PostgreSQL Source Code  git master
verify_nbtree.c
Go to the documentation of this file.
1 /*-------------------------------------------------------------------------
2  *
3  * verify_nbtree.c
4  * Verifies the integrity of nbtree indexes based on invariants.
5  *
6  * For B-Tree indexes, verification includes checking that each page in the
7  * target index has items in logical order as reported by an insertion scankey
8  * (the insertion scankey sort-wise NULL semantics are needed for
9  * verification).
10  *
11  * When index-to-heap verification is requested, a Bloom filter is used to
12  * fingerprint all tuples in the target index, as the index is traversed to
13  * verify its structure. A heap scan later uses Bloom filter probes to verify
14  * that every visible heap tuple has a matching index tuple.
15  *
16  *
17  * Copyright (c) 2017-2021, PostgreSQL Global Development Group
18  *
19  * IDENTIFICATION
20  * contrib/amcheck/verify_nbtree.c
21  *
22  *-------------------------------------------------------------------------
23  */
24 #include "postgres.h"
25 
26 #include "access/htup_details.h"
27 #include "access/nbtree.h"
28 #include "access/table.h"
29 #include "access/tableam.h"
30 #include "access/transam.h"
31 #include "access/xact.h"
32 #include "catalog/index.h"
33 #include "catalog/pg_am.h"
34 #include "commands/tablecmds.h"
35 #include "lib/bloomfilter.h"
36 #include "miscadmin.h"
37 #include "storage/lmgr.h"
38 #include "storage/smgr.h"
39 #include "utils/memutils.h"
40 #include "utils/snapmgr.h"
41 
42 
43 PG_MODULE_MAGIC;
44 
45 /*
46  * A B-Tree cannot possibly have this many levels, since there must be one
47  * block per level, which is bound by the range of BlockNumber:
48  */
49 #define InvalidBtreeLevel ((uint32) InvalidBlockNumber)
50 #define BTreeTupleGetNKeyAtts(itup, rel) \
51  Min(IndexRelationGetNumberOfKeyAttributes(rel), BTreeTupleGetNAtts(itup, rel))
52 
53 /*
54  * State associated with verifying a B-Tree index
55  *
56  * target is the point of reference for a verification operation.
57  *
58  * Other B-Tree pages may be allocated, but those are always auxiliary (e.g.,
59  * they are current target's child pages). Conceptually, problems are only
60  * ever found in the current target page (or for a particular heap tuple during
61  * heapallindexed verification). Each page found by verification's left/right,
62  * top/bottom scan becomes the target exactly once.
63  */
64 typedef struct BtreeCheckState
65 {
66  /*
67  * Unchanging state, established at start of verification:
68  */
69 
70  /* B-Tree Index Relation and associated heap relation */
71  Relation rel;
72  Relation heaprel;
73  /* rel is heapkeyspace index? */
74  bool heapkeyspace;
75  /* ShareLock held on heap/index, rather than AccessShareLock? */
76  bool readonly;
77  /* Also verifying heap has no unindexed tuples? */
78  bool heapallindexed;
79  /* Also making sure non-pivot tuples can be found by new search? */
80  bool rootdescend;
81  /* Per-page context */
82  MemoryContext targetcontext;
83  /* Buffer access strategy */
84  BufferAccessStrategy checkstrategy;
85 
86  /*
87  * Mutable state, for verification of particular page:
88  */
89 
90  /* Current target page */
91  Page target;
92  /* Target block number */
93  BlockNumber targetblock;
94  /* Target page's LSN */
95  XLogRecPtr targetlsn;
96 
97  /*
98  * Low key: high key of left sibling of target page. Used only for child
99  * verification. So, 'lowkey' is kept only when 'readonly' is set.
100  */
101  IndexTuple lowkey;
102 
103  /*
104  * The rightlink and incomplete split flag of block one level down to the
105  * target page, which was visited last time via downlink from taget page.
106  * We use it to check for missing downlinks.
107  */
108  BlockNumber prevrightlink;
109  bool previncompletesplit;
110 
111  /*
112  * Mutable state, for optional heapallindexed verification:
113  */
114 
115  /* Bloom filter fingerprints B-Tree index */
116  bloom_filter *filter;
117  /* Debug counter */
118  int64 heaptuplespresent;
119 } BtreeCheckState;
120 
121 /*
122  * Starting point for verifying an entire B-Tree index level
123  */
124 typedef struct BtreeLevel
125 {
126  /* Level number (0 is leaf page level). */
127  uint32 level;
128 
129  /* Left most block on level. Scan of level begins here. */
130  BlockNumber leftmost;
131 
132  /* Is this level reported as "true" root level by meta page? */
133  bool istruerootlevel;
134 } BtreeLevel;
135 
136 PG_FUNCTION_INFO_V1(bt_index_check);
137 PG_FUNCTION_INFO_V1(bt_index_parent_check);
138 
139 static void bt_index_check_internal(Oid indrelid, bool parentcheck,
140  bool heapallindexed, bool rootdescend);
141 static inline void btree_index_checkable(Relation rel);
142 static inline bool btree_index_mainfork_expected(Relation rel);
143 static void bt_check_every_level(Relation rel, Relation heaprel,
144  bool heapkeyspace, bool readonly, bool heapallindexed,
145  bool rootdescend);
146 static BtreeLevel bt_check_level_from_leftmost(BtreeCheckState *state,
147  BtreeLevel level);
148 static void bt_recheck_sibling_links(BtreeCheckState *state,
149  BlockNumber btpo_prev_from_target,
150  BlockNumber leftcurrent);
151 static void bt_target_page_check(BtreeCheckState *state);
152 static BTScanInsert bt_right_page_check_scankey(BtreeCheckState *state);
153 static void bt_child_check(BtreeCheckState *state, BTScanInsert targetkey,
154  OffsetNumber downlinkoffnum);
155 static void bt_child_highkey_check(BtreeCheckState *state,
156  OffsetNumber target_downlinkoffnum,
157  Page loaded_child,
158  uint32 target_level);
159 static void bt_downlink_missing_check(BtreeCheckState *state, bool rightsplit,
160  BlockNumber targetblock, Page target);
161 static void bt_tuple_present_callback(Relation index, ItemPointer tid,
162  Datum *values, bool *isnull,
163  bool tupleIsAlive, void *checkstate);
164 static IndexTuple bt_normalize_tuple(BtreeCheckState *state,
165  IndexTuple itup);
166 static inline IndexTuple bt_posting_plain_tuple(IndexTuple itup, int n);
167 static bool bt_rootdescend(BtreeCheckState *state, IndexTuple itup);
168 static inline bool offset_is_negative_infinity(BTPageOpaque opaque,
169  OffsetNumber offset);
170 static inline bool invariant_l_offset(BtreeCheckState *state, BTScanInsert key,
171  OffsetNumber upperbound);
172 static inline bool invariant_leq_offset(BtreeCheckState *state,
173  BTScanInsert key,
174  OffsetNumber upperbound);
175 static inline bool invariant_g_offset(BtreeCheckState *state, BTScanInsert key,
176  OffsetNumber lowerbound);
177 static inline bool invariant_l_nontarget_offset(BtreeCheckState *state,
178  BTScanInsert key,
179  BlockNumber nontargetblock,
180  Page nontarget,
181  OffsetNumber upperbound);
182 static Page palloc_btree_page(BtreeCheckState *state, BlockNumber blocknum);
183 static inline BTScanInsert bt_mkscankey_pivotsearch(Relation rel,
184  IndexTuple itup);
185 static ItemId PageGetItemIdCareful(BtreeCheckState *state, BlockNumber block,
186  Page page, OffsetNumber offset);
187 static inline ItemPointer BTreeTupleGetHeapTIDCareful(BtreeCheckState *state,
188  IndexTuple itup, bool nonpivot);
189 static inline ItemPointer BTreeTupleGetPointsToTID(IndexTuple itup);
190 
191 /*
192  * bt_index_check(index regclass, heapallindexed boolean)
193  *
194  * Verify integrity of B-Tree index.
195  *
196  * Acquires AccessShareLock on heap & index relations. Does not consider
197  * invariants that exist between parent/child pages. Optionally verifies
198  * that heap does not contain any unindexed or incorrectly indexed tuples.
199  */
200 Datum
201 bt_index_check(PG_FUNCTION_ARGS)
202 {
203  Oid indrelid = PG_GETARG_OID(0);
204  bool heapallindexed = false;
205 
206  if (PG_NARGS() == 2)
207  heapallindexed = PG_GETARG_BOOL(1);
208 
209  bt_index_check_internal(indrelid, false, heapallindexed, false);
210 
211  PG_RETURN_VOID();
212 }
213 
214 /*
215  * bt_index_parent_check(index regclass, heapallindexed boolean)
216  *
217  * Verify integrity of B-Tree index.
218  *
219  * Acquires ShareLock on heap & index relations. Verifies that downlinks in
220  * parent pages are valid lower bounds on child pages. Optionally verifies
221  * that heap does not contain any unindexed or incorrectly indexed tuples.
222  */
223 Datum
224 bt_index_parent_check(PG_FUNCTION_ARGS)
225 {
226  Oid indrelid = PG_GETARG_OID(0);
227  bool heapallindexed = false;
228  bool rootdescend = false;
229 
230  if (PG_NARGS() >= 2)
231  heapallindexed = PG_GETARG_BOOL(1);
232  if (PG_NARGS() == 3)
233  rootdescend = PG_GETARG_BOOL(2);
234 
235  bt_index_check_internal(indrelid, true, heapallindexed, rootdescend);
236 
237  PG_RETURN_VOID();
238 }
239 
240 /*
241  * Helper for bt_index_[parent_]check, coordinating the bulk of the work.
242  */
243 static void
244 bt_index_check_internal(Oid indrelid, bool parentcheck, bool heapallindexed,
245  bool rootdescend)
246 {
247  Oid heapid;
248  Relation indrel;
249  Relation heaprel;
250  LOCKMODE lockmode;
251 
252  if (parentcheck)
253  lockmode = ShareLock;
254  else
255  lockmode = AccessShareLock;
256 
257  /*
258  * We must lock table before index to avoid deadlocks. However, if the
259  * passed indrelid isn't an index then IndexGetRelation() will fail.
260  * Rather than emitting a not-very-helpful error message, postpone
261  * complaining, expecting that the is-it-an-index test below will fail.
262  *
263  * In hot standby mode this will raise an error when parentcheck is true.
264  */
265  heapid = IndexGetRelation(indrelid, true);
266  if (OidIsValid(heapid))
267  heaprel = table_open(heapid, lockmode);
268  else
269  heaprel = NULL;
270 
271  /*
272  * Open the target index relations separately (like relation_openrv(), but
273  * with heap relation locked first to prevent deadlocking). In hot
274  * standby mode this will raise an error when parentcheck is true.
275  *
276  * There is no need for the usual indcheckxmin usability horizon test
277  * here, even in the heapallindexed case, because index undergoing
278  * verification only needs to have entries for a new transaction snapshot.
279  * (If this is a parentcheck verification, there is no question about
280  * committed or recently dead heap tuples lacking index entries due to
281  * concurrent activity.)
282  */
283  indrel = index_open(indrelid, lockmode);
284 
285  /*
286  * Since we did the IndexGetRelation call above without any lock, it's
287  * barely possible that a race against an index drop/recreation could have
288  * netted us the wrong table.
289  */
290  if (heaprel == NULL || heapid != IndexGetRelation(indrelid, false))
291  ereport(ERROR,
292  (errcode(ERRCODE_UNDEFINED_TABLE),
293  errmsg("could not open parent table of index \"%s\"",
294  RelationGetRelationName(indrel))));
295 
296  /* Relation suitable for checking as B-Tree? */
297  btree_index_checkable(indrel);
298 
299  if (btree_index_mainfork_expected(indrel))
300  {
301  bool heapkeyspace,
302  allequalimage;
303 
304  RelationOpenSmgr(indrel);
305  if (!smgrexists(indrel->rd_smgr, MAIN_FORKNUM))
306  ereport(ERROR,
307  (errcode(ERRCODE_INDEX_CORRUPTED),
308  errmsg("index \"%s\" lacks a main relation fork",
309  RelationGetRelationName(indrel))));
310 
311  /* Extract metadata from metapage, and sanitize it in passing */
312  _bt_metaversion(indrel, &heapkeyspace, &allequalimage);
313  if (allequalimage && !heapkeyspace)
314  ereport(ERROR,
315  (errcode(ERRCODE_INDEX_CORRUPTED),
316  errmsg("index \"%s\" metapage has equalimage field set on unsupported nbtree version",
317  RelationGetRelationName(indrel))));
318  if (allequalimage && !_bt_allequalimage(indrel, false))
319  ereport(ERROR,
320  (errcode(ERRCODE_INDEX_CORRUPTED),
321  errmsg("index \"%s\" metapage incorrectly indicates that deduplication is safe",
322  RelationGetRelationName(indrel))));
323 
324  /* Check index, possibly against table it is an index on */
325  bt_check_every_level(indrel, heaprel, heapkeyspace, parentcheck,
326  heapallindexed, rootdescend);
327  }
328 
329  /*
330  * Release locks early. That's ok here because nothing in the called
331  * routines will trigger shared cache invalidations to be sent, so we can
332  * relax the usual pattern of only releasing locks after commit.
333  */
334  index_close(indrel, lockmode);
335  if (heaprel)
336  table_close(heaprel, lockmode);
337 }
338 
339 /*
340  * Basic checks about the suitability of a relation for checking as a B-Tree
341  * index.
342  *
343  * NB: Intentionally not checking permissions, the function is normally not
344  * callable by non-superusers. If granted, it's useful to be able to check a
345  * whole cluster.
346  */
347 static inline void
348 btree_index_checkable(Relation rel)
349 {
350  if (rel->rd_rel->relkind != RELKIND_INDEX ||
351  rel->rd_rel->relam != BTREE_AM_OID)
352  ereport(ERROR,
353  (errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
354  errmsg("only B-Tree indexes are supported as targets for verification"),
355  errdetail("Relation \"%s\" is not a B-Tree index.",
356  RelationGetRelationName(rel))));
357 
358  if (RELATION_IS_OTHER_TEMP(rel))
359  ereport(ERROR,
360  (errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
361  errmsg("cannot access temporary tables of other sessions"),
362  errdetail("Index \"%s\" is associated with temporary relation.",
363  RelationGetRelationName(rel))));
364 
365  if (!rel->rd_index->indisvalid)
366  ereport(ERROR,
367  (errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
368  errmsg("cannot check index \"%s\"",
369  RelationGetRelationName(rel)),
370  errdetail("Index is not valid.")));
371 }
372 
373 /*
374  * Check if B-Tree index relation should have a file for its main relation
375  * fork. Verification uses this to skip unlogged indexes when in hot standby
376  * mode, where there is simply nothing to verify.
377  *
378  * NB: Caller should call btree_index_checkable() before calling here.
379  */
380 static inline bool
381 btree_index_mainfork_expected(Relation rel)
382 {
383  if (rel->rd_rel->relpersistence != RELPERSISTENCE_UNLOGGED ||
384  !RecoveryInProgress())
385  return true;
386 
387  ereport(NOTICE,
388  (errcode(ERRCODE_READ_ONLY_SQL_TRANSACTION),
389  errmsg("cannot verify unlogged index \"%s\" during recovery, skipping",
390  RelationGetRelationName(rel))));
391 
392  return false;
393 }
394 
395 /*
396  * Main entry point for B-Tree SQL-callable functions. Walks the B-Tree in
397  * logical order, verifying invariants as it goes. Optionally, verification
398  * checks if the heap relation contains any tuples that are not represented in
399  * the index but should be.
400  *
401  * It is the caller's responsibility to acquire appropriate heavyweight lock on
402  * the index relation, and advise us if extra checks are safe when a ShareLock
403  * is held. (A lock of the same type must also have been acquired on the heap
404  * relation.)
405  *
406  * A ShareLock is generally assumed to prevent any kind of physical
407  * modification to the index structure, including modifications that VACUUM may
408  * make. This does not include setting of the LP_DEAD bit by concurrent index
409  * scans, although that is just metadata that is not able to directly affect
410  * any check performed here. Any concurrent process that might act on the
411  * LP_DEAD bit being set (recycle space) requires a heavyweight lock that
412  * cannot be held while we hold a ShareLock. (Besides, even if that could
413  * happen, the ad-hoc recycling when a page might otherwise split is performed
414  * per-page, and requires an exclusive buffer lock, which wouldn't cause us
415  * trouble. _bt_delitems_vacuum() may only delete leaf items, and so the extra
416  * parent/child check cannot be affected.)
417  */
418 static void
419 bt_check_every_level(Relation rel, Relation heaprel, bool heapkeyspace,
420  bool readonly, bool heapallindexed, bool rootdescend)
421 {
422  BtreeCheckState *state;
423  Page metapage;
424  BTMetaPageData *metad;
425  uint32 previouslevel;
426  BtreeLevel current;
427  Snapshot snapshot = SnapshotAny;
428 
429  if (!readonly)
430  elog(DEBUG1, "verifying consistency of tree structure for index \"%s\"",
431  RelationGetRelationName(rel));
432  else
433  elog(DEBUG1, "verifying consistency of tree structure for index \"%s\" with cross-level checks",
434  RelationGetRelationName(rel));
435 
436  /*
437  * This assertion matches the one in index_getnext_tid(). See page
438  * recycling/"visible to everyone" notes in nbtree README.
439  */
440  Assert(TransactionIdIsValid(RecentXmin));
441 
442  /*
443  * Initialize state for entire verification operation
444  */
445  state = palloc0(sizeof(BtreeCheckState));
446  state->rel = rel;
447  state->heaprel = heaprel;
448  state->heapkeyspace = heapkeyspace;
449  state->readonly = readonly;
450  state->heapallindexed = heapallindexed;
451  state->rootdescend = rootdescend;
452 
453  if (state->heapallindexed)
454  {
455  int64 total_pages;
456  int64 total_elems;
457  uint64 seed;
458 
459  /*
460  * Size Bloom filter based on estimated number of tuples in index,
461  * while conservatively assuming that each block must contain at least
462  * MaxTIDsPerBTreePage / 3 "plain" tuples -- see
463  * bt_posting_plain_tuple() for definition, and details of how posting
464  * list tuples are handled.
465  */
466  total_pages = RelationGetNumberOfBlocks(rel);
467  total_elems = Max(total_pages * (MaxTIDsPerBTreePage / 3),
468  (int64) state->rel->rd_rel->reltuples);
469  /* Random seed relies on backend srandom() call to avoid repetition */
470  seed = random();
471  /* Create Bloom filter to fingerprint index */
472  state->filter = bloom_create(total_elems, maintenance_work_mem, seed);
473  state->heaptuplespresent = 0;
474 
475  /*
476  * Register our own snapshot in !readonly case, rather than asking
477  * table_index_build_scan() to do this for us later. This needs to
478  * happen before index fingerprinting begins, so we can later be
479  * certain that index fingerprinting should have reached all tuples
480  * returned by table_index_build_scan().
481  */
482  if (!state->readonly)
483  {
484  snapshot = RegisterSnapshot(GetTransactionSnapshot());
485 
486  /*
487  * GetTransactionSnapshot() always acquires a new MVCC snapshot in
488  * READ COMMITTED mode. A new snapshot is guaranteed to have all
489  * the entries it requires in the index.
490  *
491  * We must defend against the possibility that an old xact
492  * snapshot was returned at higher isolation levels when that
493  * snapshot is not safe for index scans of the target index. This
494  * is possible when the snapshot sees tuples that are before the
495  * index's indcheckxmin horizon. Throwing an error here should be
496  * very rare. It doesn't seem worth using a secondary snapshot to
497  * avoid this.
498  */
499  if (IsolationUsesXactSnapshot() && rel->rd_index->indcheckxmin &&
500  !TransactionIdPrecedes(HeapTupleHeaderGetXmin(rel->rd_indextuple->t_data),
501  snapshot->xmin))
502  ereport(ERROR,
503  (errcode(ERRCODE_T_R_SERIALIZATION_FAILURE),
504  errmsg("index \"%s\" cannot be verified using transaction snapshot",
505  RelationGetRelationName(rel))));
506  }
507  }
508 
509  Assert(!state->rootdescend || state->readonly);
510  if (state->rootdescend && !state->heapkeyspace)
511  ereport(ERROR,
512  (errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
513  errmsg("cannot verify that tuples from index \"%s\" can each be found by an independent index search",
514  RelationGetRelationName(rel)),
515  errhint("Only B-Tree version 4 indexes support rootdescend verification.")));
516 
517  /* Create context for page */
518  state->targetcontext = AllocSetContextCreate(CurrentMemoryContext,
519  "amcheck context",
520  ALLOCSET_DEFAULT_SIZES);
521  state->checkstrategy = GetAccessStrategy(BAS_BULKREAD);
522 
523  /* Get true root block from meta-page */
524  metapage = palloc_btree_page(state, BTREE_METAPAGE);
525  metad = BTPageGetMeta(metapage);
526 
527  /*
528  * Certain deletion patterns can result in "skinny" B-Tree indexes, where
529  * the fast root and true root differ.
