summaryrefslogtreecommitdiffstats
path: root/doc/src/sgml/html/amcheck.html
diff options
context:
space:
mode:
Diffstat (limited to 'doc/src/sgml/html/amcheck.html')
-rw-r--r--doc/src/sgml/html/amcheck.html377
1 files changed, 377 insertions, 0 deletions
diff --git a/doc/src/sgml/html/amcheck.html b/doc/src/sgml/html/amcheck.html
new file mode 100644
index 0000000..97a929a
--- /dev/null
+++ b/doc/src/sgml/html/amcheck.html
@@ -0,0 +1,377 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>F.2. amcheck</title><link rel="stylesheet" type="text/css" href="stylesheet.css" /><link rev="made" href="pgsql-docs@lists.postgresql.org" /><meta name="generator" content="DocBook XSL Stylesheets Vsnapshot" /><link rel="prev" href="adminpack.html" title="F.1. adminpack" /><link rel="next" href="auth-delay.html" title="F.3. auth_delay" /></head><body id="docContent" class="container-fluid col-10"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="5" align="center">F.2. amcheck</th></tr><tr><td width="10%" align="left"><a accesskey="p" href="adminpack.html" title="F.1. adminpack">Prev</a> </td><td width="10%" align="left"><a accesskey="u" href="contrib.html" title="Appendix F. Additional Supplied Modules">Up</a></td><th width="60%" align="center">Appendix F. Additional Supplied Modules</th><td width="10%" align="right"><a accesskey="h" href="index.html" title="PostgreSQL 15.5 Documentation">Home</a></td><td width="10%" align="right"> <a accesskey="n" href="auth-delay.html" title="F.3. auth_delay">Next</a></td></tr></table><hr /></div><div class="sect1" id="AMCHECK"><div class="titlepage"><div><div><h2 class="title" style="clear: both">F.2. amcheck</h2></div></div></div><div class="toc"><dl class="toc"><dt><span class="sect2"><a href="amcheck.html#id-1.11.7.11.8">F.2.1. Functions</a></span></dt><dt><span class="sect2"><a href="amcheck.html#id-1.11.7.11.9">F.2.2. Optional <em class="parameter"><code>heapallindexed</code></em> Verification</a></span></dt><dt><span class="sect2"><a href="amcheck.html#id-1.11.7.11.10">F.2.3. Using <code class="filename">amcheck</code> Effectively</a></span></dt><dt><span class="sect2"><a href="amcheck.html#id-1.11.7.11.11">F.2.4. Repairing Corruption</a></span></dt></dl></div><a id="id-1.11.7.11.2" class="indexterm"></a><p>
+ The <code class="filename">amcheck</code> module provides functions that allow you to
+ verify the logical consistency of the structure of relations.
+ </p><p>
+ The B-Tree checking functions verify various <span class="emphasis"><em>invariants</em></span> in the
+ structure of the representation of particular relations. The
+ correctness of the access method functions behind index scans and
+ other important operations relies on these invariants always
+ holding. For example, certain functions verify, among other things,
+ that all B-Tree pages have items in <span class="quote">“<span class="quote">logical</span>”</span> order (e.g.,
+ for B-Tree indexes on <code class="type">text</code>, index tuples should be in
+ collated lexical order). If that particular invariant somehow fails
+ to hold, we can expect binary searches on the affected page to
+ incorrectly guide index scans, resulting in wrong answers to SQL
+ queries. If the structure appears to be valid, no error is raised.
+ </p><p>
+ Verification is performed using the same procedures as those used by
+ index scans themselves, which may be user-defined operator class
+ code. For example, B-Tree index verification relies on comparisons
+ made with one or more B-Tree support function 1 routines. See <a class="xref" href="xindex.html#XINDEX-SUPPORT" title="38.16.3. Index Method Support Routines">Section 38.16.3</a> for details of operator class support
+ functions.
