LCOV - code coverage report
Current view: top level - contrib/amcheck - verify_heapam.c (source / functions) Coverage Total Hit
Test: PostgreSQL 20devel Lines: 75.9 % 702 533
Test Date: 2026-07-07 10:15:45 Functions: 100.0 % 19 19
Legend: Lines:     hit not hit
Branches: + taken - not taken # not executed
Branches: 71.7 % 421 302

             Branch data     Line data    Source code
       1                 :             : /*-------------------------------------------------------------------------
       2                 :             :  *
       3                 :             :  * verify_heapam.c
       4                 :             :  *    Functions to check postgresql heap relations for corruption
       5                 :             :  *
       6                 :             :  * Copyright (c) 2016-2026, PostgreSQL Global Development Group
       7                 :             :  *
       8                 :             :  *    contrib/amcheck/verify_heapam.c
       9                 :             :  *-------------------------------------------------------------------------
      10                 :             :  */
      11                 :             : #include "postgres.h"
      12                 :             : 
      13                 :             : #include "access/detoast.h"
      14                 :             : #include "access/genam.h"
      15                 :             : #include "access/heaptoast.h"
      16                 :             : #include "access/multixact.h"
      17                 :             : #include "access/relation.h"
      18                 :             : #include "access/table.h"
      19                 :             : #include "access/toast_internals.h"
      20                 :             : #include "access/visibilitymap.h"
      21                 :             : #include "access/xact.h"
      22                 :             : #include "catalog/pg_am.h"
      23                 :             : #include "catalog/pg_class.h"
      24                 :             : #include "funcapi.h"
      25                 :             : #include "miscadmin.h"
      26                 :             : #include "storage/bufmgr.h"
      27                 :             : #include "storage/lwlock.h"
      28                 :             : #include "storage/procarray.h"
      29                 :             : #include "storage/read_stream.h"
      30                 :             : #include "utils/builtins.h"
      31                 :             : #include "utils/fmgroids.h"
      32                 :             : #include "utils/rel.h"
      33                 :             : #include "utils/tuplestore.h"
      34                 :             : 
      35                 :         302 : PG_FUNCTION_INFO_V1(verify_heapam);
      36                 :             : 
      37                 :             : /* The number of columns in tuples returned by verify_heapam */
      38                 :             : #define HEAPCHECK_RELATION_COLS 4
      39                 :             : 
      40                 :             : /* The largest valid toast va_rawsize */
      41                 :             : #define VARLENA_SIZE_LIMIT 0x3FFFFFFF
      42                 :             : 
      43                 :             : /*
      44                 :             :  * Despite the name, we use this for reporting problems with both XIDs and
      45                 :             :  * MXIDs.
      46                 :             :  */
      47                 :             : typedef enum XidBoundsViolation
      48                 :             : {
      49                 :             :     XID_INVALID,
      50                 :             :     XID_IN_FUTURE,
      51                 :             :     XID_PRECEDES_CLUSTERMIN,
      52                 :             :     XID_PRECEDES_RELMIN,
      53                 :             :     XID_BOUNDS_OK,
      54                 :             : } XidBoundsViolation;
      55                 :             : 
      56                 :             : typedef enum XidCommitStatus
      57                 :             : {
      58                 :             :     XID_COMMITTED,
      59                 :             :     XID_IS_CURRENT_XID,
      60                 :             :     XID_IN_PROGRESS,
      61                 :             :     XID_ABORTED,
      62                 :             : } XidCommitStatus;
      63                 :             : 
      64                 :             : typedef enum SkipPages
      65                 :             : {
      66                 :             :     SKIP_PAGES_ALL_FROZEN,
      67                 :             :     SKIP_PAGES_ALL_VISIBLE,
      68                 :             :     SKIP_PAGES_NONE,
      69                 :             : } SkipPages;
      70                 :             : 
      71                 :             : /*
      72                 :             :  * Struct holding information about a toasted attribute sufficient to both
      73                 :             :  * check the toasted attribute and, if found to be corrupt, to report where it
      74                 :             :  * was encountered in the main table.
      75                 :             :  */
      76                 :             : typedef struct ToastedAttribute
      77                 :             : {
      78                 :             :     varatt_external toast_pointer;
      79                 :             :     BlockNumber blkno;          /* block in main table */
      80                 :             :     OffsetNumber offnum;        /* offset in main table */
      81                 :             :     AttrNumber  attnum;         /* attribute in main table */
      82                 :             : } ToastedAttribute;
      83                 :             : 
      84                 :             : /*
      85                 :             :  * Struct holding the running context information during
      86                 :             :  * a lifetime of a verify_heapam execution.
      87                 :             :  */
      88                 :             : typedef struct HeapCheckContext
      89                 :             : {
      90                 :             :     /*
      91                 :             :      * Cached copies of values from TransamVariables and computed values from
      92                 :             :      * them.
      93                 :             :      */
      94                 :             :     FullTransactionId next_fxid;    /* TransamVariables->nextXid */
      95                 :             :     TransactionId next_xid;     /* 32-bit version of next_fxid */
      96                 :             :     TransactionId oldest_xid;   /* TransamVariables->oldestXid */
      97                 :             :     FullTransactionId oldest_fxid;  /* 64-bit version of oldest_xid, computed
      98                 :             :                                      * relative to next_fxid */
      99                 :             :     TransactionId safe_xmin;    /* this XID and newer ones can't become
     100                 :             :                                  * all-visible while we're running */
     101                 :             : 
     102                 :             :     /*
     103                 :             :      * Cached copy of value from MultiXactState
     104                 :             :      */
     105                 :             :     MultiXactId next_mxact;     /* MultiXactState->nextMXact */
     106                 :             :     MultiXactId oldest_mxact;   /* MultiXactState->oldestMultiXactId */
     107                 :             : 
     108                 :             :     /*
     109                 :             :      * Cached copies of the most recently checked xid and its status.
     110                 :             :      */
     111                 :             :     TransactionId cached_xid;
     112                 :             :     XidCommitStatus cached_status;
     113                 :             : 
     114                 :             :     /* Values concerning the heap relation being checked */
     115                 :             :     Relation    rel;
     116                 :             :     TransactionId relfrozenxid;
     117                 :             :     FullTransactionId relfrozenfxid;
     118                 :             :     TransactionId relminmxid;
     119                 :             :     Relation    toast_rel;
     120                 :             :     Relation   *toast_indexes;
     121                 :             :     Relation    valid_toast_index;
     122                 :             :     int         num_toast_indexes;
     123                 :             : 
     124                 :             :     /*
     125                 :             :      * Values for iterating over pages in the relation. `blkno` is the most
     126                 :             :      * recent block in the buffer yielded by the read stream API.
     127                 :             :      */
     128                 :             :     BlockNumber blkno;
     129                 :             :     BufferAccessStrategy bstrategy;
     130                 :             :     Buffer      buffer;
     131                 :             :     Page        page;
     132                 :             : 
     133                 :             :     /* Values for iterating over tuples within a page */
     134                 :             :     OffsetNumber offnum;
     135                 :             :     ItemId      itemid;
     136                 :             :     uint16      lp_len;
     137                 :             :     uint16      lp_off;
     138                 :             :     HeapTupleHeader tuphdr;
     139                 :             :     int         natts;
     140                 :             : 
     141                 :             :     /* Values for iterating over attributes within the tuple */
     142                 :             :     uint32      offset;         /* offset in tuple data */
     143                 :             :     AttrNumber  attnum;
     144                 :             : 
     145                 :             :     /* True if tuple's xmax makes it eligible for pruning */
     146                 :             :     bool        tuple_could_be_pruned;
     147                 :             : 
     148                 :             :     /*
     149                 :             :      * List of ToastedAttribute structs for toasted attributes which are not
     150                 :             :      * eligible for pruning and should be checked
     151                 :             :      */
     152                 :             :     List       *toasted_attributes;
     153                 :             : 
     154                 :             :     /* Whether verify_heapam has yet encountered any corrupt tuples */
     155                 :             :     bool        is_corrupt;
     156                 :             : 
     157                 :             :     /* The descriptor and tuplestore for verify_heapam's result tuples */
     158                 :             :     TupleDesc   tupdesc;
     159                 :             :     Tuplestorestate *tupstore;
     160                 :             : } HeapCheckContext;
     161                 :             : 
     162                 :             : /*
     163                 :             :  * The per-relation data provided to the read stream API for heap amcheck to
     164                 :             :  * use in its callback for the SKIP_PAGES_ALL_FROZEN and
     165                 :             :  * SKIP_PAGES_ALL_VISIBLE options.
     166                 :             :  */
     167                 :             : typedef struct HeapCheckReadStreamData
     168                 :             : {
     169                 :             :     /*
     170                 :             :      * `range` is used by all SkipPages options. SKIP_PAGES_NONE uses the
     171                 :             :      * default read stream callback, block_range_read_stream_cb(), which takes
     172                 :             :      * a BlockRangeReadStreamPrivate as its callback_private_data. `range`
     173                 :             :      * keeps track of the current block number across
     174                 :             :      * read_stream_next_buffer() invocations.
     175                 :             :      */
     176                 :             :     BlockRangeReadStreamPrivate range;
     177                 :             :     SkipPages   skip_option;
     178                 :             :     Relation    rel;
     179                 :             :     Buffer     *vmbuffer;
     180                 :             : } HeapCheckReadStreamData;
     181                 :             : 
     182                 :             : 
     183                 :             : /* Internal implementation */
     184                 :             : static BlockNumber heapcheck_read_stream_next_unskippable(ReadStream *stream,
     185                 :             :                                                           void *callback_private_data,
     186                 :             :                                                           void *per_buffer_data);
     187                 :             : 
     188                 :             : static void check_tuple(HeapCheckContext *ctx,
     189                 :             :                         bool *xmin_commit_status_ok,
     190                 :             :                         XidCommitStatus *xmin_commit_status);
     191                 :             : static void check_toast_tuple(HeapTuple toasttup, HeapCheckContext *ctx,
     192                 :             :                               ToastedAttribute *ta, int32 *expected_chunk_seq,
     193                 :             :                               uint32 extsize);
     194                 :             : 
     195                 :             : static bool check_tuple_attribute(HeapCheckContext *ctx);
     196                 :             : static void check_toasted_attribute(HeapCheckContext *ctx,
     197                 :             :                                     ToastedAttribute *ta);
     198                 :             : 
     199                 :             : static bool check_tuple_header(HeapCheckContext *ctx);
     200                 :             : static bool check_tuple_visibility(HeapCheckContext *ctx,
     201                 :             :                                    bool *xmin_commit_status_ok,
     202                 :             :                                    XidCommitStatus *xmin_commit_status);
     203                 :             : 
     204                 :             : static void report_corruption(HeapCheckContext *ctx, char *msg);
     205                 :             : static void report_toast_corruption(HeapCheckContext *ctx,
     206                 :             :                                     ToastedAttribute *ta, char *msg);
     207                 :             : static FullTransactionId FullTransactionIdFromXidAndCtx(TransactionId xid,
     208                 :             :                                                         const HeapCheckContext *ctx);
     209                 :             : static void update_cached_xid_range(HeapCheckContext *ctx);
     210                 :             : static void update_cached_mxid_range(HeapCheckContext *ctx);
     211                 :             : static XidBoundsViolation check_mxid_in_range(MultiXactId mxid,
     212                 :             :                                               HeapCheckContext *ctx);
     213                 :             : static XidBoundsViolation check_mxid_valid_in_rel(MultiXactId mxid,
     214                 :             :                                                   HeapCheckContext *ctx);
     215                 :             : static XidBoundsViolation get_xid_status(TransactionId xid,
     216                 :             :                                          HeapCheckContext *ctx,
     217                 :             :                                          XidCommitStatus *status);
     218                 :             : 
     219                 :             : /*
     220                 :             :  * Scan and report corruption in heap pages, optionally reconciling toasted
     221                 :             :  * attributes with entries in the associated toast table.  Intended to be
     222                 :             :  * called from SQL with the following parameters:
     223                 :             :  *
     224                 :             :  *   relation:
     225                 :             :  *     The Oid of the heap relation to be checked.
     226                 :             :  *
     227                 :             :  *   on_error_stop:
     228                 :             :  *     Whether to stop at the end of the first page for which errors are
     229                 :             :  *     detected.  Note that multiple rows may be returned.
     230                 :             :  *
     231                 :             :  *   check_toast:
     232                 :             :  *     Whether to check each toasted attribute against the toast table to
     233                 :             :  *     verify that it can be found there.
     234                 :             :  *
     235                 :             :  *   skip:
     236                 :             :  *     What kinds of pages in the heap relation should be skipped.  Valid
     237                 :             :  *     options are "all-visible", "all-frozen", and "none".
     238                 :             :  *
     239                 :             :  * Returns to the SQL caller a set of tuples, each containing the location
     240                 :             :  * and a description of a corruption found in the heap.
     241                 :             :  *
     242                 :             :  * This code goes to some trouble to avoid crashing the server even if the
     243                 :             :  * table pages are badly corrupted, but it's probably not perfect. If
     244                 :             :  * check_toast is true, we'll use regular index lookups to try to fetch TOAST
     245                 :             :  * tuples, which can certainly cause crashes if the right kind of corruption
     246                 :             :  * exists in the toast table or index. No matter what parameters you pass,
     247                 :             :  * we can't protect against crashes that might occur trying to look up the
     248                 :             :  * commit status of transaction IDs (though we avoid trying to do such lookups
     249                 :             :  * for transaction IDs that can't legally appear in the table).
     250                 :             :  */
     251                 :             : Datum
     252                 :        3572 : verify_heapam(PG_FUNCTION_ARGS)
     253                 :             : {
     254                 :        3572 :     ReturnSetInfo *rsinfo = (ReturnSetInfo *) fcinfo->resultinfo;
     255                 :             :     HeapCheckContext ctx;
     256                 :        3572 :     Buffer      vmbuffer = InvalidBuffer;
     257                 :             :     Oid         relid;
     258                 :             :     bool        on_error_stop;
     259                 :             :     bool        check_toast;
     260                 :        3572 :     SkipPages   skip_option = SKIP_PAGES_NONE;
     261                 :             :     BlockNumber first_block;
     262                 :             :     BlockNumber last_block;
     263                 :             :     BlockNumber nblocks;
     264                 :             :     const char *skip;
     265                 :             :     ReadStream *stream;
     266                 :             :     int         stream_flags;
     267                 :             :     ReadStreamBlockNumberCB stream_cb;
     268                 :             :     void       *stream_data;
     269                 :             :     HeapCheckReadStreamData stream_skip_data;
     270                 :             : 
     271                 :             :     /* Check supplied arguments */
     272         [ -  + ]:        3572 :     if (PG_ARGISNULL(0))
     273         [ #  # ]:           0 :         ereport(ERROR,
     274                 :             :                 (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
     275                 :             :                  errmsg("relation cannot be null")));
     276                 :        3572 :     relid = PG_GETARG_OID(0);
     277                 :             : 
     278         [ -  + ]:        3572 :     if (PG_ARGISNULL(1))
     279         [ #  # ]:           0 :         ereport(ERROR,
     280                 :             :                 (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
     281                 :             :                  errmsg("on_error_stop cannot be null")));
     282                 :        3572 :     on_error_stop = PG_GETARG_BOOL(1);
     283                 :             : 
     284         [ -  + ]:        3572 :     if (PG_ARGISNULL(2))
     285         [ #  # ]:           0 :         ereport(ERROR,
     286                 :             :                 (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
     287                 :             :                  errmsg("check_toast cannot be null")));
     288                 :        3572 :     check_toast = PG_GETARG_BOOL(2);
     289                 :             : 
     290         [ -  + ]:        3572 :     if (PG_ARGISNULL(3))
     291         [ #  # ]:           0 :         ereport(ERROR,
     292                 :             :                 (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
     293                 :             :                  errmsg("skip cannot be null")));
     294                 :        3572 :     skip = text_to_cstring(PG_GETARG_TEXT_PP(3));
     295         [ +  + ]:        3572 :     if (pg_strcasecmp(skip, "all-visible") == 0)
     296                 :          84 :         skip_option = SKIP_PAGES_ALL_VISIBLE;
     297         [ +  + ]:        3488 :     else if (pg_strcasecmp(skip, "all-frozen") == 0)
     298                 :          87 :         skip_option = SKIP_PAGES_ALL_FROZEN;
     299         [ +  + ]:        3401 :     else if (pg_strcasecmp(skip, "none") == 0)
     300                 :        3400 :         skip_option = SKIP_PAGES_NONE;
     301                 :             :     else
     302         [ +  - ]:           1 :         ereport(ERROR,
     303                 :             :                 (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
     304                 :             :                  errmsg("invalid skip option"),
     305                 :             :                  errhint("Valid skip options are \"all-visible\", \"all-frozen\", and \"none\".")));
     306                 :             : 
     307                 :        3571 :     memset(&ctx, 0, sizeof(HeapCheckContext));
     308                 :        3571 :     ctx.cached_xid = InvalidTransactionId;
     309                 :        3571 :     ctx.toasted_attributes = NIL;
     310                 :             : 
     311                 :             :     /*
     312                 :             :      * Any xmin newer than the xmin of our snapshot can't become all-visible
     313                 :             :      * while we're running.
