summaryrefslogtreecommitdiffstats
path: root/src/backend/postmaster/postmaster.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/backend/postmaster/postmaster.c')
-rw-r--r--src/backend/postmaster/postmaster.c6549
1 files changed, 6549 insertions, 0 deletions
diff --git a/src/backend/postmaster/postmaster.c b/src/backend/postmaster/postmaster.c
new file mode 100644
index 0000000..b42aae4
--- /dev/null
+++ b/src/backend/postmaster/postmaster.c
@@ -0,0 +1,6549 @@
+/*-------------------------------------------------------------------------
+ *
+ * postmaster.c
+ * This program acts as a clearing house for requests to the
+ * POSTGRES system. Frontend programs send a startup message
+ * to the Postmaster and the postmaster uses the info in the
+ * message to setup a backend process.
+ *
+ * The postmaster also manages system-wide operations such as
+ * startup and shutdown. The postmaster itself doesn't do those
+ * operations, mind you --- it just forks off a subprocess to do them
+ * at the right times. It also takes care of resetting the system
+ * if a backend crashes.
+ *
+ * The postmaster process creates the shared memory and semaphore
+ * pools during startup, but as a rule does not touch them itself.
+ * In particular, it is not a member of the PGPROC array of backends
+ * and so it cannot participate in lock-manager operations. Keeping
+ * the postmaster away from shared memory operations makes it simpler
+ * and more reliable. The postmaster is almost always able to recover
+ * from crashes of individual backends by resetting shared memory;
+ * if it did much with shared memory then it would be prone to crashing
+ * along with the backends.
+ *
+ * When a request message is received, we now fork() immediately.
+ * The child process performs authentication of the request, and
+ * then becomes a backend if successful. This allows the auth code
+ * to be written in a simple single-threaded style (as opposed to the
+ * crufty "poor man's multitasking" code that used to be needed).
+ * More importantly, it ensures that blockages in non-multithreaded
+ * libraries like SSL or PAM cannot cause denial of service to other
+ * clients.
+ *
+ *
+ * Portions Copyright (c) 1996-2023, PostgreSQL Global Development Group
+ * Portions Copyright (c) 1994, Regents of the University of California
+ *
+ *
+ * IDENTIFICATION
+ * src/backend/postmaster/postmaster.c
+ *
+ * NOTES
+ *
+ * Initialization:
+ * The Postmaster sets up shared memory data structures
+ * for the backends.
+ *
+ * Synchronization:
+ * The Postmaster shares memory with the backends but should avoid
+ * touching shared memory, so as not to become stuck if a crashing
+ * backend screws up locks or shared memory. Likewise, the Postmaster
+ * should never block on messages from frontend clients.
+ *
+ * Garbage Collection:
+ * The Postmaster cleans up after backends if they have an emergency
+ * exit and/or core dump.
+ *
+ * Error Reporting:
+ * Use write_stderr() only for reporting "interactive" errors
+ * (essentially, bogus arguments on the command line). Once the
+ * postmaster is launched, use ereport().
+ *
+ *-------------------------------------------------------------------------
+ */
+
+#include "postgres.h"
+
+#include <unistd.h>
+#include <signal.h>
+#include <time.h>
+#include <sys/wait.h>
+#include <ctype.h>
+#include <sys/stat.h>
+#include <sys/socket.h>
+#include <fcntl.h>
+#include <sys/param.h>
+#include <netdb.h>
+#include <limits.h>
+
+#ifdef USE_BONJOUR
+#include <dns_sd.h>
+#endif
+
+#ifdef USE_SYSTEMD
+#include <systemd/sd-daemon.h>
+#endif
+
+#ifdef HAVE_PTHREAD_IS_THREADED_NP
+#include <pthread.h>
+#endif
+
+#include "access/transam.h"
+#include "access/xlog.h"
+#include "access/xlogrecovery.h"
+#include "catalog/pg_control.h"
+#include "common/file_perm.h"
+#include "common/ip.h"
+#include "common/pg_prng.h"
+#include "common/string.h"
+#include "lib/ilist.h"
+#include "libpq/auth.h"
+#include "libpq/libpq.h"
+#include "libpq/pqformat.h"
+#include "libpq/pqsignal.h"
+#include "nodes/queryjumble.h"
+#include "pg_getopt.h"
+#include "pgstat.h"
+#include "port/pg_bswap.h"
+#include "postmaster/autovacuum.h"
+#include "postmaster/auxprocess.h"
+#include "postmaster/bgworker_internals.h"
+#include "postmaster/fork_process.h"
+#include "postmaster/interrupt.h"
+#include "postmaster/pgarch.h"
+#include "postmaster/postmaster.h"
+#include "postmaster/syslogger.h"
+#include "replication/logicallauncher.h"
+#include "replication/walsender.h"
+#include "storage/fd.h"
+#include "storage/ipc.h"
+#include "storage/pg_shmem.h"
+#include "storage/pmsignal.h"
+#include "storage/proc.h"
+#include "tcop/tcopprot.h"
+#include "utils/builtins.h"
+#include "utils/datetime.h"
+#include "utils/memutils.h"
+#include "utils/pidfile.h"
+#include "utils/ps_status.h"
+#include "utils/timeout.h"
+#include "utils/timestamp.h"
+#include "utils/varlena.h"
+
+#ifdef EXEC_BACKEND
+#include "storage/spin.h"
+#endif
+
+
+/*
+ * Possible types of a backend. Beyond being the possible bkend_type values in
+ * struct bkend, these are OR-able request flag bits for SignalSomeChildren()
+ * and CountChildren().
+ */
+#define BACKEND_TYPE_NORMAL 0x0001 /* normal backend */
+#define BACKEND_TYPE_AUTOVAC 0x0002 /* autovacuum worker process */
+#define BACKEND_TYPE_WALSND 0x0004 /* walsender process */
+#define BACKEND_TYPE_BGWORKER 0x0008 /* bgworker process */
+#define BACKEND_TYPE_ALL 0x000F /* OR of all the above */
+
+/*
+ * List of active backends (or child processes anyway; we don't actually
+ * know whether a given child has become a backend or is still in the
+ * authorization phase). This is used mainly to keep track of how many
+ * children we have and send them appropriate signals when necessary.
+ *
+ * As shown in the above set of backend types, this list includes not only
+ * "normal" client sessions, but also autovacuum workers, walsenders, and
+ * background workers. (Note that at the time of launch, walsenders are
+ * labeled BACKEND_TYPE_NORMAL; we relabel them to BACKEND_TYPE_WALSND
+ * upon noticing they've changed their PMChildFlags entry. Hence that check
+ * must be done before any operation that needs to distinguish walsenders
+ * from normal backends.)
+ *
+ * Also, "dead_end" children are in it: these are children launched just for
+ * the purpose of sending a friendly rejection message to a would-be client.
+ * We must track them because they are attached to shared memory, but we know
+ * they will never become live backends. dead_end children are not assigned a
+ * PMChildSlot. dead_end children have bkend_type NORMAL.
+ *
+ * "Special" children such as the startup, bgwriter and autovacuum launcher
+ * tasks are not in this list. They are tracked via StartupPID and other
+ * pid_t variables below. (Thus, there can't be more than one of any given
+ * "special" child process type. We use BackendList entries for any child
+ * process there can be more than one of.)
+ */
+typedef struct bkend
+{
+ pid_t pid; /* process id of backend */
+ int32 cancel_key; /* cancel key for cancels for this backend */
+ int child_slot; /* PMChildSlot for this backend, if any */
+ int bkend_type; /* child process flavor, see above */
+ bool dead_end; /* is it going to send an error and quit? */
+ bool bgworker_notify; /* gets bgworker start/stop notifications */
+ dlist_node elem; /* list link in BackendList */
+} Backend;
+
+static dlist_head BackendList = DLIST_STATIC_INIT(BackendList);
+
+#ifdef EXEC_BACKEND
+static Backend *ShmemBackendArray;
+#endif
+
+BackgroundWorker *MyBgworkerEntry = NULL;
+
+
+
+/* The socket number we are listening for connections on */
+int PostPortNumber = DEF_PGPORT;
+
+/* The directory names for Unix socket(s) */
+char *Unix_socket_directories;
+
+/* The TCP listen address(es) */
+char *ListenAddresses;
+
+/*
+ * SuperuserReservedConnections is the number of backends reserved for
+ * superuser use, and ReservedConnections is the number of backends reserved
+ * for use by roles with privileges of the pg_use_reserved_connections
+ * predefined role. These are taken out of the pool of MaxConnections backend
+ * slots, so the number of backend slots available for roles that are neither
+ * superuser nor have privileges of pg_use_reserved_connections is
+ * (MaxConnections - SuperuserReservedConnections - ReservedConnections).
+ *
+ * If the number of remaining slots is less than or equal to
+ * SuperuserReservedConnections, only superusers can make new connections. If
+ * the number of remaining slots is greater than SuperuserReservedConnections
+ * but less than or equal to
+ * (SuperuserReservedConnections + ReservedConnections), only superusers and
+ * roles with privileges of pg_use_reserved_connections can make new
+ * connections. Note that pre-existing superuser and
+ * pg_use_reserved_connections connections don't count against the limits.
+ */
+int SuperuserReservedConnections;
+int ReservedConnections;
+
+/* The socket(s) we're listening to. */
+#define MAXLISTEN 64
+static pgsocket ListenSocket[MAXLISTEN];
+
+/* still more option variables */
+bool EnableSSL = false;
+
+int PreAuthDelay = 0;
+int AuthenticationTimeout = 60;
+
+bool log_hostname; /* for ps display and logging */
+bool Log_connections = false;
+bool Db_user_namespace = false;
+
+bool enable_bonjour = false;
+char *bonjour_name;
+bool restart_after_crash = true;
+bool remove_temp_files_after_crash = true;
+bool send_abort_for_crash = false;
+bool send_abort_for_kill = false;
+
+/* PIDs of special child processes; 0 when not running */
+static pid_t StartupPID = 0,
+ BgWriterPID = 0,
+ CheckpointerPID = 0,
+ WalWriterPID = 0,
+ WalReceiverPID = 0,
+ AutoVacPID = 0,
+ PgArchPID = 0,
+ SysLoggerPID = 0;
+
+/* Startup process's status */
+typedef enum
+{
+ STARTUP_NOT_RUNNING,
+ STARTUP_RUNNING,
+ STARTUP_SIGNALED, /* we sent it a SIGQUIT or SIGKILL */
+ STARTUP_CRASHED
+} StartupStatusEnum;
+
+static StartupStatusEnum StartupStatus = STARTUP_NOT_RUNNING;
+
+/* Startup/shutdown state */
+#define NoShutdown 0
+#define SmartShutdown 1
+#define FastShutdown 2
+#define ImmediateShutdown 3
+
+static int Shutdown = NoShutdown;
+
+static bool FatalError = false; /* T if recovering from backend crash */
+
+/*
+ * We use a simple state machine to control startup, shutdown, and
+ * crash recovery (which is rather like shutdown followed by startup).
+ *
+ * After doing all the postmaster initialization work, we enter PM_STARTUP
+ * state and the startup process is launched. The startup process begins by
+ * reading the control file and other preliminary initialization steps.
+ * In a normal startup, or after crash recovery, the startup process exits
+ * with exit code 0 and we switch to PM_RUN state. However, archive recovery
+ * is handled specially since it takes much longer and we would like to support
+ * hot standby during archive recovery.
+ *
+ * When the startup process is ready to start archive recovery, it signals the
+ * postmaster, and we switch to PM_RECOVERY state. The background writer and
+ * checkpointer are launched, while the startup process continues applying WAL.
+ * If Hot Standby is enabled, then, after reaching a consistent point in WAL
+ * redo, startup process signals us again, and we switch to PM_HOT_STANDBY
+ * state and begin accepting connections to perform read-only queries. When
+ * archive recovery is finished, the startup process exits with exit code 0
+ * and we switch to PM_RUN state.
+ *
+ * Normal child backends can only be launched when we are in PM_RUN or
+ * PM_HOT_STANDBY state. (connsAllowed can also restrict launching.)
+ * In other states we handle connection requests by launching "dead_end"
+ * child processes, which will simply send the client an error message and
+ * quit. (We track these in the BackendList so that we can know when they
+ * are all gone; this is important because they're still connected to shared
+ * memory, and would interfere with an attempt to destroy the shmem segment,
+ * possibly leading to SHMALL failure when we try to make a new one.)
+ * In PM_WAIT_DEAD_END state we are waiting for all the dead_end children
+ * to drain out of the system, and therefore stop accepting connection
+ * requests at all until the last existing child has quit (which hopefully
+ * will not be very long).
+ *
+ * Notice that this state variable does not distinguish *why* we entered
+ * states later than PM_RUN --- Shutdown and FatalError must be consulted
+ * to find that out. FatalError is never true in PM_RECOVERY, PM_HOT_STANDBY,
+ * or PM_RUN states, nor in PM_SHUTDOWN states (because we don't enter those
+ * states when trying to recover from a crash). It can be true in PM_STARTUP
+ * state, because we don't clear it until we've successfully started WAL redo.
+ */
+typedef enum
+{
+ PM_INIT, /* postmaster starting */
+ PM_STARTUP, /* waiting for startup subprocess */
+ PM_RECOVERY, /* in archive recovery mode */
+ PM_HOT_STANDBY, /* in hot standby mode */
+ PM_RUN, /* normal "database is alive" state */
+ PM_STOP_BACKENDS, /* need to stop remaining backends */
+ PM_WAIT_BACKENDS, /* waiting for live backends to exit */
+ PM_SHUTDOWN, /* waiting for checkpointer to do shutdown
+ * ckpt */
+ PM_SHUTDOWN_2, /* waiting for archiver and walsenders to
+ * finish */
+ PM_WAIT_DEAD_END, /* waiting for dead_end children to exit */
+ PM_NO_CHILDREN /* all important children have exited */
+} PMState;
+
+static PMState pmState = PM_INIT;
+
+/*
+ * While performing a "smart shutdown", we restrict new connections but stay
+ * in PM_RUN or PM_HOT_STANDBY state until all the client backends are gone.
+ * connsAllowed is a sub-state indicator showing the active restriction.
+ * It is of no interest unless pmState is PM_RUN or PM_HOT_STANDBY.
+ */
+static bool connsAllowed = true;
+
+/* Start time of SIGKILL timeout during immediate shutdown or child crash */
+/* Zero means timeout is not running */
+static time_t AbortStartTime = 0;
+
+/* Length of said timeout */
+#define SIGKILL_CHILDREN_AFTER_SECS 5
+
+static bool ReachedNormalRunning = false; /* T if we've reached PM_RUN */
+
+bool ClientAuthInProgress = false; /* T during new-client
+ * authentication */
+
+bool redirection_done = false; /* stderr redirected for syslogger? */
+
+/* received START_AUTOVAC_LAUNCHER signal */
+static bool start_autovac_launcher = false;
+
+/* the launcher needs to be signaled to communicate some condition */
+static bool avlauncher_needs_signal = false;
+
+/* received START_WALRECEIVER signal */
+static bool WalReceiverRequested = false;
+
+/* set when there's a worker that needs to be started up */
+static bool StartWorkerNeeded = true;
+static bool HaveCrashedWorker = false;
+
+/* set when signals arrive */
+static volatile sig_atomic_t pending_pm_pmsignal;
+static volatile sig_atomic_t pending_pm_child_exit;
+static volatile sig_atomic_t pending_pm_reload_request;
+static volatile sig_atomic_t pending_pm_shutdown_request;
+static volatile sig_atomic_t pending_pm_fast_shutdown_request;
+static volatile sig_atomic_t pending_pm_immediate_shutdown_request;
+
+/* event multiplexing object */
+static WaitEventSet *pm_wait_set;
+
+#ifdef USE_SSL
+/* Set when and if SSL has been initialized properly */
+static bool LoadedSSL = false;
+#endif
+
+#ifdef USE_BONJOUR
+static DNSServiceRef bonjour_sdref = NULL;
+#endif
+
+/*
+ * postmaster.c - function prototypes
+ */
+static void CloseServerPorts(int status, Datum arg);
+static void unlink_external_pid_file(int status, Datum arg);
+static void getInstallationPaths(const char *argv0);
+static void checkControlFile(void);
+static Port *ConnCreate(int serverFd);
+static void ConnFree(Port *port);
+static void handle_pm_pmsignal_signal(SIGNAL_ARGS);
+static void handle_pm_child_exit_signal(SIGNAL_ARGS);
+static void handle_pm_reload_request_signal(SIGNAL_ARGS);
+static void handle_pm_shutdown_request_signal(SIGNAL_ARGS);
+static void process_pm_pmsignal(void);
+static void process_pm_child_exit(void);
+static void process_pm_reload_request(void);
+static void process_pm_shutdown_request(void);
+static void process_startup_packet_die(SIGNAL_ARGS);
+static void dummy_handler(SIGNAL_ARGS);
+static void StartupPacketTimeoutHandler(void);
+static void CleanupBackend(int pid, int exitstatus);
+static bool CleanupBackgroundWorker(int pid, int exitstatus);
+static void HandleChildCrash(int pid, int exitstatus, const char *procname);
+static void LogChildExit(int lev, const char *procname,
+ int pid, int exitstatus);
+static void PostmasterStateMachine(void);
+static void BackendInitialize(Port *port);
+static void BackendRun(Port *port) pg_attribute_noreturn();
+static void ExitPostmaster(int status) pg_attribute_noreturn();
+static int ServerLoop(void);
+static int BackendStartup(Port *port);
+static int ProcessStartupPacket(Port *port, bool ssl_done, bool gss_done);
+static void SendNegotiateProtocolVersion(List *unrecognized_protocol_options);
+static void processCancelRequest(Port *port, void *pkt);
+static void report_fork_failure_to_client(Port *port, int errnum);
+static CAC_state canAcceptConnections(int backend_type);
+static bool RandomCancelKey(int32 *cancel_key);
+static void signal_child(pid_t pid, int signal);
+static void sigquit_child(pid_t pid);
+static bool SignalSomeChildren(int signal, int target);
+static void TerminateChildren(int signal);
+
+#define SignalChildren(sig) SignalSomeChildren(sig, BACKEND_TYPE_ALL)
+
+static int CountChildren(int target);
+static bool assign_backendlist_entry(RegisteredBgWorker *rw);
+static void maybe_start_bgworkers(void);
+static bool CreateOptsFile(int argc, char *argv[], char *fullprogname);
+static pid_t StartChildProcess(AuxProcType type);
+static void StartAutovacuumWorker(void);
+static void MaybeStartWalReceiver(void);
+static void InitPostmasterDeathWatchHandle(void);
+
+/*
+ * Archiver is allowed to start up at the current postmaster state?
+ *
+ * If WAL archiving is enabled always, we are allowed to start archiver
+ * even during recovery.
+ */
+#define PgArchStartupAllowed() \
+ (((XLogArchivingActive() && pmState == PM_RUN) || \
+ (XLogArchivingAlways() && \
+ (pmState == PM_RECOVERY || pmState == PM_HOT_STANDBY))) && \
+ PgArchCanRestart())
+
+#ifdef EXEC_BACKEND
+
+#ifdef WIN32
+#define WNOHANG 0 /* ignored, so any integer value will do */
+
+static pid_t waitpid(pid_t pid, int *exitstatus, int options);
+static void WINAPI pgwin32_deadchild_callback(PVOID lpParameter, BOOLEAN TimerOrWaitFired);
+
+static HANDLE win32ChildQueue;
+
+typedef struct
+{
+ HANDLE waitHandle;
+ HANDLE procHandle;
+ DWORD procId;
+} win32_deadchild_waitinfo;
+#endif /* WIN32 */
+
+static pid_t backend_forkexec(Port *port);
+static pid_t internal_forkexec(int argc, char *argv[], Port *port);
+
+/* Type for a socket that can be inherited to a client process */
+#ifdef WIN32
+typedef struct
+{
+ SOCKET origsocket; /* Original socket value, or PGINVALID_SOCKET
+ * if not a socket */
+ WSAPROTOCOL_INFO wsainfo;
+} InheritableSocket;
+#else
+typedef int InheritableSocket;
+#endif
+
+/*
+ * Structure contains all variables passed to exec:ed backends
+ */
+typedef struct
+{
+ Port port;
+ InheritableSocket portsocket;
+ char DataDir[MAXPGPATH];
+ pgsocket ListenSocket[MAXLISTEN];
+ int32 MyCancelKey;
+ int MyPMChildSlot;
+#ifndef WIN32
+ unsigned long UsedShmemSegID;
+#else
+ void *ShmemProtectiveRegion;
+ HANDLE UsedShmemSegID;
+#endif
+ void *UsedShmemSegAddr;
+ slock_t *ShmemLock;
+ VariableCache ShmemVariableCache;
+ Backend *ShmemBackendArray;
+#ifndef HAVE_SPINLOCKS
+ PGSemaphore *SpinlockSemaArray;
+#endif
+ int NamedLWLockTrancheRequests;
+ NamedLWLockTranche *NamedLWLockTrancheArray;
+ LWLockPadded *MainLWLockArray;
+ slock_t *ProcStructLock;
+ PROC_HDR *ProcGlobal;
+ PGPROC *AuxiliaryProcs;
+ PGPROC *PreparedXactProcs;
+ PMSignalData *PMSignalState;
+ pid_t PostmasterPid;
+ TimestampTz PgStartTime;
+ TimestampTz PgReloadTime;
+ pg_time_t first_syslogger_file_time;
+ bool redirection_done;
+ bool IsBinaryUpgrade;
+ bool query_id_enabled;
+ int max_safe_fds;
+ int MaxBackends;
+#ifdef WIN32
+ HANDLE PostmasterHandle;
+ HANDLE initial_signal_pipe;
+ HANDLE syslogPipe[2];
+#else
+ int postmaster_alive_fds[2];
+ int syslogPipe[2];
+#endif
+ char my_exec_path[MAXPGPATH];
+ char pkglib_path[MAXPGPATH];
+} BackendParameters;
+
+static void read_backend_variables(char *id, Port *port);
+static void restore_backend_variables(BackendParameters *param, Port *port);
+
+#ifndef WIN32
+static bool save_backend_variables(BackendParameters *param, Port *port);
+#else
+static bool save_backend_variables(BackendParameters *param, Port *port,
+ HANDLE childProcess, pid_t childPid);
+#endif
+
+static void ShmemBackendArrayAdd(Backend *bn);
+static void ShmemBackendArrayRemove(Backend *bn);
+#endif /* EXEC_BACKEND */
+
+#define StartupDataBase() StartChildProcess(StartupProcess)
+#define StartArchiver() StartChildProcess(ArchiverProcess)
+#define StartBackgroundWriter() StartChildProcess(BgWriterProcess)
+#define StartCheckpointer() StartChildProcess(CheckpointerProcess)
+#define StartWalWriter() StartChildProcess(WalWriterProcess)
+#define StartWalReceiver() StartChildProcess(WalReceiverProcess)
+
+/* Macros to check exit status of a child process */
+#define EXIT_STATUS_0(st) ((st) == 0)
+#define EXIT_STATUS_1(st) (WIFEXITED(st) && WEXITSTATUS(st) == 1)
+#define EXIT_STATUS_3(st) (WIFEXITED(st) && WEXITSTATUS(st) == 3)
+
+#ifndef WIN32
+/*
+ * File descriptors for pipe used to monitor if postmaster is alive.
+ * First is POSTMASTER_FD_WATCH, second is POSTMASTER_FD_OWN.
+ */
+int postmaster_alive_fds[2] = {-1, -1};
+#else
+/* Process handle of postmaster used for the same purpose on Windows */
+HANDLE PostmasterHandle;
+#endif
+
+/*
+ * Postmaster main entry point
+ */
+void
+PostmasterMain(int argc, char *argv[])
+{
+ int opt;
+ int status;
+ char *userDoption = NULL;
+ bool listen_addr_saved = false;
+ int i;
+ char *output_config_variable = NULL;
+
+ InitProcessGlobals();
+
+ PostmasterPid = MyProcPid;
+
+ IsPostmasterEnvironment = true;
+
+ /*
+ * Start our win32 signal implementation
+ */
+#ifdef WIN32
+ pgwin32_signal_initialize();
+#endif
+
+ /*
+ * We should not be creating any files or directories before we check the
+ * data directory (see checkDataDir()), but just in case set the umask to
+ * the most restrictive (owner-only) permissions.
+ *
+ * checkDataDir() will reset the umask based on the data directory
+ * permissions.
+ */
+ umask(PG_MODE_MASK_OWNER);
+
+ /*
+ * By default, palloc() requests in the postmaster will be allocated in
+ * the PostmasterContext, which is space that can be recycled by backends.
+ * Allocated data that needs to be available to backends should be
+ * allocated in TopMemoryContext.
+ */
+ PostmasterContext = AllocSetContextCreate(TopMemoryContext,
+ "Postmaster",
+ ALLOCSET_DEFAULT_SIZES);
+ MemoryContextSwitchTo(PostmasterContext);
+
+ /* Initialize paths to installation files */
+ getInstallationPaths(argv[0]);
+
+ /*
+ * Set up signal handlers for the postmaster process.
+ *
+ * CAUTION: when changing this list, check for side-effects on the signal
+ * handling setup of child processes. See tcop/postgres.c,
+ * bootstrap/bootstrap.c, postmaster/bgwriter.c, postmaster/walwriter.c,
+ * postmaster/autovacuum.c, postmaster/pgarch.c, postmaster/syslogger.c,
+ * postmaster/bgworker.c and postmaster/checkpointer.c.
+ */
+ pqinitmask();
+ sigprocmask(SIG_SETMASK, &BlockSig, NULL);
+
+ pqsignal(SIGHUP, handle_pm_reload_request_signal);
+ pqsignal(SIGINT, handle_pm_shutdown_request_signal);
+ pqsignal(SIGQUIT, handle_pm_shutdown_request_signal);
+ pqsignal(SIGTERM, handle_pm_shutdown_request_signal);
+ pqsignal(SIGALRM, SIG_IGN); /* ignored */
+ pqsignal(SIGPIPE, SIG_IGN); /* ignored */
+ pqsignal(SIGUSR1, handle_pm_pmsignal_signal);
+ pqsignal(SIGUSR2, dummy_handler); /* unused, reserve for children */
+ pqsignal(SIGCHLD, handle_pm_child_exit_signal);
+
+ /* This may configure SIGURG, depending on platform. */
+ InitializeLatchSupport();
+ InitProcessLocalLatch();
+
+ /*
+ * No other place in Postgres should touch SIGTTIN/SIGTTOU handling. We
+ * ignore those signals in a postmaster environment, so that there is no
+ * risk of a child process freezing up due to writing to stderr. But for
+ * a standalone backend, their default handling is reasonable. Hence, all
+ * child processes should just allow the inherited settings to stand.
+ */
+#ifdef SIGTTIN
+ pqsignal(SIGTTIN, SIG_IGN); /* ignored */
+#endif
+#ifdef SIGTTOU
+ pqsignal(SIGTTOU, SIG_IGN); /* ignored */
+#endif
+
+ /* ignore SIGXFSZ, so that ulimit violations work like disk full */
+#ifdef SIGXFSZ
+ pqsignal(SIGXFSZ, SIG_IGN); /* ignored */
+#endif
+
+ /* Begin accepting signals. */
+ sigprocmask(SIG_SETMASK, &UnBlockSig, NULL);
+
+ /*
+ * Options setup
+ */
+ InitializeGUCOptions();
+
+ opterr = 1;
+
+ /*
+ * Parse command-line options. CAUTION: keep this in sync with
+ * tcop/postgres.c (the option sets should not conflict) and with the
+ * common help() function in main/main.c.
