PostgreSQL Source Code git master
verify_nbtree.c
Go to the documentation of this file.
1/*-------------------------------------------------------------------------
2 *
3 * verify_nbtree.c
4 * Verifies the integrity of nbtree indexes based on invariants.
5 *
6 * For B-Tree indexes, verification includes checking that each page in the
7 * target index has items in logical order as reported by an insertion scankey
8 * (the insertion scankey sort-wise NULL semantics are needed for
9 * verification).
10 *
11 * When index-to-heap verification is requested, a Bloom filter is used to
12 * fingerprint all tuples in the target index, as the index is traversed to
13 * verify its structure. A heap scan later uses Bloom filter probes to verify
14 * that every visible heap tuple has a matching index tuple.
15 *
16 *
17 * Copyright (c) 2017-2025, PostgreSQL Global Development Group
18 *
19 * IDENTIFICATION
20 * contrib/amcheck/verify_nbtree.c
21 *
22 *-------------------------------------------------------------------------
23 */
24#include "postgres.h"
25
26#include "access/heaptoast.h"
27#include "access/htup_details.h"
28#include "access/nbtree.h"
29#include "access/table.h"
30#include "access/tableam.h"
31#include "access/transam.h"
32#include "access/xact.h"
33#include "catalog/index.h"
34#include "catalog/pg_am.h"
35#include "catalog/pg_opfamily_d.h"
36#include "common/pg_prng.h"
37#include "lib/bloomfilter.h"
38#include "miscadmin.h"
39#include "storage/smgr.h"
40#include "utils/guc.h"
41#include "utils/memutils.h"
42#include "utils/snapmgr.h"
43
44
45PG_MODULE_MAGIC;
46
47/*
48 * A B-Tree cannot possibly have this many levels, since there must be one
49 * block per level, which is bound by the range of BlockNumber:
50 */
51#define InvalidBtreeLevel ((uint32) InvalidBlockNumber)
52#define BTreeTupleGetNKeyAtts(itup, rel) \
53 Min(IndexRelationGetNumberOfKeyAttributes(rel), BTreeTupleGetNAtts(itup, rel))
54
55/*
56 * State associated with verifying a B-Tree index
57 *
58 * target is the point of reference for a verification operation.
59 *
60 * Other B-Tree pages may be allocated, but those are always auxiliary (e.g.,
61 * they are current target's child pages). Conceptually, problems are only
62 * ever found in the current target page (or for a particular heap tuple during
63 * heapallindexed verification). Each page found by verification's left/right,
64 * top/bottom scan becomes the target exactly once.
65 */
66typedef struct BtreeCheckState
67{
68 /*
69 * Unchanging state, established at start of verification:
70 */
71
72 /* B-Tree Index Relation and associated heap relation */
73 Relation rel;
74 Relation heaprel;
75 /* rel is heapkeyspace index? */
76 bool heapkeyspace;
77 /* ShareLock held on heap/index, rather than AccessShareLock? */
78 bool readonly;
79 /* Also verifying heap has no unindexed tuples? */
80 bool heapallindexed;
81 /* Also making sure non-pivot tuples can be found by new search? */
82 bool rootdescend;
83 /* Also check uniqueness constraint if index is unique */
84 bool checkunique;
85 /* Per-page context */
86 MemoryContext targetcontext;
87 /* Buffer access strategy */
88 BufferAccessStrategy checkstrategy;
89
90 /*
91 * Info for uniqueness checking. Fill these fields once per index check.
92 */
93 IndexInfo *indexinfo;
94 Snapshot snapshot;
95
96 /*
97 * Mutable state, for verification of particular page:
98 */
99
100 /* Current target page */
101 Page target;
102 /* Target block number */
103 BlockNumber targetblock;
104 /* Target page's LSN */
105 XLogRecPtr targetlsn;
106
107 /*
108 * Low key: high key of left sibling of target page. Used only for child
109 * verification. So, 'lowkey' is kept only when 'readonly' is set.
110 */
111 IndexTuple lowkey;
112
113 /*
114 * The rightlink and incomplete split flag of block one level down to the
115 * target page, which was visited last time via downlink from target page.
116 * We use it to check for missing downlinks.
117 */
118 BlockNumber prevrightlink;
119 bool previncompletesplit;
120
121 /*
122 * Mutable state, for optional heapallindexed verification:
123 */
124
125 /* Bloom filter fingerprints B-Tree index */
126 bloom_filter *filter;
127 /* Debug counter */
128 int64 heaptuplespresent;
129} BtreeCheckState;
130
131/*
132 * Starting point for verifying an entire B-Tree index level
133 */
134typedef struct BtreeLevel
135{
136 /* Level number (0 is leaf page level). */
137 uint32 level;
138
139 /* Left most block on level. Scan of level begins here. */
140 BlockNumber leftmost;
141
142 /* Is this level reported as "true" root level by meta page? */
143 bool istruerootlevel;
144} BtreeLevel;
145
146/*
147 * Information about the last visible entry with current B-tree key. Used
148 * for validation of the unique constraint.
149 */
150typedef struct BtreeLastVisibleEntry
151{
152 BlockNumber blkno; /* Index block */
153 OffsetNumber offset; /* Offset on index block */
154 int postingIndex; /* Number in the posting list (-1 for
155 * non-deduplicated tuples) */
156 ItemPointer tid; /* Heap tid */
157} BtreeLastVisibleEntry;
158
159PG_FUNCTION_INFO_V1(bt_index_check);
160PG_FUNCTION_INFO_V1(bt_index_parent_check);
161
162static void bt_index_check_internal(Oid indrelid, bool parentcheck,
163 bool heapallindexed, bool rootdescend,
164 bool checkunique);
165static inline void btree_index_checkable(Relation rel);
166static inline bool btree_index_mainfork_expected(Relation rel);
167static void bt_check_every_level(Relation rel, Relation heaprel,
168 bool heapkeyspace, bool readonly, bool heapallindexed,
169 bool rootdescend, bool checkunique);
170static BtreeLevel bt_check_level_from_leftmost(BtreeCheckState *state,
171 BtreeLevel level);
172static bool bt_leftmost_ignoring_half_dead(BtreeCheckState *state,
173 BlockNumber start,
174 BTPageOpaque start_opaque);
175static void bt_recheck_sibling_links(BtreeCheckState *state,
176 BlockNumber btpo_prev_from_target,
177 BlockNumber leftcurrent);
178static bool heap_entry_is_visible(BtreeCheckState *state, ItemPointer tid);
179static void bt_report_duplicate(BtreeCheckState *state,
180 BtreeLastVisibleEntry *lVis,
181 ItemPointer nexttid,
182 BlockNumber nblock, OffsetNumber noffset,
183 int nposting);
184static void bt_entry_unique_check(BtreeCheckState *state, IndexTuple itup,
185 BlockNumber targetblock, OffsetNumber offset,
186 BtreeLastVisibleEntry *lVis);
187static void bt_target_page_check(BtreeCheckState *state);
188static BTScanInsert bt_right_page_check_scankey(BtreeCheckState *state,
189 OffsetNumber *rightfirstoffset);
190static void bt_child_check(BtreeCheckState *state, BTScanInsert targetkey,
191 OffsetNumber downlinkoffnum);
192static void bt_child_highkey_check(BtreeCheckState *state,
193 OffsetNumber target_downlinkoffnum,
194 Page loaded_child,
195 uint32 target_level);
196static void bt_downlink_missing_check(BtreeCheckState *state, bool rightsplit,
197 BlockNumber blkno, Page page);
198static void bt_tuple_present_callback(Relation index, ItemPointer tid,
199 Datum *values, bool *isnull,
200 bool tupleIsAlive, void *checkstate);
201static IndexTuple bt_normalize_tuple(BtreeCheckState *state,
202 IndexTuple itup);
203static inline IndexTuple bt_posting_plain_tuple(IndexTuple itup, int n);
204static bool bt_rootdescend(BtreeCheckState *state, IndexTuple itup);
205static inline bool offset_is_negative_infinity(BTPageOpaque opaque,
206 OffsetNumber offset);
207static inline bool invariant_l_offset(BtreeCheckState *state, BTScanInsert key,
208 OffsetNumber upperbound);
209static inline bool invariant_leq_offset(BtreeCheckState *state,
210 BTScanInsert key,
211 OffsetNumber upperbound);
212static inline bool invariant_g_offset(BtreeCheckState *state, BTScanInsert key,
213 OffsetNumber lowerbound);
214static inline bool invariant_l_nontarget_offset(BtreeCheckState *state,
215 BTScanInsert key,
216 BlockNumber nontargetblock,
217 Page nontarget,
218 OffsetNumber upperbound);
219static Page palloc_btree_page(BtreeCheckState *state, BlockNumber blocknum);
220static inline BTScanInsert bt_mkscankey_pivotsearch(Relation rel,
221 IndexTuple itup);
222static ItemId PageGetItemIdCareful(BtreeCheckState *state, BlockNumber block,
223 Page page, OffsetNumber offset);
224static inline ItemPointer BTreeTupleGetHeapTIDCareful(BtreeCheckState *state,
225 IndexTuple itup, bool nonpivot);
226static inline ItemPointer BTreeTupleGetPointsToTID(IndexTuple itup);
227
228/*
229 * bt_index_check(index regclass, heapallindexed boolean, checkunique boolean)
230 *
231 * Verify integrity of B-Tree index.
232 *
233 * Acquires AccessShareLock on heap & index relations. Does not consider
234 * invariants that exist between parent/child pages. Optionally verifies
235 * that heap does not contain any unindexed or incorrectly indexed tuples.
236 */
237Datum
238bt_index_check(PG_FUNCTION_ARGS)
239{
240 Oid indrelid = PG_GETARG_OID(0);
241 bool heapallindexed = false;
242 bool checkunique = false;
243
244 if (PG_NARGS() >= 2)
245 heapallindexed = PG_GETARG_BOOL(1);
246 if (PG_NARGS() == 3)
247 checkunique = PG_GETARG_BOOL(2);
248
249 bt_index_check_internal(indrelid, false, heapallindexed, false, checkunique);
250
251 PG_RETURN_VOID();
252}
253
254/*
255 * bt_index_parent_check(index regclass, heapallindexed boolean, rootdescend boolean, checkunique boolean)
256 *
257 * Verify integrity of B-Tree index.
258 *
259 * Acquires ShareLock on heap & index relations. Verifies that downlinks in
260 * parent pages are valid lower bounds on child pages. Optionally verifies
261 * that heap does not contain any unindexed or incorrectly indexed tuples.
262 */
263Datum
264bt_index_parent_check(PG_FUNCTION_ARGS)
265{
266 Oid indrelid = PG_GETARG_OID(0);
267 bool heapallindexed = false;
268 bool rootdescend = false;
269 bool checkunique = false;
270
271 if (PG_NARGS() >= 2)
272 heapallindexed = PG_GETARG_BOOL(1);
273 if (PG_NARGS() >= 3)
274 rootdescend = PG_GETARG_BOOL(2);
275 if (PG_NARGS() == 4)
276 checkunique = PG_GETARG_BOOL(3);
277
278 bt_index_check_internal(indrelid, true, heapallindexed, rootdescend, checkunique);
279
280 PG_RETURN_VOID();
281}
282
283/*
284 * Helper for bt_index_[parent_]check, coordinating the bulk of the work.
285 */
286static void
287bt_index_check_internal(Oid indrelid, bool parentcheck, bool heapallindexed,
288 bool rootdescend, bool checkunique)
289{
290 Oid heapid;
291 Relation indrel;
292 Relation heaprel;
293 LOCKMODE lockmode;
294 Oid save_userid;
295 int save_sec_context;
296 int save_nestlevel;
297
298 if (parentcheck)
299 lockmode = ShareLock;
300 else
301 lockmode = AccessShareLock;
302
303 /*
304 * We must lock table before index to avoid deadlocks. However, if the
305 * passed indrelid isn't an index then IndexGetRelation() will fail.
306 * Rather than emitting a not-very-helpful error message, postpone
307 * complaining, expecting that the is-it-an-index test below will fail.
308 *
309 * In hot standby mode this will raise an error when parentcheck is true.
310 */
311 heapid = IndexGetRelation(indrelid, true);
312 if (OidIsValid(heapid))
313 {
314 heaprel = table_open(heapid, lockmode);
315
316 /*
317 * Switch to the table owner's userid, so that any index functions are
318 * run as that user. Also lock down security-restricted operations
319 * and arrange to make GUC variable changes local to this command.
320 */
321 GetUserIdAndSecContext(&save_userid, &save_sec_context);
322 SetUserIdAndSecContext(heaprel->rd_rel->relowner,
323 save_sec_context | SECURITY_RESTRICTED_OPERATION);
324 save_nestlevel = NewGUCNestLevel();
325 RestrictSearchPath();
326 }
327 else
328 {
329 heaprel = NULL;
330 /* Set these just to suppress "uninitialized variable" warnings */
331 save_userid = InvalidOid;
332 save_sec_context = -1;
333 save_nestlevel = -1;
334 }
335
336 /*
337 * Open the target index relations separately (like relation_openrv(), but
338 * with heap relation locked first to prevent deadlocking). In hot
339 * standby mode this will raise an error when parentcheck is true.
340 *
341 * There is no need for the usual indcheckxmin usability horizon test
342 * here, even in the heapallindexed case, because index undergoing
343 * verification only needs to have entries for a new transaction snapshot.
344 * (If this is a parentcheck verification, there is no question about
345 * committed or recently dead heap tuples lacking index entries due to
346 * concurrent activity.)
347 */
348 indrel = index_open(indrelid, lockmode);
349
350 /*
351 * Since we did the IndexGetRelation call above without any lock, it's
352 * barely possible that a race against an index drop/recreation could have
353 * netted us the wrong table.
354 */
355 if (heaprel == NULL || heapid != IndexGetRelation(indrelid, false))
356 ereport(ERROR,
357 (errcode(ERRCODE_UNDEFINED_TABLE),
358 errmsg("could not open parent table of index \"%s\"",
359 RelationGetRelationName(indrel))));
360
361 /* Relation suitable for checking as B-Tree? */
362 btree_index_checkable(indrel);
363
364 if (btree_index_mainfork_expected(indrel))
365 {
366 bool heapkeyspace,
367 allequalimage;
368
369 if (!smgrexists(RelationGetSmgr(indrel), MAIN_FORKNUM))
370 ereport(ERROR,
371 (errcode(ERRCODE_INDEX_CORRUPTED),
372 errmsg("index \"%s\" lacks a main relation fork",
373 RelationGetRelationName(indrel))));
374
375 /* Extract metadata from metapage, and sanitize it in passing */
376 _bt_metaversion(indrel, &heapkeyspace, &allequalimage);
377 if (allequalimage && !heapkeyspace)
378 ereport(ERROR,
379 (errcode(ERRCODE_INDEX_CORRUPTED),
380 errmsg("index \"%s\" metapage has equalimage field set on unsupported nbtree version",
381 RelationGetRelationName(indrel))));
382 if (allequalimage && !_bt_allequalimage(indrel, false))
383 {
384 bool has_interval_ops = false;
385
386 for (int i = 0; i < IndexRelationGetNumberOfKeyAttributes(indrel); i++)
387 if (indrel->rd_opfamily[i] == INTERVAL_BTREE_FAM_OID)
388 has_interval_ops = true;
389 ereport(ERROR,
390 (errcode(ERRCODE_INDEX_CORRUPTED),
391 errmsg("index \"%s\" metapage incorrectly indicates that deduplication is safe",
392 RelationGetRelationName(indrel)),
393 has_interval_ops
394 ? errhint("This is known of \"interval\" indexes last built on a version predating 2023-11.")
395 : 0));
396 }
397
398 /* Check index, possibly against table it is an index on */
399 bt_check_every_level(indrel, heaprel, heapkeyspace, parentcheck,
400 heapallindexed, rootdescend, checkunique);
401 }
402
403 /* Roll back any GUC changes executed by index functions */
404 AtEOXact_GUC(false, save_nestlevel);
405
406 /* Restore userid and security context */
407 SetUserIdAndSecContext(save_userid, save_sec_context);
408
409 /*
410 * Release locks early. That's ok here because nothing in the called
411 * routines will trigger shared cache invalidations to be sent, so we can
412 * relax the usual pattern of only releasing locks after commit.
413 */
414 index_close(indrel, lockmode);
415 if (heaprel)
416 table_close(heaprel, lockmode);
417}
418
419/*
420 * Basic checks about the suitability of a relation for checking as a B-Tree
421 * index.
422 *
423 * NB: Intentionally not checking permissions, the function is normally not
424 * callable by non-superusers. If granted, it's useful to be able to check a
425 * whole cluster.
426 */
427static inline void
428btree_index_checkable(Relation rel)
429{
430 if (rel->rd_rel->relkind != RELKIND_INDEX ||
431 rel->rd_rel->relam != BTREE_AM_OID)
432 ereport(ERROR,
433 (errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
434 errmsg("only B-Tree indexes are supported as targets for verification"),
435 errdetail("Relation \"%s\" is not a B-Tree index.",
436 RelationGetRelationName(rel))));
437
438 if (RELATION_IS_OTHER_TEMP(rel))
439 ereport(ERROR,
440 (errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
441 errmsg("cannot access temporary tables of other sessions"),
442 errdetail("Index \"%s\" is associated with temporary relation.",
443 RelationGetRelationName(rel))));
444
445 if (!rel->rd_index->indisvalid)
446 ereport(ERROR,
447 (errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
448 errmsg("cannot check index \"%s\"",
449 RelationGetRelationName(rel)),
450 errdetail("Index is not valid.")));
451}
452
453/*
454 * Check if B-Tree index relation should have a file for its main relation
455 * fork. Verification uses this to skip unlogged indexes when in hot standby
456 * mode, where there is simply nothing to verify. We behave as if the
457 * relation is empty.
458 *
459 * NB: Caller should call btree_index_checkable() before calling here.
460 */
461static inline bool
462btree_index_mainfork_expected(Relation rel)
463{
464 if (rel->rd_rel->relpersistence != RELPERSISTENCE_UNLOGGED ||
465 !RecoveryInProgress())
466 return true;
467
468 ereport(DEBUG1,
469 (errcode(ERRCODE_READ_ONLY_SQL_TRANSACTION),
470 errmsg("cannot verify unlogged index \"%s\" during recovery, skipping",
471 RelationGetRelationName(rel))));
472
473 return false;
474}
475
476/*
477 * Main entry point for B-Tree SQL-callable functions. Walks the B-Tree in
478 * logical order, verifying invariants as it goes. Optionally, verification
479 * checks if the heap relation contains any tuples that are not represented in
480 * the index but should be.
481 *
482 * It is the caller's responsibility to acquire appropriate heavyweight lock on
483 * the index relation, and advise us if extra checks are safe when a ShareLock
484 * is held. (A lock of the same type must also have been acquired on the heap
485 * relation.)
486 *
487 * A ShareLock is generally assumed to prevent any kind of physical
488 * modification to the index structure, including modifications that VACUUM may
489 * make. This does not include setting of the LP_DEAD bit by concurrent index
490 * scans, although that is just metadata that is not able to directly affect
491 * any check performed here. Any concurrent process that might act on the
492 * LP_DEAD bit being set (recycle space) requires a heavyweight lock that
493 * cannot be held while we hold a ShareLock. (Besides, even if that could
494 * happen, the ad-hoc recycling when a page might otherwise split is performed
495 * per-page, and requires an exclusive buffer lock, which wouldn't cause us
496 * trouble. _bt_delitems_vacuum() may only delete leaf items, and so the extra
497 * parent/child check cannot be affected.)
498 */
499static void
500bt_check_every_level(Relation rel, Relation heaprel, bool heapkeyspace,
501 bool readonly, bool heapallindexed, bool rootdescend,
502 bool checkunique)
503{
504 BtreeCheckState *state;
505 Page metapage;
506 BTMetaPageData *metad;
507 uint32 previouslevel;
508 BtreeLevel current;
509 Snapshot snapshot = SnapshotAny;
510
511 if (!readonly)
512 elog(DEBUG1, "verifying consistency of tree structure for index \"%s\"",
513 RelationGetRelationName(rel));
514 else
515 elog(DEBUG1, "verifying consistency of tree structure for index \"%s\" with cross-level checks",
516 RelationGetRelationName(rel));
517
518 /*
519 * This assertion matches the one in index_getnext_tid(). See page
520 * recycling/"visible to everyone" notes in nbtree README.
521 */
522 Assert(TransactionIdIsValid(RecentXmin));
523
524 /*
525 * Initialize state for entire verification operation
526 */
527 state = palloc0(sizeof(BtreeCheckState));
528 state->rel = rel;
529 state->heaprel = heaprel;
530 state->heapkeyspace = heapkeyspace;
531 state->readonly = readonly;
532 state->heapallindexed = heapallindexed;
533 state->rootdescend = rootdescend;
534 state->checkunique = checkunique;
535 state->snapshot = InvalidSnapshot;
536
537 if (state->heapallindexed)
538 {
539 int64 total_pages;
540 int64 total_elems;
541 uint64 seed;
542
543 /*
544 * Size Bloom filter based on estimated number of tuples in index,
545 * while conservatively assuming that each block must contain at least
546 * MaxTIDsPerBTreePage / 3 "plain" tuples -- see
547 * bt_posting_plain_tuple() for definition, and details of how posting
548 * list tuples are handled.
549 */
550 total_pages = RelationGetNumberOfBlocks(rel);
551 total_elems = Max(total_pages * (MaxTIDsPerBTreePage / 3),
552 (int64) state->rel->rd_rel->reltuples);
553 /* Generate a random seed to avoid repetition */
554 seed = pg_prng_uint64(&pg_global_prng_state);
555 /* Create Bloom filter to fingerprint index */
556 state->filter = bloom_create(total_elems, maintenance_work_mem, seed);
557 state->heaptuplespresent = 0;
558
559 /*
560 * Register our own snapshot in !readonly case, rather than asking
561 * table_index_build_scan() to do this for us later. This needs to
562 * happen before index fingerprinting begins, so we can later be
563 * certain that index fingerprinting should have reached all tuples
564 * returned by table_index_build_scan().
565 */
566 if (!state->readonly)
567 {
568 snapshot = RegisterSnapshot(GetTransactionSnapshot());
569
570 /*
571 * GetTransactionSnapshot() always acquires a new MVCC snapshot in
572 * READ COMMITTED mode. A new snapshot is guaranteed to have all
573 * the entries it requires in the index.
574 *
575 * We must defend against the possibility that an old xact
576 * snapshot was returned at higher isolation levels when that
577 * snapshot is not safe for index scans of the target index. This
578 * is possible when the snapshot sees tuples that are before the
579 * index's indcheckxmin horizon. Throwing an error here should be
580 * very rare. It doesn't seem worth using a secondary snapshot to
581 * avoid this.
582 */
583 if (IsolationUsesXactSnapshot() && rel->rd_index->indcheckxmin &&
584 !TransactionIdPrecedes(HeapTupleHeaderGetXmin(rel->rd_indextuple->t_data),
585 snapshot->xmin))
586 ereport(ERROR,
587 (errcode(ERRCODE_T_R_SERIALIZATION_FAILURE),
588 errmsg("index \"%s\" cannot be verified using transaction snapshot",
589 RelationGetRelationName(rel))));
590 }
591 }
592
593 /*
594 * We need a snapshot to check the uniqueness of the index. For better
595 * performance take it once per index check. If snapshot already taken
596 * reuse it.
