PostgreSQL Source Code  git master
xlog.c
Go to the documentation of this file.
1 /*-------------------------------------------------------------------------
2  *
3  * xlog.c
4  * PostgreSQL write-ahead log manager
5  *
6  * The Write-Ahead Log (WAL) functionality is split into several source
7  * files, in addition to this one:
8  *
9  * xloginsert.c - Functions for constructing WAL records
10  * xlogrecovery.c - WAL recovery and standby code
11  * xlogreader.c - Facility for reading WAL files and parsing WAL records
12  * xlogutils.c - Helper functions for WAL redo routines
13  *
14  * This file contains functions for coordinating database startup and
15  * checkpointing, and managing the write-ahead log buffers when the
16  * system is running.
17  *
18  * StartupXLOG() is the main entry point of the startup process. It
19  * coordinates database startup, performing WAL recovery, and the
20  * transition from WAL recovery into normal operations.
21  *
22  * XLogInsertRecord() inserts a WAL record into the WAL buffers. Most
23  * callers should not call this directly, but use the functions in
24  * xloginsert.c to construct the WAL record. XLogFlush() can be used
25  * to force the WAL to disk.
26  *
27  * In addition to those, there are many other functions for interrogating
28  * the current system state, and for starting/stopping backups.
29  *
30  *
31  * Portions Copyright (c) 1996-2022, PostgreSQL Global Development Group
32  * Portions Copyright (c) 1994, Regents of the University of California
33  *
34  * src/backend/access/transam/xlog.c
35  *
36  *-------------------------------------------------------------------------
37  */
38 
39 #include "postgres.h"
40 
41 #include <ctype.h>
42 #include <math.h>
43 #include <time.h>
44 #include <fcntl.h>
45 #include <sys/stat.h>
46 #include <sys/time.h>
47 #include <unistd.h>
48 
49 #include "access/clog.h"
50 #include "access/commit_ts.h"
51 #include "access/heaptoast.h"
52 #include "access/multixact.h"
53 #include "access/rewriteheap.h"
54 #include "access/subtrans.h"
55 #include "access/timeline.h"
56 #include "access/transam.h"
57 #include "access/twophase.h"
58 #include "access/xact.h"
59 #include "access/xlog_internal.h"
60 #include "access/xlogarchive.h"
61 #include "access/xloginsert.h"
62 #include "access/xlogprefetcher.h"
63 #include "access/xlogreader.h"
64 #include "access/xlogrecovery.h"
65 #include "access/xlogutils.h"
66 #include "catalog/catversion.h"
67 #include "catalog/pg_control.h"
68 #include "catalog/pg_database.h"
70 #include "common/file_utils.h"
71 #include "executor/instrument.h"
72 #include "miscadmin.h"
73 #include "pg_trace.h"
74 #include "pgstat.h"
75 #include "port/atomics.h"
76 #include "port/pg_iovec.h"
77 #include "postmaster/bgwriter.h"
78 #include "postmaster/startup.h"
79 #include "postmaster/walwriter.h"
80 #include "replication/basebackup.h"
81 #include "replication/logical.h"
82 #include "replication/origin.h"
83 #include "replication/slot.h"
84 #include "replication/snapbuild.h"
86 #include "replication/walsender.h"
87 #include "storage/bufmgr.h"
88 #include "storage/fd.h"
89 #include "storage/ipc.h"
90 #include "storage/large_object.h"
91 #include "storage/latch.h"
92 #include "storage/pmsignal.h"
93 #include "storage/predicate.h"
94 #include "storage/proc.h"
95 #include "storage/procarray.h"
96 #include "storage/reinit.h"
97 #include "storage/smgr.h"
98 #include "storage/spin.h"
99 #include "storage/sync.h"
100 #include "utils/guc.h"
101 #include "utils/memutils.h"
102 #include "utils/ps_status.h"
103 #include "utils/relmapper.h"
104 #include "utils/pg_rusage.h"
105 #include "utils/snapmgr.h"
106 #include "utils/timeout.h"
107 #include "utils/timestamp.h"
108 
110 
111 /* timeline ID to be used when bootstrapping */
112 #define BootstrapTimeLineID 1
113 
114 /* User-settable parameters */
115 int max_wal_size_mb = 1024; /* 1 GB */
116 int min_wal_size_mb = 80; /* 80 MB */
118 int XLOGbuffers = -1;
121 char *XLogArchiveCommand = NULL;
122 bool EnableHotStandby = false;
123 bool fullPageWrites = true;
124 bool wal_log_hints = false;
128 bool wal_init_zero = true;
129 bool wal_recycle = true;
130 bool log_checkpoints = true;
133 int CommitDelay = 0; /* precommit delay in microseconds */
134 int CommitSiblings = 5; /* # concurrent xacts needed to sleep */
137 int wal_decode_buffer_size = 512 * 1024;
138 bool track_wal_io_timing = false;
139 
140 #ifdef WAL_DEBUG
141 bool XLOG_DEBUG = false;
142 #endif
143 
145 
146 /*
147  * Number of WAL insertion locks to use. A higher value allows more insertions
148  * to happen concurrently, but adds some CPU overhead to flushing the WAL,
149  * which needs to iterate all the locks.
150  */
151 #define NUM_XLOGINSERT_LOCKS 8
152 
153 /*
154  * Max distance from last checkpoint, before triggering a new xlog-based
155  * checkpoint.
156  */
158 
159 /* Estimated distance between checkpoints, in bytes */
160 static double CheckPointDistanceEstimate = 0;
161 static double PrevCheckPointDistance = 0;
162 
163 /*
164  * GUC support
165  */
166 const struct config_enum_entry sync_method_options[] = {
167  {"fsync", SYNC_METHOD_FSYNC, false},
168 #ifdef HAVE_FSYNC_WRITETHROUGH
169  {"fsync_writethrough", SYNC_METHOD_FSYNC_WRITETHROUGH, false},
170 #endif
171 #ifdef HAVE_FDATASYNC
172  {"fdatasync", SYNC_METHOD_FDATASYNC, false},
173 #endif
174 #ifdef OPEN_SYNC_FLAG
175  {"open_sync", SYNC_METHOD_OPEN, false},
176 #endif
177 #ifdef OPEN_DATASYNC_FLAG
178  {"open_datasync", SYNC_METHOD_OPEN_DSYNC, false},
179 #endif
180  {NULL, 0, false}
181 };
182 
183 
184 /*
185  * Although only "on", "off", and "always" are documented,
186  * we accept all the likely variants of "on" and "off".
187  */
188 const struct config_enum_entry archive_mode_options[] = {
189  {"always", ARCHIVE_MODE_ALWAYS, false},
190  {"on", ARCHIVE_MODE_ON, false},
191  {"off", ARCHIVE_MODE_OFF, false},
192  {"true", ARCHIVE_MODE_ON, true},
193  {"false", ARCHIVE_MODE_OFF, true},
194  {"yes", ARCHIVE_MODE_ON, true},
195  {"no", ARCHIVE_MODE_OFF, true},
196  {"1", ARCHIVE_MODE_ON, true},
197  {"0", ARCHIVE_MODE_OFF, true},
198  {NULL, 0, false}
199 };
200 
201 /*
202  * Statistics for current checkpoint are collected in this global struct.
203  * Because only the checkpointer or a stand-alone backend can perform
204  * checkpoints, this will be unused in normal backends.
205  */
207 
208 /*
209  * During recovery, lastFullPageWrites keeps track of full_page_writes that
210  * the replayed WAL records indicate. It's initialized with full_page_writes
211  * that the recovery starting checkpoint record indicates, and then updated
212  * each time XLOG_FPW_CHANGE record is replayed.
213  */
214 static bool lastFullPageWrites;
215 
216 /*
217  * Local copy of the state tracked by SharedRecoveryState in shared memory,
218  * It is false if SharedRecoveryState is RECOVERY_STATE_DONE. True actually
219  * means "not known, need to check the shared state".
220  */
221 static bool LocalRecoveryInProgress = true;
222 
223 /*
224  * Local state for XLogInsertAllowed():
225  * 1: unconditionally allowed to insert XLOG
226  * 0: unconditionally not allowed to insert XLOG
227  * -1: must check RecoveryInProgress(); disallow until it is false
228  * Most processes start with -1 and transition to 1 after seeing that recovery
229  * is not in progress. But we can also force the value for special cases.
230  * The coding in XLogInsertAllowed() depends on the first two of these states
231  * being numerically the same as bool true and false.
232  */
233 static int LocalXLogInsertAllowed = -1;
234 
235 /*
236  * ProcLastRecPtr points to the start of the last XLOG record inserted by the
237  * current backend. It is updated for all inserts. XactLastRecEnd points to
238  * end+1 of the last record, and is reset when we end a top-level transaction,
239  * or start a new one; so it can be used to tell if the current transaction has
240  * created any XLOG records.
241  *
242  * While in parallel mode, this may not be fully up to date. When committing,
243  * a transaction can assume this covers all xlog records written either by the
244  * user backend or by any parallel worker which was present at any point during
245  * the transaction. But when aborting, or when still in parallel mode, other
246  * parallel backends may have written WAL records at later LSNs than the value
247  * stored here. The parallel leader advances its own copy, when necessary,
248  * in WaitForParallelWorkersToFinish.
249  */
253 
254 /*
255  * RedoRecPtr is this backend's local copy of the REDO record pointer
256  * (which is almost but not quite the same as a pointer to the most recent
257  * CHECKPOINT record). We update this from the shared-memory copy,
258  * XLogCtl->Insert.RedoRecPtr, whenever we can safely do so (ie, when we
259  * hold an insertion lock). See XLogInsertRecord for details. We are also
260  * allowed to update from XLogCtl->RedoRecPtr if we hold the info_lck;
261  * see GetRedoRecPtr.
262  *
263  * NB: Code that uses this variable must be prepared not only for the
264  * possibility that it may be arbitrarily out of date, but also for the
265  * possibility that it might be set to InvalidXLogRecPtr. We used to
266  * initialize it as a side effect of the first call to RecoveryInProgress(),
267  * which meant that most code that might use it could assume that it had a
268  * real if perhaps stale value. That's no longer the case.
269  */
271 
272 /*
273  * doPageWrites is this backend's local copy of (forcePageWrites ||
274  * fullPageWrites). It is used together with RedoRecPtr to decide whether
275  * a full-page image of a page need to be taken.
276  *
277  * NB: Initially this is false, and there's no guarantee that it will be
278  * initialized to any other value before it is first used. Any code that
279  * makes use of it must recheck the value after obtaining a WALInsertLock,
280  * and respond appropriately if it turns out that the previous value wasn't
281  * accurate.
282  */
283 static bool doPageWrites;
284 
285 /*----------
286  * Shared-memory data structures for XLOG control
287  *
288  * LogwrtRqst indicates a byte position that we need to write and/or fsync
289  * the log up to (all records before that point must be written or fsynced).
290  * LogwrtResult indicates the byte positions we have already written/fsynced.
291  * These structs are identical but are declared separately to indicate their
292  * slightly different functions.
293  *
294  * To read XLogCtl->LogwrtResult, you must hold either info_lck or
295  * WALWriteLock. To update it, you need to hold both locks. The point of
296  * this arrangement is that the value can be examined by code that already
297  * holds WALWriteLock without needing to grab info_lck as well. In addition
298  * to the shared variable, each backend has a private copy of LogwrtResult,
299  * which is updated when convenient.
300  *
301  * The request bookkeeping is simpler: there is a shared XLogCtl->LogwrtRqst
302  * (protected by info_lck), but we don't need to cache any copies of it.
303  *
304  * info_lck is only held long enough to read/update the protected variables,
305  * so it's a plain spinlock. The other locks are held longer (potentially
306  * over I/O operations), so we use LWLocks for them. These locks are:
307  *
308  * WALBufMappingLock: must be held to replace a page in the WAL buffer cache.
309  * It is only held while initializing and changing the mapping. If the
310  * contents of the buffer being replaced haven't been written yet, the mapping
311  * lock is released while the write is done, and reacquired afterwards.
312  *
313  * WALWriteLock: must be held to write WAL buffers to disk (XLogWrite or
314  * XLogFlush).
315  *
316  * ControlFileLock: must be held to read/update control file or create
317  * new log file.
318  *
319  *----------
320  */
321 
322 typedef struct XLogwrtRqst
323 {
324  XLogRecPtr Write; /* last byte + 1 to write out */
325  XLogRecPtr Flush; /* last byte + 1 to flush */
327 
328 typedef struct XLogwrtResult
329 {
330  XLogRecPtr Write; /* last byte + 1 written out */
331  XLogRecPtr Flush; /* last byte + 1 flushed */
333 
334 /*
335  * Inserting to WAL is protected by a small fixed number of WAL insertion
336  * locks. To insert to the WAL, you must hold one of the locks - it doesn't
337  * matter which one. To lock out other concurrent insertions, you must hold
338  * of them. Each WAL insertion lock consists of a lightweight lock, plus an
339  * indicator of how far the insertion has progressed (insertingAt).
340  *
341  * The insertingAt values are read when a process wants to flush WAL from
342  * the in-memory buffers to disk, to check that all the insertions to the
343  * region the process is about to write out have finished. You could simply
344  * wait for all currently in-progress insertions to finish, but the
345  * insertingAt indicator allows you to ignore insertions to later in the WAL,
346  * so that you only wait for the insertions that are modifying the buffers
347  * you're about to write out.
348  *
349  * This isn't just an optimization. If all the WAL buffers are dirty, an
350  * inserter that's holding a WAL insert lock might need to evict an old WAL
351  * buffer, which requires flushing the WAL. If it's possible for an inserter
352  * to block on another inserter unnecessarily, deadlock can arise when two
353  * inserters holding a WAL insert lock wait for each other to finish their
354  * insertion.
355  *
356  * Small WAL records that don't cross a page boundary never update the value,
357  * the WAL record is just copied to the page and the lock is released. But
358  * to avoid the deadlock-scenario explained above, the indicator is always
359  * updated before sleeping while holding an insertion lock.
360  *
361  * lastImportantAt contains the LSN of the last important WAL record inserted
362  * using a given lock. This value is used to detect if there has been
363  * important WAL activity since the last time some action, like a checkpoint,
364  * was performed - allowing to not repeat the action if not. The LSN is
365  * updated for all insertions, unless the XLOG_MARK_UNIMPORTANT flag was
366  * set. lastImportantAt is never cleared, only overwritten by the LSN of newer
367  * records. Tracking the WAL activity directly in WALInsertLock has the
368  * advantage of not needing any additional locks to update the value.
369  */
370 typedef struct
371 {
375 } WALInsertLock;
376 
377 /*
378  * All the WAL insertion locks are allocated as an array in shared memory. We
379  * force the array stride to be a power of 2, which saves a few cycles in
380  * indexing, but more importantly also ensures that individual slots don't
381  * cross cache line boundaries. (Of course, we have to also ensure that the
382  * array start address is suitably aligned.)
383  */
384 typedef union WALInsertLockPadded
385 {
389 
390 /*
391  * Session status of running backup, used for sanity checks in SQL-callable
392  * functions to start and stop backups.
393  */
395 
396 /*
397  * Shared state data for WAL insertion.
398  */
399 typedef struct XLogCtlInsert
400 {
401  slock_t insertpos_lck; /* protects CurrBytePos and PrevBytePos */
402 
403  /*
404  * CurrBytePos is the end of reserved WAL. The next record will be
405  * inserted at that position. PrevBytePos is the start position of the
406  * previously inserted (or rather, reserved) record - it is copied to the
407  * prev-link of the next record. These are stored as "usable byte
408  * positions" rather than XLogRecPtrs (see XLogBytePosToRecPtr()).
409  */
410  uint64 CurrBytePos;
411  uint64 PrevBytePos;
412 
413  /*
414  * Make sure the above heavily-contended spinlock and byte positions are
415  * on their own cache line. In particular, the RedoRecPtr and full page
416  * write variables below should be on a different cache line. They are
417  * read on every WAL insertion, but updated rarely, and we don't want
418  * those reads to steal the cache line containing Curr/PrevBytePos.
419  */
421 
422  /*
423  * fullPageWrites is the authoritative value used by all backends to
424  * determine whether to write full-page image to WAL. This shared value,
425  * instead of the process-local fullPageWrites, is required because, when
426  * full_page_writes is changed by SIGHUP, we must WAL-log it before it
427  * actually affects WAL-logging by backends. Checkpointer sets at startup
428  * or after SIGHUP.
429  *
430  * To read these fields, you must hold an insertion lock. To modify them,
431  * you must hold ALL the locks.
432  */
433  XLogRecPtr RedoRecPtr; /* current redo point for insertions */
434  bool forcePageWrites; /* forcing full-page writes for PITR? */
436 
437  /*
438  * runningBackups is a counter indicating the number of backups currently
439  * in progress. forcePageWrites is set to true when runningBackups is
440  * non-zero. lastBackupStart is the latest checkpoint redo location used
441  * as a starting point for an online backup.
442  */
445 
446  /*
447  * WAL insertion locks.
448  */
451 
452 /*
453  * Total shared-memory state for XLOG.
454  */
455 typedef struct XLogCtlData
456 {
458 
459  /* Protected by info_lck: */
461  XLogRecPtr RedoRecPtr; /* a recent copy of Insert->RedoRecPtr */
462  FullTransactionId ckptFullXid; /* nextXid of latest checkpoint */
463  XLogRecPtr asyncXactLSN; /* LSN of newest async commit/abort */
464  XLogRecPtr replicationSlotMinLSN; /* oldest LSN needed by any slot */
465 
466  XLogSegNo lastRemovedSegNo; /* latest removed/recycled XLOG segment */
467 
468  /* Fake LSN counter, for unlogged relations. Protected by ulsn_lck. */
471 
472  /* Time and LSN of last xlog segment switch. Protected by WALWriteLock. */
475 
476  /*
477  * Protected by info_lck and WALWriteLock (you must hold either lock to
478  * read it, but both to update)
479  */
481 
482  /*
483  * Latest initialized page in the cache (last byte position + 1).
484  *
485  * To change the identity of a buffer (and InitializedUpTo), you need to
486  * hold WALBufMappingLock. To change the identity of a buffer that's
487  * still dirty, the old page needs to be written out first, and for that
488  * you need WALWriteLock, and you need to ensure that there are no
489  * in-progress insertions to the page by calling
490  * WaitXLogInsertionsToFinish().
491  */
493 
494  /*
495  * These values do not change after startup, although the pointed-to pages
496  * and xlblocks values certainly do. xlblocks values are protected by
497  * WALBufMappingLock.
498  */
499  char *pages; /* buffers for unwritten XLOG pages */
500  XLogRecPtr *xlblocks; /* 1st byte ptr-s + XLOG_BLCKSZ */
501  int XLogCacheBlck; /* highest allocated xlog buffer index */
502 
503  /*
504  * InsertTimeLineID is the timeline into which new WAL is being inserted
505  * and flushed. It is zero during recovery, and does not change once set.
506  *
507  * If we create a new timeline when the system was started up,
508  * PrevTimeLineID is the old timeline's ID that we forked off from.
509  * Otherwise it's equal to InsertTimeLineID.
510  */
513 
514  /*
515  * SharedRecoveryState indicates if we're still in crash or archive
516  * recovery. Protected by info_lck.
517  */
519 
520  /*
521  * InstallXLogFileSegmentActive indicates whether the checkpointer should
522  * arrange for future segments by recycling and/or PreallocXlogFiles().
523  * Protected by ControlFileLock. Only the startup process changes it. If
524  * true, anyone can use InstallXLogFileSegment(). If false, the startup
525  * process owns the exclusive right to install segments, by reading from
526  * the archive and possibly replacing existing files.
527  */
529 
530  /*
531  * WalWriterSleeping indicates whether the WAL writer is currently in
532  * low-power mode (and hence should be nudged if an async commit occurs).
533  * Protected by info_lck.
534  */
536 
537  /*
538  * During recovery, we keep a copy of the latest checkpoint record here.
539  * lastCheckPointRecPtr points to start of checkpoint record and
540  * lastCheckPointEndPtr points to end+1 of checkpoint record. Used by the
541  * checkpointer when it wants to create a restartpoint.
542  *
543  * Protected by info_lck.
544  */
548 
549  /*
550  * lastFpwDisableRecPtr points to the start of the last replayed
551  * XLOG_FPW_CHANGE record that instructs full_page_writes is disabled.
552  */
554 
555  slock_t info_lck; /* locks shared variables shown above */
557 
558 static XLogCtlData *XLogCtl = NULL;
559 
560 /* a private copy of XLogCtl->Insert.WALInsertLocks, for convenience */
562 
563 /*
564  * We maintain an image of pg_control in shared memory.
565  */
567 
568 /*
569  * Calculate the amount of space left on the page after 'endptr'. Beware
570  * multiple evaluation!
571  */
572 #define INSERT_FREESPACE(endptr) \
573  (((endptr) % XLOG_BLCKSZ == 0) ? 0 : (XLOG_BLCKSZ - (endptr) % XLOG_BLCKSZ))
574 
575 /* Macro to advance to next buffer index. */
576 #define NextBufIdx(idx) \
577  (((idx) == XLogCtl->XLogCacheBlck) ? 0 : ((idx) + 1))
578 
579 /*
580  * XLogRecPtrToBufIdx returns the index of the WAL buffer that holds, or
581  * would hold if it was in cache, the page containing 'recptr'.
582  */
583 #define XLogRecPtrToBufIdx(recptr) \
584  (((recptr) / XLOG_BLCKSZ) % (XLogCtl->XLogCacheBlck + 1))
585 
586 /*
587  * These are the number of bytes in a WAL page usable for WAL data.
588  */
589 #define UsableBytesInPage (XLOG_BLCKSZ - SizeOfXLogShortPHD)
590 
591 /*
592  * Convert values of GUCs measured in megabytes to equiv. segment count.
593  * Rounds down.
594  */
595 #define ConvertToXSegs(x, segsize) XLogMBVarToSegs((x), (segsize))
596 
597 /* The number of bytes in a WAL segment usable for WAL data. */
599 
600 /*
601  * Private, possibly out-of-date copy of shared LogwrtResult.
602  * See discussion above.
603  */
604 static XLogwrtResult LogwrtResult = {0, 0};
605 
606 /*
607  * openLogFile is -1 or a kernel FD for an open log file segment.
608  * openLogSegNo identifies the segment, and openLogTLI the corresponding TLI.
609  * These variables are only used to write the XLOG, and so will normally refer
610  * to the active segment.
611  *
612  * Note: call Reserve/ReleaseExternalFD to track consumption of this FD.
613  */
614 static int openLogFile = -1;
617 
618 /*
619  * Local copies of equivalent fields in the control file. When running
620  * crash recovery, LocalMinRecoveryPoint is set to InvalidXLogRecPtr as we
621  * expect to replay all the WAL available, and updateMinRecoveryPoint is
622  * switched to false to prevent any updates while replaying records.
623  * Those values are kept consistent as long as crash recovery runs.
