PostgreSQL Source Code  git master
xlog.c
Go to the documentation of this file.
1 /*-------------------------------------------------------------------------
2  *
3  * xlog.c
4  * PostgreSQL write-ahead log manager
5  *
6  * The Write-Ahead Log (WAL) functionality is split into several source
7  * files, in addition to this one:
8  *
9  * xloginsert.c - Functions for constructing WAL records
10  * xlogrecovery.c - WAL recovery and standby code
11  * xlogreader.c - Facility for reading WAL files and parsing WAL records
12  * xlogutils.c - Helper functions for WAL redo routines
13  *
14  * This file contains functions for coordinating database startup and
15  * checkpointing, and managing the write-ahead log buffers when the
16  * system is running.
17  *
18  * StartupXLOG() is the main entry point of the startup process. It
19  * coordinates database startup, performing WAL recovery, and the
20  * transition from WAL recovery into normal operations.
21  *
22  * XLogInsertRecord() inserts a WAL record into the WAL buffers. Most
23  * callers should not call this directly, but use the functions in
24  * xloginsert.c to construct the WAL record. XLogFlush() can be used
25  * to force the WAL to disk.
26  *
27  * In addition to those, there are many other functions for interrogating
28  * the current system state, and for starting/stopping backups.
29  *
30  *
31  * Portions Copyright (c) 1996-2024, PostgreSQL Global Development Group
32  * Portions Copyright (c) 1994, Regents of the University of California
33  *
34  * src/backend/access/transam/xlog.c
35  *
36  *-------------------------------------------------------------------------
37  */
38 
39 #include "postgres.h"
40 
41 #include <ctype.h>
42 #include <math.h>
43 #include <time.h>
44 #include <fcntl.h>
45 #include <sys/stat.h>
46 #include <sys/time.h>
47 #include <unistd.h>
48 
49 #include "access/clog.h"
50 #include "access/commit_ts.h"
51 #include "access/heaptoast.h"
52 #include "access/multixact.h"
53 #include "access/rewriteheap.h"
54 #include "access/subtrans.h"
55 #include "access/timeline.h"
56 #include "access/transam.h"
57 #include "access/twophase.h"
58 #include "access/xact.h"
59 #include "access/xlog_internal.h"
60 #include "access/xlogarchive.h"
61 #include "access/xloginsert.h"
62 #include "access/xlogreader.h"
63 #include "access/xlogrecovery.h"
64 #include "access/xlogutils.h"
65 #include "backup/basebackup.h"
66 #include "catalog/catversion.h"
67 #include "catalog/pg_control.h"
68 #include "catalog/pg_database.h"
70 #include "common/file_utils.h"
71 #include "executor/instrument.h"
72 #include "miscadmin.h"
73 #include "pg_trace.h"
74 #include "pgstat.h"
75 #include "port/atomics.h"
76 #include "port/pg_iovec.h"
77 #include "postmaster/bgwriter.h"
78 #include "postmaster/startup.h"
80 #include "postmaster/walwriter.h"
81 #include "replication/origin.h"
82 #include "replication/slot.h"
83 #include "replication/snapbuild.h"
85 #include "replication/walsender.h"
86 #include "storage/bufmgr.h"
87 #include "storage/fd.h"
88 #include "storage/ipc.h"
89 #include "storage/large_object.h"
90 #include "storage/latch.h"
91 #include "storage/predicate.h"
92 #include "storage/proc.h"
93 #include "storage/procarray.h"
94 #include "storage/reinit.h"
95 #include "storage/spin.h"
96 #include "storage/sync.h"
97 #include "utils/guc_hooks.h"
98 #include "utils/guc_tables.h"
99 #include "utils/injection_point.h"
100 #include "utils/memutils.h"
101 #include "utils/ps_status.h"
102 #include "utils/relmapper.h"
103 #include "utils/snapmgr.h"
104 #include "utils/timeout.h"
105 #include "utils/timestamp.h"
106 #include "utils/varlena.h"
107 
109 
110 /* timeline ID to be used when bootstrapping */
111 #define BootstrapTimeLineID 1
112 
113 /* User-settable parameters */
114 int max_wal_size_mb = 1024; /* 1 GB */
115 int min_wal_size_mb = 80; /* 80 MB */
117 int XLOGbuffers = -1;
120 char *XLogArchiveCommand = NULL;
121 bool EnableHotStandby = false;
122 bool fullPageWrites = true;
123 bool wal_log_hints = false;
127 bool wal_init_zero = true;
128 bool wal_recycle = true;
129 bool log_checkpoints = true;
132 int CommitDelay = 0; /* precommit delay in microseconds */
133 int CommitSiblings = 5; /* # concurrent xacts needed to sleep */
136 int wal_decode_buffer_size = 512 * 1024;
137 bool track_wal_io_timing = false;
138 
139 #ifdef WAL_DEBUG
140 bool XLOG_DEBUG = false;
141 #endif
142 
144 
145 /*
146  * Number of WAL insertion locks to use. A higher value allows more insertions
147  * to happen concurrently, but adds some CPU overhead to flushing the WAL,
148  * which needs to iterate all the locks.
149  */
150 #define NUM_XLOGINSERT_LOCKS 8
151 
152 /*
153  * Max distance from last checkpoint, before triggering a new xlog-based
154  * checkpoint.
155  */
157 
158 /* Estimated distance between checkpoints, in bytes */
159 static double CheckPointDistanceEstimate = 0;
160 static double PrevCheckPointDistance = 0;
161 
162 /*
163  * Track whether there were any deferred checks for custom resource managers
164  * specified in wal_consistency_checking.
165  */
167 
168 /*
169  * GUC support
170  */
172  {"fsync", WAL_SYNC_METHOD_FSYNC, false},
173 #ifdef HAVE_FSYNC_WRITETHROUGH
174  {"fsync_writethrough", WAL_SYNC_METHOD_FSYNC_WRITETHROUGH, false},
175 #endif
176  {"fdatasync", WAL_SYNC_METHOD_FDATASYNC, false},
177 #ifdef O_SYNC
178  {"open_sync", WAL_SYNC_METHOD_OPEN, false},
179 #endif
180 #ifdef O_DSYNC
181  {"open_datasync", WAL_SYNC_METHOD_OPEN_DSYNC, false},
182 #endif
183  {NULL, 0, false}
184 };
185 
186 
187 /*
188  * Although only "on", "off", and "always" are documented,
189  * we accept all the likely variants of "on" and "off".
190  */
191 const struct config_enum_entry archive_mode_options[] = {
192  {"always", ARCHIVE_MODE_ALWAYS, false},
193  {"on", ARCHIVE_MODE_ON, false},
194  {"off", ARCHIVE_MODE_OFF, false},
195  {"true", ARCHIVE_MODE_ON, true},
196  {"false", ARCHIVE_MODE_OFF, true},
197  {"yes", ARCHIVE_MODE_ON, true},
198  {"no", ARCHIVE_MODE_OFF, true},
199  {"1", ARCHIVE_MODE_ON, true},
200  {"0", ARCHIVE_MODE_OFF, true},
201  {NULL, 0, false}
202 };
203 
204 /*
205  * Statistics for current checkpoint are collected in this global struct.
206  * Because only the checkpointer or a stand-alone backend can perform
207  * checkpoints, this will be unused in normal backends.
208  */
210 
211 /*
212  * During recovery, lastFullPageWrites keeps track of full_page_writes that
213  * the replayed WAL records indicate. It's initialized with full_page_writes
214  * that the recovery starting checkpoint record indicates, and then updated
215  * each time XLOG_FPW_CHANGE record is replayed.
216  */
217 static bool lastFullPageWrites;
218 
219 /*
220  * Local copy of the state tracked by SharedRecoveryState in shared memory,
221  * It is false if SharedRecoveryState is RECOVERY_STATE_DONE. True actually
222  * means "not known, need to check the shared state".
223  */
224 static bool LocalRecoveryInProgress = true;
225 
226 /*
227  * Local state for XLogInsertAllowed():
228  * 1: unconditionally allowed to insert XLOG
229  * 0: unconditionally not allowed to insert XLOG
230  * -1: must check RecoveryInProgress(); disallow until it is false
231  * Most processes start with -1 and transition to 1 after seeing that recovery
232  * is not in progress. But we can also force the value for special cases.
233  * The coding in XLogInsertAllowed() depends on the first two of these states
234  * being numerically the same as bool true and false.
235  */
236 static int LocalXLogInsertAllowed = -1;
237 
238 /*
239  * ProcLastRecPtr points to the start of the last XLOG record inserted by the
240  * current backend. It is updated for all inserts. XactLastRecEnd points to
241  * end+1 of the last record, and is reset when we end a top-level transaction,
242  * or start a new one; so it can be used to tell if the current transaction has
243  * created any XLOG records.
244  *
245  * While in parallel mode, this may not be fully up to date. When committing,
246  * a transaction can assume this covers all xlog records written either by the
247  * user backend or by any parallel worker which was present at any point during
248  * the transaction. But when aborting, or when still in parallel mode, other
249  * parallel backends may have written WAL records at later LSNs than the value
250  * stored here. The parallel leader advances its own copy, when necessary,
251  * in WaitForParallelWorkersToFinish.
252  */
256 
257 /*
258  * RedoRecPtr is this backend's local copy of the REDO record pointer
259  * (which is almost but not quite the same as a pointer to the most recent
260  * CHECKPOINT record). We update this from the shared-memory copy,
261  * XLogCtl->Insert.RedoRecPtr, whenever we can safely do so (ie, when we
262  * hold an insertion lock). See XLogInsertRecord for details. We are also
263  * allowed to update from XLogCtl->RedoRecPtr if we hold the info_lck;
264  * see GetRedoRecPtr.
265  *
266  * NB: Code that uses this variable must be prepared not only for the
267  * possibility that it may be arbitrarily out of date, but also for the
268  * possibility that it might be set to InvalidXLogRecPtr. We used to
269  * initialize it as a side effect of the first call to RecoveryInProgress(),
270  * which meant that most code that might use it could assume that it had a
271  * real if perhaps stale value. That's no longer the case.
272  */
274 
275 /*
276  * doPageWrites is this backend's local copy of (fullPageWrites ||
277  * runningBackups > 0). It is used together with RedoRecPtr to decide whether
278  * a full-page image of a page need to be taken.
279  *
280  * NB: Initially this is false, and there's no guarantee that it will be
281  * initialized to any other value before it is first used. Any code that
282  * makes use of it must recheck the value after obtaining a WALInsertLock,
283  * and respond appropriately if it turns out that the previous value wasn't
284  * accurate.
285  */
286 static bool doPageWrites;
287 
288 /*----------
289  * Shared-memory data structures for XLOG control
290  *
291  * LogwrtRqst indicates a byte position that we need to write and/or fsync
292  * the log up to (all records before that point must be written or fsynced).
293  * The positions already written/fsynced are maintained in logWriteResult
294  * and logFlushResult using atomic access.
295  * In addition to the shared variable, each backend has a private copy of
296  * both in LogwrtResult, which is updated when convenient.
297  *
298  * The request bookkeeping is simpler: there is a shared XLogCtl->LogwrtRqst
299  * (protected by info_lck), but we don't need to cache any copies of it.
300  *
301  * info_lck is only held long enough to read/update the protected variables,
302  * so it's a plain spinlock. The other locks are held longer (potentially
303  * over I/O operations), so we use LWLocks for them. These locks are:
304  *
305  * WALBufMappingLock: must be held to replace a page in the WAL buffer cache.
306  * It is only held while initializing and changing the mapping. If the
307  * contents of the buffer being replaced haven't been written yet, the mapping
308  * lock is released while the write is done, and reacquired afterwards.
309  *
310  * WALWriteLock: must be held to write WAL buffers to disk (XLogWrite or
311  * XLogFlush).
312  *
313  * ControlFileLock: must be held to read/update control file or create
314  * new log file.
315  *
316  *----------
317  */
318 
319 typedef struct XLogwrtRqst
320 {
321  XLogRecPtr Write; /* last byte + 1 to write out */
322  XLogRecPtr Flush; /* last byte + 1 to flush */
324 
325 typedef struct XLogwrtResult
326 {
327  XLogRecPtr Write; /* last byte + 1 written out */
328  XLogRecPtr Flush; /* last byte + 1 flushed */
330 
331 /*
332  * Inserting to WAL is protected by a small fixed number of WAL insertion
333  * locks. To insert to the WAL, you must hold one of the locks - it doesn't
334  * matter which one. To lock out other concurrent insertions, you must hold
335  * of them. Each WAL insertion lock consists of a lightweight lock, plus an
336  * indicator of how far the insertion has progressed (insertingAt).
337  *
338  * The insertingAt values are read when a process wants to flush WAL from
339  * the in-memory buffers to disk, to check that all the insertions to the
340  * region the process is about to write out have finished. You could simply
341  * wait for all currently in-progress insertions to finish, but the
342  * insertingAt indicator allows you to ignore insertions to later in the WAL,
343  * so that you only wait for the insertions that are modifying the buffers
344  * you're about to write out.
345  *
346  * This isn't just an optimization. If all the WAL buffers are dirty, an
347  * inserter that's holding a WAL insert lock might need to evict an old WAL
348  * buffer, which requires flushing the WAL. If it's possible for an inserter
349  * to block on another inserter unnecessarily, deadlock can arise when two
350  * inserters holding a WAL insert lock wait for each other to finish their
351  * insertion.
352  *
353  * Small WAL records that don't cross a page boundary never update the value,
354  * the WAL record is just copied to the page and the lock is released. But
355  * to avoid the deadlock-scenario explained above, the indicator is always
356  * updated before sleeping while holding an insertion lock.
357  *
358  * lastImportantAt contains the LSN of the last important WAL record inserted
359  * using a given lock. This value is used to detect if there has been
360  * important WAL activity since the last time some action, like a checkpoint,
361  * was performed - allowing to not repeat the action if not. The LSN is
362  * updated for all insertions, unless the XLOG_MARK_UNIMPORTANT flag was
363  * set. lastImportantAt is never cleared, only overwritten by the LSN of newer
364  * records. Tracking the WAL activity directly in WALInsertLock has the
365  * advantage of not needing any additional locks to update the value.
366  */
367 typedef struct
368 {
372 } WALInsertLock;
373 
374 /*
375  * All the WAL insertion locks are allocated as an array in shared memory. We
376  * force the array stride to be a power of 2, which saves a few cycles in
377  * indexing, but more importantly also ensures that individual slots don't
378  * cross cache line boundaries. (Of course, we have to also ensure that the
379  * array start address is suitably aligned.)
380  */
381 typedef union WALInsertLockPadded
382 {
386 
387 /*
388  * Session status of running backup, used for sanity checks in SQL-callable
389  * functions to start and stop backups.
390  */
392 
393 /*
394  * Shared state data for WAL insertion.
395  */
396 typedef struct XLogCtlInsert
397 {
398  slock_t insertpos_lck; /* protects CurrBytePos and PrevBytePos */
399 
400  /*
401  * CurrBytePos is the end of reserved WAL. The next record will be
402  * inserted at that position. PrevBytePos is the start position of the
403  * previously inserted (or rather, reserved) record - it is copied to the
404  * prev-link of the next record. These are stored as "usable byte
405  * positions" rather than XLogRecPtrs (see XLogBytePosToRecPtr()).
406  */
407  uint64 CurrBytePos;
408  uint64 PrevBytePos;
409 
410  /*
411  * Make sure the above heavily-contended spinlock and byte positions are
412  * on their own cache line. In particular, the RedoRecPtr and full page
413  * write variables below should be on a different cache line. They are
414  * read on every WAL insertion, but updated rarely, and we don't want
415  * those reads to steal the cache line containing Curr/PrevBytePos.
416  */
418 
419  /*
420  * fullPageWrites is the authoritative value used by all backends to
421  * determine whether to write full-page image to WAL. This shared value,
422  * instead of the process-local fullPageWrites, is required because, when
423  * full_page_writes is changed by SIGHUP, we must WAL-log it before it
424  * actually affects WAL-logging by backends. Checkpointer sets at startup
425  * or after SIGHUP.
426  *
427  * To read these fields, you must hold an insertion lock. To modify them,
428  * you must hold ALL the locks.
429  */
430  XLogRecPtr RedoRecPtr; /* current redo point for insertions */
432 
433  /*
434  * runningBackups is a counter indicating the number of backups currently
435  * in progress. lastBackupStart is the latest checkpoint redo location
436  * used as a starting point for an online backup.
437  */
440 
441  /*
442  * WAL insertion locks.
443  */
446 
447 /*
448  * Total shared-memory state for XLOG.
449  */
450 typedef struct XLogCtlData
451 {
453 
454  /* Protected by info_lck: */
456  XLogRecPtr RedoRecPtr; /* a recent copy of Insert->RedoRecPtr */
457  FullTransactionId ckptFullXid; /* nextXid of latest checkpoint */
458  XLogRecPtr asyncXactLSN; /* LSN of newest async commit/abort */
459  XLogRecPtr replicationSlotMinLSN; /* oldest LSN needed by any slot */
460 
461  XLogSegNo lastRemovedSegNo; /* latest removed/recycled XLOG segment */
462 
463  /* Fake LSN counter, for unlogged relations. */
465 
466  /* Time and LSN of last xlog segment switch. Protected by WALWriteLock. */
469 
470  /* These are accessed using atomics -- info_lck not needed */
471  pg_atomic_uint64 logInsertResult; /* last byte + 1 inserted to buffers */
472  pg_atomic_uint64 logWriteResult; /* last byte + 1 written out */
473  pg_atomic_uint64 logFlushResult; /* last byte + 1 flushed */
474 
475  /*
476  * Latest initialized page in the cache (last byte position + 1).
477  *
478  * To change the identity of a buffer (and InitializedUpTo), you need to
479  * hold WALBufMappingLock. To change the identity of a buffer that's
480  * still dirty, the old page needs to be written out first, and for that
481  * you need WALWriteLock, and you need to ensure that there are no
482  * in-progress insertions to the page by calling
483  * WaitXLogInsertionsToFinish().
484  */
486 
487  /*
488  * These values do not change after startup, although the pointed-to pages
489  * and xlblocks values certainly do. xlblocks values are protected by
490  * WALBufMappingLock.
491  */
492  char *pages; /* buffers for unwritten XLOG pages */
493  pg_atomic_uint64 *xlblocks; /* 1st byte ptr-s + XLOG_BLCKSZ */
494  int XLogCacheBlck; /* highest allocated xlog buffer index */
495 
496  /*
497  * InsertTimeLineID is the timeline into which new WAL is being inserted
498  * and flushed. It is zero during recovery, and does not change once set.
499  *
500  * If we create a new timeline when the system was started up,
501  * PrevTimeLineID is the old timeline's ID that we forked off from.
502  * Otherwise it's equal to InsertTimeLineID.
503  */
506 
507  /*
508  * SharedRecoveryState indicates if we're still in crash or archive
509  * recovery. Protected by info_lck.
510  */
512 
513  /*
514  * InstallXLogFileSegmentActive indicates whether the checkpointer should
515  * arrange for future segments by recycling and/or PreallocXlogFiles().
516  * Protected by ControlFileLock. Only the startup process changes it. If
517  * true, anyone can use InstallXLogFileSegment(). If false, the startup
518  * process owns the exclusive right to install segments, by reading from
519  * the archive and possibly replacing existing files.
520  */
522 
523  /*
524  * WalWriterSleeping indicates whether the WAL writer is currently in
525  * low-power mode (and hence should be nudged if an async commit occurs).
526  * Protected by info_lck.
527  */
529 
530  /*
531  * During recovery, we keep a copy of the latest checkpoint record here.
532  * lastCheckPointRecPtr points to start of checkpoint record and
533  * lastCheckPointEndPtr points to end+1 of checkpoint record. Used by the
534  * checkpointer when it wants to create a restartpoint.
535  *
536  * Protected by info_lck.
537  */
541 
542  /*
543  * lastFpwDisableRecPtr points to the start of the last replayed
544  * XLOG_FPW_CHANGE record that instructs full_page_writes is disabled.
545  */
547 
548  slock_t info_lck; /* locks shared variables shown above */
550 
551 /*
552  * Classification of XLogRecordInsert operations.
553  */
554 typedef enum
555 {
560 
561 static XLogCtlData *XLogCtl = NULL;
562 
563 /* a private copy of XLogCtl->Insert.WALInsertLocks, for convenience */
565 
566 /*
567  * We maintain an image of pg_control in shared memory.
568  */
570 
571 /*
572  * Calculate the amount of space left on the page after 'endptr'. Beware
573  * multiple evaluation!
574  */
575 #define INSERT_FREESPACE(endptr) \
576  (((endptr) % XLOG_BLCKSZ == 0) ? 0 : (XLOG_BLCKSZ - (endptr) % XLOG_BLCKSZ))
577 
578 /* Macro to advance to next buffer index. */
579 #define NextBufIdx(idx) \
580  (((idx) == XLogCtl->XLogCacheBlck) ? 0 : ((idx) + 1))
581 
582 /*
583  * XLogRecPtrToBufIdx returns the index of the WAL buffer that holds, or
584  * would hold if it was in cache, the page containing 'recptr'.
585  */
586 #define XLogRecPtrToBufIdx(recptr) \
587  (((recptr) / XLOG_BLCKSZ) % (XLogCtl->XLogCacheBlck + 1))
588 
589 /*
590  * These are the number of bytes in a WAL page usable for WAL data.
591  */
592 #define UsableBytesInPage (XLOG_BLCKSZ - SizeOfXLogShortPHD)
593 
594 /*
595  * Convert values of GUCs measured in megabytes to equiv. segment count.
596  * Rounds down.
597  */
598 #define ConvertToXSegs(x, segsize) XLogMBVarToSegs((x), (segsize))
599 
600 /* The number of bytes in a WAL segment usable for WAL data. */
602 
603 /*
604  * Private, possibly out-of-date copy of shared LogwrtResult.
605  * See discussion above.
606  */
607 static XLogwrtResult LogwrtResult = {0, 0};
608 
609 /*
610  * Update local copy of shared XLogCtl->log{Write,Flush}Result
611  *
612  * It's critical that Flush always trails Write, so the order of the reads is
613  * important, as is the barrier. See also XLogWrite.
614  */
615 #define RefreshXLogWriteResult(_target) \
616  do { \
617  _target.Flush = pg_atomic_read_u64(&XLogCtl->logFlushResult); \
618  pg_read_barrier(); \
619  _target.Write = pg_atomic_read_u64(&XLogCtl->logWriteResult); \
620  } while (0)
621 
622 /*
623  * openLogFile is -1 or a kernel FD for an open log file segment.
624  * openLogSegNo identifies the segment, and openLogTLI the corresponding TLI.
625  * These variables are only used to write the XLOG, and so will normally refer
626  * to the active segment.
627  *
628  * Note: call Reserve/ReleaseExternalFD to track consumption of this FD.
629  */
630 static int openLogFile = -1;
633 
634 /*
635  * Local copies of equivalent fields in the control file. When running
636  * crash recovery, LocalMinRecoveryPoint is set to InvalidXLogRecPtr as we
637  * expect to replay all the WAL available, and updateMinRecoveryPoint is
638  * switched to false to prevent any updates while replaying records.
639  * Those values are kept consistent as long as crash recovery runs.