+ */
+ while ((opt = getopt(argc, argv, "B:bC:c:D:d:EeFf:h:ijk:lN:OPp:r:S:sTt:W:-:")) != -1)
+ {
+ switch (opt)
+ {
+ case 'B':
+ SetConfigOption("shared_buffers", optarg, PGC_POSTMASTER, PGC_S_ARGV);
+ break;
+
+ case 'b':
+ /* Undocumented flag used for binary upgrades */
+ IsBinaryUpgrade = true;
+ break;
+
+ case 'C':
+ output_config_variable = strdup(optarg);
+ break;
+
+ case 'c':
+ case '-':
+ {
+ char *name,
+ *value;
+
+ ParseLongOption(optarg, &name, &value);
+ if (!value)
+ {
+ if (opt == '-')
+ ereport(ERROR,
+ (errcode(ERRCODE_SYNTAX_ERROR),
+ errmsg("--%s requires a value",
+ optarg)));
+ else
+ ereport(ERROR,
+ (errcode(ERRCODE_SYNTAX_ERROR),
+ errmsg("-c %s requires a value",
+ optarg)));
+ }
+
+ SetConfigOption(name, value, PGC_POSTMASTER, PGC_S_ARGV);
+ pfree(name);
+ pfree(value);
+ break;
+ }
+
+ case 'D':
+ userDoption = strdup(optarg);
+ break;
+
+ case 'd':
+ set_debug_options(atoi(optarg), PGC_POSTMASTER, PGC_S_ARGV);
+ break;
+
+ case 'E':
+ SetConfigOption("log_statement", "all", PGC_POSTMASTER, PGC_S_ARGV);
+ break;
+
+ case 'e':
+ SetConfigOption("datestyle", "euro", PGC_POSTMASTER, PGC_S_ARGV);
+ break;
+
+ case 'F':
+ SetConfigOption("fsync", "false", PGC_POSTMASTER, PGC_S_ARGV);
+ break;
+
+ case 'f':
+ if (!set_plan_disabling_options(optarg, PGC_POSTMASTER, PGC_S_ARGV))
+ {
+ write_stderr("%s: invalid argument for option -f: \"%s\"\n",
+ progname, optarg);
+ ExitPostmaster(1);
+ }
+ break;
+
+ case 'h':
+ SetConfigOption("listen_addresses", optarg, PGC_POSTMASTER, PGC_S_ARGV);
+ break;
+
+ case 'i':
+ SetConfigOption("listen_addresses", "*", PGC_POSTMASTER, PGC_S_ARGV);
+ break;
+
+ case 'j':
+ /* only used by interactive backend */
+ break;
+
+ case 'k':
+ SetConfigOption("unix_socket_directories", optarg, PGC_POSTMASTER, PGC_S_ARGV);
+ break;
+
+ case 'l':
+ SetConfigOption("ssl", "true", PGC_POSTMASTER, PGC_S_ARGV);
+ break;
+
+ case 'N':
+ SetConfigOption("max_connections", optarg, PGC_POSTMASTER, PGC_S_ARGV);
+ break;
+
+ case 'O':
+ SetConfigOption("allow_system_table_mods", "true", PGC_POSTMASTER, PGC_S_ARGV);
+ break;
+
+ case 'P':
+ SetConfigOption("ignore_system_indexes", "true", PGC_POSTMASTER, PGC_S_ARGV);
+ break;
+
+ case 'p':
+ SetConfigOption("port", optarg, PGC_POSTMASTER, PGC_S_ARGV);
+ break;
+
+ case 'r':
+ /* only used by single-user backend */
+ break;
+
+ case 'S':
+ SetConfigOption("work_mem", optarg, PGC_POSTMASTER, PGC_S_ARGV);
+ break;
+
+ case 's':
+ SetConfigOption("log_statement_stats", "true", PGC_POSTMASTER, PGC_S_ARGV);
+ break;
+
+ case 'T':
+
+ /*
+ * This option used to be defined as sending SIGSTOP after a
+ * backend crash, but sending SIGABRT seems more useful.
+ */
+ SetConfigOption("send_abort_for_crash", "true", PGC_POSTMASTER, PGC_S_ARGV);
+ break;
+
+ case 't':
+ {
+ const char *tmp = get_stats_option_name(optarg);
+
+ if (tmp)
+ {
+ SetConfigOption(tmp, "true", PGC_POSTMASTER, PGC_S_ARGV);
+ }
+ else
+ {
+ write_stderr("%s: invalid argument for option -t: \"%s\"\n",
+ progname, optarg);
+ ExitPostmaster(1);
+ }
+ break;
+ }
+
+ case 'W':
+ SetConfigOption("post_auth_delay", optarg, PGC_POSTMASTER, PGC_S_ARGV);
+ break;
+
+ default:
+ write_stderr("Try \"%s --help\" for more information.\n",
+ progname);
+ ExitPostmaster(1);
+ }
+ }
+
+ /*
+ * Postmaster accepts no non-option switch arguments.
+ */
+ if (optind < argc)
+ {
+ write_stderr("%s: invalid argument: \"%s\"\n",
+ progname, argv[optind]);
+ write_stderr("Try \"%s --help\" for more information.\n",
+ progname);
+ ExitPostmaster(1);
+ }
+
+ /*
+ * Locate the proper configuration files and data directory, and read
+ * postgresql.conf for the first time.
+ */
+ if (!SelectConfigFiles(userDoption, progname))
+ ExitPostmaster(2);
+
+ if (output_config_variable != NULL)
+ {
+ /*
+ * If this is a runtime-computed GUC, it hasn't yet been initialized,
+ * and the present value is not useful. However, this is a convenient
+ * place to print the value for most GUCs because it is safe to run
+ * postmaster startup to this point even if the server is already
+ * running. For the handful of runtime-computed GUCs that we cannot
+ * provide meaningful values for yet, we wait until later in
+ * postmaster startup to print the value. We won't be able to use -C
+ * on running servers for those GUCs, but using this option now would
+ * lead to incorrect results for them.
+ */
+ int flags = GetConfigOptionFlags(output_config_variable, true);
+
+ if ((flags & GUC_RUNTIME_COMPUTED) == 0)
+ {
+ /*
+ * "-C guc" was specified, so print GUC's value and exit. No
+ * extra permission check is needed because the user is reading
+ * inside the data dir.
+ */
+ const char *config_val = GetConfigOption(output_config_variable,
+ false, false);
+
+ puts(config_val ? config_val : "");
+ ExitPostmaster(0);
+ }
+
+ /*
+ * A runtime-computed GUC will be printed later on. As we initialize
+ * a server startup sequence, silence any log messages that may show
+ * up in the output generated. FATAL and more severe messages are
+ * useful to show, even if one would only expect at least PANIC. LOG
+ * entries are hidden.
+ */
+ SetConfigOption("log_min_messages", "FATAL", PGC_SUSET,
+ PGC_S_OVERRIDE);
+ }
+
+ /* Verify that DataDir looks reasonable */
+ checkDataDir();
+
+ /* Check that pg_control exists */
+ checkControlFile();
+
+ /* And switch working directory into it */
+ ChangeToDataDir();
+
+ /*
+ * Check for invalid combinations of GUC settings.
+ */
+ if (SuperuserReservedConnections + ReservedConnections >= MaxConnections)
+ {
+ write_stderr("%s: superuser_reserved_connections (%d) plus reserved_connections (%d) must be less than max_connections (%d)\n",
+ progname,
+ SuperuserReservedConnections, ReservedConnections,
+ MaxConnections);
+ ExitPostmaster(1);
+ }
+ if (XLogArchiveMode > ARCHIVE_MODE_OFF && wal_level == WAL_LEVEL_MINIMAL)
+ ereport(ERROR,
+ (errmsg("WAL archival cannot be enabled when wal_level is \"minimal\"")));
+ if (max_wal_senders > 0 && wal_level == WAL_LEVEL_MINIMAL)
+ ereport(ERROR,
+ (errmsg("WAL streaming (max_wal_senders > 0) requires wal_level \"replica\" or \"logical\"")));
+
+ /*
+ * Other one-time internal sanity checks can go here, if they are fast.
+ * (Put any slow processing further down, after postmaster.pid creation.)
+ */
+ if (!CheckDateTokenTables())
+ {
+ write_stderr("%s: invalid datetoken tables, please fix\n", progname);
+ ExitPostmaster(1);
+ }
+
+ /*
+ * Now that we are done processing the postmaster arguments, reset
+ * getopt(3) library so that it will work correctly in subprocesses.
+ */
+ optind = 1;
+#ifdef HAVE_INT_OPTRESET
+ optreset = 1; /* some systems need this too */
+#endif
+
+ /* For debugging: display postmaster environment */
+ {
+ extern char **environ;
+ char **p;
+
+ ereport(DEBUG3,
+ (errmsg_internal("%s: PostmasterMain: initial environment dump:",
+ progname)));
+ ereport(DEBUG3,
+ (errmsg_internal("-----------------------------------------")));
+ for (p = environ; *p; ++p)
+ ereport(DEBUG3,
+ (errmsg_internal("\t%s", *p)));
+ ereport(DEBUG3,
+ (errmsg_internal("-----------------------------------------")));
+ }
+
+ /*
+ * Create lockfile for data directory.
+ *
+ * We want to do this before we try to grab the input sockets, because the
+ * data directory interlock is more reliable than the socket-file
+ * interlock (thanks to whoever decided to put socket files in /tmp :-().
+ * For the same reason, it's best to grab the TCP socket(s) before the
+ * Unix socket(s).
+ *
+ * Also note that this internally sets up the on_proc_exit function that
+ * is responsible for removing both data directory and socket lockfiles;
+ * so it must happen before opening sockets so that at exit, the socket
+ * lockfiles go away after CloseServerPorts runs.
+ */
+ CreateDataDirLockFile(true);
+
+ /*
+ * Read the control file (for error checking and config info).
+ *
+ * Since we verify the control file's CRC, this has a useful side effect
+ * on machines where we need a run-time test for CRC support instructions.
+ * The postmaster will do the test once at startup, and then its child
+ * processes will inherit the correct function pointer and not need to
+ * repeat the test.
+ */
+ LocalProcessControlFile(false);
+
+ /*
+ * Register the apply launcher. It's probably a good idea to call this
+ * before any modules had a chance to take the background worker slots.
+ */
+ ApplyLauncherRegister();
+
+ /*
+ * process any libraries that should be preloaded at postmaster start
+ */
+ process_shared_preload_libraries();
+
+ /*
+ * Initialize SSL library, if specified.
+ */
+#ifdef USE_SSL
+ if (EnableSSL)
+ {
+ (void) secure_initialize(true);
+ LoadedSSL = true;
+ }
+#endif
+
+ /*
+ * Now that loadable modules have had their chance to alter any GUCs,
+ * calculate MaxBackends.
+ */
+ InitializeMaxBackends();
+
+ /*
+ * Give preloaded libraries a chance to request additional shared memory.
+ */
+ process_shmem_requests();
+
+ /*
+ * Now that loadable modules have had their chance to request additional
+ * shared memory, determine the value of any runtime-computed GUCs that
+ * depend on the amount of shared memory required.
+ */
+ InitializeShmemGUCs();
+
+ /*
+ * Now that modules have been loaded, we can process any custom resource
+ * managers specified in the wal_consistency_checking GUC.
+ */
+ InitializeWalConsistencyChecking();
+
+ /*
+ * If -C was specified with a runtime-computed GUC, we held off printing
+ * the value earlier, as the GUC was not yet initialized. We handle -C
+ * for most GUCs before we lock the data directory so that the option may
+ * be used on a running server. However, a handful of GUCs are runtime-
+ * computed and do not have meaningful values until after locking the data
+ * directory, and we cannot safely calculate their values earlier on a
+ * running server. At this point, such GUCs should be properly
+ * initialized, and we haven't yet set up shared memory, so this is a good
+ * time to handle the -C option for these special GUCs.
+ */
+ if (output_config_variable != NULL)
+ {
+ const char *config_val = GetConfigOption(output_config_variable,
+ false, false);
+
+ puts(config_val ? config_val : "");
+ ExitPostmaster(0);
+ }
+
+ /*
+ * Set up shared memory and semaphores.
+ *
+ * Note: if using SysV shmem and/or semas, each postmaster startup will
+ * normally choose the same IPC keys. This helps ensure that we will
+ * clean up dead IPC objects if the postmaster crashes and is restarted.
+ */
+ CreateSharedMemoryAndSemaphores();
+
+ /*
+ * Estimate number of openable files. This must happen after setting up
+ * semaphores, because on some platforms semaphores count as open files.
+ */
+ set_max_safe_fds();
+
+ /*
+ * Set reference point for stack-depth checking.
+ */
+ (void) set_stack_base();
+
+ /*
+ * Initialize pipe (or process handle on Windows) that allows children to
+ * wake up from sleep on postmaster death.
+ */
+ InitPostmasterDeathWatchHandle();
+
+#ifdef WIN32
+
+ /*
+ * Initialize I/O completion port used to deliver list of dead children.
+ */
+ win32ChildQueue = CreateIoCompletionPort(INVALID_HANDLE_VALUE, NULL, 0, 1);
+ if (win32ChildQueue == NULL)
+ ereport(FATAL,
+ (errmsg("could not create I/O completion port for child queue")));
+#endif
+
+#ifdef EXEC_BACKEND
+ /* Write out nondefault GUC settings for child processes to use */
+ write_nondefault_variables(PGC_POSTMASTER);
+
+ /*
+ * Clean out the temp directory used to transmit parameters to child
+ * processes (see internal_forkexec, below). We must do this before
+ * launching any child processes, else we have a race condition: we could
+ * remove a parameter file before the child can read it. It should be
+ * safe to do so now, because we verified earlier that there are no
+ * conflicting Postgres processes in this data directory.
+ */
+ RemovePgTempFilesInDir(PG_TEMP_FILES_DIR, true, false);
+#endif
+
+ /*
+ * Forcibly remove the files signaling a standby promotion request.
+ * Otherwise, the existence of those files triggers a promotion too early,
+ * whether a user wants that or not.
+ *
+ * This removal of files is usually unnecessary because they can exist
+ * only during a few moments during a standby promotion. However there is
+ * a race condition: if pg_ctl promote is executed and creates the files
+ * during a promotion, the files can stay around even after the server is
+ * brought up to be the primary. Then, if a new standby starts by using
+ * the backup taken from the new primary, the files can exist at server
+ * startup and must be removed in order to avoid an unexpected promotion.
+ *
+ * Note that promotion signal files need to be removed before the startup
+ * process is invoked. Because, after that, they can be used by
+ * postmaster's SIGUSR1 signal handler.
+ */
+ RemovePromoteSignalFiles();
+
+ /* Do the same for logrotate signal file */
+ RemoveLogrotateSignalFiles();
+
+ /* Remove any outdated file holding the current log filenames. */
+ if (unlink(LOG_METAINFO_DATAFILE) < 0 && errno != ENOENT)
+ ereport(LOG,
+ (errcode_for_file_access(),
+ errmsg("could not remove file \"%s\": %m",
+ LOG_METAINFO_DATAFILE)));
+
+ /*
+ * Initialize input sockets.
+ *
+ * Mark them all closed, and set up an on_proc_exit function that's
+ * charged with closing the sockets again at postmaster shutdown.
+ */
+ for (i = 0; i < MAXLISTEN; i++)
+ ListenSocket[i] = PGINVALID_SOCKET;
+
+ on_proc_exit(CloseServerPorts, 0);
+
+ /*
+ * If enabled, start up syslogger collection subprocess
+ */
+ SysLoggerPID = SysLogger_Start();
+
+ /*
+ * Reset whereToSendOutput from DestDebug (its starting state) to
+ * DestNone. This stops ereport from sending log messages to stderr unless
+ * Log_destination permits. We don't do this until the postmaster is
+ * fully launched, since startup failures may as well be reported to
+ * stderr.
+ *
+ * If we are in fact disabling logging to stderr, first emit a log message
+ * saying so, to provide a breadcrumb trail for users who may not remember
+ * that their logging is configured to go somewhere else.
+ */
+ if (!(Log_destination & LOG_DESTINATION_STDERR))
+ ereport(LOG,
+ (errmsg("ending log output to stderr"),
+ errhint("Future log output will go to log destination \"%s\".",
+ Log_destination_string)));
+
+ whereToSendOutput = DestNone;
+
+ /*
+ * Report server startup in log. While we could emit this much earlier,
+ * it seems best to do so after starting the log collector, if we intend
+ * to use one.
+ */
+ ereport(LOG,
+ (errmsg("starting %s", PG_VERSION_STR)));
+
+ /*
+ * Establish input sockets.
+ */
+ if (ListenAddresses)
+ {
+ char *rawstring;
+ List *elemlist;
+ ListCell *l;
+ int success = 0;
+
+ /* Need a modifiable copy of ListenAddresses */
+ rawstring = pstrdup(ListenAddresses);
+
+ /* Parse string into list of hostnames */
+ if (!SplitGUCList(rawstring, ',', &elemlist))
+ {
+ /* syntax error in list */
+ ereport(FATAL,
+ (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
+ errmsg("invalid list syntax in parameter \"%s\"",
+ "listen_addresses")));
+ }
+
+ foreach(l, elemlist)
+ {
+ char *curhost = (char *) lfirst(l);
+
+ if (strcmp(curhost, "*") == 0)
+ status = StreamServerPort(AF_UNSPEC, NULL,
+ (unsigned short) PostPortNumber,
+ NULL,
+ ListenSocket, MAXLISTEN);
+ else
+ status = StreamServerPort(AF_UNSPEC, curhost,
+ (unsigned short) PostPortNumber,
+ NULL,
+ ListenSocket, MAXLISTEN);
+
+ if (status == STATUS_OK)
+ {
+ success++;
+ /* record the first successful host addr in lockfile */
+ if (!listen_addr_saved)
+ {
+ AddToDataDirLockFile(LOCK_FILE_LINE_LISTEN_ADDR, curhost);
+ listen_addr_saved = true;
+ }
+ }
+ else
+ ereport(WARNING,
+ (errmsg("could not create listen socket for \"%s\"",
+ curhost)));
+ }
+
+ if (!success && elemlist != NIL)
+ ereport(FATAL,
+ (errmsg("could not create any TCP/IP sockets")));
+
+ list_free(elemlist);
+ pfree(rawstring);
+ }
+
+#ifdef USE_BONJOUR
+ /* Register for Bonjour only if we opened TCP socket(s) */
+ if (enable_bonjour && ListenSocket[0] != PGINVALID_SOCKET)
+ {
+ DNSServiceErrorType err;
+
+ /*
+ * We pass 0 for interface_index, which will result in registering on
+ * all "applicable" interfaces. It's not entirely clear from the
+ * DNS-SD docs whether this would be appropriate if we have bound to
+ * just a subset of the available network interfaces.
+ */
+ err = DNSServiceRegister(&bonjour_sdref,
+ 0,
+ 0,
+ bonjour_name,
+ "_postgresql._tcp.",
+ NULL,
+ NULL,
+ pg_hton16(PostPortNumber),
+ 0,
+ NULL,
+ NULL,
+ NULL);
+ if (err != kDNSServiceErr_NoError)
+ ereport(LOG,
+ (errmsg("DNSServiceRegister() failed: error code %ld",
+ (long) err)));
+
+ /*
+ * We don't bother to read the mDNS daemon's reply, and we expect that
+ * it will automatically terminate our registration when the socket is
+ * closed at postmaster termination. So there's nothing more to be
+ * done here. However, the bonjour_sdref is kept around so that
+ * forked children can close their copies of the socket.
+ */
+ }
+#endif
+
+ if (Unix_socket_directories)
+ {
+ char *rawstring;
+ List *elemlist;
+ ListCell *l;
+ int success = 0;
+
+ /* Need a modifiable copy of Unix_socket_directories */
+ rawstring = pstrdup(Unix_socket_directories);
+
+ /* Parse string into list of directories */
+ if (!SplitDirectoriesString(rawstring, ',', &elemlist))
+ {
+ /* syntax error in list */
+ ereport(FATAL,
+ (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
+ errmsg("invalid list syntax in parameter \"%s\"",
+ "unix_socket_directories")));
+ }
+
+ foreach(l, elemlist)
+ {
+ char *socketdir = (char *) lfirst(l);
+
+ status = StreamServerPort(AF_UNIX, NULL,
+ (unsigned short) PostPortNumber,
+ socketdir,
+ ListenSocket, MAXLISTEN);
+
+ if (status == STATUS_OK)
+ {
+ success++;
+ /* record the first successful Unix socket in lockfile */
+ if (success == 1)
+ AddToDataDirLockFile(LOCK_FILE_LINE_SOCKET_DIR, socketdir);
+ }
+ else
+ ereport(WARNING,
+ (errmsg("could not create Unix-domain socket in directory \"%s\"",
+ socketdir)));
+ }
+
+ if (!success && elemlist != NIL)
+ ereport(FATAL,
+ (errmsg("could not create any Unix-domain sockets")));
+
+ list_free_deep(elemlist);
+ pfree(rawstring);
+ }
+
+ /*
+ * check that we have some socket to listen on
+ */
+ if (ListenSocket[0] == PGINVALID_SOCKET)
+ ereport(FATAL,
+ (errmsg("no socket created for listening")));
+
+ /*
+ * If no valid TCP ports, write an empty line for listen address,
+ * indicating the Unix socket must be used. Note that this line is not
+ * added to the lock file until there is a socket backing it.
+ */
+ if (!listen_addr_saved)
+ AddToDataDirLockFile(LOCK_FILE_LINE_LISTEN_ADDR, "");
+
+ /*
+ * Record postmaster options. We delay this till now to avoid recording
+ * bogus options (eg, unusable port number).
+ */
+ if (!CreateOptsFile(argc, argv, my_exec_path))
+ ExitPostmaster(1);
+
+ /*
+ * Write the external PID file if requested
+ */
+ if (external_pid_file)
+ {
+ FILE *fpidfile = fopen(external_pid_file, "w");
+
+ if (fpidfile)
+ {
+ fprintf(fpidfile, "%d\n", MyProcPid);
+ fclose(fpidfile);
+
+ /* Make PID file world readable */
+ if (chmod(external_pid_file, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH) != 0)
+ write_stderr("%s: could not change permissions of external PID file \"%s\": %s\n",
+ progname, external_pid_file, strerror(errno));
+ }
+ else
+ write_stderr("%s: could not write external PID file \"%s\": %s\n",
+ progname, external_pid_file, strerror(errno));
+
+ on_proc_exit(unlink_external_pid_file, 0);
+ }
+
+ /*
+ * Remove old temporary files. At this point there can be no other
+ * Postgres processes running in this directory, so this should be safe.
+ */
+ RemovePgTempFiles();
+
+ /*
+ * Initialize the autovacuum subsystem (again, no process start yet)
+ */
+ autovac_init();
+
+ /*
+ * Load configuration files for client authentication.
+ */
+ if (!load_hba())
+ {
+ /*
+ * It makes no sense to continue if we fail to load the HBA file,
+ * since there is no way to connect to the database in this case.
+ */
+ ereport(FATAL,
+ /* translator: %s is a configuration file */
+ (errmsg("could not load %s", HbaFileName)));
+ }
+ if (!load_ident())
+ {
+ /*
+ * We can start up without the IDENT file, although it means that you
+ * cannot log in using any of the authentication methods that need a
+ * user name mapping. load_ident() already logged the details of error
+ * to the log.
+ */
+ }
+
+#ifdef HAVE_PTHREAD_IS_THREADED_NP
+
+ /*
+ * On macOS, libintl replaces setlocale() with a version that calls
+ * CFLocaleCopyCurrent() when its second argument is "" and every relevant
+ * environment variable is unset or empty. CFLocaleCopyCurrent() makes
+ * the process multithreaded. The postmaster calls sigprocmask() and
+ * calls fork() without an immediate exec(), both of which have undefined
+ * behavior in a multithreaded program. A multithreaded postmaster is the
+ * normal case on Windows, which offers neither fork() nor sigprocmask().
+ */
+ if (pthread_is_threaded_np() != 0)
+ ereport(FATAL,
+ (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
+ errmsg("postmaster became multithreaded during startup"),
+ errhint("Set the LC_ALL environment variable to a valid locale.")));
+#endif
+
+ /*
+ * Remember postmaster startup time
+ */
+ PgStartTime = GetCurrentTimestamp();
+
+ /*
+ * Report postmaster status in the postmaster.pid file, to allow pg_ctl to
+ * see what's happening.
+ */
+ AddToDataDirLockFile(LOCK_FILE_LINE_PM_STATUS, PM_STATUS_STARTING);
+
+ /* Start bgwriter and checkpointer so they can help with recovery */
+ if (CheckpointerPID == 0)
+ CheckpointerPID = StartCheckpointer();
+ if (BgWriterPID == 0)
+ BgWriterPID = StartBackgroundWriter();
+
+ /*
+ * We're ready to rock and roll...
+ */
+ StartupPID = StartupDataBase();
+ Assert(StartupPID != 0);
+ StartupStatus = STARTUP_RUNNING;
+ pmState = PM_STARTUP;
+
+ /* Some workers may be scheduled to start now */
+ maybe_start_bgworkers();
+
+ status = ServerLoop();
+
+ /*
+ * ServerLoop probably shouldn't ever return, but if it does, close down.
+ */
+ ExitPostmaster(status != STATUS_OK);
+
+ abort(); /* not reached */
+}
+
+
+/*
+ * on_proc_exit callback to close server's listen sockets
+ */
+static void
+CloseServerPorts(int status, Datum arg)
+{
+ int i;
+
+ /*
+ * First, explicitly close all the socket FDs. We used to just let this
+ * happen implicitly at postmaster exit, but it's better to close them
+ * before we remove the postmaster.pid lockfile; otherwise there's a race
+ * condition if a new postmaster wants to re-use the TCP port number.
+ */
+ for (i = 0; i < MAXLISTEN; i++)
+ {
+ if (ListenSocket[i] != PGINVALID_SOCKET)
+ {
+ StreamClose(ListenSocket[i]);
+ ListenSocket[i] = PGINVALID_SOCKET;
+ }
+ }
+
+ /*
+ * Next, remove any filesystem entries for Unix sockets. To avoid race
+ * conditions against incoming postmasters, this must happen after closing
+ * the sockets and before removing lock files.
+ */
+ RemoveSocketFiles();
+
+ /*
+ * We don't do anything about socket lock files here; those will be
+ * removed in a later on_proc_exit callback.
+ */
+}
+
+/*
+ * on_proc_exit callback to delete external_pid_file
+ */
+static void
+unlink_external_pid_file(int status, Datum arg)
+{
+ if (external_pid_file)
+ unlink(external_pid_file);
+}
+
+
+/*
+ * Compute and check the directory paths to files that are part of the
+ * installation (as deduced from the postgres executable's own location)
+ */
+static void
+getInstallationPaths(const char *argv0)
+{
+ DIR *pdir;
+
+ /* Locate the postgres executable itself */
+ if (find_my_exec(argv0, my_exec_path) < 0)
+ ereport(FATAL,
+ (errmsg("%s: could not locate my own executable path", argv0)));
+
+#ifdef EXEC_BACKEND
+ /* Locate executable backend before we change working directory */
+ if (find_other_exec(argv0, "postgres", PG_BACKEND_VERSIONSTR,
+ postgres_exec_path) < 0)
+ ereport(FATAL,
+ (errmsg("%s: could not locate matching postgres executable",
+ argv0)));
+#endif
+
+ /*
+ * Locate the pkglib directory --- this has to be set early in case we try
+ * to load any modules from it in response to postgresql.conf entries.
+ */
+ get_pkglib_path(my_exec_path, pkglib_path);
+
+ /*
+ * Verify that there's a readable directory there; otherwise the Postgres
+ * installation is incomplete or corrupt. (A typical cause of this
+ * failure is that the postgres executable has been moved or hardlinked to
+ * some directory that's not a sibling of the installation lib/
+ * directory.)
