PostgreSQL Source Code  git master
verify_nbtree.c
Go to the documentation of this file.
1 /*-------------------------------------------------------------------------
2  *
3  * verify_nbtree.c
4  * Verifies the integrity of nbtree indexes based on invariants.
5  *
6  * For B-Tree indexes, verification includes checking that each page in the
7  * target index has items in logical order as reported by an insertion scankey
8  * (the insertion scankey sort-wise NULL semantics are needed for
9  * verification).
10  *
11  * When index-to-heap verification is requested, a Bloom filter is used to
12  * fingerprint all tuples in the target index, as the index is traversed to
13  * verify its structure. A heap scan later uses Bloom filter probes to verify
14  * that every visible heap tuple has a matching index tuple.
15  *
16  *
17  * Copyright (c) 2017-2024, PostgreSQL Global Development Group
18  *
19  * IDENTIFICATION
20  * contrib/amcheck/verify_nbtree.c
21  *
22  *-------------------------------------------------------------------------
23  */
24 #include "postgres.h"
25 
26 #include "access/heaptoast.h"
27 #include "access/htup_details.h"
28 #include "access/nbtree.h"
29 #include "access/table.h"
30 #include "access/tableam.h"
31 #include "access/transam.h"
32 #include "access/xact.h"
33 #include "catalog/index.h"
34 #include "catalog/pg_am.h"
35 #include "catalog/pg_opfamily_d.h"
36 #include "commands/tablecmds.h"
37 #include "common/pg_prng.h"
38 #include "lib/bloomfilter.h"
39 #include "miscadmin.h"
40 #include "storage/lmgr.h"
41 #include "storage/smgr.h"
42 #include "utils/guc.h"
43 #include "utils/memutils.h"
44 #include "utils/snapmgr.h"
45 
46 
47 PG_MODULE_MAGIC;
48 
49 /*
50  * A B-Tree cannot possibly have this many levels, since there must be one
51  * block per level, which is bound by the range of BlockNumber:
52  */
53 #define InvalidBtreeLevel ((uint32) InvalidBlockNumber)
54 #define BTreeTupleGetNKeyAtts(itup, rel) \
55  Min(IndexRelationGetNumberOfKeyAttributes(rel), BTreeTupleGetNAtts(itup, rel))
56 
57 /*
58  * State associated with verifying a B-Tree index
59  *
60  * target is the point of reference for a verification operation.
61  *
62  * Other B-Tree pages may be allocated, but those are always auxiliary (e.g.,
63  * they are current target's child pages). Conceptually, problems are only
64  * ever found in the current target page (or for a particular heap tuple during
65  * heapallindexed verification). Each page found by verification's left/right,
66  * top/bottom scan becomes the target exactly once.
67  */
68 typedef struct BtreeCheckState
69 {
70  /*
71  * Unchanging state, established at start of verification:
72  */
73 
74  /* B-Tree Index Relation and associated heap relation */
75  Relation rel;
76  Relation heaprel;
77  /* rel is heapkeyspace index? */
78  bool heapkeyspace;
79  /* ShareLock held on heap/index, rather than AccessShareLock? */
80  bool readonly;
81  /* Also verifying heap has no unindexed tuples? */
82  bool heapallindexed;
83  /* Also making sure non-pivot tuples can be found by new search? */
84  bool rootdescend;
85  /* Also check uniqueness constraint if index is unique */
86  bool checkunique;
87  /* Per-page context */
88  MemoryContext targetcontext;
89  /* Buffer access strategy */
90  BufferAccessStrategy checkstrategy;
91 
92  /*
93  * Info for uniqueness checking. Fill these fields once per index check.
94  */
95  IndexInfo *indexinfo;
96  Snapshot snapshot;
97 
98  /*
99  * Mutable state, for verification of particular page:
100  */
101 
102  /* Current target page */
103  Page target;
104  /* Target block number */
105  BlockNumber targetblock;
106  /* Target page's LSN */
107  XLogRecPtr targetlsn;
108 
109  /*
110  * Low key: high key of left sibling of target page. Used only for child
111  * verification. So, 'lowkey' is kept only when 'readonly' is set.
112  */
113  IndexTuple lowkey;
114 
115  /*
116  * The rightlink and incomplete split flag of block one level down to the
117  * target page, which was visited last time via downlink from target page.
118  * We use it to check for missing downlinks.
119  */
120  BlockNumber prevrightlink;
121  bool previncompletesplit;
122 
123  /*
124  * Mutable state, for optional heapallindexed verification:
125  */
126 
127  /* Bloom filter fingerprints B-Tree index */
128  bloom_filter *filter;
129  /* Debug counter */
130  int64 heaptuplespresent;
131 } BtreeCheckState;
132 
133 /*
134  * Starting point for verifying an entire B-Tree index level
135  */
136 typedef struct BtreeLevel
137 {
138  /* Level number (0 is leaf page level). */
139  uint32 level;
140 
141  /* Left most block on level. Scan of level begins here. */
142  BlockNumber leftmost;
143 
144  /* Is this level reported as "true" root level by meta page? */
145  bool istruerootlevel;
146 } BtreeLevel;
147 
148 /*
149  * Information about the last visible entry with current B-tree key. Used
150  * for validation of the unique constraint.
151  */
152 typedef struct BtreeLastVisibleEntry
153 {
154  BlockNumber blkno; /* Index block */
155  OffsetNumber offset; /* Offset on index block */
156  int postingIndex; /* Number in the posting list (-1 for
157  * non-deduplicated tuples) */
158  ItemPointer tid; /* Heap tid */
159 } BtreeLastVisibleEntry;
160 
161 PG_FUNCTION_INFO_V1(bt_index_check);
162 PG_FUNCTION_INFO_V1(bt_index_parent_check);
163 
164 static void bt_index_check_internal(Oid indrelid, bool parentcheck,
165  bool heapallindexed, bool rootdescend,
166  bool checkunique);
167 static inline void btree_index_checkable(Relation rel);
168 static inline bool btree_index_mainfork_expected(Relation rel);
169 static void bt_check_every_level(Relation rel, Relation heaprel,
170  bool heapkeyspace, bool readonly, bool heapallindexed,
171  bool rootdescend, bool checkunique);
172 static BtreeLevel bt_check_level_from_leftmost(BtreeCheckState *state,
173  BtreeLevel level);
174 static bool bt_leftmost_ignoring_half_dead(BtreeCheckState *state,
175  BlockNumber start,
176  BTPageOpaque start_opaque);
177 static void bt_recheck_sibling_links(BtreeCheckState *state,
178  BlockNumber btpo_prev_from_target,
179  BlockNumber leftcurrent);
180 static bool heap_entry_is_visible(BtreeCheckState *state, ItemPointer tid);
181 static void bt_report_duplicate(BtreeCheckState *state,
182  BtreeLastVisibleEntry *lVis,
183  ItemPointer nexttid,
184  BlockNumber nblock, OffsetNumber noffset,
185  int nposting);
186 static void bt_entry_unique_check(BtreeCheckState *state, IndexTuple itup,
187  BlockNumber targetblock, OffsetNumber offset,
188  BtreeLastVisibleEntry *lVis);
189 static void bt_target_page_check(BtreeCheckState *state);
190 static BTScanInsert bt_right_page_check_scankey(BtreeCheckState *state,
191  OffsetNumber *rightfirstoffset);
192 static void bt_child_check(BtreeCheckState *state, BTScanInsert targetkey,
193  OffsetNumber downlinkoffnum);
194 static void bt_child_highkey_check(BtreeCheckState *state,
195  OffsetNumber target_downlinkoffnum,
196  Page loaded_child,
197  uint32 target_level);
198 static void bt_downlink_missing_check(BtreeCheckState *state, bool rightsplit,
199  BlockNumber blkno, Page page);
200 static void bt_tuple_present_callback(Relation index, ItemPointer tid,
201  Datum *values, bool *isnull,
202  bool tupleIsAlive, void *checkstate);
203 static IndexTuple bt_normalize_tuple(BtreeCheckState *state,
204  IndexTuple itup);
205 static inline IndexTuple bt_posting_plain_tuple(IndexTuple itup, int n);
206 static bool bt_rootdescend(BtreeCheckState *state, IndexTuple itup);
207 static inline bool offset_is_negative_infinity(BTPageOpaque opaque,
208  OffsetNumber offset);
209 static inline bool invariant_l_offset(BtreeCheckState *state, BTScanInsert key,
210  OffsetNumber upperbound);
211 static inline bool invariant_leq_offset(BtreeCheckState *state,
212  BTScanInsert key,
213  OffsetNumber upperbound);
214 static inline bool invariant_g_offset(BtreeCheckState *state, BTScanInsert key,
215  OffsetNumber lowerbound);
216 static inline bool invariant_l_nontarget_offset(BtreeCheckState *state,
217  BTScanInsert key,
218  BlockNumber nontargetblock,
219  Page nontarget,
220  OffsetNumber upperbound);
221 static Page palloc_btree_page(BtreeCheckState *state, BlockNumber blocknum);
222 static inline BTScanInsert bt_mkscankey_pivotsearch(Relation rel,
223  IndexTuple itup);
224 static ItemId PageGetItemIdCareful(BtreeCheckState *state, BlockNumber block,
225  Page page, OffsetNumber offset);
226 static inline ItemPointer BTreeTupleGetHeapTIDCareful(BtreeCheckState *state,
227  IndexTuple itup, bool nonpivot);
228 static inline ItemPointer BTreeTupleGetPointsToTID(IndexTuple itup);
229 
230 /*
231  * bt_index_check(index regclass, heapallindexed boolean, checkunique boolean)
232  *
233  * Verify integrity of B-Tree index.
234  *
235  * Acquires AccessShareLock on heap & index relations. Does not consider
236  * invariants that exist between parent/child pages. Optionally verifies
237  * that heap does not contain any unindexed or incorrectly indexed tuples.
238  */
239 Datum
240 bt_index_check(PG_FUNCTION_ARGS)
241 {
242  Oid indrelid = PG_GETARG_OID(0);
243  bool heapallindexed = false;
244  bool checkunique = false;
245 
246  if (PG_NARGS() >= 2)
247  heapallindexed = PG_GETARG_BOOL(1);
248  if (PG_NARGS() == 3)
249  checkunique = PG_GETARG_BOOL(2);
250 
251  bt_index_check_internal(indrelid, false, heapallindexed, false, checkunique);
252 
253  PG_RETURN_VOID();
254 }
255 
256 /*
257  * bt_index_parent_check(index regclass, heapallindexed boolean, rootdescend boolean, checkunique boolean)
258  *
259  * Verify integrity of B-Tree index.
260  *
261  * Acquires ShareLock on heap & index relations. Verifies that downlinks in
262  * parent pages are valid lower bounds on child pages. Optionally verifies
263  * that heap does not contain any unindexed or incorrectly indexed tuples.
264  */
265 Datum
266 bt_index_parent_check(PG_FUNCTION_ARGS)
267 {
268  Oid indrelid = PG_GETARG_OID(0);
269  bool heapallindexed = false;
270  bool rootdescend = false;
271  bool checkunique = false;
272 
273  if (PG_NARGS() >= 2)
274  heapallindexed = PG_GETARG_BOOL(1);
275  if (PG_NARGS() >= 3)
276  rootdescend = PG_GETARG_BOOL(2);
277  if (PG_NARGS() == 4)
278  checkunique = PG_GETARG_BOOL(3);
279 
280  bt_index_check_internal(indrelid, true, heapallindexed, rootdescend, checkunique);
281 
282  PG_RETURN_VOID();
283 }
284 
285 /*
286  * Helper for bt_index_[parent_]check, coordinating the bulk of the work.
287  */
288 static void
289 bt_index_check_internal(Oid indrelid, bool parentcheck, bool heapallindexed,
290  bool rootdescend, bool checkunique)
291 {
292  Oid heapid;
293  Relation indrel;
294  Relation heaprel;
295  LOCKMODE lockmode;
296  Oid save_userid;
297  int save_sec_context;
298  int save_nestlevel;
299 
300  if (parentcheck)
301  lockmode = ShareLock;
302  else
303  lockmode = AccessShareLock;
304 
305  /*
306  * We must lock table before index to avoid deadlocks. However, if the
307  * passed indrelid isn't an index then IndexGetRelation() will fail.
308  * Rather than emitting a not-very-helpful error message, postpone
309  * complaining, expecting that the is-it-an-index test below will fail.
310  *
311  * In hot standby mode this will raise an error when parentcheck is true.
312  */
313  heapid = IndexGetRelation(indrelid, true);
314  if (OidIsValid(heapid))
315  {
316  heaprel = table_open(heapid, lockmode);
317 
318  /*
319  * Switch to the table owner's userid, so that any index functions are
320  * run as that user. Also lock down security-restricted operations
321  * and arrange to make GUC variable changes local to this command.
322  */
323  GetUserIdAndSecContext(&save_userid, &save_sec_context);
324  SetUserIdAndSecContext(heaprel->rd_rel->relowner,
325  save_sec_context | SECURITY_RESTRICTED_OPERATION);
326  save_nestlevel = NewGUCNestLevel();
327  RestrictSearchPath();
328  }
329  else
330  {
331  heaprel = NULL;
332  /* Set these just to suppress "uninitialized variable" warnings */
333  save_userid = InvalidOid;
334  save_sec_context = -1;
335  save_nestlevel = -1;
336  }
337 
338  /*
339  * Open the target index relations separately (like relation_openrv(), but
340  * with heap relation locked first to prevent deadlocking). In hot
341  * standby mode this will raise an error when parentcheck is true.
342  *
343  * There is no need for the usual indcheckxmin usability horizon test
344  * here, even in the heapallindexed case, because index undergoing
345  * verification only needs to have entries for a new transaction snapshot.
346  * (If this is a parentcheck verification, there is no question about
347  * committed or recently dead heap tuples lacking index entries due to
348  * concurrent activity.)
349  */
350  indrel = index_open(indrelid, lockmode);
351 
352  /*
353  * Since we did the IndexGetRelation call above without any lock, it's
354  * barely possible that a race against an index drop/recreation could have
355  * netted us the wrong table.
356  */
357  if (heaprel == NULL || heapid != IndexGetRelation(indrelid, false))
358  ereport(ERROR,
359  (errcode(ERRCODE_UNDEFINED_TABLE),
360  errmsg("could not open parent table of index \"%s\"",
361  RelationGetRelationName(indrel))));
362 
363  /* Relation suitable for checking as B-Tree? */
364  btree_index_checkable(indrel);
365 
366  if (btree_index_mainfork_expected(indrel))
367  {
368  bool heapkeyspace,
369  allequalimage;
370 
371  if (!smgrexists(RelationGetSmgr(indrel), MAIN_FORKNUM))
372  ereport(ERROR,
373  (errcode(ERRCODE_INDEX_CORRUPTED),
374  errmsg("index \"%s\" lacks a main relation fork",
375  RelationGetRelationName(indrel))));
376 
377  /* Extract metadata from metapage, and sanitize it in passing */
378  _bt_metaversion(indrel, &heapkeyspace, &allequalimage);
379  if (allequalimage && !heapkeyspace)
380  ereport(ERROR,
381  (errcode(ERRCODE_INDEX_CORRUPTED),
382  errmsg("index \"%s\" metapage has equalimage field set on unsupported nbtree version",
383  RelationGetRelationName(indrel))));
384  if (allequalimage && !_bt_allequalimage(indrel, false))
385  {
386  bool has_interval_ops = false;
387 
388  for (int i = 0; i < IndexRelationGetNumberOfKeyAttributes(indrel); i++)
389  if (indrel->rd_opfamily[i] == INTERVAL_BTREE_FAM_OID)
390  has_interval_ops = true;
391  ereport(ERROR,
392  (errcode(ERRCODE_INDEX_CORRUPTED),
393  errmsg("index \"%s\" metapage incorrectly indicates that deduplication is safe",
394  RelationGetRelationName(indrel)),
395  has_interval_ops
396  ? errhint("This is known of \"interval\" indexes last built on a version predating 2023-11.")
397  : 0));
398  }
399 
400  /* Check index, possibly against table it is an index on */
401  bt_check_every_level(indrel, heaprel, heapkeyspace, parentcheck,
402  heapallindexed, rootdescend, checkunique);
403  }
404 
405  /* Roll back any GUC changes executed by index functions */
406  AtEOXact_GUC(false, save_nestlevel);
407 
408  /* Restore userid and security context */
409  SetUserIdAndSecContext(save_userid, save_sec_context);
410 
411  /*
412  * Release locks early. That's ok here because nothing in the called
413  * routines will trigger shared cache invalidations to be sent, so we can
414  * relax the usual pattern of only releasing locks after commit.
415  */
416  index_close(indrel, lockmode);
417  if (heaprel)
418  table_close(heaprel, lockmode);
419 }
420 
421 /*
422  * Basic checks about the suitability of a relation for checking as a B-Tree
423  * index.
424  *
425  * NB: Intentionally not checking permissions, the function is normally not
426  * callable by non-superusers. If granted, it's useful to be able to check a
427  * whole cluster.
428  */
429 static inline void
430 btree_index_checkable(Relation rel)
431 {
432  if (rel->rd_rel->relkind != RELKIND_INDEX ||
433  rel->rd_rel->relam != BTREE_AM_OID)
434  ereport(ERROR,
435  (errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
436  errmsg("only B-Tree indexes are supported as targets for verification"),
437  errdetail("Relation \"%s\" is not a B-Tree index.",
438  RelationGetRelationName(rel))));
439 
440  if (RELATION_IS_OTHER_TEMP(rel))
441  ereport(ERROR,
442  (errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
443  errmsg("cannot access temporary tables of other sessions"),
444  errdetail("Index \"%s\" is associated with temporary relation.",
445  RelationGetRelationName(rel))));
446 
447  if (!rel->rd_index->indisvalid)
448  ereport(ERROR,
449  (errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
450  errmsg("cannot check index \"%s\"",
451  RelationGetRelationName(rel)),
452  errdetail("Index is not valid.")));
453 }
454 
455 /*
456  * Check if B-Tree index relation should have a file for its main relation
457  * fork. Verification uses this to skip unlogged indexes when in hot standby
458  * mode, where there is simply nothing to verify. We behave as if the
459  * relation is empty.
460  *
461  * NB: Caller should call btree_index_checkable() before calling here.
462  */
463 static inline bool
464 btree_index_mainfork_expected(Relation rel)
465 {
466  if (rel->rd_rel->relpersistence != RELPERSISTENCE_UNLOGGED ||
467  !RecoveryInProgress())
468  return true;
469 
470  ereport(DEBUG1,
471  (errcode(ERRCODE_READ_ONLY_SQL_TRANSACTION),
472  errmsg("cannot verify unlogged index \"%s\" during recovery, skipping",
473  RelationGetRelationName(rel))));
474 
475  return false;
476 }
477 
478 /*
479  * Main entry point for B-Tree SQL-callable functions. Walks the B-Tree in
480  * logical order, verifying invariants as it goes. Optionally, verification
481  * checks if the heap relation contains any tuples that are not represented in
482  * the index but should be.
483  *
484  * It is the caller's responsibility to acquire appropriate heavyweight lock on
485  * the index relation, and advise us if extra checks are safe when a ShareLock
486  * is held. (A lock of the same type must also have been acquired on the heap
487  * relation.)
488  *
489  * A ShareLock is generally assumed to prevent any kind of physical
490  * modification to the index structure, including modifications that VACUUM may
491  * make. This does not include setting of the LP_DEAD bit by concurrent index
492  * scans, although that is just metadata that is not able to directly affect
493  * any check performed here. Any concurrent process that might act on the
494  * LP_DEAD bit being set (recycle space) requires a heavyweight lock that
495  * cannot be held while we hold a ShareLock. (Besides, even if that could
496  * happen, the ad-hoc recycling when a page might otherwise split is performed
497  * per-page, and requires an exclusive buffer lock, which wouldn't cause us
498  * trouble. _bt_delitems_vacuum() may only delete leaf items, and so the extra
499  * parent/child check cannot be affected.)
500  */
501 static void
502 bt_check_every_level(Relation rel, Relation heaprel, bool heapkeyspace,
503  bool readonly, bool heapallindexed, bool rootdescend,
504  bool checkunique)
505 {
506  BtreeCheckState *state;
507  Page metapage;
508  BTMetaPageData *metad;
509  uint32 previouslevel;
510  BtreeLevel current;
511  Snapshot snapshot = SnapshotAny;
512 
513  if (!readonly)
514  elog(DEBUG1, "verifying consistency of tree structure for index \"%s\"",
515  RelationGetRelationName(rel));
516  else
517  elog(DEBUG1, "verifying consistency of tree structure for index \"%s\" with cross-level checks",
518  RelationGetRelationName(rel));
519 
520  /*
521  * This assertion matches the one in index_getnext_tid(). See page
522  * recycling/"visible to everyone" notes in nbtree README.
523  */
524  Assert(TransactionIdIsValid(RecentXmin));
525 
526  /*
527  * Initialize state for entire verification operation
528  */
529  state = palloc0(sizeof(BtreeCheckState));
530  state->rel = rel;
531  state->heaprel = heaprel;
532  state->heapkeyspace = heapkeyspace;
533  state->readonly = readonly;
534  state->heapallindexed = heapallindexed;
535  state->rootdescend = rootdescend;
536  state->checkunique = checkunique;
537  state->snapshot = InvalidSnapshot;
538 
539  if (state->heapallindexed)
540  {
541  int64 total_pages;
542  int64 total_elems;
543  uint64 seed;
544 
545  /*
546  * Size Bloom filter based on estimated number of tuples in index,
547  * while conservatively assuming that each block must contain at least
548  * MaxTIDsPerBTreePage / 3 "plain" tuples -- see
549  * bt_posting_plain_tuple() for definition, and details of how posting
550  * list tuples are handled.
551  */
552  total_pages = RelationGetNumberOfBlocks(rel);
553  total_elems = Max(total_pages * (MaxTIDsPerBTreePage / 3),
554  (int64) state->rel->rd_rel->reltuples);
555  /* Generate a random seed to avoid repetition */
556  seed = pg_prng_uint64(&pg_global_prng_state);
557  /* Create Bloom filter to fingerprint index */
558  state->filter = bloom_create(total_elems, maintenance_work_mem, seed);
559  state->heaptuplespresent = 0;
560 
561  /*
562  * Register our own snapshot in !readonly case, rather than asking
563  * table_index_build_scan() to do this for us later. This needs to
564  * happen before index fingerprinting begins, so we can later be
565  * certain that index fingerprinting should have reached all tuples
566  * returned by table_index_build_scan().
567  */
568  if (!state->readonly)
569  {
570  snapshot = RegisterSnapshot(GetTransactionSnapshot());
571 
572  /*
573  * GetTransactionSnapshot() always acquires a new MVCC snapshot in
574  * READ COMMITTED mode. A new snapshot is guaranteed to have all
575  * the entries it requires in the index.
576  *
577  * We must defend against the possibility that an old xact
578  * snapshot was returned at higher isolation levels when that
579  * snapshot is not safe for index scans of the target index. This
580  * is possible when the snapshot sees tuples that are before the
581  * index's indcheckxmin horizon. Throwing an error here should be
582  * very rare. It doesn't seem worth using a secondary snapshot to
583  * avoid this.
584  */
585  if (IsolationUsesXactSnapshot() && rel->rd_index->indcheckxmin &&
586  !TransactionIdPrecedes(HeapTupleHeaderGetXmin(rel->rd_indextuple->t_data),
587  snapshot->xmin))
588  ereport(ERROR,
589  (errcode(ERRCODE_T_R_SERIALIZATION_FAILURE),
590  errmsg("index \"%s\" cannot be verified using transaction snapshot",
591  RelationGetRelationName(rel))));
592  }
593  }
594 
595  /*
596  * We need a snapshot to check the uniqueness of the index. For better
597  * performance take it once per index check. If snapshot already taken
598  * reuse it.
