Age Owner Branch data TLA Line data Source code
1 : : /*-------------------------------------------------------------------------
2 : : *
3 : : * verify_heapam.c
4 : : * Functions to check postgresql heap relations for corruption
5 : : *
6 : : * Copyright (c) 2016-2024, PostgreSQL Global Development Group
7 : : *
8 : : * contrib/amcheck/verify_heapam.c
9 : : *-------------------------------------------------------------------------
10 : : */
11 : : #include "postgres.h"
12 : :
13 : : #include "access/detoast.h"
14 : : #include "access/genam.h"
15 : : #include "access/heapam.h"
16 : : #include "access/heaptoast.h"
17 : : #include "access/multixact.h"
18 : : #include "access/toast_internals.h"
19 : : #include "access/visibilitymap.h"
20 : : #include "catalog/pg_am.h"
21 : : #include "funcapi.h"
22 : : #include "miscadmin.h"
23 : : #include "storage/bufmgr.h"
24 : : #include "storage/procarray.h"
25 : : #include "utils/builtins.h"
26 : : #include "utils/fmgroids.h"
27 : :
1270 rhaas@postgresql.org 28 :CBC 301 : PG_FUNCTION_INFO_V1(verify_heapam);
29 : :
30 : : /* The number of columns in tuples returned by verify_heapam */
31 : : #define HEAPCHECK_RELATION_COLS 4
32 : :
33 : : /* The largest valid toast va_rawsize */
34 : : #define VARLENA_SIZE_LIMIT 0x3FFFFFFF
35 : :
36 : : /*
37 : : * Despite the name, we use this for reporting problems with both XIDs and
38 : : * MXIDs.
39 : : */
40 : : typedef enum XidBoundsViolation
41 : : {
42 : : XID_INVALID,
43 : : XID_IN_FUTURE,
44 : : XID_PRECEDES_CLUSTERMIN,
45 : : XID_PRECEDES_RELMIN,
46 : : XID_BOUNDS_OK,
47 : : } XidBoundsViolation;
48 : :
49 : : typedef enum XidCommitStatus
50 : : {
51 : : XID_COMMITTED,
52 : : XID_IS_CURRENT_XID,
53 : : XID_IN_PROGRESS,
54 : : XID_ABORTED,
55 : : } XidCommitStatus;
56 : :
57 : : typedef enum SkipPages
58 : : {
59 : : SKIP_PAGES_ALL_FROZEN,
60 : : SKIP_PAGES_ALL_VISIBLE,
61 : : SKIP_PAGES_NONE,
62 : : } SkipPages;
63 : :
64 : : /*
65 : : * Struct holding information about a toasted attribute sufficient to both
66 : : * check the toasted attribute and, if found to be corrupt, to report where it
67 : : * was encountered in the main table.
68 : : */
69 : : typedef struct ToastedAttribute
70 : : {
71 : : struct varatt_external toast_pointer;
72 : : BlockNumber blkno; /* block in main table */
73 : : OffsetNumber offnum; /* offset in main table */
74 : : AttrNumber attnum; /* attribute in main table */
75 : : } ToastedAttribute;
76 : :
77 : : /*
78 : : * Struct holding the running context information during
79 : : * a lifetime of a verify_heapam execution.
80 : : */
81 : : typedef struct HeapCheckContext
82 : : {
83 : : /*
84 : : * Cached copies of values from TransamVariables and computed values from
85 : : * them.
86 : : */
87 : : FullTransactionId next_fxid; /* TransamVariables->nextXid */
88 : : TransactionId next_xid; /* 32-bit version of next_fxid */
89 : : TransactionId oldest_xid; /* TransamVariables->oldestXid */
90 : : FullTransactionId oldest_fxid; /* 64-bit version of oldest_xid, computed
91 : : * relative to next_fxid */
92 : : TransactionId safe_xmin; /* this XID and newer ones can't become
93 : : * all-visible while we're running */
94 : :
95 : : /*
96 : : * Cached copy of value from MultiXactState
97 : : */
98 : : MultiXactId next_mxact; /* MultiXactState->nextMXact */
99 : : MultiXactId oldest_mxact; /* MultiXactState->oldestMultiXactId */
100 : :
101 : : /*
102 : : * Cached copies of the most recently checked xid and its status.
103 : : */
104 : : TransactionId cached_xid;
105 : : XidCommitStatus cached_status;
106 : :
107 : : /* Values concerning the heap relation being checked */
108 : : Relation rel;
109 : : TransactionId relfrozenxid;
110 : : FullTransactionId relfrozenfxid;
111 : : TransactionId relminmxid;
112 : : Relation toast_rel;
113 : : Relation *toast_indexes;
114 : : Relation valid_toast_index;
115 : : int num_toast_indexes;
116 : :
117 : : /* Values for iterating over pages in the relation */
118 : : BlockNumber blkno;
119 : : BufferAccessStrategy bstrategy;
120 : : Buffer buffer;
121 : : Page page;
122 : :
123 : : /* Values for iterating over tuples within a page */
124 : : OffsetNumber offnum;
125 : : ItemId itemid;
126 : : uint16 lp_len;
127 : : uint16 lp_off;
128 : : HeapTupleHeader tuphdr;
129 : : int natts;
130 : :
131 : : /* Values for iterating over attributes within the tuple */
132 : : uint32 offset; /* offset in tuple data */
133 : : AttrNumber attnum;
134 : :
135 : : /* True if tuple's xmax makes it eligible for pruning */
136 : : bool tuple_could_be_pruned;
137 : :
138 : : /*
139 : : * List of ToastedAttribute structs for toasted attributes which are not
140 : : * eligible for pruning and should be checked
141 : : */
142 : : List *toasted_attributes;
143 : :
144 : : /* Whether verify_heapam has yet encountered any corrupt tuples */
145 : : bool is_corrupt;
146 : :
147 : : /* The descriptor and tuplestore for verify_heapam's result tuples */
148 : : TupleDesc tupdesc;
149 : : Tuplestorestate *tupstore;
150 : : } HeapCheckContext;
151 : :
152 : : /* Internal implementation */
153 : : static void check_tuple(HeapCheckContext *ctx,
154 : : bool *xmin_commit_status_ok,
155 : : XidCommitStatus *xmin_commit_status);
156 : : static void check_toast_tuple(HeapTuple toasttup, HeapCheckContext *ctx,
157 : : ToastedAttribute *ta, int32 *expected_chunk_seq,
158 : : uint32 extsize);
159 : :
160 : : static bool check_tuple_attribute(HeapCheckContext *ctx);
161 : : static void check_toasted_attribute(HeapCheckContext *ctx,
162 : : ToastedAttribute *ta);
163 : :
164 : : static bool check_tuple_header(HeapCheckContext *ctx);
165 : : static bool check_tuple_visibility(HeapCheckContext *ctx,
166 : : bool *xmin_commit_status_ok,
167 : : XidCommitStatus *xmin_commit_status);
168 : :
169 : : static void report_corruption(HeapCheckContext *ctx, char *msg);
170 : : static void report_toast_corruption(HeapCheckContext *ctx,
171 : : ToastedAttribute *ta, char *msg);
172 : : static FullTransactionId FullTransactionIdFromXidAndCtx(TransactionId xid,
173 : : const HeapCheckContext *ctx);
174 : : static void update_cached_xid_range(HeapCheckContext *ctx);
175 : : static void update_cached_mxid_range(HeapCheckContext *ctx);
176 : : static XidBoundsViolation check_mxid_in_range(MultiXactId mxid,
177 : : HeapCheckContext *ctx);
178 : : static XidBoundsViolation check_mxid_valid_in_rel(MultiXactId mxid,
179 : : HeapCheckContext *ctx);
180 : : static XidBoundsViolation get_xid_status(TransactionId xid,
181 : : HeapCheckContext *ctx,
182 : : XidCommitStatus *status);
183 : :
184 : : /*
185 : : * Scan and report corruption in heap pages, optionally reconciling toasted
186 : : * attributes with entries in the associated toast table. Intended to be
187 : : * called from SQL with the following parameters:
188 : : *
189 : : * relation:
190 : : * The Oid of the heap relation to be checked.
191 : : *
192 : : * on_error_stop:
193 : : * Whether to stop at the end of the first page for which errors are
194 : : * detected. Note that multiple rows may be returned.
195 : : *
196 : : * check_toast:
197 : : * Whether to check each toasted attribute against the toast table to
198 : : * verify that it can be found there.
199 : : *
200 : : * skip:
201 : : * What kinds of pages in the heap relation should be skipped. Valid
202 : : * options are "all-visible", "all-frozen", and "none".
203 : : *
204 : : * Returns to the SQL caller a set of tuples, each containing the location
205 : : * and a description of a corruption found in the heap.
206 : : *
207 : : * This code goes to some trouble to avoid crashing the server even if the
208 : : * table pages are badly corrupted, but it's probably not perfect. If
209 : : * check_toast is true, we'll use regular index lookups to try to fetch TOAST
210 : : * tuples, which can certainly cause crashes if the right kind of corruption
211 : : * exists in the toast table or index. No matter what parameters you pass,
212 : : * we can't protect against crashes that might occur trying to look up the
213 : : * commit status of transaction IDs (though we avoid trying to do such lookups
214 : : * for transaction IDs that can't legally appear in the table).
215 : : */
216 : : Datum
217 : 3440 : verify_heapam(PG_FUNCTION_ARGS)
218 : : {
219 : 3440 : ReturnSetInfo *rsinfo = (ReturnSetInfo *) fcinfo->resultinfo;
220 : : HeapCheckContext ctx;
221 : 3440 : Buffer vmbuffer = InvalidBuffer;
222 : : Oid relid;
223 : : bool on_error_stop;
224 : : bool check_toast;
225 : 3440 : SkipPages skip_option = SKIP_PAGES_NONE;
226 : : BlockNumber first_block;
227 : : BlockNumber last_block;
228 : : BlockNumber nblocks;
229 : : const char *skip;
230 : :
231 : : /* Check supplied arguments */
232 [ - + ]: 3440 : if (PG_ARGISNULL(0))
1270 rhaas@postgresql.org 233 [ # # ]:UBC 0 : ereport(ERROR,
234 : : (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
235 : : errmsg("relation cannot be null")));
1270 rhaas@postgresql.org 236 :CBC 3440 : relid = PG_GETARG_OID(0);
237 : :
238 [ - + ]: 3440 : if (PG_ARGISNULL(1))
1270 rhaas@postgresql.org 239 [ # # ]:UBC 0 : ereport(ERROR,
240 : : (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
241 : : errmsg("on_error_stop cannot be null")));
1270 rhaas@postgresql.org 242 :CBC 3440 : on_error_stop = PG_GETARG_BOOL(1);
243 : :
244 [ - + ]: 3440 : if (PG_ARGISNULL(2))
1270 rhaas@postgresql.org 245 [ # # ]:UBC 0 : ereport(ERROR,
246 : : (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
247 : : errmsg("check_toast cannot be null")));
1270 rhaas@postgresql.org 248 :CBC 3440 : check_toast = PG_GETARG_BOOL(2);
249 : :
250 [ - + ]: 3440 : if (PG_ARGISNULL(3))
1270 rhaas@postgresql.org 251 [ # # ]:UBC 0 : ereport(ERROR,
252 : : (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
253 : : errmsg("skip cannot be null")));
1270 rhaas@postgresql.org 254 :CBC 3440 : skip = text_to_cstring(PG_GETARG_TEXT_PP(3));
255 [ + + ]: 3440 : if (pg_strcasecmp(skip, "all-visible") == 0)
256 : 84 : skip_option = SKIP_PAGES_ALL_VISIBLE;
257 [ + + ]: 3356 : else if (pg_strcasecmp(skip, "all-frozen") == 0)
258 : 87 : skip_option = SKIP_PAGES_ALL_FROZEN;
259 [ + + ]: 3269 : else if (pg_strcasecmp(skip, "none") == 0)
260 : 3268 : skip_option = SKIP_PAGES_NONE;
261 : : else
262 [ + - ]: 1 : ereport(ERROR,
263 : : (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
264 : : errmsg("invalid skip option"),
265 : : errhint("Valid skip options are \"all-visible\", \"all-frozen\", and \"none\".")));
266 : :
267 : 3439 : memset(&ctx, 0, sizeof(HeapCheckContext));
268 : 3439 : ctx.cached_xid = InvalidTransactionId;
1103 269 : 3439 : ctx.toasted_attributes = NIL;
270 : :
271 : : /*
272 : : * Any xmin newer than the xmin of our snapshot can't become all-visible
273 : : * while we're running.
274 : : */
1109 275 : 3439 : ctx.safe_xmin = GetTransactionSnapshot()->xmin;
276 : :
277 : : /*
278 : : * If we report corruption when not examining some individual attribute,
279 : : * we need attnum to be reported as NULL. Set that up before any
280 : : * corruption reporting might happen.
281 : : */
1269 tgl@sss.pgh.pa.us 282 : 3439 : ctx.attnum = -1;
283 : :
284 : : /* Construct the tuplestore and tuple descriptor */
544 michael@paquier.xyz 285 : 3439 : InitMaterializedSRF(fcinfo, 0);
768 286 : 3439 : ctx.tupdesc = rsinfo->setDesc;
287 : 3439 : ctx.tupstore = rsinfo->setResult;
288 : :
289 : : /* Open relation, check relkind and access method */
1270 rhaas@postgresql.org 290 : 3439 : ctx.rel = relation_open(relid, AccessShareLock);
291 : :
292 : : /*
293 : : * Check that a relation's relkind and access method are both supported.
