Line data Source code
1 : /*-------------------------------------------------------------------------
2 : *
3 : * verify_heapam.c
4 : * Functions to check postgresql heap relations for corruption
5 : *
6 : * Copyright (c) 2016-2025, PostgreSQL Global Development Group
7 : *
8 : * contrib/amcheck/verify_heapam.c
9 : *-------------------------------------------------------------------------
10 : */
11 : #include "postgres.h"
12 :
13 : #include "access/detoast.h"
14 : #include "access/genam.h"
15 : #include "access/heaptoast.h"
16 : #include "access/multixact.h"
17 : #include "access/relation.h"
18 : #include "access/table.h"
19 : #include "access/toast_internals.h"
20 : #include "access/visibilitymap.h"
21 : #include "access/xact.h"
22 : #include "catalog/pg_am.h"
23 : #include "catalog/pg_class.h"
24 : #include "funcapi.h"
25 : #include "miscadmin.h"
26 : #include "storage/bufmgr.h"
27 : #include "storage/procarray.h"
28 : #include "storage/read_stream.h"
29 : #include "utils/builtins.h"
30 : #include "utils/fmgroids.h"
31 : #include "utils/rel.h"
32 :
33 604 : PG_FUNCTION_INFO_V1(verify_heapam);
34 :
35 : /* The number of columns in tuples returned by verify_heapam */
36 : #define HEAPCHECK_RELATION_COLS 4
37 :
38 : /* The largest valid toast va_rawsize */
39 : #define VARLENA_SIZE_LIMIT 0x3FFFFFFF
40 :
41 : /*
42 : * Despite the name, we use this for reporting problems with both XIDs and
43 : * MXIDs.
44 : */
45 : typedef enum XidBoundsViolation
46 : {
47 : XID_INVALID,
48 : XID_IN_FUTURE,
49 : XID_PRECEDES_CLUSTERMIN,
50 : XID_PRECEDES_RELMIN,
51 : XID_BOUNDS_OK,
52 : } XidBoundsViolation;
53 :
54 : typedef enum XidCommitStatus
55 : {
56 : XID_COMMITTED,
57 : XID_IS_CURRENT_XID,
58 : XID_IN_PROGRESS,
59 : XID_ABORTED,
60 : } XidCommitStatus;
61 :
62 : typedef enum SkipPages
63 : {
64 : SKIP_PAGES_ALL_FROZEN,
65 : SKIP_PAGES_ALL_VISIBLE,
66 : SKIP_PAGES_NONE,
67 : } SkipPages;
68 :
69 : /*
70 : * Struct holding information about a toasted attribute sufficient to both
71 : * check the toasted attribute and, if found to be corrupt, to report where it
72 : * was encountered in the main table.
73 : */
74 : typedef struct ToastedAttribute
75 : {
76 : struct varatt_external toast_pointer;
77 : BlockNumber blkno; /* block in main table */
78 : OffsetNumber offnum; /* offset in main table */
79 : AttrNumber attnum; /* attribute in main table */
80 : } ToastedAttribute;
81 :
82 : /*
83 : * Struct holding the running context information during
84 : * a lifetime of a verify_heapam execution.
85 : */
86 : typedef struct HeapCheckContext
87 : {
88 : /*
89 : * Cached copies of values from TransamVariables and computed values from
90 : * them.
91 : */
92 : FullTransactionId next_fxid; /* TransamVariables->nextXid */
93 : TransactionId next_xid; /* 32-bit version of next_fxid */
94 : TransactionId oldest_xid; /* TransamVariables->oldestXid */
95 : FullTransactionId oldest_fxid; /* 64-bit version of oldest_xid, computed
96 : * relative to next_fxid */
97 : TransactionId safe_xmin; /* this XID and newer ones can't become
98 : * all-visible while we're running */
99 :
100 : /*
101 : * Cached copy of value from MultiXactState
102 : */
103 : MultiXactId next_mxact; /* MultiXactState->nextMXact */
104 : MultiXactId oldest_mxact; /* MultiXactState->oldestMultiXactId */
105 :
106 : /*
107 : * Cached copies of the most recently checked xid and its status.
108 : */
109 : TransactionId cached_xid;
110 : XidCommitStatus cached_status;
111 :
112 : /* Values concerning the heap relation being checked */
113 : Relation rel;
114 : TransactionId relfrozenxid;
115 : FullTransactionId relfrozenfxid;
116 : TransactionId relminmxid;
117 : Relation toast_rel;
118 : Relation *toast_indexes;
119 : Relation valid_toast_index;
120 : int num_toast_indexes;
121 :
122 : /*
123 : * Values for iterating over pages in the relation. `blkno` is the most
124 : * recent block in the buffer yielded by the read stream API.
125 : */
126 : BlockNumber blkno;
127 : BufferAccessStrategy bstrategy;
128 : Buffer buffer;
129 : Page page;
130 :
131 : /* Values for iterating over tuples within a page */
132 : OffsetNumber offnum;
133 : ItemId itemid;
134 : uint16 lp_len;
135 : uint16 lp_off;
136 : HeapTupleHeader tuphdr;
137 : int natts;
138 :
139 : /* Values for iterating over attributes within the tuple */
140 : uint32 offset; /* offset in tuple data */
141 : AttrNumber attnum;
142 :
143 : /* True if tuple's xmax makes it eligible for pruning */
144 : bool tuple_could_be_pruned;
145 :
146 : /*
147 : * List of ToastedAttribute structs for toasted attributes which are not
148 : * eligible for pruning and should be checked
149 : */
150 : List *toasted_attributes;
151 :
152 : /* Whether verify_heapam has yet encountered any corrupt tuples */
153 : bool is_corrupt;
154 :
155 : /* The descriptor and tuplestore for verify_heapam's result tuples */
156 : TupleDesc tupdesc;
157 : Tuplestorestate *tupstore;
158 : } HeapCheckContext;
159 :
160 : /*
161 : * The per-relation data provided to the read stream API for heap amcheck to
162 : * use in its callback for the SKIP_PAGES_ALL_FROZEN and
163 : * SKIP_PAGES_ALL_VISIBLE options.
164 : */
165 : typedef struct HeapCheckReadStreamData
166 : {
167 : /*
168 : * `range` is used by all SkipPages options. SKIP_PAGES_NONE uses the
169 : * default read stream callback, block_range_read_stream_cb(), which takes
170 : * a BlockRangeReadStreamPrivate as its callback_private_data. `range`
171 : * keeps track of the current block number across
172 : * read_stream_next_buffer() invocations.
173 : */
174 : BlockRangeReadStreamPrivate range;
175 : SkipPages skip_option;
176 : Relation rel;
177 : Buffer *vmbuffer;
178 : } HeapCheckReadStreamData;
179 :
180 :
181 : /* Internal implementation */
182 : static BlockNumber heapcheck_read_stream_next_unskippable(ReadStream *stream,
183 : void *callback_private_data,
184 : void *per_buffer_data);
185 :
186 : static void check_tuple(HeapCheckContext *ctx,
187 : bool *xmin_commit_status_ok,
188 : XidCommitStatus *xmin_commit_status);
189 : static void check_toast_tuple(HeapTuple toasttup, HeapCheckContext *ctx,
190 : ToastedAttribute *ta, int32 *expected_chunk_seq,
191 : uint32 extsize);
192 :
193 : static bool check_tuple_attribute(HeapCheckContext *ctx);
194 : static void check_toasted_attribute(HeapCheckContext *ctx,
195 : ToastedAttribute *ta);
196 :
197 : static bool check_tuple_header(HeapCheckContext *ctx);
198 : static bool check_tuple_visibility(HeapCheckContext *ctx,
199 : bool *xmin_commit_status_ok,
200 : XidCommitStatus *xmin_commit_status);
201 :
202 : static void report_corruption(HeapCheckContext *ctx, char *msg);
203 : static void report_toast_corruption(HeapCheckContext *ctx,
204 : ToastedAttribute *ta, char *msg);
205 : static FullTransactionId FullTransactionIdFromXidAndCtx(TransactionId xid,
206 : const HeapCheckContext *ctx);
207 : static void update_cached_xid_range(HeapCheckContext *ctx);
208 : static void update_cached_mxid_range(HeapCheckContext *ctx);
209 : static XidBoundsViolation check_mxid_in_range(MultiXactId mxid,
210 : HeapCheckContext *ctx);
211 : static XidBoundsViolation check_mxid_valid_in_rel(MultiXactId mxid,
212 : HeapCheckContext *ctx);
213 : static XidBoundsViolation get_xid_status(TransactionId xid,
214 : HeapCheckContext *ctx,
215 : XidCommitStatus *status);
216 :
217 : /*
218 : * Scan and report corruption in heap pages, optionally reconciling toasted
219 : * attributes with entries in the associated toast table. Intended to be
220 : * called from SQL with the following parameters:
221 : *
222 : * relation:
223 : * The Oid of the heap relation to be checked.
224 : *
225 : * on_error_stop:
226 : * Whether to stop at the end of the first page for which errors are
227 : * detected. Note that multiple rows may be returned.
228 : *
229 : * check_toast:
230 : * Whether to check each toasted attribute against the toast table to
231 : * verify that it can be found there.
232 : *
233 : * skip:
234 : * What kinds of pages in the heap relation should be skipped. Valid
235 : * options are "all-visible", "all-frozen", and "none".
236 : *
237 : * Returns to the SQL caller a set of tuples, each containing the location
238 : * and a description of a corruption found in the heap.
239 : *
240 : * This code goes to some trouble to avoid crashing the server even if the
241 : * table pages are badly corrupted, but it's probably not perfect. If
242 : * check_toast is true, we'll use regular index lookups to try to fetch TOAST
243 : * tuples, which can certainly cause crashes if the right kind of corruption
244 : * exists in the toast table or index. No matter what parameters you pass,
245 : * we can't protect against crashes that might occur trying to look up the
246 : * commit status of transaction IDs (though we avoid trying to do such lookups
247 : * for transaction IDs that can't legally appear in the table).
248 : */
249 : Datum
250 6882 : verify_heapam(PG_FUNCTION_ARGS)
251 : {
252 6882 : ReturnSetInfo *rsinfo = (ReturnSetInfo *) fcinfo->resultinfo;
253 : HeapCheckContext ctx;
254 6882 : Buffer vmbuffer = InvalidBuffer;
255 : Oid relid;
256 : bool on_error_stop;
257 : bool check_toast;
258 6882 : SkipPages skip_option = SKIP_PAGES_NONE;
259 : BlockNumber first_block;
260 : BlockNumber last_block;
261 : BlockNumber nblocks;
262 : const char *skip;
263 : ReadStream *stream;
264 : int stream_flags;
265 : ReadStreamBlockNumberCB stream_cb;
266 : void *stream_data;
267 : HeapCheckReadStreamData stream_skip_data;
268 :
269 : /* Check supplied arguments */
270 6882 : if (PG_ARGISNULL(0))
271 0 : ereport(ERROR,
272 : (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
273 : errmsg("relation cannot be null")));
274 6882 : relid = PG_GETARG_OID(0);
275 :
276 6882 : if (PG_ARGISNULL(1))
277 0 : ereport(ERROR,
278 : (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
279 : errmsg("on_error_stop cannot be null")));
280 6882 : on_error_stop = PG_GETARG_BOOL(1);
281 :
282 6882 : if (PG_ARGISNULL(2))
283 0 : ereport(ERROR,
284 : (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
285 : errmsg("check_toast cannot be null")));
286 6882 : check_toast = PG_GETARG_BOOL(2);
287 :
288 6882 : if (PG_ARGISNULL(3))
289 0 : ereport(ERROR,
290 : (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
291 : errmsg("skip cannot be null")));
292 6882 : skip = text_to_cstring(PG_GETARG_TEXT_PP(3));
293 6882 : if (pg_strcasecmp(skip, "all-visible") == 0)
294 170 : skip_option = SKIP_PAGES_ALL_VISIBLE;
295 6712 : else if (pg_strcasecmp(skip, "all-frozen") == 0)
296 174 : skip_option = SKIP_PAGES_ALL_FROZEN;
297 6538 : else if (pg_strcasecmp(skip, "none") == 0)
298 6536 : skip_option = SKIP_PAGES_NONE;
299 : else
300 2 : ereport(ERROR,
301 : (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
302 : errmsg("invalid skip option"),
303 : errhint("Valid skip options are \"all-visible\", \"all-frozen\", and \"none\".")));
304 :
305 6880 : memset(&ctx, 0, sizeof(HeapCheckContext));
306 6880 : ctx.cached_xid = InvalidTransactionId;
307 6880 : ctx.toasted_attributes = NIL;
308 :
309 : /*
310 : * Any xmin newer than the xmin of our snapshot can't become all-visible
311 : * while we're running.
