Age Owner Branch data TLA Line data Source code
1 : : /*-------------------------------------------------------------------------
2 : : *
3 : : * verify_heapam.c
4 : : * Functions to check postgresql heap relations for corruption
5 : : *
6 : : * Copyright (c) 2016-2025, PostgreSQL Global Development Group
7 : : *
8 : : * contrib/amcheck/verify_heapam.c
9 : : *-------------------------------------------------------------------------
10 : : */
11 : : #include "postgres.h"
12 : :
13 : : #include "access/detoast.h"
14 : : #include "access/genam.h"
15 : : #include "access/heaptoast.h"
16 : : #include "access/multixact.h"
17 : : #include "access/relation.h"
18 : : #include "access/table.h"
19 : : #include "access/toast_internals.h"
20 : : #include "access/visibilitymap.h"
21 : : #include "access/xact.h"
22 : : #include "catalog/pg_am.h"
23 : : #include "catalog/pg_class.h"
24 : : #include "funcapi.h"
25 : : #include "miscadmin.h"
26 : : #include "storage/bufmgr.h"
27 : : #include "storage/procarray.h"
28 : : #include "storage/read_stream.h"
29 : : #include "utils/builtins.h"
30 : : #include "utils/fmgroids.h"
31 : : #include "utils/rel.h"
32 : :
1780 rhaas@postgresql.org 33 :CBC 302 : PG_FUNCTION_INFO_V1(verify_heapam);
34 : :
35 : : /* The number of columns in tuples returned by verify_heapam */
36 : : #define HEAPCHECK_RELATION_COLS 4
37 : :
38 : : /* The largest valid toast va_rawsize */
39 : : #define VARLENA_SIZE_LIMIT 0x3FFFFFFF
40 : :
41 : : /*
42 : : * Despite the name, we use this for reporting problems with both XIDs and
43 : : * MXIDs.
44 : : */
45 : : typedef enum XidBoundsViolation
46 : : {
47 : : XID_INVALID,
48 : : XID_IN_FUTURE,
49 : : XID_PRECEDES_CLUSTERMIN,
50 : : XID_PRECEDES_RELMIN,
51 : : XID_BOUNDS_OK,
52 : : } XidBoundsViolation;
53 : :
54 : : typedef enum XidCommitStatus
55 : : {
56 : : XID_COMMITTED,
57 : : XID_IS_CURRENT_XID,
58 : : XID_IN_PROGRESS,
59 : : XID_ABORTED,
60 : : } XidCommitStatus;
61 : :
62 : : typedef enum SkipPages
63 : : {
64 : : SKIP_PAGES_ALL_FROZEN,
65 : : SKIP_PAGES_ALL_VISIBLE,
66 : : SKIP_PAGES_NONE,
67 : : } SkipPages;
68 : :
69 : : /*
70 : : * Struct holding information about a toasted attribute sufficient to both
71 : : * check the toasted attribute and, if found to be corrupt, to report where it
72 : : * was encountered in the main table.
73 : : */
74 : : typedef struct ToastedAttribute
75 : : {
76 : : struct varatt_external toast_pointer;
77 : : BlockNumber blkno; /* block in main table */
78 : : OffsetNumber offnum; /* offset in main table */
79 : : AttrNumber attnum; /* attribute in main table */
80 : : } ToastedAttribute;
81 : :
82 : : /*
83 : : * Struct holding the running context information during
84 : : * a lifetime of a verify_heapam execution.
85 : : */
86 : : typedef struct HeapCheckContext
87 : : {
88 : : /*
89 : : * Cached copies of values from TransamVariables and computed values from
90 : : * them.
91 : : */
92 : : FullTransactionId next_fxid; /* TransamVariables->nextXid */
93 : : TransactionId next_xid; /* 32-bit version of next_fxid */
94 : : TransactionId oldest_xid; /* TransamVariables->oldestXid */
95 : : FullTransactionId oldest_fxid; /* 64-bit version of oldest_xid, computed
96 : : * relative to next_fxid */
97 : : TransactionId safe_xmin; /* this XID and newer ones can't become
98 : : * all-visible while we're running */
99 : :
100 : : /*
101 : : * Cached copy of value from MultiXactState
102 : : */
103 : : MultiXactId next_mxact; /* MultiXactState->nextMXact */
104 : : MultiXactId oldest_mxact; /* MultiXactState->oldestMultiXactId */
105 : :
106 : : /*
107 : : * Cached copies of the most recently checked xid and its status.
108 : : */
109 : : TransactionId cached_xid;
110 : : XidCommitStatus cached_status;
111 : :
112 : : /* Values concerning the heap relation being checked */
113 : : Relation rel;
114 : : TransactionId relfrozenxid;
115 : : FullTransactionId relfrozenfxid;
116 : : TransactionId relminmxid;
117 : : Relation toast_rel;
118 : : Relation *toast_indexes;
119 : : Relation valid_toast_index;
120 : : int num_toast_indexes;
121 : :
122 : : /*
123 : : * Values for iterating over pages in the relation. `blkno` is the most
124 : : * recent block in the buffer yielded by the read stream API.
125 : : */
126 : : BlockNumber blkno;
127 : : BufferAccessStrategy bstrategy;
128 : : Buffer buffer;
129 : : Page page;
130 : :
131 : : /* Values for iterating over tuples within a page */
132 : : OffsetNumber offnum;
133 : : ItemId itemid;
134 : : uint16 lp_len;
135 : : uint16 lp_off;
136 : : HeapTupleHeader tuphdr;
137 : : int natts;
138 : :
139 : : /* Values for iterating over attributes within the tuple */
140 : : uint32 offset; /* offset in tuple data */
141 : : AttrNumber attnum;
142 : :
143 : : /* True if tuple's xmax makes it eligible for pruning */
144 : : bool tuple_could_be_pruned;
145 : :
146 : : /*
147 : : * List of ToastedAttribute structs for toasted attributes which are not
148 : : * eligible for pruning and should be checked
149 : : */
150 : : List *toasted_attributes;
151 : :
152 : : /* Whether verify_heapam has yet encountered any corrupt tuples */
153 : : bool is_corrupt;
154 : :
155 : : /* The descriptor and tuplestore for verify_heapam's result tuples */
156 : : TupleDesc tupdesc;
157 : : Tuplestorestate *tupstore;
158 : : } HeapCheckContext;
159 : :
160 : : /*
161 : : * The per-relation data provided to the read stream API for heap amcheck to
162 : : * use in its callback for the SKIP_PAGES_ALL_FROZEN and
163 : : * SKIP_PAGES_ALL_VISIBLE options.
164 : : */
165 : : typedef struct HeapCheckReadStreamData
166 : : {
167 : : /*
168 : : * `range` is used by all SkipPages options. SKIP_PAGES_NONE uses the
169 : : * default read stream callback, block_range_read_stream_cb(), which takes
170 : : * a BlockRangeReadStreamPrivate as its callback_private_data. `range`
171 : : * keeps track of the current block number across
172 : : * read_stream_next_buffer() invocations.
173 : : */
174 : : BlockRangeReadStreamPrivate range;
175 : : SkipPages skip_option;
176 : : Relation rel;
177 : : Buffer *vmbuffer;
178 : : } HeapCheckReadStreamData;
179 : :
180 : :
181 : : /* Internal implementation */
182 : : static BlockNumber heapcheck_read_stream_next_unskippable(ReadStream *stream,
183 : : void *callback_private_data,
184 : : void *per_buffer_data);
185 : :
186 : : static void check_tuple(HeapCheckContext *ctx,
187 : : bool *xmin_commit_status_ok,
188 : : XidCommitStatus *xmin_commit_status);
189 : : static void check_toast_tuple(HeapTuple toasttup, HeapCheckContext *ctx,
190 : : ToastedAttribute *ta, int32 *expected_chunk_seq,
191 : : uint32 extsize);
192 : :
193 : : static bool check_tuple_attribute(HeapCheckContext *ctx);
194 : : static void check_toasted_attribute(HeapCheckContext *ctx,
195 : : ToastedAttribute *ta);
196 : :
197 : : static bool check_tuple_header(HeapCheckContext *ctx);
198 : : static bool check_tuple_visibility(HeapCheckContext *ctx,
199 : : bool *xmin_commit_status_ok,
200 : : XidCommitStatus *xmin_commit_status);
201 : :
202 : : static void report_corruption(HeapCheckContext *ctx, char *msg);
203 : : static void report_toast_corruption(HeapCheckContext *ctx,
204 : : ToastedAttribute *ta, char *msg);
205 : : static FullTransactionId FullTransactionIdFromXidAndCtx(TransactionId xid,
206 : : const HeapCheckContext *ctx);
207 : : static void update_cached_xid_range(HeapCheckContext *ctx);
208 : : static void update_cached_mxid_range(HeapCheckContext *ctx);
209 : : static XidBoundsViolation check_mxid_in_range(MultiXactId mxid,
210 : : HeapCheckContext *ctx);
211 : : static XidBoundsViolation check_mxid_valid_in_rel(MultiXactId mxid,
212 : : HeapCheckContext *ctx);
213 : : static XidBoundsViolation get_xid_status(TransactionId xid,
214 : : HeapCheckContext *ctx,
215 : : XidCommitStatus *status);
216 : :
217 : : /*
218 : : * Scan and report corruption in heap pages, optionally reconciling toasted
219 : : * attributes with entries in the associated toast table. Intended to be
220 : : * called from SQL with the following parameters:
221 : : *
222 : : * relation:
223 : : * The Oid of the heap relation to be checked.
224 : : *
225 : : * on_error_stop:
226 : : * Whether to stop at the end of the first page for which errors are
227 : : * detected. Note that multiple rows may be returned.
228 : : *
229 : : * check_toast:
230 : : * Whether to check each toasted attribute against the toast table to
231 : : * verify that it can be found there.
232 : : *
233 : : * skip:
234 : : * What kinds of pages in the heap relation should be skipped. Valid
235 : : * options are "all-visible", "all-frozen", and "none".
236 : : *
237 : : * Returns to the SQL caller a set of tuples, each containing the location
238 : : * and a description of a corruption found in the heap.
239 : : *
240 : : * This code goes to some trouble to avoid crashing the server even if the
241 : : * table pages are badly corrupted, but it's probably not perfect. If
242 : : * check_toast is true, we'll use regular index lookups to try to fetch TOAST
243 : : * tuples, which can certainly cause crashes if the right kind of corruption
244 : : * exists in the toast table or index. No matter what parameters you pass,
245 : : * we can't protect against crashes that might occur trying to look up the
246 : : * commit status of transaction IDs (though we avoid trying to do such lookups
247 : : * for transaction IDs that can't legally appear in the table).
248 : : */
249 : : Datum
250 : 3418 : verify_heapam(PG_FUNCTION_ARGS)
251 : : {
252 : 3418 : ReturnSetInfo *rsinfo = (ReturnSetInfo *) fcinfo->resultinfo;
253 : : HeapCheckContext ctx;
254 : 3418 : Buffer vmbuffer = InvalidBuffer;
255 : : Oid relid;
256 : : bool on_error_stop;
257 : : bool check_toast;
258 : 3418 : SkipPages skip_option = SKIP_PAGES_NONE;
259 : : BlockNumber first_block;
260 : : BlockNumber last_block;
261 : : BlockNumber nblocks;
262 : : const char *skip;
263 : : ReadStream *stream;
264 : : int stream_flags;
265 : : ReadStreamBlockNumberCB stream_cb;
266 : : void *stream_data;
267 : : HeapCheckReadStreamData stream_skip_data;
268 : :
269 : : /* Check supplied arguments */
270 [ - + ]: 3418 : if (PG_ARGISNULL(0))
1780 rhaas@postgresql.org 271 [ # # ]:UBC 0 : ereport(ERROR,
272 : : (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
273 : : errmsg("relation cannot be null")));
1780 rhaas@postgresql.org 274 :CBC 3418 : relid = PG_GETARG_OID(0);
275 : :
276 [ - + ]: 3418 : if (PG_ARGISNULL(1))
1780 rhaas@postgresql.org 277 [ # # ]:UBC 0 : ereport(ERROR,
278 : : (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
279 : : errmsg("on_error_stop cannot be null")));
1780 rhaas@postgresql.org 280 :CBC 3418 : on_error_stop = PG_GETARG_BOOL(1);
281 : :
282 [ - + ]: 3418 : if (PG_ARGISNULL(2))
1780 rhaas@postgresql.org 283 [ # # ]:UBC 0 : ereport(ERROR,
284 : : (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
285 : : errmsg("check_toast cannot be null")));
1780 rhaas@postgresql.org 286 :CBC 3418 : check_toast = PG_GETARG_BOOL(2);
287 : :
288 [ - + ]: 3418 : if (PG_ARGISNULL(3))
1780 rhaas@postgresql.org 289 [ # # ]:UBC 0 : ereport(ERROR,
290 : : (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
291 : : errmsg("skip cannot be null")));
1780 rhaas@postgresql.org 292 :CBC 3418 : skip = text_to_cstring(PG_GETARG_TEXT_PP(3));
293 [ + + ]: 3418 : if (pg_strcasecmp(skip, "all-visible") == 0)
294 : 84 : skip_option = SKIP_PAGES_ALL_VISIBLE;
295 [ + + ]: 3334 : else if (pg_strcasecmp(skip, "all-frozen") == 0)
296 : 87 : skip_option = SKIP_PAGES_ALL_FROZEN;
297 [ + + ]: 3247 : else if (pg_strcasecmp(skip, "none") == 0)
298 : 3246 : skip_option = SKIP_PAGES_NONE;
299 : : else
300 [ + - ]: 1 : ereport(ERROR,
301 : : (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
302 : : errmsg("invalid skip option"),
303 : : errhint("Valid skip options are \"all-visible\", \"all-frozen\", and \"none\".")));
304 : :
305 : 3417 : memset(&ctx, 0, sizeof(HeapCheckContext));
306 : 3417 : ctx.cached_xid = InvalidTransactionId;
1613 307 : 3417 : ctx.toasted_attributes = NIL;
308 : :
309 : : /*
310 : : * Any xmin newer than the xmin of our snapshot can't become all-visible
311 : : * while we're running.
