PostgreSQL Source Code  git master
xlog.c
Go to the documentation of this file.
1 /*-------------------------------------------------------------------------
2  *
3  * xlog.c
4  * PostgreSQL write-ahead log manager
5  *
6  * The Write-Ahead Log (WAL) functionality is split into several source
7  * files, in addition to this one:
8  *
9  * xloginsert.c - Functions for constructing WAL records
10  * xlogrecovery.c - WAL recovery and standby code
11  * xlogreader.c - Facility for reading WAL files and parsing WAL records
12  * xlogutils.c - Helper functions for WAL redo routines
13  *
14  * This file contains functions for coordinating database startup and
15  * checkpointing, and managing the write-ahead log buffers when the
16  * system is running.
17  *
18  * StartupXLOG() is the main entry point of the startup process. It
19  * coordinates database startup, performing WAL recovery, and the
20  * transition from WAL recovery into normal operations.
21  *
22  * XLogInsertRecord() inserts a WAL record into the WAL buffers. Most
23  * callers should not call this directly, but use the functions in
24  * xloginsert.c to construct the WAL record. XLogFlush() can be used
25  * to force the WAL to disk.
26  *
27  * In addition to those, there are many other functions for interrogating
28  * the current system state, and for starting/stopping backups.
29  *
30  *
31  * Portions Copyright (c) 1996-2023, PostgreSQL Global Development Group
32  * Portions Copyright (c) 1994, Regents of the University of California
33  *
34  * src/backend/access/transam/xlog.c
35  *
36  *-------------------------------------------------------------------------
37  */
38 
39 #include "postgres.h"
40 
41 #include <ctype.h>
42 #include <math.h>
43 #include <time.h>
44 #include <fcntl.h>
45 #include <sys/stat.h>
46 #include <sys/time.h>
47 #include <unistd.h>
48 
49 #include "access/clog.h"
50 #include "access/commit_ts.h"
51 #include "access/heaptoast.h"
52 #include "access/multixact.h"
53 #include "access/rewriteheap.h"
54 #include "access/subtrans.h"
55 #include "access/timeline.h"
56 #include "access/transam.h"
57 #include "access/twophase.h"
58 #include "access/xact.h"
59 #include "access/xlog_internal.h"
60 #include "access/xlogarchive.h"
61 #include "access/xloginsert.h"
62 #include "access/xlogprefetcher.h"
63 #include "access/xlogreader.h"
64 #include "access/xlogrecovery.h"
65 #include "access/xlogutils.h"
66 #include "backup/basebackup.h"
67 #include "catalog/catversion.h"
68 #include "catalog/pg_control.h"
69 #include "catalog/pg_database.h"
71 #include "common/file_utils.h"
72 #include "executor/instrument.h"
73 #include "miscadmin.h"
74 #include "pg_trace.h"
75 #include "pgstat.h"
76 #include "port/atomics.h"
77 #include "port/pg_iovec.h"
78 #include "postmaster/bgwriter.h"
79 #include "postmaster/startup.h"
80 #include "postmaster/walwriter.h"
81 #include "replication/logical.h"
82 #include "replication/origin.h"
83 #include "replication/slot.h"
84 #include "replication/snapbuild.h"
86 #include "replication/walsender.h"
87 #include "storage/bufmgr.h"
88 #include "storage/fd.h"
89 #include "storage/ipc.h"
90 #include "storage/large_object.h"
91 #include "storage/latch.h"
92 #include "storage/pmsignal.h"
93 #include "storage/predicate.h"
94 #include "storage/proc.h"
95 #include "storage/procarray.h"
96 #include "storage/reinit.h"
97 #include "storage/smgr.h"
98 #include "storage/spin.h"
99 #include "storage/sync.h"
100 #include "utils/guc_hooks.h"
101 #include "utils/guc_tables.h"
102 #include "utils/memutils.h"
103 #include "utils/ps_status.h"
104 #include "utils/relmapper.h"
105 #include "utils/pg_rusage.h"
106 #include "utils/snapmgr.h"
107 #include "utils/timeout.h"
108 #include "utils/timestamp.h"
109 #include "utils/varlena.h"
110 
112 
113 /* timeline ID to be used when bootstrapping */
114 #define BootstrapTimeLineID 1
115 
116 /* User-settable parameters */
117 int max_wal_size_mb = 1024; /* 1 GB */
118 int min_wal_size_mb = 80; /* 80 MB */
120 int XLOGbuffers = -1;
123 char *XLogArchiveCommand = NULL;
124 bool EnableHotStandby = false;
125 bool fullPageWrites = true;
126 bool wal_log_hints = false;
130 bool wal_init_zero = true;
131 bool wal_recycle = true;
132 bool log_checkpoints = true;
135 int CommitDelay = 0; /* precommit delay in microseconds */
136 int CommitSiblings = 5; /* # concurrent xacts needed to sleep */
139 int wal_decode_buffer_size = 512 * 1024;
140 bool track_wal_io_timing = false;
141 
142 #ifdef WAL_DEBUG
143 bool XLOG_DEBUG = false;
144 #endif
145 
147 
148 /*
149  * Number of WAL insertion locks to use. A higher value allows more insertions
150  * to happen concurrently, but adds some CPU overhead to flushing the WAL,
151  * which needs to iterate all the locks.
152  */
153 #define NUM_XLOGINSERT_LOCKS 8
154 
155 /*
156  * Max distance from last checkpoint, before triggering a new xlog-based
157  * checkpoint.
158  */
160 
161 /* Estimated distance between checkpoints, in bytes */
162 static double CheckPointDistanceEstimate = 0;
163 static double PrevCheckPointDistance = 0;
164 
165 /*
166  * Track whether there were any deferred checks for custom resource managers
167  * specified in wal_consistency_checking.
168  */
170 
171 /*
172  * GUC support
173  */
174 const struct config_enum_entry sync_method_options[] = {
175  {"fsync", SYNC_METHOD_FSYNC, false},
176 #ifdef HAVE_FSYNC_WRITETHROUGH
177  {"fsync_writethrough", SYNC_METHOD_FSYNC_WRITETHROUGH, false},
178 #endif
179  {"fdatasync", SYNC_METHOD_FDATASYNC, false},
180 #ifdef O_SYNC
181  {"open_sync", SYNC_METHOD_OPEN, false},
182 #endif
183 #ifdef O_DSYNC
184  {"open_datasync", SYNC_METHOD_OPEN_DSYNC, false},
185 #endif
186  {NULL, 0, false}
187 };
188 
189 
190 /*
191  * Although only "on", "off", and "always" are documented,
192  * we accept all the likely variants of "on" and "off".
193  */
194 const struct config_enum_entry archive_mode_options[] = {
195  {"always", ARCHIVE_MODE_ALWAYS, false},
196  {"on", ARCHIVE_MODE_ON, false},
197  {"off", ARCHIVE_MODE_OFF, false},
198  {"true", ARCHIVE_MODE_ON, true},
199  {"false", ARCHIVE_MODE_OFF, true},
200  {"yes", ARCHIVE_MODE_ON, true},
201  {"no", ARCHIVE_MODE_OFF, true},
202  {"1", ARCHIVE_MODE_ON, true},
203  {"0", ARCHIVE_MODE_OFF, true},
204  {NULL, 0, false}
205 };
206 
207 /*
208  * Statistics for current checkpoint are collected in this global struct.
209  * Because only the checkpointer or a stand-alone backend can perform
210  * checkpoints, this will be unused in normal backends.
211  */
213 
214 /*
215  * During recovery, lastFullPageWrites keeps track of full_page_writes that
216  * the replayed WAL records indicate. It's initialized with full_page_writes
217  * that the recovery starting checkpoint record indicates, and then updated
218  * each time XLOG_FPW_CHANGE record is replayed.
219  */
220 static bool lastFullPageWrites;
221 
222 /*
223  * Local copy of the state tracked by SharedRecoveryState in shared memory,
224  * It is false if SharedRecoveryState is RECOVERY_STATE_DONE. True actually
225  * means "not known, need to check the shared state".
226  */
227 static bool LocalRecoveryInProgress = true;
228 
229 /*
230  * Local state for XLogInsertAllowed():
231  * 1: unconditionally allowed to insert XLOG
232  * 0: unconditionally not allowed to insert XLOG
233  * -1: must check RecoveryInProgress(); disallow until it is false
234  * Most processes start with -1 and transition to 1 after seeing that recovery
235  * is not in progress. But we can also force the value for special cases.
236  * The coding in XLogInsertAllowed() depends on the first two of these states
237  * being numerically the same as bool true and false.
238  */
239 static int LocalXLogInsertAllowed = -1;
240 
241 /*
242  * ProcLastRecPtr points to the start of the last XLOG record inserted by the
243  * current backend. It is updated for all inserts. XactLastRecEnd points to
244  * end+1 of the last record, and is reset when we end a top-level transaction,
245  * or start a new one; so it can be used to tell if the current transaction has
246  * created any XLOG records.
247  *
248  * While in parallel mode, this may not be fully up to date. When committing,
249  * a transaction can assume this covers all xlog records written either by the
250  * user backend or by any parallel worker which was present at any point during
251  * the transaction. But when aborting, or when still in parallel mode, other
252  * parallel backends may have written WAL records at later LSNs than the value
253  * stored here. The parallel leader advances its own copy, when necessary,
254  * in WaitForParallelWorkersToFinish.
255  */
259 
260 /*
261  * RedoRecPtr is this backend's local copy of the REDO record pointer
262  * (which is almost but not quite the same as a pointer to the most recent
263  * CHECKPOINT record). We update this from the shared-memory copy,
264  * XLogCtl->Insert.RedoRecPtr, whenever we can safely do so (ie, when we
265  * hold an insertion lock). See XLogInsertRecord for details. We are also
266  * allowed to update from XLogCtl->RedoRecPtr if we hold the info_lck;
267  * see GetRedoRecPtr.
268  *
269  * NB: Code that uses this variable must be prepared not only for the
270  * possibility that it may be arbitrarily out of date, but also for the
271  * possibility that it might be set to InvalidXLogRecPtr. We used to
272  * initialize it as a side effect of the first call to RecoveryInProgress(),
273  * which meant that most code that might use it could assume that it had a
274  * real if perhaps stale value. That's no longer the case.
275  */
277 
278 /*
279  * doPageWrites is this backend's local copy of (fullPageWrites ||
280  * runningBackups > 0). It is used together with RedoRecPtr to decide whether
281  * a full-page image of a page need to be taken.
282  *
283  * NB: Initially this is false, and there's no guarantee that it will be
284  * initialized to any other value before it is first used. Any code that
285  * makes use of it must recheck the value after obtaining a WALInsertLock,
286  * and respond appropriately if it turns out that the previous value wasn't
287  * accurate.
288  */
289 static bool doPageWrites;
290 
291 /*----------
292  * Shared-memory data structures for XLOG control
293  *
294  * LogwrtRqst indicates a byte position that we need to write and/or fsync
295  * the log up to (all records before that point must be written or fsynced).
296  * LogwrtResult indicates the byte positions we have already written/fsynced.
297  * These structs are identical but are declared separately to indicate their
298  * slightly different functions.
299  *
300  * To read XLogCtl->LogwrtResult, you must hold either info_lck or
301  * WALWriteLock. To update it, you need to hold both locks. The point of
302  * this arrangement is that the value can be examined by code that already
303  * holds WALWriteLock without needing to grab info_lck as well. In addition
304  * to the shared variable, each backend has a private copy of LogwrtResult,
305  * which is updated when convenient.
306  *
307  * The request bookkeeping is simpler: there is a shared XLogCtl->LogwrtRqst
308  * (protected by info_lck), but we don't need to cache any copies of it.
309  *
310  * info_lck is only held long enough to read/update the protected variables,
311  * so it's a plain spinlock. The other locks are held longer (potentially
312  * over I/O operations), so we use LWLocks for them. These locks are:
313  *
314  * WALBufMappingLock: must be held to replace a page in the WAL buffer cache.
315  * It is only held while initializing and changing the mapping. If the
316  * contents of the buffer being replaced haven't been written yet, the mapping
317  * lock is released while the write is done, and reacquired afterwards.
318  *
319  * WALWriteLock: must be held to write WAL buffers to disk (XLogWrite or
320  * XLogFlush).
321  *
322  * ControlFileLock: must be held to read/update control file or create
323  * new log file.
324  *
325  *----------
326  */
327 
328 typedef struct XLogwrtRqst
329 {
330  XLogRecPtr Write; /* last byte + 1 to write out */
331  XLogRecPtr Flush; /* last byte + 1 to flush */
333 
334 typedef struct XLogwrtResult
335 {
336  XLogRecPtr Write; /* last byte + 1 written out */
337  XLogRecPtr Flush; /* last byte + 1 flushed */
339 
340 /*
341  * Inserting to WAL is protected by a small fixed number of WAL insertion
342  * locks. To insert to the WAL, you must hold one of the locks - it doesn't
343  * matter which one. To lock out other concurrent insertions, you must hold
344  * of them. Each WAL insertion lock consists of a lightweight lock, plus an
345  * indicator of how far the insertion has progressed (insertingAt).
346  *
347  * The insertingAt values are read when a process wants to flush WAL from
348  * the in-memory buffers to disk, to check that all the insertions to the
349  * region the process is about to write out have finished. You could simply
350  * wait for all currently in-progress insertions to finish, but the
351  * insertingAt indicator allows you to ignore insertions to later in the WAL,
352  * so that you only wait for the insertions that are modifying the buffers
353  * you're about to write out.
354  *
355  * This isn't just an optimization. If all the WAL buffers are dirty, an
356  * inserter that's holding a WAL insert lock might need to evict an old WAL
357  * buffer, which requires flushing the WAL. If it's possible for an inserter
358  * to block on another inserter unnecessarily, deadlock can arise when two
359  * inserters holding a WAL insert lock wait for each other to finish their
360  * insertion.
361  *
362  * Small WAL records that don't cross a page boundary never update the value,
363  * the WAL record is just copied to the page and the lock is released. But
364  * to avoid the deadlock-scenario explained above, the indicator is always
365  * updated before sleeping while holding an insertion lock.
366  *
367  * lastImportantAt contains the LSN of the last important WAL record inserted
368  * using a given lock. This value is used to detect if there has been
369  * important WAL activity since the last time some action, like a checkpoint,
370  * was performed - allowing to not repeat the action if not. The LSN is
371  * updated for all insertions, unless the XLOG_MARK_UNIMPORTANT flag was
372  * set. lastImportantAt is never cleared, only overwritten by the LSN of newer
373  * records. Tracking the WAL activity directly in WALInsertLock has the
374  * advantage of not needing any additional locks to update the value.
375  */
376 typedef struct
377 {
381 } WALInsertLock;
382 
383 /*
384  * All the WAL insertion locks are allocated as an array in shared memory. We
385  * force the array stride to be a power of 2, which saves a few cycles in
386  * indexing, but more importantly also ensures that individual slots don't
387  * cross cache line boundaries. (Of course, we have to also ensure that the
388  * array start address is suitably aligned.)
389  */
390 typedef union WALInsertLockPadded
391 {
395 
396 /*
397  * Session status of running backup, used for sanity checks in SQL-callable
398  * functions to start and stop backups.
399  */
401 
402 /*
403  * Shared state data for WAL insertion.
404  */
405 typedef struct XLogCtlInsert
406 {
407  slock_t insertpos_lck; /* protects CurrBytePos and PrevBytePos */
408 
409  /*
410  * CurrBytePos is the end of reserved WAL. The next record will be
411  * inserted at that position. PrevBytePos is the start position of the
412  * previously inserted (or rather, reserved) record - it is copied to the
413  * prev-link of the next record. These are stored as "usable byte
414  * positions" rather than XLogRecPtrs (see XLogBytePosToRecPtr()).
415  */
416  uint64 CurrBytePos;
417  uint64 PrevBytePos;
418 
419  /*
420  * Make sure the above heavily-contended spinlock and byte positions are
421  * on their own cache line. In particular, the RedoRecPtr and full page
422  * write variables below should be on a different cache line. They are
423  * read on every WAL insertion, but updated rarely, and we don't want
424  * those reads to steal the cache line containing Curr/PrevBytePos.
425  */
427 
428  /*
429  * fullPageWrites is the authoritative value used by all backends to
430  * determine whether to write full-page image to WAL. This shared value,
431  * instead of the process-local fullPageWrites, is required because, when
432  * full_page_writes is changed by SIGHUP, we must WAL-log it before it
433  * actually affects WAL-logging by backends. Checkpointer sets at startup
434  * or after SIGHUP.
435  *
436  * To read these fields, you must hold an insertion lock. To modify them,
437  * you must hold ALL the locks.
438  */
439  XLogRecPtr RedoRecPtr; /* current redo point for insertions */
441 
442  /*
443  * runningBackups is a counter indicating the number of backups currently
444  * in progress. lastBackupStart is the latest checkpoint redo location
445  * used as a starting point for an online backup.
446  */
449 
450  /*
451  * WAL insertion locks.
452  */
455 
456 /*
457  * Total shared-memory state for XLOG.
458  */
459 typedef struct XLogCtlData
460 {
462 
463  /* Protected by info_lck: */
465  XLogRecPtr RedoRecPtr; /* a recent copy of Insert->RedoRecPtr */
466  FullTransactionId ckptFullXid; /* nextXid of latest checkpoint */
467  XLogRecPtr asyncXactLSN; /* LSN of newest async commit/abort */
468  XLogRecPtr replicationSlotMinLSN; /* oldest LSN needed by any slot */
469 
470  XLogSegNo lastRemovedSegNo; /* latest removed/recycled XLOG segment */
471 
472  /* Fake LSN counter, for unlogged relations. Protected by ulsn_lck. */
475 
476  /* Time and LSN of last xlog segment switch. Protected by WALWriteLock. */
479 
480  /*
481  * Protected by info_lck and WALWriteLock (you must hold either lock to
482  * read it, but both to update)
483  */
485 
486  /*
487  * Latest initialized page in the cache (last byte position + 1).
488  *
489  * To change the identity of a buffer (and InitializedUpTo), you need to
490  * hold WALBufMappingLock. To change the identity of a buffer that's
491  * still dirty, the old page needs to be written out first, and for that
492  * you need WALWriteLock, and you need to ensure that there are no
493  * in-progress insertions to the page by calling
494  * WaitXLogInsertionsToFinish().
495  */
497 
498  /*
499  * These values do not change after startup, although the pointed-to pages
500  * and xlblocks values certainly do. xlblocks values are protected by
501  * WALBufMappingLock.
502  */
503  char *pages; /* buffers for unwritten XLOG pages */
504  XLogRecPtr *xlblocks; /* 1st byte ptr-s + XLOG_BLCKSZ */
505  int XLogCacheBlck; /* highest allocated xlog buffer index */
506 
507  /*
508  * InsertTimeLineID is the timeline into which new WAL is being inserted
509  * and flushed. It is zero during recovery, and does not change once set.
510  *
511  * If we create a new timeline when the system was started up,
512  * PrevTimeLineID is the old timeline's ID that we forked off from.
513  * Otherwise it's equal to InsertTimeLineID.
514  */
517 
518  /*
519  * SharedRecoveryState indicates if we're still in crash or archive
520  * recovery. Protected by info_lck.
521  */
523 
524  /*
525  * InstallXLogFileSegmentActive indicates whether the checkpointer should
526  * arrange for future segments by recycling and/or PreallocXlogFiles().
527  * Protected by ControlFileLock. Only the startup process changes it. If
528  * true, anyone can use InstallXLogFileSegment(). If false, the startup
529  * process owns the exclusive right to install segments, by reading from
530  * the archive and possibly replacing existing files.
531  */
533 
534  /*
535  * WalWriterSleeping indicates whether the WAL writer is currently in
536  * low-power mode (and hence should be nudged if an async commit occurs).
537  * Protected by info_lck.
538  */
540 
541  /*
542  * During recovery, we keep a copy of the latest checkpoint record here.
543  * lastCheckPointRecPtr points to start of checkpoint record and
544  * lastCheckPointEndPtr points to end+1 of checkpoint record. Used by the
545  * checkpointer when it wants to create a restartpoint.
546  *
547  * Protected by info_lck.
548  */
552 
553  /*
554  * lastFpwDisableRecPtr points to the start of the last replayed
555  * XLOG_FPW_CHANGE record that instructs full_page_writes is disabled.
556  */
558 
559  slock_t info_lck; /* locks shared variables shown above */
561 
562 static XLogCtlData *XLogCtl = NULL;
563 
564 /* a private copy of XLogCtl->Insert.WALInsertLocks, for convenience */
566 
567 /*
568  * We maintain an image of pg_control in shared memory.
569  */
571 
572 /*
573  * Calculate the amount of space left on the page after 'endptr'. Beware
574  * multiple evaluation!
575  */
576 #define INSERT_FREESPACE(endptr) \
577  (((endptr) % XLOG_BLCKSZ == 0) ? 0 : (XLOG_BLCKSZ - (endptr) % XLOG_BLCKSZ))
578 
579 /* Macro to advance to next buffer index. */
580 #define NextBufIdx(idx) \
581  (((idx) == XLogCtl->XLogCacheBlck) ? 0 : ((idx) + 1))
582 
583 /*
584  * XLogRecPtrToBufIdx returns the index of the WAL buffer that holds, or
585  * would hold if it was in cache, the page containing 'recptr'.
586  */
587 #define XLogRecPtrToBufIdx(recptr) \
588  (((recptr) / XLOG_BLCKSZ) % (XLogCtl->XLogCacheBlck + 1))
589 
590 /*
591  * These are the number of bytes in a WAL page usable for WAL data.
592  */
593 #define UsableBytesInPage (XLOG_BLCKSZ - SizeOfXLogShortPHD)
594 
595 /*
596  * Convert values of GUCs measured in megabytes to equiv. segment count.
597  * Rounds down.
598  */
599 #define ConvertToXSegs(x, segsize) XLogMBVarToSegs((x), (segsize))
600 
601 /* The number of bytes in a WAL segment usable for WAL data. */
603 
604 /*
605  * Private, possibly out-of-date copy of shared LogwrtResult.
606  * See discussion above.
607  */
608 static XLogwrtResult LogwrtResult = {0, 0};
609 
610 /*
611  * openLogFile is -1 or a kernel FD for an open log file segment.
612  * openLogSegNo identifies the segment, and openLogTLI the corresponding TLI.
613  * These variables are only used to write the XLOG, and so will normally refer
614  * to the active segment.
615  *
616  * Note: call Reserve/ReleaseExternalFD to track consumption of this FD.
617  */
618 static int openLogFile = -1;
621 
622 /*
623  * Local copies of equivalent fields in the control file. When running
624  * crash recovery, LocalMinRecoveryPoint is set to InvalidXLogRecPtr as we
625  * expect to replay all the WAL available, and updateMinRecoveryPoint is
626  * switched to false to prevent any updates while replaying records.
627  * Those values are kept consistent as long as crash recovery runs.