312 : */
313 6880 : ctx.safe_xmin = GetTransactionSnapshot()->xmin;
314 :
315 : /*
316 : * If we report corruption when not examining some individual attribute,
317 : * we need attnum to be reported as NULL. Set that up before any
318 : * corruption reporting might happen.
319 : */
320 6880 : ctx.attnum = -1;
321 :
322 : /* Construct the tuplestore and tuple descriptor */
323 6880 : InitMaterializedSRF(fcinfo, 0);
324 6880 : ctx.tupdesc = rsinfo->setDesc;
325 6880 : ctx.tupstore = rsinfo->setResult;
326 :
327 : /* Open relation, check relkind and access method */
328 6880 : ctx.rel = relation_open(relid, AccessShareLock);
329 :
330 : /*
331 : * Check that a relation's relkind and access method are both supported.
332 : */
333 6880 : if (!RELKIND_HAS_TABLE_AM(ctx.rel->rd_rel->relkind) &&
334 392 : ctx.rel->rd_rel->relkind != RELKIND_SEQUENCE)
335 8 : ereport(ERROR,
336 : (errcode(ERRCODE_WRONG_OBJECT_TYPE),
337 : errmsg("cannot check relation \"%s\"",
338 : RelationGetRelationName(ctx.rel)),
339 : errdetail_relkind_not_supported(ctx.rel->rd_rel->relkind)));
340 :
341 : /*
342 : * Sequences always use heap AM, but they don't show that in the catalogs.
343 : * Other relkinds might be using a different AM, so check.
344 : */
345 6872 : if (ctx.rel->rd_rel->relkind != RELKIND_SEQUENCE &&
346 6488 : ctx.rel->rd_rel->relam != HEAP_TABLE_AM_OID)
347 0 : ereport(ERROR,
348 : (errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
349 : errmsg("only heap AM is supported")));
350 :
351 : /*
352 : * Early exit for unlogged relations during recovery. These will have no
353 : * relation fork, so there won't be anything to check. We behave as if
354 : * the relation is empty.
355 : */
356 6872 : if (ctx.rel->rd_rel->relpersistence == RELPERSISTENCE_UNLOGGED &&
357 0 : RecoveryInProgress())
358 : {
359 0 : ereport(DEBUG1,
360 : (errcode(ERRCODE_READ_ONLY_SQL_TRANSACTION),
361 : errmsg("cannot verify unlogged relation \"%s\" during recovery, skipping",
362 : RelationGetRelationName(ctx.rel))));
363 0 : relation_close(ctx.rel, AccessShareLock);
364 0 : PG_RETURN_NULL();
365 : }
366 :
367 : /* Early exit if the relation is empty */
368 6872 : nblocks = RelationGetNumberOfBlocks(ctx.rel);
369 6838 : if (!nblocks)
370 : {
371 3882 : relation_close(ctx.rel, AccessShareLock);
372 3882 : PG_RETURN_NULL();
373 : }
374 :
375 2956 : ctx.bstrategy = GetAccessStrategy(BAS_BULKREAD);
376 2956 : ctx.buffer = InvalidBuffer;
377 2956 : ctx.page = NULL;
378 :
379 : /* Validate block numbers, or handle nulls. */
380 2956 : if (PG_ARGISNULL(4))
381 2708 : first_block = 0;
382 : else
383 : {
384 248 : int64 fb = PG_GETARG_INT64(4);
385 :
386 248 : if (fb < 0 || fb >= nblocks)
387 2 : ereport(ERROR,
388 : (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
389 : errmsg("starting block number must be between 0 and %u",
390 : nblocks - 1)));
391 246 : first_block = (BlockNumber) fb;
392 : }
393 2954 : if (PG_ARGISNULL(5))
394 2708 : last_block = nblocks - 1;
395 : else
396 : {
397 246 : int64 lb = PG_GETARG_INT64(5);
398 :
399 246 : if (lb < 0 || lb >= nblocks)
400 2 : ereport(ERROR,
401 : (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
402 : errmsg("ending block number must be between 0 and %u",
403 : nblocks - 1)));
404 244 : last_block = (BlockNumber) lb;
405 : }
406 :
407 : /* Optionally open the toast relation, if any. */
408 2952 : if (ctx.rel->rd_rel->reltoastrelid && check_toast)
409 1392 : {
410 : int offset;
411 :
412 : /* Main relation has associated toast relation */
413 1392 : ctx.toast_rel = table_open(ctx.rel->rd_rel->reltoastrelid,
414 : AccessShareLock);
415 1392 : offset = toast_open_indexes(ctx.toast_rel,
416 : AccessShareLock,
417 : &(ctx.toast_indexes),
418 : &(ctx.num_toast_indexes));
419 1392 : ctx.valid_toast_index = ctx.toast_indexes[offset];
420 : }
421 : else
422 : {
423 : /*
424 : * Main relation has no associated toast relation, or we're
425 : * intentionally skipping it.
426 : */
427 1560 : ctx.toast_rel = NULL;
428 1560 : ctx.toast_indexes = NULL;
429 1560 : ctx.num_toast_indexes = 0;
430 : }
431 :
432 2952 : update_cached_xid_range(&ctx);
433 2952 : update_cached_mxid_range(&ctx);
434 2952 : ctx.relfrozenxid = ctx.rel->rd_rel->relfrozenxid;
435 2952 : ctx.relfrozenfxid = FullTransactionIdFromXidAndCtx(ctx.relfrozenxid, &ctx);
436 2952 : ctx.relminmxid = ctx.rel->rd_rel->relminmxid;
437 :
438 2952 : if (TransactionIdIsNormal(ctx.relfrozenxid))
439 2568 : ctx.oldest_xid = ctx.relfrozenxid;
440 :
441 : /* Now that `ctx` is set up, set up the read stream */
442 2952 : stream_skip_data.range.current_blocknum = first_block;
443 2952 : stream_skip_data.range.last_exclusive = last_block + 1;
444 2952 : stream_skip_data.skip_option = skip_option;
445 2952 : stream_skip_data.rel = ctx.rel;
446 2952 : stream_skip_data.vmbuffer = &vmbuffer;
447 :
448 2952 : if (skip_option == SKIP_PAGES_NONE)
449 : {
450 : /*
451 : * It is safe to use batchmode as block_range_read_stream_cb takes no
452 : * locks.
453 : */
454 2620 : stream_cb = block_range_read_stream_cb;
455 2620 : stream_flags = READ_STREAM_SEQUENTIAL |
456 : READ_STREAM_FULL |
457 : READ_STREAM_USE_BATCHING;
458 2620 : stream_data = &stream_skip_data.range;
459 : }
460 : else
461 : {
462 : /*
463 : * It would not be safe to naively use use batchmode, as
464 : * heapcheck_read_stream_next_unskippable takes locks. It shouldn't be
465 : * too hard to convert though.
466 : */
467 332 : stream_cb = heapcheck_read_stream_next_unskippable;
468 332 : stream_flags = READ_STREAM_DEFAULT;
469 332 : stream_data = &stream_skip_data;
470 : }
471 :
472 2952 : stream = read_stream_begin_relation(stream_flags,
473 : ctx.bstrategy,
474 : ctx.rel,
475 : MAIN_FORKNUM,
476 : stream_cb,
477 : stream_data,
478 : 0);
479 :
480 26826 : while ((ctx.buffer = read_stream_next_buffer(stream, NULL)) != InvalidBuffer)
481 : {
482 : OffsetNumber maxoff;
483 : OffsetNumber predecessor[MaxOffsetNumber];
484 : OffsetNumber successor[MaxOffsetNumber];
485 : bool lp_valid[MaxOffsetNumber];
486 : bool xmin_commit_status_ok[MaxOffsetNumber];
487 : XidCommitStatus xmin_commit_status[MaxOffsetNumber];
488 :
489 23880 : CHECK_FOR_INTERRUPTS();
490 :
491 23880 : memset(predecessor, 0, sizeof(OffsetNumber) * MaxOffsetNumber);
492 :
493 : /* Lock the next page. */
494 : Assert(BufferIsValid(ctx.buffer));
495 23880 : LockBuffer(ctx.buffer, BUFFER_LOCK_SHARE);
496 :
497 23880 : ctx.blkno = BufferGetBlockNumber(ctx.buffer);
498 23880 : ctx.page = BufferGetPage(ctx.buffer);
499 :
500 : /* Perform tuple checks */
501 23880 : maxoff = PageGetMaxOffsetNumber(ctx.page);
502 1135126 : for (ctx.offnum = FirstOffsetNumber; ctx.offnum <= maxoff;
503 1111246 : ctx.offnum = OffsetNumberNext(ctx.offnum))
504 : {
505 : BlockNumber nextblkno;
506 : OffsetNumber nextoffnum;
507 :
508 1111246 : successor[ctx.offnum] = InvalidOffsetNumber;
509 1111246 : lp_valid[ctx.offnum] = false;
510 1111246 : xmin_commit_status_ok[ctx.offnum] = false;
511 1111246 : ctx.itemid = PageGetItemId(ctx.page, ctx.offnum);
512 :
513 : /* Skip over unused/dead line pointers */
514 1111246 : if (!ItemIdIsUsed(ctx.itemid) || ItemIdIsDead(ctx.itemid))
515 19028 : continue;
516 :
517 : /*
518 : * If this line pointer has been redirected, check that it
519 : * redirects to a valid offset within the line pointer array
520 : */
521 1092218 : if (ItemIdIsRedirected(ctx.itemid))
522 : {
523 11446 : OffsetNumber rdoffnum = ItemIdGetRedirect(ctx.itemid);
524 : ItemId rditem;
525 :
526 11446 : if (rdoffnum < FirstOffsetNumber)
527 : {
528 12 : report_corruption(&ctx,
529 : psprintf("line pointer redirection to item at offset %u precedes minimum offset %u",
530 : (unsigned) rdoffnum,
531 : (unsigned) FirstOffsetNumber));
532 12 : continue;
533 : }
534 11434 : if (rdoffnum > maxoff)
535 : {
536 28 : report_corruption(&ctx,
537 : psprintf("line pointer redirection to item at offset %u exceeds maximum offset %u",
538 : (unsigned) rdoffnum,
539 : (unsigned) maxoff));
540 28 : continue;
541 : }
542 :
543 : /*
544 : * Since we've checked that this redirect points to a line
545 : * pointer between FirstOffsetNumber and maxoff, it should now
546 : * be safe to fetch the referenced line pointer. We expect it
547 : * to be LP_NORMAL; if not, that's corruption.
548 : */
549 11406 : rditem = PageGetItemId(ctx.page, rdoffnum);
550 11406 : if (!ItemIdIsUsed(rditem))
551 : {
552 0 : report_corruption(&ctx,
553 : psprintf("redirected line pointer points to an unused item at offset %u",
554 : (unsigned) rdoffnum));
555 0 : continue;
556 : }
557 11406 : else if (ItemIdIsDead(rditem))
558 : {
559 0 : report_corruption(&ctx,
560 : psprintf("redirected line pointer points to a dead item at offset %u",
561 : (unsigned) rdoffnum));
562 0 : continue;
563 : }
564 11406 : else if (ItemIdIsRedirected(rditem))
565 : {
566 2 : report_corruption(&ctx,
567 : psprintf("redirected line pointer points to another redirected line pointer at offset %u",
568 : (unsigned) rdoffnum));
569 2 : continue;
570 : }
571 :
572 : /*
573 : * Record the fact that this line pointer has passed basic
574 : * sanity checking, and also the offset number to which it
575 : * points.
