogSegNo, wal_segment_size);
3646  XLByteToSeg(switchpoint, endLogSegNo, wal_segment_size);
3647  recycleSegNo = endLogSegNo + 10;
3648 
3649  /*
3650  * Construct a filename of the last segment to be kept.
3651  */
3652  XLogFileName(switchseg, newTLI, switchLogSegNo, wal_segment_size);
3653 
3654  elog(DEBUG2, "attempting to remove WAL segments newer than log file %s",
3655  switchseg);
3656 
3657  xldir = AllocateDir(XLOGDIR);
3658 
3659  while ((xlde = ReadDir(xldir, XLOGDIR)) != NULL)
3660  {
3661  /* Ignore files that are not XLOG segments */
3662  if (!IsXLogFileName(xlde->d_name))
3663  continue;
3664 
3665  /*
3666  * Remove files that are on a timeline older than the new one we're
3667  * switching to, but with a segment number >= the first segment on the
3668  * new timeline.
3669  */
3670  if (strncmp(xlde->d_name, switchseg, 8) < 0 &&
3671  strcmp(xlde->d_name + 8, switchseg + 8) > 0)
3672  {
3673  /*
3674  * If the file has already been marked as .ready, however, don't
3675  * remove it yet. It should be OK to remove it - files that are
3676  * not part of our timeline history are not required for recovery
3677  * - but seems safer to let them be archived and removed later.
3678  */
3679  if (!XLogArchiveIsReady(xlde->d_name))
3680  RemoveXlogFile(xlde, recycleSegNo, &endLogSegNo, newTLI);
3681  }
3682  }
3683 
3684  FreeDir(xldir);
3685 }
3686 
3687 /*
3688  * Recycle or remove a log file that's no longer needed.
3689  *
3690  * segment_de is the dirent structure of the segment to recycle or remove.
3691  * recycleSegNo is the segment number to recycle up to. endlogSegNo is
3692  * the segment number of the current (or recent) end of WAL.
3693  *
3694  * endlogSegNo gets incremented if the segment is recycled so as it is not
3695  * checked again with future callers of this function.
3696  *
3697  * insertTLI is the current timeline for XLOG insertion. Any recycled segments
3698  * should be used for this timeline.
3699  */
3700 static void
3701 RemoveXlogFile(const struct dirent *segment_de,
3702  XLogSegNo recycleSegNo, XLogSegNo *endlogSegNo,
3703  TimeLineID insertTLI)
3704 {
3705  char path[MAXPGPATH];
3706 #ifdef WIN32
3707  char newpath[MAXPGPATH];
3708 #endif
3709  const char *segname = segment_de->d_name;
3710 
3711  snprintf(path, MAXPGPATH, XLOGDIR "/%s", segname);
3712 
3713  /*
3714  * Before deleting the file, see if it can be recycled as a future log
3715  * segment. Only recycle normal files, because we don't want to recycle
3716  * symbolic links pointing to a separate archive directory.
3717  */
3718  if (wal_recycle &&
3719  *endlogSegNo <= recycleSegNo &&
3720  XLogCtl->InstallXLogFileSegmentActive && /* callee rechecks this */
3721  get_dirent_type(path, segment_de, false, DEBUG2) == PGFILETYPE_REG &&
3722  InstallXLogFileSegment(endlogSegNo, path,
3723  true, recycleSegNo, insertTLI))
3724  {
3725  ereport(DEBUG2,
3726  (errmsg_internal("recycled write-ahead log file \"%s\"",
3727  segname)));
3729  /* Needn't recheck that slot on future iterations */
3730  (*endlogSegNo)++;
3731  }
3732  else
3733  {
3734  /* No need for any more future segments, or recycling failed ... */
3735  int rc;
3736 
3737  ereport(DEBUG2,
3738  (errmsg_internal("removing write-ahead log file \"%s\"",
3739  segname)));
3740 
3741 #ifdef WIN32
3742 
3743  /*
3744  * On Windows, if another process (e.g another backend) holds the file
3745  * open in FILE_SHARE_DELETE mode, unlink will succeed, but the file
3746  * will still show up in directory listing until the last handle is
3747  * closed. To avoid confusing the lingering deleted file for a live
3748  * WAL file that needs to be archived, rename it before deleting it.
3749  *
3750  * If another process holds the file open without FILE_SHARE_DELETE
3751  * flag, rename will fail. We'll try again at the next checkpoint.
3752  */
3753  snprintf(newpath, MAXPGPATH, "%s.deleted", path);
3754  if (rename(path, newpath) != 0)
3755  {
3756  ereport(LOG,
3758  errmsg("could not rename file \"%s\": %m",
3759  path)));
3760  return;
3761  }
3762  rc = durable_unlink(newpath, LOG);
3763 #else
3764  rc = durable_unlink(path, LOG);
3765 #endif
3766  if (rc != 0)
3767  {
3768  /* Message already logged by durable_unlink() */
3769  return;
3770  }
3772  }
3773 
3774  XLogArchiveCleanup(segname);
3775 }
3776 
3777 /*
3778  * Verify whether pg_wal and pg_wal/archive_status exist.
3779  * If the latter does not exist, recreate it.
3780  *
3781  * It is not the goal of this function to verify the contents of these
3782  * directories, but to help in cases where someone has performed a cluster
3783  * copy for PITR purposes but omitted pg_wal from the copy.
3784  *
3785  * We could also recreate pg_wal if it doesn't exist, but a deliberate
3786  * policy decision was made not to. It is fairly common for pg_wal to be
3787  * a symlink, and if that was the DBA's intent then automatically making a
3788  * plain directory would result in degraded performance with no notice.
3789  */
3790 static void
3792 {
3793  char path[MAXPGPATH];
3794  struct stat stat_buf;
3795 
3796  /* Check for pg_wal; if it doesn't exist, error out */
3797  if (stat(XLOGDIR, &stat_buf) != 0 ||
3798  !S_ISDIR(stat_buf.st_mode))
3799  ereport(FATAL,
3800  (errmsg("required WAL directory \"%s\" does not exist",
3801  XLOGDIR)));
3802 
3803  /* Check for archive_status */
3804  snprintf(path, MAXPGPATH, XLOGDIR "/archive_status");
3805  if (stat(path, &stat_buf) == 0)
3806  {
3807  /* Check for weird cases where it exists but isn't a directory */
3808  if (!S_ISDIR(stat_buf.st_mode))
3809  ereport(FATAL,
3810  (errmsg("required WAL directory \"%s\" does not exist",
3811  path)));
3812  }
3813  else
3814  {
3815  ereport(LOG,
3816  (errmsg("creating missing WAL directory \"%s\"", path)));
3817  if (MakePGDirectory(path) < 0)
3818  ereport(FATAL,
3819  (errmsg("could not create missing directory \"%s\": %m",
3820  path)));
3821  }
3822 }
3823 
3824 /*
3825  * Remove previous backup history files. This also retries creation of
3826  * .ready files for any backup history files for which XLogArchiveNotify
3827  * failed earlier.
3828  */
3829 static void
3831 {
3832  DIR *xldir;
3833  struct dirent *xlde;
3834  char path[MAXPGPATH + sizeof(XLOGDIR)];
3835 
3836  xldir = AllocateDir(XLOGDIR);
3837 
3838  while ((xlde = ReadDir(xldir, XLOGDIR)) != NULL)
3839  {
3840  if (IsBackupHistoryFileName(xlde->d_name))
3841  {
3842  if (XLogArchiveCheckDone(xlde->d_name))
3843  {
3844  elog(DEBUG2, "removing WAL backup history file \"%s\"",
3845  xlde->d_name);
3846  snprintf(path, sizeof(path), XLOGDIR "/%s", xlde->d_name);
3847  unlink(path);
3848  XLogArchiveCleanup(xlde->d_name);
3849  }
3850  }
3851  }
3852 
3853  FreeDir(xldir);
3854 }
3855 
3856 /*
3857  * I/O routines for pg_control
3858  *
3859  * *ControlFile is a buffer in shared memory that holds an image of the
3860  * contents of pg_control. WriteControlFile() initializes pg_control
3861  * given a preloaded buffer, ReadControlFile() loads the buffer from
3862  * the pg_control file (during postmaster or standalone-backend startup),
3863  * and UpdateControlFile() rewrites pg_control after we modify xlog state.
3864  * InitControlFile() fills the buffer with initial values.
3865  *
3866  * For simplicity, WriteControlFile() initializes the fields of pg_control
3867  * that are related to checking backend/database compatibility, and
3868  * ReadControlFile() verifies they are correct. We could split out the
3869  * I/O and compatibility-check functions, but there seems no need currently.