628  */
631 static bool updateMinRecoveryPoint = true;
632 
633 /* For WALInsertLockAcquire/Release functions */
634 static int MyLockNo = 0;
635 static bool holdingAllLocks = false;
636 
637 #ifdef WAL_DEBUG
638 static MemoryContext walDebugCxt = NULL;
639 #endif
640 
641 static void CleanupAfterArchiveRecovery(TimeLineID EndOfLogTLI,
642  XLogRecPtr EndOfLog,
643  TimeLineID newTLI);
644 static void CheckRequiredParameterValues(void);
645 static void XLogReportParameters(void);
646 static int LocalSetXLogInsertAllowed(void);
647 static void CreateEndOfRecoveryRecord(void);
649  XLogRecPtr pagePtr,
650  TimeLineID newTLI);
651 static void CheckPointGuts(XLogRecPtr checkPointRedo, int flags);
652 static void KeepLogSeg(XLogRecPtr recptr, XLogSegNo *logSegNo);
654 
655 static void AdvanceXLInsertBuffer(XLogRecPtr upto, TimeLineID tli,
656  bool opportunistic);
657 static void XLogWrite(XLogwrtRqst WriteRqst, TimeLineID tli, bool flexible);
658 static bool InstallXLogFileSegment(XLogSegNo *segno, char *tmppath,
659  bool find_free, XLogSegNo max_segno,
660  TimeLineID tli);
661 static void XLogFileClose(void);
662 static void PreallocXlogFiles(XLogRecPtr endptr, TimeLineID tli);
663 static void RemoveTempXlogFiles(void);
664 static void RemoveOldXlogFiles(XLogSegNo segno, XLogRecPtr lastredoptr,
665  XLogRecPtr endptr, TimeLineID insertTLI);
666 static void RemoveXlogFile(const struct dirent *segment_de,
667  XLogSegNo recycleSegNo, XLogSegNo *endlogSegNo,
668  TimeLineID insertTLI);
669 static void UpdateLastRemovedPtr(char *filename);
670 static void ValidateXLOGDirectoryStructure(void);
671 static void CleanupBackupHistory(void);
672 static void UpdateMinRecoveryPoint(XLogRecPtr lsn, bool force);
673 static bool PerformRecoveryXLogAction(void);
674 static void InitControlFile(uint64 sysidentifier);
675 static void WriteControlFile(void);
676 static void ReadControlFile(void);
677 static void UpdateControlFile(void);
678 static char *str_time(pg_time_t tnow);
679 
680 static int get_sync_bit(int method);
681 
682 static void CopyXLogRecordToWAL(int write_len, bool isLogSwitch,
683  XLogRecData *rdata,
684  XLogRecPtr StartPos, XLogRecPtr EndPos,
685  TimeLineID tli);
686 static void ReserveXLogInsertLocation(int size, XLogRecPtr *StartPos,
687  XLogRecPtr *EndPos, XLogRecPtr *PrevPtr);
688 static bool ReserveXLogSwitch(XLogRecPtr *StartPos, XLogRecPtr *EndPos,
689  XLogRecPtr *PrevPtr);
691 static char *GetXLogBuffer(XLogRecPtr ptr, TimeLineID tli);
692 static XLogRecPtr XLogBytePosToRecPtr(uint64 bytepos);
693 static XLogRecPtr XLogBytePosToEndRecPtr(uint64 bytepos);
694 static uint64 XLogRecPtrToBytePos(XLogRecPtr ptr);
695 
696 static void WALInsertLockAcquire(void);
697 static void WALInsertLockAcquireExclusive(void);
698 static void WALInsertLockRelease(void);
699 static void WALInsertLockUpdateInsertingAt(XLogRecPtr insertingAt);
700 
701 /*
702  * Insert an XLOG record represented by an already-constructed chain of data
703  * chunks. This is a low-level routine; to construct the WAL record header
704  * and data, use the higher-level routines in xloginsert.c.
705  *
706  * If 'fpw_lsn' is valid, it is the oldest LSN among the pages that this
707  * WAL record applies to, that were not included in the record as full page
708  * images. If fpw_lsn <= RedoRecPtr, the function does not perform the
709  * insertion and returns InvalidXLogRecPtr. The caller can then recalculate
710  * which pages need a full-page image, and retry. If fpw_lsn is invalid, the
711  * record is always inserted.
712  *
713  * 'flags' gives more in-depth control on the record being inserted. See
714  * XLogSetRecordFlags() for details.
715  *
716  * 'topxid_included' tells whether the top-transaction id is logged along with
717  * current subtransaction. See XLogRecordAssemble().
718  *
719  * The first XLogRecData in the chain must be for the record header, and its
720  * data must be MAXALIGNed. XLogInsertRecord fills in the xl_prev and
721  * xl_crc fields in the header, the rest of the header must already be filled
722  * by the caller.
723  *
724  * Returns XLOG pointer to end of record (beginning of next record).
725  * This can be used as LSN for data pages affected by the logged action.
726  * (LSN is the XLOG point up to which the XLOG must be flushed to disk
727  * before the data page can be written out. This implements the basic
728  * WAL rule "write the log before the data".)
729  */
732  XLogRecPtr fpw_lsn,
733  uint8 flags,
734  int num_fpi,
735  bool topxid_included)
736 {
738  pg_crc32c rdata_crc;
739  bool inserted;
740  XLogRecord *rechdr = (XLogRecord *) rdata->data;
741  uint8 info = rechdr->xl_info & ~XLR_INFO_MASK;
742  bool isLogSwitch = (rechdr->xl_rmid == RM_XLOG_ID &&
743  info == XLOG_SWITCH);
744  XLogRecPtr StartPos;
745  XLogRecPtr EndPos;
746  bool prevDoPageWrites = doPageWrites;
747  TimeLineID insertTLI;
748 
749  /* we assume that all of the record header is in the first chunk */
750  Assert(rdata->len >= SizeOfXLogRecord);
751 
752  /* cross-check on whether we should be here or not */
753  if (!XLogInsertAllowed())
754  elog(ERROR, "cannot make new WAL entries during recovery");
755 
756  /*
757  * Given that we're not in recovery, InsertTimeLineID is set and can't
758  * change, so we can read it without a lock.
759  */
760  insertTLI = XLogCtl->InsertTimeLineID;
761 
762  /*----------
763  *
764  * We have now done all the preparatory work we can without holding a
765  * lock or modifying shared state. From here on, inserting the new WAL
766  * record to the shared WAL buffer cache is a two-step process:
767  *
768  * 1. Reserve the right amount of space from the WAL. The current head of
769  * reserved space is kept in Insert->CurrBytePos, and is protected by
770  * insertpos_lck.
771  *
772  * 2. Copy the record to the reserved WAL space. This involves finding the
773  * correct WAL buffer containing the reserved space, and copying the
774  * record in place. This can be done concurrently in multiple processes.
775  *
776  * To keep track of which insertions are still in-progress, each concurrent
777  * inserter acquires an insertion lock. In addition to just indicating that
778  * an insertion is in progress, the lock tells others how far the inserter
779  * has progressed. There is a small fixed number of insertion locks,
780  * determined by NUM_XLOGINSERT_LOCKS. When an inserter crosses a page
781  * boundary, it updates the value stored in the lock to the how far it has
782  * inserted, to allow the previous buffer to be flushed.
783  *
784  * Holding onto an insertion lock also protects RedoRecPtr and
785  * fullPageWrites from changing until the insertion is finished.
786  *
787  * Step 2 can usually be done completely in parallel. If the required WAL
788  * page is not initialized yet, you have to grab WALBufMappingLock to
789  * initialize it, but the WAL writer tries to do that ahead of insertions
790  * to avoid that from happening in the critical path.
791  *
792  *----------
793  */
795  if (isLogSwitch)
797  else
799 
800  /*
801  * Check to see if my copy of RedoRecPtr is out of date. If so, may have
802  * to go back and have the caller recompute everything. This can only
803  * happen just after a checkpoint, so it's better to be slow in this case
804  * and fast otherwise.
805  *
806  * Also check to see if fullPageWrites was just turned on or there's a
807  * running backup (which forces full-page writes); if we weren't already
808  * doing full-page writes then go back and recompute.
809  *
810  * If we aren't doing full-page writes then RedoRecPtr doesn't actually
811  * affect the contents of the XLOG record, so we'll update our local copy
812  * but not force a recomputation. (If doPageWrites was just turned off,
813  * we could recompute the record without full pages, but we choose not to
814  * bother.)
815  */
816  if (RedoRecPtr != Insert->RedoRecPtr)
817  {
818  Assert(RedoRecPtr < Insert->RedoRecPtr);
819  RedoRecPtr = Insert->RedoRecPtr;
820  }
821  doPageWrites = (Insert->fullPageWrites || Insert->runningBackups > 0);
822 
823  if (doPageWrites &&
824  (!prevDoPageWrites ||
825  (fpw_lsn != InvalidXLogRecPtr && fpw_lsn <= RedoRecPtr)))
826  {
827  /*
828  * Oops, some buffer now needs to be backed up that the caller didn't
829  * back up. Start over.
830  */
833  return InvalidXLogRecPtr;
834  }
835 
836  /*
837  * Reserve space for the record in the WAL. This also sets the xl_prev
838  * pointer.
839  */
840  if (isLogSwitch)
841  inserted = ReserveXLogSwitch(&StartPos, &EndPos, &rechdr->xl_prev);
842  else
843  {
844  ReserveXLogInsertLocation(rechdr->xl_tot_len, &StartPos, &EndPos,
845  &rechdr->xl_prev);
846  inserted = true;
847  }
848 
849  if (inserted)
850  {
851  /*
852  * Now that xl_prev has been filled in, calculate CRC of the record
853  * header.
854  */
855  rdata_crc = rechdr->xl_crc;
856  COMP_CRC32C(rdata_crc, rechdr, offsetof(XLogRecord, xl_crc));
857  FIN_CRC32C(rdata_crc);
858  rechdr->xl_crc = rdata_crc;
859 
860  /*
861  * All the record data, including the header, is now ready to be
862  * inserted. Copy the record in the space reserved.
863  */
864  CopyXLogRecordToWAL(rechdr->xl_tot_len, isLogSwitch, rdata,
865  StartPos, EndPos, insertTLI);
866 
867  /*
868  * Unless record is flagged as not important, update LSN of last
869  * important record in the current slot. When holding all locks, just
870  * update the first one.
871  */
872  if ((flags & XLOG_MARK_UNIMPORTANT) == 0)
873  {
874  int lockno = holdingAllLocks ? 0 : MyLockNo;
875 
876  WALInsertLocks[lockno].l.lastImportantAt = StartPos;
877  }
878  }
879  else
880  {
881  /*
882  * This was an xlog-switch record, but the current insert location was
883  * already exactly at the beginning of a segment, so there was no need
884  * to do anything.
885  */
886  }
887 
888  /*
889  * Done! Let others know that we're finished.
890  */
892 
894 
896 
897  /*
898  * Mark top transaction id is logged (if needed) so that we should not try
899  * to log it again with the next WAL record in the current subtransaction.
900  */
901  if (topxid_included)
903 
904  /*
905  * Update shared LogwrtRqst.Write, if we crossed page boundary.
906  */
907  if (StartPos / XLOG_BLCKSZ != EndPos / XLOG_BLCKSZ)
908  {
910  /* advance global request to include new block(s) */
911  if (XLogCtl->LogwrtRqst.Write < EndPos)
912  XLogCtl->LogwrtRqst.Write = EndPos;
913  /* update local result copy while I have the chance */
916  }
917 
918  /*
919  * If this was an XLOG_SWITCH record, flush the record and the empty
920  * padding space that fills the rest of the segment, and perform
921  * end-of-segment actions (eg, notifying archiver).
922  */
923  if (isLogSwitch)
924  {
925  TRACE_POSTGRESQL_WAL_SWITCH();
926  XLogFlush(EndPos);
927 
928  /*
929  * Even though we reserved the rest of the segment for us, which is
930  * reflected in EndPos, we return a pointer to just the end of the
931  * xlog-switch record.
932  */
933  if (inserted)
934  {
935  EndPos = StartPos + SizeOfXLogRecord;
936  if (StartPos / XLOG_BLCKSZ != EndPos / XLOG_BLCKSZ)
937  {
938  uint64 offset = XLogSegmentOffset(EndPos, wal_segment_size);
939 
940  if (offset == EndPos % XLOG_BLCKSZ)
941  EndPos += SizeOfXLogLongPHD;
942  else
943  EndPos += SizeOfXLogShortPHD;
944  }
945  }
946  }
947 
948 #ifdef WAL_DEBUG
949  if (XLOG_DEBUG)
950  {
951  static XLogReaderState *debug_reader = NULL;
952  XLogRecord *record;
953  DecodedXLogRecord *decoded;
955  StringInfoData recordBuf;
956  char *errormsg = NULL;
957  MemoryContext oldCxt;
958 
959  oldCxt = MemoryContextSwitchTo(walDebugCxt);
960 
962  appendStringInfo(&buf, "INSERT @ %X/%X: ", LSN_FORMAT_ARGS(EndPos));
963 
964  /*
965  * We have to piece together the WAL record data from the XLogRecData
966  * entries, so that we can pass it to the rm_desc function as one
967  * contiguous chunk.
968  */
969  initStringInfo(&recordBuf);
970  for (; rdata != NULL; rdata = rdata->next)
971  appendBinaryStringInfo(&recordBuf, rdata->data, rdata->len);
972 
973  /* We also need temporary space to decode the record. */
974  record = (XLogRecord *) recordBuf.data;
975  decoded = (DecodedXLogRecord *)
977 
978  if (!debug_reader)
979  debug_reader = XLogReaderAllocate(wal_segment_size, NULL,
980  XL_ROUTINE(), NULL);
981 
982  if (!debug_reader)
983  {
984  appendStringInfoString(&buf, "error decoding record: out of memory while allocating a WAL reading processor");
985  }
986  else if (!DecodeXLogRecord(debug_reader,
987  decoded,
988  record,
989  EndPos,
990  &errormsg))
991  {
992  appendStringInfo(&buf, "error decoding record: %s",
993  errormsg ? errormsg : "no error message");
994  }
995  else
996  {
997  appendStringInfoString(&buf, " - ");
998 
999  debug_reader->record = decoded;
1000  xlog_outdesc(&buf, debug_reader);
1001  debug_reader->record = NULL;
1002  }
1003  elog(LOG, "%s", buf.data);
1004 
1005  pfree(decoded);
1006  pfree(buf.data);
1007  pfree(recordBuf.data);
1008  MemoryContextSwitchTo(oldCxt);
1009  }
1010 #endif
1011 
1012  /*
1013  * Update our global variables
1014  */
1015  ProcLastRecPtr = StartPos;
1016  XactLastRecEnd = EndPos;
1017 
1018  /* Report WAL traffic to the instrumentation. */
1019  if (inserted)
1020  {
1021  pgWalUsage.wal_bytes += rechdr->xl_tot_len;
1023  pgWalUsage.wal_fpi += num_fpi;
1024  }
1025 
1026  return EndPos;
1027 }
1028 
1029 /*
1030  * Reserves the right amount of space for a record of given size from the WAL.
1031  * *StartPos is set to the beginning of the reserved section, *EndPos to
1032  * its end+1. *PrevPtr is set to the beginning of the previous record; it is
1033  * used to set the xl_prev of this record.
1034  *
1035  * This is the performance critical part of XLogInsert that must be serialized
1036  * across backends. The rest can happen mostly in parallel. Try to keep this
1037  * section as short as possible, insertpos_lck can be heavily contended on a
1038  * busy system.
1039  *
1040  * NB: The space calculation here must match the code in CopyXLogRecordToWAL,
1041  * where we actually copy the record to the reserved space.
1042  */
1043 static void
1044 ReserveXLogInsertLocation(int size, XLogRecPtr *StartPos, XLogRecPtr *EndPos,
1045  XLogRecPtr *PrevPtr)
1046 {
1048  uint64 startbytepos;
1049  uint64 endbytepos;
1050  uint64 prevbytepos;
1051 
1052  size = MAXALIGN(size);
1053 
1054  /* All (non xlog-switch) records should contain data. */
1055  Assert(size > SizeOfXLogRecord);
1056 
1057  /*
1058  * The duration the spinlock needs to be held is minimized by minimizing
1059  * the calculations that have to be done while holding the lock. The
1060  * current tip of reserved WAL is kept in CurrBytePos, as a byte position
1061  * that only counts "usable" bytes in WAL, that is, it excludes all WAL
1062  * page headers. The mapping between "usable" byte positions and physical
1063  * positions (XLogRecPtrs) can be done outside the locked region, and
1064  * because the usable byte position doesn't include any headers, reserving
1065  * X bytes from WAL is almost as simple as "CurrBytePos += X".
1066  */
1067  SpinLockAcquire(&Insert->insertpos_lck);
1068 
1069  startbytepos = Insert->CurrBytePos;
1070  endbytepos = startbytepos + size;
1071  prevbytepos = Insert->PrevBytePos;
1072  Insert->CurrBytePos = endbytepos;
1073  Insert->PrevBytePos = startbytepos;
1074 
1075  SpinLockRelease(&Insert->insertpos_lck);
1076 
1077  *StartPos = XLogBytePosToRecPtr(startbytepos);
1078  *EndPos = XLogBytePosToEndRecPtr(endbytepos);
1079  *PrevPtr = XLogBytePosToRecPtr(prevbytepos);
1080 
1081  /*
1082  * Check that the conversions between "usable byte positions" and
1083  * XLogRecPtrs work consistently in both directions.
1084  */
1085  Assert(XLogRecPtrToBytePos(*StartPos) == startbytepos);
1086  Assert(XLogRecPtrToBytePos(*EndPos) == endbytepos);
1087  Assert(XLogRecPtrToBytePos(*PrevPtr) == prevbytepos);
1088 }
1089 
1090 /*
1091  * Like ReserveXLogInsertLocation(), but for an xlog-switch record.
1092  *
1093  * A log-switch record is handled slightly differently. The rest of the
1094  * segment will be reserved for this insertion, as indicated by the returned
1095  * *EndPos value. However, if we are already at the beginning of the current
1096  * segment, *StartPos and *EndPos are set to the current location without
1097  * reserving any space, and the function returns false.
1098 */
1099 static bool
1100 ReserveXLogSwitch(XLogRecPtr *StartPos, XLogRecPtr *EndPos, XLogRecPtr *PrevPtr)
1101 {
1103  uint64 startbytepos;
1104  uint64 endbytepos;
1105  uint64 prevbytepos;
1107  XLogRecPtr ptr;
1108  uint32 segleft;
1109 
1110  /*
1111  * These calculations are a bit heavy-weight to be done while holding a
1112  * spinlock, but since we're holding all the WAL insertion locks, there
1113  * are no other inserters competing for it. GetXLogInsertRecPtr() does
1114  * compete for it, but that's not called very frequently.
1115  */
1116  SpinLockAcquire(&Insert->insertpos_lck);
1117 
1118  startbytepos = Insert->CurrBytePos;
1119 
1120  ptr = XLogBytePosToEndRecPtr(startbytepos);
1121  if (XLogSegmentOffset(ptr, wal_segment_size) == 0)
1122  {
1123  SpinLockRelease(&Insert->insertpos_lck);
1124  *EndPos = *StartPos = ptr;
1125  return false;
1126  }
1127 
1128  endbytepos = startbytepos + size;
1129  prevbytepos = Insert->PrevBytePos;
1130 
1131  *StartPos = XLogBytePosToRecPtr(startbytepos);
1132  *EndPos = XLogBytePosToEndRecPtr(endbytepos);
1133 
1134  segleft = wal_segment_size - XLogSegmentOffset(*EndPos, wal_segment_size);
1135  if (segleft != wal_segment_size)
1136  {
1137  /* consume the rest of the segment */
1138  *EndPos += segleft;
1139  endbytepos = XLogRecPtrToBytePos(*EndPos);
1140  }
1141  Insert->CurrBytePos = endbytepos;
1142  Insert->PrevBytePos = startbytepos;
1143 
1144  SpinLockRelease(&Insert->insertpos_lck);
1145 
1146  *PrevPtr = XLogBytePosToRecPtr(prevbytepos);
1147 
1148  Assert(XLogSegmentOffset(*EndPos, wal_segment_size) == 0);
1149  Assert(XLogRecPtrToBytePos(*EndPos) == endbytepos);
1150  Assert(XLogRecPtrToBytePos(*StartPos) == startbytepos);
1151  Assert(XLogRecPtrToBytePos(*PrevPtr) == prevbytepos);
1152 
1153  return true;
1154 }
1155 
1156 /*
1157  * Subroutine of XLogInsertRecord. Copies a WAL record to an already-reserved
1158  * area in the WAL.
1159  */
1160 static void
1161 CopyXLogRecordToWAL(int write_len, bool isLogSwitch, XLogRecData *rdata,
1162  XLogRecPtr StartPos, XLogRecPtr EndPos, TimeLineID tli)
1163 {
1164  char *currpos;
1165  int freespace;
1166  int written;
1167  XLogRecPtr CurrPos;
1168  XLogPageHeader pagehdr;
1169 
1170  /*
1171  * Get a pointer to the right place in the right WAL buffer to start
1172  * inserting to.
1173  */
1174  CurrPos = StartPos;
1175  currpos = GetXLogBuffer(CurrPos, tli);
1176  freespace = INSERT_FREESPACE(CurrPos);
1177 
1178  /*
1179  * there should be enough space for at least the first field (xl_tot_len)
1180  * on this page.
1181  */
1182  Assert(freespace >= sizeof(uint32));
1183 
1184  /* Copy record data */
1185  written = 0;
1186  while (rdata != NULL)
1187  {
1188  char *rdata_data = rdata->data;
1189  int rdata_len = rdata->len;
1190 
1191  while (rdata_len > freespace)
1192  {
1193  /*
1194  * Write what fits on this page, and continue on the next page.
1195  */
1196  Assert(CurrPos % XLOG_BLCKSZ >= SizeOfXLogShortPHD || freespace == 0);
1197  memcpy(currpos, rdata_data, freespace);
1198  rdata_data += freespace;
1199  rdata_len -= freespace;
1200  written += freespace;
1201  CurrPos += freespace;
1202 
1203  /*
1204  * Get pointer to beginning of next page, and set the xlp_rem_len
1205  * in the page header. Set XLP_FIRST_IS_CONTRECORD.
1206  *
1207  * It's safe to set the contrecord flag and xlp_rem_len without a
1208  * lock on the page. All the other flags were already set when the
1209  * page was initialized, in AdvanceXLInsertBuffer, and we're the
1210  * only backend that needs to set the contrecord flag.
1211  */
1212  currpos = GetXLogBuffer(CurrPos, tli);
1213  pagehdr = (XLogPageHeader) currpos;
1214  pagehdr->xlp_rem_len = write_len - written;
1215  pagehdr->xlp_info |= XLP_FIRST_IS_CONTRECORD;
1216 
1217  /* skip over the page header */
1218  if (XLogSegmentOffset(CurrPos, wal_segment_size) == 0)
1219  {
1220  CurrPos += SizeOfXLogLongPHD;
1221  currpos += SizeOfXLogLongPHD;
1222  }
1223  else
1224  {
1225  CurrPos += SizeOfXLogShortPHD;
1226  currpos += SizeOfXLogShortPHD;
1227  }
1228  freespace = INSERT_FREESPACE(CurrPos);
1229  }
1230 
1231  Assert(CurrPos % XLOG_BLCKSZ >= SizeOfXLogShortPHD || rdata_len == 0);
1232  memcpy(currpos, rdata_data, rdata_len);
1233  currpos += rdata_len;
1234  CurrPos += rdata_len;
1235  freespace -= rdata_len;
1236  written += rdata_len;
1237 
1238  rdata = rdata->next;
1239  }
1240  Assert(written == write_len);
1241 
1242  /*
1243  * If this was an xlog-switch, it's not enough to write the switch record,
1244  * we also have to consume all the remaining space in the WAL segment. We
1245  * have already reserved that space, but we need to actually fill it.
1246  */
1247  if (isLogSwitch && XLogSegmentOffset(CurrPos, wal_segment_size) != 0)
1248  {
1249  /* An xlog-switch record doesn't contain any data besides the header */
1250  Assert(write_len == SizeOfXLogRecord);
1251 
1252  /* Assert that we did reserve the right amount of space */
1253  Assert(XLogSegmentOffset(EndPos, wal_segment_size) == 0);
1254 
1255  /* Use up all the remaining space on the current page */
1256  CurrPos += freespace;
1257 
1258  /*
1259  * Cause all remaining pages in the segment to be flushed, leaving the
1260  * XLog position where it should be, at the start of the next segment.
1261  * We do this one page at a time, to make sure we don't deadlock
1262  * against ourselves if wal_buffers < wal_segment_size.
1263  */
1264  while (CurrPos < EndPos)
1265  {
1266  /*
1267  * The minimal action to flush the page would be to call
1268  * WALInsertLockUpdateInsertingAt(CurrPos) followed by
1269  * AdvanceXLInsertBuffer(...). The page would be left initialized
1270  * mostly to zeros, except for the page header (always the short
1271  * variant, as this is never a segment's first page).
1272  *
1273  * The large vistas of zeros are good for compressibility, but the
1274  * headers interrupting them every XLOG_BLCKSZ (with values that
1275  * differ from page to page) are not. The effect varies with
1276  * compression tool, but bzip2 for instance compresses about an
1277  * order of magnitude worse if those headers are left in place.
1278  *
1279  * Rather than complicating AdvanceXLInsertBuffer itself (which is
1280  * called in heavily-loaded circumstances as well as this lightly-
1281  * loaded one) with variant behavior, we just use GetXLogBuffer
1282  * (which itself calls the two methods we need) to get the pointer
1283  * and zero most of the page. Then we just zero the page header.
1284  */
1285  currpos = GetXLogBuffer(CurrPos, tli);
1286  MemSet(currpos, 0, SizeOfXLogShortPHD);
1287 
1288  CurrPos += XLOG_BLCKSZ;
1289  }
1290  }
1291  else
1292  {
1293  /* Align the end position, so that the next record starts aligned */
1294  CurrPos = MAXALIGN64(CurrPos);
1295  }
1296 
1297  if (CurrPos != EndPos)
1298  elog(PANIC, "space reserved for WAL record does not match what was written");
1299 }
1300 
1301 /*
1302  * Acquire a WAL insertion lock, for inserting to WAL.