599  */
600  if (state->checkunique)
601  {
602  state->indexinfo = BuildIndexInfo(state->rel);
603  if (state->indexinfo->ii_Unique)
604  {
605  if (snapshot != SnapshotAny)
606  state->snapshot = snapshot;
607  else
608  state->snapshot = RegisterSnapshot(GetTransactionSnapshot());
609  }
610  }
611 
612  Assert(!state->rootdescend || state->readonly);
613  if (state->rootdescend && !state->heapkeyspace)
614  ereport(ERROR,
615  (errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
616  errmsg("cannot verify that tuples from index \"%s\" can each be found by an independent index search",
617  RelationGetRelationName(rel)),
618  errhint("Only B-Tree version 4 indexes support rootdescend verification.")));
619 
620  /* Create context for page */
621  state->targetcontext = AllocSetContextCreate(CurrentMemoryContext,
622  "amcheck context",
623  ALLOCSET_DEFAULT_SIZES);
624  state->checkstrategy = GetAccessStrategy(BAS_BULKREAD);
625 
626  /* Get true root block from meta-page */
627  metapage = palloc_btree_page(state, BTREE_METAPAGE);
628  metad = BTPageGetMeta(metapage);
629 
630  /*
631  * Certain deletion patterns can result in "skinny" B-Tree indexes, where
632  * the fast root and true root differ.
633  *
634  * Start from the true root, not the fast root, unlike conventional index
635  * scans. This approach is more thorough, and removes the risk of
636  * following a stale fast root from the meta page.
637  */
638  if (metad->btm_fastroot != metad->btm_root)
639  ereport(DEBUG1,
640  (errcode(ERRCODE_NO_DATA),
641  errmsg_internal("harmless fast root mismatch in index \"%s\"",
642  RelationGetRelationName(rel)),
643  errdetail_internal("Fast root block %u (level %u) differs from true root block %u (level %u).",
644  metad->btm_fastroot, metad->btm_fastlevel,
645  metad->btm_root, metad->btm_level)));
646 
647  /*
648  * Starting at the root, verify every level. Move left to right, top to
649  * bottom. Note that there may be no pages other than the meta page (meta
650  * page can indicate that root is P_NONE when the index is totally empty).
651  */
652  previouslevel = InvalidBtreeLevel;
653  current.level = metad->btm_level;
654  current.leftmost = metad->btm_root;
655  current.istruerootlevel = true;
656  while (current.leftmost != P_NONE)
657  {
658  /*
659  * Verify this level, and get left most page for next level down, if
660  * not at leaf level
661  */
662  current = bt_check_level_from_leftmost(state, current);
663 
664  if (current.leftmost == InvalidBlockNumber)
665  ereport(ERROR,
666  (errcode(ERRCODE_INDEX_CORRUPTED),
667  errmsg("index \"%s\" has no valid pages on level below %u or first level",
668  RelationGetRelationName(rel), previouslevel)));
669 
670  previouslevel = current.level;
671  }
672 
673  /*
674  * * Check whether heap contains unindexed/malformed tuples *
675  */
676  if (state->heapallindexed)
677  {
678  IndexInfo *indexinfo = BuildIndexInfo(state->rel);
679  TableScanDesc scan;
680 
681  /*
682  * Create our own scan for table_index_build_scan(), rather than
683  * getting it to do so for us. This is required so that we can
684  * actually use the MVCC snapshot registered earlier in !readonly
685  * case.
686  *
687  * Note that table_index_build_scan() calls heap_endscan() for us.
688  */
689  scan = table_beginscan_strat(state->heaprel, /* relation */
690  snapshot, /* snapshot */
691  0, /* number of keys */
692  NULL, /* scan key */
693  true, /* buffer access strategy OK */
694  true); /* syncscan OK? */
695 
696  /*
697  * Scan will behave as the first scan of a CREATE INDEX CONCURRENTLY
698  * behaves in !readonly case.
699  *
700  * It's okay that we don't actually use the same lock strength for the
701  * heap relation as any other ii_Concurrent caller would in !readonly
702  * case. We have no reason to care about a concurrent VACUUM
703  * operation, since there isn't going to be a second scan of the heap
704  * that needs to be sure that there was no concurrent recycling of
705  * TIDs.
706  */
707  indexinfo->ii_Concurrent = !state->readonly;
708 
709  /*
710  * Don't wait for uncommitted tuple xact commit/abort when index is a
711  * unique index on a catalog (or an index used by an exclusion
712  * constraint). This could otherwise happen in the readonly case.
713  */
714  indexinfo->ii_Unique = false;
715  indexinfo->ii_ExclusionOps = NULL;
716  indexinfo->ii_ExclusionProcs = NULL;
717  indexinfo->ii_ExclusionStrats = NULL;
718 
719  elog(DEBUG1, "verifying that tuples from index \"%s\" are present in \"%s\"",
720  RelationGetRelationName(state->rel),
721  RelationGetRelationName(state->heaprel));
722 
723  table_index_build_scan(state->heaprel, state->rel, indexinfo, true, false,
724  bt_tuple_present_callback, (void *) state, scan);
725 
726  ereport(DEBUG1,
727  (errmsg_internal("finished verifying presence of " INT64_FORMAT " tuples from table \"%s\" with bitset %.2f%% set",
728  state->heaptuplespresent, RelationGetRelationName(heaprel),
729  100.0 * bloom_prop_bits_set(state->filter))));
730 
731  if (snapshot != SnapshotAny)
732  UnregisterSnapshot(snapshot);
733 
734  bloom_free(state->filter);
735  }
736 
737  /* Be tidy: */
738  if (snapshot == SnapshotAny && state->snapshot != InvalidSnapshot)
739  UnregisterSnapshot(state->snapshot);
740  MemoryContextDelete(state->targetcontext);
741 }
742 
743 /*
744  * Given a left-most block at some level, move right, verifying each page
745  * individually (with more verification across pages for "readonly"
746  * callers). Caller should pass the true root page as the leftmost initially,
747  * working their way down by passing what is returned for the last call here
748  * until level 0 (leaf page level) was reached.
749  *
750  * Returns state for next call, if any. This includes left-most block number
751  * one level lower that should be passed on next level/call, which is set to
752  * P_NONE on last call here (when leaf level is verified). Level numbers
753  * follow the nbtree convention: higher levels have higher numbers, because new
754  * levels are added only due to a root page split. Note that prior to the
755  * first root page split, the root is also a leaf page, so there is always a
756  * level 0 (leaf level), and it's always the last level processed.
757  *
758  * Note on memory management: State's per-page context is reset here, between
759  * each call to bt_target_page_check().
760  */
761 static BtreeLevel
762 bt_check_level_from_leftmost(BtreeCheckState *state, BtreeLevel level)
763 {
764  /* State to establish early, concerning entire level */
765  BTPageOpaque opaque;
766  MemoryContext oldcontext;
767  BtreeLevel nextleveldown;
768 
769  /* Variables for iterating across level using right links */
770  BlockNumber leftcurrent = P_NONE;
771  BlockNumber current = level.leftmost;
772 
773  /* Initialize return state */
774  nextleveldown.leftmost = InvalidBlockNumber;
775  nextleveldown.level = InvalidBtreeLevel;
776  nextleveldown.istruerootlevel = false;
777 
778  /* Use page-level context for duration of this call */
779  oldcontext = MemoryContextSwitchTo(state->targetcontext);
780 
781  elog(DEBUG1, "verifying level %u%s", level.level,
782  level.istruerootlevel ?
783  " (true root level)" : level.level == 0 ? " (leaf level)" : "");
784 
785  state->prevrightlink = InvalidBlockNumber;
786  state->previncompletesplit = false;
787 
788  do
789  {
790  /* Don't rely on CHECK_FOR_INTERRUPTS() calls at lower level */
791  CHECK_FOR_INTERRUPTS();
792 
793  /* Initialize state for this iteration */
794  state->targetblock = current;
795  state->target = palloc_btree_page(state, state->targetblock);
796  state->targetlsn = PageGetLSN(state->target);
797 
798  opaque = BTPageGetOpaque(state->target);
799 
800  if (P_IGNORE(opaque))
801  {
802  /*
803  * Since there cannot be a concurrent VACUUM operation in readonly
804  * mode, and since a page has no links within other pages
805  * (siblings and parent) once it is marked fully deleted, it
806  * should be impossible to land on a fully deleted page in
807  * readonly mode. See bt_child_check() for further details.
808  *
809  * The bt_child_check() P_ISDELETED() check is repeated here so
810  * that pages that are only reachable through sibling links get
811  * checked.
812  */
813  if (state->readonly && P_ISDELETED(opaque))
814  ereport(ERROR,
815  (errcode(ERRCODE_INDEX_CORRUPTED),
816  errmsg("downlink or sibling link points to deleted block in index \"%s\"",
817  RelationGetRelationName(state->rel)),
818  errdetail_internal("Block=%u left block=%u left link from block=%u.",
819  current, leftcurrent, opaque->btpo_prev)));
820 
821  if (P_RIGHTMOST(opaque))
822  ereport(ERROR,
823  (errcode(ERRCODE_INDEX_CORRUPTED),
824  errmsg("block %u fell off the end of index \"%s\"",
825  current, RelationGetRelationName(state->rel))));
826  else
827  ereport(DEBUG1,
828  (errcode(ERRCODE_NO_DATA),
829  errmsg_internal("block %u of index \"%s\" concurrently deleted",
830  current, RelationGetRelationName(state->rel))));
831  goto nextpage;
832  }
833  else if (nextleveldown.leftmost == InvalidBlockNumber)
834  {
835  /*
836  * A concurrent page split could make the caller supplied leftmost
837  * block no longer contain the leftmost page, or no longer be the
838  * true root, but where that isn't possible due to heavyweight
839  * locking, check that the first valid page meets caller's
840  * expectations.
841  */
842  if (state->readonly)
843  {
844  if (!bt_leftmost_ignoring_half_dead(state, current, opaque))
845  ereport(ERROR,
846  (errcode(ERRCODE_INDEX_CORRUPTED),
847  errmsg("block %u is not leftmost in index \"%s\"",
848  current, RelationGetRelationName(state->rel))));
849 
850  if (level.istruerootlevel && !P_ISROOT(opaque))
851  ereport(ERROR,
852  (errcode(ERRCODE_INDEX_CORRUPTED),
853  errmsg("block %u is not true root in index \"%s\"",
854  current, RelationGetRelationName(state->rel))));
855  }
856 
857  /*
858  * Before beginning any non-trivial examination of level, prepare
859  * state for next bt_check_level_from_leftmost() invocation for
860  * the next level for the next level down (if any).
861  *
862  * There should be at least one non-ignorable page per level,
863  * unless this is the leaf level, which is assumed by caller to be
864  * final level.
865  */
866  if (!P_ISLEAF(opaque))
867  {
868  IndexTuple itup;
869  ItemId itemid;
870 
871  /* Internal page -- downlink gets leftmost on next level */
872  itemid = PageGetItemIdCareful(state, state->targetblock,
873  state->target,
874  P_FIRSTDATAKEY(opaque));
875  itup = (IndexTuple) PageGetItem(state->target, itemid);
876  nextleveldown.leftmost = BTreeTupleGetDownLink(itup);
877  nextleveldown.level = opaque->btpo_level - 1;
878  }
879  else
880  {
881  /*
882  * Leaf page -- final level caller must process.
883  *
884  * Note that this could also be the root page, if there has
885  * been no root page split yet.
886  */
887  nextleveldown.leftmost = P_NONE;
888  nextleveldown.level = InvalidBtreeLevel;
889  }
890 
891  /*
892  * Finished setting up state for this call/level. Control will
893  * never end up back here in any future loop iteration for this
894  * level.
895  */
896  }
897 
898  /*
899  * Sibling links should be in mutual agreement. There arises
900  * leftcurrent == P_NONE && btpo_prev != P_NONE when the left sibling
901  * of the parent's low-key downlink is half-dead. (A half-dead page
902  * has no downlink from its parent.) Under heavyweight locking, the
903  * last bt_leftmost_ignoring_half_dead() validated this btpo_prev.
904  * Without heavyweight locking, validation of the P_NONE case remains
905  * unimplemented.
906  */
907  if (opaque->btpo_prev != leftcurrent && leftcurrent != P_NONE)
908  bt_recheck_sibling_links(state, opaque->btpo_prev, leftcurrent);
909 
910  /* Check level */
911  if (level.level != opaque->btpo_level)
912  ereport(ERROR,
913  (errcode(ERRCODE_INDEX_CORRUPTED),
914  errmsg("leftmost down link for level points to block in index \"%s\" whose level is not one level down",
915  RelationGetRelationName(state->rel)),
916  errdetail_internal("Block pointed to=%u expected level=%u level in pointed to block=%u.",
917  current, level.level, opaque->btpo_level)));
918 
919  /* Verify invariants for page */
920  bt_target_page_check(state);
921 
922 nextpage:
923 
924  /* Try to detect circular links */
925  if (current == leftcurrent || current == opaque->btpo_prev)
926  ereport(ERROR,
927  (errcode(ERRCODE_INDEX_CORRUPTED),
928  errmsg("circular link chain found in block %u of index \"%s\"",
929  current, RelationGetRelationName(state->rel))));
930 
931  leftcurrent = current;
932  current = opaque->btpo_next;
933 
934  if (state->lowkey)
935  {
936  Assert(state->readonly);
937  pfree(state->lowkey);
938  state->lowkey = NULL;
939  }
940 
941  /*
942  * Copy current target high key as the low key of right sibling.
943  * Allocate memory in upper level context, so it would be cleared
944  * after reset of target context.
945  *
946  * We only need the low key in corner cases of checking child high
947  * keys. We use high key only when incomplete split on the child level
948  * falls to the boundary of pages on the target level. See
949  * bt_child_highkey_check() for details. So, typically we won't end
950  * up doing anything with low key, but it's simpler for general case
951  * high key verification to always have it available.
952  *
953  * The correctness of managing low key in the case of concurrent
954  * splits wasn't investigated yet. Thankfully we only need low key
955  * for readonly verification and concurrent splits won't happen.
956  */
957  if (state->readonly && !P_RIGHTMOST(opaque))
958  {
959  IndexTuple itup;
960  ItemId itemid;
961 
962  itemid = PageGetItemIdCareful(state, state->targetblock,
963  state->target, P_HIKEY);
964  itup = (IndexTuple) PageGetItem(state->target, itemid);
965 
966  state->lowkey = MemoryContextAlloc(oldcontext, IndexTupleSize(itup));
967  memcpy(state->lowkey, itup, IndexTupleSize(itup));
968  }
969 
970  /* Free page and associated memory for this iteration */
971  MemoryContextReset(state->targetcontext);
972  }
973  while (current != P_NONE);
974 
975  if (state->lowkey)
976  {
977  Assert(state->readonly);
978  pfree(state->lowkey);
979  state->lowkey = NULL;
980  }
981 
982  /* Don't change context for caller */
983  MemoryContextSwitchTo(oldcontext);
984 
985  return nextleveldown;
986 }
987 
988 /* Check visibility of the table entry referenced by nbtree index */
989 static bool
990 heap_entry_is_visible(BtreeCheckState *state, ItemPointer tid)
991 {
992  bool tid_visible;
993 
994  TupleTableSlot *slot = table_slot_create(state->heaprel, NULL);
995 
996  tid_visible = table_tuple_fetch_row_version(state->heaprel,
997  tid, state->snapshot, slot);
998  if (slot != NULL)
999  ExecDropSingleTupleTableSlot(slot);
1000 
1001  return tid_visible;
1002 }
1003 
1004 /*
1005  * Prepare an error message for unique constrain violation in
1006  * a btree index and report ERROR.
1007  */
1008 static void
1009 bt_report_duplicate(BtreeCheckState *state,
1010  BtreeLastVisibleEntry *lVis,
1011  ItemPointer nexttid, BlockNumber nblock, OffsetNumber noffset,
1012  int nposting)
1013 {
1014  char *htid,
1015  *nhtid,
1016  *itid,
1017  *nitid = "",
1018  *pposting = "",
1019  *pnposting = "";
1020 
1021  htid = psprintf("tid=(%u,%u)",
1022  ItemPointerGetBlockNumberNoCheck(lVis->tid),
1023  ItemPointerGetOffsetNumberNoCheck(lVis->tid));
1024  nhtid = psprintf("tid=(%u,%u)",
1025  ItemPointerGetBlockNumberNoCheck(nexttid),
1026  ItemPointerGetOffsetNumberNoCheck(nexttid));
1027  itid = psprintf("tid=(%u,%u)", lVis->blkno, lVis->offset);
1028 
1029  if (nblock != lVis->blkno || noffset != lVis->offset)
1030  nitid = psprintf(" tid=(%u,%u)", nblock, noffset);
1031 
1032  if (lVis->postingIndex >= 0)
1033  pposting = psprintf(" posting %u", lVis->postingIndex);
1034 
1035  if (nposting >= 0)
1036  pnposting = psprintf(" posting %u", nposting);
1037 
1038  ereport(ERROR,
1039  (errcode(ERRCODE_INDEX_CORRUPTED),
1040  errmsg("index uniqueness is violated for index \"%s\"",
1041  RelationGetRelationName(state->rel)),
1042  errdetail("Index %s%s and%s%s (point to heap %s and %s) page lsn=%X/%X.",
1043  itid, pposting, nitid, pnposting, htid, nhtid,
1044  LSN_FORMAT_ARGS(state->targetlsn))));
1045 }
1046 
1047 /* Check if current nbtree leaf entry complies with UNIQUE constraint */
1048 static void
1049 bt_entry_unique_check(BtreeCheckState *state, IndexTuple itup,
1050  BlockNumber targetblock, OffsetNumber offset,
1051  BtreeLastVisibleEntry *lVis)
1052 {
1053  ItemPointer tid;
1054  bool has_visible_entry = false;
1055 
1056  Assert(targetblock != P_NONE);
1057 
1058  /*
1059  * Current tuple has posting list. Report duplicate if TID of any posting
1060  * list entry is visible and lVis->tid is valid.
1061  */
1062  if (BTreeTupleIsPosting(itup))
1063  {
1064  for (int i = 0; i < BTreeTupleGetNPosting(itup); i++)
1065  {
1066  tid = BTreeTupleGetPostingN(itup, i);
1067  if (heap_entry_is_visible(state, tid))
1068  {
1069  has_visible_entry = true;
1070  if (ItemPointerIsValid(lVis->tid))
1071  {
1072  bt_report_duplicate(state,
1073  lVis,
1074  tid, targetblock,
1075  offset, i);
1076  }
1077 
1078  /*
1079  * Prevent double reporting unique constraint violation
1080  * between the posting list entries of the first tuple on the
1081  * page after cross-page check.
1082  */
1083  if (lVis->blkno != targetblock && ItemPointerIsValid(lVis->tid))
1084  return;
1085 
1086  lVis->blkno = targetblock;
1087  lVis->offset = offset;
1088  lVis->postingIndex = i;
1089  lVis->tid = tid;
1090  }
1091  }
1092  }
1093 
1094  /*
1095  * Current tuple has no posting list. If TID is visible save info about it
1096  * for the next comparisons in the loop in bt_target_page_check(). Report
1097  * duplicate if lVis->tid is already valid.
1098  */
1099  else
1100  {
1101  tid = BTreeTupleGetHeapTID(itup);
1102  if (heap_entry_is_visible(state, tid))
1103  {
1104  has_visible_entry = true;
1105  if (ItemPointerIsValid(lVis->tid))
1106  {
1107  bt_report_duplicate(state,
1108  lVis,
1109  tid, targetblock,
1110  offset, -1);
1111  }
1112 
1113  lVis->blkno = targetblock;
1114  lVis->offset = offset;
1115  lVis->tid = tid;
1116  lVis->postingIndex = -1;
1117  }
1118  }
1119 
1120  if (!has_visible_entry &&
1121  lVis->blkno != InvalidBlockNumber &&
1122  lVis->blkno != targetblock)
1123  {
1124  char *posting = "";
1125 
1126  if (lVis->postingIndex >= 0)
1127  posting = psprintf(" posting %u", lVis->postingIndex);
1128  ereport(DEBUG1,
1129  (errcode(ERRCODE_NO_DATA),
1130  errmsg("index uniqueness can not be checked for index tid=(%u,%u) in index \"%s\"",
1131  targetblock, offset,
1132  RelationGetRelationName(state->rel)),
1133  errdetail("It doesn't have visible heap tids and key is equal to the tid=(%u,%u)%s (points to heap tid=(%u,%u)).",
1134  lVis->blkno, lVis->offset, posting,
1135  ItemPointerGetBlockNumberNoCheck(lVis->tid),
1136  ItemPointerGetOffsetNumberNoCheck(lVis->tid)),
1137  errhint("VACUUM the table and repeat the check.")));
1138  }
1139 }
1140 
1141 /*
1142  * Like P_LEFTMOST(start_opaque), but accept an arbitrarily-long chain of
1143  * half-dead, sibling-linked pages to the left. If a half-dead page appears
1144  * under state->readonly, the database exited recovery between the first-stage
1145  * and second-stage WAL records of a deletion.
1146  */
1147 static bool
1148 bt_leftmost_ignoring_half_dead(BtreeCheckState *state,
1149  BlockNumber start,
1150  BTPageOpaque start_opaque)
1151 {
1152  BlockNumber reached = start_opaque->btpo_prev,
1153  reached_from = start;
1154  bool all_half_dead = true;
1155 
1156  /*
1157  * To handle the !readonly case, we'd need to accept BTP_DELETED pages and
1158  * potentially observe nbtree/README "Page deletion and backwards scans".
1159  */
1160  Assert(state->readonly);
1161 
1162  while (reached != P_NONE && all_half_dead)
1163  {
1164  Page page = palloc_btree_page(state, reached);
1165  BTPageOpaque reached_opaque = BTPageGetOpaque(page);
1166 
1167  CHECK_FOR_INTERRUPTS();
1168 
1169  /*
1170  * Try to detect btpo_prev circular links. _bt_unlink_halfdead_page()
1171  * writes that side-links will continue to point to the siblings.
1172  * Check btpo_next for that property.
1173  */
1174  all_half_dead = P_ISHALFDEAD(reached_opaque) &&
1175  reached != start &&
1176  reached != reached_from &&
1177  reached_opaque->btpo_next == reached_from;
1178  if (all_half_dead)
1179  {
1180  XLogRecPtr pagelsn = PageGetLSN(page);
1181 
1182  /* pagelsn should point to an XLOG_BTREE_MARK_PAGE_HALFDEAD */
1183  ereport(DEBUG1,
1184  (errcode(ERRCODE_NO_DATA),
1185  errmsg_internal("harmless interrupted page deletion detected in index \"%s\"",
1186  RelationGetRelationName(state->rel)),
1187  errdetail_internal("Block=%u right block=%u page lsn=%X/%X.",
1188  reached, reached_from,
1189  LSN_FORMAT_ARGS(pagelsn))));
1190 
1191  reached_from = reached;
1192  reached = reached_opaque->btpo_prev;
1193  }
1194 
1195  pfree(page);
1196  }
1197 
1198  return all_half_dead;
1199 }
1200 
1201 /*
1202  * Raise an error when target page's left link does not point back to the
1203  * previous target page, called leftcurrent here. The leftcurrent page's
1204  * right link was followed to get to the current target page, and we expect
1205  * mutual agreement among leftcurrent and the current target page. Make sure
1206  * that this condition has definitely been violated in the !readonly case,
1207  * where concurrent page splits are something that we need to deal with.
