| blob | 20c3741aa1ee2861552282d2d491fe24e1d4dd1a |
1 /*-------------------------------------------------------------------------
2 *
3 * fd.c
4 * Virtual file descriptor code.
5 *
6 * Portions Copyright (c) 1996-2022, PostgreSQL Global Development Group
7 * Portions Copyright (c) 1994, Regents of the University of California
8 *
9 * IDENTIFICATION
10 * src/backend/storage/file/fd.c
11 *
12 * NOTES:
13 *
14 * This code manages a cache of 'virtual' file descriptors (VFDs).
15 * The server opens many file descriptors for a variety of reasons,
16 * including base tables, scratch files (e.g., sort and hash spool
17 * files), and random calls to C library routines like system(3); it
18 * is quite easy to exceed system limits on the number of open files a
19 * single process can have. (This is around 1024 on many modern
20 * operating systems, but may be lower on others.)
21 *
22 * VFDs are managed as an LRU pool, with actual OS file descriptors
23 * being opened and closed as needed. Obviously, if a routine is
24 * opened using these interfaces, all subsequent operations must also
25 * be through these interfaces (the File type is not a real file
26 * descriptor).
27 *
28 * For this scheme to work, most (if not all) routines throughout the
29 * server should use these interfaces instead of calling the C library
30 * routines (e.g., open(2) and fopen(3)) themselves. Otherwise, we
31 * may find ourselves short of real file descriptors anyway.
32 *
33 * INTERFACE ROUTINES
34 *
35 * PathNameOpenFile and OpenTemporaryFile are used to open virtual files.
36 * A File opened with OpenTemporaryFile is automatically deleted when the
37 * File is closed, either explicitly or implicitly at end of transaction or
38 * process exit. PathNameOpenFile is intended for files that are held open
39 * for a long time, like relation files. It is the caller's responsibility
40 * to close them, there is no automatic mechanism in fd.c for that.
41 *
42 * PathName(Create|Open|Delete)Temporary(File|Dir) are used to manage
43 * temporary files that have names so that they can be shared between
44 * backends. Such files are automatically closed and count against the
45 * temporary file limit of the backend that creates them, but unlike anonymous
46 * files they are not automatically deleted. See sharedfileset.c for a shared
47 * ownership mechanism that provides automatic cleanup for shared files when
48 * the last of a group of backends detaches.
49 *
50 * AllocateFile, AllocateDir, OpenPipeStream and OpenTransientFile are
51 * wrappers around fopen(3), opendir(3), popen(3) and open(2), respectively.
52 * They behave like the corresponding native functions, except that the handle
53 * is registered with the current subtransaction, and will be automatically
54 * closed at abort. These are intended mainly for short operations like
55 * reading a configuration file; there is a limit on the number of files that
56 * can be opened using these functions at any one time.
57 *
58 * Finally, BasicOpenFile is just a thin wrapper around open() that can
59 * release file descriptors in use by the virtual file descriptors if
60 * necessary. There is no automatic cleanup of file descriptors returned by
61 * BasicOpenFile, it is solely the caller's responsibility to close the file
62 * descriptor by calling close(2).
63 *
64 * If a non-virtual file descriptor needs to be held open for any length of
65 * time, report it to fd.c by calling AcquireExternalFD or ReserveExternalFD
66 * (and eventually ReleaseExternalFD), so that we can take it into account
67 * while deciding how many VFDs can be open. This applies to FDs obtained
68 * with BasicOpenFile as well as those obtained without use of any fd.c API.
69 *
70 *-------------------------------------------------------------------------
71 */
75 #include <dirent.h>
76 #include <sys/file.h>
77 #include <sys/param.h>
79 #include <sys/stat.h>
80 #include <sys/types.h>
81 #ifndef WIN32
82 #include <sys/mman.h>
83 #endif
84 #include <limits.h>
85 #include <unistd.h>
86 #include <fcntl.h>
104 /* Define PG_FLUSH_DATA_WORKS if we have an implementation for pg_flush_data */
105 #if defined(HAVE_SYNC_FILE_RANGE)
106 #define PG_FLUSH_DATA_WORKS 1
107 #elif !defined(WIN32) && defined(MS_ASYNC)
108 #define PG_FLUSH_DATA_WORKS 1
109 #elif defined(USE_POSIX_FADVISE) && defined(POSIX_FADV_DONTNEED)
110 #define PG_FLUSH_DATA_WORKS 1
111 #endif
113 /*
114 * We must leave some file descriptors free for system(), the dynamic loader,
115 * and other code that tries to open files without consulting fd.c. This
116 * is the number left free. (While we try fairly hard to prevent EMFILE
117 * errors, there's never any guarantee that we won't get ENFILE due to
118 * other processes chewing up FDs. So it's a bad idea to try to open files
119 * without consulting fd.c. Nonetheless we cannot control all code.)
120 *
121 * Because this is just a fixed setting, we are effectively assuming that
122 * no such code will leave FDs open over the long term; otherwise the slop
123 * is likely to be insufficient. Note in particular that we expect that
124 * loading a shared library does not result in any permanent increase in
125 * the number of open files. (This appears to be true on most if not
126 * all platforms as of Feb 2004.)
127 */
128 #define NUM_RESERVED_FDS 10
130 /*
131 * If we have fewer than this many usable FDs after allowing for the reserved
132 * ones, choke. (This value is chosen to work with "ulimit -n 64", but not
133 * much less than that. Note that this value ensures numExternalFDs can be
134 * at least 16; as of this writing, the contrib/postgres_fdw regression tests
135 * will not pass unless that can grow to at least 14.)
136 */
137 #define FD_MINFREE 48
139 /*
140 * A number of platforms allow individual processes to open many more files
141 * than they can really support when *many* processes do the same thing.
142 * This GUC parameter lets the DBA limit max_safe_fds to something less than
143 * what the postmaster's initial probe suggests will work.
144 */
147 /*
148 * Maximum number of file descriptors to open for operations that fd.c knows
149 * about (VFDs, AllocateFile etc, or "external" FDs). This is initialized
150 * to a conservative value, and remains that way indefinitely in bootstrap or
151 * standalone-backend cases. In normal postmaster operation, the postmaster
152 * calls set_max_safe_fds() late in initialization to update the value, and
153 * that value is then inherited by forked subprocesses.
154 *
155 * Note: the value of max_files_per_process is taken into account while
156 * setting this variable, and so need not be tested separately.
157 */
160 /* Whether it is safe to continue running after fsync() fails. */
163 /* How SyncDataDirectory() should do its job. */
166 /* Debugging.... */
168 #ifdef FDDEBUG
169 #define DO_DB(A) \
170 do { \
171 int _do_db_save_errno = errno; \
172 A; \
173 errno = _do_db_save_errno; \
174 } while (0)
175 #else
176 #define DO_DB(A) \
177 ((void) 0)
178 #endif
180 #define VFD_CLOSED (-1)
182 #define FileIsValid(file) \
183 ((file) > 0 && (file) < (int) SizeVfdCache && VfdCache[file].fileName != NULL)
185 #define FileIsNotOpen(file) (VfdCache[file].fd == VFD_CLOSED)
187 /* these are the assigned bits in fdstate below: */
193 {
199 File lruLessRecently;
202 /* NB: fileName is malloc'd, and must be free'd when closing the VFD */
207 /*
208 * Virtual File Descriptor array pointer and size. This grows as
209 * needed. 'File' values are indexes into this array.
210 * Note that VfdCache[0] is not a usable VFD, just a list header.
211 */
215 /*
216 * Number of file descriptors known to be in use by VFD entries.
217 */
220 /*
221 * Flag to tell whether it's worth scanning VfdCache looking for temp files
222 * to close
223 */
226 /*
227 * Tracks the total size of all temporary files. Note: when temp_file_limit
228 * is being enforced, this cannot overflow since the limit cannot be more
229 * than INT_MAX kilobytes. When not enforcing, it could theoretically
230 * overflow, but we don't care.
231 */
234 /* Temporary file access initialized and not yet shut down? */
235 #ifdef USE_ASSERT_CHECKING
237 #endif
239 /*
240 * List of OS handles opened with AllocateFile, AllocateDir and
241 * OpenTransientFile.
