PostgreSQL Source Code  git master
xlog.c
Go to the documentation of this file.
1 /*-------------------------------------------------------------------------
2  *
3  * xlog.c
4  * PostgreSQL write-ahead log manager
5  *
6  * The Write-Ahead Log (WAL) functionality is split into several source
7  * files, in addition to this one:
8  *
9  * xloginsert.c - Functions for constructing WAL records
10  * xlogrecovery.c - WAL recovery and standby code
11  * xlogreader.c - Facility for reading WAL files and parsing WAL records
12  * xlogutils.c - Helper functions for WAL redo routines
13  *
14  * This file contains functions for coordinating database startup and
15  * checkpointing, and managing the write-ahead log buffers when the
16  * system is running.
17  *
18  * StartupXLOG() is the main entry point of the startup process. It
19  * coordinates database startup, performing WAL recovery, and the
20  * transition from WAL recovery into normal operations.
21  *
22  * XLogInsertRecord() inserts a WAL record into the WAL buffers. Most
23  * callers should not call this directly, but use the functions in
24  * xloginsert.c to construct the WAL record. XLogFlush() can be used
25  * to force the WAL to disk.
26  *
27  * In addition to those, there are many other functions for interrogating
28  * the current system state, and for starting/stopping backups.
29  *
30  *
31  * Portions Copyright (c) 1996-2024, PostgreSQL Global Development Group
32  * Portions Copyright (c) 1994, Regents of the University of California
33  *
34  * src/backend/access/transam/xlog.c
35  *
36  *-------------------------------------------------------------------------
37  */
38 
39 #include "postgres.h"
40 
41 #include <ctype.h>
42 #include <math.h>
43 #include <time.h>
44 #include <fcntl.h>
45 #include <sys/stat.h>
46 #include <sys/time.h>
47 #include <unistd.h>
48 
49 #include "access/clog.h"
50 #include "access/commit_ts.h"
51 #include "access/heaptoast.h"
52 #include "access/multixact.h"
53 #include "access/rewriteheap.h"
54 #include "access/subtrans.h"
55 #include "access/timeline.h"
56 #include "access/transam.h"
57 #include "access/twophase.h"
58 #include "access/xact.h"
59 #include "access/xlog_internal.h"
60 #include "access/xlogarchive.h"
61 #include "access/xloginsert.h"
62 #include "access/xlogreader.h"
63 #include "access/xlogrecovery.h"
64 #include "access/xlogutils.h"
65 #include "backup/basebackup.h"
66 #include "catalog/catversion.h"
67 #include "catalog/pg_control.h"
68 #include "catalog/pg_database.h"
70 #include "common/file_utils.h"
71 #include "executor/instrument.h"
72 #include "miscadmin.h"
73 #include "pg_trace.h"
74 #include "pgstat.h"
75 #include "port/atomics.h"
76 #include "postmaster/bgwriter.h"
77 #include "postmaster/startup.h"
79 #include "postmaster/walwriter.h"
80 #include "replication/origin.h"
81 #include "replication/slot.h"
82 #include "replication/snapbuild.h"
84 #include "replication/walsender.h"
85 #include "storage/bufmgr.h"
86 #include "storage/fd.h"
87 #include "storage/ipc.h"
88 #include "storage/large_object.h"
89 #include "storage/latch.h"
90 #include "storage/predicate.h"
91 #include "storage/proc.h"
92 #include "storage/procarray.h"
93 #include "storage/reinit.h"
94 #include "storage/spin.h"
95 #include "storage/sync.h"
96 #include "utils/guc_hooks.h"
97 #include "utils/guc_tables.h"
98 #include "utils/injection_point.h"
99 #include "utils/ps_status.h"
100 #include "utils/relmapper.h"
101 #include "utils/snapmgr.h"
102 #include "utils/timeout.h"
103 #include "utils/timestamp.h"
104 #include "utils/varlena.h"
105 
106 #ifdef WAL_DEBUG
107 #include "utils/memutils.h"
108 #endif
109 
110 /* timeline ID to be used when bootstrapping */
111 #define BootstrapTimeLineID 1
112 
113 /* User-settable parameters */
114 int max_wal_size_mb = 1024; /* 1 GB */
115 int min_wal_size_mb = 80; /* 80 MB */
117 int XLOGbuffers = -1;
120 char *XLogArchiveCommand = NULL;
121 bool EnableHotStandby = false;
122 bool fullPageWrites = true;
123 bool wal_log_hints = false;
127 bool wal_init_zero = true;
128 bool wal_recycle = true;
129 bool log_checkpoints = true;
132 int CommitDelay = 0; /* precommit delay in microseconds */
133 int CommitSiblings = 5; /* # concurrent xacts needed to sleep */
136 int wal_decode_buffer_size = 512 * 1024;
137 bool track_wal_io_timing = false;
138 
139 #ifdef WAL_DEBUG
140 bool XLOG_DEBUG = false;
141 #endif
142 
144 
145 /*
146  * Number of WAL insertion locks to use. A higher value allows more insertions
147  * to happen concurrently, but adds some CPU overhead to flushing the WAL,
148  * which needs to iterate all the locks.
149  */
150 #define NUM_XLOGINSERT_LOCKS 8
151 
152 /*
153  * Max distance from last checkpoint, before triggering a new xlog-based
154  * checkpoint.
155  */
157 
158 /* Estimated distance between checkpoints, in bytes */
159 static double CheckPointDistanceEstimate = 0;
160 static double PrevCheckPointDistance = 0;
161 
162 /*
163  * Track whether there were any deferred checks for custom resource managers
164  * specified in wal_consistency_checking.
165  */
167 
168 /*
169  * GUC support
170  */
172  {"fsync", WAL_SYNC_METHOD_FSYNC, false},
173 #ifdef HAVE_FSYNC_WRITETHROUGH
174  {"fsync_writethrough", WAL_SYNC_METHOD_FSYNC_WRITETHROUGH, false},
175 #endif
176  {"fdatasync", WAL_SYNC_METHOD_FDATASYNC, false},
177 #ifdef O_SYNC
178  {"open_sync", WAL_SYNC_METHOD_OPEN, false},
179 #endif
180 #ifdef O_DSYNC
181  {"open_datasync", WAL_SYNC_METHOD_OPEN_DSYNC, false},
182 #endif
183  {NULL, 0, false}
184 };
185 
186 
187 /*
188  * Although only "on", "off", and "always" are documented,
189  * we accept all the likely variants of "on" and "off".
190  */
191 const struct config_enum_entry archive_mode_options[] = {
192  {"always", ARCHIVE_MODE_ALWAYS, false},
193  {"on", ARCHIVE_MODE_ON, false},
194  {"off", ARCHIVE_MODE_OFF, false},
195  {"true", ARCHIVE_MODE_ON, true},
196  {"false", ARCHIVE_MODE_OFF, true},
197  {"yes", ARCHIVE_MODE_ON, true},
198  {"no", ARCHIVE_MODE_OFF, true},
199  {"1", ARCHIVE_MODE_ON, true},
200  {"0", ARCHIVE_MODE_OFF, true},
201  {NULL, 0, false}
202 };
203 
204 /*
205  * Statistics for current checkpoint are collected in this global struct.
206  * Because only the checkpointer or a stand-alone backend can perform
207  * checkpoints, this will be unused in normal backends.
208  */
210 
211 /*
212  * During recovery, lastFullPageWrites keeps track of full_page_writes that
213  * the replayed WAL records indicate. It's initialized with full_page_writes
214  * that the recovery starting checkpoint record indicates, and then updated
215  * each time XLOG_FPW_CHANGE record is replayed.
216  */
217 static bool lastFullPageWrites;
218 
219 /*
220  * Local copy of the state tracked by SharedRecoveryState in shared memory,
221  * It is false if SharedRecoveryState is RECOVERY_STATE_DONE. True actually
222  * means "not known, need to check the shared state".
223  */
224 static bool LocalRecoveryInProgress = true;
225 
226 /*
227  * Local state for XLogInsertAllowed():
228  * 1: unconditionally allowed to insert XLOG
229  * 0: unconditionally not allowed to insert XLOG
230  * -1: must check RecoveryInProgress(); disallow until it is false
231  * Most processes start with -1 and transition to 1 after seeing that recovery
232  * is not in progress. But we can also force the value for special cases.
233  * The coding in XLogInsertAllowed() depends on the first two of these states
234  * being numerically the same as bool true and false.
235  */
236 static int LocalXLogInsertAllowed = -1;
237 
238 /*
239  * ProcLastRecPtr points to the start of the last XLOG record inserted by the
240  * current backend. It is updated for all inserts. XactLastRecEnd points to
241  * end+1 of the last record, and is reset when we end a top-level transaction,
242  * or start a new one; so it can be used to tell if the current transaction has
243  * created any XLOG records.
244  *
245  * While in parallel mode, this may not be fully up to date. When committing,
246  * a transaction can assume this covers all xlog records written either by the
247  * user backend or by any parallel worker which was present at any point during
248  * the transaction. But when aborting, or when still in parallel mode, other
249  * parallel backends may have written WAL records at later LSNs than the value
250  * stored here. The parallel leader advances its own copy, when necessary,
251  * in WaitForParallelWorkersToFinish.
252  */
256 
257 /*
258  * RedoRecPtr is this backend's local copy of the REDO record pointer
259  * (which is almost but not quite the same as a pointer to the most recent
260  * CHECKPOINT record). We update this from the shared-memory copy,
261  * XLogCtl->Insert.RedoRecPtr, whenever we can safely do so (ie, when we
262  * hold an insertion lock). See XLogInsertRecord for details. We are also
263  * allowed to update from XLogCtl->RedoRecPtr if we hold the info_lck;
264  * see GetRedoRecPtr.
265  *
266  * NB: Code that uses this variable must be prepared not only for the
267  * possibility that it may be arbitrarily out of date, but also for the
268  * possibility that it might be set to InvalidXLogRecPtr. We used to
269  * initialize it as a side effect of the first call to RecoveryInProgress(),
270  * which meant that most code that might use it could assume that it had a
271  * real if perhaps stale value. That's no longer the case.
272  */
274 
275 /*
276  * doPageWrites is this backend's local copy of (fullPageWrites ||
277  * runningBackups > 0). It is used together with RedoRecPtr to decide whether
278  * a full-page image of a page need to be taken.
279  *
280  * NB: Initially this is false, and there's no guarantee that it will be
281  * initialized to any other value before it is first used. Any code that
282  * makes use of it must recheck the value after obtaining a WALInsertLock,
283  * and respond appropriately if it turns out that the previous value wasn't
284  * accurate.
285  */
286 static bool doPageWrites;
287 
288 /*----------
289  * Shared-memory data structures for XLOG control
290  *
291  * LogwrtRqst indicates a byte position that we need to write and/or fsync
292  * the log up to (all records before that point must be written or fsynced).
293  * The positions already written/fsynced are maintained in logWriteResult
294  * and logFlushResult using atomic access.
295  * In addition to the shared variable, each backend has a private copy of
296  * both in LogwrtResult, which is updated when convenient.
297  *
298  * The request bookkeeping is simpler: there is a shared XLogCtl->LogwrtRqst
299  * (protected by info_lck), but we don't need to cache any copies of it.
300  *
301  * info_lck is only held long enough to read/update the protected variables,
302  * so it's a plain spinlock. The other locks are held longer (potentially
303  * over I/O operations), so we use LWLocks for them. These locks are:
304  *
305  * WALBufMappingLock: must be held to replace a page in the WAL buffer cache.
306  * It is only held while initializing and changing the mapping. If the
307  * contents of the buffer being replaced haven't been written yet, the mapping
308  * lock is released while the write is done, and reacquired afterwards.
309  *
310  * WALWriteLock: must be held to write WAL buffers to disk (XLogWrite or
311  * XLogFlush).
312  *
313  * ControlFileLock: must be held to read/update control file or create
314  * new log file.
315  *
316  *----------
317  */
318 
319 typedef struct XLogwrtRqst
320 {
321  XLogRecPtr Write; /* last byte + 1 to write out */
322  XLogRecPtr Flush; /* last byte + 1 to flush */
324 
325 typedef struct XLogwrtResult
326 {
327  XLogRecPtr Write; /* last byte + 1 written out */
328  XLogRecPtr Flush; /* last byte + 1 flushed */
330 
331 /*
332  * Inserting to WAL is protected by a small fixed number of WAL insertion
333  * locks. To insert to the WAL, you must hold one of the locks - it doesn't
334  * matter which one. To lock out other concurrent insertions, you must hold
335  * of them. Each WAL insertion lock consists of a lightweight lock, plus an
336  * indicator of how far the insertion has progressed (insertingAt).
337  *
338  * The insertingAt values are read when a process wants to flush WAL from
339  * the in-memory buffers to disk, to check that all the insertions to the
340  * region the process is about to write out have finished. You could simply
341  * wait for all currently in-progress insertions to finish, but the
342  * insertingAt indicator allows you to ignore insertions to later in the WAL,
343  * so that you only wait for the insertions that are modifying the buffers
344  * you're about to write out.
345  *
346  * This isn't just an optimization. If all the WAL buffers are dirty, an
347  * inserter that's holding a WAL insert lock might need to evict an old WAL
348  * buffer, which requires flushing the WAL. If it's possible for an inserter
349  * to block on another inserter unnecessarily, deadlock can arise when two
350  * inserters holding a WAL insert lock wait for each other to finish their
351  * insertion.
352  *
353  * Small WAL records that don't cross a page boundary never update the value,
354  * the WAL record is just copied to the page and the lock is released. But
355  * to avoid the deadlock-scenario explained above, the indicator is always
356  * updated before sleeping while holding an insertion lock.
357  *
358  * lastImportantAt contains the LSN of the last important WAL record inserted
359  * using a given lock. This value is used to detect if there has been
360  * important WAL activity since the last time some action, like a checkpoint,
361  * was performed - allowing to not repeat the action if not. The LSN is
362  * updated for all insertions, unless the XLOG_MARK_UNIMPORTANT flag was
363  * set. lastImportantAt is never cleared, only overwritten by the LSN of newer
364  * records. Tracking the WAL activity directly in WALInsertLock has the
365  * advantage of not needing any additional locks to update the value.
366  */
367 typedef struct
368 {
372 } WALInsertLock;
373 
374 /*
375  * All the WAL insertion locks are allocated as an array in shared memory. We
376  * force the array stride to be a power of 2, which saves a few cycles in
377  * indexing, but more importantly also ensures that individual slots don't
378  * cross cache line boundaries. (Of course, we have to also ensure that the
379  * array start address is suitably aligned.)
380  */
381 typedef union WALInsertLockPadded
382 {
386 
387 /*
388  * Session status of running backup, used for sanity checks in SQL-callable
389  * functions to start and stop backups.
390  */
392 
393 /*
394  * Shared state data for WAL insertion.
395  */
396 typedef struct XLogCtlInsert
397 {
398  slock_t insertpos_lck; /* protects CurrBytePos and PrevBytePos */
399 
400  /*
401  * CurrBytePos is the end of reserved WAL. The next record will be
402  * inserted at that position. PrevBytePos is the start position of the
403  * previously inserted (or rather, reserved) record - it is copied to the
404  * prev-link of the next record. These are stored as "usable byte
405  * positions" rather than XLogRecPtrs (see XLogBytePosToRecPtr()).
406  */
407  uint64 CurrBytePos;
408  uint64 PrevBytePos;
409 
410  /*
411  * Make sure the above heavily-contended spinlock and byte positions are
412  * on their own cache line. In particular, the RedoRecPtr and full page
413  * write variables below should be on a different cache line. They are
414  * read on every WAL insertion, but updated rarely, and we don't want
415  * those reads to steal the cache line containing Curr/PrevBytePos.
416  */
418 
419  /*
420  * fullPageWrites is the authoritative value used by all backends to
421  * determine whether to write full-page image to WAL. This shared value,
422  * instead of the process-local fullPageWrites, is required because, when
423  * full_page_writes is changed by SIGHUP, we must WAL-log it before it
424  * actually affects WAL-logging by backends. Checkpointer sets at startup
425  * or after SIGHUP.
426  *
427  * To read these fields, you must hold an insertion lock. To modify them,
428  * you must hold ALL the locks.
429  */
430  XLogRecPtr RedoRecPtr; /* current redo point for insertions */
432 
433  /*
434  * runningBackups is a counter indicating the number of backups currently
435  * in progress. lastBackupStart is the latest checkpoint redo location
436  * used as a starting point for an online backup.
437  */
440 
441  /*
442  * WAL insertion locks.
443  */
446 
447 /*
448  * Total shared-memory state for XLOG.
449  */
450 typedef struct XLogCtlData
451 {
453 
454  /* Protected by info_lck: */
456  XLogRecPtr RedoRecPtr; /* a recent copy of Insert->RedoRecPtr */
457  FullTransactionId ckptFullXid; /* nextXid of latest checkpoint */
458  XLogRecPtr asyncXactLSN; /* LSN of newest async commit/abort */
459  XLogRecPtr replicationSlotMinLSN; /* oldest LSN needed by any slot */
460 
461  XLogSegNo lastRemovedSegNo; /* latest removed/recycled XLOG segment */
462 
463  /* Fake LSN counter, for unlogged relations. */
465 
466  /* Time and LSN of last xlog segment switch. Protected by WALWriteLock. */
469 
470  /* These are accessed using atomics -- info_lck not needed */
471  pg_atomic_uint64 logInsertResult; /* last byte + 1 inserted to buffers */
472  pg_atomic_uint64 logWriteResult; /* last byte + 1 written out */
473  pg_atomic_uint64 logFlushResult; /* last byte + 1 flushed */
474 
475  /*
476  * Latest initialized page in the cache (last byte position + 1).
477  *
478  * To change the identity of a buffer (and InitializedUpTo), you need to
479  * hold WALBufMappingLock. To change the identity of a buffer that's
480  * still dirty, the old page needs to be written out first, and for that
481  * you need WALWriteLock, and you need to ensure that there are no
482  * in-progress insertions to the page by calling
483  * WaitXLogInsertionsToFinish().
484  */
486 
487  /*
488  * These values do not change after startup, although the pointed-to pages
489  * and xlblocks values certainly do. xlblocks values are protected by
490  * WALBufMappingLock.
491  */
492  char *pages; /* buffers for unwritten XLOG pages */
493  pg_atomic_uint64 *xlblocks; /* 1st byte ptr-s + XLOG_BLCKSZ */
494  int XLogCacheBlck; /* highest allocated xlog buffer index */
495 
496  /*
497  * InsertTimeLineID is the timeline into which new WAL is being inserted
498  * and flushed. It is zero during recovery, and does not change once set.
499  *
500  * If we create a new timeline when the system was started up,
501  * PrevTimeLineID is the old timeline's ID that we forked off from.
502  * Otherwise it's equal to InsertTimeLineID.
503  *
504  * We set these fields while holding info_lck. Most that reads these
505  * values knows that recovery is no longer in progress and so can safely
506  * read the value without a lock, but code that could be run either during
507  * or after recovery can take info_lck while reading these values.
508  */
511 
512  /*
513  * SharedRecoveryState indicates if we're still in crash or archive
514  * recovery. Protected by info_lck.
515  */
517 
518  /*
519  * InstallXLogFileSegmentActive indicates whether the checkpointer should
520  * arrange for future segments by recycling and/or PreallocXlogFiles().
521  * Protected by ControlFileLock. Only the startup process changes it. If
522  * true, anyone can use InstallXLogFileSegment(). If false, the startup
523  * process owns the exclusive right to install segments, by reading from
524  * the archive and possibly replacing existing files.
525  */
527 
528  /*
529  * WalWriterSleeping indicates whether the WAL writer is currently in
530  * low-power mode (and hence should be nudged if an async commit occurs).
531  * Protected by info_lck.
532  */
534 
535  /*
536  * During recovery, we keep a copy of the latest checkpoint record here.
537  * lastCheckPointRecPtr points to start of checkpoint record and
538  * lastCheckPointEndPtr points to end+1 of checkpoint record. Used by the
539  * checkpointer when it wants to create a restartpoint.
540  *
541  * Protected by info_lck.
542  */
546 
547  /*
548  * lastFpwDisableRecPtr points to the start of the last replayed
549  * XLOG_FPW_CHANGE record that instructs full_page_writes is disabled.
550  */
552 
553  slock_t info_lck; /* locks shared variables shown above */
555 
556 /*
557  * Classification of XLogRecordInsert operations.
558  */
559 typedef enum
560 {
565 
566 static XLogCtlData *XLogCtl = NULL;
567 
568 /* a private copy of XLogCtl->Insert.WALInsertLocks, for convenience */
570 
571 /*
572  * We maintain an image of pg_control in shared memory.
573  */
575 
576 /*
577  * Calculate the amount of space left on the page after 'endptr'. Beware
578  * multiple evaluation!
579  */
580 #define INSERT_FREESPACE(endptr) \
581  (((endptr) % XLOG_BLCKSZ == 0) ? 0 : (XLOG_BLCKSZ - (endptr) % XLOG_BLCKSZ))
582 
583 /* Macro to advance to next buffer index. */
584 #define NextBufIdx(idx) \
585  (((idx) == XLogCtl->XLogCacheBlck) ? 0 : ((idx) + 1))
586 
587 /*
588  * XLogRecPtrToBufIdx returns the index of the WAL buffer that holds, or
589  * would hold if it was in cache, the page containing 'recptr'.
590  */
591 #define XLogRecPtrToBufIdx(recptr) \
592  (((recptr) / XLOG_BLCKSZ) % (XLogCtl->XLogCacheBlck + 1))
593 
594 /*
595  * These are the number of bytes in a WAL page usable for WAL data.
596  */
597 #define UsableBytesInPage (XLOG_BLCKSZ - SizeOfXLogShortPHD)
598 
599 /*
600  * Convert values of GUCs measured in megabytes to equiv. segment count.
601  * Rounds down.
602  */
603 #define ConvertToXSegs(x, segsize) XLogMBVarToSegs((x), (segsize))
604 
605 /* The number of bytes in a WAL segment usable for WAL data. */
607 
608 /*
609  * Private, possibly out-of-date copy of shared LogwrtResult.
610  * See discussion above.
611  */
612 static XLogwrtResult LogwrtResult = {0, 0};
613 
614 /*
615  * Update local copy of shared XLogCtl->log{Write,Flush}Result
616  *
617  * It's critical that Flush always trails Write, so the order of the reads is
618  * important, as is the barrier. See also XLogWrite.
619  */
620 #define RefreshXLogWriteResult(_target) \
621  do { \
622  _target.Flush = pg_atomic_read_u64(&XLogCtl->logFlushResult); \
623  pg_read_barrier(); \
624  _target.Write = pg_atomic_read_u64(&XLogCtl->logWriteResult); \
625  } while (0)
626 
627 /*
628  * openLogFile is -1 or a kernel FD for an open log file segment.
629  * openLogSegNo identifies the segment, and openLogTLI the corresponding TLI.
630  * These variables are only used to write the XLOG, and so will normally refer
631  * to the active segment.
632  *
633  * Note: call Reserve/ReleaseExternalFD to track consumption of this FD.
634  */
635 static int openLogFile = -1;
638 
639 /*
640  * Local copies of equivalent fields in the control file. When running
641  * crash recovery, LocalMinRecoveryPoint is set to InvalidXLogRecPtr as we
642  * expect to replay all the WAL available, and updateMinRecoveryPoint is
643  * switched to false to prevent any updates while replaying records.
644  * Those values are kept consistent as long as crash recovery runs.
