| blob | f996f9a5727b1eb4b0541d22840ddb87d97e5d05 |
1 /*-------------------------------------------------------------------------
2 *
3 * verify_heapam.c
4 * Functions to check postgresql heap relations for corruption
5 *
6 * Copyright (c) 2016-2022, PostgreSQL Global Development Group
7 *
8 * contrib/amcheck/verify_heapam.c
9 *-------------------------------------------------------------------------
10 */
30 /* The number of columns in tuples returned by verify_heapam */
31 #define HEAPCHECK_RELATION_COLS 4
33 /* The largest valid toast va_rawsize */
34 #define VARLENA_SIZE_LIMIT 0x3FFFFFFF
36 /*
37 * Despite the name, we use this for reporting problems with both XIDs and
38 * MXIDs.
39 */
41 {
42 XID_INVALID,
43 XID_IN_FUTURE,
44 XID_PRECEDES_CLUSTERMIN,
45 XID_PRECEDES_RELMIN,
46 XID_BOUNDS_OK
50 {
51 XID_COMMITTED,
52 XID_IS_CURRENT_XID,
53 XID_IN_PROGRESS,
54 XID_ABORTED
58 {
59 SKIP_PAGES_ALL_FROZEN,
60 SKIP_PAGES_ALL_VISIBLE,
61 SKIP_PAGES_NONE
64 /*
65 * Struct holding information about a toasted attribute sufficient to both
66 * check the toasted attribute and, if found to be corrupt, to report where it
67 * was encountered in the main table.
68 */
70 {
77 /*
78 * Struct holding the running context information during
79 * a lifetime of a verify_heapam execution.
80 */
82 {
83 /*
84 * Cached copies of values from ShmemVariableCache and computed values
85 * from them.
86 */
91 * relative to next_fxid */
93 * all-visible while we're running */
95 /*
96 * Cached copy of value from MultiXactState
97 */
101 /*
102 * Cached copies of the most recently checked xid and its status.
103 */
104 TransactionId cached_xid;
105 XidCommitStatus cached_status;
107 /* Values concerning the heap relation being checked */
108 Relation rel;
109 TransactionId relfrozenxid;
110 FullTransactionId relfrozenfxid;
111 TransactionId relminmxid;
112 Relation toast_rel;
114 Relation valid_toast_index;
117 /* Values for iterating over pages in the relation */
118 BlockNumber blkno;
119 BufferAccessStrategy bstrategy;
120 Buffer buffer;
121 Page page;
123 /* Values for iterating over tuples within a page */
124 OffsetNumber offnum;
125 ItemId itemid;
126 uint16 lp_len;
127 uint16 lp_off;
128 HeapTupleHeader tuphdr;
131 /* Values for iterating over attributes within the tuple */
133 AttrNumber attnum;
135 /* True if tuple's xmax makes it eligible for pruning */
138 /*
139 * List of ToastedAttribute structs for toasted attributes which are not
140 * eligible for pruning and should be checked
141 */
144 /* Whether verify_heapam has yet encountered any corrupt tuples */
147 /* The descriptor and tuplestore for verify_heapam's result tuples */
148 TupleDesc tupdesc;
152 /* Internal implementation */
156 uint32 extsize);
181 /*
182 * Scan and report corruption in heap pages, optionally reconciling toasted
183 * attributes with entries in the associated toast table. Intended to be
184 * called from SQL with the following parameters:
185 *
186 * relation:
187 * The Oid of the heap relation to be checked.
188 *
189 * on_error_stop:
190 * Whether to stop at the end of the first page for which errors are
191 * detected. Note that multiple rows may be returned.
192 *
193 * check_toast:
194 * Whether to check each toasted attribute against the toast table to
195 * verify that it can be found there.
196 *
197 * skip:
198 * What kinds of pages in the heap relation should be skipped. Valid
199 * options are "all-visible", "all-frozen", and "none".
200 *
201 * Returns to the SQL caller a set of tuples, each containing the location
202 * and a description of a corruption found in the heap.
