PostgreSQL Source Code  git master
xlog.c
Go to the documentation of this file.
1 /*-------------------------------------------------------------------------
2  *
3  * xlog.c
4  * PostgreSQL write-ahead log manager
5  *
6  * The Write-Ahead Log (WAL) functionality is split into several source
7  * files, in addition to this one:
8  *
9  * xloginsert.c - Functions for constructing WAL records
10  * xlogrecovery.c - WAL recovery and standby code
11  * xlogreader.c - Facility for reading WAL files and parsing WAL records
12  * xlogutils.c - Helper functions for WAL redo routines
13  *
14  * This file contains functions for coordinating database startup and
15  * checkpointing, and managing the write-ahead log buffers when the
16  * system is running.
17  *
18  * StartupXLOG() is the main entry point of the startup process. It
19  * coordinates database startup, performing WAL recovery, and the
20  * transition from WAL recovery into normal operations.
21  *
22  * XLogInsertRecord() inserts a WAL record into the WAL buffers. Most
23  * callers should not call this directly, but use the functions in
24  * xloginsert.c to construct the WAL record. XLogFlush() can be used
25  * to force the WAL to disk.
26  *
27  * In addition to those, there are many other functions for interrogating
28  * the current system state, and for starting/stopping backups.
29  *
30  *
31  * Portions Copyright (c) 1996-2024, PostgreSQL Global Development Group
32  * Portions Copyright (c) 1994, Regents of the University of California
33  *
34  * src/backend/access/transam/xlog.c
35  *
36  *-------------------------------------------------------------------------
37  */
38 
39 #include "postgres.h"
40 
41 #include <ctype.h>
42 #include <math.h>
43 #include <time.h>
44 #include <fcntl.h>
45 #include <sys/stat.h>
46 #include <sys/time.h>
47 #include <unistd.h>
48 
49 #include "access/clog.h"
50 #include "access/commit_ts.h"
51 #include "access/heaptoast.h"
52 #include "access/multixact.h"
53 #include "access/rewriteheap.h"
54 #include "access/subtrans.h"
55 #include "access/timeline.h"
56 #include "access/transam.h"
57 #include "access/twophase.h"
58 #include "access/xact.h"
59 #include "access/xlog_internal.h"
60 #include "access/xlogarchive.h"
61 #include "access/xloginsert.h"
62 #include "access/xlogreader.h"
63 #include "access/xlogrecovery.h"
64 #include "access/xlogutils.h"
65 #include "backup/basebackup.h"
66 #include "catalog/catversion.h"
67 #include "catalog/pg_control.h"
68 #include "catalog/pg_database.h"
70 #include "common/file_utils.h"
71 #include "executor/instrument.h"
72 #include "miscadmin.h"
73 #include "pg_trace.h"
74 #include "pgstat.h"
75 #include "port/atomics.h"
76 #include "port/pg_iovec.h"
77 #include "postmaster/bgwriter.h"
78 #include "postmaster/startup.h"
80 #include "postmaster/walwriter.h"
81 #include "replication/origin.h"
82 #include "replication/slot.h"
83 #include "replication/snapbuild.h"
85 #include "replication/walsender.h"
86 #include "storage/bufmgr.h"
87 #include "storage/fd.h"
88 #include "storage/ipc.h"
89 #include "storage/large_object.h"
90 #include "storage/latch.h"
91 #include "storage/predicate.h"
92 #include "storage/proc.h"
93 #include "storage/procarray.h"
94 #include "storage/reinit.h"
95 #include "storage/spin.h"
96 #include "storage/sync.h"
97 #include "utils/guc_hooks.h"
98 #include "utils/guc_tables.h"
99 #include "utils/injection_point.h"
100 #include "utils/memutils.h"
101 #include "utils/ps_status.h"
102 #include "utils/relmapper.h"
103 #include "utils/snapmgr.h"
104 #include "utils/timeout.h"
105 #include "utils/timestamp.h"
106 #include "utils/varlena.h"
107 
108 /* timeline ID to be used when bootstrapping */
109 #define BootstrapTimeLineID 1
110 
111 /* User-settable parameters */
112 int max_wal_size_mb = 1024; /* 1 GB */
113 int min_wal_size_mb = 80; /* 80 MB */
115 int XLOGbuffers = -1;
118 char *XLogArchiveCommand = NULL;
119 bool EnableHotStandby = false;
120 bool fullPageWrites = true;
121 bool wal_log_hints = false;
125 bool wal_init_zero = true;
126 bool wal_recycle = true;
127 bool log_checkpoints = true;
130 int CommitDelay = 0; /* precommit delay in microseconds */
131 int CommitSiblings = 5; /* # concurrent xacts needed to sleep */
134 int wal_decode_buffer_size = 512 * 1024;
135 bool track_wal_io_timing = false;
136 
137 #ifdef WAL_DEBUG
138 bool XLOG_DEBUG = false;
139 #endif
140 
142 
143 /*
144  * Number of WAL insertion locks to use. A higher value allows more insertions
145  * to happen concurrently, but adds some CPU overhead to flushing the WAL,
146  * which needs to iterate all the locks.
147  */
148 #define NUM_XLOGINSERT_LOCKS 8
149 
150 /*
151  * Max distance from last checkpoint, before triggering a new xlog-based
152  * checkpoint.
153  */
155 
156 /* Estimated distance between checkpoints, in bytes */
157 static double CheckPointDistanceEstimate = 0;
158 static double PrevCheckPointDistance = 0;
159 
160 /*
161  * Track whether there were any deferred checks for custom resource managers
162  * specified in wal_consistency_checking.
163  */
165 
166 /*
167  * GUC support
168  */
170  {"fsync", WAL_SYNC_METHOD_FSYNC, false},
171 #ifdef HAVE_FSYNC_WRITETHROUGH
172  {"fsync_writethrough", WAL_SYNC_METHOD_FSYNC_WRITETHROUGH, false},
173 #endif
174  {"fdatasync", WAL_SYNC_METHOD_FDATASYNC, false},
175 #ifdef O_SYNC
176  {"open_sync", WAL_SYNC_METHOD_OPEN, false},
177 #endif
178 #ifdef O_DSYNC
179  {"open_datasync", WAL_SYNC_METHOD_OPEN_DSYNC, false},
180 #endif
181  {NULL, 0, false}
182 };
183 
184 
185 /*
186  * Although only "on", "off", and "always" are documented,
187  * we accept all the likely variants of "on" and "off".
188  */
189 const struct config_enum_entry archive_mode_options[] = {
190  {"always", ARCHIVE_MODE_ALWAYS, false},
191  {"on", ARCHIVE_MODE_ON, false},
192  {"off", ARCHIVE_MODE_OFF, false},
193  {"true", ARCHIVE_MODE_ON, true},
194  {"false", ARCHIVE_MODE_OFF, true},
195  {"yes", ARCHIVE_MODE_ON, true},
196  {"no", ARCHIVE_MODE_OFF, true},
197  {"1", ARCHIVE_MODE_ON, true},
198  {"0", ARCHIVE_MODE_OFF, true},
199  {NULL, 0, false}
200 };
201 
202 /*
203  * Statistics for current checkpoint are collected in this global struct.
204  * Because only the checkpointer or a stand-alone backend can perform
205  * checkpoints, this will be unused in normal backends.
206  */
208 
209 /*
210  * During recovery, lastFullPageWrites keeps track of full_page_writes that
211  * the replayed WAL records indicate. It's initialized with full_page_writes
212  * that the recovery starting checkpoint record indicates, and then updated
213  * each time XLOG_FPW_CHANGE record is replayed.
214  */
215 static bool lastFullPageWrites;
216 
217 /*
218  * Local copy of the state tracked by SharedRecoveryState in shared memory,
219  * It is false if SharedRecoveryState is RECOVERY_STATE_DONE. True actually
220  * means "not known, need to check the shared state".
221  */
222 static bool LocalRecoveryInProgress = true;
223 
224 /*
225  * Local state for XLogInsertAllowed():
226  * 1: unconditionally allowed to insert XLOG
227  * 0: unconditionally not allowed to insert XLOG
228  * -1: must check RecoveryInProgress(); disallow until it is false
229  * Most processes start with -1 and transition to 1 after seeing that recovery
230  * is not in progress. But we can also force the value for special cases.
231  * The coding in XLogInsertAllowed() depends on the first two of these states
232  * being numerically the same as bool true and false.
233  */
234 static int LocalXLogInsertAllowed = -1;
235 
236 /*
237  * ProcLastRecPtr points to the start of the last XLOG record inserted by the
238  * current backend. It is updated for all inserts. XactLastRecEnd points to
239  * end+1 of the last record, and is reset when we end a top-level transaction,
240  * or start a new one; so it can be used to tell if the current transaction has
241  * created any XLOG records.
242  *
243  * While in parallel mode, this may not be fully up to date. When committing,
244  * a transaction can assume this covers all xlog records written either by the
245  * user backend or by any parallel worker which was present at any point during
246  * the transaction. But when aborting, or when still in parallel mode, other
247  * parallel backends may have written WAL records at later LSNs than the value
248  * stored here. The parallel leader advances its own copy, when necessary,
249  * in WaitForParallelWorkersToFinish.
250  */
254 
255 /*
256  * RedoRecPtr is this backend's local copy of the REDO record pointer
257  * (which is almost but not quite the same as a pointer to the most recent
258  * CHECKPOINT record). We update this from the shared-memory copy,
259  * XLogCtl->Insert.RedoRecPtr, whenever we can safely do so (ie, when we
260  * hold an insertion lock). See XLogInsertRecord for details. We are also
261  * allowed to update from XLogCtl->RedoRecPtr if we hold the info_lck;
262  * see GetRedoRecPtr.
263  *
264  * NB: Code that uses this variable must be prepared not only for the
265  * possibility that it may be arbitrarily out of date, but also for the
266  * possibility that it might be set to InvalidXLogRecPtr. We used to
267  * initialize it as a side effect of the first call to RecoveryInProgress(),
268  * which meant that most code that might use it could assume that it had a
269  * real if perhaps stale value. That's no longer the case.
270  */
272 
273 /*
274  * doPageWrites is this backend's local copy of (fullPageWrites ||
275  * runningBackups > 0). It is used together with RedoRecPtr to decide whether
276  * a full-page image of a page need to be taken.
277  *
278  * NB: Initially this is false, and there's no guarantee that it will be
279  * initialized to any other value before it is first used. Any code that
280  * makes use of it must recheck the value after obtaining a WALInsertLock,
281  * and respond appropriately if it turns out that the previous value wasn't
282  * accurate.
283  */
284 static bool doPageWrites;
285 
286 /*----------
287  * Shared-memory data structures for XLOG control
288  *
289  * LogwrtRqst indicates a byte position that we need to write and/or fsync
290  * the log up to (all records before that point must be written or fsynced).
291  * The positions already written/fsynced are maintained in logWriteResult
292  * and logFlushResult using atomic access.
293  * In addition to the shared variable, each backend has a private copy of
294  * both in LogwrtResult, which is updated when convenient.
295  *
296  * The request bookkeeping is simpler: there is a shared XLogCtl->LogwrtRqst
297  * (protected by info_lck), but we don't need to cache any copies of it.
298  *
299  * info_lck is only held long enough to read/update the protected variables,
300  * so it's a plain spinlock. The other locks are held longer (potentially
301  * over I/O operations), so we use LWLocks for them. These locks are:
302  *
303  * WALBufMappingLock: must be held to replace a page in the WAL buffer cache.
304  * It is only held while initializing and changing the mapping. If the
305  * contents of the buffer being replaced haven't been written yet, the mapping
306  * lock is released while the write is done, and reacquired afterwards.
307  *
308  * WALWriteLock: must be held to write WAL buffers to disk (XLogWrite or
309  * XLogFlush).
310  *
311  * ControlFileLock: must be held to read/update control file or create
312  * new log file.
313  *
314  *----------
315  */
316 
317 typedef struct XLogwrtRqst
318 {
319  XLogRecPtr Write; /* last byte + 1 to write out */
320  XLogRecPtr Flush; /* last byte + 1 to flush */
322 
323 typedef struct XLogwrtResult
324 {
325  XLogRecPtr Write; /* last byte + 1 written out */
326  XLogRecPtr Flush; /* last byte + 1 flushed */
328 
329 /*
330  * Inserting to WAL is protected by a small fixed number of WAL insertion
331  * locks. To insert to the WAL, you must hold one of the locks - it doesn't
332  * matter which one. To lock out other concurrent insertions, you must hold
333  * of them. Each WAL insertion lock consists of a lightweight lock, plus an
334  * indicator of how far the insertion has progressed (insertingAt).
335  *
336  * The insertingAt values are read when a process wants to flush WAL from
337  * the in-memory buffers to disk, to check that all the insertions to the
338  * region the process is about to write out have finished. You could simply
339  * wait for all currently in-progress insertions to finish, but the
340  * insertingAt indicator allows you to ignore insertions to later in the WAL,
341  * so that you only wait for the insertions that are modifying the buffers
342  * you're about to write out.
343  *
344  * This isn't just an optimization. If all the WAL buffers are dirty, an
345  * inserter that's holding a WAL insert lock might need to evict an old WAL
346  * buffer, which requires flushing the WAL. If it's possible for an inserter
347  * to block on another inserter unnecessarily, deadlock can arise when two
348  * inserters holding a WAL insert lock wait for each other to finish their
349  * insertion.
350  *
351  * Small WAL records that don't cross a page boundary never update the value,
352  * the WAL record is just copied to the page and the lock is released. But
353  * to avoid the deadlock-scenario explained above, the indicator is always
354  * updated before sleeping while holding an insertion lock.
355  *
356  * lastImportantAt contains the LSN of the last important WAL record inserted
357  * using a given lock. This value is used to detect if there has been
358  * important WAL activity since the last time some action, like a checkpoint,
359  * was performed - allowing to not repeat the action if not. The LSN is
360  * updated for all insertions, unless the XLOG_MARK_UNIMPORTANT flag was
361  * set. lastImportantAt is never cleared, only overwritten by the LSN of newer
362  * records. Tracking the WAL activity directly in WALInsertLock has the
363  * advantage of not needing any additional locks to update the value.
364  */
365 typedef struct
366 {
370 } WALInsertLock;
371 
372 /*
373  * All the WAL insertion locks are allocated as an array in shared memory. We
374  * force the array stride to be a power of 2, which saves a few cycles in
375  * indexing, but more importantly also ensures that individual slots don't
376  * cross cache line boundaries. (Of course, we have to also ensure that the
377  * array start address is suitably aligned.)
378  */
379 typedef union WALInsertLockPadded
380 {
384 
385 /*
386  * Session status of running backup, used for sanity checks in SQL-callable
387  * functions to start and stop backups.
388  */
390 
391 /*
392  * Shared state data for WAL insertion.
393  */
394 typedef struct XLogCtlInsert
395 {
396  slock_t insertpos_lck; /* protects CurrBytePos and PrevBytePos */
397 
398  /*
399  * CurrBytePos is the end of reserved WAL. The next record will be
400  * inserted at that position. PrevBytePos is the start position of the
401  * previously inserted (or rather, reserved) record - it is copied to the
402  * prev-link of the next record. These are stored as "usable byte
403  * positions" rather than XLogRecPtrs (see XLogBytePosToRecPtr()).
404  */
405  uint64 CurrBytePos;
406  uint64 PrevBytePos;
407 
408  /*
409  * Make sure the above heavily-contended spinlock and byte positions are
410  * on their own cache line. In particular, the RedoRecPtr and full page
411  * write variables below should be on a different cache line. They are
412  * read on every WAL insertion, but updated rarely, and we don't want
413  * those reads to steal the cache line containing Curr/PrevBytePos.
414  */
416 
417  /*
418  * fullPageWrites is the authoritative value used by all backends to
419  * determine whether to write full-page image to WAL. This shared value,
420  * instead of the process-local fullPageWrites, is required because, when
421  * full_page_writes is changed by SIGHUP, we must WAL-log it before it
422  * actually affects WAL-logging by backends. Checkpointer sets at startup
423  * or after SIGHUP.
424  *
425  * To read these fields, you must hold an insertion lock. To modify them,
426  * you must hold ALL the locks.
427  */
428  XLogRecPtr RedoRecPtr; /* current redo point for insertions */
430 
431  /*
432  * runningBackups is a counter indicating the number of backups currently
433  * in progress. lastBackupStart is the latest checkpoint redo location
434  * used as a starting point for an online backup.
435  */
438 
439  /*
440  * WAL insertion locks.
441  */
444 
445 /*
446  * Total shared-memory state for XLOG.
447  */
448 typedef struct XLogCtlData
449 {
451 
452  /* Protected by info_lck: */
454  XLogRecPtr RedoRecPtr; /* a recent copy of Insert->RedoRecPtr */
455  FullTransactionId ckptFullXid; /* nextXid of latest checkpoint */
456  XLogRecPtr asyncXactLSN; /* LSN of newest async commit/abort */
457  XLogRecPtr replicationSlotMinLSN; /* oldest LSN needed by any slot */
458 
459  XLogSegNo lastRemovedSegNo; /* latest removed/recycled XLOG segment */
460 
461  /* Fake LSN counter, for unlogged relations. */
463 
464  /* Time and LSN of last xlog segment switch. Protected by WALWriteLock. */
467 
468  /* These are accessed using atomics -- info_lck not needed */
469  pg_atomic_uint64 logInsertResult; /* last byte + 1 inserted to buffers */
470  pg_atomic_uint64 logWriteResult; /* last byte + 1 written out */
471  pg_atomic_uint64 logFlushResult; /* last byte + 1 flushed */
472 
473  /*
474  * Latest initialized page in the cache (last byte position + 1).
475  *
476  * To change the identity of a buffer (and InitializedUpTo), you need to
477  * hold WALBufMappingLock. To change the identity of a buffer that's
478  * still dirty, the old page needs to be written out first, and for that
479  * you need WALWriteLock, and you need to ensure that there are no
480  * in-progress insertions to the page by calling
481  * WaitXLogInsertionsToFinish().
482  */
484 
485  /*
486  * These values do not change after startup, although the pointed-to pages
487  * and xlblocks values certainly do. xlblocks values are protected by
488  * WALBufMappingLock.
489  */
490  char *pages; /* buffers for unwritten XLOG pages */
491  pg_atomic_uint64 *xlblocks; /* 1st byte ptr-s + XLOG_BLCKSZ */
492  int XLogCacheBlck; /* highest allocated xlog buffer index */
493 
494  /*
495  * InsertTimeLineID is the timeline into which new WAL is being inserted
496  * and flushed. It is zero during recovery, and does not change once set.
497  *
498  * If we create a new timeline when the system was started up,
499  * PrevTimeLineID is the old timeline's ID that we forked off from.
500  * Otherwise it's equal to InsertTimeLineID.
501  */
504 
505  /*
506  * SharedRecoveryState indicates if we're still in crash or archive
507  * recovery. Protected by info_lck.
508  */
510 
511  /*
512  * InstallXLogFileSegmentActive indicates whether the checkpointer should
513  * arrange for future segments by recycling and/or PreallocXlogFiles().
514  * Protected by ControlFileLock. Only the startup process changes it. If
515  * true, anyone can use InstallXLogFileSegment(). If false, the startup
516  * process owns the exclusive right to install segments, by reading from
517  * the archive and possibly replacing existing files.
518  */
520 
521  /*
522  * WalWriterSleeping indicates whether the WAL writer is currently in
523  * low-power mode (and hence should be nudged if an async commit occurs).
524  * Protected by info_lck.
525  */
527 
528  /*
529  * During recovery, we keep a copy of the latest checkpoint record here.
530  * lastCheckPointRecPtr points to start of checkpoint record and
531  * lastCheckPointEndPtr points to end+1 of checkpoint record. Used by the
532  * checkpointer when it wants to create a restartpoint.
533  *
534  * Protected by info_lck.
535  */
539 
540  /*
541  * lastFpwDisableRecPtr points to the start of the last replayed
542  * XLOG_FPW_CHANGE record that instructs full_page_writes is disabled.
543  */
545 
546  slock_t info_lck; /* locks shared variables shown above */
548 
549 /*
550  * Classification of XLogRecordInsert operations.
551  */
552 typedef enum
553 {
558 
559 static XLogCtlData *XLogCtl = NULL;
560 
561 /* a private copy of XLogCtl->Insert.WALInsertLocks, for convenience */
563 
564 /*
565  * We maintain an image of pg_control in shared memory.
566  */
568 
569 /*
570  * Calculate the amount of space left on the page after 'endptr'. Beware
571  * multiple evaluation!
572  */
573 #define INSERT_FREESPACE(endptr) \
574  (((endptr) % XLOG_BLCKSZ == 0) ? 0 : (XLOG_BLCKSZ - (endptr) % XLOG_BLCKSZ))
575 
576 /* Macro to advance to next buffer index. */
577 #define NextBufIdx(idx) \
578  (((idx) == XLogCtl->XLogCacheBlck) ? 0 : ((idx) + 1))
579 
580 /*
581  * XLogRecPtrToBufIdx returns the index of the WAL buffer that holds, or
582  * would hold if it was in cache, the page containing 'recptr'.
583  */
584 #define XLogRecPtrToBufIdx(recptr) \
585  (((recptr) / XLOG_BLCKSZ) % (XLogCtl->XLogCacheBlck + 1))
586 
587 /*
588  * These are the number of bytes in a WAL page usable for WAL data.
589  */
590 #define UsableBytesInPage (XLOG_BLCKSZ - SizeOfXLogShortPHD)
591 
592 /*
593  * Convert values of GUCs measured in megabytes to equiv. segment count.
594  * Rounds down.
595  */
596 #define ConvertToXSegs(x, segsize) XLogMBVarToSegs((x), (segsize))
597 
598 /* The number of bytes in a WAL segment usable for WAL data. */
600 
601 /*
602  * Private, possibly out-of-date copy of shared LogwrtResult.
603  * See discussion above.
604  */
605 static XLogwrtResult LogwrtResult = {0, 0};
606 
607 /*
608  * Update local copy of shared XLogCtl->log{Write,Flush}Result
609  *
610  * It's critical that Flush always trails Write, so the order of the reads is
611  * important, as is the barrier. See also XLogWrite.
612  */
613 #define RefreshXLogWriteResult(_target) \
614  do { \
615  _target.Flush = pg_atomic_read_u64(&XLogCtl->logFlushResult); \
616  pg_read_barrier(); \
617  _target.Write = pg_atomic_read_u64(&XLogCtl->logWriteResult); \
618  } while (0)
619 
620 /*
621  * openLogFile is -1 or a kernel FD for an open log file segment.
622  * openLogSegNo identifies the segment, and openLogTLI the corresponding TLI.
623  * These variables are only used to write the XLOG, and so will normally refer
624  * to the active segment.
625  *
626  * Note: call Reserve/ReleaseExternalFD to track consumption of this FD.
627  */
628 static int openLogFile = -1;
631 
632 /*
633  * Local copies of equivalent fields in the control file. When running
634  * crash recovery, LocalMinRecoveryPoint is set to InvalidXLogRecPtr as we
635  * expect to replay all the WAL available, and updateMinRecoveryPoint is
636  * switched to false to prevent any updates while replaying records.
637  * Those values are kept consistent as long as crash recovery runs.