624  */
627 static bool updateMinRecoveryPoint = true;
628 
629 /* For WALInsertLockAcquire/Release functions */
630 static int MyLockNo = 0;
631 static bool holdingAllLocks = false;
632 
633 #ifdef WAL_DEBUG
634 static MemoryContext walDebugCxt = NULL;
635 #endif
636 
637 static void CleanupAfterArchiveRecovery(TimeLineID EndOfLogTLI,
638  XLogRecPtr EndOfLog,
639  TimeLineID newTLI);
640 static void CheckRequiredParameterValues(void);
641 static void XLogReportParameters(void);
642 static int LocalSetXLogInsertAllowed(void);
643 static void CreateEndOfRecoveryRecord(void);
646  TimeLineID newTLI);
647 static void CheckPointGuts(XLogRecPtr checkPointRedo, int flags);
648 static void KeepLogSeg(XLogRecPtr recptr, XLogSegNo *logSegNo);
650 
651 static void AdvanceXLInsertBuffer(XLogRecPtr upto, TimeLineID tli,
652  bool opportunistic);
653 static void XLogWrite(XLogwrtRqst WriteRqst, TimeLineID tli, bool flexible);
654 static bool InstallXLogFileSegment(XLogSegNo *segno, char *tmppath,
655  bool find_free, XLogSegNo max_segno,
656  TimeLineID tli);
657 static void XLogFileClose(void);
658 static void PreallocXlogFiles(XLogRecPtr endptr, TimeLineID tli);
659 static void RemoveTempXlogFiles(void);
660 static void RemoveOldXlogFiles(XLogSegNo segno, XLogRecPtr lastredoptr,
661  XLogRecPtr endptr, TimeLineID insertTLI);
662 static void RemoveXlogFile(const char *segname, XLogSegNo recycleSegNo,
663  XLogSegNo *endlogSegNo, TimeLineID insertTLI);
664 static void UpdateLastRemovedPtr(char *filename);
665 static void ValidateXLOGDirectoryStructure(void);
666 static void CleanupBackupHistory(void);
667 static void UpdateMinRecoveryPoint(XLogRecPtr lsn, bool force);
668 static bool PerformRecoveryXLogAction(void);
669 static void InitControlFile(uint64 sysidentifier);
670 static void WriteControlFile(void);
671 static void ReadControlFile(void);
672 static void UpdateControlFile(void);
673 static char *str_time(pg_time_t tnow);
674 
675 static void pg_backup_start_callback(int code, Datum arg);
676 
677 static int get_sync_bit(int method);
678 
679 static void CopyXLogRecordToWAL(int write_len, bool isLogSwitch,
680  XLogRecData *rdata,
681  XLogRecPtr StartPos, XLogRecPtr EndPos,
682  TimeLineID tli);
683 static void ReserveXLogInsertLocation(int size, XLogRecPtr *StartPos,
684  XLogRecPtr *EndPos, XLogRecPtr *PrevPtr);
685 static bool ReserveXLogSwitch(XLogRecPtr *StartPos, XLogRecPtr *EndPos,
686  XLogRecPtr *PrevPtr);
688 static char *GetXLogBuffer(XLogRecPtr ptr, TimeLineID tli);
689 static XLogRecPtr XLogBytePosToRecPtr(uint64 bytepos);
690 static XLogRecPtr XLogBytePosToEndRecPtr(uint64 bytepos);
691 static uint64 XLogRecPtrToBytePos(XLogRecPtr ptr);
692 
693 static void WALInsertLockAcquire(void);
694 static void WALInsertLockAcquireExclusive(void);
695 static void WALInsertLockRelease(void);
696 static void WALInsertLockUpdateInsertingAt(XLogRecPtr insertingAt);
697 
698 /*
699  * Insert an XLOG record represented by an already-constructed chain of data
700  * chunks. This is a low-level routine; to construct the WAL record header
701  * and data, use the higher-level routines in xloginsert.c.
702  *
703  * If 'fpw_lsn' is valid, it is the oldest LSN among the pages that this
704  * WAL record applies to, that were not included in the record as full page
705  * images. If fpw_lsn <= RedoRecPtr, the function does not perform the
706  * insertion and returns InvalidXLogRecPtr. The caller can then recalculate
707  * which pages need a full-page image, and retry. If fpw_lsn is invalid, the
708  * record is always inserted.
709  *
710  * 'flags' gives more in-depth control on the record being inserted. See
711  * XLogSetRecordFlags() for details.
712  *
713  * 'topxid_included' tells whether the top-transaction id is logged along with
714  * current subtransaction. See XLogRecordAssemble().
715  *
716  * The first XLogRecData in the chain must be for the record header, and its
717  * data must be MAXALIGNed. XLogInsertRecord fills in the xl_prev and
718  * xl_crc fields in the header, the rest of the header must already be filled
719  * by the caller.
720  *
721  * Returns XLOG pointer to end of record (beginning of next record).
722  * This can be used as LSN for data pages affected by the logged action.
723  * (LSN is the XLOG point up to which the XLOG must be flushed to disk
724  * before the data page can be written out. This implements the basic
725  * WAL rule "write the log before the data".)
726  */
729  XLogRecPtr fpw_lsn,
730  uint8 flags,
731  int num_fpi,
732  bool topxid_included)
733 {
735  pg_crc32c rdata_crc;
736  bool inserted;
737  XLogRecord *rechdr = (XLogRecord *) rdata->data;
738  uint8 info = rechdr->xl_info & ~XLR_INFO_MASK;
739  bool isLogSwitch = (rechdr->xl_rmid == RM_XLOG_ID &&
740  info == XLOG_SWITCH);
741  XLogRecPtr StartPos;
742  XLogRecPtr EndPos;
743  bool prevDoPageWrites = doPageWrites;
744  TimeLineID insertTLI;
745 
746  /* we assume that all of the record header is in the first chunk */
747  Assert(rdata->len >= SizeOfXLogRecord);
748 
749  /* cross-check on whether we should be here or not */
750  if (!XLogInsertAllowed())
751  elog(ERROR, "cannot make new WAL entries during recovery");
752 
753  /*
754  * Given that we're not in recovery, InsertTimeLineID is set and can't
755  * change, so we can read it without a lock.
756  */
757  insertTLI = XLogCtl->InsertTimeLineID;
758 
759  /*----------
760  *
761  * We have now done all the preparatory work we can without holding a
762  * lock or modifying shared state. From here on, inserting the new WAL
763  * record to the shared WAL buffer cache is a two-step process:
764  *
765  * 1. Reserve the right amount of space from the WAL. The current head of
766  * reserved space is kept in Insert->CurrBytePos, and is protected by
767  * insertpos_lck.
768  *
769  * 2. Copy the record to the reserved WAL space. This involves finding the
770  * correct WAL buffer containing the reserved space, and copying the
771  * record in place. This can be done concurrently in multiple processes.
772  *
773  * To keep track of which insertions are still in-progress, each concurrent
774  * inserter acquires an insertion lock. In addition to just indicating that
775  * an insertion is in progress, the lock tells others how far the inserter
776  * has progressed. There is a small fixed number of insertion locks,
777  * determined by NUM_XLOGINSERT_LOCKS. When an inserter crosses a page
778  * boundary, it updates the value stored in the lock to the how far it has
779  * inserted, to allow the previous buffer to be flushed.
780  *
781  * Holding onto an insertion lock also protects RedoRecPtr and
782  * fullPageWrites from changing until the insertion is finished.
783  *
784  * Step 2 can usually be done completely in parallel. If the required WAL
785  * page is not initialized yet, you have to grab WALBufMappingLock to
786  * initialize it, but the WAL writer tries to do that ahead of insertions
787  * to avoid that from happening in the critical path.
788  *
789  *----------
790  */
792  if (isLogSwitch)
794  else
796 
797  /*
798  * Check to see if my copy of RedoRecPtr is out of date. If so, may have
799  * to go back and have the caller recompute everything. This can only
800  * happen just after a checkpoint, so it's better to be slow in this case
801  * and fast otherwise.
802  *
803  * Also check to see if fullPageWrites or forcePageWrites was just turned
804  * on; if we weren't already doing full-page writes then go back and
805  * recompute.
806  *
807  * If we aren't doing full-page writes then RedoRecPtr doesn't actually
808  * affect the contents of the XLOG record, so we'll update our local copy
809  * but not force a recomputation. (If doPageWrites was just turned off,
810  * we could recompute the record without full pages, but we choose not to
811  * bother.)
812  */
813  if (RedoRecPtr != Insert->RedoRecPtr)
814  {
815  Assert(RedoRecPtr < Insert->RedoRecPtr);
816  RedoRecPtr = Insert->RedoRecPtr;
817  }
818  doPageWrites = (Insert->fullPageWrites || Insert->forcePageWrites);
819 
820  if (doPageWrites &&
821  (!prevDoPageWrites ||
822  (fpw_lsn != InvalidXLogRecPtr && fpw_lsn <= RedoRecPtr)))
823  {
824  /*
825  * Oops, some buffer now needs to be backed up that the caller didn't
826  * back up. Start over.
827  */
830  return InvalidXLogRecPtr;
831  }
832 
833  /*
834  * Reserve space for the record in the WAL. This also sets the xl_prev
835  * pointer.
836  */
837  if (isLogSwitch)
838  inserted = ReserveXLogSwitch(&StartPos, &EndPos, &rechdr->xl_prev);
839  else
840  {
841  ReserveXLogInsertLocation(rechdr->xl_tot_len, &StartPos, &EndPos,
842  &rechdr->xl_prev);
843  inserted = true;
844  }
845 
846  if (inserted)
847  {
848  /*
849  * Now that xl_prev has been filled in, calculate CRC of the record
850  * header.
851  */
852  rdata_crc = rechdr->xl_crc;
853  COMP_CRC32C(rdata_crc, rechdr, offsetof(XLogRecord, xl_crc));
854  FIN_CRC32C(rdata_crc);
855  rechdr->xl_crc = rdata_crc;
856 
857  /*
858  * All the record data, including the header, is now ready to be
859  * inserted. Copy the record in the space reserved.
860  */
861  CopyXLogRecordToWAL(rechdr->xl_tot_len, isLogSwitch, rdata,
862  StartPos, EndPos, insertTLI);
863 
864  /*
865  * Unless record is flagged as not important, update LSN of last
866  * important record in the current slot. When holding all locks, just
867  * update the first one.
868  */
869  if ((flags & XLOG_MARK_UNIMPORTANT) == 0)
870  {
871  int lockno = holdingAllLocks ? 0 : MyLockNo;
872 
873  WALInsertLocks[lockno].l.lastImportantAt = StartPos;
874  }
875  }
876  else
877  {
878  /*
879  * This was an xlog-switch record, but the current insert location was
880  * already exactly at the beginning of a segment, so there was no need
881  * to do anything.
882  */
883  }
884 
885  /*
886  * Done! Let others know that we're finished.
887  */
889 
891 
893 
894  /*
895  * Mark top transaction id is logged (if needed) so that we should not try
896  * to log it again with the next WAL record in the current subtransaction.
897  */
898  if (topxid_included)
900 
901  /*
902  * Update shared LogwrtRqst.Write, if we crossed page boundary.
903  */
904  if (StartPos / XLOG_BLCKSZ != EndPos / XLOG_BLCKSZ)
905  {
907  /* advance global request to include new block(s) */
908  if (XLogCtl->LogwrtRqst.Write < EndPos)
909  XLogCtl->LogwrtRqst.Write = EndPos;
910  /* update local result copy while I have the chance */
913  }
914 
915  /*
916  * If this was an XLOG_SWITCH record, flush the record and the empty
917  * padding space that fills the rest of the segment, and perform
918  * end-of-segment actions (eg, notifying archiver).
919  */
920  if (isLogSwitch)
921  {
922  TRACE_POSTGRESQL_WAL_SWITCH();
923  XLogFlush(EndPos);
924 
925  /*
926  * Even though we reserved the rest of the segment for us, which is
927  * reflected in EndPos, we return a pointer to just the end of the
928  * xlog-switch record.
929  */
930  if (inserted)
931  {
932  EndPos = StartPos + SizeOfXLogRecord;
933  if (StartPos / XLOG_BLCKSZ != EndPos / XLOG_BLCKSZ)
934  {
935  uint64 offset = XLogSegmentOffset(EndPos, wal_segment_size);
936 
937  if (offset == EndPos % XLOG_BLCKSZ)
938  EndPos += SizeOfXLogLongPHD;
939  else
940  EndPos += SizeOfXLogShortPHD;
941  }
942  }
943  }
944 
945 #ifdef WAL_DEBUG
946  if (XLOG_DEBUG)
947  {
948  static XLogReaderState *debug_reader = NULL;
949  XLogRecord *record;
950  DecodedXLogRecord *decoded;
952  StringInfoData recordBuf;
953  char *errormsg = NULL;
954  MemoryContext oldCxt;
955 
956  oldCxt = MemoryContextSwitchTo(walDebugCxt);
957 
959  appendStringInfo(&buf, "INSERT @ %X/%X: ", LSN_FORMAT_ARGS(EndPos));
960 
961  /*
962  * We have to piece together the WAL record data from the XLogRecData
963  * entries, so that we can pass it to the rm_desc function as one
964  * contiguous chunk.
965  */
966  initStringInfo(&recordBuf);
967  for (; rdata != NULL; rdata = rdata->next)
968  appendBinaryStringInfo(&recordBuf, rdata->data, rdata->len);
969 
970  /* We also need temporary space to decode the record. */
971  record = (XLogRecord *) recordBuf.data;
972  decoded = (DecodedXLogRecord *)
974 
975  if (!debug_reader)
976  debug_reader = XLogReaderAllocate(wal_segment_size, NULL,
977  XL_ROUTINE(), NULL);
978 
979  if (!debug_reader)
980  {
981  appendStringInfoString(&buf, "error decoding record: out of memory while allocating a WAL reading processor");
982  }
983  else if (!DecodeXLogRecord(debug_reader,
984  decoded,
985  record,
986  EndPos,
987  &errormsg))
988  {
989  appendStringInfo(&buf, "error decoding record: %s",
990  errormsg ? errormsg : "no error message");
991  }
992  else
993  {
994  appendStringInfoString(&buf, " - ");
995 
996  debug_reader->record = decoded;
997  xlog_outdesc(&buf, debug_reader);
998  debug_reader->record = NULL;
999  }
1000  elog(LOG, "%s", buf.data);
1001 
1002  pfree(decoded);
1003  pfree(buf.data);
1004  pfree(recordBuf.data);
1005  MemoryContextSwitchTo(oldCxt);
1006  }
1007 #endif
1008 
1009  /*
1010  * Update our global variables
1011  */
1012  ProcLastRecPtr = StartPos;
1013  XactLastRecEnd = EndPos;
1014 
1015  /* Report WAL traffic to the instrumentation. */
1016  if (inserted)
1017  {
1018  pgWalUsage.wal_bytes += rechdr->xl_tot_len;
1020  pgWalUsage.wal_fpi += num_fpi;
1021  }
1022 
1023  return EndPos;
1024 }
1025 
1026 /*
1027  * Reserves the right amount of space for a record of given size from the WAL.
1028  * *StartPos is set to the beginning of the reserved section, *EndPos to
1029  * its end+1. *PrevPtr is set to the beginning of the previous record; it is
1030  * used to set the xl_prev of this record.
1031  *
1032  * This is the performance critical part of XLogInsert that must be serialized
1033  * across backends. The rest can happen mostly in parallel. Try to keep this
1034  * section as short as possible, insertpos_lck can be heavily contended on a
1035  * busy system.
1036  *
1037  * NB: The space calculation here must match the code in CopyXLogRecordToWAL,
1038  * where we actually copy the record to the reserved space.
1039  */
1040 static void
1041 ReserveXLogInsertLocation(int size, XLogRecPtr *StartPos, XLogRecPtr *EndPos,
1042  XLogRecPtr *PrevPtr)
1043 {
1045  uint64 startbytepos;
1046  uint64 endbytepos;
1047  uint64 prevbytepos;
1048 
1049  size = MAXALIGN(size);
1050 
1051  /* All (non xlog-switch) records should contain data. */
1052  Assert(size > SizeOfXLogRecord);
1053 
1054  /*
1055  * The duration the spinlock needs to be held is minimized by minimizing
1056  * the calculations that have to be done while holding the lock. The
1057  * current tip of reserved WAL is kept in CurrBytePos, as a byte position
1058  * that only counts "usable" bytes in WAL, that is, it excludes all WAL
1059  * page headers. The mapping between "usable" byte positions and physical
1060  * positions (XLogRecPtrs) can be done outside the locked region, and
1061  * because the usable byte position doesn't include any headers, reserving
1062  * X bytes from WAL is almost as simple as "CurrBytePos += X".
1063  */
1064  SpinLockAcquire(&Insert->insertpos_lck);
1065 
1066  startbytepos = Insert->CurrBytePos;
1067  endbytepos = startbytepos + size;
1068  prevbytepos = Insert->PrevBytePos;
1069  Insert->CurrBytePos = endbytepos;
1070  Insert->PrevBytePos = startbytepos;
1071 
1072  SpinLockRelease(&Insert->insertpos_lck);
1073 
1074  *StartPos = XLogBytePosToRecPtr(startbytepos);
1075  *EndPos = XLogBytePosToEndRecPtr(endbytepos);
1076  *PrevPtr = XLogBytePosToRecPtr(prevbytepos);
1077 
1078  /*
1079  * Check that the conversions between "usable byte positions" and
1080  * XLogRecPtrs work consistently in both directions.
1081  */
1082  Assert(XLogRecPtrToBytePos(*StartPos) == startbytepos);
1083  Assert(XLogRecPtrToBytePos(*EndPos) == endbytepos);
1084  Assert(XLogRecPtrToBytePos(*PrevPtr) == prevbytepos);
1085 }
1086 
1087 /*
1088  * Like ReserveXLogInsertLocation(), but for an xlog-switch record.
1089  *
1090  * A log-switch record is handled slightly differently. The rest of the
1091  * segment will be reserved for this insertion, as indicated by the returned
1092  * *EndPos value. However, if we are already at the beginning of the current
1093  * segment, *StartPos and *EndPos are set to the current location without
1094  * reserving any space, and the function returns false.
1095 */
1096 static bool
1097 ReserveXLogSwitch(XLogRecPtr *StartPos, XLogRecPtr *EndPos, XLogRecPtr *PrevPtr)
1098 {
1100  uint64 startbytepos;
1101  uint64 endbytepos;
1102  uint64 prevbytepos;
1104  XLogRecPtr ptr;
1105  uint32 segleft;
1106 
1107  /*
1108  * These calculations are a bit heavy-weight to be done while holding a
1109  * spinlock, but since we're holding all the WAL insertion locks, there
1110  * are no other inserters competing for it. GetXLogInsertRecPtr() does
1111  * compete for it, but that's not called very frequently.
1112  */
1113  SpinLockAcquire(&Insert->insertpos_lck);
1114 
1115  startbytepos = Insert->CurrBytePos;
1116 
1117  ptr = XLogBytePosToEndRecPtr(startbytepos);
1118  if (XLogSegmentOffset(ptr, wal_segment_size) == 0)
1119  {
1120  SpinLockRelease(&Insert->insertpos_lck);
1121  *EndPos = *StartPos = ptr;
1122  return false;
1123  }
1124 
1125  endbytepos = startbytepos + size;
1126  prevbytepos = Insert->PrevBytePos;
1127 
1128  *StartPos = XLogBytePosToRecPtr(startbytepos);
1129  *EndPos = XLogBytePosToEndRecPtr(endbytepos);
1130 
1131  segleft = wal_segment_size - XLogSegmentOffset(*EndPos, wal_segment_size);
1132  if (segleft != wal_segment_size)
1133  {
1134  /* consume the rest of the segment */
1135  *EndPos += segleft;
1136  endbytepos = XLogRecPtrToBytePos(*EndPos);
1137  }
1138  Insert->CurrBytePos = endbytepos;
1139  Insert->PrevBytePos = startbytepos;
1140 
1141  SpinLockRelease(&Insert->insertpos_lck);
1142 
1143  *PrevPtr = XLogBytePosToRecPtr(prevbytepos);
1144 
1145  Assert(XLogSegmentOffset(*EndPos, wal_segment_size) == 0);
1146  Assert(XLogRecPtrToBytePos(*EndPos) == endbytepos);
1147  Assert(XLogRecPtrToBytePos(*StartPos) == startbytepos);
1148  Assert(XLogRecPtrToBytePos(*PrevPtr) == prevbytepos);
1149 
1150  return true;
1151 }
1152 
1153 /*
1154  * Subroutine of XLogInsertRecord. Copies a WAL record to an already-reserved
1155  * area in the WAL.
1156  */
1157 static void
1158 CopyXLogRecordToWAL(int write_len, bool isLogSwitch, XLogRecData *rdata,
1159  XLogRecPtr StartPos, XLogRecPtr EndPos, TimeLineID tli)
1160 {
1161  char *currpos;
1162  int freespace;
1163  int written;
1164  XLogRecPtr CurrPos;
1165  XLogPageHeader pagehdr;
1166 
1167  /*
1168  * Get a pointer to the right place in the right WAL buffer to start
1169  * inserting to.
1170  */
1171  CurrPos = StartPos;
1172  currpos = GetXLogBuffer(CurrPos, tli);
1173  freespace = INSERT_FREESPACE(CurrPos);
1174 
1175  /*
1176  * there should be enough space for at least the first field (xl_tot_len)
1177  * on this page.
1178  */
1179  Assert(freespace >= sizeof(uint32));
1180 
1181  /* Copy record data */
1182  written = 0;
1183  while (rdata != NULL)
1184  {
1185  char *rdata_data = rdata->data;
1186  int rdata_len = rdata->len;
1187 
1188  while (rdata_len > freespace)
1189  {
1190  /*
1191  * Write what fits on this page, and continue on the next page.
1192  */
1193  Assert(CurrPos % XLOG_BLCKSZ >= SizeOfXLogShortPHD || freespace == 0);
1194  memcpy(currpos, rdata_data, freespace);
1195  rdata_data += freespace;
1196  rdata_len -= freespace;
1197  written += freespace;
1198  CurrPos += freespace;
1199 
1200  /*
1201  * Get pointer to beginning of next page, and set the xlp_rem_len
1202  * in the page header. Set XLP_FIRST_IS_CONTRECORD.
1203  *
1204  * It's safe to set the contrecord flag and xlp_rem_len without a
1205  * lock on the page. All the other flags were already set when the
1206  * page was initialized, in AdvanceXLInsertBuffer, and we're the
1207  * only backend that needs to set the contrecord flag.
1208  */
1209  currpos = GetXLogBuffer(CurrPos, tli);
1210  pagehdr = (XLogPageHeader) currpos;
1211  pagehdr->xlp_rem_len = write_len - written;
1212  pagehdr->xlp_info |= XLP_FIRST_IS_CONTRECORD;
1213 
1214  /* skip over the page header */
1215  if (XLogSegmentOffset(CurrPos, wal_segment_size) == 0)
1216  {
1217  CurrPos += SizeOfXLogLongPHD;
1218  currpos += SizeOfXLogLongPHD;
1219  }
1220  else
1221  {
1222  CurrPos += SizeOfXLogShortPHD;
1223  currpos += SizeOfXLogShortPHD;
1224  }
1225  freespace = INSERT_FREESPACE(CurrPos);
1226  }
1227 
1228  Assert(CurrPos % XLOG_BLCKSZ >= SizeOfXLogShortPHD || rdata_len == 0);
1229  memcpy(currpos, rdata_data, rdata_len);
1230  currpos += rdata_len;
1231  CurrPos += rdata_len;
1232  freespace -= rdata_len;
1233  written += rdata_len;
1234 
1235  rdata = rdata->next;
1236  }
1237  Assert(written == write_len);
1238 
1239  /*
1240  * If this was an xlog-switch, it's not enough to write the switch record,
1241  * we also have to consume all the remaining space in the WAL segment. We
1242  * have already reserved that space, but we need to actually fill it.
1243  */
1244  if (isLogSwitch && XLogSegmentOffset(CurrPos, wal_segment_size) != 0)
1245  {
1246  /* An xlog-switch record doesn't contain any data besides the header */
1247  Assert(write_len == SizeOfXLogRecord);
1248 
1249  /* Assert that we did reserve the right amount of space */
1250  Assert(XLogSegmentOffset(EndPos, wal_segment_size) == 0);
1251 
1252  /* Use up all the remaining space on the current page */
1253  CurrPos += freespace;
1254 
1255  /*
1256  * Cause all remaining pages in the segment to be flushed, leaving the
1257  * XLog position where it should be, at the start of the next segment.
1258  * We do this one page at a time, to make sure we don't deadlock
1259  * against ourselves if wal_buffers < wal_segment_size.
1260  */
1261  while (CurrPos < EndPos)
1262  {
1263  /*
1264  * The minimal action to flush the page would be to call
1265  * WALInsertLockUpdateInsertingAt(CurrPos) followed by
1266  * AdvanceXLInsertBuffer(...). The page would be left initialized
1267  * mostly to zeros, except for the page header (always the short
1268  * variant, as this is never a segment's first page).
1269  *
1270  * The large vistas of zeros are good for compressibility, but the
1271  * headers interrupting them every XLOG_BLCKSZ (with values that
1272  * differ from page to page) are not. The effect varies with
1273  * compression tool, but bzip2 for instance compresses about an
1274  * order of magnitude worse if those headers are left in place.
1275  *
1276  * Rather than complicating AdvanceXLInsertBuffer itself (which is
1277  * called in heavily-loaded circumstances as well as this lightly-
1278  * loaded one) with variant behavior, we just use GetXLogBuffer
1279  * (which itself calls the two methods we need) to get the pointer
1280  * and zero most of the page. Then we just zero the page header.
1281  */
1282  currpos = GetXLogBuffer(CurrPos, tli);
1283  MemSet(currpos, 0, SizeOfXLogShortPHD);
1284 
1285  CurrPos += XLOG_BLCKSZ;
1286  }
1287  }
1288  else
1289  {
1290  /* Align the end position, so that the next record starts aligned */
1291  CurrPos = MAXALIGN64(CurrPos);
1292  }
1293 
1294  if (CurrPos != EndPos)
1295  elog(PANIC, "space reserved for WAL record does not match what was written");
1296 }
1297 
1298 /*
1299  * Acquire a WAL insertion lock, for inserting to WAL.
