1 /*-------------------------------------------------------------------------
4 * PostgreSQL transaction log manager
7 * Portions Copyright (c) 1996-2017, PostgreSQL Global Development Group
8 * Portions Copyright (c) 1994, Regents of the University of California
10 * src/backend/access/transam/xlog.c
12 *-------------------------------------------------------------------------
25 #include "access/clog.h"
26 #include "access/commit_ts.h"
27 #include "access/multixact.h"
28 #include "access/rewriteheap.h"
29 #include "access/subtrans.h"
30 #include "access/timeline.h"
31 #include "access/transam.h"
32 #include "access/tuptoaster.h"
33 #include "access/twophase.h"
34 #include "access/xact.h"
35 #include "access/xlog_internal.h"
36 #include "access/xloginsert.h"
37 #include "access/xlogreader.h"
38 #include "access/xlogutils.h"
39 #include "catalog/catversion.h"
40 #include "catalog/pg_control.h"
41 #include "catalog/pg_database.h"
42 #include "commands/tablespace.h"
43 #include "miscadmin.h"
45 #include "port/atomics.h"
46 #include "postmaster/bgwriter.h"
47 #include "postmaster/walwriter.h"
48 #include "postmaster/startup.h"
49 #include "replication/basebackup.h"
50 #include "replication/logical.h"
51 #include "replication/slot.h"
52 #include "replication/origin.h"
53 #include "replication/snapbuild.h"
54 #include "replication/walreceiver.h"
55 #include "replication/walsender.h"
56 #include "storage/bufmgr.h"
57 #include "storage/fd.h"
58 #include "storage/ipc.h"
59 #include "storage/large_object.h"
60 #include "storage/latch.h"
61 #include "storage/pmsignal.h"
62 #include "storage/predicate.h"
63 #include "storage/proc.h"
64 #include "storage/procarray.h"
65 #include "storage/reinit.h"
66 #include "storage/smgr.h"
67 #include "storage/spin.h"
68 #include "utils/backend_random.h"
69 #include "utils/builtins.h"
70 #include "utils/guc.h"
71 #include "utils/memutils.h"
72 #include "utils/pg_lsn.h"
73 #include "utils/ps_status.h"
74 #include "utils/relmapper.h"
75 #include "utils/snapmgr.h"
76 #include "utils/timestamp.h"
79 extern uint32 bootstrap_data_checksum_version;
81 /* File path names (all relative to $PGDATA) */
82 #define RECOVERY_COMMAND_FILE "recovery.conf"
83 #define RECOVERY_COMMAND_DONE "recovery.done"
84 #define PROMOTE_SIGNAL_FILE "promote"
85 #define FALLBACK_PROMOTE_SIGNAL_FILE "fallback_promote"
88 /* User-settable parameters */
89 int max_wal_size = 64; /* 1 GB */
90 int min_wal_size = 5; /* 80 MB */
91 int wal_keep_segments = 0;
93 int XLogArchiveTimeout = 0;
94 int XLogArchiveMode = ARCHIVE_MODE_OFF;
95 char *XLogArchiveCommand = NULL;
96 bool EnableHotStandby = false;
97 bool fullPageWrites = true;
98 bool wal_log_hints = false;
99 bool wal_compression = false;
100 char *wal_consistency_checking_string = NULL;
101 bool *wal_consistency_checking = NULL;
102 bool log_checkpoints = false;
103 int sync_method = DEFAULT_SYNC_METHOD;
104 int wal_level = WAL_LEVEL_MINIMAL;
105 int CommitDelay = 0; /* precommit delay in microseconds */
106 int CommitSiblings = 5; /* # concurrent xacts needed to sleep */
107 int wal_retrieve_retry_interval = 5000;
110 bool XLOG_DEBUG = false;
114 * Number of WAL insertion locks to use. A higher value allows more insertions
115 * to happen concurrently, but adds some CPU overhead to flushing the WAL,
116 * which needs to iterate all the locks.
118 #define NUM_XLOGINSERT_LOCKS 8
121 * Max distance from last checkpoint, before triggering a new xlog-based
124 int CheckPointSegments;
126 /* Estimated distance between checkpoints, in bytes */
127 static double CheckPointDistanceEstimate = 0;
128 static double PrevCheckPointDistance = 0;
133 const struct config_enum_entry sync_method_options[] = {
134 {"fsync", SYNC_METHOD_FSYNC, false},
135 #ifdef HAVE_FSYNC_WRITETHROUGH
136 {"fsync_writethrough", SYNC_METHOD_FSYNC_WRITETHROUGH, false},
138 #ifdef HAVE_FDATASYNC
139 {"fdatasync", SYNC_METHOD_FDATASYNC, false},
141 #ifdef OPEN_SYNC_FLAG
142 {"open_sync", SYNC_METHOD_OPEN, false},
144 #ifdef OPEN_DATASYNC_FLAG
145 {"open_datasync", SYNC_METHOD_OPEN_DSYNC, false},
152 * Although only "on", "off", and "always" are documented,
153 * we accept all the likely variants of "on" and "off".
155 const struct config_enum_entry archive_mode_options[] = {
156 {"always", ARCHIVE_MODE_ALWAYS, false},
157 {"on", ARCHIVE_MODE_ON, false},
158 {"off", ARCHIVE_MODE_OFF, false},
159 {"true", ARCHIVE_MODE_ON, true},
160 {"false", ARCHIVE_MODE_OFF, true},
161 {"yes", ARCHIVE_MODE_ON, true},
162 {"no", ARCHIVE_MODE_OFF, true},
163 {"1", ARCHIVE_MODE_ON, true},
164 {"0", ARCHIVE_MODE_OFF, true},
169 * Statistics for current checkpoint are collected in this global struct.
170 * Because only the checkpointer or a stand-alone backend can perform
171 * checkpoints, this will be unused in normal backends.
173 CheckpointStatsData CheckpointStats;
176 * ThisTimeLineID will be same in all backends --- it identifies current
177 * WAL timeline for the database system.
179 TimeLineID ThisTimeLineID = 0;
182 * Are we doing recovery from XLOG?
184 * This is only ever true in the startup process; it should be read as meaning
185 * "this process is replaying WAL records", rather than "the system is in
186 * recovery mode". It should be examined primarily by functions that need
187 * to act differently when called from a WAL redo function (e.g., to skip WAL
188 * logging). To check whether the system is in recovery regardless of which
189 * process you're running in, use RecoveryInProgress() but only after shared
190 * memory startup and lock initialization.
192 bool InRecovery = false;
194 /* Are we in Hot Standby mode? Only valid in startup process, see xlog.h */
195 HotStandbyState standbyState = STANDBY_DISABLED;
197 static XLogRecPtr LastRec;
199 /* Local copy of WalRcv->receivedUpto */
200 static XLogRecPtr receivedUpto = 0;
201 static TimeLineID receiveTLI = 0;
204 * During recovery, lastFullPageWrites keeps track of full_page_writes that
205 * the replayed WAL records indicate. It's initialized with full_page_writes
206 * that the recovery starting checkpoint record indicates, and then updated
207 * each time XLOG_FPW_CHANGE record is replayed.
209 static bool lastFullPageWrites;
212 * Local copy of SharedRecoveryInProgress variable. True actually means "not
213 * known, need to check the shared state".
215 static bool LocalRecoveryInProgress = true;
218 * Local copy of SharedHotStandbyActive variable. False actually means "not
219 * known, need to check the shared state".
221 static bool LocalHotStandbyActive = false;
224 * Local state for XLogInsertAllowed():
225 * 1: unconditionally allowed to insert XLOG
226 * 0: unconditionally not allowed to insert XLOG
227 * -1: must check RecoveryInProgress(); disallow until it is false
228 * Most processes start with -1 and transition to 1 after seeing that recovery
229 * is not in progress. But we can also force the value for special cases.
230 * The coding in XLogInsertAllowed() depends on the first two of these states
231 * being numerically the same as bool true and false.
233 static int LocalXLogInsertAllowed = -1;
236 * When ArchiveRecoveryRequested is set, archive recovery was requested,
237 * ie. recovery.conf file was present. When InArchiveRecovery is set, we are
238 * currently recovering using offline XLOG archives. These variables are only
239 * valid in the startup process.
241 * When ArchiveRecoveryRequested is true, but InArchiveRecovery is false, we're
242 * currently performing crash recovery using only XLOG files in pg_wal, but
243 * will switch to using offline XLOG archives as soon as we reach the end of
246 bool ArchiveRecoveryRequested = false;
247 bool InArchiveRecovery = false;
249 /* Was the last xlog file restored from archive, or local? */
250 static bool restoredFromArchive = false;
252 /* Buffers dedicated to consistency checks of size BLCKSZ */
253 static char *replay_image_masked = NULL;
254 static char *master_image_masked = NULL;
256 /* options taken from recovery.conf for archive recovery */
257 char *recoveryRestoreCommand = NULL;
258 static char *recoveryEndCommand = NULL;
259 static char *archiveCleanupCommand = NULL;
260 static RecoveryTargetType recoveryTarget = RECOVERY_TARGET_UNSET;
261 static bool recoveryTargetInclusive = true;
262 static RecoveryTargetAction recoveryTargetAction = RECOVERY_TARGET_ACTION_PAUSE;
263 static TransactionId recoveryTargetXid;
264 static TimestampTz recoveryTargetTime;
265 static char *recoveryTargetName;
266 static XLogRecPtr recoveryTargetLSN;
267 static int recovery_min_apply_delay = 0;
268 static TimestampTz recoveryDelayUntilTime;
270 /* options taken from recovery.conf for XLOG streaming */
271 static bool StandbyModeRequested = false;
272 static char *PrimaryConnInfo = NULL;
273 static char *PrimarySlotName = NULL;
274 static char *TriggerFile = NULL;
276 /* are we currently in standby mode? */
277 bool StandbyMode = false;
279 /* whether request for fast promotion has been made yet */
280 static bool fast_promote = false;
283 * if recoveryStopsBefore/After returns true, it saves information of the stop
286 static TransactionId recoveryStopXid;
287 static TimestampTz recoveryStopTime;
288 static XLogRecPtr recoveryStopLSN;
289 static char recoveryStopName[MAXFNAMELEN];
290 static bool recoveryStopAfter;
293 * During normal operation, the only timeline we care about is ThisTimeLineID.
294 * During recovery, however, things are more complicated. To simplify life
295 * for rmgr code, we keep ThisTimeLineID set to the "current" timeline as we
296 * scan through the WAL history (that is, it is the line that was active when
297 * the currently-scanned WAL record was generated). We also need these
300 * recoveryTargetTLI: the desired timeline that we want to end in.
302 * recoveryTargetIsLatest: was the requested target timeline 'latest'?
304 * expectedTLEs: a list of TimeLineHistoryEntries for recoveryTargetTLI and the timelines of
305 * its known parents, newest first (so recoveryTargetTLI is always the
306 * first list member). Only these TLIs are expected to be seen in the WAL
307 * segments we read, and indeed only these TLIs will be considered as
308 * candidate WAL files to open at all.
310 * curFileTLI: the TLI appearing in the name of the current input WAL file.
311 * (This is not necessarily the same as ThisTimeLineID, because we could
312 * be scanning data that was copied from an ancestor timeline when the current
313 * file was created.) During a sequential scan we do not allow this value
316 static TimeLineID recoveryTargetTLI;
317 static bool recoveryTargetIsLatest = false;
318 static List *expectedTLEs;
319 static TimeLineID curFileTLI;
322 * ProcLastRecPtr points to the start of the last XLOG record inserted by the
323 * current backend. It is updated for all inserts. XactLastRecEnd points to
324 * end+1 of the last record, and is reset when we end a top-level transaction,
325 * or start a new one; so it can be used to tell if the current transaction has
326 * created any XLOG records.
328 * While in parallel mode, this may not be fully up to date. When committing,
329 * a transaction can assume this covers all xlog records written either by the
330 * user backend or by any parallel worker which was present at any point during
331 * the transaction. But when aborting, or when still in parallel mode, other
332 * parallel backends may have written WAL records at later LSNs than the value
333 * stored here. The parallel leader advances its own copy, when necessary,
334 * in WaitForParallelWorkersToFinish.
336 XLogRecPtr ProcLastRecPtr = InvalidXLogRecPtr;
337 XLogRecPtr XactLastRecEnd = InvalidXLogRecPtr;
338 XLogRecPtr XactLastCommitEnd = InvalidXLogRecPtr;
341 * RedoRecPtr is this backend's local copy of the REDO record pointer
342 * (which is almost but not quite the same as a pointer to the most recent
343 * CHECKPOINT record). We update this from the shared-memory copy,
344 * XLogCtl->Insert.RedoRecPtr, whenever we can safely do so (ie, when we
345 * hold an insertion lock). See XLogInsertRecord for details. We are also
346 * allowed to update from XLogCtl->RedoRecPtr if we hold the info_lck;
347 * see GetRedoRecPtr. A freshly spawned backend obtains the value during
350 static XLogRecPtr RedoRecPtr;
353 * doPageWrites is this backend's local copy of (forcePageWrites ||
354 * fullPageWrites). It is used together with RedoRecPtr to decide whether
355 * a full-page image of a page need to be taken.
357 static bool doPageWrites;
359 /* Has the recovery code requested a walreceiver wakeup? */
360 static bool doRequestWalReceiverReply;
363 * RedoStartLSN points to the checkpoint's REDO location which is specified
364 * in a backup label file, backup history file or control file. In standby
365 * mode, XLOG streaming usually starts from the position where an invalid
366 * record was found. But if we fail to read even the initial checkpoint
367 * record, we use the REDO location instead of the checkpoint location as
368 * the start position of XLOG streaming. Otherwise we would have to jump
369 * backwards to the REDO location after reading the checkpoint record,
370 * because the REDO record can precede the checkpoint record.
372 static XLogRecPtr RedoStartLSN = InvalidXLogRecPtr;
375 * Shared-memory data structures for XLOG control
377 * LogwrtRqst indicates a byte position that we need to write and/or fsync
378 * the log up to (all records before that point must be written or fsynced).
379 * LogwrtResult indicates the byte positions we have already written/fsynced.
380 * These structs are identical but are declared separately to indicate their
381 * slightly different functions.
383 * To read XLogCtl->LogwrtResult, you must hold either info_lck or
384 * WALWriteLock. To update it, you need to hold both locks. The point of
385 * this arrangement is that the value can be examined by code that already
386 * holds WALWriteLock without needing to grab info_lck as well. In addition
387 * to the shared variable, each backend has a private copy of LogwrtResult,
388 * which is updated when convenient.
390 * The request bookkeeping is simpler: there is a shared XLogCtl->LogwrtRqst
391 * (protected by info_lck), but we don't need to cache any copies of it.
393 * info_lck is only held long enough to read/update the protected variables,
394 * so it's a plain spinlock. The other locks are held longer (potentially
395 * over I/O operations), so we use LWLocks for them. These locks are:
397 * WALBufMappingLock: must be held to replace a page in the WAL buffer cache.
398 * It is only held while initializing and changing the mapping. If the
399 * contents of the buffer being replaced haven't been written yet, the mapping
400 * lock is released while the write is done, and reacquired afterwards.
402 * WALWriteLock: must be held to write WAL buffers to disk (XLogWrite or
405 * ControlFileLock: must be held to read/update control file or create
408 * CheckpointLock: must be held to do a checkpoint or restartpoint (ensures
409 * only one checkpointer at a time; currently, with all checkpoints done by
410 * the checkpointer, this is just pro forma).
415 typedef struct XLogwrtRqst
417 XLogRecPtr Write; /* last byte + 1 to write out */
418 XLogRecPtr Flush; /* last byte + 1 to flush */
421 typedef struct XLogwrtResult
423 XLogRecPtr Write; /* last byte + 1 written out */
424 XLogRecPtr Flush; /* last byte + 1 flushed */
428 * Inserting to WAL is protected by a small fixed number of WAL insertion
429 * locks. To insert to the WAL, you must hold one of the locks - it doesn't
430 * matter which one. To lock out other concurrent insertions, you must hold
431 * of them. Each WAL insertion lock consists of a lightweight lock, plus an
432 * indicator of how far the insertion has progressed (insertingAt).
434 * The insertingAt values are read when a process wants to flush WAL from
435 * the in-memory buffers to disk, to check that all the insertions to the
436 * region the process is about to write out have finished. You could simply
437 * wait for all currently in-progress insertions to finish, but the
438 * insertingAt indicator allows you to ignore insertions to later in the WAL,
439 * so that you only wait for the insertions that are modifying the buffers
440 * you're about to write out.
442 * This isn't just an optimization. If all the WAL buffers are dirty, an
443 * inserter that's holding a WAL insert lock might need to evict an old WAL
444 * buffer, which requires flushing the WAL. If it's possible for an inserter
445 * to block on another inserter unnecessarily, deadlock can arise when two
446 * inserters holding a WAL insert lock wait for each other to finish their
449 * Small WAL records that don't cross a page boundary never update the value,
450 * the WAL record is just copied to the page and the lock is released. But
451 * to avoid the deadlock-scenario explained above, the indicator is always
452 * updated before sleeping while holding an insertion lock.
454 * lastImportantAt contains the LSN of the last important WAL record inserted
455 * using a given lock. This value is used to detect if there has been
456 * important WAL activity since the last time some action, like a checkpoint,
457 * was performed - allowing to not repeat the action if not. The LSN is
458 * updated for all insertions, unless the XLOG_MARK_UNIMPORTANT flag was
459 * set. lastImportantAt is never cleared, only overwritten by the LSN of newer
460 * records. Tracking the WAL activity directly in WALInsertLock has the
461 * advantage of not needing any additional locks to update the value.
466 XLogRecPtr insertingAt;
467 XLogRecPtr lastImportantAt;
471 * All the WAL insertion locks are allocated as an array in shared memory. We
472 * force the array stride to be a power of 2, which saves a few cycles in
473 * indexing, but more importantly also ensures that individual slots don't
474 * cross cache line boundaries. (Of course, we have to also ensure that the
475 * array start address is suitably aligned.)
477 typedef union WALInsertLockPadded
480 char pad[PG_CACHE_LINE_SIZE];
481 } WALInsertLockPadded;
484 * State of an exclusive backup, necessary to control concurrent activities
485 * across sessions when working on exclusive backups.
487 * EXCLUSIVE_BACKUP_NONE means that there is no exclusive backup actually
488 * running, to be more precise pg_start_backup() is not being executed for
489 * an exclusive backup and there is no exclusive backup in progress.
490 * EXCLUSIVE_BACKUP_STARTING means that pg_start_backup() is starting an
492 * EXCLUSIVE_BACKUP_IN_PROGRESS means that pg_start_backup() has finished
493 * running and an exclusive backup is in progress. pg_stop_backup() is
494 * needed to finish it.
495 * EXCLUSIVE_BACKUP_STOPPING means that pg_stop_backup() is stopping an
498 typedef enum ExclusiveBackupState
500 EXCLUSIVE_BACKUP_NONE = 0,
501 EXCLUSIVE_BACKUP_STARTING,
502 EXCLUSIVE_BACKUP_IN_PROGRESS,
503 EXCLUSIVE_BACKUP_STOPPING
504 } ExclusiveBackupState;
507 * Shared state data for WAL insertion.
509 typedef struct XLogCtlInsert
511 slock_t insertpos_lck; /* protects CurrBytePos and PrevBytePos */
514 * CurrBytePos is the end of reserved WAL. The next record will be
515 * inserted at that position. PrevBytePos is the start position of the
516 * previously inserted (or rather, reserved) record - it is copied to the
517 * prev-link of the next record. These are stored as "usable byte
518 * positions" rather than XLogRecPtrs (see XLogBytePosToRecPtr()).
524 * Make sure the above heavily-contended spinlock and byte positions are
525 * on their own cache line. In particular, the RedoRecPtr and full page
526 * write variables below should be on a different cache line. They are
527 * read on every WAL insertion, but updated rarely, and we don't want
528 * those reads to steal the cache line containing Curr/PrevBytePos.
530 char pad[PG_CACHE_LINE_SIZE];
533 * fullPageWrites is the master copy used by all backends to determine
534 * whether to write full-page to WAL, instead of using process-local one.
535 * This is required because, when full_page_writes is changed by SIGHUP,
536 * we must WAL-log it before it actually affects WAL-logging by backends.
537 * Checkpointer sets at startup or after SIGHUP.
539 * To read these fields, you must hold an insertion lock. To modify them,
540 * you must hold ALL the locks.
542 XLogRecPtr RedoRecPtr; /* current redo point for insertions */
543 bool forcePageWrites; /* forcing full-page writes for PITR? */
547 * exclusiveBackupState indicates the state of an exclusive backup
548 * (see comments of ExclusiveBackupState for more details).
549 * nonExclusiveBackups is a counter indicating the number of streaming
550 * base backups currently in progress. forcePageWrites is set to true
551 * when either of these is non-zero. lastBackupStart is the latest
552 * checkpoint redo location used as a starting point for an online
555 ExclusiveBackupState exclusiveBackupState;
556 int nonExclusiveBackups;
557 XLogRecPtr lastBackupStart;
560 * WAL insertion locks.
562 WALInsertLockPadded *WALInsertLocks;
566 * Total shared-memory state for XLOG.
568 typedef struct XLogCtlData
570 XLogCtlInsert Insert;
572 /* Protected by info_lck: */
573 XLogwrtRqst LogwrtRqst;
574 XLogRecPtr RedoRecPtr; /* a recent copy of Insert->RedoRecPtr */
575 uint32 ckptXidEpoch; /* nextXID & epoch of latest checkpoint */
576 TransactionId ckptXid;
577 XLogRecPtr asyncXactLSN; /* LSN of newest async commit/abort */
578 XLogRecPtr replicationSlotMinLSN; /* oldest LSN needed by any slot */
580 XLogSegNo lastRemovedSegNo; /* latest removed/recycled XLOG
583 /* Fake LSN counter, for unlogged relations. Protected by ulsn_lck. */
584 XLogRecPtr unloggedLSN;
587 /* Time and LSN of last xlog segment switch. Protected by WALWriteLock. */
588 pg_time_t lastSegSwitchTime;
589 XLogRecPtr lastSegSwitchLSN;
592 * Protected by info_lck and WALWriteLock (you must hold either lock to
593 * read it, but both to update)
595 XLogwrtResult LogwrtResult;
598 * Latest initialized page in the cache (last byte position + 1).
600 * To change the identity of a buffer (and InitializedUpTo), you need to
601 * hold WALBufMappingLock. To change the identity of a buffer that's
602 * still dirty, the old page needs to be written out first, and for that
603 * you need WALWriteLock, and you need to ensure that there are no
604 * in-progress insertions to the page by calling
605 * WaitXLogInsertionsToFinish().
607 XLogRecPtr InitializedUpTo;
610 * These values do not change after startup, although the pointed-to pages
611 * and xlblocks values certainly do. xlblock values are protected by
614 char *pages; /* buffers for unwritten XLOG pages */
615 XLogRecPtr *xlblocks; /* 1st byte ptr-s + XLOG_BLCKSZ */
616 int XLogCacheBlck; /* highest allocated xlog buffer index */
619 * Shared copy of ThisTimeLineID. Does not change after end-of-recovery.
620 * If we created a new timeline when the system was started up,
621 * PrevTimeLineID is the old timeline's ID that we forked off from.
622 * Otherwise it's equal to ThisTimeLineID.
624 TimeLineID ThisTimeLineID;
625 TimeLineID PrevTimeLineID;
628 * archiveCleanupCommand is read from recovery.conf but needs to be in
629 * shared memory so that the checkpointer process can access it.
631 char archiveCleanupCommand[MAXPGPATH];
634 * SharedRecoveryInProgress indicates if we're still in crash or archive
635 * recovery. Protected by info_lck.
637 bool SharedRecoveryInProgress;
640 * SharedHotStandbyActive indicates if we're still in crash or archive
641 * recovery. Protected by info_lck.
643 bool SharedHotStandbyActive;
646 * WalWriterSleeping indicates whether the WAL writer is currently in
647 * low-power mode (and hence should be nudged if an async commit occurs).
648 * Protected by info_lck.
650 bool WalWriterSleeping;
653 * recoveryWakeupLatch is used to wake up the startup process to continue
654 * WAL replay, if it is waiting for WAL to arrive or failover trigger file
657 Latch recoveryWakeupLatch;
660 * During recovery, we keep a copy of the latest checkpoint record here.
661 * lastCheckPointRecPtr points to start of checkpoint record and
662 * lastCheckPointEndPtr points to end+1 of checkpoint record. Used by the
663 * checkpointer when it wants to create a restartpoint.
665 * Protected by info_lck.
667 XLogRecPtr lastCheckPointRecPtr;
668 XLogRecPtr lastCheckPointEndPtr;
669 CheckPoint lastCheckPoint;
672 * lastReplayedEndRecPtr points to end+1 of the last record successfully
673 * replayed. When we're currently replaying a record, ie. in a redo
674 * function, replayEndRecPtr points to the end+1 of the record being
675 * replayed, otherwise it's equal to lastReplayedEndRecPtr.
677 XLogRecPtr lastReplayedEndRecPtr;
678 TimeLineID lastReplayedTLI;
679 XLogRecPtr replayEndRecPtr;
680 TimeLineID replayEndTLI;
681 /* timestamp of last COMMIT/ABORT record replayed (or being replayed) */
682 TimestampTz recoveryLastXTime;
685 * timestamp of when we started replaying the current chunk of WAL data,
686 * only relevant for replication or archive recovery
688 TimestampTz currentChunkStartTime;
689 /* Are we requested to pause recovery? */
693 * lastFpwDisableRecPtr points to the start of the last replayed
694 * XLOG_FPW_CHANGE record that instructs full_page_writes is disabled.
696 XLogRecPtr lastFpwDisableRecPtr;
698 slock_t info_lck; /* locks shared variables shown above */
701 static XLogCtlData *XLogCtl = NULL;
703 /* a private copy of XLogCtl->Insert.WALInsertLocks, for convenience */
704 static WALInsertLockPadded *WALInsertLocks = NULL;
707 * We maintain an image of pg_control in shared memory.
709 static ControlFileData *ControlFile = NULL;
712 * Calculate the amount of space left on the page after 'endptr'. Beware
713 * multiple evaluation!
715 #define INSERT_FREESPACE(endptr) \
716 (((endptr) % XLOG_BLCKSZ == 0) ? 0 : (XLOG_BLCKSZ - (endptr) % XLOG_BLCKSZ))
718 /* Macro to advance to next buffer index. */
719 #define NextBufIdx(idx) \
720 (((idx) == XLogCtl->XLogCacheBlck) ? 0 : ((idx) + 1))
723 * XLogRecPtrToBufIdx returns the index of the WAL buffer that holds, or
724 * would hold if it was in cache, the page containing 'recptr'.
726 #define XLogRecPtrToBufIdx(recptr) \
727 (((recptr) / XLOG_BLCKSZ) % (XLogCtl->XLogCacheBlck + 1))
730 * These are the number of bytes in a WAL page and segment usable for WAL data.
732 #define UsableBytesInPage (XLOG_BLCKSZ - SizeOfXLogShortPHD)
733 #define UsableBytesInSegment ((XLOG_SEG_SIZE / XLOG_BLCKSZ) * UsableBytesInPage - (SizeOfXLogLongPHD - SizeOfXLogShortPHD))
736 * Private, possibly out-of-date copy of shared LogwrtResult.
737 * See discussion above.
739 static XLogwrtResult LogwrtResult = {0, 0};
742 * Codes indicating where we got a WAL file from during recovery, or where
743 * to attempt to get one.
747 XLOG_FROM_ANY = 0, /* request to read WAL from any source */
748 XLOG_FROM_ARCHIVE, /* restored using restore_command */
749 XLOG_FROM_PG_WAL, /* existing file in pg_wal */
750 XLOG_FROM_STREAM /* streamed from master */
753 /* human-readable names for XLogSources, for debugging output */
754 static const char *xlogSourceNames[] = {"any", "archive", "pg_wal", "stream"};
757 * openLogFile is -1 or a kernel FD for an open log file segment.
758 * When it's open, openLogOff is the current seek offset in the file.
759 * openLogSegNo identifies the segment. These variables are only
760 * used to write the XLOG, and so will normally refer to the active segment.
762 static int openLogFile = -1;
763 static XLogSegNo openLogSegNo = 0;
764 static uint32 openLogOff = 0;
767 * These variables are used similarly to the ones above, but for reading
768 * the XLOG. Note, however, that readOff generally represents the offset
769 * of the page just read, not the seek position of the FD itself, which
770 * will be just past that page. readLen indicates how much of the current
771 * page has been read into readBuf, and readSource indicates where we got
772 * the currently open file from.
774 static int readFile = -1;
775 static XLogSegNo readSegNo = 0;
776 static uint32 readOff = 0;
777 static uint32 readLen = 0;
778 static XLogSource readSource = 0; /* XLOG_FROM_* code */
781 * Keeps track of which source we're currently reading from. This is
782 * different from readSource in that this is always set, even when we don't
783 * currently have a WAL file open. If lastSourceFailed is set, our last
784 * attempt to read from currentSource failed, and we should try another source
787 static XLogSource currentSource = 0; /* XLOG_FROM_* code */
788 static bool lastSourceFailed = false;
790 typedef struct XLogPageReadPrivate
793 bool fetching_ckpt; /* are we fetching a checkpoint record? */
795 } XLogPageReadPrivate;
798 * These variables track when we last obtained some WAL data to process,
799 * and where we got it from. (XLogReceiptSource is initially the same as
800 * readSource, but readSource gets reset to zero when we don't have data
801 * to process right now. It is also different from currentSource, which
802 * also changes when we try to read from a source and fail, while
803 * XLogReceiptSource tracks where we last successfully read some WAL.)
805 static TimestampTz XLogReceiptTime = 0;
806 static XLogSource XLogReceiptSource = 0; /* XLOG_FROM_* code */
808 /* State information for XLOG reading */
809 static XLogRecPtr ReadRecPtr; /* start of last record read */
810 static XLogRecPtr EndRecPtr; /* end+1 of last record read */
812 static XLogRecPtr minRecoveryPoint; /* local copy of
813 * ControlFile->minRecoveryPoint */
814 static TimeLineID minRecoveryPointTLI;
815 static bool updateMinRecoveryPoint = true;
818 * Have we reached a consistent database state? In crash recovery, we have
819 * to replay all the WAL, so reachedConsistency is never set. During archive
820 * recovery, the database is consistent once minRecoveryPoint is reached.
822 bool reachedConsistency = false;
824 static bool InRedo = false;
826 /* Have we launched bgwriter during recovery? */
827 static bool bgwriterLaunched = false;
829 /* For WALInsertLockAcquire/Release functions */
830 static int MyLockNo = 0;
831 static bool holdingAllLocks = false;
834 static MemoryContext walDebugCxt = NULL;
837 static void readRecoveryCommandFile(void);
838 static void exitArchiveRecovery(TimeLineID endTLI, XLogRecPtr endOfLog);
839 static bool recoveryStopsBefore(XLogReaderState *record);
840 static bool recoveryStopsAfter(XLogReaderState *record);
841 static void recoveryPausesHere(void);
842 static bool recoveryApplyDelay(XLogReaderState *record);
843 static void SetLatestXTime(TimestampTz xtime);
844 static void SetCurrentChunkStartTime(TimestampTz xtime);
845 static void CheckRequiredParameterValues(void);
846 static void XLogReportParameters(void);
847 static void checkTimeLineSwitch(XLogRecPtr lsn, TimeLineID newTLI,
849 static void LocalSetXLogInsertAllowed(void);
850 static void CreateEndOfRecoveryRecord(void);
851 static void CheckPointGuts(XLogRecPtr checkPointRedo, int flags);
852 static void KeepLogSeg(XLogRecPtr recptr, XLogSegNo *logSegNo);
853 static XLogRecPtr XLogGetReplicationSlotMinimumLSN(void);
855 static void AdvanceXLInsertBuffer(XLogRecPtr upto, bool opportunistic);
856 static bool XLogCheckpointNeeded(XLogSegNo new_segno);
857 static void XLogWrite(XLogwrtRqst WriteRqst, bool flexible);
858 static bool InstallXLogFileSegment(XLogSegNo *segno, char *tmppath,
859 bool find_free, XLogSegNo max_segno,
861 static int XLogFileRead(XLogSegNo segno, int emode, TimeLineID tli,
862 int source, bool notfoundOk);
863 static int XLogFileReadAnyTLI(XLogSegNo segno, int emode, int source);
864 static int XLogPageRead(XLogReaderState *xlogreader, XLogRecPtr targetPagePtr,
865 int reqLen, XLogRecPtr targetRecPtr, char *readBuf,
866 TimeLineID *readTLI);
867 static bool WaitForWALToBecomeAvailable(XLogRecPtr RecPtr, bool randAccess,
868 bool fetching_ckpt, XLogRecPtr tliRecPtr);
869 static int emode_for_corrupt_record(int emode, XLogRecPtr RecPtr);
870 static void XLogFileClose(void);
871 static void PreallocXlogFiles(XLogRecPtr endptr);
872 static void RemoveOldXlogFiles(XLogSegNo segno, XLogRecPtr PriorRedoPtr, XLogRecPtr endptr);
873 static void RemoveXlogFile(const char *segname, XLogRecPtr PriorRedoPtr, XLogRecPtr endptr);
874 static void UpdateLastRemovedPtr(char *filename);
875 static void ValidateXLOGDirectoryStructure(void);
876 static void CleanupBackupHistory(void);
877 static void UpdateMinRecoveryPoint(XLogRecPtr lsn, bool force);
878 static XLogRecord *ReadRecord(XLogReaderState *xlogreader, XLogRecPtr RecPtr,
879 int emode, bool fetching_ckpt);
880 static void CheckRecoveryConsistency(void);
881 static XLogRecord *ReadCheckpointRecord(XLogReaderState *xlogreader,
882 XLogRecPtr RecPtr, int whichChkpti, bool report);
883 static bool rescanLatestTimeLine(void);
884 static void WriteControlFile(void);
885 static void ReadControlFile(void);
886 static char *str_time(pg_time_t tnow);
887 static bool CheckForStandbyTrigger(void);
890 static void xlog_outrec(StringInfo buf, XLogReaderState *record);
892 static void xlog_outdesc(StringInfo buf, XLogReaderState *record);
893 static void pg_start_backup_callback(int code, Datum arg);
894 static void pg_stop_backup_callback(int code, Datum arg);
895 static bool read_backup_label(XLogRecPtr *checkPointLoc,
896 bool *backupEndRequired, bool *backupFromStandby);
897 static bool read_tablespace_map(List **tablespaces);
899 static void rm_redo_error_callback(void *arg);
900 static int get_sync_bit(int method);
902 static void CopyXLogRecordToWAL(int write_len, bool isLogSwitch,
904 XLogRecPtr StartPos, XLogRecPtr EndPos);
905 static void ReserveXLogInsertLocation(int size, XLogRecPtr *StartPos,
906 XLogRecPtr *EndPos, XLogRecPtr *PrevPtr);
907 static bool ReserveXLogSwitch(XLogRecPtr *StartPos, XLogRecPtr *EndPos,
908 XLogRecPtr *PrevPtr);
909 static XLogRecPtr WaitXLogInsertionsToFinish(XLogRecPtr upto);
910 static char *GetXLogBuffer(XLogRecPtr ptr);
911 static XLogRecPtr XLogBytePosToRecPtr(uint64 bytepos);
912 static XLogRecPtr XLogBytePosToEndRecPtr(uint64 bytepos);
913 static uint64 XLogRecPtrToBytePos(XLogRecPtr ptr);
914 static void checkXLogConsistency(XLogReaderState *record);
916 static void WALInsertLockAcquire(void);
917 static void WALInsertLockAcquireExclusive(void);
918 static void WALInsertLockRelease(void);
919 static void WALInsertLockUpdateInsertingAt(XLogRecPtr insertingAt);
922 * Insert an XLOG record represented by an already-constructed chain of data
923 * chunks. This is a low-level routine; to construct the WAL record header
924 * and data, use the higher-level routines in xloginsert.c.
926 * If 'fpw_lsn' is valid, it is the oldest LSN among the pages that this
927 * WAL record applies to, that were not included in the record as full page
928 * images. If fpw_lsn >= RedoRecPtr, the function does not perform the
929 * insertion and returns InvalidXLogRecPtr. The caller can then recalculate
930 * which pages need a full-page image, and retry. If fpw_lsn is invalid, the
931 * record is always inserted.
933 * 'flags' gives more in-depth control on the record being inserted. See
934 * XLogSetRecordFlags() for details.
936 * The first XLogRecData in the chain must be for the record header, and its
937 * data must be MAXALIGNed. XLogInsertRecord fills in the xl_prev and
938 * xl_crc fields in the header, the rest of the header must already be filled
941 * Returns XLOG pointer to end of record (beginning of next record).
942 * This can be used as LSN for data pages affected by the logged action.
943 * (LSN is the XLOG point up to which the XLOG must be flushed to disk
944 * before the data page can be written out. This implements the basic
945 * WAL rule "write the log before the data".)
948 XLogInsertRecord(XLogRecData *rdata,
952 XLogCtlInsert *Insert = &XLogCtl->Insert;
955 XLogRecord *rechdr = (XLogRecord *) rdata->data;
956 uint8 info = rechdr->xl_info & ~XLR_INFO_MASK;
957 bool isLogSwitch = (rechdr->xl_rmid == RM_XLOG_ID &&
958 info == XLOG_SWITCH);
962 /* we assume that all of the record header is in the first chunk */
963 Assert(rdata->len >= SizeOfXLogRecord);
965 /* cross-check on whether we should be here or not */
966 if (!XLogInsertAllowed())
967 elog(ERROR, "cannot make new WAL entries during recovery");
971 * We have now done all the preparatory work we can without holding a
972 * lock or modifying shared state. From here on, inserting the new WAL
973 * record to the shared WAL buffer cache is a two-step process:
975 * 1. Reserve the right amount of space from the WAL. The current head of
976 * reserved space is kept in Insert->CurrBytePos, and is protected by
979 * 2. Copy the record to the reserved WAL space. This involves finding the
980 * correct WAL buffer containing the reserved space, and copying the
981 * record in place. This can be done concurrently in multiple processes.
983 * To keep track of which insertions are still in-progress, each concurrent
984 * inserter acquires an insertion lock. In addition to just indicating that
985 * an insertion is in progress, the lock tells others how far the inserter
986 * has progressed. There is a small fixed number of insertion locks,
987 * determined by NUM_XLOGINSERT_LOCKS. When an inserter crosses a page
988 * boundary, it updates the value stored in the lock to the how far it has
989 * inserted, to allow the previous buffer to be flushed.
991 * Holding onto an insertion lock also protects RedoRecPtr and
992 * fullPageWrites from changing until the insertion is finished.
994 * Step 2 can usually be done completely in parallel. If the required WAL
995 * page is not initialized yet, you have to grab WALBufMappingLock to
996 * initialize it, but the WAL writer tries to do that ahead of insertions
997 * to avoid that from happening in the critical path.
1001 START_CRIT_SECTION();
1003 WALInsertLockAcquireExclusive();
1005 WALInsertLockAcquire();
1008 * Check to see if my copy of RedoRecPtr or doPageWrites is out of date.
1009 * If so, may have to go back and have the caller recompute everything.
1010 * This can only happen just after a checkpoint, so it's better to be slow
1011 * in this case and fast otherwise.
1013 * If we aren't doing full-page writes then RedoRecPtr doesn't actually
1014 * affect the contents of the XLOG record, so we'll update our local copy
1015 * but not force a recomputation. (If doPageWrites was just turned off,
1016 * we could recompute the record without full pages, but we choose not to
1019 if (RedoRecPtr != Insert->RedoRecPtr)
1021 Assert(RedoRecPtr < Insert->RedoRecPtr);
1022 RedoRecPtr = Insert->RedoRecPtr;
1024 doPageWrites = (Insert->fullPageWrites || Insert->forcePageWrites);
1026 if (fpw_lsn != InvalidXLogRecPtr && fpw_lsn <= RedoRecPtr && doPageWrites)
1029 * Oops, some buffer now needs to be backed up that the caller didn't
1030 * back up. Start over.
1032 WALInsertLockRelease();
1034 return InvalidXLogRecPtr;
1038 * Reserve space for the record in the WAL. This also sets the xl_prev
1042 inserted = ReserveXLogSwitch(&StartPos, &EndPos, &rechdr->xl_prev);
1045 ReserveXLogInsertLocation(rechdr->xl_tot_len, &StartPos, &EndPos,
1053 * Now that xl_prev has been filled in, calculate CRC of the record
1056 rdata_crc = rechdr->xl_crc;
1057 COMP_CRC32C(rdata_crc, rechdr, offsetof(XLogRecord, xl_crc));
1058 FIN_CRC32C(rdata_crc);
1059 rechdr->xl_crc = rdata_crc;
1062 * All the record data, including the header, is now ready to be
1063 * inserted. Copy the record in the space reserved.
1065 CopyXLogRecordToWAL(rechdr->xl_tot_len, isLogSwitch, rdata,
1069 * Unless record is flagged as not important, update LSN of last
1070 * important record in the current slot. When holding all locks, just
1071 * update the first one.
1073 if ((flags & XLOG_MARK_UNIMPORTANT) == 0)
1075 int lockno = holdingAllLocks ? 0 : MyLockNo;
1077 WALInsertLocks[lockno].l.lastImportantAt = StartPos;
1083 * This was an xlog-switch record, but the current insert location was
1084 * already exactly at the beginning of a segment, so there was no need
1090 * Done! Let others know that we're finished.
1092 WALInsertLockRelease();
1094 MarkCurrentTransactionIdLoggedIfAny();
1099 * Update shared LogwrtRqst.Write, if we crossed page boundary.
1101 if (StartPos / XLOG_BLCKSZ != EndPos / XLOG_BLCKSZ)
1103 SpinLockAcquire(&XLogCtl->info_lck);
1104 /* advance global request to include new block(s) */
1105 if (XLogCtl->LogwrtRqst.Write < EndPos)
1106 XLogCtl->LogwrtRqst.Write = EndPos;
1107 /* update local result copy while I have the chance */
1108 LogwrtResult = XLogCtl->LogwrtResult;
1109 SpinLockRelease(&XLogCtl->info_lck);
1113 * If this was an XLOG_SWITCH record, flush the record and the empty
1114 * padding space that fills the rest of the segment, and perform
1115 * end-of-segment actions (eg, notifying archiver).
1119 TRACE_POSTGRESQL_WAL_SWITCH();
1123 * Even though we reserved the rest of the segment for us, which is
1124 * reflected in EndPos, we return a pointer to just the end of the
1125 * xlog-switch record.
1129 EndPos = StartPos + SizeOfXLogRecord;
1130 if (StartPos / XLOG_BLCKSZ != EndPos / XLOG_BLCKSZ)
1132 if (EndPos % XLOG_SEG_SIZE == EndPos % XLOG_BLCKSZ)
1133 EndPos += SizeOfXLogLongPHD;
1135 EndPos += SizeOfXLogShortPHD;
1143 static XLogReaderState *debug_reader = NULL;
1145 StringInfoData recordBuf;
1146 char *errormsg = NULL;
1147 MemoryContext oldCxt;
1149 oldCxt = MemoryContextSwitchTo(walDebugCxt);
1151 initStringInfo(&buf);
1152 appendStringInfo(&buf, "INSERT @ %X/%X: ",
1153 (uint32) (EndPos >> 32), (uint32) EndPos);
1156 * We have to piece together the WAL record data from the XLogRecData
1157 * entries, so that we can pass it to the rm_desc function as one
1160 initStringInfo(&recordBuf);
1161 for (; rdata != NULL; rdata = rdata->next)
1162 appendBinaryStringInfo(&recordBuf, rdata->data, rdata->len);
1165 debug_reader = XLogReaderAllocate(NULL, NULL);
1169 appendStringInfoString(&buf, "error decoding record: out of memory");
1171 else if (!DecodeXLogRecord(debug_reader, (XLogRecord *) recordBuf.data,
1174 appendStringInfo(&buf, "error decoding record: %s",
1175 errormsg ? errormsg : "no error message");
1179 appendStringInfoString(&buf, " - ");
1180 xlog_outdesc(&buf, debug_reader);
1182 elog(LOG, "%s", buf.data);
1185 pfree(recordBuf.data);
1186 MemoryContextSwitchTo(oldCxt);
1191 * Update our global variables
1193 ProcLastRecPtr = StartPos;
1194 XactLastRecEnd = EndPos;
1200 * Reserves the right amount of space for a record of given size from the WAL.
1201 * *StartPos is set to the beginning of the reserved section, *EndPos to
1202 * its end+1. *PrevPtr is set to the beginning of the previous record; it is
1203 * used to set the xl_prev of this record.
1205 * This is the performance critical part of XLogInsert that must be serialized
1206 * across backends. The rest can happen mostly in parallel. Try to keep this
1207 * section as short as possible, insertpos_lck can be heavily contended on a
1210 * NB: The space calculation here must match the code in CopyXLogRecordToWAL,
1211 * where we actually copy the record to the reserved space.
1214 ReserveXLogInsertLocation(int size, XLogRecPtr *StartPos, XLogRecPtr *EndPos,
1215 XLogRecPtr *PrevPtr)
1217 XLogCtlInsert *Insert = &XLogCtl->Insert;
1218 uint64 startbytepos;
1222 size = MAXALIGN(size);
1224 /* All (non xlog-switch) records should contain data. */
1225 Assert(size > SizeOfXLogRecord);
1228 * The duration the spinlock needs to be held is minimized by minimizing
1229 * the calculations that have to be done while holding the lock. The
1230 * current tip of reserved WAL is kept in CurrBytePos, as a byte position
1231 * that only counts "usable" bytes in WAL, that is, it excludes all WAL
1232 * page headers. The mapping between "usable" byte positions and physical
1233 * positions (XLogRecPtrs) can be done outside the locked region, and
1234 * because the usable byte position doesn't include any headers, reserving
1235 * X bytes from WAL is almost as simple as "CurrBytePos += X".
1237 SpinLockAcquire(&Insert->insertpos_lck);
1239 startbytepos = Insert->CurrBytePos;
1240 endbytepos = startbytepos + size;
1241 prevbytepos = Insert->PrevBytePos;
1242 Insert->CurrBytePos = endbytepos;
1243 Insert->PrevBytePos = startbytepos;
1245 SpinLockRelease(&Insert->insertpos_lck);
1247 *StartPos = XLogBytePosToRecPtr(startbytepos);
1248 *EndPos = XLogBytePosToEndRecPtr(endbytepos);
1249 *PrevPtr = XLogBytePosToRecPtr(prevbytepos);
1252 * Check that the conversions between "usable byte positions" and
1253 * XLogRecPtrs work consistently in both directions.
1255 Assert(XLogRecPtrToBytePos(*StartPos) == startbytepos);
1256 Assert(XLogRecPtrToBytePos(*EndPos) == endbytepos);
1257 Assert(XLogRecPtrToBytePos(*PrevPtr) == prevbytepos);
1261 * Like ReserveXLogInsertLocation(), but for an xlog-switch record.
1263 * A log-switch record is handled slightly differently. The rest of the
1264 * segment will be reserved for this insertion, as indicated by the returned
1265 * *EndPos value. However, if we are already at the beginning of the current
1266 * segment, *StartPos and *EndPos are set to the current location without
1267 * reserving any space, and the function returns false.
1270 ReserveXLogSwitch(XLogRecPtr *StartPos, XLogRecPtr *EndPos, XLogRecPtr *PrevPtr)
1272 XLogCtlInsert *Insert = &XLogCtl->Insert;
1273 uint64 startbytepos;
1276 uint32 size = MAXALIGN(SizeOfXLogRecord);
1281 * These calculations are a bit heavy-weight to be done while holding a
1282 * spinlock, but since we're holding all the WAL insertion locks, there
1283 * are no other inserters competing for it. GetXLogInsertRecPtr() does
1284 * compete for it, but that's not called very frequently.
1286 SpinLockAcquire(&Insert->insertpos_lck);
1288 startbytepos = Insert->CurrBytePos;
1290 ptr = XLogBytePosToEndRecPtr(startbytepos);
1291 if (ptr % XLOG_SEG_SIZE == 0)
1293 SpinLockRelease(&Insert->insertpos_lck);
1294 *EndPos = *StartPos = ptr;
1298 endbytepos = startbytepos + size;
1299 prevbytepos = Insert->PrevBytePos;
1301 *StartPos = XLogBytePosToRecPtr(startbytepos);
1302 *EndPos = XLogBytePosToEndRecPtr(endbytepos);
1304 segleft = XLOG_SEG_SIZE - ((*EndPos) % XLOG_SEG_SIZE);
1305 if (segleft != XLOG_SEG_SIZE)
1307 /* consume the rest of the segment */
1309 endbytepos = XLogRecPtrToBytePos(*EndPos);
1311 Insert->CurrBytePos = endbytepos;
1312 Insert->PrevBytePos = startbytepos;
1314 SpinLockRelease(&Insert->insertpos_lck);
1316 *PrevPtr = XLogBytePosToRecPtr(prevbytepos);
1318 Assert((*EndPos) % XLOG_SEG_SIZE == 0);
1319 Assert(XLogRecPtrToBytePos(*EndPos) == endbytepos);
1320 Assert(XLogRecPtrToBytePos(*StartPos) == startbytepos);
1321 Assert(XLogRecPtrToBytePos(*PrevPtr) == prevbytepos);
1327 * Checks whether the current buffer page and backup page stored in the
1328 * WAL record are consistent or not. Before comparing the two pages, a
1329 * masking can be applied to the pages to ignore certain areas like hint bits,
1330 * unused space between pd_lower and pd_upper among other things. This
1331 * function should be called once WAL replay has been completed for a
1335 checkXLogConsistency(XLogReaderState *record)
1337 RmgrId rmid = XLogRecGetRmid(record);
1343 /* Records with no backup blocks have no need for consistency checks. */
1344 if (!XLogRecHasAnyBlockRefs(record))
1347 Assert((XLogRecGetInfo(record) & XLR_CHECK_CONSISTENCY) != 0);
1349 for (block_id = 0; block_id <= record->max_block_id; block_id++)
1354 if (!XLogRecGetBlockTag(record, block_id, &rnode, &forknum, &blkno))
1357 * WAL record doesn't contain a block reference with the given id.