645  */
648 static bool updateMinRecoveryPoint = true;
649 
650 /* For WALInsertLockAcquire/Release functions */
651 static int MyLockNo = 0;
652 static bool holdingAllLocks = false;
653 
654 #ifdef WAL_DEBUG
655 static MemoryContext walDebugCxt = NULL;
656 #endif
657 
658 static void CleanupAfterArchiveRecovery(TimeLineID EndOfLogTLI,
659  XLogRecPtr EndOfLog,
660  TimeLineID newTLI);
661 static void CheckRequiredParameterValues(void);
662 static void XLogReportParameters(void);
663 static int LocalSetXLogInsertAllowed(void);
664 static void CreateEndOfRecoveryRecord(void);
666  XLogRecPtr pagePtr,
667  TimeLineID newTLI);
668 static void CheckPointGuts(XLogRecPtr checkPointRedo, int flags);
669 static void KeepLogSeg(XLogRecPtr recptr, XLogSegNo *logSegNo);
671 
672 static void AdvanceXLInsertBuffer(XLogRecPtr upto, TimeLineID tli,
673  bool opportunistic);
674 static void XLogWrite(XLogwrtRqst WriteRqst, TimeLineID tli, bool flexible);
675 static bool InstallXLogFileSegment(XLogSegNo *segno, char *tmppath,
676  bool find_free, XLogSegNo max_segno,
677  TimeLineID tli);
678 static void XLogFileClose(void);
679 static void PreallocXlogFiles(XLogRecPtr endptr, TimeLineID tli);
680 static void RemoveTempXlogFiles(void);
681 static void RemoveOldXlogFiles(XLogSegNo segno, XLogRecPtr lastredoptr,
682  XLogRecPtr endptr, TimeLineID insertTLI);
683 static void RemoveXlogFile(const struct dirent *segment_de,
684  XLogSegNo recycleSegNo, XLogSegNo *endlogSegNo,
685  TimeLineID insertTLI);
686 static void UpdateLastRemovedPtr(char *filename);
687 static void ValidateXLOGDirectoryStructure(void);
688 static void CleanupBackupHistory(void);
689 static void UpdateMinRecoveryPoint(XLogRecPtr lsn, bool force);
690 static bool PerformRecoveryXLogAction(void);
691 static void InitControlFile(uint64 sysidentifier, uint32 data_checksum_version);
692 static void WriteControlFile(void);
693 static void ReadControlFile(void);
694 static void UpdateControlFile(void);
695 static char *str_time(pg_time_t tnow);
696 
697 static int get_sync_bit(int method);
698 
699 static void CopyXLogRecordToWAL(int write_len, bool isLogSwitch,
700  XLogRecData *rdata,
701  XLogRecPtr StartPos, XLogRecPtr EndPos,
702  TimeLineID tli);
703 static void ReserveXLogInsertLocation(int size, XLogRecPtr *StartPos,
704  XLogRecPtr *EndPos, XLogRecPtr *PrevPtr);
705 static bool ReserveXLogSwitch(XLogRecPtr *StartPos, XLogRecPtr *EndPos,
706  XLogRecPtr *PrevPtr);
708 static char *GetXLogBuffer(XLogRecPtr ptr, TimeLineID tli);
709 static XLogRecPtr XLogBytePosToRecPtr(uint64 bytepos);
710 static XLogRecPtr XLogBytePosToEndRecPtr(uint64 bytepos);
711 static uint64 XLogRecPtrToBytePos(XLogRecPtr ptr);
712 
713 static void WALInsertLockAcquire(void);
714 static void WALInsertLockAcquireExclusive(void);
715 static void WALInsertLockRelease(void);
716 static void WALInsertLockUpdateInsertingAt(XLogRecPtr insertingAt);
717 
718 /*
719  * Insert an XLOG record represented by an already-constructed chain of data
720  * chunks. This is a low-level routine; to construct the WAL record header
721  * and data, use the higher-level routines in xloginsert.c.
722  *
723  * If 'fpw_lsn' is valid, it is the oldest LSN among the pages that this
724  * WAL record applies to, that were not included in the record as full page
725  * images. If fpw_lsn <= RedoRecPtr, the function does not perform the
726  * insertion and returns InvalidXLogRecPtr. The caller can then recalculate
727  * which pages need a full-page image, and retry. If fpw_lsn is invalid, the
728  * record is always inserted.
729  *
730  * 'flags' gives more in-depth control on the record being inserted. See
731  * XLogSetRecordFlags() for details.
732  *
733  * 'topxid_included' tells whether the top-transaction id is logged along with
734  * current subtransaction. See XLogRecordAssemble().
735  *
736  * The first XLogRecData in the chain must be for the record header, and its
737  * data must be MAXALIGNed. XLogInsertRecord fills in the xl_prev and
738  * xl_crc fields in the header, the rest of the header must already be filled
739  * by the caller.
740  *
741  * Returns XLOG pointer to end of record (beginning of next record).
742  * This can be used as LSN for data pages affected by the logged action.
743  * (LSN is the XLOG point up to which the XLOG must be flushed to disk
744  * before the data page can be written out. This implements the basic
745  * WAL rule "write the log before the data".)
746  */
749  XLogRecPtr fpw_lsn,
750  uint8 flags,
751  int num_fpi,
752  bool topxid_included)
753 {
755  pg_crc32c rdata_crc;
756  bool inserted;
757  XLogRecord *rechdr = (XLogRecord *) rdata->data;
758  uint8 info = rechdr->xl_info & ~XLR_INFO_MASK;
760  XLogRecPtr StartPos;
761  XLogRecPtr EndPos;
762  bool prevDoPageWrites = doPageWrites;
763  TimeLineID insertTLI;
764 
765  /* Does this record type require special handling? */
766  if (unlikely(rechdr->xl_rmid == RM_XLOG_ID))
767  {
768  if (info == XLOG_SWITCH)
769  class = WALINSERT_SPECIAL_SWITCH;
770  else if (info == XLOG_CHECKPOINT_REDO)
772  }
773 
774  /* we assume that all of the record header is in the first chunk */
775  Assert(rdata->len >= SizeOfXLogRecord);
776 
777  /* cross-check on whether we should be here or not */
778  if (!XLogInsertAllowed())
779  elog(ERROR, "cannot make new WAL entries during recovery");
780 
781  /*
782  * Given that we're not in recovery, InsertTimeLineID is set and can't
783  * change, so we can read it without a lock.
784  */
785  insertTLI = XLogCtl->InsertTimeLineID;
786 
787  /*----------
788  *
789  * We have now done all the preparatory work we can without holding a
790  * lock or modifying shared state. From here on, inserting the new WAL
791  * record to the shared WAL buffer cache is a two-step process:
792  *
793  * 1. Reserve the right amount of space from the WAL. The current head of
794  * reserved space is kept in Insert->CurrBytePos, and is protected by
795  * insertpos_lck.
796  *
797  * 2. Copy the record to the reserved WAL space. This involves finding the
798  * correct WAL buffer containing the reserved space, and copying the
799  * record in place. This can be done concurrently in multiple processes.
800  *
801  * To keep track of which insertions are still in-progress, each concurrent
802  * inserter acquires an insertion lock. In addition to just indicating that
803  * an insertion is in progress, the lock tells others how far the inserter
804  * has progressed. There is a small fixed number of insertion locks,
805  * determined by NUM_XLOGINSERT_LOCKS. When an inserter crosses a page
806  * boundary, it updates the value stored in the lock to the how far it has
807  * inserted, to allow the previous buffer to be flushed.
808  *
809  * Holding onto an insertion lock also protects RedoRecPtr and
810  * fullPageWrites from changing until the insertion is finished.
811  *
812  * Step 2 can usually be done completely in parallel. If the required WAL
813  * page is not initialized yet, you have to grab WALBufMappingLock to
814  * initialize it, but the WAL writer tries to do that ahead of insertions
815  * to avoid that from happening in the critical path.
816  *
817  *----------
818  */
820 
821  if (likely(class == WALINSERT_NORMAL))
822  {
824 
825  /*
826  * Check to see if my copy of RedoRecPtr is out of date. If so, may
827  * have to go back and have the caller recompute everything. This can
828  * only happen just after a checkpoint, so it's better to be slow in
829  * this case and fast otherwise.
830  *
831  * Also check to see if fullPageWrites was just turned on or there's a
832  * running backup (which forces full-page writes); if we weren't
833  * already doing full-page writes then go back and recompute.
834  *
835  * If we aren't doing full-page writes then RedoRecPtr doesn't
836  * actually affect the contents of the XLOG record, so we'll update
837  * our local copy but not force a recomputation. (If doPageWrites was
838  * just turned off, we could recompute the record without full pages,
839  * but we choose not to bother.)
840  */
841  if (RedoRecPtr != Insert->RedoRecPtr)
842  {
843  Assert(RedoRecPtr < Insert->RedoRecPtr);
844  RedoRecPtr = Insert->RedoRecPtr;
845  }
846  doPageWrites = (Insert->fullPageWrites || Insert->runningBackups > 0);
847 
848  if (doPageWrites &&
849  (!prevDoPageWrites ||
850  (fpw_lsn != InvalidXLogRecPtr && fpw_lsn <= RedoRecPtr)))
851  {
852  /*
853  * Oops, some buffer now needs to be backed up that the caller
854  * didn't back up. Start over.
855  */
858  return InvalidXLogRecPtr;
859  }
860 
861  /*
862  * Reserve space for the record in the WAL. This also sets the xl_prev
863  * pointer.
864  */
865  ReserveXLogInsertLocation(rechdr->xl_tot_len, &StartPos, &EndPos,
866  &rechdr->xl_prev);
867 
868  /* Normal records are always inserted. */
869  inserted = true;
870  }
871  else if (class == WALINSERT_SPECIAL_SWITCH)
872  {
873  /*
874  * In order to insert an XLOG_SWITCH record, we need to hold all of
875  * the WAL insertion locks, not just one, so that no one else can
876  * begin inserting a record until we've figured out how much space
877  * remains in the current WAL segment and claimed all of it.
878  *
879  * Nonetheless, this case is simpler than the normal cases handled
880  * below, which must check for changes in doPageWrites and RedoRecPtr.
881  * Those checks are only needed for records that can contain buffer
882  * references, and an XLOG_SWITCH record never does.
883  */
884  Assert(fpw_lsn == InvalidXLogRecPtr);
886  inserted = ReserveXLogSwitch(&StartPos, &EndPos, &rechdr->xl_prev);
887  }
888  else
889  {
891 
892  /*
893  * We need to update both the local and shared copies of RedoRecPtr,
894  * which means that we need to hold all the WAL insertion locks.
895  * However, there can't be any buffer references, so as above, we need
896  * not check RedoRecPtr before inserting the record; we just need to
897  * update it afterwards.
898  */
899  Assert(fpw_lsn == InvalidXLogRecPtr);
901  ReserveXLogInsertLocation(rechdr->xl_tot_len, &StartPos, &EndPos,
902  &rechdr->xl_prev);
903  RedoRecPtr = Insert->RedoRecPtr = StartPos;
904  inserted = true;
905  }
906 
907  if (inserted)
908  {
909  /*
910  * Now that xl_prev has been filled in, calculate CRC of the record
911  * header.
912  */
913  rdata_crc = rechdr->xl_crc;
914  COMP_CRC32C(rdata_crc, rechdr, offsetof(XLogRecord, xl_crc));
915  FIN_CRC32C(rdata_crc);
916  rechdr->xl_crc = rdata_crc;
917 
918  /*
919  * All the record data, including the header, is now ready to be
920  * inserted. Copy the record in the space reserved.
921  */
923  class == WALINSERT_SPECIAL_SWITCH, rdata,
924  StartPos, EndPos, insertTLI);
925 
926  /*
927  * Unless record is flagged as not important, update LSN of last
928  * important record in the current slot. When holding all locks, just
929  * update the first one.
930  */
931  if ((flags & XLOG_MARK_UNIMPORTANT) == 0)
932  {
933  int lockno = holdingAllLocks ? 0 : MyLockNo;
934 
935  WALInsertLocks[lockno].l.lastImportantAt = StartPos;
936  }
937  }
938  else
939  {
940  /*
941  * This was an xlog-switch record, but the current insert location was
942  * already exactly at the beginning of a segment, so there was no need
943  * to do anything.
944  */
945  }
946 
947  /*
948  * Done! Let others know that we're finished.
949  */
951 
953 
955 
956  /*
957  * Mark top transaction id is logged (if needed) so that we should not try
958  * to log it again with the next WAL record in the current subtransaction.
959  */
960  if (topxid_included)
962 
963  /*
964  * Update shared LogwrtRqst.Write, if we crossed page boundary.
965  */
966  if (StartPos / XLOG_BLCKSZ != EndPos / XLOG_BLCKSZ)
967  {
969  /* advance global request to include new block(s) */
970  if (XLogCtl->LogwrtRqst.Write < EndPos)
971  XLogCtl->LogwrtRqst.Write = EndPos;
974  }
975 
976  /*
977  * If this was an XLOG_SWITCH record, flush the record and the empty
978  * padding space that fills the rest of the segment, and perform
979  * end-of-segment actions (eg, notifying archiver).
980  */
981  if (class == WALINSERT_SPECIAL_SWITCH)
982  {
983  TRACE_POSTGRESQL_WAL_SWITCH();
984  XLogFlush(EndPos);
985 
986  /*
987  * Even though we reserved the rest of the segment for us, which is
988  * reflected in EndPos, we return a pointer to just the end of the
989  * xlog-switch record.
990  */
991  if (inserted)
992  {
993  EndPos = StartPos + SizeOfXLogRecord;
994  if (StartPos / XLOG_BLCKSZ != EndPos / XLOG_BLCKSZ)
995  {
996  uint64 offset = XLogSegmentOffset(EndPos, wal_segment_size);
997 
998  if (offset == EndPos % XLOG_BLCKSZ)
999  EndPos += SizeOfXLogLongPHD;
1000  else
1001  EndPos += SizeOfXLogShortPHD;
1002  }
1003  }
1004  }
1005 
1006 #ifdef WAL_DEBUG
1007  if (XLOG_DEBUG)
1008  {
1009  static XLogReaderState *debug_reader = NULL;
1010  XLogRecord *record;
1011  DecodedXLogRecord *decoded;
1013  StringInfoData recordBuf;
1014  char *errormsg = NULL;
1015  MemoryContext oldCxt;
1016 
1017  oldCxt = MemoryContextSwitchTo(walDebugCxt);
1018 
1019  initStringInfo(&buf);
1020  appendStringInfo(&buf, "INSERT @ %X/%X: ", LSN_FORMAT_ARGS(EndPos));
1021 
1022  /*
1023  * We have to piece together the WAL record data from the XLogRecData
1024  * entries, so that we can pass it to the rm_desc function as one
1025  * contiguous chunk.
1026  */
1027  initStringInfo(&recordBuf);
1028  for (; rdata != NULL; rdata = rdata->next)
1029  appendBinaryStringInfo(&recordBuf, rdata->data, rdata->len);
1030 
1031  /* We also need temporary space to decode the record. */
1032  record = (XLogRecord *) recordBuf.data;
1033  decoded = (DecodedXLogRecord *)
1035 
1036  if (!debug_reader)
1037  debug_reader = XLogReaderAllocate(wal_segment_size, NULL,
1038  XL_ROUTINE(.page_read = NULL,
1039  .segment_open = NULL,
1040  .segment_close = NULL),
1041  NULL);
1042  if (!debug_reader)
1043  {
1044  appendStringInfoString(&buf, "error decoding record: out of memory while allocating a WAL reading processor");
1045  }
1046  else if (!DecodeXLogRecord(debug_reader,
1047  decoded,
1048  record,
1049  EndPos,
1050  &errormsg))
1051  {
1052  appendStringInfo(&buf, "error decoding record: %s",
1053  errormsg ? errormsg : "no error message");
1054  }
1055  else
1056  {
1057  appendStringInfoString(&buf, " - ");
1058 
1059  debug_reader->record = decoded;
1060  xlog_outdesc(&buf, debug_reader);
1061  debug_reader->record = NULL;
1062  }
1063  elog(LOG, "%s", buf.data);
1064 
1065  pfree(decoded);
1066  pfree(buf.data);
1067  pfree(recordBuf.data);
1068  MemoryContextSwitchTo(oldCxt);
1069  }
1070 #endif
1071 
1072  /*
1073  * Update our global variables
1074  */
1075  ProcLastRecPtr = StartPos;
1076  XactLastRecEnd = EndPos;
1077 
1078  /* Report WAL traffic to the instrumentation. */
1079  if (inserted)
1080  {
1081  pgWalUsage.wal_bytes += rechdr->xl_tot_len;
1083  pgWalUsage.wal_fpi += num_fpi;
1084  }
1085 
1086  return EndPos;
1087 }
1088 
1089 /*
1090  * Reserves the right amount of space for a record of given size from the WAL.
1091  * *StartPos is set to the beginning of the reserved section, *EndPos to
1092  * its end+1. *PrevPtr is set to the beginning of the previous record; it is
1093  * used to set the xl_prev of this record.
1094  *
1095  * This is the performance critical part of XLogInsert that must be serialized
1096  * across backends. The rest can happen mostly in parallel. Try to keep this
1097  * section as short as possible, insertpos_lck can be heavily contended on a
1098  * busy system.
1099  *
1100  * NB: The space calculation here must match the code in CopyXLogRecordToWAL,
1101  * where we actually copy the record to the reserved space.
1102  *
1103  * NB: Testing shows that XLogInsertRecord runs faster if this code is inlined;
1104  * however, because there are two call sites, the compiler is reluctant to
1105  * inline. We use pg_attribute_always_inline here to try to convince it.
1106  */
1107 static pg_attribute_always_inline void
1109  XLogRecPtr *PrevPtr)
1110 {
1112  uint64 startbytepos;
1113  uint64 endbytepos;
1114  uint64 prevbytepos;
1115 
1116  size = MAXALIGN(size);
1117 
1118  /* All (non xlog-switch) records should contain data. */
1120 
1121  /*
1122  * The duration the spinlock needs to be held is minimized by minimizing
1123  * the calculations that have to be done while holding the lock. The
1124  * current tip of reserved WAL is kept in CurrBytePos, as a byte position
1125  * that only counts "usable" bytes in WAL, that is, it excludes all WAL
1126  * page headers. The mapping between "usable" byte positions and physical
1127  * positions (XLogRecPtrs) can be done outside the locked region, and
1128  * because the usable byte position doesn't include any headers, reserving
1129  * X bytes from WAL is almost as simple as "CurrBytePos += X".
1130  */
1131  SpinLockAcquire(&Insert->insertpos_lck);
1132 
1133  startbytepos = Insert->CurrBytePos;
1134  endbytepos = startbytepos + size;
1135  prevbytepos = Insert->PrevBytePos;
1136  Insert->CurrBytePos = endbytepos;
1137  Insert->PrevBytePos = startbytepos;
1138 
1139  SpinLockRelease(&Insert->insertpos_lck);
1140 
1141  *StartPos = XLogBytePosToRecPtr(startbytepos);
1142  *EndPos = XLogBytePosToEndRecPtr(endbytepos);
1143  *PrevPtr = XLogBytePosToRecPtr(prevbytepos);
1144 
1145  /*
1146  * Check that the conversions between "usable byte positions" and
1147  * XLogRecPtrs work consistently in both directions.
1148  */
1149  Assert(XLogRecPtrToBytePos(*StartPos) == startbytepos);
1150  Assert(XLogRecPtrToBytePos(*EndPos) == endbytepos);
1151  Assert(XLogRecPtrToBytePos(*PrevPtr) == prevbytepos);
1152 }
1153 
1154 /*
1155  * Like ReserveXLogInsertLocation(), but for an xlog-switch record.
1156  *
1157  * A log-switch record is handled slightly differently. The rest of the
1158  * segment will be reserved for this insertion, as indicated by the returned
1159  * *EndPos value. However, if we are already at the beginning of the current
1160  * segment, *StartPos and *EndPos are set to the current location without
1161  * reserving any space, and the function returns false.
1162 */
1163 static bool
1164 ReserveXLogSwitch(XLogRecPtr *StartPos, XLogRecPtr *EndPos, XLogRecPtr *PrevPtr)
1165 {
1167  uint64 startbytepos;
1168  uint64 endbytepos;
1169  uint64 prevbytepos;
1171  XLogRecPtr ptr;
1172  uint32 segleft;
1173 
1174  /*
1175  * These calculations are a bit heavy-weight to be done while holding a
1176  * spinlock, but since we're holding all the WAL insertion locks, there
1177  * are no other inserters competing for it. GetXLogInsertRecPtr() does
1178  * compete for it, but that's not called very frequently.
1179  */
1180  SpinLockAcquire(&Insert->insertpos_lck);
1181 
1182  startbytepos = Insert->CurrBytePos;
1183 
1184  ptr = XLogBytePosToEndRecPtr(startbytepos);
1185  if (XLogSegmentOffset(ptr, wal_segment_size) == 0)
1186  {
1187  SpinLockRelease(&Insert->insertpos_lck);
1188  *EndPos = *StartPos = ptr;
1189  return false;
1190  }
1191 
1192  endbytepos = startbytepos + size;
1193  prevbytepos = Insert->PrevBytePos;
1194 
1195  *StartPos = XLogBytePosToRecPtr(startbytepos);
1196  *EndPos = XLogBytePosToEndRecPtr(endbytepos);
1197 
1198  segleft = wal_segment_size - XLogSegmentOffset(*EndPos, wal_segment_size);
1199  if (segleft != wal_segment_size)
1200  {
1201  /* consume the rest of the segment */
1202  *EndPos += segleft;
1203  endbytepos = XLogRecPtrToBytePos(*EndPos);
1204  }
1205  Insert->CurrBytePos = endbytepos;
1206  Insert->PrevBytePos = startbytepos;
1207 
1208  SpinLockRelease(&Insert->insertpos_lck);
1209 
1210  *PrevPtr = XLogBytePosToRecPtr(prevbytepos);
1211 
1212  Assert(XLogSegmentOffset(*EndPos, wal_segment_size) == 0);
1213  Assert(XLogRecPtrToBytePos(*EndPos) == endbytepos);
1214  Assert(XLogRecPtrToBytePos(*StartPos) == startbytepos);
1215  Assert(XLogRecPtrToBytePos(*PrevPtr) == prevbytepos);
1216 
1217  return true;
1218 }
1219 
1220 /*
1221  * Subroutine of XLogInsertRecord. Copies a WAL record to an already-reserved
1222  * area in the WAL.
1223  */
1224 static void
1225 CopyXLogRecordToWAL(int write_len, bool isLogSwitch, XLogRecData *rdata,
1226  XLogRecPtr StartPos, XLogRecPtr EndPos, TimeLineID tli)
1227 {
1228  char *currpos;
1229  int freespace;
1230  int written;
1231  XLogRecPtr CurrPos;
1232  XLogPageHeader pagehdr;
1233 
1234  /*
1235  * Get a pointer to the right place in the right WAL buffer to start
1236  * inserting to.
1237  */
1238  CurrPos = StartPos;
1239  currpos = GetXLogBuffer(CurrPos, tli);
1240  freespace = INSERT_FREESPACE(CurrPos);
1241 
1242  /*
1243  * there should be enough space for at least the first field (xl_tot_len)
1244  * on this page.
1245  */
1246  Assert(freespace >= sizeof(uint32));
1247 
1248  /* Copy record data */
1249  written = 0;
1250  while (rdata != NULL)
1251  {
1252  const char *rdata_data = rdata->data;
1253  int rdata_len = rdata->len;
1254 
1255  while (rdata_len > freespace)
1256  {
1257  /*
1258  * Write what fits on this page, and continue on the next page.
1259  */
1260  Assert(CurrPos % XLOG_BLCKSZ >= SizeOfXLogShortPHD || freespace == 0);
1261  memcpy(currpos, rdata_data, freespace);
1262  rdata_data += freespace;
1263  rdata_len -= freespace;
1264  written += freespace;
1265  CurrPos += freespace;
1266 
1267  /*
1268  * Get pointer to beginning of next page, and set the xlp_rem_len
1269  * in the page header. Set XLP_FIRST_IS_CONTRECORD.
1270  *
1271  * It's safe to set the contrecord flag and xlp_rem_len without a
1272  * lock on the page. All the other flags were already set when the
1273  * page was initialized, in AdvanceXLInsertBuffer, and we're the
1274  * only backend that needs to set the contrecord flag.
1275  */
1276  currpos = GetXLogBuffer(CurrPos, tli);
1277  pagehdr = (XLogPageHeader) currpos;
1278  pagehdr->xlp_rem_len = write_len - written;
1279  pagehdr->xlp_info |= XLP_FIRST_IS_CONTRECORD;
1280 
1281  /* skip over the page header */
1282  if (XLogSegmentOffset(CurrPos, wal_segment_size) == 0)
1283  {
1284  CurrPos += SizeOfXLogLongPHD;
1285  currpos += SizeOfXLogLongPHD;
1286  }
1287  else
1288  {
1289  CurrPos += SizeOfXLogShortPHD;
1290  currpos += SizeOfXLogShortPHD;
1291  }
1292  freespace = INSERT_FREESPACE(CurrPos);
1293  }
1294 
1295  Assert(CurrPos % XLOG_BLCKSZ >= SizeOfXLogShortPHD || rdata_len == 0);
1296  memcpy(currpos, rdata_data, rdata_len);
1297  currpos += rdata_len;
1298  CurrPos += rdata_len;
1299  freespace -= rdata_len;
1300  written += rdata_len;
1301 
1302  rdata = rdata->next;
1303  }
1304  Assert(written == write_len);
1305 
1306  /*
1307  * If this was an xlog-switch, it's not enough to write the switch record,
1308  * we also have to consume all the remaining space in the WAL segment. We
1309  * have already reserved that space, but we need to actually fill it.