     314                 :             :      */
     315                 :        3571 :     ctx.safe_xmin = GetTransactionSnapshot()->xmin;
     316                 :             : 
     317                 :             :     /*
     318                 :             :      * If we report corruption when not examining some individual attribute,
     319                 :             :      * we need attnum to be reported as NULL.  Set that up before any
     320                 :             :      * corruption reporting might happen.
     321                 :             :      */
     322                 :        3571 :     ctx.attnum = -1;
     323                 :             : 
     324                 :             :     /* Construct the tuplestore and tuple descriptor */
     325                 :        3571 :     InitMaterializedSRF(fcinfo, 0);
     326                 :        3571 :     ctx.tupdesc = rsinfo->setDesc;
     327                 :        3571 :     ctx.tupstore = rsinfo->setResult;
     328                 :             : 
     329                 :             :     /* Open relation, check relkind and access method */
     330                 :        3571 :     ctx.rel = relation_open(relid, AccessShareLock);
     331                 :             : 
     332                 :             :     /*
     333                 :             :      * Check that a relation's relkind and access method are both supported.
     334                 :             :      */
     335   [ +  +  +  +  :        3571 :     if (!RELKIND_HAS_TABLE_AM(ctx.rel->rd_rel->relkind) &&
                   +  + ]
     336         [ +  + ]:         195 :         ctx.rel->rd_rel->relkind != RELKIND_SEQUENCE)
     337         [ +  - ]:           4 :         ereport(ERROR,
     338                 :             :                 (errcode(ERRCODE_WRONG_OBJECT_TYPE),
     339                 :             :                  errmsg("cannot check relation \"%s\"",
     340                 :             :                         RelationGetRelationName(ctx.rel)),
     341                 :             :                  errdetail_relkind_not_supported(ctx.rel->rd_rel->relkind)));
     342                 :             : 
     343                 :             :     /*
     344                 :             :      * Sequences always use heap AM, but they don't show that in the catalogs.
     345                 :             :      * Other relkinds might be using a different AM, so check.
     346                 :             :      */
     347         [ +  + ]:        3567 :     if (ctx.rel->rd_rel->relkind != RELKIND_SEQUENCE &&
     348         [ -  + ]:        3376 :         ctx.rel->rd_rel->relam != HEAP_TABLE_AM_OID)
     349         [ #  # ]:           0 :         ereport(ERROR,
     350                 :             :                 (errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
     351                 :             :                  errmsg("only heap AM is supported")));
     352                 :             : 
     353                 :             :     /*
     354                 :             :      * Early exit for unlogged relations during recovery.  These will have no
     355                 :             :      * relation fork, so there won't be anything to check.  We behave as if
     356                 :             :      * the relation is empty.
     357                 :             :      */
     358   [ -  +  -  - ]:        3567 :     if (ctx.rel->rd_rel->relpersistence == RELPERSISTENCE_UNLOGGED &&
     359                 :           0 :         RecoveryInProgress())
     360                 :             :     {
     361         [ #  # ]:           0 :         ereport(DEBUG1,
     362                 :             :                 (errcode(ERRCODE_READ_ONLY_SQL_TRANSACTION),
     363                 :             :                  errmsg("cannot verify unlogged relation \"%s\" during recovery, skipping",
     364                 :             :                         RelationGetRelationName(ctx.rel))));
     365                 :           0 :         relation_close(ctx.rel, AccessShareLock);
     366                 :           0 :         PG_RETURN_NULL();
     367                 :             :     }
     368                 :             : 
     369                 :             :     /* Early exit if the relation is empty */
     370                 :        3567 :     nblocks = RelationGetNumberOfBlocks(ctx.rel);
     371         [ +  + ]:        3550 :     if (!nblocks)
     372                 :             :     {
     373                 :        2073 :         relation_close(ctx.rel, AccessShareLock);
     374                 :        2073 :         PG_RETURN_NULL();
     375                 :             :     }
     376                 :             : 
     377                 :        1477 :     ctx.bstrategy = GetAccessStrategy(BAS_BULKREAD);
     378                 :        1477 :     ctx.buffer = InvalidBuffer;
     379                 :        1477 :     ctx.page = NULL;
     380                 :             : 
     381                 :             :     /* Validate block numbers, or handle nulls. */
     382         [ +  + ]:        1477 :     if (PG_ARGISNULL(4))
     383                 :        1354 :         first_block = 0;
     384                 :             :     else
     385                 :             :     {
     386                 :         123 :         int64       fb = PG_GETARG_INT64(4);
     387                 :             : 
     388   [ +  -  +  + ]:         123 :         if (fb < 0 || fb >= nblocks)
     389         [ +  - ]:           1 :             ereport(ERROR,
     390                 :             :                     (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
     391                 :             :                      errmsg("starting block number must be between 0 and %u",
     392                 :             :                             nblocks - 1)));
     393                 :         122 :         first_block = (BlockNumber) fb;
     394                 :             :     }
     395         [ +  + ]:        1476 :     if (PG_ARGISNULL(5))
     396                 :        1353 :         last_block = nblocks - 1;
     397                 :             :     else
     398                 :             :     {
     399                 :         123 :         int64       lb = PG_GETARG_INT64(5);
     400                 :             : 
     401   [ +  -  +  + ]:         123 :         if (lb < 0 || lb >= nblocks)
     402         [ +  - ]:           1 :             ereport(ERROR,
     403                 :             :                     (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
     404                 :             :                      errmsg("ending block number must be between 0 and %u",
     405                 :             :                             nblocks - 1)));
     406                 :         122 :         last_block = (BlockNumber) lb;
     407                 :             :     }
     408                 :             : 
     409                 :             :     /* Optionally open the toast relation, if any. */
     410   [ +  +  +  + ]:        1475 :     if (ctx.rel->rd_rel->reltoastrelid && check_toast)
     411                 :         696 :     {
     412                 :             :         int         offset;
     413                 :             : 
     414                 :             :         /* Main relation has associated toast relation */
     415                 :         696 :         ctx.toast_rel = table_open(ctx.rel->rd_rel->reltoastrelid,
     416                 :             :                                    AccessShareLock);
     417                 :         696 :         offset = toast_open_indexes(ctx.toast_rel,
     418                 :             :                                     AccessShareLock,
     419                 :             :                                     &(ctx.toast_indexes),
     420                 :             :                                     &(ctx.num_toast_indexes));
     421                 :         696 :         ctx.valid_toast_index = ctx.toast_indexes[offset];
     422                 :             :     }
     423                 :             :     else
     424                 :             :     {
     425                 :             :         /*
     426                 :             :          * Main relation has no associated toast relation, or we're
     427                 :             :          * intentionally skipping it.
     428                 :             :          */
     429                 :         779 :         ctx.toast_rel = NULL;
     430                 :         779 :         ctx.toast_indexes = NULL;
     431                 :         779 :         ctx.num_toast_indexes = 0;
     432                 :             :     }
     433                 :             : 
     434                 :        1475 :     update_cached_xid_range(&ctx);
     435                 :        1475 :     update_cached_mxid_range(&ctx);
     436                 :        1475 :     ctx.relfrozenxid = ctx.rel->rd_rel->relfrozenxid;
     437                 :        1475 :     ctx.relfrozenfxid = FullTransactionIdFromXidAndCtx(ctx.relfrozenxid, &ctx);
     438                 :        1475 :     ctx.relminmxid = ctx.rel->rd_rel->relminmxid;
     439                 :             : 
     440         [ +  + ]:        1475 :     if (TransactionIdIsNormal(ctx.relfrozenxid))
     441                 :        1284 :         ctx.oldest_xid = ctx.relfrozenxid;
     442                 :             : 
     443                 :             :     /* Now that `ctx` is set up, set up the read stream */
     444                 :        1475 :     stream_skip_data.range.current_blocknum = first_block;
     445                 :        1475 :     stream_skip_data.range.last_exclusive = last_block + 1;
     446                 :        1475 :     stream_skip_data.skip_option = skip_option;
     447                 :        1475 :     stream_skip_data.rel = ctx.rel;
     448                 :        1475 :     stream_skip_data.vmbuffer = &vmbuffer;
     449                 :             : 
     450         [ +  + ]:        1475 :     if (skip_option == SKIP_PAGES_NONE)
     451                 :             :     {
     452                 :             :         /*
     453                 :             :          * It is safe to use batchmode as block_range_read_stream_cb takes no
     454                 :             :          * locks.
     455                 :             :          */
     456                 :        1310 :         stream_cb = block_range_read_stream_cb;
     457                 :        1310 :         stream_flags = READ_STREAM_SEQUENTIAL |
     458                 :             :             READ_STREAM_FULL |
     459                 :             :             READ_STREAM_USE_BATCHING;
     460                 :        1310 :         stream_data = &stream_skip_data.range;
     461                 :             :     }
     462                 :             :     else
     463                 :             :     {
     464                 :             :         /*
     465                 :             :          * It would not be safe to naively use batchmode, as
     466                 :             :          * heapcheck_read_stream_next_unskippable takes locks. It shouldn't be
     467                 :             :          * too hard to convert though.
     468                 :             :          */
     469                 :         165 :         stream_cb = heapcheck_read_stream_next_unskippable;
     470                 :         165 :         stream_flags = READ_STREAM_DEFAULT;
     471                 :         165 :         stream_data = &stream_skip_data;
     472                 :             :     }
     473                 :             : 
     474                 :        1475 :     stream = read_stream_begin_relation(stream_flags,
     475                 :             :                                         ctx.bstrategy,
     476                 :             :                                         ctx.rel,
     477                 :             :                                         MAIN_FORKNUM,
     478                 :             :                                         stream_cb,
     479                 :             :                                         stream_data,
     480                 :             :                                         0);
     481                 :             : 
     482         [ +  + ]:       13758 :     while ((ctx.buffer = read_stream_next_buffer(stream, NULL)) != InvalidBuffer)
     483                 :             :     {
     484                 :             :         OffsetNumber maxoff;
     485                 :             :         OffsetNumber predecessor[MaxOffsetNumber];
     486                 :             :         OffsetNumber successor[MaxOffsetNumber];
     487                 :             :         bool        lp_valid[MaxOffsetNumber];
     488                 :             :         bool        xmin_commit_status_ok[MaxOffsetNumber];
     489                 :             :         XidCommitStatus xmin_commit_status[MaxOffsetNumber];
     490                 :             : 
     491         [ -  + ]:       12286 :         CHECK_FOR_INTERRUPTS();
     492                 :             : 
     493                 :       12286 :         memset(predecessor, 0, sizeof(OffsetNumber) * MaxOffsetNumber);
     494                 :             : 
     495                 :             :         /* Lock the next page. */
     496                 :             :         Assert(BufferIsValid(ctx.buffer));
     497                 :       12286 :         LockBuffer(ctx.buffer, BUFFER_LOCK_SHARE);
     498                 :             : 
     499                 :       12286 :         ctx.blkno = BufferGetBlockNumber(ctx.buffer);
     500                 :       12286 :         ctx.page = BufferGetPage(ctx.buffer);
     501                 :             : 
     502                 :             :         /* Perform tuple checks */
     503                 :       12286 :         maxoff = PageGetMaxOffsetNumber(ctx.page);
     504         [ +  + ]:      590221 :         for (ctx.offnum = FirstOffsetNumber; ctx.offnum <= maxoff;
     505                 :      577935 :              ctx.offnum = OffsetNumberNext(ctx.offnum))
     506                 :             :         {
     507                 :             :             BlockNumber nextblkno;
     508                 :             :             OffsetNumber nextoffnum;
     509                 :             : 
     510                 :      577935 :             successor[ctx.offnum] = InvalidOffsetNumber;
     511                 :      577935 :             lp_valid[ctx.offnum] = false;
     512                 :      577935 :             xmin_commit_status_ok[ctx.offnum] = false;
     513                 :      577935 :             ctx.itemid = PageGetItemId(ctx.page, ctx.offnum);
     514                 :             : 
     515                 :             :             /* Skip over unused/dead line pointers */
     516   [ +  +  +  + ]:      577935 :             if (!ItemIdIsUsed(ctx.itemid) || ItemIdIsDead(ctx.itemid))
     517                 :        7651 :                 continue;
     518                 :             : 
     519                 :             :             /*
     520                 :             :              * If this line pointer has been redirected, check that it
     521                 :             :              * redirects to a valid offset within the line pointer array
     522                 :             :              */
     523         [ +  + ]:      570284 :             if (ItemIdIsRedirected(ctx.itemid))
     524                 :        5197 :             {
     525                 :        5218 :                 OffsetNumber rdoffnum = ItemIdGetRedirect(ctx.itemid);
     526                 :             :                 ItemId      rditem;
     527                 :             : 
     528         [ +  + ]:        5218 :                 if (rdoffnum < FirstOffsetNumber)
     529                 :             :                 {
     530                 :           6 :                     report_corruption(&ctx,
     531                 :             :                                       psprintf("line pointer redirection to item at offset %d precedes minimum offset %d",
     532                 :             :                                                rdoffnum,
     533                 :             :                                                FirstOffsetNumber));
     534                 :           6 :                     continue;
     535                 :             :                 }
     536         [ +  + ]:        5212 :                 if (rdoffnum > maxoff)
     537                 :             :                 {
     538                 :          14 :                     report_corruption(&ctx,
     539                 :             :                                       psprintf("line pointer redirection to item at offset %d exceeds maximum offset %d",
     540                 :             :                                                rdoffnum,
     541                 :             :                                                maxoff));
     542                 :          14 :                     continue;
     543                 :             :                 }
     544                 :             : 
     545                 :             :                 /*
     546                 :             :                  * Since we've checked that this redirect points to a line
     547                 :             :                  * pointer between FirstOffsetNumber and maxoff, it should now
     548                 :             :                  * be safe to fetch the referenced line pointer. We expect it
     549                 :             :                  * to be LP_NORMAL; if not, that's corruption.
     550                 :             :                  */
     551                 :        5198 :                 rditem = PageGetItemId(ctx.page, rdoffnum);
     552         [ -  + ]:        5198 :                 if (!ItemIdIsUsed(rditem))
     553                 :             :                 {
     554                 :           0 :                     report_corruption(&ctx,
     555                 :             :                                       psprintf("redirected line pointer points to an unused item at offset %d",
     556                 :             :                                                rdoffnum));
     557                 :           0 :                     continue;
     558                 :             :                 }
     559         [ -  + ]:        5198 :                 else if (ItemIdIsDead(rditem))
     560                 :             :                 {
     561                 :           0 :                     report_corruption(&ctx,
     562                 :             :                                       psprintf("redirected line pointer points to a dead item at offset %d",
     563                 :             :                                                rdoffnum));
     564                 :           0 :                     continue;
     565                 :             :                 }
     566         [ +  + ]:        5198 :                 else if (ItemIdIsRedirected(rditem))
     567                 :             :                 {
     568                 :           1 :                     report_corruption(&ctx,
     569                 :             :                                       psprintf("redirected line pointer points to another redirected line pointer at offset %d",
     570                 :             :                                                rdoffnum));
     571                 :           1 :                     continue;
     572                 :             :                 }
     573                 :             : 
     574                 :             :                 /*
     575                 :             :                  * Record the fact that this line pointer has passed basic
     576                 :             :                  * sanity checking, and also the offset number to which it
     577                 :             :                  * points.