1363 Assert(XLogRecHasBlockImage(record, block_id));
1365 if (XLogRecBlockImageApply(record, block_id))
1368 * WAL record has already applied the page, so bypass the
1369 * consistency check as that would result in comparing the full
1370 * page stored in the record with itself.
1376 * Read the contents from the current buffer and store it in a
1379 buf = XLogReadBufferExtended(rnode, forknum, blkno,
1381 if (!BufferIsValid(buf))
1384 LockBuffer(buf, BUFFER_LOCK_EXCLUSIVE);
1385 page = BufferGetPage(buf);
1388 * Take a copy of the local page where WAL has been applied to have a
1389 * comparison base before masking it...
1391 memcpy(replay_image_masked, page, BLCKSZ);
1393 /* No need for this page anymore now that a copy is in. */
1394 UnlockReleaseBuffer(buf);
1397 * If the block LSN is already ahead of this WAL record, we can't
1398 * expect contents to match. This can happen if recovery is restarted.
1400 if (PageGetLSN(replay_image_masked) > record->EndRecPtr)
1404 * Read the contents from the backup copy, stored in WAL record and
1405 * store it in a temporary page. There is no need to allocate a new
1406 * page here, a local buffer is fine to hold its contents and a mask
1407 * can be directly applied on it.
1409 if (!RestoreBlockImage(record, block_id, master_image_masked))
1410 elog(ERROR, "failed to restore block image");
1413 * If masking function is defined, mask both the master and replay
1416 if (RmgrTable[rmid].rm_mask != NULL)
1418 RmgrTable[rmid].rm_mask(replay_image_masked, blkno);
1419 RmgrTable[rmid].rm_mask(master_image_masked, blkno);
1422 /* Time to compare the master and replay images. */
1423 if (memcmp(replay_image_masked, master_image_masked, BLCKSZ) != 0)
1426 "inconsistent page found, rel %u/%u/%u, forknum %u, blkno %u",
1427 rnode.spcNode, rnode.dbNode, rnode.relNode,
1434 * Subroutine of XLogInsertRecord. Copies a WAL record to an already-reserved
1438 CopyXLogRecordToWAL(int write_len, bool isLogSwitch, XLogRecData *rdata,
1439 XLogRecPtr StartPos, XLogRecPtr EndPos)
1445 XLogPageHeader pagehdr;
1448 * Get a pointer to the right place in the right WAL buffer to start
1452 currpos = GetXLogBuffer(CurrPos);
1453 freespace = INSERT_FREESPACE(CurrPos);
1456 * there should be enough space for at least the first field (xl_tot_len)
1459 Assert(freespace >= sizeof(uint32));
1461 /* Copy record data */
1463 while (rdata != NULL)
1465 char *rdata_data = rdata->data;
1466 int rdata_len = rdata->len;
1468 while (rdata_len > freespace)
1471 * Write what fits on this page, and continue on the next page.
1473 Assert(CurrPos % XLOG_BLCKSZ >= SizeOfXLogShortPHD || freespace == 0);
1474 memcpy(currpos, rdata_data, freespace);
1475 rdata_data += freespace;
1476 rdata_len -= freespace;
1477 written += freespace;
1478 CurrPos += freespace;
1481 * Get pointer to beginning of next page, and set the xlp_rem_len
1482 * in the page header. Set XLP_FIRST_IS_CONTRECORD.
1484 * It's safe to set the contrecord flag and xlp_rem_len without a
1485 * lock on the page. All the other flags were already set when the
1486 * page was initialized, in AdvanceXLInsertBuffer, and we're the
1487 * only backend that needs to set the contrecord flag.
1489 currpos = GetXLogBuffer(CurrPos);
1490 pagehdr = (XLogPageHeader) currpos;
1491 pagehdr->xlp_rem_len = write_len - written;
1492 pagehdr->xlp_info |= XLP_FIRST_IS_CONTRECORD;
1494 /* skip over the page header */
1495 if (CurrPos % XLogSegSize == 0)
1497 CurrPos += SizeOfXLogLongPHD;
1498 currpos += SizeOfXLogLongPHD;
1502 CurrPos += SizeOfXLogShortPHD;
1503 currpos += SizeOfXLogShortPHD;
1505 freespace = INSERT_FREESPACE(CurrPos);
1508 Assert(CurrPos % XLOG_BLCKSZ >= SizeOfXLogShortPHD || rdata_len == 0);
1509 memcpy(currpos, rdata_data, rdata_len);
1510 currpos += rdata_len;
1511 CurrPos += rdata_len;
1512 freespace -= rdata_len;
1513 written += rdata_len;
1515 rdata = rdata->next;
1517 Assert(written == write_len);
1520 * If this was an xlog-switch, it's not enough to write the switch record,
1521 * we also have to consume all the remaining space in the WAL segment. We
1522 * have already reserved it for us, but we still need to make sure it's
1523 * allocated and zeroed in the WAL buffers so that when the caller (or
1524 * someone else) does XLogWrite(), it can really write out all the zeros.
1526 if (isLogSwitch && CurrPos % XLOG_SEG_SIZE != 0)
1528 /* An xlog-switch record doesn't contain any data besides the header */
1529 Assert(write_len == SizeOfXLogRecord);
1532 * We do this one page at a time, to make sure we don't deadlock
1533 * against ourselves if wal_buffers < XLOG_SEG_SIZE.
1535 Assert(EndPos % XLogSegSize == 0);
1537 /* Use up all the remaining space on the first page */
1538 CurrPos += freespace;
1540 while (CurrPos < EndPos)
1542 /* initialize the next page (if not initialized already) */
1543 WALInsertLockUpdateInsertingAt(CurrPos);
1544 AdvanceXLInsertBuffer(CurrPos, false);
1545 CurrPos += XLOG_BLCKSZ;
1550 /* Align the end position, so that the next record starts aligned */
1551 CurrPos = MAXALIGN64(CurrPos);
1554 if (CurrPos != EndPos)
1555 elog(PANIC, "space reserved for WAL record does not match what was written");
1559 * Acquire a WAL insertion lock, for inserting to WAL.
1562 WALInsertLockAcquire(void)
1567 * It doesn't matter which of the WAL insertion locks we acquire, so try
1568 * the one we used last time. If the system isn't particularly busy, it's
1569 * a good bet that it's still available, and it's good to have some
1570 * affinity to a particular lock so that you don't unnecessarily bounce
1571 * cache lines between processes when there's no contention.
1573 * If this is the first time through in this backend, pick a lock
1574 * (semi-)randomly. This allows the locks to be used evenly if you have a
1575 * lot of very short connections.
1577 static int lockToTry = -1;
1579 if (lockToTry == -1)
1580 lockToTry = MyProc->pgprocno % NUM_XLOGINSERT_LOCKS;
1581 MyLockNo = lockToTry;
1584 * The insertingAt value is initially set to 0, as we don't know our
1585 * insert location yet.
1587 immed = LWLockAcquire(&WALInsertLocks[MyLockNo].l.lock, LW_EXCLUSIVE);
1591 * If we couldn't get the lock immediately, try another lock next
1592 * time. On a system with more insertion locks than concurrent
1593 * inserters, this causes all the inserters to eventually migrate to a
1594 * lock that no-one else is using. On a system with more inserters
1595 * than locks, it still helps to distribute the inserters evenly
1598 lockToTry = (lockToTry + 1) % NUM_XLOGINSERT_LOCKS;
1603 * Acquire all WAL insertion locks, to prevent other backends from inserting
1607 WALInsertLockAcquireExclusive(void)
1612 * When holding all the locks, all but the last lock's insertingAt
1613 * indicator is set to 0xFFFFFFFFFFFFFFFF, which is higher than any real
1614 * XLogRecPtr value, to make sure that no-one blocks waiting on those.
1616 for (i = 0; i < NUM_XLOGINSERT_LOCKS - 1; i++)
1618 LWLockAcquire(&WALInsertLocks[i].l.lock, LW_EXCLUSIVE);
1619 LWLockUpdateVar(&WALInsertLocks[i].l.lock,
1620 &WALInsertLocks[i].l.insertingAt,
1623 /* Variable value reset to 0 at release */
1624 LWLockAcquire(&WALInsertLocks[i].l.lock, LW_EXCLUSIVE);
1626 holdingAllLocks = true;
1630 * Release our insertion lock (or locks, if we're holding them all).
1632 * NB: Reset all variables to 0, so they cause LWLockWaitForVar to block the
1633 * next time the lock is acquired.
1636 WALInsertLockRelease(void)
1638 if (holdingAllLocks)
1642 for (i = 0; i < NUM_XLOGINSERT_LOCKS; i++)
1643 LWLockReleaseClearVar(&WALInsertLocks[i].l.lock,
1644 &WALInsertLocks[i].l.insertingAt,
1647 holdingAllLocks = false;
1651 LWLockReleaseClearVar(&WALInsertLocks[MyLockNo].l.lock,
1652 &WALInsertLocks[MyLockNo].l.insertingAt,
1658 * Update our insertingAt value, to let others know that we've finished
1659 * inserting up to that point.
1662 WALInsertLockUpdateInsertingAt(XLogRecPtr insertingAt)
1664 if (holdingAllLocks)
1667 * We use the last lock to mark our actual position, see comments in
1668 * WALInsertLockAcquireExclusive.
1670 LWLockUpdateVar(&WALInsertLocks[NUM_XLOGINSERT_LOCKS - 1].l.lock,
1671 &WALInsertLocks[NUM_XLOGINSERT_LOCKS - 1].l.insertingAt,
1675 LWLockUpdateVar(&WALInsertLocks[MyLockNo].l.lock,
1676 &WALInsertLocks[MyLockNo].l.insertingAt,
1681 * Wait for any WAL insertions < upto to finish.
1683 * Returns the location of the oldest insertion that is still in-progress.
1684 * Any WAL prior to that point has been fully copied into WAL buffers, and
1685 * can be flushed out to disk. Because this waits for any insertions older
1686 * than 'upto' to finish, the return value is always >= 'upto'.
1688 * Note: When you are about to write out WAL, you must call this function
1689 * *before* acquiring WALWriteLock, to avoid deadlocks. This function might
1690 * need to wait for an insertion to finish (or at least advance to next
1691 * uninitialized page), and the inserter might need to evict an old WAL buffer
1692 * to make room for a new one, which in turn requires WALWriteLock.
1695 WaitXLogInsertionsToFinish(XLogRecPtr upto)
1698 XLogRecPtr reservedUpto;
1699 XLogRecPtr finishedUpto;
1700 XLogCtlInsert *Insert = &XLogCtl->Insert;
1704 elog(PANIC, "cannot wait without a PGPROC structure");
1706 /* Read the current insert position */
1707 SpinLockAcquire(&Insert->insertpos_lck);
1708 bytepos = Insert->CurrBytePos;
1709 SpinLockRelease(&Insert->insertpos_lck);
1710 reservedUpto = XLogBytePosToEndRecPtr(bytepos);
1713 * No-one should request to flush a piece of WAL that hasn't even been
1714 * reserved yet. However, it can happen if there is a block with a bogus
1715 * LSN on disk, for example. XLogFlush checks for that situation and
1716 * complains, but only after the flush. Here we just assume that to mean
1717 * that all WAL that has been reserved needs to be finished. In this
1718 * corner-case, the return value can be smaller than 'upto' argument.
1720 if (upto > reservedUpto)
1722 elog(LOG, "request to flush past end of generated WAL; request %X/%X, currpos %X/%X",
1723 (uint32) (upto >> 32), (uint32) upto,
1724 (uint32) (reservedUpto >> 32), (uint32) reservedUpto);
1725 upto = reservedUpto;
1729 * Loop through all the locks, sleeping on any in-progress insert older
1732 * finishedUpto is our return value, indicating the point upto which all
1733 * the WAL insertions have been finished. Initialize it to the head of
1734 * reserved WAL, and as we iterate through the insertion locks, back it
1735 * out for any insertion that's still in progress.
1737 finishedUpto = reservedUpto;
1738 for (i = 0; i < NUM_XLOGINSERT_LOCKS; i++)
1740 XLogRecPtr insertingat = InvalidXLogRecPtr;
1745 * See if this insertion is in progress. LWLockWait will wait for
1746 * the lock to be released, or for the 'value' to be set by a
1747 * LWLockUpdateVar call. When a lock is initially acquired, its
1748 * value is 0 (InvalidXLogRecPtr), which means that we don't know
1749 * where it's inserting yet. We will have to wait for it. If
1750 * it's a small insertion, the record will most likely fit on the
1751 * same page and the inserter will release the lock without ever
1752 * calling LWLockUpdateVar. But if it has to sleep, it will
1753 * advertise the insertion point with LWLockUpdateVar before
1756 if (LWLockWaitForVar(&WALInsertLocks[i].l.lock,
1757 &WALInsertLocks[i].l.insertingAt,
1758 insertingat, &insertingat))
1760 /* the lock was free, so no insertion in progress */
1761 insertingat = InvalidXLogRecPtr;
1766 * This insertion is still in progress. Have to wait, unless the
1767 * inserter has proceeded past 'upto'.
1769 } while (insertingat < upto);
1771 if (insertingat != InvalidXLogRecPtr && insertingat < finishedUpto)
1772 finishedUpto = insertingat;
1774 return finishedUpto;
1778 * Get a pointer to the right location in the WAL buffer containing the
1781 * If the page is not initialized yet, it is initialized. That might require
1782 * evicting an old dirty buffer from the buffer cache, which means I/O.
1784 * The caller must ensure that the page containing the requested location
1785 * isn't evicted yet, and won't be evicted. The way to ensure that is to
1786 * hold onto a WAL insertion lock with the insertingAt position set to
1787 * something <= ptr. GetXLogBuffer() will update insertingAt if it needs
1788 * to evict an old page from the buffer. (This means that once you call
1789 * GetXLogBuffer() with a given 'ptr', you must not access anything before
1790 * that point anymore, and must not call GetXLogBuffer() with an older 'ptr'
1791 * later, because older buffers might be recycled already)
1794 GetXLogBuffer(XLogRecPtr ptr)
1798 static uint64 cachedPage = 0;
1799 static char *cachedPos = NULL;
1800 XLogRecPtr expectedEndPtr;
1803 * Fast path for the common case that we need to access again the same
1804 * page as last time.
1806 if (ptr / XLOG_BLCKSZ == cachedPage)
1808 Assert(((XLogPageHeader) cachedPos)->xlp_magic == XLOG_PAGE_MAGIC);
1809 Assert(((XLogPageHeader) cachedPos)->xlp_pageaddr == ptr - (ptr % XLOG_BLCKSZ));
1810 return cachedPos + ptr % XLOG_BLCKSZ;
1814 * The XLog buffer cache is organized so that a page is always loaded to a
1815 * particular buffer. That way we can easily calculate the buffer a given
1816 * page must be loaded into, from the XLogRecPtr alone.
1818 idx = XLogRecPtrToBufIdx(ptr);
1821 * See what page is loaded in the buffer at the moment. It could be the
1822 * page we're looking for, or something older. It can't be anything newer
1823 * - that would imply the page we're looking for has already been written
1824 * out to disk and evicted, and the caller is responsible for making sure
1825 * that doesn't happen.
1827 * However, we don't hold a lock while we read the value. If someone has
1828 * just initialized the page, it's possible that we get a "torn read" of
1829 * the XLogRecPtr if 64-bit fetches are not atomic on this platform. In
1830 * that case we will see a bogus value. That's ok, we'll grab the mapping
1831 * lock (in AdvanceXLInsertBuffer) and retry if we see anything else than
1832 * the page we're looking for. But it means that when we do this unlocked
1833 * read, we might see a value that appears to be ahead of the page we're
1834 * looking for. Don't PANIC on that, until we've verified the value while
1837 expectedEndPtr = ptr;
1838 expectedEndPtr += XLOG_BLCKSZ - ptr % XLOG_BLCKSZ;
1840 endptr = XLogCtl->xlblocks[idx];
1841 if (expectedEndPtr != endptr)
1843 XLogRecPtr initializedUpto;
1846 * Before calling AdvanceXLInsertBuffer(), which can block, let others
1847 * know how far we're finished with inserting the record.
1849 * NB: If 'ptr' points to just after the page header, advertise a
1850 * position at the beginning of the page rather than 'ptr' itself. If
1851 * there are no other insertions running, someone might try to flush
1852 * up to our advertised location. If we advertised a position after
1853 * the page header, someone might try to flush the page header, even
1854 * though page might actually not be initialized yet. As the first
1855 * inserter on the page, we are effectively responsible for making
1856 * sure that it's initialized, before we let insertingAt to move past
1859 if (ptr % XLOG_BLCKSZ == SizeOfXLogShortPHD &&
1860 ptr % XLOG_SEG_SIZE > XLOG_BLCKSZ)
1861 initializedUpto = ptr - SizeOfXLogShortPHD;
1862 else if (ptr % XLOG_BLCKSZ == SizeOfXLogLongPHD &&
1863 ptr % XLOG_SEG_SIZE < XLOG_BLCKSZ)
1864 initializedUpto = ptr - SizeOfXLogLongPHD;
1866 initializedUpto = ptr;
1868 WALInsertLockUpdateInsertingAt(initializedUpto);
1870 AdvanceXLInsertBuffer(ptr, false);
1871 endptr = XLogCtl->xlblocks[idx];
1873 if (expectedEndPtr != endptr)
1874 elog(PANIC, "could not find WAL buffer for %X/%X",
1875 (uint32) (ptr >> 32), (uint32) ptr);
1880 * Make sure the initialization of the page is visible to us, and
1881 * won't arrive later to overwrite the WAL data we write on the page.
1883 pg_memory_barrier();
1887 * Found the buffer holding this page. Return a pointer to the right
1888 * offset within the page.
1890 cachedPage = ptr / XLOG_BLCKSZ;
1891 cachedPos = XLogCtl->pages + idx * (Size) XLOG_BLCKSZ;
1893 Assert(((XLogPageHeader) cachedPos)->xlp_magic == XLOG_PAGE_MAGIC);
1894 Assert(((XLogPageHeader) cachedPos)->xlp_pageaddr == ptr - (ptr % XLOG_BLCKSZ));
1896 return cachedPos + ptr % XLOG_BLCKSZ;
1900 * Converts a "usable byte position" to XLogRecPtr. A usable byte position
1901 * is the position starting from the beginning of WAL, excluding all WAL
1905 XLogBytePosToRecPtr(uint64 bytepos)
1913 fullsegs = bytepos / UsableBytesInSegment;
1914 bytesleft = bytepos % UsableBytesInSegment;
1916 if (bytesleft < XLOG_BLCKSZ - SizeOfXLogLongPHD)
1918 /* fits on first page of segment */
1919 seg_offset = bytesleft + SizeOfXLogLongPHD;
1923 /* account for the first page on segment with long header */
1924 seg_offset = XLOG_BLCKSZ;
1925 bytesleft -= XLOG_BLCKSZ - SizeOfXLogLongPHD;
1927 fullpages = bytesleft / UsableBytesInPage;
1928 bytesleft = bytesleft % UsableBytesInPage;
1930 seg_offset += fullpages * XLOG_BLCKSZ + bytesleft + SizeOfXLogShortPHD;
1933 XLogSegNoOffsetToRecPtr(fullsegs, seg_offset, result);
1939 * Like XLogBytePosToRecPtr, but if the position is at a page boundary,
1940 * returns a pointer to the beginning of the page (ie. before page header),
1941 * not to where the first xlog record on that page would go to. This is used
1942 * when converting a pointer to the end of a record.
1945 XLogBytePosToEndRecPtr(uint64 bytepos)
1953 fullsegs = bytepos / UsableBytesInSegment;
1954 bytesleft = bytepos % UsableBytesInSegment;
1956 if (bytesleft < XLOG_BLCKSZ - SizeOfXLogLongPHD)
1958 /* fits on first page of segment */
1962 seg_offset = bytesleft + SizeOfXLogLongPHD;
1966 /* account for the first page on segment with long header */
1967 seg_offset = XLOG_BLCKSZ;
1968 bytesleft -= XLOG_BLCKSZ - SizeOfXLogLongPHD;
1970 fullpages = bytesleft / UsableBytesInPage;
1971 bytesleft = bytesleft % UsableBytesInPage;
1974 seg_offset += fullpages * XLOG_BLCKSZ + bytesleft;
1976 seg_offset += fullpages * XLOG_BLCKSZ + bytesleft + SizeOfXLogShortPHD;
1979 XLogSegNoOffsetToRecPtr(fullsegs, seg_offset, result);
1985 * Convert an XLogRecPtr to a "usable byte position".
1988 XLogRecPtrToBytePos(XLogRecPtr ptr)
1995 XLByteToSeg(ptr, fullsegs);
1997 fullpages = (ptr % XLOG_SEG_SIZE) / XLOG_BLCKSZ;
1998 offset = ptr % XLOG_BLCKSZ;
2002 result = fullsegs * UsableBytesInSegment;
2005 Assert(offset >= SizeOfXLogLongPHD);
2006 result += offset - SizeOfXLogLongPHD;
2011 result = fullsegs * UsableBytesInSegment +
2012 (XLOG_BLCKSZ - SizeOfXLogLongPHD) + /* account for first page */
2013 (fullpages - 1) * UsableBytesInPage; /* full pages */
2016 Assert(offset >= SizeOfXLogShortPHD);
2017 result += offset - SizeOfXLogShortPHD;
2025 * Initialize XLOG buffers, writing out old buffers if they still contain
2026 * unwritten data, upto the page containing 'upto'. Or if 'opportunistic' is
2027 * true, initialize as many pages as we can without having to write out
2028 * unwritten data. Any new pages are initialized to zeros, with pages headers
2029 * initialized properly.
2032 AdvanceXLInsertBuffer(XLogRecPtr upto, bool opportunistic)
2034 XLogCtlInsert *Insert = &XLogCtl->Insert;
2036 XLogRecPtr OldPageRqstPtr;
2037 XLogwrtRqst WriteRqst;
2038 XLogRecPtr NewPageEndPtr = InvalidXLogRecPtr;
2039 XLogRecPtr NewPageBeginPtr;
2040 XLogPageHeader NewPage;
2043 LWLockAcquire(WALBufMappingLock, LW_EXCLUSIVE);
2046 * Now that we have the lock, check if someone initialized the page
2049 while (upto >= XLogCtl->InitializedUpTo || opportunistic)
2051 nextidx = XLogRecPtrToBufIdx(XLogCtl->InitializedUpTo);
2054 * Get ending-offset of the buffer page we need to replace (this may
2055 * be zero if the buffer hasn't been used yet). Fall through if it's
2056 * already written out.
2058 OldPageRqstPtr = XLogCtl->xlblocks[nextidx];
2059 if (LogwrtResult.Write < OldPageRqstPtr)
2062 * Nope, got work to do. If we just want to pre-initialize as much
2063 * as we can without flushing, give up now.
2068 /* Before waiting, get info_lck and update LogwrtResult */
2069 SpinLockAcquire(&XLogCtl->info_lck);
2070 if (XLogCtl->LogwrtRqst.Write < OldPageRqstPtr)
2071 XLogCtl->LogwrtRqst.Write = OldPageRqstPtr;
2072 LogwrtResult = XLogCtl->LogwrtResult;
2073 SpinLockRelease(&XLogCtl->info_lck);
2076 * Now that we have an up-to-date LogwrtResult value, see if we
2077 * still need to write it or if someone else already did.
2079 if (LogwrtResult.Write < OldPageRqstPtr)
2082 * Must acquire write lock. Release WALBufMappingLock first,
2083 * to make sure that all insertions that we need to wait for
2084 * can finish (up to this same position). Otherwise we risk
2087 LWLockRelease(WALBufMappingLock);
2089 WaitXLogInsertionsToFinish(OldPageRqstPtr);
2091 LWLockAcquire(WALWriteLock, LW_EXCLUSIVE);
2093 LogwrtResult = XLogCtl->LogwrtResult;
2094 if (LogwrtResult.Write >= OldPageRqstPtr)
2096 /* OK, someone wrote it already */
2097 LWLockRelease(WALWriteLock);
2101 /* Have to write it ourselves */
2102 TRACE_POSTGRESQL_WAL_BUFFER_WRITE_DIRTY_START();
2103 WriteRqst.Write = OldPageRqstPtr;
2104 WriteRqst.Flush = 0;
2105 XLogWrite(WriteRqst, false);
2106 LWLockRelease(WALWriteLock);
2107 TRACE_POSTGRESQL_WAL_BUFFER_WRITE_DIRTY_DONE();
2109 /* Re-acquire WALBufMappingLock and retry */
2110 LWLockAcquire(WALBufMappingLock, LW_EXCLUSIVE);
2116 * Now the next buffer slot is free and we can set it up to be the
2119 NewPageBeginPtr = XLogCtl->InitializedUpTo;
2120 NewPageEndPtr = NewPageBeginPtr + XLOG_BLCKSZ;
2122 Assert(XLogRecPtrToBufIdx(NewPageBeginPtr) == nextidx);
2124 NewPage = (XLogPageHeader) (XLogCtl->pages + nextidx * (Size) XLOG_BLCKSZ);
2127 * Be sure to re-zero the buffer so that bytes beyond what we've
2128 * written will look like zeroes and not valid XLOG records...
2130 MemSet((char *) NewPage, 0, XLOG_BLCKSZ);
2133 * Fill the new page's header
2135 NewPage->xlp_magic = XLOG_PAGE_MAGIC;
2137 /* NewPage->xlp_info = 0; */ /* done by memset */
2138 NewPage->xlp_tli = ThisTimeLineID;
2139 NewPage->xlp_pageaddr = NewPageBeginPtr;
2141 /* NewPage->xlp_rem_len = 0; */ /* done by memset */
2144 * If online backup is not in progress, mark the header to indicate
2145 * that* WAL records beginning in this page have removable backup
2146 * blocks. This allows the WAL archiver to know whether it is safe to
2147 * compress archived WAL data by transforming full-block records into
2148 * the non-full-block format. It is sufficient to record this at the
2149 * page level because we force a page switch (in fact a segment
2150 * switch) when starting a backup, so the flag will be off before any
2151 * records can be written during the backup. At the end of a backup,
2152 * the last page will be marked as all unsafe when perhaps only part
2153 * is unsafe, but at worst the archiver would miss the opportunity to
2154 * compress a few records.
2156 if (!Insert->forcePageWrites)
2157 NewPage->xlp_info |= XLP_BKP_REMOVABLE;
2160 * If first page of an XLOG segment file, make it a long header.
2162 if ((NewPage->xlp_pageaddr % XLogSegSize) == 0)
2164 XLogLongPageHeader NewLongPage = (XLogLongPageHeader) NewPage;
2166 NewLongPage->xlp_sysid = ControlFile->system_identifier;
2167 NewLongPage->xlp_seg_size = XLogSegSize;
2168 NewLongPage->xlp_xlog_blcksz = XLOG_BLCKSZ;
2169 NewPage->xlp_info |= XLP_LONG_HEADER;
2173 * Make sure the initialization of the page becomes visible to others
2174 * before the xlblocks update. GetXLogBuffer() reads xlblocks without
2179 *((volatile XLogRecPtr *) &XLogCtl->xlblocks[nextidx]) = NewPageEndPtr;
2181 XLogCtl->InitializedUpTo = NewPageEndPtr;
2185 LWLockRelease(WALBufMappingLock);
2188 if (XLOG_DEBUG && npages > 0)
2190 elog(DEBUG1, "initialized %d pages, up to %X/%X",
2191 npages, (uint32) (NewPageEndPtr >> 32), (uint32) NewPageEndPtr);
2197 * Calculate CheckPointSegments based on max_wal_size and
2198 * checkpoint_completion_target.
2201 CalculateCheckpointSegments(void)
2206 * Calculate the distance at which to trigger a checkpoint, to avoid
2207 * exceeding max_wal_size. This is based on two assumptions:
2209 * a) we keep WAL for two checkpoint cycles, back to the "prev" checkpoint.
2210 * b) during checkpoint, we consume checkpoint_completion_target *
2211 * number of segments consumed between checkpoints.
2214 target = (double) max_wal_size / (2.0 + CheckPointCompletionTarget);
2217 CheckPointSegments = (int) target;
2219 if (CheckPointSegments < 1)
2220 CheckPointSegments = 1;
2224 assign_max_wal_size(int newval, void *extra)
2226 max_wal_size = newval;
2227 CalculateCheckpointSegments();
2231 assign_checkpoint_completion_target(double newval, void *extra)
2233 CheckPointCompletionTarget = newval;
2234 CalculateCheckpointSegments();
2238 * At a checkpoint, how many WAL segments to recycle as preallocated future
2239 * XLOG segments? Returns the highest segment that should be preallocated.
2242 XLOGfileslop(XLogRecPtr PriorRedoPtr)
2247 XLogSegNo recycleSegNo;
2250 * Calculate the segment numbers that min_wal_size and max_wal_size
2251 * correspond to. Always recycle enough segments to meet the minimum, and
2252 * remove enough segments to stay below the maximum.
2254 minSegNo = PriorRedoPtr / XLOG_SEG_SIZE + min_wal_size - 1;
2255 maxSegNo = PriorRedoPtr / XLOG_SEG_SIZE + max_wal_size - 1;
2258 * Between those limits, recycle enough segments to get us through to the
2259 * estimated end of next checkpoint.
2261 * To estimate where the next checkpoint will finish, assume that the
2262 * system runs steadily consuming CheckPointDistanceEstimate bytes between
2265 * The reason this calculation is done from the prior checkpoint, not the
2266 * one that just finished, is that this behaves better if some checkpoint
2267 * cycles are abnormally short, like if you perform a manual checkpoint
2268 * right after a timed one. The manual checkpoint will make almost a full
2269 * cycle's worth of WAL segments available for recycling, because the
2270 * segments from the prior's prior, fully-sized checkpoint cycle are no
2271 * longer needed. However, the next checkpoint will make only few segments
2272 * available for recycling, the ones generated between the timed
2273 * checkpoint and the manual one right after that. If at the manual
2274 * checkpoint we only retained enough segments to get us to the next timed
2275 * one, and removed the rest, then at the next checkpoint we would not
2276 * have enough segments around for recycling, to get us to the checkpoint
2277 * after that. Basing the calculations on the distance from the prior redo
2278 * pointer largely fixes that problem.
2280 distance = (2.0 + CheckPointCompletionTarget) * CheckPointDistanceEstimate;
2281 /* add 10% for good measure. */
2284 recycleSegNo = (XLogSegNo) ceil(((double) PriorRedoPtr + distance) / XLOG_SEG_SIZE);
2286 if (recycleSegNo < minSegNo)
2287 recycleSegNo = minSegNo;
2288 if (recycleSegNo > maxSegNo)
2289 recycleSegNo = maxSegNo;
2291 return recycleSegNo;
2295 * Check whether we've consumed enough xlog space that a checkpoint is needed.
2297 * new_segno indicates a log file that has just been filled up (or read
2298 * during recovery). We measure the distance from RedoRecPtr to new_segno
2299 * and see if that exceeds CheckPointSegments.
2301 * Note: it is caller's responsibility that RedoRecPtr is up-to-date.
2304 XLogCheckpointNeeded(XLogSegNo new_segno)
2306 XLogSegNo old_segno;
2308 XLByteToSeg(RedoRecPtr, old_segno);
2310 if (new_segno >= old_segno + (uint64) (CheckPointSegments - 1))
2316 * Write and/or fsync the log at least as far as WriteRqst indicates.
2318 * If flexible == TRUE, we don't have to write as far as WriteRqst, but
2319 * may stop at any convenient boundary (such as a cache or logfile boundary).
2320 * This option allows us to avoid uselessly issuing multiple writes when a
2321 * single one would do.
2323 * Must be called with WALWriteLock held. WaitXLogInsertionsToFinish(WriteRqst)
2324 * must be called before grabbing the lock, to make sure the data is ready to
2328 XLogWrite(XLogwrtRqst WriteRqst, bool flexible)
2331 bool last_iteration;
2339 /* We should always be inside a critical section here */
2340 Assert(CritSectionCount > 0);
2343 * Update local LogwrtResult (caller probably did this already, but...)
2345 LogwrtResult = XLogCtl->LogwrtResult;
2348 * Since successive pages in the xlog cache are consecutively allocated,
2349 * we can usually gather multiple pages together and issue just one
2350 * write() call. npages is the number of pages we have determined can be
2351 * written together; startidx is the cache block index of the first one,
2352 * and startoffset is the file offset at which it should go. The latter
2353 * two variables are only valid when npages > 0, but we must initialize
2354 * all of them to keep the compiler quiet.
2361 * Within the loop, curridx is the cache block index of the page to
2362 * consider writing. Begin at the buffer containing the next unwritten
2363 * page, or last partially written page.
2365 curridx = XLogRecPtrToBufIdx(LogwrtResult.Write);
2367 while (LogwrtResult.Write < WriteRqst.Write)
2370 * Make sure we're not ahead of the insert process. This could happen
2371 * if we're passed a bogus WriteRqst.Write that is past the end of the
2372 * last page that's been initialized by AdvanceXLInsertBuffer.
2374 XLogRecPtr EndPtr = XLogCtl->xlblocks[curridx];
2376 if (LogwrtResult.Write >= EndPtr)
2377 elog(PANIC, "xlog write request %X/%X is past end of log %X/%X",
2378 (uint32) (LogwrtResult.Write >> 32),
2379 (uint32) LogwrtResult.Write,
2380 (uint32) (EndPtr >> 32), (uint32) EndPtr);
2382 /* Advance LogwrtResult.Write to end of current buffer page */
2383 LogwrtResult.Write = EndPtr;
2384 ispartialpage = WriteRqst.Write < LogwrtResult.Write;
2386 if (!XLByteInPrevSeg(LogwrtResult.Write, openLogSegNo))
2389 * Switch to new logfile segment. We cannot have any pending
2390 * pages here (since we dump what we have at segment end).
2392 Assert(npages == 0);
2393 if (openLogFile >= 0)
2395 XLByteToPrevSeg(LogwrtResult.Write, openLogSegNo);
2397 /* create/use new log file */
2398 use_existent = true;
2399 openLogFile = XLogFileInit(openLogSegNo, &use_existent, true);
2403 /* Make sure we have the current logfile open */
2404 if (openLogFile < 0)
2406 XLByteToPrevSeg(LogwrtResult.Write, openLogSegNo);
2407 openLogFile = XLogFileOpen(openLogSegNo);
2411 /* Add current page to the set of pending pages-to-dump */
2414 /* first of group */
2416 startoffset = (LogwrtResult.Write - XLOG_BLCKSZ) % XLogSegSize;
2421 * Dump the set if this will be the last loop iteration, or if we are
2422 * at the last page of the cache area (since the next page won't be
2423 * contiguous in memory), or if we are at the end of the logfile
2426 last_iteration = WriteRqst.Write <= LogwrtResult.Write;
2428 finishing_seg = !ispartialpage &&
2429 (startoffset + npages * XLOG_BLCKSZ) >= XLogSegSize;
2431 if (last_iteration ||
2432 curridx == XLogCtl->XLogCacheBlck ||
2440 /* Need to seek in the file? */
2441 if (openLogOff != startoffset)
2443 if (lseek(openLogFile, (off_t) startoffset, SEEK_SET) < 0)
2445 (errcode_for_file_access(),
2446 errmsg("could not seek in log file %s to offset %u: %m",
2447 XLogFileNameP(ThisTimeLineID, openLogSegNo),
2449 openLogOff = startoffset;
2452 /* OK to write the page(s) */
2453 from = XLogCtl->pages + startidx * (Size) XLOG_BLCKSZ;
2454 nbytes = npages * (Size) XLOG_BLCKSZ;
2459 written = write(openLogFile, from, nleft);
2465 (errcode_for_file_access(),
2466 errmsg("could not write to log file %s "
2467 "at offset %u, length %zu: %m",
2468 XLogFileNameP(ThisTimeLineID, openLogSegNo),
2469 openLogOff, nbytes)));
2473 } while (nleft > 0);
2475 /* Update state for write */
2476 openLogOff += nbytes;
2480 * If we just wrote the whole last page of a logfile segment,
2481 * fsync the segment immediately. This avoids having to go back
2482 * and re-open prior segments when an fsync request comes along
2483 * later. Doing it here ensures that one and only one backend will
2484 * perform this fsync.
2486 * This is also the right place to notify the Archiver that the
2487 * segment is ready to copy to archival storage, and to update the
2488 * timer for archive_timeout, and to signal for a checkpoint if
2489 * too many logfile segments have been used since the last
2494 issue_xlog_fsync(openLogFile, openLogSegNo);
2496 /* signal that we need to wakeup walsenders later */
2497 WalSndWakeupRequest();
2499 LogwrtResult.Flush = LogwrtResult.Write; /* end of page */
2501 if (XLogArchivingActive())
2502 XLogArchiveNotifySeg(openLogSegNo);
2504 XLogCtl->lastSegSwitchTime = (pg_time_t) time(NULL);
2505 XLogCtl->lastSegSwitchLSN = LogwrtResult.Flush;
2508 * Request a checkpoint if we've consumed too much xlog since
2509 * the last one. For speed, we first check using the local
2510 * copy of RedoRecPtr, which might be out of date; if it looks
2511 * like a checkpoint is needed, forcibly update RedoRecPtr and
2514 if (IsUnderPostmaster && XLogCheckpointNeeded(openLogSegNo))
2516 (void) GetRedoRecPtr();
2517 if (XLogCheckpointNeeded(openLogSegNo))
2518 RequestCheckpoint(CHECKPOINT_CAUSE_XLOG);
2525 /* Only asked to write a partial page */
2526 LogwrtResult.Write = WriteRqst.Write;
2529 curridx = NextBufIdx(curridx);
2531 /* If flexible, break out of loop as soon as we wrote something */
2532 if (flexible && npages == 0)
2536 Assert(npages == 0);
2539 * If asked to flush, do so
2541 if (LogwrtResult.Flush < WriteRqst.Flush &&
2542 LogwrtResult.Flush < LogwrtResult.Write)
2546 * Could get here without iterating above loop, in which case we might
2547 * have no open file or the wrong one. However, we do not need to
2548 * fsync more than one file.
2550 if (sync_method != SYNC_METHOD_OPEN &&
2551 sync_method != SYNC_METHOD_OPEN_DSYNC)
2553 if (openLogFile >= 0 &&
2554 !XLByteInPrevSeg(LogwrtResult.Write, openLogSegNo))
2556 if (openLogFile < 0)
2558 XLByteToPrevSeg(LogwrtResult.Write, openLogSegNo);
2559 openLogFile = XLogFileOpen(openLogSegNo);
2563 issue_xlog_fsync(openLogFile, openLogSegNo);
2566 /* signal that we need to wakeup walsenders later */
2567 WalSndWakeupRequest();
2569 LogwrtResult.Flush = LogwrtResult.Write;
2573 * Update shared-memory status
2575 * We make sure that the shared 'request' values do not fall behind the
2576 * 'result' values. This is not absolutely essential, but it saves some
2577 * code in a couple of places.
2580 SpinLockAcquire(&XLogCtl->info_lck);
2581 XLogCtl->LogwrtResult = LogwrtResult;
2582 if (XLogCtl->LogwrtRqst.Write < LogwrtResult.Write)
2583 XLogCtl->LogwrtRqst.Write = LogwrtResult.Write;
2584 if (XLogCtl->LogwrtRqst.Flush < LogwrtResult.Flush)
2585 XLogCtl->LogwrtRqst.Flush = LogwrtResult.Flush;
2586 SpinLockRelease(&XLogCtl->info_lck);
2591 * Record the LSN for an asynchronous transaction commit/abort
2592 * and nudge the WALWriter if there is work for it to do.
2593 * (This should not be called for synchronous commits.)
2596 XLogSetAsyncXactLSN(XLogRecPtr asyncXactLSN)
2598 XLogRecPtr WriteRqstPtr = asyncXactLSN;
2601 SpinLockAcquire(&XLogCtl->info_lck);
2602 LogwrtResult = XLogCtl->LogwrtResult;
2603 sleeping = XLogCtl->WalWriterSleeping;
2604 if (XLogCtl->asyncXactLSN < asyncXactLSN)
2605 XLogCtl->asyncXactLSN = asyncXactLSN;
2606 SpinLockRelease(&XLogCtl->info_lck);
2609 * If the WALWriter is sleeping, we should kick it to make it come out of
2610 * low-power mode. Otherwise, determine whether there's a full page of
2611 * WAL available to write.
2615 /* back off to last completed page boundary */
2616 WriteRqstPtr -= WriteRqstPtr % XLOG_BLCKSZ;
2618 /* if we have already flushed that far, we're done */
2619 if (WriteRqstPtr <= LogwrtResult.Flush)
2624 * Nudge the WALWriter: it has a full page of WAL to write, or we want it
2625 * to come out of low-power mode so that this async commit will reach disk
2626 * within the expected amount of time.
2628 if (ProcGlobal->walwriterLatch)
2629 SetLatch(ProcGlobal->walwriterLatch);
2633 * Record the LSN up to which we can remove WAL because it's not required by
2634 * any replication slot.
2637 XLogSetReplicationSlotMinimumLSN(XLogRecPtr lsn)
2639 SpinLockAcquire(&XLogCtl->info_lck);
2640 XLogCtl->replicationSlotMinLSN = lsn;
2641 SpinLockRelease(&XLogCtl->info_lck);
2646 * Return the oldest LSN we must retain to satisfy the needs of some
2650 XLogGetReplicationSlotMinimumLSN(void)
2654 SpinLockAcquire(&XLogCtl->info_lck);
2655 retval = XLogCtl->replicationSlotMinLSN;
2656 SpinLockRelease(&XLogCtl->info_lck);
2662 * Advance minRecoveryPoint in control file.
2664 * If we crash during recovery, we must reach this point again before the
2665 * database is consistent.
2667 * If 'force' is true, 'lsn' argument is ignored. Otherwise, minRecoveryPoint
2668 * is only updated if it's not already greater than or equal to 'lsn'.
2671 UpdateMinRecoveryPoint(XLogRecPtr lsn, bool force)
2673 /* Quick check using our local copy of the variable */
2674 if (!updateMinRecoveryPoint || (!force && lsn <= minRecoveryPoint))
2677 LWLockAcquire(ControlFileLock, LW_EXCLUSIVE);
2679 /* update local copy */
2680 minRecoveryPoint = ControlFile->minRecoveryPoint;
2681 minRecoveryPointTLI = ControlFile->minRecoveryPointTLI;
2684 * An invalid minRecoveryPoint means that we need to recover all the WAL,
2685 * i.e., we're doing crash recovery. We never modify the control file's
2686 * value in that case, so we can short-circuit future checks here too.
2688 if (minRecoveryPoint == 0)
2689 updateMinRecoveryPoint = false;
2690 else if (force || minRecoveryPoint < lsn)
2692 XLogRecPtr newMinRecoveryPoint;
2693 TimeLineID newMinRecoveryPointTLI;
2696 * To avoid having to update the control file too often, we update it
2697 * all the way to the last record being replayed, even though 'lsn'
2698 * would suffice for correctness. This also allows the 'force' case
2699 * to not need a valid 'lsn' value.
2701 * Another important reason for doing it this way is that the passed
2702 * 'lsn' value could be bogus, i.e., past the end of available WAL, if
2703 * the caller got it from a corrupted heap page. Accepting such a
2704 * value as the min recovery point would prevent us from coming up at
2705 * all. Instead, we just log a warning and continue with recovery.
2706 * (See also the comments about corrupt LSNs in XLogFlush.)
2708 SpinLockAcquire(&XLogCtl->info_lck);
2709 newMinRecoveryPoint = XLogCtl->replayEndRecPtr;
2710 newMinRecoveryPointTLI = XLogCtl->replayEndTLI;
2711 SpinLockRelease(&XLogCtl->info_lck);
2713 if (!force && newMinRecoveryPoint < lsn)
2715 "xlog min recovery request %X/%X is past current point %X/%X",
2716 (uint32) (lsn >> 32), (uint32) lsn,
2717 (uint32) (newMinRecoveryPoint >> 32),
2718 (uint32) newMinRecoveryPoint);
2720 /* update control file */
2721 if (ControlFile->minRecoveryPoint < newMinRecoveryPoint)
2723 ControlFile->minRecoveryPoint = newMinRecoveryPoint;
2724 ControlFile->minRecoveryPointTLI = newMinRecoveryPointTLI;
2725 UpdateControlFile();
2726 minRecoveryPoint = newMinRecoveryPoint;
2727 minRecoveryPointTLI = newMinRecoveryPointTLI;
2730 (errmsg("updated min recovery point to %X/%X on timeline %u",
2731 (uint32) (minRecoveryPoint >> 32),
2732 (uint32) minRecoveryPoint,
2733 newMinRecoveryPointTLI)));
2736 LWLockRelease(ControlFileLock);
2740 * Ensure that all XLOG data through the given position is flushed to disk.
2742 * NOTE: this differs from XLogWrite mainly in that the WALWriteLock is not
2743 * already held, and we try to avoid acquiring it if possible.
2746 XLogFlush(XLogRecPtr record)
2748 XLogRecPtr WriteRqstPtr;
2749 XLogwrtRqst WriteRqst;
2752 * During REDO, we are reading not writing WAL. Therefore, instead of
2753 * trying to flush the WAL, we should update minRecoveryPoint instead. We
2754 * test XLogInsertAllowed(), not InRecovery, because we need checkpointer
2755 * to act this way too, and because when it tries to write the
2756 * end-of-recovery checkpoint, it should indeed flush.
2758 if (!XLogInsertAllowed())
2760 UpdateMinRecoveryPoint(record, false);
2764 /* Quick exit if already known flushed */
2765 if (record <= LogwrtResult.Flush)
2770 elog(LOG, "xlog flush request %X/%X; write %X/%X; flush %X/%X",
2771 (uint32) (record >> 32), (uint32) record,
2772 (uint32) (LogwrtResult.Write >> 32), (uint32) LogwrtResult.Write,
2773 (uint32) (LogwrtResult.Flush >> 32), (uint32) LogwrtResult.Flush);
2776 START_CRIT_SECTION();
2779 * Since fsync is usually a horribly expensive operation, we try to
2780 * piggyback as much data as we can on each fsync: if we see any more data
2781 * entered into the xlog buffer, we'll write and fsync that too, so that
2782 * the final value of LogwrtResult.Flush is as large as possible. This
2783 * gives us some chance of avoiding another fsync immediately after.
2786 /* initialize to given target; may increase below */
2787 WriteRqstPtr = record;
2790 * Now wait until we get the write lock, or someone else does the flush
2795 XLogRecPtr insertpos;
2797 /* read LogwrtResult and update local state */
2798 SpinLockAcquire(&XLogCtl->info_lck);
2799 if (WriteRqstPtr < XLogCtl->LogwrtRqst.Write)
2800 WriteRqstPtr = XLogCtl->LogwrtRqst.Write;
2801 LogwrtResult = XLogCtl->LogwrtResult;
2802 SpinLockRelease(&XLogCtl->info_lck);
2805 if (record <= LogwrtResult.Flush)
2809 * Before actually performing the write, wait for all in-flight
2810 * insertions to the pages we're about to write to finish.
2812 insertpos = WaitXLogInsertionsToFinish(WriteRqstPtr);
2815 * Try to get the write lock. If we can't get it immediately, wait
2816 * until it's released, and recheck if we still need to do the flush
2817 * or if the backend that held the lock did it for us already. This
2818 * helps to maintain a good rate of group committing when the system
2819 * is bottlenecked by the speed of fsyncing.
2821 if (!LWLockAcquireOrWait(WALWriteLock, LW_EXCLUSIVE))
2824 * The lock is now free, but we didn't acquire it yet. Before we
2825 * do, loop back to check if someone else flushed the record for
2831 /* Got the lock; recheck whether request is satisfied */
2832 LogwrtResult = XLogCtl->LogwrtResult;
2833 if (record <= LogwrtResult.Flush)
2835 LWLockRelease(WALWriteLock);
2840 * Sleep before flush! By adding a delay here, we may give further
2841 * backends the opportunity to join the backlog of group commit
2842 * followers; this can significantly improve transaction throughput,
2843 * at the risk of increasing transaction latency.
2845 * We do not sleep if enableFsync is not turned on, nor if there are
2846 * fewer than CommitSiblings other backends with active transactions.
2848 if (CommitDelay > 0 && enableFsync &&
2849 MinimumActiveBackends(CommitSiblings))
2851 pg_usleep(CommitDelay);
2854 * Re-check how far we can now flush the WAL. It's generally not
2855 * safe to call WaitXLogInsertionsToFinish while holding
2856 * WALWriteLock, because an in-progress insertion might need to
2857 * also grab WALWriteLock to make progress. But we know that all
2858 * the insertions up to insertpos have already finished, because
2859 * that's what the earlier WaitXLogInsertionsToFinish() returned.