1208  *
1209  * Cross-page inconsistencies involving pages that don't agree about being
1210  * siblings are known to be a particularly good indicator of corruption
1211  * involving partial writes/lost updates. The bt_right_page_check_scankey
1212  * check also provides a way of detecting cross-page inconsistencies for
1213  * !readonly callers, but it can only detect sibling pages that have an
1214  * out-of-order keyspace, which can't catch many of the problems that we
1215  * expect to catch here.
1216  *
1217  * The classic example of the kind of inconsistency that we can only catch
1218  * with this check (when in !readonly mode) involves three sibling pages that
1219  * were affected by a faulty page split at some point in the past. The
1220  * effects of the split are reflected in the original page and its new right
1221  * sibling page, with a lack of any accompanying changes for the _original_
1222  * right sibling page. The original right sibling page's left link fails to
1223  * point to the new right sibling page (its left link still points to the
1224  * original page), even though the first phase of a page split is supposed to
1225  * work as a single atomic action. This subtle inconsistency will probably
1226  * only break backwards scans in practice.
1227  *
1228  * Note that this is the only place where amcheck will "couple" buffer locks
1229  * (and only for !readonly callers). In general we prefer to avoid more
1230  * thorough cross-page checks in !readonly mode, but it seems worth the
1231  * complexity here. Also, the performance overhead of performing lock
1232  * coupling here is negligible in practice. Control only reaches here with a
1233  * non-corrupt index when there is a concurrent page split at the instant
1234  * caller crossed over to target page from leftcurrent page.
1235  */
1236 static void
1237 bt_recheck_sibling_links(BtreeCheckState *state,
1238  BlockNumber btpo_prev_from_target,
1239  BlockNumber leftcurrent)
1240 {
1241  /* passing metapage to BTPageGetOpaque() would give irrelevant findings */
1242  Assert(leftcurrent != P_NONE);
1243 
1244  if (!state->readonly)
1245  {
1246  Buffer lbuf;
1247  Buffer newtargetbuf;
1248  Page page;
1249  BTPageOpaque opaque;
1250  BlockNumber newtargetblock;
1251 
1252  /* Couple locks in the usual order for nbtree: Left to right */
1253  lbuf = ReadBufferExtended(state->rel, MAIN_FORKNUM, leftcurrent,
1254  RBM_NORMAL, state->checkstrategy);
1255  LockBuffer(lbuf, BT_READ);
1256  _bt_checkpage(state->rel, lbuf);
1257  page = BufferGetPage(lbuf);
1258  opaque = BTPageGetOpaque(page);
1259  if (P_ISDELETED(opaque))
1260  {
1261  /*
1262  * Cannot reason about concurrently deleted page -- the left link
1263  * in the page to the right is expected to point to some other
1264  * page to the left (not leftcurrent page).
1265  *
1266  * Note that we deliberately don't give up with a half-dead page.
1267  */
1268  UnlockReleaseBuffer(lbuf);
1269  return;
1270  }
1271 
1272  newtargetblock = opaque->btpo_next;
1273  /* Avoid self-deadlock when newtargetblock == leftcurrent */
1274  if (newtargetblock != leftcurrent)
1275  {
1276  newtargetbuf = ReadBufferExtended(state->rel, MAIN_FORKNUM,
1277  newtargetblock, RBM_NORMAL,
1278  state->checkstrategy);
1279  LockBuffer(newtargetbuf, BT_READ);
1280  _bt_checkpage(state->rel, newtargetbuf);
1281  page = BufferGetPage(newtargetbuf);
1282  opaque = BTPageGetOpaque(page);
1283  /* btpo_prev_from_target may have changed; update it */
1284  btpo_prev_from_target = opaque->btpo_prev;
1285  }
1286  else
1287  {
1288  /*
1289  * leftcurrent right sibling points back to leftcurrent block.
1290  * Index is corrupt. Easiest way to handle this is to pretend
1291  * that we actually read from a distinct page that has an invalid
1292  * block number in its btpo_prev.
1293  */
1294  newtargetbuf = InvalidBuffer;
1295  btpo_prev_from_target = InvalidBlockNumber;
1296  }
1297 
1298  /*
1299  * No need to check P_ISDELETED here, since new target block cannot be
1300  * marked deleted as long as we hold a lock on lbuf
1301  */
1302  if (BufferIsValid(newtargetbuf))
1303  UnlockReleaseBuffer(newtargetbuf);
1304  UnlockReleaseBuffer(lbuf);
1305 
1306  if (btpo_prev_from_target == leftcurrent)
1307  {
1308  /* Report split in left sibling, not target (or new target) */
1309  ereport(DEBUG1,
1310  (errcode(ERRCODE_INTERNAL_ERROR),
1311  errmsg_internal("harmless concurrent page split detected in index \"%s\"",
1312  RelationGetRelationName(state->rel)),
1313  errdetail_internal("Block=%u new right sibling=%u original right sibling=%u.",
1314  leftcurrent, newtargetblock,
1315  state->targetblock)));
1316  return;
1317  }
1318 
1319  /*
1320  * Index is corrupt. Make sure that we report correct target page.
1321  *
1322  * This could have changed in cases where there was a concurrent page
1323  * split, as well as index corruption (at least in theory). Note that
1324  * btpo_prev_from_target was already updated above.
1325  */
1326  state->targetblock = newtargetblock;
1327  }
1328 
1329  ereport(ERROR,
1330  (errcode(ERRCODE_INDEX_CORRUPTED),
1331  errmsg("left link/right link pair in index \"%s\" not in agreement",
1332  RelationGetRelationName(state->rel)),
1333  errdetail_internal("Block=%u left block=%u left link from block=%u.",
1334  state->targetblock, leftcurrent,
1335  btpo_prev_from_target)));
1336 }
1337 
1338 /*
1339  * Function performs the following checks on target page, or pages ancillary to
1340  * target page:
1341  *
1342  * - That every "real" data item is less than or equal to the high key, which
1343  * is an upper bound on the items on the page. Data items should be
1344  * strictly less than the high key when the page is an internal page.
1345  *
1346  * - That within the page, every data item is strictly less than the item
1347  * immediately to its right, if any (i.e., that the items are in order
1348  * within the page, so that the binary searches performed by index scans are
1349  * sane).
1350  *
1351  * - That the last data item stored on the page is strictly less than the
1352  * first data item on the page to the right (when such a first item is
1353  * available).
1354  *
1355  * - Various checks on the structure of tuples themselves. For example, check
1356  * that non-pivot tuples have no truncated attributes.
1357  *
1358  * - For index with unique constraint make sure that only one of table entries
1359  * for equal keys is visible.
1360  *
1361  * Furthermore, when state passed shows ShareLock held, function also checks:
1362  *
1363  * - That all child pages respect strict lower bound from parent's pivot
1364  * tuple.
1365  *
1366  * - That downlink to block was encountered in parent where that's expected.
1367  *
1368  * - That high keys of child pages matches corresponding pivot keys in parent.
1369  *
1370  * This is also where heapallindexed callers use their Bloom filter to
1371  * fingerprint IndexTuples for later table_index_build_scan() verification.
1372  *
1373  * Note: Memory allocated in this routine is expected to be released by caller
1374  * resetting state->targetcontext.
1375  */
1376 static void
1377 bt_target_page_check(BtreeCheckState *state)
1378 {
1379  OffsetNumber offset;
1380  OffsetNumber max;
1381  BTPageOpaque topaque;
1382 
1383  /* Last visible entry info for checking indexes with unique constraint */
1384  BtreeLastVisibleEntry lVis = {InvalidBlockNumber, InvalidOffsetNumber, -1, NULL};
1385 
1386  topaque = BTPageGetOpaque(state->target);
1387  max = PageGetMaxOffsetNumber(state->target);
1388 
1389  elog(DEBUG2, "verifying %u items on %s block %u", max,
1390  P_ISLEAF(topaque) ? "leaf" : "internal", state->targetblock);
1391 
1392  /*
1393  * Check the number of attributes in high key. Note, rightmost page
1394  * doesn't contain a high key, so nothing to check
1395  */
1396  if (!P_RIGHTMOST(topaque))
1397  {
1398  ItemId itemid;
1399  IndexTuple itup;
1400 
1401  /* Verify line pointer before checking tuple */
1402  itemid = PageGetItemIdCareful(state, state->targetblock,
1403  state->target, P_HIKEY);
1404  if (!_bt_check_natts(state->rel, state->heapkeyspace, state->target,
1405  P_HIKEY))
1406  {
1407  itup = (IndexTuple) PageGetItem(state->target, itemid);
1408  ereport(ERROR,
1409  (errcode(ERRCODE_INDEX_CORRUPTED),
1410  errmsg("wrong number of high key index tuple attributes in index \"%s\"",
1411  RelationGetRelationName(state->rel)),
1412  errdetail_internal("Index block=%u natts=%u block type=%s page lsn=%X/%X.",
1413  state->targetblock,
1414  BTreeTupleGetNAtts(itup, state->rel),
1415  P_ISLEAF(topaque) ? "heap" : "index",
1416  LSN_FORMAT_ARGS(state->targetlsn))));
1417  }
1418  }
1419 
1420  /*
1421  * Loop over page items, starting from first non-highkey item, not high
1422  * key (if any). Most tests are not performed for the "negative infinity"
1423  * real item (if any).
1424  */
1425  for (offset = P_FIRSTDATAKEY(topaque);
1426  offset <= max;
1427  offset = OffsetNumberNext(offset))
1428  {
1429  ItemId itemid;
1430  IndexTuple itup;
1431  size_t tupsize;
1432  BTScanInsert skey;
1433  bool lowersizelimit;
1434  ItemPointer scantid;
1435 
1436  /*
1437  * True if we already called bt_entry_unique_check() for the current
1438  * item. This helps to avoid visiting the heap for keys, which are
1439  * anyway presented only once and can't comprise a unique violation.
1440  */
1441  bool unique_checked = false;
1442 
1443  CHECK_FOR_INTERRUPTS();
1444 
1445  itemid = PageGetItemIdCareful(state, state->targetblock,
1446  state->target, offset);
1447  itup = (IndexTuple) PageGetItem(state->target, itemid);
1448  tupsize = IndexTupleSize(itup);
1449 
1450  /*
1451  * lp_len should match the IndexTuple reported length exactly, since
1452  * lp_len is completely redundant in indexes, and both sources of
1453  * tuple length are MAXALIGN()'d. nbtree does not use lp_len all that
1454  * frequently, and is surprisingly tolerant of corrupt lp_len fields.
1455  */
1456  if (tupsize != ItemIdGetLength(itemid))
1457  ereport(ERROR,
1458  (errcode(ERRCODE_INDEX_CORRUPTED),
1459  errmsg("index tuple size does not equal lp_len in index \"%s\"",
1460  RelationGetRelationName(state->rel)),
1461  errdetail_internal("Index tid=(%u,%u) tuple size=%zu lp_len=%u page lsn=%X/%X.",
1462  state->targetblock, offset,
1463  tupsize, ItemIdGetLength(itemid),
1464  LSN_FORMAT_ARGS(state->targetlsn)),
1465  errhint("This could be a torn page problem.")));
1466 
1467  /* Check the number of index tuple attributes */
1468  if (!_bt_check_natts(state->rel, state->heapkeyspace, state->target,
1469  offset))
1470  {
1471  ItemPointer tid;
1472  char *itid,
1473  *htid;
1474 
1475  itid = psprintf("(%u,%u)", state->targetblock, offset);
1476  tid = BTreeTupleGetPointsToTID(itup);
1477  htid = psprintf("(%u,%u)",
1478  ItemPointerGetBlockNumberNoCheck(tid),
1479  ItemPointerGetOffsetNumberNoCheck(tid));
1480 
1481  ereport(ERROR,
1482  (errcode(ERRCODE_INDEX_CORRUPTED),
1483  errmsg("wrong number of index tuple attributes in index \"%s\"",
1484  RelationGetRelationName(state->rel)),
1485  errdetail_internal("Index tid=%s natts=%u points to %s tid=%s page lsn=%X/%X.",
1486  itid,
1487  BTreeTupleGetNAtts(itup, state->rel),
1488  P_ISLEAF(topaque) ? "heap" : "index",
1489  htid,
1490  LSN_FORMAT_ARGS(state->targetlsn))));
1491  }
1492 
1493  /*
1494  * Don't try to generate scankey using "negative infinity" item on
1495  * internal pages. They are always truncated to zero attributes.
1496  */
1497  if (offset_is_negative_infinity(topaque, offset))
1498  {
1499  /*
1500  * We don't call bt_child_check() for "negative infinity" items.
1501  * But if we're performing downlink connectivity check, we do it
1502  * for every item including "negative infinity" one.
1503  */
1504  if (!P_ISLEAF(topaque) && state->readonly)
1505  {
1506  bt_child_highkey_check(state,
1507  offset,
1508  NULL,
1509  topaque->btpo_level);
1510  }
1511  continue;
1512  }
1513 
1514  /*
1515  * Readonly callers may optionally verify that non-pivot tuples can
1516  * each be found by an independent search that starts from the root.
1517  * Note that we deliberately don't do individual searches for each
1518  * TID, since the posting list itself is validated by other checks.
1519  */
1520  if (state->rootdescend && P_ISLEAF(topaque) &&
1521  !bt_rootdescend(state, itup))
1522  {
1523  ItemPointer tid = BTreeTupleGetPointsToTID(itup);
1524  char *itid,
1525  *htid;
1526 
1527  itid = psprintf("(%u,%u)", state->targetblock, offset);
1528  htid = psprintf("(%u,%u)", ItemPointerGetBlockNumber(tid),
1529  ItemPointerGetOffsetNumber(tid));
1530 
1531  ereport(ERROR,
1532  (errcode(ERRCODE_INDEX_CORRUPTED),
1533  errmsg("could not find tuple using search from root page in index \"%s\"",
1534  RelationGetRelationName(state->rel)),
1535  errdetail_internal("Index tid=%s points to heap tid=%s page lsn=%X/%X.",
1536  itid, htid,
1537  LSN_FORMAT_ARGS(state->targetlsn))));
1538  }
1539 
1540  /*
1541  * If tuple is a posting list tuple, make sure posting list TIDs are
1542  * in order
1543  */
1544  if (BTreeTupleIsPosting(itup))
1545  {
1546  ItemPointerData last;
1547  ItemPointer current;
1548 
1549  ItemPointerCopy(BTreeTupleGetHeapTID(itup), &last);
1550 
1551  for (int i = 1; i < BTreeTupleGetNPosting(itup); i++)
1552  {
1553 
1554  current = BTreeTupleGetPostingN(itup, i);
1555 
1556  if (ItemPointerCompare(current, &last) <= 0)
1557  {
1558  char *itid = psprintf("(%u,%u)", state->targetblock, offset);
1559 
1560  ereport(ERROR,
1561  (errcode(ERRCODE_INDEX_CORRUPTED),
1562  errmsg_internal("posting list contains misplaced TID in index \"%s\"",
1563  RelationGetRelationName(state->rel)),
1564  errdetail_internal("Index tid=%s posting list offset=%d page lsn=%X/%X.",
1565  itid, i,
1566  LSN_FORMAT_ARGS(state->targetlsn))));
1567  }
1568 
1569  ItemPointerCopy(current, &last);
1570  }
1571  }
1572 
1573  /* Build insertion scankey for current page offset */
1574  skey = bt_mkscankey_pivotsearch(state->rel, itup);
1575 
1576  /*
1577  * Make sure tuple size does not exceed the relevant BTREE_VERSION
1578  * specific limit.
1579  *
1580  * BTREE_VERSION 4 (which introduced heapkeyspace rules) requisitioned
1581  * a small amount of space from BTMaxItemSize() in order to ensure
1582  * that suffix truncation always has enough space to add an explicit
1583  * heap TID back to a tuple -- we pessimistically assume that every
1584  * newly inserted tuple will eventually need to have a heap TID
1585  * appended during a future leaf page split, when the tuple becomes
1586  * the basis of the new high key (pivot tuple) for the leaf page.
1587  *
1588  * Since the reclaimed space is reserved for that purpose, we must not
1589  * enforce the slightly lower limit when the extra space has been used
1590  * as intended. In other words, there is only a cross-version
1591  * difference in the limit on tuple size within leaf pages.
1592  *
1593  * Still, we're particular about the details within BTREE_VERSION 4
1594  * internal pages. Pivot tuples may only use the extra space for its
1595  * designated purpose. Enforce the lower limit for pivot tuples when
1596  * an explicit heap TID isn't actually present. (In all other cases
1597  * suffix truncation is guaranteed to generate a pivot tuple that's no
1598  * larger than the firstright tuple provided to it by its caller.)
1599  */
1600  lowersizelimit = skey->heapkeyspace &&
1601  (P_ISLEAF(topaque) || BTreeTupleGetHeapTID(itup) == NULL);
1602  if (tupsize > (lowersizelimit ? BTMaxItemSize(state->target) :
1603  BTMaxItemSizeNoHeapTid(state->target)))
1604  {
1605  ItemPointer tid = BTreeTupleGetPointsToTID(itup);
1606  char *itid,
1607  *htid;
1608 
1609  itid = psprintf("(%u,%u)", state->targetblock, offset);
1610  htid = psprintf("(%u,%u)",
1611  ItemPointerGetBlockNumberNoCheck(tid),
1612  ItemPointerGetOffsetNumberNoCheck(tid));
1613 
1614  ereport(ERROR,
1615  (errcode(ERRCODE_INDEX_CORRUPTED),
1616  errmsg("index row size %zu exceeds maximum for index \"%s\"",
1617  tupsize, RelationGetRelationName(state->rel)),
1618  errdetail_internal("Index tid=%s points to %s tid=%s page lsn=%X/%X.",
1619  itid,
1620  P_ISLEAF(topaque) ? "heap" : "index",
1621  htid,
1622  LSN_FORMAT_ARGS(state->targetlsn))));
1623  }
1624 
1625  /* Fingerprint leaf page tuples (those that point to the heap) */
1626  if (state->heapallindexed && P_ISLEAF(topaque) && !ItemIdIsDead(itemid))
1627  {
1628  IndexTuple norm;
1629 
1630  if (BTreeTupleIsPosting(itup))
1631  {
1632  /* Fingerprint all elements as distinct "plain" tuples */
1633  for (int i = 0; i < BTreeTupleGetNPosting(itup); i++)
1634  {
1635  IndexTuple logtuple;
1636 
1637  logtuple = bt_posting_plain_tuple(itup, i);
1638  norm = bt_normalize_tuple(state, logtuple);
1639  bloom_add_element(state->filter, (unsigned char *) norm,
1640  IndexTupleSize(norm));
1641  /* Be tidy */
1642  if (norm != logtuple)
1643  pfree(norm);
1644  pfree(logtuple);
1645  }
1646  }
1647  else
1648  {
1649  norm = bt_normalize_tuple(state, itup);
1650  bloom_add_element(state->filter, (unsigned char *) norm,
1651  IndexTupleSize(norm));
1652  /* Be tidy */
1653  if (norm != itup)
1654  pfree(norm);
1655  }
1656  }
1657 
1658  /*
1659  * * High key check *
1660  *
1661  * If there is a high key (if this is not the rightmost page on its
1662  * entire level), check that high key actually is upper bound on all
1663  * page items. If this is a posting list tuple, we'll need to set
1664  * scantid to be highest TID in posting list.
1665  *
1666  * We prefer to check all items against high key rather than checking
1667  * just the last and trusting that the operator class obeys the
1668  * transitive law (which implies that all previous items also
1669  * respected the high key invariant if they pass the item order
1670  * check).
1671  *
1672  * Ideally, we'd compare every item in the index against every other
1673  * item in the index, and not trust opclass obedience of the
1674  * transitive law to bridge the gap between children and their
1675  * grandparents (as well as great-grandparents, and so on). We don't
1676  * go to those lengths because that would be prohibitively expensive,
1677  * and probably not markedly more effective in practice.
1678  *
1679  * On the leaf level, we check that the key is <= the highkey.
1680  * However, on non-leaf levels we check that the key is < the highkey,
1681  * because the high key is "just another separator" rather than a copy
1682  * of some existing key item; we expect it to be unique among all keys
1683  * on the same level. (Suffix truncation will sometimes produce a
1684  * leaf highkey that is an untruncated copy of the lastleft item, but
1685  * never any other item, which necessitates weakening the leaf level
1686  * check to <=.)
1687  *
1688  * Full explanation for why a highkey is never truly a copy of another
1689  * item from the same level on internal levels:
1690  *
1691  * While the new left page's high key is copied from the first offset
1692  * on the right page during an internal page split, that's not the
1693  * full story. In effect, internal pages are split in the middle of
1694  * the firstright tuple, not between the would-be lastleft and
1695  * firstright tuples: the firstright key ends up on the left side as
1696  * left's new highkey, and the firstright downlink ends up on the
1697  * right side as right's new "negative infinity" item. The negative
1698  * infinity tuple is truncated to zero attributes, so we're only left
1699  * with the downlink. In other words, the copying is just an
1700  * implementation detail of splitting in the middle of a (pivot)
1701  * tuple. (See also: "Notes About Data Representation" in the nbtree
1702  * README.)
1703  */
1704  scantid = skey->scantid;
1705  if (state->heapkeyspace && BTreeTupleIsPosting(itup))
1706  skey->scantid = BTreeTupleGetMaxHeapTID(itup);
1707 
1708  if (!P_RIGHTMOST(topaque) &&
1709  !(P_ISLEAF(topaque) ? invariant_leq_offset(state, skey, P_HIKEY) :
1710  invariant_l_offset(state, skey, P_HIKEY)))
1711  {
1712  ItemPointer tid = BTreeTupleGetPointsToTID(itup);
1713  char *itid,
1714  *htid;
1715 
1716  itid = psprintf("(%u,%u)", state->targetblock, offset);
1717  htid = psprintf("(%u,%u)",
1718  ItemPointerGetBlockNumberNoCheck(tid),
1719  ItemPointerGetOffsetNumberNoCheck(tid));
1720 
1721  ereport(ERROR,
1722  (errcode(ERRCODE_INDEX_CORRUPTED),
1723  errmsg("high key invariant violated for index \"%s\"",
1724  RelationGetRelationName(state->rel)),
1725  errdetail_internal("Index tid=%s points to %s tid=%s page lsn=%X/%X.",
1726  itid,
1727  P_ISLEAF(topaque) ? "heap" : "index",
1728  htid,
1729  LSN_FORMAT_ARGS(state->targetlsn))));
1730  }
1731  /* Reset, in case scantid was set to (itup) posting tuple's max TID */
1732  skey->scantid = scantid;
1733 
1734  /*
1735  * * Item order check *
1736  *
1737  * Check that items are stored on page in logical order, by checking
1738  * current item is strictly less than next item (if any).