312 : : */
1619 313 : 3417 : ctx.safe_xmin = GetTransactionSnapshot()->xmin;
314 : :
315 : : /*
316 : : * If we report corruption when not examining some individual attribute,
317 : : * we need attnum to be reported as NULL. Set that up before any
318 : : * corruption reporting might happen.
319 : : */
1779 tgl@sss.pgh.pa.us 320 : 3417 : ctx.attnum = -1;
321 : :
322 : : /* Construct the tuplestore and tuple descriptor */
1054 michael@paquier.xyz 323 : 3417 : InitMaterializedSRF(fcinfo, 0);
1278 324 : 3417 : ctx.tupdesc = rsinfo->setDesc;
325 : 3417 : ctx.tupstore = rsinfo->setResult;
326 : :
327 : : /* Open relation, check relkind and access method */
1780 rhaas@postgresql.org 328 : 3417 : ctx.rel = relation_open(relid, AccessShareLock);
329 : :
330 : : /*
331 : : * Check that a relation's relkind and access method are both supported.
332 : : */
1373 peter@eisentraut.org 333 [ + + + + : 3417 : if (!RELKIND_HAS_TABLE_AM(ctx.rel->rd_rel->relkind) &&
+ + ]
1439 334 [ + + ]: 195 : ctx.rel->rd_rel->relkind != RELKIND_SEQUENCE)
1521 335 [ + - ]: 4 : ereport(ERROR,
336 : : (errcode(ERRCODE_WRONG_OBJECT_TYPE),
337 : : errmsg("cannot check relation \"%s\"",
338 : : RelationGetRelationName(ctx.rel)),
339 : : errdetail_relkind_not_supported(ctx.rel->rd_rel->relkind)));
340 : :
341 : : /*
342 : : * Sequences always use heap AM, but they don't show that in the catalogs.
343 : : * Other relkinds might be using a different AM, so check.
344 : : */
1439 345 [ + + ]: 3413 : if (ctx.rel->rd_rel->relkind != RELKIND_SEQUENCE &&
346 [ - + ]: 3222 : ctx.rel->rd_rel->relam != HEAP_TABLE_AM_OID)
1521 peter@eisentraut.org 347 [ # # ]:UBC 0 : ereport(ERROR,
348 : : (errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
349 : : errmsg("only heap AM is supported")));
350 : :
351 : : /*
352 : : * Early exit for unlogged relations during recovery. These will have no
353 : : * relation fork, so there won't be anything to check. We behave as if
354 : : * the relation is empty.
355 : : */
1426 pg@bowt.ie 356 [ - + - - ]:CBC 3413 : if (ctx.rel->rd_rel->relpersistence == RELPERSISTENCE_UNLOGGED &&
1426 pg@bowt.ie 357 :UBC 0 : RecoveryInProgress())
358 : : {
359 [ # # ]: 0 : ereport(DEBUG1,
360 : : (errcode(ERRCODE_READ_ONLY_SQL_TRANSACTION),
361 : : errmsg("cannot verify unlogged relation \"%s\" during recovery, skipping",
362 : : RelationGetRelationName(ctx.rel))));
363 : 0 : relation_close(ctx.rel, AccessShareLock);
364 : 0 : PG_RETURN_NULL();
365 : : }
366 : :
367 : : /* Early exit if the relation is empty */
1780 rhaas@postgresql.org 368 :CBC 3413 : nblocks = RelationGetNumberOfBlocks(ctx.rel);
369 [ + + ]: 3396 : if (!nblocks)
370 : : {
371 : 1919 : relation_close(ctx.rel, AccessShareLock);
372 : 1919 : PG_RETURN_NULL();
373 : : }
374 : :
375 : 1477 : ctx.bstrategy = GetAccessStrategy(BAS_BULKREAD);
376 : 1477 : ctx.buffer = InvalidBuffer;
377 : 1477 : ctx.page = NULL;
378 : :
379 : : /* Validate block numbers, or handle nulls. */
380 [ + + ]: 1477 : if (PG_ARGISNULL(4))
381 : 1354 : first_block = 0;
382 : : else
383 : : {
384 : 123 : int64 fb = PG_GETARG_INT64(4);
385 : :
386 [ + - + + ]: 123 : if (fb < 0 || fb >= nblocks)
387 [ + - ]: 1 : ereport(ERROR,
388 : : (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
389 : : errmsg("starting block number must be between 0 and %u",
390 : : nblocks - 1)));
391 : 122 : first_block = (BlockNumber) fb;
392 : : }
393 [ + + ]: 1476 : if (PG_ARGISNULL(5))
394 : 1353 : last_block = nblocks - 1;
395 : : else
396 : : {
397 : 123 : int64 lb = PG_GETARG_INT64(5);
398 : :
399 [ + - + + ]: 123 : if (lb < 0 || lb >= nblocks)
400 [ + - ]: 1 : ereport(ERROR,
401 : : (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
402 : : errmsg("ending block number must be between 0 and %u",
403 : : nblocks - 1)));
404 : 122 : last_block = (BlockNumber) lb;
405 : : }
406 : :
407 : : /* Optionally open the toast relation, if any. */
408 [ + + + + ]: 1475 : if (ctx.rel->rd_rel->reltoastrelid && check_toast)
409 : 696 : {
410 : : int offset;
411 : :
412 : : /* Main relation has associated toast relation */
413 : 696 : ctx.toast_rel = table_open(ctx.rel->rd_rel->reltoastrelid,
414 : : AccessShareLock);
415 : 696 : offset = toast_open_indexes(ctx.toast_rel,
416 : : AccessShareLock,
417 : : &(ctx.toast_indexes),
418 : : &(ctx.num_toast_indexes));
419 : 696 : ctx.valid_toast_index = ctx.toast_indexes[offset];
420 : : }
421 : : else
422 : : {
423 : : /*
424 : : * Main relation has no associated toast relation, or we're
425 : : * intentionally skipping it.
426 : : */
427 : 779 : ctx.toast_rel = NULL;
428 : 779 : ctx.toast_indexes = NULL;
429 : 779 : ctx.num_toast_indexes = 0;
430 : : }
431 : :
432 : 1475 : update_cached_xid_range(&ctx);
433 : 1475 : update_cached_mxid_range(&ctx);
434 : 1475 : ctx.relfrozenxid = ctx.rel->rd_rel->relfrozenxid;
435 : 1475 : ctx.relfrozenfxid = FullTransactionIdFromXidAndCtx(ctx.relfrozenxid, &ctx);
436 : 1475 : ctx.relminmxid = ctx.rel->rd_rel->relminmxid;
437 : :
438 [ + + ]: 1475 : if (TransactionIdIsNormal(ctx.relfrozenxid))
439 : 1284 : ctx.oldest_xid = ctx.relfrozenxid;
440 : :
441 : : /* Now that `ctx` is set up, set up the read stream */
163 melanieplageman@gmai 442 : 1475 : stream_skip_data.range.current_blocknum = first_block;
443 : 1475 : stream_skip_data.range.last_exclusive = last_block + 1;
444 : 1475 : stream_skip_data.skip_option = skip_option;
445 : 1475 : stream_skip_data.rel = ctx.rel;
446 : 1475 : stream_skip_data.vmbuffer = &vmbuffer;
447 : :
448 [ + + ]: 1475 : if (skip_option == SKIP_PAGES_NONE)
449 : : {
450 : : /*
451 : : * It is safe to use batchmode as block_range_read_stream_cb takes no
452 : : * locks.
453 : : */
454 : 1310 : stream_cb = block_range_read_stream_cb;
160 andres@anarazel.de 455 : 1310 : stream_flags = READ_STREAM_SEQUENTIAL |
456 : : READ_STREAM_FULL |
457 : : READ_STREAM_USE_BATCHING;
163 melanieplageman@gmai 458 : 1310 : stream_data = &stream_skip_data.range;
459 : : }
460 : : else
461 : : {
462 : : /*
463 : : * It would not be safe to naively use batchmode, as
464 : : * heapcheck_read_stream_next_unskippable takes locks. It shouldn't be
465 : : * too hard to convert though.
466 : : */
467 : 165 : stream_cb = heapcheck_read_stream_next_unskippable;
468 : 165 : stream_flags = READ_STREAM_DEFAULT;
469 : 165 : stream_data = &stream_skip_data;
470 : : }
471 : :
472 : 1475 : stream = read_stream_begin_relation(stream_flags,
473 : : ctx.bstrategy,
474 : : ctx.rel,
475 : : MAIN_FORKNUM,
476 : : stream_cb,
477 : : stream_data,
478 : : 0);
479 : :
480 [ + + ]: 13767 : while ((ctx.buffer = read_stream_next_buffer(stream, NULL)) != InvalidBuffer)
481 : : {
482 : : OffsetNumber maxoff;
483 : : OffsetNumber predecessor[MaxOffsetNumber];
484 : : OffsetNumber successor[MaxOffsetNumber];
485 : : bool lp_valid[MaxOffsetNumber];
486 : : bool xmin_commit_status_ok[MaxOffsetNumber];
487 : : XidCommitStatus xmin_commit_status[MaxOffsetNumber];
488 : :
1472 pg@bowt.ie 489 [ - + ]: 12295 : CHECK_FOR_INTERRUPTS();
490 : :
899 rhaas@postgresql.org 491 : 12295 : memset(predecessor, 0, sizeof(OffsetNumber) * MaxOffsetNumber);
492 : :
493 : : /* Lock the next page. */
163 melanieplageman@gmai 494 [ - + ]: 12295 : Assert(BufferIsValid(ctx.buffer));
1780 rhaas@postgresql.org 495 : 12295 : LockBuffer(ctx.buffer, BUFFER_LOCK_SHARE);
496 : :
163 melanieplageman@gmai 497 : 12295 : ctx.blkno = BufferGetBlockNumber(ctx.buffer);
1780 rhaas@postgresql.org 498 : 12295 : ctx.page = BufferGetPage(ctx.buffer);
499 : :
500 : : /* Perform tuple checks */
501 : 12295 : maxoff = PageGetMaxOffsetNumber(ctx.page);
502 [ + + ]: 587838 : for (ctx.offnum = FirstOffsetNumber; ctx.offnum <= maxoff;
503 : 575543 : ctx.offnum = OffsetNumberNext(ctx.offnum))
504 : : {
505 : : BlockNumber nextblkno;
506 : : OffsetNumber nextoffnum;
507 : :
899 508 : 575543 : successor[ctx.offnum] = InvalidOffsetNumber;
509 : 575543 : lp_valid[ctx.offnum] = false;
510 : 575543 : xmin_commit_status_ok[ctx.offnum] = false;
1780 511 : 575543 : ctx.itemid = PageGetItemId(ctx.page, ctx.offnum);
512 : :
513 : : /* Skip over unused/dead line pointers */
514 [ + + + + ]: 575543 : if (!ItemIdIsUsed(ctx.itemid) || ItemIdIsDead(ctx.itemid))
515 : 9099 : continue;
516 : :
517 : : /*
518 : : * If this line pointer has been redirected, check that it
519 : : * redirects to a valid offset within the line pointer array
520 : : */
521 [ + + ]: 566444 : if (ItemIdIsRedirected(ctx.itemid))
522 : 5822 : {
523 : 5843 : OffsetNumber rdoffnum = ItemIdGetRedirect(ctx.itemid);
524 : : ItemId rditem;
525 : :
1779 tgl@sss.pgh.pa.us 526 [ + + ]: 5843 : if (rdoffnum < FirstOffsetNumber)
527 : : {
528 : 6 : report_corruption(&ctx,
529 : : psprintf("line pointer redirection to item at offset %u precedes minimum offset %u",
530 : : (unsigned) rdoffnum,
531 : : (unsigned) FirstOffsetNumber));
532 : 6 : continue;
533 : : }
534 [ + + ]: 5837 : if (rdoffnum > maxoff)
535 : : {
1780 rhaas@postgresql.org 536 : 14 : report_corruption(&ctx,
537 : : psprintf("line pointer redirection to item at offset %u exceeds maximum offset %u",
538 : : (unsigned) rdoffnum,
539 : : (unsigned) maxoff));
540 : 14 : continue;
541 : : }
542 : :
543 : : /*
544 : : * Since we've checked that this redirect points to a line
545 : : * pointer between FirstOffsetNumber and maxoff, it should now
546 : : * be safe to fetch the referenced line pointer. We expect it
547 : : * to be LP_NORMAL; if not, that's corruption.
548 : : */
549 : 5823 : rditem = PageGetItemId(ctx.page, rdoffnum);
550 [ - + ]: 5823 : if (!ItemIdIsUsed(rditem))
551 : : {
1780 rhaas@postgresql.org 552 :UBC 0 : report_corruption(&ctx,
553 : : psprintf("redirected line pointer points to an unused item at offset %u",
554 : : (unsigned) rdoffnum));
894 555 : 0 : continue;
556 : : }
894 rhaas@postgresql.org 557 [ - + ]:CBC 5823 : else if (ItemIdIsDead(rditem))
558 : : {
894 rhaas@postgresql.org 559 :UBC 0 : report_corruption(&ctx,
560 : : psprintf("redirected line pointer points to a dead item at offset %u",
561 : : (unsigned) rdoffnum));
562 : 0 : continue;
563 : : }
894 rhaas@postgresql.org 564 [ + + ]:CBC 5823 : else if (ItemIdIsRedirected(rditem))
565 : : {
566 : 1 : report_corruption(&ctx,
567 : : psprintf("redirected line pointer points to another redirected line pointer at offset %u",
568 : : (unsigned) rdoffnum));
569 : 1 : continue;
570 : : }
571 : :
572 : : /*
573 : : * Record the fact that this line pointer has passed basic
574 : : * sanity checking, and also the offset number to which it
575 : : * points.
