PostgreSQL Source Code git master
All Data Structures Namespaces Files Functions Variables Typedefs Enumerations Enumerator Macros Pages
verify_heapam.c
Go to the documentation of this file.
1/*-------------------------------------------------------------------------
2 *
3 * verify_heapam.c
4 * Functions to check postgresql heap relations for corruption
5 *
6 * Copyright (c) 2016-2025, PostgreSQL Global Development Group
7 *
8 * contrib/amcheck/verify_heapam.c
9 *-------------------------------------------------------------------------
10 */
11#include "postgres.h"
12
13#include "access/detoast.h"
14#include "access/genam.h"
15#include "access/heaptoast.h"
16#include "access/multixact.h"
17#include "access/relation.h"
18#include "access/table.h"
19#include "access/toast_internals.h"
20#include "access/visibilitymap.h"
21#include "access/xact.h"
22#include "catalog/pg_am.h"
23#include "catalog/pg_class.h"
24#include "funcapi.h"
25#include "miscadmin.h"
26#include "storage/bufmgr.h"
27#include "storage/procarray.h"
28#include "storage/read_stream.h"
29#include "utils/builtins.h"
30#include "utils/fmgroids.h"
31#include "utils/rel.h"
32
33PG_FUNCTION_INFO_V1(verify_heapam);
34
35/* The number of columns in tuples returned by verify_heapam */
36#define HEAPCHECK_RELATION_COLS 4
37
38/* The largest valid toast va_rawsize */
39#define VARLENA_SIZE_LIMIT 0x3FFFFFFF
40
41/*
42 * Despite the name, we use this for reporting problems with both XIDs and
43 * MXIDs.
44 */
45typedef enum XidBoundsViolation
46{
47 XID_INVALID,
48 XID_IN_FUTURE,
49 XID_PRECEDES_CLUSTERMIN,
50 XID_PRECEDES_RELMIN,
51 XID_BOUNDS_OK,
52} XidBoundsViolation;
53
54typedef enum XidCommitStatus
55{
56 XID_COMMITTED,
57 XID_IS_CURRENT_XID,
58 XID_IN_PROGRESS,
59 XID_ABORTED,
60} XidCommitStatus;
61
62typedef enum SkipPages
63{
64 SKIP_PAGES_ALL_FROZEN,
65 SKIP_PAGES_ALL_VISIBLE,
66 SKIP_PAGES_NONE,
67} SkipPages;
68
69/*
70 * Struct holding information about a toasted attribute sufficient to both
71 * check the toasted attribute and, if found to be corrupt, to report where it
72 * was encountered in the main table.
73 */
74typedef struct ToastedAttribute
75{
76 struct varatt_external toast_pointer;
77 BlockNumber blkno; /* block in main table */
78 OffsetNumber offnum; /* offset in main table */
79 AttrNumber attnum; /* attribute in main table */
80} ToastedAttribute;
81
82/*
83 * Struct holding the running context information during
84 * a lifetime of a verify_heapam execution.
85 */
86typedef struct HeapCheckContext
87{
88 /*
89 * Cached copies of values from TransamVariables and computed values from
90 * them.
91 */
92 FullTransactionId next_fxid; /* TransamVariables->nextXid */
93 TransactionId next_xid; /* 32-bit version of next_fxid */
94 TransactionId oldest_xid; /* TransamVariables->oldestXid */
95 FullTransactionId oldest_fxid; /* 64-bit version of oldest_xid, computed
96 * relative to next_fxid */
97 TransactionId safe_xmin; /* this XID and newer ones can't become
98 * all-visible while we're running */
99
100 /*
101 * Cached copy of value from MultiXactState
102 */
103 MultiXactId next_mxact; /* MultiXactState->nextMXact */
104 MultiXactId oldest_mxact; /* MultiXactState->oldestMultiXactId */
105
106 /*
107 * Cached copies of the most recently checked xid and its status.
108 */
109 TransactionId cached_xid;
110 XidCommitStatus cached_status;
111
112 /* Values concerning the heap relation being checked */
113 Relation rel;
114 TransactionId relfrozenxid;
115 FullTransactionId relfrozenfxid;
116 TransactionId relminmxid;
117 Relation toast_rel;
118 Relation *toast_indexes;
119 Relation valid_toast_index;
120 int num_toast_indexes;
121
122 /*
123 * Values for iterating over pages in the relation. `blkno` is the most
124 * recent block in the buffer yielded by the read stream API.
125 */
126 BlockNumber blkno;
127 BufferAccessStrategy bstrategy;
128 Buffer buffer;
129 Page page;
130
131 /* Values for iterating over tuples within a page */
132 OffsetNumber offnum;
133 ItemId itemid;
134 uint16 lp_len;
135 uint16 lp_off;
136 HeapTupleHeader tuphdr;
137 int natts;
138
139 /* Values for iterating over attributes within the tuple */
140 uint32 offset; /* offset in tuple data */
141 AttrNumber attnum;
142
143 /* True if tuple's xmax makes it eligible for pruning */
144 bool tuple_could_be_pruned;
145
146 /*
147 * List of ToastedAttribute structs for toasted attributes which are not
148 * eligible for pruning and should be checked
149 */
150 List *toasted_attributes;
151
152 /* Whether verify_heapam has yet encountered any corrupt tuples */
153 bool is_corrupt;
154
155 /* The descriptor and tuplestore for verify_heapam's result tuples */
156 TupleDesc tupdesc;
157 Tuplestorestate *tupstore;
158} HeapCheckContext;
159
160/*
161 * The per-relation data provided to the read stream API for heap amcheck to
162 * use in its callback for the SKIP_PAGES_ALL_FROZEN and
163 * SKIP_PAGES_ALL_VISIBLE options.
164 */
165typedef struct HeapCheckReadStreamData
166{
167 /*
168 * `range` is used by all SkipPages options. SKIP_PAGES_NONE uses the
169 * default read stream callback, block_range_read_stream_cb(), which takes
170 * a BlockRangeReadStreamPrivate as its callback_private_data. `range`
171 * keeps track of the current block number across
172 * read_stream_next_buffer() invocations.
173 */
174 BlockRangeReadStreamPrivate range;
175 SkipPages skip_option;
176 Relation rel;
177 Buffer *vmbuffer;
178} HeapCheckReadStreamData;
179
180
181/* Internal implementation */
182static BlockNumber heapcheck_read_stream_next_unskippable(ReadStream *stream,
183 void *callback_private_data,
184 void *per_buffer_data);
185
186static void check_tuple(HeapCheckContext *ctx,
187 bool *xmin_commit_status_ok,
188 XidCommitStatus *xmin_commit_status);
189static void check_toast_tuple(HeapTuple toasttup, HeapCheckContext *ctx,
190 ToastedAttribute *ta, int32 *expected_chunk_seq,
191 uint32 extsize);
192
193static bool check_tuple_attribute(HeapCheckContext *ctx);
194static void check_toasted_attribute(HeapCheckContext *ctx,
195 ToastedAttribute *ta);
196
197static bool check_tuple_header(HeapCheckContext *ctx);
198static bool check_tuple_visibility(HeapCheckContext *ctx,
199 bool *xmin_commit_status_ok,
200 XidCommitStatus *xmin_commit_status);
201
202static void report_corruption(HeapCheckContext *ctx, char *msg);
203static void report_toast_corruption(HeapCheckContext *ctx,
204 ToastedAttribute *ta, char *msg);
205static FullTransactionId FullTransactionIdFromXidAndCtx(TransactionId xid,
206 const HeapCheckContext *ctx);
207static void update_cached_xid_range(HeapCheckContext *ctx);
208static void update_cached_mxid_range(HeapCheckContext *ctx);
209static XidBoundsViolation check_mxid_in_range(MultiXactId mxid,
210 HeapCheckContext *ctx);
211static XidBoundsViolation check_mxid_valid_in_rel(MultiXactId mxid,
212 HeapCheckContext *ctx);
213static XidBoundsViolation get_xid_status(TransactionId xid,
214 HeapCheckContext *ctx,
215 XidCommitStatus *status);
216
217/*
218 * Scan and report corruption in heap pages, optionally reconciling toasted
219 * attributes with entries in the associated toast table. Intended to be
220 * called from SQL with the following parameters:
221 *
222 * relation:
223 * The Oid of the heap relation to be checked.
224 *
225 * on_error_stop:
226 * Whether to stop at the end of the first page for which errors are
227 * detected. Note that multiple rows may be returned.
228 *
229 * check_toast:
230 * Whether to check each toasted attribute against the toast table to
231 * verify that it can be found there.
232 *
233 * skip:
234 * What kinds of pages in the heap relation should be skipped. Valid
235 * options are "all-visible", "all-frozen", and "none".
236 *
237 * Returns to the SQL caller a set of tuples, each containing the location
238 * and a description of a corruption found in the heap.
239 *
240 * This code goes to some trouble to avoid crashing the server even if the
241 * table pages are badly corrupted, but it's probably not perfect. If
242 * check_toast is true, we'll use regular index lookups to try to fetch TOAST
243 * tuples, which can certainly cause crashes if the right kind of corruption
244 * exists in the toast table or index. No matter what parameters you pass,
245 * we can't protect against crashes that might occur trying to look up the
246 * commit status of transaction IDs (though we avoid trying to do such lookups
247 * for transaction IDs that can't legally appear in the table).
248 */
249Datum
250verify_heapam(PG_FUNCTION_ARGS)
251{
252 ReturnSetInfo *rsinfo = (ReturnSetInfo *) fcinfo->resultinfo;
253 HeapCheckContext ctx;
254 Buffer vmbuffer = InvalidBuffer;
255 Oid relid;
256 bool on_error_stop;
257 bool check_toast;
258 SkipPages skip_option = SKIP_PAGES_NONE;
259 BlockNumber first_block;
260 BlockNumber last_block;
261 BlockNumber nblocks;
262 const char *skip;
263 ReadStream *stream;
264 int stream_flags;
265 ReadStreamBlockNumberCB stream_cb;
266 void *stream_data;
267 HeapCheckReadStreamData stream_skip_data;
268
269 /* Check supplied arguments */
270 if (PG_ARGISNULL(0))
271 ereport(ERROR,
272 (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
273 errmsg("relation cannot be null")));
274 relid = PG_GETARG_OID(0);
275
276 if (PG_ARGISNULL(1))
277 ereport(ERROR,
278 (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
279 errmsg("on_error_stop cannot be null")));
280 on_error_stop = PG_GETARG_BOOL(1);
281
282 if (PG_ARGISNULL(2))
283 ereport(ERROR,
284 (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
285 errmsg("check_toast cannot be null")));
286 check_toast = PG_GETARG_BOOL(2);
287
288 if (PG_ARGISNULL(3))
289 ereport(ERROR,
290 (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
291 errmsg("skip cannot be null")));
292 skip = text_to_cstring(PG_GETARG_TEXT_PP(3));
293 if (pg_strcasecmp(skip, "all-visible") == 0)
294 skip_option = SKIP_PAGES_ALL_VISIBLE;
295 else if (pg_strcasecmp(skip, "all-frozen") == 0)
296 skip_option = SKIP_PAGES_ALL_FROZEN;
297 else if (pg_strcasecmp(skip, "none") == 0)
298 skip_option = SKIP_PAGES_NONE;
299 else
300 ereport(ERROR,
301 (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
302 errmsg("invalid skip option"),
303 errhint("Valid skip options are \"all-visible\", \"all-frozen\", and \"none\".")));
304
305 memset(&ctx, 0, sizeof(HeapCheckContext));
306 ctx.cached_xid = InvalidTransactionId;
307 ctx.toasted_attributes = NIL;
308
309 /*
310 * Any xmin newer than the xmin of our snapshot can't become all-visible
311 * while we're running.
312 */
313 ctx.safe_xmin = GetTransactionSnapshot()->xmin;
314
315 /*
316 * If we report corruption when not examining some individual attribute,
317 * we need attnum to be reported as NULL. Set that up before any
318 * corruption reporting might happen.
319 */
320 ctx.attnum = -1;
321
322 /* Construct the tuplestore and tuple descriptor */
323 InitMaterializedSRF(fcinfo, 0);
324 ctx.tupdesc = rsinfo->setDesc;
325 ctx.tupstore = rsinfo->setResult;
326
327 /* Open relation, check relkind and access method */
328 ctx.rel = relation_open(relid, AccessShareLock);
329
330 /*
331 * Check that a relation's relkind and access method are both supported.
332 */
333 if (!RELKIND_HAS_TABLE_AM(ctx.rel->rd_rel->relkind) &&
334 ctx.rel->rd_rel->relkind != RELKIND_SEQUENCE)
335 ereport(ERROR,
336 (errcode(ERRCODE_WRONG_OBJECT_TYPE),
337 errmsg("cannot check relation \"%s\"",
338 RelationGetRelationName(ctx.rel)),
339 errdetail_relkind_not_supported(ctx.rel->rd_rel->relkind)));
340
341 /*
342 * Sequences always use heap AM, but they don't show that in the catalogs.
343 * Other relkinds might be using a different AM, so check.
344 */
345 if (ctx.rel->rd_rel->relkind != RELKIND_SEQUENCE &&
346 ctx.rel->rd_rel->relam != HEAP_TABLE_AM_OID)
347 ereport(ERROR,
348 (errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
349 errmsg("only heap AM is supported")));
350
351 /*
352 * Early exit for unlogged relations during recovery. These will have no
353 * relation fork, so there won't be anything to check. We behave as if
354 * the relation is empty.
