NotificationsYou must be signed in to change notification settings
Fork6
Star31

Commitbfa282a

committed

Avoid unlikely data-loss scenarios due to rename() without fsync.

Renaming a file using rename(2) is not guaranteed to be durable in faceof crashes. Use the previously added durable_rename()/durable_link_or_rename()in various places where we previously just renamed files.Most of the changed call sites are arguably not critical, but it seemsbetter to err on the side of too much durability. The most prominentknown case where the previously missing fsyncs could cause data loss iscrashes at the end of a checkpoint. After the actual checkpoint has beenperformed, old WAL files are recycled. When they're filled, theircontents are fdatasynced, but we did not fsync the containingdirectory. An OS/hardware crash in an unfortunate moment could then endup leaving that file with its old name, but new content; WAL replaywould thus not replay it.Reported-By: Tomas VondraAuthor: Michael Paquier, Tomas Vondra, Andres FreundDiscussion: 56583BDD.9060302@2ndquadrant.comBackpatch: All supported branches

1 parente069848 commitbfa282aCopy full SHA for bfa282a

File tree

5 files changed

+17

-88

lines changed

contrib/pg_stat_statements
- pg_stat_statements.c
src/backend
- access/transam
- postmaster
  - pgarch.c

5 files changed

+17

-88

lines changed

`‎contrib/pg_stat_statements/pg_stat_statements.c`

Lines changed: 1 addition & 5 deletions

Original file line number	Diff line number	Diff line change
`@@ -588,11 +588,7 @@ pgss_shmem_shutdown(int code, Datum arg)`
`588`	`588`	`/*`
`589`	`589`	`* Rename file into place, so we atomically replace the old one.`
`590`	`590`	`*/`
`591`		`-if (rename(PGSS_DUMP_FILE".tmp",PGSS_DUMP_FILE)!=0)`
`592`		`-ereport(LOG,`
`593`		`-(errcode_for_file_access(),`
`594`		`-errmsg("could not rename pg_stat_statement file \"%s\": %m",`
`595`		`-PGSS_DUMP_FILE".tmp")));`
	`591`	`+(void)durable_rename(PGSS_DUMP_FILE".tmp",PGSS_DUMP_FILE,LOG);`
`596`	`592`
`597`	`593`	`return;`
`598`	`594`

`‎src/backend/access/transam/timeline.c`

Lines changed: 6 additions & 34 deletions

Original file line number	Diff line number	Diff line change
`@@ -418,24 +418,10 @@ writeTimeLineHistory(TimeLineID newTLI, TimeLineID parentTLI,`
`418`	`418`	`TLHistoryFilePath(path,newTLI);`
`419`	`419`
`420`	`420`	`/*`
`421`		`- * Prefer link() to rename() here just to be really sure that we don't`
`422`		`- * overwrite an existing file. However, there shouldn't be one, so`
`423`		`- * rename() is an acceptable substitute except for the truly paranoid.`
	`421`	`+ * Perform the rename using link if available, paranoidly trying to avoid`
	`422`	`+ * overwriting an existing file (there shouldn't be one).`
`424`	`423`	`*/`
`425`		`-#ifHAVE_WORKING_LINK`
`426`		`-if (link(tmppath,path)<0)`
`427`		`-ereport(ERROR,`
`428`		`-(errcode_for_file_access(),`
`429`		`-errmsg("could not link file \"%s\" to \"%s\": %m",`
`430`		`-tmppath,path)));`
`431`		`-unlink(tmppath);`
`432`		`-#else`
`433`		`-if (rename(tmppath,path)<0)`
`434`		`-ereport(ERROR,`
`435`		`-(errcode_for_file_access(),`
`436`		`-errmsg("could not rename file \"%s\" to \"%s\": %m",`
`437`		`-tmppath,path)));`
`438`		`-#endif`
	`424`	`+durable_link_or_rename(tmppath,path,ERROR);`
`439`	`425`
`440`	`426`	`/* The history file can be archived immediately. */`
`441`	`427`	`if (XLogArchivingActive())`
`@@ -508,24 +494,10 @@ writeTimeLineHistoryFile(TimeLineID tli, char *content, int size)`
`508`	`494`	`TLHistoryFilePath(path,tli);`
`509`	`495`
`510`	`496`	`/*`
`511`		`- * Prefer link() to rename() here just to be really sure that we don't`
`512`		`- * overwrite an existing logfile. However, there shouldn't be one, so`
`513`		`- * rename() is an acceptable substitute except for the truly paranoid.`
	`497`	`+ * Perform the rename using link if available, paranoidly trying to avoid`
	`498`	`+ * overwriting an existing file (there shouldn't be one).`
`514`	`499`	`*/`
`515`		`-#ifHAVE_WORKING_LINK`
`516`		`-if (link(tmppath,path)<0)`
`517`		`-ereport(ERROR,`
`518`		`-(errcode_for_file_access(),`
`519`		`-errmsg("could not link file \"%s\" to \"%s\": %m",`
`520`		`-tmppath,path)));`
`521`		`-unlink(tmppath);`
`522`		`-#else`
`523`		`-if (rename(tmppath,path)<0)`
`524`		`-ereport(ERROR,`
`525`		`-(errcode_for_file_access(),`
`526`		`-errmsg("could not rename file \"%s\" to \"%s\": %m",`
`527`		`-tmppath,path)));`
`528`		`-#endif`
	`500`	`+durable_link_or_rename(tmppath,path,ERROR);`
`529`	`501`	`}`
`530`	`502`
`531`	`503`	`/*`