1310  */
1311  if (isLogSwitch && XLogSegmentOffset(CurrPos, wal_segment_size) != 0)
1312  {
1313  /* An xlog-switch record doesn't contain any data besides the header */
1314  Assert(write_len == SizeOfXLogRecord);
1315 
1316  /* Assert that we did reserve the right amount of space */
1317  Assert(XLogSegmentOffset(EndPos, wal_segment_size) == 0);
1318 
1319  /* Use up all the remaining space on the current page */
1320  CurrPos += freespace;
1321 
1322  /*
1323  * Cause all remaining pages in the segment to be flushed, leaving the
1324  * XLog position where it should be, at the start of the next segment.
1325  * We do this one page at a time, to make sure we don't deadlock
1326  * against ourselves if wal_buffers < wal_segment_size.
1327  */
1328  while (CurrPos < EndPos)
1329  {
1330  /*
1331  * The minimal action to flush the page would be to call
1332  * WALInsertLockUpdateInsertingAt(CurrPos) followed by
1333  * AdvanceXLInsertBuffer(...). The page would be left initialized
1334  * mostly to zeros, except for the page header (always the short
1335  * variant, as this is never a segment's first page).
1336  *
1337  * The large vistas of zeros are good for compressibility, but the
1338  * headers interrupting them every XLOG_BLCKSZ (with values that
1339  * differ from page to page) are not. The effect varies with
1340  * compression tool, but bzip2 for instance compresses about an
1341  * order of magnitude worse if those headers are left in place.
1342  *
1343  * Rather than complicating AdvanceXLInsertBuffer itself (which is
1344  * called in heavily-loaded circumstances as well as this lightly-
1345  * loaded one) with variant behavior, we just use GetXLogBuffer
1346  * (which itself calls the two methods we need) to get the pointer
1347  * and zero most of the page. Then we just zero the page header.
1348  */
1349  currpos = GetXLogBuffer(CurrPos, tli);
1350  MemSet(currpos, 0, SizeOfXLogShortPHD);
1351 
1352  CurrPos += XLOG_BLCKSZ;
1353  }
1354  }
1355  else
1356  {
1357  /* Align the end position, so that the next record starts aligned */
1358  CurrPos = MAXALIGN64(CurrPos);
1359  }
1360 
1361  if (CurrPos != EndPos)
1362  ereport(PANIC,
1364  errmsg_internal("space reserved for WAL record does not match what was written"));
1365 }
1366 
1367 /*
1368  * Acquire a WAL insertion lock, for inserting to WAL.
1369  */
1370 static void
1372 {
1373  bool immed;
1374 
1375  /*
1376  * It doesn't matter which of the WAL insertion locks we acquire, so try
1377  * the one we used last time. If the system isn't particularly busy, it's
1378  * a good bet that it's still available, and it's good to have some
1379  * affinity to a particular lock so that you don't unnecessarily bounce
1380  * cache lines between processes when there's no contention.
1381  *
1382  * If this is the first time through in this backend, pick a lock
1383  * (semi-)randomly. This allows the locks to be used evenly if you have a
1384  * lot of very short connections.
1385  */
1386  static int lockToTry = -1;
1387 
1388  if (lockToTry == -1)
1389  lockToTry = MyProcNumber % NUM_XLOGINSERT_LOCKS;
1390  MyLockNo = lockToTry;
1391 
1392  /*
1393  * The insertingAt value is initially set to 0, as we don't know our
1394  * insert location yet.
1395  */
1397  if (!immed)
1398  {
1399  /*
1400  * If we couldn't get the lock immediately, try another lock next
1401  * time. On a system with more insertion locks than concurrent
1402  * inserters, this causes all the inserters to eventually migrate to a
1403  * lock that no-one else is using. On a system with more inserters
1404  * than locks, it still helps to distribute the inserters evenly
1405  * across the locks.
1406  */
1407  lockToTry = (lockToTry + 1) % NUM_XLOGINSERT_LOCKS;
1408  }
1409 }
1410 
1411 /*
1412  * Acquire all WAL insertion locks, to prevent other backends from inserting
1413  * to WAL.
1414  */
1415 static void
1417 {
1418  int i;
1419 
1420  /*
1421  * When holding all the locks, all but the last lock's insertingAt
1422  * indicator is set to 0xFFFFFFFFFFFFFFFF, which is higher than any real
1423  * XLogRecPtr value, to make sure that no-one blocks waiting on those.
1424  */
1425  for (i = 0; i < NUM_XLOGINSERT_LOCKS - 1; i++)
1426  {
1428  LWLockUpdateVar(&WALInsertLocks[i].l.lock,
1430  PG_UINT64_MAX);
1431  }
1432  /* Variable value reset to 0 at release */
1434 
1435  holdingAllLocks = true;
1436 }
1437 
1438 /*
1439  * Release our insertion lock (or locks, if we're holding them all).
1440  *
1441  * NB: Reset all variables to 0, so they cause LWLockWaitForVar to block the
1442  * next time the lock is acquired.
1443  */
1444 static void
1446 {
1447  if (holdingAllLocks)
1448  {
1449  int i;
1450 
1451  for (i = 0; i < NUM_XLOGINSERT_LOCKS; i++)
1454  0);
1455 
1456  holdingAllLocks = false;
1457  }
1458  else
1459  {
1462  0);
1463  }
1464 }
1465 
1466 /*
1467  * Update our insertingAt value, to let others know that we've finished
1468  * inserting up to that point.
1469  */
1470 static void
1472 {
1473  if (holdingAllLocks)
1474  {
1475  /*
1476  * We use the last lock to mark our actual position, see comments in
1477  * WALInsertLockAcquireExclusive.
1478  */
1481  insertingAt);
1482  }
1483  else
1486  insertingAt);
1487 }
1488 
1489 /*
1490  * Wait for any WAL insertions < upto to finish.
1491  *
1492  * Returns the location of the oldest insertion that is still in-progress.
1493  * Any WAL prior to that point has been fully copied into WAL buffers, and
1494  * can be flushed out to disk. Because this waits for any insertions older
1495  * than 'upto' to finish, the return value is always >= 'upto'.
1496  *
1497  * Note: When you are about to write out WAL, you must call this function
1498  * *before* acquiring WALWriteLock, to avoid deadlocks. This function might
1499  * need to wait for an insertion to finish (or at least advance to next
1500  * uninitialized page), and the inserter might need to evict an old WAL buffer
1501  * to make room for a new one, which in turn requires WALWriteLock.
1502  */
1503 static XLogRecPtr
1505 {
1506  uint64 bytepos;
1507  XLogRecPtr inserted;
1508  XLogRecPtr reservedUpto;
1509  XLogRecPtr finishedUpto;
1511  int i;
1512 
1513  if (MyProc == NULL)
1514  elog(PANIC, "cannot wait without a PGPROC structure");
1515 
1516  /*
1517  * Check if there's any work to do. Use a barrier to ensure we get the
1518  * freshest value.
1519  */
1521  if (upto <= inserted)
1522  return inserted;
1523 
1524  /* Read the current insert position */
1525  SpinLockAcquire(&Insert->insertpos_lck);
1526  bytepos = Insert->CurrBytePos;
1527  SpinLockRelease(&Insert->insertpos_lck);
1528  reservedUpto = XLogBytePosToEndRecPtr(bytepos);
1529 
1530  /*
1531  * No-one should request to flush a piece of WAL that hasn't even been
1532  * reserved yet. However, it can happen if there is a block with a bogus
1533  * LSN on disk, for example. XLogFlush checks for that situation and
1534  * complains, but only after the flush. Here we just assume that to mean
1535  * that all WAL that has been reserved needs to be finished. In this
1536  * corner-case, the return value can be smaller than 'upto' argument.
1537  */
1538  if (upto > reservedUpto)
1539  {
1540  ereport(LOG,
1541  (errmsg("request to flush past end of generated WAL; request %X/%X, current position %X/%X",
1542  LSN_FORMAT_ARGS(upto), LSN_FORMAT_ARGS(reservedUpto))));
1543  upto = reservedUpto;
1544  }
1545 
1546  /*
1547  * Loop through all the locks, sleeping on any in-progress insert older
1548  * than 'upto'.
1549  *
1550  * finishedUpto is our return value, indicating the point upto which all
1551  * the WAL insertions have been finished. Initialize it to the head of
1552  * reserved WAL, and as we iterate through the insertion locks, back it
1553  * out for any insertion that's still in progress.
1554  */
1555  finishedUpto = reservedUpto;
1556  for (i = 0; i < NUM_XLOGINSERT_LOCKS; i++)
1557  {
1558  XLogRecPtr insertingat = InvalidXLogRecPtr;
1559 
1560  do
1561  {
1562  /*
1563  * See if this insertion is in progress. LWLockWaitForVar will
1564  * wait for the lock to be released, or for the 'value' to be set
1565  * by a LWLockUpdateVar call. When a lock is initially acquired,
1566  * its value is 0 (InvalidXLogRecPtr), which means that we don't
1567  * know where it's inserting yet. We will have to wait for it. If
1568  * it's a small insertion, the record will most likely fit on the
1569  * same page and the inserter will release the lock without ever
1570  * calling LWLockUpdateVar. But if it has to sleep, it will
1571  * advertise the insertion point with LWLockUpdateVar before
1572  * sleeping.
1573  *
1574  * In this loop we are only waiting for insertions that started
1575  * before WaitXLogInsertionsToFinish was called. The lack of
1576  * memory barriers in the loop means that we might see locks as
1577  * "unused" that have since become used. This is fine because
1578  * they only can be used for later insertions that we would not
1579  * want to wait on anyway. Not taking a lock to acquire the
1580  * current insertingAt value means that we might see older
1581  * insertingAt values. This is also fine, because if we read a
1582  * value too old, we will add ourselves to the wait queue, which
1583  * contains atomic operations.
1584  */
1585  if (LWLockWaitForVar(&WALInsertLocks[i].l.lock,
1587  insertingat, &insertingat))
1588  {
1589  /* the lock was free, so no insertion in progress */
1590  insertingat = InvalidXLogRecPtr;
1591  break;
1592  }
1593 
1594  /*
1595  * This insertion is still in progress. Have to wait, unless the
1596  * inserter has proceeded past 'upto'.
1597  */
1598  } while (insertingat < upto);
1599 
1600  if (insertingat != InvalidXLogRecPtr && insertingat < finishedUpto)
1601  finishedUpto = insertingat;
1602  }
1603 
1604  /*
1605  * Advance the limit we know to have been inserted and return the freshest
1606  * value we know of, which might be beyond what we requested if somebody
1607  * is concurrently doing this with an 'upto' pointer ahead of us.
1608  */
1610  finishedUpto);
1611 
1612  return finishedUpto;
1613 }
1614 
1615 /*
1616  * Get a pointer to the right location in the WAL buffer containing the
1617  * given XLogRecPtr.
1618  *
1619  * If the page is not initialized yet, it is initialized. That might require
1620  * evicting an old dirty buffer from the buffer cache, which means I/O.
1621  *
1622  * The caller must ensure that the page containing the requested location
1623  * isn't evicted yet, and won't be evicted. The way to ensure that is to
1624  * hold onto a WAL insertion lock with the insertingAt position set to
1625  * something <= ptr. GetXLogBuffer() will update insertingAt if it needs
1626  * to evict an old page from the buffer. (This means that once you call
1627  * GetXLogBuffer() with a given 'ptr', you must not access anything before
1628  * that point anymore, and must not call GetXLogBuffer() with an older 'ptr'
1629  * later, because older buffers might be recycled already)
1630  */
1631 static char *
1633 {
1634  int idx;
1635  XLogRecPtr endptr;
1636  static uint64 cachedPage = 0;
1637  static char *cachedPos = NULL;
1638  XLogRecPtr expectedEndPtr;
1639 
1640  /*
1641  * Fast path for the common case that we need to access again the same
1642  * page as last time.
1643  */
1644  if (ptr / XLOG_BLCKSZ == cachedPage)
1645  {
1646  Assert(((XLogPageHeader) cachedPos)->xlp_magic == XLOG_PAGE_MAGIC);
1647  Assert(((XLogPageHeader) cachedPos)->xlp_pageaddr == ptr - (ptr % XLOG_BLCKSZ));
1648  return cachedPos + ptr % XLOG_BLCKSZ;
1649  }
1650 
1651  /*
1652  * The XLog buffer cache is organized so that a page is always loaded to a
1653  * particular buffer. That way we can easily calculate the buffer a given
1654  * page must be loaded into, from the XLogRecPtr alone.
1655  */
1656  idx = XLogRecPtrToBufIdx(ptr);
1657 
1658  /*
1659  * See what page is loaded in the buffer at the moment. It could be the
1660  * page we're looking for, or something older. It can't be anything newer
1661  * - that would imply the page we're looking for has already been written
1662  * out to disk and evicted, and the caller is responsible for making sure
1663  * that doesn't happen.
1664  *
1665  * We don't hold a lock while we read the value. If someone is just about
1666  * to initialize or has just initialized the page, it's possible that we
1667  * get InvalidXLogRecPtr. That's ok, we'll grab the mapping lock (in
1668  * AdvanceXLInsertBuffer) and retry if we see anything other than the page
1669  * we're looking for.
1670  */
1671  expectedEndPtr = ptr;
1672  expectedEndPtr += XLOG_BLCKSZ - ptr % XLOG_BLCKSZ;
1673 
1674  endptr = pg_atomic_read_u64(&XLogCtl->xlblocks[idx]);
1675  if (expectedEndPtr != endptr)
1676  {
1677  XLogRecPtr initializedUpto;
1678 
1679  /*
1680  * Before calling AdvanceXLInsertBuffer(), which can block, let others
1681  * know how far we're finished with inserting the record.
1682  *
1683  * NB: If 'ptr' points to just after the page header, advertise a
1684  * position at the beginning of the page rather than 'ptr' itself. If
1685  * there are no other insertions running, someone might try to flush
1686  * up to our advertised location. If we advertised a position after
1687  * the page header, someone might try to flush the page header, even
1688  * though page might actually not be initialized yet. As the first
1689  * inserter on the page, we are effectively responsible for making
1690  * sure that it's initialized, before we let insertingAt to move past
1691  * the page header.
1692  */
1693  if (ptr % XLOG_BLCKSZ == SizeOfXLogShortPHD &&
1694  XLogSegmentOffset(ptr, wal_segment_size) > XLOG_BLCKSZ)
1695  initializedUpto = ptr - SizeOfXLogShortPHD;
1696  else if (ptr % XLOG_BLCKSZ == SizeOfXLogLongPHD &&
1697  XLogSegmentOffset(ptr, wal_segment_size) < XLOG_BLCKSZ)
1698  initializedUpto = ptr - SizeOfXLogLongPHD;
1699  else
1700  initializedUpto = ptr;
1701 
1702  WALInsertLockUpdateInsertingAt(initializedUpto);
1703 
1704  AdvanceXLInsertBuffer(ptr, tli, false);
1705  endptr = pg_atomic_read_u64(&XLogCtl->xlblocks[idx]);
1706 
1707  if (expectedEndPtr != endptr)
1708  elog(PANIC, "could not find WAL buffer for %X/%X",
1709  LSN_FORMAT_ARGS(ptr));
1710  }
1711  else
1712  {
1713  /*
1714  * Make sure the initialization of the page is visible to us, and
1715  * won't arrive later to overwrite the WAL data we write on the page.
1716  */
1718  }
1719 
1720  /*
1721  * Found the buffer holding this page. Return a pointer to the right
1722  * offset within the page.
1723  */
1724  cachedPage = ptr / XLOG_BLCKSZ;
1725  cachedPos = XLogCtl->pages + idx * (Size) XLOG_BLCKSZ;
1726 
1727  Assert(((XLogPageHeader) cachedPos)->xlp_magic == XLOG_PAGE_MAGIC);
1728  Assert(((XLogPageHeader) cachedPos)->xlp_pageaddr == ptr - (ptr % XLOG_BLCKSZ));
1729 
1730  return cachedPos + ptr % XLOG_BLCKSZ;
1731 }
1732 
1733 /*
1734  * Read WAL data directly from WAL buffers, if available. Returns the number
1735  * of bytes read successfully.
1736  *
1737  * Fewer than 'count' bytes may be read if some of the requested WAL data has
1738  * already been evicted.
1739  *
1740  * No locks are taken.
1741  *
1742  * Caller should ensure that it reads no further than LogwrtResult.Write
1743  * (which should have been updated by the caller when determining how far to
1744  * read). The 'tli' argument is only used as a convenient safety check so that
1745  * callers do not read from WAL buffers on a historical timeline.
1746  */
1747 Size
1748 WALReadFromBuffers(char *dstbuf, XLogRecPtr startptr, Size count,
1749  TimeLineID tli)
1750 {
1751  char *pdst = dstbuf;
1752  XLogRecPtr recptr = startptr;
1753  XLogRecPtr inserted;
1754  Size nbytes = count;
1755 
1756  if (RecoveryInProgress() || tli != GetWALInsertionTimeLine())
1757  return 0;
1758 
1759  Assert(!XLogRecPtrIsInvalid(startptr));
1760 
1761  /*
1762  * Caller should ensure that the requested data has been inserted into WAL
1763  * buffers before we try to read it.
1764  */
1766  if (startptr + count > inserted)
1767  ereport(ERROR,
1768  errmsg("cannot read past end of generated WAL: requested %X/%X, current position %X/%X",
1769  LSN_FORMAT_ARGS(startptr + count),
1770  LSN_FORMAT_ARGS(inserted)));
1771 
1772  /*
1773  * Loop through the buffers without a lock. For each buffer, atomically
1774  * read and verify the end pointer, then copy the data out, and finally
1775  * re-read and re-verify the end pointer.
1776  *
1777  * Once a page is evicted, it never returns to the WAL buffers, so if the
1778  * end pointer matches the expected end pointer before and after we copy
1779  * the data, then the right page must have been present during the data
1780  * copy. Read barriers are necessary to ensure that the data copy actually
1781  * happens between the two verification steps.
1782  *
1783  * If either verification fails, we simply terminate the loop and return
1784  * with the data that had been already copied out successfully.
1785  */
1786  while (nbytes > 0)
1787  {
1788  uint32 offset = recptr % XLOG_BLCKSZ;
1789  int idx = XLogRecPtrToBufIdx(recptr);
1790  XLogRecPtr expectedEndPtr;
1791  XLogRecPtr endptr;
1792  const char *page;
1793  const char *psrc;
1794  Size npagebytes;
1795 
1796  /*
1797  * Calculate the end pointer we expect in the xlblocks array if the
1798  * correct page is present.
1799  */
1800  expectedEndPtr = recptr + (XLOG_BLCKSZ - offset);
1801 
1802  /*
1803  * First verification step: check that the correct page is present in
1804  * the WAL buffers.
1805  */
1806  endptr = pg_atomic_read_u64(&XLogCtl->xlblocks[idx]);
1807  if (expectedEndPtr != endptr)
1808  break;
1809 
1810  /*
1811  * The correct page is present (or was at the time the endptr was
1812  * read; must re-verify later). Calculate pointer to source data and
1813  * determine how much data to read from this page.
1814  */
1815  page = XLogCtl->pages + idx * (Size) XLOG_BLCKSZ;
1816  psrc = page + offset;
1817  npagebytes = Min(nbytes, XLOG_BLCKSZ - offset);
1818 
1819  /*
1820  * Ensure that the data copy and the first verification step are not
1821  * reordered.
1822  */
1823  pg_read_barrier();
1824 
1825  /* data copy */
1826  memcpy(pdst, psrc, npagebytes);
1827 
1828  /*
1829  * Ensure that the data copy and the second verification step are not
1830  * reordered.
1831  */
1832  pg_read_barrier();
1833 
1834  /*
1835  * Second verification step: check that the page we read from wasn't
1836  * evicted while we were copying the data.
1837  */
1838  endptr = pg_atomic_read_u64(&XLogCtl->xlblocks[idx]);
1839  if (expectedEndPtr != endptr)
1840  break;
1841 
1842  pdst += npagebytes;
1843  recptr += npagebytes;
1844  nbytes -= npagebytes;
1845  }
1846 
1847  Assert(pdst - dstbuf <= count);
1848 
1849  return pdst - dstbuf;
1850 }
1851 
1852 /*
1853  * Converts a "usable byte position" to XLogRecPtr. A usable byte position
1854  * is the position starting from the beginning of WAL, excluding all WAL
1855  * page headers.
1856  */
1857 static XLogRecPtr
1858 XLogBytePosToRecPtr(uint64 bytepos)
1859 {
1860  uint64 fullsegs;
1861  uint64 fullpages;
1862  uint64 bytesleft;
1863  uint32 seg_offset;
1864  XLogRecPtr result;
1865 
1866  fullsegs = bytepos / UsableBytesInSegment;
1867  bytesleft = bytepos % UsableBytesInSegment;
1868 
1869  if (bytesleft < XLOG_BLCKSZ - SizeOfXLogLongPHD)
1870  {
1871  /* fits on first page of segment */
1872  seg_offset = bytesleft + SizeOfXLogLongPHD;
1873  }
1874  else
1875  {
1876  /* account for the first page on segment with long header */
1877  seg_offset = XLOG_BLCKSZ;
1878  bytesleft -= XLOG_BLCKSZ - SizeOfXLogLongPHD;
1879 
1880  fullpages = bytesleft / UsableBytesInPage;
1881  bytesleft = bytesleft % UsableBytesInPage;
1882 
1883  seg_offset += fullpages * XLOG_BLCKSZ + bytesleft + SizeOfXLogShortPHD;
1884  }
1885 
1886  XLogSegNoOffsetToRecPtr(fullsegs, seg_offset, wal_segment_size, result);
1887 
1888  return result;
1889 }
1890 
1891 /*
1892  * Like XLogBytePosToRecPtr, but if the position is at a page boundary,
1893  * returns a pointer to the beginning of the page (ie. before page header),
1894  * not to where the first xlog record on that page would go to. This is used
1895  * when converting a pointer to the end of a record.
1896  */
1897 static XLogRecPtr
1898 XLogBytePosToEndRecPtr(uint64 bytepos)
1899 {
1900  uint64 fullsegs;
1901  uint64 fullpages;
1902  uint64 bytesleft;
1903  uint32 seg_offset;
1904  XLogRecPtr result;
1905 
1906  fullsegs = bytepos / UsableBytesInSegment;
1907  bytesleft = bytepos % UsableBytesInSegment;
1908 
1909  if (bytesleft < XLOG_BLCKSZ - SizeOfXLogLongPHD)
1910  {
1911  /* fits on first page of segment */
1912  if (bytesleft == 0)
1913  seg_offset = 0;
1914  else
1915  seg_offset = bytesleft + SizeOfXLogLongPHD;
1916  }
1917  else
1918  {
1919  /* account for the first page on segment with long header */
1920  seg_offset = XLOG_BLCKSZ;
1921  bytesleft -= XLOG_BLCKSZ - SizeOfXLogLongPHD;
1922 
1923  fullpages = bytesleft / UsableBytesInPage;
1924  bytesleft = bytesleft % UsableBytesInPage;
1925 
1926  if (bytesleft == 0)
1927  seg_offset += fullpages * XLOG_BLCKSZ + bytesleft;
1928  else
1929  seg_offset += fullpages * XLOG_BLCKSZ + bytesleft + SizeOfXLogShortPHD;
1930  }
1931 
1932  XLogSegNoOffsetToRecPtr(fullsegs, seg_offset, wal_segment_size, result);
1933 
1934  return result;
1935 }
1936 
1937 /*
1938  * Convert an XLogRecPtr to a "usable byte position".
1939  */
1940 static uint64
1942 {
1943  uint64 fullsegs;
1944  uint32 fullpages;
1945  uint32 offset;
1946  uint64 result;
1947 
1948  XLByteToSeg(ptr, fullsegs, wal_segment_size);
1949 
1950  fullpages = (XLogSegmentOffset(ptr, wal_segment_size)) / XLOG_BLCKSZ;
1951  offset = ptr % XLOG_BLCKSZ;
1952 
1953  if (fullpages == 0)
1954  {
1955  result = fullsegs * UsableBytesInSegment;
1956  if (offset > 0)
1957  {
1958  Assert(offset >= SizeOfXLogLongPHD);
1959  result += offset - SizeOfXLogLongPHD;
1960  }
1961  }
1962  else
1963  {
1964  result = fullsegs * UsableBytesInSegment +
1965  (XLOG_BLCKSZ - SizeOfXLogLongPHD) + /* account for first page */
1966  (fullpages - 1) * UsableBytesInPage; /* full pages */
1967  if (offset > 0)
1968  {
1969  Assert(offset >= SizeOfXLogShortPHD);
1970  result += offset - SizeOfXLogShortPHD;
1971  }
1972  }
1973 
1974  return result;
1975 }
1976 
1977 /*
1978  * Initialize XLOG buffers, writing out old buffers if they still contain
1979  * unwritten data, upto the page containing 'upto'. Or if 'opportunistic' is
1980  * true, initialize as many pages as we can without having to write out
1981  * unwritten data. Any new pages are initialized to zeros, with pages headers
1982  * initialized properly.