1303  */
1304 static void
1306 {
1307  bool immed;
1308 
1309  /*
1310  * It doesn't matter which of the WAL insertion locks we acquire, so try
1311  * the one we used last time. If the system isn't particularly busy, it's
1312  * a good bet that it's still available, and it's good to have some
1313  * affinity to a particular lock so that you don't unnecessarily bounce
1314  * cache lines between processes when there's no contention.
1315  *
1316  * If this is the first time through in this backend, pick a lock
1317  * (semi-)randomly. This allows the locks to be used evenly if you have a
1318  * lot of very short connections.
1319  */
1320  static int lockToTry = -1;
1321 
1322  if (lockToTry == -1)
1323  lockToTry = MyProc->pgprocno % NUM_XLOGINSERT_LOCKS;
1324  MyLockNo = lockToTry;
1325 
1326  /*
1327  * The insertingAt value is initially set to 0, as we don't know our
1328  * insert location yet.
1329  */
1331  if (!immed)
1332  {
1333  /*
1334  * If we couldn't get the lock immediately, try another lock next
1335  * time. On a system with more insertion locks than concurrent
1336  * inserters, this causes all the inserters to eventually migrate to a
1337  * lock that no-one else is using. On a system with more inserters
1338  * than locks, it still helps to distribute the inserters evenly
1339  * across the locks.
1340  */
1341  lockToTry = (lockToTry + 1) % NUM_XLOGINSERT_LOCKS;
1342  }
1343 }
1344 
1345 /*
1346  * Acquire all WAL insertion locks, to prevent other backends from inserting
1347  * to WAL.
1348  */
1349 static void
1351 {
1352  int i;
1353 
1354  /*
1355  * When holding all the locks, all but the last lock's insertingAt
1356  * indicator is set to 0xFFFFFFFFFFFFFFFF, which is higher than any real
1357  * XLogRecPtr value, to make sure that no-one blocks waiting on those.
1358  */
1359  for (i = 0; i < NUM_XLOGINSERT_LOCKS - 1; i++)
1360  {
1362  LWLockUpdateVar(&WALInsertLocks[i].l.lock,
1364  PG_UINT64_MAX);
1365  }
1366  /* Variable value reset to 0 at release */
1368 
1369  holdingAllLocks = true;
1370 }
1371 
1372 /*
1373  * Release our insertion lock (or locks, if we're holding them all).
1374  *
1375  * NB: Reset all variables to 0, so they cause LWLockWaitForVar to block the
1376  * next time the lock is acquired.
1377  */
1378 static void
1380 {
1381  if (holdingAllLocks)
1382  {
1383  int i;
1384 
1385  for (i = 0; i < NUM_XLOGINSERT_LOCKS; i++)
1388  0);
1389 
1390  holdingAllLocks = false;
1391  }
1392  else
1393  {
1396  0);
1397  }
1398 }
1399 
1400 /*
1401  * Update our insertingAt value, to let others know that we've finished
1402  * inserting up to that point.
1403  */
1404 static void
1406 {
1407  if (holdingAllLocks)
1408  {
1409  /*
1410  * We use the last lock to mark our actual position, see comments in
1411  * WALInsertLockAcquireExclusive.
1412  */
1415  insertingAt);
1416  }
1417  else
1420  insertingAt);
1421 }
1422 
1423 /*
1424  * Wait for any WAL insertions < upto to finish.
1425  *
1426  * Returns the location of the oldest insertion that is still in-progress.
1427  * Any WAL prior to that point has been fully copied into WAL buffers, and
1428  * can be flushed out to disk. Because this waits for any insertions older
1429  * than 'upto' to finish, the return value is always >= 'upto'.
1430  *
1431  * Note: When you are about to write out WAL, you must call this function
1432  * *before* acquiring WALWriteLock, to avoid deadlocks. This function might
1433  * need to wait for an insertion to finish (or at least advance to next
1434  * uninitialized page), and the inserter might need to evict an old WAL buffer
1435  * to make room for a new one, which in turn requires WALWriteLock.
1436  */
1437 static XLogRecPtr
1439 {
1440  uint64 bytepos;
1441  XLogRecPtr reservedUpto;
1442  XLogRecPtr finishedUpto;
1444  int i;
1445 
1446  if (MyProc == NULL)
1447  elog(PANIC, "cannot wait without a PGPROC structure");
1448 
1449  /* Read the current insert position */
1450  SpinLockAcquire(&Insert->insertpos_lck);
1451  bytepos = Insert->CurrBytePos;
1452  SpinLockRelease(&Insert->insertpos_lck);
1453  reservedUpto = XLogBytePosToEndRecPtr(bytepos);
1454 
1455  /*
1456  * No-one should request to flush a piece of WAL that hasn't even been
1457  * reserved yet. However, it can happen if there is a block with a bogus
1458  * LSN on disk, for example. XLogFlush checks for that situation and
1459  * complains, but only after the flush. Here we just assume that to mean
1460  * that all WAL that has been reserved needs to be finished. In this
1461  * corner-case, the return value can be smaller than 'upto' argument.
1462  */
1463  if (upto > reservedUpto)
1464  {
1465  ereport(LOG,
1466  (errmsg("request to flush past end of generated WAL; request %X/%X, current position %X/%X",
1467  LSN_FORMAT_ARGS(upto), LSN_FORMAT_ARGS(reservedUpto))));
1468  upto = reservedUpto;
1469  }
1470 
1471  /*
1472  * Loop through all the locks, sleeping on any in-progress insert older
1473  * than 'upto'.
1474  *
1475  * finishedUpto is our return value, indicating the point upto which all
1476  * the WAL insertions have been finished. Initialize it to the head of
1477  * reserved WAL, and as we iterate through the insertion locks, back it
1478  * out for any insertion that's still in progress.
1479  */
1480  finishedUpto = reservedUpto;
1481  for (i = 0; i < NUM_XLOGINSERT_LOCKS; i++)
1482  {
1483  XLogRecPtr insertingat = InvalidXLogRecPtr;
1484 
1485  do
1486  {
1487  /*
1488  * See if this insertion is in progress. LWLockWaitForVar will
1489  * wait for the lock to be released, or for the 'value' to be set
1490  * by a LWLockUpdateVar call. When a lock is initially acquired,
1491  * its value is 0 (InvalidXLogRecPtr), which means that we don't
1492  * know where it's inserting yet. We will have to wait for it. If
1493  * it's a small insertion, the record will most likely fit on the
1494  * same page and the inserter will release the lock without ever
1495  * calling LWLockUpdateVar. But if it has to sleep, it will
1496  * advertise the insertion point with LWLockUpdateVar before
1497  * sleeping.
1498  */
1499  if (LWLockWaitForVar(&WALInsertLocks[i].l.lock,
1501  insertingat, &insertingat))
1502  {
1503  /* the lock was free, so no insertion in progress */
1504  insertingat = InvalidXLogRecPtr;
1505  break;
1506  }
1507 
1508  /*
1509  * This insertion is still in progress. Have to wait, unless the
1510  * inserter has proceeded past 'upto'.
1511  */
1512  } while (insertingat < upto);
1513 
1514  if (insertingat != InvalidXLogRecPtr && insertingat < finishedUpto)
1515  finishedUpto = insertingat;
1516  }
1517  return finishedUpto;
1518 }
1519 
1520 /*
1521  * Get a pointer to the right location in the WAL buffer containing the
1522  * given XLogRecPtr.
1523  *
1524  * If the page is not initialized yet, it is initialized. That might require
1525  * evicting an old dirty buffer from the buffer cache, which means I/O.
1526  *
1527  * The caller must ensure that the page containing the requested location
1528  * isn't evicted yet, and won't be evicted. The way to ensure that is to
1529  * hold onto a WAL insertion lock with the insertingAt position set to
1530  * something <= ptr. GetXLogBuffer() will update insertingAt if it needs
1531  * to evict an old page from the buffer. (This means that once you call
1532  * GetXLogBuffer() with a given 'ptr', you must not access anything before
1533  * that point anymore, and must not call GetXLogBuffer() with an older 'ptr'
1534  * later, because older buffers might be recycled already)
1535  */
1536 static char *
1538 {
1539  int idx;
1540  XLogRecPtr endptr;
1541  static uint64 cachedPage = 0;
1542  static char *cachedPos = NULL;
1543  XLogRecPtr expectedEndPtr;
1544 
1545  /*
1546  * Fast path for the common case that we need to access again the same
1547  * page as last time.
1548  */
1549  if (ptr / XLOG_BLCKSZ == cachedPage)
1550  {
1551  Assert(((XLogPageHeader) cachedPos)->xlp_magic == XLOG_PAGE_MAGIC);
1552  Assert(((XLogPageHeader) cachedPos)->xlp_pageaddr == ptr - (ptr % XLOG_BLCKSZ));
1553  return cachedPos + ptr % XLOG_BLCKSZ;
1554  }
1555 
1556  /*
1557  * The XLog buffer cache is organized so that a page is always loaded to a
1558  * particular buffer. That way we can easily calculate the buffer a given
1559  * page must be loaded into, from the XLogRecPtr alone.
1560  */
1561  idx = XLogRecPtrToBufIdx(ptr);
1562 
1563  /*
1564  * See what page is loaded in the buffer at the moment. It could be the
1565  * page we're looking for, or something older. It can't be anything newer
1566  * - that would imply the page we're looking for has already been written
1567  * out to disk and evicted, and the caller is responsible for making sure
1568  * that doesn't happen.
1569  *
1570  * However, we don't hold a lock while we read the value. If someone has
1571  * just initialized the page, it's possible that we get a "torn read" of
1572  * the XLogRecPtr if 64-bit fetches are not atomic on this platform. In
1573  * that case we will see a bogus value. That's ok, we'll grab the mapping
1574  * lock (in AdvanceXLInsertBuffer) and retry if we see anything else than
1575  * the page we're looking for. But it means that when we do this unlocked
1576  * read, we might see a value that appears to be ahead of the page we're
1577  * looking for. Don't PANIC on that, until we've verified the value while
1578  * holding the lock.
1579  */
1580  expectedEndPtr = ptr;
1581  expectedEndPtr += XLOG_BLCKSZ - ptr % XLOG_BLCKSZ;
1582 
1583  endptr = XLogCtl->xlblocks[idx];
1584  if (expectedEndPtr != endptr)
1585  {
1586  XLogRecPtr initializedUpto;
1587 
1588  /*
1589  * Before calling AdvanceXLInsertBuffer(), which can block, let others
1590  * know how far we're finished with inserting the record.
1591  *
1592  * NB: If 'ptr' points to just after the page header, advertise a
1593  * position at the beginning of the page rather than 'ptr' itself. If
1594  * there are no other insertions running, someone might try to flush
1595  * up to our advertised location. If we advertised a position after
1596  * the page header, someone might try to flush the page header, even
1597  * though page might actually not be initialized yet. As the first
1598  * inserter on the page, we are effectively responsible for making
1599  * sure that it's initialized, before we let insertingAt to move past
1600  * the page header.
1601  */
1602  if (ptr % XLOG_BLCKSZ == SizeOfXLogShortPHD &&
1603  XLogSegmentOffset(ptr, wal_segment_size) > XLOG_BLCKSZ)
1604  initializedUpto = ptr - SizeOfXLogShortPHD;
1605  else if (ptr % XLOG_BLCKSZ == SizeOfXLogLongPHD &&
1606  XLogSegmentOffset(ptr, wal_segment_size) < XLOG_BLCKSZ)
1607  initializedUpto = ptr - SizeOfXLogLongPHD;
1608  else
1609  initializedUpto = ptr;
1610 
1611  WALInsertLockUpdateInsertingAt(initializedUpto);
1612 
1613  AdvanceXLInsertBuffer(ptr, tli, false);
1614  endptr = XLogCtl->xlblocks[idx];
1615 
1616  if (expectedEndPtr != endptr)
1617  elog(PANIC, "could not find WAL buffer for %X/%X",
1618  LSN_FORMAT_ARGS(ptr));
1619  }
1620  else
1621  {
1622  /*
1623  * Make sure the initialization of the page is visible to us, and
1624  * won't arrive later to overwrite the WAL data we write on the page.
1625  */
1627  }
1628 
1629  /*
1630  * Found the buffer holding this page. Return a pointer to the right
1631  * offset within the page.
1632  */
1633  cachedPage = ptr / XLOG_BLCKSZ;
1634  cachedPos = XLogCtl->pages + idx * (Size) XLOG_BLCKSZ;
1635 
1636  Assert(((XLogPageHeader) cachedPos)->xlp_magic == XLOG_PAGE_MAGIC);
1637  Assert(((XLogPageHeader) cachedPos)->xlp_pageaddr == ptr - (ptr % XLOG_BLCKSZ));
1638 
1639  return cachedPos + ptr % XLOG_BLCKSZ;
1640 }
1641 
1642 /*
1643  * Converts a "usable byte position" to XLogRecPtr. A usable byte position
1644  * is the position starting from the beginning of WAL, excluding all WAL
1645  * page headers.
1646  */
1647 static XLogRecPtr
1648 XLogBytePosToRecPtr(uint64 bytepos)
1649 {
1650  uint64 fullsegs;
1651  uint64 fullpages;
1652  uint64 bytesleft;
1653  uint32 seg_offset;
1654  XLogRecPtr result;
1655 
1656  fullsegs = bytepos / UsableBytesInSegment;
1657  bytesleft = bytepos % UsableBytesInSegment;
1658 
1659  if (bytesleft < XLOG_BLCKSZ - SizeOfXLogLongPHD)
1660  {
1661  /* fits on first page of segment */
1662  seg_offset = bytesleft + SizeOfXLogLongPHD;
1663  }
1664  else
1665  {
1666  /* account for the first page on segment with long header */
1667  seg_offset = XLOG_BLCKSZ;
1668  bytesleft -= XLOG_BLCKSZ - SizeOfXLogLongPHD;
1669 
1670  fullpages = bytesleft / UsableBytesInPage;
1671  bytesleft = bytesleft % UsableBytesInPage;
1672 
1673  seg_offset += fullpages * XLOG_BLCKSZ + bytesleft + SizeOfXLogShortPHD;
1674  }
1675 
1676  XLogSegNoOffsetToRecPtr(fullsegs, seg_offset, wal_segment_size, result);
1677 
1678  return result;
1679 }
1680 
1681 /*
1682  * Like XLogBytePosToRecPtr, but if the position is at a page boundary,
1683  * returns a pointer to the beginning of the page (ie. before page header),
1684  * not to where the first xlog record on that page would go to. This is used
1685  * when converting a pointer to the end of a record.
1686  */
1687 static XLogRecPtr
1688 XLogBytePosToEndRecPtr(uint64 bytepos)
1689 {
1690  uint64 fullsegs;
1691  uint64 fullpages;
1692  uint64 bytesleft;
1693  uint32 seg_offset;
1694  XLogRecPtr result;
1695 
1696  fullsegs = bytepos / UsableBytesInSegment;
1697  bytesleft = bytepos % UsableBytesInSegment;
1698 
1699  if (bytesleft < XLOG_BLCKSZ - SizeOfXLogLongPHD)
1700  {
1701  /* fits on first page of segment */
1702  if (bytesleft == 0)
1703  seg_offset = 0;
1704  else
1705  seg_offset = bytesleft + SizeOfXLogLongPHD;
1706  }
1707  else
1708  {
1709  /* account for the first page on segment with long header */
1710  seg_offset = XLOG_BLCKSZ;
1711  bytesleft -= XLOG_BLCKSZ - SizeOfXLogLongPHD;
1712 
1713  fullpages = bytesleft / UsableBytesInPage;
1714  bytesleft = bytesleft % UsableBytesInPage;
1715 
1716  if (bytesleft == 0)
1717  seg_offset += fullpages * XLOG_BLCKSZ + bytesleft;
1718  else
1719  seg_offset += fullpages * XLOG_BLCKSZ + bytesleft + SizeOfXLogShortPHD;
1720  }
1721 
1722  XLogSegNoOffsetToRecPtr(fullsegs, seg_offset, wal_segment_size, result);
1723 
1724  return result;
1725 }
1726 
1727 /*
1728  * Convert an XLogRecPtr to a "usable byte position".
1729  */
1730 static uint64
1732 {
1733  uint64 fullsegs;
1734  uint32 fullpages;
1735  uint32 offset;
1736  uint64 result;
1737 
1738  XLByteToSeg(ptr, fullsegs, wal_segment_size);
1739 
1740  fullpages = (XLogSegmentOffset(ptr, wal_segment_size)) / XLOG_BLCKSZ;
1741  offset = ptr % XLOG_BLCKSZ;
1742 
1743  if (fullpages == 0)
1744  {
1745  result = fullsegs * UsableBytesInSegment;
1746  if (offset > 0)
1747  {
1748  Assert(offset >= SizeOfXLogLongPHD);
1749  result += offset - SizeOfXLogLongPHD;
1750  }
1751  }
1752  else
1753  {
1754  result = fullsegs * UsableBytesInSegment +
1755  (XLOG_BLCKSZ - SizeOfXLogLongPHD) + /* account for first page */
1756  (fullpages - 1) * UsableBytesInPage; /* full pages */
1757  if (offset > 0)
1758  {
1759  Assert(offset >= SizeOfXLogShortPHD);
1760  result += offset - SizeOfXLogShortPHD;
1761  }
1762  }
1763 
1764  return result;
1765 }
1766 
1767 /*
1768  * Initialize XLOG buffers, writing out old buffers if they still contain
1769  * unwritten data, upto the page containing 'upto'. Or if 'opportunistic' is
1770  * true, initialize as many pages as we can without having to write out
1771  * unwritten data. Any new pages are initialized to zeros, with pages headers
1772  * initialized properly.
1773  */
1774 static void
1775 AdvanceXLInsertBuffer(XLogRecPtr upto, TimeLineID tli, bool opportunistic)
1776 {
1778  int nextidx;
1779  XLogRecPtr OldPageRqstPtr;
1780  XLogwrtRqst WriteRqst;
1781  XLogRecPtr NewPageEndPtr = InvalidXLogRecPtr;
1782  XLogRecPtr NewPageBeginPtr;
1783  XLogPageHeader NewPage;
1784  int npages pg_attribute_unused() = 0;
1785 
1786  LWLockAcquire(WALBufMappingLock, LW_EXCLUSIVE);
1787 
1788  /*
1789  * Now that we have the lock, check if someone initialized the page
1790  * already.
1791  */
1792  while (upto >= XLogCtl->InitializedUpTo || opportunistic)
1793  {
1795 
1796  /*
1797  * Get ending-offset of the buffer page we need to replace (this may
1798  * be zero if the buffer hasn't been used yet). Fall through if it's
1799  * already written out.
1800  */
1801  OldPageRqstPtr = XLogCtl->xlblocks[nextidx];
1802  if (LogwrtResult.Write < OldPageRqstPtr)
1803  {
1804  /*
1805  * Nope, got work to do. If we just want to pre-initialize as much
1806  * as we can without flushing, give up now.
1807  */
1808  if (opportunistic)
1809  break;
1810 
1811  /* Before waiting, get info_lck and update LogwrtResult */
1813  if (XLogCtl->LogwrtRqst.Write < OldPageRqstPtr)
1814  XLogCtl->LogwrtRqst.Write = OldPageRqstPtr;
1817 
1818  /*
1819  * Now that we have an up-to-date LogwrtResult value, see if we
1820  * still need to write it or if someone else already did.
1821  */
1822  if (LogwrtResult.Write < OldPageRqstPtr)
1823  {
1824  /*
1825  * Must acquire write lock. Release WALBufMappingLock first,
1826  * to make sure that all insertions that we need to wait for
1827  * can finish (up to this same position). Otherwise we risk
1828  * deadlock.
1829  */
1830  LWLockRelease(WALBufMappingLock);
1831 
1832  WaitXLogInsertionsToFinish(OldPageRqstPtr);
1833 
1834  LWLockAcquire(WALWriteLock, LW_EXCLUSIVE);
1835 
1837  if (LogwrtResult.Write >= OldPageRqstPtr)
1838  {
1839  /* OK, someone wrote it already */
1840  LWLockRelease(WALWriteLock);
1841  }
1842  else
1843  {
1844  /* Have to write it ourselves */
1845  TRACE_POSTGRESQL_WAL_BUFFER_WRITE_DIRTY_START();
1846  WriteRqst.Write = OldPageRqstPtr;
1847  WriteRqst.Flush = 0;
1848  XLogWrite(WriteRqst, tli, false);
1849  LWLockRelease(WALWriteLock);
1851  TRACE_POSTGRESQL_WAL_BUFFER_WRITE_DIRTY_DONE();
1852  }
1853  /* Re-acquire WALBufMappingLock and retry */
1854  LWLockAcquire(WALBufMappingLock, LW_EXCLUSIVE);
1855  continue;
1856  }
1857  }
1858 
1859  /*
1860  * Now the next buffer slot is free and we can set it up to be the
1861  * next output page.
1862  */
1863  NewPageBeginPtr = XLogCtl->InitializedUpTo;
1864  NewPageEndPtr = NewPageBeginPtr + XLOG_BLCKSZ;
1865 
1866  Assert(XLogRecPtrToBufIdx(NewPageBeginPtr) == nextidx);
1867 
1868  NewPage = (XLogPageHeader) (XLogCtl->pages + nextidx * (Size) XLOG_BLCKSZ);
1869 
1870  /*
1871  * Be sure to re-zero the buffer so that bytes beyond what we've
1872  * written will look like zeroes and not valid XLOG records...
1873  */
1874  MemSet((char *) NewPage, 0, XLOG_BLCKSZ);
1875 
1876  /*
1877  * Fill the new page's header
1878  */
1879  NewPage->xlp_magic = XLOG_PAGE_MAGIC;
1880 
1881  /* NewPage->xlp_info = 0; */ /* done by memset */
1882  NewPage->xlp_tli = tli;
1883  NewPage->xlp_pageaddr = NewPageBeginPtr;
1884 
1885  /* NewPage->xlp_rem_len = 0; */ /* done by memset */
1886 
1887  /*
1888  * If online backup is not in progress, mark the header to indicate
1889  * that WAL records beginning in this page have removable backup
1890  * blocks. This allows the WAL archiver to know whether it is safe to
1891  * compress archived WAL data by transforming full-block records into
1892  * the non-full-block format. It is sufficient to record this at the
1893  * page level because we force a page switch (in fact a segment
1894  * switch) when starting a backup, so the flag will be off before any
1895  * records can be written during the backup. At the end of a backup,
1896  * the last page will be marked as all unsafe when perhaps only part
1897  * is unsafe, but at worst the archiver would miss the opportunity to
1898  * compress a few records.
1899  */
1900  if (Insert->runningBackups == 0)
1901  NewPage->xlp_info |= XLP_BKP_REMOVABLE;
1902 
1903  /*
1904  * If first page of an XLOG segment file, make it a long header.
1905  */
1906  if ((XLogSegmentOffset(NewPage->xlp_pageaddr, wal_segment_size)) == 0)
1907  {
1908  XLogLongPageHeader NewLongPage = (XLogLongPageHeader) NewPage;
1909 
1910  NewLongPage->xlp_sysid = ControlFile->system_identifier;
1911  NewLongPage->xlp_seg_size = wal_segment_size;
1912  NewLongPage->xlp_xlog_blcksz = XLOG_BLCKSZ;
1913  NewPage->xlp_info |= XLP_LONG_HEADER;
1914  }
1915 
1916  /*
1917  * Make sure the initialization of the page becomes visible to others
1918  * before the xlblocks update. GetXLogBuffer() reads xlblocks without
1919  * holding a lock.
1920  */
1921  pg_write_barrier();
1922 
1923  *((volatile XLogRecPtr *) &XLogCtl->xlblocks[nextidx]) = NewPageEndPtr;
1924 
1925  XLogCtl->InitializedUpTo = NewPageEndPtr;
1926 
1927  npages++;
1928  }
1929  LWLockRelease(WALBufMappingLock);
1930 
1931 #ifdef WAL_DEBUG
1932  if (XLOG_DEBUG && npages > 0)
1933  {
1934  elog(DEBUG1, "initialized %d pages, up to %X/%X",
1935  npages, LSN_FORMAT_ARGS(NewPageEndPtr));
1936  }
1937 #endif
1938 }
1939 
1940 /*
1941  * Calculate CheckPointSegments based on max_wal_size_mb and
1942  * checkpoint_completion_target.
1943  */
1944 static void
1946 {
1947  double target;
1948 
1949  /*-------
1950  * Calculate the distance at which to trigger a checkpoint, to avoid
1951  * exceeding max_wal_size_mb. This is based on two assumptions:
1952  *
1953  * a) we keep WAL for only one checkpoint cycle (prior to PG11 we kept
1954  * WAL for two checkpoint cycles to allow us to recover from the
1955  * secondary checkpoint if the first checkpoint failed, though we
1956  * only did this on the primary anyway, not on standby. Keeping just
1957  * one checkpoint simplifies processing and reduces disk space in
1958  * many smaller databases.)