1739  */
1740  if (OffsetNumberNext(offset) <= max &&
1741  !invariant_l_offset(state, skey, OffsetNumberNext(offset)))
1742  {
1743  ItemPointer tid;
1744  char *itid,
1745  *htid,
1746  *nitid,
1747  *nhtid;
1748 
1749  itid = psprintf("(%u,%u)", state->targetblock, offset);
1750  tid = BTreeTupleGetPointsToTID(itup);
1751  htid = psprintf("(%u,%u)",
1752  ItemPointerGetBlockNumberNoCheck(tid),
1753  ItemPointerGetOffsetNumberNoCheck(tid));
1754  nitid = psprintf("(%u,%u)", state->targetblock,
1755  OffsetNumberNext(offset));
1756 
1757  /* Reuse itup to get pointed-to heap location of second item */
1758  itemid = PageGetItemIdCareful(state, state->targetblock,
1759  state->target,
1760  OffsetNumberNext(offset));
1761  itup = (IndexTuple) PageGetItem(state->target, itemid);
1762  tid = BTreeTupleGetPointsToTID(itup);
1763  nhtid = psprintf("(%u,%u)",
1764  ItemPointerGetBlockNumberNoCheck(tid),
1765  ItemPointerGetOffsetNumberNoCheck(tid));
1766 
1767  ereport(ERROR,
1768  (errcode(ERRCODE_INDEX_CORRUPTED),
1769  errmsg("item order invariant violated for index \"%s\"",
1770  RelationGetRelationName(state->rel)),
1771  errdetail_internal("Lower index tid=%s (points to %s tid=%s) "
1772  "higher index tid=%s (points to %s tid=%s) "
1773  "page lsn=%X/%X.",
1774  itid,
1775  P_ISLEAF(topaque) ? "heap" : "index",
1776  htid,
1777  nitid,
1778  P_ISLEAF(topaque) ? "heap" : "index",
1779  nhtid,
1780  LSN_FORMAT_ARGS(state->targetlsn))));
1781  }
1782 
1783  /*
1784  * If the index is unique verify entries uniqueness by checking the
1785  * heap tuples visibility. Immediately check posting tuples and
1786  * tuples with repeated keys. Postpone check for keys, which have the
1787  * first appearance.
1788  */
1789  if (state->checkunique && state->indexinfo->ii_Unique &&
1790  P_ISLEAF(topaque) && !skey->anynullkeys &&
1791  (BTreeTupleIsPosting(itup) || ItemPointerIsValid(lVis.tid)))
1792  {
1793  bt_entry_unique_check(state, itup, state->targetblock, offset,
1794  &lVis);
1795  unique_checked = true;
1796  }
1797 
1798  if (state->checkunique && state->indexinfo->ii_Unique &&
1799  P_ISLEAF(topaque) && OffsetNumberNext(offset) <= max)
1800  {
1801  /* Save current scankey tid */
1802  scantid = skey->scantid;
1803 
1804  /*
1805  * Invalidate scankey tid to make _bt_compare compare only keys in
1806  * the item to report equality even if heap TIDs are different
1807  */
1808  skey->scantid = NULL;
1809 
1810  /*
1811  * If next key tuple is different, invalidate last visible entry
1812  * data (whole index tuple or last posting in index tuple). Key
1813  * containing null value does not violate unique constraint and
1814  * treated as different to any other key.
1815  *
1816  * If the next key is the same as the previous one, do the
1817  * bt_entry_unique_check() call if it was postponed.
1818  */
1819  if (_bt_compare(state->rel, skey, state->target,
1820  OffsetNumberNext(offset)) != 0 || skey->anynullkeys)
1821  {
1822  lVis.blkno = InvalidBlockNumber;
1823  lVis.offset = InvalidOffsetNumber;
1824  lVis.postingIndex = -1;
1825  lVis.tid = NULL;
1826  }
1827  else if (!unique_checked)
1828  {
1829  bt_entry_unique_check(state, itup, state->targetblock, offset,
1830  &lVis);
1831  }
1832  skey->scantid = scantid; /* Restore saved scan key state */
1833  }
1834 
1835  /*
1836  * * Last item check *
1837  *
1838  * Check last item against next/right page's first data item's when
1839  * last item on page is reached. This additional check will detect
1840  * transposed pages iff the supposed right sibling page happens to
1841  * belong before target in the key space. (Otherwise, a subsequent
1842  * heap verification will probably detect the problem.)
1843  *
1844  * This check is similar to the item order check that will have
1845  * already been performed for every other "real" item on target page
1846  * when last item is checked. The difference is that the next item
1847  * (the item that is compared to target's last item) needs to come
1848  * from the next/sibling page. There may not be such an item
1849  * available from sibling for various reasons, though (e.g., target is
1850  * the rightmost page on level).
1851  */
1852  if (offset == max)
1853  {
1854  BTScanInsert rightkey;
1855 
1856  /* first offset on a right index page (log only) */
1857  OffsetNumber rightfirstoffset = InvalidOffsetNumber;
1858 
1859  /* Get item in next/right page */
1860  rightkey = bt_right_page_check_scankey(state, &rightfirstoffset);
1861 
1862  if (rightkey &&
1863  !invariant_g_offset(state, rightkey, max))
1864  {
1865  /*
1866  * As explained at length in bt_right_page_check_scankey(),
1867  * there is a known !readonly race that could account for
1868  * apparent violation of invariant, which we must check for
1869  * before actually proceeding with raising error. Our canary
1870  * condition is that target page was deleted.
1871  */
1872  if (!state->readonly)
1873  {
1874  /* Get fresh copy of target page */
1875  state->target = palloc_btree_page(state, state->targetblock);
1876  /* Note that we deliberately do not update target LSN */
1877  topaque = BTPageGetOpaque(state->target);
1878 
1879  /*
1880  * All !readonly checks now performed; just return
1881  */
1882  if (P_IGNORE(topaque))
1883  return;
1884  }
1885 
1886  ereport(ERROR,
1887  (errcode(ERRCODE_INDEX_CORRUPTED),
1888  errmsg("cross page item order invariant violated for index \"%s\"",
1889  RelationGetRelationName(state->rel)),
1890  errdetail_internal("Last item on page tid=(%u,%u) page lsn=%X/%X.",
1891  state->targetblock, offset,
1892  LSN_FORMAT_ARGS(state->targetlsn))));
1893  }
1894 
1895  /*
1896  * If index has unique constraint make sure that no more than one
1897  * found equal items is visible.
1898  */
1899  if (state->checkunique && state->indexinfo->ii_Unique &&
1900  rightkey && P_ISLEAF(topaque) && !P_RIGHTMOST(topaque))
1901  {
1902  BlockNumber rightblock_number = topaque->btpo_next;
1903 
1904  elog(DEBUG2, "check cross page unique condition");
1905 
1906  /*
1907  * Make _bt_compare compare only index keys without heap TIDs.
1908  * rightkey->scantid is modified destructively but it is ok
1909  * for it is not used later.
1910  */
1911  rightkey->scantid = NULL;
1912 
1913  /* The first key on the next page is the same */
1914  if (_bt_compare(state->rel, rightkey, state->target, max) == 0 &&
1915  !rightkey->anynullkeys)
1916  {
1917  Page rightpage;
1918 
1919  /*
1920  * Do the bt_entry_unique_check() call if it was
1921  * postponed.
1922  */
1923  if (!unique_checked)
1924  bt_entry_unique_check(state, itup, state->targetblock,
1925  offset, &lVis);
1926 
1927  elog(DEBUG2, "cross page equal keys");
1928  rightpage = palloc_btree_page(state,
1929  rightblock_number);
1930  topaque = BTPageGetOpaque(rightpage);
1931 
1932  if (P_IGNORE(topaque))
1933  {
1934  pfree(rightpage);
1935  break;
1936  }
1937 
1938  if (unlikely(!P_ISLEAF(topaque)))
1939  ereport(ERROR,
1940  (errcode(ERRCODE_INDEX_CORRUPTED),
1941  errmsg("right block of leaf block is non-leaf for index \"%s\"",
1942  RelationGetRelationName(state->rel)),
1943  errdetail_internal("Block=%u page lsn=%X/%X.",
1944  state->targetblock,
1945  LSN_FORMAT_ARGS(state->targetlsn))));
1946 
1947  itemid = PageGetItemIdCareful(state, rightblock_number,
1948  rightpage,
1949  rightfirstoffset);
1950  itup = (IndexTuple) PageGetItem(rightpage, itemid);
1951 
1952  bt_entry_unique_check(state, itup, rightblock_number, rightfirstoffset, &lVis);
1953 
1954  pfree(rightpage);
1955  }
1956  }
1957  }
1958 
1959  /*
1960  * * Downlink check *
1961  *
1962  * Additional check of child items iff this is an internal page and
1963  * caller holds a ShareLock. This happens for every downlink (item)
1964  * in target excluding the negative-infinity downlink (again, this is
1965  * because it has no useful value to compare).
1966  */
1967  if (!P_ISLEAF(topaque) && state->readonly)
1968  bt_child_check(state, skey, offset);
1969  }
1970 
1971  /*
1972  * Special case bt_child_highkey_check() call
1973  *
1974  * We don't pass a real downlink, but we've to finish the level
1975  * processing. If condition is satisfied, we've already processed all the
1976  * downlinks from the target level. But there still might be pages to the
1977  * right of the child page pointer to by our rightmost downlink. And they
1978  * might have missing downlinks. This final call checks for them.
1979  */
1980  if (!P_ISLEAF(topaque) && P_RIGHTMOST(topaque) && state->readonly)
1981  {
1982  bt_child_highkey_check(state, InvalidOffsetNumber,
1983  NULL, topaque->btpo_level);
1984  }
1985 }
1986 
1987 /*
1988  * Return a scankey for an item on page to right of current target (or the
1989  * first non-ignorable page), sufficient to check ordering invariant on last
1990  * item in current target page. Returned scankey relies on local memory
1991  * allocated for the child page, which caller cannot pfree(). Caller's memory
1992  * context should be reset between calls here.
1993  *
1994  * This is the first data item, and so all adjacent items are checked against
1995  * their immediate sibling item (which may be on a sibling page, or even a
1996  * "cousin" page at parent boundaries where target's rightlink points to page
1997  * with different parent page). If no such valid item is available, return
1998  * NULL instead.
1999  *
2000  * Note that !readonly callers must reverify that target page has not
2001  * been concurrently deleted.
2002  *
2003  * Save rightfirstoffset for detailed error message.
2004  */
2005 static BTScanInsert
2006 bt_right_page_check_scankey(BtreeCheckState *state, OffsetNumber *rightfirstoffset)
2007 {
2008  BTPageOpaque opaque;
2009  ItemId rightitem;
2010  IndexTuple firstitup;
2011  BlockNumber targetnext;
2012  Page rightpage;
2013  OffsetNumber nline;
2014 
2015  /* Determine target's next block number */
2016  opaque = BTPageGetOpaque(state->target);
2017 
2018  /* If target is already rightmost, no right sibling; nothing to do here */
2019  if (P_RIGHTMOST(opaque))
2020  return NULL;
2021 
2022  /*
2023  * General notes on concurrent page splits and page deletion:
2024  *
2025  * Routines like _bt_search() don't require *any* page split interlock
2026  * when descending the tree, including something very light like a buffer
2027  * pin. That's why it's okay that we don't either. This avoidance of any
2028  * need to "couple" buffer locks is the raison d' etre of the Lehman & Yao
2029  * algorithm, in fact.
2030  *
2031  * That leaves deletion. A deleted page won't actually be recycled by
2032  * VACUUM early enough for us to fail to at least follow its right link
2033  * (or left link, or downlink) and find its sibling, because recycling
2034  * does not occur until no possible index scan could land on the page.
2035  * Index scans can follow links with nothing more than their snapshot as
2036  * an interlock and be sure of at least that much. (See page
2037  * recycling/"visible to everyone" notes in nbtree README.)
2038  *
2039  * Furthermore, it's okay if we follow a rightlink and find a half-dead or
2040  * dead (ignorable) page one or more times. There will either be a
2041  * further right link to follow that leads to a live page before too long
2042  * (before passing by parent's rightmost child), or we will find the end
2043  * of the entire level instead (possible when parent page is itself the
2044  * rightmost on its level).
2045  */
2046  targetnext = opaque->btpo_next;
2047  for (;;)
2048  {
2049  CHECK_FOR_INTERRUPTS();
2050 
2051  rightpage = palloc_btree_page(state, targetnext);
2052  opaque = BTPageGetOpaque(rightpage);
2053 
2054  if (!P_IGNORE(opaque) || P_RIGHTMOST(opaque))
2055  break;
2056 
2057  /*
2058  * We landed on a deleted or half-dead sibling page. Step right until
2059  * we locate a live sibling page.
2060  */
2061  ereport(DEBUG2,
2062  (errcode(ERRCODE_NO_DATA),
2063  errmsg_internal("level %u sibling page in block %u of index \"%s\" was found deleted or half dead",
2064  opaque->btpo_level, targetnext, RelationGetRelationName(state->rel)),
2065  errdetail_internal("Deleted page found when building scankey from right sibling.")));
2066 
2067  targetnext = opaque->btpo_next;
2068 
2069  /* Be slightly more pro-active in freeing this memory, just in case */
2070  pfree(rightpage);
2071  }
2072 
2073  /*
2074  * No ShareLock held case -- why it's safe to proceed.
2075  *
2076  * Problem:
2077  *
2078  * We must avoid false positive reports of corruption when caller treats
2079  * item returned here as an upper bound on target's last item. In
2080  * general, false positives are disallowed. Avoiding them here when
2081  * caller is !readonly is subtle.
2082  *
2083  * A concurrent page deletion by VACUUM of the target page can result in
2084  * the insertion of items on to this right sibling page that would
2085  * previously have been inserted on our target page. There might have
2086  * been insertions that followed the target's downlink after it was made
2087  * to point to right sibling instead of target by page deletion's first
2088  * phase. The inserters insert items that would belong on target page.
2089  * This race is very tight, but it's possible. This is our only problem.
2090  *
2091  * Non-problems:
2092  *
2093  * We are not hindered by a concurrent page split of the target; we'll
2094  * never land on the second half of the page anyway. A concurrent split
2095  * of the right page will also not matter, because the first data item
2096  * remains the same within the left half, which we'll reliably land on. If
2097  * we had to skip over ignorable/deleted pages, it cannot matter because
2098  * their key space has already been atomically merged with the first
2099  * non-ignorable page we eventually find (doesn't matter whether the page
2100  * we eventually find is a true sibling or a cousin of target, which we go
2101  * into below).
2102  *
2103  * Solution:
2104  *
2105  * Caller knows that it should reverify that target is not ignorable
2106  * (half-dead or deleted) when cross-page sibling item comparison appears
2107  * to indicate corruption (invariant fails). This detects the single race
2108  * condition that exists for caller. This is correct because the
2109  * continued existence of target block as non-ignorable (not half-dead or
2110  * deleted) implies that target page was not merged into from the right by
2111  * deletion; the key space at or after target never moved left. Target's
2112  * parent either has the same downlink to target as before, or a <
2113  * downlink due to deletion at the left of target. Target either has the
2114  * same highkey as before, or a highkey < before when there is a page
2115  * split. (The rightmost concurrently-split-from-target-page page will
2116  * still have the same highkey as target was originally found to have,
2117  * which for our purposes is equivalent to target's highkey itself never
2118  * changing, since we reliably skip over
2119  * concurrently-split-from-target-page pages.)
2120  *
2121  * In simpler terms, we allow that the key space of the target may expand
2122  * left (the key space can move left on the left side of target only), but
2123  * the target key space cannot expand right and get ahead of us without
2124  * our detecting it. The key space of the target cannot shrink, unless it
2125  * shrinks to zero due to the deletion of the original page, our canary
2126  * condition. (To be very precise, we're a bit stricter than that because
2127  * it might just have been that the target page split and only the
2128  * original target page was deleted. We can be more strict, just not more
2129  * lax.)
2130  *
2131  * Top level tree walk caller moves on to next page (makes it the new
2132  * target) following recovery from this race. (cf. The rationale for
2133  * child/downlink verification needing a ShareLock within
2134  * bt_child_check(), where page deletion is also the main source of
2135  * trouble.)
2136  *
2137  * Note that it doesn't matter if right sibling page here is actually a
2138  * cousin page, because in order for the key space to be readjusted in a
2139  * way that causes us issues in next level up (guiding problematic
2140  * concurrent insertions to the cousin from the grandparent rather than to
2141  * the sibling from the parent), there'd have to be page deletion of
2142  * target's parent page (affecting target's parent's downlink in target's
2143  * grandparent page). Internal page deletion only occurs when there are
2144  * no child pages (they were all fully deleted), and caller is checking
2145  * that the target's parent has at least one non-deleted (so
2146  * non-ignorable) child: the target page. (Note that the first phase of
2147  * deletion atomically marks the page to be deleted half-dead/ignorable at
2148  * the same time downlink in its parent is removed, so caller will
2149  * definitely not fail to detect that this happened.)
2150  *
2151  * This trick is inspired by the method backward scans use for dealing
2152  * with concurrent page splits; concurrent page deletion is a problem that
2153  * similarly receives special consideration sometimes (it's possible that
2154  * the backwards scan will re-read its "original" block after failing to
2155  * find a right-link to it, having already moved in the opposite direction
2156  * (right/"forwards") a few times to try to locate one). Just like us,
2157  * that happens only to determine if there was a concurrent page deletion
2158  * of a reference page, and just like us if there was a page deletion of
2159  * that reference page it means we can move on from caring about the
2160  * reference page. See the nbtree README for a full description of how
2161  * that works.
2162  */
2163  nline = PageGetMaxOffsetNumber(rightpage);
2164 
2165  /*
2166  * Get first data item, if any
2167  */
2168  if (P_ISLEAF(opaque) && nline >= P_FIRSTDATAKEY(opaque))
2169  {
2170  /* Return first data item (if any) */
2171  rightitem = PageGetItemIdCareful(state, targetnext, rightpage,
2172  P_FIRSTDATAKEY(opaque));
2173  *rightfirstoffset = P_FIRSTDATAKEY(opaque);
2174  }
2175  else if (!P_ISLEAF(opaque) &&
2176  nline >= OffsetNumberNext(P_FIRSTDATAKEY(opaque)))
2177  {
2178  /*
2179  * Return first item after the internal page's "negative infinity"
2180  * item
2181  */
2182  rightitem = PageGetItemIdCareful(state, targetnext, rightpage,
2183  OffsetNumberNext(P_FIRSTDATAKEY(opaque)));
2184  }
2185  else
2186  {
2187  /*
2188  * No first item. Page is probably empty leaf page, but it's also
2189  * possible that it's an internal page with only a negative infinity
2190  * item.
2191  */
2192  ereport(DEBUG2,
2193  (errcode(ERRCODE_NO_DATA),
2194  errmsg_internal("%s block %u of index \"%s\" has no first data item",
2195  P_ISLEAF(opaque) ? "leaf" : "internal", targetnext,
2196  RelationGetRelationName(state->rel))));
2197  return NULL;
2198  }
2199 
2200  /*
2201  * Return first real item scankey. Note that this relies on right page
2202  * memory remaining allocated.
2203  */
2204  firstitup = (IndexTuple) PageGetItem(rightpage, rightitem);
2205  return bt_mkscankey_pivotsearch(state->rel, firstitup);
2206 }
2207 
2208 /*
2209  * Check if two tuples are binary identical except the block number. So,
2210  * this function is capable to compare pivot keys on different levels.
2211  */
2212 static bool
2213 bt_pivot_tuple_identical(bool heapkeyspace, IndexTuple itup1, IndexTuple itup2)
2214 {
2215  if (IndexTupleSize(itup1) != IndexTupleSize(itup2))
2216  return false;
2217 
2218  if (heapkeyspace)
2219  {
2220  /*
2221  * Offset number will contain important information in heapkeyspace
2222  * indexes: the number of attributes left in the pivot tuple following
2223  * suffix truncation. Don't skip over it (compare it too).
2224  */
2225  if (memcmp(&itup1->t_tid.ip_posid, &itup2->t_tid.ip_posid,
2226  IndexTupleSize(itup1) -
2227  offsetof(ItemPointerData, ip_posid)) != 0)
2228  return false;
2229  }
2230  else
2231  {
2232  /*
2233  * Cannot rely on offset number field having consistent value across
2234  * levels on pg_upgrade'd !heapkeyspace indexes. Compare contents of
2235  * tuple starting from just after item pointer (i.e. after block
2236  * number and offset number).
2237  */
2238  if (memcmp(&itup1->t_info, &itup2->t_info,
2239  IndexTupleSize(itup1) -
2240  offsetof(IndexTupleData, t_info)) != 0)
2241  return false;
2242  }
2243 
2244  return true;
2245 }
2246 
2247 /*---
2248  * Check high keys on the child level. Traverse rightlinks from previous
2249  * downlink to the current one. Check that there are no intermediate pages
2250  * with missing downlinks.
2251  *
2252  * If 'loaded_child' is given, it's assumed to be the page pointed to by the
2253  * downlink referenced by 'downlinkoffnum' of the target page.
2254  *
2255  * Basically this function is called for each target downlink and checks two
2256  * invariants:
2257  *
2258  * 1) You can reach the next child from previous one via rightlinks;
2259  * 2) Each child high key have matching pivot key on target level.
2260  *
2261  * Consider the sample tree picture.
2262  *
2263  * 1
2264  * / \
2265  * 2 <-> 3
2266  * / \ / \
2267  * 4 <> 5 <> 6 <> 7 <> 8
2268  *
2269  * This function will be called for blocks 4, 5, 6 and 8. Consider what is
2270  * happening for each function call.
2271  *
2272  * - The function call for block 4 initializes data structure and matches high
2273  * key of block 4 to downlink's pivot key of block 2.
2274  * - The high key of block 5 is matched to the high key of block 2.
2275  * - The block 6 has an incomplete split flag set, so its high key isn't
2276  * matched to anything.
2277  * - The function call for block 8 checks that block 8 can be found while
2278  * following rightlinks from block 6. The high key of block 7 will be
2279  * matched to downlink's pivot key in block 3.
2280  *
2281  * There is also final call of this function, which checks that there is no
2282  * missing downlinks for children to the right of the child referenced by
2283  * rightmost downlink in target level.
2284  */
2285 static void
2286 bt_child_highkey_check(BtreeCheckState *state,
2287  OffsetNumber target_downlinkoffnum,
2288  Page loaded_child,
2289  uint32 target_level)
2290 {
2291  BlockNumber blkno = state->prevrightlink;
2292  Page page;
2293  BTPageOpaque opaque;
2294  bool rightsplit = state->previncompletesplit;
2295  bool first = true;
2296  ItemId itemid;
2297  IndexTuple itup;
2298  BlockNumber downlink;
2299 
2300  if (OffsetNumberIsValid(target_downlinkoffnum))
2301  {
2302  itemid = PageGetItemIdCareful(state, state->targetblock,
2303  state->target, target_downlinkoffnum);
2304  itup = (IndexTuple) PageGetItem(state->target, itemid);
2305  downlink = BTreeTupleGetDownLink(itup);
2306  }
2307  else
2308  {
2309  downlink = P_NONE;
2310  }
2311 
2312  /*
2313  * If no previous rightlink is memorized for current level just below
2314  * target page's level, we are about to start from the leftmost page. We
2315  * can't follow rightlinks from previous page, because there is no
2316  * previous page. But we still can match high key.
2317  *
2318  * So we initialize variables for the loop above like there is previous
2319  * page referencing current child. Also we imply previous page to not
2320  * have incomplete split flag, that would make us require downlink for
2321  * current child. That's correct, because leftmost page on the level
2322  * should always have parent downlink.
2323  */
2324  if (!BlockNumberIsValid(blkno))
2325  {
2326  blkno = downlink;
2327  rightsplit = false;
2328  }
2329 
2330  /* Move to the right on the child level */
2331  while (true)
2332  {
2333  /*
2334  * Did we traverse the whole tree level and this is check for pages to
2335  * the right of rightmost downlink?