1983  */
1984 static void
1985 AdvanceXLInsertBuffer(XLogRecPtr upto, TimeLineID tli, bool opportunistic)
1986 {
1988  int nextidx;
1989  XLogRecPtr OldPageRqstPtr;
1990  XLogwrtRqst WriteRqst;
1991  XLogRecPtr NewPageEndPtr = InvalidXLogRecPtr;
1992  XLogRecPtr NewPageBeginPtr;
1993  XLogPageHeader NewPage;
1994  int npages pg_attribute_unused() = 0;
1995 
1996  LWLockAcquire(WALBufMappingLock, LW_EXCLUSIVE);
1997 
1998  /*
1999  * Now that we have the lock, check if someone initialized the page
2000  * already.
2001  */
2002  while (upto >= XLogCtl->InitializedUpTo || opportunistic)
2003  {
2005 
2006  /*
2007  * Get ending-offset of the buffer page we need to replace (this may
2008  * be zero if the buffer hasn't been used yet). Fall through if it's
2009  * already written out.
2010  */
2011  OldPageRqstPtr = pg_atomic_read_u64(&XLogCtl->xlblocks[nextidx]);
2012  if (LogwrtResult.Write < OldPageRqstPtr)
2013  {
2014  /*
2015  * Nope, got work to do. If we just want to pre-initialize as much
2016  * as we can without flushing, give up now.
2017  */
2018  if (opportunistic)
2019  break;
2020 
2021  /* Advance shared memory write request position */
2023  if (XLogCtl->LogwrtRqst.Write < OldPageRqstPtr)
2024  XLogCtl->LogwrtRqst.Write = OldPageRqstPtr;
2026 
2027  /*
2028  * Acquire an up-to-date LogwrtResult value and see if we still
2029  * need to write it or if someone else already did.
2030  */
2032  if (LogwrtResult.Write < OldPageRqstPtr)
2033  {
2034  /*
2035  * Must acquire write lock. Release WALBufMappingLock first,
2036  * to make sure that all insertions that we need to wait for
2037  * can finish (up to this same position). Otherwise we risk
2038  * deadlock.
2039  */
2040  LWLockRelease(WALBufMappingLock);
2041 
2042  WaitXLogInsertionsToFinish(OldPageRqstPtr);
2043 
2044  LWLockAcquire(WALWriteLock, LW_EXCLUSIVE);
2045 
2047  if (LogwrtResult.Write >= OldPageRqstPtr)
2048  {
2049  /* OK, someone wrote it already */
2050  LWLockRelease(WALWriteLock);
2051  }
2052  else
2053  {
2054  /* Have to write it ourselves */
2055  TRACE_POSTGRESQL_WAL_BUFFER_WRITE_DIRTY_START();
2056  WriteRqst.Write = OldPageRqstPtr;
2057  WriteRqst.Flush = 0;
2058  XLogWrite(WriteRqst, tli, false);
2059  LWLockRelease(WALWriteLock);
2061  TRACE_POSTGRESQL_WAL_BUFFER_WRITE_DIRTY_DONE();
2062  }
2063  /* Re-acquire WALBufMappingLock and retry */
2064  LWLockAcquire(WALBufMappingLock, LW_EXCLUSIVE);
2065  continue;
2066  }
2067  }
2068 
2069  /*
2070  * Now the next buffer slot is free and we can set it up to be the
2071  * next output page.
2072  */
2073  NewPageBeginPtr = XLogCtl->InitializedUpTo;
2074  NewPageEndPtr = NewPageBeginPtr + XLOG_BLCKSZ;
2075 
2076  Assert(XLogRecPtrToBufIdx(NewPageBeginPtr) == nextidx);
2077 
2078  NewPage = (XLogPageHeader) (XLogCtl->pages + nextidx * (Size) XLOG_BLCKSZ);
2079 
2080  /*
2081  * Mark the xlblock with InvalidXLogRecPtr and issue a write barrier
2082  * before initializing. Otherwise, the old page may be partially
2083  * zeroed but look valid.
2084  */
2086  pg_write_barrier();
2087 
2088  /*
2089  * Be sure to re-zero the buffer so that bytes beyond what we've
2090  * written will look like zeroes and not valid XLOG records...
2091  */
2092  MemSet((char *) NewPage, 0, XLOG_BLCKSZ);
2093 
2094  /*
2095  * Fill the new page's header
2096  */
2097  NewPage->xlp_magic = XLOG_PAGE_MAGIC;
2098 
2099  /* NewPage->xlp_info = 0; */ /* done by memset */
2100  NewPage->xlp_tli = tli;
2101  NewPage->xlp_pageaddr = NewPageBeginPtr;
2102 
2103  /* NewPage->xlp_rem_len = 0; */ /* done by memset */
2104 
2105  /*
2106  * If online backup is not in progress, mark the header to indicate
2107  * that WAL records beginning in this page have removable backup
2108  * blocks. This allows the WAL archiver to know whether it is safe to
2109  * compress archived WAL data by transforming full-block records into
2110  * the non-full-block format. It is sufficient to record this at the
2111  * page level because we force a page switch (in fact a segment
2112  * switch) when starting a backup, so the flag will be off before any
2113  * records can be written during the backup. At the end of a backup,
2114  * the last page will be marked as all unsafe when perhaps only part
2115  * is unsafe, but at worst the archiver would miss the opportunity to
2116  * compress a few records.
2117  */
2118  if (Insert->runningBackups == 0)
2119  NewPage->xlp_info |= XLP_BKP_REMOVABLE;
2120 
2121  /*
2122  * If first page of an XLOG segment file, make it a long header.
2123  */
2124  if ((XLogSegmentOffset(NewPage->xlp_pageaddr, wal_segment_size)) == 0)
2125  {
2126  XLogLongPageHeader NewLongPage = (XLogLongPageHeader) NewPage;
2127 
2128  NewLongPage->xlp_sysid = ControlFile->system_identifier;
2129  NewLongPage->xlp_seg_size = wal_segment_size;
2130  NewLongPage->xlp_xlog_blcksz = XLOG_BLCKSZ;
2131  NewPage->xlp_info |= XLP_LONG_HEADER;
2132  }
2133 
2134  /*
2135  * Make sure the initialization of the page becomes visible to others
2136  * before the xlblocks update. GetXLogBuffer() reads xlblocks without
2137  * holding a lock.
2138  */
2139  pg_write_barrier();
2140 
2141  pg_atomic_write_u64(&XLogCtl->xlblocks[nextidx], NewPageEndPtr);
2142  XLogCtl->InitializedUpTo = NewPageEndPtr;
2143 
2144  npages++;
2145  }
2146  LWLockRelease(WALBufMappingLock);
2147 
2148 #ifdef WAL_DEBUG
2149  if (XLOG_DEBUG && npages > 0)
2150  {
2151  elog(DEBUG1, "initialized %d pages, up to %X/%X",
2152  npages, LSN_FORMAT_ARGS(NewPageEndPtr));
2153  }
2154 #endif
2155 }
2156 
2157 /*
2158  * Calculate CheckPointSegments based on max_wal_size_mb and
2159  * checkpoint_completion_target.
2160  */
2161 static void
2163 {
2164  double target;
2165 
2166  /*-------
2167  * Calculate the distance at which to trigger a checkpoint, to avoid
2168  * exceeding max_wal_size_mb. This is based on two assumptions:
2169  *
2170  * a) we keep WAL for only one checkpoint cycle (prior to PG11 we kept
2171  * WAL for two checkpoint cycles to allow us to recover from the
2172  * secondary checkpoint if the first checkpoint failed, though we
2173  * only did this on the primary anyway, not on standby. Keeping just
2174  * one checkpoint simplifies processing and reduces disk space in
2175  * many smaller databases.)
2176  * b) during checkpoint, we consume checkpoint_completion_target *
2177  * number of segments consumed between checkpoints.
2178  *-------
2179  */
2180  target = (double) ConvertToXSegs(max_wal_size_mb, wal_segment_size) /
2182 
2183  /* round down */
2184  CheckPointSegments = (int) target;
2185 
2186  if (CheckPointSegments < 1)
2187  CheckPointSegments = 1;
2188 }
2189 
2190 void
2191 assign_max_wal_size(int newval, void *extra)
2192 {
2195 }
2196 
2197 void
2199 {
2202 }
2203 
2204 bool
2206 {
2207  if (!IsValidWalSegSize(*newval))
2208  {
2209  GUC_check_errdetail("The WAL segment size must be a power of two between 1 MB and 1 GB.");
2210  return false;
2211  }
2212 
2213  return true;
2214 }
2215 
2216 /*
2217  * GUC check_hook for max_slot_wal_keep_size
2218  *
2219  * We don't allow the value of max_slot_wal_keep_size other than -1 during the
2220  * binary upgrade. See start_postmaster() in pg_upgrade for more details.
2221  */
2222 bool
2224 {
2225  if (IsBinaryUpgrade && *newval != -1)
2226  {
2227  GUC_check_errdetail("\"%s\" must be set to -1 during binary upgrade mode.",
2228  "max_slot_wal_keep_size");
2229  return false;
2230  }
2231 
2232  return true;
2233 }
2234 
2235 /*
2236  * At a checkpoint, how many WAL segments to recycle as preallocated future
2237  * XLOG segments? Returns the highest segment that should be preallocated.
2238  */
2239 static XLogSegNo
2241 {
2242  XLogSegNo minSegNo;
2243  XLogSegNo maxSegNo;
2244  double distance;
2245  XLogSegNo recycleSegNo;
2246 
2247  /*
2248  * Calculate the segment numbers that min_wal_size_mb and max_wal_size_mb
2249  * correspond to. Always recycle enough segments to meet the minimum, and
2250  * remove enough segments to stay below the maximum.
2251  */
2252  minSegNo = lastredoptr / wal_segment_size +
2254  maxSegNo = lastredoptr / wal_segment_size +
2256 
2257  /*
2258  * Between those limits, recycle enough segments to get us through to the
2259  * estimated end of next checkpoint.
2260  *
2261  * To estimate where the next checkpoint will finish, assume that the
2262  * system runs steadily consuming CheckPointDistanceEstimate bytes between
2263  * every checkpoint.
2264  */
2266  /* add 10% for good measure. */
2267  distance *= 1.10;
2268 
2269  recycleSegNo = (XLogSegNo) ceil(((double) lastredoptr + distance) /
2271 
2272  if (recycleSegNo < minSegNo)
2273  recycleSegNo = minSegNo;
2274  if (recycleSegNo > maxSegNo)
2275  recycleSegNo = maxSegNo;
2276 
2277  return recycleSegNo;
2278 }
2279 
2280 /*
2281  * Check whether we've consumed enough xlog space that a checkpoint is needed.
2282  *
2283  * new_segno indicates a log file that has just been filled up (or read
2284  * during recovery). We measure the distance from RedoRecPtr to new_segno
2285  * and see if that exceeds CheckPointSegments.
2286  *
2287  * Note: it is caller's responsibility that RedoRecPtr is up-to-date.
2288  */
2289 bool
2291 {
2292  XLogSegNo old_segno;
2293 
2295 
2296  if (new_segno >= old_segno + (uint64) (CheckPointSegments - 1))
2297  return true;
2298  return false;
2299 }
2300 
2301 /*
2302  * Write and/or fsync the log at least as far as WriteRqst indicates.
2303  *
2304  * If flexible == true, we don't have to write as far as WriteRqst, but
2305  * may stop at any convenient boundary (such as a cache or logfile boundary).
2306  * This option allows us to avoid uselessly issuing multiple writes when a
2307  * single one would do.
2308  *
2309  * Must be called with WALWriteLock held. WaitXLogInsertionsToFinish(WriteRqst)
2310  * must be called before grabbing the lock, to make sure the data is ready to
2311  * write.
2312  */
2313 static void
2314 XLogWrite(XLogwrtRqst WriteRqst, TimeLineID tli, bool flexible)
2315 {
2316  bool ispartialpage;
2317  bool last_iteration;
2318  bool finishing_seg;
2319  int curridx;
2320  int npages;
2321  int startidx;
2322  uint32 startoffset;
2323 
2324  /* We should always be inside a critical section here */
2325  Assert(CritSectionCount > 0);
2326 
2327  /*
2328  * Update local LogwrtResult (caller probably did this already, but...)
2329  */
2331 
2332  /*
2333  * Since successive pages in the xlog cache are consecutively allocated,
2334  * we can usually gather multiple pages together and issue just one
2335  * write() call. npages is the number of pages we have determined can be
2336  * written together; startidx is the cache block index of the first one,
2337  * and startoffset is the file offset at which it should go. The latter
2338  * two variables are only valid when npages > 0, but we must initialize
2339  * all of them to keep the compiler quiet.
2340  */
2341  npages = 0;
2342  startidx = 0;
2343  startoffset = 0;
2344 
2345  /*
2346  * Within the loop, curridx is the cache block index of the page to
2347  * consider writing. Begin at the buffer containing the next unwritten
2348  * page, or last partially written page.
2349  */
2351 
2352  while (LogwrtResult.Write < WriteRqst.Write)
2353  {
2354  /*
2355  * Make sure we're not ahead of the insert process. This could happen
2356  * if we're passed a bogus WriteRqst.Write that is past the end of the
2357  * last page that's been initialized by AdvanceXLInsertBuffer.
2358  */
2359  XLogRecPtr EndPtr = pg_atomic_read_u64(&XLogCtl->xlblocks[curridx]);
2360 
2361  if (LogwrtResult.Write >= EndPtr)
2362  elog(PANIC, "xlog write request %X/%X is past end of log %X/%X",
2364  LSN_FORMAT_ARGS(EndPtr));
2365 
2366  /* Advance LogwrtResult.Write to end of current buffer page */
2367  LogwrtResult.Write = EndPtr;
2368  ispartialpage = WriteRqst.Write < LogwrtResult.Write;
2369 
2372  {
2373  /*
2374  * Switch to new logfile segment. We cannot have any pending
2375  * pages here (since we dump what we have at segment end).
2376  */
2377  Assert(npages == 0);
2378  if (openLogFile >= 0)
2379  XLogFileClose();
2382  openLogTLI = tli;
2383 
2384  /* create/use new log file */
2387  }
2388 
2389  /* Make sure we have the current logfile open */
2390  if (openLogFile < 0)
2391  {
2394  openLogTLI = tli;
2397  }
2398 
2399  /* Add current page to the set of pending pages-to-dump */
2400  if (npages == 0)
2401  {
2402  /* first of group */
2403  startidx = curridx;
2404  startoffset = XLogSegmentOffset(LogwrtResult.Write - XLOG_BLCKSZ,
2406  }
2407  npages++;
2408 
2409  /*
2410  * Dump the set if this will be the last loop iteration, or if we are
2411  * at the last page of the cache area (since the next page won't be
2412  * contiguous in memory), or if we are at the end of the logfile
2413  * segment.
2414  */
2415  last_iteration = WriteRqst.Write <= LogwrtResult.Write;
2416 
2417  finishing_seg = !ispartialpage &&
2418  (startoffset + npages * XLOG_BLCKSZ) >= wal_segment_size;
2419 
2420  if (last_iteration ||
2421  curridx == XLogCtl->XLogCacheBlck ||
2422  finishing_seg)
2423  {
2424  char *from;
2425  Size nbytes;
2426  Size nleft;
2427  ssize_t written;
2428  instr_time start;
2429 
2430  /* OK to write the page(s) */
2431  from = XLogCtl->pages + startidx * (Size) XLOG_BLCKSZ;
2432  nbytes = npages * (Size) XLOG_BLCKSZ;
2433  nleft = nbytes;
2434  do
2435  {
2436  errno = 0;
2437 
2438  /* Measure I/O timing to write WAL data */
2439  if (track_wal_io_timing)
2441  else
2443 
2444  pgstat_report_wait_start(WAIT_EVENT_WAL_WRITE);
2445  written = pg_pwrite(openLogFile, from, nleft, startoffset);
2447 
2448  /*
2449  * Increment the I/O timing and the number of times WAL data
2450  * were written out to disk.
2451  */
2452  if (track_wal_io_timing)
2453  {
2454  instr_time end;
2455 
2458  }
2459 
2461 
2462  if (written <= 0)
2463  {
2464  char xlogfname[MAXFNAMELEN];
2465  int save_errno;
2466 
2467  if (errno == EINTR)
2468  continue;
2469 
2470  save_errno = errno;
2471  XLogFileName(xlogfname, tli, openLogSegNo,
2473  errno = save_errno;
2474  ereport(PANIC,
2476  errmsg("could not write to log file \"%s\" at offset %u, length %zu: %m",
2477  xlogfname, startoffset, nleft)));
2478  }
2479  nleft -= written;
2480  from += written;
2481  startoffset += written;
2482  } while (nleft > 0);
2483 
2484  npages = 0;
2485 
2486  /*
2487  * If we just wrote the whole last page of a logfile segment,
2488  * fsync the segment immediately. This avoids having to go back
2489  * and re-open prior segments when an fsync request comes along
2490  * later. Doing it here ensures that one and only one backend will
2491  * perform this fsync.
2492  *
2493  * This is also the right place to notify the Archiver that the
2494  * segment is ready to copy to archival storage, and to update the
2495  * timer for archive_timeout, and to signal for a checkpoint if
2496  * too many logfile segments have been used since the last
2497  * checkpoint.
2498  */
2499  if (finishing_seg)
2500  {
2502 
2503  /* signal that we need to wakeup walsenders later */
2505 
2506  LogwrtResult.Flush = LogwrtResult.Write; /* end of page */
2507 
2508  if (XLogArchivingActive())
2510 
2511  XLogCtl->lastSegSwitchTime = (pg_time_t) time(NULL);
2513 
2514  /*
2515  * Request a checkpoint if we've consumed too much xlog since
2516  * the last one. For speed, we first check using the local
2517  * copy of RedoRecPtr, which might be out of date; if it looks
2518  * like a checkpoint is needed, forcibly update RedoRecPtr and
2519  * recheck.
2520  */
2522  {
2523  (void) GetRedoRecPtr();
2526  }
2527  }
2528  }
2529 
2530  if (ispartialpage)
2531  {
2532  /* Only asked to write a partial page */
2533  LogwrtResult.Write = WriteRqst.Write;
2534  break;
2535  }
2536  curridx = NextBufIdx(curridx);
2537 
2538  /* If flexible, break out of loop as soon as we wrote something */
2539  if (flexible && npages == 0)
2540  break;
2541  }
2542 
2543  Assert(npages == 0);
2544 
2545  /*
2546  * If asked to flush, do so
2547  */
2548  if (LogwrtResult.Flush < WriteRqst.Flush &&
2550  {
2551  /*
2552  * Could get here without iterating above loop, in which case we might
2553  * have no open file or the wrong one. However, we do not need to
2554  * fsync more than one file.
2555  */
2558  {
2559  if (openLogFile >= 0 &&
2562  XLogFileClose();
2563  if (openLogFile < 0)
2564  {
2567  openLogTLI = tli;
2570  }
2571 
2573  }
2574 
2575  /* signal that we need to wakeup walsenders later */
2577 
2579  }
2580 
2581  /*
2582  * Update shared-memory status
2583  *
2584  * We make sure that the shared 'request' values do not fall behind the
2585  * 'result' values. This is not absolutely essential, but it saves some
2586  * code in a couple of places.
2587  */
2594 
2595  /*
2596  * We write Write first, bar, then Flush. When reading, the opposite must
2597  * be done (with a matching barrier in between), so that we always see a
2598  * Flush value that trails behind the Write value seen.
2599  */
2601  pg_write_barrier();
2603 
2604 #ifdef USE_ASSERT_CHECKING
2605  {
2606  XLogRecPtr Flush;
2607  XLogRecPtr Write;
2609 
2611  pg_read_barrier();
2613  pg_read_barrier();
2615 
2616  /* WAL written to disk is always ahead of WAL flushed */
2617  Assert(Write >= Flush);
2618 
2619  /* WAL inserted to buffers is always ahead of WAL written */
2620  Assert(Insert >= Write);
2621  }
2622 #endif
2623 }
2624 
2625 /*
2626  * Record the LSN for an asynchronous transaction commit/abort
2627  * and nudge the WALWriter if there is work for it to do.
2628  * (This should not be called for synchronous commits.)
2629  */
2630 void
2632 {
2633  XLogRecPtr WriteRqstPtr = asyncXactLSN;
2634  bool sleeping;
2635  bool wakeup = false;
2636  XLogRecPtr prevAsyncXactLSN;
2637 
2639  sleeping = XLogCtl->WalWriterSleeping;
2640  prevAsyncXactLSN = XLogCtl->asyncXactLSN;
2641  if (XLogCtl->asyncXactLSN < asyncXactLSN)
2642  XLogCtl->asyncXactLSN = asyncXactLSN;
2644 
2645  /*
2646  * If somebody else already called this function with a more aggressive
2647  * LSN, they will have done what we needed (and perhaps more).
2648  */
2649  if (asyncXactLSN <= prevAsyncXactLSN)
2650  return;
2651 
2652  /*
2653  * If the WALWriter is sleeping, kick it to make it come out of low-power
2654  * mode, so that this async commit will reach disk within the expected
2655  * amount of time. Otherwise, determine whether it has enough WAL
2656  * available to flush, the same way that XLogBackgroundFlush() does.
2657  */
2658  if (sleeping)
2659  wakeup = true;
2660  else
2661  {
2662  int flushblocks;
2663 
2665 
2666  flushblocks =
2667  WriteRqstPtr / XLOG_BLCKSZ - LogwrtResult.Flush / XLOG_BLCKSZ;
2668 
2669  if (WalWriterFlushAfter == 0 || flushblocks >= WalWriterFlushAfter)
2670  wakeup = true;
2671  }
2672 
2673  if (wakeup)
2674  {
2675  volatile PROC_HDR *procglobal = ProcGlobal;
2676  ProcNumber walwriterProc = procglobal->walwriterProc;
2677 
2678  if (walwriterProc != INVALID_PROC_NUMBER)
2679  SetLatch(&GetPGProcByNumber(walwriterProc)->procLatch);
2680  }
2681 }
2682 
2683 /*
2684  * Record the LSN up to which we can remove WAL because it's not required by
2685  * any replication slot.
2686  */
2687 void
2689 {
2693 }
2694 
2695 
2696 /*
2697  * Return the oldest LSN we must retain to satisfy the needs of some
2698  * replication slot.
2699  */
2700 static XLogRecPtr
2702 {
2703  XLogRecPtr retval;
2704 
2706  retval = XLogCtl->replicationSlotMinLSN;
2708 
2709  return retval;
2710 }
2711 
2712 /*
2713  * Advance minRecoveryPoint in control file.
2714  *
2715  * If we crash during recovery, we must reach this point again before the
2716  * database is consistent.
2717  *
2718  * If 'force' is true, 'lsn' argument is ignored. Otherwise, minRecoveryPoint
2719  * is only updated if it's not already greater than or equal to 'lsn'.
2720  */
2721 static void
2723 {
2724  /* Quick check using our local copy of the variable */
2725  if (!updateMinRecoveryPoint || (!force && lsn <= LocalMinRecoveryPoint))
2726  return;
2727 
2728  /*
2729  * An invalid minRecoveryPoint means that we need to recover all the WAL,
2730  * i.e., we're doing crash recovery. We never modify the control file's
2731  * value in that case, so we can short-circuit future checks here too. The
2732  * local values of minRecoveryPoint and minRecoveryPointTLI should not be
2733  * updated until crash recovery finishes. We only do this for the startup
2734  * process as it should not update its own reference of minRecoveryPoint
2735  * until it has finished crash recovery to make sure that all WAL
2736  * available is replayed in this case. This also saves from extra locks
2737  * taken on the control file from the startup process.
2738  */
2740  {
2741  updateMinRecoveryPoint = false;
2742  return;
2743  }
2744 
2745  LWLockAcquire(ControlFileLock, LW_EXCLUSIVE);
2746 
2747  /* update local copy */
2750 
2752  updateMinRecoveryPoint = false;
2753  else if (force || LocalMinRecoveryPoint < lsn)
2754  {
2755  XLogRecPtr newMinRecoveryPoint;
2756  TimeLineID newMinRecoveryPointTLI;
2757 
2758  /*
2759  * To avoid having to update the control file too often, we update it
2760  * all the way to the last record being replayed, even though 'lsn'
2761  * would suffice for correctness. This also allows the 'force' case
2762  * to not need a valid 'lsn' value.
