| blob | f2526ed63a28453e5485f8ef05fb98f37c274500 |
1 /*-------------------------------------------------------------------------
2 *
3 * verify_heapam.c
4 * Functions to check postgresql heap relations for corruption
5 *
6 * Copyright (c) 2016-2024, PostgreSQL Global Development Group
7 *
8 * contrib/amcheck/verify_heapam.c
9 *-------------------------------------------------------------------------
10 */
30 /* The number of columns in tuples returned by verify_heapam */
31 #define HEAPCHECK_RELATION_COLS 4
33 /* The largest valid toast va_rawsize */
34 #define VARLENA_SIZE_LIMIT 0x3FFFFFFF
36 /*
37 * Despite the name, we use this for reporting problems with both XIDs and
38 * MXIDs.
39 */
41 {
42 XID_INVALID,
43 XID_IN_FUTURE,
44 XID_PRECEDES_CLUSTERMIN,
45 XID_PRECEDES_RELMIN,
46 XID_BOUNDS_OK,
50 {
51 XID_COMMITTED,
52 XID_IS_CURRENT_XID,
53 XID_IN_PROGRESS,
54 XID_ABORTED,
58 {
59 SKIP_PAGES_ALL_FROZEN,
60 SKIP_PAGES_ALL_VISIBLE,
61 SKIP_PAGES_NONE,
64 /*
65 * Struct holding information about a toasted attribute sufficient to both
66 * check the toasted attribute and, if found to be corrupt, to report where it
67 * was encountered in the main table.
68 */
70 {
77 /*
78 * Struct holding the running context information during
79 * a lifetime of a verify_heapam execution.
80 */
82 {
83 /*
84 * Cached copies of values from TransamVariables and computed values from
85 * them.
86 */
91 * relative to next_fxid */
93 * all-visible while we're running */
95 /*
96 * Cached copy of value from MultiXactState
97 */
101 /*
102 * Cached copies of the most recently checked xid and its status.
103 */
104 TransactionId cached_xid;
105 XidCommitStatus cached_status;
107 /* Values concerning the heap relation being checked */
108 Relation rel;
109 TransactionId relfrozenxid;
110 FullTransactionId relfrozenfxid;
111 TransactionId relminmxid;
112 Relation toast_rel;
114 Relation valid_toast_index;
117 /* Values for iterating over pages in the relation */
118 BlockNumber blkno;
119 BufferAccessStrategy bstrategy;
120 Buffer buffer;
121 Page page;
123 /* Values for iterating over tuples within a page */
124 OffsetNumber offnum;
125 ItemId itemid;
126 uint16 lp_len;
127 uint16 lp_off;
128 HeapTupleHeader tuphdr;
131 /* Values for iterating over attributes within the tuple */
133 AttrNumber attnum;
135 /* True if tuple's xmax makes it eligible for pruning */
138 /*
139 * List of ToastedAttribute structs for toasted attributes which are not
140 * eligible for pruning and should be checked
141 */
144 /* Whether verify_heapam has yet encountered any corrupt tuples */
147 /* The descriptor and tuplestore for verify_heapam's result tuples */
148 TupleDesc tupdesc;
152 /* Internal implementation */
158 uint32 extsize);
184 /*
185 * Scan and report corruption in heap pages, optionally reconciling toasted
186 * attributes with entries in the associated toast table. Intended to be
187 * called from SQL with the following parameters:
188 *
189 * relation:
190 * The Oid of the heap relation to be checked.
191 *
192 * on_error_stop:
193 * Whether to stop at the end of the first page for which errors are
194 * detected. Note that multiple rows may be returned.
195 *
196 * check_toast:
197 * Whether to check each toasted attribute against the toast table to
198 * verify that it can be found there.
199 *
200 * skip:
201 * What kinds of pages in the heap relation should be skipped. Valid
202 * options are "all-visible", "all-frozen", and "none".
203 *
204 * Returns to the SQL caller a set of tuples, each containing the location
205 * and a description of a corruption found in the heap.