576 : */
577 11404 : lp_valid[ctx.offnum] = true;
578 11404 : successor[ctx.offnum] = rdoffnum;
579 11404 : continue;
580 : }
581 :
582 : /* Sanity-check the line pointer's offset and length values */
583 1080772 : ctx.lp_len = ItemIdGetLength(ctx.itemid);
584 1080772 : ctx.lp_off = ItemIdGetOffset(ctx.itemid);
585 :
586 1080772 : if (ctx.lp_off != MAXALIGN(ctx.lp_off))
587 : {
588 12 : report_corruption(&ctx,
589 : psprintf("line pointer to page offset %u is not maximally aligned",
590 12 : ctx.lp_off));
591 12 : continue;
592 : }
593 1080760 : if (ctx.lp_len < MAXALIGN(SizeofHeapTupleHeader))
594 : {
595 24 : report_corruption(&ctx,
596 : psprintf("line pointer length %u is less than the minimum tuple header size %u",
597 24 : ctx.lp_len,
598 : (unsigned) MAXALIGN(SizeofHeapTupleHeader)));
599 24 : continue;
600 : }
601 1080736 : if (ctx.lp_off + ctx.lp_len > BLCKSZ)
602 : {
603 28 : report_corruption(&ctx,
604 : psprintf("line pointer to page offset %u with length %u ends beyond maximum page offset %u",
605 28 : ctx.lp_off,
606 28 : ctx.lp_len,
607 : (unsigned) BLCKSZ));
608 28 : continue;
609 : }
610 :
611 : /* It should be safe to examine the tuple's header, at least */
612 1080708 : lp_valid[ctx.offnum] = true;
613 1080708 : ctx.tuphdr = (HeapTupleHeader) PageGetItem(ctx.page, ctx.itemid);
614 1080708 : ctx.natts = HeapTupleHeaderGetNatts(ctx.tuphdr);
615 :
616 : /* Ok, ready to check this next tuple */
617 1080708 : check_tuple(&ctx,
618 1080708 : &xmin_commit_status_ok[ctx.offnum],
619 1080708 : &xmin_commit_status[ctx.offnum]);
620 :
621 : /*
622 : * If the CTID field of this tuple seems to point to another tuple
623 : * on the same page, record that tuple as the successor of this
624 : * one.
625 : */
626 1080708 : nextblkno = ItemPointerGetBlockNumber(&(ctx.tuphdr)->t_ctid);
627 1080708 : nextoffnum = ItemPointerGetOffsetNumber(&(ctx.tuphdr)->t_ctid);
628 1080708 : if (nextblkno == ctx.blkno && nextoffnum != ctx.offnum &&
629 388 : nextoffnum >= FirstOffsetNumber && nextoffnum <= maxoff)
630 388 : successor[ctx.offnum] = nextoffnum;
631 : }
632 :
633 : /*
634 : * Update chain validation. Check each line pointer that's got a valid
635 : * successor against that successor.
636 : */
637 23880 : ctx.attnum = -1;
638 1135126 : for (ctx.offnum = FirstOffsetNumber; ctx.offnum <= maxoff;
639 1111246 : ctx.offnum = OffsetNumberNext(ctx.offnum))
640 : {
641 : ItemId curr_lp;
642 : ItemId next_lp;
643 : HeapTupleHeader curr_htup;
644 : HeapTupleHeader next_htup;
645 : TransactionId curr_xmin;
646 : TransactionId curr_xmax;
647 : TransactionId next_xmin;
648 1111246 : OffsetNumber nextoffnum = successor[ctx.offnum];
649 :
650 : /*
651 : * The current line pointer may not have a successor, either
652 : * because it's not valid or because it didn't point to anything.
653 : * In either case, we have to give up.
654 : *
655 : * If the current line pointer does point to something, it's
656 : * possible that the target line pointer isn't valid. We have to
657 : * give up in that case, too.
658 : */
659 1111246 : if (nextoffnum == InvalidOffsetNumber || !lp_valid[nextoffnum])
660 1099454 : continue;
661 :
662 : /* We have two valid line pointers that we can examine. */
663 11792 : curr_lp = PageGetItemId(ctx.page, ctx.offnum);
664 11792 : next_lp = PageGetItemId(ctx.page, nextoffnum);
665 :
666 : /* Handle the cases where the current line pointer is a redirect. */
667 11792 : if (ItemIdIsRedirected(curr_lp))
668 : {
669 : /*
670 : * We should not have set successor[ctx.offnum] to a value
671 : * other than InvalidOffsetNumber unless that line pointer is
672 : * LP_NORMAL.
673 : */
674 : Assert(ItemIdIsNormal(next_lp));
675 :
676 : /* Can only redirect to a HOT tuple. */
677 11404 : next_htup = (HeapTupleHeader) PageGetItem(ctx.page, next_lp);
678 11404 : if (!HeapTupleHeaderIsHeapOnly(next_htup))
679 : {
680 2 : report_corruption(&ctx,
681 : psprintf("redirected line pointer points to a non-heap-only tuple at offset %u",
682 : (unsigned) nextoffnum));
683 : }
684 :
685 : /* HOT chains should not intersect. */
686 11404 : if (predecessor[nextoffnum] != InvalidOffsetNumber)
687 : {
688 2 : report_corruption(&ctx,
689 : psprintf("redirect line pointer points to offset %u, but offset %u also points there",
690 2 : (unsigned) nextoffnum, (unsigned) predecessor[nextoffnum]));
691 2 : continue;
692 : }
693 :
694 : /*
695 : * This redirect and the tuple to which it points seem to be
696 : * part of an update chain.
697 : */
698 11402 : predecessor[nextoffnum] = ctx.offnum;
699 11402 : continue;
700 : }
701 :
702 : /*
703 : * If the next line pointer is a redirect, or if it's a tuple but
704 : * the XMAX of this tuple doesn't match the XMIN of the next
705 : * tuple, then the two aren't part of the same update chain and
706 : * there is nothing more to do.
707 : */
708 388 : if (ItemIdIsRedirected(next_lp))
709 0 : continue;
710 388 : curr_htup = (HeapTupleHeader) PageGetItem(ctx.page, curr_lp);
711 388 : curr_xmax = HeapTupleHeaderGetUpdateXid(curr_htup);
712 388 : next_htup = (HeapTupleHeader) PageGetItem(ctx.page, next_lp);
713 388 : next_xmin = HeapTupleHeaderGetXmin(next_htup);
714 388 : if (!TransactionIdIsValid(curr_xmax) ||
715 : !TransactionIdEquals(curr_xmax, next_xmin))
716 8 : continue;
717 :
718 : /* HOT chains should not intersect. */
719 380 : if (predecessor[nextoffnum] != InvalidOffsetNumber)
720 : {
721 2 : report_corruption(&ctx,
722 : psprintf("tuple points to new version at offset %u, but offset %u also points there",
723 2 : (unsigned) nextoffnum, (unsigned) predecessor[nextoffnum]));
724 2 : continue;
725 : }
726 :
727 : /*
728 : * This tuple and the tuple to which it points seem to be part of
729 : * an update chain.
730 : */
731 378 : predecessor[nextoffnum] = ctx.offnum;
732 :
733 : /*
734 : * If the current tuple is marked as HOT-updated, then the next
735 : * tuple should be marked as a heap-only tuple. Conversely, if the
736 : * current tuple isn't marked as HOT-updated, then the next tuple
737 : * shouldn't be marked as a heap-only tuple.
738 : *
739 : * NB: Can't use HeapTupleHeaderIsHotUpdated() as it checks if
740 : * hint bits indicate xmin/xmax aborted.
741 : */
742 380 : if (!(curr_htup->t_infomask2 & HEAP_HOT_UPDATED) &&
743 2 : HeapTupleHeaderIsHeapOnly(next_htup))
744 : {
745 2 : report_corruption(&ctx,
746 : psprintf("non-heap-only update produced a heap-only tuple at offset %u",
747 : (unsigned) nextoffnum));
748 : }
749 378 : if ((curr_htup->t_infomask2 & HEAP_HOT_UPDATED) &&
750 376 : !HeapTupleHeaderIsHeapOnly(next_htup))
751 : {
752 2 : report_corruption(&ctx,
753 : psprintf("heap-only update produced a non-heap only tuple at offset %u",
754 : (unsigned) nextoffnum));
755 : }
756 :
757 : /*
758 : * If the current tuple's xmin is still in progress but the
759 : * successor tuple's xmin is committed, that's corruption.
760 : *
761 : * NB: We recheck the commit status of the current tuple's xmin
762 : * here, because it might have committed after we checked it and
763 : * before we checked the commit status of the successor tuple's
764 : * xmin. This should be safe because the xmin itself can't have
765 : * changed, only its commit status.
766 : */
767 378 : curr_xmin = HeapTupleHeaderGetXmin(curr_htup);
768 378 : if (xmin_commit_status_ok[ctx.offnum] &&
769 378 : xmin_commit_status[ctx.offnum] == XID_IN_PROGRESS &&
770 2 : xmin_commit_status_ok[nextoffnum] &&
771 4 : xmin_commit_status[nextoffnum] == XID_COMMITTED &&
772 2 : TransactionIdIsInProgress(curr_xmin))
773 : {
774 2 : report_corruption(&ctx,
775 : psprintf("tuple with in-progress xmin %u was updated to produce a tuple at offset %u with committed xmin %u",
776 : (unsigned) curr_xmin,
777 2 : (unsigned) ctx.offnum,
778 : (unsigned) next_xmin));
779 : }
780 :
781 : /*
782 : * If the current tuple's xmin is aborted but the successor
783 : * tuple's xmin is in-progress or committed, that's corruption.
784 : */
785 378 : if (xmin_commit_status_ok[ctx.offnum] &&
786 378 : xmin_commit_status[ctx.offnum] == XID_ABORTED &&
787 4 : xmin_commit_status_ok[nextoffnum])
788 : {
789 4 : if (xmin_commit_status[nextoffnum] == XID_IN_PROGRESS)
790 2 : report_corruption(&ctx,
791 : psprintf("tuple with aborted xmin %u was updated to produce a tuple at offset %u with in-progress xmin %u",
792 : (unsigned) curr_xmin,
793 2 : (unsigned) ctx.offnum,
794 : (unsigned) next_xmin));
795 2 : else if (xmin_commit_status[nextoffnum] == XID_COMMITTED)
796 2 : report_corruption(&ctx,
797 : psprintf("tuple with aborted xmin %u was updated to produce a tuple at offset %u with committed xmin %u",
798 : (unsigned) curr_xmin,
799 2 : (unsigned) ctx.offnum,
800 : (unsigned) next_xmin));
801 : }
802 : }
803 :
804 : /*
805 : * An update chain can start either with a non-heap-only tuple or with
806 : * a redirect line pointer, but not with a heap-only tuple.
807 : *
808 : * (This check is in a separate loop because we need the predecessor
809 : * array to be fully populated before we can perform it.)