2336  */
2337  if (blkno == P_NONE && downlink == P_NONE)
2338  {
2339  state->prevrightlink = InvalidBlockNumber;
2340  state->previncompletesplit = false;
2341  return;
2342  }
2343 
2344  /* Did we traverse the whole tree level and don't find next downlink? */
2345  if (blkno == P_NONE)
2346  ereport(ERROR,
2347  (errcode(ERRCODE_INDEX_CORRUPTED),
2348  errmsg("can't traverse from downlink %u to downlink %u of index \"%s\"",
2349  state->prevrightlink, downlink,
2350  RelationGetRelationName(state->rel))));
2351 
2352  /* Load page contents */
2353  if (blkno == downlink && loaded_child)
2354  page = loaded_child;
2355  else
2356  page = palloc_btree_page(state, blkno);
2357 
2358  opaque = BTPageGetOpaque(page);
2359 
2360  /* The first page we visit at the level should be leftmost */
2361  if (first && !BlockNumberIsValid(state->prevrightlink) &&
2362  !bt_leftmost_ignoring_half_dead(state, blkno, opaque))
2363  ereport(ERROR,
2364  (errcode(ERRCODE_INDEX_CORRUPTED),
2365  errmsg("the first child of leftmost target page is not leftmost of its level in index \"%s\"",
2366  RelationGetRelationName(state->rel)),
2367  errdetail_internal("Target block=%u child block=%u target page lsn=%X/%X.",
2368  state->targetblock, blkno,
2369  LSN_FORMAT_ARGS(state->targetlsn))));
2370 
2371  /* Do level sanity check */
2372  if ((!P_ISDELETED(opaque) || P_HAS_FULLXID(opaque)) &&
2373  opaque->btpo_level != target_level - 1)
2374  ereport(ERROR,
2375  (errcode(ERRCODE_INDEX_CORRUPTED),
2376  errmsg("block found while following rightlinks from child of index \"%s\" has invalid level",
2377  RelationGetRelationName(state->rel)),
2378  errdetail_internal("Block pointed to=%u expected level=%u level in pointed to block=%u.",
2379  blkno, target_level - 1, opaque->btpo_level)));
2380 
2381  /* Try to detect circular links */
2382  if ((!first && blkno == state->prevrightlink) || blkno == opaque->btpo_prev)
2383  ereport(ERROR,
2384  (errcode(ERRCODE_INDEX_CORRUPTED),
2385  errmsg("circular link chain found in block %u of index \"%s\"",
2386  blkno, RelationGetRelationName(state->rel))));
2387 
2388  if (blkno != downlink && !P_IGNORE(opaque))
2389  {
2390  /* blkno probably has missing parent downlink */
2391  bt_downlink_missing_check(state, rightsplit, blkno, page);
2392  }
2393 
2394  rightsplit = P_INCOMPLETE_SPLIT(opaque);
2395 
2396  /*
2397  * If we visit page with high key, check that it is equal to the
2398  * target key next to corresponding downlink.
2399  */
2400  if (!rightsplit && !P_RIGHTMOST(opaque))
2401  {
2402  BTPageOpaque topaque;
2403  IndexTuple highkey;
2404  OffsetNumber pivotkey_offset;
2405 
2406  /* Get high key */
2407  itemid = PageGetItemIdCareful(state, blkno, page, P_HIKEY);
2408  highkey = (IndexTuple) PageGetItem(page, itemid);
2409 
2410  /*
2411  * There might be two situations when we examine high key. If
2412  * current child page is referenced by given target downlink, we
2413  * should look to the next offset number for matching key from
2414  * target page.
2415  *
2416  * Alternatively, we're following rightlinks somewhere in the
2417  * middle between page referenced by previous target's downlink
2418  * and the page referenced by current target's downlink. If
2419  * current child page hasn't incomplete split flag set, then its
2420  * high key should match to the target's key of current offset
2421  * number. This happens when a previous call here (to
2422  * bt_child_highkey_check()) found an incomplete split, and we
2423  * reach a right sibling page without a downlink -- the right
2424  * sibling page's high key still needs to be matched to a
2425  * separator key on the parent/target level.
2426  *
2427  * Don't apply OffsetNumberNext() to target_downlinkoffnum when we
2428  * already had to step right on the child level. Our traversal of
2429  * the child level must try to move in perfect lockstep behind (to
2430  * the left of) the target/parent level traversal.
2431  */
2432  if (blkno == downlink)
2433  pivotkey_offset = OffsetNumberNext(target_downlinkoffnum);
2434  else
2435  pivotkey_offset = target_downlinkoffnum;
2436 
2437  topaque = BTPageGetOpaque(state->target);
2438 
2439  if (!offset_is_negative_infinity(topaque, pivotkey_offset))
2440  {
2441  /*
2442  * If we're looking for the next pivot tuple in target page,
2443  * but there is no more pivot tuples, then we should match to
2444  * high key instead.
2445  */
2446  if (pivotkey_offset > PageGetMaxOffsetNumber(state->target))
2447  {
2448  if (P_RIGHTMOST(topaque))
2449  ereport(ERROR,
2450  (errcode(ERRCODE_INDEX_CORRUPTED),
2451  errmsg("child high key is greater than rightmost pivot key on target level in index \"%s\"",
2452  RelationGetRelationName(state->rel)),
2453  errdetail_internal("Target block=%u child block=%u target page lsn=%X/%X.",
2454  state->targetblock, blkno,
2455  LSN_FORMAT_ARGS(state->targetlsn))));
2456  pivotkey_offset = P_HIKEY;
2457  }
2458  itemid = PageGetItemIdCareful(state, state->targetblock,
2459  state->target, pivotkey_offset);
2460  itup = (IndexTuple) PageGetItem(state->target, itemid);
2461  }
2462  else
2463  {
2464  /*
2465  * We cannot try to match child's high key to a negative
2466  * infinity key in target, since there is nothing to compare.
2467  * However, it's still possible to match child's high key
2468  * outside of target page. The reason why we're are is that
2469  * bt_child_highkey_check() was previously called for the
2470  * cousin page of 'loaded_child', which is incomplete split.
2471  * So, now we traverse to the right of that cousin page and
2472  * current child level page under consideration still belongs
2473  * to the subtree of target's left sibling. Thus, we need to
2474  * match child's high key to it's left uncle page high key.
2475  * Thankfully we saved it, it's called a "low key" of target
2476  * page.
2477  */
2478  if (!state->lowkey)
2479  ereport(ERROR,
2480  (errcode(ERRCODE_INDEX_CORRUPTED),
2481  errmsg("can't find left sibling high key in index \"%s\"",
2482  RelationGetRelationName(state->rel)),
2483  errdetail_internal("Target block=%u child block=%u target page lsn=%X/%X.",
2484  state->targetblock, blkno,
2485  LSN_FORMAT_ARGS(state->targetlsn))));
2486  itup = state->lowkey;
2487  }
2488 
2489  if (!bt_pivot_tuple_identical(state->heapkeyspace, highkey, itup))
2490  {
2491  ereport(ERROR,
2492  (errcode(ERRCODE_INDEX_CORRUPTED),
2493  errmsg("mismatch between parent key and child high key in index \"%s\"",
2494  RelationGetRelationName(state->rel)),
2495  errdetail_internal("Target block=%u child block=%u target page lsn=%X/%X.",
2496  state->targetblock, blkno,
2497  LSN_FORMAT_ARGS(state->targetlsn))));
2498  }
2499  }
2500 
2501  /* Exit if we already found next downlink */
2502  if (blkno == downlink)
2503  {
2504  state->prevrightlink = opaque->btpo_next;
2505  state->previncompletesplit = rightsplit;
2506  return;
2507  }
2508 
2509  /* Traverse to the next page using rightlink */
2510  blkno = opaque->btpo_next;
2511 
2512  /* Free page contents if it's allocated by us */
2513  if (page != loaded_child)
2514  pfree(page);
2515  first = false;
2516  }
2517 }
2518 
2519 /*
2520  * Checks one of target's downlink against its child page.
2521  *
2522  * Conceptually, the target page continues to be what is checked here. The
2523  * target block is still blamed in the event of finding an invariant violation.
2524  * The downlink insertion into the target is probably where any problem raised
2525  * here arises, and there is no such thing as a parent link, so doing the
2526  * verification this way around is much more practical.
2527  *
2528  * This function visits child page and it's sequentially called for each
2529  * downlink of target page. Assuming this we also check downlink connectivity
2530  * here in order to save child page visits.
2531  */
2532 static void
2533 bt_child_check(BtreeCheckState *state, BTScanInsert targetkey,
2534  OffsetNumber downlinkoffnum)
2535 {
2536  ItemId itemid;
2537  IndexTuple itup;
2538  BlockNumber childblock;
2539  OffsetNumber offset;
2540  OffsetNumber maxoffset;
2541  Page child;
2542  BTPageOpaque copaque;
2543  BTPageOpaque topaque;
2544 
2545  itemid = PageGetItemIdCareful(state, state->targetblock,
2546  state->target, downlinkoffnum);
2547  itup = (IndexTuple) PageGetItem(state->target, itemid);
2548  childblock = BTreeTupleGetDownLink(itup);
2549 
2550  /*
2551  * Caller must have ShareLock on target relation, because of
2552  * considerations around page deletion by VACUUM.
2553  *
2554  * NB: In general, page deletion deletes the right sibling's downlink, not
2555  * the downlink of the page being deleted; the deleted page's downlink is
2556  * reused for its sibling. The key space is thereby consolidated between
2557  * the deleted page and its right sibling. (We cannot delete a parent
2558  * page's rightmost child unless it is the last child page, and we intend
2559  * to also delete the parent itself.)
2560  *
2561  * If this verification happened without a ShareLock, the following race
2562  * condition could cause false positives:
2563  *
2564  * In general, concurrent page deletion might occur, including deletion of
2565  * the left sibling of the child page that is examined here. If such a
2566  * page deletion were to occur, closely followed by an insertion into the
2567  * newly expanded key space of the child, a window for the false positive
2568  * opens up: the stale parent/target downlink originally followed to get
2569  * to the child legitimately ceases to be a lower bound on all items in
2570  * the page, since the key space was concurrently expanded "left".
2571  * (Insertion followed the "new" downlink for the child, not our now-stale
2572  * downlink, which was concurrently physically removed in target/parent as
2573  * part of deletion's first phase.)
2574  *
2575  * While we use various techniques elsewhere to perform cross-page
2576  * verification for !readonly callers, a similar trick seems difficult
2577  * here. The tricks used by bt_recheck_sibling_links and by
2578  * bt_right_page_check_scankey both involve verification of a same-level,
2579  * cross-sibling invariant. Cross-level invariants are far more squishy,
2580  * though. The nbtree REDO routines do not actually couple buffer locks
2581  * across levels during page splits, so making any cross-level check work
2582  * reliably in !readonly mode may be impossible.
2583  */
2584  Assert(state->readonly);
2585 
2586  /*
2587  * Verify child page has the downlink key from target page (its parent) as
2588  * a lower bound; downlink must be strictly less than all keys on the
2589  * page.
2590  *
2591  * Check all items, rather than checking just the first and trusting that
2592  * the operator class obeys the transitive law.
2593  */
2594  topaque = BTPageGetOpaque(state->target);
2595  child = palloc_btree_page(state, childblock);
2596  copaque = BTPageGetOpaque(child);
2597  maxoffset = PageGetMaxOffsetNumber(child);
2598 
2599  /*
2600  * Since we've already loaded the child block, combine this check with
2601  * check for downlink connectivity.
2602  */
2603  bt_child_highkey_check(state, downlinkoffnum,
2604  child, topaque->btpo_level);
2605 
2606  /*
2607  * Since there cannot be a concurrent VACUUM operation in readonly mode,
2608  * and since a page has no links within other pages (siblings and parent)
2609  * once it is marked fully deleted, it should be impossible to land on a
2610  * fully deleted page.
2611  *
2612  * It does not quite make sense to enforce that the page cannot even be
2613  * half-dead, despite the fact the downlink is modified at the same stage
2614  * that the child leaf page is marked half-dead. That's incorrect because
2615  * there may occasionally be multiple downlinks from a chain of pages
2616  * undergoing deletion, where multiple successive calls are made to
2617  * _bt_unlink_halfdead_page() by VACUUM before it can finally safely mark
2618  * the leaf page as fully dead. While _bt_mark_page_halfdead() usually
2619  * removes the downlink to the leaf page that is marked half-dead, that's
2620  * not guaranteed, so it's possible we'll land on a half-dead page with a
2621  * downlink due to an interrupted multi-level page deletion.
2622  *
2623  * We go ahead with our checks if the child page is half-dead. It's safe
2624  * to do so because we do not test the child's high key, so it does not
2625  * matter that the original high key will have been replaced by a dummy
2626  * truncated high key within _bt_mark_page_halfdead(). All other page
2627  * items are left intact on a half-dead page, so there is still something
2628  * to test.
2629  */
2630  if (P_ISDELETED(copaque))
2631  ereport(ERROR,
2632  (errcode(ERRCODE_INDEX_CORRUPTED),
2633  errmsg("downlink to deleted page found in index \"%s\"",
2634  RelationGetRelationName(state->rel)),
2635  errdetail_internal("Parent block=%u child block=%u parent page lsn=%X/%X.",
2636  state->targetblock, childblock,
2637  LSN_FORMAT_ARGS(state->targetlsn))));
2638 
2639  for (offset = P_FIRSTDATAKEY(copaque);
2640  offset <= maxoffset;
2641  offset = OffsetNumberNext(offset))
2642  {
2643  /*
2644  * Skip comparison of target page key against "negative infinity"
2645  * item, if any. Checking it would indicate that it's not a strict
2646  * lower bound, but that's only because of the hard-coding for
2647  * negative infinity items within _bt_compare().
2648  *
2649  * If nbtree didn't truncate negative infinity tuples during internal
2650  * page splits then we'd expect child's negative infinity key to be
2651  * equal to the scankey/downlink from target/parent (it would be a
2652  * "low key" in this hypothetical scenario, and so it would still need
2653  * to be treated as a special case here).
2654  *
2655  * Negative infinity items can be thought of as a strict lower bound
2656  * that works transitively, with the last non-negative-infinity pivot
2657  * followed during a descent from the root as its "true" strict lower
2658  * bound. Only a small number of negative infinity items are truly
2659  * negative infinity; those that are the first items of leftmost
2660  * internal pages. In more general terms, a negative infinity item is
2661  * only negative infinity with respect to the subtree that the page is
2662  * at the root of.
2663  *
2664  * See also: bt_rootdescend(), which can even detect transitive
2665  * inconsistencies on cousin leaf pages.
2666  */
2667  if (offset_is_negative_infinity(copaque, offset))
2668  continue;
2669 
2670  if (!invariant_l_nontarget_offset(state, targetkey, childblock, child,
2671  offset))
2672  ereport(ERROR,
2673  (errcode(ERRCODE_INDEX_CORRUPTED),
2674  errmsg("down-link lower bound invariant violated for index \"%s\"",
2675  RelationGetRelationName(state->rel)),
2676  errdetail_internal("Parent block=%u child index tid=(%u,%u) parent page lsn=%X/%X.",
2677  state->targetblock, childblock, offset,
2678  LSN_FORMAT_ARGS(state->targetlsn))));
2679  }
2680 
2681  pfree(child);
2682 }
2683 
2684 /*
2685  * Checks if page is missing a downlink that it should have.
2686  *
2687  * A page that lacks a downlink/parent may indicate corruption. However, we
2688  * must account for the fact that a missing downlink can occasionally be
2689  * encountered in a non-corrupt index. This can be due to an interrupted page
2690  * split, or an interrupted multi-level page deletion (i.e. there was a hard
2691  * crash or an error during a page split, or while VACUUM was deleting a
2692  * multi-level chain of pages).
2693  *
2694  * Note that this can only be called in readonly mode, so there is no need to
2695  * be concerned about concurrent page splits or page deletions.
2696  */
2697 static void
2698 bt_downlink_missing_check(BtreeCheckState *state, bool rightsplit,
2699  BlockNumber blkno, Page page)
2700 {
2701  BTPageOpaque opaque = BTPageGetOpaque(page);
2702  ItemId itemid;
2703  IndexTuple itup;
2704  Page child;
2705  BTPageOpaque copaque;
2706  uint32 level;
2707  BlockNumber childblk;
2708  XLogRecPtr pagelsn;
2709 
2710  Assert(state->readonly);
2711  Assert(!P_IGNORE(opaque));
2712 
2713  /* No next level up with downlinks to fingerprint from the true root */
2714  if (P_ISROOT(opaque))
2715  return;
2716 
2717  pagelsn = PageGetLSN(page);
2718 
2719  /*
2720  * Incomplete (interrupted) page splits can account for the lack of a
2721  * downlink. Some inserting transaction should eventually complete the
2722  * page split in passing, when it notices that the left sibling page is
2723  * P_INCOMPLETE_SPLIT().
2724  *
2725  * In general, VACUUM is not prepared for there to be no downlink to a
2726  * page that it deletes. This is the main reason why the lack of a
2727  * downlink can be reported as corruption here. It's not obvious that an
2728  * invalid missing downlink can result in wrong answers to queries,
2729  * though, since index scans that land on the child may end up
2730  * consistently moving right. The handling of concurrent page splits (and
2731  * page deletions) within _bt_moveright() cannot distinguish
2732  * inconsistencies that last for a moment from inconsistencies that are
2733  * permanent and irrecoverable.
2734  *
2735  * VACUUM isn't even prepared to delete pages that have no downlink due to
2736  * an incomplete page split, but it can detect and reason about that case
2737  * by design, so it shouldn't be taken to indicate corruption. See
2738  * _bt_pagedel() for full details.
2739  */
2740  if (rightsplit)
2741  {
2742  ereport(DEBUG1,
2743  (errcode(ERRCODE_NO_DATA),
2744  errmsg_internal("harmless interrupted page split detected in index \"%s\"",
2745  RelationGetRelationName(state->rel)),
2746  errdetail_internal("Block=%u level=%u left sibling=%u page lsn=%X/%X.",
2747  blkno, opaque->btpo_level,
2748  opaque->btpo_prev,
2749  LSN_FORMAT_ARGS(pagelsn))));
2750  return;
2751  }
2752 
2753  /*
2754  * Page under check is probably the "top parent" of a multi-level page
2755  * deletion. We'll need to descend the subtree to make sure that
2756  * descendant pages are consistent with that, though.
2757  *
2758  * If the page (which must be non-ignorable) is a leaf page, then clearly
2759  * it can't be the top parent. The lack of a downlink is probably a
2760  * symptom of a broad problem that could just as easily cause
2761  * inconsistencies anywhere else.
2762  */
2763  if (P_ISLEAF(opaque))
2764  ereport(ERROR,
2765  (errcode(ERRCODE_INDEX_CORRUPTED),
2766  errmsg("leaf index block lacks downlink in index \"%s\"",
2767  RelationGetRelationName(state->rel)),
2768  errdetail_internal("Block=%u page lsn=%X/%X.",
2769  blkno,
2770  LSN_FORMAT_ARGS(pagelsn))));
2771 
2772  /* Descend from the given page, which is an internal page */
2773  elog(DEBUG1, "checking for interrupted multi-level deletion due to missing downlink in index \"%s\"",
2774  RelationGetRelationName(state->rel));
2775 
2776  level = opaque->btpo_level;
2777  itemid = PageGetItemIdCareful(state, blkno, page, P_FIRSTDATAKEY(opaque));
2778  itup = (IndexTuple) PageGetItem(page, itemid);
2779  childblk = BTreeTupleGetDownLink(itup);
2780  for (;;)
2781  {
2782  CHECK_FOR_INTERRUPTS();
2783 
2784  child = palloc_btree_page(state, childblk);
2785  copaque = BTPageGetOpaque(child);
2786 
2787  if (P_ISLEAF(copaque))
2788  break;
2789 
2790  /* Do an extra sanity check in passing on internal pages */
2791  if (copaque->btpo_level != level - 1)
2792  ereport(ERROR,
2793  (errcode(ERRCODE_INDEX_CORRUPTED),
2794  errmsg_internal("downlink points to block in index \"%s\" whose level is not one level down",
2795  RelationGetRelationName(state->rel)),
2796  errdetail_internal("Top parent/under check block=%u block pointed to=%u expected level=%u level in pointed to block=%u.",
2797  blkno, childblk,
2798  level - 1, copaque->btpo_level)));
2799 
2800  level = copaque->btpo_level;
2801  itemid = PageGetItemIdCareful(state, childblk, child,
2802  P_FIRSTDATAKEY(copaque));
2803  itup = (IndexTuple) PageGetItem(child, itemid);
2804  childblk = BTreeTupleGetDownLink(itup);
2805  /* Be slightly more pro-active in freeing this memory, just in case */
2806  pfree(child);
2807  }
2808 
2809  /*
2810  * Since there cannot be a concurrent VACUUM operation in readonly mode,
2811  * and since a page has no links within other pages (siblings and parent)
2812  * once it is marked fully deleted, it should be impossible to land on a
2813  * fully deleted page. See bt_child_check() for further details.
2814  *
2815  * The bt_child_check() P_ISDELETED() check is repeated here because
2816  * bt_child_check() does not visit pages reachable through negative
2817  * infinity items. Besides, bt_child_check() is unwilling to descend
2818  * multiple levels. (The similar bt_child_check() P_ISDELETED() check
2819  * within bt_check_level_from_leftmost() won't reach the page either,
2820  * since the leaf's live siblings should have their sibling links updated
2821  * to bypass the deletion target page when it is marked fully dead.)
2822  *
2823  * If this error is raised, it might be due to a previous multi-level page
2824  * deletion that failed to realize that it wasn't yet safe to mark the
2825  * leaf page as fully dead. A "dangling downlink" will still remain when
2826  * this happens. The fact that the dangling downlink's page (the leaf's
2827  * parent/ancestor page) lacked a downlink is incidental.
2828  */
2829  if (P_ISDELETED(copaque))
2830  ereport(ERROR,
2831  (errcode(ERRCODE_INDEX_CORRUPTED),
2832  errmsg_internal("downlink to deleted leaf page found in index \"%s\"",
2833  RelationGetRelationName(state->rel)),
2834  errdetail_internal("Top parent/target block=%u leaf block=%u top parent/under check lsn=%X/%X.",
2835  blkno, childblk,
2836  LSN_FORMAT_ARGS(pagelsn))));
2837 
2838  /*
2839  * Iff leaf page is half-dead, its high key top parent link should point
2840  * to what VACUUM considered to be the top parent page at the instant it
2841  * was interrupted. Provided the high key link actually points to the
2842  * page under check, the missing downlink we detected is consistent with
2843  * there having been an interrupted multi-level page deletion. This means
2844  * that the subtree with the page under check at its root (a page deletion
2845  * chain) is in a consistent state, enabling VACUUM to resume deleting the
2846  * entire chain the next time it encounters the half-dead leaf page.
2847  */
2848  if (P_ISHALFDEAD(copaque) && !P_RIGHTMOST(copaque))
2849  {
2850  itemid = PageGetItemIdCareful(state, childblk, child, P_HIKEY);
2851  itup = (IndexTuple) PageGetItem(child, itemid);
2852  if (BTreeTupleGetTopParent(itup) == blkno)
2853  return;
2854  }
2855 
2856  ereport(ERROR,
2857  (errcode(ERRCODE_INDEX_CORRUPTED),
2858  errmsg("internal index block lacks downlink in index \"%s\"",
2859  RelationGetRelationName(state->rel)),
2860  errdetail_internal("Block=%u level=%u page lsn=%X/%X.",
2861  blkno, opaque->btpo_level,
2862  LSN_FORMAT_ARGS(pagelsn))));
2863 }
2864 
2865 /*
2866  * Per-tuple callback from table_index_build_scan, used to determine if index has
2867  * all the entries that definitely should have been observed in leaf pages of
2868  * the target index (that is, all IndexTuples that were fingerprinted by our
2869  * Bloom filter). All heapallindexed checks occur here.
