PostgreSQL Source Code  git master
verify_heapam.c File Reference
#include "postgres.h"
#include "access/detoast.h"
#include "access/genam.h"
#include "access/heaptoast.h"
#include "access/multixact.h"
#include "access/relation.h"
#include "access/table.h"
#include "access/toast_internals.h"
#include "access/visibilitymap.h"
#include "access/xact.h"
#include "catalog/pg_am.h"
#include "catalog/pg_class.h"
#include "funcapi.h"
#include "miscadmin.h"
#include "storage/bufmgr.h"
#include "storage/procarray.h"
#include "utils/builtins.h"
#include "utils/fmgroids.h"
#include "utils/rel.h"
Include dependency graph for verify_heapam.c:

Go to the source code of this file.

Data Structures

struct  ToastedAttribute
 
struct  HeapCheckContext
 

Macros

#define HEAPCHECK_RELATION_COLS   4
 
#define VARLENA_SIZE_LIMIT   0x3FFFFFFF
 

Typedefs

typedef enum XidBoundsViolation XidBoundsViolation
 
typedef enum XidCommitStatus XidCommitStatus
 
typedef enum SkipPages SkipPages
 
typedef struct ToastedAttribute ToastedAttribute
 
typedef struct HeapCheckContext HeapCheckContext
 

Enumerations

enum  XidBoundsViolation {
  XID_INVALID , XID_IN_FUTURE , XID_PRECEDES_CLUSTERMIN , XID_PRECEDES_RELMIN ,
  XID_BOUNDS_OK
}
 
enum  XidCommitStatus { XID_COMMITTED , XID_IS_CURRENT_XID , XID_IN_PROGRESS , XID_ABORTED }
 
enum  SkipPages { SKIP_PAGES_ALL_FROZEN , SKIP_PAGES_ALL_VISIBLE , SKIP_PAGES_NONE }
 

Functions

 PG_FUNCTION_INFO_V1 (verify_heapam)
 
static void check_tuple (HeapCheckContext *ctx, bool *xmin_commit_status_ok, XidCommitStatus *xmin_commit_status)
 
static void check_toast_tuple (HeapTuple toasttup, HeapCheckContext *ctx, ToastedAttribute *ta, int32 *expected_chunk_seq, uint32 extsize)
 
static bool check_tuple_attribute (HeapCheckContext *ctx)
 
static void check_toasted_attribute (HeapCheckContext *ctx, ToastedAttribute *ta)
 
static bool check_tuple_header (HeapCheckContext *ctx)
 
static bool check_tuple_visibility (HeapCheckContext *ctx, bool *xmin_commit_status_ok, XidCommitStatus *xmin_commit_status)
 
static void report_corruption (HeapCheckContext *ctx, char *msg)
 
static void report_toast_corruption (HeapCheckContext *ctx, ToastedAttribute *ta, char *msg)
 
static FullTransactionId FullTransactionIdFromXidAndCtx (TransactionId xid, const HeapCheckContext *ctx)
 
static void update_cached_xid_range (HeapCheckContext *ctx)
 
static void update_cached_mxid_range (HeapCheckContext *ctx)
 
static XidBoundsViolation check_mxid_in_range (MultiXactId mxid, HeapCheckContext *ctx)
 
static XidBoundsViolation check_mxid_valid_in_rel (MultiXactId mxid, HeapCheckContext *ctx)
 
static XidBoundsViolation get_xid_status (TransactionId xid, HeapCheckContext *ctx, XidCommitStatus *status)
 
Datum verify_heapam (PG_FUNCTION_ARGS)
 
static void report_corruption_internal (Tuplestorestate *tupstore, TupleDesc tupdesc, BlockNumber blkno, OffsetNumber offnum, AttrNumber attnum, char *msg)
 
static bool fxid_in_cached_range (FullTransactionId fxid, const HeapCheckContext *ctx)
 

Macro Definition Documentation

◆ HEAPCHECK_RELATION_COLS

#define HEAPCHECK_RELATION_COLS   4

Definition at line 35 of file verify_heapam.c.

◆ VARLENA_SIZE_LIMIT

#define VARLENA_SIZE_LIMIT   0x3FFFFFFF

Definition at line 38 of file verify_heapam.c.

Typedef Documentation

◆ HeapCheckContext

◆ SkipPages

typedef enum SkipPages SkipPages

◆ ToastedAttribute

◆ XidBoundsViolation

◆ XidCommitStatus

Enumeration Type Documentation

◆ SkipPages

enum SkipPages
Enumerator
SKIP_PAGES_ALL_FROZEN 
SKIP_PAGES_ALL_VISIBLE 
SKIP_PAGES_NONE 

Definition at line 61 of file verify_heapam.c.

62 {
66 } SkipPages;
SkipPages
Definition: verify_heapam.c:62
@ SKIP_PAGES_ALL_VISIBLE
Definition: verify_heapam.c:64
@ SKIP_PAGES_ALL_FROZEN
Definition: verify_heapam.c:63
@ SKIP_PAGES_NONE
Definition: verify_heapam.c:65

◆ XidBoundsViolation

Enumerator
XID_INVALID 
XID_IN_FUTURE 
XID_PRECEDES_CLUSTERMIN 
XID_PRECEDES_RELMIN 
XID_BOUNDS_OK 

Definition at line 44 of file verify_heapam.c.

45 {
XidBoundsViolation
Definition: verify_heapam.c:45
@ XID_IN_FUTURE
Definition: verify_heapam.c:47
@ XID_PRECEDES_CLUSTERMIN
Definition: verify_heapam.c:48
@ XID_INVALID
Definition: verify_heapam.c:46
@ XID_PRECEDES_RELMIN
Definition: verify_heapam.c:49
@ XID_BOUNDS_OK
Definition: verify_heapam.c:50

◆ XidCommitStatus

Enumerator
XID_COMMITTED 
XID_IS_CURRENT_XID 
XID_IN_PROGRESS 
XID_ABORTED 

Definition at line 53 of file verify_heapam.c.

54 {
XidCommitStatus
Definition: verify_heapam.c:54
@ XID_IS_CURRENT_XID
Definition: verify_heapam.c:56
@ XID_IN_PROGRESS
Definition: verify_heapam.c:57
@ XID_COMMITTED
Definition: verify_heapam.c:55
@ XID_ABORTED
Definition: verify_heapam.c:58

Function Documentation

◆ check_mxid_in_range()

static XidBoundsViolation check_mxid_in_range ( MultiXactId  mxid,
HeapCheckContext ctx 
)
static

Definition at line 1965 of file verify_heapam.c.

1966 {
1967  if (!TransactionIdIsValid(mxid))
1968  return XID_INVALID;
1969  if (MultiXactIdPrecedes(mxid, ctx->relminmxid))
1970  return XID_PRECEDES_RELMIN;
1971  if (MultiXactIdPrecedes(mxid, ctx->oldest_mxact))
1972  return XID_PRECEDES_CLUSTERMIN;
1973  if (MultiXactIdPrecedesOrEquals(ctx->next_mxact, mxid))
1974  return XID_IN_FUTURE;
1975  return XID_BOUNDS_OK;
1976 }
bool MultiXactIdPrecedes(MultiXactId multi1, MultiXactId multi2)
Definition: multixact.c:3317
bool MultiXactIdPrecedesOrEquals(MultiXactId multi1, MultiXactId multi2)
Definition: multixact.c:3331
TransactionId relminmxid
MultiXactId next_mxact
MultiXactId oldest_mxact
#define TransactionIdIsValid(xid)
Definition: transam.h:41

References MultiXactIdPrecedes(), MultiXactIdPrecedesOrEquals(), HeapCheckContext::next_mxact, HeapCheckContext::oldest_mxact, HeapCheckContext::relminmxid, TransactionIdIsValid, XID_BOUNDS_OK, XID_IN_FUTURE, XID_INVALID, XID_PRECEDES_CLUSTERMIN, and XID_PRECEDES_RELMIN.

Referenced by check_mxid_valid_in_rel().

◆ check_mxid_valid_in_rel()

static XidBoundsViolation check_mxid_valid_in_rel ( MultiXactId  mxid,
HeapCheckContext ctx 
)
static

Definition at line 1987 of file verify_heapam.c.

1988 {
1989  XidBoundsViolation result;
1990 
1991  result = check_mxid_in_range(mxid, ctx);
1992  if (result == XID_BOUNDS_OK)
1993  return XID_BOUNDS_OK;
1994 
1995  /* The range may have advanced. Recheck. */
1997  return check_mxid_in_range(mxid, ctx);
1998 }
static XidBoundsViolation check_mxid_in_range(MultiXactId mxid, HeapCheckContext *ctx)
static void update_cached_mxid_range(HeapCheckContext *ctx)

References check_mxid_in_range(), update_cached_mxid_range(), and XID_BOUNDS_OK.

Referenced by check_tuple_visibility().

◆ check_toast_tuple()

static void check_toast_tuple ( HeapTuple  toasttup,
HeapCheckContext ctx,
ToastedAttribute ta,
int32 expected_chunk_seq,
uint32  extsize 
)
static

Definition at line 1462 of file verify_heapam.c.

1465 {
1466  int32 chunk_seq;
1467  int32 last_chunk_seq = (extsize - 1) / TOAST_MAX_CHUNK_SIZE;
1468  Pointer chunk;
1469  bool isnull;
1470  int32 chunksize;
1471  int32 expected_size;
1472 
1473  /* Sanity-check the sequence number. */
1474  chunk_seq = DatumGetInt32(fastgetattr(toasttup, 2,
1475  ctx->toast_rel->rd_att, &isnull));
1476  if (isnull)
1477  {
1478  report_toast_corruption(ctx, ta,
1479  psprintf("toast value %u has toast chunk with null sequence number",
1480  ta->toast_pointer.va_valueid));
1481  return;
1482  }
1483  if (chunk_seq != *expected_chunk_seq)
1484  {
1485  /* Either the TOAST index is corrupt, or we don't have all chunks. */
1486  report_toast_corruption(ctx, ta,
1487  psprintf("toast value %u index scan returned chunk %d when expecting chunk %d",
1489  chunk_seq, *expected_chunk_seq));
1490  }
1491  *expected_chunk_seq = chunk_seq + 1;
1492 
1493  /* Sanity-check the chunk data. */
1494  chunk = DatumGetPointer(fastgetattr(toasttup, 3,
1495  ctx->toast_rel->rd_att, &isnull));
1496  if (isnull)
1497  {
1498  report_toast_corruption(ctx, ta,
1499  psprintf("toast value %u chunk %d has null data",
1501  chunk_seq));
1502  return;
1503  }
1504  if (!VARATT_IS_EXTENDED(chunk))
1505  chunksize = VARSIZE(chunk) - VARHDRSZ;
1506  else if (VARATT_IS_SHORT(chunk))
1507  {
1508  /*
1509  * could happen due to heap_form_tuple doing its thing
1510  */
1511  chunksize = VARSIZE_SHORT(chunk) - VARHDRSZ_SHORT;
1512  }
1513  else
1514  {
1515  /* should never happen */
1516  uint32 header = ((varattrib_4b *) chunk)->va_4byte.va_header;
1517 
1518  report_toast_corruption(ctx, ta,
1519  psprintf("toast value %u chunk %d has invalid varlena header %0x",
1521  chunk_seq, header));
1522  return;
1523  }
1524 
1525  /*
1526  * Some checks on the data we've found
1527  */
1528  if (chunk_seq > last_chunk_seq)
1529  {
1530  report_toast_corruption(ctx, ta,
1531  psprintf("toast value %u chunk %d follows last expected chunk %d",
1533  chunk_seq, last_chunk_seq));
1534  return;
1535  }
1536 
1537  expected_size = chunk_seq < last_chunk_seq ? TOAST_MAX_CHUNK_SIZE
1538  : extsize - (last_chunk_seq * TOAST_MAX_CHUNK_SIZE);
1539 
1540  if (chunksize != expected_size)
1541  report_toast_corruption(ctx, ta,
1542  psprintf("toast value %u chunk %d has size %u, but expected size %u",
1544  chunk_seq, chunksize, expected_size));
1545 }
char * Pointer
Definition: c.h:476
#define VARHDRSZ
Definition: c.h:646
int32_t int32
Definition: c.h:481
uint32_t uint32
Definition: c.h:485
uint64 chunk
#define TOAST_MAX_CHUNK_SIZE
Definition: heaptoast.h:84
static Datum fastgetattr(HeapTuple tup, int attnum, TupleDesc tupleDesc, bool *isnull)
Definition: htup_details.h:749
static Pointer DatumGetPointer(Datum X)
Definition: postgres.h:312
static int32 DatumGetInt32(Datum X)
Definition: postgres.h:202
char * psprintf(const char *fmt,...)
Definition: psprintf.c:43
TupleDesc rd_att
Definition: rel.h:112
struct varatt_external toast_pointer
Definition: verify_heapam.c:75
Oid va_valueid
Definition: varatt.h:37
#define VARHDRSZ_SHORT
Definition: varatt.h:255
#define VARSIZE_SHORT(PTR)
Definition: varatt.h:281
#define VARATT_IS_EXTENDED(PTR)
Definition: varatt.h:303
#define VARATT_IS_SHORT(PTR)
Definition: varatt.h:302
#define VARSIZE(PTR)
Definition: varatt.h:279
static void report_toast_corruption(HeapCheckContext *ctx, ToastedAttribute *ta, char *msg)

References chunk, DatumGetInt32(), DatumGetPointer(), fastgetattr(), psprintf(), RelationData::rd_att, report_toast_corruption(), TOAST_MAX_CHUNK_SIZE, ToastedAttribute::toast_pointer, HeapCheckContext::toast_rel, varatt_external::va_valueid, VARATT_IS_EXTENDED, VARATT_IS_SHORT, VARHDRSZ, VARHDRSZ_SHORT, VARSIZE, and VARSIZE_SHORT.