1959  * b) during checkpoint, we consume checkpoint_completion_target *
1960  * number of segments consumed between checkpoints.
1961  *-------
1962  */
1963  target = (double) ConvertToXSegs(max_wal_size_mb, wal_segment_size) /
1965 
1966  /* round down */
1967  CheckPointSegments = (int) target;
1968 
1969  if (CheckPointSegments < 1)
1970  CheckPointSegments = 1;
1971 }
1972 
1973 void
1974 assign_max_wal_size(int newval, void *extra)
1975 {
1978 }
1979 
1980 void
1982 {
1985 }
1986 
1987 /*
1988  * At a checkpoint, how many WAL segments to recycle as preallocated future
1989  * XLOG segments? Returns the highest segment that should be preallocated.
1990  */
1991 static XLogSegNo
1993 {
1994  XLogSegNo minSegNo;
1995  XLogSegNo maxSegNo;
1996  double distance;
1997  XLogSegNo recycleSegNo;
1998 
1999  /*
2000  * Calculate the segment numbers that min_wal_size_mb and max_wal_size_mb
2001  * correspond to. Always recycle enough segments to meet the minimum, and
2002  * remove enough segments to stay below the maximum.
2003  */
2004  minSegNo = lastredoptr / wal_segment_size +
2006  maxSegNo = lastredoptr / wal_segment_size +
2008 
2009  /*
2010  * Between those limits, recycle enough segments to get us through to the
2011  * estimated end of next checkpoint.
2012  *
2013  * To estimate where the next checkpoint will finish, assume that the
2014  * system runs steadily consuming CheckPointDistanceEstimate bytes between
2015  * every checkpoint.
2016  */
2018  /* add 10% for good measure. */
2019  distance *= 1.10;
2020 
2021  recycleSegNo = (XLogSegNo) ceil(((double) lastredoptr + distance) /
2023 
2024  if (recycleSegNo < minSegNo)
2025  recycleSegNo = minSegNo;
2026  if (recycleSegNo > maxSegNo)
2027  recycleSegNo = maxSegNo;
2028 
2029  return recycleSegNo;
2030 }
2031 
2032 /*
2033  * Check whether we've consumed enough xlog space that a checkpoint is needed.
2034  *
2035  * new_segno indicates a log file that has just been filled up (or read
2036  * during recovery). We measure the distance from RedoRecPtr to new_segno
2037  * and see if that exceeds CheckPointSegments.
2038  *
2039  * Note: it is caller's responsibility that RedoRecPtr is up-to-date.
2040  */
2041 bool
2043 {
2044  XLogSegNo old_segno;
2045 
2047 
2048  if (new_segno >= old_segno + (uint64) (CheckPointSegments - 1))
2049  return true;
2050  return false;
2051 }
2052 
2053 /*
2054  * Write and/or fsync the log at least as far as WriteRqst indicates.
2055  *
2056  * If flexible == true, we don't have to write as far as WriteRqst, but
2057  * may stop at any convenient boundary (such as a cache or logfile boundary).
2058  * This option allows us to avoid uselessly issuing multiple writes when a
2059  * single one would do.
2060  *
2061  * Must be called with WALWriteLock held. WaitXLogInsertionsToFinish(WriteRqst)
2062  * must be called before grabbing the lock, to make sure the data is ready to
2063  * write.
2064  */
2065 static void
2066 XLogWrite(XLogwrtRqst WriteRqst, TimeLineID tli, bool flexible)
2067 {
2068  bool ispartialpage;
2069  bool last_iteration;
2070  bool finishing_seg;
2071  int curridx;
2072  int npages;
2073  int startidx;
2074  uint32 startoffset;
2075 
2076  /* We should always be inside a critical section here */
2077  Assert(CritSectionCount > 0);
2078 
2079  /*
2080  * Update local LogwrtResult (caller probably did this already, but...)
2081  */
2083 
2084  /*
2085  * Since successive pages in the xlog cache are consecutively allocated,
2086  * we can usually gather multiple pages together and issue just one
2087  * write() call. npages is the number of pages we have determined can be
2088  * written together; startidx is the cache block index of the first one,
2089  * and startoffset is the file offset at which it should go. The latter
2090  * two variables are only valid when npages > 0, but we must initialize
2091  * all of them to keep the compiler quiet.
2092  */
2093  npages = 0;
2094  startidx = 0;
2095  startoffset = 0;
2096 
2097  /*
2098  * Within the loop, curridx is the cache block index of the page to
2099  * consider writing. Begin at the buffer containing the next unwritten
2100  * page, or last partially written page.
2101  */
2103 
2104  while (LogwrtResult.Write < WriteRqst.Write)
2105  {
2106  /*
2107  * Make sure we're not ahead of the insert process. This could happen
2108  * if we're passed a bogus WriteRqst.Write that is past the end of the
2109  * last page that's been initialized by AdvanceXLInsertBuffer.
2110  */
2111  XLogRecPtr EndPtr = XLogCtl->xlblocks[curridx];
2112 
2113  if (LogwrtResult.Write >= EndPtr)
2114  elog(PANIC, "xlog write request %X/%X is past end of log %X/%X",
2116  LSN_FORMAT_ARGS(EndPtr));
2117 
2118  /* Advance LogwrtResult.Write to end of current buffer page */
2119  LogwrtResult.Write = EndPtr;
2120  ispartialpage = WriteRqst.Write < LogwrtResult.Write;
2121 
2124  {
2125  /*
2126  * Switch to new logfile segment. We cannot have any pending
2127  * pages here (since we dump what we have at segment end).
2128  */
2129  Assert(npages == 0);
2130  if (openLogFile >= 0)
2131  XLogFileClose();
2134  openLogTLI = tli;
2135 
2136  /* create/use new log file */
2139  }
2140 
2141  /* Make sure we have the current logfile open */
2142  if (openLogFile < 0)
2143  {
2146  openLogTLI = tli;
2149  }
2150 
2151  /* Add current page to the set of pending pages-to-dump */
2152  if (npages == 0)
2153  {
2154  /* first of group */
2155  startidx = curridx;
2156  startoffset = XLogSegmentOffset(LogwrtResult.Write - XLOG_BLCKSZ,
2158  }
2159  npages++;
2160 
2161  /*
2162  * Dump the set if this will be the last loop iteration, or if we are
2163  * at the last page of the cache area (since the next page won't be
2164  * contiguous in memory), or if we are at the end of the logfile
2165  * segment.
2166  */
2167  last_iteration = WriteRqst.Write <= LogwrtResult.Write;
2168 
2169  finishing_seg = !ispartialpage &&
2170  (startoffset + npages * XLOG_BLCKSZ) >= wal_segment_size;
2171 
2172  if (last_iteration ||
2173  curridx == XLogCtl->XLogCacheBlck ||
2174  finishing_seg)
2175  {
2176  char *from;
2177  Size nbytes;
2178  Size nleft;
2179  int written;
2180  instr_time start;
2181 
2182  /* OK to write the page(s) */
2183  from = XLogCtl->pages + startidx * (Size) XLOG_BLCKSZ;
2184  nbytes = npages * (Size) XLOG_BLCKSZ;
2185  nleft = nbytes;
2186  do
2187  {
2188  errno = 0;
2189 
2190  /* Measure I/O timing to write WAL data */
2191  if (track_wal_io_timing)
2192  INSTR_TIME_SET_CURRENT(start);
2193  else
2194  INSTR_TIME_SET_ZERO(start);
2195 
2197  written = pg_pwrite(openLogFile, from, nleft, startoffset);
2199 
2200  /*
2201  * Increment the I/O timing and the number of times WAL data
2202  * were written out to disk.
2203  */
2204  if (track_wal_io_timing)
2205  {
2207 
2209  INSTR_TIME_SUBTRACT(duration, start);
2211  }
2212 
2214 
2215  if (written <= 0)
2216  {
2217  char xlogfname[MAXFNAMELEN];
2218  int save_errno;
2219 
2220  if (errno == EINTR)
2221  continue;
2222 
2223  save_errno = errno;
2224  XLogFileName(xlogfname, tli, openLogSegNo,
2226  errno = save_errno;
2227  ereport(PANIC,
2229  errmsg("could not write to log file %s "
2230  "at offset %u, length %zu: %m",
2231  xlogfname, startoffset, nleft)));
2232  }
2233  nleft -= written;
2234  from += written;
2235  startoffset += written;
2236  } while (nleft > 0);
2237 
2238  npages = 0;
2239 
2240  /*
2241  * If we just wrote the whole last page of a logfile segment,
2242  * fsync the segment immediately. This avoids having to go back
2243  * and re-open prior segments when an fsync request comes along
2244  * later. Doing it here ensures that one and only one backend will
2245  * perform this fsync.
2246  *
2247  * This is also the right place to notify the Archiver that the
2248  * segment is ready to copy to archival storage, and to update the
2249  * timer for archive_timeout, and to signal for a checkpoint if
2250  * too many logfile segments have been used since the last
2251  * checkpoint.
2252  */
2253  if (finishing_seg)
2254  {
2256 
2257  /* signal that we need to wakeup walsenders later */
2259 
2260  LogwrtResult.Flush = LogwrtResult.Write; /* end of page */
2261 
2262  if (XLogArchivingActive())
2264 
2265  XLogCtl->lastSegSwitchTime = (pg_time_t) time(NULL);
2267 
2268  /*
2269  * Request a checkpoint if we've consumed too much xlog since
2270  * the last one. For speed, we first check using the local
2271  * copy of RedoRecPtr, which might be out of date; if it looks
2272  * like a checkpoint is needed, forcibly update RedoRecPtr and
2273  * recheck.
2274  */
2276  {
2277  (void) GetRedoRecPtr();
2280  }
2281  }
2282  }
2283 
2284  if (ispartialpage)
2285  {
2286  /* Only asked to write a partial page */
2287  LogwrtResult.Write = WriteRqst.Write;
2288  break;
2289  }
2290  curridx = NextBufIdx(curridx);
2291 
2292  /* If flexible, break out of loop as soon as we wrote something */
2293  if (flexible && npages == 0)
2294  break;
2295  }
2296 
2297  Assert(npages == 0);
2298 
2299  /*
2300  * If asked to flush, do so
2301  */
2302  if (LogwrtResult.Flush < WriteRqst.Flush &&
2304  {
2305  /*
2306  * Could get here without iterating above loop, in which case we might
2307  * have no open file or the wrong one. However, we do not need to
2308  * fsync more than one file.
2309  */
2310  if (sync_method != SYNC_METHOD_OPEN &&
2312  {
2313  if (openLogFile >= 0 &&
2316  XLogFileClose();
2317  if (openLogFile < 0)
2318  {
2321  openLogTLI = tli;
2324  }
2325 
2327  }
2328 
2329  /* signal that we need to wakeup walsenders later */
2331 
2333  }
2334 
2335  /*
2336  * Update shared-memory status
2337  *
2338  * We make sure that the shared 'request' values do not fall behind the
2339  * 'result' values. This is not absolutely essential, but it saves some
2340  * code in a couple of places.
2341  */
2342  {
2350  }
2351 }
2352 
2353 /*
2354  * Record the LSN for an asynchronous transaction commit/abort
2355  * and nudge the WALWriter if there is work for it to do.
2356  * (This should not be called for synchronous commits.)
2357  */
2358 void
2360 {
2361  XLogRecPtr WriteRqstPtr = asyncXactLSN;
2362  bool sleeping;
2363 
2366  sleeping = XLogCtl->WalWriterSleeping;
2367  if (XLogCtl->asyncXactLSN < asyncXactLSN)
2368  XLogCtl->asyncXactLSN = asyncXactLSN;
2370 
2371  /*
2372  * If the WALWriter is sleeping, we should kick it to make it come out of
2373  * low-power mode. Otherwise, determine whether there's a full page of
2374  * WAL available to write.
2375  */
2376  if (!sleeping)
2377  {
2378  /* back off to last completed page boundary */
2379  WriteRqstPtr -= WriteRqstPtr % XLOG_BLCKSZ;
2380 
2381  /* if we have already flushed that far, we're done */
2382  if (WriteRqstPtr <= LogwrtResult.Flush)
2383  return;
2384  }
2385 
2386  /*
2387  * Nudge the WALWriter: it has a full page of WAL to write, or we want it
2388  * to come out of low-power mode so that this async commit will reach disk
2389  * within the expected amount of time.
2390  */
2393 }
2394 
2395 /*
2396  * Record the LSN up to which we can remove WAL because it's not required by
2397  * any replication slot.
2398  */
2399 void
2401 {
2405 }
2406 
2407 
2408 /*
2409  * Return the oldest LSN we must retain to satisfy the needs of some
2410  * replication slot.
2411  */
2412 static XLogRecPtr
2414 {
2415  XLogRecPtr retval;
2416 
2418  retval = XLogCtl->replicationSlotMinLSN;
2420 
2421  return retval;
2422 }
2423 
2424 /*
2425  * Advance minRecoveryPoint in control file.
2426  *
2427  * If we crash during recovery, we must reach this point again before the
2428  * database is consistent.
2429  *
2430  * If 'force' is true, 'lsn' argument is ignored. Otherwise, minRecoveryPoint
2431  * is only updated if it's not already greater than or equal to 'lsn'.
2432  */
2433 static void
2435 {
2436  /* Quick check using our local copy of the variable */
2437  if (!updateMinRecoveryPoint || (!force && lsn <= LocalMinRecoveryPoint))
2438  return;
2439 
2440  /*
2441  * An invalid minRecoveryPoint means that we need to recover all the WAL,
2442  * i.e., we're doing crash recovery. We never modify the control file's
2443  * value in that case, so we can short-circuit future checks here too. The
2444  * local values of minRecoveryPoint and minRecoveryPointTLI should not be
2445  * updated until crash recovery finishes. We only do this for the startup
2446  * process as it should not update its own reference of minRecoveryPoint
2447  * until it has finished crash recovery to make sure that all WAL
2448  * available is replayed in this case. This also saves from extra locks
2449  * taken on the control file from the startup process.
2450  */
2452  {
2453  updateMinRecoveryPoint = false;
2454  return;
2455  }
2456 
2457  LWLockAcquire(ControlFileLock, LW_EXCLUSIVE);
2458 
2459  /* update local copy */
2462 
2464  updateMinRecoveryPoint = false;
2465  else if (force || LocalMinRecoveryPoint < lsn)
2466  {
2467  XLogRecPtr newMinRecoveryPoint;
2468  TimeLineID newMinRecoveryPointTLI;
2469 
2470  /*
2471  * To avoid having to update the control file too often, we update it
2472  * all the way to the last record being replayed, even though 'lsn'
2473  * would suffice for correctness. This also allows the 'force' case
2474  * to not need a valid 'lsn' value.
2475  *
2476  * Another important reason for doing it this way is that the passed
2477  * 'lsn' value could be bogus, i.e., past the end of available WAL, if
2478  * the caller got it from a corrupted heap page. Accepting such a
2479  * value as the min recovery point would prevent us from coming up at
2480  * all. Instead, we just log a warning and continue with recovery.
2481  * (See also the comments about corrupt LSNs in XLogFlush.)
2482  */
2483  newMinRecoveryPoint = GetCurrentReplayRecPtr(&newMinRecoveryPointTLI);
2484  if (!force && newMinRecoveryPoint < lsn)
2485  elog(WARNING,
2486  "xlog min recovery request %X/%X is past current point %X/%X",
2487  LSN_FORMAT_ARGS(lsn), LSN_FORMAT_ARGS(newMinRecoveryPoint));
2488 
2489  /* update control file */
2490  if (ControlFile->minRecoveryPoint < newMinRecoveryPoint)
2491  {
2492  ControlFile->minRecoveryPoint = newMinRecoveryPoint;
2493  ControlFile->minRecoveryPointTLI = newMinRecoveryPointTLI;
2495  LocalMinRecoveryPoint = newMinRecoveryPoint;
2496  LocalMinRecoveryPointTLI = newMinRecoveryPointTLI;
2497 
2498  ereport(DEBUG2,
2499  (errmsg_internal("updated min recovery point to %X/%X on timeline %u",
2500  LSN_FORMAT_ARGS(newMinRecoveryPoint),
2501  newMinRecoveryPointTLI)));
2502  }
2503  }
2504  LWLockRelease(ControlFileLock);
2505 }
2506 
2507 /*
2508  * Ensure that all XLOG data through the given position is flushed to disk.
2509  *
2510  * NOTE: this differs from XLogWrite mainly in that the WALWriteLock is not
2511  * already held, and we try to avoid acquiring it if possible.
2512  */
2513 void
2515 {
2516  XLogRecPtr WriteRqstPtr;
2517  XLogwrtRqst WriteRqst;
2518  TimeLineID insertTLI = XLogCtl->InsertTimeLineID;
2519 
2520  /*
2521  * During REDO, we are reading not writing WAL. Therefore, instead of
2522  * trying to flush the WAL, we should update minRecoveryPoint instead. We
2523  * test XLogInsertAllowed(), not InRecovery, because we need checkpointer
2524  * to act this way too, and because when it tries to write the
2525  * end-of-recovery checkpoint, it should indeed flush.
2526  */
2527  if (!XLogInsertAllowed())
2528  {
2529  UpdateMinRecoveryPoint(record, false);
2530  return;
2531  }
2532 
2533  /* Quick exit if already known flushed */
2534  if (record <= LogwrtResult.Flush)
2535  return;
2536 
2537 #ifdef WAL_DEBUG
2538  if (XLOG_DEBUG)
2539  elog(LOG, "xlog flush request %X/%X; write %X/%X; flush %X/%X",
2540  LSN_FORMAT_ARGS(record),
2543 #endif
2544 
2546 
2547  /*
2548  * Since fsync is usually a horribly expensive operation, we try to
2549  * piggyback as much data as we can on each fsync: if we see any more data
2550  * entered into the xlog buffer, we'll write and fsync that too, so that
2551  * the final value of LogwrtResult.Flush is as large as possible. This
2552  * gives us some chance of avoiding another fsync immediately after.
2553  */
2554 
2555  /* initialize to given target; may increase below */
2556  WriteRqstPtr = record;
2557 
2558  /*
2559  * Now wait until we get the write lock, or someone else does the flush
2560  * for us.
2561  */
2562  for (;;)
2563  {
2564  XLogRecPtr insertpos;
2565 
2566  /* read LogwrtResult and update local state */
2568  if (WriteRqstPtr < XLogCtl->LogwrtRqst.Write)
2569  WriteRqstPtr = XLogCtl->LogwrtRqst.Write;
2572 
2573  /* done already? */
2574  if (record <= LogwrtResult.Flush)
2575  break;
2576 
2577  /*
2578  * Before actually performing the write, wait for all in-flight
2579  * insertions to the pages we're about to write to finish.
2580  */
2581  insertpos = WaitXLogInsertionsToFinish(WriteRqstPtr);
2582 
2583  /*
2584  * Try to get the write lock. If we can't get it immediately, wait
2585  * until it's released, and recheck if we still need to do the flush
2586  * or if the backend that held the lock did it for us already. This
2587  * helps to maintain a good rate of group committing when the system
2588  * is bottlenecked by the speed of fsyncing.
2589  */
2590  if (!LWLockAcquireOrWait(WALWriteLock, LW_EXCLUSIVE))
2591  {
2592  /*
2593  * The lock is now free, but we didn't acquire it yet. Before we
2594  * do, loop back to check if someone else flushed the record for
2595  * us already.
2596  */
2597  continue;
2598  }
2599 
2600  /* Got the lock; recheck whether request is satisfied */
2602  if (record <= LogwrtResult.Flush)
2603  {
2604  LWLockRelease(WALWriteLock);
2605  break;
2606  }
2607 
2608  /*
2609  * Sleep before flush! By adding a delay here, we may give further
2610  * backends the opportunity to join the backlog of group commit
2611  * followers; this can significantly improve transaction throughput,
2612  * at the risk of increasing transaction latency.
2613  *
2614  * We do not sleep if enableFsync is not turned on, nor if there are
2615  * fewer than CommitSiblings other backends with active transactions.
2616  */
2617  if (CommitDelay > 0 && enableFsync &&
2619  {
2621 
2622  /*
2623  * Re-check how far we can now flush the WAL. It's generally not
2624  * safe to call WaitXLogInsertionsToFinish while holding
2625  * WALWriteLock, because an in-progress insertion might need to
2626  * also grab WALWriteLock to make progress. But we know that all
2627  * the insertions up to insertpos have already finished, because
2628  * that's what the earlier WaitXLogInsertionsToFinish() returned.
2629  * We're only calling it again to allow insertpos to be moved
2630  * further forward, not to actually wait for anyone.
2631  */
2632  insertpos = WaitXLogInsertionsToFinish(insertpos);
2633  }
2634 
2635  /* try to write/flush later additions to XLOG as well */
2636  WriteRqst.Write = insertpos;
2637  WriteRqst.Flush = insertpos;
2638 
2639  XLogWrite(WriteRqst, insertTLI, false);
2640 
2641  LWLockRelease(WALWriteLock);
2642  /* done */
2643  break;
2644  }
2645 
2646  END_CRIT_SECTION();
2647 
2648  /* wake up walsenders now that we've released heavily contended locks */
2650 
2651  /*
2652  * If we still haven't flushed to the request point then we have a
2653  * problem; most likely, the requested flush point is past end of XLOG.
2654  * This has been seen to occur when a disk page has a corrupted LSN.
2655  *
2656  * Formerly we treated this as a PANIC condition, but that hurts the
2657  * system's robustness rather than helping it: we do not want to take down
2658  * the whole system due to corruption on one data page. In particular, if
2659  * the bad page is encountered again during recovery then we would be
2660  * unable to restart the database at all! (This scenario actually
2661  * happened in the field several times with 7.1 releases.) As of 8.4, bad
2662  * LSNs encountered during recovery are UpdateMinRecoveryPoint's problem;
2663  * the only time we can reach here during recovery is while flushing the
2664  * end-of-recovery checkpoint record, and we don't expect that to have a
2665  * bad LSN.
2666  *
2667  * Note that for calls from xact.c, the ERROR will be promoted to PANIC
2668  * since xact.c calls this routine inside a critical section. However,
2669  * calls from bufmgr.c are not within critical sections and so we will not
2670  * force a restart for a bad LSN on a data page.
2671  */
2672  if (LogwrtResult.Flush < record)
2673  elog(ERROR,
2674  "xlog flush request %X/%X is not satisfied --- flushed only to %X/%X",
2675  LSN_FORMAT_ARGS(record),
2677 }
2678 
2679 /*
2680  * Write & flush xlog, but without specifying exactly where to.
2681  *
2682  * We normally write only completed blocks; but if there is nothing to do on
2683  * that basis, we check for unwritten async commits in the current incomplete
2684  * block, and write through the latest one of those. Thus, if async commits
2685  * are not being used, we will write complete blocks only.
2686  *
2687  * If, based on the above, there's anything to write we do so immediately. But
2688  * to avoid calling fsync, fdatasync et. al. at a rate that'd impact
2689  * concurrent IO, we only flush WAL every wal_writer_delay ms, or if there's
2690  * more than wal_writer_flush_after unflushed blocks.
2691  *
2692  * We can guarantee that async commits reach disk after at most three
2693  * wal_writer_delay cycles. (When flushing complete blocks, we allow XLogWrite
2694  * to write "flexibly", meaning it can stop at the end of the buffer ring;
2695  * this makes a difference only with very high load or long wal_writer_delay,
2696  * but imposes one extra cycle for the worst case for async commits.)
2697  *
2698  * This routine is invoked periodically by the background walwriter process.
2699  *
2700  * Returns true if there was any work to do, even if we skipped flushing due
2701  * to wal_writer_delay/wal_writer_flush_after.
2702  */
2703 bool
2705 {
2706  XLogwrtRqst WriteRqst;
2707  bool flexible = true;
2708  static TimestampTz lastflush;
2709  TimestampTz now;
2710  int flushbytes;
2711  TimeLineID insertTLI;
2712 
2713  /* XLOG doesn't need flushing during recovery */
2714  if (RecoveryInProgress())
2715  return false;
2716 
2717  /*
2718  * Since we're not in recovery, InsertTimeLineID is set and can't change,
2719  * so we can read it without a lock.