242 */
244 {
245 AllocateDescFile,
246 AllocateDescPipe,
247 AllocateDescDir,
248 AllocateDescRawFD
252 {
253 AllocateDescKind kind;
254 SubTransactionId create_subid;
255 union
256 {
267 /*
268 * Number of open "external" FDs reported to Reserve/ReleaseExternalFD.
269 */
272 /*
273 * Number of temporary files opened during the current session;
274 * this is used in generation of tempfile names.
275 */
278 /*
279 * Array of OIDs of temp tablespaces. (Some entries may be InvalidOid,
280 * indicating that the current database's default tablespace should be used.)
281 * When numTempTableSpaces is -1, this has not been set in the current
282 * transaction.
283 */
289 /*--------------------
290 *
291 * Private Routines
292 *
293 * Delete - delete a file from the Lru ring
294 * LruDelete - remove a file from the Lru ring and close its FD
295 * Insert - put a file at the front of the Lru ring
296 * LruInsert - put a file at the front of the Lru ring and open it
297 * ReleaseLruFile - Release an fd by closing the last entry in the Lru ring
298 * ReleaseLruFiles - Release fd(s) until we're under the max_safe_fds limit
299 * AllocateVfd - grab a free (or new) file record (from VfdCache)
300 * FreeVfd - free a file record
301 *
302 * The Least Recently Used ring is a doubly linked list that begins and
303 * ends on element zero. Element zero is special -- it doesn't represent
304 * a file and its "fd" field always == VFD_CLOSED. Element zero is just an
305 * anchor that shows us the beginning/end of the ring.
306 * Only VFD elements that are currently really open (have an FD assigned) are
307 * in the Lru ring. Elements that are "virtually" open can be recognized
308 * by having a non-null fileName field.
309 *
310 * example:
311 *
312 * /--less----\ /---------\
313 * v \ v \
314 * #0 --more---> LeastRecentlyUsed --more-\ \
315 * ^\ | |
316 * \\less--> MostRecentlyUsedFile <---/ |
317 * \more---/ \--less--/
318 *
319 *--------------------
320 */
344 #ifdef PG_FLUSH_DATA_WORKS
346 #endif
353 /*
354 * pg_fsync --- do fsync with or without writethrough
355 */
356 int
358 {
359 #if !defined(WIN32) && defined(USE_ASSERT_CHECKING)
362 /*
363 * Some operating system implementations of fsync() have requirements
364 * about the file access modes that were used when their file descriptor
365 * argument was opened, and these requirements differ depending on whether
366 * the file descriptor is for a directory.
367 *
368 * For any file descriptor that may eventually be handed to fsync(), we
369 * should have opened it with access modes that are compatible with
370 * fsync() on all supported systems, otherwise the code may not be
371 * portable, even if it runs ok on the current system.
372 *
373 * We assert here that a descriptor for a file was opened with write
374 * permissions (either O_RDWR or O_WRONLY) and for a directory without
375 * write permissions (O_RDONLY).
376 *
377 * Ignore any fstat errors and let the follow-up fsync() do its work.
378 * Doing this sanity check here counts for the case where fsync() is
379 * disabled.
380 */
382 {
385 /*
386 * O_RDONLY is historically 0, so just make sure that for directories
387 * no write flags are used.
388 */
391 else
393 }
395 #endif
397 /* #if is to skip the sync_method test if there's no need for it */
398 #if defined(HAVE_FSYNC_WRITETHROUGH) && !defined(FSYNC_WRITETHROUGH_IS_FSYNC)
401 else
402 #endif
404 }
407 /*
408 * pg_fsync_no_writethrough --- same as fsync except does nothing if
409 * enableFsync is off
410 */
411 int
413 {
416 else
418 }
420 /*
421 * pg_fsync_writethrough
422 */
423 int
425 {
427 {
428 #ifdef WIN32
430 #elif defined(F_FULLFSYNC)
432 #else
435 #endif
436 }
437 else
439 }
441 /*
442 * pg_fdatasync --- same as fdatasync except does nothing if enableFsync is off
443 */
444 int
446 {
449 else
451 }
453 /*
454 * pg_flush_data --- advise OS that the described dirty data should be flushed
455 *
456 * offset of 0 with nbytes 0 means that the entire file should be flushed
457 */
458 void
460 {
461 /*
462 * Right now file flushing is primarily used to avoid making later
463 * fsync()/fdatasync() calls have less impact. Thus don't trigger flushes
464 * if fsyncs are disabled - that's a decision we might want to make
465 * configurable at some point.
466 */
470 /*
471 * We compile all alternatives that are supported on the current platform,
472 * to find portability problems more easily.
473 */
474 #if defined(HAVE_SYNC_FILE_RANGE)
475 {
482 /*
483 * sync_file_range(SYNC_FILE_RANGE_WRITE), currently linux specific,
484 * tells the OS that writeback for the specified blocks should be
485 * started, but that we don't want to wait for completion. Note that
486 * this call might block if too much dirty data exists in the range.
487 * This is the preferable method on OSs supporting it, as it works
488 * reliably when available (contrast to msync()) and doesn't flush out
489 * clean data (like FADV_DONTNEED).
490 */
492 SYNC_FILE_RANGE_WRITE);
494 {
497 /*
498 * For systems that don't have an implementation of
499 * sync_file_range() such as Windows WSL, generate only one
500 * warning and then suppress all further attempts by this process.
501 */
503 {
506 }
507 else
513 }
516 }
517 #endif
518 #if !defined(WIN32) && defined(MS_ASYNC)
519 {
523 /*
524 * On several OSs msync(MS_ASYNC) on a mmap'ed file triggers
525 * writeback. On linux it only does so if MS_SYNC is specified, but
526 * then it does the writeback synchronously. Luckily all common linux
527 * systems have sync_file_range(). This is preferable over
528 * FADV_DONTNEED because it doesn't flush out clean data.
529 *
530 * We map the file (mmap()), tell the kernel to sync back the contents
531 * (msync()), and then remove the mapping again (munmap()).
532 */
534 /* mmap() needs actual length if we want to map whole file */
536 {
539 {
544 }
545 }
547 /*
548 * Some platforms reject partial-page mmap() attempts. To deal with
549 * that, just truncate the request to a page boundary. If any extra
550 * bytes don't get flushed, well, it's only a hint anyway.
551 */
553 /* fetch pagesize only once */
557 /* align length to pagesize, dropping any fractional page */
561 /* fractional-page request is a no-op */
565 /*
566 * mmap could well fail, particularly on 32-bit platforms where there
567 * may simply not be enough address space. If so, silently fall
568 * through to the next implementation.
569 */
572 else
576 {
581 {
585 /* NB: need to fall through to munmap()! */
586 }
590 {
591 /* FATAL error because mapping would remain */
595 }
598 }
599 }
600 #endif
601 #if defined(USE_POSIX_FADVISE) && defined(POSIX_FADV_DONTNEED)
602 {
605 /*
606 * Signal the kernel that the passed in range should not be cached
607 * anymore. This has the, desired, side effect of writing out dirty
608 * data, and the, undesired, side effect of likely discarding useful
609 * clean cached blocks. For the latter reason this is the least
610 * preferable method.
611 */
616 {
617 /* don't error out, this is just a performance optimization */
621 }
624 }
625 #endif
626 }
628 /*
629 * Truncate a file to a given length by name.
630 */
631 int
633 {
634 #ifdef WIN32
641 {
646 }
647 else
651 #else
653 #endif
654 }
656 /*
657 * fsync_fname -- fsync a file or directory, handling errors properly
658 *
659 * Try to fsync a file or directory. When doing the latter, ignore errors that
660 * indicate the OS just doesn't allow/require fsyncing directories.
661 */
662 void
664 {
666 }
668 /*
669 * durable_rename -- rename(2) wrapper, issuing fsyncs required for durability
670 *
671 * This routine ensures that, after returning, the effect of renaming file
672 * persists in case of a crash. A crash while this routine is running will
673 * leave you with either the pre-existing or the moved file in place of the
674 * new file; no mixed state or truncated files are possible.
675 *
676 * It does so by using fsync on the old filename and the possibly existing
677 * target filename before the rename, and the target file and directory after.