640  */
643 static bool updateMinRecoveryPoint = true;
644 
645 /* For WALInsertLockAcquire/Release functions */
646 static int MyLockNo = 0;
647 static bool holdingAllLocks = false;
648 
649 #ifdef WAL_DEBUG
650 static MemoryContext walDebugCxt = NULL;
651 #endif
652 
653 static void CleanupAfterArchiveRecovery(TimeLineID EndOfLogTLI,
654  XLogRecPtr EndOfLog,
655  TimeLineID newTLI);
656 static void CheckRequiredParameterValues(void);
657 static void XLogReportParameters(void);
658 static int LocalSetXLogInsertAllowed(void);
659 static void CreateEndOfRecoveryRecord(void);
661  XLogRecPtr pagePtr,
662  TimeLineID newTLI);
663 static void CheckPointGuts(XLogRecPtr checkPointRedo, int flags);
664 static void KeepLogSeg(XLogRecPtr recptr, XLogSegNo *logSegNo);
666 
667 static void AdvanceXLInsertBuffer(XLogRecPtr upto, TimeLineID tli,
668  bool opportunistic);
669 static void XLogWrite(XLogwrtRqst WriteRqst, TimeLineID tli, bool flexible);
670 static bool InstallXLogFileSegment(XLogSegNo *segno, char *tmppath,
671  bool find_free, XLogSegNo max_segno,
672  TimeLineID tli);
673 static void XLogFileClose(void);
674 static void PreallocXlogFiles(XLogRecPtr endptr, TimeLineID tli);
675 static void RemoveTempXlogFiles(void);
676 static void RemoveOldXlogFiles(XLogSegNo segno, XLogRecPtr lastredoptr,
677  XLogRecPtr endptr, TimeLineID insertTLI);
678 static void RemoveXlogFile(const struct dirent *segment_de,
679  XLogSegNo recycleSegNo, XLogSegNo *endlogSegNo,
680  TimeLineID insertTLI);
681 static void UpdateLastRemovedPtr(char *filename);
682 static void ValidateXLOGDirectoryStructure(void);
683 static void CleanupBackupHistory(void);
684 static void UpdateMinRecoveryPoint(XLogRecPtr lsn, bool force);
685 static bool PerformRecoveryXLogAction(void);
686 static void InitControlFile(uint64 sysidentifier);
687 static void WriteControlFile(void);
688 static void ReadControlFile(void);
689 static void UpdateControlFile(void);
690 static char *str_time(pg_time_t tnow);
691 
692 static int get_sync_bit(int method);
693 
694 static void CopyXLogRecordToWAL(int write_len, bool isLogSwitch,
695  XLogRecData *rdata,
696  XLogRecPtr StartPos, XLogRecPtr EndPos,
697  TimeLineID tli);
698 static void ReserveXLogInsertLocation(int size, XLogRecPtr *StartPos,
699  XLogRecPtr *EndPos, XLogRecPtr *PrevPtr);
700 static bool ReserveXLogSwitch(XLogRecPtr *StartPos, XLogRecPtr *EndPos,
701  XLogRecPtr *PrevPtr);
703 static char *GetXLogBuffer(XLogRecPtr ptr, TimeLineID tli);
704 static XLogRecPtr XLogBytePosToRecPtr(uint64 bytepos);
705 static XLogRecPtr XLogBytePosToEndRecPtr(uint64 bytepos);
706 static uint64 XLogRecPtrToBytePos(XLogRecPtr ptr);
707 
708 static void WALInsertLockAcquire(void);
709 static void WALInsertLockAcquireExclusive(void);
710 static void WALInsertLockRelease(void);
711 static void WALInsertLockUpdateInsertingAt(XLogRecPtr insertingAt);
712 
713 /*
714  * Insert an XLOG record represented by an already-constructed chain of data
715  * chunks. This is a low-level routine; to construct the WAL record header
716  * and data, use the higher-level routines in xloginsert.c.
717  *
718  * If 'fpw_lsn' is valid, it is the oldest LSN among the pages that this
719  * WAL record applies to, that were not included in the record as full page
720  * images. If fpw_lsn <= RedoRecPtr, the function does not perform the
721  * insertion and returns InvalidXLogRecPtr. The caller can then recalculate
722  * which pages need a full-page image, and retry. If fpw_lsn is invalid, the
723  * record is always inserted.
724  *
725  * 'flags' gives more in-depth control on the record being inserted. See
726  * XLogSetRecordFlags() for details.
727  *
728  * 'topxid_included' tells whether the top-transaction id is logged along with
729  * current subtransaction. See XLogRecordAssemble().
730  *
731  * The first XLogRecData in the chain must be for the record header, and its
732  * data must be MAXALIGNed. XLogInsertRecord fills in the xl_prev and
733  * xl_crc fields in the header, the rest of the header must already be filled
734  * by the caller.
735  *
736  * Returns XLOG pointer to end of record (beginning of next record).
737  * This can be used as LSN for data pages affected by the logged action.
738  * (LSN is the XLOG point up to which the XLOG must be flushed to disk
739  * before the data page can be written out. This implements the basic
740  * WAL rule "write the log before the data".)
741  */
744  XLogRecPtr fpw_lsn,
745  uint8 flags,
746  int num_fpi,
747  bool topxid_included)
748 {
750  pg_crc32c rdata_crc;
751  bool inserted;
752  XLogRecord *rechdr = (XLogRecord *) rdata->data;
753  uint8 info = rechdr->xl_info & ~XLR_INFO_MASK;
755  XLogRecPtr StartPos;
756  XLogRecPtr EndPos;
757  bool prevDoPageWrites = doPageWrites;
758  TimeLineID insertTLI;
759 
760  /* Does this record type require special handling? */
761  if (unlikely(rechdr->xl_rmid == RM_XLOG_ID))
762  {
763  if (info == XLOG_SWITCH)
764  class = WALINSERT_SPECIAL_SWITCH;
765  else if (info == XLOG_CHECKPOINT_REDO)
767  }
768 
769  /* we assume that all of the record header is in the first chunk */
770  Assert(rdata->len >= SizeOfXLogRecord);
771 
772  /* cross-check on whether we should be here or not */
773  if (!XLogInsertAllowed())
774  elog(ERROR, "cannot make new WAL entries during recovery");
775 
776  /*
777  * Given that we're not in recovery, InsertTimeLineID is set and can't
778  * change, so we can read it without a lock.
779  */
780  insertTLI = XLogCtl->InsertTimeLineID;
781 
782  /*----------
783  *
784  * We have now done all the preparatory work we can without holding a
785  * lock or modifying shared state. From here on, inserting the new WAL
786  * record to the shared WAL buffer cache is a two-step process:
787  *
788  * 1. Reserve the right amount of space from the WAL. The current head of
789  * reserved space is kept in Insert->CurrBytePos, and is protected by
790  * insertpos_lck.
791  *
792  * 2. Copy the record to the reserved WAL space. This involves finding the
793  * correct WAL buffer containing the reserved space, and copying the
794  * record in place. This can be done concurrently in multiple processes.
795  *
796  * To keep track of which insertions are still in-progress, each concurrent
797  * inserter acquires an insertion lock. In addition to just indicating that
798  * an insertion is in progress, the lock tells others how far the inserter
799  * has progressed. There is a small fixed number of insertion locks,
800  * determined by NUM_XLOGINSERT_LOCKS. When an inserter crosses a page
801  * boundary, it updates the value stored in the lock to the how far it has
802  * inserted, to allow the previous buffer to be flushed.
803  *
804  * Holding onto an insertion lock also protects RedoRecPtr and
805  * fullPageWrites from changing until the insertion is finished.
806  *
807  * Step 2 can usually be done completely in parallel. If the required WAL
808  * page is not initialized yet, you have to grab WALBufMappingLock to
809  * initialize it, but the WAL writer tries to do that ahead of insertions
810  * to avoid that from happening in the critical path.
811  *
812  *----------
813  */
815 
816  if (likely(class == WALINSERT_NORMAL))
817  {
819 
820  /*
821  * Check to see if my copy of RedoRecPtr is out of date. If so, may
822  * have to go back and have the caller recompute everything. This can
823  * only happen just after a checkpoint, so it's better to be slow in
824  * this case and fast otherwise.
825  *
826  * Also check to see if fullPageWrites was just turned on or there's a
827  * running backup (which forces full-page writes); if we weren't
828  * already doing full-page writes then go back and recompute.
829  *
830  * If we aren't doing full-page writes then RedoRecPtr doesn't
831  * actually affect the contents of the XLOG record, so we'll update
832  * our local copy but not force a recomputation. (If doPageWrites was
833  * just turned off, we could recompute the record without full pages,
834  * but we choose not to bother.)
835  */
836  if (RedoRecPtr != Insert->RedoRecPtr)
837  {
838  Assert(RedoRecPtr < Insert->RedoRecPtr);
839  RedoRecPtr = Insert->RedoRecPtr;
840  }
841  doPageWrites = (Insert->fullPageWrites || Insert->runningBackups > 0);
842 
843  if (doPageWrites &&
844  (!prevDoPageWrites ||
845  (fpw_lsn != InvalidXLogRecPtr && fpw_lsn <= RedoRecPtr)))
846  {
847  /*
848  * Oops, some buffer now needs to be backed up that the caller
849  * didn't back up. Start over.
850  */
853  return InvalidXLogRecPtr;
854  }
855 
856  /*
857  * Reserve space for the record in the WAL. This also sets the xl_prev
858  * pointer.
859  */
860  ReserveXLogInsertLocation(rechdr->xl_tot_len, &StartPos, &EndPos,
861  &rechdr->xl_prev);
862 
863  /* Normal records are always inserted. */
864  inserted = true;
865  }
866  else if (class == WALINSERT_SPECIAL_SWITCH)
867  {
868  /*
869  * In order to insert an XLOG_SWITCH record, we need to hold all of
870  * the WAL insertion locks, not just one, so that no one else can
871  * begin inserting a record until we've figured out how much space
872  * remains in the current WAL segment and claimed all of it.
873  *
874  * Nonetheless, this case is simpler than the normal cases handled
875  * below, which must check for changes in doPageWrites and RedoRecPtr.
876  * Those checks are only needed for records that can contain buffer
877  * references, and an XLOG_SWITCH record never does.
878  */
879  Assert(fpw_lsn == InvalidXLogRecPtr);
881  inserted = ReserveXLogSwitch(&StartPos, &EndPos, &rechdr->xl_prev);
882  }
883  else
884  {
886 
887  /*
888  * We need to update both the local and shared copies of RedoRecPtr,
889  * which means that we need to hold all the WAL insertion locks.
890  * However, there can't be any buffer references, so as above, we need
891  * not check RedoRecPtr before inserting the record; we just need to
892  * update it afterwards.
893  */
894  Assert(fpw_lsn == InvalidXLogRecPtr);
896  ReserveXLogInsertLocation(rechdr->xl_tot_len, &StartPos, &EndPos,
897  &rechdr->xl_prev);
898  RedoRecPtr = Insert->RedoRecPtr = StartPos;
899  inserted = true;
900  }
901 
902  if (inserted)
903  {
904  /*
905  * Now that xl_prev has been filled in, calculate CRC of the record
906  * header.
907  */
908  rdata_crc = rechdr->xl_crc;
909  COMP_CRC32C(rdata_crc, rechdr, offsetof(XLogRecord, xl_crc));
910  FIN_CRC32C(rdata_crc);
911  rechdr->xl_crc = rdata_crc;
912 
913  /*
914  * All the record data, including the header, is now ready to be
915  * inserted. Copy the record in the space reserved.
916  */
918  class == WALINSERT_SPECIAL_SWITCH, rdata,
919  StartPos, EndPos, insertTLI);
920 
921  /*
922  * Unless record is flagged as not important, update LSN of last
923  * important record in the current slot. When holding all locks, just
924  * update the first one.
925  */
926  if ((flags & XLOG_MARK_UNIMPORTANT) == 0)
927  {
928  int lockno = holdingAllLocks ? 0 : MyLockNo;
929 
930  WALInsertLocks[lockno].l.lastImportantAt = StartPos;
931  }
932  }
933  else
934  {
935  /*
936  * This was an xlog-switch record, but the current insert location was
937  * already exactly at the beginning of a segment, so there was no need
938  * to do anything.
939  */
940  }
941 
942  /*
943  * Done! Let others know that we're finished.
944  */
946 
948 
950 
951  /*
952  * Mark top transaction id is logged (if needed) so that we should not try
953  * to log it again with the next WAL record in the current subtransaction.
954  */
955  if (topxid_included)
957 
958  /*
959  * Update shared LogwrtRqst.Write, if we crossed page boundary.
960  */
961  if (StartPos / XLOG_BLCKSZ != EndPos / XLOG_BLCKSZ)
962  {
964  /* advance global request to include new block(s) */
965  if (XLogCtl->LogwrtRqst.Write < EndPos)
966  XLogCtl->LogwrtRqst.Write = EndPos;
969  }
970 
971  /*
972  * If this was an XLOG_SWITCH record, flush the record and the empty
973  * padding space that fills the rest of the segment, and perform
974  * end-of-segment actions (eg, notifying archiver).
975  */
976  if (class == WALINSERT_SPECIAL_SWITCH)
977  {
978  TRACE_POSTGRESQL_WAL_SWITCH();
979  XLogFlush(EndPos);
980 
981  /*
982  * Even though we reserved the rest of the segment for us, which is
983  * reflected in EndPos, we return a pointer to just the end of the
984  * xlog-switch record.
985  */
986  if (inserted)
987  {
988  EndPos = StartPos + SizeOfXLogRecord;
989  if (StartPos / XLOG_BLCKSZ != EndPos / XLOG_BLCKSZ)
990  {
991  uint64 offset = XLogSegmentOffset(EndPos, wal_segment_size);
992 
993  if (offset == EndPos % XLOG_BLCKSZ)
994  EndPos += SizeOfXLogLongPHD;
995  else
996  EndPos += SizeOfXLogShortPHD;
997  }
998  }
999  }
1000 
1001 #ifdef WAL_DEBUG
1002  if (XLOG_DEBUG)
1003  {
1004  static XLogReaderState *debug_reader = NULL;
1005  XLogRecord *record;
1006  DecodedXLogRecord *decoded;
1008  StringInfoData recordBuf;
1009  char *errormsg = NULL;
1010  MemoryContext oldCxt;
1011 
1012  oldCxt = MemoryContextSwitchTo(walDebugCxt);
1013 
1014  initStringInfo(&buf);
1015  appendStringInfo(&buf, "INSERT @ %X/%X: ", LSN_FORMAT_ARGS(EndPos));
1016 
1017  /*
1018  * We have to piece together the WAL record data from the XLogRecData
1019  * entries, so that we can pass it to the rm_desc function as one
1020  * contiguous chunk.
1021  */
1022  initStringInfo(&recordBuf);
1023  for (; rdata != NULL; rdata = rdata->next)
1024  appendBinaryStringInfo(&recordBuf, rdata->data, rdata->len);
1025 
1026  /* We also need temporary space to decode the record. */
1027  record = (XLogRecord *) recordBuf.data;
1028  decoded = (DecodedXLogRecord *)
1030 
1031  if (!debug_reader)
1032  debug_reader = XLogReaderAllocate(wal_segment_size, NULL,
1033  XL_ROUTINE(.page_read = NULL,
1034  .segment_open = NULL,
1035  .segment_close = NULL),
1036  NULL);
1037  if (!debug_reader)
1038  {
1039  appendStringInfoString(&buf, "error decoding record: out of memory while allocating a WAL reading processor");
1040  }
1041  else if (!DecodeXLogRecord(debug_reader,
1042  decoded,
1043  record,
1044  EndPos,
1045  &errormsg))
1046  {
1047  appendStringInfo(&buf, "error decoding record: %s",
1048  errormsg ? errormsg : "no error message");
1049  }
1050  else
1051  {
1052  appendStringInfoString(&buf, " - ");
1053 
1054  debug_reader->record = decoded;
1055  xlog_outdesc(&buf, debug_reader);
1056  debug_reader->record = NULL;
1057  }
1058  elog(LOG, "%s", buf.data);
1059 
1060  pfree(decoded);
1061  pfree(buf.data);
1062  pfree(recordBuf.data);
1063  MemoryContextSwitchTo(oldCxt);
1064  }
1065 #endif
1066 
1067  /*
1068  * Update our global variables
1069  */
1070  ProcLastRecPtr = StartPos;
1071  XactLastRecEnd = EndPos;
1072 
1073  /* Report WAL traffic to the instrumentation. */
1074  if (inserted)
1075  {
1076  pgWalUsage.wal_bytes += rechdr->xl_tot_len;
1078  pgWalUsage.wal_fpi += num_fpi;
1079  }
1080 
1081  return EndPos;
1082 }
1083 
1084 /*
1085  * Reserves the right amount of space for a record of given size from the WAL.
1086  * *StartPos is set to the beginning of the reserved section, *EndPos to
1087  * its end+1. *PrevPtr is set to the beginning of the previous record; it is
1088  * used to set the xl_prev of this record.
1089  *
1090  * This is the performance critical part of XLogInsert that must be serialized
1091  * across backends. The rest can happen mostly in parallel. Try to keep this
1092  * section as short as possible, insertpos_lck can be heavily contended on a
1093  * busy system.
1094  *
1095  * NB: The space calculation here must match the code in CopyXLogRecordToWAL,
1096  * where we actually copy the record to the reserved space.
1097  *
1098  * NB: Testing shows that XLogInsertRecord runs faster if this code is inlined;
1099  * however, because there are two call sites, the compiler is reluctant to
1100  * inline. We use pg_attribute_always_inline here to try to convince it.
1101  */
1102 static pg_attribute_always_inline void
1104  XLogRecPtr *PrevPtr)
1105 {
1107  uint64 startbytepos;
1108  uint64 endbytepos;
1109  uint64 prevbytepos;
1110 
1111  size = MAXALIGN(size);
1112 
1113  /* All (non xlog-switch) records should contain data. */
1115 
1116  /*
1117  * The duration the spinlock needs to be held is minimized by minimizing
1118  * the calculations that have to be done while holding the lock. The
1119  * current tip of reserved WAL is kept in CurrBytePos, as a byte position
1120  * that only counts "usable" bytes in WAL, that is, it excludes all WAL
1121  * page headers. The mapping between "usable" byte positions and physical
1122  * positions (XLogRecPtrs) can be done outside the locked region, and
1123  * because the usable byte position doesn't include any headers, reserving
1124  * X bytes from WAL is almost as simple as "CurrBytePos += X".
1125  */
1126  SpinLockAcquire(&Insert->insertpos_lck);
1127 
1128  startbytepos = Insert->CurrBytePos;
1129  endbytepos = startbytepos + size;
1130  prevbytepos = Insert->PrevBytePos;
1131  Insert->CurrBytePos = endbytepos;
1132  Insert->PrevBytePos = startbytepos;
1133 
1134  SpinLockRelease(&Insert->insertpos_lck);
1135 
1136  *StartPos = XLogBytePosToRecPtr(startbytepos);
1137  *EndPos = XLogBytePosToEndRecPtr(endbytepos);
1138  *PrevPtr = XLogBytePosToRecPtr(prevbytepos);
1139 
1140  /*
1141  * Check that the conversions between "usable byte positions" and
1142  * XLogRecPtrs work consistently in both directions.
1143  */
1144  Assert(XLogRecPtrToBytePos(*StartPos) == startbytepos);
1145  Assert(XLogRecPtrToBytePos(*EndPos) == endbytepos);
1146  Assert(XLogRecPtrToBytePos(*PrevPtr) == prevbytepos);
1147 }
1148 
1149 /*
1150  * Like ReserveXLogInsertLocation(), but for an xlog-switch record.
1151  *
1152  * A log-switch record is handled slightly differently. The rest of the
1153  * segment will be reserved for this insertion, as indicated by the returned
1154  * *EndPos value. However, if we are already at the beginning of the current
1155  * segment, *StartPos and *EndPos are set to the current location without
1156  * reserving any space, and the function returns false.
1157 */
1158 static bool
1159 ReserveXLogSwitch(XLogRecPtr *StartPos, XLogRecPtr *EndPos, XLogRecPtr *PrevPtr)
1160 {
1162  uint64 startbytepos;
1163  uint64 endbytepos;
1164  uint64 prevbytepos;
1166  XLogRecPtr ptr;
1167  uint32 segleft;
1168 
1169  /*
1170  * These calculations are a bit heavy-weight to be done while holding a
1171  * spinlock, but since we're holding all the WAL insertion locks, there
1172  * are no other inserters competing for it. GetXLogInsertRecPtr() does
1173  * compete for it, but that's not called very frequently.
1174  */
1175  SpinLockAcquire(&Insert->insertpos_lck);
1176 
1177  startbytepos = Insert->CurrBytePos;
1178 
1179  ptr = XLogBytePosToEndRecPtr(startbytepos);
1180  if (XLogSegmentOffset(ptr, wal_segment_size) == 0)
1181  {
1182  SpinLockRelease(&Insert->insertpos_lck);
1183  *EndPos = *StartPos = ptr;
1184  return false;
1185  }
1186 
1187  endbytepos = startbytepos + size;
1188  prevbytepos = Insert->PrevBytePos;
1189 
1190  *StartPos = XLogBytePosToRecPtr(startbytepos);
1191  *EndPos = XLogBytePosToEndRecPtr(endbytepos);
1192 
1193  segleft = wal_segment_size - XLogSegmentOffset(*EndPos, wal_segment_size);
1194  if (segleft != wal_segment_size)
1195  {
1196  /* consume the rest of the segment */
1197  *EndPos += segleft;
1198  endbytepos = XLogRecPtrToBytePos(*EndPos);
1199  }
1200  Insert->CurrBytePos = endbytepos;
1201  Insert->PrevBytePos = startbytepos;
1202 
1203  SpinLockRelease(&Insert->insertpos_lck);
1204 
1205  *PrevPtr = XLogBytePosToRecPtr(prevbytepos);
1206 
1207  Assert(XLogSegmentOffset(*EndPos, wal_segment_size) == 0);
1208  Assert(XLogRecPtrToBytePos(*EndPos) == endbytepos);
1209  Assert(XLogRecPtrToBytePos(*StartPos) == startbytepos);
1210  Assert(XLogRecPtrToBytePos(*PrevPtr) == prevbytepos);
1211 
1212  return true;
1213 }
1214 
1215 /*
1216  * Subroutine of XLogInsertRecord. Copies a WAL record to an already-reserved
1217  * area in the WAL.
1218  */
1219 static void
1220 CopyXLogRecordToWAL(int write_len, bool isLogSwitch, XLogRecData *rdata,
1221  XLogRecPtr StartPos, XLogRecPtr EndPos, TimeLineID tli)
1222 {
1223  char *currpos;
1224  int freespace;
1225  int written;
1226  XLogRecPtr CurrPos;
1227  XLogPageHeader pagehdr;
1228 
1229  /*
1230  * Get a pointer to the right place in the right WAL buffer to start
1231  * inserting to.
1232  */
1233  CurrPos = StartPos;
1234  currpos = GetXLogBuffer(CurrPos, tli);
1235  freespace = INSERT_FREESPACE(CurrPos);
1236 
1237  /*
1238  * there should be enough space for at least the first field (xl_tot_len)
1239  * on this page.
1240  */
1241  Assert(freespace >= sizeof(uint32));
1242 
1243  /* Copy record data */
1244  written = 0;
1245  while (rdata != NULL)
1246  {
1247  char *rdata_data = rdata->data;
1248  int rdata_len = rdata->len;
1249 
1250  while (rdata_len > freespace)
1251  {
1252  /*
1253  * Write what fits on this page, and continue on the next page.
1254  */
1255  Assert(CurrPos % XLOG_BLCKSZ >= SizeOfXLogShortPHD || freespace == 0);
1256  memcpy(currpos, rdata_data, freespace);
1257  rdata_data += freespace;
1258  rdata_len -= freespace;
1259  written += freespace;
1260  CurrPos += freespace;
1261 
1262  /*
1263  * Get pointer to beginning of next page, and set the xlp_rem_len
1264  * in the page header. Set XLP_FIRST_IS_CONTRECORD.
1265  *
1266  * It's safe to set the contrecord flag and xlp_rem_len without a
1267  * lock on the page. All the other flags were already set when the
1268  * page was initialized, in AdvanceXLInsertBuffer, and we're the
1269  * only backend that needs to set the contrecord flag.
1270  */
1271  currpos = GetXLogBuffer(CurrPos, tli);
1272  pagehdr = (XLogPageHeader) currpos;
1273  pagehdr->xlp_rem_len = write_len - written;
1274  pagehdr->xlp_info |= XLP_FIRST_IS_CONTRECORD;
1275 
1276  /* skip over the page header */
1277  if (XLogSegmentOffset(CurrPos, wal_segment_size) == 0)
1278  {
1279  CurrPos += SizeOfXLogLongPHD;
1280  currpos += SizeOfXLogLongPHD;
1281  }
1282  else
1283  {
1284  CurrPos += SizeOfXLogShortPHD;
1285  currpos += SizeOfXLogShortPHD;
1286  }
1287  freespace = INSERT_FREESPACE(CurrPos);
1288  }
1289 
1290  Assert(CurrPos % XLOG_BLCKSZ >= SizeOfXLogShortPHD || rdata_len == 0);
1291  memcpy(currpos, rdata_data, rdata_len);
1292  currpos += rdata_len;
1293  CurrPos += rdata_len;
1294  freespace -= rdata_len;
1295  written += rdata_len;
1296 
1297  rdata = rdata->next;
1298  }
1299  Assert(written == write_len);
1300 
1301  /*
1302  * If this was an xlog-switch, it's not enough to write the switch record,
1303  * we also have to consume all the remaining space in the WAL segment. We
1304  * have already reserved that space, but we need to actually fill it.