Referenced by check_toasted_attribute().

◆ check_toasted_attribute()

static void check_toasted_attribute ( HeapCheckContext ctx,
ToastedAttribute ta 
)
static

Definition at line 1768 of file verify_heapam.c.

1769 {
1770  SnapshotData SnapshotToast;
1771  ScanKeyData toastkey;
1772  SysScanDesc toastscan;
1773  bool found_toasttup;
1774  HeapTuple toasttup;
1775  uint32 extsize;
1776  int32 expected_chunk_seq = 0;
1777  int32 last_chunk_seq;
1778 
1780  last_chunk_seq = (extsize - 1) / TOAST_MAX_CHUNK_SIZE;
1781 
1782  /*
1783  * Setup a scan key to find chunks in toast table with matching va_valueid
1784  */
1785  ScanKeyInit(&toastkey,
1786  (AttrNumber) 1,
1787  BTEqualStrategyNumber, F_OIDEQ,
1789 
1790  /*
1791  * Check if any chunks for this toasted object exist in the toast table,
1792  * accessible via the index.
1793  */
1794  init_toast_snapshot(&SnapshotToast);
1795  toastscan = systable_beginscan_ordered(ctx->toast_rel,
1796  ctx->valid_toast_index,
1797  &SnapshotToast, 1,
1798  &toastkey);
1799  found_toasttup = false;
1800  while ((toasttup =
1801  systable_getnext_ordered(toastscan,
1802  ForwardScanDirection)) != NULL)
1803  {
1804  found_toasttup = true;
1805  check_toast_tuple(toasttup, ctx, ta, &expected_chunk_seq, extsize);
1806  }
1807  systable_endscan_ordered(toastscan);
1808 
1809  if (!found_toasttup)
1810  report_toast_corruption(ctx, ta,
1811  psprintf("toast value %u not found in toast table",
1812  ta->toast_pointer.va_valueid));
1813  else if (expected_chunk_seq <= last_chunk_seq)
1814  report_toast_corruption(ctx, ta,
1815  psprintf("toast value %u was expected to end at chunk %d, but ended while expecting chunk %d",
1817  last_chunk_seq, expected_chunk_seq));
1818 }
int16 AttrNumber
Definition: attnum.h:21
SysScanDesc systable_beginscan_ordered(Relation heapRelation, Relation indexRelation, Snapshot snapshot, int nkeys, ScanKey key)
Definition: genam.c:653
void systable_endscan_ordered(SysScanDesc sysscan)
Definition: genam.c:760
HeapTuple systable_getnext_ordered(SysScanDesc sysscan, ScanDirection direction)
Definition: genam.c:735
static Datum ObjectIdGetDatum(Oid X)
Definition: postgres.h:252
void ScanKeyInit(ScanKey entry, AttrNumber attributeNumber, StrategyNumber strategy, RegProcedure procedure, Datum argument)
Definition: scankey.c:76
@ ForwardScanDirection
Definition: sdir.h:28
#define BTEqualStrategyNumber
Definition: stratnum.h:31
Relation valid_toast_index
void init_toast_snapshot(Snapshot toast_snapshot)
#define VARATT_EXTERNAL_GET_EXTSIZE(toast_pointer)
Definition: varatt.h:334
static void check_toast_tuple(HeapTuple toasttup, HeapCheckContext *ctx, ToastedAttribute *ta, int32 *expected_chunk_seq, uint32 extsize)

References BTEqualStrategyNumber, check_toast_tuple(), ForwardScanDirection, init_toast_snapshot(), ObjectIdGetDatum(), psprintf(), report_toast_corruption(), ScanKeyInit(), systable_beginscan_ordered(), systable_endscan_ordered(), systable_getnext_ordered(), TOAST_MAX_CHUNK_SIZE, ToastedAttribute::toast_pointer, HeapCheckContext::toast_rel, varatt_external::va_valueid, HeapCheckContext::valid_toast_index, and VARATT_EXTERNAL_GET_EXTSIZE.

Referenced by verify_heapam().

◆ check_tuple()

static void check_tuple ( HeapCheckContext ctx,
bool *  xmin_commit_status_ok,
XidCommitStatus xmin_commit_status 
)
static

Definition at line 1828 of file verify_heapam.c.

1830 {
1831  /*
1832  * Check various forms of tuple header corruption, and if the header is
1833  * too corrupt, do not continue with other checks.
1834  */
1835  if (!check_tuple_header(ctx))
1836  return;
1837 
1838  /*
1839  * Check tuple visibility. If the inserting transaction aborted, we
1840  * cannot assume our relation description matches the tuple structure, and
1841  * therefore cannot check it.
1842  */
1843  if (!check_tuple_visibility(ctx, xmin_commit_status_ok,
1844  xmin_commit_status))
1845  return;
1846 
1847  /*
1848  * The tuple is visible, so it must be compatible with the current version
1849  * of the relation descriptor. It might have fewer columns than are
1850  * present in the relation descriptor, but it cannot have more.
1851  */
1852  if (RelationGetDescr(ctx->rel)->natts < ctx->natts)
1853  {
1854  report_corruption(ctx,
1855  psprintf("number of attributes %u exceeds maximum expected for table %u",
1856  ctx->natts,
1857  RelationGetDescr(ctx->rel)->natts));
1858  return;
1859  }
1860 
1861  /*
1862  * Check each attribute unless we hit corruption that confuses what to do
1863  * next, at which point we abort further attribute checks for this tuple.
1864  * Note that we don't abort for all types of corruption, only for those
1865  * types where we don't know how to continue. We also don't abort the
1866  * checking of toasted attributes collected from the tuple prior to
1867  * aborting. Those will still be checked later along with other toasted
1868  * attributes collected from the page.
1869  */
1870  ctx->offset = 0;
1871  for (ctx->attnum = 0; ctx->attnum < ctx->natts; ctx->attnum++)
1872  if (!check_tuple_attribute(ctx))
1873  break; /* cannot continue */
1874 
1875  /* revert attnum to -1 until we again examine individual attributes */
1876  ctx->attnum = -1;
1877 }
#define RelationGetDescr(relation)
Definition: rel.h:531
AttrNumber attnum
static bool check_tuple_visibility(HeapCheckContext *ctx, bool *xmin_commit_status_ok, XidCommitStatus *xmin_commit_status)
static bool check_tuple_header(HeapCheckContext *ctx)
static bool check_tuple_attribute(HeapCheckContext *ctx)
static void report_corruption(HeapCheckContext *ctx, char *msg)

References HeapCheckContext::attnum, check_tuple_attribute(), check_tuple_header(), check_tuple_visibility(), HeapCheckContext::natts, HeapCheckContext::offset, psprintf(), HeapCheckContext::rel, RelationGetDescr, and report_corruption().

Referenced by verify_heapam().

◆ check_tuple_attribute()

static bool check_tuple_attribute ( HeapCheckContext ctx)
static

Definition at line 1568 of file verify_heapam.c.

