Age Owner Branch data TLA Line data Source code
1 : : /*-------------------------------------------------------------------------
2 : : *
3 : : * verify_heapam.c
4 : : * Functions to check postgresql heap relations for corruption
5 : : *
6 : : * Copyright (c) 2016-2026, PostgreSQL Global Development Group
7 : : *
8 : : * contrib/amcheck/verify_heapam.c
9 : : *-------------------------------------------------------------------------
10 : : */
11 : : #include "postgres.h"
12 : :
13 : : #include "access/detoast.h"
14 : : #include "access/genam.h"
15 : : #include "access/heaptoast.h"
16 : : #include "access/multixact.h"
17 : : #include "access/relation.h"
18 : : #include "access/table.h"
19 : : #include "access/toast_internals.h"
20 : : #include "access/visibilitymap.h"
21 : : #include "access/xact.h"
22 : : #include "catalog/pg_am.h"
23 : : #include "catalog/pg_class.h"
24 : : #include "funcapi.h"
25 : : #include "miscadmin.h"
26 : : #include "storage/bufmgr.h"
27 : : #include "storage/lwlock.h"
28 : : #include "storage/procarray.h"
29 : : #include "storage/read_stream.h"
30 : : #include "utils/builtins.h"
31 : : #include "utils/fmgroids.h"
32 : : #include "utils/rel.h"
33 : : #include "utils/tuplestore.h"
34 : :
2021 rhaas@postgresql.org 35 :CBC 303 : PG_FUNCTION_INFO_V1(verify_heapam);
36 : :
37 : : /* The number of columns in tuples returned by verify_heapam */
38 : : #define HEAPCHECK_RELATION_COLS 4
39 : :
40 : : /* The largest valid toast va_rawsize */
41 : : #define VARLENA_SIZE_LIMIT 0x3FFFFFFF
42 : :
43 : : /*
44 : : * Despite the name, we use this for reporting problems with both XIDs and
45 : : * MXIDs.
46 : : */
47 : : typedef enum XidBoundsViolation
48 : : {
49 : : XID_INVALID,
50 : : XID_IN_FUTURE,
51 : : XID_PRECEDES_CLUSTERMIN,
52 : : XID_PRECEDES_RELMIN,
53 : : XID_BOUNDS_OK,
54 : : } XidBoundsViolation;
55 : :
56 : : typedef enum XidCommitStatus
57 : : {
58 : : XID_COMMITTED,
59 : : XID_IS_CURRENT_XID,
60 : : XID_IN_PROGRESS,
61 : : XID_ABORTED,
62 : : } XidCommitStatus;
63 : :
64 : : typedef enum SkipPages
65 : : {
66 : : SKIP_PAGES_ALL_FROZEN,
67 : : SKIP_PAGES_ALL_VISIBLE,
68 : : SKIP_PAGES_NONE,
69 : : } SkipPages;
70 : :
71 : : /*
72 : : * Struct holding information about a toasted attribute sufficient to both
73 : : * check the toasted attribute and, if found to be corrupt, to report where it
74 : : * was encountered in the main table.
75 : : */
76 : : typedef struct ToastedAttribute
77 : : {
78 : : varatt_external toast_pointer;
79 : : BlockNumber blkno; /* block in main table */
80 : : OffsetNumber offnum; /* offset in main table */
81 : : AttrNumber attnum; /* attribute in main table */
82 : : } ToastedAttribute;
83 : :
84 : : /*
85 : : * Struct holding the running context information during
86 : : * a lifetime of a verify_heapam execution.
87 : : */
88 : : typedef struct HeapCheckContext
89 : : {
90 : : /*
91 : : * Cached copies of values from TransamVariables and computed values from
92 : : * them.
93 : : */
94 : : FullTransactionId next_fxid; /* TransamVariables->nextXid */
95 : : TransactionId next_xid; /* 32-bit version of next_fxid */
96 : : TransactionId oldest_xid; /* TransamVariables->oldestXid */
97 : : FullTransactionId oldest_fxid; /* 64-bit version of oldest_xid, computed
98 : : * relative to next_fxid */
99 : : TransactionId safe_xmin; /* this XID and newer ones can't become
100 : : * all-visible while we're running */
101 : :
102 : : /*
103 : : * Cached copy of value from MultiXactState
104 : : */
105 : : MultiXactId next_mxact; /* MultiXactState->nextMXact */
106 : : MultiXactId oldest_mxact; /* MultiXactState->oldestMultiXactId */
107 : :
108 : : /*
109 : : * Cached copies of the most recently checked xid and its status.
110 : : */
111 : : TransactionId cached_xid;
112 : : XidCommitStatus cached_status;
113 : :
114 : : /* Values concerning the heap relation being checked */
115 : : Relation rel;
116 : : TransactionId relfrozenxid;
117 : : FullTransactionId relfrozenfxid;
118 : : TransactionId relminmxid;
119 : : Relation toast_rel;
120 : : Relation *toast_indexes;
121 : : Relation valid_toast_index;
122 : : int num_toast_indexes;
123 : :
124 : : /*
125 : : * Values for iterating over pages in the relation. `blkno` is the most
126 : : * recent block in the buffer yielded by the read stream API.
127 : : */
128 : : BlockNumber blkno;
129 : : BufferAccessStrategy bstrategy;
130 : : Buffer buffer;
131 : : Page page;
132 : :
133 : : /* Values for iterating over tuples within a page */
134 : : OffsetNumber offnum;
135 : : ItemId itemid;
136 : : uint16 lp_len;
137 : : uint16 lp_off;
138 : : HeapTupleHeader tuphdr;
139 : : int natts;
140 : :
141 : : /* Values for iterating over attributes within the tuple */
142 : : uint32 offset; /* offset in tuple data */
143 : : AttrNumber attnum;
144 : :
145 : : /* True if tuple's xmax makes it eligible for pruning */
146 : : bool tuple_could_be_pruned;
147 : :
148 : : /*
149 : : * List of ToastedAttribute structs for toasted attributes which are not
150 : : * eligible for pruning and should be checked
151 : : */
152 : : List *toasted_attributes;
153 : :
154 : : /* Whether verify_heapam has yet encountered any corrupt tuples */
155 : : bool is_corrupt;
156 : :
157 : : /* The descriptor and tuplestore for verify_heapam's result tuples */
158 : : TupleDesc tupdesc;
159 : : Tuplestorestate *tupstore;
160 : : } HeapCheckContext;
161 : :
162 : : /*
163 : : * The per-relation data provided to the read stream API for heap amcheck to
164 : : * use in its callback for the SKIP_PAGES_ALL_FROZEN and
165 : : * SKIP_PAGES_ALL_VISIBLE options.
166 : : */
167 : : typedef struct HeapCheckReadStreamData
168 : : {
169 : : /*
170 : : * `range` is used by all SkipPages options. SKIP_PAGES_NONE uses the
171 : : * default read stream callback, block_range_read_stream_cb(), which takes
172 : : * a BlockRangeReadStreamPrivate as its callback_private_data. `range`
173 : : * keeps track of the current block number across
174 : : * read_stream_next_buffer() invocations.
175 : : */
176 : : BlockRangeReadStreamPrivate range;
177 : : SkipPages skip_option;
178 : : Relation rel;
179 : : Buffer *vmbuffer;
180 : : } HeapCheckReadStreamData;
181 : :
182 : :
183 : : /* Internal implementation */
184 : : static BlockNumber heapcheck_read_stream_next_unskippable(ReadStream *stream,
185 : : void *callback_private_data,
186 : : void *per_buffer_data);
187 : :
188 : : static void check_tuple(HeapCheckContext *ctx,
189 : : bool *xmin_commit_status_ok,
190 : : XidCommitStatus *xmin_commit_status);
191 : : static void check_toast_tuple(HeapTuple toasttup, HeapCheckContext *ctx,
192 : : ToastedAttribute *ta, int32 *expected_chunk_seq,
193 : : uint32 extsize);
194 : :
195 : : static bool check_tuple_attribute(HeapCheckContext *ctx);
196 : : static void check_toasted_attribute(HeapCheckContext *ctx,
197 : : ToastedAttribute *ta);
198 : :
199 : : static bool check_tuple_header(HeapCheckContext *ctx);
200 : : static bool check_tuple_visibility(HeapCheckContext *ctx,
201 : : bool *xmin_commit_status_ok,
202 : : XidCommitStatus *xmin_commit_status);
203 : :
204 : : static void report_corruption(HeapCheckContext *ctx, char *msg);
205 : : static void report_toast_corruption(HeapCheckContext *ctx,
206 : : ToastedAttribute *ta, char *msg);
207 : : static FullTransactionId FullTransactionIdFromXidAndCtx(TransactionId xid,
208 : : const HeapCheckContext *ctx);
209 : : static void update_cached_xid_range(HeapCheckContext *ctx);
210 : : static void update_cached_mxid_range(HeapCheckContext *ctx);
211 : : static XidBoundsViolation check_mxid_in_range(MultiXactId mxid,
212 : : HeapCheckContext *ctx);
213 : : static XidBoundsViolation check_mxid_valid_in_rel(MultiXactId mxid,
214 : : HeapCheckContext *ctx);
215 : : static XidBoundsViolation get_xid_status(TransactionId xid,
216 : : HeapCheckContext *ctx,
217 : : XidCommitStatus *status);
218 : :
219 : : /*
220 : : * Scan and report corruption in heap pages, optionally reconciling toasted
221 : : * attributes with entries in the associated toast table. Intended to be
222 : : * called from SQL with the following parameters:
223 : : *
224 : : * relation:
225 : : * The Oid of the heap relation to be checked.
226 : : *
227 : : * on_error_stop:
228 : : * Whether to stop at the end of the first page for which errors are
229 : : * detected. Note that multiple rows may be returned.
230 : : *
231 : : * check_toast:
232 : : * Whether to check each toasted attribute against the toast table to
233 : : * verify that it can be found there.
234 : : *
235 : : * skip:
236 : : * What kinds of pages in the heap relation should be skipped. Valid
237 : : * options are "all-visible", "all-frozen", and "none".
238 : : *
239 : : * Returns to the SQL caller a set of tuples, each containing the location
240 : : * and a description of a corruption found in the heap.
241 : : *
242 : : * This code goes to some trouble to avoid crashing the server even if the
243 : : * table pages are badly corrupted, but it's probably not perfect. If
244 : : * check_toast is true, we'll use regular index lookups to try to fetch TOAST
245 : : * tuples, which can certainly cause crashes if the right kind of corruption
246 : : * exists in the toast table or index. No matter what parameters you pass,
247 : : * we can't protect against crashes that might occur trying to look up the
248 : : * commit status of transaction IDs (though we avoid trying to do such lookups
249 : : * for transaction IDs that can't legally appear in the table).
250 : : */
251 : : Datum
252 : 3454 : verify_heapam(PG_FUNCTION_ARGS)
253 : : {
254 : 3454 : ReturnSetInfo *rsinfo = (ReturnSetInfo *) fcinfo->resultinfo;
255 : : HeapCheckContext ctx;
256 : 3454 : Buffer vmbuffer = InvalidBuffer;
257 : : Oid relid;
258 : : bool on_error_stop;
259 : : bool check_toast;
260 : 3454 : SkipPages skip_option = SKIP_PAGES_NONE;
261 : : BlockNumber first_block;
262 : : BlockNumber last_block;
263 : : BlockNumber nblocks;
264 : : const char *skip;
265 : : ReadStream *stream;
266 : : int stream_flags;
267 : : ReadStreamBlockNumberCB stream_cb;
268 : : void *stream_data;
269 : : HeapCheckReadStreamData stream_skip_data;
270 : :
271 : : /* Check supplied arguments */
272 [ - + ]: 3454 : if (PG_ARGISNULL(0))
2021 rhaas@postgresql.org 273 [ # # ]:UBC 0 : ereport(ERROR,
274 : : (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
275 : : errmsg("relation cannot be null")));
2021 rhaas@postgresql.org 276 :CBC 3454 : relid = PG_GETARG_OID(0);
277 : :
278 [ - + ]: 3454 : if (PG_ARGISNULL(1))
2021 rhaas@postgresql.org 279 [ # # ]:UBC 0 : ereport(ERROR,
280 : : (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
281 : : errmsg("on_error_stop cannot be null")));
2021 rhaas@postgresql.org 282 :CBC 3454 : on_error_stop = PG_GETARG_BOOL(1);
283 : :
284 [ - + ]: 3454 : if (PG_ARGISNULL(2))
2021 rhaas@postgresql.org 285 [ # # ]:UBC 0 : ereport(ERROR,
286 : : (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
287 : : errmsg("check_toast cannot be null")));
2021 rhaas@postgresql.org 288 :CBC 3454 : check_toast = PG_GETARG_BOOL(2);
289 : :
290 [ - + ]: 3454 : if (PG_ARGISNULL(3))
2021 rhaas@postgresql.org 291 [ # # ]:UBC 0 : ereport(ERROR,
292 : : (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
293 : : errmsg("skip cannot be null")));
2021 rhaas@postgresql.org 294 :CBC 3454 : skip = text_to_cstring(PG_GETARG_TEXT_PP(3));
295 [ + + ]: 3454 : if (pg_strcasecmp(skip, "all-visible") == 0)
296 : 84 : skip_option = SKIP_PAGES_ALL_VISIBLE;
297 [ + + ]: 3370 : else if (pg_strcasecmp(skip, "all-frozen") == 0)
298 : 87 : skip_option = SKIP_PAGES_ALL_FROZEN;
299 [ + + ]: 3283 : else if (pg_strcasecmp(skip, "none") == 0)
300 : 3282 : skip_option = SKIP_PAGES_NONE;
301 : : else
302 [ + - ]: 1 : ereport(ERROR,
303 : : (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
304 : : errmsg("invalid skip option"),
305 : : errhint("Valid skip options are \"all-visible\", \"all-frozen\", and \"none\".")));
306 : :
307 : 3453 : memset(&ctx, 0, sizeof(HeapCheckContext));
308 : 3453 : ctx.cached_xid = InvalidTransactionId;
1854 309 : 3453 : ctx.toasted_attributes = NIL;
310 : :
311 : : /*
312 : : * Any xmin newer than the xmin of our snapshot can't become all-visible
313 : : * while we're running.
314 : : */
1860 315 : 3453 : ctx.safe_xmin = GetTransactionSnapshot()->xmin;
316 : :
317 : : /*
318 : : * If we report corruption when not examining some individual attribute,
319 : : * we need attnum to be reported as NULL. Set that up before any
320 : : * corruption reporting might happen.