294 : : */
863 peter@eisentraut.org 295 [ + + + + : 3439 : if (!RELKIND_HAS_TABLE_AM(ctx.rel->rd_rel->relkind) &&
+ + ]
929 296 [ + + ]: 195 : ctx.rel->rd_rel->relkind != RELKIND_SEQUENCE)
1011 297 [ + - ]: 4 : ereport(ERROR,
298 : : (errcode(ERRCODE_WRONG_OBJECT_TYPE),
299 : : errmsg("cannot check relation \"%s\"",
300 : : RelationGetRelationName(ctx.rel)),
301 : : errdetail_relkind_not_supported(ctx.rel->rd_rel->relkind)));
302 : :
303 : : /*
304 : : * Sequences always use heap AM, but they don't show that in the catalogs.
305 : : * Other relkinds might be using a different AM, so check.
306 : : */
929 307 [ + + ]: 3435 : if (ctx.rel->rd_rel->relkind != RELKIND_SEQUENCE &&
308 [ - + ]: 3244 : ctx.rel->rd_rel->relam != HEAP_TABLE_AM_OID)
1011 peter@eisentraut.org 309 [ # # ]:UBC 0 : ereport(ERROR,
310 : : (errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
311 : : errmsg("only heap AM is supported")));
312 : :
313 : : /*
314 : : * Early exit for unlogged relations during recovery. These will have no
315 : : * relation fork, so there won't be anything to check. We behave as if
316 : : * the relation is empty.
317 : : */
916 pg@bowt.ie 318 [ - + - - ]:CBC 3435 : if (ctx.rel->rd_rel->relpersistence == RELPERSISTENCE_UNLOGGED &&
916 pg@bowt.ie 319 :UBC 0 : RecoveryInProgress())
320 : : {
321 [ # # ]: 0 : ereport(DEBUG1,
322 : : (errcode(ERRCODE_READ_ONLY_SQL_TRANSACTION),
323 : : errmsg("cannot verify unlogged relation \"%s\" during recovery, skipping",
324 : : RelationGetRelationName(ctx.rel))));
325 : 0 : relation_close(ctx.rel, AccessShareLock);
326 : 0 : PG_RETURN_NULL();
327 : : }
328 : :
329 : : /* Early exit if the relation is empty */
1270 rhaas@postgresql.org 330 :CBC 3435 : nblocks = RelationGetNumberOfBlocks(ctx.rel);
331 [ + + ]: 3418 : if (!nblocks)
332 : : {
333 : 1941 : relation_close(ctx.rel, AccessShareLock);
334 : 1941 : PG_RETURN_NULL();
335 : : }
336 : :
337 : 1477 : ctx.bstrategy = GetAccessStrategy(BAS_BULKREAD);
338 : 1477 : ctx.buffer = InvalidBuffer;
339 : 1477 : ctx.page = NULL;
340 : :
341 : : /* Validate block numbers, or handle nulls. */
342 [ + + ]: 1477 : if (PG_ARGISNULL(4))
343 : 1354 : first_block = 0;
344 : : else
345 : : {
346 : 123 : int64 fb = PG_GETARG_INT64(4);
347 : :
348 [ + - + + ]: 123 : if (fb < 0 || fb >= nblocks)
349 [ + - ]: 1 : ereport(ERROR,
350 : : (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
351 : : errmsg("starting block number must be between 0 and %u",
352 : : nblocks - 1)));
353 : 122 : first_block = (BlockNumber) fb;
354 : : }
355 [ + + ]: 1476 : if (PG_ARGISNULL(5))
356 : 1353 : last_block = nblocks - 1;
357 : : else
358 : : {
359 : 123 : int64 lb = PG_GETARG_INT64(5);
360 : :
361 [ + - + + ]: 123 : if (lb < 0 || lb >= nblocks)
362 [ + - ]: 1 : ereport(ERROR,
363 : : (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
364 : : errmsg("ending block number must be between 0 and %u",
365 : : nblocks - 1)));
366 : 122 : last_block = (BlockNumber) lb;
367 : : }
368 : :
369 : : /* Optionally open the toast relation, if any. */
370 [ + + + + ]: 1475 : if (ctx.rel->rd_rel->reltoastrelid && check_toast)
371 : 696 : {
372 : : int offset;
373 : :
374 : : /* Main relation has associated toast relation */
375 : 696 : ctx.toast_rel = table_open(ctx.rel->rd_rel->reltoastrelid,
376 : : AccessShareLock);
377 : 696 : offset = toast_open_indexes(ctx.toast_rel,
378 : : AccessShareLock,
379 : : &(ctx.toast_indexes),
380 : : &(ctx.num_toast_indexes));
381 : 696 : ctx.valid_toast_index = ctx.toast_indexes[offset];
382 : : }
383 : : else
384 : : {
385 : : /*
386 : : * Main relation has no associated toast relation, or we're
387 : : * intentionally skipping it.
388 : : */
389 : 779 : ctx.toast_rel = NULL;
390 : 779 : ctx.toast_indexes = NULL;
391 : 779 : ctx.num_toast_indexes = 0;
392 : : }
393 : :
394 : 1475 : update_cached_xid_range(&ctx);
395 : 1475 : update_cached_mxid_range(&ctx);
396 : 1475 : ctx.relfrozenxid = ctx.rel->rd_rel->relfrozenxid;
397 : 1475 : ctx.relfrozenfxid = FullTransactionIdFromXidAndCtx(ctx.relfrozenxid, &ctx);
398 : 1475 : ctx.relminmxid = ctx.rel->rd_rel->relminmxid;
399 : :
400 [ + + ]: 1475 : if (TransactionIdIsNormal(ctx.relfrozenxid))
401 : 1284 : ctx.oldest_xid = ctx.relfrozenxid;
402 : :
403 [ + + ]: 13481 : for (ctx.blkno = first_block; ctx.blkno <= last_block; ctx.blkno++)
404 : : {
405 : : OffsetNumber maxoff;
406 : : OffsetNumber predecessor[MaxOffsetNumber];
407 : : OffsetNumber successor[MaxOffsetNumber];
408 : : bool lp_valid[MaxOffsetNumber];
409 : : bool xmin_commit_status_ok[MaxOffsetNumber];
410 : : XidCommitStatus xmin_commit_status[MaxOffsetNumber];
411 : :
962 pg@bowt.ie 412 [ - + ]: 12009 : CHECK_FOR_INTERRUPTS();
413 : :
389 rhaas@postgresql.org 414 : 12009 : memset(predecessor, 0, sizeof(OffsetNumber) * MaxOffsetNumber);
415 : :
416 : : /* Optionally skip over all-frozen or all-visible blocks */
1270 417 [ + + ]: 12009 : if (skip_option != SKIP_PAGES_NONE)
418 : : {
419 : : int32 mapbits;
420 : :
421 : 735 : mapbits = (int32) visibilitymap_get_status(ctx.rel, ctx.blkno,
422 : : &vmbuffer);
423 [ + + ]: 735 : if (skip_option == SKIP_PAGES_ALL_FROZEN)
424 : : {
425 [ + + ]: 384 : if ((mapbits & VISIBILITYMAP_ALL_FROZEN) != 0)
426 : 33 : continue;
427 : : }
428 : :
429 [ + + ]: 703 : if (skip_option == SKIP_PAGES_ALL_VISIBLE)
430 : : {
431 [ + + ]: 351 : if ((mapbits & VISIBILITYMAP_ALL_VISIBLE) != 0)
432 : 1 : continue;
433 : : }
434 : : }
435 : :
436 : : /* Read and lock the next page. */
437 : 11976 : ctx.buffer = ReadBufferExtended(ctx.rel, MAIN_FORKNUM, ctx.blkno,
438 : : RBM_NORMAL, ctx.bstrategy);
439 : 11976 : LockBuffer(ctx.buffer, BUFFER_LOCK_SHARE);
440 : 11976 : ctx.page = BufferGetPage(ctx.buffer);
441 : :
442 : : /* Perform tuple checks */
443 : 11976 : maxoff = PageGetMaxOffsetNumber(ctx.page);
444 [ + + ]: 571037 : for (ctx.offnum = FirstOffsetNumber; ctx.offnum <= maxoff;
445 : 559061 : ctx.offnum = OffsetNumberNext(ctx.offnum))
446 : : {
447 : : BlockNumber nextblkno;
448 : : OffsetNumber nextoffnum;
449 : :
389 450 : 559061 : successor[ctx.offnum] = InvalidOffsetNumber;
451 : 559061 : lp_valid[ctx.offnum] = false;
452 : 559061 : xmin_commit_status_ok[ctx.offnum] = false;
1270 453 : 559061 : ctx.itemid = PageGetItemId(ctx.page, ctx.offnum);
454 : :
455 : : /* Skip over unused/dead line pointers */
456 [ + + + + ]: 559061 : if (!ItemIdIsUsed(ctx.itemid) || ItemIdIsDead(ctx.itemid))
457 : 5245 : continue;
458 : :
459 : : /*
460 : : * If this line pointer has been redirected, check that it
461 : : * redirects to a valid offset within the line pointer array
462 : : */
463 [ + + ]: 553816 : if (ItemIdIsRedirected(ctx.itemid))
464 : 5623 : {
465 : 5644 : OffsetNumber rdoffnum = ItemIdGetRedirect(ctx.itemid);
466 : : ItemId rditem;
467 : :
1269 tgl@sss.pgh.pa.us 468 [ + + ]: 5644 : if (rdoffnum < FirstOffsetNumber)
469 : : {
470 : 6 : report_corruption(&ctx,
471 : : psprintf("line pointer redirection to item at offset %u precedes minimum offset %u",
472 : : (unsigned) rdoffnum,
473 : : (unsigned) FirstOffsetNumber));
474 : 6 : continue;
475 : : }
476 [ + + ]: 5638 : if (rdoffnum > maxoff)
477 : : {
1270 rhaas@postgresql.org 478 : 14 : report_corruption(&ctx,
479 : : psprintf("line pointer redirection to item at offset %u exceeds maximum offset %u",
480 : : (unsigned) rdoffnum,
481 : : (unsigned) maxoff));
482 : 14 : continue;
483 : : }
484 : :
485 : : /*
486 : : * Since we've checked that this redirect points to a line
487 : : * pointer between FirstOffsetNumber and maxoff, it should now
488 : : * be safe to fetch the referenced line pointer. We expect it
489 : : * to be LP_NORMAL; if not, that's corruption.
490 : : */
491 : 5624 : rditem = PageGetItemId(ctx.page, rdoffnum);
492 [ - + ]: 5624 : if (!ItemIdIsUsed(rditem))
493 : : {
1270 rhaas@postgresql.org 494 :UBC 0 : report_corruption(&ctx,
495 : : psprintf("redirected line pointer points to an unused item at offset %u",
496 : : (unsigned) rdoffnum));
384 497 : 0 : continue;
498 : : }
384 rhaas@postgresql.org 499 [ - + ]:CBC 5624 : else if (ItemIdIsDead(rditem))
500 : : {
384 rhaas@postgresql.org 501 :UBC 0 : report_corruption(&ctx,
502 : : psprintf("redirected line pointer points to a dead item at offset %u",
503 : : (unsigned) rdoffnum));
504 : 0 : continue;
505 : : }
384 rhaas@postgresql.org 506 [ + + ]:CBC 5624 : else if (ItemIdIsRedirected(rditem))
507 : : {
384 rhaas@postgresql.org 508 :GBC 1 : report_corruption(&ctx,
509 : : psprintf("redirected line pointer points to another redirected line pointer at offset %u",
510 : : (unsigned) rdoffnum));
511 : 1 : continue;
512 : : }
513 : :
514 : : /*
515 : : * Record the fact that this line pointer has passed basic
516 : : * sanity checking, and also the offset number to which it
517 : : * points.
518 : : */
389 rhaas@postgresql.org 519 :CBC 5623 : lp_valid[ctx.offnum] = true;
520 : 5623 : successor[ctx.offnum] = rdoffnum;
1270 521 : 5623 : continue;
522 : : }
523 : :
524 : : /* Sanity-check the line pointer's offset and length values */
525 : 548172 : ctx.lp_len = ItemIdGetLength(ctx.itemid);
1269 tgl@sss.pgh.pa.us 526 : 548172 : ctx.lp_off = ItemIdGetOffset(ctx.itemid);
527 : :
528 [ + + ]: 548172 : if (ctx.lp_off != MAXALIGN(ctx.lp_off))
529 : : {
530 : 6 : report_corruption(&ctx,
531 : : psprintf("line pointer to page offset %u is not maximally aligned",
532 : 6 : ctx.lp_off));
533 : 6 : continue;
534 : : }
535 [ + + ]: 548166 : if (ctx.lp_len < MAXALIGN(SizeofHeapTupleHeader))
536 : : {
537 : 12 : report_corruption(&ctx,
538 : : psprintf("line pointer length %u is less than the minimum tuple header size %u",
539 : 12 : ctx.lp_len,
540 : : (unsigned) MAXALIGN(SizeofHeapTupleHeader)));
541 : 12 : continue;
542 : : }
543 [ + + ]: 548154 : if (ctx.lp_off + ctx.lp_len > BLCKSZ)
544 : : {
545 : 14 : report_corruption(&ctx,
546 : : psprintf("line pointer to page offset %u with length %u ends beyond maximum page offset %u",
547 : 14 : ctx.lp_off,
548 : 14 : ctx.lp_len,
549 : : (unsigned) BLCKSZ));
550 : 14 : continue;
551 : : }
552 : :
553 : : /* It should be safe to examine the tuple's header, at least */
389 rhaas@postgresql.org 554 : 548140 : lp_valid[ctx.offnum] = true;
1270 555 : 548140 : ctx.tuphdr = (HeapTupleHeader) PageGetItem(ctx.page, ctx.itemid);
556 : 548140 : ctx.natts = HeapTupleHeaderGetNatts(ctx.tuphdr);
557 : :
558 : : /* Ok, ready to check this next tuple */
389 559 : 548140 : check_tuple(&ctx,
560 : 548140 : &xmin_commit_status_ok[ctx.offnum],
561 : 548140 : &xmin_commit_status[ctx.offnum]);
562 : :
563 : : /*
564 : : * If the CTID field of this tuple seems to point to another tuple
565 : : * on the same page, record that tuple as the successor of this
566 : : * one.