576 : : */
899 577 : 5822 : lp_valid[ctx.offnum] = true;
578 : 5822 : successor[ctx.offnum] = rdoffnum;
1780 579 : 5822 : continue;
580 : : }
581 : :
582 : : /* Sanity-check the line pointer's offset and length values */
583 : 560601 : ctx.lp_len = ItemIdGetLength(ctx.itemid);
1779 tgl@sss.pgh.pa.us 584 : 560601 : ctx.lp_off = ItemIdGetOffset(ctx.itemid);
585 : :
586 [ + + ]: 560601 : if (ctx.lp_off != MAXALIGN(ctx.lp_off))
587 : : {
588 : 6 : report_corruption(&ctx,
589 : : psprintf("line pointer to page offset %u is not maximally aligned",
590 : 6 : ctx.lp_off));
591 : 6 : continue;
592 : : }
593 [ + + ]: 560595 : if (ctx.lp_len < MAXALIGN(SizeofHeapTupleHeader))
594 : : {
595 : 12 : report_corruption(&ctx,
596 : : psprintf("line pointer length %u is less than the minimum tuple header size %u",
597 : 12 : ctx.lp_len,
598 : : (unsigned) MAXALIGN(SizeofHeapTupleHeader)));
599 : 12 : continue;
600 : : }
601 [ + + ]: 560583 : if (ctx.lp_off + ctx.lp_len > BLCKSZ)
602 : : {
603 : 14 : report_corruption(&ctx,
604 : : psprintf("line pointer to page offset %u with length %u ends beyond maximum page offset %u",
605 : 14 : ctx.lp_off,
606 : 14 : ctx.lp_len,
607 : : (unsigned) BLCKSZ));
608 : 14 : continue;
609 : : }
610 : :
611 : : /* It should be safe to examine the tuple's header, at least */
899 rhaas@postgresql.org 612 : 560569 : lp_valid[ctx.offnum] = true;
1780 613 : 560569 : ctx.tuphdr = (HeapTupleHeader) PageGetItem(ctx.page, ctx.itemid);
614 : 560569 : ctx.natts = HeapTupleHeaderGetNatts(ctx.tuphdr);
615 : :
616 : : /* Ok, ready to check this next tuple */
899 617 : 560569 : check_tuple(&ctx,
618 : 560569 : &xmin_commit_status_ok[ctx.offnum],
619 : 560569 : &xmin_commit_status[ctx.offnum]);
620 : :
621 : : /*
622 : : * If the CTID field of this tuple seems to point to another tuple
623 : : * on the same page, record that tuple as the successor of this
624 : : * one.
625 : : */
626 : 560569 : nextblkno = ItemPointerGetBlockNumber(&(ctx.tuphdr)->t_ctid);
627 : 560569 : nextoffnum = ItemPointerGetOffsetNumber(&(ctx.tuphdr)->t_ctid);
898 628 [ + + + + : 560569 : if (nextblkno == ctx.blkno && nextoffnum != ctx.offnum &&
+ - ]
629 [ + - ]: 198 : nextoffnum >= FirstOffsetNumber && nextoffnum <= maxoff)
899 630 : 198 : successor[ctx.offnum] = nextoffnum;
631 : : }
632 : :
633 : : /*
634 : : * Update chain validation. Check each line pointer that's got a valid
635 : : * successor against that successor.
636 : : */
637 : 12295 : ctx.attnum = -1;
638 [ + + ]: 587838 : for (ctx.offnum = FirstOffsetNumber; ctx.offnum <= maxoff;
639 : 575543 : ctx.offnum = OffsetNumberNext(ctx.offnum))
640 : : {
641 : : ItemId curr_lp;
642 : : ItemId next_lp;
643 : : HeapTupleHeader curr_htup;
644 : : HeapTupleHeader next_htup;
645 : : TransactionId curr_xmin;
646 : : TransactionId curr_xmax;
647 : : TransactionId next_xmin;
648 : 575543 : OffsetNumber nextoffnum = successor[ctx.offnum];
649 : :
650 : : /*
651 : : * The current line pointer may not have a successor, either
652 : : * because it's not valid or because it didn't point to anything.
653 : : * In either case, we have to give up.
654 : : *
655 : : * If the current line pointer does point to something, it's
656 : : * possible that the target line pointer isn't valid. We have to
657 : : * give up in that case, too.
658 : : */
659 [ + + - + ]: 575543 : if (nextoffnum == InvalidOffsetNumber || !lp_valid[nextoffnum])
660 : 569523 : continue;
661 : :
662 : : /* We have two valid line pointers that we can examine. */
663 : 6020 : curr_lp = PageGetItemId(ctx.page, ctx.offnum);
664 : 6020 : next_lp = PageGetItemId(ctx.page, nextoffnum);
665 : :
666 : : /* Handle the cases where the current line pointer is a redirect. */
667 [ + + ]: 6020 : if (ItemIdIsRedirected(curr_lp))
668 : : {
669 : : /*
670 : : * We should not have set successor[ctx.offnum] to a value
671 : : * other than InvalidOffsetNumber unless that line pointer is
672 : : * LP_NORMAL.
673 : : */
894 674 [ - + ]: 5822 : Assert(ItemIdIsNormal(next_lp));
675 : :
676 : : /* Can only redirect to a HOT tuple. */
899 677 : 5822 : next_htup = (HeapTupleHeader) PageGetItem(ctx.page, next_lp);
678 [ + + ]: 5822 : if (!HeapTupleHeaderIsHeapOnly(next_htup))
679 : : {
680 : 1 : report_corruption(&ctx,
681 : : psprintf("redirected line pointer points to a non-heap-only tuple at offset %u",
682 : : (unsigned) nextoffnum));
683 : : }
684 : :
685 : : /* HOT chains should not intersect. */
686 [ + + ]: 5822 : if (predecessor[nextoffnum] != InvalidOffsetNumber)
687 : : {
688 : 1 : report_corruption(&ctx,
689 : : psprintf("redirect line pointer points to offset %u, but offset %u also points there",
690 : 1 : (unsigned) nextoffnum, (unsigned) predecessor[nextoffnum]));
691 : 1 : continue;
692 : : }
693 : :
694 : : /*
695 : : * This redirect and the tuple to which it points seem to be
696 : : * part of an update chain.
697 : : */
698 : 5821 : predecessor[nextoffnum] = ctx.offnum;
699 : 5821 : continue;
700 : : }
701 : :
702 : : /*
703 : : * If the next line pointer is a redirect, or if it's a tuple but
704 : : * the XMAX of this tuple doesn't match the XMIN of the next
705 : : * tuple, then the two aren't part of the same update chain and
706 : : * there is nothing more to do.
707 : : */
708 [ - + ]: 198 : if (ItemIdIsRedirected(next_lp))
899 rhaas@postgresql.org 709 :UBC 0 : continue;
899 rhaas@postgresql.org 710 :CBC 198 : curr_htup = (HeapTupleHeader) PageGetItem(ctx.page, curr_lp);
711 : 198 : curr_xmax = HeapTupleHeaderGetUpdateXid(curr_htup);
712 : 198 : next_htup = (HeapTupleHeader) PageGetItem(ctx.page, next_lp);
713 : 198 : next_xmin = HeapTupleHeaderGetXmin(next_htup);
714 [ + + - + ]: 198 : if (!TransactionIdIsValid(curr_xmax) ||
715 : : !TransactionIdEquals(curr_xmax, next_xmin))
716 : 4 : continue;
717 : :
718 : : /* HOT chains should not intersect. */
719 [ + + ]: 194 : if (predecessor[nextoffnum] != InvalidOffsetNumber)
720 : : {
721 : 1 : report_corruption(&ctx,
722 : : psprintf("tuple points to new version at offset %u, but offset %u also points there",
723 : 1 : (unsigned) nextoffnum, (unsigned) predecessor[nextoffnum]));
724 : 1 : continue;
725 : : }
726 : :
727 : : /*
728 : : * This tuple and the tuple to which it points seem to be part of
729 : : * an update chain.
730 : : */
731 : 193 : predecessor[nextoffnum] = ctx.offnum;
732 : :
733 : : /*
734 : : * If the current tuple is marked as HOT-updated, then the next
735 : : * tuple should be marked as a heap-only tuple. Conversely, if the
736 : : * current tuple isn't marked as HOT-updated, then the next tuple
737 : : * shouldn't be marked as a heap-only tuple.
738 : : *
739 : : * NB: Can't use HeapTupleHeaderIsHotUpdated() as it checks if
740 : : * hint bits indicate xmin/xmax aborted.
741 : : */
898 742 [ + + + - ]: 194 : if (!(curr_htup->t_infomask2 & HEAP_HOT_UPDATED) &&
899 743 : 1 : HeapTupleHeaderIsHeapOnly(next_htup))
744 : : {
745 : 1 : report_corruption(&ctx,
746 : : psprintf("non-heap-only update produced a heap-only tuple at offset %u",
747 : : (unsigned) nextoffnum));
748 : : }
898 749 [ + + ]: 193 : if ((curr_htup->t_infomask2 & HEAP_HOT_UPDATED) &&
899 750 [ + + ]: 192 : !HeapTupleHeaderIsHeapOnly(next_htup))
751 : : {
752 : 1 : report_corruption(&ctx,
753 : : psprintf("heap-only update produced a non-heap only tuple at offset %u",
754 : : (unsigned) nextoffnum));
755 : : }
756 : :
757 : : /*
758 : : * If the current tuple's xmin is still in progress but the
759 : : * successor tuple's xmin is committed, that's corruption.
760 : : *
761 : : * NB: We recheck the commit status of the current tuple's xmin
762 : : * here, because it might have committed after we checked it and
763 : : * before we checked the commit status of the successor tuple's
764 : : * xmin. This should be safe because the xmin itself can't have
765 : : * changed, only its commit status.
766 : : */
767 : 193 : curr_xmin = HeapTupleHeaderGetXmin(curr_htup);
768 [ + - ]: 193 : if (xmin_commit_status_ok[ctx.offnum] &&
769 [ + + ]: 193 : xmin_commit_status[ctx.offnum] == XID_IN_PROGRESS &&
770 [ + - ]: 1 : xmin_commit_status_ok[nextoffnum] &&
771 [ + - + - ]: 2 : xmin_commit_status[nextoffnum] == XID_COMMITTED &&
772 : 1 : TransactionIdIsInProgress(curr_xmin))
773 : : {
774 : 1 : report_corruption(&ctx,
775 : : psprintf("tuple with in-progress xmin %u was updated to produce a tuple at offset %u with committed xmin %u",
776 : : (unsigned) curr_xmin,
777 : 1 : (unsigned) ctx.offnum,
778 : : (unsigned) next_xmin));
779 : : }
780 : :
781 : : /*
782 : : * If the current tuple's xmin is aborted but the successor
783 : : * tuple's xmin is in-progress or committed, that's corruption.
784 : : */
785 [ + - ]: 193 : if (xmin_commit_status_ok[ctx.offnum] &&
786 [ + + ]: 193 : xmin_commit_status[ctx.offnum] == XID_ABORTED &&
787 [ + - ]: 2 : xmin_commit_status_ok[nextoffnum])
788 : : {
789 [ + + ]: 2 : if (xmin_commit_status[nextoffnum] == XID_IN_PROGRESS)
790 : 1 : report_corruption(&ctx,
791 : : psprintf("tuple with aborted xmin %u was updated to produce a tuple at offset %u with in-progress xmin %u",
792 : : (unsigned) curr_xmin,
793 : 1 : (unsigned) ctx.offnum,
794 : : (unsigned) next_xmin));
795 [ + - ]: 1 : else if (xmin_commit_status[nextoffnum] == XID_COMMITTED)
796 : 1 : report_corruption(&ctx,
797 : : psprintf("tuple with aborted xmin %u was updated to produce a tuple at offset %u with committed xmin %u",
798 : : (unsigned) curr_xmin,
799 : 1 : (unsigned) ctx.offnum,
800 : : (unsigned) next_xmin));
801 : : }
802 : : }
803 : :
804 : : /*
805 : : * An update chain can start either with a non-heap-only tuple or with
806 : : * a redirect line pointer, but not with a heap-only tuple.
807 : : *
808 : : * (This check is in a separate loop because we need the predecessor
809 : : * array to be fully populated before we can perform it.)
810 : : */
811 : 12295 : for (ctx.offnum = FirstOffsetNumber;
812 [ + + ]: 587838 : ctx.offnum <= maxoff;
813 : 575543 : ctx.offnum = OffsetNumberNext(ctx.offnum))
814 : : {
815 [ + + ]: 575543 : if (xmin_commit_status_ok[ctx.offnum] &&
816 [ + + ]: 560560 : (xmin_commit_status[ctx.offnum] == XID_COMMITTED ||
817 [ + + ]: 7 : xmin_commit_status[ctx.offnum] == XID_IN_PROGRESS) &&
818 [ + + ]: 560555 : predecessor[ctx.offnum] == InvalidOffsetNumber)
819 : : {
820 : : ItemId curr_lp;
821 : :
822 : 554544 : curr_lp = PageGetItemId(ctx.page, ctx.offnum);
823 [ + - ]: 554544 : if (!ItemIdIsRedirected(curr_lp))
824 : : {
825 : : HeapTupleHeader curr_htup;
826 : :
827 : : curr_htup = (HeapTupleHeader)
828 : 554544 : PageGetItem(ctx.page, curr_lp);
829 [ + + ]: 554544 : if (HeapTupleHeaderIsHeapOnly(curr_htup))
830 : 4 : report_corruption(&ctx,
831 : : psprintf("tuple is root of chain but is marked as heap-only tuple"));
832 : : }
833 : : }
834 : : }
835 : :
836 : : /* clean up */
1780 837 : 12295 : UnlockReleaseBuffer(ctx.buffer);
838 : :
839 : : /*
840 : : * Check any toast pointers from the page whose lock we just released
841 : : */
1613 842 [ + + ]: 12295 : if (ctx.toasted_attributes != NIL)
843 : : {
844 : : ListCell *cell;
845 : :
846 [ + - + + : 12661 : foreach(cell, ctx.toasted_attributes)
+ + ]
847 : 11818 : check_toasted_attribute(&ctx, lfirst(cell));
848 : 843 : list_free_deep(ctx.toasted_attributes);
849 : 843 : ctx.toasted_attributes = NIL;
850 : : }
851 : :
1780 852 [ + + - + ]: 12292 : if (on_error_stop && ctx.is_corrupt)
1780 rhaas@postgresql.org 853 :UBC 0 : break;
854 : : }
855 : :
163 melanieplageman@gmai 856 :CBC 1472 : read_stream_end(stream);
857 : :
1780 rhaas@postgresql.org 858 [ + + ]: 1472 : if (vmbuffer != InvalidBuffer)
859 : 3 : ReleaseBuffer(vmbuffer);
860 : :
861 : : /* Close the associated toast table and indexes, if any. */
862 [ + + ]: 1472 : if (ctx.toast_indexes)
863 : 693 : toast_close_indexes(ctx.toast_indexes, ctx.num_toast_indexes,
864 : : AccessShareLock);
865 [ + + ]: 1472 : if (ctx.toast_rel)
866 : 693 : table_close(ctx.toast_rel, AccessShareLock);
867 : :
868 : : /* Close the main relation */
869 : 1472 : relation_close(ctx.rel, AccessShareLock);
870 : :
871 : 1472 : PG_RETURN_NULL();
872 : : }
873 : :
874 : : /*
875 : : * Heap amcheck's read stream callback for getting the next unskippable block.
