• Michael Paquier's avatar
    Prevent hard failures of standbys caused by recycled WAL segments · 70b4f82a
    Michael Paquier authored
    When a standby's WAL receiver stops reading WAL from a WAL stream, it
    writes data to the current WAL segment without having priorily zero'ed
    the page currently written to, which can cause the WAL reader to read
    junk data from a past recycled segment and then it would try to get a
    record from it.  While sanity checks in place provide most of the
    protection needed, in some rare circumstances, with chances increasing
    when a record header crosses a page boundary, then the startup process
    could fail violently on an allocation failure, as follows:
    FATAL:  invalid memory alloc request size XXX
    
    This is confusing for the user and also unhelpful as this requires in
    the worst case a manual restart of the instance, impacting potentially
    the availability of the cluster, and this also makes WAL data look like
    it is in a corrupted state.
    
    The chances of seeing failures are higher if the connection between the
    standby and its root node is unstable, causing WAL pages to be written
    in the middle.  A couple of approaches have been discussed, like
    zero-ing  new WAL pages within the WAL receiver itself but this has the
    disadvantage of impacting performance of any existing instances as this
    breaks the sequential writes done by the WAL receiver.  This commit
    deals with the problem with a more simple approach, which has no
    performance impact without reducing the detection of the problem: if a
    record is found with a length higher than 1GB for backends, then do not
    try any allocation and report a soft failure which will force the
    standby to retry reading WAL.  It could be possible that the allocation
    call passes and that an unnecessary amount of memory is allocated,
    however follow-up checks on records would just fail, making this
    allocation short-lived anyway.
    
    This patch owes a great deal to Tsunakawa Takayuki for reporting the
    failure first, and then discussing a couple of potential approaches to
    the problem.
    
    Backpatch down to 9.5, which is where palloc_extended has been
    introduced.
    
    Reported-by: Tsunakawa Takayuki
    Reviewed-by: Tsunakawa Takayuki
    Author: Michael Paquier
    Discussion: https://postgr.es/m/0A3221C70F24FB45833433255569204D1F8B57AD@G01JPEXMBYT05
    70b4f82a
xlogreader.c 39.7 KB