810 : */
811 23880 : for (ctx.offnum = FirstOffsetNumber;
812 1135126 : ctx.offnum <= maxoff;
813 1111246 : ctx.offnum = OffsetNumberNext(ctx.offnum))
814 : {
815 1111246 : if (xmin_commit_status_ok[ctx.offnum] &&
816 1080690 : (xmin_commit_status[ctx.offnum] == XID_COMMITTED ||
817 14 : xmin_commit_status[ctx.offnum] == XID_IN_PROGRESS) &&
818 1080680 : predecessor[ctx.offnum] == InvalidOffsetNumber)
819 : {
820 : ItemId curr_lp;
821 :
822 1068906 : curr_lp = PageGetItemId(ctx.page, ctx.offnum);
823 1068906 : if (!ItemIdIsRedirected(curr_lp))
824 : {
825 : HeapTupleHeader curr_htup;
826 :
827 : curr_htup = (HeapTupleHeader)
828 1068906 : PageGetItem(ctx.page, curr_lp);
829 1068906 : if (HeapTupleHeaderIsHeapOnly(curr_htup))
830 8 : report_corruption(&ctx,
831 : psprintf("tuple is root of chain but is marked as heap-only tuple"));
832 : }
833 : }
834 : }
835 :
836 : /* clean up */
837 23880 : UnlockReleaseBuffer(ctx.buffer);
838 :
839 : /*
840 : * Check any toast pointers from the page whose lock we just released
841 : */
842 23880 : if (ctx.toasted_attributes != NIL)
843 : {
844 : ListCell *cell;
845 :
846 25322 : foreach(cell, ctx.toasted_attributes)
847 23636 : check_toasted_attribute(&ctx, lfirst(cell));
848 1686 : list_free_deep(ctx.toasted_attributes);
849 1686 : ctx.toasted_attributes = NIL;
850 : }
851 :
852 23874 : if (on_error_stop && ctx.is_corrupt)
853 0 : break;
854 : }
855 :
856 : /* Ensure that the stream is completely read */
857 : Assert(read_stream_next_buffer(stream, NULL) == InvalidBuffer);
858 2946 : read_stream_end(stream);
859 :
860 2946 : if (vmbuffer != InvalidBuffer)
861 6 : ReleaseBuffer(vmbuffer);
862 :
863 : /* Close the associated toast table and indexes, if any. */
864 2946 : if (ctx.toast_indexes)
865 1386 : toast_close_indexes(ctx.toast_indexes, ctx.num_toast_indexes,
866 : AccessShareLock);
867 2946 : if (ctx.toast_rel)
868 1386 : table_close(ctx.toast_rel, AccessShareLock);
869 :
870 : /* Close the main relation */
871 2946 : relation_close(ctx.rel, AccessShareLock);
872 :
873 2946 : PG_RETURN_NULL();
874 : }
875 :
876 : /*
877 : * Heap amcheck's read stream callback for getting the next unskippable block.
878 : * This callback is only used when 'all-visible' or 'all-frozen' is provided
879 : * as the skip option to verify_heapam(). With the default 'none',
880 : * block_range_read_stream_cb() is used instead.
881 : */
882 : static BlockNumber
883 1738 : heapcheck_read_stream_next_unskippable(ReadStream *stream,
884 : void *callback_private_data,
885 : void *per_buffer_data)
886 : {
887 1738 : HeapCheckReadStreamData *p = callback_private_data;
888 :
889 : /* Loops over [current_blocknum, last_exclusive) blocks */
890 1804 : for (BlockNumber i; (i = p->range.current_blocknum++) < p->range.last_exclusive;)
891 : {
892 1472 : uint8 mapbits = visibilitymap_get_status(p->rel, i, p->vmbuffer);
893 :
894 1472 : if (p->skip_option == SKIP_PAGES_ALL_FROZEN)
895 : {
896 768 : if ((mapbits & VISIBILITYMAP_ALL_FROZEN) != 0)
897 64 : continue;
898 : }
899 :
900 1408 : if (p->skip_option == SKIP_PAGES_ALL_VISIBLE)
901 : {
902 704 : if ((mapbits & VISIBILITYMAP_ALL_VISIBLE) != 0)
903 2 : continue;
904 : }
905 :
906 1406 : return i;
907 : }
908 :
909 332 : return InvalidBlockNumber;
910 : }
911 :
912 : /*
913 : * Shared internal implementation for report_corruption and
914 : * report_toast_corruption.
915 : */
916 : static void
917 172 : report_corruption_internal(Tuplestorestate *tupstore, TupleDesc tupdesc,
918 : BlockNumber blkno, OffsetNumber offnum,
919 : AttrNumber attnum, char *msg)
920 : {
921 172 : Datum values[HEAPCHECK_RELATION_COLS] = {0};
922 172 : bool nulls[HEAPCHECK_RELATION_COLS] = {0};
923 : HeapTuple tuple;
924 :
925 172 : values[0] = Int64GetDatum(blkno);
926 172 : values[1] = Int32GetDatum(offnum);
927 172 : values[2] = Int32GetDatum(attnum);
928 172 : nulls[2] = (attnum < 0);
929 172 : values[3] = CStringGetTextDatum(msg);
930 :
931 : /*
932 : * In principle, there is nothing to prevent a scan over a large, highly
933 : * corrupted table from using work_mem worth of memory building up the
934 : * tuplestore. That's ok, but if we also leak the msg argument memory
935 : * until the end of the query, we could exceed work_mem by more than a
936 : * trivial amount. Therefore, free the msg argument each time we are
937 : * called rather than waiting for our current memory context to be freed.
938 : */
939 172 : pfree(msg);
940 :
941 172 : tuple = heap_form_tuple(tupdesc, values, nulls);
942 172 : tuplestore_puttuple(tupstore, tuple);
943 172 : }
944 :
945 : /*
946 : * Record a single corruption found in the main table. The values in ctx should
947 : * indicate the location of the corruption, and the msg argument should contain
948 : * a human-readable description of the corruption.
949 : *
950 : * The msg argument is pfree'd by this function.
951 : */
952 : static void
953 170 : report_corruption(HeapCheckContext *ctx, char *msg)
954 : {
955 170 : report_corruption_internal(ctx->tupstore, ctx->tupdesc, ctx->blkno,
956 170 : ctx->offnum, ctx->attnum, msg);
957 170 : ctx->is_corrupt = true;
958 170 : }
959 :
960 : /*
961 : * Record corruption found in the toast table. The values in ta should
962 : * indicate the location in the main table where the toast pointer was
963 : * encountered, and the msg argument should contain a human-readable
964 : * description of the toast table corruption.
965 : *
966 : * As above, the msg argument is pfree'd by this function.
967 : */
968 : static void
969 2 : report_toast_corruption(HeapCheckContext *ctx, ToastedAttribute *ta,
970 : char *msg)
971 : {
972 2 : report_corruption_internal(ctx->tupstore, ctx->tupdesc, ta->blkno,
973 2 : ta->offnum, ta->attnum, msg);
974 2 : ctx->is_corrupt = true;
975 2 : }
976 :
977 : /*
978 : * Check for tuple header corruption.
979 : *
980 : * Some kinds of corruption make it unsafe to check the tuple attributes, for
981 : * example when the line pointer refers to a range of bytes outside the page.
982 : * In such cases, we return false (not checkable) after recording appropriate
983 : * corruption messages.
984 : *
985 : * Some other kinds of tuple header corruption confuse the question of where
986 : * the tuple attributes begin, or how long the nulls bitmap is, etc., making it
987 : * unreasonable to attempt to check attributes, even if all candidate answers
988 : * to those questions would not result in reading past the end of the line
989 : * pointer or page. In such cases, like above, we record corruption messages
990 : * about the header and then return false.
991 : *
992 : * Other kinds of tuple header corruption do not bear on the question of
993 : * whether the tuple attributes can be checked, so we record corruption
994 : * messages for them but we do not return false merely because we detected
995 : * them.
996 : *
997 : * Returns whether the tuple is sufficiently sensible to undergo visibility and
998 : * attribute checks.
999 : */
1000 : static bool
1001 1080708 : check_tuple_header(HeapCheckContext *ctx)
1002 : {
1003 1080708 : HeapTupleHeader tuphdr = ctx->tuphdr;
1004 1080708 : uint16 infomask = tuphdr->t_infomask;
1005 1080708 : TransactionId curr_xmax = HeapTupleHeaderGetUpdateXid(tuphdr);
1006 1080708 : bool result = true;
1007 : unsigned expected_hoff;
1008 :
1009 1080708 : if (ctx->tuphdr->t_hoff > ctx->lp_len)
1010 : {
1011 2 : report_corruption(ctx,
1012 : psprintf("data begins at offset %u beyond the tuple length %u",
1013 2 : ctx->tuphdr->t_hoff, ctx->lp_len));
1014 2 : result = false;
1015 : }
1016 :
1017 1080708 : if ((ctx->tuphdr->t_infomask & HEAP_XMAX_COMMITTED) &&
1018 386 : (ctx->tuphdr->t_infomask & HEAP_XMAX_IS_MULTI))
1019 : {
1020 4 : report_corruption(ctx,
1021 : pstrdup("multixact should not be marked committed"));
1022 :
1023 : /*
1024 : * This condition is clearly wrong, but it's not enough to justify
1025 : * skipping further checks, because we don't rely on this to determine
1026 : * whether the tuple is visible or to interpret other relevant header
1027 : * fields.
1028 : */
1029 : }
1030 :
1031 2159348 : if (!TransactionIdIsValid(curr_xmax) &&
1032 1078640 : HeapTupleHeaderIsHotUpdated(tuphdr))
1033 : {
1034 2 : report_corruption(ctx,
1035 : psprintf("tuple has been HOT updated, but xmax is 0"));
1036 :
1037 : /*
1038 : * As above, even though this shouldn't happen, it's not sufficient
1039 : * justification for skipping further checks, we should still be able
1040 : * to perform sensibly.
1041 : */
1042 : }
1043 :
1044 1080708 : if (HeapTupleHeaderIsHeapOnly(tuphdr) &&
1045 11784 : ((tuphdr->t_infomask & HEAP_UPDATED) == 0))
1046 : {
1047 2 : report_corruption(ctx,
1048 : psprintf("tuple is heap only, but not the result of an update"));
1049 :
1050 : /* Here again, we can still perform further checks. */
1051 : }
1052 :
1053 1080708 : if (infomask & HEAP_HASNULL)
1054 484228 : expected_hoff = MAXALIGN(SizeofHeapTupleHeader + BITMAPLEN(ctx->natts));
1055 : else
1056 596480 : expected_hoff = MAXALIGN(SizeofHeapTupleHeader);
1057 1080708 : if (ctx->tuphdr->t_hoff != expected_hoff)
1058 : {
1059 10 : if ((infomask & HEAP_HASNULL) && ctx->natts == 1)
1060 0 : report_corruption(ctx,
1061 : psprintf("tuple data should begin at byte %u, but actually begins at byte %u (1 attribute, has nulls)",
1062 0 : expected_hoff, ctx->tuphdr->t_hoff));
1063 10 : else if ((infomask & HEAP_HASNULL))
1064 2 : report_corruption(ctx,
1065 : psprintf("tuple data should begin at byte %u, but actually begins at byte %u (%u attributes, has nulls)",
1066 2 : expected_hoff, ctx->tuphdr->t_hoff, ctx->natts));
1067 8 : else if (ctx->natts == 1)
1068 0 : report_corruption(ctx,
1069 : psprintf("tuple data should begin at byte %u, but actually begins at byte %u (1 attribute, no nulls)",
1070 0 : expected_hoff, ctx->tuphdr->t_hoff));
1071 : else
1072 8 : report_corruption(ctx,
1073 : psprintf("tuple data should begin at byte %u, but actually begins at byte %u (%u attributes, no nulls)",
1074 8 : expected_hoff, ctx->tuphdr->t_hoff, ctx->natts));
1075 10 : result = false;
1076 : }
1077 :
1078 1080708 : return result;
1079 : }
1080 :
1081 : /*
1082 : * Checks tuple visibility so we know which further checks are safe to
1083 : * perform.
1084 : *
1085 : * If a tuple could have been inserted by a transaction that also added a
1086 : * column to the table, but which ultimately did not commit, or which has not
1087 : * yet committed, then the table's current TupleDesc might differ from the one
1088 : * used to construct this tuple, so we must not check it.
1089 : *
1090 : * As a special case, if our own transaction inserted the tuple, even if we
1091 : * added a column to the table, our TupleDesc should match. We could check the
1092 : * tuple, but choose not to do so.
1093 : *
1094 : * If a tuple has been updated or deleted, we can still read the old tuple for
1095 : * corruption checking purposes, as long as we are careful about concurrent
1096 : * vacuums. The main table tuple itself cannot be vacuumed away because we
1097 : * hold a buffer lock on the page, but if the deleting transaction is older
1098 : * than our transaction snapshot's xmin, then vacuum could remove the toast at
1099 : * any time, so we must not try to follow TOAST pointers.
1100 : *
1101 : * If xmin or xmax values are older than can be checked against clog, or appear
1102 : * to be in the future (possibly due to wrap-around), then we cannot make a
1103 : * determination about the visibility of the tuple, so we skip further checks.
1104 : *
1105 : * Returns true if the tuple itself should be checked, false otherwise. Sets
1106 : * ctx->tuple_could_be_pruned if the tuple -- and thus also any associated
1107 : * TOAST tuples -- are eligible for pruning.