206 *
207 * This code goes to some trouble to avoid crashing the server even if the
208 * table pages are badly corrupted, but it's probably not perfect. If
209 * check_toast is true, we'll use regular index lookups to try to fetch TOAST
210 * tuples, which can certainly cause crashes if the right kind of corruption
211 * exists in the toast table or index. No matter what parameters you pass,
212 * we can't protect against crashes that might occur trying to look up the
213 * commit status of transaction IDs (though we avoid trying to do such lookups
214 * for transaction IDs that can't legally appear in the table).
215 */
216 Datum
218 {
220 HeapCheckContext ctx;
222 Oid relid;
226 BlockNumber first_block;
227 BlockNumber last_block;
228 BlockNumber nblocks;
231 /* Check supplied arguments */
261 else
271 /*
272 * Any xmin newer than the xmin of our snapshot can't become all-visible
273 * while we're running.
274 */
277 /*
278 * If we report corruption when not examining some individual attribute,
279 * we need attnum to be reported as NULL. Set that up before any
280 * corruption reporting might happen.
281 */
284 /* Construct the tuplestore and tuple descriptor */
289 /* Open relation, check relkind and access method */
292 /*
293 * Check that a relation's relkind and access method are both supported.
294 */
303 /*
304 * Sequences always use heap AM, but they don't show that in the catalogs.
305 * Other relkinds might be using a different AM, so check.
306 */
313 /*
314 * Early exit for unlogged relations during recovery. These will have no
315 * relation fork, so there won't be anything to check. We behave as if
316 * the relation is empty.
317 */
320 {
327 }
329 /* Early exit if the relation is empty */
332 {
335 }
341 /* Validate block numbers, or handle nulls. */
344 else
345 {
354 }
357 else
358 {
367 }
369 /* Optionally open the toast relation, if any. */
371 {
374 /* Main relation has associated toast relation */
376 AccessShareLock);
378 AccessShareLock,
382 }
383 else
384 {
385 /*
386 * Main relation has no associated toast relation, or we're
387 * intentionally skipping it.
388 */
392 }
404 {
405 OffsetNumber maxoff;
416 /* Optionally skip over all-frozen or all-visible blocks */
418 {
419 int32 mapbits;
424 {
427 }
430 {
433 }
434 }
436 /* Read and lock the next page. */
442 /* Perform tuple checks */
446 {
447 BlockNumber nextblkno;
448 OffsetNumber nextoffnum;
455 /* Skip over unused/dead line pointers */
459 /*
460 * If this line pointer has been redirected, check that it
461 * redirects to a valid offset within the line pointer array
462 */
464 {
466 ItemId rditem;
469 {
475 }
477 {
483 }
485 /*
486 * Since we've checked that this redirect points to a line
487 * pointer between FirstOffsetNumber and maxoff, it should now
488 * be safe to fetch the referenced line pointer. We expect it
489 * to be LP_NORMAL; if not, that's corruption.
490 */
493 {
498 }
500 {
505 }
507 {
512 }
514 /*
515 * Record the fact that this line pointer has passed basic
516 * sanity checking, and also the offset number to which it
517 * points.
518 */
522 }
524 /* Sanity-check the line pointer's offset and length values */
529 {
534 }
536 {
542 }
544 {
551 }
553 /* It should be safe to examine the tuple's header, at least */
558 /* Ok, ready to check this next tuple */
563 /*
564 * If the CTID field of this tuple seems to point to another tuple
565 * on the same page, record that tuple as the successor of this
566 * one.
567 */
573 }
575 /*
576 * Update chain validation. Check each line pointer that's got a valid
577 * successor against that successor.
578 */
582 {
583 ItemId curr_lp;
584 ItemId next_lp;
585 HeapTupleHeader curr_htup;
586 HeapTupleHeader next_htup;
587 TransactionId curr_xmin;
588 TransactionId curr_xmax;
589 TransactionId next_xmin;
592 /*
593 * The current line pointer may not have a successor, either
594 * because it's not valid or because it didn't point to anything.
595 * In either case, we have to give up.
596 *
597 * If the current line pointer does point to something, it's
598 * possible that the target line pointer isn't valid. We have to
599 * give up in that case, too.