567 : : */
568 : 548140 : nextblkno = ItemPointerGetBlockNumber(&(ctx.tuphdr)->t_ctid);
569 : 548140 : nextoffnum = ItemPointerGetOffsetNumber(&(ctx.tuphdr)->t_ctid);
388 570 [ + + + + : 548140 : if (nextblkno == ctx.blkno && nextoffnum != ctx.offnum &&
+ - ]
571 [ + - ]: 171 : nextoffnum >= FirstOffsetNumber && nextoffnum <= maxoff)
389 572 : 171 : successor[ctx.offnum] = nextoffnum;
573 : : }
574 : :
575 : : /*
576 : : * Update chain validation. Check each line pointer that's got a valid
577 : : * successor against that successor.
578 : : */
579 : 11976 : ctx.attnum = -1;
580 [ + + ]: 571037 : for (ctx.offnum = FirstOffsetNumber; ctx.offnum <= maxoff;
581 : 559061 : ctx.offnum = OffsetNumberNext(ctx.offnum))
582 : : {
583 : : ItemId curr_lp;
584 : : ItemId next_lp;
585 : : HeapTupleHeader curr_htup;
586 : : HeapTupleHeader next_htup;
587 : : TransactionId curr_xmin;
588 : : TransactionId curr_xmax;
589 : : TransactionId next_xmin;
590 : 559061 : OffsetNumber nextoffnum = successor[ctx.offnum];
591 : :
592 : : /*
593 : : * The current line pointer may not have a successor, either
594 : : * because it's not valid or because it didn't point to anything.
595 : : * In either case, we have to give up.
596 : : *
597 : : * If the current line pointer does point to something, it's
598 : : * possible that the target line pointer isn't valid. We have to
599 : : * give up in that case, too.
600 : : */
601 [ + + - + ]: 559061 : if (nextoffnum == InvalidOffsetNumber || !lp_valid[nextoffnum])
602 : 553267 : continue;
603 : :
604 : : /* We have two valid line pointers that we can examine. */
605 : 5794 : curr_lp = PageGetItemId(ctx.page, ctx.offnum);
606 : 5794 : next_lp = PageGetItemId(ctx.page, nextoffnum);
607 : :
608 : : /* Handle the cases where the current line pointer is a redirect. */
609 [ + + ]: 5794 : if (ItemIdIsRedirected(curr_lp))
610 : : {
611 : : /*
612 : : * We should not have set successor[ctx.offnum] to a value
613 : : * other than InvalidOffsetNumber unless that line pointer is
614 : : * LP_NORMAL.
615 : : */
384 616 [ - + ]: 5623 : Assert(ItemIdIsNormal(next_lp));
617 : :
618 : : /* Can only redirect to a HOT tuple. */
389 619 : 5623 : next_htup = (HeapTupleHeader) PageGetItem(ctx.page, next_lp);
620 [ + + ]: 5623 : if (!HeapTupleHeaderIsHeapOnly(next_htup))
621 : : {
389 rhaas@postgresql.org 622 :GBC 1 : report_corruption(&ctx,
623 : : psprintf("redirected line pointer points to a non-heap-only tuple at offset %u",
624 : : (unsigned) nextoffnum));
625 : : }
626 : :
627 : : /* HOT chains should not intersect. */
389 rhaas@postgresql.org 628 [ + + ]:CBC 5623 : if (predecessor[nextoffnum] != InvalidOffsetNumber)
629 : : {
389 rhaas@postgresql.org 630 :GBC 1 : report_corruption(&ctx,
631 : : psprintf("redirect line pointer points to offset %u, but offset %u also points there",
632 : 1 : (unsigned) nextoffnum, (unsigned) predecessor[nextoffnum]));
633 : 1 : continue;
634 : : }
635 : :
636 : : /*
637 : : * This redirect and the tuple to which it points seem to be
638 : : * part of an update chain.
639 : : */
389 rhaas@postgresql.org 640 :CBC 5622 : predecessor[nextoffnum] = ctx.offnum;
641 : 5622 : continue;
642 : : }
643 : :
644 : : /*
645 : : * If the next line pointer is a redirect, or if it's a tuple but
646 : : * the XMAX of this tuple doesn't match the XMIN of the next
647 : : * tuple, then the two aren't part of the same update chain and
648 : : * there is nothing more to do.
649 : : */
650 [ - + ]: 171 : if (ItemIdIsRedirected(next_lp))
389 rhaas@postgresql.org 651 :UBC 0 : continue;
389 rhaas@postgresql.org 652 :CBC 171 : curr_htup = (HeapTupleHeader) PageGetItem(ctx.page, curr_lp);
653 [ + + + + : 171 : curr_xmax = HeapTupleHeaderGetUpdateXid(curr_htup);
+ - ]
654 : 171 : next_htup = (HeapTupleHeader) PageGetItem(ctx.page, next_lp);
655 [ + + ]: 171 : next_xmin = HeapTupleHeaderGetXmin(next_htup);
656 [ + + - + ]: 171 : if (!TransactionIdIsValid(curr_xmax) ||
657 : : !TransactionIdEquals(curr_xmax, next_xmin))
658 : 4 : continue;
659 : :
660 : : /* HOT chains should not intersect. */
661 [ + + ]: 167 : if (predecessor[nextoffnum] != InvalidOffsetNumber)
662 : : {
389 rhaas@postgresql.org 663 :GBC 1 : report_corruption(&ctx,
664 : : psprintf("tuple points to new version at offset %u, but offset %u also points there",
665 : 1 : (unsigned) nextoffnum, (unsigned) predecessor[nextoffnum]));
666 : 1 : continue;
667 : : }
668 : :
669 : : /*
670 : : * This tuple and the tuple to which it points seem to be part of
671 : : * an update chain.
672 : : */
389 rhaas@postgresql.org 673 :CBC 166 : predecessor[nextoffnum] = ctx.offnum;
674 : :
675 : : /*
676 : : * If the current tuple is marked as HOT-updated, then the next
677 : : * tuple should be marked as a heap-only tuple. Conversely, if the
678 : : * current tuple isn't marked as HOT-updated, then the next tuple
679 : : * shouldn't be marked as a heap-only tuple.
680 : : *
681 : : * NB: Can't use HeapTupleHeaderIsHotUpdated() as it checks if
682 : : * hint bits indicate xmin/xmax aborted.
683 : : */
388 684 [ + + ]: 166 : if (!(curr_htup->t_infomask2 & HEAP_HOT_UPDATED) &&
389 rhaas@postgresql.org 685 [ + - ]:GBC 1 : HeapTupleHeaderIsHeapOnly(next_htup))
686 : : {
687 : 1 : report_corruption(&ctx,
688 : : psprintf("non-heap-only update produced a heap-only tuple at offset %u",
689 : : (unsigned) nextoffnum));
690 : : }
388 rhaas@postgresql.org 691 [ + + ]:CBC 166 : if ((curr_htup->t_infomask2 & HEAP_HOT_UPDATED) &&
389 692 [ + + ]: 165 : !HeapTupleHeaderIsHeapOnly(next_htup))
693 : : {
389 rhaas@postgresql.org 694 :GBC 1 : report_corruption(&ctx,
695 : : psprintf("heap-only update produced a non-heap only tuple at offset %u",
696 : : (unsigned) nextoffnum));
697 : : }
698 : :
699 : : /*
700 : : * If the current tuple's xmin is still in progress but the
701 : : * successor tuple's xmin is committed, that's corruption.
702 : : *
703 : : * NB: We recheck the commit status of the current tuple's xmin
704 : : * here, because it might have committed after we checked it and
705 : : * before we checked the commit status of the successor tuple's
706 : : * xmin. This should be safe because the xmin itself can't have
707 : : * changed, only its commit status.
708 : : */
389 rhaas@postgresql.org 709 [ + - ]:CBC 166 : curr_xmin = HeapTupleHeaderGetXmin(curr_htup);
710 [ + - ]: 166 : if (xmin_commit_status_ok[ctx.offnum] &&
711 [ + + ]: 166 : xmin_commit_status[ctx.offnum] == XID_IN_PROGRESS &&
389 rhaas@postgresql.org 712 [ + - ]:GBC 1 : xmin_commit_status_ok[nextoffnum] &&
713 [ + - + - ]: 2 : xmin_commit_status[nextoffnum] == XID_COMMITTED &&
714 : 1 : TransactionIdIsInProgress(curr_xmin))
715 : : {
716 : 1 : report_corruption(&ctx,
717 : : psprintf("tuple with in-progress xmin %u was updated to produce a tuple at offset %u with committed xmin %u",
718 : : (unsigned) curr_xmin,
719 : 1 : (unsigned) ctx.offnum,
720 : : (unsigned) next_xmin));
721 : : }
722 : :
723 : : /*
724 : : * If the current tuple's xmin is aborted but the successor
725 : : * tuple's xmin is in-progress or committed, that's corruption.
726 : : */
389 rhaas@postgresql.org 727 [ + - ]:CBC 166 : if (xmin_commit_status_ok[ctx.offnum] &&
728 [ + + ]: 166 : xmin_commit_status[ctx.offnum] == XID_ABORTED &&
389 rhaas@postgresql.org 729 [ + - ]:GBC 2 : xmin_commit_status_ok[nextoffnum])
730 : : {
731 [ + + ]: 2 : if (xmin_commit_status[nextoffnum] == XID_IN_PROGRESS)
732 : 1 : report_corruption(&ctx,
733 : : psprintf("tuple with aborted xmin %u was updated to produce a tuple at offset %u with in-progress xmin %u",
734 : : (unsigned) curr_xmin,
735 : 1 : (unsigned) ctx.offnum,
736 : : (unsigned) next_xmin));
737 [ + - ]: 1 : else if (xmin_commit_status[nextoffnum] == XID_COMMITTED)
738 : 1 : report_corruption(&ctx,
739 : : psprintf("tuple with aborted xmin %u was updated to produce a tuple at offset %u with committed xmin %u",
740 : : (unsigned) curr_xmin,
741 : 1 : (unsigned) ctx.offnum,
742 : : (unsigned) next_xmin));
743 : : }
744 : : }
745 : :
746 : : /*
747 : : * An update chain can start either with a non-heap-only tuple or with
748 : : * a redirect line pointer, but not with a heap-only tuple.
749 : : *
750 : : * (This check is in a separate loop because we need the predecessor
751 : : * array to be fully populated before we can perform it.)
752 : : */
389 rhaas@postgresql.org 753 :CBC 11976 : for (ctx.offnum = FirstOffsetNumber;
754 [ + + ]: 571037 : ctx.offnum <= maxoff;
755 : 559061 : ctx.offnum = OffsetNumberNext(ctx.offnum))
756 : : {
757 [ + + ]: 559061 : if (xmin_commit_status_ok[ctx.offnum] &&
758 [ + + ]: 548131 : (xmin_commit_status[ctx.offnum] == XID_COMMITTED ||
759 [ + + ]: 7 : xmin_commit_status[ctx.offnum] == XID_IN_PROGRESS) &&
760 [ + + ]: 548126 : predecessor[ctx.offnum] == InvalidOffsetNumber)
761 : : {
762 : : ItemId curr_lp;
763 : :
764 : 542341 : curr_lp = PageGetItemId(ctx.page, ctx.offnum);
765 [ + - ]: 542341 : if (!ItemIdIsRedirected(curr_lp))
766 : : {
767 : : HeapTupleHeader curr_htup;
768 : :
769 : : curr_htup = (HeapTupleHeader)
770 : 542341 : PageGetItem(ctx.page, curr_lp);
771 [ + + ]: 542341 : if (HeapTupleHeaderIsHeapOnly(curr_htup))
389 rhaas@postgresql.org 772 :GBC 4 : report_corruption(&ctx,
773 : : psprintf("tuple is root of chain but is marked as heap-only tuple"));
774 : : }
775 : : }
776 : : }
777 : :
778 : : /* clean up */
1270 rhaas@postgresql.org 779 :CBC 11976 : UnlockReleaseBuffer(ctx.buffer);
780 : :
781 : : /*
782 : : * Check any toast pointers from the page whose lock we just released
783 : : */
1103 784 [ + + ]: 11976 : if (ctx.toasted_attributes != NIL)
785 : : {
786 : : ListCell *cell;
787 : :
788 [ + - + + : 12655 : foreach(cell, ctx.toasted_attributes)
+ + ]
789 : 11815 : check_toasted_attribute(&ctx, lfirst(cell));
790 : 840 : list_free_deep(ctx.toasted_attributes);
791 : 840 : ctx.toasted_attributes = NIL;
792 : : }
793 : :
1270 794 [ + + - + ]: 11973 : if (on_error_stop && ctx.is_corrupt)
1270 rhaas@postgresql.org 795 :UBC 0 : break;
796 : : }
797 : :
1270 rhaas@postgresql.org 798 [ + + ]:CBC 1472 : if (vmbuffer != InvalidBuffer)
799 : 3 : ReleaseBuffer(vmbuffer);
800 : :
801 : : /* Close the associated toast table and indexes, if any. */
802 [ + + ]: 1472 : if (ctx.toast_indexes)
803 : 693 : toast_close_indexes(ctx.toast_indexes, ctx.num_toast_indexes,
804 : : AccessShareLock);
805 [ + + ]: 1472 : if (ctx.toast_rel)
806 : 693 : table_close(ctx.toast_rel, AccessShareLock);
807 : :
808 : : /* Close the main relation */
809 : 1472 : relation_close(ctx.rel, AccessShareLock);
810 : :
811 : 1472 : PG_RETURN_NULL();
812 : : }
813 : :
814 : : /*
815 : : * Shared internal implementation for report_corruption and
816 : : * report_toast_corruption.