876 : : * This callback is only used when 'all-visible' or 'all-frozen' is provided
877 : : * as the skip option to verify_heapam(). With the default 'none',
878 : : * block_range_read_stream_cb() is used instead.
879 : : */
880 : : static BlockNumber
163 melanieplageman@gmai 881 : 867 : heapcheck_read_stream_next_unskippable(ReadStream *stream,
882 : : void *callback_private_data,
883 : : void *per_buffer_data)
884 : : {
885 : 867 : HeapCheckReadStreamData *p = callback_private_data;
886 : :
887 : : /* Loops over [current_blocknum, last_exclusive) blocks */
888 [ + + ]: 900 : for (BlockNumber i; (i = p->range.current_blocknum++) < p->range.last_exclusive;)
889 : : {
890 : 735 : uint8 mapbits = visibilitymap_get_status(p->rel, i, p->vmbuffer);
891 : :
892 [ + + ]: 735 : if (p->skip_option == SKIP_PAGES_ALL_FROZEN)
893 : : {
894 [ + + ]: 384 : if ((mapbits & VISIBILITYMAP_ALL_FROZEN) != 0)
895 : 32 : continue;
896 : : }
897 : :
898 [ + + ]: 703 : if (p->skip_option == SKIP_PAGES_ALL_VISIBLE)
899 : : {
900 [ + + ]: 351 : if ((mapbits & VISIBILITYMAP_ALL_VISIBLE) != 0)
901 : 1 : continue;
902 : : }
903 : :
904 : 702 : return i;
905 : : }
906 : :
907 : 165 : return InvalidBlockNumber;
908 : : }
909 : :
910 : : /*
911 : : * Shared internal implementation for report_corruption and
912 : : * report_toast_corruption.
913 : : */
914 : : static void
1613 rhaas@postgresql.org 915 : 86 : report_corruption_internal(Tuplestorestate *tupstore, TupleDesc tupdesc,
916 : : BlockNumber blkno, OffsetNumber offnum,
917 : : AttrNumber attnum, char *msg)
918 : : {
1148 peter@eisentraut.org 919 : 86 : Datum values[HEAPCHECK_RELATION_COLS] = {0};
920 : 86 : bool nulls[HEAPCHECK_RELATION_COLS] = {0};
921 : : HeapTuple tuple;
922 : :
1613 rhaas@postgresql.org 923 : 86 : values[0] = Int64GetDatum(blkno);
924 : 86 : values[1] = Int32GetDatum(offnum);
925 : 86 : values[2] = Int32GetDatum(attnum);
926 : 86 : nulls[2] = (attnum < 0);
1780 927 : 86 : values[3] = CStringGetTextDatum(msg);
928 : :
929 : : /*
930 : : * In principle, there is nothing to prevent a scan over a large, highly
931 : : * corrupted table from using work_mem worth of memory building up the
932 : : * tuplestore. That's ok, but if we also leak the msg argument memory
933 : : * until the end of the query, we could exceed work_mem by more than a
934 : : * trivial amount. Therefore, free the msg argument each time we are
935 : : * called rather than waiting for our current memory context to be freed.
936 : : */
937 : 86 : pfree(msg);
938 : :
1613 939 : 86 : tuple = heap_form_tuple(tupdesc, values, nulls);
940 : 86 : tuplestore_puttuple(tupstore, tuple);
941 : 86 : }
942 : :
943 : : /*
944 : : * Record a single corruption found in the main table. The values in ctx should
945 : : * indicate the location of the corruption, and the msg argument should contain
946 : : * a human-readable description of the corruption.
947 : : *
948 : : * The msg argument is pfree'd by this function.
949 : : */
950 : : static void
951 : 85 : report_corruption(HeapCheckContext *ctx, char *msg)
952 : : {
953 : 85 : report_corruption_internal(ctx->tupstore, ctx->tupdesc, ctx->blkno,
954 : 85 : ctx->offnum, ctx->attnum, msg);
955 : 85 : ctx->is_corrupt = true;
956 : 85 : }
957 : :
958 : : /*
959 : : * Record corruption found in the toast table. The values in ta should
960 : : * indicate the location in the main table where the toast pointer was
961 : : * encountered, and the msg argument should contain a human-readable
962 : : * description of the toast table corruption.
963 : : *
964 : : * As above, the msg argument is pfree'd by this function.
965 : : */
966 : : static void
967 : 1 : report_toast_corruption(HeapCheckContext *ctx, ToastedAttribute *ta,
968 : : char *msg)
969 : : {
970 : 1 : report_corruption_internal(ctx->tupstore, ctx->tupdesc, ta->blkno,
971 : 1 : ta->offnum, ta->attnum, msg);
1780 972 : 1 : ctx->is_corrupt = true;
973 : 1 : }
974 : :
975 : : /*
976 : : * Check for tuple header corruption.
977 : : *
978 : : * Some kinds of corruption make it unsafe to check the tuple attributes, for
979 : : * example when the line pointer refers to a range of bytes outside the page.
980 : : * In such cases, we return false (not checkable) after recording appropriate
981 : : * corruption messages.
982 : : *
983 : : * Some other kinds of tuple header corruption confuse the question of where
984 : : * the tuple attributes begin, or how long the nulls bitmap is, etc., making it
985 : : * unreasonable to attempt to check attributes, even if all candidate answers
986 : : * to those questions would not result in reading past the end of the line
987 : : * pointer or page. In such cases, like above, we record corruption messages
988 : : * about the header and then return false.
989 : : *
990 : : * Other kinds of tuple header corruption do not bear on the question of
991 : : * whether the tuple attributes can be checked, so we record corruption
992 : : * messages for them but we do not return false merely because we detected
993 : : * them.
994 : : *
995 : : * Returns whether the tuple is sufficiently sensible to undergo visibility and
996 : : * attribute checks.
997 : : */
998 : : static bool
1619 999 : 560569 : check_tuple_header(HeapCheckContext *ctx)
1000 : : {
1001 : 560569 : HeapTupleHeader tuphdr = ctx->tuphdr;
1780 1002 : 560569 : uint16 infomask = tuphdr->t_infomask;
899 1003 : 560569 : TransactionId curr_xmax = HeapTupleHeaderGetUpdateXid(tuphdr);
1619 1004 : 560569 : bool result = true;
1005 : : unsigned expected_hoff;
1006 : :
1780 1007 [ + + ]: 560569 : if (ctx->tuphdr->t_hoff > ctx->lp_len)
1008 : : {
1009 : 1 : report_corruption(ctx,
1010 : : psprintf("data begins at offset %u beyond the tuple length %u",
1011 : 1 : ctx->tuphdr->t_hoff, ctx->lp_len));
1619 1012 : 1 : result = false;
1013 : : }
1014 : :
1780 1015 [ + + ]: 560569 : if ((ctx->tuphdr->t_infomask & HEAP_XMAX_COMMITTED) &&
1016 [ + + ]: 176 : (ctx->tuphdr->t_infomask & HEAP_XMAX_IS_MULTI))
1017 : : {
1018 : 2 : report_corruption(ctx,
1019 : : pstrdup("multixact should not be marked committed"));
1020 : :
1021 : : /*
1022 : : * This condition is clearly wrong, but it's not enough to justify
1023 : : * skipping further checks, because we don't rely on this to determine
1024 : : * whether the tuple is visible or to interpret other relevant header
1025 : : * fields.
1026 : : */
1027 : : }
1028 : :
899 1029 [ + + + + ]: 1119667 : if (!TransactionIdIsValid(curr_xmax) &&
1030 : 559098 : HeapTupleHeaderIsHotUpdated(tuphdr))
1031 : : {
1032 : 1 : report_corruption(ctx,
1033 : : psprintf("tuple has been HOT updated, but xmax is 0"));
1034 : :
1035 : : /*
1036 : : * As above, even though this shouldn't happen, it's not sufficient
1037 : : * justification for skipping further checks, we should still be able
1038 : : * to perform sensibly.
1039 : : */
1040 : : }
1041 : :
894 1042 [ + + ]: 560569 : if (HeapTupleHeaderIsHeapOnly(tuphdr) &&
1043 [ + + ]: 6016 : ((tuphdr->t_infomask & HEAP_UPDATED) == 0))
1044 : : {
1045 : 1 : report_corruption(ctx,
1046 : : psprintf("tuple is heap only, but not the result of an update"));
1047 : :
1048 : : /* Here again, we can still perform further checks. */
1049 : : }
1050 : :
1780 1051 [ + + ]: 560569 : if (infomask & HEAP_HASNULL)
1052 : 259354 : expected_hoff = MAXALIGN(SizeofHeapTupleHeader + BITMAPLEN(ctx->natts));
1053 : : else
1054 : 301215 : expected_hoff = MAXALIGN(SizeofHeapTupleHeader);
1055 [ + + ]: 560569 : if (ctx->tuphdr->t_hoff != expected_hoff)
1056 : : {
1057 [ + + - + ]: 5 : if ((infomask & HEAP_HASNULL) && ctx->natts == 1)
1780 rhaas@postgresql.org 1058 :UBC 0 : report_corruption(ctx,
1059 : : psprintf("tuple data should begin at byte %u, but actually begins at byte %u (1 attribute, has nulls)",
1060 : 0 : expected_hoff, ctx->tuphdr->t_hoff));
1780 rhaas@postgresql.org 1061 [ + + ]:CBC 5 : else if ((infomask & HEAP_HASNULL))
1062 : 1 : report_corruption(ctx,
1063 : : psprintf("tuple data should begin at byte %u, but actually begins at byte %u (%u attributes, has nulls)",
1064 : 1 : expected_hoff, ctx->tuphdr->t_hoff, ctx->natts));
1065 [ - + ]: 4 : else if (ctx->natts == 1)
1780 rhaas@postgresql.org 1066 :UBC 0 : report_corruption(ctx,
1067 : : psprintf("tuple data should begin at byte %u, but actually begins at byte %u (1 attribute, no nulls)",
1068 : 0 : expected_hoff, ctx->tuphdr->t_hoff));
1069 : : else
1780 rhaas@postgresql.org 1070 :CBC 4 : report_corruption(ctx,
1071 : : psprintf("tuple data should begin at byte %u, but actually begins at byte %u (%u attributes, no nulls)",
1072 : 4 : expected_hoff, ctx->tuphdr->t_hoff, ctx->natts));
1619 1073 : 5 : result = false;
1074 : : }
1075 : :
1076 : 560569 : return result;
1077 : : }
1078 : :
1079 : : /*
1080 : : * Checks tuple visibility so we know which further checks are safe to
1081 : : * perform.
1082 : : *
1083 : : * If a tuple could have been inserted by a transaction that also added a
1084 : : * column to the table, but which ultimately did not commit, or which has not
1085 : : * yet committed, then the table's current TupleDesc might differ from the one
1086 : : * used to construct this tuple, so we must not check it.
1087 : : *
1088 : : * As a special case, if our own transaction inserted the tuple, even if we
1089 : : * added a column to the table, our TupleDesc should match. We could check the
1090 : : * tuple, but choose not to do so.
1091 : : *
1092 : : * If a tuple has been updated or deleted, we can still read the old tuple for
1093 : : * corruption checking purposes, as long as we are careful about concurrent
1094 : : * vacuums. The main table tuple itself cannot be vacuumed away because we
1095 : : * hold a buffer lock on the page, but if the deleting transaction is older
1096 : : * than our transaction snapshot's xmin, then vacuum could remove the toast at
1097 : : * any time, so we must not try to follow TOAST pointers.
1098 : : *
1099 : : * If xmin or xmax values are older than can be checked against clog, or appear
1100 : : * to be in the future (possibly due to wrap-around), then we cannot make a
1101 : : * determination about the visibility of the tuple, so we skip further checks.
1102 : : *
1103 : : * Returns true if the tuple itself should be checked, false otherwise. Sets
1104 : : * ctx->tuple_could_be_pruned if the tuple -- and thus also any associated
1105 : : * TOAST tuples -- are eligible for pruning.
1106 : : *
1107 : : * Sets *xmin_commit_status_ok to true if the commit status of xmin is known
1108 : : * and false otherwise. If it's set to true, then also set *xmin_commit_status
1109 : : * to the actual commit status.