678 *
679 * Note that rename() cannot be used across arbitrary directories, as they
680 * might not be on the same filesystem. Therefore this routine does not
681 * support renaming across directories.
682 *
683 * Log errors with the caller specified severity.
684 *
685 * Returns 0 if the operation succeeded, -1 otherwise. Note that errno is not
686 * valid upon return.
687 */
688 int
690 {
693 /*
694 * First fsync the old and target path (if it exists), to ensure that they
695 * are properly persistent on disk. Syncing the target file is not
696 * strictly necessary, but it makes it easier to reason about crashes;
697 * because it's then guaranteed that either source or target file exists
698 * after a crash.
699 */
705 {
707 {
712 }
713 }
714 else
715 {
717 {
720 /* close file upon error, might not be in transaction context */
729 }
732 {
737 }
738 }
740 /* Time to do the real deal... */
742 {
748 }
750 /*
751 * To guarantee renaming the file is persistent, fsync the file with its
752 * new name, and its containing directory.
753 */
761 }
763 /*
764 * durable_unlink -- remove a file in a durable manner
765 *
766 * This routine ensures that, after returning, the effect of removing file
767 * persists in case of a crash. A crash while this routine is running will
768 * leave the system in no mixed state.
769 *
770 * It does so by using fsync on the parent directory of the file after the
771 * actual removal is done.
772 *
773 * Log errors with the severity specified by caller.
774 *
775 * Returns 0 if the operation succeeded, -1 otherwise. Note that errno is not
776 * valid upon return.
777 */
778 int
780 {
782 {
786 fname)));
788 }
790 /*
791 * To guarantee that the removal of the file is persistent, fsync its
792 * parent directory.
793 */
798 }
800 /*
801 * InitFileAccess --- initialize this module during backend startup
802 *
803 * This is called during either normal or standalone backend start.
804 * It is *not* called in the postmaster.
805 *
806 * Note that this does not initialize temporary file access, that is
807 * separately initialized via InitTemporaryFileAccess().
808 */
809 void
811 {
814 /* initialize cache header entry */
825 }
827 /*
828 * InitTemporaryFileAccess --- initialize temporary file access during startup
829 *
830 * This is called during either normal or standalone backend start.
831 * It is *not* called in the postmaster.
832 *
833 * This is separate from InitFileAccess() because temporary file cleanup can
834 * cause pgstat reporting. As pgstat is shut down during before_shmem_exit(),
835 * our reporting has to happen before that. Low level file access should be
836 * available for longer, hence the separate initialization / shutdown of
837 * temporary file handling.
838 */
839 void
841 {
845 /*
846 * Register before-shmem-exit hook to ensure temp files are dropped while
847 * we can still report stats.
848 */
851 #ifdef USE_ASSERT_CHECKING
853 #endif
854 }
856 /*
857 * count_usable_fds --- count how many FDs the system will let us open,
858 * and estimate how many are already open.
859 *
860 * We stop counting if usable_fds reaches max_to_probe. Note: a small
861 * value of max_to_probe might result in an underestimate of already_open;
862 * we must fill in any "gaps" in the set of used FDs before the calculation
863 * of already_open will give the right answer. In practice, max_to_probe
864 * of a couple of dozen should be enough to ensure good results.
865 *
866 * We assume stderr (FD 2) is available for dup'ing. While the calling
867 * script could theoretically close that, it would be a really bad idea,
868 * since then one risks loss of error messages from, e.g., libc.
869 */
870 static void
872 {
879 #ifdef HAVE_GETRLIMIT
882 #endif
887 #ifdef HAVE_GETRLIMIT
893 /* dup until failure or probe limit reached */
895 {
898 #ifdef HAVE_GETRLIMIT
900 /*
901 * don't go beyond RLIMIT_NOFILE; causes irritating kernel logs on
902 * some platforms
903 */
906 #endif
910 {
911 /* Expect EMFILE or ENFILE, else it's fishy */
915 }
918 {
921 }
929 }
931 /* release the files we opened */
937 /*
938 * Return results. usable_fds is just the number of successful dups. We
939 * assume that the system limit is highestfd+1 (remember 0 is a legal FD
940 * number) and so already_open is highestfd+1 - usable_fds.
941 */
944 }
946 /*
947 * set_max_safe_fds
948 * Determine number of file descriptors that fd.c is allowed to use
949 */
950 void
952 {
956 /*----------
957 * We want to set max_safe_fds to
958 * MIN(usable_fds, max_files_per_process - already_open)
959 * less the slop factor for files that are opened without consulting
960 * fd.c. This ensures that we won't exceed either max_files_per_process
961 * or the experimentally-determined EMFILE limit.
962 *----------
963 */
969 /*
970 * Take off the FDs reserved for system() etc.
971 */
974 /*
975 * Make sure we still have enough to get by.
976 */
987 }
989 /*
990 * Open a file with BasicOpenFilePerm() and pass default file mode for the
991 * fileMode parameter.
992 */
993 int
995 {
997 }
999 /*
1000 * BasicOpenFilePerm --- same as open(2) except can free other FDs if needed
1001 *
1002 * This is exported for use by places that really want a plain kernel FD,
1003 * but need to be proof against running out of FDs. Once an FD has been
1004 * successfully returned, it is the caller's responsibility to ensure that
1005 * it will not be leaked on ereport()! Most users should *not* call this
1006 * routine directly, but instead use the VFD abstraction level, which
1007 * provides protection against descriptor leaks as well as management of
1008 * files that need to be open for more than a short period of time.
1009 *
1010 * Ideally this should be the *only* direct call of open() in the backend.
1011 * In practice, the postmaster calls open() directly, and there are some
1012 * direct open() calls done early in backend startup. Those are OK since
1013 * this module wouldn't have any open files to close at that point anyway.
1014 */
1015 int
1017 {
1020 tryAgain:
1021 #ifdef PG_O_DIRECT_USE_F_NOCACHE
1023 /*
1024 * The value we defined to stand in for O_DIRECT when simulating it with
1025 * F_NOCACHE had better not collide with any of the standard flags.
1026 */
1029 O_CREAT |
1030 O_EXCL |
1031 O_RDWR |
1032 O_RDONLY |
1033 O_SYNC |
1034 O_TRUNC |
1037 #if defined(O_CLOEXEC)
1040 #endif
1041 #if defined(O_DSYNC)
1044 #endif
1047 #else
1049 #endif
1052 {
1053 #ifdef PG_O_DIRECT_USE_F_NOCACHE
1055 {
1057 {
1063 }
1064 }
1065 #endif
1068 }
1071 {
1081 }
1084 }
1086 /*
1087 * AcquireExternalFD - attempt to reserve an external file descriptor
1088 *
1089 * This should be used by callers that need to hold a file descriptor open
1090 * over more than a short interval, but cannot use any of the other facilities
1091 * provided by this module.
1092 *
1093 * The difference between this and the underlying ReserveExternalFD function
1094 * is that this will report failure (by setting errno and returning false)
1095 * if "too many" external FDs are already reserved. This should be used in
1096 * any code where the total number of FDs to be reserved is not predictable
1097 * and small.
1098 */
1099 bool
1101 {
1102 /*
1103 * We don't want more than max_safe_fds / 3 FDs to be consumed for
1104 * "external" FDs.
1105 */
1107 {
1110 }
1113 }
1115 /*
1116 * ReserveExternalFD - report external consumption of a file descriptor
1117 *
1118 * This should be used by callers that need to hold a file descriptor open
1119 * over more than a short interval, but cannot use any of the other facilities
1120 * provided by this module. This just tracks the use of the FD and closes
1121 * VFDs if needed to ensure we keep NUM_RESERVED_FDS FDs available.
1122 *
1123 * Call this directly only in code where failure to reserve the FD would be
1124 * fatal; for example, the WAL-writing code does so, since the alternative is
1125 * session failure. Also, it's very unwise to do so in code that could
1126 * consume more than one FD per process.
1127 *
1128 * Note: as long as everybody plays nice so that NUM_RESERVED_FDS FDs remain
1129 * available, it doesn't matter too much whether this is called before or
1130 * after actually opening the FD; but doing so beforehand reduces the risk of
1131 * an EMFILE failure if not everybody played nice. In any case, it's solely
1132 * caller's responsibility to keep the external-FD count in sync with reality.