2860 * We're only calling it again to allow insertpos to be moved
2861 * further forward, not to actually wait for anyone.
2863 insertpos = WaitXLogInsertionsToFinish(insertpos);
2866 /* try to write/flush later additions to XLOG as well */
2867 WriteRqst.Write = insertpos;
2868 WriteRqst.Flush = insertpos;
2870 XLogWrite(WriteRqst, false);
2872 LWLockRelease(WALWriteLock);
2879 /* wake up walsenders now that we've released heavily contended locks */
2880 WalSndWakeupProcessRequests();
2883 * If we still haven't flushed to the request point then we have a
2884 * problem; most likely, the requested flush point is past end of XLOG.
2885 * This has been seen to occur when a disk page has a corrupted LSN.
2887 * Formerly we treated this as a PANIC condition, but that hurts the
2888 * system's robustness rather than helping it: we do not want to take down
2889 * the whole system due to corruption on one data page. In particular, if
2890 * the bad page is encountered again during recovery then we would be
2891 * unable to restart the database at all! (This scenario actually
2892 * happened in the field several times with 7.1 releases.) As of 8.4, bad
2893 * LSNs encountered during recovery are UpdateMinRecoveryPoint's problem;
2894 * the only time we can reach here during recovery is while flushing the
2895 * end-of-recovery checkpoint record, and we don't expect that to have a
2898 * Note that for calls from xact.c, the ERROR will be promoted to PANIC
2899 * since xact.c calls this routine inside a critical section. However,
2900 * calls from bufmgr.c are not within critical sections and so we will not
2901 * force a restart for a bad LSN on a data page.
2903 if (LogwrtResult.Flush < record)
2905 "xlog flush request %X/%X is not satisfied --- flushed only to %X/%X",
2906 (uint32) (record >> 32), (uint32) record,
2907 (uint32) (LogwrtResult.Flush >> 32), (uint32) LogwrtResult.Flush);
2911 * Write & flush xlog, but without specifying exactly where to.
2913 * We normally write only completed blocks; but if there is nothing to do on
2914 * that basis, we check for unwritten async commits in the current incomplete
2915 * block, and write through the latest one of those. Thus, if async commits
2916 * are not being used, we will write complete blocks only.
2918 * If, based on the above, there's anything to write we do so immediately. But
2919 * to avoid calling fsync, fdatasync et. al. at a rate that'd impact
2920 * concurrent IO, we only flush WAL every wal_writer_delay ms, or if there's
2921 * more than wal_writer_flush_after unflushed blocks.
2923 * We can guarantee that async commits reach disk after at most three
2924 * wal_writer_delay cycles. (When flushing complete blocks, we allow XLogWrite
2925 * to write "flexibly", meaning it can stop at the end of the buffer ring;
2926 * this makes a difference only with very high load or long wal_writer_delay,
2927 * but imposes one extra cycle for the worst case for async commits.)
2929 * This routine is invoked periodically by the background walwriter process.
2931 * Returns TRUE if there was any work to do, even if we skipped flushing due
2932 * to wal_writer_delay/wal_writer_flush_after.
2935 XLogBackgroundFlush(void)
2937 XLogwrtRqst WriteRqst;
2938 bool flexible = true;
2939 static TimestampTz lastflush;
2943 /* XLOG doesn't need flushing during recovery */
2944 if (RecoveryInProgress())
2947 /* read LogwrtResult and update local state */
2948 SpinLockAcquire(&XLogCtl->info_lck);
2949 LogwrtResult = XLogCtl->LogwrtResult;
2950 WriteRqst = XLogCtl->LogwrtRqst;
2951 SpinLockRelease(&XLogCtl->info_lck);
2953 /* back off to last completed page boundary */
2954 WriteRqst.Write -= WriteRqst.Write % XLOG_BLCKSZ;
2956 /* if we have already flushed that far, consider async commit records */
2957 if (WriteRqst.Write <= LogwrtResult.Flush)
2959 SpinLockAcquire(&XLogCtl->info_lck);
2960 WriteRqst.Write = XLogCtl->asyncXactLSN;
2961 SpinLockRelease(&XLogCtl->info_lck);
2962 flexible = false; /* ensure it all gets written */
2966 * If already known flushed, we're done. Just need to check if we are
2967 * holding an open file handle to a logfile that's no longer in use,
2968 * preventing the file from being deleted.
2970 if (WriteRqst.Write <= LogwrtResult.Flush)
2972 if (openLogFile >= 0)
2974 if (!XLByteInPrevSeg(LogwrtResult.Write, openLogSegNo))
2983 * Determine how far to flush WAL, based on the wal_writer_delay and
2984 * wal_writer_flush_after GUCs.
2986 now = GetCurrentTimestamp();
2988 WriteRqst.Write / XLOG_BLCKSZ - LogwrtResult.Flush / XLOG_BLCKSZ;
2990 if (WalWriterFlushAfter == 0 || lastflush == 0)
2992 /* first call, or block based limits disabled */
2993 WriteRqst.Flush = WriteRqst.Write;
2996 else if (TimestampDifferenceExceeds(lastflush, now, WalWriterDelay))
2999 * Flush the writes at least every WalWriteDelay ms. This is important
3000 * to bound the amount of time it takes for an asynchronous commit to
3003 WriteRqst.Flush = WriteRqst.Write;
3006 else if (flushbytes >= WalWriterFlushAfter)
3008 /* exceeded wal_writer_flush_after blocks, flush */
3009 WriteRqst.Flush = WriteRqst.Write;
3014 /* no flushing, this time round */
3015 WriteRqst.Flush = 0;
3020 elog(LOG, "xlog bg flush request write %X/%X; flush: %X/%X, current is write %X/%X; flush %X/%X",
3021 (uint32) (WriteRqst.Write >> 32), (uint32) WriteRqst.Write,
3022 (uint32) (WriteRqst.Flush >> 32), (uint32) WriteRqst.Flush,
3023 (uint32) (LogwrtResult.Write >> 32), (uint32) LogwrtResult.Write,
3024 (uint32) (LogwrtResult.Flush >> 32), (uint32) LogwrtResult.Flush);
3027 START_CRIT_SECTION();
3029 /* now wait for any in-progress insertions to finish and get write lock */
3030 WaitXLogInsertionsToFinish(WriteRqst.Write);
3031 LWLockAcquire(WALWriteLock, LW_EXCLUSIVE);
3032 LogwrtResult = XLogCtl->LogwrtResult;
3033 if (WriteRqst.Write > LogwrtResult.Write ||
3034 WriteRqst.Flush > LogwrtResult.Flush)
3036 XLogWrite(WriteRqst, flexible);
3038 LWLockRelease(WALWriteLock);
3042 /* wake up walsenders now that we've released heavily contended locks */
3043 WalSndWakeupProcessRequests();
3046 * Great, done. To take some work off the critical path, try to initialize
3047 * as many of the no-longer-needed WAL buffers for future use as we can.
3049 AdvanceXLInsertBuffer(InvalidXLogRecPtr, true);
3052 * If we determined that we need to write data, but somebody else
3053 * wrote/flushed already, it should be considered as being active, to
3054 * avoid hibernating too early.
3060 * Test whether XLOG data has been flushed up to (at least) the given position.
3062 * Returns true if a flush is still needed. (It may be that someone else
3063 * is already in process of flushing that far, however.)
3066 XLogNeedsFlush(XLogRecPtr record)
3069 * During recovery, we don't flush WAL but update minRecoveryPoint
3070 * instead. So "needs flush" is taken to mean whether minRecoveryPoint
3071 * would need to be updated.
3073 if (RecoveryInProgress())
3075 /* Quick exit if already known updated */
3076 if (record <= minRecoveryPoint || !updateMinRecoveryPoint)
3080 * Update local copy of minRecoveryPoint. But if the lock is busy,
3081 * just return a conservative guess.
3083 if (!LWLockConditionalAcquire(ControlFileLock, LW_SHARED))
3085 minRecoveryPoint = ControlFile->minRecoveryPoint;
3086 minRecoveryPointTLI = ControlFile->minRecoveryPointTLI;
3087 LWLockRelease(ControlFileLock);
3090 * An invalid minRecoveryPoint means that we need to recover all the
3091 * WAL, i.e., we're doing crash recovery. We never modify the control
3092 * file's value in that case, so we can short-circuit future checks
3095 if (minRecoveryPoint == 0)
3096 updateMinRecoveryPoint = false;
3099 if (record <= minRecoveryPoint || !updateMinRecoveryPoint)
3105 /* Quick exit if already known flushed */
3106 if (record <= LogwrtResult.Flush)
3109 /* read LogwrtResult and update local state */
3110 SpinLockAcquire(&XLogCtl->info_lck);
3111 LogwrtResult = XLogCtl->LogwrtResult;
3112 SpinLockRelease(&XLogCtl->info_lck);
3115 if (record <= LogwrtResult.Flush)
3122 * Create a new XLOG file segment, or open a pre-existing one.
3124 * log, seg: identify segment to be created/opened.
3126 * *use_existent: if TRUE, OK to use a pre-existing file (else, any
3127 * pre-existing file will be deleted). On return, TRUE if a pre-existing
3130 * use_lock: if TRUE, acquire ControlFileLock while moving file into
3131 * place. This should be TRUE except during bootstrap log creation. The
3132 * caller must *not* hold the lock at call.
3134 * Returns FD of opened file.
3136 * Note: errors here are ERROR not PANIC because we might or might not be
3137 * inside a critical section (eg, during checkpoint there is no reason to
3138 * take down the system on failure). They will promote to PANIC if we are
3139 * in a critical section.
3142 XLogFileInit(XLogSegNo logsegno, bool *use_existent, bool use_lock)
3144 char path[MAXPGPATH];
3145 char tmppath[MAXPGPATH];
3146 char zbuffer_raw[XLOG_BLCKSZ + MAXIMUM_ALIGNOF];
3148 XLogSegNo installed_segno;
3149 XLogSegNo max_segno;
3153 XLogFilePath(path, ThisTimeLineID, logsegno);
3156 * Try to use existent file (checkpoint maker may have created it already)
3160 fd = BasicOpenFile(path, O_RDWR | PG_BINARY | get_sync_bit(sync_method),
3164 if (errno != ENOENT)
3166 (errcode_for_file_access(),
3167 errmsg("could not open file \"%s\": %m", path)));
3174 * Initialize an empty (all zeroes) segment. NOTE: it is possible that
3175 * another process is doing the same thing. If so, we will end up
3176 * pre-creating an extra log segment. That seems OK, and better than
3177 * holding the lock throughout this lengthy process.
3179 elog(DEBUG2, "creating and filling new WAL file");
3181 snprintf(tmppath, MAXPGPATH, XLOGDIR "/xlogtemp.%d", (int) getpid());
3185 /* do not use get_sync_bit() here --- want to fsync only at end of fill */
3186 fd = BasicOpenFile(tmppath, O_RDWR | O_CREAT | O_EXCL | PG_BINARY,
3190 (errcode_for_file_access(),
3191 errmsg("could not create file \"%s\": %m", tmppath)));
3194 * Zero-fill the file. We have to do this the hard way to ensure that all
3195 * the file space has really been allocated --- on platforms that allow
3196 * "holes" in files, just seeking to the end doesn't allocate intermediate
3197 * space. This way, we know that we have all the space and (after the
3198 * fsync below) that all the indirect blocks are down on disk. Therefore,
3199 * fdatasync(2) or O_DSYNC will be sufficient to sync future writes to the
3202 * Note: ensure the buffer is reasonably well-aligned; this may save a few
3203 * cycles transferring data to the kernel.
3205 zbuffer = (char *) MAXALIGN(zbuffer_raw);
3206 memset(zbuffer, 0, XLOG_BLCKSZ);
3207 for (nbytes = 0; nbytes < XLogSegSize; nbytes += XLOG_BLCKSZ)
3210 if ((int) write(fd, zbuffer, XLOG_BLCKSZ) != (int) XLOG_BLCKSZ)
3212 int save_errno = errno;
3215 * If we fail to make the file, delete it to release disk space
3221 /* if write didn't set errno, assume problem is no disk space */
3222 errno = save_errno ? save_errno : ENOSPC;
3225 (errcode_for_file_access(),
3226 errmsg("could not write to file \"%s\": %m", tmppath)));
3230 if (pg_fsync(fd) != 0)
3234 (errcode_for_file_access(),
3235 errmsg("could not fsync file \"%s\": %m", tmppath)));
3240 (errcode_for_file_access(),
3241 errmsg("could not close file \"%s\": %m", tmppath)));
3244 * Now move the segment into place with its final name.
3246 * If caller didn't want to use a pre-existing file, get rid of any
3247 * pre-existing file. Otherwise, cope with possibility that someone else
3248 * has created the file while we were filling ours: if so, use ours to
3249 * pre-create a future log segment.
3251 installed_segno = logsegno;
3254 * XXX: What should we use as max_segno? We used to use XLOGfileslop when
3255 * that was a constant, but that was always a bit dubious: normally, at a
3256 * checkpoint, XLOGfileslop was the offset from the checkpoint record, but
3257 * here, it was the offset from the insert location. We can't do the
3258 * normal XLOGfileslop calculation here because we don't have access to
3259 * the prior checkpoint's redo location. So somewhat arbitrarily, just use
3260 * CheckPointSegments.
3262 max_segno = logsegno + CheckPointSegments;
3263 if (!InstallXLogFileSegment(&installed_segno, tmppath,
3264 *use_existent, max_segno,
3268 * No need for any more future segments, or InstallXLogFileSegment()
3269 * failed to rename the file into place. If the rename failed, opening
3270 * the file below will fail.
3275 /* Set flag to tell caller there was no existent file */
3276 *use_existent = false;
3278 /* Now open original target segment (might not be file I just made) */
3279 fd = BasicOpenFile(path, O_RDWR | PG_BINARY | get_sync_bit(sync_method),
3283 (errcode_for_file_access(),
3284 errmsg("could not open file \"%s\": %m", path)));
3286 elog(DEBUG2, "done creating and filling new WAL file");
3292 * Create a new XLOG file segment by copying a pre-existing one.
3294 * destsegno: identify segment to be created.
3296 * srcTLI, srcsegno: identify segment to be copied (could be from
3297 * a different timeline)
3299 * upto: how much of the source file to copy (the rest is filled with
3302 * Currently this is only used during recovery, and so there are no locking
3303 * considerations. But we should be just as tense as XLogFileInit to avoid
3304 * emplacing a bogus file.
3307 XLogFileCopy(XLogSegNo destsegno, TimeLineID srcTLI, XLogSegNo srcsegno,
3310 char path[MAXPGPATH];
3311 char tmppath[MAXPGPATH];
3312 char buffer[XLOG_BLCKSZ];
3318 * Open the source file
3320 XLogFilePath(path, srcTLI, srcsegno);
3321 srcfd = OpenTransientFile(path, O_RDONLY | PG_BINARY, 0);
3324 (errcode_for_file_access(),
3325 errmsg("could not open file \"%s\": %m", path)));
3328 * Copy into a temp file name.
3330 snprintf(tmppath, MAXPGPATH, XLOGDIR "/xlogtemp.%d", (int) getpid());
3334 /* do not use get_sync_bit() here --- want to fsync only at end of fill */
3335 fd = OpenTransientFile(tmppath, O_RDWR | O_CREAT | O_EXCL | PG_BINARY,
3339 (errcode_for_file_access(),
3340 errmsg("could not create file \"%s\": %m", tmppath)));
3343 * Do the data copying.
3345 for (nbytes = 0; nbytes < XLogSegSize; nbytes += sizeof(buffer))
3349 nread = upto - nbytes;
3352 * The part that is not read from the source file is filled with
3355 if (nread < sizeof(buffer))
3356 memset(buffer, 0, sizeof(buffer));
3360 if (nread > sizeof(buffer))
3361 nread = sizeof(buffer);
3363 if (read(srcfd, buffer, nread) != nread)
3367 (errcode_for_file_access(),
3368 errmsg("could not read file \"%s\": %m",
3372 (errmsg("not enough data in file \"%s\"",
3377 if ((int) write(fd, buffer, sizeof(buffer)) != (int) sizeof(buffer))
3379 int save_errno = errno;
3382 * If we fail to make the file, delete it to release disk space
3385 /* if write didn't set errno, assume problem is no disk space */
3386 errno = save_errno ? save_errno : ENOSPC;
3389 (errcode_for_file_access(),
3390 errmsg("could not write to file \"%s\": %m", tmppath)));
3394 if (pg_fsync(fd) != 0)
3396 (errcode_for_file_access(),
3397 errmsg("could not fsync file \"%s\": %m", tmppath)));
3399 if (CloseTransientFile(fd))
3401 (errcode_for_file_access(),
3402 errmsg("could not close file \"%s\": %m", tmppath)));
3404 CloseTransientFile(srcfd);
3407 * Now move the segment into place with its final name.
3409 if (!InstallXLogFileSegment(&destsegno, tmppath, false, 0, false))
3410 elog(ERROR, "InstallXLogFileSegment should not have failed");
3414 * Install a new XLOG segment file as a current or future log segment.
3416 * This is used both to install a newly-created segment (which has a temp
3417 * filename while it's being created) and to recycle an old segment.
3419 * *segno: identify segment to install as (or first possible target).
3420 * When find_free is TRUE, this is modified on return to indicate the
3421 * actual installation location or last segment searched.
3423 * tmppath: initial name of file to install. It will be renamed into place.
3425 * find_free: if TRUE, install the new segment at the first empty segno
3426 * number at or after the passed numbers. If FALSE, install the new segment
3427 * exactly where specified, deleting any existing segment file there.
3429 * max_segno: maximum segment number to install the new file as. Fail if no
3430 * free slot is found between *segno and max_segno. (Ignored when find_free
3433 * use_lock: if TRUE, acquire ControlFileLock while moving file into
3434 * place. This should be TRUE except during bootstrap log creation. The
3435 * caller must *not* hold the lock at call.
3437 * Returns TRUE if the file was installed successfully. FALSE indicates that
3438 * max_segno limit was exceeded, or an error occurred while renaming the
3442 InstallXLogFileSegment(XLogSegNo *segno, char *tmppath,
3443 bool find_free, XLogSegNo max_segno,
3446 char path[MAXPGPATH];
3447 struct stat stat_buf;
3449 XLogFilePath(path, ThisTimeLineID, *segno);
3452 * We want to be sure that only one process does this at a time.
3455 LWLockAcquire(ControlFileLock, LW_EXCLUSIVE);
3459 /* Force installation: get rid of any pre-existing segment file */
3464 /* Find a free slot to put it in */
3465 while (stat(path, &stat_buf) == 0)
3467 if ((*segno) >= max_segno)
3469 /* Failed to find a free slot within specified range */
3471 LWLockRelease(ControlFileLock);
3475 XLogFilePath(path, ThisTimeLineID, *segno);
3480 * Perform the rename using link if available, paranoidly trying to avoid
3481 * overwriting an existing file (there shouldn't be one).
3483 if (durable_link_or_rename(tmppath, path, LOG) != 0)
3486 LWLockRelease(ControlFileLock);
3487 /* durable_link_or_rename already emitted log message */
3492 LWLockRelease(ControlFileLock);
3498 * Open a pre-existing logfile segment for writing.
3501 XLogFileOpen(XLogSegNo segno)
3503 char path[MAXPGPATH];
3506 XLogFilePath(path, ThisTimeLineID, segno);
3508 fd = BasicOpenFile(path, O_RDWR | PG_BINARY | get_sync_bit(sync_method),
3512 (errcode_for_file_access(),
3513 errmsg("could not open transaction log file \"%s\": %m", path)));
3519 * Open a logfile segment for reading (during recovery).
3521 * If source == XLOG_FROM_ARCHIVE, the segment is retrieved from archive.
3522 * Otherwise, it's assumed to be already available in pg_wal.
3525 XLogFileRead(XLogSegNo segno, int emode, TimeLineID tli,
3526 int source, bool notfoundOk)
3528 char xlogfname[MAXFNAMELEN];
3529 char activitymsg[MAXFNAMELEN + 16];
3530 char path[MAXPGPATH];
3533 XLogFileName(xlogfname, tli, segno);
3537 case XLOG_FROM_ARCHIVE:
3538 /* Report recovery progress in PS display */
3539 snprintf(activitymsg, sizeof(activitymsg), "waiting for %s",
3541 set_ps_display(activitymsg, false);
3543 restoredFromArchive = RestoreArchivedFile(path, xlogfname,
3547 if (!restoredFromArchive)
3551 case XLOG_FROM_PG_WAL:
3552 case XLOG_FROM_STREAM:
3553 XLogFilePath(path, tli, segno);
3554 restoredFromArchive = false;
3558 elog(ERROR, "invalid XLogFileRead source %d", source);
3562 * If the segment was fetched from archival storage, replace the existing
3563 * xlog segment (if any) with the archival version.
3565 if (source == XLOG_FROM_ARCHIVE)
3567 KeepFileRestoredFromArchive(path, xlogfname);
3570 * Set path to point at the new file in pg_wal.
3572 snprintf(path, MAXPGPATH, XLOGDIR "/%s", xlogfname);
3575 fd = BasicOpenFile(path, O_RDONLY | PG_BINARY, 0);
3581 /* Report recovery progress in PS display */
3582 snprintf(activitymsg, sizeof(activitymsg), "recovering %s",
3584 set_ps_display(activitymsg, false);
3586 /* Track source of data in assorted state variables */
3587 readSource = source;
3588 XLogReceiptSource = source;
3589 /* In FROM_STREAM case, caller tracks receipt time, not me */
3590 if (source != XLOG_FROM_STREAM)
3591 XLogReceiptTime = GetCurrentTimestamp();
3595 if (errno != ENOENT || !notfoundOk) /* unexpected failure? */
3597 (errcode_for_file_access(),
3598 errmsg("could not open file \"%s\": %m", path)));
3603 * Open a logfile segment for reading (during recovery).
3605 * This version searches for the segment with any TLI listed in expectedTLEs.
3608 XLogFileReadAnyTLI(XLogSegNo segno, int emode, int source)
3610 char path[MAXPGPATH];
3616 * Loop looking for a suitable timeline ID: we might need to read any of
3617 * the timelines listed in expectedTLEs.
3619 * We expect curFileTLI on entry to be the TLI of the preceding file in
3620 * sequence, or 0 if there was no predecessor. We do not allow curFileTLI
3621 * to go backwards; this prevents us from picking up the wrong file when a
3622 * parent timeline extends to higher segment numbers than the child we
3625 * If we haven't read the timeline history file yet, read it now, so that
3626 * we know which TLIs to scan. We don't save the list in expectedTLEs,
3627 * however, unless we actually find a valid segment. That way if there is
3628 * neither a timeline history file nor a WAL segment in the archive, and
3629 * streaming replication is set up, we'll read the timeline history file
3630 * streamed from the master when we start streaming, instead of recovering
3631 * with a dummy history generated here.
3634 tles = expectedTLEs;
3636 tles = readTimeLineHistory(recoveryTargetTLI);
3640 TimeLineID tli = ((TimeLineHistoryEntry *) lfirst(cell))->tli;
3642 if (tli < curFileTLI)
3643 break; /* don't bother looking at too-old TLIs */
3645 if (source == XLOG_FROM_ANY || source == XLOG_FROM_ARCHIVE)
3647 fd = XLogFileRead(segno, emode, tli,
3648 XLOG_FROM_ARCHIVE, true);
3651 elog(DEBUG1, "got WAL segment from archive");
3653 expectedTLEs = tles;
3658 if (source == XLOG_FROM_ANY || source == XLOG_FROM_PG_WAL)
3660 fd = XLogFileRead(segno, emode, tli,
3661 XLOG_FROM_PG_WAL, true);
3665 expectedTLEs = tles;
3671 /* Couldn't find it. For simplicity, complain about front timeline */
3672 XLogFilePath(path, recoveryTargetTLI, segno);
3675 (errcode_for_file_access(),
3676 errmsg("could not open file \"%s\": %m", path)));
3681 * Close the current logfile segment for writing.
3686 Assert(openLogFile >= 0);
3689 * WAL segment files will not be re-read in normal operation, so we advise
3690 * the OS to release any cached pages. But do not do so if WAL archiving
3691 * or streaming is active, because archiver and walsender process could
3692 * use the cache to read the WAL segment.
3694 #if defined(USE_POSIX_FADVISE) && defined(POSIX_FADV_DONTNEED)
3695 if (!XLogIsNeeded())
3696 (void) posix_fadvise(openLogFile, 0, 0, POSIX_FADV_DONTNEED);
3699 if (close(openLogFile))
3701 (errcode_for_file_access(),
3702 errmsg("could not close log file %s: %m",
3703 XLogFileNameP(ThisTimeLineID, openLogSegNo))));
3708 * Preallocate log files beyond the specified log endpoint.
3710 * XXX this is currently extremely conservative, since it forces only one
3711 * future log segment to exist, and even that only if we are 75% done with
3712 * the current one. This is only appropriate for very low-WAL-volume systems.
3713 * High-volume systems will be OK once they've built up a sufficient set of
3714 * recycled log segments, but the startup transient is likely to include
3715 * a lot of segment creations by foreground processes, which is not so good.
3718 PreallocXlogFiles(XLogRecPtr endptr)
3720 XLogSegNo _logSegNo;
3724 XLByteToPrevSeg(endptr, _logSegNo);
3725 if ((endptr - 1) % XLogSegSize >= (uint32) (0.75 * XLogSegSize))
3728 use_existent = true;
3729 lf = XLogFileInit(_logSegNo, &use_existent, true);
3732 CheckpointStats.ckpt_segs_added++;
3737 * Throws an error if the given log segment has already been removed or
3738 * recycled. The caller should only pass a segment that it knows to have
3739 * existed while the server has been running, as this function always
3740 * succeeds if no WAL segments have been removed since startup.
3741 * 'tli' is only used in the error message.
3744 CheckXLogRemoved(XLogSegNo segno, TimeLineID tli)
3746 XLogSegNo lastRemovedSegNo;
3748 SpinLockAcquire(&XLogCtl->info_lck);
3749 lastRemovedSegNo = XLogCtl->lastRemovedSegNo;
3750 SpinLockRelease(&XLogCtl->info_lck);
3752 if (segno <= lastRemovedSegNo)
3754 char filename[MAXFNAMELEN];
3756 XLogFileName(filename, tli, segno);
3758 (errcode_for_file_access(),
3759 errmsg("requested WAL segment %s has already been removed",
3765 * Return the last WAL segment removed, or 0 if no segment has been removed
3768 * NB: the result can be out of date arbitrarily fast, the caller has to deal
3772 XLogGetLastRemovedSegno(void)
3774 XLogSegNo lastRemovedSegNo;
3776 SpinLockAcquire(&XLogCtl->info_lck);
3777 lastRemovedSegNo = XLogCtl->lastRemovedSegNo;
3778 SpinLockRelease(&XLogCtl->info_lck);
3780 return lastRemovedSegNo;
3784 * Update the last removed segno pointer in shared memory, to reflect
3785 * that the given XLOG file has been removed.
3788 UpdateLastRemovedPtr(char *filename)
3793 XLogFromFileName(filename, &tli, &segno);
3795 SpinLockAcquire(&XLogCtl->info_lck);
3796 if (segno > XLogCtl->lastRemovedSegNo)
3797 XLogCtl->lastRemovedSegNo = segno;
3798 SpinLockRelease(&XLogCtl->info_lck);
3802 * Recycle or remove all log files older or equal to passed segno.
3804 * endptr is current (or recent) end of xlog, and PriorRedoRecPtr is the
3805 * redo pointer of the previous checkpoint. These are used to determine
3806 * whether we want to recycle rather than delete no-longer-wanted log files.
3809 RemoveOldXlogFiles(XLogSegNo segno, XLogRecPtr PriorRedoPtr, XLogRecPtr endptr)
3812 struct dirent *xlde;
3813 char lastoff[MAXFNAMELEN];
3815 xldir = AllocateDir(XLOGDIR);
3818 (errcode_for_file_access(),
3819 errmsg("could not open transaction log directory \"%s\": %m",
3823 * Construct a filename of the last segment to be kept. The timeline ID
3824 * doesn't matter, we ignore that in the comparison. (During recovery,
3825 * ThisTimeLineID isn't set, so we can't use that.)
3827 XLogFileName(lastoff, 0, segno);
3829 elog(DEBUG2, "attempting to remove WAL segments older than log file %s",
3832 while ((xlde = ReadDir(xldir, XLOGDIR)) != NULL)
3834 /* Ignore files that are not XLOG segments */
3835 if (!IsXLogFileName(xlde->d_name) &&
3836 !IsPartialXLogFileName(xlde->d_name))
3840 * We ignore the timeline part of the XLOG segment identifiers in
3841 * deciding whether a segment is still needed. This ensures that we
3842 * won't prematurely remove a segment from a parent timeline. We could
3843 * probably be a little more proactive about removing segments of
3844 * non-parent timelines, but that would be a whole lot more
3847 * We use the alphanumeric sorting property of the filenames to decide
3848 * which ones are earlier than the lastoff segment.
3850 if (strcmp(xlde->d_name + 8, lastoff + 8) <= 0)
3852 if (XLogArchiveCheckDone(xlde->d_name))
3854 /* Update the last removed location in shared memory first */
3855 UpdateLastRemovedPtr(xlde->d_name);
3857 RemoveXlogFile(xlde->d_name, PriorRedoPtr, endptr);
3866 * Remove WAL files that are not part of the given timeline's history.
3868 * This is called during recovery, whenever we switch to follow a new
3869 * timeline, and at the end of recovery when we create a new timeline. We
3870 * wouldn't otherwise care about extra WAL files lying in pg_wal, but they
3871 * might be leftover pre-allocated or recycled WAL segments on the old timeline
3872 * that we haven't used yet, and contain garbage. If we just leave them in
3873 * pg_wal, they will eventually be archived, and we can't let that happen.
3874 * Files that belong to our timeline history are valid, because we have
3875 * successfully replayed them, but from others we can't be sure.
3877 * 'switchpoint' is the current point in WAL where we switch to new timeline,
3878 * and 'newTLI' is the new timeline we switch to.
3881 RemoveNonParentXlogFiles(XLogRecPtr switchpoint, TimeLineID newTLI)
3884 struct dirent *xlde;
3885 char switchseg[MAXFNAMELEN];
3886 XLogSegNo endLogSegNo;
3888 XLByteToPrevSeg(switchpoint, endLogSegNo);
3890 xldir = AllocateDir(XLOGDIR);
3893 (errcode_for_file_access(),
3894 errmsg("could not open transaction log directory \"%s\": %m",
3898 * Construct a filename of the last segment to be kept.
3900 XLogFileName(switchseg, newTLI, endLogSegNo);
3902 elog(DEBUG2, "attempting to remove WAL segments newer than log file %s",
3905 while ((xlde = ReadDir(xldir, XLOGDIR)) != NULL)
3907 /* Ignore files that are not XLOG segments */
3908 if (!IsXLogFileName(xlde->d_name))
3912 * Remove files that are on a timeline older than the new one we're
3913 * switching to, but with a segment number >= the first segment on the
3916 if (strncmp(xlde->d_name, switchseg, 8) < 0 &&
3917 strcmp(xlde->d_name + 8, switchseg + 8) > 0)
3920 * If the file has already been marked as .ready, however, don't
3921 * remove it yet. It should be OK to remove it - files that are
3922 * not part of our timeline history are not required for recovery
3923 * - but seems safer to let them be archived and removed later.
3925 if (!XLogArchiveIsReady(xlde->d_name))
3926 RemoveXlogFile(xlde->d_name, InvalidXLogRecPtr, switchpoint);
3934 * Recycle or remove a log file that's no longer needed.
3936 * endptr is current (or recent) end of xlog, and PriorRedoRecPtr is the
3937 * redo pointer of the previous checkpoint. These are used to determine
3938 * whether we want to recycle rather than delete no-longer-wanted log files.
3939 * If PriorRedoRecPtr is not known, pass invalid, and the function will
3940 * recycle, somewhat arbitrarily, 10 future segments.
3943 RemoveXlogFile(const char *segname, XLogRecPtr PriorRedoPtr, XLogRecPtr endptr)
3945 char path[MAXPGPATH];
3947 char newpath[MAXPGPATH];
3949 struct stat statbuf;
3950 XLogSegNo endlogSegNo;
3951 XLogSegNo recycleSegNo;
3954 * Initialize info about where to try to recycle to.
3956 XLByteToPrevSeg(endptr, endlogSegNo);
3957 if (PriorRedoPtr == InvalidXLogRecPtr)
3958 recycleSegNo = endlogSegNo + 10;
3960 recycleSegNo = XLOGfileslop(PriorRedoPtr);
3962 snprintf(path, MAXPGPATH, XLOGDIR "/%s", segname);
3965 * Before deleting the file, see if it can be recycled as a future log
3966 * segment. Only recycle normal files, pg_standby for example can create
3967 * symbolic links pointing to a separate archive directory.
3969 if (endlogSegNo <= recycleSegNo &&
3970 lstat(path, &statbuf) == 0 && S_ISREG(statbuf.st_mode) &&
3971 InstallXLogFileSegment(&endlogSegNo, path,
3972 true, recycleSegNo, true))
3975 (errmsg("recycled transaction log file \"%s\"",
3977 CheckpointStats.ckpt_segs_recycled++;
3978 /* Needn't recheck that slot on future iterations */
3983 /* No need for any more future segments... */
3987 (errmsg("removing transaction log file \"%s\"",
3993 * On Windows, if another process (e.g another backend) holds the file
3994 * open in FILE_SHARE_DELETE mode, unlink will succeed, but the file
3995 * will still show up in directory listing until the last handle is
3996 * closed. To avoid confusing the lingering deleted file for a live
3997 * WAL file that needs to be archived, rename it before deleting it.
3999 * If another process holds the file open without FILE_SHARE_DELETE
4000 * flag, rename will fail. We'll try again at the next checkpoint.
4002 snprintf(newpath, MAXPGPATH, "%s.deleted", path);
4003 if (rename(path, newpath) != 0)
4006 (errcode_for_file_access(),
4007 errmsg("could not rename old transaction log file \"%s\": %m",
4011 rc = unlink(newpath);
4018 (errcode_for_file_access(),
4019 errmsg("could not remove old transaction log file \"%s\": %m",
4023 CheckpointStats.ckpt_segs_removed++;
4026 XLogArchiveCleanup(segname);
4030 * Verify whether pg_wal and pg_wal/archive_status exist.
4031 * If the latter does not exist, recreate it.
4033 * It is not the goal of this function to verify the contents of these
4034 * directories, but to help in cases where someone has performed a cluster
4035 * copy for PITR purposes but omitted pg_wal from the copy.
4037 * We could also recreate pg_wal if it doesn't exist, but a deliberate
4038 * policy decision was made not to. It is fairly common for pg_wal to be
4039 * a symlink, and if that was the DBA's intent then automatically making a
4040 * plain directory would result in degraded performance with no notice.
4043 ValidateXLOGDirectoryStructure(void)
4045 char path[MAXPGPATH];
4046 struct stat stat_buf;
4048 /* Check for pg_wal; if it doesn't exist, error out */
4049 if (stat(XLOGDIR, &stat_buf) != 0 ||
4050 !S_ISDIR(stat_buf.st_mode))
4052 (errmsg("required WAL directory \"%s\" does not exist",
4055 /* Check for archive_status */
4056 snprintf(path, MAXPGPATH, XLOGDIR "/archive_status");
4057 if (stat(path, &stat_buf) == 0)
4059 /* Check for weird cases where it exists but isn't a directory */
4060 if (!S_ISDIR(stat_buf.st_mode))
4062 (errmsg("required WAL directory \"%s\" does not exist",
4068 (errmsg("creating missing WAL directory \"%s\"", path)));
4069 if (mkdir(path, S_IRWXU) < 0)
4071 (errmsg("could not create missing directory \"%s\": %m",
4077 * Remove previous backup history files. This also retries creation of
4078 * .ready files for any backup history files for which XLogArchiveNotify
4082 CleanupBackupHistory(void)
4085 struct dirent *xlde;
4086 char path[MAXPGPATH];
4088 xldir = AllocateDir(XLOGDIR);
4091 (errcode_for_file_access(),
4092 errmsg("could not open transaction log directory \"%s\": %m",
4095 while ((xlde = ReadDir(xldir, XLOGDIR)) != NULL)
4097 if (IsBackupHistoryFileName(xlde->d_name))
4099 if (XLogArchiveCheckDone(xlde->d_name))
4102 (errmsg("removing transaction log backup history file \"%s\"",
4104 snprintf(path, MAXPGPATH, XLOGDIR "/%s", xlde->d_name);
4106 XLogArchiveCleanup(xlde->d_name);
4115 * Attempt to read an XLOG record.
4117 * If RecPtr is not NULL, try to read a record at that position. Otherwise
4118 * try to read a record just after the last one previously read.
4120 * If no valid record is available, returns NULL, or fails if emode is PANIC.
4121 * (emode must be either PANIC, LOG). In standby mode, retries until a valid
4122 * record is available.
4124 * The record is copied into readRecordBuf, so that on successful return,
4125 * the returned record pointer always points there.
4128 ReadRecord(XLogReaderState *xlogreader, XLogRecPtr RecPtr, int emode,
4132 XLogPageReadPrivate *private = (XLogPageReadPrivate *) xlogreader->private_data;
4134 /* Pass through parameters to XLogPageRead */
4135 private->fetching_ckpt = fetching_ckpt;
4136 private->emode = emode;
4137 private->randAccess = (RecPtr != InvalidXLogRecPtr);
4139 /* This is the first attempt to read this page. */
4140 lastSourceFailed = false;
4146 record = XLogReadRecord(xlogreader, RecPtr, &errormsg);
4147 ReadRecPtr = xlogreader->ReadRecPtr;
4148 EndRecPtr = xlogreader->EndRecPtr;
4158 * We only end up here without a message when XLogPageRead()
4159 * failed - in that case we already logged something. In
4160 * StandbyMode that only happens if we have been triggered, so we
4161 * shouldn't loop anymore in that case.
4164 ereport(emode_for_corrupt_record(emode,
4165 RecPtr ? RecPtr : EndRecPtr),
4166 (errmsg_internal("%s", errormsg) /* already translated */ ));
4170 * Check page TLI is one of the expected values.
4172 else if (!tliInHistory(xlogreader->latestPageTLI, expectedTLEs))
4174 char fname[MAXFNAMELEN];
4178 XLByteToSeg(xlogreader->latestPagePtr, segno);
4179 offset = xlogreader->latestPagePtr % XLogSegSize;
4180 XLogFileName(fname, xlogreader->readPageTLI, segno);
4181 ereport(emode_for_corrupt_record(emode,
4182 RecPtr ? RecPtr : EndRecPtr),
4183 (errmsg("unexpected timeline ID %u in log segment %s, offset %u",
4184 xlogreader->latestPageTLI,
4192 /* Great, got a record */
4197 /* No valid record available from this source */
4198 lastSourceFailed = true;
4201 * If archive recovery was requested, but we were still doing
4202 * crash recovery, switch to archive recovery and retry using the
4203 * offline archive. We have now replayed all the valid WAL in
4204 * pg_wal, so we are presumably now consistent.
4206 * We require that there's at least some valid WAL present in
4207 * pg_wal, however (!fetch_ckpt). We could recover using the WAL
4208 * from the archive, even if pg_wal is completely empty, but we'd
4209 * have no idea how far we'd have to replay to reach consistency.
4210 * So err on the safe side and give up.
4212 if (!InArchiveRecovery && ArchiveRecoveryRequested &&
4216 (errmsg_internal("reached end of WAL in pg_wal, entering archive recovery")));
4217 InArchiveRecovery = true;
4218 if (StandbyModeRequested)
4221 /* initialize minRecoveryPoint to this record */
4222 LWLockAcquire(ControlFileLock, LW_EXCLUSIVE);
4223 ControlFile->state = DB_IN_ARCHIVE_RECOVERY;
4224 if (ControlFile->minRecoveryPoint < EndRecPtr)
4226 ControlFile->minRecoveryPoint = EndRecPtr;
4227 ControlFile->minRecoveryPointTLI = ThisTimeLineID;
4229 /* update local copy */
4230 minRecoveryPoint = ControlFile->minRecoveryPoint;
4231 minRecoveryPointTLI = ControlFile->minRecoveryPointTLI;
4233 UpdateControlFile();
4234 LWLockRelease(ControlFileLock);
4236 CheckRecoveryConsistency();
4239 * Before we retry, reset lastSourceFailed and currentSource
4240 * so that we will check the archive next.
4242 lastSourceFailed = false;
4248 /* In standby mode, loop back to retry. Otherwise, give up. */
4249 if (StandbyMode && !CheckForStandbyTrigger())
4258 * Scan for new timelines that might have appeared in the archive since we
4261 * If there are any, the function changes recovery target TLI to the latest
4262 * one and returns 'true'.
4265 rescanLatestTimeLine(void)
4267 List *newExpectedTLEs;
4270 TimeLineID newtarget;
4271 TimeLineID oldtarget = recoveryTargetTLI;
4272 TimeLineHistoryEntry *currentTle = NULL;
4274 newtarget = findNewestTimeLine(recoveryTargetTLI);
4275 if (newtarget == recoveryTargetTLI)
4277 /* No new timelines found */
4282 * Determine the list of expected TLIs for the new TLI
4285 newExpectedTLEs = readTimeLineHistory(newtarget);
4288 * If the current timeline is not part of the history of the new timeline,
4289 * we cannot proceed to it.
4292 foreach(cell, newExpectedTLEs)
4294 currentTle = (TimeLineHistoryEntry *) lfirst(cell);
4296 if (currentTle->tli == recoveryTargetTLI)
4305 (errmsg("new timeline %u is not a child of database system timeline %u",
4312 * The current timeline was found in the history file, but check that the
4313 * next timeline was forked off from it *after* the current recovery
4316 if (currentTle->end < EndRecPtr)
4319 (errmsg("new timeline %u forked off current database system timeline %u before current recovery point %X/%X",
4322 (uint32) (EndRecPtr >> 32), (uint32) EndRecPtr)));
4326 /* The new timeline history seems valid. Switch target */
4327 recoveryTargetTLI = newtarget;
4328 list_free_deep(expectedTLEs);
4329 expectedTLEs = newExpectedTLEs;
4332 * As in StartupXLOG(), try to ensure we have all the history files
4333 * between the old target and new target in pg_wal.
4335 restoreTimeLineHistoryFiles(oldtarget + 1, newtarget);
4338 (errmsg("new target timeline is %u",
4339 recoveryTargetTLI)));
4345 * I/O routines for pg_control
4347 * *ControlFile is a buffer in shared memory that holds an image of the
4348 * contents of pg_control. WriteControlFile() initializes pg_control
4349 * given a preloaded buffer, ReadControlFile() loads the buffer from
4350 * the pg_control file (during postmaster or standalone-backend startup),
4351 * and UpdateControlFile() rewrites pg_control after we modify xlog state.
4353 * For simplicity, WriteControlFile() initializes the fields of pg_control
4354 * that are related to checking backend/database compatibility, and
4355 * ReadControlFile() verifies they are correct. We could split out the
4356 * I/O and compatibility-check functions, but there seems no need currently.
4359 WriteControlFile(void)
4362 char buffer[PG_CONTROL_SIZE]; /* need not be aligned */
4365 * Initialize version and compatibility-check fields
4367 ControlFile->pg_control_version = PG_CONTROL_VERSION;
4368 ControlFile->catalog_version_no = CATALOG_VERSION_NO;
4370 ControlFile->maxAlign = MAXIMUM_ALIGNOF;
4371 ControlFile->floatFormat = FLOATFORMAT_VALUE;
4373 ControlFile->blcksz = BLCKSZ;
4374 ControlFile->relseg_size = RELSEG_SIZE;
4375 ControlFile->xlog_blcksz = XLOG_BLCKSZ;
4376 ControlFile->xlog_seg_size = XLOG_SEG_SIZE;
4378 ControlFile->nameDataLen = NAMEDATALEN;
4379 ControlFile->indexMaxKeys = INDEX_MAX_KEYS;
4381 ControlFile->toast_max_chunk_size = TOAST_MAX_CHUNK_SIZE;
4382 ControlFile->loblksize = LOBLKSIZE;
4384 ControlFile->float4ByVal = FLOAT4PASSBYVAL;
4385 ControlFile->float8ByVal = FLOAT8PASSBYVAL;
4387 /* Contents are protected with a CRC */
4388 INIT_CRC32C(ControlFile->crc);
4389 COMP_CRC32C(ControlFile->crc,
4390 (char *) ControlFile,
4391 offsetof(ControlFileData, crc));
4392 FIN_CRC32C(ControlFile->crc);
4395 * We write out PG_CONTROL_SIZE bytes into pg_control, zero-padding the
4396 * excess over sizeof(ControlFileData). This reduces the odds of
4397 * premature-EOF errors when reading pg_control. We'll still fail when we
4398 * check the contents of the file, but hopefully with a more specific
4399 * error than "couldn't read pg_control".
4401 if (sizeof(ControlFileData) > PG_CONTROL_SIZE)
4402 elog(PANIC, "sizeof(ControlFileData) is larger than PG_CONTROL_SIZE; fix either one");
4404 memset(buffer, 0, PG_CONTROL_SIZE);
4405 memcpy(buffer, ControlFile, sizeof(ControlFileData));
4407 fd = BasicOpenFile(XLOG_CONTROL_FILE,
4408 O_RDWR | O_CREAT | O_EXCL | PG_BINARY,
4412 (errcode_for_file_access(),
4413 errmsg("could not create control file \"%s\": %m",
4414 XLOG_CONTROL_FILE)));
4417 if (write(fd, buffer, PG_CONTROL_SIZE) != PG_CONTROL_SIZE)
4419 /* if write didn't set errno, assume problem is no disk space */
4423 (errcode_for_file_access(),
4424 errmsg("could not write to control file: %m")));
4427 if (pg_fsync(fd) != 0)
4429 (errcode_for_file_access(),
4430 errmsg("could not fsync control file: %m")));
4434 (errcode_for_file_access(),
4435 errmsg("could not close control file: %m")));
4439 ReadControlFile(void)
4447 fd = BasicOpenFile(XLOG_CONTROL_FILE,
4452 (errcode_for_file_access(),
4453 errmsg("could not open control file \"%s\": %m",
4454 XLOG_CONTROL_FILE)));
4456 if (read(fd, ControlFile, sizeof(ControlFileData)) != sizeof(ControlFileData))
4458 (errcode_for_file_access(),
4459 errmsg("could not read from control file: %m")));
4464 * Check for expected pg_control format version. If this is wrong, the
4465 * CRC check will likely fail because we'll be checking the wrong number
4466 * of bytes. Complaining about wrong version will probably be more
4467 * enlightening than complaining about wrong CRC.
4470 if (ControlFile->pg_control_version != PG_CONTROL_VERSION && ControlFile->pg_control_version % 65536 == 0 && ControlFile->pg_control_version / 65536 != 0)
4472 (errmsg("database files are incompatible with server"),
4473 errdetail("The database cluster was initialized with PG_CONTROL_VERSION %d (0x%08x),"
4474 " but the server was compiled with PG_CONTROL_VERSION %d (0x%08x).",
4475 ControlFile->pg_control_version, ControlFile->pg_control_version,
4476 PG_CONTROL_VERSION, PG_CONTROL_VERSION),
4477 errhint("This could be a problem of mismatched byte ordering. It looks like you need to initdb.")));
4479 if (ControlFile->pg_control_version != PG_CONTROL_VERSION)
4481 (errmsg("database files are incompatible with server"),
4482 errdetail("The database cluster was initialized with PG_CONTROL_VERSION %d,"
4483 " but the server was compiled with PG_CONTROL_VERSION %d.",
4484 ControlFile->pg_control_version, PG_CONTROL_VERSION),
4485 errhint("It looks like you need to initdb.")));
4487 /* Now check the CRC. */
4490 (char *) ControlFile,
4491 offsetof(ControlFileData, crc));
4494 if (!EQ_CRC32C(crc, ControlFile->crc))
4496 (errmsg("incorrect checksum in control file")));
4499 * Do compatibility checking immediately. If the database isn't
4500 * compatible with the backend executable, we want to abort before we can
4501 * possibly do any damage.