530  *
531  * Start from the true root, not the fast root, unlike conventional index
532  * scans. This approach is more thorough, and removes the risk of
533  * following a stale fast root from the meta page.
534  */
535  if (metad->btm_fastroot != metad->btm_root)
536  ereport(DEBUG1,
537  (errcode(ERRCODE_NO_DATA),
538  errmsg_internal("harmless fast root mismatch in index \"%s\"",
539  RelationGetRelationName(rel)),
540  errdetail_internal("Fast root block %u (level %u) differs from true root block %u (level %u).",
541  metad->btm_fastroot, metad->btm_fastlevel,
542  metad->btm_root, metad->btm_level)));
543 
544  /*
545  * Starting at the root, verify every level. Move left to right, top to
546  * bottom. Note that there may be no pages other than the meta page (meta
547  * page can indicate that root is P_NONE when the index is totally empty).
548  */
549  previouslevel = InvalidBtreeLevel;
550  current.level = metad->btm_level;
551  current.leftmost = metad->btm_root;
552  current.istruerootlevel = true;
553  while (current.leftmost != P_NONE)
554  {
555  /*
556  * Verify this level, and get left most page for next level down, if
557  * not at leaf level
558  */
559  current = bt_check_level_from_leftmost(state, current);
560 
561  if (current.leftmost == InvalidBlockNumber)
562  ereport(ERROR,
563  (errcode(ERRCODE_INDEX_CORRUPTED),
564  errmsg("index \"%s\" has no valid pages on level below %u or first level",
565  RelationGetRelationName(rel), previouslevel)));
566 
567  previouslevel = current.level;
568  }
569 
570  /*
571  * * Check whether heap contains unindexed/malformed tuples *
572  */
573  if (state->heapallindexed)
574  {
575  IndexInfo *indexinfo = BuildIndexInfo(state->rel);
576  TableScanDesc scan;
577 
578  /*
579  * Create our own scan for table_index_build_scan(), rather than
580  * getting it to do so for us. This is required so that we can
581  * actually use the MVCC snapshot registered earlier in !readonly
582  * case.
583  *
584  * Note that table_index_build_scan() calls heap_endscan() for us.
585  */
586  scan = table_beginscan_strat(state->heaprel, /* relation */
587  snapshot, /* snapshot */
588  0, /* number of keys */
589  NULL, /* scan key */
590  true, /* buffer access strategy OK */
591  true); /* syncscan OK? */
592 
593  /*
594  * Scan will behave as the first scan of a CREATE INDEX CONCURRENTLY
595  * behaves in !readonly case.
596  *
597  * It's okay that we don't actually use the same lock strength for the
598  * heap relation as any other ii_Concurrent caller would in !readonly
599  * case. We have no reason to care about a concurrent VACUUM
600  * operation, since there isn't going to be a second scan of the heap
601  * that needs to be sure that there was no concurrent recycling of
602  * TIDs.
603  */
604  indexinfo->ii_Concurrent = !state->readonly;
605 
606  /*
607  * Don't wait for uncommitted tuple xact commit/abort when index is a
608  * unique index on a catalog (or an index used by an exclusion
609  * constraint). This could otherwise happen in the readonly case.
610  */
611  indexinfo->ii_Unique = false;
612  indexinfo->ii_ExclusionOps = NULL;
613  indexinfo->ii_ExclusionProcs = NULL;
614  indexinfo->ii_ExclusionStrats = NULL;
615 
616  elog(DEBUG1, "verifying that tuples from index \"%s\" are present in \"%s\"",
617  RelationGetRelationName(state->rel),
618  RelationGetRelationName(state->heaprel));
619 
620  table_index_build_scan(state->heaprel, state->rel, indexinfo, true, false,
621  bt_tuple_present_callback, (void *) state, scan);
622 
623  ereport(DEBUG1,
624  (errmsg_internal("finished verifying presence of " INT64_FORMAT " tuples from table \"%s\" with bitset %.2f%% set",
625  state->heaptuplespresent, RelationGetRelationName(heaprel),
626  100.0 * bloom_prop_bits_set(state->filter))));
627 
628  if (snapshot != SnapshotAny)
629  UnregisterSnapshot(snapshot);
630 
631  bloom_free(state->filter);
632  }
633 
634  /* Be tidy: */
635  MemoryContextDelete(state->targetcontext);
636 }
637 
638 /*
639  * Given a left-most block at some level, move right, verifying each page
640  * individually (with more verification across pages for "readonly"
641  * callers). Caller should pass the true root page as the leftmost initially,
642  * working their way down by passing what is returned for the last call here
643  * until level 0 (leaf page level) was reached.
644  *
645  * Returns state for next call, if any. This includes left-most block number
646  * one level lower that should be passed on next level/call, which is set to
647  * P_NONE on last call here (when leaf level is verified). Level numbers
648  * follow the nbtree convention: higher levels have higher numbers, because new
649  * levels are added only due to a root page split. Note that prior to the
650  * first root page split, the root is also a leaf page, so there is always a
651  * level 0 (leaf level), and it's always the last level processed.
652  *
653  * Note on memory management: State's per-page context is reset here, between
654  * each call to bt_target_page_check().
655  */
656 static BtreeLevel
657 bt_check_level_from_leftmost(BtreeCheckState *state, BtreeLevel level)
658 {
659  /* State to establish early, concerning entire level */
660  BTPageOpaque opaque;
661  MemoryContext oldcontext;
662  BtreeLevel nextleveldown;
663 
664  /* Variables for iterating across level using right links */
665  BlockNumber leftcurrent = P_NONE;
666  BlockNumber current = level.leftmost;
667 
668  /* Initialize return state */
669  nextleveldown.leftmost = InvalidBlockNumber;
670  nextleveldown.level = InvalidBtreeLevel;
671  nextleveldown.istruerootlevel = false;
672 
673  /* Use page-level context for duration of this call */
674  oldcontext = MemoryContextSwitchTo(state->targetcontext);
675 
676  elog(DEBUG1, "verifying level %u%s", level.level,
677  level.istruerootlevel ?
678  " (true root level)" : level.level == 0 ? " (leaf level)" : "");
679 
680  state->prevrightlink = InvalidBlockNumber;
681  state->previncompletesplit = false;
682 
683  do
684  {
685  /* Don't rely on CHECK_FOR_INTERRUPTS() calls at lower level */
686  CHECK_FOR_INTERRUPTS();
687 
688  /* Initialize state for this iteration */
689  state->targetblock = current;
690  state->target = palloc_btree_page(state, state->targetblock);
691  state->targetlsn = PageGetLSN(state->target);
692 
693  opaque = (BTPageOpaque) PageGetSpecialPointer(state->target);
694 
695  if (P_IGNORE(opaque))
696  {
697  /*
698  * Since there cannot be a concurrent VACUUM operation in readonly
699  * mode, and since a page has no links within other pages
700  * (siblings and parent) once it is marked fully deleted, it
701  * should be impossible to land on a fully deleted page in
702  * readonly mode. See bt_child_check() for further details.
703  *
704  * The bt_child_check() P_ISDELETED() check is repeated here so
705  * that pages that are only reachable through sibling links get
706  * checked.
707  */
708  if (state->readonly && P_ISDELETED(opaque))
709  ereport(ERROR,
710  (errcode(ERRCODE_INDEX_CORRUPTED),
711  errmsg("downlink or sibling link points to deleted block in index \"%s\"",
712  RelationGetRelationName(state->rel)),
713  errdetail_internal("Block=%u left block=%u left link from block=%u.",
714  current, leftcurrent, opaque->btpo_prev)));
715 
716  if (P_RIGHTMOST(opaque))
717  ereport(ERROR,
718  (errcode(ERRCODE_INDEX_CORRUPTED),
719  errmsg("block %u fell off the end of index \"%s\"",
720  current, RelationGetRelationName(state->rel))));
721  else
722  ereport(DEBUG1,
723  (errcode(ERRCODE_NO_DATA),
724  errmsg_internal("block %u of index \"%s\" concurrently deleted",
725  current, RelationGetRelationName(state->rel))));
726  goto nextpage;
727  }
728  else if (nextleveldown.leftmost == InvalidBlockNumber)
729  {
730  /*
731  * A concurrent page split could make the caller supplied leftmost
732  * block no longer contain the leftmost page, or no longer be the
733  * true root, but where that isn't possible due to heavyweight
734  * locking, check that the first valid page meets caller's
735  * expectations.
736  */
737  if (state->readonly)
738  {
739  if (!P_LEFTMOST(opaque))
740  ereport(ERROR,
741  (errcode(ERRCODE_INDEX_CORRUPTED),
742  errmsg("block %u is not leftmost in index \"%s\"",
743  current, RelationGetRelationName(state->rel))));
744 
745  if (level.istruerootlevel && !P_ISROOT(opaque))
746  ereport(ERROR,
747  (errcode(ERRCODE_INDEX_CORRUPTED),
748  errmsg("block %u is not true root in index \"%s\"",
749  current, RelationGetRelationName(state->rel))));
750  }
751 
752  /*
753  * Before beginning any non-trivial examination of level, prepare
754  * state for next bt_check_level_from_leftmost() invocation for
755  * the next level for the next level down (if any).
756  *
757  * There should be at least one non-ignorable page per level,
758  * unless this is the leaf level, which is assumed by caller to be
759  * final level.
760  */
761  if (!P_ISLEAF(opaque))
762  {
763  IndexTuple itup;
764  ItemId itemid;
765 
766  /* Internal page -- downlink gets leftmost on next level */
767  itemid = PageGetItemIdCareful(state, state->targetblock,
768  state->target,
769  P_FIRSTDATAKEY(opaque));
770  itup = (IndexTuple) PageGetItem(state->target, itemid);
771  nextleveldown.leftmost = BTreeTupleGetDownLink(itup);
772  nextleveldown.level = opaque->btpo_level - 1;
773  }
774  else
775  {
776  /*
777  * Leaf page -- final level caller must process.
778  *
779  * Note that this could also be the root page, if there has
780  * been no root page split yet.
781  */
782  nextleveldown.leftmost = P_NONE;
783  nextleveldown.level = InvalidBtreeLevel;
784  }
785 
786  /*
787  * Finished setting up state for this call/level. Control will
788  * never end up back here in any future loop iteration for this
789  * level.
790  */
791  }
792 
793  /* Sibling links should be in mutual agreement */
794  if (opaque->btpo_prev != leftcurrent)
795  bt_recheck_sibling_links(state, opaque->btpo_prev, leftcurrent);
796 
797  /* Check level */
798  if (level.level != opaque->btpo_level)
799  ereport(ERROR,
800  (errcode(ERRCODE_INDEX_CORRUPTED),
801  errmsg("leftmost down link for level points to block in index \"%s\" whose level is not one level down",
802  RelationGetRelationName(state->rel)),
803  errdetail_internal("Block pointed to=%u expected level=%u level in pointed to block=%u.",
804  current, level.level, opaque->btpo_level)));
805 
806  /* Verify invariants for page */
807  bt_target_page_check(state);
808 
809 nextpage:
810 
811  /* Try to detect circular links */
812  if (current == leftcurrent || current == opaque->btpo_prev)
813  ereport(ERROR,
814  (errcode(ERRCODE_INDEX_CORRUPTED),
815  errmsg("circular link chain found in block %u of index \"%s\"",
816  current, RelationGetRelationName(state->rel))));
817 
818  leftcurrent = current;
819  current = opaque->btpo_next;
820 
821  if (state->lowkey)
822  {
823  Assert(state->readonly);
824  pfree(state->lowkey);
825  state->lowkey = NULL;
826  }
827 
828  /*
829  * Copy current target high key as the low key of right sibling.
830  * Allocate memory in upper level context, so it would be cleared
831  * after reset of target context.
832  *
833  * We only need the low key in corner cases of checking child high
834  * keys. We use high key only when incomplete split on the child level
835  * falls to the boundary of pages on the target level. See
836  * bt_child_highkey_check() for details. So, typically we won't end
837  * up doing anything with low key, but it's simpler for general case
838  * high key verification to always have it available.
839  *
840  * The correctness of managing low key in the case of concurrent
841  * splits wasn't investigated yet. Thankfully we only need low key
842  * for readonly verification and concurrent splits won't happen.
843  */
844  if (state->readonly && !P_RIGHTMOST(opaque))
845  {
846  IndexTuple itup;
847  ItemId itemid;
848 
849  itemid = PageGetItemIdCareful(state, state->targetblock,
850  state->target, P_HIKEY);
851  itup = (IndexTuple) PageGetItem(state->target, itemid);
852 
853  state->lowkey = MemoryContextAlloc(oldcontext, IndexTupleSize(itup));
854  memcpy(state->lowkey, itup, IndexTupleSize(itup));
855  }
856 
857  /* Free page and associated memory for this iteration */
858  MemoryContextReset(state->targetcontext);
859  }
860  while (current != P_NONE);
861 
862  if (state->lowkey)
863  {
864  Assert(state->readonly);
865  pfree(state->lowkey);
866  state->lowkey = NULL;
867  }
868 
869  /* Don't change context for caller */
870  MemoryContextSwitchTo(oldcontext);
871 
872  return nextleveldown;
873 }
874 
875 /*
876  * Raise an error when target page's left link does not point back to the
877  * previous target page, called leftcurrent here. The leftcurrent page's
878  * right link was followed to get to the current target page, and we expect
879  * mutual agreement among leftcurrent and the current target page. Make sure
880  * that this condition has definitely been violated in the !readonly case,
881  * where concurrent page splits are something that we need to deal with.
882  *
883  * Cross-page inconsistencies involving pages that don't agree about being
884  * siblings are known to be a particularly good indicator of corruption
885  * involving partial writes/lost updates. The bt_right_page_check_scankey
886  * check also provides a way of detecting cross-page inconsistencies for
887  * !readonly callers, but it can only detect sibling pages that have an
888  * out-of-order keyspace, which can't catch many of the problems that we
889  * expect to catch here.
890  *
891  * The classic example of the kind of inconsistency that we can only catch
892  * with this check (when in !readonly mode) involves three sibling pages that
893  * were affected by a faulty page split at some point in the past. The
894  * effects of the split are reflected in the original page and its new right
895  * sibling page, with a lack of any accompanying changes for the _original_
896  * right sibling page. The original right sibling page's left link fails to
897  * point to the new right sibling page (its left link still points to the
898  * original page), even though the first phase of a page split is supposed to
899  * work as a single atomic action. This subtle inconsistency will probably
900  * only break backwards scans in practice.
901  *
902  * Note that this is the only place where amcheck will "couple" buffer locks
903  * (and only for !readonly callers). In general we prefer to avoid more
904  * thorough cross-page checks in !readonly mode, but it seems worth the
905  * complexity here. Also, the performance overhead of performing lock
906  * coupling here is negligible in practice. Control only reaches here with a
907  * non-corrupt index when there is a concurrent page split at the instant
908  * caller crossed over to target page from leftcurrent page.
909  */
910 static void
911 bt_recheck_sibling_links(BtreeCheckState *state,
912  BlockNumber btpo_prev_from_target,
913  BlockNumber leftcurrent)
914 {
915  if (!state->readonly)
916  {
917  Buffer lbuf;
918  Buffer newtargetbuf;
919  Page page;
920  BTPageOpaque opaque;
921  BlockNumber newtargetblock;
922 
923  /* Couple locks in the usual order for nbtree: Left to right */
924  lbuf = ReadBufferExtended(state->rel, MAIN_FORKNUM, leftcurrent,
925  RBM_NORMAL, state->checkstrategy);
926  LockBuffer(lbuf, BT_READ);
927  _bt_checkpage(state->rel, lbuf);
928  page = BufferGetPage(lbuf);
929  opaque = (BTPageOpaque) PageGetSpecialPointer(page);
930  if (P_ISDELETED(opaque))
931  {
932  /*
933  * Cannot reason about concurrently deleted page -- the left link
934  * in the page to the right is expected to point to some other
935  * page to the left (not leftcurrent page).
936  *
937  * Note that we deliberately don't give up with a half-dead page.
938  */
939  UnlockReleaseBuffer(lbuf);
940  return;
941  }
942 
943  newtargetblock = opaque->btpo_next;
944  /* Avoid self-deadlock when newtargetblock == leftcurrent */
945  if (newtargetblock != leftcurrent)
946  {
947  newtargetbuf = ReadBufferExtended(state->rel, MAIN_FORKNUM,
948  newtargetblock, RBM_NORMAL,
949  state->checkstrategy);
950  LockBuffer(newtargetbuf, BT_READ);
951  _bt_checkpage(state->rel, newtargetbuf);
952  page = BufferGetPage(newtargetbuf);
953  opaque = (BTPageOpaque) PageGetSpecialPointer(page);
954  /* btpo_prev_from_target may have changed; update it */
955  btpo_prev_from_target = opaque->btpo_prev;
956  }
957  else
958  {
959  /*
960  * leftcurrent right sibling points back to leftcurrent block.
961  * Index is corrupt. Easiest way to handle this is to pretend
962  * that we actually read from a distinct page that has an invalid
963  * block number in its btpo_prev.
964  */
965  newtargetbuf = InvalidBuffer;
966  btpo_prev_from_target = InvalidBlockNumber;
967  }
968 
969  /*
970  * No need to check P_ISDELETED here, since new target block cannot be
971  * marked deleted as long as we hold a lock on lbuf
972  */
973  if (BufferIsValid(newtargetbuf))
974  UnlockReleaseBuffer(newtargetbuf);
975  UnlockReleaseBuffer(lbuf);
976 
977  if (btpo_prev_from_target == leftcurrent)
978  {
979  /* Report split in left sibling, not target (or new target) */
980  ereport(DEBUG1,
981  (errcode(ERRCODE_INTERNAL_ERROR),
982  errmsg_internal("harmless concurrent page split detected in index \"%s\"",
983  RelationGetRelationName(state->rel)),
984  errdetail_internal("Block=%u new right sibling=%u original right sibling=%u.",
985  leftcurrent, newtargetblock,
986  state->targetblock)));
987  return;
988  }
989 
990  /*
991  * Index is corrupt. Make sure that we report correct target page.
992  *
993  * This could have changed in cases where there was a concurrent page
994  * split, as well as index corruption (at least in theory). Note that
995  * btpo_prev_from_target was already updated above.
996  */
997  state->targetblock = newtargetblock;
998  }
999 
1000  ereport(ERROR,
1001  (errcode(ERRCODE_INDEX_CORRUPTED),
1002  errmsg("left link/right link pair in index \"%s\" not in agreement",
1003  RelationGetRelationName(state->rel)),
1004  errdetail_internal("Block=%u left block=%u left link from block=%u.",
1005  state->targetblock, leftcurrent,
1006  btpo_prev_from_target)));
1007 }
1008 
1009 /*
1010  * Function performs the following checks on target page, or pages ancillary to
1011  * target page:
1012  *
1013  * - That every "real" data item is less than or equal to the high key, which
1014  * is an upper bound on the items on the page. Data items should be
1015  * strictly less than the high key when the page is an internal page.
1016  *
1017  * - That within the page, every data item is strictly less than the item
1018  * immediately to its right, if any (i.e., that the items are in order
1019  * within the page, so that the binary searches performed by index scans are
1020  * sane).
1021  *
1022  * - That the last data item stored on the page is strictly less than the
1023  * first data item on the page to the right (when such a first item is
1024  * available).
1025  *
1026  * - Various checks on the structure of tuples themselves. For example, check
1027  * that non-pivot tuples have no truncated attributes.
1028  *
1029  * Furthermore, when state passed shows ShareLock held, function also checks:
1030  *
1031  * - That all child pages respect strict lower bound from parent's pivot
1032  * tuple.
1033  *
1034  * - That downlink to block was encountered in parent where that's expected.
1035  *
1036  * - That high keys of child pages matches corresponding pivot keys in parent.
1037  *
1038  * This is also where heapallindexed callers use their Bloom filter to
1039  * fingerprint IndexTuples for later table_index_build_scan() verification.
1040  *
1041  * Note: Memory allocated in this routine is expected to be released by caller
1042  * resetting state->targetcontext.