1300  */
1301 static void
1303 {
1304  bool immed;
1305 
1306  /*
1307  * It doesn't matter which of the WAL insertion locks we acquire, so try
1308  * the one we used last time. If the system isn't particularly busy, it's
1309  * a good bet that it's still available, and it's good to have some
1310  * affinity to a particular lock so that you don't unnecessarily bounce
1311  * cache lines between processes when there's no contention.
1312  *
1313  * If this is the first time through in this backend, pick a lock
1314  * (semi-)randomly. This allows the locks to be used evenly if you have a
1315  * lot of very short connections.
1316  */
1317  static int lockToTry = -1;
1318 
1319  if (lockToTry == -1)
1320  lockToTry = MyProc->pgprocno % NUM_XLOGINSERT_LOCKS;
1321  MyLockNo = lockToTry;
1322 
1323  /*
1324  * The insertingAt value is initially set to 0, as we don't know our
1325  * insert location yet.
1326  */
1328  if (!immed)
1329  {
1330  /*
1331  * If we couldn't get the lock immediately, try another lock next
1332  * time. On a system with more insertion locks than concurrent
1333  * inserters, this causes all the inserters to eventually migrate to a
1334  * lock that no-one else is using. On a system with more inserters
1335  * than locks, it still helps to distribute the inserters evenly
1336  * across the locks.
1337  */
1338  lockToTry = (lockToTry + 1) % NUM_XLOGINSERT_LOCKS;
1339  }
1340 }
1341 
1342 /*
1343  * Acquire all WAL insertion locks, to prevent other backends from inserting
1344  * to WAL.
1345  */
1346 static void
1348 {
1349  int i;
1350 
1351  /*
1352  * When holding all the locks, all but the last lock's insertingAt
1353  * indicator is set to 0xFFFFFFFFFFFFFFFF, which is higher than any real
1354  * XLogRecPtr value, to make sure that no-one blocks waiting on those.
1355  */
1356  for (i = 0; i < NUM_XLOGINSERT_LOCKS - 1; i++)
1357  {
1359  LWLockUpdateVar(&WALInsertLocks[i].l.lock,
1361  PG_UINT64_MAX);
1362  }
1363  /* Variable value reset to 0 at release */
1365 
1366  holdingAllLocks = true;
1367 }
1368 
1369 /*
1370  * Release our insertion lock (or locks, if we're holding them all).
1371  *
1372  * NB: Reset all variables to 0, so they cause LWLockWaitForVar to block the
1373  * next time the lock is acquired.
1374  */
1375 static void
1377 {
1378  if (holdingAllLocks)
1379  {
1380  int i;
1381 
1382  for (i = 0; i < NUM_XLOGINSERT_LOCKS; i++)
1385  0);
1386 
1387  holdingAllLocks = false;
1388  }
1389  else
1390  {
1393  0);
1394  }
1395 }
1396 
1397 /*
1398  * Update our insertingAt value, to let others know that we've finished
1399  * inserting up to that point.
1400  */
1401 static void
1403 {
1404  if (holdingAllLocks)
1405  {
1406  /*
1407  * We use the last lock to mark our actual position, see comments in
1408  * WALInsertLockAcquireExclusive.
1409  */
1412  insertingAt);
1413  }
1414  else
1417  insertingAt);
1418 }
1419 
1420 /*
1421  * Wait for any WAL insertions < upto to finish.
1422  *
1423  * Returns the location of the oldest insertion that is still in-progress.
1424  * Any WAL prior to that point has been fully copied into WAL buffers, and
1425  * can be flushed out to disk. Because this waits for any insertions older
1426  * than 'upto' to finish, the return value is always >= 'upto'.
1427  *
1428  * Note: When you are about to write out WAL, you must call this function
1429  * *before* acquiring WALWriteLock, to avoid deadlocks. This function might
1430  * need to wait for an insertion to finish (or at least advance to next
1431  * uninitialized page), and the inserter might need to evict an old WAL buffer
1432  * to make room for a new one, which in turn requires WALWriteLock.
1433  */
1434 static XLogRecPtr
1436 {
1437  uint64 bytepos;
1438  XLogRecPtr reservedUpto;
1439  XLogRecPtr finishedUpto;
1441  int i;
1442 
1443  if (MyProc == NULL)
1444  elog(PANIC, "cannot wait without a PGPROC structure");
1445 
1446  /* Read the current insert position */
1447  SpinLockAcquire(&Insert->insertpos_lck);
1448  bytepos = Insert->CurrBytePos;
1449  SpinLockRelease(&Insert->insertpos_lck);
1450  reservedUpto = XLogBytePosToEndRecPtr(bytepos);
1451 
1452  /*
1453  * No-one should request to flush a piece of WAL that hasn't even been
1454  * reserved yet. However, it can happen if there is a block with a bogus
1455  * LSN on disk, for example. XLogFlush checks for that situation and
1456  * complains, but only after the flush. Here we just assume that to mean
1457  * that all WAL that has been reserved needs to be finished. In this
1458  * corner-case, the return value can be smaller than 'upto' argument.
1459  */
1460  if (upto > reservedUpto)
1461  {
1462  ereport(LOG,
1463  (errmsg("request to flush past end of generated WAL; request %X/%X, current position %X/%X",
1464  LSN_FORMAT_ARGS(upto), LSN_FORMAT_ARGS(reservedUpto))));
1465  upto = reservedUpto;
1466  }
1467 
1468  /*
1469  * Loop through all the locks, sleeping on any in-progress insert older
1470  * than 'upto'.
1471  *
1472  * finishedUpto is our return value, indicating the point upto which all
1473  * the WAL insertions have been finished. Initialize it to the head of
1474  * reserved WAL, and as we iterate through the insertion locks, back it
1475  * out for any insertion that's still in progress.
1476  */
1477  finishedUpto = reservedUpto;
1478  for (i = 0; i < NUM_XLOGINSERT_LOCKS; i++)
1479  {
1480  XLogRecPtr insertingat = InvalidXLogRecPtr;
1481 
1482  do
1483  {
1484  /*
1485  * See if this insertion is in progress. LWLockWaitForVar will
1486  * wait for the lock to be released, or for the 'value' to be set
1487  * by a LWLockUpdateVar call. When a lock is initially acquired,
1488  * its value is 0 (InvalidXLogRecPtr), which means that we don't
1489  * know where it's inserting yet. We will have to wait for it. If
1490  * it's a small insertion, the record will most likely fit on the
1491  * same page and the inserter will release the lock without ever
1492  * calling LWLockUpdateVar. But if it has to sleep, it will
1493  * advertise the insertion point with LWLockUpdateVar before
1494  * sleeping.
1495  */
1496  if (LWLockWaitForVar(&WALInsertLocks[i].l.lock,
1498  insertingat, &insertingat))
1499  {
1500  /* the lock was free, so no insertion in progress */
1501  insertingat = InvalidXLogRecPtr;
1502  break;
1503  }
1504 
1505  /*
1506  * This insertion is still in progress. Have to wait, unless the
1507  * inserter has proceeded past 'upto'.
1508  */
1509  } while (insertingat < upto);
1510 
1511  if (insertingat != InvalidXLogRecPtr && insertingat < finishedUpto)
1512  finishedUpto = insertingat;
1513  }
1514  return finishedUpto;
1515 }
1516 
1517 /*
1518  * Get a pointer to the right location in the WAL buffer containing the
1519  * given XLogRecPtr.
1520  *
1521  * If the page is not initialized yet, it is initialized. That might require
1522  * evicting an old dirty buffer from the buffer cache, which means I/O.
1523  *
1524  * The caller must ensure that the page containing the requested location
1525  * isn't evicted yet, and won't be evicted. The way to ensure that is to
1526  * hold onto a WAL insertion lock with the insertingAt position set to
1527  * something <= ptr. GetXLogBuffer() will update insertingAt if it needs
1528  * to evict an old page from the buffer. (This means that once you call
1529  * GetXLogBuffer() with a given 'ptr', you must not access anything before
1530  * that point anymore, and must not call GetXLogBuffer() with an older 'ptr'
1531  * later, because older buffers might be recycled already)
1532  */
1533 static char *
1535 {
1536  int idx;
1537  XLogRecPtr endptr;
1538  static uint64 cachedPage = 0;
1539  static char *cachedPos = NULL;
1540  XLogRecPtr expectedEndPtr;
1541 
1542  /*
1543  * Fast path for the common case that we need to access again the same
1544  * page as last time.
1545  */
1546  if (ptr / XLOG_BLCKSZ == cachedPage)
1547  {
1548  Assert(((XLogPageHeader) cachedPos)->xlp_magic == XLOG_PAGE_MAGIC);
1549  Assert(((XLogPageHeader) cachedPos)->xlp_pageaddr == ptr - (ptr % XLOG_BLCKSZ));
1550  return cachedPos + ptr % XLOG_BLCKSZ;
1551  }
1552 
1553  /*
1554  * The XLog buffer cache is organized so that a page is always loaded to a
1555  * particular buffer. That way we can easily calculate the buffer a given
1556  * page must be loaded into, from the XLogRecPtr alone.
1557  */
1558  idx = XLogRecPtrToBufIdx(ptr);
1559 
1560  /*
1561  * See what page is loaded in the buffer at the moment. It could be the
1562  * page we're looking for, or something older. It can't be anything newer
1563  * - that would imply the page we're looking for has already been written
1564  * out to disk and evicted, and the caller is responsible for making sure
1565  * that doesn't happen.
1566  *
1567  * However, we don't hold a lock while we read the value. If someone has
1568  * just initialized the page, it's possible that we get a "torn read" of
1569  * the XLogRecPtr if 64-bit fetches are not atomic on this platform. In
1570  * that case we will see a bogus value. That's ok, we'll grab the mapping
1571  * lock (in AdvanceXLInsertBuffer) and retry if we see anything else than
1572  * the page we're looking for. But it means that when we do this unlocked
1573  * read, we might see a value that appears to be ahead of the page we're
1574  * looking for. Don't PANIC on that, until we've verified the value while
1575  * holding the lock.
1576  */
1577  expectedEndPtr = ptr;
1578  expectedEndPtr += XLOG_BLCKSZ - ptr % XLOG_BLCKSZ;
1579 
1580  endptr = XLogCtl->xlblocks[idx];
1581  if (expectedEndPtr != endptr)
1582  {
1583  XLogRecPtr initializedUpto;
1584 
1585  /*
1586  * Before calling AdvanceXLInsertBuffer(), which can block, let others
1587  * know how far we're finished with inserting the record.
1588  *
1589  * NB: If 'ptr' points to just after the page header, advertise a
1590  * position at the beginning of the page rather than 'ptr' itself. If
1591  * there are no other insertions running, someone might try to flush
1592  * up to our advertised location. If we advertised a position after
1593  * the page header, someone might try to flush the page header, even
1594  * though page might actually not be initialized yet. As the first
1595  * inserter on the page, we are effectively responsible for making
1596  * sure that it's initialized, before we let insertingAt to move past
1597  * the page header.
1598  */
1599  if (ptr % XLOG_BLCKSZ == SizeOfXLogShortPHD &&
1600  XLogSegmentOffset(ptr, wal_segment_size) > XLOG_BLCKSZ)
1601  initializedUpto = ptr - SizeOfXLogShortPHD;
1602  else if (ptr % XLOG_BLCKSZ == SizeOfXLogLongPHD &&
1603  XLogSegmentOffset(ptr, wal_segment_size) < XLOG_BLCKSZ)
1604  initializedUpto = ptr - SizeOfXLogLongPHD;
1605  else
1606  initializedUpto = ptr;
1607 
1608  WALInsertLockUpdateInsertingAt(initializedUpto);
1609 
1610  AdvanceXLInsertBuffer(ptr, tli, false);
1611  endptr = XLogCtl->xlblocks[idx];
1612 
1613  if (expectedEndPtr != endptr)
1614  elog(PANIC, "could not find WAL buffer for %X/%X",
1615  LSN_FORMAT_ARGS(ptr));
1616  }
1617  else
1618  {
1619  /*
1620  * Make sure the initialization of the page is visible to us, and
1621  * won't arrive later to overwrite the WAL data we write on the page.
1622  */
1624  }
1625 
1626  /*
1627  * Found the buffer holding this page. Return a pointer to the right
1628  * offset within the page.
1629  */
1630  cachedPage = ptr / XLOG_BLCKSZ;
1631  cachedPos = XLogCtl->pages + idx * (Size) XLOG_BLCKSZ;
1632 
1633  Assert(((XLogPageHeader) cachedPos)->xlp_magic == XLOG_PAGE_MAGIC);
1634  Assert(((XLogPageHeader) cachedPos)->xlp_pageaddr == ptr - (ptr % XLOG_BLCKSZ));
1635 
1636  return cachedPos + ptr % XLOG_BLCKSZ;
1637 }
1638 
1639 /*
1640  * Converts a "usable byte position" to XLogRecPtr. A usable byte position
1641  * is the position starting from the beginning of WAL, excluding all WAL
1642  * page headers.
1643  */
1644 static XLogRecPtr
1645 XLogBytePosToRecPtr(uint64 bytepos)
1646 {
1647  uint64 fullsegs;
1648  uint64 fullpages;
1649  uint64 bytesleft;
1650  uint32 seg_offset;
1651  XLogRecPtr result;
1652 
1653  fullsegs = bytepos / UsableBytesInSegment;
1654  bytesleft = bytepos % UsableBytesInSegment;
1655 
1656  if (bytesleft < XLOG_BLCKSZ - SizeOfXLogLongPHD)
1657  {
1658  /* fits on first page of segment */
1659  seg_offset = bytesleft + SizeOfXLogLongPHD;
1660  }
1661  else
1662  {
1663  /* account for the first page on segment with long header */
1664  seg_offset = XLOG_BLCKSZ;
1665  bytesleft -= XLOG_BLCKSZ - SizeOfXLogLongPHD;
1666 
1667  fullpages = bytesleft / UsableBytesInPage;
1668  bytesleft = bytesleft % UsableBytesInPage;
1669 
1670  seg_offset += fullpages * XLOG_BLCKSZ + bytesleft + SizeOfXLogShortPHD;
1671  }
1672 
1673  XLogSegNoOffsetToRecPtr(fullsegs, seg_offset, wal_segment_size, result);
1674 
1675  return result;
1676 }
1677 
1678 /*
1679  * Like XLogBytePosToRecPtr, but if the position is at a page boundary,
1680  * returns a pointer to the beginning of the page (ie. before page header),
1681  * not to where the first xlog record on that page would go to. This is used
1682  * when converting a pointer to the end of a record.
1683  */
1684 static XLogRecPtr
1685 XLogBytePosToEndRecPtr(uint64 bytepos)
1686 {
1687  uint64 fullsegs;
1688  uint64 fullpages;
1689  uint64 bytesleft;
1690  uint32 seg_offset;
1691  XLogRecPtr result;
1692 
1693  fullsegs = bytepos / UsableBytesInSegment;
1694  bytesleft = bytepos % UsableBytesInSegment;
1695 
1696  if (bytesleft < XLOG_BLCKSZ - SizeOfXLogLongPHD)
1697  {
1698  /* fits on first page of segment */
1699  if (bytesleft == 0)
1700  seg_offset = 0;
1701  else
1702  seg_offset = bytesleft + SizeOfXLogLongPHD;
1703  }
1704  else
1705  {
1706  /* account for the first page on segment with long header */
1707  seg_offset = XLOG_BLCKSZ;
1708  bytesleft -= XLOG_BLCKSZ - SizeOfXLogLongPHD;
1709 
1710  fullpages = bytesleft / UsableBytesInPage;
1711  bytesleft = bytesleft % UsableBytesInPage;
1712 
1713  if (bytesleft == 0)
1714  seg_offset += fullpages * XLOG_BLCKSZ + bytesleft;
1715  else
1716  seg_offset += fullpages * XLOG_BLCKSZ + bytesleft + SizeOfXLogShortPHD;
1717  }
1718 
1719  XLogSegNoOffsetToRecPtr(fullsegs, seg_offset, wal_segment_size, result);
1720 
1721  return result;
1722 }
1723 
1724 /*
1725  * Convert an XLogRecPtr to a "usable byte position".
1726  */
1727 static uint64
1729 {
1730  uint64 fullsegs;
1731  uint32 fullpages;
1732  uint32 offset;
1733  uint64 result;
1734 
1735  XLByteToSeg(ptr, fullsegs, wal_segment_size);
1736 
1737  fullpages = (XLogSegmentOffset(ptr, wal_segment_size)) / XLOG_BLCKSZ;
1738  offset = ptr % XLOG_BLCKSZ;
1739 
1740  if (fullpages == 0)
1741  {
1742  result = fullsegs * UsableBytesInSegment;
1743  if (offset > 0)
1744  {
1745  Assert(offset >= SizeOfXLogLongPHD);
1746  result += offset - SizeOfXLogLongPHD;
1747  }
1748  }
1749  else
1750  {
1751  result = fullsegs * UsableBytesInSegment +
1752  (XLOG_BLCKSZ - SizeOfXLogLongPHD) + /* account for first page */
1753  (fullpages - 1) * UsableBytesInPage; /* full pages */
1754  if (offset > 0)
1755  {
1756  Assert(offset >= SizeOfXLogShortPHD);
1757  result += offset - SizeOfXLogShortPHD;
1758  }
1759  }
1760 
1761  return result;
1762 }
1763 
1764 /*
1765  * Initialize XLOG buffers, writing out old buffers if they still contain
1766  * unwritten data, upto the page containing 'upto'. Or if 'opportunistic' is
1767  * true, initialize as many pages as we can without having to write out
1768  * unwritten data. Any new pages are initialized to zeros, with pages headers
1769  * initialized properly.
1770  */
1771 static void
1772 AdvanceXLInsertBuffer(XLogRecPtr upto, TimeLineID tli, bool opportunistic)
1773 {
1775  int nextidx;
1776  XLogRecPtr OldPageRqstPtr;
1777  XLogwrtRqst WriteRqst;
1778  XLogRecPtr NewPageEndPtr = InvalidXLogRecPtr;
1779  XLogRecPtr NewPageBeginPtr;
1780  XLogPageHeader NewPage;
1781  int npages = 0;
1782 
1783  LWLockAcquire(WALBufMappingLock, LW_EXCLUSIVE);
1784 
1785  /*
1786  * Now that we have the lock, check if someone initialized the page
1787  * already.
1788  */
1789  while (upto >= XLogCtl->InitializedUpTo || opportunistic)
1790  {
1792 
1793  /*
1794  * Get ending-offset of the buffer page we need to replace (this may
1795  * be zero if the buffer hasn't been used yet). Fall through if it's
1796  * already written out.
1797  */
1798  OldPageRqstPtr = XLogCtl->xlblocks[nextidx];
1799  if (LogwrtResult.Write < OldPageRqstPtr)
1800  {
1801  /*
1802  * Nope, got work to do. If we just want to pre-initialize as much
1803  * as we can without flushing, give up now.
1804  */
1805  if (opportunistic)
1806  break;
1807 
1808  /* Before waiting, get info_lck and update LogwrtResult */
1810  if (XLogCtl->LogwrtRqst.Write < OldPageRqstPtr)
1811  XLogCtl->LogwrtRqst.Write = OldPageRqstPtr;
1814 
1815  /*
1816  * Now that we have an up-to-date LogwrtResult value, see if we
1817  * still need to write it or if someone else already did.
1818  */
1819  if (LogwrtResult.Write < OldPageRqstPtr)
1820  {
1821  /*
1822  * Must acquire write lock. Release WALBufMappingLock first,
1823  * to make sure that all insertions that we need to wait for
1824  * can finish (up to this same position). Otherwise we risk
1825  * deadlock.
1826  */
1827  LWLockRelease(WALBufMappingLock);
1828 
1829  WaitXLogInsertionsToFinish(OldPageRqstPtr);
1830 
1831  LWLockAcquire(WALWriteLock, LW_EXCLUSIVE);
1832 
1834  if (LogwrtResult.Write >= OldPageRqstPtr)
1835  {
1836  /* OK, someone wrote it already */
1837  LWLockRelease(WALWriteLock);
1838  }
1839  else
1840  {
1841  /* Have to write it ourselves */
1842  TRACE_POSTGRESQL_WAL_BUFFER_WRITE_DIRTY_START();
1843  WriteRqst.Write = OldPageRqstPtr;
1844  WriteRqst.Flush = 0;
1845  XLogWrite(WriteRqst, tli, false);
1846  LWLockRelease(WALWriteLock);
1848  TRACE_POSTGRESQL_WAL_BUFFER_WRITE_DIRTY_DONE();
1849  }
1850  /* Re-acquire WALBufMappingLock and retry */
1851  LWLockAcquire(WALBufMappingLock, LW_EXCLUSIVE);
1852  continue;
1853  }
1854  }
1855 
1856  /*
1857  * Now the next buffer slot is free and we can set it up to be the
1858  * next output page.
1859  */
1860  NewPageBeginPtr = XLogCtl->InitializedUpTo;
1861  NewPageEndPtr = NewPageBeginPtr + XLOG_BLCKSZ;
1862 
1863  Assert(XLogRecPtrToBufIdx(NewPageBeginPtr) == nextidx);
1864 
1865  NewPage = (XLogPageHeader) (XLogCtl->pages + nextidx * (Size) XLOG_BLCKSZ);
1866 
1867  /*
1868  * Be sure to re-zero the buffer so that bytes beyond what we've
1869  * written will look like zeroes and not valid XLOG records...
1870  */
1871  MemSet((char *) NewPage, 0, XLOG_BLCKSZ);
1872 
1873  /*
1874  * Fill the new page's header
1875  */
1876  NewPage->xlp_magic = XLOG_PAGE_MAGIC;
1877 
1878  /* NewPage->xlp_info = 0; */ /* done by memset */
1879  NewPage->xlp_tli = tli;
1880  NewPage->xlp_pageaddr = NewPageBeginPtr;
1881 
1882  /* NewPage->xlp_rem_len = 0; */ /* done by memset */
1883 
1884  /*
1885  * If online backup is not in progress, mark the header to indicate
1886  * that WAL records beginning in this page have removable backup
1887  * blocks. This allows the WAL archiver to know whether it is safe to
1888  * compress archived WAL data by transforming full-block records into
1889  * the non-full-block format. It is sufficient to record this at the
1890  * page level because we force a page switch (in fact a segment
1891  * switch) when starting a backup, so the flag will be off before any
1892  * records can be written during the backup. At the end of a backup,
1893  * the last page will be marked as all unsafe when perhaps only part
1894  * is unsafe, but at worst the archiver would miss the opportunity to
1895  * compress a few records.
1896  */
1897  if (!Insert->forcePageWrites)
1898  NewPage->xlp_info |= XLP_BKP_REMOVABLE;
1899 
1900  /*
1901  * If first page of an XLOG segment file, make it a long header.
1902  */
1903  if ((XLogSegmentOffset(NewPage->xlp_pageaddr, wal_segment_size)) == 0)
1904  {
1905  XLogLongPageHeader NewLongPage = (XLogLongPageHeader) NewPage;
1906 
1907  NewLongPage->xlp_sysid = ControlFile->system_identifier;
1908  NewLongPage->xlp_seg_size = wal_segment_size;
1909  NewLongPage->xlp_xlog_blcksz = XLOG_BLCKSZ;
1910  NewPage->xlp_info |= XLP_LONG_HEADER;
1911  }
1912 
1913  /*
1914  * Make sure the initialization of the page becomes visible to others
1915  * before the xlblocks update. GetXLogBuffer() reads xlblocks without
1916  * holding a lock.
1917  */
1918  pg_write_barrier();
1919 
1920  *((volatile XLogRecPtr *) &XLogCtl->xlblocks[nextidx]) = NewPageEndPtr;
1921 
1922  XLogCtl->InitializedUpTo = NewPageEndPtr;
1923 
1924  npages++;
1925  }
1926  LWLockRelease(WALBufMappingLock);
1927 
1928 #ifdef WAL_DEBUG
1929  if (XLOG_DEBUG && npages > 0)
1930  {
1931  elog(DEBUG1, "initialized %d pages, up to %X/%X",
1932  npages, LSN_FORMAT_ARGS(NewPageEndPtr));
1933  }
1934 #endif
1935 }
1936 
1937 /*
1938  * Calculate CheckPointSegments based on max_wal_size_mb and
1939  * checkpoint_completion_target.
1940  */
1941 static void
1943 {
1944  double target;
1945 
1946  /*-------
1947  * Calculate the distance at which to trigger a checkpoint, to avoid
1948  * exceeding max_wal_size_mb. This is based on two assumptions:
1949  *
1950  * a) we keep WAL for only one checkpoint cycle (prior to PG11 we kept
1951  * WAL for two checkpoint cycles to allow us to recover from the
1952  * secondary checkpoint if the first checkpoint failed, though we
1953  * only did this on the primary anyway, not on standby. Keeping just
1954  * one checkpoint simplifies processing and reduces disk space in
1955  * many smaller databases.)