+ */
+ pdir = AllocateDir(pkglib_path);
+ if (pdir == NULL)
+ ereport(ERROR,
+ (errcode_for_file_access(),
+ errmsg("could not open directory \"%s\": %m",
+ pkglib_path),
+ errhint("This may indicate an incomplete PostgreSQL installation, or that the file \"%s\" has been moved away from its proper location.",
+ my_exec_path)));
+ FreeDir(pdir);
+
+ /*
+ * XXX is it worth similarly checking the share/ directory? If the lib/
+ * directory is there, then share/ probably is too.
+ */
+}
+
+/*
+ * Check that pg_control exists in the correct location in the data directory.
+ *
+ * No attempt is made to validate the contents of pg_control here. This is
+ * just a sanity check to see if we are looking at a real data directory.
+ */
+static void
+checkControlFile(void)
+{
+ char path[MAXPGPATH];
+ FILE *fp;
+
+ snprintf(path, sizeof(path), "%s/global/pg_control", DataDir);
+
+ fp = AllocateFile(path, PG_BINARY_R);
+ if (fp == NULL)
+ {
+ write_stderr("%s: could not find the database system\n"
+ "Expected to find it in the directory \"%s\",\n"
+ "but could not open file \"%s\": %s\n",
+ progname, DataDir, path, strerror(errno));
+ ExitPostmaster(2);
+ }
+ FreeFile(fp);
+}
+
+/*
+ * Determine how long should we let ServerLoop sleep, in milliseconds.
+ *
+ * In normal conditions we wait at most one minute, to ensure that the other
+ * background tasks handled by ServerLoop get done even when no requests are
+ * arriving. However, if there are background workers waiting to be started,
+ * we don't actually sleep so that they are quickly serviced. Other exception
+ * cases are as shown in the code.
+ */
+static int
+DetermineSleepTime(void)
+{
+ TimestampTz next_wakeup = 0;
+
+ /*
+ * Normal case: either there are no background workers at all, or we're in
+ * a shutdown sequence (during which we ignore bgworkers altogether).
+ */
+ if (Shutdown > NoShutdown ||
+ (!StartWorkerNeeded && !HaveCrashedWorker))
+ {
+ if (AbortStartTime != 0)
+ {
+ int seconds;
+
+ /* time left to abort; clamp to 0 in case it already expired */
+ seconds = SIGKILL_CHILDREN_AFTER_SECS -
+ (time(NULL) - AbortStartTime);
+
+ return Max(seconds * 1000, 0);
+ }
+ else
+ return 60 * 1000;
+ }
+
+ if (StartWorkerNeeded)
+ return 0;
+
+ if (HaveCrashedWorker)
+ {
+ slist_mutable_iter siter;
+
+ /*
+ * When there are crashed bgworkers, we sleep just long enough that
+ * they are restarted when they request to be. Scan the list to
+ * determine the minimum of all wakeup times according to most recent
+ * crash time and requested restart interval.
+ */
+ slist_foreach_modify(siter, &BackgroundWorkerList)
+ {
+ RegisteredBgWorker *rw;
+ TimestampTz this_wakeup;
+
+ rw = slist_container(RegisteredBgWorker, rw_lnode, siter.cur);
+
+ if (rw->rw_crashed_at == 0)
+ continue;
+
+ if (rw->rw_worker.bgw_restart_time == BGW_NEVER_RESTART
+ || rw->rw_terminate)
+ {
+ ForgetBackgroundWorker(&siter);
+ continue;
+ }
+
+ this_wakeup = TimestampTzPlusMilliseconds(rw->rw_crashed_at,
+ 1000L * rw->rw_worker.bgw_restart_time);
+ if (next_wakeup == 0 || this_wakeup < next_wakeup)
+ next_wakeup = this_wakeup;
+ }
+ }
+
+ if (next_wakeup != 0)
+ {
+ int ms;
+
+ /* result of TimestampDifferenceMilliseconds is in [0, INT_MAX] */
+ ms = (int) TimestampDifferenceMilliseconds(GetCurrentTimestamp(),
+ next_wakeup);
+ return Min(60 * 1000, ms);
+ }
+
+ return 60 * 1000;
+}
+
+/*
+ * Activate or deactivate notifications of server socket events. Since we
+ * don't currently have a way to remove events from an existing WaitEventSet,
+ * we'll just destroy and recreate the whole thing. This is called during
+ * shutdown so we can wait for backends to exit without accepting new
+ * connections, and during crash reinitialization when we need to start
+ * listening for new connections again. The WaitEventSet will be freed in fork
+ * children by ClosePostmasterPorts().
+ */
+static void
+ConfigurePostmasterWaitSet(bool accept_connections)
+{
+ int nsockets;
+
+ if (pm_wait_set)
+ FreeWaitEventSet(pm_wait_set);
+ pm_wait_set = NULL;
+
+ /* How many server sockets do we need to wait for? */
+ nsockets = 0;
+ if (accept_connections)
+ {
+ while (nsockets < MAXLISTEN &&
+ ListenSocket[nsockets] != PGINVALID_SOCKET)
+ ++nsockets;
+ }
+
+ pm_wait_set = CreateWaitEventSet(CurrentMemoryContext, 1 + nsockets);
+ AddWaitEventToSet(pm_wait_set, WL_LATCH_SET, PGINVALID_SOCKET, MyLatch,
+ NULL);
+
+ if (accept_connections)
+ {
+ for (int i = 0; i < nsockets; i++)
+ AddWaitEventToSet(pm_wait_set, WL_SOCKET_ACCEPT, ListenSocket[i],
+ NULL, NULL);
+ }
+}
+
+/*
+ * Main idle loop of postmaster
+ */
+static int
+ServerLoop(void)
+{
+ time_t last_lockfile_recheck_time,
+ last_touch_time;
+ WaitEvent events[MAXLISTEN];
+ int nevents;
+
+ ConfigurePostmasterWaitSet(true);
+ last_lockfile_recheck_time = last_touch_time = time(NULL);
+
+ for (;;)
+ {
+ time_t now;
+
+ nevents = WaitEventSetWait(pm_wait_set,
+ DetermineSleepTime(),
+ events,
+ lengthof(events),
+ 0 /* postmaster posts no wait_events */ );
+
+ /*
+ * Latch set by signal handler, or new connection pending on any of
+ * our sockets? If the latter, fork a child process to deal with it.
+ */
+ for (int i = 0; i < nevents; i++)
+ {
+ if (events[i].events & WL_LATCH_SET)
+ ResetLatch(MyLatch);
+
+ /*
+ * The following requests are handled unconditionally, even if we
+ * didn't see WL_LATCH_SET. This gives high priority to shutdown
+ * and reload requests where the latch happens to appear later in
+ * events[] or will be reported by a later call to
+ * WaitEventSetWait().
+ */
+ if (pending_pm_shutdown_request)
+ process_pm_shutdown_request();
+ if (pending_pm_reload_request)
+ process_pm_reload_request();
+ if (pending_pm_child_exit)
+ process_pm_child_exit();
+ if (pending_pm_pmsignal)
+ process_pm_pmsignal();
+
+ if (events[i].events & WL_SOCKET_ACCEPT)
+ {
+ Port *port;
+
+ port = ConnCreate(events[i].fd);
+ if (port)
+ {
+ BackendStartup(port);
+
+ /*
+ * We no longer need the open socket or port structure in
+ * this process
+ */
+ StreamClose(port->sock);
+ ConnFree(port);
+ }
+ }
+ }
+
+ /* If we have lost the log collector, try to start a new one */
+ if (SysLoggerPID == 0 && Logging_collector)
+ SysLoggerPID = SysLogger_Start();
+
+ /*
+ * If no background writer process is running, and we are not in a
+ * state that prevents it, start one. It doesn't matter if this
+ * fails, we'll just try again later. Likewise for the checkpointer.
+ */
+ if (pmState == PM_RUN || pmState == PM_RECOVERY ||
+ pmState == PM_HOT_STANDBY || pmState == PM_STARTUP)
+ {
+ if (CheckpointerPID == 0)
+ CheckpointerPID = StartCheckpointer();
+ if (BgWriterPID == 0)
+ BgWriterPID = StartBackgroundWriter();
+ }
+
+ /*
+ * Likewise, if we have lost the walwriter process, try to start a new
+ * one. But this is needed only in normal operation (else we cannot
+ * be writing any new WAL).
+ */
+ if (WalWriterPID == 0 && pmState == PM_RUN)
+ WalWriterPID = StartWalWriter();
+
+ /*
+ * If we have lost the autovacuum launcher, try to start a new one. We
+ * don't want autovacuum to run in binary upgrade mode because
+ * autovacuum might update relfrozenxid for empty tables before the
+ * physical files are put in place.
+ */
+ if (!IsBinaryUpgrade && AutoVacPID == 0 &&
+ (AutoVacuumingActive() || start_autovac_launcher) &&
+ pmState == PM_RUN)
+ {
+ AutoVacPID = StartAutoVacLauncher();
+ if (AutoVacPID != 0)
+ start_autovac_launcher = false; /* signal processed */
+ }
+
+ /* If we have lost the archiver, try to start a new one. */
+ if (PgArchPID == 0 && PgArchStartupAllowed())
+ PgArchPID = StartArchiver();
+
+ /* If we need to signal the autovacuum launcher, do so now */
+ if (avlauncher_needs_signal)
+ {
+ avlauncher_needs_signal = false;
+ if (AutoVacPID != 0)
+ kill(AutoVacPID, SIGUSR2);
+ }
+
+ /* If we need to start a WAL receiver, try to do that now */
+ if (WalReceiverRequested)
+ MaybeStartWalReceiver();
+
+ /* Get other worker processes running, if needed */
+ if (StartWorkerNeeded || HaveCrashedWorker)
+ maybe_start_bgworkers();
+
+#ifdef HAVE_PTHREAD_IS_THREADED_NP
+
+ /*
+ * With assertions enabled, check regularly for appearance of
+ * additional threads. All builds check at start and exit.
+ */
+ Assert(pthread_is_threaded_np() == 0);
+#endif
+
+ /*
+ * Lastly, check to see if it's time to do some things that we don't
+ * want to do every single time through the loop, because they're a
+ * bit expensive. Note that there's up to a minute of slop in when
+ * these tasks will be performed, since DetermineSleepTime() will let
+ * us sleep at most that long; except for SIGKILL timeout which has
+ * special-case logic there.
+ */
+ now = time(NULL);
+
+ /*
+ * If we already sent SIGQUIT to children and they are slow to shut
+ * down, it's time to send them SIGKILL (or SIGABRT if requested).
+ * This doesn't happen normally, but under certain conditions backends
+ * can get stuck while shutting down. This is a last measure to get
+ * them unwedged.
+ *
+ * Note we also do this during recovery from a process crash.
+ */
+ if ((Shutdown >= ImmediateShutdown || FatalError) &&
+ AbortStartTime != 0 &&
+ (now - AbortStartTime) >= SIGKILL_CHILDREN_AFTER_SECS)
+ {
+ /* We were gentle with them before. Not anymore */
+ ereport(LOG,
+ /* translator: %s is SIGKILL or SIGABRT */
+ (errmsg("issuing %s to recalcitrant children",
+ send_abort_for_kill ? "SIGABRT" : "SIGKILL")));
+ TerminateChildren(send_abort_for_kill ? SIGABRT : SIGKILL);
+ /* reset flag so we don't SIGKILL again */
+ AbortStartTime = 0;
+ }
+
+ /*
+ * Once a minute, verify that postmaster.pid hasn't been removed or
+ * overwritten. If it has, we force a shutdown. This avoids having
+ * postmasters and child processes hanging around after their database
+ * is gone, and maybe causing problems if a new database cluster is
+ * created in the same place. It also provides some protection
+ * against a DBA foolishly removing postmaster.pid and manually
+ * starting a new postmaster. Data corruption is likely to ensue from
+ * that anyway, but we can minimize the damage by aborting ASAP.
+ */
+ if (now - last_lockfile_recheck_time >= 1 * SECS_PER_MINUTE)
+ {
+ if (!RecheckDataDirLockFile())
+ {
+ ereport(LOG,
+ (errmsg("performing immediate shutdown because data directory lock file is invalid")));
+ kill(MyProcPid, SIGQUIT);
+ }
+ last_lockfile_recheck_time = now;
+ }
+
+ /*
+ * Touch Unix socket and lock files every 58 minutes, to ensure that
+ * they are not removed by overzealous /tmp-cleaning tasks. We assume
+ * no one runs cleaners with cutoff times of less than an hour ...
+ */
+ if (now - last_touch_time >= 58 * SECS_PER_MINUTE)
+ {
+ TouchSocketFiles();
+ TouchSocketLockFiles();
+ last_touch_time = now;
+ }
+ }
+}
+
+/*
+ * Read a client's startup packet and do something according to it.
+ *
+ * Returns STATUS_OK or STATUS_ERROR, or might call ereport(FATAL) and
+ * not return at all.
+ *
+ * (Note that ereport(FATAL) stuff is sent to the client, so only use it
+ * if that's what you want. Return STATUS_ERROR if you don't want to
+ * send anything to the client, which would typically be appropriate
+ * if we detect a communications failure.)
+ *
+ * Set ssl_done and/or gss_done when negotiation of an encrypted layer
+ * (currently, TLS or GSSAPI) is completed. A successful negotiation of either
+ * encryption layer sets both flags, but a rejected negotiation sets only the
+ * flag for that layer, since the client may wish to try the other one. We
+ * should make no assumption here about the order in which the client may make
+ * requests.
+ */
+static int
+ProcessStartupPacket(Port *port, bool ssl_done, bool gss_done)
+{
+ int32 len;
+ char *buf;
+ ProtocolVersion proto;
+ MemoryContext oldcontext;
+
+ pq_startmsgread();
+
+ /*
+ * Grab the first byte of the length word separately, so that we can tell
+ * whether we have no data at all or an incomplete packet. (This might
+ * sound inefficient, but it's not really, because of buffering in
+ * pqcomm.c.)
+ */
+ if (pq_getbytes((char *) &len, 1) == EOF)
+ {
+ /*
+ * If we get no data at all, don't clutter the log with a complaint;
+ * such cases often occur for legitimate reasons. An example is that
+ * we might be here after responding to NEGOTIATE_SSL_CODE, and if the
+ * client didn't like our response, it'll probably just drop the
+ * connection. Service-monitoring software also often just opens and
+ * closes a connection without sending anything. (So do port
+ * scanners, which may be less benign, but it's not really our job to
+ * notice those.)
+ */
+ return STATUS_ERROR;
+ }
+
+ if (pq_getbytes(((char *) &len) + 1, 3) == EOF)
+ {
+ /* Got a partial length word, so bleat about that */
+ if (!ssl_done && !gss_done)
+ ereport(COMMERROR,
+ (errcode(ERRCODE_PROTOCOL_VIOLATION),
+ errmsg("incomplete startup packet")));
+ return STATUS_ERROR;
+ }
+
+ len = pg_ntoh32(len);
+ len -= 4;
+
+ if (len < (int32) sizeof(ProtocolVersion) ||
+ len > MAX_STARTUP_PACKET_LENGTH)
+ {
+ ereport(COMMERROR,
+ (errcode(ERRCODE_PROTOCOL_VIOLATION),
+ errmsg("invalid length of startup packet")));
+ return STATUS_ERROR;
+ }
+
+ /*
+ * Allocate space to hold the startup packet, plus one extra byte that's
+ * initialized to be zero. This ensures we will have null termination of
+ * all strings inside the packet.
+ */
+ buf = palloc(len + 1);
+ buf[len] = '\0';
+
+ if (pq_getbytes(buf, len) == EOF)
+ {
+ ereport(COMMERROR,
+ (errcode(ERRCODE_PROTOCOL_VIOLATION),
+ errmsg("incomplete startup packet")));
+ return STATUS_ERROR;
+ }
+ pq_endmsgread();
+
+ /*
+ * The first field is either a protocol version number or a special
+ * request code.
+ */
+ port->proto = proto = pg_ntoh32(*((ProtocolVersion *) buf));
+
+ if (proto == CANCEL_REQUEST_CODE)
+ {
+ if (len != sizeof(CancelRequestPacket))
+ {
+ ereport(COMMERROR,
+ (errcode(ERRCODE_PROTOCOL_VIOLATION),
+ errmsg("invalid length of startup packet")));
+ return STATUS_ERROR;
+ }
+ processCancelRequest(port, buf);
+ /* Not really an error, but we don't want to proceed further */
+ return STATUS_ERROR;
+ }
+
+ if (proto == NEGOTIATE_SSL_CODE && !ssl_done)
+ {
+ char SSLok;
+
+#ifdef USE_SSL
+ /* No SSL when disabled or on Unix sockets */
+ if (!LoadedSSL || port->laddr.addr.ss_family == AF_UNIX)
+ SSLok = 'N';
+ else
+ SSLok = 'S'; /* Support for SSL */
+#else
+ SSLok = 'N'; /* No support for SSL */
+#endif
+
+retry1:
+ if (send(port->sock, &SSLok, 1, 0) != 1)
+ {
+ if (errno == EINTR)
+ goto retry1; /* if interrupted, just retry */
+ ereport(COMMERROR,
+ (errcode_for_socket_access(),
+ errmsg("failed to send SSL negotiation response: %m")));
+ return STATUS_ERROR; /* close the connection */
+ }
+
+#ifdef USE_SSL
+ if (SSLok == 'S' && secure_open_server(port) == -1)
+ return STATUS_ERROR;
+#endif
+
+ /*
+ * At this point we should have no data already buffered. If we do,
+ * it was received before we performed the SSL handshake, so it wasn't
+ * encrypted and indeed may have been injected by a man-in-the-middle.
+ * We report this case to the client.
+ */
+ if (pq_buffer_has_data())
+ ereport(FATAL,
+ (errcode(ERRCODE_PROTOCOL_VIOLATION),
+ errmsg("received unencrypted data after SSL request"),
+ errdetail("This could be either a client-software bug or evidence of an attempted man-in-the-middle attack.")));
+
+ /*
+ * regular startup packet, cancel, etc packet should follow, but not
+ * another SSL negotiation request, and a GSS request should only
+ * follow if SSL was rejected (client may negotiate in either order)
+ */
+ return ProcessStartupPacket(port, true, SSLok == 'S');
+ }
+ else if (proto == NEGOTIATE_GSS_CODE && !gss_done)
+ {
+ char GSSok = 'N';
+
+#ifdef ENABLE_GSS
+ /* No GSSAPI encryption when on Unix socket */
+ if (port->laddr.addr.ss_family != AF_UNIX)
+ GSSok = 'G';
+#endif
+
+ while (send(port->sock, &GSSok, 1, 0) != 1)
+ {
+ if (errno == EINTR)
+ continue;
+ ereport(COMMERROR,
+ (errcode_for_socket_access(),
+ errmsg("failed to send GSSAPI negotiation response: %m")));
+ return STATUS_ERROR; /* close the connection */
+ }
+
+#ifdef ENABLE_GSS
+ if (GSSok == 'G' && secure_open_gssapi(port) == -1)
+ return STATUS_ERROR;
+#endif
+
+ /*
+ * At this point we should have no data already buffered. If we do,
+ * it was received before we performed the GSS handshake, so it wasn't
+ * encrypted and indeed may have been injected by a man-in-the-middle.
+ * We report this case to the client.
+ */
+ if (pq_buffer_has_data())
+ ereport(FATAL,
+ (errcode(ERRCODE_PROTOCOL_VIOLATION),
+ errmsg("received unencrypted data after GSSAPI encryption request"),
+ errdetail("This could be either a client-software bug or evidence of an attempted man-in-the-middle attack.")));
+
+ /*
+ * regular startup packet, cancel, etc packet should follow, but not
+ * another GSS negotiation request, and an SSL request should only
+ * follow if GSS was rejected (client may negotiate in either order)
+ */
+ return ProcessStartupPacket(port, GSSok == 'G', true);
+ }
+
+ /* Could add additional special packet types here */
+
+ /*
+ * Set FrontendProtocol now so that ereport() knows what format to send if
+ * we fail during startup.
+ */
+ FrontendProtocol = proto;
+
+ /* Check that the major protocol version is in range. */
+ if (PG_PROTOCOL_MAJOR(proto) < PG_PROTOCOL_MAJOR(PG_PROTOCOL_EARLIEST) ||
+ PG_PROTOCOL_MAJOR(proto) > PG_PROTOCOL_MAJOR(PG_PROTOCOL_LATEST))
+ ereport(FATAL,
+ (errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
+ errmsg("unsupported frontend protocol %u.%u: server supports %u.0 to %u.%u",
+ PG_PROTOCOL_MAJOR(proto), PG_PROTOCOL_MINOR(proto),
+ PG_PROTOCOL_MAJOR(PG_PROTOCOL_EARLIEST),
+ PG_PROTOCOL_MAJOR(PG_PROTOCOL_LATEST),
+ PG_PROTOCOL_MINOR(PG_PROTOCOL_LATEST))));
+
+ /*
+ * Now fetch parameters out of startup packet and save them into the Port
+ * structure. All data structures attached to the Port struct must be
+ * allocated in TopMemoryContext so that they will remain available in a
+ * running backend (even after PostmasterContext is destroyed). We need
+ * not worry about leaking this storage on failure, since we aren't in the
+ * postmaster process anymore.
+ */
+ oldcontext = MemoryContextSwitchTo(TopMemoryContext);
+
+ /* Handle protocol version 3 startup packet */
+ {
+ int32 offset = sizeof(ProtocolVersion);
+ List *unrecognized_protocol_options = NIL;
+
+ /*
+ * Scan packet body for name/option pairs. We can assume any string
+ * beginning within the packet body is null-terminated, thanks to
+ * zeroing extra byte above.
+ */
+ port->guc_options = NIL;
+
+ while (offset < len)
+ {
+ char *nameptr = buf + offset;
+ int32 valoffset;
+ char *valptr;
+
+ if (*nameptr == '\0')
+ break; /* found packet terminator */
+ valoffset = offset + strlen(nameptr) + 1;
+ if (valoffset >= len)
+ break; /* missing value, will complain below */
+ valptr = buf + valoffset;
+
+ if (strcmp(nameptr, "database") == 0)
+ port->database_name = pstrdup(valptr);
+ else if (strcmp(nameptr, "user") == 0)
+ port->user_name = pstrdup(valptr);
+ else if (strcmp(nameptr, "options") == 0)
+ port->cmdline_options = pstrdup(valptr);
+ else if (strcmp(nameptr, "replication") == 0)
+ {
+ /*
+ * Due to backward compatibility concerns the replication
+ * parameter is a hybrid beast which allows the value to be
+ * either boolean or the string 'database'. The latter
+ * connects to a specific database which is e.g. required for
+ * logical decoding while.
+ */
+ if (strcmp(valptr, "database") == 0)
+ {
+ am_walsender = true;
+ am_db_walsender = true;
+ }
+ else if (!parse_bool(valptr, &am_walsender))
+ ereport(FATAL,
+ (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
+ errmsg("invalid value for parameter \"%s\": \"%s\"",
+ "replication",
+ valptr),
+ errhint("Valid values are: \"false\", 0, \"true\", 1, \"database\".")));
+ }
+ else if (strncmp(nameptr, "_pq_.", 5) == 0)
+ {
+ /*
+ * Any option beginning with _pq_. is reserved for use as a
+ * protocol-level option, but at present no such options are
+ * defined.
+ */
+ unrecognized_protocol_options =
+ lappend(unrecognized_protocol_options, pstrdup(nameptr));
+ }
+ else
+ {
+ /* Assume it's a generic GUC option */
+ port->guc_options = lappend(port->guc_options,
+ pstrdup(nameptr));
+ port->guc_options = lappend(port->guc_options,
+ pstrdup(valptr));
+
+ /*
+ * Copy application_name to port if we come across it. This
+ * is done so we can log the application_name in the
+ * connection authorization message. Note that the GUC would
+ * be used but we haven't gone through GUC setup yet.
+ */
+ if (strcmp(nameptr, "application_name") == 0)
+ {
+ port->application_name = pg_clean_ascii(valptr, 0);
+ }
+ }
+ offset = valoffset + strlen(valptr) + 1;
+ }
+
+ /*
+ * If we didn't find a packet terminator exactly at the end of the
+ * given packet length, complain.
+ */
+ if (offset != len - 1)
+ ereport(FATAL,
+ (errcode(ERRCODE_PROTOCOL_VIOLATION),
+ errmsg("invalid startup packet layout: expected terminator as last byte")));
+
+ /*
+ * If the client requested a newer protocol version or if the client
+ * requested any protocol options we didn't recognize, let them know
+ * the newest minor protocol version we do support and the names of
+ * any unrecognized options.
+ */
+ if (PG_PROTOCOL_MINOR(proto) > PG_PROTOCOL_MINOR(PG_PROTOCOL_LATEST) ||
+ unrecognized_protocol_options != NIL)
+ SendNegotiateProtocolVersion(unrecognized_protocol_options);
+ }
+
+ /* Check a user name was given. */
+ if (port->user_name == NULL || port->user_name[0] == '\0')
+ ereport(FATAL,
+ (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
+ errmsg("no PostgreSQL user name specified in startup packet")));
+
+ /* The database defaults to the user name. */
+ if (port->database_name == NULL || port->database_name[0] == '\0')
+ port->database_name = pstrdup(port->user_name);
+
+ if (Db_user_namespace)
+ {
+ /*
+ * If user@, it is a global user, remove '@'. We only want to do this
+ * if there is an '@' at the end and no earlier in the user string or
+ * they may fake as a local user of another database attaching to this
+ * database.
+ */
+ if (strchr(port->user_name, '@') ==
+ port->user_name + strlen(port->user_name) - 1)
+ *strchr(port->user_name, '@') = '\0';
+ else
+ {
+ /* Append '@' and dbname */
+ port->user_name = psprintf("%s@%s", port->user_name, port->database_name);
+ }
+ }
+
+ /*
+ * Truncate given database and user names to length of a Postgres name.
+ * This avoids lookup failures when overlength names are given.
+ */
+ if (strlen(port->database_name) >= NAMEDATALEN)
+ port->database_name[NAMEDATALEN - 1] = '\0';
+ if (strlen(port->user_name) >= NAMEDATALEN)
+ port->user_name[NAMEDATALEN - 1] = '\0';
+
+ if (am_walsender)
+ MyBackendType = B_WAL_SENDER;
+ else
+ MyBackendType = B_BACKEND;
+
+ /*
+ * Normal walsender backends, e.g. for streaming replication, are not
+ * connected to a particular database. But walsenders used for logical
+ * replication need to connect to a specific database. We allow streaming
+ * replication commands to be issued even if connected to a database as it
+ * can make sense to first make a basebackup and then stream changes
+ * starting from that.
+ */
+ if (am_walsender && !am_db_walsender)
+ port->database_name[0] = '\0';
+
+ /*
+ * Done putting stuff in TopMemoryContext.
+ */
+ MemoryContextSwitchTo(oldcontext);
+
+ /*
+ * If we're going to reject the connection due to database state, say so
+ * now instead of wasting cycles on an authentication exchange. (This also
+ * allows a pg_ping utility to be written.)