638  */
641 static bool updateMinRecoveryPoint = true;
642 
643 /* For WALInsertLockAcquire/Release functions */
644 static int MyLockNo = 0;
645 static bool holdingAllLocks = false;
646 
647 #ifdef WAL_DEBUG
648 static MemoryContext walDebugCxt = NULL;
649 #endif
650 
651 static void CleanupAfterArchiveRecovery(TimeLineID EndOfLogTLI,
652  XLogRecPtr EndOfLog,
653  TimeLineID newTLI);
654 static void CheckRequiredParameterValues(void);
655 static void XLogReportParameters(void);
656 static int LocalSetXLogInsertAllowed(void);
657 static void CreateEndOfRecoveryRecord(void);
659  XLogRecPtr pagePtr,
660  TimeLineID newTLI);
661 static void CheckPointGuts(XLogRecPtr checkPointRedo, int flags);
662 static void KeepLogSeg(XLogRecPtr recptr, XLogSegNo *logSegNo);
664 
665 static void AdvanceXLInsertBuffer(XLogRecPtr upto, TimeLineID tli,
666  bool opportunistic);
667 static void XLogWrite(XLogwrtRqst WriteRqst, TimeLineID tli, bool flexible);
668 static bool InstallXLogFileSegment(XLogSegNo *segno, char *tmppath,
669  bool find_free, XLogSegNo max_segno,
670  TimeLineID tli);
671 static void XLogFileClose(void);
672 static void PreallocXlogFiles(XLogRecPtr endptr, TimeLineID tli);
673 static void RemoveTempXlogFiles(void);
674 static void RemoveOldXlogFiles(XLogSegNo segno, XLogRecPtr lastredoptr,
675  XLogRecPtr endptr, TimeLineID insertTLI);
676 static void RemoveXlogFile(const struct dirent *segment_de,
677  XLogSegNo recycleSegNo, XLogSegNo *endlogSegNo,
678  TimeLineID insertTLI);
679 static void UpdateLastRemovedPtr(char *filename);
680 static void ValidateXLOGDirectoryStructure(void);
681 static void CleanupBackupHistory(void);
682 static void UpdateMinRecoveryPoint(XLogRecPtr lsn, bool force);
683 static bool PerformRecoveryXLogAction(void);
684 static void InitControlFile(uint64 sysidentifier, uint32 data_checksum_version);
685 static void WriteControlFile(void);
686 static void ReadControlFile(void);
687 static void UpdateControlFile(void);
688 static char *str_time(pg_time_t tnow);
689 
690 static int get_sync_bit(int method);
691 
692 static void CopyXLogRecordToWAL(int write_len, bool isLogSwitch,
693  XLogRecData *rdata,
694  XLogRecPtr StartPos, XLogRecPtr EndPos,
695  TimeLineID tli);
696 static void ReserveXLogInsertLocation(int size, XLogRecPtr *StartPos,
697  XLogRecPtr *EndPos, XLogRecPtr *PrevPtr);
698 static bool ReserveXLogSwitch(XLogRecPtr *StartPos, XLogRecPtr *EndPos,
699  XLogRecPtr *PrevPtr);
701 static char *GetXLogBuffer(XLogRecPtr ptr, TimeLineID tli);
702 static XLogRecPtr XLogBytePosToRecPtr(uint64 bytepos);
703 static XLogRecPtr XLogBytePosToEndRecPtr(uint64 bytepos);
704 static uint64 XLogRecPtrToBytePos(XLogRecPtr ptr);
705 
706 static void WALInsertLockAcquire(void);
707 static void WALInsertLockAcquireExclusive(void);
708 static void WALInsertLockRelease(void);
709 static void WALInsertLockUpdateInsertingAt(XLogRecPtr insertingAt);
710 
711 /*
712  * Insert an XLOG record represented by an already-constructed chain of data
713  * chunks. This is a low-level routine; to construct the WAL record header
714  * and data, use the higher-level routines in xloginsert.c.
715  *
716  * If 'fpw_lsn' is valid, it is the oldest LSN among the pages that this
717  * WAL record applies to, that were not included in the record as full page
718  * images. If fpw_lsn <= RedoRecPtr, the function does not perform the
719  * insertion and returns InvalidXLogRecPtr. The caller can then recalculate
720  * which pages need a full-page image, and retry. If fpw_lsn is invalid, the
721  * record is always inserted.
722  *
723  * 'flags' gives more in-depth control on the record being inserted. See
724  * XLogSetRecordFlags() for details.
725  *
726  * 'topxid_included' tells whether the top-transaction id is logged along with
727  * current subtransaction. See XLogRecordAssemble().
728  *
729  * The first XLogRecData in the chain must be for the record header, and its
730  * data must be MAXALIGNed. XLogInsertRecord fills in the xl_prev and
731  * xl_crc fields in the header, the rest of the header must already be filled
732  * by the caller.
733  *
734  * Returns XLOG pointer to end of record (beginning of next record).
735  * This can be used as LSN for data pages affected by the logged action.
736  * (LSN is the XLOG point up to which the XLOG must be flushed to disk
737  * before the data page can be written out. This implements the basic
738  * WAL rule "write the log before the data".)
739  */
742  XLogRecPtr fpw_lsn,
743  uint8 flags,
744  int num_fpi,
745  bool topxid_included)
746 {
748  pg_crc32c rdata_crc;
749  bool inserted;
750  XLogRecord *rechdr = (XLogRecord *) rdata->data;
751  uint8 info = rechdr->xl_info & ~XLR_INFO_MASK;
753  XLogRecPtr StartPos;
754  XLogRecPtr EndPos;
755  bool prevDoPageWrites = doPageWrites;
756  TimeLineID insertTLI;
757 
758  /* Does this record type require special handling? */
759  if (unlikely(rechdr->xl_rmid == RM_XLOG_ID))
760  {
761  if (info == XLOG_SWITCH)
762  class = WALINSERT_SPECIAL_SWITCH;
763  else if (info == XLOG_CHECKPOINT_REDO)
765  }
766 
767  /* we assume that all of the record header is in the first chunk */
768  Assert(rdata->len >= SizeOfXLogRecord);
769 
770  /* cross-check on whether we should be here or not */
771  if (!XLogInsertAllowed())
772  elog(ERROR, "cannot make new WAL entries during recovery");
773 
774  /*
775  * Given that we're not in recovery, InsertTimeLineID is set and can't
776  * change, so we can read it without a lock.
777  */
778  insertTLI = XLogCtl->InsertTimeLineID;
779 
780  /*----------
781  *
782  * We have now done all the preparatory work we can without holding a
783  * lock or modifying shared state. From here on, inserting the new WAL
784  * record to the shared WAL buffer cache is a two-step process:
785  *
786  * 1. Reserve the right amount of space from the WAL. The current head of
787  * reserved space is kept in Insert->CurrBytePos, and is protected by
788  * insertpos_lck.
789  *
790  * 2. Copy the record to the reserved WAL space. This involves finding the
791  * correct WAL buffer containing the reserved space, and copying the
792  * record in place. This can be done concurrently in multiple processes.
793  *
794  * To keep track of which insertions are still in-progress, each concurrent
795  * inserter acquires an insertion lock. In addition to just indicating that
796  * an insertion is in progress, the lock tells others how far the inserter
797  * has progressed. There is a small fixed number of insertion locks,
798  * determined by NUM_XLOGINSERT_LOCKS. When an inserter crosses a page
799  * boundary, it updates the value stored in the lock to the how far it has
800  * inserted, to allow the previous buffer to be flushed.
801  *
802  * Holding onto an insertion lock also protects RedoRecPtr and
803  * fullPageWrites from changing until the insertion is finished.
804  *
805  * Step 2 can usually be done completely in parallel. If the required WAL
806  * page is not initialized yet, you have to grab WALBufMappingLock to
807  * initialize it, but the WAL writer tries to do that ahead of insertions
808  * to avoid that from happening in the critical path.
809  *
810  *----------
811  */
813 
814  if (likely(class == WALINSERT_NORMAL))
815  {
817 
818  /*
819  * Check to see if my copy of RedoRecPtr is out of date. If so, may
820  * have to go back and have the caller recompute everything. This can
821  * only happen just after a checkpoint, so it's better to be slow in
822  * this case and fast otherwise.
823  *
824  * Also check to see if fullPageWrites was just turned on or there's a
825  * running backup (which forces full-page writes); if we weren't
826  * already doing full-page writes then go back and recompute.
827  *
828  * If we aren't doing full-page writes then RedoRecPtr doesn't
829  * actually affect the contents of the XLOG record, so we'll update
830  * our local copy but not force a recomputation. (If doPageWrites was
831  * just turned off, we could recompute the record without full pages,
832  * but we choose not to bother.)
833  */
834  if (RedoRecPtr != Insert->RedoRecPtr)
835  {
836  Assert(RedoRecPtr < Insert->RedoRecPtr);
837  RedoRecPtr = Insert->RedoRecPtr;
838  }
839  doPageWrites = (Insert->fullPageWrites || Insert->runningBackups > 0);
840 
841  if (doPageWrites &&
842  (!prevDoPageWrites ||
843  (fpw_lsn != InvalidXLogRecPtr && fpw_lsn <= RedoRecPtr)))
844  {
845  /*
846  * Oops, some buffer now needs to be backed up that the caller
847  * didn't back up. Start over.
848  */
851  return InvalidXLogRecPtr;
852  }
853 
854  /*
855  * Reserve space for the record in the WAL. This also sets the xl_prev
856  * pointer.
857  */
858  ReserveXLogInsertLocation(rechdr->xl_tot_len, &StartPos, &EndPos,
859  &rechdr->xl_prev);
860 
861  /* Normal records are always inserted. */
862  inserted = true;
863  }
864  else if (class == WALINSERT_SPECIAL_SWITCH)
865  {
866  /*
867  * In order to insert an XLOG_SWITCH record, we need to hold all of
868  * the WAL insertion locks, not just one, so that no one else can
869  * begin inserting a record until we've figured out how much space
870  * remains in the current WAL segment and claimed all of it.
871  *
872  * Nonetheless, this case is simpler than the normal cases handled
873  * below, which must check for changes in doPageWrites and RedoRecPtr.
874  * Those checks are only needed for records that can contain buffer
875  * references, and an XLOG_SWITCH record never does.
876  */
877  Assert(fpw_lsn == InvalidXLogRecPtr);
879  inserted = ReserveXLogSwitch(&StartPos, &EndPos, &rechdr->xl_prev);
880  }
881  else
882  {
884 
885  /*
886  * We need to update both the local and shared copies of RedoRecPtr,
887  * which means that we need to hold all the WAL insertion locks.
888  * However, there can't be any buffer references, so as above, we need
889  * not check RedoRecPtr before inserting the record; we just need to
890  * update it afterwards.
891  */
892  Assert(fpw_lsn == InvalidXLogRecPtr);
894  ReserveXLogInsertLocation(rechdr->xl_tot_len, &StartPos, &EndPos,
895  &rechdr->xl_prev);
896  RedoRecPtr = Insert->RedoRecPtr = StartPos;
897  inserted = true;
898  }
899 
900  if (inserted)
901  {
902  /*
903  * Now that xl_prev has been filled in, calculate CRC of the record
904  * header.
905  */
906  rdata_crc = rechdr->xl_crc;
907  COMP_CRC32C(rdata_crc, rechdr, offsetof(XLogRecord, xl_crc));
908  FIN_CRC32C(rdata_crc);
909  rechdr->xl_crc = rdata_crc;
910 
911  /*
912  * All the record data, including the header, is now ready to be
913  * inserted. Copy the record in the space reserved.
914  */
916  class == WALINSERT_SPECIAL_SWITCH, rdata,
917  StartPos, EndPos, insertTLI);
918 
919  /*
920  * Unless record is flagged as not important, update LSN of last
921  * important record in the current slot. When holding all locks, just
922  * update the first one.
923  */
924  if ((flags & XLOG_MARK_UNIMPORTANT) == 0)
925  {
926  int lockno = holdingAllLocks ? 0 : MyLockNo;
927 
928  WALInsertLocks[lockno].l.lastImportantAt = StartPos;
929  }
930  }
931  else
932  {
933  /*
934  * This was an xlog-switch record, but the current insert location was
935  * already exactly at the beginning of a segment, so there was no need
936  * to do anything.
937  */
938  }
939 
940  /*
941  * Done! Let others know that we're finished.
942  */
944 
946 
948 
949  /*
950  * Mark top transaction id is logged (if needed) so that we should not try
951  * to log it again with the next WAL record in the current subtransaction.
952  */
953  if (topxid_included)
955 
956  /*
957  * Update shared LogwrtRqst.Write, if we crossed page boundary.
958  */
959  if (StartPos / XLOG_BLCKSZ != EndPos / XLOG_BLCKSZ)
960  {
962  /* advance global request to include new block(s) */
963  if (XLogCtl->LogwrtRqst.Write < EndPos)
964  XLogCtl->LogwrtRqst.Write = EndPos;
967  }
968 
969  /*
970  * If this was an XLOG_SWITCH record, flush the record and the empty
971  * padding space that fills the rest of the segment, and perform
972  * end-of-segment actions (eg, notifying archiver).
973  */
974  if (class == WALINSERT_SPECIAL_SWITCH)
975  {
976  TRACE_POSTGRESQL_WAL_SWITCH();
977  XLogFlush(EndPos);
978 
979  /*
980  * Even though we reserved the rest of the segment for us, which is
981  * reflected in EndPos, we return a pointer to just the end of the
982  * xlog-switch record.
983  */
984  if (inserted)
985  {
986  EndPos = StartPos + SizeOfXLogRecord;
987  if (StartPos / XLOG_BLCKSZ != EndPos / XLOG_BLCKSZ)
988  {
989  uint64 offset = XLogSegmentOffset(EndPos, wal_segment_size);
990 
991  if (offset == EndPos % XLOG_BLCKSZ)
992  EndPos += SizeOfXLogLongPHD;
993  else
994  EndPos += SizeOfXLogShortPHD;
995  }
996  }
997  }
998 
999 #ifdef WAL_DEBUG
1000  if (XLOG_DEBUG)
1001  {
1002  static XLogReaderState *debug_reader = NULL;
1003  XLogRecord *record;
1004  DecodedXLogRecord *decoded;
1006  StringInfoData recordBuf;
1007  char *errormsg = NULL;
1008  MemoryContext oldCxt;
1009 
1010  oldCxt = MemoryContextSwitchTo(walDebugCxt);
1011 
1012  initStringInfo(&buf);
1013  appendStringInfo(&buf, "INSERT @ %X/%X: ", LSN_FORMAT_ARGS(EndPos));
1014 
1015  /*
1016  * We have to piece together the WAL record data from the XLogRecData
1017  * entries, so that we can pass it to the rm_desc function as one
1018  * contiguous chunk.
1019  */
1020  initStringInfo(&recordBuf);
1021  for (; rdata != NULL; rdata = rdata->next)
1022  appendBinaryStringInfo(&recordBuf, rdata->data, rdata->len);
1023 
1024  /* We also need temporary space to decode the record. */
1025  record = (XLogRecord *) recordBuf.data;
1026  decoded = (DecodedXLogRecord *)
1028 
1029  if (!debug_reader)
1030  debug_reader = XLogReaderAllocate(wal_segment_size, NULL,
1031  XL_ROUTINE(.page_read = NULL,
1032  .segment_open = NULL,
1033  .segment_close = NULL),
1034  NULL);
1035  if (!debug_reader)
1036  {
1037  appendStringInfoString(&buf, "error decoding record: out of memory while allocating a WAL reading processor");
1038  }
1039  else if (!DecodeXLogRecord(debug_reader,
1040  decoded,
1041  record,
1042  EndPos,
1043  &errormsg))
1044  {
1045  appendStringInfo(&buf, "error decoding record: %s",
1046  errormsg ? errormsg : "no error message");
1047  }
1048  else
1049  {
1050  appendStringInfoString(&buf, " - ");
1051 
1052  debug_reader->record = decoded;
1053  xlog_outdesc(&buf, debug_reader);
1054  debug_reader->record = NULL;
1055  }
1056  elog(LOG, "%s", buf.data);
1057 
1058  pfree(decoded);
1059  pfree(buf.data);
1060  pfree(recordBuf.data);
1061  MemoryContextSwitchTo(oldCxt);
1062  }
1063 #endif
1064 
1065  /*
1066  * Update our global variables
1067  */
1068  ProcLastRecPtr = StartPos;
1069  XactLastRecEnd = EndPos;
1070 
1071  /* Report WAL traffic to the instrumentation. */
1072  if (inserted)
1073  {
1074  pgWalUsage.wal_bytes += rechdr->xl_tot_len;
1076  pgWalUsage.wal_fpi += num_fpi;
1077  }
1078 
1079  return EndPos;
1080 }
1081 
1082 /*
1083  * Reserves the right amount of space for a record of given size from the WAL.
1084  * *StartPos is set to the beginning of the reserved section, *EndPos to
1085  * its end+1. *PrevPtr is set to the beginning of the previous record; it is
1086  * used to set the xl_prev of this record.
1087  *
1088  * This is the performance critical part of XLogInsert that must be serialized
1089  * across backends. The rest can happen mostly in parallel. Try to keep this
1090  * section as short as possible, insertpos_lck can be heavily contended on a
1091  * busy system.
1092  *
1093  * NB: The space calculation here must match the code in CopyXLogRecordToWAL,
1094  * where we actually copy the record to the reserved space.
1095  *
1096  * NB: Testing shows that XLogInsertRecord runs faster if this code is inlined;
1097  * however, because there are two call sites, the compiler is reluctant to
1098  * inline. We use pg_attribute_always_inline here to try to convince it.
1099  */
1100 static pg_attribute_always_inline void
1102  XLogRecPtr *PrevPtr)
1103 {
1105  uint64 startbytepos;
1106  uint64 endbytepos;
1107  uint64 prevbytepos;
1108 
1109  size = MAXALIGN(size);
1110 
1111  /* All (non xlog-switch) records should contain data. */
1113 
1114  /*
1115  * The duration the spinlock needs to be held is minimized by minimizing
1116  * the calculations that have to be done while holding the lock. The
1117  * current tip of reserved WAL is kept in CurrBytePos, as a byte position
1118  * that only counts "usable" bytes in WAL, that is, it excludes all WAL
1119  * page headers. The mapping between "usable" byte positions and physical
1120  * positions (XLogRecPtrs) can be done outside the locked region, and
1121  * because the usable byte position doesn't include any headers, reserving
1122  * X bytes from WAL is almost as simple as "CurrBytePos += X".
1123  */
1124  SpinLockAcquire(&Insert->insertpos_lck);
1125 
1126  startbytepos = Insert->CurrBytePos;
1127  endbytepos = startbytepos + size;
1128  prevbytepos = Insert->PrevBytePos;
1129  Insert->CurrBytePos = endbytepos;
1130  Insert->PrevBytePos = startbytepos;
1131 
1132  SpinLockRelease(&Insert->insertpos_lck);
1133 
1134  *StartPos = XLogBytePosToRecPtr(startbytepos);
1135  *EndPos = XLogBytePosToEndRecPtr(endbytepos);
1136  *PrevPtr = XLogBytePosToRecPtr(prevbytepos);
1137 
1138  /*
1139  * Check that the conversions between "usable byte positions" and
1140  * XLogRecPtrs work consistently in both directions.
1141  */
1142  Assert(XLogRecPtrToBytePos(*StartPos) == startbytepos);
1143  Assert(XLogRecPtrToBytePos(*EndPos) == endbytepos);
1144  Assert(XLogRecPtrToBytePos(*PrevPtr) == prevbytepos);
1145 }
1146 
1147 /*
1148  * Like ReserveXLogInsertLocation(), but for an xlog-switch record.
1149  *
1150  * A log-switch record is handled slightly differently. The rest of the
1151  * segment will be reserved for this insertion, as indicated by the returned
1152  * *EndPos value. However, if we are already at the beginning of the current
1153  * segment, *StartPos and *EndPos are set to the current location without
1154  * reserving any space, and the function returns false.
1155 */
1156 static bool
1157 ReserveXLogSwitch(XLogRecPtr *StartPos, XLogRecPtr *EndPos, XLogRecPtr *PrevPtr)
1158 {
1160  uint64 startbytepos;
1161  uint64 endbytepos;
1162  uint64 prevbytepos;
1164  XLogRecPtr ptr;
1165  uint32 segleft;
1166 
1167  /*
1168  * These calculations are a bit heavy-weight to be done while holding a
1169  * spinlock, but since we're holding all the WAL insertion locks, there
1170  * are no other inserters competing for it. GetXLogInsertRecPtr() does
1171  * compete for it, but that's not called very frequently.
1172  */
1173  SpinLockAcquire(&Insert->insertpos_lck);
1174 
1175  startbytepos = Insert->CurrBytePos;
1176 
1177  ptr = XLogBytePosToEndRecPtr(startbytepos);
1178  if (XLogSegmentOffset(ptr, wal_segment_size) == 0)
1179  {
1180  SpinLockRelease(&Insert->insertpos_lck);
1181  *EndPos = *StartPos = ptr;
1182  return false;
1183  }
1184 
1185  endbytepos = startbytepos + size;
1186  prevbytepos = Insert->PrevBytePos;
1187 
1188  *StartPos = XLogBytePosToRecPtr(startbytepos);
1189  *EndPos = XLogBytePosToEndRecPtr(endbytepos);
1190 
1191  segleft = wal_segment_size - XLogSegmentOffset(*EndPos, wal_segment_size);
1192  if (segleft != wal_segment_size)
1193  {
1194  /* consume the rest of the segment */
1195  *EndPos += segleft;
1196  endbytepos = XLogRecPtrToBytePos(*EndPos);
1197  }
1198  Insert->CurrBytePos = endbytepos;
1199  Insert->PrevBytePos = startbytepos;
1200 
1201  SpinLockRelease(&Insert->insertpos_lck);
1202 
1203  *PrevPtr = XLogBytePosToRecPtr(prevbytepos);
1204 
1205  Assert(XLogSegmentOffset(*EndPos, wal_segment_size) == 0);
1206  Assert(XLogRecPtrToBytePos(*EndPos) == endbytepos);
1207  Assert(XLogRecPtrToBytePos(*StartPos) == startbytepos);
1208  Assert(XLogRecPtrToBytePos(*PrevPtr) == prevbytepos);
1209 
1210  return true;
1211 }
1212 
1213 /*
1214  * Subroutine of XLogInsertRecord. Copies a WAL record to an already-reserved
1215  * area in the WAL.
1216  */
1217 static void
1218 CopyXLogRecordToWAL(int write_len, bool isLogSwitch, XLogRecData *rdata,
1219  XLogRecPtr StartPos, XLogRecPtr EndPos, TimeLineID tli)
1220 {
1221  char *currpos;
1222  int freespace;
1223  int written;
1224  XLogRecPtr CurrPos;
1225  XLogPageHeader pagehdr;
1226 
1227  /*
1228  * Get a pointer to the right place in the right WAL buffer to start
1229  * inserting to.
1230  */
1231  CurrPos = StartPos;
1232  currpos = GetXLogBuffer(CurrPos, tli);
1233  freespace = INSERT_FREESPACE(CurrPos);
1234 
1235  /*
1236  * there should be enough space for at least the first field (xl_tot_len)
1237  * on this page.
1238  */
1239  Assert(freespace >= sizeof(uint32));
1240 
1241  /* Copy record data */
1242  written = 0;
1243  while (rdata != NULL)
1244  {
1245  char *rdata_data = rdata->data;
1246  int rdata_len = rdata->len;
1247 
1248  while (rdata_len > freespace)
1249  {
1250  /*
1251  * Write what fits on this page, and continue on the next page.
1252  */
1253  Assert(CurrPos % XLOG_BLCKSZ >= SizeOfXLogShortPHD || freespace == 0);
1254  memcpy(currpos, rdata_data, freespace);
1255  rdata_data += freespace;
1256  rdata_len -= freespace;
1257  written += freespace;
1258  CurrPos += freespace;
1259 
1260  /*
1261  * Get pointer to beginning of next page, and set the xlp_rem_len
1262  * in the page header. Set XLP_FIRST_IS_CONTRECORD.
1263  *
1264  * It's safe to set the contrecord flag and xlp_rem_len without a
1265  * lock on the page. All the other flags were already set when the
1266  * page was initialized, in AdvanceXLInsertBuffer, and we're the
1267  * only backend that needs to set the contrecord flag.
1268  */
1269  currpos = GetXLogBuffer(CurrPos, tli);
1270  pagehdr = (XLogPageHeader) currpos;
1271  pagehdr->xlp_rem_len = write_len - written;
1272  pagehdr->xlp_info |= XLP_FIRST_IS_CONTRECORD;
1273 
1274  /* skip over the page header */
1275  if (XLogSegmentOffset(CurrPos, wal_segment_size) == 0)
1276  {
1277  CurrPos += SizeOfXLogLongPHD;
1278  currpos += SizeOfXLogLongPHD;
1279  }
1280  else
1281  {
1282  CurrPos += SizeOfXLogShortPHD;
1283  currpos += SizeOfXLogShortPHD;
1284  }
1285  freespace = INSERT_FREESPACE(CurrPos);
1286  }
1287 
1288  Assert(CurrPos % XLOG_BLCKSZ >= SizeOfXLogShortPHD || rdata_len == 0);
1289  memcpy(currpos, rdata_data, rdata_len);
1290  currpos += rdata_len;
1291  CurrPos += rdata_len;
1292  freespace -= rdata_len;
1293  written += rdata_len;
1294 
1295  rdata = rdata->next;
1296  }
1297  Assert(written == write_len);
1298 
1299  /*
1300  * If this was an xlog-switch, it's not enough to write the switch record,
1301  * we also have to consume all the remaining space in the WAL segment. We
1302  * have already reserved that space, but we need to actually fill it.