1133 */
1134 void
1136 {
1137 /*
1138 * Release VFDs if needed to stay safe. Because we do this before
1139 * incrementing numExternalFDs, the final state will be as desired, i.e.,
1140 * nfile + numAllocatedDescs + numExternalFDs <= max_safe_fds.
1141 */
1144 numExternalFDs++;
1145 }
1147 /*
1148 * ReleaseExternalFD - report release of an external file descriptor
1149 *
1150 * This is guaranteed not to change errno, so it can be used in failure paths.
1151 */
1152 void
1154 {
1156 numExternalFDs--;
1157 }
1160 #if defined(FDDEBUG)
1162 static void
1164 {
1171 {
1175 }
1178 }
1181 static void
1183 {
1198 }
1200 static void
1202 {
1212 /*
1213 * Close the file. We aren't expecting this to fail; if it does, better
1214 * to leak the FD than to mess up our internal state.
1215 */
1222 /* delete the vfd record from the LRU ring */
1224 }
1226 static void
1228 {
1245 }
1247 /* returns 0 on success, -1 on re-open failure (with errno set) */
1248 static int
1250 {
1261 {
1262 /* Close excess kernel FDs. */
1265 /*
1266 * The open could still fail for lack of file descriptors, eg due to
1267 * overall system file table being full. So, be prepared to release
1268 * another FD if necessary...
1269 */
1273 {
1276 }
1277 else
1278 {
1280 }
1281 }
1283 /*
1284 * put it at the head of the Lru ring
1285 */
1290 }
1292 /*
1293 * Release one kernel FD by closing the least-recently-used VFD.
1294 */
1295 static bool
1297 {
1301 {
1302 /*
1303 * There are opened files and so there should be at least one used vfd
1304 * in the ring.
1305 */
1309 }
1311 }
1313 /*
1314 * Release kernel FDs as needed to get under the max_safe_fds limit.
1315 * After calling this, it's OK to try to open another file.
1316 */
1317 static void
1319 {
1321 {
1324 }
1325 }
1327 static File
1329 {
1330 Index i;
1331 File file;
1338 {
1339 /*
1340 * The free list is empty so it is time to increase the size of the
1341 * array. We choose to double it each time this happens. However,
1342 * there's not much point in starting *real* small.
1343 */
1350 /*
1351 * Be careful not to clobber VfdCache ptr if realloc fails.
1352 */
1360 /*
1361 * Initialize the new entries and link them into the free list.
1362 */
1364 {
1368 }
1372 /*
1373 * Record the new size
1374 */
1376 }
1383 }
1385 static void
1387 {
1394 {
1397 }
1402 }
1404 /* returns 0 on success, -1 on re-open failure (with errno set) */
1405 static int
1407 {
1413 /*
1414 * Is the file open? If not, open it and put it at the head of the LRU
1415 * ring (possibly closing the least recently used file to get an FD).
1416 */
1419 {
1423 }
1425 {
1426 /*
1427 * We now know that the file is open and that it is not the last one
1428 * accessed, so we need to move it to the head of the Lru ring.
1429 */
1433 }
1436 }
1438 /*
1439 * Called whenever a temporary file is deleted to report its size.
1440 */
1441 static void
1443 {
1447 {
1452 }
1453 }
1455 /*
1456 * Called to register a temporary file for automatic close.
1457 * ResourceOwnerEnlargeFiles(CurrentResourceOwner) must have been called
1458 * before the file was opened.
1459 */
1460 static void
1462 {
1466 /* Backup mechanism for closing at end of xact. */
1469 }
1471 /*
1472 * Called when we get a shared invalidation message on some relation.
1473 */
1474 #ifdef NOT_USED
1475 void
1477 {
1481 }
1482 #endif
1484 /*
1485 * Open a file with PathNameOpenFilePerm() and pass default file mode for the
1486 * fileMode parameter.
1487 */
1488 File
1490 {
1492 }
1494 /*
1495 * open a file in an arbitrary directory
1496 *
1497 * NB: if the passed pathname is relative (which it usually is),
1498 * it will be interpreted relative to the process' working directory
1499 * (which should always be $PGDATA when this code is running).
1500 */
1501 File
1503 {
1505 File file;
1511 /*
1512 * We need a malloc'd copy of the file name; fail cleanly if no room.
1513 */
1523 /* Close excess kernel FDs. */
1529 {
1536 }
1542 /* Saved flags are adjusted to be OK for re-opening file */
1552 }
1554 /*
1555 * Create directory 'directory'. If necessary, create 'basedir', which must
1556 * be the directory above it. This is designed for creating the top-level
1557 * temporary directory on demand before creating a directory underneath it.
1558 * Do nothing if the directory already exists.
1559 *
1560 * Directories created within the top-level temporary directory should begin
1561 * with PG_TEMP_FILE_PREFIX, so that they can be identified as temporary and
1562 * deleted at startup by RemovePgTempFiles(). Further subdirectories below
1563 * that do not need any particular prefix.
1564 */
1565 void
1567 {
1569 {
1573 /*
1574 * Failed. Try to create basedir first in case it's missing. Tolerate
1575 * EEXIST to close a race against another process following the same
1576 * algorithm.
1577 */
1582 basedir)));
1584 /* Try again. */
1589 directory)));
1590 }
1591 }
1593 /*
1594 * Delete a directory and everything in it, if it exists.
1595 */
1596 void
1598 {
1601 /* Silently ignore missing directory. */
1605 /*
1606 * Currently, walkdir doesn't offer a way for our passed in function to
1607 * maintain state. Perhaps it should, so that we could tell the caller
1608 * whether this operation succeeded or failed. Since this operation is
1609 * used in a cleanup path, we wouldn't actually behave differently: we'll
1610 * just log failures.
1611 */
1613 }
1615 /*
1616 * Open a temporary file that will disappear when we close it.
1617 *
1618 * This routine takes care of generating an appropriate tempfile name.
1619 * There's no need to pass in fileFlags or fileMode either, since only
1620 * one setting makes any sense for a temp file.
1621 *
1622 * Unless interXact is true, the file is remembered by CurrentResourceOwner
1623 * to ensure it's closed and deleted when it's no longer needed, typically at
1624 * the end-of-transaction. In most cases, you don't want temporary files to
1625 * outlive the transaction that created them, so this should be false -- but
1626 * if you need "somewhat" temporary storage, this might be useful. In either
1627 * case, the file is removed when the File is explicitly closed.
1628 */
1629 File
1631 {
1636 /*
1637 * Make sure the current resource owner has space for this File before we
1638 * open it, if we'll be registering it below.
1639 */
1643 /*
1644 * If some temp tablespace(s) have been given to us, try to use the next
1645 * one. If a given tablespace can't be found, we silently fall back to
1646 * the database's default tablespace.
1647 *
1648 * BUT: if the temp file is slated to outlive the current transaction,
1649 * force it into the database's default tablespace, so that it will not
1650 * pose a threat to possible tablespace drop attempts.
1651 */
1653 {
1658 }
1660 /*
1661 * If not, or if tablespace is bad, create in database's default
1662 * tablespace. MyDatabaseTableSpace should normally be set before we get
1663 * here, but just in case it isn't, fall back to pg_default tablespace.
1664 */
1667 MyDatabaseTableSpace :
1668 DEFAULTTABLESPACE_OID,
1671 /* Mark it for deletion at close and temporary file size limit */
1674 /* Register it with the current resource owner */
1679 }
1681 /*
1682 * Return the path of the temp directory in a given tablespace.
1683 */
1684 void
1686 {
1687 /*
1688 * Identify the tempfile directory for this tablespace.
1689 *
1690 * If someone tries to specify pg_global, use pg_default instead.
1691 */
1696 else
1697 {
1698 /* All other tablespaces are accessed via symlinks */
1701 PG_TEMP_FILES_DIR);
1702 }
1703 }
1705 /*
1706 * Open a temporary file in a specific tablespace.
1707 * Subroutine for OpenTemporaryFile, which see for details.
1708 */
1709 static File
1711 {
1714 File file;
1718 /*
1719 * Generate a tempfile name that should be unique within the current
1720 * database instance.