     578                 :             :                  */
     579                 :        5197 :                 lp_valid[ctx.offnum] = true;
     580                 :        5197 :                 successor[ctx.offnum] = rdoffnum;
     581                 :        5197 :                 continue;
     582                 :             :             }
     583                 :             : 
     584                 :             :             /* Sanity-check the line pointer's offset and length values */
     585                 :      565066 :             ctx.lp_len = ItemIdGetLength(ctx.itemid);
     586                 :      565066 :             ctx.lp_off = ItemIdGetOffset(ctx.itemid);
     587                 :             : 
     588         [ +  + ]:      565066 :             if (ctx.lp_off != MAXALIGN(ctx.lp_off))
     589                 :             :             {
     590                 :           6 :                 report_corruption(&ctx,
     591                 :             :                                   psprintf("line pointer to page offset %u is not maximally aligned",
     592                 :           6 :                                            ctx.lp_off));
     593                 :           6 :                 continue;
     594                 :             :             }
     595         [ +  + ]:      565060 :             if (ctx.lp_len < MAXALIGN(SizeofHeapTupleHeader))
     596                 :             :             {
     597                 :          12 :                 report_corruption(&ctx,
     598                 :             :                                   psprintf("line pointer length %u is less than the minimum tuple header size %u",
     599                 :          12 :                                            ctx.lp_len,
     600                 :             :                                            (unsigned) MAXALIGN(SizeofHeapTupleHeader)));
     601                 :          12 :                 continue;
     602                 :             :             }
     603         [ +  + ]:      565048 :             if (ctx.lp_off + ctx.lp_len > BLCKSZ)
     604                 :             :             {
     605                 :          14 :                 report_corruption(&ctx,
     606                 :             :                                   psprintf("line pointer to page offset %u with length %u ends beyond maximum page offset %d",
     607                 :          14 :                                            ctx.lp_off,
     608                 :          14 :                                            ctx.lp_len,
     609                 :             :                                            BLCKSZ));
     610                 :          14 :                 continue;
     611                 :             :             }
     612                 :             : 
     613                 :             :             /* It should be safe to examine the tuple's header, at least */
     614                 :      565034 :             lp_valid[ctx.offnum] = true;
     615                 :      565034 :             ctx.tuphdr = (HeapTupleHeader) PageGetItem(ctx.page, ctx.itemid);
     616                 :      565034 :             ctx.natts = HeapTupleHeaderGetNatts(ctx.tuphdr);
     617                 :             : 
     618                 :             :             /* Ok, ready to check this next tuple */
     619                 :      565034 :             check_tuple(&ctx,
     620                 :      565034 :                         &xmin_commit_status_ok[ctx.offnum],
     621                 :      565034 :                         &xmin_commit_status[ctx.offnum]);
     622                 :             : 
     623                 :             :             /*
     624                 :             :              * If the CTID field of this tuple seems to point to another tuple
     625                 :             :              * on the same page, record that tuple as the successor of this
     626                 :             :              * one.
     627                 :             :              */
     628                 :      565034 :             nextblkno = ItemPointerGetBlockNumber(&(ctx.tuphdr)->t_ctid);
     629                 :      565034 :             nextoffnum = ItemPointerGetOffsetNumber(&(ctx.tuphdr)->t_ctid);
     630   [ +  +  +  +  :      565034 :             if (nextblkno == ctx.blkno && nextoffnum != ctx.offnum &&
                   +  - ]
     631         [ +  - ]:         233 :                 nextoffnum >= FirstOffsetNumber && nextoffnum <= maxoff)
     632                 :         233 :                 successor[ctx.offnum] = nextoffnum;
     633                 :             :         }
     634                 :             : 
     635                 :             :         /*
     636                 :             :          * Update chain validation. Check each line pointer that's got a valid
     637                 :             :          * successor against that successor.
     638                 :             :          */
     639                 :       12286 :         ctx.attnum = -1;
     640         [ +  + ]:      590221 :         for (ctx.offnum = FirstOffsetNumber; ctx.offnum <= maxoff;
     641                 :      577935 :              ctx.offnum = OffsetNumberNext(ctx.offnum))
     642                 :             :         {
     643                 :             :             ItemId      curr_lp;
     644                 :             :             ItemId      next_lp;
     645                 :             :             HeapTupleHeader curr_htup;
     646                 :             :             HeapTupleHeader next_htup;
     647                 :             :             TransactionId curr_xmin;
     648                 :             :             TransactionId curr_xmax;
     649                 :             :             TransactionId next_xmin;
     650                 :      577935 :             OffsetNumber nextoffnum = successor[ctx.offnum];
     651                 :             : 
     652                 :             :             /*
     653                 :             :              * The current line pointer may not have a successor, either
     654                 :             :              * because it's not valid or because it didn't point to anything.
     655                 :             :              * In either case, we have to give up.
     656                 :             :              *
     657                 :             :              * If the current line pointer does point to something, it's
     658                 :             :              * possible that the target line pointer isn't valid. We have to
     659                 :             :              * give up in that case, too.
     660                 :             :              */
     661   [ +  +  -  + ]:      577935 :             if (nextoffnum == InvalidOffsetNumber || !lp_valid[nextoffnum])
     662                 :      572505 :                 continue;
     663                 :             : 
     664                 :             :             /* We have two valid line pointers that we can examine. */
     665                 :        5430 :             curr_lp = PageGetItemId(ctx.page, ctx.offnum);
     666                 :        5430 :             next_lp = PageGetItemId(ctx.page, nextoffnum);
     667                 :             : 
     668                 :             :             /* Handle the cases where the current line pointer is a redirect. */
     669         [ +  + ]:        5430 :             if (ItemIdIsRedirected(curr_lp))
     670                 :             :             {
     671                 :             :                 /*
     672                 :             :                  * We should not have set successor[ctx.offnum] to a value
     673                 :             :                  * other than InvalidOffsetNumber unless that line pointer is
     674                 :             :                  * LP_NORMAL.
     675                 :             :                  */
     676                 :             :                 Assert(ItemIdIsNormal(next_lp));
     677                 :             : 
     678                 :             :                 /* Can only redirect to a HOT tuple. */
     679                 :        5197 :                 next_htup = (HeapTupleHeader) PageGetItem(ctx.page, next_lp);
     680         [ +  + ]:        5197 :                 if (!HeapTupleHeaderIsHeapOnly(next_htup))
     681                 :             :                 {
     682                 :           1 :                     report_corruption(&ctx,
     683                 :             :                                       psprintf("redirected line pointer points to a non-heap-only tuple at offset %d",
     684                 :             :                                                nextoffnum));
     685                 :             :                 }
     686                 :             : 
     687                 :             :                 /* HOT chains should not intersect. */
     688         [ +  + ]:        5197 :                 if (predecessor[nextoffnum] != InvalidOffsetNumber)
     689                 :             :                 {
     690                 :           1 :                     report_corruption(&ctx,
     691                 :             :                                       psprintf("redirect line pointer points to offset %d, but offset %d also points there",
     692                 :           1 :                                                nextoffnum, predecessor[nextoffnum]));
     693                 :           1 :                     continue;
     694                 :             :                 }
     695                 :             : 
     696                 :             :                 /*
     697                 :             :                  * This redirect and the tuple to which it points seem to be
     698                 :             :                  * part of an update chain.
     699                 :             :                  */
     700                 :        5196 :                 predecessor[nextoffnum] = ctx.offnum;
     701                 :        5196 :                 continue;
     702                 :             :             }
     703                 :             : 
     704                 :             :             /*
     705                 :             :              * If the next line pointer is a redirect, or if it's a tuple but
     706                 :             :              * the XMAX of this tuple doesn't match the XMIN of the next
     707                 :             :              * tuple, then the two aren't part of the same update chain and
     708                 :             :              * there is nothing more to do.
     709                 :             :              */
     710         [ -  + ]:         233 :             if (ItemIdIsRedirected(next_lp))
     711                 :           0 :                 continue;
     712                 :         233 :             curr_htup = (HeapTupleHeader) PageGetItem(ctx.page, curr_lp);
     713                 :         233 :             curr_xmax = HeapTupleHeaderGetUpdateXid(curr_htup);
     714                 :         233 :             next_htup = (HeapTupleHeader) PageGetItem(ctx.page, next_lp);
     715                 :         233 :             next_xmin = HeapTupleHeaderGetXmin(next_htup);
     716   [ +  +  -  + ]:         233 :             if (!TransactionIdIsValid(curr_xmax) ||
     717                 :             :                 !TransactionIdEquals(curr_xmax, next_xmin))
     718                 :           4 :                 continue;
     719                 :             : 
     720                 :             :             /* HOT chains should not intersect. */
     721         [ +  + ]:         229 :             if (predecessor[nextoffnum] != InvalidOffsetNumber)
     722                 :             :             {
     723                 :           1 :                 report_corruption(&ctx,
     724                 :             :                                   psprintf("tuple points to new version at offset %d, but offset %d also points there",
     725                 :           1 :                                            nextoffnum, predecessor[nextoffnum]));
     726                 :           1 :                 continue;
     727                 :             :             }
     728                 :             : 
     729                 :             :             /*
     730                 :             :              * This tuple and the tuple to which it points seem to be part of
     731                 :             :              * an update chain.
     732                 :             :              */
     733                 :         228 :             predecessor[nextoffnum] = ctx.offnum;
     734                 :             : 
     735                 :             :             /*
     736                 :             :              * If the current tuple is marked as HOT-updated, then the next
     737                 :             :              * tuple should be marked as a heap-only tuple. Conversely, if the
     738                 :             :              * current tuple isn't marked as HOT-updated, then the next tuple
     739                 :             :              * shouldn't be marked as a heap-only tuple.
     740                 :             :              *
     741                 :             :              * NB: Can't use HeapTupleHeaderIsHotUpdated() as it checks if
     742                 :             :              * hint bits indicate xmin/xmax aborted.
     743                 :             :              */
     744   [ +  +  +  - ]:         229 :             if (!(curr_htup->t_infomask2 & HEAP_HOT_UPDATED) &&
     745                 :           1 :                 HeapTupleHeaderIsHeapOnly(next_htup))
     746                 :             :             {
     747                 :           1 :                 report_corruption(&ctx,
     748                 :             :                                   psprintf("non-heap-only update produced a heap-only tuple at offset %d",
     749                 :             :                                            nextoffnum));
     750                 :             :             }
     751         [ +  + ]:         228 :             if ((curr_htup->t_infomask2 & HEAP_HOT_UPDATED) &&
     752         [ +  + ]:         227 :                 !HeapTupleHeaderIsHeapOnly(next_htup))
     753                 :             :             {
     754                 :           1 :                 report_corruption(&ctx,
     755                 :             :                                   psprintf("heap-only update produced a non-heap only tuple at offset %d",
     756                 :             :                                            nextoffnum));
     757                 :             :             }
     758                 :             : 
     759                 :             :             /*
     760                 :             :              * If the current tuple's xmin is still in progress but the
     761                 :             :              * successor tuple's xmin is committed, that's corruption.
     762                 :             :              *
     763                 :             :              * NB: We recheck the commit status of the current tuple's xmin
     764                 :             :              * here, because it might have committed after we checked it and
     765                 :             :              * before we checked the commit status of the successor tuple's
     766                 :             :              * xmin. This should be safe because the xmin itself can't have
     767                 :             :              * changed, only its commit status.
     768                 :             :              */
     769                 :         228 :             curr_xmin = HeapTupleHeaderGetXmin(curr_htup);
     770         [ +  - ]:         228 :             if (xmin_commit_status_ok[ctx.offnum] &&
     771         [ +  + ]:         228 :                 xmin_commit_status[ctx.offnum] == XID_IN_PROGRESS &&
     772         [ +  - ]:           1 :                 xmin_commit_status_ok[nextoffnum] &&
     773   [ +  -  +  - ]:           2 :                 xmin_commit_status[nextoffnum] == XID_COMMITTED &&
     774                 :           1 :                 TransactionIdIsInProgress(curr_xmin))
     775                 :             :             {
     776                 :           1 :                 report_corruption(&ctx,
     777                 :             :                                   psprintf("tuple with in-progress xmin %u was updated to produce a tuple at offset %d with committed xmin %u",
     778                 :             :                                            curr_xmin,
     779                 :           1 :                                            ctx.offnum,
     780                 :             :                                            next_xmin));
     781                 :             :             }
     782                 :             : 
     783                 :             :             /*
     784                 :             :              * If the current tuple's xmin is aborted but the successor
     785                 :             :              * tuple's xmin is in-progress or committed, that's corruption.
     786                 :             :              */
     787         [ +  - ]:         228 :             if (xmin_commit_status_ok[ctx.offnum] &&
     788         [ +  + ]:         228 :                 xmin_commit_status[ctx.offnum] == XID_ABORTED &&
     789         [ +  - ]:           2 :                 xmin_commit_status_ok[nextoffnum])
     790                 :             :             {
     791         [ +  + ]:           2 :                 if (xmin_commit_status[nextoffnum] == XID_IN_PROGRESS)
     792                 :           1 :                     report_corruption(&ctx,
     793                 :             :                                       psprintf("tuple with aborted xmin %u was updated to produce a tuple at offset %d with in-progress xmin %u",
     794                 :             :                                                curr_xmin,
     795                 :           1 :                                                ctx.offnum,
     796                 :             :                                                next_xmin));
     797         [ +  - ]:           1 :                 else if (xmin_commit_status[nextoffnum] == XID_COMMITTED)
     798                 :           1 :                     report_corruption(&ctx,
     799                 :             :                                       psprintf("tuple with aborted xmin %u was updated to produce a tuple at offset %d with committed xmin %u",
     800                 :             :                                                curr_xmin,
     801                 :           1 :                                                ctx.offnum,
     802                 :             :                                                next_xmin));
     803                 :             :             }
     804                 :             :         }
     805                 :             : 
     806                 :             :         /*
     807                 :             :          * An update chain can start either with a non-heap-only tuple or with
     808                 :             :          * a redirect line pointer, but not with a heap-only tuple.
     809                 :             :          *
     810                 :             :          * (This check is in a separate loop because we need the predecessor
     811                 :             :          * array to be fully populated before we can perform it.)
