| blob | f43229dfda610b0f3e0001944567bcc9d09d15b4 |
1 /*-------------------------------------------------------------------------
2 *
3 * standby.c
4 * Misc functions used in Hot Standby mode.
5 *
6 * All functions for handling RM_STANDBY_ID, which relate to
7 * AccessExclusiveLocks and starting snapshots for Hot Standby mode.
8 * Plus conflict recovery processing.
9 *
10 * Portions Copyright (c) 1996-2022, PostgreSQL Global Development Group
11 * Portions Copyright (c) 1994, Regents of the University of California
12 *
13 * IDENTIFICATION
14 * src/backend/storage/ipc/standby.c
15 *
16 *-------------------------------------------------------------------------
17 */
39 /* User-settable GUC parameters */
45 /*
46 * Keep track of all the exclusive locks owned by original transactions.
47 * For each known exclusive lock, there is a RecoveryLockEntry in the
48 * RecoveryLockHash hash table. All RecoveryLockEntrys belonging to a
49 * given XID are chained together so that we can find them easily.
50 * For each original transaction that is known to have any such locks,
51 * there is a RecoveryLockXidEntry in the RecoveryLockXidHash hash table,
52 * which stores the head of the chain of its locks.
53 */
55 {
61 {
69 /* Flags set by timeout handlers */
75 ProcSignalReason reason,
76 uint32 wait_event_info,
83 /*
84 * InitRecoveryTransactionEnvironment
85 * Initialize tracking of our primary's in-progress transactions.
86 *
87 * We need to issue shared invalidations and hold locks. Holding locks
88 * means others may want to wait on us, so we need to make a lock table
89 * vxact entry like a real transaction. We could create and delete
90 * lock table entries for each transaction but its simpler just to create
91 * one permanent entry and leave it there all the time. Locks are then
92 * acquired and released as needed. Yes, this means you can see the
93 * Startup process in pg_locks once we have run this.
94 */
95 void
97 {
98 VirtualTransactionId vxid;
99 HASHCTL hash_ctl;
103 /*
104 * Initialize the hash tables for tracking the locks held by each
105 * transaction.
106 */
120 /*
121 * Initialize shared invalidation management for Startup process, being
122 * careful to register ourselves as a sendOnly process so we don't need to
123 * read messages, nor will we get signaled when the queue starts filling
124 * up.
125 */
128 /*
129 * Lock a virtual transaction id for Startup process.
130 *
131 * We need to do GetNextLocalTransactionId() because
132 * SharedInvalBackendInit() leaves localTransactionId invalid and the lock
133 * manager doesn't like that at all.
134 *
135 * Note that we don't need to run XactLockTableInsert() because nobody
136 * needs to wait on xids. That sounds a little strange, but table locks
137 * are held by vxids and row level locks are held by xids. All queries
138 * hold AccessShareLocks so never block while we write or lock new rows.
139 */
145 }
147 /*
148 * ShutdownRecoveryTransactionEnvironment
149 * Shut down transaction tracking
150 *
151 * Prepare to switch from hot standby mode to normal operation. Shut down
152 * recovery-time transaction tracking.
153 *
154 * This must be called even in shutdown of startup process if transaction
155 * tracking has been initialized. Otherwise some locks the tracked
156 * transactions were holding will not be released and may interfere with
157 * the processes still running (but will exit soon later) at the exit of
158 * startup process.
159 */
160 void
162 {
163 /*
164 * Do nothing if RecoveryLockHash is NULL because that means that
165 * transaction tracking has not yet been initialized or has already been
166 * shut down. This makes it safe to have possibly-redundant calls of this
167 * function during process exit.
168 */
172 /* Mark all tracked in-progress transactions as finished. */
175 /* Release all locks the tracked transactions were holding */
178 /* Destroy the lock hash tables. */
184 /* Cleanup our VirtualTransaction */
186 }
189 /*
190 * -----------------------------------------------------
191 * Standby wait timers and backend cancel logic
192 * -----------------------------------------------------
193 */
195 /*
196 * Determine the cutoff time at which we want to start canceling conflicting
197 * transactions. Returns zero (a time safely in the past) if we are willing
198 * to wait forever.