600 */
604 /* We have two valid line pointers that we can examine. */
608 /* Handle the cases where the current line pointer is a redirect. */
610 {
611 /*
612 * We should not have set successor[ctx.offnum] to a value
613 * other than InvalidOffsetNumber unless that line pointer is
614 * LP_NORMAL.
615 */
618 /* Can only redirect to a HOT tuple. */
621 {
625 }
627 /* HOT chains should not intersect. */
629 {
634 }
636 /*
637 * This redirect and the tuple to which it points seem to be
638 * part of an update chain.
639 */
642 }
644 /*
645 * If the next line pointer is a redirect, or if it's a tuple but
646 * the XMAX of this tuple doesn't match the XMIN of the next
647 * tuple, then the two aren't part of the same update chain and
648 * there is nothing more to do.
649 */
660 /* HOT chains should not intersect. */
662 {
667 }
669 /*
670 * This tuple and the tuple to which it points seem to be part of
671 * an update chain.
672 */
675 /*
676 * If the current tuple is marked as HOT-updated, then the next
677 * tuple should be marked as a heap-only tuple. Conversely, if the
678 * current tuple isn't marked as HOT-updated, then the next tuple
679 * shouldn't be marked as a heap-only tuple.
680 *
681 * NB: Can't use HeapTupleHeaderIsHotUpdated() as it checks if
682 * hint bits indicate xmin/xmax aborted.
683 */
686 {
690 }
693 {
697 }
699 /*
700 * If the current tuple's xmin is still in progress but the
701 * successor tuple's xmin is committed, that's corruption.
702 *
703 * NB: We recheck the commit status of the current tuple's xmin
704 * here, because it might have committed after we checked it and
705 * before we checked the commit status of the successor tuple's
706 * xmin. This should be safe because the xmin itself can't have
707 * changed, only its commit status.
708 */
715 {
717 psprintf("tuple with in-progress xmin %u was updated to produce a tuple at offset %u with committed xmin %u",
721 }
723 /*
724 * If the current tuple's xmin is aborted but the successor
725 * tuple's xmin is in-progress or committed, that's corruption.
726 */
730 {
733 psprintf("tuple with aborted xmin %u was updated to produce a tuple at offset %u with in-progress xmin %u",
739 psprintf("tuple with aborted xmin %u was updated to produce a tuple at offset %u with committed xmin %u",
743 }
744 }
746 /*
747 * An update chain can start either with a non-heap-only tuple or with
748 * a redirect line pointer, but not with a heap-only tuple.
749 *
750 * (This check is in a separate loop because we need the predecessor
751 * array to be fully populated before we can perform it.)
752 */
756 {
761 {
762 ItemId curr_lp;
766 {
767 HeapTupleHeader curr_htup;
774 }
775 }
776 }
778 /* clean up */
781 /*
782 * Check any toast pointers from the page whose lock we just released
783 */
785 {
792 }
796 }
801 /* Close the associated toast table and indexes, if any. */
804 AccessShareLock);
808 /* Close the main relation */
812 }
814 /*
815 * Shared internal implementation for report_corruption and
816 * report_toast_corruption.
817 */
818 static void
822 {
825 HeapTuple tuple;
833 /*
834 * In principle, there is nothing to prevent a scan over a large, highly
835 * corrupted table from using work_mem worth of memory building up the
836 * tuplestore. That's ok, but if we also leak the msg argument memory
837 * until the end of the query, we could exceed work_mem by more than a
838 * trivial amount. Therefore, free the msg argument each time we are
839 * called rather than waiting for our current memory context to be freed.
840 */
845 }
847 /*
848 * Record a single corruption found in the main table. The values in ctx should
849 * indicate the location of the corruption, and the msg argument should contain
850 * a human-readable description of the corruption.
851 *
852 * The msg argument is pfree'd by this function.
853 */
854 static void
856 {
860 }
862 /*
863 * Record corruption found in the toast table. The values in ta should
864 * indicate the location in the main table where the toast pointer was
865 * encountered, and the msg argument should contain a human-readable
866 * description of the toast table corruption.
867 *
868 * As above, the msg argument is pfree'd by this function.
869 */
870 static void
873 {
877 }
879 /*
880 * Check for tuple header corruption.
