| blob | 73a80559194e75f5ca2c8c69060b35b79199ff3f |
1 /*-------------------------------------------------------------------------
2 *
3 * twophase.c
4 * Two-phase commit support functions.
5 *
6 * Portions Copyright (c) 1996-2025, PostgreSQL Global Development Group
7 * Portions Copyright (c) 1994, Regents of the University of California
8 *
9 * IDENTIFICATION
10 * src/backend/access/transam/twophase.c
11 *
12 * NOTES
13 * Each global transaction is associated with a global transaction
14 * identifier (GID). The client assigns a GID to a postgres
15 * transaction with the PREPARE TRANSACTION command.
16 *
17 * We keep all active global transactions in a shared memory array.
18 * When the PREPARE TRANSACTION command is issued, the GID is
19 * reserved for the transaction in the array. This is done before
20 * a WAL entry is made, because the reservation checks for duplicate
21 * GIDs and aborts the transaction if there already is a global
22 * transaction in prepared state with the same GID.
23 *
24 * A global transaction (gxact) also has dummy PGPROC; this is what keeps
25 * the XID considered running by TransactionIdIsInProgress. It is also
26 * convenient as a PGPROC to hook the gxact's locks to.
27 *
28 * Information to recover prepared transactions in case of crash is
29 * now stored in WAL for the common case. In some cases there will be
30 * an extended period between preparing a GXACT and commit/abort, in
31 * which case we need to separately record prepared transaction data
32 * in permanent storage. This includes locking information, pending
33 * notifications etc. All that state information is written to the
34 * per-transaction state file in the pg_twophase directory.
35 * All prepared transactions will be written prior to shutdown.
36 *
37 * Life track of state data is following:
38 *
39 * * On PREPARE TRANSACTION backend writes state data only to the WAL and
40 * stores pointer to the start of the WAL record in
41 * gxact->prepare_start_lsn.
42 * * If COMMIT occurs before checkpoint then backend reads data from WAL
43 * using prepare_start_lsn.
44 * * On checkpoint state data copied to files in pg_twophase directory and
45 * fsynced
46 * * If COMMIT happens after checkpoint then backend reads state data from
47 * files
48 *
49 * During replay and replication, TwoPhaseState also holds information
50 * about active prepared transactions that haven't been moved to disk yet.
51 *
52 * Replay of twophase records happens by the following rules:
53 *
54 * * At the beginning of recovery, pg_twophase is scanned once, filling
55 * TwoPhaseState with entries marked with gxact->inredo and
56 * gxact->ondisk. Two-phase file data older than the XID horizon of
57 * the redo position are discarded.
58 * * On PREPARE redo, the transaction is added to TwoPhaseState->prepXacts.
59 * gxact->inredo is set to true for such entries.
60 * * On Checkpoint we iterate through TwoPhaseState->prepXacts entries
61 * that have gxact->inredo set and are behind the redo_horizon. We
62 * save them to disk and then switch gxact->ondisk to true.
63 * * On COMMIT/ABORT we delete the entry from TwoPhaseState->prepXacts.
64 * If gxact->ondisk is true, the corresponding entry from the disk
65 * is additionally deleted.
66 * * RecoverPreparedTransactions(), StandbyRecoverPreparedTransactions()
67 * and PrescanPreparedTransactions() have been modified to go through
68 * gxact->inredo entries that have not made it to disk.
69 *
70 *-------------------------------------------------------------------------
71 */
74 #include <fcntl.h>
75 #include <sys/stat.h>
76 #include <time.h>
77 #include <unistd.h>
109 /*
110 * Directory where Two-phase commit files reside within PGDATA
111 */
114 /* GUC variable, can't be changed after startup */
117 /*
118 * This struct describes one global transaction that is in prepared state
119 * or attempting to become prepared.
120 *
121 * The lifecycle of a global transaction is:
122 *
123 * 1. After checking that the requested GID is not in use, set up an entry in
124 * the TwoPhaseState->prepXacts array with the correct GID and valid = false,
125 * and mark it as locked by my backend.
126 *
127 * 2. After successfully completing prepare, set valid = true and enter the
128 * referenced PGPROC into the global ProcArray.
129 *
130 * 3. To begin COMMIT PREPARED or ROLLBACK PREPARED, check that the entry is
131 * valid and not locked, then mark the entry as locked by storing my current
132 * proc number into locking_backend. This prevents concurrent attempts to
133 * commit or rollback the same prepared xact.
134 *
135 * 4. On completion of COMMIT PREPARED or ROLLBACK PREPARED, remove the entry
136 * from the ProcArray and the TwoPhaseState->prepXacts array and return it to
137 * the freelist.
138 *
139 * Note that if the preparing transaction fails between steps 1 and 2, the
140 * entry must be removed so that the GID and the GlobalTransaction struct
141 * can be reused. See AtAbort_Twophase().
142 *
143 * typedef struct GlobalTransactionData *GlobalTransaction appears in
144 * twophase.h
145 */
148 {
153 /*
154 * Note that we need to keep track of two LSNs for each GXACT. We keep
155 * track of the start LSN because this is the address we must use to read
156 * state data back from WAL when committing a prepared GXACT. We keep
157 * track of the end LSN because that is the LSN we need to wait for prior
158 * to commit.