2870  *
2871  * The redundancy between an index and the table it indexes provides a good
2872  * opportunity to detect corruption, especially corruption within the table.
2873  * The high level principle behind the verification performed here is that any
2874  * IndexTuple that should be in an index following a fresh CREATE INDEX (based
2875  * on the same index definition) should also have been in the original,
2876  * existing index, which should have used exactly the same representation
2877  *
2878  * Since the overall structure of the index has already been verified, the most
2879  * likely explanation for error here is a corrupt heap page (could be logical
2880  * or physical corruption). Index corruption may still be detected here,
2881  * though. Only readonly callers will have verified that left links and right
2882  * links are in agreement, and so it's possible that a leaf page transposition
2883  * within index is actually the source of corruption detected here (for
2884  * !readonly callers). The checks performed only for readonly callers might
2885  * more accurately frame the problem as a cross-page invariant issue (this
2886  * could even be due to recovery not replaying all WAL records). The !readonly
2887  * ERROR message raised here includes a HINT about retrying with readonly
2888  * verification, just in case it's a cross-page invariant issue, though that
2889  * isn't particularly likely.
2890  *
2891  * table_index_build_scan() expects to be able to find the root tuple when a
2892  * heap-only tuple (the live tuple at the end of some HOT chain) needs to be
2893  * indexed, in order to replace the actual tuple's TID with the root tuple's
2894  * TID (which is what we're actually passed back here). The index build heap
2895  * scan code will raise an error when a tuple that claims to be the root of the
2896  * heap-only tuple's HOT chain cannot be located. This catches cases where the
2897  * original root item offset/root tuple for a HOT chain indicates (for whatever
2898  * reason) that the entire HOT chain is dead, despite the fact that the latest
2899  * heap-only tuple should be indexed. When this happens, sequential scans may
2900  * always give correct answers, and all indexes may be considered structurally
2901  * consistent (i.e. the nbtree structural checks would not detect corruption).
2902  * It may be the case that only index scans give wrong answers, and yet heap or
2903  * SLRU corruption is the real culprit. (While it's true that LP_DEAD bit
2904  * setting will probably also leave the index in a corrupt state before too
2905  * long, the problem is nonetheless that there is heap corruption.)
2906  *
2907  * Heap-only tuple handling within table_index_build_scan() works in a way that
2908  * helps us to detect index tuples that contain the wrong values (values that
2909  * don't match the latest tuple in the HOT chain). This can happen when there
2910  * is no superseding index tuple due to a faulty assessment of HOT safety,
2911  * perhaps during the original CREATE INDEX. Because the latest tuple's
2912  * contents are used with the root TID, an error will be raised when a tuple
2913  * with the same TID but non-matching attribute values is passed back to us.
2914  * Faulty assessment of HOT-safety was behind at least two distinct CREATE
2915  * INDEX CONCURRENTLY bugs that made it into stable releases, one of which was
2916  * undetected for many years. In short, the same principle that allows a
2917  * REINDEX to repair corruption when there was an (undetected) broken HOT chain
2918  * also allows us to detect the corruption in many cases.
2919  */
2920 static void
2921 bt_tuple_present_callback(Relation index, ItemPointer tid, Datum *values,
2922  bool *isnull, bool tupleIsAlive, void *checkstate)
2923 {
2924  BtreeCheckState *state = (BtreeCheckState *) checkstate;
2925  IndexTuple itup,
2926  norm;
2927 
2928  Assert(state->heapallindexed);
2929 
2930  /* Generate a normalized index tuple for fingerprinting */
2931  itup = index_form_tuple(RelationGetDescr(index), values, isnull);
2932  itup->t_tid = *tid;
2933  norm = bt_normalize_tuple(state, itup);
2934 
2935  /* Probe Bloom filter -- tuple should be present */
2936  if (bloom_lacks_element(state->filter, (unsigned char *) norm,
2937  IndexTupleSize(norm)))
2938  ereport(ERROR,
2939  (errcode(ERRCODE_DATA_CORRUPTED),
2940  errmsg("heap tuple (%u,%u) from table \"%s\" lacks matching index tuple within index \"%s\"",
2941  ItemPointerGetBlockNumber(&(itup->t_tid)),
2942  ItemPointerGetOffsetNumber(&(itup->t_tid)),
2943  RelationGetRelationName(state->heaprel),
2944  RelationGetRelationName(state->rel)),
2945  !state->readonly
2946  ? errhint("Retrying verification using the function bt_index_parent_check() might provide a more specific error.")
2947  : 0));
2948 
2949  state->heaptuplespresent++;
2950  pfree(itup);
2951  /* Cannot leak memory here */
2952  if (norm != itup)
2953  pfree(norm);
2954 }
2955 
2956 /*
2957  * Normalize an index tuple for fingerprinting.
2958  *
2959  * In general, index tuple formation is assumed to be deterministic by
2960  * heapallindexed verification, and IndexTuples are assumed immutable. While
2961  * the LP_DEAD bit is mutable in leaf pages, that's ItemId metadata, which is
2962  * not fingerprinted. Normalization is required to compensate for corner
2963  * cases where the determinism assumption doesn't quite work.
2964  *
2965  * There is currently one such case: index_form_tuple() does not try to hide
2966  * the source TOAST state of input datums. The executor applies TOAST
2967  * compression for heap tuples based on different criteria to the compression
2968  * applied within btinsert()'s call to index_form_tuple(): it sometimes
2969  * compresses more aggressively, resulting in compressed heap tuple datums but
2970  * uncompressed corresponding index tuple datums. A subsequent heapallindexed
2971  * verification will get a logically equivalent though bitwise unequal tuple
2972  * from index_form_tuple(). False positive heapallindexed corruption reports
2973  * could occur without normalizing away the inconsistency.
2974  *
2975  * Returned tuple is often caller's own original tuple. Otherwise, it is a
2976  * new representation of caller's original index tuple, palloc()'d in caller's
2977  * memory context.
2978  *
2979  * Note: This routine is not concerned with distinctions about the
2980  * representation of tuples beyond those that might break heapallindexed
2981  * verification. In particular, it won't try to normalize opclass-equal
2982  * datums with potentially distinct representations (e.g., btree/numeric_ops
2983  * index datums will not get their display scale normalized-away here).
2984  * Caller does normalization for non-pivot tuples that have a posting list,
2985  * since dummy CREATE INDEX callback code generates new tuples with the same
2986  * normalized representation.
2987  */
2988 static IndexTuple
2989 bt_normalize_tuple(BtreeCheckState *state, IndexTuple itup)
2990 {
2991  TupleDesc tupleDescriptor = RelationGetDescr(state->rel);
2992  Datum normalized[INDEX_MAX_KEYS];
2993  bool isnull[INDEX_MAX_KEYS];
2994  bool need_free[INDEX_MAX_KEYS];
2995  bool formnewtup = false;
2996  IndexTuple reformed;
2997  int i;
2998 
2999  /* Caller should only pass "logical" non-pivot tuples here */
3000  Assert(!BTreeTupleIsPosting(itup) && !BTreeTupleIsPivot(itup));
3001 
3002  /* Easy case: It's immediately clear that tuple has no varlena datums */
3003  if (!IndexTupleHasVarwidths(itup))
3004  return itup;
3005 
3006  for (i = 0; i < tupleDescriptor->natts; i++)
3007  {
3008  Form_pg_attribute att;
3009 
3010  att = TupleDescAttr(tupleDescriptor, i);
3011 
3012  /* Assume untoasted/already normalized datum initially */
3013  need_free[i] = false;
3014  normalized[i] = index_getattr(itup, att->attnum,
3015  tupleDescriptor,
3016  &isnull[i]);
3017  if (att->attbyval || att->attlen != -1 || isnull[i])
3018  continue;
3019 
3020  /*
3021  * Callers always pass a tuple that could safely be inserted into the
3022  * index without further processing, so an external varlena header
3023  * should never be encountered here
3024  */
3025  if (VARATT_IS_EXTERNAL(DatumGetPointer(normalized[i])))
3026  ereport(ERROR,
3027  (errcode(ERRCODE_INDEX_CORRUPTED),
3028  errmsg("external varlena datum in tuple that references heap row (%u,%u) in index \"%s\"",
3029  ItemPointerGetBlockNumber(&(itup->t_tid)),
3030  ItemPointerGetOffsetNumber(&(itup->t_tid)),
3031  RelationGetRelationName(state->rel))));
3032  else if (!VARATT_IS_COMPRESSED(DatumGetPointer(normalized[i])) &&
3033  VARSIZE(DatumGetPointer(normalized[i])) > TOAST_INDEX_TARGET &&
3034  (att->attstorage == TYPSTORAGE_EXTENDED ||
3035  att->attstorage == TYPSTORAGE_MAIN))
3036  {
3037  /*
3038  * This value will be compressed by index_form_tuple() with the
3039  * current storage settings. We may be here because this tuple
3040  * was formed with different storage settings. So, force forming.
3041  */
3042  formnewtup = true;
3043  }
3044  else if (VARATT_IS_COMPRESSED(DatumGetPointer(normalized[i])))
3045  {
3046  formnewtup = true;
3047  normalized[i] = PointerGetDatum(PG_DETOAST_DATUM(normalized[i]));
3048  need_free[i] = true;
3049  }
3050 
3051  /*
3052  * Short tuples may have 1B or 4B header. Convert 4B header of short
3053  * tuples to 1B
3054  */
3055  else if (VARATT_CAN_MAKE_SHORT(DatumGetPointer(normalized[i])))
3056  {
3057  /* convert to short varlena */
3058  Size len = VARATT_CONVERTED_SHORT_SIZE(DatumGetPointer(normalized[i]));
3059  char *data = palloc(len);
3060 
3061  SET_VARSIZE_SHORT(data, len);
3062  memcpy(data + 1, VARDATA(DatumGetPointer(normalized[i])), len - 1);
3063 
3064  formnewtup = true;
3065  normalized[i] = PointerGetDatum(data);
3066  need_free[i] = true;
3067  }
3068  }
3069 
3070  /*
3071  * Easier case: Tuple has varlena datums, none of which are compressed or
3072  * short with 4B header
3073  */
3074  if (!formnewtup)
3075  return itup;
3076 
3077  /*
3078  * Hard case: Tuple had compressed varlena datums that necessitate
3079  * creating normalized version of the tuple from uncompressed input datums
3080  * (normalized input datums). This is rather naive, but shouldn't be
3081  * necessary too often.
3082  *
3083  * In the heap, tuples may contain short varlena datums with both 1B
3084  * header and 4B headers. But the corresponding index tuple should always
3085  * have such varlena's with 1B headers. So, if there is a short varlena
3086  * with 4B header, we need to convert it for fingerprinting.
3087  *
3088  * Note that we rely on deterministic index_form_tuple() TOAST compression
3089  * of normalized input.
3090  */
3091  reformed = index_form_tuple(tupleDescriptor, normalized, isnull);
3092  reformed->t_tid = itup->t_tid;
3093 
3094  /* Cannot leak memory here */
3095  for (i = 0; i < tupleDescriptor->natts; i++)
3096  if (need_free[i])
3097  pfree(DatumGetPointer(normalized[i]));
3098 
3099  return reformed;
3100 }
3101 
3102 /*
3103  * Produce palloc()'d "plain" tuple for nth posting list entry/TID.
3104  *
3105  * In general, deduplication is not supposed to change the logical contents of
3106  * an index. Multiple index tuples are merged together into one equivalent
3107  * posting list index tuple when convenient.
3108  *
3109  * heapallindexed verification must normalize-away this variation in
3110  * representation by converting posting list tuples into two or more "plain"
3111  * tuples. Each tuple must be fingerprinted separately -- there must be one
3112  * tuple for each corresponding Bloom filter probe during the heap scan.
3113  *
3114  * Note: Caller still needs to call bt_normalize_tuple() with returned tuple.
3115  */
3116 static inline IndexTuple
3117 bt_posting_plain_tuple(IndexTuple itup, int n)
3118 {
3119  Assert(BTreeTupleIsPosting(itup));
3120 
3121  /* Returns non-posting-list tuple */
3122  return _bt_form_posting(itup, BTreeTupleGetPostingN(itup, n), 1);
3123 }
3124 
3125 /*
3126  * Search for itup in index, starting from fast root page. itup must be a
3127  * non-pivot tuple. This is only supported with heapkeyspace indexes, since
3128  * we rely on having fully unique keys to find a match with only a single
3129  * visit to a leaf page, barring an interrupted page split, where we may have
3130  * to move right. (A concurrent page split is impossible because caller must
3131  * be readonly caller.)
3132  *
3133  * This routine can detect very subtle transitive consistency issues across
3134  * more than one level of the tree. Leaf pages all have a high key (even the
3135  * rightmost page has a conceptual positive infinity high key), but not a low
3136  * key. Their downlink in parent is a lower bound, which along with the high
3137  * key is almost enough to detect every possible inconsistency. A downlink
3138  * separator key value won't always be available from parent, though, because
3139  * the first items of internal pages are negative infinity items, truncated
3140  * down to zero attributes during internal page splits. While it's true that
3141  * bt_child_check() and the high key check can detect most imaginable key
3142  * space problems, there are remaining problems it won't detect with non-pivot
3143  * tuples in cousin leaf pages. Starting a search from the root for every
3144  * existing leaf tuple detects small inconsistencies in upper levels of the
3145  * tree that cannot be detected any other way. (Besides all this, this is
3146  * probably also useful as a direct test of the code used by index scans
3147  * themselves.)
3148  */
3149 static bool
3150 bt_rootdescend(BtreeCheckState *state, IndexTuple itup)
3151 {
3152  BTScanInsert key;
3153  BTStack stack;
3154  Buffer lbuf;
3155  bool exists;
3156 
3157  key = _bt_mkscankey(state->rel, itup);
3158  Assert(key->heapkeyspace && key->scantid != NULL);
3159 
3160  /*
3161  * Search from root.
3162  *
3163  * Ideally, we would arrange to only move right within _bt_search() when
3164  * an interrupted page split is detected (i.e. when the incomplete split
3165  * bit is found to be set), but for now we accept the possibility that
3166  * that could conceal an inconsistency.
3167  */
3168  Assert(state->readonly && state->rootdescend);
3169  exists = false;
3170  stack = _bt_search(state->rel, NULL, key, &lbuf, BT_READ);
3171 
3172  if (BufferIsValid(lbuf))
3173  {
3174  BTInsertStateData insertstate;
3175  OffsetNumber offnum;
3176  Page page;
3177 
3178  insertstate.itup = itup;
3179  insertstate.itemsz = MAXALIGN(IndexTupleSize(itup));
3180  insertstate.itup_key = key;
3181  insertstate.postingoff = 0;
3182  insertstate.bounds_valid = false;
3183  insertstate.buf = lbuf;
3184 
3185  /* Get matching tuple on leaf page */
3186  offnum = _bt_binsrch_insert(state->rel, &insertstate);
3187  /* Compare first >= matching item on leaf page, if any */
3188  page = BufferGetPage(lbuf);
3189  /* Should match on first heap TID when tuple has a posting list */
3190  if (offnum <= PageGetMaxOffsetNumber(page) &&
3191  insertstate.postingoff <= 0 &&
3192  _bt_compare(state->rel, key, page, offnum) == 0)
3193  exists = true;
3194  _bt_relbuf(state->rel, lbuf);
3195  }
3196 
3197  _bt_freestack(stack);
3198  pfree(key);
3199 
3200  return exists;
3201 }
3202 
3203 /*
3204  * Is particular offset within page (whose special state is passed by caller)
3205  * the page negative-infinity item?
3206  *
3207  * As noted in comments above _bt_compare(), there is special handling of the
3208  * first data item as a "negative infinity" item. The hard-coding within
3209  * _bt_compare() makes comparing this item for the purposes of verification
3210  * pointless at best, since the IndexTuple only contains a valid TID (a
3211  * reference TID to child page).
3212  */
3213 static inline bool
3214 offset_is_negative_infinity(BTPageOpaque opaque, OffsetNumber offset)
3215 {
3216  /*
3217  * For internal pages only, the first item after high key, if any, is
3218  * negative infinity item. Internal pages always have a negative infinity
3219  * item, whereas leaf pages never have one. This implies that negative
3220  * infinity item is either first or second line item, or there is none
3221  * within page.
3222  *
3223  * Negative infinity items are a special case among pivot tuples. They
3224  * always have zero attributes, while all other pivot tuples always have
3225  * nkeyatts attributes.
3226  *
3227  * Right-most pages don't have a high key, but could be said to
3228  * conceptually have a "positive infinity" high key. Thus, there is a
3229  * symmetry between down link items in parent pages, and high keys in
3230  * children. Together, they represent the part of the key space that
3231  * belongs to each page in the index. For example, all children of the
3232  * root page will have negative infinity as a lower bound from root
3233  * negative infinity downlink, and positive infinity as an upper bound
3234  * (implicitly, from "imaginary" positive infinity high key in root).
3235  */
3236  return !P_ISLEAF(opaque) && offset == P_FIRSTDATAKEY(opaque);
3237 }
3238 
3239 /*
3240  * Does the invariant hold that the key is strictly less than a given upper
3241  * bound offset item?
3242  *
3243  * Verifies line pointer on behalf of caller.
3244  *
3245  * If this function returns false, convention is that caller throws error due
3246  * to corruption.
3247  */
3248 static inline bool
3249 invariant_l_offset(BtreeCheckState *state, BTScanInsert key,
3250  OffsetNumber upperbound)
3251 {
3252  ItemId itemid;
3253  int32 cmp;
3254 
3255  Assert(!key->nextkey && key->backward);
3256 
3257  /* Verify line pointer before checking tuple */
3258  itemid = PageGetItemIdCareful(state, state->targetblock, state->target,
3259  upperbound);
3260  /* pg_upgrade'd indexes may legally have equal sibling tuples */
3261  if (!key->heapkeyspace)
3262  return invariant_leq_offset(state, key, upperbound);
3263 
3264  cmp = _bt_compare(state->rel, key, state->target, upperbound);
3265 
3266  /*
3267  * _bt_compare() is capable of determining that a scankey with a
3268  * filled-out attribute is greater than pivot tuples where the comparison
3269  * is resolved at a truncated attribute (value of attribute in pivot is
3270  * minus infinity). However, it is not capable of determining that a
3271  * scankey is _less than_ a tuple on the basis of a comparison resolved at
3272  * _scankey_ minus infinity attribute. Complete an extra step to simulate
3273  * having minus infinity values for omitted scankey attribute(s).
3274  */
3275  if (cmp == 0)
3276  {
3277  BTPageOpaque topaque;
3278  IndexTuple ritup;
3279  int uppnkeyatts;
3280  ItemPointer rheaptid;
3281  bool nonpivot;
3282 
3283  ritup = (IndexTuple) PageGetItem(state->target, itemid);
3284  topaque = BTPageGetOpaque(state->target);
3285  nonpivot = P_ISLEAF(topaque) && upperbound >= P_FIRSTDATAKEY(topaque);
3286 
3287  /* Get number of keys + heap TID for item to the right */
3288  uppnkeyatts = BTreeTupleGetNKeyAtts(ritup, state->rel);
3289  rheaptid = BTreeTupleGetHeapTIDCareful(state, ritup, nonpivot);
3290 
3291  /* Heap TID is tiebreaker key attribute */
3292  if (key->keysz == uppnkeyatts)
3293  return key->scantid == NULL && rheaptid != NULL;
3294 
3295  return key->keysz < uppnkeyatts;
3296  }
3297 
3298  return cmp < 0;
3299 }
3300 
3301 /*
3302  * Does the invariant hold that the key is less than or equal to a given upper
3303  * bound offset item?
3304  *
3305  * Caller should have verified that upperbound's line pointer is consistent
3306  * using PageGetItemIdCareful() call.
3307  *
3308  * If this function returns false, convention is that caller throws error due
3309  * to corruption.
3310  */
3311 static inline bool
3312 invariant_leq_offset(BtreeCheckState *state, BTScanInsert key,
3313  OffsetNumber upperbound)
3314 {
3315  int32 cmp;
3316 
3317  Assert(!key->nextkey && key->backward);
3318 
3319  cmp = _bt_compare(state->rel, key, state->target, upperbound);
3320 
3321  return cmp <= 0;
3322 }
3323 
3324 /*
3325  * Does the invariant hold that the key is strictly greater than a given lower
3326  * bound offset item?
3327  *
3328  * Caller should have verified that lowerbound's line pointer is consistent
3329  * using PageGetItemIdCareful() call.
3330  *
3331  * If this function returns false, convention is that caller throws error due
3332  * to corruption.
3333  */
3334 static inline bool
3335 invariant_g_offset(BtreeCheckState *state, BTScanInsert key,
3336  OffsetNumber lowerbound)
3337 {
3338  int32 cmp;
3339 
3340  Assert(!key->nextkey && key->backward);
3341 
3342  cmp = _bt_compare(state->rel, key, state->target, lowerbound);
3343 
3344  /* pg_upgrade'd indexes may legally have equal sibling tuples */
3345  if (!key->heapkeyspace)
3346  return cmp >= 0;
3347 
3348  /*
3349  * No need to consider the possibility that scankey has attributes that we
3350  * need to force to be interpreted as negative infinity. _bt_compare() is
3351  * able to determine that scankey is greater than negative infinity. The
3352  * distinction between "==" and "<" isn't interesting here, since
3353  * corruption is indicated either way.
3354  */
3355  return cmp > 0;
3356 }
3357 
3358 /*
3359  * Does the invariant hold that the key is strictly less than a given upper
3360  * bound offset item, with the offset relating to a caller-supplied page that
3361  * is not the current target page?
3362  *
3363  * Caller's non-target page is a child page of the target, checked as part of
3364  * checking a property of the target page (i.e. the key comes from the
3365  * target). Verifies line pointer on behalf of caller.
3366  *
3367  * If this function returns false, convention is that caller throws error due
3368  * to corruption.
3369  */
3370 static inline bool
3371 invariant_l_nontarget_offset(BtreeCheckState *state, BTScanInsert key,
3372  BlockNumber nontargetblock, Page nontarget,
3373  OffsetNumber upperbound)
3374 {
3375  ItemId itemid;
3376  int32 cmp;
3377 
3378  Assert(!key->nextkey && key->backward);
3379 
3380  /* Verify line pointer before checking tuple */
3381  itemid = PageGetItemIdCareful(state, nontargetblock, nontarget,
3382  upperbound);
3383  cmp = _bt_compare(state->rel, key, nontarget, upperbound);
3384 
3385  /* pg_upgrade'd indexes may legally have equal sibling tuples */
3386  if (!key->heapkeyspace)
3387  return cmp <= 0;
3388 
3389  /* See invariant_l_offset() for an explanation of this extra step */
3390  if (cmp == 0)
3391  {
3392  IndexTuple child;
3393  int uppnkeyatts;
3394  ItemPointer childheaptid;
3395  BTPageOpaque copaque;
3396  bool nonpivot;
3397 
3398  child = (IndexTuple) PageGetItem(nontarget, itemid);
3399  copaque = BTPageGetOpaque(nontarget);
3400  nonpivot = P_ISLEAF(copaque) && upperbound >= P_FIRSTDATAKEY(copaque);
3401 
3402  /* Get number of keys + heap TID for child/non-target item */
3403  uppnkeyatts = BTreeTupleGetNKeyAtts(child, state->rel);
3404  childheaptid = BTreeTupleGetHeapTIDCareful(state, child, nonpivot);
3405 
3406  /* Heap TID is tiebreaker key attribute */
3407  if (key->keysz == uppnkeyatts)
3408  return key->scantid == NULL && childheaptid != NULL;
3409 
3410  return key->keysz < uppnkeyatts;
3411  }
3412 
3413  return cmp < 0;
3414 }
3415 
3416 /*
3417  * Given a block number of a B-Tree page, return page in palloc()'d memory.