881 *
882 * Some kinds of corruption make it unsafe to check the tuple attributes, for
883 * example when the line pointer refers to a range of bytes outside the page.
884 * In such cases, we return false (not checkable) after recording appropriate
885 * corruption messages.
886 *
887 * Some other kinds of tuple header corruption confuse the question of where
888 * the tuple attributes begin, or how long the nulls bitmap is, etc., making it
889 * unreasonable to attempt to check attributes, even if all candidate answers
890 * to those questions would not result in reading past the end of the line
891 * pointer or page. In such cases, like above, we record corruption messages
892 * about the header and then return false.
893 *
894 * Other kinds of tuple header corruption do not bear on the question of
895 * whether the tuple attributes can be checked, so we record corruption
896 * messages for them but we do not return false merely because we detected
897 * them.
898 *
899 * Returns whether the tuple is sufficiently sensible to undergo visibility and
900 * attribute checks.
901 */
902 static bool
904 {
912 {
917 }
921 {
925 /*
926 * This condition is clearly wrong, but it's not enough to justify
927 * skipping further checks, because we don't rely on this to determine
928 * whether the tuple is visible or to interpret other relevant header
929 * fields.
930 */
931 }
935 {
939 /*
940 * As above, even though this shouldn't happen, it's not sufficient
941 * justification for skipping further checks, we should still be able
942 * to perform sensibly.
943 */
944 }
948 {
952 /* Here again, we can still perform further checks. */
953 }
957 else
960 {
963 psprintf("tuple data should begin at byte %u, but actually begins at byte %u (1 attribute, has nulls)",
967 psprintf("tuple data should begin at byte %u, but actually begins at byte %u (%u attributes, has nulls)",
971 psprintf("tuple data should begin at byte %u, but actually begins at byte %u (1 attribute, no nulls)",
973 else
975 psprintf("tuple data should begin at byte %u, but actually begins at byte %u (%u attributes, no nulls)",
978 }
981 }
983 /*
984 * Checks tuple visibility so we know which further checks are safe to
985 * perform.
986 *
987 * If a tuple could have been inserted by a transaction that also added a
988 * column to the table, but which ultimately did not commit, or which has not
989 * yet committed, then the table's current TupleDesc might differ from the one
990 * used to construct this tuple, so we must not check it.
991 *
992 * As a special case, if our own transaction inserted the tuple, even if we
993 * added a column to the table, our TupleDesc should match. We could check the
994 * tuple, but choose not to do so.
995 *
996 * If a tuple has been updated or deleted, we can still read the old tuple for
997 * corruption checking purposes, as long as we are careful about concurrent
998 * vacuums. The main table tuple itself cannot be vacuumed away because we
999 * hold a buffer lock on the page, but if the deleting transaction is older
1000 * than our transaction snapshot's xmin, then vacuum could remove the toast at
1001 * any time, so we must not try to follow TOAST pointers.
1002 *
1003 * If xmin or xmax values are older than can be checked against clog, or appear
1004 * to be in the future (possibly due to wrap-around), then we cannot make a
1005 * determination about the visibility of the tuple, so we skip further checks.
1006 *
1007 * Returns true if the tuple itself should be checked, false otherwise. Sets
1008 * ctx->tuple_could_be_pruned if the tuple -- and thus also any associated
1009 * TOAST tuples -- are eligible for pruning.
1010 *
1011 * Sets *xmin_commit_status_ok to true if the commit status of xmin is known
1012 * and false otherwise. If it's set to true, then also set *xmin_commit_status
1013 * to the actual commit status.
1014 */
1015 static bool
1018 {
1019 TransactionId xmin;
1020 TransactionId xvac;
1021 TransactionId xmax;
1022 XidCommitStatus xmin_status;
1023 XidCommitStatus xvac_status;
1024 XidCommitStatus xmax_status;
1030 /* If xmin is normal, it should be within valid range */
1033 {
1035 /* Could be the result of a speculative insertion that aborted. */
1044 xmin,
1051 xmin,
1058 xmin,
1062 }
1064 /*
1065 * Has inserting transaction committed?