817 : : */
818 : : static void
1103 819 : 86 : report_corruption_internal(Tuplestorestate *tupstore, TupleDesc tupdesc,
820 : : BlockNumber blkno, OffsetNumber offnum,
821 : : AttrNumber attnum, char *msg)
822 : : {
638 peter@eisentraut.org 823 : 86 : Datum values[HEAPCHECK_RELATION_COLS] = {0};
824 : 86 : bool nulls[HEAPCHECK_RELATION_COLS] = {0};
825 : : HeapTuple tuple;
826 : :
1103 rhaas@postgresql.org 827 : 86 : values[0] = Int64GetDatum(blkno);
828 : 86 : values[1] = Int32GetDatum(offnum);
829 : 86 : values[2] = Int32GetDatum(attnum);
830 : 86 : nulls[2] = (attnum < 0);
1270 831 : 86 : values[3] = CStringGetTextDatum(msg);
832 : :
833 : : /*
834 : : * In principle, there is nothing to prevent a scan over a large, highly
835 : : * corrupted table from using work_mem worth of memory building up the
836 : : * tuplestore. That's ok, but if we also leak the msg argument memory
837 : : * until the end of the query, we could exceed work_mem by more than a
838 : : * trivial amount. Therefore, free the msg argument each time we are
839 : : * called rather than waiting for our current memory context to be freed.
840 : : */
841 : 86 : pfree(msg);
842 : :
1103 843 : 86 : tuple = heap_form_tuple(tupdesc, values, nulls);
844 : 86 : tuplestore_puttuple(tupstore, tuple);
845 : 86 : }
846 : :
847 : : /*
848 : : * Record a single corruption found in the main table. The values in ctx should
849 : : * indicate the location of the corruption, and the msg argument should contain
850 : : * a human-readable description of the corruption.
851 : : *
852 : : * The msg argument is pfree'd by this function.
853 : : */
854 : : static void
855 : 85 : report_corruption(HeapCheckContext *ctx, char *msg)
856 : : {
857 : 85 : report_corruption_internal(ctx->tupstore, ctx->tupdesc, ctx->blkno,
858 : 85 : ctx->offnum, ctx->attnum, msg);
859 : 85 : ctx->is_corrupt = true;
860 : 85 : }
861 : :
862 : : /*
863 : : * Record corruption found in the toast table. The values in ta should
864 : : * indicate the location in the main table where the toast pointer was
865 : : * encountered, and the msg argument should contain a human-readable
866 : : * description of the toast table corruption.
867 : : *
868 : : * As above, the msg argument is pfree'd by this function.
869 : : */
870 : : static void
1103 rhaas@postgresql.org 871 :GBC 1 : report_toast_corruption(HeapCheckContext *ctx, ToastedAttribute *ta,
872 : : char *msg)
873 : : {
874 : 1 : report_corruption_internal(ctx->tupstore, ctx->tupdesc, ta->blkno,
875 : 1 : ta->offnum, ta->attnum, msg);
1270 876 : 1 : ctx->is_corrupt = true;
877 : 1 : }
878 : :
879 : : /*
880 : : * Check for tuple header corruption.
881 : : *
882 : : * Some kinds of corruption make it unsafe to check the tuple attributes, for
883 : : * example when the line pointer refers to a range of bytes outside the page.
884 : : * In such cases, we return false (not checkable) after recording appropriate
885 : : * corruption messages.
886 : : *
887 : : * Some other kinds of tuple header corruption confuse the question of where
888 : : * the tuple attributes begin, or how long the nulls bitmap is, etc., making it
889 : : * unreasonable to attempt to check attributes, even if all candidate answers
890 : : * to those questions would not result in reading past the end of the line
891 : : * pointer or page. In such cases, like above, we record corruption messages
892 : : * about the header and then return false.
893 : : *
894 : : * Other kinds of tuple header corruption do not bear on the question of
895 : : * whether the tuple attributes can be checked, so we record corruption
896 : : * messages for them but we do not return false merely because we detected
897 : : * them.
898 : : *
899 : : * Returns whether the tuple is sufficiently sensible to undergo visibility and
900 : : * attribute checks.
901 : : */
902 : : static bool
1109 rhaas@postgresql.org 903 :CBC 548140 : check_tuple_header(HeapCheckContext *ctx)
904 : : {
905 : 548140 : HeapTupleHeader tuphdr = ctx->tuphdr;
1270 906 : 548140 : uint16 infomask = tuphdr->t_infomask;
389 907 [ + + + + : 548140 : TransactionId curr_xmax = HeapTupleHeaderGetUpdateXid(tuphdr);
+ + ]
1109 908 : 548140 : bool result = true;
909 : : unsigned expected_hoff;
910 : :
1270 911 [ + + ]: 548140 : if (ctx->tuphdr->t_hoff > ctx->lp_len)
912 : : {
1270 rhaas@postgresql.org 913 :GBC 1 : report_corruption(ctx,
914 : : psprintf("data begins at offset %u beyond the tuple length %u",
915 : 1 : ctx->tuphdr->t_hoff, ctx->lp_len));
1109 916 : 1 : result = false;
917 : : }
918 : :
1270 rhaas@postgresql.org 919 [ + + ]:CBC 548140 : if ((ctx->tuphdr->t_infomask & HEAP_XMAX_COMMITTED) &&
920 [ + + ]: 131 : (ctx->tuphdr->t_infomask & HEAP_XMAX_IS_MULTI))
921 : : {
1270 rhaas@postgresql.org 922 :GBC 2 : report_corruption(ctx,
923 : : pstrdup("multixact should not be marked committed"));
924 : :
925 : : /*
926 : : * This condition is clearly wrong, but it's not enough to justify
927 : : * skipping further checks, because we don't rely on this to determine
928 : : * whether the tuple is visible or to interpret other relevant header
929 : : * fields.
930 : : */
931 : : }
932 : :
389 rhaas@postgresql.org 933 [ + + ]:CBC 548140 : if (!TransactionIdIsValid(curr_xmax) &&
934 [ + + + - : 547909 : HeapTupleHeaderIsHotUpdated(tuphdr))
+ - ]
935 : : {
389 rhaas@postgresql.org 936 :GBC 1 : report_corruption(ctx,
937 : : psprintf("tuple has been HOT updated, but xmax is 0"));
938 : :
939 : : /*
940 : : * As above, even though this shouldn't happen, it's not sufficient
941 : : * justification for skipping further checks, we should still be able
942 : : * to perform sensibly.
943 : : */
944 : : }
945 : :
384 rhaas@postgresql.org 946 [ + + ]:CBC 548140 : if (HeapTupleHeaderIsHeapOnly(tuphdr) &&
947 [ + + ]: 5790 : ((tuphdr->t_infomask & HEAP_UPDATED) == 0))
948 : : {
384 rhaas@postgresql.org 949 :GBC 1 : report_corruption(ctx,
950 : : psprintf("tuple is heap only, but not the result of an update"));
951 : :
952 : : /* Here again, we can still perform further checks. */
953 : : }
954 : :
1270 rhaas@postgresql.org 955 [ + + ]:CBC 548140 : if (infomask & HEAP_HASNULL)
956 : 252549 : expected_hoff = MAXALIGN(SizeofHeapTupleHeader + BITMAPLEN(ctx->natts));
957 : : else
958 : 295591 : expected_hoff = MAXALIGN(SizeofHeapTupleHeader);
959 [ + + ]: 548140 : if (ctx->tuphdr->t_hoff != expected_hoff)
960 : : {
1270 rhaas@postgresql.org 961 [ + + - + ]:GBC 5 : if ((infomask & HEAP_HASNULL) && ctx->natts == 1)
1270 rhaas@postgresql.org 962 :UBC 0 : report_corruption(ctx,
963 : : psprintf("tuple data should begin at byte %u, but actually begins at byte %u (1 attribute, has nulls)",
964 : 0 : expected_hoff, ctx->tuphdr->t_hoff));
1270 rhaas@postgresql.org 965 [ + + ]:GBC 5 : else if ((infomask & HEAP_HASNULL))
966 : 1 : report_corruption(ctx,
967 : : psprintf("tuple data should begin at byte %u, but actually begins at byte %u (%u attributes, has nulls)",
968 : 1 : expected_hoff, ctx->tuphdr->t_hoff, ctx->natts));
969 [ - + ]: 4 : else if (ctx->natts == 1)
1270 rhaas@postgresql.org 970 :UBC 0 : report_corruption(ctx,
971 : : psprintf("tuple data should begin at byte %u, but actually begins at byte %u (1 attribute, no nulls)",
972 : 0 : expected_hoff, ctx->tuphdr->t_hoff));
973 : : else
1270 rhaas@postgresql.org 974 :GBC 4 : report_corruption(ctx,
975 : : psprintf("tuple data should begin at byte %u, but actually begins at byte %u (%u attributes, no nulls)",
976 : 4 : expected_hoff, ctx->tuphdr->t_hoff, ctx->natts));
1109 977 : 5 : result = false;
978 : : }
979 : :
1109 rhaas@postgresql.org 980 :CBC 548140 : return result;
981 : : }
982 : :
983 : : /*
984 : : * Checks tuple visibility so we know which further checks are safe to
985 : : * perform.
986 : : *
987 : : * If a tuple could have been inserted by a transaction that also added a
988 : : * column to the table, but which ultimately did not commit, or which has not
989 : : * yet committed, then the table's current TupleDesc might differ from the one
990 : : * used to construct this tuple, so we must not check it.
991 : : *
992 : : * As a special case, if our own transaction inserted the tuple, even if we
993 : : * added a column to the table, our TupleDesc should match. We could check the
994 : : * tuple, but choose not to do so.
995 : : *
996 : : * If a tuple has been updated or deleted, we can still read the old tuple for
997 : : * corruption checking purposes, as long as we are careful about concurrent
998 : : * vacuums. The main table tuple itself cannot be vacuumed away because we
999 : : * hold a buffer lock on the page, but if the deleting transaction is older
1000 : : * than our transaction snapshot's xmin, then vacuum could remove the toast at
1001 : : * any time, so we must not try to follow TOAST pointers.
1002 : : *
1003 : : * If xmin or xmax values are older than can be checked against clog, or appear
1004 : : * to be in the future (possibly due to wrap-around), then we cannot make a
1005 : : * determination about the visibility of the tuple, so we skip further checks.
1006 : : *
1007 : : * Returns true if the tuple itself should be checked, false otherwise. Sets
1008 : : * ctx->tuple_could_be_pruned if the tuple -- and thus also any associated
1009 : : * TOAST tuples -- are eligible for pruning.
1010 : : *
1011 : : * Sets *xmin_commit_status_ok to true if the commit status of xmin is known
1012 : : * and false otherwise. If it's set to true, then also set *xmin_commit_status
1013 : : * to the actual commit status.
1014 : : */
1015 : : static bool
389 1016 : 548135 : check_tuple_visibility(HeapCheckContext *ctx, bool *xmin_commit_status_ok,
1017 : : XidCommitStatus *xmin_commit_status)
1018 : : {
1019 : : TransactionId xmin;
1020 : : TransactionId xvac;
1021 : : TransactionId xmax;
1022 : : XidCommitStatus xmin_status;
1023 : : XidCommitStatus xvac_status;
1024 : : XidCommitStatus xmax_status;
1109 1025 : 548135 : HeapTupleHeader tuphdr = ctx->tuphdr;
1026 : :
1027 : 548135 : ctx->tuple_could_be_pruned = true; /* have not yet proven otherwise */
331 tgl@sss.pgh.pa.us 1028 : 548135 : *xmin_commit_status_ok = false; /* have not yet proven otherwise */
1029 : :
1030 : : /* If xmin is normal, it should be within valid range */
1109 rhaas@postgresql.org 1031 [ + + ]: 548135 : xmin = HeapTupleHeaderGetXmin(tuphdr);
1032 [ - + + + : 548135 : switch (get_xid_status(xmin, ctx, &xmin_status))
+ - ]
1033 : : {
1109 rhaas@postgresql.org 1034 :UBC 0 : case XID_INVALID:
1035 : : /* Could be the result of a speculative insertion that aborted. */
388 1036 : 0 : return false;
1109 rhaas@postgresql.org 1037 :CBC 548131 : case XID_BOUNDS_OK:
389 1038 : 548131 : *xmin_commit_status_ok = true;
1039 : 548131 : *xmin_commit_status = xmin_status;
1109 1040 : 548131 : break;
1109 rhaas@postgresql.org 1041 :GBC 1 : case XID_IN_FUTURE:
1042 : 1 : report_corruption(ctx,
1043 : : psprintf("xmin %u equals or exceeds next valid transaction ID %u:%u",
1044 : : xmin,
1045 : 1 : EpochFromFullTransactionId(ctx->next_fxid),
1046 : 1 : XidFromFullTransactionId(ctx->next_fxid)));
1047 : 1 : return false;
1048 : 2 : case XID_PRECEDES_CLUSTERMIN:
1049 : 2 : report_corruption(ctx,
1050 : : psprintf("xmin %u precedes oldest valid transaction ID %u:%u",
1051 : : xmin,
1052 : 2 : EpochFromFullTransactionId(ctx->oldest_fxid),
1053 : 2 : XidFromFullTransactionId(ctx->oldest_fxid)));
1054 : 2 : return false;
1055 : 1 : case XID_PRECEDES_RELMIN:
1056 : 1 : report_corruption(ctx,
1057 : : psprintf("xmin %u precedes relation freeze threshold %u:%u",
1058 : : xmin,
1059 : 1 : EpochFromFullTransactionId(ctx->relfrozenfxid),
1060 : 1 : XidFromFullTransactionId(ctx->relfrozenfxid)));
1061 : 1 : return false;
1062 : : }
1063 : :
1064 : : /*
1065 : : * Has inserting transaction committed?