3870  */
3871 
3872 static void
3873 InitControlFile(uint64 sysidentifier)
3874 {
3875  char mock_auth_nonce[MOCK_AUTH_NONCE_LEN];
3876 
3877  /*
3878  * Generate a random nonce. This is used for authentication requests that
3879  * will fail because the user does not exist. The nonce is used to create
3880  * a genuine-looking password challenge for the non-existent user, in lieu
3881  * of an actual stored password.
3882  */
3883  if (!pg_strong_random(mock_auth_nonce, MOCK_AUTH_NONCE_LEN))
3884  ereport(PANIC,
3885  (errcode(ERRCODE_INTERNAL_ERROR),
3886  errmsg("could not generate secret authorization token")));
3887 
3888  memset(ControlFile, 0, sizeof(ControlFileData));
3889  /* Initialize pg_control status fields */
3890  ControlFile->system_identifier = sysidentifier;
3891  memcpy(ControlFile->mock_authentication_nonce, mock_auth_nonce, MOCK_AUTH_NONCE_LEN);
3894 
3895  /* Set important parameter values for use when replaying WAL */
3905 }
3906 
3907 static void
3909 {
3910  int fd;
3911  char buffer[PG_CONTROL_FILE_SIZE]; /* need not be aligned */
3912 
3913  /*
3914  * Ensure that the size of the pg_control data structure is sane. See the
3915  * comments for these symbols in pg_control.h.
3916  */
3918  "pg_control is too large for atomic disk writes");
3920  "sizeof(ControlFileData) exceeds PG_CONTROL_FILE_SIZE");
3921 
3922  /*
3923  * Initialize version and compatibility-check fields
3924  */
3927 
3928  ControlFile->maxAlign = MAXIMUM_ALIGNOF;
3930 
3931  ControlFile->blcksz = BLCKSZ;
3932  ControlFile->relseg_size = RELSEG_SIZE;
3933  ControlFile->xlog_blcksz = XLOG_BLCKSZ;
3935 
3938 
3941 
3943 
3944  /* Contents are protected with a CRC */
3947  (char *) ControlFile,
3948  offsetof(ControlFileData, crc));
3950 
3951  /*
3952  * We write out PG_CONTROL_FILE_SIZE bytes into pg_control, zero-padding
3953  * the excess over sizeof(ControlFileData). This reduces the odds of
3954  * premature-EOF errors when reading pg_control. We'll still fail when we
3955  * check the contents of the file, but hopefully with a more specific
3956  * error than "couldn't read pg_control".
3957  */
3958  memset(buffer, 0, PG_CONTROL_FILE_SIZE);
3959  memcpy(buffer, ControlFile, sizeof(ControlFileData));
3960 
3962  O_RDWR | O_CREAT | O_EXCL | PG_BINARY);
3963  if (fd < 0)
3964  ereport(PANIC,
3966  errmsg("could not create file \"%s\": %m",
3967  XLOG_CONTROL_FILE)));
3968 
3969  errno = 0;
3972  {
3973  /* if write didn't set errno, assume problem is no disk space */
3974  if (errno == 0)
3975  errno = ENOSPC;
3976  ereport(PANIC,
3978  errmsg("could not write to file \"%s\": %m",
3979  XLOG_CONTROL_FILE)));
3980  }
3982 
3984  if (pg_fsync(fd) != 0)
3985  ereport(PANIC,
3987  errmsg("could not fsync file \"%s\": %m",
3988  XLOG_CONTROL_FILE)));
3990 
3991  if (close(fd) != 0)
3992  ereport(PANIC,
3994  errmsg("could not close file \"%s\": %m",
3995  XLOG_CONTROL_FILE)));
3996 }
3997 
3998 static void
4000 {
4001  pg_crc32c crc;
4002  int fd;
4003  static char wal_segsz_str[20];
4004  int r;
4005 
4006  /*
4007  * Read data...
4008  */
4010  O_RDWR | PG_BINARY);
4011  if (fd < 0)
4012  ereport(PANIC,
4014  errmsg("could not open file \"%s\": %m",
4015  XLOG_CONTROL_FILE)));
4016 
4018  r = read(fd, ControlFile, sizeof(ControlFileData));
4019  if (r != sizeof(ControlFileData))
4020  {
4021  if (r < 0)
4022  ereport(PANIC,
4024  errmsg("could not read file \"%s\": %m",
4025  XLOG_CONTROL_FILE)));
4026  else
4027  ereport(PANIC,
4029  errmsg("could not read file \"%s\": read %d of %zu",
4030  XLOG_CONTROL_FILE, r, sizeof(ControlFileData))));
4031  }
4033 
4034  close(fd);
4035 
4036  /*
4037  * Check for expected pg_control format version. If this is wrong, the
4038  * CRC check will likely fail because we'll be checking the wrong number
4039  * of bytes. Complaining about wrong version will probably be more
4040  * enlightening than complaining about wrong CRC.
4041  */
4042 
4044  ereport(FATAL,
4045  (errmsg("database files are incompatible with server"),
4046  errdetail("The database cluster was initialized with PG_CONTROL_VERSION %d (0x%08x),"
4047  " but the server was compiled with PG_CONTROL_VERSION %d (0x%08x).",
4050  errhint("This could be a problem of mismatched byte ordering. It looks like you need to initdb.")));
4051 
4053  ereport(FATAL,
4054  (errmsg("database files are incompatible with server"),
4055  errdetail("The database cluster was initialized with PG_CONTROL_VERSION %d,"
4056  " but the server was compiled with PG_CONTROL_VERSION %d.",
4058  errhint("It looks like you need to initdb.")));
4059 
4060  /* Now check the CRC. */
4061  INIT_CRC32C(crc);
4062  COMP_CRC32C(crc,
4063  (char *) ControlFile,
4064  offsetof(ControlFileData, crc));
4065  FIN_CRC32C(crc);
4066 
4067  if (!EQ_CRC32C(crc, ControlFile->crc))
4068  ereport(FATAL,
4069  (errmsg("incorrect checksum in control file")));
4070 
4071  /*
4072  * Do compatibility checking immediately. If the database isn't
4073  * compatible with the backend executable, we want to abort before we can
4074  * possibly do any damage.
4075  */
4077  ereport(FATAL,
4078  (errmsg("database files are incompatible with server"),
4079  errdetail("The database cluster was initialized with CATALOG_VERSION_NO %d,"
4080  " but the server was compiled with CATALOG_VERSION_NO %d.",
4082  errhint("It looks like you need to initdb.")));
4083  if (ControlFile->maxAlign != MAXIMUM_ALIGNOF)
4084  ereport(FATAL,
4085  (errmsg("database files are incompatible with server"),
4086  errdetail("The database cluster was initialized with MAXALIGN %d,"
4087  " but the server was compiled with MAXALIGN %d.",
4088  ControlFile->maxAlign, MAXIMUM_ALIGNOF),
4089  errhint("It looks like you need to initdb.")));
4091  ereport(FATAL,
4092  (errmsg("database files are incompatible with server"),
4093  errdetail("The database cluster appears to use a different floating-point number format than the server executable."),
4094  errhint("It looks like you need to initdb.")));
4095  if (ControlFile->blcksz != BLCKSZ)
4096  ereport(FATAL,
4097  (errmsg("database files are incompatible with server"),
4098  errdetail("The database cluster was initialized with BLCKSZ %d,"
4099  " but the server was compiled with BLCKSZ %d.",
4100  ControlFile->blcksz, BLCKSZ),
4101  errhint("It looks like you need to recompile or initdb.")));
4102  if (ControlFile->relseg_size != RELSEG_SIZE)
4103  ereport(FATAL,
4104  (errmsg("database files are incompatible with server"),
4105  errdetail("The database cluster was initialized with RELSEG_SIZE %d,"
4106  " but the server was compiled with RELSEG_SIZE %d.",
4107  ControlFile->relseg_size, RELSEG_SIZE),
4108  errhint("It looks like you need to recompile or initdb.")));
4109  if (ControlFile->xlog_blcksz != XLOG_BLCKSZ)
4110  ereport(FATAL,
4111  (errmsg("database files are incompatible with server"),
4112  errdetail("The database cluster was initialized with XLOG_BLCKSZ %d,"
4113  " but the server was compiled with XLOG_BLCKSZ %d.",
4114  ControlFile->xlog_blcksz, XLOG_BLCKSZ),
4115  errhint("It looks like you need to recompile or initdb.")));
4117  ereport(FATAL,
4118  (errmsg("database files are incompatible with server"),
4119  errdetail("The database cluster was initialized with NAMEDATALEN %d,"
4120  " but the server was compiled with NAMEDATALEN %d.",
4122  errhint("It looks like you need to recompile or initdb.")));