1303  */
1304  if (isLogSwitch && XLogSegmentOffset(CurrPos, wal_segment_size) != 0)
1305  {
1306  /* An xlog-switch record doesn't contain any data besides the header */
1307  Assert(write_len == SizeOfXLogRecord);
1308 
1309  /* Assert that we did reserve the right amount of space */
1310  Assert(XLogSegmentOffset(EndPos, wal_segment_size) == 0);
1311 
1312  /* Use up all the remaining space on the current page */
1313  CurrPos += freespace;
1314 
1315  /*
1316  * Cause all remaining pages in the segment to be flushed, leaving the
1317  * XLog position where it should be, at the start of the next segment.
1318  * We do this one page at a time, to make sure we don't deadlock
1319  * against ourselves if wal_buffers < wal_segment_size.
1320  */
1321  while (CurrPos < EndPos)
1322  {
1323  /*
1324  * The minimal action to flush the page would be to call
1325  * WALInsertLockUpdateInsertingAt(CurrPos) followed by
1326  * AdvanceXLInsertBuffer(...). The page would be left initialized
1327  * mostly to zeros, except for the page header (always the short
1328  * variant, as this is never a segment's first page).
1329  *
1330  * The large vistas of zeros are good for compressibility, but the
1331  * headers interrupting them every XLOG_BLCKSZ (with values that
1332  * differ from page to page) are not. The effect varies with
1333  * compression tool, but bzip2 for instance compresses about an
1334  * order of magnitude worse if those headers are left in place.
1335  *
1336  * Rather than complicating AdvanceXLInsertBuffer itself (which is
1337  * called in heavily-loaded circumstances as well as this lightly-
1338  * loaded one) with variant behavior, we just use GetXLogBuffer
1339  * (which itself calls the two methods we need) to get the pointer
1340  * and zero most of the page. Then we just zero the page header.
1341  */
1342  currpos = GetXLogBuffer(CurrPos, tli);
1343  MemSet(currpos, 0, SizeOfXLogShortPHD);
1344 
1345  CurrPos += XLOG_BLCKSZ;
1346  }
1347  }
1348  else
1349  {
1350  /* Align the end position, so that the next record starts aligned */
1351  CurrPos = MAXALIGN64(CurrPos);
1352  }
1353 
1354  if (CurrPos != EndPos)
1355  ereport(PANIC,
1357  errmsg_internal("space reserved for WAL record does not match what was written"));
1358 }
1359 
1360 /*
1361  * Acquire a WAL insertion lock, for inserting to WAL.
1362  */
1363 static void
1365 {
1366  bool immed;
1367 
1368  /*
1369  * It doesn't matter which of the WAL insertion locks we acquire, so try
1370  * the one we used last time. If the system isn't particularly busy, it's
1371  * a good bet that it's still available, and it's good to have some
1372  * affinity to a particular lock so that you don't unnecessarily bounce
1373  * cache lines between processes when there's no contention.
1374  *
1375  * If this is the first time through in this backend, pick a lock
1376  * (semi-)randomly. This allows the locks to be used evenly if you have a
1377  * lot of very short connections.
1378  */
1379  static int lockToTry = -1;
1380 
1381  if (lockToTry == -1)
1382  lockToTry = MyProcNumber % NUM_XLOGINSERT_LOCKS;
1383  MyLockNo = lockToTry;
1384 
1385  /*
1386  * The insertingAt value is initially set to 0, as we don't know our
1387  * insert location yet.
1388  */
1390  if (!immed)
1391  {
1392  /*
1393  * If we couldn't get the lock immediately, try another lock next
1394  * time. On a system with more insertion locks than concurrent
1395  * inserters, this causes all the inserters to eventually migrate to a
1396  * lock that no-one else is using. On a system with more inserters
1397  * than locks, it still helps to distribute the inserters evenly
1398  * across the locks.
1399  */
1400  lockToTry = (lockToTry + 1) % NUM_XLOGINSERT_LOCKS;
1401  }
1402 }
1403 
1404 /*
1405  * Acquire all WAL insertion locks, to prevent other backends from inserting
1406  * to WAL.
1407  */
1408 static void
1410 {
1411  int i;
1412 
1413  /*
1414  * When holding all the locks, all but the last lock's insertingAt
1415  * indicator is set to 0xFFFFFFFFFFFFFFFF, which is higher than any real
1416  * XLogRecPtr value, to make sure that no-one blocks waiting on those.
1417  */
1418  for (i = 0; i < NUM_XLOGINSERT_LOCKS - 1; i++)
1419  {
1421  LWLockUpdateVar(&WALInsertLocks[i].l.lock,
1423  PG_UINT64_MAX);
1424  }
1425  /* Variable value reset to 0 at release */
1427 
1428  holdingAllLocks = true;
1429 }
1430 
1431 /*
1432  * Release our insertion lock (or locks, if we're holding them all).
1433  *
1434  * NB: Reset all variables to 0, so they cause LWLockWaitForVar to block the
1435  * next time the lock is acquired.
1436  */
1437 static void
1439 {
1440  if (holdingAllLocks)
1441  {
1442  int i;
1443 
1444  for (i = 0; i < NUM_XLOGINSERT_LOCKS; i++)
1447  0);
1448 
1449  holdingAllLocks = false;
1450  }
1451  else
1452  {
1455  0);
1456  }
1457 }
1458 
1459 /*
1460  * Update our insertingAt value, to let others know that we've finished
1461  * inserting up to that point.
1462  */
1463 static void
1465 {
1466  if (holdingAllLocks)
1467  {
1468  /*
1469  * We use the last lock to mark our actual position, see comments in
1470  * WALInsertLockAcquireExclusive.
1471  */
1474  insertingAt);
1475  }
1476  else
1479  insertingAt);
1480 }
1481 
1482 /*
1483  * Wait for any WAL insertions < upto to finish.
1484  *
1485  * Returns the location of the oldest insertion that is still in-progress.
1486  * Any WAL prior to that point has been fully copied into WAL buffers, and
1487  * can be flushed out to disk. Because this waits for any insertions older
1488  * than 'upto' to finish, the return value is always >= 'upto'.
1489  *
1490  * Note: When you are about to write out WAL, you must call this function
1491  * *before* acquiring WALWriteLock, to avoid deadlocks. This function might
1492  * need to wait for an insertion to finish (or at least advance to next
1493  * uninitialized page), and the inserter might need to evict an old WAL buffer
1494  * to make room for a new one, which in turn requires WALWriteLock.
1495  */
1496 static XLogRecPtr
1498 {
1499  uint64 bytepos;
1500  XLogRecPtr inserted;
1501  XLogRecPtr reservedUpto;
1502  XLogRecPtr finishedUpto;
1504  int i;
1505 
1506  if (MyProc == NULL)
1507  elog(PANIC, "cannot wait without a PGPROC structure");
1508 
1509  /*
1510  * Check if there's any work to do. Use a barrier to ensure we get the
1511  * freshest value.
1512  */
1514  if (upto <= inserted)
1515  return inserted;
1516 
1517  /* Read the current insert position */
1518  SpinLockAcquire(&Insert->insertpos_lck);
1519  bytepos = Insert->CurrBytePos;
1520  SpinLockRelease(&Insert->insertpos_lck);
1521  reservedUpto = XLogBytePosToEndRecPtr(bytepos);
1522 
1523  /*
1524  * No-one should request to flush a piece of WAL that hasn't even been
1525  * reserved yet. However, it can happen if there is a block with a bogus
1526  * LSN on disk, for example. XLogFlush checks for that situation and
1527  * complains, but only after the flush. Here we just assume that to mean
1528  * that all WAL that has been reserved needs to be finished. In this
1529  * corner-case, the return value can be smaller than 'upto' argument.
1530  */
1531  if (upto > reservedUpto)
1532  {
1533  ereport(LOG,
1534  (errmsg("request to flush past end of generated WAL; request %X/%X, current position %X/%X",
1535  LSN_FORMAT_ARGS(upto), LSN_FORMAT_ARGS(reservedUpto))));
1536  upto = reservedUpto;
1537  }
1538 
1539  /*
1540  * Loop through all the locks, sleeping on any in-progress insert older
1541  * than 'upto'.
1542  *
1543  * finishedUpto is our return value, indicating the point upto which all
1544  * the WAL insertions have been finished. Initialize it to the head of
1545  * reserved WAL, and as we iterate through the insertion locks, back it
1546  * out for any insertion that's still in progress.
1547  */
1548  finishedUpto = reservedUpto;
1549  for (i = 0; i < NUM_XLOGINSERT_LOCKS; i++)
1550  {
1551  XLogRecPtr insertingat = InvalidXLogRecPtr;
1552 
1553  do
1554  {
1555  /*
1556  * See if this insertion is in progress. LWLockWaitForVar will
1557  * wait for the lock to be released, or for the 'value' to be set
1558  * by a LWLockUpdateVar call. When a lock is initially acquired,
1559  * its value is 0 (InvalidXLogRecPtr), which means that we don't
1560  * know where it's inserting yet. We will have to wait for it. If
1561  * it's a small insertion, the record will most likely fit on the
1562  * same page and the inserter will release the lock without ever
1563  * calling LWLockUpdateVar. But if it has to sleep, it will
1564  * advertise the insertion point with LWLockUpdateVar before
1565  * sleeping.
1566  *
1567  * In this loop we are only waiting for insertions that started
1568  * before WaitXLogInsertionsToFinish was called. The lack of
1569  * memory barriers in the loop means that we might see locks as
1570  * "unused" that have since become used. This is fine because
1571  * they only can be used for later insertions that we would not
1572  * want to wait on anyway. Not taking a lock to acquire the
1573  * current insertingAt value means that we might see older
1574  * insertingAt values. This is also fine, because if we read a
1575  * value too old, we will add ourselves to the wait queue, which
1576  * contains atomic operations.
1577  */
1578  if (LWLockWaitForVar(&WALInsertLocks[i].l.lock,
1580  insertingat, &insertingat))
1581  {
1582  /* the lock was free, so no insertion in progress */
1583  insertingat = InvalidXLogRecPtr;
1584  break;
1585  }
1586 
1587  /*
1588  * This insertion is still in progress. Have to wait, unless the
1589  * inserter has proceeded past 'upto'.
1590  */
1591  } while (insertingat < upto);
1592 
1593  if (insertingat != InvalidXLogRecPtr && insertingat < finishedUpto)
1594  finishedUpto = insertingat;
1595  }
1596 
1597  /*
1598  * Advance the limit we know to have been inserted and return the freshest
1599  * value we know of, which might be beyond what we requested if somebody
1600  * is concurrently doing this with an 'upto' pointer ahead of us.
1601  */
1603  finishedUpto);
1604 
1605  return finishedUpto;
1606 }
1607 
1608 /*
1609  * Get a pointer to the right location in the WAL buffer containing the
1610  * given XLogRecPtr.
1611  *
1612  * If the page is not initialized yet, it is initialized. That might require
1613  * evicting an old dirty buffer from the buffer cache, which means I/O.
1614  *
1615  * The caller must ensure that the page containing the requested location
1616  * isn't evicted yet, and won't be evicted. The way to ensure that is to
1617  * hold onto a WAL insertion lock with the insertingAt position set to
1618  * something <= ptr. GetXLogBuffer() will update insertingAt if it needs
1619  * to evict an old page from the buffer. (This means that once you call
1620  * GetXLogBuffer() with a given 'ptr', you must not access anything before
1621  * that point anymore, and must not call GetXLogBuffer() with an older 'ptr'
1622  * later, because older buffers might be recycled already)
1623  */
1624 static char *
1626 {
1627  int idx;
1628  XLogRecPtr endptr;
1629  static uint64 cachedPage = 0;
1630  static char *cachedPos = NULL;
1631  XLogRecPtr expectedEndPtr;
1632 
1633  /*
1634  * Fast path for the common case that we need to access again the same
1635  * page as last time.
1636  */
1637  if (ptr / XLOG_BLCKSZ == cachedPage)
1638  {
1639  Assert(((XLogPageHeader) cachedPos)->xlp_magic == XLOG_PAGE_MAGIC);
1640  Assert(((XLogPageHeader) cachedPos)->xlp_pageaddr == ptr - (ptr % XLOG_BLCKSZ));
1641  return cachedPos + ptr % XLOG_BLCKSZ;
1642  }
1643 
1644  /*
1645  * The XLog buffer cache is organized so that a page is always loaded to a
1646  * particular buffer. That way we can easily calculate the buffer a given
1647  * page must be loaded into, from the XLogRecPtr alone.
1648  */
1649  idx = XLogRecPtrToBufIdx(ptr);
1650 
1651  /*
1652  * See what page is loaded in the buffer at the moment. It could be the
1653  * page we're looking for, or something older. It can't be anything newer
1654  * - that would imply the page we're looking for has already been written
1655  * out to disk and evicted, and the caller is responsible for making sure
1656  * that doesn't happen.
1657  *
1658  * We don't hold a lock while we read the value. If someone is just about
1659  * to initialize or has just initialized the page, it's possible that we
1660  * get InvalidXLogRecPtr. That's ok, we'll grab the mapping lock (in
1661  * AdvanceXLInsertBuffer) and retry if we see anything other than the page
1662  * we're looking for.
1663  */
1664  expectedEndPtr = ptr;
1665  expectedEndPtr += XLOG_BLCKSZ - ptr % XLOG_BLCKSZ;
1666 
1667  endptr = pg_atomic_read_u64(&XLogCtl->xlblocks[idx]);
1668  if (expectedEndPtr != endptr)
1669  {
1670  XLogRecPtr initializedUpto;
1671 
1672  /*
1673  * Before calling AdvanceXLInsertBuffer(), which can block, let others
1674  * know how far we're finished with inserting the record.
1675  *
1676  * NB: If 'ptr' points to just after the page header, advertise a
1677  * position at the beginning of the page rather than 'ptr' itself. If
1678  * there are no other insertions running, someone might try to flush
1679  * up to our advertised location. If we advertised a position after
1680  * the page header, someone might try to flush the page header, even
1681  * though page might actually not be initialized yet. As the first
1682  * inserter on the page, we are effectively responsible for making
1683  * sure that it's initialized, before we let insertingAt to move past
1684  * the page header.
1685  */
1686  if (ptr % XLOG_BLCKSZ == SizeOfXLogShortPHD &&
1687  XLogSegmentOffset(ptr, wal_segment_size) > XLOG_BLCKSZ)
1688  initializedUpto = ptr - SizeOfXLogShortPHD;
1689  else if (ptr % XLOG_BLCKSZ == SizeOfXLogLongPHD &&
1690  XLogSegmentOffset(ptr, wal_segment_size) < XLOG_BLCKSZ)
1691  initializedUpto = ptr - SizeOfXLogLongPHD;
1692  else
1693  initializedUpto = ptr;
1694 
1695  WALInsertLockUpdateInsertingAt(initializedUpto);
1696 
1697  AdvanceXLInsertBuffer(ptr, tli, false);
1698  endptr = pg_atomic_read_u64(&XLogCtl->xlblocks[idx]);
1699 
1700  if (expectedEndPtr != endptr)
1701  elog(PANIC, "could not find WAL buffer for %X/%X",
1702  LSN_FORMAT_ARGS(ptr));
1703  }
1704  else
1705  {
1706  /*
1707  * Make sure the initialization of the page is visible to us, and
1708  * won't arrive later to overwrite the WAL data we write on the page.
1709  */
1711  }
1712 
1713  /*
1714  * Found the buffer holding this page. Return a pointer to the right
1715  * offset within the page.
1716  */
1717  cachedPage = ptr / XLOG_BLCKSZ;
1718  cachedPos = XLogCtl->pages + idx * (Size) XLOG_BLCKSZ;
1719 
1720  Assert(((XLogPageHeader) cachedPos)->xlp_magic == XLOG_PAGE_MAGIC);
1721  Assert(((XLogPageHeader) cachedPos)->xlp_pageaddr == ptr - (ptr % XLOG_BLCKSZ));
1722 
1723  return cachedPos + ptr % XLOG_BLCKSZ;
1724 }
1725 
1726 /*
1727  * Read WAL data directly from WAL buffers, if available. Returns the number
1728  * of bytes read successfully.
1729  *
1730  * Fewer than 'count' bytes may be read if some of the requested WAL data has
1731  * already been evicted.
1732  *
1733  * No locks are taken.
1734  *
1735  * Caller should ensure that it reads no further than LogwrtResult.Write
1736  * (which should have been updated by the caller when determining how far to
1737  * read). The 'tli' argument is only used as a convenient safety check so that
1738  * callers do not read from WAL buffers on a historical timeline.
1739  */
1740 Size
1741 WALReadFromBuffers(char *dstbuf, XLogRecPtr startptr, Size count,
1742  TimeLineID tli)
1743 {
1744  char *pdst = dstbuf;
1745  XLogRecPtr recptr = startptr;
1746  XLogRecPtr inserted;
1747  Size nbytes = count;
1748 
1749  if (RecoveryInProgress() || tli != GetWALInsertionTimeLine())
1750  return 0;
1751 
1752  Assert(!XLogRecPtrIsInvalid(startptr));
1753 
1754  /*
1755  * Caller should ensure that the requested data has been inserted into WAL
1756  * buffers before we try to read it.
1757  */
1759  if (startptr + count > inserted)
1760  ereport(ERROR,
1761  errmsg("cannot read past end of generated WAL: requested %X/%X, current position %X/%X",
1762  LSN_FORMAT_ARGS(startptr + count),
1763  LSN_FORMAT_ARGS(inserted)));
1764 
1765  /*
1766  * Loop through the buffers without a lock. For each buffer, atomically
1767  * read and verify the end pointer, then copy the data out, and finally
1768  * re-read and re-verify the end pointer.
1769  *
1770  * Once a page is evicted, it never returns to the WAL buffers, so if the
1771  * end pointer matches the expected end pointer before and after we copy
1772  * the data, then the right page must have been present during the data
1773  * copy. Read barriers are necessary to ensure that the data copy actually
1774  * happens between the two verification steps.
1775  *
1776  * If either verification fails, we simply terminate the loop and return
1777  * with the data that had been already copied out successfully.
1778  */
1779  while (nbytes > 0)
1780  {
1781  uint32 offset = recptr % XLOG_BLCKSZ;
1782  int idx = XLogRecPtrToBufIdx(recptr);
1783  XLogRecPtr expectedEndPtr;
1784  XLogRecPtr endptr;
1785  const char *page;
1786  const char *psrc;
1787  Size npagebytes;
1788 
1789  /*
1790  * Calculate the end pointer we expect in the xlblocks array if the
1791  * correct page is present.
1792  */
1793  expectedEndPtr = recptr + (XLOG_BLCKSZ - offset);
1794 
1795  /*
1796  * First verification step: check that the correct page is present in
1797  * the WAL buffers.
1798  */
1799  endptr = pg_atomic_read_u64(&XLogCtl->xlblocks[idx]);
1800  if (expectedEndPtr != endptr)
1801  break;
1802 
1803  /*
1804  * The correct page is present (or was at the time the endptr was
1805  * read; must re-verify later). Calculate pointer to source data and
1806  * determine how much data to read from this page.
1807  */
1808  page = XLogCtl->pages + idx * (Size) XLOG_BLCKSZ;
1809  psrc = page + offset;
1810  npagebytes = Min(nbytes, XLOG_BLCKSZ - offset);
1811 
1812  /*
1813  * Ensure that the data copy and the first verification step are not
1814  * reordered.
1815  */
1816  pg_read_barrier();
1817 
1818  /* data copy */
1819  memcpy(pdst, psrc, npagebytes);
1820 
1821  /*
1822  * Ensure that the data copy and the second verification step are not
1823  * reordered.
1824  */
1825  pg_read_barrier();
1826 
1827  /*
1828  * Second verification step: check that the page we read from wasn't
1829  * evicted while we were copying the data.
1830  */
1831  endptr = pg_atomic_read_u64(&XLogCtl->xlblocks[idx]);
1832  if (expectedEndPtr != endptr)
1833  break;
1834 
1835  pdst += npagebytes;
1836  recptr += npagebytes;
1837  nbytes -= npagebytes;
1838  }
1839 
1840  Assert(pdst - dstbuf <= count);
1841 
1842  return pdst - dstbuf;
1843 }
1844 
1845 /*
1846  * Converts a "usable byte position" to XLogRecPtr. A usable byte position
1847  * is the position starting from the beginning of WAL, excluding all WAL
1848  * page headers.
1849  */
1850 static XLogRecPtr
1851 XLogBytePosToRecPtr(uint64 bytepos)
1852 {
1853  uint64 fullsegs;
1854  uint64 fullpages;
1855  uint64 bytesleft;
1856  uint32 seg_offset;
1857  XLogRecPtr result;
1858 
1859  fullsegs = bytepos / UsableBytesInSegment;
1860  bytesleft = bytepos % UsableBytesInSegment;
1861 
1862  if (bytesleft < XLOG_BLCKSZ - SizeOfXLogLongPHD)
1863  {
1864  /* fits on first page of segment */
1865  seg_offset = bytesleft + SizeOfXLogLongPHD;
1866  }
1867  else
1868  {
1869  /* account for the first page on segment with long header */
1870  seg_offset = XLOG_BLCKSZ;
1871  bytesleft -= XLOG_BLCKSZ - SizeOfXLogLongPHD;
1872 
1873  fullpages = bytesleft / UsableBytesInPage;
1874  bytesleft = bytesleft % UsableBytesInPage;
1875 
1876  seg_offset += fullpages * XLOG_BLCKSZ + bytesleft + SizeOfXLogShortPHD;
1877  }
1878 
1879  XLogSegNoOffsetToRecPtr(fullsegs, seg_offset, wal_segment_size, result);
1880 
1881  return result;
1882 }
1883 
1884 /*
1885  * Like XLogBytePosToRecPtr, but if the position is at a page boundary,
1886  * returns a pointer to the beginning of the page (ie. before page header),
1887  * not to where the first xlog record on that page would go to. This is used
1888  * when converting a pointer to the end of a record.
1889  */
1890 static XLogRecPtr
1891 XLogBytePosToEndRecPtr(uint64 bytepos)
1892 {
1893  uint64 fullsegs;
1894  uint64 fullpages;
1895  uint64 bytesleft;
1896  uint32 seg_offset;
1897  XLogRecPtr result;
1898 
1899  fullsegs = bytepos / UsableBytesInSegment;
1900  bytesleft = bytepos % UsableBytesInSegment;
1901 
1902  if (bytesleft < XLOG_BLCKSZ - SizeOfXLogLongPHD)
1903  {
1904  /* fits on first page of segment */
1905  if (bytesleft == 0)
1906  seg_offset = 0;
1907  else
1908  seg_offset = bytesleft + SizeOfXLogLongPHD;
1909  }
1910  else
1911  {
1912  /* account for the first page on segment with long header */
1913  seg_offset = XLOG_BLCKSZ;
1914  bytesleft -= XLOG_BLCKSZ - SizeOfXLogLongPHD;
1915 
1916  fullpages = bytesleft / UsableBytesInPage;
1917  bytesleft = bytesleft % UsableBytesInPage;
1918 
1919  if (bytesleft == 0)
1920  seg_offset += fullpages * XLOG_BLCKSZ + bytesleft;
1921  else
1922  seg_offset += fullpages * XLOG_BLCKSZ + bytesleft + SizeOfXLogShortPHD;
1923  }
1924 
1925  XLogSegNoOffsetToRecPtr(fullsegs, seg_offset, wal_segment_size, result);
1926 
1927  return result;
1928 }
1929 
1930 /*
1931  * Convert an XLogRecPtr to a "usable byte position".
1932  */
1933 static uint64
1935 {
1936  uint64 fullsegs;
1937  uint32 fullpages;
1938  uint32 offset;
1939  uint64 result;
1940 
1941  XLByteToSeg(ptr, fullsegs, wal_segment_size);
1942 
1943  fullpages = (XLogSegmentOffset(ptr, wal_segment_size)) / XLOG_BLCKSZ;
1944  offset = ptr % XLOG_BLCKSZ;
1945 
1946  if (fullpages == 0)
1947  {
1948  result = fullsegs * UsableBytesInSegment;
1949  if (offset > 0)
1950  {
1951  Assert(offset >= SizeOfXLogLongPHD);
1952  result += offset - SizeOfXLogLongPHD;
1953  }
1954  }
1955  else
1956  {
1957  result = fullsegs * UsableBytesInSegment +
1958  (XLOG_BLCKSZ - SizeOfXLogLongPHD) + /* account for first page */
1959  (fullpages - 1) * UsableBytesInPage; /* full pages */
1960  if (offset > 0)
1961  {
1962  Assert(offset >= SizeOfXLogShortPHD);
1963  result += offset - SizeOfXLogShortPHD;
1964  }
1965  }
1966 
1967  return result;
1968 }
1969 
1970 /*
1971  * Initialize XLOG buffers, writing out old buffers if they still contain
1972  * unwritten data, upto the page containing 'upto'. Or if 'opportunistic' is
1973  * true, initialize as many pages as we can without having to write out
1974  * unwritten data. Any new pages are initialized to zeros, with pages headers
1975  * initialized properly.