`‎src/backend/access/transam/xlog.c`

Lines changed: 7 additions & 33 deletions

Original file line number	Diff line number	Diff line change
`@@ -2553,34 +2553,16 @@ InstallXLogFileSegment(XLogSegNo segno, char tmppath,`
`2553`	`2553`	`}`
`2554`	`2554`
`2555`	`2555`	`/*`
`2556`		`- * Prefer link() to rename() here just to be really sure that we don't`
`2557`		`- * overwrite an existing logfile. However, there shouldn't be one, so`
`2558`		`- * rename() is an acceptable substitute except for the truly paranoid.`
	`2556`	`+ * Perform the rename using link if available, paranoidly trying to avoid`
	`2557`	`+ * overwriting an existing file (there shouldn't be one).`
`2559`	`2558`	`*/`
`2560`		`-#ifHAVE_WORKING_LINK`
`2561`		`-if (link(tmppath,path)<0)`
	`2559`	`+if (durable_link_or_rename(tmppath,path,LOG)!=0)`
`2562`	`2560`	`{`
`2563`	`2561`	`if (use_lock)`
`2564`	`2562`	`LWLockRelease(ControlFileLock);`
`2565`		`-ereport(LOG,`
`2566`		`-(errcode_for_file_access(),`
`2567`		`-errmsg("could not link file \"%s\" to \"%s\" (initialization of log file): %m",`
`2568`		`-tmppath,path)));`
`2569`		`-return false;`
`2570`		`-}`
`2571`		`-unlink(tmppath);`
`2572`		`-#else`
`2573`		`-if (rename(tmppath,path)<0)`
`2574`		`-{`
`2575`		`-if (use_lock)`
`2576`		`-LWLockRelease(ControlFileLock);`
`2577`		`-ereport(LOG,`
`2578`		`-(errcode_for_file_access(),`
`2579`		`-errmsg("could not rename file \"%s\" to \"%s\" (initialization of log file): %m",`
`2580`		`-tmppath,path)));`
	`2563`	`+/* durable_link_or_rename already emitted log message */`
`2581`	`2564`	`return false;`
`2582`	`2565`	`}`
`2583`		`-#endif`
`2584`	`2566`
`2585`	`2567`	`if (use_lock)`
`2586`	`2568`	`LWLockRelease(ControlFileLock);`
`@@ -4474,11 +4456,7 @@ exitArchiveRecovery(TimeLineID endTLI, XLogSegNo endLogSegNo)`
`4474`	`4456`	`* re-enter archive recovery mode in a subsequent crash.`
`4475`	`4457`	`*/`
`4476`	`4458`	`unlink(RECOVERY_COMMAND_DONE);`
`4477`		`-if (rename(RECOVERY_COMMAND_FILE,RECOVERY_COMMAND_DONE)!=0)`
`4478`		`-ereport(FATAL,`
`4479`		`-(errcode_for_file_access(),`
`4480`		`-errmsg("could not rename file \"%s\" to \"%s\": %m",`
`4481`		`-RECOVERY_COMMAND_FILE,RECOVERY_COMMAND_DONE)));`
	`4459`	`+durable_rename(RECOVERY_COMMAND_FILE,RECOVERY_COMMAND_DONE,FATAL);`
`4482`	`4460`
`4483`	`4461`	`ereport(LOG,`
`4484`	`4462`	`(errmsg("archive recovery complete")));`
`@@ -5472,11 +5450,7 @@ StartupXLOG(void)`
`5472`	`5450`	`if (haveBackupLabel)`
`5473`	`5451`	`{`
`5474`	`5452`	`unlink(BACKUP_LABEL_OLD);`
`5475`		`-if (rename(BACKUP_LABEL_FILE,BACKUP_LABEL_OLD)!=0)`
`5476`		`-ereport(FATAL,`
`5477`		`-(errcode_for_file_access(),`
`5478`		`-errmsg("could not rename file \"%s\" to \"%s\": %m",`
`5479`		`-BACKUP_LABEL_FILE,BACKUP_LABEL_OLD)));`
	`5453`	`+durable_rename(BACKUP_LABEL_FILE,BACKUP_LABEL_OLD,FATAL);`
`5480`	`5454`	`}`
`5481`	`5455`
`5482`	`5456`	`/* Check that the GUCs used to generate the WAL allow recovery */`
`@@ -9524,7 +9498,7 @@ CancelBackup(void)`
`9524`	`9498`	`/* remove leftover file from previously canceled backup if it exists */`
`9525`	`9499`	`unlink(BACKUP_LABEL_OLD);`
`9526`	`9500`
`9527`		`-if (rename(BACKUP_LABEL_FILE,BACKUP_LABEL_OLD)==0)`
	`9501`	`+if (durable_rename(BACKUP_LABEL_FILE,BACKUP_LABEL_OLD,DEBUG1)==0)`
`9528`	`9502`	`{`
`9529`	`9503`	`ereport(LOG,`
`9530`	`9504`	`(errmsg("online backup mode canceled"),`