1108 : *
1109 : * Sets *xmin_commit_status_ok to true if the commit status of xmin is known
1110 : * and false otherwise. If it's set to true, then also set *xmin_commit_status
1111 : * to the actual commit status.
1112 : */
1113 : static bool
1114 1080698 : check_tuple_visibility(HeapCheckContext *ctx, bool *xmin_commit_status_ok,
1115 : XidCommitStatus *xmin_commit_status)
1116 : {
1117 : TransactionId xmin;
1118 : TransactionId xvac;
1119 : TransactionId xmax;
1120 : XidCommitStatus xmin_status;
1121 : XidCommitStatus xvac_status;
1122 : XidCommitStatus xmax_status;
1123 1080698 : HeapTupleHeader tuphdr = ctx->tuphdr;
1124 :
1125 1080698 : ctx->tuple_could_be_pruned = true; /* have not yet proven otherwise */
1126 1080698 : *xmin_commit_status_ok = false; /* have not yet proven otherwise */
1127 :
1128 : /* If xmin is normal, it should be within valid range */
1129 1080698 : xmin = HeapTupleHeaderGetXmin(tuphdr);
1130 1080698 : switch (get_xid_status(xmin, ctx, &xmin_status))
1131 : {
1132 0 : case XID_INVALID:
1133 : /* Could be the result of a speculative insertion that aborted. */
1134 0 : return false;
1135 1080690 : case XID_BOUNDS_OK:
1136 1080690 : *xmin_commit_status_ok = true;
1137 1080690 : *xmin_commit_status = xmin_status;
1138 1080690 : break;
1139 2 : case XID_IN_FUTURE:
1140 2 : report_corruption(ctx,
1141 : psprintf("xmin %u equals or exceeds next valid transaction ID %u:%u",
1142 : xmin,
1143 2 : EpochFromFullTransactionId(ctx->next_fxid),
1144 2 : XidFromFullTransactionId(ctx->next_fxid)));
1145 2 : return false;
1146 4 : case XID_PRECEDES_CLUSTERMIN:
1147 4 : report_corruption(ctx,
1148 : psprintf("xmin %u precedes oldest valid transaction ID %u:%u",
1149 : xmin,
1150 4 : EpochFromFullTransactionId(ctx->oldest_fxid),
1151 4 : XidFromFullTransactionId(ctx->oldest_fxid)));
1152 4 : return false;
1153 2 : case XID_PRECEDES_RELMIN:
1154 2 : report_corruption(ctx,
1155 : psprintf("xmin %u precedes relation freeze threshold %u:%u",
1156 : xmin,
1157 2 : EpochFromFullTransactionId(ctx->relfrozenfxid),
1158 2 : XidFromFullTransactionId(ctx->relfrozenfxid)));
1159 2 : return false;
1160 : }
1161 :
1162 : /*
1163 : * Has inserting transaction committed?
1164 : */
1165 1080690 : if (!HeapTupleHeaderXminCommitted(tuphdr))
1166 : {
1167 27168 : if (HeapTupleHeaderXminInvalid(tuphdr))
1168 0 : return false; /* inserter aborted, don't check */
1169 : /* Used by pre-9.0 binary upgrades */
1170 27168 : else if (tuphdr->t_infomask & HEAP_MOVED_OFF)
1171 : {
1172 0 : xvac = HeapTupleHeaderGetXvac(tuphdr);
1173 :
1174 0 : switch (get_xid_status(xvac, ctx, &xvac_status))
1175 : {
1176 0 : case XID_INVALID:
1177 0 : report_corruption(ctx,
1178 : pstrdup("old-style VACUUM FULL transaction ID for moved off tuple is invalid"));
1179 0 : return false;
1180 0 : case XID_IN_FUTURE:
1181 0 : report_corruption(ctx,
1182 : psprintf("old-style VACUUM FULL transaction ID %u for moved off tuple equals or exceeds next valid transaction ID %u:%u",
1183 : xvac,
1184 0 : EpochFromFullTransactionId(ctx->next_fxid),
1185 0 : XidFromFullTransactionId(ctx->next_fxid)));
1186 0 : return false;
1187 0 : case XID_PRECEDES_RELMIN:
1188 0 : report_corruption(ctx,
1189 : psprintf("old-style VACUUM FULL transaction ID %u for moved off tuple precedes relation freeze threshold %u:%u",
1190 : xvac,
1191 0 : EpochFromFullTransactionId(ctx->relfrozenfxid),
1192 0 : XidFromFullTransactionId(ctx->relfrozenfxid)));
1193 0 : return false;
1194 0 : case XID_PRECEDES_CLUSTERMIN:
1195 0 : report_corruption(ctx,
1196 : psprintf("old-style VACUUM FULL transaction ID %u for moved off tuple precedes oldest valid transaction ID %u:%u",
1197 : xvac,
1198 0 : EpochFromFullTransactionId(ctx->oldest_fxid),
1199 0 : XidFromFullTransactionId(ctx->oldest_fxid)));
1200 0 : return false;
1201 0 : case XID_BOUNDS_OK:
1202 0 : break;
1203 : }
1204 :
1205 0 : switch (xvac_status)
1206 : {
1207 0 : case XID_IS_CURRENT_XID:
1208 0 : report_corruption(ctx,
1209 : psprintf("old-style VACUUM FULL transaction ID %u for moved off tuple matches our current transaction ID",
1210 : xvac));
1211 0 : return false;
1212 0 : case XID_IN_PROGRESS:
1213 0 : report_corruption(ctx,
1214 : psprintf("old-style VACUUM FULL transaction ID %u for moved off tuple appears to be in progress",
1215 : xvac));
1216 0 : return false;
1217 :
1218 0 : case XID_COMMITTED:
1219 :
1220 : /*
1221 : * The tuple is dead, because the xvac transaction moved
1222 : * it off and committed. It's checkable, but also
1223 : * prunable.
1224 : */
1225 0 : return true;
1226 :
1227 0 : case XID_ABORTED:
1228 :
1229 : /*
1230 : * The original xmin must have committed, because the xvac
1231 : * transaction tried to move it later. Since xvac is
1232 : * aborted, whether it's still alive now depends on the
1233 : * status of xmax.
1234 : */
1235 0 : break;
1236 : }
1237 0 : }
1238 : /* Used by pre-9.0 binary upgrades */
1239 27168 : else if (tuphdr->t_infomask & HEAP_MOVED_IN)
1240 : {
1241 0 : xvac = HeapTupleHeaderGetXvac(tuphdr);
1242 :
1243 0 : switch (get_xid_status(xvac, ctx, &xvac_status))
1244 : {
1245 0 : case XID_INVALID:
1246 0 : report_corruption(ctx,
1247 : pstrdup("old-style VACUUM FULL transaction ID for moved in tuple is invalid"));
1248 0 : return false;
1249 0 : case XID_IN_FUTURE:
1250 0 : report_corruption(ctx,
1251 : psprintf("old-style VACUUM FULL transaction ID %u for moved in tuple equals or exceeds next valid transaction ID %u:%u",
1252 : xvac,
1253 0 : EpochFromFullTransactionId(ctx->next_fxid),
1254 0 : XidFromFullTransactionId(ctx->next_fxid)));
1255 0 : return false;
1256 0 : case XID_PRECEDES_RELMIN:
1257 0 : report_corruption(ctx,
1258 : psprintf("old-style VACUUM FULL transaction ID %u for moved in tuple precedes relation freeze threshold %u:%u",
1259 : xvac,
1260 0 : EpochFromFullTransactionId(ctx->relfrozenfxid),
1261 0 : XidFromFullTransactionId(ctx->relfrozenfxid)));
1262 0 : return false;
1263 0 : case XID_PRECEDES_CLUSTERMIN:
1264 0 : report_corruption(ctx,
1265 : psprintf("old-style VACUUM FULL transaction ID %u for moved in tuple precedes oldest valid transaction ID %u:%u",
1266 : xvac,
1267 0 : EpochFromFullTransactionId(ctx->oldest_fxid),
1268 0 : XidFromFullTransactionId(ctx->oldest_fxid)));
1269 0 : return false;
1270 0 : case XID_BOUNDS_OK:
1271 0 : break;
1272 : }
1273 :
1274 0 : switch (xvac_status)
1275 : {
1276 0 : case XID_IS_CURRENT_XID:
1277 0 : report_corruption(ctx,
1278 : psprintf("old-style VACUUM FULL transaction ID %u for moved in tuple matches our current transaction ID",
1279 : xvac));
1280 0 : return false;
1281 0 : case XID_IN_PROGRESS:
1282 0 : report_corruption(ctx,
1283 : psprintf("old-style VACUUM FULL transaction ID %u for moved in tuple appears to be in progress",
1284 : xvac));
1285 0 : return false;
1286 :
1287 0 : case XID_COMMITTED:
1288 :
1289 : /*
1290 : * The original xmin must have committed, because the xvac
1291 : * transaction moved it later. Whether it's still alive
1292 : * now depends on the status of xmax.
1293 : */
1294 0 : break;
1295 :
1296 0 : case XID_ABORTED:
1297 :
1298 : /*
1299 : * The tuple is dead, because the xvac transaction moved
1300 : * it off and committed. It's checkable, but also
1301 : * prunable.
1302 : */
1303 0 : return true;
1304 : }
1305 0 : }
1306 27168 : else if (xmin_status != XID_COMMITTED)
1307 : {
1308 : /*
1309 : * Inserting transaction is not in progress, and not committed, so
1310 : * it might have changed the TupleDesc in ways we don't know
1311 : * about. Thus, don't try to check the tuple structure.
1312 : *
1313 : * If xmin_status happens to be XID_IS_CURRENT_XID, then in theory
1314 : * any such DDL changes ought to be visible to us, so perhaps we
1315 : * could check anyway in that case. But, for now, let's be
1316 : * conservative and treat this like any other uncommitted insert.
1317 : */
1318 14 : return false;
1319 : }
1320 : }
1321 :
1322 : /*
1323 : * Okay, the inserter committed, so it was good at some point. Now what
1324 : * about the deleting transaction?
1325 : */
1326 :
1327 1080676 : if (tuphdr->t_infomask & HEAP_XMAX_IS_MULTI)
1328 : {
1329 : /*
1330 : * xmax is a multixact, so sanity-check the MXID. Note that we do this
1331 : * prior to checking for HEAP_XMAX_INVALID or
1332 : * HEAP_XMAX_IS_LOCKED_ONLY. This might therefore complain about
1333 : * things that wouldn't actually be a problem during a normal scan,
1334 : * but eventually we're going to have to freeze, and that process will
1335 : * ignore hint bits.
1336 : *
1337 : * Even if the MXID is out of range, we still know that the original
1338 : * insert committed, so we can check the tuple itself. However, we
1339 : * can't rule out the possibility that this tuple is dead, so don't
1340 : * clear ctx->tuple_could_be_pruned. Possibly we should go ahead and
1341 : * clear that flag anyway if HEAP_XMAX_INVALID is set or if
1342 : * HEAP_XMAX_IS_LOCKED_ONLY is true, but for now we err on the side of
1343 : * avoiding possibly-bogus complaints about missing TOAST entries.
1344 : */
1345 116 : xmax = HeapTupleHeaderGetRawXmax(tuphdr);
1346 116 : switch (check_mxid_valid_in_rel(xmax, ctx))
1347 : {
1348 0 : case XID_INVALID:
1349 0 : report_corruption(ctx,
1350 : pstrdup("multitransaction ID is invalid"));
1351 0 : return true;
1352 2 : case XID_PRECEDES_RELMIN:
1353 2 : report_corruption(ctx,
1354 : psprintf("multitransaction ID %u precedes relation minimum multitransaction ID threshold %u",
1355 : xmax, ctx->relminmxid));
1356 2 : return true;
1357 0 : case XID_PRECEDES_CLUSTERMIN:
1358 0 : report_corruption(ctx,
1359 : psprintf("multitransaction ID %u precedes oldest valid multitransaction ID threshold %u",
1360 : xmax, ctx->oldest_mxact));
1361 0 : return true;
1362 2 : case XID_IN_FUTURE:
1363 2 : report_corruption(ctx,
1364 : psprintf("multitransaction ID %u equals or exceeds next valid multitransaction ID %u",
1365 : xmax,
1366 : ctx->next_mxact));
1367 2 : return true;
1368 112 : case XID_BOUNDS_OK:
1369 112 : break;
1370 : }
1371 1080560 : }
1372 :
1373 1080672 : if (tuphdr->t_infomask & HEAP_XMAX_INVALID)
1374 : {
1375 : /*
1376 : * This tuple is live. A concurrently running transaction could
1377 : * delete it before we get around to checking the toast, but any such
1378 : * running transaction is surely not less than our safe_xmin, so the
1379 : * toast cannot be vacuumed out from under us.