2763  *
2764  * Another important reason for doing it this way is that the passed
2765  * 'lsn' value could be bogus, i.e., past the end of available WAL, if
2766  * the caller got it from a corrupted heap page. Accepting such a
2767  * value as the min recovery point would prevent us from coming up at
2768  * all. Instead, we just log a warning and continue with recovery.
2769  * (See also the comments about corrupt LSNs in XLogFlush.)
2770  */
2771  newMinRecoveryPoint = GetCurrentReplayRecPtr(&newMinRecoveryPointTLI);
2772  if (!force && newMinRecoveryPoint < lsn)
2773  elog(WARNING,
2774  "xlog min recovery request %X/%X is past current point %X/%X",
2775  LSN_FORMAT_ARGS(lsn), LSN_FORMAT_ARGS(newMinRecoveryPoint));
2776 
2777  /* update control file */
2778  if (ControlFile->minRecoveryPoint < newMinRecoveryPoint)
2779  {
2780  ControlFile->minRecoveryPoint = newMinRecoveryPoint;
2781  ControlFile->minRecoveryPointTLI = newMinRecoveryPointTLI;
2783  LocalMinRecoveryPoint = newMinRecoveryPoint;
2784  LocalMinRecoveryPointTLI = newMinRecoveryPointTLI;
2785 
2786  ereport(DEBUG2,
2787  (errmsg_internal("updated min recovery point to %X/%X on timeline %u",
2788  LSN_FORMAT_ARGS(newMinRecoveryPoint),
2789  newMinRecoveryPointTLI)));
2790  }
2791  }
2792  LWLockRelease(ControlFileLock);
2793 }
2794 
2795 /*
2796  * Ensure that all XLOG data through the given position is flushed to disk.
2797  *
2798  * NOTE: this differs from XLogWrite mainly in that the WALWriteLock is not
2799  * already held, and we try to avoid acquiring it if possible.
2800  */
2801 void
2803 {
2804  XLogRecPtr WriteRqstPtr;
2805  XLogwrtRqst WriteRqst;
2806  TimeLineID insertTLI = XLogCtl->InsertTimeLineID;
2807 
2808  /*
2809  * During REDO, we are reading not writing WAL. Therefore, instead of
2810  * trying to flush the WAL, we should update minRecoveryPoint instead. We
2811  * test XLogInsertAllowed(), not InRecovery, because we need checkpointer
2812  * to act this way too, and because when it tries to write the
2813  * end-of-recovery checkpoint, it should indeed flush.
2814  */
2815  if (!XLogInsertAllowed())
2816  {
2817  UpdateMinRecoveryPoint(record, false);
2818  return;
2819  }
2820 
2821  /* Quick exit if already known flushed */
2822  if (record <= LogwrtResult.Flush)
2823  return;
2824 
2825 #ifdef WAL_DEBUG
2826  if (XLOG_DEBUG)
2827  elog(LOG, "xlog flush request %X/%X; write %X/%X; flush %X/%X",
2828  LSN_FORMAT_ARGS(record),
2831 #endif
2832 
2834 
2835  /*
2836  * Since fsync is usually a horribly expensive operation, we try to
2837  * piggyback as much data as we can on each fsync: if we see any more data
2838  * entered into the xlog buffer, we'll write and fsync that too, so that
2839  * the final value of LogwrtResult.Flush is as large as possible. This
2840  * gives us some chance of avoiding another fsync immediately after.
2841  */
2842 
2843  /* initialize to given target; may increase below */
2844  WriteRqstPtr = record;
2845 
2846  /*
2847  * Now wait until we get the write lock, or someone else does the flush
2848  * for us.
2849  */
2850  for (;;)
2851  {
2852  XLogRecPtr insertpos;
2853 
2854  /* done already? */
2856  if (record <= LogwrtResult.Flush)
2857  break;
2858 
2859  /*
2860  * Before actually performing the write, wait for all in-flight
2861  * insertions to the pages we're about to write to finish.
2862  */
2864  if (WriteRqstPtr < XLogCtl->LogwrtRqst.Write)
2865  WriteRqstPtr = XLogCtl->LogwrtRqst.Write;
2867  insertpos = WaitXLogInsertionsToFinish(WriteRqstPtr);
2868 
2869  /*
2870  * Try to get the write lock. If we can't get it immediately, wait
2871  * until it's released, and recheck if we still need to do the flush
2872  * or if the backend that held the lock did it for us already. This
2873  * helps to maintain a good rate of group committing when the system
2874  * is bottlenecked by the speed of fsyncing.
2875  */
2876  if (!LWLockAcquireOrWait(WALWriteLock, LW_EXCLUSIVE))
2877  {
2878  /*
2879  * The lock is now free, but we didn't acquire it yet. Before we
2880  * do, loop back to check if someone else flushed the record for
2881  * us already.
2882  */
2883  continue;
2884  }
2885 
2886  /* Got the lock; recheck whether request is satisfied */
2888  if (record <= LogwrtResult.Flush)
2889  {
2890  LWLockRelease(WALWriteLock);
2891  break;
2892  }
2893 
2894  /*
2895  * Sleep before flush! By adding a delay here, we may give further
2896  * backends the opportunity to join the backlog of group commit
2897  * followers; this can significantly improve transaction throughput,
2898  * at the risk of increasing transaction latency.
2899  *
2900  * We do not sleep if enableFsync is not turned on, nor if there are
2901  * fewer than CommitSiblings other backends with active transactions.
2902  */
2903  if (CommitDelay > 0 && enableFsync &&
2905  {
2907 
2908  /*
2909  * Re-check how far we can now flush the WAL. It's generally not
2910  * safe to call WaitXLogInsertionsToFinish while holding
2911  * WALWriteLock, because an in-progress insertion might need to
2912  * also grab WALWriteLock to make progress. But we know that all
2913  * the insertions up to insertpos have already finished, because
2914  * that's what the earlier WaitXLogInsertionsToFinish() returned.
2915  * We're only calling it again to allow insertpos to be moved
2916  * further forward, not to actually wait for anyone.
2917  */
2918  insertpos = WaitXLogInsertionsToFinish(insertpos);
2919  }
2920 
2921  /* try to write/flush later additions to XLOG as well */
2922  WriteRqst.Write = insertpos;
2923  WriteRqst.Flush = insertpos;
2924 
2925  XLogWrite(WriteRqst, insertTLI, false);
2926 
2927  LWLockRelease(WALWriteLock);
2928  /* done */
2929  break;
2930  }
2931 
2932  END_CRIT_SECTION();
2933 
2934  /* wake up walsenders now that we've released heavily contended locks */
2936 
2937  /*
2938  * If we still haven't flushed to the request point then we have a
2939  * problem; most likely, the requested flush point is past end of XLOG.
2940  * This has been seen to occur when a disk page has a corrupted LSN.
2941  *
2942  * Formerly we treated this as a PANIC condition, but that hurts the
2943  * system's robustness rather than helping it: we do not want to take down
2944  * the whole system due to corruption on one data page. In particular, if
2945  * the bad page is encountered again during recovery then we would be
2946  * unable to restart the database at all! (This scenario actually
2947  * happened in the field several times with 7.1 releases.) As of 8.4, bad
2948  * LSNs encountered during recovery are UpdateMinRecoveryPoint's problem;
2949  * the only time we can reach here during recovery is while flushing the
2950  * end-of-recovery checkpoint record, and we don't expect that to have a
2951  * bad LSN.
2952  *
2953  * Note that for calls from xact.c, the ERROR will be promoted to PANIC
2954  * since xact.c calls this routine inside a critical section. However,
2955  * calls from bufmgr.c are not within critical sections and so we will not
2956  * force a restart for a bad LSN on a data page.
2957  */
2958  if (LogwrtResult.Flush < record)
2959  elog(ERROR,
2960  "xlog flush request %X/%X is not satisfied --- flushed only to %X/%X",
2961  LSN_FORMAT_ARGS(record),
2963 }
2964 
2965 /*
2966  * Write & flush xlog, but without specifying exactly where to.
2967  *
2968  * We normally write only completed blocks; but if there is nothing to do on
2969  * that basis, we check for unwritten async commits in the current incomplete
2970  * block, and write through the latest one of those. Thus, if async commits
2971  * are not being used, we will write complete blocks only.
2972  *
2973  * If, based on the above, there's anything to write we do so immediately. But
2974  * to avoid calling fsync, fdatasync et. al. at a rate that'd impact
2975  * concurrent IO, we only flush WAL every wal_writer_delay ms, or if there's
2976  * more than wal_writer_flush_after unflushed blocks.
2977  *
2978  * We can guarantee that async commits reach disk after at most three
2979  * wal_writer_delay cycles. (When flushing complete blocks, we allow XLogWrite
2980  * to write "flexibly", meaning it can stop at the end of the buffer ring;
2981  * this makes a difference only with very high load or long wal_writer_delay,
2982  * but imposes one extra cycle for the worst case for async commits.)
2983  *
2984  * This routine is invoked periodically by the background walwriter process.
2985  *
2986  * Returns true if there was any work to do, even if we skipped flushing due
2987  * to wal_writer_delay/wal_writer_flush_after.
2988  */
2989 bool
2991 {
2992  XLogwrtRqst WriteRqst;
2993  bool flexible = true;
2994  static TimestampTz lastflush;
2995  TimestampTz now;
2996  int flushblocks;
2997  TimeLineID insertTLI;
2998 
2999  /* XLOG doesn't need flushing during recovery */
3000  if (RecoveryInProgress())
3001  return false;
3002 
3003  /*
3004  * Since we're not in recovery, InsertTimeLineID is set and can't change,
3005  * so we can read it without a lock.
3006  */
3007  insertTLI = XLogCtl->InsertTimeLineID;
3008 
3009  /* read updated LogwrtRqst */
3011  WriteRqst = XLogCtl->LogwrtRqst;
3013 
3014  /* back off to last completed page boundary */
3015  WriteRqst.Write -= WriteRqst.Write % XLOG_BLCKSZ;
3016 
3017  /* if we have already flushed that far, consider async commit records */
3019  if (WriteRqst.Write <= LogwrtResult.Flush)
3020  {
3022  WriteRqst.Write = XLogCtl->asyncXactLSN;
3024  flexible = false; /* ensure it all gets written */
3025  }
3026 
3027  /*
3028  * If already known flushed, we're done. Just need to check if we are
3029  * holding an open file handle to a logfile that's no longer in use,
3030  * preventing the file from being deleted.
3031  */
3032  if (WriteRqst.Write <= LogwrtResult.Flush)
3033  {
3034  if (openLogFile >= 0)
3035  {
3038  {
3039  XLogFileClose();
3040  }
3041  }
3042  return false;
3043  }
3044 
3045  /*
3046  * Determine how far to flush WAL, based on the wal_writer_delay and
3047  * wal_writer_flush_after GUCs.
3048  *
3049  * Note that XLogSetAsyncXactLSN() performs similar calculation based on
3050  * wal_writer_flush_after, to decide when to wake us up. Make sure the
3051  * logic is the same in both places if you change this.
3052  */
3054  flushblocks =
3055  WriteRqst.Write / XLOG_BLCKSZ - LogwrtResult.Flush / XLOG_BLCKSZ;
3056 
3057  if (WalWriterFlushAfter == 0 || lastflush == 0)
3058  {
3059  /* first call, or block based limits disabled */
3060  WriteRqst.Flush = WriteRqst.Write;
3061  lastflush = now;
3062  }
3063  else if (TimestampDifferenceExceeds(lastflush, now, WalWriterDelay))
3064  {
3065  /*
3066  * Flush the writes at least every WalWriterDelay ms. This is
3067  * important to bound the amount of time it takes for an asynchronous
3068  * commit to hit disk.
3069  */
3070  WriteRqst.Flush = WriteRqst.Write;
3071  lastflush = now;
3072  }
3073  else if (flushblocks >= WalWriterFlushAfter)
3074  {
3075  /* exceeded wal_writer_flush_after blocks, flush */
3076  WriteRqst.Flush = WriteRqst.Write;
3077  lastflush = now;
3078  }
3079  else
3080  {
3081  /* no flushing, this time round */
3082  WriteRqst.Flush = 0;
3083  }
3084 
3085 #ifdef WAL_DEBUG
3086  if (XLOG_DEBUG)
3087  elog(LOG, "xlog bg flush request write %X/%X; flush: %X/%X, current is write %X/%X; flush %X/%X",
3088  LSN_FORMAT_ARGS(WriteRqst.Write),
3089  LSN_FORMAT_ARGS(WriteRqst.Flush),
3092 #endif
3093 
3095 
3096  /* now wait for any in-progress insertions to finish and get write lock */
3097  WaitXLogInsertionsToFinish(WriteRqst.Write);
3098  LWLockAcquire(WALWriteLock, LW_EXCLUSIVE);
3100  if (WriteRqst.Write > LogwrtResult.Write ||
3101  WriteRqst.Flush > LogwrtResult.Flush)
3102  {
3103  XLogWrite(WriteRqst, insertTLI, flexible);
3104  }
3105  LWLockRelease(WALWriteLock);
3106 
3107  END_CRIT_SECTION();
3108 
3109  /* wake up walsenders now that we've released heavily contended locks */
3111 
3112  /*
3113  * Great, done. To take some work off the critical path, try to initialize
3114  * as many of the no-longer-needed WAL buffers for future use as we can.
3115  */
3116  AdvanceXLInsertBuffer(InvalidXLogRecPtr, insertTLI, true);
3117 
3118  /*
3119  * If we determined that we need to write data, but somebody else
3120  * wrote/flushed already, it should be considered as being active, to
3121  * avoid hibernating too early.
3122  */
3123  return true;
3124 }
3125 
3126 /*
3127  * Test whether XLOG data has been flushed up to (at least) the given position.
3128  *
3129  * Returns true if a flush is still needed. (It may be that someone else
3130  * is already in process of flushing that far, however.)
3131  */
3132 bool
3134 {
3135  /*
3136  * During recovery, we don't flush WAL but update minRecoveryPoint
3137  * instead. So "needs flush" is taken to mean whether minRecoveryPoint
3138  * would need to be updated.
3139  */
3140  if (RecoveryInProgress())
3141  {
3142  /*
3143  * An invalid minRecoveryPoint means that we need to recover all the
3144  * WAL, i.e., we're doing crash recovery. We never modify the control
3145  * file's value in that case, so we can short-circuit future checks
3146  * here too. This triggers a quick exit path for the startup process,
3147  * which cannot update its local copy of minRecoveryPoint as long as
3148  * it has not replayed all WAL available when doing crash recovery.
3149  */
3151  updateMinRecoveryPoint = false;
3152 
3153  /* Quick exit if already known to be updated or cannot be updated */
3155  return false;
3156 
3157  /*
3158  * Update local copy of minRecoveryPoint. But if the lock is busy,
3159  * just return a conservative guess.
3160  */
3161  if (!LWLockConditionalAcquire(ControlFileLock, LW_SHARED))
3162  return true;
3165  LWLockRelease(ControlFileLock);
3166 
3167  /*
3168  * Check minRecoveryPoint for any other process than the startup
3169  * process doing crash recovery, which should not update the control
3170  * file value if crash recovery is still running.
3171  */
3173  updateMinRecoveryPoint = false;
3174 
3175  /* check again */
3177  return false;
3178  else
3179  return true;
3180  }
3181 
3182  /* Quick exit if already known flushed */
3183  if (record <= LogwrtResult.Flush)
3184  return false;
3185 
3186  /* read LogwrtResult and update local state */
3188 
3189  /* check again */
3190  if (record <= LogwrtResult.Flush)
3191  return false;
3192 
3193  return true;
3194 }
3195 
3196 /*
3197  * Try to make a given XLOG file segment exist.
3198  *
3199  * logsegno: identify segment.
3200  *
3201  * *added: on return, true if this call raised the number of extant segments.
3202  *
3203  * path: on return, this char[MAXPGPATH] has the path to the logsegno file.
3204  *
3205  * Returns -1 or FD of opened file. A -1 here is not an error; a caller
3206  * wanting an open segment should attempt to open "path", which usually will
3207  * succeed. (This is weird, but it's efficient for the callers.)
3208  */
3209 static int
3211  bool *added, char *path)
3212 {
3213  char tmppath[MAXPGPATH];
3214  XLogSegNo installed_segno;
3215  XLogSegNo max_segno;
3216  int fd;
3217  int save_errno;
3218  int open_flags = O_RDWR | O_CREAT | O_EXCL | PG_BINARY;
3219 
3220  Assert(logtli != 0);
3221 
3222  XLogFilePath(path, logtli, logsegno, wal_segment_size);
3223 
3224  /*
3225  * Try to use existent file (checkpoint maker may have created it already)
3226  */
3227  *added = false;
3228  fd = BasicOpenFile(path, O_RDWR | PG_BINARY | O_CLOEXEC |
3230  if (fd < 0)
3231  {
3232  if (errno != ENOENT)
3233  ereport(ERROR,
3235  errmsg("could not open file \"%s\": %m", path)));
3236  }
3237  else
3238  return fd;
3239 
3240  /*
3241  * Initialize an empty (all zeroes) segment. NOTE: it is possible that
3242  * another process is doing the same thing. If so, we will end up
3243  * pre-creating an extra log segment. That seems OK, and better than
3244  * holding the lock throughout this lengthy process.
3245  */
3246  elog(DEBUG2, "creating and filling new WAL file");
3247 
3248  snprintf(tmppath, MAXPGPATH, XLOGDIR "/xlogtemp.%d", (int) getpid());
3249 
3250  unlink(tmppath);
3251 
3253  open_flags |= PG_O_DIRECT;
3254 
3255  /* do not use get_sync_bit() here --- want to fsync only at end of fill */
3256  fd = BasicOpenFile(tmppath, open_flags);
3257  if (fd < 0)
3258  ereport(ERROR,
3260  errmsg("could not create file \"%s\": %m", tmppath)));
3261 
3262  pgstat_report_wait_start(WAIT_EVENT_WAL_INIT_WRITE);
3263  save_errno = 0;
3264  if (wal_init_zero)
3265  {
3266  ssize_t rc;
3267 
3268  /*
3269  * Zero-fill the file. With this setting, we do this the hard way to
3270  * ensure that all the file space has really been allocated. On
3271  * platforms that allow "holes" in files, just seeking to the end
3272  * doesn't allocate intermediate space. This way, we know that we
3273  * have all the space and (after the fsync below) that all the
3274  * indirect blocks are down on disk. Therefore, fdatasync(2) or
3275  * O_DSYNC will be sufficient to sync future writes to the log file.
3276  */
3278 
3279  if (rc < 0)
3280  save_errno = errno;
3281  }
3282  else
3283  {
3284  /*
3285  * Otherwise, seeking to the end and writing a solitary byte is
3286  * enough.
3287  */
3288  errno = 0;
3289  if (pg_pwrite(fd, "\0", 1, wal_segment_size - 1) != 1)
3290  {
3291  /* if write didn't set errno, assume no disk space */
3292  save_errno = errno ? errno : ENOSPC;
3293  }
3294  }
3296 
3297  if (save_errno)
3298  {
3299  /*
3300  * If we fail to make the file, delete it to release disk space
3301  */
3302  unlink(tmppath);
3303 
3304  close(fd);
3305 
3306  errno = save_errno;
3307 
3308  ereport(ERROR,
3310  errmsg("could not write to file \"%s\": %m", tmppath)));
3311  }
3312 
3313  pgstat_report_wait_start(WAIT_EVENT_WAL_INIT_SYNC);
3314  if (pg_fsync(fd) != 0)
3315  {
3316  save_errno = errno;
3317  close(fd);
3318  errno = save_errno;
3319  ereport(ERROR,
3321  errmsg("could not fsync file \"%s\": %m", tmppath)));
3322  }
3324 
3325  if (close(fd) != 0)
3326  ereport(ERROR,
3328  errmsg("could not close file \"%s\": %m", tmppath)));
3329 
3330  /*
3331  * Now move the segment into place with its final name. Cope with
3332  * possibility that someone else has created the file while we were
3333  * filling ours: if so, use ours to pre-create a future log segment.
3334  */
3335  installed_segno = logsegno;
3336 
3337  /*
3338  * XXX: What should we use as max_segno? We used to use XLOGfileslop when
3339  * that was a constant, but that was always a bit dubious: normally, at a
3340  * checkpoint, XLOGfileslop was the offset from the checkpoint record, but
3341  * here, it was the offset from the insert location. We can't do the
3342  * normal XLOGfileslop calculation here because we don't have access to
3343  * the prior checkpoint's redo location. So somewhat arbitrarily, just use
3344  * CheckPointSegments.
3345  */
3346  max_segno = logsegno + CheckPointSegments;
3347  if (InstallXLogFileSegment(&installed_segno, tmppath, true, max_segno,
3348  logtli))
3349  {
3350  *added = true;
3351  elog(DEBUG2, "done creating and filling new WAL file");
3352  }
3353  else
3354  {
3355  /*
3356  * No need for any more future segments, or InstallXLogFileSegment()
3357  * failed to rename the file into place. If the rename failed, a
3358  * caller opening the file may fail.
3359  */
3360  unlink(tmppath);
3361  elog(DEBUG2, "abandoned new WAL file");
3362  }
3363 
3364  return -1;
3365 }
3366 
3367 /*
3368  * Create a new XLOG file segment, or open a pre-existing one.
3369  *
3370  * logsegno: identify segment to be created/opened.
3371  *
3372  * Returns FD of opened file.
3373  *
3374  * Note: errors here are ERROR not PANIC because we might or might not be
3375  * inside a critical section (eg, during checkpoint there is no reason to
3376  * take down the system on failure). They will promote to PANIC if we are
3377  * in a critical section.
3378  */
3379 int
3381 {
3382  bool ignore_added;
3383  char path[MAXPGPATH];
3384  int fd;
3385 
3386  Assert(logtli != 0);
3387 
3388  fd = XLogFileInitInternal(logsegno, logtli, &ignore_added, path);
3389  if (fd >= 0)
3390  return fd;
3391 
3392  /* Now open original target segment (might not be file I just made) */
3393  fd = BasicOpenFile(path, O_RDWR | PG_BINARY | O_CLOEXEC |
3395  if (fd < 0)
3396  ereport(ERROR,
3398  errmsg("could not open file \"%s\": %m", path)));
3399  return fd;
3400 }
3401 
3402 /*
3403  * Create a new XLOG file segment by copying a pre-existing one.
3404  *
3405  * destsegno: identify segment to be created.
3406  *
3407  * srcTLI, srcsegno: identify segment to be copied (could be from
3408  * a different timeline)
3409  *
3410  * upto: how much of the source file to copy (the rest is filled with
3411  * zeros)
3412  *
3413  * Currently this is only used during recovery, and so there are no locking
3414  * considerations. But we should be just as tense as XLogFileInit to avoid
3415  * emplacing a bogus file.
3416  */
3417 static void
3418 XLogFileCopy(TimeLineID destTLI, XLogSegNo destsegno,
3419  TimeLineID srcTLI, XLogSegNo srcsegno,
3420  int upto)
3421 {
3422  char path[MAXPGPATH];
3423  char tmppath[MAXPGPATH];
3424  PGAlignedXLogBlock buffer;
3425  int srcfd;
3426  int fd;
3427  int nbytes;
3428 
3429  /*
3430  * Open the source file
3431  */
3432  XLogFilePath(path, srcTLI, srcsegno, wal_segment_size);
3433  srcfd = OpenTransientFile(path, O_RDONLY | PG_BINARY);
3434  if (srcfd < 0)
3435  ereport(ERROR,
3437  errmsg("could not open file \"%s\": %m", path)));
3438 
3439  /*
3440  * Copy into a temp file name.
3441  */
3442  snprintf(tmppath, MAXPGPATH, XLOGDIR "/xlogtemp.%d", (int) getpid());
3443 
3444  unlink(tmppath);
3445 
3446  /* do not use get_sync_bit() here --- want to fsync only at end of fill */
3447  fd = OpenTransientFile(tmppath, O_RDWR | O_CREAT | O_EXCL | PG_BINARY);
3448  if (fd < 0)
3449  ereport(ERROR,
3451  errmsg("could not create file \"%s\": %m", tmppath)));
3452 
3453  /*
3454  * Do the data copying.
3455  */
3456  for (nbytes = 0; nbytes < wal_segment_size; nbytes += sizeof(buffer))
3457  {
3458  int nread;
3459 
3460  nread = upto - nbytes;
3461 
3462  /*
3463  * The part that is not read from the source file is filled with
3464  * zeros.