1721 */
1725 /*
1726 * Open the file. Note: we don't use O_EXCL, in case there is an orphaned
1727 * temp file that can be reused.
1728 */
1732 {
1733 /*
1734 * We might need to create the tablespace's tempfile directory, if no
1735 * one has yet done so.
1736 *
1737 * Don't check for an error from MakePGDirectory; it could fail if
1738 * someone else just did the same thing. If it doesn't work then
1739 * we'll bomb out on the second create attempt, instead.
1740 */
1747 tempfilepath);
1748 }
1751 }
1754 /*
1755 * Create a new file. The directory containing it must already exist. Files
1756 * created this way are subject to temp_file_limit and are automatically
1757 * closed at end of transaction, but are not automatically deleted on close
1758 * because they are intended to be shared between cooperating backends.
1759 *
1760 * If the file is inside the top-level temporary directory, its name should
1761 * begin with PG_TEMP_FILE_PREFIX so that it can be identified as temporary
1762 * and deleted at startup by RemovePgTempFiles(). Alternatively, it can be
1763 * inside a directory created with PathNameCreateTemporaryDir(), in which case
1764 * the prefix isn't needed.
1765 */
1766 File
1768 {
1769 File file;
1775 /*
1776 * Open the file. Note: we don't use O_EXCL, in case there is an orphaned
1777 * temp file that can be reused.
1778 */
1781 {
1786 path)));
1787 else
1789 }
1791 /* Mark it for temp_file_limit accounting. */
1794 /* Register it for automatic close. */
1798 }
1800 /*
1801 * Open a file that was created with PathNameCreateTemporaryFile, possibly in
1802 * another backend. Files opened this way don't count against the
1803 * temp_file_limit of the caller, are automatically closed at the end of the
1804 * transaction but are not deleted on close.
1805 */
1806 File
1808 {
1809 File file;
1817 /* If no such file, then we don't raise an error. */
1822 path)));
1825 {
1826 /* Register it for automatic close. */
1828 }
1831 }
1833 /*
1834 * Delete a file by pathname. Return true if the file existed, false if
1835 * didn't.
1836 */
1837 bool
1839 {
1843 /* Get the final size for pgstat reporting. */
1846 else
1849 /*
1850 * Unlike FileClose's automatic file deletion code, we tolerate
1851 * non-existence to support BufFileDeleteFileSet which doesn't know how
1852 * many segments it has to delete until it runs out.
1853 */
1858 {
1863 path)));
1865 }
1869 else
1870 {
1875 }
1878 }
1880 /*
1881 * close a file when done with it
1882 */
1883 void
1885 {
1896 {
1897 /* close the file */
1899 {
1900 /*
1901 * We may need to panic on failure to close non-temporary files;
1902 * see LruDelete.
1903 */
1906 }
1911 /* remove the file from the lru ring */
1913 }
1916 {
1917 /* Subtract its size from current usage (do first in case of error) */
1920 }
1922 /*
1923 * Delete the file if it was temporary, and make a log entry if wanted
1924 */
1926 {
1930 /*
1931 * If we get an error, as could happen within the ereport/elog calls,
1932 * we'll come right back here during transaction abort. Reset the
1933 * flag to ensure that we can't get into an infinite loop. This code
1934 * is arranged to ensure that the worst-case consequence is failing to
1935 * emit log message(s), not failing to attempt the unlink.
1936 */
1940 /* first try the stat() */
1943 else
1946 /* in any case do the unlink */
1952 /* and last report the stat results */
1955 else
1956 {
1961 }
1962 }
1964 /* Unregister it from the resource owner */
1968 /*
1969 * Return the Vfd slot to the free list
1970 */
1972 }
1974 /*
1975 * FilePrefetch - initiate asynchronous read of a given range of the file.
1976 *
1977 * Currently the only implementation of this function is using posix_fadvise
1978 * which is the simplest standardized interface that accomplishes this.
1979 * We could add an implementation using libaio in the future; but note that
1980 * this API is inappropriate for libaio, which wants to have a buffer provided
1981 * to read into.
1982 */
1983 int
1985 {
1986 #if defined(USE_POSIX_FADVISE) && defined(POSIX_FADV_WILLNEED)
2001 POSIX_FADV_WILLNEED);
2005 #else
2008 #endif
2009 }
2011 void
2013 {
2032 }
2034 int
2036 uint32 wait_event_info)
2037 {
2054 retry:
2060 {
2061 /*
2062 * Windows may run out of kernel buffers and return "Insufficient
2063 * system resources" error. Wait a bit and retry to solve it.
2064 *
2065 * It is rumored that EINTR is also possible on some Unix filesystems,
2066 * in which case immediate retry is indicated.
2067 */
2068 #ifdef WIN32
2072 {
2080 }
2081 #endif
2082 /* OK to retry if interrupted */
2085 }
2088 }
2090 int
2092 uint32 wait_event_info)
2093 {
2110 /*
2111 * If enforcing temp_file_limit and it's a temp file, check to see if the
2112 * write would overrun temp_file_limit, and throw error if so. Note: it's
2113 * really a modularity violation to throw error here; we should set errno
2114 * and return -1. However, there's no way to report a suitable error
2115 * message if we do that. All current callers would just throw error
2116 * immediately anyway, so this is safe at present.
2117 */
2119 {
2123 {
2131 temp_file_limit)));
2132 }
2133 }
2135 retry:
2141 /* if write didn't set errno, assume problem is no disk space */
2146 {
2147 /*
2148 * Maintain fileSize and temporary_files_size if it's a temp file.
2149 */
2151 {
2155 {
2158 }
2159 }
2160 }
2161 else
2162 {
2163 /*
2164 * See comments in FileRead()
2165 */
2166 #ifdef WIN32
2170 {
2178 }
2179 #endif
2180 /* OK to retry if interrupted */
2183 }
2186 }
2188 int
2190 {
2207 }
2209 off_t
2211 {
2218 {
2221 }
2224 }
2226 int
2228 {
2245 {
2246 /* adjust our state for truncation of a temp file */
2250 }
2253 }
2255 /*
2256 * Return the pathname associated with an open file.
2257 *
2258 * The returned string points to an internal buffer, which is valid until
2259 * the file is closed.
2260 */
2263 {
2267 }
2269 /*
2270 * Return the raw file descriptor of an opened file.
2271 *
2272 * The returned file descriptor will be valid until the file is closed, but
2273 * there are a lot of things that can make that happen. So the caller should
2274 * be careful not to do much of anything else before it finishes using the
2275 * returned file descriptor.
2276 */
2277 int
2279 {
2282 }
2284 /*
2285 * FileGetRawFlags - returns the file flags on open(2)
2286 */
2287 int
2289 {
2292 }
2294 /*
2295 * FileGetRawMode - returns the mode bitmask passed to open(2)
2296 */
2297 mode_t
2299 {
2302 }
2304 /*
2305 * Make room for another allocatedDescs[] array entry if needed and possible.
2306 * Returns true if an array element is available.
2307 */
2308 static bool
2310 {
2314 /* Quick out if array already has a free slot. */
2318 /*
2319 * If the array hasn't yet been created in the current process, initialize
2320 * it with FD_MINFREE / 3 elements. In many scenarios this is as many as
2321 * we will ever need, anyway. We don't want to look at max_safe_fds
2322 * immediately because set_max_safe_fds() may not have run yet.
2323 */
2325 {
2328 /* Out of memory already? Treat as fatal error. */
2336 }
2338 /*
2339 * Consider enlarging the array beyond the initial allocation used above.
2340 * By the time this happens, max_safe_fds should be known accurately.
2341 *
2342 * We mustn't let allocated descriptors hog all the available FDs, and in
2343 * practice we'd better leave a reasonable number of FDs for VFD use. So
2344 * set the maximum to max_safe_fds / 3. (This should certainly be at
2345 * least as large as the initial size, FD_MINFREE / 3, so we aren't
2346 * tightening the restriction here.) Recall that "external" FDs are
2347 * allowed to consume another third of max_safe_fds.
