PostgreSQL Source Code  git master
xlog.c
Go to the documentation of this file.
1 /*-------------------------------------------------------------------------
2  *
3  * xlog.c
4  * PostgreSQL write-ahead log manager
5  *
6  * The Write-Ahead Log (WAL) functionality is split into several source
7  * files, in addition to this one:
8  *
9  * xloginsert.c - Functions for constructing WAL records
10  * xlogrecovery.c - WAL recovery and standby code
11  * xlogreader.c - Facility for reading WAL files and parsing WAL records
12  * xlogutils.c - Helper functions for WAL redo routines
13  *
14  * This file contains functions for coordinating database startup and
15  * checkpointing, and managing the write-ahead log buffers when the
16  * system is running.
17  *
18  * StartupXLOG() is the main entry point of the startup process. It
19  * coordinates database startup, performing WAL recovery, and the
20  * transition from WAL recovery into normal operations.
21  *
22  * XLogInsertRecord() inserts a WAL record into the WAL buffers. Most
23  * callers should not call this directly, but use the functions in
24  * xloginsert.c to construct the WAL record. XLogFlush() can be used
25  * to force the WAL to disk.
26  *
27  * In addition to those, there are many other functions for interrogating
28  * the current system state, and for starting/stopping backups.
29  *
30  *
31  * Portions Copyright (c) 1996-2023, PostgreSQL Global Development Group
32  * Portions Copyright (c) 1994, Regents of the University of California
33  *
34  * src/backend/access/transam/xlog.c
35  *
36  *-------------------------------------------------------------------------
37  */
38 
39 #include "postgres.h"
40 
41 #include <ctype.h>
42 #include <math.h>
43 #include <time.h>
44 #include <fcntl.h>
45 #include <sys/stat.h>
46 #include <sys/time.h>
47 #include <unistd.h>
48 
49 #include "access/clog.h"
50 #include "access/commit_ts.h"
51 #include "access/heaptoast.h"
52 #include "access/multixact.h"
53 #include "access/rewriteheap.h"
54 #include "access/subtrans.h"
55 #include "access/timeline.h"
56 #include "access/transam.h"
57 #include "access/twophase.h"
58 #include "access/xact.h"
59 #include "access/xlog_internal.h"
60 #include "access/xlogarchive.h"
61 #include "access/xloginsert.h"
62 #include "access/xlogprefetcher.h"
63 #include "access/xlogreader.h"
64 #include "access/xlogrecovery.h"
65 #include "access/xlogutils.h"
66 #include "backup/basebackup.h"
67 #include "catalog/catversion.h"
68 #include "catalog/pg_control.h"
69 #include "catalog/pg_database.h"
71 #include "common/file_utils.h"
72 #include "executor/instrument.h"
73 #include "miscadmin.h"
74 #include "pg_trace.h"
75 #include "pgstat.h"
76 #include "port/atomics.h"
77 #include "port/pg_iovec.h"
78 #include "postmaster/bgwriter.h"
79 #include "postmaster/startup.h"
80 #include "postmaster/walwriter.h"
81 #include "replication/logical.h"
82 #include "replication/origin.h"
83 #include "replication/slot.h"
84 #include "replication/snapbuild.h"
86 #include "replication/walsender.h"
87 #include "storage/bufmgr.h"
88 #include "storage/fd.h"
89 #include "storage/ipc.h"
90 #include "storage/large_object.h"
91 #include "storage/latch.h"
92 #include "storage/pmsignal.h"
93 #include "storage/predicate.h"
94 #include "storage/proc.h"
95 #include "storage/procarray.h"
96 #include "storage/reinit.h"
97 #include "storage/smgr.h"
98 #include "storage/spin.h"
99 #include "storage/sync.h"
100 #include "utils/guc_hooks.h"
101 #include "utils/guc_tables.h"
102 #include "utils/memutils.h"
103 #include "utils/ps_status.h"
104 #include "utils/relmapper.h"
105 #include "utils/pg_rusage.h"
106 #include "utils/snapmgr.h"
107 #include "utils/timeout.h"
108 #include "utils/timestamp.h"
109 #include "utils/varlena.h"
110 
112 
113 /* timeline ID to be used when bootstrapping */
114 #define BootstrapTimeLineID 1
115 
116 /* User-settable parameters */
117 int max_wal_size_mb = 1024; /* 1 GB */
118 int min_wal_size_mb = 80; /* 80 MB */
120 int XLOGbuffers = -1;
123 char *XLogArchiveCommand = NULL;
124 bool EnableHotStandby = false;
125 bool fullPageWrites = true;
126 bool wal_log_hints = false;
130 bool wal_init_zero = true;
131 bool wal_recycle = true;
132 bool log_checkpoints = true;
135 int CommitDelay = 0; /* precommit delay in microseconds */
136 int CommitSiblings = 5; /* # concurrent xacts needed to sleep */
139 int wal_decode_buffer_size = 512 * 1024;
140 bool track_wal_io_timing = false;
141 
142 #ifdef WAL_DEBUG
143 bool XLOG_DEBUG = false;
144 #endif
145 
147 
148 /*
149  * Number of WAL insertion locks to use. A higher value allows more insertions
150  * to happen concurrently, but adds some CPU overhead to flushing the WAL,
151  * which needs to iterate all the locks.
152  */
153 #define NUM_XLOGINSERT_LOCKS 8
154 
155 /*
156  * Max distance from last checkpoint, before triggering a new xlog-based
157  * checkpoint.
158  */
160 
161 /* Estimated distance between checkpoints, in bytes */
162 static double CheckPointDistanceEstimate = 0;
163 static double PrevCheckPointDistance = 0;
164 
165 /*
166  * Track whether there were any deferred checks for custom resource managers
167  * specified in wal_consistency_checking.
168  */
170 
171 /*
172  * GUC support
173  */
175  {"fsync", WAL_SYNC_METHOD_FSYNC, false},
176 #ifdef HAVE_FSYNC_WRITETHROUGH
177  {"fsync_writethrough", WAL_SYNC_METHOD_FSYNC_WRITETHROUGH, false},
178 #endif
179  {"fdatasync", WAL_SYNC_METHOD_FDATASYNC, false},
180 #ifdef O_SYNC
181  {"open_sync", WAL_SYNC_METHOD_OPEN, false},
182 #endif
183 #ifdef O_DSYNC
184  {"open_datasync", WAL_SYNC_METHOD_OPEN_DSYNC, false},
185 #endif
186  {NULL, 0, false}
187 };
188 
189 
190 /*
191  * Although only "on", "off", and "always" are documented,
192  * we accept all the likely variants of "on" and "off".
193  */
194 const struct config_enum_entry archive_mode_options[] = {
195  {"always", ARCHIVE_MODE_ALWAYS, false},
196  {"on", ARCHIVE_MODE_ON, false},
197  {"off", ARCHIVE_MODE_OFF, false},
198  {"true", ARCHIVE_MODE_ON, true},
199  {"false", ARCHIVE_MODE_OFF, true},
200  {"yes", ARCHIVE_MODE_ON, true},
201  {"no", ARCHIVE_MODE_OFF, true},
202  {"1", ARCHIVE_MODE_ON, true},
203  {"0", ARCHIVE_MODE_OFF, true},
204  {NULL, 0, false}
205 };
206 
207 /*
208  * Statistics for current checkpoint are collected in this global struct.
209  * Because only the checkpointer or a stand-alone backend can perform
210  * checkpoints, this will be unused in normal backends.
211  */
213 
214 /*
215  * During recovery, lastFullPageWrites keeps track of full_page_writes that
216  * the replayed WAL records indicate. It's initialized with full_page_writes
217  * that the recovery starting checkpoint record indicates, and then updated
218  * each time XLOG_FPW_CHANGE record is replayed.
219  */
220 static bool lastFullPageWrites;
221 
222 /*
223  * Local copy of the state tracked by SharedRecoveryState in shared memory,
224  * It is false if SharedRecoveryState is RECOVERY_STATE_DONE. True actually
225  * means "not known, need to check the shared state".
226  */
227 static bool LocalRecoveryInProgress = true;
228 
229 /*
230  * Local state for XLogInsertAllowed():
231  * 1: unconditionally allowed to insert XLOG
232  * 0: unconditionally not allowed to insert XLOG
233  * -1: must check RecoveryInProgress(); disallow until it is false
234  * Most processes start with -1 and transition to 1 after seeing that recovery
235  * is not in progress. But we can also force the value for special cases.
236  * The coding in XLogInsertAllowed() depends on the first two of these states
237  * being numerically the same as bool true and false.
238  */
239 static int LocalXLogInsertAllowed = -1;
240 
241 /*
242  * ProcLastRecPtr points to the start of the last XLOG record inserted by the
243  * current backend. It is updated for all inserts. XactLastRecEnd points to
244  * end+1 of the last record, and is reset when we end a top-level transaction,
245  * or start a new one; so it can be used to tell if the current transaction has
246  * created any XLOG records.
247  *
248  * While in parallel mode, this may not be fully up to date. When committing,
249  * a transaction can assume this covers all xlog records written either by the
250  * user backend or by any parallel worker which was present at any point during
251  * the transaction. But when aborting, or when still in parallel mode, other
252  * parallel backends may have written WAL records at later LSNs than the value
253  * stored here. The parallel leader advances its own copy, when necessary,
254  * in WaitForParallelWorkersToFinish.
255  */
259 
260 /*
261  * RedoRecPtr is this backend's local copy of the REDO record pointer
262  * (which is almost but not quite the same as a pointer to the most recent
263  * CHECKPOINT record). We update this from the shared-memory copy,
264  * XLogCtl->Insert.RedoRecPtr, whenever we can safely do so (ie, when we
265  * hold an insertion lock). See XLogInsertRecord for details. We are also
266  * allowed to update from XLogCtl->RedoRecPtr if we hold the info_lck;
267  * see GetRedoRecPtr.
268  *
269  * NB: Code that uses this variable must be prepared not only for the
270  * possibility that it may be arbitrarily out of date, but also for the
271  * possibility that it might be set to InvalidXLogRecPtr. We used to
272  * initialize it as a side effect of the first call to RecoveryInProgress(),
273  * which meant that most code that might use it could assume that it had a
274  * real if perhaps stale value. That's no longer the case.
275  */
277 
278 /*
279  * doPageWrites is this backend's local copy of (fullPageWrites ||
280  * runningBackups > 0). It is used together with RedoRecPtr to decide whether
281  * a full-page image of a page need to be taken.
282  *
283  * NB: Initially this is false, and there's no guarantee that it will be
284  * initialized to any other value before it is first used. Any code that
285  * makes use of it must recheck the value after obtaining a WALInsertLock,
286  * and respond appropriately if it turns out that the previous value wasn't
287  * accurate.
288  */
289 static bool doPageWrites;
290 
291 /*----------
292  * Shared-memory data structures for XLOG control
293  *
294  * LogwrtRqst indicates a byte position that we need to write and/or fsync
295  * the log up to (all records before that point must be written or fsynced).
296  * LogwrtResult indicates the byte positions we have already written/fsynced.
297  * These structs are identical but are declared separately to indicate their
298  * slightly different functions.
299  *
300  * To read XLogCtl->LogwrtResult, you must hold either info_lck or
301  * WALWriteLock. To update it, you need to hold both locks. The point of
302  * this arrangement is that the value can be examined by code that already
303  * holds WALWriteLock without needing to grab info_lck as well. In addition
304  * to the shared variable, each backend has a private copy of LogwrtResult,
305  * which is updated when convenient.
306  *
307  * The request bookkeeping is simpler: there is a shared XLogCtl->LogwrtRqst
308  * (protected by info_lck), but we don't need to cache any copies of it.
309  *
310  * info_lck is only held long enough to read/update the protected variables,
311  * so it's a plain spinlock. The other locks are held longer (potentially
312  * over I/O operations), so we use LWLocks for them. These locks are:
313  *
314  * WALBufMappingLock: must be held to replace a page in the WAL buffer cache.
315  * It is only held while initializing and changing the mapping. If the
316  * contents of the buffer being replaced haven't been written yet, the mapping
317  * lock is released while the write is done, and reacquired afterwards.
318  *
319  * WALWriteLock: must be held to write WAL buffers to disk (XLogWrite or
320  * XLogFlush).
321  *
322  * ControlFileLock: must be held to read/update control file or create
323  * new log file.
324  *
325  *----------
326  */
327 
328 typedef struct XLogwrtRqst
329 {
330  XLogRecPtr Write; /* last byte + 1 to write out */
331  XLogRecPtr Flush; /* last byte + 1 to flush */
333 
334 typedef struct XLogwrtResult
335 {
336  XLogRecPtr Write; /* last byte + 1 written out */
337  XLogRecPtr Flush; /* last byte + 1 flushed */
339 
340 /*
341  * Inserting to WAL is protected by a small fixed number of WAL insertion
342  * locks. To insert to the WAL, you must hold one of the locks - it doesn't
343  * matter which one. To lock out other concurrent insertions, you must hold
344  * of them. Each WAL insertion lock consists of a lightweight lock, plus an
345  * indicator of how far the insertion has progressed (insertingAt).
346  *
347  * The insertingAt values are read when a process wants to flush WAL from
348  * the in-memory buffers to disk, to check that all the insertions to the
349  * region the process is about to write out have finished. You could simply
350  * wait for all currently in-progress insertions to finish, but the
351  * insertingAt indicator allows you to ignore insertions to later in the WAL,
352  * so that you only wait for the insertions that are modifying the buffers
353  * you're about to write out.
354  *
355  * This isn't just an optimization. If all the WAL buffers are dirty, an
356  * inserter that's holding a WAL insert lock might need to evict an old WAL
357  * buffer, which requires flushing the WAL. If it's possible for an inserter
358  * to block on another inserter unnecessarily, deadlock can arise when two
359  * inserters holding a WAL insert lock wait for each other to finish their
360  * insertion.
361  *
362  * Small WAL records that don't cross a page boundary never update the value,
363  * the WAL record is just copied to the page and the lock is released. But
364  * to avoid the deadlock-scenario explained above, the indicator is always
365  * updated before sleeping while holding an insertion lock.
366  *
367  * lastImportantAt contains the LSN of the last important WAL record inserted
368  * using a given lock. This value is used to detect if there has been
369  * important WAL activity since the last time some action, like a checkpoint,
370  * was performed - allowing to not repeat the action if not. The LSN is
371  * updated for all insertions, unless the XLOG_MARK_UNIMPORTANT flag was
372  * set. lastImportantAt is never cleared, only overwritten by the LSN of newer
373  * records. Tracking the WAL activity directly in WALInsertLock has the
374  * advantage of not needing any additional locks to update the value.
375  */
376 typedef struct
377 {
381 } WALInsertLock;
382 
383 /*
384  * All the WAL insertion locks are allocated as an array in shared memory. We
385  * force the array stride to be a power of 2, which saves a few cycles in
386  * indexing, but more importantly also ensures that individual slots don't
387  * cross cache line boundaries. (Of course, we have to also ensure that the
388  * array start address is suitably aligned.)
389  */
390 typedef union WALInsertLockPadded
391 {
395 
396 /*
397  * Session status of running backup, used for sanity checks in SQL-callable
398  * functions to start and stop backups.
399  */
401 
402 /*
403  * Shared state data for WAL insertion.
404  */
405 typedef struct XLogCtlInsert
406 {
407  slock_t insertpos_lck; /* protects CurrBytePos and PrevBytePos */
408 
409  /*
410  * CurrBytePos is the end of reserved WAL. The next record will be
411  * inserted at that position. PrevBytePos is the start position of the
412  * previously inserted (or rather, reserved) record - it is copied to the
413  * prev-link of the next record. These are stored as "usable byte
414  * positions" rather than XLogRecPtrs (see XLogBytePosToRecPtr()).
415  */
416  uint64 CurrBytePos;
417  uint64 PrevBytePos;
418 
419  /*
420  * Make sure the above heavily-contended spinlock and byte positions are
421  * on their own cache line. In particular, the RedoRecPtr and full page
422  * write variables below should be on a different cache line. They are
423  * read on every WAL insertion, but updated rarely, and we don't want
424  * those reads to steal the cache line containing Curr/PrevBytePos.
425  */
427 
428  /*
429  * fullPageWrites is the authoritative value used by all backends to
430  * determine whether to write full-page image to WAL. This shared value,
431  * instead of the process-local fullPageWrites, is required because, when
432  * full_page_writes is changed by SIGHUP, we must WAL-log it before it
433  * actually affects WAL-logging by backends. Checkpointer sets at startup
434  * or after SIGHUP.
435  *
436  * To read these fields, you must hold an insertion lock. To modify them,
437  * you must hold ALL the locks.
438  */
439  XLogRecPtr RedoRecPtr; /* current redo point for insertions */
441 
442  /*
443  * runningBackups is a counter indicating the number of backups currently
444  * in progress. lastBackupStart is the latest checkpoint redo location
445  * used as a starting point for an online backup.
446  */
449 
450  /*
451  * WAL insertion locks.
452  */
455 
456 /*
457  * Total shared-memory state for XLOG.
458  */
459 typedef struct XLogCtlData
460 {
462 
463  /* Protected by info_lck: */
465  XLogRecPtr RedoRecPtr; /* a recent copy of Insert->RedoRecPtr */
466  FullTransactionId ckptFullXid; /* nextXid of latest checkpoint */
467  XLogRecPtr asyncXactLSN; /* LSN of newest async commit/abort */
468  XLogRecPtr replicationSlotMinLSN; /* oldest LSN needed by any slot */
469 
470  XLogSegNo lastRemovedSegNo; /* latest removed/recycled XLOG segment */
471 
472  /* Fake LSN counter, for unlogged relations. Protected by ulsn_lck. */
475 
476  /* Time and LSN of last xlog segment switch. Protected by WALWriteLock. */
479 
480  /*
481  * Protected by info_lck and WALWriteLock (you must hold either lock to
482  * read it, but both to update)
483  */
485 
486  /*
487  * Latest initialized page in the cache (last byte position + 1).
488  *
489  * To change the identity of a buffer (and InitializedUpTo), you need to
490  * hold WALBufMappingLock. To change the identity of a buffer that's
491  * still dirty, the old page needs to be written out first, and for that
492  * you need WALWriteLock, and you need to ensure that there are no
493  * in-progress insertions to the page by calling
494  * WaitXLogInsertionsToFinish().
495  */
497 
498  /*
499  * These values do not change after startup, although the pointed-to pages
500  * and xlblocks values certainly do. xlblocks values are protected by
501  * WALBufMappingLock.
502  */
503  char *pages; /* buffers for unwritten XLOG pages */
504  XLogRecPtr *xlblocks; /* 1st byte ptr-s + XLOG_BLCKSZ */
505  int XLogCacheBlck; /* highest allocated xlog buffer index */
506 
507  /*
508  * InsertTimeLineID is the timeline into which new WAL is being inserted
509  * and flushed. It is zero during recovery, and does not change once set.
510  *
511  * If we create a new timeline when the system was started up,
512  * PrevTimeLineID is the old timeline's ID that we forked off from.
513  * Otherwise it's equal to InsertTimeLineID.
514  */
517 
518  /*
519  * SharedRecoveryState indicates if we're still in crash or archive
520  * recovery. Protected by info_lck.
521  */
523 
524  /*
525  * InstallXLogFileSegmentActive indicates whether the checkpointer should
526  * arrange for future segments by recycling and/or PreallocXlogFiles().
527  * Protected by ControlFileLock. Only the startup process changes it. If
528  * true, anyone can use InstallXLogFileSegment(). If false, the startup
529  * process owns the exclusive right to install segments, by reading from
530  * the archive and possibly replacing existing files.
531  */
533 
534  /*
535  * WalWriterSleeping indicates whether the WAL writer is currently in
536  * low-power mode (and hence should be nudged if an async commit occurs).
537  * Protected by info_lck.
538  */
540 
541  /*
542  * During recovery, we keep a copy of the latest checkpoint record here.
543  * lastCheckPointRecPtr points to start of checkpoint record and
544  * lastCheckPointEndPtr points to end+1 of checkpoint record. Used by the
545  * checkpointer when it wants to create a restartpoint.
546  *
547  * Protected by info_lck.
548  */
552 
553  /*
554  * lastFpwDisableRecPtr points to the start of the last replayed
555  * XLOG_FPW_CHANGE record that instructs full_page_writes is disabled.
556  */
558 
559  slock_t info_lck; /* locks shared variables shown above */
561 
562 /*
563  * Classification of XLogRecordInsert operations.
564  */
565 typedef enum
566 {
571 
572 static XLogCtlData *XLogCtl = NULL;
573 
574 /* a private copy of XLogCtl->Insert.WALInsertLocks, for convenience */
576 
577 /*
578  * We maintain an image of pg_control in shared memory.
579  */
581 
582 /*
583  * Calculate the amount of space left on the page after 'endptr'. Beware
584  * multiple evaluation!
585  */
586 #define INSERT_FREESPACE(endptr) \
587  (((endptr) % XLOG_BLCKSZ == 0) ? 0 : (XLOG_BLCKSZ - (endptr) % XLOG_BLCKSZ))
588 
589 /* Macro to advance to next buffer index. */
590 #define NextBufIdx(idx) \
591  (((idx) == XLogCtl->XLogCacheBlck) ? 0 : ((idx) + 1))
592 
593 /*
594  * XLogRecPtrToBufIdx returns the index of the WAL buffer that holds, or
595  * would hold if it was in cache, the page containing 'recptr'.
596  */
597 #define XLogRecPtrToBufIdx(recptr) \
598  (((recptr) / XLOG_BLCKSZ) % (XLogCtl->XLogCacheBlck + 1))
599 
600 /*
601  * These are the number of bytes in a WAL page usable for WAL data.
602  */
603 #define UsableBytesInPage (XLOG_BLCKSZ - SizeOfXLogShortPHD)
604 
605 /*
606  * Convert values of GUCs measured in megabytes to equiv. segment count.
607  * Rounds down.
608  */
609 #define ConvertToXSegs(x, segsize) XLogMBVarToSegs((x), (segsize))
610 
611 /* The number of bytes in a WAL segment usable for WAL data. */
613 
614 /*
615  * Private, possibly out-of-date copy of shared LogwrtResult.
616  * See discussion above.
617  */
618 static XLogwrtResult LogwrtResult = {0, 0};
619 
620 /*
621  * openLogFile is -1 or a kernel FD for an open log file segment.
622  * openLogSegNo identifies the segment, and openLogTLI the corresponding TLI.
623  * These variables are only used to write the XLOG, and so will normally refer
624  * to the active segment.
625  *
626  * Note: call Reserve/ReleaseExternalFD to track consumption of this FD.
627  */
628 static int openLogFile = -1;
631 
632 /*
633  * Local copies of equivalent fields in the control file. When running
634  * crash recovery, LocalMinRecoveryPoint is set to InvalidXLogRecPtr as we
635  * expect to replay all the WAL available, and updateMinRecoveryPoint is
636  * switched to false to prevent any updates while replaying records.
637  * Those values are kept consistent as long as crash recovery runs.