1976  */
1977 static void
1978 AdvanceXLInsertBuffer(XLogRecPtr upto, TimeLineID tli, bool opportunistic)
1979 {
1981  int nextidx;
1982  XLogRecPtr OldPageRqstPtr;
1983  XLogwrtRqst WriteRqst;
1984  XLogRecPtr NewPageEndPtr = InvalidXLogRecPtr;
1985  XLogRecPtr NewPageBeginPtr;
1986  XLogPageHeader NewPage;
1987  int npages pg_attribute_unused() = 0;
1988 
1989  LWLockAcquire(WALBufMappingLock, LW_EXCLUSIVE);
1990 
1991  /*
1992  * Now that we have the lock, check if someone initialized the page
1993  * already.
1994  */
1995  while (upto >= XLogCtl->InitializedUpTo || opportunistic)
1996  {
1998 
1999  /*
2000  * Get ending-offset of the buffer page we need to replace (this may
2001  * be zero if the buffer hasn't been used yet). Fall through if it's
2002  * already written out.
2003  */
2004  OldPageRqstPtr = pg_atomic_read_u64(&XLogCtl->xlblocks[nextidx]);
2005  if (LogwrtResult.Write < OldPageRqstPtr)
2006  {
2007  /*
2008  * Nope, got work to do. If we just want to pre-initialize as much
2009  * as we can without flushing, give up now.
2010  */
2011  if (opportunistic)
2012  break;
2013 
2014  /* Advance shared memory write request position */
2016  if (XLogCtl->LogwrtRqst.Write < OldPageRqstPtr)
2017  XLogCtl->LogwrtRqst.Write = OldPageRqstPtr;
2019 
2020  /*
2021  * Acquire an up-to-date LogwrtResult value and see if we still
2022  * need to write it or if someone else already did.
2023  */
2025  if (LogwrtResult.Write < OldPageRqstPtr)
2026  {
2027  /*
2028  * Must acquire write lock. Release WALBufMappingLock first,
2029  * to make sure that all insertions that we need to wait for
2030  * can finish (up to this same position). Otherwise we risk
2031  * deadlock.
2032  */
2033  LWLockRelease(WALBufMappingLock);
2034 
2035  WaitXLogInsertionsToFinish(OldPageRqstPtr);
2036 
2037  LWLockAcquire(WALWriteLock, LW_EXCLUSIVE);
2038 
2040  if (LogwrtResult.Write >= OldPageRqstPtr)
2041  {
2042  /* OK, someone wrote it already */
2043  LWLockRelease(WALWriteLock);
2044  }
2045  else
2046  {
2047  /* Have to write it ourselves */
2048  TRACE_POSTGRESQL_WAL_BUFFER_WRITE_DIRTY_START();
2049  WriteRqst.Write = OldPageRqstPtr;
2050  WriteRqst.Flush = 0;
2051  XLogWrite(WriteRqst, tli, false);
2052  LWLockRelease(WALWriteLock);
2054  TRACE_POSTGRESQL_WAL_BUFFER_WRITE_DIRTY_DONE();
2055  }
2056  /* Re-acquire WALBufMappingLock and retry */
2057  LWLockAcquire(WALBufMappingLock, LW_EXCLUSIVE);
2058  continue;
2059  }
2060  }
2061 
2062  /*
2063  * Now the next buffer slot is free and we can set it up to be the
2064  * next output page.
2065  */
2066  NewPageBeginPtr = XLogCtl->InitializedUpTo;
2067  NewPageEndPtr = NewPageBeginPtr + XLOG_BLCKSZ;
2068 
2069  Assert(XLogRecPtrToBufIdx(NewPageBeginPtr) == nextidx);
2070 
2071  NewPage = (XLogPageHeader) (XLogCtl->pages + nextidx * (Size) XLOG_BLCKSZ);
2072 
2073  /*
2074  * Mark the xlblock with InvalidXLogRecPtr and issue a write barrier
2075  * before initializing. Otherwise, the old page may be partially
2076  * zeroed but look valid.
2077  */
2079  pg_write_barrier();
2080 
2081  /*
2082  * Be sure to re-zero the buffer so that bytes beyond what we've
2083  * written will look like zeroes and not valid XLOG records...
2084  */
2085  MemSet((char *) NewPage, 0, XLOG_BLCKSZ);
2086 
2087  /*
2088  * Fill the new page's header
2089  */
2090  NewPage->xlp_magic = XLOG_PAGE_MAGIC;
2091 
2092  /* NewPage->xlp_info = 0; */ /* done by memset */
2093  NewPage->xlp_tli = tli;
2094  NewPage->xlp_pageaddr = NewPageBeginPtr;
2095 
2096  /* NewPage->xlp_rem_len = 0; */ /* done by memset */
2097 
2098  /*
2099  * If online backup is not in progress, mark the header to indicate
2100  * that WAL records beginning in this page have removable backup
2101  * blocks. This allows the WAL archiver to know whether it is safe to
2102  * compress archived WAL data by transforming full-block records into
2103  * the non-full-block format. It is sufficient to record this at the
2104  * page level because we force a page switch (in fact a segment
2105  * switch) when starting a backup, so the flag will be off before any
2106  * records can be written during the backup. At the end of a backup,
2107  * the last page will be marked as all unsafe when perhaps only part
2108  * is unsafe, but at worst the archiver would miss the opportunity to
2109  * compress a few records.
2110  */
2111  if (Insert->runningBackups == 0)
2112  NewPage->xlp_info |= XLP_BKP_REMOVABLE;
2113 
2114  /*
2115  * If first page of an XLOG segment file, make it a long header.
2116  */
2117  if ((XLogSegmentOffset(NewPage->xlp_pageaddr, wal_segment_size)) == 0)
2118  {
2119  XLogLongPageHeader NewLongPage = (XLogLongPageHeader) NewPage;
2120 
2121  NewLongPage->xlp_sysid = ControlFile->system_identifier;
2122  NewLongPage->xlp_seg_size = wal_segment_size;
2123  NewLongPage->xlp_xlog_blcksz = XLOG_BLCKSZ;
2124  NewPage->xlp_info |= XLP_LONG_HEADER;
2125  }
2126 
2127  /*
2128  * Make sure the initialization of the page becomes visible to others
2129  * before the xlblocks update. GetXLogBuffer() reads xlblocks without
2130  * holding a lock.
2131  */
2132  pg_write_barrier();
2133 
2134  pg_atomic_write_u64(&XLogCtl->xlblocks[nextidx], NewPageEndPtr);
2135  XLogCtl->InitializedUpTo = NewPageEndPtr;
2136 
2137  npages++;
2138  }
2139  LWLockRelease(WALBufMappingLock);
2140 
2141 #ifdef WAL_DEBUG
2142  if (XLOG_DEBUG && npages > 0)
2143  {
2144  elog(DEBUG1, "initialized %d pages, up to %X/%X",
2145  npages, LSN_FORMAT_ARGS(NewPageEndPtr));
2146  }
2147 #endif
2148 }
2149 
2150 /*
2151  * Calculate CheckPointSegments based on max_wal_size_mb and
2152  * checkpoint_completion_target.
2153  */
2154 static void
2156 {
2157  double target;
2158 
2159  /*-------
2160  * Calculate the distance at which to trigger a checkpoint, to avoid
2161  * exceeding max_wal_size_mb. This is based on two assumptions:
2162  *
2163  * a) we keep WAL for only one checkpoint cycle (prior to PG11 we kept
2164  * WAL for two checkpoint cycles to allow us to recover from the
2165  * secondary checkpoint if the first checkpoint failed, though we
2166  * only did this on the primary anyway, not on standby. Keeping just
2167  * one checkpoint simplifies processing and reduces disk space in
2168  * many smaller databases.)
2169  * b) during checkpoint, we consume checkpoint_completion_target *
2170  * number of segments consumed between checkpoints.
2171  *-------
2172  */
2173  target = (double) ConvertToXSegs(max_wal_size_mb, wal_segment_size) /
2175 
2176  /* round down */
2177  CheckPointSegments = (int) target;
2178 
2179  if (CheckPointSegments < 1)
2180  CheckPointSegments = 1;
2181 }
2182 
2183 void
2184 assign_max_wal_size(int newval, void *extra)
2185 {
2188 }
2189 
2190 void
2192 {
2195 }
2196 
2197 bool
2199 {
2200  if (!IsValidWalSegSize(*newval))
2201  {
2202  GUC_check_errdetail("The WAL segment size must be a power of two between 1 MB and 1 GB.");
2203  return false;
2204  }
2205 
2206  return true;
2207 }
2208 
2209 /*
2210  * GUC check_hook for max_slot_wal_keep_size
2211  *
2212  * We don't allow the value of max_slot_wal_keep_size other than -1 during the
2213  * binary upgrade. See start_postmaster() in pg_upgrade for more details.
2214  */
2215 bool
2217 {
2218  if (IsBinaryUpgrade && *newval != -1)
2219  {
2220  GUC_check_errdetail("\"%s\" must be set to -1 during binary upgrade mode.",
2221  "max_slot_wal_keep_size");
2222  return false;
2223  }
2224 
2225  return true;
2226 }
2227 
2228 /*
2229  * At a checkpoint, how many WAL segments to recycle as preallocated future
2230  * XLOG segments? Returns the highest segment that should be preallocated.
2231  */
2232 static XLogSegNo
2234 {
2235  XLogSegNo minSegNo;
2236  XLogSegNo maxSegNo;
2237  double distance;
2238  XLogSegNo recycleSegNo;
2239 
2240  /*
2241  * Calculate the segment numbers that min_wal_size_mb and max_wal_size_mb
2242  * correspond to. Always recycle enough segments to meet the minimum, and
2243  * remove enough segments to stay below the maximum.
2244  */
2245  minSegNo = lastredoptr / wal_segment_size +
2247  maxSegNo = lastredoptr / wal_segment_size +
2249 
2250  /*
2251  * Between those limits, recycle enough segments to get us through to the
2252  * estimated end of next checkpoint.
2253  *
2254  * To estimate where the next checkpoint will finish, assume that the
2255  * system runs steadily consuming CheckPointDistanceEstimate bytes between
2256  * every checkpoint.
2257  */
2259  /* add 10% for good measure. */
2260  distance *= 1.10;
2261 
2262  recycleSegNo = (XLogSegNo) ceil(((double) lastredoptr + distance) /
2264 
2265  if (recycleSegNo < minSegNo)
2266  recycleSegNo = minSegNo;
2267  if (recycleSegNo > maxSegNo)
2268  recycleSegNo = maxSegNo;
2269 
2270  return recycleSegNo;
2271 }
2272 
2273 /*
2274  * Check whether we've consumed enough xlog space that a checkpoint is needed.
2275  *
2276  * new_segno indicates a log file that has just been filled up (or read
2277  * during recovery). We measure the distance from RedoRecPtr to new_segno
2278  * and see if that exceeds CheckPointSegments.
2279  *
2280  * Note: it is caller's responsibility that RedoRecPtr is up-to-date.
2281  */
2282 bool
2284 {
2285  XLogSegNo old_segno;
2286 
2288 
2289  if (new_segno >= old_segno + (uint64) (CheckPointSegments - 1))
2290  return true;
2291  return false;
2292 }
2293 
2294 /*
2295  * Write and/or fsync the log at least as far as WriteRqst indicates.
2296  *
2297  * If flexible == true, we don't have to write as far as WriteRqst, but
2298  * may stop at any convenient boundary (such as a cache or logfile boundary).
2299  * This option allows us to avoid uselessly issuing multiple writes when a
2300  * single one would do.
2301  *
2302  * Must be called with WALWriteLock held. WaitXLogInsertionsToFinish(WriteRqst)
2303  * must be called before grabbing the lock, to make sure the data is ready to
2304  * write.
2305  */
2306 static void
2307 XLogWrite(XLogwrtRqst WriteRqst, TimeLineID tli, bool flexible)
2308 {
2309  bool ispartialpage;
2310  bool last_iteration;
2311  bool finishing_seg;
2312  int curridx;
2313  int npages;
2314  int startidx;
2315  uint32 startoffset;
2316 
2317  /* We should always be inside a critical section here */
2318  Assert(CritSectionCount > 0);
2319 
2320  /*
2321  * Update local LogwrtResult (caller probably did this already, but...)
2322  */
2324 
2325  /*
2326  * Since successive pages in the xlog cache are consecutively allocated,
2327  * we can usually gather multiple pages together and issue just one
2328  * write() call. npages is the number of pages we have determined can be
2329  * written together; startidx is the cache block index of the first one,
2330  * and startoffset is the file offset at which it should go. The latter
2331  * two variables are only valid when npages > 0, but we must initialize
2332  * all of them to keep the compiler quiet.
2333  */
2334  npages = 0;
2335  startidx = 0;
2336  startoffset = 0;
2337 
2338  /*
2339  * Within the loop, curridx is the cache block index of the page to
2340  * consider writing. Begin at the buffer containing the next unwritten
2341  * page, or last partially written page.
2342  */
2344 
2345  while (LogwrtResult.Write < WriteRqst.Write)
2346  {
2347  /*
2348  * Make sure we're not ahead of the insert process. This could happen
2349  * if we're passed a bogus WriteRqst.Write that is past the end of the
2350  * last page that's been initialized by AdvanceXLInsertBuffer.
2351  */
2352  XLogRecPtr EndPtr = pg_atomic_read_u64(&XLogCtl->xlblocks[curridx]);
2353 
2354  if (LogwrtResult.Write >= EndPtr)
2355  elog(PANIC, "xlog write request %X/%X is past end of log %X/%X",
2357  LSN_FORMAT_ARGS(EndPtr));
2358 
2359  /* Advance LogwrtResult.Write to end of current buffer page */
2360  LogwrtResult.Write = EndPtr;
2361  ispartialpage = WriteRqst.Write < LogwrtResult.Write;
2362 
2365  {
2366  /*
2367  * Switch to new logfile segment. We cannot have any pending
2368  * pages here (since we dump what we have at segment end).
2369  */
2370  Assert(npages == 0);
2371  if (openLogFile >= 0)
2372  XLogFileClose();
2375  openLogTLI = tli;
2376 
2377  /* create/use new log file */
2380  }
2381 
2382  /* Make sure we have the current logfile open */
2383  if (openLogFile < 0)
2384  {
2387  openLogTLI = tli;
2390  }
2391 
2392  /* Add current page to the set of pending pages-to-dump */
2393  if (npages == 0)
2394  {
2395  /* first of group */
2396  startidx = curridx;
2397  startoffset = XLogSegmentOffset(LogwrtResult.Write - XLOG_BLCKSZ,
2399  }
2400  npages++;
2401 
2402  /*
2403  * Dump the set if this will be the last loop iteration, or if we are
2404  * at the last page of the cache area (since the next page won't be
2405  * contiguous in memory), or if we are at the end of the logfile
2406  * segment.
2407  */
2408  last_iteration = WriteRqst.Write <= LogwrtResult.Write;
2409 
2410  finishing_seg = !ispartialpage &&
2411  (startoffset + npages * XLOG_BLCKSZ) >= wal_segment_size;
2412 
2413  if (last_iteration ||
2414  curridx == XLogCtl->XLogCacheBlck ||
2415  finishing_seg)
2416  {
2417  char *from;
2418  Size nbytes;
2419  Size nleft;
2420  ssize_t written;
2421  instr_time start;
2422 
2423  /* OK to write the page(s) */
2424  from = XLogCtl->pages + startidx * (Size) XLOG_BLCKSZ;
2425  nbytes = npages * (Size) XLOG_BLCKSZ;
2426  nleft = nbytes;
2427  do
2428  {
2429  errno = 0;
2430 
2431  /* Measure I/O timing to write WAL data */
2432  if (track_wal_io_timing)
2434  else
2436 
2437  pgstat_report_wait_start(WAIT_EVENT_WAL_WRITE);
2438  written = pg_pwrite(openLogFile, from, nleft, startoffset);
2440 
2441  /*
2442  * Increment the I/O timing and the number of times WAL data
2443  * were written out to disk.
2444  */
2445  if (track_wal_io_timing)
2446  {
2447  instr_time end;
2448 
2451  }
2452 
2454 
2455  if (written <= 0)
2456  {
2457  char xlogfname[MAXFNAMELEN];
2458  int save_errno;
2459 
2460  if (errno == EINTR)
2461  continue;
2462 
2463  save_errno = errno;
2464  XLogFileName(xlogfname, tli, openLogSegNo,
2466  errno = save_errno;
2467  ereport(PANIC,
2469  errmsg("could not write to log file \"%s\" at offset %u, length %zu: %m",
2470  xlogfname, startoffset, nleft)));
2471  }
2472  nleft -= written;
2473  from += written;
2474  startoffset += written;
2475  } while (nleft > 0);
2476 
2477  npages = 0;
2478 
2479  /*
2480  * If we just wrote the whole last page of a logfile segment,
2481  * fsync the segment immediately. This avoids having to go back
2482  * and re-open prior segments when an fsync request comes along
2483  * later. Doing it here ensures that one and only one backend will
2484  * perform this fsync.
2485  *
2486  * This is also the right place to notify the Archiver that the
2487  * segment is ready to copy to archival storage, and to update the
2488  * timer for archive_timeout, and to signal for a checkpoint if
2489  * too many logfile segments have been used since the last
2490  * checkpoint.
2491  */
2492  if (finishing_seg)
2493  {
2495 
2496  /* signal that we need to wakeup walsenders later */
2498 
2499  LogwrtResult.Flush = LogwrtResult.Write; /* end of page */
2500 
2501  if (XLogArchivingActive())
2503 
2504  XLogCtl->lastSegSwitchTime = (pg_time_t) time(NULL);
2506 
2507  /*
2508  * Request a checkpoint if we've consumed too much xlog since
2509  * the last one. For speed, we first check using the local
2510  * copy of RedoRecPtr, which might be out of date; if it looks
2511  * like a checkpoint is needed, forcibly update RedoRecPtr and
2512  * recheck.
2513  */
2515  {
2516  (void) GetRedoRecPtr();
2519  }
2520  }
2521  }
2522 
2523  if (ispartialpage)
2524  {
2525  /* Only asked to write a partial page */
2526  LogwrtResult.Write = WriteRqst.Write;
2527  break;
2528  }
2529  curridx = NextBufIdx(curridx);
2530 
2531  /* If flexible, break out of loop as soon as we wrote something */
2532  if (flexible && npages == 0)
2533  break;
2534  }
2535 
2536  Assert(npages == 0);
2537 
2538  /*
2539  * If asked to flush, do so
2540  */
2541  if (LogwrtResult.Flush < WriteRqst.Flush &&
2543  {
2544  /*
2545  * Could get here without iterating above loop, in which case we might
2546  * have no open file or the wrong one. However, we do not need to
2547  * fsync more than one file.
2548  */
2551  {
2552  if (openLogFile >= 0 &&
2555  XLogFileClose();
2556  if (openLogFile < 0)
2557  {
2560  openLogTLI = tli;
2563  }
2564 
2566  }
2567 
2568  /* signal that we need to wakeup walsenders later */
2570 
2572  }
2573 
2574  /*
2575  * Update shared-memory status
2576  *
2577  * We make sure that the shared 'request' values do not fall behind the
2578  * 'result' values. This is not absolutely essential, but it saves some
2579  * code in a couple of places.
2580  */
2587 
2588  /*
2589  * We write Write first, bar, then Flush. When reading, the opposite must
2590  * be done (with a matching barrier in between), so that we always see a
2591  * Flush value that trails behind the Write value seen.
2592  */
2594  pg_write_barrier();
2596 
2597 #ifdef USE_ASSERT_CHECKING
2598  {
2599  XLogRecPtr Flush;
2600  XLogRecPtr Write;
2602 
2604  pg_read_barrier();
2606  pg_read_barrier();
2608 
2609  /* WAL written to disk is always ahead of WAL flushed */
2610  Assert(Write >= Flush);
2611 
2612  /* WAL inserted to buffers is always ahead of WAL written */
2613  Assert(Insert >= Write);
2614  }
2615 #endif
2616 }
2617 
2618 /*
2619  * Record the LSN for an asynchronous transaction commit/abort
2620  * and nudge the WALWriter if there is work for it to do.
2621  * (This should not be called for synchronous commits.)
2622  */
2623 void
2625 {
2626  XLogRecPtr WriteRqstPtr = asyncXactLSN;
2627  bool sleeping;
2628  bool wakeup = false;
2629  XLogRecPtr prevAsyncXactLSN;
2630 
2632  sleeping = XLogCtl->WalWriterSleeping;
2633  prevAsyncXactLSN = XLogCtl->asyncXactLSN;
2634  if (XLogCtl->asyncXactLSN < asyncXactLSN)
2635  XLogCtl->asyncXactLSN = asyncXactLSN;
2637 
2638  /*
2639  * If somebody else already called this function with a more aggressive
2640  * LSN, they will have done what we needed (and perhaps more).
2641  */
2642  if (asyncXactLSN <= prevAsyncXactLSN)
2643  return;
2644 
2645  /*
2646  * If the WALWriter is sleeping, kick it to make it come out of low-power
2647  * mode, so that this async commit will reach disk within the expected
2648  * amount of time. Otherwise, determine whether it has enough WAL
2649  * available to flush, the same way that XLogBackgroundFlush() does.
2650  */
2651  if (sleeping)
2652  wakeup = true;
2653  else
2654  {
2655  int flushblocks;
2656 
2658 
2659  flushblocks =
2660  WriteRqstPtr / XLOG_BLCKSZ - LogwrtResult.Flush / XLOG_BLCKSZ;
2661 
2662  if (WalWriterFlushAfter == 0 || flushblocks >= WalWriterFlushAfter)
2663  wakeup = true;
2664  }
2665 
2668 }
2669 
2670 /*
2671  * Record the LSN up to which we can remove WAL because it's not required by
2672  * any replication slot.
2673  */
2674 void
2676 {
2680 }
2681 
2682 
2683 /*
2684  * Return the oldest LSN we must retain to satisfy the needs of some
2685  * replication slot.
2686  */
2687 static XLogRecPtr
2689 {
2690  XLogRecPtr retval;
2691 
2693  retval = XLogCtl->replicationSlotMinLSN;
2695 
2696  return retval;
2697 }
2698 
2699 /*
2700  * Advance minRecoveryPoint in control file.
2701  *
2702  * If we crash during recovery, we must reach this point again before the
2703  * database is consistent.
2704  *
2705  * If 'force' is true, 'lsn' argument is ignored. Otherwise, minRecoveryPoint
2706  * is only updated if it's not already greater than or equal to 'lsn'.
2707  */
2708 static void
2710 {
2711  /* Quick check using our local copy of the variable */
2712  if (!updateMinRecoveryPoint || (!force && lsn <= LocalMinRecoveryPoint))
2713  return;
2714 
2715  /*
2716  * An invalid minRecoveryPoint means that we need to recover all the WAL,
2717  * i.e., we're doing crash recovery. We never modify the control file's
2718  * value in that case, so we can short-circuit future checks here too. The
2719  * local values of minRecoveryPoint and minRecoveryPointTLI should not be
2720  * updated until crash recovery finishes. We only do this for the startup
2721  * process as it should not update its own reference of minRecoveryPoint
2722  * until it has finished crash recovery to make sure that all WAL
2723  * available is replayed in this case. This also saves from extra locks
2724  * taken on the control file from the startup process.
2725  */
2727  {
2728  updateMinRecoveryPoint = false;
2729  return;
2730  }
2731 
2732  LWLockAcquire(ControlFileLock, LW_EXCLUSIVE);
2733 
2734  /* update local copy */
2737 
2739  updateMinRecoveryPoint = false;
2740  else if (force || LocalMinRecoveryPoint < lsn)
2741  {
2742  XLogRecPtr newMinRecoveryPoint;
2743  TimeLineID newMinRecoveryPointTLI;
2744 
2745  /*
2746  * To avoid having to update the control file too often, we update it
2747  * all the way to the last record being replayed, even though 'lsn'
2748  * would suffice for correctness. This also allows the 'force' case
2749  * to not need a valid 'lsn' value.