203 *
204 * This code goes to some trouble to avoid crashing the server even if the
205 * table pages are badly corrupted, but it's probably not perfect. If
206 * check_toast is true, we'll use regular index lookups to try to fetch TOAST
207 * tuples, which can certainly cause crashes if the right kind of corruption
208 * exists in the toast table or index. No matter what parameters you pass,
209 * we can't protect against crashes that might occur trying to look up the
210 * commit status of transaction IDs (though we avoid trying to do such lookups
211 * for transaction IDs that can't legally appear in the table).
212 */
213 Datum
215 {
217 MemoryContext old_context;
219 HeapCheckContext ctx;
221 Oid relid;
225 BlockNumber first_block;
226 BlockNumber last_block;
227 BlockNumber nblocks;
230 /* Check to see if caller supports us returning a tuplestore */
240 /* Check supplied arguments */
270 else
280 /*
281 * Any xmin newer than the xmin of our snapshot can't become all-visible
282 * while we're running.
283 */
286 /*
287 * If we report corruption when not examining some individual attribute,
288 * we need attnum to be reported as NULL. Set that up before any
289 * corruption reporting might happen.
290 */
293 /* The tupdesc and tuplestore must be created in ecxt_per_query_memory */
303 /* Open relation, check relkind and access method */
306 /*
307 * Check that a relation's relkind and access method are both supported.
308 */
317 /*
318 * Sequences always use heap AM, but they don't show that in the catalogs.
319 * Other relkinds might be using a different AM, so check.
320 */
327 /*
328 * Early exit for unlogged relations during recovery. These will have no
329 * relation fork, so there won't be anything to check. We behave as if
330 * the relation is empty.
331 */
334 {
341 }
343 /* Early exit if the relation is empty */
346 {
349 }
355 /* Validate block numbers, or handle nulls. */
358 else
359 {
368 }
371 else
372 {
381 }
383 /* Optionally open the toast relation, if any. */
385 {
388 /* Main relation has associated toast relation */
390 AccessShareLock);
392 AccessShareLock,
396 }
397 else
398 {
399 /*
400 * Main relation has no associated toast relation, or we're
401 * intentionally skipping it.
402 */
406 }
418 {
419 OffsetNumber maxoff;
423 /* Optionally skip over all-frozen or all-visible blocks */
425 {
426 int32 mapbits;
431 {
434 }
437 {
440 }
441 }
443 /* Read and lock the next page. */
449 /* Perform tuple checks */
453 {
456 /* Skip over unused/dead line pointers */
460 /*
461 * If this line pointer has been redirected, check that it
462 * redirects to a valid offset within the line pointer array
463 */
465 {
467 ItemId rditem;
470 {
476 }
478 {
484 }
491 }
493 /* Sanity-check the line pointer's offset and length values */
498 {
503 }
505 {
511 }
513 {
520 }
522 /* It should be safe to examine the tuple's header, at least */
526 /* Ok, ready to check this next tuple */
528 }
530 /* clean up */
533 /*
534 * Check any toast pointers from the page whose lock we just released
535 */
537 {
544 }
548 }
553 /* Close the associated toast table and indexes, if any. */
556 AccessShareLock);
560 /* Close the main relation */
564 }
566 /*
567 * Shared internal implementation for report_corruption and
568 * report_toast_corruption.
569 */
570 static void
574 {
577 HeapTuple tuple;
587 /*
588 * In principle, there is nothing to prevent a scan over a large, highly
589 * corrupted table from using work_mem worth of memory building up the
590 * tuplestore. That's ok, but if we also leak the msg argument memory
591 * until the end of the query, we could exceed work_mem by more than a
592 * trivial amount. Therefore, free the msg argument each time we are
593 * called rather than waiting for our current memory context to be freed.
594 */
599 }
601 /*
602 * Record a single corruption found in the main table. The values in ctx should
603 * indicate the location of the corruption, and the msg argument should contain
604 * a human-readable description of the corruption.
605 *
606 * The msg argument is pfree'd by this function.
