@@ -6338,6 +6338,7 @@ heap_inplace_update(Relation relation, HeapTuple tuple)
63386338 */
63396339static TransactionId
63406340FreezeMultiXactId (MultiXactId multi ,uint16 t_infomask ,
6341+ TransactionId relfrozenxid ,TransactionId relminmxid ,
63416342TransactionId cutoff_xid ,MultiXactId cutoff_multi ,
63426343uint16 * flags )
63436344{
@@ -6364,16 +6365,26 @@ FreezeMultiXactId(MultiXactId multi, uint16 t_infomask,
63646365* flags |=FRM_INVALIDATE_XMAX ;
63656366return InvalidTransactionId ;
63666367}
6368+ else if (MultiXactIdPrecedes (multi ,relminmxid ))
6369+ ereport (ERROR ,
6370+ (errcode (ERRCODE_DATA_CORRUPTED ),
6371+ errmsg_internal ("found multixact %u from before relminmxid %u" ,
6372+ multi ,relminmxid )));
63676373else if (MultiXactIdPrecedes (multi ,cutoff_multi ))
63686374{
63696375/*
6370- * This old multi cannot possibly have members still running. If it
6371- * was a locker only, it can be removed without any further
6372- * consideration; but if it contained an update, we might need to
6373- * preserve it.
6376+ * This old multi cannot possibly have members still running, but
6377+ *verify just in case. If it was a locker only, it can be removed
6378+ *without any further consideration; but if it contained an update, we
6379+ *might need to preserve it.
63746380 */
6375- Assert (!MultiXactIdIsRunning (multi ,
6376- HEAP_XMAX_IS_LOCKED_ONLY (t_infomask )));
6381+ if (MultiXactIdIsRunning (multi ,
6382+ HEAP_XMAX_IS_LOCKED_ONLY (t_infomask )))
6383+ ereport (ERROR ,
6384+ (errcode (ERRCODE_DATA_CORRUPTED ),
6385+ errmsg_internal ("multixact %u from before cutoff %u found to be still running" ,
6386+ multi ,cutoff_multi )));
6387+
63776388if (HEAP_XMAX_IS_LOCKED_ONLY (t_infomask ))
63786389{
63796390* flags |=FRM_INVALIDATE_XMAX ;
@@ -6387,13 +6398,22 @@ FreezeMultiXactId(MultiXactId multi, uint16 t_infomask,
63876398/* wasn't only a lock, xid needs to be valid */
63886399Assert (TransactionIdIsValid (xid ));
63896400
6401+ if (TransactionIdPrecedes (xid ,relfrozenxid ))
6402+ ereport (ERROR ,
6403+ (errcode (ERRCODE_DATA_CORRUPTED ),
6404+ errmsg_internal ("found update xid %u from before relfrozenxid %u" ,
6405+ xid ,relfrozenxid )));
6406+
63906407/*
63916408 * If the xid is older than the cutoff, it has to have aborted,
63926409 * otherwise the tuple would have gotten pruned away.
63936410 */
63946411if (TransactionIdPrecedes (xid ,cutoff_xid ))
63956412{
6396- Assert (!TransactionIdDidCommit (xid ));
6413+ if (TransactionIdDidCommit (xid ))
6414+ ereport (ERROR ,
6415+ (errcode (ERRCODE_DATA_CORRUPTED ),
6416+ errmsg_internal ("cannot freeze committed update xid %u" ,xid )));
63976417* flags |=FRM_INVALIDATE_XMAX ;
63986418xid = InvalidTransactionId ;/* not strictly necessary */
63996419}
@@ -6465,6 +6485,13 @@ FreezeMultiXactId(MultiXactId multi, uint16 t_infomask,
64656485{
64666486TransactionId xid = members [i ].xid ;
64676487
6488+ Assert (TransactionIdIsValid (xid ));
6489+ if (TransactionIdPrecedes (xid ,relfrozenxid ))
6490+ ereport (ERROR ,
6491+ (errcode (ERRCODE_DATA_CORRUPTED ),
6492+ errmsg_internal ("found update xid %u from before relfrozenxid %u" ,
6493+ xid ,relfrozenxid )));
6494+
64686495/*
64696496 * It's an update; should we keep it? If the transaction is known
64706497 * aborted or crashed then it's okay to ignore it, otherwise not.
@@ -6493,18 +6520,26 @@ FreezeMultiXactId(MultiXactId multi, uint16 t_infomask,
64936520update_committed = true;
64946521update_xid = xid ;
64956522}
6496-
6497- /*
6498- * Not in progress, not committed -- must be aborted or crashed;
6499- * we can ignore it.
6500- */
6523+ else
6524+ {
6525+ /*
6526+ * Not in progress, not committed -- must be aborted or crashed;
6527+ * we can ignore it.
6528+ */
6529+ }
65016530
65026531/*
65036532 * Since the tuple wasn't marked HEAPTUPLE_DEAD by vacuum, the
6504- * update Xid cannot possibly be older than the xid cutoff.
6533+ * update Xid cannot possibly be older than the xid cutoff. The
6534+ * presence of such a tuple would cause corruption, so be paranoid
6535+ * and check.