159 */
172 /*
173 * Two Phase Commit shared state. Access to this struct is protected
174 * by TwoPhaseStateLock.
175 */
177 {
178 /* Head of linked list of free GlobalTransactionData structs */
179 GlobalTransaction freeGXacts;
181 /* Number of valid prepXacts entries. */
184 /* There are max_prepared_xacts items in this array */
190 /*
191 * Global transaction entry currently locked by us, if any. Note that any
192 * access to the entry pointed to by this variable must be protected by
193 * TwoPhaseStateLock, though obviously the pointer itself doesn't need to be
194 * (since it's just local memory).
195 */
225 XLogRecPtr prepare_start_lsn,
229 Oid databaseid);
233 /*
234 * Initialization of shared memory
235 */
236 Size
238 {
239 Size size;
241 /* Need the fixed struct, the array of pointers, and the GTD structs */
250 }
252 void
254 {
261 {
262 GlobalTransaction gxacts;
269 /*
270 * Initialize the linked list of free GlobalTransactionData structs
271 */
277 {
278 /* insert into linked list */
282 /* associate it with a PGPROC assigned by InitProcGlobal */
284 }
285 }
286 else
288 }
290 /*
291 * Exit hook to unlock the global transaction entry we're working on.
292 */
293 static void
295 {
296 /* same logic as abort */
298 }
300 /*
301 * Abort hook to unlock the global transaction entry we're working on.
302 */
303 void
305 {
309 /*
310 * What to do with the locked global transaction entry? If we were in the
311 * process of preparing the transaction, but haven't written the WAL
312 * record and state file yet, the transaction must not be considered as
313 * prepared. Likewise, if we are in the process of finishing an
314 * already-prepared transaction, and fail after having already written the
315 * 2nd phase commit or rollback record to the WAL, the transaction should
316 * not be considered as prepared anymore. In those cases, just remove the
317 * entry from shared memory.
318 *
319 * Otherwise, the entry must be left in place so that the transaction can
320 * be finished later, so just unlock it.
321 *
322 * If we abort during prepare, after having written the WAL record, we
323 * might not have transferred all locks and other state to the prepared
324 * transaction yet. Likewise, if we abort during commit or rollback,
325 * after having written the WAL record, we might not have released all the
326 * resources held by the transaction yet. In those cases, the in-memory
327 * state can be wrong, but it's too late to back out.
328 */
332 else
337 }
339 /*
340 * This is called after we have finished transferring state to the prepared
341 * PGPROC entry.
342 */
343 void
345 {
351 }
354 /*
355 * MarkAsPreparing
356 * Reserve the GID for the given transaction.
357 */
358 GlobalTransaction
361 {
362 GlobalTransaction gxact;
369 gid)));
371 /* fail immediately if feature is disabled */
378 /* on first call, register the exit hook */
380 {
383 }
387 /* Check for conflicting GID */
389 {
392 {
396 gid)));
397 }
398 }
400 /* Get a free gxact from the freelist */
406 max_prepared_xacts)));
414 /* And insert it into the active array */
421 }
423 /*
424 * MarkAsPreparingGuts
425 *
426 * This uses a gxact struct and puts it into the active array.
427 * NOTE: this is also used when reloading a gxact after a crash; so avoid
428 * assuming that we can use very much backend context.
429 *
430 * Note: This function should be called with appropriate locks held.
431 */
432 static void
435 {
444 /* Initialize the PGPROC entry */
449 {
450 /* clone VXID, for TwoPhaseGetXidByVirtualXID() to find */
453 }
454 else
455 {
457 /* GetLockConflicts() uses this to specify a wait on the XID */
460 }
477 /* subxid data must be filled later by GXactLoadSubxactData */
489 /*
490 * Remember that we have this GlobalTransaction entry locked for us. If we
491 * abort after this, we must release it.
492 */
494 }
496 /*
497 * GXactLoadSubxactData
498 *
499 * If the transaction being persisted had any subtransactions, this must
500 * be called before MarkAsPrepared() to load information into the dummy
501 * PGPROC.
502 */
503 static void
506 {
509 /* We need no extra lock since the GXACT isn't valid yet */
511 {
514 }
516 {
520 }
521 }
523 /*
524 * MarkAsPrepared
525 * Mark the GXACT as fully valid, and enter it into the global ProcArray.
526 *
527 * lock_held indicates whether caller already holds TwoPhaseStateLock.
528 */
529 static void
531 {
532 /* Lock here may be overkill, but I'm not convinced of that ... */
540 /*
541 * Put it into the global ProcArray so TransactionIdIsInProgress considers
542 * the XID as still running.
543 */
545 }
547 /*
548 * LockGXact
549 * Locate the prepared transaction and mark it busy for COMMIT or PREPARE.
550 */
551 static GlobalTransaction
553 {
556 /* on first call, register the exit hook */
558 {
561 }
566 {
570 /* Ignore not-yet-valid GIDs */
576 /* Found it, but has someone else got it locked? */
581 gid)));
589 /*
590 * Note: it probably would be possible to allow committing from
591 * another database; but at the moment NOTIFY is known not to work and
592 * there may be some other issues as well. Hence disallow until
593 * someone gets motivated to make it work.