2720  */
2721  insertTLI = XLogCtl->InsertTimeLineID;
2722 
2723  /* read LogwrtResult and update local state */
2726  WriteRqst = XLogCtl->LogwrtRqst;
2728 
2729  /* back off to last completed page boundary */
2730  WriteRqst.Write -= WriteRqst.Write % XLOG_BLCKSZ;
2731 
2732  /* if we have already flushed that far, consider async commit records */
2733  if (WriteRqst.Write <= LogwrtResult.Flush)
2734  {
2736  WriteRqst.Write = XLogCtl->asyncXactLSN;
2738  flexible = false; /* ensure it all gets written */
2739  }
2740 
2741  /*
2742  * If already known flushed, we're done. Just need to check if we are
2743  * holding an open file handle to a logfile that's no longer in use,
2744  * preventing the file from being deleted.
2745  */
2746  if (WriteRqst.Write <= LogwrtResult.Flush)
2747  {
2748  if (openLogFile >= 0)
2749  {
2752  {
2753  XLogFileClose();
2754  }
2755  }
2756  return false;
2757  }
2758 
2759  /*
2760  * Determine how far to flush WAL, based on the wal_writer_delay and
2761  * wal_writer_flush_after GUCs.
2762  */
2764  flushbytes =
2765  WriteRqst.Write / XLOG_BLCKSZ - LogwrtResult.Flush / XLOG_BLCKSZ;
2766 
2767  if (WalWriterFlushAfter == 0 || lastflush == 0)
2768  {
2769  /* first call, or block based limits disabled */
2770  WriteRqst.Flush = WriteRqst.Write;
2771  lastflush = now;
2772  }
2773  else if (TimestampDifferenceExceeds(lastflush, now, WalWriterDelay))
2774  {
2775  /*
2776  * Flush the writes at least every WalWriterDelay ms. This is
2777  * important to bound the amount of time it takes for an asynchronous
2778  * commit to hit disk.
2779  */
2780  WriteRqst.Flush = WriteRqst.Write;
2781  lastflush = now;
2782  }
2783  else if (flushbytes >= WalWriterFlushAfter)
2784  {
2785  /* exceeded wal_writer_flush_after blocks, flush */
2786  WriteRqst.Flush = WriteRqst.Write;
2787  lastflush = now;
2788  }
2789  else
2790  {
2791  /* no flushing, this time round */
2792  WriteRqst.Flush = 0;
2793  }
2794 
2795 #ifdef WAL_DEBUG
2796  if (XLOG_DEBUG)
2797  elog(LOG, "xlog bg flush request write %X/%X; flush: %X/%X, current is write %X/%X; flush %X/%X",
2798  LSN_FORMAT_ARGS(WriteRqst.Write),
2799  LSN_FORMAT_ARGS(WriteRqst.Flush),
2802 #endif
2803 
2805 
2806  /* now wait for any in-progress insertions to finish and get write lock */
2807  WaitXLogInsertionsToFinish(WriteRqst.Write);
2808  LWLockAcquire(WALWriteLock, LW_EXCLUSIVE);
2810  if (WriteRqst.Write > LogwrtResult.Write ||
2811  WriteRqst.Flush > LogwrtResult.Flush)
2812  {
2813  XLogWrite(WriteRqst, insertTLI, flexible);
2814  }
2815  LWLockRelease(WALWriteLock);
2816 
2817  END_CRIT_SECTION();
2818 
2819  /* wake up walsenders now that we've released heavily contended locks */
2821 
2822  /*
2823  * Great, done. To take some work off the critical path, try to initialize
2824  * as many of the no-longer-needed WAL buffers for future use as we can.
2825  */
2826  AdvanceXLInsertBuffer(InvalidXLogRecPtr, insertTLI, true);
2827 
2828  /*
2829  * If we determined that we need to write data, but somebody else
2830  * wrote/flushed already, it should be considered as being active, to
2831  * avoid hibernating too early.
2832  */
2833  return true;
2834 }
2835 
2836 /*
2837  * Test whether XLOG data has been flushed up to (at least) the given position.
2838  *
2839  * Returns true if a flush is still needed. (It may be that someone else
2840  * is already in process of flushing that far, however.)
2841  */
2842 bool
2844 {
2845  /*
2846  * During recovery, we don't flush WAL but update minRecoveryPoint
2847  * instead. So "needs flush" is taken to mean whether minRecoveryPoint
2848  * would need to be updated.
2849  */
2850  if (RecoveryInProgress())
2851  {
2852  /*
2853  * An invalid minRecoveryPoint means that we need to recover all the
2854  * WAL, i.e., we're doing crash recovery. We never modify the control
2855  * file's value in that case, so we can short-circuit future checks
2856  * here too. This triggers a quick exit path for the startup process,
2857  * which cannot update its local copy of minRecoveryPoint as long as
2858  * it has not replayed all WAL available when doing crash recovery.
2859  */
2861  updateMinRecoveryPoint = false;
2862 
2863  /* Quick exit if already known to be updated or cannot be updated */
2865  return false;
2866 
2867  /*
2868  * Update local copy of minRecoveryPoint. But if the lock is busy,
2869  * just return a conservative guess.
2870  */
2871  if (!LWLockConditionalAcquire(ControlFileLock, LW_SHARED))
2872  return true;
2875  LWLockRelease(ControlFileLock);
2876 
2877  /*
2878  * Check minRecoveryPoint for any other process than the startup
2879  * process doing crash recovery, which should not update the control
2880  * file value if crash recovery is still running.
2881  */
2883  updateMinRecoveryPoint = false;
2884 
2885  /* check again */
2887  return false;
2888  else
2889  return true;
2890  }
2891 
2892  /* Quick exit if already known flushed */
2893  if (record <= LogwrtResult.Flush)
2894  return false;
2895 
2896  /* read LogwrtResult and update local state */
2900 
2901  /* check again */
2902  if (record <= LogwrtResult.Flush)
2903  return false;
2904 
2905  return true;
2906 }
2907 
2908 /*
2909  * Try to make a given XLOG file segment exist.
2910  *
2911  * logsegno: identify segment.
2912  *
2913  * *added: on return, true if this call raised the number of extant segments.
2914  *
2915  * path: on return, this char[MAXPGPATH] has the path to the logsegno file.
2916  *
2917  * Returns -1 or FD of opened file. A -1 here is not an error; a caller
2918  * wanting an open segment should attempt to open "path", which usually will
2919  * succeed. (This is weird, but it's efficient for the callers.)
2920  */
2921 static int
2923  bool *added, char *path)
2924 {
2925  char tmppath[MAXPGPATH];
2926  XLogSegNo installed_segno;
2927  XLogSegNo max_segno;
2928  int fd;
2929  int save_errno;
2930 
2931  Assert(logtli != 0);
2932 
2933  XLogFilePath(path, logtli, logsegno, wal_segment_size);
2934 
2935  /*
2936  * Try to use existent file (checkpoint maker may have created it already)
2937  */
2938  *added = false;
2939  fd = BasicOpenFile(path, O_RDWR | PG_BINARY | get_sync_bit(sync_method));
2940  if (fd < 0)
2941  {
2942  if (errno != ENOENT)
2943  ereport(ERROR,
2945  errmsg("could not open file \"%s\": %m", path)));
2946  }
2947  else
2948  return fd;
2949 
2950  /*
2951  * Initialize an empty (all zeroes) segment. NOTE: it is possible that
2952  * another process is doing the same thing. If so, we will end up
2953  * pre-creating an extra log segment. That seems OK, and better than
2954  * holding the lock throughout this lengthy process.
2955  */
2956  elog(DEBUG2, "creating and filling new WAL file");
2957 
2958  snprintf(tmppath, MAXPGPATH, XLOGDIR "/xlogtemp.%d", (int) getpid());
2959 
2960  unlink(tmppath);
2961 
2962  /* do not use get_sync_bit() here --- want to fsync only at end of fill */
2963  fd = BasicOpenFile(tmppath, O_RDWR | O_CREAT | O_EXCL | PG_BINARY);
2964  if (fd < 0)
2965  ereport(ERROR,
2967  errmsg("could not create file \"%s\": %m", tmppath)));
2968 
2970  save_errno = 0;
2971  if (wal_init_zero)
2972  {
2973  ssize_t rc;
2974 
2975  /*
2976  * Zero-fill the file. With this setting, we do this the hard way to
2977  * ensure that all the file space has really been allocated. On
2978  * platforms that allow "holes" in files, just seeking to the end
2979  * doesn't allocate intermediate space. This way, we know that we
2980  * have all the space and (after the fsync below) that all the
2981  * indirect blocks are down on disk. Therefore, fdatasync(2) or
2982  * O_DSYNC will be sufficient to sync future writes to the log file.
2983  */
2985 
2986  if (rc < 0)
2987  save_errno = errno;
2988  }
2989  else
2990  {
2991  /*
2992  * Otherwise, seeking to the end and writing a solitary byte is
2993  * enough.
2994  */
2995  errno = 0;
2996  if (pg_pwrite(fd, "\0", 1, wal_segment_size - 1) != 1)
2997  {
2998  /* if write didn't set errno, assume no disk space */
2999  save_errno = errno ? errno : ENOSPC;
3000  }
3001  }
3003 
3004  if (save_errno)
3005  {
3006  /*
3007  * If we fail to make the file, delete it to release disk space
3008  */
3009  unlink(tmppath);
3010 
3011  close(fd);
3012 
3013  errno = save_errno;
3014 
3015  ereport(ERROR,
3017  errmsg("could not write to file \"%s\": %m", tmppath)));
3018  }
3019 
3021  if (pg_fsync(fd) != 0)
3022  {
3023  save_errno = errno;
3024  close(fd);
3025  errno = save_errno;
3026  ereport(ERROR,
3028  errmsg("could not fsync file \"%s\": %m", tmppath)));
3029  }
3031 
3032  if (close(fd) != 0)
3033  ereport(ERROR,
3035  errmsg("could not close file \"%s\": %m", tmppath)));
3036 
3037  /*
3038  * Now move the segment into place with its final name. Cope with
3039  * possibility that someone else has created the file while we were
3040  * filling ours: if so, use ours to pre-create a future log segment.
3041  */
3042  installed_segno = logsegno;
3043 
3044  /*
3045  * XXX: What should we use as max_segno? We used to use XLOGfileslop when
3046  * that was a constant, but that was always a bit dubious: normally, at a
3047  * checkpoint, XLOGfileslop was the offset from the checkpoint record, but
3048  * here, it was the offset from the insert location. We can't do the
3049  * normal XLOGfileslop calculation here because we don't have access to
3050  * the prior checkpoint's redo location. So somewhat arbitrarily, just use
3051  * CheckPointSegments.
3052  */
3053  max_segno = logsegno + CheckPointSegments;
3054  if (InstallXLogFileSegment(&installed_segno, tmppath, true, max_segno,
3055  logtli))
3056  {
3057  *added = true;
3058  elog(DEBUG2, "done creating and filling new WAL file");
3059  }
3060  else
3061  {
3062  /*
3063  * No need for any more future segments, or InstallXLogFileSegment()
3064  * failed to rename the file into place. If the rename failed, a
3065  * caller opening the file may fail.
3066  */
3067  unlink(tmppath);
3068  elog(DEBUG2, "abandoned new WAL file");
3069  }
3070 
3071  return -1;
3072 }
3073 
3074 /*
3075  * Create a new XLOG file segment, or open a pre-existing one.
3076  *
3077  * logsegno: identify segment to be created/opened.
3078  *
3079  * Returns FD of opened file.
3080  *
3081  * Note: errors here are ERROR not PANIC because we might or might not be
3082  * inside a critical section (eg, during checkpoint there is no reason to
3083  * take down the system on failure). They will promote to PANIC if we are
3084  * in a critical section.
3085  */
3086 int
3088 {
3089  bool ignore_added;
3090  char path[MAXPGPATH];
3091  int fd;
3092 
3093  Assert(logtli != 0);
3094 
3095  fd = XLogFileInitInternal(logsegno, logtli, &ignore_added, path);
3096  if (fd >= 0)
3097  return fd;
3098 
3099  /* Now open original target segment (might not be file I just made) */
3100  fd = BasicOpenFile(path, O_RDWR | PG_BINARY | get_sync_bit(sync_method));
3101  if (fd < 0)
3102  ereport(ERROR,
3104  errmsg("could not open file \"%s\": %m", path)));
3105  return fd;
3106 }
3107 
3108 /*
3109  * Create a new XLOG file segment by copying a pre-existing one.
3110  *
3111  * destsegno: identify segment to be created.
3112  *
3113  * srcTLI, srcsegno: identify segment to be copied (could be from
3114  * a different timeline)
3115  *
3116  * upto: how much of the source file to copy (the rest is filled with
3117  * zeros)
3118  *
3119  * Currently this is only used during recovery, and so there are no locking
3120  * considerations. But we should be just as tense as XLogFileInit to avoid
3121  * emplacing a bogus file.
3122  */
3123 static void
3124 XLogFileCopy(TimeLineID destTLI, XLogSegNo destsegno,
3125  TimeLineID srcTLI, XLogSegNo srcsegno,
3126  int upto)
3127 {
3128  char path[MAXPGPATH];
3129  char tmppath[MAXPGPATH];
3130  PGAlignedXLogBlock buffer;
3131  int srcfd;
3132  int fd;
3133  int nbytes;
3134 
3135  /*
3136  * Open the source file
3137  */
3138  XLogFilePath(path, srcTLI, srcsegno, wal_segment_size);
3139  srcfd = OpenTransientFile(path, O_RDONLY | PG_BINARY);
3140  if (srcfd < 0)
3141  ereport(ERROR,
3143  errmsg("could not open file \"%s\": %m", path)));
3144 
3145  /*
3146  * Copy into a temp file name.
3147  */
3148  snprintf(tmppath, MAXPGPATH, XLOGDIR "/xlogtemp.%d", (int) getpid());
3149 
3150  unlink(tmppath);
3151 
3152  /* do not use get_sync_bit() here --- want to fsync only at end of fill */
3153  fd = OpenTransientFile(tmppath, O_RDWR | O_CREAT | O_EXCL | PG_BINARY);
3154  if (fd < 0)
3155  ereport(ERROR,
3157  errmsg("could not create file \"%s\": %m", tmppath)));
3158 
3159  /*
3160  * Do the data copying.
3161  */
3162  for (nbytes = 0; nbytes < wal_segment_size; nbytes += sizeof(buffer))
3163  {
3164  int nread;
3165 
3166  nread = upto - nbytes;
3167 
3168  /*
3169  * The part that is not read from the source file is filled with
3170  * zeros.
3171  */
3172  if (nread < sizeof(buffer))
3173  memset(buffer.data, 0, sizeof(buffer));
3174 
3175  if (nread > 0)
3176  {
3177  int r;
3178 
3179  if (nread > sizeof(buffer))
3180  nread = sizeof(buffer);
3182  r = read(srcfd, buffer.data, nread);
3183  if (r != nread)
3184  {
3185  if (r < 0)
3186  ereport(ERROR,
3188  errmsg("could not read file \"%s\": %m",
3189  path)));
3190  else
3191  ereport(ERROR,
3193  errmsg("could not read file \"%s\": read %d of %zu",
3194  path, r, (Size) nread)));
3195  }
3197  }
3198  errno = 0;
3200  if ((int) write(fd, buffer.data, sizeof(buffer)) != (int) sizeof(buffer))
3201  {
3202  int save_errno = errno;
3203 
3204  /*
3205  * If we fail to make the file, delete it to release disk space
3206  */
3207  unlink(tmppath);
3208  /* if write didn't set errno, assume problem is no disk space */
3209  errno = save_errno ? save_errno : ENOSPC;
3210 
3211  ereport(ERROR,
3213  errmsg("could not write to file \"%s\": %m", tmppath)));
3214  }
3216  }
3217 
3219  if (pg_fsync(fd) != 0)
3222  errmsg("could not fsync file \"%s\": %m", tmppath)));
3224 
3225  if (CloseTransientFile(fd) != 0)
3226  ereport(ERROR,
3228  errmsg("could not close file \"%s\": %m", tmppath)));
3229 
3230  if (CloseTransientFile(srcfd) != 0)
3231  ereport(ERROR,
3233  errmsg("could not close file \"%s\": %m", path)));
3234 
3235  /*
3236  * Now move the segment into place with its final name.
3237  */
3238  if (!InstallXLogFileSegment(&destsegno, tmppath, false, 0, destTLI))
3239  elog(ERROR, "InstallXLogFileSegment should not have failed");
3240 }
3241 
3242 /*
3243  * Install a new XLOG segment file as a current or future log segment.
3244  *
3245  * This is used both to install a newly-created segment (which has a temp
3246  * filename while it's being created) and to recycle an old segment.
3247  *
3248  * *segno: identify segment to install as (or first possible target).
3249  * When find_free is true, this is modified on return to indicate the
3250  * actual installation location or last segment searched.
3251  *
3252  * tmppath: initial name of file to install. It will be renamed into place.
3253  *
3254  * find_free: if true, install the new segment at the first empty segno
3255  * number at or after the passed numbers. If false, install the new segment
3256  * exactly where specified, deleting any existing segment file there.
3257  *
3258  * max_segno: maximum segment number to install the new file as. Fail if no
3259  * free slot is found between *segno and max_segno. (Ignored when find_free
3260  * is false.)
3261  *
3262  * tli: The timeline on which the new segment should be installed.
3263  *
3264  * Returns true if the file was installed successfully. false indicates that
3265  * max_segno limit was exceeded, the startup process has disabled this
3266  * function for now, or an error occurred while renaming the file into place.
3267  */
3268 static bool
3269 InstallXLogFileSegment(XLogSegNo *segno, char *tmppath,
3270  bool find_free, XLogSegNo max_segno, TimeLineID tli)
3271 {
3272  char path[MAXPGPATH];
3273  struct stat stat_buf;
3274 
3275  Assert(tli != 0);
3276 
3277  XLogFilePath(path, tli, *segno, wal_segment_size);
3278 
3279  LWLockAcquire(ControlFileLock, LW_EXCLUSIVE);
3281  {
3282  LWLockRelease(ControlFileLock);
3283  return false;
3284  }
3285 
3286  if (!find_free)
3287  {
3288  /* Force installation: get rid of any pre-existing segment file */
3289  durable_unlink(path, DEBUG1);
3290  }
3291  else
3292  {
3293  /* Find a free slot to put it in */
3294  while (stat(path, &stat_buf) == 0)
3295  {
3296  if ((*segno) >= max_segno)
3297  {
3298  /* Failed to find a free slot within specified range */
3299  LWLockRelease(ControlFileLock);
3300  return false;
3301  }
3302  (*segno)++;
3303  XLogFilePath(path, tli, *segno, wal_segment_size);
3304  }
3305  }
3306 
3307  Assert(access(path, F_OK) != 0 && errno == ENOENT);
3308  if (durable_rename(tmppath, path, LOG) != 0)
3309  {
3310  LWLockRelease(ControlFileLock);
3311  /* durable_rename already emitted log message */
3312  return false;
3313  }
3314 
3315  LWLockRelease(ControlFileLock);
3316 
3317  return true;
3318 }
3319 
3320 /*
3321  * Open a pre-existing logfile segment for writing.
3322  */
3323 int
3325 {
3326  char path[MAXPGPATH];
3327  int fd;
3328 
3329  XLogFilePath(path, tli, segno, wal_segment_size);
3330 
3331  fd = BasicOpenFile(path, O_RDWR | PG_BINARY | get_sync_bit(sync_method));
3332  if (fd < 0)
3333  ereport(PANIC,
3335  errmsg("could not open file \"%s\": %m", path)));
3336 
3337  return fd;
3338 }
3339 
3340 /*
3341  * Close the current logfile segment for writing.
3342  */
3343 static void
3345 {
3346  Assert(openLogFile >= 0);
3347 
3348  /*
3349  * WAL segment files will not be re-read in normal operation, so we advise
3350  * the OS to release any cached pages. But do not do so if WAL archiving
3351  * or streaming is active, because archiver and walsender process could
3352  * use the cache to read the WAL segment.
3353  */
3354 #if defined(USE_POSIX_FADVISE) && defined(POSIX_FADV_DONTNEED)
3355  if (!XLogIsNeeded())
3356  (void) posix_fadvise(openLogFile, 0, 0, POSIX_FADV_DONTNEED);
3357 #endif
3358 
3359  if (close(openLogFile) != 0)
3360  {
3361  char xlogfname[MAXFNAMELEN];
3362  int save_errno = errno;
3363 
3365  errno = save_errno;
3366  ereport(PANIC,
3368  errmsg("could not close file \"%s\": %m", xlogfname)));
3369  }
3370 
3371  openLogFile = -1;
3373 }
3374 
3375 /*
3376  * Preallocate log files beyond the specified log endpoint.
3377  *
3378  * XXX this is currently extremely conservative, since it forces only one
3379  * future log segment to exist, and even that only if we are 75% done with
3380  * the current one. This is only appropriate for very low-WAL-volume systems.
3381  * High-volume systems will be OK once they've built up a sufficient set of
3382  * recycled log segments, but the startup transient is likely to include
3383  * a lot of segment creations by foreground processes, which is not so good.
3384  *
3385  * XLogFileInitInternal() can ereport(ERROR). All known causes indicate big
3386  * trouble; for example, a full filesystem is one cause. The checkpoint WAL
3387  * and/or ControlFile updates already completed. If a RequestCheckpoint()
3388  * initiated the present checkpoint and an ERROR ends this function, the
3389  * command that called RequestCheckpoint() fails. That's not ideal, but it's
3390  * not worth contorting more functions to use caller-specified elevel values.
3391  * (With or without RequestCheckpoint(), an ERROR forestalls some inessential
3392  * reporting and resource reclamation.)
3393  */
3394 static void
3396 {
3397  XLogSegNo _logSegNo;
3398  int lf;
3399  bool added;
3400  char path[MAXPGPATH];
3401  uint64 offset;
3402 
3404  return; /* unlocked check says no */
3405 
3406  XLByteToPrevSeg(endptr, _logSegNo, wal_segment_size);
3407  offset = XLogSegmentOffset(endptr - 1, wal_segment_size);
3408  if (offset >= (uint32) (0.75 * wal_segment_size))
3409  {
3410  _logSegNo++;
3411  lf = XLogFileInitInternal(_logSegNo, tli, &added, path);
3412  if (lf >= 0)
3413  close(lf);
3414  if (added)
3416  }
3417 }
3418 
3419 /*
3420  * Throws an error if the given log segment has already been removed or
3421  * recycled. The caller should only pass a segment that it knows to have
3422  * existed while the server has been running, as this function always
3423  * succeeds if no WAL segments have been removed since startup.
3424  * 'tli' is only used in the error message.
3425  *
3426  * Note: this function guarantees to keep errno unchanged on return.
3427  * This supports callers that use this to possibly deliver a better
3428  * error message about a missing file, while still being able to throw
3429  * a normal file-access error afterwards, if this does return.
3430  */
3431 void
3433 {
3434  int save_errno = errno;
3435  XLogSegNo lastRemovedSegNo;
3436 
3438  lastRemovedSegNo = XLogCtl->lastRemovedSegNo;
3440 
3441  if (segno <= lastRemovedSegNo)
3442  {
3443  char filename[MAXFNAMELEN];
3444 
3445  XLogFileName(filename, tli, segno, wal_segment_size);
3446  errno = save_errno;
3447  ereport(ERROR,
3449  errmsg("requested WAL segment %s has already been removed",
3450  filename)));
3451  }
3452  errno = save_errno;
3453 }
3454 
3455 /*
3456  * Return the last WAL segment removed, or 0 if no segment has been removed
3457  * since startup.
3458  *
3459  * NB: the result can be out of date arbitrarily fast, the caller has to deal
3460  * with that.
3461  */
3462 XLogSegNo
3464 {
3465  XLogSegNo lastRemovedSegNo;
3466 
3468  lastRemovedSegNo = XLogCtl->lastRemovedSegNo;
3470 
3471  return lastRemovedSegNo;
3472 }
3473 
3474 
3475 /*
3476  * Update the last removed segno pointer in shared memory, to reflect that the
3477  * given XLOG file has been removed.
3478  */
3479 static void
3481 {
3482  uint32 tli;
3483  XLogSegNo segno;
3484 
3485  XLogFromFileName(filename, &tli, &segno, wal_segment_size);
3486 
3488  if (segno > XLogCtl->lastRemovedSegNo)
3489  XLogCtl->lastRemovedSegNo = segno;
3491 }
3492 
3493 /*
3494  * Remove all temporary log files in pg_wal
3495  *
3496  * This is called at the beginning of recovery after a previous crash,
3497  * at a point where no other processes write fresh WAL data.