     812                 :             :          */
     813                 :       12286 :         for (ctx.offnum = FirstOffsetNumber;
     814         [ +  + ]:      590221 :              ctx.offnum <= maxoff;
     815                 :      577935 :              ctx.offnum = OffsetNumberNext(ctx.offnum))
     816                 :             :         {
     817         [ +  + ]:      577935 :             if (xmin_commit_status_ok[ctx.offnum] &&
     818         [ +  + ]:      565025 :                 (xmin_commit_status[ctx.offnum] == XID_COMMITTED ||
     819         [ +  + ]:           7 :                  xmin_commit_status[ctx.offnum] == XID_IN_PROGRESS) &&
     820         [ +  + ]:      565020 :                 predecessor[ctx.offnum] == InvalidOffsetNumber)
     821                 :             :             {
     822                 :             :                 ItemId      curr_lp;
     823                 :             : 
     824                 :      559599 :                 curr_lp = PageGetItemId(ctx.page, ctx.offnum);
     825         [ +  - ]:      559599 :                 if (!ItemIdIsRedirected(curr_lp))
     826                 :             :                 {
     827                 :             :                     HeapTupleHeader curr_htup;
     828                 :             : 
     829                 :             :                     curr_htup = (HeapTupleHeader)
     830                 :      559599 :                         PageGetItem(ctx.page, curr_lp);
     831         [ +  + ]:      559599 :                     if (HeapTupleHeaderIsHeapOnly(curr_htup))
     832                 :           4 :                         report_corruption(&ctx,
     833                 :             :                                           psprintf("tuple is root of chain but is marked as heap-only tuple"));
     834                 :             :                 }
     835                 :             :             }
     836                 :             :         }
     837                 :             : 
     838                 :             :         /* clean up */
     839                 :       12286 :         UnlockReleaseBuffer(ctx.buffer);
     840                 :             : 
     841                 :             :         /*
     842                 :             :          * Check any toast pointers from the page whose lock we just released
     843                 :             :          */
     844         [ +  + ]:       12286 :         if (ctx.toasted_attributes != NIL)
     845                 :             :         {
     846                 :             :             ListCell   *cell;
     847                 :             : 
     848   [ +  -  +  +  :       13522 :             foreach(cell, ctx.toasted_attributes)
                   +  + ]
     849                 :       12635 :                 check_toasted_attribute(&ctx, lfirst(cell));
     850                 :         887 :             list_free_deep(ctx.toasted_attributes);
     851                 :         887 :             ctx.toasted_attributes = NIL;
     852                 :             :         }
     853                 :             : 
     854   [ +  +  -  + ]:       12283 :         if (on_error_stop && ctx.is_corrupt)
     855                 :           0 :             break;
     856                 :             :     }
     857                 :             : 
     858                 :        1472 :     read_stream_end(stream);
     859                 :             : 
     860         [ +  + ]:        1472 :     if (vmbuffer != InvalidBuffer)
     861                 :          37 :         ReleaseBuffer(vmbuffer);
     862                 :             : 
     863                 :             :     /* Close the associated toast table and indexes, if any. */
     864         [ +  + ]:        1472 :     if (ctx.toast_indexes)
     865                 :         693 :         toast_close_indexes(ctx.toast_indexes, ctx.num_toast_indexes,
     866                 :             :                             AccessShareLock);
     867         [ +  + ]:        1472 :     if (ctx.toast_rel)
     868                 :         693 :         table_close(ctx.toast_rel, AccessShareLock);
     869                 :             : 
     870                 :             :     /* Close the main relation */
     871                 :        1472 :     relation_close(ctx.rel, AccessShareLock);
     872                 :             : 
     873                 :        1472 :     PG_RETURN_NULL();
     874                 :             : }
     875                 :             : 
     876                 :             : /*
     877                 :             :  * Heap amcheck's read stream callback for getting the next unskippable block.
     878                 :             :  * This callback is only used when 'all-visible' or 'all-frozen' is provided
     879                 :             :  * as the skip option to verify_heapam(). With the default 'none',
     880                 :             :  * block_range_read_stream_cb() is used instead.
     881                 :             :  */
     882                 :             : static BlockNumber
     883                 :         867 : heapcheck_read_stream_next_unskippable(ReadStream *stream,
     884                 :             :                                        void *callback_private_data,
     885                 :             :                                        void *per_buffer_data)
     886                 :             : {
     887                 :         867 :     HeapCheckReadStreamData *p = callback_private_data;
     888                 :             : 
     889                 :             :     /* Loops over [current_blocknum, last_exclusive) blocks */
     890         [ +  + ]:         900 :     for (BlockNumber i; (i = p->range.current_blocknum++) < p->range.last_exclusive;)
     891                 :             :     {
     892                 :         735 :         uint8       mapbits = visibilitymap_get_status(p->rel, i, p->vmbuffer);
     893                 :             : 
     894         [ +  + ]:         735 :         if (p->skip_option == SKIP_PAGES_ALL_FROZEN)
     895                 :             :         {
     896         [ +  + ]:         384 :             if ((mapbits & VISIBILITYMAP_ALL_FROZEN) != 0)
     897                 :          32 :                 continue;
     898                 :             :         }
     899                 :             : 
     900         [ +  + ]:         703 :         if (p->skip_option == SKIP_PAGES_ALL_VISIBLE)
     901                 :             :         {
     902         [ +  + ]:         351 :             if ((mapbits & VISIBILITYMAP_ALL_VISIBLE) != 0)
     903                 :           1 :                 continue;
     904                 :             :         }
     905                 :             : 
     906                 :         702 :         return i;
     907                 :             :     }
     908                 :             : 
     909                 :         165 :     return InvalidBlockNumber;
     910                 :             : }
     911                 :             : 
     912                 :             : /*
     913                 :             :  * Shared internal implementation for report_corruption and
     914                 :             :  * report_toast_corruption.
     915                 :             :  */
     916                 :             : static void
     917                 :          86 : report_corruption_internal(Tuplestorestate *tupstore, TupleDesc tupdesc,
     918                 :             :                            BlockNumber blkno, OffsetNumber offnum,
     919                 :             :                            AttrNumber attnum, char *msg)
     920                 :             : {
     921                 :          86 :     Datum       values[HEAPCHECK_RELATION_COLS] = {0};
     922                 :          86 :     bool        nulls[HEAPCHECK_RELATION_COLS] = {0};
     923                 :             :     HeapTuple   tuple;
     924                 :             : 
     925                 :          86 :     values[0] = Int64GetDatum(blkno);
     926                 :          86 :     values[1] = Int32GetDatum(offnum);
     927                 :          86 :     values[2] = Int32GetDatum(attnum);
     928                 :          86 :     nulls[2] = (attnum < 0);
     929                 :          86 :     values[3] = CStringGetTextDatum(msg);
     930                 :             : 
     931                 :             :     /*
     932                 :             :      * In principle, there is nothing to prevent a scan over a large, highly
     933                 :             :      * corrupted table from using work_mem worth of memory building up the
     934                 :             :      * tuplestore.  That's ok, but if we also leak the msg argument memory
     935                 :             :      * until the end of the query, we could exceed work_mem by more than a
     936                 :             :      * trivial amount.  Therefore, free the msg argument each time we are
     937                 :             :      * called rather than waiting for our current memory context to be freed.
     938                 :             :      */
     939                 :          86 :     pfree(msg);
     940                 :             : 
     941                 :          86 :     tuple = heap_form_tuple(tupdesc, values, nulls);
     942                 :          86 :     tuplestore_puttuple(tupstore, tuple);
     943                 :          86 : }
     944                 :             : 
     945                 :             : /*
     946                 :             :  * Record a single corruption found in the main table.  The values in ctx should
     947                 :             :  * indicate the location of the corruption, and the msg argument should contain
     948                 :             :  * a human-readable description of the corruption.
     949                 :             :  *
     950                 :             :  * The msg argument is pfree'd by this function.
     951                 :             :  */
     952                 :             : static void
     953                 :          85 : report_corruption(HeapCheckContext *ctx, char *msg)
     954                 :             : {
     955                 :          85 :     report_corruption_internal(ctx->tupstore, ctx->tupdesc, ctx->blkno,
     956                 :          85 :                                ctx->offnum, ctx->attnum, msg);
     957                 :          85 :     ctx->is_corrupt = true;
     958                 :          85 : }
     959                 :             : 
     960                 :             : /*
     961                 :             :  * Record corruption found in the toast table.  The values in ta should
     962                 :             :  * indicate the location in the main table where the toast pointer was
     963                 :             :  * encountered, and the msg argument should contain a human-readable
     964                 :             :  * description of the toast table corruption.
     965                 :             :  *
     966                 :             :  * As above, the msg argument is pfree'd by this function.
     967                 :             :  */
     968                 :             : static void
     969                 :           1 : report_toast_corruption(HeapCheckContext *ctx, ToastedAttribute *ta,
     970                 :             :                         char *msg)
     971                 :             : {
     972                 :           1 :     report_corruption_internal(ctx->tupstore, ctx->tupdesc, ta->blkno,
     973                 :           1 :                                ta->offnum, ta->attnum, msg);
     974                 :           1 :     ctx->is_corrupt = true;
     975                 :           1 : }
     976                 :             : 
     977                 :             : /*
     978                 :             :  * Check for tuple header corruption.
     979                 :             :  *
     980                 :             :  * Some kinds of corruption make it unsafe to check the tuple attributes, for
     981                 :             :  * example when the line pointer refers to a range of bytes outside the page.
     982                 :             :  * In such cases, we return false (not checkable) after recording appropriate
     983                 :             :  * corruption messages.
     984                 :             :  *
     985                 :             :  * Some other kinds of tuple header corruption confuse the question of where
     986                 :             :  * the tuple attributes begin, or how long the nulls bitmap is, etc., making it
     987                 :             :  * unreasonable to attempt to check attributes, even if all candidate answers
     988                 :             :  * to those questions would not result in reading past the end of the line
     989                 :             :  * pointer or page.  In such cases, like above, we record corruption messages
     990                 :             :  * about the header and then return false.
     991                 :             :  *
     992                 :             :  * Other kinds of tuple header corruption do not bear on the question of
     993                 :             :  * whether the tuple attributes can be checked, so we record corruption
     994                 :             :  * messages for them but we do not return false merely because we detected
     995                 :             :  * them.
     996                 :             :  *
     997                 :             :  * Returns whether the tuple is sufficiently sensible to undergo visibility and
     998                 :             :  * attribute checks.
     999                 :             :  */
    1000                 :             : static bool
    1001                 :      565034 : check_tuple_header(HeapCheckContext *ctx)
    1002                 :             : {
    1003                 :      565034 :     HeapTupleHeader tuphdr = ctx->tuphdr;
    1004                 :      565034 :     uint16      infomask = tuphdr->t_infomask;
    1005                 :      565034 :     TransactionId curr_xmax = HeapTupleHeaderGetUpdateXid(tuphdr);
    1006                 :      565034 :     bool        result = true;
    1007                 :             :     unsigned    expected_hoff;
    1008                 :             : 
    1009         [ +  + ]:      565034 :     if (ctx->tuphdr->t_hoff > ctx->lp_len)
    1010                 :             :     {
    1011                 :           1 :         report_corruption(ctx,
    1012                 :             :                           psprintf("data begins at offset %u beyond the tuple length %u",
    1013                 :           1 :                                    ctx->tuphdr->t_hoff, ctx->lp_len));
    1014                 :           1 :         result = false;
    1015                 :             :     }
    1016                 :             : 
    1017         [ +  + ]:      565034 :     if ((ctx->tuphdr->t_infomask & HEAP_XMAX_COMMITTED) &&
    1018         [ +  + ]:         167 :         (ctx->tuphdr->t_infomask & HEAP_XMAX_IS_MULTI))
    1019                 :             :     {
    1020                 :           2 :         report_corruption(ctx,
    1021                 :             :                           pstrdup("multixact should not be marked committed"));
    1022                 :             : 
    1023                 :             :         /*
    1024                 :             :          * This condition is clearly wrong, but it's not enough to justify
    1025                 :             :          * skipping further checks, because we don't rely on this to determine
    1026                 :             :          * whether the tuple is visible or to interpret other relevant header
    1027                 :             :          * fields.
    1028                 :             :          */
    1029                 :             :     }
    1030                 :             : 
    1031   [ +  +  +  + ]:     1128836 :     if (!TransactionIdIsValid(curr_xmax) &&
    1032                 :      563802 :         HeapTupleHeaderIsHotUpdated(tuphdr))
    1033                 :             :     {
    1034                 :           1 :         report_corruption(ctx,
    1035                 :             :                           psprintf("tuple has been HOT updated, but xmax is 0"));
    1036                 :             : 
    1037                 :             :         /*
    1038                 :             :          * As above, even though this shouldn't happen, it's not sufficient
    1039                 :             :          * justification for skipping further checks, we should still be able
    1040                 :             :          * to perform sensibly.
    1041                 :             :          */
    1042                 :             :     }
    1043                 :             : 
    1044         [ +  + ]:      565034 :     if (HeapTupleHeaderIsHeapOnly(tuphdr) &&
    1045         [ +  + ]:        5426 :         ((tuphdr->t_infomask & HEAP_UPDATED) == 0))
    1046                 :             :     {
    1047                 :           1 :         report_corruption(ctx,
    1048                 :             :                           psprintf("tuple is heap only, but not the result of an update"));
    1049                 :             : 
    1050                 :             :         /* Here again, we can still perform further checks. */
    1051                 :             :     }
    1052                 :             : 
    1053         [ +  + ]:      565034 :     if (infomask & HEAP_HASNULL)
    1054                 :      256902 :         expected_hoff = MAXALIGN(SizeofHeapTupleHeader + BITMAPLEN(ctx->natts));
    1055                 :             :     else
    1056                 :      308132 :         expected_hoff = MAXALIGN(SizeofHeapTupleHeader);
    1057         [ +  + ]:      565034 :     if (ctx->tuphdr->t_hoff != expected_hoff)
    1058                 :             :     {
    1059   [ +  +  -  + ]:           5 :         if ((infomask & HEAP_HASNULL) && ctx->natts == 1)
    1060                 :           0 :             report_corruption(ctx,
    1061                 :             :                               psprintf("tuple data should begin at byte %u, but actually begins at byte %u (1 attribute, has nulls)",
    1062                 :           0 :                                        expected_hoff, ctx->tuphdr->t_hoff));
    1063         [ +  + ]:           5 :         else if ((infomask & HEAP_HASNULL))
    1064                 :           1 :             report_corruption(ctx,
    1065                 :             :                               psprintf("tuple data should begin at byte %u, but actually begins at byte %u (%u attributes, has nulls)",
    1066                 :           1 :                                        expected_hoff, ctx->tuphdr->t_hoff, ctx->natts));
    1067         [ -  + ]:           4 :         else if (ctx->natts == 1)
    1068                 :           0 :             report_corruption(ctx,
    1069                 :             :                               psprintf("tuple data should begin at byte %u, but actually begins at byte %u (1 attribute, no nulls)",
    1070                 :           0 :                                        expected_hoff, ctx->tuphdr->t_hoff));
    1071                 :             :         else
    1072                 :           4 :             report_corruption(ctx,
    1073                 :             :                               psprintf("tuple data should begin at byte %u, but actually begins at byte %u (%u attributes, no nulls)",
    1074                 :           4 :                                        expected_hoff, ctx->tuphdr->t_hoff, ctx->natts));
    1075                 :           5 :         result = false;
    1076                 :             :     }
    1077                 :             : 
    1078                 :      565034 :     return result;
    1079                 :             : }
    1080                 :             : 
    1081                 :             : /*
    1082                 :             :  * Checks tuple visibility so we know which further checks are safe to
    1083                 :             :  * perform.
    1084                 :             :  *
    1085                 :             :  * If a tuple could have been inserted by a transaction that also added a
    1086                 :             :  * column to the table, but which ultimately did not commit, or which has not
    1087                 :             :  * yet committed, then the table's current TupleDesc might differ from the one
    1088                 :             :  * used to construct this tuple, so we must not check it.
    1089                 :             :  *
    1090                 :             :  * As a special case, if our own transaction inserted the tuple, even if we
    1091                 :             :  * added a column to the table, our TupleDesc should match.  We could check the
    1092                 :             :  * tuple, but choose not to do so.
    1093                 :             :  *
    1094                 :             :  * If a tuple has been updated or deleted, we can still read the old tuple for
    1095                 :             :  * corruption checking purposes, as long as we are careful about concurrent
    1096                 :             :  * vacuums.  The main table tuple itself cannot be vacuumed away because we
    1097                 :             :  * hold a buffer lock on the page, but if the deleting transaction is older
    1098                 :             :  * than our transaction snapshot's xmin, then vacuum could remove the toast at
    1099                 :             :  * any time, so we must not try to follow TOAST pointers.
    1100                 :             :  *
    1101                 :             :  * If xmin or xmax values are older than can be checked against clog, or appear
    1102                 :             :  * to be in the future (possibly due to wrap-around), then we cannot make a
    1103                 :             :  * determination about the visibility of the tuple, so we skip further checks.
    1104                 :             :  *
    1105                 :             :  * Returns true if the tuple itself should be checked, false otherwise.  Sets
    1106                 :             :  * ctx->tuple_could_be_pruned if the tuple -- and thus also any associated
    1107                 :             :  * TOAST tuples -- are eligible for pruning.