321 : : */
2020 tgl@sss.pgh.pa.us 322 : 3453 : ctx.attnum = -1;
323 : :
324 : : /* Construct the tuplestore and tuple descriptor */
1295 michael@paquier.xyz 325 : 3453 : InitMaterializedSRF(fcinfo, 0);
1519 326 : 3453 : ctx.tupdesc = rsinfo->setDesc;
327 : 3453 : ctx.tupstore = rsinfo->setResult;
328 : :
329 : : /* Open relation, check relkind and access method */
2021 rhaas@postgresql.org 330 : 3453 : ctx.rel = relation_open(relid, AccessShareLock);
331 : :
332 : : /*
333 : : * Check that a relation's relkind and access method are both supported.
334 : : */
1614 peter@eisentraut.org 335 [ + + + + : 3453 : if (!RELKIND_HAS_TABLE_AM(ctx.rel->rd_rel->relkind) &&
+ + ]
1680 336 [ + + ]: 195 : ctx.rel->rd_rel->relkind != RELKIND_SEQUENCE)
1762 337 [ + - ]: 4 : ereport(ERROR,
338 : : (errcode(ERRCODE_WRONG_OBJECT_TYPE),
339 : : errmsg("cannot check relation \"%s\"",
340 : : RelationGetRelationName(ctx.rel)),
341 : : errdetail_relkind_not_supported(ctx.rel->rd_rel->relkind)));
342 : :
343 : : /*
344 : : * Sequences always use heap AM, but they don't show that in the catalogs.
345 : : * Other relkinds might be using a different AM, so check.
346 : : */
1680 347 [ + + ]: 3449 : if (ctx.rel->rd_rel->relkind != RELKIND_SEQUENCE &&
348 [ - + ]: 3258 : ctx.rel->rd_rel->relam != HEAP_TABLE_AM_OID)
1762 peter@eisentraut.org 349 [ # # ]:UBC 0 : ereport(ERROR,
350 : : (errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
351 : : errmsg("only heap AM is supported")));
352 : :
353 : : /*
354 : : * Early exit for unlogged relations during recovery. These will have no
355 : : * relation fork, so there won't be anything to check. We behave as if
356 : : * the relation is empty.
357 : : */
1667 pg@bowt.ie 358 [ - + - - ]:CBC 3449 : if (ctx.rel->rd_rel->relpersistence == RELPERSISTENCE_UNLOGGED &&
1667 pg@bowt.ie 359 :UBC 0 : RecoveryInProgress())
360 : : {
361 [ # # ]: 0 : ereport(DEBUG1,
362 : : (errcode(ERRCODE_READ_ONLY_SQL_TRANSACTION),
363 : : errmsg("cannot verify unlogged relation \"%s\" during recovery, skipping",
364 : : RelationGetRelationName(ctx.rel))));
365 : 0 : relation_close(ctx.rel, AccessShareLock);
366 : 0 : PG_RETURN_NULL();
367 : : }
368 : :
369 : : /* Early exit if the relation is empty */
2021 rhaas@postgresql.org 370 :CBC 3449 : nblocks = RelationGetNumberOfBlocks(ctx.rel);
371 [ + + ]: 3432 : if (!nblocks)
372 : : {
373 : 2000 : relation_close(ctx.rel, AccessShareLock);
374 : 2000 : PG_RETURN_NULL();
375 : : }
376 : :
377 : 1432 : ctx.bstrategy = GetAccessStrategy(BAS_BULKREAD);
378 : 1432 : ctx.buffer = InvalidBuffer;
379 : 1432 : ctx.page = NULL;
380 : :
381 : : /* Validate block numbers, or handle nulls. */
382 [ + + ]: 1432 : if (PG_ARGISNULL(4))
383 : 1309 : first_block = 0;
384 : : else
385 : : {
386 : 123 : int64 fb = PG_GETARG_INT64(4);
387 : :
388 [ + - + + ]: 123 : if (fb < 0 || fb >= nblocks)
389 [ + - ]: 1 : ereport(ERROR,
390 : : (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
391 : : errmsg("starting block number must be between 0 and %u",
392 : : nblocks - 1)));
393 : 122 : first_block = (BlockNumber) fb;
394 : : }
395 [ + + ]: 1431 : if (PG_ARGISNULL(5))
396 : 1308 : last_block = nblocks - 1;
397 : : else
398 : : {
399 : 123 : int64 lb = PG_GETARG_INT64(5);
400 : :
401 [ + - + + ]: 123 : if (lb < 0 || lb >= nblocks)
402 [ + - ]: 1 : ereport(ERROR,
403 : : (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
404 : : errmsg("ending block number must be between 0 and %u",
405 : : nblocks - 1)));
406 : 122 : last_block = (BlockNumber) lb;
407 : : }
408 : :
409 : : /* Optionally open the toast relation, if any. */
410 [ + + + + ]: 1430 : if (ctx.rel->rd_rel->reltoastrelid && check_toast)
411 : 673 : {
412 : : int offset;
413 : :
414 : : /* Main relation has associated toast relation */
415 : 673 : ctx.toast_rel = table_open(ctx.rel->rd_rel->reltoastrelid,
416 : : AccessShareLock);
417 : 673 : offset = toast_open_indexes(ctx.toast_rel,
418 : : AccessShareLock,
419 : : &(ctx.toast_indexes),
420 : : &(ctx.num_toast_indexes));
421 : 673 : ctx.valid_toast_index = ctx.toast_indexes[offset];
422 : : }
423 : : else
424 : : {
425 : : /*
426 : : * Main relation has no associated toast relation, or we're
427 : : * intentionally skipping it.
428 : : */
429 : 757 : ctx.toast_rel = NULL;
430 : 757 : ctx.toast_indexes = NULL;
431 : 757 : ctx.num_toast_indexes = 0;
432 : : }
433 : :
434 : 1430 : update_cached_xid_range(&ctx);
435 : 1430 : update_cached_mxid_range(&ctx);
436 : 1430 : ctx.relfrozenxid = ctx.rel->rd_rel->relfrozenxid;
437 : 1430 : ctx.relfrozenfxid = FullTransactionIdFromXidAndCtx(ctx.relfrozenxid, &ctx);
438 : 1430 : ctx.relminmxid = ctx.rel->rd_rel->relminmxid;
439 : :
440 [ + + ]: 1430 : if (TransactionIdIsNormal(ctx.relfrozenxid))
441 : 1239 : ctx.oldest_xid = ctx.relfrozenxid;
442 : :
443 : : /* Now that `ctx` is set up, set up the read stream */
404 melanieplageman@gmai 444 : 1430 : stream_skip_data.range.current_blocknum = first_block;
445 : 1430 : stream_skip_data.range.last_exclusive = last_block + 1;
446 : 1430 : stream_skip_data.skip_option = skip_option;
447 : 1430 : stream_skip_data.rel = ctx.rel;
448 : 1430 : stream_skip_data.vmbuffer = &vmbuffer;
449 : :
450 [ + + ]: 1430 : if (skip_option == SKIP_PAGES_NONE)
451 : : {
452 : : /*
453 : : * It is safe to use batchmode as block_range_read_stream_cb takes no
454 : : * locks.
455 : : */
456 : 1265 : stream_cb = block_range_read_stream_cb;
401 andres@anarazel.de 457 : 1265 : stream_flags = READ_STREAM_SEQUENTIAL |
458 : : READ_STREAM_FULL |
459 : : READ_STREAM_USE_BATCHING;
404 melanieplageman@gmai 460 : 1265 : stream_data = &stream_skip_data.range;
461 : : }
462 : : else
463 : : {
464 : : /*
465 : : * It would not be safe to naively use batchmode, as
466 : : * heapcheck_read_stream_next_unskippable takes locks. It shouldn't be
467 : : * too hard to convert though.
468 : : */
469 : 165 : stream_cb = heapcheck_read_stream_next_unskippable;
470 : 165 : stream_flags = READ_STREAM_DEFAULT;
471 : 165 : stream_data = &stream_skip_data;
472 : : }
473 : :
474 : 1430 : stream = read_stream_begin_relation(stream_flags,
475 : : ctx.bstrategy,
476 : : ctx.rel,
477 : : MAIN_FORKNUM,
478 : : stream_cb,
479 : : stream_data,
480 : : 0);
481 : :
482 [ + + ]: 13435 : while ((ctx.buffer = read_stream_next_buffer(stream, NULL)) != InvalidBuffer)
483 : : {
484 : : OffsetNumber maxoff;
485 : : OffsetNumber predecessor[MaxOffsetNumber];
486 : : OffsetNumber successor[MaxOffsetNumber];
487 : : bool lp_valid[MaxOffsetNumber];
488 : : bool xmin_commit_status_ok[MaxOffsetNumber];
489 : : XidCommitStatus xmin_commit_status[MaxOffsetNumber];
490 : :
1713 pg@bowt.ie 491 [ - + ]: 12008 : CHECK_FOR_INTERRUPTS();
492 : :
1140 rhaas@postgresql.org 493 : 12008 : memset(predecessor, 0, sizeof(OffsetNumber) * MaxOffsetNumber);
494 : :
495 : : /* Lock the next page. */
404 melanieplageman@gmai 496 [ - + ]: 12008 : Assert(BufferIsValid(ctx.buffer));
2021 rhaas@postgresql.org 497 : 12008 : LockBuffer(ctx.buffer, BUFFER_LOCK_SHARE);
498 : :
404 melanieplageman@gmai 499 : 12008 : ctx.blkno = BufferGetBlockNumber(ctx.buffer);
2021 rhaas@postgresql.org 500 : 12008 : ctx.page = BufferGetPage(ctx.buffer);
501 : :
502 : : /* Perform tuple checks */
503 : 12008 : maxoff = PageGetMaxOffsetNumber(ctx.page);
504 [ + + ]: 578553 : for (ctx.offnum = FirstOffsetNumber; ctx.offnum <= maxoff;
505 : 566545 : ctx.offnum = OffsetNumberNext(ctx.offnum))
506 : : {
507 : : BlockNumber nextblkno;
508 : : OffsetNumber nextoffnum;
509 : :
1140 510 : 566545 : successor[ctx.offnum] = InvalidOffsetNumber;
511 : 566545 : lp_valid[ctx.offnum] = false;
512 : 566545 : xmin_commit_status_ok[ctx.offnum] = false;
2021 513 : 566545 : ctx.itemid = PageGetItemId(ctx.page, ctx.offnum);
514 : :
515 : : /* Skip over unused/dead line pointers */
516 [ + + + + ]: 566545 : if (!ItemIdIsUsed(ctx.itemid) || ItemIdIsDead(ctx.itemid))
517 : 7529 : continue;
518 : :
519 : : /*
520 : : * If this line pointer has been redirected, check that it
521 : : * redirects to a valid offset within the line pointer array
522 : : */
523 [ + + ]: 559016 : if (ItemIdIsRedirected(ctx.itemid))
524 : 4966 : {
525 : 4986 : OffsetNumber rdoffnum = ItemIdGetRedirect(ctx.itemid);
526 : : ItemId rditem;
527 : :
2020 tgl@sss.pgh.pa.us 528 [ + + ]: 4986 : if (rdoffnum < FirstOffsetNumber)
529 : : {
530 : 6 : report_corruption(&ctx,
531 : : psprintf("line pointer redirection to item at offset %d precedes minimum offset %d",
532 : : rdoffnum,
533 : : FirstOffsetNumber));
534 : 6 : continue;
535 : : }
536 [ + + ]: 4980 : if (rdoffnum > maxoff)
537 : : {
2021 rhaas@postgresql.org 538 : 14 : report_corruption(&ctx,
539 : : psprintf("line pointer redirection to item at offset %d exceeds maximum offset %d",
540 : : rdoffnum,
541 : : maxoff));
542 : 14 : continue;
543 : : }
544 : :
545 : : /*
546 : : * Since we've checked that this redirect points to a line
547 : : * pointer between FirstOffsetNumber and maxoff, it should now
548 : : * be safe to fetch the referenced line pointer. We expect it
549 : : * to be LP_NORMAL; if not, that's corruption.
550 : : */
551 : 4966 : rditem = PageGetItemId(ctx.page, rdoffnum);
552 [ - + ]: 4966 : if (!ItemIdIsUsed(rditem))
553 : : {
2021 rhaas@postgresql.org 554 :UBC 0 : report_corruption(&ctx,
555 : : psprintf("redirected line pointer points to an unused item at offset %d",
556 : : rdoffnum));
1135 557 : 0 : continue;
558 : : }
1135 rhaas@postgresql.org 559 [ - + ]:CBC 4966 : else if (ItemIdIsDead(rditem))
560 : : {
1135 rhaas@postgresql.org 561 :UBC 0 : report_corruption(&ctx,
562 : : psprintf("redirected line pointer points to a dead item at offset %d",
563 : : rdoffnum));
564 : 0 : continue;
565 : : }
1135 rhaas@postgresql.org 566 [ - + ]:CBC 4966 : else if (ItemIdIsRedirected(rditem))
567 : : {
1135 rhaas@postgresql.org 568 :UBC 0 : report_corruption(&ctx,
569 : : psprintf("redirected line pointer points to another redirected line pointer at offset %d",
570 : : rdoffnum));
571 : 0 : continue;
572 : : }
573 : :
574 : : /*
575 : : * Record the fact that this line pointer has passed basic
576 : : * sanity checking, and also the offset number to which it
577 : : * points.