4124  ereport(FATAL,
4125  (errmsg("database files are incompatible with server"),
4126  errdetail("The database cluster was initialized with INDEX_MAX_KEYS %d,"
4127  " but the server was compiled with INDEX_MAX_KEYS %d.",
4129  errhint("It looks like you need to recompile or initdb.")));
4131  ereport(FATAL,
4132  (errmsg("database files are incompatible with server"),
4133  errdetail("The database cluster was initialized with TOAST_MAX_CHUNK_SIZE %d,"
4134  " but the server was compiled with TOAST_MAX_CHUNK_SIZE %d.",
4136  errhint("It looks like you need to recompile or initdb.")));
4138  ereport(FATAL,
4139  (errmsg("database files are incompatible with server"),
4140  errdetail("The database cluster was initialized with LOBLKSIZE %d,"
4141  " but the server was compiled with LOBLKSIZE %d.",
4142  ControlFile->loblksize, (int) LOBLKSIZE),
4143  errhint("It looks like you need to recompile or initdb.")));
4144 
4145 #ifdef USE_FLOAT8_BYVAL
4146  if (ControlFile->float8ByVal != true)
4147  ereport(FATAL,
4148  (errmsg("database files are incompatible with server"),
4149  errdetail("The database cluster was initialized without USE_FLOAT8_BYVAL"
4150  " but the server was compiled with USE_FLOAT8_BYVAL."),
4151  errhint("It looks like you need to recompile or initdb.")));
4152 #else
4153  if (ControlFile->float8ByVal != false)
4154  ereport(FATAL,
4155  (errmsg("database files are incompatible with server"),
4156  errdetail("The database cluster was initialized with USE_FLOAT8_BYVAL"
4157  " but the server was compiled without USE_FLOAT8_BYVAL."),
4158  errhint("It looks like you need to recompile or initdb.")));
4159 #endif
4160 
4162 
4164  ereport(ERROR, (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
4165  errmsg_plural("WAL segment size must be a power of two between 1 MB and 1 GB, but the control file specifies %d byte",
4166  "WAL segment size must be a power of two between 1 MB and 1 GB, but the control file specifies %d bytes",
4168  wal_segment_size)));
4169 
4170  snprintf(wal_segsz_str, sizeof(wal_segsz_str), "%d", wal_segment_size);
4171  SetConfigOption("wal_segment_size", wal_segsz_str, PGC_INTERNAL,
4173 
4174  /* check and update variables dependent on wal_segment_size */
4176  ereport(ERROR, (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
4177  errmsg("\"min_wal_size\" must be at least twice \"wal_segment_size\"")));
4178 
4180  ereport(ERROR, (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
4181  errmsg("\"max_wal_size\" must be at least twice \"wal_segment_size\"")));
4182 
4184  (wal_segment_size / XLOG_BLCKSZ * UsableBytesInPage) -
4186 
4188 
4189  /* Make the initdb settings visible as GUC variables, too */
4190  SetConfigOption("data_checksums", DataChecksumsEnabled() ? "yes" : "no",
4192 }
4193 
4194 /*
4195  * Utility wrapper to update the control file. Note that the control
4196  * file gets flushed.
4197  */
4198 static void
4200 {
4202 }
4203 
4204 /*
4205  * Returns the unique system identifier from control file.
4206  */
4207 uint64
4209 {
4210  Assert(ControlFile != NULL);
4212 }
4213 
4214 /*
4215  * Returns the random nonce from control file.
4216  */
4217 char *
4219 {
4220  Assert(ControlFile != NULL);
4222 }
4223 
4224 /*
4225  * Are checksums enabled for data pages?
4226  */
4227 bool
4229 {
4230  Assert(ControlFile != NULL);
4231  return (ControlFile->data_checksum_version > 0);
4232 }
4233 
4234 /*
4235  * Returns a fake LSN for unlogged relations.
4236  *
4237  * Each call generates an LSN that is greater than any previous value
4238  * returned. The current counter value is saved and restored across clean
4239  * shutdowns, but like unlogged relations, does not survive a crash. This can
4240  * be used in lieu of real LSN values returned by XLogInsert, if you need an
4241  * LSN-like increasing sequence of numbers without writing any WAL.
4242  */
4243 XLogRecPtr
4245 {
4246  XLogRecPtr nextUnloggedLSN;
4247 
4248  /* increment the unloggedLSN counter, need SpinLock */
4250  nextUnloggedLSN = XLogCtl->unloggedLSN++;
4252 
4253  return nextUnloggedLSN;
4254 }
4255 
4256 /*
4257  * Auto-tune the number of XLOG buffers.
4258  *
4259  * The preferred setting for wal_buffers is about 3% of shared_buffers, with
4260  * a maximum of one XLOG segment (there is little reason to think that more
4261  * is helpful, at least so long as we force an fsync when switching log files)
4262  * and a minimum of 8 blocks (which was the default value prior to PostgreSQL
4263  * 9.1, when auto-tuning was added).
4264  *
4265  * This should not be called until NBuffers has received its final value.
4266  */
4267 static int
4269 {
4270  int xbuffers;
4271 
4272  xbuffers = NBuffers / 32;
4273  if (xbuffers > (wal_segment_size / XLOG_BLCKSZ))
4274  xbuffers = (wal_segment_size / XLOG_BLCKSZ);
4275  if (xbuffers < 8)
4276  xbuffers = 8;
4277  return xbuffers;
4278 }
4279 
4280 /*
4281  * GUC check_hook for wal_buffers
4282  */
4283 bool
4285 {
4286  /*
4287  * -1 indicates a request for auto-tune.
4288  */
4289  if (*newval == -1)
4290  {
4291  /*
4292  * If we haven't yet changed the boot_val default of -1, just let it
4293  * be. We'll fix it when XLOGShmemSize is called.
4294  */
4295  if (XLOGbuffers == -1)
4296  return true;
4297 
4298  /* Otherwise, substitute the auto-tune value */
4300  }
4301 
4302  /*
4303  * We clamp manually-set values to at least 4 blocks. Prior to PostgreSQL
4304  * 9.1, a minimum of 4 was enforced by guc.c, but since that is no longer
4305  * the case, we just silently treat such values as a request for the
4306  * minimum. (We could throw an error instead, but that doesn't seem very
4307  * helpful.)
4308  */
4309  if (*newval < 4)
4310  *newval = 4;
4311 
4312  return true;
4313 }
4314 
4315 /*
4316  * GUC check_hook for wal_consistency_checking
4317  */
4318 bool
4320 {
4321  char *rawstring;
4322  List *elemlist;
4323  ListCell *l;
4324  bool newwalconsistency[RM_MAX_ID + 1];
4325 
4326  /* Initialize the array */
4327  MemSet(newwalconsistency, 0, (RM_MAX_ID + 1) * sizeof(bool));
4328 
4329  /* Need a modifiable copy of string */
4330  rawstring = pstrdup(*newval);
4331 
4332  /* Parse string into list of identifiers */
4333  if (!SplitIdentifierString(rawstring, ',', &elemlist))
4334  {
4335  /* syntax error in list */
4336  GUC_check_errdetail("List syntax is invalid.");
4337  pfree(rawstring);
4338  list_free(elemlist);
4339  return false;
4340  }
4341 
4342  foreach(l, elemlist)
4343  {
4344  char *tok = (char *) lfirst(l);
4345  int rmid;
4346 
4347  /* Check for 'all'. */
4348  if (pg_strcasecmp(tok, "all") == 0)
4349  {
4350  for (rmid = 0; rmid <= RM_MAX_ID; rmid++)
4351  if (RmgrIdExists(rmid) && GetRmgr(rmid).rm_mask != NULL)
4352  newwalconsistency[rmid] = true;
4353  }
4354  else
4355  {
4356  /* Check if the token matches any known resource manager. */
4357  bool found = false;
4358 
4359  for (rmid = 0; rmid <= RM_MAX_ID; rmid++)
4360  {
4361  if (RmgrIdExists(rmid) && GetRmgr(rmid).rm_mask != NULL &&
4362  pg_strcasecmp(tok, GetRmgr(rmid).rm_name) == 0)
4363  {
4364  newwalconsistency[rmid] = true;
4365  found = true;
4366  break;
4367  }
4368  }
4369  if (!found)
4370  {
4371  /*
4372  * During startup, it might be a not-yet-loaded custom
4373  * resource manager. Defer checking until
4374  * InitializeWalConsistencyChecking().