1956  * b) during checkpoint, we consume checkpoint_completion_target *
1957  * number of segments consumed between checkpoints.
1958  *-------
1959  */
1960  target = (double) ConvertToXSegs(max_wal_size_mb, wal_segment_size) /
1962 
1963  /* round down */
1964  CheckPointSegments = (int) target;
1965 
1966  if (CheckPointSegments < 1)
1967  CheckPointSegments = 1;
1968 }
1969 
1970 void
1971 assign_max_wal_size(int newval, void *extra)
1972 {
1975 }
1976 
1977 void
1979 {
1982 }
1983 
1984 /*
1985  * At a checkpoint, how many WAL segments to recycle as preallocated future
1986  * XLOG segments? Returns the highest segment that should be preallocated.
1987  */
1988 static XLogSegNo
1990 {
1991  XLogSegNo minSegNo;
1992  XLogSegNo maxSegNo;
1993  double distance;
1994  XLogSegNo recycleSegNo;
1995 
1996  /*
1997  * Calculate the segment numbers that min_wal_size_mb and max_wal_size_mb
1998  * correspond to. Always recycle enough segments to meet the minimum, and
1999  * remove enough segments to stay below the maximum.
2000  */
2001  minSegNo = lastredoptr / wal_segment_size +
2003  maxSegNo = lastredoptr / wal_segment_size +
2005 
2006  /*
2007  * Between those limits, recycle enough segments to get us through to the
2008  * estimated end of next checkpoint.
2009  *
2010  * To estimate where the next checkpoint will finish, assume that the
2011  * system runs steadily consuming CheckPointDistanceEstimate bytes between
2012  * every checkpoint.
2013  */
2015  /* add 10% for good measure. */
2016  distance *= 1.10;
2017 
2018  recycleSegNo = (XLogSegNo) ceil(((double) lastredoptr + distance) /
2020 
2021  if (recycleSegNo < minSegNo)
2022  recycleSegNo = minSegNo;
2023  if (recycleSegNo > maxSegNo)
2024  recycleSegNo = maxSegNo;
2025 
2026  return recycleSegNo;
2027 }
2028 
2029 /*
2030  * Check whether we've consumed enough xlog space that a checkpoint is needed.
2031  *
2032  * new_segno indicates a log file that has just been filled up (or read
2033  * during recovery). We measure the distance from RedoRecPtr to new_segno
2034  * and see if that exceeds CheckPointSegments.
2035  *
2036  * Note: it is caller's responsibility that RedoRecPtr is up-to-date.
2037  */
2038 bool
2040 {
2041  XLogSegNo old_segno;
2042 
2044 
2045  if (new_segno >= old_segno + (uint64) (CheckPointSegments - 1))
2046  return true;
2047  return false;
2048 }
2049 
2050 /*
2051  * Write and/or fsync the log at least as far as WriteRqst indicates.
2052  *
2053  * If flexible == true, we don't have to write as far as WriteRqst, but
2054  * may stop at any convenient boundary (such as a cache or logfile boundary).
2055  * This option allows us to avoid uselessly issuing multiple writes when a
2056  * single one would do.
2057  *
2058  * Must be called with WALWriteLock held. WaitXLogInsertionsToFinish(WriteRqst)
2059  * must be called before grabbing the lock, to make sure the data is ready to
2060  * write.
2061  */
2062 static void
2063 XLogWrite(XLogwrtRqst WriteRqst, TimeLineID tli, bool flexible)
2064 {
2065  bool ispartialpage;
2066  bool last_iteration;
2067  bool finishing_seg;
2068  int curridx;
2069  int npages;
2070  int startidx;
2071  uint32 startoffset;
2072 
2073  /* We should always be inside a critical section here */
2074  Assert(CritSectionCount > 0);
2075 
2076  /*
2077  * Update local LogwrtResult (caller probably did this already, but...)
2078  */
2080 
2081  /*
2082  * Since successive pages in the xlog cache are consecutively allocated,
2083  * we can usually gather multiple pages together and issue just one
2084  * write() call. npages is the number of pages we have determined can be
2085  * written together; startidx is the cache block index of the first one,
2086  * and startoffset is the file offset at which it should go. The latter
2087  * two variables are only valid when npages > 0, but we must initialize
2088  * all of them to keep the compiler quiet.
2089  */
2090  npages = 0;
2091  startidx = 0;
2092  startoffset = 0;
2093 
2094  /*
2095  * Within the loop, curridx is the cache block index of the page to
2096  * consider writing. Begin at the buffer containing the next unwritten
2097  * page, or last partially written page.
2098  */
2100 
2101  while (LogwrtResult.Write < WriteRqst.Write)
2102  {
2103  /*
2104  * Make sure we're not ahead of the insert process. This could happen
2105  * if we're passed a bogus WriteRqst.Write that is past the end of the
2106  * last page that's been initialized by AdvanceXLInsertBuffer.
2107  */
2108  XLogRecPtr EndPtr = XLogCtl->xlblocks[curridx];
2109 
2110  if (LogwrtResult.Write >= EndPtr)
2111  elog(PANIC, "xlog write request %X/%X is past end of log %X/%X",
2113  LSN_FORMAT_ARGS(EndPtr));
2114 
2115  /* Advance LogwrtResult.Write to end of current buffer page */
2116  LogwrtResult.Write = EndPtr;
2117  ispartialpage = WriteRqst.Write < LogwrtResult.Write;
2118 
2121  {
2122  /*
2123  * Switch to new logfile segment. We cannot have any pending
2124  * pages here (since we dump what we have at segment end).
2125  */
2126  Assert(npages == 0);
2127  if (openLogFile >= 0)
2128  XLogFileClose();
2131  openLogTLI = tli;
2132 
2133  /* create/use new log file */
2136  }
2137 
2138  /* Make sure we have the current logfile open */
2139  if (openLogFile < 0)
2140  {
2143  openLogTLI = tli;
2146  }
2147 
2148  /* Add current page to the set of pending pages-to-dump */
2149  if (npages == 0)
2150  {
2151  /* first of group */
2152  startidx = curridx;
2153  startoffset = XLogSegmentOffset(LogwrtResult.Write - XLOG_BLCKSZ,
2155  }
2156  npages++;
2157 
2158  /*
2159  * Dump the set if this will be the last loop iteration, or if we are
2160  * at the last page of the cache area (since the next page won't be
2161  * contiguous in memory), or if we are at the end of the logfile
2162  * segment.
2163  */
2164  last_iteration = WriteRqst.Write <= LogwrtResult.Write;
2165 
2166  finishing_seg = !ispartialpage &&
2167  (startoffset + npages * XLOG_BLCKSZ) >= wal_segment_size;
2168 
2169  if (last_iteration ||
2170  curridx == XLogCtl->XLogCacheBlck ||
2171  finishing_seg)
2172  {
2173  char *from;
2174  Size nbytes;
2175  Size nleft;
2176  int written;
2177  instr_time start;
2178 
2179  /* OK to write the page(s) */
2180  from = XLogCtl->pages + startidx * (Size) XLOG_BLCKSZ;
2181  nbytes = npages * (Size) XLOG_BLCKSZ;
2182  nleft = nbytes;
2183  do
2184  {
2185  errno = 0;
2186 
2187  /* Measure I/O timing to write WAL data */
2188  if (track_wal_io_timing)
2189  INSTR_TIME_SET_CURRENT(start);
2190 
2192  written = pg_pwrite(openLogFile, from, nleft, startoffset);
2194 
2195  /*
2196  * Increment the I/O timing and the number of times WAL data
2197  * were written out to disk.
2198  */
2199  if (track_wal_io_timing)
2200  {
2202 
2204  INSTR_TIME_SUBTRACT(duration, start);
2206  }
2207 
2209 
2210  if (written <= 0)
2211  {
2212  char xlogfname[MAXFNAMELEN];
2213  int save_errno;
2214 
2215  if (errno == EINTR)
2216  continue;
2217 
2218  save_errno = errno;
2219  XLogFileName(xlogfname, tli, openLogSegNo,
2221  errno = save_errno;
2222  ereport(PANIC,
2224  errmsg("could not write to log file %s "
2225  "at offset %u, length %zu: %m",
2226  xlogfname, startoffset, nleft)));
2227  }
2228  nleft -= written;
2229  from += written;
2230  startoffset += written;
2231  } while (nleft > 0);
2232 
2233  npages = 0;
2234 
2235  /*
2236  * If we just wrote the whole last page of a logfile segment,
2237  * fsync the segment immediately. This avoids having to go back
2238  * and re-open prior segments when an fsync request comes along
2239  * later. Doing it here ensures that one and only one backend will
2240  * perform this fsync.
2241  *
2242  * This is also the right place to notify the Archiver that the
2243  * segment is ready to copy to archival storage, and to update the
2244  * timer for archive_timeout, and to signal for a checkpoint if
2245  * too many logfile segments have been used since the last
2246  * checkpoint.
2247  */
2248  if (finishing_seg)
2249  {
2251 
2252  /* signal that we need to wakeup walsenders later */
2254 
2255  LogwrtResult.Flush = LogwrtResult.Write; /* end of page */
2256 
2257  if (XLogArchivingActive())
2259 
2260  XLogCtl->lastSegSwitchTime = (pg_time_t) time(NULL);
2262 
2263  /*
2264  * Request a checkpoint if we've consumed too much xlog since
2265  * the last one. For speed, we first check using the local
2266  * copy of RedoRecPtr, which might be out of date; if it looks
2267  * like a checkpoint is needed, forcibly update RedoRecPtr and
2268  * recheck.
2269  */
2271  {
2272  (void) GetRedoRecPtr();
2275  }
2276  }
2277  }
2278 
2279  if (ispartialpage)
2280  {
2281  /* Only asked to write a partial page */
2282  LogwrtResult.Write = WriteRqst.Write;
2283  break;
2284  }
2285  curridx = NextBufIdx(curridx);
2286 
2287  /* If flexible, break out of loop as soon as we wrote something */
2288  if (flexible && npages == 0)
2289  break;
2290  }
2291 
2292  Assert(npages == 0);
2293 
2294  /*
2295  * If asked to flush, do so
2296  */
2297  if (LogwrtResult.Flush < WriteRqst.Flush &&
2299  {
2300  /*
2301  * Could get here without iterating above loop, in which case we might
2302  * have no open file or the wrong one. However, we do not need to
2303  * fsync more than one file.
2304  */
2305  if (sync_method != SYNC_METHOD_OPEN &&
2307  {
2308  if (openLogFile >= 0 &&
2311  XLogFileClose();
2312  if (openLogFile < 0)
2313  {
2316  openLogTLI = tli;
2319  }
2320 
2322  }
2323 
2324  /* signal that we need to wakeup walsenders later */
2326 
2328  }
2329 
2330  /*
2331  * Update shared-memory status
2332  *
2333  * We make sure that the shared 'request' values do not fall behind the
2334  * 'result' values. This is not absolutely essential, but it saves some
2335  * code in a couple of places.
2336  */
2337  {
2345  }
2346 }
2347 
2348 /*
2349  * Record the LSN for an asynchronous transaction commit/abort
2350  * and nudge the WALWriter if there is work for it to do.
2351  * (This should not be called for synchronous commits.)
2352  */
2353 void
2355 {
2356  XLogRecPtr WriteRqstPtr = asyncXactLSN;
2357  bool sleeping;
2358 
2361  sleeping = XLogCtl->WalWriterSleeping;
2362  if (XLogCtl->asyncXactLSN < asyncXactLSN)
2363  XLogCtl->asyncXactLSN = asyncXactLSN;
2365 
2366  /*
2367  * If the WALWriter is sleeping, we should kick it to make it come out of
2368  * low-power mode. Otherwise, determine whether there's a full page of
2369  * WAL available to write.
2370  */
2371  if (!sleeping)
2372  {
2373  /* back off to last completed page boundary */
2374  WriteRqstPtr -= WriteRqstPtr % XLOG_BLCKSZ;
2375 
2376  /* if we have already flushed that far, we're done */
2377  if (WriteRqstPtr <= LogwrtResult.Flush)
2378  return;
2379  }
2380 
2381  /*
2382  * Nudge the WALWriter: it has a full page of WAL to write, or we want it
2383  * to come out of low-power mode so that this async commit will reach disk
2384  * within the expected amount of time.
2385  */
2388 }
2389 
2390 /*
2391  * Record the LSN up to which we can remove WAL because it's not required by
2392  * any replication slot.
2393  */
2394 void
2396 {
2400 }
2401 
2402 
2403 /*
2404  * Return the oldest LSN we must retain to satisfy the needs of some
2405  * replication slot.
2406  */
2407 static XLogRecPtr
2409 {
2410  XLogRecPtr retval;
2411 
2413  retval = XLogCtl->replicationSlotMinLSN;
2415 
2416  return retval;
2417 }
2418 
2419 /*
2420  * Advance minRecoveryPoint in control file.
2421  *
2422  * If we crash during recovery, we must reach this point again before the
2423  * database is consistent.
2424  *
2425  * If 'force' is true, 'lsn' argument is ignored. Otherwise, minRecoveryPoint
2426  * is only updated if it's not already greater than or equal to 'lsn'.
2427  */
2428 static void
2430 {
2431  /* Quick check using our local copy of the variable */
2432  if (!updateMinRecoveryPoint || (!force && lsn <= LocalMinRecoveryPoint))
2433  return;
2434 
2435  /*
2436  * An invalid minRecoveryPoint means that we need to recover all the WAL,
2437  * i.e., we're doing crash recovery. We never modify the control file's
2438  * value in that case, so we can short-circuit future checks here too. The
2439  * local values of minRecoveryPoint and minRecoveryPointTLI should not be
2440  * updated until crash recovery finishes. We only do this for the startup
2441  * process as it should not update its own reference of minRecoveryPoint
2442  * until it has finished crash recovery to make sure that all WAL
2443  * available is replayed in this case. This also saves from extra locks
2444  * taken on the control file from the startup process.
2445  */
2447  {
2448  updateMinRecoveryPoint = false;
2449  return;
2450  }
2451 
2452  LWLockAcquire(ControlFileLock, LW_EXCLUSIVE);
2453 
2454  /* update local copy */
2457 
2459  updateMinRecoveryPoint = false;
2460  else if (force || LocalMinRecoveryPoint < lsn)
2461  {
2462  XLogRecPtr newMinRecoveryPoint;
2463  TimeLineID newMinRecoveryPointTLI;
2464 
2465  /*
2466  * To avoid having to update the control file too often, we update it
2467  * all the way to the last record being replayed, even though 'lsn'
2468  * would suffice for correctness. This also allows the 'force' case
2469  * to not need a valid 'lsn' value.
2470  *
2471  * Another important reason for doing it this way is that the passed
2472  * 'lsn' value could be bogus, i.e., past the end of available WAL, if
2473  * the caller got it from a corrupted heap page. Accepting such a
2474  * value as the min recovery point would prevent us from coming up at
2475  * all. Instead, we just log a warning and continue with recovery.
2476  * (See also the comments about corrupt LSNs in XLogFlush.)
2477  */
2478  newMinRecoveryPoint = GetCurrentReplayRecPtr(&newMinRecoveryPointTLI);
2479  if (!force && newMinRecoveryPoint < lsn)
2480  elog(WARNING,
2481  "xlog min recovery request %X/%X is past current point %X/%X",
2482  LSN_FORMAT_ARGS(lsn), LSN_FORMAT_ARGS(newMinRecoveryPoint));
2483 
2484  /* update control file */
2485  if (ControlFile->minRecoveryPoint < newMinRecoveryPoint)
2486  {
2487  ControlFile->minRecoveryPoint = newMinRecoveryPoint;
2488  ControlFile->minRecoveryPointTLI = newMinRecoveryPointTLI;
2490  LocalMinRecoveryPoint = newMinRecoveryPoint;
2491  LocalMinRecoveryPointTLI = newMinRecoveryPointTLI;
2492 
2493  ereport(DEBUG2,
2494  (errmsg_internal("updated min recovery point to %X/%X on timeline %u",
2495  LSN_FORMAT_ARGS(newMinRecoveryPoint),
2496  newMinRecoveryPointTLI)));
2497  }
2498  }
2499  LWLockRelease(ControlFileLock);
2500 }
2501 
2502 /*
2503  * Ensure that all XLOG data through the given position is flushed to disk.
2504  *
2505  * NOTE: this differs from XLogWrite mainly in that the WALWriteLock is not
2506  * already held, and we try to avoid acquiring it if possible.
2507  */
2508 void
2510 {
2511  XLogRecPtr WriteRqstPtr;
2512  XLogwrtRqst WriteRqst;
2513  TimeLineID insertTLI = XLogCtl->InsertTimeLineID;
2514 
2515  /*
2516  * During REDO, we are reading not writing WAL. Therefore, instead of
2517  * trying to flush the WAL, we should update minRecoveryPoint instead. We
2518  * test XLogInsertAllowed(), not InRecovery, because we need checkpointer
2519  * to act this way too, and because when it tries to write the
2520  * end-of-recovery checkpoint, it should indeed flush.
2521  */
2522  if (!XLogInsertAllowed())
2523  {
2524  UpdateMinRecoveryPoint(record, false);
2525  return;
2526  }
2527 
2528  /* Quick exit if already known flushed */
2529  if (record <= LogwrtResult.Flush)
2530  return;
2531 
2532 #ifdef WAL_DEBUG
2533  if (XLOG_DEBUG)
2534  elog(LOG, "xlog flush request %X/%X; write %X/%X; flush %X/%X",
2535  LSN_FORMAT_ARGS(record),
2538 #endif
2539 
2541 
2542  /*
2543  * Since fsync is usually a horribly expensive operation, we try to
2544  * piggyback as much data as we can on each fsync: if we see any more data
2545  * entered into the xlog buffer, we'll write and fsync that too, so that
2546  * the final value of LogwrtResult.Flush is as large as possible. This
2547  * gives us some chance of avoiding another fsync immediately after.
2548  */
2549 
2550  /* initialize to given target; may increase below */
2551  WriteRqstPtr = record;
2552 
2553  /*
2554  * Now wait until we get the write lock, or someone else does the flush
2555  * for us.
2556  */
2557  for (;;)
2558  {
2559  XLogRecPtr insertpos;
2560 
2561  /* read LogwrtResult and update local state */
2563  if (WriteRqstPtr < XLogCtl->LogwrtRqst.Write)
2564  WriteRqstPtr = XLogCtl->LogwrtRqst.Write;
2567 
2568  /* done already? */
2569  if (record <= LogwrtResult.Flush)
2570  break;
2571 
2572  /*
2573  * Before actually performing the write, wait for all in-flight
2574  * insertions to the pages we're about to write to finish.
2575  */
2576  insertpos = WaitXLogInsertionsToFinish(WriteRqstPtr);
2577 
2578  /*
2579  * Try to get the write lock. If we can't get it immediately, wait
2580  * until it's released, and recheck if we still need to do the flush
2581  * or if the backend that held the lock did it for us already. This
2582  * helps to maintain a good rate of group committing when the system
2583  * is bottlenecked by the speed of fsyncing.
2584  */
2585  if (!LWLockAcquireOrWait(WALWriteLock, LW_EXCLUSIVE))
2586  {
2587  /*
2588  * The lock is now free, but we didn't acquire it yet. Before we
2589  * do, loop back to check if someone else flushed the record for
2590  * us already.
2591  */
2592  continue;
2593  }
2594 
2595  /* Got the lock; recheck whether request is satisfied */
2597  if (record <= LogwrtResult.Flush)
2598  {
2599  LWLockRelease(WALWriteLock);
2600  break;
2601  }
2602 
2603  /*
2604  * Sleep before flush! By adding a delay here, we may give further
2605  * backends the opportunity to join the backlog of group commit
2606  * followers; this can significantly improve transaction throughput,
2607  * at the risk of increasing transaction latency.
2608  *
2609  * We do not sleep if enableFsync is not turned on, nor if there are
2610  * fewer than CommitSiblings other backends with active transactions.
2611  */
2612  if (CommitDelay > 0 && enableFsync &&
2614  {
2616 
2617  /*
2618  * Re-check how far we can now flush the WAL. It's generally not
2619  * safe to call WaitXLogInsertionsToFinish while holding
2620  * WALWriteLock, because an in-progress insertion might need to
2621  * also grab WALWriteLock to make progress. But we know that all
2622  * the insertions up to insertpos have already finished, because
2623  * that's what the earlier WaitXLogInsertionsToFinish() returned.
2624  * We're only calling it again to allow insertpos to be moved
2625  * further forward, not to actually wait for anyone.
2626  */
2627  insertpos = WaitXLogInsertionsToFinish(insertpos);
2628  }
2629 
2630  /* try to write/flush later additions to XLOG as well */
2631  WriteRqst.Write = insertpos;
2632  WriteRqst.Flush = insertpos;
2633 
2634  XLogWrite(WriteRqst, insertTLI, false);
2635 
2636  LWLockRelease(WALWriteLock);
2637  /* done */
2638  break;
2639  }
2640 
2641  END_CRIT_SECTION();
2642 
2643  /* wake up walsenders now that we've released heavily contended locks */
2645 
2646  /*
2647  * If we still haven't flushed to the request point then we have a
2648  * problem; most likely, the requested flush point is past end of XLOG.
2649  * This has been seen to occur when a disk page has a corrupted LSN.
2650  *
2651  * Formerly we treated this as a PANIC condition, but that hurts the
2652  * system's robustness rather than helping it: we do not want to take down
2653  * the whole system due to corruption on one data page. In particular, if
2654  * the bad page is encountered again during recovery then we would be
2655  * unable to restart the database at all! (This scenario actually
2656  * happened in the field several times with 7.1 releases.) As of 8.4, bad
2657  * LSNs encountered during recovery are UpdateMinRecoveryPoint's problem;
2658  * the only time we can reach here during recovery is while flushing the
2659  * end-of-recovery checkpoint record, and we don't expect that to have a
2660  * bad LSN.
2661  *
2662  * Note that for calls from xact.c, the ERROR will be promoted to PANIC
2663  * since xact.c calls this routine inside a critical section. However,
2664  * calls from bufmgr.c are not within critical sections and so we will not
2665  * force a restart for a bad LSN on a data page.
2666  */
2667  if (LogwrtResult.Flush < record)
2668  elog(ERROR,
2669  "xlog flush request %X/%X is not satisfied --- flushed only to %X/%X",
2670  LSN_FORMAT_ARGS(record),
2672 }
2673 
2674 /*
2675  * Write & flush xlog, but without specifying exactly where to.
2676  *
2677  * We normally write only completed blocks; but if there is nothing to do on
2678  * that basis, we check for unwritten async commits in the current incomplete
2679  * block, and write through the latest one of those. Thus, if async commits
2680  * are not being used, we will write complete blocks only.
2681  *
2682  * If, based on the above, there's anything to write we do so immediately. But
2683  * to avoid calling fsync, fdatasync et. al. at a rate that'd impact
2684  * concurrent IO, we only flush WAL every wal_writer_delay ms, or if there's
2685  * more than wal_writer_flush_after unflushed blocks.
2686  *
2687  * We can guarantee that async commits reach disk after at most three
2688  * wal_writer_delay cycles. (When flushing complete blocks, we allow XLogWrite
2689  * to write "flexibly", meaning it can stop at the end of the buffer ring;
2690  * this makes a difference only with very high load or long wal_writer_delay,
2691  * but imposes one extra cycle for the worst case for async commits.)
2692  *
2693  * This routine is invoked periodically by the background walwriter process.
2694  *
2695  * Returns true if there was any work to do, even if we skipped flushing due
2696  * to wal_writer_delay/wal_writer_flush_after.
2697  */
2698 bool
2700 {
2701  XLogwrtRqst WriteRqst;
2702  bool flexible = true;
2703  static TimestampTz lastflush;
2704  TimestampTz now;
2705  int flushbytes;
2706  TimeLineID insertTLI;
2707 
2708  /* XLOG doesn't need flushing during recovery */
2709  if (RecoveryInProgress())
2710  return false;
2711 
2712  /*
2713  * Since we're not in recovery, InsertTimeLineID is set and can't change,
2714  * so we can read it without a lock.
