]> git.ipfire.org Git - thirdparty/postgresql.git/commitdiff
Backpatch nbtree page deletion hardening.
authorPeter Geoghegan <pg@bowt.ie>
Mon, 5 Sep 2022 18:20:01 +0000 (11:20 -0700)
committerPeter Geoghegan <pg@bowt.ie>
Mon, 5 Sep 2022 18:20:01 +0000 (11:20 -0700)
Postgres 14 commit 5b861baa taught nbtree VACUUM to tolerate buggy
opclasses.  VACUUM's inability to locate a to-be-deleted page's downlink
in the parent page was logged instead of throwing an error.  VACUUM
could just press on with vacuuming the index, and vacuuming the table as
a whole.

There are now anecdotal reports of this error causing problems that were
much more disruptive than the underlying index corruption ever could be.
Anything that makes VACUUM unable to make forward progress against one
table/index ultimately risks making the system enter xidStopLimit mode.
There is no good reason to take any chances here, so backpatch the
hardening commit.

Author: Peter Geoghegan <pg@bowt.ie>
Discussion: https://postgr.es/m/CAH2-Wzm9HR6Pow=t-iQa57zT8qmX6_M4h14F-pTtb=xFDW5FBA@mail.gmail.com
Backpatch: 10-13 (all supported versions that lacked the hardening)

src/backend/access/nbtree/nbtpage.c

index db8fa54375fcbfafb30be06785c3ffc0db5e62be..3614e4c0d9dc2b17b858eb5d95e6683e1c705ef7 100644 (file)
@@ -1121,8 +1121,25 @@ _bt_lock_branch_parent(Relation rel, BlockNumber child, BTStack stack,
        stack->bts_btentry = child;
        pbuf = _bt_getstackbuf(rel, stack, BT_WRITE);
        if (pbuf == InvalidBuffer)
-               elog(ERROR, "failed to re-find parent key in index \"%s\" for deletion target page %u",
-                        RelationGetRelationName(rel), child);
+       {
+               /*
+                * Failed to "re-find" a pivot tuple whose downlink matched our child
+                * block number on the parent level -- the index must be corrupt.
+                * Don't even try to delete the leafbuf subtree.  Just report the
+                * issue and press on with vacuuming the index.
+                *
+                * Note: _bt_getstackbuf() recovers from concurrent page splits that
+                * take place on the parent level.  Its approach is a near-exhaustive
+                * linear search.  This also gives it a surprisingly good chance of
+                * recovering in the event of a buggy or inconsistent opclass.  But we
+                * don't rely on that here.
+                */
+               ereport(LOG,
+                               (errcode(ERRCODE_INDEX_CORRUPTED),
+                                errmsg_internal("failed to re-find parent key in index \"%s\" for deletion target page %u",
+                                                                RelationGetRelationName(rel), child)));
+               return false;
+       }
        parent = stack->bts_blkno;
        poffset = stack->bts_offset;