1066 : : */
1270 rhaas@postgresql.org 1067 [ + + ]:CBC 548131 : if (!HeapTupleHeaderXminCommitted(tuphdr))
1068 : : {
1069 [ - + ]: 18453 : if (HeapTupleHeaderXminInvalid(tuphdr))
1109 rhaas@postgresql.org 1070 :UBC 0 : return false; /* inserter aborted, don't check */
1071 : : /* Used by pre-9.0 binary upgrades */
1109 rhaas@postgresql.org 1072 [ - + ]:CBC 18453 : else if (tuphdr->t_infomask & HEAP_MOVED_OFF)
1073 : : {
1109 rhaas@postgresql.org 1074 [ # # ]:UBC 0 : xvac = HeapTupleHeaderGetXvac(tuphdr);
1075 : :
1076 [ # # # # : 0 : switch (get_xid_status(xvac, ctx, &xvac_status))
# # ]
1077 : : {
1270 1078 : 0 : case XID_INVALID:
1079 : 0 : report_corruption(ctx,
1080 : : pstrdup("old-style VACUUM FULL transaction ID for moved off tuple is invalid"));
1109 1081 : 0 : return false;
1270 1082 : 0 : case XID_IN_FUTURE:
1083 : 0 : report_corruption(ctx,
1084 : : psprintf("old-style VACUUM FULL transaction ID %u for moved off tuple equals or exceeds next valid transaction ID %u:%u",
1085 : : xvac,
1086 : 0 : EpochFromFullTransactionId(ctx->next_fxid),
1087 : 0 : XidFromFullTransactionId(ctx->next_fxid)));
1109 1088 : 0 : return false;
1270 1089 : 0 : case XID_PRECEDES_RELMIN:
1090 : 0 : report_corruption(ctx,
1091 : : psprintf("old-style VACUUM FULL transaction ID %u for moved off tuple precedes relation freeze threshold %u:%u",
1092 : : xvac,
1093 : 0 : EpochFromFullTransactionId(ctx->relfrozenfxid),
1094 : 0 : XidFromFullTransactionId(ctx->relfrozenfxid)));
1109 1095 : 0 : return false;
1270 1096 : 0 : case XID_PRECEDES_CLUSTERMIN:
1097 : 0 : report_corruption(ctx,
1098 : : psprintf("old-style VACUUM FULL transaction ID %u for moved off tuple precedes oldest valid transaction ID %u:%u",
1099 : : xvac,
1100 : 0 : EpochFromFullTransactionId(ctx->oldest_fxid),
1101 : 0 : XidFromFullTransactionId(ctx->oldest_fxid)));
1109 1102 : 0 : return false;
1270 1103 : 0 : case XID_BOUNDS_OK:
1109 1104 : 0 : break;
1105 : : }
1106 : :
1107 [ # # # # : 0 : switch (xvac_status)
# ]
1108 : : {
1109 : 0 : case XID_IS_CURRENT_XID:
1110 : 0 : report_corruption(ctx,
1111 : : psprintf("old-style VACUUM FULL transaction ID %u for moved off tuple matches our current transaction ID",
1112 : : xvac));
1113 : 0 : return false;
1114 : 0 : case XID_IN_PROGRESS:
1115 : 0 : report_corruption(ctx,
1116 : : psprintf("old-style VACUUM FULL transaction ID %u for moved off tuple appears to be in progress",
1117 : : xvac));
1118 : 0 : return false;
1119 : :
1120 : 0 : case XID_COMMITTED:
1121 : :
1122 : : /*
1123 : : * The tuple is dead, because the xvac transaction moved
1124 : : * it off and committed. It's checkable, but also
1125 : : * prunable.
1126 : : */
1127 : 0 : return true;
1128 : :
1129 : 0 : case XID_ABORTED:
1130 : :
1131 : : /*
1132 : : * The original xmin must have committed, because the xvac
1133 : : * transaction tried to move it later. Since xvac is
1134 : : * aborted, whether it's still alive now depends on the
1135 : : * status of xmax.
1136 : : */
1137 : 0 : break;
1138 : : }
1139 : : }
1140 : : /* Used by pre-9.0 binary upgrades */
1109 rhaas@postgresql.org 1141 [ - + ]:CBC 18453 : else if (tuphdr->t_infomask & HEAP_MOVED_IN)
1142 : : {
1109 rhaas@postgresql.org 1143 [ # # ]:UBC 0 : xvac = HeapTupleHeaderGetXvac(tuphdr);
1144 : :
1145 [ # # # # : 0 : switch (get_xid_status(xvac, ctx, &xvac_status))
# # ]
1146 : : {
1270 1147 : 0 : case XID_INVALID:
1148 : 0 : report_corruption(ctx,
1149 : : pstrdup("old-style VACUUM FULL transaction ID for moved in tuple is invalid"));
1150 : 0 : return false;
1151 : 0 : case XID_IN_FUTURE:
1152 : 0 : report_corruption(ctx,
1153 : : psprintf("old-style VACUUM FULL transaction ID %u for moved in tuple equals or exceeds next valid transaction ID %u:%u",
1154 : : xvac,
1155 : 0 : EpochFromFullTransactionId(ctx->next_fxid),
1156 : 0 : XidFromFullTransactionId(ctx->next_fxid)));
1109 1157 : 0 : return false;
1270 1158 : 0 : case XID_PRECEDES_RELMIN:
1159 : 0 : report_corruption(ctx,
1160 : : psprintf("old-style VACUUM FULL transaction ID %u for moved in tuple precedes relation freeze threshold %u:%u",
1161 : : xvac,
1162 : 0 : EpochFromFullTransactionId(ctx->relfrozenfxid),
1163 : 0 : XidFromFullTransactionId(ctx->relfrozenfxid)));
1109 1164 : 0 : return false;
1270 1165 : 0 : case XID_PRECEDES_CLUSTERMIN:
1166 : 0 : report_corruption(ctx,
1167 : : psprintf("old-style VACUUM FULL transaction ID %u for moved in tuple precedes oldest valid transaction ID %u:%u",
1168 : : xvac,
1169 : 0 : EpochFromFullTransactionId(ctx->oldest_fxid),
1170 : 0 : XidFromFullTransactionId(ctx->oldest_fxid)));
1109 1171 : 0 : return false;
1270 1172 : 0 : case XID_BOUNDS_OK:
1109 1173 : 0 : break;
1174 : : }
1175 : :
1176 [ # # # # : 0 : switch (xvac_status)
# ]
1177 : : {
1178 : 0 : case XID_IS_CURRENT_XID:
1179 : 0 : report_corruption(ctx,
1180 : : psprintf("old-style VACUUM FULL transaction ID %u for moved in tuple matches our current transaction ID",
1181 : : xvac));
1182 : 0 : return false;
1183 : 0 : case XID_IN_PROGRESS:
1184 : 0 : report_corruption(ctx,
1185 : : psprintf("old-style VACUUM FULL transaction ID %u for moved in tuple appears to be in progress",
1186 : : xvac));
1187 : 0 : return false;
1188 : :
1189 : 0 : case XID_COMMITTED:
1190 : :
1191 : : /*
1192 : : * The original xmin must have committed, because the xvac
1193 : : * transaction moved it later. Whether it's still alive
1194 : : * now depends on the status of xmax.
1195 : : */
1196 : 0 : break;
1197 : :
1198 : 0 : case XID_ABORTED:
1199 : :
1200 : : /*
1201 : : * The tuple is dead, because the xvac transaction moved
1202 : : * it off and committed. It's checkable, but also
1203 : : * prunable.
1204 : : */
1205 : 0 : return true;
1206 : : }
1207 : : }
1109 rhaas@postgresql.org 1208 [ + + ]:CBC 18453 : else if (xmin_status != XID_COMMITTED)
1209 : : {
1210 : : /*
1211 : : * Inserting transaction is not in progress, and not committed, so
1212 : : * it might have changed the TupleDesc in ways we don't know
1213 : : * about. Thus, don't try to check the tuple structure.
1214 : : *
1215 : : * If xmin_status happens to be XID_IS_CURRENT_XID, then in theory
1216 : : * any such DDL changes ought to be visible to us, so perhaps we
1217 : : * could check anyway in that case. But, for now, let's be
1218 : : * conservative and treat this like any other uncommitted insert.
1219 : : */
1220 : 7 : return false;
1221 : : }
1222 : : }
1223 : :
1224 : : /*
1225 : : * Okay, the inserter committed, so it was good at some point. Now what
1226 : : * about the deleting transaction?
1227 : : */
1228 : :
1229 [ + + ]: 548124 : if (tuphdr->t_infomask & HEAP_XMAX_IS_MULTI)
1230 : : {
1231 : : /*
1232 : : * xmax is a multixact, so sanity-check the MXID. Note that we do this
1233 : : * prior to checking for HEAP_XMAX_INVALID or
1234 : : * HEAP_XMAX_IS_LOCKED_ONLY. This might therefore complain about
1235 : : * things that wouldn't actually be a problem during a normal scan,
1236 : : * but eventually we're going to have to freeze, and that process will
1237 : : * ignore hint bits.
1238 : : *
1239 : : * Even if the MXID is out of range, we still know that the original
1240 : : * insert committed, so we can check the tuple itself. However, we
1241 : : * can't rule out the possibility that this tuple is dead, so don't
1242 : : * clear ctx->tuple_could_be_pruned. Possibly we should go ahead and
1243 : : * clear that flag anyway if HEAP_XMAX_INVALID is set or if
1244 : : * HEAP_XMAX_IS_LOCKED_ONLY is true, but for now we err on the side of
1245 : : * avoiding possibly-bogus complaints about missing TOAST entries.
1246 : : */
1247 : 58 : xmax = HeapTupleHeaderGetRawXmax(tuphdr);
1248 [ - + - + : 58 : switch (check_mxid_valid_in_rel(xmax, ctx))
+ - ]
1249 : : {
1109 rhaas@postgresql.org 1250 :UBC 0 : case XID_INVALID:
1251 : 0 : report_corruption(ctx,
1252 : : pstrdup("multitransaction ID is invalid"));
1253 : 0 : return true;
1109 rhaas@postgresql.org 1254 :GBC 1 : case XID_PRECEDES_RELMIN:
1255 : 1 : report_corruption(ctx,
1256 : : psprintf("multitransaction ID %u precedes relation minimum multitransaction ID threshold %u",
1257 : : xmax, ctx->relminmxid));
1258 : 1 : return true;
1109 rhaas@postgresql.org 1259 :UBC 0 : case XID_PRECEDES_CLUSTERMIN:
1260 : 0 : report_corruption(ctx,
1261 : : psprintf("multitransaction ID %u precedes oldest valid multitransaction ID threshold %u",
1262 : : xmax, ctx->oldest_mxact));
1263 : 0 : return true;
1109 rhaas@postgresql.org 1264 :GBC 1 : case XID_IN_FUTURE:
1265 : 1 : report_corruption(ctx,
1266 : : psprintf("multitransaction ID %u equals or exceeds next valid multitransaction ID %u",
1267 : : xmax,
1268 : : ctx->next_mxact));
1269 : 1 : return true;
1109 rhaas@postgresql.org 1270 :CBC 56 : case XID_BOUNDS_OK:
1271 : 56 : break;
1272 : : }
1273 : : }
1274 : :
1275 [ + + ]: 548122 : if (tuphdr->t_infomask & HEAP_XMAX_INVALID)
1276 : : {
1277 : : /*
1278 : : * This tuple is live. A concurrently running transaction could
1279 : : * delete it before we get around to checking the toast, but any such
1280 : : * running transaction is surely not less than our safe_xmin, so the
1281 : : * toast cannot be vacuumed out from under us.
1282 : : */
1283 : 547896 : ctx->tuple_could_be_pruned = false;
1284 : 547896 : return true;
1285 : : }
1286 : :
1287 [ + + - + ]: 226 : if (HEAP_XMAX_IS_LOCKED_ONLY(tuphdr->t_infomask))
1288 : : {
1289 : : /*
1290 : : * "Deleting" xact really only locked it, so the tuple is live in any
1291 : : * case. As above, a concurrently running transaction could delete
1292 : : * it, but it cannot be vacuumed out from under us.
1293 : : */
1294 : 28 : ctx->tuple_could_be_pruned = false;
1295 : 28 : return true;
1296 : : }
1297 : :
1298 [ + + ]: 198 : if (tuphdr->t_infomask & HEAP_XMAX_IS_MULTI)
1299 : : {
1300 : : /*
1301 : : * We already checked above that this multixact is within limits for
1302 : : * this table. Now check the update xid from this multixact.
1303 : : */
1304 : 28 : xmax = HeapTupleGetUpdateXid(tuphdr);
1305 [ - - - - : 28 : switch (get_xid_status(xmax, ctx, &xmax_status))
+ - ]
1306 : : {
1109 rhaas@postgresql.org 1307 :UBC 0 : case XID_INVALID:
1308 : : /* not LOCKED_ONLY, so it has to have an xmax */
1309 : 0 : report_corruption(ctx,
1310 : : pstrdup("update xid is invalid"));
1311 : 0 : return true;
1312 : 0 : case XID_IN_FUTURE:
1313 : 0 : report_corruption(ctx,
1314 : : psprintf("update xid %u equals or exceeds next valid transaction ID %u:%u",
1315 : : xmax,
1316 : 0 : EpochFromFullTransactionId(ctx->next_fxid),
1317 : 0 : XidFromFullTransactionId(ctx->next_fxid)));
1318 : 0 : return true;
1319 : 0 : case XID_PRECEDES_RELMIN:
1320 : 0 : report_corruption(ctx,
1321 : : psprintf("update xid %u precedes relation freeze threshold %u:%u",
1322 : : xmax,
1323 : 0 : EpochFromFullTransactionId(ctx->relfrozenfxid),
1324 : 0 : XidFromFullTransactionId(ctx->relfrozenfxid)));
1325 : 0 : return true;
1326 : 0 : case XID_PRECEDES_CLUSTERMIN:
1327 : 0 : report_corruption(ctx,
1328 : : psprintf("update xid %u precedes oldest valid transaction ID %u:%u",
1329 : : xmax,
1330 : 0 : EpochFromFullTransactionId(ctx->oldest_fxid),
1331 : 0 : XidFromFullTransactionId(ctx->oldest_fxid)));
1332 : 0 : return true;
1109 rhaas@postgresql.org 1333 :CBC 28 : case XID_BOUNDS_OK:
1334 : 28 : break;
1335 : : }
1336 : :
1337 [ - + - - ]: 28 : switch (xmax_status)
1338 : : {
1109 rhaas@postgresql.org 1339 :UBC 0 : case XID_IS_CURRENT_XID:
1340 : : case XID_IN_PROGRESS:
1341 : :
1342 : : /*
1343 : : * The delete is in progress, so it cannot be visible to our
1344 : : * snapshot.
