1 <!-- doc/src/sgml/amcheck.sgml -->
3 <sect1 id="amcheck" xreflabel="amcheck">
6 <indexterm zone="amcheck">
7 <primary>amcheck</primary>
11 The <filename>amcheck</filename> module provides functions that allow you to
12 verify the logical consistency of the structure of relations. If the
13 structure appears to be valid, no error is raised.
17 The functions verify various <emphasis>invariants</emphasis> in the
18 structure of the representation of particular relations. The
19 correctness of the access method functions behind index scans and
20 other important operations relies on these invariants always
21 holding. For example, certain functions verify, among other things,
22 that all B-Tree pages have items in <quote>logical</quote> order (e.g.,
23 for B-Tree indexes on <type>text</type>, index tuples should be in
24 collated lexical order). If that particular invariant somehow fails
25 to hold, we can expect binary searches on the affected page to
26 incorrectly guide index scans, resulting in wrong answers to SQL
30 Verification is performed using the same procedures as those used by
31 index scans themselves, which may be user-defined operator class
32 code. For example, B-Tree index verification relies on comparisons
33 made with one or more B-Tree support function 1 routines. See <xref
34 linkend="xindex-support"/> for details of operator class support
38 <filename>amcheck</filename> functions may only be used by superusers.
42 <title>Functions</title>
47 <function>bt_index_check(index regclass, heapallindexed boolean) returns void</function>
49 <primary>bt_index_check</primary>
55 <function>bt_index_check</function> tests that its target, a
56 B-Tree index, respects a variety of invariants. Example usage:
58 test=# SELECT bt_index_check(index => c.oid, heapallindexed => i.indisunique),
62 JOIN pg_opclass op ON i.indclass[0] = op.oid
63 JOIN pg_am am ON op.opcmethod = am.oid
64 JOIN pg_class c ON i.indexrelid = c.oid
65 JOIN pg_namespace n ON c.relnamespace = n.oid
66 WHERE am.amname = 'btree' AND n.nspname = 'pg_catalog'
67 -- Don't check temp tables, which may be from another session:
68 AND c.relpersistence != 't'
69 -- Function may throw an error when this is omitted:
70 AND c.relkind = 'i' AND i.indisready AND i.indisvalid
71 ORDER BY c.relpages DESC LIMIT 10;
72 bt_index_check | relname | relpages
73 ----------------+---------------------------------+----------
74 | pg_depend_reference_index | 43
75 | pg_depend_depender_index | 40
76 | pg_proc_proname_args_nsp_index | 31
77 | pg_description_o_c_o_index | 21
78 | pg_attribute_relid_attnam_index | 14
79 | pg_proc_oid_index | 10
80 | pg_attribute_relid_attnum_index | 9
81 | pg_amproc_fam_proc_index | 5
82 | pg_amop_opr_fam_index | 5
83 | pg_amop_fam_strat_index | 5
86 This example shows a session that performs verification of the
87 10 largest catalog indexes in the database <quote>test</quote>.
88 Verification of the presence of heap tuples as index tuples is
89 requested for the subset that are unique indexes. Since no
90 error is raised, all indexes tested appear to be logically
91 consistent. Naturally, this query could easily be changed to
92 call <function>bt_index_check</function> for every index in the
93 database where verification is supported.
96 <function>bt_index_check</function> acquires an <literal>AccessShareLock</literal>
97 on the target index and the heap relation it belongs to. This lock mode
98 is the same lock mode acquired on relations by simple
99 <literal>SELECT</literal> statements.
100 <function>bt_index_check</function> does not verify invariants
101 that span child/parent relationships, but will verify the
102 presence of all heap tuples as index tuples within the index
103 when <parameter>heapallindexed</parameter> is
104 <literal>true</literal>. When a routine, lightweight test for
105 corruption is required in a live production environment, using
106 <function>bt_index_check</function> often provides the best
107 trade-off between thoroughness of verification and limiting the
108 impact on application performance and availability.