355 */
356 if (ctx.rel->rd_rel->relpersistence == RELPERSISTENCE_UNLOGGED &&
357 RecoveryInProgress())
358 {
359 ereport(DEBUG1,
360 (errcode(ERRCODE_READ_ONLY_SQL_TRANSACTION),
361 errmsg("cannot verify unlogged relation \"%s\" during recovery, skipping",
362 RelationGetRelationName(ctx.rel))));
363 relation_close(ctx.rel, AccessShareLock);
364 PG_RETURN_NULL();
365 }
366
367 /* Early exit if the relation is empty */
368 nblocks = RelationGetNumberOfBlocks(ctx.rel);
369 if (!nblocks)
370 {
371 relation_close(ctx.rel, AccessShareLock);
372 PG_RETURN_NULL();
373 }
374
375 ctx.bstrategy = GetAccessStrategy(BAS_BULKREAD);
376 ctx.buffer = InvalidBuffer;
377 ctx.page = NULL;
378
379 /* Validate block numbers, or handle nulls. */
380 if (PG_ARGISNULL(4))
381 first_block = 0;
382 else
383 {
384 int64 fb = PG_GETARG_INT64(4);
385
386 if (fb < 0 || fb >= nblocks)
387 ereport(ERROR,
388 (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
389 errmsg("starting block number must be between 0 and %u",
390 nblocks - 1)));
391 first_block = (BlockNumber) fb;
392 }
393 if (PG_ARGISNULL(5))
394 last_block = nblocks - 1;
395 else
396 {
397 int64 lb = PG_GETARG_INT64(5);
398
399 if (lb < 0 || lb >= nblocks)
400 ereport(ERROR,
401 (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
402 errmsg("ending block number must be between 0 and %u",
403 nblocks - 1)));
404 last_block = (BlockNumber) lb;
405 }
406
407 /* Optionally open the toast relation, if any. */
408 if (ctx.rel->rd_rel->reltoastrelid && check_toast)
409 {
410 int offset;
411
412 /* Main relation has associated toast relation */
413 ctx.toast_rel = table_open(ctx.rel->rd_rel->reltoastrelid,
414 AccessShareLock);
415 offset = toast_open_indexes(ctx.toast_rel,
416 AccessShareLock,
417 &(ctx.toast_indexes),
418 &(ctx.num_toast_indexes));
419 ctx.valid_toast_index = ctx.toast_indexes[offset];
420 }
421 else
422 {
423 /*
424 * Main relation has no associated toast relation, or we're
425 * intentionally skipping it.
426 */
427 ctx.toast_rel = NULL;
428 ctx.toast_indexes = NULL;
429 ctx.num_toast_indexes = 0;
430 }
431
432 update_cached_xid_range(&ctx);
433 update_cached_mxid_range(&ctx);
434 ctx.relfrozenxid = ctx.rel->rd_rel->relfrozenxid;
435 ctx.relfrozenfxid = FullTransactionIdFromXidAndCtx(ctx.relfrozenxid, &ctx);
436 ctx.relminmxid = ctx.rel->rd_rel->relminmxid;
437
438 if (TransactionIdIsNormal(ctx.relfrozenxid))
439 ctx.oldest_xid = ctx.relfrozenxid;
440
441 /* Now that `ctx` is set up, set up the read stream */
442 stream_skip_data.range.current_blocknum = first_block;
443 stream_skip_data.range.last_exclusive = last_block + 1;
444 stream_skip_data.skip_option = skip_option;
445 stream_skip_data.rel = ctx.rel;
446 stream_skip_data.vmbuffer = &vmbuffer;
447
448 if (skip_option == SKIP_PAGES_NONE)
449 {
450 /*
451 * It is safe to use batchmode as block_range_read_stream_cb takes no
452 * locks.
453 */
454 stream_cb = block_range_read_stream_cb;
455 stream_flags = READ_STREAM_SEQUENTIAL |
456 READ_STREAM_FULL |
457 READ_STREAM_USE_BATCHING;
458 stream_data = &stream_skip_data.range;
459 }
460 else
461 {
462 /*
463 * It would not be safe to naively use use batchmode, as
464 * heapcheck_read_stream_next_unskippable takes locks. It shouldn't be
465 * too hard to convert though.
466 */
467 stream_cb = heapcheck_read_stream_next_unskippable;
468 stream_flags = READ_STREAM_DEFAULT;
469 stream_data = &stream_skip_data;
470 }
471
472 stream = read_stream_begin_relation(stream_flags,
473 ctx.bstrategy,
474 ctx.rel,
475 MAIN_FORKNUM,
476 stream_cb,
477 stream_data,
478 0);
479
480 while ((ctx.buffer = read_stream_next_buffer(stream, NULL)) != InvalidBuffer)
481 {
482 OffsetNumber maxoff;
483 OffsetNumber predecessor[MaxOffsetNumber];
484 OffsetNumber successor[MaxOffsetNumber];
485 bool lp_valid[MaxOffsetNumber];
486 bool xmin_commit_status_ok[MaxOffsetNumber];
487 XidCommitStatus xmin_commit_status[MaxOffsetNumber];
488
489 CHECK_FOR_INTERRUPTS();
490
491 memset(predecessor, 0, sizeof(OffsetNumber) * MaxOffsetNumber);
492
493 /* Lock the next page. */
494 Assert(BufferIsValid(ctx.buffer));
495 LockBuffer(ctx.buffer, BUFFER_LOCK_SHARE);
496
497 ctx.blkno = BufferGetBlockNumber(ctx.buffer);
498 ctx.page = BufferGetPage(ctx.buffer);
499
500 /* Perform tuple checks */
501 maxoff = PageGetMaxOffsetNumber(ctx.page);
502 for (ctx.offnum = FirstOffsetNumber; ctx.offnum <= maxoff;
503 ctx.offnum = OffsetNumberNext(ctx.offnum))
504 {
505 BlockNumber nextblkno;
506 OffsetNumber nextoffnum;
507
508 successor[ctx.offnum] = InvalidOffsetNumber;
509 lp_valid[ctx.offnum] = false;
510 xmin_commit_status_ok[ctx.offnum] = false;
511 ctx.itemid = PageGetItemId(ctx.page, ctx.offnum);
512
513 /* Skip over unused/dead line pointers */
514 if (!ItemIdIsUsed(ctx.itemid) || ItemIdIsDead(ctx.itemid))
515 continue;
516
517 /*
518 * If this line pointer has been redirected, check that it
519 * redirects to a valid offset within the line pointer array
520 */
521 if (ItemIdIsRedirected(ctx.itemid))
522 {
523 OffsetNumber rdoffnum = ItemIdGetRedirect(ctx.itemid);
524 ItemId rditem;
525
526 if (rdoffnum < FirstOffsetNumber)
527 {
528 report_corruption(&ctx,
529 psprintf("line pointer redirection to item at offset %u precedes minimum offset %u",
530 (unsigned) rdoffnum,
531 (unsigned) FirstOffsetNumber));
532 continue;
533 }
534 if (rdoffnum > maxoff)
535 {
536 report_corruption(&ctx,
537 psprintf("line pointer redirection to item at offset %u exceeds maximum offset %u",
538 (unsigned) rdoffnum,
539 (unsigned) maxoff));
540 continue;
541 }
542
543 /*
544 * Since we've checked that this redirect points to a line
545 * pointer between FirstOffsetNumber and maxoff, it should now
546 * be safe to fetch the referenced line pointer. We expect it
547 * to be LP_NORMAL; if not, that's corruption.
548 */
549 rditem = PageGetItemId(ctx.page, rdoffnum);
550 if (!ItemIdIsUsed(rditem))
551 {
552 report_corruption(&ctx,
553 psprintf("redirected line pointer points to an unused item at offset %u",
554 (unsigned) rdoffnum));
555 continue;
556 }
557 else if (ItemIdIsDead(rditem))
558 {
559 report_corruption(&ctx,
560 psprintf("redirected line pointer points to a dead item at offset %u",
561 (unsigned) rdoffnum));
562 continue;
563 }
564 else if (ItemIdIsRedirected(rditem))
565 {
566 report_corruption(&ctx,
567 psprintf("redirected line pointer points to another redirected line pointer at offset %u",
568 (unsigned) rdoffnum));
569 continue;
570 }
571
572 /*
573 * Record the fact that this line pointer has passed basic
574 * sanity checking, and also the offset number to which it
575 * points.
576 */
577 lp_valid[ctx.offnum] = true;
578 successor[ctx.offnum] = rdoffnum;
579 continue;
580 }
581
582 /* Sanity-check the line pointer's offset and length values */
583 ctx.lp_len = ItemIdGetLength(ctx.itemid);
584 ctx.lp_off = ItemIdGetOffset(ctx.itemid);
585
586 if (ctx.lp_off != MAXALIGN(ctx.lp_off))
587 {
588 report_corruption(&ctx,
589 psprintf("line pointer to page offset %u is not maximally aligned",
590 ctx.lp_off));
591 continue;
592 }
593 if (ctx.lp_len < MAXALIGN(SizeofHeapTupleHeader))
594 {
595 report_corruption(&ctx,
596 psprintf("line pointer length %u is less than the minimum tuple header size %u",
597 ctx.lp_len,
598 (unsigned) MAXALIGN(SizeofHeapTupleHeader)));
599 continue;
600 }
601 if (ctx.lp_off + ctx.lp_len > BLCKSZ)
602 {
603 report_corruption(&ctx,
604 psprintf("line pointer to page offset %u with length %u ends beyond maximum page offset %u",
605 ctx.lp_off,
606 ctx.lp_len,
607 (unsigned) BLCKSZ));
608 continue;
609 }
610
611 /* It should be safe to examine the tuple's header, at least */
612 lp_valid[ctx.offnum] = true;
613 ctx.tuphdr = (HeapTupleHeader) PageGetItem(ctx.page, ctx.itemid);
614 ctx.natts = HeapTupleHeaderGetNatts(ctx.tuphdr);
615
616 /* Ok, ready to check this next tuple */
617 check_tuple(&ctx,
618 &xmin_commit_status_ok[ctx.offnum],
619 &xmin_commit_status[ctx.offnum]);
620
621 /*
622 * If the CTID field of this tuple seems to point to another tuple
623 * on the same page, record that tuple as the successor of this
624 * one.
625 */
626 nextblkno = ItemPointerGetBlockNumber(&(ctx.tuphdr)->t_ctid);
627 nextoffnum = ItemPointerGetOffsetNumber(&(ctx.tuphdr)->t_ctid);
628 if (nextblkno == ctx.blkno && nextoffnum != ctx.offnum &&
629 nextoffnum >= FirstOffsetNumber && nextoffnum <= maxoff)
630 successor[ctx.offnum] = nextoffnum;
631 }
632
633 /*
634 * Update chain validation. Check each line pointer that's got a valid
635 * successor against that successor.
636 */
637 ctx.attnum = -1;
638 for (ctx.offnum = FirstOffsetNumber; ctx.offnum <= maxoff;
639 ctx.offnum = OffsetNumberNext(ctx.offnum))
640 {
641 ItemId curr_lp;
642 ItemId next_lp;
643 HeapTupleHeader curr_htup;
644 HeapTupleHeader next_htup;
645 TransactionId curr_xmin;
646 TransactionId curr_xmax;
647 TransactionId next_xmin;
648 OffsetNumber nextoffnum = successor[ctx.offnum];
649
650 /*
651 * The current line pointer may not have a successor, either
652 * because it's not valid or because it didn't point to anything.
653 * In either case, we have to give up.
654 *
655 * If the current line pointer does point to something, it's
656 * possible that the target line pointer isn't valid. We have to
657 * give up in that case, too.
658 */
659 if (nextoffnum == InvalidOffsetNumber || !lp_valid[nextoffnum])
660 continue;
661
662 /* We have two valid line pointers that we can examine. */
663 curr_lp = PageGetItemId(ctx.page, ctx.offnum);
664 next_lp = PageGetItemId(ctx.page, nextoffnum);
665
666 /* Handle the cases where the current line pointer is a redirect. */
667 if (ItemIdIsRedirected(curr_lp))
668 {
669 /*
670 * We should not have set successor[ctx.offnum] to a value
671 * other than InvalidOffsetNumber unless that line pointer is
672 * LP_NORMAL.
673 */
674 Assert(ItemIdIsNormal(next_lp));
675
676 /* Can only redirect to a HOT tuple. */
677 next_htup = (HeapTupleHeader) PageGetItem(ctx.page, next_lp);
678 if (!HeapTupleHeaderIsHeapOnly(next_htup))
679 {
680 report_corruption(&ctx,
681 psprintf("redirected line pointer points to a non-heap-only tuple at offset %u",
682 (unsigned) nextoffnum));
683 }
684
685 /* HOT chains should not intersect. */
686 if (predecessor[nextoffnum] != InvalidOffsetNumber)
687 {
688 report_corruption(&ctx,
689 psprintf("redirect line pointer points to offset %u, but offset %u also points there",
690 (unsigned) nextoffnum, (unsigned) predecessor[nextoffnum]));
691 continue;
692 }
693
694 /*
695 * This redirect and the tuple to which it points seem to be
696 * part of an update chain.
697 */
698 predecessor[nextoffnum] = ctx.offnum;
699 continue;
700 }
701
702 /*
703 * If the next line pointer is a redirect, or if it's a tuple but
704 * the XMAX of this tuple doesn't match the XMIN of the next
705 * tuple, then the two aren't part of the same update chain and
706 * there is nothing more to do.
707 */
708 if (ItemIdIsRedirected(next_lp))
709 continue;
710 curr_htup = (HeapTupleHeader) PageGetItem(ctx.page, curr_lp);
711 curr_xmax = HeapTupleHeaderGetUpdateXid(curr_htup);
712 next_htup = (HeapTupleHeader) PageGetItem(ctx.page, next_lp);
713 next_xmin = HeapTupleHeaderGetXmin(next_htup);
714 if (!TransactionIdIsValid(curr_xmax) ||
715 !TransactionIdEquals(curr_xmax, next_xmin))
716 continue;
717
718 /* HOT chains should not intersect. */
719 if (predecessor[nextoffnum] != InvalidOffsetNumber)
720 {
721 report_corruption(&ctx,
722 psprintf("tuple points to new version at offset %u, but offset %u also points there",
723 (unsigned) nextoffnum, (unsigned) predecessor[nextoffnum]));
724 continue;
725 }
726
727 /*
728 * This tuple and the tuple to which it points seem to be part of
729 * an update chain.
730 */
731 predecessor[nextoffnum] = ctx.offnum;
732
733 /*
734 * If the current tuple is marked as HOT-updated, then the next
735 * tuple should be marked as a heap-only tuple. Conversely, if the
736 * current tuple isn't marked as HOT-updated, then the next tuple
737 * shouldn't be marked as a heap-only tuple.
738 *
739 * NB: Can't use HeapTupleHeaderIsHotUpdated() as it checks if
740 * hint bits indicate xmin/xmax aborted.
741 */
742 if (!(curr_htup->t_infomask2 & HEAP_HOT_UPDATED) &&
743 HeapTupleHeaderIsHeapOnly(next_htup))
744 {
745 report_corruption(&ctx,
746 psprintf("non-heap-only update produced a heap-only tuple at offset %u",
747 (unsigned) nextoffnum));
748 }
749 if ((curr_htup->t_infomask2 & HEAP_HOT_UPDATED) &&
750 !HeapTupleHeaderIsHeapOnly(next_htup))
751 {
752 report_corruption(&ctx,
753 psprintf("heap-only update produced a non-heap only tuple at offset %u",
754 (unsigned) nextoffnum));
755 }
756
757 /*
758 * If the current tuple's xmin is still in progress but the
759 * successor tuple's xmin is committed, that's corruption.