638  */
641 static bool updateMinRecoveryPoint = true;
642 
643 /* For WALInsertLockAcquire/Release functions */
644 static int MyLockNo = 0;
645 static bool holdingAllLocks = false;
646 
647 #ifdef WAL_DEBUG
648 static MemoryContext walDebugCxt = NULL;
649 #endif
650 
651 static void CleanupAfterArchiveRecovery(TimeLineID EndOfLogTLI,
652  XLogRecPtr EndOfLog,
653  TimeLineID newTLI);
654 static void CheckRequiredParameterValues(void);
655 static void XLogReportParameters(void);
656 static int LocalSetXLogInsertAllowed(void);
657 static void CreateEndOfRecoveryRecord(void);
659  XLogRecPtr pagePtr,
660  TimeLineID newTLI);
661 static void CheckPointGuts(XLogRecPtr checkPointRedo, int flags);
662 static void KeepLogSeg(XLogRecPtr recptr, XLogSegNo *logSegNo);
664 
665 static void AdvanceXLInsertBuffer(XLogRecPtr upto, TimeLineID tli,
666  bool opportunistic);
667 static void XLogWrite(XLogwrtRqst WriteRqst, TimeLineID tli, bool flexible);
668 static bool InstallXLogFileSegment(XLogSegNo *segno, char *tmppath,
669  bool find_free, XLogSegNo max_segno,
670  TimeLineID tli);
671 static void XLogFileClose(void);
672 static void PreallocXlogFiles(XLogRecPtr endptr, TimeLineID tli);
673 static void RemoveTempXlogFiles(void);
674 static void RemoveOldXlogFiles(XLogSegNo segno, XLogRecPtr lastredoptr,
675  XLogRecPtr endptr, TimeLineID insertTLI);
676 static void RemoveXlogFile(const struct dirent *segment_de,
677  XLogSegNo recycleSegNo, XLogSegNo *endlogSegNo,
678  TimeLineID insertTLI);
679 static void UpdateLastRemovedPtr(char *filename);
680 static void ValidateXLOGDirectoryStructure(void);
681 static void CleanupBackupHistory(void);
682 static void UpdateMinRecoveryPoint(XLogRecPtr lsn, bool force);
683 static bool PerformRecoveryXLogAction(void);
684 static void InitControlFile(uint64 sysidentifier);
685 static void WriteControlFile(void);
686 static void ReadControlFile(void);
687 static void UpdateControlFile(void);
688 static char *str_time(pg_time_t tnow);
689 
690 static int get_sync_bit(int method);
691 
692 static void CopyXLogRecordToWAL(int write_len, bool isLogSwitch,
693  XLogRecData *rdata,
694  XLogRecPtr StartPos, XLogRecPtr EndPos,
695  TimeLineID tli);
696 static void ReserveXLogInsertLocation(int size, XLogRecPtr *StartPos,
697  XLogRecPtr *EndPos, XLogRecPtr *PrevPtr);
698 static bool ReserveXLogSwitch(XLogRecPtr *StartPos, XLogRecPtr *EndPos,
699  XLogRecPtr *PrevPtr);
701 static char *GetXLogBuffer(XLogRecPtr ptr, TimeLineID tli);
702 static XLogRecPtr XLogBytePosToRecPtr(uint64 bytepos);
703 static XLogRecPtr XLogBytePosToEndRecPtr(uint64 bytepos);
704 static uint64 XLogRecPtrToBytePos(XLogRecPtr ptr);
705 
706 static void WALInsertLockAcquire(void);
707 static void WALInsertLockAcquireExclusive(void);
708 static void WALInsertLockRelease(void);
709 static void WALInsertLockUpdateInsertingAt(XLogRecPtr insertingAt);
710 
711 /*
712  * Insert an XLOG record represented by an already-constructed chain of data
713  * chunks. This is a low-level routine; to construct the WAL record header
714  * and data, use the higher-level routines in xloginsert.c.
715  *
716  * If 'fpw_lsn' is valid, it is the oldest LSN among the pages that this
717  * WAL record applies to, that were not included in the record as full page
718  * images. If fpw_lsn <= RedoRecPtr, the function does not perform the
719  * insertion and returns InvalidXLogRecPtr. The caller can then recalculate
720  * which pages need a full-page image, and retry. If fpw_lsn is invalid, the
721  * record is always inserted.
722  *
723  * 'flags' gives more in-depth control on the record being inserted. See
724  * XLogSetRecordFlags() for details.
725  *
726  * 'topxid_included' tells whether the top-transaction id is logged along with
727  * current subtransaction. See XLogRecordAssemble().
728  *
729  * The first XLogRecData in the chain must be for the record header, and its
730  * data must be MAXALIGNed. XLogInsertRecord fills in the xl_prev and
731  * xl_crc fields in the header, the rest of the header must already be filled
732  * by the caller.
733  *
734  * Returns XLOG pointer to end of record (beginning of next record).
735  * This can be used as LSN for data pages affected by the logged action.
736  * (LSN is the XLOG point up to which the XLOG must be flushed to disk
737  * before the data page can be written out. This implements the basic
738  * WAL rule "write the log before the data".)
739  */
742  XLogRecPtr fpw_lsn,
743  uint8 flags,
744  int num_fpi,
745  bool topxid_included)
746 {
748  pg_crc32c rdata_crc;
749  bool inserted;
750  XLogRecord *rechdr = (XLogRecord *) rdata->data;
751  uint8 info = rechdr->xl_info & ~XLR_INFO_MASK;
753  XLogRecPtr StartPos;
754  XLogRecPtr EndPos;
755  bool prevDoPageWrites = doPageWrites;
756  TimeLineID insertTLI;
757 
758  /* Does this record type require special handling? */
759  if (unlikely(rechdr->xl_rmid == RM_XLOG_ID))
760  {
761  if (info == XLOG_SWITCH)
762  class = WALINSERT_SPECIAL_SWITCH;
763  else if (info == XLOG_CHECKPOINT_REDO)
765  }
766 
767  /* we assume that all of the record header is in the first chunk */
768  Assert(rdata->len >= SizeOfXLogRecord);
769 
770  /* cross-check on whether we should be here or not */
771  if (!XLogInsertAllowed())
772  elog(ERROR, "cannot make new WAL entries during recovery");
773 
774  /*
775  * Given that we're not in recovery, InsertTimeLineID is set and can't
776  * change, so we can read it without a lock.
777  */
778  insertTLI = XLogCtl->InsertTimeLineID;
779 
780  /*----------
781  *
782  * We have now done all the preparatory work we can without holding a
783  * lock or modifying shared state. From here on, inserting the new WAL
784  * record to the shared WAL buffer cache is a two-step process:
785  *
786  * 1. Reserve the right amount of space from the WAL. The current head of
787  * reserved space is kept in Insert->CurrBytePos, and is protected by
788  * insertpos_lck.
789  *
790  * 2. Copy the record to the reserved WAL space. This involves finding the
791  * correct WAL buffer containing the reserved space, and copying the
792  * record in place. This can be done concurrently in multiple processes.
793  *
794  * To keep track of which insertions are still in-progress, each concurrent
795  * inserter acquires an insertion lock. In addition to just indicating that
796  * an insertion is in progress, the lock tells others how far the inserter
797  * has progressed. There is a small fixed number of insertion locks,
798  * determined by NUM_XLOGINSERT_LOCKS. When an inserter crosses a page
799  * boundary, it updates the value stored in the lock to the how far it has
800  * inserted, to allow the previous buffer to be flushed.
801  *
802  * Holding onto an insertion lock also protects RedoRecPtr and
803  * fullPageWrites from changing until the insertion is finished.
804  *
805  * Step 2 can usually be done completely in parallel. If the required WAL
806  * page is not initialized yet, you have to grab WALBufMappingLock to
807  * initialize it, but the WAL writer tries to do that ahead of insertions
808  * to avoid that from happening in the critical path.
809  *
810  *----------
811  */
813 
814  if (likely(class == WALINSERT_NORMAL))
815  {
817 
818  /*
819  * Check to see if my copy of RedoRecPtr is out of date. If so, may
820  * have to go back and have the caller recompute everything. This can
821  * only happen just after a checkpoint, so it's better to be slow in
822  * this case and fast otherwise.
823  *
824  * Also check to see if fullPageWrites was just turned on or there's a
825  * running backup (which forces full-page writes); if we weren't
826  * already doing full-page writes then go back and recompute.
827  *
828  * If we aren't doing full-page writes then RedoRecPtr doesn't
829  * actually affect the contents of the XLOG record, so we'll update
830  * our local copy but not force a recomputation. (If doPageWrites was
831  * just turned off, we could recompute the record without full pages,
832  * but we choose not to bother.)
833  */
834  if (RedoRecPtr != Insert->RedoRecPtr)
835  {
836  Assert(RedoRecPtr < Insert->RedoRecPtr);
837  RedoRecPtr = Insert->RedoRecPtr;
838  }
839  doPageWrites = (Insert->fullPageWrites || Insert->runningBackups > 0);
840 
841  if (doPageWrites &&
842  (!prevDoPageWrites ||
843  (fpw_lsn != InvalidXLogRecPtr && fpw_lsn <= RedoRecPtr)))
844  {
845  /*
846  * Oops, some buffer now needs to be backed up that the caller
847  * didn't back up. Start over.
848  */
851  return InvalidXLogRecPtr;
852  }
853 
854  /*
855  * Reserve space for the record in the WAL. This also sets the xl_prev
856  * pointer.
857  */
858  ReserveXLogInsertLocation(rechdr->xl_tot_len, &StartPos, &EndPos,
859  &rechdr->xl_prev);
860 
861  /* Normal records are always inserted. */
862  inserted = true;
863  }
864  else if (class == WALINSERT_SPECIAL_SWITCH)
865  {
866  /*
867  * In order to insert an XLOG_SWITCH record, we need to hold all of
868  * the WAL insertion locks, not just one, so that no one else can
869  * begin inserting a record until we've figured out how much space
870  * remains in the current WAL segment and claimed all of it.
871  *
872  * Nonetheless, this case is simpler than the normal cases handled
873  * below, which must check for changes in doPageWrites and RedoRecPtr.
874  * Those checks are only needed for records that can contain buffer
875  * references, and an XLOG_SWITCH record never does.
876  */
877  Assert(fpw_lsn == InvalidXLogRecPtr);
879  inserted = ReserveXLogSwitch(&StartPos, &EndPos, &rechdr->xl_prev);
880  }
881  else
882  {
884 
885  /*
886  * We need to update both the local and shared copies of RedoRecPtr,
887  * which means that we need to hold all the WAL insertion locks.
888  * However, there can't be any buffer references, so as above, we need
889  * not check RedoRecPtr before inserting the record; we just need to
890  * update it afterwards.
891  */
892  Assert(fpw_lsn == InvalidXLogRecPtr);
894  ReserveXLogInsertLocation(rechdr->xl_tot_len, &StartPos, &EndPos,
895  &rechdr->xl_prev);
896  RedoRecPtr = Insert->RedoRecPtr = StartPos;
897  inserted = true;
898  }
899 
900  if (inserted)
901  {
902  /*
903  * Now that xl_prev has been filled in, calculate CRC of the record
904  * header.
905  */
906  rdata_crc = rechdr->xl_crc;
907  COMP_CRC32C(rdata_crc, rechdr, offsetof(XLogRecord, xl_crc));
908  FIN_CRC32C(rdata_crc);
909  rechdr->xl_crc = rdata_crc;
910 
911  /*
912  * All the record data, including the header, is now ready to be
913  * inserted. Copy the record in the space reserved.
914  */
916  class == WALINSERT_SPECIAL_SWITCH, rdata,
917  StartPos, EndPos, insertTLI);
918 
919  /*
920  * Unless record is flagged as not important, update LSN of last
921  * important record in the current slot. When holding all locks, just
922  * update the first one.
923  */
924  if ((flags & XLOG_MARK_UNIMPORTANT) == 0)
925  {
926  int lockno = holdingAllLocks ? 0 : MyLockNo;
927 
928  WALInsertLocks[lockno].l.lastImportantAt = StartPos;
929  }
930  }
931  else
932  {
933  /*
934  * This was an xlog-switch record, but the current insert location was
935  * already exactly at the beginning of a segment, so there was no need
936  * to do anything.
937  */
938  }
939 
940  /*
941  * Done! Let others know that we're finished.
942  */
944 
946 
948 
949  /*
950  * Mark top transaction id is logged (if needed) so that we should not try
951  * to log it again with the next WAL record in the current subtransaction.
952  */
953  if (topxid_included)
955 
956  /*
957  * Update shared LogwrtRqst.Write, if we crossed page boundary.
958  */
959  if (StartPos / XLOG_BLCKSZ != EndPos / XLOG_BLCKSZ)
960  {
962  /* advance global request to include new block(s) */
963  if (XLogCtl->LogwrtRqst.Write < EndPos)
964  XLogCtl->LogwrtRqst.Write = EndPos;
965  /* update local result copy while I have the chance */
968  }
969 
970  /*
971  * If this was an XLOG_SWITCH record, flush the record and the empty
972  * padding space that fills the rest of the segment, and perform
973  * end-of-segment actions (eg, notifying archiver).
974  */
975  if (class == WALINSERT_SPECIAL_SWITCH)
976  {
977  TRACE_POSTGRESQL_WAL_SWITCH();
978  XLogFlush(EndPos);
979 
980  /*
981  * Even though we reserved the rest of the segment for us, which is
982  * reflected in EndPos, we return a pointer to just the end of the
983  * xlog-switch record.
984  */
985  if (inserted)
986  {
987  EndPos = StartPos + SizeOfXLogRecord;
988  if (StartPos / XLOG_BLCKSZ != EndPos / XLOG_BLCKSZ)
989  {
990  uint64 offset = XLogSegmentOffset(EndPos, wal_segment_size);
991 
992  if (offset == EndPos % XLOG_BLCKSZ)
993  EndPos += SizeOfXLogLongPHD;
994  else
995  EndPos += SizeOfXLogShortPHD;
996  }
997  }
998  }
999 
1000 #ifdef WAL_DEBUG
1001  if (XLOG_DEBUG)
1002  {
1003  static XLogReaderState *debug_reader = NULL;
1004  XLogRecord *record;
1005  DecodedXLogRecord *decoded;
1007  StringInfoData recordBuf;
1008  char *errormsg = NULL;
1009  MemoryContext oldCxt;
1010 
1011  oldCxt = MemoryContextSwitchTo(walDebugCxt);
1012 
1013  initStringInfo(&buf);
1014  appendStringInfo(&buf, "INSERT @ %X/%X: ", LSN_FORMAT_ARGS(EndPos));
1015 
1016  /*
1017  * We have to piece together the WAL record data from the XLogRecData
1018  * entries, so that we can pass it to the rm_desc function as one
1019  * contiguous chunk.
1020  */
1021  initStringInfo(&recordBuf);
1022  for (; rdata != NULL; rdata = rdata->next)
1023  appendBinaryStringInfo(&recordBuf, rdata->data, rdata->len);
1024 
1025  /* We also need temporary space to decode the record. */
1026  record = (XLogRecord *) recordBuf.data;
1027  decoded = (DecodedXLogRecord *)
1029 
1030  if (!debug_reader)
1031  debug_reader = XLogReaderAllocate(wal_segment_size, NULL,
1032  XL_ROUTINE(), NULL);
1033 
1034  if (!debug_reader)
1035  {
1036  appendStringInfoString(&buf, "error decoding record: out of memory while allocating a WAL reading processor");
1037  }
1038  else if (!DecodeXLogRecord(debug_reader,
1039  decoded,
1040  record,
1041  EndPos,
1042  &errormsg))
1043  {
1044  appendStringInfo(&buf, "error decoding record: %s",
1045  errormsg ? errormsg : "no error message");
1046  }
1047  else
1048  {
1049  appendStringInfoString(&buf, " - ");
1050 
1051  debug_reader->record = decoded;
1052  xlog_outdesc(&buf, debug_reader);
1053  debug_reader->record = NULL;
1054  }
1055  elog(LOG, "%s", buf.data);
1056 
1057  pfree(decoded);
1058  pfree(buf.data);
1059  pfree(recordBuf.data);
1060  MemoryContextSwitchTo(oldCxt);
1061  }
1062 #endif
1063 
1064  /*
1065  * Update our global variables
1066  */
1067  ProcLastRecPtr = StartPos;
1068  XactLastRecEnd = EndPos;
1069 
1070  /* Report WAL traffic to the instrumentation. */
1071  if (inserted)
1072  {
1073  pgWalUsage.wal_bytes += rechdr->xl_tot_len;
1075  pgWalUsage.wal_fpi += num_fpi;
1076  }
1077 
1078  return EndPos;
1079 }
1080 
1081 /*
1082  * Reserves the right amount of space for a record of given size from the WAL.
1083  * *StartPos is set to the beginning of the reserved section, *EndPos to
1084  * its end+1. *PrevPtr is set to the beginning of the previous record; it is
1085  * used to set the xl_prev of this record.
1086  *
1087  * This is the performance critical part of XLogInsert that must be serialized
1088  * across backends. The rest can happen mostly in parallel. Try to keep this
1089  * section as short as possible, insertpos_lck can be heavily contended on a
1090  * busy system.
1091  *
1092  * NB: The space calculation here must match the code in CopyXLogRecordToWAL,
1093  * where we actually copy the record to the reserved space.
1094  *
1095  * NB: Testing shows that XLogInsertRecord runs faster if this code is inlined;
1096  * however, because there are two call sites, the compiler is reluctant to
1097  * inline. We use pg_attribute_always_inline here to try to convince it.
1098  */
1099 static pg_attribute_always_inline void
1100 ReserveXLogInsertLocation(int size, XLogRecPtr *StartPos, XLogRecPtr *EndPos,
1101  XLogRecPtr *PrevPtr)
1102 {
1104  uint64 startbytepos;
1105  uint64 endbytepos;
1106  uint64 prevbytepos;
1107 
1108  size = MAXALIGN(size);
1109 
1110  /* All (non xlog-switch) records should contain data. */
1111  Assert(size > SizeOfXLogRecord);
1112 
1113  /*
1114  * The duration the spinlock needs to be held is minimized by minimizing
1115  * the calculations that have to be done while holding the lock. The
1116  * current tip of reserved WAL is kept in CurrBytePos, as a byte position
1117  * that only counts "usable" bytes in WAL, that is, it excludes all WAL
1118  * page headers. The mapping between "usable" byte positions and physical
1119  * positions (XLogRecPtrs) can be done outside the locked region, and
1120  * because the usable byte position doesn't include any headers, reserving
1121  * X bytes from WAL is almost as simple as "CurrBytePos += X".
1122  */
1123  SpinLockAcquire(&Insert->insertpos_lck);
1124 
1125  startbytepos = Insert->CurrBytePos;
1126  endbytepos = startbytepos + size;
1127  prevbytepos = Insert->PrevBytePos;
1128  Insert->CurrBytePos = endbytepos;
1129  Insert->PrevBytePos = startbytepos;
1130 
1131  SpinLockRelease(&Insert->insertpos_lck);
1132 
1133  *StartPos = XLogBytePosToRecPtr(startbytepos);
1134  *EndPos = XLogBytePosToEndRecPtr(endbytepos);
1135  *PrevPtr = XLogBytePosToRecPtr(prevbytepos);
1136 
1137  /*
1138  * Check that the conversions between "usable byte positions" and
1139  * XLogRecPtrs work consistently in both directions.
1140  */
1141  Assert(XLogRecPtrToBytePos(*StartPos) == startbytepos);
1142  Assert(XLogRecPtrToBytePos(*EndPos) == endbytepos);
1143  Assert(XLogRecPtrToBytePos(*PrevPtr) == prevbytepos);
1144 }
1145 
1146 /*
1147  * Like ReserveXLogInsertLocation(), but for an xlog-switch record.
1148  *
1149  * A log-switch record is handled slightly differently. The rest of the
1150  * segment will be reserved for this insertion, as indicated by the returned
1151  * *EndPos value. However, if we are already at the beginning of the current
1152  * segment, *StartPos and *EndPos are set to the current location without
1153  * reserving any space, and the function returns false.
1154 */
1155 static bool
1156 ReserveXLogSwitch(XLogRecPtr *StartPos, XLogRecPtr *EndPos, XLogRecPtr *PrevPtr)
1157 {
1159  uint64 startbytepos;
1160  uint64 endbytepos;
1161  uint64 prevbytepos;
1163  XLogRecPtr ptr;
1164  uint32 segleft;
1165 
1166  /*
1167  * These calculations are a bit heavy-weight to be done while holding a
1168  * spinlock, but since we're holding all the WAL insertion locks, there
1169  * are no other inserters competing for it. GetXLogInsertRecPtr() does
1170  * compete for it, but that's not called very frequently.
1171  */
1172  SpinLockAcquire(&Insert->insertpos_lck);
1173 
1174  startbytepos = Insert->CurrBytePos;
1175 
1176  ptr = XLogBytePosToEndRecPtr(startbytepos);
1177  if (XLogSegmentOffset(ptr, wal_segment_size) == 0)
1178  {
1179  SpinLockRelease(&Insert->insertpos_lck);
1180  *EndPos = *StartPos = ptr;
1181  return false;
1182  }
1183 
1184  endbytepos = startbytepos + size;
1185  prevbytepos = Insert->PrevBytePos;
1186 
1187  *StartPos = XLogBytePosToRecPtr(startbytepos);
1188  *EndPos = XLogBytePosToEndRecPtr(endbytepos);
1189 
1190  segleft = wal_segment_size - XLogSegmentOffset(*EndPos, wal_segment_size);
1191  if (segleft != wal_segment_size)
1192  {
1193  /* consume the rest of the segment */
1194  *EndPos += segleft;
1195  endbytepos = XLogRecPtrToBytePos(*EndPos);
1196  }
1197  Insert->CurrBytePos = endbytepos;
1198  Insert->PrevBytePos = startbytepos;
1199 
1200  SpinLockRelease(&Insert->insertpos_lck);
1201 
1202  *PrevPtr = XLogBytePosToRecPtr(prevbytepos);
1203 
1204  Assert(XLogSegmentOffset(*EndPos, wal_segment_size) == 0);
1205  Assert(XLogRecPtrToBytePos(*EndPos) == endbytepos);
1206  Assert(XLogRecPtrToBytePos(*StartPos) == startbytepos);
1207  Assert(XLogRecPtrToBytePos(*PrevPtr) == prevbytepos);
1208 
1209  return true;
1210 }
1211 
1212 /*
1213  * Subroutine of XLogInsertRecord. Copies a WAL record to an already-reserved
1214  * area in the WAL.
1215  */
1216 static void
1217 CopyXLogRecordToWAL(int write_len, bool isLogSwitch, XLogRecData *rdata,
1218  XLogRecPtr StartPos, XLogRecPtr EndPos, TimeLineID tli)
1219 {
1220  char *currpos;
1221  int freespace;
1222  int written;
1223  XLogRecPtr CurrPos;
1224  XLogPageHeader pagehdr;
1225 
1226  /*
1227  * Get a pointer to the right place in the right WAL buffer to start
1228  * inserting to.
1229  */
1230  CurrPos = StartPos;
1231  currpos = GetXLogBuffer(CurrPos, tli);
1232  freespace = INSERT_FREESPACE(CurrPos);
1233 
1234  /*
1235  * there should be enough space for at least the first field (xl_tot_len)
1236  * on this page.
1237  */
1238  Assert(freespace >= sizeof(uint32));
1239 
1240  /* Copy record data */
1241  written = 0;
1242  while (rdata != NULL)
1243  {
1244  char *rdata_data = rdata->data;
1245  int rdata_len = rdata->len;
1246 
1247  while (rdata_len > freespace)
1248  {
1249  /*
1250  * Write what fits on this page, and continue on the next page.
1251  */
1252  Assert(CurrPos % XLOG_BLCKSZ >= SizeOfXLogShortPHD || freespace == 0);
1253  memcpy(currpos, rdata_data, freespace);
1254  rdata_data += freespace;
1255  rdata_len -= freespace;
1256  written += freespace;
1257  CurrPos += freespace;
1258 
1259  /*
1260  * Get pointer to beginning of next page, and set the xlp_rem_len
1261  * in the page header. Set XLP_FIRST_IS_CONTRECORD.
1262  *
1263  * It's safe to set the contrecord flag and xlp_rem_len without a
1264  * lock on the page. All the other flags were already set when the
1265  * page was initialized, in AdvanceXLInsertBuffer, and we're the
1266  * only backend that needs to set the contrecord flag.
1267  */
1268  currpos = GetXLogBuffer(CurrPos, tli);
1269  pagehdr = (XLogPageHeader) currpos;
1270  pagehdr->xlp_rem_len = write_len - written;
1271  pagehdr->xlp_info |= XLP_FIRST_IS_CONTRECORD;
1272 
1273  /* skip over the page header */
1274  if (XLogSegmentOffset(CurrPos, wal_segment_size) == 0)
1275  {
1276  CurrPos += SizeOfXLogLongPHD;
1277  currpos += SizeOfXLogLongPHD;
1278  }
1279  else
1280  {
1281  CurrPos += SizeOfXLogShortPHD;
1282  currpos += SizeOfXLogShortPHD;
1283  }
1284  freespace = INSERT_FREESPACE(CurrPos);
1285  }
1286 
1287  Assert(CurrPos % XLOG_BLCKSZ >= SizeOfXLogShortPHD || rdata_len == 0);
1288  memcpy(currpos, rdata_data, rdata_len);
1289  currpos += rdata_len;
1290  CurrPos += rdata_len;
1291  freespace -= rdata_len;
1292  written += rdata_len;
1293 
1294  rdata = rdata->next;
1295  }
1296  Assert(written == write_len);
1297 
1298  /*
1299  * If this was an xlog-switch, it's not enough to write the switch record,
1300  * we also have to consume all the remaining space in the WAL segment. We
1301  * have already reserved that space, but we need to actually fill it.
1302  */
1303  if (isLogSwitch && XLogSegmentOffset(CurrPos, wal_segment_size) != 0)
1304  {
1305  /* An xlog-switch record doesn't contain any data besides the header */
1306  Assert(write_len == SizeOfXLogRecord);
1307 
1308  /* Assert that we did reserve the right amount of space */
1309  Assert(XLogSegmentOffset(EndPos, wal_segment_size) == 0);
1310 
1311  /* Use up all the remaining space on the current page */
1312  CurrPos += freespace;
1313 
1314  /*
1315  * Cause all remaining pages in the segment to be flushed, leaving the
1316  * XLog position where it should be, at the start of the next segment.