3465  */
3466  if (nread < sizeof(buffer))
3467  memset(buffer.data, 0, sizeof(buffer));
3468 
3469  if (nread > 0)
3470  {
3471  int r;
3472 
3473  if (nread > sizeof(buffer))
3474  nread = sizeof(buffer);
3475  pgstat_report_wait_start(WAIT_EVENT_WAL_COPY_READ);
3476  r = read(srcfd, buffer.data, nread);
3477  if (r != nread)
3478  {
3479  if (r < 0)
3480  ereport(ERROR,
3482  errmsg("could not read file \"%s\": %m",
3483  path)));
3484  else
3485  ereport(ERROR,
3487  errmsg("could not read file \"%s\": read %d of %zu",
3488  path, r, (Size) nread)));
3489  }
3491  }
3492  errno = 0;
3493  pgstat_report_wait_start(WAIT_EVENT_WAL_COPY_WRITE);
3494  if ((int) write(fd, buffer.data, sizeof(buffer)) != (int) sizeof(buffer))
3495  {
3496  int save_errno = errno;
3497 
3498  /*
3499  * If we fail to make the file, delete it to release disk space
3500  */
3501  unlink(tmppath);
3502  /* if write didn't set errno, assume problem is no disk space */
3503  errno = save_errno ? save_errno : ENOSPC;
3504 
3505  ereport(ERROR,
3507  errmsg("could not write to file \"%s\": %m", tmppath)));
3508  }
3510  }
3511 
3512  pgstat_report_wait_start(WAIT_EVENT_WAL_COPY_SYNC);
3513  if (pg_fsync(fd) != 0)
3516  errmsg("could not fsync file \"%s\": %m", tmppath)));
3518 
3519  if (CloseTransientFile(fd) != 0)
3520  ereport(ERROR,
3522  errmsg("could not close file \"%s\": %m", tmppath)));
3523 
3524  if (CloseTransientFile(srcfd) != 0)
3525  ereport(ERROR,
3527  errmsg("could not close file \"%s\": %m", path)));
3528 
3529  /*
3530  * Now move the segment into place with its final name.
3531  */
3532  if (!InstallXLogFileSegment(&destsegno, tmppath, false, 0, destTLI))
3533  elog(ERROR, "InstallXLogFileSegment should not have failed");
3534 }
3535 
3536 /*
3537  * Install a new XLOG segment file as a current or future log segment.
3538  *
3539  * This is used both to install a newly-created segment (which has a temp
3540  * filename while it's being created) and to recycle an old segment.
3541  *
3542  * *segno: identify segment to install as (or first possible target).
3543  * When find_free is true, this is modified on return to indicate the
3544  * actual installation location or last segment searched.
3545  *
3546  * tmppath: initial name of file to install. It will be renamed into place.
3547  *
3548  * find_free: if true, install the new segment at the first empty segno
3549  * number at or after the passed numbers. If false, install the new segment
3550  * exactly where specified, deleting any existing segment file there.
3551  *
3552  * max_segno: maximum segment number to install the new file as. Fail if no
3553  * free slot is found between *segno and max_segno. (Ignored when find_free
3554  * is false.)
3555  *
3556  * tli: The timeline on which the new segment should be installed.
3557  *
3558  * Returns true if the file was installed successfully. false indicates that
3559  * max_segno limit was exceeded, the startup process has disabled this
3560  * function for now, or an error occurred while renaming the file into place.
3561  */
3562 static bool
3563 InstallXLogFileSegment(XLogSegNo *segno, char *tmppath,
3564  bool find_free, XLogSegNo max_segno, TimeLineID tli)
3565 {
3566  char path[MAXPGPATH];
3567  struct stat stat_buf;
3568 
3569  Assert(tli != 0);
3570 
3571  XLogFilePath(path, tli, *segno, wal_segment_size);
3572 
3573  LWLockAcquire(ControlFileLock, LW_EXCLUSIVE);
3575  {
3576  LWLockRelease(ControlFileLock);
3577  return false;
3578  }
3579 
3580  if (!find_free)
3581  {
3582  /* Force installation: get rid of any pre-existing segment file */
3583  durable_unlink(path, DEBUG1);
3584  }
3585  else
3586  {
3587  /* Find a free slot to put it in */
3588  while (stat(path, &stat_buf) == 0)
3589  {
3590  if ((*segno) >= max_segno)
3591  {
3592  /* Failed to find a free slot within specified range */
3593  LWLockRelease(ControlFileLock);
3594  return false;
3595  }
3596  (*segno)++;
3597  XLogFilePath(path, tli, *segno, wal_segment_size);
3598  }
3599  }
3600 
3601  Assert(access(path, F_OK) != 0 && errno == ENOENT);
3602  if (durable_rename(tmppath, path, LOG) != 0)
3603  {
3604  LWLockRelease(ControlFileLock);
3605  /* durable_rename already emitted log message */
3606  return false;
3607  }
3608 
3609  LWLockRelease(ControlFileLock);
3610 
3611  return true;
3612 }
3613 
3614 /*
3615  * Open a pre-existing logfile segment for writing.
3616  */
3617 int
3619 {
3620  char path[MAXPGPATH];
3621  int fd;
3622 
3623  XLogFilePath(path, tli, segno, wal_segment_size);
3624 
3625  fd = BasicOpenFile(path, O_RDWR | PG_BINARY | O_CLOEXEC |
3627  if (fd < 0)
3628  ereport(PANIC,
3630  errmsg("could not open file \"%s\": %m", path)));
3631 
3632  return fd;
3633 }
3634 
3635 /*
3636  * Close the current logfile segment for writing.
3637  */
3638 static void
3640 {
3641  Assert(openLogFile >= 0);
3642 
3643  /*
3644  * WAL segment files will not be re-read in normal operation, so we advise
3645  * the OS to release any cached pages. But do not do so if WAL archiving
3646  * or streaming is active, because archiver and walsender process could
3647  * use the cache to read the WAL segment.
3648  */
3649 #if defined(USE_POSIX_FADVISE) && defined(POSIX_FADV_DONTNEED)
3650  if (!XLogIsNeeded() && (io_direct_flags & IO_DIRECT_WAL) == 0)
3651  (void) posix_fadvise(openLogFile, 0, 0, POSIX_FADV_DONTNEED);
3652 #endif
3653 
3654  if (close(openLogFile) != 0)
3655  {
3656  char xlogfname[MAXFNAMELEN];
3657  int save_errno = errno;
3658 
3660  errno = save_errno;
3661  ereport(PANIC,
3663  errmsg("could not close file \"%s\": %m", xlogfname)));
3664  }
3665 
3666  openLogFile = -1;
3668 }
3669 
3670 /*
3671  * Preallocate log files beyond the specified log endpoint.
3672  *
3673  * XXX this is currently extremely conservative, since it forces only one
3674  * future log segment to exist, and even that only if we are 75% done with
3675  * the current one. This is only appropriate for very low-WAL-volume systems.
3676  * High-volume systems will be OK once they've built up a sufficient set of
3677  * recycled log segments, but the startup transient is likely to include
3678  * a lot of segment creations by foreground processes, which is not so good.
3679  *
3680  * XLogFileInitInternal() can ereport(ERROR). All known causes indicate big
3681  * trouble; for example, a full filesystem is one cause. The checkpoint WAL
3682  * and/or ControlFile updates already completed. If a RequestCheckpoint()
3683  * initiated the present checkpoint and an ERROR ends this function, the
3684  * command that called RequestCheckpoint() fails. That's not ideal, but it's
3685  * not worth contorting more functions to use caller-specified elevel values.
3686  * (With or without RequestCheckpoint(), an ERROR forestalls some inessential
3687  * reporting and resource reclamation.)
3688  */
3689 static void
3691 {
3692  XLogSegNo _logSegNo;
3693  int lf;
3694  bool added;
3695  char path[MAXPGPATH];
3696  uint64 offset;
3697 
3699  return; /* unlocked check says no */
3700 
3701  XLByteToPrevSeg(endptr, _logSegNo, wal_segment_size);
3702  offset = XLogSegmentOffset(endptr - 1, wal_segment_size);
3703  if (offset >= (uint32) (0.75 * wal_segment_size))
3704  {
3705  _logSegNo++;
3706  lf = XLogFileInitInternal(_logSegNo, tli, &added, path);
3707  if (lf >= 0)
3708  close(lf);
3709  if (added)
3711  }
3712 }
3713 
3714 /*
3715  * Throws an error if the given log segment has already been removed or
3716  * recycled. The caller should only pass a segment that it knows to have
3717  * existed while the server has been running, as this function always
3718  * succeeds if no WAL segments have been removed since startup.
3719  * 'tli' is only used in the error message.
3720  *
3721  * Note: this function guarantees to keep errno unchanged on return.
3722  * This supports callers that use this to possibly deliver a better
3723  * error message about a missing file, while still being able to throw
3724  * a normal file-access error afterwards, if this does return.
3725  */
3726 void
3728 {
3729  int save_errno = errno;
3730  XLogSegNo lastRemovedSegNo;
3731 
3733  lastRemovedSegNo = XLogCtl->lastRemovedSegNo;
3735 
3736  if (segno <= lastRemovedSegNo)
3737  {
3738  char filename[MAXFNAMELEN];
3739 
3740  XLogFileName(filename, tli, segno, wal_segment_size);
3741  errno = save_errno;
3742  ereport(ERROR,
3744  errmsg("requested WAL segment %s has already been removed",
3745  filename)));
3746  }
3747  errno = save_errno;
3748 }
3749 
3750 /*
3751  * Return the last WAL segment removed, or 0 if no segment has been removed
3752  * since startup.
3753  *
3754  * NB: the result can be out of date arbitrarily fast, the caller has to deal
3755  * with that.
3756  */
3757 XLogSegNo
3759 {
3760  XLogSegNo lastRemovedSegNo;
3761 
3763  lastRemovedSegNo = XLogCtl->lastRemovedSegNo;
3765 
3766  return lastRemovedSegNo;
3767 }
3768 
3769 /*
3770  * Return the oldest WAL segment on the given TLI that still exists in
3771  * XLOGDIR, or 0 if none.
3772  */
3773 XLogSegNo
3775 {
3776  DIR *xldir;
3777  struct dirent *xlde;
3778  XLogSegNo oldest_segno = 0;
3779 
3780  xldir = AllocateDir(XLOGDIR);
3781  while ((xlde = ReadDir(xldir, XLOGDIR)) != NULL)
3782  {
3783  TimeLineID file_tli;
3784  XLogSegNo file_segno;
3785 
3786  /* Ignore files that are not XLOG segments. */
3787  if (!IsXLogFileName(xlde->d_name))
3788  continue;
3789 
3790  /* Parse filename to get TLI and segno. */
3791  XLogFromFileName(xlde->d_name, &file_tli, &file_segno,
3793 
3794  /* Ignore anything that's not from the TLI of interest. */
3795  if (tli != file_tli)
3796  continue;
3797 
3798  /* If it's the oldest so far, update oldest_segno. */
3799  if (oldest_segno == 0 || file_segno < oldest_segno)
3800  oldest_segno = file_segno;
3801  }
3802 
3803  FreeDir(xldir);
3804  return oldest_segno;
3805 }
3806 
3807 /*
3808  * Update the last removed segno pointer in shared memory, to reflect that the
3809  * given XLOG file has been removed.
3810  */
3811 static void
3813 {
3814  uint32 tli;
3815  XLogSegNo segno;
3816 
3817  XLogFromFileName(filename, &tli, &segno, wal_segment_size);
3818 
3820  if (segno > XLogCtl->lastRemovedSegNo)
3821  XLogCtl->lastRemovedSegNo = segno;
3823 }
3824 
3825 /*
3826  * Remove all temporary log files in pg_wal
3827  *
3828  * This is called at the beginning of recovery after a previous crash,
3829  * at a point where no other processes write fresh WAL data.
3830  */
3831 static void
3833 {
3834  DIR *xldir;
3835  struct dirent *xlde;
3836 
3837  elog(DEBUG2, "removing all temporary WAL segments");
3838 
3839  xldir = AllocateDir(XLOGDIR);
3840  while ((xlde = ReadDir(xldir, XLOGDIR)) != NULL)
3841  {
3842  char path[MAXPGPATH];
3843 
3844  if (strncmp(xlde->d_name, "xlogtemp.", 9) != 0)
3845  continue;
3846 
3847  snprintf(path, MAXPGPATH, XLOGDIR "/%s", xlde->d_name);
3848  unlink(path);
3849  elog(DEBUG2, "removed temporary WAL segment \"%s\"", path);
3850  }
3851  FreeDir(xldir);
3852 }
3853 
3854 /*
3855  * Recycle or remove all log files older or equal to passed segno.
3856  *
3857  * endptr is current (or recent) end of xlog, and lastredoptr is the
3858  * redo pointer of the last checkpoint. These are used to determine
3859  * whether we want to recycle rather than delete no-longer-wanted log files.
3860  *
3861  * insertTLI is the current timeline for XLOG insertion. Any recycled
3862  * segments should be reused for this timeline.
3863  */
3864 static void
3866  TimeLineID insertTLI)
3867 {
3868  DIR *xldir;
3869  struct dirent *xlde;
3870  char lastoff[MAXFNAMELEN];
3871  XLogSegNo endlogSegNo;
3872  XLogSegNo recycleSegNo;
3873 
3874  /* Initialize info about where to try to recycle to */
3875  XLByteToSeg(endptr, endlogSegNo, wal_segment_size);
3876  recycleSegNo = XLOGfileslop(lastredoptr);
3877 
3878  /*
3879  * Construct a filename of the last segment to be kept. The timeline ID
3880  * doesn't matter, we ignore that in the comparison. (During recovery,
3881  * InsertTimeLineID isn't set, so we can't use that.)
3882  */
3883  XLogFileName(lastoff, 0, segno, wal_segment_size);
3884 
3885  elog(DEBUG2, "attempting to remove WAL segments older than log file %s",
3886  lastoff);
3887 
3888  xldir = AllocateDir(XLOGDIR);
3889 
3890  while ((xlde = ReadDir(xldir, XLOGDIR)) != NULL)
3891  {
3892  /* Ignore files that are not XLOG segments */
3893  if (!IsXLogFileName(xlde->d_name) &&
3894  !IsPartialXLogFileName(xlde->d_name))
3895  continue;
3896 
3897  /*
3898  * We ignore the timeline part of the XLOG segment identifiers in
3899  * deciding whether a segment is still needed. This ensures that we
3900  * won't prematurely remove a segment from a parent timeline. We could
3901  * probably be a little more proactive about removing segments of
3902  * non-parent timelines, but that would be a whole lot more
3903  * complicated.
3904  *
3905  * We use the alphanumeric sorting property of the filenames to decide
3906  * which ones are earlier than the lastoff segment.
3907  */
3908  if (strcmp(xlde->d_name + 8, lastoff + 8) <= 0)
3909  {
3910  if (XLogArchiveCheckDone(xlde->d_name))
3911  {
3912  /* Update the last removed location in shared memory first */
3914 
3915  RemoveXlogFile(xlde, recycleSegNo, &endlogSegNo, insertTLI);
3916  }
3917  }
3918  }
3919 
3920  FreeDir(xldir);
3921 }
3922 
3923 /*
3924  * Recycle or remove WAL files that are not part of the given timeline's
3925  * history.
3926  *
3927  * This is called during recovery, whenever we switch to follow a new
3928  * timeline, and at the end of recovery when we create a new timeline. We
3929  * wouldn't otherwise care about extra WAL files lying in pg_wal, but they
3930  * might be leftover pre-allocated or recycled WAL segments on the old timeline
3931  * that we haven't used yet, and contain garbage. If we just leave them in
3932  * pg_wal, they will eventually be archived, and we can't let that happen.
3933  * Files that belong to our timeline history are valid, because we have
3934  * successfully replayed them, but from others we can't be sure.
3935  *
3936  * 'switchpoint' is the current point in WAL where we switch to new timeline,
3937  * and 'newTLI' is the new timeline we switch to.
3938  */
3939 void
3941 {
3942  DIR *xldir;
3943  struct dirent *xlde;
3944  char switchseg[MAXFNAMELEN];
3945  XLogSegNo endLogSegNo;
3946  XLogSegNo switchLogSegNo;
3947  XLogSegNo recycleSegNo;
3948 
3949  /*
3950  * Initialize info about where to begin the work. This will recycle,
3951  * somewhat arbitrarily, 10 future segments.
3952  */
3953  XLByteToPrevSeg(switchpoint, switchLogSegNo, wal_segment_size);
3954  XLByteToSeg(switchpoint, endLogSegNo, wal_segment_size);
3955  recycleSegNo = endLogSegNo + 10;
3956 
3957  /*
3958  * Construct a filename of the last segment to be kept.
3959  */
3960  XLogFileName(switchseg, newTLI, switchLogSegNo, wal_segment_size);
3961 
3962  elog(DEBUG2, "attempting to remove WAL segments newer than log file %s",
3963  switchseg);
3964 
3965  xldir = AllocateDir(XLOGDIR);
3966 
3967  while ((xlde = ReadDir(xldir, XLOGDIR)) != NULL)
3968  {
3969  /* Ignore files that are not XLOG segments */
3970  if (!IsXLogFileName(xlde->d_name))
3971  continue;
3972 
3973  /*
3974  * Remove files that are on a timeline older than the new one we're
3975  * switching to, but with a segment number >= the first segment on the
3976  * new timeline.
3977  */
3978  if (strncmp(xlde->d_name, switchseg, 8) < 0 &&
3979  strcmp(xlde->d_name + 8, switchseg + 8) > 0)
3980  {
3981  /*
3982  * If the file has already been marked as .ready, however, don't
3983  * remove it yet. It should be OK to remove it - files that are
3984  * not part of our timeline history are not required for recovery
3985  * - but seems safer to let them be archived and removed later.
3986  */
3987  if (!XLogArchiveIsReady(xlde->d_name))
3988  RemoveXlogFile(xlde, recycleSegNo, &endLogSegNo, newTLI);
3989  }
3990  }
3991 
3992  FreeDir(xldir);
3993 }
3994 
3995 /*
3996  * Recycle or remove a log file that's no longer needed.
3997  *
3998  * segment_de is the dirent structure of the segment to recycle or remove.
3999  * recycleSegNo is the segment number to recycle up to. endlogSegNo is
4000  * the segment number of the current (or recent) end of WAL.
4001  *
4002  * endlogSegNo gets incremented if the segment is recycled so as it is not
4003  * checked again with future callers of this function.
4004  *
4005  * insertTLI is the current timeline for XLOG insertion. Any recycled segments
4006  * should be used for this timeline.
4007  */
4008 static void
4009 RemoveXlogFile(const struct dirent *segment_de,
4010  XLogSegNo recycleSegNo, XLogSegNo *endlogSegNo,
4011  TimeLineID insertTLI)
4012 {
4013  char path[MAXPGPATH];
4014 #ifdef WIN32
4015  char newpath[MAXPGPATH];
4016 #endif
4017  const char *segname = segment_de->d_name;
4018 
4019  snprintf(path, MAXPGPATH, XLOGDIR "/%s", segname);
4020 
4021  /*
4022  * Before deleting the file, see if it can be recycled as a future log
4023  * segment. Only recycle normal files, because we don't want to recycle
4024  * symbolic links pointing to a separate archive directory.
4025  */
4026  if (wal_recycle &&
4027  *endlogSegNo <= recycleSegNo &&
4028  XLogCtl->InstallXLogFileSegmentActive && /* callee rechecks this */
4029  get_dirent_type(path, segment_de, false, DEBUG2) == PGFILETYPE_REG &&
4030  InstallXLogFileSegment(endlogSegNo, path,
4031  true, recycleSegNo, insertTLI))
4032  {
4033  ereport(DEBUG2,
4034  (errmsg_internal("recycled write-ahead log file \"%s\"",
4035  segname)));
4037  /* Needn't recheck that slot on future iterations */
4038  (*endlogSegNo)++;
4039  }
4040  else
4041  {
4042  /* No need for any more future segments, or recycling failed ... */
4043  int rc;
4044 
4045  ereport(DEBUG2,
4046  (errmsg_internal("removing write-ahead log file \"%s\"",
4047  segname)));
4048 
4049 #ifdef WIN32
4050 
4051  /*
4052  * On Windows, if another process (e.g another backend) holds the file
4053  * open in FILE_SHARE_DELETE mode, unlink will succeed, but the file
4054  * will still show up in directory listing until the last handle is
4055  * closed. To avoid confusing the lingering deleted file for a live
4056  * WAL file that needs to be archived, rename it before deleting it.
4057  *
4058  * If another process holds the file open without FILE_SHARE_DELETE
4059  * flag, rename will fail. We'll try again at the next checkpoint.
4060  */
4061  snprintf(newpath, MAXPGPATH, "%s.deleted", path);
4062  if (rename(path, newpath) != 0)
4063  {
4064  ereport(LOG,
4066  errmsg("could not rename file \"%s\": %m",
4067  path)));
4068  return;
4069  }
4070  rc = durable_unlink(newpath, LOG);
4071 #else
4072  rc = durable_unlink(path, LOG);
4073 #endif
4074  if (rc != 0)
4075  {
4076  /* Message already logged by durable_unlink() */
4077  return;
4078  }
4080  }
4081 
4082  XLogArchiveCleanup(segname);
4083 }
4084 
4085 /*
4086  * Verify whether pg_wal, pg_wal/archive_status, and pg_wal/summaries exist.
4087  * If the latter do not exist, recreate them.
4088  *
4089  * It is not the goal of this function to verify the contents of these
4090  * directories, but to help in cases where someone has performed a cluster
4091  * copy for PITR purposes but omitted pg_wal from the copy.
4092  *
4093  * We could also recreate pg_wal if it doesn't exist, but a deliberate
4094  * policy decision was made not to. It is fairly common for pg_wal to be
4095  * a symlink, and if that was the DBA's intent then automatically making a
4096  * plain directory would result in degraded performance with no notice.
4097  */
4098 static void
4100 {
4101  char path[MAXPGPATH];
4102  struct stat stat_buf;
4103 
4104  /* Check for pg_wal; if it doesn't exist, error out */
4105  if (stat(XLOGDIR, &stat_buf) != 0 ||
4106  !S_ISDIR(stat_buf.st_mode))
4107  ereport(FATAL,
4109  errmsg("required WAL directory \"%s\" does not exist",
4110  XLOGDIR)));
4111 
4112  /* Check for archive_status */
4113  snprintf(path, MAXPGPATH, XLOGDIR "/archive_status");
4114  if (stat(path, &stat_buf) == 0)
4115  {
4116  /* Check for weird cases where it exists but isn't a directory */
4117  if (!S_ISDIR(stat_buf.st_mode))
4118  ereport(FATAL,
4120  errmsg("required WAL directory \"%s\" does not exist",
4121  path)));
4122  }
4123  else
4124  {
4125  ereport(LOG,
4126  (errmsg("creating missing WAL directory \"%s\"", path)));
4127  if (MakePGDirectory(path) < 0)
4128  ereport(FATAL,
4130  errmsg("could not create missing directory \"%s\": %m",
4131  path)));
4132  }
4133 
4134  /* Check for summaries */
4135  snprintf(path, MAXPGPATH, XLOGDIR "/summaries");
4136  if (stat(path, &stat_buf) == 0)
4137  {
4138  /* Check for weird cases where it exists but isn't a directory */
4139  if (!S_ISDIR(stat_buf.st_mode))
4140  ereport(FATAL,
4141  (errmsg("required WAL directory \"%s\" does not exist",
4142  path)));
4143  }
4144  else
4145  {
4146  ereport(LOG,
4147  (errmsg("creating missing WAL directory \"%s\"", path)));
4148  if (MakePGDirectory(path) < 0)
4149  ereport(FATAL,
4150  (errmsg("could not create missing directory \"%s\": %m",
4151  path)));
4152  }
4153 }
4154 
4155 /*
4156  * Remove previous backup history files. This also retries creation of
4157  * .ready files for any backup history files for which XLogArchiveNotify
4158  * failed earlier.
4159  */
4160 static void
4162 {
4163  DIR *xldir;
4164  struct dirent *xlde;
4165  char path[MAXPGPATH + sizeof(XLOGDIR)];
4166 
4167  xldir = AllocateDir(XLOGDIR);
4168 
4169  while ((xlde = ReadDir(xldir, XLOGDIR)) != NULL)
4170  {
4171  if (IsBackupHistoryFileName(xlde->d_name))
4172  {
4173  if (XLogArchiveCheckDone(xlde->d_name))
4174  {
4175  elog(DEBUG2, "removing WAL backup history file \"%s\"",
4176  xlde->d_name);
4177  snprintf(path, sizeof(path), XLOGDIR "/%s", xlde->d_name);
4178  unlink(path);
4179  XLogArchiveCleanup(xlde->d_name);
4180  }
4181  }
4182  }
4183 
4184  FreeDir(xldir);
4185 }
4186 
4187 /*
4188  * I/O routines for pg_control
4189  *
4190  * *ControlFile is a buffer in shared memory that holds an image of the
4191  * contents of pg_control. WriteControlFile() initializes pg_control
4192  * given a preloaded buffer, ReadControlFile() loads the buffer from
4193  * the pg_control file (during postmaster or standalone-backend startup),
4194  * and UpdateControlFile() rewrites pg_control after we modify xlog state.