2348 */
2351 {
2354 /* Treat out-of-memory as a non-fatal error. */
2360 }
2362 /* Can't enlarge allocatedDescs[] any more. */
2364 }
2366 /*
2367 * Routines that want to use stdio (ie, FILE*) should use AllocateFile
2368 * rather than plain fopen(). This lets fd.c deal with freeing FDs if
2369 * necessary to open the file. When done, call FreeFile rather than fclose.
2370 *
2371 * Note that files that will be open for any significant length of time
2372 * should NOT be handled this way, since they cannot share kernel file
2373 * descriptors with other files; there is grave risk of running out of FDs
2374 * if anyone locks down too many FDs. Most callers of this routine are
2375 * simply reading a config file that they will read and close immediately.
2376 *
2377 * fd.c will automatically close all files opened with AllocateFile at
2378 * transaction commit or abort; this prevents FD leakage if a routine
2379 * that calls AllocateFile is terminated prematurely by ereport(ERROR).
2380 *
2381 * Ideally this should be the *only* direct call of fopen() in the backend.
2382 */
2385 {
2391 /* Can we allocate another non-virtual FD? */
2398 /* Close excess kernel FDs. */
2401 TryAgain:
2403 {
2409 numAllocatedDescs++;
2411 }
2414 {
2424 }
2427 }
2429 /*
2430 * Open a file with OpenTransientFilePerm() and pass default file mode for
2431 * the fileMode parameter.
2432 */
2433 int
2435 {
2437 }
2439 /*
2440 * Like AllocateFile, but returns an unbuffered fd like open(2)
2441 */
2442 int
2444 {
2450 /* Can we allocate another non-virtual FD? */
2457 /* Close excess kernel FDs. */
2463 {
2469 numAllocatedDescs++;
2472 }
2475 }
2477 /*
2478 * Routines that want to initiate a pipe stream should use OpenPipeStream
2479 * rather than plain popen(). This lets fd.c deal with freeing FDs if
2480 * necessary. When done, call ClosePipeStream rather than pclose.
2481 *
2482 * This function also ensures that the popen'd program is run with default
2483 * SIGPIPE processing, rather than the SIG_IGN setting the backend normally
2484 * uses. This ensures desirable response to, eg, closing a read pipe early.
2485 */
2488 {
2495 /* Can we allocate another non-virtual FD? */
2502 /* Close excess kernel FDs. */
2505 TryAgain:
2514 {
2520 numAllocatedDescs++;
2522 }
2525 {
2532 }
2535 }
2537 /*
2538 * Free an AllocateDesc of any type.
2539 *
2540 * The argument *must* point into the allocatedDescs[] array.
2541 */
2542 static int
2544 {
2547 /* Close the underlying object */
2549 {
2566 }
2568 /* Compact storage in the allocatedDescs array */
2569 numAllocatedDescs--;
2573 }
2575 /*
2576 * Close a file returned by AllocateFile.
2577 *
2578 * Note we do not check fclose's return value --- it is up to the caller
2579 * to handle close errors.
2580 */
2581 int
2583 {
2588 /* Remove file from list of allocated files, if it's present */
2590 {
2595 }
2597 /* Only get here if someone passes us a file not in allocatedDescs */
2601 }
2603 /*
2604 * Close a file returned by OpenTransientFile.
2605 *
2606 * Note we do not check close's return value --- it is up to the caller
2607 * to handle close errors.
2608 */
2609 int
2611 {
2616 /* Remove fd from list of allocated files, if it's present */
2618 {
2623 }
2625 /* Only get here if someone passes us a file not in allocatedDescs */
2629 }
2631 /*
2632 * Routines that want to use <dirent.h> (ie, DIR*) should use AllocateDir
2633 * rather than plain opendir(). This lets fd.c deal with freeing FDs if
2634 * necessary to open the directory, and with closing it after an elog.
2635 * When done, call FreeDir rather than closedir.
2636 *
2637 * Returns NULL, with errno set, on failure. Note that failure detection
2638 * is commonly left to the following call of ReadDir or ReadDirExtended;
2639 * see the comments for ReadDir.
2640 *
2641 * Ideally this should be the *only* direct call of opendir() in the backend.
2642 */
2645 {
2651 /* Can we allocate another non-virtual FD? */
2658 /* Close excess kernel FDs. */
2661 TryAgain:
2663 {
2669 numAllocatedDescs++;
2671 }
2674 {
2684 }
2687 }
2689 /*
2690 * Read a directory opened with AllocateDir, ereport'ing any error.
2691 *
2692 * This is easier to use than raw readdir() since it takes care of some
2693 * otherwise rather tedious and error-prone manipulation of errno. Also,
2694 * if you are happy with a generic error message for AllocateDir failure,
2695 * you can just do
2696 *
2697 * dir = AllocateDir(path);
2698 * while ((dirent = ReadDir(dir, path)) != NULL)
2699 * process dirent;
2700 * FreeDir(dir);
2701 *
2702 * since a NULL dir parameter is taken as indicating AllocateDir failed.
2703 * (Make sure errno isn't changed between AllocateDir and ReadDir if you
2704 * use this shortcut.)
2705 *
2706 * The pathname passed to AllocateDir must be passed to this routine too,
2707 * but it is only used for error reporting.
2708 */
2711 {
2713 }
2715 /*
2716 * Alternate version of ReadDir that allows caller to specify the elevel
2717 * for any error report (whether it's reporting an initial failure of
2718 * AllocateDir or a subsequent directory read failure).
2719 *
2720 * If elevel < ERROR, returns NULL after any error. With the normal coding
2721 * pattern, this will result in falling out of the loop immediately as
2722 * though the directory contained no (more) entries.
2723 */
2726 {
2729 /* Give a generic message for AllocateDir failure, if caller didn't */
2731 {
2735 dirname)));
2737 }
2747 dirname)));
2749 }
2751 /*
2752 * Close a directory opened with AllocateDir.
2753 *
2754 * Returns closedir's return value (with errno set if it's not 0).
2755 * Note we do not check the return value --- it is up to the caller
2756 * to handle close errors if wanted.
2757 *
2758 * Does nothing if dir == NULL; we assume that directory open failure was
2759 * already reported if desired.
2760 */
2761 int
2763 {
2766 /* Nothing to do if AllocateDir failed */
2772 /* Remove dir from list of allocated dirs, if it's present */
2774 {
2779 }
2781 /* Only get here if someone passes us a dir not in allocatedDescs */
2785 }
2788 /*
2789 * Close a pipe stream returned by OpenPipeStream.
2790 */
2791 int
2793 {
2798 /* Remove file from list of allocated files, if it's present */
2800 {
2805 }
2807 /* Only get here if someone passes us a file not in allocatedDescs */
2811 }
2813 /*
2814 * closeAllVfds
2815 *
2816 * Force all VFDs into the physically-closed state, so that the fewest
2817 * possible number of kernel file descriptors are in use. There is no
2818 * change in the logical state of the VFDs.
2819 */
2820 void
2822 {
2823 Index i;
2826 {
2829 {
2832 }
2833 }
2834 }
2837 /*
2838 * SetTempTablespaces
2839 *
2840 * Define a list (actually an array) of OIDs of tablespaces to use for
2841 * temporary files. This list will be used until end of transaction,
2842 * unless this function is called again before then. It is caller's
2843 * responsibility that the passed-in array has adequate lifespan (typically
2844 * it'd be allocated in TopTransactionContext).
2845 *
2846 * Some entries of the array may be InvalidOid, indicating that the current
2847 * database's default tablespace should be used.
2848 */
2849 void
2851 {
2856 /*
2857 * Select a random starting point in the list. This is to minimize
2858 * conflicts between backends that are most likely sharing the same list
2859 * of temp tablespaces. Note that if we create multiple temp files in the
2860 * same transaction, we'll advance circularly through the list --- this
2861 * ensures that large temporary sort files are nicely spread across all
2862 * available tablespaces.
2863 */
2867 else
2869 }
2871 /*
2872 * TempTablespacesAreSet
2873 *
2874 * Returns true if SetTempTablespaces has been called in current transaction.
2875 * (This is just so that tablespaces.c doesn't need its own per-transaction
2876 * state.)
2877 */
2878 bool
2880 {
2882 }
2884 /*
2885 * GetTempTablespaces
2886 *
2887 * Populate an array with the OIDs of the tablespaces that should be used for
2888 * temporary files. (Some entries may be InvalidOid, indicating that the
2889 * current database's default tablespace should be used.) At most numSpaces
2890 * entries will be filled.