3498  */
3499 static void
3501 {
3502  DIR *xldir;
3503  struct dirent *xlde;
3504 
3505  elog(DEBUG2, "removing all temporary WAL segments");
3506 
3507  xldir = AllocateDir(XLOGDIR);
3508  while ((xlde = ReadDir(xldir, XLOGDIR)) != NULL)
3509  {
3510  char path[MAXPGPATH];
3511 
3512  if (strncmp(xlde->d_name, "xlogtemp.", 9) != 0)
3513  continue;
3514 
3515  snprintf(path, MAXPGPATH, XLOGDIR "/%s", xlde->d_name);
3516  unlink(path);
3517  elog(DEBUG2, "removed temporary WAL segment \"%s\"", path);
3518  }
3519  FreeDir(xldir);
3520 }
3521 
3522 /*
3523  * Recycle or remove all log files older or equal to passed segno.
3524  *
3525  * endptr is current (or recent) end of xlog, and lastredoptr is the
3526  * redo pointer of the last checkpoint. These are used to determine
3527  * whether we want to recycle rather than delete no-longer-wanted log files.
3528  *
3529  * insertTLI is the current timeline for XLOG insertion. Any recycled
3530  * segments should be reused for this timeline.
3531  */
3532 static void
3534  TimeLineID insertTLI)
3535 {
3536  DIR *xldir;
3537  struct dirent *xlde;
3538  char lastoff[MAXFNAMELEN];
3539  XLogSegNo endlogSegNo;
3540  XLogSegNo recycleSegNo;
3541 
3542  /* Initialize info about where to try to recycle to */
3543  XLByteToSeg(endptr, endlogSegNo, wal_segment_size);
3544  recycleSegNo = XLOGfileslop(lastredoptr);
3545 
3546  /*
3547  * Construct a filename of the last segment to be kept. The timeline ID
3548  * doesn't matter, we ignore that in the comparison. (During recovery,
3549  * InsertTimeLineID isn't set, so we can't use that.)
3550  */
3551  XLogFileName(lastoff, 0, segno, wal_segment_size);
3552 
3553  elog(DEBUG2, "attempting to remove WAL segments older than log file %s",
3554  lastoff);
3555 
3556  xldir = AllocateDir(XLOGDIR);
3557 
3558  while ((xlde = ReadDir(xldir, XLOGDIR)) != NULL)
3559  {
3560  /* Ignore files that are not XLOG segments */
3561  if (!IsXLogFileName(xlde->d_name) &&
3562  !IsPartialXLogFileName(xlde->d_name))
3563  continue;
3564 
3565  /*
3566  * We ignore the timeline part of the XLOG segment identifiers in
3567  * deciding whether a segment is still needed. This ensures that we
3568  * won't prematurely remove a segment from a parent timeline. We could
3569  * probably be a little more proactive about removing segments of
3570  * non-parent timelines, but that would be a whole lot more
3571  * complicated.
3572  *
3573  * We use the alphanumeric sorting property of the filenames to decide
3574  * which ones are earlier than the lastoff segment.
3575  */
3576  if (strcmp(xlde->d_name + 8, lastoff + 8) <= 0)
3577  {
3578  if (XLogArchiveCheckDone(xlde->d_name))
3579  {
3580  /* Update the last removed location in shared memory first */
3582 
3583  RemoveXlogFile(xlde, recycleSegNo, &endlogSegNo, insertTLI);
3584  }
3585  }
3586  }
3587 
3588  FreeDir(xldir);
3589 }
3590 
3591 /*
3592  * Remove WAL files that are not part of the given timeline's history.
3593  *
3594  * This is called during recovery, whenever we switch to follow a new
3595  * timeline, and at the end of recovery when we create a new timeline. We
3596  * wouldn't otherwise care about extra WAL files lying in pg_wal, but they
3597  * might be leftover pre-allocated or recycled WAL segments on the old timeline
3598  * that we haven't used yet, and contain garbage. If we just leave them in
3599  * pg_wal, they will eventually be archived, and we can't let that happen.
3600  * Files that belong to our timeline history are valid, because we have
3601  * successfully replayed them, but from others we can't be sure.
3602  *
3603  * 'switchpoint' is the current point in WAL where we switch to new timeline,
3604  * and 'newTLI' is the new timeline we switch to.
3605  */
3606 void
3608 {
3609  DIR *xldir;
3610  struct dirent *xlde;
3611  char switchseg[MAXFNAMELEN];
3612  XLogSegNo endLogSegNo;
3613  XLogSegNo switchLogSegNo;
3614  XLogSegNo recycleSegNo;
3615 
3616  /*
3617  * Initialize info about where to begin the work. This will recycle,
3618  * somewhat arbitrarily, 10 future segments.
3619  */
3620  XLByteToPrevSeg(switchpoint, switchLogSegNo, wal_segment_size);
3621  XLByteToSeg(switchpoint, endLogSegNo, wal_segment_size);
3622  recycleSegNo = endLogSegNo + 10;
3623 
3624  /*
3625  * Construct a filename of the last segment to be kept.
3626  */
3627  XLogFileName(switchseg, newTLI, switchLogSegNo, wal_segment_size);
3628 
3629  elog(DEBUG2, "attempting to remove WAL segments newer than log file %s",
3630  switchseg);
3631 
3632  xldir = AllocateDir(XLOGDIR);
3633 
3634  while ((xlde = ReadDir(xldir, XLOGDIR)) != NULL)
3635  {
3636  /* Ignore files that are not XLOG segments */
3637  if (!IsXLogFileName(xlde->d_name))
3638  continue;
3639 
3640  /*
3641  * Remove files that are on a timeline older than the new one we're
3642  * switching to, but with a segment number >= the first segment on the
3643  * new timeline.
3644  */
3645  if (strncmp(xlde->d_name, switchseg, 8) < 0 &&
3646  strcmp(xlde->d_name + 8, switchseg + 8) > 0)
3647  {
3648  /*
3649  * If the file has already been marked as .ready, however, don't
3650  * remove it yet. It should be OK to remove it - files that are
3651  * not part of our timeline history are not required for recovery
3652  * - but seems safer to let them be archived and removed later.
3653  */
3654  if (!XLogArchiveIsReady(xlde->d_name))
3655  RemoveXlogFile(xlde, recycleSegNo, &endLogSegNo, newTLI);
3656  }
3657  }
3658 
3659  FreeDir(xldir);
3660 }
3661 
3662 /*
3663  * Recycle or remove a log file that's no longer needed.
3664  *
3665  * segment_de is the dirent structure of the segment to recycle or remove.
3666  * recycleSegNo is the segment number to recycle up to. endlogSegNo is
3667  * the segment number of the current (or recent) end of WAL.
3668  *
3669  * endlogSegNo gets incremented if the segment is recycled so as it is not
3670  * checked again with future callers of this function.
3671  *
3672  * insertTLI is the current timeline for XLOG insertion. Any recycled segments
3673  * should be used for this timeline.
3674  */
3675 static void
3676 RemoveXlogFile(const struct dirent *segment_de,
3677  XLogSegNo recycleSegNo, XLogSegNo *endlogSegNo,
3678  TimeLineID insertTLI)
3679 {
3680  char path[MAXPGPATH];
3681 #ifdef WIN32
3682  char newpath[MAXPGPATH];
3683 #endif
3684  const char *segname = segment_de->d_name;
3685 
3686  snprintf(path, MAXPGPATH, XLOGDIR "/%s", segname);
3687 
3688  /*
3689  * Before deleting the file, see if it can be recycled as a future log
3690  * segment. Only recycle normal files, because we don't want to recycle
3691  * symbolic links pointing to a separate archive directory.
3692  */
3693  if (wal_recycle &&
3694  *endlogSegNo <= recycleSegNo &&
3695  XLogCtl->InstallXLogFileSegmentActive && /* callee rechecks this */
3696  get_dirent_type(path, segment_de, false, DEBUG2) == PGFILETYPE_REG &&
3697  InstallXLogFileSegment(endlogSegNo, path,
3698  true, recycleSegNo, insertTLI))
3699  {
3700  ereport(DEBUG2,
3701  (errmsg_internal("recycled write-ahead log file \"%s\"",
3702  segname)));
3704  /* Needn't recheck that slot on future iterations */
3705  (*endlogSegNo)++;
3706  }
3707  else
3708  {
3709  /* No need for any more future segments, or recycling failed ... */
3710  int rc;
3711 
3712  ereport(DEBUG2,
3713  (errmsg_internal("removing write-ahead log file \"%s\"",
3714  segname)));
3715 
3716 #ifdef WIN32
3717 
3718  /*
3719  * On Windows, if another process (e.g another backend) holds the file
3720  * open in FILE_SHARE_DELETE mode, unlink will succeed, but the file
3721  * will still show up in directory listing until the last handle is
3722  * closed. To avoid confusing the lingering deleted file for a live
3723  * WAL file that needs to be archived, rename it before deleting it.
3724  *
3725  * If another process holds the file open without FILE_SHARE_DELETE
3726  * flag, rename will fail. We'll try again at the next checkpoint.
3727  */
3728  snprintf(newpath, MAXPGPATH, "%s.deleted", path);
3729  if (rename(path, newpath) != 0)
3730  {
3731  ereport(LOG,
3733  errmsg("could not rename file \"%s\": %m",
3734  path)));
3735  return;
3736  }
3737  rc = durable_unlink(newpath, LOG);
3738 #else
3739  rc = durable_unlink(path, LOG);
3740 #endif
3741  if (rc != 0)
3742  {
3743  /* Message already logged by durable_unlink() */
3744  return;
3745  }
3747  }
3748 
3749  XLogArchiveCleanup(segname);
3750 }
3751 
3752 /*
3753  * Verify whether pg_wal and pg_wal/archive_status exist.
3754  * If the latter does not exist, recreate it.
3755  *
3756  * It is not the goal of this function to verify the contents of these
3757  * directories, but to help in cases where someone has performed a cluster
3758  * copy for PITR purposes but omitted pg_wal from the copy.
3759  *
3760  * We could also recreate pg_wal if it doesn't exist, but a deliberate
3761  * policy decision was made not to. It is fairly common for pg_wal to be
3762  * a symlink, and if that was the DBA's intent then automatically making a
3763  * plain directory would result in degraded performance with no notice.
3764  */
3765 static void
3767 {
3768  char path[MAXPGPATH];
3769  struct stat stat_buf;
3770 
3771  /* Check for pg_wal; if it doesn't exist, error out */
3772  if (stat(XLOGDIR, &stat_buf) != 0 ||
3773  !S_ISDIR(stat_buf.st_mode))
3774  ereport(FATAL,
3775  (errmsg("required WAL directory \"%s\" does not exist",
3776  XLOGDIR)));
3777 
3778  /* Check for archive_status */
3779  snprintf(path, MAXPGPATH, XLOGDIR "/archive_status");
3780  if (stat(path, &stat_buf) == 0)
3781  {
3782  /* Check for weird cases where it exists but isn't a directory */
3783  if (!S_ISDIR(stat_buf.st_mode))
3784  ereport(FATAL,
3785  (errmsg("required WAL directory \"%s\" does not exist",
3786  path)));
3787  }
3788  else
3789  {
3790  ereport(LOG,
3791  (errmsg("creating missing WAL directory \"%s\"", path)));
3792  if (MakePGDirectory(path) < 0)
3793  ereport(FATAL,
3794  (errmsg("could not create missing directory \"%s\": %m",
3795  path)));
3796  }
3797 }
3798 
3799 /*
3800  * Remove previous backup history files. This also retries creation of
3801  * .ready files for any backup history files for which XLogArchiveNotify
3802  * failed earlier.
3803  */
3804 static void
3806 {
3807  DIR *xldir;
3808  struct dirent *xlde;
3809  char path[MAXPGPATH + sizeof(XLOGDIR)];
3810 
3811  xldir = AllocateDir(XLOGDIR);
3812 
3813  while ((xlde = ReadDir(xldir, XLOGDIR)) != NULL)
3814  {
3815  if (IsBackupHistoryFileName(xlde->d_name))
3816  {
3817  if (XLogArchiveCheckDone(xlde->d_name))
3818  {
3819  elog(DEBUG2, "removing WAL backup history file \"%s\"",
3820  xlde->d_name);
3821  snprintf(path, sizeof(path), XLOGDIR "/%s", xlde->d_name);
3822  unlink(path);
3823  XLogArchiveCleanup(xlde->d_name);
3824  }
3825  }
3826  }
3827 
3828  FreeDir(xldir);
3829 }
3830 
3831 /*
3832  * I/O routines for pg_control
3833  *
3834  * *ControlFile is a buffer in shared memory that holds an image of the
3835  * contents of pg_control. WriteControlFile() initializes pg_control
3836  * given a preloaded buffer, ReadControlFile() loads the buffer from
3837  * the pg_control file (during postmaster or standalone-backend startup),
3838  * and UpdateControlFile() rewrites pg_control after we modify xlog state.
3839  * InitControlFile() fills the buffer with initial values.
3840  *
3841  * For simplicity, WriteControlFile() initializes the fields of pg_control
3842  * that are related to checking backend/database compatibility, and
3843  * ReadControlFile() verifies they are correct. We could split out the
3844  * I/O and compatibility-check functions, but there seems no need currently.
3845  */
3846 
3847 static void
3848 InitControlFile(uint64 sysidentifier)
3849 {
3850  char mock_auth_nonce[MOCK_AUTH_NONCE_LEN];
3851 
3852  /*
3853  * Generate a random nonce. This is used for authentication requests that
3854  * will fail because the user does not exist. The nonce is used to create
3855  * a genuine-looking password challenge for the non-existent user, in lieu
3856  * of an actual stored password.
3857  */
3858  if (!pg_strong_random(mock_auth_nonce, MOCK_AUTH_NONCE_LEN))
3859  ereport(PANIC,
3860  (errcode(ERRCODE_INTERNAL_ERROR),
3861  errmsg("could not generate secret authorization token")));
3862 
3863  memset(ControlFile, 0, sizeof(ControlFileData));
3864  /* Initialize pg_control status fields */
3865  ControlFile->system_identifier = sysidentifier;
3866  memcpy(ControlFile->mock_authentication_nonce, mock_auth_nonce, MOCK_AUTH_NONCE_LEN);
3869 
3870  /* Set important parameter values for use when replaying WAL */
3880 }
3881 
3882 static void
3884 {
3885  int fd;
3886  char buffer[PG_CONTROL_FILE_SIZE]; /* need not be aligned */
3887 
3888  /*
3889  * Initialize version and compatibility-check fields
3890  */
3893 
3894  ControlFile->maxAlign = MAXIMUM_ALIGNOF;
3896 
3897  ControlFile->blcksz = BLCKSZ;
3898  ControlFile->relseg_size = RELSEG_SIZE;
3899  ControlFile->xlog_blcksz = XLOG_BLCKSZ;
3901 
3904 
3907 
3909 
3910  /* Contents are protected with a CRC */
3913  (char *) ControlFile,
3914  offsetof(ControlFileData, crc));
3916 
3917  /*
3918  * We write out PG_CONTROL_FILE_SIZE bytes into pg_control, zero-padding
3919  * the excess over sizeof(ControlFileData). This reduces the odds of
3920  * premature-EOF errors when reading pg_control. We'll still fail when we
3921  * check the contents of the file, but hopefully with a more specific
3922  * error than "couldn't read pg_control".
3923  */
3924  memset(buffer, 0, PG_CONTROL_FILE_SIZE);
3925  memcpy(buffer, ControlFile, sizeof(ControlFileData));
3926 
3928  O_RDWR | O_CREAT | O_EXCL | PG_BINARY);
3929  if (fd < 0)
3930  ereport(PANIC,
3932  errmsg("could not create file \"%s\": %m",
3933  XLOG_CONTROL_FILE)));
3934 
3935  errno = 0;
3938  {
3939  /* if write didn't set errno, assume problem is no disk space */
3940  if (errno == 0)
3941  errno = ENOSPC;
3942  ereport(PANIC,
3944  errmsg("could not write to file \"%s\": %m",
3945  XLOG_CONTROL_FILE)));
3946  }
3948 
3950  if (pg_fsync(fd) != 0)
3951  ereport(PANIC,
3953  errmsg("could not fsync file \"%s\": %m",
3954  XLOG_CONTROL_FILE)));
3956 
3957  if (close(fd) != 0)
3958  ereport(PANIC,
3960  errmsg("could not close file \"%s\": %m",
3961  XLOG_CONTROL_FILE)));
3962 }
3963 
3964 static void
3966 {
3967  pg_crc32c crc;
3968  int fd;
3969  static char wal_segsz_str[20];
3970  int r;
3971 
3972  /*
3973  * Read data...
3974  */
3976  O_RDWR | PG_BINARY);
3977  if (fd < 0)
3978  ereport(PANIC,
3980  errmsg("could not open file \"%s\": %m",
3981  XLOG_CONTROL_FILE)));
3982 
3984  r = read(fd, ControlFile, sizeof(ControlFileData));
3985  if (r != sizeof(ControlFileData))
3986  {
3987  if (r < 0)
3988  ereport(PANIC,
3990  errmsg("could not read file \"%s\": %m",
3991  XLOG_CONTROL_FILE)));
3992  else
3993  ereport(PANIC,
3995  errmsg("could not read file \"%s\": read %d of %zu",
3996  XLOG_CONTROL_FILE, r, sizeof(ControlFileData))));
3997  }
3999 
4000  close(fd);
4001 
4002  /*
4003  * Check for expected pg_control format version. If this is wrong, the
4004  * CRC check will likely fail because we'll be checking the wrong number
4005  * of bytes. Complaining about wrong version will probably be more
4006  * enlightening than complaining about wrong CRC.
4007  */
4008 
4010  ereport(FATAL,
4011  (errmsg("database files are incompatible with server"),
4012  errdetail("The database cluster was initialized with PG_CONTROL_VERSION %d (0x%08x),"
4013  " but the server was compiled with PG_CONTROL_VERSION %d (0x%08x).",
4016  errhint("This could be a problem of mismatched byte ordering. It looks like you need to initdb.")));
4017 
4019  ereport(FATAL,
4020  (errmsg("database files are incompatible with server"),
4021  errdetail("The database cluster was initialized with PG_CONTROL_VERSION %d,"
4022  " but the server was compiled with PG_CONTROL_VERSION %d.",
4024  errhint("It looks like you need to initdb.")));
4025 
4026  /* Now check the CRC. */
4027  INIT_CRC32C(crc);
4028  COMP_CRC32C(crc,
4029  (char *) ControlFile,
4030  offsetof(ControlFileData, crc));
4031  FIN_CRC32C(crc);
4032 
4033  if (!EQ_CRC32C(crc, ControlFile->crc))
4034  ereport(FATAL,
4035  (errmsg("incorrect checksum in control file")));
4036 
4037  /*
4038  * Do compatibility checking immediately. If the database isn't
4039  * compatible with the backend executable, we want to abort before we can
4040  * possibly do any damage.
4041  */
4043  ereport(FATAL,
4044  (errmsg("database files are incompatible with server"),
4045  errdetail("The database cluster was initialized with CATALOG_VERSION_NO %d,"
4046  " but the server was compiled with CATALOG_VERSION_NO %d.",
4048  errhint("It looks like you need to initdb.")));
4049  if (ControlFile->maxAlign != MAXIMUM_ALIGNOF)
4050  ereport(FATAL,
4051  (errmsg("database files are incompatible with server"),
4052  errdetail("The database cluster was initialized with MAXALIGN %d,"
4053  " but the server was compiled with MAXALIGN %d.",
4054  ControlFile->maxAlign, MAXIMUM_ALIGNOF),
4055  errhint("It looks like you need to initdb.")));
4057  ereport(FATAL,
4058  (errmsg("database files are incompatible with server"),
4059  errdetail("The database cluster appears to use a different floating-point number format than the server executable."),
4060  errhint("It looks like you need to initdb.")));
4061  if (ControlFile->blcksz != BLCKSZ)
4062  ereport(FATAL,
4063  (errmsg("database files are incompatible with server"),
4064  errdetail("The database cluster was initialized with BLCKSZ %d,"
4065  " but the server was compiled with BLCKSZ %d.",
4066  ControlFile->blcksz, BLCKSZ),
4067  errhint("It looks like you need to recompile or initdb.")));
4068  if (ControlFile->relseg_size != RELSEG_SIZE)
4069  ereport(FATAL,
4070  (errmsg("database files are incompatible with server"),
4071  errdetail("The database cluster was initialized with RELSEG_SIZE %d,"
4072  " but the server was compiled with RELSEG_SIZE %d.",
4073  ControlFile->relseg_size, RELSEG_SIZE),
4074  errhint("It looks like you need to recompile or initdb.")));
4075  if (ControlFile->xlog_blcksz != XLOG_BLCKSZ)
4076  ereport(FATAL,
4077  (errmsg("database files are incompatible with server"),
4078  errdetail("The database cluster was initialized with XLOG_BLCKSZ %d,"
4079  " but the server was compiled with XLOG_BLCKSZ %d.",
4080  ControlFile->xlog_blcksz, XLOG_BLCKSZ),
4081  errhint("It looks like you need to recompile or initdb.")));
4083  ereport(FATAL,
4084  (errmsg("database files are incompatible with server"),
4085  errdetail("The database cluster was initialized with NAMEDATALEN %d,"
4086  " but the server was compiled with NAMEDATALEN %d.",
4088  errhint("It looks like you need to recompile or initdb.")));
4090  ereport(FATAL,
4091  (errmsg("database files are incompatible with server"),
4092  errdetail("The database cluster was initialized with INDEX_MAX_KEYS %d,"
4093  " but the server was compiled with INDEX_MAX_KEYS %d.",
4095  errhint("It looks like you need to recompile or initdb.")));
4097  ereport(FATAL,
4098  (errmsg("database files are incompatible with server"),
4099  errdetail("The database cluster was initialized with TOAST_MAX_CHUNK_SIZE %d,"
4100  " but the server was compiled with TOAST_MAX_CHUNK_SIZE %d.",
4102  errhint("It looks like you need to recompile or initdb.")));
4104  ereport(FATAL,
4105  (errmsg("database files are incompatible with server"),
4106  errdetail("The database cluster was initialized with LOBLKSIZE %d,"
4107  " but the server was compiled with LOBLKSIZE %d.",
4108  ControlFile->loblksize, (int) LOBLKSIZE),
4109  errhint("It looks like you need to recompile or initdb.")));
4110 
4111 #ifdef USE_FLOAT8_BYVAL
4112  if (ControlFile->float8ByVal != true)
4113  ereport(FATAL,
4114  (errmsg("database files are incompatible with server"),
4115  errdetail("The database cluster was initialized without USE_FLOAT8_BYVAL"
4116  " but the server was compiled with USE_FLOAT8_BYVAL."),
4117  errhint("It looks like you need to recompile or initdb.")));
4118 #else
4119  if (ControlFile->float8ByVal != false)
4120  ereport(FATAL,
4121  (errmsg("database files are incompatible with server"),
4122  errdetail("The database cluster was initialized with USE_FLOAT8_BYVAL"
4123  " but the server was compiled without USE_FLOAT8_BYVAL."),
4124  errhint("It looks like you need to recompile or initdb.")));
4125 #endif
4126 
4128 
4130  ereport(ERROR, (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
4131  errmsg_plural("WAL segment size must be a power of two between 1 MB and 1 GB, but the control file specifies %d byte",
4132  "WAL segment size must be a power of two between 1 MB and 1 GB, but the control file specifies %d bytes",
4134  wal_segment_size)));
4135 
4136  snprintf(wal_segsz_str, sizeof(wal_segsz_str), "%d", wal_segment_size);
4137  SetConfigOption("wal_segment_size", wal_segsz_str, PGC_INTERNAL,
4139 
4140  /* check and update variables dependent on wal_segment_size */
4142  ereport(ERROR, (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
4143  errmsg("\"min_wal_size\" must be at least twice \"wal_segment_size\"")));
4144 
4146  ereport(ERROR, (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
4147  errmsg("\"max_wal_size\" must be at least twice \"wal_segment_size\"")));
4148 
4150  (wal_segment_size / XLOG_BLCKSZ * UsableBytesInPage) -
4152 
4154 
4155  /* Make the initdb settings visible as GUC variables, too */
4156  SetConfigOption("data_checksums", DataChecksumsEnabled() ? "yes" : "no",
4158 }
4159 
4160 /*
4161  * Utility wrapper to update the control file. Note that the control
4162  * file gets flushed.
4163  */
4164 static void
4166 {
4168 }
4169 
4170 /*
4171  * Returns the unique system identifier from control file.
4172  */
4173 uint64
4175 {
4176  Assert(ControlFile != NULL);
4178 }
4179 
4180 /*
4181  * Returns the random nonce from control file.
4182  */
4183 char *
4185 {
4186  Assert(ControlFile != NULL);
4188 }
4189 
4190 /*
4191  * Are checksums enabled for data pages?
4192  */
4193 bool
4195 {
4196  Assert(ControlFile != NULL);
4197  return (ControlFile->data_checksum_version > 0);
4198 }
4199 
4200 /*
4201  * Returns a fake LSN for unlogged relations.