597 */
598 if (state->checkunique)
599 {
600 state->indexinfo = BuildIndexInfo(state->rel);
601 if (state->indexinfo->ii_Unique)
602 {
603 if (snapshot != SnapshotAny)
604 state->snapshot = snapshot;
605 else
606 state->snapshot = RegisterSnapshot(GetTransactionSnapshot());
607 }
608 }
609
610 Assert(!state->rootdescend || state->readonly);
611 if (state->rootdescend && !state->heapkeyspace)
612 ereport(ERROR,
613 (errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
614 errmsg("cannot verify that tuples from index \"%s\" can each be found by an independent index search",
615 RelationGetRelationName(rel)),
616 errhint("Only B-Tree version 4 indexes support rootdescend verification.")));
617
618 /* Create context for page */
619 state->targetcontext = AllocSetContextCreate(CurrentMemoryContext,
620 "amcheck context",
621 ALLOCSET_DEFAULT_SIZES);
622 state->checkstrategy = GetAccessStrategy(BAS_BULKREAD);
623
624 /* Get true root block from meta-page */
625 metapage = palloc_btree_page(state, BTREE_METAPAGE);
626 metad = BTPageGetMeta(metapage);
627
628 /*
629 * Certain deletion patterns can result in "skinny" B-Tree indexes, where
630 * the fast root and true root differ.
631 *
632 * Start from the true root, not the fast root, unlike conventional index
633 * scans. This approach is more thorough, and removes the risk of
634 * following a stale fast root from the meta page.
635 */
636 if (metad->btm_fastroot != metad->btm_root)
637 ereport(DEBUG1,
638 (errcode(ERRCODE_NO_DATA),
639 errmsg_internal("harmless fast root mismatch in index \"%s\"",
640 RelationGetRelationName(rel)),
641 errdetail_internal("Fast root block %u (level %u) differs from true root block %u (level %u).",
642 metad->btm_fastroot, metad->btm_fastlevel,
643 metad->btm_root, metad->btm_level)));
644
645 /*
646 * Starting at the root, verify every level. Move left to right, top to
647 * bottom. Note that there may be no pages other than the meta page (meta
648 * page can indicate that root is P_NONE when the index is totally empty).
649 */
650 previouslevel = InvalidBtreeLevel;
651 current.level = metad->btm_level;
652 current.leftmost = metad->btm_root;
653 current.istruerootlevel = true;
654 while (current.leftmost != P_NONE)
655 {
656 /*
657 * Verify this level, and get left most page for next level down, if
658 * not at leaf level
659 */
660 current = bt_check_level_from_leftmost(state, current);
661
662 if (current.leftmost == InvalidBlockNumber)
663 ereport(ERROR,
664 (errcode(ERRCODE_INDEX_CORRUPTED),
665 errmsg("index \"%s\" has no valid pages on level below %u or first level",
666 RelationGetRelationName(rel), previouslevel)));
667
668 previouslevel = current.level;
669 }
670
671 /*
672 * * Check whether heap contains unindexed/malformed tuples *
673 */
674 if (state->heapallindexed)
675 {
676 IndexInfo *indexinfo = BuildIndexInfo(state->rel);
677 TableScanDesc scan;
678
679 /*
680 * Create our own scan for table_index_build_scan(), rather than
681 * getting it to do so for us. This is required so that we can
682 * actually use the MVCC snapshot registered earlier in !readonly
683 * case.
684 *
685 * Note that table_index_build_scan() calls heap_endscan() for us.
686 */
687 scan = table_beginscan_strat(state->heaprel, /* relation */
688 snapshot, /* snapshot */
689 0, /* number of keys */
690 NULL, /* scan key */
691 true, /* buffer access strategy OK */
692 true); /* syncscan OK? */
693
694 /*
695 * Scan will behave as the first scan of a CREATE INDEX CONCURRENTLY
696 * behaves in !readonly case.
697 *
698 * It's okay that we don't actually use the same lock strength for the
699 * heap relation as any other ii_Concurrent caller would in !readonly
700 * case. We have no reason to care about a concurrent VACUUM
701 * operation, since there isn't going to be a second scan of the heap
702 * that needs to be sure that there was no concurrent recycling of
703 * TIDs.
704 */
705 indexinfo->ii_Concurrent = !state->readonly;
706
707 /*
708 * Don't wait for uncommitted tuple xact commit/abort when index is a
709 * unique index on a catalog (or an index used by an exclusion
710 * constraint). This could otherwise happen in the readonly case.
711 */
712 indexinfo->ii_Unique = false;
713 indexinfo->ii_ExclusionOps = NULL;
714 indexinfo->ii_ExclusionProcs = NULL;
715 indexinfo->ii_ExclusionStrats = NULL;
716
717 elog(DEBUG1, "verifying that tuples from index \"%s\" are present in \"%s\"",
718 RelationGetRelationName(state->rel),
719 RelationGetRelationName(state->heaprel));
720
721 table_index_build_scan(state->heaprel, state->rel, indexinfo, true, false,
722 bt_tuple_present_callback, state, scan);
723
724 ereport(DEBUG1,
725 (errmsg_internal("finished verifying presence of " INT64_FORMAT " tuples from table \"%s\" with bitset %.2f%% set",
726 state->heaptuplespresent, RelationGetRelationName(heaprel),
727 100.0 * bloom_prop_bits_set(state->filter))));
728
729 if (snapshot != SnapshotAny)
730 UnregisterSnapshot(snapshot);
731
732 bloom_free(state->filter);
733 }
734
735 /* Be tidy: */
736 if (snapshot == SnapshotAny && state->snapshot != InvalidSnapshot)
737 UnregisterSnapshot(state->snapshot);
738 MemoryContextDelete(state->targetcontext);
739}
740
741/*
742 * Given a left-most block at some level, move right, verifying each page
743 * individually (with more verification across pages for "readonly"
744 * callers). Caller should pass the true root page as the leftmost initially,
745 * working their way down by passing what is returned for the last call here
746 * until level 0 (leaf page level) was reached.
747 *
748 * Returns state for next call, if any. This includes left-most block number
749 * one level lower that should be passed on next level/call, which is set to
750 * P_NONE on last call here (when leaf level is verified). Level numbers
751 * follow the nbtree convention: higher levels have higher numbers, because new
752 * levels are added only due to a root page split. Note that prior to the
753 * first root page split, the root is also a leaf page, so there is always a
754 * level 0 (leaf level), and it's always the last level processed.
755 *
756 * Note on memory management: State's per-page context is reset here, between
757 * each call to bt_target_page_check().
758 */
759static BtreeLevel
760bt_check_level_from_leftmost(BtreeCheckState *state, BtreeLevel level)
761{
762 /* State to establish early, concerning entire level */
763 BTPageOpaque opaque;
764 MemoryContext oldcontext;
765 BtreeLevel nextleveldown;
766
767 /* Variables for iterating across level using right links */
768 BlockNumber leftcurrent = P_NONE;
769 BlockNumber current = level.leftmost;
770
771 /* Initialize return state */
772 nextleveldown.leftmost = InvalidBlockNumber;
773 nextleveldown.level = InvalidBtreeLevel;
774 nextleveldown.istruerootlevel = false;
775
776 /* Use page-level context for duration of this call */
777 oldcontext = MemoryContextSwitchTo(state->targetcontext);
778
779 elog(DEBUG1, "verifying level %u%s", level.level,
780 level.istruerootlevel ?
781 " (true root level)" : level.level == 0 ? " (leaf level)" : "");
782
783 state->prevrightlink = InvalidBlockNumber;
784 state->previncompletesplit = false;
785
786 do
787 {
788 /* Don't rely on CHECK_FOR_INTERRUPTS() calls at lower level */
789 CHECK_FOR_INTERRUPTS();
790
791 /* Initialize state for this iteration */
792 state->targetblock = current;
793 state->target = palloc_btree_page(state, state->targetblock);
794 state->targetlsn = PageGetLSN(state->target);
795
796 opaque = BTPageGetOpaque(state->target);
797
798 if (P_IGNORE(opaque))
799 {
800 /*
801 * Since there cannot be a concurrent VACUUM operation in readonly
802 * mode, and since a page has no links within other pages
803 * (siblings and parent) once it is marked fully deleted, it
804 * should be impossible to land on a fully deleted page in
805 * readonly mode. See bt_child_check() for further details.
806 *
807 * The bt_child_check() P_ISDELETED() check is repeated here so
808 * that pages that are only reachable through sibling links get
809 * checked.
810 */
811 if (state->readonly && P_ISDELETED(opaque))
812 ereport(ERROR,
813 (errcode(ERRCODE_INDEX_CORRUPTED),
814 errmsg("downlink or sibling link points to deleted block in index \"%s\"",
815 RelationGetRelationName(state->rel)),
816 errdetail_internal("Block=%u left block=%u left link from block=%u.",
817 current, leftcurrent, opaque->btpo_prev)));
818
819 if (P_RIGHTMOST(opaque))
820 ereport(ERROR,
821 (errcode(ERRCODE_INDEX_CORRUPTED),
822 errmsg("block %u fell off the end of index \"%s\"",
823 current, RelationGetRelationName(state->rel))));
824 else
825 ereport(DEBUG1,
826 (errcode(ERRCODE_NO_DATA),
827 errmsg_internal("block %u of index \"%s\" concurrently deleted",
828 current, RelationGetRelationName(state->rel))));
829 goto nextpage;
830 }
831 else if (nextleveldown.leftmost == InvalidBlockNumber)
832 {
833 /*
834 * A concurrent page split could make the caller supplied leftmost
835 * block no longer contain the leftmost page, or no longer be the
836 * true root, but where that isn't possible due to heavyweight
837 * locking, check that the first valid page meets caller's
838 * expectations.
839 */
840 if (state->readonly)
841 {
842 if (!bt_leftmost_ignoring_half_dead(state, current, opaque))
843 ereport(ERROR,
844 (errcode(ERRCODE_INDEX_CORRUPTED),
845 errmsg("block %u is not leftmost in index \"%s\"",
846 current, RelationGetRelationName(state->rel))));
847
848 if (level.istruerootlevel && !P_ISROOT(opaque))
849 ereport(ERROR,
850 (errcode(ERRCODE_INDEX_CORRUPTED),
851 errmsg("block %u is not true root in index \"%s\"",
852 current, RelationGetRelationName(state->rel))));
853 }
854
855 /*
856 * Before beginning any non-trivial examination of level, prepare
857 * state for next bt_check_level_from_leftmost() invocation for
858 * the next level for the next level down (if any).
859 *
860 * There should be at least one non-ignorable page per level,
861 * unless this is the leaf level, which is assumed by caller to be
862 * final level.
863 */
864 if (!P_ISLEAF(opaque))
865 {
866 IndexTuple itup;
867 ItemId itemid;
868
869 /* Internal page -- downlink gets leftmost on next level */
870 itemid = PageGetItemIdCareful(state, state->targetblock,
871 state->target,
872 P_FIRSTDATAKEY(opaque));
873 itup = (IndexTuple) PageGetItem(state->target, itemid);
874 nextleveldown.leftmost = BTreeTupleGetDownLink(itup);
875 nextleveldown.level = opaque->btpo_level - 1;
876 }
877 else
878 {
879 /*
880 * Leaf page -- final level caller must process.
881 *
882 * Note that this could also be the root page, if there has
883 * been no root page split yet.
884 */
885 nextleveldown.leftmost = P_NONE;
886 nextleveldown.level = InvalidBtreeLevel;
887 }
888
889 /*
890 * Finished setting up state for this call/level. Control will
891 * never end up back here in any future loop iteration for this
892 * level.
893 */
894 }
895
896 /*
897 * Sibling links should be in mutual agreement. There arises
898 * leftcurrent == P_NONE && btpo_prev != P_NONE when the left sibling
899 * of the parent's low-key downlink is half-dead. (A half-dead page
900 * has no downlink from its parent.) Under heavyweight locking, the
901 * last bt_leftmost_ignoring_half_dead() validated this btpo_prev.
902 * Without heavyweight locking, validation of the P_NONE case remains
903 * unimplemented.
904 */
905 if (opaque->btpo_prev != leftcurrent && leftcurrent != P_NONE)
906 bt_recheck_sibling_links(state, opaque->btpo_prev, leftcurrent);
907
908 /* Check level */
909 if (level.level != opaque->btpo_level)
910 ereport(ERROR,
911 (errcode(ERRCODE_INDEX_CORRUPTED),
912 errmsg("leftmost down link for level points to block in index \"%s\" whose level is not one level down",
913 RelationGetRelationName(state->rel)),
914 errdetail_internal("Block pointed to=%u expected level=%u level in pointed to block=%u.",
915 current, level.level, opaque->btpo_level)));
916
917 /* Verify invariants for page */
918 bt_target_page_check(state);
919
920nextpage:
921
922 /* Try to detect circular links */
923 if (current == leftcurrent || current == opaque->btpo_prev)
924 ereport(ERROR,
925 (errcode(ERRCODE_INDEX_CORRUPTED),
926 errmsg("circular link chain found in block %u of index \"%s\"",
927 current, RelationGetRelationName(state->rel))));
928
929 leftcurrent = current;
930 current = opaque->btpo_next;
931
932 if (state->lowkey)
933 {
934 Assert(state->readonly);
935 pfree(state->lowkey);
936 state->lowkey = NULL;
937 }
938
939 /*
940 * Copy current target high key as the low key of right sibling.
941 * Allocate memory in upper level context, so it would be cleared
942 * after reset of target context.
943 *
944 * We only need the low key in corner cases of checking child high
945 * keys. We use high key only when incomplete split on the child level
946 * falls to the boundary of pages on the target level. See
947 * bt_child_highkey_check() for details. So, typically we won't end
948 * up doing anything with low key, but it's simpler for general case
949 * high key verification to always have it available.
950 *
951 * The correctness of managing low key in the case of concurrent
952 * splits wasn't investigated yet. Thankfully we only need low key
953 * for readonly verification and concurrent splits won't happen.
954 */
955 if (state->readonly && !P_RIGHTMOST(opaque))
956 {
957 IndexTuple itup;
958 ItemId itemid;
959
960 itemid = PageGetItemIdCareful(state, state->targetblock,
961 state->target, P_HIKEY);
962 itup = (IndexTuple) PageGetItem(state->target, itemid);
963
964 state->lowkey = MemoryContextAlloc(oldcontext, IndexTupleSize(itup));
965 memcpy(state->lowkey, itup, IndexTupleSize(itup));
966 }
967
968 /* Free page and associated memory for this iteration */
969 MemoryContextReset(state->targetcontext);
970 }
971 while (current != P_NONE);
972
973 if (state->lowkey)
974 {
975 Assert(state->readonly);
976 pfree(state->lowkey);
977 state->lowkey = NULL;
978 }
979
980 /* Don't change context for caller */
981 MemoryContextSwitchTo(oldcontext);
982
983 return nextleveldown;
984}
985
986/* Check visibility of the table entry referenced by nbtree index */
987static bool
988heap_entry_is_visible(BtreeCheckState *state, ItemPointer tid)
989{
990 bool tid_visible;
991
992 TupleTableSlot *slot = table_slot_create(state->heaprel, NULL);
993
994 tid_visible = table_tuple_fetch_row_version(state->heaprel,
995 tid, state->snapshot, slot);
996 if (slot != NULL)
997 ExecDropSingleTupleTableSlot(slot);
998
999 return tid_visible;
1000}
1001
1002/*
1003 * Prepare an error message for unique constrain violation in
1004 * a btree index and report ERROR.
1005 */
1006static void
1007bt_report_duplicate(BtreeCheckState *state,
1008 BtreeLastVisibleEntry *lVis,
1009 ItemPointer nexttid, BlockNumber nblock, OffsetNumber noffset,
1010 int nposting)
1011{
1012 char *htid,
1013 *nhtid,
1014 *itid,
1015 *nitid = "",
1016 *pposting = "",
1017 *pnposting = "";
1018
1019 htid = psprintf("tid=(%u,%u)",
1020 ItemPointerGetBlockNumberNoCheck(lVis->tid),
1021 ItemPointerGetOffsetNumberNoCheck(lVis->tid));
1022 nhtid = psprintf("tid=(%u,%u)",
1023 ItemPointerGetBlockNumberNoCheck(nexttid),
1024 ItemPointerGetOffsetNumberNoCheck(nexttid));
1025 itid = psprintf("tid=(%u,%u)", lVis->blkno, lVis->offset);
1026
1027 if (nblock != lVis->blkno || noffset != lVis->offset)
1028 nitid = psprintf(" tid=(%u,%u)", nblock, noffset);
1029
1030 if (lVis->postingIndex >= 0)
1031 pposting = psprintf(" posting %u", lVis->postingIndex);
1032
1033 if (nposting >= 0)
1034 pnposting = psprintf(" posting %u", nposting);
1035
1036 ereport(ERROR,
1037 (errcode(ERRCODE_INDEX_CORRUPTED),
1038 errmsg("index uniqueness is violated for index \"%s\"",
1039 RelationGetRelationName(state->rel)),
1040 errdetail("Index %s%s and%s%s (point to heap %s and %s) page lsn=%X/%X.",
1041 itid, pposting, nitid, pnposting, htid, nhtid,
1042 LSN_FORMAT_ARGS(state->targetlsn))));
1043}
1044
1045/* Check if current nbtree leaf entry complies with UNIQUE constraint */
1046static void
1047bt_entry_unique_check(BtreeCheckState *state, IndexTuple itup,
1048 BlockNumber targetblock, OffsetNumber offset,
1049 BtreeLastVisibleEntry *lVis)
1050{
1051 ItemPointer tid;
1052 bool has_visible_entry = false;
1053
1054 Assert(targetblock != P_NONE);
1055
1056 /*
1057 * Current tuple has posting list. Report duplicate if TID of any posting
1058 * list entry is visible and lVis->tid is valid.
1059 */
1060 if (BTreeTupleIsPosting(itup))
1061 {
1062 for (int i = 0; i < BTreeTupleGetNPosting(itup); i++)
1063 {
1064 tid = BTreeTupleGetPostingN(itup, i);
1065 if (heap_entry_is_visible(state, tid))
1066 {
1067 has_visible_entry = true;
1068 if (ItemPointerIsValid(lVis->tid))
1069 {
1070 bt_report_duplicate(state,
1071 lVis,
1072 tid, targetblock,
1073 offset, i);
1074 }
1075
1076 /*
1077 * Prevent double reporting unique constraint violation
1078 * between the posting list entries of the first tuple on the
1079 * page after cross-page check.
1080 */
1081 if (lVis->blkno != targetblock && ItemPointerIsValid(lVis->tid))
1082 return;
1083
1084 lVis->blkno = targetblock;
1085 lVis->offset = offset;
1086 lVis->postingIndex = i;
1087 lVis->tid = tid;
1088 }
1089 }
1090 }
1091
1092 /*
1093 * Current tuple has no posting list. If TID is visible save info about it
1094 * for the next comparisons in the loop in bt_target_page_check(). Report
1095 * duplicate if lVis->tid is already valid.
1096 */
1097 else
1098 {
1099 tid = BTreeTupleGetHeapTID(itup);
1100 if (heap_entry_is_visible(state, tid))
1101 {
1102 has_visible_entry = true;
1103 if (ItemPointerIsValid(lVis->tid))
1104 {
1105 bt_report_duplicate(state,
1106 lVis,
1107 tid, targetblock,
1108 offset, -1);
1109 }
1110
1111 lVis->blkno = targetblock;
1112 lVis->offset = offset;
1113 lVis->tid = tid;
1114 lVis->postingIndex = -1;
1115 }
1116 }
1117
1118 if (!has_visible_entry &&
1119 lVis->blkno != InvalidBlockNumber &&
1120 lVis->blkno != targetblock)
1121 {
1122 char *posting = "";
1123
1124 if (lVis->postingIndex >= 0)
1125 posting = psprintf(" posting %u", lVis->postingIndex);
1126 ereport(DEBUG1,
1127 (errcode(ERRCODE_NO_DATA),
1128 errmsg("index uniqueness can not be checked for index tid=(%u,%u) in index \"%s\"",
1129 targetblock, offset,
1130 RelationGetRelationName(state->rel)),
1131 errdetail("It doesn't have visible heap tids and key is equal to the tid=(%u,%u)%s (points to heap tid=(%u,%u)).",
1132 lVis->blkno, lVis->offset, posting,
1133 ItemPointerGetBlockNumberNoCheck(lVis->tid),
1134 ItemPointerGetOffsetNumberNoCheck(lVis->tid)),
1135 errhint("VACUUM the table and repeat the check.")));
1136 }
1137}
1138
1139/*
1140 * Like P_LEFTMOST(start_opaque), but accept an arbitrarily-long chain of
1141 * half-dead, sibling-linked pages to the left. If a half-dead page appears
1142 * under state->readonly, the database exited recovery between the first-stage
1143 * and second-stage WAL records of a deletion.
1144 */
1145static bool
1146bt_leftmost_ignoring_half_dead(BtreeCheckState *state,
1147 BlockNumber start,
1148 BTPageOpaque start_opaque)
1149{
1150 BlockNumber reached = start_opaque->btpo_prev,
1151 reached_from = start;
1152 bool all_half_dead = true;
1153
1154 /*
1155 * To handle the !readonly case, we'd need to accept BTP_DELETED pages and
1156 * potentially observe nbtree/README "Page deletion and backwards scans".
1157 */
1158 Assert(state->readonly);
1159
1160 while (reached != P_NONE && all_half_dead)
1161 {
1162 Page page = palloc_btree_page(state, reached);
1163 BTPageOpaque reached_opaque = BTPageGetOpaque(page);
1164
1165 CHECK_FOR_INTERRUPTS();
1166
1167 /*
1168 * Try to detect btpo_prev circular links. _bt_unlink_halfdead_page()
1169 * writes that side-links will continue to point to the siblings.
1170 * Check btpo_next for that property.
1171 */
1172 all_half_dead = P_ISHALFDEAD(reached_opaque) &&
1173 reached != start &&
1174 reached != reached_from &&
1175 reached_opaque->btpo_next == reached_from;
1176 if (all_half_dead)
1177 {
1178 XLogRecPtr pagelsn = PageGetLSN(page);
1179
1180 /* pagelsn should point to an XLOG_BTREE_MARK_PAGE_HALFDEAD */
1181 ereport(DEBUG1,
1182 (errcode(ERRCODE_NO_DATA),
1183 errmsg_internal("harmless interrupted page deletion detected in index \"%s\"",
1184 RelationGetRelationName(state->rel)),
1185 errdetail_internal("Block=%u right block=%u page lsn=%X/%X.",
1186 reached, reached_from,
1187 LSN_FORMAT_ARGS(pagelsn))));
1188
1189 reached_from = reached;
1190 reached = reached_opaque->btpo_prev;
1191 }
1192
1193 pfree(page);
1194 }
1195
1196 return all_half_dead;
1197}
1198
1199/*
1200 * Raise an error when target page's left link does not point back to the
1201 * previous target page, called leftcurrent here. The leftcurrent page's
1202 * right link was followed to get to the current target page, and we expect
1203 * mutual agreement among leftcurrent and the current target page. Make sure
1204 * that this condition has definitely been violated in the !readonly case,
1205 * where concurrent page splits are something that we need to deal with.