+ </p><p>
+ Unlike the B-Tree checking functions which report corruption by raising
+ errors, the heap checking function <code class="function">verify_heapam</code> checks
+ a table and attempts to return a set of rows, one row per corruption
+ detected. Despite this, if facilities that
+ <code class="function">verify_heapam</code> relies upon are themselves corrupted, the
+ function may be unable to continue and may instead raise an error.
+ </p><p>
+ Permission to execute <code class="filename">amcheck</code> functions may be granted
+ to non-superusers, but before granting such permissions careful consideration
+ should be given to data security and privacy concerns. Although the
+ corruption reports generated by these functions do not focus on the contents
+ of the corrupted data so much as on the structure of that data and the nature
+ of the corruptions found, an attacker who gains permission to execute these
+ functions, particularly if the attacker can also induce corruption, might be
+ able to infer something of the data itself from such messages.
+ </p><div class="sect2" id="id-1.11.7.11.8"><div class="titlepage"><div><div><h3 class="title">F.2.1. Functions</h3></div></div></div><div class="variablelist"><dl class="variablelist"><dt><span class="term">
+ <code class="function">bt_index_check(index regclass, heapallindexed boolean) returns void</code>
+ <a id="id-1.11.7.11.8.2.1.1.2" class="indexterm"></a>
+ </span></dt><dd><p>
+ <code class="function">bt_index_check</code> tests that its target, a
+ B-Tree index, respects a variety of invariants. Example usage:
+</p><pre class="screen">
+test=# SELECT bt_index_check(index =&gt; c.oid, heapallindexed =&gt; i.indisunique),
+ c.relname,
+ c.relpages
+FROM pg_index i
+JOIN pg_opclass op ON i.indclass[0] = op.oid
+JOIN pg_am am ON op.opcmethod = am.oid
+JOIN pg_class c ON i.indexrelid = c.oid
+JOIN pg_namespace n ON c.relnamespace = n.oid
+WHERE am.amname = 'btree' AND n.nspname = 'pg_catalog'
+-- Don't check temp tables, which may be from another session:
+AND c.relpersistence != 't'
+-- Function may throw an error when this is omitted:
+AND c.relkind = 'i' AND i.indisready AND i.indisvalid
+ORDER BY c.relpages DESC LIMIT 10;
+ bt_index_check | relname | relpages
+----------------+---------------------------------+----------
+ | pg_depend_reference_index | 43
+ | pg_depend_depender_index | 40
+ | pg_proc_proname_args_nsp_index | 31
+ | pg_description_o_c_o_index | 21
+ | pg_attribute_relid_attnam_index | 14
+ | pg_proc_oid_index | 10
+ | pg_attribute_relid_attnum_index | 9
+ | pg_amproc_fam_proc_index | 5
+ | pg_amop_opr_fam_index | 5
+ | pg_amop_fam_strat_index | 5
+(10 rows)
+</pre><p>
+ This example shows a session that performs verification of the
+ 10 largest catalog indexes in the database <span class="quote">“<span class="quote">test</span>”</span>.
+ Verification of the presence of heap tuples as index tuples is
+ requested for the subset that are unique indexes. Since no
+ error is raised, all indexes tested appear to be logically
+ consistent. Naturally, this query could easily be changed to
+ call <code class="function">bt_index_check</code> for every index in the
+ database where verification is supported.
+ </p><p>
+ <code class="function">bt_index_check</code> acquires an <code class="literal">AccessShareLock</code>
+ on the target index and the heap relation it belongs to. This lock mode
+ is the same lock mode acquired on relations by simple
+ <code class="literal">SELECT</code> statements.
+ <code class="function">bt_index_check</code> does not verify invariants
+ that span child/parent relationships, but will verify the
+ presence of all heap tuples as index tuples within the index
+ when <em class="parameter"><code>heapallindexed</code></em> is
+ <code class="literal">true</code>. When a routine, lightweight test for
+ corruption is required in a live production environment, using
+ <code class="function">bt_index_check</code> often provides the best
+ trade-off between thoroughness of verification and limiting the
+ impact on application performance and availability.