2715  */
2716  insertTLI = XLogCtl->InsertTimeLineID;
2717 
2718  /* read LogwrtResult and update local state */
2721  WriteRqst = XLogCtl->LogwrtRqst;
2723 
2724  /* back off to last completed page boundary */
2725  WriteRqst.Write -= WriteRqst.Write % XLOG_BLCKSZ;
2726 
2727  /* if we have already flushed that far, consider async commit records */
2728  if (WriteRqst.Write <= LogwrtResult.Flush)
2729  {
2731  WriteRqst.Write = XLogCtl->asyncXactLSN;
2733  flexible = false; /* ensure it all gets written */
2734  }
2735 
2736  /*
2737  * If already known flushed, we're done. Just need to check if we are
2738  * holding an open file handle to a logfile that's no longer in use,
2739  * preventing the file from being deleted.
2740  */
2741  if (WriteRqst.Write <= LogwrtResult.Flush)
2742  {
2743  if (openLogFile >= 0)
2744  {
2747  {
2748  XLogFileClose();
2749  }
2750  }
2751  return false;
2752  }
2753 
2754  /*
2755  * Determine how far to flush WAL, based on the wal_writer_delay and
2756  * wal_writer_flush_after GUCs.
2757  */
2759  flushbytes =
2760  WriteRqst.Write / XLOG_BLCKSZ - LogwrtResult.Flush / XLOG_BLCKSZ;
2761 
2762  if (WalWriterFlushAfter == 0 || lastflush == 0)
2763  {
2764  /* first call, or block based limits disabled */
2765  WriteRqst.Flush = WriteRqst.Write;
2766  lastflush = now;
2767  }
2768  else if (TimestampDifferenceExceeds(lastflush, now, WalWriterDelay))
2769  {
2770  /*
2771  * Flush the writes at least every WalWriterDelay ms. This is
2772  * important to bound the amount of time it takes for an asynchronous
2773  * commit to hit disk.
2774  */
2775  WriteRqst.Flush = WriteRqst.Write;
2776  lastflush = now;
2777  }
2778  else if (flushbytes >= WalWriterFlushAfter)
2779  {
2780  /* exceeded wal_writer_flush_after blocks, flush */
2781  WriteRqst.Flush = WriteRqst.Write;
2782  lastflush = now;
2783  }
2784  else
2785  {
2786  /* no flushing, this time round */
2787  WriteRqst.Flush = 0;
2788  }
2789 
2790 #ifdef WAL_DEBUG
2791  if (XLOG_DEBUG)
2792  elog(LOG, "xlog bg flush request write %X/%X; flush: %X/%X, current is write %X/%X; flush %X/%X",
2793  LSN_FORMAT_ARGS(WriteRqst.Write),
2794  LSN_FORMAT_ARGS(WriteRqst.Flush),
2797 #endif
2798 
2800 
2801  /* now wait for any in-progress insertions to finish and get write lock */
2802  WaitXLogInsertionsToFinish(WriteRqst.Write);
2803  LWLockAcquire(WALWriteLock, LW_EXCLUSIVE);
2805  if (WriteRqst.Write > LogwrtResult.Write ||
2806  WriteRqst.Flush > LogwrtResult.Flush)
2807  {
2808  XLogWrite(WriteRqst, insertTLI, flexible);
2809  }
2810  LWLockRelease(WALWriteLock);
2811 
2812  END_CRIT_SECTION();
2813 
2814  /* wake up walsenders now that we've released heavily contended locks */
2816 
2817  /*
2818  * Great, done. To take some work off the critical path, try to initialize
2819  * as many of the no-longer-needed WAL buffers for future use as we can.
2820  */
2821  AdvanceXLInsertBuffer(InvalidXLogRecPtr, insertTLI, true);
2822 
2823  /*
2824  * If we determined that we need to write data, but somebody else
2825  * wrote/flushed already, it should be considered as being active, to
2826  * avoid hibernating too early.
2827  */
2828  return true;
2829 }
2830 
2831 /*
2832  * Test whether XLOG data has been flushed up to (at least) the given position.
2833  *
2834  * Returns true if a flush is still needed. (It may be that someone else
2835  * is already in process of flushing that far, however.)
2836  */
2837 bool
2839 {
2840  /*
2841  * During recovery, we don't flush WAL but update minRecoveryPoint
2842  * instead. So "needs flush" is taken to mean whether minRecoveryPoint
2843  * would need to be updated.
2844  */
2845  if (RecoveryInProgress())
2846  {
2847  /*
2848  * An invalid minRecoveryPoint means that we need to recover all the
2849  * WAL, i.e., we're doing crash recovery. We never modify the control
2850  * file's value in that case, so we can short-circuit future checks
2851  * here too. This triggers a quick exit path for the startup process,
2852  * which cannot update its local copy of minRecoveryPoint as long as
2853  * it has not replayed all WAL available when doing crash recovery.
2854  */
2856  updateMinRecoveryPoint = false;
2857 
2858  /* Quick exit if already known to be updated or cannot be updated */
2860  return false;
2861 
2862  /*
2863  * Update local copy of minRecoveryPoint. But if the lock is busy,
2864  * just return a conservative guess.
2865  */
2866  if (!LWLockConditionalAcquire(ControlFileLock, LW_SHARED))
2867  return true;
2870  LWLockRelease(ControlFileLock);
2871 
2872  /*
2873  * Check minRecoveryPoint for any other process than the startup
2874  * process doing crash recovery, which should not update the control
2875  * file value if crash recovery is still running.
2876  */
2878  updateMinRecoveryPoint = false;
2879 
2880  /* check again */
2882  return false;
2883  else
2884  return true;
2885  }
2886 
2887  /* Quick exit if already known flushed */
2888  if (record <= LogwrtResult.Flush)
2889  return false;
2890 
2891  /* read LogwrtResult and update local state */
2895 
2896  /* check again */
2897  if (record <= LogwrtResult.Flush)
2898  return false;
2899 
2900  return true;
2901 }
2902 
2903 /*
2904  * Try to make a given XLOG file segment exist.
2905  *
2906  * logsegno: identify segment.
2907  *
2908  * *added: on return, true if this call raised the number of extant segments.
2909  *
2910  * path: on return, this char[MAXPGPATH] has the path to the logsegno file.
2911  *
2912  * Returns -1 or FD of opened file. A -1 here is not an error; a caller
2913  * wanting an open segment should attempt to open "path", which usually will
2914  * succeed. (This is weird, but it's efficient for the callers.)
2915  */
2916 static int
2918  bool *added, char *path)
2919 {
2920  char tmppath[MAXPGPATH];
2921  PGAlignedXLogBlock zbuffer;
2922  XLogSegNo installed_segno;
2923  XLogSegNo max_segno;
2924  int fd;
2925  int save_errno;
2926 
2927  Assert(logtli != 0);
2928 
2929  XLogFilePath(path, logtli, logsegno, wal_segment_size);
2930 
2931  /*
2932  * Try to use existent file (checkpoint maker may have created it already)
2933  */
2934  *added = false;
2935  fd = BasicOpenFile(path, O_RDWR | PG_BINARY | get_sync_bit(sync_method));
2936  if (fd < 0)
2937  {
2938  if (errno != ENOENT)
2939  ereport(ERROR,
2941  errmsg("could not open file \"%s\": %m", path)));
2942  }
2943  else
2944  return fd;
2945 
2946  /*
2947  * Initialize an empty (all zeroes) segment. NOTE: it is possible that
2948  * another process is doing the same thing. If so, we will end up
2949  * pre-creating an extra log segment. That seems OK, and better than
2950  * holding the lock throughout this lengthy process.
2951  */
2952  elog(DEBUG2, "creating and filling new WAL file");
2953 
2954  snprintf(tmppath, MAXPGPATH, XLOGDIR "/xlogtemp.%d", (int) getpid());
2955 
2956  unlink(tmppath);
2957 
2958  /* do not use get_sync_bit() here --- want to fsync only at end of fill */
2959  fd = BasicOpenFile(tmppath, O_RDWR | O_CREAT | O_EXCL | PG_BINARY);
2960  if (fd < 0)
2961  ereport(ERROR,
2963  errmsg("could not create file \"%s\": %m", tmppath)));
2964 
2965  memset(zbuffer.data, 0, XLOG_BLCKSZ);
2966 
2968  save_errno = 0;
2969  if (wal_init_zero)
2970  {
2971  struct iovec iov[PG_IOV_MAX];
2972  int blocks;
2973 
2974  /*
2975  * Zero-fill the file. With this setting, we do this the hard way to
2976  * ensure that all the file space has really been allocated. On
2977  * platforms that allow "holes" in files, just seeking to the end
2978  * doesn't allocate intermediate space. This way, we know that we
2979  * have all the space and (after the fsync below) that all the
2980  * indirect blocks are down on disk. Therefore, fdatasync(2) or
2981  * O_DSYNC will be sufficient to sync future writes to the log file.
2982  */
2983 
2984  /* Prepare to write out a lot of copies of our zero buffer at once. */
2985  for (int i = 0; i < lengthof(iov); ++i)
2986  {
2987  iov[i].iov_base = zbuffer.data;
2988  iov[i].iov_len = XLOG_BLCKSZ;
2989  }
2990 
2991  /* Loop, writing as many blocks as we can for each system call. */
2992  blocks = wal_segment_size / XLOG_BLCKSZ;
2993  for (int i = 0; i < blocks;)
2994  {
2995  int iovcnt = Min(blocks - i, lengthof(iov));
2996  off_t offset = i * XLOG_BLCKSZ;
2997 
2998  if (pg_pwritev_with_retry(fd, iov, iovcnt, offset) < 0)
2999  {
3000  save_errno = errno;
3001  break;
3002  }
3003 
3004  i += iovcnt;
3005  }
3006  }
3007  else
3008  {
3009  /*
3010  * Otherwise, seeking to the end and writing a solitary byte is
3011  * enough.
3012  */
3013  errno = 0;
3014  if (pg_pwrite(fd, zbuffer.data, 1, wal_segment_size - 1) != 1)
3015  {
3016  /* if write didn't set errno, assume no disk space */
3017  save_errno = errno ? errno : ENOSPC;
3018  }
3019  }
3021 
3022  if (save_errno)
3023  {
3024  /*
3025  * If we fail to make the file, delete it to release disk space
3026  */
3027  unlink(tmppath);
3028 
3029  close(fd);
3030 
3031  errno = save_errno;
3032 
3033  ereport(ERROR,
3035  errmsg("could not write to file \"%s\": %m", tmppath)));
3036  }
3037 
3039  if (pg_fsync(fd) != 0)
3040  {
3041  int save_errno = errno;
3042 
3043  close(fd);
3044  errno = save_errno;
3045  ereport(ERROR,
3047  errmsg("could not fsync file \"%s\": %m", tmppath)));
3048  }
3050 
3051  if (close(fd) != 0)
3052  ereport(ERROR,
3054  errmsg("could not close file \"%s\": %m", tmppath)));
3055 
3056  /*
3057  * Now move the segment into place with its final name. Cope with
3058  * possibility that someone else has created the file while we were
3059  * filling ours: if so, use ours to pre-create a future log segment.
3060  */
3061  installed_segno = logsegno;
3062 
3063  /*
3064  * XXX: What should we use as max_segno? We used to use XLOGfileslop when
3065  * that was a constant, but that was always a bit dubious: normally, at a
3066  * checkpoint, XLOGfileslop was the offset from the checkpoint record, but
3067  * here, it was the offset from the insert location. We can't do the
3068  * normal XLOGfileslop calculation here because we don't have access to
3069  * the prior checkpoint's redo location. So somewhat arbitrarily, just use
3070  * CheckPointSegments.
3071  */
3072  max_segno = logsegno + CheckPointSegments;
3073  if (InstallXLogFileSegment(&installed_segno, tmppath, true, max_segno,
3074  logtli))
3075  {
3076  *added = true;
3077  elog(DEBUG2, "done creating and filling new WAL file");
3078  }
3079  else
3080  {
3081  /*
3082  * No need for any more future segments, or InstallXLogFileSegment()
3083  * failed to rename the file into place. If the rename failed, a
3084  * caller opening the file may fail.
3085  */
3086  unlink(tmppath);
3087  elog(DEBUG2, "abandoned new WAL file");
3088  }
3089 
3090  return -1;
3091 }
3092 
3093 /*
3094  * Create a new XLOG file segment, or open a pre-existing one.
3095  *
3096  * logsegno: identify segment to be created/opened.
3097  *
3098  * Returns FD of opened file.
3099  *
3100  * Note: errors here are ERROR not PANIC because we might or might not be
3101  * inside a critical section (eg, during checkpoint there is no reason to
3102  * take down the system on failure). They will promote to PANIC if we are
3103  * in a critical section.
3104  */
3105 int
3107 {
3108  bool ignore_added;
3109  char path[MAXPGPATH];
3110  int fd;
3111 
3112  Assert(logtli != 0);
3113 
3114  fd = XLogFileInitInternal(logsegno, logtli, &ignore_added, path);
3115  if (fd >= 0)
3116  return fd;
3117 
3118  /* Now open original target segment (might not be file I just made) */
3119  fd = BasicOpenFile(path, O_RDWR | PG_BINARY | get_sync_bit(sync_method));
3120  if (fd < 0)
3121  ereport(ERROR,
3123  errmsg("could not open file \"%s\": %m", path)));
3124  return fd;
3125 }
3126 
3127 /*
3128  * Create a new XLOG file segment by copying a pre-existing one.
3129  *
3130  * destsegno: identify segment to be created.
3131  *
3132  * srcTLI, srcsegno: identify segment to be copied (could be from
3133  * a different timeline)
3134  *
3135  * upto: how much of the source file to copy (the rest is filled with
3136  * zeros)
3137  *
3138  * Currently this is only used during recovery, and so there are no locking
3139  * considerations. But we should be just as tense as XLogFileInit to avoid
3140  * emplacing a bogus file.
3141  */
3142 static void
3143 XLogFileCopy(TimeLineID destTLI, XLogSegNo destsegno,
3144  TimeLineID srcTLI, XLogSegNo srcsegno,
3145  int upto)
3146 {
3147  char path[MAXPGPATH];
3148  char tmppath[MAXPGPATH];
3149  PGAlignedXLogBlock buffer;
3150  int srcfd;
3151  int fd;
3152  int nbytes;
3153 
3154  /*
3155  * Open the source file
3156  */
3157  XLogFilePath(path, srcTLI, srcsegno, wal_segment_size);
3158  srcfd = OpenTransientFile(path, O_RDONLY | PG_BINARY);
3159  if (srcfd < 0)
3160  ereport(ERROR,
3162  errmsg("could not open file \"%s\": %m", path)));
3163 
3164  /*
3165  * Copy into a temp file name.
3166  */
3167  snprintf(tmppath, MAXPGPATH, XLOGDIR "/xlogtemp.%d", (int) getpid());
3168 
3169  unlink(tmppath);
3170 
3171  /* do not use get_sync_bit() here --- want to fsync only at end of fill */
3172  fd = OpenTransientFile(tmppath, O_RDWR | O_CREAT | O_EXCL | PG_BINARY);
3173  if (fd < 0)
3174  ereport(ERROR,
3176  errmsg("could not create file \"%s\": %m", tmppath)));
3177 
3178  /*
3179  * Do the data copying.
3180  */
3181  for (nbytes = 0; nbytes < wal_segment_size; nbytes += sizeof(buffer))
3182  {
3183  int nread;
3184 
3185  nread = upto - nbytes;
3186 
3187  /*
3188  * The part that is not read from the source file is filled with
3189  * zeros.
3190  */
3191  if (nread < sizeof(buffer))
3192  memset(buffer.data, 0, sizeof(buffer));
3193 
3194  if (nread > 0)
3195  {
3196  int r;
3197 
3198  if (nread > sizeof(buffer))
3199  nread = sizeof(buffer);
3201  r = read(srcfd, buffer.data, nread);
3202  if (r != nread)
3203  {
3204  if (r < 0)
3205  ereport(ERROR,
3207  errmsg("could not read file \"%s\": %m",
3208  path)));
3209  else
3210  ereport(ERROR,
3212  errmsg("could not read file \"%s\": read %d of %zu",
3213  path, r, (Size) nread)));
3214  }
3216  }
3217  errno = 0;
3219  if ((int) write(fd, buffer.data, sizeof(buffer)) != (int) sizeof(buffer))
3220  {
3221  int save_errno = errno;
3222 
3223  /*
3224  * If we fail to make the file, delete it to release disk space
3225  */
3226  unlink(tmppath);
3227  /* if write didn't set errno, assume problem is no disk space */
3228  errno = save_errno ? save_errno : ENOSPC;
3229 
3230  ereport(ERROR,
3232  errmsg("could not write to file \"%s\": %m", tmppath)));
3233  }
3235  }
3236 
3238  if (pg_fsync(fd) != 0)
3241  errmsg("could not fsync file \"%s\": %m", tmppath)));
3243 
3244  if (CloseTransientFile(fd) != 0)
3245  ereport(ERROR,
3247  errmsg("could not close file \"%s\": %m", tmppath)));
3248 
3249  if (CloseTransientFile(srcfd) != 0)
3250  ereport(ERROR,
3252  errmsg("could not close file \"%s\": %m", path)));
3253 
3254  /*
3255  * Now move the segment into place with its final name.
3256  */
3257  if (!InstallXLogFileSegment(&destsegno, tmppath, false, 0, destTLI))
3258  elog(ERROR, "InstallXLogFileSegment should not have failed");
3259 }
3260 
3261 /*
3262  * Install a new XLOG segment file as a current or future log segment.
3263  *
3264  * This is used both to install a newly-created segment (which has a temp
3265  * filename while it's being created) and to recycle an old segment.
3266  *
3267  * *segno: identify segment to install as (or first possible target).
3268  * When find_free is true, this is modified on return to indicate the
3269  * actual installation location or last segment searched.
3270  *
3271  * tmppath: initial name of file to install. It will be renamed into place.
3272  *
3273  * find_free: if true, install the new segment at the first empty segno
3274  * number at or after the passed numbers. If false, install the new segment
3275  * exactly where specified, deleting any existing segment file there.
3276  *
3277  * max_segno: maximum segment number to install the new file as. Fail if no
3278  * free slot is found between *segno and max_segno. (Ignored when find_free
3279  * is false.)
3280  *
3281  * tli: The timeline on which the new segment should be installed.
3282  *
3283  * Returns true if the file was installed successfully. false indicates that
3284  * max_segno limit was exceeded, the startup process has disabled this
3285  * function for now, or an error occurred while renaming the file into place.
3286  */
3287 static bool
3288 InstallXLogFileSegment(XLogSegNo *segno, char *tmppath,
3289  bool find_free, XLogSegNo max_segno, TimeLineID tli)
3290 {
3291  char path[MAXPGPATH];
3292  struct stat stat_buf;
3293 
3294  Assert(tli != 0);
3295 
3296  XLogFilePath(path, tli, *segno, wal_segment_size);
3297 
3298  LWLockAcquire(ControlFileLock, LW_EXCLUSIVE);
3300  {
3301  LWLockRelease(ControlFileLock);
3302  return false;
3303  }
3304 
3305  if (!find_free)
3306  {
3307  /* Force installation: get rid of any pre-existing segment file */
3308  durable_unlink(path, DEBUG1);
3309  }
3310  else
3311  {
3312  /* Find a free slot to put it in */
3313  while (stat(path, &stat_buf) == 0)
3314  {
3315  if ((*segno) >= max_segno)
3316  {
3317  /* Failed to find a free slot within specified range */
3318  LWLockRelease(ControlFileLock);
3319  return false;
3320  }
3321  (*segno)++;
3322  XLogFilePath(path, tli, *segno, wal_segment_size);
3323  }
3324  }
3325 
3326  /*
3327  * Perform the rename using link if available, paranoidly trying to avoid
3328  * overwriting an existing file (there shouldn't be one).
3329  */
3330  if (durable_rename_excl(tmppath, path, LOG) != 0)
3331  {
3332  LWLockRelease(ControlFileLock);
3333  /* durable_rename_excl already emitted log message */
3334  return false;
3335  }
3336 
3337  LWLockRelease(ControlFileLock);
3338 
3339  return true;
3340 }
3341 
3342 /*
3343  * Open a pre-existing logfile segment for writing.
3344  */
3345 int
3347 {
3348  char path[MAXPGPATH];
3349  int fd;
3350 
3351  XLogFilePath(path, tli, segno, wal_segment_size);
3352 
3353  fd = BasicOpenFile(path, O_RDWR | PG_BINARY | get_sync_bit(sync_method));
3354  if (fd < 0)
3355  ereport(PANIC,
3357  errmsg("could not open file \"%s\": %m", path)));
3358 
3359  return fd;
3360 }
3361 
3362 /*
3363  * Close the current logfile segment for writing.
3364  */
3365 static void
3367 {
3368  Assert(openLogFile >= 0);
3369 
3370  /*
3371  * WAL segment files will not be re-read in normal operation, so we advise
3372  * the OS to release any cached pages. But do not do so if WAL archiving
3373  * or streaming is active, because archiver and walsender process could
3374  * use the cache to read the WAL segment.
3375  */
3376 #if defined(USE_POSIX_FADVISE) && defined(POSIX_FADV_DONTNEED)
3377  if (!XLogIsNeeded())
3378  (void) posix_fadvise(openLogFile, 0, 0, POSIX_FADV_DONTNEED);
3379 #endif
3380 
3381  if (close(openLogFile) != 0)
3382  {
3383  char xlogfname[MAXFNAMELEN];
3384  int save_errno = errno;
3385 
3387  errno = save_errno;
3388  ereport(PANIC,
3390  errmsg("could not close file \"%s\": %m", xlogfname)));
3391  }
3392 
3393  openLogFile = -1;
3395 }
3396 
3397 /*
3398  * Preallocate log files beyond the specified log endpoint.
3399  *
3400  * XXX this is currently extremely conservative, since it forces only one
3401  * future log segment to exist, and even that only if we are 75% done with
3402  * the current one. This is only appropriate for very low-WAL-volume systems.
3403  * High-volume systems will be OK once they've built up a sufficient set of
3404  * recycled log segments, but the startup transient is likely to include
3405  * a lot of segment creations by foreground processes, which is not so good.
3406  *
3407  * XLogFileInitInternal() can ereport(ERROR). All known causes indicate big
3408  * trouble; for example, a full filesystem is one cause. The checkpoint WAL
3409  * and/or ControlFile updates already completed. If a RequestCheckpoint()
3410  * initiated the present checkpoint and an ERROR ends this function, the
3411  * command that called RequestCheckpoint() fails. That's not ideal, but it's
3412  * not worth contorting more functions to use caller-specified elevel values.
3413  * (With or without RequestCheckpoint(), an ERROR forestalls some inessential
3414  * reporting and resource reclamation.)
3415  */
3416 static void
3418 {
3419  XLogSegNo _logSegNo;
3420  int lf;
3421  bool added;
3422  char path[MAXPGPATH];
3423  uint64 offset;
3424 
3426  return; /* unlocked check says no */
3427 
3428  XLByteToPrevSeg(endptr, _logSegNo, wal_segment_size);
3429  offset = XLogSegmentOffset(endptr - 1, wal_segment_size);
3430  if (offset >= (uint32) (0.75 * wal_segment_size))
3431  {
3432  _logSegNo++;
3433  lf = XLogFileInitInternal(_logSegNo, tli, &added, path);
3434  if (lf >= 0)
3435  close(lf);
3436  if (added)
3438  }
3439 }
3440 
3441 /*
3442  * Throws an error if the given log segment has already been removed or
3443  * recycled. The caller should only pass a segment that it knows to have
3444  * existed while the server has been running, as this function always
3445  * succeeds if no WAL segments have been removed since startup.
3446  * 'tli' is only used in the error message.
3447  *
3448  * Note: this function guarantees to keep errno unchanged on return.
3449  * This supports callers that use this to possibly deliver a better
3450  * error message about a missing file, while still being able to throw
3451  * a normal file-access error afterwards, if this does return.
3452  */
3453 void
3455 {
3456  int save_errno = errno;
3457  XLogSegNo lastRemovedSegNo;
3458 
3460  lastRemovedSegNo = XLogCtl->lastRemovedSegNo;
3462 
3463  if (segno <= lastRemovedSegNo)
3464  {
3465  char filename[MAXFNAMELEN];
3466 
3467  XLogFileName(filename, tli, segno, wal_segment_size);
3468  errno = save_errno;
3469  ereport(ERROR,
3471  errmsg("requested WAL segment %s has already been removed",
3472  filename)));
3473  }
3474  errno = save_errno;
3475 }
3476 
3477 /*
3478  * Return the last WAL segment removed, or 0 if no segment has been removed
3479  * since startup.
3480  *
3481  * NB: the result can be out of date arbitrarily fast, the caller has to deal
3482  * with that.