+ */
+ switch (port->canAcceptConnections)
+ {
+ case CAC_STARTUP:
+ ereport(FATAL,
+ (errcode(ERRCODE_CANNOT_CONNECT_NOW),
+ errmsg("the database system is starting up")));
+ break;
+ case CAC_NOTCONSISTENT:
+ if (EnableHotStandby)
+ ereport(FATAL,
+ (errcode(ERRCODE_CANNOT_CONNECT_NOW),
+ errmsg("the database system is not yet accepting connections"),
+ errdetail("Consistent recovery state has not been yet reached.")));
+ else
+ ereport(FATAL,
+ (errcode(ERRCODE_CANNOT_CONNECT_NOW),
+ errmsg("the database system is not accepting connections"),
+ errdetail("Hot standby mode is disabled.")));
+ break;
+ case CAC_SHUTDOWN:
+ ereport(FATAL,
+ (errcode(ERRCODE_CANNOT_CONNECT_NOW),
+ errmsg("the database system is shutting down")));
+ break;
+ case CAC_RECOVERY:
+ ereport(FATAL,
+ (errcode(ERRCODE_CANNOT_CONNECT_NOW),
+ errmsg("the database system is in recovery mode")));
+ break;
+ case CAC_TOOMANY:
+ ereport(FATAL,
+ (errcode(ERRCODE_TOO_MANY_CONNECTIONS),
+ errmsg("sorry, too many clients already")));
+ break;
+ case CAC_OK:
+ break;
+ }
+
+ return STATUS_OK;
+}
+
+/*
+ * Send a NegotiateProtocolVersion to the client. This lets the client know
+ * that they have requested a newer minor protocol version than we are able
+ * to speak. We'll speak the highest version we know about; the client can,
+ * of course, abandon the connection if that's a problem.
+ *
+ * We also include in the response a list of protocol options we didn't
+ * understand. This allows clients to include optional parameters that might
+ * be present either in newer protocol versions or third-party protocol
+ * extensions without fear of having to reconnect if those options are not
+ * understood, while at the same time making certain that the client is aware
+ * of which options were actually accepted.
+ */
+static void
+SendNegotiateProtocolVersion(List *unrecognized_protocol_options)
+{
+ StringInfoData buf;
+ ListCell *lc;
+
+ pq_beginmessage(&buf, 'v'); /* NegotiateProtocolVersion */
+ pq_sendint32(&buf, PG_PROTOCOL_LATEST);
+ pq_sendint32(&buf, list_length(unrecognized_protocol_options));
+ foreach(lc, unrecognized_protocol_options)
+ pq_sendstring(&buf, lfirst(lc));
+ pq_endmessage(&buf);
+
+ /* no need to flush, some other message will follow */
+}
+
+/*
+ * The client has sent a cancel request packet, not a normal
+ * start-a-new-connection packet. Perform the necessary processing.
+ * Nothing is sent back to the client.
+ */
+static void
+processCancelRequest(Port *port, void *pkt)
+{
+ CancelRequestPacket *canc = (CancelRequestPacket *) pkt;
+ int backendPID;
+ int32 cancelAuthCode;
+ Backend *bp;
+
+#ifndef EXEC_BACKEND
+ dlist_iter iter;
+#else
+ int i;
+#endif
+
+ backendPID = (int) pg_ntoh32(canc->backendPID);
+ cancelAuthCode = (int32) pg_ntoh32(canc->cancelAuthCode);
+
+ /*
+ * See if we have a matching backend. In the EXEC_BACKEND case, we can no
+ * longer access the postmaster's own backend list, and must rely on the
+ * duplicate array in shared memory.
+ */
+#ifndef EXEC_BACKEND
+ dlist_foreach(iter, &BackendList)
+ {
+ bp = dlist_container(Backend, elem, iter.cur);
+#else
+ for (i = MaxLivePostmasterChildren() - 1; i >= 0; i--)
+ {
+ bp = (Backend *) &ShmemBackendArray[i];
+#endif
+ if (bp->pid == backendPID)
+ {
+ if (bp->cancel_key == cancelAuthCode)
+ {
+ /* Found a match; signal that backend to cancel current op */
+ ereport(DEBUG2,
+ (errmsg_internal("processing cancel request: sending SIGINT to process %d",
+ backendPID)));
+ signal_child(bp->pid, SIGINT);
+ }
+ else
+ /* Right PID, wrong key: no way, Jose */
+ ereport(LOG,
+ (errmsg("wrong key in cancel request for process %d",
+ backendPID)));
+ return;
+ }
+#ifndef EXEC_BACKEND /* make GNU Emacs 26.1 see brace balance */
+ }
+#else
+ }
+#endif
+
+ /* No matching backend */
+ ereport(LOG,
+ (errmsg("PID %d in cancel request did not match any process",
+ backendPID)));
+}
+
+/*
+ * canAcceptConnections --- check to see if database state allows connections
+ * of the specified type. backend_type can be BACKEND_TYPE_NORMAL,
+ * BACKEND_TYPE_AUTOVAC, or BACKEND_TYPE_BGWORKER. (Note that we don't yet
+ * know whether a NORMAL connection might turn into a walsender.)
+ */
+static CAC_state
+canAcceptConnections(int backend_type)
+{
+ CAC_state result = CAC_OK;
+
+ /*
+ * Can't start backends when in startup/shutdown/inconsistent recovery
+ * state. We treat autovac workers the same as user backends for this
+ * purpose. However, bgworkers are excluded from this test; we expect
+ * bgworker_should_start_now() decided whether the DB state allows them.
+ */
+ if (pmState != PM_RUN && pmState != PM_HOT_STANDBY &&
+ backend_type != BACKEND_TYPE_BGWORKER)
+ {
+ if (Shutdown > NoShutdown)
+ return CAC_SHUTDOWN; /* shutdown is pending */
+ else if (!FatalError && pmState == PM_STARTUP)
+ return CAC_STARTUP; /* normal startup */
+ else if (!FatalError && pmState == PM_RECOVERY)
+ return CAC_NOTCONSISTENT; /* not yet at consistent recovery
+ * state */
+ else
+ return CAC_RECOVERY; /* else must be crash recovery */
+ }
+
+ /*
+ * "Smart shutdown" restrictions are applied only to normal connections,
+ * not to autovac workers or bgworkers.
+ */
+ if (!connsAllowed && backend_type == BACKEND_TYPE_NORMAL)
+ return CAC_SHUTDOWN; /* shutdown is pending */
+
+ /*
+ * Don't start too many children.
+ *
+ * We allow more connections here than we can have backends because some
+ * might still be authenticating; they might fail auth, or some existing
+ * backend might exit before the auth cycle is completed. The exact
+ * MaxBackends limit is enforced when a new backend tries to join the
+ * shared-inval backend array.
+ *
+ * The limit here must match the sizes of the per-child-process arrays;
+ * see comments for MaxLivePostmasterChildren().
+ */
+ if (CountChildren(BACKEND_TYPE_ALL) >= MaxLivePostmasterChildren())
+ result = CAC_TOOMANY;
+
+ return result;
+}
+
+
+/*
+ * ConnCreate -- create a local connection data structure
+ *
+ * Returns NULL on failure, other than out-of-memory which is fatal.
+ */
+static Port *
+ConnCreate(int serverFd)
+{
+ Port *port;
+
+ if (!(port = (Port *) calloc(1, sizeof(Port))))
+ {
+ ereport(LOG,
+ (errcode(ERRCODE_OUT_OF_MEMORY),
+ errmsg("out of memory")));
+ ExitPostmaster(1);
+ }
+
+ if (StreamConnection(serverFd, port) != STATUS_OK)
+ {
+ if (port->sock != PGINVALID_SOCKET)
+ StreamClose(port->sock);
+ ConnFree(port);
+ return NULL;
+ }
+
+ return port;
+}
+
+
+/*
+ * ConnFree -- free a local connection data structure
+ *
+ * Caller has already closed the socket if any, so there's not much
+ * to do here.
+ */
+static void
+ConnFree(Port *port)
+{
+ free(port);
+}
+
+
+/*
+ * ClosePostmasterPorts -- close all the postmaster's open sockets
+ *
+ * This is called during child process startup to release file descriptors
+ * that are not needed by that child process. The postmaster still has
+ * them open, of course.
+ *
+ * Note: we pass am_syslogger as a boolean because we don't want to set
+ * the global variable yet when this is called.
+ */
+void
+ClosePostmasterPorts(bool am_syslogger)
+{
+ int i;
+
+ /* Release resources held by the postmaster's WaitEventSet. */
+ if (pm_wait_set)
+ {
+ FreeWaitEventSetAfterFork(pm_wait_set);
+ pm_wait_set = NULL;
+ }
+
+#ifndef WIN32
+
+ /*
+ * Close the write end of postmaster death watch pipe. It's important to
+ * do this as early as possible, so that if postmaster dies, others won't
+ * think that it's still running because we're holding the pipe open.
+ */
+ if (close(postmaster_alive_fds[POSTMASTER_FD_OWN]) != 0)
+ ereport(FATAL,
+ (errcode_for_file_access(),
+ errmsg_internal("could not close postmaster death monitoring pipe in child process: %m")));
+ postmaster_alive_fds[POSTMASTER_FD_OWN] = -1;
+ /* Notify fd.c that we released one pipe FD. */
+ ReleaseExternalFD();
+#endif
+
+ /*
+ * Close the postmaster's listen sockets. These aren't tracked by fd.c,
+ * so we don't call ReleaseExternalFD() here.
+ */
+ for (i = 0; i < MAXLISTEN; i++)
+ {
+ if (ListenSocket[i] != PGINVALID_SOCKET)
+ {
+ StreamClose(ListenSocket[i]);
+ ListenSocket[i] = PGINVALID_SOCKET;
+ }
+ }
+
+ /*
+ * If using syslogger, close the read side of the pipe. We don't bother
+ * tracking this in fd.c, either.
+ */
+ if (!am_syslogger)
+ {
+#ifndef WIN32
+ if (syslogPipe[0] >= 0)
+ close(syslogPipe[0]);
+ syslogPipe[0] = -1;
+#else
+ if (syslogPipe[0])
+ CloseHandle(syslogPipe[0]);
+ syslogPipe[0] = 0;
+#endif
+ }
+
+#ifdef USE_BONJOUR
+ /* If using Bonjour, close the connection to the mDNS daemon */
+ if (bonjour_sdref)
+ close(DNSServiceRefSockFD(bonjour_sdref));
+#endif
+}
+
+
+/*
+ * InitProcessGlobals -- set MyProcPid, MyStartTime[stamp], random seeds
+ *
+ * Called early in the postmaster and every backend.
+ */
+void
+InitProcessGlobals(void)
+{
+ MyProcPid = getpid();
+ MyStartTimestamp = GetCurrentTimestamp();
+ MyStartTime = timestamptz_to_time_t(MyStartTimestamp);
+
+ /*
+ * Set a different global seed in every process. We want something
+ * unpredictable, so if possible, use high-quality random bits for the
+ * seed. Otherwise, fall back to a seed based on timestamp and PID.
+ */
+ if (unlikely(!pg_prng_strong_seed(&pg_global_prng_state)))
+ {
+ uint64 rseed;
+
+ /*
+ * Since PIDs and timestamps tend to change more frequently in their
+ * least significant bits, shift the timestamp left to allow a larger
+ * total number of seeds in a given time period. Since that would
+ * leave only 20 bits of the timestamp that cycle every ~1 second,
+ * also mix in some higher bits.
+ */
+ rseed = ((uint64) MyProcPid) ^
+ ((uint64) MyStartTimestamp << 12) ^
+ ((uint64) MyStartTimestamp >> 20);
+
+ pg_prng_seed(&pg_global_prng_state, rseed);
+ }
+
+ /*
+ * Also make sure that we've set a good seed for random(3). Use of that
+ * is deprecated in core Postgres, but extensions might use it.
+ */
+#ifndef WIN32
+ srandom(pg_prng_uint32(&pg_global_prng_state));
+#endif
+}
+
+/*
+ * Child processes use SIGUSR1 to notify us of 'pmsignals'. pg_ctl uses
+ * SIGUSR1 to ask postmaster to check for logrotate and promote files.
+ */
+static void
+handle_pm_pmsignal_signal(SIGNAL_ARGS)
+{
+ int save_errno = errno;
+
+ pending_pm_pmsignal = true;
+ SetLatch(MyLatch);
+
+ errno = save_errno;
+}
+
+/*
+ * pg_ctl uses SIGHUP to request a reload of the configuration files.
+ */
+static void
+handle_pm_reload_request_signal(SIGNAL_ARGS)
+{
+ int save_errno = errno;
+
+ pending_pm_reload_request = true;
+ SetLatch(MyLatch);
+
+ errno = save_errno;
+}
+
+/*
+ * Re-read config files, and tell children to do same.
+ */
+static void
+process_pm_reload_request(void)
+{
+ pending_pm_reload_request = false;
+
+ ereport(DEBUG2,
+ (errmsg_internal("postmaster received reload request signal")));
+
+ if (Shutdown <= SmartShutdown)
+ {
+ ereport(LOG,
+ (errmsg("received SIGHUP, reloading configuration files")));
+ ProcessConfigFile(PGC_SIGHUP);
+ SignalChildren(SIGHUP);
+ if (StartupPID != 0)
+ signal_child(StartupPID, SIGHUP);
+ if (BgWriterPID != 0)
+ signal_child(BgWriterPID, SIGHUP);
+ if (CheckpointerPID != 0)
+ signal_child(CheckpointerPID, SIGHUP);
+ if (WalWriterPID != 0)
+ signal_child(WalWriterPID, SIGHUP);
+ if (WalReceiverPID != 0)
+ signal_child(WalReceiverPID, SIGHUP);
+ if (AutoVacPID != 0)
+ signal_child(AutoVacPID, SIGHUP);
+ if (PgArchPID != 0)
+ signal_child(PgArchPID, SIGHUP);
+ if (SysLoggerPID != 0)
+ signal_child(SysLoggerPID, SIGHUP);
+
+ /* Reload authentication config files too */
+ if (!load_hba())
+ ereport(LOG,
+ /* translator: %s is a configuration file */
+ (errmsg("%s was not reloaded", HbaFileName)));
+
+ if (!load_ident())
+ ereport(LOG,
+ (errmsg("%s was not reloaded", IdentFileName)));
+
+#ifdef USE_SSL
+ /* Reload SSL configuration as well */
+ if (EnableSSL)
+ {
+ if (secure_initialize(false) == 0)
+ LoadedSSL = true;
+ else
+ ereport(LOG,
+ (errmsg("SSL configuration was not reloaded")));
+ }
+ else
+ {
+ secure_destroy();
+ LoadedSSL = false;
+ }
+#endif
+
+#ifdef EXEC_BACKEND
+ /* Update the starting-point file for future children */
+ write_nondefault_variables(PGC_SIGHUP);
+#endif
+ }
+}
+
+/*
+ * pg_ctl uses SIGTERM, SIGINT and SIGQUIT to request different types of
+ * shutdown.
+ */
+static void
+handle_pm_shutdown_request_signal(SIGNAL_ARGS)
+{
+ int save_errno = errno;
+
+ switch (postgres_signal_arg)
+ {
+ case SIGTERM:
+ /* smart is implied if the other two flags aren't set */
+ pending_pm_shutdown_request = true;
+ break;
+ case SIGINT:
+ pending_pm_fast_shutdown_request = true;
+ pending_pm_shutdown_request = true;
+ break;
+ case SIGQUIT:
+ pending_pm_immediate_shutdown_request = true;
+ pending_pm_shutdown_request = true;
+ break;
+ }
+ SetLatch(MyLatch);
+
+ errno = save_errno;
+}
+
+/*
+ * Process shutdown request.
+ */
+static void
+process_pm_shutdown_request(void)
+{
+ int mode;
+
+ ereport(DEBUG2,
+ (errmsg_internal("postmaster received shutdown request signal")));
+
+ pending_pm_shutdown_request = false;
+
+ /*
+ * If more than one shutdown request signal arrived since the last server
+ * loop, take the one that is the most immediate. That matches the
+ * priority that would apply if we processed them one by one in any order.
+ */
+ if (pending_pm_immediate_shutdown_request)
+ {
+ pending_pm_immediate_shutdown_request = false;
+ pending_pm_fast_shutdown_request = false;
+ mode = ImmediateShutdown;
+ }
+ else if (pending_pm_fast_shutdown_request)
+ {
+ pending_pm_fast_shutdown_request = false;
+ mode = FastShutdown;
+ }
+ else
+ mode = SmartShutdown;
+
+ switch (mode)
+ {
+ case SmartShutdown:
+
+ /*
+ * Smart Shutdown:
+ *
+ * Wait for children to end their work, then shut down.
+ */
+ if (Shutdown >= SmartShutdown)
+ break;
+ Shutdown = SmartShutdown;
+ ereport(LOG,
+ (errmsg("received smart shutdown request")));
+
+ /* Report status */
+ AddToDataDirLockFile(LOCK_FILE_LINE_PM_STATUS, PM_STATUS_STOPPING);
+#ifdef USE_SYSTEMD
+ sd_notify(0, "STOPPING=1");
+#endif
+
+ /*
+ * If we reached normal running, we go straight to waiting for
+ * client backends to exit. If already in PM_STOP_BACKENDS or a
+ * later state, do not change it.
+ */
+ if (pmState == PM_RUN || pmState == PM_HOT_STANDBY)
+ connsAllowed = false;
+ else if (pmState == PM_STARTUP || pmState == PM_RECOVERY)
+ {
+ /* There should be no clients, so proceed to stop children */
+ pmState = PM_STOP_BACKENDS;
+ }
+
+ /*
+ * Now wait for online backup mode to end and backends to exit. If
+ * that is already the case, PostmasterStateMachine will take the
+ * next step.
+ */
+ PostmasterStateMachine();
+ break;
+
+ case FastShutdown:
+
+ /*
+ * Fast Shutdown:
+ *
+ * Abort all children with SIGTERM (rollback active transactions
+ * and exit) and shut down when they are gone.
+ */
+ if (Shutdown >= FastShutdown)
+ break;
+ Shutdown = FastShutdown;
+ ereport(LOG,
+ (errmsg("received fast shutdown request")));
+
+ /* Report status */
+ AddToDataDirLockFile(LOCK_FILE_LINE_PM_STATUS, PM_STATUS_STOPPING);
+#ifdef USE_SYSTEMD
+ sd_notify(0, "STOPPING=1");
+#endif
+
+ if (pmState == PM_STARTUP || pmState == PM_RECOVERY)
+ {
+ /* Just shut down background processes silently */
+ pmState = PM_STOP_BACKENDS;
+ }
+ else if (pmState == PM_RUN ||
+ pmState == PM_HOT_STANDBY)
+ {
+ /* Report that we're about to zap live client sessions */
+ ereport(LOG,
+ (errmsg("aborting any active transactions")));
+ pmState = PM_STOP_BACKENDS;
+ }
+
+ /*
+ * PostmasterStateMachine will issue any necessary signals, or
+ * take the next step if no child processes need to be killed.
+ */
+ PostmasterStateMachine();
+ break;
+
+ case ImmediateShutdown:
+
+ /*
+ * Immediate Shutdown:
+ *
+ * abort all children with SIGQUIT, wait for them to exit,
+ * terminate remaining ones with SIGKILL, then exit without
+ * attempt to properly shut down the data base system.
+ */
+ if (Shutdown >= ImmediateShutdown)
+ break;
+ Shutdown = ImmediateShutdown;
+ ereport(LOG,
+ (errmsg("received immediate shutdown request")));
+
+ /* Report status */
+ AddToDataDirLockFile(LOCK_FILE_LINE_PM_STATUS, PM_STATUS_STOPPING);
+#ifdef USE_SYSTEMD
+ sd_notify(0, "STOPPING=1");
+#endif
+
+ /* tell children to shut down ASAP */
+ /* (note we don't apply send_abort_for_crash here) */
+ SetQuitSignalReason(PMQUIT_FOR_STOP);
+ TerminateChildren(SIGQUIT);
+ pmState = PM_WAIT_BACKENDS;
+
+ /* set stopwatch for them to die */
+ AbortStartTime = time(NULL);
+
+ /*
+ * Now wait for backends to exit. If there are none,
+ * PostmasterStateMachine will take the next step.
+ */
+ PostmasterStateMachine();
+ break;
+ }
+}
+
+static void
+handle_pm_child_exit_signal(SIGNAL_ARGS)
+{
+ int save_errno = errno;
+
+ pending_pm_child_exit = true;
+ SetLatch(MyLatch);
+
+ errno = save_errno;
+}
+
+/*
+ * Cleanup after a child process dies.
+ */
+static void
+process_pm_child_exit(void)
+{
+ int pid; /* process id of dead child process */
+ int exitstatus; /* its exit status */
+
+ pending_pm_child_exit = false;
+
+ ereport(DEBUG4,
+ (errmsg_internal("reaping dead processes")));
+
+ while ((pid = waitpid(-1, &exitstatus, WNOHANG)) > 0)
+ {
+ /*
+ * Check if this child was a startup process.
+ */
+ if (pid == StartupPID)
+ {
+ StartupPID = 0;
+
+ /*
+ * Startup process exited in response to a shutdown request (or it
+ * completed normally regardless of the shutdown request).
+ */
+ if (Shutdown > NoShutdown &&
+ (EXIT_STATUS_0(exitstatus) || EXIT_STATUS_1(exitstatus)))
+ {
+ StartupStatus = STARTUP_NOT_RUNNING;
+ pmState = PM_WAIT_BACKENDS;
+ /* PostmasterStateMachine logic does the rest */
+ continue;
+ }
+
+ if (EXIT_STATUS_3(exitstatus))
+ {
+ ereport(LOG,
+ (errmsg("shutdown at recovery target")));
+ StartupStatus = STARTUP_NOT_RUNNING;
+ Shutdown = Max(Shutdown, SmartShutdown);
+ TerminateChildren(SIGTERM);
+ pmState = PM_WAIT_BACKENDS;
+ /* PostmasterStateMachine logic does the rest */
+ continue;
+ }
+
+ /*
+ * Unexpected exit of startup process (including FATAL exit)
+ * during PM_STARTUP is treated as catastrophic. There are no
+ * other processes running yet, so we can just exit.
+ */
+ if (pmState == PM_STARTUP &&
+ StartupStatus != STARTUP_SIGNALED &&
+ !EXIT_STATUS_0(exitstatus))
+ {
+ LogChildExit(LOG, _("startup process"),
+ pid, exitstatus);
+ ereport(LOG,
+ (errmsg("aborting startup due to startup process failure")));
+ ExitPostmaster(1);
+ }
+
+ /*
+ * After PM_STARTUP, any unexpected exit (including FATAL exit) of
+ * the startup process is catastrophic, so kill other children,
+ * and set StartupStatus so we don't try to reinitialize after
+ * they're gone. Exception: if StartupStatus is STARTUP_SIGNALED,
+ * then we previously sent the startup process a SIGQUIT; so
+ * that's probably the reason it died, and we do want to try to
+ * restart in that case.
+ *
+ * This stanza also handles the case where we sent a SIGQUIT
+ * during PM_STARTUP due to some dead_end child crashing: in that
+ * situation, if the startup process dies on the SIGQUIT, we need
+ * to transition to PM_WAIT_BACKENDS state which will allow
+ * PostmasterStateMachine to restart the startup process. (On the
+ * other hand, the startup process might complete normally, if we
+ * were too late with the SIGQUIT. In that case we'll fall
+ * through and commence normal operations.)
+ */
+ if (!EXIT_STATUS_0(exitstatus))
+ {
+ if (StartupStatus == STARTUP_SIGNALED)
+ {
+ StartupStatus = STARTUP_NOT_RUNNING;
+ if (pmState == PM_STARTUP)
+ pmState = PM_WAIT_BACKENDS;
+ }
+ else
+ StartupStatus = STARTUP_CRASHED;
+ HandleChildCrash(pid, exitstatus,
+ _("startup process"));
+ continue;
+ }
+
+ /*
+ * Startup succeeded, commence normal operations
+ */
+ StartupStatus = STARTUP_NOT_RUNNING;
+ FatalError = false;
+ AbortStartTime = 0;
+ ReachedNormalRunning = true;
+ pmState = PM_RUN;
+ connsAllowed = true;
+
+ /*
+ * Crank up the background tasks, if we didn't do that already
+ * when we entered consistent recovery state. It doesn't matter
+ * if this fails, we'll just try again later.
+ */
+ if (CheckpointerPID == 0)
+ CheckpointerPID = StartCheckpointer();
+ if (BgWriterPID == 0)
+ BgWriterPID = StartBackgroundWriter();
+ if (WalWriterPID == 0)
+ WalWriterPID = StartWalWriter();
+
+ /*
+ * Likewise, start other special children as needed. In a restart
+ * situation, some of them may be alive already.
+ */
+ if (!IsBinaryUpgrade && AutoVacuumingActive() && AutoVacPID == 0)
+ AutoVacPID = StartAutoVacLauncher();
+ if (PgArchStartupAllowed() && PgArchPID == 0)
+ PgArchPID = StartArchiver();
+
+ /* workers may be scheduled to start now */
+ maybe_start_bgworkers();
+
+ /* at this point we are really open for business */
+ ereport(LOG,
+ (errmsg("database system is ready to accept connections")));
+
+ /* Report status */
+ AddToDataDirLockFile(LOCK_FILE_LINE_PM_STATUS, PM_STATUS_READY);
+#ifdef USE_SYSTEMD
+ sd_notify(0, "READY=1");
+#endif
+
+ continue;
+ }
+
+ /*
+ * Was it the bgwriter? Normal exit can be ignored; we'll start a new
+ * one at the next iteration of the postmaster's main loop, if
+ * necessary. Any other exit condition is treated as a crash.
+ */
+ if (pid == BgWriterPID)
+ {
+ BgWriterPID = 0;
+ if (!EXIT_STATUS_0(exitstatus))
+ HandleChildCrash(pid, exitstatus,
+ _("background writer process"));
+ continue;
+ }
+
+ /*
+ * Was it the checkpointer?
+ */
+ if (pid == CheckpointerPID)
+ {
+ CheckpointerPID = 0;
+ if (EXIT_STATUS_0(exitstatus) && pmState == PM_SHUTDOWN)
+ {
+ /*
+ * OK, we saw normal exit of the checkpointer after it's been
+ * told to shut down. We expect that it wrote a shutdown
+ * checkpoint. (If for some reason it didn't, recovery will
+ * occur on next postmaster start.)
+ *
+ * At this point we should have no normal backend children
+ * left (else we'd not be in PM_SHUTDOWN state) but we might
+ * have dead_end children to wait for.
+ *
+ * If we have an archiver subprocess, tell it to do a last
+ * archive cycle and quit. Likewise, if we have walsender
+ * processes, tell them to send any remaining WAL and quit.
+ */
+ Assert(Shutdown > NoShutdown);
+
+ /* Waken archiver for the last time */
+ if (PgArchPID != 0)
+ signal_child(PgArchPID, SIGUSR2);
+
+ /*
+ * Waken walsenders for the last time. No regular backends
+ * should be around anymore.
+ */
+ SignalChildren(SIGUSR2);
+
+ pmState = PM_SHUTDOWN_2;
+ }
+ else
+ {
+ /*
+ * Any unexpected exit of the checkpointer (including FATAL
+ * exit) is treated as a crash.
+ */
+ HandleChildCrash(pid, exitstatus,
+ _("checkpointer process"));
+ }
+
+ continue;
+ }
+
+ /*
+ * Was it the wal writer? Normal exit can be ignored; we'll start a
+ * new one at the next iteration of the postmaster's main loop, if
+ * necessary. Any other exit condition is treated as a crash.
+ */
+ if (pid == WalWriterPID)
+ {
+ WalWriterPID = 0;
+ if (!EXIT_STATUS_0(exitstatus))
+ HandleChildCrash(pid, exitstatus,
+ _("WAL writer process"));
+ continue;
+ }
+
+ /*
+ * Was it the wal receiver? If exit status is zero (normal) or one
+ * (FATAL exit), we assume everything is all right just like normal
+ * backends. (If we need a new wal receiver, we'll start one at the
+ * next iteration of the postmaster's main loop.)
