Simon Riggs [Mon, 19 Apr 2010 18:03:38 +0000 (18:03 +0000)]
Check RecoveryInProgress() while holding ProcArrayLock during snapshots.
This prevents a rare, yet possible race condition at the exact moment
of transition from recovery to normal running.
Tom Lane [Mon, 19 Apr 2010 17:54:48 +0000 (17:54 +0000)]
Fix uninitialized local variables. Not sure why gcc doesn't complain about
these --- maybe because they're effectively unused? MSVC does complain though,
per buildfarm.
Magnus Hagander [Mon, 19 Apr 2010 14:10:45 +0000 (14:10 +0000)]
Add wrapper function libpqrcv_PQexec() in the walreceiver that uses async
libpq to send queries, making the waiting for responses interruptible on
platforms where PQexec() can't normally be interrupted by signals, such
as win32.
Robert Haas [Mon, 19 Apr 2010 00:55:26 +0000 (00:55 +0000)]
Add an 'enable_material' GUC.
The logic for determining whether to materialize has been significantly
overhauled for 9.0. In case there should be any doubt about whether
materialization is a win in any particular case, this should provide a
convenient way of seeing what happens without it; but even with enable_material
turned off, we still materialize in cases where it is required for
correctness.
Simon Riggs [Sun, 18 Apr 2010 18:44:53 +0000 (18:44 +0000)]
Improve sequence and sense of messages from pg_stop_backup().
Now doesn't report it is waiting until it actually is waiting,
plus message doesn't appear until at least 5 seconds wait, so
we avoid reporting the wait before we've given the archiver
a reasonable time to wake up and archive the file we just
created earlier in the function.
Also add new unconditional message to confirm safe completion.
Now a normal, healthy execution does not report waiting at
all, just safe completion.
Simon Riggs [Sun, 18 Apr 2010 18:06:07 +0000 (18:06 +0000)]
Tune GetSnapshotData() during Hot Standby by avoiding loop
through normal backends. Makes code clearer also, since we
avoid various Assert()s. Performance of snapshots taken
during recovery no longer depends upon number of read-only
backends.
On Windows, syslogger runs in two threads. The main thread processes config
reload and rotation signals, and a helper thread reads messages from the
pipe and writes them to the log file. However, server code isn't generally
thread-safe, so if both try to do e.g palloc()/pfree() at the same time,
bad things will happen. To fix that, use a critical section (which is like
a mutex) to enforce that only one the threads are active at a time.
In standby mode, suppress repeated LOG messages about a corrupt record,
which just indicates that we've reached the end of valid WAL found in
the standby.
Tom Lane [Wed, 14 Apr 2010 23:52:10 +0000 (23:52 +0000)]
Fix plpgsql's exec_eval_expr() to ensure it returns a sane type OID
even when the expression is a query that returns no rows.
So far as I can tell, the only caller that actually fails when a garbage
OID is returned is exec_stmt_case(), which is new in 8.4 --- in all other
cases, we might make a useless trip through casting logic, but we won't
fail since the isnull flag will be set. Hence, backpatch only to 8.4,
just in case there are apps out there that aren't expecting an error to
be thrown if the query returns more or less than one column. (Which seems
unlikely, since the error would be thrown if the query ever did return a
row; but it's possible there's some never-exercised code out there.)
Tom Lane [Wed, 14 Apr 2010 21:31:11 +0000 (21:31 +0000)]
Fix a problem introduced by my patch of 2010-01-12 that revised the way
relcache reload works. In the patched code, a relcache entry in process of
being rebuilt doesn't get unhooked from the relcache hash table; which means
that if a cache flush occurs due to sinval queue overrun while we're
rebuilding it, the entry could get blown away by RelationCacheInvalidate,
resulting in crash or misbehavior. Fix by ensuring that an entry being
rebuilt has positive refcount, so it won't be seen as a target for removal
if a cache flush occurs. (This will mean that the entry gets rebuilt twice
in such a scenario, but that's okay.) It appears that the problem can only
arise within a transaction that has previously reassigned the relfilenode of
a pre-existing table, via TRUNCATE or a similar operation. Per bug #5412
from Rusty Conover.
Back-patch to 8.2, same as the patch that introduced the problem.
I think that the failure can't actually occur in 8.2, since it lacks the
rd_newRelfilenodeSubid optimization, but let's make it work like the later
branches anyway.