578 : : */
1140 rhaas@postgresql.org 579 :CBC 4966 : lp_valid[ctx.offnum] = true;
580 : 4966 : successor[ctx.offnum] = rdoffnum;
2021 581 : 4966 : continue;
582 : : }
583 : :
584 : : /* Sanity-check the line pointer's offset and length values */
585 : 554030 : ctx.lp_len = ItemIdGetLength(ctx.itemid);
2020 tgl@sss.pgh.pa.us 586 : 554030 : ctx.lp_off = ItemIdGetOffset(ctx.itemid);
587 : :
588 [ + + ]: 554030 : if (ctx.lp_off != MAXALIGN(ctx.lp_off))
589 : : {
590 : 6 : report_corruption(&ctx,
591 : : psprintf("line pointer to page offset %u is not maximally aligned",
592 : 6 : ctx.lp_off));
593 : 6 : continue;
594 : : }
595 [ + + ]: 554024 : if (ctx.lp_len < MAXALIGN(SizeofHeapTupleHeader))
596 : : {
597 : 12 : report_corruption(&ctx,
598 : : psprintf("line pointer length %u is less than the minimum tuple header size %u",
599 : 12 : ctx.lp_len,
600 : : (unsigned) MAXALIGN(SizeofHeapTupleHeader)));
601 : 12 : continue;
602 : : }
603 [ + + ]: 554012 : if (ctx.lp_off + ctx.lp_len > BLCKSZ)
604 : : {
605 : 14 : report_corruption(&ctx,
606 : : psprintf("line pointer to page offset %u with length %u ends beyond maximum page offset %d",
607 : 14 : ctx.lp_off,
608 : 14 : ctx.lp_len,
609 : : BLCKSZ));
610 : 14 : continue;
611 : : }
612 : :
613 : : /* It should be safe to examine the tuple's header, at least */
1140 rhaas@postgresql.org 614 : 553998 : lp_valid[ctx.offnum] = true;
2021 615 : 553998 : ctx.tuphdr = (HeapTupleHeader) PageGetItem(ctx.page, ctx.itemid);
616 : 553998 : ctx.natts = HeapTupleHeaderGetNatts(ctx.tuphdr);
617 : :
618 : : /* Ok, ready to check this next tuple */
1140 619 : 553998 : check_tuple(&ctx,
620 : 553998 : &xmin_commit_status_ok[ctx.offnum],
621 : 553998 : &xmin_commit_status[ctx.offnum]);
622 : :
623 : : /*
624 : : * If the CTID field of this tuple seems to point to another tuple
625 : : * on the same page, record that tuple as the successor of this
626 : : * one.
627 : : */
628 : 553998 : nextblkno = ItemPointerGetBlockNumber(&(ctx.tuphdr)->t_ctid);
629 : 553998 : nextoffnum = ItemPointerGetOffsetNumber(&(ctx.tuphdr)->t_ctid);
1139 630 [ + + + + : 553998 : if (nextblkno == ctx.blkno && nextoffnum != ctx.offnum &&
+ - ]
631 [ + - ]: 160 : nextoffnum >= FirstOffsetNumber && nextoffnum <= maxoff)
1140 632 : 160 : successor[ctx.offnum] = nextoffnum;
633 : : }
634 : :
635 : : /*
636 : : * Update chain validation. Check each line pointer that's got a valid
637 : : * successor against that successor.
638 : : */
639 : 12008 : ctx.attnum = -1;
640 [ + + ]: 578553 : for (ctx.offnum = FirstOffsetNumber; ctx.offnum <= maxoff;
641 : 566545 : ctx.offnum = OffsetNumberNext(ctx.offnum))
642 : : {
643 : : ItemId curr_lp;
644 : : ItemId next_lp;
645 : : HeapTupleHeader curr_htup;
646 : : HeapTupleHeader next_htup;
647 : : TransactionId curr_xmin;
648 : : TransactionId curr_xmax;
649 : : TransactionId next_xmin;
650 : 566545 : OffsetNumber nextoffnum = successor[ctx.offnum];
651 : :
652 : : /*
653 : : * The current line pointer may not have a successor, either
654 : : * because it's not valid or because it didn't point to anything.
655 : : * In either case, we have to give up.
656 : : *
657 : : * If the current line pointer does point to something, it's
658 : : * possible that the target line pointer isn't valid. We have to
659 : : * give up in that case, too.
660 : : */
661 [ + + - + ]: 566545 : if (nextoffnum == InvalidOffsetNumber || !lp_valid[nextoffnum])
662 : 561419 : continue;
663 : :
664 : : /* We have two valid line pointers that we can examine. */
665 : 5126 : curr_lp = PageGetItemId(ctx.page, ctx.offnum);
666 : 5126 : next_lp = PageGetItemId(ctx.page, nextoffnum);
667 : :
668 : : /* Handle the cases where the current line pointer is a redirect. */
669 [ + + ]: 5126 : if (ItemIdIsRedirected(curr_lp))
670 : : {
671 : : /*
672 : : * We should not have set successor[ctx.offnum] to a value
673 : : * other than InvalidOffsetNumber unless that line pointer is
674 : : * LP_NORMAL.
675 : : */
1135 676 [ - + ]: 4966 : Assert(ItemIdIsNormal(next_lp));
677 : :
678 : : /* Can only redirect to a HOT tuple. */
1140 679 : 4966 : next_htup = (HeapTupleHeader) PageGetItem(ctx.page, next_lp);
680 [ - + ]: 4966 : if (!HeapTupleHeaderIsHeapOnly(next_htup))
681 : : {
1140 rhaas@postgresql.org 682 :UBC 0 : report_corruption(&ctx,
683 : : psprintf("redirected line pointer points to a non-heap-only tuple at offset %d",
684 : : nextoffnum));
685 : : }
686 : :
687 : : /* HOT chains should not intersect. */
1140 rhaas@postgresql.org 688 [ - + ]:CBC 4966 : if (predecessor[nextoffnum] != InvalidOffsetNumber)
689 : : {
1140 rhaas@postgresql.org 690 :UBC 0 : report_corruption(&ctx,
691 : : psprintf("redirect line pointer points to offset %d, but offset %d also points there",
147 peter@eisentraut.org 692 :UNC 0 : nextoffnum, predecessor[nextoffnum]));
1140 rhaas@postgresql.org 693 :UBC 0 : continue;
694 : : }
695 : :
696 : : /*
697 : : * This redirect and the tuple to which it points seem to be
698 : : * part of an update chain.
699 : : */
1140 rhaas@postgresql.org 700 :CBC 4966 : predecessor[nextoffnum] = ctx.offnum;
701 : 4966 : continue;
702 : : }
703 : :
704 : : /*
705 : : * If the next line pointer is a redirect, or if it's a tuple but
706 : : * the XMAX of this tuple doesn't match the XMIN of the next
707 : : * tuple, then the two aren't part of the same update chain and
708 : : * there is nothing more to do.
709 : : */
710 [ - + ]: 160 : if (ItemIdIsRedirected(next_lp))
1140 rhaas@postgresql.org 711 :UBC 0 : continue;
1140 rhaas@postgresql.org 712 :CBC 160 : curr_htup = (HeapTupleHeader) PageGetItem(ctx.page, curr_lp);
713 : 160 : curr_xmax = HeapTupleHeaderGetUpdateXid(curr_htup);
714 : 160 : next_htup = (HeapTupleHeader) PageGetItem(ctx.page, next_lp);
715 : 160 : next_xmin = HeapTupleHeaderGetXmin(next_htup);
716 [ + + - + ]: 160 : if (!TransactionIdIsValid(curr_xmax) ||
717 : : !TransactionIdEquals(curr_xmax, next_xmin))
718 : 2 : continue;
719 : :
720 : : /* HOT chains should not intersect. */
721 [ - + ]: 158 : if (predecessor[nextoffnum] != InvalidOffsetNumber)
722 : : {
1140 rhaas@postgresql.org 723 :UBC 0 : report_corruption(&ctx,
724 : : psprintf("tuple points to new version at offset %d, but offset %d also points there",
147 peter@eisentraut.org 725 :UNC 0 : nextoffnum, predecessor[nextoffnum]));
1140 rhaas@postgresql.org 726 :UBC 0 : continue;
727 : : }
728 : :
729 : : /*
730 : : * This tuple and the tuple to which it points seem to be part of
731 : : * an update chain.
732 : : */
1140 rhaas@postgresql.org 733 :CBC 158 : predecessor[nextoffnum] = ctx.offnum;
734 : :
735 : : /*
736 : : * If the current tuple is marked as HOT-updated, then the next
737 : : * tuple should be marked as a heap-only tuple. Conversely, if the
738 : : * current tuple isn't marked as HOT-updated, then the next tuple
739 : : * shouldn't be marked as a heap-only tuple.
740 : : *
741 : : * NB: Can't use HeapTupleHeaderIsHotUpdated() as it checks if
742 : : * hint bits indicate xmin/xmax aborted.
743 : : */
1139 744 [ - + - - ]: 158 : if (!(curr_htup->t_infomask2 & HEAP_HOT_UPDATED) &&
1140 rhaas@postgresql.org 745 :UBC 0 : HeapTupleHeaderIsHeapOnly(next_htup))
746 : : {
747 : 0 : report_corruption(&ctx,
748 : : psprintf("non-heap-only update produced a heap-only tuple at offset %d",
749 : : nextoffnum));
750 : : }
1139 rhaas@postgresql.org 751 [ + - ]:CBC 158 : if ((curr_htup->t_infomask2 & HEAP_HOT_UPDATED) &&
1140 752 [ - + ]: 158 : !HeapTupleHeaderIsHeapOnly(next_htup))
753 : : {
1140 rhaas@postgresql.org 754 :UBC 0 : report_corruption(&ctx,
755 : : psprintf("heap-only update produced a non-heap only tuple at offset %d",
756 : : nextoffnum));
757 : : }
758 : :
759 : : /*
760 : : * If the current tuple's xmin is still in progress but the
761 : : * successor tuple's xmin is committed, that's corruption.
762 : : *
763 : : * NB: We recheck the commit status of the current tuple's xmin
764 : : * here, because it might have committed after we checked it and
765 : : * before we checked the commit status of the successor tuple's
766 : : * xmin. This should be safe because the xmin itself can't have
767 : : * changed, only its commit status.
768 : : */
1140 rhaas@postgresql.org 769 :CBC 158 : curr_xmin = HeapTupleHeaderGetXmin(curr_htup);
770 [ + - ]: 158 : if (xmin_commit_status_ok[ctx.offnum] &&
771 [ - + ]: 158 : xmin_commit_status[ctx.offnum] == XID_IN_PROGRESS &&
1140 rhaas@postgresql.org 772 [ # # ]:UBC 0 : xmin_commit_status_ok[nextoffnum] &&
773 [ # # # # ]: 0 : xmin_commit_status[nextoffnum] == XID_COMMITTED &&
774 : 0 : TransactionIdIsInProgress(curr_xmin))
775 : : {
776 : 0 : report_corruption(&ctx,
777 : : psprintf("tuple with in-progress xmin %u was updated to produce a tuple at offset %d with committed xmin %u",
778 : : curr_xmin,
147 peter@eisentraut.org 779 :UNC 0 : ctx.offnum,
780 : : next_xmin));
781 : : }
782 : :
783 : : /*
784 : : * If the current tuple's xmin is aborted but the successor
785 : : * tuple's xmin is in-progress or committed, that's corruption.
786 : : */
1140 rhaas@postgresql.org 787 [ + - ]:CBC 158 : if (xmin_commit_status_ok[ctx.offnum] &&
788 [ - + ]: 158 : xmin_commit_status[ctx.offnum] == XID_ABORTED &&
1140 rhaas@postgresql.org 789 [ # # ]:UBC 0 : xmin_commit_status_ok[nextoffnum])
790 : : {
791 [ # # ]: 0 : if (xmin_commit_status[nextoffnum] == XID_IN_PROGRESS)
792 : 0 : report_corruption(&ctx,
793 : : psprintf("tuple with aborted xmin %u was updated to produce a tuple at offset %d with in-progress xmin %u",
794 : : curr_xmin,
147 peter@eisentraut.org 795 :UNC 0 : ctx.offnum,
796 : : next_xmin));
1140 rhaas@postgresql.org 797 [ # # ]:UBC 0 : else if (xmin_commit_status[nextoffnum] == XID_COMMITTED)
798 : 0 : report_corruption(&ctx,
799 : : psprintf("tuple with aborted xmin %u was updated to produce a tuple at offset %d with committed xmin %u",
800 : : curr_xmin,
147 peter@eisentraut.org 801 :UNC 0 : ctx.offnum,
802 : : next_xmin));
803 : : }
804 : : }
805 : :
806 : : /*
807 : : * An update chain can start either with a non-heap-only tuple or with
808 : : * a redirect line pointer, but not with a heap-only tuple.
809 : : *
810 : : * (This check is in a separate loop because we need the predecessor
811 : : * array to be fully populated before we can perform it.)
812 : : */
1140 rhaas@postgresql.org 813 :CBC 12008 : for (ctx.offnum = FirstOffsetNumber;
814 [ + + ]: 578553 : ctx.offnum <= maxoff;
815 : 566545 : ctx.offnum = OffsetNumberNext(ctx.offnum))
816 : : {
817 [ + + ]: 566545 : if (xmin_commit_status_ok[ctx.offnum] &&
818 [ + + ]: 553998 : (xmin_commit_status[ctx.offnum] == XID_COMMITTED ||
819 [ - + ]: 2 : xmin_commit_status[ctx.offnum] == XID_IN_PROGRESS) &&
820 [ + + ]: 553996 : predecessor[ctx.offnum] == InvalidOffsetNumber)
821 : : {
822 : : ItemId curr_lp;
823 : :
824 : 548874 : curr_lp = PageGetItemId(ctx.page, ctx.offnum);
825 [ + - ]: 548874 : if (!ItemIdIsRedirected(curr_lp))
826 : : {
827 : : HeapTupleHeader curr_htup;
828 : :
829 : : curr_htup = (HeapTupleHeader)
830 : 548874 : PageGetItem(ctx.page, curr_lp);
831 [ - + ]: 548874 : if (HeapTupleHeaderIsHeapOnly(curr_htup))
1140 rhaas@postgresql.org 832 :UBC 0 : report_corruption(&ctx,
833 : : psprintf("tuple is root of chain but is marked as heap-only tuple"));
834 : : }
835 : : }
836 : : }
837 : :
838 : : /* clean up */
2021 rhaas@postgresql.org 839 :CBC 12008 : UnlockReleaseBuffer(ctx.buffer);
840 : :
841 : : /*
842 : : * Check any toast pointers from the page whose lock we just released
843 : : */
1854 844 [ + + ]: 12008 : if (ctx.toasted_attributes != NIL)
845 : : {
846 : : ListCell *cell;
847 : :
848 [ + - + + : 13346 : foreach(cell, ctx.toasted_attributes)
+ + ]
849 : 12482 : check_toasted_attribute(&ctx, lfirst(cell));
850 : 864 : list_free_deep(ctx.toasted_attributes);
851 : 864 : ctx.toasted_attributes = NIL;
852 : : }
853 : :
2021 854 [ + + - + ]: 12005 : if (on_error_stop && ctx.is_corrupt)
2021 rhaas@postgresql.org 855 :UBC 0 : break;
856 : : }
857 : :
404 melanieplageman@gmai 858 :CBC 1427 : read_stream_end(stream);
859 : :
2021 rhaas@postgresql.org 860 [ + + ]: 1427 : if (vmbuffer != InvalidBuffer)
861 : 37 : ReleaseBuffer(vmbuffer);
862 : :
863 : : /* Close the associated toast table and indexes, if any. */
864 [ + + ]: 1427 : if (ctx.toast_indexes)
865 : 670 : toast_close_indexes(ctx.toast_indexes, ctx.num_toast_indexes,
866 : : AccessShareLock);
867 [ + + ]: 1427 : if (ctx.toast_rel)
868 : 670 : table_close(ctx.toast_rel, AccessShareLock);
869 : :
870 : : /* Close the main relation */
871 : 1427 : relation_close(ctx.rel, AccessShareLock);
872 : :
873 : 1427 : PG_RETURN_NULL();
874 : : }
875 : :
876 : : /*
877 : : * Heap amcheck's read stream callback for getting the next unskippable block.