760 *
761 * NB: We recheck the commit status of the current tuple's xmin
762 * here, because it might have committed after we checked it and
763 * before we checked the commit status of the successor tuple's
764 * xmin. This should be safe because the xmin itself can't have
765 * changed, only its commit status.
766 */
767 curr_xmin = HeapTupleHeaderGetXmin(curr_htup);
768 if (xmin_commit_status_ok[ctx.offnum] &&
769 xmin_commit_status[ctx.offnum] == XID_IN_PROGRESS &&
770 xmin_commit_status_ok[nextoffnum] &&
771 xmin_commit_status[nextoffnum] == XID_COMMITTED &&
772 TransactionIdIsInProgress(curr_xmin))
773 {
774 report_corruption(&ctx,
775 psprintf("tuple with in-progress xmin %u was updated to produce a tuple at offset %u with committed xmin %u",
776 (unsigned) curr_xmin,
777 (unsigned) ctx.offnum,
778 (unsigned) next_xmin));
779 }
780
781 /*
782 * If the current tuple's xmin is aborted but the successor
783 * tuple's xmin is in-progress or committed, that's corruption.
784 */
785 if (xmin_commit_status_ok[ctx.offnum] &&
786 xmin_commit_status[ctx.offnum] == XID_ABORTED &&
787 xmin_commit_status_ok[nextoffnum])
788 {
789 if (xmin_commit_status[nextoffnum] == XID_IN_PROGRESS)
790 report_corruption(&ctx,
791 psprintf("tuple with aborted xmin %u was updated to produce a tuple at offset %u with in-progress xmin %u",
792 (unsigned) curr_xmin,
793 (unsigned) ctx.offnum,
794 (unsigned) next_xmin));
795 else if (xmin_commit_status[nextoffnum] == XID_COMMITTED)
796 report_corruption(&ctx,
797 psprintf("tuple with aborted xmin %u was updated to produce a tuple at offset %u with committed xmin %u",
798 (unsigned) curr_xmin,
799 (unsigned) ctx.offnum,
800 (unsigned) next_xmin));
801 }
802 }
803
804 /*
805 * An update chain can start either with a non-heap-only tuple or with
806 * a redirect line pointer, but not with a heap-only tuple.
807 *
808 * (This check is in a separate loop because we need the predecessor
809 * array to be fully populated before we can perform it.)
810 */
811 for (ctx.offnum = FirstOffsetNumber;
812 ctx.offnum <= maxoff;
813 ctx.offnum = OffsetNumberNext(ctx.offnum))
814 {
815 if (xmin_commit_status_ok[ctx.offnum] &&
816 (xmin_commit_status[ctx.offnum] == XID_COMMITTED ||
817 xmin_commit_status[ctx.offnum] == XID_IN_PROGRESS) &&
818 predecessor[ctx.offnum] == InvalidOffsetNumber)
819 {
820 ItemId curr_lp;
821
822 curr_lp = PageGetItemId(ctx.page, ctx.offnum);
823 if (!ItemIdIsRedirected(curr_lp))
824 {
825 HeapTupleHeader curr_htup;
826
827 curr_htup = (HeapTupleHeader)
828 PageGetItem(ctx.page, curr_lp);
829 if (HeapTupleHeaderIsHeapOnly(curr_htup))
830 report_corruption(&ctx,
831 psprintf("tuple is root of chain but is marked as heap-only tuple"));
832 }
833 }
834 }
835
836 /* clean up */
837 UnlockReleaseBuffer(ctx.buffer);
838
839 /*
840 * Check any toast pointers from the page whose lock we just released
841 */
842 if (ctx.toasted_attributes != NIL)
843 {
844 ListCell *cell;
845
846 foreach(cell, ctx.toasted_attributes)
847 check_toasted_attribute(&ctx, lfirst(cell));
848 list_free_deep(ctx.toasted_attributes);
849 ctx.toasted_attributes = NIL;
850 }
851
852 if (on_error_stop && ctx.is_corrupt)
853 break;
854 }
855
856 read_stream_end(stream);
857
858 if (vmbuffer != InvalidBuffer)
859 ReleaseBuffer(vmbuffer);
860
861 /* Close the associated toast table and indexes, if any. */
862 if (ctx.toast_indexes)
863 toast_close_indexes(ctx.toast_indexes, ctx.num_toast_indexes,
864 AccessShareLock);
865 if (ctx.toast_rel)
866 table_close(ctx.toast_rel, AccessShareLock);
867
868 /* Close the main relation */
869 relation_close(ctx.rel, AccessShareLock);
870
871 PG_RETURN_NULL();
872}
873
874/*
875 * Heap amcheck's read stream callback for getting the next unskippable block.
876 * This callback is only used when 'all-visible' or 'all-frozen' is provided
877 * as the skip option to verify_heapam(). With the default 'none',
878 * block_range_read_stream_cb() is used instead.
879 */
880static BlockNumber
881heapcheck_read_stream_next_unskippable(ReadStream *stream,
882 void *callback_private_data,
883 void *per_buffer_data)
884{
885 HeapCheckReadStreamData *p = callback_private_data;
886
887 /* Loops over [current_blocknum, last_exclusive) blocks */
888 for (BlockNumber i; (i = p->range.current_blocknum++) < p->range.last_exclusive;)
889 {
890 uint8 mapbits = visibilitymap_get_status(p->rel, i, p->vmbuffer);
891
892 if (p->skip_option == SKIP_PAGES_ALL_FROZEN)
893 {
894 if ((mapbits & VISIBILITYMAP_ALL_FROZEN) != 0)
895 continue;
896 }
897
898 if (p->skip_option == SKIP_PAGES_ALL_VISIBLE)
899 {
900 if ((mapbits & VISIBILITYMAP_ALL_VISIBLE) != 0)
901 continue;
902 }
903
904 return i;
905 }
906
907 return InvalidBlockNumber;
908}
909
910/*
911 * Shared internal implementation for report_corruption and
912 * report_toast_corruption.
913 */
914static void
915report_corruption_internal(Tuplestorestate *tupstore, TupleDesc tupdesc,
916 BlockNumber blkno, OffsetNumber offnum,
917 AttrNumber attnum, char *msg)
918{
919 Datum values[HEAPCHECK_RELATION_COLS] = {0};
920 bool nulls[HEAPCHECK_RELATION_COLS] = {0};
921 HeapTuple tuple;
922
923 values[0] = Int64GetDatum(blkno);
924 values[1] = Int32GetDatum(offnum);
925 values[2] = Int32GetDatum(attnum);
926 nulls[2] = (attnum < 0);
927 values[3] = CStringGetTextDatum(msg);
928
929 /*
930 * In principle, there is nothing to prevent a scan over a large, highly
931 * corrupted table from using work_mem worth of memory building up the
932 * tuplestore. That's ok, but if we also leak the msg argument memory
933 * until the end of the query, we could exceed work_mem by more than a
934 * trivial amount. Therefore, free the msg argument each time we are
935 * called rather than waiting for our current memory context to be freed.
936 */
937 pfree(msg);
938
939 tuple = heap_form_tuple(tupdesc, values, nulls);
940 tuplestore_puttuple(tupstore, tuple);
941}
942
943/*
944 * Record a single corruption found in the main table. The values in ctx should
945 * indicate the location of the corruption, and the msg argument should contain
946 * a human-readable description of the corruption.
947 *
948 * The msg argument is pfree'd by this function.
949 */
950static void
951report_corruption(HeapCheckContext *ctx, char *msg)
952{
953 report_corruption_internal(ctx->tupstore, ctx->tupdesc, ctx->blkno,
954 ctx->offnum, ctx->attnum, msg);
955 ctx->is_corrupt = true;
956}
957
958/*
959 * Record corruption found in the toast table. The values in ta should
960 * indicate the location in the main table where the toast pointer was
961 * encountered, and the msg argument should contain a human-readable
962 * description of the toast table corruption.
963 *
964 * As above, the msg argument is pfree'd by this function.
965 */
966static void
967report_toast_corruption(HeapCheckContext *ctx, ToastedAttribute *ta,
968 char *msg)
969{
970 report_corruption_internal(ctx->tupstore, ctx->tupdesc, ta->blkno,
971 ta->offnum, ta->attnum, msg);
972 ctx->is_corrupt = true;
973}
974
975/*
976 * Check for tuple header corruption.
977 *
978 * Some kinds of corruption make it unsafe to check the tuple attributes, for
979 * example when the line pointer refers to a range of bytes outside the page.
980 * In such cases, we return false (not checkable) after recording appropriate
981 * corruption messages.
982 *
983 * Some other kinds of tuple header corruption confuse the question of where
984 * the tuple attributes begin, or how long the nulls bitmap is, etc., making it
985 * unreasonable to attempt to check attributes, even if all candidate answers
986 * to those questions would not result in reading past the end of the line
987 * pointer or page. In such cases, like above, we record corruption messages
988 * about the header and then return false.
989 *
990 * Other kinds of tuple header corruption do not bear on the question of
991 * whether the tuple attributes can be checked, so we record corruption
992 * messages for them but we do not return false merely because we detected
993 * them.
994 *
995 * Returns whether the tuple is sufficiently sensible to undergo visibility and
996 * attribute checks.
997 */
998static bool
999check_tuple_header(HeapCheckContext *ctx)
1000{
1001 HeapTupleHeader tuphdr = ctx->tuphdr;
1002 uint16 infomask = tuphdr->t_infomask;
1003 TransactionId curr_xmax = HeapTupleHeaderGetUpdateXid(tuphdr);
1004 bool result = true;
1005 unsigned expected_hoff;
1006
1007 if (ctx->tuphdr->t_hoff > ctx->lp_len)
1008 {
1009 report_corruption(ctx,
1010 psprintf("data begins at offset %u beyond the tuple length %u",
1011 ctx->tuphdr->t_hoff, ctx->lp_len));
1012 result = false;
1013 }
1014
1015 if ((ctx->tuphdr->t_infomask & HEAP_XMAX_COMMITTED) &&
1016 (ctx->tuphdr->t_infomask & HEAP_XMAX_IS_MULTI))
1017 {
1018 report_corruption(ctx,
1019 pstrdup("multixact should not be marked committed"));
1020
1021 /*
1022 * This condition is clearly wrong, but it's not enough to justify
1023 * skipping further checks, because we don't rely on this to determine
1024 * whether the tuple is visible or to interpret other relevant header
1025 * fields.
1026 */
1027 }
1028
1029 if (!TransactionIdIsValid(curr_xmax) &&
1030 HeapTupleHeaderIsHotUpdated(tuphdr))
1031 {
1032 report_corruption(ctx,
1033 psprintf("tuple has been HOT updated, but xmax is 0"));
1034
1035 /*
1036 * As above, even though this shouldn't happen, it's not sufficient
1037 * justification for skipping further checks, we should still be able
1038 * to perform sensibly.
1039 */
1040 }
1041
1042 if (HeapTupleHeaderIsHeapOnly(tuphdr) &&
1043 ((tuphdr->t_infomask & HEAP_UPDATED) == 0))
1044 {
1045 report_corruption(ctx,
1046 psprintf("tuple is heap only, but not the result of an update"));
1047
1048 /* Here again, we can still perform further checks. */
1049 }
1050
1051 if (infomask & HEAP_HASNULL)
1052 expected_hoff = MAXALIGN(SizeofHeapTupleHeader + BITMAPLEN(ctx->natts));
1053 else
1054 expected_hoff = MAXALIGN(SizeofHeapTupleHeader);
1055 if (ctx->tuphdr->t_hoff != expected_hoff)
1056 {
1057 if ((infomask & HEAP_HASNULL) && ctx->natts == 1)
1058 report_corruption(ctx,
1059 psprintf("tuple data should begin at byte %u, but actually begins at byte %u (1 attribute, has nulls)",
1060 expected_hoff, ctx->tuphdr->t_hoff));
1061 else if ((infomask & HEAP_HASNULL))
1062 report_corruption(ctx,
1063 psprintf("tuple data should begin at byte %u, but actually begins at byte %u (%u attributes, has nulls)",
1064 expected_hoff, ctx->tuphdr->t_hoff, ctx->natts));
1065 else if (ctx->natts == 1)
1066 report_corruption(ctx,
1067 psprintf("tuple data should begin at byte %u, but actually begins at byte %u (1 attribute, no nulls)",
1068 expected_hoff, ctx->tuphdr->t_hoff));
1069 else
1070 report_corruption(ctx,
1071 psprintf("tuple data should begin at byte %u, but actually begins at byte %u (%u attributes, no nulls)",
1072 expected_hoff, ctx->tuphdr->t_hoff, ctx->natts));
1073 result = false;
1074 }
1075
1076 return result;
1077}
1078
1079/*
1080 * Checks tuple visibility so we know which further checks are safe to
1081 * perform.
1082 *
1083 * If a tuple could have been inserted by a transaction that also added a
1084 * column to the table, but which ultimately did not commit, or which has not
1085 * yet committed, then the table's current TupleDesc might differ from the one
1086 * used to construct this tuple, so we must not check it.
1087 *
1088 * As a special case, if our own transaction inserted the tuple, even if we
1089 * added a column to the table, our TupleDesc should match. We could check the
1090 * tuple, but choose not to do so.
1091 *
1092 * If a tuple has been updated or deleted, we can still read the old tuple for
1093 * corruption checking purposes, as long as we are careful about concurrent
1094 * vacuums. The main table tuple itself cannot be vacuumed away because we
1095 * hold a buffer lock on the page, but if the deleting transaction is older
1096 * than our transaction snapshot's xmin, then vacuum could remove the toast at
1097 * any time, so we must not try to follow TOAST pointers.
1098 *
1099 * If xmin or xmax values are older than can be checked against clog, or appear
1100 * to be in the future (possibly due to wrap-around), then we cannot make a
1101 * determination about the visibility of the tuple, so we skip further checks.
1102 *
1103 * Returns true if the tuple itself should be checked, false otherwise. Sets
1104 * ctx->tuple_could_be_pruned if the tuple -- and thus also any associated
1105 * TOAST tuples -- are eligible for pruning.
1106 *
1107 * Sets *xmin_commit_status_ok to true if the commit status of xmin is known
1108 * and false otherwise. If it's set to true, then also set *xmin_commit_status
1109 * to the actual commit status.