+ </p></dd><dt><span class="term">
+ <code class="function">bt_index_parent_check(index regclass, heapallindexed boolean, rootdescend boolean) returns void</code>
+ <a id="id-1.11.7.11.8.2.2.1.2" class="indexterm"></a>
+ </span></dt><dd><p>
+ <code class="function">bt_index_parent_check</code> tests that its
+ target, a B-Tree index, respects a variety of invariants.
+ Optionally, when the <em class="parameter"><code>heapallindexed</code></em>
+ argument is <code class="literal">true</code>, the function verifies the
+ presence of all heap tuples that should be found within the
+ index. When the optional <em class="parameter"><code>rootdescend</code></em>
+ argument is <code class="literal">true</code>, verification re-finds
+ tuples on the leaf level by performing a new search from the
+ root page for each tuple. The checks that can be performed by
+ <code class="function">bt_index_parent_check</code> are a superset of the
+ checks that can be performed by <code class="function">bt_index_check</code>.
+ <code class="function">bt_index_parent_check</code> can be thought of as
+ a more thorough variant of <code class="function">bt_index_check</code>:
+ unlike <code class="function">bt_index_check</code>,
+ <code class="function">bt_index_parent_check</code> also checks
+ invariants that span parent/child relationships, including checking
+ that there are no missing downlinks in the index structure.
+ <code class="function">bt_index_parent_check</code> follows the general
+ convention of raising an error if it finds a logical
+ inconsistency or other problem.
+ </p><p>
+ A <code class="literal">ShareLock</code> is required on the target index by
+ <code class="function">bt_index_parent_check</code> (a
+ <code class="literal">ShareLock</code> is also acquired on the heap relation).
+ These locks prevent concurrent data modification from
+ <code class="command">INSERT</code>, <code class="command">UPDATE</code>, and <code class="command">DELETE</code>
+ commands. The locks also prevent the underlying relation from
+ being concurrently processed by <code class="command">VACUUM</code>, as well as
+ all other utility commands. Note that the function holds locks
+ only while running, not for the entire transaction.
+ </p><p>
+ <code class="function">bt_index_parent_check</code>'s additional
+ verification is more likely to detect various pathological
+ cases. These cases may involve an incorrectly implemented
+ B-Tree operator class used by the index that is checked, or,
+ hypothetically, undiscovered bugs in the underlying B-Tree index
+ access method code. Note that
+ <code class="function">bt_index_parent_check</code> cannot be used when
+ hot standby mode is enabled (i.e., on read-only physical
+ replicas), unlike <code class="function">bt_index_check</code>.
+ </p></dd></dl></div><div class="tip"><h3 class="title">Tip</h3><p>
+ <code class="function">bt_index_check</code> and
+ <code class="function">bt_index_parent_check</code> both output log
+ messages about the verification process at
+ <code class="literal">DEBUG1</code> and <code class="literal">DEBUG2</code> severity
+ levels. These messages provide detailed information about the
+ verification process that may be of interest to
+ <span class="productname">PostgreSQL</span> developers. Advanced users
+ may also find this information helpful, since it provides
+ additional context should verification actually detect an
+ inconsistency. Running:
+</p><pre class="programlisting">
+SET client_min_messages = DEBUG1;
+</pre><p>
+ in an interactive <span class="application">psql</span> session before
+ running a verification query will display messages about the
+ progress of verification with a manageable level of detail.
+ </p></div><div class="variablelist"><dl class="variablelist"><dt><span class="term">
+ <code class="function">
+ verify_heapam(relation regclass,
+ on_error_stop boolean,
+ check_toast boolean,
+ skip text,
+ startblock bigint,
+ endblock bigint,
+ blkno OUT bigint,
+ offnum OUT integer,
+ attnum OUT integer,
+ msg OUT text)
+ returns setof record
+ </code>
+ </span></dt><dd><p>
+ Checks a table, sequence, or materialized view for structural corruption,
+ where pages in the relation contain data that is invalidly formatted, and
+ for logical corruption, where pages are structurally valid but
+ inconsistent with the rest of the database cluster.
