Add amcheck corruption checks (c1/c2), rename buffercache to m1#89
Merged
Add amcheck corruption checks (c1/c2), rename buffercache to m1#89
Conversation
- c1: B-tree index integrity check (bt_index_check, non-blocking, safe for production) - c2: Full B-tree + heap integrity check (bt_index_parent_check + verify_heapam, takes locks) - Both handle: missing extension, insufficient privileges, PG version differences - bt_index_parent_check(checkunique) on PG14+, rootdescend on PG11+ - verify_heapam with TOAST checking on PG14+ - Rename c1_buffercache.sql -> m1_buffercache.sql (memory group) - Add amcheck extension to CI test matrix - Tested on PG13 and PG17, superuser and non-superuser
![tembo[bot]](https://avatars.githubusercontent.com/in/1223475?s=60&v=4){kind=small}
| psql -h localhost -U postgres -d test -c 'CREATE EXTENSION IF NOT EXISTS pg_buffercache;' | ||
| psql -h localhost -U postgres -d test -c 'CREATE EXTENSION IF NOT EXISTS amcheck;' | ||
| # amcheck needs execute privileges for non-superusers | ||
| psql -h localhost -U postgres -d test -c 'GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA public TO PUBLIC;' |
There was a problem hiding this comment.
Granting execute to public in CI feels broader than needed and can mask permission issues. Since you already create dba_user, I'd target that role (and move this grant after the user is created).
Suggested change
| psql -h localhost -U postgres -d test -c 'GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA public TO PUBLIC;' | |
| psql -h localhost -U postgres -d test -c 'GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA public TO dba_user;' |
| order by n.nspname, t.relname, c.relname | ||
| loop | ||
| begin | ||
| perform bt_index_check(rec.index_oid); |
There was a problem hiding this comment.
Minor: casting to regclass here avoids any ambiguity around the function signature.
Suggested change
| perform bt_index_check(rec.index_oid); | |
| perform bt_index_check(rec.index_oid::regclass); |
Comment on lines
+90
to
+98
| where c.relkind = 'r' | ||
| and n.nspname not in ('pg_catalog', 'information_schema') | ||
| and c.relpersistence != 't' | ||
| order by n.nspname, c.relname | ||
| loop | ||
| has_errors := false; | ||
| begin | ||
| for corruption in | ||
| select * from verify_heapam(rec.table_oid, check_toast := true) |
There was a problem hiding this comment.
Heap loop currently includes pg_toast tables, and verify_heapam(..., check_toast := true) already traverses TOAST. Excluding the pg_toast schema avoids redundant work/noise. Also, explicit regclass cast keeps the call unambiguous.
Suggested change
| where c.relkind = 'r' | |
| and n.nspname not in ('pg_catalog', 'information_schema') | |
| and c.relpersistence != 't' | |
| order by n.nspname, c.relname | |
| loop | |
| has_errors := false; | |
| begin | |
| for corruption in | |
| select * from verify_heapam(rec.table_oid, check_toast := true) | |
| where c.relkind = 'r' | |
| and n.nspname not in ('pg_catalog', 'information_schema') | |
| and n.nspname !~ '^pg_toast' | |
| and c.relpersistence != 't' | |
| order by n.nspname, c.relname | |
| loop | |
| has_errors := false; | |
| begin | |
| for corruption in | |
| select * from verify_heapam(rec.table_oid::regclass, check_toast := true) |
Comment on lines
+53
to
+71
| order by pg_relation_size(c.oid) asc -- smallest first | ||
| loop | ||
| begin | ||
| if pg_version >= 140000 then | ||
| perform bt_index_parent_check( | ||
| rec.index_oid, | ||
| heapallindexed := true, | ||
| rootdescend := true, | ||
| checkunique := true | ||
| ); | ||
| elsif pg_version >= 110000 then | ||
| perform bt_index_parent_check( | ||
| rec.index_oid, | ||
| heapallindexed := true, | ||
| rootdescend := true | ||
| ); | ||
| else | ||
| perform bt_index_parent_check(rec.index_oid, heapallindexed := true); | ||
| end if; |
There was a problem hiding this comment.
Two small things here: order by pg_relation_size(...) recalculates work you already selected as index_size, and casting to regclass makes the amcheck calls a bit more robust.