1043  */
1044 static void
1045 bt_target_page_check(BtreeCheckState *state)
1046 {
1047  OffsetNumber offset;
1048  OffsetNumber max;
1049  BTPageOpaque topaque;
1050 
1051  topaque = (BTPageOpaque) PageGetSpecialPointer(state->target);
1052  max = PageGetMaxOffsetNumber(state->target);
1053 
1054  elog(DEBUG2, "verifying %u items on %s block %u", max,
1055  P_ISLEAF(topaque) ? "leaf" : "internal", state->targetblock);
1056 
1057  /*
1058  * Check the number of attributes in high key. Note, rightmost page
1059  * doesn't contain a high key, so nothing to check
1060  */
1061  if (!P_RIGHTMOST(topaque))
1062  {
1063  ItemId itemid;
1064  IndexTuple itup;
1065 
1066  /* Verify line pointer before checking tuple */
1067  itemid = PageGetItemIdCareful(state, state->targetblock,
1068  state->target, P_HIKEY);
1069  if (!_bt_check_natts(state->rel, state->heapkeyspace, state->target,
1070  P_HIKEY))
1071  {
1072  itup = (IndexTuple) PageGetItem(state->target, itemid);
1073  ereport(ERROR,
1074  (errcode(ERRCODE_INDEX_CORRUPTED),
1075  errmsg("wrong number of high key index tuple attributes in index \"%s\"",
1076  RelationGetRelationName(state->rel)),
1077  errdetail_internal("Index block=%u natts=%u block type=%s page lsn=%X/%X.",
1078  state->targetblock,
1079  BTreeTupleGetNAtts(itup, state->rel),
1080  P_ISLEAF(topaque) ? "heap" : "index",
1081  LSN_FORMAT_ARGS(state->targetlsn))));
1082  }
1083  }
1084 
1085  /*
1086  * Loop over page items, starting from first non-highkey item, not high
1087  * key (if any). Most tests are not performed for the "negative infinity"
1088  * real item (if any).
1089  */
1090  for (offset = P_FIRSTDATAKEY(topaque);
1091  offset <= max;
1092  offset = OffsetNumberNext(offset))
1093  {
1094  ItemId itemid;
1095  IndexTuple itup;
1096  size_t tupsize;
1097  BTScanInsert skey;
1098  bool lowersizelimit;
1099  ItemPointer scantid;
1100 
1101  CHECK_FOR_INTERRUPTS();
1102 
1103  itemid = PageGetItemIdCareful(state, state->targetblock,
1104  state->target, offset);
1105  itup = (IndexTuple) PageGetItem(state->target, itemid);
1106  tupsize = IndexTupleSize(itup);
1107 
1108  /*
1109  * lp_len should match the IndexTuple reported length exactly, since
1110  * lp_len is completely redundant in indexes, and both sources of
1111  * tuple length are MAXALIGN()'d. nbtree does not use lp_len all that
1112  * frequently, and is surprisingly tolerant of corrupt lp_len fields.
1113  */
1114  if (tupsize != ItemIdGetLength(itemid))
1115  ereport(ERROR,
1116  (errcode(ERRCODE_INDEX_CORRUPTED),
1117  errmsg("index tuple size does not equal lp_len in index \"%s\"",
1118  RelationGetRelationName(state->rel)),
1119  errdetail_internal("Index tid=(%u,%u) tuple size=%zu lp_len=%u page lsn=%X/%X.",
1120  state->targetblock, offset,
1121  tupsize, ItemIdGetLength(itemid),
1122  LSN_FORMAT_ARGS(state->targetlsn)),
1123  errhint("This could be a torn page problem.")));
1124 
1125  /* Check the number of index tuple attributes */
1126  if (!_bt_check_natts(state->rel, state->heapkeyspace, state->target,
1127  offset))
1128  {
1129  ItemPointer tid;
1130  char *itid,
1131  *htid;
1132 
1133  itid = psprintf("(%u,%u)", state->targetblock, offset);
1134  tid = BTreeTupleGetPointsToTID(itup);
1135  htid = psprintf("(%u,%u)",
1136  ItemPointerGetBlockNumberNoCheck(tid),
1137  ItemPointerGetOffsetNumberNoCheck(tid));
1138 
1139  ereport(ERROR,
1140  (errcode(ERRCODE_INDEX_CORRUPTED),
1141  errmsg("wrong number of index tuple attributes in index \"%s\"",
1142  RelationGetRelationName(state->rel)),
1143  errdetail_internal("Index tid=%s natts=%u points to %s tid=%s page lsn=%X/%X.",
1144  itid,
1145  BTreeTupleGetNAtts(itup, state->rel),
1146  P_ISLEAF(topaque) ? "heap" : "index",
1147  htid,
1148  LSN_FORMAT_ARGS(state->targetlsn))));
1149  }
1150 
1151  /*
1152  * Don't try to generate scankey using "negative infinity" item on
1153  * internal pages. They are always truncated to zero attributes.
1154  */
1155  if (offset_is_negative_infinity(topaque, offset))
1156  {
1157  /*
1158  * We don't call bt_child_check() for "negative infinity" items.
1159  * But if we're performing downlink connectivity check, we do it
1160  * for every item including "negative infinity" one.
1161  */
1162  if (!P_ISLEAF(topaque) && state->readonly)
1163  {
1164  bt_child_highkey_check(state,
1165  offset,
1166  NULL,
1167  topaque->btpo_level);
1168  }
1169  continue;
1170  }
1171 
1172  /*
1173  * Readonly callers may optionally verify that non-pivot tuples can
1174  * each be found by an independent search that starts from the root.
1175  * Note that we deliberately don't do individual searches for each
1176  * TID, since the posting list itself is validated by other checks.
1177  */
1178  if (state->rootdescend && P_ISLEAF(topaque) &&
1179  !bt_rootdescend(state, itup))
1180  {
1181  ItemPointer tid = BTreeTupleGetPointsToTID(itup);
1182  char *itid,
1183  *htid;
1184 
1185  itid = psprintf("(%u,%u)", state->targetblock, offset);
1186  htid = psprintf("(%u,%u)", ItemPointerGetBlockNumber(tid),
1187  ItemPointerGetOffsetNumber(tid));
1188 
1189  ereport(ERROR,
1190  (errcode(ERRCODE_INDEX_CORRUPTED),
1191  errmsg("could not find tuple using search from root page in index \"%s\"",
1192  RelationGetRelationName(state->rel)),
1193  errdetail_internal("Index tid=%s points to heap tid=%s page lsn=%X/%X.",
1194  itid, htid,
1195  LSN_FORMAT_ARGS(state->targetlsn))));
1196  }
1197 
1198  /*
1199  * If tuple is a posting list tuple, make sure posting list TIDs are
1200  * in order
1201  */
1202  if (BTreeTupleIsPosting(itup))
1203  {
1204  ItemPointerData last;
1205  ItemPointer current;
1206 
1207  ItemPointerCopy(BTreeTupleGetHeapTID(itup), &last);
1208 
1209  for (int i = 1; i < BTreeTupleGetNPosting(itup); i++)
1210  {
1211 
1212  current = BTreeTupleGetPostingN(itup, i);
1213 
1214  if (ItemPointerCompare(current, &last) <= 0)
1215  {
1216  char *itid = psprintf("(%u,%u)", state->targetblock, offset);
1217 
1218  ereport(ERROR,
1219  (errcode(ERRCODE_INDEX_CORRUPTED),
1220  errmsg_internal("posting list contains misplaced TID in index \"%s\"",
1221  RelationGetRelationName(state->rel)),
1222  errdetail_internal("Index tid=%s posting list offset=%d page lsn=%X/%X.",
1223  itid, i,
1224  LSN_FORMAT_ARGS(state->targetlsn))));
1225  }
1226 
1227  ItemPointerCopy(current, &last);
1228  }
1229  }
1230 
1231  /* Build insertion scankey for current page offset */
1232  skey = bt_mkscankey_pivotsearch(state->rel, itup);
1233 
1234  /*
1235  * Make sure tuple size does not exceed the relevant BTREE_VERSION
1236  * specific limit.
1237  *
1238  * BTREE_VERSION 4 (which introduced heapkeyspace rules) requisitioned
1239  * a small amount of space from BTMaxItemSize() in order to ensure
1240  * that suffix truncation always has enough space to add an explicit
1241  * heap TID back to a tuple -- we pessimistically assume that every
1242  * newly inserted tuple will eventually need to have a heap TID
1243  * appended during a future leaf page split, when the tuple becomes
1244  * the basis of the new high key (pivot tuple) for the leaf page.
1245  *
1246  * Since the reclaimed space is reserved for that purpose, we must not
1247  * enforce the slightly lower limit when the extra space has been used
1248  * as intended. In other words, there is only a cross-version
1249  * difference in the limit on tuple size within leaf pages.
1250  *
1251  * Still, we're particular about the details within BTREE_VERSION 4
1252  * internal pages. Pivot tuples may only use the extra space for its
1253  * designated purpose. Enforce the lower limit for pivot tuples when
1254  * an explicit heap TID isn't actually present. (In all other cases
1255  * suffix truncation is guaranteed to generate a pivot tuple that's no
1256  * larger than the firstright tuple provided to it by its caller.)
1257  */
1258  lowersizelimit = skey->heapkeyspace &&
1259  (P_ISLEAF(topaque) || BTreeTupleGetHeapTID(itup) == NULL);
1260  if (tupsize > (lowersizelimit ? BTMaxItemSize(state->target) :
1261  BTMaxItemSizeNoHeapTid(state->target)))
1262  {
1263  ItemPointer tid = BTreeTupleGetPointsToTID(itup);
1264  char *itid,
1265  *htid;
1266 
1267  itid = psprintf("(%u,%u)", state->targetblock, offset);
1268  htid = psprintf("(%u,%u)",
1269  ItemPointerGetBlockNumberNoCheck(tid),
1270  ItemPointerGetOffsetNumberNoCheck(tid));
1271 
1272  ereport(ERROR,
1273  (errcode(ERRCODE_INDEX_CORRUPTED),
1274  errmsg("index row size %zu exceeds maximum for index \"%s\"",
1275  tupsize, RelationGetRelationName(state->rel)),
1276  errdetail_internal("Index tid=%s points to %s tid=%s page lsn=%X/%X.",
1277  itid,
1278  P_ISLEAF(topaque) ? "heap" : "index",
1279  htid,
1280  LSN_FORMAT_ARGS(state->targetlsn))));
1281  }
1282 
1283  /* Fingerprint leaf page tuples (those that point to the heap) */
1284  if (state->heapallindexed && P_ISLEAF(topaque) && !ItemIdIsDead(itemid))
1285  {
1286  IndexTuple norm;
1287 
1288  if (BTreeTupleIsPosting(itup))
1289  {
1290  /* Fingerprint all elements as distinct "plain" tuples */
1291  for (int i = 0; i < BTreeTupleGetNPosting(itup); i++)
1292  {
1293  IndexTuple logtuple;
1294 
1295  logtuple = bt_posting_plain_tuple(itup, i);
1296  norm = bt_normalize_tuple(state, logtuple);
1297  bloom_add_element(state->filter, (unsigned char *) norm,
1298  IndexTupleSize(norm));
1299  /* Be tidy */
1300  if (norm != logtuple)
1301  pfree(norm);
1302  pfree(logtuple);
1303  }
1304  }
1305  else
1306  {
1307  norm = bt_normalize_tuple(state, itup);
1308  bloom_add_element(state->filter, (unsigned char *) norm,
1309  IndexTupleSize(norm));
1310  /* Be tidy */
1311  if (norm != itup)
1312  pfree(norm);
1313  }
1314  }
1315 
1316  /*
1317  * * High key check *
1318  *
1319  * If there is a high key (if this is not the rightmost page on its
1320  * entire level), check that high key actually is upper bound on all
1321  * page items. If this is a posting list tuple, we'll need to set
1322  * scantid to be highest TID in posting list.
1323  *
1324  * We prefer to check all items against high key rather than checking
1325  * just the last and trusting that the operator class obeys the
1326  * transitive law (which implies that all previous items also
1327  * respected the high key invariant if they pass the item order
1328  * check).
1329  *
1330  * Ideally, we'd compare every item in the index against every other
1331  * item in the index, and not trust opclass obedience of the
1332  * transitive law to bridge the gap between children and their
1333  * grandparents (as well as great-grandparents, and so on). We don't
1334  * go to those lengths because that would be prohibitively expensive,
1335  * and probably not markedly more effective in practice.
1336  *
1337  * On the leaf level, we check that the key is <= the highkey.
1338  * However, on non-leaf levels we check that the key is < the highkey,
1339  * because the high key is "just another separator" rather than a copy
1340  * of some existing key item; we expect it to be unique among all keys
1341  * on the same level. (Suffix truncation will sometimes produce a
1342  * leaf highkey that is an untruncated copy of the lastleft item, but
1343  * never any other item, which necessitates weakening the leaf level
1344  * check to <=.)
1345  *
1346  * Full explanation for why a highkey is never truly a copy of another
1347  * item from the same level on internal levels:
1348  *
1349  * While the new left page's high key is copied from the first offset
1350  * on the right page during an internal page split, that's not the
1351  * full story. In effect, internal pages are split in the middle of
1352  * the firstright tuple, not between the would-be lastleft and
1353  * firstright tuples: the firstright key ends up on the left side as
1354  * left's new highkey, and the firstright downlink ends up on the
1355  * right side as right's new "negative infinity" item. The negative
1356  * infinity tuple is truncated to zero attributes, so we're only left
1357  * with the downlink. In other words, the copying is just an
1358  * implementation detail of splitting in the middle of a (pivot)
1359  * tuple. (See also: "Notes About Data Representation" in the nbtree
1360  * README.)
1361  */
1362  scantid = skey->scantid;
1363  if (state->heapkeyspace && BTreeTupleIsPosting(itup))
1364  skey->scantid = BTreeTupleGetMaxHeapTID(itup);
1365 
1366  if (!P_RIGHTMOST(topaque) &&
1367  !(P_ISLEAF(topaque) ? invariant_leq_offset(state, skey, P_HIKEY) :
1368  invariant_l_offset(state, skey, P_HIKEY)))
1369  {
1370  ItemPointer tid = BTreeTupleGetPointsToTID(itup);
1371  char *itid,
1372  *htid;
1373 
1374  itid = psprintf("(%u,%u)", state->targetblock, offset);
1375  htid = psprintf("(%u,%u)",
1376  ItemPointerGetBlockNumberNoCheck(tid),
1377  ItemPointerGetOffsetNumberNoCheck(tid));
1378 
1379  ereport(ERROR,
1380  (errcode(ERRCODE_INDEX_CORRUPTED),
1381  errmsg("high key invariant violated for index \"%s\"",
1382  RelationGetRelationName(state->rel)),
1383  errdetail_internal("Index tid=%s points to %s tid=%s page lsn=%X/%X.",
1384  itid,
1385  P_ISLEAF(topaque) ? "heap" : "index",
1386  htid,
1387  LSN_FORMAT_ARGS(state->targetlsn))));
1388  }
1389  /* Reset, in case scantid was set to (itup) posting tuple's max TID */
1390  skey->scantid = scantid;
1391 
1392  /*
1393  * * Item order check *
1394  *
1395  * Check that items are stored on page in logical order, by checking
1396  * current item is strictly less than next item (if any).
1397  */
1398  if (OffsetNumberNext(offset) <= max &&
1399  !invariant_l_offset(state, skey, OffsetNumberNext(offset)))
1400  {
1401  ItemPointer tid;
1402  char *itid,
1403  *htid,
1404  *nitid,
1405  *nhtid;
1406 
1407  itid = psprintf("(%u,%u)", state->targetblock, offset);
1408  tid = BTreeTupleGetPointsToTID(itup);
1409  htid = psprintf("(%u,%u)",
1410  ItemPointerGetBlockNumberNoCheck(tid),
1411  ItemPointerGetOffsetNumberNoCheck(tid));
1412  nitid = psprintf("(%u,%u)", state->targetblock,
1413  OffsetNumberNext(offset));
1414 
1415  /* Reuse itup to get pointed-to heap location of second item */
1416  itemid = PageGetItemIdCareful(state, state->targetblock,
1417  state->target,
1418  OffsetNumberNext(offset));
1419  itup = (IndexTuple) PageGetItem(state->target, itemid);
1420  tid = BTreeTupleGetPointsToTID(itup);
1421  nhtid = psprintf("(%u,%u)",
1422  ItemPointerGetBlockNumberNoCheck(tid),
1423  ItemPointerGetOffsetNumberNoCheck(tid));
1424 
1425  ereport(ERROR,
1426  (errcode(ERRCODE_INDEX_CORRUPTED),
1427  errmsg("item order invariant violated for index \"%s\"",
1428  RelationGetRelationName(state->rel)),
1429  errdetail_internal("Lower index tid=%s (points to %s tid=%s) "
1430  "higher index tid=%s (points to %s tid=%s) "
1431  "page lsn=%X/%X.",
1432  itid,
1433  P_ISLEAF(topaque) ? "heap" : "index",
1434  htid,
1435  nitid,
1436  P_ISLEAF(topaque) ? "heap" : "index",
1437  nhtid,
1438  LSN_FORMAT_ARGS(state->targetlsn))));
1439  }
1440 
1441  /*
1442  * * Last item check *
1443  *
1444  * Check last item against next/right page's first data item's when
1445  * last item on page is reached. This additional check will detect
1446  * transposed pages iff the supposed right sibling page happens to
1447  * belong before target in the key space. (Otherwise, a subsequent
1448  * heap verification will probably detect the problem.)
1449  *
1450  * This check is similar to the item order check that will have
1451  * already been performed for every other "real" item on target page
1452  * when last item is checked. The difference is that the next item
1453  * (the item that is compared to target's last item) needs to come
1454  * from the next/sibling page. There may not be such an item
1455  * available from sibling for various reasons, though (e.g., target is
1456  * the rightmost page on level).
1457  */
1458  else if (offset == max)
1459  {
1460  BTScanInsert rightkey;
1461 
1462  /* Get item in next/right page */
1463  rightkey = bt_right_page_check_scankey(state);
1464 
1465  if (rightkey &&
1466  !invariant_g_offset(state, rightkey, max))
1467  {
1468  /*
1469  * As explained at length in bt_right_page_check_scankey(),
1470  * there is a known !readonly race that could account for
1471  * apparent violation of invariant, which we must check for
1472  * before actually proceeding with raising error. Our canary
1473  * condition is that target page was deleted.
1474  */
1475  if (!state->readonly)
1476  {
1477  /* Get fresh copy of target page */
1478  state->target = palloc_btree_page(state, state->targetblock);
1479  /* Note that we deliberately do not update target LSN */
1480  topaque = (BTPageOpaque) PageGetSpecialPointer(state->target);
1481 
1482  /*
1483  * All !readonly checks now performed; just return
1484  */
1485  if (P_IGNORE(topaque))
1486  return;
1487  }
1488 
1489  ereport(ERROR,
1490  (errcode(ERRCODE_INDEX_CORRUPTED),
1491  errmsg("cross page item order invariant violated for index \"%s\"",
1492  RelationGetRelationName(state->rel)),
1493  errdetail_internal("Last item on page tid=(%u,%u) page lsn=%X/%X.",
1494  state->targetblock, offset,
1495  LSN_FORMAT_ARGS(state->targetlsn))));
1496  }
1497  }
1498 
1499  /*
1500  * * Downlink check *
1501  *
1502  * Additional check of child items iff this is an internal page and
1503  * caller holds a ShareLock. This happens for every downlink (item)
1504  * in target excluding the negative-infinity downlink (again, this is
1505  * because it has no useful value to compare).
1506  */
1507  if (!P_ISLEAF(topaque) && state->readonly)
1508  bt_child_check(state, skey, offset);
1509  }
1510 
1511  /*
1512  * Special case bt_child_highkey_check() call
1513  *
1514  * We don't pass an real downlink, but we've to finish the level
1515  * processing. If condition is satisfied, we've already processed all the
1516  * downlinks from the target level. But there still might be pages to the
1517  * right of the child page pointer to by our rightmost downlink. And they
1518  * might have missing downlinks. This final call checks for them.
1519  */
1520  if (!P_ISLEAF(topaque) && P_RIGHTMOST(topaque) && state->readonly)
1521  {
1522  bt_child_highkey_check(state, InvalidOffsetNumber,
1523  NULL, topaque->btpo_level);
1524  }
1525 }
1526 
1527 /*
1528  * Return a scankey for an item on page to right of current target (or the
1529  * first non-ignorable page), sufficient to check ordering invariant on last
1530  * item in current target page. Returned scankey relies on local memory
1531  * allocated for the child page, which caller cannot pfree(). Caller's memory
1532  * context should be reset between calls here.