1206 *
1207 * Cross-page inconsistencies involving pages that don't agree about being
1208 * siblings are known to be a particularly good indicator of corruption
1209 * involving partial writes/lost updates. The bt_right_page_check_scankey
1210 * check also provides a way of detecting cross-page inconsistencies for
1211 * !readonly callers, but it can only detect sibling pages that have an
1212 * out-of-order keyspace, which can't catch many of the problems that we
1213 * expect to catch here.
1214 *
1215 * The classic example of the kind of inconsistency that we can only catch
1216 * with this check (when in !readonly mode) involves three sibling pages that
1217 * were affected by a faulty page split at some point in the past. The
1218 * effects of the split are reflected in the original page and its new right
1219 * sibling page, with a lack of any accompanying changes for the _original_
1220 * right sibling page. The original right sibling page's left link fails to
1221 * point to the new right sibling page (its left link still points to the
1222 * original page), even though the first phase of a page split is supposed to
1223 * work as a single atomic action. This subtle inconsistency will probably
1224 * only break backwards scans in practice.
1225 *
1226 * Note that this is the only place where amcheck will "couple" buffer locks
1227 * (and only for !readonly callers). In general we prefer to avoid more
1228 * thorough cross-page checks in !readonly mode, but it seems worth the
1229 * complexity here. Also, the performance overhead of performing lock
1230 * coupling here is negligible in practice. Control only reaches here with a
1231 * non-corrupt index when there is a concurrent page split at the instant
1232 * caller crossed over to target page from leftcurrent page.
1233 */
1234static void
1235bt_recheck_sibling_links(BtreeCheckState *state,
1236 BlockNumber btpo_prev_from_target,
1237 BlockNumber leftcurrent)
1238{
1239 /* passing metapage to BTPageGetOpaque() would give irrelevant findings */
1240 Assert(leftcurrent != P_NONE);
1241
1242 if (!state->readonly)
1243 {
1244 Buffer lbuf;
1245 Buffer newtargetbuf;
1246 Page page;
1247 BTPageOpaque opaque;
1248 BlockNumber newtargetblock;
1249
1250 /* Couple locks in the usual order for nbtree: Left to right */
1251 lbuf = ReadBufferExtended(state->rel, MAIN_FORKNUM, leftcurrent,
1252 RBM_NORMAL, state->checkstrategy);
1253 LockBuffer(lbuf, BT_READ);
1254 _bt_checkpage(state->rel, lbuf);
1255 page = BufferGetPage(lbuf);
1256 opaque = BTPageGetOpaque(page);
1257 if (P_ISDELETED(opaque))
1258 {
1259 /*
1260 * Cannot reason about concurrently deleted page -- the left link
1261 * in the page to the right is expected to point to some other
1262 * page to the left (not leftcurrent page).
1263 *
1264 * Note that we deliberately don't give up with a half-dead page.
1265 */
1266 UnlockReleaseBuffer(lbuf);
1267 return;
1268 }
1269
1270 newtargetblock = opaque->btpo_next;
1271 /* Avoid self-deadlock when newtargetblock == leftcurrent */
1272 if (newtargetblock != leftcurrent)
1273 {
1274 newtargetbuf = ReadBufferExtended(state->rel, MAIN_FORKNUM,
1275 newtargetblock, RBM_NORMAL,
1276 state->checkstrategy);
1277 LockBuffer(newtargetbuf, BT_READ);
1278 _bt_checkpage(state->rel, newtargetbuf);
1279 page = BufferGetPage(newtargetbuf);
1280 opaque = BTPageGetOpaque(page);
1281 /* btpo_prev_from_target may have changed; update it */
1282 btpo_prev_from_target = opaque->btpo_prev;
1283 }
1284 else
1285 {
1286 /*
1287 * leftcurrent right sibling points back to leftcurrent block.
1288 * Index is corrupt. Easiest way to handle this is to pretend
1289 * that we actually read from a distinct page that has an invalid
1290 * block number in its btpo_prev.
1291 */
1292 newtargetbuf = InvalidBuffer;
1293 btpo_prev_from_target = InvalidBlockNumber;
1294 }
1295
1296 /*
1297 * No need to check P_ISDELETED here, since new target block cannot be
1298 * marked deleted as long as we hold a lock on lbuf
1299 */
1300 if (BufferIsValid(newtargetbuf))
1301 UnlockReleaseBuffer(newtargetbuf);
1302 UnlockReleaseBuffer(lbuf);
1303
1304 if (btpo_prev_from_target == leftcurrent)
1305 {
1306 /* Report split in left sibling, not target (or new target) */
1307 ereport(DEBUG1,
1308 (errcode(ERRCODE_INTERNAL_ERROR),
1309 errmsg_internal("harmless concurrent page split detected in index \"%s\"",
1310 RelationGetRelationName(state->rel)),
1311 errdetail_internal("Block=%u new right sibling=%u original right sibling=%u.",
1312 leftcurrent, newtargetblock,
1313 state->targetblock)));
1314 return;
1315 }
1316
1317 /*
1318 * Index is corrupt. Make sure that we report correct target page.
1319 *
1320 * This could have changed in cases where there was a concurrent page
1321 * split, as well as index corruption (at least in theory). Note that
1322 * btpo_prev_from_target was already updated above.
1323 */
1324 state->targetblock = newtargetblock;
1325 }
1326
1327 ereport(ERROR,
1328 (errcode(ERRCODE_INDEX_CORRUPTED),
1329 errmsg("left link/right link pair in index \"%s\" not in agreement",
1330 RelationGetRelationName(state->rel)),
1331 errdetail_internal("Block=%u left block=%u left link from block=%u.",
1332 state->targetblock, leftcurrent,
1333 btpo_prev_from_target)));
1334}
1335
1336/*
1337 * Function performs the following checks on target page, or pages ancillary to
1338 * target page:
1339 *
1340 * - That every "real" data item is less than or equal to the high key, which
1341 * is an upper bound on the items on the page. Data items should be
1342 * strictly less than the high key when the page is an internal page.
1343 *
1344 * - That within the page, every data item is strictly less than the item
1345 * immediately to its right, if any (i.e., that the items are in order
1346 * within the page, so that the binary searches performed by index scans are
1347 * sane).
1348 *
1349 * - That the last data item stored on the page is strictly less than the
1350 * first data item on the page to the right (when such a first item is
1351 * available).
1352 *
1353 * - Various checks on the structure of tuples themselves. For example, check
1354 * that non-pivot tuples have no truncated attributes.
1355 *
1356 * - For index with unique constraint make sure that only one of table entries
1357 * for equal keys is visible.
1358 *
1359 * Furthermore, when state passed shows ShareLock held, function also checks:
1360 *
1361 * - That all child pages respect strict lower bound from parent's pivot
1362 * tuple.
1363 *
1364 * - That downlink to block was encountered in parent where that's expected.
1365 *
1366 * - That high keys of child pages matches corresponding pivot keys in parent.
1367 *
1368 * This is also where heapallindexed callers use their Bloom filter to
1369 * fingerprint IndexTuples for later table_index_build_scan() verification.
1370 *
1371 * Note: Memory allocated in this routine is expected to be released by caller
1372 * resetting state->targetcontext.
1373 */
1374static void
1375bt_target_page_check(BtreeCheckState *state)
1376{
1377 OffsetNumber offset;
1378 OffsetNumber max;
1379 BTPageOpaque topaque;
1380
1381 /* Last visible entry info for checking indexes with unique constraint */
1382 BtreeLastVisibleEntry lVis = {InvalidBlockNumber, InvalidOffsetNumber, -1, NULL};
1383
1384 topaque = BTPageGetOpaque(state->target);
1385 max = PageGetMaxOffsetNumber(state->target);
1386
1387 elog(DEBUG2, "verifying %u items on %s block %u", max,
1388 P_ISLEAF(topaque) ? "leaf" : "internal", state->targetblock);
1389
1390 /*
1391 * Check the number of attributes in high key. Note, rightmost page
1392 * doesn't contain a high key, so nothing to check
1393 */
1394 if (!P_RIGHTMOST(topaque))
1395 {
1396 ItemId itemid;
1397 IndexTuple itup;
1398
1399 /* Verify line pointer before checking tuple */
1400 itemid = PageGetItemIdCareful(state, state->targetblock,
1401 state->target, P_HIKEY);
1402 if (!_bt_check_natts(state->rel, state->heapkeyspace, state->target,
1403 P_HIKEY))
1404 {
1405 itup = (IndexTuple) PageGetItem(state->target, itemid);
1406 ereport(ERROR,
1407 (errcode(ERRCODE_INDEX_CORRUPTED),
1408 errmsg("wrong number of high key index tuple attributes in index \"%s\"",
1409 RelationGetRelationName(state->rel)),
1410 errdetail_internal("Index block=%u natts=%u block type=%s page lsn=%X/%X.",
1411 state->targetblock,
1412 BTreeTupleGetNAtts(itup, state->rel),
1413 P_ISLEAF(topaque) ? "heap" : "index",
1414 LSN_FORMAT_ARGS(state->targetlsn))));
1415 }
1416 }
1417
1418 /*
1419 * Loop over page items, starting from first non-highkey item, not high
1420 * key (if any). Most tests are not performed for the "negative infinity"
1421 * real item (if any).
1422 */
1423 for (offset = P_FIRSTDATAKEY(topaque);
1424 offset <= max;
1425 offset = OffsetNumberNext(offset))
1426 {
1427 ItemId itemid;
1428 IndexTuple itup;
1429 size_t tupsize;
1430 BTScanInsert skey;
1431 bool lowersizelimit;
1432 ItemPointer scantid;
1433
1434 /*
1435 * True if we already called bt_entry_unique_check() for the current
1436 * item. This helps to avoid visiting the heap for keys, which are
1437 * anyway presented only once and can't comprise a unique violation.
1438 */
1439 bool unique_checked = false;
1440
1441 CHECK_FOR_INTERRUPTS();
1442
1443 itemid = PageGetItemIdCareful(state, state->targetblock,
1444 state->target, offset);
1445 itup = (IndexTuple) PageGetItem(state->target, itemid);
1446 tupsize = IndexTupleSize(itup);
1447
1448 /*
1449 * lp_len should match the IndexTuple reported length exactly, since
1450 * lp_len is completely redundant in indexes, and both sources of
1451 * tuple length are MAXALIGN()'d. nbtree does not use lp_len all that
1452 * frequently, and is surprisingly tolerant of corrupt lp_len fields.
1453 */
1454 if (tupsize != ItemIdGetLength(itemid))
1455 ereport(ERROR,
1456 (errcode(ERRCODE_INDEX_CORRUPTED),
1457 errmsg("index tuple size does not equal lp_len in index \"%s\"",
1458 RelationGetRelationName(state->rel)),
1459 errdetail_internal("Index tid=(%u,%u) tuple size=%zu lp_len=%u page lsn=%X/%X.",
1460 state->targetblock, offset,
1461 tupsize, ItemIdGetLength(itemid),
1462 LSN_FORMAT_ARGS(state->targetlsn)),
1463 errhint("This could be a torn page problem.")));
1464
1465 /* Check the number of index tuple attributes */
1466 if (!_bt_check_natts(state->rel, state->heapkeyspace, state->target,
1467 offset))
1468 {
1469 ItemPointer tid;
1470 char *itid,
1471 *htid;
1472
1473 itid = psprintf("(%u,%u)", state->targetblock, offset);
1474 tid = BTreeTupleGetPointsToTID(itup);
1475 htid = psprintf("(%u,%u)",
1476 ItemPointerGetBlockNumberNoCheck(tid),
1477 ItemPointerGetOffsetNumberNoCheck(tid));
1478
1479 ereport(ERROR,
1480 (errcode(ERRCODE_INDEX_CORRUPTED),
1481 errmsg("wrong number of index tuple attributes in index \"%s\"",
1482 RelationGetRelationName(state->rel)),
1483 errdetail_internal("Index tid=%s natts=%u points to %s tid=%s page lsn=%X/%X.",
1484 itid,
1485 BTreeTupleGetNAtts(itup, state->rel),
1486 P_ISLEAF(topaque) ? "heap" : "index",
1487 htid,
1488 LSN_FORMAT_ARGS(state->targetlsn))));
1489 }
1490
1491 /*
1492 * Don't try to generate scankey using "negative infinity" item on
1493 * internal pages. They are always truncated to zero attributes.
1494 */
1495 if (offset_is_negative_infinity(topaque, offset))
1496 {
1497 /*
1498 * We don't call bt_child_check() for "negative infinity" items.
1499 * But if we're performing downlink connectivity check, we do it
1500 * for every item including "negative infinity" one.
1501 */
1502 if (!P_ISLEAF(topaque) && state->readonly)
1503 {
1504 bt_child_highkey_check(state,
1505 offset,
1506 NULL,
1507 topaque->btpo_level);
1508 }
1509 continue;
1510 }
1511
1512 /*
1513 * Readonly callers may optionally verify that non-pivot tuples can
1514 * each be found by an independent search that starts from the root.
1515 * Note that we deliberately don't do individual searches for each
1516 * TID, since the posting list itself is validated by other checks.
1517 */
1518 if (state->rootdescend && P_ISLEAF(topaque) &&
1519 !bt_rootdescend(state, itup))
1520 {
1521 ItemPointer tid = BTreeTupleGetPointsToTID(itup);
1522 char *itid,
1523 *htid;
1524
1525 itid = psprintf("(%u,%u)", state->targetblock, offset);
1526 htid = psprintf("(%u,%u)", ItemPointerGetBlockNumber(tid),
1527 ItemPointerGetOffsetNumber(tid));
1528
1529 ereport(ERROR,
1530 (errcode(ERRCODE_INDEX_CORRUPTED),
1531 errmsg("could not find tuple using search from root page in index \"%s\"",
1532 RelationGetRelationName(state->rel)),
1533 errdetail_internal("Index tid=%s points to heap tid=%s page lsn=%X/%X.",
1534 itid, htid,
1535 LSN_FORMAT_ARGS(state->targetlsn))));
1536 }
1537
1538 /*
1539 * If tuple is a posting list tuple, make sure posting list TIDs are
1540 * in order
1541 */
1542 if (BTreeTupleIsPosting(itup))
1543 {
1544 ItemPointerData last;
1545 ItemPointer current;
1546
1547 ItemPointerCopy(BTreeTupleGetHeapTID(itup), &last);
1548
1549 for (int i = 1; i < BTreeTupleGetNPosting(itup); i++)
1550 {
1551
1552 current = BTreeTupleGetPostingN(itup, i);
1553
1554 if (ItemPointerCompare(current, &last) <= 0)
1555 {
1556 char *itid = psprintf("(%u,%u)", state->targetblock, offset);
1557
1558 ereport(ERROR,
1559 (errcode(ERRCODE_INDEX_CORRUPTED),
1560 errmsg_internal("posting list contains misplaced TID in index \"%s\"",
1561 RelationGetRelationName(state->rel)),
1562 errdetail_internal("Index tid=%s posting list offset=%d page lsn=%X/%X.",
1563 itid, i,
1564 LSN_FORMAT_ARGS(state->targetlsn))));
1565 }
1566
1567 ItemPointerCopy(current, &last);
1568 }
1569 }
1570
1571 /* Build insertion scankey for current page offset */
1572 skey = bt_mkscankey_pivotsearch(state->rel, itup);
1573
1574 /*
1575 * Make sure tuple size does not exceed the relevant BTREE_VERSION
1576 * specific limit.
1577 *
1578 * BTREE_VERSION 4 (which introduced heapkeyspace rules) requisitioned
1579 * a small amount of space from BTMaxItemSize() in order to ensure
1580 * that suffix truncation always has enough space to add an explicit
1581 * heap TID back to a tuple -- we pessimistically assume that every
1582 * newly inserted tuple will eventually need to have a heap TID
1583 * appended during a future leaf page split, when the tuple becomes
1584 * the basis of the new high key (pivot tuple) for the leaf page.
1585 *
1586 * Since the reclaimed space is reserved for that purpose, we must not
1587 * enforce the slightly lower limit when the extra space has been used
1588 * as intended. In other words, there is only a cross-version
1589 * difference in the limit on tuple size within leaf pages.
1590 *
1591 * Still, we're particular about the details within BTREE_VERSION 4
1592 * internal pages. Pivot tuples may only use the extra space for its
1593 * designated purpose. Enforce the lower limit for pivot tuples when
1594 * an explicit heap TID isn't actually present. (In all other cases
1595 * suffix truncation is guaranteed to generate a pivot tuple that's no
1596 * larger than the firstright tuple provided to it by its caller.)
1597 */
1598 lowersizelimit = skey->heapkeyspace &&
1599 (P_ISLEAF(topaque) || BTreeTupleGetHeapTID(itup) == NULL);
1600 if (tupsize > (lowersizelimit ? BTMaxItemSize : BTMaxItemSizeNoHeapTid))
1601 {
1602 ItemPointer tid = BTreeTupleGetPointsToTID(itup);
1603 char *itid,
1604 *htid;
1605
1606 itid = psprintf("(%u,%u)", state->targetblock, offset);
1607 htid = psprintf("(%u,%u)",
1608 ItemPointerGetBlockNumberNoCheck(tid),
1609 ItemPointerGetOffsetNumberNoCheck(tid));
1610
1611 ereport(ERROR,
1612 (errcode(ERRCODE_INDEX_CORRUPTED),
1613 errmsg("index row size %zu exceeds maximum for index \"%s\"",
1614 tupsize, RelationGetRelationName(state->rel)),
1615 errdetail_internal("Index tid=%s points to %s tid=%s page lsn=%X/%X.",
1616 itid,
1617 P_ISLEAF(topaque) ? "heap" : "index",
1618 htid,
1619 LSN_FORMAT_ARGS(state->targetlsn))));
1620 }
1621
1622 /* Fingerprint leaf page tuples (those that point to the heap) */
1623 if (state->heapallindexed && P_ISLEAF(topaque) && !ItemIdIsDead(itemid))
1624 {
1625 IndexTuple norm;
1626
1627 if (BTreeTupleIsPosting(itup))
1628 {
1629 /* Fingerprint all elements as distinct "plain" tuples */
1630 for (int i = 0; i < BTreeTupleGetNPosting(itup); i++)
1631 {
1632 IndexTuple logtuple;
1633
1634 logtuple = bt_posting_plain_tuple(itup, i);
1635 norm = bt_normalize_tuple(state, logtuple);
1636 bloom_add_element(state->filter, (unsigned char *) norm,
1637 IndexTupleSize(norm));
1638 /* Be tidy */
1639 if (norm != logtuple)
1640 pfree(norm);
1641 pfree(logtuple);
1642 }
1643 }
1644 else
1645 {
1646 norm = bt_normalize_tuple(state, itup);
1647 bloom_add_element(state->filter, (unsigned char *) norm,
1648 IndexTupleSize(norm));
1649 /* Be tidy */
1650 if (norm != itup)
1651 pfree(norm);
1652 }
1653 }
1654
1655 /*
1656 * * High key check *
1657 *
1658 * If there is a high key (if this is not the rightmost page on its
1659 * entire level), check that high key actually is upper bound on all
1660 * page items. If this is a posting list tuple, we'll need to set
1661 * scantid to be highest TID in posting list.
1662 *
1663 * We prefer to check all items against high key rather than checking
1664 * just the last and trusting that the operator class obeys the
1665 * transitive law (which implies that all previous items also
1666 * respected the high key invariant if they pass the item order
1667 * check).
1668 *
1669 * Ideally, we'd compare every item in the index against every other
1670 * item in the index, and not trust opclass obedience of the
1671 * transitive law to bridge the gap between children and their
1672 * grandparents (as well as great-grandparents, and so on). We don't
1673 * go to those lengths because that would be prohibitively expensive,
1674 * and probably not markedly more effective in practice.
1675 *
1676 * On the leaf level, we check that the key is <= the highkey.
1677 * However, on non-leaf levels we check that the key is < the highkey,
1678 * because the high key is "just another separator" rather than a copy
1679 * of some existing key item; we expect it to be unique among all keys
1680 * on the same level. (Suffix truncation will sometimes produce a
1681 * leaf highkey that is an untruncated copy of the lastleft item, but
1682 * never any other item, which necessitates weakening the leaf level
1683 * check to <=.)
1684 *
1685 * Full explanation for why a highkey is never truly a copy of another
1686 * item from the same level on internal levels:
1687 *
1688 * While the new left page's high key is copied from the first offset
1689 * on the right page during an internal page split, that's not the
1690 * full story. In effect, internal pages are split in the middle of
1691 * the firstright tuple, not between the would-be lastleft and
1692 * firstright tuples: the firstright key ends up on the left side as
1693 * left's new highkey, and the firstright downlink ends up on the
1694 * right side as right's new "negative infinity" item. The negative
1695 * infinity tuple is truncated to zero attributes, so we're only left
1696 * with the downlink. In other words, the copying is just an
1697 * implementation detail of splitting in the middle of a (pivot)
1698 * tuple. (See also: "Notes About Data Representation" in the nbtree
1699 * README.)
1700 */
1701 scantid = skey->scantid;
1702 if (state->heapkeyspace && BTreeTupleIsPosting(itup))
1703 skey->scantid = BTreeTupleGetMaxHeapTID(itup);
1704
1705 if (!P_RIGHTMOST(topaque) &&
1706 !(P_ISLEAF(topaque) ? invariant_leq_offset(state, skey, P_HIKEY) :
1707 invariant_l_offset(state, skey, P_HIKEY)))
1708 {
1709 ItemPointer tid = BTreeTupleGetPointsToTID(itup);
1710 char *itid,
1711 *htid;
1712
1713 itid = psprintf("(%u,%u)", state->targetblock, offset);
1714 htid = psprintf("(%u,%u)",
1715 ItemPointerGetBlockNumberNoCheck(tid),
1716 ItemPointerGetOffsetNumberNoCheck(tid));
1717
1718 ereport(ERROR,
1719 (errcode(ERRCODE_INDEX_CORRUPTED),
1720 errmsg("high key invariant violated for index \"%s\"",
1721 RelationGetRelationName(state->rel)),
1722 errdetail_internal("Index tid=%s points to %s tid=%s page lsn=%X/%X.",
1723 itid,
1724 P_ISLEAF(topaque) ? "heap" : "index",
1725 htid,
1726 LSN_FORMAT_ARGS(state->targetlsn))));
1727 }
1728 /* Reset, in case scantid was set to (itup) posting tuple's max TID */
1729 skey->scantid = scantid;
1730
1731 /*
1732 * * Item order check *
1733 *
1734 * Check that items are stored on page in logical order, by checking
1735 * current item is strictly less than next item (if any).