594 */
601 /* OK for me to lock it */
608 }
615 gid)));
617 /* NOTREACHED */
619 }
621 /*
622 * RemoveGXact
623 * Remove the prepared transaction from the shared memory array.
624 *
625 * NB: caller should have already removed it from ProcArray
626 */
627 static void
629 {
635 {
637 {
638 /* remove from the active array */
642 /* and put it back in the freelist */
647 }
648 }
651 }
653 /*
654 * Returns an array of all prepared transactions for the user-level
655 * function pg_prepared_xact.
656 *
657 * The returned array and all its elements are copies of internal data
658 * structures, to minimize the time we need to hold the TwoPhaseStateLock.
659 *
660 * WARNING -- we return even those transactions that are not fully prepared
661 * yet. The caller should filter them out if he doesn't want them.
662 *
663 * The returned array is palloc'd.
664 */
665 static int
667 {
668 GlobalTransaction array;
675 {
680 }
692 }
695 /* Working status for pg_prepared_xact */
697 {
698 GlobalTransaction array;
703 /*
704 * pg_prepared_xact
705 * Produce a view with one row per prepared transaction.
706 *
707 * This function is here so we don't have to export the
708 * GlobalTransactionData struct definition.
709 */
710 Datum
712 {
717 {
718 TupleDesc tupdesc;
719 MemoryContext oldcontext;
721 /* create a function context for cross-call persistence */
724 /*
725 * Switch to memory context appropriate for multiple function calls
726 */
729 /* build tupdesc for result tuples */
730 /* this had better match pg_prepared_xacts view in system_views.sql */
745 /*
746 * Collect all the 2PC status information that we will format and send
747 * out as a result set.
748 */
756 }
762 {
767 HeapTuple tuple;
768 Datum result;
773 /*
774 * Form tuple with appropriate data.
775 */
786 }
789 }
791 /*
792 * TwoPhaseGetGXact
793 * Get the GlobalTransaction struct for a prepared transaction
794 * specified by XID
795 *
796 * If lock_held is set to true, TwoPhaseStateLock will not be taken, so the
797 * caller had better hold it.
798 */
799 static GlobalTransaction
801 {
810 /*
811 * During a recovery, COMMIT PREPARED, or ABORT PREPARED, we'll be called
812 * repeatedly for the same XID. We can save work with a simple cache.
813 */
821 {
825 {
828 }
829 }
841 }
843 /*
844 * TwoPhaseGetXidByVirtualXID
845 * Lookup VXID among xacts prepared since last startup.
846 *
847 * (This won't find recovered xacts.) If more than one matches, return any
848 * and set "have_more" to true. To witness multiple matches, a single
849 * proc number must consume 2^32 LXIDs, with no intervening database restart.
850 */
851 TransactionId
854 {
862 {
865 VirtualTransactionId proc_vxid;
872 {
873 /*
874 * Startup process sets proc->vxid.procNumber to
875 * INVALID_PROC_NUMBER.
876 */
880 {
883 }
885 }
886 }
891 }
893 /*
894 * TwoPhaseGetDummyProcNumber
895 * Get the dummy proc number for prepared transaction specified by XID
896 *
897 * Dummy proc numbers are similar to proc numbers of real backends. They
898 * start at MaxBackends, and are unique across all currently active real
899 * backends and prepared transactions. If lock_held is set to true,
900 * TwoPhaseStateLock will not be taken, so the caller had better hold it.
901 */
902 ProcNumber
904 {
908 }
910 /*
911 * TwoPhaseGetDummyProc
912 * Get the PGPROC that represents a prepared transaction specified by XID
913 *
914 * If lock_held is set to true, TwoPhaseStateLock will not be taken, so the
915 * caller had better hold it.
916 */
917 PGPROC *
919 {
923 }
925 /************************************************************************/
926 /* State file support */
927 /************************************************************************/
929 /*
930 * Compute the FullTransactionId for the given TransactionId.
931 *
932 * This is safe if the xid has not yet reached COMMIT PREPARED or ROLLBACK
933 * PREPARED. After those commands, concurrent vac_truncate_clog() may make
934 * the xid cease to qualify as allowable. XXX Not all callers limit their
935 * calls accordingly.
936 */
939 {
942 }
946 {
952 }
954 /*
955 * 2PC state file format:
956 *
957 * 1. TwoPhaseFileHeader
958 * 2. TransactionId[] (subtransactions)
959 * 3. RelFileLocator[] (files to be deleted at commit)
960 * 4. RelFileLocator[] (files to be deleted at abort)
961 * 5. SharedInvalidationMessage[] (inval messages to be sent at commit)
962 * 6. TwoPhaseRecordOnDisk
963 * 7. ...
964 * 8. TwoPhaseRecordOnDisk (end sentinel, rmid == TWOPHASE_RM_END_ID)
965 * 9. checksum (CRC-32C)
966 *
967 * Each segment except the final checksum is MAXALIGN'd.
968 */
970 /*
971 * Header for a 2PC state file
972 */
977 /*
978 * Header for each record in a state file
979 *
980 * NOTE: len counts only the rmgr data, not the TwoPhaseRecordOnDisk header.
981 * The rmgr data will be stored starting on a MAXALIGN boundary.
982 */
984 {
990 /*
991 * During prepare, the state file is assembled in memory before writing it
992 * to WAL and the actual state file. We use a chain of StateFileChunk blocks
993 * for that.