1345 : : */
1346 : 0 : ctx->tuple_could_be_pruned = false;
1347 : 0 : break;
1109 rhaas@postgresql.org 1348 :CBC 28 : case XID_COMMITTED:
1349 : :
1350 : : /*
1351 : : * The delete committed. Whether the toast can be vacuumed
1352 : : * away depends on how old the deleting transaction is.
1353 : : */
1354 : 28 : ctx->tuple_could_be_pruned = TransactionIdPrecedes(xmax,
1355 : : ctx->safe_xmin);
1356 : 28 : break;
1109 rhaas@postgresql.org 1357 :UBC 0 : case XID_ABORTED:
1358 : :
1359 : : /*
1360 : : * The delete aborted or crashed. The tuple is still live.
1361 : : */
1362 : 0 : ctx->tuple_could_be_pruned = false;
1363 : 0 : break;
1364 : : }
1365 : :
1366 : : /* Tuple itself is checkable even if it's dead. */
1109 rhaas@postgresql.org 1367 :CBC 28 : return true;
1368 : : }
1369 : :
1370 : : /* xmax is an XID, not a MXID. Sanity check it. */
1371 : 170 : xmax = HeapTupleHeaderGetRawXmax(tuphdr);
1372 [ + - - + : 170 : switch (get_xid_status(xmax, ctx, &xmax_status))
+ - ]
1373 : : {
388 rhaas@postgresql.org 1374 :GBC 1 : case XID_INVALID:
1375 : 1 : ctx->tuple_could_be_pruned = false;
1376 : 1 : return true;
1109 rhaas@postgresql.org 1377 :UBC 0 : case XID_IN_FUTURE:
1378 : 0 : report_corruption(ctx,
1379 : : psprintf("xmax %u equals or exceeds next valid transaction ID %u:%u",
1380 : : xmax,
1381 : 0 : EpochFromFullTransactionId(ctx->next_fxid),
1382 : 0 : XidFromFullTransactionId(ctx->next_fxid)));
1383 : 0 : return false; /* corrupt */
1384 : 0 : case XID_PRECEDES_RELMIN:
1385 : 0 : report_corruption(ctx,
1386 : : psprintf("xmax %u precedes relation freeze threshold %u:%u",
1387 : : xmax,
1388 : 0 : EpochFromFullTransactionId(ctx->relfrozenfxid),
1389 : 0 : XidFromFullTransactionId(ctx->relfrozenfxid)));
1390 : 0 : return false; /* corrupt */
1109 rhaas@postgresql.org 1391 :GBC 1 : case XID_PRECEDES_CLUSTERMIN:
1392 : 1 : report_corruption(ctx,
1393 : : psprintf("xmax %u precedes oldest valid transaction ID %u:%u",
1394 : : xmax,
1395 : 1 : EpochFromFullTransactionId(ctx->oldest_fxid),
1396 : 1 : XidFromFullTransactionId(ctx->oldest_fxid)));
1397 : 1 : return false; /* corrupt */
1109 rhaas@postgresql.org 1398 :CBC 168 : case XID_BOUNDS_OK:
1399 : 168 : break;
1400 : : }
1401 : :
1402 : : /*
1403 : : * Whether the toast can be vacuumed away depends on how old the deleting
1404 : : * transaction is.
1405 : : */
1406 [ - + + - ]: 168 : switch (xmax_status)
1407 : : {
1109 rhaas@postgresql.org 1408 :UBC 0 : case XID_IS_CURRENT_XID:
1409 : : case XID_IN_PROGRESS:
1410 : :
1411 : : /*
1412 : : * The delete is in progress, so it cannot be visible to our
1413 : : * snapshot.
1414 : : */
1415 : 0 : ctx->tuple_could_be_pruned = false;
1416 : 0 : break;
1417 : :
1109 rhaas@postgresql.org 1418 :CBC 165 : case XID_COMMITTED:
1419 : :
1420 : : /*
1421 : : * The delete committed. Whether the toast can be vacuumed away
1422 : : * depends on how old the deleting transaction is.
1423 : : */
1424 : 165 : ctx->tuple_could_be_pruned = TransactionIdPrecedes(xmax,
1425 : : ctx->safe_xmin);
1426 : 165 : break;
1427 : :
1428 : 3 : case XID_ABORTED:
1429 : :
1430 : : /*
1431 : : * The delete aborted or crashed. The tuple is still live.
1432 : : */
1433 : 3 : ctx->tuple_could_be_pruned = false;
1434 : 3 : break;
1435 : : }
1436 : :
1437 : : /* Tuple itself is checkable even if it's dead. */
1438 : 168 : return true;
1439 : : }
1440 : :
1441 : :
1442 : : /*
1443 : : * Check the current toast tuple against the state tracked in ctx, recording
1444 : : * any corruption found in ctx->tupstore.
1445 : : *
1446 : : * This is not equivalent to running verify_heapam on the toast table itself,
1447 : : * and is not hardened against corruption of the toast table. Rather, when
1448 : : * validating a toasted attribute in the main table, the sequence of toast
1449 : : * tuples that store the toasted value are retrieved and checked in order, with
1450 : : * each toast tuple being checked against where we are in the sequence, as well
1451 : : * as each toast tuple having its varlena structure sanity checked.
1452 : : *
1453 : : * On entry, *expected_chunk_seq should be the chunk_seq value that we expect
1454 : : * to find in toasttup. On exit, it will be updated to the value the next call
1455 : : * to this function should expect to see.
1456 : : */
1457 : : static void
1103 1458 : 41569 : check_toast_tuple(HeapTuple toasttup, HeapCheckContext *ctx,
1459 : : ToastedAttribute *ta, int32 *expected_chunk_seq,
1460 : : uint32 extsize)
1461 : : {
1462 : : int32 chunk_seq;
1077 1463 : 41569 : int32 last_chunk_seq = (extsize - 1) / TOAST_MAX_CHUNK_SIZE;
1464 : : Pointer chunk;
1465 : : bool isnull;
1466 : : int32 chunksize;
1467 : : int32 expected_size;
1468 : :
1469 : : /* Sanity-check the sequence number. */
1470 : 41569 : chunk_seq = DatumGetInt32(fastgetattr(toasttup, 2,
1471 : 41569 : ctx->toast_rel->rd_att, &isnull));
1270 1472 [ - + ]: 41569 : if (isnull)
1473 : : {
1103 rhaas@postgresql.org 1474 :UBC 0 : report_toast_corruption(ctx, ta,
1475 : : psprintf("toast value %u has toast chunk with null sequence number",
1476 : : ta->toast_pointer.va_valueid));
1270 1477 : 0 : return;
1478 : : }
1077 rhaas@postgresql.org 1479 [ - + ]:CBC 41569 : if (chunk_seq != *expected_chunk_seq)
1480 : : {
1481 : : /* Either the TOAST index is corrupt, or we don't have all chunks. */
1077 rhaas@postgresql.org 1482 :UBC 0 : report_toast_corruption(ctx, ta,
1483 : : psprintf("toast value %u index scan returned chunk %d when expecting chunk %d",
1484 : : ta->toast_pointer.va_valueid,
1485 : : chunk_seq, *expected_chunk_seq));
1486 : : }
1077 rhaas@postgresql.org 1487 :CBC 41569 : *expected_chunk_seq = chunk_seq + 1;
1488 : :
1489 : : /* Sanity-check the chunk data. */
1270 1490 : 41569 : chunk = DatumGetPointer(fastgetattr(toasttup, 3,
1491 : 41569 : ctx->toast_rel->rd_att, &isnull));
1492 [ - + ]: 41569 : if (isnull)
1493 : : {
1103 rhaas@postgresql.org 1494 :UBC 0 : report_toast_corruption(ctx, ta,
1495 : : psprintf("toast value %u chunk %d has null data",
1496 : : ta->toast_pointer.va_valueid,
1497 : : chunk_seq));
1270 1498 : 0 : return;
1499 : : }
1270 rhaas@postgresql.org 1500 [ + - ]:CBC 41569 : if (!VARATT_IS_EXTENDED(chunk))
1501 : 41569 : chunksize = VARSIZE(chunk) - VARHDRSZ;
1270 rhaas@postgresql.org 1502 [ # # ]:UBC 0 : else if (VARATT_IS_SHORT(chunk))
1503 : : {
1504 : : /*
1505 : : * could happen due to heap_form_tuple doing its thing
1506 : : */
1507 : 0 : chunksize = VARSIZE_SHORT(chunk) - VARHDRSZ_SHORT;
1508 : : }
1509 : : else
1510 : : {
1511 : : /* should never happen */
1512 : 0 : uint32 header = ((varattrib_4b *) chunk)->va_4byte.va_header;
1513 : :
1103 1514 : 0 : report_toast_corruption(ctx, ta,
1515 : : psprintf("toast value %u chunk %d has invalid varlena header %0x",
1516 : : ta->toast_pointer.va_valueid,
1517 : : chunk_seq, header));
1270 1518 : 0 : return;
1519 : : }
1520 : :
1521 : : /*
1522 : : * Some checks on the data we've found
1523 : : */
1077 rhaas@postgresql.org 1524 [ - + ]:CBC 41569 : if (chunk_seq > last_chunk_seq)
1525 : : {
1103 rhaas@postgresql.org 1526 :UBC 0 : report_toast_corruption(ctx, ta,
1527 : : psprintf("toast value %u chunk %d follows last expected chunk %d",
1528 : : ta->toast_pointer.va_valueid,
1529 : : chunk_seq, last_chunk_seq));
1270 1530 : 0 : return;
1531 : : }
1532 : :
1077 rhaas@postgresql.org 1533 [ + + ]:CBC 41569 : expected_size = chunk_seq < last_chunk_seq ? TOAST_MAX_CHUNK_SIZE
1534 : 11811 : : extsize - (last_chunk_seq * TOAST_MAX_CHUNK_SIZE);
1535 : :
1270 1536 [ - + ]: 41569 : if (chunksize != expected_size)
1103 rhaas@postgresql.org 1537 :UBC 0 : report_toast_corruption(ctx, ta,
1538 : : psprintf("toast value %u chunk %d has size %u, but expected size %u",
1539 : : ta->toast_pointer.va_valueid,
1540 : : chunk_seq, chunksize, expected_size));
1541 : : }
1542 : :
1543 : : /*
1544 : : * Check the current attribute as tracked in ctx, recording any corruption
1545 : : * found in ctx->tupstore.
1546 : : *
1547 : : * This function follows the logic performed by heap_deform_tuple(), and in the
1548 : : * case of a toasted value, optionally stores the toast pointer so later it can
1549 : : * be checked following the logic of detoast_external_attr(), checking for any
1550 : : * conditions that would result in either of those functions Asserting or
1551 : : * crashing the backend. The checks performed by Asserts present in those two
1552 : : * functions are also performed here and in check_toasted_attribute. In cases
1553 : : * where those two functions are a bit cavalier in their assumptions about data
1554 : : * being correct, we perform additional checks not present in either of those
1555 : : * two functions. Where some condition is checked in both of those functions,
1556 : : * we perform it here twice, as we parallel the logical flow of those two
1557 : : * functions. The presence of duplicate checks seems a reasonable price to pay
1558 : : * for keeping this code tightly coupled with the code it protects.
1559 : : *
1560 : : * Returns true if the tuple attribute is sane enough for processing to
1561 : : * continue on to the next attribute, false otherwise.
1562 : : */
1563 : : static bool
1270 rhaas@postgresql.org 1564 :CBC 7877336 : check_tuple_attribute(HeapCheckContext *ctx)
1565 : : {
1566 : : Datum attdatum;
1567 : : struct varlena *attr;
1568 : : char *tp; /* pointer to the tuple data */
1569 : : uint16 infomask;
1570 : : Form_pg_attribute thisatt;
1571 : : struct varatt_external toast_pointer;
1572 : :
1573 : 7877336 : infomask = ctx->tuphdr->t_infomask;
1574 : 7877336 : thisatt = TupleDescAttr(RelationGetDescr(ctx->rel), ctx->attnum);
1575 : :
1576 : 7877336 : tp = (char *) ctx->tuphdr + ctx->tuphdr->t_hoff;
1577 : :
1578 [ - + ]: 7877336 : if (ctx->tuphdr->t_hoff + ctx->offset > ctx->lp_len)
1579 : : {
1270 rhaas@postgresql.org 1580 :UBC 0 : report_corruption(ctx,
1581 : : psprintf("attribute with length %u starts at offset %u beyond total tuple length %u",
1582 : 0 : thisatt->attlen,
1583 : 0 : ctx->tuphdr->t_hoff + ctx->offset,
1584 : 0 : ctx->lp_len));
1585 : 0 : return false;
1586 : : }
1587 : :
1588 : : /* Skip null values */
1270 rhaas@postgresql.org 1589 [ + + + + ]:CBC 7877336 : if (infomask & HEAP_HASNULL && att_isnull(ctx->attnum, ctx->tuphdr->t_bits))
1590 : 1330674 : return true;
1591 : :
1592 : : /* Skip non-varlena values, but update offset first */
1593 [ + + ]: 6546662 : if (thisatt->attlen != -1)
1594 : : {
1595 [ + + + + : 5979135 : ctx->offset = att_align_nominal(ctx->offset, thisatt->attalign);
+ + - + ]
1596 [ + - - - : 5979135 : ctx->offset = att_addlength_pointer(ctx->offset, thisatt->attlen,
- - - - -
- - - - -
- - ]
1597 : : tp + ctx->offset);
1598 [ - + ]: 5979135 : if (ctx->tuphdr->t_hoff + ctx->offset > ctx->lp_len)
1599 : : {
1270 rhaas@postgresql.org 1600 :UBC 0 : report_corruption(ctx,
1601 : : psprintf("attribute with length %u ends at offset %u beyond total tuple length %u",
1602 : 0 : thisatt->attlen,
1603 : 0 : ctx->tuphdr->t_hoff + ctx->offset,
1604 : 0 : ctx->lp_len));
1605 : 0 : return false;
1606 : : }
1270 rhaas@postgresql.org 1607 :CBC 5979135 : return true;
1608 : : }
1609 : :
1610 : : /* Ok, we're looking at a varlena attribute. */
1611 [ + + + + : 567527 : ctx->offset = att_align_pointer(ctx->offset, thisatt->attalign, -1,
- + + - -
- ]
1612 : : tp + ctx->offset);
1613 : :
1614 : : /* Get the (possibly corrupt) varlena datum */
1615 : 567527 : attdatum = fetchatt(thisatt, tp + ctx->offset);
1616 : :
1617 : : /*
1618 : : * We have the datum, but we cannot decode it carelessly, as it may still
1619 : : * be corrupt.