4503 if (ControlFile->catalog_version_no != CATALOG_VERSION_NO)
4505 (errmsg("database files are incompatible with server"),
4506 errdetail("The database cluster was initialized with CATALOG_VERSION_NO %d,"
4507 " but the server was compiled with CATALOG_VERSION_NO %d.",
4508 ControlFile->catalog_version_no, CATALOG_VERSION_NO),
4509 errhint("It looks like you need to initdb.")));
4510 if (ControlFile->maxAlign != MAXIMUM_ALIGNOF)
4512 (errmsg("database files are incompatible with server"),
4513 errdetail("The database cluster was initialized with MAXALIGN %d,"
4514 " but the server was compiled with MAXALIGN %d.",
4515 ControlFile->maxAlign, MAXIMUM_ALIGNOF),
4516 errhint("It looks like you need to initdb.")));
4517 if (ControlFile->floatFormat != FLOATFORMAT_VALUE)
4519 (errmsg("database files are incompatible with server"),
4520 errdetail("The database cluster appears to use a different floating-point number format than the server executable."),
4521 errhint("It looks like you need to initdb.")));
4522 if (ControlFile->blcksz != BLCKSZ)
4524 (errmsg("database files are incompatible with server"),
4525 errdetail("The database cluster was initialized with BLCKSZ %d,"
4526 " but the server was compiled with BLCKSZ %d.",
4527 ControlFile->blcksz, BLCKSZ),
4528 errhint("It looks like you need to recompile or initdb.")));
4529 if (ControlFile->relseg_size != RELSEG_SIZE)
4531 (errmsg("database files are incompatible with server"),
4532 errdetail("The database cluster was initialized with RELSEG_SIZE %d,"
4533 " but the server was compiled with RELSEG_SIZE %d.",
4534 ControlFile->relseg_size, RELSEG_SIZE),
4535 errhint("It looks like you need to recompile or initdb.")));
4536 if (ControlFile->xlog_blcksz != XLOG_BLCKSZ)
4538 (errmsg("database files are incompatible with server"),
4539 errdetail("The database cluster was initialized with XLOG_BLCKSZ %d,"
4540 " but the server was compiled with XLOG_BLCKSZ %d.",
4541 ControlFile->xlog_blcksz, XLOG_BLCKSZ),
4542 errhint("It looks like you need to recompile or initdb.")));
4543 if (ControlFile->xlog_seg_size != XLOG_SEG_SIZE)
4545 (errmsg("database files are incompatible with server"),
4546 errdetail("The database cluster was initialized with XLOG_SEG_SIZE %d,"
4547 " but the server was compiled with XLOG_SEG_SIZE %d.",
4548 ControlFile->xlog_seg_size, XLOG_SEG_SIZE),
4549 errhint("It looks like you need to recompile or initdb.")));
4550 if (ControlFile->nameDataLen != NAMEDATALEN)
4552 (errmsg("database files are incompatible with server"),
4553 errdetail("The database cluster was initialized with NAMEDATALEN %d,"
4554 " but the server was compiled with NAMEDATALEN %d.",
4555 ControlFile->nameDataLen, NAMEDATALEN),
4556 errhint("It looks like you need to recompile or initdb.")));
4557 if (ControlFile->indexMaxKeys != INDEX_MAX_KEYS)
4559 (errmsg("database files are incompatible with server"),
4560 errdetail("The database cluster was initialized with INDEX_MAX_KEYS %d,"
4561 " but the server was compiled with INDEX_MAX_KEYS %d.",
4562 ControlFile->indexMaxKeys, INDEX_MAX_KEYS),
4563 errhint("It looks like you need to recompile or initdb.")));
4564 if (ControlFile->toast_max_chunk_size != TOAST_MAX_CHUNK_SIZE)
4566 (errmsg("database files are incompatible with server"),
4567 errdetail("The database cluster was initialized with TOAST_MAX_CHUNK_SIZE %d,"
4568 " but the server was compiled with TOAST_MAX_CHUNK_SIZE %d.",
4569 ControlFile->toast_max_chunk_size, (int) TOAST_MAX_CHUNK_SIZE),
4570 errhint("It looks like you need to recompile or initdb.")));
4571 if (ControlFile->loblksize != LOBLKSIZE)
4573 (errmsg("database files are incompatible with server"),
4574 errdetail("The database cluster was initialized with LOBLKSIZE %d,"
4575 " but the server was compiled with LOBLKSIZE %d.",
4576 ControlFile->loblksize, (int) LOBLKSIZE),
4577 errhint("It looks like you need to recompile or initdb.")));
4579 #ifdef USE_FLOAT4_BYVAL
4580 if (ControlFile->float4ByVal != true)
4582 (errmsg("database files are incompatible with server"),
4583 errdetail("The database cluster was initialized without USE_FLOAT4_BYVAL"
4584 " but the server was compiled with USE_FLOAT4_BYVAL."),
4585 errhint("It looks like you need to recompile or initdb.")));
4587 if (ControlFile->float4ByVal != false)
4589 (errmsg("database files are incompatible with server"),
4590 errdetail("The database cluster was initialized with USE_FLOAT4_BYVAL"
4591 " but the server was compiled without USE_FLOAT4_BYVAL."),
4592 errhint("It looks like you need to recompile or initdb.")));
4595 #ifdef USE_FLOAT8_BYVAL
4596 if (ControlFile->float8ByVal != true)
4598 (errmsg("database files are incompatible with server"),
4599 errdetail("The database cluster was initialized without USE_FLOAT8_BYVAL"
4600 " but the server was compiled with USE_FLOAT8_BYVAL."),
4601 errhint("It looks like you need to recompile or initdb.")));
4603 if (ControlFile->float8ByVal != false)
4605 (errmsg("database files are incompatible with server"),
4606 errdetail("The database cluster was initialized with USE_FLOAT8_BYVAL"
4607 " but the server was compiled without USE_FLOAT8_BYVAL."),
4608 errhint("It looks like you need to recompile or initdb.")));
4611 /* Make the initdb settings visible as GUC variables, too */
4612 SetConfigOption("data_checksums", DataChecksumsEnabled() ? "yes" : "no",
4613 PGC_INTERNAL, PGC_S_OVERRIDE);
4617 UpdateControlFile(void)
4621 INIT_CRC32C(ControlFile->crc);
4622 COMP_CRC32C(ControlFile->crc,
4623 (char *) ControlFile,
4624 offsetof(ControlFileData, crc));
4625 FIN_CRC32C(ControlFile->crc);
4627 fd = BasicOpenFile(XLOG_CONTROL_FILE,
4632 (errcode_for_file_access(),
4633 errmsg("could not open control file \"%s\": %m",
4634 XLOG_CONTROL_FILE)));
4637 if (write(fd, ControlFile, sizeof(ControlFileData)) != sizeof(ControlFileData))
4639 /* if write didn't set errno, assume problem is no disk space */
4643 (errcode_for_file_access(),
4644 errmsg("could not write to control file: %m")));
4647 if (pg_fsync(fd) != 0)
4649 (errcode_for_file_access(),
4650 errmsg("could not fsync control file: %m")));
4654 (errcode_for_file_access(),
4655 errmsg("could not close control file: %m")));
4659 * Returns the unique system identifier from control file.
4662 GetSystemIdentifier(void)
4664 Assert(ControlFile != NULL);
4665 return ControlFile->system_identifier;
4669 * Returns the random nonce from control file.
4672 GetMockAuthenticationNonce(void)
4674 Assert(ControlFile != NULL);
4675 return ControlFile->mock_authentication_nonce;
4679 * Are checksums enabled for data pages?
4682 DataChecksumsEnabled(void)
4684 Assert(ControlFile != NULL);
4685 return (ControlFile->data_checksum_version > 0);
4689 * Returns a fake LSN for unlogged relations.
4691 * Each call generates an LSN that is greater than any previous value
4692 * returned. The current counter value is saved and restored across clean
4693 * shutdowns, but like unlogged relations, does not survive a crash. This can
4694 * be used in lieu of real LSN values returned by XLogInsert, if you need an
4695 * LSN-like increasing sequence of numbers without writing any WAL.
4698 GetFakeLSNForUnloggedRel(void)
4700 XLogRecPtr nextUnloggedLSN;
4702 /* increment the unloggedLSN counter, need SpinLock */
4703 SpinLockAcquire(&XLogCtl->ulsn_lck);
4704 nextUnloggedLSN = XLogCtl->unloggedLSN++;
4705 SpinLockRelease(&XLogCtl->ulsn_lck);
4707 return nextUnloggedLSN;
4711 * Auto-tune the number of XLOG buffers.
4713 * The preferred setting for wal_buffers is about 3% of shared_buffers, with
4714 * a maximum of one XLOG segment (there is little reason to think that more
4715 * is helpful, at least so long as we force an fsync when switching log files)
4716 * and a minimum of 8 blocks (which was the default value prior to PostgreSQL
4717 * 9.1, when auto-tuning was added).
4719 * This should not be called until NBuffers has received its final value.
4722 XLOGChooseNumBuffers(void)
4726 xbuffers = NBuffers / 32;
4727 if (xbuffers > XLOG_SEG_SIZE / XLOG_BLCKSZ)
4728 xbuffers = XLOG_SEG_SIZE / XLOG_BLCKSZ;
4735 * GUC check_hook for wal_buffers
4738 check_wal_buffers(int *newval, void **extra, GucSource source)
4741 * -1 indicates a request for auto-tune.
4746 * If we haven't yet changed the boot_val default of -1, just let it
4747 * be. We'll fix it when XLOGShmemSize is called.
4749 if (XLOGbuffers == -1)
4752 /* Otherwise, substitute the auto-tune value */
4753 *newval = XLOGChooseNumBuffers();
4757 * We clamp manually-set values to at least 4 blocks. Prior to PostgreSQL
4758 * 9.1, a minimum of 4 was enforced by guc.c, but since that is no longer
4759 * the case, we just silently treat such values as a request for the
4760 * minimum. (We could throw an error instead, but that doesn't seem very
4770 * Initialization of shared memory for XLOG
4778 * If the value of wal_buffers is -1, use the preferred auto-tune value.
4779 * This isn't an amazingly clean place to do this, but we must wait till
4780 * NBuffers has received its final value, and must do it before using the
4781 * value of XLOGbuffers to do anything important.
4783 if (XLOGbuffers == -1)
4787 snprintf(buf, sizeof(buf), "%d", XLOGChooseNumBuffers());
4788 SetConfigOption("wal_buffers", buf, PGC_POSTMASTER, PGC_S_OVERRIDE);
4790 Assert(XLOGbuffers > 0);
4793 size = sizeof(XLogCtlData);
4795 /* WAL insertion locks, plus alignment */
4796 size = add_size(size, mul_size(sizeof(WALInsertLockPadded), NUM_XLOGINSERT_LOCKS + 1));
4797 /* xlblocks array */
4798 size = add_size(size, mul_size(sizeof(XLogRecPtr), XLOGbuffers));
4799 /* extra alignment padding for XLOG I/O buffers */
4800 size = add_size(size, XLOG_BLCKSZ);
4801 /* and the buffers themselves */
4802 size = add_size(size, mul_size(XLOG_BLCKSZ, XLOGbuffers));
4805 * Note: we don't count ControlFileData, it comes out of the "slop factor"
4806 * added by CreateSharedMemoryAndSemaphores. This lets us use this
4807 * routine again below to compute the actual allocation size.
4824 * Create a memory context for WAL debugging that's exempt from the normal
4825 * "no pallocs in critical section" rule. Yes, that can lead to a PANIC if
4826 * an allocation fails, but wal_debug is not for production use anyway.
4828 if (walDebugCxt == NULL)
4830 walDebugCxt = AllocSetContextCreate(TopMemoryContext,
4832 ALLOCSET_DEFAULT_SIZES);
4833 MemoryContextAllowInCriticalSection(walDebugCxt, true);
4837 ControlFile = (ControlFileData *)
4838 ShmemInitStruct("Control File", sizeof(ControlFileData), &foundCFile);
4839 XLogCtl = (XLogCtlData *)
4840 ShmemInitStruct("XLOG Ctl", XLOGShmemSize(), &foundXLog);
4842 if (foundCFile || foundXLog)
4844 /* both should be present or neither */
4845 Assert(foundCFile && foundXLog);
4847 /* Initialize local copy of WALInsertLocks and register the tranche */
4848 WALInsertLocks = XLogCtl->Insert.WALInsertLocks;
4849 LWLockRegisterTranche(LWTRANCHE_WAL_INSERT,
4853 memset(XLogCtl, 0, sizeof(XLogCtlData));
4856 * Since XLogCtlData contains XLogRecPtr fields, its sizeof should be a
4857 * multiple of the alignment for same, so no extra alignment padding is
4860 allocptr = ((char *) XLogCtl) + sizeof(XLogCtlData);
4861 XLogCtl->xlblocks = (XLogRecPtr *) allocptr;
4862 memset(XLogCtl->xlblocks, 0, sizeof(XLogRecPtr) * XLOGbuffers);
4863 allocptr += sizeof(XLogRecPtr) * XLOGbuffers;
4866 /* WAL insertion locks. Ensure they're aligned to the full padded size */
4867 allocptr += sizeof(WALInsertLockPadded) -
4868 ((uintptr_t) allocptr) %sizeof(WALInsertLockPadded);
4869 WALInsertLocks = XLogCtl->Insert.WALInsertLocks =
4870 (WALInsertLockPadded *) allocptr;
4871 allocptr += sizeof(WALInsertLockPadded) * NUM_XLOGINSERT_LOCKS;
4873 LWLockRegisterTranche(LWTRANCHE_WAL_INSERT, "wal_insert");
4874 for (i = 0; i < NUM_XLOGINSERT_LOCKS; i++)
4876 LWLockInitialize(&WALInsertLocks[i].l.lock, LWTRANCHE_WAL_INSERT);
4877 WALInsertLocks[i].l.insertingAt = InvalidXLogRecPtr;
4878 WALInsertLocks[i].l.lastImportantAt = InvalidXLogRecPtr;
4882 * Align the start of the page buffers to a full xlog block size boundary.
4883 * This simplifies some calculations in XLOG insertion. It is also
4884 * required for O_DIRECT.
4886 allocptr = (char *) TYPEALIGN(XLOG_BLCKSZ, allocptr);
4887 XLogCtl->pages = allocptr;
4888 memset(XLogCtl->pages, 0, (Size) XLOG_BLCKSZ * XLOGbuffers);
4891 * Do basic initialization of XLogCtl shared data. (StartupXLOG will fill
4892 * in additional info.)
4894 XLogCtl->XLogCacheBlck = XLOGbuffers - 1;
4895 XLogCtl->SharedRecoveryInProgress = true;
4896 XLogCtl->SharedHotStandbyActive = false;
4897 XLogCtl->WalWriterSleeping = false;
4899 SpinLockInit(&XLogCtl->Insert.insertpos_lck);
4900 SpinLockInit(&XLogCtl->info_lck);
4901 SpinLockInit(&XLogCtl->ulsn_lck);
4902 InitSharedLatch(&XLogCtl->recoveryWakeupLatch);
4905 * If we are not in bootstrap mode, pg_control should already exist. Read
4906 * and validate it immediately (see comments in ReadControlFile() for the
4909 if (!IsBootstrapProcessingMode())
4914 * This func must be called ONCE on system install. It creates pg_control
4915 * and the initial XLOG segment.
4920 CheckPoint checkPoint;
4922 XLogPageHeader page;
4923 XLogLongPageHeader longpage;
4927 uint64 sysidentifier;
4928 char mock_auth_nonce[MOCK_AUTH_NONCE_LEN];
4933 * Select a hopefully-unique system identifier code for this installation.
4934 * We use the result of gettimeofday(), including the fractional seconds
4935 * field, as being about as unique as we can easily get. (Think not to
4936 * use random(), since it hasn't been seeded and there's no portable way
4937 * to seed it other than the system clock value...) The upper half of the
4938 * uint64 value is just the tv_sec part, while the lower half contains the
4939 * tv_usec part (which must fit in 20 bits), plus 12 bits from our current
4940 * PID for a little extra uniqueness. A person knowing this encoding can
4941 * determine the initialization time of the installation, which could
4942 * perhaps be useful sometimes.
4944 gettimeofday(&tv, NULL);
4945 sysidentifier = ((uint64) tv.tv_sec) << 32;
4946 sysidentifier |= ((uint64) tv.tv_usec) << 12;
4947 sysidentifier |= getpid() & 0xFFF;
4950 * Generate a random nonce. This is used for authentication requests
4951 * that will fail because the user does not exist. The nonce is used to
4952 * create a genuine-looking password challenge for the non-existent user,
4953 * in lieu of an actual stored password.
4955 if (!pg_backend_random(mock_auth_nonce, MOCK_AUTH_NONCE_LEN))
4957 (errcode(ERRCODE_INTERNAL_ERROR),
4958 errmsg("could not generation secret authorization token")));
4960 /* First timeline ID is always 1 */
4963 /* page buffer must be aligned suitably for O_DIRECT */
4964 buffer = (char *) palloc(XLOG_BLCKSZ + XLOG_BLCKSZ);
4965 page = (XLogPageHeader) TYPEALIGN(XLOG_BLCKSZ, buffer);
4966 memset(page, 0, XLOG_BLCKSZ);
4969 * Set up information for the initial checkpoint record
4971 * The initial checkpoint record is written to the beginning of the WAL
4972 * segment with logid=0 logseg=1. The very first WAL segment, 0/0, is not
4973 * used, so that we can use 0/0 to mean "before any valid WAL segment".
4975 checkPoint.redo = XLogSegSize + SizeOfXLogLongPHD;
4976 checkPoint.ThisTimeLineID = ThisTimeLineID;
4977 checkPoint.PrevTimeLineID = ThisTimeLineID;
4978 checkPoint.fullPageWrites = fullPageWrites;
4979 checkPoint.nextXidEpoch = 0;
4980 checkPoint.nextXid = FirstNormalTransactionId;
4981 checkPoint.nextOid = FirstBootstrapObjectId;
4982 checkPoint.nextMulti = FirstMultiXactId;
4983 checkPoint.nextMultiOffset = 0;
4984 checkPoint.oldestXid = FirstNormalTransactionId;
4985 checkPoint.oldestXidDB = TemplateDbOid;
4986 checkPoint.oldestMulti = FirstMultiXactId;
4987 checkPoint.oldestMultiDB = TemplateDbOid;
4988 checkPoint.oldestCommitTsXid = InvalidTransactionId;
4989 checkPoint.newestCommitTsXid = InvalidTransactionId;
4990 checkPoint.time = (pg_time_t) time(NULL);
4991 checkPoint.oldestActiveXid = InvalidTransactionId;
4993 ShmemVariableCache->nextXid = checkPoint.nextXid;
4994 ShmemVariableCache->nextOid = checkPoint.nextOid;
4995 ShmemVariableCache->oidCount = 0;
4996 MultiXactSetNextMXact(checkPoint.nextMulti, checkPoint.nextMultiOffset);
4997 SetTransactionIdLimit(checkPoint.oldestXid, checkPoint.oldestXidDB);
4998 SetMultiXactIdLimit(checkPoint.oldestMulti, checkPoint.oldestMultiDB, true);
4999 SetCommitTsLimit(InvalidTransactionId, InvalidTransactionId);
5001 /* Set up the XLOG page header */
5002 page->xlp_magic = XLOG_PAGE_MAGIC;
5003 page->xlp_info = XLP_LONG_HEADER;
5004 page->xlp_tli = ThisTimeLineID;
5005 page->xlp_pageaddr = XLogSegSize;
5006 longpage = (XLogLongPageHeader) page;
5007 longpage->xlp_sysid = sysidentifier;
5008 longpage->xlp_seg_size = XLogSegSize;
5009 longpage->xlp_xlog_blcksz = XLOG_BLCKSZ;
5011 /* Insert the initial checkpoint record */
5012 recptr = ((char *) page + SizeOfXLogLongPHD);
5013 record = (XLogRecord *) recptr;
5014 record->xl_prev = 0;
5015 record->xl_xid = InvalidTransactionId;
5016 record->xl_tot_len = SizeOfXLogRecord + SizeOfXLogRecordDataHeaderShort + sizeof(checkPoint);
5017 record->xl_info = XLOG_CHECKPOINT_SHUTDOWN;
5018 record->xl_rmid = RM_XLOG_ID;
5019 recptr += SizeOfXLogRecord;
5020 /* fill the XLogRecordDataHeaderShort struct */
5021 *(recptr++) = XLR_BLOCK_ID_DATA_SHORT;
5022 *(recptr++) = sizeof(checkPoint);
5023 memcpy(recptr, &checkPoint, sizeof(checkPoint));
5024 recptr += sizeof(checkPoint);
5025 Assert(recptr - (char *) record == record->xl_tot_len);
5028 COMP_CRC32C(crc, ((char *) record) + SizeOfXLogRecord, record->xl_tot_len - SizeOfXLogRecord);
5029 COMP_CRC32C(crc, (char *) record, offsetof(XLogRecord, xl_crc));
5031 record->xl_crc = crc;
5033 /* Create first XLOG segment file */
5034 use_existent = false;
5035 openLogFile = XLogFileInit(1, &use_existent, false);
5037 /* Write the first page with the initial record */
5039 if (write(openLogFile, page, XLOG_BLCKSZ) != XLOG_BLCKSZ)
5041 /* if write didn't set errno, assume problem is no disk space */
5045 (errcode_for_file_access(),
5046 errmsg("could not write bootstrap transaction log file: %m")));
5049 if (pg_fsync(openLogFile) != 0)
5051 (errcode_for_file_access(),
5052 errmsg("could not fsync bootstrap transaction log file: %m")));
5054 if (close(openLogFile))
5056 (errcode_for_file_access(),
5057 errmsg("could not close bootstrap transaction log file: %m")));
5061 /* Now create pg_control */
5063 memset(ControlFile, 0, sizeof(ControlFileData));
5064 /* Initialize pg_control status fields */
5065 ControlFile->system_identifier = sysidentifier;
5066 memcpy(ControlFile->mock_authentication_nonce, mock_auth_nonce, MOCK_AUTH_NONCE_LEN);
5067 ControlFile->state = DB_SHUTDOWNED;
5068 ControlFile->time = checkPoint.time;
5069 ControlFile->checkPoint = checkPoint.redo;
5070 ControlFile->checkPointCopy = checkPoint;
5071 ControlFile->unloggedLSN = 1;
5073 /* Set important parameter values for use when replaying WAL */
5074 ControlFile->MaxConnections = MaxConnections;
5075 ControlFile->max_worker_processes = max_worker_processes;
5076 ControlFile->max_prepared_xacts = max_prepared_xacts;
5077 ControlFile->max_locks_per_xact = max_locks_per_xact;
5078 ControlFile->wal_level = wal_level;
5079 ControlFile->wal_log_hints = wal_log_hints;
5080 ControlFile->track_commit_timestamp = track_commit_timestamp;
5081 ControlFile->data_checksum_version = bootstrap_data_checksum_version;
5083 /* some additional ControlFile fields are set in WriteControlFile() */
5087 /* Bootstrap the commit log, too */
5089 BootStrapCommitTs();
5090 BootStrapSUBTRANS();
5091 BootStrapMultiXact();
5097 str_time(pg_time_t tnow)
5099 static char buf[128];
5101 pg_strftime(buf, sizeof(buf),
5102 "%Y-%m-%d %H:%M:%S %Z",
5103 pg_localtime(&tnow, log_timezone));
5109 * See if there is a recovery command file (recovery.conf), and if so
5110 * read in parameters for archive recovery and XLOG streaming.
5112 * The file is parsed using the main configuration parser.
5115 readRecoveryCommandFile(void)
5118 TimeLineID rtli = 0;
5119 bool rtliGiven = false;
5120 ConfigVariable *item,
5123 bool recoveryTargetActionSet = false;
5126 fd = AllocateFile(RECOVERY_COMMAND_FILE, "r");
5129 if (errno == ENOENT)
5130 return; /* not there, so no archive recovery */
5132 (errcode_for_file_access(),
5133 errmsg("could not open recovery command file \"%s\": %m",
5134 RECOVERY_COMMAND_FILE)));
5138 * Since we're asking ParseConfigFp() to report errors as FATAL, there's
5139 * no need to check the return value.
5141 (void) ParseConfigFp(fd, RECOVERY_COMMAND_FILE, 0, FATAL, &head, &tail);
5145 for (item = head; item; item = item->next)
5147 if (strcmp(item->name, "restore_command") == 0)
5149 recoveryRestoreCommand = pstrdup(item->value);
5151 (errmsg_internal("restore_command = '%s'",
5152 recoveryRestoreCommand)));
5154 else if (strcmp(item->name, "recovery_end_command") == 0)
5156 recoveryEndCommand = pstrdup(item->value);
5158 (errmsg_internal("recovery_end_command = '%s'",
5159 recoveryEndCommand)));
5161 else if (strcmp(item->name, "archive_cleanup_command") == 0)
5163 archiveCleanupCommand = pstrdup(item->value);
5165 (errmsg_internal("archive_cleanup_command = '%s'",
5166 archiveCleanupCommand)));
5168 else if (strcmp(item->name, "recovery_target_action") == 0)
5170 if (strcmp(item->value, "pause") == 0)
5171 recoveryTargetAction = RECOVERY_TARGET_ACTION_PAUSE;
5172 else if (strcmp(item->value, "promote") == 0)
5173 recoveryTargetAction = RECOVERY_TARGET_ACTION_PROMOTE;
5174 else if (strcmp(item->value, "shutdown") == 0)
5175 recoveryTargetAction = RECOVERY_TARGET_ACTION_SHUTDOWN;
5178 (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
5179 errmsg("invalid value for recovery parameter \"%s\": \"%s\"",
5180 "recovery_target_action",
5182 errhint("Valid values are \"pause\", \"promote\", and \"shutdown\".")));
5185 (errmsg_internal("recovery_target_action = '%s'",
5188 recoveryTargetActionSet = true;
5190 else if (strcmp(item->name, "recovery_target_timeline") == 0)
5193 if (strcmp(item->value, "latest") == 0)
5198 rtli = (TimeLineID) strtoul(item->value, NULL, 0);
5199 if (errno == EINVAL || errno == ERANGE)
5201 (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
5202 errmsg("recovery_target_timeline is not a valid number: \"%s\"",
5207 (errmsg_internal("recovery_target_timeline = %u", rtli)));
5210 (errmsg_internal("recovery_target_timeline = latest")));
5212 else if (strcmp(item->name, "recovery_target_xid") == 0)
5215 recoveryTargetXid = (TransactionId) strtoul(item->value, NULL, 0);
5216 if (errno == EINVAL || errno == ERANGE)
5218 (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
5219 errmsg("recovery_target_xid is not a valid number: \"%s\"",
5222 (errmsg_internal("recovery_target_xid = %u",
5223 recoveryTargetXid)));
5224 recoveryTarget = RECOVERY_TARGET_XID;
5226 else if (strcmp(item->name, "recovery_target_time") == 0)
5228 recoveryTarget = RECOVERY_TARGET_TIME;
5231 * Convert the time string given by the user to TimestampTz form.
5233 recoveryTargetTime =
5234 DatumGetTimestampTz(DirectFunctionCall3(timestamptz_in,
5235 CStringGetDatum(item->value),
5236 ObjectIdGetDatum(InvalidOid),
5237 Int32GetDatum(-1)));
5239 (errmsg_internal("recovery_target_time = '%s'",
5240 timestamptz_to_str(recoveryTargetTime))));
5242 else if (strcmp(item->name, "recovery_target_name") == 0)
5244 recoveryTarget = RECOVERY_TARGET_NAME;
5246 recoveryTargetName = pstrdup(item->value);
5247 if (strlen(recoveryTargetName) >= MAXFNAMELEN)
5249 (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
5250 errmsg("recovery_target_name is too long (maximum %d characters)",
5254 (errmsg_internal("recovery_target_name = '%s'",
5255 recoveryTargetName)));
5257 else if (strcmp(item->name, "recovery_target_lsn") == 0)
5259 recoveryTarget = RECOVERY_TARGET_LSN;
5262 * Convert the LSN string given by the user to XLogRecPtr form.
5265 DatumGetLSN(DirectFunctionCall3(pg_lsn_in,
5266 CStringGetDatum(item->value),
5267 ObjectIdGetDatum(InvalidOid),
5268 Int32GetDatum(-1)));
5270 (errmsg_internal("recovery_target_lsn = '%X/%X'",
5271 (uint32) (recoveryTargetLSN >> 32),
5272 (uint32) recoveryTargetLSN)));
5274 else if (strcmp(item->name, "recovery_target") == 0)
5276 if (strcmp(item->value, "immediate") == 0)
5277 recoveryTarget = RECOVERY_TARGET_IMMEDIATE;
5280 (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
5281 errmsg("invalid value for recovery parameter \"%s\": \"%s\"",
5284 errhint("The only allowed value is \"immediate\".")));
5286 (errmsg_internal("recovery_target = '%s'",
5289 else if (strcmp(item->name, "recovery_target_inclusive") == 0)
5292 * does nothing if a recovery_target is not also set
5294 if (!parse_bool(item->value, &recoveryTargetInclusive))
5296 (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
5297 errmsg("parameter \"%s\" requires a Boolean value",
5298 "recovery_target_inclusive")));
5300 (errmsg_internal("recovery_target_inclusive = %s",
5303 else if (strcmp(item->name, "standby_mode") == 0)
5305 if (!parse_bool(item->value, &StandbyModeRequested))
5307 (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
5308 errmsg("parameter \"%s\" requires a Boolean value",
5311 (errmsg_internal("standby_mode = '%s'", item->value)));
5313 else if (strcmp(item->name, "primary_conninfo") == 0)
5315 PrimaryConnInfo = pstrdup(item->value);
5317 (errmsg_internal("primary_conninfo = '%s'",
5320 else if (strcmp(item->name, "primary_slot_name") == 0)
5322 ReplicationSlotValidateName(item->value, ERROR);
5323 PrimarySlotName = pstrdup(item->value);
5325 (errmsg_internal("primary_slot_name = '%s'",
5328 else if (strcmp(item->name, "trigger_file") == 0)
5330 TriggerFile = pstrdup(item->value);
5332 (errmsg_internal("trigger_file = '%s'",
5335 else if (strcmp(item->name, "recovery_min_apply_delay") == 0)
5337 const char *hintmsg;
5339 if (!parse_int(item->value, &recovery_min_apply_delay, GUC_UNIT_MS,
5342 (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
5343 errmsg("parameter \"%s\" requires a temporal value",
5344 "recovery_min_apply_delay"),
5345 hintmsg ? errhint("%s", _(hintmsg)) : 0));
5347 (errmsg_internal("recovery_min_apply_delay = '%s'", item->value)));
5351 (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
5352 errmsg("unrecognized recovery parameter \"%s\"",
5357 * Check for compulsory parameters
5359 if (StandbyModeRequested)
5361 if (PrimaryConnInfo == NULL && recoveryRestoreCommand == NULL)
5363 (errmsg("recovery command file \"%s\" specified neither primary_conninfo nor restore_command",
5364 RECOVERY_COMMAND_FILE),
5365 errhint("The database server will regularly poll the pg_wal subdirectory to check for files placed there.")));
5369 if (recoveryRestoreCommand == NULL)
5371 (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
5372 errmsg("recovery command file \"%s\" must specify restore_command when standby mode is not enabled",
5373 RECOVERY_COMMAND_FILE)));
5377 * Override any inconsistent requests. Not that this is a change of
5378 * behaviour in 9.5; prior to this we simply ignored a request to pause if
5379 * hot_standby = off, which was surprising behaviour.
5381 if (recoveryTargetAction == RECOVERY_TARGET_ACTION_PAUSE &&
5382 recoveryTargetActionSet &&
5384 recoveryTargetAction = RECOVERY_TARGET_ACTION_SHUTDOWN;
5387 * We don't support standby_mode in standalone backends; that requires
5388 * other processes such as the WAL receiver to be alive.
5390 if (StandbyModeRequested && !IsUnderPostmaster)
5392 (errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
5393 errmsg("standby mode is not supported by single-user servers")));
5395 /* Enable fetching from archive recovery area */
5396 ArchiveRecoveryRequested = true;
5399 * If user specified recovery_target_timeline, validate it or compute the
5400 * "latest" value. We can't do this until after we've gotten the restore
5401 * command and set InArchiveRecovery, because we need to fetch timeline
5402 * history files from the archive.
5408 /* Timeline 1 does not have a history file, all else should */
5409 if (rtli != 1 && !existsTimeLineHistory(rtli))
5411 (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
5412 errmsg("recovery target timeline %u does not exist",
5414 recoveryTargetTLI = rtli;
5415 recoveryTargetIsLatest = false;
5419 /* We start the "latest" search from pg_control's timeline */
5420 recoveryTargetTLI = findNewestTimeLine(recoveryTargetTLI);
5421 recoveryTargetIsLatest = true;
5425 FreeConfigVariables(head);
5429 * Exit archive-recovery state
5432 exitArchiveRecovery(TimeLineID endTLI, XLogRecPtr endOfLog)
5434 char recoveryPath[MAXPGPATH];
5435 char xlogfname[MAXFNAMELEN];
5436 XLogSegNo endLogSegNo;
5437 XLogSegNo startLogSegNo;
5439 /* we always switch to a new timeline after archive recovery */
5440 Assert(endTLI != ThisTimeLineID);
5443 * We are no longer in archive recovery state.
5445 InArchiveRecovery = false;
5448 * Update min recovery point one last time.
5450 UpdateMinRecoveryPoint(InvalidXLogRecPtr, true);
5453 * If the ending log segment is still open, close it (to avoid problems on
5454 * Windows with trying to rename or delete an open file).
5463 * Calculate the last segment on the old timeline, and the first segment
5464 * on the new timeline. If the switch happens in the middle of a segment,
5465 * they are the same, but if the switch happens exactly at a segment
5466 * boundary, startLogSegNo will be endLogSegNo + 1.
5468 XLByteToPrevSeg(endOfLog, endLogSegNo);
5469 XLByteToSeg(endOfLog, startLogSegNo);
5472 * Initialize the starting WAL segment for the new timeline. If the switch
5473 * happens in the middle of a segment, copy data from the last WAL segment
5474 * of the old timeline up to the switch point, to the starting WAL segment
5475 * on the new timeline.
5477 if (endLogSegNo == startLogSegNo)
5480 * Make a copy of the file on the new timeline.
5482 * Writing WAL isn't allowed yet, so there are no locking
5483 * considerations. But we should be just as tense as XLogFileInit to
5484 * avoid emplacing a bogus file.
5486 XLogFileCopy(endLogSegNo, endTLI, endLogSegNo,
5487 endOfLog % XLOG_SEG_SIZE);
5492 * The switch happened at a segment boundary, so just create the next
5493 * segment on the new timeline.
5495 bool use_existent = true;
5498 fd = XLogFileInit(startLogSegNo, &use_existent, true);
5502 (errcode_for_file_access(),
5503 errmsg("could not close log file %s: %m",
5504 XLogFileNameP(ThisTimeLineID, startLogSegNo))));
5508 * Let's just make real sure there are not .ready or .done flags posted
5509 * for the new segment.
5511 XLogFileName(xlogfname, ThisTimeLineID, startLogSegNo);
5512 XLogArchiveCleanup(xlogfname);
5515 * Since there might be a partial WAL segment named RECOVERYXLOG, get rid
5518 snprintf(recoveryPath, MAXPGPATH, XLOGDIR "/RECOVERYXLOG");
5519 unlink(recoveryPath); /* ignore any error */
5521 /* Get rid of any remaining recovered timeline-history file, too */
5522 snprintf(recoveryPath, MAXPGPATH, XLOGDIR "/RECOVERYHISTORY");
5523 unlink(recoveryPath); /* ignore any error */
5526 * Rename the config file out of the way, so that we don't accidentally
5527 * re-enter archive recovery mode in a subsequent crash.
5529 unlink(RECOVERY_COMMAND_DONE);
5530 durable_rename(RECOVERY_COMMAND_FILE, RECOVERY_COMMAND_DONE, FATAL);
5533 (errmsg("archive recovery complete")));
5537 * Extract timestamp from WAL record.
5539 * If the record contains a timestamp, returns true, and saves the timestamp
5540 * in *recordXtime. If the record type has no timestamp, returns false.
5541 * Currently, only transaction commit/abort records and restore points contain
5545 getRecordTimestamp(XLogReaderState *record, TimestampTz *recordXtime)
5547 uint8 info = XLogRecGetInfo(record) & ~XLR_INFO_MASK;
5548 uint8 xact_info = info & XLOG_XACT_OPMASK;
5549 uint8 rmid = XLogRecGetRmid(record);
5551 if (rmid == RM_XLOG_ID && info == XLOG_RESTORE_POINT)
5553 *recordXtime = ((xl_restore_point *) XLogRecGetData(record))->rp_time;
5556 if (rmid == RM_XACT_ID && (xact_info == XLOG_XACT_COMMIT ||
5557 xact_info == XLOG_XACT_COMMIT_PREPARED))
5559 *recordXtime = ((xl_xact_commit *) XLogRecGetData(record))->xact_time;
5562 if (rmid == RM_XACT_ID && (xact_info == XLOG_XACT_ABORT ||
5563 xact_info == XLOG_XACT_ABORT_PREPARED))
5565 *recordXtime = ((xl_xact_abort *) XLogRecGetData(record))->xact_time;
5572 * For point-in-time recovery, this function decides whether we want to
5573 * stop applying the XLOG before the current record.
5575 * Returns TRUE if we are stopping, FALSE otherwise. If stopping, some
5576 * information is saved in recoveryStopXid et al for use in annotating the
5577 * new timeline's history file.
5580 recoveryStopsBefore(XLogReaderState *record)
5582 bool stopsHere = false;
5585 TimestampTz recordXtime = 0;
5586 TransactionId recordXid;
5588 /* Check if we should stop as soon as reaching consistency */
5589 if (recoveryTarget == RECOVERY_TARGET_IMMEDIATE && reachedConsistency)
5592 (errmsg("recovery stopping after reaching consistency")));
5594 recoveryStopAfter = false;
5595 recoveryStopXid = InvalidTransactionId;
5596 recoveryStopLSN = InvalidXLogRecPtr;
5597 recoveryStopTime = 0;
5598 recoveryStopName[0] = '\0';
5602 /* Check if target LSN has been reached */
5603 if (recoveryTarget == RECOVERY_TARGET_LSN &&
5604 !recoveryTargetInclusive &&
5605 record->ReadRecPtr >= recoveryTargetLSN)
5607 recoveryStopAfter = false;
5608 recoveryStopXid = InvalidTransactionId;
5609 recoveryStopLSN = record->ReadRecPtr;
5610 recoveryStopTime = 0;
5611 recoveryStopName[0] = '\0';
5613 (errmsg("recovery stopping before WAL position (LSN) \"%X/%X\"",
5614 (uint32) (recoveryStopLSN >> 32),
5615 (uint32) recoveryStopLSN)));
5619 /* Otherwise we only consider stopping before COMMIT or ABORT records. */
5620 if (XLogRecGetRmid(record) != RM_XACT_ID)
5623 xact_info = XLogRecGetInfo(record) & XLOG_XACT_OPMASK;
5625 if (xact_info == XLOG_XACT_COMMIT)
5628 recordXid = XLogRecGetXid(record);
5630 else if (xact_info == XLOG_XACT_COMMIT_PREPARED)
5632 xl_xact_commit *xlrec = (xl_xact_commit *) XLogRecGetData(record);
5633 xl_xact_parsed_commit parsed;
5636 ParseCommitRecord(XLogRecGetInfo(record),
5639 recordXid = parsed.twophase_xid;
5641 else if (xact_info == XLOG_XACT_ABORT)
5644 recordXid = XLogRecGetXid(record);
5646 else if (xact_info == XLOG_XACT_ABORT_PREPARED)
5648 xl_xact_abort *xlrec = (xl_xact_abort *) XLogRecGetData(record);
5649 xl_xact_parsed_abort parsed;
5652 ParseAbortRecord(XLogRecGetInfo(record),
5655 recordXid = parsed.twophase_xid;
5660 if (recoveryTarget == RECOVERY_TARGET_XID && !recoveryTargetInclusive)
5663 * There can be only one transaction end record with this exact
5666 * when testing for an xid, we MUST test for equality only, since
5667 * transactions are numbered in the order they start, not the order
5668 * they complete. A higher numbered xid will complete before you about
5669 * 50% of the time...
5671 stopsHere = (recordXid == recoveryTargetXid);
5674 if (recoveryTarget == RECOVERY_TARGET_TIME &&
5675 getRecordTimestamp(record, &recordXtime))
5678 * There can be many transactions that share the same commit time, so
5679 * we stop after the last one, if we are inclusive, or stop at the
5680 * first one if we are exclusive
5682 if (recoveryTargetInclusive)
5683 stopsHere = (recordXtime > recoveryTargetTime);
5685 stopsHere = (recordXtime >= recoveryTargetTime);
5690 recoveryStopAfter = false;
5691 recoveryStopXid = recordXid;
5692 recoveryStopTime = recordXtime;
5693 recoveryStopLSN = InvalidXLogRecPtr;
5694 recoveryStopName[0] = '\0';
5699 (errmsg("recovery stopping before commit of transaction %u, time %s",
5701 timestamptz_to_str(recoveryStopTime))));
5706 (errmsg("recovery stopping before abort of transaction %u, time %s",
5708 timestamptz_to_str(recoveryStopTime))));
5716 * Same as recoveryStopsBefore, but called after applying the record.
5718 * We also track the timestamp of the latest applied COMMIT/ABORT
5719 * record in XLogCtl->recoveryLastXTime.
5722 recoveryStopsAfter(XLogReaderState *record)
5727 TimestampTz recordXtime;
5729 info = XLogRecGetInfo(record) & ~XLR_INFO_MASK;
5730 rmid = XLogRecGetRmid(record);
5733 * There can be many restore points that share the same name; we stop at
5736 if (recoveryTarget == RECOVERY_TARGET_NAME &&
5737 rmid == RM_XLOG_ID && info == XLOG_RESTORE_POINT)
5739 xl_restore_point *recordRestorePointData;
5741 recordRestorePointData = (xl_restore_point *) XLogRecGetData(record);
5743 if (strcmp(recordRestorePointData->rp_name, recoveryTargetName) == 0)
5745 recoveryStopAfter = true;
5746 recoveryStopXid = InvalidTransactionId;
5747 recoveryStopLSN = InvalidXLogRecPtr;
5748 (void) getRecordTimestamp(record, &recoveryStopTime);
5749 strlcpy(recoveryStopName, recordRestorePointData->rp_name, MAXFNAMELEN);
5752 (errmsg("recovery stopping at restore point \"%s\", time %s",
5754 timestamptz_to_str(recoveryStopTime))));
5759 /* Check if the target LSN has been reached */
5760 if (recoveryTarget == RECOVERY_TARGET_LSN &&
5761 recoveryTargetInclusive &&
5762 record->ReadRecPtr >= recoveryTargetLSN)
5764 recoveryStopAfter = true;
5765 recoveryStopXid = InvalidTransactionId;
5766 recoveryStopLSN = record->ReadRecPtr;
5767 recoveryStopTime = 0;
5768 recoveryStopName[0] = '\0';
5770 (errmsg("recovery stopping after WAL position (LSN) \"%X/%X\"",
5771 (uint32) (recoveryStopLSN >> 32),
5772 (uint32) recoveryStopLSN)));
5776 if (rmid != RM_XACT_ID)
5779 xact_info = info & XLOG_XACT_OPMASK;
5781 if (xact_info == XLOG_XACT_COMMIT ||
5782 xact_info == XLOG_XACT_COMMIT_PREPARED ||
5783 xact_info == XLOG_XACT_ABORT ||
5784 xact_info == XLOG_XACT_ABORT_PREPARED)
5786 TransactionId recordXid;
5788 /* Update the last applied transaction timestamp */
5789 if (getRecordTimestamp(record, &recordXtime))
5790 SetLatestXTime(recordXtime);
5792 /* Extract the XID of the committed/aborted transaction */
5793 if (xact_info == XLOG_XACT_COMMIT_PREPARED)
5795 xl_xact_commit *xlrec = (xl_xact_commit *) XLogRecGetData(record);
5796 xl_xact_parsed_commit parsed;
5798 ParseCommitRecord(XLogRecGetInfo(record),
5801 recordXid = parsed.twophase_xid;
5803 else if (xact_info == XLOG_XACT_ABORT_PREPARED)
5805 xl_xact_abort *xlrec = (xl_xact_abort *) XLogRecGetData(record);
5806 xl_xact_parsed_abort parsed;
5808 ParseAbortRecord(XLogRecGetInfo(record),
5811 recordXid = parsed.twophase_xid;
5814 recordXid = XLogRecGetXid(record);
5817 * There can be only one transaction end record with this exact
5820 * when testing for an xid, we MUST test for equality only, since
5821 * transactions are numbered in the order they start, not the order
5822 * they complete. A higher numbered xid will complete before you about
5823 * 50% of the time...
5825 if (recoveryTarget == RECOVERY_TARGET_XID && recoveryTargetInclusive &&
5826 recordXid == recoveryTargetXid)
5828 recoveryStopAfter = true;
5829 recoveryStopXid = recordXid;
5830 recoveryStopTime = recordXtime;
5831 recoveryStopLSN = InvalidXLogRecPtr;
5832 recoveryStopName[0] = '\0';
5834 if (xact_info == XLOG_XACT_COMMIT ||
5835 xact_info == XLOG_XACT_COMMIT_PREPARED)
5838 (errmsg("recovery stopping after commit of transaction %u, time %s",
5840 timestamptz_to_str(recoveryStopTime))));
5842 else if (xact_info == XLOG_XACT_ABORT ||
5843 xact_info == XLOG_XACT_ABORT_PREPARED)
5846 (errmsg("recovery stopping after abort of transaction %u, time %s",
5848 timestamptz_to_str(recoveryStopTime))));
5854 /* Check if we should stop as soon as reaching consistency */
5855 if (recoveryTarget == RECOVERY_TARGET_IMMEDIATE && reachedConsistency)
5858 (errmsg("recovery stopping after reaching consistency")));
5860 recoveryStopAfter = true;
5861 recoveryStopXid = InvalidTransactionId;
5862 recoveryStopTime = 0;
5863 recoveryStopLSN = InvalidXLogRecPtr;
5864 recoveryStopName[0] = '\0';
5872 * Wait until shared recoveryPause flag is cleared.
5874 * XXX Could also be done with shared latch, avoiding the pg_usleep loop.
5875 * Probably not worth the trouble though. This state shouldn't be one that
5876 * anyone cares about server power consumption in.
5879 recoveryPausesHere(void)
5881 /* Don't pause unless users can connect! */
5882 if (!LocalHotStandbyActive)
5886 (errmsg("recovery has paused"),
5887 errhint("Execute pg_wal_replay_resume() to continue.")));
5889 while (RecoveryIsPaused())
5891 pg_usleep(1000000L); /* 1000 ms */
5892 HandleStartupProcInterrupts();
5897 RecoveryIsPaused(void)
5901 SpinLockAcquire(&XLogCtl->info_lck);
5902 recoveryPause = XLogCtl->recoveryPause;
5903 SpinLockRelease(&XLogCtl->info_lck);
5905 return recoveryPause;
5909 SetRecoveryPause(bool recoveryPause)
5911 SpinLockAcquire(&XLogCtl->info_lck);
5912 XLogCtl->recoveryPause = recoveryPause;
5913 SpinLockRelease(&XLogCtl->info_lck);
5917 * When recovery_min_apply_delay is set, we wait long enough to make sure
5918 * certain record types are applied at least that interval behind the master.
5920 * Returns true if we waited.
5922 * Note that the delay is calculated between the WAL record log time and
5923 * the current time on standby. We would prefer to keep track of when this
5924 * standby received each WAL record, which would allow a more consistent
5925 * approach and one not affected by time synchronisation issues, but that
5926 * is significantly more effort and complexity for little actual gain in
5930 recoveryApplyDelay(XLogReaderState *record)
5937 /* nothing to do if no delay configured */
5938 if (recovery_min_apply_delay <= 0)
5941 /* no delay is applied on a database not yet consistent */
5942 if (!reachedConsistency)
5946 * Is it a COMMIT record?
5948 * We deliberately choose not to delay aborts since they have no effect on
5949 * MVCC. We already allow replay of records that don't have a timestamp,
5950 * so there is already opportunity for issues caused by early conflicts on
5953 if (XLogRecGetRmid(record) != RM_XACT_ID)
5956 xact_info = XLogRecGetInfo(record) & XLOG_XACT_OPMASK;
5958 if (xact_info != XLOG_XACT_COMMIT &&
5959 xact_info != XLOG_XACT_COMMIT_PREPARED)
5962 if (!getRecordTimestamp(record, &xtime))
5965 recoveryDelayUntilTime =
5966 TimestampTzPlusMilliseconds(xtime, recovery_min_apply_delay);
5969 * Exit without arming the latch if it's already past time to apply this
5972 TimestampDifference(GetCurrentTimestamp(), recoveryDelayUntilTime,
5974 if (secs <= 0 && microsecs <= 0)
5979 ResetLatch(&XLogCtl->recoveryWakeupLatch);
5981 /* might change the trigger file's location */
5982 HandleStartupProcInterrupts();
5984 if (CheckForStandbyTrigger())
5988 * Wait for difference between GetCurrentTimestamp() and
5989 * recoveryDelayUntilTime
5991 TimestampDifference(GetCurrentTimestamp(), recoveryDelayUntilTime,
5994 /* NB: We're ignoring waits below min_apply_delay's resolution. */
5995 if (secs <= 0 && microsecs / 1000 <= 0)
5998 elog(DEBUG2, "recovery apply delay %ld seconds, %d milliseconds",
5999 secs, microsecs / 1000);
6001 WaitLatch(&XLogCtl->recoveryWakeupLatch,
6002 WL_LATCH_SET | WL_TIMEOUT | WL_POSTMASTER_DEATH,
6003 secs * 1000L + microsecs / 1000,
6004 WAIT_EVENT_RECOVERY_APPLY_DELAY);
6010 * Save timestamp of latest processed commit/abort record.
6012 * We keep this in XLogCtl, not a simple static variable, so that it can be
6013 * seen by processes other than the startup process. Note in particular
6014 * that CreateRestartPoint is executed in the checkpointer.
6017 SetLatestXTime(TimestampTz xtime)
6019 SpinLockAcquire(&XLogCtl->info_lck);
6020 XLogCtl->recoveryLastXTime = xtime;
6021 SpinLockRelease(&XLogCtl->info_lck);
6025 * Fetch timestamp of latest processed commit/abort record.
6028 GetLatestXTime(void)
6032 SpinLockAcquire(&XLogCtl->info_lck);
6033 xtime = XLogCtl->recoveryLastXTime;
6034 SpinLockRelease(&XLogCtl->info_lck);
6040 * Save timestamp of the next chunk of WAL records to apply.