878 : : * This callback is only used when 'all-visible' or 'all-frozen' is provided
879 : : * as the skip option to verify_heapam(). With the default 'none',
880 : : * block_range_read_stream_cb() is used instead.
881 : : */
882 : : static BlockNumber
404 melanieplageman@gmai 883 : 867 : heapcheck_read_stream_next_unskippable(ReadStream *stream,
884 : : void *callback_private_data,
885 : : void *per_buffer_data)
886 : : {
887 : 867 : HeapCheckReadStreamData *p = callback_private_data;
888 : :
889 : : /* Loops over [current_blocknum, last_exclusive) blocks */
890 [ + + ]: 900 : for (BlockNumber i; (i = p->range.current_blocknum++) < p->range.last_exclusive;)
891 : : {
892 : 735 : uint8 mapbits = visibilitymap_get_status(p->rel, i, p->vmbuffer);
893 : :
894 [ + + ]: 735 : if (p->skip_option == SKIP_PAGES_ALL_FROZEN)
895 : : {
896 [ + + ]: 384 : if ((mapbits & VISIBILITYMAP_ALL_FROZEN) != 0)
897 : 32 : continue;
898 : : }
899 : :
900 [ + + ]: 703 : if (p->skip_option == SKIP_PAGES_ALL_VISIBLE)
901 : : {
902 [ + + ]: 351 : if ((mapbits & VISIBILITYMAP_ALL_VISIBLE) != 0)
903 : 1 : continue;
904 : : }
905 : :
906 : 702 : return i;
907 : : }
908 : :
909 : 165 : return InvalidBlockNumber;
910 : : }
911 : :
912 : : /*
913 : : * Shared internal implementation for report_corruption and
914 : : * report_toast_corruption.
915 : : */
916 : : static void
1854 rhaas@postgresql.org 917 : 52 : report_corruption_internal(Tuplestorestate *tupstore, TupleDesc tupdesc,
918 : : BlockNumber blkno, OffsetNumber offnum,
919 : : AttrNumber attnum, char *msg)
920 : : {
1389 peter@eisentraut.org 921 : 52 : Datum values[HEAPCHECK_RELATION_COLS] = {0};
922 : 52 : bool nulls[HEAPCHECK_RELATION_COLS] = {0};
923 : : HeapTuple tuple;
924 : :
1854 rhaas@postgresql.org 925 : 52 : values[0] = Int64GetDatum(blkno);
926 : 52 : values[1] = Int32GetDatum(offnum);
927 : 52 : values[2] = Int32GetDatum(attnum);
928 : 52 : nulls[2] = (attnum < 0);
2021 929 : 52 : values[3] = CStringGetTextDatum(msg);
930 : :
931 : : /*
932 : : * In principle, there is nothing to prevent a scan over a large, highly
933 : : * corrupted table from using work_mem worth of memory building up the
934 : : * tuplestore. That's ok, but if we also leak the msg argument memory
935 : : * until the end of the query, we could exceed work_mem by more than a
936 : : * trivial amount. Therefore, free the msg argument each time we are
937 : : * called rather than waiting for our current memory context to be freed.
938 : : */
939 : 52 : pfree(msg);
940 : :
1854 941 : 52 : tuple = heap_form_tuple(tupdesc, values, nulls);
942 : 52 : tuplestore_puttuple(tupstore, tuple);
943 : 52 : }
944 : :
945 : : /*
946 : : * Record a single corruption found in the main table. The values in ctx should
947 : : * indicate the location of the corruption, and the msg argument should contain
948 : : * a human-readable description of the corruption.
949 : : *
950 : : * The msg argument is pfree'd by this function.
951 : : */
952 : : static void
953 : 52 : report_corruption(HeapCheckContext *ctx, char *msg)
954 : : {
955 : 52 : report_corruption_internal(ctx->tupstore, ctx->tupdesc, ctx->blkno,
956 : 52 : ctx->offnum, ctx->attnum, msg);
957 : 52 : ctx->is_corrupt = true;
958 : 52 : }
959 : :
960 : : /*
961 : : * Record corruption found in the toast table. The values in ta should
962 : : * indicate the location in the main table where the toast pointer was
963 : : * encountered, and the msg argument should contain a human-readable
964 : : * description of the toast table corruption.
965 : : *
966 : : * As above, the msg argument is pfree'd by this function.
967 : : */
968 : : static void
1854 rhaas@postgresql.org 969 :UBC 0 : report_toast_corruption(HeapCheckContext *ctx, ToastedAttribute *ta,
970 : : char *msg)
971 : : {
972 : 0 : report_corruption_internal(ctx->tupstore, ctx->tupdesc, ta->blkno,
973 : 0 : ta->offnum, ta->attnum, msg);
2021 974 : 0 : ctx->is_corrupt = true;
975 : 0 : }
976 : :
977 : : /*
978 : : * Check for tuple header corruption.
979 : : *
980 : : * Some kinds of corruption make it unsafe to check the tuple attributes, for
981 : : * example when the line pointer refers to a range of bytes outside the page.
982 : : * In such cases, we return false (not checkable) after recording appropriate
983 : : * corruption messages.
984 : : *
985 : : * Some other kinds of tuple header corruption confuse the question of where
986 : : * the tuple attributes begin, or how long the nulls bitmap is, etc., making it
987 : : * unreasonable to attempt to check attributes, even if all candidate answers
988 : : * to those questions would not result in reading past the end of the line
989 : : * pointer or page. In such cases, like above, we record corruption messages
990 : : * about the header and then return false.
991 : : *
992 : : * Other kinds of tuple header corruption do not bear on the question of
993 : : * whether the tuple attributes can be checked, so we record corruption
994 : : * messages for them but we do not return false merely because we detected
995 : : * them.
996 : : *
997 : : * Returns whether the tuple is sufficiently sensible to undergo visibility and
998 : : * attribute checks.
999 : : */
1000 : : static bool
1860 rhaas@postgresql.org 1001 :CBC 553998 : check_tuple_header(HeapCheckContext *ctx)
1002 : : {
1003 : 553998 : HeapTupleHeader tuphdr = ctx->tuphdr;
2021 1004 : 553998 : uint16 infomask = tuphdr->t_infomask;
1140 1005 : 553998 : TransactionId curr_xmax = HeapTupleHeaderGetUpdateXid(tuphdr);
1860 1006 : 553998 : bool result = true;
1007 : : unsigned expected_hoff;
1008 : :
2021 1009 [ - + ]: 553998 : if (ctx->tuphdr->t_hoff > ctx->lp_len)
1010 : : {
2021 rhaas@postgresql.org 1011 :UBC 0 : report_corruption(ctx,
1012 : : psprintf("data begins at offset %u beyond the tuple length %u",
1013 : 0 : ctx->tuphdr->t_hoff, ctx->lp_len));
1860 1014 : 0 : result = false;
1015 : : }
1016 : :
2021 rhaas@postgresql.org 1017 [ + + ]:CBC 553998 : if ((ctx->tuphdr->t_infomask & HEAP_XMAX_COMMITTED) &&
1018 [ - + ]: 122 : (ctx->tuphdr->t_infomask & HEAP_XMAX_IS_MULTI))
1019 : : {
2021 rhaas@postgresql.org 1020 :UBC 0 : report_corruption(ctx,
1021 : : pstrdup("multixact should not be marked committed"));
1022 : :
1023 : : /*
1024 : : * This condition is clearly wrong, but it's not enough to justify
1025 : : * skipping further checks, because we don't rely on this to determine
1026 : : * whether the tuple is visible or to interpret other relevant header
1027 : : * fields.
1028 : : */
1029 : : }
1030 : :
1140 rhaas@postgresql.org 1031 [ + + - + ]:CBC 1106971 : if (!TransactionIdIsValid(curr_xmax) &&
1032 : 552973 : HeapTupleHeaderIsHotUpdated(tuphdr))
1033 : : {
1140 rhaas@postgresql.org 1034 :UBC 0 : report_corruption(ctx,
1035 : : psprintf("tuple has been HOT updated, but xmax is 0"));
1036 : :
1037 : : /*
1038 : : * As above, even though this shouldn't happen, it's not sufficient
1039 : : * justification for skipping further checks, we should still be able
1040 : : * to perform sensibly.
1041 : : */
1042 : : }
1043 : :
1135 rhaas@postgresql.org 1044 [ + + ]:CBC 553998 : if (HeapTupleHeaderIsHeapOnly(tuphdr) &&
1045 [ - + ]: 5124 : ((tuphdr->t_infomask & HEAP_UPDATED) == 0))
1046 : : {
1135 rhaas@postgresql.org 1047 :UBC 0 : report_corruption(ctx,
1048 : : psprintf("tuple is heap only, but not the result of an update"));
1049 : :
1050 : : /* Here again, we can still perform further checks. */
1051 : : }
1052 : :
2021 rhaas@postgresql.org 1053 [ + + ]:CBC 553998 : if (infomask & HEAP_HASNULL)
1054 : 258797 : expected_hoff = MAXALIGN(SizeofHeapTupleHeader + BITMAPLEN(ctx->natts));
1055 : : else
1056 : 295201 : expected_hoff = MAXALIGN(SizeofHeapTupleHeader);
1057 [ - + ]: 553998 : if (ctx->tuphdr->t_hoff != expected_hoff)
1058 : : {
2021 rhaas@postgresql.org 1059 [ # # # # ]:UBC 0 : if ((infomask & HEAP_HASNULL) && ctx->natts == 1)
1060 : 0 : report_corruption(ctx,
1061 : : psprintf("tuple data should begin at byte %u, but actually begins at byte %u (1 attribute, has nulls)",
1062 : 0 : expected_hoff, ctx->tuphdr->t_hoff));
1063 [ # # ]: 0 : else if ((infomask & HEAP_HASNULL))
1064 : 0 : report_corruption(ctx,
1065 : : psprintf("tuple data should begin at byte %u, but actually begins at byte %u (%u attributes, has nulls)",
1066 : 0 : expected_hoff, ctx->tuphdr->t_hoff, ctx->natts));
1067 [ # # ]: 0 : else if (ctx->natts == 1)
1068 : 0 : report_corruption(ctx,
1069 : : psprintf("tuple data should begin at byte %u, but actually begins at byte %u (1 attribute, no nulls)",
1070 : 0 : expected_hoff, ctx->tuphdr->t_hoff));
1071 : : else
1072 : 0 : report_corruption(ctx,
1073 : : psprintf("tuple data should begin at byte %u, but actually begins at byte %u (%u attributes, no nulls)",
1074 : 0 : expected_hoff, ctx->tuphdr->t_hoff, ctx->natts));
1860 1075 : 0 : result = false;
1076 : : }
1077 : :
1860 rhaas@postgresql.org 1078 :CBC 553998 : return result;
1079 : : }
1080 : :
1081 : : /*
1082 : : * Checks tuple visibility so we know which further checks are safe to
1083 : : * perform.
1084 : : *
1085 : : * If a tuple could have been inserted by a transaction that also added a
1086 : : * column to the table, but which ultimately did not commit, or which has not
1087 : : * yet committed, then the table's current TupleDesc might differ from the one
1088 : : * used to construct this tuple, so we must not check it.
1089 : : *
1090 : : * As a special case, if our own transaction inserted the tuple, even if we
1091 : : * added a column to the table, our TupleDesc should match. We could check the
1092 : : * tuple, but choose not to do so.
1093 : : *
1094 : : * If a tuple has been updated or deleted, we can still read the old tuple for
1095 : : * corruption checking purposes, as long as we are careful about concurrent
1096 : : * vacuums. The main table tuple itself cannot be vacuumed away because we
1097 : : * hold a buffer lock on the page, but if the deleting transaction is older
1098 : : * than our transaction snapshot's xmin, then vacuum could remove the toast at
1099 : : * any time, so we must not try to follow TOAST pointers.
1100 : : *
1101 : : * If xmin or xmax values are older than can be checked against clog, or appear
1102 : : * to be in the future (possibly due to wrap-around), then we cannot make a
1103 : : * determination about the visibility of the tuple, so we skip further checks.
1104 : : *
1105 : : * Returns true if the tuple itself should be checked, false otherwise. Sets
1106 : : * ctx->tuple_could_be_pruned if the tuple -- and thus also any associated
1107 : : * TOAST tuples -- are eligible for pruning.
1108 : : *
1109 : : * Sets *xmin_commit_status_ok to true if the commit status of xmin is known
1110 : : * and false otherwise. If it's set to true, then also set *xmin_commit_status
1111 : : * to the actual commit status.