1317  * We do this one page at a time, to make sure we don't deadlock
1318  * against ourselves if wal_buffers < wal_segment_size.
1319  */
1320  while (CurrPos < EndPos)
1321  {
1322  /*
1323  * The minimal action to flush the page would be to call
1324  * WALInsertLockUpdateInsertingAt(CurrPos) followed by
1325  * AdvanceXLInsertBuffer(...). The page would be left initialized
1326  * mostly to zeros, except for the page header (always the short
1327  * variant, as this is never a segment's first page).
1328  *
1329  * The large vistas of zeros are good for compressibility, but the
1330  * headers interrupting them every XLOG_BLCKSZ (with values that
1331  * differ from page to page) are not. The effect varies with
1332  * compression tool, but bzip2 for instance compresses about an
1333  * order of magnitude worse if those headers are left in place.
1334  *
1335  * Rather than complicating AdvanceXLInsertBuffer itself (which is
1336  * called in heavily-loaded circumstances as well as this lightly-
1337  * loaded one) with variant behavior, we just use GetXLogBuffer
1338  * (which itself calls the two methods we need) to get the pointer
1339  * and zero most of the page. Then we just zero the page header.
1340  */
1341  currpos = GetXLogBuffer(CurrPos, tli);
1342  MemSet(currpos, 0, SizeOfXLogShortPHD);
1343 
1344  CurrPos += XLOG_BLCKSZ;
1345  }
1346  }
1347  else
1348  {
1349  /* Align the end position, so that the next record starts aligned */
1350  CurrPos = MAXALIGN64(CurrPos);
1351  }
1352 
1353  if (CurrPos != EndPos)
1354  elog(PANIC, "space reserved for WAL record does not match what was written");
1355 }
1356 
1357 /*
1358  * Acquire a WAL insertion lock, for inserting to WAL.
1359  */
1360 static void
1362 {
1363  bool immed;
1364 
1365  /*
1366  * It doesn't matter which of the WAL insertion locks we acquire, so try
1367  * the one we used last time. If the system isn't particularly busy, it's
1368  * a good bet that it's still available, and it's good to have some
1369  * affinity to a particular lock so that you don't unnecessarily bounce
1370  * cache lines between processes when there's no contention.
1371  *
1372  * If this is the first time through in this backend, pick a lock
1373  * (semi-)randomly. This allows the locks to be used evenly if you have a
1374  * lot of very short connections.
1375  */
1376  static int lockToTry = -1;
1377 
1378  if (lockToTry == -1)
1379  lockToTry = MyProc->pgprocno % NUM_XLOGINSERT_LOCKS;
1380  MyLockNo = lockToTry;
1381 
1382  /*
1383  * The insertingAt value is initially set to 0, as we don't know our
1384  * insert location yet.
1385  */
1387  if (!immed)
1388  {
1389  /*
1390  * If we couldn't get the lock immediately, try another lock next
1391  * time. On a system with more insertion locks than concurrent
1392  * inserters, this causes all the inserters to eventually migrate to a
1393  * lock that no-one else is using. On a system with more inserters
1394  * than locks, it still helps to distribute the inserters evenly
1395  * across the locks.
1396  */
1397  lockToTry = (lockToTry + 1) % NUM_XLOGINSERT_LOCKS;
1398  }
1399 }
1400 
1401 /*
1402  * Acquire all WAL insertion locks, to prevent other backends from inserting
1403  * to WAL.
1404  */
1405 static void
1407 {
1408  int i;
1409 
1410  /*
1411  * When holding all the locks, all but the last lock's insertingAt
1412  * indicator is set to 0xFFFFFFFFFFFFFFFF, which is higher than any real
1413  * XLogRecPtr value, to make sure that no-one blocks waiting on those.
1414  */
1415  for (i = 0; i < NUM_XLOGINSERT_LOCKS - 1; i++)
1416  {
1418  LWLockUpdateVar(&WALInsertLocks[i].l.lock,
1420  PG_UINT64_MAX);
1421  }
1422  /* Variable value reset to 0 at release */
1424 
1425  holdingAllLocks = true;
1426 }
1427 
1428 /*
1429  * Release our insertion lock (or locks, if we're holding them all).
1430  *
1431  * NB: Reset all variables to 0, so they cause LWLockWaitForVar to block the
1432  * next time the lock is acquired.
1433  */
1434 static void
1436 {
1437  if (holdingAllLocks)
1438  {
1439  int i;
1440 
1441  for (i = 0; i < NUM_XLOGINSERT_LOCKS; i++)
1444  0);
1445 
1446  holdingAllLocks = false;
1447  }
1448  else
1449  {
1452  0);
1453  }
1454 }
1455 
1456 /*
1457  * Update our insertingAt value, to let others know that we've finished
1458  * inserting up to that point.
1459  */
1460 static void
1462 {
1463  if (holdingAllLocks)
1464  {
1465  /*
1466  * We use the last lock to mark our actual position, see comments in
1467  * WALInsertLockAcquireExclusive.
1468  */
1471  insertingAt);
1472  }
1473  else
1476  insertingAt);
1477 }
1478 
1479 /*
1480  * Wait for any WAL insertions < upto to finish.
1481  *
1482  * Returns the location of the oldest insertion that is still in-progress.
1483  * Any WAL prior to that point has been fully copied into WAL buffers, and
1484  * can be flushed out to disk. Because this waits for any insertions older
1485  * than 'upto' to finish, the return value is always >= 'upto'.
1486  *
1487  * Note: When you are about to write out WAL, you must call this function
1488  * *before* acquiring WALWriteLock, to avoid deadlocks. This function might
1489  * need to wait for an insertion to finish (or at least advance to next
1490  * uninitialized page), and the inserter might need to evict an old WAL buffer
1491  * to make room for a new one, which in turn requires WALWriteLock.
1492  */
1493 static XLogRecPtr
1495 {
1496  uint64 bytepos;
1497  XLogRecPtr reservedUpto;
1498  XLogRecPtr finishedUpto;
1500  int i;
1501 
1502  if (MyProc == NULL)
1503  elog(PANIC, "cannot wait without a PGPROC structure");
1504 
1505  /* Read the current insert position */
1506  SpinLockAcquire(&Insert->insertpos_lck);
1507  bytepos = Insert->CurrBytePos;
1508  SpinLockRelease(&Insert->insertpos_lck);
1509  reservedUpto = XLogBytePosToEndRecPtr(bytepos);
1510 
1511  /*
1512  * No-one should request to flush a piece of WAL that hasn't even been
1513  * reserved yet. However, it can happen if there is a block with a bogus
1514  * LSN on disk, for example. XLogFlush checks for that situation and
1515  * complains, but only after the flush. Here we just assume that to mean
1516  * that all WAL that has been reserved needs to be finished. In this
1517  * corner-case, the return value can be smaller than 'upto' argument.
1518  */
1519  if (upto > reservedUpto)
1520  {
1521  ereport(LOG,
1522  (errmsg("request to flush past end of generated WAL; request %X/%X, current position %X/%X",
1523  LSN_FORMAT_ARGS(upto), LSN_FORMAT_ARGS(reservedUpto))));
1524  upto = reservedUpto;
1525  }
1526 
1527  /*
1528  * Loop through all the locks, sleeping on any in-progress insert older
1529  * than 'upto'.
1530  *
1531  * finishedUpto is our return value, indicating the point upto which all
1532  * the WAL insertions have been finished. Initialize it to the head of
1533  * reserved WAL, and as we iterate through the insertion locks, back it
1534  * out for any insertion that's still in progress.
1535  */
1536  finishedUpto = reservedUpto;
1537  for (i = 0; i < NUM_XLOGINSERT_LOCKS; i++)
1538  {
1539  XLogRecPtr insertingat = InvalidXLogRecPtr;
1540 
1541  do
1542  {
1543  /*
1544  * See if this insertion is in progress. LWLockWaitForVar will
1545  * wait for the lock to be released, or for the 'value' to be set
1546  * by a LWLockUpdateVar call. When a lock is initially acquired,
1547  * its value is 0 (InvalidXLogRecPtr), which means that we don't
1548  * know where it's inserting yet. We will have to wait for it. If
1549  * it's a small insertion, the record will most likely fit on the
1550  * same page and the inserter will release the lock without ever
1551  * calling LWLockUpdateVar. But if it has to sleep, it will
1552  * advertise the insertion point with LWLockUpdateVar before
1553  * sleeping.
1554  *
1555  * In this loop we are only waiting for insertions that started
1556  * before WaitXLogInsertionsToFinish was called. The lack of
1557  * memory barriers in the loop means that we might see locks as
1558  * "unused" that have since become used. This is fine because
1559  * they only can be used for later insertions that we would not
1560  * want to wait on anyway. Not taking a lock to acquire the
1561  * current insertingAt value means that we might see older
1562  * insertingAt values. This is also fine, because if we read a
1563  * value too old, we will add ourselves to the wait queue, which
1564  * contains atomic operations.
1565  */
1566  if (LWLockWaitForVar(&WALInsertLocks[i].l.lock,
1568  insertingat, &insertingat))
1569  {
1570  /* the lock was free, so no insertion in progress */
1571  insertingat = InvalidXLogRecPtr;
1572  break;
1573  }
1574 
1575  /*
1576  * This insertion is still in progress. Have to wait, unless the
1577  * inserter has proceeded past 'upto'.
1578  */
1579  } while (insertingat < upto);
1580 
1581  if (insertingat != InvalidXLogRecPtr && insertingat < finishedUpto)
1582  finishedUpto = insertingat;
1583  }
1584  return finishedUpto;
1585 }
1586 
1587 /*
1588  * Get a pointer to the right location in the WAL buffer containing the
1589  * given XLogRecPtr.
1590  *
1591  * If the page is not initialized yet, it is initialized. That might require
1592  * evicting an old dirty buffer from the buffer cache, which means I/O.
1593  *
1594  * The caller must ensure that the page containing the requested location
1595  * isn't evicted yet, and won't be evicted. The way to ensure that is to
1596  * hold onto a WAL insertion lock with the insertingAt position set to
1597  * something <= ptr. GetXLogBuffer() will update insertingAt if it needs
1598  * to evict an old page from the buffer. (This means that once you call
1599  * GetXLogBuffer() with a given 'ptr', you must not access anything before
1600  * that point anymore, and must not call GetXLogBuffer() with an older 'ptr'
1601  * later, because older buffers might be recycled already)
1602  */
1603 static char *
1605 {
1606  int idx;
1607  XLogRecPtr endptr;
1608  static uint64 cachedPage = 0;
1609  static char *cachedPos = NULL;
1610  XLogRecPtr expectedEndPtr;
1611 
1612  /*
1613  * Fast path for the common case that we need to access again the same
1614  * page as last time.
1615  */
1616  if (ptr / XLOG_BLCKSZ == cachedPage)
1617  {
1618  Assert(((XLogPageHeader) cachedPos)->xlp_magic == XLOG_PAGE_MAGIC);
1619  Assert(((XLogPageHeader) cachedPos)->xlp_pageaddr == ptr - (ptr % XLOG_BLCKSZ));
1620  return cachedPos + ptr % XLOG_BLCKSZ;
1621  }
1622 
1623  /*
1624  * The XLog buffer cache is organized so that a page is always loaded to a
1625  * particular buffer. That way we can easily calculate the buffer a given
1626  * page must be loaded into, from the XLogRecPtr alone.
1627  */
1628  idx = XLogRecPtrToBufIdx(ptr);
1629 
1630  /*
1631  * See what page is loaded in the buffer at the moment. It could be the
1632  * page we're looking for, or something older. It can't be anything newer
1633  * - that would imply the page we're looking for has already been written
1634  * out to disk and evicted, and the caller is responsible for making sure
1635  * that doesn't happen.
1636  *
1637  * However, we don't hold a lock while we read the value. If someone has
1638  * just initialized the page, it's possible that we get a "torn read" of
1639  * the XLogRecPtr if 64-bit fetches are not atomic on this platform. In
1640  * that case we will see a bogus value. That's ok, we'll grab the mapping
1641  * lock (in AdvanceXLInsertBuffer) and retry if we see anything else than
1642  * the page we're looking for. But it means that when we do this unlocked
1643  * read, we might see a value that appears to be ahead of the page we're
1644  * looking for. Don't PANIC on that, until we've verified the value while
1645  * holding the lock.
1646  */
1647  expectedEndPtr = ptr;
1648  expectedEndPtr += XLOG_BLCKSZ - ptr % XLOG_BLCKSZ;
1649 
1650  endptr = XLogCtl->xlblocks[idx];
1651  if (expectedEndPtr != endptr)
1652  {
1653  XLogRecPtr initializedUpto;
1654 
1655  /*
1656  * Before calling AdvanceXLInsertBuffer(), which can block, let others
1657  * know how far we're finished with inserting the record.
1658  *
1659  * NB: If 'ptr' points to just after the page header, advertise a
1660  * position at the beginning of the page rather than 'ptr' itself. If
1661  * there are no other insertions running, someone might try to flush
1662  * up to our advertised location. If we advertised a position after
1663  * the page header, someone might try to flush the page header, even
1664  * though page might actually not be initialized yet. As the first
1665  * inserter on the page, we are effectively responsible for making
1666  * sure that it's initialized, before we let insertingAt to move past
1667  * the page header.
1668  */
1669  if (ptr % XLOG_BLCKSZ == SizeOfXLogShortPHD &&
1670  XLogSegmentOffset(ptr, wal_segment_size) > XLOG_BLCKSZ)
1671  initializedUpto = ptr - SizeOfXLogShortPHD;
1672  else if (ptr % XLOG_BLCKSZ == SizeOfXLogLongPHD &&
1673  XLogSegmentOffset(ptr, wal_segment_size) < XLOG_BLCKSZ)
1674  initializedUpto = ptr - SizeOfXLogLongPHD;
1675  else
1676  initializedUpto = ptr;
1677 
1678  WALInsertLockUpdateInsertingAt(initializedUpto);
1679 
1680  AdvanceXLInsertBuffer(ptr, tli, false);
1681  endptr = XLogCtl->xlblocks[idx];
1682 
1683  if (expectedEndPtr != endptr)
1684  elog(PANIC, "could not find WAL buffer for %X/%X",
1685  LSN_FORMAT_ARGS(ptr));
1686  }
1687  else
1688  {
1689  /*
1690  * Make sure the initialization of the page is visible to us, and
1691  * won't arrive later to overwrite the WAL data we write on the page.
1692  */
1694  }
1695 
1696  /*
1697  * Found the buffer holding this page. Return a pointer to the right
1698  * offset within the page.
1699  */
1700  cachedPage = ptr / XLOG_BLCKSZ;
1701  cachedPos = XLogCtl->pages + idx * (Size) XLOG_BLCKSZ;
1702 
1703  Assert(((XLogPageHeader) cachedPos)->xlp_magic == XLOG_PAGE_MAGIC);
1704  Assert(((XLogPageHeader) cachedPos)->xlp_pageaddr == ptr - (ptr % XLOG_BLCKSZ));
1705 
1706  return cachedPos + ptr % XLOG_BLCKSZ;
1707 }
1708 
1709 /*
1710  * Converts a "usable byte position" to XLogRecPtr. A usable byte position
1711  * is the position starting from the beginning of WAL, excluding all WAL
1712  * page headers.
1713  */
1714 static XLogRecPtr
1715 XLogBytePosToRecPtr(uint64 bytepos)
1716 {
1717  uint64 fullsegs;
1718  uint64 fullpages;
1719  uint64 bytesleft;
1720  uint32 seg_offset;
1721  XLogRecPtr result;
1722 
1723  fullsegs = bytepos / UsableBytesInSegment;
1724  bytesleft = bytepos % UsableBytesInSegment;
1725 
1726  if (bytesleft < XLOG_BLCKSZ - SizeOfXLogLongPHD)
1727  {
1728  /* fits on first page of segment */
1729  seg_offset = bytesleft + SizeOfXLogLongPHD;
1730  }
1731  else
1732  {
1733  /* account for the first page on segment with long header */
1734  seg_offset = XLOG_BLCKSZ;
1735  bytesleft -= XLOG_BLCKSZ - SizeOfXLogLongPHD;
1736 
1737  fullpages = bytesleft / UsableBytesInPage;
1738  bytesleft = bytesleft % UsableBytesInPage;
1739 
1740  seg_offset += fullpages * XLOG_BLCKSZ + bytesleft + SizeOfXLogShortPHD;
1741  }
1742 
1743  XLogSegNoOffsetToRecPtr(fullsegs, seg_offset, wal_segment_size, result);
1744 
1745  return result;
1746 }
1747 
1748 /*
1749  * Like XLogBytePosToRecPtr, but if the position is at a page boundary,
1750  * returns a pointer to the beginning of the page (ie. before page header),
1751  * not to where the first xlog record on that page would go to. This is used
1752  * when converting a pointer to the end of a record.
1753  */
1754 static XLogRecPtr
1755 XLogBytePosToEndRecPtr(uint64 bytepos)
1756 {
1757  uint64 fullsegs;
1758  uint64 fullpages;
1759  uint64 bytesleft;
1760  uint32 seg_offset;
1761  XLogRecPtr result;
1762 
1763  fullsegs = bytepos / UsableBytesInSegment;
1764  bytesleft = bytepos % UsableBytesInSegment;
1765 
1766  if (bytesleft < XLOG_BLCKSZ - SizeOfXLogLongPHD)
1767  {
1768  /* fits on first page of segment */
1769  if (bytesleft == 0)
1770  seg_offset = 0;
1771  else
1772  seg_offset = bytesleft + SizeOfXLogLongPHD;
1773  }
1774  else
1775  {
1776  /* account for the first page on segment with long header */
1777  seg_offset = XLOG_BLCKSZ;
1778  bytesleft -= XLOG_BLCKSZ - SizeOfXLogLongPHD;
1779 
1780  fullpages = bytesleft / UsableBytesInPage;
1781  bytesleft = bytesleft % UsableBytesInPage;
1782 
1783  if (bytesleft == 0)
1784  seg_offset += fullpages * XLOG_BLCKSZ + bytesleft;
1785  else
1786  seg_offset += fullpages * XLOG_BLCKSZ + bytesleft + SizeOfXLogShortPHD;
1787  }
1788 
1789  XLogSegNoOffsetToRecPtr(fullsegs, seg_offset, wal_segment_size, result);
1790 
1791  return result;
1792 }
1793 
1794 /*
1795  * Convert an XLogRecPtr to a "usable byte position".
1796  */
1797 static uint64
1799 {
1800  uint64 fullsegs;
1801  uint32 fullpages;
1802  uint32 offset;
1803  uint64 result;
1804 
1805  XLByteToSeg(ptr, fullsegs, wal_segment_size);
1806 
1807  fullpages = (XLogSegmentOffset(ptr, wal_segment_size)) / XLOG_BLCKSZ;
1808  offset = ptr % XLOG_BLCKSZ;
1809 
1810  if (fullpages == 0)
1811  {
1812  result = fullsegs * UsableBytesInSegment;
1813  if (offset > 0)
1814  {
1815  Assert(offset >= SizeOfXLogLongPHD);
1816  result += offset - SizeOfXLogLongPHD;
1817  }
1818  }
1819  else
1820  {
1821  result = fullsegs * UsableBytesInSegment +
1822  (XLOG_BLCKSZ - SizeOfXLogLongPHD) + /* account for first page */
1823  (fullpages - 1) * UsableBytesInPage; /* full pages */
1824  if (offset > 0)
1825  {
1826  Assert(offset >= SizeOfXLogShortPHD);
1827  result += offset - SizeOfXLogShortPHD;
1828  }
1829  }
1830 
1831  return result;
1832 }
1833 
1834 /*
1835  * Initialize XLOG buffers, writing out old buffers if they still contain
1836  * unwritten data, upto the page containing 'upto'. Or if 'opportunistic' is
1837  * true, initialize as many pages as we can without having to write out
1838  * unwritten data. Any new pages are initialized to zeros, with pages headers
1839  * initialized properly.
1840  */
1841 static void
1842 AdvanceXLInsertBuffer(XLogRecPtr upto, TimeLineID tli, bool opportunistic)
1843 {
1845  int nextidx;
1846  XLogRecPtr OldPageRqstPtr;
1847  XLogwrtRqst WriteRqst;
1848  XLogRecPtr NewPageEndPtr = InvalidXLogRecPtr;
1849  XLogRecPtr NewPageBeginPtr;
1850  XLogPageHeader NewPage;
1851  int npages pg_attribute_unused() = 0;
1852 
1853  LWLockAcquire(WALBufMappingLock, LW_EXCLUSIVE);
1854 
1855  /*
1856  * Now that we have the lock, check if someone initialized the page
1857  * already.
1858  */
1859  while (upto >= XLogCtl->InitializedUpTo || opportunistic)
1860  {
1862 
1863  /*
1864  * Get ending-offset of the buffer page we need to replace (this may
1865  * be zero if the buffer hasn't been used yet). Fall through if it's
1866  * already written out.
1867  */
1868  OldPageRqstPtr = XLogCtl->xlblocks[nextidx];
1869  if (LogwrtResult.Write < OldPageRqstPtr)
1870  {
1871  /*
1872  * Nope, got work to do. If we just want to pre-initialize as much
1873  * as we can without flushing, give up now.
1874  */
1875  if (opportunistic)
1876  break;
1877 
1878  /* Before waiting, get info_lck and update LogwrtResult */
1880  if (XLogCtl->LogwrtRqst.Write < OldPageRqstPtr)
1881  XLogCtl->LogwrtRqst.Write = OldPageRqstPtr;
1884 
1885  /*
1886  * Now that we have an up-to-date LogwrtResult value, see if we
1887  * still need to write it or if someone else already did.
1888  */
1889  if (LogwrtResult.Write < OldPageRqstPtr)
1890  {
1891  /*
1892  * Must acquire write lock. Release WALBufMappingLock first,
1893  * to make sure that all insertions that we need to wait for
1894  * can finish (up to this same position). Otherwise we risk
1895  * deadlock.
1896  */
1897  LWLockRelease(WALBufMappingLock);
1898 
1899  WaitXLogInsertionsToFinish(OldPageRqstPtr);
1900 
1901  LWLockAcquire(WALWriteLock, LW_EXCLUSIVE);
1902 
1904  if (LogwrtResult.Write >= OldPageRqstPtr)
1905  {
1906  /* OK, someone wrote it already */
1907  LWLockRelease(WALWriteLock);
1908  }
1909  else
1910  {
1911  /* Have to write it ourselves */
1912  TRACE_POSTGRESQL_WAL_BUFFER_WRITE_DIRTY_START();
1913  WriteRqst.Write = OldPageRqstPtr;
1914  WriteRqst.Flush = 0;
1915  XLogWrite(WriteRqst, tli, false);
1916  LWLockRelease(WALWriteLock);
1918  TRACE_POSTGRESQL_WAL_BUFFER_WRITE_DIRTY_DONE();
1919  }
1920  /* Re-acquire WALBufMappingLock and retry */
1921  LWLockAcquire(WALBufMappingLock, LW_EXCLUSIVE);
1922  continue;
1923  }
1924  }
1925 
1926  /*
1927  * Now the next buffer slot is free and we can set it up to be the
1928  * next output page.
1929  */
1930  NewPageBeginPtr = XLogCtl->InitializedUpTo;
1931  NewPageEndPtr = NewPageBeginPtr + XLOG_BLCKSZ;
1932 
1933  Assert(XLogRecPtrToBufIdx(NewPageBeginPtr) == nextidx);
1934 
1935  NewPage = (XLogPageHeader) (XLogCtl->pages + nextidx * (Size) XLOG_BLCKSZ);
1936 
1937  /*
1938  * Be sure to re-zero the buffer so that bytes beyond what we've
1939  * written will look like zeroes and not valid XLOG records...
1940  */
1941  MemSet((char *) NewPage, 0, XLOG_BLCKSZ);
1942 
1943  /*
1944  * Fill the new page's header
1945  */
1946  NewPage->xlp_magic = XLOG_PAGE_MAGIC;
1947 
1948  /* NewPage->xlp_info = 0; */ /* done by memset */
1949  NewPage->xlp_tli = tli;
1950  NewPage->xlp_pageaddr = NewPageBeginPtr;
1951 
1952  /* NewPage->xlp_rem_len = 0; */ /* done by memset */
1953 
1954  /*
1955  * If online backup is not in progress, mark the header to indicate
1956  * that WAL records beginning in this page have removable backup
1957  * blocks. This allows the WAL archiver to know whether it is safe to
1958  * compress archived WAL data by transforming full-block records into
1959  * the non-full-block format. It is sufficient to record this at the
1960  * page level because we force a page switch (in fact a segment
1961  * switch) when starting a backup, so the flag will be off before any
1962  * records can be written during the backup. At the end of a backup,
1963  * the last page will be marked as all unsafe when perhaps only part
1964  * is unsafe, but at worst the archiver would miss the opportunity to
1965  * compress a few records.