1066 */
1068 {
1071 /* Used by pre-9.0 binary upgrades */
1073 {
1077 {
1084 psprintf("old-style VACUUM FULL transaction ID %u for moved off tuple equals or exceeds next valid transaction ID %u:%u",
1085 xvac,
1091 psprintf("old-style VACUUM FULL transaction ID %u for moved off tuple precedes relation freeze threshold %u:%u",
1092 xvac,
1098 psprintf("old-style VACUUM FULL transaction ID %u for moved off tuple precedes oldest valid transaction ID %u:%u",
1099 xvac,
1105 }
1108 {
1111 psprintf("old-style VACUUM FULL transaction ID %u for moved off tuple matches our current transaction ID",
1112 xvac));
1116 psprintf("old-style VACUUM FULL transaction ID %u for moved off tuple appears to be in progress",
1117 xvac));
1122 /*
1123 * The tuple is dead, because the xvac transaction moved
1124 * it off and committed. It's checkable, but also
1125 * prunable.
1126 */
1131 /*
1132 * The original xmin must have committed, because the xvac
1133 * transaction tried to move it later. Since xvac is
1134 * aborted, whether it's still alive now depends on the
1135 * status of xmax.
1136 */
1138 }
1139 }
1140 /* Used by pre-9.0 binary upgrades */
1142 {
1146 {
1153 psprintf("old-style VACUUM FULL transaction ID %u for moved in tuple equals or exceeds next valid transaction ID %u:%u",
1154 xvac,
1160 psprintf("old-style VACUUM FULL transaction ID %u for moved in tuple precedes relation freeze threshold %u:%u",
1161 xvac,
1167 psprintf("old-style VACUUM FULL transaction ID %u for moved in tuple precedes oldest valid transaction ID %u:%u",
1168 xvac,
1174 }
1177 {
1180 psprintf("old-style VACUUM FULL transaction ID %u for moved in tuple matches our current transaction ID",
1181 xvac));
1185 psprintf("old-style VACUUM FULL transaction ID %u for moved in tuple appears to be in progress",
1186 xvac));
1191 /*
1192 * The original xmin must have committed, because the xvac
1193 * transaction moved it later. Whether it's still alive
1194 * now depends on the status of xmax.
1195 */
1200 /*
1201 * The tuple is dead, because the xvac transaction moved
1202 * it off and committed. It's checkable, but also
1203 * prunable.
1204 */
1206 }
1207 }
1209 {
1210 /*
1211 * Inserting transaction is not in progress, and not committed, so
1212 * it might have changed the TupleDesc in ways we don't know
1213 * about. Thus, don't try to check the tuple structure.
1214 *
1215 * If xmin_status happens to be XID_IS_CURRENT_XID, then in theory
1216 * any such DDL changes ought to be visible to us, so perhaps we
1217 * could check anyway in that case. But, for now, let's be
1218 * conservative and treat this like any other uncommitted insert.
1219 */
1221 }
1222 }
1224 /*
1225 * Okay, the inserter committed, so it was good at some point. Now what
1226 * about the deleting transaction?
1227 */
1230 {
1231 /*
1232 * xmax is a multixact, so sanity-check the MXID. Note that we do this
1233 * prior to checking for HEAP_XMAX_INVALID or
1234 * HEAP_XMAX_IS_LOCKED_ONLY. This might therefore complain about
1235 * things that wouldn't actually be a problem during a normal scan,
1236 * but eventually we're going to have to freeze, and that process will
1237 * ignore hint bits.
1238 *
1239 * Even if the MXID is out of range, we still know that the original
1240 * insert committed, so we can check the tuple itself. However, we
1241 * can't rule out the possibility that this tuple is dead, so don't
1242 * clear ctx->tuple_could_be_pruned. Possibly we should go ahead and
1243 * clear that flag anyway if HEAP_XMAX_INVALID is set or if
1244 * HEAP_XMAX_IS_LOCKED_ONLY is true, but for now we err on the side of
1245 * avoiding possibly-bogus complaints about missing TOAST entries.
1246 */
1249 {
1267 xmax,
1272 }
1273 }
1276 {
1277 /*
1278 * This tuple is live. A concurrently running transaction could
1279 * delete it before we get around to checking the toast, but any such
1280 * running transaction is surely not less than our safe_xmin, so the
1281 * toast cannot be vacuumed out from under us.