1112 : : */
1113 : : static bool
1140 1114 : 553998 : check_tuple_visibility(HeapCheckContext *ctx, bool *xmin_commit_status_ok,
1115 : : XidCommitStatus *xmin_commit_status)
1116 : : {
1117 : : TransactionId xmin;
1118 : : TransactionId xvac;
1119 : : TransactionId xmax;
1120 : : XidCommitStatus xmin_status;
1121 : : XidCommitStatus xvac_status;
1122 : : XidCommitStatus xmax_status;
1860 1123 : 553998 : HeapTupleHeader tuphdr = ctx->tuphdr;
1124 : :
1125 : 553998 : ctx->tuple_could_be_pruned = true; /* have not yet proven otherwise */
1082 tgl@sss.pgh.pa.us 1126 : 553998 : *xmin_commit_status_ok = false; /* have not yet proven otherwise */
1127 : :
1128 : : /* If xmin is normal, it should be within valid range */
1860 rhaas@postgresql.org 1129 : 553998 : xmin = HeapTupleHeaderGetXmin(tuphdr);
1130 [ - + - - : 553998 : switch (get_xid_status(xmin, ctx, &xmin_status))
- - ]
1131 : : {
1860 rhaas@postgresql.org 1132 :UBC 0 : case XID_INVALID:
1133 : : /* Could be the result of a speculative insertion that aborted. */
1139 1134 : 0 : return false;
1860 rhaas@postgresql.org 1135 :CBC 553998 : case XID_BOUNDS_OK:
1140 1136 : 553998 : *xmin_commit_status_ok = true;
1137 : 553998 : *xmin_commit_status = xmin_status;
1860 1138 : 553998 : break;
1860 rhaas@postgresql.org 1139 :UBC 0 : case XID_IN_FUTURE:
1140 : 0 : report_corruption(ctx,
1141 : : psprintf("xmin %u equals or exceeds next valid transaction ID %u:%u",
1142 : : xmin,
1143 : 0 : EpochFromFullTransactionId(ctx->next_fxid),
1144 : 0 : XidFromFullTransactionId(ctx->next_fxid)));
1145 : 0 : return false;
1146 : 0 : case XID_PRECEDES_CLUSTERMIN:
1147 : 0 : report_corruption(ctx,
1148 : : psprintf("xmin %u precedes oldest valid transaction ID %u:%u",
1149 : : xmin,
1150 : 0 : EpochFromFullTransactionId(ctx->oldest_fxid),
1151 : 0 : XidFromFullTransactionId(ctx->oldest_fxid)));
1152 : 0 : return false;
1153 : 0 : case XID_PRECEDES_RELMIN:
1154 : 0 : report_corruption(ctx,
1155 : : psprintf("xmin %u precedes relation freeze threshold %u:%u",
1156 : : xmin,
1157 : 0 : EpochFromFullTransactionId(ctx->relfrozenfxid),
1158 : 0 : XidFromFullTransactionId(ctx->relfrozenfxid)));
1159 : 0 : return false;
1160 : : }
1161 : :
1162 : : /*
1163 : : * Has inserting transaction committed?
1164 : : */
2021 rhaas@postgresql.org 1165 [ + + ]:CBC 553998 : if (!HeapTupleHeaderXminCommitted(tuphdr))
1166 : : {
1167 [ - + ]: 8390 : if (HeapTupleHeaderXminInvalid(tuphdr))
1860 rhaas@postgresql.org 1168 :UBC 0 : return false; /* inserter aborted, don't check */
1169 : : /* Used by pre-9.0 binary upgrades */
1860 rhaas@postgresql.org 1170 [ - + ]:CBC 8390 : else if (tuphdr->t_infomask & HEAP_MOVED_OFF)
1171 : : {
1860 rhaas@postgresql.org 1172 :UBC 0 : xvac = HeapTupleHeaderGetXvac(tuphdr);
1173 : :
1174 [ # # # # : 0 : switch (get_xid_status(xvac, ctx, &xvac_status))
# # ]
1175 : : {
2021 1176 : 0 : case XID_INVALID:
1177 : 0 : report_corruption(ctx,
1178 : : pstrdup("old-style VACUUM FULL transaction ID for moved off tuple is invalid"));
1860 1179 : 0 : return false;
2021 1180 : 0 : case XID_IN_FUTURE:
1181 : 0 : report_corruption(ctx,
1182 : : psprintf("old-style VACUUM FULL transaction ID %u for moved off tuple equals or exceeds next valid transaction ID %u:%u",
1183 : : xvac,
1184 : 0 : EpochFromFullTransactionId(ctx->next_fxid),
1185 : 0 : XidFromFullTransactionId(ctx->next_fxid)));
1860 1186 : 0 : return false;
2021 1187 : 0 : case XID_PRECEDES_RELMIN:
1188 : 0 : report_corruption(ctx,
1189 : : psprintf("old-style VACUUM FULL transaction ID %u for moved off tuple precedes relation freeze threshold %u:%u",
1190 : : xvac,
1191 : 0 : EpochFromFullTransactionId(ctx->relfrozenfxid),
1192 : 0 : XidFromFullTransactionId(ctx->relfrozenfxid)));
1860 1193 : 0 : return false;
2021 1194 : 0 : case XID_PRECEDES_CLUSTERMIN:
1195 : 0 : report_corruption(ctx,
1196 : : psprintf("old-style VACUUM FULL transaction ID %u for moved off tuple precedes oldest valid transaction ID %u:%u",
1197 : : xvac,
1198 : 0 : EpochFromFullTransactionId(ctx->oldest_fxid),
1199 : 0 : XidFromFullTransactionId(ctx->oldest_fxid)));
1860 1200 : 0 : return false;
2021 1201 : 0 : case XID_BOUNDS_OK:
1860 1202 : 0 : break;
1203 : : }
1204 : :
1205 [ # # # # : 0 : switch (xvac_status)
# ]
1206 : : {
1207 : 0 : case XID_IS_CURRENT_XID:
1208 : 0 : report_corruption(ctx,
1209 : : psprintf("old-style VACUUM FULL transaction ID %u for moved off tuple matches our current transaction ID",
1210 : : xvac));
1211 : 0 : return false;
1212 : 0 : case XID_IN_PROGRESS:
1213 : 0 : report_corruption(ctx,
1214 : : psprintf("old-style VACUUM FULL transaction ID %u for moved off tuple appears to be in progress",
1215 : : xvac));
1216 : 0 : return false;
1217 : :
1218 : 0 : case XID_COMMITTED:
1219 : :
1220 : : /*
1221 : : * The tuple is dead, because the xvac transaction moved
1222 : : * it off and committed. It's checkable, but also
1223 : : * prunable.
1224 : : */
1225 : 0 : return true;
1226 : :
1227 : 0 : case XID_ABORTED:
1228 : :
1229 : : /*
1230 : : * The original xmin must have committed, because the xvac
1231 : : * transaction tried to move it later. Since xvac is
1232 : : * aborted, whether it's still alive now depends on the
1233 : : * status of xmax.
1234 : : */
1235 : 0 : break;
1236 : : }
1237 : : }
1238 : : /* Used by pre-9.0 binary upgrades */
1860 rhaas@postgresql.org 1239 [ - + ]:CBC 8390 : else if (tuphdr->t_infomask & HEAP_MOVED_IN)
1240 : : {
1860 rhaas@postgresql.org 1241 :UBC 0 : xvac = HeapTupleHeaderGetXvac(tuphdr);
1242 : :
1243 [ # # # # : 0 : switch (get_xid_status(xvac, ctx, &xvac_status))
# # ]
1244 : : {
2021 1245 : 0 : case XID_INVALID:
1246 : 0 : report_corruption(ctx,
1247 : : pstrdup("old-style VACUUM FULL transaction ID for moved in tuple is invalid"));
1248 : 0 : return false;
1249 : 0 : case XID_IN_FUTURE:
1250 : 0 : report_corruption(ctx,
1251 : : psprintf("old-style VACUUM FULL transaction ID %u for moved in tuple equals or exceeds next valid transaction ID %u:%u",
1252 : : xvac,
1253 : 0 : EpochFromFullTransactionId(ctx->next_fxid),
1254 : 0 : XidFromFullTransactionId(ctx->next_fxid)));
1860 1255 : 0 : return false;
2021 1256 : 0 : case XID_PRECEDES_RELMIN:
1257 : 0 : report_corruption(ctx,
1258 : : psprintf("old-style VACUUM FULL transaction ID %u for moved in tuple precedes relation freeze threshold %u:%u",
1259 : : xvac,
1260 : 0 : EpochFromFullTransactionId(ctx->relfrozenfxid),
1261 : 0 : XidFromFullTransactionId(ctx->relfrozenfxid)));
1860 1262 : 0 : return false;
2021 1263 : 0 : case XID_PRECEDES_CLUSTERMIN:
1264 : 0 : report_corruption(ctx,
1265 : : psprintf("old-style VACUUM FULL transaction ID %u for moved in tuple precedes oldest valid transaction ID %u:%u",
1266 : : xvac,
1267 : 0 : EpochFromFullTransactionId(ctx->oldest_fxid),
1268 : 0 : XidFromFullTransactionId(ctx->oldest_fxid)));
1860 1269 : 0 : return false;
2021 1270 : 0 : case XID_BOUNDS_OK:
1860 1271 : 0 : break;
1272 : : }
1273 : :
1274 [ # # # # : 0 : switch (xvac_status)
# ]
1275 : : {
1276 : 0 : case XID_IS_CURRENT_XID:
1277 : 0 : report_corruption(ctx,
1278 : : psprintf("old-style VACUUM FULL transaction ID %u for moved in tuple matches our current transaction ID",
1279 : : xvac));
1280 : 0 : return false;
1281 : 0 : case XID_IN_PROGRESS:
1282 : 0 : report_corruption(ctx,
1283 : : psprintf("old-style VACUUM FULL transaction ID %u for moved in tuple appears to be in progress",
1284 : : xvac));
1285 : 0 : return false;
1286 : :
1287 : 0 : case XID_COMMITTED:
1288 : :
1289 : : /*
1290 : : * The original xmin must have committed, because the xvac
1291 : : * transaction moved it later. Whether it's still alive
1292 : : * now depends on the status of xmax.
1293 : : */
1294 : 0 : break;
1295 : :
1296 : 0 : case XID_ABORTED:
1297 : :
1298 : : /*
1299 : : * The tuple is dead, because the xvac transaction moved
1300 : : * it off and committed. It's checkable, but also
1301 : : * prunable.
1302 : : */
1303 : 0 : return true;
1304 : : }
1305 : : }
1860 rhaas@postgresql.org 1306 [ + + ]:CBC 8390 : else if (xmin_status != XID_COMMITTED)
1307 : : {
1308 : : /*
1309 : : * Inserting transaction is not in progress, and not committed, so
1310 : : * it might have changed the TupleDesc in ways we don't know
1311 : : * about. Thus, don't try to check the tuple structure.
1312 : : *
1313 : : * If xmin_status happens to be XID_IS_CURRENT_XID, then in theory
1314 : : * any such DDL changes ought to be visible to us, so perhaps we
1315 : : * could check anyway in that case. But, for now, let's be
1316 : : * conservative and treat this like any other uncommitted insert.
1317 : : */
1318 : 2 : return false;
1319 : : }
1320 : : }
1321 : :
1322 : : /*
1323 : : * Okay, the inserter committed, so it was good at some point. Now what
1324 : : * about the deleting transaction?
1325 : : */
1326 : :
1327 [ + + ]: 553996 : if (tuphdr->t_infomask & HEAP_XMAX_IS_MULTI)
1328 : : {
1329 : : /*
1330 : : * xmax is a multixact, so sanity-check the MXID. Note that we do this
1331 : : * prior to checking for HEAP_XMAX_INVALID or
1332 : : * HEAP_XMAX_IS_LOCKED_ONLY. This might therefore complain about
1333 : : * things that wouldn't actually be a problem during a normal scan,
1334 : : * but eventually we're going to have to freeze, and that process will
1335 : : * ignore hint bits.
1336 : : *
1337 : : * Even if the MXID is out of range, we still know that the original
1338 : : * insert committed, so we can check the tuple itself. However, we
1339 : : * can't rule out the possibility that this tuple is dead, so don't
1340 : : * clear ctx->tuple_could_be_pruned. Possibly we should go ahead and
1341 : : * clear that flag anyway if HEAP_XMAX_INVALID is set or if
1342 : : * HEAP_XMAX_IS_LOCKED_ONLY is true, but for now we err on the side of
1343 : : * avoiding possibly-bogus complaints about missing TOAST entries.
1344 : : */
1345 : 56 : xmax = HeapTupleHeaderGetRawXmax(tuphdr);
1346 [ - - - - : 56 : switch (check_mxid_valid_in_rel(xmax, ctx))
+ - ]
1347 : : {
1860 rhaas@postgresql.org 1348 :UBC 0 : case XID_INVALID:
1349 : 0 : report_corruption(ctx,
1350 : : pstrdup("multitransaction ID is invalid"));
1351 : 0 : return true;
1352 : 0 : case XID_PRECEDES_RELMIN:
1353 : 0 : report_corruption(ctx,
1354 : : psprintf("multitransaction ID %u precedes relation minimum multitransaction ID threshold %u",
1355 : : xmax, ctx->relminmxid));
1356 : 0 : return true;
1357 : 0 : case XID_PRECEDES_CLUSTERMIN:
1358 : 0 : report_corruption(ctx,
1359 : : psprintf("multitransaction ID %u precedes oldest valid multitransaction ID threshold %u",
1360 : : xmax, ctx->oldest_mxact));
1361 : 0 : return true;
1362 : 0 : case XID_IN_FUTURE:
1363 : 0 : report_corruption(ctx,
1364 : : psprintf("multitransaction ID %u equals or exceeds next valid multitransaction ID %u",
1365 : : xmax,
1366 : : ctx->next_mxact));
1367 : 0 : return true;
1860 rhaas@postgresql.org 1368 :CBC 56 : case XID_BOUNDS_OK:
1369 : 56 : break;
1370 : : }
1371 : : }
1372 : :
1373 [ + + ]: 553996 : if (tuphdr->t_infomask & HEAP_XMAX_INVALID)
1374 : : {
1375 : : /*
1376 : : * This tuple is live. A concurrently running transaction could
1377 : : * delete it before we get around to checking the toast, but any such
1378 : : * running transaction is surely not less than our safe_xmin, so the
1379 : : * toast cannot be vacuumed out from under us.
1380 : : */
1381 : 552971 : ctx->tuple_could_be_pruned = false;
1382 : 552971 : return true;
1383 : : }
1384 : :
1385 [ + + ]: 1025 : if (HEAP_XMAX_IS_LOCKED_ONLY(tuphdr->t_infomask))
1386 : : {
1387 : : /*
1388 : : * "Deleting" xact really only locked it, so the tuple is live in any
1389 : : * case. As above, a concurrently running transaction could delete
1390 : : * it, but it cannot be vacuumed out from under us.
1391 : : */
1392 : 28 : ctx->tuple_could_be_pruned = false;
1393 : 28 : return true;
1394 : : }
1395 : :
1396 [ + + ]: 997 : if (tuphdr->t_infomask & HEAP_XMAX_IS_MULTI)
1397 : : {
1398 : : /*
1399 : : * We already checked above that this multixact is within limits for
1400 : : * this table. Now check the update xid from this multixact.