3483  */
3484 XLogSegNo
3486 {
3487  XLogSegNo lastRemovedSegNo;
3488 
3490  lastRemovedSegNo = XLogCtl->lastRemovedSegNo;
3492 
3493  return lastRemovedSegNo;
3494 }
3495 
3496 
3497 /*
3498  * Update the last removed segno pointer in shared memory, to reflect that the
3499  * given XLOG file has been removed.
3500  */
3501 static void
3503 {
3504  uint32 tli;
3505  XLogSegNo segno;
3506 
3507  XLogFromFileName(filename, &tli, &segno, wal_segment_size);
3508 
3510  if (segno > XLogCtl->lastRemovedSegNo)
3511  XLogCtl->lastRemovedSegNo = segno;
3513 }
3514 
3515 /*
3516  * Remove all temporary log files in pg_wal
3517  *
3518  * This is called at the beginning of recovery after a previous crash,
3519  * at a point where no other processes write fresh WAL data.
3520  */
3521 static void
3523 {
3524  DIR *xldir;
3525  struct dirent *xlde;
3526 
3527  elog(DEBUG2, "removing all temporary WAL segments");
3528 
3529  xldir = AllocateDir(XLOGDIR);
3530  while ((xlde = ReadDir(xldir, XLOGDIR)) != NULL)
3531  {
3532  char path[MAXPGPATH];
3533 
3534  if (strncmp(xlde->d_name, "xlogtemp.", 9) != 0)
3535  continue;
3536 
3537  snprintf(path, MAXPGPATH, XLOGDIR "/%s", xlde->d_name);
3538  unlink(path);
3539  elog(DEBUG2, "removed temporary WAL segment \"%s\"", path);
3540  }
3541  FreeDir(xldir);
3542 }
3543 
3544 /*
3545  * Recycle or remove all log files older or equal to passed segno.
3546  *
3547  * endptr is current (or recent) end of xlog, and lastredoptr is the
3548  * redo pointer of the last checkpoint. These are used to determine
3549  * whether we want to recycle rather than delete no-longer-wanted log files.
3550  *
3551  * insertTLI is the current timeline for XLOG insertion. Any recycled
3552  * segments should be reused for this timeline.
3553  */
3554 static void
3556  TimeLineID insertTLI)
3557 {
3558  DIR *xldir;
3559  struct dirent *xlde;
3560  char lastoff[MAXFNAMELEN];
3561  XLogSegNo endlogSegNo;
3562  XLogSegNo recycleSegNo;
3563 
3564  /* Initialize info about where to try to recycle to */
3565  XLByteToSeg(endptr, endlogSegNo, wal_segment_size);
3566  recycleSegNo = XLOGfileslop(lastredoptr);
3567 
3568  /*
3569  * Construct a filename of the last segment to be kept. The timeline ID
3570  * doesn't matter, we ignore that in the comparison. (During recovery,
3571  * InsertTimeLineID isn't set, so we can't use that.)
3572  */
3573  XLogFileName(lastoff, 0, segno, wal_segment_size);
3574 
3575  elog(DEBUG2, "attempting to remove WAL segments older than log file %s",
3576  lastoff);
3577 
3578  xldir = AllocateDir(XLOGDIR);
3579 
3580  while ((xlde = ReadDir(xldir, XLOGDIR)) != NULL)
3581  {
3582  /* Ignore files that are not XLOG segments */
3583  if (!IsXLogFileName(xlde->d_name) &&
3584  !IsPartialXLogFileName(xlde->d_name))
3585  continue;
3586 
3587  /*
3588  * We ignore the timeline part of the XLOG segment identifiers in
3589  * deciding whether a segment is still needed. This ensures that we
3590  * won't prematurely remove a segment from a parent timeline. We could
3591  * probably be a little more proactive about removing segments of
3592  * non-parent timelines, but that would be a whole lot more
3593  * complicated.
3594  *
3595  * We use the alphanumeric sorting property of the filenames to decide
3596  * which ones are earlier than the lastoff segment.
3597  */
3598  if (strcmp(xlde->d_name + 8, lastoff + 8) <= 0)
3599  {
3600  if (XLogArchiveCheckDone(xlde->d_name))
3601  {
3602  /* Update the last removed location in shared memory first */
3604 
3605  RemoveXlogFile(xlde->d_name, recycleSegNo, &endlogSegNo,
3606  insertTLI);
3607  }
3608  }
3609  }
3610 
3611  FreeDir(xldir);
3612 }
3613 
3614 /*
3615  * Remove WAL files that are not part of the given timeline's history.
3616  *
3617  * This is called during recovery, whenever we switch to follow a new
3618  * timeline, and at the end of recovery when we create a new timeline. We
3619  * wouldn't otherwise care about extra WAL files lying in pg_wal, but they
3620  * might be leftover pre-allocated or recycled WAL segments on the old timeline
3621  * that we haven't used yet, and contain garbage. If we just leave them in
3622  * pg_wal, they will eventually be archived, and we can't let that happen.
3623  * Files that belong to our timeline history are valid, because we have
3624  * successfully replayed them, but from others we can't be sure.
3625  *
3626  * 'switchpoint' is the current point in WAL where we switch to new timeline,
3627  * and 'newTLI' is the new timeline we switch to.
3628  */
3629 void
3631 {
3632  DIR *xldir;
3633  struct dirent *xlde;
3634  char switchseg[MAXFNAMELEN];
3635  XLogSegNo endLogSegNo;
3636  XLogSegNo switchLogSegNo;
3637  XLogSegNo recycleSegNo;
3638 
3639  /*
3640  * Initialize info about where to begin the work. This will recycle,
3641  * somewhat arbitrarily, 10 future segments.
3642  */
3643  XLByteToPrevSeg(switchpoint, switchLogSegNo, wal_segment_size);
3644  XLByteToSeg(switchpoint, endLogSegNo, wal_segment_size);
3645  recycleSegNo = endLogSegNo + 10;
3646 
3647  /*
3648  * Construct a filename of the last segment to be kept.
3649  */
3650  XLogFileName(switchseg, newTLI, switchLogSegNo, wal_segment_size);
3651 
3652  elog(DEBUG2, "attempting to remove WAL segments newer than log file %s",
3653  switchseg);
3654 
3655  xldir = AllocateDir(XLOGDIR);
3656 
3657  while ((xlde = ReadDir(xldir, XLOGDIR)) != NULL)
3658  {
3659  /* Ignore files that are not XLOG segments */
3660  if (!IsXLogFileName(xlde->d_name))
3661  continue;
3662 
3663  /*
3664  * Remove files that are on a timeline older than the new one we're
3665  * switching to, but with a segment number >= the first segment on the
3666  * new timeline.
3667  */
3668  if (strncmp(xlde->d_name, switchseg, 8) < 0 &&
3669  strcmp(xlde->d_name + 8, switchseg + 8) > 0)
3670  {
3671  /*
3672  * If the file has already been marked as .ready, however, don't
3673  * remove it yet. It should be OK to remove it - files that are
3674  * not part of our timeline history are not required for recovery
3675  * - but seems safer to let them be archived and removed later.
3676  */
3677  if (!XLogArchiveIsReady(xlde->d_name))
3678  RemoveXlogFile(xlde->d_name, recycleSegNo, &endLogSegNo,
3679  newTLI);
3680  }
3681  }
3682 
3683  FreeDir(xldir);
3684 }
3685 
3686 /*
3687  * Recycle or remove a log file that's no longer needed.
3688  *
3689  * segname is the name of the segment to recycle or remove. recycleSegNo
3690  * is the segment number to recycle up to. endlogSegNo is the segment
3691  * number of the current (or recent) end of WAL.
3692  *
3693  * endlogSegNo gets incremented if the segment is recycled so as it is not
3694  * checked again with future callers of this function.
3695  *
3696  * insertTLI is the current timeline for XLOG insertion. Any recycled segments
3697  * should be used for this timeline.
3698  */
3699 static void
3700 RemoveXlogFile(const char *segname, XLogSegNo recycleSegNo,
3701  XLogSegNo *endlogSegNo, TimeLineID insertTLI)
3702 {
3703  char path[MAXPGPATH];
3704 #ifdef WIN32
3705  char newpath[MAXPGPATH];
3706 #endif
3707  struct stat statbuf;
3708 
3709  snprintf(path, MAXPGPATH, XLOGDIR "/%s", segname);
3710 
3711  /*
3712  * Before deleting the file, see if it can be recycled as a future log
3713  * segment. Only recycle normal files, because we don't want to recycle
3714  * symbolic links pointing to a separate archive directory.
3715  */
3716  if (wal_recycle &&
3717  *endlogSegNo <= recycleSegNo &&
3718  XLogCtl->InstallXLogFileSegmentActive && /* callee rechecks this */
3719  lstat(path, &statbuf) == 0 && S_ISREG(statbuf.st_mode) &&
3720  InstallXLogFileSegment(endlogSegNo, path,
3721  true, recycleSegNo, insertTLI))
3722  {
3723  ereport(DEBUG2,
3724  (errmsg_internal("recycled write-ahead log file \"%s\"",
3725  segname)));
3727  /* Needn't recheck that slot on future iterations */
3728  (*endlogSegNo)++;
3729  }
3730  else
3731  {
3732  /* No need for any more future segments, or recycling failed ... */
3733  int rc;
3734 
3735  ereport(DEBUG2,
3736  (errmsg_internal("removing write-ahead log file \"%s\"",
3737  segname)));
3738 
3739 #ifdef WIN32
3740 
3741  /*
3742  * On Windows, if another process (e.g another backend) holds the file
3743  * open in FILE_SHARE_DELETE mode, unlink will succeed, but the file
3744  * will still show up in directory listing until the last handle is
3745  * closed. To avoid confusing the lingering deleted file for a live
3746  * WAL file that needs to be archived, rename it before deleting it.
3747  *
3748  * If another process holds the file open without FILE_SHARE_DELETE
3749  * flag, rename will fail. We'll try again at the next checkpoint.
3750  */
3751  snprintf(newpath, MAXPGPATH, "%s.deleted", path);
3752  if (rename(path, newpath) != 0)
3753  {
3754  ereport(LOG,
3756  errmsg("could not rename file \"%s\": %m",
3757  path)));
3758  return;
3759  }
3760  rc = durable_unlink(newpath, LOG);
3761 #else
3762  rc = durable_unlink(path, LOG);
3763 #endif
3764  if (rc != 0)
3765  {
3766  /* Message already logged by durable_unlink() */
3767  return;
3768  }
3770  }
3771 
3772  XLogArchiveCleanup(segname);
3773 }
3774 
3775 /*
3776  * Verify whether pg_wal and pg_wal/archive_status exist.
3777  * If the latter does not exist, recreate it.
3778  *
3779  * It is not the goal of this function to verify the contents of these
3780  * directories, but to help in cases where someone has performed a cluster
3781  * copy for PITR purposes but omitted pg_wal from the copy.
3782  *
3783  * We could also recreate pg_wal if it doesn't exist, but a deliberate
3784  * policy decision was made not to. It is fairly common for pg_wal to be
3785  * a symlink, and if that was the DBA's intent then automatically making a
3786  * plain directory would result in degraded performance with no notice.
3787  */
3788 static void
3790 {
3791  char path[MAXPGPATH];
3792  struct stat stat_buf;
3793 
3794  /* Check for pg_wal; if it doesn't exist, error out */
3795  if (stat(XLOGDIR, &stat_buf) != 0 ||
3796  !S_ISDIR(stat_buf.st_mode))
3797  ereport(FATAL,
3798  (errmsg("required WAL directory \"%s\" does not exist",
3799  XLOGDIR)));
3800 
3801  /* Check for archive_status */
3802  snprintf(path, MAXPGPATH, XLOGDIR "/archive_status");
3803  if (stat(path, &stat_buf) == 0)
3804  {
3805  /* Check for weird cases where it exists but isn't a directory */
3806  if (!S_ISDIR(stat_buf.st_mode))
3807  ereport(FATAL,
3808  (errmsg("required WAL directory \"%s\" does not exist",
3809  path)));
3810  }
3811  else
3812  {
3813  ereport(LOG,
3814  (errmsg("creating missing WAL directory \"%s\"", path)));
3815  if (MakePGDirectory(path) < 0)
3816  ereport(FATAL,
3817  (errmsg("could not create missing directory \"%s\": %m",
3818  path)));
3819  }
3820 }
3821 
3822 /*
3823  * Remove previous backup history files. This also retries creation of
3824  * .ready files for any backup history files for which XLogArchiveNotify
3825  * failed earlier.
3826  */
3827 static void
3829 {
3830  DIR *xldir;
3831  struct dirent *xlde;
3832  char path[MAXPGPATH + sizeof(XLOGDIR)];
3833 
3834  xldir = AllocateDir(XLOGDIR);
3835 
3836  while ((xlde = ReadDir(xldir, XLOGDIR)) != NULL)
3837  {
3838  if (IsBackupHistoryFileName(xlde->d_name))
3839  {
3840  if (XLogArchiveCheckDone(xlde->d_name))
3841  {
3842  elog(DEBUG2, "removing WAL backup history file \"%s\"",
3843  xlde->d_name);
3844  snprintf(path, sizeof(path), XLOGDIR "/%s", xlde->d_name);
3845  unlink(path);
3846  XLogArchiveCleanup(xlde->d_name);
3847  }
3848  }
3849  }
3850 
3851  FreeDir(xldir);
3852 }
3853 
3854 /*
3855  * I/O routines for pg_control
3856  *
3857  * *ControlFile is a buffer in shared memory that holds an image of the
3858  * contents of pg_control. WriteControlFile() initializes pg_control
3859  * given a preloaded buffer, ReadControlFile() loads the buffer from
3860  * the pg_control file (during postmaster or standalone-backend startup),
3861  * and UpdateControlFile() rewrites pg_control after we modify xlog state.
3862  * InitControlFile() fills the buffer with initial values.
3863  *
3864  * For simplicity, WriteControlFile() initializes the fields of pg_control
3865  * that are related to checking backend/database compatibility, and
3866  * ReadControlFile() verifies they are correct. We could split out the
3867  * I/O and compatibility-check functions, but there seems no need currently.
3868  */
3869 
3870 static void
3871 InitControlFile(uint64 sysidentifier)
3872 {
3873  char mock_auth_nonce[MOCK_AUTH_NONCE_LEN];
3874 
3875  /*
3876  * Generate a random nonce. This is used for authentication requests that
3877  * will fail because the user does not exist. The nonce is used to create
3878  * a genuine-looking password challenge for the non-existent user, in lieu
3879  * of an actual stored password.
3880  */
3881  if (!pg_strong_random(mock_auth_nonce, MOCK_AUTH_NONCE_LEN))
3882  ereport(PANIC,
3883  (errcode(ERRCODE_INTERNAL_ERROR),
3884  errmsg("could not generate secret authorization token")));
3885 
3886  memset(ControlFile, 0, sizeof(ControlFileData));
3887  /* Initialize pg_control status fields */
3888  ControlFile->system_identifier = sysidentifier;
3889  memcpy(ControlFile->mock_authentication_nonce, mock_auth_nonce, MOCK_AUTH_NONCE_LEN);
3892 
3893  /* Set important parameter values for use when replaying WAL */
3903 }
3904 
3905 static void
3907 {
3908  int fd;
3909  char buffer[PG_CONTROL_FILE_SIZE]; /* need not be aligned */
3910 
3911  /*
3912  * Ensure that the size of the pg_control data structure is sane. See the
3913  * comments for these symbols in pg_control.h.
3914  */
3916  "pg_control is too large for atomic disk writes");
3918  "sizeof(ControlFileData) exceeds PG_CONTROL_FILE_SIZE");
3919 
3920  /*
3921  * Initialize version and compatibility-check fields
3922  */
3925 
3926  ControlFile->maxAlign = MAXIMUM_ALIGNOF;
3928 
3929  ControlFile->blcksz = BLCKSZ;
3930  ControlFile->relseg_size = RELSEG_SIZE;
3931  ControlFile->xlog_blcksz = XLOG_BLCKSZ;
3933 
3936 
3939 
3941 
3942  /* Contents are protected with a CRC */
3945  (char *) ControlFile,
3948 
3949  /*
3950  * We write out PG_CONTROL_FILE_SIZE bytes into pg_control, zero-padding
3951  * the excess over sizeof(ControlFileData). This reduces the odds of
3952  * premature-EOF errors when reading pg_control. We'll still fail when we
3953  * check the contents of the file, but hopefully with a more specific
3954  * error than "couldn't read pg_control".
3955  */
3956  memset(buffer, 0, PG_CONTROL_FILE_SIZE);
3957  memcpy(buffer, ControlFile, sizeof(ControlFileData));
3958 
3960  O_RDWR | O_CREAT | O_EXCL | PG_BINARY);
3961  if (fd < 0)
3962  ereport(PANIC,
3964  errmsg("could not create file \"%s\": %m",
3965  XLOG_CONTROL_FILE)));
3966 
3967  errno = 0;
3970  {
3971  /* if write didn't set errno, assume problem is no disk space */
3972  if (errno == 0)
3973  errno = ENOSPC;
3974  ereport(PANIC,
3976  errmsg("could not write to file \"%s\": %m",
3977  XLOG_CONTROL_FILE)));
3978  }
3980 
3982  if (pg_fsync(fd) != 0)
3983  ereport(PANIC,
3985  errmsg("could not fsync file \"%s\": %m",
3986  XLOG_CONTROL_FILE)));
3988 
3989  if (close(fd) != 0)
3990  ereport(PANIC,
3992  errmsg("could not close file \"%s\": %m",
3993  XLOG_CONTROL_FILE)));
3994 }
3995 
3996 static void
3998 {
3999  pg_crc32c crc;
4000  int fd;
4001  static char wal_segsz_str[20];
4002  int r;
4003 
4004  /*
4005  * Read data...
4006  */
4008  O_RDWR | PG_BINARY);
4009  if (fd < 0)
4010  ereport(PANIC,
4012  errmsg("could not open file \"%s\": %m",
4013  XLOG_CONTROL_FILE)));
4014 
4016  r = read(fd, ControlFile, sizeof(ControlFileData));
4017  if (r != sizeof(ControlFileData))
4018  {
4019  if (r < 0)
4020  ereport(PANIC,
4022  errmsg("could not read file \"%s\": %m",
4023  XLOG_CONTROL_FILE)));
4024  else
4025  ereport(PANIC,
4027  errmsg("could not read file \"%s\": read %d of %zu",
4028  XLOG_CONTROL_FILE, r, sizeof(ControlFileData))));
4029  }
4031 
4032  close(fd);
4033 
4034  /*
4035  * Check for expected pg_control format version. If this is wrong, the
4036  * CRC check will likely fail because we'll be checking the wrong number
4037  * of bytes. Complaining about wrong version will probably be more
4038  * enlightening than complaining about wrong CRC.
4039  */
4040 
4042  ereport(FATAL,
4043  (errmsg("database files are incompatible with server"),
4044  errdetail("The database cluster was initialized with PG_CONTROL_VERSION %d (0x%08x),"
4045  " but the server was compiled with PG_CONTROL_VERSION %d (0x%08x).",
4048  errhint("This could be a problem of mismatched byte ordering. It looks like you need to initdb.")));
4049 
4051  ereport(FATAL,
4052  (errmsg("database files are incompatible with server"),
4053  errdetail("The database cluster was initialized with PG_CONTROL_VERSION %d,"
4054  " but the server was compiled with PG_CONTROL_VERSION %d.",
4056  errhint("It looks like you need to initdb.")));
4057 
4058  /* Now check the CRC. */
4059  INIT_CRC32C(crc);
4060  COMP_CRC32C(crc,
4061  (char *) ControlFile,
4063  FIN_CRC32C(crc);
4064 
4065  if (!EQ_CRC32C(crc, ControlFile->crc))
4066  ereport(FATAL,
4067  (errmsg("incorrect checksum in control file")));
4068 
4069  /*
4070  * Do compatibility checking immediately. If the database isn't
4071  * compatible with the backend executable, we want to abort before we can
4072  * possibly do any damage.
4073  */
4075  ereport(FATAL,
4076  (errmsg("database files are incompatible with server"),
4077  errdetail("The database cluster was initialized with CATALOG_VERSION_NO %d,"
4078  " but the server was compiled with CATALOG_VERSION_NO %d.",
4080  errhint("It looks like you need to initdb.")));
4081  if (ControlFile->maxAlign != MAXIMUM_ALIGNOF)
4082  ereport(FATAL,
4083  (errmsg("database files are incompatible with server"),
4084  errdetail("The database cluster was initialized with MAXALIGN %d,"
4085  " but the server was compiled with MAXALIGN %d.",
4086  ControlFile->maxAlign, MAXIMUM_ALIGNOF),
4087  errhint("It looks like you need to initdb.")));
4089  ereport(FATAL,
4090  (errmsg("database files are incompatible with server"),
4091  errdetail("The database cluster appears to use a different floating-point number format than the server executable."),
4092  errhint("It looks like you need to initdb.")));
4093  if (ControlFile->blcksz != BLCKSZ)
4094  ereport(FATAL,
4095  (errmsg("database files are incompatible with server"),
4096  errdetail("The database cluster was initialized with BLCKSZ %d,"
4097  " but the server was compiled with BLCKSZ %d.",
4098  ControlFile->blcksz, BLCKSZ),
4099  errhint("It looks like you need to recompile or initdb.")));
4100  if (ControlFile->relseg_size != RELSEG_SIZE)
4101  ereport(FATAL,
4102  (errmsg("database files are incompatible with server"),
4103  errdetail("The database cluster was initialized with RELSEG_SIZE %d,"
4104  " but the server was compiled with RELSEG_SIZE %d.",
4105  ControlFile->relseg_size, RELSEG_SIZE),
4106  errhint("It looks like you need to recompile or initdb.")));
4107  if (ControlFile->xlog_blcksz != XLOG_BLCKSZ)
4108  ereport(FATAL,
4109  (errmsg("database files are incompatible with server"),
4110  errdetail("The database cluster was initialized with XLOG_BLCKSZ %d,"
4111  " but the server was compiled with XLOG_BLCKSZ %d.",
4112  ControlFile->xlog_blcksz, XLOG_BLCKSZ),
4113  errhint("It looks like you need to recompile or initdb.")));
4115  ereport(FATAL,
4116  (errmsg("database files are incompatible with server"),
4117  errdetail("The database cluster was initialized with NAMEDATALEN %d,"
4118  " but the server was compiled with NAMEDATALEN %d.",
4120  errhint("It looks like you need to recompile or initdb.")));
4122  ereport(FATAL,
4123  (errmsg("database files are incompatible with server"),
4124  errdetail("The database cluster was initialized with INDEX_MAX_KEYS %d,"
4125  " but the server was compiled with INDEX_MAX_KEYS %d.",
4127  errhint("It looks like you need to recompile or initdb.")));
4129  ereport(FATAL,
4130  (errmsg("database files are incompatible with server"),
4131  errdetail("The database cluster was initialized with TOAST_MAX_CHUNK_SIZE %d,"
4132  " but the server was compiled with TOAST_MAX_CHUNK_SIZE %d.",
4134  errhint("It looks like you need to recompile or initdb.")));
4136  ereport(FATAL,
4137  (errmsg("database files are incompatible with server"),
4138  errdetail("The database cluster was initialized with LOBLKSIZE %d,"
4139  " but the server was compiled with LOBLKSIZE %d.",
4140  ControlFile->loblksize, (int) LOBLKSIZE),
4141  errhint("It looks like you need to recompile or initdb.")));
4142 
4143 #ifdef USE_FLOAT8_BYVAL
4144  if (ControlFile->float8ByVal != true)
4145  ereport(FATAL,
4146  (errmsg("database files are incompatible with server"),
4147  errdetail("The database cluster was initialized without USE_FLOAT8_BYVAL"
4148  " but the server was compiled with USE_FLOAT8_BYVAL."),
4149  errhint("It looks like you need to recompile or initdb.")));
4150 #else
4151  if (ControlFile->float8ByVal != false)
4152  ereport(FATAL,
4153  (errmsg("database files are incompatible with server"),
4154  errdetail("The database cluster was initialized with USE_FLOAT8_BYVAL"
4155  " but the server was compiled without USE_FLOAT8_BYVAL."),
4156  errhint("It looks like you need to recompile or initdb.")));
4157 #endif
4158 
4160 
4162  ereport(ERROR, (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
4163  errmsg_plural("WAL segment size must be a power of two between 1 MB and 1 GB, but the control file specifies %d byte",
4164  "WAL segment size must be a power of two between 1 MB and 1 GB, but the control file specifies %d bytes",
4166  wal_segment_size)));
4167 
4168  snprintf(wal_segsz_str, sizeof(wal_segsz_str), "%d", wal_segment_size);
4169  SetConfigOption("wal_segment_size", wal_segsz_str, PGC_INTERNAL,
4170  PGC_S_OVERRIDE);
4171 
4172  /* check and update variables dependent on wal_segment_size */
4174  ereport(ERROR, (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
4175  errmsg("\"min_wal_size\" must be at least twice \"wal_segment_size\"")));
4176 
4178  ereport(ERROR, (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
4179  errmsg("\"max_wal_size\" must be at least twice \"wal_segment_size\"")));
4180 
4182  (wal_segment_size / XLOG_BLCKSZ * UsableBytesInPage) -
4184 
4186 
4187  /* Make the initdb settings visible as GUC variables, too */
4188  SetConfigOption("data_checksums", DataChecksumsEnabled() ? "yes" : "no",
4190 }
4191 
4192 /*
4193  * Utility wrapper to update the control file. Note that the control
4194  * file gets flushed.