1110 */
1111static bool
1112check_tuple_visibility(HeapCheckContext *ctx, bool *xmin_commit_status_ok,
1113 XidCommitStatus *xmin_commit_status)
1114{
1115 TransactionId xmin;
1116 TransactionId xvac;
1117 TransactionId xmax;
1118 XidCommitStatus xmin_status;
1119 XidCommitStatus xvac_status;
1120 XidCommitStatus xmax_status;
1121 HeapTupleHeader tuphdr = ctx->tuphdr;
1122
1123 ctx->tuple_could_be_pruned = true; /* have not yet proven otherwise */
1124 *xmin_commit_status_ok = false; /* have not yet proven otherwise */
1125
1126 /* If xmin is normal, it should be within valid range */
1127 xmin = HeapTupleHeaderGetXmin(tuphdr);
1128 switch (get_xid_status(xmin, ctx, &xmin_status))
1129 {
1130 case XID_INVALID:
1131 /* Could be the result of a speculative insertion that aborted. */
1132 return false;
1133 case XID_BOUNDS_OK:
1134 *xmin_commit_status_ok = true;
1135 *xmin_commit_status = xmin_status;
1136 break;
1137 case XID_IN_FUTURE:
1138 report_corruption(ctx,
1139 psprintf("xmin %u equals or exceeds next valid transaction ID %u:%u",
1140 xmin,
1141 EpochFromFullTransactionId(ctx->next_fxid),
1142 XidFromFullTransactionId(ctx->next_fxid)));
1143 return false;
1144 case XID_PRECEDES_CLUSTERMIN:
1145 report_corruption(ctx,
1146 psprintf("xmin %u precedes oldest valid transaction ID %u:%u",
1147 xmin,
1148 EpochFromFullTransactionId(ctx->oldest_fxid),
1149 XidFromFullTransactionId(ctx->oldest_fxid)));
1150 return false;
1151 case XID_PRECEDES_RELMIN:
1152 report_corruption(ctx,
1153 psprintf("xmin %u precedes relation freeze threshold %u:%u",
1154 xmin,
1155 EpochFromFullTransactionId(ctx->relfrozenfxid),
1156 XidFromFullTransactionId(ctx->relfrozenfxid)));
1157 return false;
1158 }
1159
1160 /*
1161 * Has inserting transaction committed?
1162 */
1163 if (!HeapTupleHeaderXminCommitted(tuphdr))
1164 {
1165 if (HeapTupleHeaderXminInvalid(tuphdr))
1166 return false; /* inserter aborted, don't check */
1167 /* Used by pre-9.0 binary upgrades */
1168 else if (tuphdr->t_infomask & HEAP_MOVED_OFF)
1169 {
1170 xvac = HeapTupleHeaderGetXvac(tuphdr);
1171
1172 switch (get_xid_status(xvac, ctx, &xvac_status))
1173 {
1174 case XID_INVALID:
1175 report_corruption(ctx,
1176 pstrdup("old-style VACUUM FULL transaction ID for moved off tuple is invalid"));
1177 return false;
1178 case XID_IN_FUTURE:
1179 report_corruption(ctx,
1180 psprintf("old-style VACUUM FULL transaction ID %u for moved off tuple equals or exceeds next valid transaction ID %u:%u",
1181 xvac,
1182 EpochFromFullTransactionId(ctx->next_fxid),
1183 XidFromFullTransactionId(ctx->next_fxid)));
1184 return false;
1185 case XID_PRECEDES_RELMIN:
1186 report_corruption(ctx,
1187 psprintf("old-style VACUUM FULL transaction ID %u for moved off tuple precedes relation freeze threshold %u:%u",
1188 xvac,
1189 EpochFromFullTransactionId(ctx->relfrozenfxid),
1190 XidFromFullTransactionId(ctx->relfrozenfxid)));
1191 return false;
1192 case XID_PRECEDES_CLUSTERMIN:
1193 report_corruption(ctx,
1194 psprintf("old-style VACUUM FULL transaction ID %u for moved off tuple precedes oldest valid transaction ID %u:%u",
1195 xvac,
1196 EpochFromFullTransactionId(ctx->oldest_fxid),
1197 XidFromFullTransactionId(ctx->oldest_fxid)));
1198 return false;
1199 case XID_BOUNDS_OK:
1200 break;
1201 }
1202
1203 switch (xvac_status)
1204 {
1205 case XID_IS_CURRENT_XID:
1206 report_corruption(ctx,
1207 psprintf("old-style VACUUM FULL transaction ID %u for moved off tuple matches our current transaction ID",
1208 xvac));
1209 return false;
1210 case XID_IN_PROGRESS:
1211 report_corruption(ctx,
1212 psprintf("old-style VACUUM FULL transaction ID %u for moved off tuple appears to be in progress",
1213 xvac));
1214 return false;
1215
1216 case XID_COMMITTED:
1217
1218 /*
1219 * The tuple is dead, because the xvac transaction moved
1220 * it off and committed. It's checkable, but also
1221 * prunable.
1222 */
1223 return true;
1224
1225 case XID_ABORTED:
1226
1227 /*
1228 * The original xmin must have committed, because the xvac
1229 * transaction tried to move it later. Since xvac is
1230 * aborted, whether it's still alive now depends on the
1231 * status of xmax.
1232 */
1233 break;
1234 }
1235 }
1236 /* Used by pre-9.0 binary upgrades */
1237 else if (tuphdr->t_infomask & HEAP_MOVED_IN)
1238 {
1239 xvac = HeapTupleHeaderGetXvac(tuphdr);
1240
1241 switch (get_xid_status(xvac, ctx, &xvac_status))
1242 {
1243 case XID_INVALID:
1244 report_corruption(ctx,
1245 pstrdup("old-style VACUUM FULL transaction ID for moved in tuple is invalid"));
1246 return false;
1247 case XID_IN_FUTURE:
1248 report_corruption(ctx,
1249 psprintf("old-style VACUUM FULL transaction ID %u for moved in tuple equals or exceeds next valid transaction ID %u:%u",
1250 xvac,
1251 EpochFromFullTransactionId(ctx->next_fxid),
1252 XidFromFullTransactionId(ctx->next_fxid)));
1253 return false;
1254 case XID_PRECEDES_RELMIN:
1255 report_corruption(ctx,
1256 psprintf("old-style VACUUM FULL transaction ID %u for moved in tuple precedes relation freeze threshold %u:%u",
1257 xvac,
1258 EpochFromFullTransactionId(ctx->relfrozenfxid),
1259 XidFromFullTransactionId(ctx->relfrozenfxid)));
1260 return false;
1261 case XID_PRECEDES_CLUSTERMIN:
1262 report_corruption(ctx,
1263 psprintf("old-style VACUUM FULL transaction ID %u for moved in tuple precedes oldest valid transaction ID %u:%u",
1264 xvac,
1265 EpochFromFullTransactionId(ctx->oldest_fxid),
1266 XidFromFullTransactionId(ctx->oldest_fxid)));
1267 return false;
1268 case XID_BOUNDS_OK:
1269 break;
1270 }
1271
1272 switch (xvac_status)
1273 {
1274 case XID_IS_CURRENT_XID:
1275 report_corruption(ctx,
1276 psprintf("old-style VACUUM FULL transaction ID %u for moved in tuple matches our current transaction ID",
1277 xvac));
1278 return false;
1279 case XID_IN_PROGRESS:
1280 report_corruption(ctx,
1281 psprintf("old-style VACUUM FULL transaction ID %u for moved in tuple appears to be in progress",
1282 xvac));
1283 return false;
1284
1285 case XID_COMMITTED:
1286
1287 /*
1288 * The original xmin must have committed, because the xvac
1289 * transaction moved it later. Whether it's still alive
1290 * now depends on the status of xmax.
1291 */
1292 break;
1293
1294 case XID_ABORTED:
1295
1296 /*
1297 * The tuple is dead, because the xvac transaction moved
1298 * it off and committed. It's checkable, but also
1299 * prunable.
1300 */
1301 return true;
1302 }
1303 }
1304 else if (xmin_status != XID_COMMITTED)
1305 {
1306 /*
1307 * Inserting transaction is not in progress, and not committed, so
1308 * it might have changed the TupleDesc in ways we don't know
1309 * about. Thus, don't try to check the tuple structure.
1310 *
1311 * If xmin_status happens to be XID_IS_CURRENT_XID, then in theory
1312 * any such DDL changes ought to be visible to us, so perhaps we
1313 * could check anyway in that case. But, for now, let's be
1314 * conservative and treat this like any other uncommitted insert.
1315 */
1316 return false;
1317 }
1318 }
1319
1320 /*
1321 * Okay, the inserter committed, so it was good at some point. Now what
1322 * about the deleting transaction?
1323 */
1324
1325 if (tuphdr->t_infomask & HEAP_XMAX_IS_MULTI)
1326 {
1327 /*
1328 * xmax is a multixact, so sanity-check the MXID. Note that we do this
1329 * prior to checking for HEAP_XMAX_INVALID or
1330 * HEAP_XMAX_IS_LOCKED_ONLY. This might therefore complain about
1331 * things that wouldn't actually be a problem during a normal scan,
1332 * but eventually we're going to have to freeze, and that process will
1333 * ignore hint bits.
1334 *
1335 * Even if the MXID is out of range, we still know that the original
1336 * insert committed, so we can check the tuple itself. However, we
1337 * can't rule out the possibility that this tuple is dead, so don't
1338 * clear ctx->tuple_could_be_pruned. Possibly we should go ahead and
1339 * clear that flag anyway if HEAP_XMAX_INVALID is set or if
1340 * HEAP_XMAX_IS_LOCKED_ONLY is true, but for now we err on the side of
1341 * avoiding possibly-bogus complaints about missing TOAST entries.
1342 */
1343 xmax = HeapTupleHeaderGetRawXmax(tuphdr);
1344 switch (check_mxid_valid_in_rel(xmax, ctx))
1345 {
1346 case XID_INVALID:
1347 report_corruption(ctx,
1348 pstrdup("multitransaction ID is invalid"));
1349 return true;
1350 case XID_PRECEDES_RELMIN:
1351 report_corruption(ctx,
1352 psprintf("multitransaction ID %u precedes relation minimum multitransaction ID threshold %u",
1353 xmax, ctx->relminmxid));
1354 return true;
1355 case XID_PRECEDES_CLUSTERMIN:
1356 report_corruption(ctx,
1357 psprintf("multitransaction ID %u precedes oldest valid multitransaction ID threshold %u",
1358 xmax, ctx->oldest_mxact));
1359 return true;
1360 case XID_IN_FUTURE:
1361 report_corruption(ctx,
1362 psprintf("multitransaction ID %u equals or exceeds next valid multitransaction ID %u",
1363 xmax,
1364 ctx->next_mxact));
1365 return true;
1366 case XID_BOUNDS_OK:
1367 break;
1368 }
1369 }
1370
1371 if (tuphdr->t_infomask & HEAP_XMAX_INVALID)
1372 {
1373 /*
1374 * This tuple is live. A concurrently running transaction could
1375 * delete it before we get around to checking the toast, but any such
1376 * running transaction is surely not less than our safe_xmin, so the
1377 * toast cannot be vacuumed out from under us.
1378 */
1379 ctx->tuple_could_be_pruned = false;
1380 return true;
1381 }
1382
1383 if (HEAP_XMAX_IS_LOCKED_ONLY(tuphdr->t_infomask))
1384 {
1385 /*
1386 * "Deleting" xact really only locked it, so the tuple is live in any
1387 * case. As above, a concurrently running transaction could delete
1388 * it, but it cannot be vacuumed out from under us.
1389 */
1390 ctx->tuple_could_be_pruned = false;
1391 return true;
1392 }
1393
1394 if (tuphdr->t_infomask & HEAP_XMAX_IS_MULTI)
1395 {
1396 /*
1397 * We already checked above that this multixact is within limits for
1398 * this table. Now check the update xid from this multixact.
1399 */
1400 xmax = HeapTupleGetUpdateXid(tuphdr);
1401 switch (get_xid_status(xmax, ctx, &xmax_status))
1402 {
1403 case XID_INVALID:
1404 /* not LOCKED_ONLY, so it has to have an xmax */
1405 report_corruption(ctx,
1406 pstrdup("update xid is invalid"));
1407 return true;
1408 case XID_IN_FUTURE:
1409 report_corruption(ctx,
1410 psprintf("update xid %u equals or exceeds next valid transaction ID %u:%u",
1411 xmax,
1412 EpochFromFullTransactionId(ctx->next_fxid),
1413 XidFromFullTransactionId(ctx->next_fxid)));
1414 return true;
1415 case XID_PRECEDES_RELMIN:
1416 report_corruption(ctx,
1417 psprintf("update xid %u precedes relation freeze threshold %u:%u",
1418 xmax,
1419 EpochFromFullTransactionId(ctx->relfrozenfxid),
1420 XidFromFullTransactionId(ctx->relfrozenfxid)));
1421 return true;
1422 case XID_PRECEDES_CLUSTERMIN:
1423 report_corruption(ctx,
1424 psprintf("update xid %u precedes oldest valid transaction ID %u:%u",
1425 xmax,
1426 EpochFromFullTransactionId(ctx->oldest_fxid),
1427 XidFromFullTransactionId(ctx->oldest_fxid)));
1428 return true;
1429 case XID_BOUNDS_OK:
1430 break;
1431 }
1432
1433 switch (xmax_status)
1434 {
1435 case XID_IS_CURRENT_XID:
1436 case XID_IN_PROGRESS:
1437
1438 /*
1439 * The delete is in progress, so it cannot be visible to our
1440 * snapshot.
1441 */
1442 ctx->tuple_could_be_pruned = false;
1443 break;
1444 case XID_COMMITTED:
1445
1446 /*
1447 * The delete committed. Whether the toast can be vacuumed
1448 * away depends on how old the deleting transaction is.
1449 */
1450 ctx->tuple_could_be_pruned = TransactionIdPrecedes(xmax,
1451 ctx->safe_xmin);
1452 break;
1453 case XID_ABORTED:
1454
1455 /*
1456 * The delete aborted or crashed. The tuple is still live.
1457 */
1458 ctx->tuple_could_be_pruned = false;
1459 break;
1460 }
1461
1462 /* Tuple itself is checkable even if it's dead. */
1463 return true;
1464 }
1465
1466 /* xmax is an XID, not a MXID. Sanity check it. */
1467 xmax = HeapTupleHeaderGetRawXmax(tuphdr);
1468 switch (get_xid_status(xmax, ctx, &xmax_status))
1469 {
1470 case XID_INVALID:
1471 ctx->tuple_could_be_pruned = false;
1472 return true;
1473 case XID_IN_FUTURE:
1474 report_corruption(ctx,
1475 psprintf("xmax %u equals or exceeds next valid transaction ID %u:%u",
1476 xmax,
1477 EpochFromFullTransactionId(ctx->next_fxid),
1478 XidFromFullTransactionId(ctx->next_fxid)));
1479 return false; /* corrupt */
1480 case XID_PRECEDES_RELMIN:
1481 report_corruption(ctx,
1482 psprintf("xmax %u precedes relation freeze threshold %u:%u",
1483 xmax,
1484 EpochFromFullTransactionId(ctx->relfrozenfxid),
1485 XidFromFullTransactionId(ctx->relfrozenfxid)));
1486 return false; /* corrupt */
1487 case XID_PRECEDES_CLUSTERMIN:
1488 report_corruption(ctx,
1489 psprintf("xmax %u precedes oldest valid transaction ID %u:%u",
1490 xmax,
1491 EpochFromFullTransactionId(ctx->oldest_fxid),
1492 XidFromFullTransactionId(ctx->oldest_fxid)));
1493 return false; /* corrupt */
1494 case XID_BOUNDS_OK:
1495 break;
1496 }
1497
1498 /*
1499 * Whether the toast can be vacuumed away depends on how old the deleting
1500 * transaction is.