199 */
200 static TimestampTz
202 {
203 TimestampTz rtime;
206 /*
207 * The cutoff time is the last WAL data receipt time plus the appropriate
208 * delay variable. Delay of -1 means wait forever.
209 */
212 {
216 }
217 else
218 {
222 }
223 }
225 #define STANDBY_INITIAL_WAIT_US 1000
228 /*
229 * Standby wait logic for ResolveRecoveryConflictWithVirtualXIDs.
230 * We wait here for a while then return. If we decide we can't wait any
231 * more then we return true, if we can wait some more return false.
232 */
233 static bool
235 {
236 TimestampTz ltime;
240 /* Are we past the limit time? */
245 /*
246 * Sleep a bit (this is essential to avoid busy-waiting).
247 */
252 /*
253 * Progressively increase the sleep times, but not to more than 1s, since
254 * pg_usleep isn't interruptible on some platforms.
255 */
261 }
263 /*
264 * Log the recovery conflict.
265 *
266 * wait_start is the timestamp when the caller started to wait.
267 * now is the timestamp when this function has been called.
268 * wait_list is the list of virtual transaction ids assigned to
269 * conflicting processes. still_waiting indicates whether
270 * the startup process is still waiting for the recovery conflict
271 * to be resolved or not.
272 */
273 void
277 {
281 StringInfoData buf;
284 /*
285 * There must be no conflicting processes when the recovery conflict has
286 * already been resolved.
287 */
295 {
298 /* Construct a string of list of the conflicting processes */
301 {
304 /* proc can be NULL if the target backend is not active */
306 {
308 {
311 }
312 else
315 nprocs++;
316 }
318 vxids++;
319 }
320 }
322 /*
323 * If wait_list is specified, report the list of PIDs of active
324 * conflicting backends in a detail message. Note that if all the backends
325 * in the list are not active, no detail message is logged.
326 */
328 {
335 }
336 else
337 {
341 }
345 }
347 /*
348 * This is the main executioner for any query backend that conflicts with
349 * recovery processing. Judgement has already been passed on it within
350 * a specific rmgr. Here we just issue the orders to the procs. The procs
351 * then throw the required error as instructed.
352 *
353 * If report_waiting is true, "waiting" is reported in PS display and the
354 * wait for recovery conflict is reported in the log, if necessary. If
355 * the caller is responsible for reporting them, report_waiting should be
356 * false. Otherwise, both the caller and this function report the same
357 * thing unexpectedly.
358 */
359 static void
363 {
368 /* Fast exit, to avoid a kernel call if there's no work to be done. */
372 /* Set the wait start timestamp for reporting */
377 {
378 /* reset standbyWait_us for each xact we wait for */
381 /* wait until the virtual xid is gone */
383 {
384 /* Is it time to kill it? */
386 {
387 pid_t pid;
389 /*
390 * Now find out who to throw out of the balloon.
391 */
395 /*
396 * Wait a little bit for it to die so that we avoid flooding
397 * an unresponsive backend when system is heavily loaded.
398 */
401 }
404 {
412 /* Get the current timestamp if not report yet */
416 /*
417 * Report via ps if we have been waiting for more than 500
418 * msec (should that be configurable?)
419 */
422 {
432 }
434 /*
435 * Emit the log message if the startup process is waiting
436 * longer than deadlock_timeout for recovery conflict.
437 */
440 {
443 }
444 }
445 }
447 /* The virtual transaction is gone now, wait for the next one */
448 waitlist++;
449 }
451 /*
452 * Emit the log message if recovery conflict was resolved but the startup
453 * process waited longer than deadlock_timeout for it.
454 */
459 /* Reset ps display if we changed it */
461 {
464 }
465 }
467 /*
468 * Generate whatever recovery conflicts are needed to eliminate snapshots that
469 * might see XIDs <= snapshotConflictHorizon as still running.