1569 {
1570  Datum attdatum;
1571  struct varlena *attr;
1572  char *tp; /* pointer to the tuple data */
1573  uint16 infomask;
1574  Form_pg_attribute thisatt;
1575  struct varatt_external toast_pointer;
1576 
1577  infomask = ctx->tuphdr->t_infomask;
1578  thisatt = TupleDescAttr(RelationGetDescr(ctx->rel), ctx->attnum);
1579 
1580  tp = (char *) ctx->tuphdr + ctx->tuphdr->t_hoff;
1581 
1582  if (ctx->tuphdr->t_hoff + ctx->offset > ctx->lp_len)
1583  {
1584  report_corruption(ctx,
1585  psprintf("attribute with length %u starts at offset %u beyond total tuple length %u",
1586  thisatt->attlen,
1587  ctx->tuphdr->t_hoff + ctx->offset,
1588  ctx->lp_len));
1589  return false;
1590  }
1591 
1592  /* Skip null values */
1593  if (infomask & HEAP_HASNULL && att_isnull(ctx->attnum, ctx->tuphdr->t_bits))
1594  return true;
1595 
1596  /* Skip non-varlena values, but update offset first */
1597  if (thisatt->attlen != -1)
1598  {
1599  ctx->offset = att_align_nominal(ctx->offset, thisatt->attalign);
1600  ctx->offset = att_addlength_pointer(ctx->offset, thisatt->attlen,
1601  tp + ctx->offset);
1602  if (ctx->tuphdr->t_hoff + ctx->offset > ctx->lp_len)
1603  {
1604  report_corruption(ctx,
1605  psprintf("attribute with length %u ends at offset %u beyond total tuple length %u",
1606  thisatt->attlen,
1607  ctx->tuphdr->t_hoff + ctx->offset,
1608  ctx->lp_len));
1609  return false;
1610  }
1611  return true;
1612  }
1613 
1614  /* Ok, we're looking at a varlena attribute. */
1615  ctx->offset = att_align_pointer(ctx->offset, thisatt->attalign, -1,
1616  tp + ctx->offset);
1617 
1618  /* Get the (possibly corrupt) varlena datum */
1619  attdatum = fetchatt(thisatt, tp + ctx->offset);
1620 
1621  /*
1622  * We have the datum, but we cannot decode it carelessly, as it may still
1623  * be corrupt.
1624  */
1625 
1626  /*
1627  * Check that VARTAG_SIZE won't hit an Assert on a corrupt va_tag before
1628  * risking a call into att_addlength_pointer
1629  */
1630  if (VARATT_IS_EXTERNAL(tp + ctx->offset))
1631  {
1632  uint8 va_tag = VARTAG_EXTERNAL(tp + ctx->offset);
1633 
1634  if (va_tag != VARTAG_ONDISK)
1635  {
1636  report_corruption(ctx,
1637  psprintf("toasted attribute has unexpected TOAST tag %u",
1638  va_tag));
1639  /* We can't know where the next attribute begins */
1640  return false;
1641  }
1642  }
1643 
1644  /* Ok, should be safe now */
1645  ctx->offset = att_addlength_pointer(ctx->offset, thisatt->attlen,
1646  tp + ctx->offset);
1647 
1648  if (ctx->tuphdr->t_hoff + ctx->offset > ctx->lp_len)
1649  {
1650  report_corruption(ctx,
1651  psprintf("attribute with length %u ends at offset %u beyond total tuple length %u",
1652  thisatt->attlen,
1653  ctx->tuphdr->t_hoff + ctx->offset,
1654  ctx->lp_len));
1655 
1656  return false;
1657  }
1658 
1659  /*
1660  * heap_deform_tuple would be done with this attribute at this point,
1661  * having stored it in values[], and would continue to the next attribute.
1662  * We go further, because we need to check if the toast datum is corrupt.
1663  */
1664 
1665  attr = (struct varlena *) DatumGetPointer(attdatum);
1666 
1667  /*
1668  * Now we follow the logic of detoast_external_attr(), with the same
1669  * caveats about being paranoid about corruption.
1670  */
1671 
1672  /* Skip values that are not external */
1673  if (!VARATT_IS_EXTERNAL(attr))
1674  return true;
1675 
1676  /* It is external, and we're looking at a page on disk */
1677 
1678  /*
1679  * Must copy attr into toast_pointer for alignment considerations
1680  */
1681  VARATT_EXTERNAL_GET_POINTER(toast_pointer, attr);
1682 
1683  /* Toasted attributes too large to be untoasted should never be stored */
1684  if (toast_pointer.va_rawsize > VARLENA_SIZE_LIMIT)
1685  report_corruption(ctx,
1686  psprintf("toast value %u rawsize %d exceeds limit %d",
1687  toast_pointer.va_valueid,
1688  toast_pointer.va_rawsize,
1690 
1691  if (VARATT_EXTERNAL_IS_COMPRESSED(toast_pointer))
1692  {
1693  ToastCompressionId cmid;
1694  bool valid = false;
1695 
1696  /* Compressed attributes should have a valid compression method */
1697  cmid = TOAST_COMPRESS_METHOD(&toast_pointer);
1698  switch (cmid)
1699  {
1700  /* List of all valid compression method IDs */
1703  valid = true;
1704  break;
1705 
1706  /* Recognized but invalid compression method ID */
1708  break;
1709 
1710  /* Intentionally no default here */
1711  }
1712  if (!valid)
1713  report_corruption(ctx,
1714  psprintf("toast value %u has invalid compression method id %d",
1715  toast_pointer.va_valueid, cmid));
1716  }
1717 
1718  /* The tuple header better claim to contain toasted values */
1719  if (!(infomask & HEAP_HASEXTERNAL))
1720  {
1721  report_corruption(ctx,
1722  psprintf("toast value %u is external but tuple header flag HEAP_HASEXTERNAL not set",
1723  toast_pointer.va_valueid));
1724  return true;
1725  }
1726 
1727  /* The relation better have a toast table */
1728  if (!ctx->rel->rd_rel->reltoastrelid)
1729  {
1730  report_corruption(ctx,
1731  psprintf("toast value %u is external but relation has no toast relation",
1732  toast_pointer.va_valueid));
1733  return true;
1734  }
1735 
1736  /* If we were told to skip toast checking, then we're done. */
1737  if (ctx->toast_rel == NULL)
1738  return true;
1739 
1740  /*
1741  * If this tuple is eligible to be pruned, we cannot check the toast.
1742  * Otherwise, we push a copy of the toast tuple so we can check it after
1743  * releasing the main table buffer lock.
1744  */
1745  if (!ctx->tuple_could_be_pruned)
1746  {
1747  ToastedAttribute *ta;
1748 
1749  ta = (ToastedAttribute *) palloc0(sizeof(ToastedAttribute));
1750 
1752  ta->blkno = ctx->blkno;
1753  ta->offnum = ctx->offnum;
1754  ta->attnum = ctx->attnum;
1756  }
1757 
1758  return true;
1759 }
uint8_t uint8
Definition: c.h:483
uint16_t uint16
Definition: c.h:484
#define VARATT_EXTERNAL_GET_POINTER(toast_pointer, attr)
Definition: detoast.h:22
#define HEAP_HASNULL
Definition: htup_details.h:190
#define HEAP_HASEXTERNAL
Definition: htup_details.h:192
if(TABLE==NULL||TABLE_index==NULL)
Definition: isn.c:76
List * lappend(List *list, void *datum)
Definition: list.c:339
void * palloc0(Size size)
Definition: mcxt.c:1347
FormData_pg_attribute * Form_pg_attribute
Definition: pg_attribute.h:209
uintptr_t Datum
Definition: postgres.h:64
BlockNumber blkno
List * toasted_attributes
OffsetNumber offnum
HeapTupleHeader tuphdr
bits8 t_bits[FLEXIBLE_ARRAY_MEMBER]
Definition: htup_details.h:178
Form_pg_class rd_rel
Definition: rel.h:111
AttrNumber attnum
Definition: verify_heapam.c:78
OffsetNumber offnum
Definition: verify_heapam.c:77
BlockNumber blkno
Definition: verify_heapam.c:76
Definition: c.h:641
ToastCompressionId
@ TOAST_INVALID_COMPRESSION_ID
@ TOAST_LZ4_COMPRESSION_ID
@ TOAST_PGLZ_COMPRESSION_ID
#define TOAST_COMPRESS_METHOD(ptr)
#define TupleDescAttr(tupdesc, i)
Definition: tupdesc.h:92
#define att_align_pointer(cur_offset, attalign, attlen, attptr)
Definition: tupmacs.h:107
#define att_align_nominal(cur_offset, attalign)
Definition: tupmacs.h:129
static bool att_isnull(int ATT, const bits8 *BITS)
Definition: tupmacs.h:26
#define att_addlength_pointer(cur_offset, attlen, attptr)
Definition: tupmacs.h:157
#define fetchatt(A, T)
Definition: tupmacs.h:46
#define VARATT_EXTERNAL_IS_COMPRESSED(toast_pointer)
Definition: varatt.h:354
#define VARTAG_EXTERNAL(PTR)
Definition: varatt.h:284
#define VARATT_IS_EXTERNAL(PTR)
Definition: varatt.h:289
@ VARTAG_ONDISK
Definition: varatt.h:89
#define VARLENA_SIZE_LIMIT
Definition: verify_heapam.c:38

References att_addlength_pointer, att_align_nominal, att_align_pointer, att_isnull(), ToastedAttribute::attnum, HeapCheckContext::attnum, ToastedAttribute::blkno, HeapCheckContext::blkno, DatumGetPointer(), fetchatt, HEAP_HASEXTERNAL, HEAP_HASNULL, if(), lappend(), HeapCheckContext::lp_len, ToastedAttribute::offnum, HeapCheckContext::offnum, HeapCheckContext::offset, palloc0(), psprintf(), RelationData::rd_rel, HeapCheckContext::rel, RelationGetDescr, report_corruption(), HeapTupleHeaderData::t_bits, HeapTupleHeaderData::t_hoff, HeapTupleHeaderData::t_infomask, TOAST_COMPRESS_METHOD, TOAST_INVALID_COMPRESSION_ID, TOAST_LZ4_COMPRESSION_ID, TOAST_PGLZ_COMPRESSION_ID, ToastedAttribute::toast_pointer, HeapCheckContext::toast_rel, HeapCheckContext::toasted_attributes, HeapCheckContext::tuphdr, HeapCheckContext::tuple_could_be_pruned, TupleDescAttr, varatt_external::va_rawsize, varatt_external::va_valueid, VARATT_EXTERNAL_GET_POINTER, VARATT_EXTERNAL_IS_COMPRESSED, VARATT_IS_EXTERNAL, VARLENA_SIZE_LIMIT, VARTAG_EXTERNAL, and VARTAG_ONDISK.

Referenced by check_tuple().

◆ check_tuple_header()

static bool check_tuple_header ( HeapCheckContext ctx)
static

Definition at line 907 of file verify_heapam.c.

908 {
909  HeapTupleHeader tuphdr = ctx->tuphdr;
910  uint16 infomask = tuphdr->t_infomask;
911  TransactionId curr_xmax = HeapTupleHeaderGetUpdateXid(tuphdr);
912  bool result = true;
913  unsigned expected_hoff;
914 
915  if (ctx->tuphdr->t_hoff > ctx->lp_len)
916  {
917  report_corruption(ctx,
918  psprintf("data begins at offset %u beyond the tuple length %u",
919  ctx->tuphdr->t_hoff, ctx->lp_len));
920  result = false;
921  }
922 
923  if ((ctx->tuphdr->t_infomask & HEAP_XMAX_COMMITTED) &&
925  {
926  report_corruption(ctx,
927  pstrdup("multixact should not be marked committed"));
928 
929  /*
930  * This condition is clearly wrong, but it's not enough to justify
931  * skipping further checks, because we don't rely on this to determine
932  * whether the tuple is visible or to interpret other relevant header
933  * fields.
934  */
935  }
936 
937  if (!TransactionIdIsValid(curr_xmax) &&
939  {
940  report_corruption(ctx,
941  psprintf("tuple has been HOT updated, but xmax is 0"));
942 
943  /*
944  * As above, even though this shouldn't happen, it's not sufficient
945  * justification for skipping further checks, we should still be able
946  * to perform sensibly.
947  */
948  }
949 
950  if (HeapTupleHeaderIsHeapOnly(tuphdr) &&
951  ((tuphdr->t_infomask & HEAP_UPDATED) == 0))
952  {
953  report_corruption(ctx,
954  psprintf("tuple is heap only, but not the result of an update"));
955 
956  /* Here again, we can still perform further checks. */
957  }
958 
959  if (infomask & HEAP_HASNULL)
960  expected_hoff = MAXALIGN(SizeofHeapTupleHeader + BITMAPLEN(ctx->natts));
961  else
962  expected_hoff = MAXALIGN(SizeofHeapTupleHeader);
963  if (ctx->tuphdr->t_hoff != expected_hoff)
964  {
965  if ((infomask & HEAP_HASNULL) && ctx->natts == 1)
966  report_corruption(ctx,
967  psprintf("tuple data should begin at byte %u, but actually begins at byte %u (1 attribute, has nulls)",
968  expected_hoff, ctx->tuphdr->t_hoff));
969  else if ((infomask & HEAP_HASNULL))
970  report_corruption(ctx,
971  psprintf("tuple data should begin at byte %u, but actually begins at byte %u (%u attributes, has nulls)",
972  expected_hoff, ctx->tuphdr->t_hoff, ctx->natts));
973  else if (ctx->natts == 1)
974  report_corruption(ctx,
975  psprintf("tuple data should begin at byte %u, but actually begins at byte %u (1 attribute, no nulls)",
976  expected_hoff, ctx->tuphdr->t_hoff));
977  else
978  report_corruption(ctx,
979  psprintf("tuple data should begin at byte %u, but actually begins at byte %u (%u attributes, no nulls)",
980  expected_hoff, ctx->tuphdr->t_hoff, ctx->natts));
981  result = false;
982  }
983 
984  return result;
985 }
#define MAXALIGN(LEN)
Definition: c.h:765
uint32 TransactionId
Definition: c.h:606
#define SizeofHeapTupleHeader
Definition: htup_details.h:185
#define HeapTupleHeaderIsHeapOnly(tup)
Definition: htup_details.h:499
#define BITMAPLEN(NATTS)
Definition: htup_details.h:545
#define HEAP_XMAX_IS_MULTI
Definition: htup_details.h:209
#define HEAP_XMAX_COMMITTED
Definition: htup_details.h:207
#define HEAP_UPDATED
Definition: htup_details.h:210
#define HeapTupleHeaderGetUpdateXid(tup)
Definition: htup_details.h:361
#define HeapTupleHeaderIsHotUpdated(tup)
Definition: htup_details.h:482
char * pstrdup(const char *in)
Definition: mcxt.c:1696

References BITMAPLEN, HEAP_HASNULL, HEAP_UPDATED, HEAP_XMAX_COMMITTED, HEAP_XMAX_IS_MULTI, HeapTupleHeaderGetUpdateXid, HeapTupleHeaderIsHeapOnly, HeapTupleHeaderIsHotUpdated, HeapCheckContext::lp_len, MAXALIGN, HeapCheckContext::natts, psprintf(), pstrdup(), report_corruption(), SizeofHeapTupleHeader, HeapTupleHeaderData::t_hoff, HeapTupleHeaderData::t_infomask, TransactionIdIsValid, and HeapCheckContext::tuphdr.

Referenced by check_tuple().

◆ check_tuple_visibility()

static bool check_tuple_visibility ( HeapCheckContext ctx,
bool *  xmin_commit_status_ok,
XidCommitStatus xmin_commit_status 
)
static

Definition at line 1020 of file verify_heapam.c.