4202  *
4203  * Each call generates an LSN that is greater than any previous value
4204  * returned. The current counter value is saved and restored across clean
4205  * shutdowns, but like unlogged relations, does not survive a crash. This can
4206  * be used in lieu of real LSN values returned by XLogInsert, if you need an
4207  * LSN-like increasing sequence of numbers without writing any WAL.
4208  */
4209 XLogRecPtr
4211 {
4212  XLogRecPtr nextUnloggedLSN;
4213 
4214  /* increment the unloggedLSN counter, need SpinLock */
4216  nextUnloggedLSN = XLogCtl->unloggedLSN++;
4218 
4219  return nextUnloggedLSN;
4220 }
4221 
4222 /*
4223  * Auto-tune the number of XLOG buffers.
4224  *
4225  * The preferred setting for wal_buffers is about 3% of shared_buffers, with
4226  * a maximum of one XLOG segment (there is little reason to think that more
4227  * is helpful, at least so long as we force an fsync when switching log files)
4228  * and a minimum of 8 blocks (which was the default value prior to PostgreSQL
4229  * 9.1, when auto-tuning was added).
4230  *
4231  * This should not be called until NBuffers has received its final value.
4232  */
4233 static int
4235 {
4236  int xbuffers;
4237 
4238  xbuffers = NBuffers / 32;
4239  if (xbuffers > (wal_segment_size / XLOG_BLCKSZ))
4240  xbuffers = (wal_segment_size / XLOG_BLCKSZ);
4241  if (xbuffers < 8)
4242  xbuffers = 8;
4243  return xbuffers;
4244 }
4245 
4246 /*
4247  * GUC check_hook for wal_buffers
4248  */
4249 bool
4251 {
4252  /*
4253  * -1 indicates a request for auto-tune.
4254  */
4255  if (*newval == -1)
4256  {
4257  /*
4258  * If we haven't yet changed the boot_val default of -1, just let it
4259  * be. We'll fix it when XLOGShmemSize is called.
4260  */
4261  if (XLOGbuffers == -1)
4262  return true;
4263 
4264  /* Otherwise, substitute the auto-tune value */
4266  }
4267 
4268  /*
4269  * We clamp manually-set values to at least 4 blocks. Prior to PostgreSQL
4270  * 9.1, a minimum of 4 was enforced by guc.c, but since that is no longer
4271  * the case, we just silently treat such values as a request for the
4272  * minimum. (We could throw an error instead, but that doesn't seem very
4273  * helpful.)
4274  */
4275  if (*newval < 4)
4276  *newval = 4;
4277 
4278  return true;
4279 }
4280 
4281 /*
4282  * GUC check_hook for wal_consistency_checking
4283  */
4284 bool
4286 {
4287  char *rawstring;
4288  List *elemlist;
4289  ListCell *l;
4290  bool newwalconsistency[RM_MAX_ID + 1];
4291 
4292  /* Initialize the array */
4293  MemSet(newwalconsistency, 0, (RM_MAX_ID + 1) * sizeof(bool));
4294 
4295  /* Need a modifiable copy of string */
4296  rawstring = pstrdup(*newval);
4297 
4298  /* Parse string into list of identifiers */
4299  if (!SplitIdentifierString(rawstring, ',', &elemlist))
4300  {
4301  /* syntax error in list */
4302  GUC_check_errdetail("List syntax is invalid.");
4303  pfree(rawstring);
4304  list_free(elemlist);
4305  return false;
4306  }
4307 
4308  foreach(l, elemlist)
4309  {
4310  char *tok = (char *) lfirst(l);
4311  int rmid;
4312 
4313  /* Check for 'all'. */
4314  if (pg_strcasecmp(tok, "all") == 0)
4315  {
4316  for (rmid = 0; rmid <= RM_MAX_ID; rmid++)
4317  if (RmgrIdExists(rmid) && GetRmgr(rmid).rm_mask != NULL)
4318  newwalconsistency[rmid] = true;
4319  }
4320  else
4321  {
4322  /* Check if the token matches any known resource manager. */
4323  bool found = false;
4324 
4325  for (rmid = 0; rmid <= RM_MAX_ID; rmid++)
4326  {
4327  if (RmgrIdExists(rmid) && GetRmgr(rmid).rm_mask != NULL &&
4328  pg_strcasecmp(tok, GetRmgr(rmid).rm_name) == 0)
4329  {
4330  newwalconsistency[rmid] = true;
4331  found = true;
4332  break;
4333  }
4334  }
4335  if (!found)
4336  {
4337  /*
4338  * During startup, it might be a not-yet-loaded custom
4339  * resource manager. Defer checking until
4340  * InitializeWalConsistencyChecking().
4341  */
4343  {
4345  }
4346  else
4347  {
4348  GUC_check_errdetail("Unrecognized key word: \"%s\".", tok);
4349  pfree(rawstring);
4350  list_free(elemlist);
4351  return false;
4352  }
4353  }
4354  }
4355  }
4356 
4357  pfree(rawstring);
4358  list_free(elemlist);
4359 
4360  /* assign new value */
4361  *extra = guc_malloc(ERROR, (RM_MAX_ID + 1) * sizeof(bool));
4362  memcpy(*extra, newwalconsistency, (RM_MAX_ID + 1) * sizeof(bool));
4363  return true;
4364 }
4365 
4366 /*
4367  * GUC assign_hook for wal_consistency_checking
4368  */
4369 void
4370 assign_wal_consistency_checking(const char *newval, void *extra)
4371 {
4372  /*
4373  * If some checks were deferred, it's possible that the checks will fail
4374  * later during InitializeWalConsistencyChecking(). But in that case, the
4375  * postmaster will exit anyway, so it's safe to proceed with the
4376  * assignment.
4377  *
4378  * Any built-in resource managers specified are assigned immediately,
4379  * which affects WAL created before shared_preload_libraries are
4380  * processed. Any custom resource managers specified won't be assigned
4381  * until after shared_preload_libraries are processed, but that's OK
4382  * because WAL for a custom resource manager can't be written before the
4383  * module is loaded anyway.
4384  */
4385  wal_consistency_checking = extra;
4386 }
4387 
4388 /*
4389  * InitializeWalConsistencyChecking: run after loading custom resource managers
4390  *
4391  * If any unknown resource managers were specified in the
4392  * wal_consistency_checking GUC, processing was deferred. Now that
4393  * shared_preload_libraries have been loaded, process wal_consistency_checking
4394  * again.
4395  */
4396 void
4398 {
4400 
4402  {
4403  struct config_generic *guc;
4404 
4405  guc = find_option("wal_consistency_checking", false, false, ERROR);
4406 
4408 
4409  set_config_option_ext("wal_consistency_checking",
4411  guc->scontext, guc->source, guc->srole,
4412  GUC_ACTION_SET, true, ERROR, false);
4413 
4414  /* checking should not be deferred again */
4416  }
4417 }
4418 
4419 /*
4420  * GUC show_hook for archive_command
4421  */
4422 const char *
4424 {
4425  if (XLogArchivingActive())
4426  return XLogArchiveCommand;
4427  else
4428  return "(disabled)";
4429 }
4430 
4431 /*
4432  * GUC show_hook for in_hot_standby
4433  */
4434 const char *
4436 {
4437  /*
4438  * We display the actual state based on shared memory, so that this GUC
4439  * reports up-to-date state if examined intra-query. The underlying
4440  * variable (in_hot_standby_guc) changes only when we transmit a new value
4441  * to the client.
4442  */
4443  return RecoveryInProgress() ? "on" : "off";
4444 }
4445 
4446 
4447 /*
4448  * Read the control file, set respective GUCs.
4449  *
4450  * This is to be called during startup, including a crash recovery cycle,
4451  * unless in bootstrap mode, where no control file yet exists. As there's no
4452  * usable shared memory yet (its sizing can depend on the contents of the
4453  * control file!), first store the contents in local memory. XLOGShmemInit()
4454  * will then copy it to shared memory later.
4455  *
4456  * reset just controls whether previous contents are to be expected (in the
4457  * reset case, there's a dangling pointer into old shared memory), or not.
4458  */
4459 void
4461 {
4462  Assert(reset || ControlFile == NULL);
4463  ControlFile = palloc(sizeof(ControlFileData));
4464  ReadControlFile();
4465 }
4466 
4467 /*
4468  * Initialization of shared memory for XLOG
4469  */
4470 Size
4472 {
4473  Size size;
4474 
4475  /*
4476  * If the value of wal_buffers is -1, use the preferred auto-tune value.
4477  * This isn't an amazingly clean place to do this, but we must wait till
4478  * NBuffers has received its final value, and must do it before using the
4479  * value of XLOGbuffers to do anything important.
4480  *
4481  * We prefer to report this value's source as PGC_S_DYNAMIC_DEFAULT.
4482  * However, if the DBA explicitly set wal_buffers = -1 in the config file,
4483  * then PGC_S_DYNAMIC_DEFAULT will fail to override that and we must force
4484  * the matter with PGC_S_OVERRIDE.
4485  */
4486  if (XLOGbuffers == -1)
4487  {
4488  char buf[32];
4489 
4490  snprintf(buf, sizeof(buf), "%d", XLOGChooseNumBuffers());
4491  SetConfigOption("wal_buffers", buf, PGC_POSTMASTER,
4493  if (XLOGbuffers == -1) /* failed to apply it? */
4494  SetConfigOption("wal_buffers", buf, PGC_POSTMASTER,
4495  PGC_S_OVERRIDE);
4496  }
4497  Assert(XLOGbuffers > 0);
4498 
4499  /* XLogCtl */
4500  size = sizeof(XLogCtlData);
4501 
4502  /* WAL insertion locks, plus alignment */
4503  size = add_size(size, mul_size(sizeof(WALInsertLockPadded), NUM_XLOGINSERT_LOCKS + 1));
4504  /* xlblocks array */
4505  size = add_size(size, mul_size(sizeof(XLogRecPtr), XLOGbuffers));
4506  /* extra alignment padding for XLOG I/O buffers */
4507  size = add_size(size, XLOG_BLCKSZ);
4508  /* and the buffers themselves */
4509  size = add_size(size, mul_size(XLOG_BLCKSZ, XLOGbuffers));
4510 
4511  /*
4512  * Note: we don't count ControlFileData, it comes out of the "slop factor"
4513  * added by CreateSharedMemoryAndSemaphores. This lets us use this
4514  * routine again below to compute the actual allocation size.
4515  */
4516 
4517  return size;
4518 }
4519 
4520 void
4522 {
4523  bool foundCFile,
4524  foundXLog;
4525  char *allocptr;
4526  int i;
4527  ControlFileData *localControlFile;
4528 
4529 #ifdef WAL_DEBUG
4530 
4531  /*
4532  * Create a memory context for WAL debugging that's exempt from the normal
4533  * "no pallocs in critical section" rule. Yes, that can lead to a PANIC if
4534  * an allocation fails, but wal_debug is not for production use anyway.
4535  */
4536  if (walDebugCxt == NULL)
4537  {
4539  "WAL Debug",
4541  MemoryContextAllowInCriticalSection(walDebugCxt, true);
4542  }
4543 #endif
4544 
4545 
4546  XLogCtl = (XLogCtlData *)
4547  ShmemInitStruct("XLOG Ctl", XLOGShmemSize(), &foundXLog);
4548 
4549  localControlFile = ControlFile;
4551  ShmemInitStruct("Control File", sizeof(ControlFileData), &foundCFile);
4552 
4553  if (foundCFile || foundXLog)
4554  {
4555  /* both should be present or neither */
4556  Assert(foundCFile && foundXLog);
4557 
4558  /* Initialize local copy of WALInsertLocks */
4560 
4561  if (localControlFile)
4562  pfree(localControlFile);
4563  return;
4564  }
4565  memset(XLogCtl, 0, sizeof(XLogCtlData));
4566 
4567  /*
4568  * Already have read control file locally, unless in bootstrap mode. Move
4569  * contents into shared memory.
4570  */
4571  if (localControlFile)
4572  {
4573  memcpy(ControlFile, localControlFile, sizeof(ControlFileData));
4574  pfree(localControlFile);
4575  }
4576 
4577  /*
4578  * Since XLogCtlData contains XLogRecPtr fields, its sizeof should be a
4579  * multiple of the alignment for same, so no extra alignment padding is
4580  * needed here.
4581  */
4582  allocptr = ((char *) XLogCtl) + sizeof(XLogCtlData);
4583  XLogCtl->xlblocks = (XLogRecPtr *) allocptr;
4584  memset(XLogCtl->xlblocks, 0, sizeof(XLogRecPtr) * XLOGbuffers);
4585  allocptr += sizeof(XLogRecPtr) * XLOGbuffers;
4586 
4587 
4588  /* WAL insertion locks. Ensure they're aligned to the full padded size */
4589  allocptr += sizeof(WALInsertLockPadded) -
4590  ((uintptr_t) allocptr) % sizeof(WALInsertLockPadded);
4592  (WALInsertLockPadded *) allocptr;
4593  allocptr += sizeof(WALInsertLockPadded) * NUM_XLOGINSERT_LOCKS;
4594 
4595  for (i = 0; i < NUM_XLOGINSERT_LOCKS; i++)
4596  {
4600  }
4601 
4602  /*
4603  * Align the start of the page buffers to a full xlog block size boundary.
4604  * This simplifies some calculations in XLOG insertion. It is also
4605  * required for O_DIRECT.
4606  */
4607  allocptr = (char *) TYPEALIGN(XLOG_BLCKSZ, allocptr);
4608  XLogCtl->pages = allocptr;
4609  memset(XLogCtl->pages, 0, (Size) XLOG_BLCKSZ * XLOGbuffers);
4610 
4611  /*
4612  * Do basic initialization of XLogCtl shared data. (StartupXLOG will fill
4613  * in additional info.)
4614  */
4618  XLogCtl->WalWriterSleeping = false;
4619 
4623 }
4624 
4625 /*
4626  * This func must be called ONCE on system install. It creates pg_control
4627  * and the initial XLOG segment.
4628  */
4629 void
4631 {
4632  CheckPoint checkPoint;
4633  char *buffer;
4634  XLogPageHeader page;
4635  XLogLongPageHeader longpage;
4636  XLogRecord *record;
4637  char *recptr;
4638  uint64 sysidentifier;
4639  struct timeval tv;
4640  pg_crc32c crc;
4641 
4642  /* allow ordinary WAL segment creation, like StartupXLOG() would */
4644 
4645  /*
4646  * Select a hopefully-unique system identifier code for this installation.
4647  * We use the result of gettimeofday(), including the fractional seconds
4648  * field, as being about as unique as we can easily get. (Think not to
4649  * use random(), since it hasn't been seeded and there's no portable way
4650  * to seed it other than the system clock value...) The upper half of the
4651  * uint64 value is just the tv_sec part, while the lower half contains the
4652  * tv_usec part (which must fit in 20 bits), plus 12 bits from our current
4653  * PID for a little extra uniqueness. A person knowing this encoding can
4654  * determine the initialization time of the installation, which could
4655  * perhaps be useful sometimes.
4656  */
4657  gettimeofday(&tv, NULL);
4658  sysidentifier = ((uint64) tv.tv_sec) << 32;
4659  sysidentifier |= ((uint64) tv.tv_usec) << 12;
4660  sysidentifier |= getpid() & 0xFFF;
4661 
4662  /* page buffer must be aligned suitably for O_DIRECT */
4663  buffer = (char *) palloc(XLOG_BLCKSZ + XLOG_BLCKSZ);
4664  page = (XLogPageHeader) TYPEALIGN(XLOG_BLCKSZ, buffer);
4665  memset(page, 0, XLOG_BLCKSZ);
4666 
4667  /*
4668  * Set up information for the initial checkpoint record
4669  *
4670  * The initial checkpoint record is written to the beginning of the WAL
4671  * segment with logid=0 logseg=1. The very first WAL segment, 0/0, is not
4672  * used, so that we can use 0/0 to mean "before any valid WAL segment".
4673  */
4674  checkPoint.redo = wal_segment_size + SizeOfXLogLongPHD;
4675  checkPoint.ThisTimeLineID = BootstrapTimeLineID;
4676  checkPoint.PrevTimeLineID = BootstrapTimeLineID;
4677  checkPoint.fullPageWrites = fullPageWrites;
4678  checkPoint.nextXid =
4680  checkPoint.nextOid = FirstGenbkiObjectId;
4681  checkPoint.nextMulti = FirstMultiXactId;
4682  checkPoint.nextMultiOffset = 0;
4683  checkPoint.oldestXid = FirstNormalTransactionId;
4684  checkPoint.oldestXidDB = Template1DbOid;
4685  checkPoint.oldestMulti = FirstMultiXactId;
4686  checkPoint.oldestMultiDB = Template1DbOid;
4689  checkPoint.time = (pg_time_t) time(NULL);
4691 
4692  ShmemVariableCache->nextXid = checkPoint.nextXid;
4693  ShmemVariableCache->nextOid = checkPoint.nextOid;
4695  MultiXactSetNextMXact(checkPoint.nextMulti, checkPoint.nextMultiOffset);
4696  AdvanceOldestClogXid(checkPoint.oldestXid);
4697  SetTransactionIdLimit(checkPoint.oldestXid, checkPoint.oldestXidDB);
4698  SetMultiXactIdLimit(checkPoint.oldestMulti, checkPoint.oldestMultiDB, true);
4700 
4701  /* Set up the XLOG page header */
4702  page->xlp_magic = XLOG_PAGE_MAGIC;
4703  page->xlp_info = XLP_LONG_HEADER;
4704  page->xlp_tli = BootstrapTimeLineID;
4706  longpage = (XLogLongPageHeader) page;
4707  longpage->xlp_sysid = sysidentifier;
4708  longpage->xlp_seg_size = wal_segment_size;
4709  longpage->xlp_xlog_blcksz = XLOG_BLCKSZ;
4710 
4711  /* Insert the initial checkpoint record */
4712  recptr = ((char *) page + SizeOfXLogLongPHD);
4713  record = (XLogRecord *) recptr;
4714  record->xl_prev = 0;
4715  record->xl_xid = InvalidTransactionId;
4716  record->xl_tot_len = SizeOfXLogRecord + SizeOfXLogRecordDataHeaderShort + sizeof(checkPoint);
4718  record->xl_rmid = RM_XLOG_ID;
4719  recptr += SizeOfXLogRecord;
4720  /* fill the XLogRecordDataHeaderShort struct */
4721  *(recptr++) = (char) XLR_BLOCK_ID_DATA_SHORT;
4722  *(recptr++) = sizeof(checkPoint);
4723  memcpy(recptr, &checkPoint, sizeof(checkPoint));
4724  recptr += sizeof(checkPoint);
4725  Assert(recptr - (char *) record == record->xl_tot_len);
4726 
4727  INIT_CRC32C(crc);
4728  COMP_CRC32C(crc, ((char *) record) + SizeOfXLogRecord, record->xl_tot_len - SizeOfXLogRecord);
4729  COMP_CRC32C(crc, (char *) record, offsetof(XLogRecord, xl_crc));
4730  FIN_CRC32C(crc);
4731  record->xl_crc = crc;
4732 
4733  /* Create first XLOG segment file */
4736 
4737  /*
4738  * We needn't bother with Reserve/ReleaseExternalFD here, since we'll
4739  * close the file again in a moment.
4740  */
4741 
4742  /* Write the first page with the initial record */
4743  errno = 0;
4745  if (write(openLogFile, page, XLOG_BLCKSZ) != XLOG_BLCKSZ)
4746  {
4747  /* if write didn't set errno, assume problem is no disk space */
4748  if (errno == 0)
4749  errno = ENOSPC;
4750  ereport(PANIC,
4752  errmsg("could not write bootstrap write-ahead log file: %m")));
4753  }
4755 
4757  if (pg_fsync(openLogFile) != 0)
4758  ereport(PANIC,
4760  errmsg("could not fsync bootstrap write-ahead log file: %m")));
4762 
4763  if (close(openLogFile) != 0)
4764  ereport(PANIC,
4766  errmsg("could not close bootstrap write-ahead log file: %m")));
4767 
4768  openLogFile = -1;
4769 
4770  /* Now create pg_control */
4771  InitControlFile(sysidentifier);
4772  ControlFile->time = checkPoint.time;
4773  ControlFile->checkPoint = checkPoint.redo;
4774  ControlFile->checkPointCopy = checkPoint;
4775 
4776  /* some additional ControlFile fields are set in WriteControlFile() */
4777  WriteControlFile();
4778 
4779  /* Bootstrap the commit log, too */
4780  BootStrapCLOG();
4784 
4785  pfree(buffer);
4786 
4787  /*
4788  * Force control file to be read - in contrast to normal processing we'd
4789  * otherwise never run the checks and GUC related initializations therein.
4790  */
4791  ReadControlFile();
4792 }
4793 
4794 static char *
4796 {
4797  static char buf[128];
4798 
4799  pg_strftime(buf, sizeof(buf),
4800  "%Y-%m-%d %H:%M:%S %Z",
4801  pg_localtime(&tnow, log_timezone));
4802 
4803  return buf;
4804 }
4805 
4806 /*
4807  * Initialize the first WAL segment on new timeline.
4808  */
4809 static void
4811 {
4812  char xlogfname[MAXFNAMELEN];
4813  XLogSegNo endLogSegNo;
4814  XLogSegNo startLogSegNo;
4815 
4816  /* we always switch to a new timeline after archive recovery */
4817  Assert(endTLI != newTLI);
4818 
4819  /*
4820  * Update min recovery point one last time.
4821  */
4823 
4824  /*
4825  * Calculate the last segment on the old timeline, and the first segment
4826  * on the new timeline. If the switch happens in the middle of a segment,
4827  * they are the same, but if the switch happens exactly at a segment
4828  * boundary, startLogSegNo will be endLogSegNo + 1.
4829  */
4830  XLByteToPrevSeg(endOfLog, endLogSegNo, wal_segment_size);
4831  XLByteToSeg(endOfLog, startLogSegNo, wal_segment_size);
4832 
4833  /*
4834  * Initialize the starting WAL segment for the new timeline. If the switch
4835  * happens in the middle of a segment, copy data from the last WAL segment
4836  * of the old timeline up to the switch point, to the starting WAL segment
4837  * on the new timeline.
4838  */
4839  if (endLogSegNo == startLogSegNo)
4840  {
4841  /*
4842  * Make a copy of the file on the new timeline.
4843  *
4844  * Writing WAL isn't allowed yet, so there are no locking
4845  * considerations. But we should be just as tense as XLogFileInit to
4846  * avoid emplacing a bogus file.
4847  */
4848  XLogFileCopy(newTLI, endLogSegNo, endTLI, endLogSegNo,
4849  XLogSegmentOffset(endOfLog, wal_segment_size));
4850  }
4851  else
4852  {
4853  /*
4854  * The switch happened at a segment boundary, so just create the next
4855  * segment on the new timeline.
4856  */
4857  int fd;
4858 
4859  fd = XLogFileInit(startLogSegNo, newTLI);
4860 
4861  if (close(fd) != 0)
4862  {
4863  int save_errno = errno;
4864 
4865  XLogFileName(xlogfname, newTLI, startLogSegNo, wal_segment_size);
4866  errno = save_errno;
4867  ereport(ERROR,
4869  errmsg("could not close file \"%s\": %m", xlogfname)));
4870  }
4871  }
4872 
4873  /*
4874  * Let's just make real sure there are not .ready or .done flags posted
4875  * for the new segment.
4876  */
4877  XLogFileName(xlogfname, newTLI, startLogSegNo, wal_segment_size);
4878  XLogArchiveCleanup(xlogfname);
4879 }
4880 
4881 /*
4882  * Perform cleanup actions at the conclusion of archive recovery.
4883  */
4884 static void
4886  TimeLineID newTLI)
4887 {
4888  /*
4889  * Execute the recovery_end_command, if any.
4890  */
4891  if (recoveryEndCommand && strcmp(recoveryEndCommand, "") != 0)
4893  "recovery_end_command",
4894  true,
4896 
4897  /*
4898  * We switched to a new timeline. Clean up segments on the old timeline.
4899  *
4900  * If there are any higher-numbered segments on the old timeline, remove
4901  * them. They might contain valid WAL, but they might also be
4902  * pre-allocated files containing garbage. In any case, they are not part
4903  * of the new timeline's history so we don't need them.