607 */
608 static void
610 {
614 }
616 /*
617 * Record corruption found in the toast table. The values in ta should
618 * indicate the location in the main table where the toast pointer was
619 * encountered, and the msg argument should contain a human-readable
620 * description of the toast table corruption.
621 *
622 * As above, the msg argument is pfree'd by this function.
623 */
624 static void
627 {
631 }
633 /*
634 * Construct the TupleDesc used to report messages about corruptions found
635 * while scanning the heap.
636 */
637 static TupleDesc
639 {
640 TupleDesc tupdesc;
651 }
653 /*
654 * Check for tuple header corruption.
655 *
656 * Some kinds of corruption make it unsafe to check the tuple attributes, for
657 * example when the line pointer refers to a range of bytes outside the page.
658 * In such cases, we return false (not checkable) after recording appropriate
659 * corruption messages.
660 *
661 * Some other kinds of tuple header corruption confuse the question of where
662 * the tuple attributes begin, or how long the nulls bitmap is, etc., making it
663 * unreasonable to attempt to check attributes, even if all candidate answers
664 * to those questions would not result in reading past the end of the line
665 * pointer or page. In such cases, like above, we record corruption messages
666 * about the header and then return false.
667 *
668 * Other kinds of tuple header corruption do not bear on the question of
669 * whether the tuple attributes can be checked, so we record corruption
670 * messages for them but we do not return false merely because we detected
671 * them.
672 *
673 * Returns whether the tuple is sufficiently sensible to undergo visibility and
674 * attribute checks.
675 */
676 static bool
678 {
685 {
690 }
694 {
698 /*
699 * This condition is clearly wrong, but it's not enough to justify
700 * skipping further checks, because we don't rely on this to determine
701 * whether the tuple is visible or to interpret other relevant header
702 * fields.
703 */
704 }
708 else
711 {
714 psprintf("tuple data should begin at byte %u, but actually begins at byte %u (1 attribute, has nulls)",
718 psprintf("tuple data should begin at byte %u, but actually begins at byte %u (%u attributes, has nulls)",
722 psprintf("tuple data should begin at byte %u, but actually begins at byte %u (1 attribute, no nulls)",
724 else
726 psprintf("tuple data should begin at byte %u, but actually begins at byte %u (%u attributes, no nulls)",
729 }
732 }
734 /*
735 * Checks tuple visibility so we know which further checks are safe to
736 * perform.
737 *
738 * If a tuple could have been inserted by a transaction that also added a
739 * column to the table, but which ultimately did not commit, or which has not
740 * yet committed, then the table's current TupleDesc might differ from the one
741 * used to construct this tuple, so we must not check it.
742 *
743 * As a special case, if our own transaction inserted the tuple, even if we
744 * added a column to the table, our TupleDesc should match. We could check the
745 * tuple, but choose not to do so.
746 *
747 * If a tuple has been updated or deleted, we can still read the old tuple for
748 * corruption checking purposes, as long as we are careful about concurrent
749 * vacuums. The main table tuple itself cannot be vacuumed away because we
750 * hold a buffer lock on the page, but if the deleting transaction is older
751 * than our transaction snapshot's xmin, then vacuum could remove the toast at
752 * any time, so we must not try to follow TOAST pointers.
753 *
754 * If xmin or xmax values are older than can be checked against clog, or appear
755 * to be in the future (possibly due to wrap-around), then we cannot make a
756 * determination about the visibility of the tuple, so we skip further checks.
757 *
758 * Returns true if the tuple itself should be checked, false otherwise. Sets
759 * ctx->tuple_could_be_pruned if the tuple -- and thus also any associated
760 * TOAST tuples -- are eligible for pruning.
761 */
762 static bool
764 {
765 TransactionId xmin;
766 TransactionId xvac;
767 TransactionId xmax;
768 XidCommitStatus xmin_status;
769 XidCommitStatus xvac_status;
770 XidCommitStatus xmax_status;
775 /* If xmin is normal, it should be within valid range */
778 {
785 xmin,
792 xmin,
799 xmin,
803 }
805 /*
806 * Has inserting transaction committed?