+ */
+ if (pid == WalReceiverPID)
+ {
+ WalReceiverPID = 0;
+ if (!EXIT_STATUS_0(exitstatus) && !EXIT_STATUS_1(exitstatus))
+ HandleChildCrash(pid, exitstatus,
+ _("WAL receiver process"));
+ continue;
+ }
+
+ /*
+ * Was it the autovacuum launcher? Normal exit can be ignored; we'll
+ * start a new one at the next iteration of the postmaster's main
+ * loop, if necessary. Any other exit condition is treated as a
+ * crash.
+ */
+ if (pid == AutoVacPID)
+ {
+ AutoVacPID = 0;
+ if (!EXIT_STATUS_0(exitstatus))
+ HandleChildCrash(pid, exitstatus,
+ _("autovacuum launcher process"));
+ continue;
+ }
+
+ /*
+ * Was it the archiver? If exit status is zero (normal) or one (FATAL
+ * exit), we assume everything is all right just like normal backends
+ * and just try to restart a new one so that we immediately retry
+ * archiving remaining files. (If fail, we'll try again in future
+ * cycles of the postmaster's main loop.) Unless we were waiting for
+ * it to shut down; don't restart it in that case, and
+ * PostmasterStateMachine() will advance to the next shutdown step.
+ */
+ if (pid == PgArchPID)
+ {
+ PgArchPID = 0;
+ if (!EXIT_STATUS_0(exitstatus) && !EXIT_STATUS_1(exitstatus))
+ HandleChildCrash(pid, exitstatus,
+ _("archiver process"));
+ if (PgArchStartupAllowed())
+ PgArchPID = StartArchiver();
+ continue;
+ }
+
+ /* Was it the system logger? If so, try to start a new one */
+ if (pid == SysLoggerPID)
+ {
+ SysLoggerPID = 0;
+ /* for safety's sake, launch new logger *first* */
+ SysLoggerPID = SysLogger_Start();
+ if (!EXIT_STATUS_0(exitstatus))
+ LogChildExit(LOG, _("system logger process"),
+ pid, exitstatus);
+ continue;
+ }
+
+ /* Was it one of our background workers? */
+ if (CleanupBackgroundWorker(pid, exitstatus))
+ {
+ /* have it be restarted */
+ HaveCrashedWorker = true;
+ continue;
+ }
+
+ /*
+ * Else do standard backend child cleanup.
+ */
+ CleanupBackend(pid, exitstatus);
+ } /* loop over pending child-death reports */
+
+ /*
+ * After cleaning out the SIGCHLD queue, see if we have any state changes
+ * or actions to make.
+ */
+ PostmasterStateMachine();
+}
+
+/*
+ * Scan the bgworkers list and see if the given PID (which has just stopped
+ * or crashed) is in it. Handle its shutdown if so, and return true. If not a
+ * bgworker, return false.
+ *
+ * This is heavily based on CleanupBackend. One important difference is that
+ * we don't know yet that the dying process is a bgworker, so we must be silent
+ * until we're sure it is.
+ */
+static bool
+CleanupBackgroundWorker(int pid,
+ int exitstatus) /* child's exit status */
+{
+ char namebuf[MAXPGPATH];
+ slist_mutable_iter iter;
+
+ slist_foreach_modify(iter, &BackgroundWorkerList)
+ {
+ RegisteredBgWorker *rw;
+
+ rw = slist_container(RegisteredBgWorker, rw_lnode, iter.cur);
+
+ if (rw->rw_pid != pid)
+ continue;
+
+#ifdef WIN32
+ /* see CleanupBackend */
+ if (exitstatus == ERROR_WAIT_NO_CHILDREN)
+ exitstatus = 0;
+#endif
+
+ snprintf(namebuf, MAXPGPATH, _("background worker \"%s\""),
+ rw->rw_worker.bgw_type);
+
+
+ if (!EXIT_STATUS_0(exitstatus))
+ {
+ /* Record timestamp, so we know when to restart the worker. */
+ rw->rw_crashed_at = GetCurrentTimestamp();
+ }
+ else
+ {
+ /* Zero exit status means terminate */
+ rw->rw_crashed_at = 0;
+ rw->rw_terminate = true;
+ }
+
+ /*
+ * Additionally, just like a backend, any exit status other than 0 or
+ * 1 is considered a crash and causes a system-wide restart.
+ */
+ if (!EXIT_STATUS_0(exitstatus) && !EXIT_STATUS_1(exitstatus))
+ {
+ HandleChildCrash(pid, exitstatus, namebuf);
+ return true;
+ }
+
+ /*
+ * We must release the postmaster child slot. If the worker failed to
+ * do so, it did not clean up after itself, requiring a crash-restart
+ * cycle.
+ */
+ if (!ReleasePostmasterChildSlot(rw->rw_child_slot))
+ {
+ HandleChildCrash(pid, exitstatus, namebuf);
+ return true;
+ }
+
+ /* Get it out of the BackendList and clear out remaining data */
+ dlist_delete(&rw->rw_backend->elem);
+#ifdef EXEC_BACKEND
+ ShmemBackendArrayRemove(rw->rw_backend);
+#endif
+
+ /*
+ * It's possible that this background worker started some OTHER
+ * background worker and asked to be notified when that worker started
+ * or stopped. If so, cancel any notifications destined for the
+ * now-dead backend.
+ */
+ if (rw->rw_backend->bgworker_notify)
+ BackgroundWorkerStopNotifications(rw->rw_pid);
+ free(rw->rw_backend);
+ rw->rw_backend = NULL;
+ rw->rw_pid = 0;
+ rw->rw_child_slot = 0;
+ ReportBackgroundWorkerExit(&iter); /* report child death */
+
+ LogChildExit(EXIT_STATUS_0(exitstatus) ? DEBUG1 : LOG,
+ namebuf, pid, exitstatus);
+
+ return true;
+ }
+
+ return false;
+}
+
+/*
+ * CleanupBackend -- cleanup after terminated backend.
+ *
+ * Remove all local state associated with backend.
+ *
+ * If you change this, see also CleanupBackgroundWorker.
+ */
+static void
+CleanupBackend(int pid,
+ int exitstatus) /* child's exit status. */
+{
+ dlist_mutable_iter iter;
+
+ LogChildExit(DEBUG2, _("server process"), pid, exitstatus);
+
+ /*
+ * If a backend dies in an ugly way then we must signal all other backends
+ * to quickdie. If exit status is zero (normal) or one (FATAL exit), we
+ * assume everything is all right and proceed to remove the backend from
+ * the active backend list.
+ */
+
+#ifdef WIN32
+
+ /*
+ * On win32, also treat ERROR_WAIT_NO_CHILDREN (128) as nonfatal case,
+ * since that sometimes happens under load when the process fails to start
+ * properly (long before it starts using shared memory). Microsoft reports
+ * it is related to mutex failure:
+ * http://archives.postgresql.org/pgsql-hackers/2010-09/msg00790.php
+ */
+ if (exitstatus == ERROR_WAIT_NO_CHILDREN)
+ {
+ LogChildExit(LOG, _("server process"), pid, exitstatus);
+ exitstatus = 0;
+ }
+#endif
+
+ if (!EXIT_STATUS_0(exitstatus) && !EXIT_STATUS_1(exitstatus))
+ {
+ HandleChildCrash(pid, exitstatus, _("server process"));
+ return;
+ }
+
+ dlist_foreach_modify(iter, &BackendList)
+ {
+ Backend *bp = dlist_container(Backend, elem, iter.cur);
+
+ if (bp->pid == pid)
+ {
+ if (!bp->dead_end)
+ {
+ if (!ReleasePostmasterChildSlot(bp->child_slot))
+ {
+ /*
+ * Uh-oh, the child failed to clean itself up. Treat as a
+ * crash after all.
+ */
+ HandleChildCrash(pid, exitstatus, _("server process"));
+ return;
+ }
+#ifdef EXEC_BACKEND
+ ShmemBackendArrayRemove(bp);
+#endif
+ }
+ if (bp->bgworker_notify)
+ {
+ /*
+ * This backend may have been slated to receive SIGUSR1 when
+ * some background worker started or stopped. Cancel those
+ * notifications, as we don't want to signal PIDs that are not
+ * PostgreSQL backends. This gets skipped in the (probably
+ * very common) case where the backend has never requested any
+ * such notifications.
+ */
+ BackgroundWorkerStopNotifications(bp->pid);
+ }
+ dlist_delete(iter.cur);
+ free(bp);
+ break;
+ }
+ }
+}
+
+/*
+ * HandleChildCrash -- cleanup after failed backend, bgwriter, checkpointer,
+ * walwriter, autovacuum, archiver or background worker.
+ *
+ * The objectives here are to clean up our local state about the child
+ * process, and to signal all other remaining children to quickdie.
+ */
+static void
+HandleChildCrash(int pid, int exitstatus, const char *procname)
+{
+ dlist_mutable_iter iter;
+ slist_iter siter;
+ Backend *bp;
+ bool take_action;
+
+ /*
+ * We only log messages and send signals if this is the first process
+ * crash and we're not doing an immediate shutdown; otherwise, we're only
+ * here to update postmaster's idea of live processes. If we have already
+ * signaled children, nonzero exit status is to be expected, so don't
+ * clutter log.
+ */
+ take_action = !FatalError && Shutdown != ImmediateShutdown;
+
+ if (take_action)
+ {
+ LogChildExit(LOG, procname, pid, exitstatus);
+ ereport(LOG,
+ (errmsg("terminating any other active server processes")));
+ SetQuitSignalReason(PMQUIT_FOR_CRASH);
+ }
+
+ /* Process background workers. */
+ slist_foreach(siter, &BackgroundWorkerList)
+ {
+ RegisteredBgWorker *rw;
+
+ rw = slist_container(RegisteredBgWorker, rw_lnode, siter.cur);
+ if (rw->rw_pid == 0)
+ continue; /* not running */
+ if (rw->rw_pid == pid)
+ {
+ /*
+ * Found entry for freshly-dead worker, so remove it.
+ */
+ (void) ReleasePostmasterChildSlot(rw->rw_child_slot);
+ dlist_delete(&rw->rw_backend->elem);
+#ifdef EXEC_BACKEND
+ ShmemBackendArrayRemove(rw->rw_backend);
+#endif
+ free(rw->rw_backend);
+ rw->rw_backend = NULL;
+ rw->rw_pid = 0;
+ rw->rw_child_slot = 0;
+ /* don't reset crashed_at */
+ /* don't report child stop, either */
+ /* Keep looping so we can signal remaining workers */
+ }
+ else
+ {
+ /*
+ * This worker is still alive. Unless we did so already, tell it
+ * to commit hara-kiri.
+ */
+ if (take_action)
+ sigquit_child(rw->rw_pid);
+ }
+ }
+
+ /* Process regular backends */
+ dlist_foreach_modify(iter, &BackendList)
+ {
+ bp = dlist_container(Backend, elem, iter.cur);
+
+ if (bp->pid == pid)
+ {
+ /*
+ * Found entry for freshly-dead backend, so remove it.
+ */
+ if (!bp->dead_end)
+ {
+ (void) ReleasePostmasterChildSlot(bp->child_slot);
+#ifdef EXEC_BACKEND
+ ShmemBackendArrayRemove(bp);
+#endif
+ }
+ dlist_delete(iter.cur);
+ free(bp);
+ /* Keep looping so we can signal remaining backends */
+ }
+ else
+ {
+ /*
+ * This backend is still alive. Unless we did so already, tell it
+ * to commit hara-kiri.
+ *
+ * We could exclude dead_end children here, but at least when
+ * sending SIGABRT it seems better to include them.
+ *
+ * Background workers were already processed above; ignore them
+ * here.
+ */
+ if (bp->bkend_type == BACKEND_TYPE_BGWORKER)
+ continue;
+
+ if (take_action)
+ sigquit_child(bp->pid);
+ }
+ }
+
+ /* Take care of the startup process too */
+ if (pid == StartupPID)
+ {
+ StartupPID = 0;
+ /* Caller adjusts StartupStatus, so don't touch it here */
+ }
+ else if (StartupPID != 0 && take_action)
+ {
+ sigquit_child(StartupPID);
+ StartupStatus = STARTUP_SIGNALED;
+ }
+
+ /* Take care of the bgwriter too */
+ if (pid == BgWriterPID)
+ BgWriterPID = 0;
+ else if (BgWriterPID != 0 && take_action)
+ sigquit_child(BgWriterPID);
+
+ /* Take care of the checkpointer too */
+ if (pid == CheckpointerPID)
+ CheckpointerPID = 0;
+ else if (CheckpointerPID != 0 && take_action)
+ sigquit_child(CheckpointerPID);
+
+ /* Take care of the walwriter too */
+ if (pid == WalWriterPID)
+ WalWriterPID = 0;
+ else if (WalWriterPID != 0 && take_action)
+ sigquit_child(WalWriterPID);
+
+ /* Take care of the walreceiver too */
+ if (pid == WalReceiverPID)
+ WalReceiverPID = 0;
+ else if (WalReceiverPID != 0 && take_action)
+ sigquit_child(WalReceiverPID);
+
+ /* Take care of the autovacuum launcher too */
+ if (pid == AutoVacPID)
+ AutoVacPID = 0;
+ else if (AutoVacPID != 0 && take_action)
+ sigquit_child(AutoVacPID);
+
+ /* Take care of the archiver too */
+ if (pid == PgArchPID)
+ PgArchPID = 0;
+ else if (PgArchPID != 0 && take_action)
+ sigquit_child(PgArchPID);
+
+ /* We do NOT restart the syslogger */
+
+ if (Shutdown != ImmediateShutdown)
+ FatalError = true;
+
+ /* We now transit into a state of waiting for children to die */
+ if (pmState == PM_RECOVERY ||
+ pmState == PM_HOT_STANDBY ||
+ pmState == PM_RUN ||
+ pmState == PM_STOP_BACKENDS ||
+ pmState == PM_SHUTDOWN)
+ pmState = PM_WAIT_BACKENDS;
+
+ /*
+ * .. and if this doesn't happen quickly enough, now the clock is ticking
+ * for us to kill them without mercy.
+ */
+ if (AbortStartTime == 0)
+ AbortStartTime = time(NULL);
+}
+
+/*
+ * Log the death of a child process.
+ */
+static void
+LogChildExit(int lev, const char *procname, int pid, int exitstatus)
+{
+ /*
+ * size of activity_buffer is arbitrary, but set equal to default
+ * track_activity_query_size
+ */
+ char activity_buffer[1024];
+ const char *activity = NULL;
+
+ if (!EXIT_STATUS_0(exitstatus))
+ activity = pgstat_get_crashed_backend_activity(pid,
+ activity_buffer,
+ sizeof(activity_buffer));
+
+ if (WIFEXITED(exitstatus))
+ ereport(lev,
+
+ /*------
+ translator: %s is a noun phrase describing a child process, such as
+ "server process" */
+ (errmsg("%s (PID %d) exited with exit code %d",
+ procname, pid, WEXITSTATUS(exitstatus)),
+ activity ? errdetail("Failed process was running: %s", activity) : 0));
+ else if (WIFSIGNALED(exitstatus))
+ {
+#if defined(WIN32)
+ ereport(lev,
+
+ /*------
+ translator: %s is a noun phrase describing a child process, such as
+ "server process" */
+ (errmsg("%s (PID %d) was terminated by exception 0x%X",
+ procname, pid, WTERMSIG(exitstatus)),
+ errhint("See C include file \"ntstatus.h\" for a description of the hexadecimal value."),
+ activity ? errdetail("Failed process was running: %s", activity) : 0));
+#else
+ ereport(lev,
+
+ /*------
+ translator: %s is a noun phrase describing a child process, such as
+ "server process" */
+ (errmsg("%s (PID %d) was terminated by signal %d: %s",
+ procname, pid, WTERMSIG(exitstatus),
+ pg_strsignal(WTERMSIG(exitstatus))),
+ activity ? errdetail("Failed process was running: %s", activity) : 0));
+#endif
+ }
+ else
+ ereport(lev,
+
+ /*------
+ translator: %s is a noun phrase describing a child process, such as
+ "server process" */
+ (errmsg("%s (PID %d) exited with unrecognized status %d",
+ procname, pid, exitstatus),
+ activity ? errdetail("Failed process was running: %s", activity) : 0));
+}
+
+/*
+ * Advance the postmaster's state machine and take actions as appropriate
+ *
+ * This is common code for process_pm_shutdown_request(),
+ * process_pm_child_exit() and process_pm_pmsignal(), which process the signals
+ * that might mean we need to change state.
+ */
+static void
+PostmasterStateMachine(void)
+{
+ /* If we're doing a smart shutdown, try to advance that state. */
+ if (pmState == PM_RUN || pmState == PM_HOT_STANDBY)
+ {
+ if (!connsAllowed)
+ {
+ /*
+ * This state ends when we have no normal client backends running.
+ * Then we're ready to stop other children.
+ */
+ if (CountChildren(BACKEND_TYPE_NORMAL) == 0)
+ pmState = PM_STOP_BACKENDS;
+ }
+ }
+
+ /*
+ * If we're ready to do so, signal child processes to shut down. (This
+ * isn't a persistent state, but treating it as a distinct pmState allows
+ * us to share this code across multiple shutdown code paths.)
+ */
+ if (pmState == PM_STOP_BACKENDS)
+ {
+ /*
+ * Forget any pending requests for background workers, since we're no
+ * longer willing to launch any new workers. (If additional requests
+ * arrive, BackgroundWorkerStateChange will reject them.)
+ */
+ ForgetUnstartedBackgroundWorkers();
+
+ /* Signal all backend children except walsenders */
+ SignalSomeChildren(SIGTERM,
+ BACKEND_TYPE_ALL - BACKEND_TYPE_WALSND);
+ /* and the autovac launcher too */
+ if (AutoVacPID != 0)
+ signal_child(AutoVacPID, SIGTERM);
+ /* and the bgwriter too */
+ if (BgWriterPID != 0)
+ signal_child(BgWriterPID, SIGTERM);
+ /* and the walwriter too */
+ if (WalWriterPID != 0)
+ signal_child(WalWriterPID, SIGTERM);
+ /* If we're in recovery, also stop startup and walreceiver procs */
+ if (StartupPID != 0)
+ signal_child(StartupPID, SIGTERM);
+ if (WalReceiverPID != 0)
+ signal_child(WalReceiverPID, SIGTERM);
+ /* checkpointer, archiver, stats, and syslogger may continue for now */
+
+ /* Now transition to PM_WAIT_BACKENDS state to wait for them to die */
+ pmState = PM_WAIT_BACKENDS;
+ }
+
+ /*
+ * If we are in a state-machine state that implies waiting for backends to
+ * exit, see if they're all gone, and change state if so.
+ */
+ if (pmState == PM_WAIT_BACKENDS)
+ {
+ /*
+ * PM_WAIT_BACKENDS state ends when we have no regular backends
+ * (including autovac workers), no bgworkers (including unconnected
+ * ones), and no walwriter, autovac launcher or bgwriter. If we are
+ * doing crash recovery or an immediate shutdown then we expect the
+ * checkpointer to exit as well, otherwise not. The stats and
+ * syslogger processes are disregarded since they are not connected to
+ * shared memory; we also disregard dead_end children here. Walsenders
+ * and archiver are also disregarded, they will be terminated later
+ * after writing the checkpoint record.
+ */
+ if (CountChildren(BACKEND_TYPE_ALL - BACKEND_TYPE_WALSND) == 0 &&
+ StartupPID == 0 &&
+ WalReceiverPID == 0 &&
+ BgWriterPID == 0 &&
+ (CheckpointerPID == 0 ||
+ (!FatalError && Shutdown < ImmediateShutdown)) &&
+ WalWriterPID == 0 &&
+ AutoVacPID == 0)
+ {
+ if (Shutdown >= ImmediateShutdown || FatalError)
+ {
+ /*
+ * Start waiting for dead_end children to die. This state
+ * change causes ServerLoop to stop creating new ones.
+ */
+ pmState = PM_WAIT_DEAD_END;
+
+ /*
+ * We already SIGQUIT'd the archiver and stats processes, if
+ * any, when we started immediate shutdown or entered
+ * FatalError state.
+ */
+ }
+ else
+ {
+ /*
+ * If we get here, we are proceeding with normal shutdown. All
+ * the regular children are gone, and it's time to tell the
+ * checkpointer to do a shutdown checkpoint.
+ */
+ Assert(Shutdown > NoShutdown);
+ /* Start the checkpointer if not running */
+ if (CheckpointerPID == 0)
+ CheckpointerPID = StartCheckpointer();
+ /* And tell it to shut down */
+ if (CheckpointerPID != 0)
+ {
+ signal_child(CheckpointerPID, SIGUSR2);
+ pmState = PM_SHUTDOWN;
+ }
+ else
+ {
+ /*
+ * If we failed to fork a checkpointer, just shut down.
+ * Any required cleanup will happen at next restart. We
+ * set FatalError so that an "abnormal shutdown" message
+ * gets logged when we exit.
+ *
+ * We don't consult send_abort_for_crash here, as it's
+ * unlikely that dumping cores would illuminate the reason
+ * for checkpointer fork failure.
+ */
+ FatalError = true;
+ pmState = PM_WAIT_DEAD_END;
+
+ /* Kill the walsenders and archiver too */
+ SignalChildren(SIGQUIT);
+ if (PgArchPID != 0)
+ signal_child(PgArchPID, SIGQUIT);
+ }
+ }
+ }
+ }
+
+ if (pmState == PM_SHUTDOWN_2)
+ {
+ /*
+ * PM_SHUTDOWN_2 state ends when there's no other children than
+ * dead_end children left. There shouldn't be any regular backends
+ * left by now anyway; what we're really waiting for is walsenders and
+ * archiver.
+ */
+ if (PgArchPID == 0 && CountChildren(BACKEND_TYPE_ALL) == 0)
+ {
+ pmState = PM_WAIT_DEAD_END;
+ }
+ }
+
+ if (pmState == PM_WAIT_DEAD_END)
+ {
+ /* Don't allow any new socket connection events. */
+ ConfigurePostmasterWaitSet(false);
+
+ /*
+ * PM_WAIT_DEAD_END state ends when the BackendList is entirely empty
+ * (ie, no dead_end children remain), and the archiver is gone too.
+ *
+ * The reason we wait for those two is to protect them against a new
+ * postmaster starting conflicting subprocesses; this isn't an
+ * ironclad protection, but it at least helps in the
+ * shutdown-and-immediately-restart scenario. Note that they have
+ * already been sent appropriate shutdown signals, either during a
+ * normal state transition leading up to PM_WAIT_DEAD_END, or during
+ * FatalError processing.
+ */
+ if (dlist_is_empty(&BackendList) && PgArchPID == 0)
+ {
+ /* These other guys should be dead already */
+ Assert(StartupPID == 0);
+ Assert(WalReceiverPID == 0);
+ Assert(BgWriterPID == 0);
+ Assert(CheckpointerPID == 0);
+ Assert(WalWriterPID == 0);
+ Assert(AutoVacPID == 0);
+ /* syslogger is not considered here */
+ pmState = PM_NO_CHILDREN;
+ }
+ }
+
+ /*
+ * If we've been told to shut down, we exit as soon as there are no
+ * remaining children. If there was a crash, cleanup will occur at the
+ * next startup. (Before PostgreSQL 8.3, we tried to recover from the
+ * crash before exiting, but that seems unwise if we are quitting because
+ * we got SIGTERM from init --- there may well not be time for recovery
+ * before init decides to SIGKILL us.)
+ *
+ * Note that the syslogger continues to run. It will exit when it sees
+ * EOF on its input pipe, which happens when there are no more upstream
+ * processes.
+ */
+ if (Shutdown > NoShutdown && pmState == PM_NO_CHILDREN)
+ {
+ if (FatalError)
+ {
+ ereport(LOG, (errmsg("abnormal database system shutdown")));
+ ExitPostmaster(1);
+ }
+ else
+ {
+ /*
+ * Normal exit from the postmaster is here. We don't need to log
+ * anything here, since the UnlinkLockFiles proc_exit callback
+ * will do so, and that should be the last user-visible action.
+ */
+ ExitPostmaster(0);
+ }
+ }
+
+ /*
+ * If the startup process failed, or the user does not want an automatic
+ * restart after backend crashes, wait for all non-syslogger children to
+ * exit, and then exit postmaster. We don't try to reinitialize when the
+ * startup process fails, because more than likely it will just fail again
+ * and we will keep trying forever.
+ */
+ if (pmState == PM_NO_CHILDREN)
+ {
+ if (StartupStatus == STARTUP_CRASHED)
+ {
+ ereport(LOG,
+ (errmsg("shutting down due to startup process failure")));
+ ExitPostmaster(1);
+ }
+ if (!restart_after_crash)
+ {
+ ereport(LOG,
+ (errmsg("shutting down because restart_after_crash is off")));
+ ExitPostmaster(1);
+ }
+ }
+
+ /*
+ * If we need to recover from a crash, wait for all non-syslogger children
+ * to exit, then reset shmem and StartupDataBase.
+ */
+ if (FatalError && pmState == PM_NO_CHILDREN)
+ {
+ ereport(LOG,
+ (errmsg("all server processes terminated; reinitializing")));
+
+ /* remove leftover temporary files after a crash */
+ if (remove_temp_files_after_crash)
+ RemovePgTempFiles();
+
+ /* allow background workers to immediately restart */
+ ResetBackgroundWorkerCrashTimes();
+
+ shmem_exit(1);
+
+ /* re-read control file into local memory */
+ LocalProcessControlFile(true);
+
+ /* re-create shared memory and semaphores */
+ CreateSharedMemoryAndSemaphores();
+
+ StartupPID = StartupDataBase();
+ Assert(StartupPID != 0);
+ StartupStatus = STARTUP_RUNNING;
+ pmState = PM_STARTUP;
+ /* crash recovery started, reset SIGKILL flag */
+ AbortStartTime = 0;
+
+ /* start accepting server socket connection events again */
+ ConfigurePostmasterWaitSet(true);
+ }
+}
+
+
+/*
+ * Send a signal to a postmaster child process
+ *
+ * On systems that have setsid(), each child process sets itself up as a
+ * process group leader. For signals that are generally interpreted in the
+ * appropriate fashion, we signal the entire process group not just the
+ * direct child process. This allows us to, for example, SIGQUIT a blocked
+ * archive_recovery script, or SIGINT a script being run by a backend via
+ * system().
+ *
+ * There is a race condition for recently-forked children: they might not
+ * have executed setsid() yet. So we signal the child directly as well as
+ * the group. We assume such a child will handle the signal before trying
+ * to spawn any grandchild processes. We also assume that signaling the
+ * child twice will not cause any problems.
+ */
+static void
+signal_child(pid_t pid, int signal)
+{
+ if (kill(pid, signal) < 0)
+ elog(DEBUG3, "kill(%ld,%d) failed: %m", (long) pid, signal);
+#ifdef HAVE_SETSID
+ switch (signal)
+ {
+ case SIGINT:
+ case SIGTERM:
+ case SIGQUIT:
+ case SIGKILL:
+ case SIGABRT:
+ if (kill(-pid, signal) < 0)
+ elog(DEBUG3, "kill(%ld,%d) failed: %m", (long) (-pid), signal);
+ break;
+ default:
+ break;
+ }
+#endif
+}
+
+/*
+ * Convenience function for killing a child process after a crash of some
+ * other child process. We log the action at a higher level than we would
+ * otherwise do, and we apply send_abort_for_crash to decide which signal
+ * to send. Normally it's SIGQUIT -- and most other comments in this file
+ * are written on the assumption that it is -- but developers might prefer
+ * to use SIGABRT to collect per-child core dumps.
+ */
+static void
+sigquit_child(pid_t pid)
+{
+ ereport(DEBUG2,
+ (errmsg_internal("sending %s to process %d",
+ (send_abort_for_crash ? "SIGABRT" : "SIGQUIT"),
+ (int) pid)));
+ signal_child(pid, (send_abort_for_crash ? SIGABRT : SIGQUIT));
+}
+
+/*
+ * Send a signal to the targeted children (but NOT special children;
+ * dead_end children are never signaled, either).