4904  */
4905  RemoveNonParentXlogFiles(EndOfLog, newTLI);
4906 
4907  /*
4908  * If the switch happened in the middle of a segment, what to do with the
4909  * last, partial segment on the old timeline? If we don't archive it, and
4910  * the server that created the WAL never archives it either (e.g. because
4911  * it was hit by a meteor), it will never make it to the archive. That's
4912  * OK from our point of view, because the new segment that we created with
4913  * the new TLI contains all the WAL from the old timeline up to the switch
4914  * point. But if you later try to do PITR to the "missing" WAL on the old
4915  * timeline, recovery won't find it in the archive. It's physically
4916  * present in the new file with new TLI, but recovery won't look there
4917  * when it's recovering to the older timeline. On the other hand, if we
4918  * archive the partial segment, and the original server on that timeline
4919  * is still running and archives the completed version of the same segment
4920  * later, it will fail. (We used to do that in 9.4 and below, and it
4921  * caused such problems).
4922  *
4923  * As a compromise, we rename the last segment with the .partial suffix,
4924  * and archive it. Archive recovery will never try to read .partial
4925  * segments, so they will normally go unused. But in the odd PITR case,
4926  * the administrator can copy them manually to the pg_wal directory
4927  * (removing the suffix). They can be useful in debugging, too.
4928  *
4929  * If a .done or .ready file already exists for the old timeline, however,
4930  * we had already determined that the segment is complete, so we can let
4931  * it be archived normally. (In particular, if it was restored from the
4932  * archive to begin with, it's expected to have a .done file).
4933  */
4934  if (XLogSegmentOffset(EndOfLog, wal_segment_size) != 0 &&
4936  {
4937  char origfname[MAXFNAMELEN];
4938  XLogSegNo endLogSegNo;
4939 
4940  XLByteToPrevSeg(EndOfLog, endLogSegNo, wal_segment_size);
4941  XLogFileName(origfname, EndOfLogTLI, endLogSegNo, wal_segment_size);
4942 
4943  if (!XLogArchiveIsReadyOrDone(origfname))
4944  {
4945  char origpath[MAXPGPATH];
4946  char partialfname[MAXFNAMELEN];
4947  char partialpath[MAXPGPATH];
4948 
4949  XLogFilePath(origpath, EndOfLogTLI, endLogSegNo, wal_segment_size);
4950  snprintf(partialfname, MAXFNAMELEN, "%s.partial", origfname);
4951  snprintf(partialpath, MAXPGPATH, "%s.partial", origpath);
4952 
4953  /*
4954  * Make sure there's no .done or .ready file for the .partial
4955  * file.
4956  */
4957  XLogArchiveCleanup(partialfname);
4958 
4959  durable_rename(origpath, partialpath, ERROR);
4960  XLogArchiveNotify(partialfname);
4961  }
4962  }
4963 }
4964 
4965 /*
4966  * Check to see if required parameters are set high enough on this server
4967  * for various aspects of recovery operation.
4968  *
4969  * Note that all the parameters which this function tests need to be
4970  * listed in Administrator's Overview section in high-availability.sgml.
4971  * If you change them, don't forget to update the list.
4972  */
4973 static void
4975 {
4976  /*
4977  * For archive recovery, the WAL must be generated with at least 'replica'
4978  * wal_level.
4979  */
4981  {
4982  ereport(FATAL,
4983  (errmsg("WAL was generated with wal_level=minimal, cannot continue recovering"),
4984  errdetail("This happens if you temporarily set wal_level=minimal on the server."),
4985  errhint("Use a backup taken after setting wal_level to higher than minimal.")));
4986  }
4987 
4988  /*
4989  * For Hot Standby, the WAL must be generated with 'replica' mode, and we
4990  * must have at least as many backend slots as the primary.
4991  */
4993  {
4994  /* We ignore autovacuum_max_workers when we make this test. */
4995  RecoveryRequiresIntParameter("max_connections",
4998  RecoveryRequiresIntParameter("max_worker_processes",
5001  RecoveryRequiresIntParameter("max_wal_senders",
5004  RecoveryRequiresIntParameter("max_prepared_transactions",
5007  RecoveryRequiresIntParameter("max_locks_per_transaction",
5010  }
5011 }
5012 
5013 /*
5014  * This must be called ONCE during postmaster or standalone-backend startup
5015  */
5016 void
5018 {
5020  CheckPoint checkPoint;
5021  bool wasShutdown;
5022  bool didCrash;
5023  bool haveTblspcMap;
5024  bool haveBackupLabel;
5025  XLogRecPtr EndOfLog;
5026  TimeLineID EndOfLogTLI;
5027  TimeLineID newTLI;
5028  bool performedWalRecovery;
5029  EndOfWalRecoveryInfo *endOfRecoveryInfo;
5032  TransactionId oldestActiveXID;
5033  bool promoted = false;
5034 
5035  /*
5036  * We should have an aux process resource owner to use, and we should not
5037  * be in a transaction that's installed some other resowner.
5038  */
5040  Assert(CurrentResourceOwner == NULL ||
5043 
5044  /*
5045  * Check that contents look valid.
5046  */
5048  ereport(FATAL,
5049  (errmsg("control file contains invalid checkpoint location")));
5050 
5051  switch (ControlFile->state)
5052  {
5053  case DB_SHUTDOWNED:
5054 
5055  /*
5056  * This is the expected case, so don't be chatty in standalone
5057  * mode
5058  */
5060  (errmsg("database system was shut down at %s",
5061  str_time(ControlFile->time))));
5062  break;
5063 
5065  ereport(LOG,
5066  (errmsg("database system was shut down in recovery at %s",
5067  str_time(ControlFile->time))));
5068  break;
5069 
5070  case DB_SHUTDOWNING:
5071  ereport(LOG,
5072  (errmsg("database system shutdown was interrupted; last known up at %s",
5073  str_time(ControlFile->time))));
5074  break;
5075 
5076  case DB_IN_CRASH_RECOVERY:
5077  ereport(LOG,
5078  (errmsg("database system was interrupted while in recovery at %s",
5080  errhint("This probably means that some data is corrupted and"
5081  " you will have to use the last backup for recovery.")));
5082  break;
5083 
5085  ereport(LOG,
5086  (errmsg("database system was interrupted while in recovery at log time %s",
5088  errhint("If this has occurred more than once some data might be corrupted"
5089  " and you might need to choose an earlier recovery target.")));
5090  break;
5091 
5092  case DB_IN_PRODUCTION:
5093  ereport(LOG,
5094  (errmsg("database system was interrupted; last known up at %s",
5095  str_time(ControlFile->time))));
5096  break;
5097 
5098  default:
5099  ereport(FATAL,
5100  (errmsg("control file contains invalid database cluster state")));
5101  }
5102 
5103  /* This is just to allow attaching to startup process with a debugger */
5104 #ifdef XLOG_REPLAY_DELAY
5106  pg_usleep(60000000L);
5107 #endif
5108 
5109  /*
5110  * Verify that pg_wal and pg_wal/archive_status exist. In cases where
5111  * someone has performed a copy for PITR, these directories may have been
5112  * excluded and need to be re-created.
5113  */
5115 
5116  /* Set up timeout handler needed to report startup progress. */
5120 
5121  /*----------
5122  * If we previously crashed, perform a couple of actions:
5123  *
5124  * - The pg_wal directory may still include some temporary WAL segments
5125  * used when creating a new segment, so perform some clean up to not
5126  * bloat this path. This is done first as there is no point to sync
5127  * this temporary data.
5128  *
5129  * - There might be data which we had written, intending to fsync it, but
5130  * which we had not actually fsync'd yet. Therefore, a power failure in
5131  * the near future might cause earlier unflushed writes to be lost, even
5132  * though more recent data written to disk from here on would be
5133  * persisted. To avoid that, fsync the entire data directory.
5134  */
5135  if (ControlFile->state != DB_SHUTDOWNED &&
5137  {
5140  didCrash = true;
5141  }
5142  else
5143  didCrash = false;
5144 
5145  /*
5146  * Prepare for WAL recovery if needed.
5147  *
5148  * InitWalRecovery analyzes the control file and the backup label file, if
5149  * any. It updates the in-memory ControlFile buffer according to the
5150  * starting checkpoint, and sets InRecovery and ArchiveRecoveryRequested.
5151  * It also applies the tablespace map file, if any.
5152  */
5153  InitWalRecovery(ControlFile, &wasShutdown,
5154  &haveBackupLabel, &haveTblspcMap);
5155  checkPoint = ControlFile->checkPointCopy;
5156 
5157  /* initialize shared memory variables from the checkpoint record */
5158  ShmemVariableCache->nextXid = checkPoint.nextXid;
5159  ShmemVariableCache->nextOid = checkPoint.nextOid;
5161  MultiXactSetNextMXact(checkPoint.nextMulti, checkPoint.nextMultiOffset);
5162  AdvanceOldestClogXid(checkPoint.oldestXid);
5163  SetTransactionIdLimit(checkPoint.oldestXid, checkPoint.oldestXidDB);
5164  SetMultiXactIdLimit(checkPoint.oldestMulti, checkPoint.oldestMultiDB, true);
5166  checkPoint.newestCommitTsXid);
5167  XLogCtl->ckptFullXid = checkPoint.nextXid;
5168 
5169  /*
5170  * Clear out any old relcache cache files. This is *necessary* if we do
5171  * any WAL replay, since that would probably result in the cache files
5172  * being out of sync with database reality. In theory we could leave them
5173  * in place if the database had been cleanly shut down, but it seems
5174  * safest to just remove them always and let them be rebuilt during the
5175  * first backend startup. These files needs to be removed from all
5176  * directories including pg_tblspc, however the symlinks are created only
5177  * after reading tablespace_map file in case of archive recovery from
5178  * backup, so needs to clear old relcache files here after creating
5179  * symlinks.
5180  */
5182 
5183  /*
5184  * Initialize replication slots, before there's a chance to remove
5185  * required resources.
5186  */
5188 
5189  /*
5190  * Startup logical state, needs to be setup now so we have proper data
5191  * during crash recovery.
5192  */
5194 
5195  /*
5196  * Startup CLOG. This must be done after ShmemVariableCache->nextXid has
5197  * been initialized and before we accept connections or begin WAL replay.
5198  */
5199  StartupCLOG();
5200 
5201  /*
5202  * Startup MultiXact. We need to do this early to be able to replay
5203  * truncations.
5204  */
5205  StartupMultiXact();
5206 
5207  /*
5208  * Ditto for commit timestamps. Activate the facility if the setting is
5209  * enabled in the control file, as there should be no tracking of commit
5210  * timestamps done when the setting was disabled. This facility can be
5211  * started or stopped when replaying a XLOG_PARAMETER_CHANGE record.
5212  */
5214  StartupCommitTs();
5215 
5216  /*
5217  * Recover knowledge about replay progress of known replication partners.
5218  */
5220 
5221  /*
5222  * Initialize unlogged LSN. On a clean shutdown, it's restored from the
5223  * control file. On recovery, all unlogged relations are blown away, so
5224  * the unlogged LSN counter can be reset too.
5225  */
5228  else
5230 
5231  /*
5232  * Copy any missing timeline history files between 'now' and the recovery
5233  * target timeline from archive to pg_wal. While we don't need those files
5234  * ourselves - the history file of the recovery target timeline covers all
5235  * the previous timelines in the history too - a cascading standby server
5236  * might be interested in them. Or, if you archive the WAL from this
5237  * server to a different archive than the primary, it'd be good for all
5238  * the history files to get archived there after failover, so that you can
5239  * use one of the old timelines as a PITR target. Timeline history files
5240  * are small, so it's better to copy them unnecessarily than not copy them
5241  * and regret later.
5242  */
5244 
5245  /*
5246  * Before running in recovery, scan pg_twophase and fill in its status to
5247  * be able to work on entries generated by redo. Doing a scan before
5248  * taking any recovery action has the merit to discard any 2PC files that
5249  * are newer than the first record to replay, saving from any conflicts at
5250  * replay. This avoids as well any subsequent scans when doing recovery
5251  * of the on-disk two-phase data.
5252  */
5254 
5255  /*
5256  * When starting with crash recovery, reset pgstat data - it might not be
5257  * valid. Otherwise restore pgstat data. It's safe to do this here,
5258  * because postmaster will not yet have started any other processes.
5259  *
5260  * NB: Restoring replication slot stats relies on slot state to have
5261  * already been restored from disk.
5262  *
5263  * TODO: With a bit of extra work we could just start with a pgstat file
5264  * associated with the checkpoint redo location we're starting from.
5265  */
5266  if (didCrash)
5268  else
5270 
5271  lastFullPageWrites = checkPoint.fullPageWrites;
5272 
5275 
5276  /* REDO */
5277  if (InRecovery)
5278  {
5279  /* Initialize state for RecoveryInProgress() */
5281  if (InArchiveRecovery)
5283  else
5286 
5287  /*
5288  * Update pg_control to show that we are recovering and to show the
5289  * selected checkpoint as the place we are starting from. We also mark
5290  * pg_control with any minimum recovery stop point obtained from a
5291  * backup history file.
5292  *
5293  * No need to hold ControlFileLock yet, we aren't up far enough.
5294  */
5296 
5297  /*
5298  * If there was a backup label file, it's done its job and the info
5299  * has now been propagated into pg_control. We must get rid of the
5300  * label file so that if we crash during recovery, we'll pick up at
5301  * the latest recovery restartpoint instead of going all the way back
5302  * to the backup start point. It seems prudent though to just rename
5303  * the file out of the way rather than delete it completely.
5304  */
5305  if (haveBackupLabel)
5306  {
5307  unlink(BACKUP_LABEL_OLD);
5309  }
5310 
5311  /*
5312  * If there was a tablespace_map file, it's done its job and the
5313  * symlinks have been created. We must get rid of the map file so
5314  * that if we crash during recovery, we don't create symlinks again.
5315  * It seems prudent though to just rename the file out of the way
5316  * rather than delete it completely.
5317  */
5318  if (haveTblspcMap)
5319  {
5320  unlink(TABLESPACE_MAP_OLD);
5322  }
5323 
5324  /*
5325  * Initialize our local copy of minRecoveryPoint. When doing crash
5326  * recovery we want to replay up to the end of WAL. Particularly, in
5327  * the case of a promoted standby minRecoveryPoint value in the
5328  * control file is only updated after the first checkpoint. However,
5329  * if the instance crashes before the first post-recovery checkpoint
5330  * is completed then recovery will use a stale location causing the
5331  * startup process to think that there are still invalid page
5332  * references when checking for data consistency.
5333  */
5334  if (InArchiveRecovery)
5335  {
5338  }
5339  else
5340  {
5343  }
5344 
5345  /* Check that the GUCs used to generate the WAL allow recovery */
5347 
5348  /*
5349  * We're in recovery, so unlogged relations may be trashed and must be
5350  * reset. This should be done BEFORE allowing Hot Standby
5351  * connections, so that read-only backends don't try to read whatever
5352  * garbage is left over from before.
5353  */
5355 
5356  /*
5357  * Likewise, delete any saved transaction snapshot files that got left
5358  * behind by crashed backends.
5359  */
5361 
5362  /*
5363  * Initialize for Hot Standby, if enabled. We won't let backends in
5364  * yet, not until we've reached the min recovery point specified in
5365  * control file and we've established a recovery snapshot from a
5366  * running-xacts WAL record.
5367  */
5369  {
5370  TransactionId *xids;
5371  int nxids;
5372 
5373  ereport(DEBUG1,
5374  (errmsg_internal("initializing for hot standby")));
5375 
5377 
5378  if (wasShutdown)
5379  oldestActiveXID = PrescanPreparedTransactions(&xids, &nxids);
5380  else
5381  oldestActiveXID = checkPoint.oldestActiveXid;
5382  Assert(TransactionIdIsValid(oldestActiveXID));
5383 
5384  /* Tell procarray about the range of xids it has to deal with */
5386 
5387  /*
5388  * Startup subtrans only. CLOG, MultiXact and commit timestamp
5389  * have already been started up and other SLRUs are not maintained
5390  * during recovery and need not be started yet.
5391  */
5392  StartupSUBTRANS(oldestActiveXID);
5393 
5394  /*
5395  * If we're beginning at a shutdown checkpoint, we know that
5396  * nothing was running on the primary at this point. So fake-up an
5397  * empty running-xacts record and use that here and now. Recover
5398  * additional standby state for prepared transactions.
5399  */
5400  if (wasShutdown)
5401  {
5402  RunningTransactionsData running;
5403  TransactionId latestCompletedXid;
5404 
5405  /*
5406  * Construct a RunningTransactions snapshot representing a
5407  * shut down server, with only prepared transactions still
5408  * alive. We're never overflowed at this point because all
5409  * subxids are listed with their parent prepared transactions.
5410  */
5411  running.xcnt = nxids;
5412  running.subxcnt = 0;
5413  running.subxid_overflow = false;
5414  running.nextXid = XidFromFullTransactionId(checkPoint.nextXid);
5415  running.oldestRunningXid = oldestActiveXID;
5416  latestCompletedXid = XidFromFullTransactionId(checkPoint.nextXid);
5417  TransactionIdRetreat(latestCompletedXid);
5418  Assert(TransactionIdIsNormal(latestCompletedXid));
5419  running.latestCompletedXid = latestCompletedXid;
5420  running.xids = xids;
5421 
5422  ProcArrayApplyRecoveryInfo(&running);
5423 
5425  }
5426  }
5427 
5428  /*
5429  * We're all set for replaying the WAL now. Do it.
5430  */
5432  performedWalRecovery = true;
5433  }
5434  else
5435  performedWalRecovery = false;
5436 
5437  /*
5438  * Finish WAL recovery.
5439  */
5440  endOfRecoveryInfo = FinishWalRecovery();
5441  EndOfLog = endOfRecoveryInfo->endOfLog;
5442  EndOfLogTLI = endOfRecoveryInfo->endOfLogTLI;
5443  abortedRecPtr = endOfRecoveryInfo->abortedRecPtr;
5444  missingContrecPtr = endOfRecoveryInfo->missingContrecPtr;
5445 
5446  /*
5447  * Reset ps status display, so as no information related to recovery
5448  * shows up.
5449  */
5450  set_ps_display("");
5451 
5452  /*
5453  * When recovering from a backup (we are in recovery, and archive recovery
5454  * was requested), complain if we did not roll forward far enough to reach
5455  * the point where the database is consistent. For regular online
5456  * backup-from-primary, that means reaching the end-of-backup WAL record
5457  * (at which point we reset backupStartPoint to be Invalid), for
5458  * backup-from-replica (which can't inject records into the WAL stream),
5459  * that point is when we reach the minRecoveryPoint in pg_control (which
5460  * we purposefully copy last when backing up from a replica). For
5461  * pg_rewind (which creates a backup_label with a method of "pg_rewind")
5462  * or snapshot-style backups (which don't), backupEndRequired will be set
5463  * to false.
5464  *
5465  * Note: it is indeed okay to look at the local variable
5466  * LocalMinRecoveryPoint here, even though ControlFile->minRecoveryPoint
5467  * might be further ahead --- ControlFile->minRecoveryPoint cannot have
5468  * been advanced beyond the WAL we processed.
5469  */
5470  if (InRecovery &&
5471  (EndOfLog < LocalMinRecoveryPoint ||
5473  {
5474  /*
5475  * Ran off end of WAL before reaching end-of-backup WAL record, or
5476  * minRecoveryPoint. That's a bad sign, indicating that you tried to
5477  * recover from an online backup but never called pg_backup_stop(), or
5478  * you didn't archive all the WAL needed.
5479  */
5481  {
5483  ereport(FATAL,
5484  (errmsg("WAL ends before end of online backup"),
5485  errhint("All WAL generated while online backup was taken must be available at recovery.")));
5486  else
5487  ereport(FATAL,
5488  (errmsg("WAL ends before consistent recovery point")));
5489  }
5490  }
5491 
5492  /*
5493  * Reset unlogged relations to the contents of their INIT fork. This is
5494  * done AFTER recovery is complete so as to include any unlogged relations
5495  * created during recovery, but BEFORE recovery is marked as having
5496  * completed successfully. Otherwise we'd not retry if any of the post
5497  * end-of-recovery steps fail.
5498  */
5499  if (InRecovery)
5501 
5502  /*
5503  * Pre-scan prepared transactions to find out the range of XIDs present.
5504  * This information is not quite needed yet, but it is positioned here so
5505  * as potential problems are detected before any on-disk change is done.
5506  */
5507  oldestActiveXID = PrescanPreparedTransactions(NULL, NULL);
5508 
5509  /*
5510  * Allow ordinary WAL segment creation before possibly switching to a new
5511  * timeline, which creates a new segment, and after the last ReadRecord().
5512  */
5514 
5515  /*
5516  * Consider whether we need to assign a new timeline ID.
5517  *
5518  * If we did archive recovery, we always assign a new ID. This handles a
5519  * couple of issues. If we stopped short of the end of WAL during
5520  * recovery, then we are clearly generating a new timeline and must assign
5521  * it a unique new ID. Even if we ran to the end, modifying the current
5522  * last segment is problematic because it may result in trying to
5523  * overwrite an already-archived copy of that segment, and we encourage
5524  * DBAs to make their archive_commands reject that. We can dodge the
5525  * problem by making the new active segment have a new timeline ID.
5526  *
5527  * In a normal crash recovery, we can just extend the timeline we were in.
5528  */
5529  newTLI = endOfRecoveryInfo->lastRecTLI;
5531  {
5532  newTLI = findNewestTimeLine(recoveryTargetTLI) + 1;
5533  ereport(LOG,
5534  (errmsg("selected new timeline ID: %u", newTLI)));
5535 
5536  /*
5537  * Make a writable copy of the last WAL segment. (Note that we also
5538  * have a copy of the last block of the old WAL in
5539  * endOfRecovery->lastPage; we will use that below.)
5540  */
5541  XLogInitNewTimeline(EndOfLogTLI, EndOfLog, newTLI);
5542 
5543  /*
5544  * Remove the signal files out of the way, so that we don't
5545  * accidentally re-enter archive recovery mode in a subsequent crash.
5546  */
5547  if (endOfRecoveryInfo->standby_signal_file_found)
5549 
5550  if (endOfRecoveryInfo->recovery_signal_file_found)
5552 
5553  /*
5554  * Write the timeline history file, and have it archived. After this
5555  * point (or rather, as soon as the file is archived), the timeline
5556  * will appear as "taken" in the WAL archive and to any standby
5557  * servers. If we crash before actually switching to the new
5558  * timeline, standby servers will nevertheless think that we switched
5559  * to the new timeline, and will try to connect to the new timeline.
5560  * To minimize the window for that, try to do as little as possible
5561  * between here and writing the end-of-recovery record.
5562  */
5564  EndOfLog, endOfRecoveryInfo->recoveryStopReason);
5565 
5566  ereport(LOG,
5567  (errmsg("archive recovery complete")));
5568  }
5569 
5570  /* Save the selected TimeLineID in shared memory, too */
5571  XLogCtl->InsertTimeLineID = newTLI;
5572  XLogCtl->PrevTimeLineID = endOfRecoveryInfo->lastRecTLI;
5573 
5574  /*
5575  * Actually, if WAL ended in an incomplete record, skip the parts that
5576  * made it through and start writing after the portion that persisted.
5577  * (It's critical to first write an OVERWRITE_CONTRECORD message, which
5578  * we'll do as soon as we're open for writing new WAL.)
5579  */
5581  {
5582  /*
5583  * We should only have a missingContrecPtr if we're not switching to
5584  * a new timeline. When a timeline switch occurs, WAL is copied from
5585  * the old timeline to the new only up to the end of the last complete
5586  * record, so there can't be an incomplete WAL record that we need to
5587  * disregard.
5588  */
5589  Assert(newTLI == endOfRecoveryInfo->lastRecTLI);
5591  EndOfLog = missingContrecPtr;
5592  }
5593 
5594  /*
5595  * Prepare to write WAL starting at EndOfLog location, and init xlog
5596  * buffer cache using the block containing the last record from the
5597  * previous incarnation.
5598  */
5599  Insert = &XLogCtl->Insert;
5600  Insert->PrevBytePos = XLogRecPtrToBytePos(endOfRecoveryInfo->lastRec);
5601  Insert->CurrBytePos = XLogRecPtrToBytePos(EndOfLog);
5602 
5603  /*
5604  * Tricky point here: lastPage contains the *last* block that the LastRec
5605  * record spans, not the one it starts in. The last block is indeed the
5606  * one we want to use.
5607  */
5608  if (EndOfLog % XLOG_BLCKSZ != 0)
5609  {
5610  char *page;
5611  int len;
5612  int firstIdx;
5613 
5614  firstIdx = XLogRecPtrToBufIdx(EndOfLog);
5615  len = EndOfLog - endOfRecoveryInfo->lastPageBeginPtr;
5616  Assert(len < XLOG_BLCKSZ);
5617 
5618  /* Copy the valid part of the last block, and zero the rest */
5619  page = &