6042 * We keep this in XLogCtl, not a simple static variable, so that it can be
6043 * seen by all backends.
6046 SetCurrentChunkStartTime(TimestampTz xtime)
6048 SpinLockAcquire(&XLogCtl->info_lck);
6049 XLogCtl->currentChunkStartTime = xtime;
6050 SpinLockRelease(&XLogCtl->info_lck);
6054 * Fetch timestamp of latest processed commit/abort record.
6055 * Startup process maintains an accurate local copy in XLogReceiptTime
6058 GetCurrentChunkReplayStartTime(void)
6062 SpinLockAcquire(&XLogCtl->info_lck);
6063 xtime = XLogCtl->currentChunkStartTime;
6064 SpinLockRelease(&XLogCtl->info_lck);
6070 * Returns time of receipt of current chunk of XLOG data, as well as
6071 * whether it was received from streaming replication or from archives.
6074 GetXLogReceiptTime(TimestampTz *rtime, bool *fromStream)
6077 * This must be executed in the startup process, since we don't export the
6078 * relevant state to shared memory.
6082 *rtime = XLogReceiptTime;
6083 *fromStream = (XLogReceiptSource == XLOG_FROM_STREAM);
6087 * Note that text field supplied is a parameter name and does not require
6090 #define RecoveryRequiresIntParameter(param_name, currValue, minValue) \
6092 if ((currValue) < (minValue)) \
6094 (errcode(ERRCODE_INVALID_PARAMETER_VALUE), \
6095 errmsg("hot standby is not possible because " \
6096 "%s = %d is a lower setting than on the master server " \
6097 "(its value was %d)", \
6104 * Check to see if required parameters are set high enough on this server
6105 * for various aspects of recovery operation.
6107 * Note that all the parameters which this function tests need to be
6108 * listed in Administrator's Overview section in high-availability.sgml.
6109 * If you change them, don't forget to update the list.
6112 CheckRequiredParameterValues(void)
6115 * For archive recovery, the WAL must be generated with at least 'replica'
6118 if (ArchiveRecoveryRequested && ControlFile->wal_level == WAL_LEVEL_MINIMAL)
6121 (errmsg("WAL was generated with wal_level=minimal, data may be missing"),
6122 errhint("This happens if you temporarily set wal_level=minimal without taking a new base backup.")));
6126 * For Hot Standby, the WAL must be generated with 'replica' mode, and we
6127 * must have at least as many backend slots as the primary.
6129 if (ArchiveRecoveryRequested && EnableHotStandby)
6131 if (ControlFile->wal_level < WAL_LEVEL_REPLICA)
6133 (errmsg("hot standby is not possible because wal_level was not set to \"replica\" or higher on the master server"),
6134 errhint("Either set wal_level to \"replica\" on the master, or turn off hot_standby here.")));
6136 /* We ignore autovacuum_max_workers when we make this test. */
6137 RecoveryRequiresIntParameter("max_connections",
6139 ControlFile->MaxConnections);
6140 RecoveryRequiresIntParameter("max_worker_processes",
6141 max_worker_processes,
6142 ControlFile->max_worker_processes);
6143 RecoveryRequiresIntParameter("max_prepared_transactions",
6145 ControlFile->max_prepared_xacts);
6146 RecoveryRequiresIntParameter("max_locks_per_transaction",
6148 ControlFile->max_locks_per_xact);
6153 * This must be called ONCE during postmaster or standalone-backend startup
6158 XLogCtlInsert *Insert;
6159 CheckPoint checkPoint;
6161 bool reachedStopPoint = false;
6162 bool haveBackupLabel = false;
6163 bool haveTblspcMap = false;
6167 TimeLineID EndOfLogTLI;
6168 TimeLineID PrevTimeLineID;
6170 TransactionId oldestActiveXID;
6171 bool backupEndRequired = false;
6172 bool backupFromStandby = false;
6173 DBState dbstate_at_startup;
6174 XLogReaderState *xlogreader;
6175 XLogPageReadPrivate private;
6176 bool fast_promoted = false;
6180 * Read control file and check XLOG status looks valid.
6182 * Note: in most control paths, *ControlFile is already valid and we need
6183 * not do ReadControlFile() here, but might as well do it to be sure.
6187 if (ControlFile->state < DB_SHUTDOWNED ||
6188 ControlFile->state > DB_IN_PRODUCTION ||
6189 !XRecOffIsValid(ControlFile->checkPoint))
6191 (errmsg("control file contains invalid data")));
6193 if (ControlFile->state == DB_SHUTDOWNED)
6195 /* This is the expected case, so don't be chatty in standalone mode */
6196 ereport(IsPostmasterEnvironment ? LOG : NOTICE,
6197 (errmsg("database system was shut down at %s",
6198 str_time(ControlFile->time))));
6200 else if (ControlFile->state == DB_SHUTDOWNED_IN_RECOVERY)
6202 (errmsg("database system was shut down in recovery at %s",
6203 str_time(ControlFile->time))));
6204 else if (ControlFile->state == DB_SHUTDOWNING)
6206 (errmsg("database system shutdown was interrupted; last known up at %s",
6207 str_time(ControlFile->time))));
6208 else if (ControlFile->state == DB_IN_CRASH_RECOVERY)
6210 (errmsg("database system was interrupted while in recovery at %s",
6211 str_time(ControlFile->time)),
6212 errhint("This probably means that some data is corrupted and"
6213 " you will have to use the last backup for recovery.")));
6214 else if (ControlFile->state == DB_IN_ARCHIVE_RECOVERY)
6216 (errmsg("database system was interrupted while in recovery at log time %s",
6217 str_time(ControlFile->checkPointCopy.time)),
6218 errhint("If this has occurred more than once some data might be corrupted"
6219 " and you might need to choose an earlier recovery target.")));
6220 else if (ControlFile->state == DB_IN_PRODUCTION)
6222 (errmsg("database system was interrupted; last known up at %s",
6223 str_time(ControlFile->time))));
6225 /* This is just to allow attaching to startup process with a debugger */
6226 #ifdef XLOG_REPLAY_DELAY
6227 if (ControlFile->state != DB_SHUTDOWNED)
6228 pg_usleep(60000000L);
6232 * Verify that pg_wal and pg_wal/archive_status exist. In cases where
6233 * someone has performed a copy for PITR, these directories may have been
6234 * excluded and need to be re-created.
6236 ValidateXLOGDirectoryStructure();
6239 * If we previously crashed, there might be data which we had written,
6240 * intending to fsync it, but which we had not actually fsync'd yet.
6241 * Therefore, a power failure in the near future might cause earlier
6242 * unflushed writes to be lost, even though more recent data written to
6243 * disk from here on would be persisted. To avoid that, fsync the entire
6246 if (ControlFile->state != DB_SHUTDOWNED &&
6247 ControlFile->state != DB_SHUTDOWNED_IN_RECOVERY)
6248 SyncDataDirectory();
6251 * Initialize on the assumption we want to recover to the latest timeline
6252 * that's active according to pg_control.
6254 if (ControlFile->minRecoveryPointTLI >
6255 ControlFile->checkPointCopy.ThisTimeLineID)
6256 recoveryTargetTLI = ControlFile->minRecoveryPointTLI;
6258 recoveryTargetTLI = ControlFile->checkPointCopy.ThisTimeLineID;
6261 * Check for recovery control file, and if so set up state for offline
6264 readRecoveryCommandFile();
6267 * Save archive_cleanup_command in shared memory so that other processes
6270 strlcpy(XLogCtl->archiveCleanupCommand,
6271 archiveCleanupCommand ? archiveCleanupCommand : "",
6272 sizeof(XLogCtl->archiveCleanupCommand));
6274 if (ArchiveRecoveryRequested)
6276 if (StandbyModeRequested)
6278 (errmsg("entering standby mode")));
6279 else if (recoveryTarget == RECOVERY_TARGET_XID)
6281 (errmsg("starting point-in-time recovery to XID %u",
6282 recoveryTargetXid)));
6283 else if (recoveryTarget == RECOVERY_TARGET_TIME)
6285 (errmsg("starting point-in-time recovery to %s",
6286 timestamptz_to_str(recoveryTargetTime))));
6287 else if (recoveryTarget == RECOVERY_TARGET_NAME)
6289 (errmsg("starting point-in-time recovery to \"%s\"",
6290 recoveryTargetName)));
6291 else if (recoveryTarget == RECOVERY_TARGET_LSN)
6293 (errmsg("starting point-in-time recovery to WAL position (LSN) \"%X/%X\"",
6294 (uint32) (recoveryTargetLSN >> 32),
6295 (uint32) recoveryTargetLSN)));
6296 else if (recoveryTarget == RECOVERY_TARGET_IMMEDIATE)
6298 (errmsg("starting point-in-time recovery to earliest consistent point")));
6301 (errmsg("starting archive recovery")));
6305 * Take ownership of the wakeup latch if we're going to sleep during
6308 if (StandbyModeRequested)
6309 OwnLatch(&XLogCtl->recoveryWakeupLatch);
6311 /* Set up XLOG reader facility */
6312 MemSet(&private, 0, sizeof(XLogPageReadPrivate));
6313 xlogreader = XLogReaderAllocate(&XLogPageRead, &private);
6316 (errcode(ERRCODE_OUT_OF_MEMORY),
6317 errmsg("out of memory"),
6318 errdetail("Failed while allocating a WAL reading processor.")));
6319 xlogreader->system_identifier = ControlFile->system_identifier;
6322 * Allocate pages dedicated to WAL consistency checks, those had better
6325 replay_image_masked = (char *) palloc(BLCKSZ);
6326 master_image_masked = (char *) palloc(BLCKSZ);
6328 if (read_backup_label(&checkPointLoc, &backupEndRequired,
6329 &backupFromStandby))
6331 List *tablespaces = NIL;
6334 * Archive recovery was requested, and thanks to the backup label
6335 * file, we know how far we need to replay to reach consistency. Enter
6336 * archive recovery directly.
6338 InArchiveRecovery = true;
6339 if (StandbyModeRequested)
6343 * When a backup_label file is present, we want to roll forward from
6344 * the checkpoint it identifies, rather than using pg_control.
6346 record = ReadCheckpointRecord(xlogreader, checkPointLoc, 0, true);
6349 memcpy(&checkPoint, XLogRecGetData(xlogreader), sizeof(CheckPoint));
6350 wasShutdown = ((record->xl_info & ~XLR_INFO_MASK) == XLOG_CHECKPOINT_SHUTDOWN);
6352 (errmsg("checkpoint record is at %X/%X",
6353 (uint32) (checkPointLoc >> 32), (uint32) checkPointLoc)));
6354 InRecovery = true; /* force recovery even if SHUTDOWNED */
6357 * Make sure that REDO location exists. This may not be the case
6358 * if there was a crash during an online backup, which left a
6359 * backup_label around that references a WAL segment that's
6360 * already been archived.
6362 if (checkPoint.redo < checkPointLoc)
6364 if (!ReadRecord(xlogreader, checkPoint.redo, LOG, false))
6366 (errmsg("could not find redo location referenced by checkpoint record"),
6367 errhint("If you are not restoring from a backup, try removing the file \"%s/backup_label\".", DataDir)));
6373 (errmsg("could not locate required checkpoint record"),
6374 errhint("If you are not restoring from a backup, try removing the file \"%s/backup_label\".", DataDir)));
6375 wasShutdown = false; /* keep compiler quiet */
6378 /* read the tablespace_map file if present and create symlinks. */
6379 if (read_tablespace_map(&tablespaces))
6383 foreach(lc, tablespaces)
6385 tablespaceinfo *ti = lfirst(lc);
6388 linkloc = psprintf("pg_tblspc/%s", ti->oid);
6391 * Remove the existing symlink if any and Create the symlink
6394 remove_tablespace_symlink(linkloc);
6396 if (symlink(ti->path, linkloc) < 0)
6398 (errcode_for_file_access(),
6399 errmsg("could not create symbolic link \"%s\": %m",
6407 /* set flag to delete it later */
6408 haveTblspcMap = true;
6411 /* set flag to delete it later */
6412 haveBackupLabel = true;
6417 * If tablespace_map file is present without backup_label file, there
6418 * is no use of such file. There is no harm in retaining it, but it
6419 * is better to get rid of the map file so that we don't have any
6420 * redundant file in data directory and it will avoid any sort of
6421 * confusion. It seems prudent though to just rename the file out of
6422 * the way rather than delete it completely, also we ignore any error
6423 * that occurs in rename operation as even if map file is present
6424 * without backup_label file, it is harmless.
6426 if (stat(TABLESPACE_MAP, &st) == 0)
6428 unlink(TABLESPACE_MAP_OLD);
6429 if (durable_rename(TABLESPACE_MAP, TABLESPACE_MAP_OLD, DEBUG1) == 0)
6431 (errmsg("ignoring file \"%s\" because no file \"%s\" exists",
6432 TABLESPACE_MAP, BACKUP_LABEL_FILE),
6433 errdetail("File \"%s\" was renamed to \"%s\".",
6434 TABLESPACE_MAP, TABLESPACE_MAP_OLD)));
6437 (errmsg("ignoring file \"%s\" because no file \"%s\" exists",
6438 TABLESPACE_MAP, BACKUP_LABEL_FILE),
6439 errdetail("Could not rename file \"%s\" to \"%s\": %m.",
6440 TABLESPACE_MAP, TABLESPACE_MAP_OLD)));
6444 * It's possible that archive recovery was requested, but we don't
6445 * know how far we need to replay the WAL before we reach consistency.
6446 * This can happen for example if a base backup is taken from a
6447 * running server using an atomic filesystem snapshot, without calling
6448 * pg_start/stop_backup. Or if you just kill a running master server
6449 * and put it into archive recovery by creating a recovery.conf file.
6451 * Our strategy in that case is to perform crash recovery first,
6452 * replaying all the WAL present in pg_wal, and only enter archive
6453 * recovery after that.
6455 * But usually we already know how far we need to replay the WAL (up
6456 * to minRecoveryPoint, up to backupEndPoint, or until we see an
6457 * end-of-backup record), and we can enter archive recovery directly.
6459 if (ArchiveRecoveryRequested &&
6460 (ControlFile->minRecoveryPoint != InvalidXLogRecPtr ||
6461 ControlFile->backupEndRequired ||
6462 ControlFile->backupEndPoint != InvalidXLogRecPtr ||
6463 ControlFile->state == DB_SHUTDOWNED))
6465 InArchiveRecovery = true;
6466 if (StandbyModeRequested)
6471 * Get the last valid checkpoint record. If the latest one according
6472 * to pg_control is broken, try the next-to-last one.
6474 checkPointLoc = ControlFile->checkPoint;
6475 RedoStartLSN = ControlFile->checkPointCopy.redo;
6476 record = ReadCheckpointRecord(xlogreader, checkPointLoc, 1, true);
6480 (errmsg("checkpoint record is at %X/%X",
6481 (uint32) (checkPointLoc >> 32), (uint32) checkPointLoc)));
6483 else if (StandbyMode)
6486 * The last valid checkpoint record required for a streaming
6487 * recovery exists in neither standby nor the primary.
6490 (errmsg("could not locate a valid checkpoint record")));
6494 checkPointLoc = ControlFile->prevCheckPoint;
6495 record = ReadCheckpointRecord(xlogreader, checkPointLoc, 2, true);
6499 (errmsg("using previous checkpoint record at %X/%X",
6500 (uint32) (checkPointLoc >> 32), (uint32) checkPointLoc)));
6501 InRecovery = true; /* force recovery even if SHUTDOWNED */
6505 (errmsg("could not locate a valid checkpoint record")));
6507 memcpy(&checkPoint, XLogRecGetData(xlogreader), sizeof(CheckPoint));
6508 wasShutdown = ((record->xl_info & ~XLR_INFO_MASK) == XLOG_CHECKPOINT_SHUTDOWN);
6512 * Clear out any old relcache cache files. This is *necessary* if we do
6513 * any WAL replay, since that would probably result in the cache files
6514 * being out of sync with database reality. In theory we could leave them
6515 * in place if the database had been cleanly shut down, but it seems
6516 * safest to just remove them always and let them be rebuilt during the
6517 * first backend startup. These files needs to be removed from all
6518 * directories including pg_tblspc, however the symlinks are created only
6519 * after reading tablespace_map file in case of archive recovery from
6520 * backup, so needs to clear old relcache files here after creating
6523 RelationCacheInitFileRemove();
6526 * If the location of the checkpoint record is not on the expected
6527 * timeline in the history of the requested timeline, we cannot proceed:
6528 * the backup is not part of the history of the requested timeline.
6530 Assert(expectedTLEs); /* was initialized by reading checkpoint
6532 if (tliOfPointInHistory(checkPointLoc, expectedTLEs) !=
6533 checkPoint.ThisTimeLineID)
6535 XLogRecPtr switchpoint;
6538 * tliSwitchPoint will throw an error if the checkpoint's timeline is
6539 * not in expectedTLEs at all.
6541 switchpoint = tliSwitchPoint(ControlFile->checkPointCopy.ThisTimeLineID, expectedTLEs, NULL);
6543 (errmsg("requested timeline %u is not a child of this server's history",
6545 errdetail("Latest checkpoint is at %X/%X on timeline %u, but in the history of the requested timeline, the server forked off from that timeline at %X/%X.",
6546 (uint32) (ControlFile->checkPoint >> 32),
6547 (uint32) ControlFile->checkPoint,
6548 ControlFile->checkPointCopy.ThisTimeLineID,
6549 (uint32) (switchpoint >> 32),
6550 (uint32) switchpoint)));
6554 * The min recovery point should be part of the requested timeline's
6557 if (!XLogRecPtrIsInvalid(ControlFile->minRecoveryPoint) &&
6558 tliOfPointInHistory(ControlFile->minRecoveryPoint - 1, expectedTLEs) !=
6559 ControlFile->minRecoveryPointTLI)
6561 (errmsg("requested timeline %u does not contain minimum recovery point %X/%X on timeline %u",
6563 (uint32) (ControlFile->minRecoveryPoint >> 32),
6564 (uint32) ControlFile->minRecoveryPoint,
6565 ControlFile->minRecoveryPointTLI)));
6567 LastRec = RecPtr = checkPointLoc;
6570 (errmsg_internal("redo record is at %X/%X; shutdown %s",
6571 (uint32) (checkPoint.redo >> 32), (uint32) checkPoint.redo,
6572 wasShutdown ? "TRUE" : "FALSE")));
6574 (errmsg_internal("next transaction ID: %u:%u; next OID: %u",
6575 checkPoint.nextXidEpoch, checkPoint.nextXid,
6576 checkPoint.nextOid)));
6578 (errmsg_internal("next MultiXactId: %u; next MultiXactOffset: %u",
6579 checkPoint.nextMulti, checkPoint.nextMultiOffset)));
6581 (errmsg_internal("oldest unfrozen transaction ID: %u, in database %u",
6582 checkPoint.oldestXid, checkPoint.oldestXidDB)));
6584 (errmsg_internal("oldest MultiXactId: %u, in database %u",
6585 checkPoint.oldestMulti, checkPoint.oldestMultiDB)));
6587 (errmsg_internal("commit timestamp Xid oldest/newest: %u/%u",
6588 checkPoint.oldestCommitTsXid,
6589 checkPoint.newestCommitTsXid)));
6590 if (!TransactionIdIsNormal(checkPoint.nextXid))
6592 (errmsg("invalid next transaction ID")));
6594 /* initialize shared memory variables from the checkpoint record */
6595 ShmemVariableCache->nextXid = checkPoint.nextXid;
6596 ShmemVariableCache->nextOid = checkPoint.nextOid;
6597 ShmemVariableCache->oidCount = 0;
6598 MultiXactSetNextMXact(checkPoint.nextMulti, checkPoint.nextMultiOffset);
6599 SetTransactionIdLimit(checkPoint.oldestXid, checkPoint.oldestXidDB);
6600 SetMultiXactIdLimit(checkPoint.oldestMulti, checkPoint.oldestMultiDB, true);
6601 SetCommitTsLimit(checkPoint.oldestCommitTsXid,
6602 checkPoint.newestCommitTsXid);
6603 XLogCtl->ckptXidEpoch = checkPoint.nextXidEpoch;
6604 XLogCtl->ckptXid = checkPoint.nextXid;
6607 * Initialize replication slots, before there's a chance to remove
6608 * required resources.
6610 StartupReplicationSlots();
6613 * Startup logical state, needs to be setup now so we have proper data
6614 * during crash recovery.
6616 StartupReorderBuffer();
6619 * Startup MultiXact. We need to do this early to be able to replay
6625 * Ditto commit timestamps. In a standby, we do it if setting is enabled
6626 * in ControlFile; in a master we base the decision on the GUC itself.
6628 if (ArchiveRecoveryRequested ?
6629 ControlFile->track_commit_timestamp : track_commit_timestamp)
6633 * Recover knowledge about replay progress of known replication partners.
6635 StartupReplicationOrigin();
6638 * Initialize unlogged LSN. On a clean shutdown, it's restored from the
6639 * control file. On recovery, all unlogged relations are blown away, so
6640 * the unlogged LSN counter can be reset too.
6642 if (ControlFile->state == DB_SHUTDOWNED)
6643 XLogCtl->unloggedLSN = ControlFile->unloggedLSN;
6645 XLogCtl->unloggedLSN = 1;
6648 * We must replay WAL entries using the same TimeLineID they were created
6649 * under, so temporarily adopt the TLI indicated by the checkpoint (see
6650 * also xlog_redo()).
6652 ThisTimeLineID = checkPoint.ThisTimeLineID;
6655 * Copy any missing timeline history files between 'now' and the recovery
6656 * target timeline from archive to pg_wal. While we don't need those
6657 * files ourselves - the history file of the recovery target timeline
6658 * covers all the previous timelines in the history too - a cascading
6659 * standby server might be interested in them. Or, if you archive the WAL
6660 * from this server to a different archive than the master, it'd be good
6661 * for all the history files to get archived there after failover, so that
6662 * you can use one of the old timelines as a PITR target. Timeline history
6663 * files are small, so it's better to copy them unnecessarily than not
6664 * copy them and regret later.
6666 restoreTimeLineHistoryFiles(ThisTimeLineID, recoveryTargetTLI);
6668 lastFullPageWrites = checkPoint.fullPageWrites;
6670 RedoRecPtr = XLogCtl->RedoRecPtr = XLogCtl->Insert.RedoRecPtr = checkPoint.redo;
6671 doPageWrites = lastFullPageWrites;
6673 if (RecPtr < checkPoint.redo)
6675 (errmsg("invalid redo in checkpoint record")));
6678 * Check whether we need to force recovery from WAL. If it appears to
6679 * have been a clean shutdown and we did not have a recovery.conf file,
6680 * then assume no recovery needed.
6682 if (checkPoint.redo < RecPtr)
6686 (errmsg("invalid redo record in shutdown checkpoint")));
6689 else if (ControlFile->state != DB_SHUTDOWNED)
6691 else if (ArchiveRecoveryRequested)
6693 /* force recovery due to presence of recovery.conf */
6703 * Update pg_control to show that we are recovering and to show the
6704 * selected checkpoint as the place we are starting from. We also mark
6705 * pg_control with any minimum recovery stop point obtained from a
6706 * backup history file.
6708 dbstate_at_startup = ControlFile->state;
6709 if (InArchiveRecovery)
6710 ControlFile->state = DB_IN_ARCHIVE_RECOVERY;
6714 (errmsg("database system was not properly shut down; "
6715 "automatic recovery in progress")));
6716 if (recoveryTargetTLI > ControlFile->checkPointCopy.ThisTimeLineID)
6718 (errmsg("crash recovery starts in timeline %u "
6719 "and has target timeline %u",
6720 ControlFile->checkPointCopy.ThisTimeLineID,
6721 recoveryTargetTLI)));
6722 ControlFile->state = DB_IN_CRASH_RECOVERY;
6724 ControlFile->prevCheckPoint = ControlFile->checkPoint;
6725 ControlFile->checkPoint = checkPointLoc;
6726 ControlFile->checkPointCopy = checkPoint;
6727 if (InArchiveRecovery)
6729 /* initialize minRecoveryPoint if not set yet */
6730 if (ControlFile->minRecoveryPoint < checkPoint.redo)
6732 ControlFile->minRecoveryPoint = checkPoint.redo;
6733 ControlFile->minRecoveryPointTLI = checkPoint.ThisTimeLineID;
6738 * Set backupStartPoint if we're starting recovery from a base backup.
6740 * Also set backupEndPoint and use minRecoveryPoint as the backup end
6741 * location if we're starting recovery from a base backup which was
6742 * taken from a standby. In this case, the database system status in
6743 * pg_control must indicate that the database was already in recovery.
6744 * Usually that will be DB_IN_ARCHIVE_RECOVERY but also can be
6745 * DB_SHUTDOWNED_IN_RECOVERY if recovery previously was interrupted
6746 * before reaching this point; e.g. because restore_command or
6747 * primary_conninfo were faulty.
6749 * Any other state indicates that the backup somehow became corrupted
6750 * and we can't sensibly continue with recovery.
6752 if (haveBackupLabel)
6754 ControlFile->backupStartPoint = checkPoint.redo;
6755 ControlFile->backupEndRequired = backupEndRequired;
6757 if (backupFromStandby)
6759 if (dbstate_at_startup != DB_IN_ARCHIVE_RECOVERY &&
6760 dbstate_at_startup != DB_SHUTDOWNED_IN_RECOVERY)
6762 (errmsg("backup_label contains data inconsistent with control file"),
6763 errhint("This means that the backup is corrupted and you will "
6764 "have to use another backup for recovery.")));
6765 ControlFile->backupEndPoint = ControlFile->minRecoveryPoint;
6768 ControlFile->time = (pg_time_t) time(NULL);
6769 /* No need to hold ControlFileLock yet, we aren't up far enough */
6770 UpdateControlFile();
6772 /* initialize our local copy of minRecoveryPoint */
6773 minRecoveryPoint = ControlFile->minRecoveryPoint;
6774 minRecoveryPointTLI = ControlFile->minRecoveryPointTLI;
6777 * Reset pgstat data, because it may be invalid after recovery.
6782 * If there was a backup label file, it's done its job and the info
6783 * has now been propagated into pg_control. We must get rid of the
6784 * label file so that if we crash during recovery, we'll pick up at
6785 * the latest recovery restartpoint instead of going all the way back
6786 * to the backup start point. It seems prudent though to just rename
6787 * the file out of the way rather than delete it completely.
6789 if (haveBackupLabel)
6791 unlink(BACKUP_LABEL_OLD);
6792 durable_rename(BACKUP_LABEL_FILE, BACKUP_LABEL_OLD, FATAL);
6796 * If there was a tablespace_map file, it's done its job and the
6797 * symlinks have been created. We must get rid of the map file so
6798 * that if we crash during recovery, we don't create symlinks again.
6799 * It seems prudent though to just rename the file out of the way
6800 * rather than delete it completely.
6804 unlink(TABLESPACE_MAP_OLD);
6805 durable_rename(TABLESPACE_MAP, TABLESPACE_MAP_OLD, FATAL);
6808 /* Check that the GUCs used to generate the WAL allow recovery */
6809 CheckRequiredParameterValues();
6812 * We're in recovery, so unlogged relations may be trashed and must be
6813 * reset. This should be done BEFORE allowing Hot Standby
6814 * connections, so that read-only backends don't try to read whatever
6815 * garbage is left over from before.
6817 ResetUnloggedRelations(UNLOGGED_RELATION_CLEANUP);
6820 * Likewise, delete any saved transaction snapshot files that got left
6821 * behind by crashed backends.
6823 DeleteAllExportedSnapshotFiles();
6826 * Initialize for Hot Standby, if enabled. We won't let backends in
6827 * yet, not until we've reached the min recovery point specified in
6828 * control file and we've established a recovery snapshot from a
6829 * running-xacts WAL record.
6831 if (ArchiveRecoveryRequested && EnableHotStandby)
6833 TransactionId *xids;
6837 (errmsg("initializing for hot standby")));
6839 InitRecoveryTransactionEnvironment();
6842 oldestActiveXID = PrescanPreparedTransactions(&xids, &nxids);
6844 oldestActiveXID = checkPoint.oldestActiveXid;
6845 Assert(TransactionIdIsValid(oldestActiveXID));
6847 /* Tell procarray about the range of xids it has to deal with */
6848 ProcArrayInitRecovery(ShmemVariableCache->nextXid);
6851 * Startup commit log and subtrans only. MultiXact and commit
6852 * timestamp have already been started up and other SLRUs are not
6853 * maintained during recovery and need not be started yet.
6856 StartupSUBTRANS(oldestActiveXID);
6859 * If we're beginning at a shutdown checkpoint, we know that
6860 * nothing was running on the master at this point. So fake-up an
6861 * empty running-xacts record and use that here and now. Recover
6862 * additional standby state for prepared transactions.
6866 RunningTransactionsData running;
6867 TransactionId latestCompletedXid;
6870 * Construct a RunningTransactions snapshot representing a
6871 * shut down server, with only prepared transactions still
6872 * alive. We're never overflowed at this point because all
6873 * subxids are listed with their parent prepared transactions.
6875 running.xcnt = nxids;
6876 running.subxcnt = 0;
6877 running.subxid_overflow = false;
6878 running.nextXid = checkPoint.nextXid;
6879 running.oldestRunningXid = oldestActiveXID;
6880 latestCompletedXid = checkPoint.nextXid;
6881 TransactionIdRetreat(latestCompletedXid);
6882 Assert(TransactionIdIsNormal(latestCompletedXid));
6883 running.latestCompletedXid = latestCompletedXid;
6884 running.xids = xids;
6886 ProcArrayApplyRecoveryInfo(&running);
6888 StandbyRecoverPreparedTransactions(false);
6892 /* Initialize resource managers */
6893 for (rmid = 0; rmid <= RM_MAX_ID; rmid++)
6895 if (RmgrTable[rmid].rm_startup != NULL)
6896 RmgrTable[rmid].rm_startup();
6900 * Initialize shared variables for tracking progress of WAL replay, as
6901 * if we had just replayed the record before the REDO location (or the
6902 * checkpoint record itself, if it's a shutdown checkpoint).
6904 SpinLockAcquire(&XLogCtl->info_lck);
6905 if (checkPoint.redo < RecPtr)
6906 XLogCtl->replayEndRecPtr = checkPoint.redo;
6908 XLogCtl->replayEndRecPtr = EndRecPtr;
6909 XLogCtl->replayEndTLI = ThisTimeLineID;
6910 XLogCtl->lastReplayedEndRecPtr = XLogCtl->replayEndRecPtr;
6911 XLogCtl->lastReplayedTLI = XLogCtl->replayEndTLI;
6912 XLogCtl->recoveryLastXTime = 0;
6913 XLogCtl->currentChunkStartTime = 0;
6914 XLogCtl->recoveryPause = false;
6915 SpinLockRelease(&XLogCtl->info_lck);
6917 /* Also ensure XLogReceiptTime has a sane value */
6918 XLogReceiptTime = GetCurrentTimestamp();
6921 * Let postmaster know we've started redo now, so that it can launch
6922 * checkpointer to perform restartpoints. We don't bother during
6923 * crash recovery as restartpoints can only be performed during
6924 * archive recovery. And we'd like to keep crash recovery simple, to
6925 * avoid introducing bugs that could affect you when recovering after
6928 * After this point, we can no longer assume that we're the only
6929 * process in addition to postmaster! Also, fsync requests are
6930 * subsequently to be handled by the checkpointer, not locally.
6932 if (ArchiveRecoveryRequested && IsUnderPostmaster)
6934 PublishStartupProcessInformation();
6935 SetForwardFsyncRequests();
6936 SendPostmasterSignal(PMSIGNAL_RECOVERY_STARTED);
6937 bgwriterLaunched = true;
6941 * Allow read-only connections immediately if we're consistent
6944 CheckRecoveryConsistency();
6947 * Find the first record that logically follows the checkpoint --- it
6948 * might physically precede it, though.
6950 if (checkPoint.redo < RecPtr)
6952 /* back up to find the record */
6953 record = ReadRecord(xlogreader, checkPoint.redo, PANIC, false);
6957 /* just have to read next record after CheckPoint */
6958 record = ReadRecord(xlogreader, InvalidXLogRecPtr, LOG, false);
6963 ErrorContextCallback errcallback;
6969 (errmsg("redo starts at %X/%X",
6970 (uint32) (ReadRecPtr >> 32), (uint32) ReadRecPtr)));
6973 * main redo apply loop
6977 bool switchedTLI = false;
6981 (rmid == RM_XACT_ID && trace_recovery_messages <= DEBUG2) ||
6982 (rmid != RM_XACT_ID && trace_recovery_messages <= DEBUG3))
6986 initStringInfo(&buf);
6987 appendStringInfo(&buf, "REDO @ %X/%X; LSN %X/%X: ",
6988 (uint32) (ReadRecPtr >> 32), (uint32) ReadRecPtr,
6989 (uint32) (EndRecPtr >> 32), (uint32) EndRecPtr);
6990 xlog_outrec(&buf, xlogreader);
6991 appendStringInfoString(&buf, " - ");
6992 xlog_outdesc(&buf, xlogreader);
6993 elog(LOG, "%s", buf.data);
6998 /* Handle interrupt signals of startup process */
6999 HandleStartupProcInterrupts();
7002 * Pause WAL replay, if requested by a hot-standby session via
7003 * SetRecoveryPause().
7005 * Note that we intentionally don't take the info_lck spinlock
7006 * here. We might therefore read a slightly stale value of
7007 * the recoveryPause flag, but it can't be very stale (no
7008 * worse than the last spinlock we did acquire). Since a
7009 * pause request is a pretty asynchronous thing anyway,
7010 * possibly responding to it one WAL record later than we
7011 * otherwise would is a minor issue, so it doesn't seem worth
7012 * adding another spinlock cycle to prevent that.
7014 if (((volatile XLogCtlData *) XLogCtl)->recoveryPause)
7015 recoveryPausesHere();
7018 * Have we reached our recovery target?
7020 if (recoveryStopsBefore(xlogreader))
7022 reachedStopPoint = true; /* see below */
7027 * If we've been asked to lag the master, wait on latch until
7028 * enough time has passed.
7030 if (recoveryApplyDelay(xlogreader))
7033 * We test for paused recovery again here. If user sets
7034 * delayed apply, it may be because they expect to pause
7035 * recovery in case of problems, so we must test again
7036 * here otherwise pausing during the delay-wait wouldn't
7039 if (((volatile XLogCtlData *) XLogCtl)->recoveryPause)
7040 recoveryPausesHere();
7043 /* Setup error traceback support for ereport() */
7044 errcallback.callback = rm_redo_error_callback;
7045 errcallback.arg = (void *) xlogreader;
7046 errcallback.previous = error_context_stack;
7047 error_context_stack = &errcallback;
7050 * ShmemVariableCache->nextXid must be beyond record's xid.
7052 * We don't expect anyone else to modify nextXid, hence we
7053 * don't need to hold a lock while examining it. We still
7054 * acquire the lock to modify it, though.
7056 if (TransactionIdFollowsOrEquals(record->xl_xid,
7057 ShmemVariableCache->nextXid))
7059 LWLockAcquire(XidGenLock, LW_EXCLUSIVE);
7060 ShmemVariableCache->nextXid = record->xl_xid;
7061 TransactionIdAdvance(ShmemVariableCache->nextXid);
7062 LWLockRelease(XidGenLock);
7066 * Before replaying this record, check if this record causes
7067 * the current timeline to change. The record is already
7068 * considered to be part of the new timeline, so we update
7069 * ThisTimeLineID before replaying it. That's important so
7070 * that replayEndTLI, which is recorded as the minimum
7071 * recovery point's TLI if recovery stops after this record,
7074 if (record->xl_rmid == RM_XLOG_ID)
7076 TimeLineID newTLI = ThisTimeLineID;
7077 TimeLineID prevTLI = ThisTimeLineID;
7078 uint8 info = record->xl_info & ~XLR_INFO_MASK;
7080 if (info == XLOG_CHECKPOINT_SHUTDOWN)
7082 CheckPoint checkPoint;
7084 memcpy(&checkPoint, XLogRecGetData(xlogreader), sizeof(CheckPoint));
7085 newTLI = checkPoint.ThisTimeLineID;
7086 prevTLI = checkPoint.PrevTimeLineID;
7088 else if (info == XLOG_END_OF_RECOVERY)
7090 xl_end_of_recovery xlrec;
7092 memcpy(&xlrec, XLogRecGetData(xlogreader), sizeof(xl_end_of_recovery));
7093 newTLI = xlrec.ThisTimeLineID;
7094 prevTLI = xlrec.PrevTimeLineID;
7097 if (newTLI != ThisTimeLineID)
7099 /* Check that it's OK to switch to this TLI */
7100 checkTimeLineSwitch(EndRecPtr, newTLI, prevTLI);
7102 /* Following WAL records should be run with new TLI */
7103 ThisTimeLineID = newTLI;
7109 * Update shared replayEndRecPtr before replaying this record,
7110 * so that XLogFlush will update minRecoveryPoint correctly.
7112 SpinLockAcquire(&XLogCtl->info_lck);
7113 XLogCtl->replayEndRecPtr = EndRecPtr;
7114 XLogCtl->replayEndTLI = ThisTimeLineID;
7115 SpinLockRelease(&XLogCtl->info_lck);
7118 * If we are attempting to enter Hot Standby mode, process
7121 if (standbyState >= STANDBY_INITIALIZED &&
7122 TransactionIdIsValid(record->xl_xid))
7123 RecordKnownAssignedTransactionIds(record->xl_xid);
7125 /* Now apply the WAL record itself */
7126 RmgrTable[record->xl_rmid].rm_redo(xlogreader);
7129 * After redo, check whether the backup pages associated with
7130 * the WAL record are consistent with the existing pages. This
7131 * check is done only if consistency check is enabled for this
7134 if ((record->xl_info & XLR_CHECK_CONSISTENCY) != 0)
7135 checkXLogConsistency(xlogreader);
7137 /* Pop the error context stack */
7138 error_context_stack = errcallback.previous;
7141 * Update lastReplayedEndRecPtr after this record has been
7142 * successfully replayed.
7144 SpinLockAcquire(&XLogCtl->info_lck);
7145 XLogCtl->lastReplayedEndRecPtr = EndRecPtr;
7146 XLogCtl->lastReplayedTLI = ThisTimeLineID;
7147 SpinLockRelease(&XLogCtl->info_lck);
7150 * If rm_redo called XLogRequestWalReceiverReply, then we wake
7151 * up the receiver so that it notices the updated
7152 * lastReplayedEndRecPtr and sends a reply to the master.
7154 if (doRequestWalReceiverReply)
7156 doRequestWalReceiverReply = false;
7160 /* Remember this record as the last-applied one */
7161 LastRec = ReadRecPtr;
7163 /* Allow read-only connections if we're consistent now */
7164 CheckRecoveryConsistency();
7166 /* Is this a timeline switch? */
7170 * Before we continue on the new timeline, clean up any
7171 * (possibly bogus) future WAL segments on the old
7174 RemoveNonParentXlogFiles(EndRecPtr, ThisTimeLineID);
7177 * Wake up any walsenders to notice that we are on a new
7180 if (switchedTLI && AllowCascadeReplication())
7184 /* Exit loop if we reached inclusive recovery target */
7185 if (recoveryStopsAfter(xlogreader))
7187 reachedStopPoint = true;
7191 /* Else, try to fetch the next WAL record */
7192 record = ReadRecord(xlogreader, InvalidXLogRecPtr, LOG, false);
7193 } while (record != NULL);
7196 * end of main redo apply loop
7199 if (reachedStopPoint)
7201 if (!reachedConsistency)
7203 (errmsg("requested recovery stop point is before consistent recovery point")));
7206 * This is the last point where we can restart recovery with a
7207 * new recovery target, if we shutdown and begin again. After
7208 * this, Resource Managers may choose to do permanent
7209 * corrective actions at end of recovery.
7211 switch (recoveryTargetAction)
7213 case RECOVERY_TARGET_ACTION_SHUTDOWN:
7216 * exit with special return code to request shutdown
7217 * of postmaster. Log messages issued from
7222 case RECOVERY_TARGET_ACTION_PAUSE:
7223 SetRecoveryPause(true);
7224 recoveryPausesHere();
7226 /* drop into promote */
7228 case RECOVERY_TARGET_ACTION_PROMOTE:
7233 /* Allow resource managers to do any required cleanup. */
7234 for (rmid = 0; rmid <= RM_MAX_ID; rmid++)
7236 if (RmgrTable[rmid].rm_cleanup != NULL)
7237 RmgrTable[rmid].rm_cleanup();
7241 (errmsg("redo done at %X/%X",
7242 (uint32) (ReadRecPtr >> 32), (uint32) ReadRecPtr)));
7243 xtime = GetLatestXTime();
7246 (errmsg("last completed transaction was at log time %s",
7247 timestamptz_to_str(xtime))));
7253 /* there are no WAL records following the checkpoint */
7255 (errmsg("redo is not required")));
7260 * Kill WAL receiver, if it's still running, before we continue to write
7261 * the startup checkpoint record. It will trump over the checkpoint and
7262 * subsequent records if it's still alive when we start writing WAL.
7267 * Reset unlogged relations to the contents of their INIT fork. This is
7268 * done AFTER recovery is complete so as to include any unlogged relations
7269 * created during recovery, but BEFORE recovery is marked as having
7270 * completed successfully. Otherwise we'd not retry if any of the post
7271 * end-of-recovery steps fail.
7274 ResetUnloggedRelations(UNLOGGED_RELATION_INIT);
7277 * We don't need the latch anymore. It's not strictly necessary to disown
7278 * it, but let's do it for the sake of tidiness.
7280 if (StandbyModeRequested)
7281 DisownLatch(&XLogCtl->recoveryWakeupLatch);
7284 * We are now done reading the xlog from stream. Turn off streaming
7285 * recovery to force fetching the files (which would be required at end of
7286 * recovery, e.g., timeline history file) from archive or pg_wal.
7288 StandbyMode = false;
7291 * Re-fetch the last valid or last applied record, so we can identify the
7292 * exact endpoint of what we consider the valid portion of WAL.
7294 record = ReadRecord(xlogreader, LastRec, PANIC, false);
7295 EndOfLog = EndRecPtr;
7298 * EndOfLogTLI is the TLI in the filename of the XLOG segment containing
7299 * the end-of-log. It could be different from the timeline that EndOfLog
7300 * nominally belongs to, if there was a timeline switch in that segment,
7301 * and we were reading the old WAL from a segment belonging to a higher
7304 EndOfLogTLI = xlogreader->readPageTLI;
7307 * Complain if we did not roll forward far enough to render the backup
7308 * dump consistent. Note: it is indeed okay to look at the local variable
7309 * minRecoveryPoint here, even though ControlFile->minRecoveryPoint might
7310 * be further ahead --- ControlFile->minRecoveryPoint cannot have been
7311 * advanced beyond the WAL we processed.
7314 (EndOfLog < minRecoveryPoint ||
7315 !XLogRecPtrIsInvalid(ControlFile->backupStartPoint)))
7318 * Ran off end of WAL before reaching end-of-backup WAL record, or
7319 * minRecoveryPoint. That's usually a bad sign, indicating that you
7320 * tried to recover from an online backup but never called
7321 * pg_stop_backup(), or you didn't archive all the WAL up to that
7322 * point. However, this also happens in crash recovery, if the system
7323 * crashes while an online backup is in progress. We must not treat
7324 * that as an error, or the database will refuse to start up.
7326 if (ArchiveRecoveryRequested || ControlFile->backupEndRequired)
7328 if (ControlFile->backupEndRequired)
7330 (errmsg("WAL ends before end of online backup"),
7331 errhint("All WAL generated while online backup was taken must be available at recovery.")));
7332 else if (!XLogRecPtrIsInvalid(ControlFile->backupStartPoint))
7334 (errmsg("WAL ends before end of online backup"),
7335 errhint("Online backup started with pg_start_backup() must be ended with pg_stop_backup(), and all WAL up to that point must be available at recovery.")));
7338 (errmsg("WAL ends before consistent recovery point")));
7343 * Consider whether we need to assign a new timeline ID.
7345 * If we are doing an archive recovery, we always assign a new ID. This
7346 * handles a couple of issues. If we stopped short of the end of WAL
7347 * during recovery, then we are clearly generating a new timeline and must
7348 * assign it a unique new ID. Even if we ran to the end, modifying the
7349 * current last segment is problematic because it may result in trying to
7350 * overwrite an already-archived copy of that segment, and we encourage
7351 * DBAs to make their archive_commands reject that. We can dodge the
7352 * problem by making the new active segment have a new timeline ID.
7354 * In a normal crash recovery, we can just extend the timeline we were in.
7356 PrevTimeLineID = ThisTimeLineID;
7357 if (ArchiveRecoveryRequested)
7361 Assert(InArchiveRecovery);
7363 ThisTimeLineID = findNewestTimeLine(recoveryTargetTLI) + 1;
7365 (errmsg("selected new timeline ID: %u", ThisTimeLineID)));
7368 * Create a comment for the history file to explain why and where
7371 if (recoveryTarget == RECOVERY_TARGET_XID)
7372 snprintf(reason, sizeof(reason),
7373 "%s transaction %u",
7374 recoveryStopAfter ? "after" : "before",
7376 else if (recoveryTarget == RECOVERY_TARGET_TIME)
7377 snprintf(reason, sizeof(reason),
7379 recoveryStopAfter ? "after" : "before",
7380 timestamptz_to_str(recoveryStopTime));
7381 else if (recoveryTarget == RECOVERY_TARGET_LSN)
7382 snprintf(reason, sizeof(reason),
7384 recoveryStopAfter ? "after" : "before",
7385 (uint32 ) (recoveryStopLSN >> 32),
7386 (uint32) recoveryStopLSN);
7387 else if (recoveryTarget == RECOVERY_TARGET_NAME)
7388 snprintf(reason, sizeof(reason),
7389 "at restore point \"%s\"",
7391 else if (recoveryTarget == RECOVERY_TARGET_IMMEDIATE)
7392 snprintf(reason, sizeof(reason), "reached consistency");
7394 snprintf(reason, sizeof(reason), "no recovery target specified");
7396 writeTimeLineHistory(ThisTimeLineID, recoveryTargetTLI,
7400 /* Save the selected TimeLineID in shared memory, too */
7401 XLogCtl->ThisTimeLineID = ThisTimeLineID;
7402 XLogCtl->PrevTimeLineID = PrevTimeLineID;
7405 * We are now done reading the old WAL. Turn off archive fetching if it
7406 * was active, and make a writable copy of the last WAL segment. (Note
7407 * that we also have a copy of the last block of the old WAL in readBuf;
7408 * we will use that below.)
7410 if (ArchiveRecoveryRequested)
7411 exitArchiveRecovery(EndOfLogTLI, EndOfLog);
7414 * Prepare to write WAL starting at EndOfLog position, and init xlog
7415 * buffer cache using the block containing the last record from the
7416 * previous incarnation.
7418 Insert = &XLogCtl->Insert;
7419 Insert->PrevBytePos = XLogRecPtrToBytePos(LastRec);
7420 Insert->CurrBytePos = XLogRecPtrToBytePos(EndOfLog);
7423 * Tricky point here: readBuf contains the *last* block that the LastRec
7424 * record spans, not the one it starts in. The last block is indeed the
7425 * one we want to use.
7427 if (EndOfLog % XLOG_BLCKSZ != 0)
7432 XLogRecPtr pageBeginPtr;
7434 pageBeginPtr = EndOfLog - (EndOfLog % XLOG_BLCKSZ);
7435 Assert(readOff == pageBeginPtr % XLogSegSize);
7437 firstIdx = XLogRecPtrToBufIdx(EndOfLog);
7439 /* Copy the valid part of the last block, and zero the rest */
7440 page = &XLogCtl->pages[firstIdx * XLOG_BLCKSZ];
7441 len = EndOfLog % XLOG_BLCKSZ;
7442 memcpy(page, xlogreader->readBuf, len);
7443 memset(page + len, 0, XLOG_BLCKSZ - len);
7445 XLogCtl->xlblocks[firstIdx] = pageBeginPtr + XLOG_BLCKSZ;
7446 XLogCtl->InitializedUpTo = pageBeginPtr + XLOG_BLCKSZ;
7451 * There is no partial block to copy. Just set InitializedUpTo, and
7452 * let the first attempt to insert a log record to initialize the next
7455 XLogCtl->InitializedUpTo = EndOfLog;
7458 LogwrtResult.Write = LogwrtResult.Flush = EndOfLog;
7460 XLogCtl->LogwrtResult = LogwrtResult;
7462 XLogCtl->LogwrtRqst.Write = EndOfLog;
7463 XLogCtl->LogwrtRqst.Flush = EndOfLog;
7465 /* Pre-scan prepared transactions to find out the range of XIDs present */
7466 oldestActiveXID = PrescanPreparedTransactions(NULL, NULL);
7469 * Update full_page_writes in shared memory and write an XLOG_FPW_CHANGE
7470 * record before resource manager writes cleanup WAL records or checkpoint
7471 * record is written.
7473 Insert->fullPageWrites = lastFullPageWrites;
7474 LocalSetXLogInsertAllowed();
7475 UpdateFullPageWrites();
7476 LocalXLogInsertAllowed = -1;
7481 * Perform a checkpoint to update all our recovery activity to disk.
7483 * Note that we write a shutdown checkpoint rather than an on-line
7484 * one. This is not particularly critical, but since we may be
7485 * assigning a new TLI, using a shutdown checkpoint allows us to have
7486 * the rule that TLI only changes in shutdown checkpoints, which
7487 * allows some extra error checking in xlog_redo.