    1108                 :             :  *
    1109                 :             :  * Sets *xmin_commit_status_ok to true if the commit status of xmin is known
    1110                 :             :  * and false otherwise. If it's set to true, then also set *xmin_commit_status
    1111                 :             :  * to the actual commit status.
    1112                 :             :  */
    1113                 :             : static bool
    1114                 :      565029 : check_tuple_visibility(HeapCheckContext *ctx, bool *xmin_commit_status_ok,
    1115                 :             :                        XidCommitStatus *xmin_commit_status)
    1116                 :             : {
    1117                 :             :     TransactionId xmin;
    1118                 :             :     TransactionId xvac;
    1119                 :             :     TransactionId xmax;
    1120                 :             :     XidCommitStatus xmin_status;
    1121                 :             :     XidCommitStatus xvac_status;
    1122                 :             :     XidCommitStatus xmax_status;
    1123                 :      565029 :     HeapTupleHeader tuphdr = ctx->tuphdr;
    1124                 :             : 
    1125                 :      565029 :     ctx->tuple_could_be_pruned = true;   /* have not yet proven otherwise */
    1126                 :      565029 :     *xmin_commit_status_ok = false; /* have not yet proven otherwise */
    1127                 :             : 
    1128                 :             :     /* If xmin is normal, it should be within valid range */
    1129                 :      565029 :     xmin = HeapTupleHeaderGetXmin(tuphdr);
    1130   [ -  +  +  +  :      565029 :     switch (get_xid_status(xmin, ctx, &xmin_status))
                   +  - ]
    1131                 :             :     {
    1132                 :           0 :         case XID_INVALID:
    1133                 :             :             /* Could be the result of a speculative insertion that aborted. */
    1134                 :           0 :             return false;
    1135                 :      565025 :         case XID_BOUNDS_OK:
    1136                 :      565025 :             *xmin_commit_status_ok = true;
    1137                 :      565025 :             *xmin_commit_status = xmin_status;
    1138                 :      565025 :             break;
    1139                 :           1 :         case XID_IN_FUTURE:
    1140                 :           1 :             report_corruption(ctx,
    1141                 :             :                               psprintf("xmin %u equals or exceeds next valid transaction ID %u:%u",
    1142                 :             :                                        xmin,
    1143                 :           1 :                                        EpochFromFullTransactionId(ctx->next_fxid),
    1144                 :           1 :                                        XidFromFullTransactionId(ctx->next_fxid)));
    1145                 :           1 :             return false;
    1146                 :           2 :         case XID_PRECEDES_CLUSTERMIN:
    1147                 :           2 :             report_corruption(ctx,
    1148                 :             :                               psprintf("xmin %u precedes oldest valid transaction ID %u:%u",
    1149                 :             :                                        xmin,
    1150                 :           2 :                                        EpochFromFullTransactionId(ctx->oldest_fxid),
    1151                 :           2 :                                        XidFromFullTransactionId(ctx->oldest_fxid)));
    1152                 :           2 :             return false;
    1153                 :           1 :         case XID_PRECEDES_RELMIN:
    1154                 :           1 :             report_corruption(ctx,
    1155                 :             :                               psprintf("xmin %u precedes relation freeze threshold %u:%u",
    1156                 :             :                                        xmin,
    1157                 :           1 :                                        EpochFromFullTransactionId(ctx->relfrozenfxid),
    1158                 :           1 :                                        XidFromFullTransactionId(ctx->relfrozenfxid)));
    1159                 :           1 :             return false;
    1160                 :             :     }
    1161                 :             : 
    1162                 :             :     /*
    1163                 :             :      * Has inserting transaction committed?
    1164                 :             :      */
    1165         [ +  + ]:      565025 :     if (!HeapTupleHeaderXminCommitted(tuphdr))
    1166                 :             :     {
    1167         [ -  + ]:        8423 :         if (HeapTupleHeaderXminInvalid(tuphdr))
    1168                 :           0 :             return false;       /* inserter aborted, don't check */
    1169                 :             :         /* Used by pre-9.0 binary upgrades */
    1170         [ -  + ]:        8423 :         else if (tuphdr->t_infomask & HEAP_MOVED_OFF)
    1171                 :             :         {
    1172                 :           0 :             xvac = HeapTupleHeaderGetXvac(tuphdr);
    1173                 :             : 
    1174   [ #  #  #  #  :           0 :             switch (get_xid_status(xvac, ctx, &xvac_status))
                   #  # ]
    1175                 :             :             {
    1176                 :           0 :                 case XID_INVALID:
    1177                 :           0 :                     report_corruption(ctx,
    1178                 :             :                                       pstrdup("old-style VACUUM FULL transaction ID for moved off tuple is invalid"));
    1179                 :           0 :                     return false;
    1180                 :           0 :                 case XID_IN_FUTURE:
    1181                 :           0 :                     report_corruption(ctx,
    1182                 :             :                                       psprintf("old-style VACUUM FULL transaction ID %u for moved off tuple equals or exceeds next valid transaction ID %u:%u",
    1183                 :             :                                                xvac,
    1184                 :           0 :                                                EpochFromFullTransactionId(ctx->next_fxid),
    1185                 :           0 :                                                XidFromFullTransactionId(ctx->next_fxid)));
    1186                 :           0 :                     return false;
    1187                 :           0 :                 case XID_PRECEDES_RELMIN:
    1188                 :           0 :                     report_corruption(ctx,
    1189                 :             :                                       psprintf("old-style VACUUM FULL transaction ID %u for moved off tuple precedes relation freeze threshold %u:%u",
    1190                 :             :                                                xvac,
    1191                 :           0 :                                                EpochFromFullTransactionId(ctx->relfrozenfxid),
    1192                 :           0 :                                                XidFromFullTransactionId(ctx->relfrozenfxid)));
    1193                 :           0 :                     return false;
    1194                 :           0 :                 case XID_PRECEDES_CLUSTERMIN:
    1195                 :           0 :                     report_corruption(ctx,
    1196                 :             :                                       psprintf("old-style VACUUM FULL transaction ID %u for moved off tuple precedes oldest valid transaction ID %u:%u",
    1197                 :             :                                                xvac,
    1198                 :           0 :                                                EpochFromFullTransactionId(ctx->oldest_fxid),
    1199                 :           0 :                                                XidFromFullTransactionId(ctx->oldest_fxid)));
    1200                 :           0 :                     return false;
    1201                 :           0 :                 case XID_BOUNDS_OK:
    1202                 :           0 :                     break;
    1203                 :             :             }
    1204                 :             : 
    1205   [ #  #  #  #  :           0 :             switch (xvac_status)
                      # ]
    1206                 :             :             {
    1207                 :           0 :                 case XID_IS_CURRENT_XID:
    1208                 :           0 :                     report_corruption(ctx,
    1209                 :             :                                       psprintf("old-style VACUUM FULL transaction ID %u for moved off tuple matches our current transaction ID",
    1210                 :             :                                                xvac));
    1211                 :           0 :                     return false;
    1212                 :           0 :                 case XID_IN_PROGRESS:
    1213                 :           0 :                     report_corruption(ctx,
    1214                 :             :                                       psprintf("old-style VACUUM FULL transaction ID %u for moved off tuple appears to be in progress",
    1215                 :             :                                                xvac));
    1216                 :           0 :                     return false;
    1217                 :             : 
    1218                 :           0 :                 case XID_COMMITTED:
    1219                 :             : 
    1220                 :             :                     /*
    1221                 :             :                      * The tuple is dead, because the xvac transaction moved
    1222                 :             :                      * it off and committed. It's checkable, but also
    1223                 :             :                      * prunable.
    1224                 :             :                      */
    1225                 :           0 :                     return true;
    1226                 :             : 
    1227                 :           0 :                 case XID_ABORTED:
    1228                 :             : 
    1229                 :             :                     /*
    1230                 :             :                      * The original xmin must have committed, because the xvac
    1231                 :             :                      * transaction tried to move it later. Since xvac is
    1232                 :             :                      * aborted, whether it's still alive now depends on the
    1233                 :             :                      * status of xmax.
    1234                 :             :                      */
    1235                 :           0 :                     break;
    1236                 :             :             }
    1237                 :             :         }
    1238                 :             :         /* Used by pre-9.0 binary upgrades */
    1239         [ -  + ]:        8423 :         else if (tuphdr->t_infomask & HEAP_MOVED_IN)
    1240                 :             :         {
    1241                 :           0 :             xvac = HeapTupleHeaderGetXvac(tuphdr);
    1242                 :             : 
    1243   [ #  #  #  #  :           0 :             switch (get_xid_status(xvac, ctx, &xvac_status))
                   #  # ]
    1244                 :             :             {
    1245                 :           0 :                 case XID_INVALID:
    1246                 :           0 :                     report_corruption(ctx,
    1247                 :             :                                       pstrdup("old-style VACUUM FULL transaction ID for moved in tuple is invalid"));
    1248                 :           0 :                     return false;
    1249                 :           0 :                 case XID_IN_FUTURE:
    1250                 :           0 :                     report_corruption(ctx,
    1251                 :             :                                       psprintf("old-style VACUUM FULL transaction ID %u for moved in tuple equals or exceeds next valid transaction ID %u:%u",
    1252                 :             :                                                xvac,
    1253                 :           0 :                                                EpochFromFullTransactionId(ctx->next_fxid),
    1254                 :           0 :                                                XidFromFullTransactionId(ctx->next_fxid)));
    1255                 :           0 :                     return false;
    1256                 :           0 :                 case XID_PRECEDES_RELMIN:
    1257                 :           0 :                     report_corruption(ctx,
    1258                 :             :                                       psprintf("old-style VACUUM FULL transaction ID %u for moved in tuple precedes relation freeze threshold %u:%u",
    1259                 :             :                                                xvac,
    1260                 :           0 :                                                EpochFromFullTransactionId(ctx->relfrozenfxid),
    1261                 :           0 :                                                XidFromFullTransactionId(ctx->relfrozenfxid)));
    1262                 :           0 :                     return false;
    1263                 :           0 :                 case XID_PRECEDES_CLUSTERMIN:
    1264                 :           0 :                     report_corruption(ctx,
    1265                 :             :                                       psprintf("old-style VACUUM FULL transaction ID %u for moved in tuple precedes oldest valid transaction ID %u:%u",
    1266                 :             :                                                xvac,
    1267                 :           0 :                                                EpochFromFullTransactionId(ctx->oldest_fxid),
    1268                 :           0 :                                                XidFromFullTransactionId(ctx->oldest_fxid)));
    1269                 :           0 :                     return false;
    1270                 :           0 :                 case XID_BOUNDS_OK:
    1271                 :           0 :                     break;
    1272                 :             :             }
    1273                 :             : 
    1274   [ #  #  #  #  :           0 :             switch (xvac_status)
                      # ]
    1275                 :             :             {
    1276                 :           0 :                 case XID_IS_CURRENT_XID:
    1277                 :           0 :                     report_corruption(ctx,
    1278                 :             :                                       psprintf("old-style VACUUM FULL transaction ID %u for moved in tuple matches our current transaction ID",
    1279                 :             :                                                xvac));
    1280                 :           0 :                     return false;
    1281                 :           0 :                 case XID_IN_PROGRESS:
    1282                 :           0 :                     report_corruption(ctx,
    1283                 :             :                                       psprintf("old-style VACUUM FULL transaction ID %u for moved in tuple appears to be in progress",
    1284                 :             :                                                xvac));
    1285                 :           0 :                     return false;
    1286                 :             : 
    1287                 :           0 :                 case XID_COMMITTED:
    1288                 :             : 
    1289                 :             :                     /*
    1290                 :             :                      * The original xmin must have committed, because the xvac
    1291                 :             :                      * transaction moved it later. Whether it's still alive
    1292                 :             :                      * now depends on the status of xmax.
    1293                 :             :                      */
    1294                 :           0 :                     break;
    1295                 :             : 
    1296                 :           0 :                 case XID_ABORTED:
    1297                 :             : 
    1298                 :             :                     /*
    1299                 :             :                      * The tuple is dead, because the xvac transaction moved
    1300                 :             :                      * it off and committed. It's checkable, but also
    1301                 :             :                      * prunable.
    1302                 :             :                      */
    1303                 :           0 :                     return true;
    1304                 :             :             }
    1305                 :             :         }
    1306         [ +  + ]:        8423 :         else if (xmin_status != XID_COMMITTED)
    1307                 :             :         {
    1308                 :             :             /*
    1309                 :             :              * Inserting transaction is not in progress, and not committed, so
    1310                 :             :              * it might have changed the TupleDesc in ways we don't know
    1311                 :             :              * about. Thus, don't try to check the tuple structure.
    1312                 :             :              *
    1313                 :             :              * If xmin_status happens to be XID_IS_CURRENT_XID, then in theory
    1314                 :             :              * any such DDL changes ought to be visible to us, so perhaps we
    1315                 :             :              * could check anyway in that case. But, for now, let's be
    1316                 :             :              * conservative and treat this like any other uncommitted insert.
    1317                 :             :              */
    1318                 :           7 :             return false;
    1319                 :             :         }
    1320                 :             :     }
    1321                 :             : 
    1322                 :             :     /*
    1323                 :             :      * Okay, the inserter committed, so it was good at some point.  Now what
    1324                 :             :      * about the deleting transaction?
    1325                 :             :      */
    1326                 :             : 
    1327         [ +  + ]:      565018 :     if (tuphdr->t_infomask & HEAP_XMAX_IS_MULTI)
    1328                 :             :     {
    1329                 :             :         /*
    1330                 :             :          * xmax is a multixact, so sanity-check the MXID. Note that we do this
    1331                 :             :          * prior to checking for HEAP_XMAX_INVALID or
    1332                 :             :          * HEAP_XMAX_IS_LOCKED_ONLY. This might therefore complain about
    1333                 :             :          * things that wouldn't actually be a problem during a normal scan,
    1334                 :             :          * but eventually we're going to have to freeze, and that process will
    1335                 :             :          * ignore hint bits.
    1336                 :             :          *
    1337                 :             :          * Even if the MXID is out of range, we still know that the original
    1338                 :             :          * insert committed, so we can check the tuple itself. However, we
    1339                 :             :          * can't rule out the possibility that this tuple is dead, so don't
    1340                 :             :          * clear ctx->tuple_could_be_pruned. Possibly we should go ahead and
    1341                 :             :          * clear that flag anyway if HEAP_XMAX_INVALID is set or if
    1342                 :             :          * HEAP_XMAX_IS_LOCKED_ONLY is true, but for now we err on the side of
    1343                 :             :          * avoiding possibly-bogus complaints about missing TOAST entries.
    1344                 :             :          */
    1345                 :          58 :         xmax = HeapTupleHeaderGetRawXmax(tuphdr);
    1346   [ -  +  -  +  :          58 :         switch (check_mxid_valid_in_rel(xmax, ctx))
                   +  - ]
    1347                 :             :         {
    1348                 :           0 :             case XID_INVALID:
    1349                 :           0 :                 report_corruption(ctx,
    1350                 :             :                                   pstrdup("multitransaction ID is invalid"));
    1351                 :           0 :                 return true;
    1352                 :           1 :             case XID_PRECEDES_RELMIN:
    1353                 :           1 :                 report_corruption(ctx,
    1354                 :             :                                   psprintf("multitransaction ID %u precedes relation minimum multitransaction ID threshold %u",
    1355                 :             :                                            xmax, ctx->relminmxid));
    1356                 :           1 :                 return true;
    1357                 :           0 :             case XID_PRECEDES_CLUSTERMIN:
    1358                 :           0 :                 report_corruption(ctx,
    1359                 :             :                                   psprintf("multitransaction ID %u precedes oldest valid multitransaction ID threshold %u",
    1360                 :             :                                            xmax, ctx->oldest_mxact));
    1361                 :           0 :                 return true;
    1362                 :           1 :             case XID_IN_FUTURE:
    1363                 :           1 :                 report_corruption(ctx,
    1364                 :             :                                   psprintf("multitransaction ID %u equals or exceeds next valid multitransaction ID %u",
    1365                 :             :                                            xmax,
    1366                 :             :                                            ctx->next_mxact));
    1367                 :           1 :                 return true;
    1368                 :          56 :             case XID_BOUNDS_OK:
    1369                 :          56 :                 break;
    1370                 :             :         }
    1371                 :             :     }
    1372                 :             : 
    1373         [ +  + ]:      565016 :     if (tuphdr->t_infomask & HEAP_XMAX_INVALID)
    1374                 :             :     {
    1375                 :             :         /*
    1376                 :             :          * This tuple is live.  A concurrently running transaction could
    1377                 :             :          * delete it before we get around to checking the toast, but any such
    1378                 :             :          * running transaction is surely not less than our safe_xmin, so the
    1379                 :             :          * toast cannot be vacuumed out from under us.