4375  */
4377  {
4379  }
4380  else
4381  {
4382  GUC_check_errdetail("Unrecognized key word: \"%s\".", tok);
4383  pfree(rawstring);
4384  list_free(elemlist);
4385  return false;
4386  }
4387  }
4388  }
4389  }
4390 
4391  pfree(rawstring);
4392  list_free(elemlist);
4393 
4394  /* assign new value */
4395  *extra = guc_malloc(ERROR, (RM_MAX_ID + 1) * sizeof(bool));
4396  memcpy(*extra, newwalconsistency, (RM_MAX_ID + 1) * sizeof(bool));
4397  return true;
4398 }
4399 
4400 /*
4401  * GUC assign_hook for wal_consistency_checking
4402  */
4403 void
4404 assign_wal_consistency_checking(const char *newval, void *extra)
4405 {
4406  /*
4407  * If some checks were deferred, it's possible that the checks will fail
4408  * later during InitializeWalConsistencyChecking(). But in that case, the
4409  * postmaster will exit anyway, so it's safe to proceed with the
4410  * assignment.
4411  *
4412  * Any built-in resource managers specified are assigned immediately,
4413  * which affects WAL created before shared_preload_libraries are
4414  * processed. Any custom resource managers specified won't be assigned
4415  * until after shared_preload_libraries are processed, but that's OK
4416  * because WAL for a custom resource manager can't be written before the
4417  * module is loaded anyway.
4418  */
4419  wal_consistency_checking = extra;
4420 }
4421 
4422 /*
4423  * InitializeWalConsistencyChecking: run after loading custom resource managers
4424  *
4425  * If any unknown resource managers were specified in the
4426  * wal_consistency_checking GUC, processing was deferred. Now that
4427  * shared_preload_libraries have been loaded, process wal_consistency_checking
4428  * again.
4429  */
4430 void
4432 {
4434 
4436  {
4437  struct config_generic *guc;
4438 
4439  guc = find_option("wal_consistency_checking", false, false, ERROR);
4440 
4442 
4443  set_config_option_ext("wal_consistency_checking",
4445  guc->scontext, guc->source, guc->srole,
4446  GUC_ACTION_SET, true, ERROR, false);
4447 
4448  /* checking should not be deferred again */
4450  }
4451 }
4452 
4453 /*
4454  * GUC show_hook for archive_command
4455  */
4456 const char *
4458 {
4459  if (XLogArchivingActive())
4460  return XLogArchiveCommand;
4461  else
4462  return "(disabled)";
4463 }
4464 
4465 /*
4466  * GUC show_hook for in_hot_standby
4467  */
4468 const char *
4470 {
4471  /*
4472  * We display the actual state based on shared memory, so that this GUC
4473  * reports up-to-date state if examined intra-query. The underlying
4474  * variable (in_hot_standby_guc) changes only when we transmit a new value
4475  * to the client.
4476  */
4477  return RecoveryInProgress() ? "on" : "off";
4478 }
4479 
4480 
4481 /*
4482  * Read the control file, set respective GUCs.
4483  *
4484  * This is to be called during startup, including a crash recovery cycle,
4485  * unless in bootstrap mode, where no control file yet exists. As there's no
4486  * usable shared memory yet (its sizing can depend on the contents of the
4487  * control file!), first store the contents in local memory. XLOGShmemInit()
4488  * will then copy it to shared memory later.
4489  *
4490  * reset just controls whether previous contents are to be expected (in the
4491  * reset case, there's a dangling pointer into old shared memory), or not.
4492  */
4493 void
4495 {
4496  Assert(reset || ControlFile == NULL);
4497  ControlFile = palloc(sizeof(ControlFileData));
4498  ReadControlFile();
4499 }
4500 
4501 /*
4502  * Initialization of shared memory for XLOG
4503  */
4504 Size
4506 {
4507  Size size;
4508 
4509  /*
4510  * If the value of wal_buffers is -1, use the preferred auto-tune value.
4511  * This isn't an amazingly clean place to do this, but we must wait till
4512  * NBuffers has received its final value, and must do it before using the
4513  * value of XLOGbuffers to do anything important.
4514  *
4515  * We prefer to report this value's source as PGC_S_DYNAMIC_DEFAULT.
4516  * However, if the DBA explicitly set wal_buffers = -1 in the config file,
4517  * then PGC_S_DYNAMIC_DEFAULT will fail to override that and we must force
4518  * the matter with PGC_S_OVERRIDE.
4519  */
4520  if (XLOGbuffers == -1)
4521  {
4522  char buf[32];
4523 
4524  snprintf(buf, sizeof(buf), "%d", XLOGChooseNumBuffers());
4525  SetConfigOption("wal_buffers", buf, PGC_POSTMASTER,
4527  if (XLOGbuffers == -1) /* failed to apply it? */
4528  SetConfigOption("wal_buffers", buf, PGC_POSTMASTER,
4529  PGC_S_OVERRIDE);
4530  }
4531  Assert(XLOGbuffers > 0);
4532 
4533  /* XLogCtl */
4534  size = sizeof(XLogCtlData);
4535 
4536  /* WAL insertion locks, plus alignment */
4537  size = add_size(size, mul_size(sizeof(WALInsertLockPadded), NUM_XLOGINSERT_LOCKS + 1));
4538  /* xlblocks array */
4539  size = add_size(size, mul_size(sizeof(XLogRecPtr), XLOGbuffers));
4540  /* extra alignment padding for XLOG I/O buffers */
4541  size = add_size(size, XLOG_BLCKSZ);
4542  /* and the buffers themselves */
4543  size = add_size(size, mul_size(XLOG_BLCKSZ, XLOGbuffers));
4544 
4545  /*
4546  * Note: we don't count ControlFileData, it comes out of the "slop factor"
4547  * added by CreateSharedMemoryAndSemaphores. This lets us use this
4548  * routine again below to compute the actual allocation size.
4549  */
4550 
4551  return size;
4552 }
4553 
4554 void
4556 {
4557  bool foundCFile,
4558  foundXLog;
4559  char *allocptr;
4560  int i;
4561  ControlFileData *localControlFile;
4562 
4563 #ifdef WAL_DEBUG
4564 
4565  /*
4566  * Create a memory context for WAL debugging that's exempt from the normal
4567  * "no pallocs in critical section" rule. Yes, that can lead to a PANIC if
4568  * an allocation fails, but wal_debug is not for production use anyway.
4569  */
4570  if (walDebugCxt == NULL)
4571  {
4573  "WAL Debug",
4575  MemoryContextAllowInCriticalSection(walDebugCxt, true);
4576  }
4577 #endif
4578 
4579 
4580  XLogCtl = (XLogCtlData *)
4581  ShmemInitStruct("XLOG Ctl", XLOGShmemSize(), &foundXLog);
4582 
4583  localControlFile = ControlFile;
4585  ShmemInitStruct("Control File", sizeof(ControlFileData), &foundCFile);
4586 
4587  if (foundCFile || foundXLog)
4588  {
4589  /* both should be present or neither */
4590  Assert(foundCFile && foundXLog);
4591 
4592  /* Initialize local copy of WALInsertLocks */
4594 
4595  if (localControlFile)
4596  pfree(localControlFile);
4597  return;
4598  }
4599  memset(XLogCtl, 0, sizeof(XLogCtlData));
4600 
4601  /*
4602  * Already have read control file locally, unless in bootstrap mode. Move
4603  * contents into shared memory.
4604  */
4605  if (localControlFile)
4606  {
4607  memcpy(ControlFile, localControlFile, sizeof(ControlFileData));
4608  pfree(localControlFile);
4609  }
4610 
4611  /*
4612  * Since XLogCtlData contains XLogRecPtr fields, its sizeof should be a
4613  * multiple of the alignment for same, so no extra alignment padding is
4614  * needed here.
4615  */
4616  allocptr = ((char *) XLogCtl) + sizeof(XLogCtlData);
4617  XLogCtl->xlblocks = (XLogRecPtr *) allocptr;
4618  memset(XLogCtl->xlblocks, 0, sizeof(XLogRecPtr) * XLOGbuffers);
4619  allocptr += sizeof(XLogRecPtr) * XLOGbuffers;
4620 
4621 
4622  /* WAL insertion locks. Ensure they're aligned to the full padded size */
4623  allocptr += sizeof(WALInsertLockPadded) -
4624  ((uintptr_t) allocptr) % sizeof(WALInsertLockPadded);
4626  (WALInsertLockPadded *) allocptr;
4627  allocptr += sizeof(WALInsertLockPadded) * NUM_XLOGINSERT_LOCKS;
4628 
4629  for (i = 0; i < NUM_XLOGINSERT_LOCKS; i++)
4630  {
4634  }
4635 
4636  /*
4637  * Align the start of the page buffers to a full xlog block size boundary.
4638  * This simplifies some calculations in XLOG insertion. It is also
4639  * required for O_DIRECT.
4640  */
4641  allocptr = (char *) TYPEALIGN(XLOG_BLCKSZ, allocptr);
4642  XLogCtl->pages = allocptr;
4643  memset(XLogCtl->pages, 0, (Size) XLOG_BLCKSZ * XLOGbuffers);
4644 
4645  /*
4646  * Do basic initialization of XLogCtl shared data. (StartupXLOG will fill
4647  * in additional info.)