+ */
+static bool
+SignalSomeChildren(int signal, int target)
+{
+ dlist_iter iter;
+ bool signaled = false;
+
+ dlist_foreach(iter, &BackendList)
+ {
+ Backend *bp = dlist_container(Backend, elem, iter.cur);
+
+ if (bp->dead_end)
+ continue;
+
+ /*
+ * Since target == BACKEND_TYPE_ALL is the most common case, we test
+ * it first and avoid touching shared memory for every child.
+ */
+ if (target != BACKEND_TYPE_ALL)
+ {
+ /*
+ * Assign bkend_type for any recently announced WAL Sender
+ * processes.
+ */
+ if (bp->bkend_type == BACKEND_TYPE_NORMAL &&
+ IsPostmasterChildWalSender(bp->child_slot))
+ bp->bkend_type = BACKEND_TYPE_WALSND;
+
+ if (!(target & bp->bkend_type))
+ continue;
+ }
+
+ ereport(DEBUG4,
+ (errmsg_internal("sending signal %d to process %d",
+ signal, (int) bp->pid)));
+ signal_child(bp->pid, signal);
+ signaled = true;
+ }
+ return signaled;
+}
+
+/*
+ * Send a termination signal to children. This considers all of our children
+ * processes, except syslogger and dead_end backends.
+ */
+static void
+TerminateChildren(int signal)
+{
+ SignalChildren(signal);
+ if (StartupPID != 0)
+ {
+ signal_child(StartupPID, signal);
+ if (signal == SIGQUIT || signal == SIGKILL || signal == SIGABRT)
+ StartupStatus = STARTUP_SIGNALED;
+ }
+ if (BgWriterPID != 0)
+ signal_child(BgWriterPID, signal);
+ if (CheckpointerPID != 0)
+ signal_child(CheckpointerPID, signal);
+ if (WalWriterPID != 0)
+ signal_child(WalWriterPID, signal);
+ if (WalReceiverPID != 0)
+ signal_child(WalReceiverPID, signal);
+ if (AutoVacPID != 0)
+ signal_child(AutoVacPID, signal);
+ if (PgArchPID != 0)
+ signal_child(PgArchPID, signal);
+}
+
+/*
+ * BackendStartup -- start backend process
+ *
+ * returns: STATUS_ERROR if the fork failed, STATUS_OK otherwise.
+ *
+ * Note: if you change this code, also consider StartAutovacuumWorker.
+ */
+static int
+BackendStartup(Port *port)
+{
+ Backend *bn; /* for backend cleanup */
+ pid_t pid;
+
+ /*
+ * Create backend data structure. Better before the fork() so we can
+ * handle failure cleanly.
+ */
+ bn = (Backend *) malloc(sizeof(Backend));
+ if (!bn)
+ {
+ ereport(LOG,
+ (errcode(ERRCODE_OUT_OF_MEMORY),
+ errmsg("out of memory")));
+ return STATUS_ERROR;
+ }
+
+ /*
+ * Compute the cancel key that will be assigned to this backend. The
+ * backend will have its own copy in the forked-off process' value of
+ * MyCancelKey, so that it can transmit the key to the frontend.
+ */
+ if (!RandomCancelKey(&MyCancelKey))
+ {
+ free(bn);
+ ereport(LOG,
+ (errcode(ERRCODE_INTERNAL_ERROR),
+ errmsg("could not generate random cancel key")));
+ return STATUS_ERROR;
+ }
+
+ bn->cancel_key = MyCancelKey;
+
+ /* Pass down canAcceptConnections state */
+ port->canAcceptConnections = canAcceptConnections(BACKEND_TYPE_NORMAL);
+ bn->dead_end = (port->canAcceptConnections != CAC_OK);
+
+ /*
+ * Unless it's a dead_end child, assign it a child slot number
+ */
+ if (!bn->dead_end)
+ bn->child_slot = MyPMChildSlot = AssignPostmasterChildSlot();
+ else
+ bn->child_slot = 0;
+
+ /* Hasn't asked to be notified about any bgworkers yet */
+ bn->bgworker_notify = false;
+
+#ifdef EXEC_BACKEND
+ pid = backend_forkexec(port);
+#else /* !EXEC_BACKEND */
+ pid = fork_process();
+ if (pid == 0) /* child */
+ {
+ free(bn);
+
+ /* Detangle from postmaster */
+ InitPostmasterChild();
+
+ /* Close the postmaster's sockets */
+ ClosePostmasterPorts(false);
+
+ /* Perform additional initialization and collect startup packet */
+ BackendInitialize(port);
+
+ /*
+ * Create a per-backend PGPROC struct in shared memory. We must do
+ * this before we can use LWLocks. In the !EXEC_BACKEND case (here)
+ * this could be delayed a bit further, but EXEC_BACKEND needs to do
+ * stuff with LWLocks before PostgresMain(), so we do it here as well
+ * for symmetry.
+ */
+ InitProcess();
+
+ /* And run the backend */
+ BackendRun(port);
+ }
+#endif /* EXEC_BACKEND */
+
+ if (pid < 0)
+ {
+ /* in parent, fork failed */
+ int save_errno = errno;
+
+ if (!bn->dead_end)
+ (void) ReleasePostmasterChildSlot(bn->child_slot);
+ free(bn);
+ errno = save_errno;
+ ereport(LOG,
+ (errmsg("could not fork new process for connection: %m")));
+ report_fork_failure_to_client(port, save_errno);
+ return STATUS_ERROR;
+ }
+
+ /* in parent, successful fork */
+ ereport(DEBUG2,
+ (errmsg_internal("forked new backend, pid=%d socket=%d",
+ (int) pid, (int) port->sock)));
+
+ /*
+ * Everything's been successful, it's safe to add this backend to our list
+ * of backends.
+ */
+ bn->pid = pid;
+ bn->bkend_type = BACKEND_TYPE_NORMAL; /* Can change later to WALSND */
+ dlist_push_head(&BackendList, &bn->elem);
+
+#ifdef EXEC_BACKEND
+ if (!bn->dead_end)
+ ShmemBackendArrayAdd(bn);
+#endif
+
+ return STATUS_OK;
+}
+
+/*
+ * Try to report backend fork() failure to client before we close the
+ * connection. Since we do not care to risk blocking the postmaster on
+ * this connection, we set the connection to non-blocking and try only once.
+ *
+ * This is grungy special-purpose code; we cannot use backend libpq since
+ * it's not up and running.
+ */
+static void
+report_fork_failure_to_client(Port *port, int errnum)
+{
+ char buffer[1000];
+ int rc;
+
+ /* Format the error message packet (always V2 protocol) */
+ snprintf(buffer, sizeof(buffer), "E%s%s\n",
+ _("could not fork new process for connection: "),
+ strerror(errnum));
+
+ /* Set port to non-blocking. Don't do send() if this fails */
+ if (!pg_set_noblock(port->sock))
+ return;
+
+ /* We'll retry after EINTR, but ignore all other failures */
+ do
+ {
+ rc = send(port->sock, buffer, strlen(buffer) + 1, 0);
+ } while (rc < 0 && errno == EINTR);
+}
+
+
+/*
+ * BackendInitialize -- initialize an interactive (postmaster-child)
+ * backend process, and collect the client's startup packet.
+ *
+ * returns: nothing. Will not return at all if there's any failure.
+ *
+ * Note: this code does not depend on having any access to shared memory.
+ * Indeed, our approach to SIGTERM/timeout handling *requires* that
+ * shared memory not have been touched yet; see comments within.
+ * In the EXEC_BACKEND case, we are physically attached to shared memory
+ * but have not yet set up most of our local pointers to shmem structures.
+ */
+static void
+BackendInitialize(Port *port)
+{
+ int status;
+ int ret;
+ char remote_host[NI_MAXHOST];
+ char remote_port[NI_MAXSERV];
+ StringInfoData ps_data;
+
+ /* Save port etc. for ps status */
+ MyProcPort = port;
+
+ /* Tell fd.c about the long-lived FD associated with the port */
+ ReserveExternalFD();
+
+ /*
+ * PreAuthDelay is a debugging aid for investigating problems in the
+ * authentication cycle: it can be set in postgresql.conf to allow time to
+ * attach to the newly-forked backend with a debugger. (See also
+ * PostAuthDelay, which we allow clients to pass through PGOPTIONS, but it
+ * is not honored until after authentication.)
+ */
+ if (PreAuthDelay > 0)
+ pg_usleep(PreAuthDelay * 1000000L);
+
+ /* This flag will remain set until InitPostgres finishes authentication */
+ ClientAuthInProgress = true; /* limit visibility of log messages */
+
+ /* set these to empty in case they are needed before we set them up */
+ port->remote_host = "";
+ port->remote_port = "";
+
+ /*
+ * Initialize libpq and enable reporting of ereport errors to the client.
+ * Must do this now because authentication uses libpq to send messages.
+ */
+ pq_init(); /* initialize libpq to talk to client */
+ whereToSendOutput = DestRemote; /* now safe to ereport to client */
+
+ /*
+ * We arrange to do _exit(1) if we receive SIGTERM or timeout while trying
+ * to collect the startup packet; while SIGQUIT results in _exit(2).
+ * Otherwise the postmaster cannot shutdown the database FAST or IMMED
+ * cleanly if a buggy client fails to send the packet promptly.
+ *
+ * Exiting with _exit(1) is only possible because we have not yet touched
+ * shared memory; therefore no outside-the-process state needs to get
+ * cleaned up.
+ */
+ pqsignal(SIGTERM, process_startup_packet_die);
+ /* SIGQUIT handler was already set up by InitPostmasterChild */
+ InitializeTimeouts(); /* establishes SIGALRM handler */
+ sigprocmask(SIG_SETMASK, &StartupBlockSig, NULL);
+
+ /*
+ * Get the remote host name and port for logging and status display.
+ */
+ remote_host[0] = '\0';
+ remote_port[0] = '\0';
+ if ((ret = pg_getnameinfo_all(&port->raddr.addr, port->raddr.salen,
+ remote_host, sizeof(remote_host),
+ remote_port, sizeof(remote_port),
+ (log_hostname ? 0 : NI_NUMERICHOST) | NI_NUMERICSERV)) != 0)
+ ereport(WARNING,
+ (errmsg_internal("pg_getnameinfo_all() failed: %s",
+ gai_strerror(ret))));
+
+ /*
+ * Save remote_host and remote_port in port structure (after this, they
+ * will appear in log_line_prefix data for log messages).
+ */
+ port->remote_host = strdup(remote_host);
+ port->remote_port = strdup(remote_port);
+
+ /* And now we can issue the Log_connections message, if wanted */
+ if (Log_connections)
+ {
+ if (remote_port[0])
+ ereport(LOG,
+ (errmsg("connection received: host=%s port=%s",
+ remote_host,
+ remote_port)));
+ else
+ ereport(LOG,
+ (errmsg("connection received: host=%s",
+ remote_host)));
+ }
+
+ /*
+ * If we did a reverse lookup to name, we might as well save the results
+ * rather than possibly repeating the lookup during authentication.
+ *
+ * Note that we don't want to specify NI_NAMEREQD above, because then we'd
+ * get nothing useful for a client without an rDNS entry. Therefore, we
+ * must check whether we got a numeric IPv4 or IPv6 address, and not save
+ * it into remote_hostname if so. (This test is conservative and might
+ * sometimes classify a hostname as numeric, but an error in that
+ * direction is safe; it only results in a possible extra lookup.)
+ */
+ if (log_hostname &&
+ ret == 0 &&
+ strspn(remote_host, "0123456789.") < strlen(remote_host) &&
+ strspn(remote_host, "0123456789ABCDEFabcdef:") < strlen(remote_host))
+ port->remote_hostname = strdup(remote_host);
+
+ /*
+ * Ready to begin client interaction. We will give up and _exit(1) after
+ * a time delay, so that a broken client can't hog a connection
+ * indefinitely. PreAuthDelay and any DNS interactions above don't count
+ * against the time limit.
+ *
+ * Note: AuthenticationTimeout is applied here while waiting for the
+ * startup packet, and then again in InitPostgres for the duration of any
+ * authentication operations. So a hostile client could tie up the
+ * process for nearly twice AuthenticationTimeout before we kick him off.
+ *
+ * Note: because PostgresMain will call InitializeTimeouts again, the
+ * registration of STARTUP_PACKET_TIMEOUT will be lost. This is okay
+ * since we never use it again after this function.
+ */
+ RegisterTimeout(STARTUP_PACKET_TIMEOUT, StartupPacketTimeoutHandler);
+ enable_timeout_after(STARTUP_PACKET_TIMEOUT, AuthenticationTimeout * 1000);
+
+ /*
+ * Receive the startup packet (which might turn out to be a cancel request
+ * packet).
+ */
+ status = ProcessStartupPacket(port, false, false);
+
+ /*
+ * Disable the timeout, and prevent SIGTERM again.
+ */
+ disable_timeout(STARTUP_PACKET_TIMEOUT, false);
+ sigprocmask(SIG_SETMASK, &BlockSig, NULL);
+
+ /*
+ * As a safety check that nothing in startup has yet performed
+ * shared-memory modifications that would need to be undone if we had
+ * exited through SIGTERM or timeout above, check that no on_shmem_exit
+ * handlers have been registered yet. (This isn't terribly bulletproof,
+ * since someone might misuse an on_proc_exit handler for shmem cleanup,
+ * but it's a cheap and helpful check. We cannot disallow on_proc_exit
+ * handlers unfortunately, since pq_init() already registered one.)
+ */
+ check_on_shmem_exit_lists_are_empty();
+
+ /*
+ * Stop here if it was bad or a cancel packet. ProcessStartupPacket
+ * already did any appropriate error reporting.
+ */
+ if (status != STATUS_OK)
+ proc_exit(0);
+
+ /*
+ * Now that we have the user and database name, we can set the process
+ * title for ps. It's good to do this as early as possible in startup.
+ */
+ initStringInfo(&ps_data);
+ if (am_walsender)
+ appendStringInfo(&ps_data, "%s ", GetBackendTypeDesc(B_WAL_SENDER));
+ appendStringInfo(&ps_data, "%s ", port->user_name);
+ if (port->database_name[0] != '\0')
+ appendStringInfo(&ps_data, "%s ", port->database_name);
+ appendStringInfoString(&ps_data, port->remote_host);
+ if (port->remote_port[0] != '\0')
+ appendStringInfo(&ps_data, "(%s)", port->remote_port);
+
+ init_ps_display(ps_data.data);
+ pfree(ps_data.data);
+
+ set_ps_display("initializing");
+}
+
+
+/*
+ * BackendRun -- set up the backend's argument list and invoke PostgresMain()
+ *
+ * returns:
+ * Doesn't return at all.
+ */
+static void
+BackendRun(Port *port)
+{
+ /*
+ * Make sure we aren't in PostmasterContext anymore. (We can't delete it
+ * just yet, though, because InitPostgres will need the HBA data.)
+ */
+ MemoryContextSwitchTo(TopMemoryContext);
+
+ PostgresMain(port->database_name, port->user_name);
+}
+
+
+#ifdef EXEC_BACKEND
+
+/*
+ * postmaster_forkexec -- fork and exec a postmaster subprocess
+ *
+ * The caller must have set up the argv array already, except for argv[2]
+ * which will be filled with the name of the temp variable file.
+ *
+ * Returns the child process PID, or -1 on fork failure (a suitable error
+ * message has been logged on failure).
+ *
+ * All uses of this routine will dispatch to SubPostmasterMain in the
+ * child process.
+ */
+pid_t
+postmaster_forkexec(int argc, char *argv[])
+{
+ Port port;
+
+ /* This entry point passes dummy values for the Port variables */
+ memset(&port, 0, sizeof(port));
+ return internal_forkexec(argc, argv, &port);
+}
+
+/*
+ * backend_forkexec -- fork/exec off a backend process
+ *
+ * Some operating systems (WIN32) don't have fork() so we have to simulate
+ * it by storing parameters that need to be passed to the child and
+ * then create a new child process.
+ *
+ * returns the pid of the fork/exec'd process, or -1 on failure
+ */
+static pid_t
+backend_forkexec(Port *port)
+{
+ char *av[4];
+ int ac = 0;
+
+ av[ac++] = "postgres";
+ av[ac++] = "--forkbackend";
+ av[ac++] = NULL; /* filled in by internal_forkexec */
+
+ av[ac] = NULL;
+ Assert(ac < lengthof(av));
+
+ return internal_forkexec(ac, av, port);
+}
+
+#ifndef WIN32
+
+/*
+ * internal_forkexec non-win32 implementation
+ *
+ * - writes out backend variables to the parameter file
+ * - fork():s, and then exec():s the child process
+ */
+static pid_t
+internal_forkexec(int argc, char *argv[], Port *port)
+{
+ static unsigned long tmpBackendFileNum = 0;
+ pid_t pid;
+ char tmpfilename[MAXPGPATH];
+ BackendParameters param;
+ FILE *fp;
+
+ if (!save_backend_variables(&param, port))
+ return -1; /* log made by save_backend_variables */
+
+ /* Calculate name for temp file */
+ snprintf(tmpfilename, MAXPGPATH, "%s/%s.backend_var.%d.%lu",
+ PG_TEMP_FILES_DIR, PG_TEMP_FILE_PREFIX,
+ MyProcPid, ++tmpBackendFileNum);
+
+ /* Open file */
+ fp = AllocateFile(tmpfilename, PG_BINARY_W);
+ if (!fp)
+ {
+ /*
+ * As in OpenTemporaryFileInTablespace, try to make the temp-file
+ * directory, ignoring errors.
+ */
+ (void) MakePGDirectory(PG_TEMP_FILES_DIR);
+
+ fp = AllocateFile(tmpfilename, PG_BINARY_W);
+ if (!fp)
+ {
+ ereport(LOG,
+ (errcode_for_file_access(),
+ errmsg("could not create file \"%s\": %m",
+ tmpfilename)));
+ return -1;
+ }
+ }
+
+ if (fwrite(&param, sizeof(param), 1, fp) != 1)
+ {
+ ereport(LOG,
+ (errcode_for_file_access(),
+ errmsg("could not write to file \"%s\": %m", tmpfilename)));
+ FreeFile(fp);
+ return -1;
+ }
+
+ /* Release file */
+ if (FreeFile(fp))
+ {
+ ereport(LOG,
+ (errcode_for_file_access(),
+ errmsg("could not write to file \"%s\": %m", tmpfilename)));
+ return -1;
+ }
+
+ /* Make sure caller set up argv properly */
+ Assert(argc >= 3);
+ Assert(argv[argc] == NULL);
+ Assert(strncmp(argv[1], "--fork", 6) == 0);
+ Assert(argv[2] == NULL);
+
+ /* Insert temp file name after --fork argument */
+ argv[2] = tmpfilename;
+
+ /* Fire off execv in child */
+ if ((pid = fork_process()) == 0)
+ {
+ if (execv(postgres_exec_path, argv) < 0)
+ {
+ ereport(LOG,
+ (errmsg("could not execute server process \"%s\": %m",
+ postgres_exec_path)));
+ /* We're already in the child process here, can't return */
+ exit(1);
+ }
+ }
+
+ return pid; /* Parent returns pid, or -1 on fork failure */
+}
+#else /* WIN32 */
+
+/*
+ * internal_forkexec win32 implementation
+ *
+ * - starts backend using CreateProcess(), in suspended state
+ * - writes out backend variables to the parameter file
+ * - during this, duplicates handles and sockets required for
+ * inheritance into the new process
+ * - resumes execution of the new process once the backend parameter
+ * file is complete.
+ */
+static pid_t
+internal_forkexec(int argc, char *argv[], Port *port)
+{
+ int retry_count = 0;
+ STARTUPINFO si;
+ PROCESS_INFORMATION pi;
+ int i;
+ int j;
+ char cmdLine[MAXPGPATH * 2];
+ HANDLE paramHandle;
+ BackendParameters *param;
+ SECURITY_ATTRIBUTES sa;
+ char paramHandleStr[32];
+ win32_deadchild_waitinfo *childinfo;
+
+ /* Make sure caller set up argv properly */
+ Assert(argc >= 3);
+ Assert(argv[argc] == NULL);
+ Assert(strncmp(argv[1], "--fork", 6) == 0);
+ Assert(argv[2] == NULL);
+
+ /* Resume here if we need to retry */
+retry:
+
+ /* Set up shared memory for parameter passing */
+ ZeroMemory(&sa, sizeof(sa));
+ sa.nLength = sizeof(sa);
+ sa.bInheritHandle = TRUE;
+ paramHandle = CreateFileMapping(INVALID_HANDLE_VALUE,
+ &sa,
+ PAGE_READWRITE,
+ 0,
+ sizeof(BackendParameters),
+ NULL);
+ if (paramHandle == INVALID_HANDLE_VALUE)
+ {
+ ereport(LOG,
+ (errmsg("could not create backend parameter file mapping: error code %lu",
+ GetLastError())));
+ return -1;
+ }
+
+ param = MapViewOfFile(paramHandle, FILE_MAP_WRITE, 0, 0, sizeof(BackendParameters));
+ if (!param)
+ {
+ ereport(LOG,
+ (errmsg("could not map backend parameter memory: error code %lu",
+ GetLastError())));
+ CloseHandle(paramHandle);
+ return -1;
+ }
+
+ /* Insert temp file name after --fork argument */
+#ifdef _WIN64
+ sprintf(paramHandleStr, "%llu", (LONG_PTR) paramHandle);
+#else
+ sprintf(paramHandleStr, "%lu", (DWORD) paramHandle);
+#endif
+ argv[2] = paramHandleStr;
+
+ /* Format the cmd line */
+ cmdLine[sizeof(cmdLine) - 1] = '\0';
+ cmdLine[sizeof(cmdLine) - 2] = '\0';
+ snprintf(cmdLine, sizeof(cmdLine) - 1, "\"%s\"", postgres_exec_path);
+ i = 0;
+ while (argv[++i] != NULL)
+ {
+ j = strlen(cmdLine);
+ snprintf(cmdLine + j, sizeof(cmdLine) - 1 - j, " \"%s\"", argv[i]);
+ }
+ if (cmdLine[sizeof(cmdLine) - 2] != '\0')
+ {
+ ereport(LOG,
+ (errmsg("subprocess command line too long")));
+ UnmapViewOfFile(param);
+ CloseHandle(paramHandle);
+ return -1;
+ }
+
+ memset(&pi, 0, sizeof(pi));
+ memset(&si, 0, sizeof(si));
+ si.cb = sizeof(si);
+
+ /*
+ * Create the subprocess in a suspended state. This will be resumed later,
+ * once we have written out the parameter file.
+ */
+ if (!CreateProcess(NULL, cmdLine, NULL, NULL, TRUE, CREATE_SUSPENDED,
+ NULL, NULL, &si, &pi))
+ {
+ ereport(LOG,
+ (errmsg("CreateProcess() call failed: %m (error code %lu)",
+ GetLastError())));
+ UnmapViewOfFile(param);
+ CloseHandle(paramHandle);
+ return -1;
+ }
+
+ if (!save_backend_variables(param, port, pi.hProcess, pi.dwProcessId))
+ {
+ /*
+ * log made by save_backend_variables, but we have to clean up the
+ * mess with the half-started process
+ */
+ if (!TerminateProcess(pi.hProcess, 255))
+ ereport(LOG,
+ (errmsg_internal("could not terminate unstarted process: error code %lu",
+ GetLastError())));
+ CloseHandle(pi.hProcess);
+ CloseHandle(pi.hThread);
+ UnmapViewOfFile(param);
+ CloseHandle(paramHandle);
+ return -1; /* log made by save_backend_variables */
+ }
+
+ /* Drop the parameter shared memory that is now inherited to the backend */
+ if (!UnmapViewOfFile(param))
+ ereport(LOG,
+ (errmsg("could not unmap view of backend parameter file: error code %lu",
+ GetLastError())));
+ if (!CloseHandle(paramHandle))
+ ereport(LOG,
+ (errmsg("could not close handle to backend parameter file: error code %lu",
+ GetLastError())));
+
+ /*
+ * Reserve the memory region used by our main shared memory segment before
+ * we resume the child process. Normally this should succeed, but if ASLR
+ * is active then it might sometimes fail due to the stack or heap having
+ * gotten mapped into that range. In that case, just terminate the
+ * process and retry.
+ */
+ if (!pgwin32_ReserveSharedMemoryRegion(pi.hProcess))
+ {
+ /* pgwin32_ReserveSharedMemoryRegion already made a log entry */
+ if (!TerminateProcess(pi.hProcess, 255))
+ ereport(LOG,
+ (errmsg_internal("could not terminate process that failed to reserve memory: error code %lu",
+ GetLastError())));
+ CloseHandle(pi.hProcess);
+ CloseHandle(pi.hThread);
+ if (++retry_count < 100)
+ goto retry;
+ ereport(LOG,
+ (errmsg("giving up after too many tries to reserve shared memory"),
+ errhint("This might be caused by ASLR or antivirus software.")));
+ return -1;
+ }
+
+ /*
+ * Now that the backend variables are written out, we start the child
+ * thread so it can start initializing while we set up the rest of the
+ * parent state.
+ */
+ if (ResumeThread(pi.hThread) == -1)
+ {
+ if (!TerminateProcess(pi.hProcess, 255))
+ {
+ ereport(LOG,
+ (errmsg_internal("could not terminate unstartable process: error code %lu",
+ GetLastError())));
+ CloseHandle(pi.hProcess);
+ CloseHandle(pi.hThread);
+ return -1;
+ }
+ CloseHandle(pi.hProcess);
+ CloseHandle(pi.hThread);
+ ereport(LOG,
+ (errmsg_internal("could not resume thread of unstarted process: error code %lu",
+ GetLastError())));
+ return -1;
+ }
+
+ /*
+ * Queue a waiter to signal when this child dies. The wait will be handled
+ * automatically by an operating system thread pool. The memory will be
+ * freed by a later call to waitpid().
+ */
+ childinfo = palloc(sizeof(win32_deadchild_waitinfo));
+ childinfo->procHandle = pi.hProcess;
+ childinfo->procId = pi.dwProcessId;
+
+ if (!RegisterWaitForSingleObject(&childinfo->waitHandle,
+ pi.hProcess,
+ pgwin32_deadchild_callback,
+ childinfo,
+ INFINITE,
+ WT_EXECUTEONLYONCE | WT_EXECUTEINWAITTHREAD))
+ ereport(FATAL,
+ (errmsg_internal("could not register process for wait: error code %lu",
+ GetLastError())));
+
+ /* Don't close pi.hProcess here - waitpid() needs access to it */
+
+ CloseHandle(pi.hThread);
+
+ return pi.dwProcessId;
+}
+#endif /* WIN32 */
+
+
+/*
+ * SubPostmasterMain -- Get the fork/exec'd process into a state equivalent
+ * to what it would be if we'd simply forked on Unix, and then
+ * dispatch to the appropriate place.
+ *
+ * The first two command line arguments are expected to be "--forkFOO"
+ * (where FOO indicates which postmaster child we are to become), and
+ * the name of a variables file that we can read to load data that would
+ * have been inherited by fork() on Unix. Remaining arguments go to the
+ * subprocess FooMain() routine.