1533  *
1534  * This is the first data item, and so all adjacent items are checked against
1535  * their immediate sibling item (which may be on a sibling page, or even a
1536  * "cousin" page at parent boundaries where target's rightlink points to page
1537  * with different parent page). If no such valid item is available, return
1538  * NULL instead.
1539  *
1540  * Note that !readonly callers must reverify that target page has not
1541  * been concurrently deleted.
1542  */
1543 static BTScanInsert
1544 bt_right_page_check_scankey(BtreeCheckState *state)
1545 {
1546  BTPageOpaque opaque;
1547  ItemId rightitem;
1548  IndexTuple firstitup;
1549  BlockNumber targetnext;
1550  Page rightpage;
1551  OffsetNumber nline;
1552 
1553  /* Determine target's next block number */
1554  opaque = (BTPageOpaque) PageGetSpecialPointer(state->target);
1555 
1556  /* If target is already rightmost, no right sibling; nothing to do here */
1557  if (P_RIGHTMOST(opaque))
1558  return NULL;
1559 
1560  /*
1561  * General notes on concurrent page splits and page deletion:
1562  *
1563  * Routines like _bt_search() don't require *any* page split interlock
1564  * when descending the tree, including something very light like a buffer
1565  * pin. That's why it's okay that we don't either. This avoidance of any
1566  * need to "couple" buffer locks is the raison d' etre of the Lehman & Yao
1567  * algorithm, in fact.
1568  *
1569  * That leaves deletion. A deleted page won't actually be recycled by
1570  * VACUUM early enough for us to fail to at least follow its right link
1571  * (or left link, or downlink) and find its sibling, because recycling
1572  * does not occur until no possible index scan could land on the page.
1573  * Index scans can follow links with nothing more than their snapshot as
1574  * an interlock and be sure of at least that much. (See page
1575  * recycling/"visible to everyone" notes in nbtree README.)
1576  *
1577  * Furthermore, it's okay if we follow a rightlink and find a half-dead or
1578  * dead (ignorable) page one or more times. There will either be a
1579  * further right link to follow that leads to a live page before too long
1580  * (before passing by parent's rightmost child), or we will find the end
1581  * of the entire level instead (possible when parent page is itself the
1582  * rightmost on its level).
1583  */
1584  targetnext = opaque->btpo_next;
1585  for (;;)
1586  {
1587  CHECK_FOR_INTERRUPTS();
1588 
1589  rightpage = palloc_btree_page(state, targetnext);
1590  opaque = (BTPageOpaque) PageGetSpecialPointer(rightpage);
1591 
1592  if (!P_IGNORE(opaque) || P_RIGHTMOST(opaque))
1593  break;
1594 
1595  /*
1596  * We landed on a deleted or half-dead sibling page. Step right until
1597  * we locate a live sibling page.
1598  */
1599  ereport(DEBUG2,
1600  (errcode(ERRCODE_NO_DATA),
1601  errmsg_internal("level %u sibling page in block %u of index \"%s\" was found deleted or half dead",
1602  opaque->btpo_level, targetnext, RelationGetRelationName(state->rel)),
1603  errdetail_internal("Deleted page found when building scankey from right sibling.")));
1604 
1605  targetnext = opaque->btpo_next;
1606 
1607  /* Be slightly more pro-active in freeing this memory, just in case */
1608  pfree(rightpage);
1609  }
1610 
1611  /*
1612  * No ShareLock held case -- why it's safe to proceed.
1613  *
1614  * Problem:
1615  *
1616  * We must avoid false positive reports of corruption when caller treats
1617  * item returned here as an upper bound on target's last item. In
1618  * general, false positives are disallowed. Avoiding them here when
1619  * caller is !readonly is subtle.
1620  *
1621  * A concurrent page deletion by VACUUM of the target page can result in
1622  * the insertion of items on to this right sibling page that would
1623  * previously have been inserted on our target page. There might have
1624  * been insertions that followed the target's downlink after it was made
1625  * to point to right sibling instead of target by page deletion's first
1626  * phase. The inserters insert items that would belong on target page.
1627  * This race is very tight, but it's possible. This is our only problem.
1628  *
1629  * Non-problems:
1630  *
1631  * We are not hindered by a concurrent page split of the target; we'll
1632  * never land on the second half of the page anyway. A concurrent split
1633  * of the right page will also not matter, because the first data item
1634  * remains the same within the left half, which we'll reliably land on. If
1635  * we had to skip over ignorable/deleted pages, it cannot matter because
1636  * their key space has already been atomically merged with the first
1637  * non-ignorable page we eventually find (doesn't matter whether the page
1638  * we eventually find is a true sibling or a cousin of target, which we go
1639  * into below).
1640  *
1641  * Solution:
1642  *
1643  * Caller knows that it should reverify that target is not ignorable
1644  * (half-dead or deleted) when cross-page sibling item comparison appears
1645  * to indicate corruption (invariant fails). This detects the single race
1646  * condition that exists for caller. This is correct because the
1647  * continued existence of target block as non-ignorable (not half-dead or
1648  * deleted) implies that target page was not merged into from the right by
1649  * deletion; the key space at or after target never moved left. Target's
1650  * parent either has the same downlink to target as before, or a <
1651  * downlink due to deletion at the left of target. Target either has the
1652  * same highkey as before, or a highkey < before when there is a page
1653  * split. (The rightmost concurrently-split-from-target-page page will
1654  * still have the same highkey as target was originally found to have,
1655  * which for our purposes is equivalent to target's highkey itself never
1656  * changing, since we reliably skip over
1657  * concurrently-split-from-target-page pages.)
1658  *
1659  * In simpler terms, we allow that the key space of the target may expand
1660  * left (the key space can move left on the left side of target only), but
1661  * the target key space cannot expand right and get ahead of us without
1662  * our detecting it. The key space of the target cannot shrink, unless it
1663  * shrinks to zero due to the deletion of the original page, our canary
1664  * condition. (To be very precise, we're a bit stricter than that because
1665  * it might just have been that the target page split and only the
1666  * original target page was deleted. We can be more strict, just not more
1667  * lax.)
1668  *
1669  * Top level tree walk caller moves on to next page (makes it the new
1670  * target) following recovery from this race. (cf. The rationale for
1671  * child/downlink verification needing a ShareLock within
1672  * bt_child_check(), where page deletion is also the main source of
1673  * trouble.)
1674  *
1675  * Note that it doesn't matter if right sibling page here is actually a
1676  * cousin page, because in order for the key space to be readjusted in a
1677  * way that causes us issues in next level up (guiding problematic
1678  * concurrent insertions to the cousin from the grandparent rather than to
1679  * the sibling from the parent), there'd have to be page deletion of
1680  * target's parent page (affecting target's parent's downlink in target's
1681  * grandparent page). Internal page deletion only occurs when there are
1682  * no child pages (they were all fully deleted), and caller is checking
1683  * that the target's parent has at least one non-deleted (so
1684  * non-ignorable) child: the target page. (Note that the first phase of
1685  * deletion atomically marks the page to be deleted half-dead/ignorable at
1686  * the same time downlink in its parent is removed, so caller will
1687  * definitely not fail to detect that this happened.)
1688  *
1689  * This trick is inspired by the method backward scans use for dealing
1690  * with concurrent page splits; concurrent page deletion is a problem that
1691  * similarly receives special consideration sometimes (it's possible that
1692  * the backwards scan will re-read its "original" block after failing to
1693  * find a right-link to it, having already moved in the opposite direction
1694  * (right/"forwards") a few times to try to locate one). Just like us,
1695  * that happens only to determine if there was a concurrent page deletion
1696  * of a reference page, and just like us if there was a page deletion of
1697  * that reference page it means we can move on from caring about the
1698  * reference page. See the nbtree README for a full description of how
1699  * that works.
1700  */
1701  nline = PageGetMaxOffsetNumber(rightpage);
1702 
1703  /*
1704  * Get first data item, if any
1705  */
1706  if (P_ISLEAF(opaque) && nline >= P_FIRSTDATAKEY(opaque))
1707  {
1708  /* Return first data item (if any) */
1709  rightitem = PageGetItemIdCareful(state, targetnext, rightpage,
1710  P_FIRSTDATAKEY(opaque));
1711  }
1712  else if (!P_ISLEAF(opaque) &&
1713  nline >= OffsetNumberNext(P_FIRSTDATAKEY(opaque)))
1714  {
1715  /*
1716  * Return first item after the internal page's "negative infinity"
1717  * item
1718  */
1719  rightitem = PageGetItemIdCareful(state, targetnext, rightpage,
1720  OffsetNumberNext(P_FIRSTDATAKEY(opaque)));
1721  }
1722  else
1723  {
1724  /*
1725  * No first item. Page is probably empty leaf page, but it's also
1726  * possible that it's an internal page with only a negative infinity
1727  * item.
1728  */
1729  ereport(DEBUG2,
1730  (errcode(ERRCODE_NO_DATA),
1731  errmsg_internal("%s block %u of index \"%s\" has no first data item",
1732  P_ISLEAF(opaque) ? "leaf" : "internal", targetnext,
1733  RelationGetRelationName(state->rel))));
1734  return NULL;
1735  }
1736 
1737  /*
1738  * Return first real item scankey. Note that this relies on right page
1739  * memory remaining allocated.
1740  */
1741  firstitup = (IndexTuple) PageGetItem(rightpage, rightitem);
1742  return bt_mkscankey_pivotsearch(state->rel, firstitup);
1743 }
1744 
1745 /*
1746  * Check if two tuples are binary identical except the block number. So,
1747  * this function is capable to compare pivot keys on different levels.
1748  */
1749 static bool
1750 bt_pivot_tuple_identical(bool heapkeyspace, IndexTuple itup1, IndexTuple itup2)
1751 {
1752  if (IndexTupleSize(itup1) != IndexTupleSize(itup2))
1753  return false;
1754 
1755  if (heapkeyspace)
1756  {
1757  /*
1758  * Offset number will contain important information in heapkeyspace
1759  * indexes: the number of attributes left in the pivot tuple following
1760  * suffix truncation. Don't skip over it (compare it too).
1761  */
1762  if (memcmp(&itup1->t_tid.ip_posid, &itup2->t_tid.ip_posid,
1763  IndexTupleSize(itup1) -
1764  offsetof(ItemPointerData, ip_posid)) != 0)
1765  return false;
1766  }
1767  else
1768  {
1769  /*
1770  * Cannot rely on offset number field having consistent value across
1771  * levels on pg_upgrade'd !heapkeyspace indexes. Compare contents of
1772  * tuple starting from just after item pointer (i.e. after block
1773  * number and offset number).
1774  */
1775  if (memcmp(&itup1->t_info, &itup2->t_info,
1776  IndexTupleSize(itup1) -
1777  offsetof(IndexTupleData, t_info)) != 0)
1778  return false;
1779  }
1780 
1781  return true;
1782 }
1783 
1784 /*---
1785  * Check high keys on the child level. Traverse rightlinks from previous
1786  * downlink to the current one. Check that there are no intermediate pages
1787  * with missing downlinks.
1788  *
1789  * If 'loaded_child' is given, it's assumed to be the page pointed to by the
1790  * downlink referenced by 'downlinkoffnum' of the target page.
1791  *
1792  * Basically this function is called for each target downlink and checks two
1793  * invariants:
1794  *
1795  * 1) You can reach the next child from previous one via rightlinks;
1796  * 2) Each child high key have matching pivot key on target level.
1797  *
1798  * Consider the sample tree picture.
1799  *
1800  * 1
1801  * / \
1802  * 2 <-> 3
1803  * / \ / \
1804  * 4 <> 5 <> 6 <> 7 <> 8
1805  *
1806  * This function will be called for blocks 4, 5, 6 and 8. Consider what is
1807  * happening for each function call.
1808  *
1809  * - The function call for block 4 initializes data structure and matches high
1810  * key of block 4 to downlink's pivot key of block 2.
1811  * - The high key of block 5 is matched to the high key of block 2.
1812  * - The block 6 has an incomplete split flag set, so its high key isn't
1813  * matched to anything.
1814  * - The function call for block 8 checks that block 8 can be found while
1815  * following rightlinks from block 6. The high key of block 7 will be
1816  * matched to downlink's pivot key in block 3.
1817  *
1818  * There is also final call of this function, which checks that there is no
1819  * missing downlinks for children to the right of the child referenced by
1820  * rightmost downlink in target level.
1821  */
1822 static void
1823 bt_child_highkey_check(BtreeCheckState *state,
1824  OffsetNumber target_downlinkoffnum,
1825  Page loaded_child,
1826  uint32 target_level)
1827 {
1828  BlockNumber blkno = state->prevrightlink;
1829  Page page;
1830  BTPageOpaque opaque;
1831  bool rightsplit = state->previncompletesplit;
1832  bool first = true;
1833  ItemId itemid;
1834  IndexTuple itup;
1835  BlockNumber downlink;
1836 
1837  if (OffsetNumberIsValid(target_downlinkoffnum))
1838  {
1839  itemid = PageGetItemIdCareful(state, state->targetblock,
1840  state->target, target_downlinkoffnum);
1841  itup = (IndexTuple) PageGetItem(state->target, itemid);
1842  downlink = BTreeTupleGetDownLink(itup);
1843  }
1844  else
1845  {
1846  downlink = P_NONE;
1847  }
1848 
1849  /*
1850  * If no previous rightlink is memorized for current level just below
1851  * target page's level, we are about to start from the leftmost page. We
1852  * can't follow rightlinks from previous page, because there is no
1853  * previous page. But we still can match high key.
1854  *
1855  * So we initialize variables for the loop above like there is previous
1856  * page referencing current child. Also we imply previous page to not
1857  * have incomplete split flag, that would make us require downlink for
1858  * current child. That's correct, because leftmost page on the level
1859  * should always have parent downlink.
1860  */
1861  if (!BlockNumberIsValid(blkno))
1862  {
1863  blkno = downlink;
1864  rightsplit = false;
1865  }
1866 
1867  /* Move to the right on the child level */
1868  while (true)
1869  {
1870  /*
1871  * Did we traverse the whole tree level and this is check for pages to
1872  * the right of rightmost downlink?
1873  */
1874  if (blkno == P_NONE && downlink == P_NONE)
1875  {
1876  state->prevrightlink = InvalidBlockNumber;
1877  state->previncompletesplit = false;
1878  return;
1879  }
1880 
1881  /* Did we traverse the whole tree level and don't find next downlink? */
1882  if (blkno == P_NONE)
1883  ereport(ERROR,
1884  (errcode(ERRCODE_INDEX_CORRUPTED),
1885  errmsg("can't traverse from downlink %u to downlink %u of index \"%s\"",
1886  state->prevrightlink, downlink,
1887  RelationGetRelationName(state->rel))));
1888 
1889  /* Load page contents */
1890  if (blkno == downlink && loaded_child)
1891  page = loaded_child;
1892  else
1893  page = palloc_btree_page(state, blkno);
1894 
1895  opaque = (BTPageOpaque) PageGetSpecialPointer(page);
1896 
1897  /* The first page we visit at the level should be leftmost */
1898  if (first && !BlockNumberIsValid(state->prevrightlink) && !P_LEFTMOST(opaque))
1899  ereport(ERROR,
1900  (errcode(ERRCODE_INDEX_CORRUPTED),
1901  errmsg("the first child of leftmost target page is not leftmost of its level in index \"%s\"",
1902  RelationGetRelationName(state->rel)),
1903  errdetail_internal("Target block=%u child block=%u target page lsn=%X/%X.",
1904  state->targetblock, blkno,
1905  LSN_FORMAT_ARGS(state->targetlsn))));
1906 
1907  /* Do level sanity check */
1908  if ((!P_ISDELETED(opaque) || P_HAS_FULLXID(opaque)) &&
1909  opaque->btpo_level != target_level - 1)
1910  ereport(ERROR,
1911  (errcode(ERRCODE_INDEX_CORRUPTED),
1912  errmsg("block found while following rightlinks from child of index \"%s\" has invalid level",
1913  RelationGetRelationName(state->rel)),
1914  errdetail_internal("Block pointed to=%u expected level=%u level in pointed to block=%u.",
1915  blkno, target_level - 1, opaque->btpo_level)));
1916 
1917  /* Try to detect circular links */
1918  if ((!first && blkno == state->prevrightlink) || blkno == opaque->btpo_prev)
1919  ereport(ERROR,
1920  (errcode(ERRCODE_INDEX_CORRUPTED),
1921  errmsg("circular link chain found in block %u of index \"%s\"",
1922  blkno, RelationGetRelationName(state->rel))));
1923 
1924  if (blkno != downlink && !P_IGNORE(opaque))
1925  {
1926  /* blkno probably has missing parent downlink */
1927  bt_downlink_missing_check(state, rightsplit, blkno, page);
1928  }
1929 
1930  rightsplit = P_INCOMPLETE_SPLIT(opaque);
1931 
1932  /*
1933  * If we visit page with high key, check that it is equal to the
1934  * target key next to corresponding downlink.
1935  */
1936  if (!rightsplit && !P_RIGHTMOST(opaque))
1937  {
1938  BTPageOpaque topaque;
1939  IndexTuple highkey;
1940  OffsetNumber pivotkey_offset;
1941 
1942  /* Get high key */
1943  itemid = PageGetItemIdCareful(state, blkno, page, P_HIKEY);
1944  highkey = (IndexTuple) PageGetItem(page, itemid);
1945 
1946  /*
1947  * There might be two situations when we examine high key. If
1948  * current child page is referenced by given target downlink, we
1949  * should look to the next offset number for matching key from
1950  * target page.
1951  *
1952  * Alternatively, we're following rightlinks somewhere in the
1953  * middle between page referenced by previous target's downlink
1954  * and the page referenced by current target's downlink. If
1955  * current child page hasn't incomplete split flag set, then its
1956  * high key should match to the target's key of current offset
1957  * number. This happens when a previous call here (to
1958  * bt_child_highkey_check()) found an incomplete split, and we
1959  * reach a right sibling page without a downlink -- the right
1960  * sibling page's high key still needs to be matched to a
1961  * separator key on the parent/target level.
1962  *
1963  * Don't apply OffsetNumberNext() to target_downlinkoffnum when we
1964  * already had to step right on the child level. Our traversal of
1965  * the child level must try to move in perfect lockstep behind (to
1966  * the left of) the target/parent level traversal.
1967  */
1968  if (blkno == downlink)
1969  pivotkey_offset = OffsetNumberNext(target_downlinkoffnum);
1970  else
1971  pivotkey_offset = target_downlinkoffnum;
1972 
1973  topaque = (BTPageOpaque) PageGetSpecialPointer(state->target);
1974 
1975  if (!offset_is_negative_infinity(topaque, pivotkey_offset))
1976  {
1977  /*
1978  * If we're looking for the next pivot tuple in target page,
1979  * but there is no more pivot tuples, then we should match to
1980  * high key instead.
1981  */
1982  if (pivotkey_offset > PageGetMaxOffsetNumber(state->target))
1983  {
1984  if (P_RIGHTMOST(topaque))
1985  ereport(ERROR,
1986  (errcode(ERRCODE_INDEX_CORRUPTED),
1987  errmsg("child high key is greater than rightmost pivot key on target level in index \"%s\"",
1988  RelationGetRelationName(state->rel)),
1989  errdetail_internal("Target block=%u child block=%u target page lsn=%X/%X.",
1990  state->targetblock, blkno,
1991  LSN_FORMAT_ARGS(state->targetlsn))));
1992  pivotkey_offset = P_HIKEY;
1993  }
1994  itemid = PageGetItemIdCareful(state, state->targetblock,
1995  state->target, pivotkey_offset);
1996  itup = (IndexTuple) PageGetItem(state->target, itemid);
1997  }
1998  else
1999  {
2000  /*
2001  * We cannot try to match child's high key to a negative
2002  * infinity key in target, since there is nothing to compare.
2003  * However, it's still possible to match child's high key
2004  * outside of target page. The reason why we're are is that
2005  * bt_child_highkey_check() was previously called for the
2006  * cousin page of 'loaded_child', which is incomplete split.
2007  * So, now we traverse to the right of that cousin page and
2008  * current child level page under consideration still belongs
2009  * to the subtree of target's left sibling. Thus, we need to
2010  * match child's high key to it's left uncle page high key.
2011  * Thankfully we saved it, it's called a "low key" of target
2012  * page.