994 */
996 {
998 uint32 len;
1002 static struct xllist
1003 {
1006 uint32 num_chunks;
1012 /*
1013 * Append a block of data to records data structure.
1014 *
1015 * NB: each block is padded to a MAXALIGN multiple. This must be
1016 * accounted for when the file is later read!
1017 *
1018 * The data is copied, so the caller is free to modify it afterwards.
1019 */
1020 static void
1022 {
1026 {
1035 }
1041 }
1043 /*
1044 * Start preparing a state file.
1045 *
1046 * Initializes data structure and inserts the 2PC file header record.
1047 */
1048 void
1050 {
1053 TwoPhaseFileHeader hdr;
1061 /* Initialize linked list */
1074 /* Create header */
1091 /* EndPrepare will fill the origin data, if necessary */
1098 /*
1099 * Add the additional info about subxacts, deletable files and cache
1100 * invalidation messages.
1101 */
1103 {
1105 /* While we have the child-xact data, stuff it in the gxact too */
1107 }
1109 {
1112 }
1114 {
1117 }
1119 {
1123 }
1125 {
1129 }
1131 {
1135 }
1136 }
1138 /*
1139 * Finish preparing state data and writing it to WAL.
1140 */
1141 void
1143 {
1148 /* Add the end sentinel to the list of 2PC records */
1152 /* Go back and fill in total_len in the file header record */
1161 {
1164 }
1166 /*
1167 * If the data size exceeds MaxAllocSize, we won't be able to read it in
1168 * ReadTwoPhaseFile. Check for that now, rather than fail in the case
1169 * where we write data to file and then re-read at commit time.
1170 */
1176 /*
1177 * Now writing 2PC state data to WAL. We let the WAL's CRC protection
1178 * cover us, so no need to calculate a separate CRC.
1179 *
1180 * We have to set DELAY_CHKPT_START here, too; otherwise a checkpoint
1181 * starting immediately after the WAL record is inserted could complete
1182 * without fsync'ing our state file. (This is essentially the same kind
1183 * of race condition as the COMMIT-to-clog-write case that
1184 * RecordTransactionCommit uses DELAY_CHKPT_START for; see notes there.)
1185 *
1186 * We save the PREPARE record's location in the gxact for later use by
1187 * CheckPointTwoPhase.
1188 */
1205 {
1206 /* Move LSNs forward for this replication origin */
1209 }
1213 /* If we crash now, we have prepared: WAL replay will fix things */
1215 /* Store record's start location to read that later on Commit */
1218 /*
1219 * Mark the prepared transaction as valid. As soon as xact.c marks MyProc
1220 * as not running our XID (which it will do immediately after this
1221 * function returns), others can commit/rollback the xact.
1222 *
1223 * NB: a side effect of this is to make a dummy ProcArray entry for the
1224 * prepared XID. This must happen before we clear the XID from MyProc /
1225 * ProcGlobal->xids[], else there is a window where the XID is not running
1226 * according to TransactionIdIsInProgress, and onlookers would be entitled
1227 * to assume the xact crashed. Instead we have a window where the same
1228 * XID appears twice in ProcArray, which is OK.
1229 */
1232 /*
1233 * Now we can mark ourselves as out of the commit critical section: a
1234 * checkpoint starting after this will certainly see the gxact as a
1235 * candidate for fsyncing.
1236 */
1239 /*
1240 * Remember that we have this GlobalTransaction entry locked for us. If
1241 * we crash after this point, it's too late to abort, but we must unlock
1242 * it so that the prepared transaction can be committed or rolled back.
1243 */
1248 /*
1249 * Wait for synchronous replication, if required.
1250 *
1251 * Note that at this stage we have marked the prepare, but still show as
1252 * running in the procarray (twice!) and continue to hold locks.
1253 */
1258 }
1260 /*
1261 * Register a 2PC record to be written to state file.
1262 */
1263 void
1266 {
1267 TwoPhaseRecordOnDisk record;
1275 }
1278 /*
1279 * Read and validate the state file for xid.
1280 *
1281 * If it looks OK (has a valid magic number and CRC), return the palloc'd
1282 * contents of the file, issuing an error when finding corrupted data. If
1283 * missing_ok is true, which indicates that missing files can be safely
1284 * ignored, then return NULL. This state can be reached when doing recovery.
1285 */
1288 {
1294 uint32 crc_offset;
1295 pg_crc32c calc_crc,
1296 file_crc;
1303 {
1310 }
1312 /*
1313 * Check file length. We can determine a lower bound pretty easily. We
1314 * set an upper bound to avoid palloc() failure on a corrupt file, though
1315 * we can't guarantee that we won't get an out of memory error anyway,
1316 * even on a valid file.
1317 */
1339 path)));
1341 /*
1342 * OK, slurp in the file.
1343 */
1349 {
1354 else
1358 }
1372 path)));
1378 path)));
1390 path)));
1393 }
1396 /*
1397 * Reads 2PC data from xlog. During checkpoint this data will be moved to
1398 * twophase files and ReadTwoPhaseFile should be used instead.
1399 *
1400 * Note clearly that this function can access WAL during normal operation,
1401 * similarly to the way WALSender or Logical Decoding would do.