1620 : : */
1621 : :
1622 : : /*
1623 : : * Check that VARTAG_SIZE won't hit an Assert on a corrupt va_tag before
1624 : : * risking a call into att_addlength_pointer
1625 : : */
1626 [ + + ]: 567527 : if (VARATT_IS_EXTERNAL(tp + ctx->offset))
1627 : : {
1628 : 26252 : uint8 va_tag = VARTAG_EXTERNAL(tp + ctx->offset);
1629 : :
1630 [ - + ]: 26252 : if (va_tag != VARTAG_ONDISK)
1631 : : {
1270 rhaas@postgresql.org 1632 :UBC 0 : report_corruption(ctx,
1633 : : psprintf("toasted attribute has unexpected TOAST tag %u",
1634 : : va_tag));
1635 : : /* We can't know where the next attribute begins */
1636 : 0 : return false;
1637 : : }
1638 : : }
1639 : :
1640 : : /* Ok, should be safe now */
1270 rhaas@postgresql.org 1641 [ - + + - :CBC 567527 : ctx->offset = att_addlength_pointer(ctx->offset, thisatt->attlen,
+ + + - +
- - + + +
- - ]
1642 : : tp + ctx->offset);
1643 : :
1644 [ + + ]: 567527 : if (ctx->tuphdr->t_hoff + ctx->offset > ctx->lp_len)
1645 : : {
1270 rhaas@postgresql.org 1646 :GBC 1 : report_corruption(ctx,
1647 : : psprintf("attribute with length %u ends at offset %u beyond total tuple length %u",
1648 : 1 : thisatt->attlen,
1649 : 1 : ctx->tuphdr->t_hoff + ctx->offset,
1650 : 1 : ctx->lp_len));
1651 : :
1652 : 1 : return false;
1653 : : }
1654 : :
1655 : : /*
1656 : : * heap_deform_tuple would be done with this attribute at this point,
1657 : : * having stored it in values[], and would continue to the next attribute.
1658 : : * We go further, because we need to check if the toast datum is corrupt.
1659 : : */
1660 : :
1270 rhaas@postgresql.org 1661 :CBC 567526 : attr = (struct varlena *) DatumGetPointer(attdatum);
1662 : :
1663 : : /*
1664 : : * Now we follow the logic of detoast_external_attr(), with the same
1665 : : * caveats about being paranoid about corruption.
1666 : : */
1667 : :
1668 : : /* Skip values that are not external */
1669 [ + + ]: 567526 : if (!VARATT_IS_EXTERNAL(attr))
1670 : 541274 : return true;
1671 : :
1672 : : /* It is external, and we're looking at a page on disk */
1673 : :
1674 : : /*
1675 : : * Must copy attr into toast_pointer for alignment considerations
1676 : : */
1096 1677 [ - + + - : 26252 : VARATT_EXTERNAL_GET_POINTER(toast_pointer, attr);
+ - - + -
+ ]
1678 : :
1679 : : /* Toasted attributes too large to be untoasted should never be stored */
891 1680 [ - + ]: 26252 : if (toast_pointer.va_rawsize > VARLENA_SIZE_LIMIT)
891 rhaas@postgresql.org 1681 :UBC 0 : report_corruption(ctx,
1682 : : psprintf("toast value %u rawsize %d exceeds limit %d",
1683 : : toast_pointer.va_valueid,
1684 : : toast_pointer.va_rawsize,
1685 : : VARLENA_SIZE_LIMIT));
1686 : :
662 rhaas@postgresql.org 1687 [ + + ]:CBC 26252 : if (VARATT_EXTERNAL_IS_COMPRESSED(toast_pointer))
1688 : : {
1689 : : ToastCompressionId cmid;
891 1690 : 2024 : bool valid = false;
1691 : :
1692 : : /* Compressed attributes should have a valid compression method */
1693 : 2024 : cmid = TOAST_COMPRESS_METHOD(&toast_pointer);
1694 [ + - - ]: 2024 : switch (cmid)
1695 : : {
1696 : : /* List of all valid compression method IDs */
1697 : 2024 : case TOAST_PGLZ_COMPRESSION_ID:
1698 : : case TOAST_LZ4_COMPRESSION_ID:
1699 : 2024 : valid = true;
1700 : 2024 : break;
1701 : :
1702 : : /* Recognized but invalid compression method ID */
891 rhaas@postgresql.org 1703 :UBC 0 : case TOAST_INVALID_COMPRESSION_ID:
1704 : 0 : break;
1705 : :
1706 : : /* Intentionally no default here */
1707 : : }
891 rhaas@postgresql.org 1708 [ - + ]:CBC 2024 : if (!valid)
891 rhaas@postgresql.org 1709 :UBC 0 : report_corruption(ctx,
1710 : : psprintf("toast value %u has invalid compression method id %d",
1711 : : toast_pointer.va_valueid, cmid));
1712 : : }
1713 : :
1714 : : /* The tuple header better claim to contain toasted values */
1270 rhaas@postgresql.org 1715 [ - + ]:CBC 26252 : if (!(infomask & HEAP_HASEXTERNAL))
1716 : : {
1270 rhaas@postgresql.org 1717 :UBC 0 : report_corruption(ctx,
1718 : : psprintf("toast value %u is external but tuple header flag HEAP_HASEXTERNAL not set",
1719 : : toast_pointer.va_valueid));
1720 : 0 : return true;
1721 : : }
1722 : :
1723 : : /* The relation better have a toast table */
1270 rhaas@postgresql.org 1724 [ - + ]:CBC 26252 : if (!ctx->rel->rd_rel->reltoastrelid)
1725 : : {
1270 rhaas@postgresql.org 1726 :UBC 0 : report_corruption(ctx,
1727 : : psprintf("toast value %u is external but relation has no toast relation",
1728 : : toast_pointer.va_valueid));
1729 : 0 : return true;
1730 : : }
1731 : :
1732 : : /* If we were told to skip toast checking, then we're done. */
1270 rhaas@postgresql.org 1733 [ + + ]:CBC 26252 : if (ctx->toast_rel == NULL)
1734 : 14429 : return true;
1735 : :
1736 : : /*
1737 : : * If this tuple is eligible to be pruned, we cannot check the toast.
1738 : : * Otherwise, we push a copy of the toast tuple so we can check it after
1739 : : * releasing the main table buffer lock.
1740 : : */
1103 1741 [ + + ]: 11823 : if (!ctx->tuple_could_be_pruned)
1742 : : {
1743 : : ToastedAttribute *ta;
1744 : :
1745 : 11821 : ta = (ToastedAttribute *) palloc0(sizeof(ToastedAttribute));
1746 : :
1747 [ - + + - : 11821 : VARATT_EXTERNAL_GET_POINTER(ta->toast_pointer, attr);
+ - - + -
+ ]
1748 : 11821 : ta->blkno = ctx->blkno;
1749 : 11821 : ta->offnum = ctx->offnum;
1750 : 11821 : ta->attnum = ctx->attnum;
1751 : 11821 : ctx->toasted_attributes = lappend(ctx->toasted_attributes, ta);
1752 : : }
1753 : :
1754 : 11823 : return true;
1755 : : }
1756 : :
1757 : : /*
1758 : : * For each attribute collected in ctx->toasted_attributes, look up the value
1759 : : * in the toast table and perform checks on it. This function should only be
1760 : : * called on toast pointers which cannot be vacuumed away during our
1761 : : * processing.
1762 : : */
1763 : : static void
1764 : 11815 : check_toasted_attribute(HeapCheckContext *ctx, ToastedAttribute *ta)
1765 : : {
1766 : : SnapshotData SnapshotToast;
1767 : : ScanKeyData toastkey;
1768 : : SysScanDesc toastscan;
1769 : : bool found_toasttup;
1770 : : HeapTuple toasttup;
1771 : : uint32 extsize;
1077 1772 : 11815 : int32 expected_chunk_seq = 0;
1773 : : int32 last_chunk_seq;
1774 : :
1775 : 11815 : extsize = VARATT_EXTERNAL_GET_EXTSIZE(ta->toast_pointer);
1776 : 11815 : last_chunk_seq = (extsize - 1) / TOAST_MAX_CHUNK_SIZE;
1777 : :
1778 : : /*
1779 : : * Setup a scan key to find chunks in toast table with matching va_valueid
1780 : : */
1270 1781 : 11815 : ScanKeyInit(&toastkey,
1782 : : (AttrNumber) 1,
1783 : : BTEqualStrategyNumber, F_OIDEQ,
1784 : : ObjectIdGetDatum(ta->toast_pointer.va_valueid));
1785 : :
1786 : : /*
1787 : : * Check if any chunks for this toasted object exist in the toast table,
1788 : : * accessible via the index.
1789 : : */
1790 : 11815 : init_toast_snapshot(&SnapshotToast);
1791 : 11815 : toastscan = systable_beginscan_ordered(ctx->toast_rel,
1792 : : ctx->valid_toast_index,
1793 : : &SnapshotToast, 1,
1794 : : &toastkey);
1795 : 11815 : found_toasttup = false;
1796 : 11815 : while ((toasttup =
1797 : 53384 : systable_getnext_ordered(toastscan,
1798 [ + + ]: 53381 : ForwardScanDirection)) != NULL)
1799 : : {
1800 : 41569 : found_toasttup = true;
1077 1801 : 41569 : check_toast_tuple(toasttup, ctx, ta, &expected_chunk_seq, extsize);
1802 : : }
1270 1803 : 11812 : systable_endscan_ordered(toastscan);
1804 : :
1103 1805 [ + + ]: 11812 : if (!found_toasttup)
1103 rhaas@postgresql.org 1806 :GBC 1 : report_toast_corruption(ctx, ta,
1807 : : psprintf("toast value %u not found in toast table",
1808 : : ta->toast_pointer.va_valueid));
1077 rhaas@postgresql.org 1809 [ - + ]:CBC 11811 : else if (expected_chunk_seq <= last_chunk_seq)
1103 rhaas@postgresql.org 1810 :UBC 0 : report_toast_corruption(ctx, ta,
1811 : : psprintf("toast value %u was expected to end at chunk %d, but ended while expecting chunk %d",
1812 : : ta->toast_pointer.va_valueid,
1813 : : last_chunk_seq, expected_chunk_seq));
1270 rhaas@postgresql.org 1814 :CBC 11812 : }
1815 : :
1816 : : /*
1817 : : * Check the current tuple as tracked in ctx, recording any corruption found in
1818 : : * ctx->tupstore.
1819 : : *
1820 : : * We return some information about the status of xmin to aid in validating
1821 : : * update chains.
1822 : : */
1823 : : static void
389 1824 : 548140 : check_tuple(HeapCheckContext *ctx, bool *xmin_commit_status_ok,
1825 : : XidCommitStatus *xmin_commit_status)
1826 : : {
1827 : : /*
1828 : : * Check various forms of tuple header corruption, and if the header is
1829 : : * too corrupt, do not continue with other checks.
1830 : : */
1103 1831 [ + + ]: 548140 : if (!check_tuple_header(ctx))
1270 rhaas@postgresql.org 1832 :GBC 5 : return;
1833 : :
1834 : : /*
1835 : : * Check tuple visibility. If the inserting transaction aborted, we
1836 : : * cannot assume our relation description matches the tuple structure, and
1837 : : * therefore cannot check it.
1838 : : */
389 rhaas@postgresql.org 1839 [ + + ]:CBC 548135 : if (!check_tuple_visibility(ctx, xmin_commit_status_ok,
1840 : : xmin_commit_status))
1270 1841 : 12 : return;
1842 : :
1843 : : /*
1844 : : * The tuple is visible, so it must be compatible with the current version
1845 : : * of the relation descriptor. It might have fewer columns than are
1846 : : * present in the relation descriptor, but it cannot have more.
1847 : : */
1848 [ + + ]: 548123 : if (RelationGetDescr(ctx->rel)->natts < ctx->natts)
1849 : : {
1270 rhaas@postgresql.org 1850 :GBC 2 : report_corruption(ctx,
1851 : : psprintf("number of attributes %u exceeds maximum expected for table %u",
1852 : : ctx->natts,
1853 : 2 : RelationGetDescr(ctx->rel)->natts));
1854 : 2 : return;
1855 : : }
1856 : :
1857 : : /*
1858 : : * Check each attribute unless we hit corruption that confuses what to do
1859 : : * next, at which point we abort further attribute checks for this tuple.