1501 */
1502 switch (xmax_status)
1503 {
1504 case XID_IS_CURRENT_XID:
1505 case XID_IN_PROGRESS:
1506
1507 /*
1508 * The delete is in progress, so it cannot be visible to our
1509 * snapshot.
1510 */
1511 ctx->tuple_could_be_pruned = false;
1512 break;
1513
1514 case XID_COMMITTED:
1515
1516 /*
1517 * The delete committed. Whether the toast can be vacuumed away
1518 * depends on how old the deleting transaction is.
1519 */
1520 ctx->tuple_could_be_pruned = TransactionIdPrecedes(xmax,
1521 ctx->safe_xmin);
1522 break;
1523
1524 case XID_ABORTED:
1525
1526 /*
1527 * The delete aborted or crashed. The tuple is still live.
1528 */
1529 ctx->tuple_could_be_pruned = false;
1530 break;
1531 }
1532
1533 /* Tuple itself is checkable even if it's dead. */
1534 return true;
1535}
1536
1537
1538/*
1539 * Check the current toast tuple against the state tracked in ctx, recording
1540 * any corruption found in ctx->tupstore.
1541 *
1542 * This is not equivalent to running verify_heapam on the toast table itself,
1543 * and is not hardened against corruption of the toast table. Rather, when
1544 * validating a toasted attribute in the main table, the sequence of toast
1545 * tuples that store the toasted value are retrieved and checked in order, with
1546 * each toast tuple being checked against where we are in the sequence, as well
1547 * as each toast tuple having its varlena structure sanity checked.
1548 *
1549 * On entry, *expected_chunk_seq should be the chunk_seq value that we expect
1550 * to find in toasttup. On exit, it will be updated to the value the next call
1551 * to this function should expect to see.
1552 */
1553static void
1554check_toast_tuple(HeapTuple toasttup, HeapCheckContext *ctx,
1555 ToastedAttribute *ta, int32 *expected_chunk_seq,
1556 uint32 extsize)
1557{
1558 int32 chunk_seq;
1559 int32 last_chunk_seq = (extsize - 1) / TOAST_MAX_CHUNK_SIZE;
1560 Pointer chunk;
1561 bool isnull;
1562 int32 chunksize;
1563 int32 expected_size;
1564
1565 /* Sanity-check the sequence number. */
1566 chunk_seq = DatumGetInt32(fastgetattr(toasttup, 2,
1567 ctx->toast_rel->rd_att, &isnull));
1568 if (isnull)
1569 {
1570 report_toast_corruption(ctx, ta,
1571 psprintf("toast value %u has toast chunk with null sequence number",
1572 ta->toast_pointer.va_valueid));
1573 return;
1574 }
1575 if (chunk_seq != *expected_chunk_seq)
1576 {
1577 /* Either the TOAST index is corrupt, or we don't have all chunks. */
1578 report_toast_corruption(ctx, ta,
1579 psprintf("toast value %u index scan returned chunk %d when expecting chunk %d",
1580 ta->toast_pointer.va_valueid,
1581 chunk_seq, *expected_chunk_seq));
1582 }
1583 *expected_chunk_seq = chunk_seq + 1;
1584
1585 /* Sanity-check the chunk data. */
1586 chunk = DatumGetPointer(fastgetattr(toasttup, 3,
1587 ctx->toast_rel->rd_att, &isnull));
1588 if (isnull)
1589 {
1590 report_toast_corruption(ctx, ta,
1591 psprintf("toast value %u chunk %d has null data",
1592 ta->toast_pointer.va_valueid,
1593 chunk_seq));
1594 return;
1595 }
1596 if (!VARATT_IS_EXTENDED(chunk))
1597 chunksize = VARSIZE(chunk) - VARHDRSZ;
1598 else if (VARATT_IS_SHORT(chunk))
1599 {
1600 /*
1601 * could happen due to heap_form_tuple doing its thing
1602 */
1603 chunksize = VARSIZE_SHORT(chunk) - VARHDRSZ_SHORT;
1604 }
1605 else
1606 {
1607 /* should never happen */
1608 uint32 header = ((varattrib_4b *) chunk)->va_4byte.va_header;
1609
1610 report_toast_corruption(ctx, ta,
1611 psprintf("toast value %u chunk %d has invalid varlena header %0x",
1612 ta->toast_pointer.va_valueid,
1613 chunk_seq, header));
1614 return;
1615 }
1616
1617 /*
1618 * Some checks on the data we've found
1619 */
1620 if (chunk_seq > last_chunk_seq)
1621 {
1622 report_toast_corruption(ctx, ta,
1623 psprintf("toast value %u chunk %d follows last expected chunk %d",
1624 ta->toast_pointer.va_valueid,
1625 chunk_seq, last_chunk_seq));
1626 return;
1627 }
1628
1629 expected_size = chunk_seq < last_chunk_seq ? TOAST_MAX_CHUNK_SIZE
1630 : extsize - (last_chunk_seq * TOAST_MAX_CHUNK_SIZE);
1631
1632 if (chunksize != expected_size)
1633 report_toast_corruption(ctx, ta,
1634 psprintf("toast value %u chunk %d has size %u, but expected size %u",
1635 ta->toast_pointer.va_valueid,
1636 chunk_seq, chunksize, expected_size));
1637}
1638
1639/*
1640 * Check the current attribute as tracked in ctx, recording any corruption
1641 * found in ctx->tupstore.
1642 *
1643 * This function follows the logic performed by heap_deform_tuple(), and in the
1644 * case of a toasted value, optionally stores the toast pointer so later it can
1645 * be checked following the logic of detoast_external_attr(), checking for any
1646 * conditions that would result in either of those functions Asserting or
1647 * crashing the backend. The checks performed by Asserts present in those two
1648 * functions are also performed here and in check_toasted_attribute. In cases
1649 * where those two functions are a bit cavalier in their assumptions about data
1650 * being correct, we perform additional checks not present in either of those
1651 * two functions. Where some condition is checked in both of those functions,
1652 * we perform it here twice, as we parallel the logical flow of those two
1653 * functions. The presence of duplicate checks seems a reasonable price to pay
1654 * for keeping this code tightly coupled with the code it protects.
1655 *
1656 * Returns true if the tuple attribute is sane enough for processing to
1657 * continue on to the next attribute, false otherwise.
1658 */
1659static bool
1660check_tuple_attribute(HeapCheckContext *ctx)
1661{
1662 Datum attdatum;
1663 struct varlena *attr;
1664 char *tp; /* pointer to the tuple data */
1665 uint16 infomask;
1666 CompactAttribute *thisatt;
1667 struct varatt_external toast_pointer;
1668
1669 infomask = ctx->tuphdr->t_infomask;
1670 thisatt = TupleDescCompactAttr(RelationGetDescr(ctx->rel), ctx->attnum);
1671
1672 tp = (char *) ctx->tuphdr + ctx->tuphdr->t_hoff;
1673
1674 if (ctx->tuphdr->t_hoff + ctx->offset > ctx->lp_len)
1675 {
1676 report_corruption(ctx,
1677 psprintf("attribute with length %u starts at offset %u beyond total tuple length %u",
1678 thisatt->attlen,
1679 ctx->tuphdr->t_hoff + ctx->offset,
1680 ctx->lp_len));
1681 return false;
1682 }
1683
1684 /* Skip null values */
1685 if (infomask & HEAP_HASNULL && att_isnull(ctx->attnum, ctx->tuphdr->t_bits))
1686 return true;
1687
1688 /* Skip non-varlena values, but update offset first */
1689 if (thisatt->attlen != -1)
1690 {
1691 ctx->offset = att_nominal_alignby(ctx->offset, thisatt->attalignby);
1692 ctx->offset = att_addlength_pointer(ctx->offset, thisatt->attlen,
1693 tp + ctx->offset);
1694 if (ctx->tuphdr->t_hoff + ctx->offset > ctx->lp_len)
1695 {
1696 report_corruption(ctx,
1697 psprintf("attribute with length %u ends at offset %u beyond total tuple length %u",
1698 thisatt->attlen,
1699 ctx->tuphdr->t_hoff + ctx->offset,
1700 ctx->lp_len));
1701 return false;
1702 }
1703 return true;
1704 }
1705
1706 /* Ok, we're looking at a varlena attribute. */
1707 ctx->offset = att_pointer_alignby(ctx->offset, thisatt->attalignby, -1,
1708 tp + ctx->offset);
1709
1710 /* Get the (possibly corrupt) varlena datum */
1711 attdatum = fetchatt(thisatt, tp + ctx->offset);
1712
1713 /*
1714 * We have the datum, but we cannot decode it carelessly, as it may still
1715 * be corrupt.
1716 */
1717
1718 /*
1719 * Check that VARTAG_SIZE won't hit an Assert on a corrupt va_tag before
1720 * risking a call into att_addlength_pointer
1721 */
1722 if (VARATT_IS_EXTERNAL(tp + ctx->offset))
1723 {
1724 uint8 va_tag = VARTAG_EXTERNAL(tp + ctx->offset);
1725
1726 if (va_tag != VARTAG_ONDISK)
1727 {
1728 report_corruption(ctx,
1729 psprintf("toasted attribute has unexpected TOAST tag %u",
1730 va_tag));
1731 /* We can't know where the next attribute begins */
1732 return false;
1733 }
1734 }
1735
1736 /* Ok, should be safe now */
1737 ctx->offset = att_addlength_pointer(ctx->offset, thisatt->attlen,
1738 tp + ctx->offset);
1739
1740 if (ctx->tuphdr->t_hoff + ctx->offset > ctx->lp_len)
1741 {
1742 report_corruption(ctx,
1743 psprintf("attribute with length %u ends at offset %u beyond total tuple length %u",
1744 thisatt->attlen,
1745 ctx->tuphdr->t_hoff + ctx->offset,
1746 ctx->lp_len));
1747
1748 return false;
1749 }
1750
1751 /*
1752 * heap_deform_tuple would be done with this attribute at this point,
1753 * having stored it in values[], and would continue to the next attribute.
1754 * We go further, because we need to check if the toast datum is corrupt.
1755 */
1756
1757 attr = (struct varlena *) DatumGetPointer(attdatum);
1758
1759 /*
1760 * Now we follow the logic of detoast_external_attr(), with the same
1761 * caveats about being paranoid about corruption.
1762 */
1763
1764 /* Skip values that are not external */
1765 if (!VARATT_IS_EXTERNAL(attr))
1766 return true;
1767
1768 /* It is external, and we're looking at a page on disk */
1769
1770 /*
1771 * Must copy attr into toast_pointer for alignment considerations
1772 */
1773 VARATT_EXTERNAL_GET_POINTER(toast_pointer, attr);
1774
1775 /* Toasted attributes too large to be untoasted should never be stored */
1776 if (toast_pointer.va_rawsize > VARLENA_SIZE_LIMIT)
1777 report_corruption(ctx,
1778 psprintf("toast value %u rawsize %d exceeds limit %d",
1779 toast_pointer.va_valueid,
1780 toast_pointer.va_rawsize,
1781 VARLENA_SIZE_LIMIT));
1782
1783 if (VARATT_EXTERNAL_IS_COMPRESSED(toast_pointer))
1784 {
1785 ToastCompressionId cmid;
1786 bool valid = false;
1787
1788 /* Compressed attributes should have a valid compression method */
1789 cmid = TOAST_COMPRESS_METHOD(&toast_pointer);
1790 switch (cmid)
1791 {
1792 /* List of all valid compression method IDs */
1793 case TOAST_PGLZ_COMPRESSION_ID:
1794 case TOAST_LZ4_COMPRESSION_ID:
1795 valid = true;
1796 break;
1797
1798 /* Recognized but invalid compression method ID */
1799 case TOAST_INVALID_COMPRESSION_ID:
1800 break;
1801
1802 /* Intentionally no default here */
1803 }
1804 if (!valid)
1805 report_corruption(ctx,
1806 psprintf("toast value %u has invalid compression method id %d",
1807 toast_pointer.va_valueid, cmid));
1808 }
1809
1810 /* The tuple header better claim to contain toasted values */
1811 if (!(infomask & HEAP_HASEXTERNAL))
1812 {
1813 report_corruption(ctx,
1814 psprintf("toast value %u is external but tuple header flag HEAP_HASEXTERNAL not set",
1815 toast_pointer.va_valueid));
1816 return true;
1817 }
1818
1819 /* The relation better have a toast table */
1820 if (!ctx->rel->rd_rel->reltoastrelid)
1821 {
1822 report_corruption(ctx,
1823 psprintf("toast value %u is external but relation has no toast relation",
1824 toast_pointer.va_valueid));
1825 return true;
1826 }
1827
1828 /* If we were told to skip toast checking, then we're done. */
1829 if (ctx->toast_rel == NULL)
1830 return true;
1831
1832 /*
1833 * If this tuple is eligible to be pruned, we cannot check the toast.
1834 * Otherwise, we push a copy of the toast tuple so we can check it after
1835 * releasing the main table buffer lock.
1836 */
1837 if (!ctx->tuple_could_be_pruned)
1838 {
1839 ToastedAttribute *ta;
1840
1841 ta = (ToastedAttribute *) palloc0(sizeof(ToastedAttribute));
1842
1843 VARATT_EXTERNAL_GET_POINTER(ta->toast_pointer, attr);
1844 ta->blkno = ctx->blkno;
1845 ta->offnum = ctx->offnum;
1846 ta->attnum = ctx->attnum;
1847 ctx->toasted_attributes = lappend(ctx->toasted_attributes, ta);
1848 }
1849
1850 return true;
1851}
1852
1853/*
1854 * For each attribute collected in ctx->toasted_attributes, look up the value
1855 * in the toast table and perform checks on it. This function should only be
1856 * called on toast pointers which cannot be vacuumed away during our
1857 * processing.