1022 {
1023  TransactionId xmin;
1024  TransactionId xvac;
1025  TransactionId xmax;
1026  XidCommitStatus xmin_status;
1027  XidCommitStatus xvac_status;
1028  XidCommitStatus xmax_status;
1029  HeapTupleHeader tuphdr = ctx->tuphdr;
1030 
1031  ctx->tuple_could_be_pruned = true; /* have not yet proven otherwise */
1032  *xmin_commit_status_ok = false; /* have not yet proven otherwise */
1033 
1034  /* If xmin is normal, it should be within valid range */
1035  xmin = HeapTupleHeaderGetXmin(tuphdr);
1036  switch (get_xid_status(xmin, ctx, &xmin_status))
1037  {
1038  case XID_INVALID:
1039  /* Could be the result of a speculative insertion that aborted. */
1040  return false;
1041  case XID_BOUNDS_OK:
1042  *xmin_commit_status_ok = true;
1043  *xmin_commit_status = xmin_status;
1044  break;
1045  case XID_IN_FUTURE:
1046  report_corruption(ctx,
1047  psprintf("xmin %u equals or exceeds next valid transaction ID %u:%u",
1048  xmin,
1051  return false;
1053  report_corruption(ctx,
1054  psprintf("xmin %u precedes oldest valid transaction ID %u:%u",
1055  xmin,
1058  return false;
1059  case XID_PRECEDES_RELMIN:
1060  report_corruption(ctx,
1061  psprintf("xmin %u precedes relation freeze threshold %u:%u",
1062  xmin,
1065  return false;
1066  }
1067 
1068  /*
1069  * Has inserting transaction committed?
1070  */
1071  if (!HeapTupleHeaderXminCommitted(tuphdr))
1072  {
1073  if (HeapTupleHeaderXminInvalid(tuphdr))
1074  return false; /* inserter aborted, don't check */
1075  /* Used by pre-9.0 binary upgrades */
1076  else if (tuphdr->t_infomask & HEAP_MOVED_OFF)
1077  {
1078  xvac = HeapTupleHeaderGetXvac(tuphdr);
1079 
1080  switch (get_xid_status(xvac, ctx, &xvac_status))
1081  {
1082  case XID_INVALID:
1083  report_corruption(ctx,
1084  pstrdup("old-style VACUUM FULL transaction ID for moved off tuple is invalid"));
1085  return false;
1086  case XID_IN_FUTURE:
1087  report_corruption(ctx,
1088  psprintf("old-style VACUUM FULL transaction ID %u for moved off tuple equals or exceeds next valid transaction ID %u:%u",
1089  xvac,
1092  return false;
1093  case XID_PRECEDES_RELMIN:
1094  report_corruption(ctx,
1095  psprintf("old-style VACUUM FULL transaction ID %u for moved off tuple precedes relation freeze threshold %u:%u",
1096  xvac,
1099  return false;
1101  report_corruption(ctx,
1102  psprintf("old-style VACUUM FULL transaction ID %u for moved off tuple precedes oldest valid transaction ID %u:%u",
1103  xvac,
1106  return false;
1107  case XID_BOUNDS_OK:
1108  break;
1109  }
1110 
1111  switch (xvac_status)
1112  {
1113  case XID_IS_CURRENT_XID:
1114  report_corruption(ctx,
1115  psprintf("old-style VACUUM FULL transaction ID %u for moved off tuple matches our current transaction ID",
1116  xvac));
1117  return false;
1118  case XID_IN_PROGRESS:
1119  report_corruption(ctx,
1120  psprintf("old-style VACUUM FULL transaction ID %u for moved off tuple appears to be in progress",
1121  xvac));
1122  return false;
1123 
1124  case XID_COMMITTED:
1125 
1126  /*
1127  * The tuple is dead, because the xvac transaction moved
1128  * it off and committed. It's checkable, but also
1129  * prunable.
1130  */
1131  return true;
1132 
1133  case XID_ABORTED:
1134 
1135  /*
1136  * The original xmin must have committed, because the xvac
1137  * transaction tried to move it later. Since xvac is
1138  * aborted, whether it's still alive now depends on the
1139  * status of xmax.
1140  */
1141  break;
1142  }
1143  }
1144  /* Used by pre-9.0 binary upgrades */
1145  else if (tuphdr->t_infomask & HEAP_MOVED_IN)
1146  {
1147  xvac = HeapTupleHeaderGetXvac(tuphdr);
1148 
1149  switch (get_xid_status(xvac, ctx, &xvac_status))
1150  {
1151  case XID_INVALID:
1152  report_corruption(ctx,
1153  pstrdup("old-style VACUUM FULL transaction ID for moved in tuple is invalid"));
1154  return false;
1155  case XID_IN_FUTURE:
1156  report_corruption(ctx,
1157  psprintf("old-style VACUUM FULL transaction ID %u for moved in tuple equals or exceeds next valid transaction ID %u:%u",
1158  xvac,
1161  return false;
1162  case XID_PRECEDES_RELMIN:
1163  report_corruption(ctx,
1164  psprintf("old-style VACUUM FULL transaction ID %u for moved in tuple precedes relation freeze threshold %u:%u",
1165  xvac,
1168  return false;
1170  report_corruption(ctx,
1171  psprintf("old-style VACUUM FULL transaction ID %u for moved in tuple precedes oldest valid transaction ID %u:%u",
1172  xvac,
1175  return false;
1176  case XID_BOUNDS_OK:
1177  break;
1178  }
1179 
1180  switch (xvac_status)
1181  {
1182  case XID_IS_CURRENT_XID:
1183  report_corruption(ctx,
1184  psprintf("old-style VACUUM FULL transaction ID %u for moved in tuple matches our current transaction ID",
1185  xvac));
1186  return false;
1187  case XID_IN_PROGRESS:
1188  report_corruption(ctx,
1189  psprintf("old-style VACUUM FULL transaction ID %u for moved in tuple appears to be in progress",
1190  xvac));
1191  return false;
1192 
1193  case XID_COMMITTED:
1194 
1195  /*
1196  * The original xmin must have committed, because the xvac
1197  * transaction moved it later. Whether it's still alive
1198  * now depends on the status of xmax.
1199  */
1200  break;
1201 
1202  case XID_ABORTED:
1203 
1204  /*
1205  * The tuple is dead, because the xvac transaction moved
1206  * it off and committed. It's checkable, but also
1207  * prunable.
1208  */
1209  return true;
1210  }
1211  }
1212  else if (xmin_status != XID_COMMITTED)
1213  {
1214  /*
1215  * Inserting transaction is not in progress, and not committed, so
1216  * it might have changed the TupleDesc in ways we don't know
1217  * about. Thus, don't try to check the tuple structure.
1218  *
1219  * If xmin_status happens to be XID_IS_CURRENT_XID, then in theory
1220  * any such DDL changes ought to be visible to us, so perhaps we
1221  * could check anyway in that case. But, for now, let's be
1222  * conservative and treat this like any other uncommitted insert.
1223  */
1224  return false;
1225  }
1226  }
1227 
1228  /*
1229  * Okay, the inserter committed, so it was good at some point. Now what
1230  * about the deleting transaction?
1231  */
1232 
1233  if (tuphdr->t_infomask & HEAP_XMAX_IS_MULTI)
1234  {
1235  /*
1236  * xmax is a multixact, so sanity-check the MXID. Note that we do this
1237  * prior to checking for HEAP_XMAX_INVALID or
1238  * HEAP_XMAX_IS_LOCKED_ONLY. This might therefore complain about
1239  * things that wouldn't actually be a problem during a normal scan,
1240  * but eventually we're going to have to freeze, and that process will
1241  * ignore hint bits.
1242  *
1243  * Even if the MXID is out of range, we still know that the original
1244  * insert committed, so we can check the tuple itself. However, we
1245  * can't rule out the possibility that this tuple is dead, so don't
1246  * clear ctx->tuple_could_be_pruned. Possibly we should go ahead and
1247  * clear that flag anyway if HEAP_XMAX_INVALID is set or if
1248  * HEAP_XMAX_IS_LOCKED_ONLY is true, but for now we err on the side of
1249  * avoiding possibly-bogus complaints about missing TOAST entries.
1250  */
1251  xmax = HeapTupleHeaderGetRawXmax(tuphdr);
1252  switch (check_mxid_valid_in_rel(xmax, ctx))
1253  {
1254  case XID_INVALID:
1255  report_corruption(ctx,
1256  pstrdup("multitransaction ID is invalid"));
1257  return true;
1258  case XID_PRECEDES_RELMIN:
1259  report_corruption(ctx,
1260  psprintf("multitransaction ID %u precedes relation minimum multitransaction ID threshold %u",
1261  xmax, ctx->relminmxid));
1262  return true;
1264  report_corruption(ctx,
1265  psprintf("multitransaction ID %u precedes oldest valid multitransaction ID threshold %u",
1266  xmax, ctx->oldest_mxact));
1267  return true;
1268  case XID_IN_FUTURE:
1269  report_corruption(ctx,
1270  psprintf("multitransaction ID %u equals or exceeds next valid multitransaction ID %u",
1271  xmax,
1272  ctx->next_mxact));
1273  return true;
1274  case XID_BOUNDS_OK:
1275  break;
1276  }
1277  }
1278 
1279  if (tuphdr->t_infomask & HEAP_XMAX_INVALID)
1280  {
1281  /*
1282  * This tuple is live. A concurrently running transaction could
1283  * delete it before we get around to checking the toast, but any such
1284  * running transaction is surely not less than our safe_xmin, so the
1285  * toast cannot be vacuumed out from under us.
1286  */
1287  ctx->tuple_could_be_pruned = false;
1288  return true;
1289  }
1290 
1291  if (HEAP_XMAX_IS_LOCKED_ONLY(tuphdr->t_infomask))
1292  {
1293  /*
1294  * "Deleting" xact really only locked it, so the tuple is live in any
1295  * case. As above, a concurrently running transaction could delete
1296  * it, but it cannot be vacuumed out from under us.
1297  */
1298  ctx->tuple_could_be_pruned = false;
1299  return true;
1300  }
1301 
1302  if (tuphdr->t_infomask & HEAP_XMAX_IS_MULTI)
1303  {
1304  /*
1305  * We already checked above that this multixact is within limits for
1306  * this table. Now check the update xid from this multixact.
1307  */
1308  xmax = HeapTupleGetUpdateXid(tuphdr);
1309  switch (get_xid_status(xmax, ctx, &xmax_status))
1310  {
1311  case XID_INVALID:
1312  /* not LOCKED_ONLY, so it has to have an xmax */
1313  report_corruption(ctx,
1314  pstrdup("update xid is invalid"));
1315  return true;
1316  case XID_IN_FUTURE:
1317  report_corruption(ctx,
1318  psprintf("update xid %u equals or exceeds next valid transaction ID %u:%u",
1319  xmax,
1322  return true;
1323  case XID_PRECEDES_RELMIN:
1324  report_corruption(ctx,
1325  psprintf("update xid %u precedes relation freeze threshold %u:%u",
1326  xmax,
1329  return true;
1331  report_corruption(ctx,
1332  psprintf("update xid %u precedes oldest valid transaction ID %u:%u",
1333  xmax,
1336  return true;
1337  case XID_BOUNDS_OK:
1338  break;
1339  }
1340 
1341  switch (xmax_status)
1342  {
1343  case XID_IS_CURRENT_XID:
1344  case XID_IN_PROGRESS:
1345 
1346  /*
1347  * The delete is in progress, so it cannot be visible to our
1348  * snapshot.
1349  */
1350  ctx->tuple_could_be_pruned = false;
1351  break;
1352  case XID_COMMITTED:
1353 
1354  /*
1355  * The delete committed. Whether the toast can be vacuumed
1356  * away depends on how old the deleting transaction is.
1357  */
1359  ctx->safe_xmin);
1360  break;
1361  case XID_ABORTED:
1362 
1363  /*
1364  * The delete aborted or crashed. The tuple is still live.
1365  */
1366  ctx->tuple_could_be_pruned = false;
1367  break;
1368  }
1369 
1370  /* Tuple itself is checkable even if it's dead. */
1371  return true;
1372  }
1373 
1374  /* xmax is an XID, not a MXID. Sanity check it. */
1375  xmax = HeapTupleHeaderGetRawXmax(tuphdr);
1376  switch (get_xid_status(xmax, ctx, &xmax_status))
1377  {
1378  case XID_INVALID:
1379  ctx->tuple_could_be_pruned = false;
1380  return true;
1381  case XID_IN_FUTURE:
1382  report_corruption(ctx,
1383  psprintf("xmax %u equals or exceeds next valid transaction ID %u:%u",
1384  xmax,
1387  return false; /* corrupt */
1388  case XID_PRECEDES_RELMIN:
1389  report_corruption(ctx,
1390  psprintf("xmax %u precedes relation freeze threshold %u:%u",
1391  xmax,
1394  return false; /* corrupt */
1396  report_corruption(ctx,
1397  psprintf("xmax %u precedes oldest valid transaction ID %u:%u",
1398  xmax,
1401  return false; /* corrupt */
1402  case XID_BOUNDS_OK:
1403  break;
1404  }
1405 
1406  /*
1407  * Whether the toast can be vacuumed away depends on how old the deleting
1408  * transaction is.
1409  */
1410  switch (xmax_status)
1411  {
1412  case XID_IS_CURRENT_XID:
1413  case XID_IN_PROGRESS:
1414 
1415  /*
1416  * The delete is in progress, so it cannot be visible to our
1417  * snapshot.
1418  */
1419  ctx->tuple_could_be_pruned = false;
1420  break;
1421 
1422  case XID_COMMITTED:
1423 
1424  /*
1425  * The delete committed. Whether the toast can be vacuumed away
1426  * depends on how old the deleting transaction is.
1427  */
1429  ctx->safe_xmin);
1430  break;
1431 
1432  case XID_ABORTED:
1433 
1434  /*
1435  * The delete aborted or crashed. The tuple is still live.
1436  */
1437  ctx->tuple_could_be_pruned = false;
1438  break;
1439  }
1440 
1441  /* Tuple itself is checkable even if it's dead. */
1442  return true;
1443 }
TransactionId HeapTupleGetUpdateXid(HeapTupleHeader tuple)
Definition: heapam.c:7419
#define HEAP_MOVED_OFF
Definition: htup_details.h:211
#define HEAP_XMAX_IS_LOCKED_ONLY(infomask)
Definition: htup_details.h:227
#define HeapTupleHeaderGetXvac(tup)
Definition: htup_details.h:411
#define HEAP_MOVED_IN
Definition: htup_details.h:212
#define HeapTupleHeaderGetXmin(tup)
Definition: htup_details.h:309
#define HEAP_XMAX_INVALID
Definition: htup_details.h:208
#define HeapTupleHeaderXminCommitted(tup)
Definition: htup_details.h:320
#define HeapTupleHeaderGetRawXmax(tup)
Definition: htup_details.h:371
#define HeapTupleHeaderXminInvalid(tup)
Definition: htup_details.h:325
FullTransactionId oldest_fxid
Definition: verify_heapam.c:94
FullTransactionId next_fxid
Definition: verify_heapam.c:91
FullTransactionId relfrozenfxid
TransactionId safe_xmin
Definition: verify_heapam.c:96
bool TransactionIdPrecedes(TransactionId id1, TransactionId id2)
Definition: transam.c:280
#define EpochFromFullTransactionId(x)
Definition: transam.h:47
#define XidFromFullTransactionId(x)
Definition: transam.h:48
static XidBoundsViolation check_mxid_valid_in_rel(MultiXactId mxid, HeapCheckContext *ctx)
static XidBoundsViolation get_xid_status(TransactionId xid, HeapCheckContext *ctx, XidCommitStatus *status)