1860 : : * Note that we don't abort for all types of corruption, only for those
1861 : : * types where we don't know how to continue. We also don't abort the
1862 : : * checking of toasted attributes collected from the tuple prior to
1863 : : * aborting. Those will still be checked later along with other toasted
1864 : : * attributes collected from the page.
1865 : : */
1270 rhaas@postgresql.org 1866 :CBC 548121 : ctx->offset = 0;
1867 [ + + ]: 8425456 : for (ctx->attnum = 0; ctx->attnum < ctx->natts; ctx->attnum++)
1868 [ + + ]: 7877336 : if (!check_tuple_attribute(ctx))
1270 rhaas@postgresql.org 1869 :GBC 1 : break; /* cannot continue */
1870 : :
1871 : : /* revert attnum to -1 until we again examine individual attributes */
1269 tgl@sss.pgh.pa.us 1872 :CBC 548121 : ctx->attnum = -1;
1873 : : }
1874 : :
1875 : : /*
1876 : : * Convert a TransactionId into a FullTransactionId using our cached values of
1877 : : * the valid transaction ID range. It is the caller's responsibility to have
1878 : : * already updated the cached values, if necessary.
1879 : : */
1880 : : static FullTransactionId
1270 rhaas@postgresql.org 1881 : 73763 : FullTransactionIdFromXidAndCtx(TransactionId xid, const HeapCheckContext *ctx)
1882 : : {
1883 : : uint64 nextfxid_i;
1884 : : int32 diff;
1885 : : FullTransactionId fxid;
1886 : :
400 andres@anarazel.de 1887 [ - + ]: 73763 : Assert(TransactionIdIsNormal(ctx->next_xid));
1888 [ - + ]: 73763 : Assert(FullTransactionIdIsNormal(ctx->next_fxid));
1889 [ - + ]: 73763 : Assert(XidFromFullTransactionId(ctx->next_fxid) == ctx->next_xid);
1890 : :
1270 rhaas@postgresql.org 1891 [ + + ]: 73763 : if (!TransactionIdIsNormal(xid))
1892 : 191 : return FullTransactionIdFromEpochAndXid(0, xid);
1893 : :
400 andres@anarazel.de 1894 : 73572 : nextfxid_i = U64FromFullTransactionId(ctx->next_fxid);
1895 : :
1896 : : /* compute the 32bit modulo difference */
1897 : 73572 : diff = (int32) (ctx->next_xid - xid);
1898 : :
1899 : : /*
1900 : : * In cases of corruption we might see a 32bit xid that is before epoch 0.
1901 : : * We can't represent that as a 64bit xid, due to 64bit xids being
1902 : : * unsigned integers, without the modulo arithmetic of 32bit xid. There's
1903 : : * no really nice way to deal with that, but it works ok enough to use
1904 : : * FirstNormalFullTransactionId in that case, as a freshly initdb'd
1905 : : * cluster already has a newer horizon.
1906 : : */
1907 [ + + + + ]: 73572 : if (diff > 0 && (nextfxid_i - FirstNormalTransactionId) < (int64) diff)
1908 : : {
400 andres@anarazel.de 1909 [ - + ]:GBC 4 : Assert(EpochFromFullTransactionId(ctx->next_fxid) == 0);
1910 : 4 : fxid = FirstNormalFullTransactionId;
1911 : : }
1912 : : else
400 andres@anarazel.de 1913 :CBC 73568 : fxid = FullTransactionIdFromU64(nextfxid_i - diff);
1914 : :
1915 [ - + ]: 73572 : Assert(FullTransactionIdIsNormal(fxid));
1916 : 73572 : return fxid;
1917 : : }
1918 : :
1919 : : /*
1920 : : * Update our cached range of valid transaction IDs.
1921 : : */
1922 : : static void
1270 rhaas@postgresql.org 1923 : 1479 : update_cached_xid_range(HeapCheckContext *ctx)
1924 : : {
1925 : : /* Make cached copies */
1926 : 1479 : LWLockAcquire(XidGenLock, LW_SHARED);
128 heikki.linnakangas@i 1927 :GNC 1479 : ctx->next_fxid = TransamVariables->nextXid;
1928 : 1479 : ctx->oldest_xid = TransamVariables->oldestXid;
1270 rhaas@postgresql.org 1929 :CBC 1479 : LWLockRelease(XidGenLock);
1930 : :
1931 : : /* And compute alternate versions of the same */
1932 : 1479 : ctx->next_xid = XidFromFullTransactionId(ctx->next_fxid);
400 andres@anarazel.de 1933 : 1479 : ctx->oldest_fxid = FullTransactionIdFromXidAndCtx(ctx->oldest_xid, ctx);
1270 rhaas@postgresql.org 1934 : 1479 : }
1935 : :
1936 : : /*
1937 : : * Update our cached range of valid multitransaction IDs.
1938 : : */
1939 : : static void
1940 : 1477 : update_cached_mxid_range(HeapCheckContext *ctx)
1941 : : {
1942 : 1477 : ReadMultiXactIdRange(&ctx->oldest_mxact, &ctx->next_mxact);
1943 : 1477 : }
1944 : :
1945 : : /*
1946 : : * Return whether the given FullTransactionId is within our cached valid
1947 : : * transaction ID range.
1948 : : */
1949 : : static inline bool
1950 : 61426 : fxid_in_cached_range(FullTransactionId fxid, const HeapCheckContext *ctx)
1951 : : {
1952 [ + + ]: 122849 : return (FullTransactionIdPrecedesOrEquals(ctx->oldest_fxid, fxid) &&
1953 [ + + ]: 61423 : FullTransactionIdPrecedes(fxid, ctx->next_fxid));
1954 : : }
1955 : :
1956 : : /*
1957 : : * Checks whether a multitransaction ID is in the cached valid range, returning
1958 : : * the nature of the range violation, if any.
1959 : : */
1960 : : static XidBoundsViolation
1961 : 60 : check_mxid_in_range(MultiXactId mxid, HeapCheckContext *ctx)
1962 : : {
1963 [ - + ]: 60 : if (!TransactionIdIsValid(mxid))
1270 rhaas@postgresql.org 1964 :UBC 0 : return XID_INVALID;
1270 rhaas@postgresql.org 1965 [ + + ]:CBC 60 : if (MultiXactIdPrecedes(mxid, ctx->relminmxid))
1270 rhaas@postgresql.org 1966 :GBC 2 : return XID_PRECEDES_RELMIN;
1270 rhaas@postgresql.org 1967 [ - + ]:CBC 58 : if (MultiXactIdPrecedes(mxid, ctx->oldest_mxact))
1270 rhaas@postgresql.org 1968 :UBC 0 : return XID_PRECEDES_CLUSTERMIN;
1270 rhaas@postgresql.org 1969 [ + + ]:CBC 58 : if (MultiXactIdPrecedesOrEquals(ctx->next_mxact, mxid))
1270 rhaas@postgresql.org 1970 :GBC 2 : return XID_IN_FUTURE;
1270 rhaas@postgresql.org 1971 :CBC 56 : return XID_BOUNDS_OK;
1972 : : }
1973 : :
1974 : : /*
1975 : : * Checks whether the given mxid is valid to appear in the heap being checked,
1976 : : * returning the nature of the range violation, if any.
1977 : : *
1978 : : * This function attempts to return quickly by caching the known valid mxid
1979 : : * range in ctx. Callers should already have performed the initial setup of
1980 : : * the cache prior to the first call to this function.
1981 : : */
1982 : : static XidBoundsViolation
1983 : 58 : check_mxid_valid_in_rel(MultiXactId mxid, HeapCheckContext *ctx)
1984 : : {
1985 : : XidBoundsViolation result;
1986 : :
1987 : 58 : result = check_mxid_in_range(mxid, ctx);
1988 [ + + ]: 58 : if (result == XID_BOUNDS_OK)
1989 : 56 : return XID_BOUNDS_OK;
1990 : :
1991 : : /* The range may have advanced. Recheck. */
1270 rhaas@postgresql.org 1992 :GBC 2 : update_cached_mxid_range(ctx);
1993 : 2 : return check_mxid_in_range(mxid, ctx);
1994 : : }
1995 : :
1996 : : /*
1997 : : * Checks whether the given transaction ID is (or was recently) valid to appear
1998 : : * in the heap being checked, or whether it is too old or too new to appear in
1999 : : * the relation, returning information about the nature of the bounds violation.
2000 : : *
2001 : : * We cache the range of valid transaction IDs. If xid is in that range, we
2002 : : * conclude that it is valid, even though concurrent changes to the table might
2003 : : * invalidate it under certain corrupt conditions. (For example, if the table
2004 : : * contains corrupt all-frozen bits, a concurrent vacuum might skip the page(s)
2005 : : * containing the xid and then truncate clog and advance the relfrozenxid
2006 : : * beyond xid.) Reporting the xid as valid under such conditions seems
2007 : : * acceptable, since if we had checked it earlier in our scan it would have
2008 : : * truly been valid at that time.
2009 : : *
2010 : : * If the status argument is not NULL, and if and only if the transaction ID
2011 : : * appears to be valid in this relation, the status argument will be set with
2012 : : * the commit status of the transaction ID.
2013 : : */
2014 : : static XidBoundsViolation
1270 rhaas@postgresql.org 2015 :CBC 548333 : get_xid_status(TransactionId xid, HeapCheckContext *ctx,
2016 : : XidCommitStatus *status)
2017 : : {
2018 : : FullTransactionId fxid;
2019 : : FullTransactionId clog_horizon;
2020 : :
2021 : : /* Quick check for special xids */
2022 [ + + ]: 548333 : if (!TransactionIdIsValid(xid))
1270 rhaas@postgresql.org 2023 :GBC 1 : return XID_INVALID;
1270 rhaas@postgresql.org 2024 [ + + + + ]:CBC 548332 : else if (xid == BootstrapTransactionId || xid == FrozenTransactionId)
2025 : : {
2026 [ + - ]: 486906 : if (status != NULL)
2027 : 486906 : *status = XID_COMMITTED;
2028 : 486906 : return XID_BOUNDS_OK;
2029 : : }
2030 : :
2031 : : /* Check if the xid is within bounds */
2032 : 61426 : fxid = FullTransactionIdFromXidAndCtx(xid, ctx);
2033 [ + + ]: 61426 : if (!fxid_in_cached_range(fxid, ctx))
2034 : : {
2035 : : /*
2036 : : * We may have been checking against stale values. Update the cached
2037 : : * range to be sure, and since we relied on the cached range when we
2038 : : * performed the full xid conversion, reconvert.
2039 : : */
1270 rhaas@postgresql.org 2040 :GBC 4 : update_cached_xid_range(ctx);
2041 : 4 : fxid = FullTransactionIdFromXidAndCtx(xid, ctx);
2042 : : }
2043 : :
1270 rhaas@postgresql.org 2044 [ + + ]:CBC 61426 : if (FullTransactionIdPrecedesOrEquals(ctx->next_fxid, fxid))
1270 rhaas@postgresql.org 2045 :GBC 1 : return XID_IN_FUTURE;
1270 rhaas@postgresql.org 2046 [ + + ]:CBC 61425 : if (FullTransactionIdPrecedes(fxid, ctx->oldest_fxid))
1270 rhaas@postgresql.org 2047 :GBC 3 : return XID_PRECEDES_CLUSTERMIN;
1270 rhaas@postgresql.org 2048 [ + + ]:CBC 61422 : if (FullTransactionIdPrecedes(fxid, ctx->relfrozenfxid))
1270 rhaas@postgresql.org 2049 :GBC 1 : return XID_PRECEDES_RELMIN;
2050 : :
2051 : : /* Early return if the caller does not request clog checking */
1270 rhaas@postgresql.org 2052 [ - + ]:CBC 61421 : if (status == NULL)
1270 rhaas@postgresql.org 2053 :UBC 0 : return XID_BOUNDS_OK;
2054 : :
2055 : : /* Early return if we just checked this xid in a prior call */
1270 rhaas@postgresql.org 2056 [ + + ]:CBC 61421 : if (xid == ctx->cached_xid)
2057 : : {
2058 : 52042 : *status = ctx->cached_status;
2059 : 52042 : return XID_BOUNDS_OK;
2060 : : }
2061 : :
2062 : 9379 : *status = XID_COMMITTED;
2063 : 9379 : LWLockAcquire(XactTruncationLock, LW_SHARED);
2064 : : clog_horizon =
128 heikki.linnakangas@i 2065 :GNC 9379 : FullTransactionIdFromXidAndCtx(TransamVariables->oldestClogXid,
2066 : : ctx);
1270 rhaas@postgresql.org 2067 [ + - ]:CBC 9379 : if (FullTransactionIdPrecedesOrEquals(clog_horizon, fxid))
2068 : : {
2069 [ - + ]: 9379 : if (TransactionIdIsCurrentTransactionId(xid))
1109 rhaas@postgresql.org 2070 :UBC 0 : *status = XID_IS_CURRENT_XID;
1109 rhaas@postgresql.org 2071 [ + + ]:CBC 9379 : else if (TransactionIdIsInProgress(xid))
1270 rhaas@postgresql.org 2072 :GBC 2 : *status = XID_IN_PROGRESS;
1270 rhaas@postgresql.org 2073 [ + + ]:CBC 9377 : else if (TransactionIdDidCommit(xid))
2074 : 9370 : *status = XID_COMMITTED;
2075 : : else
1109 2076 : 7 : *status = XID_ABORTED;
2077 : : }
1270 2078 : 9379 : LWLockRelease(XactTruncationLock);
2079 : 9379 : ctx->cached_xid = xid;
2080 : 9379 : ctx->cached_status = *status;
2081 : 9379 : return XID_BOUNDS_OK;
2082 : : }
|