2750  *
2751  * Another important reason for doing it this way is that the passed
2752  * 'lsn' value could be bogus, i.e., past the end of available WAL, if
2753  * the caller got it from a corrupted heap page. Accepting such a
2754  * value as the min recovery point would prevent us from coming up at
2755  * all. Instead, we just log a warning and continue with recovery.
2756  * (See also the comments about corrupt LSNs in XLogFlush.)
2757  */
2758  newMinRecoveryPoint = GetCurrentReplayRecPtr(&newMinRecoveryPointTLI);
2759  if (!force && newMinRecoveryPoint < lsn)
2760  elog(WARNING,
2761  "xlog min recovery request %X/%X is past current point %X/%X",
2762  LSN_FORMAT_ARGS(lsn), LSN_FORMAT_ARGS(newMinRecoveryPoint));
2763 
2764  /* update control file */
2765  if (ControlFile->minRecoveryPoint < newMinRecoveryPoint)
2766  {
2767  ControlFile->minRecoveryPoint = newMinRecoveryPoint;
2768  ControlFile->minRecoveryPointTLI = newMinRecoveryPointTLI;
2770  LocalMinRecoveryPoint = newMinRecoveryPoint;
2771  LocalMinRecoveryPointTLI = newMinRecoveryPointTLI;
2772 
2773  ereport(DEBUG2,
2774  (errmsg_internal("updated min recovery point to %X/%X on timeline %u",
2775  LSN_FORMAT_ARGS(newMinRecoveryPoint),
2776  newMinRecoveryPointTLI)));
2777  }
2778  }
2779  LWLockRelease(ControlFileLock);
2780 }
2781 
2782 /*
2783  * Ensure that all XLOG data through the given position is flushed to disk.
2784  *
2785  * NOTE: this differs from XLogWrite mainly in that the WALWriteLock is not
2786  * already held, and we try to avoid acquiring it if possible.
2787  */
2788 void
2790 {
2791  XLogRecPtr WriteRqstPtr;
2792  XLogwrtRqst WriteRqst;
2793  TimeLineID insertTLI = XLogCtl->InsertTimeLineID;
2794 
2795  /*
2796  * During REDO, we are reading not writing WAL. Therefore, instead of
2797  * trying to flush the WAL, we should update minRecoveryPoint instead. We
2798  * test XLogInsertAllowed(), not InRecovery, because we need checkpointer
2799  * to act this way too, and because when it tries to write the
2800  * end-of-recovery checkpoint, it should indeed flush.
2801  */
2802  if (!XLogInsertAllowed())
2803  {
2804  UpdateMinRecoveryPoint(record, false);
2805  return;
2806  }
2807 
2808  /* Quick exit if already known flushed */
2809  if (record <= LogwrtResult.Flush)
2810  return;
2811 
2812 #ifdef WAL_DEBUG
2813  if (XLOG_DEBUG)
2814  elog(LOG, "xlog flush request %X/%X; write %X/%X; flush %X/%X",
2815  LSN_FORMAT_ARGS(record),
2818 #endif
2819 
2821 
2822  /*
2823  * Since fsync is usually a horribly expensive operation, we try to
2824  * piggyback as much data as we can on each fsync: if we see any more data
2825  * entered into the xlog buffer, we'll write and fsync that too, so that
2826  * the final value of LogwrtResult.Flush is as large as possible. This
2827  * gives us some chance of avoiding another fsync immediately after.
2828  */
2829 
2830  /* initialize to given target; may increase below */
2831  WriteRqstPtr = record;
2832 
2833  /*
2834  * Now wait until we get the write lock, or someone else does the flush
2835  * for us.
2836  */
2837  for (;;)
2838  {
2839  XLogRecPtr insertpos;
2840 
2841  /* done already? */
2843  if (record <= LogwrtResult.Flush)
2844  break;
2845 
2846  /*
2847  * Before actually performing the write, wait for all in-flight
2848  * insertions to the pages we're about to write to finish.
2849  */
2851  if (WriteRqstPtr < XLogCtl->LogwrtRqst.Write)
2852  WriteRqstPtr = XLogCtl->LogwrtRqst.Write;
2854  insertpos = WaitXLogInsertionsToFinish(WriteRqstPtr);
2855 
2856  /*
2857  * Try to get the write lock. If we can't get it immediately, wait
2858  * until it's released, and recheck if we still need to do the flush
2859  * or if the backend that held the lock did it for us already. This
2860  * helps to maintain a good rate of group committing when the system
2861  * is bottlenecked by the speed of fsyncing.
2862  */
2863  if (!LWLockAcquireOrWait(WALWriteLock, LW_EXCLUSIVE))
2864  {
2865  /*
2866  * The lock is now free, but we didn't acquire it yet. Before we
2867  * do, loop back to check if someone else flushed the record for
2868  * us already.
2869  */
2870  continue;
2871  }
2872 
2873  /* Got the lock; recheck whether request is satisfied */
2875  if (record <= LogwrtResult.Flush)
2876  {
2877  LWLockRelease(WALWriteLock);
2878  break;
2879  }
2880 
2881  /*
2882  * Sleep before flush! By adding a delay here, we may give further
2883  * backends the opportunity to join the backlog of group commit
2884  * followers; this can significantly improve transaction throughput,
2885  * at the risk of increasing transaction latency.
2886  *
2887  * We do not sleep if enableFsync is not turned on, nor if there are
2888  * fewer than CommitSiblings other backends with active transactions.
2889  */
2890  if (CommitDelay > 0 && enableFsync &&
2892  {
2894 
2895  /*
2896  * Re-check how far we can now flush the WAL. It's generally not
2897  * safe to call WaitXLogInsertionsToFinish while holding
2898  * WALWriteLock, because an in-progress insertion might need to
2899  * also grab WALWriteLock to make progress. But we know that all
2900  * the insertions up to insertpos have already finished, because
2901  * that's what the earlier WaitXLogInsertionsToFinish() returned.
2902  * We're only calling it again to allow insertpos to be moved
2903  * further forward, not to actually wait for anyone.
2904  */
2905  insertpos = WaitXLogInsertionsToFinish(insertpos);
2906  }
2907 
2908  /* try to write/flush later additions to XLOG as well */
2909  WriteRqst.Write = insertpos;
2910  WriteRqst.Flush = insertpos;
2911 
2912  XLogWrite(WriteRqst, insertTLI, false);
2913 
2914  LWLockRelease(WALWriteLock);
2915  /* done */
2916  break;
2917  }
2918 
2919  END_CRIT_SECTION();
2920 
2921  /* wake up walsenders now that we've released heavily contended locks */
2923 
2924  /*
2925  * If we still haven't flushed to the request point then we have a
2926  * problem; most likely, the requested flush point is past end of XLOG.
2927  * This has been seen to occur when a disk page has a corrupted LSN.
2928  *
2929  * Formerly we treated this as a PANIC condition, but that hurts the
2930  * system's robustness rather than helping it: we do not want to take down
2931  * the whole system due to corruption on one data page. In particular, if
2932  * the bad page is encountered again during recovery then we would be
2933  * unable to restart the database at all! (This scenario actually
2934  * happened in the field several times with 7.1 releases.) As of 8.4, bad
2935  * LSNs encountered during recovery are UpdateMinRecoveryPoint's problem;
2936  * the only time we can reach here during recovery is while flushing the
2937  * end-of-recovery checkpoint record, and we don't expect that to have a
2938  * bad LSN.
2939  *
2940  * Note that for calls from xact.c, the ERROR will be promoted to PANIC
2941  * since xact.c calls this routine inside a critical section. However,
2942  * calls from bufmgr.c are not within critical sections and so we will not
2943  * force a restart for a bad LSN on a data page.
2944  */
2945  if (LogwrtResult.Flush < record)
2946  elog(ERROR,
2947  "xlog flush request %X/%X is not satisfied --- flushed only to %X/%X",
2948  LSN_FORMAT_ARGS(record),
2950 }
2951 
2952 /*
2953  * Write & flush xlog, but without specifying exactly where to.
2954  *
2955  * We normally write only completed blocks; but if there is nothing to do on
2956  * that basis, we check for unwritten async commits in the current incomplete
2957  * block, and write through the latest one of those. Thus, if async commits
2958  * are not being used, we will write complete blocks only.
2959  *
2960  * If, based on the above, there's anything to write we do so immediately. But
2961  * to avoid calling fsync, fdatasync et. al. at a rate that'd impact
2962  * concurrent IO, we only flush WAL every wal_writer_delay ms, or if there's
2963  * more than wal_writer_flush_after unflushed blocks.
2964  *
2965  * We can guarantee that async commits reach disk after at most three
2966  * wal_writer_delay cycles. (When flushing complete blocks, we allow XLogWrite
2967  * to write "flexibly", meaning it can stop at the end of the buffer ring;
2968  * this makes a difference only with very high load or long wal_writer_delay,
2969  * but imposes one extra cycle for the worst case for async commits.)
2970  *
2971  * This routine is invoked periodically by the background walwriter process.
2972  *
2973  * Returns true if there was any work to do, even if we skipped flushing due
2974  * to wal_writer_delay/wal_writer_flush_after.
2975  */
2976 bool
2978 {
2979  XLogwrtRqst WriteRqst;
2980  bool flexible = true;
2981  static TimestampTz lastflush;
2982  TimestampTz now;
2983  int flushblocks;
2984  TimeLineID insertTLI;
2985 
2986  /* XLOG doesn't need flushing during recovery */
2987  if (RecoveryInProgress())
2988  return false;
2989 
2990  /*
2991  * Since we're not in recovery, InsertTimeLineID is set and can't change,
2992  * so we can read it without a lock.
2993  */
2994  insertTLI = XLogCtl->InsertTimeLineID;
2995 
2996  /* read updated LogwrtRqst */
2998  WriteRqst = XLogCtl->LogwrtRqst;
3000 
3001  /* back off to last completed page boundary */
3002  WriteRqst.Write -= WriteRqst.Write % XLOG_BLCKSZ;
3003 
3004  /* if we have already flushed that far, consider async commit records */
3006  if (WriteRqst.Write <= LogwrtResult.Flush)
3007  {
3009  WriteRqst.Write = XLogCtl->asyncXactLSN;
3011  flexible = false; /* ensure it all gets written */
3012  }
3013 
3014  /*
3015  * If already known flushed, we're done. Just need to check if we are
3016  * holding an open file handle to a logfile that's no longer in use,
3017  * preventing the file from being deleted.
3018  */
3019  if (WriteRqst.Write <= LogwrtResult.Flush)
3020  {
3021  if (openLogFile >= 0)
3022  {
3025  {
3026  XLogFileClose();
3027  }
3028  }
3029  return false;
3030  }
3031 
3032  /*
3033  * Determine how far to flush WAL, based on the wal_writer_delay and
3034  * wal_writer_flush_after GUCs.
3035  *
3036  * Note that XLogSetAsyncXactLSN() performs similar calculation based on
3037  * wal_writer_flush_after, to decide when to wake us up. Make sure the
3038  * logic is the same in both places if you change this.
3039  */
3041  flushblocks =
3042  WriteRqst.Write / XLOG_BLCKSZ - LogwrtResult.Flush / XLOG_BLCKSZ;
3043 
3044  if (WalWriterFlushAfter == 0 || lastflush == 0)
3045  {
3046  /* first call, or block based limits disabled */
3047  WriteRqst.Flush = WriteRqst.Write;
3048  lastflush = now;
3049  }
3050  else if (TimestampDifferenceExceeds(lastflush, now, WalWriterDelay))
3051  {
3052  /*
3053  * Flush the writes at least every WalWriterDelay ms. This is
3054  * important to bound the amount of time it takes for an asynchronous
3055  * commit to hit disk.
3056  */
3057  WriteRqst.Flush = WriteRqst.Write;
3058  lastflush = now;
3059  }
3060  else if (flushblocks >= WalWriterFlushAfter)
3061  {
3062  /* exceeded wal_writer_flush_after blocks, flush */
3063  WriteRqst.Flush = WriteRqst.Write;
3064  lastflush = now;
3065  }
3066  else
3067  {
3068  /* no flushing, this time round */
3069  WriteRqst.Flush = 0;
3070  }
3071 
3072 #ifdef WAL_DEBUG
3073  if (XLOG_DEBUG)
3074  elog(LOG, "xlog bg flush request write %X/%X; flush: %X/%X, current is write %X/%X; flush %X/%X",
3075  LSN_FORMAT_ARGS(WriteRqst.Write),
3076  LSN_FORMAT_ARGS(WriteRqst.Flush),
3079 #endif
3080 
3082 
3083  /* now wait for any in-progress insertions to finish and get write lock */
3084  WaitXLogInsertionsToFinish(WriteRqst.Write);
3085  LWLockAcquire(WALWriteLock, LW_EXCLUSIVE);
3087  if (WriteRqst.Write > LogwrtResult.Write ||
3088  WriteRqst.Flush > LogwrtResult.Flush)
3089  {
3090  XLogWrite(WriteRqst, insertTLI, flexible);
3091  }
3092  LWLockRelease(WALWriteLock);
3093 
3094  END_CRIT_SECTION();
3095 
3096  /* wake up walsenders now that we've released heavily contended locks */
3098 
3099  /*
3100  * Great, done. To take some work off the critical path, try to initialize
3101  * as many of the no-longer-needed WAL buffers for future use as we can.
3102  */
3103  AdvanceXLInsertBuffer(InvalidXLogRecPtr, insertTLI, true);
3104 
3105  /*
3106  * If we determined that we need to write data, but somebody else
3107  * wrote/flushed already, it should be considered as being active, to
3108  * avoid hibernating too early.
3109  */
3110  return true;
3111 }
3112 
3113 /*
3114  * Test whether XLOG data has been flushed up to (at least) the given position.
3115  *
3116  * Returns true if a flush is still needed. (It may be that someone else
3117  * is already in process of flushing that far, however.)
3118  */
3119 bool
3121 {
3122  /*
3123  * During recovery, we don't flush WAL but update minRecoveryPoint
3124  * instead. So "needs flush" is taken to mean whether minRecoveryPoint
3125  * would need to be updated.
3126  */
3127  if (RecoveryInProgress())
3128  {
3129  /*
3130  * An invalid minRecoveryPoint means that we need to recover all the
3131  * WAL, i.e., we're doing crash recovery. We never modify the control
3132  * file's value in that case, so we can short-circuit future checks
3133  * here too. This triggers a quick exit path for the startup process,
3134  * which cannot update its local copy of minRecoveryPoint as long as
3135  * it has not replayed all WAL available when doing crash recovery.
3136  */
3138  updateMinRecoveryPoint = false;
3139 
3140  /* Quick exit if already known to be updated or cannot be updated */
3142  return false;
3143 
3144  /*
3145  * Update local copy of minRecoveryPoint. But if the lock is busy,
3146  * just return a conservative guess.
3147  */
3148  if (!LWLockConditionalAcquire(ControlFileLock, LW_SHARED))
3149  return true;
3152  LWLockRelease(ControlFileLock);
3153 
3154  /*
3155  * Check minRecoveryPoint for any other process than the startup
3156  * process doing crash recovery, which should not update the control
3157  * file value if crash recovery is still running.
3158  */
3160  updateMinRecoveryPoint = false;
3161 
3162  /* check again */
3164  return false;
3165  else
3166  return true;
3167  }
3168 
3169  /* Quick exit if already known flushed */
3170  if (record <= LogwrtResult.Flush)
3171  return false;
3172 
3173  /* read LogwrtResult and update local state */
3175 
3176  /* check again */
3177  if (record <= LogwrtResult.Flush)
3178  return false;
3179 
3180  return true;
3181 }
3182 
3183 /*
3184  * Try to make a given XLOG file segment exist.
3185  *
3186  * logsegno: identify segment.
3187  *
3188  * *added: on return, true if this call raised the number of extant segments.
3189  *
3190  * path: on return, this char[MAXPGPATH] has the path to the logsegno file.
3191  *
3192  * Returns -1 or FD of opened file. A -1 here is not an error; a caller
3193  * wanting an open segment should attempt to open "path", which usually will
3194  * succeed. (This is weird, but it's efficient for the callers.)
3195  */
3196 static int
3198  bool *added, char *path)
3199 {
3200  char tmppath[MAXPGPATH];
3201  XLogSegNo installed_segno;
3202  XLogSegNo max_segno;
3203  int fd;
3204  int save_errno;
3205  int open_flags = O_RDWR | O_CREAT | O_EXCL | PG_BINARY;
3206 
3207  Assert(logtli != 0);
3208 
3209  XLogFilePath(path, logtli, logsegno, wal_segment_size);
3210 
3211  /*
3212  * Try to use existent file (checkpoint maker may have created it already)
3213  */
3214  *added = false;
3215  fd = BasicOpenFile(path, O_RDWR | PG_BINARY | O_CLOEXEC |
3217  if (fd < 0)
3218  {
3219  if (errno != ENOENT)
3220  ereport(ERROR,
3222  errmsg("could not open file \"%s\": %m", path)));
3223  }
3224  else
3225  return fd;
3226 
3227  /*
3228  * Initialize an empty (all zeroes) segment. NOTE: it is possible that
3229  * another process is doing the same thing. If so, we will end up
3230  * pre-creating an extra log segment. That seems OK, and better than
3231  * holding the lock throughout this lengthy process.
3232  */
3233  elog(DEBUG2, "creating and filling new WAL file");
3234 
3235  snprintf(tmppath, MAXPGPATH, XLOGDIR "/xlogtemp.%d", (int) getpid());
3236 
3237  unlink(tmppath);
3238 
3240  open_flags |= PG_O_DIRECT;
3241 
3242  /* do not use get_sync_bit() here --- want to fsync only at end of fill */
3243  fd = BasicOpenFile(tmppath, open_flags);
3244  if (fd < 0)
3245  ereport(ERROR,
3247  errmsg("could not create file \"%s\": %m", tmppath)));
3248 
3249  pgstat_report_wait_start(WAIT_EVENT_WAL_INIT_WRITE);
3250  save_errno = 0;
3251  if (wal_init_zero)
3252  {
3253  ssize_t rc;
3254 
3255  /*
3256  * Zero-fill the file. With this setting, we do this the hard way to
3257  * ensure that all the file space has really been allocated. On
3258  * platforms that allow "holes" in files, just seeking to the end
3259  * doesn't allocate intermediate space. This way, we know that we
3260  * have all the space and (after the fsync below) that all the
3261  * indirect blocks are down on disk. Therefore, fdatasync(2) or
3262  * O_DSYNC will be sufficient to sync future writes to the log file.
3263  */
3265 
3266  if (rc < 0)
3267  save_errno = errno;
3268  }
3269  else
3270  {
3271  /*
3272  * Otherwise, seeking to the end and writing a solitary byte is
3273  * enough.
3274  */
3275  errno = 0;
3276  if (pg_pwrite(fd, "\0", 1, wal_segment_size - 1) != 1)
3277  {
3278  /* if write didn't set errno, assume no disk space */
3279  save_errno = errno ? errno : ENOSPC;
3280  }
3281  }
3283 
3284  if (save_errno)
3285  {
3286  /*
3287  * If we fail to make the file, delete it to release disk space
3288  */
3289  unlink(tmppath);
3290 
3291  close(fd);
3292 
3293  errno = save_errno;
3294 
3295  ereport(ERROR,
3297  errmsg("could not write to file \"%s\": %m", tmppath)));
3298  }
3299 
3300  pgstat_report_wait_start(WAIT_EVENT_WAL_INIT_SYNC);
3301  if (pg_fsync(fd) != 0)
3302  {
3303  save_errno = errno;
3304  close(fd);
3305  errno = save_errno;
3306  ereport(ERROR,
3308  errmsg("could not fsync file \"%s\": %m", tmppath)));
3309  }
3311 
3312  if (close(fd) != 0)
3313  ereport(ERROR,
3315  errmsg("could not close file \"%s\": %m", tmppath)));
3316 
3317  /*
3318  * Now move the segment into place with its final name. Cope with
3319  * possibility that someone else has created the file while we were
3320  * filling ours: if so, use ours to pre-create a future log segment.
3321  */
3322  installed_segno = logsegno;
3323 
3324  /*
3325  * XXX: What should we use as max_segno? We used to use XLOGfileslop when
3326  * that was a constant, but that was always a bit dubious: normally, at a
3327  * checkpoint, XLOGfileslop was the offset from the checkpoint record, but
3328  * here, it was the offset from the insert location. We can't do the
3329  * normal XLOGfileslop calculation here because we don't have access to
3330  * the prior checkpoint's redo location. So somewhat arbitrarily, just use
3331  * CheckPointSegments.
3332  */
3333  max_segno = logsegno + CheckPointSegments;
3334  if (InstallXLogFileSegment(&installed_segno, tmppath, true, max_segno,
3335  logtli))
3336  {
3337  *added = true;
3338  elog(DEBUG2, "done creating and filling new WAL file");
3339  }
3340  else
3341  {
3342  /*
3343  * No need for any more future segments, or InstallXLogFileSegment()
3344  * failed to rename the file into place. If the rename failed, a
3345  * caller opening the file may fail.
3346  */
3347  unlink(tmppath);
3348  elog(DEBUG2, "abandoned new WAL file");
3349  }
3350 
3351  return -1;
3352 }
3353 
3354 /*
3355  * Create a new XLOG file segment, or open a pre-existing one.
3356  *
3357  * logsegno: identify segment to be created/opened.
3358  *
3359  * Returns FD of opened file.
3360  *
3361  * Note: errors here are ERROR not PANIC because we might or might not be
3362  * inside a critical section (eg, during checkpoint there is no reason to
3363  * take down the system on failure). They will promote to PANIC if we are
3364  * in a critical section.
3365  */
3366 int
3368 {
3369  bool ignore_added;
3370  char path[MAXPGPATH];
3371  int fd;
3372 
3373  Assert(logtli != 0);
3374 
3375  fd = XLogFileInitInternal(logsegno, logtli, &ignore_added, path);
3376  if (fd >= 0)
3377  return fd;
3378 
3379  /* Now open original target segment (might not be file I just made) */
3380  fd = BasicOpenFile(path, O_RDWR | PG_BINARY | O_CLOEXEC |
3382  if (fd < 0)
3383  ereport(ERROR,
3385  errmsg("could not open file \"%s\": %m", path)));
3386  return fd;
3387 }
3388 
3389 /*
3390  * Create a new XLOG file segment by copying a pre-existing one.
3391  *
3392  * destsegno: identify segment to be created.
3393  *
3394  * srcTLI, srcsegno: identify segment to be copied (could be from
3395  * a different timeline)
3396  *
3397  * upto: how much of the source file to copy (the rest is filled with
3398  * zeros)
3399  *
3400  * Currently this is only used during recovery, and so there are no locking
3401  * considerations. But we should be just as tense as XLogFileInit to avoid
3402  * emplacing a bogus file.
3403  */
3404 static void
3405 XLogFileCopy(TimeLineID destTLI, XLogSegNo destsegno,
3406  TimeLineID srcTLI, XLogSegNo srcsegno,
3407  int upto)
3408 {
3409  char path[MAXPGPATH];
3410  char tmppath[MAXPGPATH];
3411  PGAlignedXLogBlock buffer;
3412  int srcfd;
3413  int fd;
3414  int nbytes;
3415 
3416  /*
3417  * Open the source file
3418  */
3419  XLogFilePath(path, srcTLI, srcsegno, wal_segment_size);
3420  srcfd = OpenTransientFile(path, O_RDONLY | PG_BINARY);
3421  if (srcfd < 0)
3422  ereport(ERROR,
3424  errmsg("could not open file \"%s\": %m", path)));
3425 
3426  /*
3427  * Copy into a temp file name.
3428  */
3429  snprintf(tmppath, MAXPGPATH, XLOGDIR "/xlogtemp.%d", (int) getpid());
3430 
3431  unlink(tmppath);
3432 
3433  /* do not use get_sync_bit() here --- want to fsync only at end of fill */
3434  fd = OpenTransientFile(tmppath, O_RDWR | O_CREAT | O_EXCL | PG_BINARY);
3435  if (fd < 0)
3436  ereport(ERROR,
3438  errmsg("could not create file \"%s\": %m", tmppath)));
3439 
3440  /*
3441  * Do the data copying.
3442  */
3443  for (nbytes = 0; nbytes < wal_segment_size; nbytes += sizeof(buffer))
3444  {
3445  int nread;
3446 
3447  nread = upto - nbytes;
3448 
3449  /*
3450  * The part that is not read from the source file is filled with
3451  * zeros.