1305  */
1306  if (isLogSwitch && XLogSegmentOffset(CurrPos, wal_segment_size) != 0)
1307  {
1308  /* An xlog-switch record doesn't contain any data besides the header */
1309  Assert(write_len == SizeOfXLogRecord);
1310 
1311  /* Assert that we did reserve the right amount of space */
1312  Assert(XLogSegmentOffset(EndPos, wal_segment_size) == 0);
1313 
1314  /* Use up all the remaining space on the current page */
1315  CurrPos += freespace;
1316 
1317  /*
1318  * Cause all remaining pages in the segment to be flushed, leaving the
1319  * XLog position where it should be, at the start of the next segment.
1320  * We do this one page at a time, to make sure we don't deadlock
1321  * against ourselves if wal_buffers < wal_segment_size.
1322  */
1323  while (CurrPos < EndPos)
1324  {
1325  /*
1326  * The minimal action to flush the page would be to call
1327  * WALInsertLockUpdateInsertingAt(CurrPos) followed by
1328  * AdvanceXLInsertBuffer(...). The page would be left initialized
1329  * mostly to zeros, except for the page header (always the short
1330  * variant, as this is never a segment's first page).
1331  *
1332  * The large vistas of zeros are good for compressibility, but the
1333  * headers interrupting them every XLOG_BLCKSZ (with values that
1334  * differ from page to page) are not. The effect varies with
1335  * compression tool, but bzip2 for instance compresses about an
1336  * order of magnitude worse if those headers are left in place.
1337  *
1338  * Rather than complicating AdvanceXLInsertBuffer itself (which is
1339  * called in heavily-loaded circumstances as well as this lightly-
1340  * loaded one) with variant behavior, we just use GetXLogBuffer
1341  * (which itself calls the two methods we need) to get the pointer
1342  * and zero most of the page. Then we just zero the page header.
1343  */
1344  currpos = GetXLogBuffer(CurrPos, tli);
1345  MemSet(currpos, 0, SizeOfXLogShortPHD);
1346 
1347  CurrPos += XLOG_BLCKSZ;
1348  }
1349  }
1350  else
1351  {
1352  /* Align the end position, so that the next record starts aligned */
1353  CurrPos = MAXALIGN64(CurrPos);
1354  }
1355 
1356  if (CurrPos != EndPos)
1357  ereport(PANIC,
1359  errmsg_internal("space reserved for WAL record does not match what was written"));
1360 }
1361 
1362 /*
1363  * Acquire a WAL insertion lock, for inserting to WAL.
1364  */
1365 static void
1367 {
1368  bool immed;
1369 
1370  /*
1371  * It doesn't matter which of the WAL insertion locks we acquire, so try
1372  * the one we used last time. If the system isn't particularly busy, it's
1373  * a good bet that it's still available, and it's good to have some
1374  * affinity to a particular lock so that you don't unnecessarily bounce
1375  * cache lines between processes when there's no contention.
1376  *
1377  * If this is the first time through in this backend, pick a lock
1378  * (semi-)randomly. This allows the locks to be used evenly if you have a
1379  * lot of very short connections.
1380  */
1381  static int lockToTry = -1;
1382 
1383  if (lockToTry == -1)
1384  lockToTry = MyProcNumber % NUM_XLOGINSERT_LOCKS;
1385  MyLockNo = lockToTry;
1386 
1387  /*
1388  * The insertingAt value is initially set to 0, as we don't know our
1389  * insert location yet.
1390  */
1392  if (!immed)
1393  {
1394  /*
1395  * If we couldn't get the lock immediately, try another lock next
1396  * time. On a system with more insertion locks than concurrent
1397  * inserters, this causes all the inserters to eventually migrate to a
1398  * lock that no-one else is using. On a system with more inserters
1399  * than locks, it still helps to distribute the inserters evenly
1400  * across the locks.
1401  */
1402  lockToTry = (lockToTry + 1) % NUM_XLOGINSERT_LOCKS;
1403  }
1404 }
1405 
1406 /*
1407  * Acquire all WAL insertion locks, to prevent other backends from inserting
1408  * to WAL.
1409  */
1410 static void
1412 {
1413  int i;
1414 
1415  /*
1416  * When holding all the locks, all but the last lock's insertingAt
1417  * indicator is set to 0xFFFFFFFFFFFFFFFF, which is higher than any real
1418  * XLogRecPtr value, to make sure that no-one blocks waiting on those.
1419  */
1420  for (i = 0; i < NUM_XLOGINSERT_LOCKS - 1; i++)
1421  {
1423  LWLockUpdateVar(&WALInsertLocks[i].l.lock,
1425  PG_UINT64_MAX);
1426  }
1427  /* Variable value reset to 0 at release */
1429 
1430  holdingAllLocks = true;
1431 }
1432 
1433 /*
1434  * Release our insertion lock (or locks, if we're holding them all).
1435  *
1436  * NB: Reset all variables to 0, so they cause LWLockWaitForVar to block the
1437  * next time the lock is acquired.
1438  */
1439 static void
1441 {
1442  if (holdingAllLocks)
1443  {
1444  int i;
1445 
1446  for (i = 0; i < NUM_XLOGINSERT_LOCKS; i++)
1449  0);
1450 
1451  holdingAllLocks = false;
1452  }
1453  else
1454  {
1457  0);
1458  }
1459 }
1460 
1461 /*
1462  * Update our insertingAt value, to let others know that we've finished
1463  * inserting up to that point.
1464  */
1465 static void
1467 {
1468  if (holdingAllLocks)
1469  {
1470  /*
1471  * We use the last lock to mark our actual position, see comments in
1472  * WALInsertLockAcquireExclusive.
1473  */
1476  insertingAt);
1477  }
1478  else
1481  insertingAt);
1482 }
1483 
1484 /*
1485  * Wait for any WAL insertions < upto to finish.
1486  *
1487  * Returns the location of the oldest insertion that is still in-progress.
1488  * Any WAL prior to that point has been fully copied into WAL buffers, and
1489  * can be flushed out to disk. Because this waits for any insertions older
1490  * than 'upto' to finish, the return value is always >= 'upto'.
1491  *
1492  * Note: When you are about to write out WAL, you must call this function
1493  * *before* acquiring WALWriteLock, to avoid deadlocks. This function might
1494  * need to wait for an insertion to finish (or at least advance to next
1495  * uninitialized page), and the inserter might need to evict an old WAL buffer
1496  * to make room for a new one, which in turn requires WALWriteLock.
1497  */
1498 static XLogRecPtr
1500 {
1501  uint64 bytepos;
1502  XLogRecPtr inserted;
1503  XLogRecPtr reservedUpto;
1504  XLogRecPtr finishedUpto;
1506  int i;
1507 
1508  if (MyProc == NULL)
1509  elog(PANIC, "cannot wait without a PGPROC structure");
1510 
1511  /*
1512  * Check if there's any work to do. Use a barrier to ensure we get the
1513  * freshest value.
1514  */
1516  if (upto <= inserted)
1517  return inserted;
1518 
1519  /* Read the current insert position */
1520  SpinLockAcquire(&Insert->insertpos_lck);
1521  bytepos = Insert->CurrBytePos;
1522  SpinLockRelease(&Insert->insertpos_lck);
1523  reservedUpto = XLogBytePosToEndRecPtr(bytepos);
1524 
1525  /*
1526  * No-one should request to flush a piece of WAL that hasn't even been
1527  * reserved yet. However, it can happen if there is a block with a bogus
1528  * LSN on disk, for example. XLogFlush checks for that situation and
1529  * complains, but only after the flush. Here we just assume that to mean
1530  * that all WAL that has been reserved needs to be finished. In this
1531  * corner-case, the return value can be smaller than 'upto' argument.
1532  */
1533  if (upto > reservedUpto)
1534  {
1535  ereport(LOG,
1536  (errmsg("request to flush past end of generated WAL; request %X/%X, current position %X/%X",
1537  LSN_FORMAT_ARGS(upto), LSN_FORMAT_ARGS(reservedUpto))));
1538  upto = reservedUpto;
1539  }
1540 
1541  /*
1542  * Loop through all the locks, sleeping on any in-progress insert older
1543  * than 'upto'.
1544  *
1545  * finishedUpto is our return value, indicating the point upto which all
1546  * the WAL insertions have been finished. Initialize it to the head of
1547  * reserved WAL, and as we iterate through the insertion locks, back it
1548  * out for any insertion that's still in progress.
1549  */
1550  finishedUpto = reservedUpto;
1551  for (i = 0; i < NUM_XLOGINSERT_LOCKS; i++)
1552  {
1553  XLogRecPtr insertingat = InvalidXLogRecPtr;
1554 
1555  do
1556  {
1557  /*
1558  * See if this insertion is in progress. LWLockWaitForVar will
1559  * wait for the lock to be released, or for the 'value' to be set
1560  * by a LWLockUpdateVar call. When a lock is initially acquired,
1561  * its value is 0 (InvalidXLogRecPtr), which means that we don't
1562  * know where it's inserting yet. We will have to wait for it. If
1563  * it's a small insertion, the record will most likely fit on the
1564  * same page and the inserter will release the lock without ever
1565  * calling LWLockUpdateVar. But if it has to sleep, it will
1566  * advertise the insertion point with LWLockUpdateVar before
1567  * sleeping.
1568  *
1569  * In this loop we are only waiting for insertions that started
1570  * before WaitXLogInsertionsToFinish was called. The lack of
1571  * memory barriers in the loop means that we might see locks as
1572  * "unused" that have since become used. This is fine because
1573  * they only can be used for later insertions that we would not
1574  * want to wait on anyway. Not taking a lock to acquire the
1575  * current insertingAt value means that we might see older
1576  * insertingAt values. This is also fine, because if we read a
1577  * value too old, we will add ourselves to the wait queue, which
1578  * contains atomic operations.
1579  */
1580  if (LWLockWaitForVar(&WALInsertLocks[i].l.lock,
1582  insertingat, &insertingat))
1583  {
1584  /* the lock was free, so no insertion in progress */
1585  insertingat = InvalidXLogRecPtr;
1586  break;
1587  }
1588 
1589  /*
1590  * This insertion is still in progress. Have to wait, unless the
1591  * inserter has proceeded past 'upto'.
1592  */
1593  } while (insertingat < upto);
1594 
1595  if (insertingat != InvalidXLogRecPtr && insertingat < finishedUpto)
1596  finishedUpto = insertingat;
1597  }
1598 
1599  /*
1600  * Advance the limit we know to have been inserted and return the freshest
1601  * value we know of, which might be beyond what we requested if somebody
1602  * is concurrently doing this with an 'upto' pointer ahead of us.
1603  */
1605  finishedUpto);
1606 
1607  return finishedUpto;
1608 }
1609 
1610 /*
1611  * Get a pointer to the right location in the WAL buffer containing the
1612  * given XLogRecPtr.
1613  *
1614  * If the page is not initialized yet, it is initialized. That might require
1615  * evicting an old dirty buffer from the buffer cache, which means I/O.
1616  *
1617  * The caller must ensure that the page containing the requested location
1618  * isn't evicted yet, and won't be evicted. The way to ensure that is to
1619  * hold onto a WAL insertion lock with the insertingAt position set to
1620  * something <= ptr. GetXLogBuffer() will update insertingAt if it needs
1621  * to evict an old page from the buffer. (This means that once you call
1622  * GetXLogBuffer() with a given 'ptr', you must not access anything before
1623  * that point anymore, and must not call GetXLogBuffer() with an older 'ptr'
1624  * later, because older buffers might be recycled already)
1625  */
1626 static char *
1628 {
1629  int idx;
1630  XLogRecPtr endptr;
1631  static uint64 cachedPage = 0;
1632  static char *cachedPos = NULL;
1633  XLogRecPtr expectedEndPtr;
1634 
1635  /*
1636  * Fast path for the common case that we need to access again the same
1637  * page as last time.
1638  */
1639  if (ptr / XLOG_BLCKSZ == cachedPage)
1640  {
1641  Assert(((XLogPageHeader) cachedPos)->xlp_magic == XLOG_PAGE_MAGIC);
1642  Assert(((XLogPageHeader) cachedPos)->xlp_pageaddr == ptr - (ptr % XLOG_BLCKSZ));
1643  return cachedPos + ptr % XLOG_BLCKSZ;
1644  }
1645 
1646  /*
1647  * The XLog buffer cache is organized so that a page is always loaded to a
1648  * particular buffer. That way we can easily calculate the buffer a given
1649  * page must be loaded into, from the XLogRecPtr alone.
1650  */
1651  idx = XLogRecPtrToBufIdx(ptr);
1652 
1653  /*
1654  * See what page is loaded in the buffer at the moment. It could be the
1655  * page we're looking for, or something older. It can't be anything newer
1656  * - that would imply the page we're looking for has already been written
1657  * out to disk and evicted, and the caller is responsible for making sure
1658  * that doesn't happen.
1659  *
1660  * We don't hold a lock while we read the value. If someone is just about
1661  * to initialize or has just initialized the page, it's possible that we
1662  * get InvalidXLogRecPtr. That's ok, we'll grab the mapping lock (in
1663  * AdvanceXLInsertBuffer) and retry if we see anything other than the page
1664  * we're looking for.
1665  */
1666  expectedEndPtr = ptr;
1667  expectedEndPtr += XLOG_BLCKSZ - ptr % XLOG_BLCKSZ;
1668 
1669  endptr = pg_atomic_read_u64(&XLogCtl->xlblocks[idx]);
1670  if (expectedEndPtr != endptr)
1671  {
1672  XLogRecPtr initializedUpto;
1673 
1674  /*
1675  * Before calling AdvanceXLInsertBuffer(), which can block, let others
1676  * know how far we're finished with inserting the record.
1677  *
1678  * NB: If 'ptr' points to just after the page header, advertise a
1679  * position at the beginning of the page rather than 'ptr' itself. If
1680  * there are no other insertions running, someone might try to flush
1681  * up to our advertised location. If we advertised a position after
1682  * the page header, someone might try to flush the page header, even
1683  * though page might actually not be initialized yet. As the first
1684  * inserter on the page, we are effectively responsible for making
1685  * sure that it's initialized, before we let insertingAt to move past
1686  * the page header.
1687  */
1688  if (ptr % XLOG_BLCKSZ == SizeOfXLogShortPHD &&
1689  XLogSegmentOffset(ptr, wal_segment_size) > XLOG_BLCKSZ)
1690  initializedUpto = ptr - SizeOfXLogShortPHD;
1691  else if (ptr % XLOG_BLCKSZ == SizeOfXLogLongPHD &&
1692  XLogSegmentOffset(ptr, wal_segment_size) < XLOG_BLCKSZ)
1693  initializedUpto = ptr - SizeOfXLogLongPHD;
1694  else
1695  initializedUpto = ptr;
1696 
1697  WALInsertLockUpdateInsertingAt(initializedUpto);
1698 
1699  AdvanceXLInsertBuffer(ptr, tli, false);
1700  endptr = pg_atomic_read_u64(&XLogCtl->xlblocks[idx]);
1701 
1702  if (expectedEndPtr != endptr)
1703  elog(PANIC, "could not find WAL buffer for %X/%X",
1704  LSN_FORMAT_ARGS(ptr));
1705  }
1706  else
1707  {
1708  /*
1709  * Make sure the initialization of the page is visible to us, and
1710  * won't arrive later to overwrite the WAL data we write on the page.
1711  */
1713  }
1714 
1715  /*
1716  * Found the buffer holding this page. Return a pointer to the right
1717  * offset within the page.
1718  */
1719  cachedPage = ptr / XLOG_BLCKSZ;
1720  cachedPos = XLogCtl->pages + idx * (Size) XLOG_BLCKSZ;
1721 
1722  Assert(((XLogPageHeader) cachedPos)->xlp_magic == XLOG_PAGE_MAGIC);
1723  Assert(((XLogPageHeader) cachedPos)->xlp_pageaddr == ptr - (ptr % XLOG_BLCKSZ));
1724 
1725  return cachedPos + ptr % XLOG_BLCKSZ;
1726 }
1727 
1728 /*
1729  * Read WAL data directly from WAL buffers, if available. Returns the number
1730  * of bytes read successfully.
1731  *
1732  * Fewer than 'count' bytes may be read if some of the requested WAL data has
1733  * already been evicted.
1734  *
1735  * No locks are taken.
1736  *
1737  * Caller should ensure that it reads no further than LogwrtResult.Write
1738  * (which should have been updated by the caller when determining how far to
1739  * read). The 'tli' argument is only used as a convenient safety check so that
1740  * callers do not read from WAL buffers on a historical timeline.
1741  */
1742 Size
1743 WALReadFromBuffers(char *dstbuf, XLogRecPtr startptr, Size count,
1744  TimeLineID tli)
1745 {
1746  char *pdst = dstbuf;
1747  XLogRecPtr recptr = startptr;
1748  XLogRecPtr inserted;
1749  Size nbytes = count;
1750 
1751  if (RecoveryInProgress() || tli != GetWALInsertionTimeLine())
1752  return 0;
1753 
1754  Assert(!XLogRecPtrIsInvalid(startptr));
1755 
1756  /*
1757  * Caller should ensure that the requested data has been inserted into WAL
1758  * buffers before we try to read it.
1759  */
1761  if (startptr + count > inserted)
1762  ereport(ERROR,
1763  errmsg("cannot read past end of generated WAL: requested %X/%X, current position %X/%X",
1764  LSN_FORMAT_ARGS(startptr + count),
1765  LSN_FORMAT_ARGS(inserted)));
1766 
1767  /*
1768  * Loop through the buffers without a lock. For each buffer, atomically
1769  * read and verify the end pointer, then copy the data out, and finally
1770  * re-read and re-verify the end pointer.
1771  *
1772  * Once a page is evicted, it never returns to the WAL buffers, so if the
1773  * end pointer matches the expected end pointer before and after we copy
1774  * the data, then the right page must have been present during the data
1775  * copy. Read barriers are necessary to ensure that the data copy actually
1776  * happens between the two verification steps.
1777  *
1778  * If either verification fails, we simply terminate the loop and return
1779  * with the data that had been already copied out successfully.
1780  */
1781  while (nbytes > 0)
1782  {
1783  uint32 offset = recptr % XLOG_BLCKSZ;
1784  int idx = XLogRecPtrToBufIdx(recptr);
1785  XLogRecPtr expectedEndPtr;
1786  XLogRecPtr endptr;
1787  const char *page;
1788  const char *psrc;
1789  Size npagebytes;
1790 
1791  /*
1792  * Calculate the end pointer we expect in the xlblocks array if the
1793  * correct page is present.
1794  */
1795  expectedEndPtr = recptr + (XLOG_BLCKSZ - offset);
1796 
1797  /*
1798  * First verification step: check that the correct page is present in
1799  * the WAL buffers.
1800  */
1801  endptr = pg_atomic_read_u64(&XLogCtl->xlblocks[idx]);
1802  if (expectedEndPtr != endptr)
1803  break;
1804 
1805  /*
1806  * The correct page is present (or was at the time the endptr was
1807  * read; must re-verify later). Calculate pointer to source data and
1808  * determine how much data to read from this page.
1809  */
1810  page = XLogCtl->pages + idx * (Size) XLOG_BLCKSZ;
1811  psrc = page + offset;
1812  npagebytes = Min(nbytes, XLOG_BLCKSZ - offset);
1813 
1814  /*
1815  * Ensure that the data copy and the first verification step are not
1816  * reordered.
1817  */
1818  pg_read_barrier();
1819 
1820  /* data copy */
1821  memcpy(pdst, psrc, npagebytes);
1822 
1823  /*
1824  * Ensure that the data copy and the second verification step are not
1825  * reordered.
1826  */
1827  pg_read_barrier();
1828 
1829  /*
1830  * Second verification step: check that the page we read from wasn't
1831  * evicted while we were copying the data.
1832  */
1833  endptr = pg_atomic_read_u64(&XLogCtl->xlblocks[idx]);
1834  if (expectedEndPtr != endptr)
1835  break;
1836 
1837  pdst += npagebytes;
1838  recptr += npagebytes;
1839  nbytes -= npagebytes;
1840  }
1841 
1842  Assert(pdst - dstbuf <= count);
1843 
1844  return pdst - dstbuf;
1845 }
1846 
1847 /*
1848  * Converts a "usable byte position" to XLogRecPtr. A usable byte position
1849  * is the position starting from the beginning of WAL, excluding all WAL
1850  * page headers.
1851  */
1852 static XLogRecPtr
1853 XLogBytePosToRecPtr(uint64 bytepos)
1854 {
1855  uint64 fullsegs;
1856  uint64 fullpages;
1857  uint64 bytesleft;
1858  uint32 seg_offset;
1859  XLogRecPtr result;
1860 
1861  fullsegs = bytepos / UsableBytesInSegment;
1862  bytesleft = bytepos % UsableBytesInSegment;
1863 
1864  if (bytesleft < XLOG_BLCKSZ - SizeOfXLogLongPHD)
1865  {
1866  /* fits on first page of segment */
1867  seg_offset = bytesleft + SizeOfXLogLongPHD;
1868  }
1869  else
1870  {
1871  /* account for the first page on segment with long header */
1872  seg_offset = XLOG_BLCKSZ;
1873  bytesleft -= XLOG_BLCKSZ - SizeOfXLogLongPHD;
1874 
1875  fullpages = bytesleft / UsableBytesInPage;
1876  bytesleft = bytesleft % UsableBytesInPage;
1877 
1878  seg_offset += fullpages * XLOG_BLCKSZ + bytesleft + SizeOfXLogShortPHD;
1879  }
1880 
1881  XLogSegNoOffsetToRecPtr(fullsegs, seg_offset, wal_segment_size, result);
1882 
1883  return result;
1884 }
1885 
1886 /*
1887  * Like XLogBytePosToRecPtr, but if the position is at a page boundary,
1888  * returns a pointer to the beginning of the page (ie. before page header),
1889  * not to where the first xlog record on that page would go to. This is used
1890  * when converting a pointer to the end of a record.
1891  */
1892 static XLogRecPtr
1893 XLogBytePosToEndRecPtr(uint64 bytepos)
1894 {
1895  uint64 fullsegs;
1896  uint64 fullpages;
1897  uint64 bytesleft;
1898  uint32 seg_offset;
1899  XLogRecPtr result;
1900 
1901  fullsegs = bytepos / UsableBytesInSegment;
1902  bytesleft = bytepos % UsableBytesInSegment;
1903 
1904  if (bytesleft < XLOG_BLCKSZ - SizeOfXLogLongPHD)
1905  {
1906  /* fits on first page of segment */
1907  if (bytesleft == 0)
1908  seg_offset = 0;
1909  else
1910  seg_offset = bytesleft + SizeOfXLogLongPHD;
1911  }
1912  else
1913  {
1914  /* account for the first page on segment with long header */
1915  seg_offset = XLOG_BLCKSZ;
1916  bytesleft -= XLOG_BLCKSZ - SizeOfXLogLongPHD;
1917 
1918  fullpages = bytesleft / UsableBytesInPage;
1919  bytesleft = bytesleft % UsableBytesInPage;
1920 
1921  if (bytesleft == 0)
1922  seg_offset += fullpages * XLOG_BLCKSZ + bytesleft;
1923  else
1924  seg_offset += fullpages * XLOG_BLCKSZ + bytesleft + SizeOfXLogShortPHD;
1925  }
1926 
1927  XLogSegNoOffsetToRecPtr(fullsegs, seg_offset, wal_segment_size, result);
1928 
1929  return result;
1930 }
1931 
1932 /*
1933  * Convert an XLogRecPtr to a "usable byte position".
1934  */
1935 static uint64
1937 {
1938  uint64 fullsegs;
1939  uint32 fullpages;
1940  uint32 offset;
1941  uint64 result;
1942 
1943  XLByteToSeg(ptr, fullsegs, wal_segment_size);
1944 
1945  fullpages = (XLogSegmentOffset(ptr, wal_segment_size)) / XLOG_BLCKSZ;
1946  offset = ptr % XLOG_BLCKSZ;
1947 
1948  if (fullpages == 0)
1949  {
1950  result = fullsegs * UsableBytesInSegment;
1951  if (offset > 0)
1952  {
1953  Assert(offset >= SizeOfXLogLongPHD);
1954  result += offset - SizeOfXLogLongPHD;
1955  }
1956  }
1957  else
1958  {
1959  result = fullsegs * UsableBytesInSegment +
1960  (XLOG_BLCKSZ - SizeOfXLogLongPHD) + /* account for first page */
1961  (fullpages - 1) * UsableBytesInPage; /* full pages */
1962  if (offset > 0)
1963  {
1964  Assert(offset >= SizeOfXLogShortPHD);
1965  result += offset - SizeOfXLogShortPHD;
1966  }
1967  }
1968 
1969  return result;
1970 }
1971 
1972 /*
1973  * Initialize XLOG buffers, writing out old buffers if they still contain
1974  * unwritten data, upto the page containing 'upto'. Or if 'opportunistic' is
1975  * true, initialize as many pages as we can without having to write out
1976  * unwritten data. Any new pages are initialized to zeros, with pages headers
1977  * initialized properly.