1380 : */
1381 1078614 : ctx->tuple_could_be_pruned = false;
1382 1078614 : return true;
1383 : }
1384 :
1385 2058 : if (HEAP_XMAX_IS_LOCKED_ONLY(tuphdr->t_infomask))
1386 : {
1387 : /*
1388 : * "Deleting" xact really only locked it, so the tuple is live in any
1389 : * case. As above, a concurrently running transaction could delete
1390 : * it, but it cannot be vacuumed out from under us.
1391 : */
1392 56 : ctx->tuple_could_be_pruned = false;
1393 56 : return true;
1394 : }
1395 :
1396 2002 : if (tuphdr->t_infomask & HEAP_XMAX_IS_MULTI)
1397 : {
1398 : /*
1399 : * We already checked above that this multixact is within limits for
1400 : * this table. Now check the update xid from this multixact.
1401 : */
1402 56 : xmax = HeapTupleGetUpdateXid(tuphdr);
1403 56 : switch (get_xid_status(xmax, ctx, &xmax_status))
1404 : {
1405 0 : case XID_INVALID:
1406 : /* not LOCKED_ONLY, so it has to have an xmax */
1407 0 : report_corruption(ctx,
1408 : pstrdup("update xid is invalid"));
1409 0 : return true;
1410 0 : case XID_IN_FUTURE:
1411 0 : report_corruption(ctx,
1412 : psprintf("update xid %u equals or exceeds next valid transaction ID %u:%u",
1413 : xmax,
1414 0 : EpochFromFullTransactionId(ctx->next_fxid),
1415 0 : XidFromFullTransactionId(ctx->next_fxid)));
1416 0 : return true;
1417 0 : case XID_PRECEDES_RELMIN:
1418 0 : report_corruption(ctx,
1419 : psprintf("update xid %u precedes relation freeze threshold %u:%u",
1420 : xmax,
1421 0 : EpochFromFullTransactionId(ctx->relfrozenfxid),
1422 0 : XidFromFullTransactionId(ctx->relfrozenfxid)));
1423 0 : return true;
1424 0 : case XID_PRECEDES_CLUSTERMIN:
1425 0 : report_corruption(ctx,
1426 : psprintf("update xid %u precedes oldest valid transaction ID %u:%u",
1427 : xmax,
1428 0 : EpochFromFullTransactionId(ctx->oldest_fxid),
1429 0 : XidFromFullTransactionId(ctx->oldest_fxid)));
1430 0 : return true;
1431 56 : case XID_BOUNDS_OK:
1432 56 : break;
1433 : }
1434 :
1435 56 : switch (xmax_status)
1436 : {
1437 0 : case XID_IS_CURRENT_XID:
1438 : case XID_IN_PROGRESS:
1439 :
1440 : /*
1441 : * The delete is in progress, so it cannot be visible to our
1442 : * snapshot.
1443 : */
1444 0 : ctx->tuple_could_be_pruned = false;
1445 0 : break;
1446 56 : case XID_COMMITTED:
1447 :
1448 : /*
1449 : * The delete committed. Whether the toast can be vacuumed
1450 : * away depends on how old the deleting transaction is.
1451 : */
1452 56 : ctx->tuple_could_be_pruned = TransactionIdPrecedes(xmax,
1453 : ctx->safe_xmin);
1454 56 : break;
1455 0 : case XID_ABORTED:
1456 :
1457 : /*
1458 : * The delete aborted or crashed. The tuple is still live.
1459 : */
1460 0 : ctx->tuple_could_be_pruned = false;
1461 0 : break;
1462 : }
1463 :
1464 : /* Tuple itself is checkable even if it's dead. */
1465 56 : return true;
1466 : }
1467 :
1468 : /* xmax is an XID, not a MXID. Sanity check it. */
1469 1946 : xmax = HeapTupleHeaderGetRawXmax(tuphdr);
1470 1946 : switch (get_xid_status(xmax, ctx, &xmax_status))
1471 : {
1472 2 : case XID_INVALID:
1473 2 : ctx->tuple_could_be_pruned = false;
1474 2 : return true;
1475 0 : case XID_IN_FUTURE:
1476 0 : report_corruption(ctx,
1477 : psprintf("xmax %u equals or exceeds next valid transaction ID %u:%u",
1478 : xmax,
1479 0 : EpochFromFullTransactionId(ctx->next_fxid),
1480 0 : XidFromFullTransactionId(ctx->next_fxid)));
1481 0 : return false; /* corrupt */
1482 0 : case XID_PRECEDES_RELMIN:
1483 0 : report_corruption(ctx,
1484 : psprintf("xmax %u precedes relation freeze threshold %u:%u",
1485 : xmax,
1486 0 : EpochFromFullTransactionId(ctx->relfrozenfxid),
1487 0 : XidFromFullTransactionId(ctx->relfrozenfxid)));
1488 0 : return false; /* corrupt */
1489 2 : case XID_PRECEDES_CLUSTERMIN:
1490 2 : report_corruption(ctx,
1491 : psprintf("xmax %u precedes oldest valid transaction ID %u:%u",
1492 : xmax,
1493 2 : EpochFromFullTransactionId(ctx->oldest_fxid),
1494 2 : XidFromFullTransactionId(ctx->oldest_fxid)));
1495 2 : return false; /* corrupt */
1496 1942 : case XID_BOUNDS_OK:
1497 1942 : break;
1498 : }
1499 :
1500 : /*
1501 : * Whether the toast can be vacuumed away depends on how old the deleting
1502 : * transaction is.
1503 : */
1504 1942 : switch (xmax_status)
1505 : {
1506 0 : case XID_IS_CURRENT_XID:
1507 : case XID_IN_PROGRESS:
1508 :
1509 : /*
1510 : * The delete is in progress, so it cannot be visible to our
1511 : * snapshot.
1512 : */
1513 0 : ctx->tuple_could_be_pruned = false;
1514 0 : break;
1515 :
1516 1936 : case XID_COMMITTED:
1517 :
1518 : /*
1519 : * The delete committed. Whether the toast can be vacuumed away
1520 : * depends on how old the deleting transaction is.
1521 : */
1522 1936 : ctx->tuple_could_be_pruned = TransactionIdPrecedes(xmax,
1523 : ctx->safe_xmin);
1524 1936 : break;
1525 :
1526 6 : case XID_ABORTED:
1527 :
1528 : /*
1529 : * The delete aborted or crashed. The tuple is still live.
1530 : */
1531 6 : ctx->tuple_could_be_pruned = false;
1532 6 : break;
1533 : }
1534 :
1535 : /* Tuple itself is checkable even if it's dead. */
1536 1942 : return true;
1537 : }
1538 :
1539 :
1540 : /*
1541 : * Check the current toast tuple against the state tracked in ctx, recording
1542 : * any corruption found in ctx->tupstore.
1543 : *
1544 : * This is not equivalent to running verify_heapam on the toast table itself,
1545 : * and is not hardened against corruption of the toast table. Rather, when
1546 : * validating a toasted attribute in the main table, the sequence of toast
1547 : * tuples that store the toasted value are retrieved and checked in order, with
1548 : * each toast tuple being checked against where we are in the sequence, as well
1549 : * as each toast tuple having its varlena structure sanity checked.
1550 : *
1551 : * On entry, *expected_chunk_seq should be the chunk_seq value that we expect
1552 : * to find in toasttup. On exit, it will be updated to the value the next call
1553 : * to this function should expect to see.
1554 : */
1555 : static void
1556 83364 : check_toast_tuple(HeapTuple toasttup, HeapCheckContext *ctx,
1557 : ToastedAttribute *ta, int32 *expected_chunk_seq,
1558 : uint32 extsize)
1559 : {
1560 : int32 chunk_seq;
1561 83364 : int32 last_chunk_seq = (extsize - 1) / TOAST_MAX_CHUNK_SIZE;
1562 : Pointer chunk;
1563 : bool isnull;
1564 : int32 chunksize;
1565 : int32 expected_size;
1566 :
1567 : /* Sanity-check the sequence number. */
1568 83364 : chunk_seq = DatumGetInt32(fastgetattr(toasttup, 2,
1569 83364 : ctx->toast_rel->rd_att, &isnull));
1570 83364 : if (isnull)
1571 : {
1572 0 : report_toast_corruption(ctx, ta,
1573 : psprintf("toast value %u has toast chunk with null sequence number",
1574 : ta->toast_pointer.va_valueid));
1575 0 : return;
1576 : }
1577 83364 : if (chunk_seq != *expected_chunk_seq)
1578 : {
1579 : /* Either the TOAST index is corrupt, or we don't have all chunks. */
1580 0 : report_toast_corruption(ctx, ta,
1581 : psprintf("toast value %u index scan returned chunk %d when expecting chunk %d",
1582 : ta->toast_pointer.va_valueid,
1583 : chunk_seq, *expected_chunk_seq));
1584 : }
1585 83364 : *expected_chunk_seq = chunk_seq + 1;
1586 :
1587 : /* Sanity-check the chunk data. */
1588 83364 : chunk = DatumGetPointer(fastgetattr(toasttup, 3,
1589 83364 : ctx->toast_rel->rd_att, &isnull));
1590 83364 : if (isnull)
1591 : {
1592 0 : report_toast_corruption(ctx, ta,
1593 : psprintf("toast value %u chunk %d has null data",
1594 : ta->toast_pointer.va_valueid,
1595 : chunk_seq));
1596 0 : return;
1597 : }
1598 83364 : if (!VARATT_IS_EXTENDED(chunk))
1599 83364 : chunksize = VARSIZE(chunk) - VARHDRSZ;
1600 0 : else if (VARATT_IS_SHORT(chunk))
1601 : {
1602 : /*
1603 : * could happen due to heap_form_tuple doing its thing
1604 : */
1605 0 : chunksize = VARSIZE_SHORT(chunk) - VARHDRSZ_SHORT;
1606 : }
1607 : else
1608 : {
1609 : /* should never happen */
1610 0 : uint32 header = ((varattrib_4b *) chunk)->va_4byte.va_header;
1611 :
1612 0 : report_toast_corruption(ctx, ta,
1613 : psprintf("toast value %u chunk %d has invalid varlena header %0x",
1614 : ta->toast_pointer.va_valueid,
1615 : chunk_seq, header));
1616 0 : return;
1617 : }
1618 :
1619 : /*
1620 : * Some checks on the data we've found
1621 : */
1622 83364 : if (chunk_seq > last_chunk_seq)
1623 : {
1624 0 : report_toast_corruption(ctx, ta,
1625 : psprintf("toast value %u chunk %d follows last expected chunk %d",
1626 : ta->toast_pointer.va_valueid,
1627 : chunk_seq, last_chunk_seq));
1628 0 : return;
1629 : }
1630 :
1631 83364 : expected_size = chunk_seq < last_chunk_seq ? TOAST_MAX_CHUNK_SIZE
1632 23628 : : extsize - (last_chunk_seq * TOAST_MAX_CHUNK_SIZE);
1633 :
1634 83364 : if (chunksize != expected_size)
1635 0 : report_toast_corruption(ctx, ta,
1636 : psprintf("toast value %u chunk %d has size %u, but expected size %u",
1637 : ta->toast_pointer.va_valueid,
1638 : chunk_seq, chunksize, expected_size));
1639 : }
1640 :
1641 : /*
1642 : * Check the current attribute as tracked in ctx, recording any corruption
1643 : * found in ctx->tupstore.