470 *
471 * snapshotConflictHorizon cutoffs are our standard approach to generating
472 * granular recovery conflicts. Note that InvalidTransactionId values are
473 * interpreted as "definitely don't need any conflicts" here, which is a
474 * general convention that WAL records can (and often do) depend on.
475 */
476 void
478 RelFileLocator locator)
479 {
482 /*
483 * If we get passed InvalidTransactionId then we do nothing (no conflict).
484 *
485 * This can happen when replaying already-applied WAL records after a
486 * standby crash or restart, or when replaying an XLOG_HEAP2_VISIBLE
487 * record that marks as frozen a page which was already all-visible. It's
488 * also quite common with records generated during index deletion
489 * (original execution of the deletion can reason that a recovery conflict
490 * which is sufficient for the deletion operation must take place before
491 * replay of the deletion record itself).
492 */
499 PROCSIG_RECOVERY_CONFLICT_SNAPSHOT,
500 WAIT_EVENT_RECOVERY_CONFLICT_SNAPSHOT,
502 }
504 /*
505 * Variant of ResolveRecoveryConflictWithSnapshot that works with
506 * FullTransactionId values
507 */
508 void
510 RelFileLocator locator)
511 {
512 /*
513 * ResolveRecoveryConflictWithSnapshot operates on 32-bit TransactionIds,
514 * so truncate the logged FullTransactionId. If the logged value is very
515 * old, so that XID wrap-around already happened on it, there can't be any
516 * snapshots that still see it.
517 */
519 uint64 diff;
524 {
525 TransactionId truncated;
529 }
530 }
532 void
534 {
537 /*
538 * Standby users may be currently using this tablespace for their
539 * temporary files. We only care about current users because
540 * temp_tablespace parameter will just ignore tablespaces that no longer
541 * exist.
542 *
543 * Ask everybody to cancel their queries immediately so we can ensure no
544 * temp files remain and we can remove the tablespace. Nuke the entire
545 * site from orbit, it's the only way to be sure.
546 *
547 * XXX: We could work out the pids of active backends using this
548 * tablespace by examining the temp filenames in the directory. We would
549 * then convert the pids into VirtualXIDs before attempting to cancel
550 * them.
551 *
552 * We don't wait for commit because drop tablespace is non-transactional.
553 */
555 InvalidOid);
557 PROCSIG_RECOVERY_CONFLICT_TABLESPACE,
558 WAIT_EVENT_RECOVERY_CONFLICT_TABLESPACE,
560 }
562 void
564 {
565 /*
566 * We don't do ResolveRecoveryConflictWithVirtualXIDs() here since that
567 * only waits for transactions and completely idle sessions would block
568 * us. This is rare enough that we do this as simply as possible: no wait,
569 * just force them off immediately.
570 *
571 * No locking is required here because we already acquired
572 * AccessExclusiveLock. Anybody trying to connect while we do this will
573 * block during InitPostgres() and then disconnect when they see the
574 * database has been removed.
575 */
577 {
580 /*
581 * Wait awhile for them to die so that we avoid flooding an
582 * unresponsive backend when system is heavily loaded.
583 */
585 }
586 }
588 /*
589 * ResolveRecoveryConflictWithLock is called from ProcSleep()
590 * to resolve conflicts with other backends holding relation locks.
591 *
592 * The WaitLatch sleep normally done in ProcSleep()
593 * (when not InHotStandby) is performed here, for code clarity.
594 *
595 * We either resolve conflicts immediately or set a timeout to wake us at
596 * the limit of our patience.
597 *
598 * Resolve conflicts by canceling to all backends holding a conflicting
599 * lock. As we are already queued to be granted the lock, no new lock
600 * requests conflicting with ours will be granted in the meantime.
601 *
602 * We also must check for deadlocks involving the Startup process and
603 * hot-standby backend processes. If deadlock_timeout is reached in
604 * this function, all the backends holding the conflicting locks are
605 * requested to check themselves for deadlocks.