1978  */
1979 static void
1980 AdvanceXLInsertBuffer(XLogRecPtr upto, TimeLineID tli, bool opportunistic)
1981 {
1983  int nextidx;
1984  XLogRecPtr OldPageRqstPtr;
1985  XLogwrtRqst WriteRqst;
1986  XLogRecPtr NewPageEndPtr = InvalidXLogRecPtr;
1987  XLogRecPtr NewPageBeginPtr;
1988  XLogPageHeader NewPage;
1989  int npages pg_attribute_unused() = 0;
1990 
1991  LWLockAcquire(WALBufMappingLock, LW_EXCLUSIVE);
1992 
1993  /*
1994  * Now that we have the lock, check if someone initialized the page
1995  * already.
1996  */
1997  while (upto >= XLogCtl->InitializedUpTo || opportunistic)
1998  {
2000 
2001  /*
2002  * Get ending-offset of the buffer page we need to replace (this may
2003  * be zero if the buffer hasn't been used yet). Fall through if it's
2004  * already written out.
2005  */
2006  OldPageRqstPtr = pg_atomic_read_u64(&XLogCtl->xlblocks[nextidx]);
2007  if (LogwrtResult.Write < OldPageRqstPtr)
2008  {
2009  /*
2010  * Nope, got work to do. If we just want to pre-initialize as much
2011  * as we can without flushing, give up now.
2012  */
2013  if (opportunistic)
2014  break;
2015 
2016  /* Advance shared memory write request position */
2018  if (XLogCtl->LogwrtRqst.Write < OldPageRqstPtr)
2019  XLogCtl->LogwrtRqst.Write = OldPageRqstPtr;
2021 
2022  /*
2023  * Acquire an up-to-date LogwrtResult value and see if we still
2024  * need to write it or if someone else already did.
2025  */
2027  if (LogwrtResult.Write < OldPageRqstPtr)
2028  {
2029  /*
2030  * Must acquire write lock. Release WALBufMappingLock first,
2031  * to make sure that all insertions that we need to wait for
2032  * can finish (up to this same position). Otherwise we risk
2033  * deadlock.
2034  */
2035  LWLockRelease(WALBufMappingLock);
2036 
2037  WaitXLogInsertionsToFinish(OldPageRqstPtr);
2038 
2039  LWLockAcquire(WALWriteLock, LW_EXCLUSIVE);
2040 
2042  if (LogwrtResult.Write >= OldPageRqstPtr)
2043  {
2044  /* OK, someone wrote it already */
2045  LWLockRelease(WALWriteLock);
2046  }
2047  else
2048  {
2049  /* Have to write it ourselves */
2050  TRACE_POSTGRESQL_WAL_BUFFER_WRITE_DIRTY_START();
2051  WriteRqst.Write = OldPageRqstPtr;
2052  WriteRqst.Flush = 0;
2053  XLogWrite(WriteRqst, tli, false);
2054  LWLockRelease(WALWriteLock);
2056  TRACE_POSTGRESQL_WAL_BUFFER_WRITE_DIRTY_DONE();
2057  }
2058  /* Re-acquire WALBufMappingLock and retry */
2059  LWLockAcquire(WALBufMappingLock, LW_EXCLUSIVE);
2060  continue;
2061  }
2062  }
2063 
2064  /*
2065  * Now the next buffer slot is free and we can set it up to be the
2066  * next output page.
2067  */
2068  NewPageBeginPtr = XLogCtl->InitializedUpTo;
2069  NewPageEndPtr = NewPageBeginPtr + XLOG_BLCKSZ;
2070 
2071  Assert(XLogRecPtrToBufIdx(NewPageBeginPtr) == nextidx);
2072 
2073  NewPage = (XLogPageHeader) (XLogCtl->pages + nextidx * (Size) XLOG_BLCKSZ);
2074 
2075  /*
2076  * Mark the xlblock with InvalidXLogRecPtr and issue a write barrier
2077  * before initializing. Otherwise, the old page may be partially
2078  * zeroed but look valid.
2079  */
2081  pg_write_barrier();
2082 
2083  /*
2084  * Be sure to re-zero the buffer so that bytes beyond what we've
2085  * written will look like zeroes and not valid XLOG records...
2086  */
2087  MemSet((char *) NewPage, 0, XLOG_BLCKSZ);
2088 
2089  /*
2090  * Fill the new page's header
2091  */
2092  NewPage->xlp_magic = XLOG_PAGE_MAGIC;
2093 
2094  /* NewPage->xlp_info = 0; */ /* done by memset */
2095  NewPage->xlp_tli = tli;
2096  NewPage->xlp_pageaddr = NewPageBeginPtr;
2097 
2098  /* NewPage->xlp_rem_len = 0; */ /* done by memset */
2099 
2100  /*
2101  * If online backup is not in progress, mark the header to indicate
2102  * that WAL records beginning in this page have removable backup
2103  * blocks. This allows the WAL archiver to know whether it is safe to
2104  * compress archived WAL data by transforming full-block records into
2105  * the non-full-block format. It is sufficient to record this at the
2106  * page level because we force a page switch (in fact a segment
2107  * switch) when starting a backup, so the flag will be off before any
2108  * records can be written during the backup. At the end of a backup,
2109  * the last page will be marked as all unsafe when perhaps only part
2110  * is unsafe, but at worst the archiver would miss the opportunity to
2111  * compress a few records.
2112  */
2113  if (Insert->runningBackups == 0)
2114  NewPage->xlp_info |= XLP_BKP_REMOVABLE;
2115 
2116  /*
2117  * If first page of an XLOG segment file, make it a long header.
2118  */
2119  if ((XLogSegmentOffset(NewPage->xlp_pageaddr, wal_segment_size)) == 0)
2120  {
2121  XLogLongPageHeader NewLongPage = (XLogLongPageHeader) NewPage;
2122 
2123  NewLongPage->xlp_sysid = ControlFile->system_identifier;
2124  NewLongPage->xlp_seg_size = wal_segment_size;
2125  NewLongPage->xlp_xlog_blcksz = XLOG_BLCKSZ;
2126  NewPage->xlp_info |= XLP_LONG_HEADER;
2127  }
2128 
2129  /*
2130  * Make sure the initialization of the page becomes visible to others
2131  * before the xlblocks update. GetXLogBuffer() reads xlblocks without
2132  * holding a lock.
2133  */
2134  pg_write_barrier();
2135 
2136  pg_atomic_write_u64(&XLogCtl->xlblocks[nextidx], NewPageEndPtr);
2137  XLogCtl->InitializedUpTo = NewPageEndPtr;
2138 
2139  npages++;
2140  }
2141  LWLockRelease(WALBufMappingLock);
2142 
2143 #ifdef WAL_DEBUG
2144  if (XLOG_DEBUG && npages > 0)
2145  {
2146  elog(DEBUG1, "initialized %d pages, up to %X/%X",
2147  npages, LSN_FORMAT_ARGS(NewPageEndPtr));
2148  }
2149 #endif
2150 }
2151 
2152 /*
2153  * Calculate CheckPointSegments based on max_wal_size_mb and
2154  * checkpoint_completion_target.
2155  */
2156 static void
2158 {
2159  double target;
2160 
2161  /*-------
2162  * Calculate the distance at which to trigger a checkpoint, to avoid
2163  * exceeding max_wal_size_mb. This is based on two assumptions:
2164  *
2165  * a) we keep WAL for only one checkpoint cycle (prior to PG11 we kept
2166  * WAL for two checkpoint cycles to allow us to recover from the
2167  * secondary checkpoint if the first checkpoint failed, though we
2168  * only did this on the primary anyway, not on standby. Keeping just
2169  * one checkpoint simplifies processing and reduces disk space in
2170  * many smaller databases.)
2171  * b) during checkpoint, we consume checkpoint_completion_target *
2172  * number of segments consumed between checkpoints.
2173  *-------
2174  */
2175  target = (double) ConvertToXSegs(max_wal_size_mb, wal_segment_size) /
2177 
2178  /* round down */
2179  CheckPointSegments = (int) target;
2180 
2181  if (CheckPointSegments < 1)
2182  CheckPointSegments = 1;
2183 }
2184 
2185 void
2186 assign_max_wal_size(int newval, void *extra)
2187 {
2190 }
2191 
2192 void
2194 {
2197 }
2198 
2199 bool
2201 {
2202  if (!IsValidWalSegSize(*newval))
2203  {
2204  GUC_check_errdetail("The WAL segment size must be a power of two between 1 MB and 1 GB.");
2205  return false;
2206  }
2207 
2208  return true;
2209 }
2210 
2211 /*
2212  * GUC check_hook for max_slot_wal_keep_size
2213  *
2214  * We don't allow the value of max_slot_wal_keep_size other than -1 during the
2215  * binary upgrade. See start_postmaster() in pg_upgrade for more details.
2216  */
2217 bool
2219 {
2220  if (IsBinaryUpgrade && *newval != -1)
2221  {
2222  GUC_check_errdetail("\"%s\" must be set to -1 during binary upgrade mode.",
2223  "max_slot_wal_keep_size");
2224  return false;
2225  }
2226 
2227  return true;
2228 }
2229 
2230 /*
2231  * At a checkpoint, how many WAL segments to recycle as preallocated future
2232  * XLOG segments? Returns the highest segment that should be preallocated.
2233  */
2234 static XLogSegNo
2236 {
2237  XLogSegNo minSegNo;
2238  XLogSegNo maxSegNo;
2239  double distance;
2240  XLogSegNo recycleSegNo;
2241 
2242  /*
2243  * Calculate the segment numbers that min_wal_size_mb and max_wal_size_mb
2244  * correspond to. Always recycle enough segments to meet the minimum, and
2245  * remove enough segments to stay below the maximum.
2246  */
2247  minSegNo = lastredoptr / wal_segment_size +
2249  maxSegNo = lastredoptr / wal_segment_size +
2251 
2252  /*
2253  * Between those limits, recycle enough segments to get us through to the
2254  * estimated end of next checkpoint.
2255  *
2256  * To estimate where the next checkpoint will finish, assume that the
2257  * system runs steadily consuming CheckPointDistanceEstimate bytes between
2258  * every checkpoint.
2259  */
2261  /* add 10% for good measure. */
2262  distance *= 1.10;
2263 
2264  recycleSegNo = (XLogSegNo) ceil(((double) lastredoptr + distance) /
2266 
2267  if (recycleSegNo < minSegNo)
2268  recycleSegNo = minSegNo;
2269  if (recycleSegNo > maxSegNo)
2270  recycleSegNo = maxSegNo;
2271 
2272  return recycleSegNo;
2273 }
2274 
2275 /*
2276  * Check whether we've consumed enough xlog space that a checkpoint is needed.
2277  *
2278  * new_segno indicates a log file that has just been filled up (or read
2279  * during recovery). We measure the distance from RedoRecPtr to new_segno
2280  * and see if that exceeds CheckPointSegments.
2281  *
2282  * Note: it is caller's responsibility that RedoRecPtr is up-to-date.
2283  */
2284 bool
2286 {
2287  XLogSegNo old_segno;
2288 
2290 
2291  if (new_segno >= old_segno + (uint64) (CheckPointSegments - 1))
2292  return true;
2293  return false;
2294 }
2295 
2296 /*
2297  * Write and/or fsync the log at least as far as WriteRqst indicates.
2298  *
2299  * If flexible == true, we don't have to write as far as WriteRqst, but
2300  * may stop at any convenient boundary (such as a cache or logfile boundary).
2301  * This option allows us to avoid uselessly issuing multiple writes when a
2302  * single one would do.
2303  *
2304  * Must be called with WALWriteLock held. WaitXLogInsertionsToFinish(WriteRqst)
2305  * must be called before grabbing the lock, to make sure the data is ready to
2306  * write.
2307  */
2308 static void
2309 XLogWrite(XLogwrtRqst WriteRqst, TimeLineID tli, bool flexible)
2310 {
2311  bool ispartialpage;
2312  bool last_iteration;
2313  bool finishing_seg;
2314  int curridx;
2315  int npages;
2316  int startidx;
2317  uint32 startoffset;
2318 
2319  /* We should always be inside a critical section here */
2320  Assert(CritSectionCount > 0);
2321 
2322  /*
2323  * Update local LogwrtResult (caller probably did this already, but...)
2324  */
2326 
2327  /*
2328  * Since successive pages in the xlog cache are consecutively allocated,
2329  * we can usually gather multiple pages together and issue just one
2330  * write() call. npages is the number of pages we have determined can be
2331  * written together; startidx is the cache block index of the first one,
2332  * and startoffset is the file offset at which it should go. The latter
2333  * two variables are only valid when npages > 0, but we must initialize
2334  * all of them to keep the compiler quiet.
2335  */
2336  npages = 0;
2337  startidx = 0;
2338  startoffset = 0;
2339 
2340  /*
2341  * Within the loop, curridx is the cache block index of the page to
2342  * consider writing. Begin at the buffer containing the next unwritten
2343  * page, or last partially written page.
2344  */
2346 
2347  while (LogwrtResult.Write < WriteRqst.Write)
2348  {
2349  /*
2350  * Make sure we're not ahead of the insert process. This could happen
2351  * if we're passed a bogus WriteRqst.Write that is past the end of the
2352  * last page that's been initialized by AdvanceXLInsertBuffer.
2353  */
2354  XLogRecPtr EndPtr = pg_atomic_read_u64(&XLogCtl->xlblocks[curridx]);
2355 
2356  if (LogwrtResult.Write >= EndPtr)
2357  elog(PANIC, "xlog write request %X/%X is past end of log %X/%X",
2359  LSN_FORMAT_ARGS(EndPtr));
2360 
2361  /* Advance LogwrtResult.Write to end of current buffer page */
2362  LogwrtResult.Write = EndPtr;
2363  ispartialpage = WriteRqst.Write < LogwrtResult.Write;
2364 
2367  {
2368  /*
2369  * Switch to new logfile segment. We cannot have any pending
2370  * pages here (since we dump what we have at segment end).
2371  */
2372  Assert(npages == 0);
2373  if (openLogFile >= 0)
2374  XLogFileClose();
2377  openLogTLI = tli;
2378 
2379  /* create/use new log file */
2382  }
2383 
2384  /* Make sure we have the current logfile open */
2385  if (openLogFile < 0)
2386  {
2389  openLogTLI = tli;
2392  }
2393 
2394  /* Add current page to the set of pending pages-to-dump */
2395  if (npages == 0)
2396  {
2397  /* first of group */
2398  startidx = curridx;
2399  startoffset = XLogSegmentOffset(LogwrtResult.Write - XLOG_BLCKSZ,
2401  }
2402  npages++;
2403 
2404  /*
2405  * Dump the set if this will be the last loop iteration, or if we are
2406  * at the last page of the cache area (since the next page won't be
2407  * contiguous in memory), or if we are at the end of the logfile
2408  * segment.
2409  */
2410  last_iteration = WriteRqst.Write <= LogwrtResult.Write;
2411 
2412  finishing_seg = !ispartialpage &&
2413  (startoffset + npages * XLOG_BLCKSZ) >= wal_segment_size;
2414 
2415  if (last_iteration ||
2416  curridx == XLogCtl->XLogCacheBlck ||
2417  finishing_seg)
2418  {
2419  char *from;
2420  Size nbytes;
2421  Size nleft;
2422  ssize_t written;
2423  instr_time start;
2424 
2425  /* OK to write the page(s) */
2426  from = XLogCtl->pages + startidx * (Size) XLOG_BLCKSZ;
2427  nbytes = npages * (Size) XLOG_BLCKSZ;
2428  nleft = nbytes;
2429  do
2430  {
2431  errno = 0;
2432 
2433  /* Measure I/O timing to write WAL data */
2434  if (track_wal_io_timing)
2436  else
2438 
2439  pgstat_report_wait_start(WAIT_EVENT_WAL_WRITE);
2440  written = pg_pwrite(openLogFile, from, nleft, startoffset);
2442 
2443  /*
2444  * Increment the I/O timing and the number of times WAL data
2445  * were written out to disk.
2446  */
2447  if (track_wal_io_timing)
2448  {
2449  instr_time end;
2450 
2453  }
2454 
2456 
2457  if (written <= 0)
2458  {
2459  char xlogfname[MAXFNAMELEN];
2460  int save_errno;
2461 
2462  if (errno == EINTR)
2463  continue;
2464 
2465  save_errno = errno;
2466  XLogFileName(xlogfname, tli, openLogSegNo,
2468  errno = save_errno;
2469  ereport(PANIC,
2471  errmsg("could not write to log file \"%s\" at offset %u, length %zu: %m",
2472  xlogfname, startoffset, nleft)));
2473  }
2474  nleft -= written;
2475  from += written;
2476  startoffset += written;
2477  } while (nleft > 0);
2478 
2479  npages = 0;
2480 
2481  /*
2482  * If we just wrote the whole last page of a logfile segment,
2483  * fsync the segment immediately. This avoids having to go back
2484  * and re-open prior segments when an fsync request comes along
2485  * later. Doing it here ensures that one and only one backend will
2486  * perform this fsync.
2487  *
2488  * This is also the right place to notify the Archiver that the
2489  * segment is ready to copy to archival storage, and to update the
2490  * timer for archive_timeout, and to signal for a checkpoint if
2491  * too many logfile segments have been used since the last
2492  * checkpoint.
2493  */
2494  if (finishing_seg)
2495  {
2497 
2498  /* signal that we need to wakeup walsenders later */
2500 
2501  LogwrtResult.Flush = LogwrtResult.Write; /* end of page */
2502 
2503  if (XLogArchivingActive())
2505 
2506  XLogCtl->lastSegSwitchTime = (pg_time_t) time(NULL);
2508 
2509  /*
2510  * Request a checkpoint if we've consumed too much xlog since
2511  * the last one. For speed, we first check using the local
2512  * copy of RedoRecPtr, which might be out of date; if it looks
2513  * like a checkpoint is needed, forcibly update RedoRecPtr and
2514  * recheck.
2515  */
2517  {
2518  (void) GetRedoRecPtr();
2521  }
2522  }
2523  }
2524 
2525  if (ispartialpage)
2526  {
2527  /* Only asked to write a partial page */
2528  LogwrtResult.Write = WriteRqst.Write;
2529  break;
2530  }
2531  curridx = NextBufIdx(curridx);
2532 
2533  /* If flexible, break out of loop as soon as we wrote something */
2534  if (flexible && npages == 0)
2535  break;
2536  }
2537 
2538  Assert(npages == 0);
2539 
2540  /*
2541  * If asked to flush, do so
2542  */
2543  if (LogwrtResult.Flush < WriteRqst.Flush &&
2545  {
2546  /*
2547  * Could get here without iterating above loop, in which case we might
2548  * have no open file or the wrong one. However, we do not need to
2549  * fsync more than one file.
2550  */
2553  {
2554  if (openLogFile >= 0 &&
2557  XLogFileClose();
2558  if (openLogFile < 0)
2559  {
2562  openLogTLI = tli;
2565  }
2566 
2568  }
2569 
2570  /* signal that we need to wakeup walsenders later */
2572 
2574  }
2575 
2576  /*
2577  * Update shared-memory status
2578  *
2579  * We make sure that the shared 'request' values do not fall behind the
2580  * 'result' values. This is not absolutely essential, but it saves some
2581  * code in a couple of places.
2582  */
2589 
2590  /*
2591  * We write Write first, bar, then Flush. When reading, the opposite must
2592  * be done (with a matching barrier in between), so that we always see a
2593  * Flush value that trails behind the Write value seen.
2594  */
2596  pg_write_barrier();
2598 
2599 #ifdef USE_ASSERT_CHECKING
2600  {
2601  XLogRecPtr Flush;
2602  XLogRecPtr Write;
2604 
2606  pg_read_barrier();
2608  pg_read_barrier();
2610 
2611  /* WAL written to disk is always ahead of WAL flushed */
2612  Assert(Write >= Flush);
2613 
2614  /* WAL inserted to buffers is always ahead of WAL written */
2615  Assert(Insert >= Write);
2616  }
2617 #endif
2618 }
2619 
2620 /*
2621  * Record the LSN for an asynchronous transaction commit/abort
2622  * and nudge the WALWriter if there is work for it to do.
2623  * (This should not be called for synchronous commits.)
2624  */
2625 void
2627 {
2628  XLogRecPtr WriteRqstPtr = asyncXactLSN;
2629  bool sleeping;
2630  bool wakeup = false;
2631  XLogRecPtr prevAsyncXactLSN;
2632 
2634  sleeping = XLogCtl->WalWriterSleeping;
2635  prevAsyncXactLSN = XLogCtl->asyncXactLSN;
2636  if (XLogCtl->asyncXactLSN < asyncXactLSN)
2637  XLogCtl->asyncXactLSN = asyncXactLSN;
2639 
2640  /*
2641  * If somebody else already called this function with a more aggressive
2642  * LSN, they will have done what we needed (and perhaps more).
2643  */
2644  if (asyncXactLSN <= prevAsyncXactLSN)
2645  return;
2646 
2647  /*
2648  * If the WALWriter is sleeping, kick it to make it come out of low-power
2649  * mode, so that this async commit will reach disk within the expected
2650  * amount of time. Otherwise, determine whether it has enough WAL
2651  * available to flush, the same way that XLogBackgroundFlush() does.
2652  */
2653  if (sleeping)
2654  wakeup = true;
2655  else
2656  {
2657  int flushblocks;
2658 
2660 
2661  flushblocks =
2662  WriteRqstPtr / XLOG_BLCKSZ - LogwrtResult.Flush / XLOG_BLCKSZ;
2663 
2664  if (WalWriterFlushAfter == 0 || flushblocks >= WalWriterFlushAfter)
2665  wakeup = true;
2666  }
2667 
2670 }
2671 
2672 /*
2673  * Record the LSN up to which we can remove WAL because it's not required by
2674  * any replication slot.
2675  */
2676 void
2678 {
2682 }
2683 
2684 
2685 /*
2686  * Return the oldest LSN we must retain to satisfy the needs of some
2687  * replication slot.
2688  */
2689 static XLogRecPtr
2691 {
2692  XLogRecPtr retval;
2693 
2695  retval = XLogCtl->replicationSlotMinLSN;
2697 
2698  return retval;
2699 }
2700 
2701 /*
2702  * Advance minRecoveryPoint in control file.
2703  *
2704  * If we crash during recovery, we must reach this point again before the
2705  * database is consistent.
2706  *
2707  * If 'force' is true, 'lsn' argument is ignored. Otherwise, minRecoveryPoint
2708  * is only updated if it's not already greater than or equal to 'lsn'.
2709  */
2710 static void
2712 {
2713  /* Quick check using our local copy of the variable */
2714  if (!updateMinRecoveryPoint || (!force && lsn <= LocalMinRecoveryPoint))
2715  return;
2716 
2717  /*
2718  * An invalid minRecoveryPoint means that we need to recover all the WAL,
2719  * i.e., we're doing crash recovery. We never modify the control file's
2720  * value in that case, so we can short-circuit future checks here too. The
2721  * local values of minRecoveryPoint and minRecoveryPointTLI should not be
2722  * updated until crash recovery finishes. We only do this for the startup
2723  * process as it should not update its own reference of minRecoveryPoint
2724  * until it has finished crash recovery to make sure that all WAL
2725  * available is replayed in this case. This also saves from extra locks
2726  * taken on the control file from the startup process.
2727  */
2729  {
2730  updateMinRecoveryPoint = false;
2731  return;
2732  }
2733 
2734  LWLockAcquire(ControlFileLock, LW_EXCLUSIVE);
2735 
2736  /* update local copy */
2739 
2741  updateMinRecoveryPoint = false;
2742  else if (force || LocalMinRecoveryPoint < lsn)
2743  {
2744  XLogRecPtr newMinRecoveryPoint;
2745  TimeLineID newMinRecoveryPointTLI;
2746 
2747  /*
2748  * To avoid having to update the control file too often, we update it
2749  * all the way to the last record being replayed, even though 'lsn'
2750  * would suffice for correctness. This also allows the 'force' case
2751  * to not need a valid 'lsn' value.