1644 : *
1645 : * This function follows the logic performed by heap_deform_tuple(), and in the
1646 : * case of a toasted value, optionally stores the toast pointer so later it can
1647 : * be checked following the logic of detoast_external_attr(), checking for any
1648 : * conditions that would result in either of those functions Asserting or
1649 : * crashing the backend. The checks performed by Asserts present in those two
1650 : * functions are also performed here and in check_toasted_attribute. In cases
1651 : * where those two functions are a bit cavalier in their assumptions about data
1652 : * being correct, we perform additional checks not present in either of those
1653 : * two functions. Where some condition is checked in both of those functions,
1654 : * we perform it here twice, as we parallel the logical flow of those two
1655 : * functions. The presence of duplicate checks seems a reasonable price to pay
1656 : * for keeping this code tightly coupled with the code it protects.
1657 : *
1658 : * Returns true if the tuple attribute is sane enough for processing to
1659 : * continue on to the next attribute, false otherwise.
1660 : */
1661 : static bool
1662 15534250 : check_tuple_attribute(HeapCheckContext *ctx)
1663 : {
1664 : Datum attdatum;
1665 : struct varlena *attr;
1666 : char *tp; /* pointer to the tuple data */
1667 : uint16 infomask;
1668 : CompactAttribute *thisatt;
1669 : struct varatt_external toast_pointer;
1670 :
1671 15534250 : infomask = ctx->tuphdr->t_infomask;
1672 15534250 : thisatt = TupleDescCompactAttr(RelationGetDescr(ctx->rel), ctx->attnum);
1673 :
1674 15534250 : tp = (char *) ctx->tuphdr + ctx->tuphdr->t_hoff;
1675 :
1676 15534250 : if (ctx->tuphdr->t_hoff + ctx->offset > ctx->lp_len)
1677 : {
1678 0 : report_corruption(ctx,
1679 : psprintf("attribute with length %u starts at offset %u beyond total tuple length %u",
1680 0 : thisatt->attlen,
1681 0 : ctx->tuphdr->t_hoff + ctx->offset,
1682 0 : ctx->lp_len));
1683 0 : return false;
1684 : }
1685 :
1686 : /* Skip null values */
1687 15534250 : if (infomask & HEAP_HASNULL && att_isnull(ctx->attnum, ctx->tuphdr->t_bits))
1688 2658956 : return true;
1689 :
1690 : /* Skip non-varlena values, but update offset first */
1691 12875294 : if (thisatt->attlen != -1)
1692 : {
1693 11812056 : ctx->offset = att_nominal_alignby(ctx->offset, thisatt->attalignby);
1694 11812056 : ctx->offset = att_addlength_pointer(ctx->offset, thisatt->attlen,
1695 : tp + ctx->offset);
1696 11812056 : if (ctx->tuphdr->t_hoff + ctx->offset > ctx->lp_len)
1697 : {
1698 0 : report_corruption(ctx,
1699 : psprintf("attribute with length %u ends at offset %u beyond total tuple length %u",
1700 0 : thisatt->attlen,
1701 0 : ctx->tuphdr->t_hoff + ctx->offset,
1702 0 : ctx->lp_len));
1703 0 : return false;
1704 : }
1705 11812056 : return true;
1706 : }
1707 :
1708 : /* Ok, we're looking at a varlena attribute. */
1709 1063238 : ctx->offset = att_pointer_alignby(ctx->offset, thisatt->attalignby, -1,
1710 : tp + ctx->offset);
1711 :
1712 : /* Get the (possibly corrupt) varlena datum */
1713 1063238 : attdatum = fetchatt(thisatt, tp + ctx->offset);
1714 :
1715 : /*
1716 : * We have the datum, but we cannot decode it carelessly, as it may still
1717 : * be corrupt.
1718 : */
1719 :
1720 : /*
1721 : * Check that VARTAG_SIZE won't hit an Assert on a corrupt va_tag before
1722 : * risking a call into att_addlength_pointer
1723 : */
1724 1063238 : if (VARATT_IS_EXTERNAL(tp + ctx->offset))
1725 : {
1726 52510 : uint8 va_tag = VARTAG_EXTERNAL(tp + ctx->offset);
1727 :
1728 52510 : if (va_tag != VARTAG_ONDISK)
1729 : {
1730 0 : report_corruption(ctx,
1731 : psprintf("toasted attribute has unexpected TOAST tag %u",
1732 : va_tag));
1733 : /* We can't know where the next attribute begins */
1734 0 : return false;
1735 : }
1736 : }
1737 :
1738 : /* Ok, should be safe now */
1739 1063238 : ctx->offset = att_addlength_pointer(ctx->offset, thisatt->attlen,
1740 : tp + ctx->offset);
1741 :
1742 1063238 : if (ctx->tuphdr->t_hoff + ctx->offset > ctx->lp_len)
1743 : {
1744 2 : report_corruption(ctx,
1745 : psprintf("attribute with length %u ends at offset %u beyond total tuple length %u",
1746 2 : thisatt->attlen,
1747 2 : ctx->tuphdr->t_hoff + ctx->offset,
1748 2 : ctx->lp_len));
1749 :
1750 2 : return false;
1751 : }
1752 :
1753 : /*
1754 : * heap_deform_tuple would be done with this attribute at this point,
1755 : * having stored it in values[], and would continue to the next attribute.
1756 : * We go further, because we need to check if the toast datum is corrupt.
1757 : */
1758 :
1759 1063236 : attr = (struct varlena *) DatumGetPointer(attdatum);
1760 :
1761 : /*
1762 : * Now we follow the logic of detoast_external_attr(), with the same
1763 : * caveats about being paranoid about corruption.
1764 : */
1765 :
1766 : /* Skip values that are not external */
1767 1063236 : if (!VARATT_IS_EXTERNAL(attr))
1768 1010726 : return true;
1769 :
1770 : /* It is external, and we're looking at a page on disk */
1771 :
1772 : /*
1773 : * Must copy attr into toast_pointer for alignment considerations
1774 : */
1775 52510 : VARATT_EXTERNAL_GET_POINTER(toast_pointer, attr);
1776 :
1777 : /* Toasted attributes too large to be untoasted should never be stored */
1778 52510 : if (toast_pointer.va_rawsize > VARLENA_SIZE_LIMIT)
1779 0 : report_corruption(ctx,
1780 : psprintf("toast value %u rawsize %d exceeds limit %d",
1781 : toast_pointer.va_valueid,
1782 : toast_pointer.va_rawsize,
1783 : VARLENA_SIZE_LIMIT));
1784 :
1785 52510 : if (VARATT_EXTERNAL_IS_COMPRESSED(toast_pointer))
1786 : {
1787 : ToastCompressionId cmid;
1788 4054 : bool valid = false;
1789 :
1790 : /* Compressed attributes should have a valid compression method */
1791 4054 : cmid = TOAST_COMPRESS_METHOD(&toast_pointer);
1792 4054 : switch (cmid)
1793 : {
1794 : /* List of all valid compression method IDs */
1795 4054 : case TOAST_PGLZ_COMPRESSION_ID:
1796 : case TOAST_LZ4_COMPRESSION_ID:
1797 4054 : valid = true;
1798 4054 : break;
1799 :
1800 : /* Recognized but invalid compression method ID */
1801 0 : case TOAST_INVALID_COMPRESSION_ID:
1802 0 : break;
1803 :
1804 : /* Intentionally no default here */
1805 : }
1806 4054 : if (!valid)
1807 0 : report_corruption(ctx,
1808 : psprintf("toast value %u has invalid compression method id %d",
1809 : toast_pointer.va_valueid, cmid));
1810 : }
1811 :
1812 : /* The tuple header better claim to contain toasted values */
1813 52510 : if (!(infomask & HEAP_HASEXTERNAL))
1814 : {
1815 0 : report_corruption(ctx,
1816 : psprintf("toast value %u is external but tuple header flag HEAP_HASEXTERNAL not set",
1817 : toast_pointer.va_valueid));
1818 0 : return true;
1819 : }
1820 :
1821 : /* The relation better have a toast table */
1822 52510 : if (!ctx->rel->rd_rel->reltoastrelid)
1823 : {
1824 0 : report_corruption(ctx,
1825 : psprintf("toast value %u is external but relation has no toast relation",
1826 : toast_pointer.va_valueid));
1827 0 : return true;
1828 : }
1829 :
1830 : /* If we were told to skip toast checking, then we're done. */
1831 52510 : if (ctx->toast_rel == NULL)
1832 28858 : return true;
1833 :
1834 : /*
1835 : * If this tuple is eligible to be pruned, we cannot check the toast.
1836 : * Otherwise, we push a copy of the toast tuple so we can check it after
1837 : * releasing the main table buffer lock.
1838 : */
1839 23652 : if (!ctx->tuple_could_be_pruned)
1840 : {
1841 : ToastedAttribute *ta;
1842 :
1843 23648 : ta = (ToastedAttribute *) palloc0(sizeof(ToastedAttribute));
1844 :
1845 23648 : VARATT_EXTERNAL_GET_POINTER(ta->toast_pointer, attr);
1846 23648 : ta->blkno = ctx->blkno;
1847 23648 : ta->offnum = ctx->offnum;
1848 23648 : ta->attnum = ctx->attnum;
1849 23648 : ctx->toasted_attributes = lappend(ctx->toasted_attributes, ta);
1850 : }
1851 :
1852 23652 : return true;
1853 : }
1854 :
1855 : /*
1856 : * For each attribute collected in ctx->toasted_attributes, look up the value
1857 : * in the toast table and perform checks on it. This function should only be
1858 : * called on toast pointers which cannot be vacuumed away during our
1859 : * processing.
1860 : */
1861 : static void
1862 23636 : check_toasted_attribute(HeapCheckContext *ctx, ToastedAttribute *ta)
1863 : {
1864 : ScanKeyData toastkey;
1865 : SysScanDesc toastscan;
1866 : bool found_toasttup;
1867 : HeapTuple toasttup;
1868 : uint32 extsize;
1869 23636 : int32 expected_chunk_seq = 0;
1870 : int32 last_chunk_seq;
1871 :
1872 23636 : extsize = VARATT_EXTERNAL_GET_EXTSIZE(ta->toast_pointer);
1873 23636 : last_chunk_seq = (extsize - 1) / TOAST_MAX_CHUNK_SIZE;
1874 :
1875 : /*
1876 : * Setup a scan key to find chunks in toast table with matching va_valueid
1877 : */
1878 23636 : ScanKeyInit(&toastkey,
1879 : (AttrNumber) 1,
1880 : BTEqualStrategyNumber, F_OIDEQ,
1881 : ObjectIdGetDatum(ta->toast_pointer.va_valueid));
1882 :
1883 : /*
1884 : * Check if any chunks for this toasted object exist in the toast table,
1885 : * accessible via the index.
1886 : */
1887 23636 : toastscan = systable_beginscan_ordered(ctx->toast_rel,
1888 : ctx->valid_toast_index,
1889 : get_toast_snapshot(), 1,
1890 : &toastkey);
1891 23636 : found_toasttup = false;
1892 130630 : while ((toasttup =
1893 107000 : systable_getnext_ordered(toastscan,
1894 : ForwardScanDirection)) != NULL)
1895 : {
1896 83364 : found_toasttup = true;
1897 83364 : check_toast_tuple(toasttup, ctx, ta, &expected_chunk_seq, extsize);
1898 : }
1899 23630 : systable_endscan_ordered(toastscan);
1900 :
1901 23630 : if (!found_toasttup)
1902 2 : report_toast_corruption(ctx, ta,
1903 : psprintf("toast value %u not found in toast table",
1904 : ta->toast_pointer.va_valueid));
1905 23628 : else if (expected_chunk_seq <= last_chunk_seq)
1906 0 : report_toast_corruption(ctx, ta,
1907 : psprintf("toast value %u was expected to end at chunk %d, but ended while expecting chunk %d",
1908 : ta->toast_pointer.va_valueid,
1909 : last_chunk_seq, expected_chunk_seq));
1910 23630 : }
1911 :
1912 : /*
1913 : * Check the current tuple as tracked in ctx, recording any corruption found in
1914 : * ctx->tupstore.
1915 : *
1916 : * We return some information about the status of xmin to aid in validating
1917 : * update chains.
1918 : */
1919 : static void
1920 1080708 : check_tuple(HeapCheckContext *ctx, bool *xmin_commit_status_ok,
1921 : XidCommitStatus *xmin_commit_status)
1922 : {
1923 : /*
1924 : * Check various forms of tuple header corruption, and if the header is
1925 : * too corrupt, do not continue with other checks.