+ */
+void
+SubPostmasterMain(int argc, char *argv[])
+{
+ Port port;
+
+ /* In EXEC_BACKEND case we will not have inherited these settings */
+ IsPostmasterEnvironment = true;
+ whereToSendOutput = DestNone;
+
+ /* Setup essential subsystems (to ensure elog() behaves sanely) */
+ InitializeGUCOptions();
+
+ /* Check we got appropriate args */
+ if (argc < 3)
+ elog(FATAL, "invalid subpostmaster invocation");
+
+ /* Read in the variables file */
+ memset(&port, 0, sizeof(Port));
+ read_backend_variables(argv[2], &port);
+
+ /* Close the postmaster's sockets (as soon as we know them) */
+ ClosePostmasterPorts(strcmp(argv[1], "--forklog") == 0);
+
+ /* Setup as postmaster child */
+ InitPostmasterChild();
+
+ /*
+ * If appropriate, physically re-attach to shared memory segment. We want
+ * to do this before going any further to ensure that we can attach at the
+ * same address the postmaster used. On the other hand, if we choose not
+ * to re-attach, we may have other cleanup to do.
+ *
+ * If testing EXEC_BACKEND on Linux, you should run this as root before
+ * starting the postmaster:
+ *
+ * sysctl -w kernel.randomize_va_space=0
+ *
+ * This prevents using randomized stack and code addresses that cause the
+ * child process's memory map to be different from the parent's, making it
+ * sometimes impossible to attach to shared memory at the desired address.
+ * Return the setting to its old value (usually '1' or '2') when finished.
+ */
+ if (strcmp(argv[1], "--forkbackend") == 0 ||
+ strcmp(argv[1], "--forkavlauncher") == 0 ||
+ strcmp(argv[1], "--forkavworker") == 0 ||
+ strcmp(argv[1], "--forkaux") == 0 ||
+ strncmp(argv[1], "--forkbgworker=", 15) == 0)
+ PGSharedMemoryReAttach();
+ else
+ PGSharedMemoryNoReAttach();
+
+ /* autovacuum needs this set before calling InitProcess */
+ if (strcmp(argv[1], "--forkavlauncher") == 0)
+ AutovacuumLauncherIAm();
+ if (strcmp(argv[1], "--forkavworker") == 0)
+ AutovacuumWorkerIAm();
+
+ /* Read in remaining GUC variables */
+ read_nondefault_variables();
+
+ /*
+ * Check that the data directory looks valid, which will also check the
+ * privileges on the data directory and update our umask and file/group
+ * variables for creating files later. Note: this should really be done
+ * before we create any files or directories.
+ */
+ checkDataDir();
+
+ /*
+ * (re-)read control file, as it contains config. The postmaster will
+ * already have read this, but this process doesn't know about that.
+ */
+ LocalProcessControlFile(false);
+
+ /*
+ * Reload any libraries that were preloaded by the postmaster. Since we
+ * exec'd this process, those libraries didn't come along with us; but we
+ * should load them into all child processes to be consistent with the
+ * non-EXEC_BACKEND behavior.
+ */
+ process_shared_preload_libraries();
+
+ /* Run backend or appropriate child */
+ if (strcmp(argv[1], "--forkbackend") == 0)
+ {
+ Assert(argc == 3); /* shouldn't be any more args */
+
+ /*
+ * Need to reinitialize the SSL library in the backend, since the
+ * context structures contain function pointers and cannot be passed
+ * through the parameter file.
+ *
+ * If for some reason reload fails (maybe the user installed broken
+ * key files), soldier on without SSL; that's better than all
+ * connections becoming impossible.
+ *
+ * XXX should we do this in all child processes? For the moment it's
+ * enough to do it in backend children.
+ */
+#ifdef USE_SSL
+ if (EnableSSL)
+ {
+ if (secure_initialize(false) == 0)
+ LoadedSSL = true;
+ else
+ ereport(LOG,
+ (errmsg("SSL configuration could not be loaded in child process")));
+ }
+#endif
+
+ /*
+ * Perform additional initialization and collect startup packet.
+ *
+ * We want to do this before InitProcess() for a couple of reasons: 1.
+ * so that we aren't eating up a PGPROC slot while waiting on the
+ * client. 2. so that if InitProcess() fails due to being out of
+ * PGPROC slots, we have already initialized libpq and are able to
+ * report the error to the client.
+ */
+ BackendInitialize(&port);
+
+ /* Restore basic shared memory pointers */
+ InitShmemAccess(UsedShmemSegAddr);
+
+ /* Need a PGPROC to run CreateSharedMemoryAndSemaphores */
+ InitProcess();
+
+ /* Attach process to shared data structures */
+ CreateSharedMemoryAndSemaphores();
+
+ /* And run the backend */
+ BackendRun(&port); /* does not return */
+ }
+ if (strcmp(argv[1], "--forkaux") == 0)
+ {
+ AuxProcType auxtype;
+
+ Assert(argc == 4);
+
+ /* Restore basic shared memory pointers */
+ InitShmemAccess(UsedShmemSegAddr);
+
+ /* Need a PGPROC to run CreateSharedMemoryAndSemaphores */
+ InitAuxiliaryProcess();
+
+ /* Attach process to shared data structures */
+ CreateSharedMemoryAndSemaphores();
+
+ auxtype = atoi(argv[3]);
+ AuxiliaryProcessMain(auxtype); /* does not return */
+ }
+ if (strcmp(argv[1], "--forkavlauncher") == 0)
+ {
+ /* Restore basic shared memory pointers */
+ InitShmemAccess(UsedShmemSegAddr);
+
+ /* Need a PGPROC to run CreateSharedMemoryAndSemaphores */
+ InitProcess();
+
+ /* Attach process to shared data structures */
+ CreateSharedMemoryAndSemaphores();
+
+ AutoVacLauncherMain(argc - 2, argv + 2); /* does not return */
+ }
+ if (strcmp(argv[1], "--forkavworker") == 0)
+ {
+ /* Restore basic shared memory pointers */
+ InitShmemAccess(UsedShmemSegAddr);
+
+ /* Need a PGPROC to run CreateSharedMemoryAndSemaphores */
+ InitProcess();
+
+ /* Attach process to shared data structures */
+ CreateSharedMemoryAndSemaphores();
+
+ AutoVacWorkerMain(argc - 2, argv + 2); /* does not return */
+ }
+ if (strncmp(argv[1], "--forkbgworker=", 15) == 0)
+ {
+ int shmem_slot;
+
+ /* do this as early as possible; in particular, before InitProcess() */
+ IsBackgroundWorker = true;
+
+ /* Restore basic shared memory pointers */
+ InitShmemAccess(UsedShmemSegAddr);
+
+ /* Need a PGPROC to run CreateSharedMemoryAndSemaphores */
+ InitProcess();
+
+ /* Attach process to shared data structures */
+ CreateSharedMemoryAndSemaphores();
+
+ /* Fetch MyBgworkerEntry from shared memory */
+ shmem_slot = atoi(argv[1] + 15);
+ MyBgworkerEntry = BackgroundWorkerEntry(shmem_slot);
+
+ StartBackgroundWorker();
+ }
+ if (strcmp(argv[1], "--forklog") == 0)
+ {
+ /* Do not want to attach to shared memory */
+
+ SysLoggerMain(argc, argv); /* does not return */
+ }
+
+ abort(); /* shouldn't get here */
+}
+#endif /* EXEC_BACKEND */
+
+
+/*
+ * ExitPostmaster -- cleanup
+ *
+ * Do NOT call exit() directly --- always go through here!
+ */
+static void
+ExitPostmaster(int status)
+{
+#ifdef HAVE_PTHREAD_IS_THREADED_NP
+
+ /*
+ * There is no known cause for a postmaster to become multithreaded after
+ * startup. Recheck to account for the possibility of unknown causes.
+ * This message uses LOG level, because an unclean shutdown at this point
+ * would usually not look much different from a clean shutdown.
+ */
+ if (pthread_is_threaded_np() != 0)
+ ereport(LOG,
+ (errcode(ERRCODE_INTERNAL_ERROR),
+ errmsg_internal("postmaster became multithreaded"),
+ errdetail("Please report this to <%s>.", PACKAGE_BUGREPORT)));
+#endif
+
+ /* should cleanup shared memory and kill all backends */
+
+ /*
+ * Not sure of the semantics here. When the Postmaster dies, should the
+ * backends all be killed? probably not.
+ *
+ * MUST -- vadim 05-10-1999
+ */
+
+ proc_exit(status);
+}
+
+/*
+ * Handle pmsignal conditions representing requests from backends,
+ * and check for promote and logrotate requests from pg_ctl.
+ */
+static void
+process_pm_pmsignal(void)
+{
+ pending_pm_pmsignal = false;
+
+ ereport(DEBUG2,
+ (errmsg_internal("postmaster received pmsignal signal")));
+
+ /*
+ * RECOVERY_STARTED and BEGIN_HOT_STANDBY signals are ignored in
+ * unexpected states. If the startup process quickly starts up, completes
+ * recovery, exits, we might process the death of the startup process
+ * first. We don't want to go back to recovery in that case.
+ */
+ if (CheckPostmasterSignal(PMSIGNAL_RECOVERY_STARTED) &&
+ pmState == PM_STARTUP && Shutdown == NoShutdown)
+ {
+ /* WAL redo has started. We're out of reinitialization. */
+ FatalError = false;
+ AbortStartTime = 0;
+
+ /*
+ * Start the archiver if we're responsible for (re-)archiving received
+ * files.
+ */
+ Assert(PgArchPID == 0);
+ if (XLogArchivingAlways())
+ PgArchPID = StartArchiver();
+
+ /*
+ * If we aren't planning to enter hot standby mode later, treat
+ * RECOVERY_STARTED as meaning we're out of startup, and report status
+ * accordingly.
+ */
+ if (!EnableHotStandby)
+ {
+ AddToDataDirLockFile(LOCK_FILE_LINE_PM_STATUS, PM_STATUS_STANDBY);
+#ifdef USE_SYSTEMD
+ sd_notify(0, "READY=1");
+#endif
+ }
+
+ pmState = PM_RECOVERY;
+ }
+
+ if (CheckPostmasterSignal(PMSIGNAL_BEGIN_HOT_STANDBY) &&
+ pmState == PM_RECOVERY && Shutdown == NoShutdown)
+ {
+ ereport(LOG,
+ (errmsg("database system is ready to accept read-only connections")));
+
+ /* Report status */
+ AddToDataDirLockFile(LOCK_FILE_LINE_PM_STATUS, PM_STATUS_READY);
+#ifdef USE_SYSTEMD
+ sd_notify(0, "READY=1");
+#endif
+
+ pmState = PM_HOT_STANDBY;
+ connsAllowed = true;
+
+ /* Some workers may be scheduled to start now */
+ StartWorkerNeeded = true;
+ }
+
+ /* Process background worker state changes. */
+ if (CheckPostmasterSignal(PMSIGNAL_BACKGROUND_WORKER_CHANGE))
+ {
+ /* Accept new worker requests only if not stopping. */
+ BackgroundWorkerStateChange(pmState < PM_STOP_BACKENDS);
+ StartWorkerNeeded = true;
+ }
+
+ if (StartWorkerNeeded || HaveCrashedWorker)
+ maybe_start_bgworkers();
+
+ /* Tell syslogger to rotate logfile if requested */
+ if (SysLoggerPID != 0)
+ {
+ if (CheckLogrotateSignal())
+ {
+ signal_child(SysLoggerPID, SIGUSR1);
+ RemoveLogrotateSignalFiles();
+ }
+ else if (CheckPostmasterSignal(PMSIGNAL_ROTATE_LOGFILE))
+ {
+ signal_child(SysLoggerPID, SIGUSR1);
+ }
+ }
+
+ if (CheckPostmasterSignal(PMSIGNAL_START_AUTOVAC_LAUNCHER) &&
+ Shutdown <= SmartShutdown && pmState < PM_STOP_BACKENDS)
+ {
+ /*
+ * Start one iteration of the autovacuum daemon, even if autovacuuming
+ * is nominally not enabled. This is so we can have an active defense
+ * against transaction ID wraparound. We set a flag for the main loop
+ * to do it rather than trying to do it here --- this is because the
+ * autovac process itself may send the signal, and we want to handle
+ * that by launching another iteration as soon as the current one
+ * completes.
+ */
+ start_autovac_launcher = true;
+ }
+
+ if (CheckPostmasterSignal(PMSIGNAL_START_AUTOVAC_WORKER) &&
+ Shutdown <= SmartShutdown && pmState < PM_STOP_BACKENDS)
+ {
+ /* The autovacuum launcher wants us to start a worker process. */
+ StartAutovacuumWorker();
+ }
+
+ if (CheckPostmasterSignal(PMSIGNAL_START_WALRECEIVER))
+ {
+ /* Startup Process wants us to start the walreceiver process. */
+ /* Start immediately if possible, else remember request for later. */
+ WalReceiverRequested = true;
+ MaybeStartWalReceiver();
+ }
+
+ /*
+ * Try to advance postmaster's state machine, if a child requests it.
+ *
+ * Be careful about the order of this action relative to this function's
+ * other actions. Generally, this should be after other actions, in case
+ * they have effects PostmasterStateMachine would need to know about.
+ * However, we should do it before the CheckPromoteSignal step, which
+ * cannot have any (immediate) effect on the state machine, but does
+ * depend on what state we're in now.
+ */
+ if (CheckPostmasterSignal(PMSIGNAL_ADVANCE_STATE_MACHINE))
+ {
+ PostmasterStateMachine();
+ }
+
+ if (StartupPID != 0 &&
+ (pmState == PM_STARTUP || pmState == PM_RECOVERY ||
+ pmState == PM_HOT_STANDBY) &&
+ CheckPromoteSignal())
+ {
+ /*
+ * Tell startup process to finish recovery.
+ *
+ * Leave the promote signal file in place and let the Startup process
+ * do the unlink.
+ */
+ signal_child(StartupPID, SIGUSR2);
+ }
+}
+
+/*
+ * SIGTERM while processing startup packet.
+ *
+ * Running proc_exit() from a signal handler would be quite unsafe.
+ * However, since we have not yet touched shared memory, we can just
+ * pull the plug and exit without running any atexit handlers.
+ *
+ * One might be tempted to try to send a message, or log one, indicating
+ * why we are disconnecting. However, that would be quite unsafe in itself.
+ * Also, it seems undesirable to provide clues about the database's state
+ * to a client that has not yet completed authentication, or even sent us
+ * a startup packet.
+ */
+static void
+process_startup_packet_die(SIGNAL_ARGS)
+{
+ _exit(1);
+}
+
+/*
+ * Dummy signal handler
+ *
+ * We use this for signals that we don't actually use in the postmaster,
+ * but we do use in backends. If we were to SIG_IGN such signals in the
+ * postmaster, then a newly started backend might drop a signal that arrives
+ * before it's able to reconfigure its signal processing. (See notes in
+ * tcop/postgres.c.)
+ */
+static void
+dummy_handler(SIGNAL_ARGS)
+{
+}
+
+/*
+ * Timeout while processing startup packet.
+ * As for process_startup_packet_die(), we exit via _exit(1).
+ */
+static void
+StartupPacketTimeoutHandler(void)
+{
+ _exit(1);
+}
+
+
+/*
+ * Generate a random cancel key.
+ */
+static bool
+RandomCancelKey(int32 *cancel_key)
+{
+ return pg_strong_random(cancel_key, sizeof(int32));
+}
+
+/*
+ * Count up number of child processes of specified types (dead_end children
+ * are always excluded).
+ */
+static int
+CountChildren(int target)
+{
+ dlist_iter iter;
+ int cnt = 0;
+
+ dlist_foreach(iter, &BackendList)
+ {
+ Backend *bp = dlist_container(Backend, elem, iter.cur);
+
+ if (bp->dead_end)
+ continue;
+
+ /*
+ * Since target == BACKEND_TYPE_ALL is the most common case, we test
+ * it first and avoid touching shared memory for every child.
+ */
+ if (target != BACKEND_TYPE_ALL)
+ {
+ /*
+ * Assign bkend_type for any recently announced WAL Sender
+ * processes.
+ */
+ if (bp->bkend_type == BACKEND_TYPE_NORMAL &&
+ IsPostmasterChildWalSender(bp->child_slot))
+ bp->bkend_type = BACKEND_TYPE_WALSND;
+
+ if (!(target & bp->bkend_type))
+ continue;
+ }
+
+ cnt++;
+ }
+ return cnt;
+}
+
+
+/*
+ * StartChildProcess -- start an auxiliary process for the postmaster
+ *
+ * "type" determines what kind of child will be started. All child types
+ * initially go to AuxiliaryProcessMain, which will handle common setup.
+ *
+ * Return value of StartChildProcess is subprocess' PID, or 0 if failed
+ * to start subprocess.
+ */
+static pid_t
+StartChildProcess(AuxProcType type)
+{
+ pid_t pid;
+
+#ifdef EXEC_BACKEND
+ {
+ char *av[10];
+ int ac = 0;
+ char typebuf[32];
+
+ /*
+ * Set up command-line arguments for subprocess
+ */
+ av[ac++] = "postgres";
+ av[ac++] = "--forkaux";
+ av[ac++] = NULL; /* filled in by postmaster_forkexec */
+
+ snprintf(typebuf, sizeof(typebuf), "%d", type);
+ av[ac++] = typebuf;
+
+ av[ac] = NULL;
+ Assert(ac < lengthof(av));
+
+ pid = postmaster_forkexec(ac, av);
+ }
+#else /* !EXEC_BACKEND */
+ pid = fork_process();
+
+ if (pid == 0) /* child */
+ {
+ InitPostmasterChild();
+
+ /* Close the postmaster's sockets */
+ ClosePostmasterPorts(false);
+
+ /* Release postmaster's working memory context */
+ MemoryContextSwitchTo(TopMemoryContext);
+ MemoryContextDelete(PostmasterContext);
+ PostmasterContext = NULL;
+
+ AuxiliaryProcessMain(type); /* does not return */
+ }
+#endif /* EXEC_BACKEND */
+
+ if (pid < 0)
+ {
+ /* in parent, fork failed */
+ int save_errno = errno;
+
+ errno = save_errno;
+ switch (type)
+ {
+ case StartupProcess:
+ ereport(LOG,
+ (errmsg("could not fork startup process: %m")));
+ break;
+ case ArchiverProcess:
+ ereport(LOG,
+ (errmsg("could not fork archiver process: %m")));
+ break;
+ case BgWriterProcess:
+ ereport(LOG,
+ (errmsg("could not fork background writer process: %m")));
+ break;
+ case CheckpointerProcess:
+ ereport(LOG,
+ (errmsg("could not fork checkpointer process: %m")));
+ break;
+ case WalWriterProcess:
+ ereport(LOG,
+ (errmsg("could not fork WAL writer process: %m")));
+ break;
+ case WalReceiverProcess:
+ ereport(LOG,
+ (errmsg("could not fork WAL receiver process: %m")));
+ break;
+ default:
+ ereport(LOG,
+ (errmsg("could not fork process: %m")));
+ break;
+ }
+
+ /*
+ * fork failure is fatal during startup, but there's no need to choke
+ * immediately if starting other child types fails.
+ */
+ if (type == StartupProcess)
+ ExitPostmaster(1);
+ return 0;
+ }
+
+ /*
+ * in parent, successful fork
+ */
+ return pid;
+}
+
+/*
+ * StartAutovacuumWorker
+ * Start an autovac worker process.
+ *
+ * This function is here because it enters the resulting PID into the
+ * postmaster's private backends list.
+ *
+ * NB -- this code very roughly matches BackendStartup.
+ */
+static void
+StartAutovacuumWorker(void)
+{
+ Backend *bn;
+
+ /*
+ * If not in condition to run a process, don't try, but handle it like a
+ * fork failure. This does not normally happen, since the signal is only
+ * supposed to be sent by autovacuum launcher when it's OK to do it, but
+ * we have to check to avoid race-condition problems during DB state
+ * changes.
+ */
+ if (canAcceptConnections(BACKEND_TYPE_AUTOVAC) == CAC_OK)
+ {
+ /*
+ * Compute the cancel key that will be assigned to this session. We
+ * probably don't need cancel keys for autovac workers, but we'd
+ * better have something random in the field to prevent unfriendly
+ * people from sending cancels to them.
+ */
+ if (!RandomCancelKey(&MyCancelKey))
+ {
+ ereport(LOG,
+ (errcode(ERRCODE_INTERNAL_ERROR),
+ errmsg("could not generate random cancel key")));
+ return;
+ }
+
+ bn = (Backend *) malloc(sizeof(Backend));
+ if (bn)
+ {
+ bn->cancel_key = MyCancelKey;
+
+ /* Autovac workers are not dead_end and need a child slot */
+ bn->dead_end = false;
+ bn->child_slot = MyPMChildSlot = AssignPostmasterChildSlot();
+ bn->bgworker_notify = false;
+
+ bn->pid = StartAutoVacWorker();
+ if (bn->pid > 0)
+ {
+ bn->bkend_type = BACKEND_TYPE_AUTOVAC;
+ dlist_push_head(&BackendList, &bn->elem);
+#ifdef EXEC_BACKEND
+ ShmemBackendArrayAdd(bn);
+#endif
+ /* all OK */
+ return;
+ }
+
+ /*
+ * fork failed, fall through to report -- actual error message was
+ * logged by StartAutoVacWorker
+ */
+ (void) ReleasePostmasterChildSlot(bn->child_slot);
+ free(bn);
+ }
+ else
+ ereport(LOG,
+ (errcode(ERRCODE_OUT_OF_MEMORY),
+ errmsg("out of memory")));
+ }
+
+ /*
+ * Report the failure to the launcher, if it's running. (If it's not, we
+ * might not even be connected to shared memory, so don't try to call
+ * AutoVacWorkerFailed.) Note that we also need to signal it so that it
+ * responds to the condition, but we don't do that here, instead waiting
+ * for ServerLoop to do it. This way we avoid a ping-pong signaling in
+ * quick succession between the autovac launcher and postmaster in case
+ * things get ugly.
+ */
+ if (AutoVacPID != 0)
+ {
+ AutoVacWorkerFailed();
+ avlauncher_needs_signal = true;
+ }
+}
+
+/*
+ * MaybeStartWalReceiver
+ * Start the WAL receiver process, if not running and our state allows.
+ *
+ * Note: if WalReceiverPID is already nonzero, it might seem that we should
+ * clear WalReceiverRequested. However, there's a race condition if the
+ * walreceiver terminates and the startup process immediately requests a new
+ * one: it's quite possible to get the signal for the request before reaping
+ * the dead walreceiver process. Better to risk launching an extra
+ * walreceiver than to miss launching one we need. (The walreceiver code
+ * has logic to recognize that it should go away if not needed.)
+ */
+static void
+MaybeStartWalReceiver(void)
+{
+ if (WalReceiverPID == 0 &&
+ (pmState == PM_STARTUP || pmState == PM_RECOVERY ||
+ pmState == PM_HOT_STANDBY) &&
+ Shutdown <= SmartShutdown)
+ {
+ WalReceiverPID = StartWalReceiver();
+ if (WalReceiverPID != 0)
+ WalReceiverRequested = false;
+ /* else leave the flag set, so we'll try again later */
+ }
+}
+
+
+/*
+ * Create the opts file
+ */
+static bool
+CreateOptsFile(int argc, char *argv[], char *fullprogname)
+{
+ FILE *fp;
+ int i;
+
+#define OPTS_FILE "postmaster.opts"
+
+ if ((fp = fopen(OPTS_FILE, "w")) == NULL)
+ {
+ ereport(LOG,
+ (errcode_for_file_access(),
+ errmsg("could not create file \"%s\": %m", OPTS_FILE)));
+ return false;
+ }
+
+ fprintf(fp, "%s", fullprogname);
+ for (i = 1; i < argc; i++)
+ fprintf(fp, " \"%s\"", argv[i]);
+ fputs("\n", fp);
+
+ if (fclose(fp))
+ {
+ ereport(LOG,
+ (errcode_for_file_access(),
+ errmsg("could not write file \"%s\": %m", OPTS_FILE)));
+ return false;
+ }
+
+ return true;
+}
+
+
+/*
+ * MaxLivePostmasterChildren
+ *
+ * This reports the number of entries needed in per-child-process arrays
+ * (the PMChildFlags array, and if EXEC_BACKEND the ShmemBackendArray).
+ * These arrays include regular backends, autovac workers, walsenders
+ * and background workers, but not special children nor dead_end children.
+ * This allows the arrays to have a fixed maximum size, to wit the same
+ * too-many-children limit enforced by canAcceptConnections(). The exact value
+ * isn't too critical as long as it's more than MaxBackends.
+ */
+int
+MaxLivePostmasterChildren(void)
+{
+ return 2 * (MaxConnections + autovacuum_max_workers + 1 +
+ max_wal_senders + max_worker_processes);
+}
+
+/*
+ * Connect background worker to a database.
+ */
+void
+BackgroundWorkerInitializeConnection(const char *dbname, const char *username, uint32 flags)
+{
+ BackgroundWorker *worker = MyBgworkerEntry;
+
+ /* XXX is this the right errcode? */
+ if (!(worker->bgw_flags & BGWORKER_BACKEND_DATABASE_CONNECTION))
+ ereport(FATAL,
+ (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED),
+ errmsg("database connection requirement not indicated during registration")));
+
+ InitPostgres(dbname, InvalidOid, /* database to connect to */
+ username, InvalidOid, /* role to connect as */
+ false, /* never honor session_preload_libraries */
+ (flags & BGWORKER_BYPASS_ALLOWCONN) != 0, /* ignore datallowconn? */
+ NULL); /* no out_dbname */
+
+ /* it had better not gotten out of "init" mode yet */
+ if (!IsInitProcessingMode())
+ ereport(ERROR,
+ (errmsg("invalid processing mode in background worker")));
+ SetProcessingMode(NormalProcessing);
+}
+
+/*
+ * Connect background worker to a database using OIDs.
+ */
+void
+BackgroundWorkerInitializeConnectionByOid(Oid dboid, Oid useroid, uint32 flags)
+{
+ BackgroundWorker *worker = MyBgworkerEntry;
+
+ /* XXX is this the right errcode? */
+ if (!(worker->bgw_flags & BGWORKER_BACKEND_DATABASE_CONNECTION))
+ ereport(FATAL,
+ (errcode(ERRCODE_PROGRAM_LIMIT_EXCEEDED),
+ errmsg("database connection requirement not indicated during registration")));
+
+ InitPostgres(NULL, dboid, /* database to connect to */
+ NULL, useroid, /* role to connect as */
+ false, /* never honor session_preload_libraries */
+ (flags & BGWORKER_BYPASS_ALLOWCONN) != 0, /* ignore datallowconn? */
+ NULL); /* no out_dbname */
+
+ /* it had better not gotten out of "init" mode yet */
+ if (!IsInitProcessingMode())
+ ereport(ERROR,
+ (errmsg("invalid processing mode in background worker")));
+ SetProcessingMode(NormalProcessing);
+}
+
+/*
+ * Block/unblock signals in a background worker
+ */
+void
+BackgroundWorkerBlockSignals(void)
+{
+ sigprocmask(SIG_SETMASK, &BlockSig, NULL);
+}
+
+void
+BackgroundWorkerUnblockSignals(void)
+{
+ sigprocmask(SIG_SETMASK, &UnBlockSig, NULL);
+}
+
+#ifdef EXEC_BACKEND
+static pid_t
+bgworker_forkexec(int shmem_slot)
+{
+ char *av[10];
+ int ac = 0;
+ char forkav[MAXPGPATH];
+
+ snprintf(forkav, MAXPGPATH, "--forkbgworker=%d", shmem_slot);
+
+ av[ac++] = "postgres";
+ av[ac++] = forkav;
+ av[ac++] = NULL; /* filled in by postmaster_forkexec */
+ av[ac] = NULL;
+
+ Assert(ac < lengthof(av));
+
+ return postmaster_forkexec(ac, av);
+}
+#endif
+
+/*
+ * Start a new bgworker.
+ * Starting time conditions must have been checked already.
+ *
+ * Returns true on success, false on failure.