1966  */
1967  if (Insert->runningBackups == 0)
1968  NewPage->xlp_info |= XLP_BKP_REMOVABLE;
1969 
1970  /*
1971  * If first page of an XLOG segment file, make it a long header.
1972  */
1973  if ((XLogSegmentOffset(NewPage->xlp_pageaddr, wal_segment_size)) == 0)
1974  {
1975  XLogLongPageHeader NewLongPage = (XLogLongPageHeader) NewPage;
1976 
1977  NewLongPage->xlp_sysid = ControlFile->system_identifier;
1978  NewLongPage->xlp_seg_size = wal_segment_size;
1979  NewLongPage->xlp_xlog_blcksz = XLOG_BLCKSZ;
1980  NewPage->xlp_info |= XLP_LONG_HEADER;
1981  }
1982 
1983  /*
1984  * Make sure the initialization of the page becomes visible to others
1985  * before the xlblocks update. GetXLogBuffer() reads xlblocks without
1986  * holding a lock.
1987  */
1988  pg_write_barrier();
1989 
1990  *((volatile XLogRecPtr *) &XLogCtl->xlblocks[nextidx]) = NewPageEndPtr;
1991 
1992  XLogCtl->InitializedUpTo = NewPageEndPtr;
1993 
1994  npages++;
1995  }
1996  LWLockRelease(WALBufMappingLock);
1997 
1998 #ifdef WAL_DEBUG
1999  if (XLOG_DEBUG && npages > 0)
2000  {
2001  elog(DEBUG1, "initialized %d pages, up to %X/%X",
2002  npages, LSN_FORMAT_ARGS(NewPageEndPtr));
2003  }
2004 #endif
2005 }
2006 
2007 /*
2008  * Calculate CheckPointSegments based on max_wal_size_mb and
2009  * checkpoint_completion_target.
2010  */
2011 static void
2013 {
2014  double target;
2015 
2016  /*-------
2017  * Calculate the distance at which to trigger a checkpoint, to avoid
2018  * exceeding max_wal_size_mb. This is based on two assumptions:
2019  *
2020  * a) we keep WAL for only one checkpoint cycle (prior to PG11 we kept
2021  * WAL for two checkpoint cycles to allow us to recover from the
2022  * secondary checkpoint if the first checkpoint failed, though we
2023  * only did this on the primary anyway, not on standby. Keeping just
2024  * one checkpoint simplifies processing and reduces disk space in
2025  * many smaller databases.)
2026  * b) during checkpoint, we consume checkpoint_completion_target *
2027  * number of segments consumed between checkpoints.
2028  *-------
2029  */
2030  target = (double) ConvertToXSegs(max_wal_size_mb, wal_segment_size) /
2032 
2033  /* round down */
2034  CheckPointSegments = (int) target;
2035 
2036  if (CheckPointSegments < 1)
2037  CheckPointSegments = 1;
2038 }
2039 
2040 void
2041 assign_max_wal_size(int newval, void *extra)
2042 {
2045 }
2046 
2047 void
2049 {
2052 }
2053 
2054 bool
2056 {
2057  if (!IsValidWalSegSize(*newval))
2058  {
2059  GUC_check_errdetail("The WAL segment size must be a power of two between 1 MB and 1 GB.");
2060  return false;
2061  }
2062 
2063  return true;
2064 }
2065 
2066 /*
2067  * GUC check_hook for max_slot_wal_keep_size
2068  *
2069  * We don't allow the value of max_slot_wal_keep_size other than -1 during the
2070  * binary upgrade. See start_postmaster() in pg_upgrade for more details.
2071  */
2072 bool
2074 {
2075  if (IsBinaryUpgrade && *newval != -1)
2076  {
2077  GUC_check_errdetail("\"%s\" must be set to -1 during binary upgrade mode.",
2078  "max_slot_wal_keep_size");
2079  return false;
2080  }
2081 
2082  return true;
2083 }
2084 
2085 /*
2086  * At a checkpoint, how many WAL segments to recycle as preallocated future
2087  * XLOG segments? Returns the highest segment that should be preallocated.
2088  */
2089 static XLogSegNo
2091 {
2092  XLogSegNo minSegNo;
2093  XLogSegNo maxSegNo;
2094  double distance;
2095  XLogSegNo recycleSegNo;
2096 
2097  /*
2098  * Calculate the segment numbers that min_wal_size_mb and max_wal_size_mb
2099  * correspond to. Always recycle enough segments to meet the minimum, and
2100  * remove enough segments to stay below the maximum.
2101  */
2102  minSegNo = lastredoptr / wal_segment_size +
2104  maxSegNo = lastredoptr / wal_segment_size +
2106 
2107  /*
2108  * Between those limits, recycle enough segments to get us through to the
2109  * estimated end of next checkpoint.
2110  *
2111  * To estimate where the next checkpoint will finish, assume that the
2112  * system runs steadily consuming CheckPointDistanceEstimate bytes between
2113  * every checkpoint.
2114  */
2116  /* add 10% for good measure. */
2117  distance *= 1.10;
2118 
2119  recycleSegNo = (XLogSegNo) ceil(((double) lastredoptr + distance) /
2121 
2122  if (recycleSegNo < minSegNo)
2123  recycleSegNo = minSegNo;
2124  if (recycleSegNo > maxSegNo)
2125  recycleSegNo = maxSegNo;
2126 
2127  return recycleSegNo;
2128 }
2129 
2130 /*
2131  * Check whether we've consumed enough xlog space that a checkpoint is needed.
2132  *
2133  * new_segno indicates a log file that has just been filled up (or read
2134  * during recovery). We measure the distance from RedoRecPtr to new_segno
2135  * and see if that exceeds CheckPointSegments.
2136  *
2137  * Note: it is caller's responsibility that RedoRecPtr is up-to-date.
2138  */
2139 bool
2141 {
2142  XLogSegNo old_segno;
2143 
2145 
2146  if (new_segno >= old_segno + (uint64) (CheckPointSegments - 1))
2147  return true;
2148  return false;
2149 }
2150 
2151 /*
2152  * Write and/or fsync the log at least as far as WriteRqst indicates.
2153  *
2154  * If flexible == true, we don't have to write as far as WriteRqst, but
2155  * may stop at any convenient boundary (such as a cache or logfile boundary).
2156  * This option allows us to avoid uselessly issuing multiple writes when a
2157  * single one would do.
2158  *
2159  * Must be called with WALWriteLock held. WaitXLogInsertionsToFinish(WriteRqst)
2160  * must be called before grabbing the lock, to make sure the data is ready to
2161  * write.
2162  */
2163 static void
2164 XLogWrite(XLogwrtRqst WriteRqst, TimeLineID tli, bool flexible)
2165 {
2166  bool ispartialpage;
2167  bool last_iteration;
2168  bool finishing_seg;
2169  int curridx;
2170  int npages;
2171  int startidx;
2172  uint32 startoffset;
2173 
2174  /* We should always be inside a critical section here */
2175  Assert(CritSectionCount > 0);
2176 
2177  /*
2178  * Update local LogwrtResult (caller probably did this already, but...)
2179  */
2181 
2182  /*
2183  * Since successive pages in the xlog cache are consecutively allocated,
2184  * we can usually gather multiple pages together and issue just one
2185  * write() call. npages is the number of pages we have determined can be
2186  * written together; startidx is the cache block index of the first one,
2187  * and startoffset is the file offset at which it should go. The latter
2188  * two variables are only valid when npages > 0, but we must initialize
2189  * all of them to keep the compiler quiet.
2190  */
2191  npages = 0;
2192  startidx = 0;
2193  startoffset = 0;
2194 
2195  /*
2196  * Within the loop, curridx is the cache block index of the page to
2197  * consider writing. Begin at the buffer containing the next unwritten
2198  * page, or last partially written page.
2199  */
2201 
2202  while (LogwrtResult.Write < WriteRqst.Write)
2203  {
2204  /*
2205  * Make sure we're not ahead of the insert process. This could happen
2206  * if we're passed a bogus WriteRqst.Write that is past the end of the
2207  * last page that's been initialized by AdvanceXLInsertBuffer.
2208  */
2209  XLogRecPtr EndPtr = XLogCtl->xlblocks[curridx];
2210 
2211  if (LogwrtResult.Write >= EndPtr)
2212  elog(PANIC, "xlog write request %X/%X is past end of log %X/%X",
2214  LSN_FORMAT_ARGS(EndPtr));
2215 
2216  /* Advance LogwrtResult.Write to end of current buffer page */
2217  LogwrtResult.Write = EndPtr;
2218  ispartialpage = WriteRqst.Write < LogwrtResult.Write;
2219 
2222  {
2223  /*
2224  * Switch to new logfile segment. We cannot have any pending
2225  * pages here (since we dump what we have at segment end).
2226  */
2227  Assert(npages == 0);
2228  if (openLogFile >= 0)
2229  XLogFileClose();
2232  openLogTLI = tli;
2233 
2234  /* create/use new log file */
2237  }
2238 
2239  /* Make sure we have the current logfile open */
2240  if (openLogFile < 0)
2241  {
2244  openLogTLI = tli;
2247  }
2248 
2249  /* Add current page to the set of pending pages-to-dump */
2250  if (npages == 0)
2251  {
2252  /* first of group */
2253  startidx = curridx;
2254  startoffset = XLogSegmentOffset(LogwrtResult.Write - XLOG_BLCKSZ,
2256  }
2257  npages++;
2258 
2259  /*
2260  * Dump the set if this will be the last loop iteration, or if we are
2261  * at the last page of the cache area (since the next page won't be
2262  * contiguous in memory), or if we are at the end of the logfile
2263  * segment.
2264  */
2265  last_iteration = WriteRqst.Write <= LogwrtResult.Write;
2266 
2267  finishing_seg = !ispartialpage &&
2268  (startoffset + npages * XLOG_BLCKSZ) >= wal_segment_size;
2269 
2270  if (last_iteration ||
2271  curridx == XLogCtl->XLogCacheBlck ||
2272  finishing_seg)
2273  {
2274  char *from;
2275  Size nbytes;
2276  Size nleft;
2277  int written;
2278  instr_time start;
2279 
2280  /* OK to write the page(s) */
2281  from = XLogCtl->pages + startidx * (Size) XLOG_BLCKSZ;
2282  nbytes = npages * (Size) XLOG_BLCKSZ;
2283  nleft = nbytes;
2284  do
2285  {
2286  errno = 0;
2287 
2288  /* Measure I/O timing to write WAL data */
2289  if (track_wal_io_timing)
2290  INSTR_TIME_SET_CURRENT(start);
2291  else
2292  INSTR_TIME_SET_ZERO(start);
2293 
2294  pgstat_report_wait_start(WAIT_EVENT_WAL_WRITE);
2295  written = pg_pwrite(openLogFile, from, nleft, startoffset);
2297 
2298  /*
2299  * Increment the I/O timing and the number of times WAL data
2300  * were written out to disk.
2301  */
2302  if (track_wal_io_timing)
2303  {
2304  instr_time end;
2305 
2308  }
2309 
2311 
2312  if (written <= 0)
2313  {
2314  char xlogfname[MAXFNAMELEN];
2315  int save_errno;
2316 
2317  if (errno == EINTR)
2318  continue;
2319 
2320  save_errno = errno;
2321  XLogFileName(xlogfname, tli, openLogSegNo,
2323  errno = save_errno;
2324  ereport(PANIC,
2326  errmsg("could not write to log file \"%s\" at offset %u, length %zu: %m",
2327  xlogfname, startoffset, nleft)));
2328  }
2329  nleft -= written;
2330  from += written;
2331  startoffset += written;
2332  } while (nleft > 0);
2333 
2334  npages = 0;
2335 
2336  /*
2337  * If we just wrote the whole last page of a logfile segment,
2338  * fsync the segment immediately. This avoids having to go back
2339  * and re-open prior segments when an fsync request comes along
2340  * later. Doing it here ensures that one and only one backend will
2341  * perform this fsync.
2342  *
2343  * This is also the right place to notify the Archiver that the
2344  * segment is ready to copy to archival storage, and to update the
2345  * timer for archive_timeout, and to signal for a checkpoint if
2346  * too many logfile segments have been used since the last
2347  * checkpoint.
2348  */
2349  if (finishing_seg)
2350  {
2352 
2353  /* signal that we need to wakeup walsenders later */
2355 
2356  LogwrtResult.Flush = LogwrtResult.Write; /* end of page */
2357 
2358  if (XLogArchivingActive())
2360 
2361  XLogCtl->lastSegSwitchTime = (pg_time_t) time(NULL);
2363 
2364  /*
2365  * Request a checkpoint if we've consumed too much xlog since
2366  * the last one. For speed, we first check using the local
2367  * copy of RedoRecPtr, which might be out of date; if it looks
2368  * like a checkpoint is needed, forcibly update RedoRecPtr and
2369  * recheck.
2370  */
2372  {
2373  (void) GetRedoRecPtr();
2376  }
2377  }
2378  }
2379 
2380  if (ispartialpage)
2381  {
2382  /* Only asked to write a partial page */
2383  LogwrtResult.Write = WriteRqst.Write;
2384  break;
2385  }
2386  curridx = NextBufIdx(curridx);
2387 
2388  /* If flexible, break out of loop as soon as we wrote something */
2389  if (flexible && npages == 0)
2390  break;
2391  }
2392 
2393  Assert(npages == 0);
2394 
2395  /*
2396  * If asked to flush, do so
2397  */
2398  if (LogwrtResult.Flush < WriteRqst.Flush &&
2400  {
2401  /*
2402  * Could get here without iterating above loop, in which case we might
2403  * have no open file or the wrong one. However, we do not need to
2404  * fsync more than one file.
2405  */
2408  {
2409  if (openLogFile >= 0 &&
2412  XLogFileClose();
2413  if (openLogFile < 0)
2414  {
2417  openLogTLI = tli;
2420  }
2421 
2423  }
2424 
2425  /* signal that we need to wakeup walsenders later */
2427 
2429  }
2430 
2431  /*
2432  * Update shared-memory status
2433  *
2434  * We make sure that the shared 'request' values do not fall behind the
2435  * 'result' values. This is not absolutely essential, but it saves some
2436  * code in a couple of places.
2437  */
2438  {
2446  }
2447 }
2448 
2449 /*
2450  * Record the LSN for an asynchronous transaction commit/abort
2451  * and nudge the WALWriter if there is work for it to do.
2452  * (This should not be called for synchronous commits.)
2453  */
2454 void
2456 {
2457  XLogRecPtr WriteRqstPtr = asyncXactLSN;
2458  bool sleeping;
2459  bool wakeup = false;
2460  XLogRecPtr prevAsyncXactLSN;
2461 
2464  sleeping = XLogCtl->WalWriterSleeping;
2465  prevAsyncXactLSN = XLogCtl->asyncXactLSN;
2466  if (XLogCtl->asyncXactLSN < asyncXactLSN)
2467  XLogCtl->asyncXactLSN = asyncXactLSN;
2469 
2470  /*
2471  * If somebody else already called this function with a more aggressive
2472  * LSN, they will have done what we needed (and perhaps more).
2473  */
2474  if (asyncXactLSN <= prevAsyncXactLSN)
2475  return;
2476 
2477  /*
2478  * If the WALWriter is sleeping, kick it to make it come out of low-power
2479  * mode, so that this async commit will reach disk within the expected
2480  * amount of time. Otherwise, determine whether it has enough WAL
2481  * available to flush, the same way that XLogBackgroundFlush() does.
2482  */
2483  if (sleeping)
2484  wakeup = true;
2485  else
2486  {
2487  int flushblocks;
2488 
2489  flushblocks =
2490  WriteRqstPtr / XLOG_BLCKSZ - LogwrtResult.Flush / XLOG_BLCKSZ;
2491 
2492  if (WalWriterFlushAfter == 0 || flushblocks >= WalWriterFlushAfter)
2493  wakeup = true;
2494  }
2495 
2498 }
2499 
2500 /*
2501  * Record the LSN up to which we can remove WAL because it's not required by
2502  * any replication slot.
2503  */
2504 void
2506 {
2510 }
2511 
2512 
2513 /*
2514  * Return the oldest LSN we must retain to satisfy the needs of some
2515  * replication slot.
2516  */
2517 static XLogRecPtr
2519 {
2520  XLogRecPtr retval;
2521 
2523  retval = XLogCtl->replicationSlotMinLSN;
2525 
2526  return retval;
2527 }
2528 
2529 /*
2530  * Advance minRecoveryPoint in control file.
2531  *
2532  * If we crash during recovery, we must reach this point again before the
2533  * database is consistent.
2534  *
2535  * If 'force' is true, 'lsn' argument is ignored. Otherwise, minRecoveryPoint
2536  * is only updated if it's not already greater than or equal to 'lsn'.
2537  */
2538 static void
2540 {
2541  /* Quick check using our local copy of the variable */
2542  if (!updateMinRecoveryPoint || (!force && lsn <= LocalMinRecoveryPoint))
2543  return;
2544 
2545  /*
2546  * An invalid minRecoveryPoint means that we need to recover all the WAL,
2547  * i.e., we're doing crash recovery. We never modify the control file's
2548  * value in that case, so we can short-circuit future checks here too. The
2549  * local values of minRecoveryPoint and minRecoveryPointTLI should not be
2550  * updated until crash recovery finishes. We only do this for the startup
2551  * process as it should not update its own reference of minRecoveryPoint
2552  * until it has finished crash recovery to make sure that all WAL
2553  * available is replayed in this case. This also saves from extra locks
2554  * taken on the control file from the startup process.
2555  */
2557  {
2558  updateMinRecoveryPoint = false;
2559  return;
2560  }
2561 
2562  LWLockAcquire(ControlFileLock, LW_EXCLUSIVE);
2563 
2564  /* update local copy */
2567 
2569  updateMinRecoveryPoint = false;
2570  else if (force || LocalMinRecoveryPoint < lsn)
2571  {
2572  XLogRecPtr newMinRecoveryPoint;
2573  TimeLineID newMinRecoveryPointTLI;
2574 
2575  /*
2576  * To avoid having to update the control file too often, we update it
2577  * all the way to the last record being replayed, even though 'lsn'
2578  * would suffice for correctness. This also allows the 'force' case
2579  * to not need a valid 'lsn' value.
2580  *
2581  * Another important reason for doing it this way is that the passed
2582  * 'lsn' value could be bogus, i.e., past the end of available WAL, if
2583  * the caller got it from a corrupted heap page. Accepting such a
2584  * value as the min recovery point would prevent us from coming up at
2585  * all. Instead, we just log a warning and continue with recovery.
2586  * (See also the comments about corrupt LSNs in XLogFlush.)
2587  */
2588  newMinRecoveryPoint = GetCurrentReplayRecPtr(&newMinRecoveryPointTLI);
2589  if (!force && newMinRecoveryPoint < lsn)
2590  elog(WARNING,
2591  "xlog min recovery request %X/%X is past current point %X/%X",
2592  LSN_FORMAT_ARGS(lsn), LSN_FORMAT_ARGS(newMinRecoveryPoint));
2593 
2594  /* update control file */
2595  if (ControlFile->minRecoveryPoint < newMinRecoveryPoint)
2596  {
2597  ControlFile->minRecoveryPoint = newMinRecoveryPoint;
2598  ControlFile->minRecoveryPointTLI = newMinRecoveryPointTLI;
2600  LocalMinRecoveryPoint = newMinRecoveryPoint;
2601  LocalMinRecoveryPointTLI = newMinRecoveryPointTLI;
2602 
2603  ereport(DEBUG2,
2604  (errmsg_internal("updated min recovery point to %X/%X on timeline %u",
2605  LSN_FORMAT_ARGS(newMinRecoveryPoint),
2606  newMinRecoveryPointTLI)));
2607  }
2608  }
2609  LWLockRelease(ControlFileLock);
2610 }
2611 
2612 /*
2613  * Ensure that all XLOG data through the given position is flushed to disk.
2614  *
2615  * NOTE: this differs from XLogWrite mainly in that the WALWriteLock is not
2616  * already held, and we try to avoid acquiring it if possible.
2617  */
2618 void
2620 {
2621  XLogRecPtr WriteRqstPtr;
2622  XLogwrtRqst WriteRqst;
2623  TimeLineID insertTLI = XLogCtl->InsertTimeLineID;
2624 
2625  /*
2626  * During REDO, we are reading not writing WAL. Therefore, instead of
2627  * trying to flush the WAL, we should update minRecoveryPoint instead. We
2628  * test XLogInsertAllowed(), not InRecovery, because we need checkpointer
2629  * to act this way too, and because when it tries to write the
2630  * end-of-recovery checkpoint, it should indeed flush.
2631  */
2632  if (!XLogInsertAllowed())
2633  {
2634  UpdateMinRecoveryPoint(record, false);
2635  return;
2636  }
2637 
2638  /* Quick exit if already known flushed */
2639  if (record <= LogwrtResult.Flush)
2640  return;
2641 
2642 #ifdef WAL_DEBUG
2643  if (XLOG_DEBUG)
2644  elog(LOG, "xlog flush request %X/%X; write %X/%X; flush %X/%X",
2645  LSN_FORMAT_ARGS(record),
2648 #endif
2649 
2651 
2652  /*
2653  * Since fsync is usually a horribly expensive operation, we try to
2654  * piggyback as much data as we can on each fsync: if we see any more data
2655  * entered into the xlog buffer, we'll write and fsync that too, so that
2656  * the final value of LogwrtResult.Flush is as large as possible. This
2657  * gives us some chance of avoiding another fsync immediately after.
2658  */
2659 
2660  /* initialize to given target; may increase below */
2661  WriteRqstPtr = record;
2662 
2663  /*
2664  * Now wait until we get the write lock, or someone else does the flush
2665  * for us.
2666  */
2667  for (;;)
2668  {
2669  XLogRecPtr insertpos;
2670 
2671  /* read LogwrtResult and update local state */
2673  if (WriteRqstPtr < XLogCtl->LogwrtRqst.Write)
2674  WriteRqstPtr = XLogCtl->LogwrtRqst.Write;
2677 
2678  /* done already? */
2679  if (record <= LogwrtResult.Flush)
2680  break;
2681 
2682  /*
2683  * Before actually performing the write, wait for all in-flight
2684  * insertions to the pages we're about to write to finish.
2685  */
2686  insertpos = WaitXLogInsertionsToFinish(WriteRqstPtr);
2687 
2688  /*
2689  * Try to get the write lock. If we can't get it immediately, wait
2690  * until it's released, and recheck if we still need to do the flush
2691  * or if the backend that held the lock did it for us already. This
2692  * helps to maintain a good rate of group committing when the system
2693  * is bottlenecked by the speed of fsyncing.
2694  */
2695  if (!LWLockAcquireOrWait(WALWriteLock, LW_EXCLUSIVE))
2696  {
2697  /*
2698  * The lock is now free, but we didn't acquire it yet. Before we
2699  * do, loop back to check if someone else flushed the record for
2700  * us already.
2701  */
2702  continue;
2703  }
2704 
2705  /* Got the lock; recheck whether request is satisfied */
2707  if (record <= LogwrtResult.Flush)
2708  {
2709  LWLockRelease(WALWriteLock);
2710  break;
2711  }
2712 
2713  /*
2714  * Sleep before flush! By adding a delay here, we may give further
2715  * backends the opportunity to join the backlog of group commit
2716  * followers; this can significantly improve transaction throughput,
2717  * at the risk of increasing transaction latency.
2718  *
2719  * We do not sleep if enableFsync is not turned on, nor if there are
2720  * fewer than CommitSiblings other backends with active transactions.
2721  */
2722  if (CommitDelay > 0 && enableFsync &&
2724  {
2726 
2727  /*
2728  * Re-check how far we can now flush the WAL. It's generally not
2729  * safe to call WaitXLogInsertionsToFinish while holding
2730  * WALWriteLock, because an in-progress insertion might need to
2731  * also grab WALWriteLock to make progress. But we know that all
2732  * the insertions up to insertpos have already finished, because
2733  * that's what the earlier WaitXLogInsertionsToFinish() returned.
2734  * We're only calling it again to allow insertpos to be moved
2735  * further forward, not to actually wait for anyone.