606 *
607 * logging_conflict should be true if the recovery conflict has not been
608 * logged yet even though logging is enabled. After deadlock_timeout is
609 * reached and the request for deadlock check is sent, we wait again to
610 * be signaled by the release of the lock if logging_conflict is false.
611 * Otherwise we return without waiting again so that the caller can report
612 * the recovery conflict. In this case, then, this function is called again
613 * with logging_conflict=false (because the recovery conflict has already
614 * been logged) and we will wait again for the lock to be released.
615 */
616 void
618 {
619 TimestampTz ltime;
620 TimestampTz now;
627 /*
628 * Update waitStart if first time through after the startup process
629 * started waiting for the lock. It should not be updated every time
630 * ResolveRecoveryConflictWithLock() is called during the wait.
631 *
632 * Use the current time obtained for comparison with ltime as waitStart
633 * (i.e., the time when this process started waiting for the lock). Since
634 * getting the current time newly can cause overhead, we reuse the
635 * already-obtained time to avoid that overhead.
636 *
637 * Note that waitStart is updated without holding the lock table's
638 * partition lock, to avoid the overhead by additional lock acquisition.
639 * This can cause "waitstart" in pg_locks to become NULL for a very short
640 * period of time after the wait started even though "granted" is false.
641 * This is OK in practice because we can assume that users are likely to
642 * look at "waitstart" when waiting for the lock for a long time.
643 */
648 {
649 /*
650 * We're already behind, so clear a path as quickly as possible.
651 */
656 /*
657 * Prevent ResolveRecoveryConflictWithVirtualXIDs() from reporting
658 * "waiting" in PS display by disabling its argument report_waiting
659 * because the caller, WaitOnLock(), has already reported that.
660 */
662 PROCSIG_RECOVERY_CONFLICT_LOCK,
665 }
666 else
667 {
668 /*
669 * Wait (or wait again) until ltime, and check for deadlocks as well
670 * if we will be waiting longer than deadlock_timeout
671 */
676 {
681 cnt++;
682 }
688 cnt++;
691 }
693 /* Wait to be signaled by the release of the Relation Lock */
696 /*
697 * Exit if ltime is reached. Then all the backends holding conflicting
698 * locks will be canceled in the next ResolveRecoveryConflictWithLock()
699 * call.
700 */
705 {
710 /* Quick exit if there's no work to be done */
714 /*
715 * Send signals to all the backends holding the conflicting locks, to
716 * ask them to check themselves for deadlocks.
717 */
719 {
721 PROCSIG_RECOVERY_CONFLICT_STARTUP_DEADLOCK,
723 backends++;
724 }
726 /*
727 * Exit if the recovery conflict has not been logged yet even though
728 * logging is enabled, so that the caller can log that. Then
729 * RecoveryConflictWithLock() is called again and we will wait again
730 * for the lock to be released.
731 */
735 /*
736 * Wait again here to be signaled by the release of the Relation Lock,
737 * to prevent the subsequent RecoveryConflictWithLock() from causing
738 * deadlock_timeout and sending a request for deadlocks check again.
739 * Otherwise the request continues to be sent every deadlock_timeout
740 * until the relation locks are released or ltime is reached.
741 */
744 }
746 cleanup:
748 /*
749 * Clear any timeout requests established above. We assume here that the
750 * Startup process doesn't have any other outstanding timeouts than those
751 * used by this function. If that stops being true, we could cancel the
752 * timeouts individually, but that'd be slower.
753 */
757 }
759 /*
760 * ResolveRecoveryConflictWithBufferPin is called from LockBufferForCleanup()
761 * to resolve conflicts with other backends holding buffer pins.
762 *
763 * The ProcWaitForSignal() sleep normally done in LockBufferForCleanup()
764 * (when not InHotStandby) is performed here, for code clarity.