1736 */
1737 if (OffsetNumberNext(offset) <= max &&
1738 !invariant_l_offset(state, skey, OffsetNumberNext(offset)))
1739 {
1740 ItemPointer tid;
1741 char *itid,
1742 *htid,
1743 *nitid,
1744 *nhtid;
1745
1746 itid = psprintf("(%u,%u)", state->targetblock, offset);
1747 tid = BTreeTupleGetPointsToTID(itup);
1748 htid = psprintf("(%u,%u)",
1749 ItemPointerGetBlockNumberNoCheck(tid),
1750 ItemPointerGetOffsetNumberNoCheck(tid));
1751 nitid = psprintf("(%u,%u)", state->targetblock,
1752 OffsetNumberNext(offset));
1753
1754 /* Reuse itup to get pointed-to heap location of second item */
1755 itemid = PageGetItemIdCareful(state, state->targetblock,
1756 state->target,
1757 OffsetNumberNext(offset));
1758 itup = (IndexTuple) PageGetItem(state->target, itemid);
1759 tid = BTreeTupleGetPointsToTID(itup);
1760 nhtid = psprintf("(%u,%u)",
1761 ItemPointerGetBlockNumberNoCheck(tid),
1762 ItemPointerGetOffsetNumberNoCheck(tid));
1763
1764 ereport(ERROR,
1765 (errcode(ERRCODE_INDEX_CORRUPTED),
1766 errmsg("item order invariant violated for index \"%s\"",
1767 RelationGetRelationName(state->rel)),
1768 errdetail_internal("Lower index tid=%s (points to %s tid=%s) "
1769 "higher index tid=%s (points to %s tid=%s) "
1770 "page lsn=%X/%X.",
1771 itid,
1772 P_ISLEAF(topaque) ? "heap" : "index",
1773 htid,
1774 nitid,
1775 P_ISLEAF(topaque) ? "heap" : "index",
1776 nhtid,
1777 LSN_FORMAT_ARGS(state->targetlsn))));
1778 }
1779
1780 /*
1781 * If the index is unique verify entries uniqueness by checking the
1782 * heap tuples visibility. Immediately check posting tuples and
1783 * tuples with repeated keys. Postpone check for keys, which have the
1784 * first appearance.
1785 */
1786 if (state->checkunique && state->indexinfo->ii_Unique &&
1787 P_ISLEAF(topaque) && !skey->anynullkeys &&
1788 (BTreeTupleIsPosting(itup) || ItemPointerIsValid(lVis.tid)))
1789 {
1790 bt_entry_unique_check(state, itup, state->targetblock, offset,
1791 &lVis);
1792 unique_checked = true;
1793 }
1794
1795 if (state->checkunique && state->indexinfo->ii_Unique &&
1796 P_ISLEAF(topaque) && OffsetNumberNext(offset) <= max)
1797 {
1798 /* Save current scankey tid */
1799 scantid = skey->scantid;
1800
1801 /*
1802 * Invalidate scankey tid to make _bt_compare compare only keys in
1803 * the item to report equality even if heap TIDs are different
1804 */
1805 skey->scantid = NULL;
1806
1807 /*
1808 * If next key tuple is different, invalidate last visible entry
1809 * data (whole index tuple or last posting in index tuple). Key
1810 * containing null value does not violate unique constraint and
1811 * treated as different to any other key.
1812 *
1813 * If the next key is the same as the previous one, do the
1814 * bt_entry_unique_check() call if it was postponed.
1815 */
1816 if (_bt_compare(state->rel, skey, state->target,
1817 OffsetNumberNext(offset)) != 0 || skey->anynullkeys)
1818 {
1819 lVis.blkno = InvalidBlockNumber;
1820 lVis.offset = InvalidOffsetNumber;
1821 lVis.postingIndex = -1;
1822 lVis.tid = NULL;
1823 }
1824 else if (!unique_checked)
1825 {
1826 bt_entry_unique_check(state, itup, state->targetblock, offset,
1827 &lVis);
1828 }
1829 skey->scantid = scantid; /* Restore saved scan key state */
1830 }
1831
1832 /*
1833 * * Last item check *
1834 *
1835 * Check last item against next/right page's first data item's when
1836 * last item on page is reached. This additional check will detect
1837 * transposed pages iff the supposed right sibling page happens to
1838 * belong before target in the key space. (Otherwise, a subsequent
1839 * heap verification will probably detect the problem.)
1840 *
1841 * This check is similar to the item order check that will have
1842 * already been performed for every other "real" item on target page
1843 * when last item is checked. The difference is that the next item
1844 * (the item that is compared to target's last item) needs to come
1845 * from the next/sibling page. There may not be such an item
1846 * available from sibling for various reasons, though (e.g., target is
1847 * the rightmost page on level).
1848 */
1849 if (offset == max)
1850 {
1851 BTScanInsert rightkey;
1852
1853 /* first offset on a right index page (log only) */
1854 OffsetNumber rightfirstoffset = InvalidOffsetNumber;
1855
1856 /* Get item in next/right page */
1857 rightkey = bt_right_page_check_scankey(state, &rightfirstoffset);
1858
1859 if (rightkey &&
1860 !invariant_g_offset(state, rightkey, max))
1861 {
1862 /*
1863 * As explained at length in bt_right_page_check_scankey(),
1864 * there is a known !readonly race that could account for
1865 * apparent violation of invariant, which we must check for
1866 * before actually proceeding with raising error. Our canary
1867 * condition is that target page was deleted.
1868 */
1869 if (!state->readonly)
1870 {
1871 /* Get fresh copy of target page */
1872 state->target = palloc_btree_page(state, state->targetblock);
1873 /* Note that we deliberately do not update target LSN */
1874 topaque = BTPageGetOpaque(state->target);
1875
1876 /*
1877 * All !readonly checks now performed; just return
1878 */
1879 if (P_IGNORE(topaque))
1880 return;
1881 }
1882
1883 ereport(ERROR,
1884 (errcode(ERRCODE_INDEX_CORRUPTED),
1885 errmsg("cross page item order invariant violated for index \"%s\"",
1886 RelationGetRelationName(state->rel)),
1887 errdetail_internal("Last item on page tid=(%u,%u) page lsn=%X/%X.",
1888 state->targetblock, offset,
1889 LSN_FORMAT_ARGS(state->targetlsn))));
1890 }
1891
1892 /*
1893 * If index has unique constraint make sure that no more than one
1894 * found equal items is visible.
1895 */
1896 if (state->checkunique && state->indexinfo->ii_Unique &&
1897 rightkey && P_ISLEAF(topaque) && !P_RIGHTMOST(topaque))
1898 {
1899 BlockNumber rightblock_number = topaque->btpo_next;
1900
1901 elog(DEBUG2, "check cross page unique condition");
1902
1903 /*
1904 * Make _bt_compare compare only index keys without heap TIDs.
1905 * rightkey->scantid is modified destructively but it is ok
1906 * for it is not used later.
1907 */
1908 rightkey->scantid = NULL;
1909
1910 /* The first key on the next page is the same */
1911 if (_bt_compare(state->rel, rightkey, state->target, max) == 0 &&
1912 !rightkey->anynullkeys)
1913 {
1914 Page rightpage;
1915
1916 /*
1917 * Do the bt_entry_unique_check() call if it was
1918 * postponed.
1919 */
1920 if (!unique_checked)
1921 bt_entry_unique_check(state, itup, state->targetblock,
1922 offset, &lVis);
1923
1924 elog(DEBUG2, "cross page equal keys");
1925 rightpage = palloc_btree_page(state,
1926 rightblock_number);
1927 topaque = BTPageGetOpaque(rightpage);
1928
1929 if (P_IGNORE(topaque))
1930 {
1931 pfree(rightpage);
1932 break;
1933 }
1934
1935 if (unlikely(!P_ISLEAF(topaque)))
1936 ereport(ERROR,
1937 (errcode(ERRCODE_INDEX_CORRUPTED),
1938 errmsg("right block of leaf block is non-leaf for index \"%s\"",
1939 RelationGetRelationName(state->rel)),
1940 errdetail_internal("Block=%u page lsn=%X/%X.",
1941 state->targetblock,
1942 LSN_FORMAT_ARGS(state->targetlsn))));
1943
1944 itemid = PageGetItemIdCareful(state, rightblock_number,
1945 rightpage,
1946 rightfirstoffset);
1947 itup = (IndexTuple) PageGetItem(rightpage, itemid);
1948
1949 bt_entry_unique_check(state, itup, rightblock_number, rightfirstoffset, &lVis);
1950
1951 pfree(rightpage);
1952 }
1953 }
1954 }
1955
1956 /*
1957 * * Downlink check *
1958 *
1959 * Additional check of child items iff this is an internal page and
1960 * caller holds a ShareLock. This happens for every downlink (item)
1961 * in target excluding the negative-infinity downlink (again, this is
1962 * because it has no useful value to compare).
1963 */
1964 if (!P_ISLEAF(topaque) && state->readonly)
1965 bt_child_check(state, skey, offset);
1966 }
1967
1968 /*
1969 * Special case bt_child_highkey_check() call
1970 *
1971 * We don't pass a real downlink, but we've to finish the level
1972 * processing. If condition is satisfied, we've already processed all the
1973 * downlinks from the target level. But there still might be pages to the
1974 * right of the child page pointer to by our rightmost downlink. And they
1975 * might have missing downlinks. This final call checks for them.
1976 */
1977 if (!P_ISLEAF(topaque) && P_RIGHTMOST(topaque) && state->readonly)
1978 {
1979 bt_child_highkey_check(state, InvalidOffsetNumber,
1980 NULL, topaque->btpo_level);
1981 }
1982}
1983
1984/*
1985 * Return a scankey for an item on page to right of current target (or the
1986 * first non-ignorable page), sufficient to check ordering invariant on last
1987 * item in current target page. Returned scankey relies on local memory
1988 * allocated for the child page, which caller cannot pfree(). Caller's memory
1989 * context should be reset between calls here.
1990 *
1991 * This is the first data item, and so all adjacent items are checked against
1992 * their immediate sibling item (which may be on a sibling page, or even a
1993 * "cousin" page at parent boundaries where target's rightlink points to page
1994 * with different parent page). If no such valid item is available, return
1995 * NULL instead.
1996 *
1997 * Note that !readonly callers must reverify that target page has not
1998 * been concurrently deleted.
1999 *
2000 * Save rightfirstoffset for detailed error message.
2001 */
2002static BTScanInsert
2003bt_right_page_check_scankey(BtreeCheckState *state, OffsetNumber *rightfirstoffset)
2004{
2005 BTPageOpaque opaque;
2006 ItemId rightitem;
2007 IndexTuple firstitup;
2008 BlockNumber targetnext;
2009 Page rightpage;
2010 OffsetNumber nline;
2011
2012 /* Determine target's next block number */
2013 opaque = BTPageGetOpaque(state->target);
2014
2015 /* If target is already rightmost, no right sibling; nothing to do here */
2016 if (P_RIGHTMOST(opaque))
2017 return NULL;
2018
2019 /*
2020 * General notes on concurrent page splits and page deletion:
2021 *
2022 * Routines like _bt_search() don't require *any* page split interlock
2023 * when descending the tree, including something very light like a buffer
2024 * pin. That's why it's okay that we don't either. This avoidance of any
2025 * need to "couple" buffer locks is the raison d' etre of the Lehman & Yao
2026 * algorithm, in fact.
2027 *
2028 * That leaves deletion. A deleted page won't actually be recycled by
2029 * VACUUM early enough for us to fail to at least follow its right link
2030 * (or left link, or downlink) and find its sibling, because recycling
2031 * does not occur until no possible index scan could land on the page.
2032 * Index scans can follow links with nothing more than their snapshot as
2033 * an interlock and be sure of at least that much. (See page
2034 * recycling/"visible to everyone" notes in nbtree README.)
2035 *
2036 * Furthermore, it's okay if we follow a rightlink and find a half-dead or
2037 * dead (ignorable) page one or more times. There will either be a
2038 * further right link to follow that leads to a live page before too long
2039 * (before passing by parent's rightmost child), or we will find the end
2040 * of the entire level instead (possible when parent page is itself the
2041 * rightmost on its level).
2042 */
2043 targetnext = opaque->btpo_next;
2044 for (;;)
2045 {
2046 CHECK_FOR_INTERRUPTS();
2047
2048 rightpage = palloc_btree_page(state, targetnext);
2049 opaque = BTPageGetOpaque(rightpage);
2050
2051 if (!P_IGNORE(opaque) || P_RIGHTMOST(opaque))
2052 break;
2053
2054 /*
2055 * We landed on a deleted or half-dead sibling page. Step right until
2056 * we locate a live sibling page.
2057 */
2058 ereport(DEBUG2,
2059 (errcode(ERRCODE_NO_DATA),
2060 errmsg_internal("level %u sibling page in block %u of index \"%s\" was found deleted or half dead",
2061 opaque->btpo_level, targetnext, RelationGetRelationName(state->rel)),
2062 errdetail_internal("Deleted page found when building scankey from right sibling.")));
2063
2064 targetnext = opaque->btpo_next;
2065
2066 /* Be slightly more pro-active in freeing this memory, just in case */
2067 pfree(rightpage);
2068 }
2069
2070 /*
2071 * No ShareLock held case -- why it's safe to proceed.
2072 *
2073 * Problem:
2074 *
2075 * We must avoid false positive reports of corruption when caller treats
2076 * item returned here as an upper bound on target's last item. In
2077 * general, false positives are disallowed. Avoiding them here when
2078 * caller is !readonly is subtle.
2079 *
2080 * A concurrent page deletion by VACUUM of the target page can result in
2081 * the insertion of items on to this right sibling page that would
2082 * previously have been inserted on our target page. There might have
2083 * been insertions that followed the target's downlink after it was made
2084 * to point to right sibling instead of target by page deletion's first
2085 * phase. The inserters insert items that would belong on target page.
2086 * This race is very tight, but it's possible. This is our only problem.
2087 *
2088 * Non-problems:
2089 *
2090 * We are not hindered by a concurrent page split of the target; we'll
2091 * never land on the second half of the page anyway. A concurrent split
2092 * of the right page will also not matter, because the first data item
2093 * remains the same within the left half, which we'll reliably land on. If
2094 * we had to skip over ignorable/deleted pages, it cannot matter because
2095 * their key space has already been atomically merged with the first
2096 * non-ignorable page we eventually find (doesn't matter whether the page
2097 * we eventually find is a true sibling or a cousin of target, which we go
2098 * into below).
2099 *
2100 * Solution:
2101 *
2102 * Caller knows that it should reverify that target is not ignorable
2103 * (half-dead or deleted) when cross-page sibling item comparison appears
2104 * to indicate corruption (invariant fails). This detects the single race
2105 * condition that exists for caller. This is correct because the
2106 * continued existence of target block as non-ignorable (not half-dead or
2107 * deleted) implies that target page was not merged into from the right by
2108 * deletion; the key space at or after target never moved left. Target's
2109 * parent either has the same downlink to target as before, or a <
2110 * downlink due to deletion at the left of target. Target either has the
2111 * same highkey as before, or a highkey < before when there is a page
2112 * split. (The rightmost concurrently-split-from-target-page page will
2113 * still have the same highkey as target was originally found to have,
2114 * which for our purposes is equivalent to target's highkey itself never
2115 * changing, since we reliably skip over
2116 * concurrently-split-from-target-page pages.)
2117 *
2118 * In simpler terms, we allow that the key space of the target may expand
2119 * left (the key space can move left on the left side of target only), but
2120 * the target key space cannot expand right and get ahead of us without
2121 * our detecting it. The key space of the target cannot shrink, unless it
2122 * shrinks to zero due to the deletion of the original page, our canary
2123 * condition. (To be very precise, we're a bit stricter than that because
2124 * it might just have been that the target page split and only the
2125 * original target page was deleted. We can be more strict, just not more
2126 * lax.)
2127 *
2128 * Top level tree walk caller moves on to next page (makes it the new
2129 * target) following recovery from this race. (cf. The rationale for
2130 * child/downlink verification needing a ShareLock within
2131 * bt_child_check(), where page deletion is also the main source of
2132 * trouble.)
2133 *
2134 * Note that it doesn't matter if right sibling page here is actually a
2135 * cousin page, because in order for the key space to be readjusted in a
2136 * way that causes us issues in next level up (guiding problematic
2137 * concurrent insertions to the cousin from the grandparent rather than to
2138 * the sibling from the parent), there'd have to be page deletion of
2139 * target's parent page (affecting target's parent's downlink in target's
2140 * grandparent page). Internal page deletion only occurs when there are
2141 * no child pages (they were all fully deleted), and caller is checking
2142 * that the target's parent has at least one non-deleted (so
2143 * non-ignorable) child: the target page. (Note that the first phase of
2144 * deletion atomically marks the page to be deleted half-dead/ignorable at
2145 * the same time downlink in its parent is removed, so caller will
2146 * definitely not fail to detect that this happened.)
2147 *
2148 * This trick is inspired by the method backward scans use for dealing
2149 * with concurrent page splits; concurrent page deletion is a problem that
2150 * similarly receives special consideration sometimes (it's possible that
2151 * the backwards scan will re-read its "original" block after failing to
2152 * find a right-link to it, having already moved in the opposite direction
2153 * (right/"forwards") a few times to try to locate one). Just like us,
2154 * that happens only to determine if there was a concurrent page deletion
2155 * of a reference page, and just like us if there was a page deletion of
2156 * that reference page it means we can move on from caring about the
2157 * reference page. See the nbtree README for a full description of how
2158 * that works.
2159 */
2160 nline = PageGetMaxOffsetNumber(rightpage);
2161
2162 /*
2163 * Get first data item, if any
2164 */
2165 if (P_ISLEAF(opaque) && nline >= P_FIRSTDATAKEY(opaque))
2166 {
2167 /* Return first data item (if any) */
2168 rightitem = PageGetItemIdCareful(state, targetnext, rightpage,
2169 P_FIRSTDATAKEY(opaque));
2170 *rightfirstoffset = P_FIRSTDATAKEY(opaque);
2171 }
2172 else if (!P_ISLEAF(opaque) &&
2173 nline >= OffsetNumberNext(P_FIRSTDATAKEY(opaque)))
2174 {
2175 /*
2176 * Return first item after the internal page's "negative infinity"
2177 * item
2178 */
2179 rightitem = PageGetItemIdCareful(state, targetnext, rightpage,
2180 OffsetNumberNext(P_FIRSTDATAKEY(opaque)));
2181 }
2182 else
2183 {
2184 /*
2185 * No first item. Page is probably empty leaf page, but it's also
2186 * possible that it's an internal page with only a negative infinity
2187 * item.
2188 */
2189 ereport(DEBUG2,
2190 (errcode(ERRCODE_NO_DATA),
2191 errmsg_internal("%s block %u of index \"%s\" has no first data item",
2192 P_ISLEAF(opaque) ? "leaf" : "internal", targetnext,
2193 RelationGetRelationName(state->rel))));
2194 return NULL;
2195 }
2196
2197 /*
2198 * Return first real item scankey. Note that this relies on right page
2199 * memory remaining allocated.
2200 */
2201 firstitup = (IndexTuple) PageGetItem(rightpage, rightitem);
2202 return bt_mkscankey_pivotsearch(state->rel, firstitup);
2203}
2204
2205/*
2206 * Check if two tuples are binary identical except the block number. So,
2207 * this function is capable to compare pivot keys on different levels.
2208 */
2209static bool
2210bt_pivot_tuple_identical(bool heapkeyspace, IndexTuple itup1, IndexTuple itup2)
2211{
2212 if (IndexTupleSize(itup1) != IndexTupleSize(itup2))
2213 return false;
2214
2215 if (heapkeyspace)
2216 {
2217 /*
2218 * Offset number will contain important information in heapkeyspace
2219 * indexes: the number of attributes left in the pivot tuple following
2220 * suffix truncation. Don't skip over it (compare it too).
2221 */
2222 if (memcmp(&itup1->t_tid.ip_posid, &itup2->t_tid.ip_posid,
2223 IndexTupleSize(itup1) -
2224 offsetof(ItemPointerData, ip_posid)) != 0)
2225 return false;
2226 }
2227 else
2228 {
2229 /*
2230 * Cannot rely on offset number field having consistent value across
2231 * levels on pg_upgrade'd !heapkeyspace indexes. Compare contents of
2232 * tuple starting from just after item pointer (i.e. after block
2233 * number and offset number).
2234 */
2235 if (memcmp(&itup1->t_info, &itup2->t_info,
2236 IndexTupleSize(itup1) -
2237 offsetof(IndexTupleData, t_info)) != 0)
2238 return false;
2239 }
2240
2241 return true;
2242}
2243
2244/*---
2245 * Check high keys on the child level. Traverse rightlinks from previous
2246 * downlink to the current one. Check that there are no intermediate pages
2247 * with missing downlinks.
2248 *
2249 * If 'loaded_child' is given, it's assumed to be the page pointed to by the
2250 * downlink referenced by 'downlinkoffnum' of the target page.
2251 *
2252 * Basically this function is called for each target downlink and checks two
2253 * invariants:
2254 *
2255 * 1) You can reach the next child from previous one via rightlinks;
2256 * 2) Each child high key have matching pivot key on target level.
2257 *
2258 * Consider the sample tree picture.
2259 *
2260 * 1
2261 * / \
2262 * 2 <-> 3
2263 * / \ / \
2264 * 4 <> 5 <> 6 <> 7 <> 8
2265 *
2266 * This function will be called for blocks 4, 5, 6 and 8. Consider what is
2267 * happening for each function call.
2268 *
2269 * - The function call for block 4 initializes data structure and matches high
2270 * key of block 4 to downlink's pivot key of block 2.
2271 * - The high key of block 5 is matched to the high key of block 2.
2272 * - The block 6 has an incomplete split flag set, so its high key isn't
2273 * matched to anything.
2274 * - The function call for block 8 checks that block 8 can be found while
2275 * following rightlinks from block 6. The high key of block 7 will be
2276 * matched to downlink's pivot key in block 3.
2277 *
2278 * There is also final call of this function, which checks that there is no
2279 * missing downlinks for children to the right of the child referenced by
2280 * rightmost downlink in target level.
2281 */
2282static void
2283bt_child_highkey_check(BtreeCheckState *state,
2284 OffsetNumber target_downlinkoffnum,
2285 Page loaded_child,
2286 uint32 target_level)
2287{
2288 BlockNumber blkno = state->prevrightlink;
2289 Page page;
2290 BTPageOpaque opaque;
2291 bool rightsplit = state->previncompletesplit;
2292 bool first = true;
2293 ItemId itemid;
2294 IndexTuple itup;
2295 BlockNumber downlink;
2296
2297 if (OffsetNumberIsValid(target_downlinkoffnum))
2298 {
2299 itemid = PageGetItemIdCareful(state, state->targetblock,
2300 state->target, target_downlinkoffnum);
2301 itup = (IndexTuple) PageGetItem(state->target, itemid);
2302 downlink = BTreeTupleGetDownLink(itup);
2303 }
2304 else
2305 {
2306 downlink = P_NONE;
2307 }
2308
2309 /*
2310 * If no previous rightlink is memorized for current level just below
2311 * target page's level, we are about to start from the leftmost page. We
2312 * can't follow rightlinks from previous page, because there is no
2313 * previous page. But we still can match high key.
2314 *
2315 * So we initialize variables for the loop above like there is previous
2316 * page referencing current child. Also we imply previous page to not
2317 * have incomplete split flag, that would make us require downlink for
2318 * current child. That's correct, because leftmost page on the level
2319 * should always have parent downlink.
2320 */
2321 if (!BlockNumberIsValid(blkno))
2322 {
2323 blkno = downlink;
2324 rightsplit = false;
2325 }
2326
2327 /* Move to the right on the child level */
2328 while (true)
2329 {
2330 /*
2331 * Did we traverse the whole tree level and this is check for pages to
2332 * the right of rightmost downlink?