807 */
809 {
812 /* Used by pre-9.0 binary upgrades */
814 {
818 {
825 psprintf("old-style VACUUM FULL transaction ID %u for moved off tuple equals or exceeds next valid transaction ID %u:%u",
826 xvac,
832 psprintf("old-style VACUUM FULL transaction ID %u for moved off tuple precedes relation freeze threshold %u:%u",
833 xvac,
839 psprintf("old-style VACUUM FULL transaction ID %u for moved off tuple precedes oldest valid transaction ID %u:%u",
840 xvac,
846 }
849 {
852 psprintf("old-style VACUUM FULL transaction ID %u for moved off tuple matches our current transaction ID",
853 xvac));
857 psprintf("old-style VACUUM FULL transaction ID %u for moved off tuple appears to be in progress",
858 xvac));
863 /*
864 * The tuple is dead, because the xvac transaction moved
865 * it off and committed. It's checkable, but also
866 * prunable.
867 */
872 /*
873 * The original xmin must have committed, because the xvac
874 * transaction tried to move it later. Since xvac is
875 * aborted, whether it's still alive now depends on the
876 * status of xmax.
877 */
879 }
880 }
881 /* Used by pre-9.0 binary upgrades */
883 {
887 {
894 psprintf("old-style VACUUM FULL transaction ID %u for moved in tuple equals or exceeds next valid transaction ID %u:%u",
895 xvac,
901 psprintf("old-style VACUUM FULL transaction ID %u for moved in tuple precedes relation freeze threshold %u:%u",
902 xvac,
908 psprintf("old-style VACUUM FULL transaction ID %u for moved in tuple precedes oldest valid transaction ID %u:%u",
909 xvac,
915 }
918 {
921 psprintf("old-style VACUUM FULL transaction ID %u for moved in tuple matches our current transaction ID",
922 xvac));
926 psprintf("old-style VACUUM FULL transaction ID %u for moved in tuple appears to be in progress",
927 xvac));
932 /*
933 * The original xmin must have committed, because the xvac
934 * transaction moved it later. Whether it's still alive
935 * now depends on the status of xmax.
936 */
941 /*
942 * The tuple is dead, because the xvac transaction moved
943 * it off and committed. It's checkable, but also
944 * prunable.
945 */
947 }
948 }
950 {
951 /*
952 * Inserting transaction is not in progress, and not committed, so
953 * it might have changed the TupleDesc in ways we don't know
954 * about. Thus, don't try to check the tuple structure.
955 *
956 * If xmin_status happens to be XID_IS_CURRENT_XID, then in theory
957 * any such DDL changes ought to be visible to us, so perhaps we
958 * could check anyway in that case. But, for now, let's be
959 * conservative and treat this like any other uncommitted insert.
960 */
962 }
963 }
965 /*
966 * Okay, the inserter committed, so it was good at some point. Now what
967 * about the deleting transaction?
968 */
971 {
972 /*
973 * xmax is a multixact, so sanity-check the MXID. Note that we do this
974 * prior to checking for HEAP_XMAX_INVALID or
975 * HEAP_XMAX_IS_LOCKED_ONLY. This might therefore complain about
976 * things that wouldn't actually be a problem during a normal scan,
977 * but eventually we're going to have to freeze, and that process will
978 * ignore hint bits.
979 *
980 * Even if the MXID is out of range, we still know that the original
981 * insert committed, so we can check the tuple itself. However, we
982 * can't rule out the possibility that this tuple is dead, so don't
983 * clear ctx->tuple_could_be_pruned. Possibly we should go ahead and
984 * clear that flag anyway if HEAP_XMAX_INVALID is set or if
985 * HEAP_XMAX_IS_LOCKED_ONLY is true, but for now we err on the side of
986 * avoiding possibly-bogus complaints about missing TOAST entries.