References check_mxid_valid_in_rel(), EpochFromFullTransactionId, get_xid_status(), HEAP_MOVED_IN, HEAP_MOVED_OFF, HEAP_XMAX_INVALID, HEAP_XMAX_IS_LOCKED_ONLY, HEAP_XMAX_IS_MULTI, HeapTupleGetUpdateXid(), HeapTupleHeaderGetRawXmax, HeapTupleHeaderGetXmin, HeapTupleHeaderGetXvac, HeapTupleHeaderXminCommitted, HeapTupleHeaderXminInvalid, HeapCheckContext::next_fxid, HeapCheckContext::next_mxact, HeapCheckContext::oldest_fxid, HeapCheckContext::oldest_mxact, psprintf(), pstrdup(), HeapCheckContext::relfrozenfxid, HeapCheckContext::relminmxid, report_corruption(), HeapCheckContext::safe_xmin, HeapTupleHeaderData::t_infomask, TransactionIdPrecedes(), HeapCheckContext::tuphdr, HeapCheckContext::tuple_could_be_pruned, XID_ABORTED, XID_BOUNDS_OK, XID_COMMITTED, XID_IN_FUTURE, XID_IN_PROGRESS, XID_INVALID, XID_IS_CURRENT_XID, XID_PRECEDES_CLUSTERMIN, XID_PRECEDES_RELMIN, and XidFromFullTransactionId.

Referenced by check_tuple().

◆ FullTransactionIdFromXidAndCtx()

static FullTransactionId FullTransactionIdFromXidAndCtx ( TransactionId  xid,
const HeapCheckContext ctx 
)
static

Definition at line 1885 of file verify_heapam.c.

1886 {
1887  uint64 nextfxid_i;
1888  int32 diff;
1889  FullTransactionId fxid;
1890 
1894 
1895  if (!TransactionIdIsNormal(xid))
1896  return FullTransactionIdFromEpochAndXid(0, xid);
1897 
1898  nextfxid_i = U64FromFullTransactionId(ctx->next_fxid);
1899 
1900  /* compute the 32bit modulo difference */
1901  diff = (int32) (ctx->next_xid - xid);
1902 
1903  /*
1904  * In cases of corruption we might see a 32bit xid that is before epoch 0.
1905  * We can't represent that as a 64bit xid, due to 64bit xids being
1906  * unsigned integers, without the modulo arithmetic of 32bit xid. There's
1907  * no really nice way to deal with that, but it works ok enough to use
1908  * FirstNormalFullTransactionId in that case, as a freshly initdb'd
1909  * cluster already has a newer horizon.
1910  */
1911  if (diff > 0 && (nextfxid_i - FirstNormalTransactionId) < (int64) diff)
1912  {
1915  }
1916  else
1917  fxid = FullTransactionIdFromU64(nextfxid_i - diff);
1918 
1920  return fxid;
1921 }
#define Assert(condition)
Definition: c.h:812
int64_t int64
Definition: c.h:482
uint64_t uint64
Definition: c.h:486
TransactionId next_xid
Definition: verify_heapam.c:92
#define FullTransactionIdIsNormal(x)
Definition: transam.h:58
#define U64FromFullTransactionId(x)
Definition: transam.h:49
static FullTransactionId FullTransactionIdFromU64(uint64 value)
Definition: transam.h:81
#define FirstNormalTransactionId
Definition: transam.h:34
static FullTransactionId FullTransactionIdFromEpochAndXid(uint32 epoch, TransactionId xid)
Definition: transam.h:71
#define TransactionIdIsNormal(xid)
Definition: transam.h:42
#define FirstNormalFullTransactionId
Definition: transam.h:57

References Assert, EpochFromFullTransactionId, FirstNormalFullTransactionId, FirstNormalTransactionId, FullTransactionIdFromEpochAndXid(), FullTransactionIdFromU64(), FullTransactionIdIsNormal, HeapCheckContext::next_fxid, HeapCheckContext::next_xid, TransactionIdIsNormal, U64FromFullTransactionId, and XidFromFullTransactionId.

Referenced by update_cached_xid_range(), and verify_heapam().

◆ fxid_in_cached_range()

static bool fxid_in_cached_range ( FullTransactionId  fxid,
const HeapCheckContext ctx 
)
inlinestatic

Definition at line 1954 of file verify_heapam.c.

1955 {
1956  return (FullTransactionIdPrecedesOrEquals(ctx->oldest_fxid, fxid) &&
1957  FullTransactionIdPrecedes(fxid, ctx->next_fxid));
1958 }
#define FullTransactionIdPrecedesOrEquals(a, b)
Definition: transam.h:52
#define FullTransactionIdPrecedes(a, b)
Definition: transam.h:51

References FullTransactionIdPrecedes, FullTransactionIdPrecedesOrEquals, HeapCheckContext::next_fxid, and HeapCheckContext::oldest_fxid.

◆ get_xid_status()

static XidBoundsViolation get_xid_status ( TransactionId  xid,
HeapCheckContext ctx,
XidCommitStatus status 
)
static

Definition at line 2019 of file verify_heapam.c.

2021 {
2022  FullTransactionId fxid;
2023  FullTransactionId clog_horizon;
2024 
2025  /* Quick check for special xids */
2026  if (!TransactionIdIsValid(xid))
2027  return XID_INVALID;
2028  else if (xid == BootstrapTransactionId || xid == FrozenTransactionId)
2029  {
2030  if (status != NULL)
2031  *status = XID_COMMITTED;
2032  return XID_BOUNDS_OK;
2033  }
2034 
2035  /* Check if the xid is within bounds */
2036  fxid = FullTransactionIdFromXidAndCtx(xid, ctx);
2037  if (!fxid_in_cached_range(fxid, ctx))
2038  {
2039  /*
2040  * We may have been checking against stale values. Update the cached
2041  * range to be sure, and since we relied on the cached range when we
2042  * performed the full xid conversion, reconvert.
2043  */
2045  fxid = FullTransactionIdFromXidAndCtx(xid, ctx);
2046  }
2047 
2049  return XID_IN_FUTURE;
2050  if (FullTransactionIdPrecedes(fxid, ctx->oldest_fxid))
2051  return XID_PRECEDES_CLUSTERMIN;
2052  if (FullTransactionIdPrecedes(fxid, ctx->relfrozenfxid))
2053  return XID_PRECEDES_RELMIN;
2054 
2055  /* Early return if the caller does not request clog checking */
2056  if (status == NULL)
2057  return XID_BOUNDS_OK;
2058 
2059  /* Early return if we just checked this xid in a prior call */
2060  if (xid == ctx->cached_xid)
2061  {
2062  *status = ctx->cached_status;
2063  return XID_BOUNDS_OK;
2064  }
2065 
2066  *status = XID_COMMITTED;
2067  LWLockAcquire(XactTruncationLock, LW_SHARED);
2068  clog_horizon =
2070  ctx);
2071  if (FullTransactionIdPrecedesOrEquals(clog_horizon, fxid))
2072  {
2074  *status = XID_IS_CURRENT_XID;
2075  else if (TransactionIdIsInProgress(xid))
2076  *status = XID_IN_PROGRESS;
2077  else if (TransactionIdDidCommit(xid))
2078  *status = XID_COMMITTED;
2079  else
2080  *status = XID_ABORTED;
2081  }
2082  LWLockRelease(XactTruncationLock);
2083  ctx->cached_xid = xid;
2084  ctx->cached_status = *status;
2085  return XID_BOUNDS_OK;
2086 }
bool LWLockAcquire(LWLock *lock, LWLockMode mode)
Definition: lwlock.c:1168
void LWLockRelease(LWLock *lock)
Definition: lwlock.c:1781
@ LW_SHARED
Definition: lwlock.h:115
bool TransactionIdIsInProgress(TransactionId xid)
Definition: procarray.c:1402
TransactionId cached_xid
XidCommitStatus cached_status
TransactionId oldestClogXid
Definition: transam.h:253
bool TransactionIdDidCommit(TransactionId transactionId)
Definition: transam.c:126
#define FrozenTransactionId
Definition: transam.h:33
#define BootstrapTransactionId
Definition: transam.h:32
TransamVariablesData * TransamVariables
Definition: varsup.c:34
static bool fxid_in_cached_range(FullTransactionId fxid, const HeapCheckContext *ctx)
static void update_cached_xid_range(HeapCheckContext *ctx)
static FullTransactionId FullTransactionIdFromXidAndCtx(TransactionId xid, const HeapCheckContext *ctx)
bool TransactionIdIsCurrentTransactionId(TransactionId xid)
Definition: xact.c:940

Referenced by check_tuple_visibility().