2736  */
2737  insertpos = WaitXLogInsertionsToFinish(insertpos);
2738  }
2739 
2740  /* try to write/flush later additions to XLOG as well */
2741  WriteRqst.Write = insertpos;
2742  WriteRqst.Flush = insertpos;
2743 
2744  XLogWrite(WriteRqst, insertTLI, false);
2745 
2746  LWLockRelease(WALWriteLock);
2747  /* done */
2748  break;
2749  }
2750 
2751  END_CRIT_SECTION();
2752 
2753  /* wake up walsenders now that we've released heavily contended locks */
2755 
2756  /*
2757  * If we still haven't flushed to the request point then we have a
2758  * problem; most likely, the requested flush point is past end of XLOG.
2759  * This has been seen to occur when a disk page has a corrupted LSN.
2760  *
2761  * Formerly we treated this as a PANIC condition, but that hurts the
2762  * system's robustness rather than helping it: we do not want to take down
2763  * the whole system due to corruption on one data page. In particular, if
2764  * the bad page is encountered again during recovery then we would be
2765  * unable to restart the database at all! (This scenario actually
2766  * happened in the field several times with 7.1 releases.) As of 8.4, bad
2767  * LSNs encountered during recovery are UpdateMinRecoveryPoint's problem;
2768  * the only time we can reach here during recovery is while flushing the
2769  * end-of-recovery checkpoint record, and we don't expect that to have a
2770  * bad LSN.
2771  *
2772  * Note that for calls from xact.c, the ERROR will be promoted to PANIC
2773  * since xact.c calls this routine inside a critical section. However,
2774  * calls from bufmgr.c are not within critical sections and so we will not
2775  * force a restart for a bad LSN on a data page.
2776  */
2777  if (LogwrtResult.Flush < record)
2778  elog(ERROR,
2779  "xlog flush request %X/%X is not satisfied --- flushed only to %X/%X",
2780  LSN_FORMAT_ARGS(record),
2782 }
2783 
2784 /*
2785  * Write & flush xlog, but without specifying exactly where to.
2786  *
2787  * We normally write only completed blocks; but if there is nothing to do on
2788  * that basis, we check for unwritten async commits in the current incomplete
2789  * block, and write through the latest one of those. Thus, if async commits
2790  * are not being used, we will write complete blocks only.
2791  *
2792  * If, based on the above, there's anything to write we do so immediately. But
2793  * to avoid calling fsync, fdatasync et. al. at a rate that'd impact
2794  * concurrent IO, we only flush WAL every wal_writer_delay ms, or if there's
2795  * more than wal_writer_flush_after unflushed blocks.
2796  *
2797  * We can guarantee that async commits reach disk after at most three
2798  * wal_writer_delay cycles. (When flushing complete blocks, we allow XLogWrite
2799  * to write "flexibly", meaning it can stop at the end of the buffer ring;
2800  * this makes a difference only with very high load or long wal_writer_delay,
2801  * but imposes one extra cycle for the worst case for async commits.)
2802  *
2803  * This routine is invoked periodically by the background walwriter process.
2804  *
2805  * Returns true if there was any work to do, even if we skipped flushing due
2806  * to wal_writer_delay/wal_writer_flush_after.
2807  */
2808 bool
2810 {
2811  XLogwrtRqst WriteRqst;
2812  bool flexible = true;
2813  static TimestampTz lastflush;
2814  TimestampTz now;
2815  int flushblocks;
2816  TimeLineID insertTLI;
2817 
2818  /* XLOG doesn't need flushing during recovery */
2819  if (RecoveryInProgress())
2820  return false;
2821 
2822  /*
2823  * Since we're not in recovery, InsertTimeLineID is set and can't change,
2824  * so we can read it without a lock.
2825  */
2826  insertTLI = XLogCtl->InsertTimeLineID;
2827 
2828  /* read LogwrtResult and update local state */
2831  WriteRqst = XLogCtl->LogwrtRqst;
2833 
2834  /* back off to last completed page boundary */
2835  WriteRqst.Write -= WriteRqst.Write % XLOG_BLCKSZ;
2836 
2837  /* if we have already flushed that far, consider async commit records */
2838  if (WriteRqst.Write <= LogwrtResult.Flush)
2839  {
2841  WriteRqst.Write = XLogCtl->asyncXactLSN;
2843  flexible = false; /* ensure it all gets written */
2844  }
2845 
2846  /*
2847  * If already known flushed, we're done. Just need to check if we are
2848  * holding an open file handle to a logfile that's no longer in use,
2849  * preventing the file from being deleted.
2850  */
2851  if (WriteRqst.Write <= LogwrtResult.Flush)
2852  {
2853  if (openLogFile >= 0)
2854  {
2857  {
2858  XLogFileClose();
2859  }
2860  }
2861  return false;
2862  }
2863 
2864  /*
2865  * Determine how far to flush WAL, based on the wal_writer_delay and
2866  * wal_writer_flush_after GUCs.
2867  *
2868  * Note that XLogSetAsyncXactLSN() performs similar calculation based on
2869  * wal_writer_flush_after, to decide when to wake us up. Make sure the
2870  * logic is the same in both places if you change this.
2871  */
2873  flushblocks =
2874  WriteRqst.Write / XLOG_BLCKSZ - LogwrtResult.Flush / XLOG_BLCKSZ;
2875 
2876  if (WalWriterFlushAfter == 0 || lastflush == 0)
2877  {
2878  /* first call, or block based limits disabled */
2879  WriteRqst.Flush = WriteRqst.Write;
2880  lastflush = now;
2881  }
2882  else if (TimestampDifferenceExceeds(lastflush, now, WalWriterDelay))
2883  {
2884  /*
2885  * Flush the writes at least every WalWriterDelay ms. This is
2886  * important to bound the amount of time it takes for an asynchronous
2887  * commit to hit disk.
2888  */
2889  WriteRqst.Flush = WriteRqst.Write;
2890  lastflush = now;
2891  }
2892  else if (flushblocks >= WalWriterFlushAfter)
2893  {
2894  /* exceeded wal_writer_flush_after blocks, flush */
2895  WriteRqst.Flush = WriteRqst.Write;
2896  lastflush = now;
2897  }
2898  else
2899  {
2900  /* no flushing, this time round */
2901  WriteRqst.Flush = 0;
2902  }
2903 
2904 #ifdef WAL_DEBUG
2905  if (XLOG_DEBUG)
2906  elog(LOG, "xlog bg flush request write %X/%X; flush: %X/%X, current is write %X/%X; flush %X/%X",
2907  LSN_FORMAT_ARGS(WriteRqst.Write),
2908  LSN_FORMAT_ARGS(WriteRqst.Flush),
2911 #endif
2912 
2914 
2915  /* now wait for any in-progress insertions to finish and get write lock */
2916  WaitXLogInsertionsToFinish(WriteRqst.Write);
2917  LWLockAcquire(WALWriteLock, LW_EXCLUSIVE);
2919  if (WriteRqst.Write > LogwrtResult.Write ||
2920  WriteRqst.Flush > LogwrtResult.Flush)
2921  {
2922  XLogWrite(WriteRqst, insertTLI, flexible);
2923  }
2924  LWLockRelease(WALWriteLock);
2925 
2926  END_CRIT_SECTION();
2927 
2928  /* wake up walsenders now that we've released heavily contended locks */
2930 
2931  /*
2932  * Great, done. To take some work off the critical path, try to initialize
2933  * as many of the no-longer-needed WAL buffers for future use as we can.
2934  */
2935  AdvanceXLInsertBuffer(InvalidXLogRecPtr, insertTLI, true);
2936 
2937  /*
2938  * If we determined that we need to write data, but somebody else
2939  * wrote/flushed already, it should be considered as being active, to
2940  * avoid hibernating too early.
2941  */
2942  return true;
2943 }
2944 
2945 /*
2946  * Test whether XLOG data has been flushed up to (at least) the given position.
2947  *
2948  * Returns true if a flush is still needed. (It may be that someone else
2949  * is already in process of flushing that far, however.)
2950  */
2951 bool
2953 {
2954  /*
2955  * During recovery, we don't flush WAL but update minRecoveryPoint
2956  * instead. So "needs flush" is taken to mean whether minRecoveryPoint
2957  * would need to be updated.
2958  */
2959  if (RecoveryInProgress())
2960  {
2961  /*
2962  * An invalid minRecoveryPoint means that we need to recover all the
2963  * WAL, i.e., we're doing crash recovery. We never modify the control
2964  * file's value in that case, so we can short-circuit future checks
2965  * here too. This triggers a quick exit path for the startup process,
2966  * which cannot update its local copy of minRecoveryPoint as long as
2967  * it has not replayed all WAL available when doing crash recovery.
2968  */
2970  updateMinRecoveryPoint = false;
2971 
2972  /* Quick exit if already known to be updated or cannot be updated */
2974  return false;
2975 
2976  /*
2977  * Update local copy of minRecoveryPoint. But if the lock is busy,
2978  * just return a conservative guess.
2979  */
2980  if (!LWLockConditionalAcquire(ControlFileLock, LW_SHARED))
2981  return true;
2984  LWLockRelease(ControlFileLock);
2985 
2986  /*
2987  * Check minRecoveryPoint for any other process than the startup
2988  * process doing crash recovery, which should not update the control
2989  * file value if crash recovery is still running.
2990  */
2992  updateMinRecoveryPoint = false;
2993 
2994  /* check again */
2996  return false;
2997  else
2998  return true;
2999  }
3000 
3001  /* Quick exit if already known flushed */
3002  if (record <= LogwrtResult.Flush)
3003  return false;
3004 
3005  /* read LogwrtResult and update local state */
3009 
3010  /* check again */
3011  if (record <= LogwrtResult.Flush)
3012  return false;
3013 
3014  return true;
3015 }
3016 
3017 /*
3018  * Try to make a given XLOG file segment exist.
3019  *
3020  * logsegno: identify segment.
3021  *
3022  * *added: on return, true if this call raised the number of extant segments.
3023  *
3024  * path: on return, this char[MAXPGPATH] has the path to the logsegno file.
3025  *
3026  * Returns -1 or FD of opened file. A -1 here is not an error; a caller
3027  * wanting an open segment should attempt to open "path", which usually will
3028  * succeed. (This is weird, but it's efficient for the callers.)
3029  */
3030 static int
3032  bool *added, char *path)
3033 {
3034  char tmppath[MAXPGPATH];
3035  XLogSegNo installed_segno;
3036  XLogSegNo max_segno;
3037  int fd;
3038  int save_errno;
3039  int open_flags = O_RDWR | O_CREAT | O_EXCL | PG_BINARY;
3040 
3041  Assert(logtli != 0);
3042 
3043  XLogFilePath(path, logtli, logsegno, wal_segment_size);
3044 
3045  /*
3046  * Try to use existent file (checkpoint maker may have created it already)
3047  */
3048  *added = false;
3049  fd = BasicOpenFile(path, O_RDWR | PG_BINARY | O_CLOEXEC |
3051  if (fd < 0)
3052  {
3053  if (errno != ENOENT)
3054  ereport(ERROR,
3056  errmsg("could not open file \"%s\": %m", path)));
3057  }
3058  else
3059  return fd;
3060 
3061  /*
3062  * Initialize an empty (all zeroes) segment. NOTE: it is possible that
3063  * another process is doing the same thing. If so, we will end up
3064  * pre-creating an extra log segment. That seems OK, and better than
3065  * holding the lock throughout this lengthy process.
3066  */
3067  elog(DEBUG2, "creating and filling new WAL file");
3068 
3069  snprintf(tmppath, MAXPGPATH, XLOGDIR "/xlogtemp.%d", (int) getpid());
3070 
3071  unlink(tmppath);
3072 
3074  open_flags |= PG_O_DIRECT;
3075 
3076  /* do not use get_sync_bit() here --- want to fsync only at end of fill */
3077  fd = BasicOpenFile(tmppath, open_flags);
3078  if (fd < 0)
3079  ereport(ERROR,
3081  errmsg("could not create file \"%s\": %m", tmppath)));
3082 
3083  pgstat_report_wait_start(WAIT_EVENT_WAL_INIT_WRITE);
3084  save_errno = 0;
3085  if (wal_init_zero)
3086  {
3087  ssize_t rc;
3088 
3089  /*
3090  * Zero-fill the file. With this setting, we do this the hard way to
3091  * ensure that all the file space has really been allocated. On
3092  * platforms that allow "holes" in files, just seeking to the end
3093  * doesn't allocate intermediate space. This way, we know that we
3094  * have all the space and (after the fsync below) that all the
3095  * indirect blocks are down on disk. Therefore, fdatasync(2) or
3096  * O_DSYNC will be sufficient to sync future writes to the log file.
3097  */
3099 
3100  if (rc < 0)
3101  save_errno = errno;
3102  }
3103  else
3104  {
3105  /*
3106  * Otherwise, seeking to the end and writing a solitary byte is
3107  * enough.
3108  */
3109  errno = 0;
3110  if (pg_pwrite(fd, "\0", 1, wal_segment_size - 1) != 1)
3111  {
3112  /* if write didn't set errno, assume no disk space */
3113  save_errno = errno ? errno : ENOSPC;
3114  }
3115  }
3117 
3118  if (save_errno)
3119  {
3120  /*
3121  * If we fail to make the file, delete it to release disk space
3122  */
3123  unlink(tmppath);
3124 
3125  close(fd);
3126 
3127  errno = save_errno;
3128 
3129  ereport(ERROR,
3131  errmsg("could not write to file \"%s\": %m", tmppath)));
3132  }
3133 
3134  pgstat_report_wait_start(WAIT_EVENT_WAL_INIT_SYNC);
3135  if (pg_fsync(fd) != 0)
3136  {
3137  save_errno = errno;
3138  close(fd);
3139  errno = save_errno;
3140  ereport(ERROR,
3142  errmsg("could not fsync file \"%s\": %m", tmppath)));
3143  }
3145 
3146  if (close(fd) != 0)
3147  ereport(ERROR,
3149  errmsg("could not close file \"%s\": %m", tmppath)));
3150 
3151  /*
3152  * Now move the segment into place with its final name. Cope with
3153  * possibility that someone else has created the file while we were
3154  * filling ours: if so, use ours to pre-create a future log segment.
3155  */
3156  installed_segno = logsegno;
3157 
3158  /*
3159  * XXX: What should we use as max_segno? We used to use XLOGfileslop when
3160  * that was a constant, but that was always a bit dubious: normally, at a
3161  * checkpoint, XLOGfileslop was the offset from the checkpoint record, but
3162  * here, it was the offset from the insert location. We can't do the
3163  * normal XLOGfileslop calculation here because we don't have access to
3164  * the prior checkpoint's redo location. So somewhat arbitrarily, just use
3165  * CheckPointSegments.
3166  */
3167  max_segno = logsegno + CheckPointSegments;
3168  if (InstallXLogFileSegment(&installed_segno, tmppath, true, max_segno,
3169  logtli))
3170  {
3171  *added = true;
3172  elog(DEBUG2, "done creating and filling new WAL file");
3173  }
3174  else
3175  {
3176  /*
3177  * No need for any more future segments, or InstallXLogFileSegment()
3178  * failed to rename the file into place. If the rename failed, a
3179  * caller opening the file may fail.
3180  */
3181  unlink(tmppath);
3182  elog(DEBUG2, "abandoned new WAL file");
3183  }
3184 
3185  return -1;
3186 }
3187 
3188 /*
3189  * Create a new XLOG file segment, or open a pre-existing one.
3190  *
3191  * logsegno: identify segment to be created/opened.
3192  *
3193  * Returns FD of opened file.
3194  *
3195  * Note: errors here are ERROR not PANIC because we might or might not be
3196  * inside a critical section (eg, during checkpoint there is no reason to
3197  * take down the system on failure). They will promote to PANIC if we are
3198  * in a critical section.
3199  */
3200 int
3202 {
3203  bool ignore_added;
3204  char path[MAXPGPATH];
3205  int fd;
3206 
3207  Assert(logtli != 0);
3208 
3209  fd = XLogFileInitInternal(logsegno, logtli, &ignore_added, path);
3210  if (fd >= 0)
3211  return fd;
3212 
3213  /* Now open original target segment (might not be file I just made) */
3214  fd = BasicOpenFile(path, O_RDWR | PG_BINARY | O_CLOEXEC |
3216  if (fd < 0)
3217  ereport(ERROR,
3219  errmsg("could not open file \"%s\": %m", path)));
3220  return fd;
3221 }
3222 
3223 /*
3224  * Create a new XLOG file segment by copying a pre-existing one.
3225  *
3226  * destsegno: identify segment to be created.
3227  *
3228  * srcTLI, srcsegno: identify segment to be copied (could be from
3229  * a different timeline)
3230  *
3231  * upto: how much of the source file to copy (the rest is filled with
3232  * zeros)
3233  *
3234  * Currently this is only used during recovery, and so there are no locking
3235  * considerations. But we should be just as tense as XLogFileInit to avoid
3236  * emplacing a bogus file.
3237  */
3238 static void
3239 XLogFileCopy(TimeLineID destTLI, XLogSegNo destsegno,
3240  TimeLineID srcTLI, XLogSegNo srcsegno,
3241  int upto)
3242 {
3243  char path[MAXPGPATH];
3244  char tmppath[MAXPGPATH];
3245  PGAlignedXLogBlock buffer;
3246  int srcfd;
3247  int fd;
3248  int nbytes;
3249 
3250  /*
3251  * Open the source file
3252  */
3253  XLogFilePath(path, srcTLI, srcsegno, wal_segment_size);
3254  srcfd = OpenTransientFile(path, O_RDONLY | PG_BINARY);
3255  if (srcfd < 0)
3256  ereport(ERROR,
3258  errmsg("could not open file \"%s\": %m", path)));
3259 
3260  /*
3261  * Copy into a temp file name.
3262  */
3263  snprintf(tmppath, MAXPGPATH, XLOGDIR "/xlogtemp.%d", (int) getpid());
3264 
3265  unlink(tmppath);
3266 
3267  /* do not use get_sync_bit() here --- want to fsync only at end of fill */
3268  fd = OpenTransientFile(tmppath, O_RDWR | O_CREAT | O_EXCL | PG_BINARY);
3269  if (fd < 0)
3270  ereport(ERROR,
3272  errmsg("could not create file \"%s\": %m", tmppath)));
3273 
3274  /*
3275  * Do the data copying.
3276  */
3277  for (nbytes = 0; nbytes < wal_segment_size; nbytes += sizeof(buffer))
3278  {
3279  int nread;
3280 
3281  nread = upto - nbytes;
3282 
3283  /*
3284  * The part that is not read from the source file is filled with
3285  * zeros.
3286  */
3287  if (nread < sizeof(buffer))
3288  memset(buffer.data, 0, sizeof(buffer));
3289 
3290  if (nread > 0)
3291  {
3292  int r;
3293 
3294  if (nread > sizeof(buffer))
3295  nread = sizeof(buffer);
3296  pgstat_report_wait_start(WAIT_EVENT_WAL_COPY_READ);
3297  r = read(srcfd, buffer.data, nread);
3298  if (r != nread)
3299  {
3300  if (r < 0)
3301  ereport(ERROR,
3303  errmsg("could not read file \"%s\": %m",
3304  path)));
3305  else
3306  ereport(ERROR,
3308  errmsg("could not read file \"%s\": read %d of %zu",
3309  path, r, (Size) nread)));
3310  }
3312  }
3313  errno = 0;
3314  pgstat_report_wait_start(WAIT_EVENT_WAL_COPY_WRITE);
3315  if ((int) write(fd, buffer.data, sizeof(buffer)) != (int) sizeof(buffer))
3316  {
3317  int save_errno = errno;
3318 
3319  /*
3320  * If we fail to make the file, delete it to release disk space
3321  */
3322  unlink(tmppath);
3323  /* if write didn't set errno, assume problem is no disk space */
3324  errno = save_errno ? save_errno : ENOSPC;
3325 
3326  ereport(ERROR,
3328  errmsg("could not write to file \"%s\": %m", tmppath)));
3329  }
3331  }
3332 
3333  pgstat_report_wait_start(WAIT_EVENT_WAL_COPY_SYNC);
3334  if (pg_fsync(fd) != 0)
3337  errmsg("could not fsync file \"%s\": %m", tmppath)));
3339 
3340  if (CloseTransientFile(fd) != 0)
3341  ereport(ERROR,
3343  errmsg("could not close file \"%s\": %m", tmppath)));
3344 
3345  if (CloseTransientFile(srcfd) != 0)
3346  ereport(ERROR,
3348  errmsg("could not close file \"%s\": %m", path)));
3349 
3350  /*
3351  * Now move the segment into place with its final name.
3352  */
3353  if (!InstallXLogFileSegment(&destsegno, tmppath, false, 0, destTLI))
3354  elog(ERROR, "InstallXLogFileSegment should not have failed");
3355 }
3356 
3357 /*
3358  * Install a new XLOG segment file as a current or future log segment.
3359  *
3360  * This is used both to install a newly-created segment (which has a temp
3361  * filename while it's being created) and to recycle an old segment.
3362  *
3363  * *segno: identify segment to install as (or first possible target).
3364  * When find_free is true, this is modified on return to indicate the
3365  * actual installation location or last segment searched.
3366  *
3367  * tmppath: initial name of file to install. It will be renamed into place.
3368  *
3369  * find_free: if true, install the new segment at the first empty segno
3370  * number at or after the passed numbers. If false, install the new segment
3371  * exactly where specified, deleting any existing segment file there.
3372  *
3373  * max_segno: maximum segment number to install the new file as. Fail if no
3374  * free slot is found between *segno and max_segno. (Ignored when find_free
3375  * is false.)
3376  *
3377  * tli: The timeline on which the new segment should be installed.
3378  *
3379  * Returns true if the file was installed successfully. false indicates that
3380  * max_segno limit was exceeded, the startup process has disabled this
3381  * function for now, or an error occurred while renaming the file into place.
3382  */
3383 static bool
3384 InstallXLogFileSegment(XLogSegNo *segno, char *tmppath,
3385  bool find_free, XLogSegNo max_segno, TimeLineID tli)
3386 {
3387  char path[MAXPGPATH];
3388  struct stat stat_buf;
3389 
3390  Assert(tli != 0);
3391 
3392  XLogFilePath(path, tli, *segno, wal_segment_size);
3393 
3394  LWLockAcquire(ControlFileLock, LW_EXCLUSIVE);
3396  {
3397  LWLockRelease(ControlFileLock);
3398  return false;
3399  }
3400 
3401  if (!find_free)
3402  {
3403  /* Force installation: get rid of any pre-existing segment file */
3404  durable_unlink(path, DEBUG1);
3405  }
3406  else
3407  {
3408  /* Find a free slot to put it in */
3409  while (stat(path, &stat_buf) == 0)
3410  {
3411  if ((*segno) >= max_segno)
3412  {
3413  /* Failed to find a free slot within specified range */
3414  LWLockRelease(ControlFileLock);
3415  return false;
3416  }
3417  (*segno)++;
3418  XLogFilePath(path, tli, *segno, wal_segment_size);
3419  }
3420  }
3421 
3422  Assert(access(path, F_OK) != 0 && errno == ENOENT);
3423  if (durable_rename(tmppath, path, LOG) != 0)
3424  {
3425  LWLockRelease(ControlFileLock);
3426  /* durable_rename already emitted log message */
3427  return false;
3428  }
3429 
3430  LWLockRelease(ControlFileLock);
3431 
3432  return true;
3433 }
3434 
3435 /*
3436  * Open a pre-existing logfile segment for writing.
3437  */
3438 int
3440 {
3441  char path[MAXPGPATH];
3442  int fd;
3443 
3444  XLogFilePath(path, tli, segno, wal_segment_size);
3445 
3446  fd = BasicOpenFile(path, O_RDWR | PG_BINARY | O_CLOEXEC |
3448  if (fd < 0)
3449  ereport(PANIC,
3451  errmsg("could not open file \"%s\": %m", path)));
3452 
3453  return fd;
3454 }
3455 
3456 /*
3457  * Close the current logfile segment for writing.
3458  */
3459 static void
3461 {
3462  Assert(openLogFile >= 0);
3463 
3464  /*
3465  * WAL segment files will not be re-read in normal operation, so we advise
3466  * the OS to release any cached pages. But do not do so if WAL archiving
3467  * or streaming is active, because archiver and walsender process could
3468  * use the cache to read the WAL segment.
3469  */
3470 #if defined(USE_POSIX_FADVISE) && defined(POSIX_FADV_DONTNEED)
3471  if (!XLogIsNeeded() && (io_direct_flags & IO_DIRECT_WAL) == 0)
3472  (void) posix_fadvise(openLogFile, 0, 0, POSIX_FADV_DONTNEED);
3473 #endif
3474 
3475  if (close(openLogFile) != 0)
3476  {
3477  char xlogfname[MAXFNAMELEN];
3478  int save_errno = errno;
3479 
3481  errno = save_errno;
3482  ereport(PANIC,
3484  errmsg("could not close file \"%s\": %m", xlogfname)));
3485  }
3486 
3487  openLogFile = -1;
3489 }
3490 
3491 /*
3492  * Preallocate log files beyond the specified log endpoint.