    1380                 :             :          */
    1381                 :      563789 :         ctx->tuple_could_be_pruned = false;
    1382                 :      563789 :         return true;
    1383                 :             :     }
    1384                 :             : 
    1385         [ +  + ]:        1227 :     if (HEAP_XMAX_IS_LOCKED_ONLY(tuphdr->t_infomask))
    1386                 :             :     {
    1387                 :             :         /*
    1388                 :             :          * "Deleting" xact really only locked it, so the tuple is live in any
    1389                 :             :          * case.  As above, a concurrently running transaction could delete
    1390                 :             :          * it, but it cannot be vacuumed out from under us.
    1391                 :             :          */
    1392                 :          28 :         ctx->tuple_could_be_pruned = false;
    1393                 :          28 :         return true;
    1394                 :             :     }
    1395                 :             : 
    1396         [ +  + ]:        1199 :     if (tuphdr->t_infomask & HEAP_XMAX_IS_MULTI)
    1397                 :             :     {
    1398                 :             :         /*
    1399                 :             :          * We already checked above that this multixact is within limits for
    1400                 :             :          * this table.  Now check the update xid from this multixact.
    1401                 :             :          */
    1402                 :          28 :         xmax = HeapTupleGetUpdateXid(tuphdr);
    1403   [ -  -  -  -  :          28 :         switch (get_xid_status(xmax, ctx, &xmax_status))
                   +  - ]
    1404                 :             :         {
    1405                 :           0 :             case XID_INVALID:
    1406                 :             :                 /* not LOCKED_ONLY, so it has to have an xmax */
    1407                 :           0 :                 report_corruption(ctx,
    1408                 :             :                                   pstrdup("update xid is invalid"));
    1409                 :           0 :                 return true;
    1410                 :           0 :             case XID_IN_FUTURE:
    1411                 :           0 :                 report_corruption(ctx,
    1412                 :             :                                   psprintf("update xid %u equals or exceeds next valid transaction ID %u:%u",
    1413                 :             :                                            xmax,
    1414                 :           0 :                                            EpochFromFullTransactionId(ctx->next_fxid),
    1415                 :           0 :                                            XidFromFullTransactionId(ctx->next_fxid)));
    1416                 :           0 :                 return true;
    1417                 :           0 :             case XID_PRECEDES_RELMIN:
    1418                 :           0 :                 report_corruption(ctx,
    1419                 :             :                                   psprintf("update xid %u precedes relation freeze threshold %u:%u",
    1420                 :             :                                            xmax,
    1421                 :           0 :                                            EpochFromFullTransactionId(ctx->relfrozenfxid),
    1422                 :           0 :                                            XidFromFullTransactionId(ctx->relfrozenfxid)));
    1423                 :           0 :                 return true;
    1424                 :           0 :             case XID_PRECEDES_CLUSTERMIN:
    1425                 :           0 :                 report_corruption(ctx,
    1426                 :             :                                   psprintf("update xid %u precedes oldest valid transaction ID %u:%u",
    1427                 :             :                                            xmax,
    1428                 :           0 :                                            EpochFromFullTransactionId(ctx->oldest_fxid),
    1429                 :           0 :                                            XidFromFullTransactionId(ctx->oldest_fxid)));
    1430                 :           0 :                 return true;
    1431                 :          28 :             case XID_BOUNDS_OK:
    1432                 :          28 :                 break;
    1433                 :             :         }
    1434                 :             : 
    1435   [ -  +  -  - ]:          28 :         switch (xmax_status)
    1436                 :             :         {
    1437                 :           0 :             case XID_IS_CURRENT_XID:
    1438                 :             :             case XID_IN_PROGRESS:
    1439                 :             : 
    1440                 :             :                 /*
    1441                 :             :                  * The delete is in progress, so it cannot be visible to our
    1442                 :             :                  * snapshot.
    1443                 :             :                  */
    1444                 :           0 :                 ctx->tuple_could_be_pruned = false;
    1445                 :           0 :                 break;
    1446                 :          28 :             case XID_COMMITTED:
    1447                 :             : 
    1448                 :             :                 /*
    1449                 :             :                  * The delete committed.  Whether the toast can be vacuumed
    1450                 :             :                  * away depends on how old the deleting transaction is.
    1451                 :             :                  */
    1452                 :          28 :                 ctx->tuple_could_be_pruned = TransactionIdPrecedes(xmax,
    1453                 :             :                                                                    ctx->safe_xmin);
    1454                 :          28 :                 break;
    1455                 :           0 :             case XID_ABORTED:
    1456                 :             : 
    1457                 :             :                 /*
    1458                 :             :                  * The delete aborted or crashed.  The tuple is still live.
    1459                 :             :                  */
    1460                 :           0 :                 ctx->tuple_could_be_pruned = false;
    1461                 :           0 :                 break;
    1462                 :             :         }
    1463                 :             : 
    1464                 :             :         /* Tuple itself is checkable even if it's dead. */
    1465                 :          28 :         return true;
    1466                 :             :     }
    1467                 :             : 
    1468                 :             :     /* xmax is an XID, not a MXID. Sanity check it. */
    1469                 :        1171 :     xmax = HeapTupleHeaderGetRawXmax(tuphdr);
    1470   [ +  -  -  +  :        1171 :     switch (get_xid_status(xmax, ctx, &xmax_status))
                   +  - ]
    1471                 :             :     {
    1472                 :           1 :         case XID_INVALID:
    1473                 :           1 :             ctx->tuple_could_be_pruned = false;
    1474                 :           1 :             return true;
    1475                 :           0 :         case XID_IN_FUTURE:
    1476                 :           0 :             report_corruption(ctx,
    1477                 :             :                               psprintf("xmax %u equals or exceeds next valid transaction ID %u:%u",
    1478                 :             :                                        xmax,
    1479                 :           0 :                                        EpochFromFullTransactionId(ctx->next_fxid),
    1480                 :           0 :                                        XidFromFullTransactionId(ctx->next_fxid)));
    1481                 :           0 :             return false;       /* corrupt */
    1482                 :           0 :         case XID_PRECEDES_RELMIN:
    1483                 :           0 :             report_corruption(ctx,
    1484                 :             :                               psprintf("xmax %u precedes relation freeze threshold %u:%u",
    1485                 :             :                                        xmax,
    1486                 :           0 :                                        EpochFromFullTransactionId(ctx->relfrozenfxid),
    1487                 :           0 :                                        XidFromFullTransactionId(ctx->relfrozenfxid)));
    1488                 :           0 :             return false;       /* corrupt */
    1489                 :           1 :         case XID_PRECEDES_CLUSTERMIN:
    1490                 :           1 :             report_corruption(ctx,
    1491                 :             :                               psprintf("xmax %u precedes oldest valid transaction ID %u:%u",
    1492                 :             :                                        xmax,
    1493                 :           1 :                                        EpochFromFullTransactionId(ctx->oldest_fxid),
    1494                 :           1 :                                        XidFromFullTransactionId(ctx->oldest_fxid)));
    1495                 :           1 :             return false;       /* corrupt */
    1496                 :        1169 :         case XID_BOUNDS_OK:
    1497                 :        1169 :             break;
    1498                 :             :     }
    1499                 :             : 
    1500                 :             :     /*
    1501                 :             :      * Whether the toast can be vacuumed away depends on how old the deleting
    1502                 :             :      * transaction is.
    1503                 :             :      */
    1504   [ -  +  +  - ]:        1169 :     switch (xmax_status)
    1505                 :             :     {
    1506                 :           0 :         case XID_IS_CURRENT_XID:
    1507                 :             :         case XID_IN_PROGRESS:
    1508                 :             : 
    1509                 :             :             /*
    1510                 :             :              * The delete is in progress, so it cannot be visible to our
    1511                 :             :              * snapshot.
    1512                 :             :              */
    1513                 :           0 :             ctx->tuple_could_be_pruned = false;
    1514                 :           0 :             break;
    1515                 :             : 
    1516                 :        1166 :         case XID_COMMITTED:
    1517                 :             : 
    1518                 :             :             /*
    1519                 :             :              * The delete committed.  Whether the toast can be vacuumed away
    1520                 :             :              * depends on how old the deleting transaction is.
    1521                 :             :              */
    1522                 :        1166 :             ctx->tuple_could_be_pruned = TransactionIdPrecedes(xmax,
    1523                 :             :                                                                ctx->safe_xmin);
    1524                 :        1166 :             break;
    1525                 :             : 
    1526                 :           3 :         case XID_ABORTED:
    1527                 :             : 
    1528                 :             :             /*
    1529                 :             :              * The delete aborted or crashed.  The tuple is still live.
    1530                 :             :              */
    1531                 :           3 :             ctx->tuple_could_be_pruned = false;
    1532                 :           3 :             break;
    1533                 :             :     }
    1534                 :             : 
    1535                 :             :     /* Tuple itself is checkable even if it's dead. */
    1536                 :        1169 :     return true;
    1537                 :             : }
    1538                 :             : 
    1539                 :             : 
    1540                 :             : /*
    1541                 :             :  * Check the current toast tuple against the state tracked in ctx, recording
    1542                 :             :  * any corruption found in ctx->tupstore.
    1543                 :             :  *
    1544                 :             :  * This is not equivalent to running verify_heapam on the toast table itself,
    1545                 :             :  * and is not hardened against corruption of the toast table.  Rather, when
    1546                 :             :  * validating a toasted attribute in the main table, the sequence of toast
    1547                 :             :  * tuples that store the toasted value are retrieved and checked in order, with
    1548                 :             :  * each toast tuple being checked against where we are in the sequence, as well
    1549                 :             :  * as each toast tuple having its varlena structure sanity checked.
    1550                 :             :  *
    1551                 :             :  * On entry, *expected_chunk_seq should be the chunk_seq value that we expect
    1552                 :             :  * to find in toasttup. On exit, it will be updated to the value the next call
    1553                 :             :  * to this function should expect to see.
    1554                 :             :  */
    1555                 :             : static void
    1556                 :       42301 : check_toast_tuple(HeapTuple toasttup, HeapCheckContext *ctx,
    1557                 :             :                   ToastedAttribute *ta, int32 *expected_chunk_seq,
    1558                 :             :                   uint32 extsize)
    1559                 :             : {
    1560                 :             :     int32       chunk_seq;
    1561                 :       42301 :     int32       last_chunk_seq = (extsize - 1) / TOAST_MAX_CHUNK_SIZE;
    1562                 :             :     Pointer     chunk;
    1563                 :             :     bool        isnull;
    1564                 :             :     int32       chunksize;
    1565                 :             :     int32       expected_size;
    1566                 :             : 
    1567                 :             :     /* Sanity-check the sequence number. */
    1568                 :       42301 :     chunk_seq = DatumGetInt32(fastgetattr(toasttup, 2,
    1569                 :       42301 :                                           ctx->toast_rel->rd_att, &isnull));
    1570         [ -  + ]:       42301 :     if (isnull)
    1571                 :             :     {
    1572                 :           0 :         report_toast_corruption(ctx, ta,
    1573                 :             :                                 psprintf("toast value %u has toast chunk with null sequence number",
    1574                 :             :                                          ta->toast_pointer.va_valueid));
    1575                 :           0 :         return;
    1576                 :             :     }
    1577         [ -  + ]:       42301 :     if (chunk_seq != *expected_chunk_seq)
    1578                 :             :     {
    1579                 :             :         /* Either the TOAST index is corrupt, or we don't have all chunks. */
    1580                 :           0 :         report_toast_corruption(ctx, ta,
    1581                 :             :                                 psprintf("toast value %u index scan returned chunk %d when expecting chunk %d",
    1582                 :             :                                          ta->toast_pointer.va_valueid,
    1583                 :             :                                          chunk_seq, *expected_chunk_seq));
    1584                 :             :     }
    1585                 :       42301 :     *expected_chunk_seq = chunk_seq + 1;
    1586                 :             : 
    1587                 :             :     /* Sanity-check the chunk data. */
    1588                 :       42301 :     chunk = DatumGetPointer(fastgetattr(toasttup, 3,
    1589                 :       42301 :                                         ctx->toast_rel->rd_att, &isnull));
    1590         [ -  + ]:       42301 :     if (isnull)
    1591                 :             :     {
    1592                 :           0 :         report_toast_corruption(ctx, ta,
    1593                 :             :                                 psprintf("toast value %u chunk %d has null data",
    1594                 :             :                                          ta->toast_pointer.va_valueid,
    1595                 :             :                                          chunk_seq));
    1596                 :           0 :         return;
    1597                 :             :     }
    1598         [ +  - ]:       42301 :     if (!VARATT_IS_EXTENDED(chunk))
    1599                 :       42301 :         chunksize = VARSIZE(chunk) - VARHDRSZ;
    1600         [ #  # ]:           0 :     else if (VARATT_IS_SHORT(chunk))
    1601                 :             :     {
    1602                 :             :         /*
    1603                 :             :          * could happen due to heap_form_tuple doing its thing
    1604                 :             :          */
    1605                 :           0 :         chunksize = VARSIZE_SHORT(chunk) - VARHDRSZ_SHORT;
    1606                 :             :     }
    1607                 :             :     else
    1608                 :             :     {
    1609                 :             :         /* should never happen */
    1610                 :           0 :         uint32      header = ((varattrib_4b *) chunk)->va_4byte.va_header;
    1611                 :             : 
    1612                 :           0 :         report_toast_corruption(ctx, ta,
    1613                 :             :                                 psprintf("toast value %u chunk %d has invalid varlena header %0x",
    1614                 :             :                                          ta->toast_pointer.va_valueid,
    1615                 :             :                                          chunk_seq, header));
    1616                 :           0 :         return;
    1617                 :             :     }
    1618                 :             : 
    1619                 :             :     /*
    1620                 :             :      * Some checks on the data we've found
    1621                 :             :      */
    1622         [ -  + ]:       42301 :     if (chunk_seq > last_chunk_seq)
    1623                 :             :     {
    1624                 :           0 :         report_toast_corruption(ctx, ta,
    1625                 :             :                                 psprintf("toast value %u chunk %d follows last expected chunk %d",
    1626                 :             :                                          ta->toast_pointer.va_valueid,
    1627                 :             :                                          chunk_seq, last_chunk_seq));
    1628                 :           0 :         return;
    1629                 :             :     }
    1630                 :             : 
    1631         [ +  + ]:       42301 :     expected_size = chunk_seq < last_chunk_seq ? TOAST_MAX_CHUNK_SIZE
    1632                 :       12631 :         : extsize - (last_chunk_seq * TOAST_MAX_CHUNK_SIZE);
    1633                 :             : 
    1634         [ -  + ]:       42301 :     if (chunksize != expected_size)
    1635                 :           0 :         report_toast_corruption(ctx, ta,
    1636                 :             :                                 psprintf("toast value %u chunk %d has size %u, but expected size %u",
    1637                 :             :                                          ta->toast_pointer.va_valueid,
    1638                 :             :                                          chunk_seq, chunksize, expected_size));
    1639                 :             : }
    1640                 :             : 
    1641                 :             : /*
    1642                 :             :  * Check the current attribute as tracked in ctx, recording any corruption
    1643                 :             :  * found in ctx->tupstore.