1401 : : */
1402 : 28 : xmax = HeapTupleGetUpdateXid(tuphdr);
1403 [ - - - - : 28 : switch (get_xid_status(xmax, ctx, &xmax_status))
+ - ]
1404 : : {
1860 rhaas@postgresql.org 1405 :UBC 0 : case XID_INVALID:
1406 : : /* not LOCKED_ONLY, so it has to have an xmax */
1407 : 0 : report_corruption(ctx,
1408 : : pstrdup("update xid is invalid"));
1409 : 0 : return true;
1410 : 0 : case XID_IN_FUTURE:
1411 : 0 : report_corruption(ctx,
1412 : : psprintf("update xid %u equals or exceeds next valid transaction ID %u:%u",
1413 : : xmax,
1414 : 0 : EpochFromFullTransactionId(ctx->next_fxid),
1415 : 0 : XidFromFullTransactionId(ctx->next_fxid)));
1416 : 0 : return true;
1417 : 0 : case XID_PRECEDES_RELMIN:
1418 : 0 : report_corruption(ctx,
1419 : : psprintf("update xid %u precedes relation freeze threshold %u:%u",
1420 : : xmax,
1421 : 0 : EpochFromFullTransactionId(ctx->relfrozenfxid),
1422 : 0 : XidFromFullTransactionId(ctx->relfrozenfxid)));
1423 : 0 : return true;
1424 : 0 : case XID_PRECEDES_CLUSTERMIN:
1425 : 0 : report_corruption(ctx,
1426 : : psprintf("update xid %u precedes oldest valid transaction ID %u:%u",
1427 : : xmax,
1428 : 0 : EpochFromFullTransactionId(ctx->oldest_fxid),
1429 : 0 : XidFromFullTransactionId(ctx->oldest_fxid)));
1430 : 0 : return true;
1860 rhaas@postgresql.org 1431 :CBC 28 : case XID_BOUNDS_OK:
1432 : 28 : break;
1433 : : }
1434 : :
1435 [ - + - - ]: 28 : switch (xmax_status)
1436 : : {
1860 rhaas@postgresql.org 1437 :UBC 0 : case XID_IS_CURRENT_XID:
1438 : : case XID_IN_PROGRESS:
1439 : :
1440 : : /*
1441 : : * The delete is in progress, so it cannot be visible to our
1442 : : * snapshot.
1443 : : */
1444 : 0 : ctx->tuple_could_be_pruned = false;
1445 : 0 : break;
1860 rhaas@postgresql.org 1446 :CBC 28 : case XID_COMMITTED:
1447 : :
1448 : : /*
1449 : : * The delete committed. Whether the toast can be vacuumed
1450 : : * away depends on how old the deleting transaction is.
1451 : : */
1452 : 28 : ctx->tuple_could_be_pruned = TransactionIdPrecedes(xmax,
1453 : : ctx->safe_xmin);
1454 : 28 : break;
1860 rhaas@postgresql.org 1455 :UBC 0 : case XID_ABORTED:
1456 : :
1457 : : /*
1458 : : * The delete aborted or crashed. The tuple is still live.
1459 : : */
1460 : 0 : ctx->tuple_could_be_pruned = false;
1461 : 0 : break;
1462 : : }
1463 : :
1464 : : /* Tuple itself is checkable even if it's dead. */
1860 rhaas@postgresql.org 1465 :CBC 28 : return true;
1466 : : }
1467 : :
1468 : : /* xmax is an XID, not a MXID. Sanity check it. */
1469 : 969 : xmax = HeapTupleHeaderGetRawXmax(tuphdr);
1470 [ - - - - : 969 : switch (get_xid_status(xmax, ctx, &xmax_status))
+ - ]
1471 : : {
1139 rhaas@postgresql.org 1472 :UBC 0 : case XID_INVALID:
1473 : 0 : ctx->tuple_could_be_pruned = false;
1474 : 0 : return true;
1860 1475 : 0 : case XID_IN_FUTURE:
1476 : 0 : report_corruption(ctx,
1477 : : psprintf("xmax %u equals or exceeds next valid transaction ID %u:%u",
1478 : : xmax,
1479 : 0 : EpochFromFullTransactionId(ctx->next_fxid),
1480 : 0 : XidFromFullTransactionId(ctx->next_fxid)));
1481 : 0 : return false; /* corrupt */
1482 : 0 : case XID_PRECEDES_RELMIN:
1483 : 0 : report_corruption(ctx,
1484 : : psprintf("xmax %u precedes relation freeze threshold %u:%u",
1485 : : xmax,
1486 : 0 : EpochFromFullTransactionId(ctx->relfrozenfxid),
1487 : 0 : XidFromFullTransactionId(ctx->relfrozenfxid)));
1488 : 0 : return false; /* corrupt */
1489 : 0 : case XID_PRECEDES_CLUSTERMIN:
1490 : 0 : report_corruption(ctx,
1491 : : psprintf("xmax %u precedes oldest valid transaction ID %u:%u",
1492 : : xmax,
1493 : 0 : EpochFromFullTransactionId(ctx->oldest_fxid),
1494 : 0 : XidFromFullTransactionId(ctx->oldest_fxid)));
1495 : 0 : return false; /* corrupt */
1860 rhaas@postgresql.org 1496 :CBC 969 : case XID_BOUNDS_OK:
1497 : 969 : break;
1498 : : }
1499 : :
1500 : : /*
1501 : : * Whether the toast can be vacuumed away depends on how old the deleting
1502 : : * transaction is.
1503 : : */
1504 [ - + + - ]: 969 : switch (xmax_status)
1505 : : {
1860 rhaas@postgresql.org 1506 :UBC 0 : case XID_IS_CURRENT_XID:
1507 : : case XID_IN_PROGRESS:
1508 : :
1509 : : /*
1510 : : * The delete is in progress, so it cannot be visible to our
1511 : : * snapshot.
1512 : : */
1513 : 0 : ctx->tuple_could_be_pruned = false;
1514 : 0 : break;
1515 : :
1860 rhaas@postgresql.org 1516 :CBC 967 : case XID_COMMITTED:
1517 : :
1518 : : /*
1519 : : * The delete committed. Whether the toast can be vacuumed away
1520 : : * depends on how old the deleting transaction is.
1521 : : */
1522 : 967 : ctx->tuple_could_be_pruned = TransactionIdPrecedes(xmax,
1523 : : ctx->safe_xmin);
1524 : 967 : break;
1525 : :
1526 : 2 : case XID_ABORTED:
1527 : :
1528 : : /*
1529 : : * The delete aborted or crashed. The tuple is still live.
1530 : : */
1531 : 2 : ctx->tuple_could_be_pruned = false;
1532 : 2 : break;
1533 : : }
1534 : :
1535 : : /* Tuple itself is checkable even if it's dead. */
1536 : 969 : return true;
1537 : : }
1538 : :
1539 : :
1540 : : /*
1541 : : * Check the current toast tuple against the state tracked in ctx, recording
1542 : : * any corruption found in ctx->tupstore.
1543 : : *
1544 : : * This is not equivalent to running verify_heapam on the toast table itself,
1545 : : * and is not hardened against corruption of the toast table. Rather, when
1546 : : * validating a toasted attribute in the main table, the sequence of toast
1547 : : * tuples that store the toasted value are retrieved and checked in order, with
1548 : : * each toast tuple being checked against where we are in the sequence, as well
1549 : : * as each toast tuple having its varlena structure sanity checked.
1550 : : *
1551 : : * On entry, *expected_chunk_seq should be the chunk_seq value that we expect
1552 : : * to find in toasttup. On exit, it will be updated to the value the next call
1553 : : * to this function should expect to see.
1554 : : */
1555 : : static void
1854 1556 : 41933 : check_toast_tuple(HeapTuple toasttup, HeapCheckContext *ctx,
1557 : : ToastedAttribute *ta, int32 *expected_chunk_seq,
1558 : : uint32 extsize)
1559 : : {
1560 : : int32 chunk_seq;
1828 1561 : 41933 : int32 last_chunk_seq = (extsize - 1) / TOAST_MAX_CHUNK_SIZE;
1562 : : Pointer chunk;
1563 : : bool isnull;
1564 : : int32 chunksize;
1565 : : int32 expected_size;
1566 : :
1567 : : /* Sanity-check the sequence number. */
1568 : 41933 : chunk_seq = DatumGetInt32(fastgetattr(toasttup, 2,
1569 : 41933 : ctx->toast_rel->rd_att, &isnull));
2021 1570 [ - + ]: 41933 : if (isnull)
1571 : : {
1854 rhaas@postgresql.org 1572 :UBC 0 : report_toast_corruption(ctx, ta,
1573 : : psprintf("toast value %u has toast chunk with null sequence number",
1574 : : ta->toast_pointer.va_valueid));
2021 1575 : 0 : return;
1576 : : }
1828 rhaas@postgresql.org 1577 [ - + ]:CBC 41933 : if (chunk_seq != *expected_chunk_seq)
1578 : : {
1579 : : /* Either the TOAST index is corrupt, or we don't have all chunks. */
1828 rhaas@postgresql.org 1580 :UBC 0 : report_toast_corruption(ctx, ta,
1581 : : psprintf("toast value %u index scan returned chunk %d when expecting chunk %d",
1582 : : ta->toast_pointer.va_valueid,
1583 : : chunk_seq, *expected_chunk_seq));
1584 : : }
1828 rhaas@postgresql.org 1585 :CBC 41933 : *expected_chunk_seq = chunk_seq + 1;
1586 : :
1587 : : /* Sanity-check the chunk data. */
2021 1588 : 41933 : chunk = DatumGetPointer(fastgetattr(toasttup, 3,
1589 : 41933 : ctx->toast_rel->rd_att, &isnull));
1590 [ - + ]: 41933 : if (isnull)
1591 : : {
1854 rhaas@postgresql.org 1592 :UBC 0 : report_toast_corruption(ctx, ta,
1593 : : psprintf("toast value %u chunk %d has null data",
1594 : : ta->toast_pointer.va_valueid,
1595 : : chunk_seq));
2021 1596 : 0 : return;
1597 : : }
2021 rhaas@postgresql.org 1598 [ + - ]:CBC 41933 : if (!VARATT_IS_EXTENDED(chunk))
1599 : 41933 : chunksize = VARSIZE(chunk) - VARHDRSZ;
2021 rhaas@postgresql.org 1600 [ # # ]:UBC 0 : else if (VARATT_IS_SHORT(chunk))
1601 : : {
1602 : : /*
1603 : : * could happen due to heap_form_tuple doing its thing
1604 : : */
1605 : 0 : chunksize = VARSIZE_SHORT(chunk) - VARHDRSZ_SHORT;
1606 : : }
1607 : : else
1608 : : {
1609 : : /* should never happen */
1610 : 0 : uint32 header = ((varattrib_4b *) chunk)->va_4byte.va_header;
1611 : :
1854 1612 : 0 : report_toast_corruption(ctx, ta,
1613 : : psprintf("toast value %u chunk %d has invalid varlena header %0x",
1614 : : ta->toast_pointer.va_valueid,
1615 : : chunk_seq, header));
2021 1616 : 0 : return;
1617 : : }
1618 : :
1619 : : /*
1620 : : * Some checks on the data we've found
1621 : : */
1828 rhaas@postgresql.org 1622 [ - + ]:CBC 41933 : if (chunk_seq > last_chunk_seq)
1623 : : {
1854 rhaas@postgresql.org 1624 :UBC 0 : report_toast_corruption(ctx, ta,
1625 : : psprintf("toast value %u chunk %d follows last expected chunk %d",
1626 : : ta->toast_pointer.va_valueid,
1627 : : chunk_seq, last_chunk_seq));
2021 1628 : 0 : return;
1629 : : }
1630 : :
1828 rhaas@postgresql.org 1631 [ + + ]:CBC 41933 : expected_size = chunk_seq < last_chunk_seq ? TOAST_MAX_CHUNK_SIZE
1632 : 12479 : : extsize - (last_chunk_seq * TOAST_MAX_CHUNK_SIZE);
1633 : :
2021 1634 [ - + ]: 41933 : if (chunksize != expected_size)
1854 rhaas@postgresql.org 1635 :UBC 0 : report_toast_corruption(ctx, ta,
1636 : : psprintf("toast value %u chunk %d has size %u, but expected size %u",
1637 : : ta->toast_pointer.va_valueid,
1638 : : chunk_seq, chunksize, expected_size));
1639 : : }
1640 : :
1641 : : /*
1642 : : * Check the current attribute as tracked in ctx, recording any corruption
1643 : : * found in ctx->tupstore.
1644 : : *
1645 : : * This function follows the logic performed by heap_deform_tuple(), and in the
1646 : : * case of a toasted value, optionally stores the toast pointer so later it can
1647 : : * be checked following the logic of detoast_external_attr(), checking for any
1648 : : * conditions that would result in either of those functions Asserting or
1649 : : * crashing the backend. The checks performed by Asserts present in those two
1650 : : * functions are also performed here and in check_toasted_attribute. In cases
1651 : : * where those two functions are a bit cavalier in their assumptions about data
1652 : : * being correct, we perform additional checks not present in either of those
1653 : : * two functions. Where some condition is checked in both of those functions,
1654 : : * we perform it here twice, as we parallel the logical flow of those two
1655 : : * functions. The presence of duplicate checks seems a reasonable price to pay
1656 : : * for keeping this code tightly coupled with the code it protects.
1657 : : *
1658 : : * Returns true if the tuple attribute is sane enough for processing to
1659 : : * continue on to the next attribute, false otherwise.