1858 */
1859static void
1860check_toasted_attribute(HeapCheckContext *ctx, ToastedAttribute *ta)
1861{
1862 ScanKeyData toastkey;
1863 SysScanDesc toastscan;
1864 bool found_toasttup;
1865 HeapTuple toasttup;
1866 uint32 extsize;
1867 int32 expected_chunk_seq = 0;
1868 int32 last_chunk_seq;
1869
1870 extsize = VARATT_EXTERNAL_GET_EXTSIZE(ta->toast_pointer);
1871 last_chunk_seq = (extsize - 1) / TOAST_MAX_CHUNK_SIZE;
1872
1873 /*
1874 * Setup a scan key to find chunks in toast table with matching va_valueid
1875 */
1876 ScanKeyInit(&toastkey,
1877 (AttrNumber) 1,
1878 BTEqualStrategyNumber, F_OIDEQ,
1879 ObjectIdGetDatum(ta->toast_pointer.va_valueid));
1880
1881 /*
1882 * Check if any chunks for this toasted object exist in the toast table,
1883 * accessible via the index.
1884 */
1885 toastscan = systable_beginscan_ordered(ctx->toast_rel,
1886 ctx->valid_toast_index,
1887 get_toast_snapshot(), 1,
1888 &toastkey);
1889 found_toasttup = false;
1890 while ((toasttup =
1891 systable_getnext_ordered(toastscan,
1892 ForwardScanDirection)) != NULL)
1893 {
1894 found_toasttup = true;
1895 check_toast_tuple(toasttup, ctx, ta, &expected_chunk_seq, extsize);
1896 }
1897 systable_endscan_ordered(toastscan);
1898
1899 if (!found_toasttup)
1900 report_toast_corruption(ctx, ta,
1901 psprintf("toast value %u not found in toast table",
1902 ta->toast_pointer.va_valueid));
1903 else if (expected_chunk_seq <= last_chunk_seq)
1904 report_toast_corruption(ctx, ta,
1905 psprintf("toast value %u was expected to end at chunk %d, but ended while expecting chunk %d",
1906 ta->toast_pointer.va_valueid,
1907 last_chunk_seq, expected_chunk_seq));
1908}
1909
1910/*
1911 * Check the current tuple as tracked in ctx, recording any corruption found in
1912 * ctx->tupstore.
1913 *
1914 * We return some information about the status of xmin to aid in validating
1915 * update chains.
1916 */
1917static void
1918check_tuple(HeapCheckContext *ctx, bool *xmin_commit_status_ok,
1919 XidCommitStatus *xmin_commit_status)
1920{
1921 /*
1922 * Check various forms of tuple header corruption, and if the header is
1923 * too corrupt, do not continue with other checks.
1924 */
1925 if (!check_tuple_header(ctx))
1926 return;
1927
1928 /*
1929 * Check tuple visibility. If the inserting transaction aborted, we
1930 * cannot assume our relation description matches the tuple structure, and
1931 * therefore cannot check it.
1932 */
1933 if (!check_tuple_visibility(ctx, xmin_commit_status_ok,
1934 xmin_commit_status))
1935 return;
1936
1937 /*
1938 * The tuple is visible, so it must be compatible with the current version
1939 * of the relation descriptor. It might have fewer columns than are
1940 * present in the relation descriptor, but it cannot have more.
1941 */
1942 if (RelationGetDescr(ctx->rel)->natts < ctx->natts)
1943 {
1944 report_corruption(ctx,
1945 psprintf("number of attributes %u exceeds maximum expected for table %u",
1946 ctx->natts,
1947 RelationGetDescr(ctx->rel)->natts));
1948 return;
1949 }
1950
1951 /*
1952 * Check each attribute unless we hit corruption that confuses what to do
1953 * next, at which point we abort further attribute checks for this tuple.
1954 * Note that we don't abort for all types of corruption, only for those
1955 * types where we don't know how to continue. We also don't abort the
1956 * checking of toasted attributes collected from the tuple prior to
1957 * aborting. Those will still be checked later along with other toasted
1958 * attributes collected from the page.
1959 */
1960 ctx->offset = 0;
1961 for (ctx->attnum = 0; ctx->attnum < ctx->natts; ctx->attnum++)
1962 if (!check_tuple_attribute(ctx))
1963 break; /* cannot continue */
1964
1965 /* revert attnum to -1 until we again examine individual attributes */
1966 ctx->attnum = -1;
1967}
1968
1969/*
1970 * Convert a TransactionId into a FullTransactionId using our cached values of
1971 * the valid transaction ID range. It is the caller's responsibility to have
1972 * already updated the cached values, if necessary. This is akin to
1973 * FullTransactionIdFromAllowableAt(), but it tolerates corruption in the form
1974 * of an xid before epoch 0.
1975 */
1976static FullTransactionId
1977FullTransactionIdFromXidAndCtx(TransactionId xid, const HeapCheckContext *ctx)
1978{
1979 uint64 nextfxid_i;
1980 int32 diff;
1981 FullTransactionId fxid;
1982
1983 Assert(TransactionIdIsNormal(ctx->next_xid));
1984 Assert(FullTransactionIdIsNormal(ctx->next_fxid));
1985 Assert(XidFromFullTransactionId(ctx->next_fxid) == ctx->next_xid);
1986
1987 if (!TransactionIdIsNormal(xid))
1988 return FullTransactionIdFromEpochAndXid(0, xid);
1989
1990 nextfxid_i = U64FromFullTransactionId(ctx->next_fxid);
1991
1992 /* compute the 32bit modulo difference */
1993 diff = (int32) (ctx->next_xid - xid);
1994
1995 /*
1996 * In cases of corruption we might see a 32bit xid that is before epoch 0.
1997 * We can't represent that as a 64bit xid, due to 64bit xids being
1998 * unsigned integers, without the modulo arithmetic of 32bit xid. There's
1999 * no really nice way to deal with that, but it works ok enough to use
2000 * FirstNormalFullTransactionId in that case, as a freshly initdb'd
2001 * cluster already has a newer horizon.
2002 */
2003 if (diff > 0 && (nextfxid_i - FirstNormalTransactionId) < (int64) diff)
2004 {
2005 Assert(EpochFromFullTransactionId(ctx->next_fxid) == 0);
2006 fxid = FirstNormalFullTransactionId;
2007 }
2008 else
2009 fxid = FullTransactionIdFromU64(nextfxid_i - diff);
2010
2011 Assert(FullTransactionIdIsNormal(fxid));
2012 return fxid;
2013}
2014
2015/*
2016 * Update our cached range of valid transaction IDs.
2017 */
2018static void
2019update_cached_xid_range(HeapCheckContext *ctx)
2020{
2021 /* Make cached copies */
2022 LWLockAcquire(XidGenLock, LW_SHARED);
2023 ctx->next_fxid = TransamVariables->nextXid;
2024 ctx->oldest_xid = TransamVariables->oldestXid;
2025 LWLockRelease(XidGenLock);
2026
2027 /* And compute alternate versions of the same */
2028 ctx->next_xid = XidFromFullTransactionId(ctx->next_fxid);
2029 ctx->oldest_fxid = FullTransactionIdFromXidAndCtx(ctx->oldest_xid, ctx);
2030}
2031
2032/*
2033 * Update our cached range of valid multitransaction IDs.
2034 */
2035static void
2036update_cached_mxid_range(HeapCheckContext *ctx)
2037{
2038 ReadMultiXactIdRange(&ctx->oldest_mxact, &ctx->next_mxact);
2039}
2040
2041/*
2042 * Return whether the given FullTransactionId is within our cached valid
2043 * transaction ID range.
2044 */
2045static inline bool
2046fxid_in_cached_range(FullTransactionId fxid, const HeapCheckContext *ctx)
2047{
2048 return (FullTransactionIdPrecedesOrEquals(ctx->oldest_fxid, fxid) &&
2049 FullTransactionIdPrecedes(fxid, ctx->next_fxid));
2050}
2051
2052/*
2053 * Checks whether a multitransaction ID is in the cached valid range, returning
2054 * the nature of the range violation, if any.
2055 */
2056static XidBoundsViolation
2057check_mxid_in_range(MultiXactId mxid, HeapCheckContext *ctx)
2058{
2059 if (!TransactionIdIsValid(mxid))
2060 return XID_INVALID;
2061 if (MultiXactIdPrecedes(mxid, ctx->relminmxid))
2062 return XID_PRECEDES_RELMIN;
2063 if (MultiXactIdPrecedes(mxid, ctx->oldest_mxact))
2064 return XID_PRECEDES_CLUSTERMIN;
2065 if (MultiXactIdPrecedesOrEquals(ctx->next_mxact, mxid))
2066 return XID_IN_FUTURE;
2067 return XID_BOUNDS_OK;
2068}
2069
2070/*
2071 * Checks whether the given mxid is valid to appear in the heap being checked,
2072 * returning the nature of the range violation, if any.
2073 *
2074 * This function attempts to return quickly by caching the known valid mxid
2075 * range in ctx. Callers should already have performed the initial setup of
2076 * the cache prior to the first call to this function.
2077 */
2078static XidBoundsViolation
2079check_mxid_valid_in_rel(MultiXactId mxid, HeapCheckContext *ctx)
2080{
2081 XidBoundsViolation result;
2082
2083 result = check_mxid_in_range(mxid, ctx);
2084 if (result == XID_BOUNDS_OK)
2085 return XID_BOUNDS_OK;
2086
2087 /* The range may have advanced. Recheck. */
2088 update_cached_mxid_range(ctx);
2089 return check_mxid_in_range(mxid, ctx);
2090}
2091
2092/*
2093 * Checks whether the given transaction ID is (or was recently) valid to appear
2094 * in the heap being checked, or whether it is too old or too new to appear in
2095 * the relation, returning information about the nature of the bounds violation.
2096 *
2097 * We cache the range of valid transaction IDs. If xid is in that range, we
2098 * conclude that it is valid, even though concurrent changes to the table might
2099 * invalidate it under certain corrupt conditions. (For example, if the table
2100 * contains corrupt all-frozen bits, a concurrent vacuum might skip the page(s)
2101 * containing the xid and then truncate clog and advance the relfrozenxid
2102 * beyond xid.) Reporting the xid as valid under such conditions seems
2103 * acceptable, since if we had checked it earlier in our scan it would have
2104 * truly been valid at that time.
2105 *
2106 * If the status argument is not NULL, and if and only if the transaction ID
2107 * appears to be valid in this relation, the status argument will be set with
2108 * the commit status of the transaction ID.
2109 */
2110static XidBoundsViolation
2111get_xid_status(TransactionId xid, HeapCheckContext *ctx,
2112 XidCommitStatus *status)
2113{
2114 FullTransactionId fxid;
2115 FullTransactionId clog_horizon;
2116
2117 /* Quick check for special xids */
2118 if (!TransactionIdIsValid(xid))
2119 return XID_INVALID;
2120 else if (xid == BootstrapTransactionId || xid == FrozenTransactionId)
2121 {
2122 if (status != NULL)
2123 *status = XID_COMMITTED;
2124 return XID_BOUNDS_OK;
2125 }
2126
2127 /* Check if the xid is within bounds */
2128 fxid = FullTransactionIdFromXidAndCtx(xid, ctx);
2129 if (!fxid_in_cached_range(fxid, ctx))
2130 {
2131 /*
2132 * We may have been checking against stale values. Update the cached
2133 * range to be sure, and since we relied on the cached range when we
2134 * performed the full xid conversion, reconvert.
2135 */
2136 update_cached_xid_range(ctx);
2137 fxid = FullTransactionIdFromXidAndCtx(xid, ctx);
2138 }
2139
2140 if (FullTransactionIdPrecedesOrEquals(ctx->next_fxid, fxid))
2141 return XID_IN_FUTURE;
2142 if (FullTransactionIdPrecedes(fxid, ctx->oldest_fxid))
2143 return XID_PRECEDES_CLUSTERMIN;
2144 if (FullTransactionIdPrecedes(fxid, ctx->relfrozenfxid))
2145 return XID_PRECEDES_RELMIN;
2146
2147 /* Early return if the caller does not request clog checking */
2148 if (status == NULL)
2149 return XID_BOUNDS_OK;
2150
2151 /* Early return if we just checked this xid in a prior call */
2152 if (xid == ctx->cached_xid)
2153 {
2154 *status = ctx->cached_status;
2155 return XID_BOUNDS_OK;
2156 }
2157
2158 *status = XID_COMMITTED;
2159 LWLockAcquire(XactTruncationLock, LW_SHARED);
2160 clog_horizon =
2161 FullTransactionIdFromXidAndCtx(TransamVariables->oldestClogXid,
2162 ctx);
2163 if (FullTransactionIdPrecedesOrEquals(clog_horizon, fxid))
2164 {
2165 if (TransactionIdIsCurrentTransactionId(xid))
2166 *status = XID_IS_CURRENT_XID;
2167 else if (TransactionIdIsInProgress(xid))
2168 *status = XID_IN_PROGRESS;
2169 else if (TransactionIdDidCommit(xid))
2170 *status = XID_COMMITTED;
2171 else
2172 *status = XID_ABORTED;
2173 }
2174 LWLockRelease(XactTruncationLock);
2175 ctx->cached_xid = xid;
2176 ctx->cached_status = *status;
2177 return XID_BOUNDS_OK;
2178}
AttrNumber
int16 AttrNumber
Definition: attnum.h:21
BlockNumber
uint32 BlockNumber
Definition: block.h:31
InvalidBlockNumber
#define InvalidBlockNumber
Definition: block.h:33
values
static Datum values[MAXATTR]
Definition: bootstrap.c:151
Buffer
int Buffer
Definition: buf.h:23
InvalidBuffer
#define InvalidBuffer
Definition: buf.h:25
BufferGetBlockNumber
BlockNumber BufferGetBlockNumber(Buffer buffer)
Definition: bufmgr.c:4161
ReleaseBuffer
void ReleaseBuffer(Buffer buffer)
Definition: bufmgr.c:5303
UnlockReleaseBuffer
void UnlockReleaseBuffer(Buffer buffer)
Definition: bufmgr.c:5320
LockBuffer
void LockBuffer(Buffer buffer, int mode)
Definition: bufmgr.c:5537
BAS_BULKREAD
@ BAS_BULKREAD
Definition: bufmgr.h:37
BUFFER_LOCK_SHARE
#define BUFFER_LOCK_SHARE
Definition: bufmgr.h:197
RelationGetNumberOfBlocks
#define RelationGetNumberOfBlocks(reln)
Definition: bufmgr.h:280
BufferGetPage
static Page BufferGetPage(Buffer buffer)
Definition: bufmgr.h:414
BufferIsValid
static bool BufferIsValid(Buffer bufnum)
Definition: bufmgr.h:365
PageGetItem
static Item PageGetItem(const PageData *page, const ItemIdData *itemId)
Definition: bufpage.h:354
PageGetItemId
static ItemId PageGetItemId(Page page, OffsetNumber offsetNumber)
Definition: bufpage.h:244
Page
PageData * Page
Definition: bufpage.h:82
PageGetMaxOffsetNumber
static OffsetNumber PageGetMaxOffsetNumber(const PageData *page)
Definition: bufpage.h:372
CStringGetTextDatum
#define CStringGetTextDatum(s)
Definition: builtins.h:97
MAXALIGN
#define MAXALIGN(LEN)
Definition: c.h:782
uint8
uint8_t uint8
Definition: c.h:500
Pointer
char * Pointer
Definition: c.h:493
VARHDRSZ
#define VARHDRSZ
Definition: c.h:663
int64
int64_t int64
Definition: c.h:499
MultiXactId
TransactionId MultiXactId
Definition: c.h:633
int32
int32_t int32
Definition: c.h:498
uint64
uint64_t uint64
Definition: c.h:503
uint16
uint16_t uint16
Definition: c.h:501
uint32
uint32_t uint32
Definition: c.h:502
TransactionId
uint32 TransactionId
Definition: c.h:623
VARATT_EXTERNAL_GET_POINTER
#define VARATT_EXTERNAL_GET_POINTER(toast_pointer, attr)
Definition: detoast.h:22
errhint
int errhint(const char *fmt,...)