3418  * While at it, perform some basic checks of the page.
3419  *
3420  * There is never an attempt to get a consistent view of multiple pages using
3421  * multiple concurrent buffer locks; in general, we only acquire a single pin
3422  * and buffer lock at a time, which is often all that the nbtree code requires.
3423  * (Actually, bt_recheck_sibling_links couples buffer locks, which is the only
3424  * exception to this general rule.)
3425  *
3426  * Operating on a copy of the page is useful because it prevents control
3427  * getting stuck in an uninterruptible state when an underlying operator class
3428  * misbehaves.
3429  */
3430 static Page
3431 palloc_btree_page(BtreeCheckState *state, BlockNumber blocknum)
3432 {
3433  Buffer buffer;
3434  Page page;
3435  BTPageOpaque opaque;
3436  OffsetNumber maxoffset;
3437 
3438  page = palloc(BLCKSZ);
3439 
3440  /*
3441  * We copy the page into local storage to avoid holding pin on the buffer
3442  * longer than we must.
3443  */
3444  buffer = ReadBufferExtended(state->rel, MAIN_FORKNUM, blocknum, RBM_NORMAL,
3445  state->checkstrategy);
3446  LockBuffer(buffer, BT_READ);
3447 
3448  /*
3449  * Perform the same basic sanity checking that nbtree itself performs for
3450  * every page:
3451  */
3452  _bt_checkpage(state->rel, buffer);
3453 
3454  /* Only use copy of page in palloc()'d memory */
3455  memcpy(page, BufferGetPage(buffer), BLCKSZ);
3456  UnlockReleaseBuffer(buffer);
3457 
3458  opaque = BTPageGetOpaque(page);
3459 
3460  if (P_ISMETA(opaque) && blocknum != BTREE_METAPAGE)
3461  ereport(ERROR,
3462  (errcode(ERRCODE_INDEX_CORRUPTED),
3463  errmsg("invalid meta page found at block %u in index \"%s\"",
3464  blocknum, RelationGetRelationName(state->rel))));
3465 
3466  /* Check page from block that ought to be meta page */
3467  if (blocknum == BTREE_METAPAGE)
3468  {
3469  BTMetaPageData *metad = BTPageGetMeta(page);
3470 
3471  if (!P_ISMETA(opaque) ||
3472  metad->btm_magic != BTREE_MAGIC)
3473  ereport(ERROR,
3474  (errcode(ERRCODE_INDEX_CORRUPTED),
3475  errmsg("index \"%s\" meta page is corrupt",
3476  RelationGetRelationName(state->rel))));
3477 
3478  if (metad->btm_version < BTREE_MIN_VERSION ||
3479  metad->btm_version > BTREE_VERSION)
3480  ereport(ERROR,
3481  (errcode(ERRCODE_INDEX_CORRUPTED),
3482  errmsg("version mismatch in index \"%s\": file version %d, "
3483  "current version %d, minimum supported version %d",
3484  RelationGetRelationName(state->rel),
3485  metad->btm_version, BTREE_VERSION,
3486  BTREE_MIN_VERSION)));
3487 
3488  /* Finished with metapage checks */
3489  return page;
3490  }
3491 
3492  /*
3493  * Deleted pages that still use the old 32-bit XID representation have no
3494  * sane "level" field because they type pun the field, but all other pages
3495  * (including pages deleted on Postgres 14+) have a valid value.
3496  */
3497  if (!P_ISDELETED(opaque) || P_HAS_FULLXID(opaque))
3498  {
3499  /* Okay, no reason not to trust btpo_level field from page */
3500 
3501  if (P_ISLEAF(opaque) && opaque->btpo_level != 0)
3502  ereport(ERROR,
3503  (errcode(ERRCODE_INDEX_CORRUPTED),
3504  errmsg_internal("invalid leaf page level %u for block %u in index \"%s\"",
3505  opaque->btpo_level, blocknum,
3506  RelationGetRelationName(state->rel))));
3507 
3508  if (!P_ISLEAF(opaque) && opaque->btpo_level == 0)
3509  ereport(ERROR,
3510  (errcode(ERRCODE_INDEX_CORRUPTED),
3511  errmsg_internal("invalid internal page level 0 for block %u in index \"%s\"",
3512  blocknum,
3513  RelationGetRelationName(state->rel))));
3514  }
3515 
3516  /*
3517  * Sanity checks for number of items on page.
3518  *
3519  * As noted at the beginning of _bt_binsrch(), an internal page must have
3520  * children, since there must always be a negative infinity downlink
3521  * (there may also be a highkey). In the case of non-rightmost leaf
3522  * pages, there must be at least a highkey. The exceptions are deleted
3523  * pages, which contain no items.
3524  *
3525  * This is correct when pages are half-dead, since internal pages are
3526  * never half-dead, and leaf pages must have a high key when half-dead
3527  * (the rightmost page can never be deleted). It's also correct with
3528  * fully deleted pages: _bt_unlink_halfdead_page() doesn't change anything
3529  * about the target page other than setting the page as fully dead, and
3530  * setting its xact field. In particular, it doesn't change the sibling
3531  * links in the deletion target itself, since they're required when index
3532  * scans land on the deletion target, and then need to move right (or need
3533  * to move left, in the case of backward index scans).
3534  */
3535  maxoffset = PageGetMaxOffsetNumber(page);
3536  if (maxoffset > MaxIndexTuplesPerPage)
3537  ereport(ERROR,
3538  (errcode(ERRCODE_INDEX_CORRUPTED),
3539  errmsg("Number of items on block %u of index \"%s\" exceeds MaxIndexTuplesPerPage (%u)",
3540  blocknum, RelationGetRelationName(state->rel),
3541  MaxIndexTuplesPerPage)));
3542 
3543  if (!P_ISLEAF(opaque) && !P_ISDELETED(opaque) && maxoffset < P_FIRSTDATAKEY(opaque))
3544  ereport(ERROR,
3545  (errcode(ERRCODE_INDEX_CORRUPTED),
3546  errmsg("internal block %u in index \"%s\" lacks high key and/or at least one downlink",
3547  blocknum, RelationGetRelationName(state->rel))));
3548 
3549  if (P_ISLEAF(opaque) && !P_ISDELETED(opaque) && !P_RIGHTMOST(opaque) && maxoffset < P_HIKEY)
3550  ereport(ERROR,
3551  (errcode(ERRCODE_INDEX_CORRUPTED),
3552  errmsg("non-rightmost leaf block %u in index \"%s\" lacks high key item",
3553  blocknum, RelationGetRelationName(state->rel))));
3554 
3555  /*
3556  * In general, internal pages are never marked half-dead, except on
3557  * versions of Postgres prior to 9.4, where it can be valid transient
3558  * state. This state is nonetheless treated as corruption by VACUUM on
3559  * from version 9.4 on, so do the same here. See _bt_pagedel() for full
3560  * details.
3561  */
3562  if (!P_ISLEAF(opaque) && P_ISHALFDEAD(opaque))
3563  ereport(ERROR,
3564  (errcode(ERRCODE_INDEX_CORRUPTED),
3565  errmsg("internal page block %u in index \"%s\" is half-dead",
3566  blocknum, RelationGetRelationName(state->rel)),
3567  errhint("This can be caused by an interrupted VACUUM in version 9.3 or older, before upgrade. Please REINDEX it.")));
3568 
3569  /*
3570  * Check that internal pages have no garbage items, and that no page has
3571  * an invalid combination of deletion-related page level flags
3572  */
3573  if (!P_ISLEAF(opaque) && P_HAS_GARBAGE(opaque))
3574  ereport(ERROR,
3575  (errcode(ERRCODE_INDEX_CORRUPTED),
3576  errmsg_internal("internal page block %u in index \"%s\" has garbage items",
3577  blocknum, RelationGetRelationName(state->rel))));
3578 
3579  if (P_HAS_FULLXID(opaque) && !P_ISDELETED(opaque))
3580  ereport(ERROR,
3581  (errcode(ERRCODE_INDEX_CORRUPTED),
3582  errmsg_internal("full transaction id page flag appears in non-deleted block %u in index \"%s\"",
3583  blocknum, RelationGetRelationName(state->rel))));
3584 
3585  if (P_ISDELETED(opaque) && P_ISHALFDEAD(opaque))
3586  ereport(ERROR,
3587  (errcode(ERRCODE_INDEX_CORRUPTED),
3588  errmsg_internal("deleted page block %u in index \"%s\" is half-dead",
3589  blocknum, RelationGetRelationName(state->rel))));
3590 
3591  return page;
3592 }
3593 
3594 /*
3595  * _bt_mkscankey() wrapper that automatically prevents insertion scankey from
3596  * being considered greater than the pivot tuple that its values originated
3597  * from (or some other identical pivot tuple) in the common case where there
3598  * are truncated/minus infinity attributes. Without this extra step, there
3599  * are forms of corruption that amcheck could theoretically fail to report.
3600  *
3601  * For example, invariant_g_offset() might miss a cross-page invariant failure
3602  * on an internal level if the scankey built from the first item on the
3603  * target's right sibling page happened to be equal to (not greater than) the
3604  * last item on target page. The !backward tiebreaker in _bt_compare() might
3605  * otherwise cause amcheck to assume (rather than actually verify) that the
3606  * scankey is greater.
3607  */
3608 static inline BTScanInsert
3609 bt_mkscankey_pivotsearch(Relation rel, IndexTuple itup)
3610 {
3611  BTScanInsert skey;
3612 
3613  skey = _bt_mkscankey(rel, itup);
3614  skey->backward = true;
3615 
3616  return skey;
3617 }
3618 
3619 /*
3620  * PageGetItemId() wrapper that validates returned line pointer.
3621  *
3622  * Buffer page/page item access macros generally trust that line pointers are
3623  * not corrupt, which might cause problems for verification itself. For
3624  * example, there is no bounds checking in PageGetItem(). Passing it a
3625  * corrupt line pointer can cause it to return a tuple/pointer that is unsafe
3626  * to dereference.
3627  *
3628  * Validating line pointers before tuples avoids undefined behavior and
3629  * assertion failures with corrupt indexes, making the verification process
3630  * more robust and predictable.
3631  */
3632 static ItemId
3633 PageGetItemIdCareful(BtreeCheckState *state, BlockNumber block, Page page,
3634  OffsetNumber offset)
3635 {
3636  ItemId itemid = PageGetItemId(page, offset);
3637 
3638  if (ItemIdGetOffset(itemid) + ItemIdGetLength(itemid) >
3639  BLCKSZ - MAXALIGN(sizeof(BTPageOpaqueData)))
3640  ereport(ERROR,
3641  (errcode(ERRCODE_INDEX_CORRUPTED),
3642  errmsg("line pointer points past end of tuple space in index \"%s\"",
3643  RelationGetRelationName(state->rel)),
3644  errdetail_internal("Index tid=(%u,%u) lp_off=%u, lp_len=%u lp_flags=%u.",
3645  block, offset, ItemIdGetOffset(itemid),
3646  ItemIdGetLength(itemid),
3647  ItemIdGetFlags(itemid))));
3648 
3649  /*
3650  * Verify that line pointer isn't LP_REDIRECT or LP_UNUSED, since nbtree
3651  * never uses either. Verify that line pointer has storage, too, since
3652  * even LP_DEAD items should within nbtree.
3653  */
3654  if (ItemIdIsRedirected(itemid) || !ItemIdIsUsed(itemid) ||
3655  ItemIdGetLength(itemid) == 0)
3656  ereport(ERROR,
3657  (errcode(ERRCODE_INDEX_CORRUPTED),
3658  errmsg("invalid line pointer storage in index \"%s\"",
3659  RelationGetRelationName(state->rel)),
3660  errdetail_internal("Index tid=(%u,%u) lp_off=%u, lp_len=%u lp_flags=%u.",
3661  block, offset, ItemIdGetOffset(itemid),
3662  ItemIdGetLength(itemid),
3663  ItemIdGetFlags(itemid))));
3664 
3665  return itemid;
3666 }
3667 
3668 /*
3669  * BTreeTupleGetHeapTID() wrapper that enforces that a heap TID is present in
3670  * cases where that is mandatory (i.e. for non-pivot tuples)
3671  */
3672 static inline ItemPointer
3673 BTreeTupleGetHeapTIDCareful(BtreeCheckState *state, IndexTuple itup,
3674  bool nonpivot)
3675 {
3676  ItemPointer htid;
3677 
3678  /*
3679  * Caller determines whether this is supposed to be a pivot or non-pivot
3680  * tuple using page type and item offset number. Verify that tuple
3681  * metadata agrees with this.
3682  */
3683  Assert(state->heapkeyspace);
3684  if (BTreeTupleIsPivot(itup) && nonpivot)
3685  ereport(ERROR,
3686  (errcode(ERRCODE_INDEX_CORRUPTED),
3687  errmsg_internal("block %u or its right sibling block or child block in index \"%s\" has unexpected pivot tuple",
3688  state->targetblock,
3689  RelationGetRelationName(state->rel))));
3690 
3691  if (!BTreeTupleIsPivot(itup) && !nonpivot)
3692  ereport(ERROR,
3693  (errcode(ERRCODE_INDEX_CORRUPTED),
3694  errmsg_internal("block %u or its right sibling block or child block in index \"%s\" has unexpected non-pivot tuple",
3695  state->targetblock,
3696  RelationGetRelationName(state->rel))));
3697 
3698  htid = BTreeTupleGetHeapTID(itup);
3699  if (!ItemPointerIsValid(htid) && nonpivot)
3700  ereport(ERROR,
3701  (errcode(ERRCODE_INDEX_CORRUPTED),
3702  errmsg("block %u or its right sibling block or child block in index \"%s\" contains non-pivot tuple that lacks a heap TID",
3703  state->targetblock,
3704  RelationGetRelationName(state->rel))));
3705 
3706  return htid;
3707 }
3708 
3709 /*
3710  * Return the "pointed to" TID for itup, which is used to generate a
3711  * descriptive error message. itup must be a "data item" tuple (it wouldn't
3712  * make much sense to call here with a high key tuple, since there won't be a
3713  * valid downlink/block number to display).
3714  *
3715  * Returns either a heap TID (which will be the first heap TID in posting list
3716  * if itup is posting list tuple), or a TID that contains downlink block
3717  * number, plus some encoded metadata (e.g., the number of attributes present
3718  * in itup).
3719  */
3720 static inline ItemPointer
3721 BTreeTupleGetPointsToTID(IndexTuple itup)
3722 {
3723  /*
3724  * Rely on the assumption that !heapkeyspace internal page data items will
3725  * correctly return TID with downlink here -- BTreeTupleGetHeapTID() won't
3726  * recognize it as a pivot tuple, but everything still works out because
3727  * the t_tid field is still returned
3728  */
3729  if (!BTreeTupleIsPivot(itup))
3730  return BTreeTupleGetHeapTID(itup);
3731 
3732  /* Pivot tuple returns TID with downlink block (heapkeyspace variant) */
3733  return &itup->t_tid;
3734 }
BlockNumber
uint32 BlockNumber
Definition: block.h:31
InvalidBlockNumber
#define InvalidBlockNumber
Definition: block.h:33
BlockNumberIsValid
static bool BlockNumberIsValid(BlockNumber blockNumber)
Definition: block.h:71
bloom_free
void bloom_free(bloom_filter *filter)
Definition: bloomfilter.c:126
bloom_create
bloom_filter * bloom_create(int64 total_elems, int bloom_work_mem, uint64 seed)
Definition: bloomfilter.c:87
bloom_prop_bits_set
double bloom_prop_bits_set(bloom_filter *filter)
Definition: bloomfilter.c:187
bloom_lacks_element
bool bloom_lacks_element(bloom_filter *filter, unsigned char *elem, size_t len)
Definition: bloomfilter.c:157
bloom_add_element
void bloom_add_element(bloom_filter *filter, unsigned char *elem, size_t len)
Definition: bloomfilter.c:135
values
static Datum values[MAXATTR]
Definition: bootstrap.c:150
Buffer
int Buffer
Definition: buf.h:23
InvalidBuffer
#define InvalidBuffer
Definition: buf.h:25
UnlockReleaseBuffer
void UnlockReleaseBuffer(Buffer buffer)
Definition: bufmgr.c:4941
LockBuffer
void LockBuffer(Buffer buffer, int mode)
Definition: bufmgr.c:5158
ReadBufferExtended
Buffer ReadBufferExtended(Relation reln, ForkNumber forkNum, BlockNumber blockNum, ReadBufferMode mode, BufferAccessStrategy strategy)
Definition: bufmgr.c:793
BAS_BULKREAD
@ BAS_BULKREAD
Definition: bufmgr.h:36
RelationGetNumberOfBlocks
#define RelationGetNumberOfBlocks(reln)
Definition: bufmgr.h:273
BufferGetPage
static Page BufferGetPage(Buffer buffer)
Definition: bufmgr.h:400
RBM_NORMAL
@ RBM_NORMAL
Definition: bufmgr.h:45
BufferIsValid
static bool BufferIsValid(Buffer bufnum)
Definition: bufmgr.h:351
Page
Pointer Page
Definition: bufpage.h:81
PageGetItem
static Item PageGetItem(Page page, ItemId itemId)
Definition: bufpage.h:354
PageGetItemId
static ItemId PageGetItemId(Page page, OffsetNumber offsetNumber)
Definition: bufpage.h:243
PageGetLSN
static XLogRecPtr PageGetLSN(const char *page)
Definition: bufpage.h:386
PageGetMaxOffsetNumber
static OffsetNumber PageGetMaxOffsetNumber(Page page)
Definition: bufpage.h:372
uint32
unsigned int uint32
Definition: c.h:506
MAXALIGN
#define MAXALIGN(LEN)
Definition: c.h:802
int32
signed int int32
Definition: c.h:496
Max
#define Max(x, y)
Definition: c.h:989
INT64_FORMAT
#define INT64_FORMAT
Definition: c.h:539
Assert
#define Assert(condition)
Definition: c.h:849
unlikely
#define unlikely(x)
Definition: c.h:314
OidIsValid
#define OidIsValid(objectId)
Definition: c.h:766
Size
size_t Size
Definition: c.h:596
errmsg_internal
int errmsg_internal(const char *fmt,...)
Definition: elog.c:1157
errdetail_internal
int errdetail_internal(const char *fmt,...)
Definition: elog.c:1230
errdetail
int errdetail(const char *fmt,...)
Definition: elog.c:1203
errhint
int errhint(const char *fmt,...)
Definition: elog.c:1317
errcode
int errcode(int sqlerrcode)
Definition: elog.c:853
errmsg
int errmsg(const char *fmt,...)
Definition: elog.c:1070
DEBUG2
#define DEBUG2
Definition: elog.h:29
DEBUG1
#define DEBUG1
Definition: elog.h:30
ERROR
#define ERROR
Definition: elog.h:39
elog
#define elog(elevel,...)
Definition: elog.h:225
ereport
#define ereport(elevel,...)
