Backpatch nbtree page deletion hardening.

Postgres 14 commit 5b861baa taught nbtree VACUUM to tolerate buggy
opclasses.  VACUUM's inability to locate a to-be-deleted page's downlink
in the parent page was logged instead of throwing an error.  VACUUM
could just press on with vacuuming the index, and vacuuming the table as
a whole.

There are now anecdotal reports of this error causing problems that were
much more disruptive than the underlying index corruption ever could be.
Anything that makes VACUUM unable to make forward progress against one
table/index ultimately risks making the system enter xidStopLimit mode.
There is no good reason to take any chances here, so backpatch the
hardening commit.

Author: Peter Geoghegan <pg@bowt.ie>
Discussion: https://postgr.es/m/CAH2-Wzm9HR6Pow=t-iQa57zT8qmX6_M4h14F-pTtb=xFDW5FBA@mail.gmail.com
Backpatch: 10-13 (all supported versions that lacked the hardening)

diff --git a/src/backend/access/nbtree/nbtpage.c b/src/backend/access/nbtree/nbtpage.c
index ac6c38b15534fcd67224175461025ef8e0c32f02..f9811b6d3c2c82c64dc945b6b8bdbfa89f60f0ea 100644 (file)
--- a/src/backend/access/nbtree/nbtpage.c
+++ b/src/backend/access/nbtree/nbtpage.c
@@ -2388,10 +2388,26 @@ _bt_lock_subtree_parent(Relation rel, BlockNumber child, BTStack stack,
     */
    pbuf = _bt_getstackbuf(rel, stack, child);
    if (pbuf == InvalidBuffer)
-       ereport(ERROR,
+   {
+       /*
+        * Failed to "re-find" a pivot tuple whose downlink matched our child
+        * block number on the parent level -- the index must be corrupt.
+        * Don't even try to delete the leafbuf subtree.  Just report the
+        * issue and press on with vacuuming the index.
+        *
+        * Note: _bt_getstackbuf() recovers from concurrent page splits that
+        * take place on the parent level.  Its approach is a near-exhaustive
+        * linear search.  This also gives it a surprisingly good chance of
+        * recovering in the event of a buggy or inconsistent opclass.  But we
+        * don't rely on that here.
+        */
+       ereport(LOG,
                (errcode(ERRCODE_INDEX_CORRUPTED),
                 errmsg_internal("failed to re-find parent key in index \"%s\" for deletion target page %u",
                                 RelationGetRelationName(rel), child)));
+       return false;
+   }
+
    parent = stack->bts_blkno;
    parentoffset = stack->bts_offset;