Definition: elog.c:1318
errcode
int errcode(int sqlerrcode)
Definition: elog.c:854
errmsg
int errmsg(const char *fmt,...)
Definition: elog.c:1071
DEBUG1
#define DEBUG1
Definition: elog.h:30
ERROR
#define ERROR
Definition: elog.h:39
ereport
#define ereport(elevel,...)
Definition: elog.h:149
Int64GetDatum
Datum Int64GetDatum(int64 X)
Definition: fmgr.c:1807
PG_GETARG_OID
#define PG_GETARG_OID(n)
Definition: fmgr.h:275
PG_GETARG_TEXT_PP
#define PG_GETARG_TEXT_PP(n)
Definition: fmgr.h:309
PG_ARGISNULL
#define PG_ARGISNULL(n)
Definition: fmgr.h:209
PG_RETURN_NULL
#define PG_RETURN_NULL()
Definition: fmgr.h:345
PG_GETARG_INT64
#define PG_GETARG_INT64(n)
Definition: fmgr.h:283
PG_GETARG_BOOL
#define PG_GETARG_BOOL(n)
Definition: fmgr.h:274
PG_FUNCTION_ARGS
#define PG_FUNCTION_ARGS
Definition: fmgr.h:193
GetAccessStrategy
BufferAccessStrategy GetAccessStrategy(BufferAccessStrategyType btype)
Definition: freelist.c:541
InitMaterializedSRF
void InitMaterializedSRF(FunctionCallInfo fcinfo, bits32 flags)
Definition: funcapi.c:76
systable_beginscan_ordered
SysScanDesc systable_beginscan_ordered(Relation heapRelation, Relation indexRelation, Snapshot snapshot, int nkeys, ScanKey key)
Definition: genam.c:650
systable_endscan_ordered
void systable_endscan_ordered(SysScanDesc sysscan)
Definition: genam.c:757
systable_getnext_ordered
HeapTuple systable_getnext_ordered(SysScanDesc sysscan, ScanDirection direction)
Definition: genam.c:732
Assert
Assert(PointerIsAligned(start, uint64))
HeapTupleGetUpdateXid
TransactionId HeapTupleGetUpdateXid(const HeapTupleHeaderData *tup)
Definition: heapam.c:7535
TOAST_MAX_CHUNK_SIZE
#define TOAST_MAX_CHUNK_SIZE
Definition: heaptoast.h:84
heap_form_tuple
HeapTuple heap_form_tuple(TupleDesc tupleDescriptor, const Datum *values, const bool *isnull)
Definition: heaptuple.c:1117
HeapTupleHeader
HeapTupleHeaderData * HeapTupleHeader
Definition: htup.h:23
HEAP_MOVED_OFF
#define HEAP_MOVED_OFF
Definition: htup_details.h:211
HeapTupleHeaderGetNatts
#define HeapTupleHeaderGetNatts(tup)
Definition: htup_details.h:577
SizeofHeapTupleHeader
#define SizeofHeapTupleHeader
Definition: htup_details.h:185
HEAP_HOT_UPDATED
#define HEAP_HOT_UPDATED
Definition: htup_details.h:290
HEAP_HASNULL
#define HEAP_HASNULL
Definition: htup_details.h:190
HEAP_XMAX_IS_LOCKED_ONLY
static bool HEAP_XMAX_IS_LOCKED_ONLY(uint16 infomask)
Definition: htup_details.h:226
BITMAPLEN
static int BITMAPLEN(int NATTS)
Definition: htup_details.h:594
HeapTupleHeaderXminInvalid
static bool HeapTupleHeaderXminInvalid(const HeapTupleHeaderData *tup)
Definition: htup_details.h:343
HeapTupleHeaderGetXvac
static TransactionId HeapTupleHeaderGetXvac(const HeapTupleHeaderData *tup)
Definition: htup_details.h:442
HEAP_MOVED_IN
#define HEAP_MOVED_IN
Definition: htup_details.h:212
HeapTupleHeaderGetRawXmax
static TransactionId HeapTupleHeaderGetRawXmax(const HeapTupleHeaderData *tup)
Definition: htup_details.h:377
HeapTupleHeaderIsHeapOnly
static bool HeapTupleHeaderIsHeapOnly(const HeapTupleHeaderData *tup)
Definition: htup_details.h:555
HEAP_XMAX_IS_MULTI
#define HEAP_XMAX_IS_MULTI
Definition: htup_details.h:209
HEAP_XMAX_COMMITTED
#define HEAP_XMAX_COMMITTED
Definition: htup_details.h:207
HeapTupleHeaderGetXmin
static TransactionId HeapTupleHeaderGetXmin(const HeapTupleHeaderData *tup)
Definition: htup_details.h:324
HEAP_HASEXTERNAL
#define HEAP_HASEXTERNAL
Definition: htup_details.h:192
HeapTupleHeaderIsHotUpdated
static bool HeapTupleHeaderIsHotUpdated(const HeapTupleHeaderData *tup)
Definition: htup_details.h:534
HEAP_XMAX_INVALID
#define HEAP_XMAX_INVALID
Definition: htup_details.h:208
HeapTupleHeaderGetUpdateXid
static TransactionId HeapTupleHeaderGetUpdateXid(const HeapTupleHeaderData *tup)
Definition: htup_details.h:397
HEAP_UPDATED
#define HEAP_UPDATED
Definition: htup_details.h:210
fastgetattr
static Datum fastgetattr(HeapTuple tup, int attnum, TupleDesc tupleDesc, bool *isnull)
Definition: htup_details.h:861
HeapTupleHeaderXminCommitted
static bool HeapTupleHeaderXminCommitted(const HeapTupleHeaderData *tup)
Definition: htup_details.h:337
i
int i
Definition: isn.c:77
if
if(TABLE==NULL||TABLE_index==NULL)
Definition: isn.c:81
ItemIdGetLength
#define ItemIdGetLength(itemId)
Definition: itemid.h:59
ItemIdIsNormal
#define ItemIdIsNormal(itemId)
Definition: itemid.h:99
ItemIdGetOffset
#define ItemIdGetOffset(itemId)
Definition: itemid.h:65
ItemIdGetRedirect
#define ItemIdGetRedirect(itemId)
Definition: itemid.h:78
ItemIdIsDead
#define ItemIdIsDead(itemId)
Definition: itemid.h:113
ItemIdIsUsed
#define ItemIdIsUsed(itemId)
Definition: itemid.h:92
ItemIdIsRedirected
#define ItemIdIsRedirected(itemId)
Definition: itemid.h:106
ItemPointerGetOffsetNumber
static OffsetNumber ItemPointerGetOffsetNumber(const ItemPointerData *pointer)
Definition: itemptr.h:124
ItemPointerGetBlockNumber
static BlockNumber ItemPointerGetBlockNumber(const ItemPointerData *pointer)
Definition: itemptr.h:103
lappend
List * lappend(List *list, void *datum)
Definition: list.c:339
list_free_deep
void list_free_deep(List *list)
Definition: list.c:1560
AccessShareLock
#define AccessShareLock
Definition: lockdefs.h:36
LWLockAcquire
bool LWLockAcquire(LWLock *lock, LWLockMode mode)
Definition: lwlock.c:1182
LWLockRelease
void LWLockRelease(LWLock *lock)
Definition: lwlock.c:1902
LW_SHARED
@ LW_SHARED
Definition: lwlock.h:115
pstrdup
char * pstrdup(const char *in)
Definition: mcxt.c:2322
pfree
void pfree(void *pointer)
Definition: mcxt.c:2147
palloc0
void * palloc0(Size size)
Definition: mcxt.c:1970
CHECK_FOR_INTERRUPTS
#define CHECK_FOR_INTERRUPTS()
Definition: miscadmin.h:123
ReadMultiXactIdRange
void ReadMultiXactIdRange(MultiXactId *oldest, MultiXactId *next)
Definition: multixact.c:791
MultiXactIdPrecedes
bool MultiXactIdPrecedes(MultiXactId multi1, MultiXactId multi2)
Definition: multixact.c:3317
MultiXactIdPrecedesOrEquals
bool MultiXactIdPrecedesOrEquals(MultiXactId multi1, MultiXactId multi2)
Definition: multixact.c:3331
InvalidOffsetNumber
#define InvalidOffsetNumber
Definition: off.h:26
OffsetNumberNext
#define OffsetNumberNext(offsetNumber)
Definition: off.h:52
OffsetNumber
uint16 OffsetNumber
Definition: off.h:24
FirstOffsetNumber
#define FirstOffsetNumber
Definition: off.h:27
MaxOffsetNumber
#define MaxOffsetNumber
Definition: off.h:28
pg_am.h
attnum
int16 attnum
Definition: pg_attribute.h:74
skip
static const struct exclude_list_item skip[]
Definition: pg_checksums.c:107
errdetail_relkind_not_supported
int errdetail_relkind_not_supported(char relkind)
Definition: pg_class.c:24
pg_class.h
lfirst
#define lfirst(lc)
Definition: pg_list.h:172
NIL
#define NIL
Definition: pg_list.h:68
pg_strcasecmp
int pg_strcasecmp(const char *s1, const char *s2)
Definition: pgstrcasecmp.c:36
Datum
uintptr_t Datum
Definition: postgres.h:69
ObjectIdGetDatum
static Datum ObjectIdGetDatum(Oid X)
Definition: postgres.h:257
DatumGetPointer
static Pointer DatumGetPointer(Datum X)
Definition: postgres.h:317
Int32GetDatum
static Datum Int32GetDatum(int32 X)
Definition: postgres.h:217
DatumGetInt32
static int32 DatumGetInt32(Datum X)
Definition: postgres.h:207
Oid
unsigned int Oid
Definition: postgres_ext.h:30
fb
static int fb(int x)
Definition: preproc-init.c:92
TransactionIdIsInProgress
bool TransactionIdIsInProgress(TransactionId xid)
Definition: procarray.c:1402
psprintf
char * psprintf(const char *fmt,...)