2013  */
2014  if (!state->lowkey)
2015  ereport(ERROR,
2016  (errcode(ERRCODE_INDEX_CORRUPTED),
2017  errmsg("can't find left sibling high key in index \"%s\"",
2018  RelationGetRelationName(state->rel)),
2019  errdetail_internal("Target block=%u child block=%u target page lsn=%X/%X.",
2020  state->targetblock, blkno,
2021  LSN_FORMAT_ARGS(state->targetlsn))));
2022  itup = state->lowkey;
2023  }
2024 
2025  if (!bt_pivot_tuple_identical(state->heapkeyspace, highkey, itup))
2026  {
2027  ereport(ERROR,
2028  (errcode(ERRCODE_INDEX_CORRUPTED),
2029  errmsg("mismatch between parent key and child high key in index \"%s\"",
2030  RelationGetRelationName(state->rel)),
2031  errdetail_internal("Target block=%u child block=%u target page lsn=%X/%X.",
2032  state->targetblock, blkno,
2033  LSN_FORMAT_ARGS(state->targetlsn))));
2034  }
2035  }
2036 
2037  /* Exit if we already found next downlink */
2038  if (blkno == downlink)
2039  {
2040  state->prevrightlink = opaque->btpo_next;
2041  state->previncompletesplit = rightsplit;
2042  return;
2043  }
2044 
2045  /* Traverse to the next page using rightlink */
2046  blkno = opaque->btpo_next;
2047 
2048  /* Free page contents if it's allocated by us */
2049  if (page != loaded_child)
2050  pfree(page);
2051  first = false;
2052  }
2053 }
2054 
2055 /*
2056  * Checks one of target's downlink against its child page.
2057  *
2058  * Conceptually, the target page continues to be what is checked here. The
2059  * target block is still blamed in the event of finding an invariant violation.
2060  * The downlink insertion into the target is probably where any problem raised
2061  * here arises, and there is no such thing as a parent link, so doing the
2062  * verification this way around is much more practical.
2063  *
2064  * This function visits child page and it's sequentially called for each
2065  * downlink of target page. Assuming this we also check downlink connectivity
2066  * here in order to save child page visits.
2067  */
2068 static void
2069 bt_child_check(BtreeCheckState *state, BTScanInsert targetkey,
2070  OffsetNumber downlinkoffnum)
2071 {
2072  ItemId itemid;
2073  IndexTuple itup;
2074  BlockNumber childblock;
2075  OffsetNumber offset;
2076  OffsetNumber maxoffset;
2077  Page child;
2078  BTPageOpaque copaque;
2079  BTPageOpaque topaque;
2080 
2081  itemid = PageGetItemIdCareful(state, state->targetblock,
2082  state->target, downlinkoffnum);
2083  itup = (IndexTuple) PageGetItem(state->target, itemid);
2084  childblock = BTreeTupleGetDownLink(itup);
2085 
2086  /*
2087  * Caller must have ShareLock on target relation, because of
2088  * considerations around page deletion by VACUUM.
2089  *
2090  * NB: In general, page deletion deletes the right sibling's downlink, not
2091  * the downlink of the page being deleted; the deleted page's downlink is
2092  * reused for its sibling. The key space is thereby consolidated between
2093  * the deleted page and its right sibling. (We cannot delete a parent
2094  * page's rightmost child unless it is the last child page, and we intend
2095  * to also delete the parent itself.)
2096  *
2097  * If this verification happened without a ShareLock, the following race
2098  * condition could cause false positives:
2099  *
2100  * In general, concurrent page deletion might occur, including deletion of
2101  * the left sibling of the child page that is examined here. If such a
2102  * page deletion were to occur, closely followed by an insertion into the
2103  * newly expanded key space of the child, a window for the false positive
2104  * opens up: the stale parent/target downlink originally followed to get
2105  * to the child legitimately ceases to be a lower bound on all items in
2106  * the page, since the key space was concurrently expanded "left".
2107  * (Insertion followed the "new" downlink for the child, not our now-stale
2108  * downlink, which was concurrently physically removed in target/parent as
2109  * part of deletion's first phase.)
2110  *
2111  * While we use various techniques elsewhere to perform cross-page
2112  * verification for !readonly callers, a similar trick seems difficult
2113  * here. The tricks used by bt_recheck_sibling_links and by
2114  * bt_right_page_check_scankey both involve verification of a same-level,
2115  * cross-sibling invariant. Cross-level invariants are far more squishy,
2116  * though. The nbtree REDO routines do not actually couple buffer locks
2117  * across levels during page splits, so making any cross-level check work
2118  * reliably in !readonly mode may be impossible.
2119  */
2120  Assert(state->readonly);
2121 
2122  /*
2123  * Verify child page has the downlink key from target page (its parent) as
2124  * a lower bound; downlink must be strictly less than all keys on the
2125  * page.
2126  *
2127  * Check all items, rather than checking just the first and trusting that
2128  * the operator class obeys the transitive law.
2129  */
2130  topaque = (BTPageOpaque) PageGetSpecialPointer(state->target);
2131  child = palloc_btree_page(state, childblock);
2132  copaque = (BTPageOpaque) PageGetSpecialPointer(child);
2133  maxoffset = PageGetMaxOffsetNumber(child);
2134 
2135  /*
2136  * Since we've already loaded the child block, combine this check with
2137  * check for downlink connectivity.
2138  */
2139  bt_child_highkey_check(state, downlinkoffnum,
2140  child, topaque->btpo_level);
2141 
2142  /*
2143  * Since there cannot be a concurrent VACUUM operation in readonly mode,
2144  * and since a page has no links within other pages (siblings and parent)
2145  * once it is marked fully deleted, it should be impossible to land on a
2146  * fully deleted page.
2147  *
2148  * It does not quite make sense to enforce that the page cannot even be
2149  * half-dead, despite the fact the downlink is modified at the same stage
2150  * that the child leaf page is marked half-dead. That's incorrect because
2151  * there may occasionally be multiple downlinks from a chain of pages
2152  * undergoing deletion, where multiple successive calls are made to
2153  * _bt_unlink_halfdead_page() by VACUUM before it can finally safely mark
2154  * the leaf page as fully dead. While _bt_mark_page_halfdead() usually
2155  * removes the downlink to the leaf page that is marked half-dead, that's
2156  * not guaranteed, so it's possible we'll land on a half-dead page with a
2157  * downlink due to an interrupted multi-level page deletion.
2158  *
2159  * We go ahead with our checks if the child page is half-dead. It's safe
2160  * to do so because we do not test the child's high key, so it does not
2161  * matter that the original high key will have been replaced by a dummy
2162  * truncated high key within _bt_mark_page_halfdead(). All other page
2163  * items are left intact on a half-dead page, so there is still something
2164  * to test.
2165  */
2166  if (P_ISDELETED(copaque))
2167  ereport(ERROR,
2168  (errcode(ERRCODE_INDEX_CORRUPTED),
2169  errmsg("downlink to deleted page found in index \"%s\"",
2170  RelationGetRelationName(state->rel)),
2171  errdetail_internal("Parent block=%u child block=%u parent page lsn=%X/%X.",
2172  state->targetblock, childblock,
2173  LSN_FORMAT_ARGS(state->targetlsn))));
2174 
2175  for (offset = P_FIRSTDATAKEY(copaque);
2176  offset <= maxoffset;
2177  offset = OffsetNumberNext(offset))
2178  {
2179  /*
2180  * Skip comparison of target page key against "negative infinity"
2181  * item, if any. Checking it would indicate that it's not a strict
2182  * lower bound, but that's only because of the hard-coding for
2183  * negative infinity items within _bt_compare().
2184  *
2185  * If nbtree didn't truncate negative infinity tuples during internal
2186  * page splits then we'd expect child's negative infinity key to be
2187  * equal to the scankey/downlink from target/parent (it would be a
2188  * "low key" in this hypothetical scenario, and so it would still need
2189  * to be treated as a special case here).
2190  *
2191  * Negative infinity items can be thought of as a strict lower bound
2192  * that works transitively, with the last non-negative-infinity pivot
2193  * followed during a descent from the root as its "true" strict lower
2194  * bound. Only a small number of negative infinity items are truly
2195  * negative infinity; those that are the first items of leftmost
2196  * internal pages. In more general terms, a negative infinity item is
2197  * only negative infinity with respect to the subtree that the page is
2198  * at the root of.
2199  *
2200  * See also: bt_rootdescend(), which can even detect transitive
2201  * inconsistencies on cousin leaf pages.
2202  */
2203  if (offset_is_negative_infinity(copaque, offset))
2204  continue;
2205 
2206  if (!invariant_l_nontarget_offset(state, targetkey, childblock, child,
2207  offset))
2208  ereport(ERROR,
2209  (errcode(ERRCODE_INDEX_CORRUPTED),
2210  errmsg("down-link lower bound invariant violated for index \"%s\"",
2211  RelationGetRelationName(state->rel)),
2212  errdetail_internal("Parent block=%u child index tid=(%u,%u) parent page lsn=%X/%X.",
2213  state->targetblock, childblock, offset,
2214  LSN_FORMAT_ARGS(state->targetlsn))));
2215  }
2216 
2217  pfree(child);
2218 }
2219 
2220 /*
2221  * Checks if page is missing a downlink that it should have.
2222  *
2223  * A page that lacks a downlink/parent may indicate corruption. However, we
2224  * must account for the fact that a missing downlink can occasionally be
2225  * encountered in a non-corrupt index. This can be due to an interrupted page
2226  * split, or an interrupted multi-level page deletion (i.e. there was a hard
2227  * crash or an error during a page split, or while VACUUM was deleting a
2228  * multi-level chain of pages).
2229  *
2230  * Note that this can only be called in readonly mode, so there is no need to
2231  * be concerned about concurrent page splits or page deletions.
2232  */
2233 static void
2234 bt_downlink_missing_check(BtreeCheckState *state, bool rightsplit,
2235  BlockNumber blkno, Page page)
2236 {
2237  BTPageOpaque opaque = (BTPageOpaque) PageGetSpecialPointer(page);
2238  ItemId itemid;
2239  IndexTuple itup;
2240  Page child;
2241  BTPageOpaque copaque;
2242  uint32 level;
2243  BlockNumber childblk;
2244  XLogRecPtr pagelsn;
2245 
2246  Assert(state->readonly);
2247  Assert(!P_IGNORE(opaque));
2248 
2249  /* No next level up with downlinks to fingerprint from the true root */
2250  if (P_ISROOT(opaque))
2251  return;
2252 
2253  pagelsn = PageGetLSN(page);
2254 
2255  /*
2256  * Incomplete (interrupted) page splits can account for the lack of a
2257  * downlink. Some inserting transaction should eventually complete the
2258  * page split in passing, when it notices that the left sibling page is
2259  * P_INCOMPLETE_SPLIT().
2260  *
2261  * In general, VACUUM is not prepared for there to be no downlink to a
2262  * page that it deletes. This is the main reason why the lack of a
2263  * downlink can be reported as corruption here. It's not obvious that an
2264  * invalid missing downlink can result in wrong answers to queries,
2265  * though, since index scans that land on the child may end up
2266  * consistently moving right. The handling of concurrent page splits (and
2267  * page deletions) within _bt_moveright() cannot distinguish
2268  * inconsistencies that last for a moment from inconsistencies that are
2269  * permanent and irrecoverable.
2270  *
2271  * VACUUM isn't even prepared to delete pages that have no downlink due to
2272  * an incomplete page split, but it can detect and reason about that case
2273  * by design, so it shouldn't be taken to indicate corruption. See
2274  * _bt_pagedel() for full details.
2275  */
2276  if (rightsplit)
2277  {
2278  ereport(DEBUG1,
2279  (errcode(ERRCODE_NO_DATA),
2280  errmsg_internal("harmless interrupted page split detected in index \"%s\"",
2281  RelationGetRelationName(state->rel)),
2282  errdetail_internal("Block=%u level=%u left sibling=%u page lsn=%X/%X.",
2283  blkno, opaque->btpo_level,
2284  opaque->btpo_prev,
2285  LSN_FORMAT_ARGS(pagelsn))));
2286  return;
2287  }
2288 
2289  /*
2290  * Page under check is probably the "top parent" of a multi-level page
2291  * deletion. We'll need to descend the subtree to make sure that
2292  * descendant pages are consistent with that, though.
2293  *
2294  * If the page (which must be non-ignorable) is a leaf page, then clearly
2295  * it can't be the top parent. The lack of a downlink is probably a
2296  * symptom of a broad problem that could just as easily cause
2297  * inconsistencies anywhere else.
2298  */
2299  if (P_ISLEAF(opaque))
2300  ereport(ERROR,
2301  (errcode(ERRCODE_INDEX_CORRUPTED),
2302  errmsg("leaf index block lacks downlink in index \"%s\"",
2303  RelationGetRelationName(state->rel)),
2304  errdetail_internal("Block=%u page lsn=%X/%X.",
2305  blkno,
2306  LSN_FORMAT_ARGS(pagelsn))));
2307 
2308  /* Descend from the given page, which is an internal page */
2309  elog(DEBUG1, "checking for interrupted multi-level deletion due to missing downlink in index \"%s\"",
2310  RelationGetRelationName(state->rel));
2311 
2312  level = opaque->btpo_level;
2313  itemid = PageGetItemIdCareful(state, blkno, page, P_FIRSTDATAKEY(opaque));
2314  itup = (IndexTuple) PageGetItem(page, itemid);
2315  childblk = BTreeTupleGetDownLink(itup);
2316  for (;;)
2317  {
2318  CHECK_FOR_INTERRUPTS();
2319 
2320  child = palloc_btree_page(state, childblk);
2321  copaque = (BTPageOpaque) PageGetSpecialPointer(child);
2322 
2323  if (P_ISLEAF(copaque))
2324  break;
2325 
2326  /* Do an extra sanity check in passing on internal pages */
2327  if (copaque->btpo_level != level - 1)
2328  ereport(ERROR,
2329  (errcode(ERRCODE_INDEX_CORRUPTED),
2330  errmsg_internal("downlink points to block in index \"%s\" whose level is not one level down",
2331  RelationGetRelationName(state->rel)),
2332  errdetail_internal("Top parent/under check block=%u block pointed to=%u expected level=%u level in pointed to block=%u.",
2333  blkno, childblk,
2334  level - 1, copaque->btpo_level)));
2335 
2336  level = copaque->btpo_level;
2337  itemid = PageGetItemIdCareful(state, childblk, child,
2338  P_FIRSTDATAKEY(copaque));
2339  itup = (IndexTuple) PageGetItem(child, itemid);
2340  childblk = BTreeTupleGetDownLink(itup);
2341  /* Be slightly more pro-active in freeing this memory, just in case */
2342  pfree(child);
2343  }
2344 
2345  /*
2346  * Since there cannot be a concurrent VACUUM operation in readonly mode,
2347  * and since a page has no links within other pages (siblings and parent)
2348  * once it is marked fully deleted, it should be impossible to land on a
2349  * fully deleted page. See bt_child_check() for further details.
2350  *
2351  * The bt_child_check() P_ISDELETED() check is repeated here because
2352  * bt_child_check() does not visit pages reachable through negative
2353  * infinity items. Besides, bt_child_check() is unwilling to descend
2354  * multiple levels. (The similar bt_child_check() P_ISDELETED() check
2355  * within bt_check_level_from_leftmost() won't reach the page either,
2356  * since the leaf's live siblings should have their sibling links updated
2357  * to bypass the deletion target page when it is marked fully dead.)
2358  *
2359  * If this error is raised, it might be due to a previous multi-level page
2360  * deletion that failed to realize that it wasn't yet safe to mark the
2361  * leaf page as fully dead. A "dangling downlink" will still remain when
2362  * this happens. The fact that the dangling downlink's page (the leaf's
2363  * parent/ancestor page) lacked a downlink is incidental.
2364  */
2365  if (P_ISDELETED(copaque))
2366  ereport(ERROR,
2367  (errcode(ERRCODE_INDEX_CORRUPTED),
2368  errmsg_internal("downlink to deleted leaf page found in index \"%s\"",
2369  RelationGetRelationName(state->rel)),
2370  errdetail_internal("Top parent/target block=%u leaf block=%u top parent/under check lsn=%X/%X.",
2371  blkno, childblk,
2372  LSN_FORMAT_ARGS(pagelsn))));
2373 
2374  /*
2375  * Iff leaf page is half-dead, its high key top parent link should point
2376  * to what VACUUM considered to be the top parent page at the instant it
2377  * was interrupted. Provided the high key link actually points to the
2378  * page under check, the missing downlink we detected is consistent with
2379  * there having been an interrupted multi-level page deletion. This means
2380  * that the subtree with the page under check at its root (a page deletion
2381  * chain) is in a consistent state, enabling VACUUM to resume deleting the
2382  * entire chain the next time it encounters the half-dead leaf page.
2383  */
2384  if (P_ISHALFDEAD(copaque) && !P_RIGHTMOST(copaque))
2385  {
2386  itemid = PageGetItemIdCareful(state, childblk, child, P_HIKEY);
2387  itup = (IndexTuple) PageGetItem(child, itemid);
2388  if (BTreeTupleGetTopParent(itup) == blkno)
2389  return;
2390  }
2391 
2392  ereport(ERROR,
2393  (errcode(ERRCODE_INDEX_CORRUPTED),
2394  errmsg("internal index block lacks downlink in index \"%s\"",
2395  RelationGetRelationName(state->rel)),
2396  errdetail_internal("Block=%u level=%u page lsn=%X/%X.",
2397  blkno, opaque->btpo_level,
2398  LSN_FORMAT_ARGS(pagelsn))));
2399 }
2400 
2401 /*
2402  * Per-tuple callback from table_index_build_scan, used to determine if index has
2403  * all the entries that definitely should have been observed in leaf pages of
2404  * the target index (that is, all IndexTuples that were fingerprinted by our
2405  * Bloom filter). All heapallindexed checks occur here.
2406  *
2407  * The redundancy between an index and the table it indexes provides a good
2408  * opportunity to detect corruption, especially corruption within the table.
2409  * The high level principle behind the verification performed here is that any
2410  * IndexTuple that should be in an index following a fresh CREATE INDEX (based
2411  * on the same index definition) should also have been in the original,
2412  * existing index, which should have used exactly the same representation
2413  *
2414  * Since the overall structure of the index has already been verified, the most
2415  * likely explanation for error here is a corrupt heap page (could be logical
2416  * or physical corruption). Index corruption may still be detected here,
2417  * though. Only readonly callers will have verified that left links and right
2418  * links are in agreement, and so it's possible that a leaf page transposition
2419  * within index is actually the source of corruption detected here (for
2420  * !readonly callers). The checks performed only for readonly callers might
2421  * more accurately frame the problem as a cross-page invariant issue (this
2422  * could even be due to recovery not replaying all WAL records). The !readonly
2423  * ERROR message raised here includes a HINT about retrying with readonly
2424  * verification, just in case it's a cross-page invariant issue, though that
2425  * isn't particularly likely.
2426  *
2427  * table_index_build_scan() expects to be able to find the root tuple when a
2428  * heap-only tuple (the live tuple at the end of some HOT chain) needs to be
2429  * indexed, in order to replace the actual tuple's TID with the root tuple's
2430  * TID (which is what we're actually passed back here). The index build heap
2431  * scan code will raise an error when a tuple that claims to be the root of the
2432  * heap-only tuple's HOT chain cannot be located. This catches cases where the
2433  * original root item offset/root tuple for a HOT chain indicates (for whatever
2434  * reason) that the entire HOT chain is dead, despite the fact that the latest
2435  * heap-only tuple should be indexed. When this happens, sequential scans may
2436  * always give correct answers, and all indexes may be considered structurally
2437  * consistent (i.e. the nbtree structural checks would not detect corruption).
2438  * It may be the case that only index scans give wrong answers, and yet heap or
2439  * SLRU corruption is the real culprit. (While it's true that LP_DEAD bit
2440  * setting will probably also leave the index in a corrupt state before too
2441  * long, the problem is nonetheless that there is heap corruption.)
2442  *
2443  * Heap-only tuple handling within table_index_build_scan() works in a way that
2444  * helps us to detect index tuples that contain the wrong values (values that
2445  * don't match the latest tuple in the HOT chain). This can happen when there
2446  * is no superseding index tuple due to a faulty assessment of HOT safety,
2447  * perhaps during the original CREATE INDEX. Because the latest tuple's
2448  * contents are used with the root TID, an error will be raised when a tuple
2449  * with the same TID but non-matching attribute values is passed back to us.