Suggested change
| order by pg_relation_size(c.oid) asc -- smallest first | |
| loop | |
| begin | |
| if pg_version >= 140000 then | |
| perform bt_index_parent_check( | |
| rec.index_oid, | |
| heapallindexed := true, | |
| rootdescend := true, | |
| checkunique := true | |
| ); | |
| elsif pg_version >= 110000 then | |
| perform bt_index_parent_check( | |
| rec.index_oid, | |
| heapallindexed := true, | |
| rootdescend := true | |
| ); | |
| else | |
| perform bt_index_parent_check(rec.index_oid, heapallindexed := true); | |
| end if; | |
| order by index_size asc -- smallest first | |
| loop | |
| begin | |
| if pg_version >= 140000 then | |
| perform bt_index_parent_check( | |
| rec.index_oid::regclass, | |
| heapallindexed := true, | |
| rootdescend := true, | |
| checkunique := true | |
| ); | |
| elsif pg_version >= 110000 then | |
| perform bt_index_parent_check( | |
| rec.index_oid::regclass, | |
| heapallindexed := true, | |
| rootdescend := true | |
| ); | |
| else | |
| perform bt_index_parent_check(rec.index_oid::regclass, heapallindexed := true); | |
| end if; |
Comment on lines
+110
to
+119
| where c.relkind = 'r' | ||
| and n.nspname not in ('pg_catalog', 'information_schema') | ||
| and c.relpersistence != 't' | ||
| order by n.nspname, c.relname | ||
| loop | ||
| has_errors := false; | ||
| begin | ||
| for corruption in | ||
| select * from verify_heapam( | ||
| rec.table_oid, |
There was a problem hiding this comment.
Similar to c1: this will also iterate over pg_toast tables directly (while check_toast := true already checks TOAST). Excluding pg_toast reduces redundant work/noise, and regclass cast makes the call unambiguous.
Suggested change
| where c.relkind = 'r' | |
| and n.nspname not in ('pg_catalog', 'information_schema') | |
| and c.relpersistence != 't' | |
| order by n.nspname, c.relname | |
| loop | |
| has_errors := false; | |
| begin | |
| for corruption in | |
| select * from verify_heapam( | |
| rec.table_oid, | |
| where c.relkind = 'r' | |
| and n.nspname not in ('pg_catalog', 'information_schema') | |
| and n.nspname !~ '^pg_toast' | |
| and c.relpersistence != 't' | |
| order by n.nspname, c.relname | |
| loop | |
| has_errors := false; | |
| begin | |
| for corruption in | |
| select * from verify_heapam( | |
| rec.table_oid::regclass, |
Comment on lines
+73
to
+83
| exception | ||
| when insufficient_privilege then | ||
| raise notice '⚠️ Permission denied for %.% — need superuser or amcheck privileges', rec.schema_name, rec.index_name; | ||
| skip_count := skip_count + 1; | ||
| when others then | ||
| raise warning '❌ CORRUPTION in %.% (table %.%, size %): %', | ||
| rec.schema_name, rec.index_name, | ||
| rec.schema_name, rec.table_name, | ||
| pg_size_pretty(rec.index_size), | ||
| sqlerrm; | ||
| err_count := err_count + 1; |
There was a problem hiding this comment.
when others treats any failure as corruption. For c2 (explicitly lock-heavy), it might be nicer to treat lock/cancel/timeout cases as “skipped” so they don’t look like integrity failures.
Suggested change
| exception | |
| when insufficient_privilege then | |
| raise notice '⚠️ Permission denied for %.% — need superuser or amcheck privileges', rec.schema_name, rec.index_name; | |
| skip_count := skip_count + 1; | |
| when others then | |
| raise warning '❌ CORRUPTION in %.% (table %.%, size %): %', | |
| rec.schema_name, rec.index_name, | |
| rec.schema_name, rec.table_name, | |
| pg_size_pretty(rec.index_size), | |
| sqlerrm; | |
| err_count := err_count + 1; | |
| exception | |
| when insufficient_privilege then | |
| raise notice '⚠️ Permission denied for %.% — need superuser or amcheck privileges', rec.schema_name, rec.index_name; | |
| skip_count := skip_count + 1; | |
| when lock_not_available or deadlock_detected or query_canceled then | |
| raise notice '⚠️ Skipping %.% due to lock/cancel: %', rec.schema_name, rec.index_name, sqlerrm; | |
| skip_count := skip_count + 1; | |
| when others then | |
| raise warning '❌ CORRUPTION in %.% (table %.%, size %): %', | |
| rec.schema_name, rec.index_name, | |
| rec.schema_name, rec.table_name, | |
| pg_size_pretty(rec.index_size), | |
| sqlerrm; | |
| err_count := err_count + 1; |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Changes
New reports
bt_index_check()— lightweight, only takes AccessShareLockverify_heapam()for heap corruption detectionbt_index_parent_check(heapallindexed := true)— checks parent-child consistency, sibling pointers, all heap tuples indexedcheckuniqueon PG14+,rootdescendon PG11+verify_heapam()with full TOAST checkingRename
c1_buffercache.sql→m1_buffercache.sql(new "memory" group, freescprefix for corruption)Robustness
CI
Testing