    1644                 :             :  *
    1645                 :             :  * This function follows the logic performed by heap_deform_tuple(), and in the
    1646                 :             :  * case of a toasted value, optionally stores the toast pointer so later it can
    1647                 :             :  * be checked following the logic of detoast_external_attr(), checking for any
    1648                 :             :  * conditions that would result in either of those functions Asserting or
    1649                 :             :  * crashing the backend.  The checks performed by Asserts present in those two
    1650                 :             :  * functions are also performed here and in check_toasted_attribute.  In cases
    1651                 :             :  * where those two functions are a bit cavalier in their assumptions about data
    1652                 :             :  * being correct, we perform additional checks not present in either of those
    1653                 :             :  * two functions.  Where some condition is checked in both of those functions,
    1654                 :             :  * we perform it here twice, as we parallel the logical flow of those two
    1655                 :             :  * functions.  The presence of duplicate checks seems a reasonable price to pay
    1656                 :             :  * for keeping this code tightly coupled with the code it protects.
    1657                 :             :  *
    1658                 :             :  * Returns true if the tuple attribute is sane enough for processing to
    1659                 :             :  * continue on to the next attribute, false otherwise.
    1660                 :             :  */
    1661                 :             : static bool
    1662                 :     8150053 : check_tuple_attribute(HeapCheckContext *ctx)
    1663                 :             : {
    1664                 :             :     Datum       attdatum;
    1665                 :             :     varlena    *attr;
    1666                 :             :     char       *tp;             /* pointer to the tuple data */
    1667                 :             :     uint16      infomask;
    1668                 :             :     CompactAttribute *thisatt;
    1669                 :             :     varatt_external toast_pointer;
    1670                 :             : 
    1671                 :     8150053 :     infomask = ctx->tuphdr->t_infomask;
    1672                 :     8150053 :     thisatt = TupleDescCompactAttr(RelationGetDescr(ctx->rel), ctx->attnum);
    1673                 :             : 
    1674                 :     8150053 :     tp = (char *) ctx->tuphdr + ctx->tuphdr->t_hoff;
    1675                 :             : 
    1676         [ -  + ]:     8150053 :     if (ctx->tuphdr->t_hoff + ctx->offset > ctx->lp_len)
    1677                 :             :     {
    1678                 :           0 :         report_corruption(ctx,
    1679                 :             :                           psprintf("attribute with length %u starts at offset %u beyond total tuple length %u",
    1680                 :           0 :                                    thisatt->attlen,
    1681                 :           0 :                                    ctx->tuphdr->t_hoff + ctx->offset,
    1682                 :           0 :                                    ctx->lp_len));
    1683                 :           0 :         return false;
    1684                 :             :     }
    1685                 :             : 
    1686                 :             :     /* Skip null values */
    1687   [ +  +  +  + ]:     8150053 :     if (infomask & HEAP_HASNULL && att_isnull(ctx->attnum, ctx->tuphdr->t_bits))
    1688                 :     1389803 :         return true;
    1689                 :             : 
    1690                 :             :     /* Skip non-varlena values, but update offset first */
    1691         [ +  + ]:     6760250 :     if (thisatt->attlen != -1)
    1692                 :             :     {
    1693                 :     6202067 :         ctx->offset = att_nominal_alignby(ctx->offset, thisatt->attalignby);
    1694   [ +  -  -  - ]:     6202067 :         ctx->offset = att_addlength_pointer(ctx->offset, thisatt->attlen,
    1695                 :             :                                             tp + ctx->offset);
    1696         [ -  + ]:     6202067 :         if (ctx->tuphdr->t_hoff + ctx->offset > ctx->lp_len)
    1697                 :             :         {
    1698                 :           0 :             report_corruption(ctx,
    1699                 :             :                               psprintf("attribute with length %u ends at offset %u beyond total tuple length %u",
    1700                 :           0 :                                        thisatt->attlen,
    1701                 :           0 :                                        ctx->tuphdr->t_hoff + ctx->offset,
    1702                 :           0 :                                        ctx->lp_len));
    1703                 :           0 :             return false;
    1704                 :             :         }
    1705                 :     6202067 :         return true;
    1706                 :             :     }
    1707                 :             : 
    1708                 :             :     /* Ok, we're looking at a varlena attribute. */
    1709         [ +  + ]:      558183 :     ctx->offset = att_pointer_alignby(ctx->offset, thisatt->attalignby, -1,
    1710                 :             :                                       tp + ctx->offset);
    1711                 :             : 
    1712                 :             :     /* Get the (possibly corrupt) varlena datum */
    1713                 :      558183 :     attdatum = fetchatt(thisatt, tp + ctx->offset);
    1714                 :             : 
    1715                 :             :     /*
    1716                 :             :      * We have the datum, but we cannot decode it carelessly, as it may still
    1717                 :             :      * be corrupt.
    1718                 :             :      */
    1719                 :             : 
    1720                 :             :     /*
    1721                 :             :      * Check that VARTAG_SIZE won't hit an Assert on a corrupt va_tag before
    1722                 :             :      * risking a call into att_addlength_pointer
    1723                 :             :      */
    1724         [ +  + ]:      558183 :     if (VARATT_IS_EXTERNAL(tp + ctx->offset))
    1725                 :             :     {
    1726                 :       27072 :         uint8       va_tag = VARTAG_EXTERNAL(tp + ctx->offset);
    1727                 :             : 
    1728         [ -  + ]:       27072 :         if (va_tag != VARTAG_ONDISK)
    1729                 :             :         {
    1730                 :           0 :             report_corruption(ctx,
    1731                 :             :                               psprintf("toasted attribute has unexpected TOAST tag %u",
    1732                 :             :                                        va_tag));
    1733                 :             :             /* We can't know where the next attribute begins */
    1734                 :           0 :             return false;
    1735                 :             :         }
    1736                 :             :     }
    1737                 :             : 
    1738                 :             :     /* Ok, should be safe now */
    1739   [ -  +  +  - ]:      558183 :     ctx->offset = att_addlength_pointer(ctx->offset, thisatt->attlen,
    1740                 :             :                                         tp + ctx->offset);
    1741                 :             : 
    1742         [ +  + ]:      558183 :     if (ctx->tuphdr->t_hoff + ctx->offset > ctx->lp_len)
    1743                 :             :     {
    1744                 :           1 :         report_corruption(ctx,
    1745                 :             :                           psprintf("attribute with length %u ends at offset %u beyond total tuple length %u",
    1746                 :           1 :                                    thisatt->attlen,
    1747                 :           1 :                                    ctx->tuphdr->t_hoff + ctx->offset,
    1748                 :           1 :                                    ctx->lp_len));
    1749                 :             : 
    1750                 :           1 :         return false;
    1751                 :             :     }
    1752                 :             : 
    1753                 :             :     /*
    1754                 :             :      * heap_deform_tuple would be done with this attribute at this point,
    1755                 :             :      * having stored it in values[], and would continue to the next attribute.
    1756                 :             :      * We go further, because we need to check if the toast datum is corrupt.
    1757                 :             :      */
    1758                 :             : 
    1759                 :      558182 :     attr = (varlena *) DatumGetPointer(attdatum);
    1760                 :             : 
    1761                 :             :     /*
    1762                 :             :      * Now we follow the logic of detoast_external_attr(), with the same
    1763                 :             :      * caveats about being paranoid about corruption.
    1764                 :             :      */
    1765                 :             : 
    1766                 :             :     /* Skip values that are not external */
    1767         [ +  + ]:      558182 :     if (!VARATT_IS_EXTERNAL(attr))
    1768                 :      531110 :         return true;
    1769                 :             : 
    1770                 :             :     /* It is external, and we're looking at a page on disk */
    1771                 :             : 
    1772                 :             :     /*
    1773                 :             :      * Must copy attr into toast_pointer for alignment considerations
    1774                 :             :      */
    1775                 :       27072 :     VARATT_EXTERNAL_GET_POINTER(toast_pointer, attr);
    1776                 :             : 
    1777                 :             :     /* Toasted attributes too large to be untoasted should never be stored */
    1778         [ -  + ]:       27072 :     if (toast_pointer.va_rawsize > VARLENA_SIZE_LIMIT)
    1779                 :           0 :         report_corruption(ctx,
    1780                 :             :                           psprintf("toast value %u rawsize %d exceeds limit %d",
    1781                 :             :                                    toast_pointer.va_valueid,
    1782                 :             :                                    toast_pointer.va_rawsize,
    1783                 :             :                                    VARLENA_SIZE_LIMIT));
    1784                 :             : 
    1785         [ +  + ]:       27072 :     if (VARATT_EXTERNAL_IS_COMPRESSED(toast_pointer))
    1786                 :             :     {
    1787                 :             :         ToastCompressionId cmid;
    1788                 :        2844 :         bool        valid = false;
    1789                 :             : 
    1790                 :             :         /* Compressed attributes should have a valid compression method */
    1791                 :        2844 :         cmid = TOAST_COMPRESS_METHOD(&toast_pointer);
    1792      [ +  -  - ]:        2844 :         switch (cmid)
    1793                 :             :         {
    1794                 :             :                 /* List of all valid compression method IDs */
    1795                 :        2844 :             case TOAST_PGLZ_COMPRESSION_ID:
    1796                 :             :             case TOAST_LZ4_COMPRESSION_ID:
    1797                 :        2844 :                 valid = true;
    1798                 :        2844 :                 break;
    1799                 :             : 
    1800                 :             :                 /* Recognized but invalid compression method ID */
    1801                 :           0 :             case TOAST_INVALID_COMPRESSION_ID:
    1802                 :           0 :                 break;
    1803                 :             : 
    1804                 :             :                 /* Intentionally no default here */
    1805                 :             :         }
    1806         [ -  + ]:        2844 :         if (!valid)
    1807                 :           0 :             report_corruption(ctx,
    1808                 :             :                               psprintf("toast value %u has invalid compression method id %d",
    1809                 :             :                                        toast_pointer.va_valueid, cmid));
    1810                 :             :     }
    1811                 :             : 
    1812                 :             :     /* The tuple header better claim to contain toasted values */
    1813         [ -  + ]:       27072 :     if (!(infomask & HEAP_HASEXTERNAL))
    1814                 :             :     {
    1815                 :           0 :         report_corruption(ctx,
    1816                 :             :                           psprintf("toast value %u is external but tuple header flag HEAP_HASEXTERNAL not set",
    1817                 :             :                                    toast_pointer.va_valueid));
    1818                 :           0 :         return true;
    1819                 :             :     }
    1820                 :             : 
    1821                 :             :     /* The relation better have a toast table */
    1822         [ -  + ]:       27072 :     if (!ctx->rel->rd_rel->reltoastrelid)
    1823                 :             :     {
    1824                 :           0 :         report_corruption(ctx,
    1825                 :             :                           psprintf("toast value %u is external but relation has no toast relation",
    1826                 :             :                                    toast_pointer.va_valueid));
    1827                 :           0 :         return true;
    1828                 :             :     }
    1829                 :             : 
    1830                 :             :     /* If we were told to skip toast checking, then we're done. */
    1831         [ +  + ]:       27072 :     if (ctx->toast_rel == NULL)
    1832                 :       14429 :         return true;
    1833                 :             : 
    1834                 :             :     /*
    1835                 :             :      * If this tuple is eligible to be pruned, we cannot check the toast.
    1836                 :             :      * Otherwise, we push a copy of the toast tuple so we can check it after
    1837                 :             :      * releasing the main table buffer lock.
    1838                 :             :      */
    1839         [ +  + ]:       12643 :     if (!ctx->tuple_could_be_pruned)
    1840                 :             :     {
    1841                 :             :         ToastedAttribute *ta;
    1842                 :             : 
    1843                 :       12641 :         ta = palloc0_object(ToastedAttribute);
    1844                 :             : 
    1845                 :       12641 :         VARATT_EXTERNAL_GET_POINTER(ta->toast_pointer, attr);
    1846                 :       12641 :         ta->blkno = ctx->blkno;
    1847                 :       12641 :         ta->offnum = ctx->offnum;
    1848                 :       12641 :         ta->attnum = ctx->attnum;
    1849                 :       12641 :         ctx->toasted_attributes = lappend(ctx->toasted_attributes, ta);
    1850                 :             :     }
    1851                 :             : 
    1852                 :       12643 :     return true;
    1853                 :             : }
    1854                 :             : 
    1855                 :             : /*
    1856                 :             :  * For each attribute collected in ctx->toasted_attributes, look up the value
    1857                 :             :  * in the toast table and perform checks on it.  This function should only be
    1858                 :             :  * called on toast pointers which cannot be vacuumed away during our
    1859                 :             :  * processing.
    1860                 :             :  */
    1861                 :             : static void
    1862                 :       12635 : check_toasted_attribute(HeapCheckContext *ctx, ToastedAttribute *ta)
    1863                 :             : {
    1864                 :             :     ScanKeyData toastkey;
    1865                 :             :     SysScanDesc toastscan;
    1866                 :             :     bool        found_toasttup;
    1867                 :             :     HeapTuple   toasttup;
    1868                 :             :     uint32      extsize;
    1869                 :       12635 :     int32       expected_chunk_seq = 0;
    1870                 :             :     int32       last_chunk_seq;
    1871                 :             : 
    1872                 :       12635 :     extsize = VARATT_EXTERNAL_GET_EXTSIZE(ta->toast_pointer);
    1873                 :       12635 :     last_chunk_seq = (extsize - 1) / TOAST_MAX_CHUNK_SIZE;
    1874                 :             : 
    1875                 :             :     /*
    1876                 :             :      * Setup a scan key to find chunks in toast table with matching va_valueid
    1877                 :             :      */
    1878                 :       12635 :     ScanKeyInit(&toastkey,
    1879                 :             :                 (AttrNumber) 1,
    1880                 :             :                 BTEqualStrategyNumber, F_OIDEQ,
    1881                 :             :                 ObjectIdGetDatum(ta->toast_pointer.va_valueid));
    1882                 :             : 
    1883                 :             :     /*
    1884                 :             :      * Check if any chunks for this toasted object exist in the toast table,
    1885                 :             :      * accessible via the index.
    1886                 :             :      */
    1887                 :       12635 :     toastscan = systable_beginscan_ordered(ctx->toast_rel,
    1888                 :             :                                            ctx->valid_toast_index,
    1889                 :             :                                            get_toast_snapshot(), 1,
    1890                 :             :                                            &toastkey);
    1891                 :       12635 :     found_toasttup = false;
    1892                 :       12635 :     while ((toasttup =
    1893                 :       54936 :             systable_getnext_ordered(toastscan,
    1894         [ +  + ]:       54933 :                                      ForwardScanDirection)) != NULL)
    1895                 :             :     {
    1896                 :       42301 :         found_toasttup = true;
    1897                 :       42301 :         check_toast_tuple(toasttup, ctx, ta, &expected_chunk_seq, extsize);
    1898                 :             :     }
    1899                 :       12632 :     systable_endscan_ordered(toastscan);
    1900                 :             : 
    1901         [ +  + ]:       12632 :     if (!found_toasttup)
    1902                 :           1 :         report_toast_corruption(ctx, ta,
    1903                 :             :                                 psprintf("toast value %u not found in toast table",
    1904                 :             :                                          ta->toast_pointer.va_valueid));
    1905         [ -  + ]:       12631 :     else if (expected_chunk_seq <= last_chunk_seq)
    1906                 :           0 :         report_toast_corruption(ctx, ta,
    1907                 :             :                                 psprintf("toast value %u was expected to end at chunk %d, but ended while expecting chunk %d",
    1908                 :             :                                          ta->toast_pointer.va_valueid,
    1909                 :             :                                          last_chunk_seq, expected_chunk_seq));
    1910                 :       12632 : }
    1911                 :             : 
    1912                 :             : /*
    1913                 :             :  * Check the current tuple as tracked in ctx, recording any corruption found in
    1914                 :             :  * ctx->tupstore.
    1915                 :             :  *
    1916                 :             :  * We return some information about the status of xmin to aid in validating
    1917                 :             :  * update chains.