2752  *
2753  * Another important reason for doing it this way is that the passed
2754  * 'lsn' value could be bogus, i.e., past the end of available WAL, if
2755  * the caller got it from a corrupted heap page. Accepting such a
2756  * value as the min recovery point would prevent us from coming up at
2757  * all. Instead, we just log a warning and continue with recovery.
2758  * (See also the comments about corrupt LSNs in XLogFlush.)
2759  */
2760  newMinRecoveryPoint = GetCurrentReplayRecPtr(&newMinRecoveryPointTLI);
2761  if (!force && newMinRecoveryPoint < lsn)
2762  elog(WARNING,
2763  "xlog min recovery request %X/%X is past current point %X/%X",
2764  LSN_FORMAT_ARGS(lsn), LSN_FORMAT_ARGS(newMinRecoveryPoint));
2765 
2766  /* update control file */
2767  if (ControlFile->minRecoveryPoint < newMinRecoveryPoint)
2768  {
2769  ControlFile->minRecoveryPoint = newMinRecoveryPoint;
2770  ControlFile->minRecoveryPointTLI = newMinRecoveryPointTLI;
2772  LocalMinRecoveryPoint = newMinRecoveryPoint;
2773  LocalMinRecoveryPointTLI = newMinRecoveryPointTLI;
2774 
2775  ereport(DEBUG2,
2776  (errmsg_internal("updated min recovery point to %X/%X on timeline %u",
2777  LSN_FORMAT_ARGS(newMinRecoveryPoint),
2778  newMinRecoveryPointTLI)));
2779  }
2780  }
2781  LWLockRelease(ControlFileLock);
2782 }
2783 
2784 /*
2785  * Ensure that all XLOG data through the given position is flushed to disk.
2786  *
2787  * NOTE: this differs from XLogWrite mainly in that the WALWriteLock is not
2788  * already held, and we try to avoid acquiring it if possible.
2789  */
2790 void
2792 {
2793  XLogRecPtr WriteRqstPtr;
2794  XLogwrtRqst WriteRqst;
2795  TimeLineID insertTLI = XLogCtl->InsertTimeLineID;
2796 
2797  /*
2798  * During REDO, we are reading not writing WAL. Therefore, instead of
2799  * trying to flush the WAL, we should update minRecoveryPoint instead. We
2800  * test XLogInsertAllowed(), not InRecovery, because we need checkpointer
2801  * to act this way too, and because when it tries to write the
2802  * end-of-recovery checkpoint, it should indeed flush.
2803  */
2804  if (!XLogInsertAllowed())
2805  {
2806  UpdateMinRecoveryPoint(record, false);
2807  return;
2808  }
2809 
2810  /* Quick exit if already known flushed */
2811  if (record <= LogwrtResult.Flush)
2812  return;
2813 
2814 #ifdef WAL_DEBUG
2815  if (XLOG_DEBUG)
2816  elog(LOG, "xlog flush request %X/%X; write %X/%X; flush %X/%X",
2817  LSN_FORMAT_ARGS(record),
2820 #endif
2821 
2823 
2824  /*
2825  * Since fsync is usually a horribly expensive operation, we try to
2826  * piggyback as much data as we can on each fsync: if we see any more data
2827  * entered into the xlog buffer, we'll write and fsync that too, so that
2828  * the final value of LogwrtResult.Flush is as large as possible. This
2829  * gives us some chance of avoiding another fsync immediately after.
2830  */
2831 
2832  /* initialize to given target; may increase below */
2833  WriteRqstPtr = record;
2834 
2835  /*
2836  * Now wait until we get the write lock, or someone else does the flush
2837  * for us.
2838  */
2839  for (;;)
2840  {
2841  XLogRecPtr insertpos;
2842 
2843  /* done already? */
2845  if (record <= LogwrtResult.Flush)
2846  break;
2847 
2848  /*
2849  * Before actually performing the write, wait for all in-flight
2850  * insertions to the pages we're about to write to finish.
2851  */
2853  if (WriteRqstPtr < XLogCtl->LogwrtRqst.Write)
2854  WriteRqstPtr = XLogCtl->LogwrtRqst.Write;
2856  insertpos = WaitXLogInsertionsToFinish(WriteRqstPtr);
2857 
2858  /*
2859  * Try to get the write lock. If we can't get it immediately, wait
2860  * until it's released, and recheck if we still need to do the flush
2861  * or if the backend that held the lock did it for us already. This
2862  * helps to maintain a good rate of group committing when the system
2863  * is bottlenecked by the speed of fsyncing.
2864  */
2865  if (!LWLockAcquireOrWait(WALWriteLock, LW_EXCLUSIVE))
2866  {
2867  /*
2868  * The lock is now free, but we didn't acquire it yet. Before we
2869  * do, loop back to check if someone else flushed the record for
2870  * us already.
2871  */
2872  continue;
2873  }
2874 
2875  /* Got the lock; recheck whether request is satisfied */
2877  if (record <= LogwrtResult.Flush)
2878  {
2879  LWLockRelease(WALWriteLock);
2880  break;
2881  }
2882 
2883  /*
2884  * Sleep before flush! By adding a delay here, we may give further
2885  * backends the opportunity to join the backlog of group commit
2886  * followers; this can significantly improve transaction throughput,
2887  * at the risk of increasing transaction latency.
2888  *
2889  * We do not sleep if enableFsync is not turned on, nor if there are
2890  * fewer than CommitSiblings other backends with active transactions.
2891  */
2892  if (CommitDelay > 0 && enableFsync &&
2894  {
2896 
2897  /*
2898  * Re-check how far we can now flush the WAL. It's generally not
2899  * safe to call WaitXLogInsertionsToFinish while holding
2900  * WALWriteLock, because an in-progress insertion might need to
2901  * also grab WALWriteLock to make progress. But we know that all
2902  * the insertions up to insertpos have already finished, because
2903  * that's what the earlier WaitXLogInsertionsToFinish() returned.
2904  * We're only calling it again to allow insertpos to be moved
2905  * further forward, not to actually wait for anyone.
2906  */
2907  insertpos = WaitXLogInsertionsToFinish(insertpos);
2908  }
2909 
2910  /* try to write/flush later additions to XLOG as well */
2911  WriteRqst.Write = insertpos;
2912  WriteRqst.Flush = insertpos;
2913 
2914  XLogWrite(WriteRqst, insertTLI, false);
2915 
2916  LWLockRelease(WALWriteLock);
2917  /* done */
2918  break;
2919  }
2920 
2921  END_CRIT_SECTION();
2922 
2923  /* wake up walsenders now that we've released heavily contended locks */
2925 
2926  /*
2927  * If we still haven't flushed to the request point then we have a
2928  * problem; most likely, the requested flush point is past end of XLOG.
2929  * This has been seen to occur when a disk page has a corrupted LSN.
2930  *
2931  * Formerly we treated this as a PANIC condition, but that hurts the
2932  * system's robustness rather than helping it: we do not want to take down
2933  * the whole system due to corruption on one data page. In particular, if
2934  * the bad page is encountered again during recovery then we would be
2935  * unable to restart the database at all! (This scenario actually
2936  * happened in the field several times with 7.1 releases.) As of 8.4, bad
2937  * LSNs encountered during recovery are UpdateMinRecoveryPoint's problem;
2938  * the only time we can reach here during recovery is while flushing the
2939  * end-of-recovery checkpoint record, and we don't expect that to have a
2940  * bad LSN.
2941  *
2942  * Note that for calls from xact.c, the ERROR will be promoted to PANIC
2943  * since xact.c calls this routine inside a critical section. However,
2944  * calls from bufmgr.c are not within critical sections and so we will not
2945  * force a restart for a bad LSN on a data page.
2946  */
2947  if (LogwrtResult.Flush < record)
2948  elog(ERROR,
2949  "xlog flush request %X/%X is not satisfied --- flushed only to %X/%X",
2950  LSN_FORMAT_ARGS(record),
2952 }
2953 
2954 /*
2955  * Write & flush xlog, but without specifying exactly where to.
2956  *
2957  * We normally write only completed blocks; but if there is nothing to do on
2958  * that basis, we check for unwritten async commits in the current incomplete
2959  * block, and write through the latest one of those. Thus, if async commits
2960  * are not being used, we will write complete blocks only.
2961  *
2962  * If, based on the above, there's anything to write we do so immediately. But
2963  * to avoid calling fsync, fdatasync et. al. at a rate that'd impact
2964  * concurrent IO, we only flush WAL every wal_writer_delay ms, or if there's
2965  * more than wal_writer_flush_after unflushed blocks.
2966  *
2967  * We can guarantee that async commits reach disk after at most three
2968  * wal_writer_delay cycles. (When flushing complete blocks, we allow XLogWrite
2969  * to write "flexibly", meaning it can stop at the end of the buffer ring;
2970  * this makes a difference only with very high load or long wal_writer_delay,
2971  * but imposes one extra cycle for the worst case for async commits.)
2972  *
2973  * This routine is invoked periodically by the background walwriter process.
2974  *
2975  * Returns true if there was any work to do, even if we skipped flushing due
2976  * to wal_writer_delay/wal_writer_flush_after.
2977  */
2978 bool
2980 {
2981  XLogwrtRqst WriteRqst;
2982  bool flexible = true;
2983  static TimestampTz lastflush;
2984  TimestampTz now;
2985  int flushblocks;
2986  TimeLineID insertTLI;
2987 
2988  /* XLOG doesn't need flushing during recovery */
2989  if (RecoveryInProgress())
2990  return false;
2991 
2992  /*
2993  * Since we're not in recovery, InsertTimeLineID is set and can't change,
2994  * so we can read it without a lock.
2995  */
2996  insertTLI = XLogCtl->InsertTimeLineID;
2997 
2998  /* read updated LogwrtRqst */
3000  WriteRqst = XLogCtl->LogwrtRqst;
3002 
3003  /* back off to last completed page boundary */
3004  WriteRqst.Write -= WriteRqst.Write % XLOG_BLCKSZ;
3005 
3006  /* if we have already flushed that far, consider async commit records */
3008  if (WriteRqst.Write <= LogwrtResult.Flush)
3009  {
3011  WriteRqst.Write = XLogCtl->asyncXactLSN;
3013  flexible = false; /* ensure it all gets written */
3014  }
3015 
3016  /*
3017  * If already known flushed, we're done. Just need to check if we are
3018  * holding an open file handle to a logfile that's no longer in use,
3019  * preventing the file from being deleted.
3020  */
3021  if (WriteRqst.Write <= LogwrtResult.Flush)
3022  {
3023  if (openLogFile >= 0)
3024  {
3027  {
3028  XLogFileClose();
3029  }
3030  }
3031  return false;
3032  }
3033 
3034  /*
3035  * Determine how far to flush WAL, based on the wal_writer_delay and
3036  * wal_writer_flush_after GUCs.
3037  *
3038  * Note that XLogSetAsyncXactLSN() performs similar calculation based on
3039  * wal_writer_flush_after, to decide when to wake us up. Make sure the
3040  * logic is the same in both places if you change this.
3041  */
3043  flushblocks =
3044  WriteRqst.Write / XLOG_BLCKSZ - LogwrtResult.Flush / XLOG_BLCKSZ;
3045 
3046  if (WalWriterFlushAfter == 0 || lastflush == 0)
3047  {
3048  /* first call, or block based limits disabled */
3049  WriteRqst.Flush = WriteRqst.Write;
3050  lastflush = now;
3051  }
3052  else if (TimestampDifferenceExceeds(lastflush, now, WalWriterDelay))
3053  {
3054  /*
3055  * Flush the writes at least every WalWriterDelay ms. This is
3056  * important to bound the amount of time it takes for an asynchronous
3057  * commit to hit disk.
3058  */
3059  WriteRqst.Flush = WriteRqst.Write;
3060  lastflush = now;
3061  }
3062  else if (flushblocks >= WalWriterFlushAfter)
3063  {
3064  /* exceeded wal_writer_flush_after blocks, flush */
3065  WriteRqst.Flush = WriteRqst.Write;
3066  lastflush = now;
3067  }
3068  else
3069  {
3070  /* no flushing, this time round */
3071  WriteRqst.Flush = 0;
3072  }
3073 
3074 #ifdef WAL_DEBUG
3075  if (XLOG_DEBUG)
3076  elog(LOG, "xlog bg flush request write %X/%X; flush: %X/%X, current is write %X/%X; flush %X/%X",
3077  LSN_FORMAT_ARGS(WriteRqst.Write),
3078  LSN_FORMAT_ARGS(WriteRqst.Flush),
3081 #endif
3082 
3084 
3085  /* now wait for any in-progress insertions to finish and get write lock */
3086  WaitXLogInsertionsToFinish(WriteRqst.Write);
3087  LWLockAcquire(WALWriteLock, LW_EXCLUSIVE);
3089  if (WriteRqst.Write > LogwrtResult.Write ||
3090  WriteRqst.Flush > LogwrtResult.Flush)
3091  {
3092  XLogWrite(WriteRqst, insertTLI, flexible);
3093  }
3094  LWLockRelease(WALWriteLock);
3095 
3096  END_CRIT_SECTION();
3097 
3098  /* wake up walsenders now that we've released heavily contended locks */
3100 
3101  /*
3102  * Great, done. To take some work off the critical path, try to initialize
3103  * as many of the no-longer-needed WAL buffers for future use as we can.
3104  */
3105  AdvanceXLInsertBuffer(InvalidXLogRecPtr, insertTLI, true);
3106 
3107  /*
3108  * If we determined that we need to write data, but somebody else
3109  * wrote/flushed already, it should be considered as being active, to
3110  * avoid hibernating too early.
3111  */
3112  return true;
3113 }
3114 
3115 /*
3116  * Test whether XLOG data has been flushed up to (at least) the given position.
3117  *
3118  * Returns true if a flush is still needed. (It may be that someone else
3119  * is already in process of flushing that far, however.)
3120  */
3121 bool
3123 {
3124  /*
3125  * During recovery, we don't flush WAL but update minRecoveryPoint
3126  * instead. So "needs flush" is taken to mean whether minRecoveryPoint
3127  * would need to be updated.
3128  */
3129  if (RecoveryInProgress())
3130  {
3131  /*
3132  * An invalid minRecoveryPoint means that we need to recover all the
3133  * WAL, i.e., we're doing crash recovery. We never modify the control
3134  * file's value in that case, so we can short-circuit future checks
3135  * here too. This triggers a quick exit path for the startup process,
3136  * which cannot update its local copy of minRecoveryPoint as long as
3137  * it has not replayed all WAL available when doing crash recovery.
3138  */
3140  updateMinRecoveryPoint = false;
3141 
3142  /* Quick exit if already known to be updated or cannot be updated */
3144  return false;
3145 
3146  /*
3147  * Update local copy of minRecoveryPoint. But if the lock is busy,
3148  * just return a conservative guess.
3149  */
3150  if (!LWLockConditionalAcquire(ControlFileLock, LW_SHARED))
3151  return true;
3154  LWLockRelease(ControlFileLock);
3155 
3156  /*
3157  * Check minRecoveryPoint for any other process than the startup
3158  * process doing crash recovery, which should not update the control
3159  * file value if crash recovery is still running.
3160  */
3162  updateMinRecoveryPoint = false;
3163 
3164  /* check again */
3166  return false;
3167  else
3168  return true;
3169  }
3170 
3171  /* Quick exit if already known flushed */
3172  if (record <= LogwrtResult.Flush)
3173  return false;
3174 
3175  /* read LogwrtResult and update local state */
3177 
3178  /* check again */
3179  if (record <= LogwrtResult.Flush)
3180  return false;
3181 
3182  return true;
3183 }
3184 
3185 /*
3186  * Try to make a given XLOG file segment exist.
3187  *
3188  * logsegno: identify segment.
3189  *
3190  * *added: on return, true if this call raised the number of extant segments.
3191  *
3192  * path: on return, this char[MAXPGPATH] has the path to the logsegno file.
3193  *
3194  * Returns -1 or FD of opened file. A -1 here is not an error; a caller
3195  * wanting an open segment should attempt to open "path", which usually will
3196  * succeed. (This is weird, but it's efficient for the callers.)
3197  */
3198 static int
3200  bool *added, char *path)
3201 {
3202  char tmppath[MAXPGPATH];
3203  XLogSegNo installed_segno;
3204  XLogSegNo max_segno;
3205  int fd;
3206  int save_errno;
3207  int open_flags = O_RDWR | O_CREAT | O_EXCL | PG_BINARY;
3208 
3209  Assert(logtli != 0);
3210 
3211  XLogFilePath(path, logtli, logsegno, wal_segment_size);
3212 
3213  /*
3214  * Try to use existent file (checkpoint maker may have created it already)
3215  */
3216  *added = false;
3217  fd = BasicOpenFile(path, O_RDWR | PG_BINARY | O_CLOEXEC |
3219  if (fd < 0)
3220  {
3221  if (errno != ENOENT)
3222  ereport(ERROR,
3224  errmsg("could not open file \"%s\": %m", path)));
3225  }
3226  else
3227  return fd;
3228 
3229  /*
3230  * Initialize an empty (all zeroes) segment. NOTE: it is possible that
3231  * another process is doing the same thing. If so, we will end up
3232  * pre-creating an extra log segment. That seems OK, and better than
3233  * holding the lock throughout this lengthy process.
3234  */
3235  elog(DEBUG2, "creating and filling new WAL file");
3236 
3237  snprintf(tmppath, MAXPGPATH, XLOGDIR "/xlogtemp.%d", (int) getpid());
3238 
3239  unlink(tmppath);
3240 
3242  open_flags |= PG_O_DIRECT;
3243 
3244  /* do not use get_sync_bit() here --- want to fsync only at end of fill */
3245  fd = BasicOpenFile(tmppath, open_flags);
3246  if (fd < 0)
3247  ereport(ERROR,
3249  errmsg("could not create file \"%s\": %m", tmppath)));
3250 
3251  pgstat_report_wait_start(WAIT_EVENT_WAL_INIT_WRITE);
3252  save_errno = 0;
3253  if (wal_init_zero)
3254  {
3255  ssize_t rc;
3256 
3257  /*
3258  * Zero-fill the file. With this setting, we do this the hard way to
3259  * ensure that all the file space has really been allocated. On
3260  * platforms that allow "holes" in files, just seeking to the end
3261  * doesn't allocate intermediate space. This way, we know that we
3262  * have all the space and (after the fsync below) that all the
3263  * indirect blocks are down on disk. Therefore, fdatasync(2) or
3264  * O_DSYNC will be sufficient to sync future writes to the log file.
3265  */
3267 
3268  if (rc < 0)
3269  save_errno = errno;
3270  }
3271  else
3272  {
3273  /*
3274  * Otherwise, seeking to the end and writing a solitary byte is
3275  * enough.
3276  */
3277  errno = 0;
3278  if (pg_pwrite(fd, "\0", 1, wal_segment_size - 1) != 1)
3279  {
3280  /* if write didn't set errno, assume no disk space */
3281  save_errno = errno ? errno : ENOSPC;
3282  }
3283  }
3285 
3286  if (save_errno)
3287  {
3288  /*
3289  * If we fail to make the file, delete it to release disk space
3290  */
3291  unlink(tmppath);
3292 
3293  close(fd);
3294 
3295  errno = save_errno;
3296 
3297  ereport(ERROR,
3299  errmsg("could not write to file \"%s\": %m", tmppath)));
3300  }
3301 
3302  pgstat_report_wait_start(WAIT_EVENT_WAL_INIT_SYNC);
3303  if (pg_fsync(fd) != 0)
3304  {
3305  save_errno = errno;
3306  close(fd);
3307  errno = save_errno;
3308  ereport(ERROR,
3310  errmsg("could not fsync file \"%s\": %m", tmppath)));
3311  }
3313 
3314  if (close(fd) != 0)
3315  ereport(ERROR,
3317  errmsg("could not close file \"%s\": %m", tmppath)));
3318 
3319  /*
3320  * Now move the segment into place with its final name. Cope with
3321  * possibility that someone else has created the file while we were
3322  * filling ours: if so, use ours to pre-create a future log segment.
3323  */
3324  installed_segno = logsegno;
3325 
3326  /*
3327  * XXX: What should we use as max_segno? We used to use XLOGfileslop when
3328  * that was a constant, but that was always a bit dubious: normally, at a
3329  * checkpoint, XLOGfileslop was the offset from the checkpoint record, but
3330  * here, it was the offset from the insert location. We can't do the
3331  * normal XLOGfileslop calculation here because we don't have access to
3332  * the prior checkpoint's redo location. So somewhat arbitrarily, just use
3333  * CheckPointSegments.
3334  */
3335  max_segno = logsegno + CheckPointSegments;
3336  if (InstallXLogFileSegment(&installed_segno, tmppath, true, max_segno,
3337  logtli))
3338  {
3339  *added = true;
3340  elog(DEBUG2, "done creating and filling new WAL file");
3341  }
3342  else
3343  {
3344  /*
3345  * No need for any more future segments, or InstallXLogFileSegment()
3346  * failed to rename the file into place. If the rename failed, a
3347  * caller opening the file may fail.
3348  */
3349  unlink(tmppath);
3350  elog(DEBUG2, "abandoned new WAL file");
3351  }
3352 
3353  return -1;
3354 }
3355 
3356 /*
3357  * Create a new XLOG file segment, or open a pre-existing one.
3358  *
3359  * logsegno: identify segment to be created/opened.
3360  *
3361  * Returns FD of opened file.
3362  *
3363  * Note: errors here are ERROR not PANIC because we might or might not be
3364  * inside a critical section (eg, during checkpoint there is no reason to
3365  * take down the system on failure). They will promote to PANIC if we are
3366  * in a critical section.
3367  */
3368 int
3370 {
3371  bool ignore_added;
3372  char path[MAXPGPATH];
3373  int fd;
3374 
3375  Assert(logtli != 0);
3376 
3377  fd = XLogFileInitInternal(logsegno, logtli, &ignore_added, path);
3378  if (fd >= 0)
3379  return fd;
3380 
3381  /* Now open original target segment (might not be file I just made) */
3382  fd = BasicOpenFile(path, O_RDWR | PG_BINARY | O_CLOEXEC |
3384  if (fd < 0)
3385  ereport(ERROR,
3387  errmsg("could not open file \"%s\": %m", path)));
3388  return fd;
3389 }
3390 
3391 /*
3392  * Create a new XLOG file segment by copying a pre-existing one.
3393  *
3394  * destsegno: identify segment to be created.
3395  *
3396  * srcTLI, srcsegno: identify segment to be copied (could be from
3397  * a different timeline)
3398  *
3399  * upto: how much of the source file to copy (the rest is filled with
3400  * zeros)
3401  *
3402  * Currently this is only used during recovery, and so there are no locking
3403  * considerations. But we should be just as tense as XLogFileInit to avoid
3404  * emplacing a bogus file.
3405  */
3406 static void
3407 XLogFileCopy(TimeLineID destTLI, XLogSegNo destsegno,
3408  TimeLineID srcTLI, XLogSegNo srcsegno,
3409  int upto)
3410 {
3411  char path[MAXPGPATH];
3412  char tmppath[MAXPGPATH];
3413  PGAlignedXLogBlock buffer;
3414  int srcfd;
3415  int fd;
3416  int nbytes;
3417 
3418  /*
3419  * Open the source file
3420  */
3421  XLogFilePath(path, srcTLI, srcsegno, wal_segment_size);
3422  srcfd = OpenTransientFile(path, O_RDONLY | PG_BINARY);
3423  if (srcfd < 0)
3424  ereport(ERROR,
3426  errmsg("could not open file \"%s\": %m", path)));
3427 
3428  /*
3429  * Copy into a temp file name.
3430  */
3431  snprintf(tmppath, MAXPGPATH, XLOGDIR "/xlogtemp.%d", (int) getpid());
3432 
3433  unlink(tmppath);
3434 
3435  /* do not use get_sync_bit() here --- want to fsync only at end of fill */
3436  fd = OpenTransientFile(tmppath, O_RDWR | O_CREAT | O_EXCL | PG_BINARY);
3437  if (fd < 0)
3438  ereport(ERROR,
3440  errmsg("could not create file \"%s\": %m", tmppath)));
3441 
3442  /*
3443  * Do the data copying.
3444  */
3445  for (nbytes = 0; nbytes < wal_segment_size; nbytes += sizeof(buffer))
3446  {
3447  int nread;
3448 
3449  nread = upto - nbytes;
3450 
3451  /*
3452  * The part that is not read from the source file is filled with
3453  * zeros.