3452  */
3453  if (nread < sizeof(buffer))
3454  memset(buffer.data, 0, sizeof(buffer));
3455 
3456  if (nread > 0)
3457  {
3458  int r;
3459 
3460  if (nread > sizeof(buffer))
3461  nread = sizeof(buffer);
3462  pgstat_report_wait_start(WAIT_EVENT_WAL_COPY_READ);
3463  r = read(srcfd, buffer.data, nread);
3464  if (r != nread)
3465  {
3466  if (r < 0)
3467  ereport(ERROR,
3469  errmsg("could not read file \"%s\": %m",
3470  path)));
3471  else
3472  ereport(ERROR,
3474  errmsg("could not read file \"%s\": read %d of %zu",
3475  path, r, (Size) nread)));
3476  }
3478  }
3479  errno = 0;
3480  pgstat_report_wait_start(WAIT_EVENT_WAL_COPY_WRITE);
3481  if ((int) write(fd, buffer.data, sizeof(buffer)) != (int) sizeof(buffer))
3482  {
3483  int save_errno = errno;
3484 
3485  /*
3486  * If we fail to make the file, delete it to release disk space
3487  */
3488  unlink(tmppath);
3489  /* if write didn't set errno, assume problem is no disk space */
3490  errno = save_errno ? save_errno : ENOSPC;
3491 
3492  ereport(ERROR,
3494  errmsg("could not write to file \"%s\": %m", tmppath)));
3495  }
3497  }
3498 
3499  pgstat_report_wait_start(WAIT_EVENT_WAL_COPY_SYNC);
3500  if (pg_fsync(fd) != 0)
3503  errmsg("could not fsync file \"%s\": %m", tmppath)));
3505 
3506  if (CloseTransientFile(fd) != 0)
3507  ereport(ERROR,
3509  errmsg("could not close file \"%s\": %m", tmppath)));
3510 
3511  if (CloseTransientFile(srcfd) != 0)
3512  ereport(ERROR,
3514  errmsg("could not close file \"%s\": %m", path)));
3515 
3516  /*
3517  * Now move the segment into place with its final name.
3518  */
3519  if (!InstallXLogFileSegment(&destsegno, tmppath, false, 0, destTLI))
3520  elog(ERROR, "InstallXLogFileSegment should not have failed");
3521 }
3522 
3523 /*
3524  * Install a new XLOG segment file as a current or future log segment.
3525  *
3526  * This is used both to install a newly-created segment (which has a temp
3527  * filename while it's being created) and to recycle an old segment.
3528  *
3529  * *segno: identify segment to install as (or first possible target).
3530  * When find_free is true, this is modified on return to indicate the
3531  * actual installation location or last segment searched.
3532  *
3533  * tmppath: initial name of file to install. It will be renamed into place.
3534  *
3535  * find_free: if true, install the new segment at the first empty segno
3536  * number at or after the passed numbers. If false, install the new segment
3537  * exactly where specified, deleting any existing segment file there.
3538  *
3539  * max_segno: maximum segment number to install the new file as. Fail if no
3540  * free slot is found between *segno and max_segno. (Ignored when find_free
3541  * is false.)
3542  *
3543  * tli: The timeline on which the new segment should be installed.
3544  *
3545  * Returns true if the file was installed successfully. false indicates that
3546  * max_segno limit was exceeded, the startup process has disabled this
3547  * function for now, or an error occurred while renaming the file into place.
3548  */
3549 static bool
3550 InstallXLogFileSegment(XLogSegNo *segno, char *tmppath,
3551  bool find_free, XLogSegNo max_segno, TimeLineID tli)
3552 {
3553  char path[MAXPGPATH];
3554  struct stat stat_buf;
3555 
3556  Assert(tli != 0);
3557 
3558  XLogFilePath(path, tli, *segno, wal_segment_size);
3559 
3560  LWLockAcquire(ControlFileLock, LW_EXCLUSIVE);
3562  {
3563  LWLockRelease(ControlFileLock);
3564  return false;
3565  }
3566 
3567  if (!find_free)
3568  {
3569  /* Force installation: get rid of any pre-existing segment file */
3570  durable_unlink(path, DEBUG1);
3571  }
3572  else
3573  {
3574  /* Find a free slot to put it in */
3575  while (stat(path, &stat_buf) == 0)
3576  {
3577  if ((*segno) >= max_segno)
3578  {
3579  /* Failed to find a free slot within specified range */
3580  LWLockRelease(ControlFileLock);
3581  return false;
3582  }
3583  (*segno)++;
3584  XLogFilePath(path, tli, *segno, wal_segment_size);
3585  }
3586  }
3587 
3588  Assert(access(path, F_OK) != 0 && errno == ENOENT);
3589  if (durable_rename(tmppath, path, LOG) != 0)
3590  {
3591  LWLockRelease(ControlFileLock);
3592  /* durable_rename already emitted log message */
3593  return false;
3594  }
3595 
3596  LWLockRelease(ControlFileLock);
3597 
3598  return true;
3599 }
3600 
3601 /*
3602  * Open a pre-existing logfile segment for writing.
3603  */
3604 int
3606 {
3607  char path[MAXPGPATH];
3608  int fd;
3609 
3610  XLogFilePath(path, tli, segno, wal_segment_size);
3611 
3612  fd = BasicOpenFile(path, O_RDWR | PG_BINARY | O_CLOEXEC |
3614  if (fd < 0)
3615  ereport(PANIC,
3617  errmsg("could not open file \"%s\": %m", path)));
3618 
3619  return fd;
3620 }
3621 
3622 /*
3623  * Close the current logfile segment for writing.
3624  */
3625 static void
3627 {
3628  Assert(openLogFile >= 0);
3629 
3630  /*
3631  * WAL segment files will not be re-read in normal operation, so we advise
3632  * the OS to release any cached pages. But do not do so if WAL archiving
3633  * or streaming is active, because archiver and walsender process could
3634  * use the cache to read the WAL segment.
3635  */
3636 #if defined(USE_POSIX_FADVISE) && defined(POSIX_FADV_DONTNEED)
3637  if (!XLogIsNeeded() && (io_direct_flags & IO_DIRECT_WAL) == 0)
3638  (void) posix_fadvise(openLogFile, 0, 0, POSIX_FADV_DONTNEED);
3639 #endif
3640 
3641  if (close(openLogFile) != 0)
3642  {
3643  char xlogfname[MAXFNAMELEN];
3644  int save_errno = errno;
3645 
3647  errno = save_errno;
3648  ereport(PANIC,
3650  errmsg("could not close file \"%s\": %m", xlogfname)));
3651  }
3652 
3653  openLogFile = -1;
3655 }
3656 
3657 /*
3658  * Preallocate log files beyond the specified log endpoint.
3659  *
3660  * XXX this is currently extremely conservative, since it forces only one
3661  * future log segment to exist, and even that only if we are 75% done with
3662  * the current one. This is only appropriate for very low-WAL-volume systems.
3663  * High-volume systems will be OK once they've built up a sufficient set of
3664  * recycled log segments, but the startup transient is likely to include
3665  * a lot of segment creations by foreground processes, which is not so good.
3666  *
3667  * XLogFileInitInternal() can ereport(ERROR). All known causes indicate big
3668  * trouble; for example, a full filesystem is one cause. The checkpoint WAL
3669  * and/or ControlFile updates already completed. If a RequestCheckpoint()
3670  * initiated the present checkpoint and an ERROR ends this function, the
3671  * command that called RequestCheckpoint() fails. That's not ideal, but it's
3672  * not worth contorting more functions to use caller-specified elevel values.
3673  * (With or without RequestCheckpoint(), an ERROR forestalls some inessential
3674  * reporting and resource reclamation.)
3675  */
3676 static void
3678 {
3679  XLogSegNo _logSegNo;
3680  int lf;
3681  bool added;
3682  char path[MAXPGPATH];
3683  uint64 offset;
3684 
3686  return; /* unlocked check says no */
3687 
3688  XLByteToPrevSeg(endptr, _logSegNo, wal_segment_size);
3689  offset = XLogSegmentOffset(endptr - 1, wal_segment_size);
3690  if (offset >= (uint32) (0.75 * wal_segment_size))
3691  {
3692  _logSegNo++;
3693  lf = XLogFileInitInternal(_logSegNo, tli, &added, path);
3694  if (lf >= 0)
3695  close(lf);
3696  if (added)
3698  }
3699 }
3700 
3701 /*
3702  * Throws an error if the given log segment has already been removed or
3703  * recycled. The caller should only pass a segment that it knows to have
3704  * existed while the server has been running, as this function always
3705  * succeeds if no WAL segments have been removed since startup.
3706  * 'tli' is only used in the error message.
3707  *
3708  * Note: this function guarantees to keep errno unchanged on return.
3709  * This supports callers that use this to possibly deliver a better
3710  * error message about a missing file, while still being able to throw
3711  * a normal file-access error afterwards, if this does return.
3712  */
3713 void
3715 {
3716  int save_errno = errno;
3717  XLogSegNo lastRemovedSegNo;
3718 
3720  lastRemovedSegNo = XLogCtl->lastRemovedSegNo;
3722 
3723  if (segno <= lastRemovedSegNo)
3724  {
3725  char filename[MAXFNAMELEN];
3726 
3727  XLogFileName(filename, tli, segno, wal_segment_size);
3728  errno = save_errno;
3729  ereport(ERROR,
3731  errmsg("requested WAL segment %s has already been removed",
3732  filename)));
3733  }
3734  errno = save_errno;
3735 }
3736 
3737 /*
3738  * Return the last WAL segment removed, or 0 if no segment has been removed
3739  * since startup.
3740  *
3741  * NB: the result can be out of date arbitrarily fast, the caller has to deal
3742  * with that.
3743  */
3744 XLogSegNo
3746 {
3747  XLogSegNo lastRemovedSegNo;
3748 
3750  lastRemovedSegNo = XLogCtl->lastRemovedSegNo;
3752 
3753  return lastRemovedSegNo;
3754 }
3755 
3756 /*
3757  * Return the oldest WAL segment on the given TLI that still exists in
3758  * XLOGDIR, or 0 if none.
3759  */
3760 XLogSegNo
3762 {
3763  DIR *xldir;
3764  struct dirent *xlde;
3765  XLogSegNo oldest_segno = 0;
3766 
3767  xldir = AllocateDir(XLOGDIR);
3768  while ((xlde = ReadDir(xldir, XLOGDIR)) != NULL)
3769  {
3770  TimeLineID file_tli;
3771  XLogSegNo file_segno;
3772 
3773  /* Ignore files that are not XLOG segments. */
3774  if (!IsXLogFileName(xlde->d_name))
3775  continue;
3776 
3777  /* Parse filename to get TLI and segno. */
3778  XLogFromFileName(xlde->d_name, &file_tli, &file_segno,
3780 
3781  /* Ignore anything that's not from the TLI of interest. */
3782  if (tli != file_tli)
3783  continue;
3784 
3785  /* If it's the oldest so far, update oldest_segno. */
3786  if (oldest_segno == 0 || file_segno < oldest_segno)
3787  oldest_segno = file_segno;
3788  }
3789 
3790  FreeDir(xldir);
3791  return oldest_segno;
3792 }
3793 
3794 /*
3795  * Update the last removed segno pointer in shared memory, to reflect that the
3796  * given XLOG file has been removed.
3797  */
3798 static void
3800 {
3801  uint32 tli;
3802  XLogSegNo segno;
3803 
3804  XLogFromFileName(filename, &tli, &segno, wal_segment_size);
3805 
3807  if (segno > XLogCtl->lastRemovedSegNo)
3808  XLogCtl->lastRemovedSegNo = segno;
3810 }
3811 
3812 /*
3813  * Remove all temporary log files in pg_wal
3814  *
3815  * This is called at the beginning of recovery after a previous crash,
3816  * at a point where no other processes write fresh WAL data.
3817  */
3818 static void
3820 {
3821  DIR *xldir;
3822  struct dirent *xlde;
3823 
3824  elog(DEBUG2, "removing all temporary WAL segments");
3825 
3826  xldir = AllocateDir(XLOGDIR);
3827  while ((xlde = ReadDir(xldir, XLOGDIR)) != NULL)
3828  {
3829  char path[MAXPGPATH];
3830 
3831  if (strncmp(xlde->d_name, "xlogtemp.", 9) != 0)
3832  continue;
3833 
3834  snprintf(path, MAXPGPATH, XLOGDIR "/%s", xlde->d_name);
3835  unlink(path);
3836  elog(DEBUG2, "removed temporary WAL segment \"%s\"", path);
3837  }
3838  FreeDir(xldir);
3839 }
3840 
3841 /*
3842  * Recycle or remove all log files older or equal to passed segno.
3843  *
3844  * endptr is current (or recent) end of xlog, and lastredoptr is the
3845  * redo pointer of the last checkpoint. These are used to determine
3846  * whether we want to recycle rather than delete no-longer-wanted log files.
3847  *
3848  * insertTLI is the current timeline for XLOG insertion. Any recycled
3849  * segments should be reused for this timeline.
3850  */
3851 static void
3853  TimeLineID insertTLI)
3854 {
3855  DIR *xldir;
3856  struct dirent *xlde;
3857  char lastoff[MAXFNAMELEN];
3858  XLogSegNo endlogSegNo;
3859  XLogSegNo recycleSegNo;
3860 
3861  /* Initialize info about where to try to recycle to */
3862  XLByteToSeg(endptr, endlogSegNo, wal_segment_size);
3863  recycleSegNo = XLOGfileslop(lastredoptr);
3864 
3865  /*
3866  * Construct a filename of the last segment to be kept. The timeline ID
3867  * doesn't matter, we ignore that in the comparison. (During recovery,
3868  * InsertTimeLineID isn't set, so we can't use that.)
3869  */
3870  XLogFileName(lastoff, 0, segno, wal_segment_size);
3871 
3872  elog(DEBUG2, "attempting to remove WAL segments older than log file %s",
3873  lastoff);
3874 
3875  xldir = AllocateDir(XLOGDIR);
3876 
3877  while ((xlde = ReadDir(xldir, XLOGDIR)) != NULL)
3878  {
3879  /* Ignore files that are not XLOG segments */
3880  if (!IsXLogFileName(xlde->d_name) &&
3881  !IsPartialXLogFileName(xlde->d_name))
3882  continue;
3883 
3884  /*
3885  * We ignore the timeline part of the XLOG segment identifiers in
3886  * deciding whether a segment is still needed. This ensures that we
3887  * won't prematurely remove a segment from a parent timeline. We could
3888  * probably be a little more proactive about removing segments of
3889  * non-parent timelines, but that would be a whole lot more
3890  * complicated.
3891  *
3892  * We use the alphanumeric sorting property of the filenames to decide
3893  * which ones are earlier than the lastoff segment.
3894  */
3895  if (strcmp(xlde->d_name + 8, lastoff + 8) <= 0)
3896  {
3897  if (XLogArchiveCheckDone(xlde->d_name))
3898  {
3899  /* Update the last removed location in shared memory first */
3901 
3902  RemoveXlogFile(xlde, recycleSegNo, &endlogSegNo, insertTLI);
3903  }
3904  }
3905  }
3906 
3907  FreeDir(xldir);
3908 }
3909 
3910 /*
3911  * Recycle or remove WAL files that are not part of the given timeline's
3912  * history.
3913  *
3914  * This is called during recovery, whenever we switch to follow a new
3915  * timeline, and at the end of recovery when we create a new timeline. We
3916  * wouldn't otherwise care about extra WAL files lying in pg_wal, but they
3917  * might be leftover pre-allocated or recycled WAL segments on the old timeline
3918  * that we haven't used yet, and contain garbage. If we just leave them in
3919  * pg_wal, they will eventually be archived, and we can't let that happen.
3920  * Files that belong to our timeline history are valid, because we have
3921  * successfully replayed them, but from others we can't be sure.
3922  *
3923  * 'switchpoint' is the current point in WAL where we switch to new timeline,
3924  * and 'newTLI' is the new timeline we switch to.
3925  */
3926 void
3928 {
3929  DIR *xldir;
3930  struct dirent *xlde;
3931  char switchseg[MAXFNAMELEN];
3932  XLogSegNo endLogSegNo;
3933  XLogSegNo switchLogSegNo;
3934  XLogSegNo recycleSegNo;
3935 
3936  /*
3937  * Initialize info about where to begin the work. This will recycle,
3938  * somewhat arbitrarily, 10 future segments.
3939  */
3940  XLByteToPrevSeg(switchpoint, switchLogSegNo, wal_segment_size);
3941  XLByteToSeg(switchpoint, endLogSegNo, wal_segment_size);
3942  recycleSegNo = endLogSegNo + 10;
3943 
3944  /*
3945  * Construct a filename of the last segment to be kept.
3946  */
3947  XLogFileName(switchseg, newTLI, switchLogSegNo, wal_segment_size);
3948 
3949  elog(DEBUG2, "attempting to remove WAL segments newer than log file %s",
3950  switchseg);
3951 
3952  xldir = AllocateDir(XLOGDIR);
3953 
3954  while ((xlde = ReadDir(xldir, XLOGDIR)) != NULL)
3955  {
3956  /* Ignore files that are not XLOG segments */
3957  if (!IsXLogFileName(xlde->d_name))
3958  continue;
3959 
3960  /*
3961  * Remove files that are on a timeline older than the new one we're
3962  * switching to, but with a segment number >= the first segment on the
3963  * new timeline.
3964  */
3965  if (strncmp(xlde->d_name, switchseg, 8) < 0 &&
3966  strcmp(xlde->d_name + 8, switchseg + 8) > 0)
3967  {
3968  /*
3969  * If the file has already been marked as .ready, however, don't
3970  * remove it yet. It should be OK to remove it - files that are
3971  * not part of our timeline history are not required for recovery
3972  * - but seems safer to let them be archived and removed later.
3973  */
3974  if (!XLogArchiveIsReady(xlde->d_name))
3975  RemoveXlogFile(xlde, recycleSegNo, &endLogSegNo, newTLI);
3976  }
3977  }
3978 
3979  FreeDir(xldir);
3980 }
3981 
3982 /*
3983  * Recycle or remove a log file that's no longer needed.
3984  *
3985  * segment_de is the dirent structure of the segment to recycle or remove.
3986  * recycleSegNo is the segment number to recycle up to. endlogSegNo is
3987  * the segment number of the current (or recent) end of WAL.
3988  *
3989  * endlogSegNo gets incremented if the segment is recycled so as it is not
3990  * checked again with future callers of this function.
3991  *
3992  * insertTLI is the current timeline for XLOG insertion. Any recycled segments
3993  * should be used for this timeline.
3994  */
3995 static void
3996 RemoveXlogFile(const struct dirent *segment_de,
3997  XLogSegNo recycleSegNo, XLogSegNo *endlogSegNo,
3998  TimeLineID insertTLI)
3999 {
4000  char path[MAXPGPATH];
4001 #ifdef WIN32
4002  char newpath[MAXPGPATH];
4003 #endif
4004  const char *segname = segment_de->d_name;
4005 
4006  snprintf(path, MAXPGPATH, XLOGDIR "/%s", segname);
4007 
4008  /*
4009  * Before deleting the file, see if it can be recycled as a future log
4010  * segment. Only recycle normal files, because we don't want to recycle
4011  * symbolic links pointing to a separate archive directory.
4012  */
4013  if (wal_recycle &&
4014  *endlogSegNo <= recycleSegNo &&
4015  XLogCtl->InstallXLogFileSegmentActive && /* callee rechecks this */
4016  get_dirent_type(path, segment_de, false, DEBUG2) == PGFILETYPE_REG &&
4017  InstallXLogFileSegment(endlogSegNo, path,
4018  true, recycleSegNo, insertTLI))
4019  {
4020  ereport(DEBUG2,
4021  (errmsg_internal("recycled write-ahead log file \"%s\"",
4022  segname)));
4024  /* Needn't recheck that slot on future iterations */
4025  (*endlogSegNo)++;
4026  }
4027  else
4028  {
4029  /* No need for any more future segments, or recycling failed ... */
4030  int rc;
4031 
4032  ereport(DEBUG2,
4033  (errmsg_internal("removing write-ahead log file \"%s\"",
4034  segname)));
4035 
4036 #ifdef WIN32
4037 
4038  /*
4039  * On Windows, if another process (e.g another backend) holds the file
4040  * open in FILE_SHARE_DELETE mode, unlink will succeed, but the file
4041  * will still show up in directory listing until the last handle is
4042  * closed. To avoid confusing the lingering deleted file for a live
4043  * WAL file that needs to be archived, rename it before deleting it.
4044  *
4045  * If another process holds the file open without FILE_SHARE_DELETE
4046  * flag, rename will fail. We'll try again at the next checkpoint.
4047  */
4048  snprintf(newpath, MAXPGPATH, "%s.deleted", path);
4049  if (rename(path, newpath) != 0)
4050  {
4051  ereport(LOG,
4053  errmsg("could not rename file \"%s\": %m",
4054  path)));
4055  return;
4056  }
4057  rc = durable_unlink(newpath, LOG);
4058 #else
4059  rc = durable_unlink(path, LOG);
4060 #endif
4061  if (rc != 0)
4062  {
4063  /* Message already logged by durable_unlink() */
4064  return;
4065  }
4067  }
4068 
4069  XLogArchiveCleanup(segname);
4070 }
4071 
4072 /*
4073  * Verify whether pg_wal, pg_wal/archive_status, and pg_wal/summaries exist.
4074  * If the latter do not exist, recreate them.
4075  *
4076  * It is not the goal of this function to verify the contents of these
4077  * directories, but to help in cases where someone has performed a cluster
4078  * copy for PITR purposes but omitted pg_wal from the copy.
4079  *
4080  * We could also recreate pg_wal if it doesn't exist, but a deliberate
4081  * policy decision was made not to. It is fairly common for pg_wal to be
4082  * a symlink, and if that was the DBA's intent then automatically making a
4083  * plain directory would result in degraded performance with no notice.
4084  */
4085 static void
4087 {
4088  char path[MAXPGPATH];
4089  struct stat stat_buf;
4090 
4091  /* Check for pg_wal; if it doesn't exist, error out */
4092  if (stat(XLOGDIR, &stat_buf) != 0 ||
4093  !S_ISDIR(stat_buf.st_mode))
4094  ereport(FATAL,
4096  errmsg("required WAL directory \"%s\" does not exist",
4097  XLOGDIR)));
4098 
4099  /* Check for archive_status */
4100  snprintf(path, MAXPGPATH, XLOGDIR "/archive_status");
4101  if (stat(path, &stat_buf) == 0)
4102  {
4103  /* Check for weird cases where it exists but isn't a directory */
4104  if (!S_ISDIR(stat_buf.st_mode))
4105  ereport(FATAL,
4107  errmsg("required WAL directory \"%s\" does not exist",
4108  path)));
4109  }
4110  else
4111  {
4112  ereport(LOG,
4113  (errmsg("creating missing WAL directory \"%s\"", path)));
4114  if (MakePGDirectory(path) < 0)
4115  ereport(FATAL,
4117  errmsg("could not create missing directory \"%s\": %m",
4118  path)));
4119  }
4120 
4121  /* Check for summaries */
4122  snprintf(path, MAXPGPATH, XLOGDIR "/summaries");
4123  if (stat(path, &stat_buf) == 0)
4124  {
4125  /* Check for weird cases where it exists but isn't a directory */
4126  if (!S_ISDIR(stat_buf.st_mode))
4127  ereport(FATAL,
4128  (errmsg("required WAL directory \"%s\" does not exist",
4129  path)));
4130  }
4131  else
4132  {
4133  ereport(LOG,
4134  (errmsg("creating missing WAL directory \"%s\"", path)));
4135  if (MakePGDirectory(path) < 0)
4136  ereport(FATAL,
4137  (errmsg("could not create missing directory \"%s\": %m",
4138  path)));
4139  }
4140 }
4141 
4142 /*
4143  * Remove previous backup history files. This also retries creation of
4144  * .ready files for any backup history files for which XLogArchiveNotify
4145  * failed earlier.
4146  */
4147 static void
4149 {
4150  DIR *xldir;
4151  struct dirent *xlde;
4152  char path[MAXPGPATH + sizeof(XLOGDIR)];
4153 
4154  xldir = AllocateDir(XLOGDIR);
4155 
4156  while ((xlde = ReadDir(xldir, XLOGDIR)) != NULL)
4157  {
4158  if (IsBackupHistoryFileName(xlde->d_name))
4159  {
4160  if (XLogArchiveCheckDone(xlde->d_name))
4161  {
4162  elog(DEBUG2, "removing WAL backup history file \"%s\"",
4163  xlde->d_name);
4164  snprintf(path, sizeof(path), XLOGDIR "/%s", xlde->d_name);
4165  unlink(path);
4166  XLogArchiveCleanup(xlde->d_name);
4167  }
4168  }
4169  }
4170 
4171  FreeDir(xldir);
4172 }
4173 
4174 /*
4175  * I/O routines for pg_control
4176  *
4177  * *ControlFile is a buffer in shared memory that holds an image of the
4178  * contents of pg_control. WriteControlFile() initializes pg_control
4179  * given a preloaded buffer, ReadControlFile() loads the buffer from
4180  * the pg_control file (during postmaster or standalone-backend startup),
4181  * and UpdateControlFile() rewrites pg_control after we modify xlog state.