1282 */
1285 }
1288 {
1289 /*
1290 * "Deleting" xact really only locked it, so the tuple is live in any
1291 * case. As above, a concurrently running transaction could delete
1292 * it, but it cannot be vacuumed out from under us.
1293 */
1296 }
1299 {
1300 /*
1301 * We already checked above that this multixact is within limits for
1302 * this table. Now check the update xid from this multixact.
1303 */
1306 {
1308 /* not LOCKED_ONLY, so it has to have an xmax */
1315 xmax,
1322 xmax,
1329 xmax,
1335 }
1338 {
1342 /*
1343 * The delete is in progress, so it cannot be visible to our
1344 * snapshot.
1345 */
1350 /*
1351 * The delete committed. Whether the toast can be vacuumed
1352 * away depends on how old the deleting transaction is.
1353 */
1359 /*
1360 * The delete aborted or crashed. The tuple is still live.
1361 */
1364 }
1366 /* Tuple itself is checkable even if it's dead. */
1368 }
1370 /* xmax is an XID, not a MXID. Sanity check it. */
1373 {
1380 xmax,
1387 xmax,
1394 xmax,
1400 }
1402 /*
1403 * Whether the toast can be vacuumed away depends on how old the deleting
1404 * transaction is.
1405 */
1407 {
1411 /*
1412 * The delete is in progress, so it cannot be visible to our
1413 * snapshot.
1414 */
1420 /*
1421 * The delete committed. Whether the toast can be vacuumed away
1422 * depends on how old the deleting transaction is.
1423 */
1430 /*
1431 * The delete aborted or crashed. The tuple is still live.
1432 */
1435 }
1437 /* Tuple itself is checkable even if it's dead. */
1439 }
1442 /*
1443 * Check the current toast tuple against the state tracked in ctx, recording
1444 * any corruption found in ctx->tupstore.
1445 *
1446 * This is not equivalent to running verify_heapam on the toast table itself,
1447 * and is not hardened against corruption of the toast table. Rather, when
1448 * validating a toasted attribute in the main table, the sequence of toast
1449 * tuples that store the toasted value are retrieved and checked in order, with
1450 * each toast tuple being checked against where we are in the sequence, as well
1451 * as each toast tuple having its varlena structure sanity checked.
1452 *
1453 * On entry, *expected_chunk_seq should be the chunk_seq value that we expect
1454 * to find in toasttup. On exit, it will be updated to the value the next call
1455 * to this function should expect to see.
1456 */
1457 static void
1460 uint32 extsize)
1461 {
1462 int32 chunk_seq;
1464 Pointer chunk;
1466 int32 chunksize;
1467 int32 expected_size;
1469 /* Sanity-check the sequence number. */
1473 {
1478 }
1480 {
1481 /* Either the TOAST index is corrupt, or we don't have all chunks. */
1486 }
1489 /* Sanity-check the chunk data. */
1493 {
1497 chunk_seq));
1499 }
1503 {
1504 /*
1505 * could happen due to heap_form_tuple doing its thing
1506 */
1508 }
1509 else
1510 {
1511 /* should never happen */
1519 }
1521 /*
1522 * Some checks on the data we've found
1523 */
1525 {
1531 }
1541 }
1543 /*
1544 * Check the current attribute as tracked in ctx, recording any corruption
1545 * found in ctx->tupstore.
1546 *
1547 * This function follows the logic performed by heap_deform_tuple(), and in the
1548 * case of a toasted value, optionally stores the toast pointer so later it can
1549 * be checked following the logic of detoast_external_attr(), checking for any
1550 * conditions that would result in either of those functions Asserting or
1551 * crashing the backend. The checks performed by Asserts present in those two
1552 * functions are also performed here and in check_toasted_attribute. In cases
1553 * where those two functions are a bit cavalier in their assumptions about data
1554 * being correct, we perform additional checks not present in either of those
1555 * two functions. Where some condition is checked in both of those functions,
1556 * we perform it here twice, as we parallel the logical flow of those two
1557 * functions. The presence of duplicate checks seems a reasonable price to pay
1558 * for keeping this code tightly coupled with the code it protects.