4648  */
4652  XLogCtl->WalWriterSleeping = false;
4653 
4657 }
4658 
4659 /*
4660  * This func must be called ONCE on system install. It creates pg_control
4661  * and the initial XLOG segment.
4662  */
4663 void
4665 {
4666  CheckPoint checkPoint;
4667  char *buffer;
4668  XLogPageHeader page;
4669  XLogLongPageHeader longpage;
4670  XLogRecord *record;
4671  char *recptr;
4672  uint64 sysidentifier;
4673  struct timeval tv;
4674  pg_crc32c crc;
4675 
4676  /* allow ordinary WAL segment creation, like StartupXLOG() would */
4678 
4679  /*
4680  * Select a hopefully-unique system identifier code for this installation.
4681  * We use the result of gettimeofday(), including the fractional seconds
4682  * field, as being about as unique as we can easily get. (Think not to
4683  * use random(), since it hasn't been seeded and there's no portable way
4684  * to seed it other than the system clock value...) The upper half of the
4685  * uint64 value is just the tv_sec part, while the lower half contains the
4686  * tv_usec part (which must fit in 20 bits), plus 12 bits from our current
4687  * PID for a little extra uniqueness. A person knowing this encoding can
4688  * determine the initialization time of the installation, which could
4689  * perhaps be useful sometimes.
4690  */
4691  gettimeofday(&tv, NULL);
4692  sysidentifier = ((uint64) tv.tv_sec) << 32;
4693  sysidentifier |= ((uint64) tv.tv_usec) << 12;
4694  sysidentifier |= getpid() & 0xFFF;
4695 
4696  /* page buffer must be aligned suitably for O_DIRECT */
4697  buffer = (char *) palloc(XLOG_BLCKSZ + XLOG_BLCKSZ);
4698  page = (XLogPageHeader) TYPEALIGN(XLOG_BLCKSZ, buffer);
4699  memset(page, 0, XLOG_BLCKSZ);
4700 
4701  /*
4702  * Set up information for the initial checkpoint record
4703  *
4704  * The initial checkpoint record is written to the beginning of the WAL
4705  * segment with logid=0 logseg=1. The very first WAL segment, 0/0, is not
4706  * used, so that we can use 0/0 to mean "before any valid WAL segment".
4707  */
4708  checkPoint.redo = wal_segment_size + SizeOfXLogLongPHD;
4709  checkPoint.ThisTimeLineID = BootstrapTimeLineID;
4710  checkPoint.PrevTimeLineID = BootstrapTimeLineID;
4711  checkPoint.fullPageWrites = fullPageWrites;
4712  checkPoint.nextXid =
4714  checkPoint.nextOid = FirstGenbkiObjectId;
4715  checkPoint.nextMulti = FirstMultiXactId;
4716  checkPoint.nextMultiOffset = 0;
4717  checkPoint.oldestXid = FirstNormalTransactionId;
4718  checkPoint.oldestXidDB = Template1DbOid;
4719  checkPoint.oldestMulti = FirstMultiXactId;
4720  checkPoint.oldestMultiDB = Template1DbOid;
4723  checkPoint.time = (pg_time_t) time(NULL);
4725 
4726  ShmemVariableCache->nextXid = checkPoint.nextXid;
4727  ShmemVariableCache->nextOid = checkPoint.nextOid;
4729  MultiXactSetNextMXact(checkPoint.nextMulti, checkPoint.nextMultiOffset);
4730  AdvanceOldestClogXid(checkPoint.oldestXid);
4731  SetTransactionIdLimit(checkPoint.oldestXid, checkPoint.oldestXidDB);
4732  SetMultiXactIdLimit(checkPoint.oldestMulti, checkPoint.oldestMultiDB, true);
4734 
4735  /* Set up the XLOG page header */
4736  page->xlp_magic = XLOG_PAGE_MAGIC;
4737  page->xlp_info = XLP_LONG_HEADER;
4738  page->xlp_tli = BootstrapTimeLineID;
4740  longpage = (XLogLongPageHeader) page;
4741  longpage->xlp_sysid = sysidentifier;
4742  longpage->xlp_seg_size = wal_segment_size;
4743  longpage->xlp_xlog_blcksz = XLOG_BLCKSZ;
4744 
4745  /* Insert the initial checkpoint record */
4746  recptr = ((char *) page + SizeOfXLogLongPHD);
4747  record = (XLogRecord *) recptr;
4748  record->xl_prev = 0;
4749  record->xl_xid = InvalidTransactionId;
4750  record->xl_tot_len = SizeOfXLogRecord + SizeOfXLogRecordDataHeaderShort + sizeof(checkPoint);
4752  record->xl_rmid = RM_XLOG_ID;
4753  recptr += SizeOfXLogRecord;
4754  /* fill the XLogRecordDataHeaderShort struct */
4755  *(recptr++) = (char) XLR_BLOCK_ID_DATA_SHORT;
4756  *(recptr++) = sizeof(checkPoint);
4757  memcpy(recptr, &checkPoint, sizeof(checkPoint));
4758  recptr += sizeof(checkPoint);
4759  Assert(recptr - (char *) record == record->xl_tot_len);
4760 
4761  INIT_CRC32C(crc);
4762  COMP_CRC32C(crc, ((char *) record) + SizeOfXLogRecord, record->xl_tot_len - SizeOfXLogRecord);
4763  COMP_CRC32C(crc, (char *) record, offsetof(XLogRecord, xl_crc));
4764  FIN_CRC32C(crc);
4765  record->xl_crc = crc;
4766 
4767  /* Create first XLOG segment file */
4770 
4771  /*
4772  * We needn't bother with Reserve/ReleaseExternalFD here, since we'll
4773  * close the file again in a moment.
4774  */
4775 
4776  /* Write the first page with the initial record */
4777  errno = 0;
4779  if (write(openLogFile, page, XLOG_BLCKSZ) != XLOG_BLCKSZ)
4780  {
4781  /* if write didn't set errno, assume problem is no disk space */
4782  if (errno == 0)
4783  errno = ENOSPC;
4784  ereport(PANIC,
4786  errmsg("could not write bootstrap write-ahead log file: %m")));
4787  }
4789 
4791  if (pg_fsync(openLogFile) != 0)
4792  ereport(PANIC,
4794  errmsg("could not fsync bootstrap write-ahead log file: %m")));
4796 
4797  if (close(openLogFile) != 0)
4798  ereport(PANIC,
4800  errmsg("could not close bootstrap write-ahead log file: %m")));
4801 
4802  openLogFile = -1;
4803 
4804  /* Now create pg_control */
4805  InitControlFile(sysidentifier);
4806  ControlFile->time = checkPoint.time;
4807  ControlFile->checkPoint = checkPoint.redo;
4808  ControlFile->checkPointCopy = checkPoint;
4809 
4810  /* some additional ControlFile fields are set in WriteControlFile() */
4811  WriteControlFile();
4812 
4813  /* Bootstrap the commit log, too */
4814  BootStrapCLOG();
4818 
4819  pfree(buffer);
4820 
4821  /*
4822  * Force control file to be read - in contrast to normal processing we'd
4823  * otherwise never run the checks and GUC related initializations therein.
4824  */
4825  ReadControlFile();
4826 }
4827 
4828 static char *
4830 {
4831  static char buf[128];
4832 
4833  pg_strftime(buf, sizeof(buf),
4834  "%Y-%m-%d %H:%M:%S %Z",
4835  pg_localtime(&tnow, log_timezone));
4836 
4837  return buf;
4838 }
4839 
4840 /*
4841  * Initialize the first WAL segment on new timeline.
4842  */
4843 static void
4845 {
4846  char xlogfname[MAXFNAMELEN];
4847  XLogSegNo endLogSegNo;
4848  XLogSegNo startLogSegNo;
4849 
4850  /* we always switch to a new timeline after archive recovery */
4851  Assert(endTLI != newTLI);
4852 
4853  /*
4854  * Update min recovery point one last time.
4855  */
4857 
4858  /*
4859  * Calculate the last segment on the old timeline, and the first segment
4860  * on the new timeline. If the switch happens in the middle of a segment,
4861  * they are the same, but if the switch happens exactly at a segment
4862  * boundary, startLogSegNo will be endLogSegNo + 1.
4863  */
4864  XLByteToPrevSeg(endOfLog, endLogSegNo, wal_segment_size);
4865  XLByteToSeg(endOfLog, startLogSegNo, wal_segment_size);
4866 
4867  /*
4868  * Initialize the starting WAL segment for the new timeline. If the switch
4869  * happens in the middle of a segment, copy data from the last WAL segment
4870  * of the old timeline up to the switch point, to the starting WAL segment
4871  * on the new timeline.