2333 */
2334 if (blkno == P_NONE && downlink == P_NONE)
2335 {
2336 state->prevrightlink = InvalidBlockNumber;
2337 state->previncompletesplit = false;
2338 return;
2339 }
2340
2341 /* Did we traverse the whole tree level and don't find next downlink? */
2342 if (blkno == P_NONE)
2343 ereport(ERROR,
2344 (errcode(ERRCODE_INDEX_CORRUPTED),
2345 errmsg("can't traverse from downlink %u to downlink %u of index \"%s\"",
2346 state->prevrightlink, downlink,
2347 RelationGetRelationName(state->rel))));
2348
2349 /* Load page contents */
2350 if (blkno == downlink && loaded_child)
2351 page = loaded_child;
2352 else
2353 page = palloc_btree_page(state, blkno);
2354
2355 opaque = BTPageGetOpaque(page);
2356
2357 /* The first page we visit at the level should be leftmost */
2358 if (first && !BlockNumberIsValid(state->prevrightlink) &&
2359 !bt_leftmost_ignoring_half_dead(state, blkno, opaque))
2360 ereport(ERROR,
2361 (errcode(ERRCODE_INDEX_CORRUPTED),
2362 errmsg("the first child of leftmost target page is not leftmost of its level in index \"%s\"",
2363 RelationGetRelationName(state->rel)),
2364 errdetail_internal("Target block=%u child block=%u target page lsn=%X/%X.",
2365 state->targetblock, blkno,
2366 LSN_FORMAT_ARGS(state->targetlsn))));
2367
2368 /* Do level sanity check */
2369 if ((!P_ISDELETED(opaque) || P_HAS_FULLXID(opaque)) &&
2370 opaque->btpo_level != target_level - 1)
2371 ereport(ERROR,
2372 (errcode(ERRCODE_INDEX_CORRUPTED),
2373 errmsg("block found while following rightlinks from child of index \"%s\" has invalid level",
2374 RelationGetRelationName(state->rel)),
2375 errdetail_internal("Block pointed to=%u expected level=%u level in pointed to block=%u.",
2376 blkno, target_level - 1, opaque->btpo_level)));
2377
2378 /* Try to detect circular links */
2379 if ((!first && blkno == state->prevrightlink) || blkno == opaque->btpo_prev)
2380 ereport(ERROR,
2381 (errcode(ERRCODE_INDEX_CORRUPTED),
2382 errmsg("circular link chain found in block %u of index \"%s\"",
2383 blkno, RelationGetRelationName(state->rel))));
2384
2385 if (blkno != downlink && !P_IGNORE(opaque))
2386 {
2387 /* blkno probably has missing parent downlink */
2388 bt_downlink_missing_check(state, rightsplit, blkno, page);
2389 }
2390
2391 rightsplit = P_INCOMPLETE_SPLIT(opaque);
2392
2393 /*
2394 * If we visit page with high key, check that it is equal to the
2395 * target key next to corresponding downlink.
2396 */
2397 if (!rightsplit && !P_RIGHTMOST(opaque))
2398 {
2399 BTPageOpaque topaque;
2400 IndexTuple highkey;
2401 OffsetNumber pivotkey_offset;
2402
2403 /* Get high key */
2404 itemid = PageGetItemIdCareful(state, blkno, page, P_HIKEY);
2405 highkey = (IndexTuple) PageGetItem(page, itemid);
2406
2407 /*
2408 * There might be two situations when we examine high key. If
2409 * current child page is referenced by given target downlink, we
2410 * should look to the next offset number for matching key from
2411 * target page.
2412 *
2413 * Alternatively, we're following rightlinks somewhere in the
2414 * middle between page referenced by previous target's downlink
2415 * and the page referenced by current target's downlink. If
2416 * current child page hasn't incomplete split flag set, then its
2417 * high key should match to the target's key of current offset
2418 * number. This happens when a previous call here (to
2419 * bt_child_highkey_check()) found an incomplete split, and we
2420 * reach a right sibling page without a downlink -- the right
2421 * sibling page's high key still needs to be matched to a
2422 * separator key on the parent/target level.
2423 *
2424 * Don't apply OffsetNumberNext() to target_downlinkoffnum when we
2425 * already had to step right on the child level. Our traversal of
2426 * the child level must try to move in perfect lockstep behind (to
2427 * the left of) the target/parent level traversal.
2428 */
2429 if (blkno == downlink)
2430 pivotkey_offset = OffsetNumberNext(target_downlinkoffnum);
2431 else
2432 pivotkey_offset = target_downlinkoffnum;
2433
2434 topaque = BTPageGetOpaque(state->target);
2435
2436 if (!offset_is_negative_infinity(topaque, pivotkey_offset))
2437 {
2438 /*
2439 * If we're looking for the next pivot tuple in target page,
2440 * but there is no more pivot tuples, then we should match to
2441 * high key instead.
2442 */
2443 if (pivotkey_offset > PageGetMaxOffsetNumber(state->target))
2444 {
2445 if (P_RIGHTMOST(topaque))
2446 ereport(ERROR,
2447 (errcode(ERRCODE_INDEX_CORRUPTED),
2448 errmsg("child high key is greater than rightmost pivot key on target level in index \"%s\"",
2449 RelationGetRelationName(state->rel)),
2450 errdetail_internal("Target block=%u child block=%u target page lsn=%X/%X.",
2451 state->targetblock, blkno,
2452 LSN_FORMAT_ARGS(state->targetlsn))));
2453 pivotkey_offset = P_HIKEY;
2454 }
2455 itemid = PageGetItemIdCareful(state, state->targetblock,
2456 state->target, pivotkey_offset);
2457 itup = (IndexTuple) PageGetItem(state->target, itemid);
2458 }
2459 else
2460 {
2461 /*
2462 * We cannot try to match child's high key to a negative
2463 * infinity key in target, since there is nothing to compare.
2464 * However, it's still possible to match child's high key
2465 * outside of target page. The reason why we're are is that
2466 * bt_child_highkey_check() was previously called for the
2467 * cousin page of 'loaded_child', which is incomplete split.
2468 * So, now we traverse to the right of that cousin page and
2469 * current child level page under consideration still belongs
2470 * to the subtree of target's left sibling. Thus, we need to
2471 * match child's high key to its left uncle page high key.
2472 * Thankfully we saved it, it's called a "low key" of target
2473 * page.
2474 */
2475 if (!state->lowkey)
2476 ereport(ERROR,
2477 (errcode(ERRCODE_INDEX_CORRUPTED),
2478 errmsg("can't find left sibling high key in index \"%s\"",
2479 RelationGetRelationName(state->rel)),
2480 errdetail_internal("Target block=%u child block=%u target page lsn=%X/%X.",
2481 state->targetblock, blkno,
2482 LSN_FORMAT_ARGS(state->targetlsn))));
2483 itup = state->lowkey;
2484 }
2485
2486 if (!bt_pivot_tuple_identical(state->heapkeyspace, highkey, itup))
2487 {
2488 ereport(ERROR,
2489 (errcode(ERRCODE_INDEX_CORRUPTED),
2490 errmsg("mismatch between parent key and child high key in index \"%s\"",
2491 RelationGetRelationName(state->rel)),
2492 errdetail_internal("Target block=%u child block=%u target page lsn=%X/%X.",
2493 state->targetblock, blkno,
2494 LSN_FORMAT_ARGS(state->targetlsn))));
2495 }
2496 }
2497
2498 /* Exit if we already found next downlink */
2499 if (blkno == downlink)
2500 {
2501 state->prevrightlink = opaque->btpo_next;
2502 state->previncompletesplit = rightsplit;
2503 return;
2504 }
2505
2506 /* Traverse to the next page using rightlink */
2507 blkno = opaque->btpo_next;
2508
2509 /* Free page contents if it's allocated by us */
2510 if (page != loaded_child)
2511 pfree(page);
2512 first = false;
2513 }
2514}
2515
2516/*
2517 * Checks one of target's downlink against its child page.
2518 *
2519 * Conceptually, the target page continues to be what is checked here. The
2520 * target block is still blamed in the event of finding an invariant violation.
2521 * The downlink insertion into the target is probably where any problem raised
2522 * here arises, and there is no such thing as a parent link, so doing the
2523 * verification this way around is much more practical.
2524 *
2525 * This function visits child page and it's sequentially called for each
2526 * downlink of target page. Assuming this we also check downlink connectivity
2527 * here in order to save child page visits.
2528 */
2529static void
2530bt_child_check(BtreeCheckState *state, BTScanInsert targetkey,
2531 OffsetNumber downlinkoffnum)
2532{
2533 ItemId itemid;
2534 IndexTuple itup;
2535 BlockNumber childblock;
2536 OffsetNumber offset;
2537 OffsetNumber maxoffset;
2538 Page child;
2539 BTPageOpaque copaque;
2540 BTPageOpaque topaque;
2541
2542 itemid = PageGetItemIdCareful(state, state->targetblock,
2543 state->target, downlinkoffnum);
2544 itup = (IndexTuple) PageGetItem(state->target, itemid);
2545 childblock = BTreeTupleGetDownLink(itup);
2546
2547 /*
2548 * Caller must have ShareLock on target relation, because of
2549 * considerations around page deletion by VACUUM.
2550 *
2551 * NB: In general, page deletion deletes the right sibling's downlink, not
2552 * the downlink of the page being deleted; the deleted page's downlink is
2553 * reused for its sibling. The key space is thereby consolidated between
2554 * the deleted page and its right sibling. (We cannot delete a parent
2555 * page's rightmost child unless it is the last child page, and we intend
2556 * to also delete the parent itself.)
2557 *
2558 * If this verification happened without a ShareLock, the following race
2559 * condition could cause false positives:
2560 *
2561 * In general, concurrent page deletion might occur, including deletion of
2562 * the left sibling of the child page that is examined here. If such a
2563 * page deletion were to occur, closely followed by an insertion into the
2564 * newly expanded key space of the child, a window for the false positive
2565 * opens up: the stale parent/target downlink originally followed to get
2566 * to the child legitimately ceases to be a lower bound on all items in
2567 * the page, since the key space was concurrently expanded "left".
2568 * (Insertion followed the "new" downlink for the child, not our now-stale
2569 * downlink, which was concurrently physically removed in target/parent as
2570 * part of deletion's first phase.)
2571 *
2572 * While we use various techniques elsewhere to perform cross-page
2573 * verification for !readonly callers, a similar trick seems difficult
2574 * here. The tricks used by bt_recheck_sibling_links and by
2575 * bt_right_page_check_scankey both involve verification of a same-level,
2576 * cross-sibling invariant. Cross-level invariants are far more squishy,
2577 * though. The nbtree REDO routines do not actually couple buffer locks
2578 * across levels during page splits, so making any cross-level check work
2579 * reliably in !readonly mode may be impossible.
2580 */
2581 Assert(state->readonly);
2582
2583 /*
2584 * Verify child page has the downlink key from target page (its parent) as
2585 * a lower bound; downlink must be strictly less than all keys on the
2586 * page.
2587 *
2588 * Check all items, rather than checking just the first and trusting that
2589 * the operator class obeys the transitive law.
2590 */
2591 topaque = BTPageGetOpaque(state->target);
2592 child = palloc_btree_page(state, childblock);
2593 copaque = BTPageGetOpaque(child);
2594 maxoffset = PageGetMaxOffsetNumber(child);
2595
2596 /*
2597 * Since we've already loaded the child block, combine this check with
2598 * check for downlink connectivity.
2599 */
2600 bt_child_highkey_check(state, downlinkoffnum,
2601 child, topaque->btpo_level);
2602
2603 /*
2604 * Since there cannot be a concurrent VACUUM operation in readonly mode,
2605 * and since a page has no links within other pages (siblings and parent)
2606 * once it is marked fully deleted, it should be impossible to land on a
2607 * fully deleted page.
2608 *
2609 * It does not quite make sense to enforce that the page cannot even be
2610 * half-dead, despite the fact the downlink is modified at the same stage
2611 * that the child leaf page is marked half-dead. That's incorrect because
2612 * there may occasionally be multiple downlinks from a chain of pages
2613 * undergoing deletion, where multiple successive calls are made to
2614 * _bt_unlink_halfdead_page() by VACUUM before it can finally safely mark
2615 * the leaf page as fully dead. While _bt_mark_page_halfdead() usually
2616 * removes the downlink to the leaf page that is marked half-dead, that's
2617 * not guaranteed, so it's possible we'll land on a half-dead page with a
2618 * downlink due to an interrupted multi-level page deletion.
2619 *
2620 * We go ahead with our checks if the child page is half-dead. It's safe
2621 * to do so because we do not test the child's high key, so it does not
2622 * matter that the original high key will have been replaced by a dummy
2623 * truncated high key within _bt_mark_page_halfdead(). All other page
2624 * items are left intact on a half-dead page, so there is still something
2625 * to test.
2626 */
2627 if (P_ISDELETED(copaque))
2628 ereport(ERROR,
2629 (errcode(ERRCODE_INDEX_CORRUPTED),
2630 errmsg("downlink to deleted page found in index \"%s\"",
2631 RelationGetRelationName(state->rel)),
2632 errdetail_internal("Parent block=%u child block=%u parent page lsn=%X/%X.",
2633 state->targetblock, childblock,
2634 LSN_FORMAT_ARGS(state->targetlsn))));
2635
2636 for (offset = P_FIRSTDATAKEY(copaque);
2637 offset <= maxoffset;
2638 offset = OffsetNumberNext(offset))
2639 {
2640 /*
2641 * Skip comparison of target page key against "negative infinity"
2642 * item, if any. Checking it would indicate that it's not a strict
2643 * lower bound, but that's only because of the hard-coding for
2644 * negative infinity items within _bt_compare().
2645 *
2646 * If nbtree didn't truncate negative infinity tuples during internal
2647 * page splits then we'd expect child's negative infinity key to be
2648 * equal to the scankey/downlink from target/parent (it would be a
2649 * "low key" in this hypothetical scenario, and so it would still need
2650 * to be treated as a special case here).
2651 *
2652 * Negative infinity items can be thought of as a strict lower bound
2653 * that works transitively, with the last non-negative-infinity pivot
2654 * followed during a descent from the root as its "true" strict lower
2655 * bound. Only a small number of negative infinity items are truly
2656 * negative infinity; those that are the first items of leftmost
2657 * internal pages. In more general terms, a negative infinity item is
2658 * only negative infinity with respect to the subtree that the page is
2659 * at the root of.
2660 *
2661 * See also: bt_rootdescend(), which can even detect transitive
2662 * inconsistencies on cousin leaf pages.
2663 */
2664 if (offset_is_negative_infinity(copaque, offset))
2665 continue;
2666
2667 if (!invariant_l_nontarget_offset(state, targetkey, childblock, child,
2668 offset))
2669 ereport(ERROR,
2670 (errcode(ERRCODE_INDEX_CORRUPTED),
2671 errmsg("down-link lower bound invariant violated for index \"%s\"",
2672 RelationGetRelationName(state->rel)),
2673 errdetail_internal("Parent block=%u child index tid=(%u,%u) parent page lsn=%X/%X.",
2674 state->targetblock, childblock, offset,
2675 LSN_FORMAT_ARGS(state->targetlsn))));
2676 }
2677
2678 pfree(child);
2679}
2680
2681/*
2682 * Checks if page is missing a downlink that it should have.
2683 *
2684 * A page that lacks a downlink/parent may indicate corruption. However, we
2685 * must account for the fact that a missing downlink can occasionally be
2686 * encountered in a non-corrupt index. This can be due to an interrupted page
2687 * split, or an interrupted multi-level page deletion (i.e. there was a hard
2688 * crash or an error during a page split, or while VACUUM was deleting a
2689 * multi-level chain of pages).
2690 *
2691 * Note that this can only be called in readonly mode, so there is no need to
2692 * be concerned about concurrent page splits or page deletions.
2693 */
2694static void
2695bt_downlink_missing_check(BtreeCheckState *state, bool rightsplit,
2696 BlockNumber blkno, Page page)
2697{
2698 BTPageOpaque opaque = BTPageGetOpaque(page);
2699 ItemId itemid;
2700 IndexTuple itup;
2701 Page child;
2702 BTPageOpaque copaque;
2703 uint32 level;
2704 BlockNumber childblk;
2705 XLogRecPtr pagelsn;
2706
2707 Assert(state->readonly);
2708 Assert(!P_IGNORE(opaque));
2709
2710 /* No next level up with downlinks to fingerprint from the true root */
2711 if (P_ISROOT(opaque))
2712 return;
2713
2714 pagelsn = PageGetLSN(page);
2715
2716 /*
2717 * Incomplete (interrupted) page splits can account for the lack of a
2718 * downlink. Some inserting transaction should eventually complete the
2719 * page split in passing, when it notices that the left sibling page is
2720 * P_INCOMPLETE_SPLIT().
2721 *
2722 * In general, VACUUM is not prepared for there to be no downlink to a
2723 * page that it deletes. This is the main reason why the lack of a
2724 * downlink can be reported as corruption here. It's not obvious that an
2725 * invalid missing downlink can result in wrong answers to queries,
2726 * though, since index scans that land on the child may end up
2727 * consistently moving right. The handling of concurrent page splits (and
2728 * page deletions) within _bt_moveright() cannot distinguish
2729 * inconsistencies that last for a moment from inconsistencies that are
2730 * permanent and irrecoverable.
2731 *
2732 * VACUUM isn't even prepared to delete pages that have no downlink due to
2733 * an incomplete page split, but it can detect and reason about that case
2734 * by design, so it shouldn't be taken to indicate corruption. See
2735 * _bt_pagedel() for full details.
2736 */
2737 if (rightsplit)
2738 {
2739 ereport(DEBUG1,
2740 (errcode(ERRCODE_NO_DATA),
2741 errmsg_internal("harmless interrupted page split detected in index \"%s\"",
2742 RelationGetRelationName(state->rel)),
2743 errdetail_internal("Block=%u level=%u left sibling=%u page lsn=%X/%X.",
2744 blkno, opaque->btpo_level,
2745 opaque->btpo_prev,
2746 LSN_FORMAT_ARGS(pagelsn))));
2747 return;
2748 }
2749
2750 /*
2751 * Page under check is probably the "top parent" of a multi-level page
2752 * deletion. We'll need to descend the subtree to make sure that
2753 * descendant pages are consistent with that, though.
2754 *
2755 * If the page (which must be non-ignorable) is a leaf page, then clearly
2756 * it can't be the top parent. The lack of a downlink is probably a
2757 * symptom of a broad problem that could just as easily cause
2758 * inconsistencies anywhere else.
2759 */
2760 if (P_ISLEAF(opaque))
2761 ereport(ERROR,
2762 (errcode(ERRCODE_INDEX_CORRUPTED),
2763 errmsg("leaf index block lacks downlink in index \"%s\"",
2764 RelationGetRelationName(state->rel)),
2765 errdetail_internal("Block=%u page lsn=%X/%X.",
2766 blkno,
2767 LSN_FORMAT_ARGS(pagelsn))));
2768
2769 /* Descend from the given page, which is an internal page */
2770 elog(DEBUG1, "checking for interrupted multi-level deletion due to missing downlink in index \"%s\"",
2771 RelationGetRelationName(state->rel));
2772
2773 level = opaque->btpo_level;
2774 itemid = PageGetItemIdCareful(state, blkno, page, P_FIRSTDATAKEY(opaque));
2775 itup = (IndexTuple) PageGetItem(page, itemid);
2776 childblk = BTreeTupleGetDownLink(itup);
2777 for (;;)
2778 {
2779 CHECK_FOR_INTERRUPTS();
2780
2781 child = palloc_btree_page(state, childblk);
2782 copaque = BTPageGetOpaque(child);
2783
2784 if (P_ISLEAF(copaque))
2785 break;
2786
2787 /* Do an extra sanity check in passing on internal pages */
2788 if (copaque->btpo_level != level - 1)
2789 ereport(ERROR,
2790 (errcode(ERRCODE_INDEX_CORRUPTED),
2791 errmsg_internal("downlink points to block in index \"%s\" whose level is not one level down",
2792 RelationGetRelationName(state->rel)),
2793 errdetail_internal("Top parent/under check block=%u block pointed to=%u expected level=%u level in pointed to block=%u.",
2794 blkno, childblk,
2795 level - 1, copaque->btpo_level)));
2796
2797 level = copaque->btpo_level;
2798 itemid = PageGetItemIdCareful(state, childblk, child,
2799 P_FIRSTDATAKEY(copaque));
2800 itup = (IndexTuple) PageGetItem(child, itemid);
2801 childblk = BTreeTupleGetDownLink(itup);
2802 /* Be slightly more pro-active in freeing this memory, just in case */
2803 pfree(child);
2804 }
2805
2806 /*
2807 * Since there cannot be a concurrent VACUUM operation in readonly mode,
2808 * and since a page has no links within other pages (siblings and parent)
2809 * once it is marked fully deleted, it should be impossible to land on a
2810 * fully deleted page. See bt_child_check() for further details.
2811 *
2812 * The bt_child_check() P_ISDELETED() check is repeated here because
2813 * bt_child_check() does not visit pages reachable through negative
2814 * infinity items. Besides, bt_child_check() is unwilling to descend
2815 * multiple levels. (The similar bt_child_check() P_ISDELETED() check
2816 * within bt_check_level_from_leftmost() won't reach the page either,
2817 * since the leaf's live siblings should have their sibling links updated
2818 * to bypass the deletion target page when it is marked fully dead.)
2819 *
2820 * If this error is raised, it might be due to a previous multi-level page
2821 * deletion that failed to realize that it wasn't yet safe to mark the
2822 * leaf page as fully dead. A "dangling downlink" will still remain when
2823 * this happens. The fact that the dangling downlink's page (the leaf's
2824 * parent/ancestor page) lacked a downlink is incidental.
2825 */
2826 if (P_ISDELETED(copaque))
2827 ereport(ERROR,
2828 (errcode(ERRCODE_INDEX_CORRUPTED),
2829 errmsg_internal("downlink to deleted leaf page found in index \"%s\"",
2830 RelationGetRelationName(state->rel)),
2831 errdetail_internal("Top parent/target block=%u leaf block=%u top parent/under check lsn=%X/%X.",
2832 blkno, childblk,
2833 LSN_FORMAT_ARGS(pagelsn))));
2834
2835 /*
2836 * Iff leaf page is half-dead, its high key top parent link should point
2837 * to what VACUUM considered to be the top parent page at the instant it
2838 * was interrupted. Provided the high key link actually points to the
2839 * page under check, the missing downlink we detected is consistent with
2840 * there having been an interrupted multi-level page deletion. This means
2841 * that the subtree with the page under check at its root (a page deletion
2842 * chain) is in a consistent state, enabling VACUUM to resume deleting the
2843 * entire chain the next time it encounters the half-dead leaf page.
2844 */
2845 if (P_ISHALFDEAD(copaque) && !P_RIGHTMOST(copaque))
2846 {
2847 itemid = PageGetItemIdCareful(state, childblk, child, P_HIKEY);
2848 itup = (IndexTuple) PageGetItem(child, itemid);
2849 if (BTreeTupleGetTopParent(itup) == blkno)
2850 return;
2851 }
2852
2853 ereport(ERROR,
2854 (errcode(ERRCODE_INDEX_CORRUPTED),
2855 errmsg("internal index block lacks downlink in index \"%s\"",
2856 RelationGetRelationName(state->rel)),
2857 errdetail_internal("Block=%u level=%u page lsn=%X/%X.",
2858 blkno, opaque->btpo_level,
2859 LSN_FORMAT_ARGS(pagelsn))));
2860}
2861
2862/*
2863 * Per-tuple callback from table_index_build_scan, used to determine if index has
2864 * all the entries that definitely should have been observed in leaf pages of
2865 * the target index (that is, all IndexTuples that were fingerprinted by our
2866 * Bloom filter). All heapallindexed checks occur here.