Magnus Hagander [Tue, 13 Apr 2010 08:16:09 +0000 (08:16 +0000)]
Only try to do a graceful disconnect if we've successfully loaded the
shared library with the disconnect function in it. Fixes segmentation
fault reported by Jeff Davis.
Update the location of last removed WAL segment in shared memory only
after actually removing one, so that if we can't remove segments because
WAL archiving is lagging behind, we don't unnecessarily forbid streaming
the old not-yet-archived segments that are still perfectly valid. Per
suggestion from Fujii Masao.
Change the logic to decide when to delete old WAL segments, so that it
doesn't take into account how far the WAL senders are. This way a hung
WAL sender doesn't prevent old WAL segments from being recycled/removed
in the primary, ultimately causing the disk to fill up. Instead add
standby_keep_segments setting to control how many old WAL segments are
kept in the primary. This also makes it more reliable to use streaming
replication without WAL archiving, assuming that you set
standby_keep_segments high enough.
Magnus Hagander [Thu, 8 Apr 2010 11:25:58 +0000 (11:25 +0000)]
Proceed to look for the next timezone when matching a localized
Windows timezone name where the information in the registry is
incomplete, instead of aborting.
This fixes cases when the registry information is incomplete for
a timezone that is alphabetically before the one that is in use.
Robert Haas [Thu, 8 Apr 2010 01:39:37 +0000 (01:39 +0000)]
Make smart shutdown work in combination with Hot Standby/Streaming Replication.
At present, killing the startup process does not release any locks it holds,
so we must wait to stop the startup and walreceiver processes until all
read-only backends have exited. Without this patch, the startup and
walreceiver processes never exit, so the server gets permanently stuck in
a half-shutdown state.
Fujii Masao, with review, docs, and comment adjustments by me.
Tom Lane [Wed, 7 Apr 2010 21:41:53 +0000 (21:41 +0000)]
Fix to_char YYY, YY, Y format codes so that FM zero-suppression really works,
rather than only sort-of working as the previous attempt had left it.
Clean up some unnecessary differences between the way these were coded and
the way the YYYY case was coded. Update the regression test cases that
proved that it wasn't working.
Allow quotes to be escaped in recovery.conf, by doubling them. This patch
also makes the parsing a little bit stricter, rejecting garbage after the
parameter value and values with missing ending quotes, for example.
Forbid using pg_xlogfile_name() and pg_xlogfile_name_offset() during
recovery. We might want to relax this in the future, but ThisTimeLineID
isn't currently correct in backends during recovery, so the filename
returned was wrong.
Magnus Hagander [Tue, 6 Apr 2010 20:35:11 +0000 (20:35 +0000)]
Log the actual timezone name that we fail to look up the values for in
case the registry data doesn't follow the format we expect, to facilitate
debugging.
Add missing completions for:
- ALTER SEQUENCE name OWNER TO
- ALTER TYPE name RENAME TO
- ALTER VIEW name ALTER COLUMN
- ALTER VIEW name OWNER TO
- ALTER VIEW name SET SCHEMA
Fix wrong completions for:
- ALTER FUNCTION/AGGREGATE name (arguments) ...
"(arguments)" has been ignored.
- ALTER ... SET SCHEMA
"SCHEMA" has been considered as a variable name.
Andrew Dunstan [Mon, 5 Apr 2010 03:09:09 +0000 (03:09 +0000)]
Exclude unwanted typedef symbols in pgindent, including FD_SET which is found on some Windows platforms. Also, silence unnecessary messages and make awk happier about literal '*' on some platforms.
Tom Lane [Mon, 5 Apr 2010 01:58:03 +0000 (01:58 +0000)]
Arrange to remove pg_default_acl entries completely if their ACL setting
is changed to match the hard-wired default. This avoids accumulating useless
catalog entries, and also provides a path for dropping the owning role without
using DROP OWNED BY. Per yesterday's complaint from Jaime Casanova, the
need to use DROP OWNED BY for that is less than obvious, so providing this
alternative method might save some user frustration.
Tom Lane [Mon, 5 Apr 2010 01:09:53 +0000 (01:09 +0000)]
Fix updateAclDependencies() to not assume that ACL role dependencies can only
be added during GRANT and can only be removed during REVOKE; and fix its
callers to not lie to it about the existing set of dependencies when
instantiating a formerly-default ACL. The previous coding accidentally failed
to malfunction so long as default ACLs contain only references to the object's
owning role, because that role is ignored by updateAclDependencies. However
this is obviously pretty fragile, as well as being an undocumented assumption.