◆ PG_FUNCTION_INFO_V1()

PG_FUNCTION_INFO_V1 ( verify_heapam  )

◆ report_corruption()

static void report_corruption ( HeapCheckContext ctx,
char *  msg 
)
static

Definition at line 859 of file verify_heapam.c.

860 {
862  ctx->offnum, ctx->attnum, msg);
863  ctx->is_corrupt = true;
864 }
Tuplestorestate * tupstore
static void report_corruption_internal(Tuplestorestate *tupstore, TupleDesc tupdesc, BlockNumber blkno, OffsetNumber offnum, AttrNumber attnum, char *msg)

References HeapCheckContext::attnum, HeapCheckContext::blkno, HeapCheckContext::is_corrupt, HeapCheckContext::offnum, report_corruption_internal(), HeapCheckContext::tupdesc, and HeapCheckContext::tupstore.

Referenced by check_tuple(), check_tuple_attribute(), check_tuple_header(), check_tuple_visibility(), and verify_heapam().

◆ report_corruption_internal()

static void report_corruption_internal ( Tuplestorestate tupstore,
TupleDesc  tupdesc,
BlockNumber  blkno,
OffsetNumber  offnum,
AttrNumber  attnum,
char *  msg 
)
static

Definition at line 823 of file verify_heapam.c.

826 {
828  bool nulls[HEAPCHECK_RELATION_COLS] = {0};
829  HeapTuple tuple;
830 
831  values[0] = Int64GetDatum(blkno);
832  values[1] = Int32GetDatum(offnum);
834  nulls[2] = (attnum < 0);
835  values[3] = CStringGetTextDatum(msg);
836 
837  /*
838  * In principle, there is nothing to prevent a scan over a large, highly
839  * corrupted table from using work_mem worth of memory building up the
840  * tuplestore. That's ok, but if we also leak the msg argument memory
841  * until the end of the query, we could exceed work_mem by more than a
842  * trivial amount. Therefore, free the msg argument each time we are
843  * called rather than waiting for our current memory context to be freed.
844  */
845  pfree(msg);
846 
847  tuple = heap_form_tuple(tupdesc, values, nulls);
848  tuplestore_puttuple(tupstore, tuple);
849 }
static Datum values[MAXATTR]
Definition: bootstrap.c:151
#define CStringGetTextDatum(s)
Definition: builtins.h:97
Datum Int64GetDatum(int64 X)
Definition: fmgr.c:1807
HeapTuple heap_form_tuple(TupleDesc tupleDescriptor, const Datum *values, const bool *isnull)
Definition: heaptuple.c:1116
void pfree(void *pointer)
Definition: mcxt.c:1521
int16 attnum
Definition: pg_attribute.h:74
static Datum Int32GetDatum(int32 X)
Definition: postgres.h:212
void tuplestore_puttuple(Tuplestorestate *state, HeapTuple tuple)
Definition: tuplestore.c:764
#define HEAPCHECK_RELATION_COLS
Definition: verify_heapam.c:35

References attnum, CStringGetTextDatum, heap_form_tuple(), HEAPCHECK_RELATION_COLS, Int32GetDatum(), Int64GetDatum(), pfree(), tuplestore_puttuple(), and values.

Referenced by report_corruption(), and report_toast_corruption().

◆ report_toast_corruption()

static void report_toast_corruption ( HeapCheckContext ctx,
ToastedAttribute ta,
char *  msg 
)
static

◆ update_cached_mxid_range()

static void update_cached_mxid_range ( HeapCheckContext ctx)
static

Definition at line 1944 of file verify_heapam.c.

1945 {
1947 }
void ReadMultiXactIdRange(MultiXactId *oldest, MultiXactId *next)
Definition: multixact.c:791

References HeapCheckContext::next_mxact, HeapCheckContext::oldest_mxact, and ReadMultiXactIdRange().

Referenced by check_mxid_valid_in_rel(), and verify_heapam().

◆ update_cached_xid_range()

static void update_cached_xid_range ( HeapCheckContext ctx)
static

Definition at line 1927 of file verify_heapam.c.

1928 {
1929  /* Make cached copies */
1930  LWLockAcquire(XidGenLock, LW_SHARED);
1933  LWLockRelease(XidGenLock);
1934 
1935  /* And compute alternate versions of the same */
1938 }
TransactionId oldest_xid
Definition: verify_heapam.c:93
FullTransactionId nextXid
Definition: transam.h:220
TransactionId oldestXid
Definition: transam.h:222

References FullTransactionIdFromXidAndCtx(), LW_SHARED, LWLockAcquire(), LWLockRelease(), HeapCheckContext::next_fxid, HeapCheckContext::next_xid, TransamVariablesData::nextXid, HeapCheckContext::oldest_fxid, HeapCheckContext::oldest_xid, TransamVariablesData::oldestXid, TransamVariables, and XidFromFullTransactionId.

Referenced by verify_heapam().

◆ verify_heapam()

Datum verify_heapam ( PG_FUNCTION_ARGS  )

Definition at line 221 of file verify_heapam.c.