1402 */
1403 static void
1405 {
1414 NULL);
1425 {
1431 else
1436 }
1452 }
1455 /*
1456 * Confirms an xid is prepared, during recovery
1457 */
1458 bool
1460 {
1470 /* Read and validate file */
1475 /* Check header also */
1481 }
1483 /*
1484 * FinishPreparedTransaction: execute COMMIT PREPARED or ROLLBACK PREPARED
1485 */
1486 void
1488 {
1489 GlobalTransaction gxact;
1491 TransactionId xid;
1496 TransactionId latestXid;
1506 /*
1507 * Validate the GID, and lock the GXACT to ensure that two backends do not
1508 * try to commit the same GID at once.
1509 */
1514 /*
1515 * Read and validate 2PC state data. State data will typically be stored
1516 * in WAL files if the LSN is after the last checkpoint record, or moved
1517 * to disk if for some reason they have lived for a long time.
1518 */
1521 else
1525 /*
1526 * Disassemble the header area
1527 */
1545 /* compute latestXid among all children */
1548 /* Prevent cancel/die interrupt while cleaning up */
1551 /*
1552 * The order of operations here is critical: make the XLOG entry for
1553 * commit or abort, then mark the transaction committed or aborted in
1554 * pg_xact, then remove its PGPROC from the global ProcArray (which means
1555 * TransactionIdIsInProgress will stop saying the prepared xact is in
1556 * progress), then run the post-commit or post-abort callbacks. The
1557 * callbacks will release the locks the transaction held.
1558 */
1564 commitstats,
1567 else
1572 abortstats,
1573 gid);
1577 /*
1578 * In case we fail while running the callbacks, mark the gxact invalid so
1579 * no one else will try to commit/rollback, and so it will be recycled if
1580 * we fail after this point. It is still locked by our backend so it
1581 * won't go away yet.
1582 *
1583 * (We assume it's safe to do this without taking TwoPhaseStateLock.)
1584 */
1587 /*
1588 * We have to remove any files that were supposed to be dropped. For
1589 * consistency with the regular xact.c code paths, must do this before
1590 * releasing locks, so do it before running the callbacks.
1591 *
1592 * NB: this code knows that we couldn't be dropping any temp rels ...
1593 */
1595 {
1598 }
1599 else
1600 {
1603 }
1605 /* Make sure files supposed to be dropped are dropped */
1610 else
1613 /*
1614 * Handle cache invalidation messages.
1615 *
1616 * Relcache init file invalidation requires processing both before and
1617 * after we send the SI messages, only when committing. See
1618 * AtEOXact_Inval().
1619 */
1621 {
1627 }
1629 /*
1630 * Acquire the two-phase lock. We want to work on the two-phase callbacks
1631 * while holding it to avoid potential conflicts with other transactions
1632 * attempting to use the same GID, so the lock is released once the shared
1633 * memory state is cleared.
1634 */
1637 /* And now do the callbacks */
1640 else
1645 /*
1646 * Read this value while holding the two-phase lock, as the on-disk 2PC
1647 * file is physically removed after the lock is released.
1648 */
1651 /* Clear shared memory state */
1654 /*
1655 * Release the lock as all callbacks are called and shared memory cleanup
1656 * is done.
1657 */
1660 /* Count the prepared xact as committed or aborted */
1663 /*
1664 * And now we can clean up any files we may have left.
1665 */
1674 }
1676 /*
1677 * Scan 2PC state data in memory and call the indicated callbacks for each 2PC record.
1678 */
1679 static void
1682 {
1684 {
1697 }
1698 }
1700 /*
1701 * Remove the 2PC file for the specified XID.
1702 *
1703 * If giveWarning is false, do not complain about file-not-present;
1704 * this is an expected case during WAL replay.
1705 */
1706 static void
1708 {
1717 }
1719 /*
1720 * Recreates a state file. This is used in WAL replay and during
1721 * checkpoint creation.
1722 *
1723 * Note: content and len don't include CRC.
1724 */
1725 static void
1727 {
1729 pg_crc32c statefile_crc;
1732 /* Recompute CRC */
1746 /* Write content and CRC */
1750 {
1751 /* if write didn't set errno, assume problem is no disk space */
1757 }
1759 {
1760 /* if write didn't set errno, assume problem is no disk space */
1766 }
1769 /*
1770 * We must fsync the file because the end-of-replay checkpoint will not do
1771 * so, there being no GXACT in shared memory yet to tell it to.
1772 */
1784 }
1786 /*
1787 * CheckPointTwoPhase -- handle 2PC component of checkpointing.
1788 *
1789 * We must fsync the state file of any GXACT that is valid or has been
1790 * generated during redo and has a PREPARE LSN <= the checkpoint's redo
1791 * horizon. (If the gxact isn't valid yet, has not been generated in
1792 * redo, or has a later LSN, this checkpoint is not responsible for
1793 * fsyncing it.)
1794 *
1795 * This is deliberately run as late as possible in the checkpoint sequence,
1796 * because GXACTs ordinarily have short lifespans, and so it is quite
1797 * possible that GXACTs that were valid at checkpoint start will no longer
1798 * exist if we wait a little bit. With typical checkpoint settings this
1799 * will be about 3 minutes for an online checkpoint, so as a result we
1800 * expect that there will be no GXACTs that need to be copied to disk.