4195  * InitControlFile() fills the buffer with initial values.
4196  *
4197  * For simplicity, WriteControlFile() initializes the fields of pg_control
4198  * that are related to checking backend/database compatibility, and
4199  * ReadControlFile() verifies they are correct. We could split out the
4200  * I/O and compatibility-check functions, but there seems no need currently.
4201  */
4202 
4203 static void
4204 InitControlFile(uint64 sysidentifier, uint32 data_checksum_version)
4205 {
4206  char mock_auth_nonce[MOCK_AUTH_NONCE_LEN];
4207 
4208  /*
4209  * Generate a random nonce. This is used for authentication requests that
4210  * will fail because the user does not exist. The nonce is used to create
4211  * a genuine-looking password challenge for the non-existent user, in lieu
4212  * of an actual stored password.
4213  */
4214  if (!pg_strong_random(mock_auth_nonce, MOCK_AUTH_NONCE_LEN))
4215  ereport(PANIC,
4216  (errcode(ERRCODE_INTERNAL_ERROR),
4217  errmsg("could not generate secret authorization token")));
4218 
4219  memset(ControlFile, 0, sizeof(ControlFileData));
4220  /* Initialize pg_control status fields */
4221  ControlFile->system_identifier = sysidentifier;
4222  memcpy(ControlFile->mock_authentication_nonce, mock_auth_nonce, MOCK_AUTH_NONCE_LEN);
4225 
4226  /* Set important parameter values for use when replaying WAL */
4235  ControlFile->data_checksum_version = data_checksum_version;
4236 }
4237 
4238 static void
4240 {
4241  int fd;
4242  char buffer[PG_CONTROL_FILE_SIZE]; /* need not be aligned */
4243 
4244  /*
4245  * Initialize version and compatibility-check fields
4246  */
4249 
4250  ControlFile->maxAlign = MAXIMUM_ALIGNOF;
4252 
4253  ControlFile->blcksz = BLCKSZ;
4254  ControlFile->relseg_size = RELSEG_SIZE;
4255  ControlFile->xlog_blcksz = XLOG_BLCKSZ;
4257 
4260 
4263 
4265 
4266  /* Contents are protected with a CRC */
4269  (char *) ControlFile,
4270  offsetof(ControlFileData, crc));
4272 
4273  /*
4274  * We write out PG_CONTROL_FILE_SIZE bytes into pg_control, zero-padding
4275  * the excess over sizeof(ControlFileData). This reduces the odds of
4276  * premature-EOF errors when reading pg_control. We'll still fail when we
4277  * check the contents of the file, but hopefully with a more specific
4278  * error than "couldn't read pg_control".
4279  */
4280  memset(buffer, 0, PG_CONTROL_FILE_SIZE);
4281  memcpy(buffer, ControlFile, sizeof(ControlFileData));
4282 
4284  O_RDWR | O_CREAT | O_EXCL | PG_BINARY);
4285  if (fd < 0)
4286  ereport(PANIC,
4288  errmsg("could not create file \"%s\": %m",
4289  XLOG_CONTROL_FILE)));
4290 
4291  errno = 0;
4292  pgstat_report_wait_start(WAIT_EVENT_CONTROL_FILE_WRITE);
4294  {
4295  /* if write didn't set errno, assume problem is no disk space */
4296  if (errno == 0)
4297  errno = ENOSPC;
4298  ereport(PANIC,
4300  errmsg("could not write to file \"%s\": %m",
4301  XLOG_CONTROL_FILE)));
4302  }
4304 
4305  pgstat_report_wait_start(WAIT_EVENT_CONTROL_FILE_SYNC);
4306  if (pg_fsync(fd) != 0)
4307  ereport(PANIC,
4309  errmsg("could not fsync file \"%s\": %m",
4310  XLOG_CONTROL_FILE)));
4312 
4313  if (close(fd) != 0)
4314  ereport(PANIC,
4316  errmsg("could not close file \"%s\": %m",
4317  XLOG_CONTROL_FILE)));
4318 }
4319 
4320 static void
4322 {
4323  pg_crc32c crc;
4324  int fd;
4325  char wal_segsz_str[20];
4326  int r;
4327 
4328  /*
4329  * Read data...
4330  */
4332  O_RDWR | PG_BINARY);
4333  if (fd < 0)
4334  ereport(PANIC,
4336  errmsg("could not open file \"%s\": %m",
4337  XLOG_CONTROL_FILE)));
4338 
4339  pgstat_report_wait_start(WAIT_EVENT_CONTROL_FILE_READ);
4340  r = read(fd, ControlFile, sizeof(ControlFileData));
4341  if (r != sizeof(ControlFileData))
4342  {
4343  if (r < 0)
4344  ereport(PANIC,
4346  errmsg("could not read file \"%s\": %m",
4347  XLOG_CONTROL_FILE)));
4348  else
4349  ereport(PANIC,
4351  errmsg("could not read file \"%s\": read %d of %zu",
4352  XLOG_CONTROL_FILE, r, sizeof(ControlFileData))));
4353  }
4355 
4356  close(fd);
4357 
4358  /*
4359  * Check for expected pg_control format version. If this is wrong, the
4360  * CRC check will likely fail because we'll be checking the wrong number
4361  * of bytes. Complaining about wrong version will probably be more
4362  * enlightening than complaining about wrong CRC.
4363  */
4364 
4366  ereport(FATAL,
4367  (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
4368  errmsg("database files are incompatible with server"),
4369  errdetail("The database cluster was initialized with PG_CONTROL_VERSION %d (0x%08x),"
4370  " but the server was compiled with PG_CONTROL_VERSION %d (0x%08x).",
4373  errhint("This could be a problem of mismatched byte ordering. It looks like you need to initdb.")));
4374 
4376  ereport(FATAL,
4377  (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
4378  errmsg("database files are incompatible with server"),
4379  errdetail("The database cluster was initialized with PG_CONTROL_VERSION %d,"
4380  " but the server was compiled with PG_CONTROL_VERSION %d.",
4382  errhint("It looks like you need to initdb.")));
4383 
4384  /* Now check the CRC. */
4385  INIT_CRC32C(crc);
4386  COMP_CRC32C(crc,
4387  (char *) ControlFile,
4388  offsetof(ControlFileData, crc));
4389  FIN_CRC32C(crc);
4390 
4391  if (!EQ_CRC32C(crc, ControlFile->crc))
4392  ereport(FATAL,
4393  (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
4394  errmsg("incorrect checksum in control file")));
4395 
4396  /*
4397  * Do compatibility checking immediately. If the database isn't
4398  * compatible with the backend executable, we want to abort before we can
4399  * possibly do any damage.
4400  */
4402  ereport(FATAL,
4403  (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
4404  errmsg("database files are incompatible with server"),
4405  /* translator: %s is a variable name and %d is its value */
4406  errdetail("The database cluster was initialized with %s %d,"
4407  " but the server was compiled with %s %d.",
4408  "CATALOG_VERSION_NO", ControlFile->catalog_version_no,
4409  "CATALOG_VERSION_NO", CATALOG_VERSION_NO),
4410  errhint("It looks like you need to initdb.")));
4411  if (ControlFile->maxAlign != MAXIMUM_ALIGNOF)
4412  ereport(FATAL,
4413  (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
4414  errmsg("database files are incompatible with server"),
4415  /* translator: %s is a variable name and %d is its value */
4416  errdetail("The database cluster was initialized with %s %d,"
4417  " but the server was compiled with %s %d.",
4418  "MAXALIGN", ControlFile->maxAlign,
4419  "MAXALIGN", MAXIMUM_ALIGNOF),
4420  errhint("It looks like you need to initdb.")));
4422  ereport(FATAL,
4423  (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
4424  errmsg("database files are incompatible with server"),
4425  errdetail("The database cluster appears to use a different floating-point number format than the server executable."),
4426  errhint("It looks like you need to initdb.")));
4427  if (ControlFile->blcksz != BLCKSZ)
4428  ereport(FATAL,
4429  (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
4430  errmsg("database files are incompatible with server"),
4431  /* translator: %s is a variable name and %d is its value */
4432  errdetail("The database cluster was initialized with %s %d,"
4433  " but the server was compiled with %s %d.",
4434  "BLCKSZ", ControlFile->blcksz,
4435  "BLCKSZ", BLCKSZ),
4436  errhint("It looks like you need to recompile or initdb.")));
4437  if (ControlFile->relseg_size != RELSEG_SIZE)
4438  ereport(FATAL,
4439  (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
4440  errmsg("database files are incompatible with server"),
4441  /* translator: %s is a variable name and %d is its value */
4442  errdetail("The database cluster was initialized with %s %d,"
4443  " but the server was compiled with %s %d.",
4444  "RELSEG_SIZE", ControlFile->relseg_size,
4445  "RELSEG_SIZE", RELSEG_SIZE),
4446  errhint("It looks like you need to recompile or initdb.")));
4447  if (ControlFile->xlog_blcksz != XLOG_BLCKSZ)
4448  ereport(FATAL,
4449  (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
4450  errmsg("database files are incompatible with server"),
4451  /* translator: %s is a variable name and %d is its value */
4452  errdetail("The database cluster was initialized with %s %d,"
4453  " but the server was compiled with %s %d.",
4454  "XLOG_BLCKSZ", ControlFile->xlog_blcksz,
4455  "XLOG_BLCKSZ", XLOG_BLCKSZ),
4456  errhint("It looks like you need to recompile or initdb.")));
4458  ereport(FATAL,
4459  (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
4460  errmsg("database files are incompatible with server"),
4461  /* translator: %s is a variable name and %d is its value */
4462  errdetail("The database cluster was initialized with %s %d,"
4463  " but the server was compiled with %s %d.",
4464  "NAMEDATALEN", ControlFile->nameDataLen,
4465  "NAMEDATALEN", NAMEDATALEN),
4466  errhint("It looks like you need to recompile or initdb.")));
4468  ereport(FATAL,
4469  (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
4470  errmsg("database files are incompatible with server"),
4471  /* translator: %s is a variable name and %d is its value */
4472  errdetail("The database cluster was initialized with %s %d,"
4473  " but the server was compiled with %s %d.",
4474  "INDEX_MAX_KEYS", ControlFile->indexMaxKeys,
4475  "INDEX_MAX_KEYS", INDEX_MAX_KEYS),
4476  errhint("It looks like you need to recompile or initdb.")));
4478  ereport(FATAL,
4479  (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
4480  errmsg("database files are incompatible with server"),
4481  /* translator: %s is a variable name and %d is its value */
4482  errdetail("The database cluster was initialized with %s %d,"
4483  " but the server was compiled with %s %d.",
4484  "TOAST_MAX_CHUNK_SIZE", ControlFile->toast_max_chunk_size,
4485  "TOAST_MAX_CHUNK_SIZE", (int) TOAST_MAX_CHUNK_SIZE),
4486  errhint("It looks like you need to recompile or initdb.")));
4488  ereport(FATAL,
4489  (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
4490  errmsg("database files are incompatible with server"),
4491  /* translator: %s is a variable name and %d is its value */
4492  errdetail("The database cluster was initialized with %s %d,"
4493  " but the server was compiled with %s %d.",
4494  "LOBLKSIZE", ControlFile->loblksize,
4495  "LOBLKSIZE", (int) LOBLKSIZE),
4496  errhint("It looks like you need to recompile or initdb.")));
4497 
4498 #ifdef USE_FLOAT8_BYVAL
4499  if (ControlFile->float8ByVal != true)
4500  ereport(FATAL,
4501  (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
4502  errmsg("database files are incompatible with server"),
4503  errdetail("The database cluster was initialized without USE_FLOAT8_BYVAL"
4504  " but the server was compiled with USE_FLOAT8_BYVAL."),
4505  errhint("It looks like you need to recompile or initdb.")));
4506 #else
4507  if (ControlFile->float8ByVal != false)
4508  ereport(FATAL,
4509  (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
4510  errmsg("database files are incompatible with server"),
4511  errdetail("The database cluster was initialized with USE_FLOAT8_BYVAL"
4512  " but the server was compiled without USE_FLOAT8_BYVAL."),
4513  errhint("It looks like you need to recompile or initdb.")));
4514 #endif
4515 
4517 
4519  ereport(ERROR, (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
4520  errmsg_plural("invalid WAL segment size in control file (%d byte)",
4521  "invalid WAL segment size in control file (%d bytes)",
4524  errdetail("The WAL segment size must be a power of two between 1 MB and 1 GB.")));
4525 
4526  snprintf(wal_segsz_str, sizeof(wal_segsz_str), "%d", wal_segment_size);
4527  SetConfigOption("wal_segment_size", wal_segsz_str, PGC_INTERNAL,
4529 
4530  /* check and update variables dependent on wal_segment_size */
4532  ereport(ERROR, (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
4533  /* translator: both %s are GUC names */
4534  errmsg("\"%s\" must be at least twice \"%s\"",
4535  "min_wal_size", "wal_segment_size")));
4536 
4538  ereport(ERROR, (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
4539  /* translator: both %s are GUC names */
4540  errmsg("\"%s\" must be at least twice \"%s\"",
4541  "max_wal_size", "wal_segment_size")));
4542 
4544  (wal_segment_size / XLOG_BLCKSZ * UsableBytesInPage) -
4546 
4548 
4549  /* Make the initdb settings visible as GUC variables, too */
4550  SetConfigOption("data_checksums", DataChecksumsEnabled() ? "yes" : "no",
4552 }
4553 
4554 /*
4555  * Utility wrapper to update the control file. Note that the control
4556  * file gets flushed.
4557  */
4558 static void
4560 {
4562 }
4563 
4564 /*
4565  * Returns the unique system identifier from control file.
4566  */
4567 uint64
4569 {
4570  Assert(ControlFile != NULL);
4572 }
4573 
4574 /*
4575  * Returns the random nonce from control file.
4576  */
4577 char *
4579 {
4580  Assert(ControlFile != NULL);
4582 }
4583 
4584 /*
4585  * Are checksums enabled for data pages?
4586  */
4587 bool
4589 {
4590  Assert(ControlFile != NULL);
4591  return (ControlFile->data_checksum_version > 0);
4592 }
4593 
4594 /*
4595  * Returns a fake LSN for unlogged relations.
4596  *
4597  * Each call generates an LSN that is greater than any previous value
4598  * returned. The current counter value is saved and restored across clean
4599  * shutdowns, but like unlogged relations, does not survive a crash. This can
4600  * be used in lieu of real LSN values returned by XLogInsert, if you need an
4601  * LSN-like increasing sequence of numbers without writing any WAL.
4602  */
4603 XLogRecPtr
4605 {
4607 }
4608 
4609 /*
4610  * Auto-tune the number of XLOG buffers.
4611  *
4612  * The preferred setting for wal_buffers is about 3% of shared_buffers, with
4613  * a maximum of one XLOG segment (there is little reason to think that more
4614  * is helpful, at least so long as we force an fsync when switching log files)
4615  * and a minimum of 8 blocks (which was the default value prior to PostgreSQL
4616  * 9.1, when auto-tuning was added).
4617  *
4618  * This should not be called until NBuffers has received its final value.
4619  */
4620 static int
4622 {
4623  int xbuffers;
4624 
4625  xbuffers = NBuffers / 32;
4626  if (xbuffers > (wal_segment_size / XLOG_BLCKSZ))
4627  xbuffers = (wal_segment_size / XLOG_BLCKSZ);
4628  if (xbuffers < 8)
4629  xbuffers = 8;
4630  return xbuffers;
4631 }
4632 
4633 /*
4634  * GUC check_hook for wal_buffers
4635  */
4636 bool
4638 {
4639  /*
4640  * -1 indicates a request for auto-tune.
4641  */
4642  if (*newval == -1)
4643  {
4644  /*
4645  * If we haven't yet changed the boot_val default of -1, just let it
4646  * be. We'll fix it when XLOGShmemSize is called.
4647  */
4648  if (XLOGbuffers == -1)
4649  return true;
4650 
4651  /* Otherwise, substitute the auto-tune value */
4653  }
4654 
4655  /*
4656  * We clamp manually-set values to at least 4 blocks. Prior to PostgreSQL
4657  * 9.1, a minimum of 4 was enforced by guc.c, but since that is no longer
4658  * the case, we just silently treat such values as a request for the
4659  * minimum. (We could throw an error instead, but that doesn't seem very
4660  * helpful.)
4661  */
4662  if (*newval < 4)
4663  *newval = 4;
4664 
4665  return true;
4666 }
4667 
4668 /*
4669  * GUC check_hook for wal_consistency_checking
4670  */
4671 bool
4673 {
4674  char *rawstring;
4675  List *elemlist;
4676  ListCell *l;
4677  bool newwalconsistency[RM_MAX_ID + 1];
4678 
4679  /* Initialize the array */
4680  MemSet(newwalconsistency, 0, (RM_MAX_ID + 1) * sizeof(bool));
4681 
4682  /* Need a modifiable copy of string */
4683  rawstring = pstrdup(*newval);
4684 
4685  /* Parse string into list of identifiers */
4686  if (!SplitIdentifierString(rawstring, ',', &elemlist))
4687  {
4688  /* syntax error in list */
4689  GUC_check_errdetail("List syntax is invalid.");
4690  pfree(rawstring);
4691  list_free(elemlist);
4692  return false;
4693  }
4694 
4695  foreach(l, elemlist)
4696  {
4697  char *tok = (char *) lfirst(l);
4698  int rmid;
4699 
4700  /* Check for 'all'. */
4701  if (pg_strcasecmp(tok, "all") == 0)
4702  {
4703  for (rmid = 0; rmid <= RM_MAX_ID; rmid++)
4704  if (RmgrIdExists(rmid) && GetRmgr(rmid).rm_mask != NULL)
4705  newwalconsistency[rmid] = true;
4706  }
4707  else
4708  {
4709  /* Check if the token matches any known resource manager. */
4710  bool found = false;
4711 
4712  for (rmid = 0; rmid <= RM_MAX_ID; rmid++)
4713  {
4714  if (RmgrIdExists(rmid) && GetRmgr(rmid).rm_mask != NULL &&
4715  pg_strcasecmp(tok, GetRmgr(rmid).rm_name) == 0)
4716  {
4717  newwalconsistency[rmid] = true;
4718  found = true;
4719  break;
4720  }
4721  }
4722  if (!found)
4723  {
4724  /*
4725  * During startup, it might be a not-yet-loaded custom
4726  * resource manager. Defer checking until
4727  * InitializeWalConsistencyChecking().
4728  */
4730  {
4732  }
4733  else
4734  {
4735  GUC_check_errdetail("Unrecognized key word: \"%s\".", tok);
4736  pfree(rawstring);
4737  list_free(elemlist);
4738  return false;
4739  }
4740  }
4741  }
4742  }
4743 
4744  pfree(rawstring);
4745  list_free(elemlist);
4746 
4747  /* assign new value */
4748  *extra = guc_malloc(ERROR, (RM_MAX_ID + 1) * sizeof(bool));
4749  memcpy(*extra, newwalconsistency, (RM_MAX_ID + 1) * sizeof(bool));
4750  return true;
4751 }
4752 
4753 /*
4754  * GUC assign_hook for wal_consistency_checking
4755  */
4756 void
4757 assign_wal_consistency_checking(const char *newval, void *extra)
4758 {
4759  /*
4760  * If some checks were deferred, it's possible that the checks will fail
4761  * later during InitializeWalConsistencyChecking(). But in that case, the
4762  * postmaster will exit anyway, so it's safe to proceed with the
4763  * assignment.
4764  *
4765  * Any built-in resource managers specified are assigned immediately,
4766  * which affects WAL created before shared_preload_libraries are
4767  * processed. Any custom resource managers specified won't be assigned
4768  * until after shared_preload_libraries are processed, but that's OK
4769  * because WAL for a custom resource manager can't be written before the
4770  * module is loaded anyway.
4771  */
4772  wal_consistency_checking = extra;
4773 }
4774 
4775 /*
4776  * InitializeWalConsistencyChecking: run after loading custom resource managers
4777  *
4778  * If any unknown resource managers were specified in the
4779  * wal_consistency_checking GUC, processing was deferred. Now that
4780  * shared_preload_libraries have been loaded, process wal_consistency_checking
4781  * again.
4782  */
4783 void
4785 {
4787 
4789  {
4790  struct config_generic *guc;
4791 
4792  guc = find_option("wal_consistency_checking", false, false, ERROR);
4793 
4795 
4796  set_config_option_ext("wal_consistency_checking",
4798  guc->scontext, guc->source, guc->srole,
4799  GUC_ACTION_SET, true, ERROR, false);
4800 
4801  /* checking should not be deferred again */
4803  }
4804 }
4805 
4806 /*
4807  * GUC show_hook for archive_command
4808  */
4809 const char *
4811 {
4812  if (XLogArchivingActive())
4813  return XLogArchiveCommand;
4814  else
4815  return "(disabled)";
4816 }
4817 
4818 /*
4819  * GUC show_hook for in_hot_standby
4820  */
4821 const char *
4823 {
4824  /*
4825  * We display the actual state based on shared memory, so that this GUC
4826  * reports up-to-date state if examined intra-query. The underlying
4827  * variable (in_hot_standby_guc) changes only when we transmit a new value
4828  * to the client.
4829  */
4830  return RecoveryInProgress() ? "on" : "off";
4831 }
4832 
4833 /*
4834  * Read the control file, set respective GUCs.
4835  *
4836  * This is to be called during startup, including a crash recovery cycle,
4837  * unless in bootstrap mode, where no control file yet exists. As there's no
4838  * usable shared memory yet (its sizing can depend on the contents of the
4839  * control file!), first store the contents in local memory. XLOGShmemInit()
4840  * will then copy it to shared memory later.
4841  *
4842  * reset just controls whether previous contents are to be expected (in the
4843  * reset case, there's a dangling pointer into old shared memory), or not.
4844  */
4845 void
4847 {
4848  Assert(reset || ControlFile == NULL);
4849  ControlFile = palloc(sizeof(ControlFileData));
4850  ReadControlFile();
4851 }
4852 
4853 /*
4854  * Get the wal_level from the control file. For a standby, this value should be
4855  * considered as its active wal_level, because it may be different from what
4856  * was originally configured on standby.
4857  */
4858 WalLevel
4860 {
4861  return ControlFile->wal_level;
4862 }
4863 
4864 /*
4865  * Initialization of shared memory for XLOG
4866  */
4867 Size
4869 {
4870  Size size;
4871 
4872  /*
4873  * If the value of wal_buffers is -1, use the preferred auto-tune value.
4874  * This isn't an amazingly clean place to do this, but we must wait till
4875  * NBuffers has received its final value, and must do it before using the
4876  * value of XLOGbuffers to do anything important.
4877  *
4878  * We prefer to report this value's source as PGC_S_DYNAMIC_DEFAULT.
4879  * However, if the DBA explicitly set wal_buffers = -1 in the config file,
4880  * then PGC_S_DYNAMIC_DEFAULT will fail to override that and we must force
4881  * the matter with PGC_S_OVERRIDE.
4882  */
4883  if (XLOGbuffers == -1)
4884  {
4885  char buf[32];
4886 
4887  snprintf(buf, sizeof(buf), "%d", XLOGChooseNumBuffers());
4888  SetConfigOption("wal_buffers", buf, PGC_POSTMASTER,
4890  if (XLOGbuffers == -1) /* failed to apply it? */
4891  SetConfigOption("wal_buffers", buf, PGC_POSTMASTER,
4892  PGC_S_OVERRIDE);
4893  }
4894  Assert(XLOGbuffers > 0);
4895 
4896  /* XLogCtl */
4897  size = sizeof(XLogCtlData);
4898 
4899  /* WAL insertion locks, plus alignment */
4901  /* xlblocks array */
4903  /* extra alignment padding for XLOG I/O buffers */
4904  size = add_size(size, Max(XLOG_BLCKSZ, PG_IO_ALIGN_SIZE));
4905  /* and the buffers themselves */
4906  size = add_size(size, mul_size(XLOG_BLCKSZ, XLOGbuffers));
4907 
4908  /*
4909  * Note: we don't count ControlFileData, it comes out of the "slop factor"
4910  * added by CreateSharedMemoryAndSemaphores. This lets us use this
4911  * routine again below to compute the actual allocation size.