4872  */
4873  if (endLogSegNo == startLogSegNo)
4874  {
4875  /*
4876  * Make a copy of the file on the new timeline.
4877  *
4878  * Writing WAL isn't allowed yet, so there are no locking
4879  * considerations. But we should be just as tense as XLogFileInit to
4880  * avoid emplacing a bogus file.
4881  */
4882  XLogFileCopy(newTLI, endLogSegNo, endTLI, endLogSegNo,
4883  XLogSegmentOffset(endOfLog, wal_segment_size));
4884  }
4885  else
4886  {
4887  /*
4888  * The switch happened at a segment boundary, so just create the next
4889  * segment on the new timeline.
4890  */
4891  int fd;
4892 
4893  fd = XLogFileInit(startLogSegNo, newTLI);
4894 
4895  if (close(fd) != 0)
4896  {
4897  int save_errno = errno;
4898 
4899  XLogFileName(xlogfname, newTLI, startLogSegNo, wal_segment_size);
4900  errno = save_errno;
4901  ereport(ERROR,
4903  errmsg("could not close file \"%s\": %m", xlogfname)));
4904  }
4905  }
4906 
4907  /*
4908  * Let's just make real sure there are not .ready or .done flags posted
4909  * for the new segment.
4910  */
4911  XLogFileName(xlogfname, newTLI, startLogSegNo, wal_segment_size);
4912  XLogArchiveCleanup(xlogfname);
4913 }
4914 
4915 /*
4916  * Perform cleanup actions at the conclusion of archive recovery.
4917  */
4918 static void
4920  TimeLineID newTLI)
4921 {
4922  /*
4923  * Execute the recovery_end_command, if any.
4924  */
4925  if (recoveryEndCommand && strcmp(recoveryEndCommand, "") != 0)
4927  "recovery_end_command",
4928  true,
4930 
4931  /*
4932  * We switched to a new timeline. Clean up segments on the old timeline.
4933  *
4934  * If there are any higher-numbered segments on the old timeline, remove
4935  * them. They might contain valid WAL, but they might also be
4936  * pre-allocated files containing garbage. In any case, they are not part
4937  * of the new timeline's history so we don't need them.
4938  */
4939  RemoveNonParentXlogFiles(EndOfLog, newTLI);
4940 
4941  /*
4942  * If the switch happened in the middle of a segment, what to do with the
4943  * last, partial segment on the old timeline? If we don't archive it, and
4944  * the server that created the WAL never archives it either (e.g. because
4945  * it was hit by a meteor), it will never make it to the archive. That's
4946  * OK from our point of view, because the new segment that we created with
4947  * the new TLI contains all the WAL from the old timeline up to the switch
4948  * point. But if you later try to do PITR to the "missing" WAL on the old
4949  * timeline, recovery won't find it in the archive. It's physically
4950  * present in the new file with new TLI, but recovery won't look there
4951  * when it's recovering to the older timeline. On the other hand, if we
4952  * archive the partial segment, and the original server on that timeline
4953  * is still running and archives the completed version of the same segment
4954  * later, it will fail. (We used to do that in 9.4 and below, and it
4955  * caused such problems).
4956  *
4957  * As a compromise, we rename the last segment with the .partial suffix,
4958  * and archive it. Archive recovery will never try to read .partial
4959  * segments, so they will normally go unused. But in the odd PITR case,
4960  * the administrator can copy them manually to the pg_wal directory
4961  * (removing the suffix). They can be useful in debugging, too.
4962  *
4963  * If a .done or .ready file already exists for the old timeline, however,
4964  * we had already determined that the segment is complete, so we can let
4965  * it be archived normally. (In particular, if it was restored from the
4966  * archive to begin with, it's expected to have a .done file).
4967  */
4968  if (XLogSegmentOffset(EndOfLog, wal_segment_size) != 0 &&
4970  {
4971  char origfname[MAXFNAMELEN];
4972  XLogSegNo endLogSegNo;
4973 
4974  XLByteToPrevSeg(EndOfLog, endLogSegNo, wal_segment_size);
4975  XLogFileName(origfname, EndOfLogTLI, endLogSegNo, wal_segment_size);
4976 
4977  if (!XLogArchiveIsReadyOrDone(origfname))
4978  {
4979  char origpath[MAXPGPATH];
4980  char partialfname[MAXFNAMELEN];
4981  char partialpath[MAXPGPATH];
4982 
4983  XLogFilePath(origpath, EndOfLogTLI, endLogSegNo, wal_segment_size);
4984  snprintf(partialfname, MAXFNAMELEN, "%s.partial", origfname);
4985  snprintf(partialpath, MAXPGPATH, "%s.partial", origpath);
4986 
4987  /*
4988  * Make sure there's no .done or .ready file for the .partial
4989  * file.
4990  */
4991  XLogArchiveCleanup(partialfname);
4992 
4993  durable_rename(origpath, partialpath, ERROR);
4994  XLogArchiveNotify(partialfname);
4995  }
4996  }
4997 }
4998 
4999 /*
5000  * Check to see if required parameters are set high enough on this server
5001  * for various aspects of recovery operation.
5002  *
5003  * Note that all the parameters which this function tests need to be
5004  * listed in Administrator's Overview section in high-availability.sgml.
5005  * If you change them, don't forget to update the list.
5006  */
5007 static void
5009 {
5010  /*
5011  * For archive recovery, the WAL must be generated with at least 'replica'
5012  * wal_level.
5013  */
5015  {
5016  ereport(FATAL,
5017  (errmsg("WAL was generated with wal_level=minimal, cannot continue recovering"),
5018  errdetail("This happens if you temporarily set wal_level=minimal on the server."),
5019  errhint("Use a backup taken after setting wal_level to higher than minimal.")));
5020  }
5021 
5022  /*
5023  * For Hot Standby, the WAL must be generated with 'replica' mode, and we
5024  * must have at least as many backend slots as the primary.
5025  */
5027  {
5028  /* We ignore autovacuum_max_workers when we make this test. */
5029  RecoveryRequiresIntParameter("max_connections",
5032  RecoveryRequiresIntParameter("max_worker_processes",
5035  RecoveryRequiresIntParameter("max_wal_senders",
5038  RecoveryRequiresIntParameter("max_prepared_transactions",
5041  RecoveryRequiresIntParameter("max_locks_per_transaction",
5044  }
5045 }
5046 
5047 /*
5048  * This must be called ONCE during postmaster or standalone-backend startup
5049  */
5050 void
5052 {
5054  CheckPoint checkPoint;
5055  bool wasShutdown;
5056  bool didCrash;
5057  bool haveTblspcMap;
5058  bool haveBackupLabel;
5059  XLogRecPtr EndOfLog;
5060  TimeLineID EndOfLogTLI;
5061  TimeLineID newTLI;
5062  bool performedWalRecovery;
5063  EndOfWalRecoveryInfo *endOfRecoveryInfo;
5066  TransactionId oldestActiveXID;
5067  bool promoted = false;
5068 
5069  /*
5070  * We should have an aux process resource owner to use, and we should not
5071  * be in a transaction that's installed some other resowner.
5072  */
5074  Assert(CurrentResourceOwner == NULL ||
5077 
5078  /*
5079  * Check that contents look valid.
5080  */
5082  ereport(FATAL,
5083  (errmsg("control file contains invalid checkpoint location")));
5084 
5085  switch (ControlFile->state)
5086  {
5087  case DB_SHUTDOWNED:
5088 
5089  /*
5090  * This is the expected case, so don't be chatty in standalone
5091  * mode
5092  */
5094  (errmsg("database system was shut down at %s",
5095  str_time(ControlFile->time))));
5096  break;
5097 
5099  ereport(LOG,
5100  (errmsg("database system was shut down in recovery at %s",
5101  str_time(ControlFile->time))));
5102  break;
5103 
5104  case DB_SHUTDOWNING:
5105  ereport(LOG,
5106  (errmsg("database system shutdown was interrupted; last known up at %s",
5107  str_time(ControlFile->time))));
5108  break;
5109 
5110  case DB_IN_CRASH_RECOVERY:
5111  ereport(LOG,
5112  (errmsg("database system was interrupted while in recovery at %s",
5114  errhint("This probably means that some data is corrupted and"
5115  " you will have to use the last backup for recovery.")));
5116  break;
5117 
5119  ereport(LOG,
5120  (errmsg("database system was interrupted while in recovery at log time %s",
5122  errhint("If this has occurred more than once some data might be corrupted"
5123  " and you might need to choose an earlier recovery target.")));
5124  break;
5125 
5126  case DB_IN_PRODUCTION:
5127  ereport(LOG,
5128  (errmsg("database system was interrupted; last known up at %s",
5129  str_time(ControlFile->time))));
5130  break;
5131 
5132  default:
5133  ereport(FATAL,
5134  (errmsg("control file contains invalid database cluster state")));
5135  }
5136 
5137  /* This is just to allow attaching to startup process with a debugger */
5138 #ifdef XLOG_REPLAY_DELAY
5140  pg_usleep(60000000L);
5141 #endif
5142 
5143  /*
5144  * Verify that pg_wal and pg_wal/archive_status exist. In cases where
5145  * someone has performed a copy for PITR, these directories may have been
5146  * excluded and need to be re-created.