987 */
990 {
1008 xmax,
1013 }
1014 }
1017 {
1018 /*
1019 * This tuple is live. A concurrently running transaction could
1020 * delete it before we get around to checking the toast, but any such
1021 * running transaction is surely not less than our safe_xmin, so the
1022 * toast cannot be vacuumed out from under us.
1023 */
1026 }
1029 {
1030 /*
1031 * "Deleting" xact really only locked it, so the tuple is live in any
1032 * case. As above, a concurrently running transaction could delete
1033 * it, but it cannot be vacuumed out from under us.
1034 */
1037 }
1040 {
1041 /*
1042 * We already checked above that this multixact is within limits for
1043 * this table. Now check the update xid from this multixact.
1044 */
1047 {
1049 /* not LOCKED_ONLY, so it has to have an xmax */
1056 xmax,
1063 xmax,
1070 xmax,
1076 }
1079 {
1083 /*
1084 * The delete is in progress, so it cannot be visible to our
1085 * snapshot.
1086 */
1091 /*
1092 * The delete committed. Whether the toast can be vacuumed
1093 * away depends on how old the deleting transaction is.
1094 */
1100 /*
1101 * The delete aborted or crashed. The tuple is still live.
1102 */
1105 }
1107 /* Tuple itself is checkable even if it's dead. */
1109 }
1111 /* xmax is an XID, not a MXID. Sanity check it. */
1114 {
1118 xmax,
1125 xmax,
1132 xmax,
1139 }
1141 /*
1142 * Whether the toast can be vacuumed away depends on how old the deleting
1143 * transaction is.
1144 */
1146 {
1150 /*
1151 * The delete is in progress, so it cannot be visible to our
1152 * snapshot.
1153 */
1159 /*
1160 * The delete committed. Whether the toast can be vacuumed away
1161 * depends on how old the deleting transaction is.
1162 */
1169 /*
1170 * The delete aborted or crashed. The tuple is still live.
1171 */
1174 }
1176 /* Tuple itself is checkable even if it's dead. */
1178 }
1181 /*
1182 * Check the current toast tuple against the state tracked in ctx, recording
1183 * any corruption found in ctx->tupstore.
1184 *
1185 * This is not equivalent to running verify_heapam on the toast table itself,
1186 * and is not hardened against corruption of the toast table. Rather, when
1187 * validating a toasted attribute in the main table, the sequence of toast
1188 * tuples that store the toasted value are retrieved and checked in order, with
1189 * each toast tuple being checked against where we are in the sequence, as well
1190 * as each toast tuple having its varlena structure sanity checked.
1191 *
1192 * On entry, *expected_chunk_seq should be the chunk_seq value that we expect
1193 * to find in toasttup. On exit, it will be updated to the value the next call
1194 * to this function should expect to see.
1195 */
1196 static void
1199 uint32 extsize)
1200 {
1201 int32 chunk_seq;
1203 Pointer chunk;
1205 int32 chunksize;
1206 int32 expected_size;
1208 /* Sanity-check the sequence number. */
1212 {
1217 }
1219 {
1220 /* Either the TOAST index is corrupt, or we don't have all chunks. */
1225 }
1228 /* Sanity-check the chunk data. */
1232 {
1236 chunk_seq));
1238 }
1242 {
1243 /*
1244 * could happen due to heap_form_tuple doing its thing
1245 */
1247 }
1248 else
1249 {
1250 /* should never happen */
1258 }
1260 /*
1261 * Some checks on the data we've found
1262 */
1264 {
1270 }
1280 }
1282 /*
1283 * Check the current attribute as tracked in ctx, recording any corruption
1284 * found in ctx->tupstore.
1285 *
1286 * This function follows the logic performed by heap_deform_tuple(), and in the
1287 * case of a toasted value, optionally stores the toast pointer so later it can
1288 * be checked following the logic of detoast_external_attr(), checking for any
1289 * conditions that would result in either of those functions Asserting or
1290 * crashing the backend. The checks performed by Asserts present in those two
1291 * functions are also performed here and in check_toasted_attribute. In cases
1292 * where those two functions are a bit cavalier in their assumptions about data
1293 * being correct, we perform additional checks not present in either of those
1294 * two functions. Where some condition is checked in both of those functions,
1295 * we perform it here twice, as we parallel the logical flow of those two
1296 * functions. The presence of duplicate checks seems a reasonable price to pay
1297 * for keeping this code tightly coupled with the code it protects.