1801 *
1802 * If a GXACT remains valid across multiple checkpoints, it will already
1803 * be on disk so we don't bother to repeat that write.
1804 */
1805 void
1807 {
1816 /*
1817 * We are expecting there to be zero GXACTs that need to be copied to
1818 * disk, so we perform all I/O while holding TwoPhaseStateLock for
1819 * simplicity. This prevents any new xacts from preparing while this
1820 * occurs, which shouldn't be a problem since the presence of long-lived
1821 * prepared xacts indicates the transaction manager isn't active.
1822 *
1823 * It's also possible to move I/O out of the lock, but on every error we
1824 * should check whether somebody committed our transaction in different
1825 * backend. Let's leave this optimization for future, if somebody will
1826 * spot that this place cause bottleneck.
1827 *
1828 * Note that it isn't possible for there to be a GXACT with a
1829 * prepare_end_lsn set prior to the last checkpoint yet is marked invalid,
1830 * because of the efforts with delayChkptFlags.
1831 */
1834 {
1835 /*
1836 * Note that we are using gxact not PGPROC so this works in recovery
1837 * also
1838 */
1844 {
1854 serialized_xacts++;
1855 }
1856 }
1859 /*
1860 * Flush unconditionally the parent directory to make any information
1861 * durable on disk. Two-phase files could have been removed and those
1862 * removals need to be made persistent as well as any files newly created
1863 * previously since the last checkpoint.
1864 */
1873 "%u two-phase state files were written "
1875 serialized_xacts,
1876 serialized_xacts)));
1877 }
1879 /*
1880 * restoreTwoPhaseData
1881 *
1882 * Scan pg_twophase and fill TwoPhaseState depending on the on-disk data.
1883 * This is called once at the beginning of recovery, saving any extra
1884 * lookups in the future. Two-phase files that are newer than the
1885 * minimum XID horizon are discarded on the way.
1886 */
1887 void
1889 {
1896 {
1899 {
1900 TransactionId xid;
1901 FullTransactionId fxid;
1914 }
1915 }
1918 }
1920 /*
1921 * PrescanPreparedTransactions
1922 *
1923 * Scan the shared memory entries of TwoPhaseState and determine the range
1924 * of valid XIDs present. This is run during database startup, after we
1925 * have completed reading WAL. TransamVariables->nextXid has been set to
1926 * one more than the highest XID for which evidence exists in WAL.
1927 *
1928 * We throw away any prepared xacts with main XID beyond nextXid --- if any
1929 * are present, it suggests that the DBA has done a PITR recovery to an
1930 * earlier point in time without cleaning out pg_twophase. We dare not
1931 * try to recover such prepared xacts since they likely depend on database
1932 * state that doesn't exist now.
1933 *
1934 * However, we will advance nextXid beyond any subxact XIDs belonging to
1935 * valid prepared xacts. We need to do this since subxact commit doesn't
1936 * write a WAL entry, and so there might be no evidence in WAL of those
1937 * subxact XIDs.
1938 *
1939 * On corrupted two-phase files, fail immediately. Keeping around broken
1940 * entries and let replay continue causes harm on the system, and a new
1941 * backup should be rolled in.
1942 *
1943 * Our other responsibility is to determine and return the oldest valid XID
1944 * among the prepared xacts (if none, return TransamVariables->nextXid).
1945 * This is needed to synchronize pg_subtrans startup properly.
1946 *
1947 * If xids_p and nxids_p are not NULL, pointer to a palloc'd array of all
1948 * top-level xids is stored in *xids_p. The number of entries in the array
1949 * is returned in *nxids_p.
1950 */
1951 TransactionId
1953 {
1964 {
1965 TransactionId xid;
1980 /*
1981 * OK, we think this file is valid. Incorporate xid into the
1982 * running-minimum result.
1983 */
1988 {
1990 {
1992 {
1995 }
1996 else
1997 {
2000 }
2001 }
2003 }
2006 }
2010 {
2013 }
2016 }
2018 /*
2019 * StandbyRecoverPreparedTransactions
2020 *
2021 * Scan the shared memory entries of TwoPhaseState and setup all the required
2022 * information to allow standby queries to treat prepared transactions as still
2023 * active.
2024 *
2025 * This is never called at the end of recovery - we use
2026 * RecoverPreparedTransactions() at that point.
2027 *
2028 * This updates pg_subtrans, so that any subtransactions will be correctly
2029 * seen as in-progress in snapshots taken during recovery.
2030 */
2031 void
2033 {
2038 {
2039 TransactionId xid;
2052 }
2054 }
2056 /*
2057 * RecoverPreparedTransactions
2058 *
2059 * Scan the shared memory entries of TwoPhaseState and reload the state for
2060 * each prepared transaction (reacquire locks, etc).
2061 *
2062 * This is run at the end of recovery, but before we allow backends to write
2063 * WAL.
2064 *
2065 * At the end of recovery the way we take snapshots will change. We now need
2066 * to mark all running transactions with their full SubTransSetParent() info
2067 * to allow normal snapshots to work correctly if snapshots overflow.
2068 * We do this here because by definition prepared transactions are the only
2069 * type of write transaction still running, so this is necessary and
2070 * complete.