4182  * InitControlFile() fills the buffer with initial values.
4183  *
4184  * For simplicity, WriteControlFile() initializes the fields of pg_control
4185  * that are related to checking backend/database compatibility, and
4186  * ReadControlFile() verifies they are correct. We could split out the
4187  * I/O and compatibility-check functions, but there seems no need currently.
4188  */
4189 
4190 static void
4191 InitControlFile(uint64 sysidentifier, uint32 data_checksum_version)
4192 {
4193  char mock_auth_nonce[MOCK_AUTH_NONCE_LEN];
4194 
4195  /*
4196  * Generate a random nonce. This is used for authentication requests that
4197  * will fail because the user does not exist. The nonce is used to create
4198  * a genuine-looking password challenge for the non-existent user, in lieu
4199  * of an actual stored password.
4200  */
4201  if (!pg_strong_random(mock_auth_nonce, MOCK_AUTH_NONCE_LEN))
4202  ereport(PANIC,
4203  (errcode(ERRCODE_INTERNAL_ERROR),
4204  errmsg("could not generate secret authorization token")));
4205 
4206  memset(ControlFile, 0, sizeof(ControlFileData));
4207  /* Initialize pg_control status fields */
4208  ControlFile->system_identifier = sysidentifier;
4209  memcpy(ControlFile->mock_authentication_nonce, mock_auth_nonce, MOCK_AUTH_NONCE_LEN);
4212 
4213  /* Set important parameter values for use when replaying WAL */
4222  ControlFile->data_checksum_version = data_checksum_version;
4223 }
4224 
4225 static void
4227 {
4228  int fd;
4229  char buffer[PG_CONTROL_FILE_SIZE]; /* need not be aligned */
4230 
4231  /*
4232  * Initialize version and compatibility-check fields
4233  */
4236 
4237  ControlFile->maxAlign = MAXIMUM_ALIGNOF;
4239 
4240  ControlFile->blcksz = BLCKSZ;
4241  ControlFile->relseg_size = RELSEG_SIZE;
4242  ControlFile->xlog_blcksz = XLOG_BLCKSZ;
4244 
4247 
4250 
4252 
4253  /* Contents are protected with a CRC */
4256  (char *) ControlFile,
4257  offsetof(ControlFileData, crc));
4259 
4260  /*
4261  * We write out PG_CONTROL_FILE_SIZE bytes into pg_control, zero-padding
4262  * the excess over sizeof(ControlFileData). This reduces the odds of
4263  * premature-EOF errors when reading pg_control. We'll still fail when we
4264  * check the contents of the file, but hopefully with a more specific
4265  * error than "couldn't read pg_control".
4266  */
4267  memset(buffer, 0, PG_CONTROL_FILE_SIZE);
4268  memcpy(buffer, ControlFile, sizeof(ControlFileData));
4269 
4271  O_RDWR | O_CREAT | O_EXCL | PG_BINARY);
4272  if (fd < 0)
4273  ereport(PANIC,
4275  errmsg("could not create file \"%s\": %m",
4276  XLOG_CONTROL_FILE)));
4277 
4278  errno = 0;
4279  pgstat_report_wait_start(WAIT_EVENT_CONTROL_FILE_WRITE);
4281  {
4282  /* if write didn't set errno, assume problem is no disk space */
4283  if (errno == 0)
4284  errno = ENOSPC;
4285  ereport(PANIC,
4287  errmsg("could not write to file \"%s\": %m",
4288  XLOG_CONTROL_FILE)));
4289  }
4291 
4292  pgstat_report_wait_start(WAIT_EVENT_CONTROL_FILE_SYNC);
4293  if (pg_fsync(fd) != 0)
4294  ereport(PANIC,
4296  errmsg("could not fsync file \"%s\": %m",
4297  XLOG_CONTROL_FILE)));
4299 
4300  if (close(fd) != 0)
4301  ereport(PANIC,
4303  errmsg("could not close file \"%s\": %m",
4304  XLOG_CONTROL_FILE)));
4305 }
4306 
4307 static void
4309 {
4310  pg_crc32c crc;
4311  int fd;
4312  static char wal_segsz_str[20];
4313  int r;
4314 
4315  /*
4316  * Read data...
4317  */
4319  O_RDWR | PG_BINARY);
4320  if (fd < 0)
4321  ereport(PANIC,
4323  errmsg("could not open file \"%s\": %m",
4324  XLOG_CONTROL_FILE)));
4325 
4326  pgstat_report_wait_start(WAIT_EVENT_CONTROL_FILE_READ);
4327  r = read(fd, ControlFile, sizeof(ControlFileData));
4328  if (r != sizeof(ControlFileData))
4329  {
4330  if (r < 0)
4331  ereport(PANIC,
4333  errmsg("could not read file \"%s\": %m",
4334  XLOG_CONTROL_FILE)));
4335  else
4336  ereport(PANIC,
4338  errmsg("could not read file \"%s\": read %d of %zu",
4339  XLOG_CONTROL_FILE, r, sizeof(ControlFileData))));
4340  }
4342 
4343  close(fd);
4344 
4345  /*
4346  * Check for expected pg_control format version. If this is wrong, the
4347  * CRC check will likely fail because we'll be checking the wrong number
4348  * of bytes. Complaining about wrong version will probably be more
4349  * enlightening than complaining about wrong CRC.
4350  */
4351 
4353  ereport(FATAL,
4354  (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
4355  errmsg("database files are incompatible with server"),
4356  errdetail("The database cluster was initialized with PG_CONTROL_VERSION %d (0x%08x),"
4357  " but the server was compiled with PG_CONTROL_VERSION %d (0x%08x).",
4360  errhint("This could be a problem of mismatched byte ordering. It looks like you need to initdb.")));
4361 
4363  ereport(FATAL,
4364  (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
4365  errmsg("database files are incompatible with server"),
4366  errdetail("The database cluster was initialized with PG_CONTROL_VERSION %d,"
4367  " but the server was compiled with PG_CONTROL_VERSION %d.",
4369  errhint("It looks like you need to initdb.")));
4370 
4371  /* Now check the CRC. */
4372  INIT_CRC32C(crc);
4373  COMP_CRC32C(crc,
4374  (char *) ControlFile,
4375  offsetof(ControlFileData, crc));
4376  FIN_CRC32C(crc);
4377 
4378  if (!EQ_CRC32C(crc, ControlFile->crc))
4379  ereport(FATAL,
4380  (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
4381  errmsg("incorrect checksum in control file")));
4382 
4383  /*
4384  * Do compatibility checking immediately. If the database isn't
4385  * compatible with the backend executable, we want to abort before we can
4386  * possibly do any damage.
4387  */
4389  ereport(FATAL,
4390  (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
4391  errmsg("database files are incompatible with server"),
4392  errdetail("The database cluster was initialized with CATALOG_VERSION_NO %d,"
4393  " but the server was compiled with CATALOG_VERSION_NO %d.",
4395  errhint("It looks like you need to initdb.")));
4396  if (ControlFile->maxAlign != MAXIMUM_ALIGNOF)
4397  ereport(FATAL,
4398  (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
4399  errmsg("database files are incompatible with server"),
4400  errdetail("The database cluster was initialized with MAXALIGN %d,"
4401  " but the server was compiled with MAXALIGN %d.",
4402  ControlFile->maxAlign, MAXIMUM_ALIGNOF),
4403  errhint("It looks like you need to initdb.")));
4405  ereport(FATAL,
4406  (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
4407  errmsg("database files are incompatible with server"),
4408  errdetail("The database cluster appears to use a different floating-point number format than the server executable."),
4409  errhint("It looks like you need to initdb.")));
4410  if (ControlFile->blcksz != BLCKSZ)
4411  ereport(FATAL,
4412  (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
4413  errmsg("database files are incompatible with server"),
4414  errdetail("The database cluster was initialized with BLCKSZ %d,"
4415  " but the server was compiled with BLCKSZ %d.",
4416  ControlFile->blcksz, BLCKSZ),
4417  errhint("It looks like you need to recompile or initdb.")));
4418  if (ControlFile->relseg_size != RELSEG_SIZE)
4419  ereport(FATAL,
4420  (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
4421  errmsg("database files are incompatible with server"),
4422  errdetail("The database cluster was initialized with RELSEG_SIZE %d,"
4423  " but the server was compiled with RELSEG_SIZE %d.",
4424  ControlFile->relseg_size, RELSEG_SIZE),
4425  errhint("It looks like you need to recompile or initdb.")));
4426  if (ControlFile->xlog_blcksz != XLOG_BLCKSZ)
4427  ereport(FATAL,
4428  (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
4429  errmsg("database files are incompatible with server"),
4430  errdetail("The database cluster was initialized with XLOG_BLCKSZ %d,"
4431  " but the server was compiled with XLOG_BLCKSZ %d.",
4432  ControlFile->xlog_blcksz, XLOG_BLCKSZ),
4433  errhint("It looks like you need to recompile or initdb.")));
4435  ereport(FATAL,
4436  (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
4437  errmsg("database files are incompatible with server"),
4438  errdetail("The database cluster was initialized with NAMEDATALEN %d,"
4439  " but the server was compiled with NAMEDATALEN %d.",
4441  errhint("It looks like you need to recompile or initdb.")));
4443  ereport(FATAL,
4444  (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
4445  errmsg("database files are incompatible with server"),
4446  errdetail("The database cluster was initialized with INDEX_MAX_KEYS %d,"
4447  " but the server was compiled with INDEX_MAX_KEYS %d.",
4449  errhint("It looks like you need to recompile or initdb.")));
4451  ereport(FATAL,
4452  (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
4453  errmsg("database files are incompatible with server"),
4454  errdetail("The database cluster was initialized with TOAST_MAX_CHUNK_SIZE %d,"
4455  " but the server was compiled with TOAST_MAX_CHUNK_SIZE %d.",
4457  errhint("It looks like you need to recompile or initdb.")));
4459  ereport(FATAL,
4460  (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
4461  errmsg("database files are incompatible with server"),
4462  errdetail("The database cluster was initialized with LOBLKSIZE %d,"
4463  " but the server was compiled with LOBLKSIZE %d.",
4464  ControlFile->loblksize, (int) LOBLKSIZE),
4465  errhint("It looks like you need to recompile or initdb.")));
4466 
4467 #ifdef USE_FLOAT8_BYVAL
4468  if (ControlFile->float8ByVal != true)
4469  ereport(FATAL,
4470  (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
4471  errmsg("database files are incompatible with server"),
4472  errdetail("The database cluster was initialized without USE_FLOAT8_BYVAL"
4473  " but the server was compiled with USE_FLOAT8_BYVAL."),
4474  errhint("It looks like you need to recompile or initdb.")));
4475 #else
4476  if (ControlFile->float8ByVal != false)
4477  ereport(FATAL,
4478  (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
4479  errmsg("database files are incompatible with server"),
4480  errdetail("The database cluster was initialized with USE_FLOAT8_BYVAL"
4481  " but the server was compiled without USE_FLOAT8_BYVAL."),
4482  errhint("It looks like you need to recompile or initdb.")));
4483 #endif
4484 
4486 
4488  ereport(ERROR, (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
4489  errmsg_plural("invalid WAL segment size in control file (%d byte)",
4490  "invalid WAL segment size in control file (%d bytes)",
4493  errdetail("The WAL segment size must be a power of two between 1 MB and 1 GB.")));
4494 
4495  snprintf(wal_segsz_str, sizeof(wal_segsz_str), "%d", wal_segment_size);
4496  SetConfigOption("wal_segment_size", wal_segsz_str, PGC_INTERNAL,
4498 
4499  /* check and update variables dependent on wal_segment_size */
4501  ereport(ERROR, (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
4502  errmsg("\"min_wal_size\" must be at least twice \"wal_segment_size\"")));
4503 
4505  ereport(ERROR, (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
4506  errmsg("\"max_wal_size\" must be at least twice \"wal_segment_size\"")));
4507 
4509  (wal_segment_size / XLOG_BLCKSZ * UsableBytesInPage) -
4511 
4513 
4514  /* Make the initdb settings visible as GUC variables, too */
4515  SetConfigOption("data_checksums", DataChecksumsEnabled() ? "yes" : "no",
4517 }
4518 
4519 /*
4520  * Utility wrapper to update the control file. Note that the control
4521  * file gets flushed.
4522  */
4523 static void
4525 {
4527 }
4528 
4529 /*
4530  * Returns the unique system identifier from control file.
4531  */
4532 uint64
4534 {
4535  Assert(ControlFile != NULL);
4537 }
4538 
4539 /*
4540  * Returns the random nonce from control file.
4541  */
4542 char *
4544 {
4545  Assert(ControlFile != NULL);
4547 }
4548 
4549 /*
4550  * Are checksums enabled for data pages?
4551  */
4552 bool
4554 {
4555  Assert(ControlFile != NULL);
4556  return (ControlFile->data_checksum_version > 0);
4557 }
4558 
4559 /*
4560  * Returns a fake LSN for unlogged relations.
4561  *
4562  * Each call generates an LSN that is greater than any previous value
4563  * returned. The current counter value is saved and restored across clean
4564  * shutdowns, but like unlogged relations, does not survive a crash. This can
4565  * be used in lieu of real LSN values returned by XLogInsert, if you need an
4566  * LSN-like increasing sequence of numbers without writing any WAL.
4567  */
4568 XLogRecPtr
4570 {
4572 }
4573 
4574 /*
4575  * Auto-tune the number of XLOG buffers.
4576  *
4577  * The preferred setting for wal_buffers is about 3% of shared_buffers, with
4578  * a maximum of one XLOG segment (there is little reason to think that more
4579  * is helpful, at least so long as we force an fsync when switching log files)
4580  * and a minimum of 8 blocks (which was the default value prior to PostgreSQL
4581  * 9.1, when auto-tuning was added).
4582  *
4583  * This should not be called until NBuffers has received its final value.
4584  */
4585 static int
4587 {
4588  int xbuffers;
4589 
4590  xbuffers = NBuffers / 32;
4591  if (xbuffers > (wal_segment_size / XLOG_BLCKSZ))
4592  xbuffers = (wal_segment_size / XLOG_BLCKSZ);
4593  if (xbuffers < 8)
4594  xbuffers = 8;
4595  return xbuffers;
4596 }
4597 
4598 /*
4599  * GUC check_hook for wal_buffers
4600  */
4601 bool
4603 {
4604  /*
4605  * -1 indicates a request for auto-tune.
4606  */
4607  if (*newval == -1)
4608  {
4609  /*
4610  * If we haven't yet changed the boot_val default of -1, just let it
4611  * be. We'll fix it when XLOGShmemSize is called.
4612  */
4613  if (XLOGbuffers == -1)
4614  return true;
4615 
4616  /* Otherwise, substitute the auto-tune value */
4618  }
4619 
4620  /*
4621  * We clamp manually-set values to at least 4 blocks. Prior to PostgreSQL
4622  * 9.1, a minimum of 4 was enforced by guc.c, but since that is no longer
4623  * the case, we just silently treat such values as a request for the
4624  * minimum. (We could throw an error instead, but that doesn't seem very
4625  * helpful.)
4626  */
4627  if (*newval < 4)
4628  *newval = 4;
4629 
4630  return true;
4631 }
4632 
4633 /*
4634  * GUC check_hook for wal_consistency_checking
4635  */
4636 bool
4638 {
4639  char *rawstring;
4640  List *elemlist;
4641  ListCell *l;
4642  bool newwalconsistency[RM_MAX_ID + 1];
4643 
4644  /* Initialize the array */
4645  MemSet(newwalconsistency, 0, (RM_MAX_ID + 1) * sizeof(bool));
4646 
4647  /* Need a modifiable copy of string */
4648  rawstring = pstrdup(*newval);
4649 
4650  /* Parse string into list of identifiers */
4651  if (!SplitIdentifierString(rawstring, ',', &elemlist))
4652  {
4653  /* syntax error in list */
4654  GUC_check_errdetail("List syntax is invalid.");
4655  pfree(rawstring);
4656  list_free(elemlist);
4657  return false;
4658  }
4659 
4660  foreach(l, elemlist)
4661  {
4662  char *tok = (char *) lfirst(l);
4663  int rmid;
4664 
4665  /* Check for 'all'. */
4666  if (pg_strcasecmp(tok, "all") == 0)
4667  {
4668  for (rmid = 0; rmid <= RM_MAX_ID; rmid++)
4669  if (RmgrIdExists(rmid) && GetRmgr(rmid).rm_mask != NULL)
4670  newwalconsistency[rmid] = true;
4671  }
4672  else
4673  {
4674  /* Check if the token matches any known resource manager. */
4675  bool found = false;
4676 
4677  for (rmid = 0; rmid <= RM_MAX_ID; rmid++)
4678  {
4679  if (RmgrIdExists(rmid) && GetRmgr(rmid).rm_mask != NULL &&
4680  pg_strcasecmp(tok, GetRmgr(rmid).rm_name) == 0)
4681  {
4682  newwalconsistency[rmid] = true;
4683  found = true;
4684  break;
4685  }
4686  }
4687  if (!found)
4688  {
4689  /*
4690  * During startup, it might be a not-yet-loaded custom
4691  * resource manager. Defer checking until
4692  * InitializeWalConsistencyChecking().
4693  */
4695  {
4697  }
4698  else
4699  {
4700  GUC_check_errdetail("Unrecognized key word: \"%s\".", tok);
4701  pfree(rawstring);
4702  list_free(elemlist);
4703  return false;
4704  }
4705  }
4706  }
4707  }
4708 
4709  pfree(rawstring);
4710  list_free(elemlist);
4711 
4712  /* assign new value */
4713  *extra = guc_malloc(ERROR, (RM_MAX_ID + 1) * sizeof(bool));
4714  memcpy(*extra, newwalconsistency, (RM_MAX_ID + 1) * sizeof(bool));
4715  return true;
4716 }
4717 
4718 /*
4719  * GUC assign_hook for wal_consistency_checking
4720  */
4721 void
4722 assign_wal_consistency_checking(const char *newval, void *extra)
4723 {
4724  /*
4725  * If some checks were deferred, it's possible that the checks will fail
4726  * later during InitializeWalConsistencyChecking(). But in that case, the
4727  * postmaster will exit anyway, so it's safe to proceed with the
4728  * assignment.
4729  *
4730  * Any built-in resource managers specified are assigned immediately,
4731  * which affects WAL created before shared_preload_libraries are
4732  * processed. Any custom resource managers specified won't be assigned
4733  * until after shared_preload_libraries are processed, but that's OK
4734  * because WAL for a custom resource manager can't be written before the
4735  * module is loaded anyway.
4736  */
4737  wal_consistency_checking = extra;
4738 }
4739 
4740 /*
4741  * InitializeWalConsistencyChecking: run after loading custom resource managers
4742  *
4743  * If any unknown resource managers were specified in the
4744  * wal_consistency_checking GUC, processing was deferred. Now that
4745  * shared_preload_libraries have been loaded, process wal_consistency_checking
4746  * again.
4747  */
4748 void
4750 {
4752 
4754  {
4755  struct config_generic *guc;
4756 
4757  guc = find_option("wal_consistency_checking", false, false, ERROR);
4758 
4760 
4761  set_config_option_ext("wal_consistency_checking",
4763  guc->scontext, guc->source, guc->srole,
4764  GUC_ACTION_SET, true, ERROR, false);
4765 
4766  /* checking should not be deferred again */
4768  }
4769 }
4770 
4771 /*
4772  * GUC show_hook for archive_command
4773  */
4774 const char *
4776 {
4777  if (XLogArchivingActive())
4778  return XLogArchiveCommand;
4779  else
4780  return "(disabled)";
4781 }
4782 
4783 /*
4784  * GUC show_hook for in_hot_standby
4785  */
4786 const char *
4788 {
4789  /*
4790  * We display the actual state based on shared memory, so that this GUC
4791  * reports up-to-date state if examined intra-query. The underlying
4792  * variable (in_hot_standby_guc) changes only when we transmit a new value
4793  * to the client.
4794  */
4795  return RecoveryInProgress() ? "on" : "off";
4796 }
4797 
4798 /*
4799  * Read the control file, set respective GUCs.
4800  *
4801  * This is to be called during startup, including a crash recovery cycle,
4802  * unless in bootstrap mode, where no control file yet exists. As there's no
4803  * usable shared memory yet (its sizing can depend on the contents of the
4804  * control file!), first store the contents in local memory. XLOGShmemInit()
4805  * will then copy it to shared memory later.
4806  *
4807  * reset just controls whether previous contents are to be expected (in the
4808  * reset case, there's a dangling pointer into old shared memory), or not.
4809  */
4810 void
4812 {
4813  Assert(reset || ControlFile == NULL);
4814  ControlFile = palloc(sizeof(ControlFileData));
4815  ReadControlFile();
4816 }
4817 
4818 /*
4819  * Get the wal_level from the control file. For a standby, this value should be
4820  * considered as its active wal_level, because it may be different from what
4821  * was originally configured on standby.
4822  */
4823 WalLevel
4825 {
4826  return ControlFile->wal_level;
4827 }
4828 
4829 /*
4830  * Initialization of shared memory for XLOG
4831  */
4832 Size
4834 {
4835  Size size;
4836 
4837  /*
4838  * If the value of wal_buffers is -1, use the preferred auto-tune value.
4839  * This isn't an amazingly clean place to do this, but we must wait till
4840  * NBuffers has received its final value, and must do it before using the
4841  * value of XLOGbuffers to do anything important.
4842  *
4843  * We prefer to report this value's source as PGC_S_DYNAMIC_DEFAULT.
4844  * However, if the DBA explicitly set wal_buffers = -1 in the config file,
4845  * then PGC_S_DYNAMIC_DEFAULT will fail to override that and we must force
4846  * the matter with PGC_S_OVERRIDE.
4847  */
4848  if (XLOGbuffers == -1)
4849  {
4850  char buf[32];
4851 
4852  snprintf(buf, sizeof(buf), "%d", XLOGChooseNumBuffers());
4853  SetConfigOption("wal_buffers", buf, PGC_POSTMASTER,
4855  if (XLOGbuffers == -1) /* failed to apply it? */
4856  SetConfigOption("wal_buffers", buf, PGC_POSTMASTER,
4857  PGC_S_OVERRIDE);
4858  }
4859  Assert(XLOGbuffers > 0);
4860 
4861  /* XLogCtl */
4862  size = sizeof(XLogCtlData);
4863 
4864  /* WAL insertion locks, plus alignment */
4866  /* xlblocks array */
4868  /* extra alignment padding for XLOG I/O buffers */
4869  size = add_size(size, Max(XLOG_BLCKSZ, PG_IO_ALIGN_SIZE));
4870  /* and the buffers themselves */
4871  size = add_size(size, mul_size(XLOG_BLCKSZ, XLOGbuffers));
4872 
4873  /*
4874  * Note: we don't count ControlFileData, it comes out of the "slop factor"
4875  * added by CreateSharedMemoryAndSemaphores. This lets us use this
4876  * routine again below to compute the actual allocation size.
4877  */
4878 
4879  return size;
4880 }
4881 
4882 void
4884 {
4885  bool foundCFile,
4886  foundXLog;
4887  char *allocptr;
4888  int i;
4889  ControlFileData *localControlFile;
4890 
4891 #ifdef WAL_DEBUG
4892 
4893  /*
4894  * Create a memory context for WAL debugging that's exempt from the normal
4895  * "no pallocs in critical section" rule. Yes, that can lead to a PANIC if
4896  * an allocation fails, but wal_debug is not for production use anyway.
4897  */
4898  if (walDebugCxt == NULL)
4899  {
4901  "WAL Debug",
4903  MemoryContextAllowInCriticalSection(walDebugCxt, true);
4904  }
4905 #endif
4906 
4907 
4908  XLogCtl = (XLogCtlData *)
4909  ShmemInitStruct("XLOG Ctl", XLOGShmemSize(), &foundXLog);
4910 
4911  localControlFile = ControlFile;
4913  ShmemInitStruct("Control File", sizeof(ControlFileData), &foundCFile);
4914 
4915  if (foundCFile || foundXLog)
4916  {
4917  /* both should be present or neither */
4918  Assert(foundCFile && foundXLog);
4919 
4920  /* Initialize local copy of WALInsertLocks */
4922 
4923  if (localControlFile)
4924  pfree(localControlFile);
4925  return;
4926  }
4927  memset(XLogCtl, 0, sizeof(XLogCtlData));
4928 
4929  /*
4930  * Already have read control file locally, unless in bootstrap mode. Move
4931  * contents into shared memory.