3454  */
3455  if (nread < sizeof(buffer))
3456  memset(buffer.data, 0, sizeof(buffer));
3457 
3458  if (nread > 0)
3459  {
3460  int r;
3461 
3462  if (nread > sizeof(buffer))
3463  nread = sizeof(buffer);
3464  pgstat_report_wait_start(WAIT_EVENT_WAL_COPY_READ);
3465  r = read(srcfd, buffer.data, nread);
3466  if (r != nread)
3467  {
3468  if (r < 0)
3469  ereport(ERROR,
3471  errmsg("could not read file \"%s\": %m",
3472  path)));
3473  else
3474  ereport(ERROR,
3476  errmsg("could not read file \"%s\": read %d of %zu",
3477  path, r, (Size) nread)));
3478  }
3480  }
3481  errno = 0;
3482  pgstat_report_wait_start(WAIT_EVENT_WAL_COPY_WRITE);
3483  if ((int) write(fd, buffer.data, sizeof(buffer)) != (int) sizeof(buffer))
3484  {
3485  int save_errno = errno;
3486 
3487  /*
3488  * If we fail to make the file, delete it to release disk space
3489  */
3490  unlink(tmppath);
3491  /* if write didn't set errno, assume problem is no disk space */
3492  errno = save_errno ? save_errno : ENOSPC;
3493 
3494  ereport(ERROR,
3496  errmsg("could not write to file \"%s\": %m", tmppath)));
3497  }
3499  }
3500 
3501  pgstat_report_wait_start(WAIT_EVENT_WAL_COPY_SYNC);
3502  if (pg_fsync(fd) != 0)
3505  errmsg("could not fsync file \"%s\": %m", tmppath)));
3507 
3508  if (CloseTransientFile(fd) != 0)
3509  ereport(ERROR,
3511  errmsg("could not close file \"%s\": %m", tmppath)));
3512 
3513  if (CloseTransientFile(srcfd) != 0)
3514  ereport(ERROR,
3516  errmsg("could not close file \"%s\": %m", path)));
3517 
3518  /*
3519  * Now move the segment into place with its final name.
3520  */
3521  if (!InstallXLogFileSegment(&destsegno, tmppath, false, 0, destTLI))
3522  elog(ERROR, "InstallXLogFileSegment should not have failed");
3523 }
3524 
3525 /*
3526  * Install a new XLOG segment file as a current or future log segment.
3527  *
3528  * This is used both to install a newly-created segment (which has a temp
3529  * filename while it's being created) and to recycle an old segment.
3530  *
3531  * *segno: identify segment to install as (or first possible target).
3532  * When find_free is true, this is modified on return to indicate the
3533  * actual installation location or last segment searched.
3534  *
3535  * tmppath: initial name of file to install. It will be renamed into place.
3536  *
3537  * find_free: if true, install the new segment at the first empty segno
3538  * number at or after the passed numbers. If false, install the new segment
3539  * exactly where specified, deleting any existing segment file there.
3540  *
3541  * max_segno: maximum segment number to install the new file as. Fail if no
3542  * free slot is found between *segno and max_segno. (Ignored when find_free
3543  * is false.)
3544  *
3545  * tli: The timeline on which the new segment should be installed.
3546  *
3547  * Returns true if the file was installed successfully. false indicates that
3548  * max_segno limit was exceeded, the startup process has disabled this
3549  * function for now, or an error occurred while renaming the file into place.
3550  */
3551 static bool
3552 InstallXLogFileSegment(XLogSegNo *segno, char *tmppath,
3553  bool find_free, XLogSegNo max_segno, TimeLineID tli)
3554 {
3555  char path[MAXPGPATH];
3556  struct stat stat_buf;
3557 
3558  Assert(tli != 0);
3559 
3560  XLogFilePath(path, tli, *segno, wal_segment_size);
3561 
3562  LWLockAcquire(ControlFileLock, LW_EXCLUSIVE);
3564  {
3565  LWLockRelease(ControlFileLock);
3566  return false;
3567  }
3568 
3569  if (!find_free)
3570  {
3571  /* Force installation: get rid of any pre-existing segment file */
3572  durable_unlink(path, DEBUG1);
3573  }
3574  else
3575  {
3576  /* Find a free slot to put it in */
3577  while (stat(path, &stat_buf) == 0)
3578  {
3579  if ((*segno) >= max_segno)
3580  {
3581  /* Failed to find a free slot within specified range */
3582  LWLockRelease(ControlFileLock);
3583  return false;
3584  }
3585  (*segno)++;
3586  XLogFilePath(path, tli, *segno, wal_segment_size);
3587  }
3588  }
3589 
3590  Assert(access(path, F_OK) != 0 && errno == ENOENT);
3591  if (durable_rename(tmppath, path, LOG) != 0)
3592  {
3593  LWLockRelease(ControlFileLock);
3594  /* durable_rename already emitted log message */
3595  return false;
3596  }
3597 
3598  LWLockRelease(ControlFileLock);
3599 
3600  return true;
3601 }
3602 
3603 /*
3604  * Open a pre-existing logfile segment for writing.
3605  */
3606 int
3608 {
3609  char path[MAXPGPATH];
3610  int fd;
3611 
3612  XLogFilePath(path, tli, segno, wal_segment_size);
3613 
3614  fd = BasicOpenFile(path, O_RDWR | PG_BINARY | O_CLOEXEC |
3616  if (fd < 0)
3617  ereport(PANIC,
3619  errmsg("could not open file \"%s\": %m", path)));
3620 
3621  return fd;
3622 }
3623 
3624 /*
3625  * Close the current logfile segment for writing.
3626  */
3627 static void
3629 {
3630  Assert(openLogFile >= 0);
3631 
3632  /*
3633  * WAL segment files will not be re-read in normal operation, so we advise
3634  * the OS to release any cached pages. But do not do so if WAL archiving
3635  * or streaming is active, because archiver and walsender process could
3636  * use the cache to read the WAL segment.
3637  */
3638 #if defined(USE_POSIX_FADVISE) && defined(POSIX_FADV_DONTNEED)
3639  if (!XLogIsNeeded() && (io_direct_flags & IO_DIRECT_WAL) == 0)
3640  (void) posix_fadvise(openLogFile, 0, 0, POSIX_FADV_DONTNEED);
3641 #endif
3642 
3643  if (close(openLogFile) != 0)
3644  {
3645  char xlogfname[MAXFNAMELEN];
3646  int save_errno = errno;
3647 
3649  errno = save_errno;
3650  ereport(PANIC,
3652  errmsg("could not close file \"%s\": %m", xlogfname)));
3653  }
3654 
3655  openLogFile = -1;
3657 }
3658 
3659 /*
3660  * Preallocate log files beyond the specified log endpoint.
3661  *
3662  * XXX this is currently extremely conservative, since it forces only one
3663  * future log segment to exist, and even that only if we are 75% done with
3664  * the current one. This is only appropriate for very low-WAL-volume systems.
3665  * High-volume systems will be OK once they've built up a sufficient set of
3666  * recycled log segments, but the startup transient is likely to include
3667  * a lot of segment creations by foreground processes, which is not so good.
3668  *
3669  * XLogFileInitInternal() can ereport(ERROR). All known causes indicate big
3670  * trouble; for example, a full filesystem is one cause. The checkpoint WAL
3671  * and/or ControlFile updates already completed. If a RequestCheckpoint()
3672  * initiated the present checkpoint and an ERROR ends this function, the
3673  * command that called RequestCheckpoint() fails. That's not ideal, but it's
3674  * not worth contorting more functions to use caller-specified elevel values.
3675  * (With or without RequestCheckpoint(), an ERROR forestalls some inessential
3676  * reporting and resource reclamation.)
3677  */
3678 static void
3680 {
3681  XLogSegNo _logSegNo;
3682  int lf;
3683  bool added;
3684  char path[MAXPGPATH];
3685  uint64 offset;
3686 
3688  return; /* unlocked check says no */
3689 
3690  XLByteToPrevSeg(endptr, _logSegNo, wal_segment_size);
3691  offset = XLogSegmentOffset(endptr - 1, wal_segment_size);
3692  if (offset >= (uint32) (0.75 * wal_segment_size))
3693  {
3694  _logSegNo++;
3695  lf = XLogFileInitInternal(_logSegNo, tli, &added, path);
3696  if (lf >= 0)
3697  close(lf);
3698  if (added)
3700  }
3701 }
3702 
3703 /*
3704  * Throws an error if the given log segment has already been removed or
3705  * recycled. The caller should only pass a segment that it knows to have
3706  * existed while the server has been running, as this function always
3707  * succeeds if no WAL segments have been removed since startup.
3708  * 'tli' is only used in the error message.
3709  *
3710  * Note: this function guarantees to keep errno unchanged on return.
3711  * This supports callers that use this to possibly deliver a better
3712  * error message about a missing file, while still being able to throw
3713  * a normal file-access error afterwards, if this does return.
3714  */
3715 void
3717 {
3718  int save_errno = errno;
3719  XLogSegNo lastRemovedSegNo;
3720 
3722  lastRemovedSegNo = XLogCtl->lastRemovedSegNo;
3724 
3725  if (segno <= lastRemovedSegNo)
3726  {
3727  char filename[MAXFNAMELEN];
3728 
3729  XLogFileName(filename, tli, segno, wal_segment_size);
3730  errno = save_errno;
3731  ereport(ERROR,
3733  errmsg("requested WAL segment %s has already been removed",
3734  filename)));
3735  }
3736  errno = save_errno;
3737 }
3738 
3739 /*
3740  * Return the last WAL segment removed, or 0 if no segment has been removed
3741  * since startup.
3742  *
3743  * NB: the result can be out of date arbitrarily fast, the caller has to deal
3744  * with that.
3745  */
3746 XLogSegNo
3748 {
3749  XLogSegNo lastRemovedSegNo;
3750 
3752  lastRemovedSegNo = XLogCtl->lastRemovedSegNo;
3754 
3755  return lastRemovedSegNo;
3756 }
3757 
3758 /*
3759  * Return the oldest WAL segment on the given TLI that still exists in
3760  * XLOGDIR, or 0 if none.
3761  */
3762 XLogSegNo
3764 {
3765  DIR *xldir;
3766  struct dirent *xlde;
3767  XLogSegNo oldest_segno = 0;
3768 
3769  xldir = AllocateDir(XLOGDIR);
3770  while ((xlde = ReadDir(xldir, XLOGDIR)) != NULL)
3771  {
3772  TimeLineID file_tli;
3773  XLogSegNo file_segno;
3774 
3775  /* Ignore files that are not XLOG segments. */
3776  if (!IsXLogFileName(xlde->d_name))
3777  continue;
3778 
3779  /* Parse filename to get TLI and segno. */
3780  XLogFromFileName(xlde->d_name, &file_tli, &file_segno,
3782 
3783  /* Ignore anything that's not from the TLI of interest. */
3784  if (tli != file_tli)
3785  continue;
3786 
3787  /* If it's the oldest so far, update oldest_segno. */
3788  if (oldest_segno == 0 || file_segno < oldest_segno)
3789  oldest_segno = file_segno;
3790  }
3791 
3792  FreeDir(xldir);
3793  return oldest_segno;
3794 }
3795 
3796 /*
3797  * Update the last removed segno pointer in shared memory, to reflect that the
3798  * given XLOG file has been removed.
3799  */
3800 static void
3802 {
3803  uint32 tli;
3804  XLogSegNo segno;
3805 
3806  XLogFromFileName(filename, &tli, &segno, wal_segment_size);
3807 
3809  if (segno > XLogCtl->lastRemovedSegNo)
3810  XLogCtl->lastRemovedSegNo = segno;
3812 }
3813 
3814 /*
3815  * Remove all temporary log files in pg_wal
3816  *
3817  * This is called at the beginning of recovery after a previous crash,
3818  * at a point where no other processes write fresh WAL data.
3819  */
3820 static void
3822 {
3823  DIR *xldir;
3824  struct dirent *xlde;
3825 
3826  elog(DEBUG2, "removing all temporary WAL segments");
3827 
3828  xldir = AllocateDir(XLOGDIR);
3829  while ((xlde = ReadDir(xldir, XLOGDIR)) != NULL)
3830  {
3831  char path[MAXPGPATH];
3832 
3833  if (strncmp(xlde->d_name, "xlogtemp.", 9) != 0)
3834  continue;
3835 
3836  snprintf(path, MAXPGPATH, XLOGDIR "/%s", xlde->d_name);
3837  unlink(path);
3838  elog(DEBUG2, "removed temporary WAL segment \"%s\"", path);
3839  }
3840  FreeDir(xldir);
3841 }
3842 
3843 /*
3844  * Recycle or remove all log files older or equal to passed segno.
3845  *
3846  * endptr is current (or recent) end of xlog, and lastredoptr is the
3847  * redo pointer of the last checkpoint. These are used to determine
3848  * whether we want to recycle rather than delete no-longer-wanted log files.
3849  *
3850  * insertTLI is the current timeline for XLOG insertion. Any recycled
3851  * segments should be reused for this timeline.
3852  */
3853 static void
3855  TimeLineID insertTLI)
3856 {
3857  DIR *xldir;
3858  struct dirent *xlde;
3859  char lastoff[MAXFNAMELEN];
3860  XLogSegNo endlogSegNo;
3861  XLogSegNo recycleSegNo;
3862 
3863  /* Initialize info about where to try to recycle to */
3864  XLByteToSeg(endptr, endlogSegNo, wal_segment_size);
3865  recycleSegNo = XLOGfileslop(lastredoptr);
3866 
3867  /*
3868  * Construct a filename of the last segment to be kept. The timeline ID
3869  * doesn't matter, we ignore that in the comparison. (During recovery,
3870  * InsertTimeLineID isn't set, so we can't use that.)
3871  */
3872  XLogFileName(lastoff, 0, segno, wal_segment_size);
3873 
3874  elog(DEBUG2, "attempting to remove WAL segments older than log file %s",
3875  lastoff);
3876 
3877  xldir = AllocateDir(XLOGDIR);
3878 
3879  while ((xlde = ReadDir(xldir, XLOGDIR)) != NULL)
3880  {
3881  /* Ignore files that are not XLOG segments */
3882  if (!IsXLogFileName(xlde->d_name) &&
3883  !IsPartialXLogFileName(xlde->d_name))
3884  continue;
3885 
3886  /*
3887  * We ignore the timeline part of the XLOG segment identifiers in
3888  * deciding whether a segment is still needed. This ensures that we
3889  * won't prematurely remove a segment from a parent timeline. We could
3890  * probably be a little more proactive about removing segments of
3891  * non-parent timelines, but that would be a whole lot more
3892  * complicated.
3893  *
3894  * We use the alphanumeric sorting property of the filenames to decide
3895  * which ones are earlier than the lastoff segment.
3896  */
3897  if (strcmp(xlde->d_name + 8, lastoff + 8) <= 0)
3898  {
3899  if (XLogArchiveCheckDone(xlde->d_name))
3900  {
3901  /* Update the last removed location in shared memory first */
3903 
3904  RemoveXlogFile(xlde, recycleSegNo, &endlogSegNo, insertTLI);
3905  }
3906  }
3907  }
3908 
3909  FreeDir(xldir);
3910 }
3911 
3912 /*
3913  * Recycle or remove WAL files that are not part of the given timeline's
3914  * history.
3915  *
3916  * This is called during recovery, whenever we switch to follow a new
3917  * timeline, and at the end of recovery when we create a new timeline. We
3918  * wouldn't otherwise care about extra WAL files lying in pg_wal, but they
3919  * might be leftover pre-allocated or recycled WAL segments on the old timeline
3920  * that we haven't used yet, and contain garbage. If we just leave them in
3921  * pg_wal, they will eventually be archived, and we can't let that happen.
3922  * Files that belong to our timeline history are valid, because we have
3923  * successfully replayed them, but from others we can't be sure.
3924  *
3925  * 'switchpoint' is the current point in WAL where we switch to new timeline,
3926  * and 'newTLI' is the new timeline we switch to.
3927  */
3928 void
3930 {
3931  DIR *xldir;
3932  struct dirent *xlde;
3933  char switchseg[MAXFNAMELEN];
3934  XLogSegNo endLogSegNo;
3935  XLogSegNo switchLogSegNo;
3936  XLogSegNo recycleSegNo;
3937 
3938  /*
3939  * Initialize info about where to begin the work. This will recycle,
3940  * somewhat arbitrarily, 10 future segments.
3941  */
3942  XLByteToPrevSeg(switchpoint, switchLogSegNo, wal_segment_size);
3943  XLByteToSeg(switchpoint, endLogSegNo, wal_segment_size);
3944  recycleSegNo = endLogSegNo + 10;
3945 
3946  /*
3947  * Construct a filename of the last segment to be kept.
3948  */
3949  XLogFileName(switchseg, newTLI, switchLogSegNo, wal_segment_size);
3950 
3951  elog(DEBUG2, "attempting to remove WAL segments newer than log file %s",
3952  switchseg);
3953 
3954  xldir = AllocateDir(XLOGDIR);
3955 
3956  while ((xlde = ReadDir(xldir, XLOGDIR)) != NULL)
3957  {
3958  /* Ignore files that are not XLOG segments */
3959  if (!IsXLogFileName(xlde->d_name))
3960  continue;
3961 
3962  /*
3963  * Remove files that are on a timeline older than the new one we're
3964  * switching to, but with a segment number >= the first segment on the
3965  * new timeline.
3966  */
3967  if (strncmp(xlde->d_name, switchseg, 8) < 0 &&
3968  strcmp(xlde->d_name + 8, switchseg + 8) > 0)
3969  {
3970  /*
3971  * If the file has already been marked as .ready, however, don't
3972  * remove it yet. It should be OK to remove it - files that are
3973  * not part of our timeline history are not required for recovery
3974  * - but seems safer to let them be archived and removed later.
3975  */
3976  if (!XLogArchiveIsReady(xlde->d_name))
3977  RemoveXlogFile(xlde, recycleSegNo, &endLogSegNo, newTLI);
3978  }
3979  }
3980 
3981  FreeDir(xldir);
3982 }
3983 
3984 /*
3985  * Recycle or remove a log file that's no longer needed.
3986  *
3987  * segment_de is the dirent structure of the segment to recycle or remove.
3988  * recycleSegNo is the segment number to recycle up to. endlogSegNo is
3989  * the segment number of the current (or recent) end of WAL.
3990  *
3991  * endlogSegNo gets incremented if the segment is recycled so as it is not
3992  * checked again with future callers of this function.
3993  *
3994  * insertTLI is the current timeline for XLOG insertion. Any recycled segments
3995  * should be used for this timeline.
3996  */
3997 static void
3998 RemoveXlogFile(const struct dirent *segment_de,
3999  XLogSegNo recycleSegNo, XLogSegNo *endlogSegNo,
4000  TimeLineID insertTLI)
4001 {
4002  char path[MAXPGPATH];
4003 #ifdef WIN32
4004  char newpath[MAXPGPATH];
4005 #endif
4006  const char *segname = segment_de->d_name;
4007 
4008  snprintf(path, MAXPGPATH, XLOGDIR "/%s", segname);
4009 
4010  /*
4011  * Before deleting the file, see if it can be recycled as a future log
4012  * segment. Only recycle normal files, because we don't want to recycle
4013  * symbolic links pointing to a separate archive directory.
4014  */
4015  if (wal_recycle &&
4016  *endlogSegNo <= recycleSegNo &&
4017  XLogCtl->InstallXLogFileSegmentActive && /* callee rechecks this */
4018  get_dirent_type(path, segment_de, false, DEBUG2) == PGFILETYPE_REG &&
4019  InstallXLogFileSegment(endlogSegNo, path,
4020  true, recycleSegNo, insertTLI))
4021  {
4022  ereport(DEBUG2,
4023  (errmsg_internal("recycled write-ahead log file \"%s\"",
4024  segname)));
4026  /* Needn't recheck that slot on future iterations */
4027  (*endlogSegNo)++;
4028  }
4029  else
4030  {
4031  /* No need for any more future segments, or recycling failed ... */
4032  int rc;
4033 
4034  ereport(DEBUG2,
4035  (errmsg_internal("removing write-ahead log file \"%s\"",
4036  segname)));
4037 
4038 #ifdef WIN32
4039 
4040  /*
4041  * On Windows, if another process (e.g another backend) holds the file
4042  * open in FILE_SHARE_DELETE mode, unlink will succeed, but the file
4043  * will still show up in directory listing until the last handle is
4044  * closed. To avoid confusing the lingering deleted file for a live
4045  * WAL file that needs to be archived, rename it before deleting it.
4046  *
4047  * If another process holds the file open without FILE_SHARE_DELETE
4048  * flag, rename will fail. We'll try again at the next checkpoint.
4049  */
4050  snprintf(newpath, MAXPGPATH, "%s.deleted", path);
4051  if (rename(path, newpath) != 0)
4052  {
4053  ereport(LOG,
4055  errmsg("could not rename file \"%s\": %m",
4056  path)));
4057  return;
4058  }
4059  rc = durable_unlink(newpath, LOG);
4060 #else
4061  rc = durable_unlink(path, LOG);
4062 #endif
4063  if (rc != 0)
4064  {
4065  /* Message already logged by durable_unlink() */
4066  return;
4067  }
4069  }
4070 
4071  XLogArchiveCleanup(segname);
4072 }
4073 
4074 /*
4075  * Verify whether pg_wal, pg_wal/archive_status, and pg_wal/summaries exist.
4076  * If the latter do not exist, recreate them.
4077  *
4078  * It is not the goal of this function to verify the contents of these
4079  * directories, but to help in cases where someone has performed a cluster
4080  * copy for PITR purposes but omitted pg_wal from the copy.
4081  *
4082  * We could also recreate pg_wal if it doesn't exist, but a deliberate
4083  * policy decision was made not to. It is fairly common for pg_wal to be
4084  * a symlink, and if that was the DBA's intent then automatically making a
4085  * plain directory would result in degraded performance with no notice.
4086  */
4087 static void
4089 {
4090  char path[MAXPGPATH];
4091  struct stat stat_buf;
4092 
4093  /* Check for pg_wal; if it doesn't exist, error out */
4094  if (stat(XLOGDIR, &stat_buf) != 0 ||
4095  !S_ISDIR(stat_buf.st_mode))
4096  ereport(FATAL,
4098  errmsg("required WAL directory \"%s\" does not exist",
4099  XLOGDIR)));
4100 
4101  /* Check for archive_status */
4102  snprintf(path, MAXPGPATH, XLOGDIR "/archive_status");
4103  if (stat(path, &stat_buf) == 0)
4104  {
4105  /* Check for weird cases where it exists but isn't a directory */
4106  if (!S_ISDIR(stat_buf.st_mode))
4107  ereport(FATAL,
4109  errmsg("required WAL directory \"%s\" does not exist",
4110  path)));
4111  }
4112  else
4113  {
4114  ereport(LOG,
4115  (errmsg("creating missing WAL directory \"%s\"", path)));
4116  if (MakePGDirectory(path) < 0)
4117  ereport(FATAL,
4119  errmsg("could not create missing directory \"%s\": %m",
4120  path)));
4121  }
4122 
4123  /* Check for summaries */
4124  snprintf(path, MAXPGPATH, XLOGDIR "/summaries");
4125  if (stat(path, &stat_buf) == 0)
4126  {
4127  /* Check for weird cases where it exists but isn't a directory */
4128  if (!S_ISDIR(stat_buf.st_mode))
4129  ereport(FATAL,
4130  (errmsg("required WAL directory \"%s\" does not exist",
4131  path)));
4132  }
4133  else
4134  {
4135  ereport(LOG,
4136  (errmsg("creating missing WAL directory \"%s\"", path)));
4137  if (MakePGDirectory(path) < 0)
4138  ereport(FATAL,
4139  (errmsg("could not create missing directory \"%s\": %m",
4140  path)));
4141  }
4142 }
4143 
4144 /*
4145  * Remove previous backup history files. This also retries creation of
4146  * .ready files for any backup history files for which XLogArchiveNotify
4147  * failed earlier.