+ </p><p>
+ The following optional arguments are recognized:
+ </p><div class="variablelist"><dl class="variablelist"><dt><span class="term"><code class="literal">on_error_stop</code></span></dt><dd><p>
+ If true, corruption checking stops at the end of the first block in
+ which any corruptions are found.
+ </p><p>
+ Defaults to false.
+ </p></dd><dt><span class="term"><code class="literal">check_toast</code></span></dt><dd><p>
+ If true, toasted values are checked against the target relation's
+ TOAST table.
+ </p><p>
+ This option is known to be slow. Also, if the toast table or its
+ index is corrupt, checking it against toast values could conceivably
+ crash the server, although in many cases this would just produce an
+ error.
+ </p><p>
+ Defaults to false.
+ </p></dd><dt><span class="term"><code class="literal">skip</code></span></dt><dd><p>
+ If not <code class="literal">none</code>, corruption checking skips blocks that
+ are marked as all-visible or all-frozen, as specified.
+ Valid options are <code class="literal">all-visible</code>,
+ <code class="literal">all-frozen</code> and <code class="literal">none</code>.
+ </p><p>
+ Defaults to <code class="literal">none</code>.
+ </p></dd><dt><span class="term"><code class="literal">startblock</code></span></dt><dd><p>
+ If specified, corruption checking begins at the specified block,
+ skipping all previous blocks. It is an error to specify a
+ <em class="parameter"><code>startblock</code></em> outside the range of blocks in the
+ target table.
+ </p><p>
+ By default, checking begins at the first block.
+ </p></dd><dt><span class="term"><code class="literal">endblock</code></span></dt><dd><p>
+ If specified, corruption checking ends at the specified block,
+ skipping all remaining blocks. It is an error to specify an
+ <em class="parameter"><code>endblock</code></em> outside the range of blocks in the target
+ table.
+ </p><p>
+ By default, all blocks are checked.
+ </p></dd></dl></div><p>
+ For each corruption detected, <code class="function">verify_heapam</code> returns
+ a row with the following columns:
+ </p><div class="variablelist"><dl class="variablelist"><dt><span class="term"><code class="literal">blkno</code></span></dt><dd><p>
+ The number of the block containing the corrupt page.
+ </p></dd><dt><span class="term"><code class="literal">offnum</code></span></dt><dd><p>
+ The OffsetNumber of the corrupt tuple.
+ </p></dd><dt><span class="term"><code class="literal">attnum</code></span></dt><dd><p>
+ The attribute number of the corrupt column in the tuple, if the
+ corruption is specific to a column and not the tuple as a whole.
+ </p></dd><dt><span class="term"><code class="literal">msg</code></span></dt><dd><p>
+ A message describing the problem detected.
+ </p></dd></dl></div></dd></dl></div></div><div class="sect2" id="id-1.11.7.11.9"><div class="titlepage"><div><div><h3 class="title">F.2.2. Optional <em class="parameter"><code>heapallindexed</code></em> Verification</h3></div></div></div><p>
+ When the <em class="parameter"><code>heapallindexed</code></em> argument to B-Tree
+ verification functions is <code class="literal">true</code>, an additional
+ phase of verification is performed against the table associated with
+ the target index relation. This consists of a <span class="quote">“<span class="quote">dummy</span>”</span>
+ <code class="command">CREATE INDEX</code> operation, which checks for the
+ presence of all hypothetical new index tuples against a temporary,
+ in-memory summarizing structure (this is built when needed during
+ the basic first phase of verification). The summarizing structure
+ <span class="quote">“<span class="quote">fingerprints</span>”</span> every tuple found within the target
+ index. The high level principle behind
+ <em class="parameter"><code>heapallindexed</code></em> verification is that a new
+ index that is equivalent to the existing, target index must only
+ have entries that can be found in the existing structure.
+ </p><p>
+ The additional <em class="parameter"><code>heapallindexed</code></em> phase adds
+ significant overhead: verification will typically take several times
+ longer. However, there is no change to the relation-level locks
+ acquired when <em class="parameter"><code>heapallindexed</code></em> verification is
+ performed.