3493  *
3494  * XXX this is currently extremely conservative, since it forces only one
3495  * future log segment to exist, and even that only if we are 75% done with
3496  * the current one. This is only appropriate for very low-WAL-volume systems.
3497  * High-volume systems will be OK once they've built up a sufficient set of
3498  * recycled log segments, but the startup transient is likely to include
3499  * a lot of segment creations by foreground processes, which is not so good.
3500  *
3501  * XLogFileInitInternal() can ereport(ERROR). All known causes indicate big
3502  * trouble; for example, a full filesystem is one cause. The checkpoint WAL
3503  * and/or ControlFile updates already completed. If a RequestCheckpoint()
3504  * initiated the present checkpoint and an ERROR ends this function, the
3505  * command that called RequestCheckpoint() fails. That's not ideal, but it's
3506  * not worth contorting more functions to use caller-specified elevel values.
3507  * (With or without RequestCheckpoint(), an ERROR forestalls some inessential
3508  * reporting and resource reclamation.)
3509  */
3510 static void
3512 {
3513  XLogSegNo _logSegNo;
3514  int lf;
3515  bool added;
3516  char path[MAXPGPATH];
3517  uint64 offset;
3518 
3520  return; /* unlocked check says no */
3521 
3522  XLByteToPrevSeg(endptr, _logSegNo, wal_segment_size);
3523  offset = XLogSegmentOffset(endptr - 1, wal_segment_size);
3524  if (offset >= (uint32) (0.75 * wal_segment_size))
3525  {
3526  _logSegNo++;
3527  lf = XLogFileInitInternal(_logSegNo, tli, &added, path);
3528  if (lf >= 0)
3529  close(lf);
3530  if (added)
3532  }
3533 }
3534 
3535 /*
3536  * Throws an error if the given log segment has already been removed or
3537  * recycled. The caller should only pass a segment that it knows to have
3538  * existed while the server has been running, as this function always
3539  * succeeds if no WAL segments have been removed since startup.
3540  * 'tli' is only used in the error message.
3541  *
3542  * Note: this function guarantees to keep errno unchanged on return.
3543  * This supports callers that use this to possibly deliver a better
3544  * error message about a missing file, while still being able to throw
3545  * a normal file-access error afterwards, if this does return.
3546  */
3547 void
3549 {
3550  int save_errno = errno;
3551  XLogSegNo lastRemovedSegNo;
3552 
3554  lastRemovedSegNo = XLogCtl->lastRemovedSegNo;
3556 
3557  if (segno <= lastRemovedSegNo)
3558  {
3559  char filename[MAXFNAMELEN];
3560 
3561  XLogFileName(filename, tli, segno, wal_segment_size);
3562  errno = save_errno;
3563  ereport(ERROR,
3565  errmsg("requested WAL segment %s has already been removed",
3566  filename)));
3567  }
3568  errno = save_errno;
3569 }
3570 
3571 /*
3572  * Return the last WAL segment removed, or 0 if no segment has been removed
3573  * since startup.
3574  *
3575  * NB: the result can be out of date arbitrarily fast, the caller has to deal
3576  * with that.
3577  */
3578 XLogSegNo
3580 {
3581  XLogSegNo lastRemovedSegNo;
3582 
3584  lastRemovedSegNo = XLogCtl->lastRemovedSegNo;
3586 
3587  return lastRemovedSegNo;
3588 }
3589 
3590 
3591 /*
3592  * Update the last removed segno pointer in shared memory, to reflect that the
3593  * given XLOG file has been removed.
3594  */
3595 static void
3597 {
3598  uint32 tli;
3599  XLogSegNo segno;
3600 
3601  XLogFromFileName(filename, &tli, &segno, wal_segment_size);
3602 
3604  if (segno > XLogCtl->lastRemovedSegNo)
3605  XLogCtl->lastRemovedSegNo = segno;
3607 }
3608 
3609 /*
3610  * Remove all temporary log files in pg_wal
3611  *
3612  * This is called at the beginning of recovery after a previous crash,
3613  * at a point where no other processes write fresh WAL data.
3614  */
3615 static void
3617 {
3618  DIR *xldir;
3619  struct dirent *xlde;
3620 
3621  elog(DEBUG2, "removing all temporary WAL segments");
3622 
3623  xldir = AllocateDir(XLOGDIR);
3624  while ((xlde = ReadDir(xldir, XLOGDIR)) != NULL)
3625  {
3626  char path[MAXPGPATH];
3627 
3628  if (strncmp(xlde->d_name, "xlogtemp.", 9) != 0)
3629  continue;
3630 
3631  snprintf(path, MAXPGPATH, XLOGDIR "/%s", xlde->d_name);
3632  unlink(path);
3633  elog(DEBUG2, "removed temporary WAL segment \"%s\"", path);
3634  }
3635  FreeDir(xldir);
3636 }
3637 
3638 /*
3639  * Recycle or remove all log files older or equal to passed segno.
3640  *
3641  * endptr is current (or recent) end of xlog, and lastredoptr is the
3642  * redo pointer of the last checkpoint. These are used to determine
3643  * whether we want to recycle rather than delete no-longer-wanted log files.
3644  *
3645  * insertTLI is the current timeline for XLOG insertion. Any recycled
3646  * segments should be reused for this timeline.
3647  */
3648 static void
3650  TimeLineID insertTLI)
3651 {
3652  DIR *xldir;
3653  struct dirent *xlde;
3654  char lastoff[MAXFNAMELEN];
3655  XLogSegNo endlogSegNo;
3656  XLogSegNo recycleSegNo;
3657 
3658  /* Initialize info about where to try to recycle to */
3659  XLByteToSeg(endptr, endlogSegNo, wal_segment_size);
3660  recycleSegNo = XLOGfileslop(lastredoptr);
3661 
3662  /*
3663  * Construct a filename of the last segment to be kept. The timeline ID
3664  * doesn't matter, we ignore that in the comparison. (During recovery,
3665  * InsertTimeLineID isn't set, so we can't use that.)
3666  */
3667  XLogFileName(lastoff, 0, segno, wal_segment_size);
3668 
3669  elog(DEBUG2, "attempting to remove WAL segments older than log file %s",
3670  lastoff);
3671 
3672  xldir = AllocateDir(XLOGDIR);
3673 
3674  while ((xlde = ReadDir(xldir, XLOGDIR)) != NULL)
3675  {
3676  /* Ignore files that are not XLOG segments */
3677  if (!IsXLogFileName(xlde->d_name) &&
3678  !IsPartialXLogFileName(xlde->d_name))
3679  continue;
3680 
3681  /*
3682  * We ignore the timeline part of the XLOG segment identifiers in
3683  * deciding whether a segment is still needed. This ensures that we
3684  * won't prematurely remove a segment from a parent timeline. We could
3685  * probably be a little more proactive about removing segments of
3686  * non-parent timelines, but that would be a whole lot more
3687  * complicated.
3688  *
3689  * We use the alphanumeric sorting property of the filenames to decide
3690  * which ones are earlier than the lastoff segment.
3691  */
3692  if (strcmp(xlde->d_name + 8, lastoff + 8) <= 0)
3693  {
3694  if (XLogArchiveCheckDone(xlde->d_name))
3695  {
3696  /* Update the last removed location in shared memory first */
3698 
3699  RemoveXlogFile(xlde, recycleSegNo, &endlogSegNo, insertTLI);
3700  }
3701  }
3702  }
3703 
3704  FreeDir(xldir);
3705 }
3706 
3707 /*
3708  * Recycle or remove WAL files that are not part of the given timeline's
3709  * history.
3710  *
3711  * This is called during recovery, whenever we switch to follow a new
3712  * timeline, and at the end of recovery when we create a new timeline. We
3713  * wouldn't otherwise care about extra WAL files lying in pg_wal, but they
3714  * might be leftover pre-allocated or recycled WAL segments on the old timeline
3715  * that we haven't used yet, and contain garbage. If we just leave them in
3716  * pg_wal, they will eventually be archived, and we can't let that happen.
3717  * Files that belong to our timeline history are valid, because we have
3718  * successfully replayed them, but from others we can't be sure.
3719  *
3720  * 'switchpoint' is the current point in WAL where we switch to new timeline,
3721  * and 'newTLI' is the new timeline we switch to.
3722  */
3723 void
3725 {
3726  DIR *xldir;
3727  struct dirent *xlde;
3728  char switchseg[MAXFNAMELEN];
3729  XLogSegNo endLogSegNo;
3730  XLogSegNo switchLogSegNo;
3731  XLogSegNo recycleSegNo;
3732 
3733  /*
3734  * Initialize info about where to begin the work. This will recycle,
3735  * somewhat arbitrarily, 10 future segments.
3736  */
3737  XLByteToPrevSeg(switchpoint, switchLogSegNo, wal_segment_size);
3738  XLByteToSeg(switchpoint, endLogSegNo, wal_segment_size);
3739  recycleSegNo = endLogSegNo + 10;
3740 
3741  /*
3742  * Construct a filename of the last segment to be kept.
3743  */
3744  XLogFileName(switchseg, newTLI, switchLogSegNo, wal_segment_size);
3745 
3746  elog(DEBUG2, "attempting to remove WAL segments newer than log file %s",
3747  switchseg);
3748 
3749  xldir = AllocateDir(XLOGDIR);
3750 
3751  while ((xlde = ReadDir(xldir, XLOGDIR)) != NULL)
3752  {
3753  /* Ignore files that are not XLOG segments */
3754  if (!IsXLogFileName(xlde->d_name))
3755  continue;
3756 
3757  /*
3758  * Remove files that are on a timeline older than the new one we're
3759  * switching to, but with a segment number >= the first segment on the
3760  * new timeline.
3761  */
3762  if (strncmp(xlde->d_name, switchseg, 8) < 0 &&
3763  strcmp(xlde->d_name + 8, switchseg + 8) > 0)
3764  {
3765  /*
3766  * If the file has already been marked as .ready, however, don't
3767  * remove it yet. It should be OK to remove it - files that are
3768  * not part of our timeline history are not required for recovery
3769  * - but seems safer to let them be archived and removed later.
3770  */
3771  if (!XLogArchiveIsReady(xlde->d_name))
3772  RemoveXlogFile(xlde, recycleSegNo, &endLogSegNo, newTLI);
3773  }
3774  }
3775 
3776  FreeDir(xldir);
3777 }
3778 
3779 /*
3780  * Recycle or remove a log file that's no longer needed.
3781  *
3782  * segment_de is the dirent structure of the segment to recycle or remove.
3783  * recycleSegNo is the segment number to recycle up to. endlogSegNo is
3784  * the segment number of the current (or recent) end of WAL.
3785  *
3786  * endlogSegNo gets incremented if the segment is recycled so as it is not
3787  * checked again with future callers of this function.
3788  *
3789  * insertTLI is the current timeline for XLOG insertion. Any recycled segments
3790  * should be used for this timeline.
3791  */
3792 static void
3793 RemoveXlogFile(const struct dirent *segment_de,
3794  XLogSegNo recycleSegNo, XLogSegNo *endlogSegNo,
3795  TimeLineID insertTLI)
3796 {
3797  char path[MAXPGPATH];
3798 #ifdef WIN32
3799  char newpath[MAXPGPATH];
3800 #endif
3801  const char *segname = segment_de->d_name;
3802 
3803  snprintf(path, MAXPGPATH, XLOGDIR "/%s", segname);
3804 
3805  /*
3806  * Before deleting the file, see if it can be recycled as a future log
3807  * segment. Only recycle normal files, because we don't want to recycle
3808  * symbolic links pointing to a separate archive directory.
3809  */
3810  if (wal_recycle &&
3811  *endlogSegNo <= recycleSegNo &&
3812  XLogCtl->InstallXLogFileSegmentActive && /* callee rechecks this */
3813  get_dirent_type(path, segment_de, false, DEBUG2) == PGFILETYPE_REG &&
3814  InstallXLogFileSegment(endlogSegNo, path,
3815  true, recycleSegNo, insertTLI))
3816  {
3817  ereport(DEBUG2,
3818  (errmsg_internal("recycled write-ahead log file \"%s\"",
3819  segname)));
3821  /* Needn't recheck that slot on future iterations */
3822  (*endlogSegNo)++;
3823  }
3824  else
3825  {
3826  /* No need for any more future segments, or recycling failed ... */
3827  int rc;
3828 
3829  ereport(DEBUG2,
3830  (errmsg_internal("removing write-ahead log file \"%s\"",
3831  segname)));
3832 
3833 #ifdef WIN32
3834 
3835  /*
3836  * On Windows, if another process (e.g another backend) holds the file
3837  * open in FILE_SHARE_DELETE mode, unlink will succeed, but the file
3838  * will still show up in directory listing until the last handle is
3839  * closed. To avoid confusing the lingering deleted file for a live
3840  * WAL file that needs to be archived, rename it before deleting it.
3841  *
3842  * If another process holds the file open without FILE_SHARE_DELETE
3843  * flag, rename will fail. We'll try again at the next checkpoint.
3844  */
3845  snprintf(newpath, MAXPGPATH, "%s.deleted", path);
3846  if (rename(path, newpath) != 0)
3847  {
3848  ereport(LOG,
3850  errmsg("could not rename file \"%s\": %m",
3851  path)));
3852  return;
3853  }
3854  rc = durable_unlink(newpath, LOG);
3855 #else
3856  rc = durable_unlink(path, LOG);
3857 #endif
3858  if (rc != 0)
3859  {
3860  /* Message already logged by durable_unlink() */
3861  return;
3862  }
3864  }
3865 
3866  XLogArchiveCleanup(segname);
3867 }
3868 
3869 /*
3870  * Verify whether pg_wal and pg_wal/archive_status exist.
3871  * If the latter does not exist, recreate it.
3872  *
3873  * It is not the goal of this function to verify the contents of these
3874  * directories, but to help in cases where someone has performed a cluster
3875  * copy for PITR purposes but omitted pg_wal from the copy.
3876  *
3877  * We could also recreate pg_wal if it doesn't exist, but a deliberate
3878  * policy decision was made not to. It is fairly common for pg_wal to be
3879  * a symlink, and if that was the DBA's intent then automatically making a
3880  * plain directory would result in degraded performance with no notice.
3881  */
3882 static void
3884 {
3885  char path[MAXPGPATH];
3886  struct stat stat_buf;
3887 
3888  /* Check for pg_wal; if it doesn't exist, error out */
3889  if (stat(XLOGDIR, &stat_buf) != 0 ||
3890  !S_ISDIR(stat_buf.st_mode))
3891  ereport(FATAL,
3892  (errmsg("required WAL directory \"%s\" does not exist",
3893  XLOGDIR)));
3894 
3895  /* Check for archive_status */
3896  snprintf(path, MAXPGPATH, XLOGDIR "/archive_status");
3897  if (stat(path, &stat_buf) == 0)
3898  {
3899  /* Check for weird cases where it exists but isn't a directory */
3900  if (!S_ISDIR(stat_buf.st_mode))
3901  ereport(FATAL,
3902  (errmsg("required WAL directory \"%s\" does not exist",
3903  path)));
3904  }
3905  else
3906  {
3907  ereport(LOG,
3908  (errmsg("creating missing WAL directory \"%s\"", path)));
3909  if (MakePGDirectory(path) < 0)
3910  ereport(FATAL,
3911  (errmsg("could not create missing directory \"%s\": %m",
3912  path)));
3913  }
3914 }
3915 
3916 /*
3917  * Remove previous backup history files. This also retries creation of
3918  * .ready files for any backup history files for which XLogArchiveNotify
3919  * failed earlier.
3920  */
3921 static void
3923 {
3924  DIR *xldir;
3925  struct dirent *xlde;
3926  char path[MAXPGPATH + sizeof(XLOGDIR)];
3927 
3928  xldir = AllocateDir(XLOGDIR);
3929 
3930  while ((xlde = ReadDir(xldir, XLOGDIR)) != NULL)
3931  {
3932  if (IsBackupHistoryFileName(xlde->d_name))
3933  {
3934  if (XLogArchiveCheckDone(xlde->d_name))
3935  {
3936  elog(DEBUG2, "removing WAL backup history file \"%s\"",
3937  xlde->d_name);
3938  snprintf(path, sizeof(path), XLOGDIR "/%s", xlde->d_name);
3939  unlink(path);
3940  XLogArchiveCleanup(xlde->d_name);
3941  }
3942  }
3943  }
3944 
3945  FreeDir(xldir);
3946 }
3947 
3948 /*
3949  * I/O routines for pg_control
3950  *
3951  * *ControlFile is a buffer in shared memory that holds an image of the
3952  * contents of pg_control. WriteControlFile() initializes pg_control
3953  * given a preloaded buffer, ReadControlFile() loads the buffer from
3954  * the pg_control file (during postmaster or standalone-backend startup),
3955  * and UpdateControlFile() rewrites pg_control after we modify xlog state.
3956  * InitControlFile() fills the buffer with initial values.
3957  *
3958  * For simplicity, WriteControlFile() initializes the fields of pg_control
3959  * that are related to checking backend/database compatibility, and
3960  * ReadControlFile() verifies they are correct. We could split out the
3961  * I/O and compatibility-check functions, but there seems no need currently.
3962  */
3963 
3964 static void
3965 InitControlFile(uint64 sysidentifier)
3966 {
3967  char mock_auth_nonce[MOCK_AUTH_NONCE_LEN];
3968 
3969  /*
3970  * Generate a random nonce. This is used for authentication requests that
3971  * will fail because the user does not exist. The nonce is used to create
3972  * a genuine-looking password challenge for the non-existent user, in lieu
3973  * of an actual stored password.
3974  */
3975  if (!pg_strong_random(mock_auth_nonce, MOCK_AUTH_NONCE_LEN))
3976  ereport(PANIC,
3977  (errcode(ERRCODE_INTERNAL_ERROR),
3978  errmsg("could not generate secret authorization token")));
3979 
3980  memset(ControlFile, 0, sizeof(ControlFileData));
3981  /* Initialize pg_control status fields */
3982  ControlFile->system_identifier = sysidentifier;
3983  memcpy(ControlFile->mock_authentication_nonce, mock_auth_nonce, MOCK_AUTH_NONCE_LEN);
3986 
3987  /* Set important parameter values for use when replaying WAL */
3997 }
3998 
3999 static void
4001 {
4002  int fd;
4003  char buffer[PG_CONTROL_FILE_SIZE]; /* need not be aligned */
4004 
4005  /*
4006  * Initialize version and compatibility-check fields
4007  */
4010 
4011  ControlFile->maxAlign = MAXIMUM_ALIGNOF;
4013 
4014  ControlFile->blcksz = BLCKSZ;
4015  ControlFile->relseg_size = RELSEG_SIZE;
4016  ControlFile->xlog_blcksz = XLOG_BLCKSZ;
4018 
4021 
4024 
4026 
4027  /* Contents are protected with a CRC */
4030  (char *) ControlFile,
4031  offsetof(ControlFileData, crc));
4033 
4034  /*
4035  * We write out PG_CONTROL_FILE_SIZE bytes into pg_control, zero-padding
4036  * the excess over sizeof(ControlFileData). This reduces the odds of
4037  * premature-EOF errors when reading pg_control. We'll still fail when we
4038  * check the contents of the file, but hopefully with a more specific
4039  * error than "couldn't read pg_control".
4040  */
4041  memset(buffer, 0, PG_CONTROL_FILE_SIZE);
4042  memcpy(buffer, ControlFile, sizeof(ControlFileData));
4043 
4045  O_RDWR | O_CREAT | O_EXCL | PG_BINARY);
4046  if (fd < 0)
4047  ereport(PANIC,
4049  errmsg("could not create file \"%s\": %m",
4050  XLOG_CONTROL_FILE)));
4051 
4052  errno = 0;
4053  pgstat_report_wait_start(WAIT_EVENT_CONTROL_FILE_WRITE);
4055  {
4056  /* if write didn't set errno, assume problem is no disk space */
4057  if (errno == 0)
4058  errno = ENOSPC;
4059  ereport(PANIC,
4061  errmsg("could not write to file \"%s\": %m",
4062  XLOG_CONTROL_FILE)));
4063  }
4065 
4066  pgstat_report_wait_start(WAIT_EVENT_CONTROL_FILE_SYNC);
4067  if (pg_fsync(fd) != 0)
4068  ereport(PANIC,
4070  errmsg("could not fsync file \"%s\": %m",
4071  XLOG_CONTROL_FILE)));
4073 
4074  if (close(fd) != 0)
4075  ereport(PANIC,
4077  errmsg("could not close file \"%s\": %m",
4078  XLOG_CONTROL_FILE)));
4079 }
4080 
4081 static void
4083 {
4084  pg_crc32c crc;
4085  int fd;
4086  static char wal_segsz_str[20];
4087  int r;
4088 
4089  /*
4090  * Read data...
4091  */
4093  O_RDWR | PG_BINARY);
4094  if (fd < 0)
4095  ereport(PANIC,
4097  errmsg("could not open file \"%s\": %m",
4098  XLOG_CONTROL_FILE)));
4099 
4100  pgstat_report_wait_start(WAIT_EVENT_CONTROL_FILE_READ);
4101  r = read(fd, ControlFile, sizeof(ControlFileData));
4102  if (r != sizeof(ControlFileData))
4103  {
4104  if (r < 0)
4105  ereport(PANIC,
4107  errmsg("could not read file \"%s\": %m",
4108  XLOG_CONTROL_FILE)));
4109  else
4110  ereport(PANIC,
4112  errmsg("could not read file \"%s\": read %d of %zu",
4113  XLOG_CONTROL_FILE, r, sizeof(ControlFileData))));
4114  }
4116 
4117  close(fd);
4118 
4119  /*
4120  * Check for expected pg_control format version. If this is wrong, the
4121  * CRC check will likely fail because we'll be checking the wrong number
4122  * of bytes. Complaining about wrong version will probably be more
4123  * enlightening than complaining about wrong CRC.
4124  */
4125 
4127  ereport(FATAL,
4128  (errmsg("database files are incompatible with server"),
4129  errdetail("The database cluster was initialized with PG_CONTROL_VERSION %d (0x%08x),"
4130  " but the server was compiled with PG_CONTROL_VERSION %d (0x%08x).",
4133  errhint("This could be a problem of mismatched byte ordering. It looks like you need to initdb.")));
4134 
4136  ereport(FATAL,
4137  (errmsg("database files are incompatible with server"),
4138  errdetail("The database cluster was initialized with PG_CONTROL_VERSION %d,"
4139  " but the server was compiled with PG_CONTROL_VERSION %d.",
4141  errhint("It looks like you need to initdb.")));
4142 
4143  /* Now check the CRC. */
4144  INIT_CRC32C(crc);
4145  COMP_CRC32C(crc,
4146  (char *) ControlFile,
4147  offsetof(ControlFileData, crc));
4148  FIN_CRC32C(crc);
4149 
4150  if (!EQ_CRC32C(crc, ControlFile->crc))
4151  ereport(FATAL,
4152  (errmsg("incorrect checksum in control file")));
4153 
4154  /*
4155  * Do compatibility checking immediately. If the database isn't
4156  * compatible with the backend executable, we want to abort before we can
4157  * possibly do any damage.