1110 : : */
1111 : : static bool
899 1112 : 560564 : check_tuple_visibility(HeapCheckContext *ctx, bool *xmin_commit_status_ok,
1113 : : XidCommitStatus *xmin_commit_status)
1114 : : {
1115 : : TransactionId xmin;
1116 : : TransactionId xvac;
1117 : : TransactionId xmax;
1118 : : XidCommitStatus xmin_status;
1119 : : XidCommitStatus xvac_status;
1120 : : XidCommitStatus xmax_status;
1619 1121 : 560564 : HeapTupleHeader tuphdr = ctx->tuphdr;
1122 : :
1123 : 560564 : ctx->tuple_could_be_pruned = true; /* have not yet proven otherwise */
841 tgl@sss.pgh.pa.us 1124 : 560564 : *xmin_commit_status_ok = false; /* have not yet proven otherwise */
1125 : :
1126 : : /* If xmin is normal, it should be within valid range */
1619 rhaas@postgresql.org 1127 : 560564 : xmin = HeapTupleHeaderGetXmin(tuphdr);
1128 [ - + + + : 560564 : switch (get_xid_status(xmin, ctx, &xmin_status))
+ - ]
1129 : : {
1619 rhaas@postgresql.org 1130 :UBC 0 : case XID_INVALID:
1131 : : /* Could be the result of a speculative insertion that aborted. */
898 1132 : 0 : return false;
1619 rhaas@postgresql.org 1133 :CBC 560560 : case XID_BOUNDS_OK:
899 1134 : 560560 : *xmin_commit_status_ok = true;
1135 : 560560 : *xmin_commit_status = xmin_status;
1619 1136 : 560560 : break;
1137 : 1 : case XID_IN_FUTURE:
1138 : 1 : report_corruption(ctx,
1139 : : psprintf("xmin %u equals or exceeds next valid transaction ID %u:%u",
1140 : : xmin,
1141 : 1 : EpochFromFullTransactionId(ctx->next_fxid),
1142 : 1 : XidFromFullTransactionId(ctx->next_fxid)));
1143 : 1 : return false;
1144 : 2 : case XID_PRECEDES_CLUSTERMIN:
1145 : 2 : report_corruption(ctx,
1146 : : psprintf("xmin %u precedes oldest valid transaction ID %u:%u",
1147 : : xmin,
1148 : 2 : EpochFromFullTransactionId(ctx->oldest_fxid),
1149 : 2 : XidFromFullTransactionId(ctx->oldest_fxid)));
1150 : 2 : return false;
1151 : 1 : case XID_PRECEDES_RELMIN:
1152 : 1 : report_corruption(ctx,
1153 : : psprintf("xmin %u precedes relation freeze threshold %u:%u",
1154 : : xmin,
1155 : 1 : EpochFromFullTransactionId(ctx->relfrozenfxid),
1156 : 1 : XidFromFullTransactionId(ctx->relfrozenfxid)));
1157 : 1 : return false;
1158 : : }
1159 : :
1160 : : /*
1161 : : * Has inserting transaction committed?
1162 : : */
1780 1163 [ + + ]: 560560 : if (!HeapTupleHeaderXminCommitted(tuphdr))
1164 : : {
1165 [ - + ]: 15594 : if (HeapTupleHeaderXminInvalid(tuphdr))
1619 rhaas@postgresql.org 1166 :UBC 0 : return false; /* inserter aborted, don't check */
1167 : : /* Used by pre-9.0 binary upgrades */
1619 rhaas@postgresql.org 1168 [ - + ]:CBC 15594 : else if (tuphdr->t_infomask & HEAP_MOVED_OFF)
1169 : : {
1619 rhaas@postgresql.org 1170 :UBC 0 : xvac = HeapTupleHeaderGetXvac(tuphdr);
1171 : :
1172 [ # # # # : 0 : switch (get_xid_status(xvac, ctx, &xvac_status))
# # ]
1173 : : {
1780 1174 : 0 : case XID_INVALID:
1175 : 0 : report_corruption(ctx,
1176 : : pstrdup("old-style VACUUM FULL transaction ID for moved off tuple is invalid"));
1619 1177 : 0 : return false;
1780 1178 : 0 : case XID_IN_FUTURE:
1179 : 0 : report_corruption(ctx,
1180 : : psprintf("old-style VACUUM FULL transaction ID %u for moved off tuple equals or exceeds next valid transaction ID %u:%u",
1181 : : xvac,
1182 : 0 : EpochFromFullTransactionId(ctx->next_fxid),
1183 : 0 : XidFromFullTransactionId(ctx->next_fxid)));
1619 1184 : 0 : return false;
1780 1185 : 0 : case XID_PRECEDES_RELMIN:
1186 : 0 : report_corruption(ctx,
1187 : : psprintf("old-style VACUUM FULL transaction ID %u for moved off tuple precedes relation freeze threshold %u:%u",
1188 : : xvac,
1189 : 0 : EpochFromFullTransactionId(ctx->relfrozenfxid),
1190 : 0 : XidFromFullTransactionId(ctx->relfrozenfxid)));
1619 1191 : 0 : return false;
1780 1192 : 0 : case XID_PRECEDES_CLUSTERMIN:
1193 : 0 : report_corruption(ctx,
1194 : : psprintf("old-style VACUUM FULL transaction ID %u for moved off tuple precedes oldest valid transaction ID %u:%u",
1195 : : xvac,
1196 : 0 : EpochFromFullTransactionId(ctx->oldest_fxid),
1197 : 0 : XidFromFullTransactionId(ctx->oldest_fxid)));
1619 1198 : 0 : return false;
1780 1199 : 0 : case XID_BOUNDS_OK:
1619 1200 : 0 : break;
1201 : : }
1202 : :
1203 [ # # # # : 0 : switch (xvac_status)
# ]
1204 : : {
1205 : 0 : case XID_IS_CURRENT_XID:
1206 : 0 : report_corruption(ctx,
1207 : : psprintf("old-style VACUUM FULL transaction ID %u for moved off tuple matches our current transaction ID",
1208 : : xvac));
1209 : 0 : return false;
1210 : 0 : case XID_IN_PROGRESS:
1211 : 0 : report_corruption(ctx,
1212 : : psprintf("old-style VACUUM FULL transaction ID %u for moved off tuple appears to be in progress",
1213 : : xvac));
1214 : 0 : return false;
1215 : :
1216 : 0 : case XID_COMMITTED:
1217 : :
1218 : : /*
1219 : : * The tuple is dead, because the xvac transaction moved
1220 : : * it off and committed. It's checkable, but also
1221 : : * prunable.
1222 : : */
1223 : 0 : return true;
1224 : :
1225 : 0 : case XID_ABORTED:
1226 : :
1227 : : /*
1228 : : * The original xmin must have committed, because the xvac
1229 : : * transaction tried to move it later. Since xvac is
1230 : : * aborted, whether it's still alive now depends on the
1231 : : * status of xmax.
1232 : : */
1233 : 0 : break;
1234 : : }
1235 : : }
1236 : : /* Used by pre-9.0 binary upgrades */
1619 rhaas@postgresql.org 1237 [ - + ]:CBC 15594 : else if (tuphdr->t_infomask & HEAP_MOVED_IN)
1238 : : {
1619 rhaas@postgresql.org 1239 :UBC 0 : xvac = HeapTupleHeaderGetXvac(tuphdr);
1240 : :
1241 [ # # # # : 0 : switch (get_xid_status(xvac, ctx, &xvac_status))
# # ]
1242 : : {
1780 1243 : 0 : case XID_INVALID:
1244 : 0 : report_corruption(ctx,
1245 : : pstrdup("old-style VACUUM FULL transaction ID for moved in tuple is invalid"));
1246 : 0 : return false;
1247 : 0 : case XID_IN_FUTURE:
1248 : 0 : report_corruption(ctx,
1249 : : psprintf("old-style VACUUM FULL transaction ID %u for moved in tuple equals or exceeds next valid transaction ID %u:%u",
1250 : : xvac,
1251 : 0 : EpochFromFullTransactionId(ctx->next_fxid),
1252 : 0 : XidFromFullTransactionId(ctx->next_fxid)));
1619 1253 : 0 : return false;
1780 1254 : 0 : case XID_PRECEDES_RELMIN:
1255 : 0 : report_corruption(ctx,
1256 : : psprintf("old-style VACUUM FULL transaction ID %u for moved in tuple precedes relation freeze threshold %u:%u",
1257 : : xvac,
1258 : 0 : EpochFromFullTransactionId(ctx->relfrozenfxid),
1259 : 0 : XidFromFullTransactionId(ctx->relfrozenfxid)));
1619 1260 : 0 : return false;
1780 1261 : 0 : case XID_PRECEDES_CLUSTERMIN:
1262 : 0 : report_corruption(ctx,
1263 : : psprintf("old-style VACUUM FULL transaction ID %u for moved in tuple precedes oldest valid transaction ID %u:%u",
1264 : : xvac,
1265 : 0 : EpochFromFullTransactionId(ctx->oldest_fxid),
1266 : 0 : XidFromFullTransactionId(ctx->oldest_fxid)));
1619 1267 : 0 : return false;
1780 1268 : 0 : case XID_BOUNDS_OK:
1619 1269 : 0 : break;
1270 : : }
1271 : :
1272 [ # # # # : 0 : switch (xvac_status)
# ]
1273 : : {
1274 : 0 : case XID_IS_CURRENT_XID:
1275 : 0 : report_corruption(ctx,
1276 : : psprintf("old-style VACUUM FULL transaction ID %u for moved in tuple matches our current transaction ID",
1277 : : xvac));
1278 : 0 : return false;
1279 : 0 : case XID_IN_PROGRESS:
1280 : 0 : report_corruption(ctx,
1281 : : psprintf("old-style VACUUM FULL transaction ID %u for moved in tuple appears to be in progress",
1282 : : xvac));
1283 : 0 : return false;
1284 : :
1285 : 0 : case XID_COMMITTED:
1286 : :
1287 : : /*
1288 : : * The original xmin must have committed, because the xvac
1289 : : * transaction moved it later. Whether it's still alive
1290 : : * now depends on the status of xmax.
1291 : : */
1292 : 0 : break;
1293 : :
1294 : 0 : case XID_ABORTED:
1295 : :
1296 : : /*
1297 : : * The tuple is dead, because the xvac transaction moved
1298 : : * it off and committed. It's checkable, but also
1299 : : * prunable.
1300 : : */
1301 : 0 : return true;
1302 : : }
1303 : : }
1619 rhaas@postgresql.org 1304 [ + + ]:CBC 15594 : else if (xmin_status != XID_COMMITTED)
1305 : : {
1306 : : /*
1307 : : * Inserting transaction is not in progress, and not committed, so
1308 : : * it might have changed the TupleDesc in ways we don't know
1309 : : * about. Thus, don't try to check the tuple structure.
1310 : : *
1311 : : * If xmin_status happens to be XID_IS_CURRENT_XID, then in theory
1312 : : * any such DDL changes ought to be visible to us, so perhaps we
1313 : : * could check anyway in that case. But, for now, let's be
1314 : : * conservative and treat this like any other uncommitted insert.
1315 : : */
1316 : 7 : return false;
1317 : : }
1318 : : }
1319 : :
1320 : : /*
1321 : : * Okay, the inserter committed, so it was good at some point. Now what
1322 : : * about the deleting transaction?
1323 : : */
1324 : :
1325 [ + + ]: 560553 : if (tuphdr->t_infomask & HEAP_XMAX_IS_MULTI)
1326 : : {
1327 : : /*
1328 : : * xmax is a multixact, so sanity-check the MXID. Note that we do this
1329 : : * prior to checking for HEAP_XMAX_INVALID or
1330 : : * HEAP_XMAX_IS_LOCKED_ONLY. This might therefore complain about
1331 : : * things that wouldn't actually be a problem during a normal scan,
1332 : : * but eventually we're going to have to freeze, and that process will
1333 : : * ignore hint bits.
1334 : : *
1335 : : * Even if the MXID is out of range, we still know that the original
1336 : : * insert committed, so we can check the tuple itself. However, we
1337 : : * can't rule out the possibility that this tuple is dead, so don't
1338 : : * clear ctx->tuple_could_be_pruned. Possibly we should go ahead and
1339 : : * clear that flag anyway if HEAP_XMAX_INVALID is set or if
1340 : : * HEAP_XMAX_IS_LOCKED_ONLY is true, but for now we err on the side of
1341 : : * avoiding possibly-bogus complaints about missing TOAST entries.
1342 : : */
1343 : 58 : xmax = HeapTupleHeaderGetRawXmax(tuphdr);
1344 [ - + - + : 58 : switch (check_mxid_valid_in_rel(xmax, ctx))
+ - ]
1345 : : {
1619 rhaas@postgresql.org 1346 :UBC 0 : case XID_INVALID:
1347 : 0 : report_corruption(ctx,
1348 : : pstrdup("multitransaction ID is invalid"));
1349 : 0 : return true;
1619 rhaas@postgresql.org 1350 :CBC 1 : case XID_PRECEDES_RELMIN:
1351 : 1 : report_corruption(ctx,
1352 : : psprintf("multitransaction ID %u precedes relation minimum multitransaction ID threshold %u",
1353 : : xmax, ctx->relminmxid));
1354 : 1 : return true;
1619 rhaas@postgresql.org 1355 :UBC 0 : case XID_PRECEDES_CLUSTERMIN:
1356 : 0 : report_corruption(ctx,
1357 : : psprintf("multitransaction ID %u precedes oldest valid multitransaction ID threshold %u",
1358 : : xmax, ctx->oldest_mxact));
1359 : 0 : return true;
1619 rhaas@postgresql.org 1360 :CBC 1 : case XID_IN_FUTURE:
1361 : 1 : report_corruption(ctx,
1362 : : psprintf("multitransaction ID %u equals or exceeds next valid multitransaction ID %u",
1363 : : xmax,
1364 : : ctx->next_mxact));
1365 : 1 : return true;
1366 : 56 : case XID_BOUNDS_OK:
1367 : 56 : break;
1368 : : }
1369 : : }
1370 : :
1371 [ + + ]: 560551 : if (tuphdr->t_infomask & HEAP_XMAX_INVALID)
1372 : : {
1373 : : /*
1374 : : * This tuple is live. A concurrently running transaction could
1375 : : * delete it before we get around to checking the toast, but any such
1376 : : * running transaction is surely not less than our safe_xmin, so the
1377 : : * toast cannot be vacuumed out from under us.
1378 : : */
1379 : 559085 : ctx->tuple_could_be_pruned = false;
1380 : 559085 : return true;
1381 : : }
1382 : :
1383 [ + + ]: 1466 : if (HEAP_XMAX_IS_LOCKED_ONLY(tuphdr->t_infomask))
1384 : : {
1385 : : /*
1386 : : * "Deleting" xact really only locked it, so the tuple is live in any
1387 : : * case. As above, a concurrently running transaction could delete
1388 : : * it, but it cannot be vacuumed out from under us.