2891 * Returns the number of OIDs that were copied into the output array.
2892 */
2893 int
2895 {
2903 }
2905 /*
2906 * GetNextTempTableSpace
2907 *
2908 * Select the next temp tablespace to use. A result of InvalidOid means
2909 * to use the current database's default tablespace.
2910 */
2911 Oid
2913 {
2915 {
2916 /* Advance nextTempTableSpace counter with wraparound */
2920 }
2922 }
2925 /*
2926 * AtEOSubXact_Files
2927 *
2928 * Take care of subtransaction commit/abort. At abort, we close temp files
2929 * that the subtransaction may have opened. At commit, we reassign the
2930 * files that were opened to the parent subtransaction.
2931 */
2932 void
2934 SubTransactionId parentSubid)
2935 {
2936 Index i;
2939 {
2941 {
2944 else
2945 {
2946 /* have to recheck the item after FreeDesc (ugly) */
2948 }
2949 }
2950 }
2951 }
2953 /*
2954 * AtEOXact_Files
2955 *
2956 * This routine is called during transaction commit or abort. All still-open
2957 * per-transaction temporary file VFDs are closed, which also causes the
2958 * underlying files to be deleted (although they should've been closed already
2959 * by the ResourceOwner cleanup). Furthermore, all "allocated" stdio files are
2960 * closed. We also forget any transaction-local temp tablespace list.
2961 *
2962 * The isCommit flag is used only to decide whether to emit warnings about
2963 * unclosed files.
2964 */
2965 void
2967 {
2971 }
2973 /*
2974 * BeforeShmemExit_Files
2975 *
2976 * before_shmem_access hook to clean up temp files during backend shutdown.
2977 * Here, we want to clean up *all* temp files including interXact ones.
2978 */
2979 static void
2981 {
2984 /* prevent further temp files from being created */
2985 #ifdef USE_ASSERT_CHECKING
2987 #endif
2988 }
2990 /*
2991 * Close temporary files and delete their underlying files.
2992 *
2993 * isCommit: if true, this is normal transaction commit, and we don't
2994 * expect any remaining files; warn if there are some.
2995 *
2996 * isProcExit: if true, this is being called as the backend process is
2997 * exiting. If that's the case, we should remove all temporary files; if
2998 * that's not the case, we are being called for transaction commit/abort
2999 * and should only remove transaction-local temp files. In either case,
3000 * also clean up "allocated" stdio files, dirs and fds.
3001 */
3002 static void
3004 {
3005 Index i;
3007 /*
3008 * Careful here: at proc_exit we need extra cleanup, not just
3009 * xact_temporary files.
3010 */
3012 {
3015 {
3020 {
3021 /*
3022 * If we're in the process of exiting a backend process, close
3023 * all temporary files. Otherwise, only close temporary files
3024 * local to the current transaction. They should be closed by
3025 * the ResourceOwner mechanism already, so this is just a
3026 * debugging cross-check.
3027 */
3031 {
3036 }
3037 }
3038 }
3041 }
3043 /* Complain if any allocated files remain open at commit. */
3046 numAllocatedDescs);
3048 /* Clean up "allocated" stdio files, dirs and fds. */
3051 }
3054 /*
3055 * Remove temporary and temporary relation files left over from a prior
3056 * postmaster session
3057 *
3058 * This should be called during postmaster startup. It will forcibly
3059 * remove any leftover files created by OpenTemporaryFile and any leftover
3060 * temporary relation files created by mdcreate.
3061 *
3062 * During post-backend-crash restart cycle, this routine is called when
3063 * remove_temp_files_after_crash GUC is enabled. Multiple crashes while
3064 * queries are using temp files could result in useless storage usage that can
3065 * only be reclaimed by a service restart. The argument against enabling it is
3066 * that someone might want to examine the temporary files for debugging
3067 * purposes. This does however mean that OpenTemporaryFile had better allow for
3068 * collision with an existing temp file name.
3069 *
3070 * NOTE: this function and its subroutines generally report syscall failures
3071 * with ereport(LOG) and keep going. Removing temp files is not so critical
3072 * that we should fail to start the database when we can't do it.
3073 */
3074 void
3076 {
3077 char temp_path[MAXPGPATH + 10 + sizeof(TABLESPACE_VERSION_DIRECTORY) + sizeof(PG_TEMP_FILES_DIR)];
3081 /*
3082 * First process temp files in pg_default ($PGDATA/base)
3083 */
3088 /*
3089 * Cycle through temp directories for all non-default tablespaces.
3090 */
3094 {
3106 }
3110 /*
3111 * In EXEC_BACKEND case there is a pgsql_tmp directory at the top level of
3112 * DataDir as well. However, that is *not* cleaned here because doing so
3113 * would create a race condition. It's done separately, earlier in
3114 * postmaster startup.
3115 */
3116 }
3118 /*
3119 * Process one pgsql_tmp directory for RemovePgTempFiles.
3120 *
3121 * If missing_ok is true, it's all right for the named directory to not exist.
3122 * Any other problem results in a LOG message. (missing_ok should be true at
3123 * the top level, since pgsql_tmp directories are not created until needed.)
3124 *
3125 * At the top level, this should be called with unlink_all = false, so that
3126 * only files matching the temporary name prefix will be unlinked. When
3127 * recursing it will be called with unlink_all = true to unlink everything
3128 * under a top-level temporary directory.
3129 *
3130 * (These two flags could be replaced by one, but it seems clearer to keep
3131 * them separate.)
3132 */
3133 void
3135 {
3146 {
3156 PG_TEMP_FILE_PREFIX,
3158 {
3164 {
3165 /* recursively remove contents, then directory itself */
3172 rm_path)));
3173 }
3174 else
3175 {
3180 rm_path)));
3181 }
3182 }
3183 else
3186 rm_path)));
3187 }
3190 }
3192 /* Process one tablespace directory, look for per-DB subdirectories */
3193 static void
3195 {
3203 {
3204 /*
3205 * We're only interested in the per-database directories, which have
3206 * numeric names. Note that this code will also (properly) ignore "."
3207 * and "..".
3208 */
3215 }
3218 }
3220 /* Process one per-dbspace directory for RemovePgTempRelationFiles */
3221 static void
3223 {
3231 {
3242 rm_path)));
3243 }
3246 }
3248 /* t<digits>_<digits>, or t<digits>_<digits>_<forkname> */
3249 bool
3251 {
3255 /* Must start with "t". */
3259 /* Followed by a non-empty string of digits and then an underscore. */
3261 ;
3265 /* Followed by another nonempty string of digits. */
3267 ;
3271 /* We might have _forkname or .segment or both. */
3273 {
3279 }
3281 {
3285 ;
3289 }
3291 /* Now we should be at the end. */
3295 }
3297 #ifdef HAVE_SYNCFS
3298 static void
3300 {
3303 ereport_startup_progress("syncing data directory (syncfs), elapsed time: %ld.%02d s, current path: %s",
3304 path);
3308 {
3313 }
3319 }
3320 #endif
3322 /*
3323 * Issue fsync recursively on PGDATA and all its contents, or issue syncfs for
3324 * all potential filesystem, depending on recovery_init_sync_method setting.
3325 *
3326 * We fsync regular files and directories wherever they are, but we
3327 * follow symlinks only for pg_wal and immediately under pg_tblspc.
3328 * Other symlinks are presumed to point at files we're not responsible
3329 * for fsyncing, and might not have privileges to write at all.
3330 *
3331 * Errors are logged but not considered fatal; that's because this is used
3332 * only during database startup, to deal with the possibility that there are
3333 * issued-but-unsynced writes pending against the data directory. We want to
3334 * ensure that such writes reach disk before anything that's done in the new
3335 * run. However, aborting on error would result in failure to start for
3336 * harmless cases such as read-only files in the data directory, and that's
3337 * not good either.
3338 *
3339 * Note that if we previously crashed due to a PANIC on fsync(), we'll be
3340 * rewriting all changes again during recovery.
3341 *
3342 * Note we assume we're chdir'd into PGDATA to begin with.