115 <function>bt_index_parent_check(index regclass, heapallindexed boolean, rootdescend boolean) returns void</function>
117 <primary>bt_index_parent_check</primary>
123 <function>bt_index_parent_check</function> tests that its
124 target, a B-Tree index, respects a variety of invariants.
125 Optionally, when the <parameter>heapallindexed</parameter>
126 argument is <literal>true</literal>, the function verifies the
127 presence of all heap tuples that should be found within the
128 index, and that there are no missing downlinks in the index
129 structure. When the optional <parameter>rootdescend</parameter>
130 argument is <literal>true</literal>, verification re-finds
131 tuples on the leaf level by performing a new search from the
132 root page for each tuple. The checks that can be performed by
133 <function>bt_index_parent_check</function> are a superset of the
134 checks that can be performed by <function>bt_index_check</function>.
135 <function>bt_index_parent_check</function> can be thought of as
136 a more thorough variant of <function>bt_index_check</function>:
137 unlike <function>bt_index_check</function>,
138 <function>bt_index_parent_check</function> also checks
139 invariants that span parent/child relationships.
140 <function>bt_index_parent_check</function> follows the general
141 convention of raising an error if it finds a logical
142 inconsistency or other problem.
145 A <literal>ShareLock</literal> is required on the target index by
146 <function>bt_index_parent_check</function> (a
147 <literal>ShareLock</literal> is also acquired on the heap relation).
148 These locks prevent concurrent data modification from
149 <command>INSERT</command>, <command>UPDATE</command>, and <command>DELETE</command>
150 commands. The locks also prevent the underlying relation from
151 being concurrently processed by <command>VACUUM</command>, as well as
152 all other utility commands. Note that the function holds locks
153 only while running, not for the entire transaction.
156 <function>bt_index_parent_check</function>'s additional
157 verification is more likely to detect various pathological
158 cases. These cases may involve an incorrectly implemented
159 B-Tree operator class used by the index that is checked, or,
160 hypothetically, undiscovered bugs in the underlying B-Tree index
161 access method code. Note that
162 <function>bt_index_parent_check</function> cannot be used when
163 Hot Standby mode is enabled (i.e., on read-only physical
164 replicas), unlike <function>bt_index_check</function>.
172 <title>Optional <parameter>heapallindexed</parameter> verification</title>
174 When the <parameter>heapallindexed</parameter> argument to
175 verification functions is <literal>true</literal>, an additional
176 phase of verification is performed against the table associated with
177 the target index relation. This consists of a <quote>dummy</quote>
178 <command>CREATE INDEX</command> operation, which checks for the
179 presence of all hypothetical new index tuples against a temporary,
180 in-memory summarizing structure (this is built when needed during
181 the basic first phase of verification). The summarizing structure
182 <quote>fingerprints</quote> every tuple found within the target
183 index. The high level principle behind
184 <parameter>heapallindexed</parameter> verification is that a new
185 index that is equivalent to the existing, target index must only
186 have entries that can be found in the existing structure.
189 The additional <parameter>heapallindexed</parameter> phase adds
190 significant overhead: verification will typically take several times
191 longer. However, there is no change to the relation-level locks
192 acquired when <parameter>heapallindexed</parameter> verification is
196 The summarizing structure is bound in size by
197 <varname>maintenance_work_mem</varname>. In order to ensure that
198 there is no more than a 2% probability of failure to detect an
199 inconsistency for each heap tuple that should be represented in the
200 index, approximately 2 bytes of memory are needed per tuple. As
201 less memory is made available per tuple, the probability of missing
202 an inconsistency slowly increases. This approach limits the
203 overhead of verification significantly, while only slightly reducing
204 the probability of detecting a problem, especially for installations
205 where verification is treated as a routine maintenance task. Any
206 single absent or malformed tuple has a new opportunity to be
207 detected with each new verification attempt.