2450  * Faulty assessment of HOT-safety was behind at least two distinct CREATE
2451  * INDEX CONCURRENTLY bugs that made it into stable releases, one of which was
2452  * undetected for many years. In short, the same principle that allows a
2453  * REINDEX to repair corruption when there was an (undetected) broken HOT chain
2454  * also allows us to detect the corruption in many cases.
2455  */
2456 static void
2457 bt_tuple_present_callback(Relation index, ItemPointer tid, Datum *values,
2458  bool *isnull, bool tupleIsAlive, void *checkstate)
2459 {
2460  BtreeCheckState *state = (BtreeCheckState *) checkstate;
2461  IndexTuple itup,
2462  norm;
2463 
2464  Assert(state->heapallindexed);
2465 
2466  /* Generate a normalized index tuple for fingerprinting */
2467  itup = index_form_tuple(RelationGetDescr(index), values, isnull);
2468  itup->t_tid = *tid;
2469  norm = bt_normalize_tuple(state, itup);
2470 
2471  /* Probe Bloom filter -- tuple should be present */
2472  if (bloom_lacks_element(state->filter, (unsigned char *) norm,
2473  IndexTupleSize(norm)))
2474  ereport(ERROR,
2475  (errcode(ERRCODE_DATA_CORRUPTED),
2476  errmsg("heap tuple (%u,%u) from table \"%s\" lacks matching index tuple within index \"%s\"",
2477  ItemPointerGetBlockNumber(&(itup->t_tid)),
2478  ItemPointerGetOffsetNumber(&(itup->t_tid)),
2479  RelationGetRelationName(state->heaprel),
2480  RelationGetRelationName(state->rel)),
2481  !state->readonly
2482  ? errhint("Retrying verification using the function bt_index_parent_check() might provide a more specific error.")
2483  : 0));
2484 
2485  state->heaptuplespresent++;
2486  pfree(itup);
2487  /* Cannot leak memory here */
2488  if (norm != itup)
2489  pfree(norm);
2490 }
2491 
2492 /*
2493  * Normalize an index tuple for fingerprinting.
2494  *
2495  * In general, index tuple formation is assumed to be deterministic by
2496  * heapallindexed verification, and IndexTuples are assumed immutable. While
2497  * the LP_DEAD bit is mutable in leaf pages, that's ItemId metadata, which is
2498  * not fingerprinted. Normalization is required to compensate for corner
2499  * cases where the determinism assumption doesn't quite work.
2500  *
2501  * There is currently one such case: index_form_tuple() does not try to hide
2502  * the source TOAST state of input datums. The executor applies TOAST
2503  * compression for heap tuples based on different criteria to the compression
2504  * applied within btinsert()'s call to index_form_tuple(): it sometimes
2505  * compresses more aggressively, resulting in compressed heap tuple datums but
2506  * uncompressed corresponding index tuple datums. A subsequent heapallindexed
2507  * verification will get a logically equivalent though bitwise unequal tuple
2508  * from index_form_tuple(). False positive heapallindexed corruption reports
2509  * could occur without normalizing away the inconsistency.
2510  *
2511  * Returned tuple is often caller's own original tuple. Otherwise, it is a
2512  * new representation of caller's original index tuple, palloc()'d in caller's
2513  * memory context.
2514  *
2515  * Note: This routine is not concerned with distinctions about the
2516  * representation of tuples beyond those that might break heapallindexed
2517  * verification. In particular, it won't try to normalize opclass-equal
2518  * datums with potentially distinct representations (e.g., btree/numeric_ops
2519  * index datums will not get their display scale normalized-away here).
2520  * Caller does normalization for non-pivot tuples that have a posting list,
2521  * since dummy CREATE INDEX callback code generates new tuples with the same
2522  * normalized representation.
2523  */
2524 static IndexTuple
2525 bt_normalize_tuple(BtreeCheckState *state, IndexTuple itup)
2526 {
2527  TupleDesc tupleDescriptor = RelationGetDescr(state->rel);
2528  Datum normalized[INDEX_MAX_KEYS];
2529  bool isnull[INDEX_MAX_KEYS];
2530  bool toast_free[INDEX_MAX_KEYS];
2531  bool formnewtup = false;
2532  IndexTuple reformed;
2533  int i;
2534 
2535  /* Caller should only pass "logical" non-pivot tuples here */
2536  Assert(!BTreeTupleIsPosting(itup) && !BTreeTupleIsPivot(itup));
2537 
2538  /* Easy case: It's immediately clear that tuple has no varlena datums */
2539  if (!IndexTupleHasVarwidths(itup))
2540  return itup;
2541 
2542  for (i = 0; i < tupleDescriptor->natts; i++)
2543  {
2544  Form_pg_attribute att;
2545 
2546  att = TupleDescAttr(tupleDescriptor, i);
2547 
2548  /* Assume untoasted/already normalized datum initially */
2549  toast_free[i] = false;
2550  normalized[i] = index_getattr(itup, att->attnum,
2551  tupleDescriptor,
2552  &isnull[i]);
2553  if (att->attbyval || att->attlen != -1 || isnull[i])
2554  continue;
2555 
2556  /*
2557  * Callers always pass a tuple that could safely be inserted into the
2558  * index without further processing, so an external varlena header
2559  * should never be encountered here
2560  */
2561  if (VARATT_IS_EXTERNAL(DatumGetPointer(normalized[i])))
2562  ereport(ERROR,
2563  (errcode(ERRCODE_INDEX_CORRUPTED),
2564  errmsg("external varlena datum in tuple that references heap row (%u,%u) in index \"%s\"",
2565  ItemPointerGetBlockNumber(&(itup->t_tid)),
2566  ItemPointerGetOffsetNumber(&(itup->t_tid)),
2567  RelationGetRelationName(state->rel))));
2568  else if (VARATT_IS_COMPRESSED(DatumGetPointer(normalized[i])))
2569  {
2570  formnewtup = true;
2571  normalized[i] = PointerGetDatum(PG_DETOAST_DATUM(normalized[i]));
2572  toast_free[i] = true;
2573  }
2574  }
2575 
2576  /* Easier case: Tuple has varlena datums, none of which are compressed */
2577  if (!formnewtup)
2578  return itup;
2579 
2580  /*
2581  * Hard case: Tuple had compressed varlena datums that necessitate
2582  * creating normalized version of the tuple from uncompressed input datums
2583  * (normalized input datums). This is rather naive, but shouldn't be
2584  * necessary too often.
2585  *
2586  * Note that we rely on deterministic index_form_tuple() TOAST compression
2587  * of normalized input.
2588  */
2589  reformed = index_form_tuple(tupleDescriptor, normalized, isnull);
2590  reformed->t_tid = itup->t_tid;
2591 
2592  /* Cannot leak memory here */
2593  for (i = 0; i < tupleDescriptor->natts; i++)
2594  if (toast_free[i])
2595  pfree(DatumGetPointer(normalized[i]));
2596 
2597  return reformed;
2598 }
2599 
2600 /*
2601  * Produce palloc()'d "plain" tuple for nth posting list entry/TID.
2602  *
2603  * In general, deduplication is not supposed to change the logical contents of
2604  * an index. Multiple index tuples are merged together into one equivalent
2605  * posting list index tuple when convenient.
2606  *
2607  * heapallindexed verification must normalize-away this variation in
2608  * representation by converting posting list tuples into two or more "plain"
2609  * tuples. Each tuple must be fingerprinted separately -- there must be one
2610  * tuple for each corresponding Bloom filter probe during the heap scan.
2611  *
2612  * Note: Caller still needs to call bt_normalize_tuple() with returned tuple.
2613  */
2614 static inline IndexTuple
2615 bt_posting_plain_tuple(IndexTuple itup, int n)
2616 {
2617  Assert(BTreeTupleIsPosting(itup));
2618 
2619  /* Returns non-posting-list tuple */
2620  return _bt_form_posting(itup, BTreeTupleGetPostingN(itup, n), 1);
2621 }
2622 
2623 /*
2624  * Search for itup in index, starting from fast root page. itup must be a
2625  * non-pivot tuple. This is only supported with heapkeyspace indexes, since
2626  * we rely on having fully unique keys to find a match with only a single
2627  * visit to a leaf page, barring an interrupted page split, where we may have
2628  * to move right. (A concurrent page split is impossible because caller must
2629  * be readonly caller.)
2630  *
2631  * This routine can detect very subtle transitive consistency issues across
2632  * more than one level of the tree. Leaf pages all have a high key (even the
2633  * rightmost page has a conceptual positive infinity high key), but not a low
2634  * key. Their downlink in parent is a lower bound, which along with the high
2635  * key is almost enough to detect every possible inconsistency. A downlink
2636  * separator key value won't always be available from parent, though, because
2637  * the first items of internal pages are negative infinity items, truncated
2638  * down to zero attributes during internal page splits. While it's true that
2639  * bt_child_check() and the high key check can detect most imaginable key
2640  * space problems, there are remaining problems it won't detect with non-pivot
2641  * tuples in cousin leaf pages. Starting a search from the root for every
2642  * existing leaf tuple detects small inconsistencies in upper levels of the
2643  * tree that cannot be detected any other way. (Besides all this, this is
2644  * probably also useful as a direct test of the code used by index scans
2645  * themselves.)
2646  */
2647 static bool
2648 bt_rootdescend(BtreeCheckState *state, IndexTuple itup)
2649 {
2650  BTScanInsert key;
2651  BTStack stack;
2652  Buffer lbuf;
2653  bool exists;
2654 
2655  key = _bt_mkscankey(state->rel, itup);
2656  Assert(key->heapkeyspace && key->scantid != NULL);
2657 
2658  /*
2659  * Search from root.
2660  *
2661  * Ideally, we would arrange to only move right within _bt_search() when
2662  * an interrupted page split is detected (i.e. when the incomplete split
2663  * bit is found to be set), but for now we accept the possibility that
2664  * that could conceal an inconsistency.
2665  */
2666  Assert(state->readonly && state->rootdescend);
2667  exists = false;
2668  stack = _bt_search(state->rel, key, &lbuf, BT_READ, NULL);
2669 
2670  if (BufferIsValid(lbuf))
2671  {
2672  BTInsertStateData insertstate;
2673  OffsetNumber offnum;
2674  Page page;
2675 
2676  insertstate.itup = itup;
2677  insertstate.itemsz = MAXALIGN(IndexTupleSize(itup));
2678  insertstate.itup_key = key;
2679  insertstate.postingoff = 0;
2680  insertstate.bounds_valid = false;
2681  insertstate.buf = lbuf;
2682 
2683  /* Get matching tuple on leaf page */
2684  offnum = _bt_binsrch_insert(state->rel, &insertstate);
2685  /* Compare first >= matching item on leaf page, if any */
2686  page = BufferGetPage(lbuf);
2687  /* Should match on first heap TID when tuple has a posting list */
2688  if (offnum <= PageGetMaxOffsetNumber(page) &&
2689  insertstate.postingoff <= 0 &&
2690  _bt_compare(state->rel, key, page, offnum) == 0)
2691  exists = true;
2692  _bt_relbuf(state->rel, lbuf);
2693  }
2694 
2695  _bt_freestack(stack);
2696  pfree(key);
2697 
2698  return exists;
2699 }
2700 
2701 /*
2702  * Is particular offset within page (whose special state is passed by caller)
2703  * the page negative-infinity item?
2704  *
2705  * As noted in comments above _bt_compare(), there is special handling of the
2706  * first data item as a "negative infinity" item. The hard-coding within
2707  * _bt_compare() makes comparing this item for the purposes of verification
2708  * pointless at best, since the IndexTuple only contains a valid TID (a
2709  * reference TID to child page).
2710  */
2711 static inline bool
2712 offset_is_negative_infinity(BTPageOpaque opaque, OffsetNumber offset)
2713 {
2714  /*
2715  * For internal pages only, the first item after high key, if any, is
2716  * negative infinity item. Internal pages always have a negative infinity
2717  * item, whereas leaf pages never have one. This implies that negative
2718  * infinity item is either first or second line item, or there is none
2719  * within page.
2720  *
2721  * Negative infinity items are a special case among pivot tuples. They
2722  * always have zero attributes, while all other pivot tuples always have
2723  * nkeyatts attributes.
2724  *
2725  * Right-most pages don't have a high key, but could be said to
2726  * conceptually have a "positive infinity" high key. Thus, there is a
2727  * symmetry between down link items in parent pages, and high keys in
2728  * children. Together, they represent the part of the key space that
2729  * belongs to each page in the index. For example, all children of the
2730  * root page will have negative infinity as a lower bound from root
2731  * negative infinity downlink, and positive infinity as an upper bound
2732  * (implicitly, from "imaginary" positive infinity high key in root).
2733  */
2734  return !P_ISLEAF(opaque) && offset == P_FIRSTDATAKEY(opaque);
2735 }
2736 
2737 /*
2738  * Does the invariant hold that the key is strictly less than a given upper
2739  * bound offset item?
2740  *
2741  * Verifies line pointer on behalf of caller.
2742  *
2743  * If this function returns false, convention is that caller throws error due
2744  * to corruption.
2745  */
2746 static inline bool
2747 invariant_l_offset(BtreeCheckState *state, BTScanInsert key,
2748  OffsetNumber upperbound)
2749 {
2750  ItemId itemid;
2751  int32 cmp;
2752 
2753  Assert(key->pivotsearch);
2754 
2755  /* Verify line pointer before checking tuple */
2756  itemid = PageGetItemIdCareful(state, state->targetblock, state->target,
2757  upperbound);
2758  /* pg_upgrade'd indexes may legally have equal sibling tuples */
2759  if (!key->heapkeyspace)
2760  return invariant_leq_offset(state, key, upperbound);
2761 
2762  cmp = _bt_compare(state->rel, key, state->target, upperbound);
2763 
2764  /*
2765  * _bt_compare() is capable of determining that a scankey with a
2766  * filled-out attribute is greater than pivot tuples where the comparison
2767  * is resolved at a truncated attribute (value of attribute in pivot is
2768  * minus infinity). However, it is not capable of determining that a
2769  * scankey is _less than_ a tuple on the basis of a comparison resolved at
2770  * _scankey_ minus infinity attribute. Complete an extra step to simulate
2771  * having minus infinity values for omitted scankey attribute(s).
2772  */
2773  if (cmp == 0)
2774  {
2775  BTPageOpaque topaque;
2776  IndexTuple ritup;
2777  int uppnkeyatts;
2778  ItemPointer rheaptid;
2779  bool nonpivot;
2780 
2781  ritup = (IndexTuple) PageGetItem(state->target, itemid);
2782  topaque = (BTPageOpaque) PageGetSpecialPointer(state->target);
2783  nonpivot = P_ISLEAF(topaque) && upperbound >= P_FIRSTDATAKEY(topaque);
2784 
2785  /* Get number of keys + heap TID for item to the right */
2786  uppnkeyatts = BTreeTupleGetNKeyAtts(ritup, state->rel);
2787  rheaptid = BTreeTupleGetHeapTIDCareful(state, ritup, nonpivot);
2788 
2789  /* Heap TID is tiebreaker key attribute */
2790  if (key->keysz == uppnkeyatts)
2791  return key->scantid == NULL && rheaptid != NULL;
2792 
2793  return key->keysz < uppnkeyatts;
2794  }
2795 
2796  return cmp < 0;
2797 }
2798 
2799 /*
2800  * Does the invariant hold that the key is less than or equal to a given upper
2801  * bound offset item?
2802  *
2803  * Caller should have verified that upperbound's line pointer is consistent
2804  * using PageGetItemIdCareful() call.
2805  *
2806  * If this function returns false, convention is that caller throws error due
2807  * to corruption.
2808  */
2809 static inline bool
2810 invariant_leq_offset(BtreeCheckState *state, BTScanInsert key,
2811  OffsetNumber upperbound)
2812 {
2813  int32 cmp;
2814 
2815  Assert(key->pivotsearch);
2816 
2817  cmp = _bt_compare(state->rel, key, state->target, upperbound);
2818 
2819  return cmp <= 0;
2820 }
2821 
2822 /*
2823  * Does the invariant hold that the key is strictly greater than a given lower
2824  * bound offset item?
2825  *
2826  * Caller should have verified that lowerbound's line pointer is consistent
2827  * using PageGetItemIdCareful() call.
2828  *
2829  * If this function returns false, convention is that caller throws error due
2830  * to corruption.
2831  */
2832 static inline bool
2833 invariant_g_offset(BtreeCheckState *state, BTScanInsert key,
2834  OffsetNumber lowerbound)
2835 {
2836  int32 cmp;
2837 
2838  Assert(key->pivotsearch);
2839 
2840  cmp = _bt_compare(state->rel, key, state->target, lowerbound);
2841 
2842  /* pg_upgrade'd indexes may legally have equal sibling tuples */
2843  if (!key->heapkeyspace)
2844  return cmp >= 0;
2845 
2846  /*
2847  * No need to consider the possibility that scankey has attributes that we
2848  * need to force to be interpreted as negative infinity. _bt_compare() is
2849  * able to determine that scankey is greater than negative infinity. The
2850  * distinction between "==" and "<" isn't interesting here, since
2851  * corruption is indicated either way.
2852  */
2853  return cmp > 0;
2854 }
2855 
2856 /*
2857  * Does the invariant hold that the key is strictly less than a given upper
2858  * bound offset item, with the offset relating to a caller-supplied page that
2859  * is not the current target page?
2860  *
2861  * Caller's non-target page is a child page of the target, checked as part of
2862  * checking a property of the target page (i.e. the key comes from the
2863  * target). Verifies line pointer on behalf of caller.
2864  *
2865  * If this function returns false, convention is that caller throws error due
2866  * to corruption.
2867  */
2868 static inline bool
2869 invariant_l_nontarget_offset(BtreeCheckState *state, BTScanInsert key,
2870  BlockNumber nontargetblock, Page nontarget,
2871  OffsetNumber upperbound)
2872 {
2873  ItemId itemid;
2874  int32 cmp;
2875 
2876  Assert(key->pivotsearch);
2877 
2878  /* Verify line pointer before checking tuple */
2879  itemid = PageGetItemIdCareful(state, nontargetblock, nontarget,
2880  upperbound);
2881  cmp = _bt_compare(state->rel, key, nontarget, upperbound);
2882 
2883  /* pg_upgrade'd indexes may legally have equal sibling tuples */
2884  if (!key->heapkeyspace)
2885  return cmp <= 0;
2886 
2887  /* See invariant_l_offset() for an explanation of this extra step */
2888  if (cmp == 0)
2889  {
2890  IndexTuple child;
2891  int uppnkeyatts;
2892  ItemPointer childheaptid;
2893  BTPageOpaque copaque;
2894  bool nonpivot;
2895 
2896  child = (IndexTuple) PageGetItem(nontarget, itemid);
2897  copaque = (BTPageOpaque) PageGetSpecialPointer(nontarget);
2898  nonpivot = P_ISLEAF(copaque) && upperbound >= P_FIRSTDATAKEY(copaque);
2899 
2900  /* Get number of keys + heap TID for child/non-target item */
2901  uppnkeyatts = BTreeTupleGetNKeyAtts(child, state->rel);
2902  childheaptid = BTreeTupleGetHeapTIDCareful(state, child, nonpivot);
2903 
2904  /* Heap TID is tiebreaker key attribute */
2905  if (key->keysz == uppnkeyatts)
2906  return key->scantid == NULL && childheaptid != NULL;
2907 
2908  return key->keysz < uppnkeyatts;
2909  }
2910 
2911  return cmp < 0;
2912 }
2913 
2914 /*
2915  * Given a block number of a B-Tree page, return page in palloc()'d memory.
2916  * While at it, perform some basic checks of the page.
2917  *
2918  * There is never an attempt to get a consistent view of multiple pages using
2919  * multiple concurrent buffer locks; in general, we only acquire a single pin
2920  * and buffer lock at a time, which is often all that the nbtree code requires.
2921  * (Actually, bt_recheck_sibling_links couples buffer locks, which is the only
2922  * exception to this general rule.)
2923  *
2924  * Operating on a copy of the page is useful because it prevents control
2925  * getting stuck in an uninterruptible state when an underlying operator class
2926  * misbehaves.
2927  */
2928 static Page
2929 palloc_btree_page(BtreeCheckState *state, BlockNumber blocknum)
2930 {
2931  Buffer buffer;
2932  Page page;
2933  BTPageOpaque opaque;
2934  OffsetNumber maxoffset;
2935 
2936  page = palloc(BLCKSZ);
2937 
2938  /*
2939  * We copy the page into local storage to avoid holding pin on the buffer
2940  * longer than we must.