Definition: elog.h:149
ExecDropSingleTupleTableSlot
void ExecDropSingleTupleTableSlot(TupleTableSlot *slot)
Definition: execTuples.c:1341
PG_RETURN_VOID
#define PG_RETURN_VOID()
Definition: fmgr.h:349
PG_GETARG_OID
#define PG_GETARG_OID(n)
Definition: fmgr.h:275
PG_NARGS
#define PG_NARGS()
Definition: fmgr.h:203
PG_DETOAST_DATUM
#define PG_DETOAST_DATUM(datum)
Definition: fmgr.h:240
PG_GETARG_BOOL
#define PG_GETARG_BOOL(n)
Definition: fmgr.h:274
PG_FUNCTION_ARGS
#define PG_FUNCTION_ARGS
Definition: fmgr.h:193
GetAccessStrategy
BufferAccessStrategy GetAccessStrategy(BufferAccessStrategyType btype)
Definition: freelist.c:541
maintenance_work_mem
int maintenance_work_mem
Definition: globals.c:132
NewGUCNestLevel
int NewGUCNestLevel(void)
Definition: guc.c:2234
RestrictSearchPath
void RestrictSearchPath(void)
Definition: guc.c:2245
AtEOXact_GUC
void AtEOXact_GUC(bool isCommit, int nestLevel)
Definition: guc.c:2261
start
return str start
Definition: hashfn_unstable.h:328
TOAST_INDEX_TARGET
#define TOAST_INDEX_TARGET
Definition: heaptoast.h:68
htup_details.h
HeapTupleHeaderGetXmin
#define HeapTupleHeaderGetXmin(tup)
Definition: htup_details.h:309
IndexGetRelation
Oid IndexGetRelation(Oid indexId, bool missing_ok)
Definition: index.c:3534
BuildIndexInfo
IndexInfo * BuildIndexInfo(Relation index)
Definition: index.c:2430
index_close
void index_close(Relation relation, LOCKMODE lockmode)
Definition: indexam.c:177
index_open
Relation index_open(Oid relationId, LOCKMODE lockmode)
Definition: indexam.c:133
index_form_tuple
IndexTuple index_form_tuple(TupleDesc tupleDescriptor, const Datum *values, const bool *isnull)
Definition: indextuple.c:44
i
int i
Definition: isn.c:73
ItemIdGetLength
#define ItemIdGetLength(itemId)
Definition: itemid.h:59
ItemIdGetOffset
#define ItemIdGetOffset(itemId)
Definition: itemid.h:65
ItemIdIsDead
#define ItemIdIsDead(itemId)
Definition: itemid.h:113
ItemIdIsUsed
#define ItemIdIsUsed(itemId)
Definition: itemid.h:92
ItemIdIsRedirected
#define ItemIdIsRedirected(itemId)
Definition: itemid.h:106
ItemIdGetFlags
#define ItemIdGetFlags(itemId)
Definition: itemid.h:71
ItemPointerCompare
int32 ItemPointerCompare(ItemPointer arg1, ItemPointer arg2)
Definition: itemptr.c:51
ItemPointerGetOffsetNumber
static OffsetNumber ItemPointerGetOffsetNumber(const ItemPointerData *pointer)
Definition: itemptr.h:124
ItemPointerGetOffsetNumberNoCheck
static OffsetNumber ItemPointerGetOffsetNumberNoCheck(const ItemPointerData *pointer)
Definition: itemptr.h:114
ItemPointerGetBlockNumber
static BlockNumber ItemPointerGetBlockNumber(const ItemPointerData *pointer)
Definition: itemptr.h:103
ItemPointerGetBlockNumberNoCheck
static BlockNumber ItemPointerGetBlockNumberNoCheck(const ItemPointerData *pointer)
Definition: itemptr.h:93
ItemPointerCopy
static void ItemPointerCopy(const ItemPointerData *fromPointer, ItemPointerData *toPointer)
Definition: itemptr.h:172
ItemPointerIsValid
static bool ItemPointerIsValid(const ItemPointerData *pointer)
Definition: itemptr.h:83
IndexTupleHasVarwidths
#define IndexTupleHasVarwidths(itup)
Definition: itup.h:72
IndexTuple
IndexTupleData * IndexTuple
Definition: itup.h:53
IndexTupleSize
#define IndexTupleSize(itup)
Definition: itup.h:70
index_getattr
static Datum index_getattr(IndexTuple tup, int attnum, TupleDesc tupleDesc, bool *isnull)
Definition: itup.h:117
MaxIndexTuplesPerPage
#define MaxIndexTuplesPerPage
Definition: itup.h:165
LOCKMODE
int LOCKMODE
Definition: lockdefs.h:26
AccessShareLock
#define AccessShareLock
Definition: lockdefs.h:36
ShareLock
#define ShareLock
Definition: lockdefs.h:40
MemoryContextReset
void MemoryContextReset(MemoryContext context)
Definition: mcxt.c:383
pfree
void pfree(void *pointer)
Definition: mcxt.c:1521
palloc0
void * palloc0(Size size)
Definition: mcxt.c:1347
CurrentMemoryContext
MemoryContext CurrentMemoryContext
Definition: mcxt.c:143
MemoryContextAlloc
void * MemoryContextAlloc(MemoryContext context, Size size)
Definition: mcxt.c:1181
MemoryContextDelete
void MemoryContextDelete(MemoryContext context)
Definition: mcxt.c:454
palloc
void * palloc(Size size)
Definition: mcxt.c:1317
AllocSetContextCreate
#define AllocSetContextCreate
Definition: memutils.h:129
ALLOCSET_DEFAULT_SIZES
#define ALLOCSET_DEFAULT_SIZES
Definition: memutils.h:160
SECURITY_RESTRICTED_OPERATION
#define SECURITY_RESTRICTED_OPERATION
Definition: miscadmin.h:312
CHECK_FOR_INTERRUPTS
#define CHECK_FOR_INTERRUPTS()
Definition: miscadmin.h:122
GetUserIdAndSecContext
void GetUserIdAndSecContext(Oid *userid, int *sec_context)
Definition: miscinit.c:635
SetUserIdAndSecContext
void SetUserIdAndSecContext(Oid userid, int sec_context)
Definition: miscinit.c:642
_bt_form_posting
IndexTuple _bt_form_posting(IndexTuple base, ItemPointer htids, int nhtids)
Definition: nbtdedup.c:864
_bt_relbuf
void _bt_relbuf(Relation rel, Buffer buf)
Definition: nbtpage.c:1023
_bt_checkpage
void _bt_checkpage(Relation rel, Buffer buf)
Definition: nbtpage.c:797
_bt_metaversion
void _bt_metaversion(Relation rel, bool *heapkeyspace, bool *allequalimage)
Definition: nbtpage.c:739
P_HAS_FULLXID
#define P_HAS_FULLXID(opaque)
Definition: nbtree.h:228
P_ISHALFDEAD
#define P_ISHALFDEAD(opaque)
Definition: nbtree.h:224
BTreeTupleGetNPosting
static uint16 BTreeTupleGetNPosting(IndexTuple posting)
Definition: nbtree.h:518
BTreeTupleIsPivot
static bool BTreeTupleIsPivot(IndexTuple itup)
Definition: nbtree.h:480
BTPageGetMeta
#define BTPageGetMeta(p)
Definition: nbtree.h:121
P_ISLEAF
#define P_ISLEAF(opaque)
Definition: nbtree.h:220
BTREE_MIN_VERSION
#define BTREE_MIN_VERSION
Definition: nbtree.h:151
P_HIKEY
#define P_HIKEY
Definition: nbtree.h:367
P_HAS_GARBAGE
#define P_HAS_GARBAGE(opaque)
Definition: nbtree.h:226
BTMaxItemSizeNoHeapTid
#define BTMaxItemSizeNoHeapTid(page)
Definition: nbtree.h:169
P_ISMETA
#define P_ISMETA(opaque)
Definition: nbtree.h:223
BTPageGetOpaque
#define BTPageGetOpaque(page)
Definition: nbtree.h:73
P_ISDELETED
#define P_ISDELETED(opaque)
Definition: nbtree.h:222
BTREE_MAGIC
#define BTREE_MAGIC
Definition: nbtree.h:149
BTREE_VERSION
#define BTREE_VERSION
Definition: nbtree.h:150
BTreeTupleGetTopParent
static BlockNumber BTreeTupleGetTopParent(IndexTuple leafhikey)
Definition: nbtree.h:620
MaxTIDsPerBTreePage
#define MaxTIDsPerBTreePage
Definition: nbtree.h:185
P_FIRSTDATAKEY
#define P_FIRSTDATAKEY(opaque)
Definition: nbtree.h:369
P_ISROOT
#define P_ISROOT(opaque)
Definition: nbtree.h:221
P_NONE
#define P_NONE
Definition: nbtree.h:212
P_RIGHTMOST
#define P_RIGHTMOST(opaque)
Definition: nbtree.h:219
BTMaxItemSize
#define BTMaxItemSize(page)
Definition: nbtree.h:164
P_INCOMPLETE_SPLIT
#define P_INCOMPLETE_SPLIT(opaque)
Definition: nbtree.h:227
BTREE_METAPAGE
#define BTREE_METAPAGE
Definition: nbtree.h:148
BTreeTupleGetPostingN
static ItemPointer BTreeTupleGetPostingN(IndexTuple posting, int n)
Definition: nbtree.h:544
BT_READ
#define BT_READ
Definition: nbtree.h:719
BTreeTupleGetDownLink
static BlockNumber BTreeTupleGetDownLink(IndexTuple pivot)
Definition: nbtree.h:556
P_IGNORE
#define P_IGNORE(opaque)
Definition: nbtree.h:225
BTreeTupleGetMaxHeapTID
static ItemPointer BTreeTupleGetMaxHeapTID(IndexTuple itup)
Definition: nbtree.h:664
BTreeTupleIsPosting
static bool BTreeTupleIsPosting(IndexTuple itup)
Definition: nbtree.h:492
BTreeTupleGetHeapTID
static ItemPointer BTreeTupleGetHeapTID(IndexTuple itup)
Definition: nbtree.h:638
BTreeTupleGetNAtts
#define BTreeTupleGetNAtts(itup, rel)
Definition: nbtree.h:577
_bt_search
BTStack _bt_search(Relation rel, Relation heaprel, BTScanInsert key, Buffer *bufP, int access)
Definition: nbtsearch.c:100
_bt_binsrch_insert
OffsetNumber _bt_binsrch_insert(Relation rel, BTInsertState insertstate)
Definition: nbtsearch.c:472
_bt_compare
int32 _bt_compare(Relation rel, BTScanInsert key, Page page, OffsetNumber offnum)
Definition: nbtsearch.c:686
_bt_freestack
void _bt_freestack(BTStack stack)
Definition: nbtutils.c:221
_bt_mkscankey
BTScanInsert _bt_mkscankey(Relation rel, IndexTuple itup)
Definition: nbtutils.c:129
_bt_check_natts
bool _bt_check_natts(Relation rel, bool heapkeyspace, Page page, OffsetNumber offnum)
Definition: nbtutils.c:4907
_bt_allequalimage
bool _bt_allequalimage(Relation rel, bool debugmessage)
Definition: nbtutils.c:5125
InvalidOffsetNumber
#define InvalidOffsetNumber
Definition: off.h:26
OffsetNumberIsValid
#define OffsetNumberIsValid(offsetNumber)
Definition: off.h:39
OffsetNumberNext
#define OffsetNumberNext(offsetNumber)
Definition: off.h:52
OffsetNumber
uint16 OffsetNumber
Definition: off.h:24
pg_am.h
Form_pg_attribute
FormData_pg_attribute * Form_pg_attribute
Definition: pg_attribute.h:209
ERRCODE_DATA_CORRUPTED
#define ERRCODE_DATA_CORRUPTED
Definition: pg_basebackup.c:41
INDEX_MAX_KEYS
#define INDEX_MAX_KEYS
Definition: pg_config_manual.h:69
len
const void size_t len
Definition: pg_crc32c_sse42.c:24
data
const void * data
Definition: pg_crc32c_sse42.c:23
pg_prng_uint64
uint64 pg_prng_uint64(pg_prng_state *state)
Definition: pg_prng.c:134
pg_global_prng_state
pg_prng_state pg_global_prng_state
Definition: pg_prng.c:34
pg_prng.h
ERRCODE_T_R_SERIALIZATION_FAILURE
#define ERRCODE_T_R_SERIALIZATION_FAILURE
Definition: pgbench.c:76
ERRCODE_UNDEFINED_TABLE
#define ERRCODE_UNDEFINED_TABLE
Definition: pgbench.c:78
PointerGetDatum
static Datum PointerGetDatum(const void *X)
Definition: postgres.h:322
Datum
uintptr_t Datum
Definition: postgres.h:64
DatumGetPointer
static Pointer DatumGetPointer(Datum X)
Definition: postgres.h:312
InvalidOid
#define InvalidOid
Definition: postgres_ext.h:36
Oid
unsigned int Oid
Definition: postgres_ext.h:31
psprintf
char * psprintf(const char *fmt,...)
Definition: psprintf.c:46
MemoryContextSwitchTo
MemoryContextSwitchTo(old_ctx)
cmp
static int cmp(const chr *x, const chr *y, size_t len)
Definition: regc_locale.c:743
RelationGetSmgr
static SMgrRelation RelationGetSmgr(Relation rel)
Definition: rel.h:567
RelationGetDescr
#define RelationGetDescr(relation)
Definition: rel.h:531
RelationGetRelationName
#define RelationGetRelationName(relation)
Definition: rel.h:539
RELATION_IS_OTHER_TEMP
#define RELATION_IS_OTHER_TEMP(relation)
Definition: rel.h:658
IndexRelationGetNumberOfKeyAttributes
#define IndexRelationGetNumberOfKeyAttributes(relation)
Definition: rel.h:524
MAIN_FORKNUM
@ MAIN_FORKNUM
Definition: relpath.h:58
smgrexists
bool smgrexists(SMgrRelation reln, ForkNumber forknum)
Definition: smgr.c:401
RecentXmin
TransactionId RecentXmin
Definition: snapmgr.c:99
GetTransactionSnapshot
Snapshot GetTransactionSnapshot(void)
Definition: snapmgr.c:216
UnregisterSnapshot
void UnregisterSnapshot(Snapshot snapshot)
Definition: snapmgr.c:836
RegisterSnapshot
Snapshot RegisterSnapshot(Snapshot snapshot)
Definition: snapmgr.c:794
SnapshotAny
#define SnapshotAny
Definition: snapmgr.h:33
InvalidSnapshot
#define InvalidSnapshot
Definition: snapshot.h:123
BTInsertStateData::bounds_valid
bool bounds_valid
Definition: nbtree.h:823
BTInsertStateData::itup
IndexTuple itup
Definition: nbtree.h:811
BTInsertStateData::itup_key
BTScanInsert itup_key
Definition: nbtree.h:813
BTMetaPageData::btm_level
uint32 btm_level
Definition: nbtree.h:108
BTMetaPageData::btm_fastroot
BlockNumber btm_fastroot
Definition: nbtree.h:109
BTMetaPageData::btm_version
uint32 btm_version
Definition: nbtree.h:106
BTMetaPageData::btm_magic
uint32 btm_magic
Definition: nbtree.h:105
BTMetaPageData::btm_root
BlockNumber btm_root
Definition: nbtree.h:107
BTMetaPageData::btm_fastlevel
uint32 btm_fastlevel
Definition: nbtree.h:110
BTPageOpaqueData::btpo_next
BlockNumber btpo_next
Definition: nbtree.h:65
BTPageOpaqueData::btpo_prev
BlockNumber btpo_prev
Definition: nbtree.h:64
BTPageOpaqueData::btpo_level
uint32 btpo_level
Definition: nbtree.h:66
BTScanInsertData::scantid
ItemPointer scantid
Definition: nbtree.h:791
BTScanInsertData::heapkeyspace
bool heapkeyspace
Definition: nbtree.h:786
BTScanInsertData::anynullkeys
bool anynullkeys
Definition: nbtree.h:788
BtreeCheckState::checkstrategy
BufferAccessStrategy checkstrategy
Definition: verify_nbtree.c:90
BtreeCheckState::snapshot
Snapshot snapshot
Definition: verify_nbtree.c:96
BtreeCheckState::filter
bloom_filter * filter
Definition: verify_nbtree.c:128
BtreeCheckState::targetblock
BlockNumber targetblock
Definition: verify_nbtree.c:105
BtreeCheckState::prevrightlink
BlockNumber prevrightlink
Definition: verify_nbtree.c:120
BtreeCheckState::targetlsn
XLogRecPtr targetlsn
Definition: verify_nbtree.c:107
BtreeCheckState::targetcontext
MemoryContext targetcontext
Definition: verify_nbtree.c:88
BtreeCheckState::lowkey
IndexTuple lowkey
Definition: verify_nbtree.c:113
BtreeCheckState::heaprel
Relation heaprel
Definition: verify_nbtree.c:76
BtreeCheckState::indexinfo
IndexInfo * indexinfo
Definition: verify_nbtree.c:95
BtreeLevel::istruerootlevel
bool istruerootlevel
Definition: verify_nbtree.c:145
BtreeLevel::level
uint32 level
Definition: verify_nbtree.c:139
BtreeLevel::leftmost
BlockNumber leftmost
Definition: verify_nbtree.c:142
HeapTupleData::t_data
HeapTupleHeader t_data
Definition: htup.h:68
IndexInfo::ii_Unique
bool ii_Unique
Definition: execnodes.h:199
IndexInfo::ii_ExclusionStrats
uint16 * ii_ExclusionStrats
Definition: execnodes.h:195
IndexInfo::ii_ExclusionOps
Oid * ii_ExclusionOps
Definition: execnodes.h:193
IndexInfo::ii_Concurrent
bool ii_Concurrent
Definition: execnodes.h:204
IndexInfo::ii_ExclusionProcs
Oid * ii_ExclusionProcs
Definition: execnodes.h:194
IndexTupleData::t_tid
ItemPointerData t_tid
Definition: itup.h:37
IndexTupleData::t_info
unsigned short t_info
Definition: itup.h:49
ItemPointerData::ip_posid
OffsetNumber ip_posid
Definition: itemptr.h:39
RelationData::rd_indextuple
struct HeapTupleData * rd_indextuple
Definition: rel.h:194
RelationData::rd_index
Form_pg_index rd_index
Definition: rel.h:192
RelationData::rd_opfamily
Oid * rd_opfamily
Definition: rel.h:207
RelationData::rd_rel
Form_pg_class rd_rel
Definition: rel.h:111
SnapshotData::xmin
TransactionId xmin
Definition: snapshot.h:157
bloom_filter
Definition: bloomfilter.c:45
index
Definition: type.h:95
state
Definition: regguts.h:323
table_close
void table_close(Relation relation, LOCKMODE lockmode)
Definition: table.c:126
table_open
Relation table_open(Oid relationId, LOCKMODE lockmode)
Definition: table.c:40
table_slot_create
TupleTableSlot * table_slot_create(Relation relation, List **reglist)
Definition: tableam.c:91
table_beginscan_strat
static TableScanDesc table_beginscan_strat(Relation rel, Snapshot snapshot, int nkeys, struct ScanKeyData *key, bool allow_strat, bool allow_sync)
Definition: tableam.h:932
table_index_build_scan
static double table_index_build_scan(Relation table_rel, Relation index_rel, struct IndexInfo *index_info, bool allow_sync, bool progress, IndexBuildCallback callback, void *callback_state, TableScanDesc scan)
Definition: tableam.h:1775
table_tuple_fetch_row_version
static bool table_tuple_fetch_row_version(Relation rel, ItemPointer tid, Snapshot snapshot, TupleTableSlot *slot)
Definition: tableam.h:1288
TransactionIdPrecedes
bool TransactionIdPrecedes(TransactionId id1, TransactionId id2)
Definition: transam.c:280
TransactionIdIsValid
#define TransactionIdIsValid(xid)
Definition: transam.h:41
TupleDescAttr
#define TupleDescAttr(tupdesc, i)
Definition: tupdesc.h:92
SET_VARSIZE_SHORT
#define SET_VARSIZE_SHORT(PTR, len)
Definition: varatt.h:306
VARATT_CAN_MAKE_SHORT
#define VARATT_CAN_MAKE_SHORT(PTR)
Definition: varatt.h:258
VARDATA
#define VARDATA(PTR)
Definition: varatt.h:278
VARATT_IS_COMPRESSED
#define VARATT_IS_COMPRESSED(PTR)
Definition: varatt.h:288
VARSIZE
#define VARSIZE(PTR)
Definition: varatt.h:279
VARATT_CONVERTED_SHORT_SIZE
#define VARATT_CONVERTED_SHORT_SIZE(PTR)
Definition: varatt.h:261
VARATT_IS_EXTERNAL
#define VARATT_IS_EXTERNAL(PTR)
Definition: varatt.h:289
offset_is_negative_infinity
static bool offset_is_negative_infinity(BTPageOpaque opaque, OffsetNumber offset)
Definition: verify_nbtree.c:3214
bt_leftmost_ignoring_half_dead
static bool bt_leftmost_ignoring_half_dead(BtreeCheckState *state, BlockNumber start, BTPageOpaque start_opaque)
Definition: verify_nbtree.c:1148
invariant_l_offset
static bool invariant_l_offset(BtreeCheckState *state, BTScanInsert key, OffsetNumber upperbound)
Definition: verify_nbtree.c:3249
BTreeTupleGetPointsToTID
static ItemPointer BTreeTupleGetPointsToTID(IndexTuple itup)
Definition: verify_nbtree.c:3721
BtreeCheckState
struct BtreeCheckState BtreeCheckState
bt_posting_plain_tuple
static IndexTuple bt_posting_plain_tuple(IndexTuple itup, int n)
Definition: verify_nbtree.c:3117
BtreeLastVisibleEntry
struct BtreeLastVisibleEntry BtreeLastVisibleEntry
bt_target_page_check
static void bt_target_page_check(BtreeCheckState *state)
Definition: verify_nbtree.c:1377
bt_check_every_level
static void bt_check_every_level(Relation rel, Relation heaprel, bool heapkeyspace, bool readonly, bool heapallindexed, bool rootdescend, bool checkunique)
Definition: verify_nbtree.c:502
bt_report_duplicate
static void bt_report_duplicate(BtreeCheckState *state, BtreeLastVisibleEntry *lVis, ItemPointer nexttid, BlockNumber nblock, OffsetNumber noffset, int nposting)
Definition: verify_nbtree.c:1009
PG_MODULE_MAGIC
PG_MODULE_MAGIC
Definition: verify_nbtree.c:47
bt_pivot_tuple_identical
static bool bt_pivot_tuple_identical(bool heapkeyspace, IndexTuple itup1, IndexTuple itup2)
Definition: verify_nbtree.c:2213
bt_index_check_internal
static void bt_index_check_internal(Oid indrelid, bool parentcheck, bool heapallindexed, bool rootdescend, bool checkunique)
Definition: verify_nbtree.c:289
invariant_leq_offset
static bool invariant_leq_offset(BtreeCheckState *state, BTScanInsert key, OffsetNumber upperbound)
Definition: verify_nbtree.c:3312
bt_index_parent_check
Datum bt_index_parent_check(PG_FUNCTION_ARGS)
Definition: verify_nbtree.c:266
bt_child_highkey_check
static void bt_child_highkey_check(BtreeCheckState *state, OffsetNumber target_downlinkoffnum, Page loaded_child, uint32 target_level)
Definition: verify_nbtree.c:2286
heap_entry_is_visible
static bool heap_entry_is_visible(BtreeCheckState *state, ItemPointer tid)
Definition: verify_nbtree.c:990
bt_mkscankey_pivotsearch
static BTScanInsert bt_mkscankey_pivotsearch(Relation rel, IndexTuple itup)
Definition: verify_nbtree.c:3609
bt_index_check
Datum bt_index_check(PG_FUNCTION_ARGS)
Definition: verify_nbtree.c:240
bt_check_level_from_leftmost
static BtreeLevel bt_check_level_from_leftmost(BtreeCheckState *state, BtreeLevel level)
Definition: verify_nbtree.c:762
bt_downlink_missing_check
static void bt_downlink_missing_check(BtreeCheckState *state, bool rightsplit, BlockNumber blkno, Page page)
Definition: verify_nbtree.c:2698
PG_FUNCTION_INFO_V1
PG_FUNCTION_INFO_V1(bt_index_check)
PageGetItemIdCareful
static ItemId PageGetItemIdCareful(BtreeCheckState *state, BlockNumber block, Page page, OffsetNumber offset)
Definition: verify_nbtree.c:3633
bt_tuple_present_callback
static void bt_tuple_present_callback(Relation index, ItemPointer tid, Datum *values, bool *isnull, bool tupleIsAlive, void *checkstate)
Definition: verify_nbtree.c:2921
btree_index_mainfork_expected
static bool btree_index_mainfork_expected(Relation rel)
Definition: verify_nbtree.c:464
bt_rootdescend
static bool bt_rootdescend(BtreeCheckState *state, IndexTuple itup)
Definition: verify_nbtree.c:3150
bt_right_page_check_scankey
static BTScanInsert bt_right_page_check_scankey(BtreeCheckState *state, OffsetNumber *rightfirstoffset)
Definition: verify_nbtree.c:2006
invariant_g_offset
static bool invariant_g_offset(BtreeCheckState *state, BTScanInsert key, OffsetNumber lowerbound)
Definition: verify_nbtree.c:3335
InvalidBtreeLevel
#define InvalidBtreeLevel
Definition: verify_nbtree.c:53
palloc_btree_page
static Page palloc_btree_page(BtreeCheckState *state, BlockNumber blocknum)
Definition: verify_nbtree.c:3431
bt_normalize_tuple
static IndexTuple bt_normalize_tuple(BtreeCheckState *state, IndexTuple itup)
Definition: verify_nbtree.c:2989
bt_recheck_sibling_links
static void bt_recheck_sibling_links(BtreeCheckState *state, BlockNumber btpo_prev_from_target, BlockNumber leftcurrent)
Definition: verify_nbtree.c:1237
BTreeTupleGetHeapTIDCareful
static ItemPointer BTreeTupleGetHeapTIDCareful(BtreeCheckState *state, IndexTuple itup, bool nonpivot)
Definition: verify_nbtree.c:3673
BTreeTupleGetNKeyAtts
#define BTreeTupleGetNKeyAtts(itup, rel)
Definition: verify_nbtree.c:54
bt_child_check
static void bt_child_check(BtreeCheckState *state, BTScanInsert targetkey, OffsetNumber downlinkoffnum)
Definition: verify_nbtree.c:2533
bt_entry_unique_check
static void bt_entry_unique_check(BtreeCheckState *state, IndexTuple itup, BlockNumber targetblock, OffsetNumber offset, BtreeLastVisibleEntry *lVis)
Definition: verify_nbtree.c:1049
btree_index_checkable
static void btree_index_checkable(Relation rel)
Definition: verify_nbtree.c:430
invariant_l_nontarget_offset
static bool invariant_l_nontarget_offset(BtreeCheckState *state, BTScanInsert key, BlockNumber nontargetblock, Page nontarget, OffsetNumber upperbound)
Definition: verify_nbtree.c:3371
BtreeLevel
struct BtreeLevel BtreeLevel
IsolationUsesXactSnapshot
#define IsolationUsesXactSnapshot()
Definition: xact.h:51
RecoveryInProgress
bool RecoveryInProgress(void)
Definition: xlog.c:6333
LSN_FORMAT_ARGS
#define LSN_FORMAT_ARGS(lsn)
Definition: xlogdefs.h:43
XLogRecPtr
uint64 XLogRecPtr
Definition: xlogdefs.h:21