1926 : */
1927 1080708 : if (!check_tuple_header(ctx))
1928 10 : return;
1929 :
1930 : /*
1931 : * Check tuple visibility. If the inserting transaction aborted, we
1932 : * cannot assume our relation description matches the tuple structure, and
1933 : * therefore cannot check it.
1934 : */
1935 1080698 : if (!check_tuple_visibility(ctx, xmin_commit_status_ok,
1936 : xmin_commit_status))
1937 24 : return;
1938 :
1939 : /*
1940 : * The tuple is visible, so it must be compatible with the current version
1941 : * of the relation descriptor. It might have fewer columns than are
1942 : * present in the relation descriptor, but it cannot have more.
1943 : */
1944 1080674 : if (RelationGetDescr(ctx->rel)->natts < ctx->natts)
1945 : {
1946 4 : report_corruption(ctx,
1947 : psprintf("number of attributes %u exceeds maximum expected for table %u",
1948 : ctx->natts,
1949 4 : RelationGetDescr(ctx->rel)->natts));
1950 4 : return;
1951 : }
1952 :
1953 : /*
1954 : * Check each attribute unless we hit corruption that confuses what to do
1955 : * next, at which point we abort further attribute checks for this tuple.
1956 : * Note that we don't abort for all types of corruption, only for those
1957 : * types where we don't know how to continue. We also don't abort the
1958 : * checking of toasted attributes collected from the tuple prior to
1959 : * aborting. Those will still be checked later along with other toasted
1960 : * attributes collected from the page.
1961 : */
1962 1080670 : ctx->offset = 0;
1963 16614918 : for (ctx->attnum = 0; ctx->attnum < ctx->natts; ctx->attnum++)
1964 15534250 : if (!check_tuple_attribute(ctx))
1965 2 : break; /* cannot continue */
1966 :
1967 : /* revert attnum to -1 until we again examine individual attributes */
1968 1080670 : ctx->attnum = -1;
1969 : }
1970 :
1971 : /*
1972 : * Convert a TransactionId into a FullTransactionId using our cached values of
1973 : * the valid transaction ID range. It is the caller's responsibility to have
1974 : * already updated the cached values, if necessary. This is akin to
1975 : * FullTransactionIdFromAllowableAt(), but it tolerates corruption in the form
1976 : * of an xid before epoch 0.
1977 : */
1978 : static FullTransactionId
1979 149610 : FullTransactionIdFromXidAndCtx(TransactionId xid, const HeapCheckContext *ctx)
1980 : {
1981 : uint64 nextfxid_i;
1982 : int32 diff;
1983 : FullTransactionId fxid;
1984 :
1985 : Assert(TransactionIdIsNormal(ctx->next_xid));
1986 : Assert(FullTransactionIdIsNormal(ctx->next_fxid));
1987 : Assert(XidFromFullTransactionId(ctx->next_fxid) == ctx->next_xid);
1988 :
1989 149610 : if (!TransactionIdIsNormal(xid))
1990 384 : return FullTransactionIdFromEpochAndXid(0, xid);
1991 :
1992 149226 : nextfxid_i = U64FromFullTransactionId(ctx->next_fxid);
1993 :
1994 : /* compute the 32bit modulo difference */
1995 149226 : diff = (int32) (ctx->next_xid - xid);
1996 :
1997 : /*
1998 : * In cases of corruption we might see a 32bit xid that is before epoch 0.
1999 : * We can't represent that as a 64bit xid, due to 64bit xids being
2000 : * unsigned integers, without the modulo arithmetic of 32bit xid. There's
2001 : * no really nice way to deal with that, but it works ok enough to use
2002 : * FirstNormalFullTransactionId in that case, as a freshly initdb'd
2003 : * cluster already has a newer horizon.
2004 : */
2005 149226 : if (diff > 0 && (nextfxid_i - FirstNormalTransactionId) < (int64) diff)
2006 : {
2007 : Assert(EpochFromFullTransactionId(ctx->next_fxid) == 0);
2008 8 : fxid = FirstNormalFullTransactionId;
2009 : }
2010 : else
2011 149218 : fxid = FullTransactionIdFromU64(nextfxid_i - diff);
2012 :
2013 : Assert(FullTransactionIdIsNormal(fxid));
2014 149226 : return fxid;
2015 : }
2016 :
2017 : /*
2018 : * Update our cached range of valid transaction IDs.
2019 : */
2020 : static void
2021 2960 : update_cached_xid_range(HeapCheckContext *ctx)
2022 : {
2023 : /* Make cached copies */
2024 2960 : LWLockAcquire(XidGenLock, LW_SHARED);
2025 2960 : ctx->next_fxid = TransamVariables->nextXid;
2026 2960 : ctx->oldest_xid = TransamVariables->oldestXid;
2027 2960 : LWLockRelease(XidGenLock);
2028 :
2029 : /* And compute alternate versions of the same */
2030 2960 : ctx->next_xid = XidFromFullTransactionId(ctx->next_fxid);
2031 2960 : ctx->oldest_fxid = FullTransactionIdFromXidAndCtx(ctx->oldest_xid, ctx);
2032 2960 : }
2033 :
2034 : /*
2035 : * Update our cached range of valid multitransaction IDs.
2036 : */
2037 : static void
2038 2956 : update_cached_mxid_range(HeapCheckContext *ctx)
2039 : {
2040 2956 : ReadMultiXactIdRange(&ctx->oldest_mxact, &ctx->next_mxact);
2041 2956 : }
2042 :
2043 : /*
2044 : * Return whether the given FullTransactionId is within our cached valid
2045 : * transaction ID range.
2046 : */
2047 : static inline bool
2048 125420 : fxid_in_cached_range(FullTransactionId fxid, const HeapCheckContext *ctx)
2049 : {
2050 250834 : return (FullTransactionIdPrecedesOrEquals(ctx->oldest_fxid, fxid) &&
2051 125414 : FullTransactionIdPrecedes(fxid, ctx->next_fxid));
2052 : }
2053 :
2054 : /*
2055 : * Checks whether a multitransaction ID is in the cached valid range, returning
2056 : * the nature of the range violation, if any.
2057 : */
2058 : static XidBoundsViolation
2059 120 : check_mxid_in_range(MultiXactId mxid, HeapCheckContext *ctx)
2060 : {
2061 120 : if (!TransactionIdIsValid(mxid))
2062 0 : return XID_INVALID;
2063 120 : if (MultiXactIdPrecedes(mxid, ctx->relminmxid))
2064 4 : return XID_PRECEDES_RELMIN;
2065 116 : if (MultiXactIdPrecedes(mxid, ctx->oldest_mxact))
2066 0 : return XID_PRECEDES_CLUSTERMIN;
2067 116 : if (MultiXactIdPrecedesOrEquals(ctx->next_mxact, mxid))
2068 4 : return XID_IN_FUTURE;
2069 112 : return XID_BOUNDS_OK;
2070 : }
2071 :
2072 : /*
2073 : * Checks whether the given mxid is valid to appear in the heap being checked,
2074 : * returning the nature of the range violation, if any.
2075 : *
2076 : * This function attempts to return quickly by caching the known valid mxid
2077 : * range in ctx. Callers should already have performed the initial setup of
2078 : * the cache prior to the first call to this function.
2079 : */
2080 : static XidBoundsViolation
2081 116 : check_mxid_valid_in_rel(MultiXactId mxid, HeapCheckContext *ctx)
2082 : {
2083 : XidBoundsViolation result;
2084 :
2085 116 : result = check_mxid_in_range(mxid, ctx);
2086 116 : if (result == XID_BOUNDS_OK)
2087 112 : return XID_BOUNDS_OK;
2088 :
2089 : /* The range may have advanced. Recheck. */
2090 4 : update_cached_mxid_range(ctx);
2091 4 : return check_mxid_in_range(mxid, ctx);
2092 : }
2093 :
2094 : /*
2095 : * Checks whether the given transaction ID is (or was recently) valid to appear
2096 : * in the heap being checked, or whether it is too old or too new to appear in
2097 : * the relation, returning information about the nature of the bounds violation.
2098 : *
2099 : * We cache the range of valid transaction IDs. If xid is in that range, we
2100 : * conclude that it is valid, even though concurrent changes to the table might
2101 : * invalidate it under certain corrupt conditions. (For example, if the table
2102 : * contains corrupt all-frozen bits, a concurrent vacuum might skip the page(s)
2103 : * containing the xid and then truncate clog and advance the relfrozenxid
2104 : * beyond xid.) Reporting the xid as valid under such conditions seems
2105 : * acceptable, since if we had checked it earlier in our scan it would have
2106 : * truly been valid at that time.
2107 : *
2108 : * If the status argument is not NULL, and if and only if the transaction ID
2109 : * appears to be valid in this relation, the status argument will be set with
2110 : * the commit status of the transaction ID.
2111 : */
2112 : static XidBoundsViolation
2113 1082700 : get_xid_status(TransactionId xid, HeapCheckContext *ctx,
2114 : XidCommitStatus *status)
2115 : {
2116 : FullTransactionId fxid;
2117 : FullTransactionId clog_horizon;
2118 :
2119 : /* Quick check for special xids */
2120 1082700 : if (!TransactionIdIsValid(xid))
2121 2 : return XID_INVALID;
2122 1082698 : else if (xid == BootstrapTransactionId || xid == FrozenTransactionId)
2123 : {
2124 957278 : if (status != NULL)
2125 957278 : *status = XID_COMMITTED;
2126 957278 : return XID_BOUNDS_OK;
2127 : }
2128 :
2129 : /* Check if the xid is within bounds */
2130 125420 : fxid = FullTransactionIdFromXidAndCtx(xid, ctx);
2131 125420 : if (!fxid_in_cached_range(fxid, ctx))
2132 : {
2133 : /*
2134 : * We may have been checking against stale values. Update the cached
2135 : * range to be sure, and since we relied on the cached range when we
2136 : * performed the full xid conversion, reconvert.
2137 : */
2138 8 : update_cached_xid_range(ctx);
2139 8 : fxid = FullTransactionIdFromXidAndCtx(xid, ctx);
2140 : }
2141 :
2142 125420 : if (FullTransactionIdPrecedesOrEquals(ctx->next_fxid, fxid))
2143 2 : return XID_IN_FUTURE;
2144 125418 : if (FullTransactionIdPrecedes(fxid, ctx->oldest_fxid))
2145 6 : return XID_PRECEDES_CLUSTERMIN;
2146 125412 : if (FullTransactionIdPrecedes(fxid, ctx->relfrozenfxid))
2147 2 : return XID_PRECEDES_RELMIN;
2148 :
2149 : /* Early return if the caller does not request clog checking */
2150 125410 : if (status == NULL)
2151 0 : return XID_BOUNDS_OK;
2152 :
2153 : /* Early return if we just checked this xid in a prior call */
2154 125410 : if (xid == ctx->cached_xid)
2155 : {
2156 107140 : *status = ctx->cached_status;
2157 107140 : return XID_BOUNDS_OK;
2158 : }
2159 :
2160 18270 : *status = XID_COMMITTED;
2161 18270 : LWLockAcquire(XactTruncationLock, LW_SHARED);
2162 : clog_horizon =
2163 18270 : FullTransactionIdFromXidAndCtx(TransamVariables->oldestClogXid,
2164 : ctx);
2165 18270 : if (FullTransactionIdPrecedesOrEquals(clog_horizon, fxid))
2166 : {
2167 18270 : if (TransactionIdIsCurrentTransactionId(xid))
2168 0 : *status = XID_IS_CURRENT_XID;
2169 18270 : else if (TransactionIdIsInProgress(xid))
2170 4 : *status = XID_IN_PROGRESS;
2171 18266 : else if (TransactionIdDidCommit(xid))
2172 18252 : *status = XID_COMMITTED;
2173 : else
2174 14 : *status = XID_ABORTED;
2175 : }
2176 18270 : LWLockRelease(XactTruncationLock);
2177 18270 : ctx->cached_xid = xid;
2178 18270 : ctx->cached_status = *status;
2179 18270 : return XID_BOUNDS_OK;
2180 : }
|