2867 *
2868 * The redundancy between an index and the table it indexes provides a good
2869 * opportunity to detect corruption, especially corruption within the table.
2870 * The high level principle behind the verification performed here is that any
2871 * IndexTuple that should be in an index following a fresh CREATE INDEX (based
2872 * on the same index definition) should also have been in the original,
2873 * existing index, which should have used exactly the same representation
2874 *
2875 * Since the overall structure of the index has already been verified, the most
2876 * likely explanation for error here is a corrupt heap page (could be logical
2877 * or physical corruption). Index corruption may still be detected here,
2878 * though. Only readonly callers will have verified that left links and right
2879 * links are in agreement, and so it's possible that a leaf page transposition
2880 * within index is actually the source of corruption detected here (for
2881 * !readonly callers). The checks performed only for readonly callers might
2882 * more accurately frame the problem as a cross-page invariant issue (this
2883 * could even be due to recovery not replaying all WAL records). The !readonly
2884 * ERROR message raised here includes a HINT about retrying with readonly
2885 * verification, just in case it's a cross-page invariant issue, though that
2886 * isn't particularly likely.
2887 *
2888 * table_index_build_scan() expects to be able to find the root tuple when a
2889 * heap-only tuple (the live tuple at the end of some HOT chain) needs to be
2890 * indexed, in order to replace the actual tuple's TID with the root tuple's
2891 * TID (which is what we're actually passed back here). The index build heap
2892 * scan code will raise an error when a tuple that claims to be the root of the
2893 * heap-only tuple's HOT chain cannot be located. This catches cases where the
2894 * original root item offset/root tuple for a HOT chain indicates (for whatever
2895 * reason) that the entire HOT chain is dead, despite the fact that the latest
2896 * heap-only tuple should be indexed. When this happens, sequential scans may
2897 * always give correct answers, and all indexes may be considered structurally
2898 * consistent (i.e. the nbtree structural checks would not detect corruption).
2899 * It may be the case that only index scans give wrong answers, and yet heap or
2900 * SLRU corruption is the real culprit. (While it's true that LP_DEAD bit
2901 * setting will probably also leave the index in a corrupt state before too
2902 * long, the problem is nonetheless that there is heap corruption.)
2903 *
2904 * Heap-only tuple handling within table_index_build_scan() works in a way that
2905 * helps us to detect index tuples that contain the wrong values (values that
2906 * don't match the latest tuple in the HOT chain). This can happen when there
2907 * is no superseding index tuple due to a faulty assessment of HOT safety,
2908 * perhaps during the original CREATE INDEX. Because the latest tuple's
2909 * contents are used with the root TID, an error will be raised when a tuple
2910 * with the same TID but non-matching attribute values is passed back to us.
2911 * Faulty assessment of HOT-safety was behind at least two distinct CREATE
2912 * INDEX CONCURRENTLY bugs that made it into stable releases, one of which was
2913 * undetected for many years. In short, the same principle that allows a
2914 * REINDEX to repair corruption when there was an (undetected) broken HOT chain
2915 * also allows us to detect the corruption in many cases.
2916 */
2917static void
2918bt_tuple_present_callback(Relation index, ItemPointer tid, Datum *values,
2919 bool *isnull, bool tupleIsAlive, void *checkstate)
2920{
2921 BtreeCheckState *state = (BtreeCheckState *) checkstate;
2922 IndexTuple itup,
2923 norm;
2924
2925 Assert(state->heapallindexed);
2926
2927 /* Generate a normalized index tuple for fingerprinting */
2928 itup = index_form_tuple(RelationGetDescr(index), values, isnull);
2929 itup->t_tid = *tid;
2930 norm = bt_normalize_tuple(state, itup);
2931
2932 /* Probe Bloom filter -- tuple should be present */
2933 if (bloom_lacks_element(state->filter, (unsigned char *) norm,
2934 IndexTupleSize(norm)))
2935 ereport(ERROR,
2936 (errcode(ERRCODE_DATA_CORRUPTED),
2937 errmsg("heap tuple (%u,%u) from table \"%s\" lacks matching index tuple within index \"%s\"",
2938 ItemPointerGetBlockNumber(&(itup->t_tid)),
2939 ItemPointerGetOffsetNumber(&(itup->t_tid)),
2940 RelationGetRelationName(state->heaprel),
2941 RelationGetRelationName(state->rel)),
2942 !state->readonly
2943 ? errhint("Retrying verification using the function bt_index_parent_check() might provide a more specific error.")
2944 : 0));
2945
2946 state->heaptuplespresent++;
2947 pfree(itup);
2948 /* Cannot leak memory here */
2949 if (norm != itup)
2950 pfree(norm);
2951}
2952
2953/*
2954 * Normalize an index tuple for fingerprinting.
2955 *
2956 * In general, index tuple formation is assumed to be deterministic by
2957 * heapallindexed verification, and IndexTuples are assumed immutable. While
2958 * the LP_DEAD bit is mutable in leaf pages, that's ItemId metadata, which is
2959 * not fingerprinted. Normalization is required to compensate for corner
2960 * cases where the determinism assumption doesn't quite work.
2961 *
2962 * There is currently one such case: index_form_tuple() does not try to hide
2963 * the source TOAST state of input datums. The executor applies TOAST
2964 * compression for heap tuples based on different criteria to the compression
2965 * applied within btinsert()'s call to index_form_tuple(): it sometimes
2966 * compresses more aggressively, resulting in compressed heap tuple datums but
2967 * uncompressed corresponding index tuple datums. A subsequent heapallindexed
2968 * verification will get a logically equivalent though bitwise unequal tuple
2969 * from index_form_tuple(). False positive heapallindexed corruption reports
2970 * could occur without normalizing away the inconsistency.
2971 *
2972 * Returned tuple is often caller's own original tuple. Otherwise, it is a
2973 * new representation of caller's original index tuple, palloc()'d in caller's
2974 * memory context.
2975 *
2976 * Note: This routine is not concerned with distinctions about the
2977 * representation of tuples beyond those that might break heapallindexed
2978 * verification. In particular, it won't try to normalize opclass-equal
2979 * datums with potentially distinct representations (e.g., btree/numeric_ops
2980 * index datums will not get their display scale normalized-away here).
2981 * Caller does normalization for non-pivot tuples that have a posting list,
2982 * since dummy CREATE INDEX callback code generates new tuples with the same
2983 * normalized representation.
2984 */
2985static IndexTuple
2986bt_normalize_tuple(BtreeCheckState *state, IndexTuple itup)
2987{
2988 TupleDesc tupleDescriptor = RelationGetDescr(state->rel);
2989 Datum normalized[INDEX_MAX_KEYS];
2990 bool isnull[INDEX_MAX_KEYS];
2991 bool need_free[INDEX_MAX_KEYS];
2992 bool formnewtup = false;
2993 IndexTuple reformed;
2994 int i;
2995
2996 /* Caller should only pass "logical" non-pivot tuples here */
2997 Assert(!BTreeTupleIsPosting(itup) && !BTreeTupleIsPivot(itup));
2998
2999 /* Easy case: It's immediately clear that tuple has no varlena datums */
3000 if (!IndexTupleHasVarwidths(itup))
3001 return itup;
3002
3003 for (i = 0; i < tupleDescriptor->natts; i++)
3004 {
3005 Form_pg_attribute att;
3006
3007 att = TupleDescAttr(tupleDescriptor, i);
3008
3009 /* Assume untoasted/already normalized datum initially */
3010 need_free[i] = false;
3011 normalized[i] = index_getattr(itup, att->attnum,
3012 tupleDescriptor,
3013 &isnull[i]);
3014 if (att->attbyval || att->attlen != -1 || isnull[i])
3015 continue;
3016
3017 /*
3018 * Callers always pass a tuple that could safely be inserted into the
3019 * index without further processing, so an external varlena header
3020 * should never be encountered here
3021 */
3022 if (VARATT_IS_EXTERNAL(DatumGetPointer(normalized[i])))
3023 ereport(ERROR,
3024 (errcode(ERRCODE_INDEX_CORRUPTED),
3025 errmsg("external varlena datum in tuple that references heap row (%u,%u) in index \"%s\"",
3026 ItemPointerGetBlockNumber(&(itup->t_tid)),
3027 ItemPointerGetOffsetNumber(&(itup->t_tid)),
3028 RelationGetRelationName(state->rel))));
3029 else if (!VARATT_IS_COMPRESSED(DatumGetPointer(normalized[i])) &&
3030 VARSIZE(DatumGetPointer(normalized[i])) > TOAST_INDEX_TARGET &&
3031 (att->attstorage == TYPSTORAGE_EXTENDED ||
3032 att->attstorage == TYPSTORAGE_MAIN))
3033 {
3034 /*
3035 * This value will be compressed by index_form_tuple() with the
3036 * current storage settings. We may be here because this tuple
3037 * was formed with different storage settings. So, force forming.
3038 */
3039 formnewtup = true;
3040 }
3041 else if (VARATT_IS_COMPRESSED(DatumGetPointer(normalized[i])))
3042 {
3043 formnewtup = true;
3044 normalized[i] = PointerGetDatum(PG_DETOAST_DATUM(normalized[i]));
3045 need_free[i] = true;
3046 }
3047
3048 /*
3049 * Short tuples may have 1B or 4B header. Convert 4B header of short
3050 * tuples to 1B
3051 */
3052 else if (VARATT_CAN_MAKE_SHORT(DatumGetPointer(normalized[i])))
3053 {
3054 /* convert to short varlena */
3055 Size len = VARATT_CONVERTED_SHORT_SIZE(DatumGetPointer(normalized[i]));
3056 char *data = palloc(len);
3057
3058 SET_VARSIZE_SHORT(data, len);
3059 memcpy(data + 1, VARDATA(DatumGetPointer(normalized[i])), len - 1);
3060
3061 formnewtup = true;
3062 normalized[i] = PointerGetDatum(data);
3063 need_free[i] = true;
3064 }
3065 }
3066
3067 /*
3068 * Easier case: Tuple has varlena datums, none of which are compressed or
3069 * short with 4B header
3070 */
3071 if (!formnewtup)
3072 return itup;
3073
3074 /*
3075 * Hard case: Tuple had compressed varlena datums that necessitate
3076 * creating normalized version of the tuple from uncompressed input datums
3077 * (normalized input datums). This is rather naive, but shouldn't be
3078 * necessary too often.
3079 *
3080 * In the heap, tuples may contain short varlena datums with both 1B
3081 * header and 4B headers. But the corresponding index tuple should always
3082 * have such varlena's with 1B headers. So, if there is a short varlena
3083 * with 4B header, we need to convert it for fingerprinting.
3084 *
3085 * Note that we rely on deterministic index_form_tuple() TOAST compression
3086 * of normalized input.
3087 */
3088 reformed = index_form_tuple(tupleDescriptor, normalized, isnull);
3089 reformed->t_tid = itup->t_tid;
3090
3091 /* Cannot leak memory here */
3092 for (i = 0; i < tupleDescriptor->natts; i++)
3093 if (need_free[i])
3094 pfree(DatumGetPointer(normalized[i]));
3095
3096 return reformed;
3097}
3098
3099/*
3100 * Produce palloc()'d "plain" tuple for nth posting list entry/TID.
3101 *
3102 * In general, deduplication is not supposed to change the logical contents of
3103 * an index. Multiple index tuples are merged together into one equivalent
3104 * posting list index tuple when convenient.
3105 *
3106 * heapallindexed verification must normalize-away this variation in
3107 * representation by converting posting list tuples into two or more "plain"
3108 * tuples. Each tuple must be fingerprinted separately -- there must be one
3109 * tuple for each corresponding Bloom filter probe during the heap scan.
3110 *
3111 * Note: Caller still needs to call bt_normalize_tuple() with returned tuple.
3112 */
3113static inline IndexTuple
3114bt_posting_plain_tuple(IndexTuple itup, int n)
3115{
3116 Assert(BTreeTupleIsPosting(itup));
3117
3118 /* Returns non-posting-list tuple */
3119 return _bt_form_posting(itup, BTreeTupleGetPostingN(itup, n), 1);
3120}
3121
3122/*
3123 * Search for itup in index, starting from fast root page. itup must be a
3124 * non-pivot tuple. This is only supported with heapkeyspace indexes, since
3125 * we rely on having fully unique keys to find a match with only a single
3126 * visit to a leaf page, barring an interrupted page split, where we may have
3127 * to move right. (A concurrent page split is impossible because caller must
3128 * be readonly caller.)
3129 *
3130 * This routine can detect very subtle transitive consistency issues across
3131 * more than one level of the tree. Leaf pages all have a high key (even the
3132 * rightmost page has a conceptual positive infinity high key), but not a low
3133 * key. Their downlink in parent is a lower bound, which along with the high
3134 * key is almost enough to detect every possible inconsistency. A downlink
3135 * separator key value won't always be available from parent, though, because
3136 * the first items of internal pages are negative infinity items, truncated
3137 * down to zero attributes during internal page splits. While it's true that
3138 * bt_child_check() and the high key check can detect most imaginable key
3139 * space problems, there are remaining problems it won't detect with non-pivot
3140 * tuples in cousin leaf pages. Starting a search from the root for every
3141 * existing leaf tuple detects small inconsistencies in upper levels of the
3142 * tree that cannot be detected any other way. (Besides all this, this is
3143 * probably also useful as a direct test of the code used by index scans
3144 * themselves.)
3145 */
3146static bool
3147bt_rootdescend(BtreeCheckState *state, IndexTuple itup)
3148{
3149 BTScanInsert key;
3150 BTStack stack;
3151 Buffer lbuf;
3152 bool exists;
3153
3154 key = _bt_mkscankey(state->rel, itup);
3155 Assert(key->heapkeyspace && key->scantid != NULL);
3156
3157 /*
3158 * Search from root.
3159 *
3160 * Ideally, we would arrange to only move right within _bt_search() when
3161 * an interrupted page split is detected (i.e. when the incomplete split
3162 * bit is found to be set), but for now we accept the possibility that
3163 * that could conceal an inconsistency.
3164 */
3165 Assert(state->readonly && state->rootdescend);
3166 exists = false;
3167 stack = _bt_search(state->rel, NULL, key, &lbuf, BT_READ);
3168
3169 if (BufferIsValid(lbuf))
3170 {
3171 BTInsertStateData insertstate;
3172 OffsetNumber offnum;
3173 Page page;
3174
3175 insertstate.itup = itup;
3176 insertstate.itemsz = MAXALIGN(IndexTupleSize(itup));
3177 insertstate.itup_key = key;
3178 insertstate.postingoff = 0;
3179 insertstate.bounds_valid = false;
3180 insertstate.buf = lbuf;
3181
3182 /* Get matching tuple on leaf page */
3183 offnum = _bt_binsrch_insert(state->rel, &insertstate);
3184 /* Compare first >= matching item on leaf page, if any */
3185 page = BufferGetPage(lbuf);
3186 /* Should match on first heap TID when tuple has a posting list */
3187 if (offnum <= PageGetMaxOffsetNumber(page) &&
3188 insertstate.postingoff <= 0 &&
3189 _bt_compare(state->rel, key, page, offnum) == 0)
3190 exists = true;
3191 _bt_relbuf(state->rel, lbuf);
3192 }
3193
3194 _bt_freestack(stack);
3195 pfree(key);
3196
3197 return exists;
3198}
3199
3200/*
3201 * Is particular offset within page (whose special state is passed by caller)
3202 * the page negative-infinity item?
3203 *
3204 * As noted in comments above _bt_compare(), there is special handling of the
3205 * first data item as a "negative infinity" item. The hard-coding within
3206 * _bt_compare() makes comparing this item for the purposes of verification
3207 * pointless at best, since the IndexTuple only contains a valid TID (a
3208 * reference TID to child page).
3209 */
3210static inline bool
3211offset_is_negative_infinity(BTPageOpaque opaque, OffsetNumber offset)
3212{
3213 /*
3214 * For internal pages only, the first item after high key, if any, is
3215 * negative infinity item. Internal pages always have a negative infinity
3216 * item, whereas leaf pages never have one. This implies that negative
3217 * infinity item is either first or second line item, or there is none
3218 * within page.
3219 *
3220 * Negative infinity items are a special case among pivot tuples. They
3221 * always have zero attributes, while all other pivot tuples always have
3222 * nkeyatts attributes.
3223 *
3224 * Right-most pages don't have a high key, but could be said to
3225 * conceptually have a "positive infinity" high key. Thus, there is a
3226 * symmetry between down link items in parent pages, and high keys in
3227 * children. Together, they represent the part of the key space that
3228 * belongs to each page in the index. For example, all children of the
3229 * root page will have negative infinity as a lower bound from root
3230 * negative infinity downlink, and positive infinity as an upper bound
3231 * (implicitly, from "imaginary" positive infinity high key in root).
3232 */
3233 return !P_ISLEAF(opaque) && offset == P_FIRSTDATAKEY(opaque);
3234}
3235
3236/*
3237 * Does the invariant hold that the key is strictly less than a given upper
3238 * bound offset item?
3239 *
3240 * Verifies line pointer on behalf of caller.
3241 *
3242 * If this function returns false, convention is that caller throws error due
3243 * to corruption.
3244 */
3245static inline bool
3246invariant_l_offset(BtreeCheckState *state, BTScanInsert key,
3247 OffsetNumber upperbound)
3248{
3249 ItemId itemid;
3250 int32 cmp;
3251
3252 Assert(!key->nextkey && key->backward);
3253
3254 /* Verify line pointer before checking tuple */
3255 itemid = PageGetItemIdCareful(state, state->targetblock, state->target,
3256 upperbound);
3257 /* pg_upgrade'd indexes may legally have equal sibling tuples */
3258 if (!key->heapkeyspace)
3259 return invariant_leq_offset(state, key, upperbound);
3260
3261 cmp = _bt_compare(state->rel, key, state->target, upperbound);
3262
3263 /*
3264 * _bt_compare() is capable of determining that a scankey with a
3265 * filled-out attribute is greater than pivot tuples where the comparison
3266 * is resolved at a truncated attribute (value of attribute in pivot is
3267 * minus infinity). However, it is not capable of determining that a
3268 * scankey is _less than_ a tuple on the basis of a comparison resolved at
3269 * _scankey_ minus infinity attribute. Complete an extra step to simulate
3270 * having minus infinity values for omitted scankey attribute(s).
3271 */
3272 if (cmp == 0)
3273 {
3274 BTPageOpaque topaque;
3275 IndexTuple ritup;
3276 int uppnkeyatts;
3277 ItemPointer rheaptid;
3278 bool nonpivot;
3279
3280 ritup = (IndexTuple) PageGetItem(state->target, itemid);
3281 topaque = BTPageGetOpaque(state->target);
3282 nonpivot = P_ISLEAF(topaque) && upperbound >= P_FIRSTDATAKEY(topaque);
3283
3284 /* Get number of keys + heap TID for item to the right */
3285 uppnkeyatts = BTreeTupleGetNKeyAtts(ritup, state->rel);
3286 rheaptid = BTreeTupleGetHeapTIDCareful(state, ritup, nonpivot);
3287
3288 /* Heap TID is tiebreaker key attribute */
3289 if (key->keysz == uppnkeyatts)
3290 return key->scantid == NULL && rheaptid != NULL;
3291
3292 return key->keysz < uppnkeyatts;
3293 }
3294
3295 return cmp < 0;
3296}
3297
3298/*
3299 * Does the invariant hold that the key is less than or equal to a given upper
3300 * bound offset item?
3301 *
3302 * Caller should have verified that upperbound's line pointer is consistent
3303 * using PageGetItemIdCareful() call.
3304 *
3305 * If this function returns false, convention is that caller throws error due
3306 * to corruption.
3307 */
3308static inline bool
3309invariant_leq_offset(BtreeCheckState *state, BTScanInsert key,
3310 OffsetNumber upperbound)
3311{
3312 int32 cmp;
3313
3314 Assert(!key->nextkey && key->backward);
3315
3316 cmp = _bt_compare(state->rel, key, state->target, upperbound);
3317
3318 return cmp <= 0;
3319}
3320
3321/*
3322 * Does the invariant hold that the key is strictly greater than a given lower
3323 * bound offset item?
3324 *
3325 * Caller should have verified that lowerbound's line pointer is consistent
3326 * using PageGetItemIdCareful() call.
3327 *
3328 * If this function returns false, convention is that caller throws error due
3329 * to corruption.
3330 */
3331static inline bool
3332invariant_g_offset(BtreeCheckState *state, BTScanInsert key,
3333 OffsetNumber lowerbound)
3334{
3335 int32 cmp;
3336
3337 Assert(!key->nextkey && key->backward);
3338
3339 cmp = _bt_compare(state->rel, key, state->target, lowerbound);
3340
3341 /* pg_upgrade'd indexes may legally have equal sibling tuples */
3342 if (!key->heapkeyspace)
3343 return cmp >= 0;
3344
3345 /*
3346 * No need to consider the possibility that scankey has attributes that we
3347 * need to force to be interpreted as negative infinity. _bt_compare() is
3348 * able to determine that scankey is greater than negative infinity. The
3349 * distinction between "==" and "<" isn't interesting here, since
3350 * corruption is indicated either way.
3351 */
3352 return cmp > 0;
3353}
3354
3355/*
3356 * Does the invariant hold that the key is strictly less than a given upper
3357 * bound offset item, with the offset relating to a caller-supplied page that
3358 * is not the current target page?
3359 *
3360 * Caller's non-target page is a child page of the target, checked as part of
3361 * checking a property of the target page (i.e. the key comes from the
3362 * target). Verifies line pointer on behalf of caller.
3363 *
3364 * If this function returns false, convention is that caller throws error due
3365 * to corruption.
3366 */
3367static inline bool
3368invariant_l_nontarget_offset(BtreeCheckState *state, BTScanInsert key,
3369 BlockNumber nontargetblock, Page nontarget,
3370 OffsetNumber upperbound)
3371{
3372 ItemId itemid;
3373 int32 cmp;
3374
3375 Assert(!key->nextkey && key->backward);
3376
3377 /* Verify line pointer before checking tuple */
3378 itemid = PageGetItemIdCareful(state, nontargetblock, nontarget,
3379 upperbound);
3380 cmp = _bt_compare(state->rel, key, nontarget, upperbound);
3381
3382 /* pg_upgrade'd indexes may legally have equal sibling tuples */
3383 if (!key->heapkeyspace)
3384 return cmp <= 0;
3385
3386 /* See invariant_l_offset() for an explanation of this extra step */
3387 if (cmp == 0)
3388 {
3389 IndexTuple child;
3390 int uppnkeyatts;
3391 ItemPointer childheaptid;
3392 BTPageOpaque copaque;
3393 bool nonpivot;
3394
3395 child = (IndexTuple) PageGetItem(nontarget, itemid);
3396 copaque = BTPageGetOpaque(nontarget);
3397 nonpivot = P_ISLEAF(copaque) && upperbound >= P_FIRSTDATAKEY(copaque);
3398
3399 /* Get number of keys + heap TID for child/non-target item */
3400 uppnkeyatts = BTreeTupleGetNKeyAtts(child, state->rel);
3401 childheaptid = BTreeTupleGetHeapTIDCareful(state, child, nonpivot);
3402
3403 /* Heap TID is tiebreaker key attribute */
3404 if (key->keysz == uppnkeyatts)
3405 return key->scantid == NULL && childheaptid != NULL;
3406
3407 return key->keysz < uppnkeyatts;
3408 }
3409
3410 return cmp < 0;
3411}
3412
3413/*
3414 * Given a block number of a B-Tree page, return page in palloc()'d memory.