`‎src/backend/access/transam/xlogarchive.c`

Lines changed: 2 additions & 11 deletions

Original file line number	Diff line number	Diff line change
`@@ -468,11 +468,7 @@ KeepFileRestoredFromArchive(char path, char xlogfname)`
`468`	`468`	`reload= true;`
`469`	`469`	`}`
`470`	`470`
`471`		`-if (rename(path,xlogfpath)<0)`
`472`		`-ereport(ERROR,`
`473`		`-(errcode_for_file_access(),`
`474`		`-errmsg("could not rename file \"%s\" to \"%s\": %m",`
`475`		`-path,xlogfpath)));`
	`471`	`+durable_rename(path,xlogfpath,ERROR);`
`476`	`472`
`477`	`473`	`/*`
`478`	`474`	`* Create .done file forcibly to prevent the restored segment from being`
`@@ -575,12 +571,7 @@ XLogArchiveForceDone(const char *xlog)`
`575`	`571`	`StatusFilePath(archiveReady,xlog,".ready");`
`576`	`572`	`if (stat(archiveReady,&stat_buf)==0)`
`577`	`573`	`{`
`578`		`-if (rename(archiveReady,archiveDone)<0)`
`579`		`-ereport(WARNING,`
`580`		`-(errcode_for_file_access(),`
`581`		`-errmsg("could not rename file \"%s\" to \"%s\": %m",`
`582`		`-archiveReady,archiveDone)));`
`583`		`-`
	`574`	`+(void)durable_rename(archiveReady,archiveDone,WARNING);`
`584`	`575`	`return;`
`585`	`576`	`}`
`586`	`577`

`‎src/backend/postmaster/pgarch.c`

Lines changed: 1 addition & 5 deletions

Original file line number	Diff line number	Diff line change
`@@ -750,9 +750,5 @@ pgarch_archiveDone(char *xlog)`
`750`	`750`
`751`	`751`	`StatusFilePath(rlogready,xlog,".ready");`
`752`	`752`	`StatusFilePath(rlogdone,xlog,".done");`
`753`		`-if (rename(rlogready,rlogdone)<0)`
`754`		`-ereport(WARNING,`
`755`		`-(errcode_for_file_access(),`
`756`		`-errmsg("could not rename file \"%s\" to \"%s\": %m",`
`757`		`-rlogready,rlogdone)));`
	`753`	`+(void)durable_rename(rlogready,rlogdone,WARNING);`
`758`	`754`	`}`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commitbfa282a

File tree

5 files changed

5 files changed

`‎contrib/pg_stat_statements/pg_stat_statements.c`

`‎src/backend/access/transam/timeline.c`

`‎src/backend/access/transam/xlog.c`

`‎src/backend/access/transam/xlogarchive.c`

`‎src/backend/postmaster/pgarch.c`

0 commit comments