7489 * In fast promotion, only create a lightweight end-of-recovery record
7490 * instead of a full checkpoint. A checkpoint is requested later,
7491 * after we're fully out of recovery mode and already accepting
7494 if (bgwriterLaunched)
7498 checkPointLoc = ControlFile->prevCheckPoint;
7501 * Confirm the last checkpoint is available for us to recover
7502 * from if we fail. Note that we don't check for the secondary
7503 * checkpoint since that isn't available in most base backups.
7505 record = ReadCheckpointRecord(xlogreader, checkPointLoc, 1, false);
7508 fast_promoted = true;
7511 * Insert a special WAL record to mark the end of
7512 * recovery, since we aren't doing a checkpoint. That
7513 * means that the checkpointer process may likely be in
7514 * the middle of a time-smoothed restartpoint and could
7515 * continue to be for minutes after this. That sounds
7516 * strange, but the effect is roughly the same and it
7517 * would be stranger to try to come out of the
7518 * restartpoint and then checkpoint. We request a
7519 * checkpoint later anyway, just for safety.
7521 CreateEndOfRecoveryRecord();
7526 RequestCheckpoint(CHECKPOINT_END_OF_RECOVERY |
7527 CHECKPOINT_IMMEDIATE |
7531 CreateCheckPoint(CHECKPOINT_END_OF_RECOVERY | CHECKPOINT_IMMEDIATE);
7534 * And finally, execute the recovery_end_command, if any.
7536 if (recoveryEndCommand)
7537 ExecuteRecoveryCommand(recoveryEndCommand,
7538 "recovery_end_command",
7542 if (ArchiveRecoveryRequested)
7545 * We switched to a new timeline. Clean up segments on the old
7548 * If there are any higher-numbered segments on the old timeline,
7549 * remove them. They might contain valid WAL, but they might also be
7550 * pre-allocated files containing garbage. In any case, they are not
7551 * part of the new timeline's history so we don't need them.
7553 RemoveNonParentXlogFiles(EndOfLog, ThisTimeLineID);
7556 * If the switch happened in the middle of a segment, what to do with
7557 * the last, partial segment on the old timeline? If we don't archive
7558 * it, and the server that created the WAL never archives it either
7559 * (e.g. because it was hit by a meteor), it will never make it to the
7560 * archive. That's OK from our point of view, because the new segment
7561 * that we created with the new TLI contains all the WAL from the old
7562 * timeline up to the switch point. But if you later try to do PITR to
7563 * the "missing" WAL on the old timeline, recovery won't find it in
7564 * the archive. It's physically present in the new file with new TLI,
7565 * but recovery won't look there when it's recovering to the older
7566 * timeline. On the other hand, if we archive the partial segment, and
7567 * the original server on that timeline is still running and archives
7568 * the completed version of the same segment later, it will fail. (We
7569 * used to do that in 9.4 and below, and it caused such problems).
7571 * As a compromise, we rename the last segment with the .partial
7572 * suffix, and archive it. Archive recovery will never try to read
7573 * .partial segments, so they will normally go unused. But in the odd
7574 * PITR case, the administrator can copy them manually to the pg_wal
7575 * directory (removing the suffix). They can be useful in debugging,
7578 * If a .done or .ready file already exists for the old timeline,
7579 * however, we had already determined that the segment is complete, so
7580 * we can let it be archived normally. (In particular, if it was
7581 * restored from the archive to begin with, it's expected to have a
7584 if (EndOfLog % XLOG_SEG_SIZE != 0 && XLogArchivingActive())
7586 char origfname[MAXFNAMELEN];
7587 XLogSegNo endLogSegNo;
7589 XLByteToPrevSeg(EndOfLog, endLogSegNo);
7590 XLogFileName(origfname, EndOfLogTLI, endLogSegNo);
7592 if (!XLogArchiveIsReadyOrDone(origfname))
7594 char origpath[MAXPGPATH];
7595 char partialfname[MAXFNAMELEN];
7596 char partialpath[MAXPGPATH];
7598 XLogFilePath(origpath, EndOfLogTLI, endLogSegNo);
7599 snprintf(partialfname, MAXFNAMELEN, "%s.partial", origfname);
7600 snprintf(partialpath, MAXPGPATH, "%s.partial", origpath);
7603 * Make sure there's no .done or .ready file for the .partial
7606 XLogArchiveCleanup(partialfname);
7608 durable_rename(origpath, partialpath, ERROR);
7609 XLogArchiveNotify(partialfname);
7615 * Preallocate additional log files, if wanted.
7617 PreallocXlogFiles(EndOfLog);
7620 * Okay, we're officially UP.
7624 /* start the archive_timeout timer and LSN running */
7625 XLogCtl->lastSegSwitchTime = (pg_time_t) time(NULL);
7626 XLogCtl->lastSegSwitchLSN = EndOfLog;
7628 /* also initialize latestCompletedXid, to nextXid - 1 */
7629 LWLockAcquire(ProcArrayLock, LW_EXCLUSIVE);
7630 ShmemVariableCache->latestCompletedXid = ShmemVariableCache->nextXid;
7631 TransactionIdRetreat(ShmemVariableCache->latestCompletedXid);
7632 LWLockRelease(ProcArrayLock);
7635 * Start up the commit log and subtrans, if not already done for hot
7636 * standby. (commit timestamps are started below, if necessary.)
7638 if (standbyState == STANDBY_DISABLED)
7641 StartupSUBTRANS(oldestActiveXID);
7645 * Perform end of recovery actions for any SLRUs that need it.
7650 /* Reload shared-memory state for prepared transactions */
7651 RecoverPreparedTransactions();
7654 * Shutdown the recovery environment. This must occur after
7655 * RecoverPreparedTransactions(), see notes for lock_twophase_recover()
7657 if (standbyState != STANDBY_DISABLED)
7658 ShutdownRecoveryTransactionEnvironment();
7660 /* Shut down xlogreader */
7666 XLogReaderFree(xlogreader);
7669 * If any of the critical GUCs have changed, log them before we allow
7670 * backends to write WAL.
7672 LocalSetXLogInsertAllowed();
7673 XLogReportParameters();
7676 * Local WAL inserts enabled, so it's time to finish initialization of
7679 CompleteCommitTsInitialization();
7682 * All done with end-of-recovery actions.
7684 * Now allow backends to write WAL and update the control file status in
7685 * consequence. The boolean flag allowing backends to write WAL is
7686 * updated while holding ControlFileLock to prevent other backends to look
7687 * at an inconsistent state of the control file in shared memory. There
7688 * is still a small window during which backends can write WAL and the
7689 * control file is still referring to a system not in DB_IN_PRODUCTION
7690 * state while looking at the on-disk control file.
7692 * Also, although the boolean flag to allow WAL is probably atomic in
7693 * itself, we use the info_lck here to ensure that there are no race
7694 * conditions concerning visibility of other recent updates to shared
7697 LWLockAcquire(ControlFileLock, LW_EXCLUSIVE);
7698 ControlFile->state = DB_IN_PRODUCTION;
7699 ControlFile->time = (pg_time_t) time(NULL);
7701 SpinLockAcquire(&XLogCtl->info_lck);
7702 XLogCtl->SharedRecoveryInProgress = false;
7703 SpinLockRelease(&XLogCtl->info_lck);
7705 UpdateControlFile();
7706 LWLockRelease(ControlFileLock);
7709 * If there were cascading standby servers connected to us, nudge any wal
7710 * sender processes to notice that we've been promoted.
7715 * If this was a fast promotion, request an (online) checkpoint now. This
7716 * isn't required for consistency, but the last restartpoint might be far
7717 * back, and in case of a crash, recovering from it might take a longer
7718 * than is appropriate now that we're not in standby mode anymore.
7721 RequestCheckpoint(CHECKPOINT_FORCE);
7725 * Checks if recovery has reached a consistent state. When consistency is
7726 * reached and we have a valid starting standby snapshot, tell postmaster
7727 * that it can start accepting read-only connections.
7730 CheckRecoveryConsistency(void)
7732 XLogRecPtr lastReplayedEndRecPtr;
7735 * During crash recovery, we don't reach a consistent state until we've
7736 * replayed all the WAL.
7738 if (XLogRecPtrIsInvalid(minRecoveryPoint))
7742 * assume that we are called in the startup process, and hence don't need
7743 * a lock to read lastReplayedEndRecPtr
7745 lastReplayedEndRecPtr = XLogCtl->lastReplayedEndRecPtr;
7748 * Have we reached the point where our base backup was completed?
7750 if (!XLogRecPtrIsInvalid(ControlFile->backupEndPoint) &&
7751 ControlFile->backupEndPoint <= lastReplayedEndRecPtr)
7754 * We have reached the end of base backup, as indicated by pg_control.
7755 * The data on disk is now consistent. Reset backupStartPoint and
7756 * backupEndPoint, and update minRecoveryPoint to make sure we don't
7757 * allow starting up at an earlier point even if recovery is stopped
7758 * and restarted soon after this.
7760 elog(DEBUG1, "end of backup reached");
7762 LWLockAcquire(ControlFileLock, LW_EXCLUSIVE);
7764 if (ControlFile->minRecoveryPoint < lastReplayedEndRecPtr)
7765 ControlFile->minRecoveryPoint = lastReplayedEndRecPtr;
7767 ControlFile->backupStartPoint = InvalidXLogRecPtr;
7768 ControlFile->backupEndPoint = InvalidXLogRecPtr;
7769 ControlFile->backupEndRequired = false;
7770 UpdateControlFile();
7772 LWLockRelease(ControlFileLock);
7776 * Have we passed our safe starting point? Note that minRecoveryPoint is
7777 * known to be incorrectly set if ControlFile->backupEndRequired, until
7778 * the XLOG_BACKUP_RECORD arrives to advise us of the correct
7779 * minRecoveryPoint. All we know prior to that is that we're not
7782 if (!reachedConsistency && !ControlFile->backupEndRequired &&
7783 minRecoveryPoint <= lastReplayedEndRecPtr &&
7784 XLogRecPtrIsInvalid(ControlFile->backupStartPoint))
7787 * Check to see if the XLOG sequence contained any unresolved
7788 * references to uninitialized pages.
7790 XLogCheckInvalidPages();
7792 reachedConsistency = true;
7794 (errmsg("consistent recovery state reached at %X/%X",
7795 (uint32) (lastReplayedEndRecPtr >> 32),
7796 (uint32) lastReplayedEndRecPtr)));
7800 * Have we got a valid starting snapshot that will allow queries to be
7801 * run? If so, we can tell postmaster that the database is consistent now,
7802 * enabling connections.
7804 if (standbyState == STANDBY_SNAPSHOT_READY &&
7805 !LocalHotStandbyActive &&
7806 reachedConsistency &&
7809 SpinLockAcquire(&XLogCtl->info_lck);
7810 XLogCtl->SharedHotStandbyActive = true;
7811 SpinLockRelease(&XLogCtl->info_lck);
7813 LocalHotStandbyActive = true;
7815 SendPostmasterSignal(PMSIGNAL_BEGIN_HOT_STANDBY);
7820 * Is the system still in recovery?
7822 * Unlike testing InRecovery, this works in any process that's connected to
7825 * As a side-effect, we initialize the local TimeLineID and RedoRecPtr
7826 * variables the first time we see that recovery is finished.
7829 RecoveryInProgress(void)
7832 * We check shared state each time only until we leave recovery mode. We
7833 * can't re-enter recovery, so there's no need to keep checking after the
7834 * shared variable has once been seen false.
7836 if (!LocalRecoveryInProgress)
7841 * use volatile pointer to make sure we make a fresh read of the
7844 volatile XLogCtlData *xlogctl = XLogCtl;
7846 LocalRecoveryInProgress = xlogctl->SharedRecoveryInProgress;
7849 * Initialize TimeLineID and RedoRecPtr when we discover that recovery
7850 * is finished. InitPostgres() relies upon this behaviour to ensure
7851 * that InitXLOGAccess() is called at backend startup. (If you change
7852 * this, see also LocalSetXLogInsertAllowed.)
7854 if (!LocalRecoveryInProgress)
7857 * If we just exited recovery, make sure we read TimeLineID and
7858 * RedoRecPtr after SharedRecoveryInProgress (for machines with
7859 * weak memory ordering).
7861 pg_memory_barrier();
7866 * Note: We don't need a memory barrier when we're still in recovery.
7867 * We might exit recovery immediately after return, so the caller
7868 * can't rely on 'true' meaning that we're still in recovery anyway.
7871 return LocalRecoveryInProgress;
7876 * Is HotStandby active yet? This is only important in special backends
7877 * since normal backends won't ever be able to connect until this returns
7878 * true. Postmaster knows this by way of signal, not via shared memory.
7880 * Unlike testing standbyState, this works in any process that's connected to
7881 * shared memory. (And note that standbyState alone doesn't tell the truth
7885 HotStandbyActive(void)
7888 * We check shared state each time only until Hot Standby is active. We
7889 * can't de-activate Hot Standby, so there's no need to keep checking
7890 * after the shared variable has once been seen true.
7892 if (LocalHotStandbyActive)
7896 /* spinlock is essential on machines with weak memory ordering! */
7897 SpinLockAcquire(&XLogCtl->info_lck);
7898 LocalHotStandbyActive = XLogCtl->SharedHotStandbyActive;
7899 SpinLockRelease(&XLogCtl->info_lck);
7901 return LocalHotStandbyActive;
7906 * Like HotStandbyActive(), but to be used only in WAL replay code,
7907 * where we don't need to ask any other process what the state is.
7910 HotStandbyActiveInReplay(void)
7912 Assert(AmStartupProcess() || !IsPostmasterEnvironment);
7913 return LocalHotStandbyActive;
7917 * Is this process allowed to insert new WAL records?
7919 * Ordinarily this is essentially equivalent to !RecoveryInProgress().
7920 * But we also have provisions for forcing the result "true" or "false"
7921 * within specific processes regardless of the global state.
7924 XLogInsertAllowed(void)
7927 * If value is "unconditionally true" or "unconditionally false", just
7928 * return it. This provides the normal fast path once recovery is known
7931 if (LocalXLogInsertAllowed >= 0)
7932 return (bool) LocalXLogInsertAllowed;
7935 * Else, must check to see if we're still in recovery.
7937 if (RecoveryInProgress())
7941 * On exit from recovery, reset to "unconditionally true", since there is
7942 * no need to keep checking.
7944 LocalXLogInsertAllowed = 1;
7949 * Make XLogInsertAllowed() return true in the current process only.
7951 * Note: it is allowed to switch LocalXLogInsertAllowed back to -1 later,
7952 * and even call LocalSetXLogInsertAllowed() again after that.
7955 LocalSetXLogInsertAllowed(void)
7957 Assert(LocalXLogInsertAllowed == -1);
7958 LocalXLogInsertAllowed = 1;
7960 /* Initialize as RecoveryInProgress() would do when switching state */
7965 * Subroutine to try to fetch and validate a prior checkpoint record.
7967 * whichChkpt identifies the checkpoint (merely for reporting purposes).
7968 * 1 for "primary", 2 for "secondary", 0 for "other" (backup_label)
7971 ReadCheckpointRecord(XLogReaderState *xlogreader, XLogRecPtr RecPtr,
7972 int whichChkpt, bool report)
7977 if (!XRecOffIsValid(RecPtr))
7986 (errmsg("invalid primary checkpoint link in control file")));
7990 (errmsg("invalid secondary checkpoint link in control file")));
7994 (errmsg("invalid checkpoint link in backup_label file")));
8000 record = ReadRecord(xlogreader, RecPtr, LOG, true);
8011 (errmsg("invalid primary checkpoint record")));
8015 (errmsg("invalid secondary checkpoint record")));
8019 (errmsg("invalid checkpoint record")));
8024 if (record->xl_rmid != RM_XLOG_ID)
8030 (errmsg("invalid resource manager ID in primary checkpoint record")));
8034 (errmsg("invalid resource manager ID in secondary checkpoint record")));
8038 (errmsg("invalid resource manager ID in checkpoint record")));
8043 info = record->xl_info & ~XLR_INFO_MASK;
8044 if (info != XLOG_CHECKPOINT_SHUTDOWN &&
8045 info != XLOG_CHECKPOINT_ONLINE)
8051 (errmsg("invalid xl_info in primary checkpoint record")));
8055 (errmsg("invalid xl_info in secondary checkpoint record")));
8059 (errmsg("invalid xl_info in checkpoint record")));
8064 if (record->xl_tot_len != SizeOfXLogRecord + SizeOfXLogRecordDataHeaderShort + sizeof(CheckPoint))
8070 (errmsg("invalid length of primary checkpoint record")));
8074 (errmsg("invalid length of secondary checkpoint record")));
8078 (errmsg("invalid length of checkpoint record")));
8087 * This must be called in a backend process before creating WAL records
8088 * (except in a standalone backend, which does StartupXLOG instead). We need
8089 * to initialize the local copies of ThisTimeLineID and RedoRecPtr.
8091 * Note: before Postgres 8.0, we went to some effort to keep the postmaster
8092 * process's copies of ThisTimeLineID and RedoRecPtr valid too. This was
8093 * unnecessary however, since the postmaster itself never touches XLOG anyway.
8096 InitXLOGAccess(void)
8098 XLogCtlInsert *Insert = &XLogCtl->Insert;
8100 /* ThisTimeLineID doesn't change so we need no lock to copy it */
8101 ThisTimeLineID = XLogCtl->ThisTimeLineID;
8102 Assert(ThisTimeLineID != 0 || IsBootstrapProcessingMode());
8104 /* Use GetRedoRecPtr to copy the RedoRecPtr safely */
8105 (void) GetRedoRecPtr();
8106 /* Also update our copy of doPageWrites. */
8107 doPageWrites = (Insert->fullPageWrites || Insert->forcePageWrites);
8109 /* Also initialize the working areas for constructing WAL records */
8114 * Return the current Redo pointer from shared memory.
8116 * As a side-effect, the local RedoRecPtr copy is updated.
8124 * The possibly not up-to-date copy in XlogCtl is enough. Even if we
8125 * grabbed a WAL insertion lock to read the master copy, someone might
8126 * update it just after we've released the lock.
8128 SpinLockAcquire(&XLogCtl->info_lck);
8129 ptr = XLogCtl->RedoRecPtr;
8130 SpinLockRelease(&XLogCtl->info_lck);
8132 if (RedoRecPtr < ptr)
8139 * Return information needed to decide whether a modified block needs a
8140 * full-page image to be included in the WAL record.
8142 * The returned values are cached copies from backend-private memory, and
8143 * possibly out-of-date. XLogInsertRecord will re-check them against
8144 * up-to-date values, while holding the WAL insert lock.
8147 GetFullPageWriteInfo(XLogRecPtr *RedoRecPtr_p, bool *doPageWrites_p)
8149 *RedoRecPtr_p = RedoRecPtr;
8150 *doPageWrites_p = doPageWrites;
8154 * GetInsertRecPtr -- Returns the current insert position.
8156 * NOTE: The value *actually* returned is the position of the last full
8157 * xlog page. It lags behind the real insert position by at most 1 page.
8158 * For that, we don't need to scan through WAL insertion locks, and an
8159 * approximation is enough for the current usage of this function.
8162 GetInsertRecPtr(void)
8166 SpinLockAcquire(&XLogCtl->info_lck);
8167 recptr = XLogCtl->LogwrtRqst.Write;
8168 SpinLockRelease(&XLogCtl->info_lck);
8174 * GetFlushRecPtr -- Returns the current flush position, ie, the last WAL
8175 * position known to be fsync'd to disk.
8178 GetFlushRecPtr(void)
8180 SpinLockAcquire(&XLogCtl->info_lck);
8181 LogwrtResult = XLogCtl->LogwrtResult;
8182 SpinLockRelease(&XLogCtl->info_lck);
8184 return LogwrtResult.Flush;
8188 * GetLastImportantRecPtr -- Returns the LSN of the last important record
8189 * inserted. All records not explicitly marked as unimportant are considered
8192 * The LSN is determined by computing the maximum of
8193 * WALInsertLocks[i].lastImportantAt.
8196 GetLastImportantRecPtr(void)
8198 XLogRecPtr res = InvalidXLogRecPtr;
8201 for (i = 0; i < NUM_XLOGINSERT_LOCKS; i++)
8203 XLogRecPtr last_important;
8206 * Need to take a lock to prevent torn reads of the LSN, which are
8207 * possible on some of the supported platforms. WAL insert locks only
8208 * support exclusive mode, so we have to use that.
8210 LWLockAcquire(&WALInsertLocks[i].l.lock, LW_EXCLUSIVE);
8211 last_important = WALInsertLocks[i].l.lastImportantAt;
8212 LWLockRelease(&WALInsertLocks[i].l.lock);
8214 if (res < last_important)
8215 res = last_important;
8222 * Get the time and LSN of the last xlog segment switch
8225 GetLastSegSwitchData(XLogRecPtr *lastSwitchLSN)
8229 /* Need WALWriteLock, but shared lock is sufficient */
8230 LWLockAcquire(WALWriteLock, LW_SHARED);
8231 result = XLogCtl->lastSegSwitchTime;
8232 *lastSwitchLSN = XLogCtl->lastSegSwitchLSN;
8233 LWLockRelease(WALWriteLock);
8239 * GetNextXidAndEpoch - get the current nextXid value and associated epoch
8241 * This is exported for use by code that would like to have 64-bit XIDs.
8242 * We don't really support such things, but all XIDs within the system
8243 * can be presumed "close to" the result, and thus the epoch associated
8244 * with them can be determined.
8247 GetNextXidAndEpoch(TransactionId *xid, uint32 *epoch)
8249 uint32 ckptXidEpoch;
8250 TransactionId ckptXid;
8251 TransactionId nextXid;
8253 /* Must read checkpoint info first, else have race condition */
8254 SpinLockAcquire(&XLogCtl->info_lck);
8255 ckptXidEpoch = XLogCtl->ckptXidEpoch;
8256 ckptXid = XLogCtl->ckptXid;
8257 SpinLockRelease(&XLogCtl->info_lck);
8259 /* Now fetch current nextXid */
8260 nextXid = ReadNewTransactionId();
8263 * nextXid is certainly logically later than ckptXid. So if it's
8264 * numerically less, it must have wrapped into the next epoch.
8266 if (nextXid < ckptXid)
8270 *epoch = ckptXidEpoch;
8274 * This must be called ONCE during postmaster or standalone-backend shutdown
8277 ShutdownXLOG(int code, Datum arg)
8279 /* Don't be chatty in standalone mode */
8280 ereport(IsPostmasterEnvironment ? LOG : NOTICE,
8281 (errmsg("shutting down")));
8283 if (RecoveryInProgress())
8284 CreateRestartPoint(CHECKPOINT_IS_SHUTDOWN | CHECKPOINT_IMMEDIATE);
8288 * If archiving is enabled, rotate the last XLOG file so that all the
8289 * remaining records are archived (postmaster wakes up the archiver
8290 * process one more time at the end of shutdown). The checkpoint
8291 * record will go to the next XLOG file and won't be archived (yet).
8293 if (XLogArchivingActive() && XLogArchiveCommandSet())
8294 RequestXLogSwitch(false);
8296 CreateCheckPoint(CHECKPOINT_IS_SHUTDOWN | CHECKPOINT_IMMEDIATE);
8301 ShutdownMultiXact();
8305 * Log start of a checkpoint.
8308 LogCheckpointStart(int flags, bool restartpoint)
8310 elog(LOG, "%s starting:%s%s%s%s%s%s%s%s",
8311 restartpoint ? "restartpoint" : "checkpoint",
8312 (flags & CHECKPOINT_IS_SHUTDOWN) ? " shutdown" : "",
8313 (flags & CHECKPOINT_END_OF_RECOVERY) ? " end-of-recovery" : "",
8314 (flags & CHECKPOINT_IMMEDIATE) ? " immediate" : "",
8315 (flags & CHECKPOINT_FORCE) ? " force" : "",
8316 (flags & CHECKPOINT_WAIT) ? " wait" : "",
8317 (flags & CHECKPOINT_CAUSE_XLOG) ? " xlog" : "",
8318 (flags & CHECKPOINT_CAUSE_TIME) ? " time" : "",
8319 (flags & CHECKPOINT_FLUSH_ALL) ? " flush-all" : "");
8323 * Log end of a checkpoint.
8326 LogCheckpointEnd(bool restartpoint)
8338 uint64 average_sync_time;
8340 CheckpointStats.ckpt_end_t = GetCurrentTimestamp();
8342 TimestampDifference(CheckpointStats.ckpt_write_t,
8343 CheckpointStats.ckpt_sync_t,
8344 &write_secs, &write_usecs);
8346 TimestampDifference(CheckpointStats.ckpt_sync_t,
8347 CheckpointStats.ckpt_sync_end_t,
8348 &sync_secs, &sync_usecs);
8350 /* Accumulate checkpoint timing summary data, in milliseconds. */
8351 BgWriterStats.m_checkpoint_write_time +=
8352 write_secs * 1000 + write_usecs / 1000;
8353 BgWriterStats.m_checkpoint_sync_time +=
8354 sync_secs * 1000 + sync_usecs / 1000;
8357 * All of the published timing statistics are accounted for. Only
8358 * continue if a log message is to be written.
8360 if (!log_checkpoints)
8363 TimestampDifference(CheckpointStats.ckpt_start_t,
8364 CheckpointStats.ckpt_end_t,
8365 &total_secs, &total_usecs);
8368 * Timing values returned from CheckpointStats are in microseconds.
8369 * Convert to the second plus microsecond form that TimestampDifference
8370 * returns for homogeneous printing.
8372 longest_secs = (long) (CheckpointStats.ckpt_longest_sync / 1000000);
8373 longest_usecs = CheckpointStats.ckpt_longest_sync -
8374 (uint64) longest_secs *1000000;
8376 average_sync_time = 0;
8377 if (CheckpointStats.ckpt_sync_rels > 0)
8378 average_sync_time = CheckpointStats.ckpt_agg_sync_time /
8379 CheckpointStats.ckpt_sync_rels;
8380 average_secs = (long) (average_sync_time / 1000000);
8381 average_usecs = average_sync_time - (uint64) average_secs *1000000;
8383 elog(LOG, "%s complete: wrote %d buffers (%.1f%%); "
8384 "%d transaction log file(s) added, %d removed, %d recycled; "
8385 "write=%ld.%03d s, sync=%ld.%03d s, total=%ld.%03d s; "
8386 "sync files=%d, longest=%ld.%03d s, average=%ld.%03d s; "
8387 "distance=%d kB, estimate=%d kB",
8388 restartpoint ? "restartpoint" : "checkpoint",
8389 CheckpointStats.ckpt_bufs_written,
8390 (double) CheckpointStats.ckpt_bufs_written * 100 / NBuffers,
8391 CheckpointStats.ckpt_segs_added,
8392 CheckpointStats.ckpt_segs_removed,
8393 CheckpointStats.ckpt_segs_recycled,
8394 write_secs, write_usecs / 1000,
8395 sync_secs, sync_usecs / 1000,
8396 total_secs, total_usecs / 1000,
8397 CheckpointStats.ckpt_sync_rels,
8398 longest_secs, longest_usecs / 1000,
8399 average_secs, average_usecs / 1000,
8400 (int) (PrevCheckPointDistance / 1024.0),
8401 (int) (CheckPointDistanceEstimate / 1024.0));
8405 * Update the estimate of distance between checkpoints.
8407 * The estimate is used to calculate the number of WAL segments to keep
8408 * preallocated, see XLOGFileSlop().
8411 UpdateCheckPointDistanceEstimate(uint64 nbytes)
8414 * To estimate the number of segments consumed between checkpoints, keep a
8415 * moving average of the amount of WAL generated in previous checkpoint
8416 * cycles. However, if the load is bursty, with quiet periods and busy
8417 * periods, we want to cater for the peak load. So instead of a plain
8418 * moving average, let the average decline slowly if the previous cycle
8419 * used less WAL than estimated, but bump it up immediately if it used
8422 * When checkpoints are triggered by max_wal_size, this should converge to
8423 * CheckpointSegments * XLOG_SEG_SIZE,
8425 * Note: This doesn't pay any attention to what caused the checkpoint.
8426 * Checkpoints triggered manually with CHECKPOINT command, or by e.g.
8427 * starting a base backup, are counted the same as those created
8428 * automatically. The slow-decline will largely mask them out, if they are
8429 * not frequent. If they are frequent, it seems reasonable to count them
8430 * in as any others; if you issue a manual checkpoint every 5 minutes and
8431 * never let a timed checkpoint happen, it makes sense to base the
8432 * preallocation on that 5 minute interval rather than whatever
8433 * checkpoint_timeout is set to.
8435 PrevCheckPointDistance = nbytes;
8436 if (CheckPointDistanceEstimate < nbytes)
8437 CheckPointDistanceEstimate = nbytes;
8439 CheckPointDistanceEstimate =
8440 (0.90 * CheckPointDistanceEstimate + 0.10 * (double) nbytes);
8444 * Perform a checkpoint --- either during shutdown, or on-the-fly
8446 * flags is a bitwise OR of the following:
8447 * CHECKPOINT_IS_SHUTDOWN: checkpoint is for database shutdown.
8448 * CHECKPOINT_END_OF_RECOVERY: checkpoint is for end of WAL recovery.
8449 * CHECKPOINT_IMMEDIATE: finish the checkpoint ASAP,
8450 * ignoring checkpoint_completion_target parameter.
8451 * CHECKPOINT_FORCE: force a checkpoint even if no XLOG activity has occurred
8452 * since the last one (implied by CHECKPOINT_IS_SHUTDOWN or
8453 * CHECKPOINT_END_OF_RECOVERY).
8454 * CHECKPOINT_FLUSH_ALL: also flush buffers of unlogged tables.
8456 * Note: flags contains other bits, of interest here only for logging purposes.
8457 * In particular note that this routine is synchronous and does not pay
8458 * attention to CHECKPOINT_WAIT.
8460 * If !shutdown then we are writing an online checkpoint. This is a very special
8461 * kind of operation and WAL record because the checkpoint action occurs over
8462 * a period of time yet logically occurs at just a single LSN. The logical
8463 * position of the WAL record (redo ptr) is the same or earlier than the
8464 * physical position. When we replay WAL we locate the checkpoint via its
8465 * physical position then read the redo ptr and actually start replay at the
8466 * earlier logical position. Note that we don't write *anything* to WAL at
8467 * the logical position, so that location could be any other kind of WAL record.
8468 * All of this mechanism allows us to continue working while we checkpoint.
8469 * As a result, timing of actions is critical here and be careful to note that
8470 * this function will likely take minutes to execute on a busy system.
8473 CreateCheckPoint(int flags)
8476 CheckPoint checkPoint;
8478 XLogCtlInsert *Insert = &XLogCtl->Insert;
8480 XLogRecPtr PriorRedoPtr;
8481 XLogRecPtr curInsert;
8482 XLogRecPtr last_important_lsn;
8483 VirtualTransactionId *vxids;
8487 * An end-of-recovery checkpoint is really a shutdown checkpoint, just
8488 * issued at a different time.
8490 if (flags & (CHECKPOINT_IS_SHUTDOWN | CHECKPOINT_END_OF_RECOVERY))
8496 if (RecoveryInProgress() && (flags & CHECKPOINT_END_OF_RECOVERY) == 0)
8497 elog(ERROR, "can't create a checkpoint during recovery");
8500 * Initialize InitXLogInsert working areas before entering the critical
8501 * section. Normally, this is done by the first call to
8502 * RecoveryInProgress() or LocalSetXLogInsertAllowed(), but when creating
8503 * an end-of-recovery checkpoint, the LocalSetXLogInsertAllowed call is
8504 * done below in a critical section, and InitXLogInsert cannot be called
8505 * in a critical section.
8510 * Acquire CheckpointLock to ensure only one checkpoint happens at a time.
8511 * (This is just pro forma, since in the present system structure there is
8512 * only one process that is allowed to issue checkpoints at any given
8515 LWLockAcquire(CheckpointLock, LW_EXCLUSIVE);
8518 * Prepare to accumulate statistics.
8520 * Note: because it is possible for log_checkpoints to change while a
8521 * checkpoint proceeds, we always accumulate stats, even if
8522 * log_checkpoints is currently off.
8524 MemSet(&CheckpointStats, 0, sizeof(CheckpointStats));
8525 CheckpointStats.ckpt_start_t = GetCurrentTimestamp();
8528 * Use a critical section to force system panic if we have trouble.
8530 START_CRIT_SECTION();
8534 LWLockAcquire(ControlFileLock, LW_EXCLUSIVE);
8535 ControlFile->state = DB_SHUTDOWNING;
8536 ControlFile->time = (pg_time_t) time(NULL);
8537 UpdateControlFile();
8538 LWLockRelease(ControlFileLock);
8542 * Let smgr prepare for checkpoint; this has to happen before we determine
8543 * the REDO pointer. Note that smgr must not do anything that'd have to
8544 * be undone if we decide no checkpoint is needed.
8548 /* Begin filling in the checkpoint WAL record */
8549 MemSet(&checkPoint, 0, sizeof(checkPoint));
8550 checkPoint.time = (pg_time_t) time(NULL);
8553 * For Hot Standby, derive the oldestActiveXid before we fix the redo
8554 * pointer. This allows us to begin accumulating changes to assemble our
8555 * starting snapshot of locks and transactions.
8557 if (!shutdown && XLogStandbyInfoActive())
8558 checkPoint.oldestActiveXid = GetOldestActiveTransactionId();
8560 checkPoint.oldestActiveXid = InvalidTransactionId;
8563 * Get location of last important record before acquiring insert locks (as
8564 * GetLastImportantRecPtr() also locks WAL locks).
8566 last_important_lsn = GetLastImportantRecPtr();
8569 * We must block concurrent insertions while examining insert state to
8570 * determine the checkpoint REDO pointer.
8572 WALInsertLockAcquireExclusive();
8573 curInsert = XLogBytePosToRecPtr(Insert->CurrBytePos);
8576 * If this isn't a shutdown or forced checkpoint, and if there has been no
8577 * WAL activity requiring a checkpoint, skip it. The idea here is to
8578 * avoid inserting duplicate checkpoints when the system is idle.
8580 if ((flags & (CHECKPOINT_IS_SHUTDOWN | CHECKPOINT_END_OF_RECOVERY |
8581 CHECKPOINT_FORCE)) == 0)
8583 if (last_important_lsn == ControlFile->checkPoint)
8585 WALInsertLockRelease();
8586 LWLockRelease(CheckpointLock);
8589 (errmsg("checkpoint skipped due to an idle system")));
8595 * An end-of-recovery checkpoint is created before anyone is allowed to
8596 * write WAL. To allow us to write the checkpoint record, temporarily
8597 * enable XLogInsertAllowed. (This also ensures ThisTimeLineID is
8598 * initialized, which we need here and in AdvanceXLInsertBuffer.)
8600 if (flags & CHECKPOINT_END_OF_RECOVERY)
8601 LocalSetXLogInsertAllowed();
8603 checkPoint.ThisTimeLineID = ThisTimeLineID;
8604 if (flags & CHECKPOINT_END_OF_RECOVERY)
8605 checkPoint.PrevTimeLineID = XLogCtl->PrevTimeLineID;
8607 checkPoint.PrevTimeLineID = ThisTimeLineID;
8609 checkPoint.fullPageWrites = Insert->fullPageWrites;
8612 * Compute new REDO record ptr = location of next XLOG record.
8614 * NB: this is NOT necessarily where the checkpoint record itself will be,
8615 * since other backends may insert more XLOG records while we're off doing
8616 * the buffer flush work. Those XLOG records are logically after the
8617 * checkpoint, even though physically before it. Got that?
8619 freespace = INSERT_FREESPACE(curInsert);
8622 if (curInsert % XLogSegSize == 0)
8623 curInsert += SizeOfXLogLongPHD;
8625 curInsert += SizeOfXLogShortPHD;
8627 checkPoint.redo = curInsert;
8630 * Here we update the shared RedoRecPtr for future XLogInsert calls; this
8631 * must be done while holding all the insertion locks.
8633 * Note: if we fail to complete the checkpoint, RedoRecPtr will be left
8634 * pointing past where it really needs to point. This is okay; the only
8635 * consequence is that XLogInsert might back up whole buffers that it
8636 * didn't really need to. We can't postpone advancing RedoRecPtr because
8637 * XLogInserts that happen while we are dumping buffers must assume that
8638 * their buffer changes are not included in the checkpoint.
8640 RedoRecPtr = XLogCtl->Insert.RedoRecPtr = checkPoint.redo;
8643 * Now we can release the WAL insertion locks, allowing other xacts to
8644 * proceed while we are flushing disk buffers.
8646 WALInsertLockRelease();
8648 /* Update the info_lck-protected copy of RedoRecPtr as well */
8649 SpinLockAcquire(&XLogCtl->info_lck);
8650 XLogCtl->RedoRecPtr = checkPoint.redo;
8651 SpinLockRelease(&XLogCtl->info_lck);
8654 * If enabled, log checkpoint start. We postpone this until now so as not
8655 * to log anything if we decided to skip the checkpoint.
8657 if (log_checkpoints)
8658 LogCheckpointStart(flags, false);
8660 TRACE_POSTGRESQL_CHECKPOINT_START(flags);
8663 * Get the other info we need for the checkpoint record.
8665 LWLockAcquire(XidGenLock, LW_SHARED);
8666 checkPoint.nextXid = ShmemVariableCache->nextXid;
8667 checkPoint.oldestXid = ShmemVariableCache->oldestXid;
8668 checkPoint.oldestXidDB = ShmemVariableCache->oldestXidDB;
8669 LWLockRelease(XidGenLock);
8671 LWLockAcquire(CommitTsLock, LW_SHARED);
8672 checkPoint.oldestCommitTsXid = ShmemVariableCache->oldestCommitTsXid;
8673 checkPoint.newestCommitTsXid = ShmemVariableCache->newestCommitTsXid;
8674 LWLockRelease(CommitTsLock);
8676 /* Increase XID epoch if we've wrapped around since last checkpoint */
8677 checkPoint.nextXidEpoch = ControlFile->checkPointCopy.nextXidEpoch;
8678 if (checkPoint.nextXid < ControlFile->checkPointCopy.nextXid)
8679 checkPoint.nextXidEpoch++;
8681 LWLockAcquire(OidGenLock, LW_SHARED);
8682 checkPoint.nextOid = ShmemVariableCache->nextOid;
8684 checkPoint.nextOid += ShmemVariableCache->oidCount;
8685 LWLockRelease(OidGenLock);
8687 MultiXactGetCheckptMulti(shutdown,
8688 &checkPoint.nextMulti,
8689 &checkPoint.nextMultiOffset,
8690 &checkPoint.oldestMulti,
8691 &checkPoint.oldestMultiDB);
8694 * Having constructed the checkpoint record, ensure all shmem disk buffers
8695 * and commit-log buffers are flushed to disk.
8697 * This I/O could fail for various reasons. If so, we will fail to
8698 * complete the checkpoint, but there is no reason to force a system
8699 * panic. Accordingly, exit critical section while doing it.
8704 * In some cases there are groups of actions that must all occur on one
8705 * side or the other of a checkpoint record. Before flushing the
8706 * checkpoint record we must explicitly wait for any backend currently
8707 * performing those groups of actions.
8709 * One example is end of transaction, so we must wait for any transactions
8710 * that are currently in commit critical sections. If an xact inserted
8711 * its commit record into XLOG just before the REDO point, then a crash
8712 * restart from the REDO point would not replay that record, which means
8713 * that our flushing had better include the xact's update of pg_xact. So
8714 * we wait till he's out of his commit critical section before proceeding.
8715 * See notes in RecordTransactionCommit().
8717 * Because we've already released the insertion locks, this test is a bit
8718 * fuzzy: it is possible that we will wait for xacts we didn't really need
8719 * to wait for. But the delay should be short and it seems better to make
8720 * checkpoint take a bit longer than to hold off insertions longer than
8721 * necessary. (In fact, the whole reason we have this issue is that xact.c
8722 * does commit record XLOG insertion and clog update as two separate steps
8723 * protected by different locks, but again that seems best on grounds of
8724 * minimizing lock contention.)
8726 * A transaction that has not yet set delayChkpt when we look cannot be at
8727 * risk, since he's not inserted his commit record yet; and one that's
8728 * already cleared it is not at risk either, since he's done fixing clog
8729 * and we will correctly flush the update below. So we cannot miss any
8730 * xacts we need to wait for.
8732 vxids = GetVirtualXIDsDelayingChkpt(&nvxids);
8737 pg_usleep(10000L); /* wait for 10 msec */
8738 } while (HaveVirtualXIDsDelayingChkpt(vxids, nvxids));
8742 CheckPointGuts(checkPoint.redo, flags);
8745 * Take a snapshot of running transactions and write this to WAL. This
8746 * allows us to reconstruct the state of running transactions during
8747 * archive recovery, if required. Skip, if this info disabled.
8749 * If we are shutting down, or Startup process is completing crash
8750 * recovery we don't need to write running xact data.
8752 if (!shutdown && XLogStandbyInfoActive())
8753 LogStandbySnapshot();
8755 START_CRIT_SECTION();
8758 * Now insert the checkpoint record into XLOG.
8761 XLogRegisterData((char *) (&checkPoint), sizeof(checkPoint));
8762 recptr = XLogInsert(RM_XLOG_ID,
8763 shutdown ? XLOG_CHECKPOINT_SHUTDOWN :
8764 XLOG_CHECKPOINT_ONLINE);
8769 * We mustn't write any new WAL after a shutdown checkpoint, or it will be
8770 * overwritten at next startup. No-one should even try, this just allows
8771 * sanity-checking. In the case of an end-of-recovery checkpoint, we want
8772 * to just temporarily disable writing until the system has exited
8777 if (flags & CHECKPOINT_END_OF_RECOVERY)
8778 LocalXLogInsertAllowed = -1; /* return to "check" state */
8780 LocalXLogInsertAllowed = 0; /* never again write WAL */
8784 * We now have ProcLastRecPtr = start of actual checkpoint record, recptr
8785 * = end of actual checkpoint record.
8787 if (shutdown && checkPoint.redo != ProcLastRecPtr)
8789 (errmsg("concurrent transaction log activity while database system is shutting down")));
8792 * Remember the prior checkpoint's redo pointer, used later to determine
8793 * the point where the log can be truncated.
8795 PriorRedoPtr = ControlFile->checkPointCopy.redo;
8798 * Update the control file.
8800 LWLockAcquire(ControlFileLock, LW_EXCLUSIVE);
8802 ControlFile->state = DB_SHUTDOWNED;
8803 ControlFile->prevCheckPoint = ControlFile->checkPoint;
8804 ControlFile->checkPoint = ProcLastRecPtr;
8805 ControlFile->checkPointCopy = checkPoint;
8806 ControlFile->time = (pg_time_t) time(NULL);
8807 /* crash recovery should always recover to the end of WAL */
8808 ControlFile->minRecoveryPoint = InvalidXLogRecPtr;
8809 ControlFile->minRecoveryPointTLI = 0;
8812 * Persist unloggedLSN value. It's reset on crash recovery, so this goes
8813 * unused on non-shutdown checkpoints, but seems useful to store it always
8814 * for debugging purposes.
8816 SpinLockAcquire(&XLogCtl->ulsn_lck);
8817 ControlFile->unloggedLSN = XLogCtl->unloggedLSN;
8818 SpinLockRelease(&XLogCtl->ulsn_lck);
8820 UpdateControlFile();
8821 LWLockRelease(ControlFileLock);
8823 /* Update shared-memory copy of checkpoint XID/epoch */
8824 SpinLockAcquire(&XLogCtl->info_lck);
8825 XLogCtl->ckptXidEpoch = checkPoint.nextXidEpoch;
8826 XLogCtl->ckptXid = checkPoint.nextXid;
8827 SpinLockRelease(&XLogCtl->info_lck);
8830 * We are now done with critical updates; no need for system panic if we
8831 * have trouble while fooling with old log segments.
8836 * Let smgr do post-checkpoint cleanup (eg, deleting old files).
8841 * Delete old log files (those no longer needed even for previous
8842 * checkpoint or the standbys in XLOG streaming).
8844 if (PriorRedoPtr != InvalidXLogRecPtr)
8846 XLogSegNo _logSegNo;
8848 /* Update the average distance between checkpoints. */
8849 UpdateCheckPointDistanceEstimate(RedoRecPtr - PriorRedoPtr);
8851 XLByteToSeg(PriorRedoPtr, _logSegNo);
8852 KeepLogSeg(recptr, &_logSegNo);
8854 RemoveOldXlogFiles(_logSegNo, PriorRedoPtr, recptr);
8858 * Make more log segments if needed. (Do this after recycling old log
8859 * segments, since that may supply some of the needed files.)
8862 PreallocXlogFiles(recptr);
8865 * Truncate pg_subtrans if possible. We can throw away all data before
8866 * the oldest XMIN of any running transaction. No future transaction will
8867 * attempt to reference any pg_subtrans entry older than that (see Asserts
8868 * in subtrans.c). During recovery, though, we mustn't do this because
8869 * StartupSUBTRANS hasn't been called yet.
8871 if (!RecoveryInProgress())
8872 TruncateSUBTRANS(GetOldestXmin(NULL, false));
8874 /* Real work is done, but log and update stats before releasing lock. */
8875 LogCheckpointEnd(false);
8877 TRACE_POSTGRESQL_CHECKPOINT_DONE(CheckpointStats.ckpt_bufs_written,
8879 CheckpointStats.ckpt_segs_added,
8880 CheckpointStats.ckpt_segs_removed,
8881 CheckpointStats.ckpt_segs_recycled);
8883 LWLockRelease(CheckpointLock);
8887 * Mark the end of recovery in WAL though without running a full checkpoint.
8888 * We can expect that a restartpoint is likely to be in progress as we
8889 * do this, though we are unwilling to wait for it to complete. So be
8890 * careful to avoid taking the CheckpointLock anywhere here.
8892 * CreateRestartPoint() allows for the case where recovery may end before
8893 * the restartpoint completes so there is no concern of concurrent behaviour.
8896 CreateEndOfRecoveryRecord(void)
8898 xl_end_of_recovery xlrec;
8902 if (!RecoveryInProgress())
8903 elog(ERROR, "can only be used to end recovery");
8905 xlrec.end_time = GetCurrentTimestamp();
8907 WALInsertLockAcquireExclusive();
8908 xlrec.ThisTimeLineID = ThisTimeLineID;
8909 xlrec.PrevTimeLineID = XLogCtl->PrevTimeLineID;
8910 WALInsertLockRelease();
8912 LocalSetXLogInsertAllowed();
8914 START_CRIT_SECTION();
8917 XLogRegisterData((char *) &xlrec, sizeof(xl_end_of_recovery));
8918 recptr = XLogInsert(RM_XLOG_ID, XLOG_END_OF_RECOVERY);
8923 * Update the control file so that crash recovery can follow the timeline
8924 * changes to this point.
8926 LWLockAcquire(ControlFileLock, LW_EXCLUSIVE);
8927 ControlFile->time = (pg_time_t) time(NULL);
8928 ControlFile->minRecoveryPoint = recptr;
8929 ControlFile->minRecoveryPointTLI = ThisTimeLineID;
8930 UpdateControlFile();
8931 LWLockRelease(ControlFileLock);
8935 LocalXLogInsertAllowed = -1; /* return to "check" state */
8939 * Flush all data in shared memory to disk, and fsync
8941 * This is the common code shared between regular checkpoints and
8942 * recovery restartpoints.
8945 CheckPointGuts(XLogRecPtr checkPointRedo, int flags)
8948 CheckPointCommitTs();
8949 CheckPointSUBTRANS();
8950 CheckPointMultiXact();
8951 CheckPointPredicate();
8952 CheckPointRelationMap();
8953 CheckPointReplicationSlots();
8954 CheckPointSnapBuild();
8955 CheckPointLogicalRewriteHeap();
8956 CheckPointBuffers(flags); /* performs all required fsyncs */
8957 CheckPointReplicationOrigin();
8958 /* We deliberately delay 2PC checkpointing as long as possible */
8959 CheckPointTwoPhase(checkPointRedo);
8963 * Save a checkpoint for recovery restart if appropriate
8965 * This function is called each time a checkpoint record is read from XLOG.
8966 * It must determine whether the checkpoint represents a safe restartpoint or
8967 * not. If so, the checkpoint record is stashed in shared memory so that
8968 * CreateRestartPoint can consult it. (Note that the latter function is
8969 * executed by the checkpointer, while this one will be executed by the
8973 RecoveryRestartPoint(const CheckPoint *checkPoint)
8976 * Also refrain from creating a restartpoint if we have seen any
8977 * references to non-existent pages. Restarting recovery from the
8978 * restartpoint would not see the references, so we would lose the
8979 * cross-check that the pages belonged to a relation that was dropped
8982 if (XLogHaveInvalidPages())
8984 elog(trace_recovery(DEBUG2),
8985 "could not record restart point at %X/%X because there "
8986 "are unresolved references to invalid pages",
8987 (uint32) (checkPoint->redo >> 32),
8988 (uint32) checkPoint->redo);
8993 * Copy the checkpoint record to shared memory, so that checkpointer can
8994 * work out the next time it wants to perform a restartpoint.
8996 SpinLockAcquire(&XLogCtl->info_lck);
8997 XLogCtl->lastCheckPointRecPtr = ReadRecPtr;
8998 XLogCtl->lastCheckPointEndPtr = EndRecPtr;
8999 XLogCtl->lastCheckPoint = *checkPoint;
9000 SpinLockRelease(&XLogCtl->info_lck);
9004 * Establish a restartpoint if possible.