765 *
766 * We either resolve conflicts immediately or set a timeout to wake us at
767 * the limit of our patience.
768 *
769 * Resolve conflicts by sending a PROCSIG signal to all backends to check if
770 * they hold one of the buffer pins that is blocking Startup process. If so,
771 * those backends will take an appropriate error action, ERROR or FATAL.
772 *
773 * We also must check for deadlocks. Deadlocks occur because if queries
774 * wait on a lock, that must be behind an AccessExclusiveLock, which can only
775 * be cleared if the Startup process replays a transaction completion record.
776 * If Startup process is also waiting then that is a deadlock. The deadlock
777 * can occur if the query is waiting and then the Startup sleeps, or if
778 * Startup is sleeping and the query waits on a lock. We protect against
779 * only the former sequence here, the latter sequence is checked prior to
780 * the query sleeping, in CheckRecoveryConflictDeadlock().
781 *
782 * Deadlocks are extremely rare, and relatively expensive to check for,
783 * so we don't do a deadlock check right away ... only if we have had to wait
784 * at least deadlock_timeout.
785 */
786 void
788 {
789 TimestampTz ltime;
796 {
797 /*
798 * We're already behind, so clear a path as quickly as possible.
799 */
801 }
802 else
803 {
804 /*
805 * Wake up at ltime, and check for deadlocks as well if we will be
806 * waiting longer than deadlock_timeout
807 */
812 {
816 cnt++;
817 }
823 cnt++;
826 }
828 /*
829 * Wait to be signaled by UnpinBuffer() or for the wait to be interrupted
830 * by one of the timeouts established above.
831 *
832 * We assume that only UnpinBuffer() and the timeout requests established
833 * above can wake us up here. WakeupRecovery() called by walreceiver or
834 * SIGHUP signal handler, etc cannot do that because it uses the different
835 * latch from that ProcWaitForSignal() waits on.
836 */
842 {
843 /*
844 * Send out a request for hot-standby backends to check themselves for
845 * deadlocks.
846 *
847 * XXX The subsequent ResolveRecoveryConflictWithBufferPin() will wait
848 * to be signaled by UnpinBuffer() again and send a request for
849 * deadlocks check if deadlock_timeout happens. This causes the
850 * request to continue to be sent every deadlock_timeout until the
851 * buffer is unpinned or ltime is reached. This would increase the
852 * workload in the startup process and backends. In practice it may
853 * not be so harmful because the period that the buffer is kept pinned
854 * is basically no so long. But we should fix this?
855 */
857 }
859 /*
860 * Clear any timeout requests established above. We assume here that the
861 * Startup process doesn't have any other timeouts than what this function
862 * uses. If that stops being true, we could cancel the timeouts
863 * individually, but that'd be slower.
864 */
868 }
870 static void
872 {
876 /*
877 * We send signal to all backends to ask them if they are holding the
878 * buffer pin which is delaying the Startup process. We must not set the
879 * conflict flag yet, since most backends will be innocent. Let the
880 * SIGUSR1 handling in each backend decide their own fate.
881 */
883 }
885 /*
886 * In Hot Standby perform early deadlock detection. We abort the lock
887 * wait if we are about to sleep while holding the buffer pin that Startup
888 * process is waiting for.
889 *
890 * Note: this code is pessimistic, because there is no way for it to
891 * determine whether an actual deadlock condition is present: the lock we
892 * need to wait for might be unrelated to any held by the Startup process.
893 * Sooner or later, this mechanism should get ripped out in favor of somehow
894 * accounting for buffer locks in DeadLockCheck(). However, errors here
895 * seem to be very low-probability in practice, so for now it's not worth
896 * the trouble.
897 */
898 void
900 {
906 /*
907 * Error message should match ProcessInterrupts() but we avoid calling
908 * that because we aren't handling an interrupt at this point. Note that
909 * we only cancel the current transaction here, so if we are in a
910 * subtransaction and the pin is held by a parent, then the Startup
911 * process will continue to wait even though we have avoided deadlock.