4195  */
4196 static void
4198 {
4200 }
4201 
4202 /*
4203  * Returns the unique system identifier from control file.
4204  */
4205 uint64
4207 {
4208  Assert(ControlFile != NULL);
4210 }
4211 
4212 /*
4213  * Returns the random nonce from control file.
4214  */
4215 char *
4217 {
4218  Assert(ControlFile != NULL);
4220 }
4221 
4222 /*
4223  * Are checksums enabled for data pages?
4224  */
4225 bool
4227 {
4228  Assert(ControlFile != NULL);
4229  return (ControlFile->data_checksum_version > 0);
4230 }
4231 
4232 /*
4233  * Returns a fake LSN for unlogged relations.
4234  *
4235  * Each call generates an LSN that is greater than any previous value
4236  * returned. The current counter value is saved and restored across clean
4237  * shutdowns, but like unlogged relations, does not survive a crash. This can
4238  * be used in lieu of real LSN values returned by XLogInsert, if you need an
4239  * LSN-like increasing sequence of numbers without writing any WAL.
4240  */
4241 XLogRecPtr
4243 {
4244  XLogRecPtr nextUnloggedLSN;
4245 
4246  /* increment the unloggedLSN counter, need SpinLock */
4248  nextUnloggedLSN = XLogCtl->unloggedLSN++;
4250 
4251  return nextUnloggedLSN;
4252 }
4253 
4254 /*
4255  * Auto-tune the number of XLOG buffers.
4256  *
4257  * The preferred setting for wal_buffers is about 3% of shared_buffers, with
4258  * a maximum of one XLOG segment (there is little reason to think that more
4259  * is helpful, at least so long as we force an fsync when switching log files)
4260  * and a minimum of 8 blocks (which was the default value prior to PostgreSQL
4261  * 9.1, when auto-tuning was added).
4262  *
4263  * This should not be called until NBuffers has received its final value.
4264  */
4265 static int
4267 {
4268  int xbuffers;
4269 
4270  xbuffers = NBuffers / 32;
4271  if (xbuffers > (wal_segment_size / XLOG_BLCKSZ))
4272  xbuffers = (wal_segment_size / XLOG_BLCKSZ);
4273  if (xbuffers < 8)
4274  xbuffers = 8;
4275  return xbuffers;
4276 }
4277 
4278 /*
4279  * GUC check_hook for wal_buffers
4280  */
4281 bool
4283 {
4284  /*
4285  * -1 indicates a request for auto-tune.
4286  */
4287  if (*newval == -1)
4288  {
4289  /*
4290  * If we haven't yet changed the boot_val default of -1, just let it
4291  * be. We'll fix it when XLOGShmemSize is called.
4292  */
4293  if (XLOGbuffers == -1)
4294  return true;
4295 
4296  /* Otherwise, substitute the auto-tune value */
4298  }
4299 
4300  /*
4301  * We clamp manually-set values to at least 4 blocks. Prior to PostgreSQL
4302  * 9.1, a minimum of 4 was enforced by guc.c, but since that is no longer
4303  * the case, we just silently treat such values as a request for the
4304  * minimum. (We could throw an error instead, but that doesn't seem very
4305  * helpful.)
4306  */
4307  if (*newval < 4)
4308  *newval = 4;
4309 
4310  return true;
4311 }
4312 
4313 /*
4314  * Read the control file, set respective GUCs.
4315  *
4316  * This is to be called during startup, including a crash recovery cycle,
4317  * unless in bootstrap mode, where no control file yet exists. As there's no
4318  * usable shared memory yet (its sizing can depend on the contents of the
4319  * control file!), first store the contents in local memory. XLOGShmemInit()
4320  * will then copy it to shared memory later.
4321  *
4322  * reset just controls whether previous contents are to be expected (in the
4323  * reset case, there's a dangling pointer into old shared memory), or not.
4324  */
4325 void
4327 {
4328  Assert(reset || ControlFile == NULL);
4329  ControlFile = palloc(sizeof(ControlFileData));
4330  ReadControlFile();
4331 }
4332 
4333 /*
4334  * Initialization of shared memory for XLOG
4335  */
4336 Size
4338 {
4339  Size size;
4340 
4341  /*
4342  * If the value of wal_buffers is -1, use the preferred auto-tune value.
4343  * This isn't an amazingly clean place to do this, but we must wait till
4344  * NBuffers has received its final value, and must do it before using the
4345  * value of XLOGbuffers to do anything important.
4346  */
4347  if (XLOGbuffers == -1)
4348  {
4349  char buf[32];
4350 
4351  snprintf(buf, sizeof(buf), "%d", XLOGChooseNumBuffers());
4353  }
4354  Assert(XLOGbuffers > 0);
4355 
4356  /* XLogCtl */
4357  size = sizeof(XLogCtlData);
4358 
4359  /* WAL insertion locks, plus alignment */
4360  size = add_size(size, mul_size(sizeof(WALInsertLockPadded), NUM_XLOGINSERT_LOCKS + 1));
4361  /* xlblocks array */
4362  size = add_size(size, mul_size(sizeof(XLogRecPtr), XLOGbuffers));
4363  /* extra alignment padding for XLOG I/O buffers */
4364  size = add_size(size, XLOG_BLCKSZ);
4365  /* and the buffers themselves */
4366  size = add_size(size, mul_size(XLOG_BLCKSZ, XLOGbuffers));
4367 
4368  /*
4369  * Note: we don't count ControlFileData, it comes out of the "slop factor"
4370  * added by CreateSharedMemoryAndSemaphores. This lets us use this
4371  * routine again below to compute the actual allocation size.
4372  */
4373 
4374  return size;
4375 }
4376 
4377 void
4379 {
4380  bool foundCFile,
4381  foundXLog;
4382  char *allocptr;
4383  int i;
4384  ControlFileData *localControlFile;
4385 
4386 #ifdef WAL_DEBUG
4387 
4388  /*
4389  * Create a memory context for WAL debugging that's exempt from the normal
4390  * "no pallocs in critical section" rule. Yes, that can lead to a PANIC if
4391  * an allocation fails, but wal_debug is not for production use anyway.
4392  */
4393  if (walDebugCxt == NULL)
4394  {
4396  "WAL Debug",
4398  MemoryContextAllowInCriticalSection(walDebugCxt, true);
4399  }
4400 #endif
4401 
4402 
4403  XLogCtl = (XLogCtlData *)
4404  ShmemInitStruct("XLOG Ctl", XLOGShmemSize(), &foundXLog);
4405 
4406  localControlFile = ControlFile;
4408  ShmemInitStruct("Control File", sizeof(ControlFileData), &foundCFile);
4409 
4410  if (foundCFile || foundXLog)
4411  {
4412  /* both should be present or neither */
4413  Assert(foundCFile && foundXLog);
4414 
4415  /* Initialize local copy of WALInsertLocks */
4417 
4418  if (localControlFile)
4419  pfree(localControlFile);
4420  return;
4421  }
4422  memset(XLogCtl, 0, sizeof(XLogCtlData));
4423 
4424  /*
4425  * Already have read control file locally, unless in bootstrap mode. Move
4426  * contents into shared memory.
4427  */
4428  if (localControlFile)
4429  {
4430  memcpy(ControlFile, localControlFile, sizeof(ControlFileData));
4431  pfree(localControlFile);
4432  }
4433 
4434  /*
4435  * Since XLogCtlData contains XLogRecPtr fields, its sizeof should be a
4436  * multiple of the alignment for same, so no extra alignment padding is
4437  * needed here.
4438  */
4439  allocptr = ((char *) XLogCtl) + sizeof(XLogCtlData);
4440  XLogCtl->xlblocks = (XLogRecPtr *) allocptr;
4441  memset(XLogCtl->xlblocks, 0, sizeof(XLogRecPtr) * XLOGbuffers);
4442  allocptr += sizeof(XLogRecPtr) * XLOGbuffers;
4443 
4444 
4445  /* WAL insertion locks. Ensure they're aligned to the full padded size */
4446  allocptr += sizeof(WALInsertLockPadded) -
4447  ((uintptr_t) allocptr) % sizeof(WALInsertLockPadded);
4449  (WALInsertLockPadded *) allocptr;
4450  allocptr += sizeof(WALInsertLockPadded) * NUM_XLOGINSERT_LOCKS;
4451 
4452  for (i = 0; i < NUM_XLOGINSERT_LOCKS; i++)
4453  {
4457  }
4458 
4459  /*
4460  * Align the start of the page buffers to a full xlog block size boundary.
4461  * This simplifies some calculations in XLOG insertion. It is also
4462  * required for O_DIRECT.
4463  */
4464  allocptr = (char *) TYPEALIGN(XLOG_BLCKSZ, allocptr);
4465  XLogCtl->pages = allocptr;
4466  memset(XLogCtl->pages, 0, (Size) XLOG_BLCKSZ * XLOGbuffers);
4467 
4468  /*
4469  * Do basic initialization of XLogCtl shared data. (StartupXLOG will fill
4470  * in additional info.)
4471  */
4475  XLogCtl->WalWriterSleeping = false;
4476 
4480 }
4481 
4482 /*
4483  * This func must be called ONCE on system install. It creates pg_control
4484  * and the initial XLOG segment.
4485  */
4486 void
4488 {
4489  CheckPoint checkPoint;
4490  char *buffer;
4491  XLogPageHeader page;
4492  XLogLongPageHeader longpage;
4493  XLogRecord *record;
4494  char *recptr;
4495  uint64 sysidentifier;
4496  struct timeval tv;
4497  pg_crc32c crc;
4498 
4499  /* allow ordinary WAL segment creation, like StartupXLOG() would */
4500  LWLockAcquire(ControlFileLock, LW_EXCLUSIVE);
4502  LWLockRelease(ControlFileLock);
4503 
4504  /*
4505  * Select a hopefully-unique system identifier code for this installation.
4506  * We use the result of gettimeofday(), including the fractional seconds
4507  * field, as being about as unique as we can easily get. (Think not to
4508  * use random(), since it hasn't been seeded and there's no portable way
4509  * to seed it other than the system clock value...) The upper half of the
4510  * uint64 value is just the tv_sec part, while the lower half contains the
4511  * tv_usec part (which must fit in 20 bits), plus 12 bits from our current
4512  * PID for a little extra uniqueness. A person knowing this encoding can
4513  * determine the initialization time of the installation, which could
4514  * perhaps be useful sometimes.
4515  */
4516  gettimeofday(&tv, NULL);
4517  sysidentifier = ((uint64) tv.tv_sec) << 32;
4518  sysidentifier |= ((uint64) tv.tv_usec) << 12;
4519  sysidentifier |= getpid() & 0xFFF;
4520 
4521  /* page buffer must be aligned suitably for O_DIRECT */
4522  buffer = (char *) palloc(XLOG_BLCKSZ + XLOG_BLCKSZ);
4523  page = (XLogPageHeader) TYPEALIGN(XLOG_BLCKSZ, buffer);
4524  memset(page, 0, XLOG_BLCKSZ);
4525 
4526  /*
4527  * Set up information for the initial checkpoint record
4528  *
4529  * The initial checkpoint record is written to the beginning of the WAL
4530  * segment with logid=0 logseg=1. The very first WAL segment, 0/0, is not
4531  * used, so that we can use 0/0 to mean "before any valid WAL segment".
4532  */
4533  checkPoint.redo = wal_segment_size + SizeOfXLogLongPHD;
4534  checkPoint.ThisTimeLineID = BootstrapTimeLineID;
4535  checkPoint.PrevTimeLineID = BootstrapTimeLineID;
4536  checkPoint.fullPageWrites = fullPageWrites;
4537  checkPoint.nextXid =
4539  checkPoint.nextOid = FirstGenbkiObjectId;
4540  checkPoint.nextMulti = FirstMultiXactId;
4541  checkPoint.nextMultiOffset = 0;
4542  checkPoint.oldestXid = FirstNormalTransactionId;
4543  checkPoint.oldestXidDB = Template1DbOid;
4544  checkPoint.oldestMulti = FirstMultiXactId;
4545  checkPoint.oldestMultiDB = Template1DbOid;
4548  checkPoint.time = (pg_time_t) time(NULL);
4550 
4551  ShmemVariableCache->nextXid = checkPoint.nextXid;
4552  ShmemVariableCache->nextOid = checkPoint.nextOid;
4554  MultiXactSetNextMXact(checkPoint.nextMulti, checkPoint.nextMultiOffset);
4555  AdvanceOldestClogXid(checkPoint.oldestXid);
4556  SetTransactionIdLimit(checkPoint.oldestXid, checkPoint.oldestXidDB);
4557  SetMultiXactIdLimit(checkPoint.oldestMulti, checkPoint.oldestMultiDB, true);
4559 
4560  /* Set up the XLOG page header */
4561  page->xlp_magic = XLOG_PAGE_MAGIC;
4562  page->xlp_info = XLP_LONG_HEADER;
4563  page->xlp_tli = BootstrapTimeLineID;
4565  longpage = (XLogLongPageHeader) page;
4566  longpage->xlp_sysid = sysidentifier;
4567  longpage->xlp_seg_size = wal_segment_size;
4568  longpage->xlp_xlog_blcksz = XLOG_BLCKSZ;
4569 
4570  /* Insert the initial checkpoint record */
4571  recptr = ((char *) page + SizeOfXLogLongPHD);
4572  record = (XLogRecord *) recptr;
4573  record->xl_prev = 0;
4574  record->xl_xid = InvalidTransactionId;
4575  record->xl_tot_len = SizeOfXLogRecord + SizeOfXLogRecordDataHeaderShort + sizeof(checkPoint);
4577  record->xl_rmid = RM_XLOG_ID;
4578  recptr += SizeOfXLogRecord;
4579  /* fill the XLogRecordDataHeaderShort struct */
4580  *(recptr++) = (char) XLR_BLOCK_ID_DATA_SHORT;
4581  *(recptr++) = sizeof(checkPoint);
4582  memcpy(recptr, &checkPoint, sizeof(checkPoint));
4583  recptr += sizeof(checkPoint);
4584  Assert(recptr - (char *) record == record->xl_tot_len);
4585 
4586  INIT_CRC32C(crc);
4587  COMP_CRC32C(crc, ((char *) record) + SizeOfXLogRecord, record->xl_tot_len - SizeOfXLogRecord);
4588  COMP_CRC32C(crc, (char *) record, offsetof(XLogRecord, xl_crc));
4589  FIN_CRC32C(crc);
4590  record->xl_crc = crc;
4591 
4592  /* Create first XLOG segment file */
4595 
4596  /*
4597  * We needn't bother with Reserve/ReleaseExternalFD here, since we'll
4598  * close the file again in a moment.
4599  */
4600 
4601  /* Write the first page with the initial record */
4602  errno = 0;
4604  if (write(openLogFile, page, XLOG_BLCKSZ) != XLOG_BLCKSZ)
4605  {
4606  /* if write didn't set errno, assume problem is no disk space */
4607  if (errno == 0)
4608  errno = ENOSPC;
4609  ereport(PANIC,
4611  errmsg("could not write bootstrap write-ahead log file: %m")));
4612  }
4614 
4616  if (pg_fsync(openLogFile) != 0)
4617  ereport(PANIC,
4619  errmsg("could not fsync bootstrap write-ahead log file: %m")));
4621 
4622  if (close(openLogFile) != 0)
4623  ereport(PANIC,
4625  errmsg("could not close bootstrap write-ahead log file: %m")));
4626 
4627  openLogFile = -1;
4628 
4629  /* Now create pg_control */
4630  InitControlFile(sysidentifier);
4631  ControlFile->time = checkPoint.time;
4632  ControlFile->checkPoint = checkPoint.redo;
4633  ControlFile->checkPointCopy = checkPoint;
4634 
4635  /* some additional ControlFile fields are set in WriteControlFile() */
4636  WriteControlFile();
4637 
4638  /* Bootstrap the commit log, too */
4639  BootStrapCLOG();
4643 
4644  pfree(buffer);
4645 
4646  /*
4647  * Force control file to be read - in contrast to normal processing we'd
4648  * otherwise never run the checks and GUC related initializations therein.
4649  */
4650  ReadControlFile();
4651 }
4652 
4653 static char *
4655 {
4656  static char buf[128];
4657 
4658  pg_strftime(buf, sizeof(buf),
4659  "%Y-%m-%d %H:%M:%S %Z",
4660  pg_localtime(&tnow, log_timezone));
4661 
4662  return buf;
4663 }
4664 
4665 /*
4666  * Initialize the first WAL segment on new timeline.
4667  */
4668 static void
4670 {
4671  char xlogfname[MAXFNAMELEN];
4672  XLogSegNo endLogSegNo;
4673  XLogSegNo startLogSegNo;
4674 
4675  /* we always switch to a new timeline after archive recovery */
4676  Assert(endTLI != newTLI);
4677 
4678  /*
4679  * Update min recovery point one last time.
4680  */
4682 
4683  /*
4684  * Calculate the last segment on the old timeline, and the first segment
4685  * on the new timeline. If the switch happens in the middle of a segment,
4686  * they are the same, but if the switch happens exactly at a segment
4687  * boundary, startLogSegNo will be endLogSegNo + 1.
4688  */
4689  XLByteToPrevSeg(endOfLog, endLogSegNo, wal_segment_size);
4690  XLByteToSeg(endOfLog, startLogSegNo, wal_segment_size);
4691 
4692  /*
4693  * Initialize the starting WAL segment for the new timeline. If the switch
4694  * happens in the middle of a segment, copy data from the last WAL segment
4695  * of the old timeline up to the switch point, to the starting WAL segment
4696  * on the new timeline.
4697  */
4698  if (endLogSegNo == startLogSegNo)
4699  {
4700  /*
4701  * Make a copy of the file on the new timeline.
4702  *
4703  * Writing WAL isn't allowed yet, so there are no locking
4704  * considerations. But we should be just as tense as XLogFileInit to
4705  * avoid emplacing a bogus file.
4706  */
4707  XLogFileCopy(newTLI, endLogSegNo, endTLI, endLogSegNo,
4708  XLogSegmentOffset(endOfLog, wal_segment_size));
4709  }
4710  else
4711  {
4712  /*
4713  * The switch happened at a segment boundary, so just create the next
4714  * segment on the new timeline.
4715  */
4716  int fd;
4717 
4718  fd = XLogFileInit(startLogSegNo, newTLI);
4719 
4720  if (close(fd) != 0)
4721  {
4722  char xlogfname[MAXFNAMELEN];
4723  int save_errno = errno;
4724 
4725  XLogFileName(xlogfname, newTLI, startLogSegNo, wal_segment_size);
4726  errno = save_errno;
4727  ereport(ERROR,
4729  errmsg("could not close file \"%s\": %m", xlogfname)));
4730  }
4731  }
4732 
4733  /*
4734  * Let's just make real sure there are not .ready or .done flags posted
4735  * for the new segment.
4736  */
4737  XLogFileName(xlogfname, newTLI, startLogSegNo, wal_segment_size);
4738  XLogArchiveCleanup(xlogfname);
4739 }
4740 
4741 /*
4742  * Perform cleanup actions at the conclusion of archive recovery.
4743  */
4744 static void
4746  TimeLineID newTLI)
4747 {
4748  /*
4749  * Execute the recovery_end_command, if any.
4750  */
4751  if (recoveryEndCommand && strcmp(recoveryEndCommand, "") != 0)
4753  "recovery_end_command",
4754  true,
4756 
4757  /*
4758  * We switched to a new timeline. Clean up segments on the old timeline.
4759  *
4760  * If there are any higher-numbered segments on the old timeline, remove
4761  * them. They might contain valid WAL, but they might also be
4762  * pre-allocated files containing garbage. In any case, they are not part
4763  * of the new timeline's history so we don't need them.
4764  */
4765  RemoveNonParentXlogFiles(EndOfLog, newTLI);
4766 
4767  /*
4768  * If the switch happened in the middle of a segment, what to do with the
4769  * last, partial segment on the old timeline? If we don't archive it, and
4770  * the server that created the WAL never archives it either (e.g. because
4771  * it was hit by a meteor), it will never make it to the archive. That's
4772  * OK from our point of view, because the new segment that we created with
4773  * the new TLI contains all the WAL from the old timeline up to the switch
4774  * point. But if you later try to do PITR to the "missing" WAL on the old
4775  * timeline, recovery won't find it in the archive. It's physically
4776  * present in the new file with new TLI, but recovery won't look there
4777  * when it's recovering to the older timeline. On the other hand, if we
4778  * archive the partial segment, and the original server on that timeline
4779  * is still running and archives the completed version of the same segment
4780  * later, it will fail. (We used to do that in 9.4 and below, and it
4781  * caused such problems).
4782  *
4783  * As a compromise, we rename the last segment with the .partial suffix,
4784  * and archive it. Archive recovery will never try to read .partial
4785  * segments, so they will normally go unused. But in the odd PITR case,
4786  * the administrator can copy them manually to the pg_wal directory
4787  * (removing the suffix). They can be useful in debugging, too.
4788  *
4789  * If a .done or .ready file already exists for the old timeline, however,
4790  * we had already determined that the segment is complete, so we can let
4791  * it be archived normally. (In particular, if it was restored from the
4792  * archive to begin with, it's expected to have a .done file).
4793  */
4794  if (XLogSegmentOffset(EndOfLog, wal_segment_size) != 0 &&
4796  {
4797  char origfname[MAXFNAMELEN];
4798  XLogSegNo endLogSegNo;
4799 
4800  XLByteToPrevSeg(EndOfLog, endLogSegNo, wal_segment_size);
4801  XLogFileName(origfname, EndOfLogTLI, endLogSegNo, wal_segment_size);
4802 
4803  if (!XLogArchiveIsReadyOrDone(origfname))
4804  {
4805  char origpath[MAXPGPATH];
4806  char partialfname[MAXFNAMELEN];
4807  char partialpath[MAXPGPATH];
4808 
4809  XLogFilePath(origpath, EndOfLogTLI, endLogSegNo, wal_segment_size);
4810  snprintf(partialfname, MAXFNAMELEN, "%s.partial", origfname);
4811  snprintf(partialpath, MAXPGPATH, "%s.partial", origpath);
4812 
4813  /*
4814  * Make sure there's no .done or .ready file for the .partial
4815  * file.
4816  */
4817  XLogArchiveCleanup(partialfname);
4818 
4819  durable_rename(origpath, partialpath, ERROR);
4820  XLogArchiveNotify(partialfname);
4821  }
4822  }
4823 }
4824 
4825 /*
4826  * Check to see if required parameters are set high enough on this server
4827  * for various aspects of recovery operation.
4828  *
4829  * Note that all the parameters which this function tests need to be
4830  * listed in Administrator's Overview section in high-availability.sgml.
4831  * If you change them, don't forget to update the list.
4832  */
4833 static void
4835 {
4836  /*
4837  * For archive recovery, the WAL must be generated with at least 'replica'
4838  * wal_level.
4839  */
4841  {
4842  ereport(FATAL,
4843  (errmsg("WAL was generated with wal_level=minimal, cannot continue recovering"),
4844  errdetail("This happens if you temporarily set wal_level=minimal on the server."),
4845  errhint("Use a backup taken after setting wal_level to higher than minimal.")));
4846  }
4847 
4848  /*
4849  * For Hot Standby, the WAL must be generated with 'replica' mode, and we
4850  * must have at least as many backend slots as the primary.