3415 * While at it, perform some basic checks of the page.
3416 *
3417 * There is never an attempt to get a consistent view of multiple pages using
3418 * multiple concurrent buffer locks; in general, we only acquire a single pin
3419 * and buffer lock at a time, which is often all that the nbtree code requires.
3420 * (Actually, bt_recheck_sibling_links couples buffer locks, which is the only
3421 * exception to this general rule.)
3422 *
3423 * Operating on a copy of the page is useful because it prevents control
3424 * getting stuck in an uninterruptible state when an underlying operator class
3425 * misbehaves.
3426 */
3427static Page
3428palloc_btree_page(BtreeCheckState *state, BlockNumber blocknum)
3429{
3430 Buffer buffer;
3431 Page page;
3432 BTPageOpaque opaque;
3433 OffsetNumber maxoffset;
3434
3435 page = palloc(BLCKSZ);
3436
3437 /*
3438 * We copy the page into local storage to avoid holding pin on the buffer
3439 * longer than we must.
3440 */
3441 buffer = ReadBufferExtended(state->rel, MAIN_FORKNUM, blocknum, RBM_NORMAL,
3442 state->checkstrategy);
3443 LockBuffer(buffer, BT_READ);
3444
3445 /*
3446 * Perform the same basic sanity checking that nbtree itself performs for
3447 * every page:
3448 */
3449 _bt_checkpage(state->rel, buffer);
3450
3451 /* Only use copy of page in palloc()'d memory */
3452 memcpy(page, BufferGetPage(buffer), BLCKSZ);
3453 UnlockReleaseBuffer(buffer);
3454
3455 opaque = BTPageGetOpaque(page);
3456
3457 if (P_ISMETA(opaque) && blocknum != BTREE_METAPAGE)
3458 ereport(ERROR,
3459 (errcode(ERRCODE_INDEX_CORRUPTED),
3460 errmsg("invalid meta page found at block %u in index \"%s\"",
3461 blocknum, RelationGetRelationName(state->rel))));
3462
3463 /* Check page from block that ought to be meta page */
3464 if (blocknum == BTREE_METAPAGE)
3465 {
3466 BTMetaPageData *metad = BTPageGetMeta(page);
3467
3468 if (!P_ISMETA(opaque) ||
3469 metad->btm_magic != BTREE_MAGIC)
3470 ereport(ERROR,
3471 (errcode(ERRCODE_INDEX_CORRUPTED),
3472 errmsg("index \"%s\" meta page is corrupt",
3473 RelationGetRelationName(state->rel))));
3474
3475 if (metad->btm_version < BTREE_MIN_VERSION ||
3476 metad->btm_version > BTREE_VERSION)
3477 ereport(ERROR,
3478 (errcode(ERRCODE_INDEX_CORRUPTED),
3479 errmsg("version mismatch in index \"%s\": file version %d, "
3480 "current version %d, minimum supported version %d",
3481 RelationGetRelationName(state->rel),
3482 metad->btm_version, BTREE_VERSION,
3483 BTREE_MIN_VERSION)));
3484
3485 /* Finished with metapage checks */
3486 return page;
3487 }
3488
3489 /*
3490 * Deleted pages that still use the old 32-bit XID representation have no
3491 * sane "level" field because they type pun the field, but all other pages
3492 * (including pages deleted on Postgres 14+) have a valid value.
3493 */
3494 if (!P_ISDELETED(opaque) || P_HAS_FULLXID(opaque))
3495 {
3496 /* Okay, no reason not to trust btpo_level field from page */
3497
3498 if (P_ISLEAF(opaque) && opaque->btpo_level != 0)
3499 ereport(ERROR,
3500 (errcode(ERRCODE_INDEX_CORRUPTED),
3501 errmsg_internal("invalid leaf page level %u for block %u in index \"%s\"",
3502 opaque->btpo_level, blocknum,
3503 RelationGetRelationName(state->rel))));
3504
3505 if (!P_ISLEAF(opaque) && opaque->btpo_level == 0)
3506 ereport(ERROR,
3507 (errcode(ERRCODE_INDEX_CORRUPTED),
3508 errmsg_internal("invalid internal page level 0 for block %u in index \"%s\"",
3509 blocknum,
3510 RelationGetRelationName(state->rel))));
3511 }
3512
3513 /*
3514 * Sanity checks for number of items on page.
3515 *
3516 * As noted at the beginning of _bt_binsrch(), an internal page must have
3517 * children, since there must always be a negative infinity downlink
3518 * (there may also be a highkey). In the case of non-rightmost leaf
3519 * pages, there must be at least a highkey. The exceptions are deleted
3520 * pages, which contain no items.
3521 *
3522 * This is correct when pages are half-dead, since internal pages are
3523 * never half-dead, and leaf pages must have a high key when half-dead
3524 * (the rightmost page can never be deleted). It's also correct with
3525 * fully deleted pages: _bt_unlink_halfdead_page() doesn't change anything
3526 * about the target page other than setting the page as fully dead, and
3527 * setting its xact field. In particular, it doesn't change the sibling
3528 * links in the deletion target itself, since they're required when index
3529 * scans land on the deletion target, and then need to move right (or need
3530 * to move left, in the case of backward index scans).
3531 */
3532 maxoffset = PageGetMaxOffsetNumber(page);
3533 if (maxoffset > MaxIndexTuplesPerPage)
3534 ereport(ERROR,
3535 (errcode(ERRCODE_INDEX_CORRUPTED),
3536 errmsg("Number of items on block %u of index \"%s\" exceeds MaxIndexTuplesPerPage (%u)",
3537 blocknum, RelationGetRelationName(state->rel),
3538 MaxIndexTuplesPerPage)));
3539
3540 if (!P_ISLEAF(opaque) && !P_ISDELETED(opaque) && maxoffset < P_FIRSTDATAKEY(opaque))
3541 ereport(ERROR,
3542 (errcode(ERRCODE_INDEX_CORRUPTED),
3543 errmsg("internal block %u in index \"%s\" lacks high key and/or at least one downlink",
3544 blocknum, RelationGetRelationName(state->rel))));
3545
3546 if (P_ISLEAF(opaque) && !P_ISDELETED(opaque) && !P_RIGHTMOST(opaque) && maxoffset < P_HIKEY)
3547 ereport(ERROR,
3548 (errcode(ERRCODE_INDEX_CORRUPTED),
3549 errmsg("non-rightmost leaf block %u in index \"%s\" lacks high key item",
3550 blocknum, RelationGetRelationName(state->rel))));
3551
3552 /*
3553 * In general, internal pages are never marked half-dead, except on
3554 * versions of Postgres prior to 9.4, where it can be valid transient
3555 * state. This state is nonetheless treated as corruption by VACUUM on
3556 * from version 9.4 on, so do the same here. See _bt_pagedel() for full
3557 * details.
3558 */
3559 if (!P_ISLEAF(opaque) && P_ISHALFDEAD(opaque))
3560 ereport(ERROR,
3561 (errcode(ERRCODE_INDEX_CORRUPTED),
3562 errmsg("internal page block %u in index \"%s\" is half-dead",
3563 blocknum, RelationGetRelationName(state->rel)),
3564 errhint("This can be caused by an interrupted VACUUM in version 9.3 or older, before upgrade. Please REINDEX it.")));
3565
3566 /*
3567 * Check that internal pages have no garbage items, and that no page has
3568 * an invalid combination of deletion-related page level flags
3569 */
3570 if (!P_ISLEAF(opaque) && P_HAS_GARBAGE(opaque))
3571 ereport(ERROR,
3572 (errcode(ERRCODE_INDEX_CORRUPTED),
3573 errmsg_internal("internal page block %u in index \"%s\" has garbage items",
3574 blocknum, RelationGetRelationName(state->rel))));
3575
3576 if (P_HAS_FULLXID(opaque) && !P_ISDELETED(opaque))
3577 ereport(ERROR,
3578 (errcode(ERRCODE_INDEX_CORRUPTED),
3579 errmsg_internal("full transaction id page flag appears in non-deleted block %u in index \"%s\"",
3580 blocknum, RelationGetRelationName(state->rel))));
3581
3582 if (P_ISDELETED(opaque) && P_ISHALFDEAD(opaque))
3583 ereport(ERROR,
3584 (errcode(ERRCODE_INDEX_CORRUPTED),
3585 errmsg_internal("deleted page block %u in index \"%s\" is half-dead",
3586 blocknum, RelationGetRelationName(state->rel))));
3587
3588 return page;
3589}
3590
3591/*
3592 * _bt_mkscankey() wrapper that automatically prevents insertion scankey from
3593 * being considered greater than the pivot tuple that its values originated
3594 * from (or some other identical pivot tuple) in the common case where there
3595 * are truncated/minus infinity attributes. Without this extra step, there
3596 * are forms of corruption that amcheck could theoretically fail to report.
3597 *
3598 * For example, invariant_g_offset() might miss a cross-page invariant failure
3599 * on an internal level if the scankey built from the first item on the
3600 * target's right sibling page happened to be equal to (not greater than) the
3601 * last item on target page. The !backward tiebreaker in _bt_compare() might
3602 * otherwise cause amcheck to assume (rather than actually verify) that the
3603 * scankey is greater.
3604 */
3605static inline BTScanInsert
3606bt_mkscankey_pivotsearch(Relation rel, IndexTuple itup)
3607{
3608 BTScanInsert skey;
3609
3610 skey = _bt_mkscankey(rel, itup);
3611 skey->backward = true;
3612
3613 return skey;
3614}
3615
3616/*
3617 * PageGetItemId() wrapper that validates returned line pointer.
3618 *
3619 * Buffer page/page item access macros generally trust that line pointers are
3620 * not corrupt, which might cause problems for verification itself. For
3621 * example, there is no bounds checking in PageGetItem(). Passing it a
3622 * corrupt line pointer can cause it to return a tuple/pointer that is unsafe
3623 * to dereference.
3624 *
3625 * Validating line pointers before tuples avoids undefined behavior and
3626 * assertion failures with corrupt indexes, making the verification process
3627 * more robust and predictable.
3628 */
3629static ItemId
3630PageGetItemIdCareful(BtreeCheckState *state, BlockNumber block, Page page,
3631 OffsetNumber offset)
3632{
3633 ItemId itemid = PageGetItemId(page, offset);
3634
3635 if (ItemIdGetOffset(itemid) + ItemIdGetLength(itemid) >
3636 BLCKSZ - MAXALIGN(sizeof(BTPageOpaqueData)))
3637 ereport(ERROR,
3638 (errcode(ERRCODE_INDEX_CORRUPTED),
3639 errmsg("line pointer points past end of tuple space in index \"%s\"",
3640 RelationGetRelationName(state->rel)),
3641 errdetail_internal("Index tid=(%u,%u) lp_off=%u, lp_len=%u lp_flags=%u.",
3642 block, offset, ItemIdGetOffset(itemid),
3643 ItemIdGetLength(itemid),
3644 ItemIdGetFlags(itemid))));
3645
3646 /*
3647 * Verify that line pointer isn't LP_REDIRECT or LP_UNUSED, since nbtree
3648 * never uses either. Verify that line pointer has storage, too, since
3649 * even LP_DEAD items should within nbtree.
3650 */
3651 if (ItemIdIsRedirected(itemid) || !ItemIdIsUsed(itemid) ||
3652 ItemIdGetLength(itemid) == 0)
3653 ereport(ERROR,
3654 (errcode(ERRCODE_INDEX_CORRUPTED),
3655 errmsg("invalid line pointer storage in index \"%s\"",
3656 RelationGetRelationName(state->rel)),
3657 errdetail_internal("Index tid=(%u,%u) lp_off=%u, lp_len=%u lp_flags=%u.",
3658 block, offset, ItemIdGetOffset(itemid),
3659 ItemIdGetLength(itemid),
3660 ItemIdGetFlags(itemid))));
3661
3662 return itemid;
3663}
3664
3665/*
3666 * BTreeTupleGetHeapTID() wrapper that enforces that a heap TID is present in
3667 * cases where that is mandatory (i.e. for non-pivot tuples)
3668 */
3669static inline ItemPointer
3670BTreeTupleGetHeapTIDCareful(BtreeCheckState *state, IndexTuple itup,
3671 bool nonpivot)
3672{
3673 ItemPointer htid;
3674
3675 /*
3676 * Caller determines whether this is supposed to be a pivot or non-pivot
3677 * tuple using page type and item offset number. Verify that tuple
3678 * metadata agrees with this.
3679 */
3680 Assert(state->heapkeyspace);
3681 if (BTreeTupleIsPivot(itup) && nonpivot)
3682 ereport(ERROR,
3683 (errcode(ERRCODE_INDEX_CORRUPTED),
3684 errmsg_internal("block %u or its right sibling block or child block in index \"%s\" has unexpected pivot tuple",
3685 state->targetblock,
3686 RelationGetRelationName(state->rel))));
3687
3688 if (!BTreeTupleIsPivot(itup) && !nonpivot)
3689 ereport(ERROR,
3690 (errcode(ERRCODE_INDEX_CORRUPTED),
3691 errmsg_internal("block %u or its right sibling block or child block in index \"%s\" has unexpected non-pivot tuple",
3692 state->targetblock,
3693 RelationGetRelationName(state->rel))));
3694
3695 htid = BTreeTupleGetHeapTID(itup);
3696 if (!ItemPointerIsValid(htid) && nonpivot)
3697 ereport(ERROR,
3698 (errcode(ERRCODE_INDEX_CORRUPTED),
3699 errmsg("block %u or its right sibling block or child block in index \"%s\" contains non-pivot tuple that lacks a heap TID",
3700 state->targetblock,
3701 RelationGetRelationName(state->rel))));
3702
3703 return htid;
3704}
3705
3706/*
3707 * Return the "pointed to" TID for itup, which is used to generate a
3708 * descriptive error message. itup must be a "data item" tuple (it wouldn't
3709 * make much sense to call here with a high key tuple, since there won't be a
3710 * valid downlink/block number to display).
3711 *
3712 * Returns either a heap TID (which will be the first heap TID in posting list
3713 * if itup is posting list tuple), or a TID that contains downlink block
3714 * number, plus some encoded metadata (e.g., the number of attributes present
3715 * in itup).
3716 */
3717static inline ItemPointer
3718BTreeTupleGetPointsToTID(IndexTuple itup)
3719{
3720 /*
3721 * Rely on the assumption that !heapkeyspace internal page data items will
3722 * correctly return TID with downlink here -- BTreeTupleGetHeapTID() won't
3723 * recognize it as a pivot tuple, but everything still works out because
3724 * the t_tid field is still returned
3725 */
3726 if (!BTreeTupleIsPivot(itup))
3727 return BTreeTupleGetHeapTID(itup);
3728
3729 /* Pivot tuple returns TID with downlink block (heapkeyspace variant) */
3730 return &itup->t_tid;
3731}
BlockNumber
uint32 BlockNumber
Definition: block.h:31
InvalidBlockNumber
#define InvalidBlockNumber
Definition: block.h:33
BlockNumberIsValid
static bool BlockNumberIsValid(BlockNumber blockNumber)
Definition: block.h:71
bloom_free
void bloom_free(bloom_filter *filter)
Definition: bloomfilter.c:126
bloom_create
bloom_filter * bloom_create(int64 total_elems, int bloom_work_mem, uint64 seed)
Definition: bloomfilter.c:87
bloom_prop_bits_set
double bloom_prop_bits_set(bloom_filter *filter)
Definition: bloomfilter.c:187
bloom_lacks_element
bool bloom_lacks_element(bloom_filter *filter, unsigned char *elem, size_t len)
Definition: bloomfilter.c:157
bloom_add_element
void bloom_add_element(bloom_filter *filter, unsigned char *elem, size_t len)
Definition: bloomfilter.c:135
values
static Datum values[MAXATTR]
Definition: bootstrap.c:151
Buffer
int Buffer
Definition: buf.h:23
InvalidBuffer
#define InvalidBuffer
Definition: buf.h:25
UnlockReleaseBuffer
void UnlockReleaseBuffer(Buffer buffer)
Definition: bufmgr.c:4872
LockBuffer
void LockBuffer(Buffer buffer, int mode)
Definition: bufmgr.c:5089
ReadBufferExtended
Buffer ReadBufferExtended(Relation reln, ForkNumber forkNum, BlockNumber blockNum, ReadBufferMode mode, BufferAccessStrategy strategy)
Definition: bufmgr.c:798
BAS_BULKREAD
@ BAS_BULKREAD
Definition: bufmgr.h:36
RelationGetNumberOfBlocks
#define RelationGetNumberOfBlocks(reln)
Definition: bufmgr.h:275
BufferGetPage
static Page BufferGetPage(Buffer buffer)
Definition: bufmgr.h:402
RBM_NORMAL
@ RBM_NORMAL
Definition: bufmgr.h:45
BufferIsValid
static bool BufferIsValid(Buffer bufnum)
Definition: bufmgr.h:353
PageGetItem
static Item PageGetItem(const PageData *page, const ItemIdData *itemId)
Definition: bufpage.h:354
PageGetItemId
static ItemId PageGetItemId(Page page, OffsetNumber offsetNumber)
Definition: bufpage.h:244
Page
PageData * Page
Definition: bufpage.h:82
PageGetLSN
static XLogRecPtr PageGetLSN(const PageData *page)
Definition: bufpage.h:386
PageGetMaxOffsetNumber
static OffsetNumber PageGetMaxOffsetNumber(const PageData *page)
Definition: bufpage.h:372
MAXALIGN
#define MAXALIGN(LEN)
Definition: c.h:782
Max
#define Max(x, y)
Definition: c.h:969
INT64_FORMAT
#define INT64_FORMAT
Definition: c.h:520
int64
int64_t int64
Definition: c.h:499
int32
int32_t int32
Definition: c.h:498
uint64
uint64_t uint64
Definition: c.h:503
unlikely
#define unlikely(x)
Definition: c.h:347
uint32
uint32_t uint32
Definition: c.h:502
OidIsValid
#define OidIsValid(objectId)
Definition: c.h:746
Size
size_t Size
Definition: c.h:576
errmsg_internal
int errmsg_internal(const char *fmt,...)
Definition: elog.c:1157
errdetail_internal
int errdetail_internal(const char *fmt,...)
Definition: elog.c:1230
errdetail
int errdetail(const char *fmt,...)
Definition: elog.c:1203
errhint
int errhint(const char *fmt,...)
Definition: elog.c:1317
errcode
int errcode(int sqlerrcode)
Definition: elog.c:853
errmsg
int errmsg(const char *fmt,...)
Definition: elog.c:1070
DEBUG2
#define DEBUG2
Definition: elog.h:29
DEBUG1
#define DEBUG1
Definition: elog.h:30
ERROR
#define ERROR
Definition: elog.h:39
elog
#define elog(elevel,...)
Definition: elog.h:225
ereport
#define ereport(elevel,...)