4148  */
4149 static void
4151 {
4152  DIR *xldir;
4153  struct dirent *xlde;
4154  char path[MAXPGPATH + sizeof(XLOGDIR)];
4155 
4156  xldir = AllocateDir(XLOGDIR);
4157 
4158  while ((xlde = ReadDir(xldir, XLOGDIR)) != NULL)
4159  {
4160  if (IsBackupHistoryFileName(xlde->d_name))
4161  {
4162  if (XLogArchiveCheckDone(xlde->d_name))
4163  {
4164  elog(DEBUG2, "removing WAL backup history file \"%s\"",
4165  xlde->d_name);
4166  snprintf(path, sizeof(path), XLOGDIR "/%s", xlde->d_name);
4167  unlink(path);
4168  XLogArchiveCleanup(xlde->d_name);
4169  }
4170  }
4171  }
4172 
4173  FreeDir(xldir);
4174 }
4175 
4176 /*
4177  * I/O routines for pg_control
4178  *
4179  * *ControlFile is a buffer in shared memory that holds an image of the
4180  * contents of pg_control. WriteControlFile() initializes pg_control
4181  * given a preloaded buffer, ReadControlFile() loads the buffer from
4182  * the pg_control file (during postmaster or standalone-backend startup),
4183  * and UpdateControlFile() rewrites pg_control after we modify xlog state.
4184  * InitControlFile() fills the buffer with initial values.
4185  *
4186  * For simplicity, WriteControlFile() initializes the fields of pg_control
4187  * that are related to checking backend/database compatibility, and
4188  * ReadControlFile() verifies they are correct. We could split out the
4189  * I/O and compatibility-check functions, but there seems no need currently.
4190  */
4191 
4192 static void
4193 InitControlFile(uint64 sysidentifier)
4194 {
4195  char mock_auth_nonce[MOCK_AUTH_NONCE_LEN];
4196 
4197  /*
4198  * Generate a random nonce. This is used for authentication requests that
4199  * will fail because the user does not exist. The nonce is used to create
4200  * a genuine-looking password challenge for the non-existent user, in lieu
4201  * of an actual stored password.
4202  */
4203  if (!pg_strong_random(mock_auth_nonce, MOCK_AUTH_NONCE_LEN))
4204  ereport(PANIC,
4205  (errcode(ERRCODE_INTERNAL_ERROR),
4206  errmsg("could not generate secret authorization token")));
4207 
4208  memset(ControlFile, 0, sizeof(ControlFileData));
4209  /* Initialize pg_control status fields */
4210  ControlFile->system_identifier = sysidentifier;
4211  memcpy(ControlFile->mock_authentication_nonce, mock_auth_nonce, MOCK_AUTH_NONCE_LEN);
4214 
4215  /* Set important parameter values for use when replaying WAL */
4225 }
4226 
4227 static void
4229 {
4230  int fd;
4231  char buffer[PG_CONTROL_FILE_SIZE]; /* need not be aligned */
4232 
4233  /*
4234  * Initialize version and compatibility-check fields
4235  */
4238 
4239  ControlFile->maxAlign = MAXIMUM_ALIGNOF;
4241 
4242  ControlFile->blcksz = BLCKSZ;
4243  ControlFile->relseg_size = RELSEG_SIZE;
4244  ControlFile->xlog_blcksz = XLOG_BLCKSZ;
4246 
4249 
4252 
4254 
4255  /* Contents are protected with a CRC */
4258  (char *) ControlFile,
4259  offsetof(ControlFileData, crc));
4261 
4262  /*
4263  * We write out PG_CONTROL_FILE_SIZE bytes into pg_control, zero-padding
4264  * the excess over sizeof(ControlFileData). This reduces the odds of
4265  * premature-EOF errors when reading pg_control. We'll still fail when we
4266  * check the contents of the file, but hopefully with a more specific
4267  * error than "couldn't read pg_control".
4268  */
4269  memset(buffer, 0, PG_CONTROL_FILE_SIZE);
4270  memcpy(buffer, ControlFile, sizeof(ControlFileData));
4271 
4273  O_RDWR | O_CREAT | O_EXCL | PG_BINARY);
4274  if (fd < 0)
4275  ereport(PANIC,
4277  errmsg("could not create file \"%s\": %m",
4278  XLOG_CONTROL_FILE)));
4279 
4280  errno = 0;
4281  pgstat_report_wait_start(WAIT_EVENT_CONTROL_FILE_WRITE);
4283  {
4284  /* if write didn't set errno, assume problem is no disk space */
4285  if (errno == 0)
4286  errno = ENOSPC;
4287  ereport(PANIC,
4289  errmsg("could not write to file \"%s\": %m",
4290  XLOG_CONTROL_FILE)));
4291  }
4293 
4294  pgstat_report_wait_start(WAIT_EVENT_CONTROL_FILE_SYNC);
4295  if (pg_fsync(fd) != 0)
4296  ereport(PANIC,
4298  errmsg("could not fsync file \"%s\": %m",
4299  XLOG_CONTROL_FILE)));
4301 
4302  if (close(fd) != 0)
4303  ereport(PANIC,
4305  errmsg("could not close file \"%s\": %m",
4306  XLOG_CONTROL_FILE)));
4307 }
4308 
4309 static void
4311 {
4312  pg_crc32c crc;
4313  int fd;
4314  static char wal_segsz_str[20];
4315  int r;
4316 
4317  /*
4318  * Read data...
4319  */
4321  O_RDWR | PG_BINARY);
4322  if (fd < 0)
4323  ereport(PANIC,
4325  errmsg("could not open file \"%s\": %m",
4326  XLOG_CONTROL_FILE)));
4327 
4328  pgstat_report_wait_start(WAIT_EVENT_CONTROL_FILE_READ);
4329  r = read(fd, ControlFile, sizeof(ControlFileData));
4330  if (r != sizeof(ControlFileData))
4331  {
4332  if (r < 0)
4333  ereport(PANIC,
4335  errmsg("could not read file \"%s\": %m",
4336  XLOG_CONTROL_FILE)));
4337  else
4338  ereport(PANIC,
4340  errmsg("could not read file \"%s\": read %d of %zu",
4341  XLOG_CONTROL_FILE, r, sizeof(ControlFileData))));
4342  }
4344 
4345  close(fd);
4346 
4347  /*
4348  * Check for expected pg_control format version. If this is wrong, the
4349  * CRC check will likely fail because we'll be checking the wrong number
4350  * of bytes. Complaining about wrong version will probably be more
4351  * enlightening than complaining about wrong CRC.
4352  */
4353 
4355  ereport(FATAL,
4356  (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
4357  errmsg("database files are incompatible with server"),
4358  errdetail("The database cluster was initialized with PG_CONTROL_VERSION %d (0x%08x),"
4359  " but the server was compiled with PG_CONTROL_VERSION %d (0x%08x).",
4362  errhint("This could be a problem of mismatched byte ordering. It looks like you need to initdb.")));
4363 
4365  ereport(FATAL,
4366  (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
4367  errmsg("database files are incompatible with server"),
4368  errdetail("The database cluster was initialized with PG_CONTROL_VERSION %d,"
4369  " but the server was compiled with PG_CONTROL_VERSION %d.",
4371  errhint("It looks like you need to initdb.")));
4372 
4373  /* Now check the CRC. */
4374  INIT_CRC32C(crc);
4375  COMP_CRC32C(crc,
4376  (char *) ControlFile,
4377  offsetof(ControlFileData, crc));
4378  FIN_CRC32C(crc);
4379 
4380  if (!EQ_CRC32C(crc, ControlFile->crc))
4381  ereport(FATAL,
4382  (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
4383  errmsg("incorrect checksum in control file")));
4384 
4385  /*
4386  * Do compatibility checking immediately. If the database isn't
4387  * compatible with the backend executable, we want to abort before we can
4388  * possibly do any damage.
4389  */
4391  ereport(FATAL,
4392  (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
4393  errmsg("database files are incompatible with server"),
4394  errdetail("The database cluster was initialized with CATALOG_VERSION_NO %d,"
4395  " but the server was compiled with CATALOG_VERSION_NO %d.",
4397  errhint("It looks like you need to initdb.")));
4398  if (ControlFile->maxAlign != MAXIMUM_ALIGNOF)
4399  ereport(FATAL,
4400  (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
4401  errmsg("database files are incompatible with server"),
4402  errdetail("The database cluster was initialized with MAXALIGN %d,"
4403  " but the server was compiled with MAXALIGN %d.",
4404  ControlFile->maxAlign, MAXIMUM_ALIGNOF),
4405  errhint("It looks like you need to initdb.")));
4407  ereport(FATAL,
4408  (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
4409  errmsg("database files are incompatible with server"),
4410  errdetail("The database cluster appears to use a different floating-point number format than the server executable."),
4411  errhint("It looks like you need to initdb.")));
4412  if (ControlFile->blcksz != BLCKSZ)
4413  ereport(FATAL,
4414  (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
4415  errmsg("database files are incompatible with server"),
4416  errdetail("The database cluster was initialized with BLCKSZ %d,"
4417  " but the server was compiled with BLCKSZ %d.",
4418  ControlFile->blcksz, BLCKSZ),
4419  errhint("It looks like you need to recompile or initdb.")));
4420  if (ControlFile->relseg_size != RELSEG_SIZE)
4421  ereport(FATAL,
4422  (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
4423  errmsg("database files are incompatible with server"),
4424  errdetail("The database cluster was initialized with RELSEG_SIZE %d,"
4425  " but the server was compiled with RELSEG_SIZE %d.",
4426  ControlFile->relseg_size, RELSEG_SIZE),
4427  errhint("It looks like you need to recompile or initdb.")));
4428  if (ControlFile->xlog_blcksz != XLOG_BLCKSZ)
4429  ereport(FATAL,
4430  (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
4431  errmsg("database files are incompatible with server"),
4432  errdetail("The database cluster was initialized with XLOG_BLCKSZ %d,"
4433  " but the server was compiled with XLOG_BLCKSZ %d.",
4434  ControlFile->xlog_blcksz, XLOG_BLCKSZ),
4435  errhint("It looks like you need to recompile or initdb.")));
4437  ereport(FATAL,
4438  (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
4439  errmsg("database files are incompatible with server"),
4440  errdetail("The database cluster was initialized with NAMEDATALEN %d,"
4441  " but the server was compiled with NAMEDATALEN %d.",
4443  errhint("It looks like you need to recompile or initdb.")));
4445  ereport(FATAL,
4446  (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
4447  errmsg("database files are incompatible with server"),
4448  errdetail("The database cluster was initialized with INDEX_MAX_KEYS %d,"
4449  " but the server was compiled with INDEX_MAX_KEYS %d.",
4451  errhint("It looks like you need to recompile or initdb.")));
4453  ereport(FATAL,
4454  (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
4455  errmsg("database files are incompatible with server"),
4456  errdetail("The database cluster was initialized with TOAST_MAX_CHUNK_SIZE %d,"
4457  " but the server was compiled with TOAST_MAX_CHUNK_SIZE %d.",
4459  errhint("It looks like you need to recompile or initdb.")));
4461  ereport(FATAL,
4462  (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
4463  errmsg("database files are incompatible with server"),
4464  errdetail("The database cluster was initialized with LOBLKSIZE %d,"
4465  " but the server was compiled with LOBLKSIZE %d.",
4466  ControlFile->loblksize, (int) LOBLKSIZE),
4467  errhint("It looks like you need to recompile or initdb.")));
4468 
4469 #ifdef USE_FLOAT8_BYVAL
4470  if (ControlFile->float8ByVal != true)
4471  ereport(FATAL,
4472  (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
4473  errmsg("database files are incompatible with server"),
4474  errdetail("The database cluster was initialized without USE_FLOAT8_BYVAL"
4475  " but the server was compiled with USE_FLOAT8_BYVAL."),
4476  errhint("It looks like you need to recompile or initdb.")));
4477 #else
4478  if (ControlFile->float8ByVal != false)
4479  ereport(FATAL,
4480  (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
4481  errmsg("database files are incompatible with server"),
4482  errdetail("The database cluster was initialized with USE_FLOAT8_BYVAL"
4483  " but the server was compiled without USE_FLOAT8_BYVAL."),
4484  errhint("It looks like you need to recompile or initdb.")));
4485 #endif
4486 
4488 
4490  ereport(ERROR, (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
4491  errmsg_plural("invalid WAL segment size in control file (%d byte)",
4492  "invalid WAL segment size in control file (%d bytes)",
4495  errdetail("The WAL segment size must be a power of two between 1 MB and 1 GB.")));
4496 
4497  snprintf(wal_segsz_str, sizeof(wal_segsz_str), "%d", wal_segment_size);
4498  SetConfigOption("wal_segment_size", wal_segsz_str, PGC_INTERNAL,
4500 
4501  /* check and update variables dependent on wal_segment_size */
4503  ereport(ERROR, (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
4504  errmsg("min_wal_size must be at least twice wal_segment_size")));
4505 
4507  ereport(ERROR, (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
4508  errmsg("max_wal_size must be at least twice wal_segment_size")));
4509 
4511  (wal_segment_size / XLOG_BLCKSZ * UsableBytesInPage) -
4513 
4515 
4516  /* Make the initdb settings visible as GUC variables, too */
4517  SetConfigOption("data_checksums", DataChecksumsEnabled() ? "yes" : "no",
4519 }
4520 
4521 /*
4522  * Utility wrapper to update the control file. Note that the control
4523  * file gets flushed.
4524  */
4525 static void
4527 {
4529 }
4530 
4531 /*
4532  * Returns the unique system identifier from control file.
4533  */
4534 uint64
4536 {
4537  Assert(ControlFile != NULL);
4539 }
4540 
4541 /*
4542  * Returns the random nonce from control file.
4543  */
4544 char *
4546 {
4547  Assert(ControlFile != NULL);
4549 }
4550 
4551 /*
4552  * Are checksums enabled for data pages?
4553  */
4554 bool
4556 {
4557  Assert(ControlFile != NULL);
4558  return (ControlFile->data_checksum_version > 0);
4559 }
4560 
4561 /*
4562  * Returns a fake LSN for unlogged relations.
4563  *
4564  * Each call generates an LSN that is greater than any previous value
4565  * returned. The current counter value is saved and restored across clean
4566  * shutdowns, but like unlogged relations, does not survive a crash. This can
4567  * be used in lieu of real LSN values returned by XLogInsert, if you need an
4568  * LSN-like increasing sequence of numbers without writing any WAL.
4569  */
4570 XLogRecPtr
4572 {
4574 }
4575 
4576 /*
4577  * Auto-tune the number of XLOG buffers.
4578  *
4579  * The preferred setting for wal_buffers is about 3% of shared_buffers, with
4580  * a maximum of one XLOG segment (there is little reason to think that more
4581  * is helpful, at least so long as we force an fsync when switching log files)
4582  * and a minimum of 8 blocks (which was the default value prior to PostgreSQL
4583  * 9.1, when auto-tuning was added).
4584  *
4585  * This should not be called until NBuffers has received its final value.
4586  */
4587 static int
4589 {
4590  int xbuffers;
4591 
4592  xbuffers = NBuffers / 32;
4593  if (xbuffers > (wal_segment_size / XLOG_BLCKSZ))
4594  xbuffers = (wal_segment_size / XLOG_BLCKSZ);
4595  if (xbuffers < 8)
4596  xbuffers = 8;
4597  return xbuffers;
4598 }
4599 
4600 /*
4601  * GUC check_hook for wal_buffers
4602  */
4603 bool
4605 {
4606  /*
4607  * -1 indicates a request for auto-tune.
4608  */
4609  if (*newval == -1)
4610  {
4611  /*
4612  * If we haven't yet changed the boot_val default of -1, just let it
4613  * be. We'll fix it when XLOGShmemSize is called.
4614  */
4615  if (XLOGbuffers == -1)
4616  return true;
4617 
4618  /* Otherwise, substitute the auto-tune value */
4620  }
4621 
4622  /*
4623  * We clamp manually-set values to at least 4 blocks. Prior to PostgreSQL
4624  * 9.1, a minimum of 4 was enforced by guc.c, but since that is no longer
4625  * the case, we just silently treat such values as a request for the
4626  * minimum. (We could throw an error instead, but that doesn't seem very
4627  * helpful.)
4628  */
4629  if (*newval < 4)
4630  *newval = 4;
4631 
4632  return true;
4633 }
4634 
4635 /*
4636  * GUC check_hook for wal_consistency_checking
4637  */
4638 bool
4640 {
4641  char *rawstring;
4642  List *elemlist;
4643  ListCell *l;
4644  bool newwalconsistency[RM_MAX_ID + 1];
4645 
4646  /* Initialize the array */
4647  MemSet(newwalconsistency, 0, (RM_MAX_ID + 1) * sizeof(bool));
4648 
4649  /* Need a modifiable copy of string */
4650  rawstring = pstrdup(*newval);
4651 
4652  /* Parse string into list of identifiers */
4653  if (!SplitIdentifierString(rawstring, ',', &elemlist))
4654  {
4655  /* syntax error in list */
4656  GUC_check_errdetail("List syntax is invalid.");
4657  pfree(rawstring);
4658  list_free(elemlist);
4659  return false;
4660  }
4661 
4662  foreach(l, elemlist)
4663  {
4664  char *tok = (char *) lfirst(l);
4665  int rmid;
4666 
4667  /* Check for 'all'. */
4668  if (pg_strcasecmp(tok, "all") == 0)
4669  {
4670  for (rmid = 0; rmid <= RM_MAX_ID; rmid++)
4671  if (RmgrIdExists(rmid) && GetRmgr(rmid).rm_mask != NULL)
4672  newwalconsistency[rmid] = true;
4673  }
4674  else
4675  {
4676  /* Check if the token matches any known resource manager. */
4677  bool found = false;
4678 
4679  for (rmid = 0; rmid <= RM_MAX_ID; rmid++)
4680  {
4681  if (RmgrIdExists(rmid) && GetRmgr(rmid).rm_mask != NULL &&
4682  pg_strcasecmp(tok, GetRmgr(rmid).rm_name) == 0)
4683  {
4684  newwalconsistency[rmid] = true;
4685  found = true;
4686  break;
4687  }
4688  }
4689  if (!found)
4690  {
4691  /*
4692  * During startup, it might be a not-yet-loaded custom
4693  * resource manager. Defer checking until
4694  * InitializeWalConsistencyChecking().
4695  */
4697  {
4699  }
4700  else
4701  {
4702  GUC_check_errdetail("Unrecognized key word: \"%s\".", tok);
4703  pfree(rawstring);
4704  list_free(elemlist);
4705  return false;
4706  }
4707  }
4708  }
4709  }
4710 
4711  pfree(rawstring);
4712  list_free(elemlist);
4713 
4714  /* assign new value */
4715  *extra = guc_malloc(ERROR, (RM_MAX_ID + 1) * sizeof(bool));
4716  memcpy(*extra, newwalconsistency, (RM_MAX_ID + 1) * sizeof(bool));
4717  return true;
4718 }
4719 
4720 /*
4721  * GUC assign_hook for wal_consistency_checking
4722  */
4723 void
4724 assign_wal_consistency_checking(const char *newval, void *extra)
4725 {
4726  /*
4727  * If some checks were deferred, it's possible that the checks will fail
4728  * later during InitializeWalConsistencyChecking(). But in that case, the
4729  * postmaster will exit anyway, so it's safe to proceed with the
4730  * assignment.
4731  *
4732  * Any built-in resource managers specified are assigned immediately,
4733  * which affects WAL created before shared_preload_libraries are
4734  * processed. Any custom resource managers specified won't be assigned
4735  * until after shared_preload_libraries are processed, but that's OK
4736  * because WAL for a custom resource manager can't be written before the
4737  * module is loaded anyway.
4738  */
4739  wal_consistency_checking = extra;
4740 }
4741 
4742 /*
4743  * InitializeWalConsistencyChecking: run after loading custom resource managers
4744  *
4745  * If any unknown resource managers were specified in the
4746  * wal_consistency_checking GUC, processing was deferred. Now that
4747  * shared_preload_libraries have been loaded, process wal_consistency_checking
4748  * again.
4749  */
4750 void
4752 {
4754 
4756  {
4757  struct config_generic *guc;
4758 
4759  guc = find_option("wal_consistency_checking", false, false, ERROR);
4760 
4762 
4763  set_config_option_ext("wal_consistency_checking",
4765  guc->scontext, guc->source, guc->srole,
4766  GUC_ACTION_SET, true, ERROR, false);
4767 
4768  /* checking should not be deferred again */
4770  }
4771 }
4772 
4773 /*
4774  * GUC show_hook for archive_command
4775  */
4776 const char *
4778 {
4779  if (XLogArchivingActive())
4780  return XLogArchiveCommand;
4781  else
4782  return "(disabled)";
4783 }
4784 
4785 /*
4786  * GUC show_hook for in_hot_standby
4787  */
4788 const char *
4790 {
4791  /*
4792  * We display the actual state based on shared memory, so that this GUC
4793  * reports up-to-date state if examined intra-query. The underlying
4794  * variable (in_hot_standby_guc) changes only when we transmit a new value
4795  * to the client.
4796  */
4797  return RecoveryInProgress() ? "on" : "off";
4798 }
4799 
4800 /*
4801  * Read the control file, set respective GUCs.
4802  *
4803  * This is to be called during startup, including a crash recovery cycle,
4804  * unless in bootstrap mode, where no control file yet exists. As there's no
4805  * usable shared memory yet (its sizing can depend on the contents of the
4806  * control file!), first store the contents in local memory. XLOGShmemInit()
4807  * will then copy it to shared memory later.
4808  *
4809  * reset just controls whether previous contents are to be expected (in the
4810  * reset case, there's a dangling pointer into old shared memory), or not.
4811  */
4812 void
4814 {
4815  Assert(reset || ControlFile == NULL);
4816  ControlFile = palloc(sizeof(ControlFileData));
4817  ReadControlFile();
4818 }
4819 
4820 /*
4821  * Get the wal_level from the control file. For a standby, this value should be
4822  * considered as its active wal_level, because it may be different from what
4823  * was originally configured on standby.
4824  */
4825 WalLevel
4827 {
4828  return ControlFile->wal_level;
4829 }
4830 
4831 /*
4832  * Initialization of shared memory for XLOG
4833  */
4834 Size
4836 {
4837  Size size;
4838 
4839  /*
4840  * If the value of wal_buffers is -1, use the preferred auto-tune value.
4841  * This isn't an amazingly clean place to do this, but we must wait till
4842  * NBuffers has received its final value, and must do it before using the
4843  * value of XLOGbuffers to do anything important.
4844  *
4845  * We prefer to report this value's source as PGC_S_DYNAMIC_DEFAULT.
4846  * However, if the DBA explicitly set wal_buffers = -1 in the config file,
4847  * then PGC_S_DYNAMIC_DEFAULT will fail to override that and we must force
4848  * the matter with PGC_S_OVERRIDE.
4849  */
4850  if (XLOGbuffers == -1)
4851  {
4852  char buf[32];
4853 
4854  snprintf(buf, sizeof(buf), "%d", XLOGChooseNumBuffers());
4855  SetConfigOption("wal_buffers", buf, PGC_POSTMASTER,
4857  if (XLOGbuffers == -1) /* failed to apply it? */
4858  SetConfigOption("wal_buffers", buf, PGC_POSTMASTER,
4859  PGC_S_OVERRIDE);
4860  }
4861  Assert(XLOGbuffers > 0);
4862 
4863  /* XLogCtl */
4864  size = sizeof(XLogCtlData);
4865 
4866  /* WAL insertion locks, plus alignment */
4868  /* xlblocks array */
4870  /* extra alignment padding for XLOG I/O buffers */
4871  size = add_size(size, Max(XLOG_BLCKSZ, PG_IO_ALIGN_SIZE));
4872  /* and the buffers themselves */
4873  size = add_size(size, mul_size(XLOG_BLCKSZ, XLOGbuffers));
4874 
4875  /*
4876  * Note: we don't count ControlFileData, it comes out of the "slop factor"
4877  * added by CreateSharedMemoryAndSemaphores. This lets us use this
4878  * routine again below to compute the actual allocation size.
4879  */
4880 
4881  return size;
4882 }
4883 
4884 void
4886 {
4887  bool foundCFile,
4888  foundXLog;
4889  char *allocptr;
4890  int i;
4891  ControlFileData *localControlFile;
4892 
4893 #ifdef WAL_DEBUG
4894 
4895  /*
4896  * Create a memory context for WAL debugging that's exempt from the normal
4897  * "no pallocs in critical section" rule. Yes, that can lead to a PANIC if
4898  * an allocation fails, but wal_debug is not for production use anyway.
4899  */
4900  if (walDebugCxt == NULL)
4901  {
4903  "WAL Debug",
4905  MemoryContextAllowInCriticalSection(walDebugCxt, true);
4906  }
4907 #endif
4908 
4909 
4910  XLogCtl = (XLogCtlData *)
4911  ShmemInitStruct("XLOG Ctl", XLOGShmemSize(), &foundXLog);
4912 
4913  localControlFile = ControlFile;
4915  ShmemInitStruct("Control File", sizeof(ControlFileData), &foundCFile);
4916 
4917  if (foundCFile || foundXLog)
4918  {
4919  /* both should be present or neither */
4920  Assert(foundCFile && foundXLog);
4921 
4922  /* Initialize local copy of WALInsertLocks */
4924 
4925  if (localControlFile)
4926  pfree(localControlFile);
4927  return;
4928  }
4929  memset(XLogCtl, 0, sizeof(XLogCtlData));
4930 
4931  /*
4932  * Already have read control file locally, unless in bootstrap mode. Move
4933  * contents into shared memory.