4851  */
4853  {
4854  /* We ignore autovacuum_max_workers when we make this test. */
4855  RecoveryRequiresIntParameter("max_connections",
4858  RecoveryRequiresIntParameter("max_worker_processes",
4861  RecoveryRequiresIntParameter("max_wal_senders",
4864  RecoveryRequiresIntParameter("max_prepared_transactions",
4867  RecoveryRequiresIntParameter("max_locks_per_transaction",
4870  }
4871 }
4872 
4873 /*
4874  * This must be called ONCE during postmaster or standalone-backend startup
4875  */
4876 void
4878 {
4880  CheckPoint checkPoint;
4881  bool wasShutdown;
4882  bool didCrash;
4883  bool haveTblspcMap;
4884  bool haveBackupLabel;
4885  XLogRecPtr EndOfLog;
4886  TimeLineID EndOfLogTLI;
4887  TimeLineID newTLI;
4888  bool performedWalRecovery;
4889  EndOfWalRecoveryInfo *endOfRecoveryInfo;
4892  TransactionId oldestActiveXID;
4893  bool promoted = false;
4894 
4895  /*
4896  * We should have an aux process resource owner to use, and we should not
4897  * be in a transaction that's installed some other resowner.
4898  */
4900  Assert(CurrentResourceOwner == NULL ||
4903 
4904  /*
4905  * Check that contents look valid.
4906  */
4908  ereport(FATAL,
4909  (errmsg("control file contains invalid checkpoint location")));
4910 
4911  switch (ControlFile->state)
4912  {
4913  case DB_SHUTDOWNED:
4914 
4915  /*
4916  * This is the expected case, so don't be chatty in standalone
4917  * mode
4918  */
4920  (errmsg("database system was shut down at %s",
4921  str_time(ControlFile->time))));
4922  break;
4923 
4925  ereport(LOG,
4926  (errmsg("database system was shut down in recovery at %s",
4927  str_time(ControlFile->time))));
4928  break;
4929 
4930  case DB_SHUTDOWNING:
4931  ereport(LOG,
4932  (errmsg("database system shutdown was interrupted; last known up at %s",
4933  str_time(ControlFile->time))));
4934  break;
4935 
4936  case DB_IN_CRASH_RECOVERY:
4937  ereport(LOG,
4938  (errmsg("database system was interrupted while in recovery at %s",
4940  errhint("This probably means that some data is corrupted and"
4941  " you will have to use the last backup for recovery.")));
4942  break;
4943 
4945  ereport(LOG,
4946  (errmsg("database system was interrupted while in recovery at log time %s",
4948  errhint("If this has occurred more than once some data might be corrupted"
4949  " and you might need to choose an earlier recovery target.")));
4950  break;
4951 
4952  case DB_IN_PRODUCTION:
4953  ereport(LOG,
4954  (errmsg("database system was interrupted; last known up at %s",
4955  str_time(ControlFile->time))));
4956  break;
4957 
4958  default:
4959  ereport(FATAL,
4960  (errmsg("control file contains invalid database cluster state")));
4961  }
4962 
4963  /* This is just to allow attaching to startup process with a debugger */
4964 #ifdef XLOG_REPLAY_DELAY
4966  pg_usleep(60000000L);
4967 #endif
4968 
4969  /*
4970  * Verify that pg_wal and pg_wal/archive_status exist. In cases where
4971  * someone has performed a copy for PITR, these directories may have been
4972  * excluded and need to be re-created.
4973  */
4975 
4976  /* Set up timeout handler needed to report startup progress. */
4980 
4981  /*----------
4982  * If we previously crashed, perform a couple of actions:
4983  *
4984  * - The pg_wal directory may still include some temporary WAL segments
4985  * used when creating a new segment, so perform some clean up to not
4986  * bloat this path. This is done first as there is no point to sync
4987  * this temporary data.
4988  *
4989  * - There might be data which we had written, intending to fsync it, but
4990  * which we had not actually fsync'd yet. Therefore, a power failure in
4991  * the near future might cause earlier unflushed writes to be lost, even
4992  * though more recent data written to disk from here on would be
4993  * persisted. To avoid that, fsync the entire data directory.
4994  */
4995  if (ControlFile->state != DB_SHUTDOWNED &&
4997  {
5000  didCrash = true;
5001  }
5002  else
5003  didCrash = false;
5004 
5005  /*
5006  * Prepare for WAL recovery if needed.
5007  *
5008  * InitWalRecovery analyzes the control file and the backup label file, if
5009  * any. It updates the in-memory ControlFile buffer according to the
5010  * starting checkpoint, and sets InRecovery and ArchiveRecoveryRequested.
5011  * It also applies the tablespace map file, if any.
5012  */
5013  InitWalRecovery(ControlFile, &wasShutdown,
5014  &haveBackupLabel, &haveTblspcMap);
5015  checkPoint = ControlFile->checkPointCopy;
5016 
5017  /* initialize shared memory variables from the checkpoint record */
5018  ShmemVariableCache->nextXid = checkPoint.nextXid;
5019  ShmemVariableCache->nextOid = checkPoint.nextOid;
5021  MultiXactSetNextMXact(checkPoint.nextMulti, checkPoint.nextMultiOffset);
5022  AdvanceOldestClogXid(checkPoint.oldestXid);
5023  SetTransactionIdLimit(checkPoint.oldestXid, checkPoint.oldestXidDB);
5024  SetMultiXactIdLimit(checkPoint.oldestMulti, checkPoint.oldestMultiDB, true);
5026  checkPoint.newestCommitTsXid);
5027  XLogCtl->ckptFullXid = checkPoint.nextXid;
5028 
5029  /*
5030  * Clear out any old relcache cache files. This is *necessary* if we do
5031  * any WAL replay, since that would probably result in the cache files
5032  * being out of sync with database reality. In theory we could leave them
5033  * in place if the database had been cleanly shut down, but it seems
5034  * safest to just remove them always and let them be rebuilt during the
5035  * first backend startup. These files needs to be removed from all
5036  * directories including pg_tblspc, however the symlinks are created only
5037  * after reading tablespace_map file in case of archive recovery from
5038  * backup, so needs to clear old relcache files here after creating
5039  * symlinks.
5040  */
5042 
5043  /*
5044  * Initialize replication slots, before there's a chance to remove
5045  * required resources.
5046  */
5048 
5049  /*
5050  * Startup logical state, needs to be setup now so we have proper data
5051  * during crash recovery.
5052  */
5054 
5055  /*
5056  * Startup CLOG. This must be done after ShmemVariableCache->nextXid has
5057  * been initialized and before we accept connections or begin WAL replay.
5058  */
5059  StartupCLOG();
5060 
5061  /*
5062  * Startup MultiXact. We need to do this early to be able to replay
5063  * truncations.
5064  */
5065  StartupMultiXact();
5066 
5067  /*
5068  * Ditto for commit timestamps. Activate the facility if the setting is
5069  * enabled in the control file, as there should be no tracking of commit
5070  * timestamps done when the setting was disabled. This facility can be
5071  * started or stopped when replaying a XLOG_PARAMETER_CHANGE record.
5072  */
5074  StartupCommitTs();
5075 
5076  /*
5077  * Recover knowledge about replay progress of known replication partners.
5078  */
5080 
5081  /*
5082  * Initialize unlogged LSN. On a clean shutdown, it's restored from the
5083  * control file. On recovery, all unlogged relations are blown away, so
5084  * the unlogged LSN counter can be reset too.
5085  */
5088  else
5090 
5091  /*
5092  * Copy any missing timeline history files between 'now' and the recovery
5093  * target timeline from archive to pg_wal. While we don't need those files
5094  * ourselves - the history file of the recovery target timeline covers all
5095  * the previous timelines in the history too - a cascading standby server
5096  * might be interested in them. Or, if you archive the WAL from this
5097  * server to a different archive than the primary, it'd be good for all
5098  * the history files to get archived there after failover, so that you can
5099  * use one of the old timelines as a PITR target. Timeline history files
5100  * are small, so it's better to copy them unnecessarily than not copy them
5101  * and regret later.
5102  */
5104 
5105  /*
5106  * Before running in recovery, scan pg_twophase and fill in its status to
5107  * be able to work on entries generated by redo. Doing a scan before
5108  * taking any recovery action has the merit to discard any 2PC files that
5109  * are newer than the first record to replay, saving from any conflicts at
5110  * replay. This avoids as well any subsequent scans when doing recovery
5111  * of the on-disk two-phase data.
5112  */
5114 
5115  /*
5116  * When starting with crash recovery, reset pgstat data - it might not be
5117  * valid. Otherwise restore pgstat data. It's safe to do this here,
5118  * because postmaster will not yet have started any other processes.
5119  *
5120  * NB: Restoring replication slot stats relies on slot state to have
5121  * already been restored from disk.
5122  *
5123  * TODO: With a bit of extra work we could just start with a pgstat file
5124  * associated with the checkpoint redo location we're starting from.
5125  */
5126  if (didCrash)
5128  else
5130 
5131  lastFullPageWrites = checkPoint.fullPageWrites;
5132 
5135 
5136  /* REDO */
5137  if (InRecovery)
5138  {
5139  /* Initialize state for RecoveryInProgress() */
5141  if (InArchiveRecovery)
5143  else
5146 
5147  /*
5148  * Update pg_control to show that we are recovering and to show the
5149  * selected checkpoint as the place we are starting from. We also mark
5150  * pg_control with any minimum recovery stop point obtained from a
5151  * backup history file.
5152  *
5153  * No need to hold ControlFileLock yet, we aren't up far enough.
5154  */
5156 
5157  /*
5158  * If there was a backup label file, it's done its job and the info
5159  * has now been propagated into pg_control. We must get rid of the
5160  * label file so that if we crash during recovery, we'll pick up at
5161  * the latest recovery restartpoint instead of going all the way back
5162  * to the backup start point. It seems prudent though to just rename
5163  * the file out of the way rather than delete it completely.
5164  */
5165  if (haveBackupLabel)
5166  {
5167  unlink(BACKUP_LABEL_OLD);
5169  }
5170 
5171  /*
5172  * If there was a tablespace_map file, it's done its job and the
5173  * symlinks have been created. We must get rid of the map file so
5174  * that if we crash during recovery, we don't create symlinks again.
5175  * It seems prudent though to just rename the file out of the way
5176  * rather than delete it completely.
5177  */
5178  if (haveTblspcMap)
5179  {
5180  unlink(TABLESPACE_MAP_OLD);
5182  }
5183 
5184  /*
5185  * Initialize our local copy of minRecoveryPoint. When doing crash
5186  * recovery we want to replay up to the end of WAL. Particularly, in
5187  * the case of a promoted standby minRecoveryPoint value in the
5188  * control file is only updated after the first checkpoint. However,
5189  * if the instance crashes before the first post-recovery checkpoint
5190  * is completed then recovery will use a stale location causing the
5191  * startup process to think that there are still invalid page
5192  * references when checking for data consistency.
5193  */
5194  if (InArchiveRecovery)
5195  {
5198  }
5199  else
5200  {
5203  }
5204 
5205  /* Check that the GUCs used to generate the WAL allow recovery */
5207 
5208  /*
5209  * We're in recovery, so unlogged relations may be trashed and must be
5210  * reset. This should be done BEFORE allowing Hot Standby
5211  * connections, so that read-only backends don't try to read whatever
5212  * garbage is left over from before.
5213  */
5215 
5216  /*
5217  * Likewise, delete any saved transaction snapshot files that got left
5218  * behind by crashed backends.
5219  */
5221 
5222  /*
5223  * Initialize for Hot Standby, if enabled. We won't let backends in
5224  * yet, not until we've reached the min recovery point specified in
5225  * control file and we've established a recovery snapshot from a
5226  * running-xacts WAL record.
5227  */
5229  {
5230  TransactionId *xids;
5231  int nxids;
5232 
5233  ereport(DEBUG1,
5234  (errmsg_internal("initializing for hot standby")));
5235 
5237 
5238  if (wasShutdown)
5239  oldestActiveXID = PrescanPreparedTransactions(&xids, &nxids);
5240  else
5241  oldestActiveXID = checkPoint.oldestActiveXid;
5242  Assert(TransactionIdIsValid(oldestActiveXID));
5243 
5244  /* Tell procarray about the range of xids it has to deal with */
5246 
5247  /*
5248  * Startup subtrans only. CLOG, MultiXact and commit timestamp
5249  * have already been started up and other SLRUs are not maintained
5250  * during recovery and need not be started yet.
5251  */
5252  StartupSUBTRANS(oldestActiveXID);
5253 
5254  /*
5255  * If we're beginning at a shutdown checkpoint, we know that
5256  * nothing was running on the primary at this point. So fake-up an
5257  * empty running-xacts record and use that here and now. Recover
5258  * additional standby state for prepared transactions.
5259  */
5260  if (wasShutdown)
5261  {
5262  RunningTransactionsData running;
5263  TransactionId latestCompletedXid;
5264 
5265  /*
5266  * Construct a RunningTransactions snapshot representing a
5267  * shut down server, with only prepared transactions still
5268  * alive. We're never overflowed at this point because all
5269  * subxids are listed with their parent prepared transactions.
5270  */
5271  running.xcnt = nxids;
5272  running.subxcnt = 0;
5273  running.subxid_overflow = false;
5274  running.nextXid = XidFromFullTransactionId(checkPoint.nextXid);
5275  running.oldestRunningXid = oldestActiveXID;
5276  latestCompletedXid = XidFromFullTransactionId(checkPoint.nextXid);
5277  TransactionIdRetreat(latestCompletedXid);
5278  Assert(TransactionIdIsNormal(latestCompletedXid));
5279  running.latestCompletedXid = latestCompletedXid;
5280  running.xids = xids;
5281 
5282  ProcArrayApplyRecoveryInfo(&running);
5283 
5285  }
5286  }
5287 
5288  /*
5289  * We're all set for replaying the WAL now. Do it.
5290  */
5292  performedWalRecovery = true;
5293  }
5294  else
5295  performedWalRecovery = false;
5296 
5297  /*
5298  * Finish WAL recovery.
5299  */
5300  endOfRecoveryInfo = FinishWalRecovery();
5301  EndOfLog = endOfRecoveryInfo->endOfLog;
5302  EndOfLogTLI = endOfRecoveryInfo->endOfLogTLI;
5303  abortedRecPtr = endOfRecoveryInfo->abortedRecPtr;
5304  missingContrecPtr = endOfRecoveryInfo->missingContrecPtr;
5305 
5306  /*
5307  * When recovering from a backup (we are in recovery, and archive recovery
5308  * was requested), complain if we did not roll forward far enough to reach
5309  * the point where the database is consistent. For regular online
5310  * backup-from-primary, that means reaching the end-of-backup WAL record
5311  * (at which point we reset backupStartPoint to be Invalid), for
5312  * backup-from-replica (which can't inject records into the WAL stream),
5313  * that point is when we reach the minRecoveryPoint in pg_control (which
5314  * we purposefully copy last when backing up from a replica). For
5315  * pg_rewind (which creates a backup_label with a method of "pg_rewind")
5316  * or snapshot-style backups (which don't), backupEndRequired will be set
5317  * to false.
5318  *
5319  * Note: it is indeed okay to look at the local variable
5320  * LocalMinRecoveryPoint here, even though ControlFile->minRecoveryPoint
5321  * might be further ahead --- ControlFile->minRecoveryPoint cannot have
5322  * been advanced beyond the WAL we processed.
5323  */
5324  if (InRecovery &&
5325  (EndOfLog < LocalMinRecoveryPoint ||
5327  {
5328  /*
5329  * Ran off end of WAL before reaching end-of-backup WAL record, or
5330  * minRecoveryPoint. That's a bad sign, indicating that you tried to
5331  * recover from an online backup but never called pg_backup_stop(), or
5332  * you didn't archive all the WAL needed.
5333  */
5335  {
5337  ereport(FATAL,
5338  (errmsg("WAL ends before end of online backup"),
5339  errhint("All WAL generated while online backup was taken must be available at recovery.")));
5340  else
5341  ereport(FATAL,
5342  (errmsg("WAL ends before consistent recovery point")));
5343  }
5344  }
5345 
5346  /*
5347  * Reset unlogged relations to the contents of their INIT fork. This is
5348  * done AFTER recovery is complete so as to include any unlogged relations
5349  * created during recovery, but BEFORE recovery is marked as having
5350  * completed successfully. Otherwise we'd not retry if any of the post
5351  * end-of-recovery steps fail.
5352  */
5353  if (InRecovery)
5355 
5356  /*
5357  * Pre-scan prepared transactions to find out the range of XIDs present.
5358  * This information is not quite needed yet, but it is positioned here so
5359  * as potential problems are detected before any on-disk change is done.
5360  */
5361  oldestActiveXID = PrescanPreparedTransactions(NULL, NULL);
5362 
5363  /*
5364  * Allow ordinary WAL segment creation before possibly switching to a new
5365  * timeline, which creates a new segment, and after the last ReadRecord().
5366  */
5367  LWLockAcquire(ControlFileLock, LW_EXCLUSIVE);
5369  LWLockRelease(ControlFileLock);
5370 
5371  /*
5372  * Consider whether we need to assign a new timeline ID.
5373  *
5374  * If we did archive recovery, we always assign a new ID. This handles a
5375  * couple of issues. If we stopped short of the end of WAL during
5376  * recovery, then we are clearly generating a new timeline and must assign
5377  * it a unique new ID. Even if we ran to the end, modifying the current
5378  * last segment is problematic because it may result in trying to
5379  * overwrite an already-archived copy of that segment, and we encourage
5380  * DBAs to make their archive_commands reject that. We can dodge the
5381  * problem by making the new active segment have a new timeline ID.
5382  *
5383  * In a normal crash recovery, we can just extend the timeline we were in.
5384  */
5385  newTLI = endOfRecoveryInfo->lastRecTLI;
5387  {
5388  newTLI = findNewestTimeLine(recoveryTargetTLI) + 1;
5389  ereport(LOG,
5390  (errmsg("selected new timeline ID: %u", newTLI)));
5391 
5392  /*
5393  * Make a writable copy of the last WAL segment. (Note that we also
5394  * have a copy of the last block of the old WAL in
5395  * endOfRecovery->lastPage; we will use that below.)
5396  */
5397  XLogInitNewTimeline(EndOfLogTLI, EndOfLog, newTLI);
5398 
5399  /*
5400  * Remove the signal files out of the way, so that we don't
5401  * accidentally re-enter archive recovery mode in a subsequent crash.
5402  */
5403  if (endOfRecoveryInfo->standby_signal_file_found)
5405 
5406  if (endOfRecoveryInfo->recovery_signal_file_found)
5408 
5409  /*
5410  * Write the timeline history file, and have it archived. After this
5411  * point (or rather, as soon as the file is archived), the timeline
5412  * will appear as "taken" in the WAL archive and to any standby
5413  * servers. If we crash before actually switching to the new
5414  * timeline, standby servers will nevertheless think that we switched
5415  * to the new timeline, and will try to connect to the new timeline.
5416  * To minimize the window for that, try to do as little as possible
5417  * between here and writing the end-of-recovery record.
5418  */
5420  EndOfLog, endOfRecoveryInfo->recoveryStopReason);
5421 
5422  ereport(LOG,
5423  (errmsg("archive recovery complete")));
5424  }
5425 
5426  /* Save the selected TimeLineID in shared memory, too */
5427  XLogCtl->InsertTimeLineID = newTLI;
5428  XLogCtl->PrevTimeLineID = endOfRecoveryInfo->lastRecTLI;
5429 
5430  /*
5431  * Actually, if WAL ended in an incomplete record, skip the parts that
5432  * made it through and start writing after the portion that persisted.
5433  * (It's critical to first write an OVERWRITE_CONTRECORD message, which
5434  * we'll do as soon as we're open for writing new WAL.)
5435  */
5437  {
5439  EndOfLog = missingContrecPtr;
5440  }
5441 
5442  /*
5443  * Prepare to write WAL starting at EndOfLog location, and init xlog
5444  * buffer cache using the block containing the last record from the
5445  * previous incarnation.
5446  */
5447  Insert = &XLogCtl->Insert;
5448  Insert->PrevBytePos = XLogRecPtrToBytePos(endOfRecoveryInfo->lastRec);
5449  Insert->CurrBytePos = XLogRecPtrToBytePos(EndOfLog);
5450 
5451  /*
5452  * Tricky point here: lastPage contains the *last* block that the LastRec
5453  * record spans, not the one it starts in. The last block is indeed the
5454  * one we want to use.
5455  */
5456  if (EndOfLog % XLOG_BLCKSZ != 0)
5457  {
5458  char *page;
5459  int len;
5460  int firstIdx;
5461 
5462  firstIdx = XLogRecPtrToBufIdx(EndOfLog);
5463  len = EndOfLog - endOfRecoveryInfo->lastPageBeginPtr;
5464  Assert(len < XLOG_BLCKSZ);
5465 
5466  /* Copy the valid part of the last block, and zero the rest */
5467  page = &XLogCtl->pages[firstIdx * XLOG_BLCKSZ];
5468  memcpy(page, endOfRecoveryInfo->lastPage, len);
5469  memset(page + len, 0, XLOG_BLCKSZ - len);
5470 
5471  XLogCtl->xlblocks[firstIdx] = endOfRecoveryInfo->lastPageBeginPtr + XLOG_BLCKSZ;
5472  XLogCtl->InitializedUpTo = endOfRecoveryInfo->lastPageBeginPtr + XLOG_BLCKSZ;
5473  }
5474  else
5475  {
5476  /*
5477  * There is no partial block to copy. Just set InitializedUpTo, and
5478  * let the first attempt to insert a log record to initialize the next
5479  * buffer.
5480  */
5481  XLogCtl->InitializedUpTo = EndOfLog;
5482  }
5483 
5484  LogwrtResult.Write = LogwrtResult.Flush = EndOfLog;
5485 
5487 
5488  XLogCtl->LogwrtRqst.Write = EndOfLog;
5489  XLogCtl->LogwrtRqst.Flush = EndOfLog;
5490 
5491  /*
5492  * Preallocate additional log files, if wanted.
5493  */
5494  PreallocXlogFiles(EndOfLog, newTLI);
5495 
5496  /*
5497  * Okay, we're officially UP.
5498  */
5499  InRecovery = false;
5500 
5501  /* start the archive_timeout timer and LSN running */
5502  XLogCtl->lastSegSwitchTime = (pg_time_t) time(NULL);
5503  XLogCtl->lastSegSwitchLSN = EndOfLog;
5504 
5505  /* also initialize latestCompletedXid, to nextXid - 1 */
5506  LWLockAcquire(ProcArrayLock, LW_EXCLUSIVE);
5509  LWLockRelease(ProcArrayLock);
5510 
5511  /*
5512  * Start up subtrans, if not already done for hot standby. (commit
5513  * timestamps are started below, if necessary.)
5514  */
5516  StartupSUBTRANS(oldestActiveXID);
5517 
5518  /*
5519  * Perform end of recovery actions for any SLRUs that need it.
5520  */
5521  TrimCLOG();
5522  TrimMultiXact();
5523 
5524  /* Reload shared-memory state for prepared transactions */
5526 
5527  /* Shut down xlogreader */
5529 
5530  /* Enable WAL writes for this backend only. */
5532 
5533  /* If necessary, write overwrite-contrecord before doing anything else */
5535  {
5538  }
5539 
5540  /*
5541  * Update full_page_writes in shared memory and write an XLOG_FPW_CHANGE
5542  * record before resource manager writes cleanup WAL records or checkpoint
5543  * record is written.
5544  */
5545  Insert->fullPageWrites = lastFullPageWrites;
5547 
5548  /*
5549  * Emit checkpoint or end-of-recovery record in XLOG, if required.
5550  */
5551  if (performedWalRecovery)
5552  promoted = PerformRecoveryXLogAction();
5553 
5554  /*
5555  * If any of the critical GUCs have changed, log them before we allow
5556  * backends to write WAL.
5557  */
5559 
5560  /* If this is archive recovery, perform post-recovery cleanup actions. */
5562  CleanupAfterArchiveRecovery(EndOfLogTLI, EndOfLog, newTLI);
5563 
5564  /*
5565  * Local WAL inserts enabled, so it's time to finish initialization of
5566  * commit timestamp.
5567  */
5569 
5570  /*
5571  * All done with end-of-recovery actions.
5572  *
5573  * Now allow backends to write WAL and update the control file status in
5574  * consequence. SharedRecoveryState, that controls if backends can write
5575  * WAL, is updated while holding ControlFileLock to prevent other backends
5576  * to look at an inconsistent state of the control file in shared memory.
5577  * There is still a small window during which backends can write WAL and
5578  * the control file is still referring to a system not in DB_IN_PRODUCTION
5579  * state while looking at the on-disk control file.
5580  *
5581  * Also, we use info_lck to update SharedRecoveryState to ensure that
5582  * there are no race conditions concerning visibility of other recent
5583  * updates to shared memory.
5584  */
5585  LWLockAcquire(ControlFileLock, LW_EXCLUSIVE);
5587 
5591 
5593  LWLockRelease(ControlFileLock);
5594 
5595  /*
5596  * Shutdown the recovery environment. This must occur after
5597  * RecoverPreparedTransactions() (see notes in lock_twophase_recover())