1660 : : */
1661 : : static bool
2021 rhaas@postgresql.org 1662 :CBC 7946938 : check_tuple_attribute(HeapCheckContext *ctx)
1663 : : {
1664 : : Datum attdatum;
1665 : : varlena *attr;
1666 : : char *tp; /* pointer to the tuple data */
1667 : : uint16 infomask;
1668 : : CompactAttribute *thisatt;
1669 : : varatt_external toast_pointer;
1670 : :
1671 : 7946938 : infomask = ctx->tuphdr->t_infomask;
501 drowley@postgresql.o 1672 : 7946938 : thisatt = TupleDescCompactAttr(RelationGetDescr(ctx->rel), ctx->attnum);
1673 : :
2021 rhaas@postgresql.org 1674 : 7946938 : tp = (char *) ctx->tuphdr + ctx->tuphdr->t_hoff;
1675 : :
1676 [ - + ]: 7946938 : if (ctx->tuphdr->t_hoff + ctx->offset > ctx->lp_len)
1677 : : {
2021 rhaas@postgresql.org 1678 :UBC 0 : report_corruption(ctx,
1679 : : psprintf("attribute with length %u starts at offset %u beyond total tuple length %u",
1680 : 0 : thisatt->attlen,
1681 : 0 : ctx->tuphdr->t_hoff + ctx->offset,
1682 : 0 : ctx->lp_len));
1683 : 0 : return false;
1684 : : }
1685 : :
1686 : : /* Skip null values */
2021 rhaas@postgresql.org 1687 [ + + + + ]:CBC 7946938 : if (infomask & HEAP_HASNULL && att_isnull(ctx->attnum, ctx->tuphdr->t_bits))
1688 : 1352771 : return true;
1689 : :
1690 : : /* Skip non-varlena values, but update offset first */
1691 [ + + ]: 6594167 : if (thisatt->attlen != -1)
1692 : : {
500 drowley@postgresql.o 1693 : 6020440 : ctx->offset = att_nominal_alignby(ctx->offset, thisatt->attalignby);
2021 rhaas@postgresql.org 1694 [ + - - - : 6020440 : ctx->offset = att_addlength_pointer(ctx->offset, thisatt->attlen,
- - - - -
- - - - -
- - ]
1695 : : tp + ctx->offset);
1696 [ - + ]: 6020440 : if (ctx->tuphdr->t_hoff + ctx->offset > ctx->lp_len)
1697 : : {
2021 rhaas@postgresql.org 1698 :UBC 0 : report_corruption(ctx,
1699 : : psprintf("attribute with length %u ends at offset %u beyond total tuple length %u",
1700 : 0 : thisatt->attlen,
1701 : 0 : ctx->tuphdr->t_hoff + ctx->offset,
1702 : 0 : ctx->lp_len));
1703 : 0 : return false;
1704 : : }
2021 rhaas@postgresql.org 1705 :CBC 6020440 : return true;
1706 : : }
1707 : :
1708 : : /* Ok, we're looking at a varlena attribute. */
500 drowley@postgresql.o 1709 [ + + ]: 573727 : ctx->offset = att_pointer_alignby(ctx->offset, thisatt->attalignby, -1,
1710 : : tp + ctx->offset);
1711 : :
1712 : : /* Get the (possibly corrupt) varlena datum */
2021 rhaas@postgresql.org 1713 : 573727 : attdatum = fetchatt(thisatt, tp + ctx->offset);
1714 : :
1715 : : /*
1716 : : * We have the datum, but we cannot decode it carelessly, as it may still
1717 : : * be corrupt.
1718 : : */
1719 : :
1720 : : /*
1721 : : * Check that VARTAG_SIZE won't hit an Assert on a corrupt va_tag before
1722 : : * risking a call into att_addlength_pointer
1723 : : */
1724 [ + + ]: 573727 : if (VARATT_IS_EXTERNAL(tp + ctx->offset))
1725 : : {
1726 : 26917 : uint8 va_tag = VARTAG_EXTERNAL(tp + ctx->offset);
1727 : :
1728 [ - + ]: 26917 : if (va_tag != VARTAG_ONDISK)
1729 : : {
2021 rhaas@postgresql.org 1730 :UBC 0 : report_corruption(ctx,
1731 : : psprintf("toasted attribute has unexpected TOAST tag %u",
1732 : : va_tag));
1733 : : /* We can't know where the next attribute begins */
1734 : 0 : return false;
1735 : : }
1736 : : }
1737 : :
1738 : : /* Ok, should be safe now */
2021 rhaas@postgresql.org 1739 [ - + + - :CBC 573727 : ctx->offset = att_addlength_pointer(ctx->offset, thisatt->attlen,
- - + - +
- - + + +
- - ]
1740 : : tp + ctx->offset);
1741 : :
1742 [ - + ]: 573727 : if (ctx->tuphdr->t_hoff + ctx->offset > ctx->lp_len)
1743 : : {
2021 rhaas@postgresql.org 1744 :UBC 0 : report_corruption(ctx,
1745 : : psprintf("attribute with length %u ends at offset %u beyond total tuple length %u",
1746 : 0 : thisatt->attlen,
1747 : 0 : ctx->tuphdr->t_hoff + ctx->offset,
1748 : 0 : ctx->lp_len));
1749 : :
1750 : 0 : return false;
1751 : : }
1752 : :
1753 : : /*
1754 : : * heap_deform_tuple would be done with this attribute at this point,
1755 : : * having stored it in values[], and would continue to the next attribute.
1756 : : * We go further, because we need to check if the toast datum is corrupt.
1757 : : */
1758 : :
83 michael@paquier.xyz 1759 :GNC 573727 : attr = (varlena *) DatumGetPointer(attdatum);
1760 : :
1761 : : /*
1762 : : * Now we follow the logic of detoast_external_attr(), with the same
1763 : : * caveats about being paranoid about corruption.
1764 : : */
1765 : :
1766 : : /* Skip values that are not external */
2021 rhaas@postgresql.org 1767 [ + + ]:CBC 573727 : if (!VARATT_IS_EXTERNAL(attr))
1768 : 546810 : return true;
1769 : :
1770 : : /* It is external, and we're looking at a page on disk */
1771 : :
1772 : : /*
1773 : : * Must copy attr into toast_pointer for alignment considerations
1774 : : */
1847 1775 [ - + - + : 26917 : VARATT_EXTERNAL_GET_POINTER(toast_pointer, attr);
+ - - + -
+ ]
1776 : :
1777 : : /* Toasted attributes too large to be untoasted should never be stored */
1642 1778 [ - + ]: 26917 : if (toast_pointer.va_rawsize > VARLENA_SIZE_LIMIT)
1642 rhaas@postgresql.org 1779 :UBC 0 : report_corruption(ctx,
1780 : : psprintf("toast value %u rawsize %d exceeds limit %d",
1781 : : toast_pointer.va_valueid,
1782 : : toast_pointer.va_rawsize,
1783 : : VARLENA_SIZE_LIMIT));
1784 : :
1413 rhaas@postgresql.org 1785 [ + + ]:CBC 26917 : if (VARATT_EXTERNAL_IS_COMPRESSED(toast_pointer))
1786 : : {
1787 : : ToastCompressionId cmid;
1642 1788 : 2692 : bool valid = false;
1789 : :
1790 : : /* Compressed attributes should have a valid compression method */
1791 : 2692 : cmid = TOAST_COMPRESS_METHOD(&toast_pointer);
1792 [ + - - ]: 2692 : switch (cmid)
1793 : : {
1794 : : /* List of all valid compression method IDs */
1795 : 2692 : case TOAST_PGLZ_COMPRESSION_ID:
1796 : : case TOAST_LZ4_COMPRESSION_ID:
1797 : 2692 : valid = true;
1798 : 2692 : break;
1799 : :
1800 : : /* Recognized but invalid compression method ID */
1642 rhaas@postgresql.org 1801 :UBC 0 : case TOAST_INVALID_COMPRESSION_ID:
1802 : 0 : break;
1803 : :
1804 : : /* Intentionally no default here */
1805 : : }
1642 rhaas@postgresql.org 1806 [ - + ]:CBC 2692 : if (!valid)
1642 rhaas@postgresql.org 1807 :UBC 0 : report_corruption(ctx,
1808 : : psprintf("toast value %u has invalid compression method id %d",
1809 : : toast_pointer.va_valueid, cmid));
1810 : : }
1811 : :
1812 : : /* The tuple header better claim to contain toasted values */
2021 rhaas@postgresql.org 1813 [ - + ]:CBC 26917 : if (!(infomask & HEAP_HASEXTERNAL))
1814 : : {
2021 rhaas@postgresql.org 1815 :UBC 0 : report_corruption(ctx,
1816 : : psprintf("toast value %u is external but tuple header flag HEAP_HASEXTERNAL not set",
1817 : : toast_pointer.va_valueid));
1818 : 0 : return true;
1819 : : }
1820 : :
1821 : : /* The relation better have a toast table */
2021 rhaas@postgresql.org 1822 [ - + ]:CBC 26917 : if (!ctx->rel->rd_rel->reltoastrelid)
1823 : : {
2021 rhaas@postgresql.org 1824 :UBC 0 : report_corruption(ctx,
1825 : : psprintf("toast value %u is external but relation has no toast relation",
1826 : : toast_pointer.va_valueid));
1827 : 0 : return true;
1828 : : }
1829 : :
1830 : : /* If we were told to skip toast checking, then we're done. */
2021 rhaas@postgresql.org 1831 [ + + ]:CBC 26917 : if (ctx->toast_rel == NULL)
1832 : 14429 : return true;
1833 : :
1834 : : /*
1835 : : * If this tuple is eligible to be pruned, we cannot check the toast.
1836 : : * Otherwise, we push a copy of the toast tuple so we can check it after
1837 : : * releasing the main table buffer lock.
1838 : : */
1854 1839 [ + - ]: 12488 : if (!ctx->tuple_could_be_pruned)
1840 : : {
1841 : : ToastedAttribute *ta;
1842 : :
151 michael@paquier.xyz 1843 :GNC 12488 : ta = palloc0_object(ToastedAttribute);
1844 : :
1854 rhaas@postgresql.org 1845 [ - + - + :CBC 12488 : VARATT_EXTERNAL_GET_POINTER(ta->toast_pointer, attr);
+ - - + -
+ ]
1846 : 12488 : ta->blkno = ctx->blkno;
1847 : 12488 : ta->offnum = ctx->offnum;
1848 : 12488 : ta->attnum = ctx->attnum;
1849 : 12488 : ctx->toasted_attributes = lappend(ctx->toasted_attributes, ta);
1850 : : }
1851 : :
1852 : 12488 : return true;
1853 : : }
1854 : :
1855 : : /*
1856 : : * For each attribute collected in ctx->toasted_attributes, look up the value
1857 : : * in the toast table and perform checks on it. This function should only be
1858 : : * called on toast pointers which cannot be vacuumed away during our
1859 : : * processing.
1860 : : */
1861 : : static void
1862 : 12482 : check_toasted_attribute(HeapCheckContext *ctx, ToastedAttribute *ta)
1863 : : {
1864 : : ScanKeyData toastkey;
1865 : : SysScanDesc toastscan;
1866 : : bool found_toasttup;
1867 : : HeapTuple toasttup;
1868 : : uint32 extsize;
1828 1869 : 12482 : int32 expected_chunk_seq = 0;
1870 : : int32 last_chunk_seq;
1871 : :
1872 : 12482 : extsize = VARATT_EXTERNAL_GET_EXTSIZE(ta->toast_pointer);
1873 : 12482 : last_chunk_seq = (extsize - 1) / TOAST_MAX_CHUNK_SIZE;
1874 : :
1875 : : /*
1876 : : * Setup a scan key to find chunks in toast table with matching va_valueid
1877 : : */
2021 1878 : 12482 : ScanKeyInit(&toastkey,
1879 : : (AttrNumber) 1,
1880 : : BTEqualStrategyNumber, F_OIDEQ,
1881 : : ObjectIdGetDatum(ta->toast_pointer.va_valueid));
1882 : :
1883 : : /*
1884 : : * Check if any chunks for this toasted object exist in the toast table,
1885 : : * accessible via the index.
1886 : : */
1887 : 12482 : toastscan = systable_beginscan_ordered(ctx->toast_rel,
1888 : : ctx->valid_toast_index,
1889 : : get_toast_snapshot(), 1,
1890 : : &toastkey);
1891 : 12482 : found_toasttup = false;
1892 : 12482 : while ((toasttup =
1893 : 54415 : systable_getnext_ordered(toastscan,
1894 [ + + ]: 54412 : ForwardScanDirection)) != NULL)
1895 : : {
1896 : 41933 : found_toasttup = true;
1828 1897 : 41933 : check_toast_tuple(toasttup, ctx, ta, &expected_chunk_seq, extsize);
1898 : : }
2021 1899 : 12479 : systable_endscan_ordered(toastscan);
1900 : :
1854 1901 [ - + ]: 12479 : if (!found_toasttup)
1854 rhaas@postgresql.org 1902 :UBC 0 : report_toast_corruption(ctx, ta,
1903 : : psprintf("toast value %u not found in toast table",
1904 : : ta->toast_pointer.va_valueid));
1828 rhaas@postgresql.org 1905 [ - + ]:CBC 12479 : else if (expected_chunk_seq <= last_chunk_seq)
1854 rhaas@postgresql.org 1906 :UBC 0 : report_toast_corruption(ctx, ta,
1907 : : psprintf("toast value %u was expected to end at chunk %d, but ended while expecting chunk %d",
1908 : : ta->toast_pointer.va_valueid,
1909 : : last_chunk_seq, expected_chunk_seq));
2021 rhaas@postgresql.org 1910 :CBC 12479 : }
1911 : :
1912 : : /*
1913 : : * Check the current tuple as tracked in ctx, recording any corruption found in
1914 : : * ctx->tupstore.
1915 : : *
1916 : : * We return some information about the status of xmin to aid in validating
1917 : : * update chains.
1918 : : */
1919 : : static void
1140 1920 : 553998 : check_tuple(HeapCheckContext *ctx, bool *xmin_commit_status_ok,
1921 : : XidCommitStatus *xmin_commit_status)
1922 : : {
1923 : : /*
1924 : : * Check various forms of tuple header corruption, and if the header is
1925 : : * too corrupt, do not continue with other checks.
1926 : : */
1854 1927 [ - + ]: 553998 : if (!check_tuple_header(ctx))
2021 rhaas@postgresql.org 1928 :UBC 0 : return;
1929 : :
1930 : : /*
1931 : : * Check tuple visibility. If the inserting transaction aborted, we
1932 : : * cannot assume our relation description matches the tuple structure, and
1933 : : * therefore cannot check it.
1934 : : */
1140 rhaas@postgresql.org 1935 [ + + ]:CBC 553998 : if (!check_tuple_visibility(ctx, xmin_commit_status_ok,
1936 : : xmin_commit_status))
2021 1937 : 2 : return;
1938 : :
1939 : : /*
1940 : : * The tuple is visible, so it must be compatible with the current version
1941 : : * of the relation descriptor. It might have fewer columns than are
1942 : : * present in the relation descriptor, but it cannot have more.