65056536 */
6506- Assert (!TransactionIdIsValid (update_xid )||
6507- !TransactionIdPrecedes (update_xid ,cutoff_xid ));
6537+ if (TransactionIdIsValid (update_xid )&&
6538+ TransactionIdPrecedes (update_xid ,cutoff_xid ))
6539+ ereport (ERROR ,
6540+ (errcode (ERRCODE_DATA_CORRUPTED ),
6541+ errmsg_internal ("found update xid %u from before xid cutoff %u" ,
6542+ update_xid ,cutoff_xid )));
65086543
65096544/*
65106545 * If we determined that it's an Xid corresponding to an update
@@ -6601,8 +6636,9 @@ FreezeMultiXactId(MultiXactId multi, uint16 t_infomask,
66016636 * recovery. We really need to remove old xids.
66026637 */
66036638bool
6604- heap_prepare_freeze_tuple (HeapTupleHeader tuple ,TransactionId cutoff_xid ,
6605- TransactionId cutoff_multi ,
6639+ heap_prepare_freeze_tuple (HeapTupleHeader tuple ,
6640+ TransactionId relfrozenxid ,TransactionId relminmxid ,
6641+ TransactionId cutoff_xid ,TransactionId cutoff_multi ,
66066642xl_heap_freeze_tuple * frz ,bool * totally_frozen_p )
66076643{
66086644bool changed = false;
@@ -6619,8 +6655,20 @@ heap_prepare_freeze_tuple(HeapTupleHeader tuple, TransactionId cutoff_xid,
66196655xid = HeapTupleHeaderGetXmin (tuple );
66206656if (TransactionIdIsNormal (xid ))
66216657{
6658+ if (TransactionIdPrecedes (xid ,relfrozenxid ))
6659+ ereport (ERROR ,
6660+ (errcode (ERRCODE_DATA_CORRUPTED ),
6661+ errmsg_internal ("found xmin %u from before relfrozenxid %u" ,
6662+ xid ,relfrozenxid )));
6663+
66226664if (TransactionIdPrecedes (xid ,cutoff_xid ))
66236665{
6666+ if (!TransactionIdDidCommit (xid ))
6667+ ereport (ERROR ,
6668+ (errcode (ERRCODE_DATA_CORRUPTED ),
6669+ errmsg_internal ("uncommitted xmin %u from before xid cutoff %u needs to be frozen" ,
6670+ xid ,cutoff_xid )));
6671+
66246672frz -> t_infomask |=HEAP_XMIN_FROZEN ;
66256673changed = true;
66266674}
@@ -6645,6 +6693,7 @@ heap_prepare_freeze_tuple(HeapTupleHeader tuple, TransactionId cutoff_xid,
66456693uint16 flags ;
66466694
66476695newxmax = FreezeMultiXactId (xid ,tuple -> t_infomask ,
6696+ relfrozenxid ,relminmxid ,
66486697cutoff_xid ,cutoff_multi ,& flags );
66496698
66506699if (flags & FRM_INVALIDATE_XMAX )
@@ -6694,8 +6743,28 @@ heap_prepare_freeze_tuple(HeapTupleHeader tuple, TransactionId cutoff_xid,
66946743}
66956744else if (TransactionIdIsNormal (xid ))
66966745{
6746+ if (TransactionIdPrecedes (xid ,relfrozenxid ))
6747+ ereport (ERROR ,
6748+ (errcode (ERRCODE_DATA_CORRUPTED ),
6749+ errmsg_internal ("found xmax %u from before relfrozenxid %u" ,
6750+ xid ,relfrozenxid )));
6751+
66976752if (TransactionIdPrecedes (xid ,cutoff_xid ))
6753+ {
6754+ /*
6755+ * If we freeze xmax, make absolutely sure that it's not an XID
6756+ * that is important. (Note, a lock-only xmax can be removed
6757+ * independent of committedness, since a committed lock holder has
6758+ * released the lock).
6759+ */
6760+ if (!(tuple -> t_infomask & HEAP_XMAX_LOCK_ONLY )&&
6761+ TransactionIdDidCommit (xid ))
6762+ ereport (ERROR ,
6763+ (errcode (ERRCODE_DATA_CORRUPTED ),
6764+ errmsg_internal ("cannot freeze committed xmax %u" ,
6765+ xid )));
66986766freeze_xmax = true;
6767+ }
66996768else
67006769totally_frozen = false;
67016770}
@@ -6800,14 +6869,17 @@ heap_execute_freeze_tuple(HeapTupleHeader tuple, xl_heap_freeze_tuple *frz)
68006869 * Useful for callers like CLUSTER that perform their own WAL logging.
68016870 */
68026871bool
6803- heap_freeze_tuple (HeapTupleHeader tuple ,TransactionId cutoff_xid ,
6804- TransactionId cutoff_multi )
6872+ heap_freeze_tuple (HeapTupleHeader tuple ,
6873+ TransactionId relfrozenxid ,TransactionId relminmxid ,
6874+ TransactionId cutoff_xid ,TransactionId cutoff_multi )
68056875{
68066876xl_heap_freeze_tuple frz ;
68076877bool do_freeze ;
68086878bool tuple_totally_frozen ;
68096879
6810- do_freeze = heap_prepare_freeze_tuple (tuple ,cutoff_xid ,cutoff_multi ,
6880+ do_freeze = heap_prepare_freeze_tuple (tuple ,
6881+ relfrozenxid ,relminmxid ,
6882+ cutoff_xid ,cutoff_multi ,
68116883& frz ,& tuple_totally_frozen );
68126884
68136885/*