From 7d1b7609f80d073d2ca0b13b432ead8133850c0a Mon Sep 17 00:00:00 2001 From: Michael Paquier Date: Sat, 2 Sep 2017 21:07:21 +0900 Subject: [PATCH 1/2] Change detection of corrupted 2PC files as FATAL When scanning 2PC files, be it for initializing a hot standby node or finding the XID range at the end of recovery, bumping on a corrupted 2PC file is reported as a WARNING and are blindly corrupted. If it happened that the corrupted file was actually legit, there is actually a risk of corruption, so switch that to a hard failure. --- src/backend/access/transam/twophase.c | 28 ++++++++++------------------ src/backend/access/transam/xlog.c | 10 +++++++--- 2 files changed, 17 insertions(+), 21 deletions(-) diff --git a/src/backend/access/transam/twophase.c b/src/backend/access/transam/twophase.c index cfaf8da781..e09b85428d 100644 --- a/src/backend/access/transam/twophase.c +++ b/src/backend/access/transam/twophase.c @@ -1778,6 +1778,10 @@ restoreTwoPhaseData(void) * write a WAL entry, and so there might be no evidence in WAL of those * subxact XIDs. * + * On corrupted two-phase files, fail immediately. Keeping around broken + * entries and let replay continue causes harm on the system, and likely + * a new backup should be rolled in. + * * Our other responsibility is to determine and return the oldest valid XID * among the prepared xacts (if none, return ShmemVariableCache->nextXid). * This is needed to synchronize pg_subtrans startup properly. @@ -2070,13 +2074,9 @@ ProcessTwoPhaseBuffer(TransactionId xid, /* Read and validate file */ buf = ReadTwoPhaseFile(xid, true); if (buf == NULL) - { - ereport(WARNING, - (errmsg("removing corrupt two-phase state file for transaction %u", + ereport(FATAL, + (errmsg("corrupted two-phase state file for \"%u\"", xid))); - RemoveTwoPhaseFile(xid, true); - return NULL; - } } else { @@ -2089,21 +2089,13 @@ ProcessTwoPhaseBuffer(TransactionId xid, if (!TransactionIdEquals(hdr->xid, xid)) { if (fromdisk) - { - ereport(WARNING, - (errmsg("removing corrupt two-phase state file for transaction %u", + ereport(FATAL, + (errmsg("corrupted two-phase state file for \"%u\"", xid))); - RemoveTwoPhaseFile(xid, true); - } else - { - ereport(WARNING, - (errmsg("removing corrupt two-phase state from memory for transaction %u", + ereport(FATAL, + (errmsg("corrupted two-phase state in memory for \"%u\"", xid))); - PrepareRedoRemove(xid, true); - } - pfree(buf); - return NULL; } /* diff --git a/src/backend/access/transam/xlog.c b/src/backend/access/transam/xlog.c index dd028a12a4..64a7d24e85 100644 --- a/src/backend/access/transam/xlog.c +++ b/src/backend/access/transam/xlog.c @@ -7463,6 +7463,13 @@ StartupXLOG(void) } } + /* + * Pre-scan prepared transactions to find out the range of XIDs present. + * We don't need this information quite yet, but if it fails for some + * reason, better to fail before we make any on-disk changes. + */ + oldestActiveXID = PrescanPreparedTransactions(NULL, NULL); + /* * Consider whether we need to assign a new timeline ID. * @@ -7586,9 +7593,6 @@ StartupXLOG(void) XLogCtl->LogwrtRqst.Write = EndOfLog; XLogCtl->LogwrtRqst.Flush = EndOfLog; - /* Pre-scan prepared transactions to find out the range of XIDs present */ - oldestActiveXID = PrescanPreparedTransactions(NULL, NULL); - /* * Update full_page_writes in shared memory and write an XLOG_FPW_CHANGE * record before resource manager writes cleanup WAL records or checkpoint -- 2.14.2