4934  */
4935  if (localControlFile)
4936  {
4937  memcpy(ControlFile, localControlFile, sizeof(ControlFileData));
4938  pfree(localControlFile);
4939  }
4940 
4941  /*
4942  * Since XLogCtlData contains XLogRecPtr fields, its sizeof should be a
4943  * multiple of the alignment for same, so no extra alignment padding is
4944  * needed here.
4945  */
4946  allocptr = ((char *) XLogCtl) + sizeof(XLogCtlData);
4947  XLogCtl->xlblocks = (pg_atomic_uint64 *) allocptr;
4948  allocptr += sizeof(pg_atomic_uint64) * XLOGbuffers;
4949 
4950  for (i = 0; i < XLOGbuffers; i++)
4951  {
4953  }
4954 
4955  /* WAL insertion locks. Ensure they're aligned to the full padded size */
4956  allocptr += sizeof(WALInsertLockPadded) -
4957  ((uintptr_t) allocptr) % sizeof(WALInsertLockPadded);
4959  (WALInsertLockPadded *) allocptr;
4960  allocptr += sizeof(WALInsertLockPadded) * NUM_XLOGINSERT_LOCKS;
4961 
4962  for (i = 0; i < NUM_XLOGINSERT_LOCKS; i++)
4963  {
4967  }
4968 
4969  /*
4970  * Align the start of the page buffers to a full xlog block size boundary.
4971  * This simplifies some calculations in XLOG insertion. It is also
4972  * required for O_DIRECT.
4973  */
4974  allocptr = (char *) TYPEALIGN(XLOG_BLCKSZ, allocptr);
4975  XLogCtl->pages = allocptr;
4976  memset(XLogCtl->pages, 0, (Size) XLOG_BLCKSZ * XLOGbuffers);
4977 
4978  /*
4979  * Do basic initialization of XLogCtl shared data. (StartupXLOG will fill
4980  * in additional info.)
4981  */
4985  XLogCtl->WalWriterSleeping = false;
4986 
4993 }
4994 
4995 /*
4996  * This func must be called ONCE on system install. It creates pg_control
4997  * and the initial XLOG segment.
4998  */
4999 void
5001 {
5002  CheckPoint checkPoint;
5003  char *buffer;
5004  XLogPageHeader page;
5005  XLogLongPageHeader longpage;
5006  XLogRecord *record;
5007  char *recptr;
5008  uint64 sysidentifier;
5009  struct timeval tv;
5010  pg_crc32c crc;
5011 
5012  /* allow ordinary WAL segment creation, like StartupXLOG() would */
5014 
5015  /*
5016  * Select a hopefully-unique system identifier code for this installation.
5017  * We use the result of gettimeofday(), including the fractional seconds
5018  * field, as being about as unique as we can easily get. (Think not to
5019  * use random(), since it hasn't been seeded and there's no portable way
5020  * to seed it other than the system clock value...) The upper half of the
5021  * uint64 value is just the tv_sec part, while the lower half contains the
5022  * tv_usec part (which must fit in 20 bits), plus 12 bits from our current
5023  * PID for a little extra uniqueness. A person knowing this encoding can
5024  * determine the initialization time of the installation, which could
5025  * perhaps be useful sometimes.
5026  */
5027  gettimeofday(&tv, NULL);
5028  sysidentifier = ((uint64) tv.tv_sec) << 32;
5029  sysidentifier |= ((uint64) tv.tv_usec) << 12;
5030  sysidentifier |= getpid() & 0xFFF;
5031 
5032  /* page buffer must be aligned suitably for O_DIRECT */
5033  buffer = (char *) palloc(XLOG_BLCKSZ + XLOG_BLCKSZ);
5034  page = (XLogPageHeader) TYPEALIGN(XLOG_BLCKSZ, buffer);
5035  memset(page, 0, XLOG_BLCKSZ);
5036 
5037  /*
5038  * Set up information for the initial checkpoint record
5039  *
5040  * The initial checkpoint record is written to the beginning of the WAL
5041  * segment with logid=0 logseg=1. The very first WAL segment, 0/0, is not
5042  * used, so that we can use 0/0 to mean "before any valid WAL segment".
5043  */
5044  checkPoint.redo = wal_segment_size + SizeOfXLogLongPHD;
5045  checkPoint.ThisTimeLineID = BootstrapTimeLineID;
5046  checkPoint.PrevTimeLineID = BootstrapTimeLineID;
5047  checkPoint.fullPageWrites = fullPageWrites;
5048  checkPoint.nextXid =
5050  checkPoint.nextOid = FirstGenbkiObjectId;
5051  checkPoint.nextMulti = FirstMultiXactId;
5052  checkPoint.nextMultiOffset = 0;
5053  checkPoint.oldestXid = FirstNormalTransactionId;
5054  checkPoint.oldestXidDB = Template1DbOid;
5055  checkPoint.oldestMulti = FirstMultiXactId;
5056  checkPoint.oldestMultiDB = Template1DbOid;
5059  checkPoint.time = (pg_time_t) time(NULL);
5061 
5062  TransamVariables->nextXid = checkPoint.nextXid;
5063  TransamVariables->nextOid = checkPoint.nextOid;
5065  MultiXactSetNextMXact(checkPoint.nextMulti, checkPoint.nextMultiOffset);
5066  AdvanceOldestClogXid(checkPoint.oldestXid);
5067  SetTransactionIdLimit(checkPoint.oldestXid, checkPoint.oldestXidDB);
5068  SetMultiXactIdLimit(checkPoint.oldestMulti, checkPoint.oldestMultiDB, true);
5070 
5071  /* Set up the XLOG page header */
5072  page->xlp_magic = XLOG_PAGE_MAGIC;
5073  page->xlp_info = XLP_LONG_HEADER;
5074  page->xlp_tli = BootstrapTimeLineID;
5076  longpage = (XLogLongPageHeader) page;
5077  longpage->xlp_sysid = sysidentifier;
5078  longpage->xlp_seg_size = wal_segment_size;
5079  longpage->xlp_xlog_blcksz = XLOG_BLCKSZ;
5080 
5081  /* Insert the initial checkpoint record */
5082  recptr = ((char *) page + SizeOfXLogLongPHD);
5083  record = (XLogRecord *) recptr;
5084  record->xl_prev = 0;
5085  record->xl_xid = InvalidTransactionId;
5086  record->xl_tot_len = SizeOfXLogRecord + SizeOfXLogRecordDataHeaderShort + sizeof(checkPoint);
5088  record->xl_rmid = RM_XLOG_ID;
5089  recptr += SizeOfXLogRecord;
5090  /* fill the XLogRecordDataHeaderShort struct */
5091  *(recptr++) = (char) XLR_BLOCK_ID_DATA_SHORT;
5092  *(recptr++) = sizeof(checkPoint);
5093  memcpy(recptr, &checkPoint, sizeof(checkPoint));
5094  recptr += sizeof(checkPoint);
5095  Assert(recptr - (char *) record == record->xl_tot_len);
5096 
5097  INIT_CRC32C(crc);
5098  COMP_CRC32C(crc, ((char *) record) + SizeOfXLogRecord, record->xl_tot_len - SizeOfXLogRecord);
5099  COMP_CRC32C(crc, (char *) record, offsetof(XLogRecord, xl_crc));
5100  FIN_CRC32C(crc);
5101  record->xl_crc = crc;
5102 
5103  /* Create first XLOG segment file */
5106 
5107  /*
5108  * We needn't bother with Reserve/ReleaseExternalFD here, since we'll
5109  * close the file again in a moment.
5110  */
5111 
5112  /* Write the first page with the initial record */
5113  errno = 0;
5114  pgstat_report_wait_start(WAIT_EVENT_WAL_BOOTSTRAP_WRITE);
5115  if (write(openLogFile, page, XLOG_BLCKSZ) != XLOG_BLCKSZ)
5116  {
5117  /* if write didn't set errno, assume problem is no disk space */
5118  if (errno == 0)
5119  errno = ENOSPC;
5120  ereport(PANIC,
5122  errmsg("could not write bootstrap write-ahead log file: %m")));
5123  }
5125 
5126  pgstat_report_wait_start(WAIT_EVENT_WAL_BOOTSTRAP_SYNC);
5127  if (pg_fsync(openLogFile) != 0)
5128  ereport(PANIC,
5130  errmsg("could not fsync bootstrap write-ahead log file: %m")));
5132 
5133  if (close(openLogFile) != 0)
5134  ereport(PANIC,
5136  errmsg("could not close bootstrap write-ahead log file: %m")));
5137 
5138  openLogFile = -1;
5139 
5140  /* Now create pg_control */
5141  InitControlFile(sysidentifier);
5142  ControlFile->time = checkPoint.time;
5143  ControlFile->checkPoint = checkPoint.redo;
5144  ControlFile->checkPointCopy = checkPoint;
5145 
5146  /* some additional ControlFile fields are set in WriteControlFile() */
5147  WriteControlFile();
5148 
5149  /* Bootstrap the commit log, too */
5150  BootStrapCLOG();
5154 
5155  pfree(buffer);
5156 
5157  /*
5158  * Force control file to be read - in contrast to normal processing we'd
5159  * otherwise never run the checks and GUC related initializations therein.
5160  */
5161  ReadControlFile();
5162 }
5163 
5164 static char *
5166 {
5167  static char buf[128];
5168 
5169  pg_strftime(buf, sizeof(buf),
5170  "%Y-%m-%d %H:%M:%S %Z",
5171  pg_localtime(&tnow, log_timezone));
5172 
5173  return buf;
5174 }
5175 
5176 /*
5177  * Initialize the first WAL segment on new timeline.
5178  */
5179 static void
5181 {
5182  char xlogfname[MAXFNAMELEN];
5183  XLogSegNo endLogSegNo;
5184  XLogSegNo startLogSegNo;
5185 
5186  /* we always switch to a new timeline after archive recovery */
5187  Assert(endTLI != newTLI);
5188 
5189  /*
5190  * Update min recovery point one last time.
5191  */
5193 
5194  /*
5195  * Calculate the last segment on the old timeline, and the first segment
5196  * on the new timeline. If the switch happens in the middle of a segment,
5197  * they are the same, but if the switch happens exactly at a segment
5198  * boundary, startLogSegNo will be endLogSegNo + 1.
5199  */
5200  XLByteToPrevSeg(endOfLog, endLogSegNo, wal_segment_size);
5201  XLByteToSeg(endOfLog, startLogSegNo, wal_segment_size);
5202 
5203  /*
5204  * Initialize the starting WAL segment for the new timeline. If the switch
5205  * happens in the middle of a segment, copy data from the last WAL segment
5206  * of the old timeline up to the switch point, to the starting WAL segment
5207  * on the new timeline.
5208  */
5209  if (endLogSegNo == startLogSegNo)
5210  {
5211  /*
5212  * Make a copy of the file on the new timeline.
5213  *
5214  * Writing WAL isn't allowed yet, so there are no locking
5215  * considerations. But we should be just as tense as XLogFileInit to
5216  * avoid emplacing a bogus file.
5217  */
5218  XLogFileCopy(newTLI, endLogSegNo, endTLI, endLogSegNo,
5219  XLogSegmentOffset(endOfLog, wal_segment_size));
5220  }
5221  else
5222  {
5223  /*
5224  * The switch happened at a segment boundary, so just create the next
5225  * segment on the new timeline.
5226  */
5227  int fd;
5228 
5229  fd = XLogFileInit(startLogSegNo, newTLI);
5230 
5231  if (close(fd) != 0)
5232  {
5233  int save_errno = errno;
5234 
5235  XLogFileName(xlogfname, newTLI, startLogSegNo, wal_segment_size);
5236  errno = save_errno;
5237  ereport(ERROR,
5239  errmsg("could not close file \"%s\": %m", xlogfname)));
5240  }
5241  }
5242 
5243  /*
5244  * Let's just make real sure there are not .ready or .done flags posted
5245  * for the new segment.
5246  */
5247  XLogFileName(xlogfname, newTLI, startLogSegNo, wal_segment_size);
5248  XLogArchiveCleanup(xlogfname);
5249 }
5250 
5251 /*
5252  * Perform cleanup actions at the conclusion of archive recovery.
5253  */
5254 static void
5256  TimeLineID newTLI)
5257 {
5258  /*
5259  * Execute the recovery_end_command, if any.
5260  */
5261  if (recoveryEndCommand && strcmp(recoveryEndCommand, "") != 0)
5263  "recovery_end_command",
5264  true,
5265  WAIT_EVENT_RECOVERY_END_COMMAND);
5266 
5267  /*
5268  * We switched to a new timeline. Clean up segments on the old timeline.
5269  *
5270  * If there are any higher-numbered segments on the old timeline, remove
5271  * them. They might contain valid WAL, but they might also be
5272  * pre-allocated files containing garbage. In any case, they are not part
5273  * of the new timeline's history so we don't need them.
5274  */
5275  RemoveNonParentXlogFiles(EndOfLog, newTLI);
5276 
5277  /*
5278  * If the switch happened in the middle of a segment, what to do with the
5279  * last, partial segment on the old timeline? If we don't archive it, and
5280  * the server that created the WAL never archives it either (e.g. because
5281  * it was hit by a meteor), it will never make it to the archive. That's
5282  * OK from our point of view, because the new segment that we created with
5283  * the new TLI contains all the WAL from the old timeline up to the switch
5284  * point. But if you later try to do PITR to the "missing" WAL on the old
5285  * timeline, recovery won't find it in the archive. It's physically
5286  * present in the new file with new TLI, but recovery won't look there
5287  * when it's recovering to the older timeline. On the other hand, if we
5288  * archive the partial segment, and the original server on that timeline
5289  * is still running and archives the completed version of the same segment
5290  * later, it will fail. (We used to do that in 9.4 and below, and it
5291  * caused such problems).
5292  *
5293  * As a compromise, we rename the last segment with the .partial suffix,
5294  * and archive it. Archive recovery will never try to read .partial
5295  * segments, so they will normally go unused. But in the odd PITR case,
5296  * the administrator can copy them manually to the pg_wal directory
5297  * (removing the suffix). They can be useful in debugging, too.
5298  *
5299  * If a .done or .ready file already exists for the old timeline, however,
5300  * we had already determined that the segment is complete, so we can let
5301  * it be archived normally. (In particular, if it was restored from the
5302  * archive to begin with, it's expected to have a .done file).
5303  */
5304  if (XLogSegmentOffset(EndOfLog, wal_segment_size) != 0 &&
5306  {
5307  char origfname[MAXFNAMELEN];
5308  XLogSegNo endLogSegNo;
5309 
5310  XLByteToPrevSeg(EndOfLog, endLogSegNo, wal_segment_size);
5311  XLogFileName(origfname, EndOfLogTLI, endLogSegNo, wal_segment_size);
5312 
5313  if (!XLogArchiveIsReadyOrDone(origfname))
5314  {
5315  char origpath[MAXPGPATH];
5316  char partialfname[MAXFNAMELEN];
5317  char partialpath[MAXPGPATH];
5318 
5319  XLogFilePath(origpath, EndOfLogTLI, endLogSegNo, wal_segment_size);
5320  snprintf(partialfname, MAXFNAMELEN, "%s.partial", origfname);
5321  snprintf(partialpath, MAXPGPATH, "%s.partial", origpath);
5322 
5323  /*
5324  * Make sure there's no .done or .ready file for the .partial
5325  * file.
5326  */
5327  XLogArchiveCleanup(partialfname);
5328 
5329  durable_rename(origpath, partialpath, ERROR);
5330  XLogArchiveNotify(partialfname);
5331  }
5332  }
5333 }
5334 
5335 /*
5336  * Check to see if required parameters are set high enough on this server
5337  * for various aspects of recovery operation.
5338  *
5339  * Note that all the parameters which this function tests need to be
5340  * listed in Administrator's Overview section in high-availability.sgml.
5341  * If you change them, don't forget to update the list.
5342  */
5343 static void
5345 {
5346  /*
5347  * For archive recovery, the WAL must be generated with at least 'replica'
5348  * wal_level.
5349  */
5351  {
5352  ereport(FATAL,
5353  (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
5354  errmsg("WAL was generated with wal_level=minimal, cannot continue recovering"),
5355  errdetail("This happens if you temporarily set wal_level=minimal on the server."),
5356  errhint("Use a backup taken after setting wal_level to higher than minimal.")));
5357  }
5358 
5359  /*
5360  * For Hot Standby, the WAL must be generated with 'replica' mode, and we
5361  * must have at least as many backend slots as the primary.
5362  */
5364  {
5365  /* We ignore autovacuum_max_workers when we make this test. */
5366  RecoveryRequiresIntParameter("max_connections",
5369  RecoveryRequiresIntParameter("max_worker_processes",
5372  RecoveryRequiresIntParameter("max_wal_senders",
5375  RecoveryRequiresIntParameter("max_prepared_transactions",
5378  RecoveryRequiresIntParameter("max_locks_per_transaction",
5381  }
5382 }
5383 
5384 /*
5385  * This must be called ONCE during postmaster or standalone-backend startup
5386  */
5387 void
5389 {
5391  CheckPoint checkPoint;
5392  bool wasShutdown;
5393  bool didCrash;
5394  bool haveTblspcMap;
5395  bool haveBackupLabel;
5396  XLogRecPtr EndOfLog;
5397  TimeLineID EndOfLogTLI;
5398  TimeLineID newTLI;
5399  bool performedWalRecovery;
5400  EndOfWalRecoveryInfo *endOfRecoveryInfo;
5403  TransactionId oldestActiveXID;
5404  bool promoted = false;
5405 
5406  /*
5407  * We should have an aux process resource owner to use, and we should not
5408  * be in a transaction that's installed some other resowner.
5409  */
5411  Assert(CurrentResourceOwner == NULL ||
5414 
5415  /*
5416  * Check that contents look valid.
5417  */
5419  ereport(FATAL,
5421  errmsg("control file contains invalid checkpoint location")));
5422 
5423  switch (ControlFile->state)
5424  {
5425  case DB_SHUTDOWNED:
5426 
5427  /*
5428  * This is the expected case, so don't be chatty in standalone
5429  * mode
5430  */
5432  (errmsg("database system was shut down at %s",
5433  str_time(ControlFile->time))));
5434  break;
5435 
5437  ereport(LOG,
5438  (errmsg("database system was shut down in recovery at %s",
5439  str_time(ControlFile->time))));
5440  break;
5441 
5442  case DB_SHUTDOWNING:
5443  ereport(LOG,
5444  (errmsg("database system shutdown was interrupted; last known up at %s",
5445  str_time(ControlFile->time))));
5446  break;
5447 
5448  case DB_IN_CRASH_RECOVERY:
5449  ereport(LOG,
5450  (errmsg("database system was interrupted while in recovery at %s",
5452  errhint("This probably means that some data is corrupted and"
5453  " you will have to use the last backup for recovery.")));
5454  break;
5455 
5457  ereport(LOG,
5458  (errmsg("database system was interrupted while in recovery at log time %s",
5460  errhint("If this has occurred more than once some data might be corrupted"
5461  " and you might need to choose an earlier recovery target.")));
5462  break;
5463 
5464  case DB_IN_PRODUCTION:
5465  ereport(LOG,
5466  (errmsg("database system was interrupted; last known up at %s",
5467  str_time(ControlFile->time))));
5468  break;
5469 
5470  default:
5471  ereport(FATAL,
5473  errmsg("control file contains invalid database cluster state")));
5474  }
5475 
5476  /* This is just to allow attaching to startup process with a debugger */
5477 #ifdef XLOG_REPLAY_DELAY
5479  pg_usleep(60000000L);
5480 #endif
5481 
5482  /*
5483  * Verify that pg_wal, pg_wal/archive_status, and pg_wal/summaries exist.
5484  * In cases where someone has performed a copy for PITR, these directories
5485  * may have been excluded and need to be re-created.
5486  */
5488 
5489  /* Set up timeout handler needed to report startup progress. */
5493 
5494  /*----------
5495  * If we previously crashed, perform a couple of actions:
5496  *
5497  * - The pg_wal directory may still include some temporary WAL segments
5498  * used when creating a new segment, so perform some clean up to not
5499  * bloat this path. This is done first as there is no point to sync
5500  * this temporary data.
5501  *
5502  * - There might be data which we had written, intending to fsync it, but
5503  * which we had not actually fsync'd yet. Therefore, a power failure in
5504  * the near future might cause earlier unflushed writes to be lost, even
5505  * though more recent data written to disk from here on would be
5506  * persisted. To avoid that, fsync the entire data directory.
5507  */
5508  if (ControlFile->state != DB_SHUTDOWNED &&
5510  {
5513  didCrash = true;
5514  }
5515  else
5516  didCrash = false;
5517 
5518  /*
5519  * Prepare for WAL recovery if needed.
5520  *
5521  * InitWalRecovery analyzes the control file and the backup label file, if
5522  * any. It updates the in-memory ControlFile buffer according to the
5523  * starting checkpoint, and sets InRecovery and ArchiveRecoveryRequested.
5524  * It also applies the tablespace map file, if any.
5525  */
5526  InitWalRecovery(ControlFile, &wasShutdown,
5527  &haveBackupLabel, &haveTblspcMap);
5528  checkPoint = ControlFile->checkPointCopy;
5529 
5530  /* initialize shared memory variables from the checkpoint record */
5531  TransamVariables->nextXid = checkPoint.nextXid;
5532  TransamVariables->nextOid = checkPoint.nextOid;
5534  MultiXactSetNextMXact(checkPoint.nextMulti, checkPoint.nextMultiOffset);
5535  AdvanceOldestClogXid(checkPoint.oldestXid);
5536  SetTransactionIdLimit(checkPoint.oldestXid, checkPoint.oldestXidDB);
5537  SetMultiXactIdLimit(checkPoint.oldestMulti, checkPoint.oldestMultiDB, true);
5539  checkPoint.newestCommitTsXid);
5540  XLogCtl->ckptFullXid = checkPoint.nextXid;
5541 
5542  /*
5543  * Clear out any old relcache cache files. This is *necessary* if we do
5544  * any WAL replay, since that would probably result in the cache files
5545  * being out of sync with database reality. In theory we could leave them
5546  * in place if the database had been cleanly shut down, but it seems
5547  * safest to just remove them always and let them be rebuilt during the
5548  * first backend startup. These files needs to be removed from all
5549  * directories including pg_tblspc, however the symlinks are created only
5550  * after reading tablespace_map file in case of archive recovery from
5551  * backup, so needs to clear old relcache files here after creating
5552  * symlinks.
5553  */
5555 
5556  /*
5557  * Initialize replication slots, before there's a chance to remove
5558  * required resources.
5559  */
5561 
5562  /*
5563  * Startup logical state, needs to be setup now so we have proper data
5564  * during crash recovery.
5565  */
5567 
5568  /*
5569  * Startup CLOG. This must be done after TransamVariables->nextXid has
5570  * been initialized and before we accept connections or begin WAL replay.
5571  */
5572  StartupCLOG();
5573 
5574  /*
5575  * Startup MultiXact. We need to do this early to be able to replay
5576  * truncations.
5577  */
5578  StartupMultiXact();
5579 
5580  /*
5581  * Ditto for commit timestamps. Activate the facility if the setting is
5582  * enabled in the control file, as there should be no tracking of commit
5583  * timestamps done when the setting was disabled. This facility can be
5584  * started or stopped when replaying a XLOG_PARAMETER_CHANGE record.
5585  */
5587  StartupCommitTs();
5588 
5589  /*
5590  * Recover knowledge about replay progress of known replication partners.
5591  */
5593 
5594  /*
5595  * Initialize unlogged LSN. On a clean shutdown, it's restored from the
5596  * control file. On recovery, all unlogged relations are blown away, so
5597  * the unlogged LSN counter can be reset too.
5598  */
5602  else
5605 
5606  /*
5607  * Copy any missing timeline history files between 'now' and the recovery
5608  * target timeline from archive to pg_wal. While we don't need those files
5609  * ourselves - the history file of the recovery target timeline covers all
5610  * the previous timelines in the history too - a cascading standby server
5611  * might be interested in them. Or, i