+ * In either case, update the RegisteredBgWorker's state appropriately.
+ *
+ * This code is heavily based on autovacuum.c, q.v.
+ */
+static bool
+do_start_bgworker(RegisteredBgWorker *rw)
+{
+ pid_t worker_pid;
+
+ Assert(rw->rw_pid == 0);
+
+ /*
+ * Allocate and assign the Backend element. Note we must do this before
+ * forking, so that we can handle failures (out of memory or child-process
+ * slots) cleanly.
+ *
+ * Treat failure as though the worker had crashed. That way, the
+ * postmaster will wait a bit before attempting to start it again; if we
+ * tried again right away, most likely we'd find ourselves hitting the
+ * same resource-exhaustion condition.
+ */
+ if (!assign_backendlist_entry(rw))
+ {
+ rw->rw_crashed_at = GetCurrentTimestamp();
+ return false;
+ }
+
+ ereport(DEBUG1,
+ (errmsg_internal("starting background worker process \"%s\"",
+ rw->rw_worker.bgw_name)));
+
+#ifdef EXEC_BACKEND
+ switch ((worker_pid = bgworker_forkexec(rw->rw_shmem_slot)))
+#else
+ switch ((worker_pid = fork_process()))
+#endif
+ {
+ case -1:
+ /* in postmaster, fork failed ... */
+ ereport(LOG,
+ (errmsg("could not fork worker process: %m")));
+ /* undo what assign_backendlist_entry did */
+ ReleasePostmasterChildSlot(rw->rw_child_slot);
+ rw->rw_child_slot = 0;
+ free(rw->rw_backend);
+ rw->rw_backend = NULL;
+ /* mark entry as crashed, so we'll try again later */
+ rw->rw_crashed_at = GetCurrentTimestamp();
+ break;
+
+#ifndef EXEC_BACKEND
+ case 0:
+ /* in postmaster child ... */
+ InitPostmasterChild();
+
+ /* Close the postmaster's sockets */
+ ClosePostmasterPorts(false);
+
+ /*
+ * Before blowing away PostmasterContext, save this bgworker's
+ * data where it can find it.
+ */
+ MyBgworkerEntry = (BackgroundWorker *)
+ MemoryContextAlloc(TopMemoryContext, sizeof(BackgroundWorker));
+ memcpy(MyBgworkerEntry, &rw->rw_worker, sizeof(BackgroundWorker));
+
+ /* Release postmaster's working memory context */
+ MemoryContextSwitchTo(TopMemoryContext);
+ MemoryContextDelete(PostmasterContext);
+ PostmasterContext = NULL;
+
+ StartBackgroundWorker();
+
+ exit(1); /* should not get here */
+ break;
+#endif
+ default:
+ /* in postmaster, fork successful ... */
+ rw->rw_pid = worker_pid;
+ rw->rw_backend->pid = rw->rw_pid;
+ ReportBackgroundWorkerPID(rw);
+ /* add new worker to lists of backends */
+ dlist_push_head(&BackendList, &rw->rw_backend->elem);
+#ifdef EXEC_BACKEND
+ ShmemBackendArrayAdd(rw->rw_backend);
+#endif
+ return true;
+ }
+
+ return false;
+}
+
+/*
+ * Does the current postmaster state require starting a worker with the
+ * specified start_time?
+ */
+static bool
+bgworker_should_start_now(BgWorkerStartTime start_time)
+{
+ switch (pmState)
+ {
+ case PM_NO_CHILDREN:
+ case PM_WAIT_DEAD_END:
+ case PM_SHUTDOWN_2:
+ case PM_SHUTDOWN:
+ case PM_WAIT_BACKENDS:
+ case PM_STOP_BACKENDS:
+ break;
+
+ case PM_RUN:
+ if (start_time == BgWorkerStart_RecoveryFinished)
+ return true;
+ /* fall through */
+
+ case PM_HOT_STANDBY:
+ if (start_time == BgWorkerStart_ConsistentState)
+ return true;
+ /* fall through */
+
+ case PM_RECOVERY:
+ case PM_STARTUP:
+ case PM_INIT:
+ if (start_time == BgWorkerStart_PostmasterStart)
+ return true;
+ /* fall through */
+ }
+
+ return false;
+}
+
+/*
+ * Allocate the Backend struct for a connected background worker, but don't
+ * add it to the list of backends just yet.
+ *
+ * On failure, return false without changing any worker state.
+ *
+ * Some info from the Backend is copied into the passed rw.
+ */
+static bool
+assign_backendlist_entry(RegisteredBgWorker *rw)
+{
+ Backend *bn;
+
+ /*
+ * Check that database state allows another connection. Currently the
+ * only possible failure is CAC_TOOMANY, so we just log an error message
+ * based on that rather than checking the error code precisely.
+ */
+ if (canAcceptConnections(BACKEND_TYPE_BGWORKER) != CAC_OK)
+ {
+ ereport(LOG,
+ (errcode(ERRCODE_CONFIGURATION_LIMIT_EXCEEDED),
+ errmsg("no slot available for new worker process")));
+ return false;
+ }
+
+ /*
+ * Compute the cancel key that will be assigned to this session. We
+ * probably don't need cancel keys for background workers, but we'd better
+ * have something random in the field to prevent unfriendly people from
+ * sending cancels to them.
+ */
+ if (!RandomCancelKey(&MyCancelKey))
+ {
+ ereport(LOG,
+ (errcode(ERRCODE_INTERNAL_ERROR),
+ errmsg("could not generate random cancel key")));
+ return false;
+ }
+
+ bn = malloc(sizeof(Backend));
+ if (bn == NULL)
+ {
+ ereport(LOG,
+ (errcode(ERRCODE_OUT_OF_MEMORY),
+ errmsg("out of memory")));
+ return false;
+ }
+
+ bn->cancel_key = MyCancelKey;
+ bn->child_slot = MyPMChildSlot = AssignPostmasterChildSlot();
+ bn->bkend_type = BACKEND_TYPE_BGWORKER;
+ bn->dead_end = false;
+ bn->bgworker_notify = false;
+
+ rw->rw_backend = bn;
+ rw->rw_child_slot = bn->child_slot;
+
+ return true;
+}
+
+/*
+ * If the time is right, start background worker(s).
+ *
+ * As a side effect, the bgworker control variables are set or reset
+ * depending on whether more workers may need to be started.
+ *
+ * We limit the number of workers started per call, to avoid consuming the
+ * postmaster's attention for too long when many such requests are pending.
+ * As long as StartWorkerNeeded is true, ServerLoop will not block and will
+ * call this function again after dealing with any other issues.
+ */
+static void
+maybe_start_bgworkers(void)
+{
+#define MAX_BGWORKERS_TO_LAUNCH 100
+ int num_launched = 0;
+ TimestampTz now = 0;
+ slist_mutable_iter iter;
+
+ /*
+ * During crash recovery, we have no need to be called until the state
+ * transition out of recovery.
+ */
+ if (FatalError)
+ {
+ StartWorkerNeeded = false;
+ HaveCrashedWorker = false;
+ return;
+ }
+
+ /* Don't need to be called again unless we find a reason for it below */
+ StartWorkerNeeded = false;
+ HaveCrashedWorker = false;
+
+ slist_foreach_modify(iter, &BackgroundWorkerList)
+ {
+ RegisteredBgWorker *rw;
+
+ rw = slist_container(RegisteredBgWorker, rw_lnode, iter.cur);
+
+ /* ignore if already running */
+ if (rw->rw_pid != 0)
+ continue;
+
+ /* if marked for death, clean up and remove from list */
+ if (rw->rw_terminate)
+ {
+ ForgetBackgroundWorker(&iter);
+ continue;
+ }
+
+ /*
+ * If this worker has crashed previously, maybe it needs to be
+ * restarted (unless on registration it specified it doesn't want to
+ * be restarted at all). Check how long ago did a crash last happen.
+ * If the last crash is too recent, don't start it right away; let it
+ * be restarted once enough time has passed.
+ */
+ if (rw->rw_crashed_at != 0)
+ {
+ if (rw->rw_worker.bgw_restart_time == BGW_NEVER_RESTART)
+ {
+ int notify_pid;
+
+ notify_pid = rw->rw_worker.bgw_notify_pid;
+
+ ForgetBackgroundWorker(&iter);
+
+ /* Report worker is gone now. */
+ if (notify_pid != 0)
+ kill(notify_pid, SIGUSR1);
+
+ continue;
+ }
+
+ /* read system time only when needed */
+ if (now == 0)
+ now = GetCurrentTimestamp();
+
+ if (!TimestampDifferenceExceeds(rw->rw_crashed_at, now,
+ rw->rw_worker.bgw_restart_time * 1000))
+ {
+ /* Set flag to remember that we have workers to start later */
+ HaveCrashedWorker = true;
+ continue;
+ }
+ }
+
+ if (bgworker_should_start_now(rw->rw_worker.bgw_start_time))
+ {
+ /* reset crash time before trying to start worker */
+ rw->rw_crashed_at = 0;
+
+ /*
+ * Try to start the worker.
+ *
+ * On failure, give up processing workers for now, but set
+ * StartWorkerNeeded so we'll come back here on the next iteration
+ * of ServerLoop to try again. (We don't want to wait, because
+ * there might be additional ready-to-run workers.) We could set
+ * HaveCrashedWorker as well, since this worker is now marked
+ * crashed, but there's no need because the next run of this
+ * function will do that.
+ */
+ if (!do_start_bgworker(rw))
+ {
+ StartWorkerNeeded = true;
+ return;
+ }
+
+ /*
+ * If we've launched as many workers as allowed, quit, but have
+ * ServerLoop call us again to look for additional ready-to-run
+ * workers. There might not be any, but we'll find out the next
+ * time we run.
+ */
+ if (++num_launched >= MAX_BGWORKERS_TO_LAUNCH)
+ {
+ StartWorkerNeeded = true;
+ return;
+ }
+ }
+ }
+}
+
+/*
+ * When a backend asks to be notified about worker state changes, we
+ * set a flag in its backend entry. The background worker machinery needs
+ * to know when such backends exit.
+ */
+bool
+PostmasterMarkPIDForWorkerNotify(int pid)
+{
+ dlist_iter iter;
+ Backend *bp;
+
+ dlist_foreach(iter, &BackendList)
+ {
+ bp = dlist_container(Backend, elem, iter.cur);
+ if (bp->pid == pid)
+ {
+ bp->bgworker_notify = true;
+ return true;
+ }
+ }
+ return false;
+}
+
+#ifdef EXEC_BACKEND
+
+/*
+ * The following need to be available to the save/restore_backend_variables
+ * functions. They are marked NON_EXEC_STATIC in their home modules.
+ */
+extern slock_t *ShmemLock;
+extern slock_t *ProcStructLock;
+extern PGPROC *AuxiliaryProcs;
+extern PMSignalData *PMSignalState;
+extern pg_time_t first_syslogger_file_time;
+
+#ifndef WIN32
+#define write_inheritable_socket(dest, src, childpid) ((*(dest) = (src)), true)
+#define read_inheritable_socket(dest, src) (*(dest) = *(src))
+#else
+static bool write_duplicated_handle(HANDLE *dest, HANDLE src, HANDLE child);
+static bool write_inheritable_socket(InheritableSocket *dest, SOCKET src,
+ pid_t childPid);
+static void read_inheritable_socket(SOCKET *dest, InheritableSocket *src);
+#endif
+
+
+/* Save critical backend variables into the BackendParameters struct */
+#ifndef WIN32
+static bool
+save_backend_variables(BackendParameters *param, Port *port)
+#else
+static bool
+save_backend_variables(BackendParameters *param, Port *port,
+ HANDLE childProcess, pid_t childPid)
+#endif
+{
+ memcpy(&param->port, port, sizeof(Port));
+ if (!write_inheritable_socket(&param->portsocket, port->sock, childPid))
+ return false;
+
+ strlcpy(param->DataDir, DataDir, MAXPGPATH);
+
+ memcpy(&param->ListenSocket, &ListenSocket, sizeof(ListenSocket));
+
+ param->MyCancelKey = MyCancelKey;
+ param->MyPMChildSlot = MyPMChildSlot;
+
+#ifdef WIN32
+ param->ShmemProtectiveRegion = ShmemProtectiveRegion;
+#endif
+ param->UsedShmemSegID = UsedShmemSegID;
+ param->UsedShmemSegAddr = UsedShmemSegAddr;
+
+ param->ShmemLock = ShmemLock;
+ param->ShmemVariableCache = ShmemVariableCache;
+ param->ShmemBackendArray = ShmemBackendArray;
+
+#ifndef HAVE_SPINLOCKS
+ param->SpinlockSemaArray = SpinlockSemaArray;
+#endif
+ param->NamedLWLockTrancheRequests = NamedLWLockTrancheRequests;
+ param->NamedLWLockTrancheArray = NamedLWLockTrancheArray;
+ param->MainLWLockArray = MainLWLockArray;
+ param->ProcStructLock = ProcStructLock;
+ param->ProcGlobal = ProcGlobal;
+ param->AuxiliaryProcs = AuxiliaryProcs;
+ param->PreparedXactProcs = PreparedXactProcs;
+ param->PMSignalState = PMSignalState;
+
+ param->PostmasterPid = PostmasterPid;
+ param->PgStartTime = PgStartTime;
+ param->PgReloadTime = PgReloadTime;
+ param->first_syslogger_file_time = first_syslogger_file_time;
+
+ param->redirection_done = redirection_done;
+ param->IsBinaryUpgrade = IsBinaryUpgrade;
+ param->query_id_enabled = query_id_enabled;
+ param->max_safe_fds = max_safe_fds;
+
+ param->MaxBackends = MaxBackends;
+
+#ifdef WIN32
+ param->PostmasterHandle = PostmasterHandle;
+ if (!write_duplicated_handle(&param->initial_signal_pipe,
+ pgwin32_create_signal_listener(childPid),
+ childProcess))
+ return false;
+#else
+ memcpy(&param->postmaster_alive_fds, &postmaster_alive_fds,
+ sizeof(postmaster_alive_fds));
+#endif
+
+ memcpy(&param->syslogPipe, &syslogPipe, sizeof(syslogPipe));
+
+ strlcpy(param->my_exec_path, my_exec_path, MAXPGPATH);
+
+ strlcpy(param->pkglib_path, pkglib_path, MAXPGPATH);
+
+ return true;
+}
+
+
+#ifdef WIN32
+/*
+ * Duplicate a handle for usage in a child process, and write the child
+ * process instance of the handle to the parameter file.
+ */
+static bool
+write_duplicated_handle(HANDLE *dest, HANDLE src, HANDLE childProcess)
+{
+ HANDLE hChild = INVALID_HANDLE_VALUE;
+
+ if (!DuplicateHandle(GetCurrentProcess(),
+ src,
+ childProcess,
+ &hChild,
+ 0,
+ TRUE,
+ DUPLICATE_CLOSE_SOURCE | DUPLICATE_SAME_ACCESS))
+ {
+ ereport(LOG,
+ (errmsg_internal("could not duplicate handle to be written to backend parameter file: error code %lu",
+ GetLastError())));
+ return false;
+ }
+
+ *dest = hChild;
+ return true;
+}
+
+/*
+ * Duplicate a socket for usage in a child process, and write the resulting
+ * structure to the parameter file.
+ * This is required because a number of LSPs (Layered Service Providers) very
+ * common on Windows (antivirus, firewalls, download managers etc) break
+ * straight socket inheritance.
+ */
+static bool
+write_inheritable_socket(InheritableSocket *dest, SOCKET src, pid_t childpid)
+{
+ dest->origsocket = src;
+ if (src != 0 && src != PGINVALID_SOCKET)
+ {
+ /* Actual socket */
+ if (WSADuplicateSocket(src, childpid, &dest->wsainfo) != 0)
+ {
+ ereport(LOG,
+ (errmsg("could not duplicate socket %d for use in backend: error code %d",
+ (int) src, WSAGetLastError())));
+ return false;
+ }
+ }
+ return true;
+}
+
+/*
+ * Read a duplicate socket structure back, and get the socket descriptor.
+ */
+static void
+read_inheritable_socket(SOCKET *dest, InheritableSocket *src)
+{
+ SOCKET s;
+
+ if (src->origsocket == PGINVALID_SOCKET || src->origsocket == 0)
+ {
+ /* Not a real socket! */
+ *dest = src->origsocket;
+ }
+ else
+ {
+ /* Actual socket, so create from structure */
+ s = WSASocket(FROM_PROTOCOL_INFO,
+ FROM_PROTOCOL_INFO,
+ FROM_PROTOCOL_INFO,
+ &src->wsainfo,
+ 0,
+ 0);
+ if (s == INVALID_SOCKET)
+ {
+ write_stderr("could not create inherited socket: error code %d\n",
+ WSAGetLastError());
+ exit(1);
+ }
+ *dest = s;
+
+ /*
+ * To make sure we don't get two references to the same socket, close
+ * the original one. (This would happen when inheritance actually
+ * works..
+ */
+ closesocket(src->origsocket);
+ }
+}
+#endif
+
+static void
+read_backend_variables(char *id, Port *port)
+{
+ BackendParameters param;
+
+#ifndef WIN32
+ /* Non-win32 implementation reads from file */
+ FILE *fp;
+
+ /* Open file */
+ fp = AllocateFile(id, PG_BINARY_R);
+ if (!fp)
+ {
+ write_stderr("could not open backend variables file \"%s\": %s\n",
+ id, strerror(errno));
+ exit(1);
+ }
+
+ if (fread(&param, sizeof(param), 1, fp) != 1)
+ {
+ write_stderr("could not read from backend variables file \"%s\": %s\n",
+ id, strerror(errno));
+ exit(1);
+ }
+
+ /* Release file */
+ FreeFile(fp);
+ if (unlink(id) != 0)
+ {
+ write_stderr("could not remove file \"%s\": %s\n",
+ id, strerror(errno));
+ exit(1);
+ }
+#else
+ /* Win32 version uses mapped file */
+ HANDLE paramHandle;
+ BackendParameters *paramp;
+
+#ifdef _WIN64
+ paramHandle = (HANDLE) _atoi64(id);
+#else
+ paramHandle = (HANDLE) atol(id);
+#endif
+ paramp = MapViewOfFile(paramHandle, FILE_MAP_READ, 0, 0, 0);
+ if (!paramp)
+ {
+ write_stderr("could not map view of backend variables: error code %lu\n",
+ GetLastError());
+ exit(1);
+ }
+
+ memcpy(&param, paramp, sizeof(BackendParameters));
+
+ if (!UnmapViewOfFile(paramp))
+ {
+ write_stderr("could not unmap view of backend variables: error code %lu\n",
+ GetLastError());
+ exit(1);
+ }
+
+ if (!CloseHandle(paramHandle))
+ {
+ write_stderr("could not close handle to backend parameter variables: error code %lu\n",
+ GetLastError());
+ exit(1);
+ }
+#endif
+
+ restore_backend_variables(&param, port);
+}
+
+/* Restore critical backend variables from the BackendParameters struct */
+static void
+restore_backend_variables(BackendParameters *param, Port *port)
+{
+ memcpy(port, &param->port, sizeof(Port));
+ read_inheritable_socket(&port->sock, &param->portsocket);
+
+ SetDataDir(param->DataDir);
+
+ memcpy(&ListenSocket, &param->ListenSocket, sizeof(ListenSocket));
+
+ MyCancelKey = param->MyCancelKey;
+ MyPMChildSlot = param->MyPMChildSlot;
+
+#ifdef WIN32
+ ShmemProtectiveRegion = param->ShmemProtectiveRegion;
+#endif
+ UsedShmemSegID = param->UsedShmemSegID;
+ UsedShmemSegAddr = param->UsedShmemSegAddr;
+
+ ShmemLock = param->ShmemLock;
+ ShmemVariableCache = param->ShmemVariableCache;
+ ShmemBackendArray = param->ShmemBackendArray;
+
+#ifndef HAVE_SPINLOCKS
+ SpinlockSemaArray = param->SpinlockSemaArray;
+#endif
+ NamedLWLockTrancheRequests = param->NamedLWLockTrancheRequests;
+ NamedLWLockTrancheArray = param->NamedLWLockTrancheArray;
+ MainLWLockArray = param->MainLWLockArray;
+ ProcStructLock = param->ProcStructLock;
+ ProcGlobal = param->ProcGlobal;
+ AuxiliaryProcs = param->AuxiliaryProcs;
+ PreparedXactProcs = param->PreparedXactProcs;
+ PMSignalState = param->PMSignalState;
+
+ PostmasterPid = param->PostmasterPid;
+ PgStartTime = param->PgStartTime;
+ PgReloadTime = param->PgReloadTime;
+ first_syslogger_file_time = param->first_syslogger_file_time;
+
+ redirection_done = param->redirection_done;
+ IsBinaryUpgrade = param->IsBinaryUpgrade;
+ query_id_enabled = param->query_id_enabled;
+ max_safe_fds = param->max_safe_fds;
+
+ MaxBackends = param->MaxBackends;
+
+#ifdef WIN32
+ PostmasterHandle = param->PostmasterHandle;
+ pgwin32_initial_signal_pipe = param->initial_signal_pipe;
+#else
+ memcpy(&postmaster_alive_fds, &param->postmaster_alive_fds,
+ sizeof(postmaster_alive_fds));
+#endif
+
+ memcpy(&syslogPipe, &param->syslogPipe, sizeof(syslogPipe));
+
+ strlcpy(my_exec_path, param->my_exec_path, MAXPGPATH);
+
+ strlcpy(pkglib_path, param->pkglib_path, MAXPGPATH);
+
+ /*
+ * We need to restore fd.c's counts of externally-opened FDs; to avoid
+ * confusion, be sure to do this after restoring max_safe_fds. (Note:
+ * BackendInitialize will handle this for port->sock.)
+ */
+#ifndef WIN32
+ if (postmaster_alive_fds[0] >= 0)
+ ReserveExternalFD();
+ if (postmaster_alive_fds[1] >= 0)
+ ReserveExternalFD();
+#endif
+}
+
+
+Size
+ShmemBackendArraySize(void)
+{
+ return mul_size(MaxLivePostmasterChildren(), sizeof(Backend));
+}
+
+void
+ShmemBackendArrayAllocation(void)
+{
+ Size size = ShmemBackendArraySize();
+
+ ShmemBackendArray = (Backend *) ShmemAlloc(size);
+ /* Mark all slots as empty */
+ memset(ShmemBackendArray, 0, size);
+}
+
+static void
+ShmemBackendArrayAdd(Backend *bn)
+{
+ /* The array slot corresponding to my PMChildSlot should be free */
+ int i = bn->child_slot - 1;
+
+ Assert(ShmemBackendArray[i].pid == 0);
+ ShmemBackendArray[i] = *bn;
+}
+
+static void
+ShmemBackendArrayRemove(Backend *bn)
+{
+ int i = bn->child_slot - 1;
+
+ Assert(ShmemBackendArray[i].pid == bn->pid);
+ /* Mark the slot as empty */
+ ShmemBackendArray[i].pid = 0;
+}
+#endif /* EXEC_BACKEND */
+
+
+#ifdef WIN32
+
+/*
+ * Subset implementation of waitpid() for Windows. We assume pid is -1
+ * (that is, check all child processes) and options is WNOHANG (don't wait).
+ */
+static pid_t
+waitpid(pid_t pid, int *exitstatus, int options)
+{
+ win32_deadchild_waitinfo *childinfo;
+ DWORD exitcode;
+ DWORD dwd;
+ ULONG_PTR key;
+ OVERLAPPED *ovl;
+
+ /* Try to consume one win32_deadchild_waitinfo from the queue. */
+ if (!GetQueuedCompletionStatus(win32ChildQueue, &dwd, &key, &ovl, 0))
+ {
+ errno = EAGAIN;
+ return -1;
+ }
+
+ childinfo = (win32_deadchild_waitinfo *) key;
+ pid = childinfo->procId;
+
+ /*
+ * Remove handle from wait - required even though it's set to wait only
+ * once
+ */
+ UnregisterWaitEx(childinfo->waitHandle, NULL);
+
+ if (!GetExitCodeProcess(childinfo->procHandle, &exitcode))
+ {
+ /*
+ * Should never happen. Inform user and set a fixed exitcode.
+ */
+ write_stderr("could not read exit code for process\n");
+ exitcode = 255;
+ }
+ *exitstatus = exitcode;
+
+ /*
+ * Close the process handle. Only after this point can the PID can be
+ * recycled by the kernel.
+ */
+ CloseHandle(childinfo->procHandle);
+
+ /*
+ * Free struct that was allocated before the call to
+ * RegisterWaitForSingleObject()
+ */
+ pfree(childinfo);
+
+ return pid;
+}
+
+/*
+ * Note! Code below executes on a thread pool! All operations must
+ * be thread safe! Note that elog() and friends must *not* be used.
+ */
+static void WINAPI
+pgwin32_deadchild_callback(PVOID lpParameter, BOOLEAN TimerOrWaitFired)
+{
+ /* Should never happen, since we use INFINITE as timeout value. */
+ if (TimerOrWaitFired)
+ return;
+
+ /*
+ * Post the win32_deadchild_waitinfo object for waitpid() to deal with. If
+ * that fails, we leak the object, but we also leak a whole process and
+ * get into an unrecoverable state, so there's not much point in worrying
+ * about that. We'd like to panic, but we can't use that infrastructure
+ * from this thread.
+ */
+ if (!PostQueuedCompletionStatus(win32ChildQueue,
+ 0,
+ (ULONG_PTR) lpParameter,
+ NULL))
+ write_stderr("could not post child completion status\n");
+
+ /* Queue SIGCHLD signal. */
+ pg_queue_signal(SIGCHLD);
+}
+#endif /* WIN32 */
+
+/*
+ * Initialize one and only handle for monitoring postmaster death.
+ *
+ * Called once in the postmaster, so that child processes can subsequently
+ * monitor if their parent is dead.
+ */
+static void
+InitPostmasterDeathWatchHandle(void)
+{
+#ifndef WIN32
+
+ /*
+ * Create a pipe. Postmaster holds the write end of the pipe open
+ * (POSTMASTER_FD_OWN), and children hold the read end. Children can pass
+ * the read file descriptor to select() to wake up in case postmaster
+ * dies, or check for postmaster death with a (read() == 0). Children must
+ * close the write end as soon as possible after forking, because EOF
+ * won't be signaled in the read end until all processes have closed the
+ * write fd. That is taken care of in ClosePostmasterPorts().
+ */
+ Assert(MyProcPid == PostmasterPid);
+ if (pipe(postmaster_alive_fds) < 0)
+ ereport(FATAL,
+ (errcode_for_file_access(),
+ errmsg_internal("could not create pipe to monitor postmaster death: %m")));
+
+ /* Notify fd.c that we've eaten two FDs for the pipe. */
+ ReserveExternalFD();
+ ReserveExternalFD();
+
+ /*
+ * Set O_NONBLOCK to allow testing for the fd's presence with a read()
+ * call.
+ */
+ if (fcntl(postmaster_alive_fds[POSTMASTER_FD_WATCH], F_SETFL, O_NONBLOCK) == -1)
+ ereport(FATAL,
+ (errcode_for_socket_access(),
+ errmsg_internal("could not set postmaster death monitoring pipe to nonblocking mode: %m")));
+#else
+
+ /*
+ * On Windows, we use a process handle for the same purpose.
+ */
+ if (DuplicateHandle(GetCurrentProcess(),
+ GetCurrentProcess(),
+ GetCurrentProcess(),
+ &PostmasterHandle,
+ 0,
+ TRUE,
+ DUPLICATE_SAME_ACCESS) == 0)
+ ereport(FATAL,
+ (errmsg_internal("could not duplicate postmaster handle: error code %lu",
+ GetLastError())));
+#endif /* WIN32 */
+}