+ </p><p>
+ The summarizing structure is bound in size by
+ <code class="varname">maintenance_work_mem</code>. In order to ensure that
+ there is no more than a 2% probability of failure to detect an
+ inconsistency for each heap tuple that should be represented in the
+ index, approximately 2 bytes of memory are needed per tuple. As
+ less memory is made available per tuple, the probability of missing
+ an inconsistency slowly increases. This approach limits the
+ overhead of verification significantly, while only slightly reducing
+ the probability of detecting a problem, especially for installations
+ where verification is treated as a routine maintenance task. Any
+ single absent or malformed tuple has a new opportunity to be
+ detected with each new verification attempt.
+ </p></div><div class="sect2" id="id-1.11.7.11.10"><div class="titlepage"><div><div><h3 class="title">F.2.3. Using <code class="filename">amcheck</code> Effectively</h3></div></div></div><p>
+ <code class="filename">amcheck</code> can be effective at detecting various types of
+ failure modes that <a class="link" href="app-initdb.html#APP-INITDB-DATA-CHECKSUMS"><span class="application">data
+ checksums</span></a> will fail to catch. These include:
+
+ </p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>
+ Structural inconsistencies caused by incorrect operator class
+ implementations.
+ </p><p>
+ This includes issues caused by the comparison rules of operating
+ system collations changing. Comparisons of datums of a collatable
+ type like <code class="type">text</code> must be immutable (just as all
+ comparisons used for B-Tree index scans must be immutable), which
+ implies that operating system collation rules must never change.
+ Though rare, updates to operating system collation rules can
+ cause these issues. More commonly, an inconsistency in the
+ collation order between a primary server and a standby server is
+ implicated, possibly because the <span class="emphasis"><em>major</em></span> operating
+ system version in use is inconsistent. Such inconsistencies will
+ generally only arise on standby servers, and so can generally
+ only be detected on standby servers.
+ </p><p>
+ If a problem like this arises, it may not affect each individual
+ index that is ordered using an affected collation, simply because
+ <span class="emphasis"><em>indexed</em></span> values might happen to have the same
+ absolute ordering regardless of the behavioral inconsistency. See
+ <a class="xref" href="locale.html" title="24.1. Locale Support">Section 24.1</a> and <a class="xref" href="collation.html" title="24.2. Collation Support">Section 24.2</a> for
+ further details about how <span class="productname">PostgreSQL</span> uses
+ operating system locales and collations.
+ </p></li><li class="listitem"><p>
+ Structural inconsistencies between indexes and the heap relations
+ that are indexed (when <em class="parameter"><code>heapallindexed</code></em>
+ verification is performed).
+ </p><p>
+ There is no cross-checking of indexes against their heap relation
+ during normal operation. Symptoms of heap corruption can be subtle.
+ </p></li><li class="listitem"><p>
+ Corruption caused by hypothetical undiscovered bugs in the
+ underlying <span class="productname">PostgreSQL</span> access method
+ code, sort code, or transaction management code.
+ </p><p>
+ Automatic verification of the structural integrity of indexes
+ plays a role in the general testing of new or proposed
+ <span class="productname">PostgreSQL</span> features that could plausibly allow a
+ logical inconsistency to be introduced. Verification of table
+ structure and associated visibility and transaction status
+ information plays a similar role. One obvious testing strategy
+ is to call <code class="filename">amcheck</code> functions continuously
+ when running the standard regression tests. See <a class="xref" href="regress-run.html" title="33.1. Running the Tests">Section 33.1</a> for details on running the tests.
+ </p></li><li class="listitem"><p>
+ File system or storage subsystem faults where checksums happen to
+ simply not be enabled.
+ </p><p>
+ Note that <code class="filename">amcheck</code> examines a page as represented in some
+ shared memory buffer at the time of verification if there is only a
+ shared buffer hit when accessing the block. Consequently,
+ <code class="filename">amcheck</code> does not necessarily examine data read from the
+ file system at the time of verification. Note that when checksums are
+ enabled, <code class="filename">amcheck</code> may raise an error due to a checksum
+ failure when a corrupt block is read into a buffer.