1389 : : */
1390 : 28 : ctx->tuple_could_be_pruned = false;
1391 : 28 : return true;
1392 : : }
1393 : :
1394 [ + + ]: 1438 : if (tuphdr->t_infomask & HEAP_XMAX_IS_MULTI)
1395 : : {
1396 : : /*
1397 : : * We already checked above that this multixact is within limits for
1398 : : * this table. Now check the update xid from this multixact.
1399 : : */
1400 : 28 : xmax = HeapTupleGetUpdateXid(tuphdr);
1401 [ - - - - : 28 : switch (get_xid_status(xmax, ctx, &xmax_status))
+ - ]
1402 : : {
1619 rhaas@postgresql.org 1403 :UBC 0 : case XID_INVALID:
1404 : : /* not LOCKED_ONLY, so it has to have an xmax */
1405 : 0 : report_corruption(ctx,
1406 : : pstrdup("update xid is invalid"));
1407 : 0 : return true;
1408 : 0 : case XID_IN_FUTURE:
1409 : 0 : report_corruption(ctx,
1410 : : psprintf("update xid %u equals or exceeds next valid transaction ID %u:%u",
1411 : : xmax,
1412 : 0 : EpochFromFullTransactionId(ctx->next_fxid),
1413 : 0 : XidFromFullTransactionId(ctx->next_fxid)));
1414 : 0 : return true;
1415 : 0 : case XID_PRECEDES_RELMIN:
1416 : 0 : report_corruption(ctx,
1417 : : psprintf("update xid %u precedes relation freeze threshold %u:%u",
1418 : : xmax,
1419 : 0 : EpochFromFullTransactionId(ctx->relfrozenfxid),
1420 : 0 : XidFromFullTransactionId(ctx->relfrozenfxid)));
1421 : 0 : return true;
1422 : 0 : case XID_PRECEDES_CLUSTERMIN:
1423 : 0 : report_corruption(ctx,
1424 : : psprintf("update xid %u precedes oldest valid transaction ID %u:%u",
1425 : : xmax,
1426 : 0 : EpochFromFullTransactionId(ctx->oldest_fxid),
1427 : 0 : XidFromFullTransactionId(ctx->oldest_fxid)));
1428 : 0 : return true;
1619 rhaas@postgresql.org 1429 :CBC 28 : case XID_BOUNDS_OK:
1430 : 28 : break;
1431 : : }
1432 : :
1433 [ - + - - ]: 28 : switch (xmax_status)
1434 : : {
1619 rhaas@postgresql.org 1435 :UBC 0 : case XID_IS_CURRENT_XID:
1436 : : case XID_IN_PROGRESS:
1437 : :
1438 : : /*
1439 : : * The delete is in progress, so it cannot be visible to our
1440 : : * snapshot.
1441 : : */
1442 : 0 : ctx->tuple_could_be_pruned = false;
1443 : 0 : break;
1619 rhaas@postgresql.org 1444 :CBC 28 : case XID_COMMITTED:
1445 : :
1446 : : /*
1447 : : * The delete committed. Whether the toast can be vacuumed
1448 : : * away depends on how old the deleting transaction is.
1449 : : */
1450 : 28 : ctx->tuple_could_be_pruned = TransactionIdPrecedes(xmax,
1451 : : ctx->safe_xmin);
1452 : 28 : break;
1619 rhaas@postgresql.org 1453 :UBC 0 : case XID_ABORTED:
1454 : :
1455 : : /*
1456 : : * The delete aborted or crashed. The tuple is still live.
1457 : : */
1458 : 0 : ctx->tuple_could_be_pruned = false;
1459 : 0 : break;
1460 : : }
1461 : :
1462 : : /* Tuple itself is checkable even if it's dead. */
1619 rhaas@postgresql.org 1463 :CBC 28 : return true;
1464 : : }
1465 : :
1466 : : /* xmax is an XID, not a MXID. Sanity check it. */
1467 : 1410 : xmax = HeapTupleHeaderGetRawXmax(tuphdr);
1468 [ + - - + : 1410 : switch (get_xid_status(xmax, ctx, &xmax_status))
+ - ]
1469 : : {
898 1470 : 1 : case XID_INVALID:
1471 : 1 : ctx->tuple_could_be_pruned = false;
1472 : 1 : return true;
1619 rhaas@postgresql.org 1473 :UBC 0 : case XID_IN_FUTURE:
1474 : 0 : report_corruption(ctx,
1475 : : psprintf("xmax %u equals or exceeds next valid transaction ID %u:%u",
1476 : : xmax,
1477 : 0 : EpochFromFullTransactionId(ctx->next_fxid),
1478 : 0 : XidFromFullTransactionId(ctx->next_fxid)));
1479 : 0 : return false; /* corrupt */
1480 : 0 : case XID_PRECEDES_RELMIN:
1481 : 0 : report_corruption(ctx,
1482 : : psprintf("xmax %u precedes relation freeze threshold %u:%u",
1483 : : xmax,
1484 : 0 : EpochFromFullTransactionId(ctx->relfrozenfxid),
1485 : 0 : XidFromFullTransactionId(ctx->relfrozenfxid)));
1486 : 0 : return false; /* corrupt */
1619 rhaas@postgresql.org 1487 :CBC 1 : case XID_PRECEDES_CLUSTERMIN:
1488 : 1 : report_corruption(ctx,
1489 : : psprintf("xmax %u precedes oldest valid transaction ID %u:%u",
1490 : : xmax,
1491 : 1 : EpochFromFullTransactionId(ctx->oldest_fxid),
1492 : 1 : XidFromFullTransactionId(ctx->oldest_fxid)));
1493 : 1 : return false; /* corrupt */
1494 : 1408 : case XID_BOUNDS_OK:
1495 : 1408 : break;
1496 : : }
1497 : :
1498 : : /*
1499 : : * Whether the toast can be vacuumed away depends on how old the deleting
1500 : : * transaction is.
1501 : : */
1502 [ - + + - ]: 1408 : switch (xmax_status)
1503 : : {
1619 rhaas@postgresql.org 1504 :UBC 0 : case XID_IS_CURRENT_XID:
1505 : : case XID_IN_PROGRESS:
1506 : :
1507 : : /*
1508 : : * The delete is in progress, so it cannot be visible to our
1509 : : * snapshot.
1510 : : */
1511 : 0 : ctx->tuple_could_be_pruned = false;
1512 : 0 : break;
1513 : :
1619 rhaas@postgresql.org 1514 :CBC 1405 : case XID_COMMITTED:
1515 : :
1516 : : /*
1517 : : * The delete committed. Whether the toast can be vacuumed away
1518 : : * depends on how old the deleting transaction is.
1519 : : */
1520 : 1405 : ctx->tuple_could_be_pruned = TransactionIdPrecedes(xmax,
1521 : : ctx->safe_xmin);
1522 : 1405 : break;
1523 : :
1524 : 3 : case XID_ABORTED:
1525 : :
1526 : : /*
1527 : : * The delete aborted or crashed. The tuple is still live.
1528 : : */
1529 : 3 : ctx->tuple_could_be_pruned = false;
1530 : 3 : break;
1531 : : }
1532 : :
1533 : : /* Tuple itself is checkable even if it's dead. */
1534 : 1408 : return true;
1535 : : }
1536 : :
1537 : :
1538 : : /*
1539 : : * Check the current toast tuple against the state tracked in ctx, recording
1540 : : * any corruption found in ctx->tupstore.
1541 : : *
1542 : : * This is not equivalent to running verify_heapam on the toast table itself,
1543 : : * and is not hardened against corruption of the toast table. Rather, when
1544 : : * validating a toasted attribute in the main table, the sequence of toast
1545 : : * tuples that store the toasted value are retrieved and checked in order, with
1546 : : * each toast tuple being checked against where we are in the sequence, as well
1547 : : * as each toast tuple having its varlena structure sanity checked.
1548 : : *
1549 : : * On entry, *expected_chunk_seq should be the chunk_seq value that we expect
1550 : : * to find in toasttup. On exit, it will be updated to the value the next call
1551 : : * to this function should expect to see.
1552 : : */
1553 : : static void
1613 1554 : 41682 : check_toast_tuple(HeapTuple toasttup, HeapCheckContext *ctx,
1555 : : ToastedAttribute *ta, int32 *expected_chunk_seq,
1556 : : uint32 extsize)
1557 : : {
1558 : : int32 chunk_seq;
1587 1559 : 41682 : int32 last_chunk_seq = (extsize - 1) / TOAST_MAX_CHUNK_SIZE;
1560 : : Pointer chunk;
1561 : : bool isnull;
1562 : : int32 chunksize;
1563 : : int32 expected_size;
1564 : :
1565 : : /* Sanity-check the sequence number. */
1566 : 41682 : chunk_seq = DatumGetInt32(fastgetattr(toasttup, 2,
1567 : 41682 : ctx->toast_rel->rd_att, &isnull));
1780 1568 [ - + ]: 41682 : if (isnull)
1569 : : {
1613 rhaas@postgresql.org 1570 :UBC 0 : report_toast_corruption(ctx, ta,
1571 : : psprintf("toast value %u has toast chunk with null sequence number",
1572 : : ta->toast_pointer.va_valueid));
1780 1573 : 0 : return;
1574 : : }
1587 rhaas@postgresql.org 1575 [ - + ]:CBC 41682 : if (chunk_seq != *expected_chunk_seq)
1576 : : {
1577 : : /* Either the TOAST index is corrupt, or we don't have all chunks. */
1587 rhaas@postgresql.org 1578 :UBC 0 : report_toast_corruption(ctx, ta,
1579 : : psprintf("toast value %u index scan returned chunk %d when expecting chunk %d",
1580 : : ta->toast_pointer.va_valueid,
1581 : : chunk_seq, *expected_chunk_seq));
1582 : : }
1587 rhaas@postgresql.org 1583 :CBC 41682 : *expected_chunk_seq = chunk_seq + 1;
1584 : :
1585 : : /* Sanity-check the chunk data. */
1780 1586 : 41682 : chunk = DatumGetPointer(fastgetattr(toasttup, 3,
1587 : 41682 : ctx->toast_rel->rd_att, &isnull));
1588 [ - + ]: 41682 : if (isnull)
1589 : : {
1613 rhaas@postgresql.org 1590 :UBC 0 : report_toast_corruption(ctx, ta,
1591 : : psprintf("toast value %u chunk %d has null data",
1592 : : ta->toast_pointer.va_valueid,
1593 : : chunk_seq));
1780 1594 : 0 : return;
1595 : : }
1780 rhaas@postgresql.org 1596 [ + - ]:CBC 41682 : if (!VARATT_IS_EXTENDED(chunk))
1597 : 41682 : chunksize = VARSIZE(chunk) - VARHDRSZ;
1780 rhaas@postgresql.org 1598 [ # # ]:UBC 0 : else if (VARATT_IS_SHORT(chunk))
1599 : : {
1600 : : /*
1601 : : * could happen due to heap_form_tuple doing its thing
1602 : : */
1603 : 0 : chunksize = VARSIZE_SHORT(chunk) - VARHDRSZ_SHORT;
1604 : : }
1605 : : else
1606 : : {
1607 : : /* should never happen */
1608 : 0 : uint32 header = ((varattrib_4b *) chunk)->va_4byte.va_header;
1609 : :
1613 1610 : 0 : report_toast_corruption(ctx, ta,
1611 : : psprintf("toast value %u chunk %d has invalid varlena header %0x",
1612 : : ta->toast_pointer.va_valueid,
1613 : : chunk_seq, header));
1780 1614 : 0 : return;
1615 : : }
1616 : :
1617 : : /*
1618 : : * Some checks on the data we've found
1619 : : */
1587 rhaas@postgresql.org 1620 [ - + ]:CBC 41682 : if (chunk_seq > last_chunk_seq)
1621 : : {
1613 rhaas@postgresql.org 1622 :UBC 0 : report_toast_corruption(ctx, ta,
1623 : : psprintf("toast value %u chunk %d follows last expected chunk %d",
1624 : : ta->toast_pointer.va_valueid,
1625 : : chunk_seq, last_chunk_seq));
1780 1626 : 0 : return;
1627 : : }
1628 : :
1587 rhaas@postgresql.org 1629 [ + + ]:CBC 41682 : expected_size = chunk_seq < last_chunk_seq ? TOAST_MAX_CHUNK_SIZE
1630 : 11814 : : extsize - (last_chunk_seq * TOAST_MAX_CHUNK_SIZE);
1631 : :
1780 1632 [ - + ]: 41682 : if (chunksize != expected_size)
1613 rhaas@postgresql.org 1633 :UBC 0 : report_toast_corruption(ctx, ta,
1634 : : psprintf("toast value %u chunk %d has size %u, but expected size %u",
1635 : : ta->toast_pointer.va_valueid,
1636 : : chunk_seq, chunksize, expected_size));
1637 : : }
1638 : :
1639 : : /*
1640 : : * Check the current attribute as tracked in ctx, recording any corruption
1641 : : * found in ctx->tupstore.
1642 : : *
1643 : : * This function follows the logic performed by heap_deform_tuple(), and in the
1644 : : * case of a toasted value, optionally stores the toast pointer so later it can
1645 : : * be checked following the logic of detoast_external_attr(), checking for any
1646 : : * conditions that would result in either of those functions Asserting or
1647 : : * crashing the backend. The checks performed by Asserts present in those two
1648 : : * functions are also performed here and in check_toasted_attribute. In cases
1649 : : * where those two functions are a bit cavalier in their assumptions about data
1650 : : * being correct, we perform additional checks not present in either of those
1651 : : * two functions. Where some condition is checked in both of those functions,
1652 : : * we perform it here twice, as we parallel the logical flow of those two
1653 : : * functions. The presence of duplicate checks seems a reasonable price to pay
1654 : : * for keeping this code tightly coupled with the code it protects.
1655 : : *
1656 : : * Returns true if the tuple attribute is sane enough for processing to
1657 : : * continue on to the next attribute, false otherwise.