9006 * This is similar to CreateCheckPoint, but is used during WAL recovery
9007 * to establish a point from which recovery can roll forward without
9008 * replaying the entire recovery log.
9010 * Returns true if a new restartpoint was established. We can only establish
9011 * a restartpoint if we have replayed a safe checkpoint record since last
9015 CreateRestartPoint(int flags)
9017 XLogRecPtr lastCheckPointRecPtr;
9018 XLogRecPtr lastCheckPointEndPtr;
9019 CheckPoint lastCheckPoint;
9020 XLogRecPtr PriorRedoPtr;
9024 * Acquire CheckpointLock to ensure only one restartpoint or checkpoint
9025 * happens at a time.
9027 LWLockAcquire(CheckpointLock, LW_EXCLUSIVE);
9029 /* Get a local copy of the last safe checkpoint record. */
9030 SpinLockAcquire(&XLogCtl->info_lck);
9031 lastCheckPointRecPtr = XLogCtl->lastCheckPointRecPtr;
9032 lastCheckPointEndPtr = XLogCtl->lastCheckPointEndPtr;
9033 lastCheckPoint = XLogCtl->lastCheckPoint;
9034 SpinLockRelease(&XLogCtl->info_lck);
9037 * Check that we're still in recovery mode. It's ok if we exit recovery
9038 * mode after this check, the restart point is valid anyway.
9040 if (!RecoveryInProgress())
9043 (errmsg("skipping restartpoint, recovery has already ended")));
9044 LWLockRelease(CheckpointLock);
9049 * If the last checkpoint record we've replayed is already our last
9050 * restartpoint, we can't perform a new restart point. We still update
9051 * minRecoveryPoint in that case, so that if this is a shutdown restart
9052 * point, we won't start up earlier than before. That's not strictly
9053 * necessary, but when hot standby is enabled, it would be rather weird if
9054 * the database opened up for read-only connections at a point-in-time
9055 * before the last shutdown. Such time travel is still possible in case of
9056 * immediate shutdown, though.
9058 * We don't explicitly advance minRecoveryPoint when we do create a
9059 * restartpoint. It's assumed that flushing the buffers will do that as a
9062 if (XLogRecPtrIsInvalid(lastCheckPointRecPtr) ||
9063 lastCheckPoint.redo <= ControlFile->checkPointCopy.redo)
9066 (errmsg("skipping restartpoint, already performed at %X/%X",
9067 (uint32) (lastCheckPoint.redo >> 32),
9068 (uint32) lastCheckPoint.redo)));
9070 UpdateMinRecoveryPoint(InvalidXLogRecPtr, true);
9071 if (flags & CHECKPOINT_IS_SHUTDOWN)
9073 LWLockAcquire(ControlFileLock, LW_EXCLUSIVE);
9074 ControlFile->state = DB_SHUTDOWNED_IN_RECOVERY;
9075 ControlFile->time = (pg_time_t) time(NULL);
9076 UpdateControlFile();
9077 LWLockRelease(ControlFileLock);
9079 LWLockRelease(CheckpointLock);
9084 * Update the shared RedoRecPtr so that the startup process can calculate
9085 * the number of segments replayed since last restartpoint, and request a
9086 * restartpoint if it exceeds CheckPointSegments.
9088 * Like in CreateCheckPoint(), hold off insertions to update it, although
9089 * during recovery this is just pro forma, because no WAL insertions are
9092 WALInsertLockAcquireExclusive();
9093 RedoRecPtr = XLogCtl->Insert.RedoRecPtr = lastCheckPoint.redo;
9094 WALInsertLockRelease();
9096 /* Also update the info_lck-protected copy */
9097 SpinLockAcquire(&XLogCtl->info_lck);
9098 XLogCtl->RedoRecPtr = lastCheckPoint.redo;
9099 SpinLockRelease(&XLogCtl->info_lck);
9102 * Prepare to accumulate statistics.
9104 * Note: because it is possible for log_checkpoints to change while a
9105 * checkpoint proceeds, we always accumulate stats, even if
9106 * log_checkpoints is currently off.
9108 MemSet(&CheckpointStats, 0, sizeof(CheckpointStats));
9109 CheckpointStats.ckpt_start_t = GetCurrentTimestamp();
9111 if (log_checkpoints)
9112 LogCheckpointStart(flags, true);
9114 CheckPointGuts(lastCheckPoint.redo, flags);
9117 * Remember the prior checkpoint's redo pointer, used later to determine
9118 * the point at which we can truncate the log.
9120 PriorRedoPtr = ControlFile->checkPointCopy.redo;
9123 * Update pg_control, using current time. Check that it still shows
9124 * IN_ARCHIVE_RECOVERY state and an older checkpoint, else do nothing;
9125 * this is a quick hack to make sure nothing really bad happens if somehow
9126 * we get here after the end-of-recovery checkpoint.
9128 LWLockAcquire(ControlFileLock, LW_EXCLUSIVE);
9129 if (ControlFile->state == DB_IN_ARCHIVE_RECOVERY &&
9130 ControlFile->checkPointCopy.redo < lastCheckPoint.redo)
9132 ControlFile->prevCheckPoint = ControlFile->checkPoint;
9133 ControlFile->checkPoint = lastCheckPointRecPtr;
9134 ControlFile->checkPointCopy = lastCheckPoint;
9135 ControlFile->time = (pg_time_t) time(NULL);
9138 * Ensure minRecoveryPoint is past the checkpoint record. Normally,
9139 * this will have happened already while writing out dirty buffers,
9140 * but not necessarily - e.g. because no buffers were dirtied. We do
9141 * this because a non-exclusive base backup uses minRecoveryPoint to
9142 * determine which WAL files must be included in the backup, and the
9143 * file (or files) containing the checkpoint record must be included,
9144 * at a minimum. Note that for an ordinary restart of recovery there's
9145 * no value in having the minimum recovery point any earlier than this
9146 * anyway, because redo will begin just after the checkpoint record.
9148 if (ControlFile->minRecoveryPoint < lastCheckPointEndPtr)
9150 ControlFile->minRecoveryPoint = lastCheckPointEndPtr;
9151 ControlFile->minRecoveryPointTLI = lastCheckPoint.ThisTimeLineID;
9153 /* update local copy */
9154 minRecoveryPoint = ControlFile->minRecoveryPoint;
9155 minRecoveryPointTLI = ControlFile->minRecoveryPointTLI;
9157 if (flags & CHECKPOINT_IS_SHUTDOWN)
9158 ControlFile->state = DB_SHUTDOWNED_IN_RECOVERY;
9159 UpdateControlFile();
9161 LWLockRelease(ControlFileLock);
9164 * Delete old log files (those no longer needed even for previous
9165 * checkpoint/restartpoint) to prevent the disk holding the xlog from
9168 if (PriorRedoPtr != InvalidXLogRecPtr)
9170 XLogRecPtr receivePtr;
9171 XLogRecPtr replayPtr;
9172 TimeLineID replayTLI;
9174 XLogSegNo _logSegNo;
9176 /* Update the average distance between checkpoints/restartpoints. */
9177 UpdateCheckPointDistanceEstimate(RedoRecPtr - PriorRedoPtr);
9179 XLByteToSeg(PriorRedoPtr, _logSegNo);
9182 * Get the current end of xlog replayed or received, whichever is
9185 receivePtr = GetWalRcvWriteRecPtr(NULL, NULL);
9186 replayPtr = GetXLogReplayRecPtr(&replayTLI);
9187 endptr = (receivePtr < replayPtr) ? replayPtr : receivePtr;
9189 KeepLogSeg(endptr, &_logSegNo);
9193 * Try to recycle segments on a useful timeline. If we've been
9194 * promoted since the beginning of this restartpoint, use the new
9195 * timeline chosen at end of recovery (RecoveryInProgress() sets
9196 * ThisTimeLineID in that case). If we're still in recovery, use the
9197 * timeline we're currently replaying.
9199 * There is no guarantee that the WAL segments will be useful on the
9200 * current timeline; if recovery proceeds to a new timeline right
9201 * after this, the pre-allocated WAL segments on this timeline will
9202 * not be used, and will go wasted until recycled on the next
9203 * restartpoint. We'll live with that.
9205 if (RecoveryInProgress())
9206 ThisTimeLineID = replayTLI;
9208 RemoveOldXlogFiles(_logSegNo, PriorRedoPtr, endptr);
9211 * Make more log segments if needed. (Do this after recycling old log
9212 * segments, since that may supply some of the needed files.)
9214 PreallocXlogFiles(endptr);
9217 * ThisTimeLineID is normally not set when we're still in recovery.
9218 * However, recycling/preallocating segments above needed
9219 * ThisTimeLineID to determine which timeline to install the segments
9220 * on. Reset it now, to restore the normal state of affairs for
9221 * debugging purposes.
9223 if (RecoveryInProgress())
9228 * Truncate pg_subtrans if possible. We can throw away all data before
9229 * the oldest XMIN of any running transaction. No future transaction will
9230 * attempt to reference any pg_subtrans entry older than that (see Asserts
9231 * in subtrans.c). When hot standby is disabled, though, we mustn't do
9232 * this because StartupSUBTRANS hasn't been called yet.
9234 if (EnableHotStandby)
9235 TruncateSUBTRANS(GetOldestXmin(NULL, false));
9237 /* Real work is done, but log and update before releasing lock. */
9238 LogCheckpointEnd(true);
9240 xtime = GetLatestXTime();
9241 ereport((log_checkpoints ? LOG : DEBUG2),
9242 (errmsg("recovery restart point at %X/%X",
9243 (uint32) (lastCheckPoint.redo >> 32), (uint32) lastCheckPoint.redo),
9244 xtime ? errdetail("last completed transaction was at log time %s",
9245 timestamptz_to_str(xtime)) : 0));
9247 LWLockRelease(CheckpointLock);
9250 * Finally, execute archive_cleanup_command, if any.
9252 if (XLogCtl->archiveCleanupCommand[0])
9253 ExecuteRecoveryCommand(XLogCtl->archiveCleanupCommand,
9254 "archive_cleanup_command",
9261 * Retreat *logSegNo to the last segment that we need to retain because of
9262 * either wal_keep_segments or replication slots.
9264 * This is calculated by subtracting wal_keep_segments from the given xlog
9265 * location, recptr and by making sure that that result is below the
9266 * requirement of replication slots.
9269 KeepLogSeg(XLogRecPtr recptr, XLogSegNo *logSegNo)
9274 XLByteToSeg(recptr, segno);
9275 keep = XLogGetReplicationSlotMinimumLSN();
9277 /* compute limit for wal_keep_segments first */
9278 if (wal_keep_segments > 0)
9280 /* avoid underflow, don't go below 1 */
9281 if (segno <= wal_keep_segments)
9284 segno = segno - wal_keep_segments;
9287 /* then check whether slots limit removal further */
9288 if (max_replication_slots > 0 && keep != InvalidXLogRecPtr)
9290 XLogSegNo slotSegNo;
9292 XLByteToSeg(keep, slotSegNo);
9296 else if (slotSegNo < segno)
9300 /* don't delete WAL segments newer than the calculated segment */
9301 if (segno < *logSegNo)
9306 * Write a NEXTOID log record
9309 XLogPutNextOid(Oid nextOid)
9312 XLogRegisterData((char *) (&nextOid), sizeof(Oid));
9313 (void) XLogInsert(RM_XLOG_ID, XLOG_NEXTOID);
9316 * We need not flush the NEXTOID record immediately, because any of the
9317 * just-allocated OIDs could only reach disk as part of a tuple insert or
9318 * update that would have its own XLOG record that must follow the NEXTOID
9319 * record. Therefore, the standard buffer LSN interlock applied to those
9320 * records will ensure no such OID reaches disk before the NEXTOID record
9323 * Note, however, that the above statement only covers state "within" the
9324 * database. When we use a generated OID as a file or directory name, we
9325 * are in a sense violating the basic WAL rule, because that filesystem
9326 * change may reach disk before the NEXTOID WAL record does. The impact
9327 * of this is that if a database crash occurs immediately afterward, we
9328 * might after restart re-generate the same OID and find that it conflicts
9329 * with the leftover file or directory. But since for safety's sake we
9330 * always loop until finding a nonconflicting filename, this poses no real
9331 * problem in practice. See pgsql-hackers discussion 27-Sep-2006.
9336 * Write an XLOG SWITCH record.
9338 * Here we just blindly issue an XLogInsert request for the record.
9339 * All the magic happens inside XLogInsert.
9341 * The return value is either the end+1 address of the switch record,
9342 * or the end+1 address of the prior segment if we did not need to
9343 * write a switch record because we are already at segment start.
9346 RequestXLogSwitch(bool mark_unimportant)
9350 /* XLOG SWITCH has no data */
9353 if (mark_unimportant)
9354 XLogSetRecordFlags(XLOG_MARK_UNIMPORTANT);
9355 RecPtr = XLogInsert(RM_XLOG_ID, XLOG_SWITCH);
9361 * Write a RESTORE POINT record
9364 XLogRestorePoint(const char *rpName)
9367 xl_restore_point xlrec;
9369 xlrec.rp_time = GetCurrentTimestamp();
9370 strlcpy(xlrec.rp_name, rpName, MAXFNAMELEN);
9373 XLogRegisterData((char *) &xlrec, sizeof(xl_restore_point));
9375 RecPtr = XLogInsert(RM_XLOG_ID, XLOG_RESTORE_POINT);
9378 (errmsg("restore point \"%s\" created at %X/%X",
9379 rpName, (uint32) (RecPtr >> 32), (uint32) RecPtr)));
9385 * Check if any of the GUC parameters that are critical for hot standby
9386 * have changed, and update the value in pg_control file if necessary.
9389 XLogReportParameters(void)
9391 if (wal_level != ControlFile->wal_level ||
9392 wal_log_hints != ControlFile->wal_log_hints ||
9393 MaxConnections != ControlFile->MaxConnections ||
9394 max_worker_processes != ControlFile->max_worker_processes ||
9395 max_prepared_xacts != ControlFile->max_prepared_xacts ||
9396 max_locks_per_xact != ControlFile->max_locks_per_xact ||
9397 track_commit_timestamp != ControlFile->track_commit_timestamp)
9400 * The change in number of backend slots doesn't need to be WAL-logged
9401 * if archiving is not enabled, as you can't start archive recovery
9402 * with wal_level=minimal anyway. We don't really care about the
9403 * values in pg_control either if wal_level=minimal, but seems better
9404 * to keep them up-to-date to avoid confusion.
9406 if (wal_level != ControlFile->wal_level || XLogIsNeeded())
9408 xl_parameter_change xlrec;
9411 xlrec.MaxConnections = MaxConnections;
9412 xlrec.max_worker_processes = max_worker_processes;
9413 xlrec.max_prepared_xacts = max_prepared_xacts;
9414 xlrec.max_locks_per_xact = max_locks_per_xact;
9415 xlrec.wal_level = wal_level;
9416 xlrec.wal_log_hints = wal_log_hints;
9417 xlrec.track_commit_timestamp = track_commit_timestamp;
9420 XLogRegisterData((char *) &xlrec, sizeof(xlrec));
9422 recptr = XLogInsert(RM_XLOG_ID, XLOG_PARAMETER_CHANGE);
9426 ControlFile->MaxConnections = MaxConnections;
9427 ControlFile->max_worker_processes = max_worker_processes;
9428 ControlFile->max_prepared_xacts = max_prepared_xacts;
9429 ControlFile->max_locks_per_xact = max_locks_per_xact;
9430 ControlFile->wal_level = wal_level;
9431 ControlFile->wal_log_hints = wal_log_hints;
9432 ControlFile->track_commit_timestamp = track_commit_timestamp;
9433 UpdateControlFile();
9438 * Update full_page_writes in shared memory, and write an
9439 * XLOG_FPW_CHANGE record if necessary.
9441 * Note: this function assumes there is no other process running
9442 * concurrently that could update it.
9445 UpdateFullPageWrites(void)
9447 XLogCtlInsert *Insert = &XLogCtl->Insert;
9450 * Do nothing if full_page_writes has not been changed.
9452 * It's safe to check the shared full_page_writes without the lock,
9453 * because we assume that there is no concurrently running process which
9456 if (fullPageWrites == Insert->fullPageWrites)
9459 START_CRIT_SECTION();
9462 * It's always safe to take full page images, even when not strictly
9463 * required, but not the other round. So if we're setting full_page_writes
9464 * to true, first set it true and then write the WAL record. If we're
9465 * setting it to false, first write the WAL record and then set the global
9470 WALInsertLockAcquireExclusive();
9471 Insert->fullPageWrites = true;
9472 WALInsertLockRelease();
9476 * Write an XLOG_FPW_CHANGE record. This allows us to keep track of
9477 * full_page_writes during archive recovery, if required.
9479 if (XLogStandbyInfoActive() && !RecoveryInProgress())
9482 XLogRegisterData((char *) (&fullPageWrites), sizeof(bool));
9484 XLogInsert(RM_XLOG_ID, XLOG_FPW_CHANGE);
9487 if (!fullPageWrites)
9489 WALInsertLockAcquireExclusive();
9490 Insert->fullPageWrites = false;
9491 WALInsertLockRelease();
9497 * Check that it's OK to switch to new timeline during recovery.
9499 * 'lsn' is the address of the shutdown checkpoint record we're about to
9500 * replay. (Currently, timeline can only change at a shutdown checkpoint).
9503 checkTimeLineSwitch(XLogRecPtr lsn, TimeLineID newTLI, TimeLineID prevTLI)
9505 /* Check that the record agrees on what the current (old) timeline is */
9506 if (prevTLI != ThisTimeLineID)
9508 (errmsg("unexpected previous timeline ID %u (current timeline ID %u) in checkpoint record",
9509 prevTLI, ThisTimeLineID)));
9512 * The new timeline better be in the list of timelines we expect to see,
9513 * according to the timeline history. It should also not decrease.
9515 if (newTLI < ThisTimeLineID || !tliInHistory(newTLI, expectedTLEs))
9517 (errmsg("unexpected timeline ID %u (after %u) in checkpoint record",
9518 newTLI, ThisTimeLineID)));
9521 * If we have not yet reached min recovery point, and we're about to
9522 * switch to a timeline greater than the timeline of the min recovery
9523 * point: trouble. After switching to the new timeline, we could not
9524 * possibly visit the min recovery point on the correct timeline anymore.
9525 * This can happen if there is a newer timeline in the archive that
9526 * branched before the timeline the min recovery point is on, and you
9527 * attempt to do PITR to the new timeline.
9529 if (!XLogRecPtrIsInvalid(minRecoveryPoint) &&
9530 lsn < minRecoveryPoint &&
9531 newTLI > minRecoveryPointTLI)
9533 (errmsg("unexpected timeline ID %u in checkpoint record, before reaching minimum recovery point %X/%X on timeline %u",
9535 (uint32) (minRecoveryPoint >> 32),
9536 (uint32) minRecoveryPoint,
9537 minRecoveryPointTLI)));
9543 * XLOG resource manager's routines
9545 * Definitions of info values are in include/catalog/pg_control.h, though
9546 * not all record types are related to control file updates.
9549 xlog_redo(XLogReaderState *record)
9551 uint8 info = XLogRecGetInfo(record) & ~XLR_INFO_MASK;
9552 XLogRecPtr lsn = record->EndRecPtr;
9554 /* in XLOG rmgr, backup blocks are only used by XLOG_FPI records */
9555 Assert(info == XLOG_FPI || info == XLOG_FPI_FOR_HINT ||
9556 !XLogRecHasAnyBlockRefs(record));
9558 if (info == XLOG_NEXTOID)
9563 * We used to try to take the maximum of ShmemVariableCache->nextOid
9564 * and the recorded nextOid, but that fails if the OID counter wraps
9565 * around. Since no OID allocation should be happening during replay
9566 * anyway, better to just believe the record exactly. We still take
9567 * OidGenLock while setting the variable, just in case.
9569 memcpy(&nextOid, XLogRecGetData(record), sizeof(Oid));
9570 LWLockAcquire(OidGenLock, LW_EXCLUSIVE);
9571 ShmemVariableCache->nextOid = nextOid;
9572 ShmemVariableCache->oidCount = 0;
9573 LWLockRelease(OidGenLock);
9575 else if (info == XLOG_CHECKPOINT_SHUTDOWN)
9577 CheckPoint checkPoint;
9579 memcpy(&checkPoint, XLogRecGetData(record), sizeof(CheckPoint));
9580 /* In a SHUTDOWN checkpoint, believe the counters exactly */
9581 LWLockAcquire(XidGenLock, LW_EXCLUSIVE);
9582 ShmemVariableCache->nextXid = checkPoint.nextXid;
9583 LWLockRelease(XidGenLock);
9584 LWLockAcquire(OidGenLock, LW_EXCLUSIVE);
9585 ShmemVariableCache->nextOid = checkPoint.nextOid;
9586 ShmemVariableCache->oidCount = 0;
9587 LWLockRelease(OidGenLock);
9588 MultiXactSetNextMXact(checkPoint.nextMulti,
9589 checkPoint.nextMultiOffset);
9591 MultiXactAdvanceOldest(checkPoint.oldestMulti,
9592 checkPoint.oldestMultiDB);
9593 SetTransactionIdLimit(checkPoint.oldestXid, checkPoint.oldestXidDB);
9596 * If we see a shutdown checkpoint while waiting for an end-of-backup
9597 * record, the backup was canceled and the end-of-backup record will
9600 if (ArchiveRecoveryRequested &&
9601 !XLogRecPtrIsInvalid(ControlFile->backupStartPoint) &&
9602 XLogRecPtrIsInvalid(ControlFile->backupEndPoint))
9604 (errmsg("online backup was canceled, recovery cannot continue")));
9607 * If we see a shutdown checkpoint, we know that nothing was running
9608 * on the master at this point. So fake-up an empty running-xacts
9609 * record and use that here and now. Recover additional standby state
9610 * for prepared transactions.
9612 if (standbyState >= STANDBY_INITIALIZED)
9614 TransactionId *xids;
9616 TransactionId oldestActiveXID;
9617 TransactionId latestCompletedXid;
9618 RunningTransactionsData running;
9620 oldestActiveXID = PrescanPreparedTransactions(&xids, &nxids);
9623 * Construct a RunningTransactions snapshot representing a shut
9624 * down server, with only prepared transactions still alive. We're
9625 * never overflowed at this point because all subxids are listed
9626 * with their parent prepared transactions.
9628 running.xcnt = nxids;
9629 running.subxcnt = 0;
9630 running.subxid_overflow = false;
9631 running.nextXid = checkPoint.nextXid;
9632 running.oldestRunningXid = oldestActiveXID;
9633 latestCompletedXid = checkPoint.nextXid;
9634 TransactionIdRetreat(latestCompletedXid);
9635 Assert(TransactionIdIsNormal(latestCompletedXid));
9636 running.latestCompletedXid = latestCompletedXid;
9637 running.xids = xids;
9639 ProcArrayApplyRecoveryInfo(&running);
9641 StandbyRecoverPreparedTransactions(true);
9644 /* ControlFile->checkPointCopy always tracks the latest ckpt XID */
9645 ControlFile->checkPointCopy.nextXidEpoch = checkPoint.nextXidEpoch;
9646 ControlFile->checkPointCopy.nextXid = checkPoint.nextXid;
9648 /* Update shared-memory copy of checkpoint XID/epoch */
9649 SpinLockAcquire(&XLogCtl->info_lck);
9650 XLogCtl->ckptXidEpoch = checkPoint.nextXidEpoch;
9651 XLogCtl->ckptXid = checkPoint.nextXid;
9652 SpinLockRelease(&XLogCtl->info_lck);
9655 * We should've already switched to the new TLI before replaying this
9658 if (checkPoint.ThisTimeLineID != ThisTimeLineID)
9660 (errmsg("unexpected timeline ID %u (should be %u) in checkpoint record",
9661 checkPoint.ThisTimeLineID, ThisTimeLineID)));
9663 RecoveryRestartPoint(&checkPoint);
9665 else if (info == XLOG_CHECKPOINT_ONLINE)
9667 CheckPoint checkPoint;
9669 memcpy(&checkPoint, XLogRecGetData(record), sizeof(CheckPoint));
9670 /* In an ONLINE checkpoint, treat the XID counter as a minimum */
9671 LWLockAcquire(XidGenLock, LW_EXCLUSIVE);
9672 if (TransactionIdPrecedes(ShmemVariableCache->nextXid,
9673 checkPoint.nextXid))
9674 ShmemVariableCache->nextXid = checkPoint.nextXid;
9675 LWLockRelease(XidGenLock);
9676 /* ... but still treat OID counter as exact */
9677 LWLockAcquire(OidGenLock, LW_EXCLUSIVE);
9678 ShmemVariableCache->nextOid = checkPoint.nextOid;
9679 ShmemVariableCache->oidCount = 0;
9680 LWLockRelease(OidGenLock);
9681 MultiXactAdvanceNextMXact(checkPoint.nextMulti,
9682 checkPoint.nextMultiOffset);
9685 * NB: This may perform multixact truncation when replaying WAL
9686 * generated by an older primary.
9688 MultiXactAdvanceOldest(checkPoint.oldestMulti,
9689 checkPoint.oldestMultiDB);
9690 if (TransactionIdPrecedes(ShmemVariableCache->oldestXid,
9691 checkPoint.oldestXid))
9692 SetTransactionIdLimit(checkPoint.oldestXid,
9693 checkPoint.oldestXidDB);
9694 /* ControlFile->checkPointCopy always tracks the latest ckpt XID */
9695 ControlFile->checkPointCopy.nextXidEpoch = checkPoint.nextXidEpoch;
9696 ControlFile->checkPointCopy.nextXid = checkPoint.nextXid;
9698 /* Update shared-memory copy of checkpoint XID/epoch */
9699 SpinLockAcquire(&XLogCtl->info_lck);
9700 XLogCtl->ckptXidEpoch = checkPoint.nextXidEpoch;
9701 XLogCtl->ckptXid = checkPoint.nextXid;
9702 SpinLockRelease(&XLogCtl->info_lck);
9704 /* TLI should not change in an on-line checkpoint */
9705 if (checkPoint.ThisTimeLineID != ThisTimeLineID)
9707 (errmsg("unexpected timeline ID %u (should be %u) in checkpoint record",
9708 checkPoint.ThisTimeLineID, ThisTimeLineID)));
9710 RecoveryRestartPoint(&checkPoint);
9712 else if (info == XLOG_END_OF_RECOVERY)
9714 xl_end_of_recovery xlrec;
9716 memcpy(&xlrec, XLogRecGetData(record), sizeof(xl_end_of_recovery));
9719 * For Hot Standby, we could treat this like a Shutdown Checkpoint,
9720 * but this case is rarer and harder to test, so the benefit doesn't
9721 * outweigh the potential extra cost of maintenance.
9725 * We should've already switched to the new TLI before replaying this
9728 if (xlrec.ThisTimeLineID != ThisTimeLineID)
9730 (errmsg("unexpected timeline ID %u (should be %u) in checkpoint record",
9731 xlrec.ThisTimeLineID, ThisTimeLineID)));
9733 else if (info == XLOG_NOOP)
9735 /* nothing to do here */
9737 else if (info == XLOG_SWITCH)
9739 /* nothing to do here */
9741 else if (info == XLOG_RESTORE_POINT)
9743 /* nothing to do here */
9745 else if (info == XLOG_FPI || info == XLOG_FPI_FOR_HINT)
9750 * Full-page image (FPI) records contain nothing else but a backup
9751 * block. The block reference must include a full-page image -
9752 * otherwise there would be no point in this record.
9754 * No recovery conflicts are generated by these generic records - if a
9755 * resource manager needs to generate conflicts, it has to define a
9756 * separate WAL record type and redo routine.
9758 * XLOG_FPI_FOR_HINT records are generated when a page needs to be
9759 * WAL- logged because of a hint bit update. They are only generated
9760 * when checksums are enabled. There is no difference in handling
9761 * XLOG_FPI and XLOG_FPI_FOR_HINT records, they use a different info
9762 * code just to distinguish them for statistics purposes.
9764 if (XLogReadBufferForRedo(record, 0, &buffer) != BLK_RESTORED)
9765 elog(ERROR, "unexpected XLogReadBufferForRedo result when restoring backup block");
9766 UnlockReleaseBuffer(buffer);
9768 else if (info == XLOG_BACKUP_END)
9770 XLogRecPtr startpoint;
9772 memcpy(&startpoint, XLogRecGetData(record), sizeof(startpoint));
9774 if (ControlFile->backupStartPoint == startpoint)
9777 * We have reached the end of base backup, the point where
9778 * pg_stop_backup() was done. The data on disk is now consistent.
9779 * Reset backupStartPoint, and update minRecoveryPoint to make
9780 * sure we don't allow starting up at an earlier point even if
9781 * recovery is stopped and restarted soon after this.
9783 elog(DEBUG1, "end of backup reached");
9785 LWLockAcquire(ControlFileLock, LW_EXCLUSIVE);
9787 if (ControlFile->minRecoveryPoint < lsn)
9789 ControlFile->minRecoveryPoint = lsn;
9790 ControlFile->minRecoveryPointTLI = ThisTimeLineID;
9792 ControlFile->backupStartPoint = InvalidXLogRecPtr;
9793 ControlFile->backupEndRequired = false;
9794 UpdateControlFile();
9796 LWLockRelease(ControlFileLock);
9799 else if (info == XLOG_PARAMETER_CHANGE)
9801 xl_parameter_change xlrec;
9803 /* Update our copy of the parameters in pg_control */
9804 memcpy(&xlrec, XLogRecGetData(record), sizeof(xl_parameter_change));
9806 LWLockAcquire(ControlFileLock, LW_EXCLUSIVE);
9807 ControlFile->MaxConnections = xlrec.MaxConnections;
9808 ControlFile->max_worker_processes = xlrec.max_worker_processes;
9809 ControlFile->max_prepared_xacts = xlrec.max_prepared_xacts;
9810 ControlFile->max_locks_per_xact = xlrec.max_locks_per_xact;
9811 ControlFile->wal_level = xlrec.wal_level;
9812 ControlFile->wal_log_hints = xlrec.wal_log_hints;
9815 * Update minRecoveryPoint to ensure that if recovery is aborted, we
9816 * recover back up to this point before allowing hot standby again.
9817 * This is important if the max_* settings are decreased, to ensure
9818 * you don't run queries against the WAL preceding the change.
9820 minRecoveryPoint = ControlFile->minRecoveryPoint;
9821 minRecoveryPointTLI = ControlFile->minRecoveryPointTLI;
9822 if (minRecoveryPoint != 0 && minRecoveryPoint < lsn)
9824 ControlFile->minRecoveryPoint = lsn;
9825 ControlFile->minRecoveryPointTLI = ThisTimeLineID;
9828 CommitTsParameterChange(xlrec.track_commit_timestamp,
9829 ControlFile->track_commit_timestamp);
9830 ControlFile->track_commit_timestamp = xlrec.track_commit_timestamp;
9832 UpdateControlFile();
9833 LWLockRelease(ControlFileLock);
9835 /* Check to see if any changes to max_connections give problems */
9836 CheckRequiredParameterValues();
9838 else if (info == XLOG_FPW_CHANGE)
9842 memcpy(&fpw, XLogRecGetData(record), sizeof(bool));
9845 * Update the LSN of the last replayed XLOG_FPW_CHANGE record so that
9846 * do_pg_start_backup() and do_pg_stop_backup() can check whether
9847 * full_page_writes has been disabled during online backup.
9851 SpinLockAcquire(&XLogCtl->info_lck);
9852 if (XLogCtl->lastFpwDisableRecPtr < ReadRecPtr)
9853 XLogCtl->lastFpwDisableRecPtr = ReadRecPtr;
9854 SpinLockRelease(&XLogCtl->info_lck);
9857 /* Keep track of full_page_writes */
9858 lastFullPageWrites = fpw;
9865 xlog_outrec(StringInfo buf, XLogReaderState *record)
9869 appendStringInfo(buf, "prev %X/%X; xid %u",
9870 (uint32) (XLogRecGetPrev(record) >> 32),
9871 (uint32) XLogRecGetPrev(record),
9872 XLogRecGetXid(record));
9874 appendStringInfo(buf, "; len %u",
9875 XLogRecGetDataLen(record));
9877 /* decode block references */
9878 for (block_id = 0; block_id <= record->max_block_id; block_id++)
9884 if (!XLogRecHasBlockRef(record, block_id))
9887 XLogRecGetBlockTag(record, block_id, &rnode, &forknum, &blk);
9888 if (forknum != MAIN_FORKNUM)
9889 appendStringInfo(buf, "; blkref #%u: rel %u/%u/%u, fork %u, blk %u",
9891 rnode.spcNode, rnode.dbNode, rnode.relNode,
9895 appendStringInfo(buf, "; blkref #%u: rel %u/%u/%u, blk %u",
9897 rnode.spcNode, rnode.dbNode, rnode.relNode,
9899 if (XLogRecHasBlockImage(record, block_id))
9900 appendStringInfoString(buf, " FPW");
9903 #endif /* WAL_DEBUG */
9906 * Returns a string describing an XLogRecord, consisting of its identity
9907 * optionally followed by a colon, a space, and a further description.
9910 xlog_outdesc(StringInfo buf, XLogReaderState *record)
9912 RmgrId rmid = XLogRecGetRmid(record);
9913 uint8 info = XLogRecGetInfo(record);
9916 appendStringInfoString(buf, RmgrTable[rmid].rm_name);
9917 appendStringInfoChar(buf, '/');
9919 id = RmgrTable[rmid].rm_identify(info);
9921 appendStringInfo(buf, "UNKNOWN (%X): ", info & ~XLR_INFO_MASK);
9923 appendStringInfo(buf, "%s: ", id);
9925 RmgrTable[rmid].rm_desc(buf, record);
9930 * Return the (possible) sync flag used for opening a file, depending on the
9931 * value of the GUC wal_sync_method.
9934 get_sync_bit(int method)
9936 int o_direct_flag = 0;
9938 /* If fsync is disabled, never open in sync mode */
9943 * Optimize writes by bypassing kernel cache with O_DIRECT when using
9944 * O_SYNC/O_FSYNC and O_DSYNC. But only if archiving and streaming are
9945 * disabled, otherwise the archive command or walsender process will read
9946 * the WAL soon after writing it, which is guaranteed to cause a physical
9947 * read if we bypassed the kernel cache. We also skip the
9948 * posix_fadvise(POSIX_FADV_DONTNEED) call in XLogFileClose() for the same
9951 * Never use O_DIRECT in walreceiver process for similar reasons; the WAL
9952 * written by walreceiver is normally read by the startup process soon
9953 * after its written. Also, walreceiver performs unaligned writes, which
9954 * don't work with O_DIRECT, so it is required for correctness too.
9956 if (!XLogIsNeeded() && !AmWalReceiverProcess())
9957 o_direct_flag = PG_O_DIRECT;
9962 * enum values for all sync options are defined even if they are
9963 * not supported on the current platform. But if not, they are
9964 * not included in the enum option array, and therefore will never
9967 case SYNC_METHOD_FSYNC:
9968 case SYNC_METHOD_FSYNC_WRITETHROUGH:
9969 case SYNC_METHOD_FDATASYNC:
9971 #ifdef OPEN_SYNC_FLAG
9972 case SYNC_METHOD_OPEN:
9973 return OPEN_SYNC_FLAG | o_direct_flag;
9975 #ifdef OPEN_DATASYNC_FLAG
9976 case SYNC_METHOD_OPEN_DSYNC:
9977 return OPEN_DATASYNC_FLAG | o_direct_flag;
9980 /* can't happen (unless we are out of sync with option array) */
9981 elog(ERROR, "unrecognized wal_sync_method: %d", method);
9982 return 0; /* silence warning */
9990 assign_xlog_sync_method(int new_sync_method, void *extra)
9992 if (sync_method != new_sync_method)
9995 * To ensure that no blocks escape unsynced, force an fsync on the
9996 * currently open log segment (if any). Also, if the open flag is
9997 * changing, close the log file so it will be reopened (with new flag
10000 if (openLogFile >= 0)
10002 if (pg_fsync(openLogFile) != 0)
10004 (errcode_for_file_access(),
10005 errmsg("could not fsync log segment %s: %m",
10006 XLogFileNameP(ThisTimeLineID, openLogSegNo))));
10007 if (get_sync_bit(sync_method) != get_sync_bit(new_sync_method))
10015 * Issue appropriate kind of fsync (if any) for an XLOG output file.
10017 * 'fd' is a file descriptor for the XLOG file to be fsync'd.
10018 * 'log' and 'seg' are for error reporting purposes.
10021 issue_xlog_fsync(int fd, XLogSegNo segno)
10023 switch (sync_method)
10025 case SYNC_METHOD_FSYNC:
10026 if (pg_fsync_no_writethrough(fd) != 0)
10028 (errcode_for_file_access(),
10029 errmsg("could not fsync log file %s: %m",
10030 XLogFileNameP(ThisTimeLineID, segno))));
10032 #ifdef HAVE_FSYNC_WRITETHROUGH
10033 case SYNC_METHOD_FSYNC_WRITETHROUGH:
10034 if (pg_fsync_writethrough(fd) != 0)
10036 (errcode_for_file_access(),
10037 errmsg("could not fsync write-through log file %s: %m",
10038 XLogFileNameP(ThisTimeLineID, segno))));
10041 #ifdef HAVE_FDATASYNC
10042 case SYNC_METHOD_FDATASYNC:
10043 if (pg_fdatasync(fd) != 0)
10045 (errcode_for_file_access(),
10046 errmsg("could not fdatasync log file %s: %m",
10047 XLogFileNameP(ThisTimeLineID, segno))));
10050 case SYNC_METHOD_OPEN:
10051 case SYNC_METHOD_OPEN_DSYNC:
10052 /* write synced it already */
10055 elog(PANIC, "unrecognized wal_sync_method: %d", sync_method);
10061 * Return the filename of given log segment, as a palloc'd string.
10064 XLogFileNameP(TimeLineID tli, XLogSegNo segno)
10066 char *result = palloc(MAXFNAMELEN);
10068 XLogFileName(result, tli, segno);
10073 * do_pg_start_backup is the workhorse of the user-visible pg_start_backup()
10074 * function. It creates the necessary starting checkpoint and constructs the
10075 * backup label file.
10077 * There are two kind of backups: exclusive and non-exclusive. An exclusive
10078 * backup is started with pg_start_backup(), and there can be only one active
10079 * at a time. The backup and tablespace map files of an exclusive backup are
10080 * written to $PGDATA/backup_label and $PGDATA/tablespace_map, and they are
10081 * removed by pg_stop_backup().
10083 * A non-exclusive backup is used for the streaming base backups (see
10084 * src/backend/replication/basebackup.c). The difference to exclusive backups
10085 * is that the backup label and tablespace map files are not written to disk.
10086 * Instead, their would-be contents are returned in *labelfile and *tblspcmapfile,
10087 * and the caller is responsible for including them in the backup archive as
10088 * 'backup_label' and 'tablespace_map'. There can be many non-exclusive backups
10089 * active at the same time, and they don't conflict with an exclusive backup
10092 * tblspcmapfile is required mainly for tar format in windows as native windows
10093 * utilities are not able to create symlinks while extracting files from tar.
10094 * However for consistency, the same is used for all platforms.
10096 * needtblspcmapfile is true for the cases (exclusive backup and for
10097 * non-exclusive backup only when tar format is used for taking backup)
10098 * when backup needs to generate tablespace_map file, it is used to
10099 * embed escape character before newline character in tablespace path.
10101 * Returns the minimum WAL position that must be present to restore from this
10102 * backup, and the corresponding timeline ID in *starttli_p.
10104 * Every successfully started non-exclusive backup must be stopped by calling
10105 * do_pg_stop_backup() or do_pg_abort_backup().
10107 * It is the responsibility of the caller of this function to verify the
10108 * permissions of the calling user!
10111 do_pg_start_backup(const char *backupidstr, bool fast, TimeLineID *starttli_p,
10112 StringInfo labelfile, DIR *tblspcdir, List **tablespaces,
10113 StringInfo tblspcmapfile, bool infotbssize,
10114 bool needtblspcmapfile)
10116 bool exclusive = (labelfile == NULL);
10117 bool backup_started_in_recovery = false;
10118 XLogRecPtr checkpointloc;
10119 XLogRecPtr startpoint;
10120 TimeLineID starttli;
10121 pg_time_t stamp_time;
10123 char xlogfilename[MAXFNAMELEN];
10124 XLogSegNo _logSegNo;
10125 struct stat stat_buf;
10128 backup_started_in_recovery = RecoveryInProgress();
10131 * Currently only non-exclusive backup can be taken during recovery.
10133 if (backup_started_in_recovery && exclusive)
10135 (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
10136 errmsg("recovery is in progress"),
10137 errhint("WAL control functions cannot be executed during recovery.")));
10140 * During recovery, we don't need to check WAL level. Because, if WAL
10141 * level is not sufficient, it's impossible to get here during recovery.
10143 if (!backup_started_in_recovery && !XLogIsNeeded())
10145 (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
10146 errmsg("WAL level not sufficient for making an online backup"),
10147 errhint("wal_level must be set to \"replica\" or \"logical\" at server start.")));
10149 if (strlen(backupidstr) > MAXPGPATH)
10151 (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
10152 errmsg("backup label too long (max %d bytes)",
10156 * Mark backup active in shared memory. We must do full-page WAL writes
10157 * during an on-line backup even if not doing so at other times, because
10158 * it's quite possible for the backup dump to obtain a "torn" (partially
10159 * written) copy of a database page if it reads the page concurrently with
10160 * our write to the same page. This can be fixed as long as the first
10161 * write to the page in the WAL sequence is a full-page write. Hence, we
10162 * turn on forcePageWrites and then force a CHECKPOINT, to ensure there
10163 * are no dirty pages in shared memory that might get dumped while the
10164 * backup is in progress without having a corresponding WAL record. (Once
10165 * the backup is complete, we need not force full-page writes anymore,
10166 * since we expect that any pages not modified during the backup interval
10167 * must have been correctly captured by the backup.)
10169 * Note that forcePageWrites has no effect during an online backup from
10172 * We must hold all the insertion locks to change the value of
10173 * forcePageWrites, to ensure adequate interlocking against
10174 * XLogInsertRecord().
10176 WALInsertLockAcquireExclusive();
10180 * At first, mark that we're now starting an exclusive backup,
10181 * to ensure that there are no other sessions currently running
10182 * pg_start_backup() or pg_stop_backup().
10184 if (XLogCtl->Insert.exclusiveBackupState != EXCLUSIVE_BACKUP_NONE)
10186 WALInsertLockRelease();
10188 (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
10189 errmsg("a backup is already in progress"),
10190 errhint("Run pg_stop_backup() and try again.")));
10192 XLogCtl->Insert.exclusiveBackupState = EXCLUSIVE_BACKUP_STARTING;
10195 XLogCtl->Insert.nonExclusiveBackups++;
10196 XLogCtl->Insert.forcePageWrites = true;
10197 WALInsertLockRelease();
10199 /* Ensure we release forcePageWrites if fail below */
10200 PG_ENSURE_ERROR_CLEANUP(pg_start_backup_callback, (Datum) BoolGetDatum(exclusive));
10202 bool gotUniqueStartpoint = false;
10204 tablespaceinfo *ti;
10205 int datadirpathlen;
10208 * Force an XLOG file switch before the checkpoint, to ensure that the
10209 * WAL segment the checkpoint is written to doesn't contain pages with
10210 * old timeline IDs. That would otherwise happen if you called
10211 * pg_start_backup() right after restoring from a PITR archive: the
10212 * first WAL segment containing the startup checkpoint has pages in
10213 * the beginning with the old timeline ID. That can cause trouble at
10214 * recovery: we won't have a history file covering the old timeline if
10215 * pg_wal directory was not included in the base backup and the WAL
10216 * archive was cleared too before starting the backup.
10218 * This also ensures that we have emitted a WAL page header that has
10219 * XLP_BKP_REMOVABLE off before we emit the checkpoint record.
10220 * Therefore, if a WAL archiver (such as pglesslog) is trying to
10221 * compress out removable backup blocks, it won't remove any that
10222 * occur after this point.
10224 * During recovery, we skip forcing XLOG file switch, which means that
10225 * the backup taken during recovery is not available for the special
10226 * recovery case described above.
10228 if (!backup_started_in_recovery)
10229 RequestXLogSwitch(false);
10233 bool checkpointfpw;
10236 * Force a CHECKPOINT. Aside from being necessary to prevent torn
10237 * page problems, this guarantees that two successive backup runs
10238 * will have different checkpoint positions and hence different
10239 * history file names, even if nothing happened in between.
10241 * During recovery, establish a restartpoint if possible. We use
10242 * the last restartpoint as the backup starting checkpoint. This
10243 * means that two successive backup runs can have same checkpoint
10246 * Since the fact that we are executing do_pg_start_backup()
10247 * during recovery means that checkpointer is running, we can use
10248 * RequestCheckpoint() to establish a restartpoint.
10250 * We use CHECKPOINT_IMMEDIATE only if requested by user (via
10251 * passing fast = true). Otherwise this can take awhile.
10253 RequestCheckpoint(CHECKPOINT_FORCE | CHECKPOINT_WAIT |
10254 (fast ? CHECKPOINT_IMMEDIATE : 0));
10257 * Now we need to fetch the checkpoint record location, and also
10258 * its REDO pointer. The oldest point in WAL that would be needed
10259 * to restore starting from the checkpoint is precisely the REDO
10262 LWLockAcquire(ControlFileLock, LW_SHARED);
10263 checkpointloc = ControlFile->checkPoint;
10264 startpoint = ControlFile->checkPointCopy.redo;
10265 starttli = ControlFile->checkPointCopy.ThisTimeLineID;
10266 checkpointfpw = ControlFile->checkPointCopy.fullPageWrites;
10267 LWLockRelease(ControlFileLock);
10269 if (backup_started_in_recovery)
10274 * Check to see if all WAL replayed during online backup
10275 * (i.e., since last restartpoint used as backup starting
10276 * checkpoint) contain full-page writes.
10278 SpinLockAcquire(&XLogCtl->info_lck);
10279 recptr = XLogCtl->lastFpwDisableRecPtr;
10280 SpinLockRelease(&XLogCtl->info_lck);
10282 if (!checkpointfpw || startpoint <= recptr)
10284 (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
10285 errmsg("WAL generated with full_page_writes=off was replayed "
10286 "since last restartpoint"),
10287 errhint("This means that the backup being taken on the standby "
10288 "is corrupt and should not be used. "
10289 "Enable full_page_writes and run CHECKPOINT on the master, "
10290 "and then try an online backup again.")));
10293 * During recovery, since we don't use the end-of-backup WAL
10294 * record and don't write the backup history file, the
10295 * starting WAL location doesn't need to be unique. This means
10296 * that two base backups started at the same time might use
10297 * the same checkpoint as starting locations.
10299 gotUniqueStartpoint = true;
10303 * If two base backups are started at the same time (in WAL sender
10304 * processes), we need to make sure that they use different
10305 * checkpoints as starting locations, because we use the starting
10306 * WAL location as a unique identifier for the base backup in the
10307 * end-of-backup WAL record and when we write the backup history
10308 * file. Perhaps it would be better generate a separate unique ID
10309 * for each backup instead of forcing another checkpoint, but
10310 * taking a checkpoint right after another is not that expensive
10311 * either because only few buffers have been dirtied yet.
10313 WALInsertLockAcquireExclusive();
10314 if (XLogCtl->Insert.lastBackupStart < startpoint)
10316 XLogCtl->Insert.lastBackupStart = startpoint;
10317 gotUniqueStartpoint = true;
10319 WALInsertLockRelease();
10320 } while (!gotUniqueStartpoint);
10322 XLByteToSeg(startpoint, _logSegNo);
10323 XLogFileName(xlogfilename, starttli, _logSegNo);
10326 * Construct tablespace_map file
10329 tblspcmapfile = makeStringInfo();
10331 datadirpathlen = strlen(DataDir);
10333 /* Collect information about all tablespaces */
10334 while ((de = ReadDir(tblspcdir, "pg_tblspc")) != NULL)
10336 char fullpath[MAXPGPATH];
10337 char linkpath[MAXPGPATH];
10338 char *relpath = NULL;
10340 StringInfoData buflinkpath;
10341 char *s = linkpath;
10343 /* Skip special stuff */
10344 if (strcmp(de->d_name, ".") == 0 || strcmp(de->d_name, "..") == 0)
10347 snprintf(fullpath, sizeof(fullpath), "pg_tblspc/%s", de->d_name);
10349 #if defined(HAVE_READLINK) || defined(WIN32)
10350 rllen = readlink(fullpath, linkpath, sizeof(linkpath));
10354 (errmsg("could not read symbolic link \"%s\": %m",
10358 else if (rllen >= sizeof(linkpath))
10361 (errmsg("symbolic link \"%s\" target is too long",
10365 linkpath[rllen] = '\0';
10368 * Add the escape character '\\' before newline in a string to
10369 * ensure that we can distinguish between the newline in the
10370 * tablespace path and end of line while reading tablespace_map
10371 * file during archive recovery.