Definition: psprintf.c:43
read_stream_next_buffer
Buffer read_stream_next_buffer(ReadStream *stream, void **per_buffer_data)
Definition: read_stream.c:770
read_stream_begin_relation
ReadStream * read_stream_begin_relation(int flags, BufferAccessStrategy strategy, Relation rel, ForkNumber forknum, ReadStreamBlockNumberCB callback, void *callback_private_data, size_t per_buffer_data_size)
Definition: read_stream.c:716
read_stream_end
void read_stream_end(ReadStream *stream)
Definition: read_stream.c:1055
block_range_read_stream_cb
BlockNumber block_range_read_stream_cb(ReadStream *stream, void *callback_private_data, void *per_buffer_data)
Definition: read_stream.c:162
read_stream.h
READ_STREAM_USE_BATCHING
#define READ_STREAM_USE_BATCHING
Definition: read_stream.h:64
ReadStreamBlockNumberCB
BlockNumber(* ReadStreamBlockNumberCB)(ReadStream *stream, void *callback_private_data, void *per_buffer_data)
Definition: read_stream.h:77
READ_STREAM_FULL
#define READ_STREAM_FULL
Definition: read_stream.h:43
READ_STREAM_DEFAULT
#define READ_STREAM_DEFAULT
Definition: read_stream.h:21
READ_STREAM_SEQUENTIAL
#define READ_STREAM_SEQUENTIAL
Definition: read_stream.h:36
RelationGetDescr
#define RelationGetDescr(relation)
Definition: rel.h:542
RelationGetRelationName
#define RelationGetRelationName(relation)
Definition: rel.h:550
MAIN_FORKNUM
@ MAIN_FORKNUM
Definition: relpath.h:58
ScanKeyInit
void ScanKeyInit(ScanKey entry, AttrNumber attributeNumber, StrategyNumber strategy, RegProcedure procedure, Datum argument)
Definition: scankey.c:76
ForwardScanDirection
@ ForwardScanDirection
Definition: sdir.h:28
GetTransactionSnapshot
Snapshot GetTransactionSnapshot(void)
Definition: snapmgr.c:271
relation_close
void relation_close(Relation relation, LOCKMODE lockmode)
Definition: relation.c:205
relation_open
Relation relation_open(Oid relationId, LOCKMODE lockmode)
Definition: relation.c:47
BTEqualStrategyNumber
#define BTEqualStrategyNumber
Definition: stratnum.h:31
CompactAttribute::attalignby
uint8 attalignby
Definition: tupdesc.h:80
CompactAttribute::attlen
int16 attlen
Definition: tupdesc.h:71
HeapCheckContext::tupstore
Tuplestorestate * tupstore
Definition: verify_heapam.c:157
HeapCheckContext::relminmxid
TransactionId relminmxid
Definition: verify_heapam.c:116
HeapCheckContext::attnum
AttrNumber attnum
Definition: verify_heapam.c:141
HeapCheckContext::oldest_fxid
FullTransactionId oldest_fxid
Definition: verify_heapam.c:95
HeapCheckContext::toast_indexes
Relation * toast_indexes
Definition: verify_heapam.c:118
HeapCheckContext::bstrategy
BufferAccessStrategy bstrategy
Definition: verify_heapam.c:127
HeapCheckContext::relfrozenxid
TransactionId relfrozenxid
Definition: verify_heapam.c:114
HeapCheckContext::cached_xid
TransactionId cached_xid
Definition: verify_heapam.c:109
HeapCheckContext::next_fxid
FullTransactionId next_fxid
Definition: verify_heapam.c:92
HeapCheckContext::blkno
BlockNumber blkno
Definition: verify_heapam.c:126
HeapCheckContext::toasted_attributes
List * toasted_attributes
Definition: verify_heapam.c:150
HeapCheckContext::next_mxact
MultiXactId next_mxact
Definition: verify_heapam.c:103
HeapCheckContext::relfrozenfxid
FullTransactionId relfrozenfxid
Definition: verify_heapam.c:115
HeapCheckContext::valid_toast_index
Relation valid_toast_index
Definition: verify_heapam.c:119
HeapCheckContext::cached_status
XidCommitStatus cached_status
Definition: verify_heapam.c:110
HeapCheckContext::safe_xmin
TransactionId safe_xmin
Definition: verify_heapam.c:97
HeapCheckContext::offnum
OffsetNumber offnum
Definition: verify_heapam.c:132
HeapCheckContext::next_xid
TransactionId next_xid
Definition: verify_heapam.c:93
HeapCheckContext::tuphdr
HeapTupleHeader tuphdr
Definition: verify_heapam.c:136
HeapCheckContext::oldest_xid
TransactionId oldest_xid
Definition: verify_heapam.c:94
HeapCheckContext::oldest_mxact
MultiXactId oldest_mxact
Definition: verify_heapam.c:104
HeapCheckReadStreamData::range
BlockRangeReadStreamPrivate range
Definition: verify_heapam.c:174
HeapTupleHeaderData::t_bits
bits8 t_bits[FLEXIBLE_ARRAY_MEMBER]
Definition: htup_details.h:178
List
Definition: pg_list.h:54
RelationData::rd_att
TupleDesc rd_att
Definition: rel.h:112
RelationData::rd_rel
Form_pg_class rd_rel
Definition: rel.h:111
ReturnSetInfo::setDesc
TupleDesc setDesc
Definition: execnodes.h:359
ReturnSetInfo::setResult
Tuplestorestate * setResult
Definition: execnodes.h:358
SnapshotData::xmin
TransactionId xmin
Definition: snapshot.h:153
ToastedAttribute::attnum
AttrNumber attnum
Definition: verify_heapam.c:79
ToastedAttribute::toast_pointer
struct varatt_external toast_pointer
Definition: verify_heapam.c:76
ToastedAttribute::offnum
OffsetNumber offnum
Definition: verify_heapam.c:78
ToastedAttribute::blkno
BlockNumber blkno
Definition: verify_heapam.c:77
TransamVariablesData::nextXid
FullTransactionId nextXid
Definition: transam.h:220
TransamVariablesData::oldestClogXid
TransactionId oldestClogXid
Definition: transam.h:253
TransamVariablesData::oldestXid
TransactionId oldestXid
Definition: transam.h:222
varatt_external
Definition: varatt.h:33
varatt_external::va_rawsize
int32 va_rawsize
Definition: varatt.h:34
varatt_external::va_valueid
Oid va_valueid
Definition: varatt.h:37
varlena
Definition: c.h:658
table_close
void table_close(Relation relation, LOCKMODE lockmode)
Definition: table.c:126
table_open
Relation table_open(Oid relationId, LOCKMODE lockmode)
Definition: table.c:40
ToastCompressionId
ToastCompressionId
Definition: toast_compression.h:38
TOAST_INVALID_COMPRESSION_ID
@ TOAST_INVALID_COMPRESSION_ID
Definition: toast_compression.h:41
TOAST_LZ4_COMPRESSION_ID
@ TOAST_LZ4_COMPRESSION_ID
Definition: toast_compression.h:40
TOAST_PGLZ_COMPRESSION_ID
@ TOAST_PGLZ_COMPRESSION_ID
Definition: toast_compression.h:39
toast_close_indexes
void toast_close_indexes(Relation *toastidxs, int num_indexes, LOCKMODE lock)
Definition: toast_internals.c:621
toast_open_indexes
int toast_open_indexes(Relation toastrel, LOCKMODE lock, Relation **toastidxs, int *num_indexes)
Definition: toast_internals.c:562
get_toast_snapshot
Snapshot get_toast_snapshot(void)
Definition: toast_internals.c:638
toast_internals.h
TOAST_COMPRESS_METHOD
#define TOAST_COMPRESS_METHOD(ptr)
Definition: toast_internals.h:36
TransactionIdDidCommit
bool TransactionIdDidCommit(TransactionId transactionId)
Definition: transam.c:126
TransactionIdPrecedes
bool TransactionIdPrecedes(TransactionId id1, TransactionId id2)
Definition: transam.c:280
FullTransactionIdIsNormal
#define FullTransactionIdIsNormal(x)
Definition: transam.h:58
FrozenTransactionId
#define FrozenTransactionId
Definition: transam.h:33
InvalidTransactionId
#define InvalidTransactionId
Definition: transam.h:31
FullTransactionIdPrecedesOrEquals
#define FullTransactionIdPrecedesOrEquals(a, b)
Definition: transam.h:52
EpochFromFullTransactionId
#define EpochFromFullTransactionId(x)
Definition: transam.h:47
U64FromFullTransactionId
#define U64FromFullTransactionId(x)
Definition: transam.h:49
FullTransactionIdFromU64
static FullTransactionId FullTransactionIdFromU64(uint64 value)
Definition: transam.h:81
TransactionIdEquals
#define TransactionIdEquals(id1, id2)
Definition: transam.h:43
BootstrapTransactionId
#define BootstrapTransactionId
Definition: transam.h:32
XidFromFullTransactionId
#define XidFromFullTransactionId(x)
Definition: transam.h:48
FirstNormalTransactionId
#define FirstNormalTransactionId
Definition: transam.h:34
TransactionIdIsValid
#define TransactionIdIsValid(xid)
Definition: transam.h:41
FullTransactionIdFromEpochAndXid
static FullTransactionId FullTransactionIdFromEpochAndXid(uint32 epoch, TransactionId xid)
Definition: transam.h:71
TransactionIdIsNormal
#define TransactionIdIsNormal(xid)
Definition: transam.h:42
FirstNormalFullTransactionId
#define FirstNormalFullTransactionId
Definition: transam.h:57
FullTransactionIdPrecedes
#define FullTransactionIdPrecedes(a, b)
Definition: transam.h:51
TupleDescCompactAttr
static CompactAttribute * TupleDescCompactAttr(TupleDesc tupdesc, int i)
Definition: tupdesc.h:175
tuplestore_puttuple
void tuplestore_puttuple(Tuplestorestate *state, HeapTuple tuple)
Definition: tuplestore.c:764
att_nominal_alignby
#define att_nominal_alignby(cur_offset, attalignby)
Definition: tupmacs.h:165
att_isnull
static bool att_isnull(int ATT, const bits8 *BITS)
Definition: tupmacs.h:26
att_addlength_pointer
#define att_addlength_pointer(cur_offset, attlen, attptr)
Definition: tupmacs.h:185
att_pointer_alignby
#define att_pointer_alignby(cur_offset, attalignby, attlen, attptr)
Definition: tupmacs.h:129
fetchatt
#define fetchatt(A, T)
Definition: tupmacs.h:47
varattrib_4b
Definition: varatt.h:112
VARHDRSZ_SHORT
#define VARHDRSZ_SHORT
Definition: varatt.h:255
VARSIZE_SHORT
#define VARSIZE_SHORT(PTR)
Definition: varatt.h:281
VARATT_IS_EXTENDED
#define VARATT_IS_EXTENDED(PTR)
Definition: varatt.h:303
VARATT_IS_SHORT
#define VARATT_IS_SHORT(PTR)
Definition: varatt.h:302
VARATT_EXTERNAL_IS_COMPRESSED
#define VARATT_EXTERNAL_IS_COMPRESSED(toast_pointer)
Definition: varatt.h:354
VARSIZE
#define VARSIZE(PTR)
Definition: varatt.h:279
VARATT_EXTERNAL_GET_EXTSIZE
#define VARATT_EXTERNAL_GET_EXTSIZE(toast_pointer)
Definition: varatt.h:334
VARTAG_EXTERNAL
#define VARTAG_EXTERNAL(PTR)
Definition: varatt.h:284
VARATT_IS_EXTERNAL
#define VARATT_IS_EXTERNAL(PTR)
Definition: varatt.h:289
VARTAG_ONDISK
@ VARTAG_ONDISK
Definition: varatt.h:89
text_to_cstring
char * text_to_cstring(const text *t)
Definition: varlena.c:225
TransamVariables
TransamVariablesData * TransamVariables
Definition: varsup.c:34
check_mxid_valid_in_rel
static XidBoundsViolation check_mxid_valid_in_rel(MultiXactId mxid, HeapCheckContext *ctx)
Definition: verify_heapam.c:2079
check_toasted_attribute
static void check_toasted_attribute(HeapCheckContext *ctx, ToastedAttribute *ta)
Definition: verify_heapam.c:1860
PG_FUNCTION_INFO_V1
PG_FUNCTION_INFO_V1(verify_heapam)
VARLENA_SIZE_LIMIT
#define VARLENA_SIZE_LIMIT
Definition: verify_heapam.c:39
get_xid_status
static XidBoundsViolation get_xid_status(TransactionId xid, HeapCheckContext *ctx, XidCommitStatus *status)
Definition: verify_heapam.c:2111
XidCommitStatus
XidCommitStatus
Definition: verify_heapam.c:55
XID_IS_CURRENT_XID
@ XID_IS_CURRENT_XID
Definition: verify_heapam.c:57
XID_IN_PROGRESS
@ XID_IN_PROGRESS
Definition: verify_heapam.c:58
XID_COMMITTED
@ XID_COMMITTED
Definition: verify_heapam.c:56
XID_ABORTED
@ XID_ABORTED
Definition: verify_heapam.c:59
XidBoundsViolation
XidBoundsViolation
Definition: verify_heapam.c:46
XID_IN_FUTURE
@ XID_IN_FUTURE
Definition: verify_heapam.c:48
XID_PRECEDES_CLUSTERMIN
@ XID_PRECEDES_CLUSTERMIN
Definition: verify_heapam.c:49
XID_INVALID
@ XID_INVALID
Definition: verify_heapam.c:47
XID_PRECEDES_RELMIN
@ XID_PRECEDES_RELMIN
Definition: verify_heapam.c:50
XID_BOUNDS_OK
@ XID_BOUNDS_OK
Definition: verify_heapam.c:51
report_corruption_internal
static void report_corruption_internal(Tuplestorestate *tupstore, TupleDesc tupdesc, BlockNumber blkno, OffsetNumber offnum, AttrNumber attnum, char *msg)
Definition: verify_heapam.c:915
check_tuple_visibility
static bool check_tuple_visibility(HeapCheckContext *ctx, bool *xmin_commit_status_ok, XidCommitStatus *xmin_commit_status)
Definition: verify_heapam.c:1112
HEAPCHECK_RELATION_COLS
#define HEAPCHECK_RELATION_COLS
Definition: verify_heapam.c:36
HeapCheckReadStreamData
struct HeapCheckReadStreamData HeapCheckReadStreamData
HeapCheckContext
struct HeapCheckContext HeapCheckContext
check_toast_tuple
static void check_toast_tuple(HeapTuple toasttup, HeapCheckContext *ctx, ToastedAttribute *ta, int32 *expected_chunk_seq, uint32 extsize)
Definition: verify_heapam.c:1554
fxid_in_cached_range
static bool fxid_in_cached_range(FullTransactionId fxid, const HeapCheckContext *ctx)
Definition: verify_heapam.c:2046
check_mxid_in_range
static XidBoundsViolation check_mxid_in_range(MultiXactId mxid, HeapCheckContext *ctx)
Definition: verify_heapam.c:2057
update_cached_mxid_range
static void update_cached_mxid_range(HeapCheckContext *ctx)
Definition: verify_heapam.c:2036
update_cached_xid_range
static void update_cached_xid_range(HeapCheckContext *ctx)
Definition: verify_heapam.c:2019
SkipPages
SkipPages
Definition: verify_heapam.c:63
SKIP_PAGES_ALL_VISIBLE
@ SKIP_PAGES_ALL_VISIBLE
Definition: verify_heapam.c:65
SKIP_PAGES_ALL_FROZEN
@ SKIP_PAGES_ALL_FROZEN
Definition: verify_heapam.c:64
SKIP_PAGES_NONE
@ SKIP_PAGES_NONE
Definition: verify_heapam.c:66
FullTransactionIdFromXidAndCtx
static FullTransactionId FullTransactionIdFromXidAndCtx(TransactionId xid, const HeapCheckContext *ctx)
Definition: verify_heapam.c:1977
check_tuple
static void check_tuple(HeapCheckContext *ctx, bool *xmin_commit_status_ok, XidCommitStatus *xmin_commit_status)
Definition: verify_heapam.c:1918
ToastedAttribute
struct ToastedAttribute ToastedAttribute
check_tuple_header
static bool check_tuple_header(HeapCheckContext *ctx)
Definition: verify_heapam.c:999
report_toast_corruption
static void report_toast_corruption(HeapCheckContext *ctx, ToastedAttribute *ta, char *msg)
Definition: verify_heapam.c:967
check_tuple_attribute
static bool check_tuple_attribute(HeapCheckContext *ctx)
Definition: verify_heapam.c:1660
report_corruption
static void report_corruption(HeapCheckContext *ctx, char *msg)
Definition: verify_heapam.c:951
heapcheck_read_stream_next_unskippable
static BlockNumber heapcheck_read_stream_next_unskippable(ReadStream *stream, void *callback_private_data, void *per_buffer_data)
Definition: verify_heapam.c:881
verify_heapam
Datum verify_heapam(PG_FUNCTION_ARGS)
Definition: verify_heapam.c:250
visibilitymap_get_status
uint8 visibilitymap_get_status(Relation rel, BlockNumber heapBlk, Buffer *vmbuf)
Definition: visibilitymap.c:341
VISIBILITYMAP_ALL_FROZEN
#define VISIBILITYMAP_ALL_FROZEN
Definition: visibilitymapdefs.h:21
VISIBILITYMAP_ALL_VISIBLE
#define VISIBILITYMAP_ALL_VISIBLE
Definition: visibilitymapdefs.h:20
TransactionIdIsCurrentTransactionId
bool TransactionIdIsCurrentTransactionId(TransactionId xid)
Definition: xact.c:941
RecoveryInProgress
bool RecoveryInProgress(void)
Definition: xlog.c:6522