3343 */
3344 void
3346 {
3349 /* We can skip this whole thing if fsync is disabled. */
3353 /*
3354 * If pg_wal is a symlink, we'll need to recurse into it separately,
3355 * because the first walkdir below will ignore it.
3356 */
3359 {
3369 }
3371 #ifdef HAVE_SYNCFS
3373 {
3377 /*
3378 * On Linux, we don't have to open every single file one by one. We
3379 * can use syncfs() to sync whole filesystems. We only expect
3380 * filesystem boundaries to exist where we tolerate symlinks, namely
3381 * pg_wal and the tablespaces, so we call syncfs() for each of those
3382 * directories.
3383 */
3385 /* Prepare to report progress syncing the data directory via syncfs. */
3388 /* Sync the top level pgdata directory. */
3390 /* If any tablespaces are configured, sync each of those. */
3393 {
3401 }
3403 /* If pg_wal is a symlink, process that too. */
3407 }
3410 #ifdef PG_FLUSH_DATA_WORKS
3411 /* Prepare to report progress of the pre-fsync phase. */
3414 /*
3415 * If possible, hint to the kernel that we're soon going to fsync the data
3416 * directory and its contents. Errors in this step are even less
3417 * interesting than normal, so log them only at DEBUG1.
3418 */
3423 #endif
3425 /* Prepare to report progress syncing the data directory via fsync. */
3428 /*
3429 * Now we do the fsync()s in the same order.
3430 *
3431 * The main call ignores symlinks, so in addition to specially processing
3432 * pg_wal if it's a symlink, pg_tblspc has to be visited separately with
3433 * process_symlinks = true. Note that if there are any plain directories
3434 * in pg_tblspc, they'll get fsync'd twice. That's not an expected case
3435 * so we don't worry about optimizing it.
3436 */
3441 }
3443 /*
3444 * walkdir: recursively walk a directory, applying the action to each
3445 * regular file and directory (including the named directory itself).
3446 *
3447 * If process_symlinks is true, the action and recursion are also applied
3448 * to regular files and directories that are pointed to by symlinks in the
3449 * given directory; otherwise symlinks are ignored. Symlinks are always
3450 * ignored in subdirectories, ie we intentionally don't pass down the
3451 * process_symlinks flag to recursive calls.
3452 *
3453 * Errors are reported at level elevel, which might be ERROR or less.
3454 *
3455 * See also walkdir in file_utils.c, which is a frontend version of this
3456 * logic.
3457 */
3458 static void
3463 {
3470 {
3482 {
3491 /*
3492 * Errors are already reported directly by get_dirent_type(),
3493 * and any remaining symlinks and unknown file types are
3494 * ignored.
3495 */
3497 }
3498 }
3502 /*
3503 * It's important to fsync the destination directory itself as individual
3504 * file fsyncs don't guarantee that the directory entry for the file is
3505 * synced. However, skip this if AllocateDir failed; the action function
3506 * might not be robust against that.
3507 */
3510 }
3513 /*
3514 * Hint to the OS that it should get ready to fsync() this file.
3515 *
3516 * Ignores errors trying to open unreadable files, and logs other errors at a
3517 * caller-specified level.
3518 */
3519 #ifdef PG_FLUSH_DATA_WORKS
3521 static void
3523 {
3526 /* Don't try to flush directories, it'll likely just fail */
3530 ereport_startup_progress("syncing data directory (pre-fsync), elapsed time: %ld.%02d s, current path: %s",
3531 fname);
3536 {
3543 }
3545 /*
3546 * pg_flush_data() ignores errors, which is ok because this is only a
3547 * hint.
3548 */
3555 }
3559 static void
3561 {
3562 ereport_startup_progress("syncing data directory (fsync), elapsed time: %ld.%02d s, current path: %s",
3563 fname);
3565 /*
3566 * We want to silently ignoring errors about unreadable files. Pass that
3567 * desire on to fsync_fname_ext().
3568 */
3570 }
3572 static void
3574 {
3576 {
3581 }
3582 else
3583 {
3584 /* Use PathNameDeleteTemporaryFile to report filesize */
3586 }
3587 }
3589 /*
3590 * fsync_fname_ext -- Try to fsync a file or directory
3591 *
3592 * If ignore_perm is true, ignore errors upon trying to open unreadable
3593 * files. Logs other errors at a caller-specified level.
3594 *
3595 * Returns 0 if the operation succeeded, -1 otherwise.
3596 */
3597 int
3599 {
3604 /*
3605 * Some OSs require directories to be opened read-only whereas other
3606 * systems don't allow us to fsync files opened read-only; so we need both
3607 * cases here. Using O_RDWR will cause us to fail to fsync files that are
3608 * not writable by our userid, but we assume that's OK.
3609 */
3613 else
3618 /*
3619 * Some OSs don't allow us to open directories at all (Windows returns
3620 * EACCES), just ignore the error in that case. If desired also silently
3621 * ignoring errors about unreadable files. Log others.
3622 */
3628 {
3633 }
3637 /*
3638 * Some OSes don't allow us to fsync directories at all, so we can ignore
3639 * those errors. Anything else needs to be logged.
3640 */
3642 {
3645 /* close file upon error, might not be in transaction context */
3654 }
3657 {
3662 }
3665 }
3667 /*
3668 * fsync_parent_path -- fsync the parent path of a file or directory
3669 *
3670 * This is aimed at making file operations persistent on disk in case of
3671 * an OS crash or power failure.
3672 */
3673 static int
3675 {
3681 /*
3682 * get_parent_directory() returns an empty string if the input argument is
3683 * just a file name (see comments in path.c), so handle that as being the
3684 * current directory.
3685 */
3693 }
3695 /*
3696 * Create a PostgreSQL data sub-directory
3697 *
3698 * The data directory itself, and most of its sub-directories, are created at
3699 * initdb time, but we do have some occasions when we create directories in
3700 * the backend (CREATE TABLESPACE, for example). In those cases, we want to
3701 * make sure that those directories are created consistently. Today, that means
3702 * making sure that the created directory has the correct permissions, which is
3703 * what pg_dir_create_mode tracks for us.
3704 *
3705 * Note that we also set the umask() based on what we understand the correct
3706 * permissions to be (see file_perm.c).
3707 *
3708 * For permissions other than the default, mkdir() can be used directly, but
3709 * be sure to consider carefully such cases -- a sub-directory with incorrect
3710 * permissions in a PostgreSQL data directory could cause backups and other
3711 * processes to fail.
3712 */
3713 int
3715 {
3717 }
3719 /*
3720 * Return the passed-in error level, or PANIC if data_sync_retry is off.
3721 *
3722 * Failure to fsync any data file is cause for immediate panic, unless
3723 * data_sync_retry is enabled. Data may have been written to the operating
3724 * system and removed from our buffer pool already, and if we are running on
3725 * an operating system that forgets dirty data on write-back failure, there
3726 * may be only one copy of the data remaining: in the WAL. A later attempt to
3727 * fsync again might falsely report success. Therefore we must not allow any
3728 * further checkpoints to be attempted. data_sync_retry can in theory be
3729 * enabled on systems known not to drop dirty buffered data on write-back
3730 * failure (with the likely outcome that checkpoints will continue to fail
3731 * until the underlying problem is fixed).
3732 *
3733 * Any code that reports a failure from fsync() or related functions should
3734 * filter the error level with this function.
3735 */
3736 int
3738 {
3740 }
3742 /*
3743 * A convenience wrapper for pwritev() that retries on partial write. If an
3744 * error is returned, it is unspecified how much has been written.
3745 */
3746 ssize_t
3748 {
3751 ssize_t part;
3753 /* We'd better have space to make a copy, in case we need to retry. */
3755 {
3758 }
3761 {
3762 /* Write as much as we can. */
3767 #ifdef SIMULATE_SHORT_WRITE
3769 #endif
3771 /* Count our progress. */
3775 /* Step over iovecs that are done. */
3777 {
3781 }
3783 /* Are they all done? */
3785 {
3786 /* We don't expect the kernel to write more than requested. */
3789 }
3791 /*
3792 * Move whatever's left to the front of our mutable copy and adjust
3793 * the leading iovec.
3794 */
3801 }
3804 }