4932  */
4933  if (localControlFile)
4934  {
4935  memcpy(ControlFile, localControlFile, sizeof(ControlFileData));
4936  pfree(localControlFile);
4937  }
4938 
4939  /*
4940  * Since XLogCtlData contains XLogRecPtr fields, its sizeof should be a
4941  * multiple of the alignment for same, so no extra alignment padding is
4942  * needed here.
4943  */
4944  allocptr = ((char *) XLogCtl) + sizeof(XLogCtlData);
4945  XLogCtl->xlblocks = (pg_atomic_uint64 *) allocptr;
4946  allocptr += sizeof(pg_atomic_uint64) * XLOGbuffers;
4947 
4948  for (i = 0; i < XLOGbuffers; i++)
4949  {
4951  }
4952 
4953  /* WAL insertion locks. Ensure they're aligned to the full padded size */
4954  allocptr += sizeof(WALInsertLockPadded) -
4955  ((uintptr_t) allocptr) % sizeof(WALInsertLockPadded);
4957  (WALInsertLockPadded *) allocptr;
4958  allocptr += sizeof(WALInsertLockPadded) * NUM_XLOGINSERT_LOCKS;
4959 
4960  for (i = 0; i < NUM_XLOGINSERT_LOCKS; i++)
4961  {
4965  }
4966 
4967  /*
4968  * Align the start of the page buffers to a full xlog block size boundary.
4969  * This simplifies some calculations in XLOG insertion. It is also
4970  * required for O_DIRECT.
4971  */
4972  allocptr = (char *) TYPEALIGN(XLOG_BLCKSZ, allocptr);
4973  XLogCtl->pages = allocptr;
4974  memset(XLogCtl->pages, 0, (Size) XLOG_BLCKSZ * XLOGbuffers);
4975 
4976  /*
4977  * Do basic initialization of XLogCtl shared data. (StartupXLOG will fill
4978  * in additional info.)
4979  */
4983  XLogCtl->WalWriterSleeping = false;
4984 
4991 }
4992 
4993 /*
4994  * This func must be called ONCE on system install. It creates pg_control
4995  * and the initial XLOG segment.
4996  */
4997 void
4998 BootStrapXLOG(uint32 data_checksum_version)
4999 {
5000  CheckPoint checkPoint;
5001  char *buffer;
5002  XLogPageHeader page;
5003  XLogLongPageHeader longpage;
5004  XLogRecord *record;
5005  char *recptr;
5006  uint64 sysidentifier;
5007  struct timeval tv;
5008  pg_crc32c crc;
5009 
5010  /* allow ordinary WAL segment creation, like StartupXLOG() would */
5012 
5013  /*
5014  * Select a hopefully-unique system identifier code for this installation.
5015  * We use the result of gettimeofday(), including the fractional seconds
5016  * field, as being about as unique as we can easily get. (Think not to
5017  * use random(), since it hasn't been seeded and there's no portable way
5018  * to seed it other than the system clock value...) The upper half of the
5019  * uint64 value is just the tv_sec part, while the lower half contains the
5020  * tv_usec part (which must fit in 20 bits), plus 12 bits from our current
5021  * PID for a little extra uniqueness. A person knowing this encoding can
5022  * determine the initialization time of the installation, which could
5023  * perhaps be useful sometimes.
5024  */
5025  gettimeofday(&tv, NULL);
5026  sysidentifier = ((uint64) tv.tv_sec) << 32;
5027  sysidentifier |= ((uint64) tv.tv_usec) << 12;
5028  sysidentifier |= getpid() & 0xFFF;
5029 
5030  /* page buffer must be aligned suitably for O_DIRECT */
5031  buffer = (char *) palloc(XLOG_BLCKSZ + XLOG_BLCKSZ);
5032  page = (XLogPageHeader) TYPEALIGN(XLOG_BLCKSZ, buffer);
5033  memset(page, 0, XLOG_BLCKSZ);
5034 
5035  /*
5036  * Set up information for the initial checkpoint record
5037  *
5038  * The initial checkpoint record is written to the beginning of the WAL
5039  * segment with logid=0 logseg=1. The very first WAL segment, 0/0, is not
5040  * used, so that we can use 0/0 to mean "before any valid WAL segment".
5041  */
5042  checkPoint.redo = wal_segment_size + SizeOfXLogLongPHD;
5043  checkPoint.ThisTimeLineID = BootstrapTimeLineID;
5044  checkPoint.PrevTimeLineID = BootstrapTimeLineID;
5045  checkPoint.fullPageWrites = fullPageWrites;
5046  checkPoint.wal_level = wal_level;
5047  checkPoint.nextXid =
5049  checkPoint.nextOid = FirstGenbkiObjectId;
5050  checkPoint.nextMulti = FirstMultiXactId;
5051  checkPoint.nextMultiOffset = 0;
5052  checkPoint.oldestXid = FirstNormalTransactionId;
5053  checkPoint.oldestXidDB = Template1DbOid;
5054  checkPoint.oldestMulti = FirstMultiXactId;
5055  checkPoint.oldestMultiDB = Template1DbOid;
5058  checkPoint.time = (pg_time_t) time(NULL);
5060 
5061  TransamVariables->nextXid = checkPoint.nextXid;
5062  TransamVariables->nextOid = checkPoint.nextOid;
5064  MultiXactSetNextMXact(checkPoint.nextMulti, checkPoint.nextMultiOffset);
5065  AdvanceOldestClogXid(checkPoint.oldestXid);
5066  SetTransactionIdLimit(checkPoint.oldestXid, checkPoint.oldestXidDB);
5067  SetMultiXactIdLimit(checkPoint.oldestMulti, checkPoint.oldestMultiDB, true);
5069 
5070  /* Set up the XLOG page header */
5071  page->xlp_magic = XLOG_PAGE_MAGIC;
5072  page->xlp_info = XLP_LONG_HEADER;
5073  page->xlp_tli = BootstrapTimeLineID;
5075  longpage = (XLogLongPageHeader) page;
5076  longpage->xlp_sysid = sysidentifier;
5077  longpage->xlp_seg_size = wal_segment_size;
5078  longpage->xlp_xlog_blcksz = XLOG_BLCKSZ;
5079 
5080  /* Insert the initial checkpoint record */
5081  recptr = ((char *) page + SizeOfXLogLongPHD);
5082  record = (XLogRecord *) recptr;
5083  record->xl_prev = 0;
5084  record->xl_xid = InvalidTransactionId;
5085  record->xl_tot_len = SizeOfXLogRecord + SizeOfXLogRecordDataHeaderShort + sizeof(checkPoint);
5087  record->xl_rmid = RM_XLOG_ID;
5088  recptr += SizeOfXLogRecord;
5089  /* fill the XLogRecordDataHeaderShort struct */
5090  *(recptr++) = (char) XLR_BLOCK_ID_DATA_SHORT;
5091  *(recptr++) = sizeof(checkPoint);
5092  memcpy(recptr, &checkPoint, sizeof(checkPoint));
5093  recptr += sizeof(checkPoint);
5094  Assert(recptr - (char *) record == record->xl_tot_len);
5095 
5096  INIT_CRC32C(crc);
5097  COMP_CRC32C(crc, ((char *) record) + SizeOfXLogRecord, record->xl_tot_len - SizeOfXLogRecord);
5098  COMP_CRC32C(crc, (char *) record, offsetof(XLogRecord, xl_crc));
5099  FIN_CRC32C(crc);
5100  record->xl_crc = crc;
5101 
5102  /* Create first XLOG segment file */
5105 
5106  /*
5107  * We needn't bother with Reserve/ReleaseExternalFD here, since we'll
5108  * close the file again in a moment.
5109  */
5110 
5111  /* Write the first page with the initial record */
5112  errno = 0;
5113  pgstat_report_wait_start(WAIT_EVENT_WAL_BOOTSTRAP_WRITE);
5114  if (write(openLogFile, page, XLOG_BLCKSZ) != XLOG_BLCKSZ)
5115  {
5116  /* if write didn't set errno, assume problem is no disk space */
5117  if (errno == 0)
5118  errno = ENOSPC;
5119  ereport(PANIC,
5121  errmsg("could not write bootstrap write-ahead log file: %m")));
5122  }
5124 
5125  pgstat_report_wait_start(WAIT_EVENT_WAL_BOOTSTRAP_SYNC);
5126  if (pg_fsync(openLogFile) != 0)
5127  ereport(PANIC,
5129  errmsg("could not fsync bootstrap write-ahead log file: %m")));
5131 
5132  if (close(openLogFile) != 0)
5133  ereport(PANIC,
5135  errmsg("could not close bootstrap write-ahead log file: %m")));
5136 
5137  openLogFile = -1;
5138 
5139  /* Now create pg_control */
5140  InitControlFile(sysidentifier, data_checksum_version);
5141  ControlFile->time = checkPoint.time;
5142  ControlFile->checkPoint = checkPoint.redo;
5143  ControlFile->checkPointCopy = checkPoint;
5144 
5145  /* some additional ControlFile fields are set in WriteControlFile() */
5146  WriteControlFile();
5147 
5148  /* Bootstrap the commit log, too */
5149  BootStrapCLOG();
5153 
5154  pfree(buffer);
5155 
5156  /*
5157  * Force control file to be read - in contrast to normal processing we'd
5158  * otherwise never run the checks and GUC related initializations therein.
5159  */
5160  ReadControlFile();
5161 }
5162 
5163 static char *
5165 {
5166  static char buf[128];
5167 
5168  pg_strftime(buf, sizeof(buf),
5169  "%Y-%m-%d %H:%M:%S %Z",
5170  pg_localtime(&tnow, log_timezone));
5171 
5172  return buf;
5173 }
5174 
5175 /*
5176  * Initialize the first WAL segment on new timeline.
5177  */
5178 static void
5180 {
5181  char xlogfname[MAXFNAMELEN];
5182  XLogSegNo endLogSegNo;
5183  XLogSegNo startLogSegNo;
5184 
5185  /* we always switch to a new timeline after archive recovery */
5186  Assert(endTLI != newTLI);
5187 
5188  /*
5189  * Update min recovery point one last time.
5190  */
5192 
5193  /*
5194  * Calculate the last segment on the old timeline, and the first segment
5195  * on the new timeline. If the switch happens in the middle of a segment,
5196  * they are the same, but if the switch happens exactly at a segment
5197  * boundary, startLogSegNo will be endLogSegNo + 1.
5198  */
5199  XLByteToPrevSeg(endOfLog, endLogSegNo, wal_segment_size);
5200  XLByteToSeg(endOfLog, startLogSegNo, wal_segment_size);
5201 
5202  /*
5203  * Initialize the starting WAL segment for the new timeline. If the switch
5204  * happens in the middle of a segment, copy data from the last WAL segment
5205  * of the old timeline up to the switch point, to the starting WAL segment
5206  * on the new timeline.
5207  */
5208  if (endLogSegNo == startLogSegNo)
5209  {
5210  /*
5211  * Make a copy of the file on the new timeline.
5212  *
5213  * Writing WAL isn't allowed yet, so there are no locking
5214  * considerations. But we should be just as tense as XLogFileInit to
5215  * avoid emplacing a bogus file.
5216  */
5217  XLogFileCopy(newTLI, endLogSegNo, endTLI, endLogSegNo,
5218  XLogSegmentOffset(endOfLog, wal_segment_size));
5219  }
5220  else
5221  {
5222  /*
5223  * The switch happened at a segment boundary, so just create the next
5224  * segment on the new timeline.
5225  */
5226  int fd;
5227 
5228  fd = XLogFileInit(startLogSegNo, newTLI);
5229 
5230  if (close(fd) != 0)
5231  {
5232  int save_errno = errno;
5233 
5234  XLogFileName(xlogfname, newTLI, startLogSegNo, wal_segment_size);
5235  errno = save_errno;
5236  ereport(ERROR,
5238  errmsg("could not close file \"%s\": %m", xlogfname)));
5239  }
5240  }
5241 
5242  /*
5243  * Let's just make real sure there are not .ready or .done flags posted
5244  * for the new segment.
5245  */
5246  XLogFileName(xlogfname, newTLI, startLogSegNo, wal_segment_size);
5247  XLogArchiveCleanup(xlogfname);
5248 }
5249 
5250 /*
5251  * Perform cleanup actions at the conclusion of archive recovery.
5252  */
5253 static void
5255  TimeLineID newTLI)
5256 {
5257  /*
5258  * Execute the recovery_end_command, if any.
5259  */
5260  if (recoveryEndCommand && strcmp(recoveryEndCommand, "") != 0)
5262  "recovery_end_command",
5263  true,
5264  WAIT_EVENT_RECOVERY_END_COMMAND);
5265 
5266  /*
5267  * We switched to a new timeline. Clean up segments on the old timeline.
5268  *
5269  * If there are any higher-numbered segments on the old timeline, remove
5270  * them. They might contain valid WAL, but they might also be
5271  * pre-allocated files containing garbage. In any case, they are not part
5272  * of the new timeline's history so we don't need them.
5273  */
5274  RemoveNonParentXlogFiles(EndOfLog, newTLI);
5275 
5276  /*
5277  * If the switch happened in the middle of a segment, what to do with the
5278  * last, partial segment on the old timeline? If we don't archive it, and
5279  * the server that created the WAL never archives it either (e.g. because
5280  * it was hit by a meteor), it will never make it to the archive. That's
5281  * OK from our point of view, because the new segment that we created with
5282  * the new TLI contains all the WAL from the old timeline up to the switch
5283  * point. But if you later try to do PITR to the "missing" WAL on the old
5284  * timeline, recovery won't find it in the archive. It's physically
5285  * present in the new file with new TLI, but recovery won't look there
5286  * when it's recovering to the older timeline. On the other hand, if we
5287  * archive the partial segment, and the original server on that timeline
5288  * is still running and archives the completed version of the same segment
5289  * later, it will fail. (We used to do that in 9.4 and below, and it
5290  * caused such problems).
5291  *
5292  * As a compromise, we rename the last segment with the .partial suffix,
5293  * and archive it. Archive recovery will never try to read .partial
5294  * segments, so they will normally go unused. But in the odd PITR case,
5295  * the administrator can copy them manually to the pg_wal directory
5296  * (removing the suffix). They can be useful in debugging, too.
5297  *
5298  * If a .done or .ready file already exists for the old timeline, however,
5299  * we had already determined that the segment is complete, so we can let
5300  * it be archived normally. (In particular, if it was restored from the
5301  * archive to begin with, it's expected to have a .done file).
5302  */
5303  if (XLogSegmentOffset(EndOfLog, wal_segment_size) != 0 &&
5305  {
5306  char origfname[MAXFNAMELEN];
5307  XLogSegNo endLogSegNo;
5308 
5309  XLByteToPrevSeg(EndOfLog, endLogSegNo, wal_segment_size);
5310  XLogFileName(origfname, EndOfLogTLI, endLogSegNo, wal_segment_size);
5311 
5312  if (!XLogArchiveIsReadyOrDone(origfname))
5313  {
5314  char origpath[MAXPGPATH];
5315  char partialfname[MAXFNAMELEN];
5316  char partialpath[MAXPGPATH];
5317 
5318  XLogFilePath(origpath, EndOfLogTLI, endLogSegNo, wal_segment_size);
5319  snprintf(partialfname, MAXFNAMELEN, "%s.partial", origfname);
5320  snprintf(partialpath, MAXPGPATH, "%s.partial", origpath);
5321 
5322  /*
5323  * Make sure there's no .done or .ready file for the .partial
5324  * file.
5325  */
5326  XLogArchiveCleanup(partialfname);
5327 
5328  durable_rename(origpath, partialpath, ERROR);
5329  XLogArchiveNotify(partialfname);
5330  }
5331  }
5332 }
5333 
5334 /*
5335  * Check to see if required parameters are set high enough on this server
5336  * for various aspects of recovery operation.
5337  *
5338  * Note that all the parameters which this function tests need to be
5339  * listed in Administrator's Overview section in high-availability.sgml.
5340  * If you change them, don't forget to update the list.
5341  */
5342 static void
5344 {
5345  /*
5346  * For archive recovery, the WAL must be generated with at least 'replica'
5347  * wal_level.
5348  */
5350  {
5351  ereport(FATAL,
5352  (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
5353  errmsg("WAL was generated with \"wal_level=minimal\", cannot continue recovering"),
5354  errdetail("This happens if you temporarily set \"wal_level=minimal\" on the server."),
5355  errhint("Use a backup taken after setting \"wal_level\" to higher than \"minimal\".")));
5356  }
5357 
5358  /*
5359  * For Hot Standby, the WAL must be generated with 'replica' mode, and we
5360  * must have at least as many backend slots as the primary.
5361  */
5363  {
5364  /* We ignore autovacuum_max_workers when we make this test. */
5365  RecoveryRequiresIntParameter("max_connections",
5368  RecoveryRequiresIntParameter("max_worker_processes",
5371  RecoveryRequiresIntParameter("max_wal_senders",
5374  RecoveryRequiresIntParameter("max_prepared_transactions",
5377  RecoveryRequiresIntParameter("max_locks_per_transaction",
5380  }
5381 }
5382 
5383 /*
5384  * This must be called ONCE during postmaster or standalone-backend startup
5385  */
5386 void
5388 {
5390  CheckPoint checkPoint;
5391  bool wasShutdown;
5392  bool didCrash;
5393  bool haveTblspcMap;
5394  bool haveBackupLabel;
5395  XLogRecPtr EndOfLog;
5396  TimeLineID EndOfLogTLI;
5397  TimeLineID newTLI;
5398  bool performedWalRecovery;
5399  EndOfWalRecoveryInfo *endOfRecoveryInfo;
5402  TransactionId oldestActiveXID;
5403  bool promoted = false;
5404 
5405  /*
5406  * We should have an aux process resource owner to use, and we should not
5407  * be in a transaction that's installed some other resowner.
5408  */
5410  Assert(CurrentResourceOwner == NULL ||
5413 
5414  /*
5415  * Check that contents look valid.
5416  */
5418  ereport(FATAL,
5420  errmsg("control file contains invalid checkpoint location")));
5421 
5422  switch (ControlFile->state)
5423  {
5424  case DB_SHUTDOWNED:
5425 
5426  /*
5427  * This is the expected case, so don't be chatty in standalone
5428  * mode
5429  */
5431  (errmsg("database system was shut down at %s",
5432  str_time(ControlFile->time))));
5433  break;
5434 
5436  ereport(LOG,
5437  (errmsg("database system was shut down in recovery at %s",
5438  str_time(ControlFile->time))));
5439  break;
5440 
5441  case DB_SHUTDOWNING:
5442  ereport(LOG,
5443  (errmsg("database system shutdown was interrupted; last known up at %s",
5444  str_time(ControlFile->time))));
5445  break;
5446 
5447  case DB_IN_CRASH_RECOVERY:
5448  ereport(LOG,
5449  (errmsg("database system was interrupted while in recovery at %s",
5451  errhint("This probably means that some data is corrupted and"
5452  " you will have to use the last backup for recovery.")));
5453  break;
5454 
5456  ereport(LOG,
5457  (errmsg("database system was interrupted while in recovery at log time %s",
5459  errhint("If this has occurred more than once some data might be corrupted"
5460  " and you might need to choose an earlier recovery target.")));
5461  break;
5462 
5463  case DB_IN_PRODUCTION:
5464  ereport(LOG,
5465  (errmsg("database system was interrupted; last known up at %s",
5466  str_time(ControlFile->time))));
5467  break;
5468 
5469  default:
5470  ereport(FATAL,
5472  errmsg("control file contains invalid database cluster state")));
5473  }
5474 
5475  /* This is just to allow attaching to startup process with a debugger */
5476 #ifdef XLOG_REPLAY_DELAY
5478  pg_usleep(60000000L);
5479 #endif
5480 
5481  /*
5482  * Verify that pg_wal, pg_wal/archive_status, and pg_wal/summaries exist.
5483  * In cases where someone has performed a copy for PITR, these directories
5484  * may have been excluded and need to be re-created.
5485  */
5487 
5488  /* Set up timeout handler needed to report startup progress. */
5492 
5493  /*----------
5494  * If we previously crashed, perform a couple of actions:
5495  *
5496  * - The pg_wal directory may still include some temporary WAL segments
5497  * used when creating a new segment, so perform some clean up to not
5498  * bloat this path. This is done first as there is no point to sync
5499  * this temporary data.
5500  *
5501  * - There might be data which we had written, intending to fsync it, but
5502  * which we had not actually fsync'd yet. Therefore, a power failure in
5503  * the near future might cause earlier unflushed writes to be lost, even
5504  * though more recent data written to disk from here on would be
5505  * persisted. To avoid that, fsync the entire data directory.
5506  */
5507  if (ControlFile->state != DB_SHUTDOWNED &&
5509  {
5512  didCrash = true;
5513  }
5514  else
5515  didCrash = false;
5516 
5517  /*
5518  * Prepare for WAL recovery if needed.
5519  *
5520  * InitWalRecovery analyzes the control file and the backup label file, if
5521  * any. It updates the in-memory ControlFile buffer according to the
5522  * starting checkpoint, and sets InRecovery and ArchiveRecoveryRequested.
5523  * It also applies the tablespace map file, if any.
5524  */
5525  InitWalRecovery(ControlFile, &wasShutdown,
5526  &haveBackupLabel, &haveTblspcMap);
5527  checkPoint = ControlFile->checkPointCopy;
5528 
5529  /* initialize shared memory variables from the checkpoint record */
5530  TransamVariables->nextXid = checkPoint.nextXid;
5531  TransamVariables->nextOid = checkPoint.nextOid;
5533  MultiXactSetNextMXact(checkPoint.nextMulti, checkPoint.nextMultiOffset);
5534  AdvanceOldestClogXid(checkPoint.oldestXid);
5535  SetTransactionIdLimit(checkPoint.oldestXid, checkPoint.oldestXidDB);
5536  SetMultiXactIdLimit(checkPoint.oldestMulti, checkPoint.oldestMultiDB, true);
5538  checkPoint.newestCommitTsXid);
5539  XLogCtl->ckptFullXid = checkPoint.nextXid;
5540 
5541  /*
5542  * Clear out any old relcache cache files. This is *necessary* if we do
5543  * any WAL replay, since that would probably result in the cache files
5544  * being out of sync with database reality. In theory we could leave them
5545  * in place if the database had been cleanly shut down, but it seems
5546  * safest to just remove them always and let them be rebuilt during the
5547  * first backend startup. These files needs to be removed from all
5548  * directories including pg_tblspc, however the symlinks are created only
5549  * after reading tablespace_map file in case of archive recovery from
5550  * backup, so needs to clear old relcache files here after creating
5551  * symlinks.
5552  */
5554 
5555  /*
5556  * Initialize replication slots, before there's a chance to remove
5557  * required resources.
5558  */
5560 
5561  /*
5562  * Startup logical state, needs to be setup now so we have proper data
5563  * during crash recovery.
5564  */
5566 
5567  /*
5568  * Startup CLOG. This must be done after TransamVariables->nextXid has
5569  * been initialized and before we accept connections or begin WAL replay.
5570  */
5571  StartupCLOG();
5572 
5573  /*
5574  * Startup MultiXact. We need to do this early to be able to replay
5575  * truncations.
5576  */
5577  StartupMultiXact();
5578 
5579  /*
5580  * Ditto for commit timestamps. Activate the facility if the setting is
5581  * enabled in the control file, as there should be no tracking of commit
5582  * timestamps done when the setting was disabled. This facility can be
5583  * started or stopped when replaying a XLOG_PARAMETER_CHANGE record.
5584  */
5586  StartupCommitTs();
5587 
5588  /*
5589  * Recover knowledge about replay progress of known replication partners.
5590  */
5592 
5593  /*
5594  * Initialize unlogged LSN. On a clean shutdown, it's restored from the
5595  * control file. On recovery, all unlogged relations are blown away, so
5596  * the unlogged LSN counter can be reset too.
5597  */
5601  else
5604 
5605  /*
5606  * Copy any missing timeline history files between 'now' and the recovery
5607  * target timeline from archive to pg_wal. While we don't need those files
5608  * ourselves - the history file of the recovery target timeline covers all
5609  * the previous timelines