Re: new heapcheck contrib module
| От | Mark Dilger |
|---|---|
| Тема | Re: new heapcheck contrib module |
| Дата | |
| Msg-id | 1B0E97CE-DEC4-4A9F-BF8F-38822A2840F5@enterprisedb.com обсуждение исходный текст |
| Ответ на | Re: new heapcheck contrib module (Peter Geoghegan <pg@bowt.ie>) |
| Ответы |
Re: new heapcheck contrib module
|
| Список | pgsql-hackers |
> On Nov 19, 2020, at 11:47 AM, Peter Geoghegan <pg@bowt.ie> wrote: > >> I think in general you're worrying too much about the possibility of >> this tool causing backend crashes. I think it's good that you wrote >> the heapcheck code in a way that's hardened against that, and I think >> we should try to harden other things as time permits. But I don't >> think that the remote possibility of a crash due to the lack of such >> hardening should dictate the design behavior of this tool. If the >> crash possibilities are not remote, then I think the solution is to >> fix them, rather than cutting out important checks. > > I couldn't agree more. Owing to how much run-time overhead it would entail, much of the backend code has not been, and probably will not be, hardenedagainst corruption. The amcheck code uses backend code for accessing heaps and indexes. Only some of those usescan be preceded with sufficient safety checks to avoid stepping on landmines. It makes sense to me to have a "don'trun through minefields" option, and a "go ahead, run through minefields" option for pg_amcheck, given that users indiffering situations will have differing business consequences to bringing down the server in question. As an example that we've already looked at, checking the status of an xid against clog is a dangerous thing to do. I wrotea patch to make it safer to query clog (0003) and a patch for pg_amcheck to use the safer interface (0004) and it looksunlikely either of those will ever be committed. I doubt other backend hardening is any more likely to get committed. It doesn't follow that if crash possibilities are not remote that we should therefore harden the backend. Theperformance considerations of the backend are not well aligned with the safety considerations of this tool. The backendcode is written with the assumption of non-corrupt data, and this tool with the assumption of corrupt data, or atleast a fair probability of corrupt data. I don't see how any one-hardening-fits-all will ever work. — Mark Dilger EnterpriseDB: http://www.enterprisedb.com The Enterprise PostgreSQL Company
В списке pgsql-hackers по дате отправления: