Line data Source code
1 : /*-------------------------------------------------------------------------
2 : *
3 : * verify_heapam.c
4 : * Functions to check postgresql heap relations for corruption
5 : *
6 : * Copyright (c) 2016-2025, PostgreSQL Global Development Group
7 : *
8 : * contrib/amcheck/verify_heapam.c
9 : *-------------------------------------------------------------------------
10 : */
11 : #include "postgres.h"
12 :
13 : #include "access/detoast.h"
14 : #include "access/genam.h"
15 : #include "access/heaptoast.h"
16 : #include "access/multixact.h"
17 : #include "access/relation.h"
18 : #include "access/table.h"
19 : #include "access/toast_internals.h"
20 : #include "access/visibilitymap.h"
21 : #include "access/xact.h"
22 : #include "catalog/pg_am.h"
23 : #include "catalog/pg_class.h"
24 : #include "funcapi.h"
25 : #include "miscadmin.h"
26 : #include "storage/bufmgr.h"
27 : #include "storage/procarray.h"
28 : #include "utils/builtins.h"
29 : #include "utils/fmgroids.h"
30 : #include "utils/rel.h"
31 :
32 602 : PG_FUNCTION_INFO_V1(verify_heapam);
33 :
34 : /* The number of columns in tuples returned by verify_heapam */
35 : #define HEAPCHECK_RELATION_COLS 4
36 :
37 : /* The largest valid toast va_rawsize */
38 : #define VARLENA_SIZE_LIMIT 0x3FFFFFFF
39 :
40 : /*
41 : * Despite the name, we use this for reporting problems with both XIDs and
42 : * MXIDs.
43 : */
44 : typedef enum XidBoundsViolation
45 : {
46 : XID_INVALID,
47 : XID_IN_FUTURE,
48 : XID_PRECEDES_CLUSTERMIN,
49 : XID_PRECEDES_RELMIN,
50 : XID_BOUNDS_OK,
51 : } XidBoundsViolation;
52 :
53 : typedef enum XidCommitStatus
54 : {
55 : XID_COMMITTED,
56 : XID_IS_CURRENT_XID,
57 : XID_IN_PROGRESS,
58 : XID_ABORTED,
59 : } XidCommitStatus;
60 :
61 : typedef enum SkipPages
62 : {
63 : SKIP_PAGES_ALL_FROZEN,
64 : SKIP_PAGES_ALL_VISIBLE,
65 : SKIP_PAGES_NONE,
66 : } SkipPages;
67 :
68 : /*
69 : * Struct holding information about a toasted attribute sufficient to both
70 : * check the toasted attribute and, if found to be corrupt, to report where it
71 : * was encountered in the main table.
72 : */
73 : typedef struct ToastedAttribute
74 : {
75 : struct varatt_external toast_pointer;
76 : BlockNumber blkno; /* block in main table */
77 : OffsetNumber offnum; /* offset in main table */
78 : AttrNumber attnum; /* attribute in main table */
79 : } ToastedAttribute;
80 :
81 : /*
82 : * Struct holding the running context information during
83 : * a lifetime of a verify_heapam execution.
84 : */
85 : typedef struct HeapCheckContext
86 : {
87 : /*
88 : * Cached copies of values from TransamVariables and computed values from
89 : * them.
90 : */
91 : FullTransactionId next_fxid; /* TransamVariables->nextXid */
92 : TransactionId next_xid; /* 32-bit version of next_fxid */
93 : TransactionId oldest_xid; /* TransamVariables->oldestXid */
94 : FullTransactionId oldest_fxid; /* 64-bit version of oldest_xid, computed
95 : * relative to next_fxid */
96 : TransactionId safe_xmin; /* this XID and newer ones can't become
97 : * all-visible while we're running */
98 :
99 : /*
100 : * Cached copy of value from MultiXactState
101 : */
102 : MultiXactId next_mxact; /* MultiXactState->nextMXact */
103 : MultiXactId oldest_mxact; /* MultiXactState->oldestMultiXactId */
104 :
105 : /*
106 : * Cached copies of the most recently checked xid and its status.
107 : */
108 : TransactionId cached_xid;
109 : XidCommitStatus cached_status;
110 :
111 : /* Values concerning the heap relation being checked */
112 : Relation rel;
113 : TransactionId relfrozenxid;
114 : FullTransactionId relfrozenfxid;
115 : TransactionId relminmxid;
116 : Relation toast_rel;
117 : Relation *toast_indexes;
118 : Relation valid_toast_index;
119 : int num_toast_indexes;
120 :
121 : /* Values for iterating over pages in the relation */
122 : BlockNumber blkno;
123 : BufferAccessStrategy bstrategy;
124 : Buffer buffer;
125 : Page page;
126 :
127 : /* Values for iterating over tuples within a page */
128 : OffsetNumber offnum;
129 : ItemId itemid;
130 : uint16 lp_len;
131 : uint16 lp_off;
132 : HeapTupleHeader tuphdr;
133 : int natts;
134 :
135 : /* Values for iterating over attributes within the tuple */
136 : uint32 offset; /* offset in tuple data */
137 : AttrNumber attnum;
138 :
139 : /* True if tuple's xmax makes it eligible for pruning */
140 : bool tuple_could_be_pruned;
141 :
142 : /*
143 : * List of ToastedAttribute structs for toasted attributes which are not
144 : * eligible for pruning and should be checked
145 : */
146 : List *toasted_attributes;
147 :
148 : /* Whether verify_heapam has yet encountered any corrupt tuples */
149 : bool is_corrupt;
150 :
151 : /* The descriptor and tuplestore for verify_heapam's result tuples */
152 : TupleDesc tupdesc;
153 : Tuplestorestate *tupstore;
154 : } HeapCheckContext;
155 :
156 : /* Internal implementation */
157 : static void check_tuple(HeapCheckContext *ctx,
158 : bool *xmin_commit_status_ok,
159 : XidCommitStatus *xmin_commit_status);
160 : static void check_toast_tuple(HeapTuple toasttup, HeapCheckContext *ctx,
161 : ToastedAttribute *ta, int32 *expected_chunk_seq,
162 : uint32 extsize);
163 :
164 : static bool check_tuple_attribute(HeapCheckContext *ctx);
165 : static void check_toasted_attribute(HeapCheckContext *ctx,
166 : ToastedAttribute *ta);
167 :
168 : static bool check_tuple_header(HeapCheckContext *ctx);
169 : static bool check_tuple_visibility(HeapCheckContext *ctx,
170 : bool *xmin_commit_status_ok,
171 : XidCommitStatus *xmin_commit_status);
172 :
173 : static void report_corruption(HeapCheckContext *ctx, char *msg);
174 : static void report_toast_corruption(HeapCheckContext *ctx,
175 : ToastedAttribute *ta, char *msg);
176 : static FullTransactionId FullTransactionIdFromXidAndCtx(TransactionId xid,
177 : const HeapCheckContext *ctx);
178 : static void update_cached_xid_range(HeapCheckContext *ctx);
179 : static void update_cached_mxid_range(HeapCheckContext *ctx);
180 : static XidBoundsViolation check_mxid_in_range(MultiXactId mxid,
181 : HeapCheckContext *ctx);
182 : static XidBoundsViolation check_mxid_valid_in_rel(MultiXactId mxid,
183 : HeapCheckContext *ctx);
184 : static XidBoundsViolation get_xid_status(TransactionId xid,
185 : HeapCheckContext *ctx,
186 : XidCommitStatus *status);
187 :
188 : /*
189 : * Scan and report corruption in heap pages, optionally reconciling toasted
190 : * attributes with entries in the associated toast table. Intended to be
191 : * called from SQL with the following parameters:
192 : *
193 : * relation:
194 : * The Oid of the heap relation to be checked.
195 : *
196 : * on_error_stop:
197 : * Whether to stop at the end of the first page for which errors are
198 : * detected. Note that multiple rows may be returned.
199 : *
200 : * check_toast:
201 : * Whether to check each toasted attribute against the toast table to
202 : * verify that it can be found there.
203 : *
204 : * skip:
205 : * What kinds of pages in the heap relation should be skipped. Valid
206 : * options are "all-visible", "all-frozen", and "none".
207 : *
208 : * Returns to the SQL caller a set of tuples, each containing the location
209 : * and a description of a corruption found in the heap.
210 : *
211 : * This code goes to some trouble to avoid crashing the server even if the
212 : * table pages are badly corrupted, but it's probably not perfect. If
213 : * check_toast is true, we'll use regular index lookups to try to fetch TOAST
214 : * tuples, which can certainly cause crashes if the right kind of corruption
215 : * exists in the toast table or index. No matter what parameters you pass,
216 : * we can't protect against crashes that might occur trying to look up the
217 : * commit status of transaction IDs (though we avoid trying to do such lookups
218 : * for transaction IDs that can't legally appear in the table).
219 : */
220 : Datum
221 6880 : verify_heapam(PG_FUNCTION_ARGS)
222 : {
223 6880 : ReturnSetInfo *rsinfo = (ReturnSetInfo *) fcinfo->resultinfo;
224 : HeapCheckContext ctx;
225 6880 : Buffer vmbuffer = InvalidBuffer;
226 : Oid relid;
227 : bool on_error_stop;
228 : bool check_toast;
229 6880 : SkipPages skip_option = SKIP_PAGES_NONE;
230 : BlockNumber first_block;
231 : BlockNumber last_block;
232 : BlockNumber nblocks;
233 : const char *skip;
234 :
235 : /* Check supplied arguments */
236 6880 : if (PG_ARGISNULL(0))
237 0 : ereport(ERROR,
238 : (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
239 : errmsg("relation cannot be null")));
240 6880 : relid = PG_GETARG_OID(0);
241 :
242 6880 : if (PG_ARGISNULL(1))
243 0 : ereport(ERROR,
244 : (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
245 : errmsg("on_error_stop cannot be null")));
246 6880 : on_error_stop = PG_GETARG_BOOL(1);
247 :
248 6880 : if (PG_ARGISNULL(2))
249 0 : ereport(ERROR,
250 : (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
251 : errmsg("check_toast cannot be null")));
252 6880 : check_toast = PG_GETARG_BOOL(2);
253 :
254 6880 : if (PG_ARGISNULL(3))
255 0 : ereport(ERROR,
256 : (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
257 : errmsg("skip cannot be null")));
258 6880 : skip = text_to_cstring(PG_GETARG_TEXT_PP(3));
259 6880 : if (pg_strcasecmp(skip, "all-visible") == 0)
260 168 : skip_option = SKIP_PAGES_ALL_VISIBLE;
261 6712 : else if (pg_strcasecmp(skip, "all-frozen") == 0)
262 174 : skip_option = SKIP_PAGES_ALL_FROZEN;
263 6538 : else if (pg_strcasecmp(skip, "none") == 0)
264 6536 : skip_option = SKIP_PAGES_NONE;
265 : else
266 2 : ereport(ERROR,
267 : (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
268 : errmsg("invalid skip option"),
269 : errhint("Valid skip options are \"all-visible\", \"all-frozen\", and \"none\".")));
270 :
271 6878 : memset(&ctx, 0, sizeof(HeapCheckContext));
272 6878 : ctx.cached_xid = InvalidTransactionId;
273 6878 : ctx.toasted_attributes = NIL;
274 :
275 : /*
276 : * Any xmin newer than the xmin of our snapshot can't become all-visible
277 : * while we're running.
278 : */
279 6878 : ctx.safe_xmin = GetTransactionSnapshot()->xmin;
280 :
281 : /*
282 : * If we report corruption when not examining some individual attribute,
283 : * we need attnum to be reported as NULL. Set that up before any
284 : * corruption reporting might happen.
285 : */
286 6878 : ctx.attnum = -1;
287 :
288 : /* Construct the tuplestore and tuple descriptor */
289 6878 : InitMaterializedSRF(fcinfo, 0);
290 6878 : ctx.tupdesc = rsinfo->setDesc;
291 6878 : ctx.tupstore = rsinfo->setResult;
292 :
293 : /* Open relation, check relkind and access method */
294 6878 : ctx.rel = relation_open(relid, AccessShareLock);
295 :
296 : /*
297 : * Check that a relation's relkind and access method are both supported.
298 : */
299 6878 : if (!RELKIND_HAS_TABLE_AM(ctx.rel->rd_rel->relkind) &&
300 390 : ctx.rel->rd_rel->relkind != RELKIND_SEQUENCE)
301 8 : ereport(ERROR,
302 : (errcode(ERRCODE_WRONG_OBJECT_TYPE),
303 : errmsg("cannot check relation \"%s\"",
304 : RelationGetRelationName(ctx.rel)),
305 : errdetail_relkind_not_supported(ctx.rel->rd_rel->relkind)));
306 :
307 : /*
308 : * Sequences always use heap AM, but they don't show that in the catalogs.
309 : * Other relkinds might be using a different AM, so check.
310 : */
311 6870 : if (ctx.rel->rd_rel->relkind != RELKIND_SEQUENCE &&
312 6488 : ctx.rel->rd_rel->relam != HEAP_TABLE_AM_OID)
313 0 : ereport(ERROR,
314 : (errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
315 : errmsg("only heap AM is supported")));
316 :
317 : /*
318 : * Early exit for unlogged relations during recovery. These will have no
319 : * relation fork, so there won't be anything to check. We behave as if
320 : * the relation is empty.
321 : */
322 6870 : if (ctx.rel->rd_rel->relpersistence == RELPERSISTENCE_UNLOGGED &&
323 0 : RecoveryInProgress())
324 : {
325 0 : ereport(DEBUG1,
326 : (errcode(ERRCODE_READ_ONLY_SQL_TRANSACTION),
327 : errmsg("cannot verify unlogged relation \"%s\" during recovery, skipping",
328 : RelationGetRelationName(ctx.rel))));
329 0 : relation_close(ctx.rel, AccessShareLock);
330 0 : PG_RETURN_NULL();
331 : }
332 :
333 : /* Early exit if the relation is empty */
334 6870 : nblocks = RelationGetNumberOfBlocks(ctx.rel);
335 6836 : if (!nblocks)
336 : {
337 3882 : relation_close(ctx.rel, AccessShareLock);
338 3882 : PG_RETURN_NULL();
339 : }
340 :
341 2954 : ctx.bstrategy = GetAccessStrategy(BAS_BULKREAD);
342 2954 : ctx.buffer = InvalidBuffer;
343 2954 : ctx.page = NULL;
344 :
345 : /* Validate block numbers, or handle nulls. */
346 2954 : if (PG_ARGISNULL(4))
347 2708 : first_block = 0;
348 : else
349 : {
350 246 : int64 fb = PG_GETARG_INT64(4);
351 :
352 246 : if (fb < 0 || fb >= nblocks)
353 2 : ereport(ERROR,
354 : (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
355 : errmsg("starting block number must be between 0 and %u",
356 : nblocks - 1)));
357 244 : first_block = (BlockNumber) fb;
358 : }
359 2952 : if (PG_ARGISNULL(5))
360 2706 : last_block = nblocks - 1;
361 : else
362 : {
363 246 : int64 lb = PG_GETARG_INT64(5);
364 :
365 246 : if (lb < 0 || lb >= nblocks)
366 2 : ereport(ERROR,
367 : (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
368 : errmsg("ending block number must be between 0 and %u",
369 : nblocks - 1)));
370 244 : last_block = (BlockNumber) lb;
371 : }
372 :
373 : /* Optionally open the toast relation, if any. */
374 2950 : if (ctx.rel->rd_rel->reltoastrelid && check_toast)
375 1392 : {
376 : int offset;
377 :
378 : /* Main relation has associated toast relation */
379 1392 : ctx.toast_rel = table_open(ctx.rel->rd_rel->reltoastrelid,
380 : AccessShareLock);
381 1392 : offset = toast_open_indexes(ctx.toast_rel,
382 : AccessShareLock,
383 : &(ctx.toast_indexes),
384 : &(ctx.num_toast_indexes));
385 1392 : ctx.valid_toast_index = ctx.toast_indexes[offset];
386 : }
387 : else
388 : {
389 : /*
390 : * Main relation has no associated toast relation, or we're
391 : * intentionally skipping it.
392 : */
393 1558 : ctx.toast_rel = NULL;
394 1558 : ctx.toast_indexes = NULL;
395 1558 : ctx.num_toast_indexes = 0;
396 : }
397 :
398 2950 : update_cached_xid_range(&ctx);
399 2950 : update_cached_mxid_range(&ctx);
400 2950 : ctx.relfrozenxid = ctx.rel->rd_rel->relfrozenxid;
401 2950 : ctx.relfrozenfxid = FullTransactionIdFromXidAndCtx(ctx.relfrozenxid, &ctx);
402 2950 : ctx.relminmxid = ctx.rel->rd_rel->relminmxid;
403 :
404 2950 : if (TransactionIdIsNormal(ctx.relfrozenxid))
405 2568 : ctx.oldest_xid = ctx.relfrozenxid;
406 :
407 26822 : for (ctx.blkno = first_block; ctx.blkno <= last_block; ctx.blkno++)
408 : {
409 : OffsetNumber maxoff;
410 : OffsetNumber predecessor[MaxOffsetNumber];
411 : OffsetNumber successor[MaxOffsetNumber];
412 : bool lp_valid[MaxOffsetNumber];
413 : bool xmin_commit_status_ok[MaxOffsetNumber];
414 : XidCommitStatus xmin_commit_status[MaxOffsetNumber];
415 :
416 23878 : CHECK_FOR_INTERRUPTS();
417 :
418 23878 : memset(predecessor, 0, sizeof(OffsetNumber) * MaxOffsetNumber);
419 :
420 : /* Optionally skip over all-frozen or all-visible blocks */
421 23878 : if (skip_option != SKIP_PAGES_NONE)
422 : {
423 : int32 mapbits;
424 :
425 1470 : mapbits = (int32) visibilitymap_get_status(ctx.rel, ctx.blkno,
426 : &vmbuffer);
427 1470 : if (skip_option == SKIP_PAGES_ALL_FROZEN)
428 : {
429 768 : if ((mapbits & VISIBILITYMAP_ALL_FROZEN) != 0)
430 66 : continue;
431 : }
432 :
433 1406 : if (skip_option == SKIP_PAGES_ALL_VISIBLE)
434 : {
435 702 : if ((mapbits & VISIBILITYMAP_ALL_VISIBLE) != 0)
436 2 : continue;
437 : }
438 : }
439 :
440 : /* Read and lock the next page. */
441 23812 : ctx.buffer = ReadBufferExtended(ctx.rel, MAIN_FORKNUM, ctx.blkno,
442 : RBM_NORMAL, ctx.bstrategy);
443 23812 : LockBuffer(ctx.buffer, BUFFER_LOCK_SHARE);
444 23812 : ctx.page = BufferGetPage(ctx.buffer);
445 :
446 : /* Perform tuple checks */
447 23812 : maxoff = PageGetMaxOffsetNumber(ctx.page);
448 1131184 : for (ctx.offnum = FirstOffsetNumber; ctx.offnum <= maxoff;
449 1107372 : ctx.offnum = OffsetNumberNext(ctx.offnum))
450 : {
451 : BlockNumber nextblkno;
452 : OffsetNumber nextoffnum;
453 :
454 1107372 : successor[ctx.offnum] = InvalidOffsetNumber;
455 1107372 : lp_valid[ctx.offnum] = false;
456 1107372 : xmin_commit_status_ok[ctx.offnum] = false;
457 1107372 : ctx.itemid = PageGetItemId(ctx.page, ctx.offnum);
458 :
459 : /* Skip over unused/dead line pointers */
460 1107372 : if (!ItemIdIsUsed(ctx.itemid) || ItemIdIsDead(ctx.itemid))
461 18490 : continue;
462 :
463 : /*
464 : * If this line pointer has been redirected, check that it
465 : * redirects to a valid offset within the line pointer array
466 : */
467 1088882 : if (ItemIdIsRedirected(ctx.itemid))
468 : {
469 11326 : OffsetNumber rdoffnum = ItemIdGetRedirect(ctx.itemid);
470 : ItemId rditem;
471 :
472 11326 : if (rdoffnum < FirstOffsetNumber)
473 : {
474 12 : report_corruption(&ctx,
475 : psprintf("line pointer redirection to item at offset %u precedes minimum offset %u",
476 : (unsigned) rdoffnum,
477 : (unsigned) FirstOffsetNumber));
478 12 : continue;
479 : }
480 11314 : if (rdoffnum > maxoff)
481 : {
482 28 : report_corruption(&ctx,
483 : psprintf("line pointer redirection to item at offset %u exceeds maximum offset %u",
484 : (unsigned) rdoffnum,
485 : (unsigned) maxoff));
486 28 : continue;
487 : }
488 :
489 : /*
490 : * Since we've checked that this redirect points to a line
491 : * pointer between FirstOffsetNumber and maxoff, it should now
492 : * be safe to fetch the referenced line pointer. We expect it
493 : * to be LP_NORMAL; if not, that's corruption.
494 : */
495 11286 : rditem = PageGetItemId(ctx.page, rdoffnum);
496 11286 : if (!ItemIdIsUsed(rditem))
497 : {
498 0 : report_corruption(&ctx,
499 : psprintf("redirected line pointer points to an unused item at offset %u",
500 : (unsigned) rdoffnum));
501 0 : continue;
502 : }
503 11286 : else if (ItemIdIsDead(rditem))
504 : {
505 0 : report_corruption(&ctx,
506 : psprintf("redirected line pointer points to a dead item at offset %u",
507 : (unsigned) rdoffnum));
508 0 : continue;
509 : }
510 11286 : else if (ItemIdIsRedirected(rditem))
511 : {
512 2 : report_corruption(&ctx,
513 : psprintf("redirected line pointer points to another redirected line pointer at offset %u",
514 : (unsigned) rdoffnum));
515 2 : continue;
516 : }
517 :
518 : /*
519 : * Record the fact that this line pointer has passed basic
520 : * sanity checking, and also the offset number to which it
521 : * points.
522 : */
523 11284 : lp_valid[ctx.offnum] = true;
524 11284 : successor[ctx.offnum] = rdoffnum;
525 11284 : continue;
526 : }
527 :
528 : /* Sanity-check the line pointer's offset and length values */
529 1077556 : ctx.lp_len = ItemIdGetLength(ctx.itemid);
530 1077556 : ctx.lp_off = ItemIdGetOffset(ctx.itemid);
531 :
532 1077556 : if (ctx.lp_off != MAXALIGN(ctx.lp_off))
533 : {
534 12 : report_corruption(&ctx,
535 : psprintf("line pointer to page offset %u is not maximally aligned",
536 12 : ctx.lp_off));
537 12 : continue;
538 : }
539 1077544 : if (ctx.lp_len < MAXALIGN(SizeofHeapTupleHeader))
540 : {
541 24 : report_corruption(&ctx,
542 : psprintf("line pointer length %u is less than the minimum tuple header size %u",
543 24 : ctx.lp_len,
544 : (unsigned) MAXALIGN(SizeofHeapTupleHeader)));
545 24 : continue;
546 : }
547 1077520 : if (ctx.lp_off + ctx.lp_len > BLCKSZ)
548 : {
549 28 : report_corruption(&ctx,
550 : psprintf("line pointer to page offset %u with length %u ends beyond maximum page offset %u",
551 28 : ctx.lp_off,
552 28 : ctx.lp_len,
553 : (unsigned) BLCKSZ));
554 28 : continue;
555 : }
556 :
557 : /* It should be safe to examine the tuple's header, at least */
558 1077492 : lp_valid[ctx.offnum] = true;
559 1077492 : ctx.tuphdr = (HeapTupleHeader) PageGetItem(ctx.page, ctx.itemid);
560 1077492 : ctx.natts = HeapTupleHeaderGetNatts(ctx.tuphdr);
561 :
562 : /* Ok, ready to check this next tuple */
563 1077492 : check_tuple(&ctx,
564 1077492 : &xmin_commit_status_ok[ctx.offnum],
565 1077492 : &xmin_commit_status[ctx.offnum]);
566 :
567 : /*
568 : * If the CTID field of this tuple seems to point to another tuple
569 : * on the same page, record that tuple as the successor of this
570 : * one.
571 : */
572 1077492 : nextblkno = ItemPointerGetBlockNumber(&(ctx.tuphdr)->t_ctid);
573 1077492 : nextoffnum = ItemPointerGetOffsetNumber(&(ctx.tuphdr)->t_ctid);
574 1077492 : if (nextblkno == ctx.blkno && nextoffnum != ctx.offnum &&
575 382 : nextoffnum >= FirstOffsetNumber && nextoffnum <= maxoff)
576 382 : successor[ctx.offnum] = nextoffnum;
577 : }
578 :
579 : /*
580 : * Update chain validation. Check each line pointer that's got a valid
581 : * successor against that successor.
582 : */
583 23812 : ctx.attnum = -1;
584 1131184 : for (ctx.offnum = FirstOffsetNumber; ctx.offnum <= maxoff;
585 1107372 : ctx.offnum = OffsetNumberNext(ctx.offnum))
586 : {
587 : ItemId curr_lp;
588 : ItemId next_lp;
589 : HeapTupleHeader curr_htup;
590 : HeapTupleHeader next_htup;
591 : TransactionId curr_xmin;
592 : TransactionId curr_xmax;
593 : TransactionId next_xmin;
594 1107372 : OffsetNumber nextoffnum = successor[ctx.offnum];
595 :
596 : /*
597 : * The current line pointer may not have a successor, either
598 : * because it's not valid or because it didn't point to anything.
599 : * In either case, we have to give up.
600 : *
601 : * If the current line pointer does point to something, it's
602 : * possible that the target line pointer isn't valid. We have to
603 : * give up in that case, too.
604 : */
605 1107372 : if (nextoffnum == InvalidOffsetNumber || !lp_valid[nextoffnum])
606 1095706 : continue;
607 :
608 : /* We have two valid line pointers that we can examine. */
609 11666 : curr_lp = PageGetItemId(ctx.page, ctx.offnum);
610 11666 : next_lp = PageGetItemId(ctx.page, nextoffnum);
611 :
612 : /* Handle the cases where the current line pointer is a redirect. */
613 11666 : if (ItemIdIsRedirected(curr_lp))
614 : {
615 : /*
616 : * We should not have set successor[ctx.offnum] to a value
617 : * other than InvalidOffsetNumber unless that line pointer is
618 : * LP_NORMAL.
619 : */
620 : Assert(ItemIdIsNormal(next_lp));
621 :
622 : /* Can only redirect to a HOT tuple. */
623 11284 : next_htup = (HeapTupleHeader) PageGetItem(ctx.page, next_lp);
624 11284 : if (!HeapTupleHeaderIsHeapOnly(next_htup))
625 : {
626 2 : report_corruption(&ctx,
627 : psprintf("redirected line pointer points to a non-heap-only tuple at offset %u",
628 : (unsigned) nextoffnum));
629 : }
630 :
631 : /* HOT chains should not intersect. */
632 11284 : if (predecessor[nextoffnum] != InvalidOffsetNumber)
633 : {
634 2 : report_corruption(&ctx,
635 : psprintf("redirect line pointer points to offset %u, but offset %u also points there",
636 2 : (unsigned) nextoffnum, (unsigned) predecessor[nextoffnum]));
637 2 : continue;
638 : }
639 :
640 : /*
641 : * This redirect and the tuple to which it points seem to be
642 : * part of an update chain.
643 : */
644 11282 : predecessor[nextoffnum] = ctx.offnum;
645 11282 : continue;
646 : }
647 :
648 : /*
649 : * If the next line pointer is a redirect, or if it's a tuple but
650 : * the XMAX of this tuple doesn't match the XMIN of the next
651 : * tuple, then the two aren't part of the same update chain and
652 : * there is nothing more to do.
653 : */
654 382 : if (ItemIdIsRedirected(next_lp))
655 0 : continue;
656 382 : curr_htup = (HeapTupleHeader) PageGetItem(ctx.page, curr_lp);
657 382 : curr_xmax = HeapTupleHeaderGetUpdateXid(curr_htup);
658 382 : next_htup = (HeapTupleHeader) PageGetItem(ctx.page, next_lp);
659 382 : next_xmin = HeapTupleHeaderGetXmin(next_htup);
660 382 : if (!TransactionIdIsValid(curr_xmax) ||
661 : !TransactionIdEquals(curr_xmax, next_xmin))
662 8 : continue;
663 :
664 : /* HOT chains should not intersect. */
665 374 : if (predecessor[nextoffnum] != InvalidOffsetNumber)
666 : {
667 2 : report_corruption(&ctx,
668 : psprintf("tuple points to new version at offset %u, but offset %u also points there",
669 2 : (unsigned) nextoffnum, (unsigned) predecessor[nextoffnum]));
670 2 : continue;
671 : }
672 :
673 : /*
674 : * This tuple and the tuple to which it points seem to be part of
675 : * an update chain.
676 : */
677 372 : predecessor[nextoffnum] = ctx.offnum;
678 :
679 : /*
680 : * If the current tuple is marked as HOT-updated, then the next
681 : * tuple should be marked as a heap-only tuple. Conversely, if the
682 : * current tuple isn't marked as HOT-updated, then the next tuple
683 : * shouldn't be marked as a heap-only tuple.
684 : *
685 : * NB: Can't use HeapTupleHeaderIsHotUpdated() as it checks if
686 : * hint bits indicate xmin/xmax aborted.
687 : */
688 372 : if (!(curr_htup->t_infomask2 & HEAP_HOT_UPDATED) &&
689 2 : HeapTupleHeaderIsHeapOnly(next_htup))
690 : {
691 2 : report_corruption(&ctx,
692 : psprintf("non-heap-only update produced a heap-only tuple at offset %u",
693 : (unsigned) nextoffnum));
694 : }
695 372 : if ((curr_htup->t_infomask2 & HEAP_HOT_UPDATED) &&
696 370 : !HeapTupleHeaderIsHeapOnly(next_htup))
697 : {
698 2 : report_corruption(&ctx,
699 : psprintf("heap-only update produced a non-heap only tuple at offset %u",
700 : (unsigned) nextoffnum));
701 : }
702 :
703 : /*
704 : * If the current tuple's xmin is still in progress but the
705 : * successor tuple's xmin is committed, that's corruption.
706 : *
707 : * NB: We recheck the commit status of the current tuple's xmin
708 : * here, because it might have committed after we checked it and
709 : * before we checked the commit status of the successor tuple's
710 : * xmin. This should be safe because the xmin itself can't have
711 : * changed, only its commit status.
712 : */
713 372 : curr_xmin = HeapTupleHeaderGetXmin(curr_htup);
714 372 : if (xmin_commit_status_ok[ctx.offnum] &&
715 372 : xmin_commit_status[ctx.offnum] == XID_IN_PROGRESS &&
716 2 : xmin_commit_status_ok[nextoffnum] &&
717 4 : xmin_commit_status[nextoffnum] == XID_COMMITTED &&
718 2 : TransactionIdIsInProgress(curr_xmin))
719 : {
720 2 : report_corruption(&ctx,
721 : psprintf("tuple with in-progress xmin %u was updated to produce a tuple at offset %u with committed xmin %u",
722 : (unsigned) curr_xmin,
723 2 : (unsigned) ctx.offnum,
724 : (unsigned) next_xmin));
725 : }
726 :
727 : /*
728 : * If the current tuple's xmin is aborted but the successor
729 : * tuple's xmin is in-progress or committed, that's corruption.
730 : */
731 372 : if (xmin_commit_status_ok[ctx.offnum] &&
732 372 : xmin_commit_status[ctx.offnum] == XID_ABORTED &&
733 4 : xmin_commit_status_ok[nextoffnum])
734 : {
735 4 : if (xmin_commit_status[nextoffnum] == XID_IN_PROGRESS)
736 2 : report_corruption(&ctx,
737 : psprintf("tuple with aborted xmin %u was updated to produce a tuple at offset %u with in-progress xmin %u",
738 : (unsigned) curr_xmin,
739 2 : (unsigned) ctx.offnum,
740 : (unsigned) next_xmin));
741 2 : else if (xmin_commit_status[nextoffnum] == XID_COMMITTED)
742 2 : report_corruption(&ctx,
743 : psprintf("tuple with aborted xmin %u was updated to produce a tuple at offset %u with committed xmin %u",
744 : (unsigned) curr_xmin,
745 2 : (unsigned) ctx.offnum,
746 : (unsigned) next_xmin));
747 : }
748 : }
749 :
750 : /*
751 : * An update chain can start either with a non-heap-only tuple or with
752 : * a redirect line pointer, but not with a heap-only tuple.
753 : *
754 : * (This check is in a separate loop because we need the predecessor
755 : * array to be fully populated before we can perform it.)
756 : */
757 23812 : for (ctx.offnum = FirstOffsetNumber;
758 1131184 : ctx.offnum <= maxoff;
759 1107372 : ctx.offnum = OffsetNumberNext(ctx.offnum))
760 : {
761 1107372 : if (xmin_commit_status_ok[ctx.offnum] &&
762 1077474 : (xmin_commit_status[ctx.offnum] == XID_COMMITTED ||
763 14 : xmin_commit_status[ctx.offnum] == XID_IN_PROGRESS) &&
764 1077464 : predecessor[ctx.offnum] == InvalidOffsetNumber)
765 : {
766 : ItemId curr_lp;
767 :
768 1065816 : curr_lp = PageGetItemId(ctx.page, ctx.offnum);
769 1065816 : if (!ItemIdIsRedirected(curr_lp))
770 : {
771 : HeapTupleHeader curr_htup;
772 :
773 : curr_htup = (HeapTupleHeader)
774 1065816 : PageGetItem(ctx.page, curr_lp);
775 1065816 : if (HeapTupleHeaderIsHeapOnly(curr_htup))
776 8 : report_corruption(&ctx,
777 : psprintf("tuple is root of chain but is marked as heap-only tuple"));
778 : }
779 : }
780 : }
781 :
782 : /* clean up */
783 23812 : UnlockReleaseBuffer(ctx.buffer);
784 :
785 : /*
786 : * Check any toast pointers from the page whose lock we just released
787 : */
788 23812 : if (ctx.toasted_attributes != NIL)
789 : {
790 : ListCell *cell;
791 :
792 25366 : foreach(cell, ctx.toasted_attributes)
793 23636 : check_toasted_attribute(&ctx, lfirst(cell));
794 1730 : list_free_deep(ctx.toasted_attributes);
795 1730 : ctx.toasted_attributes = NIL;
796 : }
797 :
798 23806 : if (on_error_stop && ctx.is_corrupt)
799 0 : break;
800 : }
801 :
802 2944 : if (vmbuffer != InvalidBuffer)
803 6 : ReleaseBuffer(vmbuffer);
804 :
805 : /* Close the associated toast table and indexes, if any. */
806 2944 : if (ctx.toast_indexes)
807 1386 : toast_close_indexes(ctx.toast_indexes, ctx.num_toast_indexes,
808 : AccessShareLock);
809 2944 : if (ctx.toast_rel)
810 1386 : table_close(ctx.toast_rel, AccessShareLock);
811 :
812 : /* Close the main relation */
813 2944 : relation_close(ctx.rel, AccessShareLock);
814 :
815 2944 : PG_RETURN_NULL();
816 : }
817 :
818 : /*
819 : * Shared internal implementation for report_corruption and
820 : * report_toast_corruption.
821 : */
822 : static void
823 172 : report_corruption_internal(Tuplestorestate *tupstore, TupleDesc tupdesc,
824 : BlockNumber blkno, OffsetNumber offnum,
825 : AttrNumber attnum, char *msg)
826 : {
827 172 : Datum values[HEAPCHECK_RELATION_COLS] = {0};
828 172 : bool nulls[HEAPCHECK_RELATION_COLS] = {0};
829 : HeapTuple tuple;
830 :
831 172 : values[0] = Int64GetDatum(blkno);
832 172 : values[1] = Int32GetDatum(offnum);
833 172 : values[2] = Int32GetDatum(attnum);
834 172 : nulls[2] = (attnum < 0);
835 172 : values[3] = CStringGetTextDatum(msg);
836 :
837 : /*
838 : * In principle, there is nothing to prevent a scan over a large, highly
839 : * corrupted table from using work_mem worth of memory building up the
840 : * tuplestore. That's ok, but if we also leak the msg argument memory
841 : * until the end of the query, we could exceed work_mem by more than a
842 : * trivial amount. Therefore, free the msg argument each time we are
843 : * called rather than waiting for our current memory context to be freed.
844 : */
845 172 : pfree(msg);
846 :
847 172 : tuple = heap_form_tuple(tupdesc, values, nulls);
848 172 : tuplestore_puttuple(tupstore, tuple);
849 172 : }
850 :
851 : /*
852 : * Record a single corruption found in the main table. The values in ctx should
853 : * indicate the location of the corruption, and the msg argument should contain
854 : * a human-readable description of the corruption.
855 : *
856 : * The msg argument is pfree'd by this function.
857 : */
858 : static void
859 170 : report_corruption(HeapCheckContext *ctx, char *msg)
860 : {
861 170 : report_corruption_internal(ctx->tupstore, ctx->tupdesc, ctx->blkno,
862 170 : ctx->offnum, ctx->attnum, msg);
863 170 : ctx->is_corrupt = true;
864 170 : }
865 :
866 : /*
867 : * Record corruption found in the toast table. The values in ta should
868 : * indicate the location in the main table where the toast pointer was
869 : * encountered, and the msg argument should contain a human-readable
870 : * description of the toast table corruption.
871 : *
872 : * As above, the msg argument is pfree'd by this function.
873 : */
874 : static void
875 2 : report_toast_corruption(HeapCheckContext *ctx, ToastedAttribute *ta,
876 : char *msg)
877 : {
878 2 : report_corruption_internal(ctx->tupstore, ctx->tupdesc, ta->blkno,
879 2 : ta->offnum, ta->attnum, msg);
880 2 : ctx->is_corrupt = true;
881 2 : }
882 :
883 : /*
884 : * Check for tuple header corruption.
885 : *
886 : * Some kinds of corruption make it unsafe to check the tuple attributes, for
887 : * example when the line pointer refers to a range of bytes outside the page.
888 : * In such cases, we return false (not checkable) after recording appropriate
889 : * corruption messages.
890 : *
891 : * Some other kinds of tuple header corruption confuse the question of where
892 : * the tuple attributes begin, or how long the nulls bitmap is, etc., making it
893 : * unreasonable to attempt to check attributes, even if all candidate answers
894 : * to those questions would not result in reading past the end of the line
895 : * pointer or page. In such cases, like above, we record corruption messages
896 : * about the header and then return false.
897 : *
898 : * Other kinds of tuple header corruption do not bear on the question of
899 : * whether the tuple attributes can be checked, so we record corruption
900 : * messages for them but we do not return false merely because we detected
901 : * them.
902 : *
903 : * Returns whether the tuple is sufficiently sensible to undergo visibility and
904 : * attribute checks.
905 : */
906 : static bool
907 1077492 : check_tuple_header(HeapCheckContext *ctx)
908 : {
909 1077492 : HeapTupleHeader tuphdr = ctx->tuphdr;
910 1077492 : uint16 infomask = tuphdr->t_infomask;
911 1077492 : TransactionId curr_xmax = HeapTupleHeaderGetUpdateXid(tuphdr);
912 1077492 : bool result = true;
913 : unsigned expected_hoff;
914 :
915 1077492 : if (ctx->tuphdr->t_hoff > ctx->lp_len)
916 : {
917 2 : report_corruption(ctx,
918 : psprintf("data begins at offset %u beyond the tuple length %u",
919 2 : ctx->tuphdr->t_hoff, ctx->lp_len));
920 2 : result = false;
921 : }
922 :
923 1077492 : if ((ctx->tuphdr->t_infomask & HEAP_XMAX_COMMITTED) &&
924 400 : (ctx->tuphdr->t_infomask & HEAP_XMAX_IS_MULTI))
925 : {
926 4 : report_corruption(ctx,
927 : pstrdup("multixact should not be marked committed"));
928 :
929 : /*
930 : * This condition is clearly wrong, but it's not enough to justify
931 : * skipping further checks, because we don't rely on this to determine
932 : * whether the tuple is visible or to interpret other relevant header
933 : * fields.
934 : */
935 : }
936 :
937 1077492 : if (!TransactionIdIsValid(curr_xmax) &&
938 1074634 : HeapTupleHeaderIsHotUpdated(tuphdr))
939 : {
940 2 : report_corruption(ctx,
941 : psprintf("tuple has been HOT updated, but xmax is 0"));
942 :
943 : /*
944 : * As above, even though this shouldn't happen, it's not sufficient
945 : * justification for skipping further checks, we should still be able
946 : * to perform sensibly.
947 : */
948 : }
949 :
950 1077492 : if (HeapTupleHeaderIsHeapOnly(tuphdr) &&
951 11658 : ((tuphdr->t_infomask & HEAP_UPDATED) == 0))
952 : {
953 2 : report_corruption(ctx,
954 : psprintf("tuple is heap only, but not the result of an update"));
955 :
956 : /* Here again, we can still perform further checks. */
957 : }
958 :
959 1077492 : if (infomask & HEAP_HASNULL)
960 483082 : expected_hoff = MAXALIGN(SizeofHeapTupleHeader + BITMAPLEN(ctx->natts));
961 : else
962 594410 : expected_hoff = MAXALIGN(SizeofHeapTupleHeader);
963 1077492 : if (ctx->tuphdr->t_hoff != expected_hoff)
964 : {
965 10 : if ((infomask & HEAP_HASNULL) && ctx->natts == 1)
966 0 : report_corruption(ctx,
967 : psprintf("tuple data should begin at byte %u, but actually begins at byte %u (1 attribute, has nulls)",
968 0 : expected_hoff, ctx->tuphdr->t_hoff));
969 10 : else if ((infomask & HEAP_HASNULL))
970 2 : report_corruption(ctx,
971 : psprintf("tuple data should begin at byte %u, but actually begins at byte %u (%u attributes, has nulls)",
972 2 : expected_hoff, ctx->tuphdr->t_hoff, ctx->natts));
973 8 : else if (ctx->natts == 1)
974 0 : report_corruption(ctx,
975 : psprintf("tuple data should begin at byte %u, but actually begins at byte %u (1 attribute, no nulls)",
976 0 : expected_hoff, ctx->tuphdr->t_hoff));
977 : else
978 8 : report_corruption(ctx,
979 : psprintf("tuple data should begin at byte %u, but actually begins at byte %u (%u attributes, no nulls)",
980 8 : expected_hoff, ctx->tuphdr->t_hoff, ctx->natts));
981 10 : result = false;
982 : }
983 :
984 1077492 : return result;
985 : }
986 :
987 : /*
988 : * Checks tuple visibility so we know which further checks are safe to
989 : * perform.
990 : *
991 : * If a tuple could have been inserted by a transaction that also added a
992 : * column to the table, but which ultimately did not commit, or which has not
993 : * yet committed, then the table's current TupleDesc might differ from the one
994 : * used to construct this tuple, so we must not check it.
995 : *
996 : * As a special case, if our own transaction inserted the tuple, even if we
997 : * added a column to the table, our TupleDesc should match. We could check the
998 : * tuple, but choose not to do so.
999 : *
1000 : * If a tuple has been updated or deleted, we can still read the old tuple for
1001 : * corruption checking purposes, as long as we are careful about concurrent
1002 : * vacuums. The main table tuple itself cannot be vacuumed away because we
1003 : * hold a buffer lock on the page, but if the deleting transaction is older
1004 : * than our transaction snapshot's xmin, then vacuum could remove the toast at
1005 : * any time, so we must not try to follow TOAST pointers.
1006 : *
1007 : * If xmin or xmax values are older than can be checked against clog, or appear
1008 : * to be in the future (possibly due to wrap-around), then we cannot make a
1009 : * determination about the visibility of the tuple, so we skip further checks.
1010 : *
1011 : * Returns true if the tuple itself should be checked, false otherwise. Sets
1012 : * ctx->tuple_could_be_pruned if the tuple -- and thus also any associated
1013 : * TOAST tuples -- are eligible for pruning.
1014 : *
1015 : * Sets *xmin_commit_status_ok to true if the commit status of xmin is known
1016 : * and false otherwise. If it's set to true, then also set *xmin_commit_status
1017 : * to the actual commit status.
1018 : */
1019 : static bool
1020 1077482 : check_tuple_visibility(HeapCheckContext *ctx, bool *xmin_commit_status_ok,
1021 : XidCommitStatus *xmin_commit_status)
1022 : {
1023 : TransactionId xmin;
1024 : TransactionId xvac;
1025 : TransactionId xmax;
1026 : XidCommitStatus xmin_status;
1027 : XidCommitStatus xvac_status;
1028 : XidCommitStatus xmax_status;
1029 1077482 : HeapTupleHeader tuphdr = ctx->tuphdr;
1030 :
1031 1077482 : ctx->tuple_could_be_pruned = true; /* have not yet proven otherwise */
1032 1077482 : *xmin_commit_status_ok = false; /* have not yet proven otherwise */
1033 :
1034 : /* If xmin is normal, it should be within valid range */
1035 1077482 : xmin = HeapTupleHeaderGetXmin(tuphdr);
1036 1077482 : switch (get_xid_status(xmin, ctx, &xmin_status))
1037 : {
1038 0 : case XID_INVALID:
1039 : /* Could be the result of a speculative insertion that aborted. */
1040 0 : return false;
1041 1077474 : case XID_BOUNDS_OK:
1042 1077474 : *xmin_commit_status_ok = true;
1043 1077474 : *xmin_commit_status = xmin_status;
1044 1077474 : break;
1045 2 : case XID_IN_FUTURE:
1046 2 : report_corruption(ctx,
1047 : psprintf("xmin %u equals or exceeds next valid transaction ID %u:%u",
1048 : xmin,
1049 2 : EpochFromFullTransactionId(ctx->next_fxid),
1050 2 : XidFromFullTransactionId(ctx->next_fxid)));
1051 2 : return false;
1052 4 : case XID_PRECEDES_CLUSTERMIN:
1053 4 : report_corruption(ctx,
1054 : psprintf("xmin %u precedes oldest valid transaction ID %u:%u",
1055 : xmin,
1056 4 : EpochFromFullTransactionId(ctx->oldest_fxid),
1057 4 : XidFromFullTransactionId(ctx->oldest_fxid)));
1058 4 : return false;
1059 2 : case XID_PRECEDES_RELMIN:
1060 2 : report_corruption(ctx,
1061 : psprintf("xmin %u precedes relation freeze threshold %u:%u",
1062 : xmin,
1063 2 : EpochFromFullTransactionId(ctx->relfrozenfxid),
1064 2 : XidFromFullTransactionId(ctx->relfrozenfxid)));
1065 2 : return false;
1066 : }
1067 :
1068 : /*
1069 : * Has inserting transaction committed?
1070 : */
1071 1077474 : if (!HeapTupleHeaderXminCommitted(tuphdr))
1072 : {
1073 29456 : if (HeapTupleHeaderXminInvalid(tuphdr))
1074 0 : return false; /* inserter aborted, don't check */
1075 : /* Used by pre-9.0 binary upgrades */
1076 29456 : else if (tuphdr->t_infomask & HEAP_MOVED_OFF)
1077 : {
1078 0 : xvac = HeapTupleHeaderGetXvac(tuphdr);
1079 :
1080 0 : switch (get_xid_status(xvac, ctx, &xvac_status))
1081 : {
1082 0 : case XID_INVALID:
1083 0 : report_corruption(ctx,
1084 : pstrdup("old-style VACUUM FULL transaction ID for moved off tuple is invalid"));
1085 0 : return false;
1086 0 : case XID_IN_FUTURE:
1087 0 : report_corruption(ctx,
1088 : psprintf("old-style VACUUM FULL transaction ID %u for moved off tuple equals or exceeds next valid transaction ID %u:%u",
1089 : xvac,
1090 0 : EpochFromFullTransactionId(ctx->next_fxid),
1091 0 : XidFromFullTransactionId(ctx->next_fxid)));
1092 0 : return false;
1093 0 : case XID_PRECEDES_RELMIN:
1094 0 : report_corruption(ctx,
1095 : psprintf("old-style VACUUM FULL transaction ID %u for moved off tuple precedes relation freeze threshold %u:%u",
1096 : xvac,
1097 0 : EpochFromFullTransactionId(ctx->relfrozenfxid),
1098 0 : XidFromFullTransactionId(ctx->relfrozenfxid)));
1099 0 : return false;
1100 0 : case XID_PRECEDES_CLUSTERMIN:
1101 0 : report_corruption(ctx,
1102 : psprintf("old-style VACUUM FULL transaction ID %u for moved off tuple precedes oldest valid transaction ID %u:%u",
1103 : xvac,
1104 0 : EpochFromFullTransactionId(ctx->oldest_fxid),
1105 0 : XidFromFullTransactionId(ctx->oldest_fxid)));
1106 0 : return false;
1107 0 : case XID_BOUNDS_OK:
1108 0 : break;
1109 : }
1110 :
1111 0 : switch (xvac_status)
1112 : {
1113 0 : case XID_IS_CURRENT_XID:
1114 0 : report_corruption(ctx,
1115 : psprintf("old-style VACUUM FULL transaction ID %u for moved off tuple matches our current transaction ID",
1116 : xvac));
1117 0 : return false;
1118 0 : case XID_IN_PROGRESS:
1119 0 : report_corruption(ctx,
1120 : psprintf("old-style VACUUM FULL transaction ID %u for moved off tuple appears to be in progress",
1121 : xvac));
1122 0 : return false;
1123 :
1124 0 : case XID_COMMITTED:
1125 :
1126 : /*
1127 : * The tuple is dead, because the xvac transaction moved
1128 : * it off and committed. It's checkable, but also
1129 : * prunable.
1130 : */
1131 0 : return true;
1132 :
1133 0 : case XID_ABORTED:
1134 :
1135 : /*
1136 : * The original xmin must have committed, because the xvac
1137 : * transaction tried to move it later. Since xvac is
1138 : * aborted, whether it's still alive now depends on the
1139 : * status of xmax.
1140 : */
1141 0 : break;
1142 : }
1143 0 : }
1144 : /* Used by pre-9.0 binary upgrades */
1145 29456 : else if (tuphdr->t_infomask & HEAP_MOVED_IN)
1146 : {
1147 0 : xvac = HeapTupleHeaderGetXvac(tuphdr);
1148 :
1149 0 : switch (get_xid_status(xvac, ctx, &xvac_status))
1150 : {
1151 0 : case XID_INVALID:
1152 0 : report_corruption(ctx,
1153 : pstrdup("old-style VACUUM FULL transaction ID for moved in tuple is invalid"));
1154 0 : return false;
1155 0 : case XID_IN_FUTURE:
1156 0 : report_corruption(ctx,
1157 : psprintf("old-style VACUUM FULL transaction ID %u for moved in tuple equals or exceeds next valid transaction ID %u:%u",
1158 : xvac,
1159 0 : EpochFromFullTransactionId(ctx->next_fxid),
1160 0 : XidFromFullTransactionId(ctx->next_fxid)));
1161 0 : return false;
1162 0 : case XID_PRECEDES_RELMIN:
1163 0 : report_corruption(ctx,
1164 : psprintf("old-style VACUUM FULL transaction ID %u for moved in tuple precedes relation freeze threshold %u:%u",
1165 : xvac,
1166 0 : EpochFromFullTransactionId(ctx->relfrozenfxid),
1167 0 : XidFromFullTransactionId(ctx->relfrozenfxid)));
1168 0 : return false;
1169 0 : case XID_PRECEDES_CLUSTERMIN:
1170 0 : report_corruption(ctx,
1171 : psprintf("old-style VACUUM FULL transaction ID %u for moved in tuple precedes oldest valid transaction ID %u:%u",
1172 : xvac,
1173 0 : EpochFromFullTransactionId(ctx->oldest_fxid),
1174 0 : XidFromFullTransactionId(ctx->oldest_fxid)));
1175 0 : return false;
1176 0 : case XID_BOUNDS_OK:
1177 0 : break;
1178 : }
1179 :
1180 0 : switch (xvac_status)
1181 : {
1182 0 : case XID_IS_CURRENT_XID:
1183 0 : report_corruption(ctx,
1184 : psprintf("old-style VACUUM FULL transaction ID %u for moved in tuple matches our current transaction ID",
1185 : xvac));
1186 0 : return false;
1187 0 : case XID_IN_PROGRESS:
1188 0 : report_corruption(ctx,
1189 : psprintf("old-style VACUUM FULL transaction ID %u for moved in tuple appears to be in progress",
1190 : xvac));
1191 0 : return false;
1192 :
1193 0 : case XID_COMMITTED:
1194 :
1195 : /*
1196 : * The original xmin must have committed, because the xvac
1197 : * transaction moved it later. Whether it's still alive
1198 : * now depends on the status of xmax.
1199 : */
1200 0 : break;
1201 :
1202 0 : case XID_ABORTED:
1203 :
1204 : /*
1205 : * The tuple is dead, because the xvac transaction moved
1206 : * it off and committed. It's checkable, but also
1207 : * prunable.
1208 : */
1209 0 : return true;
1210 : }
1211 0 : }
1212 29456 : else if (xmin_status != XID_COMMITTED)
1213 : {
1214 : /*
1215 : * Inserting transaction is not in progress, and not committed, so
1216 : * it might have changed the TupleDesc in ways we don't know
1217 : * about. Thus, don't try to check the tuple structure.
1218 : *
1219 : * If xmin_status happens to be XID_IS_CURRENT_XID, then in theory
1220 : * any such DDL changes ought to be visible to us, so perhaps we
1221 : * could check anyway in that case. But, for now, let's be
1222 : * conservative and treat this like any other uncommitted insert.
1223 : */
1224 14 : return false;
1225 : }
1226 : }
1227 :
1228 : /*
1229 : * Okay, the inserter committed, so it was good at some point. Now what
1230 : * about the deleting transaction?
1231 : */
1232 :
1233 1077460 : if (tuphdr->t_infomask & HEAP_XMAX_IS_MULTI)
1234 : {
1235 : /*
1236 : * xmax is a multixact, so sanity-check the MXID. Note that we do this
1237 : * prior to checking for HEAP_XMAX_INVALID or
1238 : * HEAP_XMAX_IS_LOCKED_ONLY. This might therefore complain about
1239 : * things that wouldn't actually be a problem during a normal scan,
1240 : * but eventually we're going to have to freeze, and that process will
1241 : * ignore hint bits.
1242 : *
1243 : * Even if the MXID is out of range, we still know that the original
1244 : * insert committed, so we can check the tuple itself. However, we
1245 : * can't rule out the possibility that this tuple is dead, so don't
1246 : * clear ctx->tuple_could_be_pruned. Possibly we should go ahead and
1247 : * clear that flag anyway if HEAP_XMAX_INVALID is set or if
1248 : * HEAP_XMAX_IS_LOCKED_ONLY is true, but for now we err on the side of
1249 : * avoiding possibly-bogus complaints about missing TOAST entries.
1250 : */
1251 116 : xmax = HeapTupleHeaderGetRawXmax(tuphdr);
1252 116 : switch (check_mxid_valid_in_rel(xmax, ctx))
1253 : {
1254 0 : case XID_INVALID:
1255 0 : report_corruption(ctx,
1256 : pstrdup("multitransaction ID is invalid"));
1257 0 : return true;
1258 2 : case XID_PRECEDES_RELMIN:
1259 2 : report_corruption(ctx,
1260 : psprintf("multitransaction ID %u precedes relation minimum multitransaction ID threshold %u",
1261 : xmax, ctx->relminmxid));
1262 2 : return true;
1263 0 : case XID_PRECEDES_CLUSTERMIN:
1264 0 : report_corruption(ctx,
1265 : psprintf("multitransaction ID %u precedes oldest valid multitransaction ID threshold %u",
1266 : xmax, ctx->oldest_mxact));
1267 0 : return true;
1268 2 : case XID_IN_FUTURE:
1269 2 : report_corruption(ctx,
1270 : psprintf("multitransaction ID %u equals or exceeds next valid multitransaction ID %u",
1271 : xmax,
1272 : ctx->next_mxact));
1273 2 : return true;
1274 112 : case XID_BOUNDS_OK:
1275 112 : break;
1276 : }
1277 1077344 : }
1278 :
1279 1077456 : if (tuphdr->t_infomask & HEAP_XMAX_INVALID)
1280 : {
1281 : /*
1282 : * This tuple is live. A concurrently running transaction could
1283 : * delete it before we get around to checking the toast, but any such
1284 : * running transaction is surely not less than our safe_xmin, so the
1285 : * toast cannot be vacuumed out from under us.
1286 : */
1287 1074608 : ctx->tuple_could_be_pruned = false;
1288 1074608 : return true;
1289 : }
1290 :
1291 2848 : if (HEAP_XMAX_IS_LOCKED_ONLY(tuphdr->t_infomask))
1292 : {
1293 : /*
1294 : * "Deleting" xact really only locked it, so the tuple is live in any
1295 : * case. As above, a concurrently running transaction could delete
1296 : * it, but it cannot be vacuumed out from under us.
1297 : */
1298 56 : ctx->tuple_could_be_pruned = false;
1299 56 : return true;
1300 : }
1301 :
1302 2792 : if (tuphdr->t_infomask & HEAP_XMAX_IS_MULTI)
1303 : {
1304 : /*
1305 : * We already checked above that this multixact is within limits for
1306 : * this table. Now check the update xid from this multixact.
1307 : */
1308 56 : xmax = HeapTupleGetUpdateXid(tuphdr);
1309 56 : switch (get_xid_status(xmax, ctx, &xmax_status))
1310 : {
1311 0 : case XID_INVALID:
1312 : /* not LOCKED_ONLY, so it has to have an xmax */
1313 0 : report_corruption(ctx,
1314 : pstrdup("update xid is invalid"));
1315 0 : return true;
1316 0 : case XID_IN_FUTURE:
1317 0 : report_corruption(ctx,
1318 : psprintf("update xid %u equals or exceeds next valid transaction ID %u:%u",
1319 : xmax,
1320 0 : EpochFromFullTransactionId(ctx->next_fxid),
1321 0 : XidFromFullTransactionId(ctx->next_fxid)));
1322 0 : return true;
1323 0 : case XID_PRECEDES_RELMIN:
1324 0 : report_corruption(ctx,
1325 : psprintf("update xid %u precedes relation freeze threshold %u:%u",
1326 : xmax,
1327 0 : EpochFromFullTransactionId(ctx->relfrozenfxid),
1328 0 : XidFromFullTransactionId(ctx->relfrozenfxid)));
1329 0 : return true;
1330 0 : case XID_PRECEDES_CLUSTERMIN:
1331 0 : report_corruption(ctx,
1332 : psprintf("update xid %u precedes oldest valid transaction ID %u:%u",
1333 : xmax,
1334 0 : EpochFromFullTransactionId(ctx->oldest_fxid),
1335 0 : XidFromFullTransactionId(ctx->oldest_fxid)));
1336 0 : return true;
1337 56 : case XID_BOUNDS_OK:
1338 56 : break;
1339 : }
1340 :
1341 56 : switch (xmax_status)
1342 : {
1343 0 : case XID_IS_CURRENT_XID:
1344 : case XID_IN_PROGRESS:
1345 :
1346 : /*
1347 : * The delete is in progress, so it cannot be visible to our
1348 : * snapshot.
1349 : */
1350 0 : ctx->tuple_could_be_pruned = false;
1351 0 : break;
1352 56 : case XID_COMMITTED:
1353 :
1354 : /*
1355 : * The delete committed. Whether the toast can be vacuumed
1356 : * away depends on how old the deleting transaction is.
1357 : */
1358 56 : ctx->tuple_could_be_pruned = TransactionIdPrecedes(xmax,
1359 : ctx->safe_xmin);
1360 56 : break;
1361 0 : case XID_ABORTED:
1362 :
1363 : /*
1364 : * The delete aborted or crashed. The tuple is still live.
1365 : */
1366 0 : ctx->tuple_could_be_pruned = false;
1367 0 : break;
1368 : }
1369 :
1370 : /* Tuple itself is checkable even if it's dead. */
1371 56 : return true;
1372 : }
1373 :
1374 : /* xmax is an XID, not a MXID. Sanity check it. */
1375 2736 : xmax = HeapTupleHeaderGetRawXmax(tuphdr);
1376 2736 : switch (get_xid_status(xmax, ctx, &xmax_status))
1377 : {
1378 2 : case XID_INVALID:
1379 2 : ctx->tuple_could_be_pruned = false;
1380 2 : return true;
1381 0 : case XID_IN_FUTURE:
1382 0 : report_corruption(ctx,
1383 : psprintf("xmax %u equals or exceeds next valid transaction ID %u:%u",
1384 : xmax,
1385 0 : EpochFromFullTransactionId(ctx->next_fxid),
1386 0 : XidFromFullTransactionId(ctx->next_fxid)));
1387 0 : return false; /* corrupt */
1388 0 : case XID_PRECEDES_RELMIN:
1389 0 : report_corruption(ctx,
1390 : psprintf("xmax %u precedes relation freeze threshold %u:%u",
1391 : xmax,
1392 0 : EpochFromFullTransactionId(ctx->relfrozenfxid),
1393 0 : XidFromFullTransactionId(ctx->relfrozenfxid)));
1394 0 : return false; /* corrupt */
1395 2 : case XID_PRECEDES_CLUSTERMIN:
1396 2 : report_corruption(ctx,
1397 : psprintf("xmax %u precedes oldest valid transaction ID %u:%u",
1398 : xmax,
1399 2 : EpochFromFullTransactionId(ctx->oldest_fxid),
1400 2 : XidFromFullTransactionId(ctx->oldest_fxid)));
1401 2 : return false; /* corrupt */
1402 2732 : case XID_BOUNDS_OK:
1403 2732 : break;
1404 : }
1405 :
1406 : /*
1407 : * Whether the toast can be vacuumed away depends on how old the deleting
1408 : * transaction is.
1409 : */
1410 2732 : switch (xmax_status)
1411 : {
1412 0 : case XID_IS_CURRENT_XID:
1413 : case XID_IN_PROGRESS:
1414 :
1415 : /*
1416 : * The delete is in progress, so it cannot be visible to our
1417 : * snapshot.
1418 : */
1419 0 : ctx->tuple_could_be_pruned = false;
1420 0 : break;
1421 :
1422 2726 : case XID_COMMITTED:
1423 :
1424 : /*
1425 : * The delete committed. Whether the toast can be vacuumed away
1426 : * depends on how old the deleting transaction is.
1427 : */
1428 2726 : ctx->tuple_could_be_pruned = TransactionIdPrecedes(xmax,
1429 : ctx->safe_xmin);
1430 2726 : break;
1431 :
1432 6 : case XID_ABORTED:
1433 :
1434 : /*
1435 : * The delete aborted or crashed. The tuple is still live.
1436 : */
1437 6 : ctx->tuple_could_be_pruned = false;
1438 6 : break;
1439 : }
1440 :
1441 : /* Tuple itself is checkable even if it's dead. */
1442 2732 : return true;
1443 : }
1444 :
1445 :
1446 : /*
1447 : * Check the current toast tuple against the state tracked in ctx, recording
1448 : * any corruption found in ctx->tupstore.
1449 : *
1450 : * This is not equivalent to running verify_heapam on the toast table itself,
1451 : * and is not hardened against corruption of the toast table. Rather, when
1452 : * validating a toasted attribute in the main table, the sequence of toast
1453 : * tuples that store the toasted value are retrieved and checked in order, with
1454 : * each toast tuple being checked against where we are in the sequence, as well
1455 : * as each toast tuple having its varlena structure sanity checked.
1456 : *
1457 : * On entry, *expected_chunk_seq should be the chunk_seq value that we expect
1458 : * to find in toasttup. On exit, it will be updated to the value the next call
1459 : * to this function should expect to see.
1460 : */
1461 : static void
1462 83320 : check_toast_tuple(HeapTuple toasttup, HeapCheckContext *ctx,
1463 : ToastedAttribute *ta, int32 *expected_chunk_seq,
1464 : uint32 extsize)
1465 : {
1466 : int32 chunk_seq;
1467 83320 : int32 last_chunk_seq = (extsize - 1) / TOAST_MAX_CHUNK_SIZE;
1468 : Pointer chunk;
1469 : bool isnull;
1470 : int32 chunksize;
1471 : int32 expected_size;
1472 :
1473 : /* Sanity-check the sequence number. */
1474 83320 : chunk_seq = DatumGetInt32(fastgetattr(toasttup, 2,
1475 83320 : ctx->toast_rel->rd_att, &isnull));
1476 83320 : if (isnull)
1477 : {
1478 0 : report_toast_corruption(ctx, ta,
1479 : psprintf("toast value %u has toast chunk with null sequence number",
1480 : ta->toast_pointer.va_valueid));
1481 0 : return;
1482 : }
1483 83320 : if (chunk_seq != *expected_chunk_seq)
1484 : {
1485 : /* Either the TOAST index is corrupt, or we don't have all chunks. */
1486 0 : report_toast_corruption(ctx, ta,
1487 : psprintf("toast value %u index scan returned chunk %d when expecting chunk %d",
1488 : ta->toast_pointer.va_valueid,
1489 : chunk_seq, *expected_chunk_seq));
1490 : }
1491 83320 : *expected_chunk_seq = chunk_seq + 1;
1492 :
1493 : /* Sanity-check the chunk data. */
1494 83320 : chunk = DatumGetPointer(fastgetattr(toasttup, 3,
1495 83320 : ctx->toast_rel->rd_att, &isnull));
1496 83320 : if (isnull)
1497 : {
1498 0 : report_toast_corruption(ctx, ta,
1499 : psprintf("toast value %u chunk %d has null data",
1500 : ta->toast_pointer.va_valueid,
1501 : chunk_seq));
1502 0 : return;
1503 : }
1504 83320 : if (!VARATT_IS_EXTENDED(chunk))
1505 83320 : chunksize = VARSIZE(chunk) - VARHDRSZ;
1506 0 : else if (VARATT_IS_SHORT(chunk))
1507 : {
1508 : /*
1509 : * could happen due to heap_form_tuple doing its thing
1510 : */
1511 0 : chunksize = VARSIZE_SHORT(chunk) - VARHDRSZ_SHORT;
1512 : }
1513 : else
1514 : {
1515 : /* should never happen */
1516 0 : uint32 header = ((varattrib_4b *) chunk)->va_4byte.va_header;
1517 :
1518 0 : report_toast_corruption(ctx, ta,
1519 : psprintf("toast value %u chunk %d has invalid varlena header %0x",
1520 : ta->toast_pointer.va_valueid,
1521 : chunk_seq, header));
1522 0 : return;
1523 : }
1524 :
1525 : /*
1526 : * Some checks on the data we've found
1527 : */
1528 83320 : if (chunk_seq > last_chunk_seq)
1529 : {
1530 0 : report_toast_corruption(ctx, ta,
1531 : psprintf("toast value %u chunk %d follows last expected chunk %d",
1532 : ta->toast_pointer.va_valueid,
1533 : chunk_seq, last_chunk_seq));
1534 0 : return;
1535 : }
1536 :
1537 83320 : expected_size = chunk_seq < last_chunk_seq ? TOAST_MAX_CHUNK_SIZE
1538 23628 : : extsize - (last_chunk_seq * TOAST_MAX_CHUNK_SIZE);
1539 :
1540 83320 : if (chunksize != expected_size)
1541 0 : report_toast_corruption(ctx, ta,
1542 : psprintf("toast value %u chunk %d has size %u, but expected size %u",
1543 : ta->toast_pointer.va_valueid,
1544 : chunk_seq, chunksize, expected_size));
1545 : }
1546 :
1547 : /*
1548 : * Check the current attribute as tracked in ctx, recording any corruption
1549 : * found in ctx->tupstore.
1550 : *
1551 : * This function follows the logic performed by heap_deform_tuple(), and in the
1552 : * case of a toasted value, optionally stores the toast pointer so later it can
1553 : * be checked following the logic of detoast_external_attr(), checking for any
1554 : * conditions that would result in either of those functions Asserting or
1555 : * crashing the backend. The checks performed by Asserts present in those two
1556 : * functions are also performed here and in check_toasted_attribute. In cases
1557 : * where those two functions are a bit cavalier in their assumptions about data
1558 : * being correct, we perform additional checks not present in either of those
1559 : * two functions. Where some condition is checked in both of those functions,
1560 : * we perform it here twice, as we parallel the logical flow of those two
1561 : * functions. The presence of duplicate checks seems a reasonable price to pay
1562 : * for keeping this code tightly coupled with the code it protects.
1563 : *
1564 : * Returns true if the tuple attribute is sane enough for processing to
1565 : * continue on to the next attribute, false otherwise.
1566 : */
1567 : static bool
1568 15469252 : check_tuple_attribute(HeapCheckContext *ctx)
1569 : {
1570 : Datum attdatum;
1571 : struct varlena *attr;
1572 : char *tp; /* pointer to the tuple data */
1573 : uint16 infomask;
1574 : CompactAttribute *thisatt;
1575 : struct varatt_external toast_pointer;
1576 :
1577 15469252 : infomask = ctx->tuphdr->t_infomask;
1578 15469252 : thisatt = TupleDescCompactAttr(RelationGetDescr(ctx->rel), ctx->attnum);
1579 :
1580 15469252 : tp = (char *) ctx->tuphdr + ctx->tuphdr->t_hoff;
1581 :
1582 15469252 : if (ctx->tuphdr->t_hoff + ctx->offset > ctx->lp_len)
1583 : {
1584 0 : report_corruption(ctx,
1585 : psprintf("attribute with length %u starts at offset %u beyond total tuple length %u",
1586 0 : thisatt->attlen,
1587 0 : ctx->tuphdr->t_hoff + ctx->offset,
1588 0 : ctx->lp_len));
1589 0 : return false;
1590 : }
1591 :
1592 : /* Skip null values */
1593 15469252 : if (infomask & HEAP_HASNULL && att_isnull(ctx->attnum, ctx->tuphdr->t_bits))
1594 2650576 : return true;
1595 :
1596 : /* Skip non-varlena values, but update offset first */
1597 12818676 : if (thisatt->attlen != -1)
1598 : {
1599 11758364 : ctx->offset = att_nominal_alignby(ctx->offset, thisatt->attalignby);
1600 11758364 : ctx->offset = att_addlength_pointer(ctx->offset, thisatt->attlen,
1601 : tp + ctx->offset);
1602 11758364 : if (ctx->tuphdr->t_hoff + ctx->offset > ctx->lp_len)
1603 : {
1604 0 : report_corruption(ctx,
1605 : psprintf("attribute with length %u ends at offset %u beyond total tuple length %u",
1606 0 : thisatt->attlen,
1607 0 : ctx->tuphdr->t_hoff + ctx->offset,
1608 0 : ctx->lp_len));
1609 0 : return false;
1610 : }
1611 11758364 : return true;
1612 : }
1613 :
1614 : /* Ok, we're looking at a varlena attribute. */
1615 1060312 : ctx->offset = att_pointer_alignby(ctx->offset, thisatt->attalignby, -1,
1616 : tp + ctx->offset);
1617 :
1618 : /* Get the (possibly corrupt) varlena datum */
1619 1060312 : attdatum = fetchatt(thisatt, tp + ctx->offset);
1620 :
1621 : /*
1622 : * We have the datum, but we cannot decode it carelessly, as it may still
1623 : * be corrupt.
1624 : */
1625 :
1626 : /*
1627 : * Check that VARTAG_SIZE won't hit an Assert on a corrupt va_tag before
1628 : * risking a call into att_addlength_pointer
1629 : */
1630 1060312 : if (VARATT_IS_EXTERNAL(tp + ctx->offset))
1631 : {
1632 52510 : uint8 va_tag = VARTAG_EXTERNAL(tp + ctx->offset);
1633 :
1634 52510 : if (va_tag != VARTAG_ONDISK)
1635 : {
1636 0 : report_corruption(ctx,
1637 : psprintf("toasted attribute has unexpected TOAST tag %u",
1638 : va_tag));
1639 : /* We can't know where the next attribute begins */
1640 0 : return false;
1641 : }
1642 : }
1643 :
1644 : /* Ok, should be safe now */
1645 1060312 : ctx->offset = att_addlength_pointer(ctx->offset, thisatt->attlen,
1646 : tp + ctx->offset);
1647 :
1648 1060312 : if (ctx->tuphdr->t_hoff + ctx->offset > ctx->lp_len)
1649 : {
1650 2 : report_corruption(ctx,
1651 : psprintf("attribute with length %u ends at offset %u beyond total tuple length %u",
1652 2 : thisatt->attlen,
1653 2 : ctx->tuphdr->t_hoff + ctx->offset,
1654 2 : ctx->lp_len));
1655 :
1656 2 : return false;
1657 : }
1658 :
1659 : /*
1660 : * heap_deform_tuple would be done with this attribute at this point,
1661 : * having stored it in values[], and would continue to the next attribute.
1662 : * We go further, because we need to check if the toast datum is corrupt.
1663 : */
1664 :
1665 1060310 : attr = (struct varlena *) DatumGetPointer(attdatum);
1666 :
1667 : /*
1668 : * Now we follow the logic of detoast_external_attr(), with the same
1669 : * caveats about being paranoid about corruption.
1670 : */
1671 :
1672 : /* Skip values that are not external */
1673 1060310 : if (!VARATT_IS_EXTERNAL(attr))
1674 1007800 : return true;
1675 :
1676 : /* It is external, and we're looking at a page on disk */
1677 :
1678 : /*
1679 : * Must copy attr into toast_pointer for alignment considerations
1680 : */
1681 52510 : VARATT_EXTERNAL_GET_POINTER(toast_pointer, attr);
1682 :
1683 : /* Toasted attributes too large to be untoasted should never be stored */
1684 52510 : if (toast_pointer.va_rawsize > VARLENA_SIZE_LIMIT)
1685 0 : report_corruption(ctx,
1686 : psprintf("toast value %u rawsize %d exceeds limit %d",
1687 : toast_pointer.va_valueid,
1688 : toast_pointer.va_rawsize,
1689 : VARLENA_SIZE_LIMIT));
1690 :
1691 52510 : if (VARATT_EXTERNAL_IS_COMPRESSED(toast_pointer))
1692 : {
1693 : ToastCompressionId cmid;
1694 4054 : bool valid = false;
1695 :
1696 : /* Compressed attributes should have a valid compression method */
1697 4054 : cmid = TOAST_COMPRESS_METHOD(&toast_pointer);
1698 4054 : switch (cmid)
1699 : {
1700 : /* List of all valid compression method IDs */
1701 4054 : case TOAST_PGLZ_COMPRESSION_ID:
1702 : case TOAST_LZ4_COMPRESSION_ID:
1703 4054 : valid = true;
1704 4054 : break;
1705 :
1706 : /* Recognized but invalid compression method ID */
1707 0 : case TOAST_INVALID_COMPRESSION_ID:
1708 0 : break;
1709 :
1710 : /* Intentionally no default here */
1711 : }
1712 4054 : if (!valid)
1713 0 : report_corruption(ctx,
1714 : psprintf("toast value %u has invalid compression method id %d",
1715 : toast_pointer.va_valueid, cmid));
1716 : }
1717 :
1718 : /* The tuple header better claim to contain toasted values */
1719 52510 : if (!(infomask & HEAP_HASEXTERNAL))
1720 : {
1721 0 : report_corruption(ctx,
1722 : psprintf("toast value %u is external but tuple header flag HEAP_HASEXTERNAL not set",
1723 : toast_pointer.va_valueid));
1724 0 : return true;
1725 : }
1726 :
1727 : /* The relation better have a toast table */
1728 52510 : if (!ctx->rel->rd_rel->reltoastrelid)
1729 : {
1730 0 : report_corruption(ctx,
1731 : psprintf("toast value %u is external but relation has no toast relation",
1732 : toast_pointer.va_valueid));
1733 0 : return true;
1734 : }
1735 :
1736 : /* If we were told to skip toast checking, then we're done. */
1737 52510 : if (ctx->toast_rel == NULL)
1738 28858 : return true;
1739 :
1740 : /*
1741 : * If this tuple is eligible to be pruned, we cannot check the toast.
1742 : * Otherwise, we push a copy of the toast tuple so we can check it after
1743 : * releasing the main table buffer lock.
1744 : */
1745 23652 : if (!ctx->tuple_could_be_pruned)
1746 : {
1747 : ToastedAttribute *ta;
1748 :
1749 23648 : ta = (ToastedAttribute *) palloc0(sizeof(ToastedAttribute));
1750 :
1751 23648 : VARATT_EXTERNAL_GET_POINTER(ta->toast_pointer, attr);
1752 23648 : ta->blkno = ctx->blkno;
1753 23648 : ta->offnum = ctx->offnum;
1754 23648 : ta->attnum = ctx->attnum;
1755 23648 : ctx->toasted_attributes = lappend(ctx->toasted_attributes, ta);
1756 : }
1757 :
1758 23652 : return true;
1759 : }
1760 :
1761 : /*
1762 : * For each attribute collected in ctx->toasted_attributes, look up the value
1763 : * in the toast table and perform checks on it. This function should only be
1764 : * called on toast pointers which cannot be vacuumed away during our
1765 : * processing.
1766 : */
1767 : static void
1768 23636 : check_toasted_attribute(HeapCheckContext *ctx, ToastedAttribute *ta)
1769 : {
1770 : ScanKeyData toastkey;
1771 : SysScanDesc toastscan;
1772 : bool found_toasttup;
1773 : HeapTuple toasttup;
1774 : uint32 extsize;
1775 23636 : int32 expected_chunk_seq = 0;
1776 : int32 last_chunk_seq;
1777 :
1778 23636 : extsize = VARATT_EXTERNAL_GET_EXTSIZE(ta->toast_pointer);
1779 23636 : last_chunk_seq = (extsize - 1) / TOAST_MAX_CHUNK_SIZE;
1780 :
1781 : /*
1782 : * Setup a scan key to find chunks in toast table with matching va_valueid
1783 : */
1784 23636 : ScanKeyInit(&toastkey,
1785 : (AttrNumber) 1,
1786 : BTEqualStrategyNumber, F_OIDEQ,
1787 : ObjectIdGetDatum(ta->toast_pointer.va_valueid));
1788 :
1789 : /*
1790 : * Check if any chunks for this toasted object exist in the toast table,
1791 : * accessible via the index.
1792 : */
1793 23636 : toastscan = systable_beginscan_ordered(ctx->toast_rel,
1794 : ctx->valid_toast_index,
1795 : get_toast_snapshot(), 1,
1796 : &toastkey);
1797 23636 : found_toasttup = false;
1798 130586 : while ((toasttup =
1799 106956 : systable_getnext_ordered(toastscan,
1800 : ForwardScanDirection)) != NULL)
1801 : {
1802 83320 : found_toasttup = true;
1803 83320 : check_toast_tuple(toasttup, ctx, ta, &expected_chunk_seq, extsize);
1804 : }
1805 23630 : systable_endscan_ordered(toastscan);
1806 :
1807 23630 : if (!found_toasttup)
1808 2 : report_toast_corruption(ctx, ta,
1809 : psprintf("toast value %u not found in toast table",
1810 : ta->toast_pointer.va_valueid));
1811 23628 : else if (expected_chunk_seq <= last_chunk_seq)
1812 0 : report_toast_corruption(ctx, ta,
1813 : psprintf("toast value %u was expected to end at chunk %d, but ended while expecting chunk %d",
1814 : ta->toast_pointer.va_valueid,
1815 : last_chunk_seq, expected_chunk_seq));
1816 23630 : }
1817 :
1818 : /*
1819 : * Check the current tuple as tracked in ctx, recording any corruption found in
1820 : * ctx->tupstore.
1821 : *
1822 : * We return some information about the status of xmin to aid in validating
1823 : * update chains.
1824 : */
1825 : static void
1826 1077492 : check_tuple(HeapCheckContext *ctx, bool *xmin_commit_status_ok,
1827 : XidCommitStatus *xmin_commit_status)
1828 : {
1829 : /*
1830 : * Check various forms of tuple header corruption, and if the header is
1831 : * too corrupt, do not continue with other checks.
1832 : */
1833 1077492 : if (!check_tuple_header(ctx))
1834 10 : return;
1835 :
1836 : /*
1837 : * Check tuple visibility. If the inserting transaction aborted, we
1838 : * cannot assume our relation description matches the tuple structure, and
1839 : * therefore cannot check it.
1840 : */
1841 1077482 : if (!check_tuple_visibility(ctx, xmin_commit_status_ok,
1842 : xmin_commit_status))
1843 24 : return;
1844 :
1845 : /*
1846 : * The tuple is visible, so it must be compatible with the current version
1847 : * of the relation descriptor. It might have fewer columns than are
1848 : * present in the relation descriptor, but it cannot have more.
1849 : */
1850 1077458 : if (RelationGetDescr(ctx->rel)->natts < ctx->natts)
1851 : {
1852 4 : report_corruption(ctx,
1853 : psprintf("number of attributes %u exceeds maximum expected for table %u",
1854 : ctx->natts,
1855 4 : RelationGetDescr(ctx->rel)->natts));
1856 4 : return;
1857 : }
1858 :
1859 : /*
1860 : * Check each attribute unless we hit corruption that confuses what to do
1861 : * next, at which point we abort further attribute checks for this tuple.
1862 : * Note that we don't abort for all types of corruption, only for those
1863 : * types where we don't know how to continue. We also don't abort the
1864 : * checking of toasted attributes collected from the tuple prior to
1865 : * aborting. Those will still be checked later along with other toasted
1866 : * attributes collected from the page.
1867 : */
1868 1077454 : ctx->offset = 0;
1869 16546704 : for (ctx->attnum = 0; ctx->attnum < ctx->natts; ctx->attnum++)
1870 15469252 : if (!check_tuple_attribute(ctx))
1871 2 : break; /* cannot continue */
1872 :
1873 : /* revert attnum to -1 until we again examine individual attributes */
1874 1077454 : ctx->attnum = -1;
1875 : }
1876 :
1877 : /*
1878 : * Convert a TransactionId into a FullTransactionId using our cached values of
1879 : * the valid transaction ID range. It is the caller's responsibility to have
1880 : * already updated the cached values, if necessary.
1881 : */
1882 : static FullTransactionId
1883 151034 : FullTransactionIdFromXidAndCtx(TransactionId xid, const HeapCheckContext *ctx)
1884 : {
1885 : uint64 nextfxid_i;
1886 : int32 diff;
1887 : FullTransactionId fxid;
1888 :
1889 : Assert(TransactionIdIsNormal(ctx->next_xid));
1890 : Assert(FullTransactionIdIsNormal(ctx->next_fxid));
1891 : Assert(XidFromFullTransactionId(ctx->next_fxid) == ctx->next_xid);
1892 :
1893 151034 : if (!TransactionIdIsNormal(xid))
1894 382 : return FullTransactionIdFromEpochAndXid(0, xid);
1895 :
1896 150652 : nextfxid_i = U64FromFullTransactionId(ctx->next_fxid);
1897 :
1898 : /* compute the 32bit modulo difference */
1899 150652 : diff = (int32) (ctx->next_xid - xid);
1900 :
1901 : /*
1902 : * In cases of corruption we might see a 32bit xid that is before epoch 0.
1903 : * We can't represent that as a 64bit xid, due to 64bit xids being
1904 : * unsigned integers, without the modulo arithmetic of 32bit xid. There's
1905 : * no really nice way to deal with that, but it works ok enough to use
1906 : * FirstNormalFullTransactionId in that case, as a freshly initdb'd
1907 : * cluster already has a newer horizon.
1908 : */
1909 150652 : if (diff > 0 && (nextfxid_i - FirstNormalTransactionId) < (int64) diff)
1910 : {
1911 : Assert(EpochFromFullTransactionId(ctx->next_fxid) == 0);
1912 8 : fxid = FirstNormalFullTransactionId;
1913 : }
1914 : else
1915 150644 : fxid = FullTransactionIdFromU64(nextfxid_i - diff);
1916 :
1917 : Assert(FullTransactionIdIsNormal(fxid));
1918 150652 : return fxid;
1919 : }
1920 :
1921 : /*
1922 : * Update our cached range of valid transaction IDs.
1923 : */
1924 : static void
1925 2958 : update_cached_xid_range(HeapCheckContext *ctx)
1926 : {
1927 : /* Make cached copies */
1928 2958 : LWLockAcquire(XidGenLock, LW_SHARED);
1929 2958 : ctx->next_fxid = TransamVariables->nextXid;
1930 2958 : ctx->oldest_xid = TransamVariables->oldestXid;
1931 2958 : LWLockRelease(XidGenLock);
1932 :
1933 : /* And compute alternate versions of the same */
1934 2958 : ctx->next_xid = XidFromFullTransactionId(ctx->next_fxid);
1935 2958 : ctx->oldest_fxid = FullTransactionIdFromXidAndCtx(ctx->oldest_xid, ctx);
1936 2958 : }
1937 :
1938 : /*
1939 : * Update our cached range of valid multitransaction IDs.
1940 : */
1941 : static void
1942 2954 : update_cached_mxid_range(HeapCheckContext *ctx)
1943 : {
1944 2954 : ReadMultiXactIdRange(&ctx->oldest_mxact, &ctx->next_mxact);
1945 2954 : }
1946 :
1947 : /*
1948 : * Return whether the given FullTransactionId is within our cached valid
1949 : * transaction ID range.
1950 : */
1951 : static inline bool
1952 126848 : fxid_in_cached_range(FullTransactionId fxid, const HeapCheckContext *ctx)
1953 : {
1954 253690 : return (FullTransactionIdPrecedesOrEquals(ctx->oldest_fxid, fxid) &&
1955 126842 : FullTransactionIdPrecedes(fxid, ctx->next_fxid));
1956 : }
1957 :
1958 : /*
1959 : * Checks whether a multitransaction ID is in the cached valid range, returning
1960 : * the nature of the range violation, if any.
1961 : */
1962 : static XidBoundsViolation
1963 120 : check_mxid_in_range(MultiXactId mxid, HeapCheckContext *ctx)
1964 : {
1965 120 : if (!TransactionIdIsValid(mxid))
1966 0 : return XID_INVALID;
1967 120 : if (MultiXactIdPrecedes(mxid, ctx->relminmxid))
1968 4 : return XID_PRECEDES_RELMIN;
1969 116 : if (MultiXactIdPrecedes(mxid, ctx->oldest_mxact))
1970 0 : return XID_PRECEDES_CLUSTERMIN;
1971 116 : if (MultiXactIdPrecedesOrEquals(ctx->next_mxact, mxid))
1972 4 : return XID_IN_FUTURE;
1973 112 : return XID_BOUNDS_OK;
1974 : }
1975 :
1976 : /*
1977 : * Checks whether the given mxid is valid to appear in the heap being checked,
1978 : * returning the nature of the range violation, if any.
1979 : *
1980 : * This function attempts to return quickly by caching the known valid mxid
1981 : * range in ctx. Callers should already have performed the initial setup of
1982 : * the cache prior to the first call to this function.
1983 : */
1984 : static XidBoundsViolation
1985 116 : check_mxid_valid_in_rel(MultiXactId mxid, HeapCheckContext *ctx)
1986 : {
1987 : XidBoundsViolation result;
1988 :
1989 116 : result = check_mxid_in_range(mxid, ctx);
1990 116 : if (result == XID_BOUNDS_OK)
1991 112 : return XID_BOUNDS_OK;
1992 :
1993 : /* The range may have advanced. Recheck. */
1994 4 : update_cached_mxid_range(ctx);
1995 4 : return check_mxid_in_range(mxid, ctx);
1996 : }
1997 :
1998 : /*
1999 : * Checks whether the given transaction ID is (or was recently) valid to appear
2000 : * in the heap being checked, or whether it is too old or too new to appear in
2001 : * the relation, returning information about the nature of the bounds violation.
2002 : *
2003 : * We cache the range of valid transaction IDs. If xid is in that range, we
2004 : * conclude that it is valid, even though concurrent changes to the table might
2005 : * invalidate it under certain corrupt conditions. (For example, if the table
2006 : * contains corrupt all-frozen bits, a concurrent vacuum might skip the page(s)
2007 : * containing the xid and then truncate clog and advance the relfrozenxid
2008 : * beyond xid.) Reporting the xid as valid under such conditions seems
2009 : * acceptable, since if we had checked it earlier in our scan it would have
2010 : * truly been valid at that time.
2011 : *
2012 : * If the status argument is not NULL, and if and only if the transaction ID
2013 : * appears to be valid in this relation, the status argument will be set with
2014 : * the commit status of the transaction ID.
2015 : */
2016 : static XidBoundsViolation
2017 1080274 : get_xid_status(TransactionId xid, HeapCheckContext *ctx,
2018 : XidCommitStatus *status)
2019 : {
2020 : FullTransactionId fxid;
2021 : FullTransactionId clog_horizon;
2022 :
2023 : /* Quick check for special xids */
2024 1080274 : if (!TransactionIdIsValid(xid))
2025 2 : return XID_INVALID;
2026 1080272 : else if (xid == BootstrapTransactionId || xid == FrozenTransactionId)
2027 : {
2028 953424 : if (status != NULL)
2029 953424 : *status = XID_COMMITTED;
2030 953424 : return XID_BOUNDS_OK;
2031 : }
2032 :
2033 : /* Check if the xid is within bounds */
2034 126848 : fxid = FullTransactionIdFromXidAndCtx(xid, ctx);
2035 126848 : if (!fxid_in_cached_range(fxid, ctx))
2036 : {
2037 : /*
2038 : * We may have been checking against stale values. Update the cached
2039 : * range to be sure, and since we relied on the cached range when we
2040 : * performed the full xid conversion, reconvert.
2041 : */
2042 8 : update_cached_xid_range(ctx);
2043 8 : fxid = FullTransactionIdFromXidAndCtx(xid, ctx);
2044 : }
2045 :
2046 126848 : if (FullTransactionIdPrecedesOrEquals(ctx->next_fxid, fxid))
2047 2 : return XID_IN_FUTURE;
2048 126846 : if (FullTransactionIdPrecedes(fxid, ctx->oldest_fxid))
2049 6 : return XID_PRECEDES_CLUSTERMIN;
2050 126840 : if (FullTransactionIdPrecedes(fxid, ctx->relfrozenfxid))
2051 2 : return XID_PRECEDES_RELMIN;
2052 :
2053 : /* Early return if the caller does not request clog checking */
2054 126838 : if (status == NULL)
2055 0 : return XID_BOUNDS_OK;
2056 :
2057 : /* Early return if we just checked this xid in a prior call */
2058 126838 : if (xid == ctx->cached_xid)
2059 : {
2060 108568 : *status = ctx->cached_status;
2061 108568 : return XID_BOUNDS_OK;
2062 : }
2063 :
2064 18270 : *status = XID_COMMITTED;
2065 18270 : LWLockAcquire(XactTruncationLock, LW_SHARED);
2066 : clog_horizon =
2067 18270 : FullTransactionIdFromXidAndCtx(TransamVariables->oldestClogXid,
2068 : ctx);
2069 18270 : if (FullTransactionIdPrecedesOrEquals(clog_horizon, fxid))
2070 : {
2071 18270 : if (TransactionIdIsCurrentTransactionId(xid))
2072 0 : *status = XID_IS_CURRENT_XID;
2073 18270 : else if (TransactionIdIsInProgress(xid))
2074 4 : *status = XID_IN_PROGRESS;
2075 18266 : else if (TransactionIdDidCommit(xid))
2076 18252 : *status = XID_COMMITTED;
2077 : else
2078 14 : *status = XID_ABORTED;
2079 : }
2080 18270 : LWLockRelease(XactTruncationLock);
2081 18270 : ctx->cached_xid = xid;
2082 18270 : ctx->cached_status = *status;
2083 18270 : return XID_BOUNDS_OK;
2084 : }
|