2941  */
2942  buffer = ReadBufferExtended(state->rel, MAIN_FORKNUM, blocknum, RBM_NORMAL,
2943  state->checkstrategy);
2944  LockBuffer(buffer, BT_READ);
2945 
2946  /*
2947  * Perform the same basic sanity checking that nbtree itself performs for
2948  * every page:
2949  */
2950  _bt_checkpage(state->rel, buffer);
2951 
2952  /* Only use copy of page in palloc()'d memory */
2953  memcpy(page, BufferGetPage(buffer), BLCKSZ);
2954  UnlockReleaseBuffer(buffer);
2955 
2956  opaque = (BTPageOpaque) PageGetSpecialPointer(page);
2957 
2958  if (P_ISMETA(opaque) && blocknum != BTREE_METAPAGE)
2959  ereport(ERROR,
2960  (errcode(ERRCODE_INDEX_CORRUPTED),
2961  errmsg("invalid meta page found at block %u in index \"%s\"",
2962  blocknum, RelationGetRelationName(state->rel))));
2963 
2964  /* Check page from block that ought to be meta page */
2965  if (blocknum == BTREE_METAPAGE)
2966  {
2967  BTMetaPageData *metad = BTPageGetMeta(page);
2968 
2969  if (!P_ISMETA(opaque) ||
2970  metad->btm_magic != BTREE_MAGIC)
2971  ereport(ERROR,
2972  (errcode(ERRCODE_INDEX_CORRUPTED),
2973  errmsg("index \"%s\" meta page is corrupt",
2974  RelationGetRelationName(state->rel))));
2975 
2976  if (metad->btm_version < BTREE_MIN_VERSION ||
2977  metad->btm_version > BTREE_VERSION)
2978  ereport(ERROR,
2979  (errcode(ERRCODE_INDEX_CORRUPTED),
2980  errmsg("version mismatch in index \"%s\": file version %d, "
2981  "current version %d, minimum supported version %d",
2982  RelationGetRelationName(state->rel),
2983  metad->btm_version, BTREE_VERSION,
2984  BTREE_MIN_VERSION)));
2985 
2986  /* Finished with metapage checks */
2987  return page;
2988  }
2989 
2990  /*
2991  * Deleted pages that still use the old 32-bit XID representation have no
2992  * sane "level" field because they type pun the field, but all other pages
2993  * (including pages deleted on Postgres 14+) have a valid value.
2994  */
2995  if (!P_ISDELETED(opaque) || P_HAS_FULLXID(opaque))
2996  {
2997  /* Okay, no reason not to trust btpo_level field from page */
2998 
2999  if (P_ISLEAF(opaque) && opaque->btpo_level != 0)
3000  ereport(ERROR,
3001  (errcode(ERRCODE_INDEX_CORRUPTED),
3002  errmsg_internal("invalid leaf page level %u for block %u in index \"%s\"",
3003  opaque->btpo_level, blocknum,
3004  RelationGetRelationName(state->rel))));
3005 
3006  if (!P_ISLEAF(opaque) && opaque->btpo_level == 0)
3007  ereport(ERROR,
3008  (errcode(ERRCODE_INDEX_CORRUPTED),
3009  errmsg_internal("invalid internal page level 0 for block %u in index \"%s\"",
3010  blocknum,
3011  RelationGetRelationName(state->rel))));
3012  }
3013 
3014  /*
3015  * Sanity checks for number of items on page.
3016  *
3017  * As noted at the beginning of _bt_binsrch(), an internal page must have
3018  * children, since there must always be a negative infinity downlink
3019  * (there may also be a highkey). In the case of non-rightmost leaf
3020  * pages, there must be at least a highkey. The exceptions are deleted
3021  * pages, which contain no items.
3022  *
3023  * This is correct when pages are half-dead, since internal pages are
3024  * never half-dead, and leaf pages must have a high key when half-dead
3025  * (the rightmost page can never be deleted). It's also correct with
3026  * fully deleted pages: _bt_unlink_halfdead_page() doesn't change anything
3027  * about the target page other than setting the page as fully dead, and
3028  * setting its xact field. In particular, it doesn't change the sibling
3029  * links in the deletion target itself, since they're required when index
3030  * scans land on the deletion target, and then need to move right (or need
3031  * to move left, in the case of backward index scans).
3032  */
3033  maxoffset = PageGetMaxOffsetNumber(page);
3034  if (maxoffset > MaxIndexTuplesPerPage)
3035  ereport(ERROR,
3036  (errcode(ERRCODE_INDEX_CORRUPTED),
3037  errmsg("Number of items on block %u of index \"%s\" exceeds MaxIndexTuplesPerPage (%u)",
3038  blocknum, RelationGetRelationName(state->rel),
3039  MaxIndexTuplesPerPage)));
3040 
3041  if (!P_ISLEAF(opaque) && !P_ISDELETED(opaque) && maxoffset < P_FIRSTDATAKEY(opaque))
3042  ereport(ERROR,
3043  (errcode(ERRCODE_INDEX_CORRUPTED),
3044  errmsg("internal block %u in index \"%s\" lacks high key and/or at least one downlink",
3045  blocknum, RelationGetRelationName(state->rel))));
3046 
3047  if (P_ISLEAF(opaque) && !P_ISDELETED(opaque) && !P_RIGHTMOST(opaque) && maxoffset < P_HIKEY)
3048  ereport(ERROR,
3049  (errcode(ERRCODE_INDEX_CORRUPTED),
3050  errmsg("non-rightmost leaf block %u in index \"%s\" lacks high key item",
3051  blocknum, RelationGetRelationName(state->rel))));
3052 
3053  /*
3054  * In general, internal pages are never marked half-dead, except on
3055  * versions of Postgres prior to 9.4, where it can be valid transient
3056  * state. This state is nonetheless treated as corruption by VACUUM on
3057  * from version 9.4 on, so do the same here. See _bt_pagedel() for full
3058  * details.
3059  */
3060  if (!P_ISLEAF(opaque) && P_ISHALFDEAD(opaque))
3061  ereport(ERROR,
3062  (errcode(ERRCODE_INDEX_CORRUPTED),
3063  errmsg("internal page block %u in index \"%s\" is half-dead",
3064  blocknum, RelationGetRelationName(state->rel)),
3065  errhint("This can be caused by an interrupted VACUUM in version 9.3 or older, before upgrade. Please REINDEX it.")));
3066 
3067  /*
3068  * Check that internal pages have no garbage items, and that no page has
3069  * an invalid combination of deletion-related page level flags
3070  */
3071  if (!P_ISLEAF(opaque) && P_HAS_GARBAGE(opaque))
3072  ereport(ERROR,
3073  (errcode(ERRCODE_INDEX_CORRUPTED),
3074  errmsg_internal("internal page block %u in index \"%s\" has garbage items",
3075  blocknum, RelationGetRelationName(state->rel))));
3076 
3077  if (P_HAS_FULLXID(opaque) && !P_ISDELETED(opaque))
3078  ereport(ERROR,
3079  (errcode(ERRCODE_INDEX_CORRUPTED),
3080  errmsg_internal("full transaction id page flag appears in non-deleted block %u in index \"%s\"",
3081  blocknum, RelationGetRelationName(state->rel))));
3082 
3083  if (P_ISDELETED(opaque) && P_ISHALFDEAD(opaque))
3084  ereport(ERROR,
3085  (errcode(ERRCODE_INDEX_CORRUPTED),
3086  errmsg_internal("deleted page block %u in index \"%s\" is half-dead",
3087  blocknum, RelationGetRelationName(state->rel))));
3088 
3089  return page;
3090 }
3091 
3092 /*
3093  * _bt_mkscankey() wrapper that automatically prevents insertion scankey from
3094  * being considered greater than the pivot tuple that its values originated
3095  * from (or some other identical pivot tuple) in the common case where there
3096  * are truncated/minus infinity attributes. Without this extra step, there
3097  * are forms of corruption that amcheck could theoretically fail to report.
3098  *
3099  * For example, invariant_g_offset() might miss a cross-page invariant failure
3100  * on an internal level if the scankey built from the first item on the
3101  * target's right sibling page happened to be equal to (not greater than) the
3102  * last item on target page. The !pivotsearch tiebreaker in _bt_compare()
3103  * might otherwise cause amcheck to assume (rather than actually verify) that
3104  * the scankey is greater.
3105  */
3106 static inline BTScanInsert
3107 bt_mkscankey_pivotsearch(Relation rel, IndexTuple itup)
3108 {
3109  BTScanInsert skey;
3110 
3111  skey = _bt_mkscankey(rel, itup);
3112  skey->pivotsearch = true;
3113 
3114  return skey;
3115 }
3116 
3117 /*
3118  * PageGetItemId() wrapper that validates returned line pointer.
3119  *
3120  * Buffer page/page item access macros generally trust that line pointers are
3121  * not corrupt, which might cause problems for verification itself. For
3122  * example, there is no bounds checking in PageGetItem(). Passing it a
3123  * corrupt line pointer can cause it to return a tuple/pointer that is unsafe
3124  * to dereference.
3125  *
3126  * Validating line pointers before tuples avoids undefined behavior and
3127  * assertion failures with corrupt indexes, making the verification process
3128  * more robust and predictable.
3129  */
3130 static ItemId
3131 PageGetItemIdCareful(BtreeCheckState *state, BlockNumber block, Page page,
3132  OffsetNumber offset)
3133 {
3134  ItemId itemid = PageGetItemId(page, offset);
3135 
3136  if (ItemIdGetOffset(itemid) + ItemIdGetLength(itemid) >
3137  BLCKSZ - sizeof(BTPageOpaqueData))
3138  ereport(ERROR,
3139  (errcode(ERRCODE_INDEX_CORRUPTED),
3140  errmsg("line pointer points past end of tuple space in index \"%s\"",
3141  RelationGetRelationName(state->rel)),
3142  errdetail_internal("Index tid=(%u,%u) lp_off=%u, lp_len=%u lp_flags=%u.",
3143  block, offset, ItemIdGetOffset(itemid),
3144  ItemIdGetLength(itemid),
3145  ItemIdGetFlags(itemid))));
3146 
3147  /*
3148  * Verify that line pointer isn't LP_REDIRECT or LP_UNUSED, since nbtree
3149  * never uses either. Verify that line pointer has storage, too, since
3150  * even LP_DEAD items should within nbtree.
3151  */
3152  if (ItemIdIsRedirected(itemid) || !ItemIdIsUsed(itemid) ||
3153  ItemIdGetLength(itemid) == 0)
3154  ereport(ERROR,
3155  (errcode(ERRCODE_INDEX_CORRUPTED),
3156  errmsg("invalid line pointer storage in index \"%s\"",
3157  RelationGetRelationName(state->rel)),
3158  errdetail_internal("Index tid=(%u,%u) lp_off=%u, lp_len=%u lp_flags=%u.",
3159  block, offset, ItemIdGetOffset(itemid),
3160  ItemIdGetLength(itemid),
3161  ItemIdGetFlags(itemid))));
3162 
3163  return itemid;
3164 }
3165 
3166 /*
3167  * BTreeTupleGetHeapTID() wrapper that enforces that a heap TID is present in
3168  * cases where that is mandatory (i.e. for non-pivot tuples)
3169  */
3170 static inline ItemPointer
3171 BTreeTupleGetHeapTIDCareful(BtreeCheckState *state, IndexTuple itup,
3172  bool nonpivot)
3173 {
3174  ItemPointer htid;
3175 
3176  /*
3177  * Caller determines whether this is supposed to be a pivot or non-pivot
3178  * tuple using page type and item offset number. Verify that tuple
3179  * metadata agrees with this.
3180  */
3181  Assert(state->heapkeyspace);
3182  if (BTreeTupleIsPivot(itup) && nonpivot)
3183  ereport(ERROR,
3184  (errcode(ERRCODE_INDEX_CORRUPTED),
3185  errmsg_internal("block %u or its right sibling block or child block in index \"%s\" has unexpected pivot tuple",
3186  state->targetblock,
3187  RelationGetRelationName(state->rel))));
3188 
3189  if (!BTreeTupleIsPivot(itup) && !nonpivot)
3190  ereport(ERROR,
3191  (errcode(ERRCODE_INDEX_CORRUPTED),
3192  errmsg_internal("block %u or its right sibling block or child block in index \"%s\" has unexpected non-pivot tuple",
3193  state->targetblock,
3194  RelationGetRelationName(state->rel))));
3195 
3196  htid = BTreeTupleGetHeapTID(itup);
3197  if (!ItemPointerIsValid(htid) && nonpivot)
3198  ereport(ERROR,
3199  (errcode(ERRCODE_INDEX_CORRUPTED),
3200  errmsg("block %u or its right sibling block or child block in index \"%s\" contains non-pivot tuple that lacks a heap TID",
3201  state->targetblock,
3202  RelationGetRelationName(state->rel))));
3203 
3204  return htid;
3205 }
3206 
3207 /*
3208  * Return the "pointed to" TID for itup, which is used to generate a
3209  * descriptive error message. itup must be a "data item" tuple (it wouldn't
3210  * make much sense to call here with a high key tuple, since there won't be a
3211  * valid downlink/block number to display).
3212  *
3213  * Returns either a heap TID (which will be the first heap TID in posting list
3214  * if itup is posting list tuple), or a TID that contains downlink block
3215  * number, plus some encoded metadata (e.g., the number of attributes present
3216  * in itup).
3217  */
3218 static inline ItemPointer
3219 BTreeTupleGetPointsToTID(IndexTuple itup)
3220 {
3221  /*
3222  * Rely on the assumption that !heapkeyspace internal page data items will
3223  * correctly return TID with downlink here -- BTreeTupleGetHeapTID() won't
3224  * recognize it as a pivot tuple, but everything still works out because
3225  * the t_tid field is still returned
3226  */
3227  if (!BTreeTupleIsPivot(itup))
3228  return BTreeTupleGetHeapTID(itup);
3229 
3230  /* Pivot tuple returns TID with downlink block (heapkeyspace variant) */
3231  return &itup->t_tid;
3232 }
PG_MODULE_MAGIC
PG_MODULE_MAGIC
Definition: verify_nbtree.c:43
GetAccessStrategy
BufferAccessStrategy GetAccessStrategy(BufferAccessStrategyType btype)
Definition: freelist.c:542
ItemPointerCompare
int32 ItemPointerCompare(ItemPointer arg1, ItemPointer arg2)
Definition: itemptr.c:52
ItemPointerIsValid
#define ItemPointerIsValid(pointer)
Definition: itemptr.h:82
ItemPointerGetOffsetNumberNoCheck
#define ItemPointerGetOffsetNumberNoCheck(pointer)
Definition: itemptr.h:108
bloom_create
bloom_filter * bloom_create(int64 total_elems, int bloom_work_mem, uint64 seed)
Definition: bloomfilter.c:88
IndexGetRelation
Oid IndexGetRelation(Oid indexId, bool missing_ok)
Definition: index.c:3641
VARATT_IS_COMPRESSED
#define VARATT_IS_COMPRESSED(PTR)
Definition: postgres.h:325
invariant_leq_offset
static bool invariant_leq_offset(BtreeCheckState *state, BTScanInsert key, OffsetNumber upperbound)
Definition: verify_nbtree.c:2810
BTreeTupleGetPointsToTID
static ItemPointer BTreeTupleGetPointsToTID(IndexTuple itup)
Definition: verify_nbtree.c:3219
_bt_freestack
void _bt_freestack(BTStack stack)
Definition: nbtutils.c:175
BtreeCheckState::targetblock
BlockNumber targetblock
Definition: verify_nbtree.c:93
_bt_form_posting
IndexTuple _bt_form_posting(IndexTuple base, ItemPointer htids, int nhtids)
Definition: nbtdedup.c:859
BTPageOpaqueData::btpo_next
BlockNumber btpo_next
Definition: nbtree.h:65
btree_index_mainfork_expected
static bool btree_index_mainfork_expected(Relation rel)
Definition: verify_nbtree.c:381
MemoryContextDelete
void MemoryContextDelete(MemoryContext context)
Definition: mcxt.c:218
AllocSetContextCreate
#define AllocSetContextCreate
Definition: memutils.h:173
DEBUG1
#define DEBUG1
Definition: elog.h:25
table_close
void table_close(Relation relation, LOCKMODE lockmode)
Definition: table.c:167
errhint
int errhint(const char *fmt,...)
Definition: elog.c:1156
ERRCODE_UNDEFINED_TABLE
#define ERRCODE_UNDEFINED_TABLE
Definition: pgbench.c:76
bt_index_parent_check
Datum bt_index_parent_check(PG_FUNCTION_ARGS)
Definition: verify_nbtree.c:224
btree_index_checkable
static void btree_index_checkable(Relation rel)
Definition: verify_nbtree.c:348
ItemIdIsRedirected
#define ItemIdIsRedirected(itemId)
Definition: itemid.h:106
P_IGNORE
#define P_IGNORE(opaque)
Definition: nbtree.h:224
BTreeTupleIsPivot
static bool BTreeTupleIsPivot(IndexTuple itup)
Definition: nbtree.h:473
BTInsertStateData::bounds_valid
bool bounds_valid
Definition: nbtree.h:821
bt_check_level_from_leftmost
static BtreeLevel bt_check_level_from_leftmost(BtreeCheckState *state, BtreeLevel level)
Definition: verify_nbtree.c:657
RegisterSnapshot
Snapshot RegisterSnapshot(Snapshot snapshot)
Definition: snapmgr.c:810
BTMetaPageData::btm_version
uint32 btm_version
Definition: nbtree.h:104
BTreeTupleGetHeapTID
static ItemPointer BTreeTupleGetHeapTID(IndexTuple itup)
Definition: nbtree.h:631
RelationGetDescr
#define RelationGetDescr(relation)
Definition: rel.h:483
LOCKMODE
int LOCKMODE
Definition: lockdefs.h:26
_bt_mkscankey
BTScanInsert _bt_mkscankey(Relation rel, IndexTuple itup)
Definition: nbtutils.c:90
BTScanInsertData::scantid
ItemPointer scantid
Definition: nbtree.h:789
palloc_btree_page
static Page palloc_btree_page(BtreeCheckState *state, BlockNumber blocknum)
Definition: verify_nbtree.c:2929
BtreeLevel::level
uint32 level
Definition: verify_nbtree.c:127
PointerGetDatum
#define PointerGetDatum(X)
Definition: postgres.h:600
BTREE_VERSION
#define BTREE_VERSION
Definition: nbtree.h:148
bloom_add_element
void bloom_add_element(bloom_filter *filter, unsigned char *elem, size_t len)
Definition: bloomfilter.c:136
TupleDescAttr
#define TupleDescAttr(tupdesc, i)
Definition: tupdesc.h:92
random
long random(void)
Definition: random.c:22
RelationData::rd_smgr
struct SMgrRelationData * rd_smgr
Definition: rel.h:57
bt_tuple_present_callback
static void bt_tuple_present_callback(Relation index, ItemPointer tid, Datum *values, bool *isnull, bool tupleIsAlive, void *checkstate)
Definition: verify_nbtree.c:2457
psprintf
char * psprintf(const char *fmt,...)