2071 */
2072 void
2074 {
2079 {
2080 TransactionId xid;
2090 /*
2091 * Reconstruct subtrans state for the transaction --- needed because
2092 * pg_subtrans is not preserved over a restart. Note that we are
2093 * linking all the subtransactions directly to the top-level XID;
2094 * there may originally have been a more complex hierarchy, but
2095 * there's no need to restore that exactly. It's possible that
2096 * SubTransSetParent has been set before, if the prepared transaction
2097 * generated xid assignment records.
2098 */
2121 /*
2122 * Recreate its GXACT and dummy PGPROC. But, check whether it was
2123 * added in redo and already has a shmem entry for it.
2124 */
2129 /* recovered, so reset the flag for entries generated by redo */
2137 /*
2138 * Recover other state (notably locks) using resource managers.
2139 */
2142 /*
2143 * Release locks held by the standby process after we process each
2144 * prepared transaction. As a result, we don't need too many
2145 * additional locks at any one time.
2146 */
2150 /*
2151 * We're done with recovering this transaction. Clear MyLockedGxact,
2152 * like we do in PrepareTransaction() during normal operation.
2153 */
2159 }
2162 }
2164 /*
2165 * ProcessTwoPhaseBuffer
2166 *
2167 * Given a transaction id, read it either from disk or read it directly
2168 * via shmem xlog record pointer using the provided "prepare_start_lsn".
2169 *
2170 * If setParent is true, set up subtransaction parent linkages.
2171 *
2172 * If setNextXid is true, set TransamVariables->nextXid to the newest
2173 * value scanned.
2174 */
2177 XLogRecPtr prepare_start_lsn,
2180 {
2193 /* Already processed? */
2195 {
2197 {
2200 xid)));
2202 }
2203 else
2204 {
2207 xid)));
2209 }
2211 }
2213 /* Reject XID if too new */
2215 {
2217 {
2220 xid)));
2222 }
2223 else
2224 {
2227 xid)));
2229 }
2231 }
2234 {
2235 /* Read and validate file */
2237 }
2238 else
2239 {
2240 /* Read xlog data */
2242 }
2244 /* Deconstruct header */
2247 {
2252 xid)));
2253 else
2257 xid)));
2258 }
2260 /*
2261 * Examine subtransaction XIDs ... they should all follow main XID, and
2262 * they may force us to advance nextXid.
2263 */
2268 {
2273 /* update nextXid if needed */
2279 }
2282 }
2285 /*
2286 * RecordTransactionCommitPrepared
2287 *
2288 * This is basically the same as RecordTransactionCommit (q.v. if you change
2289 * this function): in particular, we must set DELAY_CHKPT_START to avoid a
2290 * race condition.
2291 *
2292 * We know the transaction made at least one XLOG entry (its PREPARE),
2293 * so it is never possible to optimize out the commit record.
2294 */
2295 static void
2307 {
2308 XLogRecPtr recptr;
2312 /*
2313 * Are we using the replication origins feature? Or, in other words, are
2314 * we replaying remote actions?
2315 */
2321 /* See notes in RecordTransactionCommit */
2325 /*
2326 * Emit the XLOG commit record. Note that we mark 2PC commits as
2327 * potentially having AccessExclusiveLocks since we don't know whether or
2328 * not they do.
2329 */
2334 initfileinval,
2340 /* Move LSNs forward for this replication origin */
2342 XactLastRecEnd);
2344 /*
2345 * Record commit timestamp. The value comes from plain commit timestamp
2346 * if replorigin is not enabled, or replorigin already set a value for us
2347 * in replorigin_session_origin_timestamp otherwise.
2348 *
2349 * We don't need to WAL-log anything here, as the commit record written
2350 * above already contains the data.
2351 */
2356 replorigin_session_origin_timestamp,
2357 replorigin_session_origin);
2359 /*
2360 * We don't currently try to sleep before flush here ... nor is there any
2361 * support for async commit of a prepared xact (the very idea is probably
2362 * a contradiction)
2363 */
2365 /* Flush XLOG to disk */
2368 /* Mark the transaction committed in pg_xact */
2371 /* Checkpoint can proceed now */
2376 /*
2377 * Wait for synchronous replication, if required.
2378 *
2379 * Note that at this stage we have marked clog, but still show as running
2380 * in the procarray and continue to hold locks.
2381 */
2383 }
2385 /*
2386 * RecordTransactionAbortPrepared
2387 *
2388 * This is basically the same as RecordTransactionAbort.
2389 *
2390 * We know the transaction made at least one XLOG entry (its PREPARE),
2391 * so it is never possible to optimize out the abort record.
2392 */
2393 static void
2402 {
2403 XLogRecPtr recptr;
2406 /*
2407 * Are we using the replication origins feature? Or, in other words, are
2408 * we replaying remote actions?
2409 */
2413 /*
2414 * Catch the scenario where we aborted partway through
2415 * RecordTransactionCommitPrepared ...
2416 */
2419 xid);
2423 /*
2424 * Emit the XLOG commit record. Note that we mark 2PC aborts as
2425 * potentially having AccessExclusiveLocks since we don't know whether or
2426 * not they do.
2427 */
2436 /* Move LSNs forward for this replication origin */
2438 XactLastRecEnd);
2440 /* Always flush, since we're about to remove the 2PC state file */
2443 /*
2444 * Mark the transaction aborted in clog. This is not absolutely necessary
2445 * but we may as well do it while we are here.