912 */
917 }
920 /* --------------------------------
921 * timeout handler routines
922 * --------------------------------
923 */
925 /*
926 * StandbyDeadLockHandler() will be called if STANDBY_DEADLOCK_TIMEOUT is
927 * exceeded.
928 */
929 void
931 {
933 }
935 /*
936 * StandbyTimeoutHandler() will be called if STANDBY_TIMEOUT is exceeded.
937 */
938 void
940 {
942 }
944 /*
945 * StandbyLockTimeoutHandler() will be called if STANDBY_LOCK_TIMEOUT is exceeded.
946 */
947 void
949 {
951 }
953 /*
954 * -----------------------------------------------------
955 * Locking in Recovery Mode
956 * -----------------------------------------------------
957 *
958 * All locks are held by the Startup process using a single virtual
959 * transaction. This implementation is both simpler and in some senses,
960 * more correct. The locks held mean "some original transaction held
961 * this lock, so query access is not allowed at this time". So the Startup
962 * process is the proxy by which the original locks are implemented.
963 *
964 * We only keep track of AccessExclusiveLocks, which are only ever held by
965 * one transaction on one relation.
966 *
967 * We keep a table of known locks in the RecoveryLockHash hash table.
968 * The point of that table is to let us efficiently de-duplicate locks,
969 * which is important because checkpoints will re-report the same locks
970 * already held. There is also a RecoveryLockXidHash table with one entry
971 * per xid, which allows us to efficiently find all the locks held by a
972 * given original transaction.
973 *
974 * We use session locks rather than normal locks so we don't need
975 * ResourceOwners.
976 */
979 void
981 {
984 xl_standby_lock key;
985 LOCKTAG locktag;
988 /* Already processed? */
997 /* dbOid is InvalidOid when we are locking a shared relation. */
1000 /* Create a hash entry for this xid, if we don't have one already. */
1003 {
1006 }
1008 /* Create a hash entry for this lock, unless we have one already. */
1014 {
1015 /* It's new, so link it into the XID's list ... */
1019 /* ... and acquire the lock locally. */
1023 }
1024 }
1026 /*
1027 * Release all the locks associated with this RecoveryLockXidEntry.
1028 */
1029 static void
1031 {
1036 {
1037 LOCKTAG locktag;
1042 /* Release the lock ... */
1045 {
1047 "RecoveryLockHash contains entry for lock no longer recorded by lock manager: xid %u database %u relation %u",
1050 }
1051 /* ... and remove the per-lock hash entry */
1054 }
1057 }
1059 /*
1060 * Release locks for specific XID, or all locks if it's InvalidXid.
1061 */
1062 static void
1064 {
1068 {
1070 {
1073 }
1074 }
1075 else
1077 }
1079 /*
1080 * Release locks for a transaction tree, starting at xid down, from
1081 * RecoveryLockXidHash.
1082 *
1083 * Called during WAL replay of COMMIT/ROLLBACK when in hot standby mode,
1084 * to remove any AccessExclusiveLocks requested by a transaction.
1085 */
1086 void
1088 {
1095 }
1097 /*
1098 * Called at end of recovery and when we see a shutdown checkpoint.
1099 */
1100 void
1102 {
1103 HASH_SEQ_STATUS status;
1110 {
1113 }
1114 }
1116 /*
1117 * StandbyReleaseOldLocks
1118 * Release standby locks held by top-level XIDs that aren't running,
1119 * as long as they're not prepared transactions.
1120 */
1121 void
1123 {
1124 HASH_SEQ_STATUS status;
1129 {
1132 /* Skip if prepared transaction. */
1136 /* Skip if >= oldxid. */
1140 /* Remove all locks and hash table entry. */
1143 }
1144 }
1146 /*
1147 * --------------------------------------------------------------------
1148 * Recovery handling for Rmgr RM_STANDBY_ID
1149 *
1150 * These record types will only be created if XLogStandbyInfoActive()
1151 * --------------------------------------------------------------------
1152 */
1154 void
1156 {
1159 /* Backup blocks are not used in standby records */
1162 /* Do nothing if we're not in hot standby mode */
1167 {
1175 }
1177 {
1179 RunningTransactionsData running;
1190 }
1192 {
1200 }
1201 else
1203 }
1205 /*
1206 * Log details of the current snapshot to WAL. This allows the snapshot state
1207 * to be reconstructed on the standby and for logical decoding.