4158  */
4160  ereport(FATAL,
4161  (errmsg("database files are incompatible with server"),
4162  errdetail("The database cluster was initialized with CATALOG_VERSION_NO %d,"
4163  " but the server was compiled with CATALOG_VERSION_NO %d.",
4165  errhint("It looks like you need to initdb.")));
4166  if (ControlFile->maxAlign != MAXIMUM_ALIGNOF)
4167  ereport(FATAL,
4168  (errmsg("database files are incompatible with server"),
4169  errdetail("The database cluster was initialized with MAXALIGN %d,"
4170  " but the server was compiled with MAXALIGN %d.",
4171  ControlFile->maxAlign, MAXIMUM_ALIGNOF),
4172  errhint("It looks like you need to initdb.")));
4174  ereport(FATAL,
4175  (errmsg("database files are incompatible with server"),
4176  errdetail("The database cluster appears to use a different floating-point number format than the server executable."),
4177  errhint("It looks like you need to initdb.")));
4178  if (ControlFile->blcksz != BLCKSZ)
4179  ereport(FATAL,
4180  (errmsg("database files are incompatible with server"),
4181  errdetail("The database cluster was initialized with BLCKSZ %d,"
4182  " but the server was compiled with BLCKSZ %d.",
4183  ControlFile->blcksz, BLCKSZ),
4184  errhint("It looks like you need to recompile or initdb.")));
4185  if (ControlFile->relseg_size != RELSEG_SIZE)
4186  ereport(FATAL,
4187  (errmsg("database files are incompatible with server"),
4188  errdetail("The database cluster was initialized with RELSEG_SIZE %d,"
4189  " but the server was compiled with RELSEG_SIZE %d.",
4190  ControlFile->relseg_size, RELSEG_SIZE),
4191  errhint("It looks like you need to recompile or initdb.")));
4192  if (ControlFile->xlog_blcksz != XLOG_BLCKSZ)
4193  ereport(FATAL,
4194  (errmsg("database files are incompatible with server"),
4195  errdetail("The database cluster was initialized with XLOG_BLCKSZ %d,"
4196  " but the server was compiled with XLOG_BLCKSZ %d.",
4197  ControlFile->xlog_blcksz, XLOG_BLCKSZ),
4198  errhint("It looks like you need to recompile or initdb.")));
4200  ereport(FATAL,
4201  (errmsg("database files are incompatible with server"),
4202  errdetail("The database cluster was initialized with NAMEDATALEN %d,"
4203  " but the server was compiled with NAMEDATALEN %d.",
4205  errhint("It looks like you need to recompile or initdb.")));
4207  ereport(FATAL,
4208  (errmsg("database files are incompatible with server"),
4209  errdetail("The database cluster was initialized with INDEX_MAX_KEYS %d,"
4210  " but the server was compiled with INDEX_MAX_KEYS %d.",
4212  errhint("It looks like you need to recompile or initdb.")));
4214  ereport(FATAL,
4215  (errmsg("database files are incompatible with server"),
4216  errdetail("The database cluster was initialized with TOAST_MAX_CHUNK_SIZE %d,"
4217  " but the server was compiled with TOAST_MAX_CHUNK_SIZE %d.",
4219  errhint("It looks like you need to recompile or initdb.")));
4221  ereport(FATAL,
4222  (errmsg("database files are incompatible with server"),
4223  errdetail("The database cluster was initialized with LOBLKSIZE %d,"
4224  " but the server was compiled with LOBLKSIZE %d.",
4225  ControlFile->loblksize, (int) LOBLKSIZE),
4226  errhint("It looks like you need to recompile or initdb.")));
4227 
4228 #ifdef USE_FLOAT8_BYVAL
4229  if (ControlFile->float8ByVal != true)
4230  ereport(FATAL,
4231  (errmsg("database files are incompatible with server"),
4232  errdetail("The database cluster was initialized without USE_FLOAT8_BYVAL"
4233  " but the server was compiled with USE_FLOAT8_BYVAL."),
4234  errhint("It looks like you need to recompile or initdb.")));
4235 #else
4236  if (ControlFile->float8ByVal != false)
4237  ereport(FATAL,
4238  (errmsg("database files are incompatible with server"),
4239  errdetail("The database cluster was initialized with USE_FLOAT8_BYVAL"
4240  " but the server was compiled without USE_FLOAT8_BYVAL."),
4241  errhint("It looks like you need to recompile or initdb.")));
4242 #endif
4243 
4245 
4247  ereport(ERROR, (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
4248  errmsg_plural("invalid WAL segment size in control file (%d byte)",
4249  "invalid WAL segment size in control file (%d bytes)",
4252  errdetail("The WAL segment size must be a power of two between 1 MB and 1 GB.")));
4253 
4254  snprintf(wal_segsz_str, sizeof(wal_segsz_str), "%d", wal_segment_size);
4255  SetConfigOption("wal_segment_size", wal_segsz_str, PGC_INTERNAL,
4257 
4258  /* check and update variables dependent on wal_segment_size */
4260  ereport(ERROR, (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
4261  errmsg("\"min_wal_size\" must be at least twice \"wal_segment_size\"")));
4262 
4264  ereport(ERROR, (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
4265  errmsg("\"max_wal_size\" must be at least twice \"wal_segment_size\"")));
4266 
4268  (wal_segment_size / XLOG_BLCKSZ * UsableBytesInPage) -
4270 
4272 
4273  /* Make the initdb settings visible as GUC variables, too */
4274  SetConfigOption("data_checksums", DataChecksumsEnabled() ? "yes" : "no",
4276 }
4277 
4278 /*
4279  * Utility wrapper to update the control file. Note that the control
4280  * file gets flushed.
4281  */
4282 static void
4284 {
4286 }
4287 
4288 /*
4289  * Returns the unique system identifier from control file.
4290  */
4291 uint64
4293 {
4294  Assert(ControlFile != NULL);
4296 }
4297 
4298 /*
4299  * Returns the random nonce from control file.
4300  */
4301 char *
4303 {
4304  Assert(ControlFile != NULL);
4306 }
4307 
4308 /*
4309  * Are checksums enabled for data pages?
4310  */
4311 bool
4313 {
4314  Assert(ControlFile != NULL);
4315  return (ControlFile->data_checksum_version > 0);
4316 }
4317 
4318 /*
4319  * Returns a fake LSN for unlogged relations.
4320  *
4321  * Each call generates an LSN that is greater than any previous value
4322  * returned. The current counter value is saved and restored across clean
4323  * shutdowns, but like unlogged relations, does not survive a crash. This can
4324  * be used in lieu of real LSN values returned by XLogInsert, if you need an
4325  * LSN-like increasing sequence of numbers without writing any WAL.
4326  */
4327 XLogRecPtr
4329 {
4330  XLogRecPtr nextUnloggedLSN;
4331 
4332  /* increment the unloggedLSN counter, need SpinLock */
4334  nextUnloggedLSN = XLogCtl->unloggedLSN++;
4336 
4337  return nextUnloggedLSN;
4338 }
4339 
4340 /*
4341  * Auto-tune the number of XLOG buffers.
4342  *
4343  * The preferred setting for wal_buffers is about 3% of shared_buffers, with
4344  * a maximum of one XLOG segment (there is little reason to think that more
4345  * is helpful, at least so long as we force an fsync when switching log files)
4346  * and a minimum of 8 blocks (which was the default value prior to PostgreSQL
4347  * 9.1, when auto-tuning was added).
4348  *
4349  * This should not be called until NBuffers has received its final value.
4350  */
4351 static int
4353 {
4354  int xbuffers;
4355 
4356  xbuffers = NBuffers / 32;
4357  if (xbuffers > (wal_segment_size / XLOG_BLCKSZ))
4358  xbuffers = (wal_segment_size / XLOG_BLCKSZ);
4359  if (xbuffers < 8)
4360  xbuffers = 8;
4361  return xbuffers;
4362 }
4363 
4364 /*
4365  * GUC check_hook for wal_buffers
4366  */
4367 bool
4369 {
4370  /*
4371  * -1 indicates a request for auto-tune.
4372  */
4373  if (*newval == -1)
4374  {
4375  /*
4376  * If we haven't yet changed the boot_val default of -1, just let it
4377  * be. We'll fix it when XLOGShmemSize is called.
4378  */
4379  if (XLOGbuffers == -1)
4380  return true;
4381 
4382  /* Otherwise, substitute the auto-tune value */
4384  }
4385 
4386  /*
4387  * We clamp manually-set values to at least 4 blocks. Prior to PostgreSQL
4388  * 9.1, a minimum of 4 was enforced by guc.c, but since that is no longer
4389  * the case, we just silently treat such values as a request for the
4390  * minimum. (We could throw an error instead, but that doesn't seem very
4391  * helpful.)
4392  */
4393  if (*newval < 4)
4394  *newval = 4;
4395 
4396  return true;
4397 }
4398 
4399 /*
4400  * GUC check_hook for wal_consistency_checking
4401  */
4402 bool
4404 {
4405  char *rawstring;
4406  List *elemlist;
4407  ListCell *l;
4408  bool newwalconsistency[RM_MAX_ID + 1];
4409 
4410  /* Initialize the array */
4411  MemSet(newwalconsistency, 0, (RM_MAX_ID + 1) * sizeof(bool));
4412 
4413  /* Need a modifiable copy of string */
4414  rawstring = pstrdup(*newval);
4415 
4416  /* Parse string into list of identifiers */
4417  if (!SplitIdentifierString(rawstring, ',', &elemlist))
4418  {
4419  /* syntax error in list */
4420  GUC_check_errdetail("List syntax is invalid.");
4421  pfree(rawstring);
4422  list_free(elemlist);
4423  return false;
4424  }
4425 
4426  foreach(l, elemlist)
4427  {
4428  char *tok = (char *) lfirst(l);
4429  int rmid;
4430 
4431  /* Check for 'all'. */
4432  if (pg_strcasecmp(tok, "all") == 0)
4433  {
4434  for (rmid = 0; rmid <= RM_MAX_ID; rmid++)
4435  if (RmgrIdExists(rmid) && GetRmgr(rmid).rm_mask != NULL)
4436  newwalconsistency[rmid] = true;
4437  }
4438  else
4439  {
4440  /* Check if the token matches any known resource manager. */
4441  bool found = false;
4442 
4443  for (rmid = 0; rmid <= RM_MAX_ID; rmid++)
4444  {
4445  if (RmgrIdExists(rmid) && GetRmgr(rmid).rm_mask != NULL &&
4446  pg_strcasecmp(tok, GetRmgr(rmid).rm_name) == 0)
4447  {
4448  newwalconsistency[rmid] = true;
4449  found = true;
4450  break;
4451  }
4452  }
4453  if (!found)
4454  {
4455  /*
4456  * During startup, it might be a not-yet-loaded custom
4457  * resource manager. Defer checking until
4458  * InitializeWalConsistencyChecking().
4459  */
4461  {
4463  }
4464  else
4465  {
4466  GUC_check_errdetail("Unrecognized key word: \"%s\".", tok);
4467  pfree(rawstring);
4468  list_free(elemlist);
4469  return false;
4470  }
4471  }
4472  }
4473  }
4474 
4475  pfree(rawstring);
4476  list_free(elemlist);
4477 
4478  /* assign new value */
4479  *extra = guc_malloc(ERROR, (RM_MAX_ID + 1) * sizeof(bool));
4480  memcpy(*extra, newwalconsistency, (RM_MAX_ID + 1) * sizeof(bool));
4481  return true;
4482 }
4483 
4484 /*
4485  * GUC assign_hook for wal_consistency_checking
4486  */
4487 void
4488 assign_wal_consistency_checking(const char *newval, void *extra)
4489 {
4490  /*
4491  * If some checks were deferred, it's possible that the checks will fail
4492  * later during InitializeWalConsistencyChecking(). But in that case, the
4493  * postmaster will exit anyway, so it's safe to proceed with the
4494  * assignment.
4495  *
4496  * Any built-in resource managers specified are assigned immediately,
4497  * which affects WAL created before shared_preload_libraries are
4498  * processed. Any custom resource managers specified won't be assigned
4499  * until after shared_preload_libraries are processed, but that's OK
4500  * because WAL for a custom resource manager can't be written before the
4501  * module is loaded anyway.
4502  */
4503  wal_consistency_checking = extra;
4504 }
4505 
4506 /*
4507  * InitializeWalConsistencyChecking: run after loading custom resource managers
4508  *
4509  * If any unknown resource managers were specified in the
4510  * wal_consistency_checking GUC, processing was deferred. Now that
4511  * shared_preload_libraries have been loaded, process wal_consistency_checking
4512  * again.
4513  */
4514 void
4516 {
4518 
4520  {
4521  struct config_generic *guc;
4522 
4523  guc = find_option("wal_consistency_checking", false, false, ERROR);
4524 
4526 
4527  set_config_option_ext("wal_consistency_checking",
4529  guc->scontext, guc->source, guc->srole,
4530  GUC_ACTION_SET, true, ERROR, false);
4531 
4532  /* checking should not be deferred again */
4534  }
4535 }
4536 
4537 /*
4538  * GUC show_hook for archive_command
4539  */
4540 const char *
4542 {
4543  if (XLogArchivingActive())
4544  return XLogArchiveCommand;
4545  else
4546  return "(disabled)";
4547 }
4548 
4549 /*
4550  * GUC show_hook for in_hot_standby
4551  */
4552 const char *
4554 {
4555  /*
4556  * We display the actual state based on shared memory, so that this GUC
4557  * reports up-to-date state if examined intra-query. The underlying
4558  * variable (in_hot_standby_guc) changes only when we transmit a new value
4559  * to the client.
4560  */
4561  return RecoveryInProgress() ? "on" : "off";
4562 }
4563 
4564 /*
4565  * Read the control file, set respective GUCs.
4566  *
4567  * This is to be called during startup, including a crash recovery cycle,
4568  * unless in bootstrap mode, where no control file yet exists. As there's no
4569  * usable shared memory yet (its sizing can depend on the contents of the
4570  * control file!), first store the contents in local memory. XLOGShmemInit()
4571  * will then copy it to shared memory later.
4572  *
4573  * reset just controls whether previous contents are to be expected (in the
4574  * reset case, there's a dangling pointer into old shared memory), or not.
4575  */
4576 void
4578 {
4579  Assert(reset || ControlFile == NULL);
4580  ControlFile = palloc(sizeof(ControlFileData));
4581  ReadControlFile();
4582 }
4583 
4584 /*
4585  * Get the wal_level from the control file. For a standby, this value should be
4586  * considered as its active wal_level, because it may be different from what
4587  * was originally configured on standby.
4588  */
4589 WalLevel
4591 {
4592  return ControlFile->wal_level;
4593 }
4594 
4595 /*
4596  * Initialization of shared memory for XLOG
4597  */
4598 Size
4600 {
4601  Size size;
4602 
4603  /*
4604  * If the value of wal_buffers is -1, use the preferred auto-tune value.
4605  * This isn't an amazingly clean place to do this, but we must wait till
4606  * NBuffers has received its final value, and must do it before using the
4607  * value of XLOGbuffers to do anything important.
4608  *
4609  * We prefer to report this value's source as PGC_S_DYNAMIC_DEFAULT.
4610  * However, if the DBA explicitly set wal_buffers = -1 in the config file,
4611  * then PGC_S_DYNAMIC_DEFAULT will fail to override that and we must force
4612  * the matter with PGC_S_OVERRIDE.
4613  */
4614  if (XLOGbuffers == -1)
4615  {
4616  char buf[32];
4617 
4618  snprintf(buf, sizeof(buf), "%d", XLOGChooseNumBuffers());
4619  SetConfigOption("wal_buffers", buf, PGC_POSTMASTER,
4621  if (XLOGbuffers == -1) /* failed to apply it? */
4622  SetConfigOption("wal_buffers", buf, PGC_POSTMASTER,
4623  PGC_S_OVERRIDE);
4624  }
4625  Assert(XLOGbuffers > 0);
4626 
4627  /* XLogCtl */
4628  size = sizeof(XLogCtlData);
4629 
4630  /* WAL insertion locks, plus alignment */
4631  size = add_size(size, mul_size(sizeof(WALInsertLockPadded), NUM_XLOGINSERT_LOCKS + 1));
4632  /* xlblocks array */
4633  size = add_size(size, mul_size(sizeof(XLogRecPtr), XLOGbuffers));
4634  /* extra alignment padding for XLOG I/O buffers */
4635  size = add_size(size, Max(XLOG_BLCKSZ, PG_IO_ALIGN_SIZE));
4636  /* and the buffers themselves */
4637  size = add_size(size, mul_size(XLOG_BLCKSZ, XLOGbuffers));
4638 
4639  /*
4640  * Note: we don't count ControlFileData, it comes out of the "slop factor"
4641  * added by CreateSharedMemoryAndSemaphores. This lets us use this
4642  * routine again below to compute the actual allocation size.
4643  */
4644 
4645  return size;
4646 }
4647 
4648 void
4650 {
4651  bool foundCFile,
4652  foundXLog;
4653  char *allocptr;
4654  int i;
4655  ControlFileData *localControlFile;
4656 
4657 #ifdef WAL_DEBUG
4658 
4659  /*
4660  * Create a memory context for WAL debugging that's exempt from the normal
4661  * "no pallocs in critical section" rule. Yes, that can lead to a PANIC if
4662  * an allocation fails, but wal_debug is not for production use anyway.
4663  */
4664  if (walDebugCxt == NULL)
4665  {
4667  "WAL Debug",
4669  MemoryContextAllowInCriticalSection(walDebugCxt, true);
4670  }
4671 #endif
4672 
4673 
4674  XLogCtl = (XLogCtlData *)
4675  ShmemInitStruct("XLOG Ctl", XLOGShmemSize(), &foundXLog);
4676 
4677  localControlFile = ControlFile;
4679  ShmemInitStruct("Control File", sizeof(ControlFileData), &foundCFile);
4680 
4681  if (foundCFile || foundXLog)
4682  {
4683  /* both should be present or neither */
4684  Assert(foundCFile && foundXLog);
4685 
4686  /* Initialize local copy of WALInsertLocks */
4688 
4689  if (localControlFile)
4690  pfree(localControlFile);
4691  return;
4692  }
4693  memset(XLogCtl, 0, sizeof(XLogCtlData));
4694 
4695  /*
4696  * Already have read control file locally, unless in bootstrap mode. Move
4697  * contents into shared memory.
4698  */
4699  if (localControlFile)
4700  {
4701  memcpy(ControlFile, localControlFile, sizeof(ControlFileData));
4702  pfree(localControlFile);
4703  }
4704 
4705  /*
4706  * Since XLogCtlData contains XLogRecPtr fields, its sizeof should be a
4707  * multiple of the alignment for same, so no extra alignment padding is
4708  * needed here.
4709  */
4710  allocptr = ((char *) XLogCtl) + sizeof(XLogCtlData);
4711  XLogCtl->xlblocks = (XLogRecPtr *) allocptr;
4712  memset(XLogCtl->xlblocks, 0, sizeof(XLogRecPtr) * XLOGbuffers);
4713  allocptr += sizeof(XLogRecPtr) * XLOGbuffers;
4714 
4715 
4716  /* WAL insertion locks. Ensure they're aligned to the full padded size */
4717  allocptr += sizeof(WALInsertLockPadded) -
4718  ((uintptr_t) allocptr) % sizeof(WALInsertLockPadded);
4720  (WALInsertLockPadded *) allocptr;
4721  allocptr += sizeof(WALInsertLockPadded) * NUM_XLOGINSERT_LOCKS;
4722 
4723  for (i = 0; i < NUM_XLOGINSERT_LOCKS; i++)
4724  {
4728  }
4729 
4730  /*
4731  * Align the start of the page buffers to a full xlog block size boundary.
4732  * This simplifies some calculations in XLOG insertion. It is also
4733  * required for O_DIRECT.
4734  */
4735  allocptr = (char *) TYPEALIGN(XLOG_BLCKSZ, allocptr);
4736  XLogCtl->pages = allocptr;
4737  memset(XLogCtl->pages, 0, (Size) XLOG_BLCKSZ * XLOGbuffers);
4738 
4739  /*
4740  * Do basic initialization of XLogCtl shared data. (StartupXLOG will fill
4741  * in additional info.)
4742  */
4746  XLogCtl->WalWriterSleeping = false;
4747 
4751 }
4752 
4753 /*
4754  * This func must be called ONCE on system install. It creates pg_control
4755  * and the initial XLOG segment.
4756  */
4757 void
4759 {
4760  CheckPoint checkPoint;
4761  char *buffer;
4762  XLogPageHeader page;
4763  XLogLongPageHeader longpage;
4764  XLogRecord *record;
4765  char *recptr;
4766  uint64 sysidentifier;
4767  struct timeval tv;
4768  pg_crc32c crc;
4769 
4770  /* allow ordinary WAL segment creation, like StartupXLOG() would */
4772 
4773  /*
4774  * Select a hopefully-unique system identifier code for this installation.
4775  * We use the result of gettimeofday(), including the fractional seconds
4776  * field, as being about as unique as we can easily get. (Think not to
4777  * use random(), since it hasn't been seeded and there's no portable way
4778  * to seed it other than the system clock value...) The upper half of the
4779  * uint64 value is just the tv_sec part, while the lower half contains the
4780  * tv_usec part (which must fit in 20 bits), plus 12 bits from our current
4781  * PID for a little extra uniqueness. A person knowing this encoding can
4782  * determine the initialization time of the installation, which could
4783  * perhaps be useful sometimes.
4784  */
4785  gettimeofday(&tv, NULL);
4786  sysidentifier = ((uint64) tv.tv_sec) << 32;
4787  sysidentifier |= ((uint64) tv.tv_usec) << 12;
4788  sysidentifier |= getpid() & 0xFFF;
4789 
4790  /* page buffer must be aligned suitably for O_DIRECT */
4791  buffer = (char *) palloc(XLOG_BLCKSZ + XLOG_BLCKSZ);
4792  page = (XLogPageHeader) TYPEALIGN(XLOG_BLCKSZ, buffer);
4793  memset(page, 0, XLOG_BLCKSZ);
4794 
4795  /*
4796  * Set up information for the initial checkpoint record
4797  *
4798  * The initial checkpoint record is written to the beginning of the WAL
4799  * segment with logid=0 logseg=1. The very first WAL segment, 0/0, is not
4800  * used, so that we can use 0/0 to mean "before any valid WAL segment".
4801  */
4802  checkPoint.redo = wal_segment_size + SizeOfXLogLongPHD;
4803  checkPoint.ThisTimeLineID = BootstrapTimeLineID;
4804  checkPoint.PrevTimeLineID = BootstrapTimeLineID;
4805  checkPoint.fullPageWrites = fullPageWrites;
4806  checkPoint.nextXid =
4808  checkPoint.nextOid = FirstGenbkiObjectId;
4809  checkPoint.nextMulti = FirstMultiXactId;
4810  checkPoint.nextMultiOffset = 0;
4811  checkPoint.oldestXid = FirstNormalTransactionId;
4812  checkPoint.oldestXidDB = Template1DbOid;
4813  checkPoint.oldestMulti = FirstMultiXactId;
4814  checkPoint.oldestMultiDB = Template1DbOid;
4817  checkPoint.time = (pg_time_t) time(NULL);
4819 
4820  ShmemVariableCache->nextXid = checkPoint.nextXid;
4821  ShmemVariableCache->nextOid = checkPoint.nextOid;
4823  MultiXactSetNextMXact(checkPoint.nextMulti, checkPoint.nextMultiOffset);
4824  AdvanceOldestClogXid(checkPoint.oldestXid);
4825  SetTransactionIdLimit(checkPoint.oldestXid, checkPoint.oldestXidDB);
4826  SetMultiXactIdLimit(checkPoint.oldestMulti, checkPoint.oldestMultiDB, true);
4828 
4829  /* Set up the XLOG page header */
4830  page->xlp_magic = XLOG_PAGE_MAGIC;
4831  page->xlp_info = XLP_LONG_HEADER;
4832  page->xlp_tli = BootstrapTimeLineID;
4834  longpage = (XLogLongPageHeader) page;
4835  longpage->xlp_sysid = sysidentifier;
4836  longpage->xlp_seg_size = wal_segment_size;
4837  longpage->xlp_xlog_blcksz = XLOG_BLCKSZ;
4838 
4839  /* Insert the initial checkpoint record */
4840  recptr = ((char *) page + SizeOfXLogLongPHD);
4841  record = (XLogRecord *) recptr;
4842  record->xl_prev = 0;
4843  record->xl_xid = InvalidTransactionId;
4844  record->xl_tot_len = SizeOfXLogRecord + SizeOfXLogRecordDataHeaderShort + sizeof(checkPoint);
4846  record->xl_rmid = RM_XLOG_ID;
4847  recptr += SizeOfXLogRecord;
4848  /* fill the XLogRecordDataHeaderShort struct */
4849  *(recptr++) = (char) XLR_BLOCK_ID_DATA_SHORT;
4850  *(recptr++) = sizeof(checkPoint);
4851  memcpy(recptr, &checkPoint, sizeof(checkPoint));
4852  recptr += sizeof(checkPoint);
4853  Assert(recptr - (char *) record == record->xl_tot_len);
4854 
4855  INIT_CRC32C(crc);
4856  COMP_CRC32C(crc, ((char *) record) + SizeOfXLogRecord, record->xl_tot_len - SizeOfXLogRecord);
4857  COMP_CRC32C(crc, (char *) record, offsetof(XLogRecord, xl_crc));
4858  FIN_CRC32C(crc);
4859  record->xl_crc = crc;
4860 
4861  /* Create first XLOG segment file */
4864 
4865  /*
4866  * We needn't bother with Reserve/ReleaseExternalFD here, since we'll
4867  * close the file again in a moment.