The new coding is a few lines longer but IMO much clearer.
Tom Lane [Sat, 3 Apr 2010 20:55:57 +0000 (20:55 +0000)]
\ddp should be recognized as such even if user appends S or + to it.
Those options do nothing right now, but might be wanted later, and in
any case it's confusing for the command to be interpreted as \dd if
anything is appended. Per Jaime Casanova.
Remove unnecessary xref endterm attributes and title ids
The endterm attribute is mainly useful when the toolchain does not support
automatic link target text generation for a particular situation. In the
past, this was required by the man page tools for all reference page links,
but that is no longer the case, and it now actually gets in the way of
proper automatic link text generation. The only remaining use cases are
currently xrefs to refsects.
Simon Riggs [Fri, 2 Apr 2010 13:10:56 +0000 (13:10 +0000)]
Move system startup message prior to any calls out of data directory.
This allows us to see what mode the server is in before it starts to
perform actions that can block or hang. Otherwise server messages
may not appear until after messages that say FATAL the database
server is starting up.
Michael Meskes [Fri, 2 Apr 2010 10:27:45 +0000 (10:27 +0000)]
FATAL errors are meant to stop ecpg immediately, e.g. because the syntax is
corrupted. This error, however, does is not a compilation problem but a runtime
one, so we can keep compiling but still have to declare ERROR.
Don't pass an invalid file handle to dup2(). That causes a crash on
Windows, thanks to a feature in CRT called Parameter Validation.
Backpatch to 8.2, which is the oldest version supported on Windows. In
8.2 and 8.3 also backpatch the earlier change to use DEVNULL instead of
NULL_DEV #define for a /dev/null-like device. NULL_DEV was hard-coded to
"/dev/null" regardless of platform, which didn't work on Windows, while
DEVNULL works on all platforms. Restarting syslogger didn't work on
Windows on versions 8.3 and below because of that.
Andrew Dunstan [Thu, 1 Apr 2010 14:44:39 +0000 (14:44 +0000)]
Use a file of patterns of filenames to exclude from pgindent runs, instead if using multiple invocations of egrep. Add perl ppport.h to the current list.
Michael Meskes [Thu, 1 Apr 2010 10:30:53 +0000 (10:30 +0000)]
Zoltan beautified his hidden-variable-patch for ecpg. This also makes sure we get an error message instead of a warning if the variable have different types.
Robert Haas [Thu, 1 Apr 2010 00:43:29 +0000 (00:43 +0000)]
Refer to max_wal_senders in a more consistent fashion.
The error message now makes explicit reference to the GUC that must be changed
to fix the problem, using wording suggested by Tom Lane. Along the way,
rename the GUC from MaxWalSenders to max_wal_senders for consistency and
grep-ability.
Enhance documentation of the build-in standby mode, explaining the retry
loop in standby mode, trying to restore from archive, pg_xlog and
streaming.
Move sections around to make the high availability chapter more
coherent: the most prominent part is now a "Log-Shipping Standby Servers"
section that describes what a standby server is (like the old
"Warm Standby Servers for High Availability" section), and how to
set up a warm standby server, including streaming replication, using the
built-in standby mode. The pg_standby method is desribed in another
section called "Alternative method for log shipping", with the added
caveat that it doesn't work with streaming replication.
Tom Lane [Tue, 30 Mar 2010 21:58:11 +0000 (21:58 +0000)]
Fix "constraint_exclusion = partition" logic so that it will also attempt
constraint exclusion on an inheritance set that is the target of an UPDATE
or DELETE query. Per gripe from Marc Cousin. Back-patch to 8.4 where
the feature was introduced.
Change the retry-loop in standby mode to also try restoring files from
pg_xlog directory. This is essential for replaying WAL records that
were streamed from the master, after a standby server restart.
If a corrupt record is seen in a file restored from the archive or
streamed from the master, log it as a WARNING and keep retrying. If the
corruption is permanent, and not just a glitch in the whatever copies the
files to the archive or a network error not caught by CRC checks in TCP
for example, we will keep retrying and logging the WARNING indefinitely.
But that's better than shutting down completely, the standby is still
useful for running read-only queries. In PITR the recovery ends at such a
corrupt record, which is a bit questionable, but that's the behavior we
had in previous releases and we don't feel like chaning it now. It does
make sense for tools like pg_standby.