1559 *
1560 * Returns true if the tuple attribute is sane enough for processing to
1561 * continue on to the next attribute, false otherwise.
1562 */
1563 static bool
1565 {
1566 Datum attdatum;
1569 uint16 infomask;
1570 Form_pg_attribute thisatt;
1579 {
1586 }
1588 /* Skip null values */
1592 /* Skip non-varlena values, but update offset first */
1594 {
1599 {
1606 }
1608 }
1610 /* Ok, we're looking at a varlena attribute. */
1614 /* Get the (possibly corrupt) varlena datum */
1617 /*
1618 * We have the datum, but we cannot decode it carelessly, as it may still
1619 * be corrupt.
1620 */
1622 /*
1623 * Check that VARTAG_SIZE won't hit an Assert on a corrupt va_tag before
1624 * risking a call into att_addlength_pointer
1625 */
1627 {
1631 {
1634 va_tag));
1635 /* We can't know where the next attribute begins */
1637 }
1638 }
1640 /* Ok, should be safe now */
1645 {
1653 }
1655 /*
1656 * heap_deform_tuple would be done with this attribute at this point,
1657 * having stored it in values[], and would continue to the next attribute.
1658 * We go further, because we need to check if the toast datum is corrupt.
1659 */
1663 /*
1664 * Now we follow the logic of detoast_external_attr(), with the same
1665 * caveats about being paranoid about corruption.
1666 */
1668 /* Skip values that are not external */
1672 /* It is external, and we're looking at a page on disk */
1674 /*
1675 * Must copy attr into toast_pointer for alignment considerations
1676 */
1679 /* Toasted attributes too large to be untoasted should never be stored */
1685 VARLENA_SIZE_LIMIT));
1688 {
1689 ToastCompressionId cmid;
1692 /* Compressed attributes should have a valid compression method */
1695 {
1696 /* List of all valid compression method IDs */
1702 /* Recognized but invalid compression method ID */
1706 /* Intentionally no default here */
1707 }
1712 }
1714 /* The tuple header better claim to contain toasted values */
1716 {
1721 }
1723 /* The relation better have a toast table */
1725 {
1730 }
1732 /* If we were told to skip toast checking, then we're done. */
1736 /*
1737 * If this tuple is eligible to be pruned, we cannot check the toast.
1738 * Otherwise, we push a copy of the toast tuple so we can check it after
1739 * releasing the main table buffer lock.
1740 */
1742 {
1752 }
1755 }
1757 /*
1758 * For each attribute collected in ctx->toasted_attributes, look up the value
1759 * in the toast table and perform checks on it. This function should only be
1760 * called on toast pointers which cannot be vacuumed away during our
1761 * processing.
1762 */
1763 static void
1765 {
1766 SnapshotData SnapshotToast;
1767 ScanKeyData toastkey;
1768 SysScanDesc toastscan;
1770 HeapTuple toasttup;
1771 uint32 extsize;
1773 int32 last_chunk_seq;
1778 /*
1779 * Setup a scan key to find chunks in toast table with matching va_valueid
1780 */
1786 /*
1787 * Check if any chunks for this toasted object exist in the toast table,
1788 * accessible via the index.
1789 */
1799 {
1802 }
1814 }
1816 /*
1817 * Check the current tuple as tracked in ctx, recording any corruption found in
1818 * ctx->tupstore.
1819 *
1820 * We return some information about the status of xmin to aid in validating
1821 * update chains.
1822 */
1823 static void
1826 {
1827 /*
1828 * Check various forms of tuple header corruption, and if the header is
1829 * too corrupt, do not continue with other checks.
1830 */
1834 /*
1835 * Check tuple visibility. If the inserting transaction aborted, we
1836 * cannot assume our relation description matches the tuple structure, and
1837 * therefore cannot check it.
1838 */
1840 xmin_commit_status))
1843 /*
1844 * The tuple is visible, so it must be compatible with the current version
1845 * of the relation descriptor. It might have fewer columns than are
1846 * present in the relation descriptor, but it cannot have more.
1847 */
1849 {
1855 }
1857 /*
1858 * Check each attribute unless we hit corruption that confuses what to do
1859 * next, at which point we abort further attribute checks for this tuple.