213 <title>Using <filename>amcheck</filename> effectively</title>
216 <filename>amcheck</filename> can be effective at detecting various types of
217 failure modes that <link
218 linkend="app-initdb-data-checksums"><application>data page
219 checksums</application></link> will always fail to catch. These include:
224 Structural inconsistencies caused by incorrect operator class
228 This includes issues caused by the comparison rules of operating
229 system collations changing. Comparisons of datums of a collatable
230 type like <type>text</type> must be immutable (just as all
231 comparisons used for B-Tree index scans must be immutable), which
232 implies that operating system collation rules must never change.
233 Though rare, updates to operating system collation rules can
234 cause these issues. More commonly, an inconsistency in the
235 collation order between a master server and a standby server is
236 implicated, possibly because the <emphasis>major</emphasis> operating
237 system version in use is inconsistent. Such inconsistencies will
238 generally only arise on standby servers, and so can generally
239 only be detected on standby servers.
242 If a problem like this arises, it may not affect each individual
243 index that is ordered using an affected collation, simply because
244 <emphasis>indexed</emphasis> values might happen to have the same
245 absolute ordering regardless of the behavioral inconsistency. See
246 <xref linkend="locale"/> and <xref linkend="collation"/> for
247 further details about how <productname>PostgreSQL</productname> uses
248 operating system locales and collations.
253 Structural inconsistencies between indexes and the heap relations
254 that are indexed (when <parameter>heapallindexed</parameter>
255 verification is performed).
258 There is no cross-checking of indexes against their heap relation
259 during normal operation. Symptoms of heap corruption can be subtle.
264 Corruption caused by hypothetical undiscovered bugs in the
265 underlying <productname>PostgreSQL</productname> access method
266 code, sort code, or transaction management code.
269 Automatic verification of the structural integrity of indexes
270 plays a role in the general testing of new or proposed
271 <productname>PostgreSQL</productname> features that could plausibly allow a
272 logical inconsistency to be introduced. Verification of table
273 structure and associated visibility and transaction status
274 information plays a similar role. One obvious testing strategy
275 is to call <filename>amcheck</filename> functions continuously
276 when running the standard regression tests. See <xref
277 linkend="regress-run"/> for details on running the tests.
282 File system or storage subsystem faults where checksums happen to
283 simply not be enabled.
286 Note that <filename>amcheck</filename> examines a page as represented in some
287 shared memory buffer at the time of verification if there is only a
288 shared buffer hit when accessing the block. Consequently,
289 <filename>amcheck</filename> does not necessarily examine data read from the
290 file system at the time of verification. Note that when checksums are
291 enabled, <filename>amcheck</filename> may raise an error due to a checksum
292 failure when a corrupt block is read into a buffer.
297 Corruption caused by faulty RAM, or the broader memory subsystem.
300 <productname>PostgreSQL</productname> does not protect against correctable
301 memory errors and it is assumed you will operate using RAM that
302 uses industry standard Error Correcting Codes (ECC) or better
303 protection. However, ECC memory is typically only immune to
304 single-bit errors, and should not be assumed to provide
305 <emphasis>absolute</emphasis> protection against failures that
306 result in memory corruption.
309 When <parameter>heapallindexed</parameter> verification is
310 performed, there is generally a greatly increased chance of
311 detecting single-bit errors, since strict binary equality is
312 tested, and the indexed attributes within the heap are tested.
316 In general, <filename>amcheck</filename> can only prove the presence of
317 corruption; it cannot prove its absence.
322 <title>Repairing corruption</title>
324 No error concerning corruption raised by <filename>amcheck</filename> should
325 ever be a false positive. <filename>amcheck</filename> raises
326 errors in the event of conditions that, by definition, should never
327 happen, and so careful analysis of <filename>amcheck</filename>
328 errors is often required.
331 There is no general method of repairing problems that
332 <filename>amcheck</filename> detects. An explanation for the root cause of
333 an invariant violation should be sought. <xref
334 linkend="pageinspect"/> may play a useful role in diagnosing
335 corruption that <filename>amcheck</filename> detects. A <command>REINDEX</command>
336 may not be effective in repairing corruption.