1658 : : */
1659 : : static bool
1780 rhaas@postgresql.org 1660 :CBC 8009263 : check_tuple_attribute(HeapCheckContext *ctx)
1661 : : {
1662 : : Datum attdatum;
1663 : : struct varlena *attr;
1664 : : char *tp; /* pointer to the tuple data */
1665 : : uint16 infomask;
1666 : : CompactAttribute *thisatt;
1667 : : struct varatt_external toast_pointer;
1668 : :
1669 : 8009263 : infomask = ctx->tuphdr->t_infomask;
260 drowley@postgresql.o 1670 : 8009263 : thisatt = TupleDescCompactAttr(RelationGetDescr(ctx->rel), ctx->attnum);
1671 : :
1780 rhaas@postgresql.org 1672 : 8009263 : tp = (char *) ctx->tuphdr + ctx->tuphdr->t_hoff;
1673 : :
1674 [ - + ]: 8009263 : if (ctx->tuphdr->t_hoff + ctx->offset > ctx->lp_len)
1675 : : {
1780 rhaas@postgresql.org 1676 :UBC 0 : report_corruption(ctx,
1677 : : psprintf("attribute with length %u starts at offset %u beyond total tuple length %u",
1678 : 0 : thisatt->attlen,
1679 : 0 : ctx->tuphdr->t_hoff + ctx->offset,
1680 : 0 : ctx->lp_len));
1681 : 0 : return false;
1682 : : }
1683 : :
1684 : : /* Skip null values */
1780 rhaas@postgresql.org 1685 [ + + + + ]:CBC 8009263 : if (infomask & HEAP_HASNULL && att_isnull(ctx->attnum, ctx->tuphdr->t_bits))
1686 : 1370667 : return true;
1687 : :
1688 : : /* Skip non-varlena values, but update offset first */
1689 [ + + ]: 6638596 : if (thisatt->attlen != -1)
1690 : : {
259 drowley@postgresql.o 1691 : 6057071 : ctx->offset = att_nominal_alignby(ctx->offset, thisatt->attalignby);
1780 rhaas@postgresql.org 1692 [ + - - - : 6057071 : ctx->offset = att_addlength_pointer(ctx->offset, thisatt->attlen,
- - - - -
- - - - -
- - ]
1693 : : tp + ctx->offset);
1694 [ - + ]: 6057071 : if (ctx->tuphdr->t_hoff + ctx->offset > ctx->lp_len)
1695 : : {
1780 rhaas@postgresql.org 1696 :UBC 0 : report_corruption(ctx,
1697 : : psprintf("attribute with length %u ends at offset %u beyond total tuple length %u",
1698 : 0 : thisatt->attlen,
1699 : 0 : ctx->tuphdr->t_hoff + ctx->offset,
1700 : 0 : ctx->lp_len));
1701 : 0 : return false;
1702 : : }
1780 rhaas@postgresql.org 1703 :CBC 6057071 : return true;
1704 : : }
1705 : :
1706 : : /* Ok, we're looking at a varlena attribute. */
259 drowley@postgresql.o 1707 [ + + ]: 581525 : ctx->offset = att_pointer_alignby(ctx->offset, thisatt->attalignby, -1,
1708 : : tp + ctx->offset);
1709 : :
1710 : : /* Get the (possibly corrupt) varlena datum */
1780 rhaas@postgresql.org 1711 : 581525 : attdatum = fetchatt(thisatt, tp + ctx->offset);
1712 : :
1713 : : /*
1714 : : * We have the datum, but we cannot decode it carelessly, as it may still
1715 : : * be corrupt.
1716 : : */
1717 : :
1718 : : /*
1719 : : * Check that VARTAG_SIZE won't hit an Assert on a corrupt va_tag before
1720 : : * risking a call into att_addlength_pointer
1721 : : */
1722 [ + + ]: 581525 : if (VARATT_IS_EXTERNAL(tp + ctx->offset))
1723 : : {
1724 : 26255 : uint8 va_tag = VARTAG_EXTERNAL(tp + ctx->offset);
1725 : :
1726 [ - + ]: 26255 : if (va_tag != VARTAG_ONDISK)
1727 : : {
1780 rhaas@postgresql.org 1728 :UBC 0 : report_corruption(ctx,
1729 : : psprintf("toasted attribute has unexpected TOAST tag %u",
1730 : : va_tag));
1731 : : /* We can't know where the next attribute begins */
1732 : 0 : return false;
1733 : : }
1734 : : }
1735 : :
1736 : : /* Ok, should be safe now */
1780 rhaas@postgresql.org 1737 [ - + + - :CBC 581525 : ctx->offset = att_addlength_pointer(ctx->offset, thisatt->attlen,
- - + - +
- - + + +
- - ]
1738 : : tp + ctx->offset);
1739 : :
1740 [ + + ]: 581525 : if (ctx->tuphdr->t_hoff + ctx->offset > ctx->lp_len)
1741 : : {
1742 : 1 : report_corruption(ctx,
1743 : : psprintf("attribute with length %u ends at offset %u beyond total tuple length %u",
1744 : 1 : thisatt->attlen,
1745 : 1 : ctx->tuphdr->t_hoff + ctx->offset,
1746 : 1 : ctx->lp_len));
1747 : :
1748 : 1 : return false;
1749 : : }
1750 : :
1751 : : /*
1752 : : * heap_deform_tuple would be done with this attribute at this point,
1753 : : * having stored it in values[], and would continue to the next attribute.
1754 : : * We go further, because we need to check if the toast datum is corrupt.
1755 : : */
1756 : :
1757 : 581524 : attr = (struct varlena *) DatumGetPointer(attdatum);
1758 : :
1759 : : /*
1760 : : * Now we follow the logic of detoast_external_attr(), with the same
1761 : : * caveats about being paranoid about corruption.
1762 : : */
1763 : :
1764 : : /* Skip values that are not external */
1765 [ + + ]: 581524 : if (!VARATT_IS_EXTERNAL(attr))
1766 : 555269 : return true;
1767 : :
1768 : : /* It is external, and we're looking at a page on disk */
1769 : :
1770 : : /*
1771 : : * Must copy attr into toast_pointer for alignment considerations
1772 : : */
1606 1773 [ - + - + : 26255 : VARATT_EXTERNAL_GET_POINTER(toast_pointer, attr);
+ - - + -
+ ]
1774 : :
1775 : : /* Toasted attributes too large to be untoasted should never be stored */
1401 1776 [ - + ]: 26255 : if (toast_pointer.va_rawsize > VARLENA_SIZE_LIMIT)
1401 rhaas@postgresql.org 1777 :UBC 0 : report_corruption(ctx,
1778 : : psprintf("toast value %u rawsize %d exceeds limit %d",
1779 : : toast_pointer.va_valueid,
1780 : : toast_pointer.va_rawsize,
1781 : : VARLENA_SIZE_LIMIT));
1782 : :
1172 rhaas@postgresql.org 1783 [ + + ]:CBC 26255 : if (VARATT_EXTERNAL_IS_COMPRESSED(toast_pointer))
1784 : : {
1785 : : ToastCompressionId cmid;
1401 1786 : 2027 : bool valid = false;
1787 : :
1788 : : /* Compressed attributes should have a valid compression method */
1789 : 2027 : cmid = TOAST_COMPRESS_METHOD(&toast_pointer);
1790 [ + - - ]: 2027 : switch (cmid)
1791 : : {
1792 : : /* List of all valid compression method IDs */
1793 : 2027 : case TOAST_PGLZ_COMPRESSION_ID:
1794 : : case TOAST_LZ4_COMPRESSION_ID:
1795 : 2027 : valid = true;
1796 : 2027 : break;
1797 : :
1798 : : /* Recognized but invalid compression method ID */
1401 rhaas@postgresql.org 1799 :UBC 0 : case TOAST_INVALID_COMPRESSION_ID:
1800 : 0 : break;
1801 : :
1802 : : /* Intentionally no default here */
1803 : : }
1401 rhaas@postgresql.org 1804 [ - + ]:CBC 2027 : if (!valid)
1401 rhaas@postgresql.org 1805 :UBC 0 : report_corruption(ctx,
1806 : : psprintf("toast value %u has invalid compression method id %d",
1807 : : toast_pointer.va_valueid, cmid));
1808 : : }
1809 : :
1810 : : /* The tuple header better claim to contain toasted values */
1780 rhaas@postgresql.org 1811 [ - + ]:CBC 26255 : if (!(infomask & HEAP_HASEXTERNAL))
1812 : : {
1780 rhaas@postgresql.org 1813 :UBC 0 : report_corruption(ctx,
1814 : : psprintf("toast value %u is external but tuple header flag HEAP_HASEXTERNAL not set",
1815 : : toast_pointer.va_valueid));
1816 : 0 : return true;
1817 : : }
1818 : :
1819 : : /* The relation better have a toast table */
1780 rhaas@postgresql.org 1820 [ - + ]:CBC 26255 : if (!ctx->rel->rd_rel->reltoastrelid)
1821 : : {
1780 rhaas@postgresql.org 1822 :UBC 0 : report_corruption(ctx,
1823 : : psprintf("toast value %u is external but relation has no toast relation",
1824 : : toast_pointer.va_valueid));
1825 : 0 : return true;
1826 : : }
1827 : :
1828 : : /* If we were told to skip toast checking, then we're done. */
1780 rhaas@postgresql.org 1829 [ + + ]:CBC 26255 : if (ctx->toast_rel == NULL)
1830 : 14429 : return true;
1831 : :
1832 : : /*
1833 : : * If this tuple is eligible to be pruned, we cannot check the toast.
1834 : : * Otherwise, we push a copy of the toast tuple so we can check it after
1835 : : * releasing the main table buffer lock.
1836 : : */
1613 1837 [ + + ]: 11826 : if (!ctx->tuple_could_be_pruned)
1838 : : {
1839 : : ToastedAttribute *ta;
1840 : :
1841 : 11824 : ta = (ToastedAttribute *) palloc0(sizeof(ToastedAttribute));
1842 : :
1843 [ - + - + : 11824 : VARATT_EXTERNAL_GET_POINTER(ta->toast_pointer, attr);
+ - - + -
+ ]
1844 : 11824 : ta->blkno = ctx->blkno;
1845 : 11824 : ta->offnum = ctx->offnum;
1846 : 11824 : ta->attnum = ctx->attnum;
1847 : 11824 : ctx->toasted_attributes = lappend(ctx->toasted_attributes, ta);
1848 : : }
1849 : :
1850 : 11826 : return true;
1851 : : }
1852 : :
1853 : : /*
1854 : : * For each attribute collected in ctx->toasted_attributes, look up the value
1855 : : * in the toast table and perform checks on it. This function should only be
1856 : : * called on toast pointers which cannot be vacuumed away during our
1857 : : * processing.
1858 : : */
1859 : : static void
1860 : 11818 : check_toasted_attribute(HeapCheckContext *ctx, ToastedAttribute *ta)
1861 : : {
1862 : : ScanKeyData toastkey;
1863 : : SysScanDesc toastscan;
1864 : : bool found_toasttup;
1865 : : HeapTuple toasttup;
1866 : : uint32 extsize;
1587 1867 : 11818 : int32 expected_chunk_seq = 0;
1868 : : int32 last_chunk_seq;
1869 : :
1870 : 11818 : extsize = VARATT_EXTERNAL_GET_EXTSIZE(ta->toast_pointer);
1871 : 11818 : last_chunk_seq = (extsize - 1) / TOAST_MAX_CHUNK_SIZE;
1872 : :
1873 : : /*
1874 : : * Setup a scan key to find chunks in toast table with matching va_valueid
1875 : : */
1780 1876 : 11818 : ScanKeyInit(&toastkey,
1877 : : (AttrNumber) 1,
1878 : : BTEqualStrategyNumber, F_OIDEQ,
1879 : : ObjectIdGetDatum(ta->toast_pointer.va_valueid));
1880 : :
1881 : : /*
1882 : : * Check if any chunks for this toasted object exist in the toast table,
1883 : : * accessible via the index.
1884 : : */
1885 : 11818 : toastscan = systable_beginscan_ordered(ctx->toast_rel,
1886 : : ctx->valid_toast_index,
1887 : : get_toast_snapshot(), 1,
1888 : : &toastkey);
1889 : 11818 : found_toasttup = false;
1890 : 11818 : while ((toasttup =
1891 : 53500 : systable_getnext_ordered(toastscan,
1892 [ + + ]: 53497 : ForwardScanDirection)) != NULL)
1893 : : {
1894 : 41682 : found_toasttup = true;
1587 1895 : 41682 : check_toast_tuple(toasttup, ctx, ta, &expected_chunk_seq, extsize);
1896 : : }
1780 1897 : 11815 : systable_endscan_ordered(toastscan);
1898 : :
1613 1899 [ + + ]: 11815 : if (!found_toasttup)
1900 : 1 : report_toast_corruption(ctx, ta,
1901 : : psprintf("toast value %u not found in toast table",
1902 : : ta->toast_pointer.va_valueid));
1587 1903 [ - + ]: 11814 : else if (expected_chunk_seq <= last_chunk_seq)
1613 rhaas@postgresql.org 1904 :UBC 0 : report_toast_corruption(ctx, ta,
1905 : : psprintf("toast value %u was expected to end at chunk %d, but ended while expecting chunk %d",
1906 : : ta->toast_pointer.va_valueid,
1907 : : last_chunk_seq, expected_chunk_seq));
1780 rhaas@postgresql.org 1908 :CBC 11815 : }
1909 : :
1910 : : /*
1911 : : * Check the current tuple as tracked in ctx, recording any corruption found in
1912 : : * ctx->tupstore.
1913 : : *
1914 : : * We return some information about the status of xmin to aid in validating
1915 : : * update chains.
1916 : : */
1917 : : static void
899 1918 : 560569 : check_tuple(HeapCheckContext *ctx, bool *xmin_commit_status_ok,
1919 : : XidCommitStatus *xmin_commit_status)
1920 : : {
1921 : : /*
1922 : : * Check various forms of tuple header corruption, and if the header is
1923 : : * too corrupt, do not continue with other checks.