10373 initStringInfo(&buflinkpath);
10377 if ((*s == '\n' || *s == '\r') && needtblspcmapfile)
10378 appendStringInfoChar(&buflinkpath, '\\');
10379 appendStringInfoChar(&buflinkpath, *s++);
10384 * Relpath holds the relative path of the tablespace directory
10385 * when it's located within PGDATA, or NULL if it's located
10388 if (rllen > datadirpathlen &&
10389 strncmp(linkpath, DataDir, datadirpathlen) == 0 &&
10390 IS_DIR_SEP(linkpath[datadirpathlen]))
10391 relpath = linkpath + datadirpathlen + 1;
10393 ti = palloc(sizeof(tablespaceinfo));
10394 ti->oid = pstrdup(de->d_name);
10395 ti->path = pstrdup(buflinkpath.data);
10396 ti->rpath = relpath ? pstrdup(relpath) : NULL;
10397 ti->size = infotbssize ? sendTablespace(fullpath, true) : -1;
10400 *tablespaces = lappend(*tablespaces, ti);
10402 appendStringInfo(tblspcmapfile, "%s %s\n", ti->oid, ti->path);
10404 pfree(buflinkpath.data);
10408 * If the platform does not have symbolic links, it should not be
10409 * possible to have tablespaces - clearly somebody else created
10410 * them. Warn about it and ignore.
10413 (errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
10414 errmsg("tablespaces are not supported on this platform")));
10419 * Construct backup label file
10422 labelfile = makeStringInfo();
10424 /* Use the log timezone here, not the session timezone */
10425 stamp_time = (pg_time_t) time(NULL);
10426 pg_strftime(strfbuf, sizeof(strfbuf),
10427 "%Y-%m-%d %H:%M:%S %Z",
10428 pg_localtime(&stamp_time, log_timezone));
10429 appendStringInfo(labelfile, "START WAL LOCATION: %X/%X (file %s)\n",
10430 (uint32) (startpoint >> 32), (uint32) startpoint, xlogfilename);
10431 appendStringInfo(labelfile, "CHECKPOINT LOCATION: %X/%X\n",
10432 (uint32) (checkpointloc >> 32), (uint32) checkpointloc);
10433 appendStringInfo(labelfile, "BACKUP METHOD: %s\n",
10434 exclusive ? "pg_start_backup" : "streamed");
10435 appendStringInfo(labelfile, "BACKUP FROM: %s\n",
10436 backup_started_in_recovery ? "standby" : "master");
10437 appendStringInfo(labelfile, "START TIME: %s\n", strfbuf);
10438 appendStringInfo(labelfile, "LABEL: %s\n", backupidstr);
10441 * Okay, write the file, or return its contents to caller.
10446 * Check for existing backup label --- implies a backup is already
10447 * running. (XXX given that we checked exclusiveBackupState above,
10448 * maybe it would be OK to just unlink any such label file?)
10450 if (stat(BACKUP_LABEL_FILE, &stat_buf) != 0)
10452 if (errno != ENOENT)
10454 (errcode_for_file_access(),
10455 errmsg("could not stat file \"%s\": %m",
10456 BACKUP_LABEL_FILE)));
10460 (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
10461 errmsg("a backup is already in progress"),
10462 errhint("If you're sure there is no backup in progress, remove file \"%s\" and try again.",
10463 BACKUP_LABEL_FILE)));
10465 fp = AllocateFile(BACKUP_LABEL_FILE, "w");
10469 (errcode_for_file_access(),
10470 errmsg("could not create file \"%s\": %m",
10471 BACKUP_LABEL_FILE)));
10472 if (fwrite(labelfile->data, labelfile->len, 1, fp) != 1 ||
10474 pg_fsync(fileno(fp)) != 0 ||
10478 (errcode_for_file_access(),
10479 errmsg("could not write file \"%s\": %m",
10480 BACKUP_LABEL_FILE)));
10481 /* Allocated locally for exclusive backups, so free separately */
10482 pfree(labelfile->data);
10485 /* Write backup tablespace_map file. */
10486 if (tblspcmapfile->len > 0)
10488 if (stat(TABLESPACE_MAP, &stat_buf) != 0)
10490 if (errno != ENOENT)
10492 (errcode_for_file_access(),
10493 errmsg("could not stat file \"%s\": %m",
10498 (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
10499 errmsg("a backup is already in progress"),
10500 errhint("If you're sure there is no backup in progress, remove file \"%s\" and try again.",
10503 fp = AllocateFile(TABLESPACE_MAP, "w");
10507 (errcode_for_file_access(),
10508 errmsg("could not create file \"%s\": %m",
10510 if (fwrite(tblspcmapfile->data, tblspcmapfile->len, 1, fp) != 1 ||
10512 pg_fsync(fileno(fp)) != 0 ||
10516 (errcode_for_file_access(),
10517 errmsg("could not write file \"%s\": %m",
10521 /* Allocated locally for exclusive backups, so free separately */
10522 pfree(tblspcmapfile->data);
10523 pfree(tblspcmapfile);
10526 PG_END_ENSURE_ERROR_CLEANUP(pg_start_backup_callback, (Datum) BoolGetDatum(exclusive));
10529 * Mark that start phase has correctly finished for an exclusive backup.
10533 WALInsertLockAcquireExclusive();
10534 XLogCtl->Insert.exclusiveBackupState = EXCLUSIVE_BACKUP_IN_PROGRESS;
10535 WALInsertLockRelease();
10539 * We're done. As a convenience, return the starting WAL location.
10542 *starttli_p = starttli;
10546 /* Error cleanup callback for pg_start_backup */
10548 pg_start_backup_callback(int code, Datum arg)
10550 bool exclusive = DatumGetBool(arg);
10552 /* Update backup counters and forcePageWrites on failure */
10553 WALInsertLockAcquireExclusive();
10556 Assert(XLogCtl->Insert.exclusiveBackupState == EXCLUSIVE_BACKUP_STARTING);
10557 XLogCtl->Insert.exclusiveBackupState = EXCLUSIVE_BACKUP_NONE;
10561 Assert(XLogCtl->Insert.nonExclusiveBackups > 0);
10562 XLogCtl->Insert.nonExclusiveBackups--;
10565 if (XLogCtl->Insert.exclusiveBackupState == EXCLUSIVE_BACKUP_NONE &&
10566 XLogCtl->Insert.nonExclusiveBackups == 0)
10568 XLogCtl->Insert.forcePageWrites = false;
10570 WALInsertLockRelease();
10574 * Error cleanup callback for pg_stop_backup
10577 pg_stop_backup_callback(int code, Datum arg)
10579 bool exclusive = DatumGetBool(arg);
10581 /* Update backup status on failure */
10582 WALInsertLockAcquireExclusive();
10585 Assert(XLogCtl->Insert.exclusiveBackupState == EXCLUSIVE_BACKUP_STOPPING);
10586 XLogCtl->Insert.exclusiveBackupState = EXCLUSIVE_BACKUP_IN_PROGRESS;
10588 WALInsertLockRelease();
10592 * do_pg_stop_backup is the workhorse of the user-visible pg_stop_backup()
10595 * If labelfile is NULL, this stops an exclusive backup. Otherwise this stops
10596 * the non-exclusive backup specified by 'labelfile'.
10598 * Returns the last WAL position that must be present to restore from this
10599 * backup, and the corresponding timeline ID in *stoptli_p.
10601 * It is the responsibility of the caller of this function to verify the
10602 * permissions of the calling user!
10605 do_pg_stop_backup(char *labelfile, bool waitforarchive, TimeLineID *stoptli_p)
10607 bool exclusive = (labelfile == NULL);
10608 bool backup_started_in_recovery = false;
10609 XLogRecPtr startpoint;
10610 XLogRecPtr stoppoint;
10611 TimeLineID stoptli;
10612 pg_time_t stamp_time;
10614 char histfilepath[MAXPGPATH];
10615 char startxlogfilename[MAXFNAMELEN];
10616 char stopxlogfilename[MAXFNAMELEN];
10617 char lastxlogfilename[MAXFNAMELEN];
10618 char histfilename[MAXFNAMELEN];
10619 char backupfrom[20];
10620 XLogSegNo _logSegNo;
10624 int seconds_before_warning;
10626 bool reported_waiting = false;
10632 backup_started_in_recovery = RecoveryInProgress();
10635 * Currently only non-exclusive backup can be taken during recovery.
10637 if (backup_started_in_recovery && exclusive)
10639 (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
10640 errmsg("recovery is in progress"),
10641 errhint("WAL control functions cannot be executed during recovery.")));
10644 * During recovery, we don't need to check WAL level. Because, if WAL
10645 * level is not sufficient, it's impossible to get here during recovery.
10647 if (!backup_started_in_recovery && !XLogIsNeeded())
10649 (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
10650 errmsg("WAL level not sufficient for making an online backup"),
10651 errhint("wal_level must be set to \"replica\" or \"logical\" at server start.")));
10656 * At first, mark that we're now stopping an exclusive backup,
10657 * to ensure that there are no other sessions currently running
10658 * pg_start_backup() or pg_stop_backup().
10660 WALInsertLockAcquireExclusive();
10661 if (XLogCtl->Insert.exclusiveBackupState != EXCLUSIVE_BACKUP_IN_PROGRESS)
10663 WALInsertLockRelease();
10665 (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
10666 errmsg("exclusive backup not in progress")));
10668 XLogCtl->Insert.exclusiveBackupState = EXCLUSIVE_BACKUP_STOPPING;
10669 WALInsertLockRelease();
10672 * Remove backup_label. In case of failure, the state for an exclusive
10673 * backup is switched back to in-progress.
10675 PG_ENSURE_ERROR_CLEANUP(pg_stop_backup_callback, (Datum) BoolGetDatum(exclusive));
10678 * Read the existing label file into memory.
10680 struct stat statbuf;
10683 if (stat(BACKUP_LABEL_FILE, &statbuf))
10685 /* should not happen per the upper checks */
10686 if (errno != ENOENT)
10688 (errcode_for_file_access(),
10689 errmsg("could not stat file \"%s\": %m",
10690 BACKUP_LABEL_FILE)));
10692 (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
10693 errmsg("a backup is not in progress")));
10696 lfp = AllocateFile(BACKUP_LABEL_FILE, "r");
10700 (errcode_for_file_access(),
10701 errmsg("could not read file \"%s\": %m",
10702 BACKUP_LABEL_FILE)));
10704 labelfile = palloc(statbuf.st_size + 1);
10705 r = fread(labelfile, statbuf.st_size, 1, lfp);
10706 labelfile[statbuf.st_size] = '\0';
10709 * Close and remove the backup label file
10711 if (r != 1 || ferror(lfp) || FreeFile(lfp))
10713 (errcode_for_file_access(),
10714 errmsg("could not read file \"%s\": %m",
10715 BACKUP_LABEL_FILE)));
10716 if (unlink(BACKUP_LABEL_FILE) != 0)
10718 (errcode_for_file_access(),
10719 errmsg("could not remove file \"%s\": %m",
10720 BACKUP_LABEL_FILE)));
10723 * Remove tablespace_map file if present, it is created only if there
10726 unlink(TABLESPACE_MAP);
10728 PG_END_ENSURE_ERROR_CLEANUP(pg_stop_backup_callback, (Datum) BoolGetDatum(exclusive));
10732 * OK to update backup counters and forcePageWrites
10734 WALInsertLockAcquireExclusive();
10737 XLogCtl->Insert.exclusiveBackupState = EXCLUSIVE_BACKUP_NONE;
10742 * The user-visible pg_start/stop_backup() functions that operate on
10743 * exclusive backups can be called at any time, but for non-exclusive
10744 * backups, it is expected that each do_pg_start_backup() call is
10745 * matched by exactly one do_pg_stop_backup() call.
10747 Assert(XLogCtl->Insert.nonExclusiveBackups > 0);
10748 XLogCtl->Insert.nonExclusiveBackups--;
10751 if (XLogCtl->Insert.exclusiveBackupState == EXCLUSIVE_BACKUP_NONE &&
10752 XLogCtl->Insert.nonExclusiveBackups == 0)
10754 XLogCtl->Insert.forcePageWrites = false;
10756 WALInsertLockRelease();
10759 * Read and parse the START WAL LOCATION line (this code is pretty crude,
10760 * but we are not expecting any variability in the file format).
10762 if (sscanf(labelfile, "START WAL LOCATION: %X/%X (file %24s)%c",
10763 &hi, &lo, startxlogfilename,
10764 &ch) != 4 || ch != '\n')
10766 (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
10767 errmsg("invalid data in file \"%s\"", BACKUP_LABEL_FILE)));
10768 startpoint = ((uint64) hi) << 32 | lo;
10769 remaining = strchr(labelfile, '\n') + 1; /* %n is not portable enough */
10772 * Parse the BACKUP FROM line. If we are taking an online backup from the
10773 * standby, we confirm that the standby has not been promoted during the
10776 ptr = strstr(remaining, "BACKUP FROM:");
10777 if (!ptr || sscanf(ptr, "BACKUP FROM: %19s\n", backupfrom) != 1)
10779 (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
10780 errmsg("invalid data in file \"%s\"", BACKUP_LABEL_FILE)));
10781 if (strcmp(backupfrom, "standby") == 0 && !backup_started_in_recovery)
10783 (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
10784 errmsg("the standby was promoted during online backup"),
10785 errhint("This means that the backup being taken is corrupt "
10786 "and should not be used. "
10787 "Try taking another online backup.")));
10790 * During recovery, we don't write an end-of-backup record. We assume that
10791 * pg_control was backed up last and its minimum recovery point can be
10792 * available as the backup end location. Since we don't have an
10793 * end-of-backup record, we use the pg_control value to check whether
10794 * we've reached the end of backup when starting recovery from this
10795 * backup. We have no way of checking if pg_control wasn't backed up last
10798 * We don't force a switch to new WAL file and wait for all the required
10799 * files to be archived. This is okay if we use the backup to start the
10800 * standby. But, if it's for an archive recovery, to ensure all the
10801 * required files are available, a user should wait for them to be
10802 * archived, or include them into the backup.
10804 * We return the current minimum recovery point as the backup end
10805 * location. Note that it can be greater than the exact backup end
10806 * location if the minimum recovery point is updated after the backup of
10807 * pg_control. This is harmless for current uses.
10809 * XXX currently a backup history file is for informational and debug
10810 * purposes only. It's not essential for an online backup. Furthermore,
10811 * even if it's created, it will not be archived during recovery because
10812 * an archiver is not invoked. So it doesn't seem worthwhile to write a
10813 * backup history file during recovery.
10815 if (backup_started_in_recovery)
10820 * Check to see if all WAL replayed during online backup contain
10821 * full-page writes.
10823 SpinLockAcquire(&XLogCtl->info_lck);
10824 recptr = XLogCtl->lastFpwDisableRecPtr;
10825 SpinLockRelease(&XLogCtl->info_lck);
10827 if (startpoint <= recptr)
10829 (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
10830 errmsg("WAL generated with full_page_writes=off was replayed "
10831 "during online backup"),
10832 errhint("This means that the backup being taken on the standby "
10833 "is corrupt and should not be used. "
10834 "Enable full_page_writes and run CHECKPOINT on the master, "
10835 "and then try an online backup again.")));
10838 LWLockAcquire(ControlFileLock, LW_SHARED);
10839 stoppoint = ControlFile->minRecoveryPoint;
10840 stoptli = ControlFile->minRecoveryPointTLI;
10841 LWLockRelease(ControlFileLock);
10844 *stoptli_p = stoptli;
10849 * Write the backup-end xlog record
10852 XLogRegisterData((char *) (&startpoint), sizeof(startpoint));
10853 stoppoint = XLogInsert(RM_XLOG_ID, XLOG_BACKUP_END);
10854 stoptli = ThisTimeLineID;
10857 * Force a switch to a new xlog segment file, so that the backup is valid
10858 * as soon as archiver moves out the current segment file.
10860 RequestXLogSwitch(false);
10862 XLByteToPrevSeg(stoppoint, _logSegNo);
10863 XLogFileName(stopxlogfilename, ThisTimeLineID, _logSegNo);
10865 /* Use the log timezone here, not the session timezone */
10866 stamp_time = (pg_time_t) time(NULL);
10867 pg_strftime(strfbuf, sizeof(strfbuf),
10868 "%Y-%m-%d %H:%M:%S %Z",
10869 pg_localtime(&stamp_time, log_timezone));
10872 * Write the backup history file
10874 XLByteToSeg(startpoint, _logSegNo);
10875 BackupHistoryFilePath(histfilepath, ThisTimeLineID, _logSegNo,
10876 (uint32) (startpoint % XLogSegSize));
10877 fp = AllocateFile(histfilepath, "w");
10880 (errcode_for_file_access(),
10881 errmsg("could not create file \"%s\": %m",
10883 fprintf(fp, "START WAL LOCATION: %X/%X (file %s)\n",
10884 (uint32) (startpoint >> 32), (uint32) startpoint, startxlogfilename);
10885 fprintf(fp, "STOP WAL LOCATION: %X/%X (file %s)\n",
10886 (uint32) (stoppoint >> 32), (uint32) stoppoint, stopxlogfilename);
10887 /* transfer remaining lines from label to history file */
10888 fprintf(fp, "%s", remaining);
10889 fprintf(fp, "STOP TIME: %s\n", strfbuf);
10890 if (fflush(fp) || ferror(fp) || FreeFile(fp))
10892 (errcode_for_file_access(),
10893 errmsg("could not write file \"%s\": %m",
10897 * Clean out any no-longer-needed history files. As a side effect, this
10898 * will post a .ready file for the newly created history file, notifying
10899 * the archiver that history file may be archived immediately.
10901 CleanupBackupHistory();
10904 * If archiving is enabled, wait for all the required WAL files to be
10905 * archived before returning. If archiving isn't enabled, the required WAL
10906 * needs to be transported via streaming replication (hopefully with
10907 * wal_keep_segments set high enough), or some more exotic mechanism like
10908 * polling and copying files from pg_wal with script. We have no
10909 * knowledge of those mechanisms, so it's up to the user to ensure that he
10910 * gets all the required WAL.
10912 * We wait until both the last WAL file filled during backup and the
10913 * history file have been archived, and assume that the alphabetic sorting
10914 * property of the WAL files ensures any earlier WAL files are safely
10915 * archived as well.
10917 * We wait forever, since archive_command is supposed to work and we
10918 * assume the admin wanted his backup to work completely. If you don't
10919 * wish to wait, you can set statement_timeout. Also, some notices are
10920 * issued to clue in anyone who might be doing this interactively.
10922 if (waitforarchive && XLogArchivingActive())
10924 XLByteToPrevSeg(stoppoint, _logSegNo);
10925 XLogFileName(lastxlogfilename, ThisTimeLineID, _logSegNo);
10927 XLByteToSeg(startpoint, _logSegNo);
10928 BackupHistoryFileName(histfilename, ThisTimeLineID, _logSegNo,
10929 (uint32) (startpoint % XLogSegSize));
10931 seconds_before_warning = 60;
10934 while (XLogArchiveIsBusy(lastxlogfilename) ||
10935 XLogArchiveIsBusy(histfilename))
10937 CHECK_FOR_INTERRUPTS();
10939 if (!reported_waiting && waits > 5)
10942 (errmsg("pg_stop_backup cleanup done, waiting for required WAL segments to be archived")));
10943 reported_waiting = true;
10946 pg_usleep(1000000L);
10948 if (++waits >= seconds_before_warning)
10950 seconds_before_warning *= 2; /* This wraps in >10 years... */
10952 (errmsg("pg_stop_backup still waiting for all required WAL segments to be archived (%d seconds elapsed)",
10954 errhint("Check that your archive_command is executing properly. "
10955 "pg_stop_backup can be canceled safely, "
10956 "but the database backup will not be usable without all the WAL segments.")));
10961 (errmsg("pg_stop_backup complete, all required WAL segments have been archived")));
10963 else if (waitforarchive)
10965 (errmsg("WAL archiving is not enabled; you must ensure that all required WAL segments are copied through other means to complete the backup")));
10968 * We're done. As a convenience, return the ending WAL location.
10971 *stoptli_p = stoptli;
10977 * do_pg_abort_backup: abort a running backup
10979 * This does just the most basic steps of do_pg_stop_backup(), by taking the
10980 * system out of backup mode, thus making it a lot more safe to call from
10981 * an error handler.
10983 * NB: This is only for aborting a non-exclusive backup that doesn't write
10984 * backup_label. A backup started with pg_start_backup() needs to be finished
10985 * with pg_stop_backup().
10988 do_pg_abort_backup(void)
10990 WALInsertLockAcquireExclusive();
10991 Assert(XLogCtl->Insert.nonExclusiveBackups > 0);
10992 XLogCtl->Insert.nonExclusiveBackups--;
10994 if (XLogCtl->Insert.exclusiveBackupState == EXCLUSIVE_BACKUP_NONE &&
10995 XLogCtl->Insert.nonExclusiveBackups == 0)
10997 XLogCtl->Insert.forcePageWrites = false;
10999 WALInsertLockRelease();
11003 * Get latest redo apply position.
11005 * Exported to allow WALReceiver to read the pointer directly.
11008 GetXLogReplayRecPtr(TimeLineID *replayTLI)
11013 SpinLockAcquire(&XLogCtl->info_lck);
11014 recptr = XLogCtl->lastReplayedEndRecPtr;
11015 tli = XLogCtl->lastReplayedTLI;
11016 SpinLockRelease(&XLogCtl->info_lck);
11024 * Get latest WAL insert pointer
11027 GetXLogInsertRecPtr(void)
11029 XLogCtlInsert *Insert = &XLogCtl->Insert;
11030 uint64 current_bytepos;
11032 SpinLockAcquire(&Insert->insertpos_lck);
11033 current_bytepos = Insert->CurrBytePos;
11034 SpinLockRelease(&Insert->insertpos_lck);
11036 return XLogBytePosToRecPtr(current_bytepos);
11040 * Get latest WAL write pointer
11043 GetXLogWriteRecPtr(void)
11045 SpinLockAcquire(&XLogCtl->info_lck);
11046 LogwrtResult = XLogCtl->LogwrtResult;
11047 SpinLockRelease(&XLogCtl->info_lck);
11049 return LogwrtResult.Write;
11053 * Returns the redo pointer of the last checkpoint or restartpoint. This is
11054 * the oldest point in WAL that we still need, if we have to restart recovery.
11057 GetOldestRestartPoint(XLogRecPtr *oldrecptr, TimeLineID *oldtli)
11059 LWLockAcquire(ControlFileLock, LW_SHARED);
11060 *oldrecptr = ControlFile->checkPointCopy.redo;
11061 *oldtli = ControlFile->checkPointCopy.ThisTimeLineID;
11062 LWLockRelease(ControlFileLock);
11066 * read_backup_label: check to see if a backup_label file is present
11068 * If we see a backup_label during recovery, we assume that we are recovering
11069 * from a backup dump file, and we therefore roll forward from the checkpoint
11070 * identified by the label file, NOT what pg_control says. This avoids the
11071 * problem that pg_control might have been archived one or more checkpoints
11072 * later than the start of the dump, and so if we rely on it as the start
11073 * point, we will fail to restore a consistent database state.
11075 * Returns TRUE if a backup_label was found (and fills the checkpoint
11076 * location and its REDO location into *checkPointLoc and RedoStartLSN,
11077 * respectively); returns FALSE if not. If this backup_label came from a
11078 * streamed backup, *backupEndRequired is set to TRUE. If this backup_label
11079 * was created during recovery, *backupFromStandby is set to TRUE.
11082 read_backup_label(XLogRecPtr *checkPointLoc, bool *backupEndRequired,
11083 bool *backupFromStandby)
11085 char startxlogfilename[MAXFNAMELEN];
11089 char backuptype[20];
11090 char backupfrom[20];
11094 *backupEndRequired = false;
11095 *backupFromStandby = false;
11098 * See if label file is present
11100 lfp = AllocateFile(BACKUP_LABEL_FILE, "r");
11103 if (errno != ENOENT)
11105 (errcode_for_file_access(),
11106 errmsg("could not read file \"%s\": %m",
11107 BACKUP_LABEL_FILE)));
11108 return false; /* it's not there, all is fine */
11112 * Read and parse the START WAL LOCATION and CHECKPOINT lines (this code
11113 * is pretty crude, but we are not expecting any variability in the file
11116 if (fscanf(lfp, "START WAL LOCATION: %X/%X (file %08X%16s)%c",
11117 &hi, &lo, &tli, startxlogfilename, &ch) != 5 || ch != '\n')
11119 (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
11120 errmsg("invalid data in file \"%s\"", BACKUP_LABEL_FILE)));
11121 RedoStartLSN = ((uint64) hi) << 32 | lo;
11122 if (fscanf(lfp, "CHECKPOINT LOCATION: %X/%X%c",
11123 &hi, &lo, &ch) != 3 || ch != '\n')
11125 (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
11126 errmsg("invalid data in file \"%s\"", BACKUP_LABEL_FILE)));
11127 *checkPointLoc = ((uint64) hi) << 32 | lo;
11130 * BACKUP METHOD and BACKUP FROM lines are new in 9.2. We can't restore
11131 * from an older backup anyway, but since the information on it is not
11132 * strictly required, don't error out if it's missing for some reason.
11134 if (fscanf(lfp, "BACKUP METHOD: %19s\n", backuptype) == 1)
11136 if (strcmp(backuptype, "streamed") == 0)
11137 *backupEndRequired = true;
11140 if (fscanf(lfp, "BACKUP FROM: %19s\n", backupfrom) == 1)
11142 if (strcmp(backupfrom, "standby") == 0)
11143 *backupFromStandby = true;
11146 if (ferror(lfp) || FreeFile(lfp))
11148 (errcode_for_file_access(),
11149 errmsg("could not read file \"%s\": %m",
11150 BACKUP_LABEL_FILE)));
11156 * read_tablespace_map: check to see if a tablespace_map file is present
11158 * If we see a tablespace_map file during recovery, we assume that we are
11159 * recovering from a backup dump file, and we therefore need to create symlinks
11160 * as per the information present in tablespace_map file.
11162 * Returns TRUE if a tablespace_map file was found (and fills the link
11163 * information for all the tablespace links present in file); returns FALSE
11167 read_tablespace_map(List **tablespaces)
11169 tablespaceinfo *ti;
11171 char tbsoid[MAXPGPATH];
11173 char str[MAXPGPATH];
11180 * See if tablespace_map file is present
11182 lfp = AllocateFile(TABLESPACE_MAP, "r");
11185 if (errno != ENOENT)
11187 (errcode_for_file_access(),
11188 errmsg("could not read file \"%s\": %m",
11190 return false; /* it's not there, all is fine */
11194 * Read and parse the link name and path lines from tablespace_map file
11195 * (this code is pretty crude, but we are not expecting any variability in
11196 * the file format). While taking backup we embed escape character '\\'
11197 * before newline in tablespace path, so that during reading of
11198 * tablespace_map file, we could distinguish newline in tablespace path
11199 * and end of line. Now while reading tablespace_map file, remove the
11200 * escape character that has been added in tablespace path during backup.
11202 while ((ch = fgetc(lfp)) != EOF)
11204 if ((ch == '\n' || ch == '\r') && prev_ch != '\\')
11207 if (sscanf(str, "%s %n", tbsoid, &n) != 1)
11209 (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
11210 errmsg("invalid data in file \"%s\"", TABLESPACE_MAP)));
11211 tbslinkpath = str + n;
11214 ti = palloc(sizeof(tablespaceinfo));
11215 ti->oid = pstrdup(tbsoid);
11216 ti->path = pstrdup(tbslinkpath);
11218 *tablespaces = lappend(*tablespaces, ti);
11221 else if ((ch == '\n' || ch == '\r') && prev_ch == '\\')
11228 if (ferror(lfp) || FreeFile(lfp))
11230 (errcode_for_file_access(),
11231 errmsg("could not read file \"%s\": %m",
11238 * Error context callback for errors occurring during rm_redo().
11241 rm_redo_error_callback(void *arg)
11243 XLogReaderState *record = (XLogReaderState *) arg;
11244 StringInfoData buf;
11246 initStringInfo(&buf);
11247 xlog_outdesc(&buf, record);
11249 /* translator: %s is a WAL record description */
11250 errcontext("WAL redo at %X/%X for %s",
11251 (uint32) (record->ReadRecPtr >> 32),
11252 (uint32) record->ReadRecPtr,
11259 * BackupInProgress: check if online backup mode is active
11261 * This is done by checking for existence of the "backup_label" file.
11264 BackupInProgress(void)
11266 struct stat stat_buf;
11268 return (stat(BACKUP_LABEL_FILE, &stat_buf) == 0);
11272 * CancelBackup: rename the "backup_label" and "tablespace_map"
11273 * files to cancel backup mode
11275 * If the "backup_label" file exists, it will be renamed to "backup_label.old".
11276 * Similarly, if the "tablespace_map" file exists, it will be renamed to
11277 * "tablespace_map.old".
11279 * Note that this will render an online backup in progress
11280 * useless. To correctly finish an online backup, pg_stop_backup must be
11286 struct stat stat_buf;
11288 /* if the backup_label file is not there, return */
11289 if (stat(BACKUP_LABEL_FILE, &stat_buf) < 0)
11292 /* remove leftover file from previously canceled backup if it exists */
11293 unlink(BACKUP_LABEL_OLD);
11295 if (durable_rename(BACKUP_LABEL_FILE, BACKUP_LABEL_OLD, DEBUG1) != 0)
11298 (errcode_for_file_access(),
11299 errmsg("online backup mode was not canceled"),
11300 errdetail("File \"%s\" could not be renamed to \"%s\": %m.",
11301 BACKUP_LABEL_FILE, BACKUP_LABEL_OLD)));
11305 /* if the tablespace_map file is not there, return */
11306 if (stat(TABLESPACE_MAP, &stat_buf) < 0)
11309 (errmsg("online backup mode canceled"),
11310 errdetail("File \"%s\" was renamed to \"%s\".",
11311 BACKUP_LABEL_FILE, BACKUP_LABEL_OLD)));
11315 /* remove leftover file from previously canceled backup if it exists */
11316 unlink(TABLESPACE_MAP_OLD);
11318 if (durable_rename(TABLESPACE_MAP, TABLESPACE_MAP_OLD, DEBUG1) == 0)
11321 (errmsg("online backup mode canceled"),
11322 errdetail("Files \"%s\" and \"%s\" were renamed to "
11323 "\"%s\" and \"%s\", respectively.",
11324 BACKUP_LABEL_FILE, TABLESPACE_MAP,
11325 BACKUP_LABEL_OLD, TABLESPACE_MAP_OLD)));
11330 (errcode_for_file_access(),
11331 errmsg("online backup mode canceled"),
11332 errdetail("File \"%s\" was renamed to \"%s\", but "
11333 "file \"%s\" could not be renamed to \"%s\": %m.",
11334 BACKUP_LABEL_FILE, BACKUP_LABEL_OLD,
11335 TABLESPACE_MAP, TABLESPACE_MAP_OLD)));
11340 * Read the XLOG page containing RecPtr into readBuf (if not read already).
11341 * Returns number of bytes read, if the page is read successfully, or -1
11342 * in case of errors. When errors occur, they are ereport'ed, but only
11343 * if they have not been previously reported.
11345 * This is responsible for restoring files from archive as needed, as well
11346 * as for waiting for the requested WAL record to arrive in standby mode.
11348 * 'emode' specifies the log level used for reporting "file not found" or
11349 * "end of WAL" situations in archive recovery, or in standby mode when a
11350 * trigger file is found. If set to WARNING or below, XLogPageRead() returns
11351 * false in those situations, on higher log levels the ereport() won't
11354 * In standby mode, if after a successful return of XLogPageRead() the
11355 * caller finds the record it's interested in to be broken, it should
11356 * ereport the error with the level determined by
11357 * emode_for_corrupt_record(), and then set lastSourceFailed
11358 * and call XLogPageRead() again with the same arguments. This lets
11359 * XLogPageRead() to try fetching the record from another source, or to
11363 XLogPageRead(XLogReaderState *xlogreader, XLogRecPtr targetPagePtr, int reqLen,
11364 XLogRecPtr targetRecPtr, char *readBuf, TimeLineID *readTLI)
11366 XLogPageReadPrivate *private =
11367 (XLogPageReadPrivate *) xlogreader->private_data;
11368 int emode = private->emode;
11369 uint32 targetPageOff;
11370 XLogSegNo targetSegNo PG_USED_FOR_ASSERTS_ONLY;
11372 XLByteToSeg(targetPagePtr, targetSegNo);
11373 targetPageOff = targetPagePtr % XLogSegSize;
11376 * See if we need to switch to a new segment because the requested record
11377 * is not in the currently open one.
11379 if (readFile >= 0 && !XLByteInSeg(targetPagePtr, readSegNo))
11382 * Request a restartpoint if we've replayed too much xlog since the
11385 if (bgwriterLaunched)
11387 if (XLogCheckpointNeeded(readSegNo))
11389 (void) GetRedoRecPtr();
11390 if (XLogCheckpointNeeded(readSegNo))
11391 RequestCheckpoint(CHECKPOINT_CAUSE_XLOG);
11400 XLByteToSeg(targetPagePtr, readSegNo);
11403 /* See if we need to retrieve more data */
11404 if (readFile < 0 ||
11405 (readSource == XLOG_FROM_STREAM &&
11406 receivedUpto < targetPagePtr + reqLen))
11408 if (!WaitForWALToBecomeAvailable(targetPagePtr + reqLen,
11409 private->randAccess,
11410 private->fetching_ckpt,
11424 * At this point, we have the right segment open and if we're streaming we
11425 * know the requested record is in it.
11427 Assert(readFile != -1);
11430 * If the current segment is being streamed from master, calculate how
11431 * much of the current page we have received already. We know the
11432 * requested record has been received, but this is for the benefit of
11433 * future calls, to allow quick exit at the top of this function.
11435 if (readSource == XLOG_FROM_STREAM)
11437 if (((targetPagePtr) / XLOG_BLCKSZ) != (receivedUpto / XLOG_BLCKSZ))
11438 readLen = XLOG_BLCKSZ;
11440 readLen = receivedUpto % XLogSegSize - targetPageOff;
11443 readLen = XLOG_BLCKSZ;
11445 /* Read the requested page */
11446 readOff = targetPageOff;
11447 if (lseek(readFile, (off_t) readOff, SEEK_SET) < 0)
11449 char fname[MAXFNAMELEN];
11451 XLogFileName(fname, curFileTLI, readSegNo);
11452 ereport(emode_for_corrupt_record(emode, targetPagePtr + reqLen),
11453 (errcode_for_file_access(),
11454 errmsg("could not seek in log segment %s to offset %u: %m",
11456 goto next_record_is_invalid;
11459 if (read(readFile, readBuf, XLOG_BLCKSZ) != XLOG_BLCKSZ)
11461 char fname[MAXFNAMELEN];
11463 XLogFileName(fname, curFileTLI, readSegNo);
11464 ereport(emode_for_corrupt_record(emode, targetPagePtr + reqLen),
11465 (errcode_for_file_access(),
11466 errmsg("could not read from log segment %s, offset %u: %m",
11468 goto next_record_is_invalid;
11471 Assert(targetSegNo == readSegNo);
11472 Assert(targetPageOff == readOff);
11473 Assert(reqLen <= readLen);
11475 *readTLI = curFileTLI;
11478 next_record_is_invalid:
11479 lastSourceFailed = true;
11487 /* In standby-mode, keep trying */
11495 * Open the WAL segment containing WAL position 'RecPtr'.
11497 * The segment can be fetched via restore_command, or via walreceiver having
11498 * streamed the record, or it can already be present in pg_wal. Checking
11499 * pg_wal is mainly for crash recovery, but it will be polled in standby mode
11500 * too, in case someone copies a new segment directly to pg_wal. That is not
11501 * documented or recommended, though.
11503 * If 'fetching_ckpt' is true, we're fetching a checkpoint record, and should
11504 * prepare to read WAL starting from RedoStartLSN after this.
11506 * 'RecPtr' might not point to the beginning of the record we're interested
11507 * in, it might also point to the page or segment header. In that case,
11508 * 'tliRecPtr' is the position of the WAL record we're interested in. It is
11509 * used to decide which timeline to stream the requested WAL from.
11511 * If the record is not immediately available, the function returns false
11512 * if we're not in standby mode. In standby mode, waits for it to become
11515 * When the requested record becomes available, the function opens the file
11516 * containing it (if not open already), and returns true. When end of standby
11517 * mode is triggered by the user, and there is no more WAL available, returns
11521 WaitForWALToBecomeAvailable(XLogRecPtr RecPtr, bool randAccess,
11522 bool fetching_ckpt, XLogRecPtr tliRecPtr)
11524 static TimestampTz last_fail_time = 0;
11528 * Standby mode is implemented by a state machine:
11530 * 1. Read from either archive or pg_wal (XLOG_FROM_ARCHIVE), or just
11531 * pg_wal (XLOG_FROM_PG_WAL)
11532 * 2. Check trigger file
11533 * 3. Read from primary server via walreceiver (XLOG_FROM_STREAM)
11534 * 4. Rescan timelines
11535 * 5. Sleep wal_retrieve_retry_interval milliseconds, and loop back to 1.
11537 * Failure to read from the current source advances the state machine to
11540 * 'currentSource' indicates the current state. There are no currentSource
11541 * values for "check trigger", "rescan timelines", and "sleep" states,
11542 * those actions are taken when reading from the previous source fails, as
11543 * part of advancing to the next state.
11546 if (!InArchiveRecovery)
11547 currentSource = XLOG_FROM_PG_WAL;
11548 else if (currentSource == 0)
11549 currentSource = XLOG_FROM_ARCHIVE;
11553 int oldSource = currentSource;
11556 * First check if we failed to read from the current source, and
11557 * advance the state machine if so. The failure to read might've
11558 * happened outside this function, e.g when a CRC check fails on a
11559 * record, or within this loop.
11561 if (lastSourceFailed)
11563 switch (currentSource)
11565 case XLOG_FROM_ARCHIVE:
11566 case XLOG_FROM_PG_WAL:
11569 * Check to see if the trigger file exists. Note that we
11570 * do this only after failure, so when you create the
11571 * trigger file, we still finish replaying as much as we
11572 * can from archive and pg_wal before failover.
11574 if (StandbyMode && CheckForStandbyTrigger())
11581 * Not in standby mode, and we've now tried the archive
11588 * If primary_conninfo is set, launch walreceiver to try
11589 * to stream the missing WAL.
11591 * If fetching_ckpt is TRUE, RecPtr points to the initial
11592 * checkpoint location. In that case, we use RedoStartLSN
11593 * as the streaming start position instead of RecPtr, so
11594 * that when we later jump backwards to start redo at
11595 * RedoStartLSN, we will have the logs streamed already.
11597 if (PrimaryConnInfo)
11604 ptr = RedoStartLSN;
11605 tli = ControlFile->checkPointCopy.ThisTimeLineID;
11610 tli = tliOfPointInHistory(tliRecPtr, expectedTLEs);
11612 if (curFileTLI > 0 && tli < curFileTLI)
11613 elog(ERROR, "according to history file, WAL location %X/%X belongs to timeline %u, but previous recovered WAL file came from timeline %u",
11614 (uint32) (ptr >> 32), (uint32) ptr,
11618 RequestXLogStreaming(tli, ptr, PrimaryConnInfo,
11624 * Move to XLOG_FROM_STREAM state in either case. We'll
11625 * get immediate failure if we didn't launch walreceiver,
11626 * and move on to the next state.
11628 currentSource = XLOG_FROM_STREAM;
11631 case XLOG_FROM_STREAM:
11634 * Failure while streaming. Most likely, we got here
11635 * because streaming replication was terminated, or
11636 * promotion was triggered. But we also get here if we
11637 * find an invalid record in the WAL streamed from master,
11638 * in which case something is seriously wrong. There's
11639 * little chance that the problem will just go away, but
11640 * PANIC is not good for availability either, especially
11641 * in hot standby mode. So, we treat that the same as
11642 * disconnection, and retry from archive/pg_wal again.
11643 * The WAL in the archive should be identical to what was
11644 * streamed, so it's unlikely that it helps, but one can
11649 * Before we leave XLOG_FROM_STREAM state, make sure that
11650 * walreceiver is not active, so that it won't overwrite
11651 * WAL that we restore from archive.
11653 if (WalRcvStreaming())
11657 * Before we sleep, re-scan for possible new timelines if
11658 * we were requested to recover to the latest timeline.
11660 if (recoveryTargetIsLatest)
11662 if (rescanLatestTimeLine())
11664 currentSource = XLOG_FROM_ARCHIVE;
11670 * XLOG_FROM_STREAM is the last state in our state
11671 * machine, so we've exhausted all the options for
11672 * obtaining the requested WAL. We're going to loop back
11673 * and retry from the archive, but if it hasn't been long
11674 * since last attempt, sleep wal_retrieve_retry_interval
11675 * milliseconds to avoid busy-waiting.
11677 now = GetCurrentTimestamp();
11678 if (!TimestampDifferenceExceeds(last_fail_time, now,
11679 wal_retrieve_retry_interval))
11685 TimestampDifference(last_fail_time, now, &secs, &usecs);
11686 wait_time = wal_retrieve_retry_interval -
11687 (secs * 1000 + usecs / 1000);
11689 WaitLatch(&XLogCtl->recoveryWakeupLatch,
11690 WL_LATCH_SET | WL_TIMEOUT | WL_POSTMASTER_DEATH,
11691 wait_time, WAIT_EVENT_RECOVERY_WAL_STREAM);
11692 ResetLatch(&XLogCtl->recoveryWakeupLatch);
11693 now = GetCurrentTimestamp();
11695 last_fail_time = now;
11696 currentSource = XLOG_FROM_ARCHIVE;
11700 elog(ERROR, "unexpected WAL source %d", currentSource);
11703 else if (currentSource == XLOG_FROM_PG_WAL)
11706 * We just successfully read a file in pg_wal. We prefer files in
11707 * the archive over ones in pg_wal, so try the next file again
11708 * from the archive first.
11710 if (InArchiveRecovery)
11711 currentSource = XLOG_FROM_ARCHIVE;
11714 if (currentSource != oldSource)
11715 elog(DEBUG2, "switched WAL source from %s to %s after %s",
11716 xlogSourceNames[oldSource], xlogSourceNames[currentSource],
11717 lastSourceFailed ? "failure" : "success");
11720 * We've now handled possible failure. Try to read from the chosen
11723 lastSourceFailed = false;
11725 switch (currentSource)
11727 case XLOG_FROM_ARCHIVE:
11728 case XLOG_FROM_PG_WAL:
11729 /* Close any old file we might have open. */
11735 /* Reset curFileTLI if random fetch. */
11740 * Try to restore the file from archive, or read an existing
11741 * file from pg_wal.
11743 readFile = XLogFileReadAnyTLI(readSegNo, DEBUG2,
11744 currentSource == XLOG_FROM_ARCHIVE ? XLOG_FROM_ANY :
11747 return true; /* success! */
11750 * Nope, not found in archive or pg_wal.
11752 lastSourceFailed = true;
11755 case XLOG_FROM_STREAM:
11760 * Check if WAL receiver is still active.
11762 if (!WalRcvStreaming())
11764 lastSourceFailed = true;
11769 * Walreceiver is active, so see if new data has arrived.
11771 * We only advance XLogReceiptTime when we obtain fresh
11772 * WAL from walreceiver and observe that we had already
11773 * processed everything before the most recent "chunk"
11774 * that it flushed to disk. In steady state where we are
11775 * keeping up with the incoming data, XLogReceiptTime will
11776 * be updated on each cycle. When we are behind,
11777 * XLogReceiptTime will not advance, so the grace time
11778 * allotted to conflicting queries will decrease.
11780 if (RecPtr < receivedUpto)
11784 XLogRecPtr latestChunkStart;
11786 receivedUpto = GetWalRcvWriteRecPtr(&latestChunkStart, &receiveTLI);
11787 if (RecPtr < receivedUpto && receiveTLI == curFileTLI)
11790 if (latestChunkStart <= RecPtr)
11792 XLogReceiptTime = GetCurrentTimestamp();
11793 SetCurrentChunkStartTime(XLogReceiptTime);
11802 * Great, streamed far enough. Open the file if it's
11803 * not open already. Also read the timeline history
11804 * file if we haven't initialized timeline history
11805 * yet; it should be streamed over and present in
11806 * pg_wal by now. Use XLOG_FROM_STREAM so that
11807 * source info is set correctly and XLogReceiptTime
11813 expectedTLEs = readTimeLineHistory(receiveTLI);
11814 readFile = XLogFileRead(readSegNo, PANIC,
11816 XLOG_FROM_STREAM, false);
11817 Assert(readFile >= 0);
11821 /* just make sure source info is correct... */
11822 readSource = XLOG_FROM_STREAM;
11823 XLogReceiptSource = XLOG_FROM_STREAM;
11830 * Data not here yet. Check for trigger, then wait for
11831 * walreceiver to wake us up when new WAL arrives.
11833 if (CheckForStandbyTrigger())
11836 * Note that we don't "return false" immediately here.
11837 * After being triggered, we still want to replay all
11838 * the WAL that was already streamed. It's in pg_wal
11839 * now, so we just treat this as a failure, and the
11840 * state machine will move on to replay the streamed
11841 * WAL from pg_wal, and then recheck the trigger and
11844 lastSourceFailed = true;
11849 * Wait for more WAL to arrive. Time out after 5 seconds
11850 * to react to a trigger file promptly.
11852 WaitLatch(&XLogCtl->recoveryWakeupLatch,
11853 WL_LATCH_SET | WL_TIMEOUT | WL_POSTMASTER_DEATH,
11854 5000L, WAIT_EVENT_RECOVERY_WAL_ALL);
11855 ResetLatch(&XLogCtl->recoveryWakeupLatch);
11860 elog(ERROR, "unexpected WAL source %d", currentSource);
11864 * This possibly-long loop needs to handle interrupts of startup
11867 HandleStartupProcInterrupts();
11870 return false; /* not reached */
11874 * Determine what log level should be used to report a corrupt WAL record
11875 * in the current WAL page, previously read by XLogPageRead().
11877 * 'emode' is the error mode that would be used to report a file-not-found
11878 * or legitimate end-of-WAL situation. Generally, we use it as-is, but if
11879 * we're retrying the exact same record that we've tried previously, only
11880 * complain the first time to keep the noise down. However, we only do when
11881 * reading from pg_wal, because we don't expect any invalid records in archive
11882 * or in records streamed from master. Files in the archive should be complete,
11883 * and we should never hit the end of WAL because we stop and wait for more WAL
11884 * to arrive before replaying it.
11886 * NOTE: This function remembers the RecPtr value it was last called with,
11887 * to suppress repeated messages about the same record. Only call this when
11888 * you are about to ereport(), or you might cause a later message to be
11889 * erroneously suppressed.
11892 emode_for_corrupt_record(int emode, XLogRecPtr RecPtr)
11894 static XLogRecPtr lastComplaint = 0;
11896 if (readSource == XLOG_FROM_PG_WAL && emode == LOG)
11898 if (RecPtr == lastComplaint)
11901 lastComplaint = RecPtr;
11907 * Check to see whether the user-specified trigger file exists and whether a
11908 * promote request has arrived. If either condition holds, return true.
11911 CheckForStandbyTrigger(void)
11913 struct stat stat_buf;
11914 static bool triggered = false;
11919 if (IsPromoteTriggered())
11922 * In 9.1 and 9.2 the postmaster unlinked the promote file inside the
11923 * signal handler. It now leaves the file in place and lets the
11924 * Startup process do the unlink. This allows Startup to know whether
11925 * it should create a full checkpoint before starting up (fallback
11926 * mode). Fast promotion takes precedence.
11928 if (stat(PROMOTE_SIGNAL_FILE, &stat_buf) == 0)
11930 unlink(PROMOTE_SIGNAL_FILE);
11931 unlink(FALLBACK_PROMOTE_SIGNAL_FILE);
11932 fast_promote = true;
11934 else if (stat(FALLBACK_PROMOTE_SIGNAL_FILE, &stat_buf) == 0)
11936 unlink(FALLBACK_PROMOTE_SIGNAL_FILE);
11937 fast_promote = false;
11940 ereport(LOG, (errmsg("received promote request")));
11942 ResetPromoteTriggered();
11947 if (TriggerFile == NULL)
11950 if (stat(TriggerFile, &stat_buf) == 0)
11953 (errmsg("trigger file found: %s", TriggerFile)));
11954 unlink(TriggerFile);
11956 fast_promote = true;
11959 else if (errno != ENOENT)
11961 (errcode_for_file_access(),
11962 errmsg("could not stat trigger file \"%s\": %m",
11969 * Remove the files signaling a standby promotion request.
11972 RemovePromoteSignalFiles(void)
11974 unlink(PROMOTE_SIGNAL_FILE);
11975 unlink(FALLBACK_PROMOTE_SIGNAL_FILE);
11979 * Check to see if a promote request has arrived. Should be
11980 * called by postmaster after receiving SIGUSR1.
11983 CheckPromoteSignal(void)
11985 struct stat stat_buf;
11987 if (stat(PROMOTE_SIGNAL_FILE, &stat_buf) == 0 ||
11988 stat(FALLBACK_PROMOTE_SIGNAL_FILE, &stat_buf) == 0)
11995 * Wake up startup process to replay newly arrived WAL, or to notice that
11996 * failover has been requested.
11999 WakeupRecovery(void)
12001 SetLatch(&XLogCtl->recoveryWakeupLatch);
12005 * Update the WalWriterSleeping flag.
12008 SetWalWriterSleeping(bool sleeping)
12010 SpinLockAcquire(&XLogCtl->info_lck);
12011 XLogCtl->WalWriterSleeping = sleeping;
12012 SpinLockRelease(&XLogCtl->info_lck);
12016 * Schedule a walreceiver wakeup in the main recovery loop.
12019 XLogRequestWalReceiverReply(void)
12021 doRequestWalReceiverReply = true;