5147  */
5149 
5150  /* Set up timeout handler needed to report startup progress. */
5154 
5155  /*----------
5156  * If we previously crashed, perform a couple of actions:
5157  *
5158  * - The pg_wal directory may still include some temporary WAL segments
5159  * used when creating a new segment, so perform some clean up to not
5160  * bloat this path. This is done first as there is no point to sync
5161  * this temporary data.
5162  *
5163  * - There might be data which we had written, intending to fsync it, but
5164  * which we had not actually fsync'd yet. Therefore, a power failure in
5165  * the near future might cause earlier unflushed writes to be lost, even
5166  * though more recent data written to disk from here on would be
5167  * persisted. To avoid that, fsync the entire data directory.
5168  */
5169  if (ControlFile->state != DB_SHUTDOWNED &&
5171  {
5174  didCrash = true;
5175  }
5176  else
5177  didCrash = false;
5178 
5179  /*
5180  * Prepare for WAL recovery if needed.
5181  *
5182  * InitWalRecovery analyzes the control file and the backup label file, if
5183  * any. It updates the in-memory ControlFile buffer according to the
5184  * starting checkpoint, and sets InRecovery and ArchiveRecoveryRequested.
5185  * It also applies the tablespace map file, if any.
5186  */
5187  InitWalRecovery(ControlFile, &wasShutdown,
5188  &haveBackupLabel, &haveTblspcMap);
5189  checkPoint = ControlFile->checkPointCopy;
5190 
5191  /* initialize shared memory variables from the checkpoint record */
5192  ShmemVariableCache->nextXid = checkPoint.nextXid;
5193  ShmemVariableCache->nextOid = checkPoint.nextOid;
5195  MultiXactSetNextMXact(checkPoint.nextMulti, checkPoint.nextMultiOffset);
5196  AdvanceOldestClogXid(checkPoint.oldestXid);
5197  SetTransactionIdLimit(checkPoint.oldestXid, checkPoint.oldestXidDB);
5198  SetMultiXactIdLimit(checkPoint.oldestMulti, checkPoint.oldestMultiDB, true);
5200  checkPoint.newestCommitTsXid);
5201  XLogCtl->ckptFullXid = checkPoint.nextXid;
5202 
5203  /*
5204  * Clear out any old relcache cache files. This is *necessary* if we do
5205  * any WAL replay, since that would probably result in the cache files
5206  * being out of sync with database reality. In theory we could leave them
5207  * in place if the database had been cleanly shut down, but it seems
5208  * safest to just remove them always and let them be rebuilt during the
5209  * first backend startup. These files needs to be removed from all
5210  * directories including pg_tblspc, however the symlinks are created only
5211  * after reading tablespace_map file in case of archive recovery from
5212  * backup, so needs to clear old relcache files here after creating
5213  * symlinks.
5214  */
5216 
5217  /*
5218  * Initialize replication slots, before there's a chance to remove
5219  * required resources.
5220  */
5222 
5223  /*
5224  * Startup logical state, needs to be setup now so we have proper data
5225  * during crash recovery.
5226  */
5228 
5229  /*
5230  * Startup CLOG. This must be done after ShmemVariableCache->nextXid has
5231  * been initialized and before we accept connections or begin WAL replay.
5232  */
5233  StartupCLOG();
5234 
5235  /*
5236  * Startup MultiXact. We need to do this early to be able to replay
5237  * truncations.
5238  */
5239  StartupMultiXact();
5240 
5241  /*
5242  * Ditto for commit timestamps. Activate the facility if the setting is
5243  * enabled in the control file, as there should be no tracking of commit
5244  * timestamps done when the setting was disabled. This facility can be
5245  * started or stopped when replaying a XLOG_PARAMETER_CHANGE record.
5246  */
5248  StartupCommitTs();
5249 
5250  /*
5251  * Recover knowledge about replay progress of known replication partners.
5252  */
5254 
5255  /*
5256  * Initialize unlogged LSN. On a clean shutdown, it's restored from the
5257  * control file. On recovery, all unlogged relations are blown away, so
5258  * the unlogged LSN counter can be reset too.
5259  */
5262  else
5264 
5265  /*
5266  * Copy any missing timeline history files between 'now' and the recovery
5267  * target timeline from archive to pg_wal. While we don't need those files
5268  * ourselves - the history file of the recovery target timeline covers all
5269  * the previous timelines in the history too - a cascading standby server
5270  * might be interested in them. Or, if you archive the WAL from this
5271  * server to a different archive than the primary, it'd be good for all
5272  * the history files to get archived there after failover, so that you can
5273  * use one of the old timelines as a PITR target. Timeline history files
5274  * are small, so it's better to copy them unnecessarily than not copy them
5275  * and regret later.
5276  */
5278 
5279  /*
5280  * Before running in recovery, scan pg_twophase and fill in its status to
5281  * be able to work on entries generated by redo. Doing a scan before
5282  * taking any recovery action has the merit to discard any 2PC files that
5283  * are newer than the first record to replay, saving from any conflicts at
5284  * replay. This avoids as well any subsequent scans when doing recovery
5285  * of the on-disk two-phase data.
5286  */
5288 
5289  /*
5290  * When starting with crash recovery, reset pgstat data - it might not be
5291  * valid. Otherwise restore pgstat data. It's safe to do this here,
5292  * because postmaster will not yet have started any other processes.
5293  *
5294  * NB: Restoring replication slot stats relies on slot state to have
5295  * already been restored from disk.
5296  *
5297  * TODO: With a bit of extra work we could just start with a pgstat file
5298  * associated with the checkpoint redo location we're starting from.
5299  */
5300  if (didCrash)
5302  else
5304 
5305  lastFullPageWrites = checkPoint.fullPageWrites;
5306 
5309 
5310  /* REDO */
5311  if (InRecovery)
5312  {
5313  /* Initialize state for RecoveryInProgress() */
5315  if (InArchiveRecovery)
5317  else
5320 
5321  /*
5322  * Update pg_control to show that we are recovering and to show the
5323  * selected checkpoint as the place we are starting from. We also mark
5324  * pg_control with any minimum recovery stop point obtained from a
5325  * backup history file.
5326  *
5327  * No need to hold ControlFileLock yet, we aren't up far enough.
5328  */
5330 
5331  /*
5332  * If there was a backup label file, it's done its job and the info
5333  * has now been propagated into pg_control. We must get rid of the
5334  * label file so that if we crash during recovery, we'll pick up at
5335  * the latest recovery restartpoint instead of going all the way back
5336  * to the backup start point. It seems prudent though to just rename
5337  * the file out of the way rather than delete it completely.
5338  */
5339  if (haveBackupLabel)
5340  {
5341  unlink(BACKUP_LABEL_OLD);
5343  }
5344 
5345  /*
5346  * If there was a tablespace_map file, it's done its job and the
5347  * symlinks have been created. We must get rid of the map file so
5348  * that if we crash during recovery, we don't create symlinks again.
5349  * It seems prudent though to just rename the file out of the way
5350  * rather than delete it completely.
5351  */
5352  if (haveTblspcMap)
5353  {
5354  unlink(TABLESPACE_MAP_OLD);
5356  }
5357 
5358  /*
5359  * Initialize our local copy of minRecoveryPoint. When doing crash
5360  * recovery we want to replay up to the end of WAL. Particularly, in
5361  * the case of a promoted standby minRecoveryPoint value in the
5362  * control file is only updated after the first checkpoint. However,
5363  * if the instance crashes before the first post-recovery checkpoint
5364  * is completed then recovery will use a stale location causing the
5365  * startup process to think that there are still invalid page
5366  * references when checking for data consistency.
5367  */
5368  if (InArchiveRecovery)
5369  {
5372  }
5373  else
5374  {
5377  }
5378 
5379  /* Check that the GUCs used to generate the WAL allow recovery */
5381 
5382  /*
5383  * We're in recovery, so unlogged relations may be trashed and must be
5384  * reset. This should be done BEFORE allowing Hot Standby
5385  * connections, so that read-only backends don't try to read whatever
5386  * garbage is left over from before.