1924 : : */
1613 1925 [ + + ]: 560569 : if (!check_tuple_header(ctx))
1780 1926 : 5 : return;
1927 : :
1928 : : /*
1929 : : * Check tuple visibility. If the inserting transaction aborted, we
1930 : : * cannot assume our relation description matches the tuple structure, and
1931 : : * therefore cannot check it.
1932 : : */
899 1933 [ + + ]: 560564 : if (!check_tuple_visibility(ctx, xmin_commit_status_ok,
1934 : : xmin_commit_status))
1780 1935 : 12 : return;
1936 : :
1937 : : /*
1938 : : * The tuple is visible, so it must be compatible with the current version
1939 : : * of the relation descriptor. It might have fewer columns than are
1940 : : * present in the relation descriptor, but it cannot have more.
1941 : : */
1942 [ + + ]: 560552 : if (RelationGetDescr(ctx->rel)->natts < ctx->natts)
1943 : : {
1944 : 2 : report_corruption(ctx,
1945 : : psprintf("number of attributes %u exceeds maximum %u expected for table",
1946 : : ctx->natts,
1947 : 2 : RelationGetDescr(ctx->rel)->natts));
1948 : 2 : return;
1949 : : }
1950 : :
1951 : : /*
1952 : : * Check each attribute unless we hit corruption that confuses what to do
1953 : : * next, at which point we abort further attribute checks for this tuple.
1954 : : * Note that we don't abort for all types of corruption, only for those
1955 : : * types where we don't know how to continue. We also don't abort the
1956 : : * checking of toasted attributes collected from the tuple prior to
1957 : : * aborting. Those will still be checked later along with other toasted
1958 : : * attributes collected from the page.
1959 : : */
1960 : 560550 : ctx->offset = 0;
1961 [ + + ]: 8569812 : for (ctx->attnum = 0; ctx->attnum < ctx->natts; ctx->attnum++)
1962 [ + + ]: 8009263 : if (!check_tuple_attribute(ctx))
1963 : 1 : break; /* cannot continue */
1964 : :
1965 : : /* revert attnum to -1 until we again examine individual attributes */
1779 tgl@sss.pgh.pa.us 1966 : 560550 : ctx->attnum = -1;
1967 : : }
1968 : :
1969 : : /*
1970 : : * Convert a TransactionId into a FullTransactionId using our cached values of
1971 : : * the valid transaction ID range. It is the caller's responsibility to have
1972 : : * already updated the cached values, if necessary. This is akin to
1973 : : * FullTransactionIdFromAllowableAt(), but it tolerates corruption in the form
1974 : : * of an xid before epoch 0.
1975 : : */
1976 : : static FullTransactionId
1780 rhaas@postgresql.org 1977 : 75690 : FullTransactionIdFromXidAndCtx(TransactionId xid, const HeapCheckContext *ctx)
1978 : : {
1979 : : uint64 nextfxid_i;
1980 : : int32 diff;
1981 : : FullTransactionId fxid;
1982 : :
910 andres@anarazel.de 1983 [ - + ]: 75690 : Assert(TransactionIdIsNormal(ctx->next_xid));
1984 [ - + ]: 75690 : Assert(FullTransactionIdIsNormal(ctx->next_fxid));
1985 [ - + ]: 75690 : Assert(XidFromFullTransactionId(ctx->next_fxid) == ctx->next_xid);
1986 : :
1780 rhaas@postgresql.org 1987 [ + + ]: 75690 : if (!TransactionIdIsNormal(xid))
1988 : 191 : return FullTransactionIdFromEpochAndXid(0, xid);
1989 : :
910 andres@anarazel.de 1990 : 75499 : nextfxid_i = U64FromFullTransactionId(ctx->next_fxid);
1991 : :
1992 : : /* compute the 32bit modulo difference */
1993 : 75499 : diff = (int32) (ctx->next_xid - xid);
1994 : :
1995 : : /*
1996 : : * In cases of corruption we might see a 32bit xid that is before epoch 0.
1997 : : * We can't represent that as a 64bit xid, due to 64bit xids being
1998 : : * unsigned integers, without the modulo arithmetic of 32bit xid. There's
1999 : : * no really nice way to deal with that, but it works ok enough to use
2000 : : * FirstNormalFullTransactionId in that case, as a freshly initdb'd
2001 : : * cluster already has a newer horizon.
2002 : : */
2003 [ + + + + ]: 75499 : if (diff > 0 && (nextfxid_i - FirstNormalTransactionId) < (int64) diff)
2004 : : {
2005 [ - + ]: 4 : Assert(EpochFromFullTransactionId(ctx->next_fxid) == 0);
2006 : 4 : fxid = FirstNormalFullTransactionId;
2007 : : }
2008 : : else
2009 : 75495 : fxid = FullTransactionIdFromU64(nextfxid_i - diff);
2010 : :
2011 [ - + ]: 75499 : Assert(FullTransactionIdIsNormal(fxid));
2012 : 75499 : return fxid;
2013 : : }
2014 : :
2015 : : /*
2016 : : * Update our cached range of valid transaction IDs.
2017 : : */
2018 : : static void
1780 rhaas@postgresql.org 2019 : 1479 : update_cached_xid_range(HeapCheckContext *ctx)
2020 : : {
2021 : : /* Make cached copies */
2022 : 1479 : LWLockAcquire(XidGenLock, LW_SHARED);
638 heikki.linnakangas@i 2023 : 1479 : ctx->next_fxid = TransamVariables->nextXid;
2024 : 1479 : ctx->oldest_xid = TransamVariables->oldestXid;
1780 rhaas@postgresql.org 2025 : 1479 : LWLockRelease(XidGenLock);
2026 : :
2027 : : /* And compute alternate versions of the same */
2028 : 1479 : ctx->next_xid = XidFromFullTransactionId(ctx->next_fxid);
910 andres@anarazel.de 2029 : 1479 : ctx->oldest_fxid = FullTransactionIdFromXidAndCtx(ctx->oldest_xid, ctx);
1780 rhaas@postgresql.org 2030 : 1479 : }
2031 : :
2032 : : /*
2033 : : * Update our cached range of valid multitransaction IDs.
2034 : : */
2035 : : static void
2036 : 1477 : update_cached_mxid_range(HeapCheckContext *ctx)
2037 : : {
2038 : 1477 : ReadMultiXactIdRange(&ctx->oldest_mxact, &ctx->next_mxact);
2039 : 1477 : }
2040 : :
2041 : : /*
2042 : : * Return whether the given FullTransactionId is within our cached valid
2043 : : * transaction ID range.
2044 : : */
2045 : : static inline bool
2046 : 63584 : fxid_in_cached_range(FullTransactionId fxid, const HeapCheckContext *ctx)
2047 : : {
2048 [ + + ]: 127165 : return (FullTransactionIdPrecedesOrEquals(ctx->oldest_fxid, fxid) &&
2049 [ + + ]: 63581 : FullTransactionIdPrecedes(fxid, ctx->next_fxid));
2050 : : }
2051 : :
2052 : : /*
2053 : : * Checks whether a multitransaction ID is in the cached valid range, returning
2054 : : * the nature of the range violation, if any.
2055 : : */
2056 : : static XidBoundsViolation
2057 : 60 : check_mxid_in_range(MultiXactId mxid, HeapCheckContext *ctx)
2058 : : {
2059 [ - + ]: 60 : if (!TransactionIdIsValid(mxid))
1780 rhaas@postgresql.org 2060 :UBC 0 : return XID_INVALID;
1780 rhaas@postgresql.org 2061 [ + + ]:CBC 60 : if (MultiXactIdPrecedes(mxid, ctx->relminmxid))
2062 : 2 : return XID_PRECEDES_RELMIN;
2063 [ - + ]: 58 : if (MultiXactIdPrecedes(mxid, ctx->oldest_mxact))
1780 rhaas@postgresql.org 2064 :UBC 0 : return XID_PRECEDES_CLUSTERMIN;
1780 rhaas@postgresql.org 2065 [ + + ]:CBC 58 : if (MultiXactIdPrecedesOrEquals(ctx->next_mxact, mxid))
2066 : 2 : return XID_IN_FUTURE;
2067 : 56 : return XID_BOUNDS_OK;
2068 : : }
2069 : :
2070 : : /*
2071 : : * Checks whether the given mxid is valid to appear in the heap being checked,
2072 : : * returning the nature of the range violation, if any.
2073 : : *
2074 : : * This function attempts to return quickly by caching the known valid mxid
2075 : : * range in ctx. Callers should already have performed the initial setup of
2076 : : * the cache prior to the first call to this function.
2077 : : */
2078 : : static XidBoundsViolation
2079 : 58 : check_mxid_valid_in_rel(MultiXactId mxid, HeapCheckContext *ctx)
2080 : : {
2081 : : XidBoundsViolation result;
2082 : :
2083 : 58 : result = check_mxid_in_range(mxid, ctx);
2084 [ + + ]: 58 : if (result == XID_BOUNDS_OK)
2085 : 56 : return XID_BOUNDS_OK;
2086 : :
2087 : : /* The range may have advanced. Recheck. */
2088 : 2 : update_cached_mxid_range(ctx);
2089 : 2 : return check_mxid_in_range(mxid, ctx);
2090 : : }
2091 : :
2092 : : /*
2093 : : * Checks whether the given transaction ID is (or was recently) valid to appear
2094 : : * in the heap being checked, or whether it is too old or too new to appear in
2095 : : * the relation, returning information about the nature of the bounds violation.
2096 : : *
2097 : : * We cache the range of valid transaction IDs. If xid is in that range, we
2098 : : * conclude that it is valid, even though concurrent changes to the table might
2099 : : * invalidate it under certain corrupt conditions. (For example, if the table
2100 : : * contains corrupt all-frozen bits, a concurrent vacuum might skip the page(s)
2101 : : * containing the xid and then truncate clog and advance the relfrozenxid
2102 : : * beyond xid.) Reporting the xid as valid under such conditions seems
2103 : : * acceptable, since if we had checked it earlier in our scan it would have
2104 : : * truly been valid at that time.
2105 : : *
2106 : : * If the status argument is not NULL, and if and only if the transaction ID
2107 : : * appears to be valid in this relation, the status argument will be set with
2108 : : * the commit status of the transaction ID.
2109 : : */
2110 : : static XidBoundsViolation
2111 : 562002 : get_xid_status(TransactionId xid, HeapCheckContext *ctx,
2112 : : XidCommitStatus *status)
2113 : : {
2114 : : FullTransactionId fxid;
2115 : : FullTransactionId clog_horizon;
2116 : :
2117 : : /* Quick check for special xids */
2118 [ + + ]: 562002 : if (!TransactionIdIsValid(xid))
2119 : 1 : return XID_INVALID;
2120 [ + + + + ]: 562001 : else if (xid == BootstrapTransactionId || xid == FrozenTransactionId)
2121 : : {
2122 [ + - ]: 498417 : if (status != NULL)
2123 : 498417 : *status = XID_COMMITTED;
2124 : 498417 : return XID_BOUNDS_OK;
2125 : : }
2126 : :
2127 : : /* Check if the xid is within bounds */
2128 : 63584 : fxid = FullTransactionIdFromXidAndCtx(xid, ctx);
2129 [ + + ]: 63584 : if (!fxid_in_cached_range(fxid, ctx))
2130 : : {
2131 : : /*
2132 : : * We may have been checking against stale values. Update the cached
2133 : : * range to be sure, and since we relied on the cached range when we
2134 : : * performed the full xid conversion, reconvert.
2135 : : */
2136 : 4 : update_cached_xid_range(ctx);
2137 : 4 : fxid = FullTransactionIdFromXidAndCtx(xid, ctx);
2138 : : }
2139 : :
2140 [ + + ]: 63584 : if (FullTransactionIdPrecedesOrEquals(ctx->next_fxid, fxid))
2141 : 1 : return XID_IN_FUTURE;
2142 [ + + ]: 63583 : if (FullTransactionIdPrecedes(fxid, ctx->oldest_fxid))
2143 : 3 : return XID_PRECEDES_CLUSTERMIN;
2144 [ + + ]: 63580 : if (FullTransactionIdPrecedes(fxid, ctx->relfrozenfxid))
2145 : 1 : return XID_PRECEDES_RELMIN;
2146 : :
2147 : : /* Early return if the caller does not request clog checking */
2148 [ - + ]: 63579 : if (status == NULL)
1780 rhaas@postgresql.org 2149 :UBC 0 : return XID_BOUNDS_OK;
2150 : :
2151 : : /* Early return if we just checked this xid in a prior call */
1780 rhaas@postgresql.org 2152 [ + + ]:CBC 63579 : if (xid == ctx->cached_xid)
2153 : : {
2154 : 54431 : *status = ctx->cached_status;
2155 : 54431 : return XID_BOUNDS_OK;
2156 : : }
2157 : :
2158 : 9148 : *status = XID_COMMITTED;
2159 : 9148 : LWLockAcquire(XactTruncationLock, LW_SHARED);
2160 : : clog_horizon =
638 heikki.linnakangas@i 2161 : 9148 : FullTransactionIdFromXidAndCtx(TransamVariables->oldestClogXid,
2162 : : ctx);
1780 rhaas@postgresql.org 2163 [ + - ]: 9148 : if (FullTransactionIdPrecedesOrEquals(clog_horizon, fxid))
2164 : : {
2165 [ - + ]: 9148 : if (TransactionIdIsCurrentTransactionId(xid))
1619 rhaas@postgresql.org 2166 :UBC 0 : *status = XID_IS_CURRENT_XID;
1619 rhaas@postgresql.org 2167 [ + + ]:CBC 9148 : else if (TransactionIdIsInProgress(xid))
1780 2168 : 2 : *status = XID_IN_PROGRESS;
2169 [ + + ]: 9146 : else if (TransactionIdDidCommit(xid))
2170 : 9139 : *status = XID_COMMITTED;
2171 : : else
1619 2172 : 7 : *status = XID_ABORTED;
2173 : : }
1780 2174 : 9148 : LWLockRelease(XactTruncationLock);
2175 : 9148 : ctx->cached_xid = xid;
2176 : 9148 : ctx->cached_status = *status;
2177 : 9148 : return XID_BOUNDS_OK;
2178 : : }
|