1208 *
1209 * This is used for Hot Standby as follows:
1210 *
1211 * We can move directly to STANDBY_SNAPSHOT_READY at startup if we
1212 * start from a shutdown checkpoint because we know nothing was running
1213 * at that time and our recovery snapshot is known empty. In the more
1214 * typical case of an online checkpoint we need to jump through a few
1215 * hoops to get a correct recovery snapshot and this requires a two or
1216 * sometimes a three stage process.
1217 *
1218 * The initial snapshot must contain all running xids and all current
1219 * AccessExclusiveLocks at a point in time on the standby. Assembling
1220 * that information while the server is running requires many and
1221 * various LWLocks, so we choose to derive that information piece by
1222 * piece and then re-assemble that info on the standby. When that
1223 * information is fully assembled we move to STANDBY_SNAPSHOT_READY.
1224 *
1225 * Since locking on the primary when we derive the information is not
1226 * strict, we note that there is a time window between the derivation and
1227 * writing to WAL of the derived information. That allows race conditions
1228 * that we must resolve, since xids and locks may enter or leave the
1229 * snapshot during that window. This creates the issue that an xid or
1230 * lock may start *after* the snapshot has been derived yet *before* the
1231 * snapshot is logged in the running xacts WAL record. We resolve this by
1232 * starting to accumulate changes at a point just prior to when we derive
1233 * the snapshot on the primary, then ignore duplicates when we later apply
1234 * the snapshot from the running xacts record. This is implemented during
1235 * CreateCheckPoint() where we use the logical checkpoint location as
1236 * our starting point and then write the running xacts record immediately
1237 * before writing the main checkpoint WAL record. Since we always start
1238 * up from a checkpoint and are immediately at our starting point, we
1239 * unconditionally move to STANDBY_INITIALIZED. After this point we
1240 * must do 4 things:
1241 * * move shared nextXid forwards as we see new xids
1242 * * extend the clog and subtrans with each new xid
1243 * * keep track of uncommitted known assigned xids
1244 * * keep track of uncommitted AccessExclusiveLocks
1245 *
1246 * When we see a commit/abort we must remove known assigned xids and locks
1247 * from the completing transaction. Attempted removals that cannot locate
1248 * an entry are expected and must not cause an error when we are in state
1249 * STANDBY_INITIALIZED. This is implemented in StandbyReleaseLocks() and
1250 * KnownAssignedXidsRemove().
1251 *
1252 * Later, when we apply the running xact data we must be careful to ignore
1253 * transactions already committed, since those commits raced ahead when
1254 * making WAL entries.
1255 *
1256 * The loose timing also means that locks may be recorded that have a
1257 * zero xid, since xids are removed from procs before locks are removed.
1258 * So we must prune the lock list down to ensure we hold locks only for
1259 * currently running xids, performed by StandbyReleaseOldLocks().
1260 * Zero xids should no longer be possible, but we may be replaying WAL
1261 * from a time when they were possible.
1262 *
1263 * For logical decoding only the running xacts information is needed;
1264 * there's no need to look at the locking information, but it's logged anyway,
1265 * as there's no independent knob to just enable logical decoding. For
1266 * details of how this is used, check snapbuild.c's introductory comment.
1267 *
1268 *
1269 * Returns the RecPtr of the last inserted record.
1270 */
1271 XLogRecPtr
1273 {
1274 XLogRecPtr recptr;
1275 RunningTransactions running;
1281 /*
1282 * Get details of any AccessExclusiveLocks being held at the moment.