Definition: psprintf.c:46
P_FIRSTDATAKEY
#define P_FIRSTDATAKEY(opaque)
Definition: nbtree.h:369
BTMetaPageData::btm_magic
uint32 btm_magic
Definition: nbtree.h:103
ReadBufferExtended
Buffer ReadBufferExtended(Relation reln, ForkNumber forkNum, BlockNumber blockNum, ReadBufferMode mode, BufferAccessStrategy strategy)
Definition: bufmgr.c:744
bt_normalize_tuple
static IndexTuple bt_normalize_tuple(BtreeCheckState *state, IndexTuple itup)
Definition: verify_nbtree.c:2525
IndexTupleData::t_tid
ItemPointerData t_tid
Definition: itup.h:37
bt_pivot_tuple_identical
static bool bt_pivot_tuple_identical(bool heapkeyspace, IndexTuple itup1, IndexTuple itup2)
Definition: verify_nbtree.c:1750
ItemIdIsUsed
#define ItemIdIsUsed(itemId)
Definition: itemid.h:92
MemoryContextSwitchTo
static MemoryContext MemoryContextSwitchTo(MemoryContext context)
Definition: palloc.h:109
IsolationUsesXactSnapshot
#define IsolationUsesXactSnapshot()
Definition: xact.h:51
P_NONE
#define P_NONE
Definition: nbtree.h:211
BTreeTupleGetDownLink
static BlockNumber BTreeTupleGetDownLink(IndexTuple pivot)
Definition: nbtree.h:549
AccessShareLock
#define AccessShareLock
Definition: lockdefs.h:36
BTMaxItemSizeNoHeapTid
#define BTMaxItemSizeNoHeapTid(page)
Definition: nbtree.h:168
InvalidBuffer
#define InvalidBuffer
Definition: buf.h:25
IndexInfo::ii_ExclusionProcs
Oid * ii_ExclusionProcs
Definition: execnodes.h:166
P_HAS_GARBAGE
#define P_HAS_GARBAGE(opaque)
Definition: nbtree.h:225
errcode
int errcode(int sqlerrcode)
Definition: elog.c:698
RecentXmin
TransactionId RecentXmin
Definition: snapmgr.c:113
MemoryContextReset
void MemoryContextReset(MemoryContext context)
Definition: mcxt.c:143
bt_right_page_check_scankey
static BTScanInsert bt_right_page_check_scankey(BtreeCheckState *state)
Definition: verify_nbtree.c:1544
BlockNumber
uint32 BlockNumber
Definition: block.h:31
P_INCOMPLETE_SPLIT
#define P_INCOMPLETE_SPLIT(opaque)
Definition: nbtree.h:226
PG_GETARG_BOOL
#define PG_GETARG_BOOL(n)
Definition: fmgr.h:274
BuildIndexInfo
IndexInfo * BuildIndexInfo(Relation index)
Definition: index.c:2543
smgrexists
bool smgrexists(SMgrRelation reln, ForkNumber forknum)
Definition: smgr.c:247
MaxTIDsPerBTreePage
#define MaxTIDsPerBTreePage
Definition: nbtree.h:184
RelationData::rd_rel
Form_pg_class rd_rel
Definition: rel.h:110
Oid
unsigned int Oid
Definition: postgres_ext.h:31
RecoveryInProgress
bool RecoveryInProgress(void)
Definition: xlog.c:8237
ItemIdIsDead
#define ItemIdIsDead(itemId)
Definition: itemid.h:113
BTreeTupleGetNAtts
#define BTreeTupleGetNAtts(itup, rel)
Definition: nbtree.h:570
BtreeCheckState::checkstrategy
BufferAccessStrategy checkstrategy
Definition: verify_nbtree.c:84
GetTransactionSnapshot
Snapshot GetTransactionSnapshot(void)
Definition: snapmgr.c:250
OidIsValid
#define OidIsValid(objectId)
Definition: c.h:710
PageGetMaxOffsetNumber
#define PageGetMaxOffsetNumber(page)
Definition: bufpage.h:357
BTPageOpaque
BTPageOpaqueData * BTPageOpaque
Definition: nbtree.h:71
bt_downlink_missing_check
static void bt_downlink_missing_check(BtreeCheckState *state, bool rightsplit, BlockNumber targetblock, Page target)
Definition: verify_nbtree.c:2234
table_beginscan_strat
static TableScanDesc table_beginscan_strat(Relation rel, Snapshot snapshot, int nkeys, struct ScanKeyData *key, bool allow_strat, bool allow_sync)
Definition: tableam.h:907
BtreeCheckState::filter
bloom_filter * filter
Definition: verify_nbtree.c:116
int32
signed int int32
Definition: c.h:429
errdetail_internal
int errdetail_internal(const char *fmt,...)
Definition: elog.c:1069
RelationData::rd_indextuple
struct HeapTupleData * rd_indextuple
Definition: rel.h:177
P_HAS_FULLXID
#define P_HAS_FULLXID(opaque)
Definition: nbtree.h:227
OffsetNumber
uint16 OffsetNumber
Definition: off.h:24
HeapTupleData::t_data
HeapTupleHeader t_data
Definition: htup.h:68
invariant_l_offset
static bool invariant_l_offset(BtreeCheckState *state, BTScanInsert key, OffsetNumber upperbound)
Definition: verify_nbtree.c:2747
index
Definition: type.h:89
P_ISMETA
#define P_ISMETA(opaque)
Definition: nbtree.h:222
bt_index_check_internal
static void bt_index_check_internal(Oid indrelid, bool parentcheck, bool heapallindexed, bool rootdescend)
Definition: verify_nbtree.c:244
invariant_g_offset
static bool invariant_g_offset(BtreeCheckState *state, BTScanInsert key, OffsetNumber lowerbound)
Definition: verify_nbtree.c:2833
RelationOpenSmgr
#define RelationOpenSmgr(relation)
Definition: rel.h:514
VARATT_IS_EXTERNAL
#define VARATT_IS_EXTERNAL(PTR)
Definition: postgres.h:326
index_form_tuple
IndexTuple index_form_tuple(TupleDesc tupleDescriptor, Datum *values, bool *isnull)
Definition: indextuple.c:47
BT_READ
#define BT_READ
Definition: nbtree.h:712
LSN_FORMAT_ARGS
#define LSN_FORMAT_ARGS(lsn)
Definition: xlogdefs.h:43
BtreeCheckState::targetlsn
XLogRecPtr targetlsn
Definition: verify_nbtree.c:95
RelationData::rd_index
Form_pg_index rd_index
Definition: rel.h:175
BTMetaPageData::btm_fastroot
BlockNumber btm_fastroot
Definition: nbtree.h:107
ItemIdGetLength
#define ItemIdGetLength(itemId)
Definition: itemid.h:59
pfree
void pfree(void *pointer)
Definition: mcxt.c:1169
BTREE_MAGIC
#define BTREE_MAGIC
Definition: nbtree.h:147
_bt_checkpage
void _bt_checkpage(Relation rel, Buffer buf)
Definition: nbtpage.c:794
P_ISHALFDEAD
#define P_ISHALFDEAD(opaque)
Definition: nbtree.h:223
UnlockReleaseBuffer
void UnlockReleaseBuffer(Buffer buffer)
Definition: bufmgr.c:3807
ERROR
#define ERROR
Definition: elog.h:46
table_index_build_scan
static double table_index_build_scan(Relation table_rel, Relation index_rel, struct IndexInfo *index_info, bool allow_sync, bool progress, IndexBuildCallback callback, void *callback_state, TableScanDesc scan)
Definition: tableam.h:1745
ALLOCSET_DEFAULT_SIZES
#define ALLOCSET_DEFAULT_SIZES
Definition: memutils.h:195
DEBUG2
#define DEBUG2
Definition: elog.h:24
bt_recheck_sibling_links
static void bt_recheck_sibling_links(BtreeCheckState *state, BlockNumber btpo_prev_from_target, BlockNumber leftcurrent)
Definition: verify_nbtree.c:911
BTPageGetMeta
#define BTPageGetMeta(p)
Definition: nbtree.h:119
BTPageOpaqueData::btpo_prev
BlockNumber btpo_prev
Definition: nbtree.h:64
BTPageOpaqueData::btpo_level
uint32 btpo_level
Definition: nbtree.h:66
bt_index_check
Datum bt_index_check(PG_FUNCTION_ARGS)
Definition: verify_nbtree.c:201
PG_GETARG_OID
#define PG_GETARG_OID(n)
Definition: fmgr.h:275
bt_check_every_level
static void bt_check_every_level(Relation rel, Relation heaprel, bool heapkeyspace, bool readonly, bool heapallindexed, bool rootdescend)
Definition: verify_nbtree.c:419
_bt_binsrch_insert
OffsetNumber _bt_binsrch_insert(Relation rel, BTInsertState insertstate)
Definition: nbtsearch.c:447
BtreeLevel::leftmost
BlockNumber leftmost
Definition: verify_nbtree.c:130
IndexTuple
IndexTupleData * IndexTuple
Definition: itup.h:53
errdetail
int errdetail(const char *fmt,...)
Definition: elog.c:1042
RelationGetRelationName
#define RelationGetRelationName(relation)
Definition: rel.h:491
P_LEFTMOST
#define P_LEFTMOST(opaque)
Definition: nbtree.h:217
Form_pg_attribute
FormData_pg_attribute * Form_pg_attribute
Definition: pg_attribute.h:203
uint32
unsigned int uint32
Definition: c.h:441
ItemIdGetOffset
#define ItemIdGetOffset(itemId)
Definition: itemid.h:65
SnapshotData::xmin
TransactionId xmin
Definition: snapshot.h:157
CurrentMemoryContext
MemoryContext CurrentMemoryContext
Definition: mcxt.c:42
BTInsertStateData::itup
IndexTuple itup
Definition: nbtree.h:809
_bt_compare
int32 _bt_compare(Relation rel, BTScanInsert key, Page page, OffsetNumber offnum)
Definition: nbtsearch.c:644
BufferGetPage
#define BufferGetPage(buffer)
Definition: bufmgr.h:169
htup_details.h
BTreeTupleGetHeapTIDCareful
static ItemPointer BTreeTupleGetHeapTIDCareful(BtreeCheckState *state, IndexTuple itup, bool nonpivot)
Definition: verify_nbtree.c:3171
BTREE_METAPAGE
#define BTREE_METAPAGE
Definition: nbtree.h:146
BTScanInsertData::pivotsearch
bool pivotsearch
Definition: nbtree.h:788
P_ISDELETED
#define P_ISDELETED(opaque)
Definition: nbtree.h:221
TransactionIdPrecedes
bool TransactionIdPrecedes(TransactionId id1, TransactionId id2)
Definition: transam.c:300
P_ISROOT
#define P_ISROOT(opaque)
Definition: nbtree.h:220
_bt_metaversion
void _bt_metaversion(Relation rel, bool *heapkeyspace, bool *allequalimage)
Definition: nbtpage.c:736
UnregisterSnapshot
void UnregisterSnapshot(Snapshot snapshot)
Definition: snapmgr.c:852
ERRCODE_DATA_CORRUPTED
#define ERRCODE_DATA_CORRUPTED
Definition: pg_basebackup.c:45
bloom_free
void bloom_free(bloom_filter *filter)
Definition: bloomfilter.c:127
PageGetItemId
#define PageGetItemId(page, offsetNumber)
Definition: bufpage.h:235
bloom_filter
Definition: bloomfilter.c:44
BtreeCheckState::heaprel
Relation heaprel
Definition: verify_nbtree.c:72
BTMetaPageData::btm_fastlevel
uint32 btm_fastlevel
Definition: nbtree.h:108
BTreeTupleGetMaxHeapTID
static ItemPointer BTreeTupleGetMaxHeapTID(IndexTuple itup)
Definition: nbtree.h:657
invariant_l_nontarget_offset
static bool invariant_l_nontarget_offset(BtreeCheckState *state, BTScanInsert key, BlockNumber nontargetblock, Page nontarget, OffsetNumber upperbound)
Definition: verify_nbtree.c:2869
ItemIdGetFlags
#define ItemIdGetFlags(itemId)
Definition: itemid.h:71
palloc0
void * palloc0(Size size)
Definition: mcxt.c:1093
Datum
uintptr_t Datum
Definition: postgres.h:411
bt_mkscankey_pivotsearch
static BTScanInsert bt_mkscankey_pivotsearch(Relation rel, IndexTuple itup)
Definition: verify_nbtree.c:3107
LockBuffer
void LockBuffer(Buffer buffer, int mode)
Definition: bufmgr.c:4023
BTMetaPageData::btm_root
BlockNumber btm_root
Definition: nbtree.h:105
RelationGetNumberOfBlocks
#define RelationGetNumberOfBlocks(reln)
Definition: bufmgr.h:213
BTREE_MIN_VERSION
#define BTREE_MIN_VERSION
Definition: nbtree.h:149
InvalidOffsetNumber
#define InvalidOffsetNumber
Definition: off.h:26
_bt_relbuf
void _bt_relbuf(Relation rel, Buffer buf)
Definition: nbtpage.c:1035
ereport
#define ereport(elevel,...)
Definition: elog.h:157
maintenance_work_mem
int maintenance_work_mem
Definition: globals.c:126
BlockNumberIsValid
#define BlockNumberIsValid(blockNumber)
Definition: block.h:70
NOTICE
#define NOTICE
Definition: elog.h:37
BTreeTupleGetPostingN
static ItemPointer BTreeTupleGetPostingN(IndexTuple posting, int n)
Definition: nbtree.h:537
PG_RETURN_VOID
#define PG_RETURN_VOID()
Definition: fmgr.h:349
BTreeTupleIsPosting
static bool BTreeTupleIsPosting(IndexTuple itup)
Definition: nbtree.h:485
errmsg_internal
int errmsg_internal(const char *fmt,...)
Definition: elog.c:996
IndexInfo::ii_Unique
bool ii_Unique
Definition: execnodes.h:172
Max
#define Max(x, y)
Definition: c.h:980
_bt_check_natts
bool _bt_check_natts(Relation rel, bool heapkeyspace, Page page, OffsetNumber offnum)
Definition: nbtutils.c:2466
bt_child_highkey_check
static void bt_child_highkey_check(BtreeCheckState *state, OffsetNumber target_downlinkoffnum, Page loaded_child, uint32 target_level)
Definition: verify_nbtree.c:1823
XLogRecPtr
uint64 XLogRecPtr
Definition: xlogdefs.h:21
BTInsertStateData::itup_key
BTScanInsert itup_key
Definition: nbtree.h:811
Assert
#define Assert(condition)
Definition: c.h:804
state
Definition: regguts.h:317
RELATION_IS_OTHER_TEMP
#define RELATION_IS_OTHER_TEMP(relation)
Definition: rel.h:600
BTreeTupleGetNKeyAtts
#define BTreeTupleGetNKeyAtts(itup, rel)
Definition: verify_nbtree.c:50
bt_target_page_check
static void bt_target_page_check(BtreeCheckState *state)
Definition: verify_nbtree.c:1045
BtreeLevel
struct BtreeLevel BtreeLevel
BTScanInsertData::heapkeyspace
bool heapkeyspace
Definition: nbtree.h:784
HeapTupleHeaderGetXmin
#define HeapTupleHeaderGetXmin(tup)
Definition: htup_details.h:313
INDEX_MAX_KEYS
#define INDEX_MAX_KEYS
Definition: pg_config_manual.h:52
OffsetNumberNext
#define OffsetNumberNext(offsetNumber)
Definition: off.h:52
PageGetSpecialPointer
#define PageGetSpecialPointer(page)
Definition: bufpage.h:326
InvalidBlockNumber
#define InvalidBlockNumber
Definition: block.h:33
MAXALIGN
#define MAXALIGN(LEN)
Definition: c.h:757
BufferIsValid
#define BufferIsValid(bufnum)
Definition: bufmgr.h:123
index_getattr
#define index_getattr(tup, attnum, tupleDesc, isnull)
Definition: itup.h:100
ItemPointerGetOffsetNumber
#define ItemPointerGetOffsetNumber(pointer)
Definition: itemptr.h:117
PG_NARGS
#define PG_NARGS()
Definition: fmgr.h:203
IndexTupleHasVarwidths
#define IndexTupleHasVarwidths(itup)
Definition: itup.h:73
IndexInfo::ii_Concurrent
bool ii_Concurrent
Definition: execnodes.h:174
INT64_FORMAT
#define INT64_FORMAT
Definition: c.h:483
SnapshotAny
#define SnapshotAny
Definition: snapmgr.h:67
bloom_prop_bits_set
double bloom_prop_bits_set(bloom_filter *filter)
Definition: bloomfilter.c:188
bt_child_check
static void bt_child_check(BtreeCheckState *state, BTScanInsert targetkey, OffsetNumber downlinkoffnum)
Definition: verify_nbtree.c:2069
index_close
void index_close(Relation relation, LOCKMODE lockmode)
Definition: indexam.c:158
PageGetLSN
#define PageGetLSN(page)
Definition: bufpage.h:366
DatumGetPointer
#define DatumGetPointer(X)
Definition: postgres.h:593
BtreeCheckState::lowkey
IndexTuple lowkey
Definition: verify_nbtree.c:101
BTMaxItemSize
#define BTMaxItemSize(page)
Definition: nbtree.h:162
P_HIKEY
#define P_HIKEY
Definition: nbtree.h:367
bt_rootdescend
static bool bt_rootdescend(BtreeCheckState *state, IndexTuple itup)
Definition: verify_nbtree.c:2648
values
static Datum values[MAXATTR]
Definition: bootstrap.c:166
IndexInfo::ii_ExclusionOps
Oid * ii_ExclusionOps
Definition: execnodes.h:165
MaxIndexTuplesPerPage
#define MaxIndexTuplesPerPage
Definition: itup.h:145
palloc
void * palloc(Size size)
Definition: mcxt.c:1062
errmsg
int errmsg(const char *fmt,...)
Definition: elog.c:909
PageGetItemIdCareful
static ItemId PageGetItemIdCareful(BtreeCheckState *state, BlockNumber block, Page page, OffsetNumber offset)
Definition: verify_nbtree.c:3131
ItemPointerGetBlockNumberNoCheck
#define ItemPointerGetBlockNumberNoCheck(pointer)
Definition: itemptr.h:89
MemoryContextAlloc
void * MemoryContextAlloc(MemoryContext context, Size size)
Definition: mcxt.c:863
BTMetaPageData::btm_level
uint32 btm_level
Definition: nbtree.h:106
elog
#define elog(elevel,...)
Definition: elog.h:232
ShareLock
#define ShareLock
Definition: lockdefs.h:41
i
int i
Definition: preproc-comment.c:23
OffsetNumberIsValid
#define OffsetNumberIsValid(offsetNumber)
Definition: off.h:39
BtreeLevel::istruerootlevel
bool istruerootlevel
Definition: verify_nbtree.c:133
BTreeTupleGetTopParent
static BlockNumber BTreeTupleGetTopParent(IndexTuple leafhikey)
Definition: nbtree.h:613
BTreeTupleGetNPosting
static uint16 BTreeTupleGetNPosting(IndexTuple posting)
Definition: nbtree.h:511
PG_DETOAST_DATUM
#define PG_DETOAST_DATUM(datum)
Definition: fmgr.h:240
PG_FUNCTION_ARGS
#define PG_FUNCTION_ARGS
Definition: fmgr.h:193
offset_is_negative_infinity
static bool offset_is_negative_infinity(BTPageOpaque opaque, OffsetNumber offset)
Definition: verify_nbtree.c:2712
CHECK_FOR_INTERRUPTS
#define CHECK_FOR_INTERRUPTS()
Definition: miscadmin.h:102
ItemPointerGetBlockNumber
#define ItemPointerGetBlockNumber(pointer)
Definition: itemptr.h:98
InvalidBtreeLevel
#define InvalidBtreeLevel
Definition: verify_nbtree.c:49
IndexTupleData::t_info
unsigned short t_info
Definition: itup.h:49
pg_am.h
TransactionIdIsValid
#define TransactionIdIsValid(xid)
Definition: transam.h:41
PG_FUNCTION_INFO_V1
PG_FUNCTION_INFO_V1(bt_index_check)
IndexInfo::ii_ExclusionStrats
uint16 * ii_ExclusionStrats
Definition: execnodes.h:167
table_open
Relation table_open(Oid relationId, LOCKMODE lockmode)
Definition: table.c:39
_bt_allequalimage
bool _bt_allequalimage(Relation rel, bool debugmessage)
Definition: nbtutils.c:2692
BtreeCheckState::targetcontext
MemoryContext targetcontext
Definition: verify_nbtree.c:82
Buffer
int Buffer
Definition: buf.h:23
P_RIGHTMOST
#define P_RIGHTMOST(opaque)
Definition: nbtree.h:218
BtreeCheckState::prevrightlink
BlockNumber prevrightlink
Definition: verify_nbtree.c:108
ItemPointerData::ip_posid
OffsetNumber ip_posid
Definition: itemptr.h:39
index_open
Relation index_open(Oid relationId, LOCKMODE lockmode)
Definition: indexam.c:132
_bt_search
BTStack _bt_search(Relation rel, BTScanInsert key, Buffer *bufP, int access, Snapshot snapshot)
Definition: nbtsearch.c:101
offsetof
#define offsetof(type, field)
Definition: c.h:727
bloom_lacks_element
bool bloom_lacks_element(bloom_filter *filter, unsigned char *elem, size_t len)
Definition: bloomfilter.c:158
PageGetItem
#define PageGetItem(page, itemId)
Definition: bufpage.h:340
Page
Pointer Page
Definition: bufpage.h:78
IndexTupleSize
#define IndexTupleSize(itup)
Definition: itup.h:71
ItemPointerCopy
#define ItemPointerCopy(fromPointer, toPointer)
Definition: itemptr.h:161
cmp
static int cmp(const chr *x, const chr *y, size_t len)
Definition: regc_locale.c:747
bt_posting_plain_tuple
static IndexTuple bt_posting_plain_tuple(IndexTuple itup, int n)
Definition: verify_nbtree.c:2615
P_ISLEAF
#define P_ISLEAF(opaque)
Definition: nbtree.h:219
BtreeCheckState
struct BtreeCheckState BtreeCheckState