Definition: elog.h:149
ExecDropSingleTupleTableSlot
void ExecDropSingleTupleTableSlot(TupleTableSlot *slot)
Definition: execTuples.c:1441
PG_RETURN_VOID
#define PG_RETURN_VOID()
Definition: fmgr.h:349
PG_GETARG_OID
#define PG_GETARG_OID(n)
Definition: fmgr.h:275
PG_NARGS
#define PG_NARGS()
Definition: fmgr.h:203
PG_DETOAST_DATUM
#define PG_DETOAST_DATUM(datum)
Definition: fmgr.h:240
PG_GETARG_BOOL
#define PG_GETARG_BOOL(n)
Definition: fmgr.h:274
PG_FUNCTION_ARGS
#define PG_FUNCTION_ARGS
Definition: fmgr.h:193
GetAccessStrategy
BufferAccessStrategy GetAccessStrategy(BufferAccessStrategyType btype)
Definition: freelist.c:541
maintenance_work_mem
int maintenance_work_mem
Definition: globals.c:132
NewGUCNestLevel
int NewGUCNestLevel(void)
Definition: guc.c:2235
RestrictSearchPath
void RestrictSearchPath(void)
Definition: guc.c:2246
AtEOXact_GUC
void AtEOXact_GUC(bool isCommit, int nestLevel)
Definition: guc.c:2262
Assert
Assert(PointerIsAligned(start, uint64))
start
return str start
Definition: hashfn_unstable.h:282
TOAST_INDEX_TARGET
#define TOAST_INDEX_TARGET
Definition: heaptoast.h:68
htup_details.h
HeapTupleHeaderGetXmin
static TransactionId HeapTupleHeaderGetXmin(const HeapTupleHeaderData *tup)
Definition: htup_details.h:324
IndexGetRelation
Oid IndexGetRelation(Oid indexId, bool missing_ok)
Definition: index.c:3583
BuildIndexInfo
IndexInfo * BuildIndexInfo(Relation index)
Definition: index.c:2428
index_close
void index_close(Relation relation, LOCKMODE lockmode)
Definition: indexam.c:177
index_open
Relation index_open(Oid relationId, LOCKMODE lockmode)
Definition: indexam.c:133
index_form_tuple
IndexTuple index_form_tuple(TupleDesc tupleDescriptor, const Datum *values, const bool *isnull)
Definition: indextuple.c:44
i
int i
Definition: isn.c:74
ItemIdGetLength
#define ItemIdGetLength(itemId)
Definition: itemid.h:59
ItemIdGetOffset
#define ItemIdGetOffset(itemId)
Definition: itemid.h:65
ItemIdIsDead
#define ItemIdIsDead(itemId)
Definition: itemid.h:113
ItemIdIsUsed
#define ItemIdIsUsed(itemId)
Definition: itemid.h:92
ItemIdIsRedirected
#define ItemIdIsRedirected(itemId)
Definition: itemid.h:106
ItemIdGetFlags
#define ItemIdGetFlags(itemId)
Definition: itemid.h:71
ItemPointerCompare
int32 ItemPointerCompare(ItemPointer arg1, ItemPointer arg2)
Definition: itemptr.c:51
ItemPointerGetOffsetNumber
static OffsetNumber ItemPointerGetOffsetNumber(const ItemPointerData *pointer)
Definition: itemptr.h:124
ItemPointerGetOffsetNumberNoCheck
static OffsetNumber ItemPointerGetOffsetNumberNoCheck(const ItemPointerData *pointer)
Definition: itemptr.h:114
ItemPointerGetBlockNumber
static BlockNumber ItemPointerGetBlockNumber(const ItemPointerData *pointer)
Definition: itemptr.h:103
ItemPointerGetBlockNumberNoCheck
static BlockNumber ItemPointerGetBlockNumberNoCheck(const ItemPointerData *pointer)
Definition: itemptr.h:93
ItemPointerCopy
static void ItemPointerCopy(const ItemPointerData *fromPointer, ItemPointerData *toPointer)
Definition: itemptr.h:172
ItemPointerIsValid
static bool ItemPointerIsValid(const ItemPointerData *pointer)
Definition: itemptr.h:83
IndexTupleHasVarwidths
static bool IndexTupleHasVarwidths(const IndexTupleData *itup)
Definition: itup.h:83
IndexTuple
IndexTupleData * IndexTuple
Definition: itup.h:53
index_getattr
static Datum index_getattr(IndexTuple tup, int attnum, TupleDesc tupleDesc, bool *isnull)
Definition: itup.h:131
IndexTupleSize
static Size IndexTupleSize(const IndexTupleData *itup)
Definition: itup.h:71
MaxIndexTuplesPerPage
#define MaxIndexTuplesPerPage
Definition: itup.h:181
LOCKMODE
int LOCKMODE
Definition: lockdefs.h:26
AccessShareLock
#define AccessShareLock
Definition: lockdefs.h:36
ShareLock
#define ShareLock
Definition: lockdefs.h:40
MemoryContextAlloc
void * MemoryContextAlloc(MemoryContext context, Size size)
Definition: mcxt.c:1181
MemoryContextReset
void MemoryContextReset(MemoryContext context)
Definition: mcxt.c:383
pfree
void pfree(void *pointer)
Definition: mcxt.c:1524
palloc0
void * palloc0(Size size)
Definition: mcxt.c:1347
palloc
void * palloc(Size size)
Definition: mcxt.c:1317
CurrentMemoryContext
MemoryContext CurrentMemoryContext
Definition: mcxt.c:143
MemoryContextDelete
void MemoryContextDelete(MemoryContext context)
Definition: mcxt.c:454
AllocSetContextCreate
#define AllocSetContextCreate
Definition: memutils.h:129
ALLOCSET_DEFAULT_SIZES
#define ALLOCSET_DEFAULT_SIZES
Definition: memutils.h:160
SECURITY_RESTRICTED_OPERATION
#define SECURITY_RESTRICTED_OPERATION
Definition: miscadmin.h:318
CHECK_FOR_INTERRUPTS
#define CHECK_FOR_INTERRUPTS()
Definition: miscadmin.h:122
GetUserIdAndSecContext
void GetUserIdAndSecContext(Oid *userid, int *sec_context)
Definition: miscinit.c:663
SetUserIdAndSecContext
void SetUserIdAndSecContext(Oid userid, int sec_context)
Definition: miscinit.c:670
_bt_form_posting
IndexTuple _bt_form_posting(IndexTuple base, ItemPointer htids, int nhtids)
Definition: nbtdedup.c:864
_bt_relbuf
void _bt_relbuf(Relation rel, Buffer buf)
Definition: nbtpage.c:1023
_bt_checkpage
void _bt_checkpage(Relation rel, Buffer buf)
Definition: nbtpage.c:797
_bt_metaversion
void _bt_metaversion(Relation rel, bool *heapkeyspace, bool *allequalimage)
Definition: nbtpage.c:739
P_HAS_FULLXID
#define P_HAS_FULLXID(opaque)
Definition: nbtree.h:228
P_ISHALFDEAD
#define P_ISHALFDEAD(opaque)
Definition: nbtree.h:224
BTreeTupleGetNPosting
static uint16 BTreeTupleGetNPosting(IndexTuple posting)
Definition: nbtree.h:518
BTreeTupleIsPivot
static bool BTreeTupleIsPivot(IndexTuple itup)
Definition: nbtree.h:480
BTPageGetMeta
#define BTPageGetMeta(p)
Definition: nbtree.h:121
P_ISLEAF
#define P_ISLEAF(opaque)
Definition: nbtree.h:220
BTREE_MIN_VERSION
#define BTREE_MIN_VERSION
Definition: nbtree.h:151
P_HIKEY
#define P_HIKEY
Definition: nbtree.h:367
P_HAS_GARBAGE
#define P_HAS_GARBAGE(opaque)
Definition: nbtree.h:226
P_ISMETA
#define P_ISMETA(opaque)
Definition: nbtree.h:223
BTPageGetOpaque
#define BTPageGetOpaque(page)
Definition: nbtree.h:73
P_ISDELETED
#define P_ISDELETED(opaque)
Definition: nbtree.h:222
BTREE_MAGIC
#define BTREE_MAGIC
Definition: nbtree.h:149
BTREE_VERSION
#define BTREE_VERSION
Definition: nbtree.h:150
BTreeTupleGetTopParent
static BlockNumber BTreeTupleGetTopParent(IndexTuple leafhikey)
Definition: nbtree.h:620
MaxTIDsPerBTreePage
#define MaxTIDsPerBTreePage
Definition: nbtree.h:185
P_FIRSTDATAKEY
#define P_FIRSTDATAKEY(opaque)
Definition: nbtree.h:369
P_ISROOT
#define P_ISROOT(opaque)
Definition: nbtree.h:221
P_NONE
#define P_NONE
Definition: nbtree.h:212
P_RIGHTMOST
#define P_RIGHTMOST(opaque)
Definition: nbtree.h:219
P_INCOMPLETE_SPLIT
#define P_INCOMPLETE_SPLIT(opaque)
Definition: nbtree.h:227
BTREE_METAPAGE
#define BTREE_METAPAGE
Definition: nbtree.h:148
BTreeTupleGetPostingN
static ItemPointer BTreeTupleGetPostingN(IndexTuple posting, int n)
Definition: nbtree.h:544
BT_READ
#define BT_READ
Definition: nbtree.h:724
BTreeTupleGetDownLink
static BlockNumber BTreeTupleGetDownLink(IndexTuple pivot)
Definition: nbtree.h:556
P_IGNORE
#define P_IGNORE(opaque)
Definition: nbtree.h:225
BTreeTupleGetMaxHeapTID
static ItemPointer BTreeTupleGetMaxHeapTID(IndexTuple itup)
Definition: nbtree.h:664
BTreeTupleIsPosting
static bool BTreeTupleIsPosting(IndexTuple itup)
Definition: nbtree.h:492
BTMaxItemSizeNoHeapTid
#define BTMaxItemSizeNoHeapTid
Definition: nbtree.h:169
BTreeTupleGetHeapTID
static ItemPointer BTreeTupleGetHeapTID(IndexTuple itup)
Definition: nbtree.h:638
BTMaxItemSize
#define BTMaxItemSize
Definition: nbtree.h:164
BTreeTupleGetNAtts
#define BTreeTupleGetNAtts(itup, rel)
Definition: nbtree.h:577
_bt_search
BTStack _bt_search(Relation rel, Relation heaprel, BTScanInsert key, Buffer *bufP, int access)
Definition: nbtsearch.c:102
_bt_binsrch_insert
OffsetNumber _bt_binsrch_insert(Relation rel, BTInsertState insertstate)
Definition: nbtsearch.c:474
_bt_compare
int32 _bt_compare(Relation rel, BTScanInsert key, Page page, OffsetNumber offnum)
Definition: nbtsearch.c:688
_bt_freestack
void _bt_freestack(BTStack stack)
Definition: nbtutils.c:172
_bt_mkscankey
BTScanInsert _bt_mkscankey(Relation rel, IndexTuple itup)
Definition: nbtutils.c:80
_bt_check_natts
bool _bt_check_natts(Relation rel, bool heapkeyspace, Page page, OffsetNumber offnum)
Definition: nbtutils.c:3079
_bt_allequalimage
bool _bt_allequalimage(Relation rel, bool debugmessage)
Definition: nbtutils.c:3296
InvalidOffsetNumber
#define InvalidOffsetNumber
Definition: off.h:26
OffsetNumberIsValid
#define OffsetNumberIsValid(offsetNumber)
Definition: off.h:39
OffsetNumberNext
#define OffsetNumberNext(offsetNumber)
Definition: off.h:52
OffsetNumber
uint16 OffsetNumber
Definition: off.h:24
MemoryContextSwitchTo
static MemoryContext MemoryContextSwitchTo(MemoryContext context)
Definition: palloc.h:124
pg_am.h
Form_pg_attribute
FormData_pg_attribute * Form_pg_attribute
Definition: pg_attribute.h:200
ERRCODE_DATA_CORRUPTED
#define ERRCODE_DATA_CORRUPTED
Definition: pg_basebackup.c:41
INDEX_MAX_KEYS
#define INDEX_MAX_KEYS
Definition: pg_config_manual.h:69
len
const void size_t len
Definition: pg_crc32c_sse42.c:25
data
const void * data
Definition: pg_crc32c_sse42.c:24
pg_prng_uint64
uint64 pg_prng_uint64(pg_prng_state *state)
Definition: pg_prng.c:134
pg_global_prng_state
pg_prng_state pg_global_prng_state
Definition: pg_prng.c:34
pg_prng.h
ERRCODE_T_R_SERIALIZATION_FAILURE
#define ERRCODE_T_R_SERIALIZATION_FAILURE
Definition: pgbench.c:77
ERRCODE_UNDEFINED_TABLE
#define ERRCODE_UNDEFINED_TABLE
Definition: pgbench.c:79
PointerGetDatum
static Datum PointerGetDatum(const void *X)
Definition: postgres.h:327
Datum
uintptr_t Datum
Definition: postgres.h:69
DatumGetPointer
static Pointer DatumGetPointer(Datum X)
Definition: postgres.h:317
InvalidOid
#define InvalidOid
Definition: postgres_ext.h:37
Oid
unsigned int Oid
Definition: postgres_ext.h:32
psprintf
char * psprintf(const char *fmt,...)
Definition: psprintf.c:43
cmp
static int cmp(const chr *x, const chr *y, size_t len)
Definition: regc_locale.c:743
RelationGetSmgr
static SMgrRelation RelationGetSmgr(Relation rel)
Definition: rel.h:575
RelationGetDescr
#define RelationGetDescr(relation)
Definition: rel.h:539
RelationGetRelationName
#define RelationGetRelationName(relation)
Definition: rel.h:547
RELATION_IS_OTHER_TEMP
#define RELATION_IS_OTHER_TEMP(relation)
Definition: rel.h:666
IndexRelationGetNumberOfKeyAttributes
#define IndexRelationGetNumberOfKeyAttributes(relation)
Definition: rel.h:532
MAIN_FORKNUM
@ MAIN_FORKNUM
Definition: relpath.h:58
smgrexists
bool smgrexists(SMgrRelation reln, ForkNumber forknum)
Definition: smgr.c:401
RecentXmin
TransactionId RecentXmin
Definition: snapmgr.c:159
GetTransactionSnapshot
Snapshot GetTransactionSnapshot(void)
Definition: snapmgr.c:271
UnregisterSnapshot
void UnregisterSnapshot(Snapshot snapshot)
Definition: snapmgr.c:853
RegisterSnapshot
Snapshot RegisterSnapshot(Snapshot snapshot)
Definition: snapmgr.c:811
SnapshotAny
#define SnapshotAny
Definition: snapmgr.h:33
InvalidSnapshot
#define InvalidSnapshot
Definition: snapshot.h:119
BTInsertStateData::bounds_valid
bool bounds_valid
Definition: nbtree.h:828
BTInsertStateData::itup
IndexTuple itup
Definition: nbtree.h:816
BTInsertStateData::itup_key
BTScanInsert itup_key
Definition: nbtree.h:818
BTMetaPageData::btm_level
uint32 btm_level
Definition: nbtree.h:108
BTMetaPageData::btm_fastroot
BlockNumber btm_fastroot
Definition: nbtree.h:109
BTMetaPageData::btm_version
uint32 btm_version
Definition: nbtree.h:106
BTMetaPageData::btm_magic
uint32 btm_magic
Definition: nbtree.h:105
BTMetaPageData::btm_root
BlockNumber btm_root
Definition: nbtree.h:107
BTMetaPageData::btm_fastlevel
uint32 btm_fastlevel
Definition: nbtree.h:110
BTPageOpaqueData::btpo_next
BlockNumber btpo_next
Definition: nbtree.h:65
BTPageOpaqueData::btpo_prev
BlockNumber btpo_prev
Definition: nbtree.h:64
BTPageOpaqueData::btpo_level
uint32 btpo_level
Definition: nbtree.h:66
BTScanInsertData::scantid
ItemPointer scantid
Definition: nbtree.h:796
BTScanInsertData::heapkeyspace
bool heapkeyspace
Definition: nbtree.h:791
BTScanInsertData::anynullkeys
bool anynullkeys
Definition: nbtree.h:793
BtreeCheckState::checkstrategy
BufferAccessStrategy checkstrategy
Definition: verify_nbtree.c:88
BtreeCheckState::snapshot
Snapshot snapshot
Definition: verify_nbtree.c:94
BtreeCheckState::filter
bloom_filter * filter
Definition: verify_nbtree.c:126
BtreeCheckState::targetblock
BlockNumber targetblock
Definition: verify_nbtree.c:103
BtreeCheckState::prevrightlink
BlockNumber prevrightlink
Definition: verify_nbtree.c:118
BtreeCheckState::targetlsn
XLogRecPtr targetlsn
Definition: verify_nbtree.c:105
BtreeCheckState::targetcontext
MemoryContext targetcontext
Definition: verify_nbtree.c:86
BtreeCheckState::lowkey
IndexTuple lowkey
Definition: verify_nbtree.c:111
BtreeCheckState::heaprel
Relation heaprel
Definition: verify_nbtree.c:74
BtreeCheckState::indexinfo
IndexInfo * indexinfo
Definition: verify_nbtree.c:93
BtreeLevel::istruerootlevel
bool istruerootlevel
Definition: verify_nbtree.c:143
BtreeLevel::level
uint32 level
Definition: verify_nbtree.c:137
BtreeLevel::leftmost
BlockNumber leftmost
Definition: verify_nbtree.c:140
HeapTupleData::t_data
HeapTupleHeader t_data
Definition: htup.h:68
IndexInfo::ii_Unique
bool ii_Unique
Definition: execnodes.h:209
IndexInfo::ii_ExclusionStrats
uint16 * ii_ExclusionStrats
Definition: execnodes.h:205
IndexInfo::ii_ExclusionOps
Oid * ii_ExclusionOps
Definition: execnodes.h:203
IndexInfo::ii_Concurrent
bool ii_Concurrent
Definition: execnodes.h:214
IndexInfo::ii_ExclusionProcs
Oid * ii_ExclusionProcs
Definition: execnodes.h:204
IndexTupleData::t_tid
ItemPointerData t_tid
Definition: itup.h:37
IndexTupleData::t_info
unsigned short t_info
Definition: itup.h:49
ItemPointerData::ip_posid
OffsetNumber ip_posid
Definition: itemptr.h:39
RelationData::rd_indextuple
struct HeapTupleData * rd_indextuple
Definition: rel.h:194
RelationData::rd_index
Form_pg_index rd_index
Definition: rel.h:192
RelationData::rd_opfamily
Oid * rd_opfamily
Definition: rel.h:207
RelationData::rd_rel
Form_pg_class rd_rel
Definition: rel.h:111
SnapshotData::xmin
TransactionId xmin
Definition: snapshot.h:153
bloom_filter
Definition: bloomfilter.c:45
index
Definition: type.h:96
state
Definition: regguts.h:323
table_close
void table_close(Relation relation, LOCKMODE lockmode)
Definition: table.c:126
table_open
Relation table_open(Oid relationId, LOCKMODE lockmode)
Definition: table.c:40
table_slot_create
TupleTableSlot * table_slot_create(Relation relation, List **reglist)
Definition: tableam.c:92
table_beginscan_strat
static TableScanDesc table_beginscan_strat(Relation rel, Snapshot snapshot, int nkeys, struct ScanKeyData *key, bool allow_strat, bool allow_sync)
Definition: tableam.h:901
table_index_build_scan
static double table_index_build_scan(Relation table_rel, Relation index_rel, struct IndexInfo *index_info, bool allow_sync, bool progress, IndexBuildCallback callback, void *callback_state, TableScanDesc scan)
Definition: tableam.h:1745
table_tuple_fetch_row_version
static bool table_tuple_fetch_row_version(Relation rel, ItemPointer tid, Snapshot snapshot, TupleTableSlot *slot)
Definition: tableam.h:1258
TransactionIdPrecedes
bool TransactionIdPrecedes(TransactionId id1, TransactionId id2)
Definition: transam.c:280
TransactionIdIsValid
#define TransactionIdIsValid(xid)
Definition: transam.h:41
TupleDescAttr
static FormData_pg_attribute * TupleDescAttr(TupleDesc tupdesc, int i)
Definition: tupdesc.h:154
SET_VARSIZE_SHORT
#define SET_VARSIZE_SHORT(PTR, len)
Definition: varatt.h:306
VARATT_CAN_MAKE_SHORT
#define VARATT_CAN_MAKE_SHORT(PTR)
Definition: varatt.h:258
VARDATA
#define VARDATA(PTR)
Definition: varatt.h:278
VARATT_IS_COMPRESSED
#define VARATT_IS_COMPRESSED(PTR)
Definition: varatt.h:288
VARSIZE
#define VARSIZE(PTR)
Definition: varatt.h:279
VARATT_CONVERTED_SHORT_SIZE
#define VARATT_CONVERTED_SHORT_SIZE(PTR)
Definition: varatt.h:261
VARATT_IS_EXTERNAL
#define VARATT_IS_EXTERNAL(PTR)
Definition: varatt.h:289
offset_is_negative_infinity
static bool offset_is_negative_infinity(BTPageOpaque opaque, OffsetNumber offset)
Definition: verify_nbtree.c:3211
bt_leftmost_ignoring_half_dead
static bool bt_leftmost_ignoring_half_dead(BtreeCheckState *state, BlockNumber start, BTPageOpaque start_opaque)
Definition: verify_nbtree.c:1146
invariant_l_offset
static bool invariant_l_offset(BtreeCheckState *state, BTScanInsert key, OffsetNumber upperbound)
Definition: verify_nbtree.c:3246
BTreeTupleGetPointsToTID
static ItemPointer BTreeTupleGetPointsToTID(IndexTuple itup)
Definition: verify_nbtree.c:3718
BtreeCheckState
struct BtreeCheckState BtreeCheckState
bt_posting_plain_tuple
static IndexTuple bt_posting_plain_tuple(IndexTuple itup, int n)
Definition: verify_nbtree.c:3114
BtreeLastVisibleEntry
struct BtreeLastVisibleEntry BtreeLastVisibleEntry
bt_target_page_check
static void bt_target_page_check(BtreeCheckState *state)
Definition: verify_nbtree.c:1375
bt_check_every_level
static void bt_check_every_level(Relation rel, Relation heaprel, bool heapkeyspace, bool readonly, bool heapallindexed, bool rootdescend, bool checkunique)
Definition: verify_nbtree.c:500
bt_report_duplicate
static void bt_report_duplicate(BtreeCheckState *state, BtreeLastVisibleEntry *lVis, ItemPointer nexttid, BlockNumber nblock, OffsetNumber noffset, int nposting)
Definition: verify_nbtree.c:1007
PG_MODULE_MAGIC
PG_MODULE_MAGIC
Definition: verify_nbtree.c:45
bt_pivot_tuple_identical
static bool bt_pivot_tuple_identical(bool heapkeyspace, IndexTuple itup1, IndexTuple itup2)
Definition: verify_nbtree.c:2210
bt_index_check_internal
static void bt_index_check_internal(Oid indrelid, bool parentcheck, bool heapallindexed, bool rootdescend, bool checkunique)
Definition: verify_nbtree.c:287
invariant_leq_offset
static bool invariant_leq_offset(BtreeCheckState *state, BTScanInsert key, OffsetNumber upperbound)
Definition: verify_nbtree.c:3309
bt_index_parent_check
Datum bt_index_parent_check(PG_FUNCTION_ARGS)
Definition: verify_nbtree.c:264
bt_child_highkey_check
static void bt_child_highkey_check(BtreeCheckState *state, OffsetNumber target_downlinkoffnum, Page loaded_child, uint32 target_level)
Definition: verify_nbtree.c:2283
heap_entry_is_visible
static bool heap_entry_is_visible(BtreeCheckState *state, ItemPointer tid)
Definition: verify_nbtree.c:988
bt_mkscankey_pivotsearch
static BTScanInsert bt_mkscankey_pivotsearch(Relation rel, IndexTuple itup)
Definition: verify_nbtree.c:3606
bt_index_check
Datum bt_index_check(PG_FUNCTION_ARGS)
Definition: verify_nbtree.c:238
bt_check_level_from_leftmost
static BtreeLevel bt_check_level_from_leftmost(BtreeCheckState *state, BtreeLevel level)
Definition: verify_nbtree.c:760
bt_downlink_missing_check
static void bt_downlink_missing_check(BtreeCheckState *state, bool rightsplit, BlockNumber blkno, Page page)
Definition: verify_nbtree.c:2695
PG_FUNCTION_INFO_V1
PG_FUNCTION_INFO_V1(bt_index_check)
PageGetItemIdCareful
static ItemId PageGetItemIdCareful(BtreeCheckState *state, BlockNumber block, Page page, OffsetNumber offset)
Definition: verify_nbtree.c:3630
bt_tuple_present_callback
static void bt_tuple_present_callback(Relation index, ItemPointer tid, Datum *values, bool *isnull, bool tupleIsAlive, void *checkstate)
Definition: verify_nbtree.c:2918
btree_index_mainfork_expected
static bool btree_index_mainfork_expected(Relation rel)
Definition: verify_nbtree.c:462
bt_rootdescend
static bool bt_rootdescend(BtreeCheckState *state, IndexTuple itup)
Definition: verify_nbtree.c:3147
bt_right_page_check_scankey
static BTScanInsert bt_right_page_check_scankey(BtreeCheckState *state, OffsetNumber *rightfirstoffset)
Definition: verify_nbtree.c:2003
invariant_g_offset
static bool invariant_g_offset(BtreeCheckState *state, BTScanInsert key, OffsetNumber lowerbound)
Definition: verify_nbtree.c:3332
InvalidBtreeLevel
#define InvalidBtreeLevel
Definition: verify_nbtree.c:51
palloc_btree_page
static Page palloc_btree_page(BtreeCheckState *state, BlockNumber blocknum)
Definition: verify_nbtree.c:3428
bt_normalize_tuple
static IndexTuple bt_normalize_tuple(BtreeCheckState *state, IndexTuple itup)
Definition: verify_nbtree.c:2986
bt_recheck_sibling_links
static void bt_recheck_sibling_links(BtreeCheckState *state, BlockNumber btpo_prev_from_target, BlockNumber leftcurrent)
Definition: verify_nbtree.c:1235
BTreeTupleGetHeapTIDCareful
static ItemPointer BTreeTupleGetHeapTIDCareful(BtreeCheckState *state, IndexTuple itup, bool nonpivot)
Definition: verify_nbtree.c:3670
BTreeTupleGetNKeyAtts
#define BTreeTupleGetNKeyAtts(itup, rel)
Definition: verify_nbtree.c:52
bt_child_check
static void bt_child_check(BtreeCheckState *state, BTScanInsert targetkey, OffsetNumber downlinkoffnum)
Definition: verify_nbtree.c:2530
bt_entry_unique_check
static void bt_entry_unique_check(BtreeCheckState *state, IndexTuple itup, BlockNumber targetblock, OffsetNumber offset, BtreeLastVisibleEntry *lVis)
Definition: verify_nbtree.c:1047
btree_index_checkable
static void btree_index_checkable(Relation rel)
Definition: verify_nbtree.c:428
invariant_l_nontarget_offset
static bool invariant_l_nontarget_offset(BtreeCheckState *state, BTScanInsert key, BlockNumber nontargetblock, Page nontarget, OffsetNumber upperbound)
Definition: verify_nbtree.c:3368
BtreeLevel
struct BtreeLevel BtreeLevel
IsolationUsesXactSnapshot
#define IsolationUsesXactSnapshot()
Definition: xact.h:51
RecoveryInProgress
bool RecoveryInProgress(void)
Definition: xlog.c:6380
LSN_FORMAT_ARGS
#define LSN_FORMAT_ARGS(lsn)
Definition: xlogdefs.h:43
XLogRecPtr
uint64 XLogRecPtr
Definition: xlogdefs.h:21