1860 * Note that we don't abort for all types of corruption, only for those
1861 * types where we don't know how to continue. We also don't abort the
1862 * checking of toasted attributes collected from the tuple prior to
1863 * aborting. Those will still be checked later along with other toasted
1864 * attributes collected from the page.
1865 */
1871 /* revert attnum to -1 until we again examine individual attributes */
1873 }
1875 /*
1876 * Convert a TransactionId into a FullTransactionId using our cached values of
1877 * the valid transaction ID range. It is the caller's responsibility to have
1878 * already updated the cached values, if necessary.
1879 */
1880 static FullTransactionId
1882 {
1883 uint64 nextfxid_i;
1884 int32 diff;
1885 FullTransactionId fxid;
1896 /* compute the 32bit modulo difference */
1899 /*
1900 * In cases of corruption we might see a 32bit xid that is before epoch 0.
1901 * We can't represent that as a 64bit xid, due to 64bit xids being
1902 * unsigned integers, without the modulo arithmetic of 32bit xid. There's
1903 * no really nice way to deal with that, but it works ok enough to use
1904 * FirstNormalFullTransactionId in that case, as a freshly initdb'd
1905 * cluster already has a newer horizon.
1906 */
1908 {
1911 }
1912 else
1917 }
1919 /*
1920 * Update our cached range of valid transaction IDs.
1921 */
1922 static void
1924 {
1925 /* Make cached copies */
1931 /* And compute alternate versions of the same */
1934 }
1936 /*
1937 * Update our cached range of valid multitransaction IDs.
1938 */
1939 static void
1941 {
1943 }
1945 /*
1946 * Return whether the given FullTransactionId is within our cached valid
1947 * transaction ID range.
1948 */
1951 {
1954 }
1956 /*
1957 * Checks whether a multitransaction ID is in the cached valid range, returning
1958 * the nature of the range violation, if any.
1959 */
1960 static XidBoundsViolation
1962 {
1972 }
1974 /*
1975 * Checks whether the given mxid is valid to appear in the heap being checked,
1976 * returning the nature of the range violation, if any.
1977 *
1978 * This function attempts to return quickly by caching the known valid mxid
1979 * range in ctx. Callers should already have performed the initial setup of
1980 * the cache prior to the first call to this function.
1981 */
1982 static XidBoundsViolation
1984 {
1985 XidBoundsViolation result;
1991 /* The range may have advanced. Recheck. */
1994 }
1996 /*
1997 * Checks whether the given transaction ID is (or was recently) valid to appear
1998 * in the heap being checked, or whether it is too old or too new to appear in
1999 * the relation, returning information about the nature of the bounds violation.
2000 *
2001 * We cache the range of valid transaction IDs. If xid is in that range, we
2002 * conclude that it is valid, even though concurrent changes to the table might
2003 * invalidate it under certain corrupt conditions. (For example, if the table
2004 * contains corrupt all-frozen bits, a concurrent vacuum might skip the page(s)
2005 * containing the xid and then truncate clog and advance the relfrozenxid
2006 * beyond xid.) Reporting the xid as valid under such conditions seems
2007 * acceptable, since if we had checked it earlier in our scan it would have
2008 * truly been valid at that time.
2009 *
2010 * If the status argument is not NULL, and if and only if the transaction ID
2011 * appears to be valid in this relation, the status argument will be set with
2012 * the commit status of the transaction ID.
2013 */
2014 static XidBoundsViolation
2017 {
2018 FullTransactionId fxid;
2019 FullTransactionId clog_horizon;
2021 /* Quick check for special xids */
2025 {
2029 }
2031 /* Check if the xid is within bounds */
2034 {
2035 /*
2036 * We may have been checking against stale values. Update the cached
2037 * range to be sure, and since we relied on the cached range when we
2038 * performed the full xid conversion, reconvert.
2039 */
2042 }
2051 /* Early return if the caller does not request clog checking */
2055 /* Early return if we just checked this xid in a prior call */
2057 {
2060 }
2064 clog_horizon =
2066 ctx);
2068 {
2075 else
2077 }
2082 }