222 {
223  ReturnSetInfo *rsinfo = (ReturnSetInfo *) fcinfo->resultinfo;
224  HeapCheckContext ctx;
225  Buffer vmbuffer = InvalidBuffer;
226  Oid relid;
227  bool on_error_stop;
228  bool check_toast;
229  SkipPages skip_option = SKIP_PAGES_NONE;
230  BlockNumber first_block;
231  BlockNumber last_block;
232  BlockNumber nblocks;
233  const char *skip;
234 
235  /* Check supplied arguments */
236  if (PG_ARGISNULL(0))
237  ereport(ERROR,
238  (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
239  errmsg("relation cannot be null")));
240  relid = PG_GETARG_OID(0);
241 
242  if (PG_ARGISNULL(1))
243  ereport(ERROR,
244  (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
245  errmsg("on_error_stop cannot be null")));
246  on_error_stop = PG_GETARG_BOOL(1);
247 
248  if (PG_ARGISNULL(2))
249  ereport(ERROR,
250  (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
251  errmsg("check_toast cannot be null")));
252  check_toast = PG_GETARG_BOOL(2);
253 
254  if (PG_ARGISNULL(3))
255  ereport(ERROR,
256  (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
257  errmsg("skip cannot be null")));
259  if (pg_strcasecmp(skip, "all-visible") == 0)
260  skip_option = SKIP_PAGES_ALL_VISIBLE;
261  else if (pg_strcasecmp(skip, "all-frozen") == 0)
262  skip_option = SKIP_PAGES_ALL_FROZEN;
263  else if (pg_strcasecmp(skip, "none") == 0)
264  skip_option = SKIP_PAGES_NONE;
265  else
266  ereport(ERROR,
267  (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
268  errmsg("invalid skip option"),
269  errhint("Valid skip options are \"all-visible\", \"all-frozen\", and \"none\".")));
270 
271  memset(&ctx, 0, sizeof(HeapCheckContext));
272  ctx.cached_xid = InvalidTransactionId;
273  ctx.toasted_attributes = NIL;
274 
275  /*
276  * Any xmin newer than the xmin of our snapshot can't become all-visible
277  * while we're running.
278  */
279  ctx.safe_xmin = GetTransactionSnapshot()->xmin;
280 
281  /*
282  * If we report corruption when not examining some individual attribute,
283  * we need attnum to be reported as NULL. Set that up before any
284  * corruption reporting might happen.
285  */
286  ctx.attnum = -1;
287 
288  /* Construct the tuplestore and tuple descriptor */
289  InitMaterializedSRF(fcinfo, 0);
290  ctx.tupdesc = rsinfo->setDesc;
291  ctx.tupstore = rsinfo->setResult;
292 
293  /* Open relation, check relkind and access method */
294  ctx.rel = relation_open(relid, AccessShareLock);
295 
296  /*
297  * Check that a relation's relkind and access method are both supported.
298  */
299  if (!RELKIND_HAS_TABLE_AM(ctx.rel->rd_rel->relkind) &&
300  ctx.rel->rd_rel->relkind != RELKIND_SEQUENCE)
301  ereport(ERROR,
302  (errcode(ERRCODE_WRONG_OBJECT_TYPE),
303  errmsg("cannot check relation \"%s\"",
304  RelationGetRelationName(ctx.rel)),
305  errdetail_relkind_not_supported(ctx.rel->rd_rel->relkind)));
306 
307  /*
308  * Sequences always use heap AM, but they don't show that in the catalogs.
309  * Other relkinds might be using a different AM, so check.
310  */
311  if (ctx.rel->rd_rel->relkind != RELKIND_SEQUENCE &&
312  ctx.rel->rd_rel->relam != HEAP_TABLE_AM_OID)
313  ereport(ERROR,
314  (errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
315  errmsg("only heap AM is supported")));
316 
317  /*
318  * Early exit for unlogged relations during recovery. These will have no
319  * relation fork, so there won't be anything to check. We behave as if
320  * the relation is empty.
321  */
322  if (ctx.rel->rd_rel->relpersistence == RELPERSISTENCE_UNLOGGED &&
324  {
325  ereport(DEBUG1,
326  (errcode(ERRCODE_READ_ONLY_SQL_TRANSACTION),
327  errmsg("cannot verify unlogged relation \"%s\" during recovery, skipping",
328  RelationGetRelationName(ctx.rel))));
330  PG_RETURN_NULL();
331  }
332 
333  /* Early exit if the relation is empty */
334  nblocks = RelationGetNumberOfBlocks(ctx.rel);
335  if (!nblocks)
336  {
338  PG_RETURN_NULL();
339  }
340 
341  ctx.bstrategy = GetAccessStrategy(BAS_BULKREAD);
342  ctx.buffer = InvalidBuffer;
343  ctx.page = NULL;
344 
345  /* Validate block numbers, or handle nulls. */
346  if (PG_ARGISNULL(4))
347  first_block = 0;
348  else
349  {
350  int64 fb = PG_GETARG_INT64(4);
351 
352  if (fb < 0 || fb >= nblocks)
353  ereport(ERROR,
354  (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
355  errmsg("starting block number must be between 0 and %u",
356  nblocks - 1)));
357  first_block = (BlockNumber) fb;
358  }
359  if (PG_ARGISNULL(5))
360  last_block = nblocks - 1;
361  else
362  {
363  int64 lb = PG_GETARG_INT64(5);
364 
365  if (lb < 0 || lb >= nblocks)
366  ereport(ERROR,
367  (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
368  errmsg("ending block number must be between 0 and %u",
369  nblocks - 1)));
370  last_block = (BlockNumber) lb;
371  }
372 
373  /* Optionally open the toast relation, if any. */
374  if (ctx.rel->rd_rel->reltoastrelid && check_toast)
375  {
376  int offset;
377 
378  /* Main relation has associated toast relation */
379  ctx.toast_rel = table_open(ctx.rel->rd_rel->reltoastrelid,
381  offset = toast_open_indexes(ctx.toast_rel,
383  &(ctx.toast_indexes),
384  &(ctx.num_toast_indexes));
385  ctx.valid_toast_index = ctx.toast_indexes[offset];
386  }
387  else
388  {
389  /*
390  * Main relation has no associated toast relation, or we're
391  * intentionally skipping it.
392  */
393  ctx.toast_rel = NULL;
394  ctx.toast_indexes = NULL;
395  ctx.num_toast_indexes = 0;
396  }
397 
400  ctx.relfrozenxid = ctx.rel->rd_rel->relfrozenxid;
401  ctx.relfrozenfxid = FullTransactionIdFromXidAndCtx(ctx.relfrozenxid, &ctx);
402  ctx.relminmxid = ctx.rel->rd_rel->relminmxid;
403 
404  if (TransactionIdIsNormal(ctx.relfrozenxid))
405  ctx.oldest_xid = ctx.relfrozenxid;
406 
407  for (ctx.blkno = first_block; ctx.blkno <= last_block; ctx.blkno++)
408  {
409  OffsetNumber maxoff;
410  OffsetNumber predecessor[MaxOffsetNumber];
411  OffsetNumber successor[MaxOffsetNumber];
412  bool lp_valid[MaxOffsetNumber];
413  bool xmin_commit_status_ok[MaxOffsetNumber];
414  XidCommitStatus xmin_commit_status[MaxOffsetNumber];
415 
417 
418  memset(predecessor, 0, sizeof(OffsetNumber) * MaxOffsetNumber);
419 
420  /* Optionally skip over all-frozen or all-visible blocks */
421  if (skip_option != SKIP_PAGES_NONE)
422  {
423  int32 mapbits;
424 
425  mapbits = (int32) visibilitymap_get_status(ctx.rel, ctx.blkno,
426  &vmbuffer);
427  if (skip_option == SKIP_PAGES_ALL_FROZEN)
428  {
429  if ((mapbits & VISIBILITYMAP_ALL_FROZEN) != 0)
430  continue;
431  }
432 
433  if (skip_option == SKIP_PAGES_ALL_VISIBLE)
434  {
435  if ((mapbits & VISIBILITYMAP_ALL_VISIBLE) != 0)
436  continue;
437  }
438  }
439 
440  /* Read and lock the next page. */
441  ctx.buffer = ReadBufferExtended(ctx.rel, MAIN_FORKNUM, ctx.blkno,
442  RBM_NORMAL, ctx.bstrategy);
443  LockBuffer(ctx.buffer, BUFFER_LOCK_SHARE);
444  ctx.page = BufferGetPage(ctx.buffer);
445 
446  /* Perform tuple checks */
447  maxoff = PageGetMaxOffsetNumber(ctx.page);
448  for (ctx.offnum = FirstOffsetNumber; ctx.offnum <= maxoff;
449  ctx.offnum = OffsetNumberNext(ctx.offnum))
450  {
451  BlockNumber nextblkno;
452  OffsetNumber nextoffnum;
453 
454  successor[ctx.offnum] = InvalidOffsetNumber;
455  lp_valid[ctx.offnum] = false;
456  xmin_commit_status_ok[ctx.offnum] = false;
457  ctx.itemid = PageGetItemId(ctx.page, ctx.offnum);
458 
459  /* Skip over unused/dead line pointers */
460  if (!ItemIdIsUsed(ctx.itemid) || ItemIdIsDead(ctx.itemid))
461  continue;
462 
463  /*
464  * If this line pointer has been redirected, check that it
465  * redirects to a valid offset within the line pointer array
466  */
467  if (ItemIdIsRedirected(ctx.itemid))
468  {
469  OffsetNumber rdoffnum = ItemIdGetRedirect(ctx.itemid);
470  ItemId rditem;
471 
472  if (rdoffnum < FirstOffsetNumber)
473  {
474  report_corruption(&ctx,
475  psprintf("line pointer redirection to item at offset %u precedes minimum offset %u",
476  (unsigned) rdoffnum,
477  (unsigned) FirstOffsetNumber));
478  continue;
479  }
480  if (rdoffnum > maxoff)
481  {
482  report_corruption(&ctx,
483  psprintf("line pointer redirection to item at offset %u exceeds maximum offset %u",
484  (unsigned) rdoffnum,
485  (unsigned) maxoff));
486  continue;
487  }
488 
489  /*
490  * Since we've checked that this redirect points to a line
491  * pointer between FirstOffsetNumber and maxoff, it should now
492  * be safe to fetch the referenced line pointer. We expect it
493  * to be LP_NORMAL; if not, that's corruption.
494  */
495  rditem = PageGetItemId(ctx.page, rdoffnum);
496  if (!ItemIdIsUsed(rditem))
497  {
498  report_corruption(&ctx,
499  psprintf("redirected line pointer points to an unused item at offset %u",
500  (unsigned) rdoffnum));
501  continue;
502  }
503  else if (ItemIdIsDead(rditem))
504  {
505  report_corruption(&ctx,
506  psprintf("redirected line pointer points to a dead item at offset %u",
507  (unsigned) rdoffnum));
508  continue;
509  }
510  else if (ItemIdIsRedirected(rditem))
511  {
512  report_corruption(&ctx,
513  psprintf("redirected line pointer points to another redirected line pointer at offset %u",
514  (unsigned) rdoffnum));
515  continue;
516  }
517 
518  /*
519  * Record the fact that this line pointer has passed basic
520  * sanity checking, and also the offset number to which it
521  * points.
522  */
523  lp_valid[ctx.offnum] = true;
524  successor[ctx.offnum] = rdoffnum;
525  continue;
526  }
527 
528  /* Sanity-check the line pointer's offset and length values */
529  ctx.lp_len = ItemIdGetLength(ctx.itemid);
530  ctx.lp_off = ItemIdGetOffset(ctx.itemid);
531 
532  if (ctx.lp_off != MAXALIGN(ctx.lp_off))
533  {
534  report_corruption(&ctx,
535  psprintf("line pointer to page offset %u is not maximally aligned",
536  ctx.lp_off));
537  continue;
538  }
539  if (ctx.lp_len < MAXALIGN(SizeofHeapTupleHeader))
540  {
541  report_corruption(&ctx,
542  psprintf("line pointer length %u is less than the minimum tuple header size %u",
543  ctx.lp_len,
544  (unsigned) MAXALIGN(SizeofHeapTupleHeader)));
545  continue;
546  }
547  if (ctx.lp_off + ctx.lp_len > BLCKSZ)
548  {
549  report_corruption(&ctx,
550  psprintf("line pointer to page offset %u with length %u ends beyond maximum page offset %u",
551  ctx.lp_off,
552  ctx.lp_len,
553  (unsigned) BLCKSZ));
554  continue;
555  }
556 
557  /* It should be safe to examine the tuple's header, at least */
558  lp_valid[ctx.offnum] = true;
559  ctx.tuphdr = (HeapTupleHeader) PageGetItem(ctx.page, ctx.itemid);
560  ctx.natts = HeapTupleHeaderGetNatts(ctx.tuphdr);
561 
562  /* Ok, ready to check this next tuple */
563  check_tuple(&ctx,
564  &xmin_commit_status_ok[ctx.offnum],
565  &xmin_commit_status[ctx.offnum]);
566 
567  /*
568  * If the CTID field of this tuple seems to point to another tuple
569  * on the same page, record that tuple as the successor of this
570  * one.
571  */
572  nextblkno = ItemPointerGetBlockNumber(&(ctx.tuphdr)->t_ctid);
573  nextoffnum = ItemPointerGetOffsetNumber(&(ctx.tuphdr)->t_ctid);
574  if (nextblkno == ctx.blkno && nextoffnum != ctx.offnum &&
575  nextoffnum >= FirstOffsetNumber && nextoffnum <= maxoff)
576  successor[ctx.offnum] = nextoffnum;
577  }
578 
579  /*
580  * Update chain validation. Check each line pointer that's got a valid
581  * successor against that successor.
582  */
583  ctx.attnum = -1;
584  for (ctx.offnum = FirstOffsetNumber; ctx.offnum <= maxoff;
585  ctx.offnum = OffsetNumberNext(ctx.offnum))
586  {
587  ItemId curr_lp;
588  ItemId next_lp;
589  HeapTupleHeader curr_htup;
590  HeapTupleHeader next_htup;
591  TransactionId curr_xmin;
592  TransactionId curr_xmax;
593  TransactionId next_xmin;
594  OffsetNumber nextoffnum = successor[ctx.offnum];
595 
596  /*
597  * The current line pointer may not have a successor, either
598  * because it's not valid or because it didn't point to anything.
599  * In either case, we have to give up.
600  *
601  * If the current line pointer does point to something, it's
602  * possible that the target line pointer isn't valid. We have to
603  * give up in that case, too.
604  */
605  if (nextoffnum == InvalidOffsetNumber || !lp_valid[nextoffnum])
606  continue;
607 
608  /* We have two valid line pointers that we can examine. */
609  curr_lp = PageGetItemId(ctx.page, ctx.offnum);
610  next_lp = PageGetItemId(ctx.page, nextoffnum);
611 
612  /* Handle the cases where the current line pointer is a redirect. */
613  if (ItemIdIsRedirected(curr_lp))
614  {
615  /*
616  * We should not have set successor[ctx.offnum] to a value
617  * other than InvalidOffsetNumber unless that line pointer is
618  * LP_NORMAL.
619  */
620  Assert(ItemIdIsNormal(next_lp));
621 
622  /* Can only redirect to a HOT tuple. */
623  next_htup = (HeapTupleHeader) PageGetItem(ctx.page, next_lp);
624  if (!HeapTupleHeaderIsHeapOnly(next_htup))
625  {
626  report_corruption(&ctx,
627  psprintf("redirected line pointer points to a non-heap-only tuple at offset %u",
628  (unsigned) nextoffnum));
629  }
630 
631  /* HOT chains should not intersect. */
632  if (predecessor[nextoffnum] != InvalidOffsetNumber)
633  {
634  report_corruption(&ctx,
635  psprintf("redirect line pointer points to offset %u, but offset %u also points there",
636  (unsigned) nextoffnum, (unsigned) predecessor[nextoffnum]));
637  continue;
638  }
639 
640  /*
641  * This redirect and the tuple to which it points seem to be
642  * part of an update chain.
643  */
644  predecessor[nextoffnum] = ctx.offnum;
645  continue;
646  }
647 
648  /*
649  * If the next line pointer is a redirect, or if it's a tuple but
650  * the XMAX of this tuple doesn't match the XMIN of the next
651  * tuple, then the two aren't part of the same update chain and
652  * there is nothing more to do.
653  */
654  if (ItemIdIsRedirected(next_lp))
655  continue;
656  curr_htup = (HeapTupleHeader) PageGetItem(ctx.page, curr_lp);
657  curr_xmax = HeapTupleHeaderGetUpdateXid(curr_htup);
658  next_htup = (HeapTupleHeader) PageGetItem(ctx.page, next_lp);
659  next_xmin = HeapTupleHeaderGetXmin(next_htup);
660  if (!TransactionIdIsValid(curr_xmax) ||
661  !TransactionIdEquals(curr_xmax, next_xmin))
662  continue;
663 
664  /* HOT chains should not intersect. */
665  if (predecessor[nextoffnum] != InvalidOffsetNumber)
666  {
667  report_corruption(&ctx,
668  psprintf("tuple points to new version at offset %u, but offset %u also points there",
669  (unsigned) nextoffnum, (unsigned) predecessor[nextoffnum]));
670  continue;
671  }
672 
673  /*
674  * This tuple and the tuple to which it points seem to be part of
675  * an update chain.
676  */
677  predecessor[nextoffnum] = ctx.offnum;
678 
679  /*
680  * If the current tuple is marked as HOT-updated, then the next
681  * tuple should be marked as a heap-only tuple. Conversely, if the
682  * current tuple isn't marked as HOT-updated, then the next tuple
683  * shouldn't be marked as a heap-only tuple.
684  *
685  * NB: Can't use HeapTupleHeaderIsHotUpdated() as it checks if
686  * hint bits indicate xmin/xmax aborted.
687  */
688  if (!(curr_htup->t_infomask2 & HEAP_HOT_UPDATED) &&
689  HeapTupleHeaderIsHeapOnly(next_htup))
690  {
691  report_corruption(&ctx,
692  psprintf("non-heap-only update produced a heap-only tuple at offset %u",
693  (unsigned) nextoffnum));
694  }
695  if ((curr_htup->t_infomask2 & HEAP_HOT_UPDATED) &&
696  !HeapTupleHeaderIsHeapOnly(next_htup))
697  {
698  report_corruption(&ctx,
699  psprintf("heap-only update produced a non-heap only tuple at offset %u",
700  (unsigned) nextoffnum));
701  }
702 
703  /*
704  * If the current tuple's xmin is still in progress but the
705  * successor tuple's xmin is committed, that's corruption.
706  *
707  * NB: We recheck the commit status of the current tuple's xmin
708  * here, because it might have committed after we checked it and
709  * before we checked the commit status of the successor tuple's
710  * xmin. This should be safe because the xmin itself can't have
711  * changed, only its commit status.
712  */
713  curr_xmin = HeapTupleHeaderGetXmin(curr_htup);
714  if (xmin_commit_status_ok[ctx.offnum] &&
715  xmin_commit_status[ctx.offnum] == XID_IN_PROGRESS &&
716  xmin_commit_status_ok[nextoffnum] &&
717  xmin_commit_status[nextoffnum] == XID_COMMITTED &&
718  TransactionIdIsInProgress(curr_xmin))
719  {
720  report_corruption(&ctx,
721  psprintf("tuple with in-progress xmin %u was updated to produce a tuple at offset %u with committed xmin %u",
722  (unsigned) curr_xmin,
723  (unsigned) ctx.offnum,
724  (unsigned) next_xmin));
725  }
726 
727  /*
728  * If the current tuple's xmin is aborted but the successor
729  * tuple's xmin is in-progress or committed, that's corruption.
730  */
731  if (xmin_commit_status_ok[ctx.offnum] &&
732  xmin_commit_status[ctx.offnum] == XID_ABORTED &&
733  xmin_commit_status_ok[nextoffnum])
734  {
735  if (xmin_commit_status[nextoffnum] == XID_IN_PROGRESS)
736  report_corruption(&ctx,
737  psprintf("tuple with aborted xmin %u was updated to produce a tuple at offset %u with in-progress xmin %u",
738  (unsigned) curr_xmin,
739  (unsigned) ctx.offnum,
740  (unsigned) next_xmin));
741  else if (xmin_commit_status[nextoffnum] == XID_COMMITTED)
742  report_corruption(&ctx,
743  psprintf("tuple with aborted xmin %u was updated to produce a tuple at offset %u with committed xmin %u",
744  (unsigned) curr_xmin,
745  (unsigned) ctx.offnum,
746  (unsigned) next_xmin));
747  }
748  }
749 
750  /*
751  * An update chain can start either with a non-heap-only tuple or with
752  * a redirect line pointer, but not with a heap-only tuple.
753  *
754  * (This check is in a separate loop because we need the predecessor
755  * array to be fully populated before we can perform it.)
756  */
757  for (ctx.offnum = FirstOffsetNumber;
758  ctx.offnum <= maxoff;
759  ctx.offnum = OffsetNumberNext(ctx.offnum))
760  {
761  if (xmin_commit_status_ok[ctx.offnum] &&
762  (xmin_commit_status[ctx.offnum] == XID_COMMITTED ||
763  xmin_commit_status[ctx.offnum] == XID_IN_PROGRESS) &&
764  predecessor[ctx.offnum] == InvalidOffsetNumber)
765  {
766  ItemId curr_lp;
767 
768  curr_lp = PageGetItemId(ctx.page, ctx.offnum);
769  if (!ItemIdIsRedirected(curr_lp))
770  {
771  HeapTupleHeader curr_htup;
772 
773  curr_htup = (HeapTupleHeader)
774  PageGetItem(ctx.page, curr_lp);
775  if (HeapTupleHeaderIsHeapOnly(curr_htup))
776  report_corruption(&ctx,
777  psprintf("tuple is root of chain but is marked as heap-only tuple"));
778  }
779  }
780  }
781 
782  /* clean up */
783  UnlockReleaseBuffer(ctx.buffer);
784 
785  /*
786  * Check any toast pointers from the page whose lock we just released
787  */
788  if (ctx.toasted_attributes != NIL)
789  {
790  ListCell *cell;
791 
792  foreach(cell, ctx.toasted_attributes)
793  check_toasted_attribute(&ctx, lfirst(cell));
794  list_free_deep(ctx.toasted_attributes);
795  ctx.toasted_attributes = NIL;
796  }
797 
798  if (on_error_stop && ctx.is_corrupt)
799  break;
800  }
801 
802  if (vmbuffer != InvalidBuffer)
803  ReleaseBuffer(vmbuffer);
804 
805  /* Close the associated toast table and indexes, if any. */
806  if (ctx.toast_indexes)
807  toast_close_indexes(ctx.toast_indexes, ctx.num_toast_indexes,
809  if (ctx.toast_rel)
810  table_close(ctx.toast_rel, AccessShareLock);
811 
812  /* Close the main relation */
814 
815  PG_RETURN_NULL();
816 }
uint32 BlockNumber
Definition: block.h:31
int Buffer
Definition: buf.h:23
#define InvalidBuffer
Definition: buf.h:25
void ReleaseBuffer(Buffer buffer)
Definition: bufmgr.c:4924
void UnlockReleaseBuffer(Buffer buffer)
Definition: bufmgr.c:4941
void LockBuffer(Buffer buffer, int mode)
Definition: bufmgr.c:5158
Buffer ReadBufferExtended(Relation reln, ForkNumber forkNum, BlockNumber blockNum, ReadBufferMode mode, BufferAccessStrategy strategy)
Definition: bufmgr.c:793
@ BAS_BULKREAD
Definition: bufmgr.h:36
#define BUFFER_LOCK_SHARE
Definition: bufmgr.h:190
#define RelationGetNumberOfBlocks(reln)
Definition: bufmgr.h:273
static Page BufferGetPage(Buffer buffer)
Definition: bufmgr.h:400
@ RBM_NORMAL
Definition: bufmgr.h:45
static Item PageGetItem(Page page, ItemId itemId)
Definition: bufpage.h:354
static ItemId PageGetItemId(Page page, OffsetNumber offsetNumber)
Definition: bufpage.h:243
static OffsetNumber PageGetMaxOffsetNumber(Page page)
Definition: bufpage.h:372
int errhint(const char *fmt,...)
Definition: elog.c:1317
int errcode(int sqlerrcode)
Definition: elog.c:853
int errmsg(const char *fmt,...)
Definition: elog.c:1070
#define DEBUG1
Definition: elog.h:30
#define ERROR
Definition: elog.h:39
#define ereport(elevel,...)
Definition: elog.h:149
#define PG_GETARG_OID(n)
Definition: fmgr.h:275
#define PG_GETARG_TEXT_PP(n)
Definition: fmgr.h:309
#define PG_ARGISNULL(n)
Definition: fmgr.h:209
#define PG_RETURN_NULL()
Definition: fmgr.h:345
#define PG_GETARG_INT64(n)
Definition: fmgr.h:283
#define PG_GETARG_BOOL(n)
Definition: fmgr.h:274
BufferAccessStrategy GetAccessStrategy(BufferAccessStrategyType btype)
Definition: freelist.c:541
void InitMaterializedSRF(FunctionCallInfo fcinfo, bits32 flags)
Definition: funcapi.c:76
HeapTupleHeaderData * HeapTupleHeader
Definition: htup.h:23
#define HeapTupleHeaderGetNatts(tup)
Definition: htup_details.h:529
#define HEAP_HOT_UPDATED
Definition: htup_details.h:276
#define ItemIdGetLength(itemId)
Definition: itemid.h:59
#define ItemIdIsNormal(itemId)
Definition: itemid.h:99
#define ItemIdGetOffset(itemId)
Definition: itemid.h:65
#define ItemIdGetRedirect(itemId)
Definition: itemid.h:78
#define ItemIdIsDead(itemId)
Definition: itemid.h:113
#define ItemIdIsUsed(itemId)
Definition: itemid.h:92
#define ItemIdIsRedirected(itemId)
Definition: itemid.h:106
static OffsetNumber ItemPointerGetOffsetNumber(const ItemPointerData *pointer)
Definition: itemptr.h:124
static BlockNumber ItemPointerGetBlockNumber(const ItemPointerData *pointer)
Definition: itemptr.h:103
void list_free_deep(List *list)
Definition: list.c:1560
#define AccessShareLock
Definition: lockdefs.h:36
#define CHECK_FOR_INTERRUPTS()
Definition: miscadmin.h:122
#define InvalidOffsetNumber
Definition: off.h:26
#define OffsetNumberNext(offsetNumber)
Definition: off.h:52
uint16 OffsetNumber
Definition: off.h:24
#define FirstOffsetNumber
Definition: off.h:27
#define MaxOffsetNumber
Definition: off.h:28
static const struct exclude_list_item skip[]
Definition: pg_checksums.c:107
int errdetail_relkind_not_supported(char relkind)
Definition: pg_class.c:24
#define lfirst(lc)
Definition: pg_list.h:172
#define NIL
Definition: pg_list.h:68
int pg_strcasecmp(const char *s1, const char *s2)
Definition: pgstrcasecmp.c:36
unsigned int Oid
Definition: postgres_ext.h:31
static int fb(int x)
Definition: preproc-init.c:92
#define RelationGetRelationName(relation)
Definition: rel.h:539
@ MAIN_FORKNUM
Definition: relpath.h:58
Snapshot GetTransactionSnapshot(void)
Definition: snapmgr.c:216
void relation_close(Relation relation, LOCKMODE lockmode)
Definition: relation.c:205
Relation relation_open(Oid relationId, LOCKMODE lockmode)
Definition: relation.c:47
TupleDesc setDesc
Definition: execnodes.h:343
Tuplestorestate * setResult
Definition: execnodes.h:342
TransactionId xmin
Definition: snapshot.h:157
void table_close(Relation relation, LOCKMODE lockmode)
Definition: table.c:126
Relation table_open(Oid relationId, LOCKMODE lockmode)
Definition: table.c:40
void toast_close_indexes(Relation *toastidxs, int num_indexes, LOCKMODE lock)
int toast_open_indexes(Relation toastrel, LOCKMODE lock, Relation **toastidxs, int *num_indexes)
#define InvalidTransactionId
Definition: transam.h:31
#define TransactionIdEquals(id1, id2)
Definition: transam.h:43
char * text_to_cstring(const text *t)
Definition: varlena.c:217
static void check_toasted_attribute(HeapCheckContext *ctx, ToastedAttribute *ta)
static void check_tuple(HeapCheckContext *ctx, bool *xmin_commit_status_ok, XidCommitStatus *xmin_commit_status)
uint8 visibilitymap_get_status(Relation rel, BlockNumber heapBlk, Buffer *vmbuf)
#define VISIBILITYMAP_ALL_FROZEN
#define VISIBILITYMAP_ALL_VISIBLE
bool RecoveryInProgress(void)
Definition: xlog.c:6334

