• Home
  • History
  • Annotate
Name Date Size #Lines LOC

..08-Nov-2021-

MakefileH A D08-Nov-2021534 216

READMEH A D08-Nov-20213.6 KiB6454

bufpage.cH A D08-Nov-202133.2 KiB1,218648

checksum.cH A D08-Nov-2021744 243

itemptr.cH A D08-Nov-20211.9 KiB7433

README

1src/backend/storage/page/README
2
3Checksums
4---------
5
6Checksums on data pages are designed to detect corruption by the I/O system.
7We do not protect buffers against uncorrectable memory errors, since these
8have a very low measured incidence according to research on large server farms,
9http://www.cs.toronto.edu/~bianca/papers/sigmetrics09.pdf, discussed
102010/12/22 on -hackers list.
11
12Current implementation requires this be enabled system-wide at initdb time.
13
14The checksum is not valid at all times on a data page!!
15The checksum is valid when the page leaves the shared pool and is checked
16when it later re-enters the shared pool as a result of I/O.
17We set the checksum on a buffer in the shared pool immediately before we
18flush the buffer. As a result we implicitly invalidate the page's checksum
19when we modify the page for a data change or even a hint. This means that
20many or even most pages in shared buffers have invalid page checksums,
21so be careful how you interpret the pd_checksum field.
22
23That means that WAL-logged changes to a page do NOT update the page checksum,
24so full page images may not have a valid checksum. But those page images have
25the WAL CRC covering them and so are verified separately from this
26mechanism. WAL replay should not test the checksum of a full-page image.
27
28The best way to understand this is that WAL CRCs protect records entering the
29WAL stream, and data page verification protects blocks entering the shared
30buffer pool. They are similar in purpose, yet completely separate.  Together
31they ensure we are able to detect errors in data re-entering
32PostgreSQL-controlled memory. Note also that the WAL checksum is a 32-bit CRC,
33whereas the page checksum is only 16-bits.
34
35Any write of a data block can cause a torn page if the write is unsuccessful.
36Full page writes protect us from that, which are stored in WAL.  Setting hint
37bits when a page is already dirty is OK because a full page write must already
38have been written for it since the last checkpoint.  Setting hint bits on an
39otherwise clean page can allow torn pages; this doesn't normally matter since
40they are just hints, but when the page has checksums, then losing a few bits
41would cause the checksum to be invalid.  So if we have full_page_writes = on
42and checksums enabled then we must write a WAL record specifically so that we
43record a full page image in WAL.  Hint bits updates should be protected using
44MarkBufferDirtyHint(), which is responsible for writing the full-page image
45when necessary.
46
47Note that when we write a page checksum we include the hopefully zeroed bytes
48that form the hole in the centre of a standard page. Thus, when we read the
49block back from storage we implicitly check that the hole is still all zeroes.
50We do this to ensure that we spot errors that could have destroyed data even
51if they haven't actually done so. Full page images stored in WAL do *not*
52check that the hole is all zero; the data in the hole is simply skipped and
53re-zeroed if the backup block is reapplied. We do this because a failure in
54WAL is a fatal error and prevents further recovery, whereas a checksum failure
55on a normal data block is a hard error but not a critical one for the server,
56even if it is a very bad thing for the user.
57
58New WAL records cannot be written during recovery, so hint bits set during
59recovery must not dirty the page if the buffer is not already dirty, when
60checksums are enabled.  Systems in Hot-Standby mode may benefit from hint bits
61being set, but with checksums enabled, a page cannot be dirtied after setting a
62hint bit (due to the torn page risk). So, it must wait for full-page images
63containing the hint bit updates to arrive from the master.
64