1298 *
1299 * Returns true if the tuple attribute is sane enough for processing to
1300 * continue on to the next attribute, false otherwise.
1301 */
1302 static bool
1304 {
1305 Datum attdatum;
1308 uint16 infomask;
1309 Form_pg_attribute thisatt;
1318 {
1325 }
1327 /* Skip null values */
1331 /* Skip non-varlena values, but update offset first */
1333 {
1338 {
1345 }
1347 }
1349 /* Ok, we're looking at a varlena attribute. */
1353 /* Get the (possibly corrupt) varlena datum */
1356 /*
1357 * We have the datum, but we cannot decode it carelessly, as it may still
1358 * be corrupt.
1359 */
1361 /*
1362 * Check that VARTAG_SIZE won't hit a TrapMacro on a corrupt va_tag before
1363 * risking a call into att_addlength_pointer
1364 */
1366 {
1370 {
1373 va_tag));
1374 /* We can't know where the next attribute begins */
1376 }
1377 }
1379 /* Ok, should be safe now */
1384 {
1392 }
1394 /*
1395 * heap_deform_tuple would be done with this attribute at this point,
1396 * having stored it in values[], and would continue to the next attribute.
1397 * We go further, because we need to check if the toast datum is corrupt.
1398 */
1402 /*
1403 * Now we follow the logic of detoast_external_attr(), with the same
1404 * caveats about being paranoid about corruption.
1405 */
1407 /* Skip values that are not external */
1411 /* It is external, and we're looking at a page on disk */
1413 /*
1414 * Must copy attr into toast_pointer for alignment considerations
1415 */
1418 /* Toasted attributes too large to be untoasted should never be stored */
1424 VARLENA_SIZE_LIMIT));
1427 {
1428 ToastCompressionId cmid;
1431 /* Compression should never expand the attribute */
1439 /* Compressed attributes should have a valid compression method */
1442 {
1443 /* List of all valid compression method IDs */
1449 /* Recognized but invalid compression method ID */
1453 /* Intentionally no default here */
1454 }
1459 }
1461 /* The tuple header better claim to contain toasted values */
1463 {
1468 }
1470 /* The relation better have a toast table */
1472 {
1477 }
1479 /* If we were told to skip toast checking, then we're done. */
1483 /*
1484 * If this tuple is eligible to be pruned, we cannot check the toast.
1485 * Otherwise, we push a copy of the toast tuple so we can check it after
1486 * releasing the main table buffer lock.
1487 */
1489 {
1499 }
1502 }
1504 /*
1505 * For each attribute collected in ctx->toasted_attributes, look up the value
1506 * in the toast table and perform checks on it. This function should only be
1507 * called on toast pointers which cannot be vacuumed away during our
1508 * processing.
1509 */
1510 static void
1512 {
1513 SnapshotData SnapshotToast;
1514 ScanKeyData toastkey;
1515 SysScanDesc toastscan;
1517 HeapTuple toasttup;
1518 uint32 extsize;
1520 int32 last_chunk_seq;
1525 /*
1526 * Setup a scan key to find chunks in toast table with matching va_valueid
1527 */
1533 /*
1534 * Check if any chunks for this toasted object exist in the toast table,
1535 * accessible via the index.
1536 */
1546 {
1549 }
1561 }
1563 /*
1564 * Check the current tuple as tracked in ctx, recording any corruption found in
1565 * ctx->tupstore.
1566 */
1567 static void
1569 {
1570 /*
1571 * Check various forms of tuple header corruption, and if the header is
1572 * too corrupt, do not continue with other checks.