1943 : : */
1944 [ - + ]: 553996 : if (RelationGetDescr(ctx->rel)->natts < ctx->natts)
1945 : : {
2021 rhaas@postgresql.org 1946 :UBC 0 : report_corruption(ctx,
1947 : : psprintf("number of attributes %u exceeds maximum %u expected for table",
1948 : : ctx->natts,
1949 : 0 : RelationGetDescr(ctx->rel)->natts));
1950 : 0 : return;
1951 : : }
1952 : :
1953 : : /*
1954 : : * Check each attribute unless we hit corruption that confuses what to do
1955 : : * next, at which point we abort further attribute checks for this tuple.
1956 : : * Note that we don't abort for all types of corruption, only for those
1957 : : * types where we don't know how to continue. We also don't abort the
1958 : : * checking of toasted attributes collected from the tuple prior to
1959 : : * aborting. Those will still be checked later along with other toasted
1960 : : * attributes collected from the page.
1961 : : */
2021 rhaas@postgresql.org 1962 :CBC 553996 : ctx->offset = 0;
1963 [ + + ]: 8500934 : for (ctx->attnum = 0; ctx->attnum < ctx->natts; ctx->attnum++)
1964 [ - + ]: 7946938 : if (!check_tuple_attribute(ctx))
2021 rhaas@postgresql.org 1965 :UBC 0 : break; /* cannot continue */
1966 : :
1967 : : /* revert attnum to -1 until we again examine individual attributes */
2020 tgl@sss.pgh.pa.us 1968 :CBC 553996 : ctx->attnum = -1;
1969 : : }
1970 : :
1971 : : /*
1972 : : * Convert a TransactionId into a FullTransactionId using our cached values of
1973 : : * the valid transaction ID range. It is the caller's responsibility to have
1974 : : * already updated the cached values, if necessary. This is akin to
1975 : : * FullTransactionIdFromAllowableAt(), but it tolerates corruption in the form
1976 : : * of an xid before epoch 0.
1977 : : */
1978 : : static FullTransactionId
2021 rhaas@postgresql.org 1979 : 74591 : FullTransactionIdFromXidAndCtx(TransactionId xid, const HeapCheckContext *ctx)
1980 : : {
1981 : : uint64 nextfxid_i;
1982 : : int32 diff;
1983 : : FullTransactionId fxid;
1984 : :
1151 andres@anarazel.de 1985 [ - + ]: 74591 : Assert(TransactionIdIsNormal(ctx->next_xid));
1986 [ - + ]: 74591 : Assert(FullTransactionIdIsNormal(ctx->next_fxid));
1987 [ - + ]: 74591 : Assert(XidFromFullTransactionId(ctx->next_fxid) == ctx->next_xid);
1988 : :
2021 rhaas@postgresql.org 1989 [ + + ]: 74591 : if (!TransactionIdIsNormal(xid))
1990 : 191 : return FullTransactionIdFromEpochAndXid(0, xid);
1991 : :
1151 andres@anarazel.de 1992 : 74400 : nextfxid_i = U64FromFullTransactionId(ctx->next_fxid);
1993 : :
1994 : : /* compute the 32bit modulo difference */
1995 : 74400 : diff = (int32) (ctx->next_xid - xid);
1996 : :
1997 : : /*
1998 : : * In cases of corruption we might see a 32bit xid that is before epoch 0.
1999 : : * We can't represent that as a 64bit xid, due to 64bit xids being
2000 : : * unsigned integers, without the modulo arithmetic of 32bit xid. There's
2001 : : * no really nice way to deal with that, but it works ok enough to use
2002 : : * FirstNormalFullTransactionId in that case, as a freshly initdb'd
2003 : : * cluster already has a newer horizon.
2004 : : */
2005 [ + + - + ]: 74400 : if (diff > 0 && (nextfxid_i - FirstNormalTransactionId) < (int64) diff)
2006 : : {
1151 andres@anarazel.de 2007 [ # # ]:UBC 0 : Assert(EpochFromFullTransactionId(ctx->next_fxid) == 0);
2008 : 0 : fxid = FirstNormalFullTransactionId;
2009 : : }
2010 : : else
1151 andres@anarazel.de 2011 :CBC 74400 : fxid = FullTransactionIdFromU64(nextfxid_i - diff);
2012 : :
2013 [ - + ]: 74400 : Assert(FullTransactionIdIsNormal(fxid));
2014 : 74400 : return fxid;
2015 : : }
2016 : :
2017 : : /*
2018 : : * Update our cached range of valid transaction IDs.
2019 : : */
2020 : : static void
2021 rhaas@postgresql.org 2021 : 1430 : update_cached_xid_range(HeapCheckContext *ctx)
2022 : : {
2023 : : /* Make cached copies */
2024 : 1430 : LWLockAcquire(XidGenLock, LW_SHARED);
879 heikki.linnakangas@i 2025 : 1430 : ctx->next_fxid = TransamVariables->nextXid;
2026 : 1430 : ctx->oldest_xid = TransamVariables->oldestXid;
2021 rhaas@postgresql.org 2027 : 1430 : LWLockRelease(XidGenLock);
2028 : :
2029 : : /* And compute alternate versions of the same */
2030 : 1430 : ctx->next_xid = XidFromFullTransactionId(ctx->next_fxid);
1151 andres@anarazel.de 2031 : 1430 : ctx->oldest_fxid = FullTransactionIdFromXidAndCtx(ctx->oldest_xid, ctx);
2021 rhaas@postgresql.org 2032 : 1430 : }
2033 : :
2034 : : /*
2035 : : * Update our cached range of valid multitransaction IDs.
2036 : : */
2037 : : static void
2038 : 1430 : update_cached_mxid_range(HeapCheckContext *ctx)
2039 : : {
2040 : 1430 : ReadMultiXactIdRange(&ctx->oldest_mxact, &ctx->next_mxact);
2041 : 1430 : }
2042 : :
2043 : : /*
2044 : : * Return whether the given FullTransactionId is within our cached valid
2045 : : * transaction ID range.
2046 : : */
2047 : : static inline bool
2048 : 62620 : fxid_in_cached_range(FullTransactionId fxid, const HeapCheckContext *ctx)
2049 : : {
2050 [ + - ]: 125240 : return (FullTransactionIdPrecedesOrEquals(ctx->oldest_fxid, fxid) &&
2051 [ + - ]: 62620 : FullTransactionIdPrecedes(fxid, ctx->next_fxid));
2052 : : }
2053 : :
2054 : : /*
2055 : : * Checks whether a multitransaction ID is in the cached valid range, returning
2056 : : * the nature of the range violation, if any.
2057 : : */
2058 : : static XidBoundsViolation
2059 : 56 : check_mxid_in_range(MultiXactId mxid, HeapCheckContext *ctx)
2060 : : {
2061 [ - + ]: 56 : if (!TransactionIdIsValid(mxid))
2021 rhaas@postgresql.org 2062 :UBC 0 : return XID_INVALID;
2021 rhaas@postgresql.org 2063 [ - + ]:CBC 56 : if (MultiXactIdPrecedes(mxid, ctx->relminmxid))
2021 rhaas@postgresql.org 2064 :UBC 0 : return XID_PRECEDES_RELMIN;
2021 rhaas@postgresql.org 2065 [ - + ]:CBC 56 : if (MultiXactIdPrecedes(mxid, ctx->oldest_mxact))
2021 rhaas@postgresql.org 2066 :UBC 0 : return XID_PRECEDES_CLUSTERMIN;
2021 rhaas@postgresql.org 2067 [ - + ]:CBC 56 : if (MultiXactIdPrecedesOrEquals(ctx->next_mxact, mxid))
2021 rhaas@postgresql.org 2068 :UBC 0 : return XID_IN_FUTURE;
2021 rhaas@postgresql.org 2069 :CBC 56 : return XID_BOUNDS_OK;
2070 : : }
2071 : :
2072 : : /*
2073 : : * Checks whether the given mxid is valid to appear in the heap being checked,
2074 : : * returning the nature of the range violation, if any.
2075 : : *
2076 : : * This function attempts to return quickly by caching the known valid mxid
2077 : : * range in ctx. Callers should already have performed the initial setup of
2078 : : * the cache prior to the first call to this function.
2079 : : */
2080 : : static XidBoundsViolation
2081 : 56 : check_mxid_valid_in_rel(MultiXactId mxid, HeapCheckContext *ctx)
2082 : : {
2083 : : XidBoundsViolation result;
2084 : :
2085 : 56 : result = check_mxid_in_range(mxid, ctx);
2086 [ + - ]: 56 : if (result == XID_BOUNDS_OK)
2087 : 56 : return XID_BOUNDS_OK;
2088 : :
2089 : : /* The range may have advanced. Recheck. */
2021 rhaas@postgresql.org 2090 :UBC 0 : update_cached_mxid_range(ctx);
2091 : 0 : return check_mxid_in_range(mxid, ctx);
2092 : : }
2093 : :
2094 : : /*
2095 : : * Checks whether the given transaction ID is (or was recently) valid to appear
2096 : : * in the heap being checked, or whether it is too old or too new to appear in
2097 : : * the relation, returning information about the nature of the bounds violation.
2098 : : *
2099 : : * We cache the range of valid transaction IDs. If xid is in that range, we
2100 : : * conclude that it is valid, even though concurrent changes to the table might
2101 : : * invalidate it under certain corrupt conditions. (For example, if the table
2102 : : * contains corrupt all-frozen bits, a concurrent vacuum might skip the page(s)
2103 : : * containing the xid and then truncate clog and advance the relfrozenxid
2104 : : * beyond xid.) Reporting the xid as valid under such conditions seems
2105 : : * acceptable, since if we had checked it earlier in our scan it would have
2106 : : * truly been valid at that time.
2107 : : *
2108 : : * If the status argument is not NULL, and if and only if the transaction ID
2109 : : * appears to be valid in this relation, the status argument will be set with
2110 : : * the commit status of the transaction ID.
2111 : : */
2112 : : static XidBoundsViolation
2021 rhaas@postgresql.org 2113 :CBC 554995 : get_xid_status(TransactionId xid, HeapCheckContext *ctx,
2114 : : XidCommitStatus *status)
2115 : : {
2116 : : FullTransactionId fxid;
2117 : : FullTransactionId clog_horizon;
2118 : :
2119 : : /* Quick check for special xids */
2120 [ - + ]: 554995 : if (!TransactionIdIsValid(xid))
2021 rhaas@postgresql.org 2121 :UBC 0 : return XID_INVALID;
2021 rhaas@postgresql.org 2122 [ + + + + ]:CBC 554995 : else if (xid == BootstrapTransactionId || xid == FrozenTransactionId)
2123 : : {
2124 [ + - ]: 492375 : if (status != NULL)
2125 : 492375 : *status = XID_COMMITTED;
2126 : 492375 : return XID_BOUNDS_OK;
2127 : : }
2128 : :
2129 : : /* Check if the xid is within bounds */
2130 : 62620 : fxid = FullTransactionIdFromXidAndCtx(xid, ctx);
2131 [ - + ]: 62620 : if (!fxid_in_cached_range(fxid, ctx))
2132 : : {
2133 : : /*
2134 : : * We may have been checking against stale values. Update the cached
2135 : : * range to be sure, and since we relied on the cached range when we
2136 : : * performed the full xid conversion, reconvert.
2137 : : */
2021 rhaas@postgresql.org 2138 :UBC 0 : update_cached_xid_range(ctx);
2139 : 0 : fxid = FullTransactionIdFromXidAndCtx(xid, ctx);
2140 : : }
2141 : :
2021 rhaas@postgresql.org 2142 [ - + ]:CBC 62620 : if (FullTransactionIdPrecedesOrEquals(ctx->next_fxid, fxid))
2021 rhaas@postgresql.org 2143 :UBC 0 : return XID_IN_FUTURE;
2021 rhaas@postgresql.org 2144 [ - + ]:CBC 62620 : if (FullTransactionIdPrecedes(fxid, ctx->oldest_fxid))
2021 rhaas@postgresql.org 2145 :UBC 0 : return XID_PRECEDES_CLUSTERMIN;
2021 rhaas@postgresql.org 2146 [ - + ]:CBC 62620 : if (FullTransactionIdPrecedes(fxid, ctx->relfrozenfxid))
2021 rhaas@postgresql.org 2147 :UBC 0 : return XID_PRECEDES_RELMIN;
2148 : :
2149 : : /* Early return if the caller does not request clog checking */
2021 rhaas@postgresql.org 2150 [ - + ]:CBC 62620 : if (status == NULL)
2021 rhaas@postgresql.org 2151 :UBC 0 : return XID_BOUNDS_OK;
2152 : :
2153 : : /* Early return if we just checked this xid in a prior call */
2021 rhaas@postgresql.org 2154 [ + + ]:CBC 62620 : if (xid == ctx->cached_xid)
2155 : : {
2156 : 53509 : *status = ctx->cached_status;
2157 : 53509 : return XID_BOUNDS_OK;
2158 : : }
2159 : :
2160 : 9111 : *status = XID_COMMITTED;
2161 : 9111 : LWLockAcquire(XactTruncationLock, LW_SHARED);
2162 : : clog_horizon =
879 heikki.linnakangas@i 2163 : 9111 : FullTransactionIdFromXidAndCtx(TransamVariables->oldestClogXid,
2164 : : ctx);
2021 rhaas@postgresql.org 2165 [ + - ]: 9111 : if (FullTransactionIdPrecedesOrEquals(clog_horizon, fxid))
2166 : : {
2167 [ - + ]: 9111 : if (TransactionIdIsCurrentTransactionId(xid))
1860 rhaas@postgresql.org 2168 :UBC 0 : *status = XID_IS_CURRENT_XID;
1860 rhaas@postgresql.org 2169 [ - + ]:CBC 9111 : else if (TransactionIdIsInProgress(xid))
2021 rhaas@postgresql.org 2170 :UBC 0 : *status = XID_IN_PROGRESS;
2021 rhaas@postgresql.org 2171 [ + + ]:CBC 9111 : else if (TransactionIdDidCommit(xid))
2172 : 9107 : *status = XID_COMMITTED;
2173 : : else
1860 2174 : 4 : *status = XID_ABORTED;
2175 : : }
2021 2176 : 9111 : LWLockRelease(XactTruncationLock);
2177 : 9111 : ctx->cached_xid = xid;
2178 : 9111 : ctx->cached_status = *status;
2179 : 9111 : return XID_BOUNDS_OK;
2180 : : }
|