4912  */
4913 
4914  return size;
4915 }
4916 
4917 void
4919 {
4920  bool foundCFile,
4921  foundXLog;
4922  char *allocptr;
4923  int i;
4924  ControlFileData *localControlFile;
4925 
4926 #ifdef WAL_DEBUG
4927 
4928  /*
4929  * Create a memory context for WAL debugging that's exempt from the normal
4930  * "no pallocs in critical section" rule. Yes, that can lead to a PANIC if
4931  * an allocation fails, but wal_debug is not for production use anyway.
4932  */
4933  if (walDebugCxt == NULL)
4934  {
4936  "WAL Debug",
4938  MemoryContextAllowInCriticalSection(walDebugCxt, true);
4939  }
4940 #endif
4941 
4942 
4943  XLogCtl = (XLogCtlData *)
4944  ShmemInitStruct("XLOG Ctl", XLOGShmemSize(), &foundXLog);
4945 
4946  localControlFile = ControlFile;
4948  ShmemInitStruct("Control File", sizeof(ControlFileData), &foundCFile);
4949 
4950  if (foundCFile || foundXLog)
4951  {
4952  /* both should be present or neither */
4953  Assert(foundCFile && foundXLog);
4954 
4955  /* Initialize local copy of WALInsertLocks */
4957 
4958  if (localControlFile)
4959  pfree(localControlFile);
4960  return;
4961  }
4962  memset(XLogCtl, 0, sizeof(XLogCtlData));
4963 
4964  /*
4965  * Already have read control file locally, unless in bootstrap mode. Move
4966  * contents into shared memory.
4967  */
4968  if (localControlFile)
4969  {
4970  memcpy(ControlFile, localControlFile, sizeof(ControlFileData));
4971  pfree(localControlFile);
4972  }
4973 
4974  /*
4975  * Since XLogCtlData contains XLogRecPtr fields, its sizeof should be a
4976  * multiple of the alignment for same, so no extra alignment padding is
4977  * needed here.
4978  */
4979  allocptr = ((char *) XLogCtl) + sizeof(XLogCtlData);
4980  XLogCtl->xlblocks = (pg_atomic_uint64 *) allocptr;
4981  allocptr += sizeof(pg_atomic_uint64) * XLOGbuffers;
4982 
4983  for (i = 0; i < XLOGbuffers; i++)
4984  {
4986  }
4987 
4988  /* WAL insertion locks. Ensure they're aligned to the full padded size */
4989  allocptr += sizeof(WALInsertLockPadded) -
4990  ((uintptr_t) allocptr) % sizeof(WALInsertLockPadded);
4992  (WALInsertLockPadded *) allocptr;
4993  allocptr += sizeof(WALInsertLockPadded) * NUM_XLOGINSERT_LOCKS;
4994 
4995  for (i = 0; i < NUM_XLOGINSERT_LOCKS; i++)
4996  {
5000  }
5001 
5002  /*
5003  * Align the start of the page buffers to a full xlog block size boundary.
5004  * This simplifies some calculations in XLOG insertion. It is also
5005  * required for O_DIRECT.
5006  */
5007  allocptr = (char *) TYPEALIGN(XLOG_BLCKSZ, allocptr);
5008  XLogCtl->pages = allocptr;
5009  memset(XLogCtl->pages, 0, (Size) XLOG_BLCKSZ * XLOGbuffers);
5010 
5011  /*
5012  * Do basic initialization of XLogCtl shared data. (StartupXLOG will fill
5013  * in additional info.)
5014  */
5018  XLogCtl->WalWriterSleeping = false;
5019 
5026 }
5027 
5028 /*
5029  * This func must be called ONCE on system install. It creates pg_control
5030  * and the initial XLOG segment.
5031  */
5032 void
5033 BootStrapXLOG(uint32 data_checksum_version)
5034 {
5035  CheckPoint checkPoint;
5036  char *buffer;
5037  XLogPageHeader page;
5038  XLogLongPageHeader longpage;
5039  XLogRecord *record;
5040  char *recptr;
5041  uint64 sysidentifier;
5042  struct timeval tv;
5043  pg_crc32c crc;
5044 
5045  /* allow ordinary WAL segment creation, like StartupXLOG() would */
5047 
5048  /*
5049  * Select a hopefully-unique system identifier code for this installation.
5050  * We use the result of gettimeofday(), including the fractional seconds
5051  * field, as being about as unique as we can easily get. (Think not to
5052  * use random(), since it hasn't been seeded and there's no portable way
5053  * to seed it other than the system clock value...) The upper half of the
5054  * uint64 value is just the tv_sec part, while the lower half contains the
5055  * tv_usec part (which must fit in 20 bits), plus 12 bits from our current
5056  * PID for a little extra uniqueness. A person knowing this encoding can
5057  * determine the initialization time of the installation, which could
5058  * perhaps be useful sometimes.
5059  */
5060  gettimeofday(&tv, NULL);
5061  sysidentifier = ((uint64) tv.tv_sec) << 32;
5062  sysidentifier |= ((uint64) tv.tv_usec) << 12;
5063  sysidentifier |= getpid() & 0xFFF;
5064 
5065  /* page buffer must be aligned suitably for O_DIRECT */
5066  buffer = (char *) palloc(XLOG_BLCKSZ + XLOG_BLCKSZ);
5067  page = (XLogPageHeader) TYPEALIGN(XLOG_BLCKSZ, buffer);
5068  memset(page, 0, XLOG_BLCKSZ);
5069 
5070  /*
5071  * Set up information for the initial checkpoint record
5072  *
5073  * The initial checkpoint record is written to the beginning of the WAL
5074  * segment with logid=0 logseg=1. The very first WAL segment, 0/0, is not
5075  * used, so that we can use 0/0 to mean "before any valid WAL segment".
5076  */
5077  checkPoint.redo = wal_segment_size + SizeOfXLogLongPHD;
5078  checkPoint.ThisTimeLineID = BootstrapTimeLineID;
5079  checkPoint.PrevTimeLineID = BootstrapTimeLineID;
5080  checkPoint.fullPageWrites = fullPageWrites;
5081  checkPoint.wal_level = wal_level;
5082  checkPoint.nextXid =
5084  checkPoint.nextOid = FirstGenbkiObjectId;
5085  checkPoint.nextMulti = FirstMultiXactId;
5086  checkPoint.nextMultiOffset = 0;
5087  checkPoint.oldestXid = FirstNormalTransactionId;
5088  checkPoint.oldestXidDB = Template1DbOid;
5089  checkPoint.oldestMulti = FirstMultiXactId;
5090  checkPoint.oldestMultiDB = Template1DbOid;
5093  checkPoint.time = (pg_time_t) time(NULL);
5095 
5096  TransamVariables->nextXid = checkPoint.nextXid;
5097  TransamVariables->nextOid = checkPoint.nextOid;
5099  MultiXactSetNextMXact(checkPoint.nextMulti, checkPoint.nextMultiOffset);
5100  AdvanceOldestClogXid(checkPoint.oldestXid);
5101  SetTransactionIdLimit(checkPoint.oldestXid, checkPoint.oldestXidDB);
5102  SetMultiXactIdLimit(checkPoint.oldestMulti, checkPoint.oldestMultiDB, true);
5104 
5105  /* Set up the XLOG page header */
5106  page->xlp_magic = XLOG_PAGE_MAGIC;
5107  page->xlp_info = XLP_LONG_HEADER;
5108  page->xlp_tli = BootstrapTimeLineID;
5110  longpage = (XLogLongPageHeader) page;
5111  longpage->xlp_sysid = sysidentifier;
5112  longpage->xlp_seg_size = wal_segment_size;
5113  longpage->xlp_xlog_blcksz = XLOG_BLCKSZ;
5114 
5115  /* Insert the initial checkpoint record */
5116  recptr = ((char *) page + SizeOfXLogLongPHD);
5117  record = (XLogRecord *) recptr;
5118  record->xl_prev = 0;
5119  record->xl_xid = InvalidTransactionId;
5120  record->xl_tot_len = SizeOfXLogRecord + SizeOfXLogRecordDataHeaderShort + sizeof(checkPoint);
5122  record->xl_rmid = RM_XLOG_ID;
5123  recptr += SizeOfXLogRecord;
5124  /* fill the XLogRecordDataHeaderShort struct */
5125  *(recptr++) = (char) XLR_BLOCK_ID_DATA_SHORT;
5126  *(recptr++) = sizeof(checkPoint);
5127  memcpy(recptr, &checkPoint, sizeof(checkPoint));
5128  recptr += sizeof(checkPoint);
5129  Assert(recptr - (char *) record == record->xl_tot_len);
5130 
5131  INIT_CRC32C(crc);
5132  COMP_CRC32C(crc, ((char *) record) + SizeOfXLogRecord, record->xl_tot_len - SizeOfXLogRecord);
5133  COMP_CRC32C(crc, (char *) record, offsetof(XLogRecord, xl_crc));
5134  FIN_CRC32C(crc);
5135  record->xl_crc = crc;
5136 
5137  /* Create first XLOG segment file */
5140 
5141  /*
5142  * We needn't bother with Reserve/ReleaseExternalFD here, since we'll
5143  * close the file again in a moment.
5144  */
5145 
5146  /* Write the first page with the initial record */
5147  errno = 0;
5148  pgstat_report_wait_start(WAIT_EVENT_WAL_BOOTSTRAP_WRITE);
5149  if (write(openLogFile, page, XLOG_BLCKSZ) != XLOG_BLCKSZ)
5150  {
5151  /* if write didn't set errno, assume problem is no disk space */
5152  if (errno == 0)
5153  errno = ENOSPC;
5154  ereport(PANIC,
5156  errmsg("could not write bootstrap write-ahead log file: %m")));
5157  }
5159 
5160  pgstat_report_wait_start(WAIT_EVENT_WAL_BOOTSTRAP_SYNC);
5161  if (pg_fsync(openLogFile) != 0)
5162  ereport(PANIC,
5164  errmsg("could not fsync bootstrap write-ahead log file: %m")));
5166 
5167  if (close(openLogFile) != 0)
5168  ereport(PANIC,
5170  errmsg("could not close bootstrap write-ahead log file: %m")));
5171 
5172  openLogFile = -1;
5173 
5174  /* Now create pg_control */
5175  InitControlFile(sysidentifier, data_checksum_version);
5176  ControlFile->time = checkPoint.time;
5177  ControlFile->checkPoint = checkPoint.redo;
5178  ControlFile->checkPointCopy = checkPoint;
5179 
5180  /* some additional ControlFile fields are set in WriteControlFile() */
5181  WriteControlFile();
5182 
5183  /* Bootstrap the commit log, too */
5184  BootStrapCLOG();
5188 
5189  pfree(buffer);
5190 
5191  /*
5192  * Force control file to be read - in contrast to normal processing we'd
5193  * otherwise never run the checks and GUC related initializations therein.
5194  */
5195  ReadControlFile();
5196 }
5197 
5198 static char *
5200 {
5201  char *buf = palloc(128);
5202 
5203  pg_strftime(buf, 128,
5204  "%Y-%m-%d %H:%M:%S %Z",
5205  pg_localtime(&tnow, log_timezone));
5206 
5207  return buf;
5208 }
5209 
5210 /*
5211  * Initialize the first WAL segment on new timeline.
5212  */
5213 static void
5215 {
5216  char xlogfname[MAXFNAMELEN];
5217  XLogSegNo endLogSegNo;
5218  XLogSegNo startLogSegNo;
5219 
5220  /* we always switch to a new timeline after archive recovery */
5221  Assert(endTLI != newTLI);
5222 
5223  /*
5224  * Update min recovery point one last time.
5225  */
5227 
5228  /*
5229  * Calculate the last segment on the old timeline, and the first segment
5230  * on the new timeline. If the switch happens in the middle of a segment,
5231  * they are the same, but if the switch happens exactly at a segment
5232  * boundary, startLogSegNo will be endLogSegNo + 1.
5233  */
5234  XLByteToPrevSeg(endOfLog, endLogSegNo, wal_segment_size);
5235  XLByteToSeg(endOfLog, startLogSegNo, wal_segment_size);
5236 
5237  /*
5238  * Initialize the starting WAL segment for the new timeline. If the switch
5239  * happens in the middle of a segment, copy data from the last WAL segment
5240  * of the old timeline up to the switch point, to the starting WAL segment
5241  * on the new timeline.
5242  */
5243  if (endLogSegNo == startLogSegNo)
5244  {
5245  /*
5246  * Make a copy of the file on the new timeline.
5247  *
5248  * Writing WAL isn't allowed yet, so there are no locking
5249  * considerations. But we should be just as tense as XLogFileInit to
5250  * avoid emplacing a bogus file.
5251  */
5252  XLogFileCopy(newTLI, endLogSegNo, endTLI, endLogSegNo,
5253  XLogSegmentOffset(endOfLog, wal_segment_size));
5254  }
5255  else
5256  {
5257  /*
5258  * The switch happened at a segment boundary, so just create the next
5259  * segment on the new timeline.
5260  */
5261  int fd;
5262 
5263  fd = XLogFileInit(startLogSegNo, newTLI);
5264 
5265  if (close(fd) != 0)
5266  {
5267  int save_errno = errno;
5268 
5269  XLogFileName(xlogfname, newTLI, startLogSegNo, wal_segment_size);
5270  errno = save_errno;
5271  ereport(ERROR,
5273  errmsg("could not close file \"%s\": %m", xlogfname)));
5274  }
5275  }
5276 
5277  /*
5278  * Let's just make real sure there are not .ready or .done flags posted
5279  * for the new segment.
5280  */
5281  XLogFileName(xlogfname, newTLI, startLogSegNo, wal_segment_size);
5282  XLogArchiveCleanup(xlogfname);
5283 }
5284 
5285 /*
5286  * Perform cleanup actions at the conclusion of archive recovery.
5287  */
5288 static void
5290  TimeLineID newTLI)
5291 {
5292  /*
5293  * Execute the recovery_end_command, if any.
5294  */
5295  if (recoveryEndCommand && strcmp(recoveryEndCommand, "") != 0)
5297  "recovery_end_command",
5298  true,
5299  WAIT_EVENT_RECOVERY_END_COMMAND);
5300 
5301  /*
5302  * We switched to a new timeline. Clean up segments on the old timeline.
5303  *
5304  * If there are any higher-numbered segments on the old timeline, remove
5305  * them. They might contain valid WAL, but they might also be
5306  * pre-allocated files containing garbage. In any case, they are not part
5307  * of the new timeline's history so we don't need them.
5308  */
5309  RemoveNonParentXlogFiles(EndOfLog, newTLI);
5310 
5311  /*
5312  * If the switch happened in the middle of a segment, what to do with the
5313  * last, partial segment on the old timeline? If we don't archive it, and
5314  * the server that created the WAL never archives it either (e.g. because
5315  * it was hit by a meteor), it will never make it to the archive. That's
5316  * OK from our point of view, because the new segment that we created with
5317  * the new TLI contains all the WAL from the old timeline up to the switch
5318  * point. But if you later try to do PITR to the "missing" WAL on the old
5319  * timeline, recovery won't find it in the archive. It's physically
5320  * present in the new file with new TLI, but recovery won't look there
5321  * when it's recovering to the older timeline. On the other hand, if we
5322  * archive the partial segment, and the original server on that timeline
5323  * is still running and archives the completed version of the same segment
5324  * later, it will fail. (We used to do that in 9.4 and below, and it
5325  * caused such problems).
5326  *
5327  * As a compromise, we rename the last segment with the .partial suffix,
5328  * and archive it. Archive recovery will never try to read .partial
5329  * segments, so they will normally go unused. But in the odd PITR case,
5330  * the administrator can copy them manually to the pg_wal directory
5331  * (removing the suffix). They can be useful in debugging, too.
5332  *
5333  * If a .done or .ready file already exists for the old timeline, however,
5334  * we had already determined that the segment is complete, so we can let
5335  * it be archived normally. (In particular, if it was restored from the
5336  * archive to begin with, it's expected to have a .done file).
5337  */
5338  if (XLogSegmentOffset(EndOfLog, wal_segment_size) != 0 &&
5340  {
5341  char origfname[MAXFNAMELEN];
5342  XLogSegNo endLogSegNo;
5343 
5344  XLByteToPrevSeg(EndOfLog, endLogSegNo, wal_segment_size);
5345  XLogFileName(origfname, EndOfLogTLI, endLogSegNo, wal_segment_size);
5346 
5347  if (!XLogArchiveIsReadyOrDone(origfname))
5348  {
5349  char origpath[MAXPGPATH];
5350  char partialfname[MAXFNAMELEN];
5351  char partialpath[MAXPGPATH];
5352 
5353  /*
5354  * If we're summarizing WAL, we can't rename the partial file
5355  * until the summarizer finishes with it, else it will fail.
5356  */
5357  if (summarize_wal)
5358  WaitForWalSummarization(EndOfLog);
5359 
5360  XLogFilePath(origpath, EndOfLogTLI, endLogSegNo, wal_segment_size);
5361  snprintf(partialfname, MAXFNAMELEN, "%s.partial", origfname);
5362  snprintf(partialpath, MAXPGPATH, "%s.partial", origpath);
5363 
5364  /*
5365  * Make sure there's no .done or .ready file for the .partial
5366  * file.
5367  */
5368  XLogArchiveCleanup(partialfname);
5369 
5370  durable_rename(origpath, partialpath, ERROR);
5371  XLogArchiveNotify(partialfname);
5372  }
5373  }
5374 }
5375 
5376 /*
5377  * Check to see if required parameters are set high enough on this server
5378  * for various aspects of recovery operation.
5379  *
5380  * Note that all the parameters which this function tests need to be
5381  * listed in Administrator's Overview section in high-availability.sgml.
5382  * If you change them, don't forget to update the list.
5383  */
5384 static void
5386 {
5387  /*
5388  * For archive recovery, the WAL must be generated with at least 'replica'
5389  * wal_level.
5390  */
5392  {
5393  ereport(FATAL,
5394  (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
5395  errmsg("WAL was generated with \"wal_level=minimal\", cannot continue recovering"),
5396  errdetail("This happens if you temporarily set \"wal_level=minimal\" on the server."),
5397  errhint("Use a backup taken after setting \"wal_level\" to higher than \"minimal\".")));
5398  }
5399 
5400  /*
5401  * For Hot Standby, the WAL must be generated with 'replica' mode, and we
5402  * must have at least as many backend slots as the primary.
5403  */
5405  {
5406  /* We ignore autovacuum_max_workers when we make this test. */
5407  RecoveryRequiresIntParameter("max_connections",
5410  RecoveryRequiresIntParameter("max_worker_processes",
5413  RecoveryRequiresIntParameter("max_wal_senders",
5416  RecoveryRequiresIntParameter("max_prepared_transactions",
5419  RecoveryRequiresIntParameter("max_locks_per_transaction",
5422  }
5423 }
5424 
5425 /*
5426  * This must be called ONCE during postmaster or standalone-backend startup
5427  */
5428 void
5430 {
5432  CheckPoint checkPoint;
5433  bool wasShutdown;
5434  bool didCrash;
5435  bool haveTblspcMap;
5436  bool haveBackupLabel;
5437  XLogRecPtr EndOfLog;
5438  TimeLineID EndOfLogTLI;
5439  TimeLineID newTLI;
5440  bool performedWalRecovery;
5441  EndOfWalRecoveryInfo *endOfRecoveryInfo;
5444  TransactionId oldestActiveXID;
5445  bool promoted = false;
5446 
5447  /*
5448  * We should have an aux process resource owner to use, and we should not
5449  * be in a transaction that's installed some other resowner.
5450  */
5452  Assert(CurrentResourceOwner == NULL ||
5455 
5456  /*
5457  * Check that contents look valid.
5458  */
5460  ereport(FATAL,
5462  errmsg("control file contains invalid checkpoint location")));
5463 
5464  switch (ControlFile->state)
5465  {
5466  case DB_SHUTDOWNED:
5467 
5468  /*
5469  * This is the expected case, so don't be chatty in standalone
5470  * mode
5471  */
5473  (errmsg("database system was shut down at %s",
5474  str_time(ControlFile->time))));
5475  break;
5476 
5478  ereport(LOG,
5479  (errmsg("database system was shut down in recovery at %s",
5480  str_time(ControlFile->time))));
5481  break;
5482 
5483  case DB_SHUTDOWNING:
5484  ereport(LOG,
5485  (errmsg("database system shutdown was interrupted; last known up at %s",
5486  str_time(ControlFile->time))));
5487  break;
5488 
5489  case DB_IN_CRASH_RECOVERY:
5490  ereport(LOG,
5491  (errmsg("database system was interrupted while in recovery at %s",
5493  errhint("This probably means that some data is corrupted and"
5494  " you will have to use the last backup for recovery.")));
5495  break;
5496 
5498  ereport(LOG,
5499  (errmsg("database system was interrupted while in recovery at log time %s",
5501  errhint("If this has occurred more than once some data might be corrupted"
5502  " and you might need to choose an earlier recovery target.")));
5503  break;
5504 
5505  case DB_IN_PRODUCTION:
5506  ereport(LOG,
5507  (errmsg("database system was interrupted; last known up at %s",
5508  str_time(ControlFile->time))));
5509  break;
5510 
5511  default:
5512  ereport(FATAL,
5514  errmsg("control file contains invalid database cluster state")));
5515  }
5516 
5517  /* This is just to allow attaching to startup process with a debugger */
5518 #ifdef XLOG_REPLAY_DELAY
5520  pg_usleep(60000000L);
5521 #endif
5522 
5523  /*
5524  * Verify that pg_wal, pg_wal/archive_status, and pg_wal/summaries exist.
5525  * In cases where someone has performed a copy for PITR, these directories
5526  * may have been excluded and need to be re-created.
5527  */
5529 
5530  /* Set up timeout handler needed to report startup progress. */
5534 
5535  /*----------
5536  * If we previously crashed, perform a couple of actions:
5537  *
5538  * - The pg_wal directory may still include some temporary WAL segments
5539  * used when creating a new segment, so perform some clean up to not
5540  * bloat this path. This is done first as there is no point to sync
5541  * this temporary data.
5542  *
5543  * - There might be data which we had written, intending to fsync it, but
5544  * which we had not actually fsync'd yet. Therefore, a power failure in
5545  * the near future might cause earlier unflushed writes to be lost, even
5546  * though more recent data written to disk from here on would be
5547  * persisted. To avoid that, fsync the entire data directory.
5548  */
5549  if (ControlFile->state != DB_SHUTDOWNED &&
5551  {
5554  didCrash = true;
5555  }
5556  else
5557  didCrash = false;
5558 
5559  /*
5560  * Prepare for WAL recovery if needed.
5561  *
5562  * InitWalRecovery analyzes the control file and the backup label file, if
5563  * any. It updates the in-memory ControlFile buffer according to the
5564  * starting checkpoint, and sets InRecovery and ArchiveRecoveryRequested.
5565  * It also applies the tablespace map file, if any.
5566  */
5567  InitWalRecovery(ControlFile, &wasShutdown,
5568  &haveBackupLabel, &haveTblspcMap);
5569  checkPoint = ControlFile->checkPointCopy;
5570 
5571  /* initialize shared memory variables from the checkpoint record */
5572  TransamVariables->nextXid = checkPoint.nextXid;
5573  TransamVariables->nextOid = checkPoint.nextOid;
5575  MultiXactSetNextMXact(checkPoint.nextMulti, checkPoint.nextMultiOffset);
5576  AdvanceOldestClogXid(checkPoint.oldestXid);
5577  SetTransactionIdLimit(checkPoint.oldestXid, checkPoint.oldestXidDB);
5578  SetMultiXactIdLimit(checkPoint.oldestMulti, checkPoint.oldestMultiDB, true);
5580  checkPoint.newestCommitTsXid);
5581  XLogCtl->ckptFullXid = checkPoint.nextXid;
5582 
5583  /*
5584  * Clear out any old relcache cache files. This is *necessary* if we do
5585  * any WAL replay, since that would probably result in the cache files
5586  * being out of sync with database reality. In theory we could leave them
5587  * in place if the database had been cleanly shut down, but it seems
5588  * safest to just remove them always and let them be rebuilt during the
5589  * first backend startup. These files needs to be removed from all
5590  * directories including pg_tblspc, however the symlinks are created only
5591  * after reading tablespace_map file in case of archive recovery from
5592  * backup, so needs to clear old relcache files here after creating
5593  * symlinks.
5594  */
5596 
5597  /*
5598  * Initialize replication slots, before there's a chance to remove
5599  * required resources.
5600  */
5602 
5603  /*
5604  * Startup logical state, needs to be setup now so we have proper data
5605  * during crash recovery.
5606  */
5608 
5609  /*
5610  * Startup CLOG. This must be done after TransamVariables->nextXid has
5611  * been initialized and before we accept connections or begin WAL replay.