References AccessShareLock, Assert, BAS_BULKREAD, BUFFER_LOCK_SHARE, BufferGetPage(), CHECK_FOR_INTERRUPTS, check_toasted_attribute(), check_tuple(), DEBUG1, ereport, errcode(), errdetail_relkind_not_supported(), errhint(), errmsg(), ERROR, fb(), FirstOffsetNumber, FullTransactionIdFromXidAndCtx(), GetAccessStrategy(), GetTransactionSnapshot(), HEAP_HOT_UPDATED, HeapTupleHeaderGetNatts, HeapTupleHeaderGetUpdateXid, HeapTupleHeaderGetXmin, HeapTupleHeaderIsHeapOnly, if(), InitMaterializedSRF(), InvalidBuffer, InvalidOffsetNumber, InvalidTransactionId, ItemIdGetLength, ItemIdGetOffset, ItemIdGetRedirect, ItemIdIsDead, ItemIdIsNormal, ItemIdIsRedirected, ItemIdIsUsed, ItemPointerGetBlockNumber(), ItemPointerGetOffsetNumber(), lfirst, list_free_deep(), LockBuffer(), MAIN_FORKNUM, MAXALIGN, MaxOffsetNumber, NIL, OffsetNumberNext, PageGetItem(), PageGetItemId(), PageGetMaxOffsetNumber(), PG_ARGISNULL, PG_GETARG_BOOL, PG_GETARG_INT64, PG_GETARG_OID, PG_GETARG_TEXT_PP, PG_RETURN_NULL, pg_strcasecmp(), psprintf(), RBM_NORMAL, ReadBufferExtended(), RecoveryInProgress(), relation_close(), relation_open(), RelationGetNumberOfBlocks, RelationGetRelationName, ReleaseBuffer(), report_corruption(), ReturnSetInfo::setDesc, ReturnSetInfo::setResult, SizeofHeapTupleHeader, skip, SKIP_PAGES_ALL_FROZEN, SKIP_PAGES_ALL_VISIBLE, SKIP_PAGES_NONE, HeapTupleHeaderData::t_infomask2, table_close(), table_open(), text_to_cstring(), toast_close_indexes(), toast_open_indexes(), TransactionIdEquals, TransactionIdIsInProgress(), TransactionIdIsNormal, TransactionIdIsValid, UnlockReleaseBuffer(), update_cached_mxid_range(), update_cached_xid_range(), VISIBILITYMAP_ALL_FROZEN, VISIBILITYMAP_ALL_VISIBLE, visibilitymap_get_status(), XID_ABORTED, XID_COMMITTED, XID_IN_PROGRESS, and SnapshotData::xmin.