+ </p></li><li class="listitem"><p>
+ Corruption caused by faulty RAM, or the broader memory subsystem.
+ </p><p>
+ <span class="productname">PostgreSQL</span> does not protect against correctable
+ memory errors and it is assumed you will operate using RAM that
+ uses industry standard Error Correcting Codes (ECC) or better
+ protection. However, ECC memory is typically only immune to
+ single-bit errors, and should not be assumed to provide
+ <span class="emphasis"><em>absolute</em></span> protection against failures that
+ result in memory corruption.
+ </p><p>
+ When <em class="parameter"><code>heapallindexed</code></em> verification is
+ performed, there is generally a greatly increased chance of
+ detecting single-bit errors, since strict binary equality is
+ tested, and the indexed attributes within the heap are tested.
+ </p></li></ul></div><p>
+ </p><p>
+ Structural corruption can happen due to faulty storage hardware, or
+ relation files being overwritten or modified by unrelated software.
+ This kind of corruption can also be detected with
+ <a class="link" href="checksums.html" title="30.2. Data Checksums"><span class="application">data page
+ checksums</span></a>.
+ </p><p>
+ Relation pages which are correctly formatted, internally consistent, and
+ correct relative to their own internal checksums may still contain
+ logical corruption. As such, this kind of corruption cannot be detected
+ with <span class="application">checksums</span>. Examples include toasted
+ values in the main table which lack a corresponding entry in the toast
+ table, and tuples in the main table with a Transaction ID that is older
+ than the oldest valid Transaction ID in the database or cluster.
+ </p><p>
+ Multiple causes of logical corruption have been observed in production
+ systems, including bugs in the <span class="productname">PostgreSQL</span>
+ server software, faulty and ill-conceived backup and restore tools, and
+ user error.
+ </p><p>
+ Corrupt relations are most concerning in live production environments,
+ precisely the same environments where high risk activities are least
+ welcome. For this reason, <code class="function">verify_heapam</code> has been
+ designed to diagnose corruption without undue risk. It cannot guard
+ against all causes of backend crashes, as even executing the calling
+ query could be unsafe on a badly corrupted system. Access to <a class="link" href="catalogs-overview.html" title="53.1. Overview">catalog tables</a> is performed and could
+ be problematic if the catalogs themselves are corrupted.
+ </p><p>
+ In general, <code class="filename">amcheck</code> can only prove the presence of
+ corruption; it cannot prove its absence.
+ </p></div><div class="sect2" id="id-1.11.7.11.11"><div class="titlepage"><div><div><h3 class="title">F.2.4. Repairing Corruption</h3></div></div></div><p>
+ No error concerning corruption raised by <code class="filename">amcheck</code> should
+ ever be a false positive. <code class="filename">amcheck</code> raises
+ errors in the event of conditions that, by definition, should never
+ happen, and so careful analysis of <code class="filename">amcheck</code>
+ errors is often required.
+ </p><p>
+ There is no general method of repairing problems that
+ <code class="filename">amcheck</code> detects. An explanation for the root cause of
+ an invariant violation should be sought. <a class="xref" href="pageinspect.html" title="F.25. pageinspect">pageinspect</a> may play a useful role in diagnosing
+ corruption that <code class="filename">amcheck</code> detects. A <code class="command">REINDEX</code>
+ may not be effective in repairing corruption.
+ </p></div></div><div class="navfooter"><hr /><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="adminpack.html" title="F.1. adminpack">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="contrib.html" title="Appendix F. Additional Supplied Modules">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="auth-delay.html" title="F.3. auth_delay">Next</a></td></tr><tr><td width="40%" align="left" valign="top">F.1. adminpack </td><td width="20%" align="center"><a accesskey="h" href="index.html" title="PostgreSQL 15.5 Documentation">Home</a></td><td width="40%" align="right" valign="top"> F.3. auth_delay</td></tr></table></div></body></html> \ No newline at end of file
generated by cgit v1.2.3 (git 2.39.1) at 2024-11-22 13:05:26 +0000