1573 */
1577 /*
1578 * Check tuple visibility. If the inserting transaction aborted, we
1579 * cannot assume our relation description matches the tuple structure, and
1580 * therefore cannot check it.
1581 */
1585 /*
1586 * The tuple is visible, so it must be compatible with the current version
1587 * of the relation descriptor. It might have fewer columns than are
1588 * present in the relation descriptor, but it cannot have more.
1589 */
1591 {
1597 }
1599 /*
1600 * Check each attribute unless we hit corruption that confuses what to do
1601 * next, at which point we abort further attribute checks for this tuple.
1602 * Note that we don't abort for all types of corruption, only for those
1603 * types where we don't know how to continue. We also don't abort the
1604 * checking of toasted attributes collected from the tuple prior to
1605 * aborting. Those will still be checked later along with other toasted
1606 * attributes collected from the page.
1607 */
1613 /* revert attnum to -1 until we again examine individual attributes */
1615 }
1617 /*
1618 * Convert a TransactionId into a FullTransactionId using our cached values of
1619 * the valid transaction ID range. It is the caller's responsibility to have
1620 * already updated the cached values, if necessary.
1621 */
1622 static FullTransactionId
1624 {
1625 uint32 epoch;
1631 epoch--;
1633 }
1635 /*
1636 * Update our cached range of valid transaction IDs.
1637 */
1638 static void
1640 {
1641 /* Make cached copies */
1647 /* And compute alternate versions of the same */
1650 }
1652 /*
1653 * Update our cached range of valid multitransaction IDs.
1654 */
1655 static void
1657 {
1659 }
1661 /*
1662 * Return whether the given FullTransactionId is within our cached valid
1663 * transaction ID range.
1664 */
1667 {
1670 }
1672 /*
1673 * Checks whether a multitransaction ID is in the cached valid range, returning
1674 * the nature of the range violation, if any.
1675 */
1676 static XidBoundsViolation
1678 {
1688 }
1690 /*
1691 * Checks whether the given mxid is valid to appear in the heap being checked,
1692 * returning the nature of the range violation, if any.
1693 *
1694 * This function attempts to return quickly by caching the known valid mxid
1695 * range in ctx. Callers should already have performed the initial setup of
1696 * the cache prior to the first call to this function.
1697 */
1698 static XidBoundsViolation
1700 {
1701 XidBoundsViolation result;
1707 /* The range may have advanced. Recheck. */
1710 }
1712 /*
1713 * Checks whether the given transaction ID is (or was recently) valid to appear
1714 * in the heap being checked, or whether it is too old or too new to appear in
1715 * the relation, returning information about the nature of the bounds violation.
1716 *
1717 * We cache the range of valid transaction IDs. If xid is in that range, we
1718 * conclude that it is valid, even though concurrent changes to the table might
1719 * invalidate it under certain corrupt conditions. (For example, if the table
1720 * contains corrupt all-frozen bits, a concurrent vacuum might skip the page(s)
1721 * containing the xid and then truncate clog and advance the relfrozenxid
1722 * beyond xid.) Reporting the xid as valid under such conditions seems
1723 * acceptable, since if we had checked it earlier in our scan it would have
1724 * truly been valid at that time.
1725 *
1726 * If the status argument is not NULL, and if and only if the transaction ID
1727 * appears to be valid in this relation, the status argument will be set with
1728 * the commit status of the transaction ID.
1729 */
1730 static XidBoundsViolation
1733 {
1734 FullTransactionId fxid;
1735 FullTransactionId clog_horizon;
1737 /* Quick check for special xids */
1741 {
1745 }
1747 /* Check if the xid is within bounds */
1750 {
1751 /*
1752 * We may have been checking against stale values. Update the cached
1753 * range to be sure, and since we relied on the cached range when we
1754 * performed the full xid conversion, reconvert.
1755 */
1758 }
1767 /* Early return if the caller does not request clog checking */
1771 /* Early return if we just checked this xid in a prior call */
1773 {
1776 }
1780 clog_horizon =
1782 ctx);
1784 {
1791 else
1793 }
1798 }