    1918                 :             :  */
    1919                 :             : static void
    1920                 :      565034 : check_tuple(HeapCheckContext *ctx, bool *xmin_commit_status_ok,
    1921                 :             :             XidCommitStatus *xmin_commit_status)
    1922                 :             : {
    1923                 :             :     /*
    1924                 :             :      * Check various forms of tuple header corruption, and if the header is
    1925                 :             :      * too corrupt, do not continue with other checks.
    1926                 :             :      */
    1927         [ +  + ]:      565034 :     if (!check_tuple_header(ctx))
    1928                 :           5 :         return;
    1929                 :             : 
    1930                 :             :     /*
    1931                 :             :      * Check tuple visibility.  If the inserting transaction aborted, we
    1932                 :             :      * cannot assume our relation description matches the tuple structure, and
    1933                 :             :      * therefore cannot check it.
    1934                 :             :      */
    1935         [ +  + ]:      565029 :     if (!check_tuple_visibility(ctx, xmin_commit_status_ok,
    1936                 :             :                                 xmin_commit_status))
    1937                 :          12 :         return;
    1938                 :             : 
    1939                 :             :     /*
    1940                 :             :      * The tuple is visible, so it must be compatible with the current version
    1941                 :             :      * of the relation descriptor. It might have fewer columns than are
    1942                 :             :      * present in the relation descriptor, but it cannot have more.
    1943                 :             :      */
    1944         [ +  + ]:      565017 :     if (RelationGetDescr(ctx->rel)->natts < ctx->natts)
    1945                 :             :     {
    1946                 :           2 :         report_corruption(ctx,
    1947                 :             :                           psprintf("number of attributes %u exceeds maximum %u expected for table",
    1948                 :             :                                    ctx->natts,
    1949                 :           2 :                                    RelationGetDescr(ctx->rel)->natts));
    1950                 :           2 :         return;
    1951                 :             :     }
    1952                 :             : 
    1953                 :             :     /*
    1954                 :             :      * Check each attribute unless we hit corruption that confuses what to do
    1955                 :             :      * next, at which point we abort further attribute checks for this tuple.
    1956                 :             :      * Note that we don't abort for all types of corruption, only for those
    1957                 :             :      * types where we don't know how to continue.  We also don't abort the
    1958                 :             :      * checking of toasted attributes collected from the tuple prior to
    1959                 :             :      * aborting.  Those will still be checked later along with other toasted
    1960                 :             :      * attributes collected from the page.
    1961                 :             :      */
    1962                 :      565015 :     ctx->offset = 0;
    1963         [ +  + ]:     8715067 :     for (ctx->attnum = 0; ctx->attnum < ctx->natts; ctx->attnum++)
    1964         [ +  + ]:     8150053 :         if (!check_tuple_attribute(ctx))
    1965                 :           1 :             break;              /* cannot continue */
    1966                 :             : 
    1967                 :             :     /* revert attnum to -1 until we again examine individual attributes */
    1968                 :      565015 :     ctx->attnum = -1;
    1969                 :             : }
    1970                 :             : 
    1971                 :             : /*
    1972                 :             :  * Convert a TransactionId into a FullTransactionId using our cached values of
    1973                 :             :  * the valid transaction ID range.  It is the caller's responsibility to have
    1974                 :             :  * already updated the cached values, if necessary.  This is akin to
    1975                 :             :  * FullTransactionIdFromAllowableAt(), but it tolerates corruption in the form
    1976                 :             :  * of an xid before epoch 0.
    1977                 :             :  */
    1978                 :             : static FullTransactionId
    1979                 :       75225 : FullTransactionIdFromXidAndCtx(TransactionId xid, const HeapCheckContext *ctx)
    1980                 :             : {
    1981                 :             :     uint64      nextfxid_i;
    1982                 :             :     int32       diff;
    1983                 :             :     FullTransactionId fxid;
    1984                 :             : 
    1985                 :             :     Assert(TransactionIdIsNormal(ctx->next_xid));
    1986                 :             :     Assert(FullTransactionIdIsNormal(ctx->next_fxid));
    1987                 :             :     Assert(XidFromFullTransactionId(ctx->next_fxid) == ctx->next_xid);
    1988                 :             : 
    1989         [ +  + ]:       75225 :     if (!TransactionIdIsNormal(xid))
    1990                 :         191 :         return FullTransactionIdFromEpochAndXid(0, xid);
    1991                 :             : 
    1992                 :       75034 :     nextfxid_i = U64FromFullTransactionId(ctx->next_fxid);
    1993                 :             : 
    1994                 :             :     /* compute the 32bit modulo difference */
    1995                 :       75034 :     diff = (int32) (ctx->next_xid - xid);
    1996                 :             : 
    1997                 :             :     /*
    1998                 :             :      * In cases of corruption we might see a 32bit xid that is before epoch 0.
    1999                 :             :      * We can't represent that as a 64bit xid, due to 64bit xids being
    2000                 :             :      * unsigned integers, without the modulo arithmetic of 32bit xid. There's
    2001                 :             :      * no really nice way to deal with that, but it works ok enough to use
    2002                 :             :      * FirstNormalFullTransactionId in that case, as a freshly initdb'd
    2003                 :             :      * cluster already has a newer horizon.
    2004                 :             :      */
    2005   [ +  +  +  + ]:       75034 :     if (diff > 0 && (nextfxid_i - FirstNormalTransactionId) < (int64) diff)
    2006                 :             :     {
    2007                 :             :         Assert(EpochFromFullTransactionId(ctx->next_fxid) == 0);
    2008                 :           4 :         fxid = FirstNormalFullTransactionId;
    2009                 :             :     }
    2010                 :             :     else
    2011                 :       75030 :         fxid = FullTransactionIdFromU64(nextfxid_i - diff);
    2012                 :             : 
    2013                 :             :     Assert(FullTransactionIdIsNormal(fxid));
    2014                 :       75034 :     return fxid;
    2015                 :             : }
    2016                 :             : 
    2017                 :             : /*
    2018                 :             :  * Update our cached range of valid transaction IDs.
    2019                 :             :  */
    2020                 :             : static void
    2021                 :        1479 : update_cached_xid_range(HeapCheckContext *ctx)
    2022                 :             : {
    2023                 :             :     /* Make cached copies */
    2024                 :        1479 :     LWLockAcquire(XidGenLock, LW_SHARED);
    2025                 :        1479 :     ctx->next_fxid = TransamVariables->nextXid;
    2026                 :        1479 :     ctx->oldest_xid = TransamVariables->oldestXid;
    2027                 :        1479 :     LWLockRelease(XidGenLock);
    2028                 :             : 
    2029                 :             :     /* And compute alternate versions of the same */
    2030                 :        1479 :     ctx->next_xid = XidFromFullTransactionId(ctx->next_fxid);
    2031                 :        1479 :     ctx->oldest_fxid = FullTransactionIdFromXidAndCtx(ctx->oldest_xid, ctx);
    2032                 :        1479 : }
    2033                 :             : 
    2034                 :             : /*
    2035                 :             :  * Update our cached range of valid multitransaction IDs.
    2036                 :             :  */
    2037                 :             : static void
    2038                 :        1477 : update_cached_mxid_range(HeapCheckContext *ctx)
    2039                 :             : {
    2040                 :        1477 :     ReadMultiXactIdRange(&ctx->oldest_mxact, &ctx->next_mxact);
    2041                 :        1477 : }
    2042                 :             : 
    2043                 :             : /*
    2044                 :             :  * Return whether the given FullTransactionId is within our cached valid
    2045                 :             :  * transaction ID range.
    2046                 :             :  */
    2047                 :             : static inline bool
    2048                 :       63106 : fxid_in_cached_range(FullTransactionId fxid, const HeapCheckContext *ctx)
    2049                 :             : {
    2050         [ +  + ]:      126209 :     return (FullTransactionIdPrecedesOrEquals(ctx->oldest_fxid, fxid) &&
    2051         [ +  + ]:       63103 :             FullTransactionIdPrecedes(fxid, ctx->next_fxid));
    2052                 :             : }
    2053                 :             : 
    2054                 :             : /*
    2055                 :             :  * Checks whether a multitransaction ID is in the cached valid range, returning
    2056                 :             :  * the nature of the range violation, if any.
    2057                 :             :  */
    2058                 :             : static XidBoundsViolation
    2059                 :          60 : check_mxid_in_range(MultiXactId mxid, HeapCheckContext *ctx)
    2060                 :             : {
    2061         [ -  + ]:          60 :     if (!TransactionIdIsValid(mxid))
    2062                 :           0 :         return XID_INVALID;
    2063         [ +  + ]:          60 :     if (MultiXactIdPrecedes(mxid, ctx->relminmxid))
    2064                 :           2 :         return XID_PRECEDES_RELMIN;
    2065         [ -  + ]:          58 :     if (MultiXactIdPrecedes(mxid, ctx->oldest_mxact))
    2066                 :           0 :         return XID_PRECEDES_CLUSTERMIN;
    2067         [ +  + ]:          58 :     if (MultiXactIdPrecedesOrEquals(ctx->next_mxact, mxid))
    2068                 :           2 :         return XID_IN_FUTURE;
    2069                 :          56 :     return XID_BOUNDS_OK;
    2070                 :             : }
    2071                 :             : 
    2072                 :             : /*
    2073                 :             :  * Checks whether the given mxid is valid to appear in the heap being checked,
    2074                 :             :  * returning the nature of the range violation, if any.
    2075                 :             :  *
    2076                 :             :  * This function attempts to return quickly by caching the known valid mxid
    2077                 :             :  * range in ctx.  Callers should already have performed the initial setup of
    2078                 :             :  * the cache prior to the first call to this function.
    2079                 :             :  */
    2080                 :             : static XidBoundsViolation
    2081                 :          58 : check_mxid_valid_in_rel(MultiXactId mxid, HeapCheckContext *ctx)
    2082                 :             : {
    2083                 :             :     XidBoundsViolation result;
    2084                 :             : 
    2085                 :          58 :     result = check_mxid_in_range(mxid, ctx);
    2086         [ +  + ]:          58 :     if (result == XID_BOUNDS_OK)
    2087                 :          56 :         return XID_BOUNDS_OK;
    2088                 :             : 
    2089                 :             :     /* The range may have advanced.  Recheck. */
    2090                 :           2 :     update_cached_mxid_range(ctx);
    2091                 :           2 :     return check_mxid_in_range(mxid, ctx);
    2092                 :             : }
    2093                 :             : 
    2094                 :             : /*
    2095                 :             :  * Checks whether the given transaction ID is (or was recently) valid to appear
    2096                 :             :  * in the heap being checked, or whether it is too old or too new to appear in
    2097                 :             :  * the relation, returning information about the nature of the bounds violation.
    2098                 :             :  *
    2099                 :             :  * We cache the range of valid transaction IDs.  If xid is in that range, we
    2100                 :             :  * conclude that it is valid, even though concurrent changes to the table might
    2101                 :             :  * invalidate it under certain corrupt conditions.  (For example, if the table
    2102                 :             :  * contains corrupt all-frozen bits, a concurrent vacuum might skip the page(s)
    2103                 :             :  * containing the xid and then truncate clog and advance the relfrozenxid
    2104                 :             :  * beyond xid.) Reporting the xid as valid under such conditions seems
    2105                 :             :  * acceptable, since if we had checked it earlier in our scan it would have
    2106                 :             :  * truly been valid at that time.
    2107                 :             :  *
    2108                 :             :  * If the status argument is not NULL, and if and only if the transaction ID
    2109                 :             :  * appears to be valid in this relation, the status argument will be set with
    2110                 :             :  * the commit status of the transaction ID.
    2111                 :             :  */
    2112                 :             : static XidBoundsViolation
    2113                 :      566228 : get_xid_status(TransactionId xid, HeapCheckContext *ctx,
    2114                 :             :                XidCommitStatus *status)
    2115                 :             : {
    2116                 :             :     FullTransactionId fxid;
    2117                 :             :     FullTransactionId clog_horizon;
    2118                 :             : 
    2119                 :             :     /* Quick check for special xids */
    2120         [ +  + ]:      566228 :     if (!TransactionIdIsValid(xid))
    2121                 :           1 :         return XID_INVALID;
    2122   [ +  +  +  + ]:      566227 :     else if (xid == BootstrapTransactionId || xid == FrozenTransactionId)
    2123                 :             :     {
    2124         [ +  - ]:      503121 :         if (status != NULL)
    2125                 :      503121 :             *status = XID_COMMITTED;
    2126                 :      503121 :         return XID_BOUNDS_OK;
    2127                 :             :     }
    2128                 :             : 
    2129                 :             :     /* Check if the xid is within bounds */
    2130                 :       63106 :     fxid = FullTransactionIdFromXidAndCtx(xid, ctx);
    2131         [ +  + ]:       63106 :     if (!fxid_in_cached_range(fxid, ctx))
    2132                 :             :     {
    2133                 :             :         /*
    2134                 :             :          * We may have been checking against stale values.  Update the cached
    2135                 :             :          * range to be sure, and since we relied on the cached range when we
    2136                 :             :          * performed the full xid conversion, reconvert.
    2137                 :             :          */
    2138                 :           4 :         update_cached_xid_range(ctx);
    2139                 :           4 :         fxid = FullTransactionIdFromXidAndCtx(xid, ctx);
    2140                 :             :     }
    2141                 :             : 
    2142         [ +  + ]:       63106 :     if (FullTransactionIdPrecedesOrEquals(ctx->next_fxid, fxid))
    2143                 :           1 :         return XID_IN_FUTURE;
    2144         [ +  + ]:       63105 :     if (FullTransactionIdPrecedes(fxid, ctx->oldest_fxid))
    2145                 :           3 :         return XID_PRECEDES_CLUSTERMIN;
    2146         [ +  + ]:       63102 :     if (FullTransactionIdPrecedes(fxid, ctx->relfrozenfxid))
    2147                 :           1 :         return XID_PRECEDES_RELMIN;
    2148                 :             : 
    2149                 :             :     /* Early return if the caller does not request clog checking */
    2150         [ -  + ]:       63101 :     if (status == NULL)
    2151                 :           0 :         return XID_BOUNDS_OK;
    2152                 :             : 
    2153                 :             :     /* Early return if we just checked this xid in a prior call */
    2154         [ +  + ]:       63101 :     if (xid == ctx->cached_xid)
    2155                 :             :     {
    2156                 :       53940 :         *status = ctx->cached_status;
    2157                 :       53940 :         return XID_BOUNDS_OK;
    2158                 :             :     }
    2159                 :             : 
    2160                 :        9161 :     *status = XID_COMMITTED;
    2161                 :        9161 :     LWLockAcquire(XactTruncationLock, LW_SHARED);
    2162                 :             :     clog_horizon =
    2163                 :        9161 :         FullTransactionIdFromXidAndCtx(TransamVariables->oldestClogXid,
    2164                 :             :                                        ctx);
    2165         [ +  - ]:        9161 :     if (FullTransactionIdPrecedesOrEquals(clog_horizon, fxid))
    2166                 :             :     {
    2167         [ -  + ]:        9161 :         if (TransactionIdIsCurrentTransactionId(xid))
    2168                 :           0 :             *status = XID_IS_CURRENT_XID;
    2169         [ +  + ]:        9161 :         else if (TransactionIdIsInProgress(xid))
    2170                 :           2 :             *status = XID_IN_PROGRESS;
    2171         [ +  + ]:        9159 :         else if (TransactionIdDidCommit(xid))
    2172                 :        9152 :             *status = XID_COMMITTED;
    2173                 :             :         else
    2174                 :           7 :             *status = XID_ABORTED;
    2175                 :             :     }
    2176                 :        9161 :     LWLockRelease(XactTruncationLock);
    2177                 :        9161 :     ctx->cached_xid = xid;
    2178                 :        9161 :     ctx->cached_status = *status;
    2179                 :        9161 :     return XID_BOUNDS_OK;
    2180                 :             : }
        

Generated by: LCOV version 2.0-1