4868  */
4869 
4870  /* Write the first page with the initial record */
4871  errno = 0;
4872  pgstat_report_wait_start(WAIT_EVENT_WAL_BOOTSTRAP_WRITE);
4873  if (write(openLogFile, page, XLOG_BLCKSZ) != XLOG_BLCKSZ)
4874  {
4875  /* if write didn't set errno, assume problem is no disk space */
4876  if (errno == 0)
4877  errno = ENOSPC;
4878  ereport(PANIC,
4880  errmsg("could not write bootstrap write-ahead log file: %m")));
4881  }
4883 
4884  pgstat_report_wait_start(WAIT_EVENT_WAL_BOOTSTRAP_SYNC);
4885  if (pg_fsync(openLogFile) != 0)
4886  ereport(PANIC,
4888  errmsg("could not fsync bootstrap write-ahead log file: %m")));
4890 
4891  if (close(openLogFile) != 0)
4892  ereport(PANIC,
4894  errmsg("could not close bootstrap write-ahead log file: %m")));
4895 
4896  openLogFile = -1;
4897 
4898  /* Now create pg_control */
4899  InitControlFile(sysidentifier);
4900  ControlFile->time = checkPoint.time;
4901  ControlFile->checkPoint = checkPoint.redo;
4902  ControlFile->checkPointCopy = checkPoint;
4903 
4904  /* some additional ControlFile fields are set in WriteControlFile() */
4905  WriteControlFile();
4906 
4907  /* Bootstrap the commit log, too */
4908  BootStrapCLOG();
4912 
4913  pfree(buffer);
4914 
4915  /*
4916  * Force control file to be read - in contrast to normal processing we'd
4917  * otherwise never run the checks and GUC related initializations therein.
4918  */
4919  ReadControlFile();
4920 }
4921 
4922 static char *
4924 {
4925  static char buf[128];
4926 
4927  pg_strftime(buf, sizeof(buf),
4928  "%Y-%m-%d %H:%M:%S %Z",
4929  pg_localtime(&tnow, log_timezone));
4930 
4931  return buf;
4932 }
4933 
4934 /*
4935  * Initialize the first WAL segment on new timeline.
4936  */
4937 static void
4939 {
4940  char xlogfname[MAXFNAMELEN];
4941  XLogSegNo endLogSegNo;
4942  XLogSegNo startLogSegNo;
4943 
4944  /* we always switch to a new timeline after archive recovery */
4945  Assert(endTLI != newTLI);
4946 
4947  /*
4948  * Update min recovery point one last time.
4949  */
4951 
4952  /*
4953  * Calculate the last segment on the old timeline, and the first segment
4954  * on the new timeline. If the switch happens in the middle of a segment,
4955  * they are the same, but if the switch happens exactly at a segment
4956  * boundary, startLogSegNo will be endLogSegNo + 1.
4957  */
4958  XLByteToPrevSeg(endOfLog, endLogSegNo, wal_segment_size);
4959  XLByteToSeg(endOfLog, startLogSegNo, wal_segment_size);
4960 
4961  /*
4962  * Initialize the starting WAL segment for the new timeline. If the switch
4963  * happens in the middle of a segment, copy data from the last WAL segment
4964  * of the old timeline up to the switch point, to the starting WAL segment
4965  * on the new timeline.
4966  */
4967  if (endLogSegNo == startLogSegNo)
4968  {
4969  /*
4970  * Make a copy of the file on the new timeline.
4971  *
4972  * Writing WAL isn't allowed yet, so there are no locking
4973  * considerations. But we should be just as tense as XLogFileInit to
4974  * avoid emplacing a bogus file.
4975  */
4976  XLogFileCopy(newTLI, endLogSegNo, endTLI, endLogSegNo,
4977  XLogSegmentOffset(endOfLog, wal_segment_size));
4978  }
4979  else
4980  {
4981  /*
4982  * The switch happened at a segment boundary, so just create the next
4983  * segment on the new timeline.
4984  */
4985  int fd;
4986 
4987  fd = XLogFileInit(startLogSegNo, newTLI);
4988 
4989  if (close(fd) != 0)
4990  {
4991  int save_errno = errno;
4992 
4993  XLogFileName(xlogfname, newTLI, startLogSegNo, wal_segment_size);
4994  errno = save_errno;
4995  ereport(ERROR,
4997  errmsg("could not close file \"%s\": %m", xlogfname)));
4998  }
4999  }
5000 
5001  /*
5002  * Let's just make real sure there are not .ready or .done flags posted
5003  * for the new segment.
5004  */
5005  XLogFileName(xlogfname, newTLI, startLogSegNo, wal_segment_size);
5006  XLogArchiveCleanup(xlogfname);
5007 }
5008 
5009 /*
5010  * Perform cleanup actions at the conclusion of archive recovery.
5011  */
5012 static void
5014  TimeLineID newTLI)
5015 {
5016  /*
5017  * Execute the recovery_end_command, if any.
5018  */
5019  if (recoveryEndCommand && strcmp(recoveryEndCommand, "") != 0)
5021  "recovery_end_command",
5022  true,
5023  WAIT_EVENT_RECOVERY_END_COMMAND);
5024 
5025  /*
5026  * We switched to a new timeline. Clean up segments on the old timeline.
5027  *
5028  * If there are any higher-numbered segments on the old timeline, remove
5029  * them. They might contain valid WAL, but they might also be
5030  * pre-allocated files containing garbage. In any case, they are not part
5031  * of the new timeline's history so we don't need them.
5032  */
5033  RemoveNonParentXlogFiles(EndOfLog, newTLI);
5034 
5035  /*
5036  * If the switch happened in the middle of a segment, what to do with the
5037  * last, partial segment on the old timeline? If we don't archive it, and
5038  * the server that created the WAL never archives it either (e.g. because
5039  * it was hit by a meteor), it will never make it to the archive. That's
5040  * OK from our point of view, because the new segment that we created with
5041  * the new TLI contains all the WAL from the old timeline up to the switch
5042  * point. But if you later try to do PITR to the "missing" WAL on the old
5043  * timeline, recovery won't find it in the archive. It's physically
5044  * present in the new file with new TLI, but recovery won't look there
5045  * when it's recovering to the older timeline. On the other hand, if we
5046  * archive the partial segment, and the original server on that timeline
5047  * is still running and archives the completed version of the same segment
5048  * later, it will fail. (We used to do that in 9.4 and below, and it
5049  * caused such problems).
5050  *
5051  * As a compromise, we rename the last segment with the .partial suffix,
5052  * and archive it. Archive recovery will never try to read .partial
5053  * segments, so they will normally go unused. But in the odd PITR case,
5054  * the administrator can copy them manually to the pg_wal directory
5055  * (removing the suffix). They can be useful in debugging, too.
5056  *
5057  * If a .done or .ready file already exists for the old timeline, however,
5058  * we had already determined that the segment is complete, so we can let
5059  * it be archived normally. (In particular, if it was restored from the
5060  * archive to begin with, it's expected to have a .done file).
5061  */
5062  if (XLogSegmentOffset(EndOfLog, wal_segment_size) != 0 &&
5064  {
5065  char origfname[MAXFNAMELEN];
5066  XLogSegNo endLogSegNo;
5067 
5068  XLByteToPrevSeg(EndOfLog, endLogSegNo, wal_segment_size);
5069  XLogFileName(origfname, EndOfLogTLI, endLogSegNo, wal_segment_size);
5070 
5071  if (!XLogArchiveIsReadyOrDone(origfname))
5072  {
5073  char origpath[MAXPGPATH];
5074  char partialfname[MAXFNAMELEN];
5075  char partialpath[MAXPGPATH];
5076 
5077  XLogFilePath(origpath, EndOfLogTLI, endLogSegNo, wal_segment_size);
5078  snprintf(partialfname, MAXFNAMELEN, "%s.partial", origfname);
5079  snprintf(partialpath, MAXPGPATH, "%s.partial", origpath);
5080 
5081  /*
5082  * Make sure there's no .done or .ready file for the .partial
5083  * file.
5084  */
5085  XLogArchiveCleanup(partialfname);
5086 
5087  durable_rename(origpath, partialpath, ERROR);
5088  XLogArchiveNotify(partialfname);
5089  }
5090  }
5091 }
5092 
5093 /*
5094  * Check to see if required parameters are set high enough on this server
5095  * for various aspects of recovery operation.
5096  *
5097  * Note that all the parameters which this function tests need to be
5098  * listed in Administrator's Overview section in high-availability.sgml.
5099  * If you change them, don't forget to update the list.
5100  */
5101 static void
5103 {
5104  /*
5105  * For archive recovery, the WAL must be generated with at least 'replica'
5106  * wal_level.
5107  */
5109  {
5110  ereport(FATAL,
5111  (errmsg("WAL was generated with wal_level=minimal, cannot continue recovering"),
5112  errdetail("This happens if you temporarily set wal_level=minimal on the server."),
5113  errhint("Use a backup taken after setting wal_level to higher than minimal.")));
5114  }
5115 
5116  /*
5117  * For Hot Standby, the WAL must be generated with 'replica' mode, and we
5118  * must have at least as many backend slots as the primary.
5119  */
5121  {
5122  /* We ignore autovacuum_max_workers when we make this test. */
5123  RecoveryRequiresIntParameter("max_connections",
5126  RecoveryRequiresIntParameter("max_worker_processes",
5129  RecoveryRequiresIntParameter("max_wal_senders",
5132  RecoveryRequiresIntParameter("max_prepared_transactions",
5135  RecoveryRequiresIntParameter("max_locks_per_transaction",
5138  }
5139 }
5140 
5141 /*
5142  * This must be called ONCE during postmaster or standalone-backend startup
5143  */
5144 void
5146 {
5148  CheckPoint checkPoint;
5149  bool wasShutdown;
5150  bool didCrash;
5151  bool haveTblspcMap;
5152  bool haveBackupLabel;
5153  XLogRecPtr EndOfLog;
5154  TimeLineID EndOfLogTLI;
5155  TimeLineID newTLI;
5156  bool performedWalRecovery;
5157  EndOfWalRecoveryInfo *endOfRecoveryInfo;
5160  TransactionId oldestActiveXID;
5161  bool promoted = false;
5162 
5163  /*
5164  * We should have an aux process resource owner to use, and we should not
5165  * be in a transaction that's installed some other resowner.
5166  */
5168  Assert(CurrentResourceOwner == NULL ||
5171 
5172  /*
5173  * Check that contents look valid.
5174  */
5176  ereport(FATAL,
5177  (errmsg("control file contains invalid checkpoint location")));
5178 
5179  switch (ControlFile->state)
5180  {
5181  case DB_SHUTDOWNED:
5182 
5183  /*
5184  * This is the expected case, so don't be chatty in standalone
5185  * mode
5186  */
5188  (errmsg("database system was shut down at %s",
5189  str_time(ControlFile->time))));
5190  break;
5191 
5193  ereport(LOG,
5194  (errmsg("database system was shut down in recovery at %s",
5195  str_time(ControlFile->time))));
5196  break;
5197 
5198  case DB_SHUTDOWNING:
5199  ereport(LOG,
5200  (errmsg("database system shutdown was interrupted; last known up at %s",
5201  str_time(ControlFile->time))));
5202  break;
5203 
5204  case DB_IN_CRASH_RECOVERY:
5205  ereport(LOG,
5206  (errmsg("database system was interrupted while in recovery at %s",
5208  errhint("This probably means that some data is corrupted and"
5209  " you will have to use the last backup for recovery.")));
5210  break;
5211 
5213  ereport(LOG,
5214  (errmsg("database system was interrupted while in recovery at log time %s",
5216  errhint("If this has occurred more than once some data might be corrupted"
5217  " and you might need to choose an earlier recovery target.")));
5218  break;
5219 
5220  case DB_IN_PRODUCTION:
5221  ereport(LOG,
5222  (errmsg("database system was interrupted; last known up at %s",
5223  str_time(ControlFile->time))));
5224  break;
5225 
5226  default:
5227  ereport(FATAL,
5228  (errmsg("control file contains invalid database cluster state")));
5229  }
5230 
5231  /* This is just to allow attaching to startup process with a debugger */
5232 #ifdef XLOG_REPLAY_DELAY
5234  pg_usleep(60000000L);
5235 #endif
5236 
5237  /*
5238  * Verify that pg_wal and pg_wal/archive_status exist. In cases where
5239  * someone has performed a copy for PITR, these directories may have been
5240  * excluded and need to be re-created.
5241  */
5243 
5244  /* Set up timeout handler needed to report startup progress. */
5248 
5249  /*----------
5250  * If we previously crashed, perform a couple of actions:
5251  *
5252  * - The pg_wal directory may still include some temporary WAL segments
5253  * used when creating a new segment, so perform some clean up to not
5254  * bloat this path. This is done first as there is no point to sync
5255  * this temporary data.
5256  *
5257  * - There might be data which we had written, intending to fsync it, but
5258  * which we had not actually fsync'd yet. Therefore, a power failure in
5259  * the near future might cause earlier unflushed writes to be lost, even
5260  * though more recent data written to disk from here on would be
5261  * persisted. To avoid that, fsync the entire data directory.
5262  */
5263  if (ControlFile->state != DB_SHUTDOWNED &&
5265  {
5268  didCrash = true;
5269  }
5270  else
5271  didCrash = false;
5272 
5273  /*
5274  * Prepare for WAL recovery if needed.
5275  *
5276  * InitWalRecovery analyzes the control file and the backup label file, if
5277  * any. It updates the in-memory ControlFile buffer according to the
5278  * starting checkpoint, and sets InRecovery and ArchiveRecoveryRequested.
5279  * It also applies the tablespace map file, if any.
5280  */
5281  InitWalRecovery(ControlFile, &wasShutdown,
5282  &haveBackupLabel, &haveTblspcMap);
5283  checkPoint = ControlFile->checkPointCopy;
5284 
5285  /* initialize shared memory variables from the checkpoint record */
5286  ShmemVariableCache->nextXid = checkPoint.nextXid;
5287  ShmemVariableCache->nextOid = checkPoint.nextOid;
5289  MultiXactSetNextMXact(checkPoint.nextMulti, checkPoint.nextMultiOffset);
5290  AdvanceOldestClogXid(checkPoint.oldestXid);
5291  SetTransactionIdLimit(checkPoint.oldestXid, checkPoint.oldestXidDB);
5292  SetMultiXactIdLimit(checkPoint.oldestMulti, checkPoint.oldestMultiDB, true);
5294  checkPoint.newestCommitTsXid);
5295  XLogCtl->ckptFullXid = checkPoint.nextXid;
5296 
5297  /*
5298  * Clear out any old relcache cache files. This is *necessary* if we do
5299  * any WAL replay, since that would probably result in the cache files
5300  * being out of sync with database reality. In theory we could leave them
5301  * in place if the database had been cleanly shut down, but it seems
5302  * safest to just remove them always and let them be rebuilt during the
5303  * first backend startup. These files needs to be removed from all
5304  * directories including pg_tblspc, however the symlinks are created only
5305  * after reading tablespace_map file in case of archive recovery from
5306  * backup, so needs to clear old relcache files here after creating
5307  * symlinks.
5308  */
5310 
5311  /*
5312  * Initialize replication slots, before there's a chance to remove
5313  * required resources.
5314  */
5316 
5317  /*
5318  * Startup logical state, needs to be setup now so we have proper data
5319  * during crash recovery.
5320  */
5322 
5323  /*
5324  * Startup CLOG. This must be done after ShmemVariableCache->nextXid has
5325  * been initialized and before we accept connections or begin WAL replay.
5326  */
5327  StartupCLOG();
5328 
5329  /*
5330  * Startup MultiXact. We need to do this early to be able to replay
5331  * truncations.
5332  */
5333  StartupMultiXact();
5334 
5335  /*
5336  * Ditto for commit timestamps. Activate the facility if the setting is
5337  * enabled in the control file, as there should be no tracking of commit
5338  * timestamps done when the setting was disabled. This facility can be
5339  * started or stopped when replaying a XLOG_PARAMETER_CHANGE record.
5340  */
5342  StartupCommitTs();
5343 
5344  /*
5345  * Recover knowledge about replay progress of known replication partners.
5346  */
5348 
5349  /*
5350  * Initialize unlogged LSN. On a clean shutdown, it's restored from the
5351  * control file. On recovery, all unlogged relations are blown away, so
5352  * the unlogged LSN counter can be reset too.
5353  */
5356  else
5358 
5359  /*
5360  * Copy any missing timeline history files between 'now' and the recovery
5361  * target timeline from archive to pg_wal. While we don't need those files
5362  * ourselves - the history file of the recovery target timeline covers all
5363  * the previous timelines in the history too - a cascading standby server
5364  * might be interested in them. Or, if you archive the WAL from this
5365  * server to a different archive than the primary, it'd be good for all
5366  * the history files to get archived there after failover, so that you can
5367  * use one of the old timelines as a PITR target. Timeline history files
5368  * are small, so it's better to copy them unnecessarily than not copy them
5369  * and regret later.
5370  */
5372 
5373  /*
5374  * Before running in recovery, scan pg_twophase and fill in its status to
5375  * be able to work on entries generated by redo. Doing a scan before
5376  * taking any recovery action has the merit to discard any 2PC files that
5377  * are newer than the first record to replay, saving from any conflicts at
5378  * replay. This avoids as well any subsequent scans when doing recovery
5379  * of the on-disk two-phase data.
5380  */
5382 
5383  /*
5384  * When starting with crash recovery, reset pgstat data - it might not be
5385  * valid. Otherwise restore pgstat data. It's safe to do this here,
5386  * because postmaster will not yet have started any other processes.
5387  *
5388  * NB: Restoring replication slot stats relies on slot state to have
5389  * already been restored from disk.
5390  *
5391  * TODO: With a bit of extra work we could just start with a pgstat file
5392  * associated with the checkpoint redo location we're starting from.
5393  */
5394  if (didCrash)
5396  else
5398 
5399  lastFullPageWrites = checkPoint.fullPageWrites;
5400 
5403 
5404  /* REDO */
5405  if (InRecovery)
5406  {
5407  /* Initialize state for RecoveryInProgress() */
5409  if (InArchiveRecovery)
5411  else
5414 
5415  /*
5416  * Update pg_control to show that we are recovering and to show the
5417  * selected checkpoint as the place we are starting from. We also mark
5418  * pg_control with any minimum recovery stop point obtained from a
5419  * backup history file.
5420  *
5421  * No need to hold ControlFileLock yet, we aren't up far enough.
5422  */
5424 
5425  /*
5426  * If there was a backup label file, it's done its job and the info
5427  * has now been propagated into pg_control. We must get rid of the
5428  * label file so that if we crash during recovery, we'll pick up at
5429  * the latest recovery restartpoint instead of going all the way back
5430  * to the backup start point. It seems prudent though to just rename
5431  * the file out of the way rather than delete it completely.
5432  */
5433  if (haveBackupLabel)
5434  {
5435  unlink(BACKUP_LABEL_OLD);
5437  }
5438 
5439  /*
5440  * If there was a tablespace_map file, it's done its job and the
5441  * symlinks have been created. We must get rid of the map file so
5442  * that if we crash during recovery, we don't create symlinks again.
5443  * It seems prudent though to just rename the file out of the way
5444  * rather than delete it completely.
5445  */
5446  if (haveTblspcMap)
5447  {
5448  unlink(TABLESPACE_MAP_OLD);
5450  }
5451 
5452  /*
5453  * Initialize our local copy of minRecoveryPoint. When doing crash
5454  * recovery we want to replay up to the end of WAL. Particularly, in
5455  * the case of a promoted standby minRecoveryPoint value in the
5456  * control file is only updated after the first checkpoint. However,
5457  * if the instance crashes before the first post-recovery checkpoint
5458  * is completed then recovery will use a stale location causing the
5459  * startup process to think that there are still invalid page
5460  * references when checking for data consistency.
5461  */
5462  if (InArchiveRecovery)
5463  {
5466  }
5467  else
5468  {
5471  }
5472 
5473  /* Check that the GUCs used to generate the WAL allow recovery */
5475 
5476  /*
5477  * We're in recovery, so unlogged relations may be trashed and must be
5478  * reset. This should be done BEFORE allowing Hot Standby
5479  * connections, so that read-only backends don't try to read whatever
5480  * garbage is left over from before.
5481  */
5483 
5484  /*
5485  * Likewise, delete any saved transaction snapshot files that got left
5486  * behind by crashed backends.
5487  */
5489 
5490  /*
5491  * Initialize for Hot Standby, if enabled. We won't let backends in
5492  * yet, not until we've reached the min recovery point specified in
5493  * control file and we've established a recovery snapshot from a
5494  * running-xacts WAL record.
5495  */
5497  {
5498  TransactionId *xids;
5499  int nxids;
5500 
5501  ereport(DEBUG1,
5502  (errmsg_internal("initializing for hot standby")));
5503 
5505 
5506  if (wasShutdown)
5507  oldestActiveXID = PrescanPreparedTransactions(&xids, &nxids);
5508  else
5509  oldestActiveXID = checkPoint.oldestActiveXid;
5510  Assert(TransactionIdIsValid(oldestActiveXID));
5511 
5512  /* Tell procarray about the range of xids it has to deal with */
5514 
5515  /*
5516  * Startup subtrans only. CLOG, MultiXact and commit timestamp
5517  * have already been started up and other SLRUs are not maintained
5518  * during recovery and need not be started yet.
5519  */
5520  StartupSUBTRANS(oldestActiveXID);
5521 
5522  /*
5523  * If we're beginning at a shutdown checkpoint, we know that
5524  * nothing was running on the primary at this point. So fake-up an
5525  * empty running-xacts record and use that here and now. Recover
5526  * additional standby state for prepared transactions.
5527  */
5528  if (wasShutdown)
5529  {
5530  RunningTransactionsData running;
5531  TransactionId latestCompletedXid;
5532 
5533  /*
5534  * Construct a RunningTransactions snapshot representing a
5535  * shut down server, with only prepared transactions still
5536  * alive. We're never overflowed at this point because all
5537  * subxids are listed with their parent prepared transactions.
5538  */
5539  running.xcnt = nxids;
5540  running.subxcnt = 0;
5541  running.subxid_overflow = false;
5542  running.nextXid = XidFromFullTransactionId(checkPoint.nextXid);
5543  running.oldestRunningXid = oldestActiveXID;
5544  latestCompletedXid = XidFromFullTransactionId(checkPoint.nextXid);
5545  TransactionIdRetreat(latestCompletedXid);
5546  Assert(TransactionIdIsNormal(latestCompletedXid));
5547  running.latestCompletedXid = latestCompletedXid;
5548  running.xids = xids;
5549 
5550  ProcArrayApplyRecoveryInfo(&running);
5551 
5553  }
5554  }
5555 
5556  /*
5557  * We're all set for replaying the WAL now. Do it.
5558  */
5560  performedWalRecovery = true;
5561  }
5562  else
5563  performedWalRecovery = false;
5564 
5565  /*
5566  * Finish WAL recovery.
5567  */
5568  endOfRecoveryInfo = FinishWalRecovery();
5569  EndOfLog = endOfRecoveryInfo->endOfLog;
5570  EndOfLogTLI = endOfRecoveryInfo->endOfLogTLI;
5571  abortedRecPtr = endOfRecoveryInfo->abortedRecPtr;
5572  missingContrecPtr = endOfRecoveryInfo->missingContrecPtr;
5573 
5574  /*
5575  * Reset ps status display, so as no information related to recovery shows
5576  * up.
5577  */
5578  set_ps_display("");
5579 
5580  /*
5581  * When recovering from a backup (we are in recovery, and archive recovery
5582  * was requested), complain if we did not roll forward far enough to reach
5583  * the point where the database is consistent. For regular online
5584  * backup-from-primary, that means reaching the end-of-backup WAL record
5585  * (at which point we reset backupStartPoint to be Invalid), for
5586  * backup-from-replica (which can't inject records into the WAL stream),
5587  * that point is when we reach the minRecoveryPoint in pg_control (which
5588  * we purposefully copy last when backing up from a replica). For
5589  * pg_rewind (which creates a backup_label with a method of "pg_rewind")
5590  * or snapshot-style backups (which don't), backupEndRequired will be set
5591  * to false.
5592  *
5593  * Note: it is indeed okay to look at the local variable
5594  * LocalMinRecoveryPoint here, even though ControlFile->minRecoveryPoint
5595  * might be further ahead --- ControlFile->minRecoveryPoint cannot have
5596  * been advanced beyond the WAL we processed.
5597  */
5598  if (InRecovery &&
5599  (EndOfLog < LocalMinRecoveryPoint ||
5601  {
5602  /*
5603  * Ran off end of WAL before reaching end-of-backup WAL record, or
5604  * minRecoveryPoint. That's a bad sign, indicating that you tried to
5605  * recover from an online backup but never called pg_backup_stop(), or
5606  * you didn't archive all the WAL needed.
5607  */
5609  {
5611  ereport(FATAL,
5612  (errmsg("WAL ends before end of online backup"),
5613  errhint("All WAL generated while online backup was taken must be available at recovery.")));
5614  else
5615  ereport(FATAL,
5616  (errmsg("WAL ends before consistent recovery point")));</