5387  */
5389 
5390  /*
5391  * Likewise, delete any saved transaction snapshot files that got left
5392  * behind by crashed backends.
5393  */
5395 
5396  /*
5397  * Initialize for Hot Standby, if enabled. We won't let backends in
5398  * yet, not until we've reached the min recovery point specified in
5399  * control file and we've established a recovery snapshot from a
5400  * running-xacts WAL record.
5401  */
5403  {
5404  TransactionId *xids;
5405  int nxids;
5406 
5407  ereport(DEBUG1,
5408  (errmsg_internal("initializing for hot standby")));
5409 
5411 
5412  if (wasShutdown)
5413  oldestActiveXID = PrescanPreparedTransactions(&xids, &nxids);
5414  else
5415  oldestActiveXID = checkPoint.oldestActiveXid;
5416  Assert(TransactionIdIsValid(oldestActiveXID));
5417 
5418  /* Tell procarray about the range of xids it has to deal with */
5420 
5421  /*
5422  * Startup subtrans only. CLOG, MultiXact and commit timestamp
5423  * have already been started up and other SLRUs are not maintained
5424  * during recovery and need not be started yet.
5425  */
5426  StartupSUBTRANS(oldestActiveXID);
5427 
5428  /*
5429  * If we're beginning at a shutdown checkpoint, we know that
5430  * nothing was running on the primary at this point. So fake-up an
5431  * empty running-xacts record and use that here and now. Recover
5432  * additional standby state for prepared transactions.
5433  */
5434  if (wasShutdown)
5435  {
5436  RunningTransactionsData running;
5437  TransactionId latestCompletedXid;
5438 
5439  /*
5440  * Construct a RunningTransactions snapshot representing a
5441  * shut down server, with only prepared transactions still
5442  * alive. We're never overflowed at this point because all
5443  * subxids are listed with their parent prepared transactions.
5444  */
5445  running.xcnt = nxids;
5446  running.subxcnt = 0;
5447  running.subxid_overflow = false;
5448  running.nextXid = XidFromFullTransactionId(checkPoint.nextXid);
5449  running.oldestRunningXid = oldestActiveXID;
5450  latestCompletedXid = XidFromFullTransactionId(checkPoint.nextXid);
5451  TransactionIdRetreat(latestCompletedXid);
5452  Assert(TransactionIdIsNormal(latestCompletedXid));
5453  running.latestCompletedXid = latestCompletedXid;
5454  running.xids = xids;
5455 
5456  ProcArrayApplyRecoveryInfo(&running);
5457 
5459  }
5460  }
5461 
5462  /*
5463  * We're all set for replaying the WAL now. Do it.
5464  */
5466  performedWalRecovery = true;
5467  }
5468  else
5469  performedWalRecovery = false;
5470 
5471  /*
5472  * Finish WAL recovery.
5473  */
5474  endOfRecoveryInfo = FinishWalRecovery();
5475  EndOfLog = endOfRecoveryInfo->endOfLog;
5476  EndOfLogTLI = endOfRecoveryInfo->endOfLogTLI;
5477  abortedRecPtr = endOfRecoveryInfo->abortedRecPtr;
5478  missingContrecPtr = endOfRecoveryInfo->missingContrecPtr;
5479 
5480  /*
5481  * Reset ps status display, so as no information related to recovery
5482  * shows up.
5483  */
5484  set_ps_display("");
5485 
5486  /*
5487  * When recovering from a backup (we are in recovery, and archive recovery
5488  * was requested), complain if we did not roll forward far enough to reach
5489  * the point where the database is consistent. For regular online
5490  * backup-from-primary, that means reaching the end-of-backup WAL record
5491  * (at which point we reset backupStartPoint to be Invalid), for
5492  * backup-from-replica (which can't inject records into the WAL stream),
5493  * that point is when we reach the minRecoveryPoint in pg_control (which
5494  * we purposefully copy last when backing up from a replica). For
5495  * pg_rewind (which creates a backup_label with a method of "pg_rewind")
5496  * or snapshot-style backups (which don't), backupEndRequired will be set
5497  * to false.
5498  *
5499  * Note: it is indeed okay to look at the local variable
5500  * LocalMinRecoveryPoint here, even though ControlFile->minRecoveryPoint
5501  * might be further ahead --- ControlFile->minRecoveryPoint cannot have
5502  * been advanced beyond the WAL we processed.
5503  */
5504  if (InRecovery &&
5505  (EndOfLog < LocalMinRecoveryPoint ||
5507  {
5508  /*
5509  * Ran off end of WAL before reaching end-of-backup WAL record, or
5510  * minRecoveryPoint. That's a bad sign, indicating that you tried to
5511  * recover from an online backup but never called pg_backup_stop(), or
5512  * you didn't archive all the WAL needed.
5513  */
5515  {
5517  ereport(FATAL,
5518  (errmsg("WAL ends before end of online backup"),
5519  errhint("All WAL generated while online backup was taken must be available at recovery.")));
5520  else
5521  ereport(FATAL,
5522  (errmsg("WAL ends before consistent recovery point")));
5523  }
5524  }
5525 
5526  /*
5527  * Reset unlogged relations to the contents of their INIT fork. This is
5528  * done AFTER recovery is complete so as to include any unlogged relations
5529  * created during recovery, but BEFORE recovery is marked as having
5530  * completed successfully. Otherwise we'd not retry if any of the post
5531  * end-of-recovery steps fail.
5532  */
5533  if (InRecovery)
5535 
5536  /*
5537  * Pre-scan prepared transactions to find out the range of XIDs present.
5538  * This information is not quite needed yet, but it is positioned here so
5539  * as potential problems are detected before any on-disk change is done.
5540  */
5541  oldestActiveXID = PrescanPreparedTransactions(NULL, NULL);
5542 
5543  /*
5544  * Allow ordinary WAL segment creation before possibly switching to a new
5545  * timeline, which creates a new segment, and after the last ReadRecord().
5546  */
5548 
5549  /*
5550  * Consider whether we need to assign a new timeline ID.
5551  *
5552  * If we did archive recovery, we always assign a new ID. This handles a
5553  * couple of issues. If we stopped short of the end of WAL during
5554  * recovery, then we are clearly generating a new timeline and must assign
5555  * it a unique new ID. Even if we ran to the end, modifying the current
5556  * last segment is problematic because it may result in trying to
5557  * overwrite an already-archived copy of that segment, and we encourage
5558  * DBAs to make their archive_commands reject that. We can dodge the
5559  * problem by making the new active segment have a new timeline ID.
5560  *
5561  * In a normal crash recovery, we can just extend the timeline we were in.
5562  */
5563  newTLI = endOfRecoveryInfo->lastRecTLI;
5565  {
5566  newTLI = findNewestTimeLine(recoveryTargetTLI) + 1;
5567  ereport(LOG,
5568  (errmsg("selected new timeline ID: %u", newTLI)));
5569 
5570  /*
5571  * Make a writable copy of the last WAL segment. (Note that we also
5572  * have a copy of the last block of the old WAL in
5573  * endOfRecovery->lastPage; we will use that below.)
5574  */
5575  XLogInitNewTimeline(EndOfLogTLI, EndOfLog, newTLI);
5576 
5577  /*
5578  * Remove the signal files out of the way, so that we don't
5579  * accidentally re-enter archive recovery mode in a subsequent crash.
5580  */
5581  if (endOfRecoveryInfo->standby_signal_file_found)
5583 
5584  if (endOfRecoveryInfo->recovery_signal_file_found)
5586 
5587  /*
5588  * Write the timeline history file, and have it archived. After this
5589  * point (or rather, as soon as the file is archived), the timeline
5590  * will appear as "taken" in the WAL archive and to any standby
5591  * servers. If we crash before actually switching to the new
5592  * timeline, standby servers will nevertheless think that we switched
5593  * to the new timeline, and will try to connect to the new timeline.
5594  * To minimize the window for that, try to do as little as possible
5595  * between here and writing the end-of-recovery record.
5596  */
5598  EndOfLog, endOfRecoveryInfo->recoveryStopReason);
5599 
5600  ereport(LOG,
5601  (errmsg("archive recovery complete")));
5602  }
5603 
5604  /* Save the selected TimeLineID in shared memory, too */
5605  XLogCtl->InsertTimeLineID = newTLI;
5606  XLogCtl->PrevTimeLineID = endOfRecoveryInfo->lastRecTLI;
5607 
5608  /*
5609  * Actually, if WAL ended in an incomplete record, skip the parts that
5610  * made it through and start writing after the portion that persisted.
5611  * (It's critical to first write an OVERWRITE_CONTRECORD message, which
5612  * we'll do as soon as we're open for writing new WAL.)
5613  */
5615