1283 */
1289 /*
1290 * Log details of all in-progress transactions. This should be the last
1291 * record we write, because standby will open up when it sees this.
1292 */
1295 /*
1296 * GetRunningTransactionData() acquired ProcArrayLock, we must release it.
1297 * For Hot Standby this can be done before inserting the WAL record
1298 * because ProcArrayApplyRecoveryInfo() rechecks the commit status using
1299 * the clog. For logical decoding, though, the lock can't be released
1300 * early because the clog might be "in the future" from the POV of the
1301 * historic snapshot. This would allow for situations where we're waiting
1302 * for the end of a transaction listed in the xl_running_xacts record
1303 * which, according to the WAL, has committed before the xl_running_xacts
1304 * record. Fortunately this routine isn't executed frequently, and it's
1305 * only a shared lock.
1306 */
1312 /* Release lock if we kept it longer ... */
1316 /* GetRunningTransactionData() acquired XidGenLock, we must release it */
1320 }
1322 /*
1323 * Record an enhanced snapshot of running transactions into WAL.
1324 *
1325 * The definitions of RunningTransactionsData and xl_running_xacts are
1326 * similar. We keep them separate because xl_running_xacts is a contiguous
1327 * chunk of memory and never exists fully until it is assembled in WAL.
1328 * The inserted records are marked as not being important for durability,
1329 * to avoid triggering superfluous checkpoint / archiving activity.
1330 */
1331 static XLogRecPtr
1333 {
1334 xl_running_xacts xlrec;
1335 XLogRecPtr recptr;
1344 /* Header */
1349 /* array of TransactionIds */
1358 "snapshot of %u running transactions overflowed (lsn %X/%X oldest xid %u latest complete %u next xid %u)",
1364 else
1366 "snapshot of %u+%u running transaction ids (lsn %X/%X oldest xid %u latest complete %u next xid %u)",
1373 /*
1374 * Ensure running_xacts information is synced to disk not too far in the
1375 * future. We don't want to stall anything though (i.e. use XLogFlush()),
1376 * so we let the wal writer do it during normal operation.
1377 * XLogSetAsyncXactLSN() conveniently will mark the LSN as to-be-synced
1378 * and nudge the WALWriter into action if sleeping. Check
1379 * XLogBackgroundFlush() for details why a record might not be flushed
1380 * without it.
1381 */
1385 }
1387 /*
1388 * Wholesale logging of AccessExclusiveLocks. Other lock types need not be
1389 * logged, as described in backend/storage/lmgr/README.
1390 */
1391 static void
1393 {
1394 xl_standby_locks xlrec;
1404 }
1406 /*
1407 * Individual logging of AccessExclusiveLocks for use during LockAcquire()
1408 */
1409 void
1411 {
1412 xl_standby_lock xlrec;
1421 }
1423 /*
1424 * Prepare to log an AccessExclusiveLock, for use during LockAcquire()
1425 */
1426 void
1428 {
1429 /*
1430 * Ensure that a TransactionId has been assigned to this transaction, for
1431 * two reasons, both related to lock release on the standby. First, we
1432 * must assign an xid so that RecordTransactionCommit() and
1433 * RecordTransactionAbort() do not optimise away the transaction
1434 * completion record which recovery relies upon to release locks. It's a
1435 * hack, but for a corner case not worth adding code for into the main
1436 * commit path. Second, we must assign an xid before the lock is recorded
1437 * in shared memory, otherwise a concurrently executing
1438 * GetRunningTransactionLocks() might see a lock associated with an
1439 * InvalidTransactionId which we later assert cannot happen.
1440 */
1442 }
1444 /*
1445 * Emit WAL for invalidations. This currently is only used for commits without
1446 * an xid but which contain invalidations.
1447 */
1448 void
1451 {
1452 xl_invalidations xlrec;
1454 /* prepare record */
1461 /* perform insertion */
1467 }
1469 /* Return the description of recovery conflict */
1472 {
1476 {
1497 }
1500 }