2446 */
2451 /*
2452 * Wait for synchronous replication, if required.
2453 *
2454 * Note that at this stage we have marked clog, but still show as running
2455 * in the procarray and continue to hold locks.
2456 */
2458 }
2460 /*
2461 * PrepareRedoAdd
2462 *
2463 * Store pointers to the start/end of the WAL record along with the xid in
2464 * a gxact entry in shared memory TwoPhaseState structure. If caller
2465 * specifies InvalidXLogRecPtr as WAL location to fetch the two-phase
2466 * data, the entry is marked as located on disk.
2467 */
2468 void
2471 {
2475 GlobalTransaction gxact;
2483 /*
2484 * Reserve the GID for the given transaction in the redo code path.
2485 *
2486 * This creates a gxact struct and puts it into the active array.
2487 *
2488 * In redo, this struct is mainly used to track PREPARE/COMMIT entries in
2489 * shared memory. Hence, we only fill up the bare minimum contents here.
2490 * The gxact also gets marked with gxact->inredo set to true to indicate
2491 * that it got added in the redo phase
2492 */
2494 /*
2495 * In the event of a crash while a checkpoint was running, it may be
2496 * possible that some two-phase data found its way to disk while its
2497 * corresponding record needs to be replayed in the follow-up recovery. As
2498 * the 2PC data was on disk, it has already been restored at the beginning
2499 * of recovery with restoreTwoPhaseData(), so skip this record to avoid
2500 * duplicates in TwoPhaseState. If a consistent state has been reached,
2501 * the record is added to TwoPhaseState and it should have no
2502 * corresponding file in pg_twophase.
2503 */
2505 {
2511 {
2515 errdetail("Two-phase state file has been found in WAL record %X/%X, but this transaction has already been restored from disk.",
2518 }
2524 }
2526 /* Get a free gxact from the freelist */
2532 max_prepared_xacts)));
2547 /* And insert it into the active array */
2552 {
2553 /* recover apply progress */
2556 }
2559 }
2561 /*
2562 * PrepareRedoRemove
2563 *
2564 * Remove the corresponding gxact entry from TwoPhaseState. Also remove
2565 * the 2PC file if a prepared transaction was saved via an earlier checkpoint.
2566 *
2567 * Caller must hold TwoPhaseStateLock in exclusive mode, because TwoPhaseState
2568 * is updated.
2569 */
2570 void
2572 {
2581 {
2585 {
2589 }
2590 }
2592 /*
2593 * Just leave if there is nothing, this is expected during WAL replay.
2594 */
2598 /*
2599 * And now we can clean up any files we may have left.
2600 */
2605 }
2607 /*
2608 * LookupGXact
2609 * Check if the prepared transaction with the given GID, lsn and timestamp
2610 * exists.
2611 *
2612 * Note that we always compare with the LSN where prepare ends because that is
2613 * what is stored as origin_lsn in the 2PC file.
2614 *
2615 * This function is primarily used to check if the prepared transaction
2616 * received from the upstream (remote node) already exists. Checking only GID
2617 * is not sufficient because a different prepared xact with the same GID can
2618 * exist on the same node. So, we are ensuring to match origin_lsn and
2619 * origin_timestamp of prepared xact to avoid the possibility of a match of
2620 * prepared xact from two different nodes.
2621 */
2622 bool
2624 TimestampTz origin_prepare_timestamp)
2625 {
2631 {
2634 /* Ignore not-yet-valid GIDs. */
2636 {
2640 /*
2641 * We are not expecting collisions of GXACTs (same gid) between
2642 * publisher and subscribers, so we perform all I/O while holding
2643 * TwoPhaseStateLock for simplicity.
2644 *
2645 * To move the I/O out of the lock, we need to ensure that no
2646 * other backend commits the prepared xact in the meantime. We can
2647 * do this optimization if we encounter many collisions in GID
2648 * between publisher and subscriber.
2649 */
2652 else
2653 {
2656 }
2662 {
2666 }
2669 }
2670 }
2673 }
2675 /*
2676 * TwoPhaseTransactionGid
2677 * Form the prepared transaction GID for two_phase transactions.
2678 *
2679 * Return the GID in the supplied buffer.
2680 */
2681 void
2683 {
2692 }
2694 /*
2695 * IsTwoPhaseTransactionGidForSubid
2696 * Check whether the given GID (as formed by TwoPhaseTransactionGid) is
2697 * for the specified 'subid'.
2698 */
2699 static bool
2701 {
2703 Oid subid_from_gid;
2704 TransactionId xid_from_gid;
2707 /* Extract the subid and xid from the given GID */
2710 /*
2711 * Check that the given GID has expected format, and at least the subid
2712 * matches.
2713 */
2717 /*
2718 * Reconstruct a temporary GID based on the subid and xid extracted from
2719 * the given GID and check whether the temporary GID and the given GID
2720 * match.
2721 */
2725 }
2727 /*
2728 * LookupGXactBySubid
2729 * Check if the prepared transaction done by apply worker exists.
2730 */
2731 bool
2733 {
2738 {
2741 /* Ignore not-yet-valid GIDs. */
2744 {
2747 }
2748 }
2752 }